RE: [ActiveDir] Biggest AD Gripes
You're obviously too young to remember: LSL NE3200 IPXODI NETX :) VLMs made life a whole lot easier.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 05 August 2005 16:59
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

Grin ... you're right of course, I think you're referring to compiling an ANET3 EXE, but don't misunderstand me, I loved some of the older shells or requestors like the VLMs, for nostalgic purposes - LSL NE3200 IPXODI VLM C:\F: F:\LOGIN ... ah, even now I get a gooey comfortable feeling. :o)

It's the Windows NT/2000 client I was referring to that used to create a new and different local SAM account each time you logged on as a NetWare account ... garbage!

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I don't know Dean--I kinda liked the old Netware client. I mean, what great job security. No one who didn't know any better could possibly figure out the right combination of ODI drivers, VLMs and client shells to bind together to actually get access to Netware. The best was the Netware 2.x client, where you had to run something equivalent to a compiler to actually create a client. After that, VLMs seemed like going to the moon...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 9:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, let's not forget the less than well-thought-out client they produced (current versions are better but still remain less well integrated than Windows' native ability) ... utterly, utterly pathetic attempt.

Arrogance and a distinct lack of marketing (when compared to the competition) was also a contributing factor IMO.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I think there were a few very important reasons why Netware lost the battle. I remember when NT first shipped the mantra was, "Netware is great for file and print and NT is great for applications." Netware NLMs were impossible to develop and that meant that folks either developed apps on NT or more likely Unix (at the time). Apps are sticky, file and print is not. Over time, as Windows ruled the desktop and people realized that file and print was commodity and that arguing about whether Netware was a better file and print server than NT became meaningless compared to better desktop/server integration, Novell lost out. Novell failed to keep up, in my opinion. The market was theirs to lose...and they lost it. Proof once again that great technology coupled with bad management is just as bad as bad technology.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, August 05, 2005 5:05 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

IMHO Novell lost out to MS due to the fact that Netware 3 was so clunky (ultra stable but difficult to manage once you deployed more than ~100 servers). Netware 4/NDS had issues in its first version and quickly lost traction, leaving MS and NT to pick up the thread. It was for this reason that very few orgs deployed NDS across a large env - NDS was more than capable of supporting 100K users and the management/maintenance/support would have been far simpler than it was for NT. Once NT gained the upper hand, momentum took over and led us to where we are today.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 05 August 2005 00:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Yeah, ADAM scared some folks in the widget factory as well. On the positive side, it can register in AD so you can chase them down that way via their SCPs. If they don't register, well then that will be fun to chase as it will be like trying to find rogue AD's, network scanning but even worse, any port can be used... If all machines are part of a domain or forest, you could set up policies to block the running of the ADAM binaries I guess. I like AD/AM more from the standpoint that I think it can hint as to where AD will go.

What is the largest Enterprise deployment of NDS that anyone has seen? I haven't seen anything larger than say 5000 or so users, it seems that the management got too difficult even at that level, but then I never looked really close at it, so
RE: [ActiveDir] Biggest AD Gripes
I see your HIMEM and raise you a QEMM!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: 05 August 2005 17:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Don't make me get out my copies of himem and loadhigh!

And his name was Ray Noorda.

-gil (resident old guy and networking historian)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Friday, August 05, 2005 9:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

> LSL NE3200 IPXODI VLM C:\F: F:\LOGIN ... ah, even now I get a gooey comfortable feeling. :o)

You may call it a gooey comfortable feeling, Dean, but I'm having screaming-nightmare flashbacks over here! ;-)

I actually think that Novell lost the race when they had that CEO (damned if I remember his name) who got on this kick of "We need to do -everything- Microsoft does in order to compete." So since MS had Office, Novell went and acquired Corel...stuff like that. Though I'd probably lump that into the larger heading of inadequate/misinformed marketing that others have already mentioned.

- L

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

==
Please access the attached hyperlink for an important electronic communications disclaimer:
http://www.csfb.com/legal_terms/disclaimer_external_email.shtml
==
RE: [ActiveDir] OT - Biggest AD Gripes
There are certainly fairly large (~10k) installations and NDS/eDIR will scale way beyond that too. A lack of client/dir/server integration may become an issue as the org grows, though.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: 06 August 2005 00:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - Biggest AD Gripes

Were there any comments to Joe's question about large deployments of NDS? Are/were there any out there? I am just interested because I still hear comments about how scalable it is.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, August 05, 2005 7:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - The downfall of Novell and NetWare (was- Biggest AD Gripes)

Heh

From a pure technical view, quite right. However - that's where I started - NetWare 2.0 (I mean the FIRST NetWare 2.0). I still remember the proprietary servers that they used to manufacture.

However, what really killed Novell was not the brilliant technical ideas of Drew Majors (who, I still respect as a guy with real vision), but the megalomania and obsessive behavior of Ray Noorda. Ray so envied Bill Gates that he was going to do anything to better Gates. This meant that Ray effectively lost focus of what Novell was all about in the interest of buying up products that he thought would better Microsoft. Hence, absolutely ridiculous amounts of money (OK, for that time it was ridiculous...) were spent for WordPerfect and ATT Unix, as well as other pieces that were picked up.

But, the focus was lost, NT 4.0 caught on, and the Microsoft marketing machine paid no attention (outwardly, at least) to Noorda. They just went after the customers who had lost patience with the very badly off track NetWare. What was once a major player - and owned greater than 80% of the server market - all but became a bit player overnight.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 8:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, let's not forget the less than well-thought-out client they produced (current versions are better but still remain less well integrated than Windows' native ability) ... utterly, utterly pathetic attempt.

Arrogance and a distinct lack of marketing (when compared to the competition) was also a contributing factor IMO.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I think there were a few very important reasons why Netware lost the battle. I remember when NT first shipped the mantra was, "Netware is great for file and print and NT is great for applications." Netware NLMs were impossible to develop and that meant that folks either developed apps on NT or more likely Unix (at the time). Apps are sticky, file and print is not. Over time, as Windows ruled the desktop and people realized that file and print was commodity and that arguing about whether Netware was a better file and print server than NT became meaningless compared to better desktop/server integration, Novell lost out. Novell failed to keep up, in my opinion. The market was theirs to lose...and they lost it. Proof once again that great technology coupled with bad management is just as bad as bad technology.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, August 05, 2005 5:05 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

IMHO Novell lost out to MS due to the fact that Netware 3 was so clunky (ultra stable but difficult to manage once you deployed more than ~100 servers). Netware 4/NDS had issues in its first version and quickly lost traction, leaving MS and NT to pick up the thread. It was for this reason that very few orgs deployed NDS across a large env - NDS was more than capable of supporting 100K users and the management/maintenance/support would have been far simpler than it was for NT. Once NT gained the upper hand, momentum took over and led us to where we are today.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 05 August 2005 00:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Yeah, ADAM scared some folks in the widget factory as well. On the positive side, it can register in AD so you can chase them down that way via their SCPs. If they don't register, well then that will be fun to chase as it will be like trying to find rogue AD's, network scanning
[ActiveDir] DC replicating with deleted DSA object
We have recently re-built and upgraded several DCs from w2k to w2k3. The upgrade is achieved as follows:

1. demote w2k DC
2. build and promote w2k3 DC

Sometimes the h/w in 1 and 2 are different but sometimes the same h/w is used. Furthermore, sometimes the same name is used in 1 and 2 but not always.

If I now execute repadmin /showreps on an existing (bridgehead) w2k DC, I see the following issue:

<snip>
    y\ DEL:620c0fd7-f4f4-46ce-90ef-099659abcef6 (deleted DSA) via RPC
        objectGuid: a6cb3618-9a77-43a6-9ac3-d753b9b112eb
    z\ (deleted DSA) via RPC
        objectGuid: ce82cc75-1c27-416f-808d-3ac461a17a63
    y\ DEL:a41088e1-0d66-43e8-8b83-a8986f7f6b2a (deleted DSA) via RPC
        objectGuid: 72c4c974-7dc3-43ae-85aa-b427755983fb
<snip>

Where:
xx is a DC which was built temporarily and then demoted several days ago
aa is a DC which was re-built (as per above) with the same name
bb is a DC which was re-built (as per above) with the same name (in the same site as xx)

I have been considering using repadmin /delete to remove these incorrect replication connections and wondered if anyone had used such a method before or could offer any alternatives?

Thanks,
neil
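The following PowerShell is an added example, not code from the post or from the list. It parses the text layout of repadmin /showreps quoted above ("site\server via RPC" followed by an "objectGuid:" line), picks out the inbound partners flagged "(deleted DSA)", that is, repsFrom entries whose source NTDS Settings object no longer exists, and prints the repadmin /delete command that would remove each stale link without executing it. The naming context, the healthy partner, the destination DC name and the forest root DNS name are assumptions made for the demo; the repadmin /delete argument order and the /localonly switch are written from memory of the Windows 2000/2003 support tool and must be confirmed against repadmin /? before use.

```powershell
# Added example (not from the thread). Parses "repadmin /showreps" output in the
# format quoted in the post and reports partners marked "(deleted DSA)".

function Get-DeletedDsaPartners {
    param([Parameter(Mandatory)][string[]]$ShowRepsOutput)
    $results   = @()
    $currentNC = $null
    $pending   = $null
    foreach ($line in $ShowRepsOutput) {
        # Naming-context headers are unindented DNs
        if ($line -match '^(DC=|CN=)') { $currentNC = $line.Trim(); continue }
        # Stale partner: "<site>\<name, DEL:<guid> or nothing> (deleted DSA) via <transport>"
        if ($line -match '^\s+(?<site>[^\\]+)\\(?<name>.*?)\s*\(deleted DSA\)\s+via\s+(?<transport>\S+)') {
            $pending = [pscustomobject]@{
                NamingContext = $currentNC
                Site          = $Matches.site.Trim()
                Name          = $Matches.name.Trim()
                Transport     = $Matches.transport
                ObjectGuid    = $null
            }
            continue
        }
        # Any other partner line: its objectGuid must not be attributed to a stale one
        if ($line -match '^\s+\S+\\.*\bvia\s+\S+') { $pending = $null; continue }
        if ($pending -and $line -match '^\s+objectGuid:\s*(?<guid>[0-9a-fA-F-]{36})') {
            $pending.ObjectGuid = $Matches.guid
            $results += $pending
            $pending = $null
        }
    }
    return $results
}

function Test-DsaObjectPresent {
    param([Parameter(Mandatory)][string]$ObjectGuid)
    # Binding by GUID fails once the NTDS Settings object is tombstoned, which is the
    # expected state for a demoted DC. True means the DSA still exists and the link
    # should be left alone (look for a KCC/topology problem instead).
    return [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://<GUID=$ObjectGuid>")
}

function Get-RepadminDeleteCommand {
    param(
        [Parameter(Mandatory)]$Partner,
        [Parameter(Mandatory)][string]$DestinationDsa,   # the DC that showed the stale link
        [Parameter(Mandatory)][string]$ForestRootDns     # assumption: e.g. corp.example.com
    )
    # The source DSA is addressed by its GUID-based DNS name: <objectGuid>._msdcs.<forest root>.
    # Deleting by GUID matters here: a rebuilt DC with the same name has a new objectGuid.
    $sourceDsa = "$($Partner.ObjectGuid)._msdcs.$ForestRootDns"
    # Syntax from memory of repadmin (assumption, confirm with repadmin /?):
    #   repadmin /delete <NamingContext> <DestDSA> <SourceDSA GUID-based DNS name> /localonly
    # /localonly removes only the local repsFrom entry and does not contact the source.
    "repadmin /delete `"$($Partner.NamingContext)`" $DestinationDsa $sourceDsa /localonly"
}

# Constructed sample in the layout quoted in the post (the three deleted-DSA GUIDs are
# the ones quoted; the naming context, healthy partner and site letters are invented).
$sample = @(
    'DC=corp,DC=example,DC=com',
    '    a\BRIDGEHEAD02 via RPC',
    '        objectGuid: 11111111-2222-3333-4444-555555555555',
    '    y\ DEL:620c0fd7-f4f4-46ce-90ef-099659abcef6 (deleted DSA) via RPC',
    '        objectGuid: a6cb3618-9a77-43a6-9ac3-d753b9b112eb',
    '    z\ (deleted DSA) via RPC',
    '        objectGuid: ce82cc75-1c27-416f-808d-3ac461a17a63',
    '    y\ DEL:a41088e1-0d66-43e8-8b83-a8986f7f6b2a (deleted DSA) via RPC',
    '        objectGuid: 72c4c974-7dc3-43ae-85aa-b427755983fb'
)
# Live use: $lines = repadmin /showreps bridgehead01.corp.example.com ; then pass $lines
$stale = Get-DeletedDsaPartners -ShowRepsOutput $sample
$stale | Format-Table Site, Name, Transport, ObjectGuid, NamingContext -AutoSize
foreach ($p in $stale) {
    Get-RepadminDeleteCommand -Partner $p -DestinationDsa 'bridgehead01.corp.example.com' -ForestRootDns 'corp.example.com'
}
# On a live DC, gate each command on: -not (Test-DsaObjectPresent $p.ObjectGuid)
```

Two points a practitioner would check before running anything this prints. First, the name shown in the "(deleted DSA)" line is not a safe handle: two of the quoted entries carry the same site and a DEL: prefix, and a DC rebuilt under its old name gets a fresh objectGuid, so the GUID on the objectGuid line is the only thing that identifies the stale source. Second, confirm with Test-DsaObjectPresent that the NTDS Settings object really is gone; if it still binds, the link is not stale and the KCC, not repadmin /delete, is the place to look.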
RE: [ActiveDir] Biggest AD Gripes
IMHO Novell lost out to MS due to the fact that Netware 3 was so clunky (ultra stable but difficult to manage once you deployed more than ~100 servers). Netware 4/NDS had issues in its first version and quickly lost traction, leaving MS and NT to pick up the thread. It was for this reason that very few orgs deployed NDS across a large env - NDS was more than capable of supporting 100K users and the management/maintenance/support would have been far simpler than it was for NT. Once NT gained the upper hand, momentum took over and led us to where we are today.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 05 August 2005 00:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Yeah, ADAM scared some folks in the widget factory as well. On the positive side, it can register in AD so you can chase them down that way via their SCPs. If they don't register, well then that will be fun to chase as it will be like trying to find rogue AD's, network scanning but even worse, any port can be used... If all machines are part of a domain or forest, you could set up policies to block the running of the ADAM binaries I guess. I like AD/AM more from the standpoint that I think it can hint as to where AD will go.

What is the largest Enterprise deployment of NDS that anyone has seen? I haven't seen anything larger than say 5000 or so users, it seems that the management got too difficult even at that level, but then I never looked really close at it, so possibly the admins and designers involved weren't that great. I certainly have never heard of any 100k globally distributed NDS implementations.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, August 04, 2005 11:16 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

Re ADAM: I am unsure about this technology. I can handle multiple instances of an AD database which all provide a common service, but ADAM *could* lead to anarchy, where anyone can fire up an instance of their own home grown directory. That thought scares me and right now I do not know how a large org would manage such a scenario. I'd prefer to keep control, but have a more elegant and modular way to patch the various components which exist throughout the infra.

Re your last para:
1. NDS was simpler to design IMHO and thus never attracted large design rates
2. AD has greater penetration, as you say and so demand is thus greater.
3. Directories themselves have a much larger scope today than they ever did. Compare NT and what we did with it vs AD and what we do with that. A good architect who can juggle all the necessary directory balls can demand a better rate than someone who merely installs a few NT domains and WINS servers [no disrespect intended - I was once in the latter category myself]
4. I haven't supported Netware/NDS for 10 years, so cannot reap those benefits that the admins may realise one day :) [I doubt that day will ever come, however.]

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 04 August 2005 15:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

No worries, probably the fault of my reading versus your writing. I have been known to have trouble reading English which is why I tend to write more than read. :o)

Yes absolutely on the modular piece. I completely agree on this direction as well and exactly what I argued for with them. Personally, I look at AD/AM with great hope as to what it can eventually become, it could be the way to get to that without having to drag everyone there. People just jump to some AD/AM like system at some point when they want to and leave legacy behind but still have AD for some time available to anyone not ready.

Agreed on well worth it.

The last comment I find interesting. Is the earnings based on the relatively low penetration of NDS or simply NDS folks are just paid less? I would expect, if NDS marketshare gets to even lower points, that NDS admins would start to fetch bonus pay.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, August 04, 2005 4:41 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

What you state in the first para is what I was trying to say, but obviously not eloquently enough :) I am aware that many of the ppl here have never used NDS so have no clue what it can offer. Hence the irony, that we/they ask for features that Novell offered 12 years ago in Netware 4.

Re the second para - I guess I'm asking that AD be considered a modular, independent app that runs on Windows. As you say, that may scare MS somewhat, but it would make AD a lot more palatable and attractive to those who have yet to deploy.

Local SAM
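joe's suggestion, quoted in the message above, is to find ADAM instances through the service connection points they register in AD before falling back to network scanning. The PowerShell below is an added example, not from the thread: it enumerates every serviceConnectionPoint object in the current domain with the attributes that identify the publishing service and where it listens. Nothing in it is ADAM-specific; the exact serviceClassName and keywords an ADAM build writes should be read off one known instance first (that is an assumption left to the reader), and the search base defaults to the domain's defaultNamingContext.

```powershell
# Added example (not from the thread). Lists all SCPs in the domain so that
# directory instances that registered themselves can be found without a port scan.

function Get-ServiceConnectionPoints {
    param([string]$SearchBase)   # default: the current domain's defaultNamingContext
    if (-not $SearchBase) { $SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter     = '(objectClass=serviceConnectionPoint)'
    $searcher.PageSize   = 500    # paged search so large domains do not hit the size limit
    foreach ($a in 'distinguishedName','serviceClassName','serviceBindingInformation','keywords','whenCreated') {
        [void]$searcher.PropertiesToLoad.Add($a)
    }
    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties   # property names come back lower-cased; missing ones are empty collections
        [pscustomobject]@{
            DistinguishedName = $p['distinguishedname'][0]
            ServiceClass      = if ($p['serviceclassname'].Count) { $p['serviceclassname'][0] } else { $null }
            Binding           = @($p['servicebindinginformation']) -join '; '
            Keywords          = @($p['keywords']) -join '; '
            Created           = $p['whencreated'][0]
        }
    }
}

# Usage: newest registrations first, which is where an unexpected instance tends to show up
# Get-ServiceConnectionPoints | Sort-Object Created -Descending | Format-Table -AutoSize
```

An SCP is published by the instance itself, so this only finds instances whose installer ran with rights to create the object and whose operator did not opt out; the ones joe calls "fun to chase" are exactly the ones that never registered. The other half of his suggestion, blocking the ADAM binaries by policy, has the same coverage gap in reverse: a Software Restriction Policy only applies to machines that are domain members and process the GPO.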
RE: [ActiveDir] Biggest AD Gripes
What you state in the first para is what I was trying to say, but obviously not eloquently enough :) I am aware that many of the ppl here have never used NDS so have no clue what it can offer. Hence the irony, that we/they ask for features that Novell offered 12 years ago in Netware 4.

Re the second para - I guess I'm asking that AD be considered a modular, independent app that runs on Windows. As you say, that may scare MS somewhat, but it would make AD a lot more palatable and attractive to those who have yet to deploy.

Local SAM - large changes needed yes, but I think they are *well* worth it :)

I have yet to find any good reasons for giving up NDS (except that AD architects earn more than NDS equivalents :))

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 04 August 2005 02:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I am not sure it is a people wanting NDS/Netware features as much as it is people wanting certain features that would make their lives easier and it just so happens Novell had come to some of the same conclusions previously on what to add or were bugged for them. A lot of the things being asked for would probably be asked for on other directories as well unless they were already there. And then on the others, people could be asking for features that AD already has implemented, but not necessarily because they have used AD.

Yeah I also like the idea of upgrading AD outside of the OS. I really tried to push for that in April 2004 at Redmond. There was a mixed response of "that will never happen" and "never say never, that is an interesting idea" followed up by "would I be willing to pay for AD as a separate product". My response to that was "if the price of the OS product went down in a similar way". Of course it also opens up MS to more competition there. Someone else just may come out with an AD like product to run on Windows if it was sold separately and someone knew they had to buy it from someone. Now who could that be?

I like the last one too... A machine becomes part of a domain, its local SAM no longer functions. That would be some pretty massive changes though I expect.

So what reasons did you come up with to remind yourself why you left NDS?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Wednesday, August 03, 2005 4:31 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

I always find it quite ironic that those who have never used NDS/Netware always seem to want NDS/Netware features, once they've worked with AD for a period of time :) I have to remind myself why I booted NDS out in preference to NT/AD years ago...

Novell have been offering the vast majority of what is being proposed here for many years and even started to support the equivalent of GPO to Windows devices around 10 years ago too!

I would add a new gripe (which Novell do support and have done since Netware 4) and that is the ability to upgrade the AD (or any other component for that matter) across an enterprise. Naturally, this means that these components need to be more modular, but it would be great if I could upgrade AD from version n to n+1 by simply deploying a file/files across all my DCs and then re-starting AD out of hours (not a server re-start, just a component re-start).

Another gripe (if I may) would be my hate for local accounts. Why do we have / need an AD database and another database on each member server? Again, NDS/eDIR has a better architecture, in that all SPs exist within the directory and none exist on the servers themselves. TCO diminished immediately :)

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 02 August 2005 23:02
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Biggest AD Gripes

I think what a lot of the stuff people are asking for is to take some of the stuff that NDS and eDir already use. Rights and login scripts at OUs and dividing AD as an admin sees fit. At least that's what it seems like to me but I haven't worked with Novell in about 4yrs.

--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
RE: [ActiveDir] Biggest AD Gripes
In all fairness, all reg keys can be managed via ADM templates, which can be custom crafted. I for one have done this from JDP times onward, esp when configuring 3rd party apps. However, it would be far more elegant if more (Windows) settings were exposed via the out of the box ADM files and hopefully, one day, vendors will supply ADM files for their products too.

Deleting and undeleting features are definitely well overdue.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: 04 August 2005 11:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I am not a big fan of having to use the registry editor to set fixed RPC ports. It would be nice if during the DCPROMO process you could set the ports within the GUI or script. Recently I have been using GPOs to make the settings changes.

A nicer tool for deleting orphan/lingering objects would be nice.

Thanks,
Todd
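Todd's gripe and Neil's answer fit together: the fixed RPC ports for a DC are plain registry values, and a custom ADM template can push any registry value through a GPO. The PowerShell below is an added example, not from the thread or from either poster: it writes such a template for the two DWORD values documented for pinning DC RPC traffic (NTDS "TCP/IP Port" and Netlogon "DCTcpipPort") and reads back what a DC currently has. The port numbers, category and policy names and the output path are assumptions chosen for the demo.

```powershell
# Added example (not from the thread). Generates a custom ADM template that sets the
# fixed-port registry values for NTDS and Netlogon, and reads the current values.

$NtdsKey     = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NetlogonKey = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function New-DcRpcPortAdm {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$DefaultNtdsPort     = 38901,   # assumption: choose from a range you reserve for DCs
        [int]$DefaultNetlogonPort = 38902
    )
    # NUMERIC parts write REG_DWORD values. Both keys live outside the Software\Policies
    # tree, so Group Policy treats them as preferences: they tattoo the registry and
    # remain after the GPO is unlinked, and the editor hides them until you turn off
    # "Only show policy settings that can be fully managed".
    $adm = @"
CLASS MACHINE
CATEGORY !!Cat_DcRpc
    POLICY !!Pol_NtdsPort
        KEYNAME "$NtdsKey"
        EXPLAIN !!Exp_NtdsPort
        PART !!Part_Port NUMERIC REQUIRED
            VALUENAME "TCP/IP Port"
            MIN 1025 MAX 65535 DEFAULT $DefaultNtdsPort
        END PART
    END POLICY
    POLICY !!Pol_NetlogonPort
        KEYNAME "$NetlogonKey"
        EXPLAIN !!Exp_NetlogonPort
        PART !!Part_Port NUMERIC REQUIRED
            VALUENAME "DCTcpipPort"
            MIN 1025 MAX 65535 DEFAULT $DefaultNetlogonPort
        END PART
    END POLICY
END CATEGORY

[strings]
Cat_DcRpc="Domain Controller RPC ports (custom)"
Pol_NtdsPort="Fixed port for AD replication (NTDS)"
Pol_NetlogonPort="Fixed port for Netlogon"
Part_Port="TCP port"
Exp_NtdsPort="Sets the NTDS TCP/IP Port value. Link only to the Domain Controllers OU; the DC must be restarted for it to take effect."
Exp_NetlogonPort="Sets the Netlogon DCTcpipPort value. Link only to the Domain Controllers OU; the DC must be restarted for it to take effect."
"@
    # The classic policy editor reads ADM files as ANSI text
    Set-Content -Path $Path -Value $adm -Encoding Ascii
    return $Path
}

function Get-DcRpcPorts {
    # A missing value means that service is still taking a dynamic port from the
    # RPC endpoint mapper, i.e. the policy has not applied or the DC has not restarted.
    $ntds = Get-ItemProperty -Path "HKLM:\$NtdsKey"     -ErrorAction SilentlyContinue
    $nl   = Get-ItemProperty -Path "HKLM:\$NetlogonKey" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NtdsPort     = $ntds.'TCP/IP Port'
        NetlogonPort = $nl.DCTcpipPort
    }
}

# Usage: write the template, then load it into the GPO with Add/Remove Templates
# New-DcRpcPortAdm -Path 'C:\temp\DcRpcPorts.adm'
# Get-DcRpcPorts   # run on a DC after a restart to confirm the values landed
```

The preference behaviour is the caveat worth remembering with any custom ADM of this kind: because the values persist after the GPO goes away, a DC moved out of the scope of the policy keeps its fixed ports, which is what you want for firewall rules but also means the template, not the GPO link, is the record of which DC is supposed to use which port.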
RE: [ActiveDir] Biggest AD Gripes
Re ADAM: I am unsure about this technology. I can handle multiple instances of an AD database which all provide a common service, but ADAM *could* lead to anarchy, where anyone can fire up an instance of their own home grown directory. That thought scares me and right now I do not know how a large org would manage such a scenario. I'd prefer to keep control, but have a more elegant and modular way to patch the various components which exist throughout the infra.

Re your last para:
1. NDS was simpler to design IMHO and thus never attracted large design rates
2. AD has greater penetration, as you say and so demand is thus greater.
3. Directories themselves have a much larger scope today than they ever did. Compare NT and what we did with it vs AD and what we do with that. A good architect who can juggle all the necessary directory balls can demand a better rate than someone who merely installs a few NT domains and WINS servers [no disrespect intended - I was once in the latter category myself]
4. I haven't supported Netware/NDS for 10 years, so cannot reap those benefits that the admins may realise one day :) [I doubt that day will ever come, however.]

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 04 August 2005 15:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

No worries, probably the fault of my reading versus your writing. I have been known to have trouble reading English which is why I tend to write more than read. :o)

Yes absolutely on the modular piece. I completely agree on this direction as well and exactly what I argued for with them. Personally, I look at AD/AM with great hope as to what it can eventually become, it could be the way to get to that without having to drag everyone there. People just jump to some AD/AM like system at some point when they want to and leave legacy behind but still have AD for some time available to anyone not ready.

Agreed on well worth it.

The last comment I find interesting. Is the earnings based on the relatively low penetration of NDS or simply NDS folks are just paid less? I would expect, if NDS marketshare gets to even lower points, that NDS admins would start to fetch bonus pay.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, August 04, 2005 4:41 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

What you state in the first para is what I was trying to say, but obviously not eloquently enough :) I am aware that many of the ppl here have never used NDS so have no clue what it can offer. Hence the irony, that we/they ask for features that Novell offered 12 years ago in Netware 4.

Re the second para - I guess I'm asking that AD be considered a modular, independent app that runs on Windows. As you say, that may scare MS somewhat, but it would make AD a lot more palatable and attractive to those who have yet to deploy.

Local SAM - large changes needed yes, but I think they are *well* worth it :)

I have yet to find any good reasons for giving up NDS (except that AD architects earn more than NDS equivalents :))

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 04 August 2005 02:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I am not sure it is a people wanting NDS/Netware features as much as it is people wanting certain features that would make their lives easier and it just so happens Novell had come to some of the same conclusions previously on what to add or were bugged for them. A lot of the things being asked for would probably be asked for on other directories as well unless they were already there. And then on the others, people could be asking for features that AD already has implemented, but not necessarily because they have used AD.

Yeah I also like the idea of upgrading AD outside of the OS. I really tried to push for that in April 2004 at Redmond. There was a mixed response of "that will never happen" and "never say never, that is an interesting idea" followed up by "would I be willing to pay for AD as a separate product". My response to that was "if the price of the OS product went down in a similar way". Of course it also opens up MS to more competition there. Someone else just may come out with an AD like product to run on Windows if it was sold separately and someone knew they had to buy it from someone. Now who could that be?

I like the last one too... A machine becomes part of a domain, its local SAM no longer functions. That would be some pretty massive changes though I expect.

So what reasons did you come up with to remind yourself why you left NDS?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Wednesday, August 03, 2005 4:31 AM
To: 'ActiveDir
RE: [ActiveDir] Biggest AD Gripes
I always find it quite ironic that those who have never used NDS/Netware always seem to want NDS/Netware features, once they've worked with AD for a period of time :) I have to remind myself why I booted NDS out in preference to NT/AD years ago...

Novell have been offering the vast majority of what is being proposed here for many years and even started to support the equivalent of GPO to Windows devices around 10 years ago too!

I would add a new gripe (which Novell do support and have done since Netware 4) and that is the ability to upgrade the AD (or any other component for that matter) across an enterprise. Naturally, this means that these components need to be more modular, but it would be great if I could upgrade AD from version n to n+1 by simply deploying a file/files across all my DCs and then re-starting AD out of hours (not a server re-start, just a component re-start).

Another gripe (if I may) would be my hate for local accounts. Why do we have / need an AD database and another database on each member server? Again, NDS/eDIR has a better architecture, in that all SPs exist within the directory and none exist on the servers themselves. TCO diminished immediately :)

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 02 August 2005 23:02
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Biggest AD Gripes

I think what a lot of the stuff people are asking for is to take some of the stuff that NDS and eDir already use. Rights and login scripts at OUs and dividing AD as an admin sees fit. At least that's what it seems like to me but I haven't worked with Novell in about 4yrs.

--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
RE: [ActiveDir] End-to-End AD Authentication
Portal - http://www.microsoft.com/windowsserver2003/technologies/default.mspx

Kerberos -
http://www.microsoft.com/windowsserver2003/technologies/security/default.mspx
http://www.microsoft.com/windows2000/technologies/security/kerberos/default.mspx

DNS - http://www.microsoft.com/windows2000/technologies/communications/default.mspx

I would suggest you go to the portal link first and you'll find a wealth of papers linked from there.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: 03 August 2005 00:34
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] End-to-End AD Authentication

Are there some white papers or some other resources that you guys would recommend to give me an in-depth analysis of the Active Directory authentication process end-to-end? Specifically, I want to understand how things like DNS/WINS, Kerberos, NTLM, etc. play a role.

Ultimately, I'm looking for a complete picture of authentication for both users and groups, including everything from how/when GPOs are processed during authentication to Kerberos/NTLM authentication to how DNS and WINS play a role.

I'll say up front that I don't necessarily expect this to be in a single document. But if anyone has some good articles or books to refer me to that will give me a start, I'd appreciate it.

Scott
RE: [ActiveDir] Group Policy delays
- Are your subnets and sites defined correctly? If not, clients may authenticate and process GPOs from DCs across slow WAN links.
- Does your GPO contain lots of registry and/or file DACL/SACL settings? This could account for the slow processing.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Clark
Sent: 03 August 2005 09:32
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Policy delays

Hello,

We have 300 identical Dell GX270s running XP in a 2003 Active Directory and we are seeing a few (1%) suffering from extremely long logons. "Applying computer settings" is displayed after the user signs in and stays there for some 20-30 mins, during which time the HDD activity light is near constantly on. Given a long enough wait the PC then opens the desktop and behaves itself. Having started, the computer can then be restarted and the PC starts in a timely fashion with no delay.

The logs show clean, and the long delays can be experienced whether or not a change to the Group Policy has been published. We suspected that it follows a user not shutting down cleanly and that some sort of chkdsk may be running (scanning a 120GB drive could be expected to take half an hour), however we have users who swear blind that they are shutting their computers down nicely and still having the slow starts. The policies that we run are minimal and if it were a screwed up policy it would affect all computers as the OU structure does not separate the computers.

If anyone has some thoughts for seeking out the root cause I would be very grateful.

Cheers
Gary
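An added check for Neil's first bullet (this is not code from the thread): map each slow client's IP address to the AD subnet and site it lands in, flagging any address that matches no defined subnet, since a siteless client can be handed any DC in the domain, including one across a WAN link. It assumes the ActiveDirectory PowerShell module; the two client addresses are placeholders.

```powershell
# Added example, not from the list thread. Requires the ActiveDirectory module
# (Windows Server 2008 R2 RSAT or later). Client addresses below are placeholders.
Import-Module ActiveDirectory

function Test-IPv4InCidr {
    # True when $Address lies inside the $Cidr network (e.g. '10.20.0.0/16').
    param([string]$Address, [string]$Cidr)
    $network, $bits = $Cidr -split '/'
    # Reverse the byte order so the dotted quad becomes a host-order UInt32.
    $ip  = [BitConverter]::ToUInt32(([ipaddress]$Address).GetAddressBytes()[3..0], 0)
    $net = [BitConverter]::ToUInt32(([ipaddress]$network).GetAddressBytes()[3..0], 0)
    # Prefix mask: 2^32 - 2^(32-bits) gives the top $bits bits set; /0 yields 0.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return (($ip -band $mask) -eq ($net -band $mask))
}

function Get-ClientSiteCoverage {
    # For each client address, report the most specific AD subnet that covers it
    # and the site that subnet belongs to, or flag the client as siteless.
    param([string[]]$ClientAddress)
    # AD stores each subnet object under the name "network/prefix".
    $subnets = Get-ADReplicationSubnet -Filter * -Properties Site |
        Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+/\d+$' }   # IPv4 subnets only
    foreach ($addr in $ClientAddress) {
        $match = $subnets |
            Where-Object { Test-IPv4InCidr -Address $addr -Cidr $_.Name } |
            Sort-Object { [int]($_.Name -split '/')[1] } -Descending |   # longest prefix wins
            Select-Object -First 1
        [pscustomobject]@{
            Client = $addr
            Subnet = if ($match) { $match.Name } else { '(none: client is siteless)' }
            Site   = if ($match) { (($match.Site -split ',')[0] -replace '^CN=') } else { '' }
        }
    }
}

# Compare the result with what the slow machine itself reports:
#   nltest /dsgetsite          shows the site the client believes it is in
#   nltest /dsgetdc:<domain>   shows which DC it was referred to for logon/GPO processing
Get-ClientSiteCoverage -ClientAddress '10.20.30.40', '10.99.0.7' | Format-Table -AutoSize
```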
RE: [ActiveDir] Domain DFS Roots hosted on DC
I agree with your sentiments in principle, but would state that the number of links rather than users is of importance. Domain and stand-alone DFS each have their own limitations so you should ascertain whether domain DFS will meet your requirements, whatever they may be. I assume DCs would not host links and therefore, as you say, would simply refer clients to the correct server. As such, the overhead will be minimal as you say.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: 03 August 2005 12:23
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain DFS Roots hosted on DC

Hey all,

Have a quick question about Domain DFS roots. If you have about 3000 users, do you recommend hosting the DFS root on DCs or having dedicated boxes to host the Domain DFS roots? Since the root is mainly just doing referrals, my thought is that as long as you have sufficient memory on the DCs it should work. My concern is that since my strategy is to locate all the domain resources through DFS, it might be a lot of overhead to put on the DCs. The other part of my brain thinks since it is basically just referral traffic, it can't be any more overhead than running DDNS.

Thanks,
Todd
RE: [ActiveDir] Authentication in DOS mode
When in DOS mode, you will *not* have any DNS name resolution - all names will be translated via WINS or NBT broadcast or the lmhosts file. Ensure you have an entry in your lmhosts file if WINS is not available.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hanumara, Rao
Sent: 03 August 2005 14:29
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Authentication in DOS mode

I am trying to resolve the issue of authentication in DOS mode using an NDIS driver. The purpose is to map a drive on a server for creating a Ghost image. When I boot up with floppy/CDROM sometimes I get a message after user name and password "You have been authenticated by Server (PDC) or Server (BDC)" where we have AD implemented in W2K servers. The AD and DNS work without any problems for various clients using W2K and XP operating systems. We have not implemented WINS. But on several occasions, I get a message "You are logged into Domain, but not authenticated by a Server". In the second scenario, I have to map drives using IP address rather than server names. I could not figure out what is causing this problem. We have opened all TCP ports within the subnet. Though it is not causing a major problem, I am curious what was going on. Can I create a log and see the events?

Thanks,
Rao/..
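Neil's advice above (an lmhosts entry when WINS is not available), as an added example that is not part of the thread: a PowerShell script that generates the LMHOSTS file for the DOS boot disk, with #PRE/#DOM entries for the DCs and the padded domain<1B> entry for the PDC. The domain name CORP, the DC names and the 192.0.2.x addresses are placeholders.

```powershell
# Added example, not from the list thread. DOS-era NetBIOS clients have no DNS,
# so without WINS the DCs must be preloaded from LMHOSTS. All names/addresses are placeholders.

function New-DosLmhostsContent {
    param(
        [Parameter(Mandatory)][string]$NetbiosDomain,
        [Parameter(Mandatory)][hashtable]$DomainControllers,   # NetBIOS name -> IPv4 address
        [Parameter(Mandatory)][string]$PdcName                  # must be a key of $DomainControllers
    )
    if ($NetbiosDomain.Length -gt 15) { throw 'NetBIOS domain names are at most 15 characters' }
    if (-not $DomainControllers.ContainsKey($PdcName)) { throw "PDC '$PdcName' is not in the DC list" }

    $lines = New-Object System.Collections.Generic.List[string]
    $lines.Add('# LMHOSTS for DOS clients: no DNS here, so the DCs are preloaded into the NetBIOS name cache')
    foreach ($dc in ($DomainControllers.GetEnumerator() | Sort-Object Key)) {
        # #PRE preloads the entry at startup; #DOM tags the host as a DC of that domain,
        # which is what the logon and browser services use to find a validating server.
        $lines.Add(('{0,-16}{1,-16}#PRE #DOM:{2}' -f $dc.Value, $dc.Key.ToUpper(), $NetbiosDomain.ToUpper()))
    }
    # Domain<1B> is the name only the PDC registers; the quoted name must be padded to
    # exactly 15 characters so that \0x1b occupies the 16th position.
    $padded = $NetbiosDomain.ToUpper().PadRight(15)
    $lines.Add(('{0,-16}"{1}\0x1b"   #PRE' -f $DomainControllers[$PdcName], $padded))
    return ,$lines.ToArray()
}

$content = New-DosLmhostsContent -NetbiosDomain 'CORP' -PdcName 'DC01' -DomainControllers @{
    'DC01' = '192.0.2.10'   # placeholder addresses
    'DC02' = '192.0.2.11'
}

# DOS expects plain ASCII with CRLF line endings and no byte-order mark.
$path = 'A:\LMHOSTS'
[System.IO.File]::WriteAllText($path, (($content -join "`r`n") + "`r`n"), [System.Text.Encoding]::ASCII)
```

On the DOS side the file goes next to the network client files on the boot disk; the #PRE entries are loaded when the NetBIOS stack starts, so a mistyped address shows up as the same "not authenticated by a Server" message the question describes.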
RE: [ActiveDir] Zone Transfer Question
That command will only be available if the DNS server is permitted to perform zone transfers to either:
1. any machine, or
2. a list of machines, of which the admin workstation is a member.

That command initiates a zone transfer and so the above criteria must be met. Maybe you could grant the user DnsAdmin rights instead?

Does that help answer your question?

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Wee
Sent: 03 August 2005 14:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Zone Transfer Question

Hi,

I would like to ask whether an administration workstation (Win XP Pro) should receive a zone transfer from the main DNS server (Windows 2003 server)? The reason is that the administrator would like to perform some DNS monitoring tasks like using the NSLOOKUP "ls -d abc.com" command to verify entries in the abc.com zone.

Thanks!

BR,
Kevin
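An added example, not from the thread, of checking Neil's two conditions from the server side: list which primary zones would answer the zone transfer that nslookup's "ls -d" issues, then restrict abc.com to named secondaries or take the DnsAdmins route instead. It assumes the DnsServer and ActiveDirectory PowerShell modules (Windows Server 2012 or later, so newer than the 2003 server in the question); the server name dns01, the address 192.0.2.10 and the account adminuser are placeholders.

```powershell
# Added example, not from the list thread. Needs the DnsServer module (2012+)
# and, for step 3, the ActiveDirectory module. Names and addresses are placeholders.
Import-Module DnsServer
Import-Module ActiveDirectory

function Get-ZoneTransferExposure {
    # One row per primary zone: who may pull the zone, and whether that is "anyone".
    param([string]$ComputerName = 'dns01')
    # SecureSecondaries is one of: NoTransfer, TransferAnyServer,
    # TransferToZoneNameServer, TransferToSecureServers.
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                Zone        = $_.ZoneName
                Transfers   = $_.SecureSecondaries
                Secondaries = ($_.SecondaryServers -join ', ')
                Exposed     = ($_.SecureSecondaries -eq 'TransferAnyServer')
            }
        }
}

# 1. Which zones would hand their full contents to any host that asks?
Get-ZoneTransferExposure -ComputerName 'dns01' | Where-Object Exposed | Format-Table -AutoSize

# 2. Neil's second condition: allow transfers only to an explicit list. Listing the
#    admin workstation here makes "ls -d abc.com" work from that one host.
Set-DnsServerPrimaryZone -ComputerName 'dns01' -Name 'abc.com' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers '192.0.2.10'

# 3. Neil's alternative: DnsAdmins membership lets the admin read the zone through the
#    DNS console/cmdlets with no zone transfer at all. DnsAdmins is a privileged group,
#    so grant it deliberately rather than as a convenience.
Add-ADGroupMember -Identity 'DnsAdmins' -Members 'adminuser'
```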
RE: [ActiveDir] Biggest AD Gripes
Can you be a little more specific?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: 03 August 2005 15:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Not an AD gripe but a tools gripe. The AD Sites and Services snap-in sucks canal water as Laura sez. MS said they would fix it in Win2K3 but it still sucks.

Diane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 02, 2005 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Biggest AD Gripes

So what are everyone's biggest AD Gripes? I am not talking about gripes about things that use AD like GPOs[1] or Exchange or NFS or anything else like that. I mean actual AD really missed the boat because of this, that or the other thing. Like:

o I dislike that when you defunct an attribute it doesn't purge the information in the directory for that attribute.
o The fact that AD Security policy is managed through a technology dependent on AD and replicates both within AD and the other technology.
o I dislike that there is no true schema delete.
o I dislike the fact that I can't specify which branches of the tree replicate where.
o I dislike the fact that GUIDs are represented in multiple ways in the directory.
o I dislike the implementation of property sets especially since they could be so incredibly awesomely cool. Specifically I dislike that an attribute can only be in a single property set.
o I dislike creator/owner on SDs.
o I dislike the lack of configurable business rules.
o I dislike the fact that I can't run multiple domains on a single domain controller.

Etc etc. I have more but let's see what others say. Everyone pipe up. Let's pretend that MS will actually see this, let's further say let's pretend MS AD Developers will see this. What would you tell them if you were sitting in the room with them?

joe

[1] I do not consider GPOs to be part of AD. They are a technology that leverages AD.
RE: [ActiveDir] OT: new job
Al's response looks fine to me, joe. Then again, my response may be blank so you'll never know :)

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 02 August 2005 15:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: new job

Is something wrong with the list or is it just me? This is the second response I have seen to this subject that is completely empty.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, August 02, 2005 9:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: new job
RE: [ActiveDir] Disaster Recovery Training
Whilst not independent, I know Quest offer something along these lines.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 25 July 2005 13:35
To: ActiveDir.org
Subject: [ActiveDir] Disaster Recovery Training

All,

Does anyone know of a training provider that provides dedicated Active Directory\Exchange Disaster Recovery Training? I know Microsoft do, but these are closed courses for corporate customers who have a premier support contract.

Regards
Mark
RE: [ActiveDir] WAY OT: Conflicting RAID terminology (used to be Smart array(OT)
Not strange to define RAID 1+0 in a different way to the rest of the world? Hmm... That meets my definition of strange :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: 21 July 2005 18:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WAY OT: Conflicting RAID terminology (used to be Smart array(OT)

Not strange at all when you consider that HP defines 1+0 to mean a mirror (RAID1) with striped reads (RAID0).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, July 21, 2005 11:56 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] WAY OT: Conflicting RAID terminology (used to be Smart array(OT)

Indeed, the HP array software will happily allow a 2 disk array to be configured as RAID 1+0. Strange, since we all know you need 4 disks to do this :)

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: 21 July 2005 17:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WAY OT: Conflicting RAID terminology (used to be Smart array(OT)

I *think* HP uses 1+0 (or 0+1) to mean RAID 1 (mirrored), but striped reads (alternating across mirror halves).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, July 20, 2005 6:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WAY OT: Conflicting RAID terminology (used to be Smart array(OT)

So is anyone gonna answer my question? Do I need at least 4 drives to support RAID 0+1? Or can it be done with 2? Does Smart Array 6i support RAID 10 (1+0)?

Thanks. BTW, I'm nobody, but I always was told there is a difference between RAID 10 and 0+1.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 20, 2005 7:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WAY OT: Conflicting RAID terminology (used to be Smart array(OT)

In looking at some further docs, there are a few things that are certain:

1. Standards aren't - when it comes to Hybrid RAID.
2. The only way to know if your controller has what *I* consider RAID 10 (RAID 1+0) - 'Read the Frakking Docs'! One vendor's RAID 0+1 is another vendor's RAID 1+0.
3. Hybrid RAID is good - but expensive. Know what you want, why you want it, and be ready to justify the cost.
4. Apologies to Jose - it's a terminology thing.

I wonder how many people order servers with RAID 1+0, get 0+1, and have a meltdown with the vendor who says, "But, Sir - that's what you asked for, and what you explain is what we sent!"

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, July 20, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Smart array(OT)

Hi Rick,

It's okay to disagree, and if you do a lookup on RAID with Google it comes up with several sites with conflicting info (which means do not believe everything you read unless you trust the source). The authority on RAID is the hardware vendors, and each has their own interpretation or variance; however, the true authority is IBM, who invented it in the first place. Now companies like Network Appliance (NETAPP) have enhanced versions of a RAID 4 controller with patented write-anywhere technology that makes them extremely fast and much faster than a vendor that uses RAID 4. So with that said, I am including a link to Adaptec's site which explains their implementation of RAID 0+1 (RAID 10).

http://www.adaptec.com/worldwide/product/markeditorial.html?sess=nolanguage=English+UScat=%2fTechnology%2fRAID+Controllersprodkey=talk_about_raid

Well, that's my two cents,

Jose Medeiros
An old timer that worked at IBM supporting the engineers that invented the stuff.
MCP+I, MCSE, NT4 MCT
www.ntea.net www.tvnug.org www.sfntug.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Kingslan
Sent: Wednesday, July 20, 2005 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Smart array(OT)

Jose,

I respectfully disagree. RAID 0+1 is a mirrored array with segments that are RAID 0 arrays. RAID 0+1 has the same level of fault tolerance as RAID 5. If a single drive fails, the array becomes effectively a RAID 0 array.

RAID 10, on the other hand, is an available standard on many Enterprise controllers. It is implemented as a striped array whose segments are always RAID 1 arrays. RAID 10 has the same fault tolerance as RAID 1, and carries the same overhead as mirroring alone. It has a huge I/O gain in that all segments are RAID 1 stripes.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, July 20, 2005 4:30 PM
To: ActiveDir
RE: [ActiveDir] RILOE AD Integration
I have to say, I find that hard to believe. The admin/user guide shows images where iLO objects are managed via the UC snap-in. All that iLO info must be stored in iLO-specific attributes and classes in the schema and they aren't there out of the box :)

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: 20 July 2005 14:09
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RILOE AD Integration

My understanding is none whatsoever.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, July 18, 2005 5:11 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] RILOE AD Integration

Does this mean 'no additional schema mods (above and beyond previous versions)' or 'no schema mods at all, even if you have yet to deploy any previous iLO schema mods'? The latter would certainly be of interest.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: 15 July 2005 14:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RILOE AD Integration

And now for the actual link: http://h18013.www1.hp.com/products/servers/management/iloadv/index.html

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Wednesday, July 06, 2005 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RILOE AD Integration

Hi,

I used the ADUC with our iLO setup (~50 servers) a while ago and it was flawless. The schema extensions have not caused any issues at all with any upgrades we had to do (Exchange 2003 forestprep). I highly recommend them.

Francis

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: July 5, 2005 8:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] RILOE AD Integration

Anybody done the schema extensions to support HPQ iLO/RiLOE II integration with AD? I'm thinking about it. We're pushing out 50 380s with RiLOE II boards in the next four weeks to all over kingdom come. If you have, how's it work from the iLO standpoint? ADUC extensions work ok?

--brian

This message has been scanned for viruses by MailControl. This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding.
RE: [ActiveDir] Does a domain require a GC?
Why not create a new site and [logically] move the DC to that site? Restart Netlogon to update DNS records and voilà, the DC is now a member of the new site. I have seen this done for the PDCe so it receives less load than other DCs in the same location.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 21 July 2005 17:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Does a domain require a GC?

No, it works just fine and is often used to isolate GC/DCs.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Thursday, July 21, 2005 11:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Does a domain require a GC?

I can define a site using a 32-bit subnet mask? That's a possibility I hadn't considered! I'd have been afraid that would confuse the heck out of the KCC!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, July 20, 2005 7:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Does a domain require a GC?

Dean killed the first question pretty well I think. The second question or implied question that I got was "don't I have to set up a special IP subnet to do this?" and the answer is no. You do not need a physical network breakup to define a logical site in AD and assign subnets. I did this in data centers quite often. A single data center with tons of subnets would have different pieces carved out and added to various sites depending on what DCs they needed to be with. This was sometimes a pain but network didn't always want to work with us in terms of giving us whole ranges of physical subnets to work with. There was more than one single-IP subnet (32-bit mask) defined in that directory.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, July 19, 2005 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Does a domain require a GC?

I don't understand your comment about converting universal groups to local groups. Can you explain what you mean here?

Your suggestion about moving the root DCs to a separate site would work, but it would require me to set up a dedicated IP subnet at the two different locations where the DCs are located. The networking folks would not want to do that.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Monday, July 18, 2005 6:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Does a domain require a GC?

Hi Ken,

There is (at least) one requirement for a GC in every domain. If you don't have a GC in a domain, you cannot convert universal groups in that domain to local groups. However, this is probably not a big concern for your empty root domain...

Also a couple of suggestions:
- Why not have all the DCs of the child domain as GCs? This wouldn't add practically any replication, or the size of the NTDS.DIT on those new GCs.
- Instead of removing GCs from the root domain (because of the Outlook issue), how about putting the root domain DCs (which would be GCs) on a site with no clients, and with such a replication topology that a child domain GC is always closer to any client than a root domain GC?

Yours,
Sakari

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, July 18, 2005 7:19 PM
To: ActiveDir@mail.activedir.org; Exchange Discussions
Subject: [ActiveDir] Does a domain require a GC?

We have two domains in our forest: the "empty" root domain, and a resource domain where everything else lives. The root domain has two DCs - one each in two different sites. Our main domain has several DCs, and most of those are GCs as well. The sites containing the root DCs each also have at least one resource domain DC, and at least one of these DCs is a GC. In other words, all sites have at least one resource domain DC and at least one of those is a GC as well.

My question is: can I remove GC function from the two root DCs? I seem to recall reading that at least one DC in a domain had to be a GC, but I can't find that requirement now. All DCs are Server 2003. The forest is 2000 native mode.

Why do I want to do this? We configure Outlook to use the "closest" GC. We want to ensure that Outlook can manage distribution lists (universal groups), and Outlook can only do that if the GC is in the same domain as the group. We are currently using a home-grown application to manage DL membership, but we'd like to switch back to Outlook.
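The isolation Neil and Steve describe (a new site, a single-address subnet, move the DC, restart Netlogon), as an added example that is not code from the thread, using the ActiveDirectory module cmdlets that arrived with Windows Server 2012, so not what the posters would have used in 2005. ROOTDC01, 10.1.5.20, the site name and the site-link name are placeholders.

```powershell
# Added example, not from the list thread. The root-domain DC keeps its existing
# address; a /32 subnet maps just that address to a new site with no client subnets,
# so clients in the existing sites keep resolving to the resource-domain GCs near them.
Import-Module ActiveDirectory

function Move-DCToIsolatedSite {
    param(
        [Parameter(Mandatory)][string]$DcName,      # placeholder: 'ROOTDC01'
        [Parameter(Mandatory)][string]$DcAddress,   # placeholder: '10.1.5.20'
        [Parameter(Mandatory)][string]$SiteName,    # placeholder: 'Root-DC-Isolated'
        [Parameter(Mandatory)][string]$SiteLink     # placeholder: 'DEFAULTIPSITELINK'
    )
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
        New-ADReplicationSite -Name $SiteName
        # A site outside every site link has no replication path; the KCC cannot
        # connect it, so add it to an existing link before moving anything into it.
        Set-ADReplicationSiteLink -Identity $SiteLink -SitesIncluded @{ Add = $SiteName }
    }
    # Host route: a 32-bit mask means exactly one address maps to the new site, which
    # is why no change to the physical network or the networking team is needed.
    New-ADReplicationSubnet -Name "$DcAddress/32" -Site $SiteName
    # Relocate the DC's server object (NTDS settings) under the new site.
    Move-ADDirectoryServer -Identity $DcName -Site $SiteName
}

Move-DCToIsolatedSite -DcName 'ROOTDC01' -DcAddress '10.1.5.20' `
    -SiteName 'Root-DC-Isolated' -SiteLink 'DEFAULTIPSITELINK'

# Then, on the moved DC, re-register its site-specific SRV records and confirm:
#   Restart-Service Netlogon
#   nltest /dsgetsite                 (on the DC: should now report the isolated site)
#   nltest /dsgetdc:<child-domain> /gc  (on a client: a GC in the client's own site, not the root DC)
```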
RE: [ActiveDir] WAY OT: Conflicting RAID terminology (used to be Smart array(OT)
Indeed, the HP array software will happily allow a 2 disk array to be configured as RAID 1+0. Strange, since we all know you need 4 disks to do this :)

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: 21 July 2005 17:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WAY OT: Conflicting RAID terminology (used to be Smart array(OT)

I *think* HP uses 1+0 (or 0+1) to mean RAID 1 (mirrored), but striped reads (alternating across mirror halves).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, July 20, 2005 6:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WAY OT: Conflicting RAID terminology (used to be Smart array(OT)

So is anyone gonna answer my question? Do I need at least 4 drives to support RAID 0+1? Or can it be done with 2? Does Smart Array 6i support RAID 10 (1+0)?

Thanks. BTW, I'm nobody, but I always was told there is a difference between RAID 10 and 0+1.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 20, 2005 7:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WAY OT: Conflicting RAID terminology (used to be Smart array(OT)

In looking at some further docs, there are a few things that are certain:

1. Standards aren't - when it comes to Hybrid RAID.
2. The only way to know if your controller has what *I* consider RAID 10 (RAID 1+0) - 'Read the Frakking Docs'! One vendor's RAID 0+1 is another vendor's RAID 1+0.
3. Hybrid RAID is good - but expensive. Know what you want, why you want it, and be ready to justify the cost.
4. Apologies to Jose - it's a terminology thing.

I wonder how many people order servers with RAID 1+0, get 0+1, and have a meltdown with the vendor who says, "But, Sir - that's what you asked for, and what you explain is what we sent!"

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, July 20, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Smart array(OT)

Hi Rick,

It's okay to disagree, and if you do a lookup on RAID with Google it comes up with several sites with conflicting info (which means do not believe everything you read unless you trust the source). The authority on RAID is the hardware vendors, and each has their own interpretation or variance; however, the true authority is IBM, who invented it in the first place. Now companies like Network Appliance (NETAPP) have enhanced versions of a RAID 4 controller with patented write-anywhere technology that makes them extremely fast and much faster than a vendor that uses RAID 4. So with that said, I am including a link to Adaptec's site which explains their implementation of RAID 0+1 (RAID 10).

http://www.adaptec.com/worldwide/product/markeditorial.html?sess=nolanguage=English+UScat=%2fTechnology%2fRAID+Controllersprodkey=talk_about_raid

Well, that's my two cents,

Jose Medeiros
An old timer that worked at IBM supporting the engineers that invented the stuff.
MCP+I, MCSE, NT4 MCT
www.ntea.net www.tvnug.org www.sfntug.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Kingslan
Sent: Wednesday, July 20, 2005 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Smart array(OT)

Jose,

I respectfully disagree. RAID 0+1 is a mirrored array with segments that are RAID 0 arrays. RAID 0+1 has the same level of fault tolerance as RAID 5. If a single drive fails, the array becomes effectively a RAID 0 array.

RAID 10, on the other hand, is an available standard on many Enterprise controllers. It is implemented as a striped array whose segments are always RAID 1 arrays. RAID 10 has the same fault tolerance as RAID 1, and carries the same overhead as mirroring alone. It has a huge I/O gain in that all segments are RAID 1 stripes.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, July 20, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Smart array(OT)

Hi Tom,

RAID 0+1 is RAID 10. If I recall, Adaptec and Dell coined the RAID 10 term back in 1999. I always use the BIOS utility to create my drive RAID arrays; what does that say?

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kern, Tom
Sent: Wednesday, July 20, 2005 11:42 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Smart array(OT)

I'm using Smart Array 6i to create a RAID 0+1 array with 4 drives. I'm using the web array config utility from HP to do this. It offers to create a RAID 0+1 array but when I do, it turns out to be just RAID 1 (that's what it says in the BIOS boot-up screen). Also, I have another array with 2 drives
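Rick's distinction between RAID 0+1 (mirror of stripes) and RAID 1+0 (stripe of mirrors), which is quoted in both copies of this thread, as an added worked model that is not from the list: enumerate every drive-failure pattern and count which ones each layout survives, for the 4-drive case Tom asked about and for the 2-drive "1+0" that HP's tool accepts. Drive numbering and pairing are the model's own assumptions.

```powershell
# Added example, not from the list thread. Drives are numbered 0..n-1; a failure
# pattern is a bit mask with bit i set when drive i is dead.

function Test-Raid10Survives {
    # RAID 1+0 (stripe of mirrors): drives (0,1),(2,3),... are mirror pairs and the
    # stripe runs across the pairs, so data survives while every pair keeps one drive.
    param([int]$FailedMask, [int]$DriveCount)
    for ($i = 0; $i -lt $DriveCount; $i += 2) {
        $aDead = ($FailedMask -band (1 -shl $i)) -ne 0
        $bDead = ($FailedMask -band (1 -shl ($i + 1))) -ne 0
        if ($aDead -and $bDead) { return $false }
    }
    return $true
}

function Test-Raid01Survives {
    # RAID 0+1 (mirror of stripes): the first half of the drives is one RAID 0 set,
    # the second half is its mirror; data survives while either half is fully intact.
    # After one failure the surviving half is a bare RAID 0, which is Rick's point.
    param([int]$FailedMask, [int]$DriveCount)
    $half = [int]($DriveCount / 2)
    $firstHalfMask  = (1 -shl $half) - 1
    $secondHalfMask = $firstHalfMask -shl $half
    $firstIntact  = ($FailedMask -band $firstHalfMask) -eq 0
    $secondIntact = ($FailedMask -band $secondHalfMask) -eq 0
    return ($firstIntact -or $secondIntact)
}

function Get-RaidSurvivalTable {
    # For each number of simultaneously failed drives, count the failure patterns
    # and how many of them each layout survives.
    param([int]$DriveCount = 4)
    $rows = @{}
    $patternCount = (1 -shl $DriveCount)          # 2^n subsets of drives
    for ($mask = 0; $mask -lt $patternCount; $mask++) {
        $failed = 0
        for ($i = 0; $i -lt $DriveCount; $i++) { if ($mask -band (1 -shl $i)) { $failed++ } }
        if (-not $rows.ContainsKey($failed)) {
            $rows[$failed] = [pscustomobject]@{
                FailedDrives = $failed; Patterns = 0; Raid10Survives = 0; Raid01Survives = 0
            }
        }
        $rows[$failed].Patterns++
        if (Test-Raid10Survives -FailedMask $mask -DriveCount $DriveCount) { $rows[$failed].Raid10Survives++ }
        if (Test-Raid01Survives -FailedMask $mask -DriveCount $DriveCount) { $rows[$failed].Raid01Survives++ }
    }
    $rows.Values | Sort-Object FailedDrives
}

# The 4-drive case from the thread, then the 2-drive array HP's tool lets you call 1+0.
Get-RaidSurvivalTable -DriveCount 4 | Format-Table -AutoSize
Get-RaidSurvivalTable -DriveCount 2 | Format-Table -AutoSize
```

With four drives both layouts survive any single failure, but of the six two-drive failure patterns RAID 1+0 survives four and RAID 0+1 only two (the second failure must land in the half that is already dead). With two drives the table comes out identical for both layouts, which is the sense in which a two-disk "1+0" is just a mirror.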
RE: [ActiveDir] Issues with newly built w2k3 DCs - update
In fact the root cause of this issue is/was objects with a NULL security descriptor. The newly built DCs would not replicate in these objects and so replication stalled, AD was not available, ADI zones were not available etc etc. We executed sdprop on all DCs in the domain and 'fixed' the above objects. We are now able to build DCs :)

We believe these objects originated via the ADC and have thus disabled certain connection agreements so as to eliminate the issue at its source. Hopefully a KB will be created from our discoveries :)

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: 13 July 2005 10:18
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Issues with newly built w2k3 DCs

Additional info - DCs in another domain (the empty root domain) have built fine. It's just the child domain where we see these issues.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 12 July 2005 16:14
To: ActiveDir.org
Subject: Re: [ActiveDir] Issues with newly built w2k3 DCs

Sorry, pushed send too quickly. I found clearing the MUP cache made the errors go away. Additionally, are you using 127.0.0.1 or the DC's IP address for DNS, and is the secondary DNS address utilised?

-----Original Message-----
From: Mark Parris [EMAIL PROTECTED]
Date: Tue, 12 Jul 2005 15:08:15
To: ActiveDir.org ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Issues with newly built w2k3 DCs

Neil,

I have had this issue too. Have you seen 842804?

Mark

-----Original Message-----
From: Ruston, Neil [EMAIL PROTECTED]
Date: Tue, 12 Jul 2005 13:48:57
To: 'ActiveDir@mail.activedir.org' ActiveDir@mail.activedir.org
Subject: [ActiveDir] Issues with newly built w2k3 DCs

I'm seeing the following errors on newly built w2k3 DCs (w2k native mode domain):

Source: userenv; ID: 1030
Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by this policy engine.

Source: userenv; ID: 1097
Windows cannot find the machine account, The Local Security Authority cannot be contacted.

The above occur in pairs every 5 mins. All existing w2k DCs are fine.

Other symptoms: DNS service cannot be managed on the DC (server shown with red cross indicating DNS server not contactable). Time and DNS resolution all appear fine.

Any ideas anyone? Google shows this to be quite common but with no specific solution / root cause.

Thanks,
neil
RE: [ActiveDir] Issues with newly built w2k3 DCs
Additional info - DCs in another domain (the empty root domain) have built fine. It's just the child domain where we see these issues. neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 12 July 2005 16:14
To: ActiveDir.org
Subject: Re: [ActiveDir] Issues with newly built w2k3 DCs

Sorry, pushed send too quickly. I found clearing the MUP cache made the errors go away. Additionally, are you using 127.0.0.1 or the DC's IP address for DNS, and is the secondary DNS address utilised?

-Original Message-
From: Mark Parris [EMAIL PROTECTED]
Date: Tue, 12 Jul 2005 15:08:15
To: ActiveDir.org ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Issues with newly built w2k3 DCs

Neil, I have had this issue too. Have you seen 842804? Mark

-Original Message-
From: Ruston, Neil [EMAIL PROTECTED]
Date: Tue, 12 Jul 2005 13:48:57
To: 'ActiveDir@mail.activedir.org' ActiveDir@mail.activedir.org
Subject: [ActiveDir] Issues with newly built w2k3 DCs

I'm seeing the following errors on newly built w2k3 DCs (w2k native mode domain):

Source: userenv; ID: 1030 Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by this policy engine.
Source: userenv; ID: 1097 Windows cannot find the machine account, The Local Security Authority cannot be contacted.

The above occur in pairs every 5 mins. All existing w2k DCs are fine. Other symptoms: DNS service cannot be managed on the DC (server shown with red cross indicating DNS server not contactable). Time and DNS resolution all appear fine. Any ideas anyone? Google shows this to be quite common but with no specific solution / root cause.
Thanks, neil
[ActiveDir] Issues with newly built w2k3 DCs
I'm seeing the following errors on newly built w2k3 DCs (w2k native mode domain):

Source: userenv; ID: 1030 Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by this policy engine.
Source: userenv; ID: 1097 Windows cannot find the machine account, The Local Security Authority cannot be contacted.

The above occur in pairs every 5 mins. All existing w2k DCs are fine. Other symptoms: DNS service cannot be managed on the DC (server shown with red cross indicating DNS server not contactable). Time and DNS resolution all appear fine. Any ideas anyone? Google shows this to be quite common but with no specific solution / root cause. Thanks, neil
RE: [ActiveDir] Issues with newly built w2k3 DCs
Thanks Mark. Will investigate that KB. DCs use another DC for DNS res until built and then use their own address (not loopback) thereafter. Will try the MUP cache workaround too. Thanks, neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 12 July 2005 16:14
To: ActiveDir.org
Subject: Re: [ActiveDir] Issues with newly built w2k3 DCs

Sorry, pushed send too quickly. I found clearing the MUP cache made the errors go away. Additionally, are you using 127.0.0.1 or the DC's IP address for DNS, and is the secondary DNS address utilised?

-Original Message-
From: Mark Parris [EMAIL PROTECTED]
Date: Tue, 12 Jul 2005 15:08:15
To: ActiveDir.org ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Issues with newly built w2k3 DCs

Neil, I have had this issue too. Have you seen 842804? Mark

-Original Message-
From: Ruston, Neil [EMAIL PROTECTED]
Date: Tue, 12 Jul 2005 13:48:57
To: 'ActiveDir@mail.activedir.org' ActiveDir@mail.activedir.org
Subject: [ActiveDir] Issues with newly built w2k3 DCs

I'm seeing the following errors on newly built w2k3 DCs (w2k native mode domain):

Source: userenv; ID: 1030 Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by this policy engine.
Source: userenv; ID: 1097 Windows cannot find the machine account, The Local Security Authority cannot be contacted.

The above occur in pairs every 5 mins. All existing w2k DCs are fine. Other symptoms: DNS service cannot be managed on the DC (server shown with red cross indicating DNS server not contactable). Time and DNS resolution all appear fine. Any ideas anyone? Google shows this to be quite common but with no specific solution / root cause.
Thanks, neil
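The two questions this thread circles around (how the new DC's DNS client is pointed, and whether the 1030/1097 pairs really land every five minutes) can be answered from the DC itself before touching the MUP cache. The script below is an added example, not something posted to the list: it assumes PowerShell 2.0 or later on the DC and that Userenv still logs to the Application log as it did on Windows 2000/2003 (later versions moved Group Policy logging elsewhere).

```powershell
# Added example: first-pass checks for a newly promoted DC logging Userenv 1030/1097 pairs.
# Assumes PowerShell 2.0+ and a Windows 2000/2003-era Userenv source in the Application log.
param(
    [string]$LogName = 'Application',   # Userenv writes to the Application log
    [int]   $Hours   = 2                # how far back to look for 1030/1097 events
)

function Get-DnsClientOrder {
    # Lists each IP-enabled adapter's DNS server order and flags the two
    # configurations Mark asked about: loopback first, or the DC pointing at itself.
    $self = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $order = @($_.DNSServerSearchOrder)
            New-Object PSObject -Property @{
                Adapter       = $_.Description
                DnsOrder      = ($order -join ', ')
                LoopbackFirst = ($order.Count -gt 0 -and $order[0] -eq '127.0.0.1')
                SelfFirst     = ($order.Count -gt 0 -and $self -contains $order[0])
                HasSecondary  = ($order.Count -gt 1)
            }
        }
}

function Get-UserenvPairs {
    # Pulls Userenv 1030/1097 events from the last $Hours and reports the gap between
    # successive 1030s, which confirms (or refutes) the "every 5 minutes" cadence.
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-EventLog -LogName $LogName -Source Userenv -After $since -ErrorAction SilentlyContinue |
              Where-Object { $_.EventID -eq 1030 -or $_.EventID -eq 1097 } |
              Sort-Object TimeGenerated
    $last1030 = $null
    foreach ($e in $events) {
        $gap = ''
        if ($e.EventID -eq 1030) {
            if ($last1030) { $gap = [int]($e.TimeGenerated - $last1030).TotalMinutes }
            $last1030 = $e.TimeGenerated
        }
        New-Object PSObject -Property @{
            Time                 = $e.TimeGenerated
            EventID              = $e.EventID
            MinutesSincePrev1030 = $gap
            Message              = ($e.Message -split "`n")[0]   # first line only
        }
    }
}

Get-DnsClientOrder | Format-Table Adapter, DnsOrder, LoopbackFirst, SelfFirst, HasSecondary -AutoSize
Get-UserenvPairs   | Format-Table Time, EventID, MinutesSincePrev1030, Message -AutoSize
```

Run it on the affected DC and on one of the healthy w2k DCs in the same domain and compare the DNS order first; a DC whose only DNS server is itself, before its own zones have replicated in, is the classic way to get exactly this pair of events.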
RE: [ActiveDir] Can a 2003 server be a domain controller in a 2000 domain?
... Or check the Schema version - version 30 should be shown if w2k3 forestprep has been executed successfully. neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: 09 July 2005 21:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Can a 2003 server be a domain controller in a 2000 domain?

Yes. Use ADSIEdit and go in the Config and Domain NCs. There's a ForestUpdates CN under the root of the config NC, and under it there should be a Windows2003Update (or something like that), and I believe for DomainPrep it's in the System container/DomainUpdates/Windows2003Update. Thanks, Brian Desmond [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Saturday, July 09, 2005 2:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Can a 2003 server be a domain controller in a 2000 domain?

A slight aside: how can you confirm that the schema changes have replicated to a particular DC? Is there a particular attribute to check? -- nme
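Noah's question was about a particular DC, and both answers above (the objectVersion on the Schema container, and the Windows2003Update marker objects adprep leaves under ForestUpdates and DomainUpdates) can be checked against a named DC rather than whichever one the LDAP locator happens to pick. The script below is an added example, not from the thread; it assumes PowerShell with the .NET System.DirectoryServices assembly (the [ADSI] accelerator) and read access to the Configuration and Domain NCs, which any authenticated user has. The version numbers it names are the Windows 2000 (13) and Windows Server 2003 (30) values; later releases raised it further.

```powershell
# Added example: confirm, on a specific DC, that the Windows Server 2003 adprep
# changes have replicated there. Query a DC by name with -Server dc01.
param(
    [string]$Server = $env:LOGONSERVER.TrimStart('\')   # default: the DC that authenticated this session
)

function Get-AdPrepState {
    param([Parameter(Mandatory=$true)][string]$Dc)

    $rootDse  = [ADSI]"LDAP://$Dc/RootDSE"
    $schemaNC = $rootDse.schemaNamingContext.Value
    $configNC = $rootDse.configurationNamingContext.Value
    $domainNC = $rootDse.defaultNamingContext.Value

    # objectVersion on CN=Schema: 13 = Windows 2000, 30 = Windows Server 2003.
    # Reading it through "LDAP://<dc>/..." shows what *this* DC holds, not the forest's latest.
    $schema  = [ADSI]"LDAP://$Dc/$schemaNC"
    $version = [int]$schema.objectVersion.Value

    # adprep /forestprep and /domainprep leave marker containers behind. If they are
    # present when bound to this DC, the prep operations have replicated here.
    $forestMarker = "LDAP://$Dc/CN=Windows2003Update,CN=ForestUpdates,$configNC"
    $domainMarker = "LDAP://$Dc/CN=Windows2003Update,CN=DomainUpdates,CN=System,$domainNC"

    New-Object PSObject -Property @{
        Server           = $Dc
        SchemaVersion    = $version
        SchemaIs2003     = ($version -ge 30)
        ForestPrepMarker = [ADSI]::Exists($forestMarker)
        DomainPrepMarker = [ADSI]::Exists($domainMarker)
    }
}

Get-AdPrepState -Dc $Server | Format-List Server, SchemaVersion, SchemaIs2003, ForestPrepMarker, DomainPrepMarker
```

Run it once per DC you intend to promote or upgrade; a DC that still reports SchemaVersion 13 or a missing marker has not yet received the change, and pointing dcpromo at it is how you get the "schema not updated" failures this thread is trying to avoid.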
RE: [ActiveDir] GC
rough and ready response :)

1. Client logons, Exchange GAL lookups and various other components require a GC to be available, ideally in the same site.
2. Why are only 2 of the 7 DCs also GCs? Given that you are experiencing issues, I'd be inclined to 'upgrade' the remaining 5 DCs to GC status and ensure that your Exchange servers are configured to use multiple GCs.

When all DCs are GCs, the infra master FSMO becomes redundant too, so that's one less FSMO to worry about catering for :) neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: 05 July 2005 08:16
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GC

Hi, I have 2 GC and 7 domain controllers. I made 2 GC so that if I had to take any one of them offline the other will be functional and the network will be ok. What happens is that if any of them goes offline, the network goes down (including email service exchange). Anything I should have done? Thanks, r.c.
RE: [ActiveDir] GC
I don't agree with the below at all, to be candid. I would rather have 7 servers, knowing I can lose 1 or 2 without issue, rather than working round the clock to keep 2 servers up all the time. To me, that's the beauty of systems like AD, where the system is distributed and self resilient. You, however, have removed some of that resilience from the system and have thus moved the maintenance effort from the system onto your own lap.

Anyway, now that's off my chest - I think you need to explain what 'the network suffers' means. What symptoms do you see when a GC goes offline? I'd also like to know why your GCs are going offline. We have 100+ GCs here and we probably have 4-5 issues per year. When we do have an issue, the net effect on the end user is negligible due to the self healing and resilient nature of AD/GCs themselves. neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: 05 July 2005 08:48
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GC

Thanks for the reply :) I will tell you, because now I have to maintain 2 servers (the GCs) online 24/7. I can't take one offline for maintenance for a second because the network goes down. Imagine if I upgrade the other 5, then I will have to keep 7 servers alive 24/7!!! I configured Exchange to use multiple GCs, but why does the network suffer if one of them goes offline? I don't know? Is it by design, or am I missing something? Thanks, r.c.

On 7/5/05, Ruston, Neil [EMAIL PROTECTED] wrote:
rough and ready response :)
1. Client logons, Exchange GAL lookups and various other components require a GC to be available, ideally in the same site.
2. Why are only 2 of the 7 DCs also GCs? Given that you are experiencing issues, I'd be inclined to 'upgrade' the remaining 5 DCs to GC status and ensure that your Exchange servers are configured to use multiple GCs.
When all DCs are GCs, the infra master FSMO becomes redundant too, so that's one less FSMO to worry about catering for :) neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: 05 July 2005 08:16
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GC

Hi, I have 2 GC and 7 domain controllers. I made 2 GC so that if I had to take any one of them offline the other will be functional and the network will be ok. What happens is that if any of them goes offline, the network goes down (including email service exchange). Anything I should have done? Thanks, r.c.
RE: [ActiveDir] GC
I don't understand how this can work in one site :) If all DC/GCs are defined in the same site, then clients may be 'offered' any of these DCs from a DNS perspective, since they are all 'equal'. You appear to have several odd environmental issues which need to be addressed before attacking the Outlook related issues. neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: 05 July 2005 10:22
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GC

Seems very good, but I have 1 domain and 15 VLANs, and not all domain controllers are accessible from all VLANs. If I set all the domain controllers to GC, will that cause a problem? The 2 that I chose to set as GCs are accessible from all VLANs. Thanks. r.c.

On 7/5/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
I also don't agree with what you are saying concerning the maintenance of the GCs. If you only have 1 domain in the forest there is NO OVERHEAD in making all DCs GCs. The size of your DIT will not grow in size because there are no other domains. For its own and single domain the GCs will use pointers to the domain data. So if you have 1 domain, make all DCs GCs. Even if you have multiple domains there are fewer issues in W2K3 compared to W2K because W2K3 DCs/GCs use Linked Value Replication (only in FFL w2k3) and for the partial attribute set it only replicates the deltas. So even for a multiple domain forest I would consider making all DCs GCs. Concerning Exchange, I would not manually define the DCs and GCs it uses. Let Exchange itself figure that out. What are the reasons to manually define the DCs/GCs it uses? Cheers, #JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Tuesday 5 July 2005 10:51
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GC

One site and all servers in that one site.

On 7/5/05, Rops, Arjan [EMAIL PROTECTED] wrote:
How many sites do you have configured in your AD?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Tuesday 5 July 2005 10:34
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GC

Suffering = users lose connectivity to their mailbox (Outlook shows a message saying "Trying to connect to your exchange server"), users can't use their home directories on the servers, users are not able to print; basically users go offline, waiting for the GC to be online. Now this I understand if there was only one GC, but with 2 this shouldn't happen, i.e. the network appears to be seeing each GC as the only one. Is there anything else, other than checking the Global Catalogue check box, to make a server a GC (and adding it in the system manager on the Exchange server as a GC too)? Thanks, r.c.

On 7/5/05, Ruston, Neil [EMAIL PROTECTED] wrote:
I don't agree with the below at all, to be candid. I would rather have 7 servers, knowing I can lose 1 or 2 without issue, rather than working round the clock to keep 2 servers up all the time. To me, that's the beauty of systems like AD, where the system is distributed and self resilient. You, however, have removed some of that resilience from the system and have thus moved the maintenance effort from the system onto your own lap. Anyway, now that's off my chest - I think you need to explain what 'the network suffers' means. What symptoms do you see when a GC goes offline? I'd also like to know why your GCs are going offline. We have 100+ GCs here and we probably have 4-5 issues per year. When we do have an issue, the net effect on the end user is negligible due to the self healing and resilient nature of AD/GCs themselves. neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: 05 July 2005 08:48
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GC

Thanks for the reply :) I will tell you, because now I have to maintain 2 servers (the GCs) online 24/7. I can't take one offline for maintenance for a second because the network goes down. Imagine if I upgrade the other 5, then I will have to keep 7 servers alive 24/7!!! I configured Exchange to use multiple GCs, but why does the network suffer if one of them goes offline? I don't know? Is it by design, or am I missing something? Thanks, r.c.

On 7/5/05, Ruston, Neil [EMAIL PROTECTED] wrote:
rough and ready response :)
1. Client logons, Exchange GAL lookups and various other components require a GC to be available, ideally in the same site.
2. Why are only 2 of the 7 DCs also GCs? Given that you are experiencing issues, I'd be inclined to 'upgrade' the remaining 5 DCs to GC status and ensure that your Exchange servers
RE: [ActiveDir] GC
I would question the below, given that the poster has just _1_ site defined. :) neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 05 July 2005 10:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC

So you have a hub location and 15 branch offices. As long as the hub can reach ALL the branch offices and the branch offices can reach the hub there will be no problem, as all communication/replication will go through the hub. Cheers, #JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Tuesday 5 July 2005 11:22
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GC

Seems very good, but I have 1 domain and 15 VLANs, and not all domain controllers are accessible from all VLANs. If I set all the domain controllers to GC, will that cause a problem? The 2 that I chose to set as GCs are accessible from all VLANs. Thanks. r.c.

On 7/5/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
I also don't agree with what you are saying concerning the maintenance of the GCs. If you only have 1 domain in the forest there is NO OVERHEAD in making all DCs GCs. The size of your DIT will not grow in size because there are no other domains. For its own and single domain the GCs will use pointers to the domain data. So if you have 1 domain, make all DCs GCs. Even if you have multiple domains there are fewer issues in W2K3 compared to W2K because W2K3 DCs/GCs use Linked Value Replication (only in FFL w2k3) and for the partial attribute set it only replicates the deltas. So even for a multiple domain forest I would consider making all DCs GCs. Concerning Exchange, I would not manually define the DCs and GCs it uses. Let Exchange itself figure that out. What are the reasons to manually define the DCs/GCs it uses? Cheers, #JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Tuesday 5 July 2005 10:51
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GC

One site and all servers in that one site.

On 7/5/05, Rops, Arjan [EMAIL PROTECTED] wrote:
How many sites do you have configured in your AD?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Tuesday 5 July 2005 10:34
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GC

Suffering = users lose connectivity to their mailbox (Outlook shows a message saying "Trying to connect to your exchange server"), users can't use their home directories on the servers, users are not able to print; basically users go offline, waiting for the GC to be online. Now this I understand if there was only one GC, but with 2 this shouldn't happen, i.e. the network appears to be seeing each GC as the only one. Is there anything else, other than checking the Global Catalogue check box, to make a server a GC (and adding it in the system manager on the Exchange server as a GC too)? Thanks, r.c.

On 7/5/05, Ruston, Neil [EMAIL PROTECTED] wrote:
I don't agree with the below at all, to be candid. I would rather have 7 servers, knowing I can lose 1 or 2 without issue, rather than working round the clock to keep 2 servers up all the time. To me, that's the beauty of systems like AD, where the system is distributed and self resilient. You, however, have removed some of that resilience from the system and have thus moved the maintenance effort from the system onto your own lap. Anyway, now that's off my chest - I think you need to explain what 'the network suffers' means. What symptoms do you see when a GC goes offline? I'd also like to know why your GCs are going offline. We have 100+ GCs here and we probably have 4-5 issues per year. When we do have an issue, the net effect on the end user is negligible due to the self healing and resilient nature of AD/GCs themselves. neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: 05 July 2005 08:48
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GC

Thanks for the reply :) I will tell you, because now I have to maintain 2 servers (the GCs) online 24/7. I can't take one offline for maintenance for a second because the network goes down. Imagine if I upgrade the other 5, then I will have to keep 7 servers alive 24/7!!! I configured Exchange to use multiple GCs, but why does the network suffer if one of them goes offline? I don't know? Is it by design, or am I missing something? Thanks, r.c.

On 7/5/05, Ruston, Neil [EMAIL PROTECTED] wrote:
rough and ready response :)
1. Client logons, Exchange GAL lookups and various other components require a GC to be available, ideally in the same site.
2
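Before arguing about whether all seven DCs should be GCs, it helps to have the inventory in front of you: which DCs are GCs, and which site each sits in. The GC flag is bit 0x1 of the options attribute on each DC's NTDS Settings object under CN=Sites in the Configuration NC, which is what the "Global Catalog" check box in Sites and Services sets. The script below is an added example, not from the thread; it assumes PowerShell with the .NET System.DirectoryServices assembly on a domain-joined machine (reading the Configuration NC needs no special rights) and parses server and site names out of the NTDS Settings DN.

```powershell
# Added example: list every DC in the forest with its site and GC status, then
# count GCs per site. Answers "why are only 2 of the 7 DCs also GCs?" from the directory itself.
function Get-GcInventory {
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNC"
    $searcher.Filter     = '(objectClass=nTDSDSA)'      # one NTDS Settings object per DC
    $searcher.PageSize   = 500
    $null = $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'options'))

    foreach ($result in $searcher.FindAll()) {
        $dn    = [string]$result.Properties['distinguishedname'][0]
        # DN shape: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
        $parts = $dn -split ','
        $opts  = 0
        if ($result.Properties['options'].Count -gt 0) { $opts = [int]$result.Properties['options'][0] }
        New-Object PSObject -Property @{
            Server = ($parts[1] -replace '^CN=', '')
            Site   = ($parts[3] -replace '^CN=', '')
            IsGC   = (($opts -band 1) -eq 1)            # NTDSDSA_OPT_IS_GC
        }
    }
}

function Get-GcSiteSummary {
    # Per-site totals: a site with DCs but zero (or one) GCs is where logons and
    # GAL lookups will stall the moment that GC is taken down.
    Get-GcInventory | Group-Object Site | ForEach-Object {
        New-Object PSObject -Property @{
            Site = $_.Name
            DCs  = $_.Count
            GCs  = @($_.Group | Where-Object { $_.IsGC }).Count
        }
    }
}

Get-GcInventory   | Sort-Object Site, Server | Format-Table Site, Server, IsGC -AutoSize
Get-GcSiteSummary | Format-Table Site, DCs, GCs -AutoSize
```

To see which GC a given client is actually being handed, run nltest /dsgetdc:<domain> /gc on that client, and compare with the SRV records under _gc._tcp.<forest root> in DNS; with a single site, every GC in the forest should appear there, which is Neil's point that they are all "equal" from the client's perspective.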
RE: [ActiveDir] Advertising RPC services - best practices - resend
Does anyone have any experiences of apps that advertise their RPC services, which they'd care to share? neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: 28 June 2005 09:24
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Advertising RPC services - best practices

Apologies for being vague :) I would like to restrict the app so it has read/write/delete to its own RPC container [in AD] and no more. Moreover, I'm interested to hear any experiences others have of similar RPC advertised apps. neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: 24 June 2005 16:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Advertising RPC services - best practices

Neil, What are you trying to restrict? Access to the App, access via RPC, or access via AD? I can help, but the scope is pretty big at this point. Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, June 24, 2005 9:40 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Advertising RPC services - best practices

Does anyone have any suggestions, comments or experiences with applications that advertise themselves via the RPCservices container in AD? Specifically, the subject of security is of interest to me, i.e. how can the application be restricted so that it has a minimum set of privileges without 'breaking' the app? I have read various MS papers on the subject and am happy with the general principles involved. I'm more interested in "real world" examples :) TIA, neil
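Neil's stated goal, read/write/delete on the app's own RPC container and nothing more, maps directly onto an AD delegation: give the application its own rpcContainer under CN=RpcServices,CN=System and grant the service account rights on that subtree only, rather than on RpcServices itself. The script below is an added example, not code from the thread or from any product. It assumes PowerShell with the .NET System.DirectoryServices assembly, an account with rights to create the container and modify its ACL, and that nested rpcContainer objects are permitted children of rpcContainer (they are in the default schema). APPCORP\svc-rpcapp and PayrollApp are placeholder names.

```powershell
# Added example: least-privilege delegation for an application that registers
# RPC name-service entries in AD. Placeholder names: APPCORP\svc-rpcapp, PayrollApp.
param(
    [string]$ServiceAccount = 'APPCORP\svc-rpcapp',   # the identity the app runs as
    [string]$AppContainer   = 'PayrollApp'            # the app's private rpcContainer
)

Add-Type -AssemblyName System.DirectoryServices

$domainNC = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
$rpcRoot  = [ADSI]"LDAP://CN=RpcServices,CN=System,$domainNC"

# 1. Create (or open) the application's own container under RpcServices.
$appPath = "LDAP://CN=$AppContainer,CN=RpcServices,CN=System,$domainNC"
if ([ADSI]::Exists($appPath)) {
    $app = [ADSI]$appPath
} else {
    $app = $rpcRoot.psbase.Children.Add("CN=$AppContainer", 'rpcContainer')
    $app.psbase.CommitChanges()
}

# 2. Resolve the service account to a SID; ACEs are stored by SID, not by name.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# 3. Grant only what an RPC name-service client needs, scoped to this subtree:
#    create/delete child objects (its rpcServer, rpcServerElement, rpcProfile and
#    rpcGroup entries) and read/write their properties, inherited to descendants.
#    Nothing is granted on CN=RpcServices itself or on any sibling container.
$rights  = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty'
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$rule    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $rights, $allow, $inherit

$app.psbase.ObjectSecurity.AddAccessRule($rule)
$app.psbase.CommitChanges()

# 4. Show what was granted so the delegation can be reviewed.
$app.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType -AutoSize
```

If the application insists on writing directly under CN=RpcServices instead of a sub-container, that is the moment to push back on the vendor: the alternative is granting create/delete on the shared container, which lets one application's account delete another's registrations.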
RE: [ActiveDir] Tuning the server service and event ID 2022 - resend
I'm interested to hear from others who've encountered similar issues and also what the default values for the keys below are for w2k3 [I've heard conflicting reports]. Any offers? thanks, neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: 22 June 2005 14:40
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Tuning the server service and event ID 2022

Whilst working with Windows NT and Windows 2000, I've encountered issues with the server service which manifest themselves as "event id 2022" http://support.microsoft.com/?kbid=245080 Specifically, I have observed this on w2k DCs (SP3) and made registry changes to the lanmanserver key as a result. See below for detail.

Maximum Work Items 65535
Maximum Raw Work Items 512
Maximum Free Connections 100
Minimum Free Connections 32

The above changes appear to have alleviated the issues and I am now researching if these changes are needed on w2k3 DCs. I have read/been informed that the w2k3 server service is self tuning and therefore will not require the above changes to be made. I have also been led to believe that the default and max values for the above keys are significantly increased when comparing w2k and w2k3. Does anyone else have any experiences / suggestions / best practices they can share on this subject? TIA, neil
RE: [ActiveDir] OT: scheduler account?
I'm sure someone will offer a more precise answer, but this is in mmddhhmmss format. i.e. 20050518144457.0Z ==
Year 2005
Month 05 (May)
Day 18
Hour 14 (2pm)
Minutes 44
Seconds 57
Or in more readable format, at 14.44 on 18th May 2005. neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 01 July 2005 07:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: scheduler account?

Hi, How do you translate the 20050518144457.0Z format into human readable format :) ? Cheers, Yann

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday 1 July 2005 01:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: scheduler account?

And from adfind:
adfind -gc -b -f name=scheduler -owner whencreated

Output would look something like

[Thu 06/30/2005 19:29:09.67] F:\temp>adfind -gc -b -f name=someuser -owner whencreated
AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
dn:CN=someuser,CN=Users,DC=joe,DC=com
whenCreated: 20050518144457.0Z
_OBJECT_OWNER: JOE\Domain Admins
1 Objects returned

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, June 29, 2005 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: scheduler account?

Jorge, Thanks for the slap alongside the head idea to use ADSIEdit to track down this account! Values of related attributes show this account was created a long time ago when we were an NT4 domain. It has been dispensed with accordingly. Thanks again! Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, June 29, 2005 1:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: scheduler account?

nope... not a default account in AD.
* see the creation date to see if you remember what happened on that date
* see the owner to see who caused the creation
Cheers, #JORGE#

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Wed 6/29/2005 6:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: scheduler account?

I have found a user account in my AD named Scheduler with a Display name of Scheduler Service Account and a Description of Gives the Scheduler network access. I don't know where it comes from. I don't see it in child domain ADs. Does anyone know the origin of this account? Maybe some software installation did it? TIA! Mike Thommes
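The whenCreated value in joe's adfind output is an LDAP GeneralizedTime: yyyyMMddHHmmss, an optional fractional-second part (the ".0"), then Z for UTC or a +hhmm/-hhmm offset. Converting it by hand is fine for one account, but when you are triaging an unknown account you usually want whenCreated, whenChanged and the password/logon timestamps side by side, and the latter (pwdLastSet, lastLogon, lastLogonTimestamp) use a different encoding, an 18-digit FILETIME integer. The script below is an added example, not from the thread, and goes slightly beyond it by handling both encodings; it assumes PowerShell 2.0 or later and is offline, using the value from joe's output as its sample.

```powershell
# Added example: decode the two timestamp encodings found on AD objects.
function ConvertFrom-GeneralizedTime {
    param([Parameter(Mandatory=$true)][string]$Value)
    # yyyyMMddHHmmss, optional ".fraction", then 'Z' or a +hhmm / -hhmm offset
    if ($Value -match '^(?<stamp>\d{14})(?:\.\d+)?(?<tz>Z|[+-]\d{4})$') {
        $culture = [System.Globalization.CultureInfo]::InvariantCulture
        $styles  = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
        $utc     = [datetime]::ParseExact($Matches.stamp, 'yyyyMMddHHmmss', $culture, $styles)
        if ($Matches.tz -ne 'Z') {
            # "+0200" means the stamp is two hours ahead of UTC, so subtract to get UTC
            $offsetMinutes = [int]$Matches.tz.Substring(1, 2) * 60 + [int]$Matches.tz.Substring(3, 2)
            if ($Matches.tz.Substring(0, 1) -eq '+') { $offsetMinutes = -$offsetMinutes }
            $utc = $utc.AddMinutes($offsetMinutes)
        }
        return $utc                      # Kind = Utc; call .ToLocalTime() for display
    }
    throw "Not an LDAP GeneralizedTime value: $Value"
}

function ConvertFrom-AdFileTime {
    param([Parameter(Mandatory=$true)][int64]$Value)
    # pwdLastSet / lastLogon / lastLogonTimestamp / accountExpires are 100ns ticks since
    # 1601-01-01 UTC. 0 means "never set"; Int64.MaxValue is the "never expires" sentinel.
    if ($Value -eq 0 -or $Value -eq [int64]::MaxValue) { return $null }
    return [datetime]::FromFileTimeUtc($Value)
}

# Sample input constructed from joe's adfind output above.
$created = ConvertFrom-GeneralizedTime '20050518144457.0Z'
"whenCreated : {0:yyyy-MM-dd HH:mm:ss} UTC ({1:G} local)" -f $created, $created.ToLocalTime()

# Illustrative FILETIME values (constructed, not from the thread): a real timestamp and the "never" sentinel.
"pwdLastSet  : {0}" -f (ConvertFrom-AdFileTime 127615634970000000)
"accountExp. : {0}" -f (ConvertFrom-AdFileTime ([int64]::MaxValue))
```

The GeneralizedTime branch returns a UTC DateTime deliberately: display it in local time with .ToLocalTime(), but compare and log it in UTC so that two admins in different time zones agree on when the Scheduler account was created.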
RE: [ActiveDir] OT: scheduler account?
I now see from your reply that I should have translated into French. I'll leave that as an exercise for the reader, in light of my laziness :)

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 01 July 2005 09:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: scheduler account?

Ok thanks neil, Have a great day :)

Cheers,
Yann

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday 1 July 2005 09:55
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] OT: scheduler account?

I'm sure someone will offer a more precise answer, but this is in mmddhhmmss format. i.e. 20050518144457.0Z ==

Year 2005
Month 05 (May)
Day 18
Hour 14 (2pm)
Minutes 44
Seconds 57

Or in more readable format, at 14.44 on 18th May 2005

neil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 01 July 2005 07:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: scheduler account?

Hi, How do you translate the 20050518144457.0Z format into human readable format :) ?

Cheers,
Yann

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Friday 1 July 2005 01:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: scheduler account?

And from adfind

adfind -gc -b -f name=scheduler -owner whencreated

Output would look something like

[Thu 06/30/2005 19:29:09.67] F:\temp>adfind -gc -b -f name=someuser -owner whencreated

AdFind V01.26.00cpp
Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003

dn:CN=someuser,CN=Users,DC=joe,DC=com
whenCreated: 20050518144457.0Z
_OBJECT_OWNER: JOE\Domain Admins

1 Objects returned

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, June 29, 2005 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: scheduler account?

Jorge,

Thanks for the slap along side of head idea to use ADSIEdit to track down this account! Values of related attributes show this account was created a long time ago when we were an NT4 domain. It has been dispensed with accordingly. Thanks again!

Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, June 29, 2005 1:09 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: scheduler account?

nope... not a default account in AD.

* see the creation date to see if you remember what happened on that date
* see the owner to see who caused the creation

Cheers,
#JORGE#

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Wed 6/29/2005 6:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: scheduler account?

I have found a user account in my AD named "Scheduler" with a Display name of "Scheduler Service Account" and a Description of "Gives the Scheduler network access". I don't know where it comes from. I don't see it in child domain ADs. Does anyone know the origin of this account? Maybe some software installation did it?

TIA!
Mike Thommes

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
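The triage Jorge suggests (look at whenCreated and the owner of an account you do not recognise) can be scripted over adfind output. The following is an added example, not code from the thread or from AdFind: it parses output of the shape joe quoted, converts the LDAP generalizedTime value into a UTC datetime (the general YYYYMMDDHHMMSS[.fraction](Z|+hhmm) form, not only the "Z" case shown), and flags accounts created before a cut-off or owned by something other than an expected group. The sample output, hostnames and account names are constructed for this example.

```python
"""Triage unexpected AD accounts from adfind output (added example).

Not code from the thread or from AdFind. Parses "dn:" records with
"attribute: value" lines (optionally prefixed with ">"), converts
whenCreated from LDAP generalizedTime into a UTC datetime and flags
accounts created before a cut-off or owned by an unexpected principal.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the adfind output quoted in the thread.
SAMPLE_ADFIND_OUTPUT = """\
AdFind V01.26.00cpp Joe Richards (joe@example.invalid) February 2005

Using server: dc01.example.invalid
Directory: Windows Server 2003

dn:CN=Scheduler,CN=Users,DC=example,DC=invalid
>whenCreated: 20050518144457.0Z
>_OBJECT_OWNER: EXAMPLE\\Domain Admins

dn:CN=svc-legacy,CN=Users,DC=example,DC=invalid
>whenCreated: 19990305081200.0Z
>_OBJECT_OWNER: EXAMPLE\\jdoe

2 Objects returned
"""

# generalizedTime: YYYYMMDDHHMMSS, optional fraction, then Z or +/-hhmm.
GENERALIZED_TIME_RE = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(?:\.(\d+))?(Z|[+-]\d{4})$"
)
ATTRIBUTE_RE = re.compile(r"^>?\s*([A-Za-z_][\w-]*):\s*(.*)$")


def parse_generalized_time(value: str) -> datetime:
    """Convert e.g. 20050518144457.0Z into an aware datetime in UTC."""
    match = GENERALIZED_TIME_RE.match(value.strip())
    if not match:
        raise ValueError(f"not a generalizedTime value: {value!r}")
    year, month, day, hour, minute, second, frac, zone = match.groups()
    micro = int((frac or "0").ljust(6, "0")[:6])
    stamp = datetime(int(year), int(month), int(day), int(hour), int(minute),
                     int(second), micro, tzinfo=timezone.utc)
    if zone != "Z":
        # A local time with an explicit offset: subtract the offset to get UTC.
        sign = 1 if zone[0] == "+" else -1
        offset = timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5]))
        stamp -= sign * offset
    return stamp


def parse_adfind(text: str) -> list:
    """Group adfind output into records: {'dn': ..., 'attributes': {...}}."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("dn:"):
            current = {"dn": line[3:].strip(), "attributes": {}}
            records.append(current)
            continue
        if current is None or not line:
            continue  # banner lines before the first dn, blank separators
        match = ATTRIBUTE_RE.match(line)
        if match:
            current["attributes"][match.group(1)] = match.group(2)
    return records


def triage(records, expected_owners, created_before) -> list:
    """Return (dn, [reasons]) for every record that deserves a closer look."""
    findings = []
    for record in records:
        attrs, reasons = record["attributes"], []
        if "whenCreated" in attrs:
            created = parse_generalized_time(attrs["whenCreated"])
            if created < created_before:
                reasons.append(f"created {created:%Y-%m-%d %H:%M:%S} UTC, "
                               f"before cut-off {created_before:%Y-%m-%d}")
        owner = attrs.get("_OBJECT_OWNER")
        if owner is not None and owner not in expected_owners:
            reasons.append(f"owner {owner!r} is not an expected owner")
        if reasons:
            findings.append((record["dn"], reasons))
    return findings


def triage_sample() -> list:
    """Run the triage over the constructed sample with an NT4-era cut-off."""
    cutoff = datetime(2000, 1, 1, tzinfo=timezone.utc)
    return triage(parse_adfind(SAMPLE_ADFIND_OUTPUT),
                  {"EXAMPLE\\Domain Admins"}, cutoff)


if __name__ == "__main__":
    for dn, reasons in triage_sample():
        print(dn)
        for reason in reasons:
            print("  -", reason)
```

Run against a real export, feed parse_adfind() the output of the adfind command from the thread and widen the filter (for example -f objectcategory=person) to review every account in one pass rather than one name at a time.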
RE: [ActiveDir] Advertising RPC services - best practices
Apologies for being vague :) I would like to restrict the app so it has read/write/delete to its own RPC container [in AD] and no more. Moreover, I'm interested to hear any experiences others have of similar RPC advertised apps.

neil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: 24 June 2005 16:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Advertising RPC services - best practices

Neil,

What are you trying to restrict? Access to the App, access via RPC, or access via AD? I can help, but the scope is pretty big at this point.

Rick

From: [EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, June 24, 2005 9:40 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Advertising RPC services - best practices

Does anyone have any suggestions, comments or experiences with applications that advertise themselves via the RPCservices container in AD? Specifically, the subject of security is of interest to me. i.e. how can the application be restricted so that it has a minimum set of privileges without 'breaking' the app? I have read various MS papers on the subject and am happy with the general principles involved. I'm more interested in "real world" examples :)

TIA,
neil
[ActiveDir] Advertising RPC services - best practices
Does anyone have any suggestions, comments or experiences with applications that advertise themselves via the RPCservices container in AD? Specifically, the subject of security is of interest to me. i.e. how can the application be restricted so that it has a minimum set of privileges without 'breaking' the app? I have read various MS papers on the subject and am happy with the general principles involved. I'm more interested in real world examples :)

TIA,
neil
[ActiveDir] Tuning the server service and event ID 2022
Whilst working with Windows NT and Windows 2000, I've encountered issues with the server service which manifest themselves as event id 2022 (http://support.microsoft.com/?kbid=245080). Specifically, I have observed this on w2k DCs (SP3) and made registry changes to the lanmanserver key as a result. See below for detail.

Maximum Work Items: 65535
Maximum Raw Work Items: 512
Maximum Free Connections: 100
Minimum Free Connections: 32

The above changes appear to have alleviated the issues and I am now researching if these changes are needed on w2k3 DCs. I have read/been informed that the w2k3 server service is self tuning and therefore will not require the above changes to be made. I have also been led to believe that the default and max values for the above keys are significantly increased when comparing w2k and w2k3.

Does anyone else have any experiences / suggestions / best practices they can share on this subject?

TIA,
neil
RE: [ActiveDir] FW: Batch Script Fun
FYI: I wrote a similar script a while back and found I ran into issues when using it in a w2k/w2k3 mixed DC environment. Has anyone used setpwd in such an environment with success?

neil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 19 June 2005 23:21
To: Send - AD mailing list
Subject: RE: [ActiveDir] FW: Batch Script Fun

Yes, that was in fact the OS it was written for ...

PS - SETPWD.EXE MUST be within the system path, current dir. will not suffice due to error handling logic.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] On Behalf Of Robert Williams (RRE)
Sent: Sunday, June 19, 2005 6:05 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] FW: Batch Script Fun

Hey Dean... I haven't tried it yet and since I'm inherently lazy I'll ask and try if I don't get a response :) Will this work against a 2003 DC as long as setpwd.exe from 2000 is available (in same directory script is run from or in the %PATH%)??

Thanks man; Cheers!!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

From: [EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Sunday, June 19, 2005 2:21 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] FW: Batch Script Fun

Enclosed as a text file ... rename to a .CMD ...

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, June 19, 2005 2:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FW: Batch Script Fun

Hmmm Let me think. YES! ;o)

Rick

From: [EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Sunday, June 19, 2005 12:57 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] FW: Batch Script Fun

I appreciate the compliment Rick ... nothing interesting this time I'm afraid ... Anybody interested in a script that resets every DC's DSRM password to the same value? ;-)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, June 19, 2005 1:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FW: Batch Script Fun

Heh I see that Dean has already answered this, so I'm most interested to see what the "Wizard of the Shell Script" has come up with

Rick

From: [EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, June 18, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FW: Batch Script Fun

Maybe this didn't go through this morning?

From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Saturday, June 18, 2005 2:34 PM
To: 'ActiveDir@mail.activedir.org'
Subject: Batch Script Fun

Ok, here's what I need to do from within a .cmd file (this is the only hook I have into a process that runs on every workstation once an hour - no I can't use a vbscript or any of that):

Check device's domain
If Domain MyDomain
  Run netdom and remove
  Reboot
Otherwise
  Quit

Now I figured out a way to use wmic to get the domain, but it returns multiple lines of text, and I don't have a clue how I would parse that in a batch file. The output of "wmic computersystem get domain" looks like this:

Z:\Files\PsTools>wmic computersystem get domain
Domain
WORKGROUP

Z:\Files\PsTools>

I just need that "WORKGROUP". Ideally my script needs to work on NT and newer. I'll settle for 2000 newer and the field guys can do the NT ones by hand if need be. The NT inventory purportedly has WMI installed, which I presume means wmic would work.

I'm all up for a different way of doing this - I don't know of an environment variable or similar holding the machine's domain. Anyone got a way I can make this work?

--brian
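Brian's parsing problem (a header line, the value, trailing spaces and blank lines) is the same whatever language does the parsing. The following is an added example, not code from the thread, written in Python rather than the batch file Brian needs: it reduces the two-line "wmic computersystem get domain" output to the bare value, also accepts the key=value style that wmic prints when "/value" is appended to the query, and refuses to guess when the header does not match. Both sample outputs are constructed.

```python
"""Extract one property value from wmic output (added example).

Not code from the thread. Handles the default table style (header line,
value line) and the "/value" style (Property=Value), tolerating CRLF
endings, trailing spaces and blank lines, and fails loudly on an
unexpected header so a failed query is not mistaken for an empty domain.
"""

# Constructed: default table output, as quoted in the thread.
SAMPLE_TABLE_OUTPUT = "Domain  \r\nWORKGROUP  \r\n\r\n"

# Constructed: the same query with "/value" appended.
SAMPLE_VALUE_OUTPUT = "\r\n\r\nDomain=corp.example.invalid\r\n\r\n\r\n"


def wmic_single_value(output: str, property_name: str) -> str:
    """Return the value for property_name from either wmic output style."""
    lines = [line.strip() for line in output.splitlines() if line.strip()]
    if not lines:
        raise ValueError("wmic produced no output")
    # "/value" style: Property=Value on a single line
    if "=" in lines[0]:
        key, _, value = lines[0].partition("=")
        if key.casefold() != property_name.casefold():
            raise ValueError(f"unexpected property {key!r}")
        return value.strip()
    # table style: header on the first non-blank line, value on the second
    if lines[0].casefold() != property_name.casefold():
        raise ValueError(f"unexpected header {lines[0]!r}")
    if len(lines) < 2:
        raise ValueError(f"no value for {property_name}")
    return lines[1]


def domain_matches(output: str, target_domain: str) -> bool:
    """True when the reported domain equals target_domain, case-insensitively.

    A machine that is not domain-joined reports its workgroup name here
    (WORKGROUP in Brian's sample), so a mismatch covers that case too.
    """
    return wmic_single_value(output, "Domain").casefold() == target_domain.casefold()
```

The decision Brian's script takes on the result (run netdom, reboot, or quit) is left to the caller; domain_matches() only answers the comparison.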
[ActiveDir] Objects found in LostandFoundConfig
Through testing I have found that a forest FFL may not be raised if orphaned NTDS objects exist in the LF container in the Config NC. Whilst I understand why this is the case, I'm not sure I fully understand why these orphans exist. I can inspect the lastKnownParent attribute (for these orphans) and am pretty sure what is returned are DCs which have been removed over the years. Why should some (but not all) of the removed DCs leave behind orphans in this way?

TIA,
neil
RE: [ActiveDir] Unexpected WINS registering behavior
FYI: I tried the below and *did* see the same (odd) behaviour - WINS entries 'flipped'. I'm not sure if perhaps the WINS client flips to another WINS server if the server does not respond within n msec??

neil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Kevin Taco
Sent: 16 June 2005 21:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unexpected WINS registering behavior

More info: I set up a test lab:

1 Windows 2003 SP1, WINS installed
1 Windows 2003 SP1, WINS installed
1 XP SP2 client

Generic installs of WINS on each server. Set up Push/Pull replication between them. No other server configs done. Client points to the servers' IPs for WINS. All boxes are on the same subnet on the same isolated switch.

Doing a nbtstat -RR exhibits the same behavior. It swaps the WINS servers each time.

Can someone else try:

ipconfig /all = note the WINS order
nbtstat -RR
ipconfig /all = see if the WINS order changed

I'm stumped...

-alex

On Thu, 16 Jun 2005 08:41:57 -0700, Kevin Taco [EMAIL PROTECTED] said:
We have two WINS servers and one DHCP server. All are on different subnets. Is this what you were asking?

On Thu, 16 Jun 2005 16:54:22 +0200, Jorge de Almeida Pinto [EMAIL PROTECTED] said:
Are you using different DHCP servers that service the same subnet but where the WINS IP addresses are switched?

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Kevin Taco
Sent: Thursday 16 June 2005 16:23
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unexpected WINS registering behavior

I hope this email pertains to this mailing list. I apologize if it isn't.

Two WINS servers, both set up as replication partners with each other with push/pulls. From Win2k, XP, and Win2k3 clients:

1. ipconfig /all
2. Primary WINS: 10.x.x.x Secondary WINS 192.x.x.x
3. nbtstat -RR
4. ipconfig /all
5. Primary WINS: 192.x.x.x Secondary WINS 10.x.x.x

Essentially the Primary and Secondary WINS servers get switched after doing a nbtstat -RR. Is this to be expected? What am I missing? Has anyone else seen this? Any help is greatly appreciated.

Thnx,
Kevin
RE: [ActiveDir] Nt v4.0 in 2k Domain Issue
I found I needed to set "Network access: Allow anonymous SID/Name translation" to Enabled. This is required to allow translation across trusts but then again, your NT servers are in the same domain as the DCs (I assume).

neil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: 17 June 2005 12:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Nt v4.0 in 2k Domain Issue

The first that I thought of was the RestrictAnonymous registry configuration on W2K DCs (http://www.jsifaq.com/SUBF/TIP2600/rh2625.htm) (QUOTE: Never set RestrictAnonymous to a 2 in a mixed-mode environment that includes down-level clients).

Also have a look at "Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments" (http://support.microsoft.com/?id=823659). Especially take a look at the configurations with the "Network access" words. Maybe you recognize a configuration that is the source of your problem.

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Friday 17 June 2005 12:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Nt v4.0 in 2k Domain Issue

All,

Recently we've added another 6 or so domain controllers to our Windows 2k (Native Mode) domain. All servers are using the same configuration (SP3, bunch of hotfixes). We have started getting reports of NT v4.0 Servers falling off the domain. Users are unable to log onto the server with a domain account, but can with a local account. When I look at the usrmgr entries for the Administrators group (for example), all of the domain accounts are listed as "Account Unknown". All NT v4.0 Servers are SP6a.

I've removed one of the NT machines from AD, deleted the computer account, re-added it, and that seems to work. When the machine reboots however, the problems come back.

I've used the NLTEST utilities from the reskit, but keep getting Access Denied errors when using the SC_QUERY and SC_RESET commands, so can't see what server the machine has tried to form a secure channel with.

Now.. If I turn off all the new domain controllers, and force the server to use one of the old ones, the problem goes away, so obviously there is some difference between the DCs. I've gone through technet for hours, google, done file diffs on registry dumps, and a bunch of other things, but can't see why a machine would be able to form a secure channel with one domain controller, but not another. I initially suspected it to be the SMB signing issue I've had before, but all domain controllers are set to the same values.

I'm starting to wonder if it may be this problem: http://support.microsoft.com/default.aspx?scid=kb;en-us;275020

Could anyone possibly shed some light on this one? We are trying to replace the old Domain Controllers (Dual PII 700's) with new ones (Dual Opterons), but at this stage, I can't remove any of the old DCs due to this problem. Our Windows 2000 / 2003 Servers don't appear to be having any issues with the new servers, and things like Exchange are quite happily using them for GCs etc. Obviously getting rid of NT v4.0 is the preferred solution, however that won't be completed until about September.

TIA
Glenn
[ActiveDir] Default value for some lanmanserver parameters
We have recently had issues which led us to change various parameters on our w2k DCs. We plan to implement w2k3 DCs in the near future and would like to better understand the default and max values that these parameters may take.

Parameters in question with values used on w2k DCs:

MaxWorkItems: 65535
MaxRawWorkItems: 512
MaxFreeConnections: 100
MinFreeConnections: 32

Are the w2k3 defaults documented anywhere? I am concerned that by applying the above settings we may adversely affect w2k3 DCs, where the defaults are perhaps greater than the above.

Thanks,
neil
RE: [ActiveDir] Virtual Domain Controllers
I haven't deployed virtual DCs and always shy away from this concept, personally.

1. Management tools of virtual machines still appear to be immature (IMHO). i.e. how would you manage / patch / configure / administer all machines in a uniform, centralised fashion, regardless of physical/virtual status?

2. DC performance is paramount, esp. in larger organisations. I would need to be convinced that a virtual DC could compete with its physical counterpart. If I deploy DCs with 4Gb RAM / separate disk spindles for Db and logs etc etc then I'd be surprised if a virtual DC could equal the performance.

Note: Some of the above is not DC specific, but covers my main concerns.

neil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 16 June 2005 13:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

All,

Is anybody currently running Domain Controllers in VMware or Virtual Server? Have there been any problems with this environment? There is a big push at my company to virtualize every environment but, I am sure Domain Controllers should be virtualized. One of my biggest concerns is the snapshot feature. I do not have full control over the Domain Controllers and I worry that another Admin will take a snapshot of the DC and make a few changes and if they don't work, revert to the snapshot before the changes. Wouldn't this be the same as using an older ghost image of the DC? I'm just looking for some feedback to see if this is a viable solution.
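The snapshot worry in the original post is well founded, and the reason is the same one that makes an old ghost image dangerous: replication bookkeeping. The following is an added example, a simplified model rather than Windows code or anything from the thread. Each DC numbers its local changes with a USN that only ever increases and identifies its database instance with an invocation ID; a partner remembers the highest USN it has already pulled from that instance and only asks for newer changes. Reverting a snapshot winds the USN back while keeping the invocation ID, so the partner believes it is current and the changes re-made on the reverted DC are either flagged (Windows DCs check for this condition and quarantine the DC) or, once the DC's USN climbs past the partner's watermark again, silently skipped. A supported restore from backup issues a new invocation ID, so the partner starts afresh. DC names and counts below are constructed.

```python
"""Snapshot revert versus supported restore on a DC (added example).

A simplified model, not Windows code and not from the thread. It keeps
only the per-partner high-watermark; real AD also tracks an
up-to-dateness vector, which this model omits.
"""
import uuid
from dataclasses import dataclass, field


class UsnRollbackError(RuntimeError):
    """Raised when a source's USN is below what a partner has already seen."""


@dataclass
class DomainController:
    name: str
    invocation_id: str = field(default_factory=lambda: str(uuid.uuid4()))
    usn: int = 1000
    # partner invocation ID -> highest USN already replicated from it
    high_watermarks: dict = field(default_factory=dict)

    def commit(self, changes: int = 1) -> int:
        """Record local changes; USNs only ever increase on a healthy DC."""
        self.usn += changes
        return self.usn

    def snapshot(self) -> tuple:
        return (self.invocation_id, self.usn)

    def revert_snapshot(self, snap: tuple) -> None:
        """Hypervisor-style revert: database state and invocation ID both go back."""
        self.invocation_id, self.usn = snap

    def restore_from_backup(self, snap: tuple) -> None:
        """Supported restore: old data, but a fresh invocation ID."""
        _, self.usn = snap
        self.invocation_id = str(uuid.uuid4())


def replicate(source: DomainController, dest: DomainController) -> int:
    """Pull from source into dest; return how many USNs were fetched."""
    seen = dest.high_watermarks.get(source.invocation_id, 0)
    if source.usn < seen:
        raise UsnRollbackError(
            f"{source.name}: USN {source.usn} is below {dest.name}'s "
            f"high-watermark {seen} for invocation {source.invocation_id}")
    fetched = source.usn - seen
    dest.high_watermarks[source.invocation_id] = source.usn
    return fetched


def scenario(use_supported_restore: bool, changes_after: int = 10) -> dict:
    """Snapshot DC1, change it, replicate to DC2, go back, change, replicate again."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    replicate(dc1, dc2)               # DC2 now holds DC1 up to USN 1000
    snap = dc1.snapshot()
    dc1.commit(50)                    # 50 changes after the snapshot
    replicate(dc1, dc2)               # DC2's watermark for DC1 is now 1050
    if use_supported_restore:
        dc1.restore_from_backup(snap)
    else:
        dc1.revert_snapshot(snap)
    dc1.commit(changes_after)         # changes made on the rolled-back DC
    try:
        fetched = replicate(dc1, dc2)
    except UsnRollbackError:
        return {"rollback_detected": True, "changes_made": changes_after, "fetched": 0}
    return {"rollback_detected": False, "changes_made": changes_after, "fetched": fetched}
```

scenario(False) is the snapshot-revert case and is caught; scenario(False, changes_after=60) shows the quieter failure, where DC1 has overtaken the partner's watermark and DC2 fetches only the last 10 of 60 changes without any error. scenario(True) is the supported restore: the new invocation ID makes DC2 pull everything again.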
RE: [ActiveDir] Unexpected WINS registering behavior
Shooting in the dark a little, but would this imply that clients have failed over to the secondary WINS server? i.e. the first WINS server was unavailable and thus the secondary was used. If the release/refresh failed on 10.x.x.x, the client would then attempt to perform a similar refresh on 192.x.x.x

neil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Kevin Taco
Sent: 16 June 2005 15:23
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unexpected WINS registering behavior

I hope this email pertains to this mailing list. I apologize if it isn't.

Two WINS servers, both set up as replication partners with each other with push/pulls. From Win2k, XP, and Win2k3 clients:

1. ipconfig /all
2. Primary WINS: 10.x.x.x Secondary WINS 192.x.x.x
3. nbtstat -RR
4. ipconfig /all
5. Primary WINS: 192.x.x.x Secondary WINS 10.x.x.x

Essentially the Primary and Secondary WINS servers get switched after doing a nbtstat -RR. Is this to be expected? What am I missing? Has anyone else seen this? Any help is greatly appreciated.

Thnx,
Kevin
RE: [ActiveDir] Load balancing LDAP request among my DCs - Correction :)
I understand your concerns and requirements but you include too many subjective words / phrases for my liking :) i.e. "heavy load", "plenty of queries", "deserve efficiently". Best of luck with the SRV weight changes.

neil

-----Original Message-----
From: TIROA YANN [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 13 June 2005 18:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs - Correction :)

"busy" in terms of all queries (LDAP, auth...) pointing to only one DC, which causes heavy load. These loads affect system resources (memory, CPU, ..). All my DCs have the same system resources (1 GB RAM, dual processor, etc..). When monitoring DC queries, always the same DC suffers from these queries ;(

Maybe I have this simple picture of load balancing in my mind... 1 DC receives plenty of queries (LDAP or auth) that it can not deserve efficiently. I imagine that it can forward a certain amount (a ratio ?) of those queries to another DC less "busy".. But maybe it is a "too simple" reflection :)

Anyway, if DCs can not load-balance LDAP queries, I will then check your link and alter SRV record weights/priorities in DNS.

Regards,
Yann

From: [EMAIL PROTECTED] on behalf of Ruston, Neil
Date: Mon. 13/06/2005 17:52
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs - Correction :)

Well, yes and no. DNS does load balance via round robin, as Jorge alluded to. DCs do not load balance based upon your requirements, where a request is forwarded to another DC if the receiver is "busy". After all, what is the definition of busy??

neil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 13 June 2005 16:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs - Correction :)

Ok, thanks for the reply. Your tip might tell me that AD2003 seems to be *UNABLE* (and not enable - sorry for my english :)), natively, to load balance such queries, strange .. :( I will check your link for more information.

Cheers,
Yann

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday 13 June 2005 16:20
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs

Have you considered altering SRV record weights/priorities in DNS? Check out this article http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/df86810b-9fc5-49b8-a704-d01c042cf460.mspx - it may relate to the PDC but applies to DCs in general too.

neil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 13 June 2005 15:04
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Load balancing LDAP request among my DCs

Hello,

I have a site with 4 DCs 2003. It seems that one of my DCs can not deal with a large number of LDAP queries, GC Response and NTLM/Kerberos Auth. I misunderstand something but is my DC 2003 able to check that it cannot deserve these queries and forward automatically these queries to another DC that is less busy? In other words, can AD 2003 natively load-balance queries to another less busy DC?

Regards,
Yann
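Neil's pointer to SRV weights and priorities works because of a rule implemented on the client side, not on the DC: a resolver takes the records with the lowest priority value and picks among them at random in proportion to their weights (RFC 2782). The following is an added example, not code from the thread or from Windows, that implements that selection and simulates the share of lookups each DC would receive for a record set, so a weight or priority change can be sanity-checked before it is made in DNS. It also covers the two cases most relevant to draining a DC, a record with weight 0 and a record with a higher priority value, for which this thread's text gives no detail. The record set and hostnames are constructed.

```python
"""DNS SRV selection by priority and weight (added example).

Not code from the thread or from Windows. select_srv() applies the RFC
2782 rule a client uses; simulate() counts how the choice is distributed
over many lookups for a given record set.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed: four DCs advertised under _ldap._tcp.dc._msdcs.<domain>.
# dc3 has weight 0 (being drained), dc4 a higher priority value (standby).
SAMPLE_RECORDS = [
    SrvRecord(0, 100, 389, "dc1.example.invalid"),
    SrvRecord(0, 100, 389, "dc2.example.invalid"),
    SrvRecord(0, 0, 389, "dc3.example.invalid"),
    SrvRecord(10, 100, 389, "dc4.example.invalid"),
]


def select_srv(records, rnd=random.random) -> SrvRecord:
    """Pick one record: lowest priority value wins, then weighted random.

    rnd is a callable returning a float in [0, 1); it is injectable so the
    choice can be made deterministic. Simplification: a weight-0 record is
    chosen only when every candidate has weight 0 (RFC 2782 gives it a
    very small but non-zero chance alongside weighted records).
    """
    if not records:
        raise ValueError("no SRV records")
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return candidates[int(rnd() * len(candidates)) % len(candidates)]
    point = rnd() * total
    running = 0
    for record in candidates:
        running += record.weight
        if point < running:
            return record
    return candidates[-1]


def simulate(records, lookups: int, seed: int = 0) -> dict:
    """Count how many of `lookups` selections land on each target."""
    rng = random.Random(seed)
    counts = {r.target: 0 for r in records}
    for _ in range(lookups):
        counts[select_srv(records, rng.random).target] += 1
    return counts


if __name__ == "__main__":
    for target, n in simulate(SAMPLE_RECORDS, 10000).items():
        print(f"{target:24} {n:6}")
```

Note what the simulation does not model: the DC Locator's site awareness and the fact that clients cache the DC they found, so a weight change shifts new lookups, not sessions already established.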
RE: [ActiveDir] DCPROMO over a 128\256K line
As per previous threads - if the system state is larger than a CD (or DVD) then you still need to copy the system state over the wire so as to use the /adv switch. If this is the case, then you may as well simply promote over the wire in the traditional manner.

neil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Tim Foster
Sent: 13 June 2005 14:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPROMO over a 128\256K line

If you are promoting a W2K3 machine, you can run dcpromo /adv. This will allow you to replicate AD from a backup of system state data - copy the backup of system state data for one of your existing DCs to a CD, ship the CD to your remote location. Copy the contents of the CD to disk (do not restore it!), then run dcpromo /adv. You will still need network connectivity with HQ.

Tim

From: [EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Monday, June 13, 2005 9:14 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] DCPROMO over a 128\256K line

I have a server at a remote location that I need to DCPROMO. Two of my colleagues were at this location a few months ago and tried to DCPROMO it after a fresh rebuild but the sync took down the line (it was running at 56K with a burst speed of 128K). We have finally gotten the line upgraded to a 128K line with a 256K burst. I'm not all that great with my math on these slow links but I was wondering if it would be possible to conduct a DCPROMO while making that DC a global catalog over this size link?

Right now, I'm going to have someone there power it up so I can do a forced demote and then I will remove AD from it (as this box is currently tombstoned) then ensure that I delete it out of my AD. After that I will need to bring it back up and I'm trying to determine the best course of action:

1) DCPROMO it remotely and let it kill the line over a weekend
2) Have them ship the server to me for rebuilding (it's in Canada, I'm in the US)
3) Install a DC on a laptop and carry it up there and conduct the DCPROMO

I would like to do the first one for cost and time reasons, however I'm not sure if the replication will be able to occur over this slow of a line in time. Does item one sound like it would work or is the line too small to do this type of sync with? Currently, my NTDS and SYSVOL folders are only 226 megs combined. What path do you guys suggest I follow?

Thanks,
Charlie
RE: [ActiveDir] Load balancing LDAP request among my DCs - Correction :)
Well, yes and no. DNS does load balance via round robin, as Jorge alluded to. DCs do not load balance based upon your requirements, where a request is forwarded to another DC if the receiver is busy. After all, what is the definition of busy??
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 13 June 2005 16:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs - Correction :)

Ok, thanks for the reply. Your tip might tell me that AD2003 seems to be *UNABLE* (and not enable - sorry for my english :)), natively, to load balance such queries, strange .. :( I will check your link for more information.
Cheers,
Yann

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday 13 June 2005 16:20
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs

Have you considered altering SRV record weights/priorities in DNS? Check out this article http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/df86810b-9fc5-49b8-a704-d01c042cf460.mspx - it may relate to the PDC but applies to DCs in general too.
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 13 June 2005 15:04
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Load balancing LDAP request among my DCs

Hello,
I have a site with 4 DCs 2003. It seems that one of my DCs can not deal with a large number of LDAP queries, GC responses and NTLM/Kerberos auth. I misunderstand something, but is my DC 2003 able to check that it cannot serve these queries and forward automatically these queries to another DC that is less busy? In other words, can AD 2003 natively load-balance queries to another less busy DC?
Regards,
Yann

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
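To make Neil's SRV weight/priority suggestion concrete, here is an added example (written for this digest, not code from the list or from Microsoft) that applies the RFC 2782 selection rule to a constructed set of _ldap._tcp SRV records for four DCs and shows how lowering one DC's weight shifts the share of first-choice lookups away from it. Hostnames, weights and the example.com zone are assumptions, and the Windows DC locator's exact algorithm differs in detail from the RFC rule modelled here.

```python
"""RFC 2782 priority/weight selection over constructed _ldap._tcp SRV records.

Added example for the load-balancing thread above; not code from the list or
from Microsoft. Hostnames, ports, weights and the example.com zone are
constructed sample data.
"""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower is tried first
    weight: int    # relative share within one priority
    port: int
    target: str


def order_srv(records, rng):
    """Return the records in the order a client should try them.

    RFC 2782 rule: priority groups ascending; inside a group each record is
    drawn with probability proportional to its weight, and weight-0 records
    are listed first so they are picked only when the random draw is 0.
    """
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)  # weight 0 first
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running = 0
            for idx, rec in enumerate(group):
                running += rec.weight
                if running >= pick:
                    ordered.append(group.pop(idx))
                    break
    return ordered


def ordered_targets(records, seed=0):
    """Targets in try-order for one lookup, deterministic for a given seed."""
    return [r.target for r in order_srv(records, random.Random(seed))]


def first_choice_shares(records, trials=10_000, seed=1):
    """Fraction of lookups in which each target is the client's first choice."""
    rng = random.Random(seed)
    counts = Counter(order_srv(records, rng)[0].target for _ in range(trials))
    return {target: counts[target] / trials for target in sorted(counts)}


# Constructed zone data: four DCs in one site, all at priority 0 with equal
# weight, plus dc5 at a worse priority (tried only if all the others fail).
STANDBY = SrvRecord(priority=10, weight=100, port=389, target="dc5.example.com")
EQUAL = [SrvRecord(0, 100, 389, f"dc{i}.example.com") for i in (1, 2, 3, 4)] + [STANDBY]

# The same zone after lowering the overloaded dc4's weight from 100 to 10,
# the kind of change Neil suggests (Netlogon's LdapSrvWeight on that DC, or
# editing the registered record).
REBALANCED = [SrvRecord(0, 10, 389, r.target) if r.target == "dc4.example.com" else r
              for r in EQUAL]


if __name__ == "__main__":
    for label, zone in (("equal weights", EQUAL), ("dc4 weight 10", REBALANCED)):
        print(label, first_choice_shares(zone))
    print("try order, one lookup:", ordered_targets(REBALANCED, seed=42))
```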
RE: [ActiveDir] Sites to restrict traffic,
If you have your site links and costs set up correctly to reflect your underlying network topology and infra, then this should not be a concern, since you have already informed AD where and how it should replicate data. If 2 sites are replicating and you do not want them to, then either remove the link, or increase the cost, but naturally, you need to ensure that an alternative path exists between these 2 sites.
I'm intrigued to know why you think you need to enforce these restrictions. If your underlying network allows data to flow from A to B then why not allow AD to use that underlying transport system?
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: 10 June 2005 09:59
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sites to restrict traffic,

Hello,
How can I use sites to prevent traffic from flowing from one site to another? I have a domain controller for each site, and I want to stop traffic flowing in a certain direction (kind of like the trust relationships in Windows NT).
thanks
r.c.
RE: [ActiveDir] Sites to restrict traffic,
OK, that makes sense, although as you say, this is still not possible. We don't (yet) have read-only DCs so this is just a non-starter :) I'd still like to hear the justification / explanation for such a behaviour.
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 10 June 2005 15:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sites to restrict traffic,

I read that differently than you did Neil. I read it as how do I allow replication to go in one direction... into a site but not from the site back, say like in a weird DMZ type configuration or something. If that is what the question is, the answer is you don't... successfully. You may get it working but it will break when the DC can't update its own info in the rest of the environment.
joe
RE: [ActiveDir] One way Trust
I believe the new Trust Wizard will allow *both* sides of the trust to be created from the same wizard, assuming credentials in the trusting domain can be provided. If the domains exist in the same forest, then there *may* be an argument for a shortcut trust, but that's another discussion ... :)
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: 10 June 2005 16:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] One way Trust

Hi Juan
Are these domains in separate forests? If so, you use the Active Directory Domains and Trusts snap-in to create the trusts with Domain B trusting Domain A. Create Domain A as a trusted domain in Domain B and then add Domain B as a trusting domain in Domain A, IIRC. If they are in the same forest you shouldn't have to create a trust at all.
Regards
Peter Johnson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan
Sent: 10 June 2005 17:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] One way Trust

Hi,
I need to add a trust between an AD 2003 domain and an AD 2000 domain. I need Domain A users to be able to access resources in Domain B. Do I do it from the Domain B side or both?
Thanks,
Juan
RE: [ActiveDir] Modifying behaviour of Users and Computers snap-in
The object cn=user-display,cn=409,cn=displayspecifiers,cn=configuration,dc=xxx,dc=yyy, attribute adminpropertypages may be altered. [409 refers to the English language; others may be in use in your org.] Additional entries may be provided - one per additional attribute to be exposed in the UI. An example is found here: http://www.windowsitpro.com/Article/ArticleID/21588/21588.html
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: 07 June 2005 12:18
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Modifying behaviour of Users and Computers snap-in

Good day to you all.
How can the Users and Computers snap-in be modified to display additional properties? For example I might wish to see the employeeID property of a user in the Organization tab.
Regards
Peter Jessop
RE: [ActiveDir] ADPrep /Forestprep and /DomainPrep
No. That would be pretty painful in an env with hundreds of DCs :) The below commands simply extend the schema and make other minor changes in the config and domain NCs.
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: 02 June 2005 16:56
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADPrep /Forestprep and /DomainPrep

Do ADPrep /forestprep and /domainprep require rebooting of the domain controllers?
Thanks,
Z.V.

== This message is for the sole use of the intended recipient. If you received this message in error please delete it and notify us. If this message was misdirected, Credit Suisse, its subsidiaries and affiliates (CS) do not waive any confidentiality or privilege. CS retains and monitors electronic communications sent through its network. Instructions transmitted over this system are not binding on CS until they are confirmed by us. Message transmission is not guaranteed to be secure. ==
RE: [ActiveDir] Enhancement Question
It's funny how people approach AD this way - i.e. deploy and look to justify its existence thereafter :) When AD was designed and a business case was created, what were the perceived benefits back then? Why not try to create additional benefit along those lines?
We all have different reasons for deploying AD - to some it's simply an upgrade, to others it's seen as a way to simplify / improve the Windows environment in many different ways. Identify your initial reasons for deploying AD and then build from there.
For the record, I would argue that the end user need not see real, tangible benefits in order that AD be seen to benefit the business itself. The real benefits are normally less tangible.
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: 31 May 2005 16:05
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Enhancement Question

This is an odd question. We have just about finished rolling out AD 2003 (from an NT domain) and I have been charged with finding several ways to utilize Active Directory to optimize the management of our applications and infrastructure. At least one of the solutions should enhance functionality directly for the user community. I'm having problems finding ways to enhance functionality for the end-users. Besides tying AD into one of our outsourced web based applications to reduce their password count, I'm stretching. I know of a number of management and infrastructure enhancements that could be made, but none enhance the functionality of our end-users to a point where they will notice it and say "Wow, now that's cool". Does anyone know of a location where I can get ideas on this topic? Increased security, stability, management: these core things are not seen by the end-user even though they directly affect them. I need to find something that the end-users will like to see and something that benefits them. I'm just coming up blank on this. In the past, I have always been instructed to use AD in ways that the end-user doesn't notice but which increase the functionality.
Thanks,
Charlie
RE: [ActiveDir] Error in PDC Operations Master
The following: http://support.microsoft.com/?kbid=305475 appears to suggest the pool size is considerably larger. Bear in mind also, Mark, that seizure of the PDC role should not / will not be performed on a regular basis and the 1 million increment will not, therefore, represent an issue.
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 31 May 2005 10:08
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master

As a by the way: I remember attending an Active Directory session last year at TechEd Amsterdam, where it was stated that the RID pools were not unlimited and it was a finite number, something like 143 million RIDs per domain; now if it increases by 1 million every time automatically, plus you have a lot of objects in your AD, 143 million does not seem that many. The session was a John Craddock session, on AD as part of the pre-conference programme. Can anyone confirm this number and confirm the matter?
Regards
Mark

-Original Message-
From: Jorge de Almeida Pinto [EMAIL PROTECTED]
Date: Tue, 31 May 2005 10:31:02
To: ActiveDir@mail.activedir.org, Send - AD mailing list [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean,
You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool is increased automatically by 1 million. Thanks for the info and sorry for the wrong info about the need to manually increase the RID available pool. Is the automatic increase somehow dependent on another variable (like number of DCs and/or number of days or something else)? Or is it a fixed value?
Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday 31 May 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Sunday, May 29, 2005 5:22 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because you are seizing and not transferring, and as the NEW RID Manager object may not be up-to-date on the remaining DCs (because replication halted/stopped for some reason), you may want to increase the Ridavailablepool attribute (on the RID Manager object in the domain) for the NEW RID MANAGER FSMO (just to be sure).
Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday 27 May 2005 22:53
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Yes, but a fleeting one in most cases. You'll need to seize the roles assigned to the errant DC. In terms of who owns the roles, you are only interested in the perspective of the other DCs. The PDC FSMO serves many purposes and is indeed an important DC but even it can tolerate downtime.
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because I believe my errant DC to be my PDC, will that be a problem demoting it and then re-introducing it to the domain? Here is a screen shot of my Operations Masters...
http://www.mjbdesignz.com/temp/OM.htm
Thanks,
--
Matt Brown [ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 12:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

That's what I expected.
Choice 1 - Mod. the registry and permit the errant DC to re-enter the replication topology (not recommended)
Choice 2 - Forcibly demote the errant DC, cleanup its metadata and reintroduce it through DCpromo
Caveats -
Choice 1: lingering objects may exist
Choice 2: you'll lose any changes locally introduced to the errant DC that occurred after its last successful replication attempt
?
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

1. Number of DCs/Domain/Sites
3 Sites - Site A has DC1 DC2 - Site B DC3
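To put Mark's and Neil's figures side by side, here is an added example (not code from the list or from Microsoft) that decodes a rIDAvailablePool value into its two 32-bit halves and models what the skip on seizure does to the remaining pool. The sample attribute value is constructed, and the 1,000,000 increment is simply the figure quoted in the thread, treated as a parameter.

```python
"""Decode a domain's rIDAvailablePool value and model a RID-master seizure.

Added example for the RID-pool discussion above; not code from the list or
from Microsoft. Assumed layout: the attribute is a 64-bit large integer whose
high 32 bits hold the highest RID the domain may allocate and whose low 32
bits hold the next RID to hand out. The sample value is constructed; the
1,000,000 seizure increment is the figure quoted in the thread.
"""
from dataclasses import dataclass

# Highest RID a domain with the default ceiling can allocate: 2**30 - 1.
DEFAULT_MAX_RID = 0x3FFF_FFFF
# Constructed sample: a young domain whose next unallocated RID is 2100.
SAMPLE_RID_AVAILABLE_POOL = 4611686014132422708
# Jump applied to the next-RID field on seizure (figure from the thread).
SEIZURE_INCREMENT = 1_000_000


@dataclass(frozen=True)
class RidPool:
    max_rid: int   # high 32 bits of rIDAvailablePool
    next_rid: int  # low 32 bits of rIDAvailablePool

    @classmethod
    def decode(cls, value):
        """Split the large-integer attribute into its two halves."""
        if not 0 <= value < 1 << 64:
            raise ValueError("rIDAvailablePool must be an unsigned 64-bit value")
        return cls(max_rid=value >> 32, next_rid=value & 0xFFFF_FFFF)

    def encode(self):
        """Rebuild the attribute value from the two halves."""
        return (self.max_rid << 32) | self.next_rid

    @property
    def remaining(self):
        """RIDs the domain can still allocate (next_rid itself is unused)."""
        return self.max_rid - self.next_rid + 1

    def seize(self, increment=SEIZURE_INCREMENT):
        """Pool as it looks after the new RID master skips `increment` RIDs."""
        new_next = self.next_rid + increment
        if new_next > self.max_rid:
            raise ValueError("seizure would exhaust the RID pool")
        return RidPool(self.max_rid, new_next)

    def seizures_affordable(self, increment=SEIZURE_INCREMENT):
        """How many such seizures the remaining pool could absorb."""
        return self.remaining // increment


if __name__ == "__main__":
    pool = RidPool.decode(SAMPLE_RID_AVAILABLE_POOL)
    print("before:", pool, "remaining", pool.remaining)
    after = pool.seize()
    print("after seizure:", after, "remaining", after.remaining)
    print("seizures affordable:", pool.seizures_affordable())
```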
RE: [ActiveDir] DC's not replicating
I guess if the server were described as rouge it would be problematic since it would not be visible :) Great faux pas!
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Blair, James
Sent: 25 May 2005 23:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC's not replicating

Had the same issue in a remote site and agree with Freddy. Once you have done this you need to do a metadata cleanup using ntdsutil and remove all instances of the rouge server from AD and the schema; Q216498 applies. Should the server have been an FSMO role holder you will need to seize/transfer that role/s; in this instance Q255504 applies. I would then advise you rename the server, put it back on the domain and re-DCPROMO it. Do you have a DNS server in that site?
James

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, 26 May 2005 8:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC's not replicating

/Forceremoval?
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Thursday, May 26, 2005 12:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC's not replicating

Getting a continuous flow of these errors on one of our remote DCs. Can't even log into it as my own domain admin account (says invalid user/pass) so I have to log in as administrator. Won't let me demote it even, says directory service invalid. Any ideas?

Active Directory did not perform an authenticated remote procedure call (RPC) to another domain controller because the desired service principal name (SPN) for the destination domain controller is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
Destination domain controller: b2293e9b-4f9c-4bd7-9b63-ab8c3ab002b8._msdcs.ourdomain.com
SPN: E3514235-4B06-11D1-AB04-00C04FC2DCD2/b2293e9b-4f9c-4bd7-9b63-ab8c3ab002b8/[EMAIL PROTECTED]
User Action
Verify that the names of the destination domain controller and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination domain controller has been recently promoted, it will be necessary for the local domain controller's computer account data to replicate to the KDC before this computer can be authenticated.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
RE: [ActiveDir] restructuring domain
Might I respectfully suggest that before a plan is drafted, precise requirements be documented, with justification and therefore sponsorship. Your project is doomed to failure without this scoping and management buy-in from day one.
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: 26 May 2005 13:37
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] restructuring domain

Freddie
This is really a worst case scenario. ¡A school! On this listing are many people who know better than I, but I suggest: lower your boss's expectations. I don't think it is realistic in a week. You will only clean up this environment when you reinstall the PCs. Applying group policy on this setup may not be sufficient to obtain your expectation. You also need antivirus, a SUS server for patch updates, user policy. Before you start I would write down a plan and cost it in terms of money and person hours. I hope you don't have to give classes as well!
Good luck
Peter Jessop
[ActiveDir] Missing built-in objects
In a lab I have a domain in w2k native mode, that has a w2k3 DC hosting the domain FSMO roles and additional w2k DCs. I have also built a virtual w2k3 DC in a single domain forest and raised the domain and forest functional levels to w2k3 native. I have noticed that the virtual env has additional built-in objects which the lab does not.
Additional objects (missing from the lab) shown below:
Digest Authentication
Incoming forest trust builders
Local service
Network service
NTLM authentication
Other organisation
Remote interactive logon
Schannel authentication
Terminal server user
This organisation
As a result, certain services are not functioning correctly, since they are configured to logon using one of the built in accounts shown above. Can anyone shed any light on this odd issue?
Thanks,
neil
RE: [ActiveDir] Missing built-in objects - ignore
Please disregard this post. The PDC role in the *root* domain needs to be hosted by a w2k3 DC in order that the well known SPs are updated in the Config NC.
neil
RE: [ActiveDir] LOGOFF Notice/warnings..
How about a simple script to show a dialog which is run from the Logoff script? What exactly are you trying to achieve and why?
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sanz de Leon, Juan Carlos
Sent: 25 May 2005 12:49
To: ActiveDir@mail.activedir.org
Cc: Quintanilla Caja, Rafael
Subject: [ActiveDir] LOGOFF Notice/warnings..

Dear gurus,
Does anyone know any tricks, or if it's possible, to put "Disclaimers/Warnings/Notices" on domain workstations when users LOGOFF the PC?
Thanks in advance,
Juan Carlos Sanz

Confidentiality Notice: This transmission is confidential and intended solely for the person to whom it is addressed. It may contain privileged and confidential information. If you are not the intended recipient, you should not copy, distribute or take any action in reliance on it. If you believe that you have received this transmission in error, please notify the sender.
Aeropuertos Españoles y Navegación Aérea
RE: [ActiveDir] Access denied connecting to remote Event Logs - resolved
Having granted Auth Users read access to the Winreg registry key, this issue is now resolved.
neil
PS Case opened with MS to discuss this issue further, since auth users should *not* need rights on the winreg key on a DC.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 23 May 2005 09:58
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Access denied connecting to remote Event Logs

Neil
Have you seen 323076?
Mark

-Original Message-
From: Ruston, Neil [EMAIL PROTECTED]
Date: Mon, 23 May 2005 09:13:01
To: 'ActiveDir@mail.activedir.org' ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Access denied connecting to remote Event Logs

John,
To re-iterate, I am using an account with membership of domain admins. The domain admins group has the right 'manage auditing and security logs' granted.
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Policelli
Sent: 20 May 2005 16:28
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Access denied connecting to remote Event Logs

One other thing you may want to look at is whether the account you are using has Manage auditing and security log (SeSecurityPrivilege) on the Default DC Policy.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Policelli
Sent: Friday, May 20, 2005 11:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Access denied connecting to remote Event Logs

This is a new feature of Windows Server 2003. MS was smart enough to prevent regular users from viewing the Application and System log. With Windows 2000, authenticated users can read the Application log and System log on a domain controller. Having said this, users require a specific right to access the Security log on a domain controller.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, May 20, 2005 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Access denied connecting to remote Event Logs

I have 2 DCs in a [test] domain - one w2k sp3, the other w2k3 sp0. The domain is w2k native. I am logged on to both DCs using an account which is a member of domain admins. If I connect to the event viewer on the w2k DC from the w2k3 DC, no problem. If I connect to the event viewer on the w2k3 DC from the w2k DC, I receive 'access denied'. Domain Admins have the right to "logon locally", "manage auditing and sec logs" and "access this computer from the network" (all set via GPO). Which setting / policy should I check or change to fix this issue?
Thanks in advance,
neil
RE: [ActiveDir] Access denied connecting to remote Event Logs
John,

To re-iterate, I am using an account with membership of domain admins. The domain admins group has the right 'manage auditing and security logs' granted.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Policelli
Sent: 20 May 2005 16:28
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] "Access denied" connecting to remote Event Logs

One other thing you may want to look at is whether the account you are using has "Manage auditing and security log" (SeSecurityPrivilege) on the Default DC Policy.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Policelli
Sent: Friday, May 20, 2005 11:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] "Access denied" connecting to remote Event Logs

This is a new feature of Windows Server 2003. MS was smart enough to prevent regular users from viewing the Application and System log. With Windows 2000, authenticated users can read the Application log and System log on a domain controller. Having said this, users require a specific right to access the Security log on a domain controller.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, May 20, 2005 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] "Access denied" connecting to remote Event Logs

I have 2 DCs in a [test] domain - one w2k sp3, the other w2k3 sp0. The domain is w2k native. I am logged on to both DCs using an account which is a member of domain admins. If I connect to the event viewer on the w2k DC from the w2k3 DC, no problem. If I connect to the event viewer on the w2k3 DC from the w2k DC, I receive 'access denied'. Domain Admins have the right to "logon locally", "manage auditing and sec logs" and "access this computer from the network" (all set via GPO). Which setting / policy should I check or change to fix this issue?

Thanks in advance,
neil
RE: [ActiveDir] Access denied connecting to remote Event Logs
Bob,

I can indeed access the logs on the w2k3 DC from its own console. The account used is *not* a member of Guests. Where is the explicit deny set and how is this visible/changed? Guests and Domain Guests have default members [this is a test lab].

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: 20 May 2005 18:08
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] "Access denied" connecting to remote Event Logs

You don't mention if you can view the logs on the 2003 box from its own console but absent that info, I'll take a stab at it anyway. Check that the account isn't a member of Guests; there is an explicit deny in 2003 for Guests. At the risk of incurring joe's wrath, whoami /groups works nicely as a starting point :-) This problem could also be caused by an administrator adding a group containing a broad category of users (such as the Everyone, INTERACTIVE, or Authenticated Users group) to the Guests group.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, May 20, 2005 7:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] "Access denied" connecting to remote Event Logs

I have 2 DCs in a [test] domain - one w2k sp3, the other w2k3 sp0. The domain is w2k native. I am logged on to both DCs using an account which is a member of domain admins. If I connect to the event viewer on the w2k DC from the w2k3 DC, no problem. If I connect to the event viewer on the w2k3 DC from the w2k DC, I receive 'access denied'. Domain Admins have the right to "logon locally", "manage auditing and sec logs" and "access this computer from the network" (all set via GPO). Which setting / policy should I check or change to fix this issue?

Thanks in advance,
neil
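Bob's point about the explicit deny is easiest to see by evaluating the event log's security descriptor the way Windows does. The following is an added example, not code from the thread: a small evaluator for the SDDL string that Windows Server 2003 stores per log under HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<log>\CustomSD. The SDDL string, the Domain Admins SID and the tokens below are constructed for illustration (the string is modelled on, and abbreviated from, the 2003 Application log default); read the real value from the registry before relying on it. It shows that a Deny ACE for Guests wins over the Allow an admin gets through BUILTIN\Administrators, and that an ordinary user who can read the log at the console (INTERACTIVE) gets nothing over the network.

```python
"""Added example, not code from the thread: evaluate a Windows Server 2003
event-log CustomSD (SDDL) string to show why an explicit Deny ACE for Guests
beats an Allow obtained via Administrators membership.  SDDL string, SIDs
and tokens are constructed for illustration."""
import re

# Event-log access rights: 0x1 read, 0x2 write, 0x4 clear.
ELF_READ, ELF_WRITE, ELF_CLEAR = 0x1, 0x2, 0x4

# SDDL two-letter SID aliases used in the example string.
SID_ALIASES = {
    "AN": "S-1-5-7",       # ANONYMOUS LOGON
    "BG": "S-1-5-32-546",  # BUILTIN\Guests
    "SY": "S-1-5-18",      # LocalSystem
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
    "SO": "S-1-5-32-549",  # BUILTIN\Server Operators
    "IU": "S-1-5-4",       # INTERACTIVE
    "SU": "S-1-5-6",       # SERVICE
    "NU": "S-1-5-2",       # NETWORK
    "AU": "S-1-5-11",      # Authenticated Users
}

# Constructed, abbreviated stand-in for the 2003 Application log CustomSD:
# two Deny ACEs first, then Allows; nothing for plain network users.
SAMPLE_CUSTOMSD = (
    "O:BAG:SYD:"
    "(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)"
    "(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)"
    "(A;;0x3;;;IU)(A;;0x3;;;SU)"
)

# ace_type;flags;rights;object_guid;inherit_guid;sid -> we need type, rights, sid
_ACE_RE = re.compile(r"\((A|D);[^;]*;(0x[0-9a-fA-F]+);;;([^)]+)\)")


def parse_dacl(sddl):
    """Return the DACL as an ordered list of (type, mask, sid).
    Assumption: hex rights masks and plain/aliased SIDs only, which is the
    form the event-log descriptors use."""
    dacl = sddl.split("D:", 1)[1]
    return [(ace_type, int(mask, 16), SID_ALIASES.get(trustee, trustee))
            for ace_type, mask, trustee in _ACE_RE.findall(dacl)]


def access_check(aces, token_sids, desired):
    """Walk the DACL in order, as the kernel does: a matching Deny ACE that
    covers any still-ungranted desired bit rejects; Allow ACEs accumulate
    bits; success once every desired bit has been granted."""
    granted = 0
    for ace_type, mask, sid in aces:
        if sid not in token_sids:
            continue
        if ace_type == "D" and mask & desired & ~granted:
            return False
        if ace_type == "A":
            granted |= mask & desired
            if granted == desired:
                return True
    return granted == desired


def can_read_log(token_sids, sddl=SAMPLE_CUSTOMSD):
    """True if a token holding these SIDs may read the log described by sddl."""
    return access_check(parse_dacl(sddl), set(token_sids), ELF_READ)


# Constructed tokens.  The Domain Admins SID is made up; Domain Admins is
# nested in BUILTIN\Administrators, so an admin's token also carries BA.
DOMAIN_ADMINS = "S-1-5-21-1000-2000-3000-512"
REMOTE_ADMIN = {DOMAIN_ADMINS, "S-1-5-32-544", "S-1-5-11", "S-1-5-2"}
REMOTE_ADMIN_IN_GUESTS = REMOTE_ADMIN | {"S-1-5-32-546"}
REMOTE_USER = {"S-1-5-11", "S-1-5-2"}
CONSOLE_USER = {"S-1-5-11", "S-1-5-4"}

if __name__ == "__main__":
    for name, token in [("remote admin", REMOTE_ADMIN),
                        ("remote admin also in Guests", REMOTE_ADMIN_IN_GUESTS),
                        ("remote ordinary user", REMOTE_USER),
                        ("console ordinary user", CONSOLE_USER)]:
        print(f"{name:30} read allowed: {can_read_log(token)}")
```

The Deny ACEs sit at the front of the DACL, so the order in which the token's groups are listed is irrelevant: if any SID in the token matches a Deny ACE before an Allow has covered the requested bit, the check fails, which is exactly why `whoami /groups` is the right first step.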
RE: [ActiveDir] GLOBAL CATALOG- WITH 2 DOMAINS
Are these domains part of the same forest? If so, then a trust *will* exist and a level of interop will be available. Are you able to provide further detail?

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mohammed_Tantawi
Sent: 23 May 2005 04:21
To: Active-Directory-List
Subject: [ActiveDir] GLOBAL CATALOG- WITH 2 DOMAINS

Dear All,

I have one question here: if I have 2 domains, one is (mailserver.com) and the second is (webloc.com), installed on 2 different servers. Both servers are in the same network ID. I mean the domain controller which is under (mailserver) has this IP address (192.168.1.1/24) and the second domain controller is (192.168.1.5/24). If I did not make the trust relationship, I found that I can see and access the other PC on the other domain, so I want to know why we should have a trust relationship, while here in my situation I can see that I can access the server. Can anyone inform me whether any problem has been done, or what is happening here?
[ActiveDir] Access denied connecting to remote Event Logs
I have 2 DCs in a [test] domain - one w2k sp3, the other w2k3 sp0. The domain is w2k native. I am logged on to both DCs using an account which is a member of domain admins. If I connect to the event viewer on the w2k DC from the w2k3 DC, no problem. If I connect to the event viewer on the w2k3 DC from the w2k DC, I receive 'access denied'. Domain Admins have the right to "logon locally", "manage auditing and sec logs" and "access this computer from the network" (all set via GPO). Which setting / policy should I check or change to fix this issue?

Thanks in advance,
neil
RE: [ActiveDir] AD DR - replication lag site
That solution is fine until the machine is rebooted and netlogon starts again :) Why not change the DNS SRV record priorities/weights? Or alternatively, place the DC in a separate site, which consists of just 1 subnet (i.e. the subnet where the DC itself lives). If DNS records are removed, then the DC will fail to authenticate and replicate with other DCs.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: 18 May 2005 23:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

I have several large clients who are going this direction and are in testing right now. Things look quite good. I had read somewhere that an alternative approach to preventing authentication to the 'lag' DCs was to stop the Netlogon service. The approach of removing DNS records seems more elegant, and I'll be interested to hear ppls thoughts on these alternatives.

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Wednesday, May 18, 2005 6:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DR - replication lag site

I am interested in your thoughts regarding this suggestion for DR: http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1086805,00.html (You may need to register). Basically it states that you should create another AD site and set the replication for 168 hours.

Thank you,
...D
RE: [ActiveDir] AD DR - replication lag site
If the deletion occurs on DC1, then a DC (DC2) in the lag site will not receive the deletion immediately. You therefore have a window of opportunity in which the deletion may be 'undone'. The deleted object may be auth restored on DC2 and thus replicated / reanimated on DC1 (and any other DC which has received the deletion). [My terminology may not be acceptable to some - I have deliberately explained this in simplistic terms :)]

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 19 May 2005 08:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Hello,

I must apologize, but I'm a little bit confused. You said "With a lag site, you ONLY have to do an authoritative restore (NTDSUTIL)". Do you mean if I delete my OU on a DC in site A, all I have to do is an authoritative restore, not on site A, BUT on the DC on the lag site, reboot, and force replication to site A? And the non-authoritative restore will in fact be the data on the lag site, which explains your previous sentence? Wow! That's very clever!! Am I right?

Regards,
Yann

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Thursday, 19 May 2005 08:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

The major issue is the SPEED of recovery. With a lag site, you ONLY have to do an authoritative restore (NTDSUTIL). Without a lag site, you must first restore the AD from backup tape ('normal' restore), which can take quite some time. Then, and only then, can you do the auth restore.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, May 18, 2005 11:46 PM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Hello,

Thanks for this interesting tip, but I didn't really understand the technology behind a lag site in the case of just a deletion of an entire OU with many objects. For example, if I have an AD 2003 domain with 2 sites: Site A has 2 DCs, Site B has one DC and is the lag site. Between the 2 sites, I scheduled replication to occur every 1 week. In the situation of an OU deletion, I go to the DC on which I made the deletion, do an authoritative restore in DS restore mode and, after reboot, wait for replication to take place in order to repopulate my whole domain with my restored OU. So how will the lag site help me in this situation? I can understand that a lag site will help me if all my DCs in site A crashed. I would then take all the information from the lag site to be restored in site A, such as copying my domain from the lag site by doing a dcpromo /adv, and go to my freshly installed DCs on site A and restore my whole domain. However, I think I would have more up-to-date information by restoring from my yesterday backup than from the lag site... So, could you help me better understand the technology behind a lag site? I think I misunderstand something important ;-(

Thank you for your feedback. Have a nice day :-)

Regards,
Yann
RE: [ActiveDir] AD alerting tools
3rd party apps such as NetIQ Security Monitor can achieve this. [The usual caveats apply - without knowing your full requirements, I cannot suggest the 'ideal' product etc etc]

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: 19 May 2005 16:18
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD alerting tools

Does anyone know of any good tools that will notify me if a new AD account is Created/Deleted? I have a lot of remote DCs and admins and I want to be notified when they add or delete an account. I have auditing setup on their account and I run Eventcomb daily for 630 events but I'm looking for a tool that will send me notifications.

Thanks in advance
Mike
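Mike is already collecting the right events (624 for user account created, 630 for user account deleted on Windows 2000/2003); what is missing is the step from a daily EventComb dump to a notification. The following is an added example, not a tool from the thread or a product: a detection pass over security-log records that turns each 624/630 hit into an alert record and escalates any hit whose caller is not on an approved-admin list. The dump format (tab-separated: time, computer, event id, message), the sample lines and the admin list are constructed for illustration; the message text follows the 2000/2003 wording ("New Account Name" for 624, "Target Account Name" for 630, "Caller User Name"/"Caller Domain" for the actor). Delivery (SMTP, pager) is left to `format_alert`'s caller.

```python
"""Added example, not a tool from the thread: detection over Windows
2000/2003 security-log records for user-account creation (624) and
deletion (630).  Dump format, sample lines and admin list are constructed."""
import re
from collections import namedtuple

WATCHED = {624: "user account created", 630: "user account deleted"}
APPROVED_ADMINS = {"CORP\\neil", "CORP\\svc-provision"}   # constructed

Event = namedtuple("Event", "time dc event_id target caller")

_TARGET = re.compile(r"(?:New|Target) Account Name:\s*(\S+)")
_CALLER = re.compile(r"Caller User Name:\s*(\S+)")
_CDOMAIN = re.compile(r"Caller Domain:\s*(\S+)")


def parse_line(line):
    """Parse one dump line (time, computer, id, message separated by tabs);
    return an Event for 624/630, None for anything else or malformed input."""
    try:
        time, dc, eid, msg = line.rstrip("\n").split("\t", 3)
        eid = int(eid)
    except ValueError:          # wrong field count or non-numeric id
        return None
    if eid not in WATCHED:
        return None
    target = _TARGET.search(msg)
    user = _CALLER.search(msg)
    dom = _CDOMAIN.search(msg)
    caller = "?"
    if user:
        caller = f"{dom.group(1)}\\{user.group(1)}" if dom else user.group(1)
    return Event(time, dc, eid, target.group(1) if target else "?", caller)


def build_alerts(lines, approved=APPROVED_ADMINS):
    """Turn dump lines into alert dicts; callers outside `approved` are WARN."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        alerts.append({
            "severity": "INFO" if ev.caller in approved else "WARN",
            "time": ev.time,
            "dc": ev.dc,
            "action": WATCHED[ev.event_id],
            "target": ev.target,
            "caller": ev.caller,
        })
    return alerts


def format_alert(a):
    """One-line text suitable for an e-mail or pager body."""
    return (f"[{a['severity']}] {a['time']} {a['dc']}: {a['action']} "
            f"'{a['target']}' by {a['caller']}")


# Constructed sample dump.  Tabs separate the four fields.
SAMPLE_LINES = [
    "2005-05-19 09:12:01\tDC-LON-01\t624\tUser Account Created: "
    "New Account Name: jsmith New Domain: CORP ... Caller User Name: neil "
    "Caller Domain: CORP Caller Logon ID: (0x0,0x3E7)",
    "2005-05-19 09:15:44\tDC-LON-01\t528\tSuccessful Logon: User Name: jsmith ...",
    "2005-05-19 11:02:17\tDC-NYC-02\t630\tUser Account Deleted: "
    "Target Account Name: backupadmin Target Domain: CORP ... "
    "Caller User Name: rtemp Caller Domain: CORP",
    "garbage line without tabs",
]

if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_LINES):
        print(format_alert(alert))
```

Run against a real export, the only things to adjust are the field splitting in `parse_line` and the approved list; the regexes match the 2000/2003 message text as logged, so the same pass works for dumps gathered from many remote DCs.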
RE: [ActiveDir] AD DR - replication lag site
I guess I find my solution more elegant and cheaper to manage/maintain. I try to avoid implementing changes to one DC but not others. The TCO tends to go thru the roof :) DCs placed in a separate site and/or configured with different SRV weightings via GPO can/does work and is simpler to manage IMHO. Additional DCs can then be added to that site (from other domains for example) with minimal effort and changes to docs/processes etc.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: 19 May 2005 15:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Just two things...

Disable Netlogon. If it's disabled as a policy or by going to services and changing the service properties, restarting on reboot won't be an issue. Disabled is disabled, regardless.

As to DNS records, I suppose that if the Netlogon service is disabled (primary for registering the SRV records) one could remove the _kerberos records for the lag site servers. I can pretty much assure that without Kerberos records, the DCs will not be offered up as authN points.

-rtk

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, May 19, 2005 2:46 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD DR - replication lag site

That solution is fine until the machine is rebooted and netlogon starts again :) Why not change the DNS SRV record priorities/weights? Or alternatively, place the DC in a separate site, which consists of just 1 subnet (i.e. the subnet where the DC itself lives). If DNS records are removed, then the DC will fail to authenticate and replicate with other DCs.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: 18 May 2005 23:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

I have several large clients who are going this direction and are in testing right now. Things look quite good. I had read somewhere that an alternative approach to preventing authentication to the 'lag' DCs was to stop the Netlogon service. The approach of removing DNS records seems more elegant, and I'll be interested to hear ppls thoughts on these alternatives.

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Wednesday, May 18, 2005 6:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DR - replication lag site

I am interested in your thoughts regarding this suggestion for DR: http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1086805,00.html (You may need to register). Basically it states that you should create another AD site and set the replication for 168 hours.

Thank you,
...D
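Neil's two options (SRV priority/weight, or a dedicated site containing only the lag DC's subnet) both work through the DC locator's DNS lookups, and the cross-forest thread later on this page describes the same mechanism from the client side: a site-specific SRV query first, then a site-less one. The following is an added example, not code from the thread: a simulation that builds those query names, resolves them against a constructed zone, and picks a target the way RFC 2782 prescribes (lowest priority first, weighted random within a priority). The domain, site names and zone contents are made up; on a real DC the per-DC values are the LdapSrvPriority and LdapSrvWeight Netlogon parameters (also exposed as Group Policy settings), and the site assignment comes from the site/subnet objects.

```python
"""Added example, not from the thread: DC-locator DNS name construction
(site-specific, then site-less fallback) plus RFC 2782 SRV selection, used
to show why a lag-site DC with a high priority, or in a site of its own,
is never handed to clients elsewhere.  Domain, sites and zone are made up."""
import random
from collections import Counter

DOMAIN = "corp.example"   # constructed

# Constructed zone: SRV name -> [(priority, weight, port, target), ...]
ZONE = {
    f"_ldap._tcp.London._sites.dc._msdcs.{DOMAIN}": [
        (0, 100, 389, f"dc1.{DOMAIN}"),
        (0, 100, 389, f"dc2.{DOMAIN}"),
    ],
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": [
        (0, 100, 389, f"dc1.{DOMAIN}"),
        (0, 100, 389, f"dc2.{DOMAIN}"),
        (100, 0, 389, f"lagdc.{DOMAIN}"),   # lag-site DC, deprioritised
    ],
}


def locator_names(domain, site=None):
    """Names the locator queries, in order: site-specific, then site-less."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def resolve(domain, site=None, zone=ZONE):
    """Return (name that answered, records).  A client whose site is not
    known in the target domain falls through to the site-less name."""
    for name in locator_names(domain, site):
        if zone.get(name):
            return name, list(zone[name])
    return None, []


def select_srv(records, rng=random):
    """RFC 2782 target selection over one RRset: only the lowest priority
    is considered; within it, weight-0 records go first and a random value
    in [0, total weight] picks the first record whose running sum reaches it."""
    if not records:
        return None
    lowest = min(r[0] for r in records)
    pool = [r for r in records if r[0] == lowest]
    pool.sort(key=lambda r: r[1] != 0)        # weight-0 entries first
    total = sum(r[1] for r in pool)
    pick = rng.randint(0, total)
    running = 0
    for rec in pool:
        running += rec[1]
        if running >= pick:
            return rec
    return pool[-1]


def pick_dc(domain, site=None, rng=random, zone=ZONE):
    """(SRV name used, chosen DC host) for a client in `site`."""
    name, records = resolve(domain, site, zone)
    rec = select_srv(records, rng)
    return name, (rec[3] if rec else None)


def tally(domain, site=None, trials=1000, seed=1, zone=ZONE):
    """How often each DC is chosen for a client in `site` over `trials` runs."""
    rng = random.Random(seed)
    return Counter(pick_dc(domain, site, rng, zone)[1] for _ in range(trials))


if __name__ == "__main__":
    print("London client :", tally(DOMAIN, "London"))
    print("Paris client  :", tally(DOMAIN, "Paris"))   # unknown site -> fallback
    # Putting the lag DC back at priority 0 (weight 0) makes it eligible again,
    # if only rarely: weight 0 is chosen only when the random pick is 0.
    zone2 = {k: [(0, w, p, t) if t.startswith("lagdc") else (pr, w, p, t)
                 for pr, w, p, t in v] for k, v in ZONE.items()}
    print("Paris, lag DC at priority 0:", tally(DOMAIN, "Paris", zone=zone2))
```

Two consequences worth noting. A client in a site that only exists in the lag DC's own subnet never receives the lag DC from the site-specific name, and clients from unknown sites fall back to the site-less name, where priority keeps the lag DC out as long as at least one priority-0 DC answers; deleting the records instead, as Neil says, also stops the lag DC from finding partners for replication and authentication.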
RE: [ActiveDir] OT:DNS SRV resource Kit
I think I may have misled you all - sorry. Upon re-reading my thread, I realised this was (obviously!) not possible using my steps. Take a look at the link here http://www.tek-tips.com/viewthread.cfm?qid=1020879page=1 This explains how a special HTTP re-direct service is used to re-direct HTTP traffic to another server/port.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 14 May 2005 00:08
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:DNS SRV resource Kit

Neil, I'm not sure I follow you here. Are you saying people use DNS to do port redirection for requested records? As in, I go and create an alias called ww2 in a domain called xcompany.com and I am able to specify the port and get DNS to inspect a request for ww2.xcompany.com:portABC and redirect the client to the appropriate A record? Am I just reading you upside-down?

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Ruston, Neil
Sent: Fri 5/13/2005 8:44 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] OT:DNS SRV resource Kit

Why not simply add an alias for www.xcompany.com and include the port number, e.g.

host: www.xcompany.com
alias: ww2.xcompany.com:456
http://www.xcompany.com:456

This is how some ppl have configured DNS and web servers to work correctly when ISPs block port 80.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: 13 May 2005 09:40
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT:DNS SRV resource Kit

Hi All

Does anyone know whether IE supports SRV resource records in DNS? I'd like to create a DNS entry that includes the port number of the website on one of my internap IIS boxes. I know I can do this with host headers within IIS but I was wondering whether I could do it so that www.xcompany.com would be redirected to http://server/website:456 for example.

Thanks in advance
Peter Johnson

==
This message is for the sole use of the intended recipient. If you received this message in error please delete it and notify us. If this message was misdirected, CSFB does not waive any confidentiality or privilege. CSFB retains and monitors electronic communications sent through its network. Instructions transmitted over this system are not binding on CSFB until they are confirmed by us. Message transmission is not guaranteed to be secure.
==
RE: [ActiveDir] Secure DHCP
MS has an offering named Quarantine Control which can be used to control RAS clients but this (today) does not apply to non-remote clients. The following article implies that plans are in motion to extend this model to include non-remote clients although you'll need to wait for Longhorn server :( http://www.windowsitpro.com/Windows/Article/ArticleID/44129/44129.html

Cisco offers a hardware based solution http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html (not an endorsement)

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: 16 May 2005 15:00
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure DHCP

I am wondering if there is any way to secure DHCP from assigning leases to PCs that are not authorized on the domain. I imagine that this is not possible since, in order to authenticate, a PC needs an IP address. The problem is that the other day we had a rogue PC plug into our network and, though probably coincidental, our browse list was messed up afterwards. So I have been tasked with finding out if there is a way to prevent unauthorized PCs from obtaining IP leases on our network (other than disabling all jacks not in use, which is what we will be doing). If not, does anyone have any suggestions on how to prevent the above situation in the future?

_
Daniel DeStefano
PC Support Specialist
IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262 F. 212.871.5300
www.iagr.net
Measuring Ad Effectiveness on Television

The information contained in this communication is confidential, may be privileged and is intended for the exclusive use of the above named addressee(s). If you are not the intended recipient(s), you are expressly prohibited from copying, distributing, disseminating, or in any other way using any of the information contained within this communication. If you have received this communication in error, please contact the sender by telephone 212.871.5262 or by response via e-mail.
[ActiveDir] [OT] Exchange ADC event ID 8294
Whilst testing an upgrade of a lab based test ADC connector from ver 2k to ver 2k3, I encountered the following error when testing a connection agreement (post upgrade).

Source: MSADC; Event ID: 8294
The homeMDB attribute is not present on the import object CN=ADCtest\, testsnyc,OU=TESTGENG,DC=,DC=,DC=. This can happen when ADC does not have permissions to see all links. Please ensure that the ADC has Read permissions to all of the source directory, including the Microsoft Exchange Configuration Container. (Connection Agreement ' - 1-Way AD Secondary' #1984)

Searches reveal that others have suffered from this issue too, but never received a response to their posts. The ADC and its CAs were functioning pre-upgrade so permissions are unlikely to be at fault. Has anyone encountered this issue or have any ideas what this implies and how it may be addressed?

Thanks,
neil
RE: [ActiveDir] OT:DNS SRV resource Kit
Why not simply add an alias for www.xcompany.com and include the port number, e.g.

host: www.xcompany.com
alias: ww2.xcompany.com:456

This is how some ppl have configured DNS and web servers to work correctly when ISPs block port 80.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: 13 May 2005 09:40
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT:DNS SRV resource Kit

Hi All

Does anyone know whether IE supports SRV resource records in DNS? I'd like to create a DNS entry that includes the port number of the website on one of my internap IIS boxes. I know I can do this with host headers within IIS but I was wondering whether I could do it so that www.xcompany.com would be redirected to http://server/website:456 for example.

Thanks in advance
Peter Johnson
RE: [ActiveDir] Cross forest trusts and site subnet syncing
Thanks Dean. It was my understanding that the DCs in the root domain of each forest performed the DNS lookup, not the client. I guess this is academic but that was why I asked about the stickiness of the DNS response and whether the DCs formed a secure channel or not. I guess this is moot given your response.

Thanks again,
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 10 May 2005 19:10
To: Send - AD mailing list
Subject: RE: [ActiveDir] Cross forest trusts and site subnet syncing

I was just told that my response is missing a conclusion, so it is ... ooops, sorry 'bout that. The bulky paragraph should read -

To answer your question, syncing the site and subnet objects (merging or 'joining' them is a better use of terminology to describe the desired end result) is required such that when the client chases the TGS referral and attempts to resolve a DC in the opposing forest by utilizing the well-known DNS query-prefixes which are then suffixed with its cached (registry) site plus the target forest/domain name (i.e. - _ldap._tcp.site_name._sites.dc._msdcs.forest/domain suffix), if the site in which the client exists does not exist in the target forest, the client will re-submit a non-site specific DNS query and rely upon DNS' local subnet priority alone to provide a suitably local DC. By merging or joining the site and subnet objects of the two distinct forests, the client's cached site is now viable in the target forest. The site names need to be identical such that a particular subnet object meets AD's requirements, i.e. - it exists in only one site.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, May 10, 2005 12:41 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Cross forest trusts and site subnet syncing

I have a little more info. than the whitepaper that was linked below provides but it's, quite honestly, redundant detail. To answer your question, syncing the site and subnet objects (merging or 'joining' them is a better use of terminology to describe the desired end result) is required such that when the client chases the TGS referral and attempts to resolve a DC in the opposing forest utilizing the well-known DNS query prefixes which are then suffixed with its cached (registry) site plus the target forest/domain name (i.e. - _ldap._tcp.site_name._sites.dc._msdcs.forest/domain suffix), if the site in which the client exists does not exist in the target forest, the client will re-submit a non-site specific query and now we're relying on DNS' local subnet priority alone to provide a suitably local DC.

... and no, AFAIK, the DCs make no effort to cache anything specific to a X-forest trust, though, to be honest, I'm not sure I understand what you're asking there :(

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Tuesday, May 10, 2005 3:31 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Cross forest trusts and site subnet syncing

I've read that paper but am sure I saw far more detail pre RTM than I have found post RTM. If Mr. Wells is 'listening', I suspect he may be able to shed further light :)

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 09 May 2005 18:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross forest trusts and site subnet syncing

Were you referring to already seeing this document?
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/mtfstwp.mspx

Cross-Forest Logon Process

When a user from Forest A logs on to a computer in Forest B, the logon process requires location of a domain controller from the user's domain in Forest A. If the site of the computer from Forest B is not specified in Active Directory in Forest A, the computer might locate any (rather than the closest) domain controller from the user's domain in Forest A. If the connection to the domain controller is made over a WAN, then this logon process adds traffic to the WAN (the amount of traffic depends on the number of Group Policies and logon scripts, as well as the size of the roaming profile). This connection generates traffic during logon as well as logoff and usually ranges from 100 kilobytes (KB) to a few hundred KB. Depending on the WAN bandwidth that is available for logon traffic, logon duration over the WAN might be increased. If these
RE: [ActiveDir] All
If you were to place the correct accent over the last e in resume then all ambiguity would be removed. Of course, one could simply stick with CV which has no ambiguity to begin with :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 09 May 2005 18:42
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] All

I like that. You don't have to have an understanding of the context of the sentence to pronounce it properly.

I would like to see your resume.
I would like to see you resume.

Granted that second sentence seems to be missing what should be resumed. But it could be assumed which means you have to understand the context of the overall section being read and not just the sentence.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, May 09, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] All

Al-
C.V. == Curriculum Vitae. Used more often in Europe to refer to the resume than in the States.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 09, 2005 7:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] All

Accenture? Compucom? CSC? I don't think MS would rank that high in the consulting arena.

What's a Cv? Pardon my ignorance, but that has me puzzled. I mean, before Tony comes back online I'd like to know. :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 09, 2005 12:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] All

Unless you got clearance from Tony to post this prepare to be thumped.

As an aside, who are the largest 5 IT specific companies now? IBM, HP, Dell??, MS, Lockheed, Unisys, ??

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Cooper
Sent: Monday, May 09, 2005 11:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] All
Importance: High

Dear All,

I am currently conducting a search for one of the top 5 largest IT companies in the world. They are looking for a number of Architects of varying levels from Junior to Guru level. You will gain exposure to the world's largest programmes and Technical environments. You should have excellent MS Environment experience, in particular Active Directory. The client has numerous regional offices across the UK so location is not a problem. Salaries range from £40k to £105k base salary with up to 40% bonuses.

Please email your Cv or contact me if of interest.

Simon Cooper
IT Connect UK Ltd
5 Hampton Hill Business Park, High Street, Hampton Hill, Middlesex, TW12 1NP
Tel Number +44 208 973 33 33
Fax Number +44 208 973 32 00
Mobile +44 7952 672 739
Email: [EMAIL PROTECTED]
http://www.itconnect.co.uk

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

==
This message is for the sole use of the intended recipient. If you received this message in error please delete it and notify us. If this message was misdirected, CSFB does not waive any confidentiality or privilege. CSFB retains and monitors electronic communications sent through its network. Instructions transmitted over this system are not binding on CSFB until they are confirmed by us. Message transmission is not guaranteed to be secure.
==
RE: [ActiveDir] Cross forest trusts and site subnet syncing
I've read that paper but am sure I saw far more detail pre RTM than I have found post RTM. If Mr. Wells is 'listening', I suspect he may be able to shed further light :)

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 09 May 2005 18:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross forest trusts and site subnet syncing

Were you referring to already seeing this document?
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/mtfstwp.mspx

Cross-Forest Logon Process

When a user from Forest A logs on to a computer in Forest B, the logon process requires location of a domain controller from the user's domain in Forest A. If the site of the computer from Forest B is not specified in Active Directory in Forest A, the computer might locate any (rather than the closest) domain controller from the user's domain in Forest A. If the connection to the domain controller is made over a WAN, then this logon process adds traffic to the WAN (the amount of traffic depends on the number of Group Policies and logon scripts, as well as the size of the roaming profile). This connection generates traffic during logon as well as logoff and usually ranges from 100 kilobytes (KB) to a few hundred KB. Depending on the WAN bandwidth that is available for logon traffic, logon duration over the WAN might be increased. If these drawbacks are acceptable, especially if you anticipate that most users will be logging on to computers in their own forest, then site and subnet information might not be important enough to warrant synchronizing the data between forests.

Cross-Forest File Download

When a user who is logged on to a computer that is joined to Forest B requests a file that is hosted by multiple DFS servers, the nearest one being a server that is joined to Forest A, the DFS server that is contacted for the download depends on whether site and subnet information for Forest A is available in Forest B. If the site of this DFS server is not specified in Forest B, then the file might be downloaded from an arbitrary (potentially remote) DFS server. If the site of the DFS server is available in Forest B, the server in Forest A can be located.

Note: DFS enhancements in Windows Server 2003 ensure that files are downloaded from the next closest DFS server that hosts the desired file and is joined to Forest B.

Downloading a file from a remote DFS server increases network traffic over a WAN (the amount of traffic is determined by the size of the file to be downloaded) and potentially increases the download time (the delay depends on bandwidth available to download the file). If these drawbacks are acceptable, especially if you anticipate that users download files only from the DFS servers in their own forest, then synchronizing site and subnet information might not be important.

Cross-Forest Authentication

When a user needs to authenticate to a resource in a different forest, the user's computer or domain controller (depending on the authentication mechanism that is used) must contact a domain controller in the domain of the resource. Domain controller location is optimized by the closest site across forests only when identical site and subnet information is configured in Active Directory in both forests. However, if the traffic that is generated by authentication of the user does not cause significant delay, then it is not critical that a local domain controller be contacted.

Solution

The initial solution for mirroring site and subnet information is to create the same site and subnet objects in all forests. After these objects have been created, two methods can be used to ensure that site and subnet information is maintained identically in both forests:

* Use a directory data synchronization product (for example, Microsoft Identity Integration Server 2003) to synchronize the data when site and subnet information changes in one forest. This approach is characterized by a high level of automation and requires practically no administrator involvement after Microsoft Identity Integration Server 2003 configuration is in place. However, this approach is not acceptable in scenarios where service isolation is required (the service administrators in the destination forest do not trust the service administrators from the source forest).

* Establish a business process by which network administrators inform service administrators in each forest when site and subnet information changes, and the service administrators then update the information in
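The DC-locator behaviour Dean Wells describes in the later reply (site-specific SRV name first, non-site-specific fall-back when the client's cached site is unknown in the target forest) and the whitepaper's "any rather than the closest DC" consequence, as a small model. This is an added example, not code from the thread or the whitepaper: the two forest names, the SRV data and the host names are constructed, and nothing here talks to a real resolver.

```python
"""Model of the cross-forest DC-locator DNS lookup with site fall-back.
Added example; SAMPLE_ZONES is constructed data for two hypothetical
forests (corp.example and partner.example), not real DNS."""

from typing import Dict, List, Set, Tuple

SrvRR = Tuple[int, int, int, str]  # priority, weight, port, target

# Constructed SRV data.  partner.example knows a site "London" but not "Paris":
# that is exactly the site-name mismatch the thread is about.
SAMPLE_ZONES: Dict[str, List[SrvRR]] = {
    "_ldap._tcp.paris._sites.dc._msdcs.corp.example":
        [(0, 100, 389, "dc-par1.corp.example")],
    "_ldap._tcp.dc._msdcs.corp.example":
        [(0, 100, 389, "dc-par1.corp.example"), (0, 100, 389, "dc-nyc1.corp.example")],
    "_ldap._tcp.london._sites.dc._msdcs.partner.example":
        [(0, 100, 389, "dc-lon1.partner.example")],
    "_ldap._tcp.dc._msdcs.partner.example":
        [(0, 100, 389, "dc-lon1.partner.example"), (0, 100, 389, "dc-syd1.partner.example")],
}


def site_specific_name(site: str, domain: str, service: str = "_ldap") -> str:
    """Well-known prefix, suffixed with the client's cached site and the target domain."""
    return f"{service}._tcp.{site.lower()}._sites.dc._msdcs.{domain.lower()}"


def domain_wide_name(domain: str, service: str = "_ldap") -> str:
    """The non-site-specific name the client re-submits when the site lookup is empty."""
    return f"{service}._tcp.dc._msdcs.{domain.lower()}"


def locate_dc(cached_site: str, target_domain: str,
              zones: Dict[str, List[SrvRR]] = SAMPLE_ZONES) -> Tuple[str, List[str]]:
    """Return ("site", targets) if the site-specific record exists in the target
    domain, otherwise ("domain", targets) from the fall-back record.  In the
    fall-back case only DNS subnet prioritisation decides which DC the client
    ends up talking to, so the answer may well be a remote one."""
    rrs = zones.get(site_specific_name(cached_site, target_domain))
    if rrs:
        return "site", [target for (_, _, _, target) in rrs]
    rrs = zones.get(domain_wide_name(target_domain), [])
    return "domain", [target for (_, _, _, target) in rrs]


def site_name_gaps(sites_a: Set[str], sites_b: Set[str]) -> List[str]:
    """Site names present in one forest but not the other (case-insensitive).
    Every name listed is a client population that will hit the fall-back path."""
    a = {s.lower() for s in sites_a}
    b = {s.lower() for s in sites_b}
    return sorted(a ^ b)


if __name__ == "__main__":
    for site, domain in [("Paris", "corp.example"), ("Paris", "partner.example"),
                         ("London", "partner.example")]:
        how, targets = locate_dc(site, domain)
        print(f"site={site:<7} domain={domain:<16} via {how:<6} -> {targets}")
    print("unsynced sites:", site_name_gaps({"Paris", "NYC"}, {"London", "Paris"}))
```

Run it and the Paris client is served by its site record in its own forest but falls back to the domain-wide record in partner.example; `site_name_gaps` is the pre-merge check: any name it returns is a site whose clients will fall back until the site and subnet objects are made identical on both sides.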
RE: [ActiveDir] Missing Domain Controllers
Have you checked whether these DCs are configured to *not* advertise themselves in the browse list?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 09 May 2005 15:04
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Missing Domain Controllers

All,

I have a domain with a forest root (AD1) and two child domains (AD2 AD3). When I browse AD1 and AD2, no domain controllers are listed under microsoft windows network\domain name. Yet under AD3 I can see all domain controllers with no issue. I have run all the normal troubleshooting tools and I am at a loss as to what to try next, can anyone please suggest anything?

The environment is a Windows 2003 forest, running in Native mode (D F). The environment was a Windows 2000 forest, which has been upgraded using a swing stock server.

Is there a W2K3 patch for KB832723? Domain Controllers may be missing from the browse list in Windows 2000 ?

Many thanks,
Mark
[ActiveDir] Use of SRV records (_ldap, _kerberos, _kpasswd) (WAS: DNS vs. Hosts File)
1. If memory serves (and it lets me down now and then!), the kpasswd service is only used by non-Windows Kerberos clients. Windows servers register this service in DNS for compatibility (and adherence to standards) rather than because Windows clients actually use/need this service.

2. I believe that KRB5KRB_ERR_RESPONSE_TOO_BIG implies that the response was too big for UDP and that TCP was used therefore. This can be overcome by using TCP for all Kerberos related requests.

hth,
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: 09 May 2005 09:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Use of SRV records (_ldap, _kerberos, _kpasswd) (WAS: DNS vs. Hosts File)

Hi,

A few days ago we were talking about the different service records (_ldap, _kerberos and _kpasswd) and when these are used. Joe did a network trace and posted his findings. I was also curious and I also did a network trace. Here are my findings. (I did not go through the traces thoroughly)

I did three network traces and used the following:

Configuration used:
* Windows 2003 SP0 installed and upgraded to SP1 - DC/DNS
* Windows 2003 SP1 installed - Client
* 1 AD domain
* Network monitor installed on both the client and the DC
* Network monitor used: Packetyzer 4.0.0

TRACES:

(1) Joining a client to an AD domain
-- _ldap SRV RR and _kerberos SRV RR used
-- NetBIOS also used to determine DCs. Don't understand this one!
-- Received "KRB5KRB_ERR_RESPONSE_TOO_BIG" several times. Don't understand this one!

(2) Booting of a client and the logon of a user
-- _ldap SRV RR used. Use of _kerberos SRV RR not detected, but kerberos authentication is used!
-- Received "KRB5KRB_ERR_RESPONSE_TOO_BIG" several times. Don't understand this one!

(3) Password change of a user account
-- Received "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN". The client used the SPN "cifs/172.16.1.11" instead of "cifs/w2k3dc01.w2k3domain.lan". Don't understand why.

As I know _kpasswd service record is for the Kerberos Password Change service, but I have not seen it being used in the trace.

For the specific findings see below.

Cheers,
#JORGE#

PS: If anyone is interested in also receiving the traces mail me offline

(1) findings:

Queries (FROM THE CLIENT TO THE DC) -- 4x
  _ldap._tcp.dc._msdcs.W2K3DOMAIN.LAN: type SRV, class IN
    Name: _ldap._tcp.dc._msdcs.W2K3DOMAIN.LAN
    Type: SRV (Service location)
    Class: IN (0x0001)

Queries (FROM THE CLIENT TO THE DC) -- 8x
  W2K3DOMAIN.LAN<1c>: type NB, class IN
    Name: W2K3DOMAIN.LAN<1c> (Domain Controllers)
    Type: NB
    Class: IN

Queries (FROM THE CLIENT TO THE DC) -- 1x
  _kerberos._tcp.dc._msdcs.W2K3DOMAIN.LAN: type SRV, class IN
    Name: _kerberos._tcp.dc._msdcs.W2K3DOMAIN.LAN
    Type: SRV (Service location)
    Class: IN (0x0001)

Kerberos AS-REQ (User Datagram Protocol, Src Port: 1050 (1050), Dst Port: kerberos (88)) (FROM THE CLIENT TO THE DC)

Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1050 (1050)) (FROM THE DC TO THE CLIENT)
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    stime: 2005-05-07 20:20:00 (Z)
    susec: 665713
    error_code: KRB5KRB_ERR_RESPONSE_TOO_BIG (52)
    Realm: W2K3DOMAIN.LAN
    Server Name (Service and Instance): krbtgt/W2K3DOMAIN.LAN
        Name-type: Service and Instance (2)
        Name: krbtgt
        Name: W2K3DOMAIN.LAN

Kerberos TGS-REQ (User Datagram Protocol, Src Port: 1052 (1052), Dst Port: kerberos (88)) (FROM THE CLIENT TO THE DC)

Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1052 (1052)) (FROM DC TO THE CLIENT)
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    stime: 2005-05-07 20:20:01 (Z)
    susec: 962588
    error_code: KRB5KRB_ERR_RESPONSE_TOO_BIG (52)
    Realm: W2K3DOMAIN.LAN
    Server Name (Service and Instance): cifs/w2k3dc01.w2k3domain.lan
        Name-type: Service and Instance (2)
        Name: cifs
        Name: w2k3dc01.w2k3domain.lan

Kerberos TGS-REQ (User Datagram Protocol, Src Port: 1069 (1069), Dst Port: kerberos (88)) (FROM THE CLIENT TO THE DC)

Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1069 (1069)) (FROM THE DC TO THE CLIENT)
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    stime: 2005-05-07 20:20:08 (Z)
    susec: 259463
    error_code: KRB5KRB_ERR_RESPONSE_TOO_BIG (52)
    Realm: W2K3DOMAIN.LAN
    Server Name (Service and Instance): ldap/w2k3dc01.w2k3domain.lan
        Name-type: Service and Instance (2)
        Name: ldap
        Name: w2k3dc01.w2k3domain.lan

(2) findings:

Queries (FROM THE CLIENT TO THE DC) -- 3x
  W2K3DC01.W2K3DOMAIN.LAN: type A, class IN
    Name: W2K3DC01.W2K3DOMAIN.LAN
    Type: A (Host address)
    Class: IN (0x0001)

Queries (FROM THE CLIENT TO THE DC) -- 1x
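A small parser for trace excerpts shaped like Jorge's findings above, as an added example (not code from the thread): it pulls out the DNS query names the client asked for, the KRB-ERROR codes and the SPNs they refer to, counts which Kerberos requests went over UDP versus TCP (Neil's point about RESPONSE_TOO_BIG), and flags SPNs built from an IP address rather than a host name, which is the shape of the `cifs/172.16.1.11` principal in finding (3). `SAMPLE_TRACE` is constructed to mirror the posted output; the TCP retry line in it is an assumption about what a retried TGS-REQ would look like, not a line from Jorge's trace.

```python
"""Summarise DNS queries and Kerberos errors from a Packetyzer/Wireshark-style
text excerpt.  Added example; SAMPLE_TRACE is constructed (its TCP TGS-REQ
line is assumed, not taken from the posted trace)."""

import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

SAMPLE_TRACE = """\
_ldap._tcp.dc._msdcs.W2K3DOMAIN.LAN: type SRV, class IN
W2K3DOMAIN.LAN<1c>: type NB, class IN
_kerberos._tcp.dc._msdcs.W2K3DOMAIN.LAN: type SRV, class IN
Kerberos AS-REQ (User Datagram Protocol, Src Port: 1050 (1050), Dst Port: kerberos (88))
Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1050 (1050))
    error_code: KRB5KRB_ERR_RESPONSE_TOO_BIG (52)
    Server Name (Service and Instance): krbtgt/W2K3DOMAIN.LAN
Kerberos TGS-REQ (User Datagram Protocol, Src Port: 1052 (1052), Dst Port: kerberos (88))
Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1052 (1052))
    error_code: KRB5KRB_ERR_RESPONSE_TOO_BIG (52)
    Server Name (Service and Instance): cifs/w2k3dc01.w2k3domain.lan
Kerberos TGS-REQ (Transmission Control Protocol, Src Port: 1053 (1053), Dst Port: kerberos (88))
Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1070 (1070))
    error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
    Server Name (Service and Instance): cifs/172.16.1.11
"""

QUERY_RE = re.compile(r"^(\S+): type (SRV|A|NB), class IN\s*$", re.M)
REQ_RE = re.compile(r"^Kerberos (AS-REQ|TGS-REQ) \((User Datagram|Transmission Control) Protocol", re.M)
ERROR_RE = re.compile(r"error_code:\s+(\S+)\s+\((\d+)\)")
SPN_RE = re.compile(r"Server Name \(Service and Instance\):\s+(\S+)")

KrbError = Tuple[str, int, Optional[str]]  # symbolic name, numeric code, server principal


def parse_queries(text: str) -> List[Tuple[str, str]]:
    """(owner name, record type) for every DNS/NetBIOS query line."""
    return QUERY_RE.findall(text)


def request_transports(text: str) -> Counter:
    """How many AS-REQ/TGS-REQ went over UDP vs TCP."""
    transport = {"User Datagram": "UDP", "Transmission Control": "TCP"}
    return Counter((kind, transport[proto]) for kind, proto in REQ_RE.findall(text))


def parse_krb_errors(text: str) -> List[KrbError]:
    """Pair each error_code line with the Server Name line that follows it."""
    errors: List[list] = []
    current: Optional[list] = None
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            current = [m.group(1), int(m.group(2)), None]
            errors.append(current)
            continue
        m = SPN_RE.search(line)
        if m and current is not None:
            current[2] = m.group(1)
            current = None
    return [tuple(e) for e in errors]  # type: ignore[return-value]


def ip_based_spns(errors: List[KrbError]) -> List[str]:
    """SPNs whose instance part is an IP literal; a KDC has no such principal
    registered, so these are the expected source of S_PRINCIPAL_UNKNOWN."""
    found = []
    for _, _, spn in errors:
        if not spn or "/" not in spn:
            continue
        host = spn.split("/", 1)[1].split(":")[0]
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue
        found.append(spn)
    return found


def summarize(text: str) -> Dict[str, object]:
    errors = parse_krb_errors(text)
    return {
        "queries": parse_queries(text),
        "transports": dict(request_transports(text)),
        "error_counts": dict(Counter(name for name, _, _ in errors)),
        "ip_based_spns": ip_based_spns(errors),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

Feed it a real export and the `transports` counter shows whether the client actually retried over TCP after each RESPONSE_TOO_BIG, and `ip_based_spns` lists every ticket request that was made against an address instead of a name.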
[ActiveDir] Cross forest trusts and site subnet syncing
I am researching x forest trusts and the need / advantage in syncing sites and subnets between forests. I have found a MS paper which describes multi forest scenarios in some detail but would ideally like to see a paper which describes the process used by a root domain DC to locate a root domain DC in the 'other' forest in more detail.

i.e. does the DC simply look for a DC in the same site as itself? If so, then this implies that both forests need to have a similar site naming convention, which may be an issue :)

Does the DC cache the DC used (and form a secure channel) or is some other mechanism used?

Does anyone know of any detailed papers which cover the above? [I thought I once read a paper available in the w2k3 JDP timescales, but have not seen anything similar post RTM.]

Thanks in advance,
neil
RE: [ActiveDir] Segregating and delegating _msdcs
I'll try to elaborate but much of the reasoning behind this is political or sensitive in its nature :)

[BTW: I'm happy with the feasibility of the change but am looking more for best practices and known issues etc]

We currently have non-secure DDNS enabled in the a.test.com zone and wish to enable secure DDNS. Whilst investigating the ramifications of this change, we have decided to segregate out the _ zones so we can safely enable secure DDNS on those zones whilst investigations continue for the parent zone.

Ultimately, both the _ zones as well as the parent zone itself will be managed by non-Windows DNS servers, but we will still require a split of _ zones since DDNS will only be permitted for those zones.

Now I've "spilled the beans" are you able to offer a response or a technote / KB? :)

Thanks,
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: 27 April 2005 21:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Segregating and delegating _msdcs

technically, this approach is quite feasible - however, it's usually done the other way around. Many companies do this so that they can safely enable DDNS on the _MSDCS zones (as AD integrated zone) allowing automatic service record, DC Domain GUID registration etc., while putting the host records on a (static) Bind DNS.

So it would be good to know your reason behind your request...?

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Wednesday, 27 April 2005 09:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Segregating and delegating _msdcs

For various reasons we would like to split out _msdcs and the other _* domains within one specific DNS zone, into separate zones. These new zones will then, eventually, be hosted on non-Windows DNS servers, whilst the 'parent' zone will remain hosted on w2k DCs.

Our current environment is w2k DCs [in a 4 domain forest] so app partitions are not an option just yet.

Root domain is named test.com and 3 children exist, a.test.com, b.test.com and c.test.com. We wish to delegate the _ domains within a.test.com only to non-Windows DNS servers, with a.test.com remaining hosted on w2k DCs.

I have found fairly useful technotes etc and have started to flesh out a plan but wondered if anyone would be prepared to share any real world experiences of such an operation. i.e. how was the change performed? Any pitfalls or gotchas?

Thanks in advance,
neil
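One check worth running before the split Neil describes is to see which of a DC's dynamically registered names end up in the delegated underscore zones and which stay in the parent zone, because only the former will be covered by secure DDNS after the change. The block below is an added example, not code from the thread: the DC name `dc1`, the site name `lon` and the GUIDs are constructed, and the record list follows the usual Netlogon registration pattern for a child domain rather than being a dump from a real server.

```python
"""Classify a DC's registered DNS names by the zone they land in once
_msdcs, _sites, _tcp and _udp are delegated out of a.test.com.
Added example; SAMPLE_RECORDS is constructed (dc1, site lon, GUIDs)."""

from typing import Dict, List, Optional, Tuple

PARENT_ZONE = "a.test.com"
DELEGATED_ZONES = [
    "_msdcs.a.test.com",
    "_sites.a.test.com",
    "_tcp.a.test.com",
    "_udp.a.test.com",
]

# Constructed: names a DC "dc1" in site "lon" registers for the child domain
# a.test.com, plus two forest-wide records that live under the root domain's
# _msdcs zone and are therefore outside this delegation altogether.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("a.test.com", "A"),                                 # domain name itself (LdapIpAddress)
    ("dc1.a.test.com", "A"),                             # the DC's own host record
    ("_ldap._tcp.a.test.com", "SRV"),
    ("_ldap._tcp.lon._sites.a.test.com", "SRV"),
    ("_ldap._tcp.dc._msdcs.a.test.com", "SRV"),
    ("_ldap._tcp.lon._sites.dc._msdcs.a.test.com", "SRV"),
    ("_ldap._tcp.pdc._msdcs.a.test.com", "SRV"),
    ("_kerberos._tcp.a.test.com", "SRV"),
    ("_kerberos._udp.a.test.com", "SRV"),
    ("_kerberos._tcp.dc._msdcs.a.test.com", "SRV"),
    ("_kpasswd._tcp.a.test.com", "SRV"),
    ("_kpasswd._udp.a.test.com", "SRV"),
    # forest-root _msdcs records (constructed placeholder GUIDs)
    ("00000000-0000-0000-0000-000000000001._msdcs.test.com", "CNAME"),
    ("_ldap._tcp.00000000-0000-0000-0000-000000000002.domains._msdcs.test.com", "SRV"),
]


def zone_for(name: str, parent: str = PARENT_ZONE,
             delegated: List[str] = DELEGATED_ZONES) -> Optional[str]:
    """Longest-suffix match: a delegated zone beats the parent; a name under
    neither (for example the forest-root _msdcs zone) returns None."""
    n = name.lower().rstrip(".")
    best: Optional[str] = None
    for zone in delegated + [parent]:
        z = zone.lower()
        if (n == z or n.endswith("." + z)) and (best is None or len(z) > len(best)):
            best = z
    return best


def split_records(records: List[Tuple[str, str]]) -> Dict[Optional[str], List[Tuple[str, str]]]:
    """Group (name, type) pairs by the zone that will own them after the split."""
    groups: Dict[Optional[str], List[Tuple[str, str]]] = {}
    for name, rtype in records:
        groups.setdefault(zone_for(name), []).append((name, rtype))
    return groups


def still_in_parent(records: List[Tuple[str, str]]) -> List[str]:
    """Names whose updates stay governed by the parent zone's DDNS setting:
    these are the ones the underscore-zone split does not protect."""
    return [name for name, _ in records if zone_for(name) == PARENT_ZONE]


if __name__ == "__main__":
    for zone, recs in split_records(SAMPLE_RECORDS).items():
        print(zone or "(outside a.test.com: forest-root _msdcs)")
        for name, rtype in recs:
            print(f"    {rtype:<5} {name}")
    print("remain under parent DDNS policy:", still_in_parent(SAMPLE_RECORDS))
```

The two names that stay in the parent zone are the domain's own A record and the DC host record; both are still registered dynamically by the DC, so the plan needs to decide how those updates will be handled (static entries on the non-Windows servers, or secure DDNS on the parent once the investigation there is done).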
RE: [ActiveDir] Windows Server 2003 DNS Vs. LUCENT QIP DNS
Those that spring to mind:

W2k3 offers scavenging - QIP does not [but then you could argue, it is not needed by design]
W2k3 offers secure DDNS - QIP can, but requires Kerberos integration [again, QIP may be designed such that this is moot]
QIP is a full IP management solution and not just a DNS product.

Both (QIP and w2k3 DNS) have their pros and cons - it really depends upon your requirements and whether you need/want a full IP management solution or just a DNS product.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Green
Sent: 28 April 2005 11:02
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Windows Server 2003 DNS Vs. LUCENT QIP DNS

Hi all

I was wondering what (if any) benefits/advantages there are to using Microsoft (2003) DNS Vs. QIP in Active Directory?

Any comments or thoughts welcome :)

James
[ActiveDir] Segregating and delegating _msdcs
For various reasons we would like to split out _msdcs and the other _* domains within one specific DNS zone, into separate zones. These new zones will then, eventually, be hosted on non-Windows DNS servers, whilst the 'parent' zone will remain hosted on w2k DCs.

Our current environment is w2k DCs [in a 4 domain forest] so app partitions are not an option just yet.

Root domain is named test.com and 3 children exist, a.test.com, b.test.com and c.test.com. We wish to delegate the _ domains within a.test.com only to non-Windows DNS servers, with a.test.com remaining hosted on w2k DCs.

I have found fairly useful technotes etc and have started to flesh out a plan but wondered if anyone would be prepared to share any real world experiences of such an operation. i.e. how was the change performed? Any pitfalls or gotchas?

Thanks in advance,
neil
RE: [ActiveDir] How to determine which is the default site
I guess 'he' is me, so thought I should respond :)

Based upon the excellent feedback received, it looks as though my concerns have been allayed. I was discussing this over a beer with an ex colleague and we both thought the behaviour in scenario 3 was different and hence the original post.

I therefore don't really care which is/was the default site anymore, as you suggested.

Thanks to all,
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: 25 April 2005 23:06
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to determine which is the default site

Yeah, if you don't have one numbered in the low thousands, then it's gone. I wonder which method he finally picked? Maybe he doesn't care anymore.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 3:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to determine which is the default site

My lowest numbered site has a USN of 1.8 million. Though I know I deleted the original one and probably 50 after that.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Wednesday, April 13, 2005 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to determine which is the default site

From the tests I've run so far, it's been pretty consistent that the first site has a USNCreated of 4112 for a fresh Windows 2003 AD. For forests that started life as Windows 2000, I've been seeing 3493, but at least one forest has it at 1171. Not sure what that's about.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, April 13, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to determine which is the default site

Why? Nothing I have seen in my experience would seem to indicate anything special about that first site, in fact my home test lab has been running with that first site deleted for some time now and I am running with other sites.

Someone mentioned looking at the GUIDs. GUIDs are not sequential, they are semi-randomly created, see MSDN for the algorithm. Trying to divine order from them would be fruitless.

Here would be a simple command line to find the oldest site

adfind -config -f objectcategory=site whencreated -sort whencreated -maxe 1

This would look at the config container, find all site objects, sort them by whenCreated, then return the DN and whenCreated attribute for the first one.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Wednesday, April 13, 2005 9:54 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] How to determine which is the default site

At some point in the dim, dark past, the default site was renamed (I assume it was not removed!)

Does anyone have a quick and easy way to determine which of the existing sites was once the default site?

[It has been suggested that I look at the create date for all the sites and that the oldest one will be the default site :) I have 100 sites so need something more elegant/quicker. ]

Any suggestions more than welcome.

Thanks,
neil
RE: [ActiveDir] How to determine which is the default site
Testing back in 2000 (the year, not the OS) showed that this site did have special properties. I'm researching and testing before I post further info. I believe it has relevance when a client tries to locate a DC and the client's subnet has no site-subnet mapping defined in AD.

More to follow...

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: 13 April 2005 17:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to determine which is the default site

Why do you need to know? You understand there's nothing special about that particular Site name?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Wednesday, April 13, 2005 08:54
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] How to determine which is the default site

At some point in the dim, dark past, the default site was renamed (I assume it was not removed!)

Does anyone have a quick and easy way to determine which of the existing sites was once the default site?

[It has been suggested that I look at the create date for all the sites and that the oldest one will be the default site :) I have 100 sites so need something more elegant/quicker. ]

Any suggestions more than welcome.

Thanks,
neil
[ActiveDir] How to determine which is the default site
At some point in the dim, dark past, the default site was renamed (I assume it was not removed!) Does anyone have a quick and easy way to determine which of the existing sites was once the default site?

[It has been suggested that I look at the create date for all the sites and that the oldest one will be the default site :) I have 100 sites so need something more elegant/quicker.]

Any suggestions more than welcome.

Thanks,
neil
RE: [ActiveDir] Inherit parent permissions on an AD user
This is by design, as Jorge explained. Members of privileged groups do not inherit permissions unless the properties of the AdminSDHolder object are altered. Take a look at the KB which Jorge offered earlier.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 11 April 2005 16:39
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Inherit parent permissions on an AD user

Not really blaming it on the migtool, seems like more of a functionality with AD. We're using Quest/Aelita DMW, but we originally migrated all the accounts with ADMT. The users are domain admins in the source domain, but we're removing them from domain admins after they're migrated to the target domain. If we remove them from domain admins in the source domain BEFORE migrating them, they have the Inherit permissions box checked. However, if we migrate them as a domain admin, and then remove them from domain admins in the target domain, that box is unchecked, and ONLY domain admins can modify them until we click the Inherit permissions checkbox on their account's security advanced settings.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, April 11, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Inherit parent permissions on an AD user

Hi Russ,

Are you sure it is your migtool? What tool are you using? Are those users also domain admins / administrators in the target domain? (in other words members of protected groups - default MS admin groups within a domain)

If yes... Are you familiar with the AdminSDHolder phenomenon?

The AdminSDHolder object holds the permissions and inheritance settings for all protected users and groups (administrator, domain admins, administrators, account operators, etc.). If a normal user account is made a member of one of these groups it becomes a protected user and it gets the adminCount attribute set to 1. A process on the PDC FSMO checks hourly all protected users/groups and members of the protected groups and resets the permission and inheritance settings if they don't match the settings on the AdminSDHolder object.

http://support.microsoft.com/?kbid=232199
http://support.microsoft.com/default.aspx?scid=kb;en-us;318180

Jorge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday 11 April 2005 16:21
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Inherit parent permissions on an AD user

We found out our migration tool is unchecking the Inherit parent permissions checkbox on our user accounts if they are in domain admins in the source domain. We're having to go in and recheck this box on many accounts in the target domain since we had over 100 domain admins in the source domain. Is there any way to ensure that inherit parent permissions is enabled for the security options on each user account in our AD domain?

~~
This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.
~~

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
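Russ's symptom (accounts that left Domain Admins but keep inheritance disabled) is the classic AdminSDHolder leftover: SDProp stamps adminCount=1 and strips inheritance, and nothing undoes that when the account leaves the group. The script below is an added example, not part of the thread; it assumes the ActiveDirectory PowerShell module (RSAT), the AD: drive it provides, and rights to read and modify the affected user objects. The protected-group list is the well-known built-in subset and should be extended for your forest.

```powershell
# Added example (not from the thread): find users that still carry the
# AdminSDHolder stamp (adminCount=1) although they are no longer members
# of any protected group, and optionally restore ACL inheritance on them
# and clear adminCount so SDProp leaves them alone from now on.
Import-Module ActiveDirectory

# Built-in protected groups whose members SDProp stamps (subset; the full
# list depends on OS version, so extend it for your forest).
$ProtectedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators'
)

function Get-ProtectedMemberSet {
    # Resolve every nested member of the protected groups into one lookup table
    # keyed by distinguishedName.
    $set = @{}
    foreach ($g in $ProtectedGroups) {
        $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
        if (-not $grp) { continue }
        Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $set[$_.DistinguishedName] = $true }
    }
    return $set
}

function Get-OrphanedAdminCount {
    # Users stamped adminCount=1 that are no longer in any protected group.
    $members = Get-ProtectedMemberSet
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
        Where-Object { -not $members.ContainsKey($_.DistinguishedName) }
}

function Repair-OrphanedAdminCount {
    param([switch]$WhatIf)   # report only, change nothing
    foreach ($u in Get-OrphanedAdminCount) {
        Write-Host "Orphaned adminCount on $($u.DistinguishedName)"
        if ($WhatIf) { continue }
        # Re-enable inheritance on the object's security descriptor while
        # keeping the explicit ACEs SDProp wrote, then clear the stamp.
        $path = "AD:\$($u.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $acl.SetAccessRuleProtection($false, $true)   # $false = inherit again
        Set-Acl -Path $path -AclObject $acl
        Set-ADUser -Identity $u -Clear adminCount
    }
}

# Report first; drop -WhatIf once the list looks right.
Repair-OrphanedAdminCount -WhatIf
```

Review the report before removing -WhatIf: an account that is deliberately protected by a custom group you added to the AdminSDHolder set would show up here unless that group is in $ProtectedGroups.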
RE: [ActiveDir] DC location queries
Thanks James.

You've responded to scenario 2 only (I believe) - can you offer any comment on the other 2 scenarios? A simple yes/no will suffice :) If no, can you point me to an article that explains the correct behaviour?

Thanks,
neil
MVP - DS

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 07 April 2005 15:20
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] DC location queries

Hi Neil

In your domain DNS zone you will see a list of the sites in the _SITES folder. Inside that are the site names and a _tcp folder. This contains the SRV records that are registered for that site. Once a client is site aware (after first logon) my understanding is this.

1) The client queries DNS for a list of DCs in its site. It will then try them in a random order. If nothing is returned, or this fails...
2) The client will query DNS for a list of DCs in the domain. It will then try them in a random order with (I believe) 100ms time out for each before contacting the next.

Gil Kirkpatrick wrote a very good article on controlling this topology with SRV record priorities (i.e. lower records are provided first and when they time out remaining records are provided), and on setting manual site coverage.
http://www.windowsitpro.com/Windows/Article/ArticleID/37935/37935.html

We have used this somewhat, setting the SRV record value for all DCs to 16, except for our hubsite (left at the default value of 0) for the domain. In our scenario the client will
1) Check the site, if there is nothing.
2) Check the hubsite, if they both time out
3) Check every other DC in the domain.

Hope this helps;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

From: Ruston, Neil [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 04/07/2005 03:07 PM CET
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] DC location queries

I would like to ask for confirmation relating to the below scenarios and DC location:

1. Client in site with no DCs installed
   Client receives list of DCs which have registered SRV records on behalf of that site
2. Client in site with a DC but that DC is unavailable
   Client requests list of DCs registered at the domain level
3. Client in unknown site
   Client receives list of DCs associated with the defaultFirstNameSite

We have only hub sites register as per point 2 and the default site has been renamed. How do I determine which site has assumed the role of the default site?

Thanks,
neil
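James describes the DNS side of DC location: site-specific SRV records first, the domain-wide record as fallback, with priority deciding the order among the fallback DCs (his hub at priority 0, everything else at 16). The function below is an added example, not James's or Neil's code; it assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later) and that this host's DNS server serves the _msdcs records of the domain. The domain and site names are placeholders.

```powershell
# Added example (not from the thread): show which DCs DNS would hand a client
# for a given site, with the domain-wide fallback, ordered the way the locator
# orders SRV answers (lowest priority first, then by weight).
function Get-SrvOrdered {
    param([Parameter(Mandatory)][string]$Name)
    # Resolve-DnsName may also return A records from the additional section,
    # so keep only the SRV answers. A missing record simply yields nothing.
    $rr = Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'SRV' }
    # Lowest priority wins; within one priority the client picks randomly in
    # proportion to weight, so a higher weight is listed first here.
    $rr | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
          Select-Object NameTarget, Priority, Weight, Port
}

function Get-DcCandidates {
    param(
        [Parameter(Mandatory)][string]$Domain,   # placeholder, e.g. corp.example.com
        [string]$Site                            # omit for a client with no site mapping
    )
    $answers = @()
    if ($Site) {
        # Step 1: the site-specific record (DCs in the site, plus any DC that
        # covers the site because it has no DC of its own).
        $answers = Get-SrvOrdered -Name "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
    }
    if (-not $answers) {
        # Step 2: the domain-wide record. Here priority/weight decide the order,
        # which is exactly what the hub-at-0 / others-at-16 layout relies on.
        $answers = Get-SrvOrdered -Name "_ldap._tcp.dc._msdcs.$Domain"
    }
    $answers
}

# Example calls with placeholder names:
# Get-DcCandidates -Domain 'corp.example.com' -Site 'Branch01' | Format-Table -AutoSize
# Get-DcCandidates -Domain 'corp.example.com' | Format-Table -AutoSize   # no site known
```

Running the second call with no site shows the list an unmapped-subnet client would work from, which is the quickest way to see whether the priorities James describes are in place on every DC.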
RE: [ActiveDir] Assigning permissions for domain user -- post Ser ver 2003 sp1 upgrade
Unless the firewall is needed, you should disable it. At least then you have removed one factor from the issue.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stephen G. Maczko
Sent: 06 April 2005 22:24
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Assigning permissions for domain user -- post Server 2003 sp1 upgrade

I'm no longer able to assign permissions on a client to a domain user. When I open a directory properties sheet, security tab and then press the Add btn, it takes a long time for the Users, computers groups box to show. Then when I select a user, the thing hangs. One other symptom, possibly related: it takes a looong time to pop up the runas box now from anywhere on the client.

I've not used the security wizard, because you can't use it on a DC, so I activated the firewall and manually opened a set of ports. The following is my partial list of ports opened, those relevant to AD, etc.

53 DNS (TCP/UDP)
88 Kerberos (TCP/UDP)
123 NTP (UDP) (??)
464 Kerberos password change (TCP/UDP)

I also have all the appropriate ports for file-sharing; working well for the shares where permissions are already set up.

The network is really very basic; I have one server/one client. It's actually a development environment; I need AD to mimic one of my clients. I also have ASP.NET and SQL Server on the server; they are working well, including ASP.NET debugging.

Thanks for any suggestions!
Steve
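Before disabling the firewall outright, a probe from the client shows which of the ports an AD client needs are actually reachable on the DC. This is an added example, not from the thread; the port list is the standard AD client set (not Steve's partial list), the DC name is a placeholder, and the probe is TCP only, so it cannot cover the RPC dynamic endpoint range that the object picker and ACL editor also need after contacting port 135.

```powershell
# Added example (not from the thread): test TCP reachability of the ports an
# AD client needs on a DC, so a firewall that passes DNS and Kerberos but
# blocks LDAP, SMB or the RPC endpoint mapper is visible at once.
function Test-AdPorts {
    param(
        [Parameter(Mandatory)][string]$DomainController,   # placeholder host name
        [int]$TimeoutMs = 1500
    )
    # Standard AD client ports (assumption: well-known defaults, not from the post).
    $ports = @(
        @{ Port = 53;   Service = 'DNS' },
        @{ Port = 88;   Service = 'Kerberos' },
        @{ Port = 135;  Service = 'RPC endpoint mapper (object picker / ACL editor)' },
        @{ Port = 139;  Service = 'NetBIOS session' },
        @{ Port = 389;  Service = 'LDAP' },
        @{ Port = 445;  Service = 'SMB (SYSVOL, Group Policy)' },
        @{ Port = 464;  Service = 'Kerberos password change' },
        @{ Port = 636;  Service = 'LDAPS' },
        @{ Port = 3268; Service = 'Global Catalog LDAP' }
    )
    foreach ($entry in $ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            # Asynchronous connect so a silently dropped packet cannot hang the
            # probe for the full OS connect timeout.
            $async = $client.BeginConnect($DomainController, [int]$entry.Port, $null, $null)
            $open  = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        } catch {
            $open = $false      # name resolution or socket error counts as closed
        } finally {
            $client.Close()
        }
        [pscustomobject]@{
            Port    = $entry.Port
            Service = $entry.Service
            Open    = [bool]$open
        }
    }
}

# Test-AdPorts -DomainController 'dc01.corp.example.com' | Format-Table -AutoSize
```

A row with Open = False for 135, 389 or 445 while 53 and 88 are open matches the symptom in the post (a slow or hanging object picker) far better than a Kerberos problem would.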
[ActiveDir] 675 events [Account Logon]
Earlier today, a DC was found at 85-95% CPU. It was also noted that there were continuous 675 events for one user account:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 4/7/2005
Time: 8:43:49 AM
User: NT AUTHORITY\SYSTEM
Computer: x
Description:
Pre-authentication failed:
User Name: yyy
User ID: \yy
Service Name: krbtgt/
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: a.b.c.d

[We don't really have a user with ID yy - I have changed names to protect the innocent :) ]

The user's machine was switched off and CPU dropped from 90% to 75% and then down to the 50% range!

Any ideas how we might explain this behaviour? Is this an account lockout type issue?

Any help greatly appreciated.

neil

-Original Message-
From: Ruston, Neil
Sent: 07 April 2005 08:54
To: # GSI Core Infra EU; # IT GTI GSE Active Directory Team
Subject: FW: [ActiveDir] SLOWW Logons

FYI

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: 06 April 2005 22:10
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

Starting a new thread from the original post, as I am going to address this from a troubleshooting methodology perspective, not a take a swing and perhaps one hit out of the park perspective.

My approach to slow logon:

1) I always start with a userenv log (logging set to 10002). I then take the log, and begin looking for gaps of time in the log, to perhaps understand components that are being slow during user init.

2) If I don't immediately see an answer in the userenv, or at least a starting point (can go either way depending upon the case) I go with two pieces of data: userenv + network trace. Network trace can be tricky, given that you can't take it on the client: the client hasn't logged on yet. :) Typically, I take the client machine and throw it on a silly little hub, and on that hub also place another machine which I take a trace from. Start the trace (some larger buffer, say 50MB or so), then boot the client + log on to the client, and I don't usually stop the trace until the logon is complete. From there, you can line up gaps of time in the userenv log to what was going over the wire. I find this approach more fruitful than just taking a trace and trying to guess where the problem is.

~Eric
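A steady stream of 675 events with failure code 0x18 (pre-authentication failed because the password or key was wrong) from one client address is the pattern Neil describes, and it is worth counting rather than eyeballing. The functions below are an added example, not from the thread; they parse the 675 description text as the event writes it, so they work on text copied from Event Viewer or on messages pulled from a 2003 DC with Get-EventLog. The sample events are constructed, with example-range addresses, not taken from the post.

```powershell
# Added example (not from the thread): parse Windows 2003-style 675 events
# (Kerberos pre-authentication failed) and summarise failures per account and
# client address, so a flood from a single host stands out from normal typos.
function ConvertFrom-Event675 {
    param([Parameter(ValueFromPipeline)][string]$Message)
    process {
        # Pull the labelled fields out of the description; labels match the event text.
        $get = {
            param($label)
            if ($Message -match "$label\s*:\s*(\S+)") { $Matches[1] } else { '' }
        }
        [pscustomobject]@{
            UserName      = & $get 'User Name'
            PreAuthType   = & $get 'Pre-Authentication Type'
            FailureCode   = & $get 'Failure Code'
            ClientAddress = & $get 'Client Address'
        }
    }
}

function Get-PreAuthFailureSummary {
    param(
        [Parameter(Mandatory)][string[]]$Messages,
        [int]$Threshold = 10      # failures per (account, address) that count as a flood
    )
    $Messages | ConvertFrom-Event675 |
        Where-Object { $_.FailureCode -eq '0x18' } |    # wrong password/key only
        Group-Object UserName, ClientAddress |
        ForEach-Object {
            [pscustomobject]@{
                UserName      = $_.Group[0].UserName
                ClientAddress = $_.Group[0].ClientAddress
                Count         = $_.Count
                Suspicious    = ($_.Count -ge $Threshold)
            }
        } | Sort-Object Count -Descending
}

# Constructed sample: twelve bad-password failures from one host for one
# account, plus one clock-skew failure (0x25) that must not be counted.
$sample = @()
foreach ($i in 1..12) {
    $sample += 'Pre-authentication failed: User Name: yyy User ID: EXAMPLE\yyy ' +
               'Service Name: krbtgt/EXAMPLE Pre-Authentication Type: 0x2 ' +
               'Failure Code: 0x18 Client Address: 192.0.2.10'
}
$sample += 'Pre-authentication failed: User Name: zzz User ID: EXAMPLE\zzz ' +
           'Service Name: krbtgt/EXAMPLE Pre-Authentication Type: 0x2 ' +
           'Failure Code: 0x25 Client Address: 192.0.2.11'

Get-PreAuthFailureSummary -Messages $sample | Format-Table -AutoSize

# Against a live Windows 2003 DC (classic event ID 675 is the InstanceId):
# Get-PreAuthFailureSummary -Messages (
#     Get-EventLog -LogName Security -InstanceId 675 | ForEach-Object { $_.Message })
```

On the constructed sample the summary is one row, yyy from 192.0.2.10 with Count 12 and Suspicious True; a stale cached credential on a service or mapped drive on that host is the usual benign cause, and the same grouping exposes a password-guessing source just as clearly.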
RE: [ActiveDir] SLOWWWWWW Logons
... presumably this sets the limit for Kerberos UDP packets, before TCP is used instead? or does it simply reduce the max packet size so as to minimise fragmentation of those packets?

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Becker, Jim
Sent: 07 April 2005 13:40
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

Oops, be careful, it wrapped... The value is MaxPacketSize

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Becker, Jim
Sent: Thursday, April 07, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

This sounds very much like an issue we had and the problem had to do with UDP packet fragmentation. Perhaps you can try the following Kerberos change. If it doesn't work, remove it.

Add the following Value to the registry on one of the remote workstations, reboot and try again:

HKLM/System/CurrentControlSet/Control/LSA/Kerberos/Parameters/MaxPacketSize DWORD 0x580 (1408 decimal)

Jim Becker
Asst. Dir. of Administrative Systems
State University of New York System Administration
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

How much data are those two users pulling down from the domain controllers (network trace?) What's different about them?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 06, 2005 3:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SLOWW Logons

I have two users amongst 50 in a remote site that no matter what PC they login to it takes forever, but if someone else logs into that PC, they log on quickly with no problems. I have already run netdiag and everything passed, I have deleted the local profile on the computer, disjoined and rejoined the domain, changed the network card, provided a different IP address, verified I can access \\domainname\sysvol\domainname and rebooted the PC as well as all the domain controllers and the routers in between the sites. No ports are being blocked by anything, no changes to policies have been done, no new servers have been made domain controllers and none have been demoted. There are two Global Catalogs in that AD Site, replication is working and I have not thrown the PC out the window yet. What else could be happening here?

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
[ActiveDir] DC location queries
I would like to ask for confirmation relating to the below scenarios and DC location:

1. Client in site with no DCs installed
   Client receives list of DCs which have registered SRV records on behalf of that site
2. Client in site with a DC but that DC is unavailable
   Client requests list of DCs registered at the domain level
3. Client in unknown site
   Client receives list of DCs associated with the defaultFirstNameSite

We have only hub sites register as per point 2 and the default site has been renamed. How do I determine which site has assumed the role of the default site?

Thanks,
neil
RE: [ActiveDir] AD logging
That can be explained by sdprop which runs every 60 mins on the PDCe. It sets ACLs on privileged groups as per those ACLs set on the AdminSDHolder object in the domain. Different, unrelated issue, I'd say :)

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: 07 April 2005 16:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

I can't help much, but to say I've seen a similar situation. In my case, I had several group objects that I modified security on. After some time, say a few hours or so, the permissions would revert back to the default.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, April 07, 2005 9:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Yes I saw Eric's post, which does make sense; my real problem is I have accounts once a week for the past 2 months that literally disappear from AD... I have removed everyone but myself from all privileged groups; I've had all my admins reset passwords, I've made sure no scripts are running that would cause this to happen. I've even removed all logon scripts. I've never seen user accounts just disappear like this... So I set up a few test accounts then deleted them, I want to see where this gets logged to help me troubleshoot why other accounts seem to just vanish?!?!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, April 07, 2005 6:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Did you notice ~Eric's post? I have to ask again: Why not just use the GPO? What drove you to the NTDS registry settings? That bit is still not clear to me.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Given the severity of the situation I set them all to 2 and have been watching the logs

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 1:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Under diagnostics, there are many keys. Which one did you set?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

The default GPO also has auditing set for the domain right now to audit success and failure for all objects.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 1:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Which registry setting did you set? And why there? Why not via GPO around account auditing?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD logging

Question, Hopefully this won't sound too newbie!

Domain is 2003 native mode, 6 domain controllers in 3 sites. I've turned up logging in the registry to a value of 2 on the server that holds the PDC Emulator role. I have also set success and failure auditing in the default domain GP on all objects. I created an account for testing then I deleted that account but I can't see a reference to the deletion anywhere? Where will I see a reference to the deletion? Wouldn't I find that in the Security log?

Like I said sorry for the newbie question...

Thanks in advance
Mike
RE: [ActiveDir] 2003 SP1 RTM
With respect, shouldn't we expect to see detailed docs released at the same time as the SP? This SP is far more than a bunch of fixes and will require extensive testing by various groups before being deployed. This process can be helped greatly by good, descriptive documentation. AD is viewed as more critical to an enterprise as each year passes and so any change to its infrastructure must be tested and given due diligence before authorised for deployment.

Personally, I'd rather wait another week or 2 so docs can be incorporated into the SP release.

Thanks,
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Nathan Muggli
Sent: 31 March 2005 20:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

We'll be releasing documentation soon. For now, here's a quick list of new features (note this is not a comprehensive list for AD).

1) Support for DCs in Virtual Servers. Replication is halted and the system stops advertising if an improper restoration has occurred (USN rollback).
2) Replication resolves additional forms of DNS names in order to be more robust and work sooner after install. Also improved event log text when there is a failure.
3) Improve group membership consistency on authoritative restore
4) Report if a directory partition has not been backed up recently
5) Report if a FSMO role holder is set incorrectly or is not responding
6) DNS diagnostic test for dcdiag.exe
7) Authentication diagnostic test for dcdiag.exe
8) Improved event log text with common repair steps included. There are existing w2k3 messages that are updated, and there are entirely new messages.
9) Improved metadata cleanup for FRS objects
10) Retain application partitions on IFM
11) New default tombstone lifetime for new forests created using sp1
12) Faster FSMO validation when FSMO holder has partners in other sites
13) During forced removal, warn administrator if important roles will be orphaned
14) Ability of Dirsync api to return partial tombstones in order to allow directory synchronizing applications to learn of object deletions

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Thursday, March 31, 2005 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

Hi Eric,

Sorry David for hijacking your thread :)

Other than the tombstone life on clean installs of AD on SP1 what are the major impacts of SP1 on an AD deployment? Is there a public document that outlines the changes?

Thanks,
Francis

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: 31 March 2005 13:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

Dave can you quantify this statement please? I ask out of curiosity, not disagreement. Specifically:

1) You referred to SP1 having too many changes. How did you make this determination? What is the threshold where we cross in to too many?
2) What steps will you be going through between now and when you do install it? What will you do between now and deployment to give you the confidence level you need to fire it up on a box and see how it goes?

Interested, so we can perhaps think through ways to make that less painful going forward.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave A. Marquis
Sent: Thursday, March 31, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

I am certainly going to be waiting to install this one for a while, too many changes to jump right into it.

David A. Marquis
Computer Systems Administrator

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, March 31, 2005 6:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 SP1 RTM

FYI. Windows Server 2003 SP1 went RTM yesterday

http://www.microsoft.com/downloads/details.aspx?familyid=22CFC239-337C-4D81-8354-72593B1C1F43&displaylang=en

This e-mail message, including all attachments, is for the sole use of the intended recipients(s) and may contain confidential and privileged information. You may NOT use, disclose, copy, or disseminate this information. If you are not the intended recipient, please contact the sender by reply e-mail immediately. Please destroy all copies of the original message and all attachments.
RE: [ActiveDir] AD/ Virus outbreak
Quite honestly, you really shouldn't need to run AV software on DCs, there shouldn't be vectors for them to be infected. If they get infected, it usually means an Admin was careless - actually in every case of an infected DC I have investigated it has been an admin being careless. I disagree. All machines have an attack vector. In this case perhaps the admin is the weakest link, but then that's no reason to exclude DCs from AV protection. From a TCO perspective, an environment where all machines are configured in a similar fashion must be the optimum. Why manage AV protected and non-AV protected machines? I agree wrt the op guidelines - these best practices can be used to minimise the attack surface but can never reduce it to zero, however. neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 30 March 2005 06:44 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD/ Virus outbreak 1. Don't log into servers to do daily work, learn how to do things with remote interfaces. 2. Do not run IE, OE, or pretty much any App interactively on servers. 3. Do not log into workstations with IDs that have admin rights on servers, use RUNAS or scripts that require you to specify the creds, etc. Even avoid fixed drive letters to DCs with admin creds, use UNCs if you want to use NET USE /USER. 4. Do not allow normal users to write to the file systems of a DC. 5. Keep DCs fully patched and do not run unnecessary services. Quite honestly, you really shouldn't need to run AV software on DCs, there shouldn't be vectors for them to be infected. If they get infected, it usually means an Admin was careless - actually in every case of an infected DC I have investigated it has been an admin being careless. Yes you can put all roles on one DC. In an empty root I would have done it already anyway and would have made all DCs in the empty root GCs most likely as well. 
joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Tuesday, March 29, 2005 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD/ Virus outbreak

Hi,

I have 3 DC's in a protected root domain and 2 child domains. Unfortunately the 3 root DC's were not running a virus client, totally missed... anyway. Looks like it is using known Windows exploitability to drop files and what not. 2 of the 3 seem to be infected (ones with the Schema Master, DNM and PDCE). If I have to rebuild can I at least for the interim transfer the above roles on the 3rd DC (with the RIDM and IM)? GC is on 1 & 2 as well.

Thanks,

==
This message is for the sole use of the intended recipient. If you received this message in error please delete it and notify us. If this message was misdirected, CSFB does not waive any confidentiality or privilege. CSFB retains and monitors electronic communications sent through its network. Instructions transmitted over this system are not binding on CSFB until they are confirmed by us. Message transmission is not guaranteed to be secure.
==
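For the role question in this thread, an added example that is not from any of the posts: inventory the five operations master roles from the clean DC, move the ones still held by the two infected root DCs to the survivor, and verify from another replica. Credentials are supplied explicitly from an ordinary desktop session rather than by logging on to the DC, in line with joe's point 3. The domain and DC names (corp.example, ROOTDC3, CHILDDC1.child.corp.example) are assumptions; the ActiveDirectory module cmdlets used here date from Windows Server 2008 R2, the 2005-era tool for the same job being ntdsutil's roles menu.

```powershell
# Added example, not from the thread. Moves the operations master roles held
# by the two infected root DCs to the surviving clean DC and verifies the
# result. Hypothetical names: forest root domain corp.example, clean DC
# ROOTDC3, a child-domain DC CHILDDC1.child.corp.example used for the check.
# Needs the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later);
# the 2005-era equivalent is ntdsutil's "roles" menu.
Import-Module ActiveDirectory

$Domain   = 'corp.example'   # assumption
$Survivor = 'ROOTDC3'        # assumption: the DC that already holds RID and Infrastructure
# Explicit credentials from a desktop session, per joe's point 3, instead of
# an interactive logon on the DC.
$Cred = Get-Credential -Message "Enterprise Admins member for $Domain"

function Get-RoleHolders {
    param([string]$Server)
    # Ask the named DC (the clean one first), not the infected ones, where
    # the roles sit.
    $f = Get-ADForest -Identity $Domain -Server $Server -Credential $Cred
    $d = Get-ADDomain -Identity $Domain -Server $Server -Credential $Cred
    [ordered]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

$before = Get-RoleHolders -Server $Survivor
$before.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

# Roles whose holder is not the survivor. Holder values are FQDNs, so compare
# the host label only.
$toMove = @($before.GetEnumerator() |
    Where-Object { ($_.Value -split '\.')[0] -ne $Survivor } |
    ForEach-Object { $_.Key })

if ($toMove.Count -gt 0) {
    # Without -Force this is a transfer and needs the current holder to
    # answer. With -Force the roles are seized, which is what you want once
    # the infected holders are off the network. A seized role must never be
    # handed back by powering the old holder on again: rebuild it from
    # scratch and remove its metadata from the forest first.
    Move-ADDirectoryServerOperationMasterRole -Identity $Survivor `
        -OperationMasterRole $toMove -Server $Survivor -Credential $Cred `
        -Force -Confirm:$false
}

# Verify from a DC in another domain, so the answer comes from a replica that
# did not perform the move itself (allow for replication latency).
$after = Get-RoleHolders -Server 'CHILDDC1.child.corp.example'
$after.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
```

Leave -Force off for a first attempt if the infected DCs are still reachable and you want a clean transfer; use it only after they have been isolated, and treat the seizure as the point of no return for those two machines.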
RE: [ActiveDir] WINS topic
WINS, like DNS, is domain agnostic. You may host a DNS zone abc.com (corresponding to AD domain abc.com) on a UNIX server, which exists in some Kerberos realm, perhaps. Similarly, WINS may be hosted on a Windows NT server which is not part of any Windows domain. In answer to your question therefore, simply use your existing WINS servers.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: 30 March 2005 14:09
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WINS topic

I know there has been some debate in this group recently about WINS in AD but I wanted to get your feedback regarding an empty root domain: Do you need a WINS server in an empty root domain? If so, would pointing WINS back to the child domain WINS server be a bad idea? Other than AD traffic nothing should be happening at the root level (other than DNS forwarding) so I'm not sure I understand why WINS would be needed... We have Exchange 2003 running (which I realize has somewhat of a dependency on WINS) but the Exchange server(s) are in the child domain where we have WINS already running.

Any insight would be greatly appreciated! Thanks!

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway
Livonia, MI 48152
Tel 734.591.7324
Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

This message may include proprietary or protected information. If you are not the intended recipient, please notify me, delete this message, and do not further communicate the information contained herein without my express written consent.
RE: [ActiveDir] AD Site Confusion
Thanks Jorge. Are you implying that the answer to the original question is therefore 'no'? This has huge ramifications in the branch office. Or did I simply explain how the answer is 'yes', but for the wrong reasons??

Are you also saying that DCs (and sitecoverage) handle the following 2 scenarios in different ways:

1. No DCs installed in some site
2. DCs installed in some site but none available

Can you expand on your previous post please?

Thanks,
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: 29 March 2005 10:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion

I think that's incorrect if you're talking about autositecoverage. Autositecoverage by DCs from some domain for some site will only occur if some site has no DCs from that same domain. Although DCs are down and not available, the DCs in other sites in the same domain see in their own replica that that site has DCs and autositecoverage will occur. Sitecoverage will occur by other DCs if you configured it manually through the registry or a GPO.

Cheers,
Jorge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Tuesday, March 29, 2005 09:25
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD Site Confusion

Depending upon your site links, DCs in either site B or C will advertise themselves as available to site A. The DCs in the site with lowest cost to site A will perform this role.

What do you mean by 'take down'? Are you taking a WAN link down or powering off the DCs or demoting them or what?

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: 28 March 2005 21:55
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Site Confusion

I have 3 sites, site A has 2 DC's and site B & C each have 1 DC. When I take down site A (both DC's), the clients in Site A cannot log in.
Shouldn't they be able to log in using site B or C?

Thanks,
--
Matt Brown
Information Technology System Specialist
Eastern Washington University

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
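To see what the site coverage discussion above amounts to on a real forest, an added example that is not part of the thread: it lists which DCs advertise for each site (the SRV records behind both Neil's and Jorge's points), shows what the DC locator would hand a client in site A right now, and reads the per-DC Netlogon values that control coverage. The domain name corp.example and the site names SiteA/SiteB/SiteC are assumptions; Resolve-DnsName needs the DnsClient module (Windows 8 / Server 2012 or later), nltest ships with Windows.

```powershell
# Added example, not from the thread. Lists the DCs that advertise for each
# site, shows what the DC locator gives a client in SiteA, and reads the
# per-DC Netlogon coverage values. Hypothetical names: domain corp.example,
# sites SiteA, SiteB, SiteC.
$Domain = 'corp.example'             # assumption
$Sites  = 'SiteA', 'SiteB', 'SiteC'  # assumption

function Get-SiteAdvertisers {
    param([string]$Site, [string]$DnsDomain)
    # A DC registers this record for its own site and for every site it
    # covers, whether automatically or through SiteCoverage. Records of a DC
    # that is merely powered off stay until scavenged or removed, so stale
    # advertisers show up here too.
    $name = "_ldap._tcp.$Site._sites.dc._msdcs.$DnsDomain"
    Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV' |
        Select-Object -ExpandProperty NameTarget
}

foreach ($site in $Sites) {
    $dcs = @(Get-SiteAdvertisers -Site $site -DnsDomain $Domain)
    '{0,-6} advertised by: {1}' -f $site, $(if ($dcs) { $dcs -join ', ' } else { '<none>' })
}

# Site-less records: the set the locator falls back to when no DC from the
# site-specific set answers.
(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV | Where-Object Type -eq 'SRV').NameTarget

# What a client in SiteA gets from the DC locator now. /force skips the
# client's cached DC so the answer reflects a live discovery.
nltest "/dsgetdc:$Domain" /site:SiteA /force

# On a DC: the values Netlogon reads for coverage. AutoSiteCoverage (DWORD,
# default 1) enables the automatic behaviour Jorge describes; SiteCoverage
# (REG_MULTI_SZ) is the manual list, also settable through the Net Logon GPO
# setting "Sites Covered by the domain controller Locator DNS SRV Records".
$nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Get-ItemProperty -Path $nl -Name AutoSiteCoverage, SiteCoverage -ErrorAction SilentlyContinue |
    Select-Object AutoSiteCoverage, SiteCoverage

# To make the DC in SiteB cover SiteA by hand until SiteA's own DCs are back
# (run on that DC, then re-register its records):
#   Set-ItemProperty -Path $nl -Name SiteCoverage -Type MultiString -Value @('SiteA')
#   nltest /dsregdns
```

If SiteA still lists only its own two DCs while they are off, that is the scenario Jorge describes: the other DCs see a site that has DCs and do not step in automatically, and only the manual SiteCoverage list (or the site-less fallback records) gets a client in that site to a DC elsewhere.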
RE: [ActiveDir] GPO's in AD (online and offline)
One further clarification - GPO settings are stored in the registry and *are* active even if the machine is disconnected from the domain or network.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: 24 March 2005 11:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO's in AD (online and offline)

There are two profiles for the firewall settings. The one is external and the other one is internal. I can't recall their exact names but the one operates when the firewall is aware that it's connected to its domain and the other operates in all other scenarios.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: 24 March 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO's in AD (online and offline)

We are in the process of rolling out XP SP2 in our environment and I am beginning to mess around a bit with the GPO settings for SP2, specifically the firewall. We have a mixture of laptop and desktop users, the desktops are no problem as we disable the firewall on all of them as the corporate network they are connected to handles all access rights. The laptop users however are a bit of a headache. What I need to be able to do is disable the firewall when the laptops are logging on locally to the network but ensure that the firewall is enabled when they are working offline and perhaps making dialup connections to the internet.

What I can't figure out is how I am supposed to get the firewall policy settings to the laptops. If they are logging on to the domain the firewall should be disabled and if they logon while disconnected from the domain then they won't process the GPO and therefore won't get any settings?!? Just how can I solve this Catch 22?
Thanks for any help
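Putting neil's and Peter's answers together, an added example that is not from the thread: run on one of the laptops, it checks that the firewall policy has actually landed in the local registry (where it stays once the laptop is off the domain) and that the two profiles carry the values Mark wants, off for the domain profile and on for everything else. The registry keys are the ones the XP SP2 Windows Firewall group policy writes; the expected values encode Mark's design, not a recommendation, and Get-NetConnectionProfile (Windows 8 / Server 2012 or later) is only used to show which profile is in effect at the moment.

```powershell
# Added example, not from the thread. Verifies on a laptop that the GPO
# firewall settings are present in the policy hive and match the intended
# per-profile values, then reports which profile is currently active.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# Mark's design: domain profile off (corporate network), standard profile on
# (offline, dial-up, hotel). Change these if your design differs.
$expected = @{
    DomainProfile   = 0
    StandardProfile = 1
}

function Get-FirewallPolicyState {
    # Reads EnableFirewall from each policy profile key. A missing key means
    # the GPO never reached this machine (or was removed), which is the
    # condition Mark is worried about for laptops that rarely see the domain.
    foreach ($profile in $expected.Keys) {
        $key   = Join-Path $base $profile
        $value = (Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
        [pscustomobject]@{
            Profile  = $profile
            Policy   = $(if ($null -eq $value) { '<not delivered>' } else { $value })
            Expected = $expected[$profile]
            OK       = ($value -eq $expected[$profile])
        }
    }
}

Get-FirewallPolicyState | Format-Table -AutoSize

# Which profile applies right now? 'DomainAuthenticated' means the domain
# profile; anything else means the standard (on newer Windows: private or
# public) profile, i.e. the one that must carry EnableFirewall=1 for the
# offline case to be protected.
if (Get-Command Get-NetConnectionProfile -ErrorAction SilentlyContinue) {
    Get-NetConnectionProfile | Select-Object Name, NetworkCategory
}
```

Run it once on the domain and once after disconnecting: the policy rows should not change (the registry values persist), only the active profile should.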
RE: [ActiveDir] Domain remains after decommissioning
I would suggest that you still have a WINS entry for the domain. You may either remove this/these entry(ies) manually or allow the entry(ies) to be tombstoned. Search for 1B and 1C entries corresponding to the domain in the WINS database.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: 24 March 2005 13:18
To: activedir@mail.activedir.org
Subject: [ActiveDir] Domain remains after decommissioning

Dear List Readers,

I have finally decommissioned an old domain after having migrated into our new domain structure. The last DC was DCPromoed down and actually moved to the new domain as a standalone server. Prior to this, there was a two way trust which had been in place. All trust relationships were broken before the final DCPromo down. Now, I can still see the old domain in my new domain drop down list and I want to get rid of it. Do I have to run ntdsutil on the new domain to clean up something somewhere or is there something else I need to do to delete this old domain from my new domain's drop down list?

Thanks for anything you may offer to me and for continuing to help those of us on the list who need help. This list is invaluable.

RH
_
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
Voice: 207.827.4456 Ext. 387
Email: [EMAIL PROTECTED]
www.jws.com
_
RE: [ActiveDir] Remove DNS forwarder
"dnscmd /resetforwarders" i.e. set list of forwarders to blank.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh
Sent: 24 March 2005 13:29
To: activedir@mail.activedir.org
Subject: [ActiveDir] Remove DNS forwarder

Hi,

How to remove the DNS forwarder using command line? I was trying dnscmd but there is no switch to remove the forwarder.

Thanks,
Manjeet
RE: [ActiveDir] Enabling Password must meet complexity requirements
As Jorge stated, these 3rd party tools copy the pw hash and not the password itself (for obvious reasons). The receiving DC is unable to determine if this hash conforms to the pw policy or not and so the hash is always permitted (even if corresponding to a blank pw). I have used the Quest/Aelita toolset and the above was certainly found to be true.

neil
MVP - dir services

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: 23 March 2005 15:18
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Enabling Password must meet complexity requirements

On Wed, 23 Mar 2005 08:01:45 -0700, Coleman, Hunter [EMAIL PROTECTED] wrote:

> Our experience with ADMT v2 (beta) matched what Jorge said...source passwords did not have to meet the target requirements when migrated, but the next time the migrated user changed passwords the new ones did have to meet the target requirements. I'm not sure if this has changed in later versions of ADMT.

Interesting that it works for ADMT but NetIQ and Quest haven't been able to build that into their products!

Phil
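Since, as neil says, the target DC accepts whatever hash the migration tool writes, the only point at which the target policy is applied is the next password change (Hunter's observation). An added example that is not from the thread: it finds the migrated accounts and flags them for a password change at next logon, reporting the ones that cannot be flagged in bulk. It assumes the migration populated sIDHistory on the migrated accounts (ADMT and the Quest/NetIQ tools do so when SID history migration is selected); the DC name DC1.corp.example is hypothetical, and the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later) is required.

```powershell
# Added example, not from the thread. After a hash-level migration, force the
# migrated accounts to change their password at next logon so the target
# domain's policy finally gets to evaluate a real password. Assumes the
# migration wrote sIDHistory; DC name is hypothetical.
Import-Module ActiveDirectory

$Server = 'DC1.corp.example'   # assumption
$Cred   = Get-Credential       # explicit creds, not an admin logon on the desktop

function Get-MigratedAccountReport {
    # Migrated accounts are the ones carrying a SID from the source domain.
    $migrated = Get-ADUser -LDAPFilter '(sIDHistory=*)' -Server $Server -Credential $Cred `
        -Properties sIDHistory, pwdLastSet, PasswordNeverExpires, CannotChangePassword, Enabled

    foreach ($u in $migrated) {
        [pscustomobject]@{
            Sam                  = $u.SamAccountName
            Enabled              = $u.Enabled
            SourceSid            = ($u.sIDHistory | Select-Object -First 1)
            MustChange           = ($u.pwdLastSet -eq 0)   # already flagged
            PasswordNeverExpires = $u.PasswordNeverExpires
            CannotChange         = $u.CannotChangePassword
        }
    }
}

$report = @(Get-MigratedAccountReport)
$report | Format-Table -AutoSize

# Set-ADUser refuses ChangePasswordAtLogon on an account that has
# PasswordNeverExpires set, and an account with CannotChangePassword could
# not complete the forced change at logon, so both kinds are left out here
# and must be dealt with deliberately (service accounts, usually).
$targets = @($report | Where-Object {
    $_.Enabled -and -not $_.MustChange -and -not $_.PasswordNeverExpires -and -not $_.CannotChange
})

foreach ($t in $targets) {
    # Drop -WhatIf once the list above has been reviewed.
    Set-ADUser -Identity $t.Sam -ChangePasswordAtLogon $true -Server $Server -Credential $Cred -WhatIf
}

'{0} migrated accounts, {1} flagged for a password change at next logon' -f $report.Count, $targets.Count
```

The skipped accounts are the ones to look at by hand: a migrated service account with PasswordNeverExpires set keeps its source-domain password, policy or not, until someone resets it.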