RE: [ActiveDir] rebooting a patched, but stubborn DC
I see that occasionally, but rarely. But I'm not running any DC's these days - just a whole boatload of application servers.

Roger D. Seielstad
E-mail Geek

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Sunday, October 16, 2005 4:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] rebooting a patched, but stubborn DC

Hi Susan,

Thanks for the response. No UPS issues. Checked the services remotely and didn't find anything unusual. The DC did finally reboot on its own shortly after I sent out my first message - about 2 hours after the original patching and the message saying it wanted to reboot and I clicked OK. The event logs showed nothing of any consequence, just a big (2 hour) gap in the system event log entries (between the entry saying it initiated shutdown and the entry saying the system was coming back up). The security log showed no gaps at all. Am I the only one that sees this kind of behavior on W2K3/SP1 servers? I normally don't use the "/console" switch when I TS in (e.g., mstsc.exe /console). I wonder if that could speed the process up.

Mike Thommes

From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sat 10/15/2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] rebooting a patched, but stubborn DC

APC UPS's and you don't have the latest ver on there? HP with a UPS? Can you get into services and see if something is 'stopping'? Got any ILO ability there [or suitable other remote techniques]?

Thommes, Michael M. wrote:
>So I have remotely (TS connection) applied the latest Windows patches to one of my DCs. Patches went on fine. Said it needed to reboot. I clicked "Restart". And two hours later, it still has not rebooted, but it did terminate the TS session. I have tried to "kick it" via a "shutdown /f /r" command from another DC. Still no luck. Issue same command remotely with the big Kahuna account, and it says a shutdown is in progress. It appears to still be serving up clients, e.g., no discernible ill effects. I have seen this periodically in the past with other servers. Anyone have any comments/thoughts on this irritating, weekend activity? TIA!
>
>Mike Thommes
>List info : http://www.activedir.org/List.aspx
>List FAQ: http://www.activedir.org/ListFAQ.aspx
>List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
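An added example, not from the thread: a PowerShell check that does what Mike did by eye, pairing each System-log "shutdown initiated" record (event ID 1074, source USER32) with the next "Event log service was started" record (ID 6005) and reporting the gap, so a two-hour silence like the one described stands out when run across many hosts. Assumes Windows PowerShell 5.1 or later and read access to the target's System log; the 15-minute threshold is a constructed choice.

```powershell
# Added example, not from the thread: measure the window between a shutdown
# request and the host coming back, i.e. the period in which it wrote no
# System events. Assumes Windows PowerShell 5.1+ (Get-WinEvent) and read
# access to the System log; the 15-minute threshold below is constructed.
#
#   ID 1074 (USER32)   "The process ... has initiated the restart of computer ..."
#   ID 6005 (EventLog) "The Event log service was started."

function Get-ShutdownGap {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'System'
        Id        = 1074, 6005
        StartTime = $Since
    } -ErrorAction Stop | Sort-Object TimeCreated

    $pending = $null
    foreach ($e in $events) {
        if ($e.Id -eq 1074) {
            # Keep the first unresolved request. A later 1074 before the box
            # comes back (the "shutdown /f /r" from another DC in the thread)
            # is a retry of the same reboot and must not reset the clock.
            if (-not $pending) { $pending = $e }
        }
        elseif ($e.Id -eq 6005 -and $pending) {
            [pscustomobject]@{
                Computer          = $ComputerName
                ShutdownInitiated = $pending.TimeCreated
                ServiceStarted    = $e.TimeCreated
                GapMinutes        = [math]::Round(($e.TimeCreated - $pending.TimeCreated).TotalMinutes, 1)
                Request           = ($pending.Message -split "`r?`n")[0]  # first line names the requesting process
            }
            $pending = $null
        }
    }
    if ($pending) {
        Write-Warning "$ComputerName: shutdown requested $($pending.TimeCreated) but no startup record since"
    }
}

# Anything longer than a normal reboot cycle is worth a look: the host was
# still answering clients (per the thread) while logging nothing here.
Get-ShutdownGap | Where-Object { $_.GapMinutes -gt 15 } | Format-Table -AutoSize
```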
RE: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs
It's a fairly simple equation. Dual Core processors have 2 full CPU's per chip. Therefore, they have two sets of cache, and can have two instructions being executed at the same time. Hyperthreading is a single CPU per chip that supports two parallel "trains" of instructions and data into the processor. The only real benefit to Hyperthreading is that it reduces some of the pain of context switching within a processor, thereby speeding things up. Regardless of how the OS presents it (IMO it should NOT reflect as 2 processors), it's still only able to execute a single instruction at a time.

With those ideas in mind, IMO it's better to scale AD out rather than up with regards to performance, depending of course on database size. I doubt there are a lot of environments where this question is of any real relevance.

Dual core is interesting more from a rack/power density stance than from its outright speed of processing. In my current environment, we're seriously limited with data center space in part due to growth of our services, so we're trying to find more efficient uses of space and power. For instance, the AMD64 x2 processors[1] draw roughly the same power at full utilization as their single core brethren. That's a HUGE savings for power and cooling versus traditional dual processor machines.

If you do go dual core, I'd also go as far as saying *which* dual core technology you choose. There's a huge difference between the architectures from Intel and AMD, both of which have their benefits. However my personal opinion is that in the vast majority of cases AMD's design is vastly superior for general computing tasks - the last time I checked, the AMD64 platform uses about half as many clock cycles to go to RAM than the Intel EM64T design requires. The end result is that for servers tasked with randomized data retrieval (which AD definitely qualifies as), AMD has the edge.

It is worth noting however that the Intel EM64T architecture is better suited for applications where there can be a long, somewhat predictable, pipeline of data to be processed. For example, I'd expect things like hard core scientific and statistical processing to be faster on the EM64Ts.

Roger D. Seielstad
E-mail Geek

[1] Which is what my new toy here at home is running - spanking fast!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mauricio F. Funes
Sent: Thursday, October 13, 2005 9:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs

Gentlemen,

Does anyone have any information regarding Domain Controller consolidation utilizing Dual Core CPUs? I have not seen any reports from Microsoft indicating the performance boost gained by utilizing Dual Core technology on DCs. It is presumed to be much better than the 20% to 30% gain from Hyper Threading CPUs.

Thanks for your input,

Mauricio Funes
[EMAIL PROTECTED]
Pasadena, CA
RE: [ActiveDir] SBS migration (was SBS Server Question)
It's really been a while since I laid hands on SBS, so I'm shooting from some pretty dusty memories.

Roger Seielstad
E-mail Geek

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley
Sent: Saturday, September 24, 2005 12:57 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)

I'd still like to get more specifics ...what exactly ..what scripts.. what things. what doesn't work in an SBS deployment? Once you build the box it's the real bits. And you can sign up to be a system builder and get the OEM build kit and do your own. As far as the CEICW you can dump out the xml file and just dump it in to another setup.

Actually the dev team would love to know what you find that drives you crazy as the more IT pros can deploy these little guys... be more converts to SBSland I get :-)

Roger Seielstad wrote:
>The "manual" issue comes down to scale. Without going into too much detail, my current team (5 engineers including myself) manage 1000 application servers. Obviously, the concept of using a wizard to configure things there wouldn't work. That's where all the scripting and command line tools come into play.
>
>With regards to CALs, the license tracking functionality outside of SBS is, well, broken. It's never worked right. I can't remember all the specifics, but basically it's nearly impossible for individual machines to not be counted multiple times. Effectively if you have 100 machines, it was possible to get a report of there being >200 CALs in use. One of the many reasons I force disable the LicenseLogging service..
>
>Roger Seielstad
>E-mail Geek
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley
>Sent: Thursday, September 22, 2005 10:01 PM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)
>
>Trust me... it's a religious thing :-)
>
>Those of us that have the religion of SBS don't see a problem with the wizards .:-)
>
>We're looking to start a support group for former Enterprise Admins who are now SBSers
>http://msmvps.com/bradley/archive/2005/07/27/59808.aspx
>
>I'll be honest with you ... the first time I set up 'normal' server and 'normal' exchange I was extremely surprised how much manual stuff you guys do in big server land. Forestprep and all that. The next thing I was absolutely flabbergasted about was how they trust you on the number of cals. 'You just stick in a number there? And they trust you to be honest? Wow." Blew me away.
>
>Actually it's near impossible to get WSS [sharepoint] on a same box as Exchange anyway. There are a couple of folks that tried and finally gave up.
>
>Roger Seielstad wrote:
>>Actually, I don't think it's a religious issue. The problem with SBS is that it's not really the amalgam of Microsoft technologies that it's billed as, and as such you can't administer it as you would with all the same apps in a non-SBS implementation.
>>
>>It's a neat package overall, but the requirement to do the wizard thing makes it hard for people like us to deal with it..
>>
>>Roger Seielstad
>>E-mail Geek
>>-Original Message-
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
>>Sent: Thursday, September 22, 2005 1:06 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: RE: [ActiveDir] SBS migration (was SBS Server Question)
>>
>>And that is a real difficulty.
>>
>>The wizards should integrate seamlessly. Or the other tools should integrate seamlessly. Take your pick.
>>
>>I've got a couple of hundred client companies, probably 3 or 4 use SBS. I HATE touching the SBS clients because it's a fair bet there is a wizard for something that I'm not going to use a wizard for, because I can use one of my scripts or a native tool and do it quicker. (You can argue that someone that knows the wizards can do it more quickly with them -- and that's fine -- but I don't, and shouldn't have to.)
>>
>>It's a religious issue.
>>
>>-Original Message-
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>>Sent: Thursday, September 22, 2005 12:19 PM
>>To: ActiveDir@mail.activedir.org &g
RE: [ActiveDir] GPO Restricted Groups gotchas ?
That's not the same net effect. Those settings are only applied at restart as opposed to being applied every 90 minutes (or whatever your refresh interval is). It's quite possible to remove the perms granted by that script and run like that for months.

Roger Seielstad
E-mail Geek

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Saturday, September 24, 2005 2:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GPO Restricted Groups gotchas ?

I agree it would be better to give that option of append along with override. I assume they didn't implement it, because it is very easy to get the desired result thru other means like this batch file, which can run as a computer startup script, for intended machines. This works like an append operation.

:: Add support admin to administrators group
net localgroup administrators domain\supportadmin /add

On 9/25/05, Roger Seielstad <[EMAIL PROTECTED]> wrote:
> Actually, the ideal would be the option to append or override.
>
> Sometimes you don't care if others are in a specific group, as long as a specific set of accounts/groups are in that group. Case in point is IT shops where the user is granted/required to have local admin. Ideally, you'd set that user, plus your IT support staff, as local admin. Without having the option to append, all you can do is override, which means that one user is then out.
>
> Roger Seielstad
> E-mail Geek
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
> Sent: Friday, September 23, 2005 2:42 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] GPO Restricted Groups gotchas ?
>
> But then it defeats the purpose of restricted group, as you want to be sure that only known members are part of the restricted group. If the operation is merge then it is not restricted by definition? When u ask for merge or append, you are doing some group membership modification. You better use some scripts for that.
>
> I would suggest create a separate group of those app servers, and apply group policy with restricted group populated as you want. Make sure Group Policy is applied to that Group of app servers only. It is a must that you Remove "Authenticated Users" group from group policy security.
>
> On 9/23/05, Mark Parris <[EMAIL PROTECTED]> wrote:
> > The biggest gotcha is that any existing group memberships for groups managed by the restricted group policy are overridden by the restricted group policy – this is my biggest gripe, I wish they would merge\append.
> >
> > Mark
> >
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > Sent: 23 September 2005 06:36
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] GPO Restricted Groups gotchas ?
> >
> > I would like to use restricted groups policies to specify local Administrative access to application servers. I am sure this has already been tried. I would like to know how this worked or did not work for those who have tried it and were there any unexpected gotchas that happened ?
> >
> > Thank You ! And have a nice day !
> >
> > Mark Lunsford
> > KAISER PERMANENTE
>
> --
> ~~~
> "Fortune and Love befriend the bold"
> ~~~

--
~~~
"Fortune and Love befriend the bold"
~~~

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Applications that extend the schema...
Applications should never, and I mean NEVER, be trusted to auto update the schema as necessary. I'd expect schema modifications to be handled as a one off, quasi-interactive process. Quasi-interactive meaning a human logs in with an account holding the appropriate permissions and does the modification.

Roger Seielstad
E-mail Geek

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, September 23, 2005 7:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Applications that extend the schema...

Given the # of variations that may exist in AD deployments, anywhere from a small business with a single forest/tree/domain all the way up to a large enterprise with multiple forests each containing multiple trees with each tree having numerous domains, there may be many differences of opinion on the part of administrators regarding schema extensions and applications that create them. I'm interested in hearing those opinions in regards to an enterprise type of resource provisioning application that will run primarily as a service under a specific domain account, with the caveat that the application does require some schema extensions in order to run properly. In particular, the question pertains to whether or not the main application should attempt to perform the schema extension work when it detects that they are not present, and if so, should it want/need to do so under its own set of credentials used to perform the service logon by the service control manager when the service is started, or should the application's UI request an elevated set of credentials in order to perform the schema extension. Alternatively, should the schema extension be performed using an additional program provided with the application so that it would be relatively easy for an administrator to logon, run the schema extension tool, and then be done with their part so that the application's "owner" could continue with the installation & configuration of the application.

I'm familiar with many of the issues in terms of Novell's eDirectory, but with AD there may be some other concerns due to differences in the two directory services and how they are implemented. It's the AD-specific concerns that interest me.

TIA,
Chuck

--
Chuck Chopp
ChuckChopp (at) rtfmcsi (dot) com
http://www.rtfmcsi.com
RTFM Consulting Services Inc.
103 Autumn Hill Road
Greer, SC 29651
864 801 2795 voice & voicemail
864 801 2774 fax

"Racing to save lives"
The Leukemia & Lymphoma Society - Team in Training
http://www.active.com/donate/tntsc/tntscCChopp

Do not send me unsolicited commercial email.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Domain Controller Security
That's really what a TAM's job is. They're supposed to be advocates for their customer within Microsoft. If they're not beating down (virtual) doors within MS to get issues resolved for their customer, they're failing at what they get paid to do...

Roger Seielstad
E-mail Geek

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, September 23, 2005 3:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

Yep it is very hit and miss. Sort of the same with MCS and PSS folks and honestly any consultants or support folks anywhere. There are good ones, not so good ones, and those that couldn't get a job anywhere else. My favorite TAM/PSS/MCS/CONSULTANT/SUPPORT folks are the ones that can proudly say, I don't know, but I will try to find out.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cace, Andrew
Sent: Friday, September 23, 2005 6:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

We have a great TAM. The guy is extremely knowledgeable on a wide variety of MS products. What he doesn't know, he knows who to get in touch with in Las Colinas to get the right answers fast. That's why I was shocked when I went to some MS training on MIIS in San Jose, and heard the technical people in the class bagging on TAMs and how non-technical they tend to be.

-Andrew

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, September 23, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

Which on the whole you may find to be far more helpful than most TAM's you might have gotten... Not trying to be mean, but I haven't had the greatest luck with TAMs. There have been two in ten years that I can think of off the top of my head that I liked (hey Efrem, hey Michelle) and I still beat the crap out of them when I had them available. Generally, IMO, a TAM is a person who tells you what you can't have even if they don't know what you are asking for. I once talked about looking into a TAM position and a high level MCS manager who had been trying to get me to join MS for I don't know how long told me (he was drunk at the time), hell no, you are far too technically gifted to be a TAM...

Just a thought though mom, you guys in SBS land seem to stick together pretty well. I wonder if you could form a union with all of the SBS crazies (and I say that lovingly) and have dues and such and then get a joint Premier Support Account for all of you together and funnel issues up through it.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, September 23, 2005 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security

Us in SBSland have newsgroups and MVPs.

Brian Desmond wrote:
> Technical Account Manager. When you spend ample money with MS, you get one of these. I think a PSS contract is enough to have one. They're sort of your MS/Customer bridge.
>
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> c - 312.731.3132
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
> Sent: Friday, September 23, 2005 12:26 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Domain Controller Security
>
> Excuse my ignorance, but what is a TAM?
>
> Dan
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB
> Sent: Friday, September 23, 2005 5:46 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Domain Controller Security
>
>>>And knowing it, I can always take extra precautions.
>
> The knowing it consists of "don't do it, because you can't secure it"
>
> There are no extra precautions to take. Certainly, you can increase your auditing, but you could do that now without knowing anything else.
>
>>>basically, 25% more prepared and secure against this type of attack is better than 0%.
>
> The more people that know, the higher the potential of attack. And, as folks have pointed out, since there are no viable workarounds, it doesn't help anyone to have the number of potential attackers increased.
>
> Call your TAM and see if he or she will provide enough details for you to feel comfortable.
>
> -ASB
>
> FAST, CHEAP,
RE: [ActiveDir] GPO Restricted Groups gotchas ?
Actually, the ideal would be the option to append or override. Sometimes you don't care if others are in a specific group, as long as a specific set of accounts/groups are in that group. Case in point is IT shops where the user is granted/required to have local admin. Ideally, you'd set that user, plus your IT support staff, as local admin. Without having the option to append, all you can do is override, which means that one user is then out.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Friday, September 23, 2005 2:42 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GPO Restricted Groups gotchas ?

But then it defeats the purpose of restricted group, as you want to be sure that only known members are part of the restricted group. If the operation is merge then it is not restricted by definition? When u ask for merge or append, you are doing some group membership modification. You better use some scripts for that.

I would suggest create a separate group of those app servers, and apply group policy with restricted group populated as you want. Make sure Group Policy is applied to that Group of app servers only. It is a must that you Remove "Authenticated Users" group from group policy security.

On 9/23/05, Mark Parris <[EMAIL PROTECTED]> wrote:

The biggest gotcha is that any existing group memberships for groups managed by the restricted group policy are overridden by the restricted group policy – this is my biggest gripe, I wish they would merge\append.

Mark

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: 23 September 2005 06:36
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO Restricted Groups gotchas ?

I would like to use restricted groups policies to specify local Administrative access to application servers. I am sure this has already been tried. I would like to know how this worked or did not work for those who have tried it and were there any unexpected gotchas that happened ?

Thank You ! And have a nice day !

Mark Lunsford
KAISER PERMANENTE

--
~~~
"Fortune and Love befriend the bold"
~~~
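As an added example, not from either Restricted Groups thread on this page: a PowerShell audit that gives the "append" semantics the thread wants (a required set plus per-host extras) while catching the drift Roger points out, since a startup script like Kamlesh's `net localgroup` batch file only runs at boot and a Restricted Groups policy overrides everything. Run it from an hourly scheduled task and it reports, rather than silently rewrites, membership of the local Administrators group. Assumes Windows PowerShell 5.1 or later with the LocalAccounts module (Get-LocalGroupMember); all account and host names are constructed placeholders.

```powershell
# Added example, not from the thread: audit the local Administrators group
# against an expected allow-list and report drift. Assumes Windows PowerShell
# 5.1 or PowerShell 7 with the Microsoft.PowerShell.LocalAccounts module.
# Every account and host name below is a constructed placeholder.

# "Append" semantics: these must always be present. Anything else is
# reported rather than removed, so a per-machine local admin (the thread's
# IT-shop case) can be allowed per host instead of being overridden by policy.
$RequiredMembers = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin account
    'CONTOSO\Domain Admins',             # placeholder domain group
    'CONTOSO\supportadmin'               # the account the thread's batch file adds (placeholder domain)
)

# Per-host exceptions, e.g. the one user who is allowed local admin on that box.
$AllowedExtra = @{
    'DEVBOX01' = @('CONTOSO\jdoe')       # placeholder host and user
}

function Get-LocalAdminDrift {
    param(
        [string[]]$Required,
        [hashtable]$Extra,
        [string]$GroupName = 'Administrators'
    )
    $actual  = @(Get-LocalGroupMember -Group $GroupName -ErrorAction Stop |
                 Select-Object -ExpandProperty Name)
    $allowed = @($Required) + @($Extra[$env:COMPUTERNAME])   # $null when no host entry

    # Windows account names are not case-sensitive; compare lower-cased.
    $allowedLc = $allowed | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }
    $actualLc  = $actual  | ForEach-Object { $_.ToLowerInvariant() }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Unexpected = @($actual   | Where-Object { $allowedLc -notcontains $_.ToLowerInvariant() })
        Missing    = @($Required | Where-Object { $actualLc  -notcontains $_.ToLowerInvariant() })
    }
}

$drift = Get-LocalAdminDrift -Required $RequiredMembers -Extra $AllowedExtra

if ($drift.Unexpected.Count -eq 0 -and $drift.Missing.Count -eq 0) {
    Write-Output "$($drift.Computer): Administrators membership matches the allow-list."
    exit 0
}

# A non-zero exit lets the scheduled task or a monitoring agent flag the host.
# Enforcement (policy or startup script) is deliberately kept separate from
# this check, so a removed permission is noticed within the hour, not months.
foreach ($m in $drift.Unexpected) { Write-Warning "$($drift.Computer): unexpected Administrators member $m" }
foreach ($m in $drift.Missing)    { Write-Warning "$($drift.Computer): required member $m is missing" }
exit 1
```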
RE: [ActiveDir] SBS migration (was SBS Server Question)
The "manual" issue comes down to scale. Without going into too much detail, my current team (5 engineers including myself) manage 1000 application servers. Obviously, the concept of using a wizard to configure things there wouldn't work. That's where all the scripting and command line tools come into play.

With regards to CALs, the license tracking functionality outside of SBS is, well, broken. It's never worked right. I can't remember all the specifics, but basically it's nearly impossible for individual machines to not be counted multiple times. Effectively if you have 100 machines, it was possible to get a report of there being >200 CALs in use. One of the many reasons I force disable the LicenseLogging service..

Roger Seielstad
E-mail Geek

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley
Sent: Thursday, September 22, 2005 10:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)

Trust me... it's a religious thing :-)

Those of us that have the religion of SBS don't see a problem with the wizards .:-)

We're looking to start a support group for former Enterprise Admins who are now SBSers
http://msmvps.com/bradley/archive/2005/07/27/59808.aspx

I'll be honest with you ... the first time I set up 'normal' server and 'normal' exchange I was extremely surprised how much manual stuff you guys do in big server land. Forestprep and all that. The next thing I was absolutely flabbergasted about was how they trust you on the number of cals. 'You just stick in a number there? And they trust you to be honest? Wow." Blew me away.

Actually it's near impossible to get WSS [sharepoint] on a same box as Exchange anyway. There are a couple of folks that tried and finally gave up.

Roger Seielstad wrote:
>Actually, I don't think it's a religious issue. The problem with SBS is that it's not really the amalgam of Microsoft technologies that it's billed as, and as such you can't administer it as you would with all the same apps in a non-SBS implementation.
>
>It's a neat package overall, but the requirement to do the wizard thing makes it hard for people like us to deal with it..
>
>Roger Seielstad
>E-mail Geek
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
>Sent: Thursday, September 22, 2005 1:06 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] SBS migration (was SBS Server Question)
>
>And that is a real difficulty.
>
>The wizards should integrate seamlessly. Or the other tools should integrate seamlessly. Take your pick.
>
>I've got a couple of hundred client companies, probably 3 or 4 use SBS. I HATE touching the SBS clients because it's a fair bet there is a wizard for something that I'm not going to use a wizard for, because I can use one of my scripts or a native tool and do it quicker. (You can argue that someone that knows the wizards can do it more quickly with them -- and that's fine -- but I don't, and shouldn't have to.)
>
>It's a religious issue.
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Thursday, September 22, 2005 12:19 PM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)
>
>Difficulty?
>
>What difficulty? [please feel free to take this offline] the only difficult issues we have in SBSland is cleaning up the messes from folks that don't follow the wizards
>
>[EMAIL PROTECTED] wrote:
>>Thanks! This must be SBS Week. Was at a user's group meeting last night and the topic came up again. (Main topic was R2) Sounds like Microsoft is getting the message about the difficulty of working with SBS.
>>
>>Al Maurer
>>Service Manager, Naming and Authentication Services
>>IT | Information Technology
>>Agilent Technologies
>>(719) 590-2639; Telnet 590-2639
>>http://activedirectory.it.agilent.com
>>--
>>"Cry 'Havoc!' and let slip the dogs of war" - Anthony, in Julius Caesar III i.
>>
>>-Original Message-
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>>Sent: Tuesday, September 20, 2005 1:57 PM
>>To: A
RE: [ActiveDir] SBS migration (was SBS Server Question)
Actually, I don't think it's a religious issue. The problem with SBS is that its not really the amalgam of Microsoft technologies that it's billed as, and as such you can't administer it as you would with all the same apps in a non-SBS implementation. It's a neat package overall, but the requirement to do the wizard thing makes it hard for people like us to deal with it.. Roger Seielstad E-mail Geek -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith Sent: Thursday, September 22, 2005 1:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] SBS migration (was SBS Server Question) And that is a real difficulty. The wizards should integrate seamlessly. Or the other tools should integrate seamlessly. Take your pick. I've got a couple of hundred client companies, probably 3 or 4 use SBS. I HATE touching the SBS clients because it's a fair bet there is a wizard for something that I'm not going to use a wizard for, because I can use one of my scripts or a native tool and do it quicker. (You can argue that someone that knows the wizards can do it more quickly with them -- and that's fine -- but I don't, and shouldn't have to.) It's a religious issue. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Thursday, September 22, 2005 12:19 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] SBS migration (was SBS Server Question) Difficulty? What difficulty? [please feel free to take this offline] the only difficult issues we have in SBSland is cleaning up the messes from folks that don't follow the wizards [EMAIL PROTECTED] wrote: >Thanks! This must be SBS Week. Was at a user's group meeting last night and the topic came up again. (Main topic was R2) Sounds like Microsoft is getting the message about the difficulty of working with SBS. 
> >Al Maurer >Service Manager, Naming and Authentication Services IT | Information >Technology Agilent Technologies >(719) 590-2639; Telnet 590-2639 >http://activedirectory.it.agilent.com >-- >"Cry 'Havoc!' and let slip the dogs of war" - Anthony, in Julius Caesar III i. > > >-Original Message- >From: [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, >CPA aka Ebitz - SBS Rocks [MVP] >Sent: Tuesday, September 20, 2005 1:57 PM >To: ActiveDir@mail.activedir.org >Subject: Re: [ActiveDir] SBS migration (was SBS Server Question) > >Transition pack or www.sbsmigration.com > >Transition pack is the best way however lets you keep the Remote web >workplace and monitoring email even after you break away from SBSland. > >[EMAIL PROTECTED] wrote: > > > >>OK, since the topic came up: I'm trying to figure out how to migrate off SBS2003. >> >>Scenario is a recent acquisition where we want to migrate from company SBS to corporate AD (standard 2003 domain). Trusts are out. Hack is both dangerous and illegal. >> >>MS offers a Transition Pack (for a cost) to upgrade the SBS2003 to normal AD. Is there any other way? LDIF export? >> >>Thanks, >>AL >> >>Al Maurer >>Service Manager, Naming and Authentication Services IT | Information >>Technology Agilent Technologies >>(719) 590-2639; Telnet 590-2639 >>http://activedirectory.it.agilent.com >>-- >>"Cry 'Havoc!' and let slip the dogs of war" - Anthony, in Julius Caesar III i. >> >> >>-Original Message- >>From: [EMAIL PROTECTED] >>[mailto:[EMAIL PROTECTED] On Behalf Of Susan >>Bradley, CPA aka Ebitz - SBS Rocks [MVP] >>Sent: Wednesday, September 14, 2005 12:06 PM >>To: ActiveDir@mail.activedir.org >>Subject: Re: [ActiveDir] SBS Server Question >> >>Nope. No trusts, no forests. We're the spoiled only PDC that must >>hold all the FSMO roles. We can do some funky stuff with pass through >>authentication, but no trusts. 
>>
>>US versus THEM:
>>http://www.sbslinks.com/Us_v_them.htm
>>
>>In SBS 2000/2003 the 'correct' terminology is Yes, an 'additional domain controller' is supported and not calling it a BDC.
>>
>>Member servers are covered by the SBS cals but last I read in the PUR the additional DC would need server cals. [that's my interpretation anyway but I get a headache reading that doc in the first place]
>>
>>Honestly ...keep in mind that with XPs, they will use cached credentials and you can log into that profile even if the net
RE: [ActiveDir] SBS migration (was SBS Server Question)
The bigger trick is getting yourself a client cert to get on Corpnet wireless Roger Seielstad E-mail Geek -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Thursday, September 22, 2005 4:13 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] SBS migration (was SBS Server Question) Very Cool. I would love to see that list :-) Wireless aircard and a tablet PC...you just gotta bring your own connectivity that's all. See ya next week! Michael B. Smith wrote: >I'm an Exchange MVP. We were invited to come up with a list of "why we >hate to support SBS" about a month ago for submission to the SBS >product team (apparently one of "our" product managers is across the >hall from one of "your" product managers). I think we came up with 11 >specific items dealing mainly with Exchange/User management and the >integration of ISA/RRAS. I'll see if I archived the list. > >I think the groups and the mailing lists are gonna be really quiet next >week, with little connectivity on campus for us! > >-Original Message- >From: [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, >CPA aka Ebitz - SBS Rocks [MVP] >Sent: Thursday, September 22, 2005 4:31 PM >To: ActiveDir@mail.activedir.org >Subject: Re: [ActiveDir] SBS migration (was SBS Server Question) > >Amen brother. > >I wish though you would be more specific though as I just happen to be >meeting with some folks next week and would love the inside from big >server land. [Please feel free to ping me directly] > >Our OU structure sucks. We know that. But ...boy ... you ain't >ripping my fingers off RWW or my monitoring email. :-) > >Michael B. Smith wrote: > > > >>And that is a real difficulty. >> >>The wizards should integrate seamlessly. Or the other tools should >>integrate seamlessly. Take your pick. >> >>I've got a couple of hundred client companies, probably 3 or 4 use SBS. 
>>I HATE touching the SBS clients because it's a fair bet there is a wizard for something that I'm not going to use a wizard for, because I can use one of my scripts or a native tool and do it quicker. (You can argue that someone that knows the wizards can do it more quickly with them -- and that's fine -- but I don't, and shouldn't have to.)
>>
>>It's a religious issue.
>>
>>-Original Message-
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>>Sent: Thursday, September 22, 2005 12:19 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)
>>
>>Difficulty?
>>
>>What difficulty? [please feel free to take this offline] the only difficult issues we have in SBSland is cleaning up the messes from folks that don't follow the wizards
>>
>>[EMAIL PROTECTED] wrote:
>>
>>>Thanks! This must be SBS Week. Was at a user's group meeting last night and the topic came up again. (Main topic was R2) Sounds like Microsoft is getting the message about the difficulty of working with SBS.
>>>
>>>Al Maurer
>>>Service Manager, Naming and Authentication Services IT | Information Technology Agilent Technologies
>>>(719) 590-2639; Telnet 590-2639
>>>http://activedirectory.it.agilent.com
>>>--
>>>"Cry 'Havoc!' and let slip the dogs of war" - Anthony, in Julius Caesar III i.
>>>
>>>-Original Message-
>>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>>>Sent: Tuesday, September 20, 2005 1:57 PM
>>>To: ActiveDir@mail.activedir.org
>>>Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)
>>>
>>>Transition pack or www.sbsmigration.com
>>>
>>>Transition pack is the best way however lets you keep the Remote web workplace and monitoring email even after you break away from SBSland.
RE: [ActiveDir] dns suffix search list
I believe you can do it through WMI, but I don't have any of that code handy.

Roger Seielstad
E-mail Geek

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, September 22, 2005 11:06 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dns suffix search list

I know this was discussed on the list earlier (can't seem to find it), but is this article correct and are these the only ways to programmatically alter the dns suffix search list? http://support.microsoft.com/kb/q275553/ Is there an easy way to do this for many computers, say from a text file?

Thanks
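The WMI route Roger mentions, written out as an added example (this is not code from the thread or from the KB article). It reads hostnames from a text file, calls the static SetDNSSuffixSearchOrder method of Win32_NetworkAdapterConfiguration on each machine, and reads the resulting SearchList value back from the remote registry so you are not trusting the return code alone. Assumptions: the file name and suffixes are placeholders, the caller is a local administrator on every target, and remote WMI (DCOM) and the Remote Registry service are reachable.

```powershell
# Added example: push one DNS suffix search list to many machines through WMI.
# Assumptions (placeholders): computers.txt holds one hostname per line, the
# suffixes below are illustrative, and the caller is admin on each target.
param(
    [string]   $ComputerList = '.\computers.txt',
    [string[]] $Suffixes     = @('corp.example.com', 'example.com')
)

function Set-RemoteDnsSuffixSearchList {
    param([string] $Computer, [string[]] $SearchOrder)

    # SetDNSSuffixSearchOrder is a static method: it is machine-wide, not per
    # adapter, so it is invoked on the class rather than on an adapter instance.
    $class  = [wmiclass]"\\$Computer\root\cimv2:Win32_NetworkAdapterConfiguration"
    $result = $class.SetDNSSuffixSearchOrder($SearchOrder)

    # Read back the value the resolver actually uses (comma-separated REG_SZ).
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\Tcpip\Parameters')
    $now  = $key.GetValue('SearchList')
    $key.Close(); $hklm.Close()

    [pscustomobject]@{
        Computer    = $Computer
        ReturnValue = $result.ReturnValue   # 0 = applied, 1 = applied but reboot required
        SearchList  = $now
        Matches     = ($now -eq ($SearchOrder -join ','))
    }
}

$targets = Get-Content -Path $ComputerList | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$report = foreach ($c in $targets) {
    try {
        Set-RemoteDnsSuffixSearchList -Computer $c -SearchOrder $Suffixes
    } catch {
        # Unreachable host, access denied, Remote Registry stopped, etc.
        [pscustomobject]@{ Computer = $c; ReturnValue = 'ERROR'; SearchList = $_.Exception.Message; Matches = $false }
    }
}

$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Matches } | ForEach-Object { Write-Warning "Search list not applied on $($_.Computer)" }
```

Run it from a management host with the list file beside it. Because the method rewrites the whole SearchList rather than appending, put the complete desired order in $Suffixes; a machine that reports Matches = False with ReturnValue 0 usually means Group Policy is overriding the value and will keep doing so.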
RE: [ActiveDir] Kerberos Delegation
I know next to nothing about ISA. The last time I touched it it was still called MS Proxy 2.0. I'm assuming there's a security group somewhere that is used to control who can do what through the ISA server. Actually, I know there is because I'm part of one at work (just don't know how to configure it). See my response to Ken as to why this would be necessary...

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Thursday, September 22, 2005 2:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hmmm, explain a little more where you would grant this access ....

Thanks
Carlos

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: 22 September 2005 08:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

So have you granted domain\IISServer$ access through ISA?

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, September 21, 2005 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Well I have some screen shots for you of AuthDiag and of wfetch, if you don't mind I can send it to you offline. This is the weird part, if I use wfetch to connect using Anonymous as authentication I get the web page requested. If I specify any other auth type i.e. NTLM or Kerberos I get a ISA server page telling me I am not authorized to view this page. With anonymous connection I get:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

With a specified auth type I don't get any of that (the screen shots explain). AuthDiag still only reports Test Authentication NTLM NO Kerberos. I still have a copy of the old Metabase.xml to prove that it was storing the incorrect settings when IIS MMC was showing something else..... Let me know if I can ping the screen shots to you. Thanks Ken, am I going to get to see you at Redmond?

C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: 21 September 2005 03:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Odd. If you use WFetch (it's in the IIS6 Res Kit) or just plain telnet, and request a page, what WWW-Authenticate headers are coming back? You should see:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

(basically the webserver sends back a list of the auth mechanisms it supports, and the browser picks the first one in the list that it supports). If you are only seeing the NTLM option, then something's up with IIS or Sharepoint. If you are seeing both, then AuthDiag is lying to you.

Cheers
Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Yeah I'm not sure about that either at the moment IIS is REALLY ACTING WEIRD, KEN where are you :P - . I had the Share Point website in the IIS MMC specify SPSAppPool (which was a App pool I created) when I checked the MetaBase.XML file (you know I love looking at the guts of systems :) ) it was still specifying DefaultAppPool (and I mean I had rebooted the server a few times) also DO NOT RUN:

Cscript adsutil.vbs set w3svc/1/ntauthenticationproviders "Negotiate,NTLM"
Iisreset

I know it seems logical but I KEPT the quotations in there and what it ended up doing was: ""Negotiate,NTLM"" ***Note the double quotes. And all auth was being defaulted to Anonymous (thank heavens for a network sniffer :) ). Even though I fixed these issues and I have made sure my Metabase.xml file is correct with "Negotiate,NTLM" and with the correct App Pool with the correct user etc, when I run AuthDiag the only "Test Authentication" option I get is NTLM, the Server Settings Node though specifies "Negotiate,NTLM" for that Site. When I check my ISA server I STILL see User - Anonymous so I am a bit stumped at the moment!!!

YEAH it going to be so cool to meet up with you guys in Redmond next week :)

C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 10:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hi Carlos

As I said, I'm just starting to look at Kerberos delegation, so take everything I say with a large pinch of salt. :-)

Anyway, here's the logic I was following. If I've understood it correctly, you want the server hosting SharePoint to authenticate to the ISA server as the end user. Assuming you want to use constrained delegation (which is normal) then you need to specify the ISA Server somewhere in the configuration, because you are limiting (constraining) the scope of the delegation to the ISA Server. If you look at the De
RE: [ActiveDir] Kerberos Delegation
By default, the IIS app pool and (I believe) sharepoint both run under Network Service. Therefore, when Sharepoint makes the request outbound, it will be making it within the context of the NetworkService account, which means it's going to present the server's domain credentials.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Wednesday, September 21, 2005 11:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Could I ask why he'd need to do that?

Cheers
Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, 22 September 2005 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

So have you granted domain\IISServer$ access through ISA?

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, September 21, 2005 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Well I have some screen shots for you of AuthDiag and of wfetch, if you don't mind I can send it to you offline. This is the weird part, if I use wfetch to connect using Anonymous as authentication I get the web page requested. If I specify any other auth type i.e. NTLM or Kerberos I get a ISA server page telling me I am not authorized to view this page. With anonymous connection I get:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

With a specified auth type I don't get any of that (the screen shots explain). AuthDiag still only reports Test Authentication NTLM NO Kerberos. I still have a copy of the old Metabase.xml to prove that it was storing the incorrect settings when IIS MMC was showing something else..... Let me know if I can ping the screen shots to you. Thanks Ken, am I going to get to see you at Redmond?

C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: 21 September 2005 03:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Odd. If you use WFetch (it's in the IIS6 Res Kit) or just plain telnet, and request a page, what WWW-Authenticate headers are coming back? You should see:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

(basically the webserver sends back a list of the auth mechanisms it supports, and the browser picks the first one in the list that it supports). If you are only seeing the NTLM option, then something's up with IIS or Sharepoint. If you are seeing both, then AuthDiag is lying to you.

Cheers
Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Yeah I'm not sure about that either at the moment IIS is REALLY ACTING WEIRD, KEN where are you :P - . I had the Share Point website in the IIS MMC specify SPSAppPool (which was a App pool I created) when I checked the MetaBase.XML file (you know I love looking at the guts of systems :) ) it was still specifying DefaultAppPool (and I mean I had rebooted the server a few times) also DO NOT RUN:

Cscript adsutil.vbs set w3svc/1/ntauthenticationproviders "Negotiate,NTLM"
Iisreset

I know it seems logical but I KEPT the quotations in there and what it ended up doing was: ""Negotiate,NTLM"" ***Note the double quotes. And all auth was being defaulted to Anonymous (thank heavens for a network sniffer :) ). Even though I fixed these issues and I have made sure my Metabase.xml file is correct with "Negotiate,NTLM" and with the correct App Pool with the correct user etc, when I run AuthDiag the only "Test Authentication" option I get is NTLM, the Server Settings Node though specifies "Negotiate,NTLM" for that Site. When I check my ISA server I STILL see User - Anonymous so I am a bit stumped at the moment!!!

YEAH it going to be so cool to meet up with you guys in Redmond next week :)

C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 10:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hi Carlos

As I said, I'm just starting to look at Kerberos delegation, so take everything I say with a large pinch of salt. :-)

Anyway, here's the logic I was following. If I've understood it correctly, you want the server hosting SharePoint to authenticate to the ISA server as the end user. Assuming you want to use constrained delegation (which is normal) then you need to specify the ISA Server somewhere in the configuration, because you are limiting (constraining) the scope of the delegation to the ISA Server. If you look at the Delegation tab of an object in ADUC, you will see the section labeled "Services to which this account can presen
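The check Ken describes (look at the WWW-Authenticate headers on the 401 that an anonymous request gets back), as an added example in PowerShell rather than wfetch or telnet; this is not code from anyone in the thread. It sends one unauthenticated GET, pulls every WWW-Authenticate header off the challenge, and says which of the three states Carlos and Ken discuss you are in. The URL is a placeholder.

```powershell
# Added example: list the authentication schemes a web server offers on its 401.
# Assumption: $Url is a placeholder for the SharePoint site being diagnosed.
param([string] $Url = 'http://sharepoint.example.com/default.aspx')

function Get-OfferedAuthSchemes {
    param([Parameter(Mandatory)][string] $Uri)

    $req = [System.Net.HttpWebRequest]::Create($Uri)
    $req.Method                = 'GET'
    $req.UseDefaultCredentials = $false   # stay anonymous so the server must challenge
    $req.AllowAutoRedirect     = $false   # a redirect to a logon form would hide the 401
    $req.Timeout               = 10000

    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # .NET throws on 401/403; the response and its headers are still attached.
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
    }

    # One header per offered scheme, e.g. "Negotiate" and "NTLM".
    $schemes = $resp.Headers.GetValues('WWW-Authenticate')
    if (-not $schemes) { $schemes = @() }
    $status = [int]$resp.StatusCode
    $resp.Close()

    [pscustomobject]@{
        Status          = $status
        Schemes         = @($schemes)
        OffersNegotiate = [bool]($schemes | Where-Object { $_ -like 'Negotiate*' })
        OffersNtlm      = [bool]($schemes | Where-Object { $_ -like 'NTLM*' })
    }
}

$r = Get-OfferedAuthSchemes -Uri $Url
$r | Format-List

if ($r.Status -ne 401) {
    'No challenge: anonymous access is enabled on this URL, so no user identity reaches the web part.'
} elseif ($r.OffersNegotiate) {
    'Negotiate is offered: IIS is fine; if the proxy still sees Anonymous, look at the SPN and delegation settings of the app pool identity.'
} elseif ($r.OffersNtlm) {
    'NTLM only: NTAuthenticationProviders on this site is wrong (check for stray quotes in the metabase value).'
} else {
    'Unexpected scheme list; inspect $r.Schemes.'
}
```

Negotiate in the list only means the server is willing to do SPNEGO; the client still falls back to NTLM inside Negotiate if it cannot get a Kerberos ticket for the site's SPN, and NTLM credentials cannot be delegated onward. To see the value IIS 6 actually stored (the double-quote mistake Carlos describes), read it back with `cscript adsutil.vbs get w3svc/1/NTAuthenticationProviders` and compare it with the header list this script prints.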
RE: [ActiveDir] disabling users
Honestly, I'd avoid perl like the plague. It's about the least readable language on the planet - especially if you haven't touched a script for a few months. As was already suggested, python is a pretty good cross platform option.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 21, 2005 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] disabling users

You don't think one can get by in IT with just one lang? Can't you do everything in perl that you can do in VBScript and then some? I'm sure you can get by on windows with just perl. I'm in a multi platform environment and frankly I just don't have the time to learn both VBScript and perl. I would end up just knowing both a little and badly. My brain can't keep jumping from one to the other and in scripting, if you don't use one lang for a while, you forget it. In which case I'd just end up bugging you guys on this list again for examples. I'd like to get to the point where I can do it myself and trying to learn both will never work for me. I have a hard enough time keeping as much as I can about windows and AD and exchange and some linux stuff in my head. 2 scripting langs will make my head explode. I'll never remember them at all. I just need to learn one and devote myself to learning it well instead of being a scripting jack of all trades and master of none. As to perl books, then where can one learn COM on perl?

Thanks a lot guys!

On 9/21/05, Brian Desmond <[EMAIL PROTECTED]> wrote:

Joe Richards might know some Win32 Perl resources.

VBScript isn't that hard, really. If you know the COM & ADSI stuff for Perl as far as methods, names, etc, it's just a different syntax for using it. VBScript you have the advantage of the technet scriptcenter which has examples complete enough to copy and paste together and run.

I'm not a CS major either, I don't even have any formal training in this field. The only things I've been taught in a classroom are how to read, write, and do some math. Everything I know I learnt going to work every day and doing new things, asking questions here and there around this list and other places. I realized I needed to learn VBScript and so I started tackling projects with VBScripts, and with a bit of work I got to be pretty good at it. I still need a copy of the platform sdk on my other monitor to remember methods, parameters, etc, but I know the syntax. That said, if I'm feeling lazy I still go and piece things together with scriptcenter snippets.

My point here is that it would probably be long term beneficial to you to at least be able to do simple things in VBScript like read a file, run an external command, etc. As I said in my first message, if you post what you have, I'll try and edit it as an example for you.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, September 21, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] disabling users

I only have time to learn one scripting lang. I figured perl is the better way to go as I have to work with linux and solaris as well. Know of any good docs, books, sites on perl and COM+ or adsi? Something that will teach you both like the VBScript resources do? I really think there is a market for perl and AD/win32 out there that is untapped. O'reilly has let most of their win32 perl books become outdated and stop at Win NT as has Dave Roth. I'm not a programmer and I don't have time to learn multiple scripting langs, so I always thought perl would be the best way to go. I find it as approachable as VBScript but unlike VBScript, I don't find many resources for using it on win32 systems. I'm afraid learning perl and working with windows might be an uphill battle. Are there resources for teaching you how to use perl with cdo, wmi, adsi, ado, etc? I'm not a total newbie to perl, I've used it on linux but I've never really done much on windows with activestate. And as I've said, I'm not a programmer and I didn't major in comp sci, so a lot of this stuff is not second nature to me and hasn't been pounded in for years. So jumping from lang to lang for me is not really an option.

Thanks

-Original Message-
From: Brian Desmond [mailto:[EMAIL PROTECTED]]
Sent: Wed 9/21/2005 2:46 PM
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] disabling users
RE: [ActiveDir] disabling users
Monad docs are really not out in any sort of usable context right now. Especially since Microsoft released a new beta at PDC this month and it's a whole lot different than the previous version (different as in better).

Roger Seielstad
E-mail Geek

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, September 21, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] disabling users

Tom

I think you should also consider Python. It has the following features.

1. Works well with windows
2. Very large functionality out of the box
3. Multi platform (Windows, Mac, Linux, Unix, Palm, etc..)
4. Simple to learn - straight forward non cryptic syntax
5. Very well supported
6. GUIs available

Inevitably one has to know VBScript as well because it is so widely used and most Windows scripting is done in VBScript. By the way does anyone know where Monad documentation can be found?

Peter Jessop
RE: [ActiveDir] Kerberos Delegation
So have you granted domain\IISServer$ access through ISA?

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, September 21, 2005 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Well I have some screen shots for you of AuthDiag and of wfetch, if you don't mind I can send it to you offline. This is the weird part, if I use wfetch to connect using Anonymous as authentication I get the web page requested. If I specify any other auth type i.e. NTLM or Kerberos I get a ISA server page telling me I am not authorized to view this page. With anonymous connection I get:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

With a specified auth type I don't get any of that (the screen shots explain). AuthDiag still only reports Test Authentication NTLM NO Kerberos. I still have a copy of the old Metabase.xml to prove that it was storing the incorrect settings when IIS MMC was showing something else..... Let me know if I can ping the screen shots to you. Thanks Ken, am I going to get to see you at Redmond?

C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: 21 September 2005 03:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Odd. If you use WFetch (it's in the IIS6 Res Kit) or just plain telnet, and request a page, what WWW-Authenticate headers are coming back? You should see:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

(basically the webserver sends back a list of the auth mechanisms it supports, and the browser picks the first one in the list that it supports). If you are only seeing the NTLM option, then something's up with IIS or Sharepoint. If you are seeing both, then AuthDiag is lying to you.

Cheers
Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Yeah I'm not sure about that either at the moment IIS is REALLY ACTING WEIRD, KEN where are you :P - . I had the Share Point website in the IIS MMC specify SPSAppPool (which was a App pool I created) when I checked the MetaBase.XML file (you know I love looking at the guts of systems :) ) it was still specifying DefaultAppPool (and I mean I had rebooted the server a few times) also DO NOT RUN:

Cscript adsutil.vbs set w3svc/1/ntauthenticationproviders "Negotiate,NTLM"
Iisreset

I know it seems logical but I KEPT the quotations in there and what it ended up doing was: ""Negotiate,NTLM"" ***Note the double quotes. And all auth was being defaulted to Anonymous (thank heavens for a network sniffer :) ). Even though I fixed these issues and I have made sure my Metabase.xml file is correct with "Negotiate,NTLM" and with the correct App Pool with the correct user etc, when I run AuthDiag the only "Test Authentication" option I get is NTLM, the Server Settings Node though specifies "Negotiate,NTLM" for that Site. When I check my ISA server I STILL see User - Anonymous so I am a bit stumped at the moment!!!

YEAH it going to be so cool to meet up with you guys in Redmond next week :)

C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 10:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hi Carlos

As I said, I'm just starting to look at Kerberos delegation, so take everything I say with a large pinch of salt. :-)

Anyway, here's the logic I was following. If I've understood it correctly, you want the server hosting SharePoint to authenticate to the ISA server as the end user. Assuming you want to use constrained delegation (which is normal) then you need to specify the ISA Server somewhere in the configuration, because you are limiting (constraining) the scope of the delegation to the ISA Server. If you look at the Delegation tab of an object in ADUC, you will see the section labeled "Services to which this account can present delegated credentials:" It would seem logical to me to have to specify the ISA here. Now whether you need to do configure this setting in ADUC on the account being used for the identity of the application pool, or the SharePoint server itself I don't know.

Cheers
Tony

PS. See you next week :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005 1:38 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hey Tony,

Well can you explain "but wouldn't you also need an SPN for the web service on the ISA Server?" I don't understand why, the ISA server is the server that is needing the authentication to allow the web server to browse the internet. So to elaborate: I
RE: [ActiveDir] Kerberos Delegation
Speaking of being here next week - keep me informed on the activities...

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, September 21, 2005 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Yeah I'm not sure about that either at the moment IIS is REALLY ACTING WEIRD, KEN where are you :P - . I had the Share Point website in the IIS MMC specify SPSAppPool (which was a App pool I created) when I checked the MetaBase.XML file (you know I love looking at the guts of systems :) ) it was still specifying DefaultAppPool (and I mean I had rebooted the server a few times) also DO NOT RUN:

Cscript adsutil.vbs set w3svc/1/ntauthenticationproviders "Negotiate,NTLM"
Iisreset

I know it seems logical but I KEPT the quotations in there and what it ended up doing was: ""Negotiate,NTLM"" ***Note the double quotes. And all auth was being defaulted to Anonymous (thank heavens for a network sniffer :) ). Even though I fixed these issues and I have made sure my Metabase.xml file is correct with "Negotiate,NTLM" and with the correct App Pool with the correct user etc, when I run AuthDiag the only "Test Authentication" option I get is NTLM, the Server Settings Node though specifies "Negotiate,NTLM" for that Site. When I check my ISA server I STILL see User - Anonymous so I am a bit stumped at the moment!!!

YEAH it going to be so cool to meet up with you guys in Redmond next week :)

C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 10:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hi Carlos

As I said, I'm just starting to look at Kerberos delegation, so take everything I say with a large pinch of salt. :-)

Anyway, here's the logic I was following. If I've understood it correctly, you want the server hosting SharePoint to authenticate to the ISA server as the end user. Assuming you want to use constrained delegation (which is normal) then you need to specify the ISA Server somewhere in the configuration, because you are limiting (constraining) the scope of the delegation to the ISA Server. If you look at the Delegation tab of an object in ADUC, you will see the section labeled "Services to which this account can present delegated credentials:" It would seem logical to me to have to specify the ISA here. Now whether you need to do configure this setting in ADUC on the account being used for the identity of the application pool, or the SharePoint server itself I don't know.

Cheers
Tony

PS. See you next week :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005 1:38 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hey Tony,

Well can you explain "but wouldn't you also need an SPN for the web service on the ISA Server?" I don't understand why, the ISA server is the server that is needing the authentication to allow the web server to browse the internet. So to elaborate: I have a Share Point site it has a RSS feed web part, this web part is requesting a RSS feed for example http://www.dirteam.com/blogs/carlos/default.aspx now I monitor on the ISA 2004 server and I see the web server trying to access the internet the user specified = Anonymous. The delegation is so that the user viewing the Share Point site (hence calling the RSS web part) will be the user credentials passed to the ISA server to be able to browse the internet. That's why I don't see why we need to register a SPN for the ISA server?

Thanks
C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 01:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hi Carlos

I'm just starting to look at Kerberos delegation for something myself, but wouldn't you also need an SPN for the web service on the ISA Server? And then specify that service in the delegation tab on the user object?

Cheers
Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Tuesday, 20 September 2005 9:31 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Delegation

Hey all,

Ok late at night here and I've hit a mental block (don't laugh Dean). I have set this up like a gazillion times but this time can't get it to work.

Environment: Windows 2003 Native Forest Mode - All clients Windows XP SP2 and above. Single forest single domain setup. Web Server - Windows Server 2003 Web Edition, Share Point Team Services installed. That site has a web part that requires Kerb delegation for access to a ISA firewall in order to stream RSS feeds. I can see on the ISA server that when ever any user hits the site the HTTP reques
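What Tony is describing on the Delegation tab, turned into a check you can run against the account that actually owns the app pool. This is an added example, not code from anyone in the thread, and it needs the ActiveDirectory PowerShell module (RSAT). It reads the account's SPNs, the constrained-delegation list (the msDS-AllowedToDelegateTo attribute behind "Services to which this account can present delegated credentials"), and the two delegation flags, then reports whether the pieces the thread argues about are in place. The account, site host and ISA host names are placeholders, and the assumption that the proxy's service is registered as HTTP/<ISA FQDN> is exactly that: check what SPN the ISA listener really runs under before you add it.

```powershell
# Added example: audit the SPN and constrained-delegation state of an app pool
# identity. Placeholders: account, web host, proxy host.
param(
    [string] $AppPoolAccount = 'svc-spsapppool',          # assumed app pool identity
    [string] $WebHost        = 'sharepoint.example.com',  # assumed site host name
    [string] $ProxyHost      = 'isa.example.com'          # assumed ISA FQDN
)
Import-Module ActiveDirectory

function Test-DelegationSetup {
    param([string] $Account, [string] $SiteHost, [string] $TargetHost)

    $props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo',
             'TrustedForDelegation', 'TrustedToAuthForDelegation'
    $acct = Get-ADUser -Identity $Account -Properties $props

    # 1. Without HTTP/<host> on the pool identity, clients cannot obtain a Kerberos
    #    ticket for the site, Negotiate silently falls back to NTLM, and there is
    #    nothing that can be delegated onward.
    $siteSpns = @("HTTP/$SiteHost", "HTTP/$($SiteHost.Split('.')[0])")
    $haveSpns = @($acct.servicePrincipalName | Where-Object { $siteSpns -contains $_ })

    # 2. Constrained delegation: the downstream service must be listed here, and
    #    the account must NOT be unconstrained (TrustedForDelegation) for this to
    #    be the path the KDC takes.
    $allowed   = @($acct.'msDS-AllowedToDelegateTo')
    $targetSpn = "HTTP/$TargetHost"   # assumption about how the proxy is registered

    [pscustomobject]@{
        Account             = $acct.SamAccountName
        SiteSpnsPresent     = $haveSpns
        Unconstrained       = [bool]$acct.TrustedForDelegation
        ProtocolTransition  = [bool]$acct.TrustedToAuthForDelegation
        AllowedToDelegateTo = $allowed
        TargetListed        = ($allowed -contains $targetSpn)
        Verdict             = if ($haveSpns.Count -eq 0) { 'no site SPN: clients will use NTLM' }
                              elseif ($acct.TrustedForDelegation) { 'unconstrained delegation: works, but far too broad' }
                              elseif ($allowed -contains $targetSpn) { 'constrained delegation to proxy is configured' }
                              else { "proxy SPN $targetSpn not in delegation list" }
    }
}

Test-DelegationSetup -Account $AppPoolAccount -SiteHost $WebHost -TargetHost $ProxyHost | Format-List
```

If the verdict is the missing SPN, `setspn -S HTTP/<host> <account>` registers it (and `-S` refuses a duplicate, which is the usual cause of a site that "sometimes" does Kerberos). If it is the missing target, add it with `Set-ADUser <account> -Add @{'msDS-AllowedToDelegateTo'='HTTP/<isa-fqdn>'}` rather than ticking "Trust this user for delegation to any service": a web server that can impersonate every visitor to any service is a much larger target than one that can only talk to the proxy.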
RE: [ActiveDir] OT: Outsourcing OS Patching
Why not run something like WSUS (Windows Software Update Services) and manage it yourselves? Seems kinda silly to outsource that piece.

Roger Seielstad
E-mail Geek

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Thursday, September 15, 2005 1:22 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] OT: Outsourcing OS Patching

Group,

Odd question. I just got out of a meeting with a consulting group that wants us to outsource the patching of our servers that are not in our data center (we have a number of servers that are at our remote locations and our staff is struggling with our patching cycle on these for one reason or another). Does anyone know of an outsourcing group that will only do the MS patching on the servers and let the owners of the boxes do everything else? We are looking for a basis of comparison and this consultant said that they don't have any competitors in this field. Either people outsource all of their servers, all of the services or they don't outsource at all. They don't know of anyone who only outsources the patching and monitoring of the boxes.

Thanks,
Charlie
RE: [ActiveDir] Sysvol and AV exclusions
Trend Micro's products are fairly robust there too.
Roger Seielstad
E-mail Geek

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, September 14, 2005 11:40 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Sysvol and AV exclusions

The only product I have seen the full exclusion capabilities in is McAfee; from ePO this can all be configured centrally. With Symantec, paths and file types can be excluded centrally, but the actual files have to be configured manually on every DC, thus leading to more donkey work and an increased scope for error. The only other quirk with Symantec is that it does not allow for "future" files, that is, if it's not there, you can't exclude it. This was the case up until version 9; 10 I have yet to see. All that being said, there is an unsupported hack available from Symantec to enable the centralised mgmt.
Mark

-Original Message-
From: "Tony Murray" <[EMAIL PROTECTED]>
Date: Thu, 15 Sep 2005 14:09:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sysvol and AV exclusions

Ah, you mean my expectations are too high. :-)
As an illustration of the problem, I have attached a screenshot from CA's eTrust AV product. I'm not familiar with the product (nor do I wish to be), but from a quick look it does not appear possible to set the exclusions according to the 822158 article. Apart from the potential issue of only being able to specify a maximum of 16 paths for exclusion, the real problem is the inability to include subfolders of folders that have been excluded. I would imagine that a reasonable percentage of the installed base of AD uses CA's product. We're probably talking 10s of thousands of organisations worldwide. Our local CA representative was unable to provide a CA recommendation for the exclusion list and suggested we refer to Microsoft's best practices.
I guess I'm going to have to come up with a "best efforts" compromise configuration, combining the recommendations in the 822158 article and the capabilities of the CA product.
Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, 15 September 2005 10:07 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sysvol and AV exclusions

You obviously haven't dealt with the Exchange Team enough. :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Wednesday, September 14, 2005 6:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sysvol and AV exclusions

Hi Brett
Thanks for your detailed response. I see you've also managed to sort out the formatting of the table in the article. Oh, what power you wield! :-)
The main issue I have is that the article introduces some "new" exclusions. I don't think I'm alone in thinking that the general approach before this article came out was, "If your AV product is FRS-compliant then include SYSVOL in scans." I am fully aware of the effects of a virus being replicated by SYSVOL, having seen it first-hand. SYSVOL does a great job of moving a virus around a network very quickly. :-) So it's important to scan SYSVOL (or at least parts thereof).
Going back to the issue, the 822158 article sets out exclusions, but doesn't indicate why they should be excluded. In other words, what is the risk of including them? This is relevant for at least one major AV product vendor, which has a (somewhat stupid) low limit on the number of files and folders that can be excluded on any one server. I'm also not convinced that the AV product I'm thinking of can perform the level of granularity of inclusion/exclusion suggested in the table. I can sort of understand why the staging areas would be excluded (compressed files, possibility of locking), but why exclude %systemroot%\sysvol and %systemroot%\sysvol\sysvol? I can't see anything in my test environment that would pose any problems by scanning these folders. Call me a control freak, but I just don't like seeing a statement such as, "Do not scan the following files and folders." with no additional explanation.
Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, 13 September 2005 10:47 p.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Sysvol and AV exclusions

The articles should not be inconsistent. The 822158 does mention 814263 (see bullet 2).
284947 - is how to detect and diagnose excessive FRS replication, noting it might be caused by Anti-Virus software, and mentioning how to recover. It is not SYSVOL specific, it is FRS specific. But since SYSVOL is an FRS share, it applies to SYSVOL, if this should happen to your SYSVOL.
814263 - is abo
RE: [ActiveDir] Joining a domain from offsite
Could be an MTU size issue. It's often an issue across VPNs. Look up how to set the MTU to less than 1500 (or just set the reg key to disable PMTU detection) for the box you're trying to bring up.
Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Williams
Sent: Wednesday, September 14, 2005 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Joining a domain from offsite

It will ping by name or IP number. Ping times are about 100 ms.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, September 14, 2005 1:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Joining a domain from offsite

Are WINS and DNS working over the VPN? Try specifying the FQDN or shortname of the domain instead of what you're specifying now to join it ... this certainly smells like nonworking DNS though.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Williams
Sent: Wednesday, September 14, 2005 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Joining a domain from offsite

Hi all:
We are setting up a server off-site using a PIX 525 and a PIX 501 to establish the VPN connection. If I join the domain locally and then take the server offsite I can login to the domain without any problems. If I disjoin the server and then try to rejoin the domain from offsite I get errors that no domain controller is available. In the error message it lists the domain controllers. Any ideas?
Thanks
Mike

The domain name () might be a NetBIOS domain name. If this is the case, verify that the domain name is properly registered with WINS.
If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain cvl:
The query was for the SRV record for _ldap._tcp.dc._msdcs.cvl
The following domain controllers were identified by the query:
dc-001.corp
dc-002.corp
Common causes of this error include:
- Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.
For information about correcting this problem, click Help.
RE: [ActiveDir] SBS Server Question
Yeah, but his MVP is in MSDS (as in Dining Services). We've got pictures to prove it.
Roger Seielstad
E-mail Geek

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, September 14, 2005 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBS Server Question

EULA dear. There's Can and there is legal. No you can't and be legal... and for a MVP shame on you ;-)

[EMAIL PROTECTED] wrote:
>Actually, depending on your level of tolerance for pains, I know that you can.
>
>http://www.akomolafe.com/Portals/1/Creating%20a%20trust%20relationship%20between%20two%20Small%20Business%20Server%202000%20domains.htm
>
>Sincerely,
>Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
>Microsoft MVP - Directory Services
>www.readymaids.com - we know IT
>www.akomolafe.com
>Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
>
>From: [EMAIL PROTECTED] on behalf of Sakari Kouti
>Sent: Wed 9/14/2005 11:46 AM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] SBS Server Question
>
>Hi Jose,
>No, an SBS domain cannot have trusts, so it cannot be a child domain.
>And yes, after you have installed an SBS box, you can install additional DCs, if they are normal Windows Server 2003 boxes.
>Yours, Sakari
>
>>-Original Message-
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
>>Sent: Wednesday, September 14, 2005 8:47 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: [ActiveDir] SBS Server Question
>>
>>Hi Susan,
>>Since we have an SBS MVP on the Active Dir list, let me ask a question.
>>Can I now make an SBS 2003 server a child domain in an AD 2003 forest?
>>Before you ask why, someone asked me this recently at a Linux users group meeting, as his company has several remote offices using SBS 2003.
>>Also on SBS 4.5, one could have a BDC as a backup; can this also be done with a DC or are you "Sh.T out of luck" when a box fails?
>>Jose

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
RE: [ActiveDir] Printers
IIRC exception code 0xc005 is an access denied. Do normal users have the right to install drivers on their workstations?
Roger Seielstad
E-mail Geek

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, September 09, 2005 7:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Printers

I have an HP 2430 and an HP 9050 in my environment. I just got them and installed them on my server and shared them out. When I go to a local workstation and login as a regular user, go to START, RUN and type in the UNC path of the server to install the network printer on the workstation, I am unable to print and get the following error message when I go to the properties of that printer. Older printers have worked fine like this in the past.
Function address 0x4f56a0bd caused a protection fault. (exception code 0xc005) Some or all property pages may not be displayed.
Has anyone seen this and fixed it?
Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] OT: Exmerge 2003
ExMerge supports doing select merging based on criteria like dates. That's how I always approached that issue in the past. You need to run ExMerge in batch mode with a config file to do it though. It's all in the docs.
Roger Seielstad
E-mail Geek

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Thursday, September 08, 2005 8:25 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] OT: Exmerge 2003

I have to archive some mailboxes on an Exchange 2003 server and would like to use the Exchange 2003 Mailbox Merge Wizard. However, these mailboxes are over 2GB and I was wondering if ExMerge 2003 has the same 2GB .pst file size limitation as Outlook 2000 and XP, or can it create .pst files larger than 2GB like Outlook 2003?
Thanks in advance,
Dan DeStefano
RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
> Again to clarify, the ISA server often (but not always) resides in the semi-trusted network while the SharePoint server should always reside on a fully-trusted network.

Actually - you really should look at that differently. It should read: ISA server should reside in the semi-trusted network while the SharePoint server should reside on a more trusted network.
Many people seem to think they should only have 3 classes of networks - Untrusted (i.e. the big I), Semi-trusted (DMZ) and fully trusted (internal). I think it's fairly trivial and significantly safer to layer services like this, mail relays, and other servers which make outbound calls to the 'Net into what I would describe as an internal DMZ. Yes, it's more trusted, but you can still ACL off and obscure the internal workings of your network.
Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Wednesday, September 07, 2005 5:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

I should make sure I was clear - in no way did I encourage the placement of ISA AND the SharePoint server onto the semi-trusted (DMZ) network. Again to clarify, the ISA server often (but not always) resides in the semi-trusted network while the SharePoint server should always reside on a fully-trusted network. The key benefit here is that the only required configuration through the firewall to the internal network is the web ports (i.e. 80, 443) necessary to allow proper communication between the ISA server and the SharePoint server. If the ISA server were compromised, however unlikely, the only path through the firewall to the internal network would be via the web ports to the SharePoint server.
Another problem with the IPSec solution is that if your SharePoint server in the DMZ is compromised (it is running IIS ;-) the IPSec path it has through to the internal network will be compromised as well. Of course this will then allow a potential hacker to ride the IPSec tunnel straight to all of the systems/ports (i.e. 88, 123, 389, 3268, 3269, and [god forbid] 135 and 445) you have configured the SharePoint server to communicate with on the internal LAN.
BTW I think you can configure IPSec to work between clients/member servers and DCs so long as the correct exceptions are in place or as long as you use certificates (which would be the best approach if using it in the DMZ).
BTW, Jason, never say never. With enough good arguments and still meeting the stated requirements you can certainly change people's opinions...
Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, September 07, 2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Looks like we have plenty of ideas and opinions ;)
ISA is a great way to deal with this, but I believe the decision was made to put the SP machine in the DMZ regardless of the technical merit or viability. And whether or not it is a good idea. That said, ISA doesn't offer much if you put it AND this machine in a semi-trusted network (for whatever that means these days.) Shame there's no leeway though.
The downside to using IPSec is that, as others have pointed out, it won't work on member server <-> DC for W2K servers (limitation of the OS) but will for 2K3 member servers, but that still leaves you with a secure channel from the DMZ host to your internal network. That means you can't monitor the traffic from the DMZ to your internal network because it's encrypted (sounds like a broken record, I know.)
Too bad you can't sway the decision makers to do this differently. But hopefully you've received a lot of ideas to pick from.
Best of luck,
Al

From: [EMAIL PROTECTED] on behalf of Bernard, Aric
Sent: Wed 9/7/2005 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

I agree with Phil - I think using an ISA (or other reverse proxy solution) is the best way to go given your constraints. Using a reverse proxy solution allows you the following:
Keep your SharePoint server behind the firewall, yet make it accessible to external clients as if it was in the DMZ.
Restrict your [additional] holes through the firewall to only that needed by the reverse proxy solution to interact with the SharePoint server (port 80).
BTW - this scenario is becoming extremely common. The next common addition you will see to this will likely be the use of ADFS to provide an identity trust bridge between the internal forest and a partner forest (or other identity system).
Regards,
Aric Bernard

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday,
RE: [ActiveDir] Group policy security setting
I *think* there's a policy setting to override that first connect to MS.com - I just can't remember what it is right now.
----
Roger Seielstad
E-mail Geek

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Wednesday, September 07, 2005 3:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group policy security setting

OK; I finally figured this one out; I had to set a couple of other settings for this to work.
Computer config\admin templates\Internet explorer\internet control panel\security page.
Intranet sites: Include all local (intranet) sites not listed in other zones
Intranet sites: Include all network paths (UNCs)
That let it work as expected. But I'm seeing another problem as well. This is one of those things that bug us when we log on to a new machine for the first time. :-)
I've set the IE home page to our intranet, which is the only site allowed; everything else goes to a bit-bucket proxy. So in: User config\windows settings\internet explorer maintenance\URLs\Important URLs, I've set the home page. But it doesn't work. With a new user login, IE starts by going to the MS site, and since the proxy won't let it, it doesn't move forward from there. I can type in the intranet URL manually and get there. If I allow the browser to reach the internet, it goes to the MS site first, then to Windows Update on the second launch, then to the expected home page on the third launch. Any way to get around this? Thanks!
PS: Roger; good to see you back. How's things? Pam and I are moving to AZ soon. Gimme a call sometime and we can chat...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Friday, September 02, 2005 9:57 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Group policy security setting
>
> The other way that works is to add the UNC for the file server (file://server/share) to the Trusted Sites, under User Config / Windows Settings / IE Maintenance / Security / Security Zones and Content ratings
>
> Now that I look, there's the setting you're trying to change - which is why it probably didn't work with a template.
>
> Roger Seielstad
> E-mail Geek
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
> Sent: Friday, September 02, 2005 3:51 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Group policy security setting
>
> This is driving me nuts.
>
> I'm trying to set up a W2K3 SP1 terminal server machine, managed by group policy, that will allow users to run certain apps that actually load from another server. Here's the problem...
>
> When I try and launch one of those apps, I get the security warning box "open file - security warning" "Are you sure you want to run this software?"
> I finally figured out how to disable it; in IE properties, security, trusted sites, custom level, there's a setting: "Launching applications and unsafe files". If I set that to enable, the box goes away. (I'm using software restrictions to only allow certain apps, so the warning box is irrelevant).
>
> I want to be able to set this value via GP rather than through the IE interface. The IE ADM template seems to include every setting except for this one.
>
> Why? I've tried creating a custom ADM for the setting, but I'm getting nowhere with that. I'll probably try that again next week. But I'm curious why this particular setting is not available in the template? Any ideas? Am I missing something?
>
> **
> Charlie Kaiser
> W2K3 MCSA/MCSE/Security, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **
RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
Last time I checked, you needed about 12-14 ports open to authenticate against a domain. It would make significantly more sense to put a proxy outside your firewall and keep SharePoint inside.
Roger Seielstad
E-mail Geek

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason B
Sent: Wednesday, September 07, 2005 8:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

We are putting a MS SharePoint server in the DMZ and need to have it on the domain and communicating with a SQL server on the domain. Because of these needs, we only want to open the minimum number of ports to get functionality. We have LDAP (389) opened and SQL (1433) opened. What other ports will we need to open to be able to log in on the SharePoint server with a domain account? Currently, with only these two ports opened, a domain account can't log on to the SharePoint server in the DMZ. Any help is MUCH appreciated.
RE: [ActiveDir] DNS resolution - prioritization
Ahh - there's the issue. That's not the same thing as logon traffic. Switching that to a domain DFS will certainly fix the issue - DFS understands AD Sites.
Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Tuesday, September 06, 2005 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS resolution - prioritization

I agree client logon won't be an issue, as clients & DC fit in the site boundary. But some of my startup scripts access netlogon as \\example.com\netlogon, and I suppose accessing any network resource by UNC has nothing to do with site boundary; it is pure DNS resolution.
Also, what about domain DFS traffic? Will it consider site boundaries while finding the nearest replica partner, or will it use plain DNS resolution?
- Kamlesh

On 9/6/05, Phil Renouf <[EMAIL PROTECTED]> wrote:
Just wondering what the actual issue is here though. When a client logs in they will get a DC within their local site; that shouldn't be dependent on the client's subnet mask, just whether their IP falls within the scope of a site defined in AD. If there is a DC in that site then they should be referred to that DC during logon processes. The behaviour of ping is not going to be site aware, but logon traffic will be.
Phil

On 9/6/05, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:
Thanks Roger for the reply.
Problem is not the site setting, you see... when I ping for my domain's DNS name... or access the netlogon folder on DC as \\example.com\netlogon, this DNS resolution will NOT consider site boundaries and give me the appropriate IP of the local DC. This DNS resolution will ask for the client's subnet mask and if it finds any matching IP of a DC which falls into this client network, it will provide that DC IP as the first one (making sure traffic remains inside the LAN). But, since the client IP network is restrictive /21, the server which is there in the same physical LAN but in a different subnet will not be returned as first choice. I hope it clears it a bit.
--
~~~"Fortune and Love befriend the bold"~~~

On 9/6/05, Roger Seielstad <[EMAIL PROTECTED]> wrote:
I'd create smaller subnet records in AD (probably matching the /25 VLANs) and assign those to the sites which house the domain controller which you want them to use. You can keep the /21 subnet entry as a catch-all as well, just in case.
Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Monday, September 05, 2005 3:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS resolution - prioritization

Dear All,
We have around 50 sites with 80 DCs, all in a single domain. Now the issue is three sites have very restrictive network configuration for subnets (all having 500+ machines), i.e. their subnet specification in AD is 10.*/21 but at the network level they have divided this subnet into VLANs with mask of /25, all inclusive in mask /21 defined for the subnet at AD level.
Problem: when a machine tries to find the nearest DC using the domain DNS name, the DNS server doesn't give the IP of the nearest DC first, as the server falls into only one of the /25 subnets. ("subnet mask request" in DNS server is enabled) And as a result, machines go to other DCs for netlogon related activities/scripts (generating unnecessary WAN traffic, slow login).
I am working with the Network team to initiate the feasibility of so many VLANs (long process), and if it's possible to merge some VLANs, then I will move the DC into that subnet.
Any solution other than hard coding the nearest DC in the hosts file of all these machines?
Regards,
Kamlesh
--
~~~"Fortune and Love befriend the bold"~~~
RE: [ActiveDir] 2003 SP1
I haven't done it on DC's yet (since I no longer run any...) but with regards to member servers I'm finding it rock solid. For a higher traffic DC or member server, I'd expect you'll see a relatively large decrease in CPU utilization for network related things.
Roger Seielstad
E-mail Geek

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Tuesday, September 06, 2005 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 SP1

Good morning folks,
I am entertaining the idea of applying SP1 to our 2003 domain controllers. I figured I would start with http://support.microsoft.com/kb/889101 but if you have any 1st hand knowledge of any issues, please let me know. For that matter, if you have a good link about applying 2003 SP1 to "member servers" please send it to me. I will probably assist with this task also.
Thanks
Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services
Banner Health
Voice (602) 495-4195
Fax (602) 495-4406
RE: [ActiveDir] DNS resolution - prioritization
You are correct - the DNS server won't provide any intelligence with regards to what it returns to a request. DNS should be returning ALL records for the appropriate domain, which I believe NetLogon on the local machine then parses against AD Sites by subnet. Gil Kirkpatrick wrote an extensive article for Windows IT Pro Magazine (or whatever they're calling it now) about 12-18 months ago that detailed how the whole process works.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Tuesday, September 06, 2005 12:47 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS resolution - prioritization

Thanks Roger for the reply,

The problem is not the site setting, you see... when I ping for my domain's DNS name, or access the netlogon folder on a DC as \\example.com\netlogon, this DNS resolution will NOT consider site boundaries and give me the appropriate IP of the local DC. This DNS resolution will ask for the client's subnet mask and if it finds any matching IP of a DC which falls into this client network, it will provide that DC IP as the first one (making sure traffic remains inside the LAN). But, since the client IP network is a restrictive /21, the server which is there in the same physical LAN but in a different subnet will not be returned as first choice.

I hope that clears it up a bit.

On 9/6/05, Roger Seielstad <[EMAIL PROTECTED]> wrote:
> I'd create smaller subnet records in AD (probably matching the /25 VLANs) and assign those to the sites which house the domain controller which you want them to use. You can keep the /21 subnet entry as a catch all as well, just in case.
>
> Roger Seielstad
> E-mail Geek
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
> Sent: Monday, September 05, 2005 3:30 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] DNS resolution - prioritization
>
> Dear All,
>
> We have around 50 sites with 80 DCs, all in a single domain. Now the issue is that three sites have a very restrictive network configuration for subnets (all having 500+ machines), i.e. their subnet specification in AD is 10.*/21 but at the network level they have divided this subnet into VLANs with a mask of /25, all inclusive in the /21 mask defined for the subnet at the AD level.
>
> Problem: when a machine tries to find the nearest DC using the domain DNS name, the DNS server doesn't give the IP of the nearest DC first, as the server falls into only one of the /25 subnets. ("Subnet mask request" in the DNS server is enabled.) And as a result, machines go to other DCs for netlogon related activities/scripts (generating unnecessary WAN traffic, slow login).
>
> I am working with the Network team to initiate the feasibility of so many VLANs (long process), and if it's possible to merge some VLANs, then I will move the DC into that subnet.
>
> Any solution other than hard coding the nearest DC in the hosts file of all these machines?
>
> Regards,
> Kamlesh
> --
> ~~~"Fortune and Love befriend the bold"~~~
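The mechanism Roger's suggestion relies on, as an added example that is not part of the thread and not code from Microsoft: the DC locator maps the client's address to the most specific AD subnet object that contains it (longest prefix wins), so /25 subnet objects pointed at the local site take precedence over a /21 catch-all that covers the same addresses. The site names, DC names and 10.20.x.x addresses below are invented; `preferred_dcs` is a simplified stand-in for the site-specific then domain-wide SRV lookups the real locator performs.

```python
"""Model of client-IP to AD-site mapping by subnet objects (added example)."""
import ipaddress

# Constructed sample: the /21 catch-all plus /25 VLAN entries, as suggested in
# the thread. Site and subnet names are hypothetical.
SUBNETS = {
    "10.20.0.0/21": "HQ-Campus",      # catch-all kept for addresses with no /25 entry
    "10.20.1.0/25": "HQ-Floor1",      # VLAN that houses the local DC
    "10.20.1.128/25": "HQ-Floor1",
    "10.20.2.0/25": "HQ-Floor2",
}

# Constructed sample: which DCs live in which site (hypothetical names).
DCS = {
    "HQ-Campus": ["dc-central-1.example.com"],
    "HQ-Floor1": ["dc-floor1.example.com"],
    "HQ-Floor2": ["dc-floor2.example.com"],
}


def site_for_ip(ip, subnets=SUBNETS):
    """Return the site of the most specific subnet containing ip, or None.

    Longest prefix length wins, so a /25 beats the /21 that also contains
    the address. Addresses matching no subnet object belong to no site.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def preferred_dcs(ip, subnets=SUBNETS, dcs=DCS):
    """DCs in the client's own site first, then every other DC as fallback."""
    site = site_for_ip(ip, subnets)
    local = list(dcs.get(site, []))
    others = [dc for s, lst in dcs.items() if s != site for dc in lst]
    return local + others


def overlapping_subnets(subnets=SUBNETS):
    """List (specific, catch_all) pairs, i.e. where a narrower entry overrides a wider one."""
    nets = [ipaddress.ip_network(c) for c in subnets]
    return [(str(a), str(b)) for a in nets for b in nets
            if a != b and a.subnet_of(b)]


if __name__ == "__main__":
    client = "10.20.1.77"
    print("with only the /21:", site_for_ip(client, {"10.20.0.0/21": "HQ-Campus"}))
    print("with /25 entries: ", site_for_ip(client))
    print("DC order:", preferred_dcs(client))
    print("overlaps:", overlapping_subnets())
```

With only the /21 entry the client at 10.20.1.77 lands in HQ-Campus and is sent to the central DC; once the /25 entries exist it lands in HQ-Floor1 and the local DC is tried first. The `overlapping_subnets` check is a quick sanity test before touching AD: every /25 you add should show up as a child of the /21 you keep as the catch-all.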
RE: [ActiveDir] Moving forest root domains to child domains in another forest
Link speed really has nothing to do with the decision to split into separate domains. You've got a LOT of control over replication and really can build a topology that works for just about any WAN design you care to put out there.

Keeping in mind that forests are the true security boundary, are you getting any real benefit from moving from 3 forests to 4 domains?

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chaves, Jan Amcil L.
Sent: Monday, September 05, 2005 5:37 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving forest root domains to child domains in another forest

Right. Mostly for administrative and Exchange consolidation. And to implement a logically consistent naming convention. The domains are related enough to put into a single forest, but not quite that "intimate" to all fit in a single domain, due to radical differences in GPOs, etc. Not to mention slow links connect global sites, thus necessitating the split in the domains.

Our objective, just recently revised, is to come up with an empty forest root and three (possibly more) child domains under it. And then build Exchange around the forest.

Jan

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Mon Sep 05 16:07:23 2005
Subject: RE: [ActiveDir] Moving forest root domains to child domains in another forest

Can you mention some of your reasons WHY you want to merge your three forests in the way you describe? I certainly understand that you might want to consolidate, but why in the world would you want to go from three single-domain forests to one forest with a root + 2 child domains, leaving you with managing three domains? I'd actually vote that this is worse than what you have right now.

If you do consolidate, then I'd suggest you migrate the objects from those two forests directly to the existing root of your third forest, leaving you with a single domain to manage.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chaves, Jan Amcil L.
Sent: Sunday, 4 September 2005 03:15
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Moving forest root domains to child domains in another forest

Hi! I have a huge task to do. I have three separate Windows Server 2003 forests, each with a single domain (and Exchange 2003 servers to boot). I have to combine all three into a single forest and end up with just one root domain, with the other two as child domains of the first. Is there any way (by hook or by crook) to do this? Pointers to third-party apps are very much appreciated.

Thanks,
Jan
RE: [ActiveDir] DNS resolution - prioritization
I'd create smaller subnet records in AD (probably matching the /25 VLANs) and assign those to the sites which house the domain controller which you want them to use. You can keep the /21 subnet entry as a catch all as well, just in case.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Monday, September 05, 2005 3:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS resolution - prioritization

Dear All,

We have around 50 sites with 80 DCs, all in a single domain. Now the issue is that three sites have a very restrictive network configuration for subnets (all having 500+ machines), i.e. their subnet specification in AD is 10.*/21 but at the network level they have divided this subnet into VLANs with a mask of /25, all inclusive in the /21 mask defined for the subnet at the AD level.

Problem: when a machine tries to find the nearest DC using the domain DNS name, the DNS server doesn't give the IP of the nearest DC first, as the server falls into only one of the /25 subnets. ("Subnet mask request" in the DNS server is enabled.) And as a result, machines go to other DCs for netlogon related activities/scripts (generating unnecessary WAN traffic, slow login).

I am working with the Network team to initiate the feasibility of so many VLANs (long process), and if it's possible to merge some VLANs, then I will move the DC into that subnet.

Any solution other than hard coding the nearest DC in the hosts file of all these machines?

Regards,
Kamlesh
--
~~~"Fortune and Love befriend the bold"~~~
RE: [ActiveDir] Merging GPO's
I had been looking at the backup files created by GPMC, which look like they could be munged together, but that's a bit more manual than I'd like. I'll have to look at them again to see if running them through something like WinMerge would do the trick.

Roger Seielstad
E-mail Geek

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Saturday, September 03, 2005 12:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Merging GPO's

Roger-

If you actually need to, say, merge Admin Template policies from two different GPOs, then I've not seen any tool to do this, unfortunately, though I do hear the need from time to time. If you want to take a GPO that contains Admin Template policy and merge it into another GPO that contains security policy, then that is do-able through some hacking around.

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Saturday, September 03, 2005 2:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Merging GPO's

Yeah, so I've been gone a while - too long, but I'll try to fix that.

Anyway - does anyone have/know of a tool to merge multiple GPOs into a single policy? I inherited a conglomeration of about 40 GPOs which have conflicting settings and are generally just a miserable pain to work with, and rather than manually recreating them (since some are fairly involved) I'd love to be able to select 2 or more and do for GPOs what WinMerge does for text files.

Roger Seielstad
E-mail Geek
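The "munging together" Roger has in mind, as an added example that is neither a tool from the list nor anything from Microsoft: a GPMC backup carries each GPO's Administrative Template settings in a registry.pol file, which uses the PReg format (a "PReg" signature and version 1, then entries laid out as `[key;value;type;size;data]` in UTF-16LE). Parsing two of those makes the merge a set operation, and the one thing no tool can decide for you, which side wins when both GPOs set the same value differently, is reported as a conflict instead of silently resolved. The two sample policies are constructed inline so the file runs offline; the policy key and value names are illustrative. Security settings (GptTmpl.inf) are a different format and are not handled here.

```python
"""Parse and merge GPO registry.pol (PReg) files with conflict reporting (added example)."""
import struct

PREG_MAGIC = b"PReg"
PREG_VERSION = 1
REG_SZ, REG_DWORD = 1, 4
_LBRACKET, _SEMI, _RBRACKET = (c.encode("utf-16-le") for c in "[;]")


def _wstr(s):
    """UTF-16LE string with the terminating null, as registry.pol stores it."""
    return (s + "\x00").encode("utf-16-le")


def build_pol(entries):
    """entries: iterable of (key, value_name, reg_type, data_bytes) -> file bytes."""
    out = bytearray(PREG_MAGIC + struct.pack("<I", PREG_VERSION))
    for key, name, typ, data in entries:
        out += _LBRACKET + _wstr(key) + _SEMI + _wstr(name) + _SEMI
        out += struct.pack("<I", typ) + _SEMI + struct.pack("<I", len(data)) + _SEMI
        out += data + _RBRACKET
    return bytes(out)


def parse_pol(blob):
    """Return a list of (key, value_name, reg_type, data_bytes) from a PReg blob."""
    if blob[:4] != PREG_MAGIC or struct.unpack("<I", blob[4:8])[0] != PREG_VERSION:
        raise ValueError("not a registry.pol (PReg version 1) file")

    def expect(p, token):
        if blob[p:p + 2] != token:
            raise ValueError("malformed entry at offset %d" % p)
        return p + 2

    def read_wstr(p):
        end = p
        while blob[end:end + 2] != b"\x00\x00":      # strings are 2-byte aligned
            end += 2
        return blob[p:end].decode("utf-16-le"), end + 2

    pos, entries = 8, []
    while pos < len(blob):
        pos = expect(pos, _LBRACKET)
        key, pos = read_wstr(pos)
        pos = expect(pos, _SEMI)
        name, pos = read_wstr(pos)
        pos = expect(pos, _SEMI)
        typ = struct.unpack("<I", blob[pos:pos + 4])[0]
        pos = expect(pos + 4, _SEMI)
        size = struct.unpack("<I", blob[pos:pos + 4])[0]
        pos = expect(pos + 4, _SEMI)
        data = blob[pos:pos + size]
        pos = expect(pos + size, _RBRACKET)
        entries.append((key, name, typ, data))
    return entries


def merge_pols(base, other):
    """Merge two parsed policies; returns (merged_entries, conflicts).

    A setting is identified by (key, value name), case-insensitively like the
    registry. Settings present in only one policy are kept. Where both define
    the same setting with a different type or data, the base entry wins and
    the pair is recorded in conflicts for a human to resolve.
    """
    merged, conflicts = {}, []
    for entry in base:
        merged[(entry[0].lower(), entry[1].lower())] = entry
    for entry in other:
        k = (entry[0].lower(), entry[1].lower())
        if k not in merged:
            merged[k] = entry
        elif merged[k][2:] != entry[2:]:
            conflicts.append((merged[k], entry))
    return list(merged.values()), conflicts


# Constructed sample GPOs (hypothetical contents, not real backups).
POL_A = build_pol([
    (r"Software\Policies\Microsoft\Windows\System", "DisableCMD", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Policies\Microsoft\Windows NT\Terminal Services", "fDenyTSConnections", REG_DWORD, struct.pack("<I", 0)),
])
POL_B = build_pol([
    (r"Software\Policies\Microsoft\Windows\System", "DisableCMD", REG_DWORD, struct.pack("<I", 0)),
    (r"Software\Policies\Microsoft\Windows NT\Terminal Services", "MaxIdleTime", REG_DWORD, struct.pack("<I", 900000)),
])

if __name__ == "__main__":
    merged, conflicts = merge_pols(parse_pol(POL_A), parse_pol(POL_B))
    for key, name, typ, data in merged:
        print("%s\\%s type=%d data=%s" % (key, name, typ, data.hex()))
    for a, b in conflicts:
        print("CONFLICT %s\\%s: %s vs %s" % (a[0], a[1], a[3].hex(), b[3].hex()))
```

Run it against real files by replacing `POL_A`/`POL_B` with `open(path, "rb").read()` on the `registry.pol` under each backup's `DomainSysvol\GPO\Machine` (or `User`) folder, then feed `build_pol(merged)` back into a fresh GPO's SYSVOL folder only after the conflict list is empty. Resolving the conflicts is still manual, which matches Darren's point that the merge is a hack rather than a tool, but at least the conflicts are enumerated rather than discovered in production.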
RE: [ActiveDir] Group policy security setting
The other way that works is to add the UNC for the file server (file://server/share) to the Trusted Sites, under User Config / Windows Settings / IE Maintenance / Security / Security Zones and Content Ratings.

Now that I look, there's the setting you're trying to change - which is why it probably didn't work with a template.

Roger Seielstad
E-mail Geek

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Friday, September 02, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group policy security setting

This is driving me nuts. I'm trying to set up a W2K3 SP1 terminal server machine, managed by group policy, that will allow users to run certain apps that actually load from another server. Here's the problem... When I try and launch one of those apps, I get the security warning box "Open File - Security Warning": "Are you sure you want to run this software?"

I finally figured out how to disable it; in IE properties, Security, Trusted Sites, Custom Level, there's a setting: "Launching applications and unsafe files". If I set that to Enable, the box goes away. (I'm using software restrictions to only allow certain apps, so the warning box is irrelevant.)

I want to be able to set this value via GP rather than through the IE interface. The IE ADM template seems to include every setting except for this one. Why? I've tried creating a custom ADM for the setting, but I'm getting nowhere with that. I'll probably try that again next week. But I'm curious why this particular setting is not available in the template? Any ideas? Am I missing something?

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
[ActiveDir] Merging GPO's
Yeah, so I've been gone a while - too long, but I'll try to fix that.

Anyway - does anyone have/know of a tool to merge multiple GPOs into a single policy? I inherited a conglomeration of about 40 GPOs which have conflicting settings and are generally just a miserable pain to work with, and rather than manually recreating them (since some are fairly involved) I'd love to be able to select 2 or more and do for GPOs what WinMerge does for text files.

Roger Seielstad
E-mail Geek
RE: [ActiveDir] joe makes Windows IT Pro....
Look out Detroit! Joe's hopped up on caffeine...

Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, May 05, 2005 4:32 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] joe makes Windows IT Pro
>
> LOL.
>
> Thanks for the heads up Rick. I guess I need to walk on up to Border's now and buy the darn thing. I used to have a subscription to them for several years but I let it drop as they were getting more and more expensive and I was finding less and less value.
>
> I hate it when they write me up and don't let me know ahead of time... ;oP
>
> I am a little surprised that was published as it is kind of a repeat. Robbie did a top 5 must have command line tools article in Windows IT Pro mag a little while back[1] and joeware was 1, 2, and 3. The specific tools were adfind, admod, and oldcmp and the tools got several pages of text in that article.
>
> Oh, also if you aren't aware, the Windows Server Cookbook is now out for purchase, including the world famous chapter 17 with some Exchange recipes that I wrote. You know it has to be good because I started with an analogy in the chapter intro:
>
> "If you like analogies, SMTP/POP3 services are to Exchange what the Model-T is to the modern automobile. You can certainly recognize the basic pieces but there have been notable extensions to those pieces to make the product more flexible and powerful for today's needs."[2]
>
> I need to start making money off this joeware thing...
>
> joe
>
> [1] I actually think it was the first time they used that name but it may have been a special edition. Interestingly enough I recall the article was on page 66. I recall that because I thought Robbie should have done top 6 tools so he could have had a 666 combo there... No one has written up the extremely popular unlock in a big way in a magazine yet[3].
>
> [2] Windows Server Cookbook, page 542.
>
> [3] That I am aware of... Though there is a nice blurb in AD Cookbook, recipe 6.9. I won't explain why I remember that recipe number[4].
>
> [4] Completely unneeded footnote[5].
>
> [5] Too much caffeine today... Writing up internal corporate KBs and documentation and I "caffeined" up to keep going.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kingslan, Rick T.
> Sent: Thursday, May 05, 2005 6:26 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] joe makes Windows IT Pro
>
> Well, OK - maybe not 'joe', but ADFind and ADMod get a nod in Sean Deuby's feature article on command-line control of your servers.
>
> On page 67, Sean deals with third-party tools. First up - ADFind and ADMod.
>
> "AdFind and AdMod are two powerful, easy-to-use freeware utilities by Joe Richards." Roughly three paragraphs on how to best use the tools is a really NICE nod, IMHO. (It goes on to discuss and praise the massive usefulness of the tools and that they ought to be on every DC everywhere.) Ok, maybe that last part was an embellishment.
>
> Good job joe, you big stud you!
>
> Rick Kingslan CISSP, MCSE, MCSA, MCT
> Microsoft MVP
> Windows Server / Directory Services
> Windows Server / Rights Management
> Windows Security (Affiliate)
> LAN Administration - Windows Srv Apps
> West Corporation
> 1-800-542-1000 ext. 116-1636
> Direct# 402-716-1636
> Fax# 402-965-7367
> [EMAIL PROTECTED]
RE: [ActiveDir] Locating FTP Revisited
Definitely do the DMZ.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, April 21, 2005 2:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Locating FTP Revisited

Hi -

A month or so ago, I started us off on a discussion of the wisdom of tying an FTP directly into AD. In the end, I decided that it was not a good idea to give it direct access to the forest (thanks, Joe). The box will be stand-alone and use only local accounts with local policies preventing interactive login, requiring complex passwords, and enforcing password lockouts (etc).

One thing that I did not really resolve is where to put the thing: directly on the Internet with a public IP or inside the firewall with FTP forwarded. My inclination is toward the latter scenario. I ran through the "if the box is compromised" scenario and felt that the risks are limited to the box alone (namely data loss, need to rebuild the OS, etc.). Is that correct? We don't really have a DMZ per se but could stick the thing on a separate, isolated subnet.

Thoughts? Thanks.

-- nme
RE: [ActiveDir] IPsec policy
The only place I've seen per user network rules is in the authpf code in OpenBSD: http://www.openbsd.org/faq/pf/authpf.html

Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> Sent: Thursday, April 21, 2005 12:41 PM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] IPsec policy
>
> I set up an IPsec filter to block traffic outgoing on port 80/443. That works fine.
> I was wondering if it's possible to do this per user and not just machine specific.
> Thanks
RE: [ActiveDir] Restricting sensitive information
That's a philosophical issue. Frankly, the bottom line is two-fold:

1. Use the concept of least necessary permissions - only grant specific people enough access to do their job - no more. Currently, I manage 1000 servers in a domain in which I have nothing more than a general "user" account - no domain admin access at all. The only explicit elevation of privileges is having rights for our OU.

2. If you can't trust the admins, replace them. There are plenty (and I mean PLENTY) of ways to validate that someone isn't doing something they shouldn't - auditing is your friend.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katrin Wilhelm
Sent: Wednesday, April 20, 2005 3:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restricting sensitive information

I think if you use the 'deny' flag you should be able to restrict the access to just the 2 admins if you like. As the deny option overrides everything else, deny the 12 admin accounts and do nothing to the last two. Deny should override the privileges they got from the admin group.

Hope this helps.

Kat

From: [EMAIL PROTECTED] on behalf of Perdue David J Contr InDyne/Enterprise IT
Sent: Thu 21/04/2005 6:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restricting sensitive information

You could. If you're trying to keep Admins out of the information there is a good bet they'd have the password for the local admin account or they could change it with less notice than a user's network account.

Dave
//SIGNED//
David J. Perdue

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, April 20, 2005 10:48 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Restricting sensitive information

Can you use a local administrator account of a machine to unencrypt files? I do it all the time on laptops that we have deployed when they bring them in for service. I'm not sure how well this works on servers, but if it does then this might not be such a great option.

Charlie

-Original Message-
From: Perdue David J Contr InDyne/Enterprise IT [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 20, 2005 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restricting sensitive information

You could encrypt the files/folders and add in the user accounts of the folks who need access as well as one or two admins to help maintain it. Depending on what your policy has set up for a recovery agent, this would prevent individuals from accessing the files. They could still rename/delete/take ownership, but they couldn't access the data.

Dave
//SIGNED//
David J. Perdue

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, April 20, 2005 04:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Restricting sensitive information

Original Message:

We have a problem in discussion where we need to restrict sensitive HIPAA information to a very select few employees in the US and only one or two people overseas. The problem is, we have about 10-15 domain admins worldwide in our single domain, and this is too many people to have access to the HIPAA data. Rather than take domain admin privileges away, thereby breaking their ability to promote domain controllers, etc. - what's an easy way to have a share on a file server restricted to only a select few of the domain admins? We were thinking of maybe adding a 2nd domain just for the server with this share on it. Then only enterprise admins would have access to that other domain, so only they could see that share. Is there an alternative to something this drastic?

Reply:

Why not simply install the server out of the domain completely and use its local accounts?

Regards
Peter Jessop
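What Kat's explicit Deny does, and where Dave's "they could still take ownership" caveat comes in, shown with an added model of the Windows DACL access check. This is example code written for this thread, not anything from the list or from Microsoft: the SIDs, group names and the four rights are invented for illustration, and the privilege handling is a deliberate simplification (the real check also grants the owner READ_CONTROL/WRITE_DAC and handles inheritance and generic rights). The rules it does model are the ones that matter here: ACEs are walked in order, a Deny that covers any still-outstanding requested right ends the check, Allows accumulate until every requested right is granted, and SeTakeOwnershipPrivilege sidesteps the DACL entirely.

```python
"""Model of the Windows DACL access check for a share (added example)."""

# Constructed access mask bits; the values mirror the NT constants but the
# set is reduced to the four rights the thread cares about.
READ, WRITE, DELETE, WRITE_OWNER = 0x1, 0x2, 0x10000, 0x80000
RIGHTS = (("read", READ), ("write", WRITE), ("delete", DELETE),
          ("take_ownership", WRITE_OWNER))


def canonical(dacl):
    """Canonical DACL order: explicit denies before explicit allows (stable)."""
    return [a for a in dacl if a[0] == "deny"] + [a for a in dacl if a[0] != "deny"]


def access_check(dacl, token_sids, requested):
    """Return True if every bit of `requested` is granted to the token.

    dacl: list of (kind, trustee_sid, mask) with kind "deny" or "allow".
    token_sids: set of SIDs in the caller's token (user plus groups).
    """
    if requested == 0:
        return True
    granted = 0
    for kind, trustee, mask in dacl:
        if trustee not in token_sids:
            continue
        if kind == "deny" and mask & requested & ~granted:
            return False                   # a deny on an outstanding right wins
        if kind == "allow":
            granted |= mask & requested
            if granted == requested:
                return True                # everything asked for is granted
    return False                           # something requested was never allowed


def effective_rights(dacl, token_sids, privileges=()):
    """Per-right outcome for a token, after privileges that bypass the DACL."""
    rights = {name: access_check(dacl, token_sids, mask) for name, mask in RIGHTS}
    if "SeTakeOwnershipPrivilege" in privileges:
        rights["take_ownership"] = True    # privilege check happens before the DACL
    return rights


# Constructed SIDs for the scenario in the thread (hypothetical values).
HIPAA_READERS = "S-1-5-21-1-1-1-1101"      # the select few who may read the data
DOMAIN_ADMINS = "S-1-5-21-1-1-1-512"
ADMIN_A = "S-1-5-21-1-1-1-2001"           # one of the twelve admins to keep out
ADMIN_B = "S-1-5-21-1-1-1-2002"           # one of the two trusted admins

SHARE_DACL = [
    ("deny", ADMIN_A, READ | WRITE),      # Kat's suggestion: one deny per excluded admin
    ("allow", HIPAA_READERS, READ),
    ("allow", DOMAIN_ADMINS, READ | WRITE | DELETE | WRITE_OWNER),
]

if __name__ == "__main__":
    excluded = {ADMIN_A, DOMAIN_ADMINS}
    print("excluded admin, DACL only:   ", effective_rights(SHARE_DACL, excluded))
    print("excluded admin, with SeTakeOwnership:",
          effective_rights(SHARE_DACL, excluded, ("SeTakeOwnershipPrivilege",)))
    print("trusted admin:               ", effective_rights(SHARE_DACL, {ADMIN_B, DOMAIN_ADMINS}))
    print("deny after allow (non-canonical): read =",
          access_check(list(reversed(SHARE_DACL)), excluded, READ))
```

Three things fall out of running it. The Deny does block read and write for the excluded admin even though Domain Admins is allowed everything, but only for the bits it names, so delete and take-ownership still come through the group Allow unless the Deny covers them too. Ordering matters: if the Allow were evaluated before the Deny the admin would read the data, which is why Windows keeps DACLs canonical and why hand-built ACLs from scripts need checking. And no DACL stops a holder of SeTakeOwnershipPrivilege from taking ownership and rewriting it, which is the point Dave and Roger are making: for the data itself you need EFS or a server outside the admins' reach, and for everything else, least privilege plus auditing.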
RE: [ActiveDir] Sniffer
Take the scenario of trying to sniff 100 boxes which are all connected via GigE in a single subnet. Assuming each box only uses 1% of its bandwidth, even with spanning set up[1] your sniffer will see packets faster than it can capture. Any sort of real utilization on those links and your sniffer will be worthless.

You could sniff at 10Gbit, but I don't know of any server adapters for that speed right now - and even if they did exist, I'm not sure what OS and hardware could keep up with logging all of it.

----
Roger Seielstad
E-mail Geek

[1] Meaning all ports also forward their traffic to a specific port for sniffing purposes - it's supported in most switches

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
> Sent: Monday, April 18, 2005 1:41 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Sniffer
>
> So what is going to cut it then?
> Are there any ready ones that sniff a subnet?
>
> r.c.
>
> On 4/15/05, Roger Seielstad <[EMAIL PROTECTED]> wrote:
> > Ethereal (and most other sniffers for that matter) use the host machine's NIC drivers.
> >
> > Of course, if you're doing a promiscuous sniff on a full GigE network - a single Gig interface isn't going to cut it.
> >
> > Roger Seielstad
> > E-mail Geek
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
> > > Sent: Wednesday, April 13, 2005 8:54 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Sniffer
> > >
> > > I am sure that Wildpackets has the latest driver support for most Gigabit adapters.
> > >
> > > Jose
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of rubix cube
> > > Sent: Wednesday, April 13, 2005 12:07 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: Re: [ActiveDir] Sniffer
> > >
> > > Thanks guys
> > > I will try them all, they do support gigabit right? Because when we upgraded to giga the sniffer I used to use couldn't do me any good.
> > >
> > > r.c.
> > >
> > > On 4/12/05, Medeiros, Jose <[EMAIL PROTECTED]> wrote:
> > > > Greetings,
> > > >
> > > > Try the demo from http://www.wildpackets.com/ Etherpeek is for Ethernet Networks and Airopeek is for Wireless Network Cards. In my opinion Wildpackets has the easiest to use and understand sniffer; Laura Chappell http://www.packet-level.com/ swears by it.
> > > >
> > > > http://www.amazon.com/exec/obidos/search-handle-form/104-0192535-4735132
> > > >
> > > > Hope this helps,
> > > >
> > > > Jose :-)
> > > >
> > > > ---
> > > >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of rubix cube
> > > > Sent: Tuesday, April 12, 2005 1:09 AM
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: [ActiveDir] Sniffer
> > > >
> > > > Any one recommends a specific good sniffer that he uses?
> > > > Thanks
RE: [ActiveDir] How much of the DIT is cached in RAM ?
By checking the working set size of LSASS?

Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
> Sent: Thursday, April 14, 2005 2:22 PM
> To: activedir@mail.activedir.org
> Subject: [ActiveDir] How much of the DIT is cached in RAM ?
>
> How can I determine how much of the DIT is being cached in RAM on a given DC ?
>
> Dave
RE: [ActiveDir] Sniffer
Ethereal (and most other sniffers for that matter) use the host machine's NIC drivers.

Of course, if you're doing a promiscuous sniff on a full GigE network - a single Gig interface isn't going to cut it.

Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
> Sent: Wednesday, April 13, 2005 8:54 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Sniffer
>
> I am sure that Wildpackets has the latest driver support for most Gigabit adapters.
>
> Jose
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of rubix cube
> Sent: Wednesday, April 13, 2005 12:07 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Sniffer
>
> Thanks guys
> I will try them all, they do support gigabit right? Because when we upgraded to giga the sniffer I used to use couldn't do me any good.
>
> r.c.
>
> On 4/12/05, Medeiros, Jose <[EMAIL PROTECTED]> wrote:
> > Greetings,
> >
> > Try the demo from http://www.wildpackets.com/ Etherpeek is for Ethernet Networks and Airopeek is for Wireless Network Cards. In my opinion Wildpackets has the easiest to use and understand sniffer; Laura Chappell http://www.packet-level.com/ swears by it.
> >
> > http://www.amazon.com/exec/obidos/search-handle-form/104-0192535-4735132
> >
> > Hope this helps,
> >
> > Jose :-)
> >
> > ---
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of rubix cube
> > Sent: Tuesday, April 12, 2005 1:09 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Sniffer
> >
> > Any one recommends a specific good sniffer that he uses?
> > Thanks
RE: [ActiveDir] DNS queries and actual trace
I tend to use dig from *nix hosts for real DNS work. IIRC there are Windows ports available.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Murray Wall
Sent: Tuesday, April 12, 2005 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS queries and actual trace

I was wondering what tools/options are required to get an actual DNS lookup trace, including internal machine cached/hosts file lookups and external requests to the DNS server. Does such a beast exist?

Murray Wall, MCSE, B.Ed
CCNA/DA Master ASE Messaging
[EMAIL PROTECTED]
RE: [ActiveDir] Sniffer
That's a cute marketing slogan - so it's a User Interface for a user interface? Ethereal is the User Interface for the WinPCAP library that actually does the captures.

----
Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
> Sent: Tuesday, April 12, 2005 1:44 AM
> To: 'Tomasz Onyszko '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
> Subject: RE: [ActiveDir] Sniffer
>
> Same comment as below for http://www.networkchemistry.com/products/packetyzer/
>
> Packetyzer(tm) is a Windows user interface for the Ethereal packet capture and dissection library. Packetyzer can decode more than 483 protocols.
>
> jorge
>
> -Original Message-
> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
> Sent: 4/12/2005 10:24 AM
> Subject: Re: [ActiveDir] Sniffer
>
> rubix cube wrote:
> > Any one recommends a specific good sniffer that he uses?
>
> ethereal - http://www.ethereal.com/
>
> It's good and it's Open Source
>
> --
> Tomasz Onyszko [MVP]
> [EMAIL PROTECTED]
> http://www.w2k.pl
RE: [ActiveDir] alias not working
Try changing it from a CNAME to an A record. Chances are it gets fixed.

Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
> Sent: Monday, April 11, 2005 1:32 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] alias not working
>
> It's a CNAME
>
> Fs1 for Fileserver1.domain.com
>
> This server is a NetApp machine so not running Windows on it. Our 2000 machines can use the short name just fine and get to the shares.
>
> Only the machines that have had security applied seem to have an issue using the short name.
>
> I even checked WINS and we have a static WINS name set up for the short one also.
>
> I think it's something with WINS though. On a 2000 machine I bring up a command prompt and do this:
>
> Net view fileserver1 -> I get the proper response back
>
> When I do
>
> Net view fs1 -> I get the proper response back
>
> If I do the same thing on a 2003 or XP machine, when I do the alias I get "System error 50 has occurred. The request is not supported."
>
> Thanks for any help you can give.
>
> Jeff
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Saturday, April 09, 2005 2:14 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] alias not working
>
> Actually, we do it with a number of our servers.
>
> Is the DNS record a CNAME or an A record?
>
> If it's a CNAME, is the target the FQDN of the box?
> fs1 in cname fileserver1.domain.com
> Or is it
> fs1 in cname fileserver1
> Unless it is the former, it won't work.
>
> Alternately (but less elegant IMO) you could just cut an A record:
> fs1 in a 192.168.0.1
>
> Roger Seielstad
> E-mail Geek
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > Sent: Friday, April 08, 2005 2:10 PM
> > To: ActiveDir@mail.activedir.org
> > Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] alias not working
> >
> > Hi Jeff
> >
> > This is because when I access a server it verifies that the server that I am requesting matches the NetBIOS name on the server itself. Aliases, A records and WINS / LMHosts will not fix this in any configuration we have tried. The access denied is server name does not match.
> >
> > Regards;
> >
> > James R. Day
> > Active Directory Core Team
> > Office of the Chief Information Officer
> > National Park Service
> > (202) 354-1464 (direct)
> > (202) 371-1549 (fax)
> > [EMAIL PROTECTED]
> >
> > From: "Cothern Jeff D. Team EITC" <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> > Sent: 04/08/2005 04:33 PM AST
> > To: ActiveDir
> > cc: (bcc: James Day/Contractor/NPS)
> > Subject: [ActiveDir] alias not working
> >
> > Ok for some reason 2003 and xp machines that are locked down with policies are not working with an a
Re: [ActiveDir] SSL on OWA to change password
It was like 10:30 or 11... Remember, I'm on the West coast US now.. Were I still in Atlanta, yeah you'd be right..

Roger

On Fri, Apr 08, 2005 at 11:27:46PM -0700, [EMAIL PROTECTED] wrote:
> Don't you ever sleep?
>
> Jze!!! :-)
>
> Sincerely,
>
> Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
> Microsoft MVP - Dir. Services / Security
> www.readymaids.com <http://www.readymaids.com/> - we know IT
> www.akomolafe.com
> Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
>
> ____
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Friday, April 08, 2005 11:17 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] SSL on OWA to change password
>
> Yeah. What he said. ;)
>
> Thanks Deji
>
> Roger Seielstad
> E-mail Geek
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Friday, April 08, 2005 11:04 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] SSL on OWA to change password
>
> <META HTTP-EQUIV="Refresh" CONTENT="1; URL=https://myowa.mycompany.blah/exchange">
>
> That goes into a standard default.htm or index.htm page located in the inetpub/wwwroot folder.
>
> Sincerely,
>
> Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
> Microsoft MVP - Dir. Services / Security
> www.readymaids.com - we know IT
> www.akomolafe.com
> Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Friday, April 08, 2005 10:59 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] SSL on OWA to change password
>
> There's an ASP command called response.redirect that will do it, as well as a static HTML meta tag for redirects - should be able to search pretty quickly for the specific syntax.
>
> Roger Seielstad
> E-mail Geek
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> > Sent: Thursday, April 07, 2005 10:01 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] SSL on OWA to change password
> >
> > Not to sound naive but how do I do that?
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> > Sent: Tuesday, April 05, 2005 11:41 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] SSL on OWA to change password
> >
> > What's to change? Put an http redirect page on port 80 and redirect to 443 - they'll never know the difference.
> >
> > Roger Seielstad
> > E-mail Geek
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> > > Sent: Tuesday, April 05, 2005 2:32 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] SSL on OWA to change password
> > >
> > > I would, however my organization is not ready to change to it yet, but I need the Change password function working
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> > > Sent: Tuesday, April 05, 2005 3:31 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] SSL on OWA to change password
> > >
RE: [ActiveDir] SSL on OWA to change password
Yeah. What he said. ;)

Thanks Deji

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, April 08, 2005 11:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SSL on OWA to change password

<META HTTP-EQUIV="Refresh" CONTENT="1; URL=https://myowa.mycompany.blah/exchange">

That goes into a standard default.htm or index.htm page located in the inetpub/wwwroot folder.

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Dir. Services / Security
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, April 08, 2005 10:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SSL on OWA to change password

There's an ASP command called response.redirect that will do it, as well as a static HTML meta tag for redirects - should be able to search pretty quickly for the specific syntax.

Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> Sent: Thursday, April 07, 2005 10:01 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] SSL on OWA to change password
>
> Not to sound naive but how do I do that?
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Tuesday, April 05, 2005 11:41 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] SSL on OWA to change password
>
> What's to change? Put an http redirect page on port 80 and redirect to 443 - they'll never know the difference.
>
> Roger Seielstad
> E-mail Geek
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> > Sent: Tuesday, April 05, 2005 2:32 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] SSL on OWA to change password
> >
> > I would, however my organization is not ready to change to it yet, but I need the Change password function working
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> > Sent: Tuesday, April 05, 2005 3:31 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] SSL on OWA to change password
> >
> > Why would you not want to use it on the entire site (for the sake of argument?)
> >
> > I'm not sure I get it. Wouldn't you want it for all of OWA?
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> > Sent: Tuesday, April 05, 2005 12:34 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] SSL on OWA to change password
> >
> > Guys, I sent this to a different list but also wanted to bounce it off of you.
> >
> > Justin A. Salandra
> > MCSE Windows 2000 & 2003
> > Network and Technology Services Manager, Catholic Healthcare System
> > 212.752.7300 - office
> > 917.455.0110 - cell
> > [EMAIL PROTECTED]
> >
> > -Original Message-
> > From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, April 05, 2005 11:10 AM
> > To: [EMAIL PROTECTED]
> > Subject: [Exchange2000] SSL on OWA to change password
> >
> > Please check my logic here. To enable SSL on only the IISADMPWD virtual directory I do the following steps:
> >
> > Create the IISADMPWD Virtual Directory
> > Ensure proper rights and authenticated access are set on that directory
> > Apply the hotfixes described in the KB Articles for Windows 2003
> > Run asutil.vbs script to set the PasswordChangeFlag to 0
> > Generate the SSL Certificate
> > Apply the SSL Certificate
> > Set the IISADMPWD Virtual Directory to require SSL
> > Modify the Registry to show the Change Password button
> >
> > http:
RE: [ActiveDir] Netdom to Join
That only applies to creating the computer account, which has already been done in the scenario described.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Aragon
Sent: Friday, April 08, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Netdom to Join

Noah,

That depends on what you have "Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Add workstations to Domain" set to allow. We are a medium sized University and have authorized a group, comprised of specified users from each of the 13 colleges and major divisions on our campus, to do this. They do not have Administrative authority except within their own OU, and even that is limited to adding computers and creating/editing GPOs within that OU. Several units Ghost their machines and use Netdom without issue to join them to the Domain.

David Aragon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, April 08, 2005 2:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Netdom to Join

Hi – What are the minimum credentials that a user needs to join a computer to the domain when the computer account is already created? I am trying to script netdom to do this and getting denied if the user has less than administrative access.

Thanks.

-- nme
RE: [ActiveDir] Netdom to Join
Via the ADU&C GUI, there's a permissions page when you create the computer account which corresponds to which principals have access to associate a machine with the account. I don't, however, know what the specific permission name is for that setting.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, April 08, 2005 2:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Netdom to Join

Hi – What are the minimum credentials that a user needs to join a computer to the domain when the computer account is already created? I am trying to script netdom to do this and getting denied if the user has less than administrative access.

Thanks.

-- nme
RE: [ActiveDir] alias not working
Actually, we do it with a number of our servers.

Is the DNS record a CNAME or an A record?

If it's a CNAME, is the target the FQDN of the box?
fs1 in cname fileserver1.domain.com
Or is it
fs1 in cname fileserver1
Unless it is the former, it won't work.

Alternately (but less elegant IMO) you could just cut an A record:
fs1 in a 192.168.0.1

----
Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Friday, April 08, 2005 2:10 PM
> To: ActiveDir@mail.activedir.org
> Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] alias not working
>
> Hi Jeff
>
> This is because when I access a server it verifies that the server that I am requesting matches the NetBIOS name on the server itself. Aliases, A records and WINS / LMHosts will not fix this in any configuration we have tried. The access denied is "server name does not match".
>
> Regards;
>
> James R. Day
> Active Directory Core Team
> Office of the Chief Information Officer
> National Park Service
> (202) 354-1464 (direct)
> (202) 371-1549 (fax)
> [EMAIL PROTECTED]
>
> From: "Cothern Jeff D. Team EITC" <[EMAIL PROTECTED]>, sent by [EMAIL PROTECTED], 04/08/2005 04:33 PM AST (please respond to ActiveDir)
> cc: (bcc: James Day/Contractor/NPS)
> Subject: [ActiveDir] alias not working
>
> Ok for some reason 2003 and XP machines that are locked down with policies are not working with an alias that was created within DNS for a server.
>
> To shorten the length of a server name for share purposes we created an alias.
>
> I.e. Fileserver1 alias FS1.
>
> If you go onto the machine and type in \\fs1 you get an access denied message. If you type \\Fileserver1 it takes you right into the server.
>
> Anyone have a clue on which policies may be affecting this.
>
> Jeff
RE: [ActiveDir] alias not working
Do your clients have a DNS suffix search order defined? Without it they generally won't do host name to FQDN transitions for CNAMEs.

Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
> Sent: Friday, April 08, 2005 1:33 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] alias not working
>
> Ok for some reason 2003 and XP machines that are locked down with policies are not working with an alias that was created within DNS for a server.
>
> To shorten the length of a server name for share purposes we created an alias.
>
> I.e. Fileserver1 alias FS1.
>
> If you go onto the machine and type in \\fs1 you get an access denied message. If you type \\Fileserver1 it takes you right into the server.
>
> Anyone have a clue on which policies may be affecting this.
>
> Jeff
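The two DNS points raised in the alias replies above (a CNAME whose target is not the FQDN of the box, and clients with no DNS suffix search list) as an added example; this is not code from the list or from any poster. It models a stub resolver offline against a constructed zone and assumes the Windows DNS console stores a CNAME target exactly as typed, so a target entered as a bare host name becomes a root-level absolute name rather than a name inside the zone.

```python
"""Offline model of short-name alias resolution for the alias thread above.

Added example with constructed data. Assumption: the DNS console stores a
CNAME target literally, so "fileserver1" (no domain) is kept as the
absolute name "fileserver1." and never reaches fileserver1.domain.com.
"""
from __future__ import annotations

from typing import Dict, List, Optional, Tuple

# A zone maps an absolute owner name to (record type, record data).
Zone = Dict[str, Tuple[str, str]]

# Constructed sample zone for domain.com; not taken from any real server.
SAMPLE_ZONE: Zone = {
    "fileserver1.domain.com.": ("A", "192.168.0.1"),
    # Correct alias: the target is the FQDN of the box.
    "fs1.domain.com.": ("CNAME", "fileserver1.domain.com."),
    # Broken alias: target typed as a bare host name, stored root-relative.
    "fs2.domain.com.": ("CNAME", "fileserver1."),
    # The alternative mentioned in the thread: a plain A record for the alias.
    "fs3.domain.com.": ("A", "192.168.0.1"),
}


def absolute(name: str) -> str:
    """Normalize a name to lower case with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def candidates(query: str, suffixes: List[str]) -> List[str]:
    """Names a client tries for a query, mimicking suffix search behaviour.

    A single-label name such as "fs1" is qualified with each configured
    suffix in order; with an empty suffix list it is tried as-is, which is
    the no-suffix-search-order case asked about above. Dotted names are
    tried exactly as given.
    """
    if "." in query.rstrip("."):
        return [absolute(query)]
    return [absolute(f"{query}.{s}") for s in suffixes] or [absolute(query)]


def resolve(query: str, zone: Zone, suffixes: List[str],
            max_chain: int = 8) -> Optional[Tuple[str, List[str]]]:
    """Resolve a query to an address, following CNAMEs like a stub resolver.

    Returns (address, chain of names visited) or None when resolution fails,
    including when a CNAME points at a name the zone does not hold. The
    chain length is capped so a CNAME loop cannot spin forever.
    """
    for name in candidates(query, suffixes):
        chain = [name]
        current = name
        for _ in range(max_chain):
            record = zone.get(current)
            if record is None:
                break
            rtype, data = record
            if rtype == "A":
                return data, chain
            if rtype == "CNAME":
                current = absolute(data)  # CNAME targets are absolute names
                chain.append(current)
                continue
            break
    return None


def audit_cnames(zone: Zone) -> List[Tuple[str, str, str]]:
    """Flag CNAME records whose target cannot be reached inside the zone.

    Reports (owner, target, reason) for targets that are a single label
    (typed without the domain) or that do not resolve to an A record.
    """
    findings: List[Tuple[str, str, str]] = []
    for owner, (rtype, target) in sorted(zone.items()):
        if rtype != "CNAME":
            continue
        if target.rstrip(".").count(".") == 0:
            findings.append((owner, target,
                             "target is a bare host name, not the FQDN of the box"))
        elif resolve(target, zone, []) is None:
            findings.append((owner, target,
                             "target does not resolve to an A record"))
    return findings


if __name__ == "__main__":
    for query, sfx in [("fs1", ["domain.com"]), ("fs1", []),
                       ("fs2", ["domain.com"]), ("fs3", ["domain.com"])]:
        print(query, sfx, "->", resolve(query, SAMPLE_ZONE, sfx))
    for finding in audit_cnames(SAMPLE_ZONE):
        print("audit:", finding)
```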
RE: [ActiveDir] IPSec and Group Policy
Hey Laura!

Yes - closest GPO will win in that scenario.

Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
> Sent: Friday, April 08, 2005 6:56 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] IPSec and Group Policy
>
> Morning all,
>
> I'm getting conflicting references on this question from Google, but I imagine someone here can answer definitively in about 5 seconds:
>
> Am I able to assign a single common IPSec policy to a domain GPO, but also have separate IPSec configurations for OUs lower in the AD infrastructure, so that boxen in individual OUs can have different IPSec rulesets? Or is IPSec one of those GPO settings like Account Lockouts or Password Policies where you only get one per domain?
>
> Thanks!
>
> Laura
RE: [ActiveDir] problem accessing AD when the user has been authenticated via certificate mapping
You are correct - it is Kerberos delegation. I've never done it, but it is well documented. Start here: http://msdn.microsoft.com/library/default.asp?url=

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of sergio lera
Sent: Friday, April 08, 2005 2:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] problem accessing AD when the user has been authenticated via certificate mapping

I think I need Kerberos delegation to pass the security context from the web server to the AD server... has anybody done this? Can u help me? Thanks a lot!

Roger Seielstad <[EMAIL PROTECTED]> wrote:

Taking a wag at it - you're dealing with an impersonation issue. Take a look at the fourth question and answer in: http://msdn.microsoft.com/msdnmag/issues/05/04/WebQA/default.aspx

You might also have to set the computer account to be trusted for delegation (I think that's the setting) - but I'm not sure.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of sergio lera
Sent: Tuesday, April 05, 2005 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] problem accessing AD when the user has been authenticated via certificate mapping

hello list,

I am developing an ASP.NET web application which interacts with AD. Client/User authentication must be via AD certificate mapping, so I have configured IIS to do UPN mapping:
-- In the IIS manager...
-- in the properties of the web site...
-- under "directory security"...
-- under "Secure Communications", select Edit.
-- select "Require secure channel"; select "require client certificates" and also select "Enable client certificate mapping".

I think the mapping is done ok, because when I get the current user by using Context.User.Identity.Name or WindowsIdentity.GetCurrent().Name the result is the user who is the owner of the certificate used to do the client authentication. So, I suppose the web application is running under the user account credentials.

The problem is that I cannot access AD via ADSI (using the .NET DirectoryServices API). I get an operational error related with authentication. The source code of the DirectoryEntry creation is something like this:

DirectoryEntry oDE = new DirectoryEntry("LDAP://"+[servername]+":"+[serverport]+"/", null, null, AuthenticationTypes.Secure);

The description of the AuthenticationTypes.Secure flag says that "it requests secure authentication. When the user name and password are a null reference, ADSI binds to the object using the security context of the calling thread, which is either the security context of the user account under which the application is running or of the client user account that the calling thread is impersonating".

The web application is running under a user account which has the required permissions to do the operation, but the AD server must not be permitting the operation. I am sure that user account has the suitable permissions because if I enable anonymous access in IIS and I use the user account for the anonymous access, the AD server permits the operations.

Any idea? What could be the problem? Could it be the authentication type? Problems related with impersonation? I am a bit lost...

Thanks in advance! ...and sorry for my poor English ;)

zZz-zZz-zZz-zZz-zZz-zZz-zZz-zZz
throw new Exception("SoftLera!!!");
zZz-zZz-zZz-zZz-zZz-zZz-zZz-zZz
RE: [ActiveDir] Filtering for GPO's
IIRC, user settings in a GPO only apply to user accounts in the OU to which the GPO applies - so if it's on a workstation-only GPO, it shouldn't affect the users regardless of what machine they sign into.

Security group filtering is probably the best way to pull this off for your transition period.

Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
> Sent: Thursday, April 07, 2005 3:56 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Filtering for GPO's
>
> I have been looking at different ways I could filter a GPO. Basically here is the scenario. We are starting a migration to XP here shortly. Currently users are on 2000 workstations. There are some specific policies that change the way we do business on the XP machines that I want to ensure do not affect the 2000 workstations. I thought of WMI filtering but according to the GPMC_administering.doc, 2000 will ignore the filtering and apply the GPO anyway. So that won't work. If I put all the 2000 workstations into a group and denied apply rights to that GPO, would it keep that GPO from running if a user signed into the 2000 machine, but apply if the user signed into an XP machine? The policies are on the User side of the GPO.
>
> Thanks
>
> Jeff
>
> "scripting is my enemy"
RE: [ActiveDir] SSL on OWA to change password
There's an ASP command called response.redirect that will do it, as well as a static HTML meta tag for redirects - should be able to search pretty quickly for the specific syntax.

Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> Sent: Thursday, April 07, 2005 10:01 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] SSL on OWA to change password
>
> Not to sound naive but how do I do that?
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Tuesday, April 05, 2005 11:41 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] SSL on OWA to change password
>
> What's to change? Put an http redirect page on port 80 and redirect to 443 - they'll never know the difference.
>
> Roger Seielstad
> E-mail Geek
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> > Sent: Tuesday, April 05, 2005 2:32 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] SSL on OWA to change password
> >
> > I would, however my organization is not ready to change to it yet, but I need the Change password function working
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> > Sent: Tuesday, April 05, 2005 3:31 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] SSL on OWA to change password
> >
> > Why would you not want to use it on the entire site (for the sake of argument?)
> >
> > I'm not sure I get it. Wouldn't you want it for all of OWA?
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> > Sent: Tuesday, April 05, 2005 12:34 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] SSL on OWA to change password
> >
> > Guys, I sent this to a different list but also wanted to bounce it off of you.
> >
> > Justin A. Salandra
> > MCSE Windows 2000 & 2003
> > Network and Technology Services Manager, Catholic Healthcare System
> > 212.752.7300 - office
> > 917.455.0110 - cell
> > [EMAIL PROTECTED]
> >
> > -Original Message-
> > From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, April 05, 2005 11:10 AM
> > To: [EMAIL PROTECTED]
> > Subject: [Exchange2000] SSL on OWA to change password
> >
> > Please check my logic here. To enable SSL on only the IISADMPWD virtual directory I do the following steps:
> >
> > Create the IISADMPWD Virtual Directory
> > Ensure proper rights and authenticated access are set on that directory
> > Apply the hotfixes described in the KB Articles for Windows 2003
> > Run asutil.vbs script to set the PasswordChangeFlag to 0
> > Generate the SSL Certificate
> > Apply the SSL Certificate
> > Set the IISADMPWD Virtual Directory to require SSL
> > Modify the Registry to show the Change Password button
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;297121
> > http://support.microsoft.com/kb/833734/EN-US/
> > http://support.microsoft.com/kb/327134/
> >
> > I only want to use HTTPS on the change password screen, not the entire OWA Site.
> >
> > Thanks
> >
> > Justin A. Salandra
> > MCSE Windows 2000 & 2003
> > Network and Technology Services Manager, Catholic Healthcare System
> > 212.752.7300 - office
> > 917.455.0110 - cell
> > [EMAIL PROTECTED]
RE: [ActiveDir] Change Password Policy
The mantra from day one has always been that password policy is domain wide - that leads me to the conclusion that it can't be blocked. I'm sure ~eric or one of the others with vast URLs of docs can point to something that proves it, but that's how I've always known the case to be.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Thursday, April 07, 2005 8:06 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Change Password Policy

Really? This is what I'm afraid of and I'm having a hard time confirming. Does anyone know for sure?

Thanks

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 06, 2005 10:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Password Policy

I don't believe you can block inheritance on domain password policy.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Wednesday, April 06, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Password Policy

Hi Christine,

It's going to be domain wide unless you set certain OUs to block inheritance. Have a look at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/212eb1fd-11f4-465f-b243-73e542d06b2c.mspx for more info!

Thanks,
Francis

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: 6 April 2005 14:58
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Change Password Policy

Hello,

We are looking to implement a GPO to force password changes. Is there any way to restrict who this applies to? Or if I set it for the domain, is it domain wide?

Thanks
RE: [ActiveDir] SLOWWWWWW Logons
I think if you set that to 1 it basically forces TCP rather than UDP as well. We do that with the hosts on our production network.

Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Becker, Jim
> Sent: Thursday, April 07, 2005 5:37 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] SLOWW Logons
>
> This sounds very much like an issue we had and the problem had to do with UDP packet fragmentation. Perhaps you can try the following Kerberos change. If it doesn't work, remove it.
>
> Add the following Value to the registry on one of the remote workstations, reboot and try again:
>
> HKLM/System/CurrentControlSet/Control/LSA/Kerberos/Parameters/MaxPacketSize DWORD 0x580 (1408 decimal)
>
> Jim Becker
> Asst. Dir. of Administrative Systems
> State University of New York
> System Administration
> [EMAIL PROTECTED]
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Wednesday, April 06, 2005 4:07 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] SLOWW Logons
>
> How much data are those two users pulling down from the domain controllers (network trace?) What's different about them?
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> Sent: Wednesday, April 06, 2005 3:38 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] SLOWW Logons
>
> I have two users amongst 50 in a remote site that no matter what PC they log in to it takes forever, but if someone else logs into that PC, they log on quickly with no problems.
>
> I have already run netdiag and everything passed, I have deleted the local profile on the computer, disjoined and rejoined the domain, changed the network card, provided a different IP address, verified I can access \\domainname\sysvol\domainname and rebooted the PC as well as all the domain controllers and the routers in between the sites. No ports are being blocked by anything, no changes to policies have been done, no new servers have been made domain controllers and none have been demoted. There are two Global Catalogs in that AD Site, replication is working and I have not thrown the PC out the window yet.
>
> What else could be happening here?
>
> Justin A. Salandra
> MCSE Windows 2000 & 2003
> Network and Technology Services Manager
> Catholic Healthcare System
> 212.752.7300 - office
> 917.455.0110 - cell
> [EMAIL PROTECTED]
RE: [ActiveDir] SLOWWWWWW Logons
http://www.winguides.com/registry/display.php/280/

I'd suggest 1400 as a good setting. The problem is that the VPN encapsulation adds size to the packets (like 60 bytes IIRC) and that can kick it over the top of the MTU of the links.

Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> Sent: Wednesday, April 06, 2005 2:25 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] SLOWW Logons
>
> They are connecting through a VPN Connection. How do you change the MTU Size?
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
> Sent: Wednesday, April 06, 2005 4:47 PM
> To: 'ActiveDir@mail.activedir.org'
> Subject: RE: [ActiveDir] SLOWW Logons
>
> Do they use a different logon script than everyone else, or could the logon script have an additional program that might run for them and not some others?
>
> Also, are you connecting through a VPN connection? I had an issue at one of my locations where half the staff were having about a 30 minute logon time and the fix was to reset the default MTU packet size on the workstations. I think this had something to do with fragmentation and 2003 AD security packets that weren't supposed to be fragmented. It was an odd issue with a quick solution.
>
> Charlie
>
> -Original Message-
> From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 06, 2005 3:40 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] SLOWW Logons
>
> Deleting the profile does this, does it not? How would that explain the same problem on another computer?
>
> Roaming profiles are NOT being used.
>
> Justin A. Salandra
> MCSE Windows 2000 & 2003
> Network and Technology Services Manager
> Catholic Healthcare System
> 212.752.7300 - office
> 917.455.0110 - cell
> [EMAIL PROTECTED]
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
> Sent: Wednesday, April 06, 2005 4:05 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] SLOWW Logons
>
> Have you tried deleting their account from the Documents and Settings folder, then having them log back on? Back up their desktops first of course :)
>
> Mike
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> Sent: Wednesday, April 06, 2005 12:38 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] SLOWW Logons
>
> I have two users amongst 50 in a remote site that no matter what PC they log in to, it takes forever, but if someone else logs into that PC, they log on quickly with no problems.
>
> I have already run netdiag and everything passed, I have deleted the local profile on the computer, disjoined and rejoined the domain, changed the network card, provided a different IP address, verified I can access \\domainname\sysvol\domainname and rebooted the PC as well as all the domain controllers and the routers in between the sites. No ports are being blocked by anything, no changes to policies have been done, no new servers have been made domain controllers and none have been demoted. There are two Global Catalogs in that AD Site, replication is working and I have not thrown the PC out the window yet.
>
> What else could be happening here?
>
> Justin A. Salandra
> MCSE Windows 2000 & 2003
> Network and Technology Services Manager
> Catholic Healthcare System
> 212.752.7300 - office
> 917.455.0110 - cell
> [EMAIL PROTECTED]
RE: [ActiveDir] Change Password Policy
I don't believe you can block inheritance on domain password policy.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Wednesday, April 06, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Password Policy

Hi Christine,

It's going to be domain wide unless you set certain OUs to block inheritance. Have a look at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/212eb1fd-11f4-465f-b243-73e542d06b2c.mspx for more info!

Thanks,
Francis

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: 6 April 2005 14:58
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Change Password Policy

Hello,

We are looking to implement a GPO to force password changes. Is there any way to restrict who this applies to? Or if I set it for the domain, it's domain wide.

Thanks
RE: [ActiveDir] Audit Policies are not applying in windows 2000
Have you tried "gpupdate.exe /force" and "gpresult.exe /scope computer /v" and looked at what's really happening?

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schmieder, Marc
Sent: Wednesday, April 06, 2005 8:13 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Audit Policies are not applying in windows 2000

We have many servers that are not getting the correct auditing policies applied, although all other policy settings are working correctly. I've already checked for Blocked Inheritance, enabled UserEnv.log and I cannot find anything that indicates any problems. When I change the audit policies on the Domain, these problematic servers don't seem to see the change when they do a policy refresh. It doesn't seem to matter what OU the servers are in either. Some machines work in the same OU as another machine that doesn't.

Another thing is that the userenv.log entries for the security extension seem to change. They are listed below from earliest to oldest. Does anyone know why this would occur, or how to fix it?

USERENV(d0.358) 09:56:30:107 ProcessGPOs: Processing extension Security
USERENV(d0.358) 09:56:30:107 CompareGPOLists: The lists are the same.
USERENV(d0.358) 09:56:30:107 CheckGPOs: No GPO changes and no security group membership change and extension Security has NoGPOChanges set.
USERENV(d0.350) 10:00:00:515 ProcessGPOs: Processing extension Security
USERENV(d0.350) 10:00:00:515 CompareGPOLists: The lists are the same.
USERENV(d0.350) 10:00:00:515 CheckGPOs: No GPO changes but extension Security's MaxNoGPOListChangesInterval has been exceeded.
USERENV(d0.350) 10:00:00:515 ProcessGPOs: Processing extension Security
USERENV(b7c.bb8) 10:20:51:039 ProcessGPOs: Extension Security skipped with flags 0x6.

Thank you,
Marc Schmieder
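Added example, not part of the thread: a small Python parser for userenv.log lines in the format Marc quoted, which groups them into policy-refresh passes and labels what the Security extension did in each pass. The log lines are reproduced from the post; treating one (pid, tid) pair as one refresh pass and the outcome labels are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample: the userenv.log lines quoted in the post above, in their original format.
SAMPLE_USERENV_LOG = """\
USERENV(d0.358) 09:56:30:107 ProcessGPOs: Processing extension Security
USERENV(d0.358) 09:56:30:107 CompareGPOLists: The lists are the same.
USERENV(d0.358) 09:56:30:107 CheckGPOs: No GPO changes and no security group membership change and extension Security has NoGPOChanges set.
USERENV(d0.350) 10:00:00:515 ProcessGPOs: Processing extension Security
USERENV(d0.350) 10:00:00:515 CompareGPOLists: The lists are the same.
USERENV(d0.350) 10:00:00:515 CheckGPOs: No GPO changes but extension Security's MaxNoGPOListChangesInterval has been exceeded.
USERENV(d0.350) 10:00:00:515 ProcessGPOs: Processing extension Security
USERENV(b7c.bb8) 10:20:51:039 ProcessGPOs: Extension Security skipped with flags 0x6.
"""

# Line shape: USERENV(<pid>.<tid>) <hh:mm:ss:ms> <Function>: <message>
LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-fA-F]+)\.(?P<tid>[0-9a-fA-F]+)\)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<func>\w+):\s*(?P<msg>.*)$"
)


def parse_userenv(text: str) -> List[Dict[str, str]]:
    """Turn userenv.log text into dicts; lines that are not USERENV entries are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def cse_passes(entries: List[Dict[str, str]], extension: str = "Security") -> List[Dict[str, str]]:
    """Group entries by (pid, tid), which this example assumes is one policy-refresh pass,
    and label what the named client-side extension (CSE) did in that pass:
      applied        - MaxNoGPOListChangesInterval expired, so the CSE re-applied its settings
      not_reapplied  - no GPO change and the CSE has NoGPOChanges set, so nothing was rewritten
      not_run        - the CSE was skipped outright ("skipped with flags ...")
      unknown        - no decisive line seen for this pass
    """
    passes: Dict[tuple, Dict[str, str]] = {}
    order: List[tuple] = []
    for e in entries:
        key = (e["pid"], e["tid"])
        if key not in passes:
            passes[key] = {"pid": e["pid"], "tid": e["tid"], "time": e["time"],
                           "outcome": "unknown", "evidence": ""}
            order.append(key)
        msg = e["msg"]
        if f"Extension {extension} skipped with flags" in msg:
            passes[key].update(outcome="not_run", evidence=msg)
        elif f"extension {extension} has NoGPOChanges set" in msg:
            passes[key].update(outcome="not_reapplied", evidence=msg)
        elif f"extension {extension}'s MaxNoGPOListChangesInterval has been exceeded" in msg:
            passes[key].update(outcome="applied", evidence=msg)
    return [passes[k] for k in order]


def passes_without_apply(passes: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Passes in which the CSE did not (re)write settings: the ones to examine first when a
    changed audit policy never shows up on a server."""
    return [p for p in passes if p["outcome"] in ("not_run", "not_reapplied")]


if __name__ == "__main__":
    for p in cse_passes(parse_userenv(SAMPLE_USERENV_LOG)):
        print(p["time"], f"{p['pid']}.{p['tid']}", p["outcome"], "-", p["evidence"])
```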
RE: [ActiveDir] Script to add a group to the local administrator's group?
Some clown named Joe that runs a site called joeware.net has some tool called lg that would handle it remotely.

Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Tuesday, April 05, 2005 6:57 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Script to add a group to the local administrator's group?
>
> Hi Jose
>
> We do it as a GPO based startup script here. You can also use the GPO restricted groups, but you have to be a bit more careful.
>
> PSExecute will allow you to run it remotely on several machines at once as well (I believe PSExecute is a free Winternals or Sysinternals tool)
>
> Regards;
>
> James R. Day
> Active Directory Core Team
> Office of the Chief Information Officer
> National Park Service
> (202) 354-1464 (direct)
> (202) 371-1549 (fax)
> [EMAIL PROTECTED]
>
> "Medeiros, Jose" <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 04/05/2005 05:29 PM MST
> Please respond to ActiveDir
> cc: (bcc: James Day/Contractor/NPS)
> Subject: RE: [ActiveDir] Script to add a group to the local administrator's group?
>
> Sounds easy enough, now how can I have this run and update 500 servers without having to logon to each one or add it as a logon script?
>
> Thanks in advance for your help!
>
> Senior System Engineer
> ADP National Accounts, ProBusiness Division
> Jose Medeiros
>
> ---
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
> Sent: Tuesday, April 05, 2005 5:19 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Script to add a group to the local administrator's group?
>
> Hi Jose
>
> net localgroup administrators "grupnametoadd" /add
>
> Only 11 words!
>
> Regards;
>
> James R. Day
> Active Directory Core Team
> Office of the Chief Information Officer
> National Park Service
> (202) 354-1464 (direct)
> (202) 371-1549 (fax)
> [EMAIL PROTECTED]
>
> "Medeiros, Jose" <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 04/05/2005 04:28 PM MST
> Please respond to ActiveDir
> cc: (bcc: James Day/Contractor/NPS)
> Subject: [ActiveDir] Script to add a group to the local administrator's group?
>
> Greetings,
>
> I am new to the list, so please forgive me if this has been posted in the past.
>
> Does anyone have a Script to add a doma
RE: [ActiveDir] Script to add a group to the local administrator's group?
Would it not make more sense to use the Restricted Groups functionality and insert it that way?

Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
> Sent: Tuesday, April 05, 2005 4:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Script to add a group to the local administrator's group?
>
> Greetings,
>
> I am new to the list, so please forgive me if this has been posted in the past.
>
> Does anyone have a Script to add a domain group to the local administrator's group on member servers or workstations?
>
> Sincerely,
>
> Jose Medeiros
> 408-449-6621 Cell
RE: [ActiveDir] SSL on OWA to change password
What's to change? Put an http redirect page on port 80 and redirect to 443 - they'll never know the difference.

----
Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> Sent: Tuesday, April 05, 2005 2:32 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] SSL on OWA to change password
>
> I would, however my organization is not ready to change to it yet, but I need the Change Password function working.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Tuesday, April 05, 2005 3:31 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] SSL on OWA to change password
>
> Why would you not want to use it on the entire site (for the sake of argument)?
>
> I'm not sure I get it. Wouldn't you want it for all of OWA?
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> Sent: Tuesday, April 05, 2005 12:34 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] SSL on OWA to change password
>
> Guys, I sent this to a different list but also wanted to bounce it off of you.
>
> Justin A. Salandra
> MCSE Windows 2000 & 2003
> Network and Technology Services Manager
> Catholic Healthcare System
> 212.752.7300 - office
> 917.455.0110 - cell
> [EMAIL PROTECTED]
>
> -Original Message-
> From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 05, 2005 11:10 AM
> To: [EMAIL PROTECTED]
> Subject: [Exchange2000] SSL on OWA to change password
>
> Please check my logic here. To enable SSL on only the IISADMPWD virtual directory I do the following steps:
>
> Create the IISADMPWD Virtual Directory
> Ensure proper rights and authenticated access are set on that directory
> Apply the hotfixes described in the KB Articles for Windows 2003
> Run asutil.vbs script to set the PasswordChangeFlag to 0
> Generate the SSL Certificate
> Apply the SSL Certificate
> Set the IISADMPWD Virtual Directory to require SSL
> Modify the Registry to show the Change Password button
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;297121
> http://support.microsoft.com/kb/833734/EN-US/
> http://support.microsoft.com/kb/327134/
>
> I only want to use HTTPS on the change password screen, not the entire OWA Site.
>
> Thanks
>
> Justin A. Salandra
> MCSE Windows 2000 & 2003
> Network and Technology Services Manager
> Catholic Healthcare System
> 212.752.7300 - office
> 917.455.0110 - cell
> [EMAIL PROTECTED]
RE: [ActiveDir] SSL on OWA to change password
Maybe to protect the data within the emails? Specifically company confidential mail?

Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT
> Sent: Tuesday, April 05, 2005 1:11 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] SSL on OWA to change password
>
> The potential problem with this is that when the user initially authenticates to OWA, their logon/password is sent plain text as well.
> I'm not sure why you wouldn't want to enable SSL for the entire session.
>
> Dave
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> Sent: Tuesday, April 05, 2005 09:34 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] SSL on OWA to change password
>
> Guys, I sent this to a different list but also wanted to bounce it off of you.
>
> Justin A. Salandra
> MCSE Windows 2000 & 2003
> Network and Technology Services Manager
> Catholic Healthcare System
> 212.752.7300 - office
> 917.455.0110 - cell
> [EMAIL PROTECTED]
>
> -Original Message-
> From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 05, 2005 11:10 AM
> To: [EMAIL PROTECTED]
> Subject: [Exchange2000] SSL on OWA to change password
>
> Please check my logic here. To enable SSL on only the IISADMPWD virtual directory I do the following steps:
>
> Create the IISADMPWD Virtual Directory
> Ensure proper rights and authenticated access are set on that directory
> Apply the hotfixes described in the KB Articles for Windows 2003
> Run asutil.vbs script to set the PasswordChangeFlag to 0
> Generate the SSL Certificate
> Apply the SSL Certificate
> Set the IISADMPWD Virtual Directory to require SSL
> Modify the Registry to show the Change Password button
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;297121
> http://support.microsoft.com/kb/833734/EN-US/
> http://support.microsoft.com/kb/327134/
>
> I only want to use HTTPS on the change password screen, not the entire OWA Site.
>
> Thanks
>
> Justin A. Salandra
> MCSE Windows 2000 & 2003
> Network and Technology Services Manager
> Catholic Healthcare System
> 212.752.7300 - office
> 917.455.0110 - cell
> [EMAIL PROTECTED]
RE: [ActiveDir] problem accessing AD when the user has been authenticated via certificate mapping
Taking a wag at it - you're dealing with an impersonation issue. Take a look at the fourth question and answer in: http://msdn.microsoft.com/msdnmag/issues/05/04/WebQA/default.aspx

You might also have to set the computer account to be trusted for delegation (I think that's the setting) - but I'm not sure.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of sergio lera
Sent: Tuesday, April 05, 2005 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] problem accessing AD when the user has been authenticated via certificate mapping

hello list,

I am developing an ASP.NET web application which interacts with AD. Client/User authentication must be via AD certificate mapping, so I have configured IIS to do UPN mapping:

-- In the IIS manager ...
-- in the properties of the web site...
-- under "directory security"..
-- under "Secure Communications", select Edit.
-- select "Require secure channel"; select "require client certificates" and also select "Enable client certificate mapping".

I think the mapping is done ok, because when I get the current user by using Context.User.Identity.Name or WindowsIdentity.GetCurrent().Name the result is the user who is the owner of the certificate used to do the client authentication. So, I suppose the web application is running under the user account credentials.

The problem is that I cannot access AD via ADSI (using the .NET DirectoryServices API). I get an operational error related to authentication. The source code of the DirectoryEntry creation is something like this:

DirectoryEntry oDE = new DirectoryEntry("LDAP://"+[servername]+":"+[serverport]+"/",null,null,AuthenticationTypes.Secure);

The description of the AuthenticationTypes.Secure flag says that "it requests secure authentication. When the user name and password are a null reference, ADSI binds to the object using the security context of the calling thread, which is either the security context of the user account under which the application is running or of the client user account that the calling thread is impersonating".

The web application is running under a user account which has got the required permissions to do the operation, but the AD server must not be permitting the operation. I am sure that user account has got the suitable permissions because if I enable anonymous access in IIS and I use the user account for the anonymous access, the AD server permits the operations.

Any idea? What could be the problem? Could it be the authentication type? Problems related to impersonation? I am a bit lost...

Thanks in advance! ...and sorry for my poor English ;)

zZz-zZz-zZz-zZz-zZz-zZz-zZz-zZz
throw new Exception("SoftLera!!!");
zZz-zZz-zZz-zZz-zZz-zZz-zZz-zZz
RE: [ActiveDir] Unmapped IP Subnets in Another AD Forest
I'd think that it would be considered expected behavior - I don't believe one forest would have a concept of the other's sites and subnets.

Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
> Sent: Monday, April 04, 2005 9:00 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Unmapped IP Subnets in Another AD Forest
>
> I agree...my question is whether this is expected behavior or not. As a very good Microsoft engineer once told me, "we don't want to cover up evil". If AD is acting as expected, then you're right and we'll handle it. If not, then it would be good to know that as well.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Monday, April 04, 2005 10:03 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Unmapped IP Subnets in Another AD Forest
>
> It strikes me like the best way to handle that is to provide correct site and subnet mappings across both (all) forests - especially when there are cross forest processes happening.
>
> Roger Seielstad
> E-mail Geek
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
> > Sent: Monday, April 04, 2005 6:20 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Unmapped IP Subnets in Another AD Forest
> >
> > I have an odd problem. I checked one of our AD 2000 (SP4) forests today. It had a flurry of Event ID 5778s as shown below:
> >
> > Event Type: Information
> > Event Source: NETLOGON
> > Event Category: None
> > Event ID: 5778
> > Date: 4/4/2005
> > Time: 9:14:17 PM
> > User: N/A
> > Computer:
> > Description:
> > '' tried to determine its site by looking up its IP address ('') in the Configuration\Sites\Subnets container in the DS. No subnet matched the IP address. Consider adding a subnet object for this IP address.
> >
> > The only problem was that in some cases, the computers mentioned in the events were authenticating to another forest. There is a 2-way trust between Forest A and Forest B. The user and computer are both in Forest A, with only resources in Forest B (a migration is underway).
> >
> > My understanding of unmapped subnets is that DNS will give you a random list of DCs and you'll query them to find your optimal site. If your IP Address is unmapped, you'll use whichever DC replies first. But you'll also re-query AD every 15 minutes until your IP Subnet is defined and you are using AD optimally.
> >
> > Now if a computer is authenticating to Forest A and then only accessing resources in Forest B, why would he post 5778 events just because his IP Subnet from Forest A isn't also defined in Forest B? This seems wrong to me, somehow. But I thought I'd ask the experts on this alias to see if you had any thoughts.
> >
> > Thanks in advance for your thoughts and help.
> >
> > Scott
RE: [ActiveDir] Unmapped IP Subnets in Another AD Forest
It strikes me like the best way to handle that is to provide correct site and subnet mappings across both (all) forests - especially when there are cross forest processes happening.

Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
> Sent: Monday, April 04, 2005 6:20 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Unmapped IP Subnets in Another AD Forest
>
> I have an odd problem. I checked one of our AD 2000 (SP4) forests today. It had a flurry of Event ID 5778s as shown below:
>
> Event Type: Information
> Event Source: NETLOGON
> Event Category: None
> Event ID: 5778
> Date: 4/4/2005
> Time: 9:14:17 PM
> User: N/A
> Computer:
> Description:
> '' tried to determine its site by looking up its IP address ('') in the Configuration\Sites\Subnets container in the DS. No subnet matched the IP address. Consider adding a subnet object for this IP address.
>
> The only problem was that in some cases, the computers mentioned in the events were authenticating to another forest. There is a 2-way trust between Forest A and Forest B. The user and computer are both in Forest A, with only resources in Forest B (a migration is underway).
>
> My understanding of unmapped subnets is that DNS will give you a random list of DCs and you'll query them to find your optimal site. If your IP Address is unmapped, you'll use whichever DC replies first. But you'll also re-query AD every 15 minutes until your IP Subnet is defined and you are using AD optimally.
>
> Now if a computer is authenticating to Forest A and then only accessing resources in Forest B, why would he post 5778 events just because his IP Subnet from Forest A isn't also defined in Forest B? This seems wrong to me, somehow. But I thought I'd ask the experts on this alias to see if you had any thoughts.
>
> Thanks in advance for your thoughts and help.
>
> Scott
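Added example, not part of either "Unmapped IP Subnets" thread above, illustrating Roger's point that subnet-to-site mappings have to exist in every forest a client authenticates to: it parses NETLOGON 5778 descriptions in the format Scott quoted, checks each client address against a subnet table per forest, and lists the subnet objects each forest is missing. Computer names, addresses, site names, the two subnet tables and the /24 sizing of the proposals are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Body of a NETLOGON 5778 description in the format quoted in the thread (the post had the
# computer name and address redacted). The names and addresses filled in here are constructed.
_5778_TEXT = ("'{computer}' tried to determine its site by looking up its IP address ('{ip}') "
              "in the Configuration\\Sites\\Subnets container in the DS. No subnet matched the "
              "IP address. Consider adding a subnet object for this IP address.")
SAMPLE_5778_EVENTS = [
    _5778_TEXT.format(computer=c, ip=i)
    for c, i in [("WKS-A01", "10.1.20.15"), ("WKS-A02", "10.1.20.77"), ("LAPTOP-B9", "192.168.5.9")]
]

# Constructed subnet -> site tables, one per forest in the two-way trust.
FOREST_SUBNETS: Dict[str, Dict[str, str]] = {
    "ForestA": {"10.1.20.0/24": "NYC", "10.1.30.0/24": "NYC", "192.168.5.0/24": "BOS"},
    "ForestB": {"10.1.30.0/24": "NYC-B"},
}

EVENT_RE = re.compile(
    r"^'(?P<computer>[^']*)' tried to determine its site by looking up its IP address \('(?P<ip>[^']*)'\)"
)


def parse_5778(description: str) -> Optional[Tuple[str, object]]:
    """Extract (computer, address) from a 5778 description; None if it does not match or the
    address is redacted/malformed."""
    m = EVENT_RE.match(description)
    if not m:
        return None
    try:
        return m.group("computer"), ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None


def site_for(ip, subnets: Dict[str, str]):
    """Longest-prefix match of ip against one forest's subnet objects; None if nothing covers it."""
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best


def audit_subnet_coverage(events: List[str], forests: Dict[str, Dict[str, str]]) -> List[dict]:
    """For each 5778 event, record which forests map the client's address to a site and which don't."""
    report = []
    for desc in events:
        parsed = parse_5778(desc)
        if parsed is None:
            continue
        computer, ip = parsed
        sites = {}
        for forest, subnets in forests.items():
            hit = site_for(ip, subnets)
            sites[forest] = hit[1] if hit else None
        report.append({
            "computer": computer,
            "ip": str(ip),
            "sites": sites,
            "missing_in": sorted(f for f, s in sites.items() if s is None),
        })
    return report


def proposed_subnet_objects(report: List[dict], prefixlen: int = 24) -> Dict[str, List[str]]:
    """Collapse unmapped addresses into candidate subnet objects per forest. The /24 is only a
    grouping guess for the example; the real prefix must come from the network plan."""
    proposals = defaultdict(set)
    for row in report:
        block = ipaddress.ip_network(f"{row['ip']}/{prefixlen}", strict=False)
        for forest in row["missing_in"]:
            proposals[forest].add(str(block))
    return {forest: sorted(blocks) for forest, blocks in proposals.items()}


if __name__ == "__main__":
    rep = audit_subnet_coverage(SAMPLE_5778_EVENTS, FOREST_SUBNETS)
    for row in rep:
        print(row["computer"], row["ip"], row["sites"], "missing in:", row["missing_in"])
    print(proposed_subnet_objects(rep))
```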
RE: [ActiveDir] DNS ?
Sure. Get into advanced DNS Punk ;)

Of course, my last AD/Exchange implementation had about 400 users and 25+ email domains, none of which mapped to the DNS name of our AD domains. This really gets more into the concepts of split horizon DNS and the intricacies that are mail routing via DNS.

Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Sunday, April 03, 2005 4:07 PM
> To: ActiveDir@mail.activedir.org; 'Jorge de Almeida Pinto'
> Subject: RE: [ActiveDir] DNS ?
>
> I agree with everything that Roger says. Exactly correct in all regards.
>
> However, I have a similar environment (BIND except for the AD / Windows necessary DNS) where my Exchange servers sit on the internal network - corp.company.com, with the actual SMTP alias of external mail being acme.com. So, in this case, I'm not going to have my Exchange servers registered with MX records on company.com - because it serves no useful purpose.
>
> The MX records are, in fact, registered in the Linux BIND servers to qmail servers that then forward in to Ironmail and then to CA AV servers, then finally to the Exchange servers.
>
> In the above case, as you can see - MX records for my Exchange servers would need to be in the external DNS - even though it might initially seem that the internal would need the records - because the Exchange servers are in the corp. domain - but send and receive SMTP to the outside through the alias 'acme.com'
>
> -rtk
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Sunday, April 03, 2005 12:48 AM
> To: ActiveDir@mail.activedir.org; 'Jorge de Almeida Pinto'
> Cc: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS ?
>
> If the AD servers are authoritative for the domain that the web server is in (i.e. it's www.domain.com and the AD server is authoritative for domain.com), then the answer is yes, you'll need it in your AD servers as well.
>
> Simple rule of thumb - if a DNS server is authoritative for a zone, it needs to know EVERY record you want it to resolve in that zone. It won't forward to another DNS server for records in a zone for which it is authoritative.
>
> Roger Seielstad
> E-mail Geek
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
> > Sent: Saturday, April 02, 2005 1:00 PM
> > To: Jorge de Almeida Pinto
> > Cc: '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
> > Subject: RE: [ActiveDir] DNS ?
> >
> > Active Directory Integrated
> > Both Forward and Reverse Look Up zones. WINS enabled. Dynamic updates enabled and secured.
> >
> > Host www created and pointed to an IP. When accessed www.domain.com within our subnets it worked fine.
> >
> > The main webserver is a member of the AD forest. Only difference is its IP is registered with the main DNS servers.
> >
> > I do not know anything about the DNS zone on the Linux machines.
> >
> > -Z.V.
> >
> > Quoting Jorge de Almeida Pinto <[EMAIL PROTECTED]>:
> >
> > > what's the zone configuration on the DNS servers?
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > To: ActiveDir@mail.activedir.org
> > > Sent: 4/2/2005 9:27 PM
> > > Subject: [ActiveDir] DNS ?
> > >
> > > My situation:
> > >
> > > 1) Main DNS servers are managed by main network core group running Linux/Unix.
> > > 2) My internal DNS servers (W2k AD) are forwarded to main DNS servers.
> > > 3) Do my Mail and WWW servers have to be registered with main DNS servers or can I just create them in my DNS servers?
> > >
> > > TX,
> > > Z.V.
RE: [ActiveDir] DNS ?
If the AD servers are authoritative for the domain that the web server is in (i.e. it's www.domain.com and the AD server is authoritative for domain.com), then the answer is yes, you'll need it in your AD servers as well.

Simple rule of thumb - if a DNS server is authoritative for a zone, it needs to know EVERY record you want it to resolve in that zone. It won't forward to another DNS server for records in a zone for which it is authoritative.

----
Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
> Sent: Saturday, April 02, 2005 1:00 PM
> To: Jorge de Almeida Pinto
> Cc: '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
> Subject: RE: [ActiveDir] DNS ?
>
> Active Directory Integrated
> Both Forward and Reverse Look Up zones. WINS enabled. Dynamic updates enabled and secured.
>
> Host www created and pointed to an IP. When accessed www.domain.com within our subnets it worked fine.
>
> The main webserver is a member of the AD forest. Only difference is its IP is registered with the main DNS servers.
>
> I do not know anything about the DNS zone on the Linux machines.
>
> -Z.V.
>
> Quoting Jorge de Almeida Pinto <[EMAIL PROTECTED]>:
>
> > what's the zone configuration on the DNS servers?
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > To: ActiveDir@mail.activedir.org
> > Sent: 4/2/2005 9:27 PM
> > Subject: [ActiveDir] DNS ?
> >
> > My situation:
> >
> > 1) Main DNS servers are managed by main network core group running Linux/Unix.
> > 2) My internal DNS servers (W2k AD) are forwarded to main DNS servers.
> > 3) Do my Mail and WWW servers have to be registered with main DNS servers or can I just create them in my DNS servers?
> >
> > TX,
> > Z.V.
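Added example, not from either "DNS ?" thread, modelling the rule of thumb Roger states in both: a server answers for any name inside a zone it is authoritative for (a missing record is a negative answer, never a forward), and only names outside all of its zones go to the forwarder. The zone names, the records and the split between corp.acme.com on the AD servers and acme.com on the main servers are constructed for the example.

```python
from typing import Dict, Optional, Tuple

# Constructed zone data for the AD DNS servers in the scenario above: they host corp.acme.com
# and its _msdcs child zone; acme.com itself lives on the main (BIND) servers they forward to.
AD_SERVER_ZONES: Dict[str, Dict[Tuple[str, str], str]] = {
    "corp.acme.com": {
        ("dc1.corp.acme.com", "A"): "10.0.0.10",
        ("mail.corp.acme.com", "A"): "10.0.0.25",
    },
    "_msdcs.corp.acme.com": {
        ("_ldap._tcp.dc._msdcs.corp.acme.com", "SRV"): "0 100 389 dc1.corp.acme.com",
    },
}


def _labels(name: str):
    return name.rstrip(".").lower().split(".")


def authoritative_zone(qname: str, zones: Dict[str, dict]) -> Optional[str]:
    """Return the most specific hosted zone that contains qname (label-wise suffix match),
    or None when the name lies outside every zone this server is authoritative for."""
    q = _labels(qname)
    best = None
    for zone in zones:
        z = _labels(zone)
        if len(z) <= len(q) and q[-len(z):] == z:
            if best is None or len(z) > len(_labels(best)):
                best = zone
    return best


def answer(qname: str, qtype: str, zones: Dict[str, Dict[Tuple[str, str], str]]) -> Tuple[str, Optional[str]]:
    """Model the authoritative server's decision.
    ("authoritative", rdata)     - record found in one of its own zones
    ("authoritative", "NODATA")  - name exists in its zone but not with this type
    ("authoritative", "NXDOMAIN")- name does not exist in its zone; it is NOT forwarded
    ("forward", None)            - name is outside all hosted zones, so the forwarder is asked
    """
    name = qname.rstrip(".").lower()
    zone = authoritative_zone(name, zones)
    if zone is None:
        return ("forward", None)
    rdata = zones[zone].get((name, qtype.upper()))
    if rdata is not None:
        return ("authoritative", rdata)
    exists = any(n == name for n, _ in zones[zone])
    return ("authoritative", "NODATA" if exists else "NXDOMAIN")


if __name__ == "__main__":
    for q, t in [("mail.corp.acme.com", "A"), ("www.corp.acme.com", "A"),
                 ("www.acme.com", "A"), ("acme.com", "MX")]:
        print(f"{q:24} {t:4} ->", answer(q, t, AD_SERVER_ZONES))
```

Adding "www" to the main servers' acme.com zone does not help a client that asks for www.corp.acme.com: the AD server answers NXDOMAIN from its own data, which is exactly why Roger says the record has to be created in the AD zone as well.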
RE: [ActiveDir] Very OT: Server room fire suppression
Apparently it's been found that the non-water based systems are just as bad as the water based ones for the electronics, and generally much worse for the living occupants of the room. Preaction systems are a must - basically the water lines IN the data center are dry - they are only pressurized when they "go off".

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, April 01, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Very OT: Server room fire suppression

Hello:

Sorry for the very OT, but knowing what I know about this list, there will be plenty of opinions about this one. I am outfitting a ground-up server room install for a medium-size business (fewer than 200 employees). The entire building is being built from the ground up. The architects claim that they have done many server rooms and none have used anything but water-based systems. I also realize that "clean agent" systems are very expensive. I have done some reading about "pre-action water systems" that seems to allow a little delay before going off. Any thoughts on this topic are welcome. Again, sorry for the OT. Thanks.

-- nme
RE: [ActiveDir] Compelling arguments?
That should have said it shouldn't be that hard to delegate

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, March 31, 2005 7:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

It should be that hard to delegate those - you should be able to create a stub zone for them pointing back to your AD servers.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 30, 2005 8:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

Just the service records. I don't care about the A records, our process for getting those statically created is pretty painless. It's the ACLs for dynamic updates that cause us pain.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, March 30, 2005 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

What are you trying to delegate - PTR creation or the A record creation?

Roger Seielstad
E-mail Geek & MS-MVP

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 30, 2005 7:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

This is a bit off the topic of the thread, but since we are talking about using BIND DNS with AD I'll go ahead and ask. Has anyone figured out a good way of delegating the update DNS right to your DCs? At my company the DNS admins are on a completely different team and getting them to manage the ACLs is a real pain. I'd love to use TSIG or something along those lines but as far as I can tell this is not supported in Windows. Any suggestions?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 30, 2005 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

True, I've had the same experience with SQL and Kerberos. On the bright side the issues forced all of our server admins to understand Kerberos and engage my team to make sure that it's working properly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 30, 2005 6:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

SQL Server has all sorts of dorked up issues with SPNs, you have to always check them anyway. Someone was on crack that worked out that functionality for SQL Server, I have had my share of arguments with PSS over that. Instead of trying to do things through the computer account they do things through the admin installing the service who often doesn't have the appropriate rights in AD.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 30, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

Not only is being able to register it important, but also that DNS resolves to the correct SPN. Let's say you have a SQL server that is a member of the us.widget.net domain; however, in DNS it is registered as sql1.sea.widget.net. If you look in AD it's likely that the SPN registered will be: MSSql/sql1.us.widget.net. So when a user attempts to get a service ticket, they will pass sql.sea.widget.net and it will fail and the user will use NTLM auth instead. So if you're going to use a different DNS domain model (like we do at my company, we use QIP with regionalized domains) then make sure your SPNs match up.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 29, 2005 9:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

The permission mod you need to make is to correct this.
http://support.microsoft.com/default.aspx?scid=kb;en-us;258503

Again, disjoint namespace works fine in the core OS. The issues that crop up are around poorly written/tested applications.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 3:43 PM
To:
RE: [ActiveDir] 2003 SP1 RTM
I'd rephrase Eric's question slightly differently - what will *you* do over the next few months to get comfortable with it in your environment. That's really the only question that needs to be answered prior to deployment into your environment.

Roger

Roger Seielstad
E-mail Geek

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave A. Marquis
> Sent: Thursday, March 31, 2005 11:23 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] 2003 SP1 RTM
>
> Hello Eric,
>
> I went to the M$ Windows 2003 server page and found this Doc that lays out all of the changes:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/overview.mspx
>
> > You referred to SP1 having "too many changes." How did you make this determination?
>
> I just read the above doc and it seems that this is more of a complete overhaul of the OS vs. some fixes rolled up like Win XP SP1. Also, just my opinion here, but I am in the healthcare field and everything is mission critical as far as the directory is concerned. I personally will let others make the jump and find all the pitfalls as MS isn't always as forthcoming in issues and fixes for those issues.
>
> > What is the threshold where we cross in to too many?
>
> When you are altering the core OS and the way it works vs. a security fix.
>
> > 2) What steps will you be going through between now and when you do install it?
>
> I will cruise the newsgroups to read other accounts as the KB site often has confusing documentation on resolving issues. I find it is better to find the direction one needs to go by other experiences.
>
> > What will you do between now and deployment to give you the confidence level you need to fire it up on a box and see how it goes?
>
> I will just give it a go as soon as it seems safe in a couple of months.
>
> It is just like SP2 for Win XP. If you install it, the SP2 will break the ability to view other people's sessions on their systems. This was a show stopper for me until I spent about a month searching for a little known regedit that needs to be made on the user's system to restore this functionality.
>
> Just my 2 cents. If you have a good firewall and anti-virus protection, things can slide for a little while as others test it out first.
>
> David A. Marquis
> Computer Systems Administrator
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
> Sent: Thursday, March 31, 2005 12:27 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] 2003 SP1 RTM
>
> Dave can you quantify this statement please? I ask out of curiosity, not disagreement.
>
> Specifically:
> 1) You referred to SP1 having "too many changes." How did you make this determination? What is the threshold where we cross in to too many?
> 2) What steps will you be going through between now and when you do install it? What will you do between now and deployment to give you the confidence level you need to fire it up on a box and see how it goes?
>
> Interested, so we can perhaps think through ways to make that less painful going forward.
> ~Eric
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave A. Marquis
> Sent: Thursday, March 31, 2005 8:37 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] 2003 SP1 RTM
>
> I am certainly going to be waiting to install this one for a while, too many changes to jump right into it.
>
> David A. Marquis
> Computer Systems Administrator
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, March 31, 2005 6:48 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] 2003 SP1 RTM
>
> FYI. Windows Server 2003 SP1 went RTM yesterday
>
> http://www.microsoft.com/downloads/details.aspx?familyid=22CFC239-337C-4D81-8354-72593B1C1F43&displaylang=en
RE: [ActiveDir] 2003 SP1 RTM
What I find interesting is some of the things that I know are in SP1 that *aren't* listed on that page. Specifically a huge performance improvement in the TCP stack for servers with more than a few thousand concurrent connections.

Roger Seielstad
E-mail Geek

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave A. Marquis
> Sent: Thursday, March 31, 2005 11:23 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] 2003 SP1 RTM
>
> Hello Eric,
>
> I went to the M$ Windows 2003 server page and found this Doc that lays out all of the changes:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/overview.mspx
>
> > You referred to SP1 having "too many changes." How did you make this determination?
>
> I just read the above doc and it seems that this is more of a complete overhaul of the OS vs. some fixes rolled up like Win XP SP1. Also, just my opinion here, but I am in the healthcare field and everything is mission critical as far as the directory is concerned. I personally will let others make the jump and find all the pitfalls as MS isn't always as forthcoming in issues and fixes for those issues.
>
> > What is the threshold where we cross in to too many?
>
> When you are altering the core OS and the way it works vs. a security fix.
>
> > 2) What steps will you be going through between now and when you do install it?
>
> I will cruise the newsgroups to read other accounts as the KB site often has confusing documentation on resolving issues. I find it is better to find the direction one needs to go by other experiences.
>
> > What will you do between now and deployment to give you the confidence level you need to fire it up on a box and see how it goes?
>
> I will just give it a go as soon as it seems safe in a couple of months.
>
> It is just like SP2 for Win XP. If you install it, the SP2 will break the ability to view other people's sessions on their systems. This was a show stopper for me until I spent about a month searching for a little known regedit that needs to be made on the user's system to restore this functionality.
>
> Just my 2 cents. If you have a good firewall and anti-virus protection, things can slide for a little while as others test it out first.
>
> David A. Marquis
> Computer Systems Administrator
RE: [ActiveDir] 2003 SP1 RTM
What process, specifically, is running at 100% CPU?

Roger Seielstad
E-mail Geek

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
> Sent: Thursday, March 31, 2005 11:03 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] 2003 SP1 RTM
>
> I have a specific problem related in some way to SP1.
>
> I have several test environments. In each I use Virtual Server 2005. Each environment is 100% Windows Server 2003. After upgrading any of the VMs with SP1, the upgraded VM runs at nearly 100% CPU consistently.
>
> Removing and reinstalling the VM Additions has no effect.
>
> Removing SP1 also removes the visible problem.
>
> You might understand that I have an apprehension towards installing SP1 in production, especially on those systems running as VMs.
>
> Any ideas?
>
> Regards,
>
> Aric Bernard
RE: [ActiveDir] Compelling arguments?
It should be that hard to delegate those - you should be able to create a stub zone for them pointing back to your AD servers.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 30, 2005 8:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

Just the service records. I don't care about the A records, our process for getting those statically created is pretty painless. It's the ACLs for dynamic updates that cause us pain.
RE: [ActiveDir] Compelling arguments?
What are you trying to delegate - PTR creation or the A record creation?

Roger Seielstad
E-mail Geek & MS-MVP

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 30, 2005 7:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

This is a bit off the topic of the thread, but since we are talking about using BIND DNS with AD I'll go ahead and ask. Has anyone figured out a good way of delegating the update DNS right to your DCs? At my company the DNS admins are on a completely different team and getting them to manage the ACLs is a real pain. I'd love to use TSIG or something along those lines but as far as I can tell this is not supported in Windows. Any suggestions?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

If you're also talking about servers, don't forget that by default computers register their SPN using the AD domain name. So if you have a server that registers HOST/someserver.myadname.net and the server actually resolves to someserver.mydnszone.net, Kerberos will not work for the clients that try to connect using the DNS name.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Tuesday, March 29, 2005 7:06 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Compelling arguments?

Are there compelling arguments to use the DNS Domain name of your AD Domain as the primary DNS Suffix versus a different DNS extension from a client functionality perspective? Clients are still able to resolve the AD DNS Domain but most do not use it as their primary suffix. Any thoughts welcome.
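The thread's recurring point is that a computer account registers HOST/<host>.<AD domain> by default, so a client that connects by a name in a different DNS zone requests an SPN no account holds and silently falls back to NTLM. The following is an added example (not code from the thread or from any poster) that audits an inventory for exactly that gap, and also for the related failure the thread does not mention: the same SPN registered on two accounts. All server records are constructed; in a real run the registered SPNs would be read from each computer object's servicePrincipalName attribute (what `setspn -L <computer>` prints) and the client-facing names from the DNS zones that resolve to the host.

```python
"""Flag servers whose registered SPNs do not cover the DNS names clients use.

Added example, not code from the ActiveDir thread. Records are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ServerRecord:
    account: str                 # computer account name (constructed)
    registered_spns: set[str]    # SPNs on the AD computer object (constructed)
    client_names: set[str]       # FQDNs clients actually use to reach it
    services: set[str] = field(default_factory=lambda: {"HOST"})


def expected_spns(rec: ServerRecord) -> set[str]:
    """Every SPN a client could request for this host: service/FQDN for each
    client-facing name. HOST stands in for CIFS, HTTP, RPC and the other
    classes the KDC maps onto it; anything else must be listed explicitly."""
    return {f"{svc}/{name}" for svc in rec.services for name in rec.client_names}


def missing_spns(rec: ServerRecord) -> list[str]:
    """Expected SPNs the account has not registered (case-insensitive, as
    the KDC compares them). Each one is a TGS failure and an NTLM fallback."""
    have = {s.lower() for s in rec.registered_spns}
    return sorted(s for s in expected_spns(rec) if s.lower() not in have)


def duplicate_spns(records: list[ServerRecord]) -> dict[str, list[str]]:
    """SPNs registered on more than one account. A duplicate is as fatal as a
    missing SPN: the KDC refuses the request rather than guess whose key to use."""
    owners: dict[str, set[str]] = defaultdict(set)
    for rec in records:
        for spn in rec.registered_spns:
            owners[spn.lower()].add(rec.account)
    return {spn: sorted(accts) for spn, accts in sorted(owners.items()) if len(accts) > 1}


def audit(records: list[ServerRecord]) -> dict[str, list[str]]:
    """account -> missing SPNs, only for accounts that have a gap."""
    return {r.account: missing_spns(r) for r in records if missing_spns(r)}


# Constructed sample inventory mirroring the thread's disjoint-namespace case.
SAMPLE = [
    # Joined to myadname.net, but clients reach it as someserver.mydnszone.net.
    ServerRecord("SOMESERVER",
                 {"HOST/someserver.myadname.net", "HOST/SOMESERVER"},
                 {"someserver.myadname.net", "someserver.mydnszone.net"}),
    # Registered for both the AD name and the DNS-zone name: no gap.
    ServerRecord("WEB1",
                 {"HOST/web1.myadname.net", "HOST/WEB1", "HOST/web.mydnszone.net"},
                 {"web1.myadname.net", "web.mydnszone.net"}),
    # Also claims the shared web name: duplicate SPN across two accounts.
    ServerRecord("WEB2",
                 {"HOST/web2.myadname.net", "HOST/WEB2", "HOST/web.mydnszone.net"},
                 {"web2.myadname.net"}),
]

if __name__ == "__main__":
    for acct, gaps in audit(SAMPLE).items():
        print(f"{acct}: missing {', '.join(gaps)} -> clients using those names fall back to NTLM")
    for spn, accts in duplicate_spns(SAMPLE).items():
        print(f"{spn}: registered on {', '.join(accts)} -> Kerberos fails for this SPN")
```

Run on the sample, the audit reports SOMESERVER as missing HOST/someserver.mydnszone.net and flags host/web.mydnszone.net as held by both WEB1 and WEB2. Feeding it real data is a matter of replacing SAMPLE with records built from setspn output and the DNS names in use; the detection logic does not change.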
RE: [ActiveDir] W32Time and *nix
It gets around the domain membership requirement for your non-domain boxes. Of course, with the W32Time piece working correctly, there's no need to go to a third party app.

Roger Seielstad
E-mail Geek & MS-MVP

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
> Sent: Monday, February 21, 2005 7:13 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] W32Time and *nix
>
> So if our core switch is currently configured to sync with an outside time source, and our AD picks it up from there, what, if anything, would be the advantage of using an app like K9 or About Time? Or would that be more appropriate for an environment that didn't lend itself (for tech or territorial reasons) to using an infrastructure component as a time source?
>
> **
> Charlie Kaiser
> MCSE, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> > Sent: Friday, February 18, 2005 8:50 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] W32Time and *nix
> >
> > You could also grab a copy of K9 and sync time with it
> >
> > Roger Seielstad
> > E-mail Geek & MS-MVP
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
> > > Sent: Thursday, February 17, 2005 11:01 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] W32Time and *nix
> > >
> > > Maybe try what we did; set the AD time source to be a router or switch that can act as a time server. That router or switch then connects to an external time source. Different flavors of time synch can then connect to that router or switch and get time... That way, you also don't have to have a connection open on the time ports into your DC...
> > >
> > > **
> > > Charlie Kaiser
> > > MCSE, CCNA
> > > Systems Engineer
> > > Essex Credit / Brickwalk
> > > 510 595 5083
> > > **
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
> > > > Sent: Thursday, February 17, 2005 10:51 AM
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: [ActiveDir] W32Time and *nix
> > > >
> > > > Folks, I'd like to throw this back out for comments if I can. A while back I asked about using our current W32Time server, the forest root AD box, as the authoritative time server for the non-Windows clients on our network. I haven't had any luck getting this to work. If I remember correctly, W32Time is a derivation of the NTP protocol, (is it SNTP maybe??). Anyway, nothing I've tried enables the Linux and Unix boxes to sync with this server. One article I read said it will not work, but you obviously can't rely on everything posted on the net :-)
> > > >
> > > > Am I missing something, or do I need to maybe look at a 3rd party solution to handle all of the time services? What are some of you using for this situation? Thanks!
> > > >
> > > > Mark Creamer
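Mark's question is whether a non-Windows host can take time from a W32Time server at all, and the thread's answer is that whatever you point clients at should simply answer NTP/SNTP on UDP 123. The following is an added example (not code from the thread or any poster) of the minimal RFC 4330 exchange a *nix client performs: it builds a request, parses the reply, derives clock offset and round-trip delay, and applies the checks a client must apply before trusting a reply (server mode, supported version, leap indicator 3 "unsynchronized", stratum 0 "kiss-o'-death", echoed originate timestamp). The reply it decodes is constructed inline, not captured from any server; `query()` performs the same exchange live against a host you name.

```python
"""Minimal SNTP (RFC 4330) client with the sanity checks a client should apply.

Added example, not code from the ActiveDir thread. The sample reply is
constructed, not captured; only query() touches the network.
"""
import socket
import struct
import time

NTP_PORT = 123
NTP_UNIX_DELTA = 2_208_988_800           # seconds from 1900-01-01 to 1970-01-01
PACKET_FMT = "!BBbbII4sQQQQ"             # 48-byte header: LI/VN/Mode, stratum, poll,
                                         # precision, root delay, root disp, ref id,
                                         # reference, originate, receive, transmit


def to_ntp(unix_time: float) -> int:
    """Unix float seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    secs = int(unix_time) + NTP_UNIX_DELTA
    frac = min(int(round((unix_time - int(unix_time)) * (1 << 32))), 0xFFFFFFFF)
    return (secs << 32) | frac


def from_ntp(ts: int) -> float:
    return (ts >> 32) - NTP_UNIX_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(t1: float, version: int = 3) -> bytes:
    """Client request: LI=0, VN=version, Mode=3. T1 goes in the Transmit field
    so the server echoes it back as Originate and we can match the reply."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    return struct.pack(PACKET_FMT, li_vn_mode, 0, 0, 0, 0, 0, b"\0\0\0\0",
                       0, 0, 0, to_ntp(t1))


def parse_response(data: bytes) -> dict:
    if len(data) < 48:
        raise ValueError("short NTP packet")
    (li_vn_mode, stratum, _poll, _prec, _rdelay, _rdisp, ref_id,
     _ref_ts, orig_ts, recv_ts, xmit_ts) = struct.unpack(PACKET_FMT, data[:48])
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "ref_id": ref_id,
        "xmit_raw": xmit_ts,
        "t1": from_ntp(orig_ts),   # Originate: our T1, echoed by the server
        "t2": from_ntp(recv_ts),   # Receive: server clock when request arrived
        "t3": from_ntp(xmit_ts),   # Transmit: server clock when reply left
    }


def validate(reply: dict, sent_t1: float) -> None:
    """Reject replies RFC 4330 says a client must not use to set its clock."""
    if reply["mode"] != 4:
        raise ValueError(f"not a server reply (mode {reply['mode']})")
    if reply["version"] not in (3, 4):
        raise ValueError(f"unsupported NTP version {reply['version']}")
    if reply["leap"] == 3:
        raise ValueError("server reports its clock is not synchronized (LI=3)")
    if reply["stratum"] == 0:
        raise ValueError(f"kiss-o'-death from server: {reply['ref_id']!r}")
    if reply["xmit_raw"] == 0:
        raise ValueError("zero transmit timestamp")
    if abs(reply["t1"] - sent_t1) > 1e-3:
        raise ValueError("originate timestamp does not match our request")


def offset_and_delay(t1: float, t2: float, t3: float, t4: float) -> tuple:
    """RFC 4330: offset is how far our clock lags the server; delay is round trip."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def query(host: str, port: int = NTP_PORT, timeout: float = 2.0) -> tuple:
    """Live exchange against a real server. Returns (offset, delay, reply)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (host, port))
        data, _ = s.recvfrom(512)
        t4 = time.time()
    reply = parse_response(data)
    validate(reply, t1)
    return (*offset_and_delay(t1, reply["t2"], reply["t3"], t4), reply)


# Constructed exchange: server 2.0 s ahead of us, 0.1 s one-way, 0.01 s processing.
SAMPLE_T1 = 1_000_000_000.0        # our clock when the request left
SAMPLE_T2 = SAMPLE_T1 + 0.1 + 2.0  # server clock when it arrived
SAMPLE_T3 = SAMPLE_T2 + 0.01       # server clock when the reply left
SAMPLE_T4 = SAMPLE_T1 + 0.21       # our clock when the reply arrived


def build_sample_reply(stratum: int = 1, leap: int = 0) -> bytes:
    """Forge a v3 mode-4 reply for the constructed exchange (not a capture)."""
    li_vn_mode = (leap << 6) | (3 << 3) | 4
    return struct.pack(PACKET_FMT, li_vn_mode, stratum, 6, -20, 0, 0, b"LOCL",
                       to_ntp(SAMPLE_T2 - 60), to_ntp(SAMPLE_T1),
                       to_ntp(SAMPLE_T2), to_ntp(SAMPLE_T3))


def demo() -> tuple:
    reply = parse_response(build_sample_reply())
    validate(reply, SAMPLE_T1)
    return offset_and_delay(SAMPLE_T1, reply["t2"], reply["t3"], SAMPLE_T4)


if __name__ == "__main__":
    off, delay = demo()
    print(f"offset {off:+.3f} s, round-trip delay {delay:.3f} s")
```

On the constructed exchange the offset comes out at +2.000 s and the delay at 0.200 s. Against a real source, `query("your.time.server")` either returns the same pair or raises with the reason the reply should not be trusted, which is the quickest way to tell whether a given box is actually serving usable time on UDP 123 before pointing *nix clients at it.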
RE: [ActiveDir] W32Time and *nix (OT)
True. But, the specific reference I used was for Dr. Who's companion, which makes somewhat more sense in the context of discussions concerning time, as time (travel, specifically) was Dr. Who's thing.

----
Roger Seielstad
E-mail Geek & MS-MVP

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
> Sent: Monday, February 21, 2005 2:08 AM
> To: 'ActiveDir@mail.activedir.org'
> Subject: RE: [ActiveDir] W32Time and *nix (OT)
>
> K9 was also the name of Marvin's dog (http://www.gargaro.com/marvin.html) and he (the dog) appeared in a cartoon in 1948. That pre-dates even Dr Who, I believe :)
>
> neil
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: 20 February 2005 20:33
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] W32Time and *nix
>
> Actually, K9 was the name of Dr. Who's mechanical dog. http://freespace.virgin.net/steve.preston/K9.html
>
> I was thinking of the time sync app of the same name - which was named for that character. http://www.kaska.demon.co.uk/k9.htm
>
> Charlie - for reference, I put Tardis (same link) on the PDC in the Harbinger domain back in the NT4 days.
>
> Roger Seielstad
> E-mail Geek & MS-MVP
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
> > Sent: Saturday, February 19, 2005 5:39 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] W32Time and *nix
> >
> > Marvin the Martian's dog?
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> > Sent: Friday, February 18, 2005 11:50 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] W32Time and *nix
> >
> > You could also grab a copy of K9 and sync time with it
> >
> > Roger Seielstad
> > E-mail Geek & MS-MVP
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
> > > Sent: Thursday, February 17, 2005 11:01 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] W32Time and *nix
> > >
> > > Maybe try what we did; set the AD time source to be a router or switch that can act as a time server. That router or switch then connects to an external time source. Different flavors of time synch can then connect to that router or switch and get time... That way, you also don't have to have a connection open on the time ports into your DC...
> > >
> > > **
> > > Charlie Kaiser
> > > MCSE, CCNA
> > > Systems Engineer
> > > Essex Credit / Brickwalk
> > > 510 595 5083
> > > **
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
> > > > Sent: Thursday, February 17, 2005 10:51 AM
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: [ActiveDir] W32Time and *nix
RE: [ActiveDir] W32Time and *nix
Actually, K9 was the name of Dr. Who's mechanical dog. http://freespace.virgin.net/steve.preston/K9.html

I was thinking of the time sync app of the same name - which was named for that character. http://www.kaska.demon.co.uk/k9.htm

Charlie - for reference, I put Tardis (same link) on the PDC in the Harbinger domain back in the NT4 days.

Roger Seielstad
E-mail Geek & MS-MVP

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
> Sent: Saturday, February 19, 2005 5:39 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] W32Time and *nix
>
> Marvin the Martian's dog?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Friday, February 18, 2005 11:50 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] W32Time and *nix
>
> You could also grab a copy of K9 and sync time with it
>
> Roger Seielstad
> E-mail Geek & MS-MVP
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
> > Sent: Thursday, February 17, 2005 11:01 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] W32Time and *nix
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
> > > Sent: Thursday, February 17, 2005 10:51 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: [ActiveDir] W32Time and *nix

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] W32Time and *nix
You could also grab a copy of K9 and sync time with it

Roger Seielstad
E-mail Geek & MS-MVP

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
> Sent: Thursday, February 17, 2005 11:01 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] W32Time and *nix
>
> Maybe try what we did; set the AD time source to be a router or switch that can act as a time server. That router or switch then connects to an external time source. Different flavors of time synch can then connect to that router or switch and get time... That way, you also don't have to have a connection open on the time ports into your DC...
>
> **
> Charlie Kaiser
> MCSE, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
> > Sent: Thursday, February 17, 2005 10:51 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] W32Time and *nix
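Mark's question in this thread (is W32Time a derivation of NTP, maybe SNTP, and why won't the Linux and Unix boxes sync with it) comes down to the wire protocol: SNTP uses the same 48-byte packet layout and the same mode, stratum and timestamp fields as full NTP, which is why a Unix client can talk to a Windows time server at all, and those fields are also what a careful client checks before trusting the answer. The script below is an added example, not code from the list, from Microsoft or from any of the tools named above. It builds a client request, builds the reply a server would send back (so the exchange runs offline on constructed timestamps), applies the client-side checks RFC 4330 describes, and computes the clock offset; the host passed to query() is a placeholder.

```python
"""SNTP/NTP packet handling (RFC 4330 layout).

Added example for the W32Time thread, not code from the list or from Microsoft.
Timestamps used offline are constructed; the host given to query() is a placeholder.
"""
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800        # seconds from 1900-01-01 to 1970-01-01
NTP_PORT = 123
HEADER = "!BBbb3I8I"                # 48-byte header: li/vn/mode, stratum, poll,
                                    # precision, root delay, root dispersion,
                                    # reference id, then four 64-bit timestamps
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp(unix_time):
    """Unix float seconds -> (32-bit seconds since 1900, 32-bit fraction)."""
    whole = int(unix_time)
    frac = int(round((unix_time - whole) * (1 << 32)))
    if frac == 1 << 32:             # rounding carried into the next second
        whole, frac = whole + 1, 0
    return (whole + NTP_UNIX_DELTA) & 0xFFFFFFFF, frac


def from_ntp(seconds, fraction):
    """NTP (seconds, fraction) -> Unix float seconds."""
    return seconds - NTP_UNIX_DELTA + fraction / (1 << 32)


def build_request(transmit_time, version=3):
    """Mode 3 client request; only the transmit timestamp is populated."""
    xmt_s, xmt_f = to_ntp(transmit_time)
    first = (0 << 6) | (version << 3) | MODE_CLIENT
    return struct.pack(HEADER, first, 0, 0, 0, 0, 0, 0,
                       0, 0, 0, 0, 0, 0, xmt_s, xmt_f)


def parse_packet(data):
    """Decode any NTP/SNTP packet into its header fields."""
    if len(data) < 48:
        raise ValueError("short packet: %d bytes" % len(data))
    f = struct.unpack(HEADER, data[:48])
    return {
        "leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
        "stratum": f[1], "poll": f[2], "precision": f[3],
        "root_delay": f[4], "root_dispersion": f[5], "ref_id": f[6],
        "reference": from_ntp(f[7], f[8]), "originate": from_ntp(f[9], f[10]),
        "receive": from_ntp(f[11], f[12]), "transmit": from_ntp(f[13], f[14]),
    }


def build_server_response(request, receive_time, transmit_time,
                          stratum=2, version=3):
    """The mode 4 reply a server sends: it echoes the client's transmit time
    in the originate field and stamps its own receive and transmit times."""
    req = struct.unpack(HEADER, request[:48])
    if req[0] & 7 != MODE_CLIENT:
        raise ValueError("not a client request")
    rcv_s, rcv_f = to_ntp(receive_time)
    xmt_s, xmt_f = to_ntp(transmit_time)
    first = (0 << 6) | (version << 3) | MODE_SERVER
    return struct.pack(HEADER, first, stratum, 0, -20, 0, 0, 0x4C4F434C,  # "LOCL"
                       rcv_s, rcv_f,            # reference time (simplified)
                       req[13], req[14],        # originate = client's transmit
                       rcv_s, rcv_f, xmt_s, xmt_f)


def clock_offset(t1, t2, t3, t4):
    """RFC 4330: t1 originate, t2 server receive, t3 server transmit, t4 client receive."""
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def evaluate_response(request, response, destination_time):
    """Apply the client-side sanity checks, then return (offset, delay)."""
    rsp = parse_packet(response)
    t1 = parse_packet(request)["transmit"]
    if rsp["mode"] != MODE_SERVER:
        raise ValueError("unexpected mode %d" % rsp["mode"])
    if rsp["stratum"] == 0:
        raise ValueError("kiss-o'-death: server unsynchronised or refusing")
    if abs(rsp["originate"] - t1) > 1e-6:
        raise ValueError("originate does not echo our transmit: stale or forged reply")
    return clock_offset(t1, rsp["receive"], rsp["transmit"], destination_time)


def query(host, port=NTP_PORT, timeout=2.0):
    """Live exchange against a real server (placeholder host; not used offline)."""
    t1 = time.time()
    request = build_request(t1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        data, _ = sock.recvfrom(512)
    return evaluate_response(request, data, time.time())


if __name__ == "__main__":
    # Offline round trip on constructed timestamps: the server is ~4.5 s ahead.
    req = build_request(1_000_000_000.0)
    rsp = build_server_response(req, 1_000_000_005.0, 1_000_000_005.0)
    print(evaluate_response(req, rsp, 1_000_000_001.0))   # (4.5, 1.0)
```

A reply is rejected when its mode is not "server", when its stratum is 0 (a kiss-o'-death or unsynchronised server) or when its originate field does not echo the transmit timestamp of our own request; that last check is what stops a stale or injected reply from being accepted as an answer to ours. A full ntpd client additionally weighs the root delay and root dispersion fields (left at zero on the server side here) when deciding whether a peer is usable, so a Windows server that answers on the wire can still be discarded if it advertises poor quality.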
RE: [ActiveDir] Account policies and groups
Yes, the password policy will still apply to that user - it applies to every object in the domain, regardless of block inheritance settings.

Roger Seielstad
E-mail Geek & MS-MVP

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton
Sent: Thursday, February 17, 2005 6:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account policies and groups

If a user is in an OU which has block inheritance selected but is a member of a group that's in a different OU which doesn't have block inheritance applied, will the password policy, for example, still apply to that user? Just curious really.

For Troup Bywaters + Anders
Tim Sutton
T: +44 (0) 113 243 2241
F: +44 (0) 113 242 4024
E: [EMAIL PROTECTED]
W: www.TBandA.com
Eastgate House, 10 Eastgate, Leeds LS2 7JL

Privilege and Confidentiality Notice
This email and any attachments to it are intended only for the party to whom they are addressed. They may contain privileged and / or confidential information. If you have received this transmission in error please notify the sender immediately and delete any digital copies and destroy any paper copies. Thank you.
RE: [ActiveDir] DC or not DC
It's logical separation vs. physical separation. Mainframes have had LPARs (logical partitions) forever, which do the same basic thing. Logically separating the platforms does protect from most of the issues caused by putting a crapload of services on one box. However, I'd never use a virtualizing solution like this on anything that has intensive hardware level requirements like file, network or memory.

----
Roger Seielstad
E-mail Geek & MS-MVP

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
> Sent: Wednesday, February 16, 2005 11:34 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DC or not DC
>
> I hate to drag this off subject slightly and since no one has mentioned it, but isn't the whole point of Microsoft Virtual Server and VMware GSX/ESX so that you can run multiple servers on the same physical server and not have the application/security/resource conflicts that you can get by running everything on one server? At the last MS TechEd several of the MS people I talked to were pitching Virtual Server as *the* solution to the "I only have one server" and branch office scenarios.
>
> -Stuart Fuller
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Wednesday, February 16, 2005 9:50 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DC or not DC
>
> Yeah MS has always said best practice is not to put back office apps or IIS on domain controllers for as long as I can recall. Ditto file and print. There are possible resource and security issues.
>
> Then they have SBS. SBS bothers me because you take everything MS has ever said and you say, hmmm, forget about it. At that point, what do you and don't you listen to from MS? My thoughts? Listen to all of it but don't trust any of it until you have proven it yourself. I generally (there are exceptions to make the rule) consider anything from MS as propaganda until I have proven with my direct experience or it has been stated to me by my very few trusted advisors. Like if Dean tells me something, I tend to listen closely, I may argue, but I start from a losing position because if I don't agree it is probably because I don't understand through no fault of Dean's explanation. Many conversations I have with Dean start out with me thinking, oh shit, he expects I know what I am talking about with this functionality... With Rick, well you argue with Rick about everything because he is a hoot to argue with. With Deji... Check it twice - all of it. ;oP Tony... Never argue with Tony's dinner wine choice, never.
>
> My thoughts are that if you have a company small enough that SBS works for you, you probably won't have too many resource issues unless you have some serious power users. However security concerns will *always* be there simply because you are adding additional vectors. You can't add more services to service users and NOT open up more possible security holes. Additionally one of the methods for fixing replication hangs and such in AD is a reboot because attempting to stop and start the AD services is less than helpful. Tougher to do that when you have people using fixed services such as F&P, SQL, Exchange, etc as they tend to get cranky when the server side of the equation disappears.
>
> My personal reaction to anything but DHCP/DNS/WINS on a DC is sort of a blanched look and I don't even really like DHCP/WINS/DNS on the DC because I think that also raises the security vectors too much. Keep in mind, AD is the bastion of your enterprise security. Why give people holes to poke at to see if they can compromise the entire forest?
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
> Sent: Wednesday, February 16, 2005 11:24 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DC or not DC
>
> If you have the resources on the box and can not afford to purchase a new box for SQL or Exchange, then you are stuck with the only one option. However, I am a big believer of keeping the server roles separate. I find that the overhead of SQL (and even Exchange) is rather high during peak times. And, if SQL runs on the DC, this may cause latency issues with DNS lookups, group policy updates to clients and/or log in issues. I believe that Microsoft's best practices said to keep things separ
RE: [ActiveDir] DC or not DC
Keep in mind you can run a DC for even a moderately sized org on a typical desktop machine. Since DCs (except the FSMO role holders) are scale-out redundant, there's no reason not to add additional capacity by using desktop class machines.

----
Roger Seielstad
E-mail Geek & MS-MVP

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Wednesday, February 16, 2005 8:50 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DC or not DC
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
> Sent: Wednesday, February 16, 2005 11:24 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DC or not DC
>
> If you have the resources on the box and can not afford to purchase a new box for SQL or Exchange, then you are stuck with the only one option. However, I am a big believer of keeping the server roles separate. I find that the overhead of SQL (and even Exchange) is rather high during peak times. And, if SQL runs on the DC, this may cause latency issues with DNS lookups, group policy updates to clients and/or log in issues. I believe that Microsoft's best practices said to keep things separate. (But, I may be dreaming... Like I often do...) However, with everything that I have said, it is just my opinion and is dependent on how many users you have and if your company can afford the cost.
>
> *
> Steve Shaff
> Active Directory / Exchange Administrator
> Corillian Corporation
> (W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alonzo Hess
> Sent: Wednesday, February 16, 2005 7:01 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] DC or not DC
>
> Last night I received the latest MCPMag email newsletter and always read the questions that people ask. I was kind of surprised by the opening sentence of the question. "I know that the Microsoft gospel is never to run Exchange, SQL Server, etc. on a domain controller." I've never seen or heard this be
RE: [ActiveDir] Using GPO to install an MSI package - Slightly Off Topic
So, the other option is to take a little bit of your time and do some investigation. Go grab Regmon and Filemon from Sysinternals (both free) and watch what the app is trying to access. Chances are it's doing something in %systemroot%\system32 or in the registry that is generally not accessible to non-PU style users. I'd be willing to guess that with the addition of a few changes (via a GPO) the issue is solved without starting a war, and you look like a hero.

Roger Seielstad
E-mail Geek & MS-MVP

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Tuesday, February 15, 2005 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using GPO to install an MSI package - Slightly Off Topic

Ah..."the business". It's a pretty wild circle huh?
- IT doesn't want apps that aren't written properly, but...
- "the business" doesn't care and wants it anyway, so...
- IT can't put the kind of pressure they would like upon the company developing the bad apps, so...
- bad company makes their money anyway, and...
- "business" is happy, because...
- IT "made it work"
So we all three [groups] still have jobs. Hmm...

By the way...love the "smoldering pile of crap" adjective. Beautiful!

-DaveC
Reuters America

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, February 15, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using GPO to install an MSI package - Slightly Off Topic

Dave-
Hallelujah! I'm with you here. Can we start some kind of movement? I'm thinking a web site like dontwritestupidwindowsapps.org? Maybe hold some rallies outside of offending software company's headquarters where we burn their shrinkwrap? I'm serious. This used to bug the holy heck out of me when I lived in the IT world. But of course "the business" would always say, "well we absolutely must have this huge smoldering pile of crap application and there is only one vendor in Upper East Moldoria that provides it so we don't care if it's not 'Windows compliant'."

Darren "Logo or Die" Mar-Elia

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Tuesday, February 15, 2005 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using GPO to install an MSI package - Slightly Off Topic

You guys gave some great suggestions to this tough question, and made some good points. For what it's worth, mine is a bit less realistic - STOP purchasing software from a company that can't get this right (regardless of excuse or reason). Perhaps the same can be said of applications that use NetBIOS calls. If we ever really want to get that out of the Windows world (do we?), then the application providers need to STOP using it. If we don't buy it, they can't make it...right? Sorry if this is a bit simplistic!

-DaveC
Reuters America

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason B
Sent: Tuesday, February 15, 2005 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Using GPO to install an MSI package

Okay, our environment is that all our clients are running Windows XP SP2, and our servers are Windows 2003. The situation is that our Accounting department uses Quickbooks, and about 70 of our employees need to use an application that comes with Quickbooks called "QB Timer". It's free for use for our employees and it integrates with Quickbooks without requiring a Quickbooks install on each machine. Now, the quandary: according to Intuit/Quickbooks, the program requires at least Power User permissions to install and run. Neither I, nor our CIO are willing to give local Power User permissions for these users, as that opens things up to too many potential problems, but our CFO and COO are REQUIRING the use of this application, or a similar one that integrates with Quickbooks. Now, the QBTimer is free, which is good, so that's the *preferred* app to use. It comes as an exe with a few other files, so I used WinInstall LE 2003 on a clean XP SP2 machine to package it into an MSI file. That worked well, and I can install it/assign it through GPO - even if the user doesn't have local Power User privs. However, true to form with Intuit products, it won't run if the logged on user doesn't have local admin or PU privs. If I grant PU privs to the user, it runs fine. I feel like I am --> <-- this close to getting this done, but I ran out of ideas to get this to work. I tried looking at the reg file that was made when I ran WinInstall and gave the users full rights to the specific areas in the registry to see if that did anything; which it didn't. Does anyone else have any suggestions, or am
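Roger's approach in this thread (trace the app with Filemon and Regmon, find what it touches that a non-Power User cannot, then fix exactly that through a GPO instead of handing out Power User rights) can be turned into a repeatable triage step. The script below is an added example, not code from the list or from Sysinternals: it parses tab-separated trace lines, keeps only the ACCESS DENIED results for the process of interest, and groups them by path so the output is the list of candidate File System / Registry security entries for a GPO. The trace lines in SAMPLE_TRACE are constructed to resemble the column layout of the Filemon/Regmon logs of that era, and the QB Timer file and registry paths in them are made-up placeholders.

```python
"""Triage of Filemon/Regmon trace lines for ACCESS DENIED results.

Added example for the QB Timer thread; not code from the list or from
Sysinternals. SAMPLE_TRACE is constructed to resemble the tab-separated
columns of the Filemon/Regmon logs of that era (seq, time, process:pid,
request, path, result, detail); the QB Timer paths in it are made up.
"""
from collections import defaultdict

SAMPLE_TRACE = """\
101\t3:45:12 PM\tqbtimer.exe:1520\tOPEN\tC:\\WINDOWS\\system32\\qbtimer.ini\tACCESS DENIED\tOptions: Open Access: All
102\t3:45:12 PM\tqbtimer.exe:1520\tOPEN\tC:\\Program Files\\QBTimer\\qbtimer.exe\tSUCCESS\tOptions: Open Access: Read
103\t3:45:13 PM\tqbtimer.exe:1520\tCreateKey\tHKLM\\SOFTWARE\\ExampleVendor\\QBTimer\\Settings\tACCESS DENIED\tAccess: 0xF003F
104\t3:45:13 PM\tqbtimer.exe:1520\tOpenKey\tHKCU\\Software\\ExampleVendor\\QBTimer\tSUCCESS\tAccess: 0x20019
105\t3:45:13 PM\tqbtimer.exe:1520\tWRITE\tC:\\WINDOWS\\system32\\qbtimer.ini\tACCESS DENIED\tOffset: 0 Length: 512
106\t3:45:14 PM\texplorer.exe:812\tOpenKey\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\tSUCCESS\tAccess: 0x20019
"""

REGISTRY_ROOTS = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKCC\\")
# A grant in these locations affects every user of the machine, so it deserves a
# second look before it goes into a GPO (a per-user location is usually better).
MACHINE_WIDE = ("HKLM\\", "C:\\WINDOWS\\SYSTEM32\\", "C:\\PROGRAM FILES\\")


def parse_trace(text):
    """Split trace lines into records; header, blank and truncated lines are skipped."""
    records = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6 or not cols[0].isdigit():
            continue
        name, _, pid = cols[2].partition(":")
        records.append({
            "seq": int(cols[0]), "time": cols[1],
            "process": name.lower(), "pid": int(pid) if pid.isdigit() else None,
            "request": cols[3], "path": cols[4], "result": cols[5],
            "detail": cols[6] if len(cols) > 6 else "",
        })
    return records


def classify(path):
    """Return ('registry' or 'file', machine_wide) for a traced path."""
    upper = path.upper()
    kind = "registry" if upper.startswith(REGISTRY_ROOTS) else "file"
    return kind, upper.startswith(MACHINE_WIDE)


def acl_targets(records, process_name):
    """Paths the named process was denied on, with the operations it attempted.

    These are the candidates for a File System / Registry security entry in a
    GPO, which is the narrow alternative to giving the user Power User rights."""
    denied = defaultdict(set)
    for r in records:
        if r["process"] == process_name.lower() and r["result"] == "ACCESS DENIED":
            denied[r["path"]].add(r["request"])
    targets = []
    for path in sorted(denied):
        kind, machine_wide = classify(path)
        targets.append({"path": path, "kind": kind, "machine_wide": machine_wide,
                        "operations": sorted(denied[path])})
    return targets


def report(targets):
    """Human-readable summary, one line per target."""
    lines = []
    for t in targets:
        scope = "machine-wide" if t["machine_wide"] else "per-user"
        lines.append("%-8s %-12s %s  [%s]" % (
            t["kind"], scope, t["path"], ", ".join(t["operations"])))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(acl_targets(parse_trace(SAMPLE_TRACE), "qbtimer.exe")))
```

Only the traced process's own denials are counted, so noise from explorer.exe and other processes in the same capture does not end up in the grant list; the machine-wide flag marks entries under HKLM, system32 or Program Files, where the right fix is often to confirm whether the application can be pointed at a per-user location before widening the ACL for everyone.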
RE: [ActiveDir] Very OT: Please Settle a Bet
I think you're confusing DOS with a text based interface. Two separate things entirely.

Roger Seielstad
E-mail Geek & MS-MVP

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Friday, February 11, 2005 2:18 PM
To: 'ActiveDir@mail.activedir.org'; Send - AD mailing list
Subject: RE: [ActiveDir] Very OT: Please Settle a Bet

My vote is that Win 95 required DOS and therefore was a frontend DOS application and not a true OS. A good example, watch a Win 95 box boot, it always starts out with DOS and then DOS runs the interface, WIN 95. Gnome isn't an OS, it's simply a shell; DOS is the same thing.

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Friday, February 11, 2005 4:01 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Very OT: Please Settle a Bet

32 bit cooperatively multitasked if memory serves ...but it might not ;)

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Friday, February 11, 2005 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Very OT: Please Settle a Bet

Could anyone settle a bet for me? I would like to know if Windows 95 was a 16 or 32-bit OS. One of us is saying that it was natively 32-bit, but ran 16-bit apps in a VM, while the other one is saying the reverse: it was a 16-bit OS that was capable of running 32-bit apps in a VM. Also, one person is saying that W95 required DOS (like Win3.1.1) and the other is saying that, while built on DOS, DOS was not required and the OS went above and beyond its DOS roots. If anyone can settle these issues and offer proof like links to Web pages and such, we would be grateful.

_
Daniel DeStefano
PC Support Specialist
IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262 F. 212.871.5300
www.iagr.net
Measuring Ad Effectiveness on Television

The information contained in this communication is confidential, may be privileged and is intended for the exclusive use of the above named addressee(s). If you are not the intended recipient(s), you are expressly prohibited from copying, distributing, disseminating, or in any other way using any of the information contained within this communication. If you have received this communication in error, please contact the sender by telephone 212.871.5262 or by response via e-mail.
RE: [ActiveDir] Very OT: Please Settle a Bet
Win95 only "required" DOS as part of the installation on a bare machine, IIRC.

Roger

Roger Seielstad
E-mail Geek & MS-MVP

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT
Sent: Friday, February 11, 2005 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Very OT: Please Settle a Bet

I'd have to agree with you. An option was to reboot to DOS from Win95. For the life of me, I can't remember what version it was at the command line though.

//SIGNED//
David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Friday, February 11, 2005 14:18 PM
To: 'ActiveDir@mail.activedir.org'; Send - AD mailing list
Subject: RE: [ActiveDir] Very OT: Please Settle a Bet

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Friday, February 11, 2005 4:01 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Very OT: Please Settle a Bet

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Friday, February 11, 2005 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Very OT: Please Settle a Bet
RE: [ActiveDir] Very OT: Please Settle a Bet
I've always described Win95 as a 24 bit operating system myself...

Actually, the OS (i.e. the kernel) is (was) definitely 32-bit code. Rick backed into the correct answer with that damn logic thing again. However, explorer.exe (i.e. the GUI) was most definitely a 16-bit app, because at the time they hadn't figured out all the 32 bit optimizations for graphics - they had done all the 3.x work in 16 bit. IMO - this is one of the reasons 9x has always been relatively unstable - the mixture of 16 and 32 bit code.

Roger

Roger Seielstad
E-mail Geek & MS-MVP

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, February 12, 2005 12:18 PM
To: ActiveDir@mail.activedir.org; 'Send - AD mailing list'
Subject: RE: [ActiveDir] Very OT: Please Settle a Bet

Charles,

I follow your line of thinking and would tend to agree except for my first foray into Networked OS’s – Netware. Netware is CLEARLY an OS – is CLEARLY 32-bit, but requires DOS to boot the kernel, which then continues to load the required pieces of Netware on the Netware kernel. So, in that – Netware is not a frontend for DOS – it simply uses the load routines of DOS to get going, then switches the processor to privileged mode to operate with all of the features of the processor in 32-bit mode.

The question that should be asked is this, which should solve the current puzzle and bet: Can Windows 95 be run on a 80286 processor? If not – and must be run on a 80386 and greater – it’s 32-bit and using privileged mode and the features that it affords.

The answer to the above question is no – it must be run on a 386 or greater processor because it requires 32-bit addressing. It emulates 16-bit for those legacy apps that needed it. DOS was used, as in Netware, as a launching platform for the ‘kernel’ (though not in any way as complex).

The downside to Win95 was the obvious leverage on some DOS functions, and complete lack of any security and a very lackluster separation of program to program corruption.

If you want more info – see here. http://www.webdevelopersjournal.com/archive/win95.html I remember Greg from the ‘Chicago’ (code name for Win95) beta days, and thought he wrote an article or two.

Hope this helps.

Rick Kingslan MCSE, MCSA, MCT, CISSP
Microsoft MVP: Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Friday, February 11, 2005 4:18 PM
To: 'ActiveDir@mail.activedir.org'; Send - AD mailing list
Subject: RE: [ActiveDir] Very OT: Please Settle a Bet

My vote is that Win 95 required DOS and therefore was a frontend DOS application and not a true OS. A good example: watch a Win 95 box boot, it always starts out with DOS and then DOS runs the interface, WIN 95. Gnome isn't an OS, it's simply a shell; DOS is the same thing.

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Friday, February 11, 2005 4:01 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Very OT: Please Settle a Bet

32 bit cooperatively multitasked if memory serves ...but it might not ;)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Friday, February 11, 2005 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Very OT: Please Settle a Bet

Could anyone settle a bet for me? I would like to know if Windows 95 was a 16 or 32-bit OS. One of us is saying that it was natively 32-bit, but ran 16-bit apps in a VM, while the other one is saying the reverse: it was a 16-bit OS that was capable of running 32-bit apps in a VM.

Also, one person is saying that W95 required DOS (like Win3.1.1) and the other is saying that, while built on DOS, DOS was not required and the OS went above and beyond its DOS roots. If anyone can settle these issues and offer proof like links to Web pages and such, we would be grateful.

Daniel DeStefano
PC Support Specialist
IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262 F. 212.871.5300
www.iagr.net
Measuring Ad Effectiveness on Television

The information contained in this communication is confidential, may be privileged
RE: [ActiveDir] Problem with redirected application Data
In the user config section of the applicable GPO, you can assign the server(s) which host the application(s) to the Trusted Zone for IE. That should fix the issue.

Roger Seielstad
E-mail Geek & MS-MVP

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Wednesday, January 05, 2005 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem with redirected application Data

We are redirecting application data and everything is working well except for the quick launch. When you click on a shortcut there you get a file download window asking if you want to open this file .lnk as it may be unsafe etc. Is there a place in policies or elsewhere that I can put the .lnk extension so it won't come up with that dialog box and it will go ahead and process the shortcut and execute the program?

Jeff
RE: [ActiveDir] DHCP
Let's just say that there's a fix in Win2k3 SP1 that does away with what was a linked list.

In my current environment, n = 45000-ish...

----
Roger Seielstad
E-mail Geek & MS-MVP

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Wednesday, January 05, 2005 8:04 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DHCP
>
> Linked list is really only a good data structure when n = 3-ish.
> When n > 3, linked lists look amateur.
>
> I don't really know if it is a linked list, there are worse
> data structures, unsorted array, that you completely
> reallocate to expand, that would be worse ...
>
> Cheers,
> -Brett Shirley
>
> On Wed, 5 Jan 2005, Roger Seielstad wrote:
>
> > I bet you're right. Based on some other design decisions I've seen in
> > Windows lately, I bet they do load scopes as a linked list.
> >
> > Roger Seielstad
> > E-mail Geek & MS-MVP
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> > > Sent: Tuesday, January 04, 2005 8:30 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] DHCP
> > >
> > > It may not be the registry that limits your servers' scalability.
> > > For instance the list of scopes could be loaded into memory in a
> > > linked list, and thusly the scalability to many scopes degrades
> > > linearly (linear is usually unacceptable).
> > >
> > > Just a thought.
> > >
> > > Cheers,
> > > Brett Shirley
> > >
> > > On Tue, 4 Jan 2005, Mulnick, Al wrote:
> > >
> > > > That helps a great deal, thank you.
> > > >
> > > > Although I'll still need to know some of these limits, it looks like
> > > > I'll have to go to regmon and find out.
> > > >
> > > > Brett, I appreciate the thought and understand that the leases are
> > > > recorded in the DB, but it won't be one scope. It'll be multiple scopes.
> > > >
> > > > Thanks folks. This helps out a great deal.
> > > >
> > > > Al
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
> > > > Sent: Monday, January 03, 2005 11:50 PM
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: Re: [ActiveDir] DHCP
> > > >
> > > > If you are only concerned about the RSL - does it help to know that in
> > > > XP and greater this isn't an issue?
> > > >
> > > > http://support.microsoft.com/default.aspx?scid=kb;en-us;292726
> > > >
> > > > steve
> > > >
> > > > ----- Original Message -----
> > > > From: "Brett Shirley" <[EMAIL PROTECTED]>
> > > > To:
> > > > Sent: Monday, January 03, 2005 8:45 PM
> > > > Subject: RE: [ActiveDir] DHCP
> > > >
> > > > > So I got the info I needed out of band.
> > > > >
> > > > > If you manage the entire 10.*.*.* as a single scope I suspect* that
> > > > > you won't have any worries. I happen to know that DHCP uses an ESE
> > > > > database, and looking at my sample DHCP DB (~66k records), it is
> > > > > quite clear** this is where it stores IPs it gives out. Ergo
> > > > > the size of the IP blocks is irrelevant to usage of registry, only the
> > > > > number of scopes you want to define.
> > > > >
> > > > > I suspect* (there is that word again), that just the definition of
> > > > > the scope is in the registry, but (I'm 87% sure of this part)
> > > > > the actual per IP storage is pushed off to ESE / JET Blue (no, not the
> > > > > same JET that is in Microsoft Access, that's JET Red).
> > > > >
> > > > > Cheers,
> > > > > Brett Shirley
> > > > >
> > > > > * suspect = really that just means I'm making this all up.
> > > > >
RE: [ActiveDir] DHCP
I bet you're right. Based on some other design decisions I've seen in Windows lately, I bet they do load scopes as a linked list.

----
Roger Seielstad
E-mail Geek & MS-MVP

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Tuesday, January 04, 2005 8:30 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DHCP
>
> It may not be the registry that limits your servers' scalability.
> For instance the list of scopes could be loaded into memory in a
> linked list, and thusly the scalability to many scopes degrades
> linearly (linear is usually unacceptable).
>
> Just a thought.
>
> Cheers,
> Brett Shirley
>
> On Tue, 4 Jan 2005, Mulnick, Al wrote:
>
> > That helps a great deal, thank you.
> >
> > Although I'll still need to know some of these limits, it looks like
> > I'll have to go to regmon and find out.
> >
> > Brett, I appreciate the thought and understand that the leases are
> > recorded in the DB, but it won't be one scope. It'll be multiple scopes.
> >
> > Thanks folks. This helps out a great deal.
> >
> > Al
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
> > Sent: Monday, January 03, 2005 11:50 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] DHCP
> >
> > If you are only concerned about the RSL - does it help to know that in
> > XP and greater this isn't an issue?
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;292726
> >
> > steve
> >
> > ----- Original Message -----
> > From: "Brett Shirley" <[EMAIL PROTECTED]>
> > To:
> > Sent: Monday, January 03, 2005 8:45 PM
> > Subject: RE: [ActiveDir] DHCP
> >
> > > So I got the info I needed out of band.
> > >
> > > If you manage the entire 10.*.*.* as a single scope I suspect* that
> > > you won't have any worries. I happen to know that DHCP uses an ESE
> > > database, and looking at my sample DHCP DB (~66k records), it is
> > > quite clear** this is where it stores IPs it gives out. Ergo the
> > > size of the IP blocks is irrelevant to usage of registry, only the
> > > number of scopes you want to define.
> > >
> > > I suspect* (there is that word again), that just the definition of
> > > the scope is in the registry, but (I'm 87% sure of this part) the
> > > actual per IP storage is pushed off to ESE / JET Blue (no, not the
> > > same JET that is in Microsoft Access, that's JET Red).
> > >
> > > Cheers,
> > > Brett Shirley
> > >
> > > * suspect = really that just means I'm making this all up.
> > >
> > > ** by clear, I mean the columns are called "HardwareAddress",
> > > "IpAddress", "LeaseTerminates", "ServerName", etc ...
> > >
> > > On Mon, 3 Jan 2005, Brett Shirley wrote:
> > >
> > >> Is the 10.*.*.* block a single scope?
> > >>
> > >> Cheers,
> > >> Brett
> > >>
> > >> This posting is provided "AS IS" with no warranties, and confers no
> > >> rights.
> > >>
> > >> On Mon, 3 Jan 2005, Roger Seielstad wrote:
> > >>
> > >> > Well, my friend, you could always break out a copy of RegMon from
> > >> > Sysinternals and build a dozen or so representative scopes out on
> > >> > a lab box.
> > >> > That should give you the per scope cost info you're after.
> > >> >
> > >> > From there, it seems like the number you really want is the
> > >> > maximum registry size for a Win2k3 implementation.
> > >> >
> > >> > Personally, I never got the 80/20 split jazz. I always do 50/50
> > >> > (or 100% on one server in my current config, but that's a whole
> > >> > other story - redundancy isn't terribly important for DHCP with
> > >> > the boxes I manage).
> > >> >
> > >> > Roger Seielstad
> > >> > E-mail Geek & MS-MVP
> > >> >
> > >
RE: [ActiveDir] DHCP
Well, my friend, you could always break out a copy of RegMon from Sysinternals and build a dozen or so representative scopes out on a lab box. That should give you the per scope cost info you're after.

From there, it seems like the number you really want is the maximum registry size for a Win2k3 implementation.

Personally, I never got the 80/20 split jazz. I always do 50/50 (or 100% on one server in my current config, but that's a whole other story - redundancy isn't terribly important for DHCP with the boxes I manage).

----
Roger Seielstad
E-mail Geek & MS-MVP

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Monday, January 03, 2005 10:13 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DHCP
>
> Thanks John. I saw that one as well, but it doesn't tell me
> enough information about how much of an impact I can expect
> on the registry. I understand the paging file and the RSL,
> but I can't get a solid amount of information about a) what
> to expect to be put in the registry *exactly* and
> b) what exactly each registry entry can possibly take in
> terms of size.
>
> A thousand scopes? Nice to hear, but that doesn't solve the
> problem for me.
>
> For more background, I currently have similar running across
> four servers in two network sites. No problem. What I want
> to do is isolate two different business types. As you can
> imagine from the domain name, we're a financial institution
> and we have retail branches across all lines of business. We
> also have back-office needs. To make this more reliable, I
> need to take into account the 8th layer and design
> accordingly. My current track is to simplify by separation
> and put the branch scopes on two servers and the
> rest/exceptions on the other two. To do that, I need to know
> the limits.
> The additional benefit of knowing the quantifiable benefits
> is the ability to predict capacity and lifespan of the
> solution. That obviously plays into lifecycle management
> planning of the solution. Due to the business nature of
> financial organizations, I have to plan for twice the capacity
> of current.
> In practice, that means that I have to at least know the
> capacity abilities of the current solution or the future
> solution enough to know that if an acquisition occurs, I can
> either deploy more capacity else know that I can use the
> current to that scale.
>
> The docs I've found so far, including the one you posted and
> the information from Jorge were too high-level for what I'm
> after. I appreciate them but I still need additional
> information to make this design right.
>
> Thoughts?
>
> Thanks John,
>
> Al
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
> Sent: Monday, January 03, 2005 11:29 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DHCP
>
> Hi Al,
>
> Looking in the Windows Server System Reference Architecture
> you can read:
>
> "... scaling the DHCP service involves network infrastructure
> issues for most enterprises." -> However, according to your
> question this does not apply for your network. Lucky you ;-)!
>
> The following quote relates to your question:
>
> "You can create an unlimited number of scopes on a DHCP
> server. However, a DHCP server should ideally host no more
> than 1,000 scopes. When adding a large number of scopes to
> the server, be aware that each scope creates a corresponding
> need for additional disk space for the DHCP server registry
> and the server paging file.
>
> Before deployment, you should test your DHCP servers on the
> network to determine any limitations and abilities of your
> hardware and to see whether the network architecture,
> traffic, and other factors affect DHCP server performance."
>
> However, it still doesn't answer it. However, there is a
> specific article about planning DHCP networks that might (not
> sure) deal with this topic.
>
> This is the URL:
> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DHCP_imp_PlanningNetworks.asp
>
> Good luck!
> John Reijnders
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: maandag 3 januari 2005 17:08
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DHCP
>
> Thanks Jorge, I did see and read t
RE: [ActiveDir] worm (very very OT)
The way to track this down is to network scan on your egress router's interface. It should be relatively trivial to filter for the traffic based on destination port, and that will give you the MAC address of the sender (that is VERY much harder to spoof - not impossible, but a heck of a lot harder).

From that, you can look at the ARP table of the router and the MAC address will be there from the *valid* traffic the machine is doing. You can guarantee that by ping sweeping the LAN, just in case. Then you're just matching MAC to MAC and you get the right IP address.

Heck, I think there's perl code that will do most of that for you - I know we've got a MAC hunter app at work that does something similar to this to find the name of machines when all we have is a MAC address.

----
Roger Seielstad
E-mail Geek & MS-MVP

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> Sent: Thursday, December 23, 2004 8:30 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] worm (very very OT)
>
> We're a switched network. I'd have to go to every PC (500) and
> run it. I'm trying to avoid that. Might as well run netstat
> -an on all PCs.
>
> Ethereal won't tell me the real address.
>
> thanks
>
> -----Original Message-----
> From: Candee Vaglica [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 23, 2004 11:16 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] worm (very very OT)
>
> Use a network scanner, like Ethereal to monitor the traffic.
>
> On Thu, 23 Dec 2004 11:11:43 -0500, Kern, Tom <[EMAIL PROTECTED]> wrote:
> > This is way off and I apologize but you guys are really
> > knowledgeable and such a great help, I thought I'd try here.
> >
> > I have a number of PCs infected with some worm that goes
> > out on port 1 tcp and tries to attempt a DOS attack.
> >
> > I don't know the worm and a google search didn't really
> > turn anything up.
> >
> > Here's the thing. The worm uses a spoofed source address.
> > My question is, is there any way to track down a spoofed
> > address internally to the real address?
> >
> > I don't know how to find the infected PCs.
> >
> > thanks
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ: http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
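Roger's MAC-matching procedure above (filter the egress capture by destination port, take the sender MACs, look them up in the router's ARP table), written out as runnable detection logic. This is an added example, not code from the list post or the "MAC hunter" app it mentions; the capture records and ARP table are constructed sample data, and the destination port (tcp/1) is the one Tom's post names.

```python
"""Locate hosts sending spoofed-source traffic by matching the sender MAC
(seen on the LAN side of the egress router) against the router's ARP table.
Capture records and ARP table below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One frame as captured on the egress router's inside interface."""
    src_mac: str
    src_ip: str      # what the packet claims; spoofed by the worm
    dst_ip: str
    dst_port: int
    proto: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-0C-29-..', '000c.29..' and
    '00:0c:29:..' compare equal. Raises ValueError on non-MAC input."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_arp_table(text: str) -> dict[str, str]:
    """Parse 'ip  mac' lines (router ARP cache, or arp -a after a ping
    sweep) into a MAC -> IP map. Header or junk lines are skipped."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, mac = fields[0], fields[1]
        try:
            table[normalize_mac(mac)] = ip
        except ValueError:
            continue
    return table


def suspect_macs(packets, dst_port: int, proto: str = "tcp") -> dict[str, set[str]]:
    """Filter the capture for the worm's destination port and group the
    claimed source IPs by sender MAC (the MAC is what the worm cannot spoof
    without also breaking its own switched-LAN delivery)."""
    seen: dict[str, set[str]] = defaultdict(set)
    for p in packets:
        if p.proto == proto and p.dst_port == dst_port:
            seen[normalize_mac(p.src_mac)].add(p.src_ip)
    return dict(seen)


def locate_infected(packets, arp_text: str, dst_port: int, proto: str = "tcp"):
    """Return {mac: (real_ip_or_None, sorted claimed IPs)} for every MAC that
    hit dst_port. real_ip is None when the MAC is absent from the ARP table,
    which is the cue to ping-sweep the LAN and re-read the table."""
    arp = parse_arp_table(arp_text)
    return {
        mac: (arp.get(mac), sorted(claimed))
        for mac, claimed in suspect_macs(packets, dst_port, proto).items()
    }


# Constructed sample capture: two infected hosts using random source IPs,
# one clean host doing ordinary web traffic.
SAMPLE_PACKETS = [
    Packet("00:0c:29:aa:bb:01", "203.0.113.77", "198.51.100.5", 1, "tcp"),
    Packet("00:0c:29:aa:bb:01", "192.0.2.9", "198.51.100.5", 1, "tcp"),
    Packet("00-0C-29-AA-BB-02", "198.51.100.250", "198.51.100.5", 1, "tcp"),
    Packet("00:0c:29:aa:bb:03", "10.1.2.30", "198.51.100.80", 80, "tcp"),
]

# Constructed ARP table from the router; host ..:02 has not been seen yet,
# which is exactly why the post suggests a ping sweep before re-reading it.
SAMPLE_ARP = """\
Address        HWaddress
10.1.2.15      00:0c:29:aa:bb:01
10.1.2.30      00:0c:29:aa:bb:03
"""

if __name__ == "__main__":
    for mac, (ip, claimed) in locate_infected(SAMPLE_PACKETS, SAMPLE_ARP, 1).items():
        where = ip or "NOT IN ARP TABLE (ping sweep the LAN and retry)"
        print(f"{mac} -> {where}; claimed source IPs {claimed}")
```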
RE: [ActiveDir] Permissions to start and stop the services
We do this for our 1st tier support staff via a GPO. You can assign specific permissions to users or groups for individual services. The only gotcha is that you need to edit the GPO from a machine with that service installed - that's the only way it gets enumerated in the GPO service list.

Roger Seielstad
E-mail Geek & MS-MVP

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton
> Sent: Thursday, December 23, 2004 8:48 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Permissions to start and stop the services
>
> From the command line:
>
> Net start Service_name
>
> Net stop service_name
>
> Works pretty well for me when I want to start / stop sysaid
> server. If greater permissions are needed for that user I'd
> add them in via a GPO or even just apply it direct to their pc.
>
> HTH
>
> Regards
> Tim Sutton
> IT Systems Manager
>
> Troup Bywaters & Anders
> Eastgate House
> 10 Eastgate
> LEEDS LS2 7JL
> Tel: 01132432241
> Fax: 01132424024
> E-mail: [EMAIL PROTECTED]
>
> Privilege and Confidentiality Notice
> This email and any attachments to it are intended only for
> the party to whom they are addressed. They may contain
> privileged and/or confidential information. If you have
> received this transmission in error, please notify the sender
> immediately and delete any digital copies and destroy any
> paper copies. Thank you.
>
> -----Original Message-----
> From: Al Lilianstrom [mailto:[EMAIL PROTECTED]
> Sent: 23 December 2004 15:24
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Permissions to start and stop the services
>
> subinacl.exe allows you to set permissions on a service so
> that a particular user or group can manage them.
>
> al
>
> Sudhir Kaushal wrote:
> >
> > Hi,
> >
> > I have a user who wants to start and stop one particular application
> > service on the server, whenever he wishes from his desktop. I can't
> > give him any special rights. The O.S is Windows 2000. I am not clear
> > how I can do this. Like using security templates and give him the
> > permissions to start or stop the service, or setting some policy.
> > Please suggest.
> >
> > Regards,
> > Sudhir Kaushal
> > Systems Engineer (GIS)
> > Computer Sciences Corporation.
> > India - + 91 120 2582323 Ext. 2649   Denmark - + 45 70100024 Ext. 2649
> >
> > "You never win Silver, You lose Gold"
> >
> > --
> > This is a PRIVATE message. If you are not the
> > intended recipient, please delete without copying and kindly advise us
> > by e-mail of the mistake in delivery. NOTE: Regardless of content,
> > this e-mail shall not operate to bind CSC to any order or other
> > contract unless pursuant to explicit written agreement or government
> > initiative expressly permitting the use of e-mail for such purpose.
> > --
>
> --
> Al Lilianstrom
> CD/CSS/CSI
> [EMAIL PROTECTED]
RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?
Just a SWAG, but AD Integrated secondaries would have the relatively undesirable effect of ballooning the DIT... At my former employer, we ran something like 25-30 zones which were secondaried from the production side of the business. That probably would have a more than noticeable effect on DIT size..

Roger Seielstad
E-mail Geek & MS-MVP

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
> Sent: Friday, November 19, 2004 8:56 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?
>
> Because I have a couple of dozen remote DCs that serve DNS
> for their locations. Our unix boxes are in a DNS zone that is
> handled by bind/unix server. All of my DCs carry this zone as
> a secondary.
>
> This works fine, but it is a bit of a pain to maintain. I
> have to remember to configure the zone on any new DCs, and I
> have to have the unix guys add a "notify" line on the bind
> server for the new DCs (OK, I don't HAVE to do the notify
> part...). Plus, replication of the zone is handled by DNS
> instead of the much more efficient AD replication.
>
> Ever since laying eyes on w2k3 DNS server, I've always
> wondered why the developers didn't allow for integrated
> secondaries. Don't get me wrong, integrated stubs are great,
> but between the two, I'd have thought integrated secondaries
> would have been the more desirable. I just assumed I was
> missing some technical reason that made it unfeasible.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Friday, November 19, 2004 11:13 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?
>
> Because when it's integrated, there is no concept of
> "secondaries" as we understood it to be in pre-2Kx world.
> It's there in AD, and any DC can see and write to it. Now, if
> you are secondarying the zones on another server located in
> another forest/network, why would you want to store that info
> in your own AD. You will not be modifying that zone locally
> on the secondary anyway. Or, are you intending to?
>
> Sincerely,
>
> Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
> Microsoft MVP - Directory Services
> www.readymaids.com - we know IT
> www.akomolafe.com
> Do you now realize that Today is the Tomorrow you were
> worried about Yesterday? -anon
>
> From: [EMAIL PROTECTED] on behalf of Ken Cornetet
> Sent: Fri 11/19/2004 6:56 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] OT: Why no AD integrated DNS secondary zones?
>
> OK, integrated stub zones are cool, but I'm curious - why did
> MS stop there? Why no integrated secondaries?
RE: [ActiveDir] DNS Issues
Correct. The generally accepted principle is that DNS source ports should be 53 as well. Regardless, the default UDP behavior requires separate firewall rules to allow responses back to the DNS servers.

Roger Seielstad
E-mail Geek & MS-MVP

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT
> Sent: Thursday, November 18, 2004 8:38 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] DNS Issues
>
> Win2k DNS used a random port in addition to port 53 for DNS
> resolution. I don't know if Win2k3 is the same. There is a registry
> hack that will force it to a known port. If you sniff the traffic you
> should be able to see it.
>
> David J. Perdue
> Network Security Engineer, InDyne Inc
> Comm: (805) 606-4597  DSN: 276-4597
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Wednesday, November 17, 2004 8:42 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS Issues
>
> By default, DNS queries are done over UDP. UDP is stateless - and
> therefore there is no automatic reverse allow created by firewalls. So
> what's happening is that you're probably failing the UDP request
> because the response can't come back in to the DNS server, at which
> point your DNS servers fail over to TCP and more often than not are
> able to complete the lookups.
>
> Now - I also know some people block all TCP traffic to their DNS
> servers so if your DNS servers can't do UDP, you can't resolve from
> their servers.
>
> Roger Seielstad
> E-mail Geek & MS-MVP
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
> > Sent: Wednesday, November 17, 2004 5:53 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] DNS Issues
> >
> > Our Win2k DNS servers are on our internal network. I have a rule
> > allowing 53 tcp and 53 udp outbound to the Internet. I don't have
> > any other rules for DNS. Why do I need to create an inbound rule?
> > Aren't the DNS servers doing all the lookups outbound? What would
> > initiate a connection inbound to our DNS servers from the outside?
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> > Sent: Tuesday, November 16, 2004 11:32 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] DNS Issues
> >
> > TCP shouldn't be an issue - since most firewalls will do some sort
> > of state management for those connects.
> >
> > My money's on the fact there ISN'T an inbound firewall rule allowing
> > UDP/53 to his DNS servers and tangential to that the fact that there
> > is no static NAT enabled for the DNS servers internally.
> >
> > In other words, create a static NAT rule for the DNS servers with
> > root hints enabled, and enable UDP/53 inbound to those hosts. DNS
> > starts working again - this time consistently.
> >
> > The reason for inconsistency is most likely caused by the fact some
> > resolutions will fall over to TCP, due to response size and some
> > less regular occurrences.
> >
> > Roger Seielstad
> > E-mail Geek & MS-MVP
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> > > Sent: Tuesday, November 16, 2004 7:41 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] DNS Issues
> > >
> > > TCP or UDP through the firewall?
> > >
> > > What have you done to troubleshoot? Logs? ??
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
> > > Sent: Tuesday, November 16, 2004 8:58 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] DNS Issues
> > >
> > > Yes, all DNS is working fine except for some rare instances of
> > > hostnames we've run into. Last week we couldn't get to ftp.nai.com
RE: [ActiveDir] Master Browser
The next corporate relocation requires my employer to include payment for a divorce attorney.

Roger Seielstad
E-mail Geek & MS-MVP

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
> Sent: Wednesday, November 17, 2004 8:52 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Master Browser
>
> I dunno; one more move and Allison might have put out a contract on
> you... :-)
>
> **
> Charlie Kaiser
> MCSE, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> > Sent: Wednesday, November 17, 2004 8:45 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Master Browser
> >
> > As opposed to my previous employer. I'm done moving for a while. The
> > last 5 months made me feel like I was in the witness protection
> > program, minus the mob.
> >
> > Roger Seielstad
> > E-mail Geek & MS-MVP
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > > Sent: Wednesday, November 17, 2004 7:38 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Master Browser
> > >
> > > Your current employer? That makes it sound like you are ready to
> > > jump to some other employer Rog.
> > >
> > > joe
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> > > Sent: Wednesday, November 17, 2004 12:23 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Master Browser
> > >
> > > You are correct - it's all about enumerating NetBIOS shares.
> > >
> > > My current employer rather likes personal shares - rather there's
> > > no resistance to having them.
> > >
> > > Roger Seielstad
> > > E-mail Geek & MS-MVP
> > >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
> > > > Sent: Monday, November 15, 2004 11:00 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] Master Browser
> > > >
> > > > So, really the only thing this service does is allow users to
> > > > click through the Network Neighborhood (or its successors). Is it
> > > > correct that it does not prevent users from finding devices from
> > > > the run line or (obviously) from mapped drives?
> > > >
> > > > As for publishing shares from workstations ... (zoinks!) you may
> > > > have bigger fish to fry! ;-)
> > > >
> > > > -- nme
> > > >
> > > > -Original Message-
> > > > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > > > Sent: Monday, November 15, 2004 10:13 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] Master Browser
> > > >
> > > > I personally favor disabling it on all workstation machines.
> > > > There's little harm in leaving it running on servers, even non
> > > > DC's.
> > > >
> > > > The big question is whether or not it's needed - are the browse
> > > > list issues relevant enough to fix. In other words, is there a
> > > > minor change to usage that would eliminate the issue entirely?
> > > > The biggest place I'd expect to see this is if users are
> > > > publishing shares from their own machines.
> > > >
> > > > Roger Seielstad
> > > > E-mail Geek & MS-MVP
> > > >
> > > > > -Original Message-
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Tyson Leslie
> > > > > Sent: Monday, November 15, 2004 4:47 PM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: RE: [ActiveDir] Master Browser
> > > > >
> > > > > Do you still suggest turning it off on all ser
RE: [ActiveDir] Master Browser
As opposed to my previous employer. I'm done moving for a while. The last 5 months made me feel like I was in the witness protection program, minus the mob.

Roger Seielstad
E-mail Geek & MS-MVP

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Wednesday, November 17, 2004 7:38 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Master Browser
>
> Your current employer? That makes it sound like you are ready to jump
> to some other employer Rog.
>
> joe
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Wednesday, November 17, 2004 12:23 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Master Browser
>
> You are correct - it's all about enumerating NetBIOS shares.
>
> My current employer rather likes personal shares - rather there's no
> resistance to having them.
>
> Roger Seielstad
> E-mail Geek & MS-MVP
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
> > Sent: Monday, November 15, 2004 11:00 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Master Browser
> >
> > So, really the only thing this service does is allow users to click
> > through the Network Neighborhood (or its successors). Is it correct
> > that it does not prevent users from finding devices from the run
> > line or (obviously) from mapped drives?
> >
> > As for publishing shares from workstations ... (zoinks!) you may
> > have bigger fish to fry! ;-)
> >
> > -- nme
> >
> > -Original Message-
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > Sent: Monday, November 15, 2004 10:13 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Master Browser
> >
> > I personally favor disabling it on all workstation machines. There's
> > little harm in leaving it running on servers, even non DC's.
> >
> > The big question is whether or not it's needed - are the browse list
> > issues relevant enough to fix. In other words, is there a minor
> > change to usage that would eliminate the issue entirely? The biggest
> > place I'd expect to see this is if users are publishing shares from
> > their own machines.
> >
> > Roger Seielstad
> > E-mail Geek & MS-MVP
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Tyson Leslie
> > > Sent: Monday, November 15, 2004 4:47 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Master Browser
> > >
> > > Do you still suggest turning it off on all servers and
> > > workstations (as per your KB article), even in an all W2K or
> > > better environment? We have done so (via group policy) for quite
> > > some time, but recently ended up having to defend this decision to
> > > an admin in one of our other offices, because he was encountering
> > > browse list issues in his domain. (We have left it running on the
> > > Domain Controllers only.)
> > >
> > > Tyson.
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of ASB
> > > Sent: Monday, November 15, 2004 10:46 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [ActiveDir] Master Browser
> > >
> > > Turning off the service is a *much* better approach and doesn't
> > > generate any errors in the EventLog.
> > >
> > > - ASB
> > > Cheap, Fast, Secure -- Pick Any TWO.
> > > http://www.ultratech-llc.com/KB/
> > >
> > > On Mon, 15 Nov 2004 12:34:06 -0500, Craig Cerino <[EMAIL PROTECTED]> wrote:
> > > >
> > > > I wouldn't turn off the service - I would (and do) go into the
> > > > registry and tell the box it is NOT a Master Browser and NOT to
> > > > maintain a list
> > > >
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Adams,
RE: [ActiveDir] AD integrated DNS
I think they're dependent more on the existence of and the rate of change of dynamic registrations. In my previous company, we were about 80% laptops, so I ran short DHCP leases, short DNS TTLs and scavenged daily. In a more static environment I'd lengthen those significantly.

----
Roger Seielstad
E-mail Geek & MS-MVP

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
> Sent: Wednesday, November 17, 2004 7:10 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] AD integrated DNS
>
> What settings are recommended for 2003 AD integrated DNS?
>
> Automatic scavenging? If so, how frequently?
> Is there a way to automatically clear the cache on the server every
> night, or do you just have to add a task to task scheduler to do it?
> Would there be anything wrong with clearing the cache every night?
> The reason I ask is because nslookups were timing out for cnn.com
> today, and clearing the cache on the DNS server fixed it.
RE: [ActiveDir] DNS Issues
By default, DNS queries are done over UDP. UDP is stateless - and therefore there is no automatic reverse allow created by firewalls. So what's happening is that you're probably failing the UDP request because the response can't come back in to the DNS server, at which point your DNS servers fail over to TCP and more often than not are able to complete the lookups.

Now - I also know some people block all TCP traffic to their DNS servers so if your DNS servers can't do UDP, you can't resolve from their servers.

Roger Seielstad
E-mail Geek & MS-MVP

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
> Sent: Wednesday, November 17, 2004 5:53 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS Issues
>
> Our Win2k DNS servers are on our internal network. I have a rule
> allowing 53 tcp and 53 udp outbound to the Internet. I don't have any
> other rules for DNS. Why do I need to create an inbound rule? Aren't
> the DNS servers doing all the lookups outbound? What would initiate a
> connection inbound to our DNS servers from the outside?
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Tuesday, November 16, 2004 11:32 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS Issues
>
> TCP shouldn't be an issue - since most firewalls will do some sort of
> state management for those connects.
>
> My money's on the fact there ISN'T an inbound firewall rule allowing
> UDP/53 to his DNS servers and tangential to that the fact that there
> is no static NAT enabled for the DNS servers internally.
>
> In other words, create a static NAT rule for the DNS servers with root
> hints enabled, and enable UDP/53 inbound to those hosts. DNS starts
> working again - this time consistently.
>
> The reason for inconsistency is most likely caused by the fact some
> resolutions will fall over to TCP, due to response size and some less
> regular occurrences.
>
> Roger Seielstad
> E-mail Geek & MS-MVP
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> > Sent: Tuesday, November 16, 2004 7:41 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] DNS Issues
> >
> > TCP or UDP through the firewall?
> >
> > What have you done to troubleshoot? Logs? ??
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
> > Sent: Tuesday, November 16, 2004 8:58 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] DNS Issues
> >
> > Yes, all DNS is working fine except for some rare instances of
> > hostnames we've run into. Last week we couldn't get to ftp.nai.com
> > but now we can.
> > All our workstations are pointed to our child DCs for DNS. They are
> > set to forward to our empty root DCs, and the empty root DCs have
> > the root-hints, and the firewall allows them out port 53.
> >
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
> > Sent: Tuesday, November 16, 2004 7:53 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] DNS Issues
> >
> > I'd advise using forwarding for the functions you require.
> >
> > It may seem stupid... but I take it the DNS server/s have
> > appropriate rules in your firewall/s?
> >
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
> > Sent: 16 November 2004 13:48
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] DNS Issues
> >
> > Since changing our DNS design from forwarding to our old firewall
> > which had root-hints built into it, to forwarding our DNS to our
> > empty forest root domain controllers with the root-hints on them, we
> > are not getting all our DNS lookups.
> >
> > For example, http://www.volksbanksalzburg.at right now is not
> > resolving for us. Yet if we RDP into one of our home PCs, it
> > resolves fine. So my question is, is there anything weird about
> > Windows 2000 root-hints or DNS servers that would cause us to not be
> > able to lo
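The UDP-first, TCP-fallover behaviour Roger describes in this thread (and the source-port follow-up in the same "DNS Issues" thread above), as an added example that is not code from the list or from any of the posters: a minimal DNS query builder and header parser in Python, with the network transports injected as plain functions so the resolver logic runs offline against constructed replies. The hostname `example.test`, the transport stubs, and the `resolve` function are my own assumptions for illustration, not anything taken from the thread. The example shows the two triggers for the fallover that the posters were seeing: no UDP reply at all (what a stateless firewall with only an outbound UDP/53 rule produces, since the reply is a separate inbound datagram) and a truncated reply (TC bit set because the answer did not fit in 512 bytes, the response-size case). The query's UDP source port is left to the OS here; whatever port it is, the reply has to be let back in to it.

```python
"""Added example: how a resolver falls over from UDP to TCP.

Not code from the ActiveDir list. Transports are injected as functions
(send_udp / send_tcp) so the decision logic can be exercised offline
against constructed packets; swap in real sockets to use it on a network.
"""
import random
import struct

QTYPE_A = 1
QCLASS_IN = 1
FLAG_QR = 0x8000   # response bit
FLAG_RD = 0x0100   # recursion desired
FLAG_TC = 0x0200   # truncated: answer exceeded the UDP payload limit
UDP_MAX_PAYLOAD = 512  # classic DNS-over-UDP limit without EDNS


def build_query(name, qtype=QTYPE_A, txid=None):
    """Return (txid, wire) for a standard recursive query for `name`."""
    if txid is None:
        # A random transaction ID is one of the things a resolver uses
        # to match replies to its own questions and ignore stray ones.
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict (id, qr, tc, rcode, counts)."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data):
    (n,) = struct.unpack("!H", data[:2])
    return data[2:2 + n]


def resolve(name, send_udp, send_tcp, udp_attempts=2):
    """Resolve `name`; return (transport_used, header_dict_or_None).

    send_udp(wire) -> raw reply bytes, or None if nothing came back.
    send_tcp(framed) -> framed reply bytes, or None if TCP is blocked.
    UDP is tried first; TCP is used when UDP gets no usable reply or
    when the reply is truncated (TC set).
    """
    txid, wire = build_query(name)
    for _ in range(udp_attempts):
        reply = send_udp(wire)
        if reply is None:           # firewall dropped the inbound datagram
            continue
        hdr = parse_header(reply)
        if hdr["id"] != txid or not hdr["qr"]:
            continue                # not our answer: ignore it
        if not hdr["tc"]:
            return "udp", hdr
        break                       # truncated: retry the whole query over TCP
    reply = send_tcp(tcp_frame(wire))
    if reply is None:
        return "none", None
    hdr = parse_header(tcp_unframe(reply))
    if hdr["id"] != txid or not hdr["qr"]:
        return "none", None
    return "tcp", hdr


# --- constructed stand-ins for the network (not real traffic) -------------

def make_response(txid, truncated=False, ancount=1):
    flags = FLAG_QR | FLAG_RD | (FLAG_TC if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


def firewall_drops_udp_replies(wire):
    """Stateless firewall, outbound UDP/53 only: the reply never arrives."""
    return None


def udp_reply_truncated(wire):
    """Server answer was too big for UDP, so it comes back with TC set."""
    return make_response(parse_header(wire)["id"], truncated=True, ancount=0)


def udp_reply_ok(wire):
    return make_response(parse_header(wire)["id"])


def tcp_reply_ok(framed):
    return tcp_frame(make_response(parse_header(tcp_unframe(framed))["id"], ancount=3))


def tcp_blocked(framed):
    return None


if __name__ == "__main__":
    for label, udp, tcp in [("udp dropped, tcp open", firewall_drops_udp_replies, tcp_reply_ok),
                            ("udp ok", udp_reply_ok, tcp_reply_ok),
                            ("udp truncated", udp_reply_truncated, tcp_reply_ok),
                            ("udp dropped, tcp blocked", firewall_drops_udp_replies, tcp_blocked)]:
        print(f"{label:28s} -> {resolve('example.test', udp, tcp)[0]}")
```

The first and last scenarios are the two situations in the thread: lookups that "work" only because TCP gets through, and lookups that fail outright where TCP is blocked as well. A firewall that keeps UDP pseudo-connection state lets the reply back in on its own; a stateless one needs the explicit inbound UDP/53 rule Roger mentions, and the example's `firewall_drops_udp_replies` stub is exactly that missing rule.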