RE: [ActiveDir] Disable CD ROM through GP
Hello Dhiraj,

it's always a kind of risk to put something into production without testing - even with good guidance there might be small issues which may lead to big results. That said - implementing a new Policy Extension in GP is pretty easy.

First, copy the ADM to the ADM-Files in the Group Policy Object in Sysvol. They are referenced by GUID ({xxx-xxx-xxx-xxx}) there - you are able to find out the GUID of your GPO using GPMC. After you copied the ADM-File there, open the Group Policy. For custom ADMs you have to adjust the Filter (in the View Menu of the GP-Object Editor): select the Administrative Templates node underneath either User or Computer Configuration (probably Computer in your case), then go into the View Menu and click Filter. Unselect "Only show policy settings that can be fully managed". Afterwards you should be able to find your policy setting and you are able to configure it.

I'd do this in a separate GPO for testing, and remove the right (in Security; make sure that you remove the right and do _not_ deny it) of Authenticated Users to apply the policy. Afterwards enter your own computer account and give it the right to apply the policy - just to make sure that you are testing it before. If it works on your computer you can reset the rights by allowing Authenticated Users to apply it again and remove your computer account from the security settings. Now they will apply to all computer accounts underneath the level (domain, OU, site) where you linked the GPO.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Haritwal, Dhiraj
Sent: Saturday, 27 January 2007 09:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disable CD ROM through GP

If anyone has done the same, kindly guide me...
Because right now I do not have this much time.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, January 27, 2007 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Disable CD ROM through GP

Why not set up a test network/machine in VirtualPC/VMware?

Haritwal, Dhiraj wrote:

Hi All,

I want to disable CD ROM on all client machines through GP. I found the KB http://support.microsoft.com/kb/555324 and created the attached test.adm file. Actually I don't have any testing machine where I can test this *adm* file. Can anybody tell me the complete process to enable it? Also tell me where it will reflect the changes: whether in the registry, or whether it will create that option in GP to disable/enable CD ROM.

Dhiraj Haritwal

This email is confidential and intended only for the use of the individual or entity named above and may contain information that is privileged. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this email is strictly prohibited. If you have received this email in error, please notify us immediately by return email or telephone and destroy the original message.
- This mail is sent via Sony Asia Pacific Mail Gateway.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] OT: maintaining creation date when copying directories?
Robocopy with the /B switch should work.

Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, 25 January 2007 13:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: maintaining creation date when copying directories?

What move/copy tools can be used to copy directories/files to another location and still retain the creation date value? Robocopy seems to keep the creation date on files but directories are given the current date. Am I missing a switch in Robocopy to do this? A backup/restore operation (with ntbackup.exe) retains the creation date as one would expect. I am just looking for other possible tools. I should mention that with all of the tools I've tried, the modified date is always the current date for directories. Any help is appreciated!

Mike Thommes
RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone
A hostname underneath a folder "1"? I'd agree if just the number were there, but not with a name (or other number) underneath.

Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, 25 January 2007 15:14
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

You can register records like this by messing up a reverse lookup record addition using DNSCMD.

--Paul

----- Original Message -----
From: EIS Lists mailto:[EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, January 24, 2007 9:28 PM
Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

Thanks, all. Ulf, your explanation was great! I am sure it was someone (probably me!) who just typed a .1 in some setting on the printer and allowed it to register in DNS. Many thanks.

-- nme
Noah Eiger

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Wednesday, January 24, 2007 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

Just 9:30 pm here, so not really late. Many are mixing up the zones with the "DNS-Subdomains" or whatever they are actually called. But in this case he even had it right, he said that under the domain zone he has the "_*"-folders as well as a folder "1". I had to reread too ;-)

How are things? See you in March?

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 24 January 2007 21:17
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

That's what I would expect. But since the original poster called it a zone I figured I'd ask. What are you doing up so late? :)

On 1/24/07, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

No Zone - no properties ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 24 January 2007 20:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

What are the properties of the "1" zone?

On 1/24/07, EIS Lists [EMAIL PROTECTED] wrote:

Hi - Under one of our forward lookup zones (AD-integrated), we have the usual folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well as a single folder just named: "1" (without the quotes). There is a single A-record under it for one of our printers. Any idea what this folder is? Thanks.

-- nme
RE: [ActiveDir] OT: maintaining creation date when copying directories?
Hi Thommes,

I've just tried this here, and both commands

Robocopy /B .\ ..\ wins.dll
Robocopy /B .\ c:\ wins.dll

(the first one on the same drive, the second one on another drive) maintain the Created and Modified dates. My Robocopy version is the same (XP010, 5.1.1.1010). Weird.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, 25 January 2007 14:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining creation date when copying directories?

Hi Ulf,

Thanks for the response! I tried Robocopy (version XP010) with the /E /B /COPYALL switches. It does not seem to have the desired effect (i.e., both the modified date and the creation date are still the current date). Any other thoughts?

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Thursday, January 25, 2007 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining creation date when copying directories?

Robocopy with the /B switch should work.

Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, 25 January 2007 13:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: maintaining creation date when copying directories?

What move/copy tools can be used to copy directories/files to another location and still retain the creation date value? Robocopy seems to keep the creation date on files but directories are given the current date. Am I missing a switch in Robocopy to do this? A backup/restore operation (with ntbackup.exe) retains the creation date as one would expect. I am just looking for other possible tools. I should mention that with all of the tools I've tried, the modified date is always the current date for directories. Any help is appreciated!

Mike Thommes
RE: [ActiveDir] How to find non-primary SMTP addresses?
Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE - you'd have to use LDIFDE or VBScript or anything else to view all values of those attributes.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, 26 January 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every Exchange user? I can't seem to find a way via csvde, but maybe I'm doing something wrong. Thanks again.
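As an added illustration of the LDIFDE route Ulf suggests (this is editor-supplied example code, not from the thread): the script below parses an LDIF export of proxyAddresses, handling the repeated lines a multivalued attribute produces, folded continuation lines and base64 values, and lists the secondary (lower-case "smtp:") addresses per user. The ldifde command line in the docstring and the sample export are assumptions, not data from the list.

```python
"""Find non-primary SMTP addresses in an ldifde export of proxyAddresses.

Added example, not part of the original thread. It assumes an export made
with ldifde (e.g. ldifde -f users.ldf -r "(proxyAddresses=*)" -l proxyAddresses)
and parses the LDIF text itself: a multivalued attribute appears as repeated
'name: value' lines, a line starting with a space continues the previous one,
and 'name:: value' marks a base64-encoded value. In Exchange the primary
address carries the upper-case 'SMTP:' prefix, secondaries the lower-case
'smtp:' prefix.
"""
import base64
from typing import Dict, List, Tuple

# Constructed sample export, not real directory data. Carla's secondary
# address is base64-encoded, as ldifde does for some values.
_CARLA_B64 = base64.b64encode(b"smtp:carla.example@example.com").decode("ascii")
SAMPLE_LDIF = f"""\
dn: CN=Alice Example,OU=Users,DC=example,DC=com
changetype: add
proxyAddresses: SMTP:alice@example.com
proxyAddresses: smtp:alice.example@example.com
proxyAddresses: smtp:a.example@oldcorp.example
proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Example;g=Alice;

dn: CN=Bob Example,OU=Users,DC=example,DC=com
changetype: add
proxyAddresses: SMTP:bob@example.com

dn: CN=Carla Example,OU=Users,
 DC=example,DC=com
changetype: add
proxyAddresses: SMTP:carla@example.com
proxyAddresses:: {_CARLA_B64}
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into one {attribute (lower-case): [values]} dict per entry."""
    # Unfold continuation lines first (RFC 2849: a leading space joins the
    # line to the previous one).
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical:
        if not line.strip():          # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):      # comment line
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):      # 'name:: base64value'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def smtp_addresses(entry: Dict[str, List[str]]) -> Tuple[str, List[str]]:
    """(primary, [secondaries]) from proxyAddresses; non-SMTP types are ignored."""
    primary, secondary = "", []
    for value in entry.get("proxyaddresses", []):
        prefix, _, address = value.partition(":")
        if prefix == "SMTP":          # the single primary, upper-case prefix
            primary = address
        elif prefix == "smtp":        # secondaries use the lower-case prefix
            secondary.append(address)
    return primary, secondary


def non_primary_report(text: str) -> Dict[str, List[str]]:
    """Map each DN to its non-primary SMTP addresses; users without any are omitted."""
    report: Dict[str, List[str]] = {}
    for entry in parse_ldif(text):
        _, secondary = smtp_addresses(entry)
        if secondary:
            report[entry["dn"][0]] = secondary
    return report


if __name__ == "__main__":
    for dn, addresses in non_primary_report(SAMPLE_LDIF).items():
        print(dn)
        for address in addresses:
            print("    ", address)
```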
RE: [ActiveDir] OT: maintaining creation date when copying directories?
Sorry - I've missed that point. Yes - you're right, I got the same results.

However, if you use the robocopy which is now included in Vista in System32 (XP027, 5.1.10.1027) you can use a new switch to accomplish this:

robocopy /dcopy:t /E /B /copyall . .

The /dcopy:t does the trick. Thanks for bringing this up so I had to look into it - I'll blog this since it's a very interesting change.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, 26 January 2007 02:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining creation date when copying directories?

Hi Ulf,

I don't have any problems with the creation date on files. It's the creation date on the directory folders that is not right. Could you try robocopy again, this time trying to copy some tree structure that has branches (subdirectories), and see what creation date is on the subdirectory folders? Thanks much!

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Thursday, January 25, 2007 3:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining creation date when copying directories?

Hi Thommes,

I've just tried this here, and both commands

Robocopy /B .\ ..\ wins.dll
Robocopy /B .\ c:\ wins.dll

(the first one on the same drive, the second one on another drive) maintain the Created and Modified dates. My Robocopy version is the same (XP010, 5.1.1.1010). Weird.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, 25 January 2007 14:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining creation date when copying directories?

Hi Ulf,

Thanks for the response! I tried Robocopy (version XP010) with the /E /B /COPYALL switches. It does not seem to have the desired effect (i.e., both the modified date and the creation date are still the current date). Any other thoughts?

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Thursday, January 25, 2007 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining creation date when copying directories?

Robocopy with the /B switch should work.

Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, 25 January 2007 13:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: maintaining creation date when copying directories?

What move/copy tools can be used to copy directories/files to another location and still retain the creation date value? Robocopy seems to keep the creation date on files but directories are given the current date. Am I missing a switch in Robocopy to do this? A backup/restore operation (with ntbackup.exe) retains the creation date as one would expect. I am just looking for other possible tools. I should mention that with all of the tools I've tried, the modified date is always the current date for directories. Any help is appreciated!

Mike Thommes
RE: RE: [ActiveDir] Question about DNS SRV registration.
Hello Yann,

you're welcome! No, it is not best practice to disable it. The effect you have is only happening if a Site has no DC assigned to it, or if a single DC of a Site is offline for a while. It is important that the Clients are able to look up a DC, and if you disable Automatic Site Coverage and a Site is without a DC for some time, Clients may experience longer logon times, and they might fall back on a DC which is in a site which goes over multiple WAN links.

I'd say best practice is to keep the Automatic Site Coverage active, and check once in a while if there are wrong registrations, which you may delete if the DCs of that Site are back online. They will also dissolve if you enable aging and scavenging.

Also what some customers are doing is the following: Assuming a star-shaped network topology with a Hub-Site where each Branch connects to, they are configuring the DCs of the Hub-Site to register their SRV-Records at the Branch Sites with a lower Priority than default; therefore the Branch-Office Clients will use the Branch-Office DC as long as it's available but fall back to the Hub DCs when the BO-DC is not available.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Wednesday, 24 January 2007 11:19
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] Question about DNS SRV registration.

Hello Ulf,

Thanks so much for such explanations! That rocks!
2 interesting points you pointed to me

So if I understand, it is good practice, in my case, to disable automatic site coverage?

After checking our production, Automatic site coverage is effectively set to disable (set on default domain controller policy). So it seems that DCa is still advertising himself as DC in site B. I will look why the process does not work in our case... :(

We did not configure automatic aging/scavenging, I will look also into this option.

Thanks again,
Yann

Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

Hello Yann,

this is usual and happens because Site B was configured in Active Directory before DC B was there and assigned to that site. Automatic Site Coverage is the process which is taking care of this effect. What it does is make sure that every site in Active Directory has DCs. If a DC detects a site which has no DCs assigned to it, it will try to figure out if he's a close DC (not crossing multiple site-links) and assign himself to that site.

So since Site B was configured and DC A was the only DC in your environment, DC A decided to advertise himself as DC in Site B. However, since DC B exists now, DC A will not refresh those records, and if you have aging and scavenging configured the old records of DC A in Site B will vanish. You can also delete those records if you wish: as long as the records of DC B are registered in Site B you can delete the records of DC A in Site B, however make sure that you are only deleting the SRV-Records underneath the DNS-Subdomains of the Site-specific Records in the Site B DNS-Domains (they look like folders in the DNS Management Console).

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Tuesday, 23 January 2007 22:28
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question about DNS SRV registration.

Hello all and happy new year :-),

Say:
- Site A with DCa that is also DNS (integrated to AD).
- Site B that is a new site. My goal: dcpromo a new DC (DCb) in site B. DCb will be also DNS (integrated to AD).
- DCa and DCb belong to the same domain (domain.local). My AD is w2k3 FFL mode.

In order to add the new DCb in the existing domain.com, DCb is DNS client to DCa. When dcpromo is finished, I configured:
- DCb as DNS client for himself
- DCa as secondary DNS server for DCb.

Everything looks good .. BUT: When clients in site B ask for all DCs in site B (with netlogon process), DCb returns DCb and DCa!

A nslookup
set type=srv
_ldap._tcp.siteB._sites.domain.local
shows the 2 DCs
- DCa.domain.local
- DCb.domain.local

When I search in the DNS console, I found that DCa is still present in site B, I think
RE: RE: RE: [ActiveDir] Question about DNS SRV registration.
Hello Yann,

unfortunately not. MS-Press said they will decide whether it's selling well, and it sold very well (and we were asked if we'd like to come up with a second release already after a few months), but I doubt they'll do it since the timeframe is getting shorter every day (Longhorn's approaching ;-) ).

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Wednesday, 24 January 2007 16:23
To: ActiveDir@mail.activedir.org
Subject: RE : RE: RE: [ActiveDir] Question about DNS SRV registration.

Ulf,

Thanks for the clarification. I will follow your advice. :)

Just an OT ... I found your Windows Server 2003 book on amazon.com here: http://www.amazon.de/exec/obidos/ASIN/3866456042
Do you have an English (or French) version of the book available?

Cheers,
Yann

Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

Hello Yann,

you're welcome! No, it is not best practice to disable it. The effect you have is only happening if a Site has no DC assigned to it, or if a single DC of a Site is offline for a while. It is important that the Clients are able to look up a DC, and if you disable Automatic Site Coverage and a Site is without a DC for some time, Clients may experience longer logon times, and they might fall back on a DC which is in a site which goes over multiple WAN links.

I'd say best practice is to keep the Automatic Site Coverage active, and check once in a while if there are wrong registrations, which you may delete if the DCs of that Site are back online. They will also dissolve if you enable aging and scavenging.

Also what some customers are doing is the following: Assuming a star-shaped network topology with a Hub-Site where each Branch connects to, they are configuring the DCs of the Hub-Site to register their SRV-Records at the Branch Sites with a lower Priority than default; therefore the Branch-Office Clients will use the Branch-Office DC as long as it's available but fall back to the Hub DCs when the BO-DC is not available.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Wednesday, 24 January 2007 11:19
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] Question about DNS SRV registration.

Hello Ulf,

Thanks so much for such explanations! That rocks!
2 interesting points you pointed to me

So if I understand, it is good practice, in my case, to disable automatic site coverage?

After checking our production, Automatic site coverage is effectively set to disable (set on default domain controller policy). So it seems that DCa is still advertising himself as DC in site B. I will look why the process does not work in our case... :(

We did not configure automatic aging/scavenging, I will look also into this option.

Thanks again,
Yann

Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

Hello Yann,

this is usual and happens because Site B was configured in Active Directory before DC B was there and assigned to that site. Automatic Site Coverage is the process which is taking care of this effect. What it does is make sure that every site in Active Directory has DCs. If a DC detects a site which has no DCs assigned to it, it will try to figure out if he's a close DC (not crossing multiple site-links) and assign himself to that site.

So since Site B was configured and DC A was the only DC in your environment, DC A decided to advertise himself as DC in Site B. However, since DC B exists now, DC A will not refresh those records, and if you have aging and scavenging configured the old records of DC A in Site B will vanish. You can also delete those records if you wish: as long as the records of DC B are registered in Site B you can delete the records of DC A in Site B, however make sure that you are only deleting the SRV-Records underneath the DNS-Subdomains of the Site-specific Records in the Site B DNS-Domains (they look like folders in the DNS Management Console).

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http
RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone
Hello nme,

quite easy - create a new host with the name test.1 in your domain's zone and it'll be created under the same folder.

Those folders you see underneath the zone (and zones are all on the top level, right after Forward Lookup Zones and Reverse Lookup Zones) do not really exist; in DNS only the records exist within a zone, and the DNS management console makes those folders up to navigate easily. The folders are displayed with every segment distinguished by a "." (dot/point). So for example there's a record

_ldap._tcp.Default-First-Site-Name._sites.example.com IN SRV yadda-yadda

which is displayed in dnsmgmt.msc underneath

Example.com
|
+- _sites
   |
   +- Default-First-Site-Name
      |
      +- _tcp

However, if you look in the Active Directory container which holds the zone (or in the file if DNS is not AD-integrated) you will see neither subcontainers nor objects with the names _tcp... or Default-First-Site-Name... or _sites... - they are just made up because there's a single record (or multiple records) which have those names between dots.

So in your case - if the record was created manually, you might just recreate it without a .1 at the end (test this and verify the printer's name); if it was registered automatically you need to change the name of the printer.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of EIS Lists
Sent: Wednesday, 24 January 2007 20:15
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

Hi - Under one of our forward lookup zones (AD-integrated), we have the usual folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well as a single folder just named: "1" (without the quotes). There is a single A-record under it for one of our printers. Any idea what this folder is? Thanks.

-- nme
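To make Ulf's point concrete, here is an added example (editor-supplied, not code from the thread) that rebuilds the "folder" view the DNS console shows from nothing but the owner names of the records in a zone; the zone contents are constructed, and the mis-named printer record shows how a folder "1" appears without anyone creating it.

```python
"""Rebuild the folder tree dnsmgmt.msc shows for a zone from its record names.

Added example, not from the original thread. The console stores no folders:
it splits each owner name below the zone apex on '.' and shows every label
except the last as a folder, the last label being the record's display name.
An owner such as 'printer01.1.example.com' therefore yields a folder '1'.
The records below are constructed samples, not a real zone.
"""
from typing import Dict, List, Tuple

ZONE = "example.com"
# Constructed zone contents: (owner name, record type, record data).
RECORDS: List[Tuple[str, str, str]] = [
    ("example.com", "SOA", "dc1.example.com hostmaster.example.com ..."),
    ("example.com", "NS", "dc1.example.com"),
    ("dc1.example.com", "A", "10.0.0.10"),
    ("_ldap._tcp.Default-First-Site-Name._sites.example.com", "SRV",
     "0 100 389 dc1.example.com"),
    ("_ldap._tcp.dc._msdcs.example.com", "SRV", "0 100 389 dc1.example.com"),
    ("printer01.1.example.com", "A", "10.0.0.55"),   # host name ending in '.1'
]


def relative_labels(owner: str, zone: str) -> List[str]:
    """Labels of `owner` below the zone apex, outermost first (apex -> [])."""
    owner = owner.rstrip(".")
    zone = zone.rstrip(".")
    if owner.lower() == zone.lower():
        return []
    suffix = "." + zone
    if not owner.lower().endswith(suffix.lower()):
        raise ValueError(f"{owner} is not in zone {zone}")
    # 'a.b.example.com' -> ['a', 'b'] -> reversed to ['b', 'a']
    return owner[: -len(suffix)].split(".")[::-1]


def build_tree(records: List[Tuple[str, str, str]], zone: str) -> Dict:
    """Nested dict of folders; each node keeps its records under '@records'."""
    root: Dict = {"@records": []}
    for owner, rtype, data in records:
        labels = relative_labels(owner, zone)
        node = root
        for label in labels[:-1]:              # intermediate labels = folders
            node = node.setdefault(label, {"@records": []})
        # The console shows apex (and folder-level) records with this caption.
        name = labels[-1] if labels else "(same as parent folder)"
        node["@records"].append((name, rtype, data))
    return root


def folders(tree: Dict) -> List[str]:
    """Folder names the console lists directly under this node, sorted."""
    return sorted(key for key in tree if key != "@records")


def render(tree: Dict, indent: int = 0) -> List[str]:
    """Text rendering of the tree, folders in brackets."""
    lines = []
    for name, rtype, data in tree["@records"]:
        lines.append(" " * indent + f"{name}  {rtype}  {data}")
    for folder in folders(tree):
        lines.append(" " * indent + f"[{folder}]")
        lines.extend(render(tree[folder], indent + 2))
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_tree(RECORDS, ZONE))))
```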
RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone
No Zone – no properties ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 24 January 2007 20:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

What are the properties of the "1" zone?

On 1/24/07, EIS Lists [EMAIL PROTECTED] wrote:

Hi - Under one of our forward lookup zones (AD-integrated), we have the usual folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well as a single folder just named: "1" (without the quotes). There is a single A-record under it for one of our printers. Any idea what this folder is? Thanks.

-- nme
RE: [ActiveDir] ftp access
Did you try to change the local Group Policy of the IIS machine not to prompt the user to change the password before it expires? Maybe it's somehow connected with this mechanism. The GPO setting is underneath Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options and is named "Interactive logon: Prompt user to change password before expiration". Just a guess.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Monday, 22 January 2007 23:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ftp access

I've set up ftp access to users' network drives so they have access to them remotely. I recently noticed something very peculiar. Their ftp access stops working when they start getting warnings that their password is going to expire. I don't know if this is just a coincidence, but once they change their password it starts working again. If anyone knows anything about this, I would appreciate any advice.

Antonio Aranda
Network Analyst
UT-Permian Basin
432-552-2413
RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone
Just 9:30 pm here, so not really late. Many are mixing up the zones with the “DNS-Subdomains” or whatever they are actually called. But in this case he even had it right, he said that under the domain zone he has the “_*”-folders as well as a folder “1”. I had to reread too ;-)

How are things? See you in March?

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 24 January 2007 21:17
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

That's what I would expect. But since the original poster called it a zone I figured I'd ask. What are you doing up so late? :)

On 1/24/07, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

No Zone – no properties ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 24 January 2007 20:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

What are the properties of the "1" zone?

On 1/24/07, EIS Lists [EMAIL PROTECTED] wrote:

Hi - Under one of our forward lookup zones (AD-integrated), we have the usual folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well as a single folder just named: "1" (without the quotes). There is a single A-record under it for one of our printers. Any idea what this folder is? Thanks.

-- nme
RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone
You're welcome!

Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of EIS Lists
Sent: Wednesday, 24 January 2007 22:29
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

Thanks, all. Ulf, your explanation was great! I am sure it was someone (probably me!) who just typed a .1 in some setting on the printer and allowed it to register in DNS. Many thanks.

-- nme
Noah Eiger

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Wednesday, January 24, 2007 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

Just 9:30 pm here, so not really late. Many are mixing up the zones with the "DNS-Subdomains" or whatever they are actually called. But in this case he even had it right, he said that under the domain zone he has the "_*"-folders as well as a folder "1". I had to reread too ;-)

How are things? See you in March?

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 24 January 2007 21:17
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

That's what I would expect. But since the original poster called it a zone I figured I'd ask. What are you doing up so late? :)

On 1/24/07, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

No Zone - no properties ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 24 January 2007 20:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

What are the properties of the "1" zone?

On 1/24/07, EIS Lists [EMAIL PROTECTED] wrote:

Hi - Under one of our forward lookup zones (AD-integrated), we have the usual folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well as a single folder just named: "1" (without the quotes). There is a single A-record under it for one of our printers. Any idea what this folder is? Thanks.

-- nme
RE: [ActiveDir] Question about DNS SRV registration.
Hello Yann,

this is usual and happens because Site B was configured in Active Directory before DC B was there and assigned to that site. Automatic Site Coverage is the process which is taking care of this effect. What it does, is making sure that every site in Active Directory has DCs. If a DC detects a site which has no DCs assigned to it, it will try to figure out if he's a close DC (not crossing multiple site-links) and assigning himself to that site.

So since Site B was configured and DC A was the only DC in your environment, DC A decided to advertise himself as DC in Site B. However since DC B exists now, DC A will not refresh those records, and if you have aging and scavenging configured the old records of DC A in Site B will vanish. You can also delete those records if you wish, as long as the records of DC B are registered in Site B you can delete the records of DC A in Site B, however make sure that you are only deleting the SRV-Records underneath the DNS-Subdomains of the Site-specific Records in the Site B-DNS-Domains (looks like folders in the DNS Management console).

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Tuesday, 23 January 2007 22:28
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question about DNS SRV registration.

Hello all and happy new year :-),

Say:
- Site A with DCa that is also dns (integrated to AD).
- Site B that is a new site. My goal: dcpromo a new DC (DCb) in site B. DCb will be also dns (integrated to AD).
- DCa DCb belong to the same domain (domain.local). My AD is w2k3 FFL mode.

In order to add the new DCb in the existing domain.com, DCb is dns client to DCa. When dcpromo is finished, I configured:
- DCb as dns client for himself
- DCa as secondary dns server for DCb.

Everything looks good .. BUT: When clients in site B ask for all DCs in site B (with netlogon process), DCb returns DCb and DCa! A nslookup set type=srv _ldap._tcp.siteB._sites.domain.local shows the 2 DCs:
- DCa.domain.local
- DCb.domain.local

When I search in dns console, I found that DCa still present in site B, I think, this is due to the fact that DCb's nic allow dynamic update and thus dynamically records DCa srv records. The only way I found to avoid DCb returning DCa to clients in site B is to delete srv records for DCa in dns (site B).

Question: What is the best practice to avoid DCb to return DCa to clients and where in the process I'm wrong?

Thanks,
Yann
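The check Ulf describes, done as a script instead of by hand: list the site-specific SRV records, keep only those for sites that already have a DC of their own, and flag the entries whose target DC is assigned to a different site. This is an added example, not code from the thread; the record set, the DC-to-site assignment and the name `stale_site_records` are constructed here to model Yann's DCa/DCb situation. Domain-wide records under `_tcp.<domain>` are never touched, because both DCs legitimately belong there, and records for a site that has no DC of its own are left alone because they are the product of Automatic Site Coverage and still needed.

```python
"""Stale site-specific SRV record check (constructed example, not from the
ActiveDir thread). Models the case from the list: DCa once covered Site B
through Automatic Site Coverage, DCb now lives in Site B, and DCa's old
site-specific SRV records linger until aging/scavenging removes them."""

from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name target priority weight port")

# Constructed sample: roughly what the site-specific and domain-wide SRV
# records look like after DCb has been promoted into siteB.
SAMPLE_RECORDS = [
    SrvRecord("_ldap._tcp.siteB._sites.domain.local", "dca.domain.local", 0, 100, 389),
    SrvRecord("_ldap._tcp.siteB._sites.domain.local", "dcb.domain.local", 0, 100, 389),
    SrvRecord("_kerberos._tcp.siteB._sites.domain.local", "dca.domain.local", 0, 100, 88),
    SrvRecord("_kerberos._tcp.siteB._sites.domain.local", "dcb.domain.local", 0, 100, 88),
    SrvRecord("_ldap._tcp.siteA._sites.domain.local", "dca.domain.local", 0, 100, 389),
    # domain-wide (non site-specific) records: both DCs legitimately appear here
    SrvRecord("_ldap._tcp.domain.local", "dca.domain.local", 0, 100, 389),
    SrvRecord("_ldap._tcp.domain.local", "dcb.domain.local", 0, 100, 389),
]

# Constructed: which AD site each DC is assigned to (from AD Sites and Services).
SITE_OF_DC = {"dca.domain.local": "siteA", "dcb.domain.local": "siteB"}


def site_of_record(name, domain):
    """Return the site name for a site-specific SRV record, or None for a
    domain-wide record. Site-specific names look like
    _svc._tcp.<site>._sites.<domain>."""
    suffix = "._sites." + domain
    if not name.endswith(suffix):
        return None
    head = name[: -len(suffix)]      # e.g. "_ldap._tcp.siteB"
    return head.rsplit(".", 1)[-1]   # "siteB"


def stale_site_records(records, site_of_dc, domain):
    """Site-specific SRV records whose target DC is not assigned to that site,
    reported only for sites that already have records from one of their own
    DCs. Sites without a DC of their own keep their coverage records."""
    covered_by_own_dc = set()
    for r in records:
        site = site_of_record(r.name, domain)
        if site and site_of_dc.get(r.target) == site:
            covered_by_own_dc.add(site)

    stale = []
    for r in records:
        site = site_of_record(r.name, domain)
        if site is None:
            continue  # domain-wide record: never a candidate for deletion
        if site in covered_by_own_dc and site_of_dc.get(r.target) != site:
            stale.append(r)
    return stale


if __name__ == "__main__":
    for rec in stale_site_records(SAMPLE_RECORDS, SITE_OF_DC, "domain.local"):
        print("stale:", rec.name, "->", rec.target)
```

Run against the constructed sample it reports exactly DCa's two entries under siteB; the siteA record for DCa and the domain-wide records are left untouched, which is the boundary Ulf warns about when deleting by hand.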
RE: [ActiveDir] Quest Recovery Manager
Hi Neil and Joe,

what I meant is that I'd evaluate a price-tag of third-party software against waiting for the next release and deploying the first machine (if something would be fixed / easier with a single installation of the next OS). So:

1. Get the price for the 3rd Party Product
2. Evaluate if you'd use it with the next version
3. Evaluate how many machines you'd have to deploy to get the feature
4. Judge how long it'll take you until the next version is RTM + you are ready to roll out #3's amount of machines
5. Compare if you are willing to invest #1 amount of money to get the feature before #4

So if a 3rd Party Vendor is telling me that the time is right to get their product, I'd still evaluate upper factors before making a decision. If it's a special offer right now it might affect the math ;-)

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 11 December 2006 09:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

I disagree with your disagreement :) How long do you wait? Do you wait until Intel releases a new chip too? What about the version after Longhorn?? There are always new technologies on the horizon - my company needs solutions to its problems now, based upon the technology it uses today. When assessing solutions, I look at the relevant roadmaps and how future proof that solution might be as well as the solution provider's track record in the space studied - but the major decision points always rest with its suitability to the present situation.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 10 December 2006 12:06
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

I do disagree since we might have other wishes, issues, possibilities with Longhorn, so I'd wait when spending a lot of money.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
Sent: Thursday, 7 December 2006 00:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

It is an excellent time to purchase Quest software. (In my opinion, my views do not represent my employer :) :))

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, December 06, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

Yeah. Sit down with your team and figure out what it is you need - must have, would like to have, and nice to have. Then, tell all the vendors you want a little webinar (they love these), and then compare your notes after each/all of them again. Rule out any ones now that don't do the trick. Then go get ready to have it shoved way up your ass when they give you the pricing. Then you can suggest (if they haven't already) that they come discuss it in further and plan on a lunch/dinner or two on their dime while you further discuss how expensive their stuff is and what they can do for you to make it more attractive.

The Quest guys told me the other day they had a lot of leeway on some pricing for one of my clients so I'm wondering if this is the end of the year for the salesmen and they need to make their year this month (if so this is an excellent time to buy Quest software).

Now that said, I've worked in a few large shops, and we haven't had any of this frilly fancy shit. It's expensive, I hate the per head/per seat/per whatever pricing, and frankly all I think it does is idiot proof what's already there. Rather than having something do it for you, why don't you learn how it does it, because then you'll be smarter, and you can go get a new better job with your new found talents.

That said there is some cool shit from Quest and NetIQ and those guys - I'm into the change control/management stuff in shops where there are too many cooks in the kitchen. Quest's migration stuff is of course great if you can afford it.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto
RE: [ActiveDir] release date for W2K3/SP2?
I can't remember exactly, but I think I've heard a Q1 at one of the conferences last year. IIRC.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, 19 January 2007 22:17
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] release date for W2K3/SP2?

Has anyone heard of a release date for Windows Server 2003/SP2? Thanks.

Mike Thommes
RE: [ActiveDir] AdminSDHolder orphans
Hi Tony,

late response as well - sorry.

I guess why this isn't cleaned up is the same thing as in many other issues. If you have an admin which is in certain operators groups, and he's losing those groups, it's likely that he has been delegated in some other ways. So not reversing the settings the account is still protected from malicious delegated admins and someone with higher privileges has to look at this account and take care of it (e.g. looking if it's still in the right OU).

On the other hand - and as the others mentioned - this task of cleaning up should not run as often. And you'll either need to store the previous permissions (we don't have an attribute for this right now), or reset to some default permissions (we don't have a container to store them right now), or force the reset of the inheritance and propagate parent permissions down. Also how would we decide to reset the inheritance flag automatically - there might be accounts in the OU which have on purpose the inheritance flag turned off - so is a prior admin supposed to have inheritance turned on or off in those OUs? I don't think the task of resetting the inheritance flag would be complicated, but it's complicated to generalize that it should be reset in any case.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, 19 December 2006 02:32
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AdminSDHolder orphans

Just wanted to get your opinion on something.

When an object becomes a member of one of the groups protected by the AdminSDHolder, the next run of the SDProp thread will:
- Replace the object's security descriptor with that of the AdminSDHolder;
- Disable permissions inheritance on the object;
- Set a new adminCount attribute with a value 0 on the object.

If the object is then removed from the protected group(s), the changes made by the AdminSDHolder are not reversed. In other words, the adminCount value remains the same, as does the security descriptor. Is it just me or does anyone think this behaviour a little strange?

What I am finding in many environments is a large number of these AdminSDHolder orphans. These can arise quite easily, e.g. an account is made a temporary member of a privileged group to perform a specific task or someone changes role within the organisation. Of course I realise that in a perfect world these scenarios would be minimised by the use of dual accounts for splitting standard vs. admin functions, but the reality is that it is all too common.

The AdminSDHolder orphans can cause problems when troubleshooting delegation issues. For example, I came across this issue recently when setting up permissions for GAL Sync using IIFP. I had to tidy up before the sync would complete without errors.

Does anyone run a regular cleanup using the script provided in this article (or similar)? http://support.microsoft.com/kb/817433

Do you think the AdminSDHolder behaviour should be changed to clean-up after itself?

Tony

Sent via the WebMail system at mail.activedir.org
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] AdminSDHolder orphans
I think you make a great point here. Actually I'd prefer something like this in the Eventlog:

Event xxx: AdminSDHolder has detected that the following account does not belong to any administrative groups anymore. Administrative Action is required to set security on this object as intended. Please set the attribute admincount to 0 after justifying the security-settings on this account.

You know - the same thing as we get when we didn't backup for a while, when clients log on whose IP doesn't belong to any AD-Subnets, ... one of those maintenance events ;-)

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, 22 January 2007 01:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AdminSDHolder orphans

Hi Ulf

Thanks for the thoughts. I can see there could be issues with trying to revert settings after an object is removed from one of the protected groups. I'm now leaning towards the idea of reporting, rather than taking wholesale action. It would be good to have a canned report that shows all of the objects currently protected by the AdminSDHolder, compared with all those that have an adminCount value of 1 (or higher). An administrator could then make the decision to enable permissions inheritance on a case-by-case basis for objects listed in the second category but not the first.

Sounds like a feature Joe should add to one of his many freeware tools. The behaviour would be similar to OldCMP. ;-)

Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Monday, 22 January 2007 11:32 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AdminSDHolder orphans

Hi Tony,

late response as well - sorry.

I guess why this isn't cleaned up is the same thing as in many other issues. If you have an admin which is in certain operators groups, and he's losing those groups, it's likely that he has been delegated in some other ways. So not reversing the settings the account is still protected from malicious delegated admins and someone with higher privileges has to look at this account and take care of it (e.g. looking if it's still in the right OU).

On the other hand - and as the others mentioned - this task of cleaning up should not run as often. And you'll either need to store the previous permissions (we don't have an attribute for this right now), or reset to some default permissions (we don't have a container to store them right now), or force the reset of the inheritance and propagate parent permissions down. Also how would we decide to reset the inheritance flag automatically - there might be accounts in the OU which have on purpose the inheritance flag turned off - so is a prior admin supposed to have inheritance turned on or off in those OUs? I don't think the task of resetting the inheritance flag would be complicated, but it's complicated to generalize that it should be reset in any case.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, 19 December 2006 02:32
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AdminSDHolder orphans

Just wanted to get your opinion on something.

When an object becomes a member of one of the groups protected by the AdminSDHolder, the next run of the SDProp thread will:
- Replace the object's security descriptor with that of the AdminSDHolder;
- Disable permissions inheritance on the object;
- Set a new adminCount attribute with a value 0 on the object.

If the object is then removed from the protected group(s), the changes made by the AdminSDHolder are not reversed. In other words, the adminCount value remains the same, as does the security descriptor. Is it just me or does anyone think this behaviour a little strange?

What I am finding in many environments is a large number of these AdminSDHolder orphans. These can arise quite easily, e.g. an account is made a temporary member of a privileged group to perform a specific task or someone changes role within the organisation. Of course I realise that in a perfect world these scenarios would be minimised by the use of dual accounts for splitting standard vs. admin functions, but the reality is that it is all too common.

The AdminSDHolder orphans can cause problems when troubleshooting delegation issues. For example, I came across this issue recently when setting up permissions for GAL Sync using IIFP. I
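The report Tony asks for in this thread (and the condition Ulf's proposed maintenance event would fire on), as an added example that is not code from the list or from any of Joe's tools: take the transitive membership of the protected groups, take every account carrying `adminCount` of 1 or higher, and list the accounts in the second set but not the first. The directory snapshot, the account names and the helper names are constructed; the protected-group list is the commonly cited default set and in a real forest depends on OS version, so it is passed in as a parameter. Nested groups and membership cycles are handled, because a report that only looks at direct members would wrongly flag every admin who is protected through a nested group.

```python
"""AdminSDHolder orphan report (constructed example, not from the ActiveDir
thread). Reports accounts that still carry adminCount >= 1 but are no longer
members, directly or through nested groups, of any protected group."""

# Constructed directory snapshot: group -> members (users or other groups).
SAMPLE_GROUPS = {
    "Domain Admins":     ["alice", "Tier0 Ops"],
    "Tier0 Ops":         ["bob", "Domain Admins"],   # nested, and a cycle back
    "Account Operators": ["carol"],
    "Helpdesk":          ["dave", "erin"],           # not a protected group
}

# Constructed: adminCount per account; accounts without the attribute are absent.
SAMPLE_ADMINCOUNT = {"alice": 1, "bob": 1, "carol": 1, "dave": 1, "frank": 1}

# Commonly cited default protected groups; the real list depends on the OS
# version and on which operator groups SDProp protects in a given forest.
PROTECTED_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Account Operators", "Server Operators", "Backup Operators", "Print Operators",
}


def expand_members(group, groups, seen=None):
    """Transitive membership of one group. Nested groups are expanded and a
    'seen' set stops infinite recursion on membership cycles."""
    if seen is None:
        seen = set()
    members = set()
    for m in groups.get(group, []):
        if m in groups:                 # nested group
            if m not in seen:
                seen.add(m)
                members |= expand_members(m, groups, seen)
        else:                           # leaf account
            members.add(m)
    return members


def protected_accounts(groups, protected=PROTECTED_GROUPS):
    """Every account currently protected through some protected group."""
    accounts = set()
    for g in protected:
        accounts |= expand_members(g, groups)
    return accounts


def adminsdholder_orphans(groups, admincount, protected=PROTECTED_GROUPS):
    """Accounts with adminCount >= 1 that are in no protected group any more.
    These are the candidates for a manual review of their security descriptor
    and inheritance flag; the function reports, it changes nothing."""
    flagged = {acct for acct, count in admincount.items() if count >= 1}
    return sorted(flagged - protected_accounts(groups, protected))


if __name__ == "__main__":
    for acct in adminsdholder_orphans(SAMPLE_GROUPS, SAMPLE_ADMINCOUNT):
        print("review adminCount / inheritance on:", acct)
```

On the constructed snapshot alice, bob (via the nested Tier0 Ops group) and carol are still protected, so only dave and frank are reported. Against a real domain the two inputs would come from the group membership and an `adminCount>=1` LDAP query, and the output is the review list Tony describes, not an automatic reset.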
RE: [ActiveDir] AD Schema Extensions and Exchange System Manager
Exactly. You need to configure MapiIDs, however there is no supported way to change the MapiID and (as opposed to LinkIds) there's no procedure to reserve a MapiID for your internal use. Very old documentation shows a range marked as private, but I couldn't get any authoritative message from MS that this is respected.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Waters, MW (Mike)
Sent: Monday, 18 December 2006 11:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema Extensions and Exchange System Manager

Thanks very much for the pointer ... a quick Google then got me a little further. I now know how to do it, but not supported by Microsoft is what I'm hearing. So pause for thought ...

Thanks again
Mike Waters

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 17 December 2006 01:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema Extensions and Exchange System Manager

I am not positive on this, but I think you need to look at mAPIIDs.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Waters, MW (Mike)
Sent: Tuesday, December 05, 2006 5:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Schema Extensions and Exchange System Manager

Excellent mail list ... keep up the good work! But can anyone help me ..

For various reasons we have extended the schema in our Active Directory (test only at present) to add further local attributes to users. All is working well until I attempt to make use of the data in these extra attributes within Exchange System Manager (ESM). Specifically, I would like to extend the user template visible from Outlook Address Book to display information contained in the schema extensions. Unfortunately, the ESM only allows a handful of attributes to be picked for display and none of them our extensions.

Anyone know how to coerce ESM to allow other user attributes to be chosen?

Regards
Mike Waters
RE: [ActiveDir] Delegate VPN rights
Correct - however certain things in this tab do update the userParameters attribute. This attribute does not hold clear data. So depending on the attributes and their requirements you'll have to use other things than LDP/ADSIEdit or generic scripting without using the supported interfaces.

Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Friday, 1 December 2006 01:26
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate VPN rights

Keep in mind that this is only via the ADUC UI - since you have already delegated this to the user you can use ldp\script etc.. to set the msNPAllowDialin == true. It should reflect properly in ADUC when you next view that user..

spat

----- Original Message -----
From: Ulf B. Simon-Weidner mailto:[EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, November 30, 2006 2:18 PM
Subject: RE: [ActiveDir] Delegate VPN rights

Hi Ben,

the entire Dial-In Tab doesn't allow granular delegation - you need to delegate everything which is on the tab since it's writing back all attributes on the Tab no matter what. If you feel this is wrong open up a case with PSS and line up in the row of customers which want this changed. I've had a Critical Design Change Request with an Insurance Group about this, however it was not requested by other customers at this time and therefore not changed for a single customer.

Some info I've written once about this issue: http://www.windowsserverfaq.de/faq/DialInTab.asp

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Thursday, 30 November 2006 18:35
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate VPN rights

I'm attempting to delegate out the permissions to adjust the Remote Access Permissions under the Dial-In tab in Active Directory for user accounts. When performing an LDAP query, I notice that changes to this setting are recorded in the msNPAllowDialin attribute. Set to False when Deny Access is set, True when Allow Access is set, and not set when Control Access through Remote Access Policy is set.

However when I attempt to delegate out the rights to a security group so they can modify this, it is not listed as a selectable property. Am I missing something here? Should I be looking for a different property to delegate out this right?

Thanks,
~Ben Watson
RE: [ActiveDir] Delegate VPN rights
Hi Ben,

the entire Dial-In Tab doesn't allow granular delegation - you need to delegate everything which is on the tab since it's writing back all attributes on the Tab no matter what. If you feel this is wrong open up a case with PSS and line up in the row of customers which want this changed. I've had a Critical Design Change Request with an Insurance Group about this, however it was not requested by other customers at this time and therefore not changed for a single customer.

Some info I've written once about this issue: http://www.windowsserverfaq.de/faq/DialInTab.asp

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Thursday, 30 November 2006 18:35
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate VPN rights

I'm attempting to delegate out the permissions to adjust the Remote Access Permissions under the Dial-In tab in Active Directory for user accounts. When performing an LDAP query, I notice that changes to this setting are recorded in the msNPAllowDialin attribute. Set to False when Deny Access is set, True when Allow Access is set, and not set when Control Access through Remote Access Policy is set.

However when I attempt to delegate out the rights to a security group so they can modify this, it is not listed as a selectable property. Am I missing something here? Should I be looking for a different property to delegate out this right?

Thanks,
~Ben Watson
RE: [ActiveDir] ldp in ADAM-SP1
Just stepped across this - thanks for fixing it!

Ulf

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Friday, 4 August 2006 09:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1

Hi Dmitri,

And DSAcls still does not display a computer account's ACL if someone was being delegated permission to join a computer to this account using ADUC: http://www.windowsserverfaq.org/faq/CompACLs.asp

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dmitri Gavrilov
Sent: Thursday, July 27, 2006 7:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1

Guido, which changes do you want to see in dsacls in B3?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, July 25, 2006 6:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1

well, for Win2000 and Win2003 AD that tool is DSACLS for 95% of what you should need to do. You've already tripped over some of its limitations especially around handling the confidential bit - however, I have not seen many customers that actually leverage the confidential bit yet for anything else but OS features (for example for PKI credential roaming). It would be nice to leverage it for many more lockdown scenarios, but you can't use it for the base schema attributes (category 1), which includes almost all of the interesting attributes you may want to restrict access to. Of course you can use it for your own schema extensions.

For file-system ACLing that tool is CACLS or XCACLS - probably for 99% of what you need to do. Note for the FS you may also want to check out the betas of either Windows Longhorn or the current Windows 2003 SP2 - they include a new commandline ACLing tool called Icacls.exe, which can be used to reset the account control lists (ACL) on files from Recovery Console, and to back up ACLs. It can also handle replacement of ACLs (much like subinacl) and works well with either names or SIDs. At last, unlike Cacls.exe, Icacls.exe preserves canonical ordering of ACEs and thus correctly propagates changes to and creation of inherited ACLs.

DSACLs has only been updated slightly in LH, but I hope to see some more changes prior to beta 3.

At last, depending on your requirements, you may also need to look into changing the default security descriptor of some of the objects (for example, check out all the default write permissions, which every user is granted on its own object via the SELF security principal; many companies are still unaware of this). You can check these rights most easily via the schema mgmt mmc (check properties of a class object, such as user and click on the Default Security tab).

So it's fair to say that although handling ACLs remains to be a complex topic, you can get most of the things done with existing commandline tools from MSFT. Sometimes it will simply be more appropriate to use the UI for a few settings. And there is always the option to script setting ACLs if you really have special requirements.

As for your delegation model - I would not have the goal to teach your delegated admins how to do ACLing inside AD. I'm fine with a delegated admin doing the security on a file-server that he completely manages on his own. But AD security should be kept in the hand of domain and enterprise admins (partly because it is rather complex and you only want few folks to fiddle around with it, partly because it is plain risky to do it otherwise).

The critical piece for most delegation models to succeed is to build a centrally controlled OU structure (ideally standardized for your different delegated admin units as I like to call them) and not to grant your data admin (= the delegated admins) any rights to create OUs themselves (otherwise - with the current ACLing model - you can't prevent them to configure the security of the OU). Basically the same is true for any objects they create, but it's the OUs that allow you to manage the security for multiple child objects at once (and thus these need to be controlled centrally).

Many more things to share in this respect, but no delegation model is the same as any other so you're best to understand and plan it from the ground up. There may be similarities between many models, but for the various infrastructures I've planned, every customer has had their special requirements.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, July 25, 2006 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

Wow, thank you
RE: [ActiveDir] ldp in ADAM-SP1
Hi Dmitri,

And DSAcls still does not display a computer account's ACL if someone was delegated permission to join a computer to this account using ADUC: http://www.windowsserverfaq.org/faq/CompACLs.asp

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dmitri Gavrilov
Sent: Thursday, July 27, 2006 7:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1

Guido, which changes do you want to see in dsacls in B3?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, July 25, 2006 6:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1

well, for Win2000 and Win2003 AD that tool is DSACLS for 95% of what you should need to do. You've already tripped over some of its limitations, especially around handling the confidential bit - however, I have not seen many customers that actually leverage the confidential bit yet for anything else but OS features (for example for PKI credential roaming). It would be nice to leverage it for many more lockdown scenarios, but you can't use it for the base schema attributes (category 1), which includes almost all of the interesting attributes you may want to restrict access to. Of course you can use it for your own schema extensions.

For file-system ACLing that tool is CACLS or XCACLS - probably for 99% of what you need to do. Note for the FS you may also want to check out the betas of either Windows Longhorn or the current Windows 2003 SP2 - they include a new commandline ACLing tool called Icacls.exe, which can be used to reset the access control lists (ACL) on files from Recovery Console, and to back up ACLs. It can also handle replacement of ACLs (much like subinacl) and works well with either names or SIDs. At last, unlike Cacls.exe, Icacls.exe preserves canonical ordering of ACEs and thus correctly propagates changes to and creation of inherited ACLs.

DSACLs has only been updated slightly in LH, but I hope to see some more changes prior to beta 3.

At last, depending on your requirements, you may also need to look into changing the default security descriptor of some of the objects (for example, check out all the default write permissions, which every user is granted on its own object via the SELF security principal; many companies are still unaware of this). You can check these rights most easily via the schema mgmt mmc (check properties of a class object, such as user, and click on the Default Security tab).

So it's fair to say that although handling ACLs remains a complex topic, you can get most of the things done with existing commandline tools from MSFT. Sometimes it will simply be more appropriate to use the UI for a few settings. And there is always the option to script setting ACLs if you really have special requirements.

As for your delegation model - I would not have the goal to teach your delegated admins how to do ACLing inside AD. I'm fine with a delegated admin doing the security on a file-server that he completely manages on his own. But AD security should be kept in the hands of domain and enterprise admins (partly because it is rather complex and you only want few folks to fiddle around with it, partly because it is plain risky to do it otherwise). The critical piece for most delegation models to succeed is to build a centrally controlled OU structure (ideally standardized for your different "delegated admin units", as I like to call them) and not to grant your data admins (= the delegated admins) any rights to create OUs themselves (otherwise - with the current ACLing model - you can't prevent them from configuring the security of the OU). Basically the same is true for any objects they create, but it's the OUs that allow you to manage the security for multiple child objects at once (and thus these need to be controlled centrally).

Many more things to share in this respect, but no delegation model is the same as any other, so you're best to understand and plan it from the ground up. There may be similarities between many models, but for the various infrastructures I've planned, every customer has had their special requirements.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, July 25, 2006 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

Wow, thank you so much for the detailed info guys. Basically my goal is quite simple. At least it is in my head. What I want to do, is to go through the entire case study given in the AD delegation whitepaper, and do all of that permissions configuration entirely at command line (where
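Guido's point about the default security descriptor of the user class (the write permissions every user gets on its own object through SELF) can be audited without clicking through the Schema MMC: the schema's defaultSecurityDescriptor attribute is an SDDL string, and the ACEs that name the trustee alias PS (SELF) are the ones to review. The following Python is an added example for this list archive, not a tool from the thread or from Microsoft; the SDDL string in it is a constructed sample that merely resembles a user-class default, and the object GUIDs in it are placeholders rather than real property-set identifiers.

```python
"""Audit an SDDL default security descriptor for rights granted to SELF.

Added example (not from the ActiveDir thread). It parses the SDDL string
format used by the schema's defaultSecurityDescriptor attribute and lists
the DACL entries that grant the SELF principal (SDDL alias "PS") any
write-type right. SAMPLE_SDDL is a constructed sample; the GUIDs in it are
placeholders, not real Active Directory property-set GUIDs.
"""
import re
from dataclasses import dataclass

# Constructed sample resembling a user-class default security descriptor.
SAMPLE_SDDL = (
    "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPLCLORC;;;AU)"
    "(OA;;RPWP;00000000-0000-0000-0000-000000000001;;PS)"  # placeholder GUID
    "(OA;;WP;00000000-0000-0000-0000-000000000002;;PS)"    # placeholder GUID
    "(OA;;CR;00000000-0000-0000-0000-000000000003;;PS)"    # placeholder GUID
    "(A;;RC;;;PS)"
)

# Two-letter SDDL rights tokens that let a trustee change something.
WRITE_RIGHTS = {
    "WP": "write property", "SW": "validated write", "CR": "control access",
    "CC": "create child", "DC": "delete child", "SD": "delete", "DT": "delete tree",
    "WD": "write DAC", "WO": "write owner", "GW": "generic write", "GA": "generic all",
}


@dataclass
class Ace:
    ace_type: str      # A = allow, OA = object allow, D = deny, ...
    flags: str
    rights: list
    object_guid: str   # attribute / property set / extended right the ACE applies to
    inherit_guid: str
    trustee: str       # SDDL alias (PS, DA, AU, ...) or a raw SID string


def split_rights(rights):
    """SDDL rights are either a hex mask (0x...) or concatenated 2-letter tokens."""
    if rights.startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_dacl(sddl):
    """Return the ACEs of the D: (DACL) part of an SDDL string, in order."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"unexpected ACE field count: {body}")
        ace_type, flags, rights, og, ig, trustee = fields
        aces.append(Ace(ace_type, flags, split_rights(rights), og, ig, trustee))
    return aces


def self_write_aces(sddl):
    """ACEs that allow SELF (PS) any write-type right; these are the ones that
    let a user modify its own object and are worth reviewing per attribute."""
    hits = []
    for ace in parse_dacl(sddl):
        if ace.trustee != "PS" or ace.ace_type not in ("A", "OA"):
            continue
        if any(r in WRITE_RIGHTS for r in ace.rights):
            hits.append(ace)
    return hits


def describe(ace):
    """Human-readable one-liner for a report."""
    names = [WRITE_RIGHTS.get(r, r) for r in ace.rights]
    scope = ace.object_guid or "whole object"
    return f"{ace.trustee}: {', '.join(names)} on {scope}"


if __name__ == "__main__":
    for ace in self_write_aces(SAMPLE_SDDL):
        print(describe(ace))
```

Against a real forest the SDDL would come from the schema object for the class in question (the Default Security tab Guido mentions shows the same data); a denied or absent GUID mapping is a sign to look the GUID up before deciding whether the right is benign.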
RE: [ActiveDir] Vendor Domain
Just a few thoughts to add since so many others already have given you great answers:

- I've heard that any changes to a network which has production status in a clinic, pharma-manufacturer or supplier will endanger FDA-approval.
- I know that many clinical devices are specialized workstations which are controlling devices, such as modern x-rays. They do have network access and may be members of a domain to provide doctors with x-rays a.s.o. Sounds like your manufacturer is talking about such devices and is concerned that a change in a GPO which is affecting his appliance might break its functionality, e.g. putting certain signing or encryption policies in place, but the workstation talks to its hardware via proprietary SMB.

I just wanted to throw this into discussion; if we are talking about such devices/appliances I'd also prefer a different domain or even forest to manage them, or want to know very closely what the requirements are and keep an extra eye on those machines. Don't put lives at jeopardy b/c of a misconfigured GPO.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Thursday, July 20, 2006 9:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

Thank you all. The vendor in question is bringing in a medical solution. Here is the response from the vendor so far. Mind you that we have lots of medical device solutions that exist in our domain; the FDA card is played as a blanket so you stop asking questions... we ran into the same issue with security patches: why can't I patch that device? When we've looked at these FDA regulations in the past it turned out that there was more liability by not patching.

From the vendor:

Let me start by thanking you for considering our support model and continuing to pursue supporting it in your organization. Our designers have architected the system to comply with Microsoft's best practices. We have implemented our own .local domain in an effort to provide solid system integrity founded on Kerberos authentication and a single sign-on experience for your clinicians. Our system relies heavily on the integrity of the Active Directory structure. We have integrated the launching of services and control of processes using this Microsoft recommended model. It has been our experience that relying on a hospital's Active Directory structure is a dependency that has opened our customers up to liabilities for the integrity of our regulated medical device. I liken the servers to a respirator. Having an outside person, no matter how qualified, work on a respirator would be a concern from a clinical standpoint. We have witnessed Group Policies applied to servers in a more open environment. This is a liability we do not want to expose our business partners to. Any change, no matter how minute, to our system would endanger our validation and designation as a XXX regulated medical device and would open you to failing FDA auditing.

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, July 20, 2006 12:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

I would tend to agree except in the case of Exchange. I am ALL FOR Exchange being run in a separate single domain forest; it solves an incredible number of problems such as the GC/NSPI problems as well as administrative isolation, etc. The exception there is if Exchange is deployed in a decentralized fashion out to all of the sites you already have DCs at; at that point, you probably want to fight with the issues with it in the main forest.

The biggest complaint I have seen for running a separate Single Domain Forest for Exchange is around provisioning and, quite frankly, that really isn't all that involved and doesn't necessarily need a full blown MIIS/IIFP solution. It depends on what data is needed where. If you need all of the GAL info in the main NOS forest as well as the Exchange forest then you're looking more into metadata sync tools, unless your provisioning is all being handled through a centralized mechanism, and then that can be used to send the info in both directions and an actual tie between the domains for syncing isn't necessarily required.

But if this isn't Exchange, I would be curious to hear the details of the app and why they want a separate forest. Most vendors, if they told me they did it in a stupid way that had that requirement, I would beat and tell them to fix it. With MSFT and Exchange, that only works a little bit. :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, Ju
RE: [ActiveDir] NTDS.DIT Size
Hello Joshua,

I'd look at the whitespace to determine when to offline defrag a DC. You can enable the associated event, which will tell you the amount of whitespace, by setting the registry key HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\6 Garbage Collection to 1 instead of 0 (which is the default). The regkey might be off as I likely just typed it by heart. This will give you an event every time garbage collection runs (every 12 hrs) and tell you the amount of whitespace in the DB.

Whatever needs to be loaded should perform better when smaller. I've heard that a DC on x64 will perform better than on 32-bit; since it's very likely you already have some of the newer servers with x64, I'd just give it a try for one DC yourself.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joshua Coffman
Sent: Thursday, June 29, 2006 10:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTDS.DIT Size

Our AD (NTDS.dit) is at 1.7GB (approx. 250,000 users). Should an offline defrag be performed at a regular interval? Some articles I read say it is only worthwhile if you are running low on space. We have plenty of drive space and RAM. At what point should the AD be moved to 64 bit?

Thanks,
Josh
RE: [ActiveDir] New DC can't find the machine account
Every joe is someone's joe, but Joe McNicholas <> Joe "joeware" Richards

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Wednesday, May 31, 2006 4:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] New DC can't find the machine account

Is this joe joe or joe someoneelse? It occurred to me, I've NEVER seen joe joe's last name ...

-B

On Wed, 31 May 2006, McNicholas, Joe wrote:

off the top of my head Is DFS running?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: 31 May 2006 14:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] New DC can't find the machine account

Hi,

I have a Windows 2000 based AD (empty root with 1 child domain) that I'm in the process of upgrading to w2003r2 as a test for our production domain (same configuration). The adprep went fine as well as the dcpromo of the new DC. However when the new DC reboots I get the following messages in the application log:

EVENT TYPE: Error
SOURCE: Userenv
EVENT ID: 1097
Windows cannot find the machine account, The Local Security Authority cannot be contacted.

and

EVENT TYPE: Error
SOURCE: Userenv
EVENT ID: 1030
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Neither system had these messages when they were simple servers in the domain. They were rebooted several times before becoming DCs to make sure the event logs were clean. They seem to be functioning as DCs. File replication with the original w2k dc took a long time to start up. I added a second w2k3 r2 DC and it is showing the exact same messages. Both machines were created from the same sysprep image - the machine that was built as the basis for the sysprep image was never in the domain.

I've been searching Microsoft and came up with one or two applicable docs. One said to make sure that services like netlogon were set to automatic (it is). Another had settings for enabling debug on the netlogon service which I implemented. All that I see in there is netlogon pausing.

Any ideas?

al

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] AD lag sites and replication
1) We are talking about blocking the replication to and from a lag-site, and the good thing about using a firewall is that we are able to block users and memberservers authenticating against the lag-site. You do not want anyone to authenticate against a lag-site DC. So urgent replication is not an issue.

2) Agree to Joe here. I'm quite sure that the rights to force replication are available for at least dom-admins, and I'm very sure that no matter how many you have (OK, more than yourself) they will forget not to trigger forced replication sometime.

3) Lag-Sites don't make any sense if they do replicate in between the scheduled times, so in this scenario you may worry about both.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Tuesday, May 30, 2006 12:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Neil,

1) If you start setting firewall rules then I am pretty sure you will break things as you will block urgent replication. What happens if someone changes their password and then goes to the home site? What about group membership changes? Do you really want to wait two days before you update these?

2) I don't think that normal admins can trigger unscheduled replication changes. Certainly I am a Domain Admin and I can't trigger replication changes on our infrastructure, but it is Windows/2000.

3) IMHO you would be better worrying about getting things to replicate when they are supposed to rather than things replicating when they shouldn't.

Dave

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 30 May 2006 11:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Hi Neil,

I'd still go for a firewall with scheduled rules. IMHO there's no such thing as "locked down replication schedules" - as soon as someone is hitting a switch to force replication across sites. And the firewall will help you to assure no client is hitting a lag site's DC.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Thanks Ulf. I was hoping to avoid NIC disabling and such like. I was looking for a solution which would enforce the replication schedule between sites, such that an admin could not 'override' it. I'd rather handle the situation with procedures and policies than use scripts to disable NICs (or connection objects) at scheduled times :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 30 May 2006 09:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

You are able to disable the network interfaces, pretty easy with VMWare or Virtual Server since you are able to do it from the host via scripting, bit more painful if you have to do it from the DC itself since you don't have any remote access when the nic is disabled (you could use a scheduled task which runs netsh to activate / deactivate the interface). Also putting a firewall with scheduled rules in between would work very well, especially since you can block everything but RDP at the no-sync times.

As long as you don't exceed the tombstone-lifetime I don't see any reasons why this should not be supported, since we are just talking about lag-sites without any memberservers / clients / users who log onto those DCs.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD lag sites and replication

I'm looking to implement one or more lag sites, with staggered replication schedules (i.e. NYC lag replicates tues and thurs, 2-4 am; LON lag replicates mon, wed and fri 2-4 am). We're concerned that admins can still force replication outside of these hours using repadmin or replmon etc. Is there a (supported) way to ensure that replication can ONLY occur within the hours described above?

Thanks,
neil
RE: [ActiveDir] Machine Psswd Age
> Probably more than you ever wanted to know about machine account password changes.

Not at all - my brain sucks that stuff in. To be complete: was it the same with NT4, or was there such a thing as half-time renewal? What's the required level of netlogon debug logging? Is 1 enough?

Don't you want to share this info on a blog? It's great, and we could give you credits and avoid typing whenever there's a discussion of that topic. Might be worth including the imaged-client and reset-password-on-a-computer-account discussions.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Wednesday, May 31, 2006 5:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Just to add some additional detail. The machine account password is actually changed every 30 days plus a random offset of up to 24 hours, so ~31 days as a maximum by default with Windows 2000 and later OSes. This is done by the netlogon service on the client and there is a scavenger thread that wakes up and performs the reset once this threshold is met. If it cannot reach a Domain Controller it will go back to sleep and wake up every 15 minutes to try and reset the password. You can see this behavior by turning up netlogon debug logging and see the following output:

Success:
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Flag password changed in LsaSecret
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days (0x9a7ec800)

Failure:
05/16 01:13:24 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/16 01:13:24 [SESSION] NORTHAMERICA: NlSessionSetup: Try Session setup
05/16 01:13:24 [SESSION] NORTHAMERICA: NlDiscoverDc: Start Synchronous Discovery
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlSessionSetup: Session setup: cannot pick trusted DC
05/16 01:14:05 [MISC] Eventlog: 5719 (1) NORTHAMERICA 0xc05e c05e ^...
05/16 01:14:05 [SESSION] NORTHAMERICA: NlSessionSetup: Session setup Failed
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes (0xdbba0)

Random Offset:
05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days (0x9d671aca)

Since the value is in milliseconds, when converting this you will see in the random offset case the value is really ~30.56 days where the one in success is exactly 30 days.

Probably more than you ever wanted to know about machine account password changes.

Thanks,
-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Sunday, May 28, 2006 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Hmm - I can not find where I got this information from. The KB about disablePasswordChange has not been updated for a pretty long time (it still stated only NT in the early WS2k3 days). The following page even states that the NT4 Workstation changes the password every 3 days, and retries after another 3 days: http://www.microsoft.com/technet/archive/winntas/maintain/ntopt4.mspx?mfr=true

However I stand corrected - need to update my brain's cache from google more often - too bad brains don't support TTL of websites.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 24, 2006 9:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

I agree with Bob. Seven days pre-W2K, 30 days for W2K and better. I have never seen a machine change its password at the 50% age and I have looked at this quite a bit for various[1] reasons.

joe

[1] OldCmp being one of them...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, May 24, 2006 3:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

The default was 7 days for NT, increased to 30 in W2K and above. See http://support.microsoft.com/kb/154501/ or q175468 or any of the old domain sizing docs.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Wednesday, May 24, 2006 11:52 AM
To: ActiveDir@mail.activedir.org
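Steve's netlogon debug excerpts are the kind of thing worth pulling out of netlogon.log automatically when a fleet of machines shows event 5719 or stale pwdLastSet values: the scavenger line carries the next wake-up interval as a hex millisecond count, which is exactly how the 30-day, ~30.56-day and 15-minute figures in the thread are derived. The following Python parser is an added example for this archive, not a tool from the thread; its input is constructed from the lines Steve posted, and the line layout it assumes (MM/DD HH:MM:SS [CATEGORY] DOMAIN: message) is the one visible in those excerpts.

```python
"""Pull machine-account password-change attempts out of netlogon debug output.

Added example (not from the ActiveDir thread). LOG is a constructed sample
built from the lines Steve posted. Two things are extracted:
  * every NlWksScavenger "Can be called again in ..." interval, decoded from
    the hex millisecond value in parentheses;
  * every NlChangePassword attempt, classified as success (PDC updated) or
    failed (no DC could be found / session setup failed).
"""
import re

LOG = """\
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Flag password changed in LsaSecret
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days (0x9a7ec800)
05/16 01:13:24 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/16 01:13:24 [SESSION] NORTHAMERICA: NlDiscoverDc: Start Synchronous Discovery
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [SESSION] NORTHAMERICA: NlSessionSetup: Session setup Failed
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes (0xdbba0)
05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days (0x9d671aca)
"""

# "MM/DD HH:MM:SS [CATEGORY] <optional DOMAIN:> message"
LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\] (?:(\w+): )?(.*)$")
# Interval lines end with the wait in milliseconds as a hex number.
INTERVAL_RE = re.compile(r"Can be called again in .*\(0x([0-9a-fA-F]+)\)")

MS_PER_DAY = 86_400_000


def scavenger_intervals(log):
    """Return (timestamp, milliseconds, days) for each scavenger wake-up entry."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        im = INTERVAL_RE.search(m.group(4))
        if im:
            ms = int(im.group(1), 16)
            out.append((m.group(1), ms, ms / MS_PER_DAY))
    return out


def password_change_attempts(log):
    """Group lines into attempts. An attempt starts at 'Doing it.' and ends
    'success' once the PDC update is flagged, or 'failed' when DC discovery or
    session setup fails (the 15-minute retry case in the thread)."""
    attempts = []
    current = None
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, _category, domain, msg = m.groups()
        if msg == "NlChangePassword: Doing it.":
            current = {"started": ts, "domain": domain, "result": "pending"}
            attempts.append(current)
        elif current is None:
            continue
        elif "Flag password updated on PDC" in msg:
            current["result"] = "success"
        elif "Cannot find DC" in msg or "Session setup Failed" in msg:
            current["result"] = "failed"
    return attempts


if __name__ == "__main__":
    for ts, ms, days in scavenger_intervals(LOG):
        print(f"{ts}: next scavenger run in {ms} ms (~{days:.2f} days)")
    for a in password_change_attempts(LOG):
        print(f"{a['started']} {a['domain']}: {a['result']}")
```

Run against a real netlogon.log the same two functions give a per-host answer to "did this box actually rotate its password, and when will it try again", which is the ground truth to compare with pwdLastSet in the directory.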
RE: [ActiveDir] AD lag sites and replication
I have to agree to the second option - they may not even know that they do it. Over time people tend to forget about lag sites, want to force replication once in a while, and what the ... are those checkboxes in replmon for? Do I want the information to replicate across sites? Sure! And right after hitting OK there's a head-banging-against-the-monitor sound - Aahrg - lag sites.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, May 30, 2006 7:26 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] AD lag sites and replication

Imagine a glass ceiling with a girl in a skirt standing on it / man in a kilt standing on it and you're standing under the ceiling. Someone tells you not to look up. Do you not look up, or at some point look up? - even if you did not mean to - via a mirror or some other third party method. The fact that you can means at some stage you may do what you were not supposed to, even if you had no intention of doing so.

Applying this analogy to Mr Ruston's scenario: they may be trusted and do it, or they may have no intention of doing so - but have the intellect of a Tibetan Yak and do it anyway.

Another Guinness please..

-Original Message-
From: Molkentin, Steve [EMAIL PROTECTED]
Date: Wed, 31 May 2006 02:52:28
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Neil asked...

> I'm looking to implement one or more lag sites, with staggered replication schedules (i.e. NYC lag replicates tues and thurs, 2-4 am; LON lag replicates mon, wed and fri 2-4 am). We're concerned that admins can still force replication outside of these hours using repadmin or replmon etc. Is there a (supported) way to ensure that replication can ONLY occur within the hours described above?

Tell them not to?

Seriously, if something is being put in place for a reason and it is explained to them, why would they want to go and work against it? Isn't the person implementing it someone in a position of authority to say this is how we'll solve this problem?

As always... there are seldom good technological solutions to behavioural problems. Given this is all hypothetical, and yet to be a problem, but you get what I am regurgitating here.

My $0.02 inc GST.

themolk.
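Ulf's and Dave's exchange comes down to two controls: a scheduled firewall rule that only opens the lag site's DC during the agreed window, and a check that tells you when replication nevertheless happened outside it (someone forcing it with repadmin or replmon). The following Python is an added example for this archive, not a tool anyone in the thread posted. It encodes Neil's stated schedule (NYC Tue/Thu 02:00-04:00, LON Mon/Wed/Fri 02:00-04:00), emits the concrete windows a scheduled firewall rule would need for a given week, and flags a constructed list of inbound-replication events that fall outside their site's window; the site names, event tuples and the source DC names are all assumptions made up for the example.

```python
"""Check replication events against a lag site's schedule.

Added example (not from the ActiveDir thread). SCHEDULE is Neil's schedule
from the thread; EVENTS is a constructed list of (site, timestamp, source DC)
tuples standing in for inbound-replication records pulled from a DC. Site
and DC names are made up for the example.
"""
from datetime import date, datetime, time, timedelta

# weekday(): Monday=0 ... Sunday=6. Windows are [start, end).
SCHEDULE = {
    "NYC-LAG": {"days": {1, 3}, "start": time(2, 0), "end": time(4, 0)},
    "LON-LAG": {"days": {0, 2, 4}, "start": time(2, 0), "end": time(4, 0)},
}

WEEK_MONDAY = date(2006, 5, 29)  # Monday of the week the thread was written in

# Constructed sample events: (lag site, when replication arrived, source DC)
EVENTS = [
    ("NYC-LAG", datetime(2006, 5, 30, 2, 15), "DC01"),   # Tue 02:15 - inside window
    ("NYC-LAG", datetime(2006, 5, 30, 14, 40), "DC01"),  # Tue 14:40 - forced out of hours
    ("LON-LAG", datetime(2006, 5, 31, 3, 59), "DC02"),   # Wed 03:59 - inside window
    ("LON-LAG", datetime(2006, 6, 1, 2, 30), "DC02"),    # Thu - LON has no Thursday window
]


def in_window(site, when):
    """True if `when` falls inside one of the site's allowed replication windows."""
    w = SCHEDULE[site]
    return when.weekday() in w["days"] and w["start"] <= when.time() < w["end"]


def weekly_windows(site, week_monday):
    """(start, end) datetimes of the site's windows for the week beginning on
    `week_monday`; this is the list a scheduled firewall rule has to implement."""
    w = SCHEDULE[site]
    windows = []
    for d in sorted(w["days"]):
        day = week_monday + timedelta(days=d)
        windows.append((datetime.combine(day, w["start"]),
                        datetime.combine(day, w["end"])))
    return windows


def out_of_window(events):
    """Events that arrived outside their site's schedule: each one is either a
    forced replication or a firewall rule that did not close when it should."""
    return [(site, ts, src) for site, ts, src in events if not in_window(site, ts)]


if __name__ == "__main__":
    for site in SCHEDULE:
        for start, end in weekly_windows(site, WEEK_MONDAY):
            print(f"{site}: open {start:%a %Y-%m-%d %H:%M} to {end:%H:%M}")
    for site, ts, src in out_of_window(EVENTS):
        print(f"OUT OF WINDOW: {site} received replication from {src} at {ts:%a %Y-%m-%d %H:%M}")
```

The window check deliberately ignores the firewall: even with scheduled rules in place, comparing what actually replicated against the schedule is what tells you the rules (and the admins) behaved.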
RE: [ActiveDir] [OT] Identity Access Management
There's a basic workflow example available, IIRC either with SP1 or a Reskit. It's web-based and easy to modify/adjust. A workflow engine is supposed to ship with Gemini (the next full version of MIIS). This was mentioned in the TechEds and IT-Forums of the last two years (at least), so anyone who did attend should be able to find the sessions. Currently you are able to use Biztalk as workflow engine, or the Office 2007 workflow engine when available.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Thursday, May 25, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Identity Access Management

On Thu, 25 May 2006 11:53:43 +0200, Carlos Magalhaes wrote

> Not yet no but we both know that's in the pipeline for SP2. I still would like to know why MIIS was not an option. C

Workflow is not included in SP2, some solution is planned in Gemini time frame

--
Tomasz Onyszko
http://www.w2k.pl/ (PL blog)
http://blogs.dirteam.com/blogs/tomek (EN blog)
RE: [ActiveDir] OT help with VBS/WMI Script
I'm usually preferring not to use CMD-Commands out of VBS if not necessary (there are many areas where it's really handy, but a ping is not one of them). You can also use WMI to ping the machine - works fast and you don't have to text-analyze the output of the ping-command. I've just dug out an example for you at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wmi_tasks__networking.asp - look at the last example.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Thursday, May 25, 2006 6:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT help with VBS/WMI Script

If you're concerned about the server being up, incorporate this into your script. It will ping the box and execute your logic if it's up. This is just an example, it wouldn't actually work if you cut and paste it.

    Set objShell = CreateObject("WScript.Shell")
    For Each strServerName In colServerList
        ' two echo requests, 1000 ms timeout each; capture the command's output
        Set objScriptExec = objShell.Exec("ping -n 2 -w 1000 " & strServerName)
        strPingResults = LCase(objScriptExec.StdOut.ReadAll)
        If InStr(strPingResults, "reply from") Then
            ' Put your OS version WMI code here, call a function preferably.
        Else
            WScript.Echo "Error: " & Err.Description   ' (something like this)
        End If
    Next
    Set objShell = Nothing

-Brandon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Thursday, May 25, 2006 12:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT help with VBS/WMI Script

If I use this, everything gets Server1++ nothing ever gets anywhere. :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Timo Ed
Sent: Wednesday, May 24, 2006 4:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT help with VBS/WMI Script

    '==================================================================
    On Error Resume Next   ' a failed GetObject must set Err, not abort the script
    For Each strComputer In serverList
        Err.Clear   ' clear the previous machine's error, or every later one looks down too
        Set objWMIService = GetObject("winmgmts:" _
            & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
        If Err Then
            ' unreachable: print an empty record instead of the previous machine's values
            WScript.Echo strComputer + "++"
        Else
            Set colSettings = objWMIService.ExecQuery _
                ("Select * from Win32_OperatingSystem")
            For Each OS In colSettings
                WScript.Echo strComputer + "+" + OS.Caption + "+" + OS.Version
            Next
        End If
    Next
    '==================================================================

Rgds,
Tim

On 5/25/06, Hutchins, Mike [EMAIL PROTECTED] wrote:
> So I am trying to get some information from a gigantic list of machines. Problem is that if the machine isn't up, the script retains the previous values.
>
> Example
>
>     server1+Microsoft(R) Windows(R) Server 2003, Enterprise Edition+5.2.3790
>     server2+Microsoft(R) Windows(R) Server 2003, Enterprise Edition+5.2.3790
>
> In this example Server1 is accurate (the + is a delimiter). Server2 is not online so the script retained the OS.Caption and OS.Version part. I would rather it be blank like:
>
>     server2++
>
> Here is the script part that this lies in. Any suggestions greatly appreciated.
>
>     For Each strComputer In serverList
>         Set objWMIService = GetObject("winmgmts:" _
>             & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
>         Set colSettings = objWMIService.ExecQuery _
>             ("Select * from Win32_OperatingSystem")
>         For Each OS In colSettings
>             WScript.Echo strComputer + "+" + OS.Caption + "+" + OS.Version
>         Next
>     Next
RE: [ActiveDir] OT help with VBS/WMI Script
> You can also use WMI to ping the machine - works fast and you don't have to text-analyze the output of the ping-command. I've just dug out an example for you at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wmi_tasks__networking.asp - look at the last example.

Before getting corrected: first example of the last question / howto on that page.

Ulf
RE: [ActiveDir] Machine Psswd Age
Hmm - I can not find where I got this information from. The KB about disablePasswordChange has not been updated for a pretty long time (it still stated only NT in the early WS2k3 days). The following page even states that the NT4 Workstation changes the password every 3 days, and retries after another 3 days: http://www.microsoft.com/technet/archive/winntas/maintain/ntopt4.mspx?mfr=true

However I stand corrected - need to update my brain's cache from Google more often - too bad brains don't support TTL of websites.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 24, 2006 9:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

I agree with Bob. Seven days pre-W2K, 30 days for W2K and better. I have never seen a machine change its password at the 50% age and I have looked at this quite a bit for various[1] reasons.

joe

[1] OldCmp being one of them...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, May 24, 2006 3:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

The default was 7 days for NT, increased to 30 in W2K and above. See http://support.microsoft.com/kb/154501/ or q175468 or any of the old domain sizing docs.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Wednesday, May 24, 2006 11:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

AFAIK the password change interval is set to 30 in XP (15 in NT, W2k), but the computer account starts to request renewal after 50% of the time is over. After 30 days it'll change it if being logged onto the domain for sure (unless otherwise configured or connected).

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Wednesday, May 24, 2006 5:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Machine Psswd Age

Anyone know how often machine passwords are renewed/reset in the domain?

-Z.V.
RE: [ActiveDir] Machine Psswd Age
AFAIK the password change interval is set to 30 in XP (15 in NT, W2k), but the computer account starts to request renewal after 50% of the time is over. After 30 days it'll change it if being logged onto the domain for sure (unless otherwise configured or connected).

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Wednesday, May 24, 2006 5:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Machine Psswd Age

Anyone know how often machine passwords are renewed/reset in the domain?

-Z.V.
RE: [ActiveDir] Delete only one object in the Tombstone.
Hello Tiroa,

it is not possible to purge Tombstones, no matter if one or all. For all you'd be able to modify tombstone lifetime and the system time, however I strongly doubt this would be supported by MS (tombstone-lifetime is supported, modifying systemtime to enforce garbage collection of tombstones most likely not).

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, May 22, 2006 10:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delete only one object in the Tombstone.

Hello,

I'd like to know if it is possible to delete *only one* object in the tombstone instead of purging all the objects?

Thanks,
Yann
RE: [ActiveDir] Delete only one object in the Tombstone.
You're welcome, and have a nice day too!

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, May 22, 2006 10:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Delete only one object in the Tombstone.

Hello Ulf,

Thank you very much for your answer and have a nice day.

Best Regards,
Yann

From: [EMAIL PROTECTED] on behalf of Ulf B. Simon-Weidner
Date: Mon. 22/05/2006 14:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delete only one object in the Tombstone.

Hello Tiroa,

it is not possible to purge Tombstones, no matter if one or all. For all you'd be able to modify tombstone lifetime and the system time, however I strongly doubt this would be supported by MS (tombstone-lifetime is supported, modifying systemtime to enforce garbage collection of tombstones most likely not).

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, May 22, 2006 10:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delete only one object in the Tombstone.

Hello,

I'd like to know if it is possible to delete *only one* object in the tombstone instead of purging all the objects?

Thanks,
Yann
RE: [ActiveDir] OldCmp question
Big fat ditto - and even better in the support tools.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 23, 2006 5:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

I wouldn't be averse to seeing at least adfind and admod in the support or resource kit tools. :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Sunday, May 21, 2006 11:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

I agree that ds-tools lack some possibilities, and I'd prefer MS putting your tools into their product, however in most scenarios I've been working in they are not allowed to put additional software in their domain unless it's proved, and the use of your tools is not important enough to justify this hassle. So I'm mainly limited to ds-tools or vbs.

Something like this should work:

    dsquery user -stalepwd 90 | dsget user -dn -disabled | find "No"

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, May 20, 2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

Hmm good point... Well except we were talking about oldcmp instead of adfind... Fun though that the switches are so close...

So what are the switches and the filter to use with dsquery to get an html listing of all enabled users whose password age is 90 days or older? :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Saturday, May 20, 2006 2:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

I didn't catch it because I didn't bother enough to read the adfind syntax. If you'd provided a standard LDAP-Filter with DSQuery ... ;-)

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 19, 2006 9:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

I just realized I told you how to INCLUDE disabled accounts - you want NOT DISABLED accounts. So you want to NOT what I indicated, however you have to add to it to avoid a false positive.

    -af (&(useraccountcontrol=*)(!(useraccountcontrol:AND:=2)))

One thing to note with NOT filters... Well two actually...

1. NOT filters are inefficient. But then so are bitwise filters. ;o)

2. NOT filters can have false positives. An account could have the value set that you are trying to avoid but if the account trying to access the info doesn't have the access to see that value, it will still be returned. This is why the extra useraccountcontrol=* in the filter.

The list is sleeping, they should have been all over me on that dork up. <eg> Too late now Al, Dean and Deji Princess, don't worry I will explain it to you next time I see you. ;o)

joe

--
I am 78% Evil Genius
I am pure evil. I lie awake at night devising schemes of world domination, and I will not rest until all living souls bend to my will.
Take the Evil Genius Test at fuali.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 19, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

Disabled accounts are marked by having bit 1 lit on userAccountControl (value 2)

To exclude them you want

    -af useraccountcontrol:AND:=2 and -bit

I just realized I have an -onlydisabled switch, I should add a -onlynotdisabled I guess...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, May 19, 2006 11:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OldCmp question

Anyone know a way to easily filter out disabled accounts from the oldcmp -users report? Would one have to use some sort of bitwise filter from a translation
RE: [ActiveDir] OldCmp question
I agree that ds-tools lack some possibilities, and I'd prefer MS putting your tools into their product, however in most scenarios I've been working in they are not allowed to put additional software in their domain unless it's proved, and the use of your tools is not important enough to justify this hassle. So I'm mainly limited to ds-tools or vbs.

Something like this should work:

    dsquery user -stalepwd 90 | dsget user -dn -disabled | find "No"

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, May 20, 2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

Hmm good point... Well except we were talking about oldcmp instead of adfind... Fun though that the switches are so close...

So what are the switches and the filter to use with dsquery to get an html listing of all enabled users whose password age is 90 days or older? :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Saturday, May 20, 2006 2:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

I didn't catch it because I didn't bother enough to read the adfind syntax. If you'd provided a standard LDAP-Filter with DSQuery ... ;-)

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 19, 2006 9:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

I just realized I told you how to INCLUDE disabled accounts - you want NOT DISABLED accounts. So you want to NOT what I indicated, however you have to add to it to avoid a false positive.

    -af (&(useraccountcontrol=*)(!(useraccountcontrol:AND:=2)))

One thing to note with NOT filters... Well two actually...

1. NOT filters are inefficient. But then so are bitwise filters. ;o)

2. NOT filters can have false positives. An account could have the value set that you are trying to avoid but if the account trying to access the info doesn't have the access to see that value, it will still be returned. This is why the extra useraccountcontrol=* in the filter.

The list is sleeping, they should have been all over me on that dork up. <eg> Too late now Al, Dean and Deji Princess, don't worry I will explain it to you next time I see you. ;o)

joe

--
I am 78% Evil Genius
I am pure evil. I lie awake at night devising schemes of world domination, and I will not rest until all living souls bend to my will.
Take the Evil Genius Test at fuali.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 19, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

Disabled accounts are marked by having bit 1 lit on userAccountControl (value 2)

To exclude them you want

    -af useraccountcontrol:AND:=2 and -bit

I just realized I have an -onlydisabled switch, I should add a -onlynotdisabled I guess...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, May 19, 2006 11:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OldCmp question

Anyone know a way to easily filter out disabled accounts from the oldcmp -users report? Would one have to use some sort of bitwise filter from a translation of a useraccountcontrol 66048 value or something?

~~
This e-mail is confidential, may contain proprietary information of Cameron and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.
~~
RE: [ActiveDir] OldCmp question
I didn't catch it because I didn't bother enough to read the adfind syntax. If you'd provided a standard LDAP-Filter with DSQuery ... ;-)

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 19, 2006 9:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

I just realized I told you how to INCLUDE disabled accounts - you want NOT DISABLED accounts. So you want to NOT what I indicated, however you have to add to it to avoid a false positive.

    -af (&(useraccountcontrol=*)(!(useraccountcontrol:AND:=2)))

One thing to note with NOT filters... Well two actually...

1. NOT filters are inefficient. But then so are bitwise filters. ;o)

2. NOT filters can have false positives. An account could have the value set that you are trying to avoid but if the account trying to access the info doesn't have the access to see that value, it will still be returned. This is why the extra useraccountcontrol=* in the filter.

The list is sleeping, they should have been all over me on that dork up. <eg> Too late now Al, Dean and Deji Princess, don't worry I will explain it to you next time I see you. ;o)

joe

--
I am 78% Evil Genius
I am pure evil. I lie awake at night devising schemes of world domination, and I will not rest until all living souls bend to my will.
Take the Evil Genius Test at fuali.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 19, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

Disabled accounts are marked by having bit 1 lit on userAccountControl (value 2)

To exclude them you want

    -af useraccountcontrol:AND:=2 and -bit

I just realized I have an -onlydisabled switch, I should add a -onlynotdisabled I guess...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, May 19, 2006 11:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OldCmp question

Anyone know a way to easily filter out disabled accounts from the oldcmp -users report? Would one have to use some sort of bitwise filter from a translation of a useraccountcontrol 66048 value or something?
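The enabled-users filter joe gives above, and the false positive he warns about, evaluated over a constructed directory in Python (an added example, not code from the thread, adfind or oldcmp). It assumes the OID form 1.2.840.113556.1.4.803 that adfind's :AND: shorthand expands to, models an unreadable attribute as a missing key, and goes one step beyond the thread by also applying Ulf's 90-day password age as a pwdLastSet filter term.

```python
"""Added example (not code from the thread): evaluate joe's enabled-user filter
over a constructed directory to show the NOT-filter false positive he describes."""
from datetime import datetime, timedelta, timezone
import re

UF_ACCOUNTDISABLE = 0x2
BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND; adfind's ":AND:" expands to it
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Aware datetime -> FILETIME (100 ns ticks since 1601-01-01), as pwdLastSet is stored."""
    return int((dt - FILETIME_EPOCH).total_seconds() * 10_000_000)


def _split_top_level(s):
    """Split "(a)(b)(c)" into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def parse_filter(text):
    """Parse the RFC 4515 subset used here: &, !, =, <=, =* and attr:oid:=value."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if body[0] == "&":
        return ("&", [parse_filter(p) for p in _split_top_level(body[1:])])
    if body[0] == "!":
        return ("!", parse_filter(body[1:]))
    m = re.fullmatch(r"([A-Za-z][\w-]*)(?::([\d.]+):)?(<=|=)(.*)", body)
    if not m:
        raise ValueError("unsupported filter item: %r" % body)
    attr, rule, op, value = m.group(1).lower(), m.group(2), m.group(3), m.group(4)
    if rule == BIT_AND:
        return ("bitand", attr, int(value))
    if value == "*":
        return ("present", attr)
    return ({"=": "eq", "<=": "le"}[op], attr, value)


def matches(node, entry):
    """Evaluate a parsed filter against one entry (lower-case attribute keys).

    `entry` holds only what the *querying* account can read. An absent or
    unreadable attribute never matches, so a NOT around it matches: that is
    the false positive joe warns about, and why he adds (userAccountControl=*)."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    attr = node[1]
    if attr not in entry:
        return False
    if kind == "present":
        return True
    if kind == "bitand":
        return int(entry[attr]) & node[2] == node[2]
    if kind == "eq":
        return str(entry[attr]).lower() == node[2].lower()
    return int(entry[attr]) <= int(node[2])          # "le"


def stale_enabled_users(entries, max_age_days, now, guard_present=True):
    """sAMAccountNames of enabled users whose password is older than max_age_days
    (the dsquery -stalepwd / oldcmp -users question). guard_present=False drops
    joe's extra (userAccountControl=*) term so the false positive shows up."""
    cutoff = to_filetime(now - timedelta(days=max_age_days))
    not_disabled = "(!(userAccountControl:%s:=%d))" % (BIT_AND, UF_ACCOUNTDISABLE)
    if guard_present:
        not_disabled = "(userAccountControl=*)" + not_disabled
    flt = parse_filter("(&(objectClass=user)(pwdLastSet<=%d)%s)" % (cutoff, not_disabled))
    hits = []
    for e in entries:
        visible = {k.lower(): v for k, v in e.items()}
        if matches(flt, visible):
            hits.append(visible["samaccountname"])
    return sorted(hits)


NOW = datetime(2006, 5, 19, 12, 0, tzinfo=timezone.utc)   # constructed "today"
_days_ago = lambda d: to_filetime(NOW - timedelta(days=d))

# Constructed sample directory as seen by a low-privileged reader. svc-hidden is
# disabled, but its userAccountControl is not readable by that reader, so the
# value is simply missing from what the query sees.
ENTRIES = [
    {"sAMAccountName": "alice", "objectClass": "user", "userAccountControl": 512, "pwdLastSet": _days_ago(120)},
    {"sAMAccountName": "bob", "objectClass": "user", "userAccountControl": 514, "pwdLastSet": _days_ago(200)},
    {"sAMAccountName": "carol", "objectClass": "user", "userAccountControl": 512, "pwdLastSet": _days_ago(10)},
    {"sAMAccountName": "svc-hidden", "objectClass": "user", "pwdLastSet": _days_ago(400)},
]
```

Without the guard term the disabled-but-unreadable account comes back as "enabled"; with it, only alice is reported.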
RE: [ActiveDir] DSACLS bug maybe?
Yes - I've found this bug in 2k4 and have reported it to Microsoft. Recently I have been approached (after complaining to someone in the DS-Group at MS) about whether this bug is still there, and I've confirmed that it's still there with R2 and was told it will be looked into.

Basically ADUC creates three wrong ACEs, where the ace.flags states that ace.inheritedObjectType is present. Since it's not present nor needed it's reported back to the interfaces with a zero-filled GUID. This field is supposed to map to a schemaIdGUID of an attribute, and there's no attribute like that. Some components do the error handling well and display the remaining SD, some (as dsacls) don't. Actually the RTM version of DSAcls was even giving out a very serious AD error in an error box. After reporting the bug in 2k4 only dsacls was partly fixed, not the issue itself.

I've published more details and a script to fix the ACLs on my website, and also mentioned it during one of my sessions at DEC: http://windowsserverfaq.de/faq/CompACLs.asp

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Friday, May 19, 2006 2:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSACLS bug maybe?

Has anyone seen this issue before? If you create a computer account in ADUC, then type "DSACLS DnOfComputerObject" it will spit out the ACLs on it. However, if you create another computer account and delegate out who can join it, DSACLS can't spit out the ACLs.
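A check for the malformed ACEs Ulf describes, written here as an added Python example (it is neither his fix script nor dsacls): it walks the object ACEs of a DACL and reports those whose flags claim an InheritedObjectType but carry the all-zero GUID. The ACE layout follows the ACCESS_ALLOWED_OBJECT_ACE structure; the masks, the schema GUID and the sample DACL are constructed placeholders.

```python
"""Added example (not Ulf's script nor dsacls): scan object ACEs for the
inconsistency described above, i.e. ACE_INHERITED_OBJECT_TYPE_PRESENT set while
InheritedObjectType is the zero GUID, which maps to no schemaIDGUID at all."""
import struct
import uuid

ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06
ACE_OBJECT_TYPE_PRESENT = 0x1
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2
NULL_GUID = uuid.UUID(int=0)


def parse_sid(raw):
    """Decode a binary SID: revision, sub-authority count, 48-bit authority, subs."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def parse_object_ace(raw, offset=0):
    """Parse one ACCESS_ALLOWED/DENIED_OBJECT_ACE starting at `offset`.

    Layout: AceType(1) AceFlags(1) AceSize(2) Mask(4) Flags(4)
            [ObjectType GUID(16)] [InheritedObjectType GUID(16)] SID
    The two GUIDs are only present when the matching bit in Flags is set."""
    ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", raw, offset)
    if ace_type not in (ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE):
        raise ValueError("not an object ACE: type 0x%02x" % ace_type)
    mask, obj_flags = struct.unpack_from("<II", raw, offset + 4)
    pos = offset + 12
    object_type = inherited_type = None
    if obj_flags & ACE_OBJECT_TYPE_PRESENT:
        object_type = uuid.UUID(bytes_le=raw[pos:pos + 16])
        pos += 16
    if obj_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
        inherited_type = uuid.UUID(bytes_le=raw[pos:pos + 16])
        pos += 16
    return {
        "type": ace_type, "ace_flags": ace_flags, "size": ace_size, "mask": mask,
        "obj_flags": obj_flags, "object_type": object_type,
        "inherited_object_type": inherited_type,
        "sid": parse_sid(raw[pos:offset + ace_size]),
    }


def iter_aces(dacl_aces):
    """Walk a buffer of back-to-back object ACEs (an ACL body without its header)."""
    offset = 0
    while offset < len(dacl_aces):
        ace = parse_object_ace(dacl_aces, offset)
        yield ace
        offset += ace["size"]


def find_bad_inherited_type_aces(dacl_aces):
    """(index, trustee SID) of every ACE whose flags promise an InheritedObjectType
    but whose GUID is all zeros; this is the shape dsacls could not display."""
    bad = []
    for i, ace in enumerate(iter_aces(dacl_aces)):
        if (ace["obj_flags"] & ACE_INHERITED_OBJECT_TYPE_PRESENT
                and ace["inherited_object_type"] == NULL_GUID):
            bad.append((i, ace["sid"]))
    return bad


# --- constructed sample data; no ACL from the thread is reproduced ---
def build_object_ace(mask, obj_flags, object_type, inherited_type, sid_bytes,
                     ace_type=ACCESS_ALLOWED_OBJECT_ACE_TYPE):
    """Serialise an object ACE in the layout parse_object_ace expects."""
    body = struct.pack("<II", mask, obj_flags)
    if obj_flags & ACE_OBJECT_TYPE_PRESENT:
        body += object_type.bytes_le
    if obj_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
        body += inherited_type.bytes_le
    body += sid_bytes
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body


BUILTIN_ADMINS_SID = bytes([1, 2, 0, 0, 0, 0, 0, 5]) + struct.pack("<II", 32, 544)  # S-1-5-32-544
PLACEHOLDER_GUID = uuid.UUID("12345678-1234-1234-1234-123456789abc")   # constructed, not a real schemaIDGUID
SAMPLE_DACL = (
    build_object_ace(0x20, ACE_INHERITED_OBJECT_TYPE_PRESENT, None, PLACEHOLDER_GUID, BUILTIN_ADMINS_SID)
    + build_object_ace(0x20, ACE_INHERITED_OBJECT_TYPE_PRESENT, None, NULL_GUID, BUILTIN_ADMINS_SID)  # the bad one
    + build_object_ace(0x100, ACE_OBJECT_TYPE_PRESENT, PLACEHOLDER_GUID, None, BUILTIN_ADMINS_SID)
)
```

Pointed at the real bytes of a DACL (for example read via the nTSecurityDescriptor attribute), the same walk flags the three ACEs ADUC writes.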
RE: [ActiveDir][OT] DNS on a DC or NOT
Hi Mark,

You are right - Exchange is great - what I love especially is its capabilities of administrative delegation.

See you in Boston?

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Arnold
Sent: Wednesday, May 17, 2006 11:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] DNS on a DC or NOT

Laura, a Mucker is, in English, a good friend. You are probably not to be termed a Mucker, other words might apply, but Jimmy is one of mine and Dean/Joe is one of yours.

Oh, and Joe is old and smells of wee, so pay no heed to his Exchange rants. Exchange is indeed special because it's such a wonderful solution.

OK, I should shut up now and go back to my padded cell.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: 17 May 2006 21:39
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir][OT] DNS on a DC or NOT

> BTW, anyone know what a mucker is? I am trying to figure out if I am supposed to be morally outraged. <eg>
> joe

I use mucker as a compliment, but in my vernacular it's used in reference to a semi-skilled hockey player whose lack of scoring ability is balanced by his ability to check an opposing player into sometime next week.

So I guess what I'm saying is... draw your own conclusions. :-)

This message has been scanned by Antigen. Every effort has been made to ensure it is clean.
RE: [ActiveDir][OT] Is there a way to force users to logon to domain?
I can't see them as well, OL2k3 into POP, provider is using ESMTP (Nemesis) and POP appears to be mimap12 (at least that's what telnetting against the pop tells me).

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 16, 2006 2:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

Interesting, for the O2K3 via POP3 what is the backend? I am doing O2K3 via POP3 backended into Exchange 2003 and getting the blanks.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Monday, May 15, 2006 8:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

I'm getting the list at home and at work. Outlook 2K3 via POP3 is coming in fine. Outlook 2K3 via Exchange and MAPI is coming in blank. Both the non-SP standard builds of Outlook. Exchange is still @ E2K...

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 4:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

I just verified and OWA is also throwing garbage characters on the end of the message and when looking at the raw stream it is the list banner. How is O2K7 displaying it?

Anyone understand what the full spec is for a message and how to (or if you can) mix MIME with plain text? I expect either the plain text banner isn't allowed or the list software isn't modifying the header properly for it to tell the clients to expect it.

joe

Here is Al's message straight from POP without interpretation:

    retr 39
    +OK
    Received: from mail.activedir.org ([12.168.66.190]) by mbx01.joeware.local with Microsoft SMTPSVC(6.0.3790.211); Mon, 15 May 2006 16:44:34 -0400
    Received: from wr-out-0506.google.com [64.233.184.234] by mail.activedir.org with ESMTP (SMTPD32-8.15) id A6B67EC012E; Mon, 15 May 2006 16:38:14 -0400
    Received: by wr-out-0506.google.com with SMTP id i30so871233wra for ActiveDir@mail.activedir.org; Mon, 15 May 2006 13:38:12 -0700 (PDT)
    DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=otNmqTOJtu6h3lzy946aXK9yGTM5JFr0xZLRCRvkC4134GXBlEVFGTm01oR6Q0alNwcgsKlCdGaf7Oc0P7XzMRmR5td5nR1iLsJQ+rx/bxz1c1RTzynDUZSfLeogbMBIzdfTwsmUbAV2+gfnxk19fHg0GT0mFn8dk97+KotFwWM=
    Received: by 10.64.10.15 with SMTP id 15mr2454953qbj; Mon, 15 May 2006 13:38:12 -0700 (PDT)
    Received: by 10.65.253.12 with HTTP; Mon, 15 May 2006 13:38:12 -0700 (PDT)
    Message-ID: [EMAIL PROTECTED]
    Date: Mon, 15 May 2006 16:38:12 -0400
    From: "Al Mulnick" [EMAIL PROTECTED]
    To: ActiveDir@mail.activedir.org
    Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?
    In-Reply-To: [EMAIL PROTECTED]
    MIME-Version: 1.0
    Content-Type: text/plain; charset=UTF-8; format=flowed
    Content-Transfer-Encoding: base64
    Content-Disposition: inline
    References: [EMAIL PROTECTED]
    Precedence: bulk
    Sender: [EMAIL PROTECTED]
    Reply-To: ActiveDir@mail.activedir.org
    Return-Path: [EMAIL PROTECTED]
    X-OriginalArrivalTime: 15 May 2006 20:44:34.0134 (UTC) FILETIME=[5F845760:01C67860]

    List info : http://www.activedir.org/List.aspx
    List FAQ : http://www.activedir.org/ListFAQ.aspx
    List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
    .

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, May 15, 2006 7:28 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

Al is sending from GMAIL. It appears that GMAIL is mime encoding the messages, and then the list attaches the plain text banner on i
RE: [ActiveDir][OT] Is there a way to force users to logon to domain?
If all of those were intended I did get everything correct as well. Mainly one thread IIRC.

Gruesse - Sincerely, Ulf B. Simon-Weidner Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian A. Cline Sent: Tuesday, May 16, 2006 2:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain? I'm on O2K3 SP1 via E2K3 SP2, and the only blanks I've ever seen on this list were the long string of intentionally blank emails. ;-) I did, however, see strange characters at the end of Al's last message, and what's interesting is they were different characters than the ones Susan forwarded. Brian

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday 15 May 2006 20:33 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain? Interesting, for the O2K3 via POP3 what is the backend? I am doing O2K3 via POP3 backended into Exchange 2003 and getting the blanks. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane Sent: Monday, May 15, 2006 8:28 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain? I'm getting the list at home and at work. Outlook 2K3 via POP3 is coming in fine. Outlook 2K3 via Exchange and MAPI is coming in blank. Both the non-SP standard builds of Outlook. Exchange is still @ E2K... Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, May 15, 2006 4:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?
I just verified and OWA is also throwing garbage characters on the end of the message and when looking at the raw stream it is the list banner. How is O2K7 displaying it? Anyone understand what the full spec for a message is and how to (or if you can) mix MIME with plain text? I expect either the plain text banner isn't allowed or the list software isn't modifying the header properly for it to tell the clients to expect it. joe

Here is Al's message straight from POP without interpretation:

retr 39
+OK
Received: from mail.activedir.org ([12.168.66.190]) by mbx01.joeware.local with Microsoft SMTPSVC(6.0.3790.211); Mon, 15 May 2006 16:44:34 -0400
Received: from wr-out-0506.google.com [64.233.184.234] by mail.activedir.org with ESMTP (SMTPD32-8.15) id A6B67EC012E; Mon, 15 May 2006 16:38:14 -0400
Received: by wr-out-0506.google.com with SMTP id i30so871233wra for ActiveDir@mail.activedir.org; Mon, 15 May 2006 13:38:12 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=otNmqTOJtu6h3lzy946aXK9yGTM5JFr0xZLRCRvkC4134GXBlEVFGTm01oR6Q0alNwcgsKlCdGaf7Oc0P7XzMRmR5td5nR1iLsJQ+rx/bxz1c1RTzynDUZSfLeogbMBIzdfTwsmUbAV2+gfnxk19fHg0GT0mFn8dk97+KotFwWM=
Received: by 10.64.10.15 with SMTP id 15mr2454953qbj; Mon, 15 May 2006 13:38:12 -0700 (PDT)
Received: by 10.65.253.12 with HTTP; Mon, 15 May 2006 13:38:12 -0700 (PDT)
Message-ID: [EMAIL PROTECTED]
Date: Mon, 15 May 2006 16:38:12 -0400
From: "Al Mulnick" [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?
In-Reply-To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64
Content-Disposition: inline
References: [EMAIL PROTECTED]
Precedence: bulk
Sender: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 15 May 2006 20:44:34.0134 (UTC) FILETIME=[5F845760:01C67860]

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/actived
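Joe's raw POP dump above shows a text/plain message declared as Content-Transfer-Encoding: base64, with the list's plain-text banner appended straight after the encoded body. The example below is added here for illustration and is not code from the list archive, the list software or Microsoft; the raw message in it is constructed (the headers follow the shape of the quoted Gmail message, the addresses and body text are invented). It reproduces what a strict and a forgiving base64 decoder make of such a stream, and shows the way a list server can append a footer without corrupting the message: decode according to the declared encoding, append, re-encode.

```python
"""Why a plain-text banner bolted onto a base64 body turns into trailing
garbage (or vanishes), and how to append a footer safely. Added example for
this thread; not the list software's or Microsoft's code. RAW_MESSAGE is
constructed: the headers mirror the shape of the quoted Gmail message, the
addresses and body text are invented."""
import base64
import binascii
import re

BODY_TEXT = "Thanks Joe, works for me now.\n"  # 30 bytes: its base64 form needs no '=' padding
BANNER = "\nList info : http://www.activedir.org/List.aspx\n"

# Constructed raw message with CRLF line endings, as it would arrive over POP3.
RAW_MESSAGE = (
    b"From: sender@example.invalid\r\n"
    b"To: list@example.invalid\r\n"
    b"Subject: Re: Is there a way to force users to logon to domain?\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=UTF-8; format=flowed\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.encodebytes(BODY_TEXT.encode("utf-8")).replace(b"\n", b"\r\n")
)


def split_message(raw: bytes):
    """Split a raw message into (headers, body) at the first blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    return head, body


def transfer_encoding(head: bytes) -> str:
    """Declared Content-Transfer-Encoding, defaulting to 7bit (RFC 2045)."""
    m = re.search(rb"(?im)^Content-Transfer-Encoding:[ \t]*([^\r\n]+)", head)
    return m.group(1).strip().lower().decode("ascii") if m else "7bit"


def append_banner_naively(raw: bytes, banner: str) -> bytes:
    """What the list server did: append plain text regardless of the encoding."""
    return raw + banner.encode("utf-8")


def append_banner_safely(raw: bytes, banner: str) -> bytes:
    """Decode the body per its declared encoding, append the banner, re-encode."""
    head, body = split_message(raw)
    cte = transfer_encoding(head)
    if cte == "base64":
        text = base64.b64decode(b"".join(body.split()), validate=True)
        new_body = base64.encodebytes(text + banner.encode("utf-8")).replace(b"\n", b"\r\n")
    elif cte in ("7bit", "8bit", "binary"):
        new_body = body + banner.encode("utf-8")
    else:
        raise NotImplementedError(f"unsupported Content-Transfer-Encoding: {cte}")
    return head + b"\r\n\r\n" + new_body


def strict_decode(raw: bytes) -> bytes:
    """A strict client: any byte outside the base64 alphabet is an error."""
    _, body = split_message(raw)
    return base64.b64decode(b"".join(body.split()), validate=True)


def decodes_strictly(raw: bytes) -> bool:
    try:
        strict_decode(raw)
        return True
    except (binascii.Error, ValueError):
        return False


def lenient_decode(raw: bytes) -> bytes:
    """A forgiving client: drop bytes outside the alphabet, drop a dangling
    partial quantum, decode the rest. The banner's letters and slashes pass
    this filter and decode to junk bytes after the real text."""
    _, body = split_message(raw)
    clean = re.sub(rb"[^A-Za-z0-9+/]", b"", body)
    clean = clean[: len(clean) - len(clean) % 4]
    return base64.b64decode(clean)


if __name__ == "__main__":
    naive = append_banner_naively(RAW_MESSAGE, BANNER)
    safe = append_banner_safely(RAW_MESSAGE, BANNER)
    print("strict decode of naive message ok:", decodes_strictly(naive))
    print("lenient decode of naive message:", lenient_decode(naive))
    print("strict decode of safe message:", strict_decode(safe))
```

A strict decoder rejects the naive message outright, while a forgiving one decodes the banner's letters and slashes as base64 and yields junk after the real text, which is the trailing garbage reported from OWA and Outlook. Re-encoding after appending (or wrapping the original as one part of a multipart/mixed message with the banner as a second part) keeps the body consistent with the encoding its headers declare.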
RE: [ActiveDir] User Accounts
Nice - poking with the finger works - give it to me babe ;-) I wasn't aware that ADSI is 100% LDAP, I thought it's just 9x% + some special stuff (AFAIK setting pwds directly with LDAP doesn't work), so I thought there's some stuff which supports it server side. Seems like you guys have a pretty good definition of the layers, would be great if you get the time to create a diagram or just dump thoughts to us and we'll handle Visio. Having a diagram of the layers (even if not 100% correct) would make some things easier to explain. E.g. the replication - it's pretty hard for many to understand that it's not handled in the DB - they just think AD and don't get that the DB is different on each server. Resetting DNTs: OK - if DNT is an auto-incrementing primary key (compared with SQL) there's a third option: reading the backup db and writing it into the real one, while keeping a DNT-translation table during the process. However that would slow down dcpromo /IFM (OK - not correct - you know what I mean) and really doesn't make any sense since it would be way easier to have larger values. And there would be other options in the future, but mentioning those would make me look like an alcoholic (and it's actually way too early here to handle thinking like that).

Gruesse - Sincerely, Ulf B. Simon-Weidner Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Monday, May 15, 2006 7:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] User Accounts Hmmm, you've actually combined too many layers in my opinion ... ADSI is client side, and based entirely on LDAP, and there is an LDAP marshalling component both on the client and LDAP server. Having an arch diagram where you don't clearly differentiate where the network interface is seems confusing.
The replication logic is actually split fairly evenly between the Directory and DBLAYER. USNs are in the dblayer for instance, while things like instanceType are handled in the Directory layer. With the current ESE level schema defined for the ntds.dit by AD you could not reuse DNTs, even after IFM. This is because AD creates the DNT column with the JET_bitColumnAutoincrement, so the auto-increment-ness is done in the ESE layer. I don't believe (though not 93% sure on this) that ESE provides a way to explicitly set an auto-increment column, so you're stuck losing those DNT values. You would either have to add the ability to reuse orphaned auto-inc's in ESE, or make AD define the column as a regular integer, and manage the auto-inc'ness and reuse itself. Neither of those options is probably as good as making AD just have 64-bit DNTs. I'll try to write up a more explicit arch diagram, that is a little more accurate if it doesn't take me too long ... Cheers, BrettSh [msft]

On Sun, 14 May 2006, Ulf B. Simon-Weidner wrote: Agreed - very good thread. Let's extend the model a bit:

-------------------------
| ...                   |
| LDAP/NETLOGON/ADSI    |- Services using the Dir/providing interfaces
| ...                   |
-------------------------
|                       | The Directory provider itself
| Directory             |- Replication works in here, so everything below is local to the DC
|                       | Version numbers, USN,.. are managed here
-------------------------
|                       |
| DBLAYER               |- Glue part between Directory and DB
|                       | (P)DNTs, Links, SIS-SDs,.. are managed here
-------------------------
|                       |
| DB                    |- Just the ESE with its features, such as defrag
|                       |
-------------------------

I also believe that the not reused DNTs on IFM is by design, IMHO there would be a possibility to reset DNTs programmatically after IFM, however this would need additional code and time after reading the DB and rebooting the DC for the first time. Gruesse - Sincerely, Ulf B. Simon-Weidner Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, April 28, 2006 10:36 PM To: 'Send - AD mailing list' Subject: RE: [ActiveDir] User Accounts This is a good thread, I should have kept up with it. :) I think some of the problem is resulting from language interpretation. When I visualize AD in regards to the topics in this thread I think of it sort of like

-----------
|         |
|   AD    |
|         |
-----------
|         |
| DBLAYER
RE: [ActiveDir] Group Name (Pre-Win2k) - Is it important
Usually not, but you may have some scripts (logon-script: ifmember) or 3rd party code which relies on the name. You should also make sure that you translate them in the GPOs, otherwise you might get weird issues. Access is usually based on SIDs - during logon the token of the user is created which lists all of his SIDs and the groups he belongs to (generally - there are exceptions such as local groups). When accessing a resource the nTSecurityDescriptor of the resource is compared against the user's token, and based on the SIDs listed in both, access is granted or denied.

Gruesse - Sincerely, Ulf B. Simon-Weidner Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teo De Las Heras Sent: Monday, May 15, 2006 2:42 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Group Name (Pre-Win2k) - Is it important We're making changes to group names in Active Directory. Is it important to keep the Pre-Win2k names the same? Teo
RE: [ActiveDir] Group Name (Pre-Win2k) - Is it important
GREP? What's GREP! ;-) Great idea - forgot about that one. GPOs are really a big point here - I've seen an enterprise going down because of that. GPMC with backup / import (instead of backup / restore) might help here as well.

Gruesse - Sincerely, Ulf B. Simon-Weidner Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, May 15, 2006 3:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Group Name (Pre-Win2k) - Is it important Windows itself will mostly not have an issue if you don't. Some things that might are custom scripts, batch files, tools, applications, etc that you have written to use those names. The one place I can think of off the top of my head that might have an issue in Windows is if you have set up restricted groups and didn't browse for the group name and instead simply typed it in, the restricted group may be specified by legacy name instead of SID in the policy files. You can easily find this by GREPping your sysvol with an ID that has suitable permissions to see all policy files for the string that represents the group name. If you know you have used the group that way you may also want positive affirmation that it isn't there by name by also GREPping by the SID. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teo De Las Heras Sent: Monday, May 15, 2006 8:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Group Name (Pre-Win2k) - Is it important We're making changes to group names in Active Directory. Is it important to keep the Pre-Win2k names the same? Teo
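Joe's suggestion of grepping SYSVOL for the group name and then for its SID, together with Ulf's point that access is evaluated on SIDs while scripts and GPO settings may carry the name, can be checked mechanically. The example below is added here for illustration and is not code from the thread, from Microsoft or from any project; the GptTmpl.inf text in it is constructed and its domain SIDs are invented. It parses the Restricted Groups and User Rights Assignment sections of a security template and reports which entries reference a group by name (these break on rename) and which by SID (these survive).

```python
"""Find Group Policy security-template entries that reference a group by
name (which break when the group is renamed) versus by SID (which survive).
Added example for this thread; not code from the list, Microsoft or any
project. SAMPLE_GPTTMPL is constructed and its domain SIDs are invented."""
import re
from typing import Dict, List, Tuple

# Constructed GptTmpl.inf: [Group Membership] is what Restricted Groups writes,
# [Privilege Rights] is User Rights Assignment. Entries prefixed with '*' are
# SIDs; bare DOMAIN\Name entries are what you get when the name was typed in.
SAMPLE_GPTTMPL = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1104,CORP\Server Admins
CORP\Helpdesk__Memberof = *S-1-5-32-555
CORP\Helpdesk__Members =
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,CORP\Helpdesk
SeBackupPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1107
"""

PRINCIPAL_SECTIONS = ("Group Membership", "Privilege Rights")
SID_RE = re.compile(r"^\*?S-1-\d+(?:-\d+)+$")

Sections = Dict[str, List[Tuple[str, str]]]
Reference = Tuple[str, str, str]  # (section, key, principal as written)


def parse_inf(text: str) -> Sections:
    """Minimal INF parser: {section: [(key, value), ...]} in file order."""
    sections: Sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def principal_references(sections: Sections) -> List[Reference]:
    """Every principal named in the two sections, from both sides of '='.
    Group Membership keys look like '<principal>__Members' or '__Memberof'."""
    refs: List[Reference] = []
    for section in PRINCIPAL_SECTIONS:
        for key, value in sections.get(section, []):
            if section == "Group Membership":
                head, sep, _ = key.rpartition("__")
                if sep:
                    refs.append((section, key, head))
            for item in value.split(","):
                item = item.strip()
                if item:
                    refs.append((section, key, item))
    return refs


def is_sid(principal: str) -> bool:
    return SID_RE.match(principal) is not None


def name_references(text: str, group_name: str) -> List[Tuple[str, str]]:
    """(section, key) of entries that carry the group by its SAM name."""
    wanted = group_name.lower()
    hits = []
    for section, key, principal in principal_references(parse_inf(text)):
        if is_sid(principal):
            continue
        bare = principal.split("\\", 1)[-1].lower()  # drop a DOMAIN\ prefix
        if bare == wanted:
            hits.append((section, key))
    return hits


def sid_references(text: str, sid: str) -> List[Tuple[str, str]]:
    """(section, key) of entries that carry the group by SID."""
    return [
        (section, key)
        for section, key, principal in principal_references(parse_inf(text))
        if is_sid(principal) and principal.lstrip("*") == sid
    ]


if __name__ == "__main__":
    for name in ("Helpdesk", "Server Admins", "Administrators"):
        print(f"{name!r} by name (breaks on rename): {name_references(SAMPLE_GPTTMPL, name)}")
    print("S-1-5-32-544 by SID (survives rename):", sid_references(SAMPLE_GPTTMPL, "S-1-5-32-544"))
```

On a real domain the templates live under \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf and are typically UTF-16 encoded, so read each one with open(path, encoding="utf-16") before passing the text in, and run the scan as an account that can read every policy folder. Any hit from name_references for the group you are about to rename is an entry to fix first; hits from sid_references are fine as they are.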
RE: [ActiveDir] Is there a way to force users to logon to domain?
What about the origin - are they created using OL2k7? If so it must be a new bug - I was using a bit older version for quite a while (and everything was readable), but it almost corrupted my mailstore - so I switched temporarily back.

Gruesse - Sincerely, Ulf B. Simon-Weidner Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Tuesday, May 16, 2006 12:10 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Is there a way to force users to logon to domain? I have a rule that auto-deletes Al's emails as a matter of course. :) I can confirm what others have said that the emails are visible in Outlook 2007. Still checking to see if there is a way to resolve this on the list server side, but haven't found anything yet. Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, 16 May 2006 9:42 a.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Is there a way to force users to logon to domain? Crap, more blank emails from Al. Al, use hotmail or something. ;) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Monday, May 15, 2006 4:38 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.
RE: [ActiveDir] Is it important to keep correct timezone settings on DC?
Hi Freddy, it doesn't make any sense to retrieve the timezone settings from the DC, since the clients may be in other timezones than the DC they are authenticating against. And speaking about traveling users, they may want to adjust the timezone to their current location, which would keep international invitations and appointments happy. The time and timezone need to be set correctly, so that all machines in the domain are at about the same time with respect to the timezone. Speaking about GPOs - for international or cross-timezone organisations you may want to set those based on the site (considering the best practices when it comes to GPOs linked to sites), however to enable traveling users to adjust their timezone I'd recommend setting the time correctly automatically and preventing the users from changing the time, but allowing them to adjust the timezone.

Gruesse - Sincerely, Ulf B. Simon-Weidner Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO Sent: Thursday, May 11, 2006 10:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Is it important to keep correct timezone settings on DC? Hi all, Does the client take timezone and daylight savings changes from the DC? I was under the impression that timezones and daylight savings changes are local to the PC and the DC NTP server runs on a Zulu timezone? Just curious as I had an issue with a remote site today due to a daylight savings tickbox. Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785
RE: [ActiveDir] User Accounts
Agreed - very good thread. Let's extend the model a bit:

-------------------------
| ...                   |
| LDAP/NETLOGON/ADSI    |- Services using the Dir/providing interfaces
| ...                   |
-------------------------
|                       | The Directory provider itself
| Directory             |- Replication works in here, so everything below is local to the DC
|                       | Version numbers, USN,.. are managed here
-------------------------
|                       |
| DBLAYER               |- Glue part between Directory and DB
|                       | (P)DNTs, Links, SIS-SDs,.. are managed here
-------------------------
|                       |
| DB                    |- Just the ESE with its features, such as defrag
|                       |
-------------------------

I also believe that the not reused DNTs on IFM is by design, IMHO there would be a possibility to reset DNTs programmatically after IFM, however this would need additional code and time after reading the DB and rebooting the DC for the first time.

Gruesse - Sincerely, Ulf B. Simon-Weidner Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, April 28, 2006 10:36 PM To: 'Send - AD mailing list' Subject: RE: [ActiveDir] User Accounts This is a good thread, I should have kept up with it. :) I think some of the problem is resulting from language interpretation. When I visualize AD in regards to the topics in this thread I think of it sort of like

-----------
|         |
|   AD    |
|         |
-----------
|         |
| DBLAYER |
|         |
-----------
|         |
|   DB    |
|         |
-----------

Depending on who you are you may look at all three boxes as AD and truly for most everyone that is the case. However when speaking at the internal component level these are three main areas, it could be broken up into even more like for instance SAM, Kerb, Replication, LDAP, etc. But I think where some confusion may have come in is when saying AD dblayer. To many that would read as the DB. But I am reading it as the layer that interfaces or more properly abstracts the lower DB portions from the high level AD stuff.
That way you could jack up AD and slide another DB under it say something good like Oracle or MySQL or notepad or something eg and make most adjustments at the dblayer, sort of like a HAL. So we could call the dblayer something more like DBAL. I expect the abstraction isn't that fully fleshed out and there are still dependencies based on the underlying DB tech but I expect that could be worked through rather speedily, those AD Dev guys are a generally smart bunch. Microsoft could look into a reuse system for older DNTs but it would be more logical, IMO, to just expand the bit size of the variable. Since again, these DNTs are local it wouldn't be an issue except in the case of IFM promos, you would now be in a situation where you could IFM from a machine with a 32 bit DNT to one with 32 bit DNTs or 64 Bit DNTs but if you have a backup from a 64 bit machine you could only IFM with another 64 bit machine (even that could be made to work if you could guarantee that the high half of the variable wasn't being used but you would be silly to even start going in that direction). Anyway... Chase down the guy who stole the bit and get it back and we double the DNTs, fire someone and get another bit and double again (and you thought bits were just small little things...). Get it over with and go to 64 bits or really have fun and use 128. Of course this has implications on performance on 32 bit machines but those should be dropping off now that we are saying people need to load 64 bit OSes anyway - who is going to want to run 32 bit DCs with 64 bit Exchange pounding on them[1]? MS did it for Exchange, why not force the issue with AD as well in LH? Exchange 12 is due out before LH isn't it? Everyone should be used to being slapped and told they have to say they like it by then. :) joe [1] Being facetious here, though I don't really expect MS Exch Dev to change how they recommend DC hardware for Exchange.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Wednesday, April 19, 2006 10:46 AM To: Send - AD mailing list Subject: RE: [ActiveDir] User Accounts Inline ... -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner Sent: Wednesday, April 19, 2006 2:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] User
RE: [ActiveDir] R2 Upgrade or install?
Just depends on when you Dcpromo it. On the first DC in the Forest:
WS2k3 then SP1 then DCPromo: 180 days
WS2k3 then dcpromo then SP1: 60 days
WS2k3 w/ slipstreamed SP1, then DCPromo: 180 days
However as I understand SBS-Land you are unable to do SBS then SP1 then dcpromo w/o slipstreaming.

Gruesse - Sincerely, Ulf B. Simon-Weidner Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Monday, May 01, 2006 4:13 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] R2 Upgrade or install? Tombstone of 180 days for one. Slip sp1 has some slight different values than 2k3 + sp1.

Bahta, Nathaniel V CTR USAF NASIC/SCNA wrote: Is there any reason for your preference to use R2 disk 1 for a fresh install, rather than installing from a 2003 CD and then loading the Service pack? If I understand correctly the R2 disk 1 is just 2003 with SP1 slipstreamed into it, am I correct? Thanks, Nate Bahta

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Friday, April 28, 2006 7:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] R2 Upgrade or install? I do option 2 for existing installs that need it and option 3 for anything that needs a rebuild excuse or is fresh. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA Sent: Friday, April 28, 2006 1:18 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] R2 Upgrade or install? Hey all, I am having a debate and wondering if the following is true:
1) You must upgrade your 2003 servers to SP1 before going to R2.
2) You can upgrade an existing 2003 server to SP1 and then load the components from R2 onto it from R2 disk 2. Or
3) Must you load the R2 disk 1 2003 Operating System disk with SP1 embedded and then load R2 disk 2 onto it.
Just trying to figure out if we need to upgrade to SP1 and then we can load the components of R2 onto our existing 2003 servers, or if we need to load the R2 disk 1 operating system, which contains SP1 already, and then R2 disk 2. Does anyone have any ideas? Thanks, Nate Bahta
RE: [ActiveDir] R2 Upgrade or install?
Also the uninstall-files and all the previous garbage which isn't needed won't install when using slipstreamed media. Ulf

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO Sent: Monday, May 01, 2006 3:23 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] R2 Upgrade or install? There's quite a few behaviours that are different when SP1 is slipstreamed and isn't, found out a few things on IIS behaviour with Integrated Authentication for example. http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true Does anyone have a complete list of differences? Been wanting to have it for quite some time.. Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA Sent: Monday, May 01, 2006 5:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] R2 Upgrade or install? Is there any reason for your preference to use R2 disk 1 for a fresh install, rather than installing from a 2003 CD and then loading the Service pack? If I understand correctly the R2 disk 1 is just 2003 with SP1 slipstreamed into it, am I correct? Thanks, Nate Bahta

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Friday, April 28, 2006 7:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] R2 Upgrade or install? I do option 2 for existing installs that need it and option 3 for anything that needs a rebuild excuse or is fresh. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA Sent: Friday, April 28, 2006 1:18 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] R2 Upgrade or install? Hey all, I am having a debate and wondering if the following is true:
1) You must upgrade your 2003 servers to SP1 before going to R2.
2) You can upgrade an existing 2003 server to SP1 and then load the components from R2 onto it from R2 disk 2. Or
3) Must you load the R2 disk 1 2003 Operating System disk with SP1 embedded and then load R2 disk 2 onto it.
Just trying to figure out if we need to upgrade to SP1 and then we can load the components of R2 onto our existing 2003 servers, or if we need to load the R2 disk 1 operating system, which contains SP1 already, and then R2 disk 2. Does anyone have any ideas? Thanks, Nate Bahta
RE: [ActiveDir] logging users out
Did you try shutdown.exe? The parameters /l /f /t 3600 allow you to time it for an hour after executing it, and to force a logoff. No need to script around using additional timers or scripts.

Gruesse - Sincerely, Ulf B. Simon-Weidner MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser Sent: Monday, April 24, 2006 6:07 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] logging users out Thank you all for the helpful hints, Yes exactly, I want it to log off users whether they object or not, please can you post it or send it to me? Thanks

On 4/23/06, joe [EMAIL PROTECTED] wrote: Do you want this to be something that logs the user off whether or not they object? If so, I have a qlogoff tool that will log someone off immediately and they will lose whatever they are working on. I thought I posted it to the website but I don't see it. But I can post it. Firing it after one hour will be a little involved. You will have to have some sort of timer app running in the background. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of shereen naser Sent: Saturday, April 22, 2006 3:38 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] logging users out Hi list, how can I set Active Directory to log out users after a specific period of time, say an internet cafe wants to log the users out after one hour? I don't want to use account expires, I want the account to be still active but to log the users out and they can re-login after that no problem.
RE: [ActiveDir] logging users out
Guess you'll have to do that by yourself, e.g. logon-script shutdown -l -t 3600

Gruesse - Sincerely, Ulf B. Simon-Weidner MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser Sent: Saturday, April 22, 2006 9:38 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] logging users out Hi list, how can I set Active Directory to log out users after a specific period of time, say an internet cafe wants to log the users out after one hour? I don't want to use account expires, I want the account to be still active but to log the users out and they can re-login after that no problem.
RE: [ActiveDir] Can We configure Roaming Profiles using Script
Hello Ravi, It's basically a setting of the user account, so you can create a share, allow Everyone Full Control on the share, then change the user accounts using ADUC Multiselect/Multiedit or with the ds-tools: Dsmod user distinguishedname_of_user -profile \\server\profile$\$username$

Gruesse - Sincerely, Ulf B. Simon-Weidner MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
|Sent: Saturday, April 22, 2006 8:58 PM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Can We configure Roaming Profiles using Script
|
|Hi Champs,
|
|Can we configure Roaming Profiles using Script. I am in need
|of this because we are migrating to ThinClient and want all
|our users to have a Roaming Profile.
|
|Kindly update if there is a way out. I have 3 days with me to
|come up with a solution.
|
|I know someone there has a solution.
|
|We have Win2k3 DC's and Windows XP Embedded (ThinClients).
|
|--
|Ravi Dogra
RE: [ActiveDir] Can We configure Roaming Profiles using Script
Hello Ravi, the easiest way is using the GUI, by selecting all users in question in Active Directory Users and Computers, then choose Properties and set the checkbox next to the profile field and enter the profile path in there. You can use %username% in there as well. Will set it for all users. You can also combine the dstools: Dsquery user ou=whatever,dc=example,dc=com -limit 0 | dsmod user -profile ... This should give you an example how to do this.

Gruesse - Sincerely, Ulf B. Simon-Weidner MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
|Sent: Saturday, April 22, 2006 9:52 PM
|To: ActiveDir@mail.activedir.org
|Subject: Re: [ActiveDir] Can We configure Roaming Profiles using Script
|
|Hi Ulf,
|
|Do I need to run the same command for all my users. I think there
|should be a better way to just run a single command over OU or
|Group or List of Users.
|
|Update me if I am wrong.
|
|Dsmod user distinguishedname_of_user -profile
|\\server\profile$\$username$
|
|Thanks
|Ravi Dogra
RE: [ActiveDir] User Accounts
* DNTs (to me) are _not_ a component of the directory

IIRC they are like a (primary/foreign) key in a database. Technically not needed by the database layer, and not needed by the application, but needed to keep the data together for the application. So if you look at AD from the outside it won't be referenced; if you look at ESE it's just a DB and doesn't care about the data stored within, but you still need it in between to store the AD in the ESE. Right?

* DNTs are not reusable

Unique per server and don't provide any reference across servers. If AD looks for a parent object by looking up its known DNT (stored with the child), ESE would fail in that moment; AD would not be able to go to another server and look up the same DNT in its database. The AD is distributed, the ESE is local, and DNTs are part of the local table.

If I understand correctly: DNTs are reusable in ESE, however AD's implementation does not allow DNTs to be released / reused on a single server, and the database will only reuse them if you recreate the DB by repromoting (cause the data is replicated from other servers into a virgin ESE, and DNTs are assigned from the beginning at this point). Right?

Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
|Sent: Wednesday, April 19, 2006 1:18 AM
|To: Send - AD mailing list
|Subject: RE: [ActiveDir] User Accounts
|
|Inline is my take on an IM conv. Brett and I just had, the result and content of which turned up some interesting (to me at least) implementation details. The short story is -
|
|* DNTs (to me) are _not_ a component of the directory
|  - they _are_ a component of the layer that bridges the two (dblayer)
|  - to Brett, I believe he sees them within the sum of what is the directory
|* DNTs (to both Brett and I) are not part of ESE
|* DNTs are limited (as Eric says) to 2^31 (~2.1 billion rows)
|* DNTs are not reusable
|
|I hope the summary and conversational text inline proves useful.
|
|--
|Dean Wells
|MSEtechnology
|* Email: [EMAIL PROTECTED]
|http://msetechnology.com
|
| -Original Message-
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
| Sent: Tuesday, April 18, 2006 5:11 PM
| To: ActiveDir@mail.activedir.org
| Cc: Send - AD mailing list
| Subject: RE: [ActiveDir] User Accounts
|
| Dean, I didn't understand this comment ...
| But, dude, seriously, you weren't aware that AD's ESE used a 32 bit DNT?
| Methinks perhaps you're muddling in the realms of personal interpretation ... though I'm quite certain you'll argue that too ... ESE purist :0p
|
| Are you claiming that ESE knows what a DNT is?
|
|Not at all ... but IMO, neither does the directory ... and per our IM, the dblayer knows what they are (after all, DNT = distinguished name tag ... blatantly not an ESE term ... and dblayer = database layer ... not a directory term ... hmmm)
|
| A DNT is an entirely AD concept, ESE has no idea what a DNT is.
|
|Nod.
|
| ESE also has no concept of linked-values, or the link_table.
|
|Now this was news to me, so here's the summary: ESE has tables + columns + indices over columns. The dblayer forms the bridge between two technologies, one molding the behavior of the other (dblayer molds ESE). ESE maintains no referential integrity, the dblayer does this ... including link-pairs -- this part was especially surprising to me.
|
| This is the 2nd time you've confused the AD dblayer (what maintains the AD schema on an ESE database) and the ESE database layer.
|
|Don't know that I'd agree with that since on neither occasion was the dblayer specifically referenced .. but it's moot for the moment since I'm still mulling over whether my new-found knowledge pertaining to link-pairs influences my opinion on where DNTs lie; directory or database.
RE: [ActiveDir] User Accounts
Ok - thinking it over, it's understandable that IFM does not touch DNTs but rather uses the backup as the default dit to start from. Obviously you are not creating a default dit and opening up a second dit to do a local sync. How are you handling server-specific settings? Delete/change those right at the beginning of an IFM, then go ahead with the default replication to figure out the changes? Guess USNs and watermark vectors can be kept and are the same at the beginning of IFM.

However, thanks Eric and Dean for verification and additional thoughts.

Ulf

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
|Sent: Wednesday, April 19, 2006 4:39 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
|
| DNTs are reusable in ESE, however ADs implementation does not allow DNTs to be released / reused on a single server, and the database will only reuse them if you recreate the DB by repromoting (cause the data is replicated from other servers into a virgin ESE, and DNTs are assigned from the beginning at this point).
|
|Basically, yes. Though I would point out, this is hardly reusing DNTs...this is more starting over. :) For the sake of clarity I would point out that such a re-promotion would need to be over the wire and not IFM. IFM just picks up where the last left off, as you are using the old database again, and so the same AD level rules apply.
|
|~Eric
|
|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
|Sent: Tuesday, April 18, 2006 11:40 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
|
|* DNTs (to me) are _not_ a component of the directory
|
|IIRC they are like a (primary/foreign) key in a database. Technically not needed by the database layer, and not needed by the application, but needed to keep the data together for the application. So if you look at AD from the outside it won't be referenced, if you look at ESE it's just a DB and doesn't care about the data stored within, but you still need it in between to store the AD in the ESE.
|Right?
|
|* DNTs are not reusable
|
|Unique per Server and don't provide any reference across servers. If AD looks for a parent object by looking up its known DNT (stored with the child), ESE would fail in that moment, AD would not be able to go to another server and look up the same DNT in its database. The AD is distributed, the ESE is local, and DNTs are part of the local table.
|
|If I understand correctly:
|DNTs are reusable in ESE, however ADs implementation does not allow DNTs to be released / reused on a single server, and the database will only reuse them if you recreate the DB by repromoting (cause the data is replicated from other servers into a virgin ESE, and DNTs are assigned from the beginning at this point).
|
|Right?
|
|Gruesse - Sincerely,
|
|Ulf B. Simon-Weidner
|
| MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
| Weblog: http://msmvps.org/UlfBSimonWeidner
| Website: http://www.windowsserverfaq.org
| Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
|
||-Original Message-
||From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
||Sent: Wednesday, April 19, 2006 1:18 AM
||To: Send - AD mailing list
||Subject: RE: [ActiveDir] User Accounts
||
||Inline is my take on an IM conv. Brett and I just had, the result and content of which turned up some interesting (to me at least) implementation details. The short story is -
||
||* DNTs (to me) are _not_ a component of the directory
||  - they _are_ a component of the layer that bridges the two (dblayer)
||  - to Brett, I believe he sees them within the sum of what is the directory
||* DNTs (to both Brett and I) are not part of ESE
||* DNTs are limited (as Eric says) to 2^31 (~2.1 billion rows)
||* DNTs are not reusable
||
||I hope the summary and conversational text inline proves useful.
||
||--
||Dean Wells
||MSEtechnology
||* Email: [EMAIL PROTECTED]
||http://msetechnology.com
||
|| -Original Message-
|| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
|| Sent: Tuesday, April 18, 2006 5:11 PM
|| To: ActiveDir@mail.activedir.org
|| Cc: Send - AD mailing list
|| Subject: RE: [ActiveDir] User Accounts
||
|| Dean, I didn't understand this comment ...
|| But, dude, seriously, you weren't aware that AD's ESE used a 32 bit DNT?
|| Methinks perhaps you're muddling in the realms of personal interpretation ... though I'm quite certain you'll argue that too ... ESE purist :0p
||
|| Are you claiming that ESE knows what a DNT is?
||
||Not at all ... but IMO, neither does the directory ... and per our IM, the dblayer knows what they are (after all, DNT = distinguished name tag
RE: [ActiveDir] Anomoly in application of Permissions by adminSDHolder
Hi Richard,

You can change the settings by delegating write access to lockoutTime on the adminSDHolder object in the System container. After doing that your helpdesk will be able to unlock any administrative account anywhere in the domain. For more information query my blog for adminSDHolder or use Google, which will bring it up as well.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Bowersox
|Sent: Wednesday, April 19, 2006 10:09 PM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Anomoly in application of Permissions by adminSDHolder
|
|I have noticed what appears to be an anomaly in the way that adminSDHolder is applying object permissions and was wondering if anybody else has seen something similar or has a workaround.
|
|We want our internal helpdesk staff to be able to unlock any user's account, even privileged accounts that are protected by adminSDHolder 'inheritance'. The HELPDESK group has been given Read/Write permissions on the lockoutTime attribute for User Objects protected by adminSDHolder. However, when members of HELPDESK go to unlock a locked account of this type, the choice is grayed out. (The same permissions given to the same group for accounts not protected by adminSDHolder allow the HELPDESK to unlock those accounts without any problem.)
|
|When I look at the permissions applied to the specific user object it shows that the HELPDESK group has Read/Write on the lockoutTime attribute as expected. The only way that members of the HELPDESK group can gain access to the account lockout box is to set the security on a specific account for the lockoutTime READ/WRITE permission to apply to 'This Object' rather than the 'User Objects' choice.
|
|Unfortunately, when setting the security on the adminSDHolder container, I cannot use the 'This object and all child objects' choice because when that is selected, the lockoutTime attribute is not an available option.
|
|Rick Bowersox
|Rockwell Collins
|
|If you cannot convince them, confuse them.
|-- Harry S Truman
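Ulf's delegation, scripted, plus the check a practitioner wants afterwards. This is an added PowerShell example, not code from the thread; it assumes the RSAT ActiveDirectory module (for the AD: drive and the AD cmdlets), uses the HELPDESK group name from Richard's message, and looks up the schema GUID of lockoutTime instead of hard-coding it. SDProp copies the adminSDHolder DACL onto each protected account, so an ACE written on adminSDHolder with inheritance "this object only" applies to the account it lands on. That is consistent with what Richard observed: an ACE scoped to descendant "User objects" lands on the protected user as an ACE for its children, and the unlock box stays grayed out. The GUI does not offer lockoutTime for "this object only" on adminSDHolder, which is why this is done in code.

```powershell
# Added example (not from the thread): delegate unlock (write lockoutTime) to a
# helpdesk group through adminSDHolder, and verify SDProp has stamped the ACE
# onto the protected accounts. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$WriteProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ReadProp  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

# schemaIDGUID of lockoutTime, read from the schema NC rather than hard-coded.
function Get-LockoutTimeGuid {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID
    [guid] $attr.schemaIDGUID
}

function Grant-AdminSDHolderUnlock {
    param([Parameter(Mandatory)] [string] $GroupName)   # e.g. 'HELPDESK'

    $holder   = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
    $sid      = (Get-ADGroup -Identity $GroupName).SID
    $attrGuid = Get-LockoutTimeGuid

    # Inheritance "None" = "This object only". SDProp copies this DACL verbatim
    # onto every protected account, so the ACE must apply to the object itself,
    # not to descendant User objects (which a protected user never has).
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        ($ReadProp -bor $WriteProp),
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

    $acl = Get-Acl -Path "AD:\$holder"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$holder" -AclObject $acl
}

# Check: after the next SDProp run (every 60 minutes by default on the PDC
# emulator) every adminCount=1 account should carry the explicit ACE.
function Test-ProtectedAccountUnlockAce {
    param([Parameter(Mandatory)] [string] $GroupName)

    $sid      = (Get-ADGroup -Identity $GroupName).SID
    $attrGuid = Get-LockoutTimeGuid

    foreach ($u in Get-ADUser -LDAPFilter '(adminCount=1)') {
        $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
        $hit = $acl.Access | Where-Object {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
            $_.ObjectType -eq $attrGuid -and
            (($_.ActiveDirectoryRights -band $WriteProp) -eq $WriteProp) -and
            $_.InheritanceType -eq [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
        }
        [pscustomobject]@{ Account = $u.SamAccountName; UnlockDelegated = [bool] $hit }
    }
}

Grant-AdminSDHolderUnlock -GroupName 'HELPDESK'
# ... wait for SDProp, then:
Test-ProtectedAccountUnlockAce -GroupName 'HELPDESK' | Format-Table -AutoSize
```

Anything granted on adminSDHolder reaches every protected account in the domain, Domain Admins included, so the group named here should be reviewed the same way membership in the protected groups is.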
RE: [ActiveDir] Tombstone attributes
Unfortunately the password is the same attribute for users and computers. I thought recently to put the password in the tombstone to ease computer account reanimation - after the account is deleted the computer is not able to change its password, and if it was deleted accidentally it's easy to reanimate the account and the computer will still be happy.

I know that it'll be easy to put the computers in the domain again, however I've had a customer with hundreds of sites which lost a couple hundred computer accounts across those sites, and bandwidth didn't allow to remotely script the addition of the computer accounts to the domain via netdom. We were able to perform an authoritative restore, and were lucky that we lost almost no computer accounts due to changed passwords, however this was an unlikely event with the computers recently joined to the newly created domain. In running domains we'd have to calculate an average of 1/15th of computers per day of the age of the backup to join manually.

I agree on user objects - and if I'd decide to keep the password for computer accounts in the tombstone I would prefer to put a procedure in place to change a user's password before deleting it.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
|Sent: Tuesday, April 18, 2006 11:19 PM
|To: ActiveDir@mail.activedir.org
|Subject: Re: [ActiveDir] Tombstone attributes
|
|Steele, Aaron [BSD] - ADM wrote:
| Hi there all,
|
| Does anyone here know why Microsoft chose not to include the attributes related to user password and sidHistory in the tombstone of an object upon deletion?
| Was it a security decision?
| I would like to get some input from people here before I go and update my schema to enable the restoration of these properties from the tombstone'd object.
|
|Personally I would not like to preserve the password attribute on the tombstone - I don't see a reason for that, and yes, IMO it can be seen as a possible security threat. If a user is deleted and restoring it requires admin action it is just another logical step to reset its password.
|
|The SID History attribute is preserved as of SP1 on Windows 2003 DCs. ~Eric wrote about it some time ago:
|http://blogs.technet.com/efleis/archive/2005/07/12/407648.aspx
|
|and this is OK - when you want to restore an object and probably its group membership etc., preserving SID History is a good solution.
|
|--
|Tomasz Onyszko
|http://www.w2k.pl/blog/ - (PL)
|http://blogs.dirteam.com/blogs/tomek/ - (EN)
RE: [ActiveDir] Tombstone attributes
Agreed - as I said I'd put procedures in place to protect user account passwords, but would use tombstones to ease computer account restores.

Ulf

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
|Sent: Wednesday, April 19, 2006 12:43 AM
|To: ActiveDir@mail.activedir.org
|Subject: Re: [ActiveDir] Tombstone attributes
|
|Ulf B. Simon-Weidner wrote:
| Unfortunately the passwords is the same attribute for users and computers. I thought recently to put the password in the tombstone to ease computer account reanimation - after the account is deleted the computer is not able to change its password, and if it was deleted accidentally it's easy to reanimate the account and the computer will still be happy.
|
| I know that it'll be easy to put the computers in the domain again, however I've had a customer with hundreds of sites which lost a couple hundred computer accounts across those sites, and bandwidth didn't allow to remotely script the addition of the computer accounts to the domain via netdom. We were able to perform an authoritative restore, and were lucky that we lost almost no computer accounts due to changed password, however this was an unlikely event with the computers recently joined the newly created domain.
| In running domains we'd have to calculate an average of 1/15th of computers per day of the age of the backup to join manually.
|
| I agree on user objects - and if I'd decide to keep the password for computer account in the tombstone I would prefer to put a procedure in place to change a user's password before deleting it.
|
|Jup, I can agree with it - but still I don't like the idea of restoring the user with the old password. What about password age and complying with security policy - I can imagine a situation in which a user's password was 89 days old (with 90 days maximum password age), then was deleted and restored - the password will be valid for another 90 days. What about complexity requirements?
|
|--
|Tomasz Onyszko
|http://www.w2k.pl/blog/ - (PL)
|http://blogs.dirteam.com/blogs/tomek/ - (EN)
RE: [ActiveDir] User Accounts
Very interesting again, thanks for those explanations.

So you've seen ADs with 50M - 100M objects. This makes the theoretical part of my brain a bit anxious - theoretically ;-)

Were these real objects, or what the regular AD guy would refer to (sum of users, computers, groups, a.s.o. - leaving out technical objects like phantoms, objects in the C-NC, S-NC, D-NC/System, .. dnsNode objects [1], ..)?

That means they'll have issues after an account overturn [2] of 20-40 (or 10 if 100M objects and you feel comfortable with 1.07B) because then they hit the unreleased DNTs and have to start repromoting DCs to get them back. OK - while an account overturn of 20 seems very long term - I doubt that DNTs are being released by in-place upgrades and I don't look very happy imagining running ADMT or some other migration tool against 100M object ADs. And the limit is still the forest, not the domain. So in the long term they might even be hitting the DNT limit, without even creating a bigger AD DIT (considering they perform regular DIT maintenance) - just by deleting and recreating each object b/c of its natural overturn up to 40 times and not releasing their DNTs. However long term - if we assume 100M objects and an object overturn of about 10 yrs we'll have 20 cycles and 200 yrs to figure that out - or just get the last bit back and rethink.

Limit on RIDs - this one is interesting as well, since we only need to create 2147483 DCs and create 325 objects on the last one. Anyone out there to lend me some hardware ;-)

However I'm still curious what would happen when we have the 2^31+1 newly created objects (handled error, major bang of the server against the wall) (no matter how many are currently existing - the same issue would happen with lower numbers of objects and frequent deletion/creation)?

Also - as Dean mentioned - what would happen when we have more than 2^30-1000+1 security principals - bang boom bang - or start the RIDs over at 1000, or overflow which would cause the RIDs to start at 1 (yeah - I'd like to be the 2^30-1000+500 user then)?

OK - everything extremely unlikely - but the d... [3] thing is that my brain wants to know that now - and I can't find the soft reset ;-)

[1] Uupsi - they tend to be deleted and recreated quite frequently (compared to accounts)

[2] How would you call this? Inventory overturn comes to my mind (the cycle when a warehouse has all inventory sold and new one in there), so account overturn may be appropriate defining when each account has been dismissed and a new one created (however technically I'm talking about object overturn) - people leave and people join - people die and people are being instantiated (aka born).

[3] Swearword? No clue - I'm German - we have our own - can't keep a dictionary of appropriate words in foreign languages in the same brain which is interested in those answers.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
|Sent: Monday, April 17, 2006 2:47 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
|
|Eric's quoting didn't come across in pine so well, so I've improved it by using where he was quoting others ...
|
|*Ahem* ... for the hex heads ...
|
|ESE limits:
|
|The underlying store (aka ESE or JET Blue) does not have a 4.2 billion row constraint to the # of rows in a single table ... ESE will support from 2^1 up to 2^(~240*8) rows in a single table, _depending upon your primary key_ ... and if you found ESE's old max 9.95e+583 rows to be woefully under sized, you'll be able to go to around _I think_ 2^(~1875*8) rows in Vista ... if you can find the storage for it [1].
|
|AD design limits:
|
|Active Directory however chose a primary key (the DNT) that has only 32 bits, and is signed, so limiting to positive values is limited to 2.1 billion rows (as ~Eric mentions), but this is not ESE's fault, nor an ESE limitation. Exchange for example chose a 63-bit message ID on their message table (called 1-23 IIRC), and is thus limited to no more than 2^63 / 9.22 quintillion rows (though probably a bit less due to the way they parse up the message ID).
|
|Clearly the Exchange limit of # of message rows shows that ESE is not limited to 2.1 or 4.2 billion rows in a single table, this is why it is crucial to be able to distinguish how ESE differs from the data layer / schema (of AD) constructed on top of ESE.
|
|At this point we think we've established the max # of objects in an AD database, BUT the actual hard limitation would be the minimum of several competing constraints, any which could reduce us far lower ...
|
|Actual hard limitation
RE: [ActiveDir] User Accounts
Hi Brett,

I don't want you to say or admit anything - I'm just curious and having a conversation here ;-)

I was referring to your sentence
 I've heard of two production ADs in excess of 50 M (less than 100 M though)
Which really made me curious and I started to think that these are not that unlikely to hit the limit. The rest of the conversation is just curiosity and for the sake of being interested - no real scenario - just interested in opinions.

Never take me too serious - I'm German but that wasn't my fault ;-) I like to discuss what-if scenarios and am mainly interested in geeky chit-chat.

And I've never and will never ask someone of your group or company to confess something in public. We are just chatting here.

Ulf

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
|Sent: Tuesday, April 18, 2006 12:32 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
|
|In my experience the type of forest you're thinking about is a different beast, Ulf ...
|
|I don't know a single customer that has a NOS / IT infrastructure forest with 10M objects, in fact I can't even think of one with 5 M. Anything north of 5M - 10M objects is almost assuredly e-commerce, internet facing web portal type stuff ...
|
|There is natural churn because user accounts on the web facing stuff churn, multiple personas, forgotten password, what ever, but they don't get any of the normal churn you associate with the IT infrastructure (DNS objects, computer accounts join/unjoin, MIIS or HR control system injected changes, etc). They're basically using it like a specialized database.
|
|They are more prone to IFM though, which doesn't recycle DNTs. But all things considered the object churn seems to be less ... I believe the churn isn't too ridiculous.
|
|But it seems you just want to say or me to admit, yes if you hit this limit you will need to repromote. That is true. People dealt w/ NT4 SAM when it balked at 70k accounts or whatever, people will have to deal w/ AD when they use 2B RDNs ... if you're actually dealing with numbers that ballpark into that area, I'd be curious to hear about your scenario, but I suspect no one is doing that ... yet.
|
|Cheers,
|-BrettSh
|
|On Mon, 17 Apr 2006, Ulf B. Simon-Weidner wrote:
|
| Hi ~eric,
|
| I don't look very happy imagining running ADMT or some other migration tool against 100M Object ADs
|
| You don't need to think about anything like ADMT. In your scenario, with object overturn and DNT depletion, you would simply need to re-promote the machines slowly over time, perhaps when doing OS version upgrades or something, and not use IFM.
| This is not a forest concept, nor domain, nor NC. This is a DB instance concept. DNTs are different in each instance in your forest. They are not replicated.
|
| Yes - agree. My intent was to outline that we might approach the DNT limit with directories this large because:
| - they might run for a longer time
| - object overturn will happen
| - AD will stay over time since I doubt an upgrade will touch the dit and recycle DNTs, and companies with that large forests will rather upgrade to a new OS than using ADMT
|
| I'm aware that a repromote of the DCs will take care of it. I just tried to say that there might be the time when a repromote because of DNTs might be necessary in some larger domains. However still unlikely, but not that much away from reality if you look at the numbers posted (100M objects are 5-10% of the limit, employees and customers as well as other objects (DNS) tend to change, and the limit is the forest (b/c total number of objects on a GC)).
|
| Were these real objects, or what the regular AD-Guy would refer to
|
| Yes, but I don't understand why this matters to you?
|
| Just being curious if Brad was talking about 50M+ Accounts or Objects - main reason because of plain curiosity to figure out if we are talking about 50M+ Objects or 50M+ Accounts + another couple M dnsNodes/phantoms/...
|
| Gruesse - Sincerely,
|
| Ulf B. Simon-Weidner
|
| MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
| Weblog: http://msmvps.org/UlfBSimonWeidner
| Website: http://www.windowsserverfaq.org/
| Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
|
| _
|
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
| Sent: Monday, April 17, 2006 4:43 PM
| To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
| Subject: RE: [ActiveDir] User Accounts
|
| I don't look very happy imagining running ADMT or some other
RE: [ActiveDir] User Accounts
 Never take me too serious
 Seriously? :)

Absolutely ;)

 (Great thread by the way)

I agree!

Ulf

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
|Sent: Tuesday, April 18, 2006 1:16 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
|
| Never take me too serious
|
|Seriously? :)
|
|(Great thread by the way)
|
|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
|Sent: Monday, April 17, 2006 6:06 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
|
|Hi Brett,
|
|I don't want you to say or admit anything - I'm just curious and having a conversation here ;-)
|
|I was referring to your sentence
| I've heard of two production ADs in excess of 50 M (less than 100 M though)
|Which really made me curious and I started to think that these are not that unlikely to hit the limit. The rest of the conversation is just curiosity and for the sake of being interested - no real scenario - just interested in opinions.
|
|Never take me too serious - I'm German but that wasn't my fault ;-) I like to discuss what-if scenarios and am mainly interested in geeky chit-chat.
|
|And I've never and will never ask someone of your group or company to confess something in public. We are just chatting here.
|
|Ulf
|
||-Original Message-
||From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
||Sent: Tuesday, April 18, 2006 12:32 AM
||To: ActiveDir@mail.activedir.org
||Subject: RE: [ActiveDir] User Accounts
||
||In my experience the type of forest you're thinking about is a different beast, Ulf ...
||
||I don't know a single customer that has a NOS / IT infrastructure forest with 10M objects, in fact I can't even think of one with 5 M. Anything north of 5M - 10M objects is almost assuredly e-commerce, internet facing web portal type stuff ...
||
||There is natural churn because user accounts on the web facing stuff churn, multiple personas, forgotten password, what ever, but they don't get any of the normal churn you associate with the IT infrastructure (DNS objects, computer accounts join/unjoin, MIIS or HR control system injected changes, etc). They're basically using it like a specialized database.
||
||They are more prone to IFM though, which doesn't recycle DNTs. But all things considered the object churn seems to be less ... I believe the churn isn't too ridiculous.
||
||But it seems you just want to say or me to admit, yes if you hit this limit you will need to repromote. That is true. People dealt w/ NT4 SAM when it balked at 70k accounts or whatever, people will have to deal w/ AD when they use 2B RDNs ... if you're actually dealing with numbers that ballpark into that area, I'd be curious to hear about your scenario, but I suspect no one is doing that ... yet.
||
||Cheers,
||-BrettSh
||
||On Mon, 17 Apr 2006, Ulf B. Simon-Weidner wrote:
||
|| Hi ~eric,
||
|| I don't look very happy imagining running ADMT or some other migration tool against 100M Object ADs
||
|| You don't need to think about anything like ADMT. In your scenario, with object overturn and DNT depletion, you would simply need to re-promote the machines slowly over time, perhaps when doing OS version upgrades or something, and not use IFM.
|| This is not a forest concept, nor domain, nor NC. This is a DB instance concept. DNTs are different in each instance in your forest. They are not replicated.
||
|| Yes - agree. My intent was to outline that we might approach the DNT limit with directories this large because:
|| - they might run for a longer time
|| - object overturn will happen
|| - AD will stay over time since I doubt an upgrade will touch the dit and recycle DNTs, and companies with that large forests will rather upgrade to a new OS than using ADMT
||
|| I'm aware that a repromote of the DCs will take care of it. I just tried to say that there might be the time when a repromote because of DNTs might be necessary in some larger domains. However still unlikely, but not that much away from reality if you look at the numbers posted (100M objects are 5-10% of the limit, employees and customers as well as other objects (DNS) tend to change, and the limit is the forest (b/c total number of objects on a GC)).
||
|| Were these real objects, or what the regular AD-Guy would refer to
||
|| Yes, but I don't understand why this matters to you?
||
|| Just being curious if Brad was talking about 50M+ Accounts or Objects - main reason because of plain curiosity to figure out if we are talking about 50M+ Objects or 50M+ Accounts + another couple M dnsNodes/phantoms/...
||
|| Gruesse - Sincerely,
||
|| Ulf B. Simon-Weidner
||
|| MVP-Book Windows XP - Die
RE: [ActiveDir] User Accounts
Hi ~eric,

Thanks for the answer.

Ulf

>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
>Sent: Tuesday, April 18, 2006 4:05 AM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] User Accounts
>
>Yes, both Brett and I have seen large directories in this range.
>All of my experience with directories > 25M objects was outward facing.
>IE, internet portal types, like Brett was talking about.
>
>~Eric
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
>Sent: Monday, April 17, 2006 4:06 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] User Accounts
>
>Hi Brett,
>
>I don't want you to say or admit anything - I'm just curious and having a conversation here ;-)
>
>I was referring to your sentence
>> I've heard of two production ADs in excess of 50 M (less than 100 M though)
>Which really made me curious and I started to think that these are not that unlikely to hit the limit. Rest of the conversation is just curiosity and for the sake of being interested - no real scenario - just interested in opinions.
>
>Never take me too seriously - I'm German but that wasn't my fault ;-) I like to discuss what-if scenarios and am mainly interested in geeky chit-chat.
>
>And I've never and will never ask someone of your group or company to confess something in public. We are just chatting here.
>
>Ulf
>
>
>>-----Original Message-----
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
>>Sent: Tuesday, April 18, 2006 12:32 AM
>>To: ActiveDir@mail.activedir.org
>>Subject: RE: [ActiveDir] User Accounts
>>
>>In my experience the type of forest you're thinking about is a different beast, Ulf ...
>>
>>I don't know a single customer that has a NOS / IT infrastructure forest with > 10M objects, in fact I can't even think of one with > 5 M. Anything north of 5M - 10M objects is almost assuredly e-commerce, internet facing web portal type stuff ...
>>
>>There is natural churn because of user accounts on the web facing stuff churn, multiple personas, forgotten password, what ever, but they don't get any of the normal churn you associate with the IT infrastructure (DNS objects, computer accounts join/unjoin, MIIS or HR control system injected changes, etc). They're basically using it like a specialized database.
>>
>>They are more prone to IFM though, which doesn't recycle DNTs. But all things considered the object churn seems to be less ... I believe the churn isn't too ridiculous.
>>
>>But it seems you just want to say or me to admit, yes if you hit this limit you will need to repromote. That is true. People dealt w/ NT4 SAM when it balked at 70k accounts or whatever, people will have to deal w/ AD when they use 2B RDNs ... if you're actually dealing with numbers that ballpark into that area, I'd be curious to hear about your scenario, but I suspect no one is doing that ... yet.
>>
>>Cheers,
>>-BrettSh
>>
>>On Mon, 17 Apr 2006, Ulf B. Simon-Weidner wrote:
>>
>>> Hi ~eric,
>>>
>>>> I don't look very happy imagining running ADMT or some other migration tool against 100M Object ADs
>>>
>>>> You don't need to think about anything like ADMT. In your scenario, with object overturn and DNT depletion, you would simply need to re-promote the machines slowly over time, perhaps when doing OS version upgrades or something, and not use IFM. This is not a forest concept, nor domain, nor NC... this is a DB instance concept. DNTs are different in each instance in your forest. They are not replicated.
>>>
>>> Yes - agree. My intent was to outline that we might approach the DNT-limit with directories this large because:
>>> - they might run for a longer time
>>> - object overturn will happen
>>> - AD will stay over time since I doubt an upgrade will touch the dit and recycle DNTs, and companies with that large forests will rather upgrade to a new OS than using ADMT
>>>
>>> I'm aware that a repromote of the DCs will take care of it. I just tried to say that there might be the time when a repromote because of DNTs might be necessary in some larger domains. However still unlikely, but not that much away from reality if you look at the numbers posted (100M Objects are 5-10% of the limit, employees and customers as well as other objects (DNS) tend to change, and the limit is the forest (b/c total number of objects on a GC)).
>>>
>>>> Were these real objects, or what the regular AD-Guy would refer to
>>>
>>>> Yes, but I don't understand why this matters to you?
>>>
>>> Just being curious if Brad was talking about 50M+ Accounts or Objects - main reason because of plain curiosity to figure out if we are talking about 50M+ Objects or 50M+ Accounts + another couple M dnsNodes/phantoms/...
>>>
>>> Gruesse
RE: [ActiveDir] User Accounts
So you saved the negative DNTs for Longhorn or Blackcomb - if you realize that someone is getting too close to that limit in his forest? Interested in sharing the reason? What are you going to do if someone asks nicely (to get the bit back)? Sounds deeper in the system than some hotfix or sp can fix - err - change.

When will you release the whitepaper "Maintaining Active Directory Forests at the DITs Limit" which states to regularly repromote DCs in the intervals of garbage-collection (to release unused DNTs)? (And note that this will be the introduction of implementing manual processes for floating roles)

And just in case: ;-)

Gruesse - Sincerely,

Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Sunday, April 16, 2006 2:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

Good thread. A few corrections, for the sake of keeping the search engines fresh.

> The underlying store used by AD supports a theoretical maximum of 4.2 billion rows (limited by the 32 bit DNT or distinguished name tag)

Actually, you can only have 2^31 DNTs. This is because we start at 1, but it is actually a signed int. So we only get up to ~2bil or so, and don't use the negative side. Sorry, you can't have the bit back, unless you ask REALLY nicely. <g>

> A row could be said to correlate to an object but it's certainly not a one-to-one relationship since rows also house many other structures such as tables, long-values, etc

Ah, no, not quite (thankfully :)). There is a similar limit for # of long values (doesn't work the same, but mechanics omitted for the sake of brevity), but it has nothing to do with row count in the data table. Long values are burst out to their own b-tree, and as such would not be related to the DNT count max that you were talking about before. In fact, the LID concept is entirely orthogonal to the max row count governed by DNTs that was being discussed. Dean and I also IMd on this thread some, and the concept of link value also came up. Rest assured, link values also do not consume DNTs, they are stored entirely differently.

But, I do agree with the general feeling here, though for a slightly different reason. :) A row being used on a DC does not necessarily correlate with only what people think of as their objects hosted by that particular server. You have phantoms, structural phantoms, schema definitions, etc. Further, GCs of course drive the limitation in large forests, when the # of objects that is large are in domain NCs, of course (more on this below).

> So ... to my knowledge, there's no user-related maximum other than the ESE constraints outlined above. Hundreds of millions of users seems perfectly practical. I personally have no first-hand experience of a directory of that scale but if memory serves I believe public documentation does exist referencing either (or both) test or production directories well within this arena.

There is actually a subtle point here... there is max # of users in a single directory instance (ie, on one given DC/ADAM instance), and max # in the entire distributed system. They are somewhat different. In the ADAM world (read: no GCs), it is entirely possible to have a series of instances, each of which house different NCs, and each NC approaches the limits mentioned in this thread (ie, each has 2bil objects say). So long as no one instance breaks the thresholds, you are golden. It is only AD that can't play this game because GCs of course have partial NCs. But ADAM, no worries. Well, unless your large # of objects in AD are in NDNCs.

The larger directories I have worked with had ~100M objects on a single server. I haven't seen people break that on a single box... but I don't deny it has been done, I just haven't seen it. :)

Oh yea, the concept of negative linkIDs somehow came up in conversation as well. I'll blog about that I think. Perhaps even tonight, if I get my stuff done.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, April 15, 2006 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

Actually I am going to bust myself here before Dean or someone else does. The SIDS are going to be limited into the billions. Not due to the SID structure, but due to locations where RIDs are stored as DWORDs (32 bits) instead of as 6 bytes (48 bits). ADAM thoughts still stand as they use the
RE: [ActiveDir] OU's Structure
Yes - prio 1 is delegation, prio 2 GPOs since you have multiple ways to influence GPOs.

Gruesse - Sincerely,

Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, April 13, 2006 9:22 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OU's Structure

Joe,

The problem is that, as someone else mentioned, your OU structure serves two purposes:-

1) To delegate authority
2) To apply rights and restrictions via GPO's

Now if you are going to delegate authority, as far as I can see, the only way to do that is via OU's. You could apply specific rights to individual users, but that's messy to manage and impractical. On the other hand users get many rights already because of group membership, so it's (more?) natural to apply GPOs based on group membership rather than having rights or restrictions "drop on you from above" because of where you are in AD. Mind you of course NTFS rights may also descend from above.

Dave.

> As a general rule, I am much more a fan of setting up my GPO structure on an OU basis versus a group filtering basis. If anything applying a bunch of GPOs to an OU a user is in and then filtering out which ones they really have access to with groups would be slower than having multiple OU levels because there are more GPOs to loop through and check. I doubt it would add very much overhead but there would certainly be more than a deployment based on the hierarchical structure would have.
RE: [ActiveDir] Changing a users password
Hi Oliver,

First of all the receptionist needs to be delegated the rights to reset users' passwords, as well as being made aware of the consequences (local credential cache of the users f.e.).

To reset the password you can use commands like

  net user username password /domain

or you can use AD-Tools like ADUC, or

  dsquery user domainroot -name whatever | dsmod user -pwd newpass -mustchpwd yes

or you can create your own script which searches for the user and changes the password after asking for approval. www.microsoft.com/technet/scriptcenter provides the examples you have to glue together for this.

Gruesse - Sincerely,

Ulf B. Simon-Weidner
MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
>Sent: Wednesday, April 12, 2006 1:56 AM
>To: ActiveDir@mail.activedir.org
>Subject: [ActiveDir] Changing a users password
>
>Hi,
>
>I want to create a script that will allow a user here to change the password of any other user.
>
>I have found several examples, most based on the examples on the MS site. Thing is, they all depend on knowing the Distinguished Name of the user, and the poor old receptionist won't have a clue what that is.
>
>Can anyone help me with a script that will change the password of a user just knowing the username of the user? At the least I'm after some code to find the DN of a user from their username, and I can then use that with the code I already have (I think).
>
>Thanks
>
>Olly
>List info : http://www.activedir.org/List.aspx
>List FAQ: http://www.activedir.org/ListFAQ.aspx
>List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Extending the schema
Well designed schema updates will not conflict with existing ones - so you shouldn't have any issues - and if you have issues it's most likely another non-MS schema extension.

Gruesse - Sincerely,

Ulf B. Simon-Weidner
MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
>Sent: Wednesday, April 12, 2006 12:59 AM
>To: ActiveDir@mail.activedir.org
>Subject: [ActiveDir] Extending the schema
>
>~~
>This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged.
>
>This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.
>~~
RE: [ActiveDir] default values for net time /querysntp on new systems?
Actually type NTP or AllSync may use the NTP-Server. AllSync is the reg-setting for w32tm /config /syncfromflags:MANUAL,DOMHIER (so it's a combination of NTP and NT5DS). If the setting is NoSync or NT5DS the NTP-Server setting is not being used.

Ulf

>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
>Sent: Wednesday, April 12, 2006 12:48 AM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] default values for net time /querysntp on new systems?
>
>time.windows.com,0x1 is the default value for XP and 2003 computers. The fact that it's not set on some of your servers could be because they were upgraded in place from 2000 or someone (or something, like a GPO, for example) has reset them using any number of means; the net time command, w32tm.exe, modifying the Registry, etc.
>
>All the command that you're running is telling you is what the NtpServer Registry value is set to. It is NOT telling you that your computers are necessarily using those sources to synchronize time. Try running w32tm.exe /dumpreg /subkey:parameters
>
>Look at the Type value. If it says NT5DS then it's using the domain hierarchy and ignoring the NtpServer value. If it says NTP then it's using that value.
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
>> Sent: Tuesday, April 11, 2006 5:30 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: [ActiveDir] default values for net time /querysntp on new systems?
>>
>> Hi,
>> I've noticed in our Active Directory environment default settings on Windows XP and Server 2003 computers for net time /querysntp to be one of two values:
>>
>> net time /querysntp
>> The current SNTP value is: time.windows.com,0x1
>>
>> net time /querysntp
>> This computer is not currently configured to use a specific SNTP server.
>>
>> The value does not seem to correspond to new vs. upgraded systems. Our PDC emulator role holder, as recommended, is set to an outside time source.
>>
>> Does the value time.windows.com,0x1 have some special significance like obtain your time through normal AD channels, but just in case there is a problem, go to time.windows.com?
>>
>> There are no time problems in my environment that I am aware of. Thanks for any enlightenment!
>>
>> Mike Thommes
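An added example, not from this thread or from the w32tm tool: a small Python audit helper that takes the text printed by w32tm /dumpreg /subkey:parameters and answers the question David raises, namely whether the machine is actually using the NtpServer value or the domain hierarchy. The two sample outputs are constructed approximations of the table layout, not captures from real hosts, and the host names in them are placeholders; the Type semantics and the ,0x peer flags are the documented W32Time values.

```python
import re

# Whether each documented Type value consults the NtpServer list (the point of David's reply).
TYPE_USES_NTPSERVER = {"NoSync": False, "NT5DS": False, "NTP": True, "AllSync": True}
# Documented W32Time peer flags that follow the ',0x' suffix of an NtpServer entry.
PEER_FLAGS = {0x1: "UseSpecialPollInterval", 0x2: "UseAsFallbackOnly",
              0x4: "SymmetricActive", 0x8: "Client"}

# Constructed approximations of 'w32tm /dumpreg /subkey:parameters' output (not captured
# from a real machine): a domain member, and a box configured with two manual peers.
SAMPLE_NT5DS = """\
Value Name                 Value Type          Value Data
------------------------------------------------------------
ServiceDll                 REG_EXPAND_SZ       C:\\Windows\\system32\\w32time.dll
Type                       REG_SZ              NT5DS
NtpServer                  REG_SZ              time.windows.com,0x1
"""
SAMPLE_NTP = SAMPLE_NT5DS.replace("NT5DS", "NTP").replace(
    "time.windows.com,0x1", "ntp1.corp.example,0x9 ntp2.corp.example,0x9")


def parse_dumpreg(output):
    """Turn the three-column table into {value name: value data}; columns are separated
    by runs of two or more spaces, and only rows whose type starts with REG_ are data."""
    values = {}
    for line in output.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) == 3 and parts[1].startswith("REG_"):
            values[parts[0]] = parts[2]
    return values


def parse_ntpserver(value):
    """'host,0x9 host2,0x1' -> [(host, [flag names])]; a missing suffix means no flags."""
    peers = []
    for token in value.split():
        host, _, flags = token.partition(",")
        bits = int(flags, 16) if flags else 0
        peers.append((host, [name for bit, name in PEER_FLAGS.items() if bits & bit]))
    return peers


def effective_time_sources(output):
    """(Type, [sources actually used]): NT5DS -> domain hierarchy, NTP -> NtpServer
    peers, AllSync -> both, NoSync -> nothing, regardless of what NtpServer says."""
    values = parse_dumpreg(output)
    kind = values.get("Type", "")
    if kind not in TYPE_USES_NTPSERVER:
        raise ValueError("unknown or missing Type value: %r" % kind)
    sources = []
    if kind in ("NT5DS", "AllSync"):
        sources.append("domain hierarchy")
    if TYPE_USES_NTPSERVER[kind]:
        sources.extend(host for host, _ in parse_ntpserver(values.get("NtpServer", "")))
    return kind, sources


if __name__ == "__main__":
    for sample in (SAMPLE_NT5DS, SAMPLE_NTP):
        print(effective_time_sources(sample))
```

Run it over dumpreg output collected from several servers and the domain members report only "domain hierarchy" even though they carry the time.windows.com,0x1 default, which is exactly the distinction the thread is about; the PDC emulator, set to NTP with external peers, is the one box where the NtpServer list matters.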
RE: [ActiveDir] Server 2003 DNS Admins group permissions
Might be - you know that you can delegate any eventlog by adjusting the CustomSD Registrykey underneath the specific eventlog in the registry?

Gruesse - Sincerely,

Ulf B. Simon-Weidner
MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
>Sent: Thursday, April 06, 2006 5:54 PM
>To: ActiveDir@mail.activedir.org
>Subject: [ActiveDir] Server 2003 DNS Admins group permissions
>
>The default DNS Admins group has permission to use the DNS GUI (dnsmgmt.msc) and to make changes in it but does not have permission to view the DNS event log (DnsEvent.Evt). Would this just be an oversight on Microsoft's part?
>
>TIA,
>Mike Thommes
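An added example, not from Ulf's mail or from any Microsoft tool, showing the CustomSD approach in Python so the edit can be prepared and checked before it touches a server. The value is an SDDL string stored as CustomSD under the log's key (for the DNS log that is HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\DNS Server); the helper appends an allow ACE carrying only the read right (0x1) for a group SID and then computes the rights a principal actually ends up with, so an existing deny for Anonymous or Guests is not accidentally overridden. The sample SDDL and the DNS Admins SID are constructed placeholders; read your own value with reg query before editing it.

```python
import re

# Event-log access bits as they appear (in hex) in a CustomSD ACE.
# Assumption: these are the documented ELF_LOGFILE_* rights; only READ is granted below.
ELF_LOGFILE_READ = 0x1
ELF_LOGFILE_WRITE = 0x2
ELF_LOGFILE_CLEAR = 0x4

# One SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\((?P<type>[AD]);(?P<flags>[^;]*);(?P<rights>[^;]*);"
                    r"(?P<og>[^;]*);(?P<ig>[^;]*);(?P<sid>[^)]*)\)")
# A SID string or one of the two-letter SDDL aliases (BA, SY, AN, ...).
SID_RE = re.compile(r"^(S-1-\d+(-\d+)+|[A-Z]{2})$")

# Constructed sample modelled on a default-style CustomSD (not copied from a real box):
# deny everything to Anonymous/Guests, full rights for SYSTEM, read+write+clear for
# Administrators and Server Operators, read+write for the interactive/service groups.
SAMPLE_CUSTOMSD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
                   "(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)"
                   "(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)")
# Placeholder for the DNS Admins group SID; look the real one up with dsquery/dsget.
DNS_ADMINS_SID = "S-1-5-21-1-2-3-1102"


def parse_custom_sd(sddl):
    """Split a CustomSD string into the O:/G:/D: prefix and a list of ACE dicts.
    Refuses strings it cannot account for completely, so a typo never reaches the registry."""
    m = re.search(r"D:(?=\()", sddl)          # the DACL starts right before the first ACE
    if not m:
        raise ValueError("CustomSD has no DACL")
    dacl = sddl[m.end():]
    found = list(ACE_RE.finditer(dacl))
    if "".join(x.group(0) for x in found) != dacl:
        raise ValueError("unparsed material in DACL: " + dacl)
    return sddl[:m.end()], [x.groupdict() for x in found]


def effective_rights(sddl, sids):
    """Rights a principal (its own SID plus its group SIDs) ends up with on the log.
    Denies are treated as winning over allows, which is the outcome of an access
    check on a canonically ordered DACL (deny ACEs first)."""
    _, aces = parse_custom_sd(sddl)
    allowed = denied = 0
    for ace in aces:
        if ace["sid"] in sids:
            bits = int(ace["rights"], 16)
            if ace["type"] == "D":
                denied |= bits
            else:
                allowed |= bits
    return allowed & ~denied


def grant_read(sddl, sid):
    """Return a CustomSD that additionally lets `sid` read the log, and nothing more.
    Idempotent: an existing allow ACE that already carries the read bit is left alone."""
    if not SID_RE.match(sid):
        raise ValueError("not a SID or SDDL alias: " + sid)
    _, aces = parse_custom_sd(sddl)
    for ace in aces:
        if ace["type"] == "A" and ace["sid"] == sid and int(ace["rights"], 16) & ELF_LOGFILE_READ:
            return sddl
    return sddl + "(A;;0x%x;;;%s)" % (ELF_LOGFILE_READ, sid)


if __name__ == "__main__":
    updated = grant_read(SAMPLE_CUSTOMSD, DNS_ADMINS_SID)
    print(updated)
    print("DNS Admins rights:", effective_rights(updated, {DNS_ADMINS_SID}))
```

The read-only ACE is the least-privilege answer to Mike's question: a DNS operator can view the DNS log without being able to clear it (0x4), and because the helper refuses any string it cannot parse back to its own ACEs, a malformed value (which would make the log inaccessible) is caught before it is written.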
RE: [ActiveDir] 2003 DFS/open files
I guess it also depends on the application he's using to open the file and when it's written by the other (before or after replication). If the file is replicated between the servers before the first user is closing (saving) the file, and the application is able to handle it, it will inform the user that there's a different version of the file on the server and offer him to reload. But apps which are doing this are pretty rare.

Gruesse - Sincerely,

Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Wednesday, April 05, 2006 5:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 DFS/open files

If running DFS on R2 the last write wins, but the first write is put into the Conflict and Deleted folder on the server, so that it can be retrieved if necessary, depending on available space, quotas, etc.

HTH,
Tim

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Wednesday, April 05, 2006 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 2003 DFS/open files

The person that saves the file last will win. So the last write will win. Take a look at this article for more info http://support.microsoft.com/?kbid=221089

Thanks

Mike

On 4/5/06, Thommes, Michael M. <[EMAIL PROTECTED]> wrote:
> Can someone tell me what happens with DFS/replication when a file is updated on one DFS server and a client has that same file open on another DFS server?
> TIA!
> Mike Thommes
RE: [ActiveDir] View Delegated Tasks?
Sounds like http://www.dec2006.com/abstracts.cfm#directorysimonweidner ;-)

Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Wednesday, March 29, 2006 8:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] View Delegated Tasks?

<teaser>
For anyone who's going to Windows Connections in Orlando, come to my Advanced Delegation session. I'll show you an option that is so simple and powerful for delegating and then being able to pull reports on your delegation that it will blow your mind. Believe me I'm not tooting my own horn - I'm no brainiac - the key word was SIMPLE
</teaser>

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, March 23, 2006 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] View Delegated Tasks?

You can however use something like DSRevoke to build a report: http://www.microsoft.com/downloads/details.aspx?FamilyID=77744807-c403-4bda-b0e4-c2093b8d6383&DisplayLang=en

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, March 23, 2006 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] View Delegated Tasks?

You can't. The delegate wizard is write only. You have to look at the security descriptor on the OU and figure out what changes were made.

Wook Lee
AD Architect - HP IT

From: [EMAIL PROTECTED] on behalf of Harding, Devon
Sent: Fri 3/17/2006 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] View Delegated Tasks?

When I delegate permissions to a group in ADUC to a specific OU (using the Delegate Wizard), how can I go back and see who was delegated and the permissions?

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
RE: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain
How about

  dsquery * domainroot -filter "(&(objectCategory=computer)(sAMAccountName=computername$))" -attr objectSid

Gruesse - Sincerely,

Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, April 04, 2006 6:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain

How about:

  dsquery computer -samid computer_name_here | dsget computer -sid

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of matheesha weerasinghe
Sent: Tuesday, April 04, 2006 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain

No it works fine as computer$. He wanted MS tools only remember? ;-)

M@

On 04/04/06, Freddy HARTONO <[EMAIL PROTECTED]> wrote:
> if getsid doesn't work (if i remember correctly this is only for user accounts not comp) - try psgetsid or newsid.exe
>
> Thank you and have a splendid day!
>
> Kind Regards,
> Freddy Hartono
> Group Support Engineer
> InternationalSOS Pte Ltd
> mail: [EMAIL PROTECTED]
> phone: (+65) 6330-9785
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of matheesha weerasinghe
> Sent: Tuesday, April 04, 2006 10:40 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain
>
> Use getsid.exe of the support tools. How come you are using regmon. I thought sysinternals was a no no :0)
>
> M@
>
> On 02/04/06, Rodrigo Blanco <[EMAIL PROTECTED]> wrote:
>> Freddy,
>> is there any standard way (tools included in the W2K3 OS) to verify the SID of a machine? I am not allowed to install or use any external software, such as sysinternals, for instance.
>>
>> Joe,
>> I believe that the application is using the WINSOCK API too. TCP/IP is working fine and the settings are just as they should be... :-/ So I will do a regmon on a good machine and extract the differences with mine.
>>
>> Thank you very much,
>> Best regards,
>> Rodrigo.
>>
>> On 02/04/06, joe <[EMAIL PROTECTED]> wrote:
>>> I believe that tool is using the gethostname WINSOCK API call, I expect you are hitting an error and it isn't handling it gracefully. Is TCP/IP working properly on that machine? Are all of the TCP/IP settings correct? If everything looks ok, I would recommend running regmon on a known good machine and then do the same on the troublesome machine and see what the differences are in the requests, you might get a hint there.
>>>
>>> joe
>>>
>>> --
>>> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rodrigo Blanco
>>> Sent: Tuesday, March 28, 2006 6:54 AM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain
>>>
>>> Hello list,
>>>
>>> I am currently having a problem with a Windows 2003 server inside a Windows 2003 server-based Active Directory domain. The problem is that when I run the "hostname" command, it is empty:
>>>
>>> C:\>hostname
>>>
>>> C:\>
>>>
>>> I suspect this happened after doing a clone of the VM machine and, by error, starting it and changing its name in the same network of the original one (this should have happened in an off-line network). I have tried to take it out from the domain and register it again in it, but this will not help. There is no conflict between the DNS and the local hosts file on the server. The server is registered in both the direct and inverse DNS lookup zones. If I look in System Properties > Computer Name, everything looks fine: hostname and domain are correctly configured.
>>>
>>> Any help will be more than welcome.
>>>
>>> Thanks in advance and best regards,
>>>
>>> Rodrigo.
RE: [ActiveDir] Finding best way to list servers in AD.
Why not

  (&(objectCategory=computer)(|(operatingSystem=Windows 2000 Server)(operatingSystem=Windows Server 2003)))

This is at least limited to computer objects and should be slightly better.

Gruesse - Sincerely,

Ulf B. Simon-Weidner
MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
>Sent: Monday, April 03, 2006 10:05 PM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] Finding best way to list servers in AD.
>
>I usually use:
>
>(&(objectCategory=computer)(operatingSystem=*Server*))
>
>
>But this is a lot more efficient:
>
>(|(operatingSystem=Windows 2000 Server)(operatingSystem=Windows Server 2003))
>
>
>Although it's still not great as there's no indexed attribute.
>
>
>----- Original Message -----
>From: AD <[EMAIL PROTECTED]>
>To: ActiveDir@mail.activedir.org
>Sent: Monday, April 03, 2006 7:48 PM
>Subject: [ActiveDir] Finding best way to list servers in AD.
>
>
>> Ok ladies and gentlemen,
>>
>> Once again I need your help. What would be the best query to list all servers in Active Directory knowing that no additional indexes have been added from the default install?
>>
>> 1. (&(|(operatingSystem=Windows 2000 Server)(operatingSystem=Windows Server 2003)))
>>
>> 2. (&(objectCategory=Computer)(operatingSystem=*Server*))
>>
>> I do not know of any other attribute to use other than operatingSystem which limits your options.
>>
>> Thanks
>>
>> Yves St-Cyr
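An added example, not from this thread, that models the filters discussed here and in the "Empty hostname" and "Changing a users password" threads in Python. It builds the filters with RFC 4515 escaping, so a login name that contains parentheses or an asterisk cannot change the structure of the filter, and evaluates them against a constructed handful of directory entries with a minimal filter interpreter, which makes visible what the (objectCategory=computer) clause and the *Server* substring actually select. The entries, DNs and helper names are mine; the real query still goes through dsquery or an LDAP client.

```python
import re

# Constructed sample directory (not real data). Attribute names are stored lower-case
# because LDAP attribute names are case-insensitive; objectCategory holds the short
# class name that AD also accepts in filters instead of the full schema DN.
SAMPLE_DIRECTORY = [
    {"dn": "CN=DC01,OU=Domain Controllers,DC=example,DC=com",
     "objectcategory": "computer", "samaccountname": "DC01$",
     "operatingsystem": "Windows Server 2003"},
    {"dn": "CN=FS01,OU=Servers,DC=example,DC=com",
     "objectcategory": "computer", "samaccountname": "FS01$",
     "operatingsystem": "Windows 2000 Server"},
    {"dn": "CN=WS042,OU=Workstations,DC=example,DC=com",
     "objectcategory": "computer", "samaccountname": "WS042$",
     "operatingsystem": "Windows XP Professional"},
    {"dn": "CN=Jane Doe,OU=Users,DC=example,DC=com",
     "objectcategory": "person", "samaccountname": "jdoe",
     "objectclass": ["top", "person", "organizationalPerson", "user"]},
    {"dn": "CN=Odd (Name),OU=Users,DC=example,DC=com",
     "objectcategory": "person", "samaccountname": "odd(name)",
     "objectclass": ["top", "person", "organizationalPerson", "user"]},
]

# Ulf's server filter from the thread.
SERVER_FILTER = ("(&(objectCategory=computer)(|(operatingSystem=Windows 2000 Server)"
                 "(operatingSystem=Windows Server 2003)))")


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter: '\\', '*', '(', ')' and NUL
    become \\xx, so user-supplied names cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def computer_by_samid(name):
    """Filter to fetch one machine account; computer sAMAccountNames end in '$'."""
    samid = name if name.endswith("$") else name + "$"
    return "(&(objectCategory=computer)(sAMAccountName=%s))" % escape_filter_value(samid)


def user_by_samid(name):
    """Filter a reset-password script would use to find a user's DN from the login name."""
    return "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(name)


def parse_filter(text):
    """Parse the subset of RFC 4515 used above: &, |, !, equality and '*' wildcards."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters in filter")
    return node


def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    if text[pos] in "&|":
        op, kids, pos = text[pos], [], pos + 1
        while pos < len(text) and text[pos] == "(":
            kid, pos = _parse(text, pos)
            kids.append(kid)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unterminated %s at %d" % (op, pos))
        return (op, kids), pos + 1
    if text[pos] == "!":
        kid, pos = _parse(text, pos + 1)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unterminated ! at %d" % pos)
        return ("!", [kid]), pos + 1
    end = text.index(")", pos)               # an escaped ')' is \29, so this is safe
    attr, sep, pattern = text[pos:end].partition("=")
    if not sep:
        raise ValueError("only equality filters are supported")
    return ("=", attr, pattern), end + 1


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _match_value(pattern, value):
    parts = pattern.split("*")               # split before unescaping: \2a is a literal '*'
    if len(parts) == 1:
        return _unescape(pattern).lower() == value.lower()
    regex = ".*".join(re.escape(_unescape(p)) for p in parts)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = entry.get(attr.lower())
    if values is None:                       # an absent attribute never matches
        return False
    if isinstance(values, str):
        values = [values]
    if pattern == "*":                       # presence filter
        return True
    return any(_match_value(pattern, v) for v in values)


def search(directory, filter_text):
    """DNs of the entries that match the filter, in directory order."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in directory if matches(node, e)]
```

The two server filters return the same DNs on this sample; the difference Paul and Ulf discuss is cost on the real directory, where (objectCategory=computer) is indexed and narrows the set before the unindexed operatingSystem comparison runs. The escaping matters for the receptionist script in the password thread: a name such as odd(name) is looked up correctly instead of producing a malformed or broader filter.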
RE: [ActiveDir] CNF entries and LDIFDE.
Excellent writing buddy - hope you are keeping snippets like this for the fourth edition ;-)

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, April 02, 2006 5:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] CNF entries and LDIFDE.

Howdy. At DEC I was approached concerning a problem an admin was having with LDIFDE and importing CNF (conflict) objects; basically LDIFDE hits an error and stops when it processes one of these DNs. That is not generally the result you are looking for. It certainly puts a crimp in your productivity for the day if it keeps happening and you can't stop it.

First some background. These objects appear when an object is created with the same DN on multiple DSAs (Directory Service Agents, aka DCs or ADAM instances) within the same replication convergence interval. They replicate and eventually collide, and following standard collision rules the loser gets marked with a newline (\0A), the string literal 'CNF:' and the objectGUID value in friendly format, looking something like

CN=collision\0ACNF:efc83ba9-412f-452e-ad49-72f91d31c201,CN=Users,DC=duck,DC=com

The winner of the collision is usually determined by the timestamp of the RDN on the various servers, because the version of the RDN of both objects is almost always 1, making the version slightly less than helpful for the comparison. Note I was careful not to say the second one created will win; it is the one with the later timestamp, and if servers are out of sync in time with each other it could confuse the situation. However, assuming you have a good time structure, the object created first should be renamed and the object created second will have the "clean" name.

So the problem with LDIFDE is related to that darn NEWLINE character. That isn't something you can generally import for a name, and Microsoft specifically used that character to get your attention. When LDIFDE tries to import an object like that the DSA says "No way Jose!". Well, it is a little more professional and says NAMING_VIOLATION with an error of 200B, which is

G:\granamigodelpato>err 200b
# for hex 0x200b / decimal 8203 :
  ERROR_DS_INVALID_ATTRIBUTE_SYNTAX                              winerror.h
# The attribute syntax specified to the directory service is
# invalid.
# 1 matches found for "200b"

You do occasionally (or more or less often - YMMV) get these objects in your directory. As a general rule, clean them up when you find them. How you do that is very specific to the objects; you will have to use some judgement and try to figure out which is the right object to keep, the non-CNF stamped object or the CNF stamped object. About the only incorrect answer here is to say that you always keep one or the other simply based on whether it has the CNF or not. As the name indicates they are indicative of a collision, and they are a mechanism to protect you from something that could possibly have really hurt. Don't like collision objects you say?? Consider the alternatives, which are that something disappears or you get some sort of odd amalgamation of two different objects. Both of those alternatives suck because they are much worse than just having a CNF object. With a CNF object at least you have something you can detect and have a fighting chance to correct.

So the admin is having troubles importing the objects because he keeps hitting CNF objects. It would be nice if LDIFDE handled this situation gracefully. And guess what... it can. :o) The latest version of LDIFDE, which is in the ADAM SP1 or R2 release, has a version of LDIFDE dated 2005/11/23 with a file version of 1.1.3790.2075 which has a '-z' option which tells ldifde to continue importing regardless of errors.

Very cool, yet another reason for you to download ADAM SP1 or dig it off your R2 CDs. However... Do you really want to always do that? I mean come on, keep on going regardless of errors... That is equivalent to the VBScript ON ERROR RESUME NEXT programming mechanism, and we don't even have ERROR levels so we can really check to stop our process midstream and correct. So the "right" solution in my mind if you have CNF objects is to clean them up. If that isn't feasible at the time or you already have the LDIF dump you need to import, clean up the file prior to import. This can be done by hand with notepad, or if you have a 600MB LDIF file like the admin in question did you will want to script it. Below is a simple script
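joe's script itself did not survive in the archive. What follows is an added example, not joe's script and not a Microsoft tool, of the pre-import cleanup he describes: it parses an LDIF export, holds back every record whose DN carries the \0ACNF: marker, and reports each CNF object next to the DN it collided with, so the pair can be compared and a decision made per object instead of importing with -z and skipping every error blindly. The sample LDIF embedded below is constructed; line unfolding follows RFC 2849, and the handling of base64-encoded (dn::) DNs is an assumption about how an exporter might write a DN containing a newline.

```python
"""Separate CNF (conflict) records from an LDIF export before importing it.

Added example. Records whose DN carries the AD collision marker are held back
and reported next to the DN they collided with; everything else is written out
as a clean LDIF that LDIFDE can import without hitting NAMING_VIOLATION
(ERROR_DS_INVALID_ATTRIBUTE_SYNTAX, 0x200B).
"""
import base64
import re
import sys

# AD stamps the losing object's RDN with a newline (escaped as \0A in the string
# form of the DN), the literal 'CNF:' and the objectGUID. An exporter that
# base64-encodes such a DN (assumption) would yield a real '\n' after decoding.
CNF_MARKER = re.compile(
    r"(?:\\0A|\n)CNF:([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
)


def parse_ldif(text):
    """Split LDIF text into records; each record is a list of unfolded lines.
    Continuation lines start with one space (RFC 2849); '#' lines are comments."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            if current:
                records.append(current)
                current = []
        elif raw.startswith(" ") and current:
            current[-1] += raw[1:]          # unfold a wrapped attribute value
        else:
            current.append(raw)
    if current:
        records.append(current)
    return records


def record_dn(record):
    """Return the DN of a record, decoding the base64 ('dn::') form if used."""
    first = record[0]
    if first.startswith("dn::"):
        return base64.b64decode(first[4:].strip()).decode("utf-8")
    if first.startswith("dn:"):
        return first[3:].strip()
    raise ValueError("record does not start with a dn line: %r" % first)


def split_cnf(text):
    """Return (clean_records, conflicts). Each conflict is a tuple
    (cnf_dn, sibling_dn, object_guid); sibling_dn is the DN with the marker
    removed, i.e. the object that kept the 'clean' name."""
    clean, conflicts = [], []
    for record in parse_ldif(text):
        dn = record_dn(record)
        match = CNF_MARKER.search(dn)
        if match:
            conflicts.append((dn, CNF_MARKER.sub("", dn), match.group(1).lower()))
        else:
            clean.append(record)
    return clean, conflicts


def to_ldif(records):
    """Serialize records back to LDIF, one blank line between records."""
    return "\n\n".join("\n".join(r) for r in records) + "\n"


# Constructed sample export: an unrelated user, a CNF object, and the object it
# collided with (its description is folded across two lines on purpose).
SAMPLE_LDIF = r"""dn: CN=alice,CN=Users,DC=duck,DC=com
changetype: add
objectClass: user
sAMAccountName: alice

dn: CN=collision\0ACNF:efc83ba9-412f-452e-ad49-72f91d31c201,CN=Users,DC=duck,DC=com
changetype: add
objectClass: user
sAMAccountName: collision2
description: created on a second DC and lost the collision

dn: CN=collision,CN=Users,DC=duck,DC=com
changetype: add
objectClass: user
sAMAccountName: collision
description: this is a folded line that continues
  after a leading space
"""


def main(argv):
    # usage: cnf_filter.py [export.ldf [clean.ldf]]; with no arguments the sample is used
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_LDIF
    clean, conflicts = split_cnf(text)
    for cnf_dn, sibling, guid in conflicts:
        print("CNF object   : %s" % cnf_dn)
        print("collided with: %s  (objectGUID %s)" % (sibling, guid))
    if len(argv) > 2:
        with open(argv[2], "w", encoding="utf-8") as out:
            out.write(to_ldif(clean))
    print("%d records kept, %d CNF records held back" % (len(clean), len(conflicts)))


if __name__ == "__main__":
    main(sys.argv)
```

The held-back records are deliberately not deleted or rewritten: as the post says, which side of a collision to keep is a per-object judgement, and the report gives the admin both DNs to make it.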
RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003
| Finding a precise database size at which the 64-bit version becomes more advantageous than the 32-bit version.

Actually I believe that a 64-bit version is more advantageous immediately; however, whether the better memory handling and higher performance will be recognizable to a human depends on other settings, such as your applications and their LDAP queries, your GPOs and logon scripts (client/user logon), administrative behavior, and so on.

| Finding a precise amount of RAM to optimize caching the database.

LSASS is only able to consume 512MB by default in a 32-bit environment. How much memory is consumed by your LSASS depends on the DIT size and on other settings such as indexing, forest infrastructure and GC placement... You are able to monitor the memory LSASS consumes by cmd (tasklist), perfmon or other monitoring tools (Process\LSASS\Working set size or max working set size) or just taskmon. If LSASS gets close to consuming 512MB you should put the /3GB switch in place or run it on 64-bit hardware/OS. However, to figure out the right size of RAM you need to keep monitoring and trying at least on one server (or one DC and one GC) in your domain, since memory usage on Windows adjusts depending on the availability of memory.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: Sunday, April 02, 2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003

Haven't lurked on the list for a while, so apologies if I'm asking the answered, however: Bearing in mind the non-goals of the paper, i.e.

- Finding a precise database size at which the 64-bit version becomes more advantageous than the 32-bit version.
- Finding a precise amount of RAM to optimize caching the database.

Any prescriptive guidance on these, bearing in mind that most of our DITs contain more than just user info? Also, how do multiple processors affect 64-bit DC performance? What about DC-specific settings in 64-bit environments, do these change at all, since larger cache configurations are assumed? The thinking here is that you wouldn't bother with 64-bit DCs without the extra memory.

From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]]
Sent: 02 April 2006 09:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003

Although nothing official, we've done testing HP-internally and were quite comfortable using a single well-sized 64-bit DC (well-sized meaning our whole DIT cached in memory) serving one of our sites with approx. 4 Exchange Mbx. servers (I believe all dual-proc) with a total of 20.000 mailboxes. It worked like a charm.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, 2 April 2006 09:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003

And silence swept the community as Microsoft folks dived under desks searching for dropped pens... I second this request pleasethankyouverymuch.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeremy Olson
Sent: Friday, March 31, 2006 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003

Thanks. Looks like a really great white paper. Anything in the works to provide updated DC sizing for Exchange? Thanks again.
Jeremy

On 3/30/06, Steve Linehan [EMAIL PROTECTED] wrote:

Since it has been asked many times on the alias when a paper will be released detailing the scenarios in which deploying 64-bit servers for Active Directory makes sense and providing detailed analysis and numbers, I thought everyone would be happy to know that the Active Directory Program Management and Development teams have released the following White Paper: "Active Directory Performance for 64-bit Versions of Windows Server 2003"
http://www.microsoft.com/downloads/details.aspx?FamilyID=52e7c3bd-570a-475c-96e0-316dc821e3e7&DisplayLang=en

Thanks,
-Steve
RE: [ActiveDir] display name confusion
| PPS. I landed a couple of hours ago and am jetlagged, so anything written above should be taken with a pillar of salt.

Landed yesterday evening (Friday if I recall correctly) - and am still a bit jetlagged. And the rubber ducky is still on the road - luggage got lost (or not transferred in time) in San Francisco, so I may expect it tonight at the earliest. Was nice meeting you - and glad you've made it out of the lurking space ;-)

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katherine Coombs
Sent: Saturday, April 01, 2006 5:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] display name confusion

Tom,

The column Name in ADUC is not the displayName, but you can add this latter column. When generating a user via ADUC, the field called Full Name is used to populate the user's CN, displayName and name attributes. By default this format is "givenName sn", but you can modify this via the relevant DisplaySpecifier as you mentioned (see http://support.microsoft.com/?kbid=250455). Note that changing the DisplaySpecifier only affects objects created afterwards; objects previously created won't be updated to reflect this change. Additionally, the displayName can be subsequently overwritten, or a displayName can be specified at the point of object creation which doesn't adhere to the createDialog format.

If your createDialog for users is %<sn>, %<givenName> then - within ADUC - the Full Name field (which populates the CN, displayName and name attributes) will be populated automatically based on the information in the First name and Last name fields. If you don't populate these two fields then the Full Name will need to be specified manually before you can proceed. I presume that this field is required in ADUC because it populates the CN, which is a mandatory attribute, and just for convenience's sake the information from this field is then used to populate those other attributes.

Creating a user via another mechanism, such as via a script, should only require you to specify the CN and samAccountName, since other attributes including the displayName are optional. Actually, you don't even need to specify the samAccountName, come to think of it, since it will be created automatically if you don't, but ultimately the samAccountName attribute itself is mandatory.

So, if you're certain that you're creating the users via ADUC, then someone manually entered the samAccountName in the Full Name field, which propagates to the displayName attribute amongst others.

I'm not sure what you mean by "the dn's are all mixed". I thought that your problem was with the displayName attribute? It sounds to me like someone mis-populated the Full Name field, which then flows to the displayName and the CN, and the distinguishedName.

HTH,
Katherine Coombs

PS. For those interested, it would appear that 4 days is the time required to spend with joe before being converted from a lurker to an essayist :-)

PPS. I landed a couple of hours ago and am jetlagged, so anything written above should be taken with a pillar of salt.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: 30 March 2006 07:16
To: activedirectory
Subject: [ActiveDir] display name confusion

Can someone explain to me how the display names get generated in ADUC? I have users whose display names are "lastname,firstname" but whose accounts show up in ADUC in the samaccountname format. This is sporadic and not for all users. The "user-Display" is set to "lastname,firstname" as well in the config NC. When I do a query with adfind or dsquery, the dn's are all mixed as well, with some in sAMAccountName format and some as the display name.

Thanks
RE: [ActiveDir] Thanks to all who came to DEC 2006
Hi Gil,

Thanks to you and your team, especially Stella and Christine, for all the work you did to make this conference as special as it is to all of us. I also want to thank Stuart; AFAIK he was not only sponsoring the event but also enabled a lot of his folks (Nathan, Levon, Brian, ...) to attend and spend time with us - there were a lot of great discussions between all of the attendees, speakers and MS, and the conference would not be the same without their support by physically being there.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
|Sent: Friday, March 31, 2006 12:30 PM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Thanks to all who came to DEC 2006
|
|Thank you to everyone on the list who came to DEC this year and helped make it a success. I've had nothing but positive comments ranging from really great to un-f***ing-believably great. I've had four different people tell me (including Stuart) that if they can only go to one show a year, DEC would be it.
|
|Certainly the Joe Dean Show stands out as a popular (and hilarious, and informing) event, but even more critical to the show's success was having the expertise of people like joe, Dean, Guido, Ulf, Jorge, Laura, Wook, and the other list-denizens wandering the halls and talking to people. There was a _scary_ amount of expertise attending the show, and _that's_ what brings people back.
|
|One of the things I do during DEC is wander the halls during the parties and between sessions and listen in on the conversations... I usually don't pick up on anything specific, but I can usually get a sense of the conversation... is it positive/negative, is it energetic, are the people engaged, etc. And this year the halls were positively buzzing, all the way through the final sessions on Wednesday afternoon. It has _never_ been like that before.
|
|I'd like to take this opportunity to thank joe, Ulf, Dean, and Laura for helping Guido and me with the pre-conference disaster recovery workshop. They wandered into the room where we were setting up, and stayed with us till well after midnight testing and configuring the lab systems. Hmmm... funny, that's about when the Scotch ran out as well... :) To give you an idea of how cool these guys are, they showed up at the workshop the next morning around 7:30 (after getting very little sleep the night before) and spent the next several hours configuring the IP settings in the 150+ lab VMs because the code I wrote to automate the process crashed and burned. And then they spent the rest of the workshop helping the attendees get connected to the wireless net, helping them do the exercises, answering questions, etc. etc. All voluntary, just to help out.
|
|I have to give special thanks to Jorge for running through the pre-conference lab docs until about 3:00 in the morning, just out of the goodness of his heart. Jorge is touring the Southwest US for the next couple of weeks with his girlfriend Nellika (sp?) and I hope he has a great trip.
|
|And double-special-thanks to Guido for partnering with me to produce the whole pre-conference workshop. Guido spent more nights and weekends than either of us want to remember to put the workshop together, and I certainly could not have done it without him. As big a PITA as it was, working with Guido made it a lot of fun except for the part when the VMs started to blue-screen an hour before the workshop was supposed to start. That part truly sucked. :)
|
|Thanks again to all of you who came, and I hope those who couldn't make this year can make it next year.
|
|-gil
|
|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
|Sent: Friday, March 31, 2006 12:37 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Quiet? DEC? Related?
|
|> $20 of it was spent showing Guido how US slot machines worked in the Bellagio.
|
|and that was so complicated to learn :-) Obviously I lost all of what I've put into the machines as well (hadn't expected anything else) - a whopping $12! But now I can gamble all I want since on the last day I went to the M&M world-store on the strip and bought a Slot-Machine-Type of M&M dispenser for my kids - it's way cool and I'm sure I'll use it more often than they will ;-))
|
|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
|Sent: Thursday, 30 March 2006 19:00
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Quiet? DEC? Related?
|
|Would be interested in hearing the survey
RE: [ActiveDir] Reset Local Admin Passwords
Hello Scott,

If you are talking about the DSRM password: setpwd - which is available in W2k SP4 - enables you to remotely reset a DC's DSRM password. If you want to run this across all running DCs you can do that as follows:

for /f %i in ('dsquery * -filter "(&(objectCategory=Computer)(userAccountControl=532480))" -attr name -q') do setpwd /s:%i /p:[EMAIL PROTECTED]

Make sure you extend the script to provide you with logging - you need to make sure that you know if you were unable to reset a DC's DSRM password.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Klassen
Sent: Friday, March 31, 2006 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reset Local Admin Passwords

A bit dated I know, but Danish Company's web site seems to have gone kaput. Does anyone here happen to have a copy of DCPC to share?

Scott Klassen

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katrin Wilhelm
Sent: Tuesday, January 31, 2006 3:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reset Local Admin Passwords

Use a tool called DCPC (DC password changer), freeware; you can find it here: http://www.danish-company.com/dcpc. All you need is the domain admin password and all PCs running. Straightforward, and I am changing the password every 2-3 months.

Cheers,
Katrin Wilhelm (MCSA)
CVGT Employment Training Specialists
Australia
E-mail: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, 1 February 2006 4:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reset Local Admin Passwords

We do realize the potential risk in this, but this request is coming from a higher authority (my boss). I've been asked to find a way to change it and I believe that they are going to have the password reset on a monthly basis.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura E. Hunter
Sent: Tuesday, January 31, 2006 11:30 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Reset Local Admin Passwords

| We currently have about 4 different passwords floating around our domain and we'd like to get it down to a single standard. Any help would be appreciated.

Okay, just to offer a counterpoint to your underlying plan - you do realise that by using a single local admin password across your enterprise, if even -one- of those workstations gets the admin password compromised, the attacker who did so now has local admin rights to every workstation on your network? With apologies to Jesper Johannsen[1], it's one of those "How to get your network hacked in 10 easy steps" things - if I've just compromised the local admin password of WorkstationA, what do you think is going to be the very first password I try when I move on to try and compromise WorkstationB?

[1] And additional apologies for the fact that I'm sure I just spelled his name wrong.

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Quiet? DEC? Related?
Hmm - they figured that one out while under NDA ;-)

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
|Sent: Thursday, March 30, 2006 9:16 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Quiet? DEC? Related?
|
|I think if Dean and Joe were to do the pre-conference that would get a few more people there, and I would pay a little more to ensure it was worthwhile for all attending parties.
|
|From what I recall I would also make any of their other sessions well into the afternoon - just to give everyone attending time to recover from the night before :-)
|
|The other interesting AD snippet that was revealed by the DJ Show was that Brett Shirley wears T-shirts with pictures of himself on them.
|
|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
|Sent: 30 March 2006 17:52
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Quiet? DEC? Related?
|
|The DEC backpacks were very nice and my wife immediately appropriated mine as soon as I got home last night. Gil handed the conference slide deck out on a USB stick, which was a great idea. Dean-n-Joe sessions were definitely the best of DEC and Gil *has* to convince them to present next year. I haven't been that entertained since the very first time I watched Monty Python and the Holy Grail.
|
|_Stuart Fuller
|
|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
|Sent: Thursday, March 30, 2006 9:28 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Quiet? DEC? Related?
|
|Dean and Joe ended up doing 2 sessions. I think they were on track to get it all covered in 1 session until Guido's house burned down. At any rate, both were excellent and probably the best of DEC. They're spinning up a website and some or all of the session content will probably end up there. They may be posting details about the site, but I didn't ask how widely they intend to publicize it.
|
|Hunter
|
|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
|Sent: Thursday, March 30, 2006 1:43 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Quiet? DEC? Related?
|
|Sounds great. Sorry I missed it. How was the Dean 'n Joe show? Did the handbags come out or was it a peaceable affair?
|
|Tony
|
|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
|Sent: Thursday, 30 March 2006 11:07 a.m.
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Quiet? DEC? Related?
|
|Just wrapped up Day 3. 530 people. General consensus is that it was the best DEC ever. More to follow when I can type on something bigger than a credit card.
|
|-gil
|
|-Original Message-
|From: Ayers, Diane [EMAIL PROTECTED]
|To: ActiveDir@mail.activedir.org
|Sent: 3/29/06 1:23 PM
|Subject: RE: [ActiveDir] Quiet? DEC? Related?
|
|Maybe we should ask a question on the merits of doubling down on an 11 when the dealer has a face card showing... :-)
|
|Diane
|
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
|Sent: Wednesday, March 29, 2006 9:35 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Quiet? DEC? Related?
|
|Don't worry, we're still here.. ;-)
|
|Met vriendelijke groeten / Kind regards,
|Ing. Jorge de Almeida Pinto
|Senior Infrastructure Consultant
|MVP Windows Server - Directory Services
|
|LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
|Tel : +31-(0)40-29.57.777
|Mobile : +31-(0)6-26.26.62.80
|E-mail : see sender address
|
|From: [EMAIL PROTECTED] on behalf of Moon, Brendan
|Sent: Wed 2006-03-29 19:26
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Quiet? DEC? Related?
|
|Hmm.. everyone must be having fun at DEC... this list has been very quiet this week!
|
|- Brendan Moon
RE: [ActiveDir] Quiet? DEC? Related?
Nope, handed out with but not in the bag. Was only 128. If you want me to mail you the content let me know. Easier than writing on the plane ;-)

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
|Sent: Thursday, March 30, 2006 7:10 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Quiet? DEC? Related?
|
|Hmmm I didn't get a USB stick with presentations on it... Was it in the bag? I still haven't looked through mine yet.
|
|Ah Monty Python and the Holy Grail, we probably could have fit a Knights of the Round Table song and dance in there somewhere, have to keep that in mind...
|
|--
|O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
|
|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
|Sent: Thursday, March 30, 2006 11:52 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Quiet? DEC? Related?
|
|The DEC backpacks were very nice and my wife immediately appropriated mine as soon as I got home last night. Gil handed the conference slide deck out on a USB stick, which was a great idea. Dean-n-Joe sessions were definitely the best of DEC and Gil *has* to convince them to present next year. I haven't been that entertained since the very first time I watched Monty Python and the Holy Grail.
|
|_Stuart Fuller
RE: [ActiveDir] Copying OU permissions
Hi David,

my script at http://www.windowsserverfaq.org/faq/CompACLs.asp provides you with all the parts you need to put your script together.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Friday, March 24, 2006 4:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Copying OU permissions

I need to find a way to dump the ACLs of an OU structure, then use that dump to re-apply the same permissions to a different OU. Anyone know of the best way to do this? I have seen DSACLS but cannot see a way to use a report to permission a different OU.

cheers
David
RE: [ActiveDir] AdminSDHolder
Yes - sorry - didn't want to suggest doing that - just wanted to outline how it works.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 20, 2006 10:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AdminSDHolder

But that is perl -e "print \"very \"x1000,\"\n\"" dangerous. If you happen to drop one of these objects in an OU that has some inherited permissions defined, such as user:FC to some folks with lesser powers, then it is all over. But yes, it is a Security Descriptor level mod which includes the ACLs (both DACL and SACL), inheritance setting (aka protected), owner, primary group, etc.

Neal: Would you like to alter the list because you would like to add your own custom groups/users to get controlled like that, or do you just want to change what is protected at all?

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Monday, March 20, 2006 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AdminSDHolder

Hi Neil,

as mentioned in my blog entry you are able to change whether it applies to the operator groups (and which). The whole nTSecurityDescriptor is copied; since inheritance is disabled on the adminSdHolder object, inheritance is disabled by default on those protected objects as well. If you enable inheritance on the adminSdHolder, the objects will inherit permissions.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 20, 2006 11:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AdminSDHolder

A few minor additions to other posts in this thread: The list of objects protected by SDPROP is hard coded AFAIK. The SD applied to adminsdholder is then copied to those objects and (by default) all other ACEs are removed and inheritance is disabled too. We discussed changing the list of objects protected in previous threads and concluded that this was not possible. I, for one, would like the flexibility to alter the list.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: 17 March 2006 20:24
To: activedirectory
Subject: [ActiveDir] AdminSDHolder

This may sound like a stupid question, but here goes - When MS says that Print Operators, Account Operators, or Backup Operators are protected by the PDCE checking the ACL on the AdminSDHolder object, I never see those groups in the ACE. Where are they listed? How are they protected? What ACL is the PDCE checking to determine what perms should be present for those groups?

Thanks and sorry again if this seems really stupid or basic.
RE: [ActiveDir] Extending AD Schema
Apart from the stuff others have answered:

- OIDs need to be registered for the company
- A prefix needs to be registered with MS
- LinkIDs - if they exist - need to be taken from a range assigned by Microsoft
- MapiIDs - if they use them you are on your own - you can't register these, but they also need to be unique.

For all those attributes there's no supported way of changing them afterwards. So make sure whatever is used is as unique as you are sure no other company would ever consider using the same ones.

Gruesse - Sincerely, Ulf B. Simon-Weidner
MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
|Sent: Tuesday, March 21, 2006 12:01 AM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Extending AD Schema
|
|AD Guys and Gals,
|
|Is there a way to back out of an AD Schema extension?
|
|We have a project that requires AD Schema extension. The vendor has a tool that will make changes in AD schema automatically. However, we are a little conscious about it. Is it possible to export the current AD schema and then make the extension? Would it be possible to import it back again?
|
|Can you guys/gals share your experience with schema extensions / updates?
|
|Thanks,
|Adeel

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
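Ulf's points above (an OID arc registered for the company, a registered prefix, linkIDs from an assigned range, unique MAPI IDs, and no supported way to change any of it afterwards) translate into a pre-flight check that a vendor's schema extension should pass before it is applied. The PowerShell below is an added example, not the vendor's tool or anything posted in the thread. It assumes the ActiveDirectory module, a list of the attributes the vendor intends to add (the sample entries and the OID arc 1.2.840.113556.1.8000.2554.12345 are constructed placeholders), and it takes a schema snapshot with ldifde first, which is the closest thing to the "export" Adeel asks about: a record of what was there, not a way to roll the extension back.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Take a copy of the schema partition before the vendor tool runs. It documents what
# was there; it is a record, not a way to undo the extension.
function Export-SchemaSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    & ldifde -f $Path -d $schemaNc -p subtree | Out-Null
    Get-Item $Path
}

function Test-SchemaExtension {
    param(
        # Objects with Name, OID and optional LinkID / MapiID, as the vendor documents them.
        [Parameter(Mandatory)][object[]]$Proposed,
        # The OID arc registered for your company; every new OID must sit under it.
        [Parameter(Mandatory)][string]$RegisteredOidArc,
        # Optional inclusive linkID range assigned by Microsoft.
        [int[]]$LinkIdRange
    )
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $existing = Get-ADObject -SearchBase $schemaNc -SearchScope OneLevel `
        -LDAPFilter '(|(objectClass=attributeSchema)(objectClass=classSchema))' `
        -Properties attributeID, governsID, lDAPDisplayName, linkID, mAPIID

    # Index what is already in the schema by each value that must stay unique.
    $byOid = @{}; $byName = @{}; $byLink = @{}; $byMapi = @{}
    foreach ($e in $existing) {
        $oid = if ($e.attributeID) { $e.attributeID } else { $e.governsID }
        if ($oid)               { $byOid[$oid] = $e.DistinguishedName }
        if ($e.lDAPDisplayName) { $byName[$e.lDAPDisplayName.ToLowerInvariant()] = $e.DistinguishedName }
        if ($e.linkID)          { $byLink[[int]$e.linkID] = $e.DistinguishedName }
        if ($e.mAPIID)          { $byMapi[[int]$e.mAPIID] = $e.DistinguishedName }
    }

    foreach ($p in $Proposed) {
        $problems = @()
        if (-not $p.OID.StartsWith("$RegisteredOidArc.")) {
            $problems += "OID is outside the registered arc $RegisteredOidArc"
        }
        if ($byOid.ContainsKey($p.OID)) { $problems += "OID already used by $($byOid[$p.OID])" }
        $key = $p.Name.ToLowerInvariant()
        if ($byName.ContainsKey($key))  { $problems += "lDAPDisplayName already used by $($byName[$key])" }
        if ($p.LinkID) {
            $link = [int]$p.LinkID
            if ($byLink.ContainsKey($link)) { $problems += "linkID $link already used by $($byLink[$link])" }
            # Forward links are even; the matching back link is forward+1 and must be free too.
            if (($link % 2) -eq 0 -and $byLink.ContainsKey($link + 1)) {
                $problems += "back link $($link + 1) already used by $($byLink[$link + 1])"
            }
            if ($LinkIdRange -and ($link -lt $LinkIdRange[0] -or $link -gt $LinkIdRange[1])) {
                $problems += "linkID $link is outside the assigned range $($LinkIdRange -join '-')"
            }
        }
        if ($p.MapiID -and $byMapi.ContainsKey([int]$p.MapiID)) {
            $problems += "mAPIID $($p.MapiID) already used by $($byMapi[[int]$p.MapiID])"
        }
        [pscustomobject]@{ Name = $p.Name; OID = $p.OID; Ok = ($problems.Count -eq 0); Problems = $problems }
    }
}

# Constructed sample of what a vendor might document (placeholder names and OIDs).
$proposed = @(
    [pscustomobject]@{ Name = 'vendorBadgeId';   OID = '1.2.840.113556.1.8000.2554.12345.1.1'; LinkID = $null; MapiID = $null }
    [pscustomobject]@{ Name = 'vendorManagedBy'; OID = '1.2.840.113556.1.8000.2554.12345.1.2'; LinkID = 12000; MapiID = $null }
)
Export-SchemaSnapshot -Path "$env:TEMP\schema-before.ldf" | Out-Null
Test-SchemaExtension -Proposed $proposed -RegisteredOidArc '1.2.840.113556.1.8000.2554.12345' |
    Format-Table Name, Ok, Problems -AutoSize
```

Any entry with Ok = False is a reason to stop and go back to the vendor, since none of these values can be changed once the extension has replicated.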
RE: [ActiveDir] AdminSDHolder
Hi Tom, I do not fully understand what you mean.

| When MS says that Print Operators, Account Operators, or Backup Operators are protected by the PDCE checking the ACL on the AdminSDHolder object, I never see those groups in the ACE.

Wrong - MS does not say that the Operators are protected by the PDCE checking any ACL. The PDCE runs the process which ensures that the adminCount Attribute of members of those groups (+ others and accounts you haven't mentioned) is 0, then it resets the Security-Descriptor to be the same as the AdminSdHolder-Process. You've never seen ACEs for AOs? Did you check a user, group, computer, inetorgperson or OU? Account Operators have the right to create child/delete child on OUs for Users, Groups, Computers, INetOrgPersons, and they also have Full Control on those Objects.

| Where are they listed?

Security Tab

| How are they protected?

See above

| What ACL is the PDCE checking to determine what perms should be present for those groups?

No ACL, it's checking the groups, and resets the rights of their members. The adminCount Attribute is a helper. In the thread before my blog about this was mentioned, I think it clarifies some stuff: http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx

Gruesse - Sincerely, Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, March 17, 2006 9:24 PM
To: activedirectory
Subject: [ActiveDir] AdminSDHolder

This may sound like a stupid question, but here goes - When MS says that Print Operators, Account Operators, or Backup Operators are protected by the PDCE checking the ACL on the AdminSDHolder object, I never see those groups in the ACE. Where are they listed? How are they protected? What ACL is the PDCE checking to determine what perms should be present for those groups? Thanks and sorry again if this seems really stupid or basic.
RE: [ActiveDir] View Delegated Tasks?
Since it hasn't been mentioned - LDP of R2 and ADAM provides the possibility to view the ntSecurityDescriptor as well.

Gruesse - Sincerely, Ulf B. Simon-Weidner
MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, March 17, 2006 8:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] View Delegated Tasks?

you can also use DSREVOKE in report mode to see where a certain security principal has been assigned delegated permissions in the domain partition

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Fri 2006-03-17 19:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] View Delegated Tasks?

You can use the dsacls command line tool if you want it in text view, or, in ADUC, View > Advanced Features, and then right click the OU, Properties, Security Tab. You can also get the ACL Editor view in ADSIEdit natively.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Friday, March 17, 2006 1:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] View Delegated Tasks?

When I delegate permissions to a group in ADUC to a specific OU (using the Delegate Wizard), how can I go back and see who was delegated and the permissions?

Devon Harding
Windows Systems Engineer
Southern Wine Spirits - BSG
954-602-2469
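The answers above name the tools (dsacls, the ADUC Security tab, ADSIEdit, DSREVOKE in report mode, LDP); what they have in common is that the Delegation Wizard leaves explicit, non-inherited ACEs on the OU, often scoped to a schema class or an extended right by GUID. The PowerShell below is an added example, not code from any of the posters; it assumes the ActiveDirectory module and its AD: drive, walks the containers under a search base, keeps only explicit ACEs (optionally for one principal) and resolves the object-type GUIDs to names so the report reads the way the wizard's pages did. The OU and the principal in the usage line are placeholders.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and its AD: drive.
Import-Module ActiveDirectory

# Map schema and extended-right GUIDs to names, so an ACE reads "Reset Password on user"
# instead of two GUIDs.
function Get-AdGuidMap {
    $root = Get-ADRootDSE
    $map  = @{}
    Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
                 -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    $map
}

function Get-DelegatedAce {
    param(
        # Where to start, e.g. the OU the wizard was run on.
        [Parameter(Mandatory)][string]$SearchBase,
        # Optional 'DOMAIN\Name' of the principal to report on; omit to list every explicit ACE.
        [string]$Principal
    )
    $names = Get-AdGuidMap
    $containers = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
        -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container)(objectClass=domainDNS))'

    foreach ($c in $containers) {
        $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            # The Delegation Wizard writes explicit ACEs; inherited ones were granted higher up.
            if ($ace.IsInherited) { continue }
            if ($Principal -and $ace.IdentityReference.Value -ne $Principal) { continue }
            [pscustomobject]@{
                Container   = $c.DistinguishedName
                Principal   = $ace.IdentityReference.Value
                Type        = $ace.AccessControlType
                Rights      = $ace.ActiveDirectoryRights
                Right       = if ($ace.ObjectType -eq [guid]::Empty) { 'All' }
                              elseif ($names.ContainsKey($ace.ObjectType)) { $names[$ace.ObjectType] }
                              else { $ace.ObjectType.ToString() }
                AppliesTo   = if ($ace.InheritedObjectType -eq [guid]::Empty) { 'All objects' }
                              elseif ($names.ContainsKey($ace.InheritedObjectType)) { $names[$ace.InheritedObjectType] }
                              else { $ace.InheritedObjectType.ToString() }
                Inheritance = $ace.InheritanceType
            }
        }
    }
}

# Usage (placeholder DN and principal): what did the wizard grant the help desk under this OU?
Get-DelegatedAce -SearchBase 'OU=Workstations,DC=example,DC=com' -Principal 'EXAMPLE\HelpDesk' |
    Format-Table Container, Right, AppliesTo, Rights, Inheritance -AutoSize
```

Leave out -Principal to get the full inventory of explicit grants under the search base, which is the list worth reviewing periodically: delegation that nobody remembers granting is still delegation.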
RE: [ActiveDir] AdminSDHolder
The securityDescriptor of the adminSdHolder is copied to be the same as the securityDescriptor of the Object in Question. Just look at the Security-Tab of both, they are the same. If you change the one on a protected Object (adminCount 0) it will be reset to be the same within one hour. AdminSdHolder is an object which has IMHO no specific use, just to hold a securityDescriptor to use as template.

Gruesse - Sincerely, Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, March 18, 2006 1:26 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AdminSDHolder

when you say "if the SD of one of those objects is not the same as what is on the adminSDHolder object...", where on the adminSDHolder object are these values kept that help it determine the SD? Thanks

On 3/17/06, joe [EMAIL PROTECTED] wrote:
The SDPROP thread monitors groups/users that are considered "sensitive" and if the SD of one of those objects is not the same as what is on the adminSDHolder object, that SD is applied to the object. They are not specified in the ACL on the adminSDHolder object because they shouldn't have permissions over those sensitive objects.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, March 17, 2006 3:24 PM
To: activedirectory
Subject: [ActiveDir] AdminSDHolder

This may sound like a stupid question, but here goes - When MS says that Print Operators, Account Operators, or Backup Operators are protected by the PDCE checking the ACL on the AdminSDHolder object, I never see those groups in the ACE. Where are they listed? How are they protected? What ACL is the PDCE checking to determine what perms should be present for those groups? Thanks and sorry again if this seems really stupid or basic.
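The three AdminSDHolder threads on this page (joe's and neil's replies, Ulf's answers to Tom Kern, and the message just above) describe one mechanism: SDProp on the PDC emulator stamps the AdminSDHolder security descriptor onto every object that carries adminCount, blocks inheritance on it, and repeats that hourly. The PowerShell below is an added example, not code from any of the posters; it assumes the ActiveDirectory module and reports, for each adminCount=1 object, whether its DACL and owner currently match the AdminSDHolder template and whether inheritance is blocked. That is the check a defender runs to see drift before SDProp's next pass, or to spot a template that has itself been edited.

```powershell
# Added example (not from the list thread). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AdminSdHolderDrift {
    [CmdletBinding()]
    param(
        # Query the PDC emulator, since that is where SDProp runs (default: discover it).
        [string]$Server = (Get-ADDomain).PDCEmulator
    )

    $domain   = Get-ADDomain -Server $Server
    $holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    $holder   = Get-ADObject -Server $Server -Identity $holderDn -Properties nTSecurityDescriptor

    # Compare DACL and owner; reading the SACL needs SeSecurityPrivilege, so it is left out.
    $sections     = [System.Security.AccessControl.AccessControlSections]'Access, Owner'
    $templateSddl = $holder.nTSecurityDescriptor.GetSecurityDescriptorSddlForm($sections)

    # Objects stamped by SDProp carry adminCount=1; nothing clears it automatically.
    $stamped = Get-ADObject -Server $Server -LDAPFilter '(adminCount=1)' `
                            -Properties nTSecurityDescriptor, objectClass, whenChanged

    foreach ($obj in $stamped) {
        $sd   = $obj.nTSecurityDescriptor
        $sddl = $sd.GetSecurityDescriptorSddlForm($sections)
        $owner = try { $sd.GetOwner([System.Security.Principal.NTAccount]).Value }
                 catch { $sd.GetOwner([System.Security.Principal.SecurityIdentifier]).Value }
        [pscustomobject]@{
            DistinguishedName  = $obj.DistinguishedName
            ObjectClass        = $obj.ObjectClass
            InheritanceBlocked = $sd.AreAccessRulesProtected   # SDProp sets this
            MatchesTemplate    = ($sddl -eq $templateSddl)    # false = drift or pending reset
            Owner              = $owner
            WhenChanged        = $obj.whenChanged
        }
    }
}

# Usage: list only objects whose descriptor differs from the template right now.
# A mismatch is either a change SDProp has not yet undone (it runs hourly) or a sign
# that the object or the template was edited; either way, find out who changed it.
Get-AdminSdHolderDrift |
    Where-Object { -not $_.MatchesTemplate -or -not $_.InheritanceBlocked } |
    Format-Table DistinguishedName, ObjectClass, InheritanceBlocked, MatchesTemplate, Owner -AutoSize
```

Run it twice an hour apart: anything still mismatched after SDProp has had its pass is not drift, it is the template or an object being changed by someone with the rights to do so.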
RE: [ActiveDir] Forest Recovery Question
Assuming a complete failure of the Forest you need to disable the GC on multi-domain forests, recover each domain as needed, make sure that the domain is in sync, then re-enable the GCs. You will not need to disable the GC in a single domain environment since the GC does not store anything but some indexes from the domain database.

Gruesse - Sincerely, Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Sunday, March 12, 2006 11:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Forest Recovery Question

Hi everyone, I have read a MS whitepaper regarding Forest Recovery. The process seems straightforward. My question is regarding GC's, it mentions that you should disable the GC function on a restored root DC if enabled as this may contain a partial replica newer than that of the domain it's authoritative for. If the GC function is disabled, you can't seize the Domain naming master FSMO which I assume would mean you can't add additional child domains. So would you have to disable then re-enable the GC function, seize the FSMO roles (ex IM) to the restored root DC (now a GC) before adding a second DC and making this an IM FSMO before recovering the child domains? So my question is at what point would you need to re-enable the GC function on the recovered root DC? This is assuming it's a multi-domain environment...so would disabling the GC function be required in a single domain forest recovery? I would have thought not.

thanks
James Carter
RE: [ActiveDir] Migrating AD to a lab
Hello Peter, it depends on what you intend to test in your lab. Since lab security is usually more relaxed than production security (e.g. external employees getting domain admin access to test scripts or whatever) I wouldn't want my user-accounts (and worse - service and admin accounts) in the lab with their real passwords. If you just want the structure you can use the scripts provided with GPMC, and export/import user data without passwords using csvde. I'd just put the stuff in the lab you need there, e.g. if you just want to test GPOs the OU-Structure and some test accounts would be sufficient, if you want to test scripting for modifying users or provisioning you might need some more data.

Pulling some backup / introducing another DC / pulling drives of a RAID-mirror are valid solutions if you need production data. I'd do an imaging-backup or pulling/replacing a drive if I have the same hardware.

Also keep in mind that virtualisation is a valid solution, you can use P2V in VMWare or Virtual Server Migration Tool in VS. Virtualisation also provides you with the logical splitting of the production network from the test network, while still being able to access the test environment from any production machine. I've started to like to put my test-environment in the datacenter (well protected) and access it from my workplace. This is another important point: I've also found that I was lazily considering if I should go in the room with the test equipment when I knew I have to be back at my workplace soon or expected some important emails. Being able to access the test environment from the desk enables me more often to use the test environment when testing a script or something. If the test environment is physical I was sometimes putting a RDP-enabled workstation with two legs in between, so I was able to RDP to the workstation and then RDP into the test environment. And multimonitor at the primary desk also provides a great gain in productivity - e.g. RDP Fullscreen on the second monitor.

Just my 0,02€

Gruesse - Sincerely, Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Saturday, March 11, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrating AD to a lab

Hi all

I was wondering, after finally getting management buy-in to build a lab, what the easiest way is to get my domain info migrated into the lab for the purposes of testing, dev etc? Do I simply Dcpromo a new box and then cut it off from the domain and NTDSUTIL it out or do I do a state recovery from my Tivoli backups? Anyone got any ideas/pointers etc.

Thanks greetings from a chill server room in Johannesburg South Africa.
Peter Johnson
RE: [ActiveDir] Technet Magazine Active Directory Component Jigsaw
Hi Todd, this would rock if you are able to scan it (or somebody has contacts to the team to request a printable file)? Subscriptions are only free for US Residents (shipping costs), and the web-version does not include the picture.

Gruesse - Sincerely, Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E]
Sent: Wednesday, March 08, 2006 5:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Technet Magazine "Active Directory Component Jigsaw"

http://www.microsoft.com/technet/technetmag/

Someone in my office just gave me a copy of this free magazine, and it came with the really neat insert called the Active Directory Component Jigsaw. It is a wall hanging that outlines all the AD process graphically. I will try to scan it and post it on my Blog, but I just wanted to make you all aware of it. I plan to hang it on my cubicle wall on the outside that says "What I do here" :-) Subscriptions are free.

Todd
RE: [ActiveDir] Bulk Import
If you mention google after MSN Search you have to turn off the shameless plug. ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, March 09, 2006 3:26 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Bulk Import

If not, ldifde will let you create passwords if you want to go that route but mailboxes would be harder to deal with it. ADMOD will not mailbox enable the objects. For that you'd want to pipe it to exchmbx. I'd tell everyone what the input is and ask Deji to look through his couches (couches? As in more than one?) for a useful script. Or you *could* use something like shameless Microsoft plug (as if they need it here) MSN Search or Google to find such scripts pre-written that you could modify.

Couple of options anyway. People that use CSVDE tend to then use a script to set the passwords on those objects that get created. LDIFDE would be more flexible for what you're trying to do, but I've never tried to do it with that tool. My preference would be script instead. I'd call Deji and ask him to search his couches (is it really two? I feel like I'm hung up on that for some reason :)

On 3/8/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
What is your input? Where are you getting the input from, and what format is it in? Al mentioned some script laying around. I may have one stuck in one of my couches here :)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Harding, Devon
Sent: Wed 3/8/2006 1:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Bulk Import

I was going to use csvde, but read that it did not support password creation. Is this supported under ADMod?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, March 08, 2006 4:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Bulk Import

I suppose it really depends on your input data. What have you got to work with and what is the decision criteria for the OU differences? Creating the objects in a particular OU and mailbox enabling them would not be terribly difficult depending on the information you have and want to put in there. Jim's way would work, but I think I prefer to put them where they belong at creation vs. later. For that reason either one of Joe's tools (admod for example) or script would be my preference. Script would be mine but that's just because I'm funny like that. Joe's tools are faster though both at runtime and to get working if you don't have scripts laying around.

Al

On 3/8/06, Kennedy, Jim [EMAIL PROTECTED] wrote:
Ok, I skipped a step, sounds like you need these 200 to go to separate OU's. Mass create them in one OU, mass right click them and create the mailbox then mass send them an email. Then script the move if that is faster/easier than a manual drag and drop. So your spreadsheet of users is: firstname lastname password targetOU - convert that to comma text for your script and use the first three for the creation and then the first two and last for the move.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: Wednesday, March 08, 2006 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Bulk Import

Delegate it to HR. Short of that get HR or someone to give you a list of the names and script it, provide a default password of their SS number perhaps...must be changed on first log on. After they are created, in the same OU...mass select them in ADUC and right click them and send them a test email to create the mailbox.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, March 08, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Bulk Import

What's the fast way for me to create 200 user accounts in specific OU's and create Exchange mailboxes?

Devon Harding
Windows Systems Engineer
Southern Wine Spirits - BSG
954-602-2469
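Al's preference in the thread above is a script that creates each account in its target OU at creation time rather than moving it later, with the password set in the same step. The PowerShell below is an added example, not code from any of the posters; it assumes the ActiveDirectory module, takes Jim's spreadsheet layout (first name, last name, target OU; the sample rows, OU DNs and UPN suffix are constructed placeholders), generates a random per-user initial password from a CSPRNG instead of deriving it from personal data, and flags the account so that password has to change at first logon. Mailbox creation is an Exchange step and is only noted in a comment.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module; mailbox
# creation is an Exchange step (Enable-Mailbox) and is only noted below.
Import-Module ActiveDirectory

# Constructed sample input: the columns Jim describes, minus the password column.
$SampleCsv = @'
FirstName,LastName,TargetOU
Alice,Example,"OU=Sales,DC=example,DC=com"
Bob,Sample,"OU=Finance,DC=example,DC=com"
'@

function New-InitialPassword {
    param([int]$Length = 20)
    # Random, per-user initial password from a CSPRNG; the user must change it at first
    # logon, so it is handed over once and is never derived from anything guessable.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?@'
    $bytes = New-Object byte[] ($Length * 4)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        $alphabet[[BitConverter]::ToUInt32($bytes, $i * 4) % $alphabet.Length]
    }
    -join $chars
}

function New-UsersFromCsv {
    param(
        [Parameter(Mandatory)][string]$CsvText,
        [string]$UpnSuffix = 'example.com',   # placeholder
        [switch]$WhatIf
    )
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        # First initial + surname, lower-cased; append a number if the name is already taken.
        $base = ($row.FirstName.Substring(0, 1) + $row.LastName).ToLowerInvariant()
        $sam  = $base; $n = 1
        while (Get-ADUser -Filter "sAMAccountName -eq '$sam'") { $sam = "$base$n"; $n++ }

        $password = New-InitialPassword
        $params = @{
            Name                  = "$($row.FirstName) $($row.LastName)"
            GivenName             = $row.FirstName
            Surname               = $row.LastName
            SamAccountName        = $sam
            UserPrincipalName     = "$sam@$UpnSuffix"
            Path                  = $row.TargetOU        # created in the right OU, no move later
            AccountPassword       = (ConvertTo-SecureString $password -AsPlainText -Force)
            ChangePasswordAtLogon = $true
            Enabled               = $true
            WhatIf                = $WhatIf
        }
        New-ADUser @params
        # Mailbox (Exchange Management Shell, not run here): Enable-Mailbox -Identity $sam

        # Return the handover data to the caller; this function writes nothing to disk.
        [pscustomobject]@{ SamAccountName = $sam; Path = $row.TargetOU; InitialPassword = $password }
    }
}

# Usage: dry run first, then for real; hand each InitialPassword to its owner out of band.
New-UsersFromCsv -CsvText $SampleCsv -WhatIf
```

The returned objects are the only place the initial passwords exist; pipe them to whatever secure handover process you use rather than to a file in the share where the CSV came from.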
RE: [ActiveDir] How Secure is a Domain Controller?
Hi Neil, I think long passwords are primarily necessary for privileged accounts such as domain admins and especially service accounts. Having long, randomly generated passwords is not an issue for service accounts if you have a procedure in place to change them. If you need to provide the password again, you can generate a new one and change it - no need to even store those passwords. For domain admins teach them how to create long passwords - e.g. starting with passphrases would be a start which can be improved with nonsense characters in between to avoid dictionary attacks. I also believe it's a good idea to teach your users as well, but that's mainly internal marketing. Long passwords don't buy you the security that those passwords cannot be hacked, however it increases the time the attacker needs to get to the passwords, and buys you time for changing the passwords after a DC has been stolen. Since I'm talking about admin and service-accounts it's not enforceable via GPO - at least not without 3rd party software or a special domain design.

Gruesse - Sincerely, Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 06, 2006 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How Secure is a Domain Controller?

The use of 20 char passwords caught my eye. In previous discussions with MS et al, it was suggested that the majority of users would simply repeat a (at most) 7 char password n times, so as to meet the 20+ char pw policy requirement. As a result, I have heard it suggested that in reality (not theory) a pw policy of more than 7 chars is actually counter productive. [Any pw policy with a multiple of 7 chars being most counter productive.]

Food for thought,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 05 March 2006 08:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How Secure is a Domain Controller?

I've written down some related thoughts once: http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.aspx

Gruesse - Sincerely, Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Sunday, March 05, 2006 4:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How Secure is a Domain Controller?

How Secure is a Domain Controller that is fully patched on a default install of Windows 2003? When promoted the domain controller has the two default policies, both of which are recommended not to be modified. But there are things that could be done better for added security. For example, NTLMv2 refuse NTLM and LM. Is it common practice to add additional GPOs to the DC OU? Or is DC protected enough to where all that is needed to worry about are the member machines? If adding additional GPOs to the DC OU, is there anything that should definitely be avoided?

Edwin
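neil's point in the thread above is that a length rule on its own invites a 7-character password typed three times, so a 21-character minimum can end up weaker than the 7 characters it replaced. The check below is an added example, not code from the thread: it detects a password that is a short block repeated, which is the rule a custom password filter or an audit script would enforce next to the length minimum, and reports the block and its repetition count. It needs no AD connection; the inputs are constructed.

```powershell
# Added example (not from the thread). Pure string logic; no AD connection needed.

function Get-RepeatedBlock {
    param([Parameter(Mandatory)][string]$Password)
    # A string is a shorter block repeated iff it occurs inside itself doubled at a
    # shift smaller than its length; that shift is the block length. Ordinal comparison
    # so case and culture rules do not fold characters together.
    $n = $Password.Length
    if ($n -lt 2) { return $null }
    $shift = ($Password + $Password).IndexOf($Password, 1, [StringComparison]::Ordinal)
    if ($shift -gt 0 -and $shift -lt $n) { return $Password.Substring(0, $shift) }
    return $null
}

function Test-PasswordCandidate {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MinLength = 20     # the figure the thread is discussing
    )
    $block   = Get-RepeatedBlock -Password $Password
    $reasons = @()
    if ($Password.Length -lt $MinLength) { $reasons += "shorter than $MinLength" }
    if ($block) {
        $reasons += "block '$block' ($($block.Length) chars) repeated $($Password.Length / $block.Length) times"
    }
    [pscustomobject]@{
        Password = $Password
        Accepted = ($reasons.Count -eq 0)
        Reasons  = $reasons
    }
}

# Constructed inputs: a 7-character block typed three times passes a naive length rule
# and fails here; a passphrase with filler characters passes both checks.
@(
    'Secret7Secret7Secret7',
    'abcabcabcabcabcabcabc',
    'correct-horse-9-battery-staple',
    'Tr0ub4dor'
) | ForEach-Object { Test-PasswordCandidate -Password $_ } |
    Format-Table Password, Accepted, Reasons -AutoSize
```

The doubled-string trick finds the smallest period, so 'abcabcabc...' is reported as the 3-character block repeated seven times rather than as a 7-character block repeated three; either way the candidate is rejected, which is what the length rule on its own cannot do.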
RE: [ActiveDir] Dynamic Groups
And keep in mind that it only works when users are logging off and on (at least for domain groups) so that the token is recreated - so running it multiple times a day is probably not practical.

Gruesse - Sincerely, Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, March 06, 2006 9:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Dynamic Groups

Bryan- Just write a script which runs as a scheduled task which enumerates all the users in an OU and checks that they're a member of the group. You'll also need to remove users who don't belong in there anymore. Depending on the scale of your AD deployment (in terms of number of DCs and links between them) it may just be easier for you to clear out the group and repopulate it.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, March 06, 2006 3:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Dynamic Groups

I know you can build a dynamic query based distribution group, but can you do the same for a security group? What is the best way to accomplish making anyone who is in a particular OU a member of a security group on a dynamic basis (scheduled task frequency)?

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971
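Brian's scheduled-task approach above, with Ulf's caveat that members only see the change at their next logon, is straightforward to write as a set difference rather than a wipe-and-refill. The PowerShell below is an added example, not code from the thread; it assumes the ActiveDirectory module, reads and writes through one DC so the diff is computed against a single consistent view, adds only the users missing from the group and removes only the user members who have left the OU (nested groups and computers in the group are left alone), and supports -WhatI to show the diff without writing. The OU and group names are placeholders.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Sync-OuToGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OU,      # e.g. 'OU=Staff,DC=example,DC=com' (placeholder)
        [Parameter(Mandatory)][string]$Group,   # sAMAccountName or DN of the security group
        # Read and write on one DC so the diff is computed against a single consistent view.
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    $wanted  = @(Get-ADUser -Server $Server -SearchBase $OU -SearchScope Subtree -Filter 'enabled -eq $true' |
                 Select-Object -ExpandProperty DistinguishedName)
    # Only user members are managed; nested groups or computers in the group are left alone.
    $current = @(Get-ADGroupMember -Server $Server -Identity $Group |
                 Where-Object { $_.objectClass -eq 'user' } |
                 Select-Object -ExpandProperty DistinguishedName)

    $wantedSet  = [System.Collections.Generic.HashSet[string]]::new([string[]]$wanted)
    $currentSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$current)
    $toAdd    = @($wanted  | Where-Object { -not $currentSet.Contains($_) })
    $toRemove = @($current | Where-Object { -not $wantedSet.Contains($_) })

    # Touch only the members that changed: no replication churn, and the group's audit
    # trail shows individual add/remove events instead of a wipe and refill every run.
    if ($toAdd -and $PSCmdlet.ShouldProcess($Group, "add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Server $Server -Identity $Group -Members $toAdd
    }
    if ($toRemove -and $PSCmdlet.ShouldProcess($Group, "remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Server $Server -Identity $Group -Members $toRemove -Confirm:$false
    }
    # Members see the change only after their next logon, when a new token is built.
    [pscustomobject]@{ Group = $Group; Added = $toAdd.Count; Removed = $toRemove.Count; Total = $wanted.Count }
}

# Usage (placeholders): run from a scheduled task; -WhatIf shows the diff without writing.
Sync-OuToGroup -OU 'OU=Staff,DC=example,DC=com' -Group 'Staff-Security' -WhatIf
```

Because removals are explicit, a run whose Removed count is unexpectedly large (an OU renamed, a filter typo) is visible in the output before anyone loses access, which a clear-and-repopulate script never shows you.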
RE: [ActiveDir] Resolving SIDs
The SID is only a number which is issued on each DC to new security principals on a first come first served basis, so if you create two users on the same DC you probably have two consecutive SIDs. There's nothing encrypted or magic in the SID, so there is no more information you can get just out of the SID without resolving it to the domain.

Gruesse - Sincerely, Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Monday, March 06, 2006 9:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Resolving SIDs

Adeel, I was thinking that I read that without the account database, you could actually gain some information from the SID, using a formula of some type. I don't know if that's actually possible or not. I might have made it up in a dream. Thanks for the info on sidtoname.exe, that might not help here, but I can see it being useful in the future.

Thanks,
Justin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Monday, March 06, 2006 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Resolving SIDs

Justin, The only thing that I can think of is Sidtoname.exe. I don't think that you are looking for this however. Can you expand a little bit more on building user information based on SID?

-Adeel

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Monday, March 06, 2006 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Resolving SIDs

I thought I remember seeing something recently about how to build some user information from a SID. Is this possible or am I dreaming? I don't mean resolving the SID against AD, I actually mean taking a lone SID and building some user information based on just the SID.

Thanks,
Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573
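What a lone SID does carry is its structure: for a domain account it is S-1-5-21 followed by three sub-authorities that identify the domain and a final RID that was handed out sequentially from the issuing DC's RID pool, exactly as Ulf describes. That gives two things without any lookup: which domain the SID belongs to, and, for RIDs below 1000, which built-in account or group it is. Nothing else is recoverable. The PowerShell below is an added example, not code from the thread; it parses a SID string with no AD connection, and the sample SIDs (random domain identifier) are constructed.

```powershell
# Added example (not from the thread). Pure parsing; no AD lookup.

# Well-known RIDs under S-1-5-21-<domain> that identify the account without a lookup.
$WellKnownRids = @{
    500 = 'Administrator'; 501 = 'Guest'; 502 = 'krbtgt'
    512 = 'Domain Admins'; 513 = 'Domain Users'; 514 = 'Domain Guests'
    515 = 'Domain Computers'; 516 = 'Domain Controllers'; 518 = 'Schema Admins'
    519 = 'Enterprise Admins'; 520 = 'Group Policy Creator Owners'
}

function ConvertFrom-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $parts = $Sid.Split('-')
    if ($parts[0] -ne 'S' -or $parts.Count -lt 3) { throw "Not a SID string: $Sid" }
    $subs = @(if ($parts.Count -gt 3) { $parts[3..($parts.Count - 1)] | ForEach-Object { [uint32]$_ } })

    # Account SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>: three sub-authorities identify
    # the domain, the last one is the RID issued in sequence from the DC's RID pool.
    $isAccount = ($parts[2] -eq '5' -and $subs.Count -eq 5 -and $subs[0] -eq 21)
    $domainSid = if ($isAccount) { 'S-1-5-21-' + ($subs[1..3] -join '-') } else { $null }
    $rid       = if ($isAccount) { $subs[4] } else { $null }

    [pscustomobject]@{
        Sid                 = $Sid
        Revision            = [int]$parts[1]
        IdentifierAuthority = [int64]$parts[2]
        SubAuthorities      = $subs
        IsAccountSid        = $isAccount
        DomainSid           = $domainSid
        Rid                 = $rid
        # RIDs below 1000 are reserved; anything above is an ordinary object created later.
        KnownAccount        = if ($isAccount -and $WellKnownRids.ContainsKey([int]$rid)) { $WellKnownRids[[int]$rid] } else { $null }
    }
}

# Constructed sample SIDs (random domain identifier, not from the thread).
$samples = @(
    'S-1-5-21-1004336348-1177238915-682003330-512',   # Domain Admins of that domain
    'S-1-5-21-1004336348-1177238915-682003330-1105',  # an ordinary account; only its domain is knowable
    'S-1-5-21-1004336348-1177238915-682003330-1106',  # created right after it on the same DC
    'S-1-5-32-544'                                    # BUILTIN\Administrators, not a domain account
)
$samples | ForEach-Object { ConvertFrom-Sid $_ } |
    Format-Table Sid, IsAccountSid, DomainSid, Rid, KnownAccount -AutoSize
```

This is the same parsing an incident responder does when a SID turns up in an event log with no name: match the domain part against the domains you know, check the RID against the reserved list, and resolve the rest against a DC.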
RE: [ActiveDir] How Secure is a Domain Controller?
I've written down some related thoughts once: http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.aspx

Gruesse - Sincerely, Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Sunday, March 05, 2006 4:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How Secure is a Domain Controller?

How Secure is a Domain Controller that is fully patched on a default install of Windows 2003? When promoted the domain controller has the two default policies, both of which are recommended not to be modified. But there are things that could be done better for added security. For example, NTLMv2 refuse NTLM and LM. Is it common practice to add additional GPOs to the DC OU? Or is DC protected enough to where all that is needed to worry about are the member machines? If adding additional GPOs to the DC OU, is there anything that should definitely be avoided?

Edwin
RE: [ActiveDir] Active Directory Backup
Hello, I do not understand your scenario correctly. If you had multiple DCs, and you deleted one of them, the GPO will still be on the other DCs. If you had a single DC, and you reinstalled it but forgot to export your GPO, you can do that as you describe with the following modifications: 1. Install a WS2k3, do not make it a DC. Try to use the same hardware if possible, and do not put it into the same network (but provide it with a link - a single wire on a hub without any other connections would be sufficient) 2. Restore the Systemstate (still make sure that it's on a separate network) 3. You can log onto the server using the domain admins credentials with the password at the time of the backup 4. Use GPMC (you can install it at 1. or you use a USB-Stick or CD to install it) to backup the GPO to e.g. a USB-Stick again 5. Use GPMC on your production server to import the GPO. You do not need to boot into directory recovery mode here. However note that you are able to reset the directory recovery mode administrators password as long as you have the domain admin by logging on while AD is active, then use ntdsutil to reset the DSRM Admins password. Gruesse - Sincerely, Ulf B. Simon-Weidner MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811 D |-Original Message- |From: [EMAIL PROTECTED] |[mailto:[EMAIL PROTECTED] On Behalf Of marwahashem |Sent: Friday, March 03, 2006 7:49 PM |To: ActiveDir@mail.activedir.org |Subject: [ActiveDir] Active Directory Backup | | |Dear All, | |We were having a Server As Domain Controller called DC1.Mydomain.com | |this server had several OU and each OU inside it, and it has a |group Policy applied to it. | |we used to take the Backup of This server as :- | |1- System State . |2- SYSVOL Folder. 
|
|for some reasons, this server has been formatted and completely formatted.
|
|Now, I did not take a backup from the Group Policy which I assigned to the Users OU at all.
|
|I want to implement the same group policy on the same OU as Before.
|
|So, I am thinking of another IDEA, Please Follow it with me.
|
|1- As long as I have the Backup from the Domain Controller which is SYSTEM STATE SYSVOL, I will install Windows Server 2003 on another server; I will create the Domain Controller with the same name but without any Configurations at all on (New Server).
|
|2- Once the Windows Server 2003 is installed and configured completely, I will restart it, and I will choose F8 to choose (Active Directory Disaster Recovery Mode).
|
|3- I will restore the Backup as we know.
|
|But, while I am doing it, I Discover that I forgot the Password of the Domain Controller in Disaster recovery mode; I found that I am Unable to Login at the F8 Choice.
|
|Please, can any one Help me, guide me, to see what is going on and how to solve this situation, in Order to solve it as soon as possible.
|
|Please Urgent Help.
|
|Thanks Best Regards,
|Marwa,
|
|List info : http://www.activedir.org/List.aspx
|List FAQ: http://www.activedir.org/ListFAQ.aspx
|List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
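The export/import path in the reply above (steps 4 and 5) and the online DSRM password reset, as an added PowerShell example that is not from the thread. It assumes the GPMC PowerShell module (GroupPolicy, Server 2008 R2 or later, or RSAT) is available on both the isolated restored server and the production DC, that the GPO is named "Users OU Policy", that the removable drive is E:, and that the target OU is OU=Users,DC=mydomain,DC=com; all of those names are placeholders.

```powershell
# Added example, not from the thread. Part 1 runs on the isolated server that
# was system-state restored; part 2 on the production DC; part 3 on any DC.
Import-Module GroupPolicy

# --- Part 1: on the isolated restored server (step 4 in the reply) ---
$backupDir = 'E:\GPOBackup'                       # assumed USB stick path
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Backing up by name captures both the AD container (GPC) and the SYSVOL
# part (GPT), which is why the restored SYSVOL must be in place first.
Backup-GPO -Name 'Users OU Policy' -Path $backupDir `
           -Comment 'Recovered from system state restore'

# An HTML report next to the backup lets you review every setting before it
# ever touches production.
Get-GPOReport -Name 'Users OU Policy' -ReportType Html `
              -Path "$backupDir\UsersOUPolicy.html"

# --- Part 2: on the production DC (step 5 in the reply) ---
# -CreateIfNeeded creates the GPO if it does not exist yet. A migration table
# would be required if the policy referenced security principals or UNC paths
# that differ between the restored copy and production; same domain here.
Import-GPO -BackupGpoName 'Users OU Policy' -Path $backupDir `
           -TargetName 'Users OU Policy' -CreateIfNeeded

# Link it to the OU it used to apply to. Review the report first; linking is
# the moment the settings become live for every user in that OU.
New-GPLink -Name 'Users OU Policy' -Target 'OU=Users,DC=mydomain,DC=com' `
           -LinkEnabled Yes

# --- Part 3: reset the DSRM password while AD is online (no F8 needed) ---
# "null" means the DC you are logged on to; a DC name resets it remotely.
# ntdsutil prompts twice for the new password; it is not passed on the line.
ntdsutil 'set dsrm password' 'reset password on server null' 'quit' 'quit'
```

Keep the backup directory off the isolated server's network path: the reply's whole point is that the restored box never talks to production, so the GPO travels on the stick and only the import runs on the live DC.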
RE: [ActiveDir] Trouble adding a new server to an AD domain
Hi Gene,

the Infrastructure Master is not the most critical role. However if you have a backup of that system I'd recommend a restore of the Systemstate. If not, I'd seize the Infrastructure Master to another server, clean up the Active Directory from the remnants of the old server (Metadata-Cleanup, see here for the KBs http://www.windowsserverfaq.de/faq/AD/RemoveDC.asp). Afterwards you should be able to install a new server and promote it as DC using the same name as before, and move the IM again if necessary. Between the changes make sure that AD is replicated.

Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gene Sibbs
Sent: Friday, March 03, 2006 10:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Trouble adding a new server to an AD domain

"I'm having trouble adding a new server to an AD domain. There are 20 servers on the network, all are Windows 2003. Three were domain controllers. One DC housing the Infrastructure FSMO Role crashed. A new server was built. When trying to add it as a DC using the dcpromo wizard we see:

The Wizard is configuring Active Directory
Located domain controller server1.mydomain.com
Stopping NETLOGON
Examining an existing Active Directory Forest

After a moment we get the error:

The operation failed because: This Active Directory installation requires domain configuration changes, but whether these changes have been made on the domain controller server1.mydomain.com is undetermined. The installation process has quite. "The system cannot find the file specified".

We thought it might be because we named the replacement server the same name as the one which crashed. So we renamed the server and tried again with the same results. This is after a fresh install on a blank drive on this server."

I'm having a similar error as above... Any pointers?

Regards,
Sib
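The seize / metadata cleanup / replicate sequence from the reply above, as an added example that is not from the thread or from the linked KB page. It assumes the domain is mydomain.com, the surviving DC is server1, the crashed DC was OLDDC in site Default-First-Site-Name, and that ntdsutil is the Windows Server 2003 SP1 or later build (which accepts "remove selected server <DN>" directly; older builds need the interactive connections / select operation target dialogue the KB describes). Run it as Enterprise Admin on server1.

```powershell
# Added example, not from the thread. All names below are assumptions.
$survivor = 'server1.mydomain.com'
$deadDn   = 'CN=OLDDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com'
$deadAcct = 'CN=OLDDC,OU=Domain Controllers,DC=mydomain,DC=com'

# 1. See who AD still thinks holds the Infrastructure Master.
dsquery server -hasfsmo infr

# 2. Seize, not transfer: the holder is gone, so a graceful transfer is
#    impossible. The crashed DC must never be brought back online afterwards,
#    otherwise two DCs would claim the same role.
ntdsutil 'roles' 'connections' "connect to server $survivor" 'quit' `
         'seize infrastructure master' 'quit' 'quit'

# 3. Metadata cleanup removes the NTDS Settings object of the dead DC so the
#    KCC stops building replication links to it.
ntdsutil 'metadata cleanup' "remove selected server $deadDn" 'quit' 'quit'

# 4. Objects that older ntdsutil builds leave behind: the computer account in
#    Domain Controllers and the server object under the site. Remove them only
#    if they still exist (newer builds delete them in step 3).
foreach ($dn in $deadAcct, $deadDn) {
    if (dsquery * $dn -scope base 2>$null) {
        dsrm -noprompt -subtree $dn
    }
}
# DNS still carries the dead DC's A and SRV records; clean those in the DNS
# console (or with dnscmd) before re-using the name.

# 5. Push the change out and confirm nobody still references OLDDC before
#    running dcpromo on the replacement ("make sure that AD is replicated").
repadmin /syncall $survivor /AdeP
repadmin /replsummary
repadmin /showrepl $survivor | Select-String -Pattern 'OLDDC'   # expect no output
```

Only after step 5 shows no failures and no remaining OLDDC partner should the replacement be promoted; the dcpromo error quoted above is exactly what stale metadata about the old name produces.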
RE: [ActiveDir] AD Lag Sites
As Jorge mentioned you do not have to follow your physical subnets for Lag-Sites. Usually you would use that as a guideline, but for lag-sites you can do a sub-subnetting. AD replication does not care about the physical structure or TCP/IP-Settings (Subnetmask, Def-Gateway) - it just cares what you have configured in the sites, subnets and what IP the DC is using.

So in a 10.1.x.x network you could configure all servers with 10.1.x.x IP-Addresses with a Subnet-Mask of 255.255.0.0, however you keep all servers in one lagsite in the same "virtual subnet" 10.1.9.x and all production Servers in 10.1.1.x - 10.1.8.x. Remember that all have the default gateway and subnet mask for 10.1.x.x. But now you create the virtual subnets in AD, and join 10.1.1.x - 10.1.8.x to the production site, and 10.1.9.x to the lag-site. AD-Replication will do what you wanted it to do, even without the need for routing.

However - and this was the main reason why I wanted to follow up on this - remember that one lag-site might not be enough. Imagine you configure your lag-site to replicate every Thursday 6pm. So if someone makes an error deleting a whole OU on e.g. Tuesday, you are recognizing it on Wednesday and are able to rollback this OU (authoritative restore on the lag site, then force replication). However if someone deletes an OU on Thursday, and you recognize it on Friday (or even Thursday 7pm) you have to restore a server from tape first, because your only lag-site has already replicated that deletion.

What I prefer is creating two lag-sites, one which replicates in the middle of the week and one which replicates on the weekend. No matter when the error will be performed (even right before replication of one of the lag-sites), we always have an at least half-week-old copy of the AD in one of the Lag-Sites. And I've even heard from someone using seven lag-sites for every day in the week. Perhaps he's jumping into this thread later ;-)

Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, March 03, 2006 4:29 PM
To: Active
Subject: [ActiveDir] AD Lag Sites

Single Forest, Single Domain, W2K3 FFL

I am thinking about setting up a lag site for DR purposes. Just for clarification purposes, would I need a separate IP subnet, i.e. an IP subnet that isn't assigned to any other site in AD, to create this? All my existing IP Subnets are assigned to existing Sites which are used for normal replication, so I am assuming my question will result in a yes.

Does anyone have any recommended guides to follow

thanks

frank
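The "virtual subnet" trick and the two-lag-site design from the reply above, as an added PowerShell example that is not from the thread. It assumes the ActiveDirectory module (Server 2008 R2 or later, or RSAT), an existing site named "Production", two new sites "Lag-Wed" and "Lag-Sat", and the 10.1.x.x network from the reply with the DCs keeping their real 255.255.0.0 mask; the objects it creates are the same ones the Sites and Services MMC would create by hand, and every site, subnet and link name is a placeholder.

```powershell
# Added example, not from the thread. Names and addresses are assumptions.
Import-Module ActiveDirectory

foreach ($site in 'Lag-Wed', 'Lag-Sat') {
    New-ADReplicationSite -Name $site
}

# Site assignment uses the most specific matching subnet object, not the mask
# configured in the DC's TCP/IP settings. So a DC at 10.1.9.5/16 lands in
# Lag-Wed because 10.1.9.0/24 is a closer match than 10.1.0.0/16.
New-ADReplicationSubnet -Name '10.1.0.0/16'  -Site 'Production'
New-ADReplicationSubnet -Name '10.1.9.0/24'  -Site 'Lag-Wed'
New-ADReplicationSubnet -Name '10.1.10.0/24' -Site 'Lag-Sat'

function New-WeeklySchedule {
    # Builds a schedule that opens replication for one hour, 18:00-19:00,
    # on the given weekday and keeps it closed the rest of the week.
    param([DayOfWeek]$Day)
    $s = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
    $s.SetSchedule($Day,
        [System.DirectoryServices.ActiveDirectory.HourOfDay]::Eighteen,
        [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
        [System.DirectoryServices.ActiveDirectory.HourOfDay]::Nineteen,
        [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero)
    return $s
}

# One link per lag site. The interval must fit inside the one-hour window;
# the high cost keeps the KCC from ever routing production traffic through a
# lag site if site link bridging is enabled.
New-ADReplicationSiteLink -Name 'Production-LagWed' `
    -SitesIncluded 'Production', 'Lag-Wed' -Cost 500 `
    -ReplicationFrequencyInMinutes 15 `
    -ReplicationSchedule (New-WeeklySchedule Wednesday)

New-ADReplicationSiteLink -Name 'Production-LagSat' `
    -SitesIncluded 'Production', 'Lag-Sat' -Cost 500 `
    -ReplicationFrequencyInMinutes 15 `
    -ReplicationSchedule (New-WeeklySchedule Saturday)

# Verify: each lag DC should sit in its lag site and the links should carry
# the schedule. A DC in the wrong site means the subnet objects overlap badly.
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, Site
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, SitesIncluded, Cost, ReplicationFrequencyInMinutes
```

With the Wednesday and Saturday windows, a deletion made at any moment is still absent from at least one lag site for roughly half a week, which is the guarantee the reply is after; the schedule does nothing to stop a replicated deletion once the window opens, so the recovery still has to be an authoritative restore from the lag DC before its next window.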