[ActiveDir] Merging GPO's

2005-09-02 Thread Roger Seielstad
Yeah, so I've been gone a while - too long, but I'll try to fix that.

Anyway - does anyone have/know of a tool to merge multiple GPO's into a
single policy?

I inherited a conglomeration of about 40 GPO's which have conflicting
settings and are generally just a miserable pain to work with, and rather
than manually recreating them (since some are fairly involved) I'd love to
be able to select 2 or more and do for GPO's what WinMerge does for text
files.


Roger Seielstad
E-mail Geek


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Group policy security setting

2005-09-02 Thread Roger Seielstad
The other way that works is to add the UNC for the file server
(file://server/share) to the Trusted Sites, under 
User Config / Windows Settings / IE Maintenance /Security / Security Zones
and Content ratings

Now that I look, there's the setting you're trying to change - which is why
it probably didn't work with a template.







Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Friday, September 02, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group policy security setting

This is driving me nuts

I'm trying to set up a W2K3 SP1 terminal server machine, managed by group
policy, that will allow users to run certain apps that actually load from
another server. Here's the problem...

When I try and launch one of those apps, I get the security warning box
"open file - security warning" "Are you sure you want to run this software?"
I finally figured out how to disable it; in IE properties, security, trusted
sites, custom level, there's a setting: "Launching applications and unsafe
files". If I set that to enable, the box goes away. (I'm using software
restrictions to only allow certain apps, so the warning box is irrelevant).

I want to be able to set this value via GP rather than through the IE
interface. The IE ADM template seems to include every setting except for
this one.

Why? I've tried creating a custom ADM for the setting, but I'm getting
nowhere with that. I'll probably try that again next week.
But I'm curious why this particular setting is not available in the
template? Any ideas? Am I missing something?

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**


RE: [ActiveDir] Merging GPO's

2005-09-04 Thread Roger Seielstad
I had been looking at the backup files created by GPMC, which look like they
could be munged together, but that's a bit more manual than I'd like. I'll
have to look at them again to see if running them through something like
WinMerge would do the trick. 



Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Saturday, September 03, 2005 12:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Merging GPO's

Roger-
If you actually need to, say, merge Admin Template policies from two
different GPOs, then I've not seen any tool to do this, unfortunately,
though I do hear the need from time to time. If you want to take a GPO that
contains Admin Template policy and merge it into another GPO that contains
security policy, then that is do-able through some hacking around. 

Darren



RE: [ActiveDir] DNS resolution - prioritization

2005-09-05 Thread Roger Seielstad



I'd create smaller subnet records in AD (probably matching 
the /25 VLANs) and assign those to the sites which house the domain controller 
which you want them to use. You can keep the /21 subnet entry as a catch all as 
well, just in case.
 
Roger Seielstad
E-mail Geek
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Monday, September 05, 2005 3:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS resolution - prioritization

Dear All,
 
We have around 50 sites with 80 DCs, all in single domain.
 
Now issue is three sites, have very restrictive network configuration for 
subnets. (all having 500+ machines)
 
i.e. their subnet specification in AD is  10.*/21
but at the network level they have divided this subnet into VLANs with mask 
of /25, all inclusive in mask /21 defined for subnet at AD level.
 
Problem:  when machine tries to find the nearest DC using domain DNS 
name, DNS server doesn't give IP of nearest DC first.
as the server falls into only one of the /25 subnets. ( "subnet mask 
request" in DNS server is enabled)
And as a result, machines go to other DCs for netlogon related 
activities/scripts. (generating unnecessary WAN traffic, slow login)
 
I am working with Network team to initiate the feasibility of so many 
VLANs, (long process)
and if its possible to merge some VLAN, then I will move the DC in that 
subnet.
 
Any solution other than hard coding nearest DC in host file of all these 
machines.
 
Regards,
Kamlesh
-- ~~~"Fortune and Love befriend the bold"~~~
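As an added illustration of the advice above (example code, not from the thread or from any Microsoft tool): a small Python model of how a site-aware locator maps a client address to an AD site, where the most specific subnet object wins, so /25 VLAN entries override a /21 catch-all and clients are steered to the DC in their own site. The subnet values, site names and DC names are constructed for the example.

```python
import ipaddress

# Constructed example data (not from the thread): the starting point has
# only the /21 subnet object, so every client in it lands in one site.
AD_SUBNETS_BEFORE = {"10.8.0.0/21": "Site-Catchall"}

# After the fix: the /21 stays as a catch-all, and /25 subnet objects
# matching the VLANs are pinned to the sites that hold the DC those
# clients should use.
AD_SUBNETS_AFTER = {
    "10.8.0.0/21": "Site-Catchall",
    "10.8.0.0/25": "Site-A",
    "10.8.0.128/25": "Site-A",
    "10.8.1.0/25": "Site-B",
    "10.8.4.0/25": "Site-C",
}

# Constructed DC inventory: hostname -> site it belongs to.
DCS = {
    "dc-a1": "Site-A",
    "dc-b1": "Site-B",
    "dc-c1": "Site-C",
    "dc-hub1": "Site-Catchall",
}


def site_for_client(client_ip, subnets):
    """Return the site whose subnet object most specifically contains
    client_ip. The longest prefix wins, so a /25 beats the /21 it sits
    inside. Returns None when no subnet object covers the address."""
    ip = ipaddress.ip_address(client_ip)
    best_net, best_site = None, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if ip not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_site = net, site
    return best_site


def order_dcs_for_client(client_ip, subnets, dcs):
    """Order DC candidates the way a site-aware locator would: DCs in the
    client's own site first, everything else after. Simplified model with
    no site-link cost or covering-site logic."""
    site = site_for_client(client_ip, subnets)
    in_site = sorted(h for h, s in dcs.items() if s == site)
    elsewhere = sorted(h for h, s in dcs.items() if s != site)
    return in_site + elsewhere


if __name__ == "__main__":
    client = "10.8.1.10"  # a host on the 10.8.1.0/25 VLAN
    for label, table in (("before", AD_SUBNETS_BEFORE),
                         ("after", AD_SUBNETS_AFTER)):
        print(label, site_for_client(client, table),
              order_dcs_for_client(client, table, DCS))
```

With only the /21 defined, the client is placed in the catch-all site and gets its DC; once the /25 entries exist, the same client resolves to Site-B and dc-b1 comes first.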


RE: [ActiveDir] Moving forest root domains to child domains in another forest

2005-09-05 Thread Roger Seielstad



Link speed really has nothing to do with the decision to 
split into separate domains. You've got a LOT of control over replication and 
really can build a topology that works for just about any WAN design you care to 
put out there.
 
Keeping in mind that forests are the true security 
boundary, are you getting any real benefit from moving from 3 forests to 4 
domains?
 
Roger Seielstad
E-mail Geek
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chaves, Jan Amcil L.
Sent: Monday, September 05, 2005 5:37 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving forest root domains to child domains in another forest

Right. Mostly for administrative and exchange consolidation. And to implement
a logically consistent naming convention. The domains are related enough to
put into a single forest, but not quite that “intimate” to all fit in a
single domain, due to radical differences in GPOs, etc. Not to mention slow
links connect global sites thus necessitating the split in the domains.

Our objective, just recently revised, is to come up with an empty forest root
and three (possibly more) child domains under it. And then build exchange
around the forest.

Jan

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Mon Sep 05 16:07:23 2005
Subject: RE: [ActiveDir] Moving forest root domains to child domains in another forest

can you mention some of your reasons WHY you want to merge your three forests
in the way you describe?

I certainly understand that you might want to consolidate, but why in the
world would you want to go from three single-domain forests to one forest
with a root + 2 child domains, leaving you with managing three domains? I'd
actually vote that this is worse than what you have right now. If you do
consolidate, then I'd suggest you migrate the objects from those two forests
directly to the existing root of your third forest, leaving you with a single
domain to manage.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chaves, Jan Amcil L.
Sent: Sunday, 4 September 2005 03:15
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Moving forest root domains to child domains in another forest

Hi! I have a huge task to do. I have three separate Windows Server 2003
forests, each with a single domain (and Exchange 2003 servers to boot). I
have to combine all three into a single forest and end up with just one root
domain, with the other two as child domains of the first.

Is there any way (by hook or by crook) to do this? Pointers to third-party
apps are very much appreciated.

Thanks,
Jan


RE: [ActiveDir] DNS resolution - prioritization

2005-09-06 Thread Roger Seielstad



You are correct - the DNS server won't provide any 
intelligence with regards to what it returns to a request. DNS should be 
returning ALL records for the appropriate domain, which I believe NetLogon on 
the local machine then parses against AD Sites by subnet.
 
Gil Kirkpatrick wrote an extensive article for Windows IT 
Pro Magazine (or whatever they're calling it now) about 12-18 months ago that 
detailed how the whole process works.
 
Roger Seielstad
E-mail Geek
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Tuesday, September 06, 2005 12:47 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS resolution - prioritization
Thanks Roger for the reply,

Problem is not the site setting, you see... when I ping for my domain's DNS
name... or access the netlogon folder on the DC as \\example.com\netlogon

This DNS resolution will NOT consider site boundaries and give me the
appropriate IP of the local DC. This DNS resolution will ask for the client's
subnet mask and if it finds any matching IP of a DC which falls into this
client network, it will provide that DC IP as the first one. (making sure
traffic remains inside the LAN)

But, since the client IP network is a restrictive /21, the server which is
there in the same physical LAN but in a different subnet will not be
returned as first choice.

I hope it clears it a bit.


RE: [ActiveDir] 2003 SP1

2005-09-06 Thread Roger Seielstad
I haven't done it on DC's yet (since I no longer run any...) but with
regards to member servers I'm finding it rock solid.

For a higher traffic DC or member server, I'd expect you'll see a relatively
large decrease in CPU utilization for network related things.



Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Tuesday, September 06, 2005 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 SP1


Good morning folks, I am entertaining the idea of applying SP1 to our
2003 domain controllers. I figured I would start with
http://support.microsoft.com/kb/889101  but if you have any 1st hand
knowledge of any issues, please let me know.

For that matter, if you have a good link about applying 2003 SP1 to "member
servers" please send it to me. I will probably assist with this task also.

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services Banner Health
Voice (602) 495-4195 Fax (602) 495-4406
 



RE: [ActiveDir] DNS resolution - prioritization

2005-09-06 Thread Roger Seielstad



Ahh - there's the issue. That's not the same thing as logon 
traffic.
 
Switching that to a domain DFS will certainly fix the issue 
- DFS understands AD Sites
 
Roger Seielstad
E-mail Geek
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Tuesday, September 06, 2005 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS resolution - prioritization

I agree client logon won't be an issue, as clients & DC fit in 
the site boundary. 
 
But some of my startup script access netlogon as \\example.com\netlogon, and I 
suppose accessing any network resource by UNC has nothing to do with 
site boundary, it is pure DNS resolution. 
 
also what about domain DFS traffic ? will it consider site boundaries 
while, finding the nearest replica partner? or it will use plain DNS 
resolution? 
-
Kamlesh

On 9/6/05, Phil Renouf <[EMAIL PROTECTED]> wrote:

  Just wondering what the actual issue is here though, when a client logs 
  in they will get a DC within their local site, that shouldn't be dependent on 
  the client's subnet mask, just whether their IP falls within the scope of a 
  site defined in AD. If there is a DC in that site then they should be referred 
  to that DC during logon processes. 
   
  The behaviour of ping is not going to be site aware, but logon traffic 
  will be.
   
  Phil 
  


RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

2005-09-09 Thread Roger Seielstad
Last time I checked, you needed about 12-14 ports open to authenticate
against a domain.

It would make significantly more sense to put a proxy outside your firewall
and keep sharepoint inside. 



Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason B
Sent: Wednesday, September 07, 2005 8:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Which ports to open in the DMZ to communicate with AD &
SQL...

We are putting a MS sharepoint server in the DMZ and need to have it on the
domain and communicating with a SQL server on the domain.  Because of these
needs, we only want to open the minimum number of ports to get
functionality.  We have LDAP (389) opened and SQL (1433) opened.  What other
ports will we need to open to be able to log in on the sharepoint server
with a domain account?  Currently, with only these two ports opened, a
domain account can't log on to the sharepoint server in the DMZ.

Any help is MUCH appreciated. 


RE: [ActiveDir] Group policy security setting

2005-09-09 Thread Roger Seielstad
I *think* there's a policy setting to override that first connect to MS.com
- I just can't remember what it is right now 


----
Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Wednesday, September 07, 2005 3:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group policy security setting

OK; I finally figured this one out; I had to set a couple of other settings
for this to work. 
Computer config\admin templates\Internet explorer\internet control
panel\security page. 
Intranet sites: Include all local (intranet) sites not listed in
other zones
Intranet sites: Include all network paths (UNCs)

That let it work as expected. 

But I'm seeing another problem as well. This is one of those things that bug
us when we log on to a new machine for the first time. :-)

I've set the IE home page to our intranet, which is the only site allowed;
everything else goes to a bit-bucket proxy. So in:
User config\windows settings\internet explorer maintenance\URLs\Important
URLs, I've set the home page. But it doesn't work. With a new user login, IE
starts by going to MS site, and since the proxy won't let it, it doesn't
move forward from there. I can type in the intranet URL manually and get
there. If I allow the browser to reach the internet, it goes to the MS site
first, then to windows update on the second launch, then to the expected
home page on the third launch.

Any way to get around this?
Thanks!

PS: Roger; good to see you back. How's things? Pam and I are moving to AZ
soon. Gimme a call sometime and we can chat...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 



RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

2005-09-09 Thread Roger Seielstad



> Again to clarify, the ISA server often (but not always) resides in the
> semi-trusted network while the SharePoint server should always reside on a
> fully-trusted network.
 
Actually - you really should look at that differently. It should 
read:
 
ISA 
server should reside in the semi-trusted network while the SharePoint server 
should reside on a more trusted network.
 
Many people seem to think they should only have 3 classes of networks -
Untrusted (i.e. the big I), Semi-trusted (DMZ) and fully trusted (internal).
I think it's fairly trivial and significantly safer to layer services like
this, mail relays, and other servers which make outbound calls to the 'Net
into what I would describe as an internal DMZ. Yes, it's more trusted, but
you can still ACL off and obscure the internal workings of your network.
Roger Seielstad
E-mail Geek
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Wednesday, September 07, 2005 5:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...


I should make sure I 
was clear – in no way did I encourage the placement of ISA AND the SharePoint 
server onto the semi-trusted (DMZ) network. Again to clarify, the ISA server 
often (but not always) resides in the semi-trusted network while the SharePoint 
server should always reside on a fully-trusted network.  The key benefit 
here is that the only required configuration through the firewall to the 
internal network is the web ports (i.e. 80, 443) necessary to allow proper 
communication between the ISA server and the SharePoint server.  If the ISA 
server were compromised, however unlikely, the only path through the firewall to 
the internal network would be via the web ports to the SharePoint server. 

 
Another problem with 
the IPSec solution is that if your SharePoint server in the DMZ is compromised 
(it is running IIS ;-) the IPSec path it has through to the internal network 
will be compromised as well.  Of course this will then allow a potential 
hacker to ride the IPSec tunnel straight to all of the systems/ports (i.e. 88, 
123, 389, 3268, 3269, and [god forbid] 135 and 445) you have configured the 
SharePoint server to communicate with on the internal LAN.  BTW I think you 
can configure IPSec to work between clients/member servers and DCs so long as 
the correct exceptions are in place or as long as you use certificates (which 
would be the best approach if using it in the DMZ).
 
 
BTW, Jason, never say 
never.  With enough good arguments and still meeting the stated 
requirements you can certainly change people’s 
opinions…
 
 
Aric 
  
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, September 07, 2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
 


Looks like we have 
plenty of ideas and opinions ;)

 

ISA is a great way to deal with 
this, but I believe the decision was made to put the SP machine in the DMZ 
regardless of the technical merit or viability. And whether or not it is a good 
idea.  That said, ISA doesn't offer much if you put it AND this machine in 
a semi-trusted network (for whatever that means these days.) 


 

Shame there's no leeway 
though.  The downside to using IPSec is that as others have pointed out, it 
won't work on member server <->DC for W2K servers (limitation of the 
OS) but will for 2K3 member servers but that still leaves you with a secure 
channel from the DMZ host to your internal network.  That means you can't 
monitor the traffic from the DMZ to your internal network because it's encrypted 
(sounds like a broken record, I know.) 

 

Too bad you can't sway the decision 
makers to do this differently. But hopefully you've received a lot of ideas to 
pick from. 

 

Best of 
luck,

Al

 

 

 



From: [EMAIL PROTECTED] on behalf of Bernard, Aric
Sent: Wed 9/7/2005 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

I agree with Phil – I 
think using an ISA (or other reverse proxy solution) is the best way to go given 
your constraints.
 
Using a reverse proxy 
solution allows you the following:

  Keep you Sharepoint server behind 
  the firewall, yet make it accessible to external clients as if it was in the 
  DMZ. 
  Restrict your [additional] holes 
  through the firewall to only that needed by the reverse proxy solution to 
  interact with the Sharepoint server (port 80). 

 
BTW - this scenario is 
becoming extremely common.  The next common addition you will see to this 
will likely be the use of ADFS to provide an identity trust bridge between the 
internal forest and a partner forest (or other identity 
system).
 
Regards,
 
Aric 
Bernard
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday,

RE: [ActiveDir] OT: Exmerge 2003

2005-09-09 Thread Roger Seielstad
ExMerge supports doing select merging based on criteria like dates. That's
how I always approached that issue in the past.

You need to run ExMerge in batch mode with a config file to do it though.
It's all in the docs. 



Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Thursday, September 08, 2005 8:25 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] OT: Exmerge 2003


I have to archive some mailboxes on an Exchange 2003 server and would like
to use the Exchange 2003 Mailbox Merge Wizard. However, these mailboxes are
over 2GB and I was wondering if exmerge 2003 has the same 2GB .pst file size
limitation as Outlook 2000 and XP, or can it create .pst files larger than
2GB like Outlook 2003?


Thanks in advance,

Dan DeStefano







RE: [ActiveDir] Printers

2005-09-09 Thread Roger Seielstad
IIRC exception code 0xc005 is an access denied. Do normal users have the
right to install drivers on their workstations?



Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, September 09, 2005 7:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Printers

I have an HP 2430 and an HP 9050 in my environment.  I just got them and
installed them on my server and shared them out.  When I go to a local
workstation and login as a regular user, go to START, RUN and type in the
UNC path of the server to install the network printer on the workstation I
am unable to print and get the following error message when I go to the
properties of that printer.  Older printers have worked fine like this in
the past.

Function address 0x4f56a0bd caused a protection fault. (exception code
0xc005) Some or all property pages may not be displayed.

Has any one seen this and fixed it?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] SBS Server Question

2005-09-14 Thread Roger Seielstad
Yeah, but his MVP is in MSDS (as in Dining Services). We've got pictures to
prove it.



Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, September 14, 2005 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBS Server Question

EULA dear.

There's Can and there is legal.

No you can't and be legal... and for a MVP shame on you  ;-)

[EMAIL PROTECTED] wrote:

>Actually, depending on your level of tolerance for pains, I know that 
>you can.
> 
>http://www.akomolafe.com/Portals/1/Creating%20a%20trust%20relationship%20between%20two%20Small%20Business%20Server%202000%20domains.htm
> 
> 
>Sincerely,
>
>Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
>Microsoft MVP - Directory Services
>www.readymaids.com - we know IT
>www.akomolafe.com
>Do you now realize that Today is the Tomorrow you were worried about 
>Yesterday?  -anon
>
>
>
>From: [EMAIL PROTECTED] on behalf of Sakari Kouti
>Sent: Wed 9/14/2005 11:46 AM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] SBS Server Question
>
>
>
>Hi Jose,
>
>No, an SBS domain cannot have trusts, so it cannot be a child domain.
>
>And yes, after you have installed an SBS box, you can install 
>additional DCs, if they are normal Windows Server 2003 boxes.
>
>Yours, Sakari
> 
>
>  
>
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, 
>>Jose
>>Sent: Wednesday, September 14, 2005 8:47 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: [ActiveDir] SBS Server Question
>>
>>Hi Susan,
>>
>>Since we have an SBS MVP on the Active Dir list, let me ask a 
>>question.
>>
>>Can I now make an SBS 2003 server a child domain in an AD
>>2003 forest?
>>
>>Before you ask why, some one asked me this recently at a Linux users 
>>group meeting, as his company has several remote offices using SBS 
>>2003.
>>
>>Also on SBS 4.5, one could have a BDC as a backup, can this also be 
>>done with a DC or are you " Sh.T out of luck " when a box fails?
>>
>>Jose
>>
>>
>>List info   : http://www.activedir.org/List.aspx
>>List FAQ: http://www.activedir.org/ListFAQ.aspx
>>List archive:
>>http://www.mail-archive.com/activedir%40mail.activedir.org/
>>
>>
>>
>List info   : http://www.activedir.org/List.aspx
>List FAQ: http://www.activedir.org/ListFAQ.aspx
>List archive: 
>http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
>List info   : http://www.activedir.org/List.aspx
>List FAQ: http://www.activedir.org/ListFAQ.aspx
>List archive: 
>http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>  
>

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Joining a domain from offsite

2005-09-14 Thread Roger Seielstad
Could be an MTU size issue. It's often an issue across VPNs.

Look up how to set the MTU to less than 1500 (or just set the reg key to
disable PMTU detection) for the box you're trying to bring up.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Williams
Sent: Wednesday, September 14, 2005 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Joining a domain from offsite

It will ping by name or IP number. Ping times are about 100 ms.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, September 14, 2005 1:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Joining a domain from offsite

Are WINS and DNS working over the VPN? Try specifying the FQDN or shortname of
the domain instead of what you're specifying now to join it … this certainly
smells like nonworking DNS though.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Williams
Sent: Wednesday, September 14, 2005 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Joining a domain from offsite

Hi all:

We are setting up a server off-site using a PIX 525 and a PIX 501 to establish
the VPN connection. If I join the domain locally and then take the server
offsite I can login to the domain without any problems. If I disjoin the server
and then try to rejoin the domain from offsite I get errors that no domain
controller is available. In the error message it lists the domain controllers.

Any ideas?

Thanks

Mike

The domain name () might be a NetBIOS domain name.  If this is the case, verify
that the domain name is properly registered with WINS.

If you are certain that the name is not a NetBIOS domain name, then the
following information can help you troubleshoot your DNS configuration.

DNS was successfully queried for the service location (SRV) resource record
used to locate a domain controller for domain cvl:

The query was for the SRV record for _ldap._tcp.dc._msdcs.cvl

The following domain controllers were identified by the query:

dc-001.corp
dc-002.corp

Common causes of this error include:

- Host (A) records that map the name of the domain controller to its IP
  addresses are missing or contain incorrect addresses.

- Domain controllers registered in DNS are not connected to the network or are
  not running.

For information about correcting this problem, click Help.
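The two suspicions raised in this thread, DNS (Brian) and path MTU across the VPN (Roger), turned into an added Python diagnostic. This is an added example, not code from the thread or from any list member; it assumes the DC locator error text has the layout shown above, that `ping` prints `TTL=` on a successful reply (Windows `ping -f -l`, Linux `ping -M do -s`), and an IPv4 path where the IP and ICMP headers add 28 bytes to the probe payload. The resolver and probe are injectable so the logic can be exercised offline with the constructed sample.

```python
"""Added example (not from the thread): check the DCs named in a DC locator
error for A records, then probe the path MTU toward each one that resolves."""
import re
import socket
import subprocess
import sys
from typing import Callable, Dict, List, Optional

# Constructed sample: the locator error from the thread, hostnames one per line.
SAMPLE_ERROR = """\
DNS was successfully queried for the service location (SRV) resource record
used to locate a domain controller for domain cvl:

The query was for the SRV record for _ldap._tcp.dc._msdcs.cvl

The following domain controllers were identified by the query:

dc-001.corp
dc-002.corp

Common causes of this error include:
"""

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header (assumed IPv4 path)


def parse_locator_error(text: str) -> Dict[str, object]:
    """Extract the SRV name that was queried and the DC host names it returned."""
    srv = re.search(r"SRV record\s+for\s+(\S+)", text)
    dcs: List[str] = []
    block = re.search(r"identified by the query:\s*(.*?)\n\s*\n\s*Common causes", text, re.S)
    if block:
        dcs = block.group(1).split()
    return {"srv": srv.group(1) if srv else None, "dcs": dcs}


def dns_lookup(host: str) -> Optional[str]:
    """A-record lookup that returns None instead of raising when the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def resolve_all(hosts: List[str],
                resolver: Callable[[str], Optional[str]] = dns_lookup) -> Dict[str, Optional[str]]:
    """Map each DC name to its address; None marks a missing or wrong A record."""
    return {host: resolver(host) for host in hosts}


def ping_df_probe(host: str, payload: int) -> bool:
    """One don't-fragment ping carrying `payload` bytes; True if a reply came back."""
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    return "ttl=" in out.lower()


def find_path_mtu(host: str, probe: Callable[[str, int], bool] = ping_df_probe,
                  lo: int = 500, hi: int = 1472) -> Optional[int]:
    """Binary-search the largest DF payload that passes; return it plus header overhead.
    1472 + 28 = 1500, so anything lower means the VPN path is clamping packets.
    Returns None when even the smallest probe fails (host down or ICMP blocked)."""
    if not probe(host, lo):
        return None
    if probe(host, hi):
        return hi + IP_ICMP_OVERHEAD
    while hi - lo > 1:          # invariant: lo passes, hi fails
        mid = (lo + hi) // 2
        if probe(host, mid):
            lo = mid
        else:
            hi = mid
    return lo + IP_ICMP_OVERHEAD


def diagnose(error_text: str, resolver: Callable[[str], Optional[str]] = dns_lookup,
             probe: Callable[[str, int], bool] = ping_df_probe) -> Dict[str, object]:
    """Run both checks and report the items an admin would act on."""
    parsed = parse_locator_error(error_text)
    addresses = resolve_all(parsed["dcs"], resolver)
    unresolved = [h for h, ip in addresses.items() if ip is None]
    mtus = {h: find_path_mtu(h, probe) for h, ip in addresses.items() if ip}
    clamped = {h: m for h, m in mtus.items() if m is not None and m < 1500}
    return {"srv": parsed["srv"], "unresolved": unresolved,
            "path_mtu": mtus, "clamped": clamped}


if __name__ == "__main__":
    # Live run against the names in the pasted error (needs the VPN up).
    print(diagnose(SAMPLE_ERROR))
```

A DC in `unresolved` points at the missing A record the error text warns about; a DC in `clamped` gives the MTU value to set on the box (or justifies disabling PMTU discovery as Roger suggests).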


RE: [ActiveDir] Sysvol and AV exclusions

2005-09-15 Thread Roger Seielstad
Trend Micro's products are fairly robust there too. 



Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, September 14, 2005 11:40 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Sysvol and AV exclusions

The only product I have seen the full exclusion capabilities in is McAfee;
from ePO this can all be configured centrally. With Symantec, paths and file
types can be excluded centrally, but the actual files have to be configured
manually on every DC, thus leading to more donkey work and an increased
scope for error. The only other quirk with Symantec is that it does not
allow for "future" files, that is if it's not there, you can't exclude it.
This was the case up until version 9; 10 I have yet to see. All that being
said, there is an unsupported hack available from Symantec to enable the
centralised mgmt.

Mark


-Original Message-
From: "Tony Murray" <[EMAIL PROTECTED]>
Date: Thu, 15 Sep 2005 14:09:18
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sysvol and AV exclusions

Ah, you mean my expectations are too high.  :-)

As an illustration of the problem, I have attached a screenshot from CA's
eTrust AV product.  I'm not familiar with the product (nor do I wish to be),
but from a quick look it does not appear possible to set the exclusions
according to the 822158 article.  Apart from the potential issue of only
being able to specify a maximum of 16 paths for exclusion, the real problem
is the inability to include subfolders of folders that have been excluded.

I would imagine that a reasonable percentage of the installed base of AD
uses CA's product.  We're probably talking 10s of thousands of organisations
worldwide.  Our local CA representative was unable to provide a CA
recommendation for the exclusion list and suggested we refer to Microsoft's
best practices. 

I guess I'm going to have to come up with a "best efforts" compromise
configuration, combining the recommendations in the 822158 article and the
capabilities of the CA product. 

Tony
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B.
Smith
Sent: Thursday, 15 September 2005 10:07 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sysvol and AV exclusions

You obviously haven't dealt with the Exchange Team enough. 

:-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Wednesday, September 14, 2005 6:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sysvol and AV exclusions

Hi Brett

Thanks for your detailed response.  I see you've also managed to sort out
the formatting of the table in the article.  Oh, what power you wield! :-)

The main issue I have is that the article introduces some "new"
exclusions.  I don't think I'm alone in thinking that the general approach
before this article came out was, "If your AV product is FRS-compliant then
include SYSVOL in scans."  I am fully aware of the effects of a virus being
replicated by SYSVOL, having seen it first-hand.  SYSVOL does a great job of
moving a virus around a network very quickly. :-)  So it's important to scan
SYSVOL (or at least parts thereof).

Going back to the issue, the 822158 article sets out exclusions, but doesn't
indicate why they should be excluded.  In other words, what is the risk of
including them?  This is relevant for at least one major AV product vendor,
which has a (somewhat stupid) low limit on the number of files and folders
that can be excluded on any one server.  I'm also not convinced that the AV
product I'm thinking of can perform the level of granularity of
inclusion/exclusion suggested in the table.

I can sort of understand why the staging areas would be excluded (compressed
files, possibility of locking), but why exclude %systemroot%\sysvol and
%systemroot%\sysvol\sysvol?  I can't see anything in my test environment
that would pose any problems by scanning these folders.

Call me a control freak, but I just don't like seeing a statement such as,
"Do not scan the following files and folders." with no additional
explanation.

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, 13 September 2005 10:47 p.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Sysvol and AV exclusions


The articles should not be inconsistent.
The 822158 does mention 814263 (see bullet 2).

284947 - is how to detect and diagnose excessive FRS replication.
Noting it might be caused by Anti-Virus software.  And mentioning how to
recover.  
It is not SYSVOL specific, it is FRS specific.  But since SYSVOL is an FRS
share, it applies to SYSVOL, if this should happen to your SYSVOL.

814263 - is abo
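Tony's real problem is not the exclusion list itself but whether his product can express it: CA eTrust caps exclusions at 16 paths and cannot re-include a subfolder of an excluded folder, so an overly broad exclusion silently stops scanning the parts of SYSVOL he does want scanned. The following is an added Python example, not code from the thread and not the KB 822158 table; the folder names and product capability models are constructed for illustration, and the real exclusion list should come from the article.

```python
"""Added example (not from the thread and not the KB 822158 table): audit a
DC anti-virus exclusion policy against the product limits described above,
a cap on excluded paths and no way to re-include a subfolder of an
excluded folder. All folder names are constructed for illustration."""
import ntpath
from typing import Dict, Iterable, List, Optional

# Product capability models, assumed from the descriptions in the thread.
PRODUCT_CA_LIKE = {"max_paths": 16, "include_override": False}
PRODUCT_FULL = {"max_paths": None, "include_override": True}   # what the KB table assumes

# Constructed policy: folders to skip, plus subfolders that must stay scanned
# because a virus dropped into SYSVOL replicates to every DC.
POLICY = {
    "exclude": [r"%systemroot%\sysvol", r"%systemroot%\ntfrs\jet"],
    "scan": [r"%systemroot%\sysvol\domain"],
}


def _norm(path: str) -> str:
    """Case-fold and normalise a Windows path so comparisons ignore case and slashes."""
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")


def _deepest_match(path: str, entries: Iterable[str]) -> int:
    """Length of the longest entry that is `path` itself or one of its ancestors; 0 if none."""
    target = _norm(path)
    best = 0
    for entry in entries:
        e = _norm(entry)
        if target == e or target.startswith(e + "\\"):
            best = max(best, len(e))
    return best


def is_excluded(path: str, exclusions: Iterable[str], includes: Iterable[str],
                include_override: bool) -> bool:
    """Exclusions cover the folder and everything beneath it. A more specific include
    entry wins the subtree back only when the product supports include overrides."""
    ex_depth = _deepest_match(path, exclusions)
    if ex_depth == 0:
        return False
    if include_override and _deepest_match(path, includes) > ex_depth:
        return False
    return True


def audit(policy: Dict[str, List[str]], product: Dict[str, object]) -> Dict[str, object]:
    """Report which must-scan folders the product would silently stop scanning,
    and by how much the exclusion list exceeds the product's path limit."""
    exclusions, includes = policy["exclude"], policy["scan"]
    override = bool(product["include_override"])
    unscanned = [f for f in includes if is_excluded(f, exclusions, includes, override)]
    limit: Optional[object] = product["max_paths"]
    over = 0 if limit is None else max(0, len(exclusions) - int(limit))
    return {"silently_unscanned": unscanned, "over_limit_by": over,
            "ok": not unscanned and over == 0}


if __name__ == "__main__":
    print("full-featured product:", audit(POLICY, PRODUCT_FULL))
    print("CA-like product:      ", audit(POLICY, PRODUCT_CA_LIKE))
```

With the full-featured model the policy is fine; with the CA-like model `%systemroot%\sysvol\domain` shows up in `silently_unscanned`, which is exactly the gap worth knowing about before settling on a "best efforts" compromise.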

RE: [ActiveDir] OT: Outsourcing OS Patching

2005-09-15 Thread Roger Seielstad
Why not run something like WSUS (Windows Software Update Services) and
manage it yourselves? Seems kinda silly to outsource that piece.



Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Thursday, September 15, 2005 1:22 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] OT: Outsourcing OS Patching

Group,

Odd question.  I just got out of a meeting with a consulting group that
wants us to outsource the patching of our servers that are not in our data
center (we have a number of servers that are at our remote locations and our
staff is struggling with our patching cycle on these for one reason or
another).

Does anyone know of an outsourcing group that will only do the MS patching
on the servers and let the owners of the boxes do everything else?  

We are looking for a basis of comparison and this consultant said that they
don't have any competitors in this field.  Either people outsource all of
their servers, all of the services or they don't outsource at all.  They
don't know of anyone who only outsources the patching and monitoring of the
boxes.

Thanks,

Charlie
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Kerberos Delegation

2005-09-21 Thread Roger Seielstad
Speaking of being here next week - keep me informed on the activities...

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, September 21, 2005 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Yeah, I'm not sure about that either; at the moment IIS is REALLY ACTING WEIRD.
KEN where are you :P

I had the Share Point website in the IIS MMC specify SPSAppPool (which was an
App pool I created); when I checked the MetaBase.XML file (you know I love
looking at the guts of systems :-) ) it was still specifying DefaultAppPool
(and I mean I had rebooted the server a few times). Also DO NOT RUN:

Cscript adsutil.vbs set w3svc/1/ntauthenticationproviders “Negotiate,NTLM”
Iisreset

I know it seems logical but I KEPT the quotations in there and what it ended up
doing was: ““Negotiate,NTLM””
***Note the double quotes

And all auth was being defaulted to Anonymous (thank heavens for a network
sniffer :-) )

Even though I fixed these issues and I have made sure my Metabase.xml file is
correct with “Negotiate,NTLM” and with the correct App Pool with the correct
user etc, when I run AuthDiag the only “Test Authentication” option I get is
NTLM; the Server Settings Node though specifies “Negotiate,NTLM” for that Site.

When I check my ISA server I STILL see User – Anonymous so I am a bit stumped
at the moment !!!

YEAH it's going to be so cool to meet up with you guys in Redmond next week :-)

C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 10:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hi Carlos

As I said, I'm just starting to look at Kerberos delegation, so take everything
I say with a large pinch of salt.  :-)

Anyway, here's the logic I was following.

If I've understood it correctly, you want the server hosting SharePoint to
authenticate to the ISA server as the end user.  Assuming you want to use
constrained delegation (which is normal) then you need to specify the ISA
Server somewhere in the configuration, because you are limiting (constraining)
the scope of the delegation to the ISA Server.  If you look at the Delegation
tab of an object in ADUC, you will see the section labeled "Services to which
this account can present delegated credentials:"  It would seem logical to me
to have to specify the ISA here.  Now whether you need to configure this
setting in ADUC on the account being used for the identity of the application
pool, or the SharePoint server itself I don't know.

Cheers

Tony

PS.  See you next week :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005 1:38 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hey Tony,

Well can you explain “but wouldn't you also need an SPN for the web service on
the ISA Server?”  I don't understand why; the ISA server is the server that is
needing the authentication to allow the web server to browse the internet.
So to elaborate:

I have a Share Point site; it has a RSS feed web part. This web part is
requesting a RSS feed, for example
http://www.dirteam.com/blogs/carlos/default.aspx. Now I monitor on the ISA 2004
server and I see the web server trying to access the internet with the user
specified = Anonymous. The delegation is so that the user viewing the Share
Point site (hence calling the RSS web part) will be the user credentials passed
to the ISA server to be able to browse the internet.

That's why I don't see why we need to register a SPN for the ISA server?

Thanks
C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 01:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hi Carlos

I'm just starting to look at Kerberos delegation for something myself, but
wouldn't you also need an SPN for the web service on the ISA Server?  And then
specify that service in the delegation tab on the user object?

Cheers
Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Tuesday, 20 September 2005 9:31 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Delegation

Hey all,

Ok late at night here and I've hit a mental block (don't laugh Dean). I have
set this up like a gazillion times but this time can't get it to work.

Environment:

Windows 2003 Native Forest Mode – All clients Windows XP SP2 and above

Single forest single domain setup

Web Server – Windows Server 2003 Web Edition
Share Point Team Services installed.

That site has a web part that requires Kerb delegation for access to a ISA
firewall in order to stream RSS feeds. I can see on the ISA server that when
ever any user hits the site the HTTP reques

RE: [ActiveDir] Kerberos Delegation

2005-09-21 Thread Roger Seielstad
So have you granted domain\IISServer$ access through ISA?

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, September 21, 2005 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Well I have some screen shots for you of AuthDiag and of wfetch; if you don't
mind I can send it to you offline.

This is the weird part: if I use wfetch to connect using Anonymous as
authentication I get the web page requested.

If I specify any other auth type i.e. NTLM or Kerberos I get a ISA server page
telling me I am not authorized to view this page.

With anonymous connection I get:
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

With a specified auth type I don't get any of that (The screen shots explain)

AuthDiag still only reports Test Authentication NTLM NO Kerberos.

I still have a copy of the old Metabase.xml to prove that it was storing the
incorrect settings when IIS MMC was showing something else…..

Let me know if I can ping the screen shots to you.

Thanks Ken, am I going to get to see you at Redmond?
C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: 21 September 2005 03:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Odd.

If you use WFetch (it's in the IIS6 Res Kit) or just plain telnet, and request
a page, what WWW-Authenticate headers are coming back? You should see:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

(basically the webserver sends back a list of the auth mechanisms it supports,
and the browser picks the first one in the list that it supports). If you are
only seeing the NTLM option, then something's up with IIS or Sharepoint. If you
are seeing both, then AuthDiag is lying to you.

Cheers
Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Yeah, I'm not sure about that either; at the moment IIS is REALLY ACTING WEIRD.
KEN where are you :P

I had the Share Point website in the IIS MMC specify SPSAppPool (which was an
App pool I created); when I checked the MetaBase.XML file (you know I love
looking at the guts of systems :-) ) it was still specifying DefaultAppPool
(and I mean I had rebooted the server a few times). Also DO NOT RUN:

Cscript adsutil.vbs set w3svc/1/ntauthenticationproviders “Negotiate,NTLM”
Iisreset

I know it seems logical but I KEPT the quotations in there and what it ended up
doing was: ““Negotiate,NTLM””
***Note the double quotes

And all auth was being defaulted to Anonymous (thank heavens for a network
sniffer :-) )

Even though I fixed these issues and I have made sure my Metabase.xml file is
correct with “Negotiate,NTLM” and with the correct App Pool with the correct
user etc, when I run AuthDiag the only “Test Authentication” option I get is
NTLM; the Server Settings Node though specifies “Negotiate,NTLM” for that Site.

When I check my ISA server I STILL see User – Anonymous so I am a bit stumped
at the moment !!!

YEAH it's going to be so cool to meet up with you guys in Redmond next week :-)

C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 10:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hi Carlos

As I said, I'm just starting to look at Kerberos delegation, so take everything
I say with a large pinch of salt.  :-)

Anyway, here's the logic I was following.

If I've understood it correctly, you want the server hosting SharePoint to
authenticate to the ISA server as the end user.  Assuming you want to use
constrained delegation (which is normal) then you need to specify the ISA
Server somewhere in the configuration, because you are limiting (constraining)
the scope of the delegation to the ISA Server.  If you look at the Delegation
tab of an object in ADUC, you will see the section labeled "Services to which
this account can present delegated credentials:"  It would seem logical to me
to have to specify the ISA here.  Now whether you need to configure this
setting in ADUC on the account being used for the identity of the application
pool, or the SharePoint server itself I don't know.

Cheers

Tony

PS.  See you next week :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005 1:38 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hey Tony,

Well can you explain “but wouldn't you also need an SPN for the web service on
the ISA Server?”  I don't understand why; the ISA server is the server that is
needing the authentication to allow the web server to browse the internet.
So to elaborate:

I
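Three of the points argued across this thread can be turned into checks: Ken's description of how the client picks from the WWW-Authenticate headers (Kerberos is only reachable through Negotiate, so an NTLM-only 401 rules delegation out), Carlos's doubled-quote NTAuthenticationProviders value, and Roger's observation in his later reply that an app pool running as Network Service presents the computer account (domain\IISServer$) on the wire, which is the account whose delegation list then matters. The following is an added Python example, not code from the thread or from IIS/ISA; the 401 responses, account names and SPN are constructed.

```python
"""Added example (not from the thread): checks for the IIS-to-ISA Kerberos
delegation problem discussed above. Sample headers, accounts and SPNs are
constructed for illustration."""
from typing import Dict, Iterable, List, Optional

# Constructed 401 responses, as WFetch or telnet would show them.
RESPONSE_BOTH = [
    "HTTP/1.1 401 Unauthorized",
    "WWW-Authenticate: Negotiate",
    "WWW-Authenticate: NTLM",
    "Content-Length: 0",
]
RESPONSE_NTLM_ONLY = ["HTTP/1.1 401 Unauthorized", "WWW-Authenticate: NTLM"]

# Schemes a Windows client will use, in its own order of preference.
CLIENT_SUPPORTED = ["Negotiate", "NTLM"]
# The only values IIS 6 accepts in NTAuthenticationProviders.
KNOWN_PROVIDERS = {"Negotiate", "NTLM"}


def offered_schemes(response_lines: Iterable[str]) -> List[str]:
    """Auth schemes the server advertises, in the order it sent them."""
    schemes: List[str] = []
    for line in response_lines:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        scheme = value.strip().split(" ", 1)[0]   # "Basic realm=..." -> "Basic"
        if scheme and scheme not in schemes:
            schemes.append(scheme)
    return schemes


def chosen_scheme(response_lines: Iterable[str],
                  supported: Iterable[str] = CLIENT_SUPPORTED) -> Optional[str]:
    """The client takes the first server-offered scheme it supports (Ken's description)."""
    for scheme in offered_schemes(response_lines):
        if scheme in supported:
            return scheme
    return None


def kerberos_possible(response_lines: Iterable[str]) -> bool:
    """Kerberos tickets travel inside Negotiate; NTLM-only means no Kerberos, so no delegation."""
    return "Negotiate" in offered_schemes(response_lines)


def check_nt_auth_providers(value: str) -> Dict[str, object]:
    """Validate a metabase NTAuthenticationProviders string such as Negotiate,NTLM.
    Quoting the value on the adsutil command line stores the quote characters too,
    so the providers IIS sees are '"Negotiate' and 'NTLM"', which it does not know."""
    providers = [p.strip() for p in value.split(",") if p.strip()]
    problems: List[str] = []
    for p in providers:
        if '"' in p:
            problems.append(f"stray quote in provider {p!r}")
        elif p not in KNOWN_PROVIDERS:
            problems.append(f"unknown provider {p!r}")
    if "Negotiate" not in providers:
        problems.append("Negotiate missing: Kerberos cannot be negotiated")
    return {"providers": providers, "problems": problems, "ok": not problems}


def delegating_principal(app_pool_identity: str, computer_account: str) -> str:
    """Network Service has no domain identity of its own; on the network it is the
    computer account, so that is the account ISA sees and whose delegation list counts."""
    ident = app_pool_identity.strip().lower()
    if ident in {"network service", "networkservice", "nt authority\\network service"}:
        return computer_account
    return app_pool_identity


def constrained_delegation_allowed(allowed_to_delegate_to: Iterable[str], target_spn: str) -> bool:
    """Constrained delegation works only if the target service's SPN is on the
    delegating account's list (the Delegation tab in ADUC; SPNs compare case-insensitively)."""
    return target_spn.lower() in {spn.lower() for spn in allowed_to_delegate_to}


if __name__ == "__main__":
    print("client picks:", chosen_scheme(RESPONSE_BOTH), "| Kerberos possible:", kerberos_possible(RESPONSE_BOTH))
    print("metabase value check:", check_nt_auth_providers('"Negotiate,NTLM"'))
    who = delegating_principal("NT AUTHORITY\\NETWORK SERVICE", "CORP\\IISSERVER$")  # constructed names
    print("delegating as:", who, "| allowed:",
          constrained_delegation_allowed(["HTTP/isa.corp.example"], "HTTP/isa.corp.example"))
```

Run against a real 401 captured with WFetch or telnet, `kerberos_possible` answers Ken's question directly; `check_nt_auth_providers` catches the quoting mistake before it reaches the metabase; and `delegating_principal` shows why Roger asks about domain\IISServer$ rather than a user account.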

RE: [ActiveDir] disabling users

2005-09-21 Thread Roger Seielstad
Monad docs are really not out in any sort of usable context right now.
Especially since Microsoft released a new beta at PDC this month and it's a
whole lot different than the previous version (different as in better). 



Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, September 21, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] disabling users

Tom

I think you should also consider Python. It has the following features.
1. Works well with Windows
2. Very large functionality out of the box
3. Multi platform (Windows, Mac, Linux, Unix, Palm, etc.)
4. Simple to learn - straightforward, non-cryptic syntax
5. Very well supported
6. GUIs available

Inevitably one has to know VBScript as well because it is so widely used and
most  Windows scripting is done in VBScript.

By the way does anyone know where Monad documentation can be found?

Peter Jessop
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] disabling users

2005-09-21 Thread Roger Seielstad
Honestly, I'd avoid perl like the plague. It's about the least readable
language on the planet - especially if you haven't touched a script for a few
months.
As was already suggested, python is a pretty good cross platform option.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 21, 2005 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] disabling users

You don't think one can get by in IT with just one lang?
Can't you do everything in perl that you can do in VBScript and then some?
I'm sure you can get by on windows with just perl.
I'm in a multi platform environment and frankly I just don't have the time
to learn both VBScript and perl.
I would end up just knowing both a little and badly.
My brain can't keep jumping from one to the other and in scripting, if you
don't use one lang for a while, you forget it.
In which case I'd just end up bugging you guys on this list again for
examples.
I'd like to get to the point where I can do it myself and trying to learn
both will never work for me.
I have a hard enough time keeping as much as I can about windows and AD and
exchange and some linux stuff in my head.
2 scripting langs will make my head explode. I'll never remember them at
all.
I just need to learn one and devote myself to learning it well instead of
being a scripting jack of all trades and master of none.

As to perl books, then where can one learn COM on perl?

Thanks a lot guys!

On 9/21/05, Brian Desmond <[EMAIL PROTECTED]> wrote:

  Joe Richards might know some Win32 Perl resources.

  VBScript isn't that hard, really. If you know the COM & ADSI stuff for Perl
  as far as methods, names, etc, it's just a different syntax for using it.
  VBScript you have the advantage of the technet scriptcenter which has
  examples complete enough to copy and paste together and run.

  I'm not a CS major either, I don't even have any formal training in this
  field. The only things I've been taught in a classroom are how to read,
  write, and do some math. Everything I know I learnt going to work everyday
  and doing new things, asking questions here and there around this list and
  other places. I realized I needed to learn VBScript and so I started
  tackling projects with VBScripts, and with a bit of work I got to be pretty
  good at it. I still need a copy of the platform sdk on my other monitor to
  remember methods, parameters, etc, but I know the syntax. That said, if I'm
  feeling lazy I still go and piece things together with scriptcenter
  snippets.

  My point here is that it would probably be long term beneficial to you to
  at least be able to do simple things in VBScript like read a file, run an
  external command, etc. As I said in my first message, if you post what you
  have, I'll try and edit it as an example for you.

  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]

  c - 312.731.3132

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
  Sent: Wednesday, September 21, 2005 4:30 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] disabling users

  I only have time to learn one scripting lang. I figured perl is the better
  way to go as I have to work with linux and solaris as well. Know of any
  good docs, books, sites on perl and COM+ or adsi? Something that will teach
  you both like the VBScript resources do?

  I really think there is a market for perl and AD/win32 out there that is
  untapped. O'Reilly has let most of their win32 perl books become outdated
  and stop at Win NT as has Dave Roth.

  I'm not a programmer and I don't have time to learn multiple scripting
  langs, so I always thought perl would be the best way to go. I find it as
  approachable as VBScript but unlike VBScript, I don't find many resources
  for using it on win32 systems.

  I'm afraid learning perl and working with windows might be an uphill
  battle. Are there resources for teaching you how to use perl with cdo, wmi,
  adsi, ado, etc? I'm not a total newbie to perl, I've used it on linux but
  I've never really done much on windows with activestate. And as I've said,
  I'm not a programmer and I didn't major in comp sci, so a lot of this stuff
  is not second nature to me and hasn't been pounded in for years. So jumping
  from lang to lang for me is not really an option.

  thanks

  -Original Message-
  From: Brian Desmond [mailto:[EMAIL PROTECTED]]
  Sent: Wed 9/21/2005 2:46 PM
  To: ActiveDir@mail.activedir.org
  Cc:
  Subject: RE: [ActiveDir] disabling users


RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Roger Seielstad



By default, the IIS app pool and (I believe) sharepoint 
both run under Network Service. Therefore, when Sharepoint makes the request 
outbound, it will be making it within the context of the NetworkService account, 
which means its going to present the server's domain 
credentials.
 
Roger SeielstadE-mail Geek 
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Ken 
SchaeferSent: Wednesday, September 21, 2005 11:45 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Kerberos 
Delegation


Could I ask why he’d 
need to do that?
 
Cheers
Ken
 





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Roger 
SeielstadSent: Thursday, 22 
September 2005 4:23 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Kerberos 
Delegation
 
So have you granted 
domain\IISServer$ access through ISA?

 
Roger 
SeielstadE-mail Geek 

 
 



From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Carlos 
MagalhaesSent: Wednesday, 
September 21, 2005 8:16 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Kerberos 
Delegation
Well I have some screen 
shots for you of AuthDiag and of wfetch, if you don’t mind I can send it to you 
offline.
 
This is the weird part, 
if I use wfetch to connect using Anonymous as authentication I get the web page 
requested. 
 
If I specify any other 
auth type i.e. NTLM or Kerberos I get a ISA server page telling me I am not 
authorized to view this page.
 
With anonymous 
connection I get:
WWW-Authenticate: 
Negotiate
WWW-Authenticate: 
NTLM
 
With a specified auth 
type I don’t get any of that (The screen shots 
explain)
 
AuthDiag still only 
reports Test Authentication NTLM NO Kerberos.
 
I still have a copy of 
the old Metabase.xml to prove that it was storing the incorrect settings when 
IIS MMC was showing something else…..
 
Let me know if I can 
ping the screen shots to you.
 
Thanks Ken, am I going 
to get to see you at Redmond?
C
 
 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: 21 September 2005 03:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation
 
Odd.
 
If you use WFetch (it’s 
in the IIS6 Res Kit) or just plain telnet, and request a page, what 
WWW-Authenticate headers are coming back? You should 
see:
 
WWW-Authenticate: 
Negotiate
WWW-Authenticate: 
NTLM
 
(basically the 
webserver sends back a list of the auth mechanisms it supports, and the browser 
picks the first one in the list that it supports). If you are only seeing the 
NTLM option, then something’s up with IIS or Sharepoint. If you are seeing both, 
then AuthDiag is lying to you.
 
Cheers
Ken
 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation
 
Yeah, I'm not sure about that either. At the moment IIS is REALLY ACTING WEIRD. 
KEN, where are you :P
 
I had the Share Point website in the IIS MMC specify SPSAppPool (which was an 
App pool I created). When I checked the MetaBase.XML file (you know I love 
looking at the guts of systems :) ) it was still specifying DefaultAppPool 
(and I mean I had rebooted the server a few times). Also, DO NOT RUN: 
 
Cscript adsutil.vbs set w3svc/1/ntauthenticationproviders “Negotiate,NTLM”
Iisreset
 
I know it seems logical 
but I KEPT the quotations in there and what it ended up doing was: 
““Negotiate,NTLM”” 
***Note the double quotes
 
And all auth was being defaulted to Anonymous (thank heavens for a network 
sniffer :) )
 
Even though I fixed 
these issues and I have made sure my Metabase.xml file is correct with 
“Negotiate,NTLM” and with the correct App Pool with the correct user etc, 
 when I run AuthDiag the only “Test Authentication” option I get is NTLM, 
the Server Settings Node though specifies “Negotiate,NTLM” for that Site. 

 
When I check my ISA 
server I STILL see User – Anonymous so I am a bit stumped at the moment 
!!!
 
YEAH, it's going to be so cool to meet up with you guys in Redmond next week :)
 
C
 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 10:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation
 
Hi 
Carlos
 
As I said, I'm just 
starting to look at Kerberos delegation, so take everything I say with a large 
pinch of salt.  :-)
 
Anyway, here's the 
logic I was following.
 
If I've understood it 
correctly, you want the server hosting SharePoint to authenticate to the ISA 
server as the end user.  Assuming you want to use constrained delegation 
(which is normal) then you need to specify the ISA Server somewhere in the 
configuration, because you are limiting (constraining) the scope of the 
delegation to the ISA Server.  If you look at the Delegation tab of an 
object in ADUC, you will see the section labeled "Services to which this account 
can presen
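Ken's point above (the server advertises its auth mechanisms in WWW-Authenticate headers and the client picks the first it supports) and Carlos's adsutil quoting mishap both come down to inspecting two strings. The following is an added example, not code from the thread: it parses the challenge headers a 401 carries, as WFetch or telnet would show them, and validates an NTAuthenticationProviders value before it goes into the metabase. The HTTP responses are constructed samples.

```python
"""Added example (not code from the thread): parse the WWW-Authenticate
challenges a site returns and sanity-check an NTAuthenticationProviders
string. The responses below are constructed, not captured."""

# Constructed responses standing in for what an IIS6 server would send.
RESPONSE_BOTH = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
RESPONSE_NTLM_ONLY = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
RESPONSE_ANONYMOUS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_response(raw):
    """Return (status_code, [auth schemes]) from a raw HTTP response.

    Each WWW-Authenticate header carries one scheme, optionally followed by
    a challenge token; only the scheme name is kept, in server order."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            schemes.append(value.strip().split(None, 1)[0])
    return status, schemes


def diagnose(raw):
    """Classify the challenge the way the thread reasons about it."""
    status, schemes = parse_response(raw)
    offered = [s.lower() for s in schemes]
    if status != 401:
        # Served without a challenge: anonymous access satisfied the request.
        return "no-challenge"
    if "negotiate" in offered:
        # SPNEGO is on the list, so Kerberos can be tried before NTLM.
        return "negotiate-offered"
    if offered == ["ntlm"]:
        # Only NTLM advertised: look at NTAuthenticationProviders on the site.
        return "ntlm-only"
    return "other"


def check_ntauth_providers(value):
    """Validate an NTAuthenticationProviders string.

    Returns (ok, providers, problem). Literal quote characters in the
    stored value are the mistake described in the thread."""
    stripped = value.strip()
    if any(q in stripped for q in ('"', "\u201c", "\u201d")):
        return False, [], "quote characters stored literally in the value"
    providers = [p.strip() for p in stripped.split(",") if p.strip()]
    unknown = [p for p in providers if p not in ("Negotiate", "NTLM")]
    if unknown:
        return False, providers, "unknown provider(s): " + ", ".join(unknown)
    if "Negotiate" not in providers:
        return False, providers, "Negotiate absent: clients can only use NTLM"
    return True, providers, ""
```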

RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Roger Seielstad



I know next to nothing about ISA. The last time I touched it, it was still 
called MS Proxy 2.0. I'm assuming there's a security group somewhere that is 
used to control who can do what through the ISA server. Actually, I know there 
is because I'm part of one at work (I just don't know how to configure it). See 
my response to Ken as to why this would be necessary...
 
Roger Seielstad
E-mail Geek
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Thursday, September 22, 2005 2:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation


Hmmm, explain a little 
more where you would grant this access ….
 
Thanks 

Carlos
 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: 22 September 2005 08:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation
 
So have you granted 
domain\IISServer$ access through ISA?

 
Roger Seielstad
E-mail Geek

 
 




RE: [ActiveDir] dns suffix search list

2005-09-22 Thread Roger Seielstad
I believe you can do it through WMI, but I don't have any of that code
handy. 



Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, September 22, 2005 11:06 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dns suffix search list

I know this was discussed on the list earlier(can't seem to find it), but is
this article correct and are these the only ways to programmatically alter
the dns suffix search list?
http://support.microsoft.com/kb/q275553/
 
 
Is there an easy way to do this for many computers, say from a text file?
 
Thanks
.+-wmibb+?KE0+v*?.+-jq.+-j!ij)j!ribb4-

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] SBS migration (was SBS Server Question)

2005-09-22 Thread Roger Seielstad
The bigger trick is getting yourself a client cert to get on Corpnet
wireless 



Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 22, 2005 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)

Very Cool.  I would love to see that list :-)

Wireless aircard and a tablet PC...you just gotta bring your own
connectivity that's all.

See ya next week!

Michael B. Smith wrote:

>I'm an Exchange MVP. We were invited to come up with a list of "why we 
>hate to support SBS" about a month ago for submission to the SBS 
>product team (apparently one of "our" product managers is across the 
>hall from one of "your" product managers). I think we came up with 11 
>specific items dealing mainly with Exchange/User management and the 
>integration of ISA/RRAS. I'll see if I archived the list.
>
>I think the groups and the mailing lists are gonna be really quiet next 
>week, with little connectivity on campus for us!
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
>CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Thursday, September 22, 2005 4:31 PM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)
>
>Amen brother.
>
>I wish though you would be more specific though as I just happen to be 
>meeting with some folks next week and would love the inside from big 
>server land.  [Please feel free to ping me directly]
>
>Our OU structure sucks.  We know that.  But ...boy ... you ain't 
>ripping my fingers off RWW or my monitoring email.  :-)

RE: [ActiveDir] SBS migration (was SBS Server Question)

2005-09-22 Thread Roger Seielstad
Actually, I don't think it's a religious issue. The problem with SBS is that
it's not really the amalgam of Microsoft technologies that it's billed as,
and as such you can't administer it as you would with all the same apps in a
non-SBS implementation.

It's a neat package overall, but the requirement to do the wizard thing
makes it hard for people like us to deal with it.



Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, September 22, 2005 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SBS migration (was SBS Server Question)

And that is a real difficulty.

The wizards should integrate seamlessly. Or the other tools should integrate
seamlessly. Take your pick.

I've got a couple of hundred client companies, probably 3 or 4 use SBS.
I HATE touching the SBS clients because it's a fair bet there is a wizard
for something that I'm not going to use a wizard for, because I can use one
of my scripts or a native tool and do it quicker. (You can argue that
someone that knows the wizards can do it more quickly with them -- and
that's fine -- but I don't, and shouldn't have to.)

It's a religious issue.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 22, 2005 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)

Difficulty?



What difficulty?  [please feel free to take this offline] the only difficult
issues we have in SBSland is cleaning up the messes from folks that don't
follow the wizards

[EMAIL PROTECTED] wrote:

>Thanks!  This must be SBS Week.  Was at a user's group meeting last
>night and the topic came up again. (Main topic was R2)  Sounds like
>Microsoft is getting the message about the difficulty of working with SBS.
>
>Al Maurer
>Service Manager, Naming and Authentication Services IT | Information 
>Technology Agilent Technologies
>(719) 590-2639; Telnet 590-2639
>http://activedirectory.it.agilent.com
>--
>"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius
>Caesar III i.
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
>CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Tuesday, September 20, 2005 1:57 PM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)
>
>Transition pack or www.sbsmigration.com
>
>Transition pack is the best way however lets you keep the Remote web 
>workplace and monitoring email even after you break away from SBSland.
>
>[EMAIL PROTECTED] wrote:
>
>  
>
>>OK, since the topic came up:  I'm trying to figure out how to migrate
>>off SBS2003.
>>
>>Scenario is a recent acquisition where we want to migrate from company
>>SBS to corporate AD (standard 2003 domain).  Trusts are out.  Hack is both
>>dangerous and illegal.
>>
>>MS offers a Transition Pack (for a cost) to upgrade the SBS2003 to
>>normal AD.  Is there any other way?  LDIF export?
>>
>>Thanks,
>>AL
>>
>>Al Maurer
>>Service Manager, Naming and Authentication Services IT | Information 
>>Technology Agilent Technologies
>>(719) 590-2639; Telnet 590-2639
>>http://activedirectory.it.agilent.com
>>--
>>"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius
>>Caesar III i.
>>
>>
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
>>Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>>Sent: Wednesday, September 14, 2005 12:06 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: Re: [ActiveDir] SBS Server Question
>>
>>Nope.  No trusts, no forests.  We're the spoiled only PDC that must 
>>hold all the FSMO roles.  We can do some funky stuff with pass through
>>authentication, but no trusts.
>>
>>US versus THEM:
>>http://www.sbslinks.com/Us_v_them.htm
>>
>>In SBS 2000/2003 the 'correct' terminology is Yes, an 'additional 
>>domain controller' is supported and not calling it a BDC.
>>
>>Member servers are covered by the SBS cals but last I read in the PUR 
>>the additional DC would need server cals.  [that's my interpretation 
>>anyway but I get a headache reading that doc in the first place]
>>
>>Honestly ...keep in mind that with XPs, they will used cached 
>>credentials and you can log into that profile even if the net

RE: [ActiveDir] SBS migration (was SBS Server Question)

2005-09-24 Thread Roger Seielstad
The "manual" issue comes down to scale. Without going into too much detail,
my current team (5 engineers including myself) manage 1000 application
servers. Obviously, the concept of using a wizard to configure things there
wouldn't work. That's where all the scripting and command line tools come
into play.

With regards to CALs, the license tracking functionality outside of SBS is,
well, broken. It's never worked right. I can't remember all the specifics,
but basically it's nearly impossible for individual machines to not be counted
multiple times. Effectively if you have 100 machines, it was possible to get
a report of there being >200 CALs in use. One of the many reasons I force
disable the LicenseLogging service.



Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley
Sent: Thursday, September 22, 2005 10:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)

Trust me... it's a religious thing  :-)

Those of us that have the religion of SBS don't see a problem with the
wizards .:-)

We're looking to start a support group for former Enterprise Admins who are
now SBSers: http://msmvps.com/bradley/archive/2005/07/27/59808.aspx

I'll be honest with you ... the first time I set up 'normal' server and
'normal' exchange I was extremely surprised how much manual stuff you guys
do in big server land.  Forestprep and all that.  The next thing I was
absolutely flabbergasted about was how they trust you on the number of cals.
'You just stick in a number there?  And they trust you to be honest? Wow.'
Blew me away.

Actually it's near impossible to get WSS [sharepoint] on a same box as
Exchange anyway.  There are a couple of folks that tried and finally gave
up.


RE: [ActiveDir] GPO Restricted Groups gotchas ?

2005-09-24 Thread Roger Seielstad



Actually, the ideal would be the option to append or 
override.
 
Sometimes you don't care if others are in a specific group, as long as a 
specific set of accounts/groups are in that group. Case in point is IT shops 
where the user is granted/required to have local admin. Ideally, you'd set 
that user, plus your IT support staff, as local admin. Without having the 
option to append, all you can do is override, which means that one user is 
then out.
 
Roger Seielstad
E-mail Geek
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Friday, September 23, 2005 2:42 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GPO Restricted Groups gotchas ?

But then it defeats the purpose of a restricted group, as you want to be sure 
that only known members are part of the restricted group. If the operation is 
merge, then it is not restricted by definition? 
When you ask for merge or append, you are doing some group membership 
modification. You had better use some scripts for that.
 
I would suggest creating a separate group of those app servers, and applying 
group policy with the restricted group populated as you want.
Make sure the Group Policy applies to that group of app servers only. It is a 
must that you remove the "Authenticated Users" group from the group policy 
security.
 
On 9/23/05, Mark Parris <[EMAIL PROTECTED]> wrote: 

  
  The biggest gotcha is that any existing group memberships for groups managed 
  by the restricted group policy are overridden by the restricted group policy 
  – this is my biggest gripe, I wish they would merge\append. 
   
  Mark
   
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
  Sent: 23 September 2005 06:36
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] GPO Restricted Groups gotchas ?
  
   
  I would like to use restricted groups policies to specify local 
  Administrative access to application servers. I am sure this has already 
  been tried. I would like to know how this worked or did not work for those 
  who have tried it, and were there any unexpected gotchas that happened? 
  Thank you! And have a nice day!

  Mark Lunsford
  KAISER PERMANENTE
  --
  ~~~"Fortune and Love befriend the bold"~~~
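The override-versus-append question in this thread is easiest to see on a concrete membership list. The following is an added example, not code from any of the posters: it reads the Members entry for the local Administrators group as a Restricted Groups setting is stored in a GPO's GptTmpl.inf, reads the current membership as `net localgroup administrators` prints it, shows who an override drops, and provides the drift check you would run between refreshes if you went the scripted-append route instead. The inf fragment, command output, SIDs and account names are constructed placeholders.

```python
"""Added example (not code from the thread): what a Restricted Groups
"Members of this group" entry does to an existing local Administrators
group, an append-style alternative, and a drift check to run between
refreshes. The GptTmpl.inf fragment, 'net localgroup' output, SIDs and
account names are constructed placeholders."""

# Constructed [Group Membership] section of a GPO's GptTmpl.inf; a leading '*'
# marks a SID. S-1-5-32-544 is the built-in Administrators group.
GPTTMPL_INF = """[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,*S-1-5-21-1111-2222-3333-512,EXAMPLE\\IT Support
"""

# Constructed 'net localgroup administrators' output from a target server.
NET_LOCALGROUP_OUT = """Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
EXAMPLE\\Domain Admins
EXAMPLE\\jdoe
The command completed successfully.
"""

# Constructed SID-to-name table standing in for a LookupAccountSid call.
SID_NAMES = {"*S-1-5-21-1111-2222-3333-512": "EXAMPLE\\Domain Admins"}


def parse_restricted_members(inf_text):
    """Map each '<group>__Members' key under [Group Membership] to its member set."""
    policy, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[Group Membership]"
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not (in_section and sep and key.endswith("__Members")):
            continue
        group = key[: -len("__Members")]
        policy[group] = {m.strip() for m in value.split(",") if m.strip()}
    return policy


def resolve(members):
    """Translate starred SIDs to names where the table knows them."""
    return {SID_NAMES.get(m, m) for m in members}


def parse_net_localgroup(output):
    """Return the members listed by 'net localgroup <group>'."""
    members, in_list = [], False
    for line in output.splitlines():
        if line.startswith("----"):
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list and line.strip():
            members.append(line.strip())
    return members


def override(current, required):
    """Restricted Groups semantics: membership is replaced. Returns (new, dropped)."""
    new = set(required)
    return new, set(current) - new


def append(current, required):
    """The append behaviour asked for in the thread: keep existing, add required."""
    return set(current) | set(required)


def drift(current, required, tolerated=frozenset()):
    """Detection for the append case, to run between restarts: required
    accounts that have gone missing, and members neither required nor tolerated."""
    cur, req = set(current), set(required)
    return {"missing": req - cur, "unexpected": cur - req - set(tolerated)}
```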


RE: [ActiveDir] Domain Controller Security

2005-09-24 Thread Roger Seielstad
That's really what a TAM's job is. They're supposed to be advocates for
their customer within Microsoft. If they're not beating down (virtual) doors
within MS to get issues resolved for their customer, they're failing at what
they get paid to do... 



Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, September 23, 2005 3:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

Yep it is very hit and miss. Sort of the same with MCS and PSS folks and
honestly any consultants or support folks anywhere. There are good ones, not
so good ones, and those that couldn't get a job anywhere else.

My favorite TAM/PSS/MCS/CONSULTANT/SUPPORT folks are the ones that can
proudly say, I don't know, but I will try to find out.


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cace, Andrew
Sent: Friday, September 23, 2005 6:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

We have a great TAM.  The guy is extremely knowledgeable on a wide variety
of MS products.  What he doesn't know, he knows who to get in touch with in
Las Colinas to get the right answers fast.  That's why I was shocked when I
went to some MS training on MIIS in San Jose, and heard the technical people
in the class bagging on TAMs and how non-technical they tend to be. 

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, September 23, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

Which on the whole you may find to be far more helpful than most TAMs you
might have gotten...

Not trying to be mean, but I haven't had the greatest luck with TAMs. There
have been two in ten years that I can think of off the top of my head that I
liked (hey Efrem, hey Michelle) and I still beat the crap out of them when I
had them available. Generally, IMO, a TAM is a person who tells you what you
can't have even if they don't know what you are asking for. 
 
I once talked about looking into a TAM position and a high level MCS manager
who had been trying to get me to join MS for I don't know how long told me
(he was drunk at the time), hell no, you are far too technically gifted to
be a TAM... 


Just a thought though mom, you guys in SBS land seem to stick together
pretty well. I wonder if you could form a union with all of the SBS crazies
(and I say that lovingly) and have dues and such and then get a joint
Premier Support Account for all of you together and funnel issues up through
it. 

   joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Friday, September 23, 2005 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security

Us in SBSland have newsgroups and MVPs.



Brian Desmond wrote:

> Technical Account Manager. When you spend ample money with MS, you 
> get one of these. I think a PSS contract is enough to have one.
> They're sort of your MS/Customer bridge.
>
> Thanks,
> Brian Desmond
>
> [EMAIL PROTECTED]
>
> c - 312.731.3132
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
> Sent: Friday, September 23, 2005 12:26 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Domain Controller Security
>
> Excuse my ignorance, but what is a TAM?
>
> Dan
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of ASB
> Sent: Friday, September 23, 2005 5:46 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Domain Controller Security
>
>>>And knowing it, I can always take extra precautions.
>
> The knowing it consists of "don't do it, because you can't secure it"
>
> There are no extra precautions to take. Certainly, you can increase 
> your auditing, but you could do that now without knowing anything else.
>
>>>basically, 25% more prepared and secure against this type of attack
> is better than 0%.
>
> The more people that know, the higher the potential of attack. And, as 
> folks have pointed out, since there are no viable workarounds, it 
> doesn't help anyone to have the number of potential attackers increased.
>
> Call your TAM and see if he or she will provide enough details for you 
> to feel comfortable.
>
> -ASB
>
> FAST, CHEAP,

RE: [ActiveDir] Applications that extend the schema...

2005-09-24 Thread Roger Seielstad
Applications should never, and I mean NEVER, be trusted to auto update the
schema as necessary.

I'd expect schema modifications to be handled as a one off,
quasi-interactive process. Quasi-interactive meaning a human logs in with an
account holding the appropriate permissions and does the modification. 



Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, September 23, 2005 7:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Applications that extend the schema...

Given the # of variations that may exist in AD deployments, anywhere from a
small business with a single forest/tree/domain all the way up to a large
enterprise with multiple forests each containing multiple trees with each
tree having numerous domains, there may be many differences of opinion on
the part of administrators regarding schema extensions and applications that
create them.

I'm interested in hearing those opinions in regards to an enterprise type of
resource provisioning application that will run primarily as a service under
a specific domain account, with the caveat that the application does require
some schema extensions in order to run properly.  In particular, the
question pertains to whether or not the main application should attempt to
perform the schema extension work when it detects that they are not present,
and if so, should it want/need to do so under its own set of credentials
used to perform the service logon by the service control manager when the
service is started, or should the application's UI request an elevated set
of credentials in order to perform the schema extension.  Alternatively,
should the schema extension be performed using an additional program
provided with the application so that it would be relatively easy for an
administrator to logon, run the schema extension tool, and then be done with
their part so that the application's "owner" could continue with the
installation & configuration of the application.

I'm familiar with many of the issues in terms of Novell's eDirectory, but
with AD there may be some other concerns due to differences in the two
directory services and how they are implemented.  It's the AD-specific
concerns that interest me.


TIA,

Chuck
--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc. 864 801 2795 voice & voicemail
103 Autumn Hill Road  864 801 2774 fax
Greer, SC  29651

"Racing to save lives"
The Leukemia & Lymphoma Society - Team in Training
http://www.active.com/donate/tntsc/tntscCChopp

Do not send me unsolicited commercial email.


RE: [ActiveDir] GPO Restricted Groups gotchas ?

2005-09-24 Thread Roger Seielstad
That's not the same net effect. Those settings are only applied at restart as 
opposed to being applied every 90 minutes (or whatever your refresh interval 
is). It's quite possible to remove the perms granted by that script and run like 
that for months. 



Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Saturday, September 24, 2005 2:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GPO Restricted Groups gotchas ?

I agree it would be better to give that option of append along with override. I
assume they didn't implement it because it is very easy to get the desired result
through other means, like this batch file, which can run as a computer startup
script for intended machines. This works like an append operation.

  :: Add support admin to administrators group
  net localgroup administrators domain\supportadmin /add

On 9/25/05, Roger Seielstad <[EMAIL PROTECTED]> wrote:
>
> Actually, the ideal would be the option to append or override.
>
> Sometimes you don't care if others are in a specific group, as long as a
> specific set of accounts/groups are in that group. Case in point is IT shops
> where the user is granted/required to have local admin. Ideally, you'd set
> that user, plus your IT support staff, as local admin. Without having the
> option to append, all you can do is override, which means that one user is
> then out.
>
> Roger Seielstad
> E-mail Geek
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
> Sent: Friday, September 23, 2005 2:42 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] GPO Restricted Groups gotchas ?
>
> But then it defeats the purpose of restricted group, as you want to be sure
> that only known members are part of the restricted group. If the operation
> is merge, then it is not restricted by definition?
> When you ask for merge or append, you are doing some group membership
> modification. You better use some scripts for that.
>
> I would suggest creating a separate group of those app servers, and applying
> group policy with restricted group populated as you want.
> Make sure Group Policy is applied to that group of app servers only. It is
> a must that you remove the "Authenticated Users" group from group policy security.
>
> On 9/23/05, Mark Parris <[EMAIL PROTECTED]> wrote:
> >
> > The biggest gotcha is that any existing group memberships for groups
> > managed by the restricted group policy are overridden by the restricted
> > group policy – this is my biggest gripe, I wish they would merge\append.
> >
> > Mark
> >
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > Sent: 23 September 2005 06:36
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] GPO Restricted Groups gotchas ?
> >
> > I would like to use restricted groups policies to specify local
> > Administrative access to application servers. I am sure this has already
> > been tried. I would like to know how this worked or did not work for those
> > who have tried it and were there any unexpected gotchas that happened?
> >
> > Thank You! And have a nice day!
> >
> > Mark Lunsford
> > KAISER PERMANENTE
>
> --
> ~~~
> "Fortune and Love befriend the bold"
> ~~~


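Added example, not a script from this thread: Roger's point is that a startup script like Kamlesh's only re-applies membership at boot, while Restricted Groups re-applies it at every refresh, so drift between reboots is the thing to watch for. This Python audit parses the text that 'net localgroup Administrators' prints (a constructed sample, hypothetical CORP domain) and compares it with the member list a policy would enforce; EXPECTED_MEMBERS and the account names are assumptions.

```python
"""Audit local Administrators membership against the set a policy should enforce.

Added example (not a script from the thread). A computer startup script such as
'net localgroup administrators domain\\supportadmin /add' only runs at boot, so
membership can drift between reboots, whereas Restricted Groups is re-applied at
every policy refresh. This audit parses the text 'net localgroup' prints and
reports members that are missing from, or extra to, the expected list.
"""
import subprocess
from typing import Dict, Iterable, List, Set

# Constructed sample of 'net localgroup Administrators' output (hypothetical
# CORP domain, not captured from a real host). Members follow the dashed line.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jdoe
CORP\\supportadmin
CORP\\contractor7
The command completed successfully.

"""

# Hypothetical policy: the members a Restricted Groups setting would enforce.
EXPECTED_MEMBERS: Set[str] = {
    "Administrator",
    "CORP\\Domain Admins",
    "CORP\\jdoe",
    "CORP\\supportadmin",
}


def parse_net_localgroup(output: str) -> Set[str]:
    """Return the member names listed after the dashed separator line."""
    members: Set[str] = set()
    in_members = False
    for raw in output.splitlines():
        line = raw.strip()
        if not in_members:
            in_members = line.startswith("----")
            continue
        if not line or line.startswith("The command completed"):
            continue
        members.add(line)
    return members


def audit(current: Iterable[str], expected: Iterable[str]) -> Dict[str, List[str]]:
    """Compare memberships case-insensitively (Windows account names are)."""
    cur = {m.lower(): m for m in current}
    exp = {m.lower(): m for m in expected}
    return {
        "unexpected": sorted(cur[k] for k in cur.keys() - exp.keys()),
        "missing": sorted(exp[k] for k in exp.keys() - cur.keys()),
    }


def audit_local_host(group: str = "Administrators") -> Dict[str, List[str]]:
    """Run 'net localgroup' on the local Windows host and audit the result."""
    completed = subprocess.run(
        ["net", "localgroup", group], capture_output=True, text=True, check=True
    )
    return audit(parse_net_localgroup(completed.stdout), EXPECTED_MEMBERS)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: contractor7 is flagged.
    print(audit(parse_net_localgroup(SAMPLE_OUTPUT), EXPECTED_MEMBERS))
```

Run audit_local_host() from a scheduled task on the servers in question to catch membership that a boot-time script would not re-correct until the next restart.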


RE: [ActiveDir] SBS migration (was SBS Server Question)

2005-09-24 Thread Roger Seielstad
It's really been a while since I laid hands on SBS, so I'm shooting from some
pretty dusty memories.




Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley
Sent: Saturday, September 24, 2005 12:57 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)

I'd still like to get more specifics ...what exactly ..what scripts.. what
things. what doesn't work in an SBS deployment?  Once you build the box
it's the real bits.  And you can sign up to be a system builder and get the
OEM build kit and do your own.

As far as the CEICW you can dump out the xml file and just dump it into
another setup.

Actually the dev team would love to know what you find that drives you crazy
as the more IT pros can deploy these little guys... the more converts to
SBSland I get :-)

Roger Seielstad wrote:

>The "manual" issue comes down to scale. Without going into too much 
>detail, my current team (5 engineers including myself) manage 1000 
>application servers. Obviously, the concept of using a wizard to 
>configure things there wouldn't work. That's where all the scripting 
>and command line tools come into play.
>
>With regards to CALs, the license tracking functionality outside of SBS 
>is, well, broken. It's never worked right. I can't remember all the 
>specifics, but basically it's nearly impossible for individual machines 
>to not be counted multiple times. Effectively if you have 100 machines, 
>it was possible to get a report of there being >200 CALs in use. One of 
>the many reasons I force disable the LicenseLogging service..
>
>
>
>Roger Seielstad
>E-mail Geek
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley
>Sent: Thursday, September 22, 2005 10:01 PM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)
>
>Trust me... it's a religious thing  :-)
>
>Those of us that have the religion of SBS don't see a problem with the 
>wizards. :-)
>
>We're looking to start a support group for former Enterprise Admins who 
>are now SBSers 
>http://msmvps.com/bradley/archive/2005/07/27/59808.aspx
>
>I'll be honest with you ... the first time I set up 'normal' server and 
>'normal' exchange I was extremely surprised how much manual stuff you 
>guys do in big server land.  Forestprep and all that.  The next thing I 
>was absolutely flabbergasted about was how they trust you on the number of
>CALs. "You just stick in a number there?  And they trust you to be honest? Wow."
>Blew me away.
>
>Actually it's near impossible to get WSS [sharepoint] on a same box as 
>Exchange anyway.  There are a couple of folks that tried and finally 
>gave up.
>
>Roger Seielstad wrote:
>
>  
>
>>Actually, I don't think it's a religious issue. The problem with SBS 
>>is that it's not really the amalgam of Microsoft technologies that it's 
>>billed as, and as such you can't administer it as you would with all 
>>the same apps in a non-SBS implementation.
>>
>>It's a neat package overall, but the requirement to do the wizard 
>>thing makes it hard for people like us to deal with it..
>>
>>
>>
>>Roger Seielstad
>>E-mail Geek
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. 
>>Smith
>>Sent: Thursday, September 22, 2005 1:06 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: RE: [ActiveDir] SBS migration (was SBS Server Question)
>>
>>And that is a real difficulty.
>>
>>The wizards should integrate seamlessly. Or the other tools should 
>>integrate seamlessly. Take your pick.
>>
>>I've got a couple of hundred client companies, probably 3 or 4 use SBS.
>>I HATE touching the SBS clients because it's a fair bet there is a 
>>wizard for something that I'm not going to use a wizard for, because I 
>>can use one of my scripts or a native tool and do it quicker. (You can 
>>argue that someone that knows the wizards can do it more quickly with 
>>them -- and that's fine -- but I don't, and shouldn't have to.)
>>
>>It's a religious issue.
>>
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
>>Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>>Sent: Thursday, September 22, 2005 12:19 PM
>>To: ActiveDir@mail.activedir.org

RE: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs

2005-10-15 Thread Roger Seielstad
It's a fairly simple equation.
 
Dual Core processors have 2 full CPUs per chip. Therefore, they have two sets
of cache, and can have two instructions being executed at the same time.
 
Hyperthreading is a single CPU per chip that supports two parallel "trains" of
instructions and data into the processor. The only real benefit to
Hyperthreading is that it reduces some of the pain of context switching within
a processor, thereby speeding things up. Regardless of how the OS presents it
(IMO it should NOT reflect as 2 processors), it's still only able to execute a
single instruction at a time.
 
With those ideas in mind, IMO it's better to scale AD out rather than up with
regards to performance, depending of course on database size. I doubt there are
a lot of environments where this question is of any real relevance. Dual core is
interesting more from a rack/power density stance than from its outright speed
of processing. In my current environment, we're seriously limited with data
center space in part due to growth of our services, so we're trying to find
more efficient uses of space and power. For instance, the AMD64 x2
processors[1] draw roughly the same power at full utilization as their single
core brethren. That's a HUGE savings for power and cooling versus traditional
dual processor machines.
 
If you do go dual core, I'd also go as far as saying *which* dual core
technology you choose. There's a huge difference between the architectures from
Intel and AMD, both of which have their benefits. However, my personal opinion
is that in the vast majority of cases AMD's design is vastly superior for
general computing tasks - the last time I checked, the AMD64 platform uses
about half as many clock cycles to go to RAM than the Intel EM64T design
requires. The end result is that for servers tasked with randomized data
retrieval (which AD definitely qualifies as), AMD has the edge.
 
It is worth noting however that the Intel EM64T architecture is better suited
for applications where there can be a long, somewhat predictable, pipeline of
data to be processed. For example, I'd expect things like hard core scientific
and statistical processing to be faster on the EM64Ts.
 

Roger D. Seielstad
E-mail Geek
 
[1] Which is what my new toy here at home is running - spanking fast!
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mauricio F. Funes
Sent: Thursday, October 13, 2005 9:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs

Gentlemen, does anyone have any information regarding Domain Controller
consolidation utilizing Dual Core CPUs? I have not seen any reports from
Microsoft indicating the performance boost gained by utilizing Dual Core
technology on DCs. It is presumed to be much better than the 20% to 30% gain
from Hyper-Threading CPUs.
Thanks for your input,
Mauricio Funes [EMAIL PROTECTED] Pasadena, CA


RE: [ActiveDir] rebooting a patched, but stubborn DC

2005-10-16 Thread Roger Seielstad
I see that occasionally, but rarely. But I'm not running any DCs these days
- just a whole boatload of application servers. 



Roger D. Seielstad
E-mail Geek

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Sunday, October 16, 2005 4:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] rebooting a patched, but stubborn DC

Hi Susan,
 Thanks for the response.  No UPS issues.  Checked the services remotely
and didn't find anything unusual.  The DC did finally reboot on its own
shortly after I sent out my first message - about 2 hours after the original
patching and message saying it wanted to reboot and I clicked OK.  The event
logs showed nothing of any consequence, just a big (2 hour) gap in the
system event log entries (between the entry saying it initiated shutdown and
the entry saying the system was coming back up).   The security log showed
no gaps at all.  Am I the only one that sees this kind of behavior on
W2K3/SP1 servers?  I normally don't use the "/console" switch when I TS in
(e.g., mstsc.exe /console).  I wonder if that could speed the process up.
 
Mike Thommes



From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka
Ebitz - SBS Rocks [MVP]
Sent: Sat 10/15/2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] rebooting a patched, but stubborn DC



APC UPS's and you don't have the latest ver on there?
HP with a UPS?

Can you get into services and see if something is 'stopping'?

Got any ILO ability there [or suitable other remote techniques]?

Thommes, Michael M. wrote:

>So I have remotely (TS connection) applied the latest Windows patches 
>to one of my DCs.  Patches went on fine.  Said it needed to reboot.  I 
>clicked "Restart".  And two hours later, it still has not rebooted, but 
>it did terminate the TS session.  I have tried to "kick it" via a 
>"shutdown /f /r" command from another DC.  Still no luck.  Issue same 
>command remotely with the big Kahuna account, and it says a shutdown is 
>in progress.  It appears to still be serving up clients, e.g., no 
>discernible ill effects.  I have seen this periodically in the past 
>with other servers.  Anyone have any comments/thoughts on this 
>irritating weekend activity?  TIA!
>
>Mike Thommes

--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com



RE: [ActiveDir] Scripting a DNS Host Record Update

2003-12-02 Thread Roger Seielstad
Do you have any references to this method?
 
Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  -Original Message-
  From: Dean Wells [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, December 02, 2003 11:59 AM
  To: AD mailing list (Send)
  Subject: RE: [ActiveDir] Scripting a DNS Host Record Update
  I'm coming in to this thread rather late and most of the solutions commonly
  available to you have already been proposed.  It is, however, feasible
  (though rarely used) to update a DNS record using ADSI or LDAP assuming the
  zone is:
   
  * maintained by the Windows 2000/2003 DNS service
  * the name server is running on a Domain Controller
  * the record in question is housed within an Active Directory integrated
  zone
   
  If the requirements above are met, a simple script to modify the dnsNode
  instances beneath the MicrosoftDNS container will suffice (the DN of this
  container varies dependent upon the partition into which the zone is
  integrated).  It's important to note that this approach will, in most
  cases, impose a delay with regard to the DNS service becoming aware of
  the changes made since much of a zone's content is cached.  The delay
  varies in my experience from seconds to minutes.
   
  If this approach is of any use and you need any further details, feel free to
  post back.
   
  In my opinion, the constraints and limitations of this technique are a little
  too extreme but since you specifically mentioned ADSI and LDAP, I felt it
  worth a mention.
   
  Dean
  --
  Dean Wells
  MSEtechnology
  Tel: +1 (954) 501-4307
  Email: dwells@msetechnology.com
  http://msetechnology.com
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Holland Matthew BC GB
Sent: Tuesday, December 02, 2003 9:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Scripting a DNS Host Record Update

Greetings!
Does anyone know how I can script an update to a host record in a DNS Zone
(either Windows 2000 or 2003)?  I found a WMI Provider Class
(ftp://ftp.microsoft.com/reskit/win2000/dnsprov.zip) but would also be
interested to know if there is another way, using ADSI or LDAP maybe?
Cheers, 

Matty
 
 


RE: [ActiveDir] Scripting a DNS Host Record Update

2003-12-02 Thread Roger Seielstad
More or less yes. Care to share the scripts?
 
 
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
  -Original Message-
  From: Dean Wells [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, December 02, 2003 12:28 PM
  To: AD mailing list (Send)
  Subject: RE: [ActiveDir] Scripting a DNS Host Record Update
  If, by references, you mean formal documentation, no, I'm afraid not.  This
  is a technique I theorized some time ago; I developed a couple of ad hoc
  scripts back then to test it and experienced an unexpected level of
  success.  IIRC, the last 4 bytes of the dnsRecord attribute (of the
  dnsNode instance whose cn matches that of the A record's primary label [short
  name]) represent the IP address of the A record in question.
   
  Does this answer your question ... at least to some extent?
  --
  Dean Wells
  MSEtechnology
  Tel: +1 (954) 501-4307
  Email: dwells@msetechnology.com
  http://msetechnology.com
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, December 02, 2003 12:14 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Scripting a DNS Host Record Update
Do you have any references to this method?
 
Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  

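Added example, not Dean's scripts or anything else from the thread: a Python decoder for the dnsRecord value that shows why the IPv4 address is the last 4 bytes, assuming the DNS_RPC_RECORD layout documented in MS-DNSP (a 24-byte header followed by the record's RDATA). The sample record, the RANK_ZONE/VERSION constants and the serial handling in replace_a_address are assumptions of this example; it is also useful for reading dnsNode objects back when auditing what is actually stored in the zone.

```python
"""Decode and update the binary dnsRecord attribute of an AD-integrated dnsNode.

Added example, not a script from the thread. Dean's observation that the last
4 bytes of dnsRecord hold an A record's IPv4 address follows from the
DNS_RPC_RECORD layout in MS-DNSP section 2.3.2.2: a 24-byte header, then the
type-specific RDATA (4 bytes for an A record, 16 for AAAA). All blobs here are
constructed for the example; nothing is read from a directory.
"""
import ipaddress
import struct
from typing import Dict, Union

# Header fields, little-endian: DataLength, Type, Version, Rank, Flags, Serial,
# TtlSeconds (the one big-endian field, handled separately), Reserved, TimeStamp.
HEADER = struct.Struct("<HHBBHLLLL")
HEADER_LEN = HEADER.size  # 24
TTL_OFFSET = 12
TYPE_A, TYPE_AAAA = 1, 28
RANK_ZONE = 0xF0  # authoritative zone record (MS-DNSP); assumed for new records
VERSION = 5


def decode_dns_record(blob: bytes) -> Dict[str, Union[int, str, bytes]]:
    """Parse one dnsRecord value; adds 'address' for A and AAAA records."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than the 24-byte DNS_RPC_RECORD header")
    data_len, rtype, version, rank, flags, serial, _, _reserved, timestamp = HEADER.unpack_from(blob)
    ttl = struct.unpack_from(">L", blob, TTL_OFFSET)[0]
    rdata = blob[HEADER_LEN:]
    if data_len != len(rdata):
        raise ValueError(f"DataLength {data_len} does not match {len(rdata)} RDATA bytes")
    rec: Dict[str, Union[int, str, bytes]] = {
        "type": rtype, "version": version, "rank": rank, "flags": flags,
        "serial": serial, "ttl": ttl, "timestamp": timestamp, "rdata": rdata,
    }
    if rtype == TYPE_A and len(rdata) == 4:
        rec["address"] = str(ipaddress.IPv4Address(rdata))
    elif rtype == TYPE_AAAA and len(rdata) == 16:
        rec["address"] = str(ipaddress.IPv6Address(rdata))
    return rec


def encode_a_record(address: str, ttl: int, serial: int) -> bytes:
    """Build a static (TimeStamp 0) zone-ranked A record blob."""
    rdata = ipaddress.IPv4Address(address).packed
    header = bytearray(HEADER.pack(len(rdata), TYPE_A, VERSION, RANK_ZONE, 0, serial, 0, 0, 0))
    header[TTL_OFFSET:TTL_OFFSET + 4] = struct.pack(">L", ttl)  # big-endian TTL
    return bytes(header) + rdata


def replace_a_address(blob: bytes, new_address: str, new_serial: int) -> bytes:
    """Return the blob with its IPv4 RDATA (the last 4 bytes) and serial replaced.

    Which serial value the DNS service expects on an LDAP-side update is not
    something the thread settles; the caller supplies it (assumption).
    """
    rec = decode_dns_record(blob)
    if rec["type"] != TYPE_A:
        raise ValueError(f"record type {rec['type']} is not an A record")
    serial_bytes = struct.pack("<L", new_serial)  # Serial sits at bytes 8..11
    return blob[:8] + serial_bytes + blob[TTL_OFFSET:HEADER_LEN] + ipaddress.IPv4Address(new_address).packed


# Constructed sample: the dnsRecord value a host at 192.0.2.10 would carry.
SAMPLE_A_RECORD = encode_a_record("192.0.2.10", ttl=3600, serial=7)

if __name__ == "__main__":
    print(decode_dns_record(SAMPLE_A_RECORD))
    print(decode_dns_record(replace_a_address(SAMPLE_A_RECORD, "192.0.2.20", 8)))
```

As Dean notes, a value written this way only becomes visible after the DNS service's cache of the zone catches up, so verify with a query rather than trusting the LDAP write alone.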

RE: [ActiveDir] Computer account migration

2003-12-05 Thread Roger Seielstad
That definitely sounds like a rights issue on the source domain side.

I'd definitely try logging in as an account on the source domain with
sufficient credentials to install software on the client machines.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Farr, Rob UKCA [mailto:[EMAIL PROTECTED] 
> Sent: Friday, December 05, 2003 8:14 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Computer account migration
> 
> 
> Hi Dave
> I know what you are saying and I was hoping this was the case 
> as the ADMT2
> tool has a very admin friendly GUI.
> I get as far as despatching the agents no problem, but then 
> the agent fails
> to install with access denied
> 
> Question
> 1.  I am doing the migration from the w2k3 ad server and 
> drilling into the
> NT4 domain for the machine account migration, it denies 
> access when the
> agent is trying to install.  I have run the tool with the 
> "run as" command
> and have used the NT4 domain admin account but still fails at 
> the same point
> of installing the agent
> Is there something I am missing?
> 2.  Should I logon to the w2k3 ad dc as the NT4 admin account?
> 
> Over. 
> 
> -Original Message-
> From: Thornley, Dave H [mailto:[EMAIL PROTECTED] 
> Sent: 05 December 2003 11:58
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Computer account migration
> 
> Hi Rob,
> 
> Perhaps I've missed something, but why don't you use ADMT to 
> migrate the
> machines?
> 
> It has a two stage process where the machine accounts are 
> migrated first of
> all, then an agent is dispatched to the workstations which changes the
> domain affiliation, translates any ACLs on the machine that 
> refer to the old
> domain and reboots the workstation.
> 
> We've done hundreds of machines like this with very few problems.
> Cheers
> 
> dave
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Farr, Rob 
> > UKCA
> > Sent: 05 December 2003 10:59
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Computer account migration
> > 
> > 
> > Thanks for this Lee!
> > I will give it a go ASAP.
> > 
> > Could I use this tool say once I have used ADMT2?
> > What I mean is, if I use admt2 to migrate the machine account names 
> > from the NT4 domain it will put them in the ad domain as there are over 
> > 250 to do. Then can I use netdom to join the machines themselves to 
> > the ad domain?
> > 
> > Rob
> > 
> > -Original Message-
> > From: Grocott Lee BC GB [mailto:[EMAIL PROTECTED]
> > Sent: 05 December 2003 09:53
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] Computer account migration
> > 
> > Hi!
> > You can use netdom quite easily to remotely remove an NT client from 
> > its current domain and rejoin it to a new domain.
> >  For example, migrating an NT4 client from an NT4 domain to an AD 
> > domain.
> > 
> > Netdom is in the Windows 2000 resource kit.  Make sure you use the 
> > most recent version you can find, as earlier versions don't support 
> > the JOIN method :-/
> > 
> > You can use an almost identical syntax for both the REMOVE and JOIN
> > commands:
> > 
> > Netdom.exe REMOVE ComputerName /domain:DomainName /userd:DomainUser 
> > /passwordd:DomainUserPassword /usero:LocalUser 
> > /passwordO:LocalUserPassword
> > 
> > ComputerName = The computer's name you wish to connect to (no backslashes!)
> > DomainName = Your AD domain's name
> > DomainUser = A user name on the AD which has sufficient rights to join the domain
> > DomainUserPassword = Password for the domain user account
> > LocalUser = An account which has local administrator rights on the remote machine (ComputerName)
> > LocalUserPassword = Password for the local admin account
> > 
> > This will remove the machine from its domain.
> > To rejoin it to the new domain, use almost the same syntax:
> > 
> > Netdom.exe JOIN ComputerName /domain:DomainName /userd:DomainUser 
> > /passwordd:DomainUserPassword /usero:LocalUser 
> > /passwordO:LocalUserPassword
> > 
> > Hope this helps!  Please ask away if you have any questions; it 
> > works fine here.
> > 
> > Cheers,
> > 
> > Lee
> > 
> > -Original Message-
> > From: Farr, Rob UKCA [mailto:[EMAIL PROTECTED]
> > Sent: 04 December 2003 16:46
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Computer account migration
> > 
> > Tony,
> > Thanks for this, this is what I am trying to find out really, how do 
> > you use the netdom tool and where do you get it, I guess it's from a 
> > resource kit? I can migrate the computer accounts from the NT4 domain 
> > to w2k3 AD, e.g. it basically creates the account for me, but then I 
> > need to actually make sure that specific computer is joined to the 
> > domain when you look in network identification
> > 
> > Can you please point me in the right direction if netdom is the 
> > an

RE: [ActiveDir] Computer account migration

2003-12-05 Thread Roger Seielstad
Can you take one of the machines that's failing and manually change domains
- just to ensure that there's no problem?

I'm wondering if the account which is being used needs to have both rights
to the client machine in the old domain AND rights to add machines to the
new domain. Now that I think about it, that's a very likely cause.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Farr, Rob UKCA [mailto:[EMAIL PROTECTED] 
> Sent: Friday, December 05, 2003 9:30 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Computer account migration
> 
> 
> Roger
> I have done this just now, and get completed with errors
> When I look in the dispatch log everything is ok and it 
> basically states
> that "all agents are installed, the dispatcher is finished"
> 
> When I check the log on the remote machine's c drive under
> c:\windows\temp\dctlog I get the following
> 
> 2003-12-05 14:19:06 
> 2003-12-05 14:19:06 Active Directory Migration Tool, Starting...
> 2003-12-05 14:19:13 ERR3:7075 Failed to change domain affiliation,
> hr=8007054b   The specified domain either does not exist or 
> could not be
> contacted.
> 2003-12-05 14:19:13 Wrote result file C:\Program
> Files\OnePointDomainAgent\UKCA-LX-6191340216781.result
> 2003-12-05 14:19:13 Operation completed.
> 
> When looking for the result file I don't see it
> 
> When I chose the migration options I made sure this time that 
> I didn't tick
> any of the options and just tried a simple migration
> 
> I also had a look on technet for the above error but couldn't 
> find anything
> 
> Any pointers Roger?
> 
> Thanks
> 
> Rob
>  
> 

RE: [ActiveDir] SunOne synchronization???

2003-12-05 Thread Roger Seielstad
I'd think that something like Simple Sync from CPS Systems
(http://www.cps-systems.com) would do it. I'd expect Microsoft's Internet
Identity Server (MIIS) would do it as well, or something like LDSU from
HP/Compaq.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Douglas M. Long [mailto:[EMAIL PROTECTED] 
> Sent: Friday, December 05, 2003 11:03 AM
> To: [EMAIL PROTECTED] activedir. org
> Subject: [ActiveDir] SunOne synchronization???
> 
> 
> Does anyone synchronize users and passwords between Sun One 
> directory server
> and their AD? If so, what product do you use? Any tips?
> 


RE: [ActiveDir] SunOne synchronization???

2003-12-05 Thread Roger Seielstad
Ok. I missed that. And that's a BIG issue, frankly.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Kingslan, Rick T. [mailto:[EMAIL PROTECTED] 
> Sent: Friday, December 05, 2003 2:20 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] SunOne synchronization???
> 
> 
> Sadly, MIIS does not synch passwords, per se.  It does give a web
> interface for a user to choose which of the configured services to
> update their password in.
> 
> But, it does not - as the perception of many people have, allow you to
> change your password in AD then propagate to all other configured
> services being managed by the product.  If you need that, MS does
> suggest Psynch to do the replication portion, IIRC. 
> 
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> LAN Administration - Windows 2000
> West Corporation
> [EMAIL PROTECTED]
> 
> 
> -Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Roger Seielstad
> Sent: Friday, December 05, 2003 12:51 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] SunOne synchronization???
> 
> I'd think that something like Simple Sync from CPS Systems
> (http://www.cps-systems.com) would do it. I'd expect Microsoft's
> Internet Identity Server (MIIS) would do it as well, or something like
> LDSU from HP/Compaq
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: Douglas M. Long [mailto:[EMAIL PROTECTED]
> > Sent: Friday, December 05, 2003 11:03 AM
> > To: [EMAIL PROTECTED] activedir. org
> > Subject: [ActiveDir] SunOne synchronization???
> > 
> > 
> > Does anyone synchronize users and passwords between Sun One 
> directory 
> > server and their AD? If so, what product do you use? Any tips?
> > 


RE: [ActiveDir] SunOne synchronization???

2003-12-05 Thread Roger Seielstad
Isn't that really the end goal though? I mean not necessarily single sign on
(one authentication per session) but the goal of a single unique name and a
single password for the systems.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Mulnick, Al [mailto:[EMAIL PROTECTED] 
> Sent: Friday, December 05, 2003 2:43 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] SunOne synchronization???
> 
> 
> What may also be of interest is not synching passwords, but 
> rather using one
> directory as the master (is that still a PC term? :) so that 
> you only have
> to authenticate against one. Much more complex, but may fit the bill.
> 
> 
> Al
> 
>  
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
> Sent: Friday, December 05, 2003 2:36 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] SunOne synchronization???
> 
> Ok. I missed that. And that's a BIG issue, frankly.
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: Kingslan, Rick T. [mailto:[EMAIL PROTECTED]
> > Sent: Friday, December 05, 2003 2:20 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] SunOne synchronization???
> > 
> > 
> > Sadly, MIIS does not synch passwords, per se.  It does give a web 
> > interface for a user to choose which of the configured services in 
> > which to update their password in.
> > 
> > But, it does not - as the perception of many people have, 
> allow you to 
> > change your password in AD then propagate to all other configured 
> > services being managed by the product.  If you need that, MS does 
> > suggest Psynch to do the replication portion, IIRC.
> > 
> > Rick Kingslan  MCSE, MCSA, MCT
> > Microsoft MVP - Active Directory
> > LAN Administration - Windows 2000
> > West Corporation
> > [EMAIL PROTECTED]
> > 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
> > Seielstad
> > Sent: Friday, December 05, 2003 12:51 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] SunOne synchronization???
> > 
> > I'd think that something like Simple Sync from CPS Systems
> > (http://www.cps-systems.com) would do it. I'd expect Microsoft's 
> > Internet Identity Server (MIIS) would do it as well, or 
> something like 
> > LDSU from HP/Compaq
> > 
> > --
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> > 
> > 
> > > -Original Message-
> > > From: Douglas M. Long [mailto:[EMAIL PROTECTED]
> > > Sent: Friday, December 05, 2003 11:03 AM
> > > To: [EMAIL PROTECTED] activedir. org
> > > Subject: [ActiveDir] SunOne synchronization???
> > > 
> > > 
> > > Does anyone synchronize users and passwords between Sun One
> > directory
> > > server and their AD? If so, what product do you use? Any tips?
> > > 


RE: [ActiveDir] SunOne synchronization???

2003-12-05 Thread Roger Seielstad
Definitely good to hear. 

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Jackson Shaw [mailto:[EMAIL PROTECTED] 
> Sent: Friday, December 05, 2003 3:38 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] SunOne synchronization???
> 
> 
> ...and we recognize it is a BIG issue and are "fixing" that!
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Roger Seielstad
> Sent: Friday, December 05, 2003 11:36 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] SunOne synchronization???
> 
> Ok. I missed that. And that's a BIG issue, frankly.
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: Kingslan, Rick T. [mailto:[EMAIL PROTECTED] 
> > Sent: Friday, December 05, 2003 2:20 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] SunOne synchronization???
> > 
> > 
> > Sadly, MIIS does not synch passwords, per se.  It does give a web
> > interface for a user to choose which of the configured 
> > services in which
> > to update their password in.
> > 
> > But, it does not - as the perception of many people have, 
> allow you to
> > change your password in AD then propagate to all other configured
> > services being managed by the product.  If you need that, MS does
> > suggest Psynch to do the replication portion, IIRC. 
> > 
> > Rick Kingslan  MCSE, MCSA, MCT
> > Microsoft MVP - Active Directory
> > LAN Administration - Windows 2000
> > West Corporation
> > [EMAIL PROTECTED]
> > 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Roger Seielstad
> > Sent: Friday, December 05, 2003 12:51 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] SunOne synchronization???
> > 
> > I'd think that something like Simple Sync from CPS Systems
> > (http://www.cps-systems.com) would do it. I'd expect Microsoft's
> > Internet Identity Server (MIIS) would do it as well, or 
> something like
> > LDSU from HP/Compaq
> > 
> > --
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> > 
> > 
> > > -Original Message-
> > > From: Douglas M. Long [mailto:[EMAIL PROTECTED]
> > > Sent: Friday, December 05, 2003 11:03 AM
> > > To: [EMAIL PROTECTED] activedir. org
> > > Subject: [ActiveDir] SunOne synchronization???
> > > 
> > > 
> > > Does anyone synchronize users and passwords between Sun One 
> > directory 
> > > server and their AD? If so, what product do you use? Any tips?
> > > 


RE: [ActiveDir] OT: batch/command file and "child-processes" kill ing

2003-12-10 Thread Roger Seielstad
Try using Process Explorer from Sysinternals.com to see how the spawn process
works - depending on how the batch files are called (ie using START or CALL)
that might create a PID tree rather than discrete top level pids, then you
might be able to use something like pskill from the pstools (also at
Sysinternals.com).

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Baekelant, Erik [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 10, 2003 9:31 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OT: batch/command file and "child-processes" killing
>
> >>> why are you killing a.cmd vs. letting it finish its run? <<<
>
> a) Ask the Operators ;o)
> b) The scheduling client is killing a.cmd and not b.exe, as it doesn't know
> about b.exe being a child from a.cmd.
> The trick would be to launch/spawn b.exe in that way that it is
> automatically killed when a.cmd gets killed.
>
> anyway, thanks for the reply !!
>
> -Original Message-
> From: Mulnick, Al [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 10, 2003 3:16 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OT: batch/command file and "child-processes" killing
>
> That raises some interesting questions, such as why are you killing a.cmd
> vs. letting it finish its run?  I assume since it's a scheduler, you're
> killing it at the end of the process window.  But killing a cmd is not
> going to kill the child process.  A cmd is about the same as a bat file:
> it can call the other commands asynchronously and they can spawn separate
> from the cmd parent.
> What you probably want to do is enumerate the processes under a.cmd and
> kill those first.  Walk up the tree rather than lopping the top off as it
> were.  You can see what the tree looks like with tlist -t
> Taskkill?  New to me.  Kill.exe is a reskit utility that can be used.
> Kill.exe pid -f is what usually works, but not always depending on the app.
>
> More background on the kill concept: http://msdn.microsoft.com/library/default.asp?url=""
>
> From: Baekelant, Erik [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 10, 2003 8:52 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OT: batch/command file and "child-processes" killing
>
> BTW,
>
> I know I could use
>
>     taskkill /t
>
> But the Scheduling software uses a regular "kill" thing . . .
>
> -Original Message-
> From: Baekelant, Erik [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 10, 2003 2:29 PM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] OT: batch/command file and "child-processes" killing
>
> Hello
> First of all, apologies for going OT . . .
>
> We are introducing our Scheduler software (Client-side, CA Autosys) in the
> Windows environment. Everything starts fine, except stopping/killing jobs.
>
> Batch-file (a.cmd) calls another program (b.exe) a.cmd gets killed but
> b.exe keeps running. It is like (without using scheduler things) killing
> the batch and wanting the "child-processes" to quit too.
> Anyone any idea on how to execute b.exe from within a batch/command-file
> a.cmd ?
> Much appreciated,
> Erik

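One way to do what Al describes (enumerate the processes under a.cmd, kill those first, then the parent), as an added example that is not code from the thread: it walks the Win32_Process parent links from a single snapshot and stops the tree leaf-first, skipping orphans that only look like children because their PID was recycled. It assumes Windows PowerShell with the CIM cmdlets; the PID 4242 in the usage comment is a placeholder for whatever process the scheduler launched.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 3.0+ (CIM
# cmdlets). $RootId is the PID the scheduler started (e.g. the cmd.exe
# running a.cmd); 4242 below is a placeholder.

function Get-ProcessDescendants {
    [CmdletBinding()]
    param([Parameter(Mandatory)][int]$RootId)

    # One snapshot of the process table; everything below works from it so
    # the tree cannot shift under us while we walk it.
    $snapshot = Get-CimInstance -ClassName Win32_Process
    $byId = @{}
    foreach ($p in $snapshot) { $byId[[int]$p.ProcessId] = $p }

    $found = New-Object 'System.Collections.Generic.List[object]'
    $queue = New-Object 'System.Collections.Generic.Queue[object]'
    $queue.Enqueue(@{ Id = $RootId; Depth = 0 })

    while ($queue.Count -gt 0) {
        $node   = $queue.Dequeue()
        $parent = $byId[[int]$node.Id]
        if ($null -eq $parent) { continue }

        foreach ($c in $snapshot) {
            if ([int]$c.ParentProcessId -ne [int]$node.Id) { continue }
            # Windows recycles PIDs: a process that started BEFORE its supposed
            # parent is an orphan whose real parent died and whose PID was
            # handed out again. Do not treat it as part of this tree.
            if ($c.CreationDate -and $parent.CreationDate -and
                $c.CreationDate -lt $parent.CreationDate) { continue }
            $found.Add([pscustomobject]@{
                ProcessId = [int]$c.ProcessId
                Name      = $c.Name
                Depth     = $node.Depth + 1
            })
            $queue.Enqueue(@{ Id = [int]$c.ProcessId; Depth = $node.Depth + 1 })
        }
    }
    return $found
}

function Stop-ProcessTree {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][int]$RootId)

    # Deepest first, then their parents, then the root: the opposite of
    # "lopping the top off", which is exactly what leaves b.exe running.
    $order = Get-ProcessDescendants -RootId $RootId | Sort-Object -Property Depth -Descending
    foreach ($p in $order) {
        if ($PSCmdlet.ShouldProcess("$($p.Name) (PID $($p.ProcessId))", 'Stop-Process')) {
            Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue
        }
    }
    if ($PSCmdlet.ShouldProcess("PID $RootId", 'Stop-Process')) {
        Stop-Process -Id $RootId -Force -ErrorAction SilentlyContinue
    }
}

# Usage (placeholder PID): preview the kill order first, then do it for real.
#   Get-ProcessDescendants -RootId 4242 | Format-Table
#   Stop-ProcessTree -RootId 4242 -WhatIf
#   Stop-ProcessTree -RootId 4242
```

The -WhatIf run prints the order without stopping anything, which is the check to do before handing this to a scheduler that currently only knows about a.cmd.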

RE: AD as a possible target of attack? RE: [ActiveDir] Virus soft wareon DC

2003-12-11 Thread Roger Seielstad
It strikes me that excluding *.dit is probably all that's necessary on the
DCs

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Tony Murray [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, December 11, 2003 8:55 AM
> To: [EMAIL PROTECTED]
> Subject: Re: AD as a possible target of attack? RE: 
> [ActiveDir] Virus softwareon DC
> 
> 
> > DO scan your DCs and reconsider excluding things like the Sysvol
> 
> I fully agree with you here, John.  I have seen for myself 
> how good FRS is at distributing viruses throughout the 
> infrastructure in short period of time!!  Some of the major 
> AV vendors previously had products that caused problems when 
> scanning SYSVOL, but the recent offerings have resolved this. 
>  Bottom line:  there is no good reason not to include SYSVOL 
> (as long as you've checked with your AV vendor first).
> 
> Tony
> 
> -- Original Message --
> From: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Date:  Wed, 10 Dec 2003 23:18:52 +0100
> 
> I totally agree with all the guys out there that urge you to scan your
> DCs!!! I've been thinking about this issue for some time and 
> I've come to
> the conclusion that Active Directory would be THE IDEAL 
> target for a virus
> attack. The robustness of AD replication makes it the ideal 
> distribution
> mechanism for viruses. Hey ... distributing viruses by mail 
> is ancient
> technology ;-). Why not use the intense integration of 
> Exchange 2000+ and AD
> to transport a virus from Exchange to AD? 
> 
> No guys... I'm very serious! DO scan your DCs and reconsider excluding
> things like the Sysvol because this is another possible 
> target for the sick
> minds out there that like to screw up enterprise 
> environments! It's only a
> matter of time before the first AD virus is a fact of life we 
> have to deal
> with!
> 
> So go out and check (before you go to bed) whether or not 
> dat-file updates
> are really succeeding ;-).
> 
> Cheers!
> John
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: 10-12-2003 18:07
> Subject: RE: [ActiveDir] Virus software on DC
> 
> Sorry, I have to throw-in my two cents. I exclude the sysvol/sysvol
> folder and sub-folders, but run the real-time scanner on everything
> else.  These two folders deal with replication and are too volatile to
> play with.
> 
> S
> 
> *
> Steve Shaff
> Active Directory / Exchange Administrator
> Corillian Corporation
> (W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Burkes, Jeremy
> [contractor]
> Sent: Wednesday, December 10, 2003 8:52 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Virus software on DC
> 
> Same here, never had any problems either.
> 
> Jeremy
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> Sent: Wednesday, December 10, 2003 11:47 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Virus software on DC
> 
> 
> We run Symantec AV corporate edition and don't exclude any 
> directories.
> We haven't had any problems related to AV software.. 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
> Sent: Wednesday, December 10, 2003 11:42 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Virus software on DC
> 
>  >What directories should I not be scanning?
> 
> We use the exclusions in this list-
> 
> 822158 - Virus Scanning Recommendations on a Windows 2000 Domain
> Controller:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;822158
> 
> 
> 
> 
>   From: [EMAIL PROTECTED]
>   Sent: Wednesday, December 10, 2003 8:30 AM
>   To: [EMAIL PROTECTED]
>   Subject: RE: [ActiveDir] Virus software on DC
>   
>   
>   We run Trend here.
>   Never have run into any issues and we are using the realtime
> scan.
>   Just out of curiosity though, I am scanning all except for a few
> select dirs/
>   What directories should I not be scanning?
> 
> 
> 
>   John Parker, MCSE 
>   IS Admin. 
>   Senior Technical Specialist 
>   Alpha Display Systems. 
> 
>   Alpha Video 
>   7711 Computer Ave. 
>   Edina, MN. 55435 
> 
>   952-896-9898 Local 
>   800-388-0008 Watts 
>   952-896-9899 Fax 
>   612-804-8769 Cell 
>   952-841-3327 Direct 
> 
>   [EMAIL PROTECTED] 
>   "Be excellent to each other" 
>   ---End of Line--- 
> 
> 
>   -Original Message-
>   From: [EMAIL PROTECTED]
>   Sent: Wednesday, December 10, 2003 10:24 AM
>   To: [EMAIL PROTEC

RE: AD as a possible target of attack? RE: [ActiveDir] Virus soft wareon DC

2003-12-11 Thread Roger Seielstad
I'm not as worried about malicious, entry changing attacks due to the built-in
security model. It's cake and pie to do a denial of service attack against
an LDAP system. Add to that a simple DNS query to find all the DC's, and the
whole domain drops like a lead filled balloon.

Is there a way to limit the number of LDAP queries per second on a DC, at
least from a specific source address?

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: GRILLENMEIER,GUIDO (HP-Germany,ex1) 
> [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, December 11, 2003 4:14 PM
> To: [EMAIL PROTECTED]
> Subject: RE: AD as a possible target of attack? RE: 
> [ActiveDir] Virus soft wareon DC
> 
> 
> I don't even think you have to restrict the AD-related virus 
> issue to the
> file-system.  
> 
> Something that your AV tools won't help you with is a 
> "virus", that simply
> runs malicious LDAP queries - i.e. changing all kinds of attributes on
> objects in AD or even delete a whole lot of objects at 
> once...  Obviously
> this virus would only be harmful for users with appropriate 
> permissions on
> the AD objects.
> 
> Again, AD will ensure that these malicious changes are 
> replicated to all DCs
> and you could end up with quite a disaster which is certainly 
> not very easy
> to recover from.
> 
> /Guido
> 
> -Original Message-
> From: Tony Murray [mailto:[EMAIL PROTECTED] 
> Sent: Donnerstag, 11. Dezember 2003 14:55
> To: [EMAIL PROTECTED]
> Subject: Re: AD as a possible target of attack? RE: [ActiveDir] Virus
> softwareon DC
> 
> > DO scan your DCs and reconsider excluding things like the Sysvol
> 
> I fully agree with you here, John.  I have seen for myself 
> how good FRS is
> at distributing viruses throughout the infrastructure in 
> short period of
> time!!  Some of the major AV vendors previously had products 
> that caused
> problems when scanning SYSVOL, but the recent offerings have 
> resolved this.
> Bottom line:  there is no good reason not to include SYSVOL 
> (as long as
> you've checked with your AV vendor first).
> 
> Tony
> 
> -- Original Message --
> From: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Date:  Wed, 10 Dec 2003 23:18:52 +0100
> 
> I totally agree with all the guys out there that urge you to scan your
> DCs!!! I've been thinking about this issue for some time and 
> I've come to
> the conclusion that Active Directory would be THE IDEAL 
> target for a virus
> attack. The robustness of AD replication makes it the ideal 
> distribution
> mechanism for viruses. Hey ... distributing viruses by mail 
> is ancient
> technology ;-). Why not use the intense integration of 
> Exchange 2000+ and AD
> to transport a virus from Exchange to AD? 
> 
> No guys... I'm very serious! DO scan your DCs and reconsider excluding
> things like the Sysvol because this is another possible 
> target for the sick
> minds out there that like to screw up enterprise 
> environments! It's only a
> matter of time before the first AD virus is a fact of life we 
> have to deal
> with!
> 
> So go out and check (before you go to bed) whether or not 
> dat-file updates
> are really succeeding ;-).
> 
> Cheers!
> John
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: 10-12-2003 18:07
> Subject: RE: [ActiveDir] Virus software on DC
> 
> Sorry, I have to throw-in my two cents. I exclude the sysvol/sysvol
> folder and sub-folders, but run the real-time scanner on everything
> else.  These two folders deal with replication and are too volatile to
> play with.
> 
> S
> 
> *
> Steve Shaff
> Active Directory / Exchange Administrator
> Corillian Corporation
> (W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Burkes, Jeremy
> [contractor]
> Sent: Wednesday, December 10, 2003 8:52 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Virus software on DC
> 
> Same here, never had any problems either.
> 
> Jeremy
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> Sent: Wednesday, December 10, 2003 11:47 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Virus software on DC
> 
> 
> We run Symantec AV corporate edition and don't exclude any 
> directories.
> We haven't had any problems related to AV software.. 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
> Sent: Wednesday, December 10, 2003 11:42 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Virus software on DC
> 
>  >What directories should I not be scanning?
> 
> We use the exclusions in this list-
> 
> 822158 - Virus Scanning Recommendations on a W

RE: AD as a possible target of attack? RE: [ActiveDir] Virus soft wareon DC

2003-12-11 Thread Roger Seielstad
I honestly don't think it would be that hard to write some maliciously bad
LDAP queries (expensive as Robbie called them) that a limited number of
systems would bring to bear to hinder or even bring to rubble a DC.

My users and my DC's happen to be on 100MB switch fabrics, which means a few
clients could easily flood my two local DC's. Add to that a purposefully
crafted nightmarish query, and watch the spin cycle.

As I mentioned earlier, MTA's are starting to support this kind of
functionality - limit concurrent connects from a given source address. In
the mail world, that's strictly to slow down spammers, but it could be added
DOS protection for the directory.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, December 11, 2003 5:38 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: AD as a possible target of attack? RE: 
> [ActiveDir] Virus soft wareon DC
> 
> 
> The problem with the built-in security model is that in most 
> environments
> it's easy to get around it by using one of the various LocalSystem
> escalations on the DC. All of a sudden the ACLs are 
> meaningless, and AD will
> happily replicate the corrupted data for you.
> 
> It's hard to do a system wide denial-of-service by flooding 
> the DCs with
> queries (I assume this is what you were talking about) 
> because of the number
> of clients you would have to bring to bear. It takes a lot of 
> clients to
> generate enough traffic to kill a DC, and a lot more to kill 
> all the DCs in
> the system. And if the clients are connected to the DCs via slower WAN
> links, it's probably impossible.
> 
> You can disable anonymous queries (already done by default in 
> W2K3), and you
> can configure IP addresses to deny connections from, but I 
> don't know of a
> way to limit the number of LDAP queries per second. Sounds like a cool
> feature.
> 
> -gil
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Roger Seielstad
> Sent: Thursday, December 11, 2003 2:36 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: AD as a possible target of attack? RE: 
> [ActiveDir] Virus soft
> wareon DC
> 
> 
> I'm not as worried about malicious, entry changing attacks 
> due to the built-in
> security model. It's cake and pie to do a denial of service 
> attack against
> an LDAP system. Add to that a simple DNS query to find all 
> the DC's, and the
> whole domain drops like a lead filled balloon.
> 
> Is there a way to limit the number of LDAP queries per second 
> on a DC, at
> least from a specific source address?
> 
> Roger
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: GRILLENMEIER,GUIDO (HP-Germany,ex1)
> > [mailto:[EMAIL PROTECTED] 
> > Sent: Thursday, December 11, 2003 4:14 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: AD as a possible target of attack? RE: 
> > [ActiveDir] Virus soft wareon DC
> > 
> > 
> > I don't even think you have to restrict the AD-related virus
> > issue to the
> > file-system.  
> > 
> > Something that your AV tools won't help you with is a
> > "virus", that simply
> > runs malicious LDAP queries - i.e. changing all kinds of 
> attributes on
> > objects in AD or even delete a whole lot of objects at 
> > once...  Obviously
> > this virus would only be harmful for users with appropriate 
> > permissions on
> > the AD objects.
> > 
> > Again, AD will ensure that these malicious changes are
> > replicated to all DCs
> > and you could end up with quite a disaster which is certainly 
> > not very easy
> > to recover from.
> > 
> > /Guido
> > 
> > -Original Message-
> > From: Tony Murray [mailto:[EMAIL PROTECTED]
> > Sent: Donnerstag, 11. Dezember 2003 14:55
> > To: [EMAIL PROTECTED]
> > Subject: Re: AD as a possible target of attack? RE: 
> [ActiveDir] Virus
> > softwareon DC
> > 
> > > DO scan your DCs and reconsider excluding things like the Sysvol
> > 
> > I fully agree with you here, John.  I have seen for myself
> > how good FRS is
> > at distributing viruses throughout the infrastructure in 
> > short period of
> > time!!  Some of the major AV vendors previously had products 
> > that caused
> > problems w

RE: [ActiveDir] DNS question

2003-12-12 Thread Roger Seielstad
My experience is that you can change one from AD integrated to Standard
Primary and change the others to standard secondaries from the new primary
without much worry.

If you're at all worried, I'd reverse the process - change all the
secondaries first, and have the last change you make be the change of one
from AD-Int to Primary.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Hughes. Daryn (IT Solutions) [mailto:[EMAIL PROTECTED] 
> Sent: Friday, December 12, 2003 8:08 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] DNS question
> 
> 
> All,
> 
> Here's a problem you guys might be able to help us with.
> 
> Background:
> We have setup an Active Directory-integrated zone which 
> replicates to three
> of our domain controllers. In addition, we have setup 
> secondary zones on a
> Windows NT server to support existing clients with static 
> DNS settings. On
> the Zone Transfer tab we have specified to "Allow Zone 
> Transfers" "to the
> following servers", the ip address of the NT DNS server. 
> The zones transferred ok. 
> 
> Problem:
> The following day the Zone Transfer tab had changed. "Allow 
> Zone Transfers"
> was un-selected and the options beneath, greyed out. The ip 
> address of the
> NT DNS server was removed.
> 
> The result is that the AD DNS server is refusing to transfer to the NT
> server. 
> Not sure if this is by design or is a bug.
>  
> Our proposed solution is to change the zone back to a 
> standard primary. 
> 
> My question is:
> If we change the zone back on one server, I suspect that we 
> will end up with
> the same standard primary zone on all three servers. Is there 
> a documented
> procedure to change an Active Directory integrated zone to a 
> standard primary
> when there are several AD servers hosting the zone. 
> 
> thanks in advance
> 
> regards 
> Daryn Hughes 
> 
> 

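The order Roger recommends (the secondaries first, the AD-integrated to standard primary change last), scripted with dnscmd from Windows PowerShell, as an added example that is not from the thread. Every name, address and zone in it is an assumption: DC1 becomes the standard primary, DC2 and DC3 become standard secondaries, and 10.0.0.50 stands for the NT DNS server in the question.

```powershell
# Added example, not from the thread. Assumed names/addresses: DC1 (10.0.0.10)
# keeps the zone and becomes the standard primary, DC2/DC3 (10.0.0.11/.12)
# become standard secondaries, 10.0.0.50 is the NT DNS server. Run as a DNS
# admin from a box that has dnscmd.exe (Support Tools on W2K, in-box on W2K3).

$Zone         = 'corp.example.com'
$NewPrimary   = 'DC1'
$PrimaryIP    = '10.0.0.10'
$Secondaries  = @('DC2', 'DC3')
$SecondaryIPs = @('10.0.0.11', '10.0.0.12')
$NtServerIP   = '10.0.0.50'

function Invoke-DnsCmd {
    param([Parameter(Mandatory)][string[]]$Arguments)
    # Stop at the first failure: a half-converted zone is worse than no change.
    $out = & dnscmd.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed: $out"
    }
    $out
}

# 1. Secondaries first. DC1 is still AD-integrated at this point and already
#    serves transfers (the question says they worked), so DC2 and DC3 pull a
#    full copy from it as plain file-backed secondaries.
foreach ($server in $Secondaries) {
    Invoke-DnsCmd @($server, '/ZoneResetType', $Zone, '/Secondary', $PrimaryIP, '/file', "$Zone.dns")
}

# Gate before the irreversible step: DC1 must still be loading the zone.
Invoke-DnsCmd @($NewPrimary, '/ZoneInfo', $Zone)

# 2. The last change: the remaining AD-integrated copy becomes a standard
#    primary backed by a zone file. Doing this last means there is never a
#    moment with no writable copy of the zone.
Invoke-DnsCmd @($NewPrimary, '/ZoneResetType', $Zone, '/Primary', '/file', "$Zone.dns")

# 3. Re-apply the "allow zone transfers to the following servers" list that
#    the question saw disappear: the NT box plus the two new secondaries.
Invoke-DnsCmd (@($NewPrimary, '/ZoneResetSecondaries', $Zone, '/SecureList', $NtServerIP) + $SecondaryIPs)

# 4. Have each secondary pull from the new primary now rather than waiting
#    for the SOA refresh interval.
foreach ($server in $Secondaries) {
    Invoke-DnsCmd @($server, '/ZoneRefresh', $Zone)
}
```

A file-backed standard primary no longer replicates through AD and cannot use secure-only dynamic updates, so step 2 is the one to think about before running.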

RE: [ActiveDir] a bit OT: vbscript to vb.net

2003-12-12 Thread Roger Seielstad
It's not impossible, but it's not as easy as just compiling it. They're really
fairly different languages, they just share a common base.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Mike Baudino [mailto:[EMAIL PROTECTED] 
> Sent: Friday, December 12, 2003 9:34 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] a bit OT: vbscript to vb.net
> 
> 
> 
> 
> 
> 
> All,
> 
> How difficult is it to take vbscript code and convert it to 
> compiled vb.net
> code?  We're discussing automating many functions and would 
> prefer to use
> compiled code in order to eliminate improper/unexpected 
> modification to the
> code.
> 
> 
> Thanks,
> Mike Baudino
> 
> 
> 


RE: [ActiveDir] What is your favorite scripting language?

2003-12-12 Thread Roger Seielstad
Sliding off topic a bit more here.. Why? What's it buy you that perl and
VBScript don't?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Hutchins, Mike [mailto:[EMAIL PROTECTED] 
> Sent: Friday, December 12, 2003 9:58 AM
> To: [EMAIL PROTECTED]
> Cc: Roger Seielstad
> Subject: RE: [ActiveDir] What is your favorite scripting language?
> 
> 
> I use python a lot of the time actually. :-)
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
> Sent: Friday, December 12, 2003 7:31 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] What is your favorite scripting language?
> 
> BS
> 
> I find it interesting that Python is third, behind perl and VBScript.
> I've not seen a lot of references to Python on Windows platforms.
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: Robbie Allen (rallen) [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, December 11, 2003 8:52 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] What is your favorite scripting language?
> > 
> > 
> > O'Reilly is hosting a poll for the most popular scripting 
> language on 
> > the Windows platform.  To vote for your favorite language, 
> visit the 
> > O'Reilly website (http://www.oreilly.com/) and look on the 
> right side 
> > of the page under O'Reilly Poll.
> > 
> > FYI, Perl has the early lead and no I didn't vote twice :-)
> > 
> > Regards,
> > Robbie Allen
> > http://www.rallenhome.com/


RE: [ActiveDir] What is your favorite scripting language?

2003-12-12 Thread Roger Seielstad
It's got a lot of, well, interesting features to it, and it supports some
object types that aren't available in VBScript.

And it's cross-platform, which makes it handy to know.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Rich Milburn [mailto:[EMAIL PROTECTED] 
> Sent: Friday, December 12, 2003 10:29 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] What is your favorite scripting language?
> 
> 
> I'm afraid to ask... but... why is Perl the preferred 
> language (besides "it
> works on Unix/Linux")?
> 
> Rich
> 
> -Original Message-
> From: Joe [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, December 11, 2003 10:13 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] What is your favorite scripting language?
> 
> But I did :oP
> 
>   joe
> 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
> (rallen)
> Sent: Thursday, December 11, 2003 8:52 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] What is your favorite scripting language?
> 
> O'Reilly is hosting a poll for the most popular scripting 
> language on the
> Windows platform.  To vote for your favorite language, visit 
> the O'Reilly
> website (http://www.oreilly.com/) and look on the right side 
> of the page
> under O'Reilly Poll.
> 
> FYI, Perl has the early lead and no I didn't vote twice :-)
> 
> Regards,
> Robbie Allen
> http://www.rallenhome.com/


RE: [ActiveDir] Delegation of control for WINS

2003-12-12 Thread Roger Seielstad
We keep the DC/DNS boxes as single purpose, but in the sites with WINS, I'm
usually using a single box for WINS, DHCP, and often running our Web Content
Filtering application.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: W2K List [mailto:[EMAIL PROTECTED] 
> Sent: Friday, December 12, 2003 12:06 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Delegation of control for WINS
> 
> 
> Rocky,
> 
> I run WINS on my DCs with no problem.  My reasoning was to eliminate two
> machines from our infrastructure.  We have one site with 3 domain
> controllers and about 4000 users.
> 
> Dennis 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
> Sent: Friday, December 12, 2003 10:31 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Delegation of control for WINS
> 
> This message is for Joe.
> Dear Joe,
> 
> I was surprised to not see you mention, in this thread, anything about
> whether or not you should run WINS on a DC.  Could you please 
> just tell
> me
> if you are doing it?  I am trying to troubleshoot why turning 
> WINS on on
> a
> FSMO in a small Forest (2 DCs, 3 member servers, 5 Users) takes the DC
> offline.  It worked fine for two months, then I went home one Friday
> night
> and came in Monday and it stopped working.
> 
> I hope the Chicken Shack Broasted Chicken was good.  I need 
> you to keep
> your
> strength up ;-D
> 
> Rocky Habeeb
> Microsoft Systems Administrator
> James W. Sewall Company
> www.jws.com
> 
> 
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Gregoire Maux
> Sent: Thursday, December 04, 2003 8:11 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Delegation of control for WINS
> 
> 
> Dennis,
> 
> - If we are in the case that the WINS Server is also a DC, 
> what could be
> the
> solution?
> 
> Thanks & Regards
> 
> 
> Gregoire MAUX
> Network & Security Consultant
> 
> Schlumberger Network Solutions
> Mail:   [EMAIL PROTECTED]
> Phone:  + 33 (0)1 46 00 47 80
> Fax:+ 33 (0)1 46 00 44 83
> 
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of W2K List
> Sent: Thursday, December 04, 2003 2:56 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Delegation of control for WINS
> 
> 
> To manage a WINS server, the user has to be a local 
> administrator on the
> WINS box.  As long as your WINS servers are not domain 
> controllers, this
> is not a problem.  If your domain controllers are performing 
> double duty
> as WINS servers well
> 
> You might consider standing up one member server as a WINS 
> server.  Any
> local admins on this machine will be able to manage WINS from this
> server.
> 
> Dennis
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gregoire Maux
> Posted At: Wednesday, December 03, 2003 7:57 AM
> Posted To: W2K List
> Conversation: [ActiveDir] Delegation of control for WINS
> Subject: [ActiveDir] Delegation of control for WINS
> 
> Dennis and members,
> 
> - I saw in the ActiveDir archives that you asked (see the mail below) if it
> is possible to have an account dedicated to WINS administration. At that
> time, you did not receive any clear answer on that.
> - Could you please tell what you did in fact? What access rights did you
> give to the people in charge of the WINS service?
> 
> - One more question: I am wondering if you still have many WINS Servers in
> your architecture or if you reduced their number, as some other
> administrators strongly suggest you do.
> 
> - Many thanks in advance for your help.
> 
> > > > > > -Original Message-
> > > > > > From: Dennis Meyer [mailto:[EMAIL PROTECTED]
> > > > > > Sent: Friday, October 11, 2002 12:43 PM
> > > > > > To: '[EMAIL PROTECTED]'
> > > > > > Subject: [ActiveDir] WINS administration
> > > > > >
> > > > > >
> > > > > > Anyone:
> > > > > > We would like to control who has the ability to make
> > > > > > modifications to WINS, like adding static entries,
> > tombstoning
> > > > > > bad records,etc.  We have deployed Active
> > Directory DC's to
> > > > > > several nationwide offices and want to be able to
> > delegate this
> > > > > > control to local administrators without making them a domain
> > > > > > admin.  There is a built in group called DNS Admins
> > that allows
> > > > > > this kind of functionality and you can set 
> permissions on DNS
> > > > > > zones so that only certain accounts can add/delete zone
> > > > > > entries...etc. but there is no
> > > > > > corresponding WINS admin group.   Does anyone know of a way
> > > > > > to accomplish this kind of delegation of control for WINS?
> > > > > >
> 

RE: [ActiveDir] User setup question.

2003-12-16 Thread Roger Seielstad
There are a number of automatic profile creation tools - such as autoprof -
that will do that, with varying degrees of ease.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: John Parker [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, December 16, 2003 9:41 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: [ActiveDir] User setup question.
> 
> 
> Morning all!
> 
> Is there a way I can setup outlook (Exchange server name, 
> View style etc.) automatically when the new user logs in on 
> 2000 or XP.
> 
> I am thinking that there must be some way to utilize group 
> policy for this.
> 
> Any help?
> 
> 
> 
> John Parker, MCSE
> IS Admin.
> Senior Technical Specialist
> Alpha Display Systems.
> 
> Alpha Video
> 7711 Computer Ave.
> Edina, MN. 55435
>  
> 952-896-9898 Local
> 800-388-0008 Watts
> 952-896-9899 Fax
> 612-804-8769 Cell
> 952-841-3327 Direct
> 
> [EMAIL PROTECTED]
> "Be excellent to each other"
> ---End of Line---
> 
> 
> 
> 
> -Original Message-
> From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 16, 2003 8:23 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AD replication, RPC server unavailable
> 
> 
> To help eliminate the island effect, I leave all my DC's, 
> which are also DNS
> Servers pointing to other DNS Servers at all times.  I found 
> that this will
> prevent the island effect.
> 
>  -Original Message-
> From: Mulnick, Al [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, December 16, 2003 9:07 AM
> To:   '[EMAIL PROTECTED]'
> Subject:  RE: [ActiveDir] AD replication, RPC server unavailable
> 
> Nice thing about netdiag is that you can run it with the /fix 
> switch and
> often get some good results :)   
> 
> One thing to remember is the idea of the "island" effect.  When first
> configuring your DC, be sure the primary DNS server is one of 
> your other
> DC's until replication finishes.  You also want to be sure that on
> promotion, that DCPROMO puts the DNS records in their place, 
> meaning that
> DNS allows dynamic updates for that zone and that you have a 
> reverse zone in
> place prior (not really necessary, but much neater).
> 
> 
> Al
> 
> 
> 
> -Original Message-
> From: Bruce Clingaman [mailto:[EMAIL PROTECTED] 
> Sent: Monday, December 15, 2003 5:42 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD replication, RPC server unavailable
> 
> dcdiag and netdiag are giving dns config errors.
> I'll be checking thru my dns entries again.
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
> Sent: Monday, December 15, 2003 4:23 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AD replication, RPC server unavailable
> 
> 
> Did you check DCDIAG to see what errors get thrown?
> 
> Al
> 
> -Original Message-
> From: Bruce Clingaman [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 15, 2003 5:17 PM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] AD replication, RPC server unavailable
> 
> 
> I just added a third DC to my domain. The Sysvol would not 
> replicate to DC3
> until after I manually added an A record in the DNS.
> In sites and services on DC3, I initiate replication from DC1 
> and 2 to DC3,
> it gives "The following error occurred when trying to contact 
> the domain
> controller DC3: the RPC server is unavailable."  DC3 cannot 
> contact DC3. DC3
> dns settings look right to me. All DCs point to DC1 as primary.
> 
> Also, in the AD | FRS | Domain Sysvol, DC3 does not appear in 
> the list.
> 
> Events:
> FRS- 13516,13509,13562,13508
> DNS- 6702
> 
> What do I need to check next?
> 
> thanks.
> 

RE: [ActiveDir] DC IP Address

2003-12-18 Thread Roger Seielstad
It's more or less scriptable with netsh, too...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Ben Schorr [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, December 17, 2003 8:22 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DC IP Address
> 
> 
> And if it is a WINS or DNS server that highlights a good 
> reason for using DHCP to hand out IP information from a 
> central location; rather than hard-coding that information at 
> each workstation.
> 
> Making these kinds of changes is much easier with DHCP.
> 
> -Ben-
> Ben M. Schorr, MVP-OneNote, CNA, MCPx4
> Director of Information Services
> Damon Key Leong Kupchak Hastert
> http://www.hawaiilawyer.com
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> Sent: Wednesday, December 17, 2003 2:17 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DC IP Address
> 
> Shouldn't be a huge issue unless 
> 
> 1. It is a WINS Server
> 2. It is a DNS Server
> 
> In those cases you will need to repoint any machines hard 
> coded to the old IP.
> 
> Other than that, once the ip changes, make sure it gets 
> updated in DNS/WINS ok and verify that the IP address is 
> assigned to the proper site.
> 
>   joe
> 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> George Arezina
> Sent: Tuesday, December 16, 2003 3:25 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] DC IP Address
> 
> Hi guys,
> Can anyone tell me if they had a problem after changing the 
> ip address on a DC? What we are facing is a major network 
> reconstruction, and the network address scheme may change. 
> Therefore, I may need to change an ip address of a DC already 
> in function.
> Thanks.
> 
>   
> George Arezina
> BA, A+, Net+, MCSE 2000
> Information Technology Consultant
> National Bank of Serbia
> Pop Lukina 7-9, 11000 Belgrade.
> P E-mail: [EMAIL PROTECTED]
> @ Phone:+381 (11) 3202-474
>   GSM:  +381 (63)  342-321
>  
> 
> 
> 


RE: [ActiveDir] net time

2003-12-19 Thread Roger Seielstad
That would appear to be working correctly.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
> -Original Message-
> From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 19, 2003 12:55 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] net time
> 
> That is the thing, all my other DCs point to a DC that is not configured as
> the Authoritative Time Source
> 
> For Example
> 
> DC1
> DC2 - PDCE
> DC3
> 
> DC2 is set to time.windows.com
> 
> Run a net time /set on DC3 and it asks if you want to reset the clock to the
> one on DC1
> 
> Net time /querysntp on DC3 and DC1 returns that the sntp is not configured
> 
> Net time on DC3, DC2 and DC1 shows the time on DC1
> 
> -Original Message-
> From: Celone, Mike [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 19, 2003 12:45 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] net time
> 
> That's the way it's supposed to work.  All your DCs will act as time servers
> and your clients will synch with them.  They just synch their time with the
> PDC-E which should be set to use an outside time service.
> 
> Mike Celone
> Systems Specialist
> Radio Frequency Systems
> v 203-630-3311 x1031
> f 203-634-2027
> m 203-537-2406
> 
> -Original Message-
> From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 19, 2003 12:38 PM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] net time
> 
> Everyone,
> 
> I have my PDC Emulator on a server that is set to a SNTP server on the web,
> however all my other servers when I type in net time /set point to a
> different server that holds no roles what so ever for AD, it is just a DC.
> 
> What am I doing wrong.
> 
> Justin A. Salandra, MCSE
> Senior Network Engineer
> Catholic Healthcare System
> 212.752.7300 - office
> 917.455.0110 - cell
> [EMAIL PROTECTED]


RE: [ActiveDir] inactive computers question

2003-12-22 Thread Roger Seielstad
I'd still use the last password set date.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
> -Original Message-
> From: Rich Milburn [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 22, 2003 11:00 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] inactive computers question
> 
> I know that dsquery and dsrm are good for AD2003 environments to find and
> remove inactive computer accounts in AD, as is Robbie's script.  Someone on
> the SMS list has AD 2000 though, dsquery doesn't work, and Robbie's script is
> returning nothing.  Even if the info is not easily convertible to a date,
> seems like you should be able to sort by a column in a csvde export and see
> the same information - i.e. sort by pwdLastSet?  Any ideas?  It looked like
> lastLogonTimestamp might be a good one... but alas that's new with 2003 so
> that's no good for him.  The main source of my confusion is that dsquery and
> a sort by pwdLastSet do not show the same computers as being inactive the
> longest.
> 
> Thanks
> Rich
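The thread leaves the pwdLastSet conversion as an exercise. The script below is an added example (editor's code, not from the thread and not Robbie's script): it reads a csvde-style export, converts pwdLastSet from the Windows FILETIME format (100-nanosecond ticks since 1 January 1601 UTC) into a date, and lists the computer accounts whose password is older than a cut-off. It assumes the export has "DN" and "pwdLastSet" columns (csvde names the first column DN), the sample rows are constructed, and the 90-day threshold is this example's assumption, chosen because a domain member normally rotates its machine password every 30 days.

```python
"""Find inactive computer accounts in a csvde export by pwdLastSet.

Added example, not from the thread or from Robbie's script. Assumes a
csvde export with "DN" and "pwdLastSet" columns; the rows further down
are constructed sample data.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet (and lastLogonTimestamp) as a Windows FILETIME:
# 100-nanosecond ticks since 1601-01-01 00:00:00 UTC. 0 means "never set".
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count (int or csvde string) to a UTC datetime.

    Returns None for 0 (never set) and for the 'never expires' sentinel.
    """
    ticks = int(ticks)
    if ticks <= 0 or ticks == 0x7FFFFFFFFFFFFFFF:
        return None
    # Drop the sub-microsecond digit; timedelta cannot represent 100 ns.
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here to build the sample export."""
    delta = dt.astimezone(timezone.utc) - _FILETIME_EPOCH
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10


def stale_computers(csv_text, as_of, max_age_days=90):
    """Return [(dn, age_in_days)] for computers whose password is older than
    max_age_days as of `as_of`, oldest first. Accounts that never set a
    password are listed first with age None. The 90-day default is this
    example's assumption (machines rotate their password every 30 days)."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # An absent attribute exports as an empty field; treat it as never set.
        when = filetime_to_datetime(row.get("pwdLastSet") or 0)
        if when is None:
            flagged.append((row["DN"], None))
        elif (as_of - when).days > max_age_days:
            flagged.append((row["DN"], (as_of - when).days))
    # Never-set first, then descending age.
    flagged.sort(key=lambda r: (r[1] is not None, -(r[1] or 0)))
    return flagged


# Constructed sample export, dated to the thread (22 Dec 2003).
AS_OF = datetime(2003, 12, 22, tzinfo=timezone.utc)


def _ft(year, month, day):
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


SAMPLE_EXPORT = "DN,objectClass,pwdLastSet\n" + "\n".join([
    f'"CN=WS001,OU=Workstations,DC=example,DC=local",computer,{_ft(2003, 12, 10)}',
    f'"CN=WS002,OU=Workstations,DC=example,DC=local",computer,{_ft(2003, 6, 1)}',
    '"CN=WS003,OU=Workstations,DC=example,DC=local",computer,0',
    f'"CN=OLDSRV,OU=Servers,DC=example,DC=local",computer,{_ft(2003, 8, 15)}',
    f'"CN=SRV01,OU=Servers,DC=example,DC=local",computer,{_ft(2003, 11, 1)}',
]) + "\n"


if __name__ == "__main__":
    for dn, age in stale_computers(SAMPLE_EXPORT, AS_OF):
        label = "password never set" if age is None else str(age) + " days"
        print(dn + ": " + label)
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents and AS_OF with the current UTC time. On why the two views disagree: dsquery computer -inactive keys on lastLogonTimestamp, while its -stalepwd switch and the sort above key on pwdLastSet, so the two orderings need not match; on a Windows 2000 domain only pwdLastSet is available, and it is a reasonable inactivity signal because a member that has not rotated its password in months has not been talking to the domain.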


RE: [ActiveDir] Upgrading computers and computer objects

2003-12-29 Thread Roger Seielstad
Actually, removing a computer from the domain on the client side (i.e.
changing its domain membership to a workgroup) does NOT remove the machine
account from AD (nor did it remove the account in NT4 domains). No domain
rights are required to remove a machine from the domain - you can prove this
by using the local admin account of a machine to remove it from the domain.
Local admin has no domain rights, yet you can remove the machine from the
domain.

The only action I know of which will remove the computer account
automatically is running DCPromo to remove a DC.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Rich Milburn [mailto:[EMAIL PROTECTED] 
> Sent: Monday, December 29, 2003 9:32 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
> 
> 
> Irwan, forgive me if I read you wrong... 
> 
> I think what he's asking is about leaving the computer 
> accounts in AD or
> deleting them.  When you remove the computer from the domain 
> (like join it
> to a workgroup) it removes the computer account from the 
> domain.  Or you can
> turn the computer off and delete the account forcefully with 
> ADUC or dsrm or
> whatever.  Or you can reset the account - something I've rarely used,
> because I didn't know what the difference was from deleting 
> the account and
> adding the new computer with the same name.
> 
> Rich
> 
> -Original Message-
> From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
> Sent: Sunday, December 28, 2003 1:32 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
> 
> Irwan,
> 
> I would concur that option two is the most successful method, from my
> experience.  For all intents and purposes, the Computer object is a
> derivative of the User object and has a SID associated with 
> it.  Simply
> naming a computer the same as an existing object will not 
> yield the desired
> result, and will often cause unpredictable results. 
> 
> I might not be reading the options correctly, but I see 
> option one and three
> as the same.
> 
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
> WebLog - www.msmvps.com/willhack4food
>   
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Irwan Hadi
> Sent: Sunday, December 28, 2003 7:29 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Upgrading computers and computer objects
> 
> I'm curious what is the best practice or recommended way for 
> the following
> case:
> I have several computers that are joined to the domain, and 
> I'm going to
> upgrade some of these computers with a different computer 
> (newer), though the
> UNC name of these computers will remain the same.
> Should I:
> 1. Remove the old computers from the domain, install the new 
> computers, and
> join them to the domain?
> 2. Since there are several computers, can I just delete the 
> corresponding
> computer objects in the ADUC, install the new computers, and 
> join them to
> the domain?
> 3. Just put the new computers in place, and join them with 
> the same name?
> 
> So far, I'm doing the second way, because I think it is the 
> cleanest way.
> 
> Thanks

RE: [ActiveDir] Upgrading computers and computer objects

2003-12-29 Thread Roger Seielstad
I've only been prompted for credentials when joining a domain, not when
leaving one. And those are always for the new domain, not the old.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Rich Milburn [mailto:[EMAIL PROTECTED] 
> Sent: Monday, December 29, 2003 10:38 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
> 
> 
> You know... it's one of those things I rarely bother to do 
> because I do #2
> below, and the couple of times I have done it, I've never 
> checked to see if
> the account was gone.  Seems like you _should_ need domain 
> privs to remove a
> computer from the domain, and it _should_ delete the computer 
> account... now
> that you mention it I have "removed" computers from the 
> domain without being
> able to contact the DC.  What's the point of asking for an 
> account that can
> remove it from the domain, if you have to be an admin to get 
> that far in the
> first place? (though I've never tried switching to workgroup 
> as a non-admin
> account so maybe it will let you try to remove the computer 
> from the domain
> as a regular user and just ask for an admin account?)
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
> Sent: Monday, December 29, 2003 8:58 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
> 
> Actually, removing a computer from the domain on the client side (i.e.
> changing its domain membership to a workgroup) does NOT 
> remove the machine
> account from AD (nor did it remove the account in NT4 
> domains). No domain
> rights are required to remove a machine from the domain - you 
> can prove this
> by using the local admin account of a machine to remove it 
> from the domain.
> Local admin has no domain rights, yet you can remove the 
> machine from the
> domain.
> 
> The only action I know of which will remove the computer account
> automatically is running DCPromo to remove a DC.
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: Rich Milburn [mailto:[EMAIL PROTECTED] 
> > Sent: Monday, December 29, 2003 9:32 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Upgrading computers and computer objects
> > 
> > 
> > Irwan, forgive me if I read you wrong... 
> > 
> > I think what he's asking is about leaving the computer 
> > accounts in AD or
> > deleting them.  When you remove the computer from the domain 
> > (like join it
> > to a workgroup) it removes the computer account from the 
> > domain.  Or you can
> > turn the computer off and delete the account forcefully with 
> > ADUC or dsrm or
> > whatever.  Or you can reset the account - something I've 
> rarely used,
> > because I didn't know what the difference was from deleting 
> > the account and
> > adding the new computer with the same name.
> > 
> > Rich
> > 
> > -Original Message-
> > From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
> > Sent: Sunday, December 28, 2003 1:32 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Upgrading computers and computer objects
> > 
> > Irwan,
> > 
> > I would concur that option two is the most successful 
> method, from my
> > experience.  For all intents and purposes, the Computer object is a
> > derivative of the User object and has a SID associated with 
> > it.  Simply
> > naming a computer the same as an existing object will not 
> > yield the desired
> > result, and will often cause unpredictable results. 
> > 
> > I might not be reading the options correctly, but I see 
> > option one and three
> > as the same.
> > 
> > Rick Kingslan  MCSE, MCSA, MCT
> > Microsoft MVP - Active Directory
> > Associate Expert
> > Expert Zone - www.microsoft.com/windowsxp/expertzone
> > WebLog - www.msmvps.com/willhack4food
> >   
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Irwan Hadi
> > Sent: Sunday, December 28, 2003 7:29 AM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Upgrading computers and computer objects
> > 
> > I'm curious what is the best practice or recommended way for 
> > the following
> >

RE: [ActiveDir] Upgrading computers and computer objects

2003-12-29 Thread Roger Seielstad
Wow. Never saw that before.

I'll have to play with my crashbox a bit later. Maybe it's just because I
usually rebuild the box then worry about the domain account later...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Rich Milburn [mailto:[EMAIL PROTECTED] 
> Sent: Monday, December 29, 2003 11:02 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
> 
> 
> Just tried it, XP SP1 on a 2003 domain, Network 
> Identification, switched
> from domain member to workgroup member:
> 
> Enter the name and password of an account with permission to 
> remove this
> computer from the domain.
> 
> User name:
> 
> Password:
> 
> This is while logged in as a domain admin.  It seems to be fairly new
> behavior, I can't recall if AD 2000 did this or not.  It 
> might be an XP
> thing.
> 
> Rich
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
> Sent: Monday, December 29, 2003 9:41 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
> 
> I've only been prompted for credentials when joining a 
> domain, not when
> leaving one. And those are always for the new domain, not the old.
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: Rich Milburn [mailto:[EMAIL PROTECTED] 
> > Sent: Monday, December 29, 2003 10:38 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Upgrading computers and computer objects
> > 
> > 
> > You know... it's one of those things I rarely bother to do 
> > because I do #2
> > below, and the couple of times I have done it, I've never 
> > checked to see if
> > the account was gone.  Seems like you _should_ need domain 
> > privs to remove a
> > computer from the domain, and it _should_ delete the computer 
> > account... now
> > that you mention it I have "removed" computers from the 
> > domain without being
> > able to contact the DC.  What's the point of asking for an 
> > account that can
> > remove it from the domain, if you have to be an admin to get 
> > that far in the
> > first place? (though I've never tried switching to workgroup 
> > as a non-admin
> > account so maybe it will let you try to remove the computer 
> > from the domain
> > as a regular user and just ask for an admin account?)
> > 
> > -Original Message-
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
> > Sent: Monday, December 29, 2003 8:58 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] Upgrading computers and computer objects
> > 
> > Actually, removing a computer from the domain on the client 
> side (i.e.
> > changing its domain membership to a workgroup) does NOT 
> > remove the machine
> > account from AD (nor did it remove the account in NT4 
> > domains). No domain
> > rights are required to remove a machine from the domain - you 
> > can prove this
> > by using the local admin account of a machine to remove it 
> > from the domain.
> > Local admin has no domain rights, yet you can remove the 
> > machine from the
> > domain.
> > 
> > The only action I know of which will remove the computer account
> > automatically is running DCPromo to remove a DC.
> > 
> > --
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> > 
> > 
> > > -Original Message-
> > > From: Rich Milburn [mailto:[EMAIL PROTECTED] 
> > > Sent: Monday, December 29, 2003 9:32 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Upgrading computers and computer objects
> > > 
> > > 
> > > Irwan forgive me if I read you wrong... 
> > > 
> > > I think what he's asking is about leaving the computer 
> > > accounts in AD or
> > > deleting them.  When you remove the computer from the domain 
> > > (like join it
> > > to a workgroup) it removes the computer account from the 
> > > domain.  Or you can
> > > turn the computer off and delete the account forcefully with 
> > > ADUC or dsrm or
> > > whatever.  Or you can reset the account - something I've 
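
Where this exchange stalls is what "reset account" buys you over deleting the object and rejoining. The PowerShell below is an added example and not anything posted to the list; it assumes the RSAT ActiveDirectory module, a DC called dc1.example.com and a computer called WS01, all placeholders. It snapshots the computer object, repairs the secure channel from the client side (the scripted equivalent of "reset account" followed by a re-key, needing only rights on that one computer object rather than domain admin), then confirms that the SID is unchanged. Delete-and-rejoin fails that last check by design: the new object has a new SID, so every group membership and every ACE that named the old SID is gone.

```powershell
# Added example (not from the thread). Placeholders: dc1.example.com, WS01.
# Parts 1 and 3 run from an admin workstation with RSAT; part 2 runs on WS01
# itself, as its local administrator.
Import-Module ActiveDirectory

$dc   = 'dc1.example.com'
$name = 'WS01'

function Get-ComputerSnapshot {
    param([string]$ComputerName, [string]$Server)
    $c = Get-ADComputer -Identity $ComputerName -Server $Server -Properties pwdLastSet, memberOf
    [pscustomobject]@{
        SID        = $c.SID.Value
        PwdLastSet = [DateTime]::FromFileTime($c.pwdLastSet)   # pwdLastSet is a FILETIME
        GroupCount = @($c.memberOf).Count
        DN         = $c.DistinguishedName
    }
}

# --- Part 1: what the object looks like before anything is touched ---
$before = Get-ComputerSnapshot -ComputerName $name -Server $dc
$before | Format-List

# --- Part 2 (on WS01, as its local administrator) ---
# Test-ComputerSecureChannel -Repair re-keys the EXISTING account. This is the
# client half of what "Reset Account" in ADUC (or: dsmod computer <DN> -reset)
# does from the server side. Only rights on that computer object are needed.
if (-not (Test-ComputerSecureChannel -Server $dc)) {
    $cred = Get-Credential -Message "Account allowed to reset the $name computer object"
    if (Test-ComputerSecureChannel -Repair -Server $dc -Credential $cred) {
        Write-Host 'Secure channel re-established.'
    }
}

# --- Part 3: prove it is still the same object ---
$after = Get-ComputerSnapshot -ComputerName $name -Server $dc
if ($after.SID -eq $before.SID) {
    Write-Host "Same SID $($after.SID); pwdLastSet moved from $($before.PwdLastSet) to $($after.PwdLastSet)."
} else {
    # This branch is what delete + rejoin produces: new SID, memberships gone.
    Write-Warning "SID changed $($before.SID) -> $($after.SID); group count $($before.GroupCount) -> $($after.GroupCount)."
}
```

The repair path is also the one to use when a machine has been restored from an image or snapshot taken before its last machine-password rotation, which is the usual way a secure channel actually ends up out of sync.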

RE: [ActiveDir] Policy to distribute domain wide HOSTS file

2003-12-30 Thread Roger Seielstad
There isn't a way to do that per se, but I don't think that's a bad thing.

What's the reason for adding a hosts file entry rather than fixing DNS?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Dolphin, Jeff [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, December 30, 2003 11:44 AM
> To: 'ActiveDir ([EMAIL PROTECTED])
> Subject: [ActiveDir] Policy to distribute domain wide HOSTS file
> 
> 
> Either I've been hit with the stupid stick or I'm looking in the wrong
> place!  Can anyone assist me in creating a policy to add an 
> entry to the
> HOSTS file on our domain computers?  Thank you for any help...
> 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Policy to distribute domain wide HOSTS file

2003-12-30 Thread Roger Seielstad
You really need to set up split DNS for mycompany.org

Just add a zone (AD integrated is fine) for mycompany.org on your internal
DNS servers, and add A records for www and intranet pointing to the
appropriate IP's.

You don't want to go down the hosts file road - that makes troubleshooting
impossible down the line.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
> -Original Message-
> From: Dolphin, Jeff [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 30, 2003 12:17 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Policy to distribute domain wide HOSTS file
>
> Sure...We have an in-house domain (inside.local) and we also own a
> registered domain (mycompany.org). People needing the company website go
> to www.mycompany.org. This is hosted by our ISP. Recently we developed and
> began hosting a company intranet in-house (using 1 to 1 NAT back to an
> Apple G4). Employees on the internet can access the in-house intranet
> using "intranet.mycompany.org". Users on the LAN can access the intranet
> using "intranet.inside.local". The webmaster is complaining that he has to
> make two sets of links and lists etc...one for users in-house and one for
> users on the outside. He would like it if in-house employees could be
> able to access the intranet at "intranet.mycompany.org". I did some
> reading on split DNS etc...but I don't think that is feasible at this
> time. Adding a line in the HOSTS file for "intranet.mycompany.org" does
> the trick. But going around to every workstation is out of the question
> for now.
>
> > -Original Message-
> > From: deji Agba [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, December 30, 2003 9:05 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Policy to distribute domain wide HOSTS file
> >
> > What would be the purpose? Maybe letting us in on your line of thoughts
> > would make it easier for someone to help you with this or recommend an
> > alternative.
> >
> > Sincerely,
> > Dèjì Akómöláfé, MCSE MCSA MCP+I
> > www.akomolafe.com
> > www.iyaburo.com
> > Do you now realize that Today is the Tomorrow you were worried about
> > Yesterday?  -anon
> >
> > > From: Dolphin, Jeff
> > > Sent: Tue 12/30/2003 8:43 AM
> > > To: 'ActiveDir ([EMAIL PROTECTED])
> > > Subject: [ActiveDir] Policy to distribute domain wide HOSTS file
> > >
> > > Either I've been hit with the stupid stick or I'm looking in the wrong
> > > place!  Can anyone assist me in creating a policy to add an entry to the
> > > HOSTS file on our domain computers?  Thank you for any help...



RE: [ActiveDir] Policy to distribute domain wide HOSTS file

2003-12-30 Thread Roger Seielstad
Actually, let me amend that. You need to add the appropriate records into
the internal copy of the zone to allow for any internal access. In other
words, you probably also need to account for MX records for mail delivery,
as well as any other published resources that are used from inside the
company.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
> -Original Message-
> From: Roger Seielstad
> Sent: Tuesday, December 30, 2003 1:01 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Policy to distribute domain wide HOSTS file
>
> You really need to set up split DNS for mycompany.org
>
> Just add a zone (AD integrated is fine) for mycompany.org on your internal
> DNS servers, and add A records for www and intranet pointing to the
> appropriate IP's.
>
> You don't want to go down the hosts file road - that makes troubleshooting
> impossible down the line.
>
> Roger
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -Original Message-
> > From: Dolphin, Jeff [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, December 30, 2003 12:17 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] Policy to distribute domain wide HOSTS file
> >
> > Sure...We have an in-house domain (inside.local) and we also own a
> > registered domain (mycompany.org). People needing the company website
> > go to www.mycompany.org. This is hosted by our ISP. Recently we
> > developed and began hosting a company intranet in-house (using 1 to 1
> > NAT back to an Apple G4). Employees on the internet can access the
> > in-house intranet using "intranet.mycompany.org". Users on the LAN can
> > access the intranet using "intranet.inside.local". The webmaster is
> > complaining that he has to make two sets of links and lists etc...one
> > for users in-house and one for users on the outside. He would like it
> > if in-house employees could be able to access the intranet at
> > "intranet.mycompany.org". I did some reading on split DNS etc...but I
> > don't think that is feasible at this time. Adding a line in the HOSTS
> > file for "intranet.mycompany.org" does the trick. But going around to
> > every workstation is out of the question for now.
> >
> > > -Original Message-
> > > From: deji Agba [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, December 30, 2003 9:05 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Policy to distribute domain wide HOSTS file
> > >
> > > What would be the purpose? Maybe letting us in on your line of
> > > thoughts would make it easier for someone to help you with this or
> > > recommend an alternative.
> > >
> > > Sincerely,
> > > Dèjì Akómöláfé, MCSE MCSA MCP+I
> > > www.akomolafe.com
> > > www.iyaburo.com
> > > Do you now realize that Today is the Tomorrow you were worried about
> > > Yesterday?  -anon
> > >
> > > > From: Dolphin, Jeff
> > > > Sent: Tue 12/30/2003 8:43 AM
> > > > To: 'ActiveDir ([EMAIL PROTECTED])
> > > > Subject: [ActiveDir] Policy to distribute domain wide HOSTS file
> > > >
> > > > Either I've been hit with the stupid stick or I'm looking in the
> > > > wrong place!  Can anyone assist me in creating a policy to add an
> > > > entry to the HOSTS file on our domain computers?  Thank you for any
> > > > help...



RE: [ActiveDir] Policy to distribute domain wide HOSTS file

2003-12-30 Thread Roger Seielstad
We run something like 8-10 split zones, so missing something isn't
uncommon...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
> -Original Message-
> From: Rich Milburn [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 30, 2003 2:23 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Policy to distribute domain wide HOSTS file
>
> Nice save, I’ve been caught out by that… went to an internal DNS name,
> split DNS, and missed adding an alias that was in use in some Intranet
> apps and it broke the whole Intranet site… once you go to split DNS the
> server doesn’t forward to the external DNS for mycompany.org resolution
> anymore, so if it isn’t in your internal zone, it no longer exists to
> your internal devices.
>
> > -Original Message-
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, December 30, 2003 12:08 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Policy to distribute domain wide HOSTS file
> >
> > Actually, let me amend that. You need to add the appropriate records
> > into the internal copy of the zone to allow for any internal access. In
> > other words, you probably also need to account for MX records for mail
> > delivery, as well as any other published resources that are used from
> > inside the company.
> >
> > --
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >
> > > -Original Message-
> > > From: Roger Seielstad
> > > Sent: Tuesday, December 30, 2003 1:01 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Policy to distribute domain wide HOSTS file
> > >
> > > You really need to set up split DNS for mycompany.org
> > >
> > > Just add a zone (AD integrated is fine) for mycompany.org on your
> > > internal DNS servers, and add A records for www and intranet pointing
> > > to the appropriate IP's.
> > >
> > > You don't want to go down the hosts file road - that makes
> > > troubleshooting impossible down the line.
> > >
> > > Roger
> > > --
> > > Roger D. Seielstad - MTS MCSE MS-MVP
> > > Sr. Systems Administrator
> > > Inovis Inc.
> > >
> > > > -Original Message-
> > > > From: Dolphin, Jeff [mailto:[EMAIL PROTECTED]
> > > > Sent: Tuesday, December 30, 2003 12:17 PM
> > > > To: '[EMAIL PROTECTED]'
> > > > Subject: RE: [ActiveDir] Policy to distribute domain wide HOSTS file
> > > >
> > > > Sure...We have an in-house domain (inside.local) and we also own a
> > > > registered domain (mycompany.org). People needing the company
> > > > website go to www.mycompany.org. This is hosted by our ISP. Recently
> > > > we developed and began hosting a company intranet in-house (using
> > > > 1 to 1 NAT back to an Apple G4). Employees on the internet can
> > > > access the in-house intranet using "intranet.mycompany.org". Users
> > > > on the LAN can access the intranet using "intranet.inside.local".
> > > > The webmaster is complaining that he has to make two sets of links
> > > > and lists etc...one for users in-house and one for users on the
> > > > outside. He would like it if in-house employees could be able to
> > > > access the intranet at "intranet.mycompany.org". I did some reading
> > > > on split DNS etc...but I don't think that is feasible at this time.
> > > > Adding a line in the HOSTS file for "intranet.mycompany.org" does
> > > > the trick. But going around to every workstation is out of the
> > > > question for now.
> > > >
> > > > > -Original Message-
> > > > > From: deji Agba [mailto:[EMAIL PROTECTED]
> > > > > Sent: Tuesday, December 30, 2003 9:05 AM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: RE: [ActiveDir] Policy to distribute domain wide HOSTS file
> > > > >
> > > > > What would be the purpose? Maybe letting us in on your line of
> > > > > thoughts would make it easier for someone to help you with this
> > > > > or recommend an alternative.
> > > > >
> > > > > Sincerely,
> > > > > Dèjì Akómöláfé, MCSE MCSA MCP+I
> > > > > www.akomolafe.com
> > > > > www.iyaburo.com
> > > > > Do you now realize that Today is the Tomorrow you were worried
> > > > > about Yesterday?  -anon
> > > > >
> > > > > > From: Dolphin, Jeff
> > > > > > Sent: Tue 12/30/2003 8:43 AM
> > > > > > To: 'ActiveDir ([EMAIL PROTECTED])
> > > > > > Subject: [ActiveDir] Policy to distribute domain wide HOSTS file
> > > > > >
> > > > > > Either I've been hit with the stupid stick or I'm looking in the
> > > > > > wrong place!  Can anyone assist me in creating a policy to add an
> > > > > > entry to the HOSTS file on our domain computers?  Thank you for
> > > > > > any help...
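
Roger's recipe (an internal copy of mycompany.org with A records for www and intranet, then the MX and whatever else is published) and Rich's caveat (once the internal servers are authoritative for the zone they stop forwarding for it, so any public name nobody copied in is simply gone inside) can be scripted and checked in one go. The PowerShell below is an added example and not code from the thread. It assumes the DnsServer module on an internal DC; the public name server and the addresses are placeholders (203.0.113.53 for the ISP's server, 203.0.113.10 for www, 203.0.113.25 for mail, 192.168.10.20 for the intranet host on the LAN), and the list of names known to be published in the public zone is constructed for the example.

```powershell
# Added example (not from the thread). Run on an internal DC that runs DNS.
# Placeholders: 203.0.113.53 = ISP's public DNS server, 203.0.113.10 = www,
# 203.0.113.25 = mail, 192.168.10.20 = the intranet host on the LAN.
Import-Module DnsServer

$zone       = 'mycompany.org'
$publicNs   = '203.0.113.53'
$internalNs = '127.0.0.1'

# 1. The internal copy of the zone. From this point the internal servers are
#    authoritative for mycompany.org and will not forward anything under it.
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ReplicationScope 'Domain'
}

# 2. The records the thread calls for: www keeps the ISP's address, intranet
#    gets the LAN address instead of the 1:1 NAT one, and (Roger's amendment)
#    mail still has to route, so the apex MX and its A record come along.
Add-DnsServerResourceRecordA  -ZoneName $zone -Name 'www'      -IPv4Address '203.0.113.10'
Add-DnsServerResourceRecordA  -ZoneName $zone -Name 'intranet' -IPv4Address '192.168.10.20'
Add-DnsServerResourceRecordA  -ZoneName $zone -Name 'mail'     -IPv4Address '203.0.113.25'
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -MailExchange "mail.$zone" -Preference 10

# 3. Rich's failure mode: anything published publicly that nobody copied in.
#    Ask the public server and the internal server for the same names and
#    report what only the public side knows.
function Find-SplitDnsGap {
    param([string[]]$Labels, [string]$Zone, [string]$PublicServer, [string]$InternalServer)
    foreach ($label in $Labels) {
        $fqdn = "$label.$Zone"
        $ext  = Resolve-DnsName -Name $fqdn -Server $PublicServer   -DnsOnly -ErrorAction SilentlyContinue
        $int  = Resolve-DnsName -Name $fqdn -Server $InternalServer -DnsOnly -ErrorAction SilentlyContinue
        if ($ext -and -not $int) {
            [pscustomobject]@{ Name = $fqdn; PublicRecordType = $ext[0].Type }
        }
    }
    # The apex MX is not a label, so it gets its own check.
    $extMx = Resolve-DnsName -Name $Zone -Type MX -Server $PublicServer   -DnsOnly -ErrorAction SilentlyContinue
    $intMx = Resolve-DnsName -Name $Zone -Type MX -Server $InternalServer -DnsOnly -ErrorAction SilentlyContinue
    if ($extMx -and -not $intMx) {
        [pscustomobject]@{ Name = "$Zone (MX)"; PublicRecordType = 'MX' }
    }
}

# Constructed list for the example; build yours from the ISP's copy of the zone.
$knownPublicNames = 'www', 'intranet', 'mail', 'ftp', 'webmail'
$gaps = Find-SplitDnsGap -Labels $knownPublicNames -Zone $zone -PublicServer $publicNs -InternalServer $internalNs
if ($gaps) {
    Write-Warning 'These public names no longer resolve for internal clients:'
    $gaps | Format-Table -AutoSize
} else {
    Write-Host "Every known public name also resolves from the internal copy of $zone."
}
```

Run the gap check again whenever the public zone changes; the internal copy does not learn about new public records on its own, which is exactly the behaviour Rich ran into.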

RE: [ActiveDir] KCC complain for sites with 2 different domains

2004-01-05 Thread Roger Seielstad
I doubt that's the issue.

My best guess is a DNS issue - is company1's DNS server pulling a secondary
from company2's DNS?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Aaron Seet [mailto:[EMAIL PROTECTED] 
> Sent: Sunday, January 04, 2004 12:49 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] KCC complain for sites with 2 
> different domains
> 
> 
> The second DC belongs to company2 (in the other tree). The 
> event logs posted
> are from the DC of company1. company2 DC doesn't have these 
> complaints.
> 
> They are connected via persistent router-router VPN - 
> demand-dial interface
> in RRAS.
> 
> My question is, the cause is the fact there is no DC for 
> company1 in Site2,
> right?
> 
> 
> - Original Message - 
> From: "Mulnick, Al" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, January 02, 2004 10:27 PM
> Subject: RE: [ActiveDir] KCC complain for sites with 2 
> different domains
> 
> 
> I'm confused by the question.  There is a second DC.  The 
> entry says that
> site2 cannot replicate to site1.  Is that ok for your environment (I
> wouldn't think so)?
> 
> If they're part of the same forest, they need to share the 
> configuration
> partition.  If they can't, then the KCC is going to complain and other
> issues may or may not arise in your environment.  Better to fix it.
> 
> 
> Is your VPN always on?
> 
> Does this answer the question?
> 
> 


RE: [ActiveDir] KCC complain for sites with 2 different domains

2004-01-06 Thread Roger Seielstad
That seems to be how I'd set it up as well.

There's no reason (nor will it do any good) to change the zones to AD
integrated.

I'm at a loss at this point...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Aaron Seet [mailto:[EMAIL PROTECTED] 
> Sent: Monday, January 05, 2004 10:45 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] KCC complain for sites with 2 
> different domains
> 
> 
> The TCP/IP DNS properties are setup like
> 
> dc1.corporate.company1.com:
> 1. itself (192.168.252.4)
> 2. dc1.corporate.company2.com (192.168.1.12)
> 
> dc1.corporate.company2.com:
> 1. itself (192.168.1.12)
> 2. dc1.corporate.company1.com (192.168.252.4)
> 
> 
> Zone "corporate.company1.com" is in AD with 
> dc1.corporate.company1.com while
> dc1.corporate.company2.com has plain-text secondary, pulling from
> dc1.corporate.company1.com.
> 
> Zone "corporate.company2.com" is in AD with 
> dc1.corporate.company2.com while
> dc1.corporate.company1.com has plain-text secondary, pulling from
> dc1.corporate.company2.com.
> 
> 
> dc1.corporate.company2.com is also a GC.
> 
> From your hint, I should make corporate.company1.com an AD 
> zone as well
> inside corporate.company2.com's AD repository, and vice versa. Is this
> correct?
> 
> 
> Regards,
> Aaron
> 
> - Original Message - 
> From: "Roger Seielstad" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, January 05, 2004 8:58 PM
> Subject: RE: [ActiveDir] KCC complain for sites with 2 
> different domains
> 
> 
> I doubt that's the issue.
> 
> My best guess is a DNS issue - is company1's DNS server 
> pulling a secondary
> from company2's DNS?
> 
> 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
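
Roger's guess is DNS, and the thread ends without anyone checking the two things the KCC actually depends on here. The PowerShell below is an added example, not code from the thread; it is meant to run on dc1.corporate.company1.com with the RSAT ActiveDirectory and DnsServer modules, and uses Aaron's zone and host names. It checks that the plain-text secondary of the other domain's zone is still alive (a secondary that cannot refresh across the VPN expires and then fails every lookup in it), resolves the GUID-based _msdcs names the KCC uses for each replication partner, and confirms the other domain's DC locator SRV records are visible.

```powershell
# Added example (not from the thread). Run on dc1.corporate.company1.com with
# the RSAT ActiveDirectory and DnsServer modules. Zone/host names are Aaron's.
Import-Module ActiveDirectory
Import-Module DnsServer

$partnerZone = 'corporate.company2.com'

# 1. Is the plain-text secondary of the other domain's zone alive? A secondary
#    that cannot refresh from its master across the VPN eventually expires
#    (IsShutdown) and the server then answers SERVFAIL for every name in it.
$sec = Get-DnsServerZone -Name $partnerZone
[pscustomobject]@{
    Zone          = $sec.ZoneName
    Type          = $sec.ZoneType
    MasterServers = ($sec.MasterServers -join ', ')
    Expired       = $sec.IsShutdown
} | Format-List

# 2. The KCC addresses replication partners as <NTDS Settings GUID>._msdcs.<forest root>,
#    never by hostname. Resolve exactly what it will ask for, for every partner.
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -PartnerType Both |
    ForEach-Object {
        $cname  = Resolve-DnsName -Name $_.PartnerAddress -Type CNAME -DnsOnly -ErrorAction SilentlyContinue
        $target = ($cname | Where-Object Type -eq 'CNAME' | Select-Object -First 1).NameHost
        $addr   = $null
        if ($target) {
            $addr = (Resolve-DnsName -Name $target -Type A -DnsOnly -ErrorAction SilentlyContinue |
                     Where-Object Type -eq 'A').IPAddress -join ','
        }
        [pscustomobject]@{
            Partition  = $_.Partition
            Partner    = $_.PartnerAddress
            ResolvesTo = $target
            Address    = $addr
            LastResult = $_.LastReplicationResult       # 0 means the last attempt succeeded
            Failures   = $_.ConsecutiveReplicationFailures
        }
    } | Format-Table -AutoSize

# 3. The locator records the other domain's DCs register. If these do not
#    resolve, the secondary is either stale or never received the _msdcs
#    subtree at all.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$partnerZone" -Type SRV -DnsOnly |
    Where-Object Type -eq 'SRV' | Select-Object Name, NameTarget, Port
```

One caveat worth checking in Aaron's layout: on Windows Server 2003, _msdcs.<forest root> is created as a separate zone that the root domain zone only delegates to, so a secondary copy of the root domain zone carries the delegation and nothing else. The DC on the far side of the VPN then has to be able to reach the delegated name servers, or step 2 fails while step 1 looks perfectly healthy.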


RE: [ActiveDir] Wierd issue with security descriptor reverting on replication

2004-01-06 Thread Roger Seielstad
WE use 3 character prefixes ourselves, but the same basic result.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Joe [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, January 06, 2004 8:23 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Wierd issue with security descriptor 
> reverting on replication
> 
> 
> I agree with Guido. In fact any ID that has any delegated 
> rights in our AD
> gets it on an ID called a $-ID. It is their normal userid 
> prefixed with a $.
> That way they all sort to the top when sorted and it is 
> really obvious when
> they are being used. I have been using $ ID's (and $$ ID's 
> for domain admins
> - to indicate even more power that isn't delegated) for about 
> 7 years now,
> it works fine though I have run into people who say it 
> doesn't for some odd
> reason. I think they just feel uncomfortable with the special 
> character in
> the name. 
> 
>   joe
> 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> GRILLENMEIER,GUIDO
> (HP-Germany,ex1)
> Sent: Tuesday, January 06, 2004 6:50 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Wierd issue with security descriptor 
> reverting on
> replication
> 
> yes, the adminSDholder is good for these kind of surprises, 
> but the main
> reason it exists is that you don't accidentally grant a "downlevel"
> group/user enough permissions to reset the PW on a highly privileged
> account - thus compromising security.
> 
> You should definitely go with the "separate admin account" 
> model - this is
> not just for enterprise or domain admins protected by the 
> adminSDholder, but
> also for lower level OU or data admins, which could otherwise 
> be compromised
> as well by a simple helpdesk user who is allowed to reset PW 
> at the specific
> OU level containing your "lower level" admins...
> 
> Rgd. your name in the from field when sending eMail: this is 
> less up to you,
> than your Exchange Admins (unless you are the same guy).  
> Seems like your
> Exchange folks have configured your SMTP GW servers to remove the
> Display-Name and only to reveal the eMail address instead. I actually
> prefer it this way, instead of showing a somewhat obscure 
> Display Name
> (meant for internal handling of accounts) to the outside 
> world, like we do
> it...
> 
> /Guido
> 
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]
> Sent: Dienstag, 6. Januar 2004 08:13
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Wierd issue with security descriptor 
> reverting on
> replication
> 
> That looks like it might be the culprit.  I need to do a 
> little bit more
> checking and see if there are any exceptions, but this seems 
> like the most
> logical explanation and so far it has borne out.
> 
> I think we can fix this as the admins are SUPPOSED to be using special
> accounts for admin work and most of our applications that 
> require special
> permissions shouldn't run on these users.
> 
> Now, if I could figure out how to make my name show up in the 
> from field
> when mailing to the list from Outlook, I'd be all set :)
> 
> Thanks!
> 
> Joe K.
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> Sent: Monday, January 05, 2004 11:43 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Wierd issue with security descriptor 
> reverting on
> replication
> 
> Joe it sounds like you are being bitten by adminSDHolder. 
> Poke around for it
> (archives for here and the newsgroups and MSKB) you will find 
> considerable
> info on it now.
> 
> Basically there is a process that goes through and protects 
> certain accounts
> (usually admin type accounts like Ent Admins, Dom Admins, 
> Admins, Acc Ops,
> Serv Ops, etc) by removing the inherit flag and setting the 
> ACL to the ACL
> of the adminSDHolder object in the system container. Once you "clean up" an
> ID you should see it reset in about 5-10 minutes. 
> 
> Check to see if you have the admincount attribute populated 
> on these ID's,
> that is the flag for the process. Any groups that the users 
> are in that have
> that flag set will force the user to get that flag set as well. 
> 
>   joe
> 
> 
> 

RE: [ActiveDir] Wierd issue with security descriptor reverting on replication

2004-01-06 Thread Roger Seielstad
That's a good idea. Didn't think about taking it the extra step, although
that makes a lot of sense for a project we're talking about..

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: GRILLENMEIER,GUIDO (HP-Germany,ex1) 
> [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, January 06, 2004 2:39 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Wierd issue with security descriptor 
> reverting on replication
> 
> 
> I also tend to use a prefix for admin accounts, however you 
> can debate if
> this really makes sense. It's definitely user-friendly as the 
> user only has
> to remember one account and then one pre- or postfix when he 
> wants to use
> the admin-version of this account.  And you shouldn't believe 
> that the users
> will use different passwords...
> 
> However, this approach also shows which account you ought to 
> attack if you
> want to gain higher privileges...  This is one of the reasons, why in
> addition to creating separate OUs for the admin accounts, I hide these
> special OUs in AD so that the normal Authenticated User can't 
> browse or
> query for all accounts with a special prefix - naturally, the OU is
> configured to be visible to the Admins themselves, but even 
> here we make a
> differentiation who can see which admins (viewing the OU with 
> the domain
> admin accounts is more restricted than viewing OUs with OU 
> admin accounts)
> 
> /Guido
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
> Sent: Dienstag, 6. Januar 2004 16:16
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Wierd issue with security descriptor 
> reverting on
> replication
> 
> WE use 3 character prefixes ourselves, but the same basic result.
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: Joe [mailto:[EMAIL PROTECTED] 
> > Sent: Tuesday, January 06, 2004 8:23 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Wierd issue with security descriptor 
> > reverting on replication
> > 
> > 
> > I agree with Guido. In fact any ID that has any delegated 
> > rights in our AD
> > gets it on an ID called a $-ID. It is their normal userid 
> > prefixed with a $.
> > That way they all sort to the top when sorted and it is 
> > really obvious when
> > they are being used. I have been using $ ID's (and $$ ID's 
> > for domain admins
> > - to indicate even more power that isn't delegated) for about 
> > 7 years now,
> > it works fine though I have run into people who say it 
> > doesn't for some odd
> > reason. I think they just feel uncomfortable with the special 
> > character in
> > the name. 
> > 
> >   joe
> > 
> >  
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > GRILLENMEIER,GUIDO
> > (HP-Germany,ex1)
> > Sent: Tuesday, January 06, 2004 6:50 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Wierd issue with security descriptor 
> > reverting on
> > replication
> > 
> > yes, the adminSDholder is good for these kind of surprises, 
> > but the main
> > reason it exists is that you don't accidentally grant a "downlevel"
> > group/user enough permissions to reset the PW on a highly 
> > privileged
> > account - thus compromising security.
> > 
> > You should definitely go with the "separate admin account" 
> > model - this is
> > not just for enterprise or domain admins protected by the 
> > adminSDholder, but
> > also for lower level OU or data admins, which could otherwise 
> > be compromised
> > as well by a simple helpdesk user who is allowed to reset PW 
> > at the specific
> > OU level containing your "lower level" admins...
> > 
> > Rgd. your name in the from field when sending eMail: this is 
> > less up to you,
> > than your Exchange Admins (unless you are the same guy).  
> > Seems like your
> > Exchange folks have configured your SMTP GW servers to remove the
> > Display-Name and only to reveal the eMail address instead. 
> I actually
> > prefer it this way, instead of showing a somewhat obscure 
> > Display Name
> > (meant for internal handling of accounts) to the outside 
> > world, like

RE: [ActiveDir] Computer Accounts and request for comments on pro visioning.

2004-01-07 Thread Roger Seielstad
Answers inline.
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> 1. On average how long do you allow computer accounts to stay deactivated
> in your domain, and what issues do you run into when machines are
> disconnected longer than say the 60 days. (I think I remember reading
> somewhere that secure channel passwords get reset every 30 days on
> machine accounts). If the passwords are out of sync when the machine
> tries to join the domain again, will they auto renegotiate a new secure
> channel password even though the password is out of sync or does it
> always require resetting the secure channel?

We generally do a sweep once or twice a quarter, and kill anything older
than 90 days. Then again, we don't have huge amounts of machine turnover
since we're not a huge company.

> 2. Do you allow machines that are primarily home machines connect in as
> domain resources, or do you use other means to provide remote access to
> domain resources? If so what alternative means do you provide remote
> access to resources?

We only allow corporate owned resources on the network - including limiting
the distribution of the VPN client to only company owned laptops. The only
service we provide for non-company remote access is Outlook web access for
email.

> 3. Finally, do you require machines to go through a provisioning process
> when the computer account is created and removed from the domain? If so,
> how do you manage the process. In today's domains, I would think it would
> be desirable with the need to have certificates issued for EFS, etc.

Not currently, although we're trying to revamp our machine build process to
a point where this might be more easily accomplished.
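
Roger's answer to question 1 (a sweep once or twice a quarter, anything older than 90 days goes) is easy to script against pwdLastSet, the one attribute a domain member updates on its own: Netlogon rolls the machine password every 30 days by default (MaximumPasswordAge under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters), but only while it can reach a DC, so a machine that has been switched off for six months still holds a password matching the DC's copy and comes back without any reset. The out-of-sync case the question worries about comes from rolling a machine back (image restore, VM snapshot) across a rotation, and Test-ComputerSecureChannel -Repair on the client is the fix for that. The PowerShell below is an added example, not anything from the list; it assumes the RSAT ActiveDirectory module and stages the sweep as disable-then-delete so a machine that does return after 90 days can simply be re-enabled.

```powershell
# Added example (not from the thread). Runs with -WhatIf so nothing changes
# until you remove it. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$staleAfterDays = 90
$now    = Get-Date
$cutoff = $now.AddDays(-$staleAfterDays).ToFileTime()   # pwdLastSet is a FILETIME
$tag    = 'Disabled by stale sweep'

function Get-StaleComputer {
    param([long]$CutoffFileTime, [datetime]$AsOf)
    # String filter so the cutoff is embedded as a literal, no scope surprises.
    Get-ADComputer -Filter "pwdLastSet -lt $CutoffFileTime -and Enabled -eq 'True'" `
                   -Properties pwdLastSet, lastLogonTimestamp, operatingSystem |
        ForEach-Object {
            # lastLogonTimestamp replicates but is only refreshed about every 14
            # days, so it is a cross-check, not the primary signal.
            $lastLogon = $null
            if ($_.lastLogonTimestamp) { $lastLogon = [DateTime]::FromFileTime($_.lastLogonTimestamp) }
            [pscustomobject]@{
                Name       = $_.Name
                OS         = $_.operatingSystem
                PwdAgeDays = [int](($AsOf - [DateTime]::FromFileTime($_.pwdLastSet)).TotalDays)
                LastLogon  = $lastLogon
                DN         = $_.DistinguishedName
            }
        }
}

# Stage 1: disable and stamp the description so the next run can tell a
# sweep-disabled account from one an admin disabled on purpose.
$stale = Get-StaleComputer -CutoffFileTime $cutoff -AsOf $now
$stale | Format-Table Name, OS, PwdAgeDays, LastLogon -AutoSize
foreach ($c in $stale) {
    Set-ADComputer -Identity $c.DN -Enabled $false `
        -Description "$tag $($now.ToString('yyyy-MM-dd')); pwd age $($c.PwdAgeDays)d" -WhatIf
}

# Stage 2: delete what an earlier sweep disabled and that never came back.
# Remove-ADObject -Recursive also takes child objects (BitLocker recovery
# information, for instance) that make a plain Remove-ADComputer fail.
Get-ADComputer -Filter "Enabled -eq 'False'" -Properties Description |
    Where-Object { $_.Description -like "$tag *" } |
    ForEach-Object { Remove-ADObject -Identity $_.DistinguishedName -Recursive -Confirm:$false -WhatIf }
```

Keep the 90-day threshold well above the 30-day rotation; a threshold close to 30 days starts catching laptops that were merely on a long trip, and re-enabling those is still far cheaper than a rejoin.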


RE: [ActiveDir] Changing domain name/joining a forest or parent domain

2004-01-08 Thread Roger Seielstad
It doesn't remove domain accounts because you have an NT4 BDC in the domain
still (step 1).

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Bruce Clingaman [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, January 08, 2004 9:15 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Changing domain name/joining a 
> forest or parent domain
> 
> 
> 
> I doubt this would work in my scenario (step 1) since I am 
> running 2003 in
> native-mode.
> 
> Also, I am in doubt about your statement in the third 
> paragraph "demote ALL
> of your current Windows 2000 DCs to member servers.  This 
> procedure will
> retain all current users, groups, and computers." I was 
> thinking that the
> demoting process removes all the domain accounts.
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Rick Kingslan
> Sent: Wednesday, January 07, 2004 8:47 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Changing domain name/joining a 
> forest or parent
> domain
> 
> 
> Bruce,
> 
> I've been very successful with this method, but it does involve some risk (and nerves of steel) - but it can be mitigated. It's not a completely supported method, although there used to be a KB article on it. Might still be there, but I'm not sure (and, not inclined to look ;o)
> 
> There is a key requirement - you must still be in mixed mode, not native. I.E. you must still be able to support Windows NT 4.0 BDCs. If you can't - stop here, read no further, and delete the message - because what I'm about to outline will be of no help at all.
> 
> There is one other key element - you must be willing to demote ALL of your current Windows 2000 DCs to member servers. This procedure will retain all current users, groups, and computers.
> 
> 1.  Build a Windows NT 4.0 BDC in your 'DN' domain
> 2.  Go to the Protocol options and DNS - set the host and domain name, domain to DN.COM
> 3.  Force a synch of the domain (NET ACCOUNTS /SYNC) with the Win2k DC (for good measure - let it bubble for a while... I like 24 hrs.)
> 4.  If you have only one DC, jump to Step 7
> 5.  Select the DC with, or transfer all roles to one DC.
> 6.  DCPromo down all other DCs via Start / Run / 'dcpromo' - each DC, at completion, will be a member server.
> 7.  Disconnect the last Win2k DC from the network. DCPromo the DC via Start / Run / 'DCPromo'. After it restarts, it will be a member of a workgroup. You can rejoin it to the domain at this point, if you choose.
> 8.  From Server Manager in NT 4.0, upgrade the BDC to a PDC. If it complains that it cannot find a PDC, choose to proceed.
> 9.  Go to the Protocol options and DNS - set the host and domain name, domain to DN.COM
> 10. On the NT 4.0 PDC that you just promoted, upgrade to Windows 2000, and when DCPromo starts, choose to name it the DN.COM domain.
> 11. Other member servers that you wish to promote to DCs, you can now run DCPromo to add them as additional DCs in an existing domain.
> 
> It would be wise around step 8 - 9 to review DNS. The DN domain and zone file will be no longer relevant, and you will need the DN.COM domain. Be sure that DNS will be able to receive and manage the new domain and zone files. If not, be prepared to allow DCPromo and the processes therein to create a DNS server for you. But, I suspect that you must already have one - as you clearly already have AD.
> 
> I hope this helps, Bruce. It's fairly easy, but can be a bit tense as you literally eviscerate your current domain.
> 
> Good luck! Let us know how this works out!
> 
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
> WebLog - www.msmvps.com/willhack4food
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Bruce Clingaman
> Sent: Wednesday, January 07, 2004 4:36 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Changing domain name/joining a 
> forest or parent d
> omain
> 
> 
> That's an idea that may fit our needs since the child domain 
> needs to be
> kept separate from the parent anyway.
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
> Sent: Wednesday, January 07, 2004 4:20 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Changing domain name/joining a 
> forest or parent d
> omain
> 
> 
> Have you considered a multi-forest deployment?  It's not 
> pretty, but may be
> worth it depending on your requirements.
> 
> Al
> 
> -Original Message-
> From: Bernard, Aric [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 07, 2004 4:47 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Changing domain name/joining a 
> fores

RE: [ActiveDir] Remote time sync of DC

2004-01-08 Thread Roger Seielstad



From a command line:

net time /setsntp:server.domain.com

-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
  -Original Message-
  From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 08, 2004 10:59 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Remote time sync of DC

  Hello all,
  I'm trying to find a script/tool to synchronize the time (remotely from another computer) of a particular domain controller (Windows 2000) with a domain controller that is specified by me. Is this possible at all? Is it possible to use WMI?
  Thanx!
  Kind regards,

  Jorge de Almeida Pinto
  Microsoft Infrastructure Consultant

  This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.


RE: [ActiveDir] Remote time sync of DC

2004-01-08 Thread Roger Seielstad



Then you'll either need to use rcmd or terminal services - I don't believe net time works remotely.

-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
  -Original Message-
  From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 08, 2004 11:25 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Remote time sync of DC

  Hi Roger,

  I don't want to specify an SNTP server that a server will use to sync the time from time to time, I just want to force a time sync of a certain DC (task executed remotely) with a DC that I specify. Something that works like "net time \\server /set" but executed remotely.

  Regards,
  Jorge
  
  


RE: [ActiveDir] Remote time sync of DC

2004-01-08 Thread Roger Seielstad



Forgot about that one, but you're correct.

-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
  -Original Message-
  From: Michael B. Smith [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 08, 2004 11:42 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Remote time sync of DC

  psexec is a better alternative, I think.
  
  


RE: [ActiveDir] Remote time sync of DC

2004-01-09 Thread Roger Seielstad



I guess I'm having a hard time understanding what you're really trying to accomplish - the bigger picture. You're writing some sort of script that does functionality that's already inherent in the product.

Roger
-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  -Original Message-
  From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
  Sent: Friday, January 09, 2004 3:55 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Remote time sync of DC

  I want to use a script and try to use standard OS functionality (like WMI, for example, if ever possible) and I don't want to depend on some executable like RCMD.

  Jorge
  
  


RE: [ActiveDir] SidHistory migration

2004-01-09 Thread Roger Seielstad



Why are you doing another greenfield migration? It's a non-trivial but very straightforward upgrade from AD2k to AD2k3.

-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
  -Original Message-
  From: Pelle, Joe [mailto:[EMAIL PROTECTED]
  Sent: Friday, January 09, 2004 9:04 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] SidHistory migration

  Hello, All! Happy New Year!

  I'm hoping you can help me figure this one out!

  We've migrated from NT to 2000 with SIDHistory and have been running successfully for quite some time now. We now want to move to 2003 with SIDHistory, which will give our user accounts 3 SIDs (NT, 2000, 2003). We've tested this in the lab and with the migration software we are using we are getting a successful SID migration; however, when logging in as a migrated user in 2003 I don't have the same access I had in 2000 (or NT).

  It appears that SIDHistory is NOT working. We have a two-way trust between our two forests as well as trusts going back to NT. I've disabled SID filtering on the 2003 trust.

  Any help in this matter would be greatly appreciated!

  Thanks!

  Joe Pelle
  Infrastructure Architect
  Information Technology
  Valassis / IT
  19975 Victor Parkway, Livonia, MI 48152
  Tel 734.591.7324  Fax 734.632.6151
  [EMAIL PROTECTED]
  http://www.valassis.com/

  This message may have included proprietary or protected information. This message and the information contained herein are not to be further communicated without my express written consent.


RE: [ActiveDir] ldifde and/or csdve

2004-01-12 Thread Roger Seielstad



You might want to look at another option. Depending on the mail transfer agent you're using at the relays, many can do LDAP verification "live" off AD. Sendmail can do it, and I believe postfix and others can as well.

Having worked in an environment in which we had to keep white and black lists up to date (at its worst, it was 3500 users and more or less constantly out of date), I'd strongly suggest you look at a different way to do it.

Roger
-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  -Original Message-
  From: marcus [mailto:[EMAIL PROTECTED]
  Sent: Saturday, January 10, 2004 10:20 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] ldifde and/or csdve

  I'm going to find out real soon if it meets requirements or not. :-) Thanks for taking the time, Joe. Basically we're trying to create blacklists and whitelists for email filters based on email address to make sure user of x company does not have email parsed through various stages.

  One question... does adfind actually pull each value from the proxyAddresses field and match up to the parameter you've specified (e.g. the SMTP:*)... ? Thanks again!

  -m

  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
  Sent: Saturday, January 10, 2004 7:31 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] ldifde and/or csdve

  I will probably get dunned for the use of perl (except by Robbie and Richard) but...

  If this is a one off thing, i.e. not a regular process and you just want to grab some data, here is a quick and dirty solution. This is a joeware whip it up on the spot special for you, no charge. :op


  __START SCRIPT__
  `adfind -t 5 -gc -b -f \"&(mail=*)(proxyaddresses=SMTP:*)\" mail proxyaddresses >tempfile.txt`;

  # read the adfind output back in, one line at a time
  open fh,"<tempfile.txt";
  %uniqueemail=();
  %ciuniqueemail=();
  foreach $thisline (<fh>) {
    # capture what follows "attribute: " when it contains an "@"
    # (pattern reconstructed from the explanation further down)
    if ($thisline=~/.+: *(.+@.+)/) {
      $uniqueemail{$1}=1;
      $ciuniqueemail{lc($1)}=1;
    }
  }
  close fh;

  print "\n\nUnique Email Addresses\n";
  map {print "$_\n"} sort keys %uniqueemail;

  print "\n\nCase Insensitive Unique Email Addresses\n";
  map {print "$_\n"} sort keys %ciuniqueemail;
  __END SCRIPT__
   
   
  It uses adfind (www.joeware.net on the free win32 tools page) to query a global catalog to get all of the objects with either the mail attribute populated OR one of the values in proxyaddresses starting with SMTP, and also retrieves those attributes. It sends this to a file both because I don't know how big your forest is and how much memory is in your pc. If you have something smaller for a forest or a big box you can pull straight into memory with

  @output=`adfind -t 5 -gc -b -f \"&(mail=*)(proxyaddresses=SMTP:*)\" mail proxyaddresses`;


  Also the base is nothing, which means search the entire directory; if you wanted a single domain you could set the -b parameter to some value like dc=child1,dc=domain,dc=com.


  It also will give you two hashes of unique IDs. One is case sensitive, one is case insensitive. Shouldn't matter and I personally would do everything case insensitive but not sure exactly what you are looking for so did it both ways. If you want case insensitive, kill any line with uniqueemail in it and leave the lines with ciuniqueemail in it.

  ex:

  __START SCRIPT__
  `adfind -t 5 -gc -b -f \"&(mail=*)(proxyaddresses=SMTP:*)\" mail proxyaddresses >tempfile.txt`;

  open fh,"<tempfile.txt";
  %ciuniqueemail=();
  foreach $thisline (<fh>) { if ($thisline=~/.+: *(.+@.+)/) {$ciuniqueemail{lc($1)}=1} }
  close fh;

  print "\n\nCase Insensitive Unique Email Addresses\n";
  map {print "$_\n"} sort keys %ciuniqueemail;
  __END SCRIPT__


  Oh one quick thing, I hate it when I don't easily see what a regular expression is doing so the regex above ($thisline=~/.+: *(.+@.+)/) breaks down like this

  $thisline=~/.+: *(.+@.+)/

  $thisline=~     Take the $thisline variable and run a match against it
  /.+: *(.+@.+)/  This is the match. Match any line that has a : and an @ sign in it. On a match take the info following the : or a : with a trailing space and save it.

  This will match any of the following lines:

  >mail: [EMAIL PROTECTED]
  >proxyaddresses: SMTP:[EMAIL PROTECTED]
  >proxyaddresses: smtp:[EMAIL PROTECTED]

  and save the email address piece in the variable $1.



  If you need to match up the dn to the email addresses this gets more involved but is still pretty easy. The following script will create a semicolon delimited list with the DN as the first field and all other fields email addresses for the specified dn.


  __START SCRIPT__
  `
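As an added example (not Joe's script, and not adfind's documented output format), here is the same parse in Python, extended to do what Joe's cut-off third script set out to do: group addresses under their DN, emit the semicolon-delimited rows, and flag any address that turns up on more than one object before it goes into a relay whitelist. The sample input is constructed; the "dn:" line layout and the ">" attribute prefix are assumptions modelled on the lines quoted above.

```python
"""Parse adfind-style output into unique SMTP addresses and a DN -> addresses map.

Added example for the thread above; not Joe's perl script. The input format
(a "dn:" line followed by ">attribute: value" lines) is an assumption based
on the sample lines Joe quoted.
"""
import re

# Constructed sample, not real adfind output.
SAMPLE_ADFIND_OUTPUT = """\
dn:CN=Alice Example,OU=Users,DC=example,DC=com
>mail: Alice@example.com
>proxyaddresses: SMTP:alice@example.com
>proxyaddresses: smtp:alice.example@example.com
>proxyaddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Example;g=Alice;

dn:CN=Bob Example,OU=Users,DC=example,DC=com
>mail: bob@example.com
>proxyaddresses: SMTP:bob@example.com
>proxyaddresses: smtp:ALICE@EXAMPLE.COM
"""

# Same idea as the thread's "a : then something with an @" regex, but limited
# to the two attributes we asked adfind for, with an optional SMTP:/smtp: tag
# stripped. \S+ instead of .+ so trailing whitespace is never captured; the
# leading ">" is optional so ldifde-style output parses too. X400 entries
# carry no "@" and are skipped.
ADDR_RE = re.compile(r"^>?(?:mail|proxyaddresses):\s*(?:smtp:)?(\S+@\S+)$", re.IGNORECASE)
DN_RE = re.compile(r"^dn:\s*(.+)$", re.IGNORECASE)


def parse_adfind(text):
    """Return {dn: [addresses...]}, lower-cased, first-seen order, no repeats."""
    by_dn = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        m = DN_RE.match(line)
        if m:
            current = m.group(1).strip()
            by_dn.setdefault(current, [])
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            addr = m.group(1).lower()      # case-insensitive, like %ciuniqueemail
            if addr not in by_dn[current]:
                by_dn[current].append(addr)
    return by_dn


def unique_addresses(by_dn):
    """Sorted, case-insensitive unique list (the thread's %ciuniqueemail)."""
    return sorted({addr for addrs in by_dn.values() for addr in addrs})


def duplicates_across_dns(by_dn):
    """Addresses claimed by more than one object.

    A whitelist built from such data would let one identity stand in for
    another, so these rows are worth reviewing before the list is published.
    """
    owners = {}
    for dn, addrs in by_dn.items():
        for addr in addrs:
            owners.setdefault(addr, []).append(dn)
    return {addr: dns for addr, dns in owners.items() if len(dns) > 1}


def to_semicolon_rows(by_dn):
    """DN as the first field, then that object's addresses, ';'-delimited."""
    return [";".join([dn, *addrs]) for dn, addrs in by_dn.items()]


if __name__ == "__main__":
    parsed = parse_adfind(SAMPLE_ADFIND_OUTPUT)
    print("Case Insensitive Unique Email Addresses")
    for addr in unique_addresses(parsed):
        print(addr)
    print("\nDN;address;address...")
    for row in to_semicolon_rows(parsed):
        print(row)
    for addr, dns in duplicates_across_dns(parsed).items():
        print(f"\nWARNING: {addr} appears on {len(dns)} objects: {dns}")
```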

RE: [ActiveDir] ldifde and/or csdve

2004-01-12 Thread Roger Seielstad
Not necessarily.

If this is a big enough deal to warrant the work, you could do one way sync
out to something like openldap (http://www.openldap.org) and use it -
replicating only the desired data there.

Trust me, when we had whitelists on our external relays, there was no end to
the problems and issues we had with inbound mail, and we only had 3500
people at the time. I'd think something like this is worth the effort if you
really want to reject prior to acceptance.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Tony Murray [mailto:[EMAIL PROTECTED] 
> Sent: Monday, January 12, 2004 9:08 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] ldifde and/or csdve
> 
> 
> The only downside with this option is that it usually means 
> you need to expose your production AD DCs to servers in the 
> DMZ.  Even if you batten down the ports through your firewall, 
> use IPSec, etc. it still means there is a route through to your DCs.
> 
> Tony

RE: [ActiveDir] ldifde and/or csdve

2004-01-12 Thread Roger Seielstad
In fact, I just went and looked. This looks like a fairly promising idea.
http://www.openldap.org/devel/admin/syncrepl.html

OpenLDAP (open source) sitting in the DMZ (or even internally) doing pull
replication from AD, using a highly restricted account and only pulling the
absolute minimum number of attributes, could do exactly what I'm suggesting.

Too bad I don't have the time to crack this out on a system here.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Roger Seielstad 
> Sent: Monday, January 12, 2004 9:28 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] ldifde and/or csdve

RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]

2004-01-12 Thread Roger Seielstad
Ours was a bit more um, manual than that. And there were 2 groups (Exchange
admins and Unix admins) dealing with it. We didn't have a single point of
contact for fixing this kind of thing.

Not to mention, the whitelist was 8000+ lines for 3500 users.

I'm really just not a fan of whitelisting inbound. I like the idea of doing
it with the LDAP routing, but that's just me.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Tony Murray [mailto:[EMAIL PROTECTED] 
> Sent: Monday, January 12, 2004 9:52 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]
> 
> 
> What sort of problems did you have with whitelist management? 
>  I'd be interested to know because we have recently 
> introduced this type of whitelisting here.
> 
> We have around 15,000 mail users and send any whitelist 
> updates to the mail relays every 2 hours.  So far we haven't 
> come across any issues with this.
> 
> Tony
> -- Original Message --
> Wrom: MQZUIVOTQNQEMSFDULHPQQWOYIYZUNNYCGPKYLEJGDGV
> Reply-To: [EMAIL PROTECTED]
> Date:  Mon, 12 Jan 2004 06:28:22 -0800
> 
> Not necessarily.
> 
> If this is a big enough deal to warrant the work, you could 
> do one way sync
> out to something like openldap (http://www.openldap.org) and use it -
> replicating only the desired data there.
> 
> Trust me, when we had whitelists on our external relays, 
> there was no end to
> the problems and issues we had with inbound mail, and we only had 3500
> people at the time. I'd think something like this is worth 
> the effort if you
> really want to reject prior to acceptance.
> 
> Roger
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > Wrom: CJVTLBXFGGMEPYOQKEDOTWFAOBUZXUWLSZLKBRNVWWCUF
> > Sent: Monday, January 12, 2004 9:08 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] ldifde and/or csdve
> > 
> > 
> > The only downside with this option is that it usually means 
> > you need to expose your production AD DCs to servers in the 
> > DMZ.  Even if you batten down the ports through your firewall, 
> > use IPSec, etc. it still means there is a route through to your DCs.
> > 
> > Tony
> > 
> > -- Original Message --
> > From: [EMAIL PROTECTED]
> > Reply-To: [EMAIL PROTECTED]
> > Date:  Mon, 12 Jan 2004 05:19:17 -0800
> > 
> > You might want to look at another option. Depending on the 
> > mail transfer
> > agent you're using at the relays, many can do LDAP 
> > verification "live" off
> > AD. Sendmail can do it, and I believe postfix and others 
> can as well.
> >  
> > Having worked in an environment in which we had to keep white 
> > and black
> > lists up to date - at its worst, it was 3500 users and more or less
> > constantly out of date. I'd strongly suggest you look at a 
> > different way to
> > do it.
> >  
> > Roger
> > -- 
> > Roger D. Seielstad - MTS MCSE MS-MVP 
> > Sr. Systems Administrator 
> > Inovis Inc. 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > Sent: Saturday, January 10, 2004 10:20 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] ldifde and/or csdve
> > 
> > 
> > I'm going to find out real soon if it meets requirements or 
> not.  :-)
> > Thanks for taking the time, Joe.  Basically we're trying to create
> > blacklists and whitelists for email filters based on email 
> > address to make
> > sure user of x company does not have email parsed through 
> > various stages.
> >  
> > One question... does adfind actually pull each value from the 
> > proxyAddresses
> > field and match up to the parameter you've specified (e.g. 
> > the SMTP:*)... ?
> > Thanks again!
> >  
> > -m
> >  
> > 
> > 
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> > Sent: Saturday, January 10, 2004 7:31 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] ldifde and/or csdve
> >  
> > I will probably get dunned for the use of perl (except by Robbie and
> > Richard) but
> >  
> > If this is a one off thing, i.e. not a regular process and 
> > you just want to
> > grab some data here is a quick and dirty solution. This is a 
> > joeware whip it
> > up on the spot special for you no charge. :op
> >  
> >  
> > __START SCRIPT__
> > `adfind -t 5 -gc -b -f \"&(mail=*)(proxyaddresses=SMTP:*)\" mail
> > proxyaddresses >tempfile.txt`;
> > open fh,"<tempfile.txt";
> > %uniqueemail=();
> > %ciuniqueemail=();
> > foreach $thisline (<fh>)
> >  {
> >   if ($thisline=~/.+: *([EMAIL PROTECTED]  )/)
> >{
> > $uniqueemail{$1}=1;
> > $ciuniqueemail{lc($1)}=1;
> >  

[ActiveDir] Lab Refresh Process

2004-01-12 Thread Roger Seielstad
I'm looking for info on how (and if) you are doing lab refreshes from your production forest.


My current test forest is, well, premigration (18 months old) at this point, and I'm staring down the barrel of a year or so of AD related projects, and I'd like to rebuild the lab environment from scratch.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.





RE: [ActiveDir] Lab Refresh Process

2004-01-12 Thread Roger Seielstad
I was trying to think of a way in which I can get the SIDS & GUIDs without the
swing server, but I can't think of another way.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
  -Original Message-From: Myrick, Todd 
  (NIH/CIT) [mailto:[EMAIL PROTECTED] Sent: Monday, January 12, 
  2004 10:48 AMTo: '[EMAIL PROTECTED]'Subject: 
  RE: [ActiveDir] Lab Refresh Process
  Depends on what 
  you want to accomplish.  Initially we had full production simulation of 
  our multi-domain AD forest.  Today we simulate most of the deployments 
  using a few servers.  I do more work, using VMware.
   
  As to how to 
  keep them synced, if having the same SIDS and GUID is important, try joining 
  and removing a DC to the forest, then standing up a separate forest with the 
  rotated DC.  
   
  Todd
  

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, January 12, 2004 10:42 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Lab Refresh Process

I'm looking for info on how (and if) you are doing lab refreshes from your
production forest.

My current test forest is, well, premigration (18 months old) at this point,
and I'm staring down the barrel of a year or so of AD related projects, and
I'd like to rebuild the lab environment from scratch.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


RE: [ActiveDir] ldifde and/or csdve

2004-01-12 Thread Roger Seielstad
I was thinking more along the lines of the paranoid amongst us - you
know, those who don't trust Microsoft products with any exposure to the
Internet.

OpenLDAP would fit in nicely with our existing mail relay structure, really.
See, we run 4 boxes which boot OpenBSD from CD and do DNS and sendmail
relaying. In our scheme, we could easily build the necessary OpenLDAP
software into the boot image and just add a single config file to control
it. No additional boxes needed, and not a lot of overhead - not to mention
all lookups would be local.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: joe [mailto:[EMAIL PROTECTED] 
> Sent: Monday, January 12, 2004 12:07 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] ldifde and/or csdve
> 
> 
> AD/AM MMS
> 
> I refuse to call it MIIS. Stupid change. 
> 
>   joe
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Roger Seielstad
> Sent: Monday, January 12, 2004 9:28 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] ldifde and/or csdve
> 
> Not necessarily.
> 
> If this is a big enough deal to warrant the work, you could 
> do one way sync
> out to something like openldap (http://www.openldap.org) and use it -
> replicating only the desired data there.
> 
> Trust me, when we had whitelists on our external relays, 
> there was no end to
> the problems and issues we had with inbound mail, and we only had 3500
> people at the time. I'd think something like this is worth 
> the effort if you
> really want to reject prior to acceptance.
> 
> Roger
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: Tony Murray [mailto:[EMAIL PROTECTED]
> > Sent: Monday, January 12, 2004 9:08 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] ldifde and/or csdve
> > 
> > 
> > The only downside with this option is that it usually means 
> you need 
> > to expose your production AD DCs to servers in the DMZ.  
> Even if you 
> > batten down the ports through your firewall, use IPSec, etc. 
> it still 
> > means there is a route through to your DCs.
> > 
> > Tony
> > 
> > -- Original Message --
> > From: [EMAIL PROTECTED]
> > Reply-To: [EMAIL PROTECTED]
> > Date:  Mon, 12 Jan 2004 05:19:17 -0800
> > 
> > You might want to look at another option. Depending on the mail 
> > transfer agent you're using at the relays, many can do LDAP 
> > verification "live" off AD. Sendmail can do it, and I 
> believe postfix 
> > and others can as well.
> >  
> > Having worked in an environment in which we had to keep white and 
> > black lists up to date - at its worst, it was 3500 users 
> and more or 
> > less constantly out of date. I'd strongly suggest you look at a 
> > different way to do it.
> >  
> > Roger
> > --
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc. 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > Sent: Saturday, January 10, 2004 10:20 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] ldifde and/or csdve
> > 
> > 
> > I'm going to find out real soon if it meets requirements or 
> not.  :-)
> > Thanks for taking the time, Joe.  Basically we're trying to create
> > blacklists and whitelists for email filters based on email 
> > address to make
> > sure user of x company does not have email parsed through 
> > various stages.
> >  
> > One question... does adfind actually pull each value from the 
> > proxyAddresses
> > field and match up to the parameter you've specified (e.g. 
> > the SMTP:*)... ?
> > Thanks again!
> >  
> > -m
> >  
> > 
> > 
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> > Sent: Saturday, January 10, 2004 7:31 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] ldifde and/or csdve
> >  
> > I will probably get dunned for the use of perl (except by Robbie and
> > Richard) but
> >  
> > If this is a one off thing, i.e. not a regular process and 
> &g

RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]

2004-01-12 Thread Roger Seielstad
We're talking what I'd call reverse whitelisting (or more appropriately
recipient whitelisting) - in other words checking email validity at the
borders prior to acceptance for delivery. 

For instance, currently my external relays accept mail for [EMAIL PROTECTED],
which is passed inbound through a virus gateway then to Exchange, which is
where the validity of the address is first tested.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

[1] Minus the relaying hacks, obviously


> -Original Message-
> From: Mulnick, Al [mailto:[EMAIL PROTECTED] 
> Sent: Monday, January 12, 2004 12:11 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]
> 
> 
> Whitelisting has other issues as well for a company.  It's a 
> built in issue
> of not knowing which customer is trying to contact you ahead 
> of time and
> having that address or domain whitelisted.   
> In order for any blocking to work properly without losing 
> valid email from
> clients/customers, you have to be very accurate and in most 
> instances ahead
> of the request.  That provides a problem that does not have a valid
> technology solution in my mind.
> 
> You can tell I'm not a fan of whitelisting as well ;)
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
> Sent: Monday, January 12, 2004 10:27 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]
> 
> Ours was a bit more um, manual than that. And there were 2 
> groups (Exchange
> admins and Unix admins) dealing with it. We didn't have a 
> single point of
> contact for fixing this kind of thing.
> 
> Not to mention, the whitelist was 8000+ lines for 3500 users.
> 
> I'm really just not a fan of whitelisting inbound. I like the 
> idea of doing
> it with the LDAP routing, but that's just me.
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: Tony Murray [mailto:[EMAIL PROTECTED]
> > Sent: Monday, January 12, 2004 9:52 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]
> > 
> > 
> > What sort of problems did you have with whitelist management? 
> >  I'd be interested to know because we have recently introduced this 
> > type of whitelisting here.
> > 
> > We have around 15,000 mail users and send any whitelist 
> updates to the 
> > mail relays every 2 hours.  So far we haven't come across 
> any issues 
> > with this.
> > 
> > Tony
> > -- Original Message --
> > From: [EMAIL PROTECTED]
> > Reply-To: [EMAIL PROTECTED]
> > Date:  Mon, 12 Jan 2004 06:28:22 -0800
> > 
> > Not necessarily.
> > 
> > If this is a big enough deal to warrant the work, you could 
> do one way 
> > sync out to something like openldap 
> (http://www.openldap.org) and use 
> > it - replicating only the desired data there.
> > 
> > Trust me, when we had whitelists on our external relays, 
> there was no 
> > end to the problems and issues we had with inbound mail, 
> and we only 
> > had 3500 people at the time. I'd think something like this is worth 
> > the effort if you really want to reject prior to acceptance.
> > 
> > Roger
> > --
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> > 
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > Sent: Monday, January 12, 2004 9:08 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] ldifde and/or csdve
> > > 
> > > 
> > > The only downside with this option is that it usually 
> means you need 
> > > to expose your production AD DCs to servers in the DMZ.  
> Even if you 
> > > batten down the ports through your firewall, use IPSec, 
> etc. it still 
> > > means there is a route through to your DCs.
> > > 
> > > Tony
> > > 
> > > -- Original Message --
> > > From: [EMAIL PROTECTED]
> > > Reply-To: [EMAIL PROTECTED]
> > > Date:  Mon, 12 Jan 2004 05:19:17 -0800
> >
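Recipient validation at the border, as discussed in this thread, needs the set of valid addresses pulled out of AD. The following is an added example, not code from the list, from joeware or from any poster: it parses adfind-style output much as Joe's Perl snippet earlier in the thread does, collects the SMTP proxy addresses case-insensitively, emits a minimal LDIF for the one-way sync to a relay-side OpenLDAP that Roger suggests, and checks a recipient against the result. The adfind output, the names, and the base DN are all constructed for the example.

```python
import re

# Constructed sample of what `adfind -gc -b -f "&(mail=*)(proxyaddresses=SMTP:*)"
# mail proxyaddresses` prints: one attribute per line, a blank line per object.
SAMPLE_ADFIND_OUTPUT = """\
dn:CN=Jane Doe,OU=Users,DC=example,DC=com
>mail: jane.doe@example.com
>proxyAddresses: SMTP:Jane.Doe@example.com
>proxyAddresses: smtp:jdoe@example.com
>proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Doe;g=Jane;

dn:CN=Bob Roe,OU=Users,DC=example,DC=com
>mail: bob.roe@example.com
>proxyAddresses: SMTP:bob.roe@example.com
>proxyAddresses: smtp:Bob.Roe@example.com
"""

# "attr: value", with adfind's leading ">" on attribute lines made optional.
ATTR_RE = re.compile(r"^>?\s*([A-Za-z]+):\s*(.*?)\s*$")


def parse_adfind(text):
    """Split adfind output into one dict per object: dn, mail, SMTP aliases."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the current object
            current = None
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        attr, value = m.group(1).lower(), m.group(2)
        if attr == "dn":
            current = {"dn": value, "mail": None, "smtp": []}
            entries.append(current)
        elif current is None:
            continue
        elif attr == "mail":
            current["mail"] = value
        elif attr == "proxyaddresses":
            # Only SMTP:/smtp: values are mail addresses; X400/X500 entries are not.
            prefix, _, addr = value.partition(":")
            if prefix.lower() == "smtp" and addr:
                current["smtp"].append(addr)
    return entries


def unique_addresses(entries):
    """Case-insensitive set of every address, like %ciuniqueemail in the Perl."""
    addrs = set()
    for e in entries:
        if e["mail"]:
            addrs.add(e["mail"].lower())
        addrs.update(a.lower() for a in e["smtp"])
    return addrs


def is_valid_recipient(address, valid_addresses):
    """Border-relay check: accept RCPT TO only for an address that exists in AD."""
    return address.strip().lower() in valid_addresses


def to_ldif(entries, base_dn="ou=recipients,dc=example,dc=com"):
    """Minimal LDIF for a one-way sync to a relay-side OpenLDAP: only the mail
    attribute plus what inetOrgPerson requires. base_dn is a hypothetical value."""
    blocks = []
    for e in entries:
        if not e["mail"]:
            continue
        cn_match = re.match(r"CN=([^,]+)", e["dn"], re.IGNORECASE)
        cn = cn_match.group(1) if cn_match else e["mail"]
        lines = [
            f"dn: mail={e['mail'].lower()},{base_dn}",
            "objectClass: inetOrgPerson",
            f"cn: {cn}",
            f"sn: {cn.split()[-1]}",
        ]
        lines += [f"mail: {m}" for m in sorted(unique_addresses([e]))]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    found = parse_adfind(SAMPLE_ADFIND_OUTPUT)
    valid = unique_addresses(found)
    print(to_ldif(found))
    for rcpt in ("JDoe@Example.com", "nobody@example.com"):
        print(rcpt, "->", "accept" if is_valid_recipient(rcpt, valid) else "reject")
```

The relay only ever sees the mail attribute, which is the "replicating only the desired data" point: nothing else from the production forest leaves for the DMZ.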

RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]

2004-01-12 Thread Roger Seielstad
Yup - just inbound recipient validation.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Mulnick, Al [mailto:[EMAIL PROTECTED] 
> Sent: Monday, January 12, 2004 1:25 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]
> 
> 
> So really, this is just recipient validation then?  
> 
> That makes it a different ball game altogether.  Then all the gateway
> machine has to have is information to make it a smarthost without the
> complicated routing, right? 
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
> Sent: Monday, January 12, 2004 12:40 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]
> 
> We're talking what I'd call reverse whitelisting (or more 
> appropriately
> recipient whitelisting) - in other words checking email 
> validity at the
> borders prior to acceptance for delivery. 
> 
> For instance, currently my external relays accept mail for 
> [EMAIL PROTECTED],
> which is passed inbound through a virus gateway then to 
> Exchange, which is
> where the validity of the address is first tested.
> 
> Roger
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> [1] Minus the relaying hacks, obviously
> 
> 
> > -Original Message-
> > From: Mulnick, Al [mailto:[EMAIL PROTECTED]
> > Sent: Monday, January 12, 2004 12:11 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]
> > 
> > 
> > Whitelisting has other issues as well for a company.  It's 
> a built in 
> > issue of not knowing which customer is trying to contact 
> you ahead of 
> > time and
> > having that address or domain whitelisted.   
> > In order for any blocking to work properly without losing 
> valid email 
> > from clients/customers, you have to be very accurate and in most 
> > instances ahead of the request.  That provides a problem 
> that does not 
> > have a valid technology solution in my mind.
> > 
> > You can tell I'm not a fan of whitelisting as well ;)
> > 
> > -Original Message-
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > Sent: Monday, January 12, 2004 10:27 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]
> > 
> > Ours was a bit more um, manual than that. And there were 2 groups 
> > (Exchange admins and Unix admins) dealing with it. We didn't have a 
> > single point of contact for fixing this kind of thing.
> > 
> > Not to mention, the whitelist was 8000+ lines for 3500 users.
> > 
> > I'm really just not a fan of whitelisting inbound. I like 
> the idea of 
> > doing it with the LDAP routing, but that's just me.
> > 
> > --
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> > 
> > 
> > > -Original Message-
> > > From: Tony Murray [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, January 12, 2004 9:52 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] ldifde and/or csdve [drifting 
> slightly OT]
> > > 
> > > 
> > > What sort of problems did you have with whitelist management? 
> > >  I'd be interested to know because we have recently 
> introduced this 
> > > type of whitelisting here.
> > > 
> > > We have around 15,000 mail users and send any whitelist
> > updates to the
> > > mail relays every 2 hours.  So far we haven't come across
> > any issues
> > > with this.
> > > 
> > > Tony
> > > -- Original Message --
> > > From: [EMAIL PROTECTED]
> > > Reply-To: [EMAIL PROTECTED]
> > > Date:  Mon, 12 Jan 2004 06:28:22 -0800
> > > 
> > > Not necessarily.
> > > 
> > > If this is a big enough deal to warrant the work, you could
> > do one way
> > > sync out to something like openldap
> > (http://www.openldap.org) and use
> > > it - replicating only the desired data there.
> > > 
> > > Trust me, when we had whitelists on our external relays,
> > the

RE: [ActiveDir] GPO and the Outlook Dumpster

2004-01-13 Thread Roger Seielstad
It strikes me that it might be part of the Office Administration Templates,
which can be distributed via GPOs, but aren't actually part of the GPO
settings.

http://www.microsoft.com/office/ork/2003/five/ch18/MntA04.htm

There are similar templates for Office XP and Office 2000 that might do the
trick.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Oliver Marshall [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, January 13, 2004 11:19 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] GPO and the Outlook Dumpster
> 
> 
> Does anyone know a GPO setting that will allow me to prevent 
> users from
> accessing the Recover Deleted Items addin in Outlook ? Someone on an
> exchange mailing list said that there is a GP setting to prevent this
> addin being loaded.
> 
> Olly
> 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: slipstreaming Win2K

2004-01-13 Thread Roger Seielstad
There's a utility linked off the susserver.com site that can accomplish
this as well.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
  -Original Message-From: Rich Milburn 
  [mailto:[EMAIL PROTECTED] Sent: Tuesday, January 13, 2004 
  3:19 PMTo: [EMAIL PROTECTED]Subject: RE: 
  [ActiveDir] OT: slipstreaming Win2K
  
  That's right, you 
  have to use qchain and put them in a subdirectory under i386 and so on... I had 
  the procedures once upon a time and decided it wasn't worth it, but if you 
  need them I could probably find them again.
  Rich
   
  
  
  
  
  From: Creamer, Mark [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, January 13, 2004 10:06 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] OT: slipstreaming Win2K

  I've successfully slipstreamed service packs into a Win2K install media
  before, but never looked into adding any hotfixes to it. So I started
  looking into how to do it, and was surprised to find dialog from one of
  Microsoft's online tech chats, in which the rep said you can't do that.
  Did I misunderstand, or can I really not add hotfixes to a slipstream
  image?

  Thanks...oh, and Tony - thanks also from me for a great list!

  Mark Creamer
  Systems Engineer
  Cintas Corporation
  Honesty and Integrity in Everything We Do
   


RE: [ActiveDir] OT: slipstreaming Win2K

2004-01-13 Thread Roger Seielstad
Nope. I mean this:
http://www.nextwish.org/geek.php?page=susutil

It's an exe that sets the correct registry settings and restarts the update
service, and the system gets the updates in about 10 minutes, then following
the reboot it sets the settings back (which would be done by the GPO anyway,
if you're using one).

I use it quite a bit for servers when I'm ready to patch them.
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
  -Original Message-From: Celone, Mike 
  [mailto:[EMAIL PROTECTED] Sent: Tuesday, January 13, 2004 
  2:08 PMTo: '[EMAIL PROTECTED]'Subject: RE: 
  [ActiveDir] OT: slipstreaming Win2K
  You mean this?
   
  http://support.microsoft.com/default.aspx?scid=kb;en-us;828930&Product=win2000
   
  Mike
  
  
  From: Creamer, Mark [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, January 13, 2004 11:06 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] OT: slipstreaming Win2K

  I've successfully slipstreamed service packs into a Win2K install media
  before, but never looked into adding any hotfixes to it. So I started
  looking into how to do it, and was surprised to find dialog from one of
  Microsoft's online tech chats, in which the rep said you can't do that.
  Did I misunderstand, or can I really not add hotfixes to a slipstream
  image?

  Thanks...oh, and Tony - thanks also from me for a great list!

  Mark Creamer
  Systems Engineer
  Cintas Corporation
  Honesty and Integrity in Everything We Do


RE: [ActiveDir] OT: slipstreaming Win2K

2004-01-14 Thread Roger Seielstad
What I've been thinking is rolling the exe I linked to into the runonce key of
newly built machines. But since I don't build client machines, I pass this
stuff off to my deployment guy.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, January 13, 2004 5:28 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT: slipstreaming Win2K

  Mark,

  Easily done, maybe the rep meant that you couldn't roll the hotfixes
  directly into the i386 dir like the service packs, they have to be added
  as an "after thought". We use an unattended bootable CD for our more
  remote locations and roll all the available hotfixes into it, I do the
  same with RIS (Roll hotfixes into install that is...), a good site to look
  at is:

  http://www.msfn.org/unattended/xp/index.htm

  I know it is XP but I have done it utilising the same method for W2K, only
  slightly different for RIS:

  http://www.winnetmag.com/Articles/ArticleID/24892/pg/2/2.html

  Roger's suggestion looks pretty good, will look into that...

  James
   
  
  -Original Message-
  From: Roger Seielstad [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, 14 January 2004 6:53 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] OT: slipstreaming Win2K
  
Nope. I mean this:
http://www.nextwish.org/geek.php?page=susutil

It's an exe that sets the correct registry settings and restarts the
update service, and the system gets the updates in about 10 minutes, then
following the reboot it sets the settings back (which would be done by the
GPO anyway, if you're using one).

I use it quite a bit for servers when I'm ready to patch them.
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
  -Original Message-
  From: Celone, Mike [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, January 13, 2004 2:08 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] OT: slipstreaming Win2K

  You mean this?

  http://support.microsoft.com/default.aspx?scid=kb;en-us;828930&Product=win2000

  Mike
  
  
  From: Creamer, Mark [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, January 13, 2004 11:06 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] OT: slipstreaming Win2K

  I've successfully slipstreamed service packs into a Win2K install media
  before, but never looked into adding any hotfixes to it. So I started
  looking into how to do it, and was surprised to find dialog from one of
  Microsoft's online tech chats, in which the rep said you can't do that.
  Did I misunderstand, or can I really not add hotfixes to a slipstream
  image?

  Thanks...oh, and Tony - thanks also from me for a great list!

  Mark Creamer
  Systems Engineer
  Cintas Corporation
  Honesty and Integrity in Everything We Do


RE: [ActiveDir] DC's on VMWare

2004-01-14 Thread Roger Seielstad
The big thing that VMWare has going for it, and in my opinion it's a big
thing, is the way they've built ESX server.

The problem with using Virtual Server (or GSX Server from VMWare) is that
you're still running a full blown OS underneath the virtual machines. This
really causes a problem in which a single OS patch which requires a reboot
means that all your VM servers also need to be rebooted - even if they're
not Windows.

ESX server uses a highly stripped down version of the Linux kernel[1], and
few ancillary services. This architecture should result in significantly
fewer issues in which the virtualization platform necessitates downtime. I
lump the virtualization engine more in the hardware than software side of
things - hardware should not require significant maintenance except in
break/fix scenarios.

Now, maybe I need to see how hard it is to get Virtual Server (or the PC
equivalent of it) running in WinPE. Maybe that's the fix to all these
problems. Of course, there are all those pesky licensing issues to deal with
then.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

[1] My thoughts on Linux in general are relatively well known[2]
[2] I've been quoted as saying "BSD Skunks the Penguin" on more than one
occasion


> -Original Message-
> From: joe [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, January 13, 2004 7:51 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DC's on VMWare
> 
> 
> Well right off the bat... MS doesn't support Windows on 
> VMWARE; it is best
> effort unless Microsoft can determine that the issue can be 
> reproduced on
> physical hardware. VMWARE claims this is because of 
> competitive reasons but
> MS never supported it even before they bought the Connectix product.
> 
> >From what I have heard, our dev guys have actually hit 
> things that they
> couldn't reproduce.
> 
> Personally I would run Windows on VMWARE all day in a lab (we 
> do) or at home
> (I did). I wouldn't even start to consider it for production 
> (never ever
> ever). If you want to look at virtualization software for 
> running Windows,
> get into the Virtual Server preview program that MS has as 
> obviously the
> Windows products will be fully supported on that software. 
> 
> IBM and HP both claim full support for Windows on VMWARE. 
> However you have
> to keep in mind, what can they really do? If there is a 
> problem with VMWARE
> they can send that info back to the vendor. If they find a problem in
> Windows they can send that back to MS. They have no power to 
> really fix
> anything. I have had a conversation with one of the guys at 
> IBM concerning
> the support model and in the end he said, there is no SLA for software
> support from anyone - no guarantees... Great! He mentioned 
> that all of their
> VMWARE contracts are one offs negotiated specifically with 
> the customer at
> hand. But again, in the end, all they can do is pat your hand 
> and say, we
> understand, yes that does suck that it doesn't work, but 
> don't worry we sent
> someone a note - if we could fix it ourselves we would, but we can't. 
> 
> I actually stopped using the VMWARE products at home about 3 
> months ago and
> switched to the MS products as I figured I might as well get 
> used to it. 
> 
> 
> Here are some links worth reading:
> 
> 
> http://support.microsoft.com/default.aspx?scid=kb;en-us;273508
> http://support.microsoft.com/default.aspx?scid=%2Fservicedesks%2Fbin%2Fkbsearch.asp%3FArticle%3D320220
> http://www.computerworld.com/hardwaretopics/hardware/server/story/0,10801,87185,00.html
> 
> 
>joe
> 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino
> Sent: Tuesday, January 13, 2004 3:12 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] DC's on VMWare
> 
> 
> 
> 
> 
> All,
> 
> Server consolidation has us heading towards putting production Windows
> Server 2003 domain controllers on VMWare VMs using ESX.  We 
> have not yet
> deployed AD widely (some business units have it and some 
> don't) but are
> working on a new design that will handle all business units.  
> Our lab is a
> combination of physical servers on workstation-class hardware 
> and VMs on
> VMWare Workstation4 and on ESX.
> 
> However, our direction for production DC's is VMs on ESX 
> unless we find that
> it doesn't work properly or well enough.  We're going to be 
> testing this in
> the lab.  I've seen recent emails about using VMs to spin off labs.
> But does anyone have experience running production DC's on 
> VMs or any known
> "gotcha's" that they're willing to share?
> 
> 
> Thanks,
> Mike Baudino
> 
> 
> 

RE: [ActiveDir] GPO and the Outlook Dumpster

2004-01-14 Thread Roger Seielstad
But Shift-Delete is not a permanent delete. Assuming you have deleted item
retention enabled, shift-delete simply marks the message for deletion, but it
is still available within that folder's dumpster until the DIR time expires,
and is accessible using the DumpsterAlwaysOn registry setting for Outlook.

Scared the crap out of my desktop guy who thought he could hide email...

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  -Original Message-
  From: deji Agba [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, January 14, 2004 1:40 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

  your protection against this "CYA" type of deletion is backup. If you
  maintain a diligent backup of your Exchange Server, you can always do a
  restore to your offline server whenever you need to "prove" something.
  Disabling access to the "Recover Deleted Items" folder will not buy you
  much with a determined user who wants to cover his/her track. Shift-Del
  will not send deleted items to that folder, you know?
   
  
  
   
  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about
  Yesterday?  -anon

  From: Oliver Marshall
  Sent: Tue 1/13/2004 12:07 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

Because while the Recover Deleted Items addin allows you...err...recover
deleted items a user can also delete things permanently. We have had
people 'covering their tracks' by deleting emails.

I don't want to disable the feature all together as it's a useful IT
tool for managers etc, but not for users.

Olly 

-Original Message-
From: David, Andy [mailto:[EMAIL PROTECTED] 
Sent: 13 January 2004 19:15
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

I'm just wondering why you would want to implement such a thing. 
 

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 12:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

It strikes me that it might be part of the Office Administration
Templates, which can be distributed via GPOs, but aren't actually part
of the GPO settings.

http://www.microsoft.com/office/ork/2003/five/ch18/MntA04.htm

There are similar templates for Office XP and Office 2000 that might do
the trick.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Oliver Marshall [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 13, 2004 11:19 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] GPO and the Outlook Dumpster
> 
> 
> Does anyone know a GPO setting that will allow me to prevent users
> from accessing the Recover Deleted Items addin in Outlook ? Someone on
> an exchange mailing list said that there is a GP setting to prevent
> this addin being loaded.
> 
> Olly
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> 



RE: [ActiveDir] Bug in GPO?

2004-01-14 Thread Roger Seielstad
All you need to do is put the AV software on a different partition

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Steve Rochford [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 14, 2004 6:43 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Bug in GPO?
> 
> 
> I know of deep freeze; another college near me is using it with some
> success but they had a problem with things like virus 
> software updates -
> deep freeze was wiping these out at each reboot! It's such a common
> requirement that I'm sure there must be a way round it but 
> I've not yet
> had time to investigate.
> 
> Steve
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 12 January 2004 15:45
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Bug in GPO?
> 
> 
> 
> 
> 
> I used to do a bit of work with some companies up north that had the
> same issue.  They purchased a software product called DeepFreeze which
> basically reset the C drive back to the way it was at last boot up.
> They would image the systems, turn on deep freeze, and the users were
> not able to do anything that a simple reboot would not fix.  They were
> also not able to save any data on drive C - in their case an added
> benefit.
> 
> It may be worth looking into as an extra security setup especially in
> lab situations.
> 
> Regards;
> 
> James R. Day
> National Parks Service - AD Core Team
> (202) 354-1464
> Fax (202) 371-1549
> [EMAIL PROTECTED]
> 
> 
> From: "Steve Rochford" <[EMAIL PROTECTED].uk>
> Sent by: [EMAIL PROTECTED]tivedir.org
> Sent: 01/12/2004 11:24 AM GMT
> Please respond to: ActiveDir
> To: <[EMAIL PROTECTED]>
> cc: (bcc: James Day/Contractor/NPS)
> Subject: RE: [ActiveDir] Bug in GPO?
> 
> 
> 
> 
> I'd completely agree with this. I work in a college and we don't want
> the students to (accidentally or deliberately) play with 
> files on the C:
> drive but even the tightest set of policies makes no real difference -
> just typing "C:" into a file open dialog will show you the drive and
> typing "desktop" into the address bar in Internet Explorer 
> also leads to
> some fun
> :-)
> 
> In the end it's easier to make sure that permissions are as tight as
> possible so that people can't do too much damage and be prepared to
> re-image the machine if they do!
> 
> Steve
> 
> From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]
> Sent: 31 December 2003 04:06
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Bug in GPO?
> 
> Mark-
> This worked for me on XP as expected--I chose to hide the C: 
> drive using
> this policy and it was hidden in both My Computer and Explorer. One
> thing I did note was that, if I enabled this policy while I 
> had Explorer
> up and running, the C: drive would only get "partially" 
> hidden. That is,
> it still appeared in the Explorer tree view but didn't in the 
> right hand
> results pane. Weird. Restarting Explorer cleared that up and C: was
> gone.
> 
> Just as a note, this policy is really nothing more than "shell
> obfuscation". For example, even with the C: drive hidden in Explorer,
> there are numerous ways the intrepid user can get to C:. For example,
> opening a command shell, using the File Open dialog in any number of
> applications, etc. So, even if you get it working, its not real
> security. I found that, in the past, it also confused some 
> applications,
> depending upon how poorly they were written. In the end I decided to
> give up on the drive hiding thing because it caused more 
> confusion than
> it fixed. Just my .02.
> 
> Darren
> 
> 
> 
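The drive-hiding policy Darren describes in the quoted part of this message ("Hide these specified drives in My Computer") writes a single bitmask, NoDrives, under the user's Explorer policy key, one bit per drive letter. The PowerShell below is an added example, not code from the thread or from Microsoft: it builds that mask, applies it to the current user, and then shows why the setting is only shell obfuscation, because the file system underneath is untouched. The registry path and value name are the standard ones for this policy; everything else (function names, the demo on C:) is this example's own. It writes one HKCU value and removes it again, and Explorer only picks the value up when it restarts.

```powershell
# Added example, not from the thread. Builds the NoDrives bitmask behind the
# "Hide these specified drives in My Computer" policy and shows that the policy
# hides a drive from the shell only; it does not block access to the drive.
# Assumption: run as the user whose Explorer view is being changed. Explorer
# reads the value at start-up, so nothing visibly changes until it restarts.

$ExplorerPolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-NoDrivesMask {
    # One bit per drive letter: A = bit 0, B = bit 1, C = bit 2, ... Z = bit 25.
    # The policy's own "Restrict all drives" choice is all 26 bits set (0x3FFFFFF).
    param([Parameter(Mandatory)][string[]]$DriveLetter)
    $mask = 0
    foreach ($letter in $DriveLetter) {
        $index = [int][char]($letter.ToUpper()[0]) - [int][char]'A'
        if ($index -lt 0 -or $index -gt 25) { throw "Not a drive letter: $letter" }
        $mask = $mask -bor (1 -shl $index)
    }
    return $mask
}

function Set-HiddenDrives {
    # Writes NoDrives for the current user and returns the mask that was written.
    param([Parameter(Mandatory)][string[]]$DriveLetter)
    if (-not (Test-Path $ExplorerPolicyKey)) {
        New-Item -Path $ExplorerPolicyKey -Force | Out-Null
    }
    $mask = Get-NoDrivesMask -DriveLetter $DriveLetter
    Set-ItemProperty -Path $ExplorerPolicyKey -Name 'NoDrives' -Value $mask -Type DWord
    return $mask
}

function Clear-HiddenDrives {
    # Undo: remove the value so the next Explorer start shows every drive again.
    if (Test-Path $ExplorerPolicyKey) {
        Remove-ItemProperty -Path $ExplorerPolicyKey -Name 'NoDrives' -ErrorAction SilentlyContinue
    }
}

# --- demonstration ----------------------------------------------------------
$mask = Set-HiddenDrives -DriveLetter 'C'
'NoDrives written: 0x{0:X} ({1}); C: alone is bit 2' -f $mask, $mask

# The value lives in the shell's policy key, not in the file system. Anything
# that bypasses Explorer's drive list (a command prompt, a File Open dialog with
# "C:" typed into it, this very script) still reaches the drive:
'C:\Windows reachable with NoDrives set: {0}' -f (Test-Path 'C:\Windows')
Get-ChildItem -Path 'C:\' -Force | Select-Object -First 3 -ExpandProperty Name

Clear-HiddenDrives
'NoDrives present after cleanup: {0}' -f ($null -ne (Get-ItemProperty -Path $ExplorerPolicyKey -Name NoDrives -ErrorAction SilentlyContinue))
```

Get-NoDrivesMask is the part worth keeping: pass it several letters ('C','D','E' gives 0x1C) when you want to match what a GPO in the field has written, or to decode a NoDrives value found on a machine. The sibling policy "Prevent access to drives from My Computer" (NoViewOnDrive) is enforced by the same shell code and, as Microsoft's own policy description says, does not stop programs from reaching the drive either; NTFS permissions are what actually restrict access.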

RE: [ActiveDir] DC's on VMWare

2004-01-14 Thread Roger Seielstad
I also wonder if the virtualization platforms are a dead end race. Looking
at the newer 64-bit-for-Windows systems, many of the vendors are building
partitioning into the hardware platform - where speed ceases to be an issue.
However, that still has the minimum 1 CPU per partition limitation, at this
point.

I wonder if it would be possible to build a hardware level abstraction layer
that does what the software virtualization platforms do now. I wonder if
that kind of technology is somewhere in the pipeline

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: joe [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 14, 2004 8:20 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DC's on VMWare
> 
> 
> I am not saying VMWare isn't very cool. I enjoy it immensely. Just
> indicating the limitations for Windows support. I think 
> anyone who would
> consider using a product in a production environment in a way 
> that isn't in
> the end completely supported by the people with the source 
> code are slightly
> insane. However my view of production may be slightly 
> different and more
> critical than others. 
> 
> I would like to see MS actually add VMWare to the HCL 
> certification process
> and lists. I think that would be a good way to tackle it and 
> probably the
> right way, they certify specific versions and don't even have 
> to worry about
> underlying hardware, VMWare has to worry about that. However, 
> realistically,
> I don't see it happening. If they hadn't gotten into the 
> virtualization
> business I don't think they would have had much choice for 
> much longer, but
> they did and some of us just said, duh, about time. 
> 
> Yes I would like to a very stripped down OS with the guests 
> running on it
> like ESX. They may be thinking about that but more likely 
> right now they are
> thinking about how closely they can tie it to the guts of a full blown
> Windows OS and make it integral to the core for speed and to 
> get away from
> it actually being a separate product. Then after that they 
> may look at how
> to strip the host (or someone else - maybe you - will figure 
> it out for
> them). 
> 
> 
>   joe
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Roger Seielstad
> Sent: Wednesday, January 14, 2004 7:54 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] DC's on VMWare
> 
> The big thing that VMWare has going for it, and in my opinion 
> it's a big
> thing, is the way they've built ESX server.
> 
> The problem with using Virtual Server (or GSX Server from 
> VMWare) is that
> you're still running a full blown OS underneath the virtual 
> machines. This
> really causes a problem in which a single OS patch which 
> requires a reboot
> means that all your VM servers also need to be rebooted - 
> even if they're
> not Windows.
> 
> ESX server uses a highly stripped down version of the Linux 
> kernel[1], and
> few ancillary services. This architecture should result in 
> significantly
> fewer issues in which the virtualization platform 
> necessitates downtime. I
> lump the virtualization engine more in the hardware than 
> software side of
> things - hardware should not require significant maintenance except in
> break/fix scenarios.
> 
> Now, maybe I need to see how hard it is to get Virtual Server 
> (or the PC
> equivalent of it) running in WinPE. Maybe that's the fix to all these
> problems. Of course, there are all those pesky licensing 
> issues to deal with
> then.
> 
> Roger
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> [1] My thoughts on Linux in general are relatively well 
> known[2] [2] I've
> been quoted as saying "BSD Skunks the Penguin" on more than 
> one occasion
> 
> 
> > -Original Message-
> > From: joe [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, January 13, 2004 7:51 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] DC's on VMWare
> > 
> > 
> > Well right off the bat... MS doesn't support Windows on 
> VMWARE; it is 
> > best effort unless Microsoft can determine that the issue can be 
> > reproduced on physical hardware. VMWARE claims this is because of 
> > competitive reasons but MS never supported it even before 
> they bought 
> > the Connectix product.
> &g

RE: [ActiveDir] DC's on VMWare

2004-01-14 Thread Roger Seielstad
I didn't know about that... That could be an issue...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Rich Milburn [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 14, 2004 9:36 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DC's on VMWare
> 
> 
> WinPE will reboot every 24 hours, that might affect your 
> availability :)
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 14, 2004 6:54 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] DC's on VMWare
> 
> The big thing that VMWare has going for it, and in my opinion 
> it's a big
> thing, is the way they've built ESX server.
> 
> The problem with using Virtual Server (or GSX Server from 
> VMWare) is that
> you're still running a full blown OS underneath the virtual 
> machines. This
> really causes a problem in which a single OS patch which 
> requires a reboot
> means that all your VM servers also need to be rebooted - 
> even if they're
> not Windows.
> 
> ESX server uses a highly stripped down version of the Linux 
> kernel[1], and
> few ancillary services. This architecture should result in 
> significantly
> fewer issues in which the virtualization platform 
> necessitates downtime. I
> lump the virtualization engine more in the hardware than 
> software side of
> things - hardware should not require significant maintenance except in
> break/fix scenarios.
> 
> Now, maybe I need to see how hard it is to get Virtual Server 
> (or the PC
> equivalent of it) running in WinPE. Maybe that's the fix to all these
> problems. Of course, there are all those pesky licensing 
> issues to deal with
> then.
> 
> Roger
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> [1] My thoughts on Linux in general are relatively well known[2]
> [2] I've been quoted as saying "BSD Skunks the Penguin" on 
> more than one
> occasion
> 
> 
> > -Original Message-
> > From: joe [mailto:[EMAIL PROTECTED] 
> > Sent: Tuesday, January 13, 2004 7:51 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] DC's on VMWare
> > 
> > 
> > Well right off the bat... MS doesn't support Windows on 
> > VMWARE; it is best
> > effort unless Microsoft can determine that the issue can be 
> > reproduced on
> > physical hardware. VMWARE claims this is because of 
> > competitive reasons but
> > MS never supported it even before they bought the Connectix product.
> > 
> > From what I have heard, our dev guys have actually hit 
> > things that they
> > couldn't reproduce.
> > 
> > Personally I would run Windows on VMWARE all day in a lab (we 
> > do) or at home
> > (I did). I wouldn't even start to consider it for production 
> > (never ever
> > ever). If you want to look at virtualization software for 
> > running Windows,
> > get into the Virtual Server preview program that MS has as 
> > obviously the
> > Windows products will be fully supported on that software. 
> > 
> > IBM and HP both claim full support for Windows on VMWARE. 
> > However you have
> > to keep in mind, what can they really do? If there is a 
> > problem with VMWARE
> > they can send that info back to the vendor. If they find a 
> problem in
> > Windows they can send that back to MS. They have no power to 
> > really fix
> > anything. I have had a conversation with one of the guys at 
> > IBM concerning
> > the support model and in the end he said, there is no SLA 
> for software
> > support from anyone - no guarantees... Great! He mentioned 
> > that all of their
> > VMWARE contracts are one offs negotiated specifically with 
> > the customer at
> > hand. But again, in the end, all they can do is pat your hand 
> > and say, we
> > understand, yes that does suck that it doesn't work, but 
> > don't worry we sent
> > someone a note - if we could fix it ourselves we would, but 
> we can't. 
> > 
> > I actually stopped using the VMWARE products at home about 3 
> > months ago and
> > switched to the MS products as I figured I might as well get 
> > used to it. 
> > 
> > 
> > Here are some links worth reading:
> > 
> > 
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;273508

RE: [ActiveDir] DC's on VMWare

2004-01-14 Thread Roger Seielstad
That brings its own issues (SIDs, etc) that get back into why I don't clone
servers. And since you have to stop the entire VM to get a consistent backup
for DR, that negates that benefit.

I'm looking at it because we have 3 different web based apps that are all
relatively low volume, but all three use different application platforms and
they don't play well on the same box. So - 1 server, 3 VM's, one per
application. Fortunately, they all use SQL Server as the backend, so they'll
tie into our existing SQL farm.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Rich Milburn [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 14, 2004 9:50 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DC's on VMWare
> 
> 
> A lot of the VM benefit comes from having a portable image 
> virtual drive
> (ignoring being able to make one computer turn into 5+ at 
> once, for now)
> because it's easy to grab a VM file and move it, unlike 
> Windows.  But does
> anyone remember the days of mapping a drive to a server with 
> a DOS boot disk
> and xcopy'ing the files to or from the computer? No ghost, no 
> sysprep, no
> pagefiles, and no 1.2GB basic OS install - just copy copy 
> boom you're done.
> When I moved a Win98 file from my workstation to the lab (98 
> fits on a CD),
> made 4 copies and in a few minutes had running clones, it 
> reminded me of
> those days... *sigh*
> Rich
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 14, 2004 7:32 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] DC's on VMWare
> 
> I also wonder if the virtualization platforms are a dead end 
> race. Looking
> at the newer 64-bit-for-Windows systems, many of the vendors 
> are building
> partitioning into the hardware platform - where speed ceases 
> to be an issue.
> However, that still has the minimum 1 CPU per partition 
> limitation, at this
> point.
> 
> I wonder if it would be possible to build a hardware level 
> abstraction layer
> that does what the software virtualization platforms do now. 
> I wonder if
> that kind of technology is somewhere in the pipeline
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: joe [mailto:[EMAIL PROTECTED] 
> > Sent: Wednesday, January 14, 2004 8:20 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] DC's on VMWare
> > 
> > 
> > I am not saying VMWare isn't very cool. I enjoy it immensely. Just
> > indicating the limitations for Windows support. I think 
> > anyone who would
> > consider using a product in a production environment in a way 
> > that isn't in
> > the end completely supported by the people with the source 
> > code are slightly
> > insane. However my view of production may be slightly 
> > different and more
> > critical than others. 
> > 
> > I would like to see MS actually add VMWare to the HCL 
> > certification process
> > and lists. I think that would be a good way to tackle it and 
> > probably the
> > right way, they certify specific versions and don't even have 
> > to worry about
> > underlying hardware, VMWare has to worry about that. However, 
> > realistically,
> > I don't see it happening. If they hadn't gotten into the 
> > virtualization
> > business I don't think they would have had much choice for 
> > much longer, but
> > they did and some of us just said, duh, about time. 
> > 
> > Yes I would like to a very stripped down OS with the guests 
> > running on it
> > like ESX. They may be thinking about that but more likely 
> > right now they are
> > thinking about how closely they can tie it to the guts of a 
> full blown
> > Windows OS and make it integral to the core for speed and to 
> > get away from
> > it actually being a separate product. Then after that they 
> > may look at how
> > to strip the host (or someone else - maybe you - will figure 
> > it out for
> > them). 
> > 
> > 
> >   joe
> > 
> > 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Roger Seielstad
> > Sent: Wednesday, January 14, 2004 7:54 AM
> > To: '[EMAIL PROTECTED]'
> > Subjec

RE: [ActiveDir] DC's on VMWare

2004-01-14 Thread Roger Seielstad
"2. ESX allows you to run other OS's on the same server at the same time
(e.g
Linux, Netware..).  MS's product only allows Windows."

Actually, you *can* run other OS's on the MS Virtual Server - but
technically you're unsupported. Since Linux is probably the predominant
choice for "other" OS in many of these cases, and you're unsupported (more
or less) there, then I don't think it's a valid issue.

NetWare would be a bigger issue, but I also think that their declining
market share makes that less of an issue.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Fuller, Stuart [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 14, 2004 10:09 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] DC's on VMWare 
> 
> 
> Okay... I have to jump in here and give my 2 cents...
> 
> The State of Montana is running over 60 production Windows servers on
> multiple VMware ESX 2.01 servers.  We have made the strategic 
> decision that
> our server consolidation will be done with ESX.  
> 
> The support issue and MS having a competing product does 
> bite, but there are
> several recourses including VMware itself to resolve 
> problems.  We have been
> running ESX for more than a year and have never had an issue 
> with support.
> 
> Why VMware instead of Microsoft??  Basically it comes down to 
> three things -
> 
> 1. ESX is a stripped kernel and doesn't have the performance 
> hit you take by
> running a full blown host operating system underneath your 
> virtual machines.
> 
> 
> 2. ESX allows you to run other OS's on the same server at the 
> same time (e.g
> Linux, Netware..).  MS's product only allows Windows.
> 
> 3. VMware's new Virtual Control Center and VMotion products.  
> Control Center
> gives you a single management view of all of your VM's.  
> VMotion allows you
> to move VM's from one ESX server to another while the VM is 
> still running
> with no down time.  How cool is that!!  
> 
> Okay so now back to the question of DC's on VM's.  I think it 
> is a good idea
> if the planning is done right.  The benefits that ESX gives 
> you as far as
> easy backup, DR, and portability I think outweigh any 
> marketing speak about
> it not being officially supported by MS.
> 
> Do we have any our production DC's on VM's yet??  No, but we 
> do have plans
> to move one of our external forests completely to VM's to get off old
> unsupported physical hardware.  And, as part of our DR 
> planning, we are
> considering putting a set of DC's on VM.  
> 
> -Stuart Fuller
> State of Montana
> 


RE: [ActiveDir] DC's on VMWare

2004-01-14 Thread Roger Seielstad
As I mentioned in one of my posts - I'm looking at using this technology so
I can run more than 1 web application platform on one piece of hardware.

None of these applications would tax a server by itself, yet they can't all
run (at least not at all well) within a single OS instance. 

I agree, however, that mass consolidation doesn't normally make sense.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Ken Cornetet [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 14, 2004 11:22 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DC's on VMWare
> 
> 
> Maybe this is a good chance for me to express my ignorance 
> and hopefully
> be enlightened.
> 
> I don't understand the whole concept of replacing N (relatively)
> inexpensive boxes of cost C with one monster box costing more than N *
> C. Where are you saving money? You still have N (actually 
> N+1) operating
> systems to pay for, patch, maintain, monitor, etc. and your hardware
> costs have gone up, not down.
> 
> I can see that each virtual server potentially has access to a vast
> amount of memory and CPU horsepower, but realistically, how many
> applications are going to stress a 3GHz single CPU box with, say, 4GB
> ram? 
> 
> Also, because all your eggs are in one hardware basket, your hardware
> has become crucially important and probably warrants some sort of
> extended 24X7 maintenance contract from the vendor adding 
> even more cost
> to the picture. 
> 
> For a lab, test or educational environment (where performance isn't
> going to be an issue), I can see something like VMWare being 
> very handy,
> but running on one inexpensive box.
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Douglas M. Long
> Sent: Wednesday, January 14, 2004 10:52 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DC's on VMWare
> 
> 
> It seems to me that it would be cheaper to buy separate HW for each DC
> than to buy one HUGE machine.
> Example: 4 dual CPU machines with 8GB RAM is going to cost 
> less than 1 8
> CPU machine with 64GB RAM
> 
> 
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Roger 
> Seielstad
> Sent: Wednesday, January 14, 2004 10:27 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] DC's on VMWare
> 
> 
> That brings its own issues (SIDs, etc) that get back into why I don't
> clone servers. And since you have to stop the entire VM to get a
> consistent backup for DR, that negates that benefit.
> 
> I'm looking at it because we have 3 different web based apps that are
> all relatively low volume, but all three use different application
> platforms and they don't play well on the same box. So - 1 server, 3
> VM's, one per application. Fortunately, they all use SQL Server as the
> backend, so they'll tie into our existing SQL farm.
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: Rich Milburn [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, January 14, 2004 9:50 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] DC's on VMWare
> >
> >
> > A lot of the VM benefit comes from having a portable image virtual 
> > drive (ignoring being able to make one computer turn into 5+ at
> > once, for now)
> > because it's easy to grab a VM file and move it, unlike
> > Windows.  But does
> > anyone remember the days of mapping a drive to a server with
> > a DOS boot disk
> > and xcopy'ing the files to or from the computer? No ghost, no
> > sysprep, no
> > pagefiles, and no 1.2GB basic OS install - just copy copy
> > boom you're done.
> > When I moved a Win98 file from my workstation to the lab (98
> > fits on a CD),
> > made 4 copies and in a few minutes had running clones, it
> > reminded me of
> > those days... *sigh*
> > Rich
> >
> > -Original Message-
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, January 14, 2004 7:32 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] DC's on VMWare
> >
> > I also wonder if the virtualization platforms are a dead end race. 
> > Looking at the newer 64-bit-for-Windows systems, many of the vendors
> > are building
> > partitionin

RE: [ActiveDir] Bug in GPO?

2004-01-15 Thread Roger Seielstad
Doesn't have to be...

Set the partition to NTFS with localsystem having the only rights, and I
think it would work fine.

You're not going to stop the truly determined, but this should stop a whole
lot of them

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Steve Rochford [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 14, 2004 5:28 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Bug in GPO?
> 
> 
> Surely that partition is then available for users to write to (unless
> you make sure you lock down everything but that's where I came in!!)
> 
> Steve 
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
> Sent: 14 January 2004 13:00
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Bug in GPO?
> 
> All you need to do is put the AV software on a different partition
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: Steve Rochford [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, January 14, 2004 6:43 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Bug in GPO?
> > 
> > 
> > I know of deep freeze; another college near me is using it with some 
> > success but they had a problem with things like virus software updates
> > - deep freeze was wiping these out at each reboot! It's such a common 
> > requirement that I'm sure there must be a way round it but I've not 
> > yet had time to investigate.
> > 
> > Steve
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > Sent: 12 January 2004 15:45
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Bug in GPO?
> > 
> > 
> > 
> > 
> > 
> > I used to do a bit of work with some companies up north that had the 
> > same issue.  They purchased a software product called DeepFreeze which
> > basically reset the C drive back to the way it was at last boot up.
> > They would image the systems, turn on deep freeze, and the users were 
> > not able to do anything that a simple reboot would not fix.  They were
> > also not able to save any data on drive C - in their case an added 
> > benefit.
> > 
> > It may be worth looking into as an extra security setup 
> especially in 
> > lab situations.
> > 
> > Regards;
> > 
> > James R. Day
> > National Parks Service - AD Core Team
> > (202) 354-1464
> > Fax (202) 371-1549
> > [EMAIL PROTECTED]
> > 
> > 
> > From: "Steve Rochford" <[EMAIL PROTECTED].uk>
> > Sent by: [EMAIL PROTECTED]tivedir.org
> > Sent: 01/12/2004 11:24 AM GMT
> > Please respond to: ActiveDir
> > To: <[EMAIL PROTECTED]>
> > cc: (bcc: James Day/Contractor/NPS)
> > Subject: RE: [ActiveDir] Bug in GPO?
> > 
> > 
> > 
> > 
> > I'd completely agree with this. I work in a college and we don't want 
> > the students to (accidentally or deliberately) play with files on the C:
> > drive but even the tightest set of policies makes no real difference -
> > just typing "C:" into a file open dialog will show you the drive and 
> > typing "desktop" into the address bar in Internet Explorer also leads 
> > to some fun
> > :-)
> > 
> > In th
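Roger's suggestion in this message, a separate partition for the AV install with NTFS rights held only by LocalSystem, is a permission change rather than a shell setting, which is exactly the distinction Darren drew earlier in the thread between hiding a drive and actually restricting it. The PowerShell below is an added example, not code from the thread or from any AV vendor: it replaces the default ACL on a dedicated volume with one that grants LocalSystem (S-1-5-18) Full Control and nothing to anyone else, then reads the ACL back so the change can be checked. It assumes an elevated prompt, a hypothetical second partition $AvVolume (D: here) reserved for the AV product, and an AV service that runs as LocalSystem, which most do. The -KeepAdministrators switch (also this example's own) leaves BUILTIN\Administrators on the ACL so the box stays maintainable; omit it for the SYSTEM-only ACL Roger describes.

```powershell
# Added example, not from the thread. Replaces the default ACL on a dedicated
# volume with one granting LocalSystem (and optionally Administrators) Full
# Control and nothing to anyone else, then reads the result back for checking.
# Assumptions: elevated prompt; $AvVolume is a hypothetical second partition
# holding nothing but the AV install; the AV service runs as LocalSystem.

$AvVolume = 'D:\'

function New-FullControlRule {
    # Inheritable Allow/FullControl ACE for a well-known SID string.
    param([Parameter(Mandatory)][string]$Sid)
    $identity = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Sid
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $identity, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
}

function Set-SystemOnlyAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$KeepAdministrators
    )
    $acl = Get-Acl -Path $Path
    # Cut inheritance without copying the inherited ACEs down, then strip the
    # explicit ACEs a fresh format leaves behind (Users, Authenticated Users...).
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

    $acl.AddAccessRule((New-FullControlRule -Sid 'S-1-5-18'))          # NT AUTHORITY\SYSTEM
    if ($KeepAdministrators) {
        $acl.AddAccessRule((New-FullControlRule -Sid 'S-1-5-32-544'))  # BUILTIN\Administrators
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-VolumeGrantees {
    # Who can do what on the volume root after the change. Any identity other
    # than SYSTEM (and Administrators, if kept) in this list means the lockdown
    # did not take, or someone has since re-opened it.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Rights    = $_.FileSystemRights
            Type      = $_.AccessControlType
            Inherited = $_.IsInherited
        }
    }
}

# --- demonstration ----------------------------------------------------------
Set-SystemOnlyAcl -Path $AvVolume -KeepAdministrators
Get-VolumeGrantees -Path $AvVolume | Format-Table -AutoSize

# A non-admin user now gets "Access is denied" on anything under D:\, which
# closes both the "disable my AV" case and the "save my stuff on the partition
# that does not get reset" case Steve raised.
```

Two caveats belong with this. First, the lockdown is only as strong as the membership of the local Administrators group: anyone in it, or anyone holding SeTakeOwnershipPrivilege, can take ownership of the volume and rewrite the ACL, which is the "truly determined" user Roger refers to. Second, the AV product's own updater has to run as SYSTEM (or as another account you add to the ACL) for signature updates to keep landing on the partition, and the partition has to be excluded from whatever Deep Freeze resets at reboot, or the original problem simply moves to D:.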

RE: [ActiveDir] DC's on VMWare

2004-01-15 Thread Roger Seielstad
I'm pushing towards having 2 types of boxes - blade servers and 2U servers
connecting to external storage/SAN, or housing their data locally.

As Al mentioned - the Virtualization people are trying to ignore the laws of
physics much like the SAN folks did a few years ago. Taking two systems that
are at 25% resource utilization and moving them to virtual machines on the
same hardware doesn't mean that hardware is now 50% utilized - it's now 50%
plus overhead for resource contention.

There are areas in which it makes a lot of sense - our customer support
teams run it on all their workstations, as they need access to multiple OS's
for test and verification of customer issues. Our Presales teams do the same
thing for their demo environments. We save the $300 licenses in not having
to deal with dual and triple boot machines.

I think the key, and I've heard it mentioned from some of the people here
that are doing it, is truly understanding the load your systems are under,
and only then considering virtualizing things.



--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: marcus [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 14, 2004 7:32 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DC's on VMWare
> 
> 
> I have the same reaction most everyone else does.  We're in 
> the middle of
> server consolidation here, too... the days of sprawl are over.
> 
> So... we're starting w/ low hanging fruit.  None of us know 
> exactly how this
> whole thing will pan out in terms of support so we're not placing any
> critical servers on VM at this point.
> 
> I'd prefer to still hang on to the idea of bricks/blades architecture.
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Wednesday, January 14, 2004 2:24 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] DC's on VMWare
> 
> As I mentioned in one of my posts - I'm looking at using this technology so
> I can run more than 1 web application platform on one piece of hardware.
> 
> None of these applications would tax a server by itself, yet they can't all
> run (at least not at all well) within a single OS instance. 
> 
> I agree, however, that mass consolidation doesn't normally make sense.
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: Ken Cornetet [mailto:[EMAIL PROTECTED] 
> > Sent: Wednesday, January 14, 2004 11:22 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] DC's on VMWare
> > 
> > 
> > Maybe this is a good chance for me to express my ignorance and hopefully
> > be enlightened.
> > 
> > I don't understand the whole concept of replacing N (relatively)
> > inexpensive boxes of cost C with one monster box costing more than N *
> > C. Where are you saving money? You still have N (actually N+1) operating
> > systems to pay for, patch, maintain, monitor, etc. and your hardware
> > costs have gone up, not down.
> > 
> > I can see that each virtual server potentially has access to a vast
> > amount of memory and CPU horsepower, but realistically, how many
> > applications are going to stress a 3GHz single CPU box with, say, 4GB
> > ram? 
> > 
> > Also, because all your eggs are in one hardware basket, your hardware
> > has become crucially important and probably warrants some sort of
> > extended 24X7 maintenance contract from the vendor adding even more cost
> > to the picture. 
> > 
> > For a lab, test or educational environment (where performance isn't
> > going to be an issue), I can see something like VMWare being very handy,
> > but running on one inexpensive box.
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
> > Sent: Wednesday, January 14, 2004 10:52 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] DC's on VMWare
> > 
> > 
> > It seems to me that it would be cheaper to buy separate HW for each DC
> > than to buy one HUGE machine.
> > Example: 4 dual CPU machines with 8GB RAM is going to cost less than 1 8
> > CPU machine with 64GB RAM
> > 
> > 
> > 
> > 
> > 
> > -Original Message-
> > Fro

RE: [ActiveDir] GPO and the Outlook Dumpster

2004-01-15 Thread Roger Seielstad

There are a lot of default settings that most admins change - and deleted item
retention is one of them (at least I would hope it is).

The DumpsterAlwaysOn setting is client side, and only affects whether or not you can
see the dumpster. It most certainly exists on every folder in Exchange (when DIR
is enabled). The offender does NOT need to have this registry key set for a
Shift-Delete email to be recovered. Fairly simple to prove to yourself, but I
know I'm one of three people in the company with it enabled, and I use it to get
our exec admins out of trouble quite a bit

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  -Original Message-
  From: deji Agba [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 2:18 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
  
  I usually refrain from adding to a thread more than once, except to occasionally
  concur. I have always thought that, all things being equal, Shift-Delete is indeed
  a permanent delete, given the following circumstances:

  >> Assuming you DON'T have deleted item retention enabled - which is the default
  configuration
  >> You have not enabled DumpsterAlwaysOn - which is the default configuration
  >> You don't do brick-level backup, you don't have an offline Exchange server you
  test restore to, AND you are not willing to interrupt other users' access to do a
  live restore

  I've been known to be wrong before, but I don't think this is one of those
  moments :-p

  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
  
  
  From: Roger Seielstad
  Sent: Wed 1/14/2004 4:58 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
  
  But Shift-Delete is not a permanent delete. Assuming you have deleted item
  retention enabled, shift-delete simply marks the message for deletion, but it
  is still available within that folder's dumpster until the DIR time expires,
  and is accessible using the DumpsterAlwaysOn registry setting for Outlook.

  Scared the crap out of my desktop guy who thought he could hide email...

  Roger
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  
  

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 1:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

your protection against 
this "CYA" type of deletion is backup. If you maintain a diligent backup of 
your Exchange Server, you can always do a restore to your offline server 
whenever you need to "prove" something. Disabling access to the "Recover 
Deleted Items" folder will not buy you much with a determined user who wants 
to cover his/her track. Shift-Del will not send deleted items to that 
folder, you know?
 


 
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Oliver Marshall
Sent: Tue 1/13/2004 12:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
Because while the Recover Deleted Items addin allows you...err...recover
deleted items a user can also delete things permanently. We have had
people 'covering their tracks' by deleting emails.

I don't want to disable the feature all together as it's a useful IT
tool for managers etc, but not for users.

Olly 

-Original Message-
From: David, Andy [mailto:[EMAIL PROTECTED] 
Sent: 13 January 2004 19:15
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

I'm just wondering why you would want to implement such a thing. 
 

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 12:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

It strikes me that it might be part of the Office Administration
Templates, which can be distributed via GPOs, but aren't actually part
of the GPO settings.

http://www.microsoft.com/office/ork/2003/five/ch18/MntA04.htm

There are similar templates for Office XP and Office 2000 that might do
the trick.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Oliver Marshall [mailto:

RE: [ActiveDir] Good book on AD

2004-01-15 Thread Roger Seielstad
The list of books that I've culled from this group and others, as well as my
own experience, is available here:
http://www.wiredeuclid.com/modules.php?op=modload&name=books&file=index

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Tony Murray [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, January 15, 2004 2:43 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Good book on AD
> 
> 
> I'd recommend Active Directory Forestry by John Craddock and 
> Sally Storey.  It has an excellent "LDP Primer" chapter and 
> goes into some of the finer detail on object classes and attributes.  
> 
> Tony
> 
> -- Original Message --
> Wrom: PNKMBIPBARHDMNNSKVFVWRKJV
> Reply-To: [EMAIL PROTECTED]
> Date:  Wed, 14 Jan 2004 18:48:22 -0500
> 
> I am looking for a few good books on AD to help me re-work on 
> AD here.  I 
> have Mission Critical AD, Robbie's second AD book, the cookbook, and 
> Inside AD. lol I know too many books.  Is there anything else I am 
> missing?
> 
> Ryan McDonald
> 
> 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Good book on AD

2004-01-15 Thread Roger Seielstad

> There is one additional book but it's not Active Directory specific more how to
> use System.DirectoryServices (ADSI COM component wrapped for .NET), but it does
> cover a lot of AD tasks. Let me know if you are interested.

Tease! You went to all that trouble to build it up and then not mention the
title??? What's the book?

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  -Original Message-
  From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 3:50 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Good book on AD
  Another good book is Inside Active directory by Sakari Kouti and Mika Seitsonen
  Publisher : Addison-Wesley Pub Co
  There are reviews on: http://groups.yahoo.com/group/MustHaveBooksForAspNetProgrammers/message/98
  And http://btobsearch.barnesandnoble.com/booksearch/isbninquiry.asp?btob=Y&pwb=1&ean=9780201616217

  Both are by me.
  You already have Robbie's book (which is a gem as well).
  I will be posting a review on Robbie's book on the yahoo groups, Barnes and Noble,
  Amazon and programming-reviews.com. In the coming weeks, Robbie (and his technical
  reviewers *SHOUT OUT* to Tony, Rick, Joe and all the others I left out) really did
  an awesome job.
  I will keep you posted.
  There is one additional book but it's not Active Directory specific more how to
  use System.DirectoryServices (ADSI COM component wrapped for .NET), but it does
  cover a lot of AD tasks. Let me know if you are interested.
  LDAP (Active Directory , iPlanet, NDS?) programming?
  Http://groups.yahoo.com/group/adsianddirectoryservices
  Carlos Magalhaes.

  -Original Message-
  From: Tony Murray [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 9:43 AM
  To: [EMAIL PROTECTED]
  Subject: Re: [ActiveDir] Good book on AD

  I'd recommend Active Directory Forestry by John Craddock and Sally Storey.  It has
  an excellent "LDP Primer" chapter and goes into some of the finer detail on object
  classes and attributes.
  Tony

  -- Original Message --
  Wrom: PNKMBIPBARHDMNNSKVFVWRKJV
  Reply-To: [EMAIL PROTECTED]
  Date:  Wed, 14 Jan 2004 18:48:22 -0500

  I am looking for a few good books on AD to help me re-work on AD here.  I have
  Mission Critical AD, Robbie's second AD book, the cookbook, and Inside AD. lol I
  know too many books.  Is there anything else I am missing?
  Ryan McDonald
  


RE: [ActiveDir] Importing of contacts

2004-01-15 Thread Roger Seielstad

Looks like Jerry from CPS already mentioned their company's product, which I've heard
very good things about.

I would think that you *might* be able to do it with the Exchange Interorg tool,
but that's a 5.5 tool, so I'd expect you'd need to be in Mixed mode for
Exchange.
http://support.microsoft.com/default.aspx?scid=kb;en-us;198789

Without some coding, you're probably going to have to purchase a solution
though.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  -Original Message-
  From: Yusuf Mayet [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 5:48 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Importing of contacts
  
  Hi all

  I have a client that has three exchange organizations in their company.

  I am looking at synchronizing the Address Lists across each of the forests.

  I know that I can use MIIS (not joe's favourite word, I apologise joe) to do a
  GAL synch but the customer refuses to budget for the additional hardware and SQL
  license cost that is required.

  I know that I can do some type of import of the users by making them contacts in
  the other Exchange Orgs but I have never done this before and my programming
  skills are very shaky

  Any other ideas guys

  Thanks in advance
  yusuf

   
  This email and any files transmitted with it are confidential and intended solely
  for the use of the individual or entity to whom they are addressed. If you have
  received this email in error please notify the Business Connexion at
  :[EMAIL PROTECTED] This message contains confidential information and is
  intended only for the individual named. If you are not the named addressee you
  should not disseminate, distribute or copy this e-mail. This e-mail has been
  scanned for all viruses by Antigen. The service is powered by Sybari. For more
  information on a proactive anti-virus service working around the clock, around
  the globe, visit:
  http://www.busconnex.co.za
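The "make them contacts in the other Exchange org" approach Yusuf asks about, and the "some coding" Roger refers to, as an added example that is not part of the original thread, of MIIS, or of any Microsoft tool. It takes an LDIF export of user objects from one forest (the kind `ldifde -f` produces), keeps only a whitelist of address-book attributes, drops disabled and mail-less accounts, and emits LDIF `add` records for contact objects in the other forest. The sample export, the target OU `OU=OrgA Contacts,DC=orgB,DC=example`, the `source_label` text and the whitelist in `PUBLISHED` are constructed assumptions; the attribute names (`targetAddress`, `mailNickname`, `proxyAddresses`) are the standard AD/Exchange ones.

```python
"""
Turn an LDIF export of users from one forest into mail-enabled contacts for
another forest's GAL.  Added example for this thread, not code from the list,
Microsoft or any vendor; the sample export, target OU and label are assumptions.
Handles the LDIF subset ldifde emits for user objects: folded continuation
lines, '::' base64 values and multi-valued attributes.
"""
import base64

ACCOUNTDISABLE = 0x0002  # userAccountControl bit for a disabled account
# Only these source attributes are copied onto the contact; photos, notes and
# account flags stay in the home forest (assumed whitelist).
PUBLISHED = ("givenName", "sn", "displayName", "mail", "proxyAddresses")

SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=orgA,DC=example
objectClass: user
sAMAccountName: aexample
givenName: Alice
sn: Example
displayName: Alice Example
mail: alice@orga.example
userAccountControl: 512
proxyAddresses: SMTP:alice@orga.example
proxyAddresses: smtp:alice.example@orga.example
thumbnailPhoto:: /9j/
 4AAQ

dn: CN=Bob Disabled,OU=Users,DC=orgA,DC=example
objectClass: user
sAMAccountName: bdisabled
mail: bob@orga.example
userAccountControl: 514
"""  # constructed sample export from the source forest, not real accounts


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts, dn included."""
    lines = []
    for raw in text.splitlines():          # unfold: leading space = continuation
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    return entries


def users_to_contacts(entries, target_ou, source_label):
    """Build contact entries for the target forest; skip disabled and mail-less
    accounts so the other org's GAL never lists an address that cannot receive."""
    contacts = []
    for e in entries:
        if "user" not in e.get("objectClass", []):
            continue
        uac = int(e.get("userAccountControl", ["0"])[0])
        mail = e.get("mail", [""])[0]
        if uac & ACCOUNTDISABLE or not mail:
            continue
        cn = e.get("displayName", [mail])[0].replace(",", "\\,")  # escape RDN commas
        contact = {
            "dn": [f"CN={cn},{target_ou}"],
            "objectClass": ["top", "person", "organizationalPerson", "contact"],
            "mailNickname": [e.get("sAMAccountName", [mail.split("@")[0]])[0]],
            "targetAddress": [f"SMTP:{mail}"],  # where the target org forwards mail
            "description": [f"GAL sync from {source_label}"],
        }
        for attr in PUBLISHED:
            if attr in e:
                contact[attr] = list(e[attr])
        contacts.append(contact)
    return contacts


def to_ldif(contacts):
    """Render contacts as LDIF 'add' records that ldifde -i can import."""
    out = []
    for c in contacts:
        out.append(f"dn: {c['dn'][0]}")
        out.append("changetype: add")
        for attr, values in c.items():
            if attr != "dn":
                out.extend(f"{attr}: {v}" for v in values)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    print(to_ldif(users_to_contacts(users, "OU=OrgA Contacts,DC=orgB,DC=example", "orgA")))
```

Export with `ldifde -f users.ldf -r "(objectClass=user)" -l mail,displayName,givenName,sn,sAMAccountName,proxyAddresses,userAccountControl` in the source forest, run the script, and import the result with `ldifde -i -f contacts.ldf` in the target forest using an account that only has create-child rights on the contacts OU. Because the script re-emits every entry on each run, a real sync also needs a delete or modify pass for accounts that have gone away, and the RDN escaping here only covers commas; the point of the whitelist is that nothing beyond published address-book data crosses the forest boundary.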

