RE: [ActiveDir] Virtual Domain Controllers

2005-08-09 Thread Seely Jonathan J

Thanks, Brad. That is very good to hear. I also appreciate the tips.

JJ


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Tuesday, August 09, 2005 3:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

We run multiple DCs on GSX and ESX. Everything seems to have gone fine so far, and MS will give their best endeavours on support. Most of the time they don't even ask us if the DC is virtual ;-)

Also, ensure that the time sync capability is disabled in the VMware Tools, and that the DC boots up completely before the file and print, so that the file and print can authorise itself against it. Otherwise the FP may take up to half an hour (or thereabouts) to realise it can now contact a DC for file/print access authorisation.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, August 08, 2005 12:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

hehe - single DC - must have overread that - I would have called that a problem in itself ;-)
But then again it's only for 10 users and likely ok.
As such, I even doubt that SID reissue is much of a problem as this environment is likely rather static rgd. new objects in AD ;-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, 7 August 2005 00:43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Well since it is a single domain and a single DC I would say he really doesn't have a worry about USN rollbacks but he does have a possible concern with SID reissue.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Saturday, August 06, 2005 5:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

"Since it's a single domain server I just take ghost snapshots of the domain and then backup the files"

not really a useful approach to backup a DC. Might be ok for FS and other roles, but DCs are not really cool with snapshotting and being "rolled back in time" due to the distributed nature of the data they store. You could easily cause USN rollback during recovery of a DC stored in this fashion (at least SP1 protects the rest of your DCs now by turning off inbound and outbound replication and disabling the Netlogon service if it finds a DC that has a USN rollback status).

But for AD Backup/Restore you'd be much better off to work with normal SystemState backup/restore. Which is another reason why it's nice to have it on a separate box (virtual or hardware).

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Saturday, 6 August 2005 02:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

I run a single DC in a small environment... only about 10 users, and since it's just a single server office, and single DC domain... I just run everything on the domain controller. Domain, DNS, File, Print, and Accounting Software on the same server... no VMware... although I considered it. Since it's a single domain server I just take ghost snapshots of the domain and then backup the files.

Seems to work pretty good, as it's been running solid for about a year now.



Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 05, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Could you just do the file/print on the DC? In a small environment you could probably get away with it.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
-- A good plan today is better than a perfect plan tomorrow.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers
Hi All,

I have a question about running DCs on GSX server. I understand that MS does not support this configuration, but I've heard that many people are running DCs in this fashion. Can anyone give some advice in this arena? The idea here is to do VM for a file/print, and another one for a DC in our remote sites. Currently, we've got different hardware for each box, but we're trying to consolidate a bit out there.

Thank you.

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of
[ActiveDir] Virtual Domain Controllers

2005-08-05 Thread Seely Jonathan J

Hi All,


I have a question about running DCs on GSX server. I understand that MS does not support this configuration, but I've heard that many people are running DCs in this fashion. Can anyone give some advice in this arena? The idea here is to do VM for a file/print, and another one for a DC in our remote sites. Currently, we've got different hardware for each box, but we're trying to consolidate a bit out there.

Thank you.


JJ Seely
Systems Administrator
Oregon Department of Justice
Division of Child Support
(503) 378-4500 x22277
[EMAIL PROTECTED]



*CONFIDENTIALITY  NOTICE*

This e-mail may contain information that is privileged, confidential, or otherwise exempt from disclosure under applicable law. If you are not the addressee or it appears from the context or otherwise that you have received this e-mail in error, please advise me immediately by reply e-mail, keep the contents confidential, and immediately delete the message and any attachments from your system. 

RE: [ActiveDir] Virtual Domain Controllers

2005-08-05 Thread Seely Jonathan J

Thanks, Al.

Given all the rants, er, discussions, about single purpose servers (thanks, Joe), I'd like to not do that. The sites (~18 of them) range in size from 20 to 200 users. Consistency is good, so whatever solution we come up with I plan to do the same thing in each remote office.

This change to VM is more about hardware reduction in outlying offices rather than specific cost savings measures (though of course, those are always appreciated up the chain). If there are reasons to not go with VMs on DCs (e.g. if memory usage in the VM environment can cause AD corruption), I need to know that. Hearing that the configuration is not 'officially' supported is not a show stopper if many people are successfully doing it and feel it should be supported by MS.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 05, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Could you just do the file/print on the DC? In a small environment you could probably get away with it.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
-- A good plan today is better than a perfect plan tomorrow.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers
Hi All,

I have a question about running DCs on GSX server. I understand that MS does not support this configuration, but I've heard that many people are running DCs in this fashion. Can anyone give some advice in this arena? The idea here is to do VM for a file/print, and another one for a DC in our remote sites. Currently, we've got different hardware for each box, but we're trying to consolidate a bit out there.

Thank you.

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of Child Support
(503) 378-4500 x22277
[EMAIL PROTECTED]

RE: [ActiveDir] Computer Account Cleanup

2005-01-11 Thread Seely Jonathan J


how about oldcmp from Joeware? I use it to do this fun task. It will give you nice reports, allow you to disable first, delete, script it...

http://www.joeware.net




  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Liz Vaibar
  Sent: Tuesday, January 11, 2005 7:41 AM
  To: Active Directory Discussions (ActiveDir@mail.activedir.org)
  Subject: [ActiveDir] Computer Account Cleanup

  Is there a free MS utility that allows you to identify and cleanup old computer accounts within AD? Any suggestions would be appreciated.

  Thanks,
  Liz


RE: [ActiveDir] Logging on to a Domain Controller

2004-09-14 Thread Seely Jonathan J


Hi Mark,

If they are using terminal services, you might also check the Terminal
Services Configuration RDP-Tcp permissions.  I believe by default it is
only Administrator and System that have access.

JJ

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, September 14, 2004 7:50 AM
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Logging on to a Domain Controller


Hi Mark

In the default domain controller group policy check the allow logon
local / allow logon terminal (are they accessing the box using the local
console or via remote desktop?).  Also check the deny logon local and
deny logon terminal.  Those four settings should override anything that
is set elsewhere in GPO or local settings.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


From: Abbiss, Mark [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 09/14/2004 04:22 PM ZE2
Please respond to ActiveDir
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Logging on to a Domain Controller




Okay, as you were so helpful as to provide your reason for asking, so
will I.

We have two groups of administrators in our setup. There is Group 1, who
can actually log on and make the necessary changes and there is Group 2,
who should be able to log on and be able to look around, check running
processes, check settings, etc, but have no ability to start
installing/removing software or making other system changes.

So I would like to be able to grant this second level of administrators
the ability to log on to a domain controller but so far I have not been
able to do it. I have followed various instructions but all to no avail.
The message I see is saying "You do not have access to log on to this
session."

So if anyone can suggest a way to allow me to set up a group with the
ability to log on to DC's with a restricted set of rights, I would be
eternally grateful.

Many thanks in advance.

Mark



-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 14 September 2004 15:33
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Logging on to a Domain Controller


The reason for the question is that allowing local access to a DC
substantially impacts your security. It is extremely bad practice and
poor form to give non-domain admins interactive access to domain
controllers. The recommendation from everyone, including MS is to not do
it. Why? Because if they so choose, the person you give the access to
will most likely have the ability to get administrative level access and
can hopscotch that into complete forest admin access - usually with no
knowledge of the DA's and EA's.

Most people tend to do it when they don't know how to do things in a
better more secure way. When we ask why, we are trying to understand the
context to better provide solutions. I.E. Lots of people ask for lots of
things and most of the time they don't know what they are asking for
else they generally don't need to ask. Not saying you fit this category
but before we give someone a loaded gun, we like to know that they
intend to point at a rat in the dumpster versus their own head or foot.

My general answer to someone who wants to give someone else interactive
domain controller access is to give them domain admin rights, then you
aren't fooling yourself into thinking you have a secure solution.

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Tuesday, September 14, 2004 9:00 AM
To: '[EMAIL PROTECTED]'
Subject: RE: 

RE: [ActiveDir] MS Exchange Tools on Domain Controller

2004-05-21 Thread Seely Jonathan J



Also, think about the steps to add EMC to a server; it requires IIS to be installed... again not advisable on a DC.

  
  -Original Message-
  From: joe [mailto:[EMAIL PROTECTED]
  Sent: Friday, May 21, 2004 11:49 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] MS Exchange Tools on Domain Controller

  That is it. However, that brings up the question... Is Exchange Admin something you should be doing from a domain controller? As a general rule you shouldn't be logging onto DCs very often, that way leads to mistakes and problems. You manage the stuff from workstations. Let servers just sit and cook in the background.
  
  joe
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
  Sent: Friday, May 21, 2004 2:27 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] MS Exchange Tools on Domain Controller
  
  
  That's it? Cool.

  Okay.. I will give it a try.

  Thank you again for the reply.
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
  Sent: Friday, May 21, 2004 1:56 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] MS Exchange Tools on Domain Controller

  Yes, just install the ESM on the DC
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
  Sent: Friday, May 21, 2004 1:54 PM
  To: Active Directory List
  Subject: [ActiveDir] MS Exchange Tools on Domain Controller

  I have an Exchange server and would like to know if it would be possible to have the properties menus available when logged into the domain controller? The domain and the exchange server are two separate machines.

  Is this possible?

  Thank you all for your replies in advance.
  


RE: [ActiveDir] Anyone ever convert dnsRecord attribute?

2004-03-26 Thread Seely Jonathan J



Thanks, Joe.

I for one find these things very useful. Maybe not today, maybe not tomorrow, but soon.

JJ

  
  -Original Message-
  From: joe [mailto:[EMAIL PROTECTED]
  Sent: Friday, March 26, 2004 4:31 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?

  Ok sorry for the delay, one of my nano marine tanks (5 gallon) had a thermostat crack and blow up and it took out a circuit breaker (electrical device exposed in a tank of water, go figure). I am just hoping everything didn't get zilched out. I know the fish and hermit crabs survived, not so sure about the corals and fan tails.

  Anyway, here is a quick and dirty script to do this
  
  #############################################################################
  # Anti-DSinAddr.PL
  #=============================================================================
  # Author : Joe Richards ([EMAIL PROTECTED])
  # Version: V01.00.00
  # Modification History:
  #   V01.00.00 2004.03.26 joe Original Version
  #-----------------------------------------------------------------------------
  # This script pulls out host names out of an AD integrated reverse dns zone
  #-----------------------------------------------------------------------------
  # Notes:
  #   This script requires ADFIND to be available to do the queries...
  #############################################################################

  #############################################################################
  # Definitions:
  #-----------------------------------------------------------------------------
  # $TRUE       : Define True for testing.
  # $FALSE      : Define False for testing.
  # $YES        : Define Yes for testing.
  # $NO         : Define No for testing.
  # $SCRIPTPATH : Path to script.
  #############################################################################
  $TRUE=1;
  $FALSE=0;
  $YES=1;
  $NO=0;
  ($SCRIPTPATH)=($0=~/(^.*)\\.*$/);

  ## Display header
  print "\nAnti-DSinAddr V01.00.00pl Joe Richards ([EMAIL PROTECTED]) March 2004\n\n";

  ## Pull base and do initial dns zone search
  my $base=shift;
  my $cmd="adfind -gc -b $base -f name=microsoftdns -dn";
  my @out=`$cmd 2>nul`;
  my @rs=grep(/dn:/,@out);
  chomp @rs;
  map {s/^dn://} @rs;

  ## Go find reverse zones
  print "Locating DNS in-addr arpa zones...\n";
  my @zones=();
  foreach $this (sort @rs)
  {
    print "$this\n";
    $cmd="adfind -gc -b $this -f * -dn -s one";
    @out=`$cmd 2>nul`;
    @rs2=grep(/in-addr.arpa/,@out);
    chomp @rs2;
    map {s/^dn://} @rs2;
    push @zones,@rs2;
    @rs2=();
  }

  ## Loop through zones and pull info
  foreach $thiszone (sort @zones)
  {
    print "Zone: $thiszone\n";
    $cmd="adfind -b $thiszone -f \"(objectcategory=dnsnode)(dc=0)\" -s one dnsrecord";
    @out=`$cmd 2>nul`;
    chomp @out;
    $dn="";
    foreach $thisline (@out)
    {
      if ($dn eq "")
      {
        ($dn)=($thisline=~/^dn:(.+)/);
        next;
      }
      if ($thisline=~/^dnsRecord: (.+)/)
      {
        push @records,$1;
        next;
      }
      if ($thisline!~/\w/)
      {
        next unless $dn;
        print DecodeRecord($dn,\@records);
        $dn="";
        @records=();
        next;
      }
    }
  }

  #############################################################################
  # Subs and Functions
  #-----------------------------------------------------------------------------

  #-----------------------------------------------------------------------------
  # Sub DecodeRecord
  #-----------------------------------------------------------------------------
  # Input
  #   Scalar    DN of record
  #   List Ref  Reference to list with Hex Data for record
  #
  # Output
  #   List      List of decoded records for that DN (note this can be multiple)
  #-----------------------------------------------------------------------------
  sub DecodeRecord
  {
    my @rs=();
    my $dn=shift;
    my $refrecords=shift;
    my $hostip=join(".",($dn=~/DC=(\d{2,2}).(\d{2,2}).(\d{2,2})/)).".".($dn=~/^DC=(\d+),/)[0];
    foreach $thisrecord (@$refrecords)
    {
      my $hostnamehex=substr(join("",split(/\s/,$thisrecord)),54);
      my $hostname="";
      map {$hostname.=chr(hex($_))} ($hostnamehex=~/(..)/g);
      push
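For the dnsRecord format that joe's script walks through, here is a parser added as an example (it is not joe's code and not part of the original thread): it decodes one value along the DNS_RPC_RECORD layout from MS-DNSP, shows what the 54-hex-digit skip-and-chr() shortcut yields on the same bytes, and rebuilds the address from the dnsNode DN the way the $hostip line does, for any octet length. The PTR record is constructed inside the block; that adfind prints the attribute as space-separated hex bytes is an assumption taken from the split/join in the script.

```python
import re
import struct

DNS_TYPE_PTR = 0x000C  # wType value for a PTR record

def build_ptr_record(target, ttl=3600, serial=42):
    """Constructed sample: one DNS_RPC_RECORD (MS-DNSP) carrying a PTR target."""
    labels = target.split(".")
    raw_name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    data = bytes([len(raw_name), len(labels)]) + raw_name      # DNS_COUNT_NAME
    header = struct.pack("<HHBBHI", len(data), DNS_TYPE_PTR, 5, 0xF0, 0, serial)
    header += struct.pack(">I", ttl)                            # TTL is big-endian
    header += struct.pack("<II", 0, 0)                          # Reserved, TimeStamp
    return header + data

def parse_count_name(buf, off):
    """Decode a DNS_COUNT_NAME: Length, LabelCount, length-prefixed labels, 0x00."""
    label_count = buf[off + 1]
    pos = off + 2
    labels = []
    for _ in range(label_count):
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    if pos >= len(buf) or buf[pos] != 0:
        raise ValueError("DNS_COUNT_NAME is missing its terminating zero byte")
    return ".".join(labels), pos + 1

def parse_dns_record(raw):
    """Read the 24-byte DNS_RPC_RECORD header; decode the data only for PTR records."""
    if len(raw) < 24:
        raise ValueError("dnsRecord value is shorter than the 24-byte header")
    data_len, rtype, version, rank, flags, serial = struct.unpack_from("<HHBBHI", raw, 0)
    ttl = struct.unpack_from(">I", raw, 12)[0]
    data = raw[24:24 + data_len]
    if len(data) != data_len:
        raise ValueError("DataLength claims more bytes than are present")
    rec = {"type": rtype, "version": version, "rank": rank, "serial": serial, "ttl": ttl}
    if rtype == DNS_TYPE_PTR:
        rec["target"], _ = parse_count_name(data, 0)
    return rec

def from_adfind_hex(line):
    """adfind prints binary attributes as space-separated hex bytes (assumed); undo that."""
    return bytes.fromhex(line.replace(" ", ""))

def quick_and_dirty(line):
    """The shortcut in joe's script: drop 54 hex digits (27 bytes) and chr() the rest.
    The label-length bytes survive as control characters, hence the label walk above."""
    return "".join(chr(int(h, 16)) for h in re.findall("..", line.replace(" ", "")[54:]))

def ip_from_node_dn(dn):
    """Rebuild the IPv4 address from a dnsNode DN in an in-addr.arpa zone, e.g.
    DC=5,DC=1.168.192.in-addr.arpa,CN=MicrosoftDNS,...  ->  192.168.1.5"""
    m = re.match(r"^DC=(\d+),DC=([\d.]+)\.in-addr\.arpa", dn, re.IGNORECASE)
    if not m:
        raise ValueError("not a dnsNode DN inside an in-addr.arpa zone")
    return ".".join(reversed(m.group(2).split("."))) + "." + m.group(1)

if __name__ == "__main__":
    hexline = build_ptr_record("host1.example.local").hex(" ")  # constructed adfind-style value
    print(parse_dns_record(from_adfind_hex(hexline)))
    print(repr(quick_and_dirty(hexline)))
    print(ip_from_node_dn("DC=5,DC=1.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=example,DC=local"))
```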