RE : Re: [ActiveDir] remove orphan DC from the domain
Really? That is very interesting... Could you develop this statement, please? What is a XFER? When you say "it does a seize", does that mean it chooses a DC nearby and performs the seizure *automatically*?

Thanks,
Yann

Paul Williams <[EMAIL PROTECTED]> wrote:

> If the DC that died had FSMO roles, you need to seize them (check which
> DC had FSMO roles with --> NETDOM QUERY FSMO)

This step is no longer necessary in k3 SP1. NTDSUTIL does it for you. If I remember correctly, it tries a XFER and then does a Seize (as that's the logic for the Seize anyway). I believe this was added in SP1.

--Paul

- Original Message -
From: "Almeida Pinto, Jorge de"
To:
Sent: Friday, January 26, 2007 7:05 AM
Subject: RE: [ActiveDir] remove orphan DC from the domain

I forgot to mention:
* If the DC that died had FSMO roles, you need to seize them (check which DC had FSMO roles with --> NETDOM QUERY FSMO)
* DNS records are NOT removed by NTDSUTIL. This must be done manually, or wait if you have aging/scavenging enabled.

Also make sure the GC role and DNS roles are hosted by other computers (other DCs).

Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80

From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 01:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain

Thanks for your logic. I hope so, in the remaining DC it will do automatically.

Regards,
Senthil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, January 26, 2007 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain

The AD metadata cleanup is nothing more than the removal/deletion of objects that belong to a DC that is not live anymore. Just like other object deletions (user, group, etc.), the deletions will replicate to other DCs (assuming replication is working fine) that host the same partitions from which the objects were removed. Because of that you only need to target ONE live DC in the same domain when using NTDSUTIL. Imagine a domain with 1000 DCs. It would be a PITA to clean up the AD metadata of one of the DCs on the other 999 DCs... ;-))

Kind regards,
Ing. Jorge de Almeida Pinto

From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 00:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove orphan DC from the domain

Hi,

We already had 3 DCs in our network. Suddenly one DC went down permanently. That won't come back live. Right now we want to remove that orphan DC completely. I have seen the Microsoft article:

1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
2. At the command prompt, type ntdsutil, and then press ENTER.
3. Type metadata cleanup, and then press ENTER. Based on the options given, the administrator can perform the removal, but additional configuration parameters must be specified before the removal can occur.
4. Type connections and press ENTER. This menu is used to connect to the specific server where the changes occur. If the currently logged on user does not have administrative permissions, different credentials can be supplied by specifying the credentials to use before making the connection. To do this, type set creds DomainName UserName Password, and then press ENTER. For a null password, type null for the password parameter.
5. Type connect to server servername, and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and the credentials you supplied have administrative permissions on the server.
   Note: If you try to connect to the same server that you want to delete, when you try to delete the server that step 15 refers to, you may receive the following error message: Error 2094. The DSA Object cannot be deleted 0x2094
6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.
7. Type select operation target and press ENTER.
8. Type list domains and press ENTER. A list of domains in the forest is displayed, each with an associated number.
9. Type select domain number and press ENTER, where number is the number associated with the domain the server you are removing is a member of. The dom
RE : RE: RE: [ActiveDir] Question about DNS SRV registration.
Ulf,

Thanks for the clarification. I will follow your advice. :)

Just an OT... I found your Windows Server 2003 book on amazon.com here: http://www.amazon.de/exec/obidos/ASIN/3866456042 Do you have an English (or French) version of the book available?

Cheers,
Yann

"Ulf B. Simon-Weidner" <[EMAIL PROTECTED]> wrote:

Hello Yann,

you're welcome! No, it is not best practice to disable it. The effect you have is only happening if a Site has no DC assigned to it, or if a single DC of a Site is offline for a while. It is important that the Clients are able to look up a DC, and if you disable Automatic Site Coverage and a Site is without a DC for some time, Clients may experience longer logon times, and they might fall back on a DC which is in a site which goes over multiple WAN links.

I'd say best practice is to keep the Automatic Site Coverage active, and check once in a while if there are wrong registrations, which you may delete if the DCs of that Site are back online. They will also dissolve if you enable aging and scavenging.

Also, what some customers are doing is the following: assuming a Star-shaped Network Topology with a Hub-Site where each Branch connects to, they are configuring the DCs of the Hub-Site to register their SRV-Records at the Branch Sites with a lower Priority than default, therefore the Branch-Office Clients will use the Branch-Office DC as long as it's available but fall back to the Hub DCs when the BO-DC is not available.

Greetings - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
Sent: Wednesday, 24 January 2007 11:19
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] Question about DNS SRV registration.

Hello Ulf,

Thanks so much for such explanations! That rocks! 2 interesting points you pointed out to me.

So if I understand, it is good practice, in my case, to disable automatic site coverage? After checking our production, Automatic site coverage is effectively set to disabled (set on the default domain controller policy). So it seems that DCa is still advertising himself as DC in site B. I will look into why the process does not work in our case... :(

We did not configure automatic aging/scavenging; I will also look into this option.

Thanks again,
Yann

"Ulf B. Simon-Weidner" <[EMAIL PROTECTED]> wrote:

Hello Yann,

this is usual and happens because Site B was configured in Active Directory before DC B was there and assigned to that site. Automatic Site Coverage is the process which is taking care of this effect. What it does is make sure that every site in Active Directory has DCs. If a DC detects a site which has no DCs assigned to it, it will try to figure out if he's a close DC (not crossing multiple site-links) and assign himself to that site.

So since Site B was configured and DC A was the only DC in your environment, DC A decided to advertise himself as DC in Site B. However, since DC B exists now, DC A will not refresh those records, and if you have aging and scavenging configured the old records of DC A in Site B will vanish. You can also delete those records if you wish; as long as the records of DC B are registered in Site B you can delete the records of DC A in Site B, however make sure that you are only deleting the SRV-Records underneath the DNS-Subdomains of the Site-specific Records in the Site B DNS-Domains (they look like folders in the DNS Management console).

Greetings - Sincerely,
Ulf B. Simon-Weidner

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
Sent: Tuesday, 23 January 2007 22:28
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question about DNS SRV registration.

Hello all and happy new year :-),

Say:
-> Site A with DCa that is also DNS (integrated to AD).
-> Site B that is a new site. My goal: dcpromo a new DC (DCb) in site B. DCb will also be DNS (integrated to AD).
-> DCa & DCb belong to the same domain (domain.local). My AD is in w2k3 FFL mode.

In order to add the new DCb in the existing domain.com, DCb is dns clie
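As an added example (not part of the thread), the two things Ulf describes above in code: a check that flags site-specific SRV records left behind by Automatic Site Coverage once the site has a DC of its own, and the RFC 2782 priority/weight ordering that makes hub DCs registered with a non-default priority act as fallback only. The SRV answers, the DC-to-site map and the hub DC "DChub" are constructed for the example.

```python
"""Added example: audit site-specific DC SRV records from the thread's scenario.

Ulf's rule: once DC B's records exist in Site B, DC A's coverage records there
may be deleted (or aged out).  Hub DCs registered with a non-default priority
are a deliberate fallback and are left alone (assumption made here).
"""
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed answer for the nslookup in the thread:
#   set type=srv  _ldap._tcp.siteB._sites.domain.local
SAMPLE_SRV = {
    "_ldap._tcp.siteB._sites.domain.local": [
        SrvRecord(0, 100, 389, "DCb.domain.local"),     # the site's own DC
        SrvRecord(0, 100, 389, "DCa.domain.local"),     # left over from site coverage
        SrvRecord(10, 100, 389, "DChub.domain.local"),  # assumed hub DC, deliberate fallback
    ],
}
# Which AD site each DC object really belongs to (constructed).
DC_SITE = {"DCa.domain.local": "siteA", "DCb.domain.local": "siteB",
           "DChub.domain.local": "siteA"}


def site_from_srv_name(name):
    """Return the site label from _<service>._tcp.<site>._sites.<domain>, or None."""
    labels = name.split(".")
    if len(labels) < 4 or labels[1] != "_tcp" or labels[3] != "_sites":
        return None
    return labels[2]


def stale_coverage_records(srv, dc_site):
    """(record name, target) pairs for out-of-site DCs at default priority,
    reported only for sites that already have a DC of their own."""
    stale = []
    for name, records in srv.items():
        site = site_from_srv_name(name)
        if site is None:
            continue
        if not any(dc_site.get(r.target) == site for r in records):
            continue  # no local DC yet: the coverage records are doing their job
        for r in records:
            if dc_site.get(r.target) != site and r.priority == 0:
                stale.append((name, r.target))
    return stale


def _weighted_pick(pool, rng):
    """RFC 2782 selection: random point in [0, sum(weights)], first record
    whose running weight sum reaches it."""
    total = sum(r.weight for r in pool)
    point = rng.randint(0, total)
    running = 0
    for r in pool:
        running += r.weight
        if running >= point:
            return r
    return pool[-1]


def srv_client_order(records, rng=random):
    """Order records as an SRV-aware client would: lowest priority value first,
    weighted random selection without replacement within each priority."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # weight-0 records go first in the pool, as the RFC requires
        pool = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while pool:
            chosen = _weighted_pick(pool, rng)
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


if __name__ == "__main__":
    name = "_ldap._tcp.siteB._sites.domain.local"
    for entry in stale_coverage_records(SAMPLE_SRV, DC_SITE):
        print("stale coverage record:", entry)
    print("client order:", [r.target for r in srv_client_order(SAMPLE_SRV[name])])
    # With the stale DCa record removed and DCb offline, only the hub DC is left:
    print("fallback:", [r.target for r in srv_client_order(SAMPLE_SRV[name][2:])])
```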
RE : RE: RE : RE: [ActiveDir] Question about DNS SRV registration.
Hi Steve,

Never mind :-) We're here to learn from each other, that makes life funnier!

Yann

"Molkentin, Steve" <[EMAIL PROTECTED]> wrote:

Deji, Ulf, All,

Good article - thanks. Also thanks to Ulf - that was a much better solution and much better idea than mine. I do not profess to be a DNS legend, but am continuing to learn...

themolk.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Akomolafe, Deji
Sent: Wednesday, 24 January 2007 8:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: RE : RE: [ActiveDir] Question about DNS SRV registration.

I would not recommend that you do this. Please read the document I referenced in my previous response. Also, see Ulf's brief description/explanation of the behavior that you are seeing. I really recommend that you try to understand what is going on here.

Sincerely,
Deji
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Yann
Sent: Tue 1/23/2007 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] Question about DNS SRV registration.

Steve,

Thanks for the fast reply. My example is a reflection of what I have in real production. So in my production, I have about 15 AD sites and we are in the process of migration (adding more sites). So you mean that I have to create 15 child DNS domains and set the DCs in each site authoritative for their respective child domain? It seems to be a lot of work... but I will follow your direction.

Thanks again,
Yann

"Molkentin, Steve" <[EMAIL PROTECTED]> wrote:

Yann,

Create a child DNS domain for the site containing DCb, and establish DCb as the authoritative server for that domain. If you have resources in Sitea you'll then need to ensure there is a forwarder set up for resolution, etc. Remember that separate DNS domains can exist within the one logical Windows domain. At least I think this would solve your problem...

themolk.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
Sent: Wednesday, 24 January 2007 7:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question about DNS SRV registration.

Hello all and happy new year :-),

Say:
-> Site A with DCa that is also DNS (integrated to AD).
-> Site B that is a new site. My goal: dcpromo a new DC (DCb) in site B. DCb will also be DNS (integrated to AD).
-> DCa & DCb belong to the same domain (domain.local). My AD is in w2k3 FFL mode.

In order to add the new DCb in the existing domain.com, DCb is a DNS client of DCa. When dcpromo is finished, I configured:
- DCb as DNS client for itself
- DCa as secondary DNS server for DCb.

Everything looks good... BUT: when clients in site B ask for all DCs in site B (with the netlogon process), DCb returns DCb and DCa! An nslookup with set type=srv on _ldap._tcp.siteB._sites.domain.local shows the 2 DCs:
-> DCa.domain.local
-> DCb.domain.local

When I search in the DNS console, I find that DCa is still present in site B. I think this is due to the fact that DCb's NIC allows dynamic update and thus dynamically records DCa's SRV records. The only way I found to avoid DCb returning DCa to clients in site B is to delete the SRV records for DCa in DNS (site B).

Question: what is the best practice to avoid DCb returning DCa to clients, and where in the process am I wrong?

Thanks,
Yann
RE : RE: [ActiveDir] Question about DNS SRV registration.
Hi Deji,

Good article with lots of useful information.

Thanks again,
Yann

"Akomolafe, Deji" <[EMAIL PROTECTED]> wrote:

Read http://www.netpro.com/forum/files/authentication_topology.pdf

Sincerely,
Deji
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Yann
Sent: Tue 1/23/2007 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question about DNS SRV registration.

Hello all and happy new year :-),

Say:
-> Site A with DCa that is also DNS (integrated to AD).
-> Site B that is a new site. My goal: dcpromo a new DC (DCb) in site B. DCb will also be DNS (integrated to AD).
-> DCa & DCb belong to the same domain (domain.local). My AD is in w2k3 FFL mode.

In order to add the new DCb in the existing domain.com, DCb is a DNS client of DCa. When dcpromo is finished, I configured:
- DCb as DNS client for itself
- DCa as secondary DNS server for DCb.

Everything looks good... BUT: when clients in site B ask for all DCs in site B (with the netlogon process), DCb returns DCb and DCa! An nslookup with set type=srv on _ldap._tcp.siteB._sites.domain.local shows the 2 DCs:
-> DCa.domain.local
-> DCb.domain.local

When I search in the DNS console, I find that DCa is still present in site B. I think this is due to the fact that DCb's NIC allows dynamic update and thus dynamically records DCa's SRV records. The only way I found to avoid DCb returning DCa to clients in site B is to delete the SRV records for DCa in DNS (site B).

Question: what is the best practice to avoid DCb returning DCa to clients, and where in the process am I wrong?

Thanks,
Yann
RE : RE: [ActiveDir] Question about DNS SRV registration.
Hello Ulf,

Thanks so much for such explanations! That rocks! 2 interesting points you pointed out to me.

So if I understand, it is good practice, in my case, to disable automatic site coverage? After checking our production, Automatic site coverage is effectively set to disabled (set on the default domain controller policy). So it seems that DCa is still advertising himself as DC in site B. I will look into why the process does not work in our case... :(

We did not configure automatic aging/scavenging; I will also look into this option.

Thanks again,
Yann

"Ulf B. Simon-Weidner" <[EMAIL PROTECTED]> wrote:

Hello Yann,

this is usual and happens because Site B was configured in Active Directory before DC B was there and assigned to that site. Automatic Site Coverage is the process which is taking care of this effect. What it does is make sure that every site in Active Directory has DCs. If a DC detects a site which has no DCs assigned to it, it will try to figure out if he's a close DC (not crossing multiple site-links) and assign himself to that site.

So since Site B was configured and DC A was the only DC in your environment, DC A decided to advertise himself as DC in Site B. However, since DC B exists now, DC A will not refresh those records, and if you have aging and scavenging configured the old records of DC A in Site B will vanish. You can also delete those records if you wish; as long as the records of DC B are registered in Site B you can delete the records of DC A in Site B, however make sure that you are only deleting the SRV-Records underneath the DNS-Subdomains of the Site-specific Records in the Site B DNS-Domains (they look like folders in the DNS Management console).

Greetings - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
Sent: Tuesday, 23 January 2007 22:28
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question about DNS SRV registration.

Hello all and happy new year :-),

Say:
-> Site A with DCa that is also DNS (integrated to AD).
-> Site B that is a new site. My goal: dcpromo a new DC (DCb) in site B. DCb will also be DNS (integrated to AD).
-> DCa & DCb belong to the same domain (domain.local). My AD is in w2k3 FFL mode.

In order to add the new DCb in the existing domain.com, DCb is a DNS client of DCa. When dcpromo is finished, I configured:
- DCb as DNS client for itself
- DCa as secondary DNS server for DCb.

Everything looks good... BUT: when clients in site B ask for all DCs in site B (with the netlogon process), DCb returns DCb and DCa! An nslookup with set type=srv on _ldap._tcp.siteB._sites.domain.local shows the 2 DCs:
-> DCa.domain.local
-> DCb.domain.local

When I search in the DNS console, I find that DCa is still present in site B. I think this is due to the fact that DCb's NIC allows dynamic update and thus dynamically records DCa's SRV records. The only way I found to avoid DCb returning DCa to clients in site B is to delete the SRV records for DCa in DNS (site B).

Question: what is the best practice to avoid DCb returning DCa to clients, and where in the process am I wrong?

Thanks,
Yann
RE : RE: [ActiveDir] Question about DNS SRV registration.
Steve,

Thanks for the fast reply. My example is a reflection of what I have in real production. So in my production, I have about 15 AD sites and we are in the process of migration (adding more sites). So you mean that I have to create 15 child DNS domains and set the DCs in each site authoritative for their respective child domain? It seems to be a lot of work... but I will follow your direction.

Thanks again,
Yann

"Molkentin, Steve" <[EMAIL PROTECTED]> wrote:

Yann,

Create a child DNS domain for the site containing DCb, and establish DCb as the authoritative server for that domain. If you have resources in Sitea you'll then need to ensure there is a forwarder set up for resolution, etc. Remember that separate DNS domains can exist within the one logical Windows domain. At least I think this would solve your problem...

themolk.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
Sent: Wednesday, 24 January 2007 7:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question about DNS SRV registration.

Hello all and happy new year :-),

Say:
-> Site A with DCa that is also DNS (integrated to AD).
-> Site B that is a new site. My goal: dcpromo a new DC (DCb) in site B. DCb will also be DNS (integrated to AD).
-> DCa & DCb belong to the same domain (domain.local). My AD is in w2k3 FFL mode.

In order to add the new DCb in the existing domain.com, DCb is a DNS client of DCa. When dcpromo is finished, I configured:
- DCb as DNS client for itself
- DCa as secondary DNS server for DCb.

Everything looks good... BUT: when clients in site B ask for all DCs in site B (with the netlogon process), DCb returns DCb and DCa! An nslookup with set type=srv on _ldap._tcp.siteB._sites.domain.local shows the 2 DCs:
-> DCa.domain.local
-> DCb.domain.local

When I search in the DNS console, I find that DCa is still present in site B. I think this is due to the fact that DCb's NIC allows dynamic update and thus dynamically records DCa's SRV records. The only way I found to avoid DCb returning DCa to clients in site B is to delete the SRV records for DCa in DNS (site B).

Question: what is the best practice to avoid DCb returning DCa to clients, and where in the process am I wrong?

Thanks,
Yann
[ActiveDir] Question about DNS SRV registration.
Hello all and happy new year :-),

Say:
-> Site A with DCa that is also DNS (integrated to AD).
-> Site B that is a new site. My goal: dcpromo a new DC (DCb) in site B. DCb will also be DNS (integrated to AD).
-> DCa & DCb belong to the same domain (domain.local). My AD is in w2k3 FFL mode.

In order to add the new DCb in the existing domain.com, DCb is a DNS client of DCa. When dcpromo is finished, I configured:
- DCb as DNS client for itself
- DCa as secondary DNS server for DCb.

Everything looks good... BUT: when clients in site B ask for all DCs in site B (with the netlogon process), DCb returns DCb and DCa! An nslookup with set type=srv on _ldap._tcp.siteB._sites.domain.local shows the 2 DCs:
-> DCa.domain.local
-> DCb.domain.local

When I search in the DNS console, I find that DCa is still present in site B. I think this is due to the fact that DCb's NIC allows dynamic update and thus dynamically records DCa's SRV records. The only way I found to avoid DCb returning DCa to clients in site B is to delete the SRV records for DCa in DNS (site B).

Question: what is the best practice to avoid DCb returning DCa to clients, and where in the process am I wrong?

Thanks,
Yann
RE : RE: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.
Ben,

Thank you also for your help; the page you pointed me to has useful info. :)

Cheers,
Yann

"WATSON, BEN" <[EMAIL PROTECTED]> wrote:

Hi Yann,

I was reading this over the weekend, and perhaps this might provide enough relevant info for you to find what you are looking for.
http://blog.joeware.net/2007/01/06/756/

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
Sent: Monday, January 08, 2007 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.

Hello,

I'd like to dump the msExchMailboxSecurityDescriptor attribute of a user object into a readable format. It seems that the value is in binary blob format. Is there a way to do this?

Thanks,
Yann
RE : Re: [ActiveDir] Moving ADC
Hi,

I don't know if I get it all, but if I summarize: you have a DC, say DCold, that also has the Active Directory Connector (ADC) that points to a 5.5 BH server. You want to decommission it to a member server and promote a new one to a new DC, say DCnew. Right?

-> On DCold that has the ADC, move all Connection Agreements (CA) to another ADC server, then decommission DCold.
-> Or if you have no other ADC server, just decommission DCold, *BUT* be careful to verify that no CAs point to DCold before.

Yann

dinesh shinde <[EMAIL PROTECTED]> wrote:

My Question was:

I have a mixed mode environment in my setup with 28 Child Domains at remote locations having Additional DCs, and I am planning to move my DC to an Additional Domain Controller, making it a DC, because of new Hardware we have received. We can move the Roles to the new server, but the old one also has the Active Directory Connector to our Bridgehead server (Exchange 5.5). So what needs to be done to decommission the old DC and make the new DC have the AD Controller?

Thanks & Regds.
Dinesh

From: AdamT
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving ADC
Date: Mon, 8 Jan 2007 20:25:18 +

On 08/01/07, dinesh shinde wrote:
> Hello Can someone help me on the below issue?

I don't mean to come across as being awkward, but I found it difficult to understand what it is you're trying to do. Could you perhaps rephrase it a little?

Regards,
--
AdamT

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
RE : RE: RE: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.
That's it!!! :-) I did not think to update to the new release of AdFind, and that works perfectly.

Many thanks Joe!
Yann

joe <[EMAIL PROTECTED]> wrote:

What is the version? The current version of AdFind that is publicly available is V01.35.00. The -resolvesids option made it into AdFind around V01.31.00 or so, which was a year ago. Plus, if you really want something readable you likely want -sddl++

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
Sent: Tuesday, January 09, 2007 5:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.

Oh, thanks Joe! The command

adfind -b "DN_OU" -f msExchMailboxSecurityDescriptor=* msExchMailboxSecurityDescriptor -sddl -adcsv

works fine. But when I add -resolvesids, as in

adfind -b "DN_MyOU" -f msExchMailboxSecurityDescriptor=* msExchMailboxSecurityDescriptor -sddl -resolvesids -adcsv

it shows an error:

ERROR: Bad Command Line Arg(s)
ERROR: resolvesids

Thanks,
Yann

joe <[EMAIL PROTECTED]> wrote:

Yes, it is a binary octet string; it is a normal security descriptor and can be manipulated like you would manipulate security descriptors in compiled apps normally. If you are scripting, then use AdFind to dump the attribute with the -sddl+ or -sddl++ switches, and if you want the SIDs and SDDL-encoded secprins decoded use -resolvesids.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
Sent: Monday, January 08, 2007 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.

Hello,

I'd like to dump the msExchMailboxSecurityDescriptor attribute of a user object into a readable format. It seems that the value is in binary blob format. Is there a way to do this?

Thanks,
Yann
RE : RE: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.
Oh, thanks Joe! The command

adfind -b "DN_OU" -f msExchMailboxSecurityDescriptor=* msExchMailboxSecurityDescriptor -sddl -adcsv

works fine. But when I add -resolvesids, as in

adfind -b "DN_MyOU" -f msExchMailboxSecurityDescriptor=* msExchMailboxSecurityDescriptor -sddl -resolvesids -adcsv

it shows an error:

ERROR: Bad Command Line Arg(s)
ERROR: resolvesids

Thanks,
Yann

joe <[EMAIL PROTECTED]> wrote:

Yes, it is a binary octet string; it is a normal security descriptor and can be manipulated like you would manipulate security descriptors in compiled apps normally. If you are scripting, then use AdFind to dump the attribute with the -sddl+ or -sddl++ switches, and if you want the SIDs and SDDL-encoded secprins decoded use -resolvesids.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
Sent: Monday, January 08, 2007 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.

Hello,

I'd like to dump the msExchMailboxSecurityDescriptor attribute of a user object into a readable format. It seems that the value is in binary blob format. Is there a way to do this?

Thanks,
Yann
[ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.
Hello,

I'd like to dump the msExchMailboxSecurityDescriptor attribute of a user object into readable format. It seems that the value is in binary blob format. Is there a way to do this?

Thanks,
Yann
RE : Re: RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.
Yes, definitively ;o)

Thanks again!

Cheers,
Yann

Paul Williams <[EMAIL PROTECTED]> wrote:

No. Not quite. No cleanup happens whatsoever. Even when the ACEs are in the AD they aren't cleaned up. The LSA was mentioned to try and highlight the expense and difficulty of such a cleanup operation. The fact of the matter is that regardless of the securable object, its ACE is managed locally and no cross-checking is done against a DC and a DC certainly doesn't look for stale ACEs when an object is deleted.

Hope this clarifies the point.

--Paul

- Original Message -
From: Yann
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 04, 2007 3:54 PM
Subject: RE : RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.

Hi,

After rereading posts, it now makes sense to me that the ACEs are managed by the local LSA, and not by AD LSA. So now if I consider that a group or user is deleted from AD and that object is set on an AD object's ACLs (not share or NTFS permission), that object will definitively disappear with no SID remaining in the ACLs, because the update is done by the "local LSA" (DC) where the deletion occurs, that is to say AD itself...

Yann

joe <[EMAIL PROTECTED]> wrote:

Not sure why this surprises you. The ACLs are not maintained by AD nor the SAM where the user accounts exist which means you either get to poll or put some form of notification system in process. Consider also the case of trusted security principals, systems don't get a notification when a trusted system deletes a security principal.

Here are just a couple of the bad things that could happen if the machines were responsible for cleaning up those SIDs:

1. Overhead. Do you know the sheer number of Security Descriptors that are on any given system? You are just thinking of file Security Descriptors but there are Security Descriptors on many many different securable objects. I have published the list of items I at least know about to this list on a couple of occasions and the different types of objects alone is double digits let alone the actual instances of those objects. Consider a file system with hundreds of thousands or millions of Security Descriptors with really long ACL chains. You could have a scavenger thread running 24x7 in idle mode (you wouldn't want it higher as it would eat up CPU and that would be a different complaint) just constantly walking the ACLs and verifying them.

2. Mistakes. Since we don't have a change notification capability for deleted security principals, and quite honestly you wouldn't (could you imagine 300,000 machines registering with every domain in your forest for change notifications of security principal changes) so that leaves polling and let's say you have a temporary network glitch that makes a SID unresolvable to a friendly name... Do you then just start stripping the SIDs from the ACLs because a name can't be resolved once, twice, three times? What about when an account gets undeleted or restored because it was accidentally deleted for an hour?

I can think of even more bad things but don't have the time to write about them. If you want to, think through how you would build an application to do what you are suggesting. It is always a good thought exercise before being surprised at what MSFT has done. Keep in mind they are a collection of really bright programmers that often have to work in committee, they aren't necessarily miracle workers. Could this be done? Maybe. I think I could visualize mechanisms to possibly help here but would really have to think it through even more than I have and I have thought a lot about things like this... But it would take serious rework with how security is implemented on Windows and I would be quite fearful of the scaling capabilities.

The Windows security system is difficult to work with and can be quite a pain but it is extremely flexible and powerful at the same time. I have started and stopped several times to write all inclusive security tracking tools, it is a big big deal and if done wrong will really make someone have a bad day.

As someone else mentioned, use groups. Don't use users. When you go to delete a group, make it a point to clean up where that group has been used. If you don't know where it has been used, that is a process issue and one of the reasons why I am not a fan of universal and global groups because the scope of use is huge.

Alternately write your own tools to scan all of the various ACLs looking for unresolvable SIDs and clean them up, but I would be shy on how aggressive you are with the cleanup. You can easily screw yourself up.

joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE : RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.
Hi,

After rereading posts, it now makes sense to me that the ACEs are managed by the local LSA, and not by AD LSA. So now if I consider that a group or user is deleted from AD and that object is set on an AD object's ACLs (not share or NTFS permission), that object will definitively disappear with no SID remaining in the ACLs, because the update is done by the "local LSA" (DC) where the deletion occurs, that is to say AD itself...

Yann

joe <[EMAIL PROTECTED]> wrote:

Not sure why this surprises you. The ACLs are not maintained by AD nor the SAM where the user accounts exist which means you either get to poll or put some form of notification system in process. Consider also the case of trusted security principals, systems don't get a notification when a trusted system deletes a security principal.

Here are just a couple of the bad things that could happen if the machines were responsible for cleaning up those SIDs:

1. Overhead. Do you know the sheer number of Security Descriptors that are on any given system? You are just thinking of file Security Descriptors but there are Security Descriptors on many many different securable objects. I have published the list of items I at least know about to this list on a couple of occasions and the different types of objects alone is double digits let alone the actual instances of those objects. Consider a file system with hundreds of thousands or millions of Security Descriptors with really long ACL chains. You could have a scavenger thread running 24x7 in idle mode (you wouldn't want it higher as it would eat up CPU and that would be a different complaint) just constantly walking the ACLs and verifying them.

2. Mistakes. Since we don't have a change notification capability for deleted security principals, and quite honestly you wouldn't (could you imagine 300,000 machines registering with every domain in your forest for change notifications of security principal changes) so that leaves polling and let's say you have a temporary network glitch that makes a SID unresolvable to a friendly name... Do you then just start stripping the SIDs from the ACLs because a name can't be resolved once, twice, three times? What about when an account gets undeleted or restored because it was accidentally deleted for an hour?

I can think of even more bad things but don't have the time to write about them. If you want to, think through how you would build an application to do what you are suggesting. It is always a good thought exercise before being surprised at what MSFT has done. Keep in mind they are a collection of really bright programmers that often have to work in committee, they aren't necessarily miracle workers. Could this be done? Maybe. I think I could visualize mechanisms to possibly help here but would really have to think it through even more than I have and I have thought a lot about things like this... But it would take serious rework with how security is implemented on Windows and I would be quite fearful of the scaling capabilities.

The Windows security system is difficult to work with and can be quite a pain but it is extremely flexible and powerful at the same time. I have started and stopped several times to write all inclusive security tracking tools, it is a big big deal and if done wrong will really make someone have a bad day.

As someone else mentioned, use groups. Don't use users. When you go to delete a group, make it a point to clean up where that group has been used. If you don't know where it has been used, that is a process issue and one of the reasons why I am not a fan of universal and global groups because the scope of use is huge.

Alternately write your own tools to scan all of the various ACLs looking for unresolvable SIDs and clean them up, but I would be shy on how aggressive you are with the cleanup. You can easily screw yourself up.

joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Thursday, January 04, 2007 5:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] SID Deleted users remains in NTS permission.

Thanks for replying. You say that it is normal that the SID still remains in file & directory ACLs after the deletion of the corresponding group?? I always thought that SIDs *HAVE TO* disappear dynamically from all existing ACLs set on a file server. I'm a bit surprised that the system (AD<->file server) leaves this dirty SID and that there is no synchronisation that updates the "link" between the AD object and the ACE. What is the reason? Could this behavior be altered? I'd like sid disappears after
RE : RE: RE : RE: [ActiveDir] SID Deleted users remains in NTS permission.
Ok, interesting thing you point out. So in the case of restoring the deleted group, there will also be no automated service that reconciles the SID in AD with those used to ACL the file system? Today, I discovered something I thought I mastered... :)

Thanks all for clarification on this subject.

Robert Bobel <[EMAIL PROTECTED]> wrote:

The issue is that there is no automated service in AD/Windows that reconciles the SIDs in AD with those used to ACL the file system; and AD ACLs are separate and disconnected from the OS ACLs. Imagine deleting a group or user that had permissions on hundreds of computers around your network: the OS on each box would have to *know* that the user or group was deleted then scan itself for obsolete SIDs or alternatively some service on the DC could contact each server to scan it for obsolete SIDs. As Deji correctly pointed out this is another example of why you should use groups to do your permissioning... it is also one of the reasons why many administrators choose to disable user accounts rather than just delete them when they become obsolete.

Bob

From: [EMAIL PROTECTED] on behalf of Yann
Sent: Thu 1/4/2007 5:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] SID Deleted users remains in NTS permission.

Thanks for replying. You say that it is normal that the SID still remains in file & directory ACLs after the deletion of the corresponding group?? I always thought that SIDs *HAVE TO* disappear dynamically from all existing ACLs set on a file server. I'm a bit surprised that the system (AD<->file server) leaves this dirty SID and that there is no synchronisation that updates the "link" between the AD object and the ACE. What is the reason? Could this behavior be altered? I'd like the SID to disappear after deletion of the corresponding group in AD in order to not have these dirty SIDs...

Thanks.
Yann

"Akomolafe, Deji" <[EMAIL PROTECTED]> wrote:

It's "normal". You should be permissioning your resources with groups instead of directly with user accounts. Groups tend to last longer, so you don't have to deal with the horrible SIDs.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Yann
Sent: Thu 1/4/2007 1:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SID Deleted users remains in NTS permission.

Hello all & Happy new year! :)

AD 2k3 SP1 in FFL mode. When I delete a user or group from AD, and these objects have NTFS permissions, I usually see their SIDs remaining in those file & directory ACLs. Is this normal? If not, what could be the reason(s) & how to investigate this issue?

Thanks,
Yann
RE : RE: [ActiveDir] SID Deleted users remains in NTS permission.
Thanks for replying. You say that it is normal that the SID still remains in file & directory ACLs after the deletion of the corresponding group?? I always thought that SIDs *HAVE TO* disappear dynamically from all existing ACLs set on a file server. I'm a bit surprised that the system (AD<->file server) leaves this dirty SID and that there is no synchronisation that updates the "link" between the AD object and the ACE. What is the reason? Could this behavior be altered? I'd like the SID to disappear after deletion of the corresponding group in AD in order to not have these dirty SIDs...

Thanks.
Yann

"Akomolafe, Deji" <[EMAIL PROTECTED]> wrote:

It's "normal". You should be permissioning your resources with groups instead of directly with user accounts. Groups tend to last longer, so you don't have to deal with the horrible SIDs.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Yann
Sent: Thu 1/4/2007 1:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SID Deleted users remains in NTS permission.

Hello all & Happy new year! :)

AD 2k3 SP1 in FFL mode. When I delete a user or group from AD, and these objects have NTFS permissions, I usually see their SIDs remaining in those file & directory ACLs. Is this normal? If not, what could be the reason(s) & how to investigate this issue?

Thanks,
Yann
[ActiveDir] SID Deleted users remains in NTS permission.
Hello all & Happy new year! :)

AD 2k3 SP1 in FFL mode. When I delete a user or group from AD, and these objects have NTFS permissions, I usually see their SIDs remaining in those file & directory ACLs. Is this normal? If not, what could be the reason(s) & how to investigate this issue?

Thanks,
Yann
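As an added example (not code from the thread, from adfind or from Windows), the Python below decodes a self-relative security descriptor of the kind joe describes in the msExchMailboxSecurityDescriptor thread above (the same binary format adfind dumps with -sddl), renders it in SDDL style, and then reports the ACEs whose SID a resolver can no longer name, which is the "dirty SID" situation this thread is about. The descriptor bytes, the domain identifier and the SID-to-name table are constructed for the example; the control bits, access masks and well-known SID aliases are the standard Windows values.

```python
import struct

# Control bits, ACE types, ACE flags and SDDL SID aliases handled here (values as Windows defines them)
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACE_TYPE_TO_SDDL = {0x00: "A", 0x01: "D"}                      # access-allowed, access-denied
ACE_FLAG_TO_SDDL = [(0x01, "OI"), (0x02, "CI"), (0x04, "NP"), (0x08, "IO"), (0x10, "ID")]
SDDL_SID_ALIASES = {"S-1-1-0": "WD", "S-1-5-18": "SY", "S-1-5-32-544": "BA"}

def build_sid(authority, subauthorities):
    """Encode a SID: revision 1, sub-authority count, 6-byte big-endian authority, LE sub-authorities."""
    return (bytes([1, len(subauthorities)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subauthorities))

def parse_sid(buf, offset):
    """Decode the SID at offset; return (S-1-... string, encoded length in bytes)."""
    revision, count = buf[offset], buf[offset + 1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, offset + 8)
    return "-".join(["S-1-%d" % authority] + [str(s) for s in subs]), 8 + 4 * count

def build_acl(aces):
    """Encode a DACL from (ace_type, ace_flags, access_mask, sid_bytes) tuples."""
    body = b"".join(struct.pack("<BBHI", t, f, 8 + len(sid), mask) + sid for t, f, mask, sid in aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body

def build_self_relative_sd(owner, group, dacl):
    """Lay out a self-relative descriptor: 20-byte header, then owner SID, group SID, DACL (no SACL)."""
    off_owner, off_group = 20, 20 + len(owner)
    off_dacl = off_group + len(group)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, off_group, 0, off_dacl)
    return header + owner + group + dacl

def parse_security_descriptor(blob):
    """Walk the self-relative layout and return owner, group and the DACL's ACEs."""
    revision, _, control, off_owner, off_group, _, off_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    sd = {"owner": parse_sid(blob, off_owner)[0] if off_owner else None,
          "group": parse_sid(blob, off_group)[0] if off_group else None, "dacl": None}
    if control & SE_DACL_PRESENT and off_dacl:
        ace_count = struct.unpack_from("<BBHHH", blob, off_dacl)[3]
        pos, aces = off_dacl + 8, []
        for _ in range(ace_count):
            ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", blob, pos)
            if ace_type not in ACE_TYPE_TO_SDDL:
                raise ValueError("ACE type 0x%02x not handled by this example" % ace_type)
            mask = struct.unpack_from("<I", blob, pos + 4)[0]
            aces.append({"type": ace_type, "flags": ace_flags, "mask": mask,
                         "sid": parse_sid(blob, pos + 8)[0]})
            pos += ace_size                              # AceSize also skips any trailing padding
        sd["dacl"] = aces
    return sd

def to_sddl(sd):
    """Render the parsed descriptor in SDDL form, aliasing well-known SIDs as a -sddl dump would."""
    def alias(sid):
        return SDDL_SID_ALIASES.get(sid, sid)
    out = ("O:" + alias(sd["owner"]) if sd["owner"] else "") + ("G:" + alias(sd["group"]) if sd["group"] else "")
    if sd["dacl"] is not None:
        out += "D:" + "".join(
            "(%s;%s;0x%08x;;;%s)" % (ACE_TYPE_TO_SDDL[a["type"]],
                                     "".join(tag for bit, tag in ACE_FLAG_TO_SDDL if a["flags"] & bit),
                                     a["mask"], alias(a["sid"]))
            for a in sd["dacl"])
    return out

def find_unresolvable_aces(sd, resolve):
    """Report ACE SIDs the resolver cannot name (the 'dirty SIDs' this thread discusses).
    Report only: the thread warns against stripping an ACE because one lookup failed."""
    return [a["sid"] for a in sd["dacl"] or [] if resolve(a["sid"]) is None]

# Constructed sample (not a real domain): a descriptor with one ACE for a group since deleted from AD.
NT_AUTHORITY = 5
DOMAIN = [21, 1111, 2222, 3333]                      # constructed domain identifier
SID_SYSTEM = build_sid(NT_AUTHORITY, [18])
SID_ADMINS = build_sid(NT_AUTHORITY, [32, 544])
SID_USER = build_sid(NT_AUTHORITY, DOMAIN + [1105])
SID_DELETED = build_sid(NT_AUTHORITY, DOMAIN + [1106])
GENERIC_READ, GENERIC_ALL = 0x80000000, 0x10000000
SAMPLE_SD = build_self_relative_sd(SID_SYSTEM, SID_ADMINS, build_acl([
    (0x00, 0x00, GENERIC_ALL, SID_SYSTEM),
    (0x00, 0x00, GENERIC_READ, SID_USER),
    (0x00, 0x00, GENERIC_ALL, SID_DELETED),
]))

# Constructed stand-in for SID-to-name lookup (what -resolvesids does against the domain);
# the deleted group's SID is no longer in it, so its ACE is reported.
KNOWN_SIDS = {"S-1-5-18": "NT AUTHORITY\\SYSTEM", "S-1-5-32-544": "BUILTIN\\Administrators",
              "S-1-5-21-1111-2222-3333-1105": "EXAMPLE\\yann"}
resolve_sid = KNOWN_SIDS.get

if __name__ == "__main__":
    parsed = parse_security_descriptor(SAMPLE_SD)
    print(to_sddl(parsed))
    print("unresolvable:", find_unresolvable_aces(parsed, resolve_sid))
```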
[ActiveDir] Adcheck from NetIQ.
Hello all,

For those who use the monitoring tool for AD "Adcheck", I have a little question: when testing a "Show DC status" on a DC, I always have this error:

"Replication error detected the remote system is unvalabile..(For diagnostic purposes, the error number is= 1256 )"

But when doing a dcdiag /c /v /d and netdiag /v, I have no errors generated concerning any RPC/LDAP issues...

Any ideas?

Thank you,
Yann
[ActiveDir] get information with wmic
Hello,

I was trying to use wmic to get this information from a list of DCs: Name (of DC), TotalPhysicalMemory, InitialSize of pagefile, MaximumSize of pagefile, on one line or in an Excel file.

I use this:

wmic PAGEFILESET list writeable

which lists the values of InitialSize, MaximumSize, Name, and

wmic COMPUTERSYSTEM get name,TotalPhysicalMemory

which lists the values of Name, TotalPhysicalMemory.

But how to concatenate the 2 command lines in order to have on one line the values of: Name TotalPhysicalMemory InitialSize MaximumSize Name

Thanks for input,
Yann
RE : RE: [ActiveDir] Need some advices....
Interesting thing about tombstone lifetime depending on version of AD. For my information, do you know why MS reverted the tombstone lifetime from 180 days in AD 2003 to 60 days in ADR2?

Thanks,
Yann

--- Brian Desmond <[EMAIL PROTECTED]> wrote:

> If the domain was created in Windows 2000 or 2003 R2, you've got 60 days to fix it, 2003 domains you have 180 days. This is assuming you haven't tweaked the tombstone lifetime. 4 hours is nothing. :)
>
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
> c - 312.731.3132
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
> Sent: Wednesday, October 25, 2006 10:23 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Need some advices
>
> Hello all ;)
>
> Due to a network outage that is scheduled for 4 hours on an Active Directory site, I'd like to leave our DCs up without shutting them down.
>
> Question:
> Could I leave all my DCs up despite them not being able to communicate with each other for 4 hours? Will that cause any issues (repl, auth, etc..)? Or do I have to shut them down and then reboot them when the network is back up?
>
> Thanks for advices.
>
> Cheers,
> Yann

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE : RE: [ActiveDir] Need some advices....
Ben and Vinnie,

Thanks for your answers, I'm confident now :)

Have a nice day,
Yann

"WATSON, BEN" <[EMAIL PROTECTED]> wrote:

There shouldn't be any reason why this would cause any issues.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Wednesday, October 25, 2006 7:23 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Need some advices

Hello all ;)

Due to a network outage that is scheduled for 4 hours on an Active Directory site, I'd like to leave our DCs up without shutting them down.

Question:
Could I leave all my DCs up despite them not being able to communicate with each other for 4 hours? Will that cause any issues (repl, auth, etc..)? Or do I have to shut them down and then reboot them when the network is back up?

Thanks for advices.

Cheers,
Yann
[ActiveDir] Need some advices....
Hello all ;)

Due to a network outage that is scheduled for 4 hours on an Active Directory site, I'd like to leave our DCs up without shutting them down.

Question:
Could I leave all my DCs up despite them not being able to communicate with each other for 4 hours? Will that cause any issues (repl, auth, etc..)? Or do I have to shut them down and then reboot them when the network is back up?

Thanks for advices.

Cheers,
Yann
RE : [ActiveDir] Planning for Active Directory Forest Recovery
Great! Thanks for the info Mark :)

Yann

--- Mark Parris <[EMAIL PROTECTED]> wrote:

> A new Microsoft Document.
>
> Planning for Active Directory Forest Recovery
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=afe436fa-8e8a-443a-9027-c522dee35d85&DisplayLang=en
>
> Regards,
>
> Mark Parris
> Base IT Ltd
> Active Directory Consultancy
> Tel +44(0)7801 690596

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE : Re: [ActiveDir] finding users that password never expire.
Thanks Paul. That works great :)

Yann

Paul Williams <[EMAIL PROTECTED]> wrote:

Perform an AND query. In ADFIND, this looks like this:

adfind -default -bit -f "&(objectCategory=person)(userAccountControl:AND:=65536)" cn

If you want to use ADUC, or something else, you'll need to use this:

(&(objectCategory=person)(useraccountcontrol:1.2.840.113556.1.4.803:=65536))

--Paul

- Original Message -
From: Yann
To: ActiveDir@mail.activedir.org
Sent: Monday, October 09, 2006 4:43 PM
Subject: [ActiveDir] finding users that password never expire.

Hello all,

I had to dump from AD all users whose password never expires. I used the saved queries with this custom LDAP query:

useraccountcontrol=66048

which corresponds to the NORMAL_ACCOUNT & DONT_EXPIRE_PASSWORD property flags. BUT I found that this search was not complete, because some users have other property flags such as UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD or UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED ... :(

So the question is: how to search for user accounts that have at least the DONT_EXPIRE_PASSWORD property flag set in their useraccountcontrol? Is there a way to do it with a custom LDAP query?

Thanks,
Yann
RE : RE: [ActiveDir] finding users that password never expire.
Yes! Thanks, that works so well!! :o)

But many questions I have... What is the difference between the query "userAccountControl=65536" and "(userAccountControl:1.2.840.113556.1.4.803:=65536)"? Why couldn't I find any results with my first query? And how do you construct the ":1.2.840.113556.1.4.803:" part of the LDAP query??

Thanks for your answer :)
Yann

"Almeida Pinto, Jorge de" <[EMAIL PROTECTED]> wrote:

To search for accounts that HAVE the option "DONT_EXPIRE_PASSWORD" enabled:

ADFIND -bit -default -f "(&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=65536))"

and to use it with a saved query use as the LDAP filter:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

With joe's ADFIND you can just specify AND or OR without the need to know the OID. OR is by the way: 1.2.840.113556.1.4.804

For the other values see: MS-KBQ305144_How to Use the UserAccountControl Flags to Manipulate User Account Properties

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Monday, October 09, 2006 17:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding users that password never expire.

Hello all,

I had to dump from AD all users whose password never expires. I used the saved queries with this custom LDAP query:

useraccountcontrol=66048

which corresponds to the NORMAL_ACCOUNT & DONT_EXPIRE_PASSWORD property flags. BUT I found that this search was not complete, because some users have other property flags such as UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD or UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED ... :(

So the question is: how to search for user accounts that have at least the DONT_EXPIRE_PASSWORD property flag set in their useraccountcontrol? Is there a way to do it with a custom LDAP query?

Thanks,
Yann
[ActiveDir] finding users that password never expire.
Hello all,

I had to dump from AD all users whose password never expires. I used the saved queries with this custom LDAP query:

useraccountcontrol=66048

which corresponds to the NORMAL_ACCOUNT & DONT_EXPIRE_PASSWORD property flags. BUT I found that this search was not complete, because some users have other property flags such as UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD or UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED ... :(

So the question is: how to search for user accounts that have at least the DONT_EXPIRE_PASSWORD property flag set in their useraccountcontrol? Is there a way to do it with a custom LDAP query?

Thanks,
Yann
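As an added example (not from the thread, from ADFIND or from any directory), the Python below evaluates the two kinds of userAccountControl assertion that the replies from Paul and Jorge contrast: plain equality, and the extensible-match rules 1.2.840.113556.1.4.803 (bitwise AND) and 1.2.840.113556.1.4.804 (bitwise OR). It runs them over constructed sample accounts carrying the flag combinations the question lists; the flag values are Microsoft's, the account records are made up.

```python
import re

# userAccountControl flag values as Microsoft defines them (the ones the thread names)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_NOT_DELEGATED = 0x100000
UAC_FLAGS = {"UF_ACCOUNTDISABLE": UF_ACCOUNTDISABLE, "UF_NORMAL_ACCOUNT": UF_NORMAL_ACCOUNT,
             "UF_DONT_EXPIRE_PASSWD": UF_DONT_EXPIRE_PASSWD, "UF_NOT_DELEGATED": UF_NOT_DELEGATED}

# Extensible-match rule OIDs from the thread: bitwise AND and bitwise OR
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# One userAccountControl assertion: "(userAccountControl=<int>)" or "(userAccountControl:<OID>:=<int>)"
ASSERTION_RE = re.compile(r"^\(userAccountControl(?::([\d.]+):)?=(\d+)\)$", re.IGNORECASE)

def describe_flags(uac):
    """Name the known flags set in a userAccountControl value (66048 is NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD)."""
    return [name for name, bit in UAC_FLAGS.items() if uac & bit]

def uac_predicate(assertion):
    """Turn one assertion into a predicate over an integer userAccountControl.
    Plain '=' is integer equality, which is why 65536 on its own finds nothing: a normal user
    account always carries UF_NORMAL_ACCOUNT (512) too, so its value is never exactly 65536."""
    m = ASSERTION_RE.match(assertion)
    if not m:
        raise ValueError("unsupported assertion: %s" % assertion)
    rule, value = m.group(1), int(m.group(2))
    if rule is None:
        return lambda uac: uac == value
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return lambda uac: uac & value == value      # every bit in value must be set
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return lambda uac: uac & value != 0          # any bit in value is enough
    raise ValueError("unknown matching rule OID: %s" % rule)

def search(accounts, assertion):
    """Apply the assertion to the sample accounts and return the matching cn values."""
    matches = uac_predicate(assertion)
    return [a["cn"] for a in accounts if matches(a["userAccountControl"])]

def dont_expire_filter():
    """The filter the replies recommend for 'at least DONT_EXPIRE_PASSWD set', spelled with the AND rule OID."""
    return ("(&(objectCategory=person)(objectClass=user)(userAccountControl:%s:=%d))"
            % (LDAP_MATCHING_RULE_BIT_AND, UF_DONT_EXPIRE_PASSWD))

# Constructed sample accounts mirroring the flag combinations the question lists (not real directory data)
SAMPLE_ACCOUNTS = [
    {"cn": "alice", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},             # 66048
    {"cn": "bob", "userAccountControl": UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},
    {"cn": "carol", "userAccountControl": UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT
                                          | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED},
    {"cn": "dave", "userAccountControl": UF_NORMAL_ACCOUNT},
]

if __name__ == "__main__":
    for q in ("(userAccountControl=66048)", "(userAccountControl=65536)",
              "(userAccountControl:1.2.840.113556.1.4.803:=65536)"):
        print(q, "->", search(SAMPLE_ACCOUNTS, q))
    print(dont_expire_filter())
```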
RE : Re: [ActiveDir] choose between SOAD and Netpro directory Troubleshooter.
Just found this interesting article http://www.parsintl.com/pdf/10129-R-Quest.pdf with a small chapter comparing NetPro DT with SOAD. It seems that NetPro DT has more features and functionality than SOAD in the way that NetPro DT "has more tasks to diagnose and repair AD pb..." , "... is known for its extensive in-house knowledge base of AD tshoot...". A good start to help me in my final decision.

Yann
RE : Re: [ActiveDir] choose between SOAD and Netpro directory Troubleshooter.
Thanks Marc. With your experience, what could you advise me about the 2 products? Is SOAD much better than NetPro DT regarding tshooting, new features?

Yann

Mark Parris <[EMAIL PROTECTED]> wrote:

SOAD has a lovely GUI and lots of flashing lights

Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596

-Original Message-
From: Yann <[EMAIL PROTECTED]>
Date: Tue, 3 Oct 2006 20:11:12
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] choose between SOAD and Netpro directory Troubleshooter.

Hello all,

I don't know if it is the right place. I'm about to test 2 AD troubleshooting products and I have to choose one of them to monitor and tshoot our AD infrastructure: Spotlight on Active Directory (SOAD) and NetPro Active Directory Troubleshooter. Does someone have any experience with the 2 products and could tell me what are the pros and cons of each of them?

Thank you,
Yann
RE : Re: [ActiveDir] choose between SOAD and Netpro directory Troubleshooter.
Hi Paul,

In fact, I talked about NetPro Directory Troubleshooter. Do you mean that NetPro DT has more features than SOAD? The difficulty I have to face is: which one could give me the best and most accurate information to tshoot a pb? I know that SOAD has a good looking interface with some lights shining ;)

Yann

Paul Williams <[EMAIL PROTECTED]> wrote:

I assume you mean NetPro Directory Analyser? I've not done much with any, but we've got NetPro Directory Troubleshooter here and from what I've seen of it, it doesn't compare with Quest's SOAD as it does more proactive, task oriented stuff. I've not seen NetPro's analyser. Quest's SOAD is OK, but as with all real time monitoring solutions, you're limited by the human on the end. I'd prefer something like HP Open View Operations for Windows or BMC Patrol or even MOM, which can react accordingly to issues in a number of ways.

--Paul

- Original Message -
From: Yann
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 03, 2006 7:11 PM
Subject: [ActiveDir] choose between SOAD and Netpro directory Troubleshooter.

Hello all,

I don't know if it is the right place. I'm about to test 2 AD troubleshooting products and I have to choose one of them to monitor and tshoot our AD infrastructure: Spotlight on Active Directory (SOAD) and NetPro Active Directory Troubleshooter. Does someone have any experience with the 2 products and could tell me what are the pros and cons of each of them?

Thank you,
Yann
[ActiveDir] choose between SOAD and Netpro directory Troubleshooter.
Hello all,

I don't know if it is the right place. I'm about to test 2 AD troubleshooting products and I have to choose one of them to monitor and tshoot our AD infrastructure: Spotlight on Active Directory (SOAD) and NetPro Active Directory Troubleshooter. Does someone have any experience with the 2 products and could tell me what are the pros and cons of each of them?

Thank you,
Yann
RE : Re: RE : Re: [ActiveDir] forest disaster recovery plan.
Understood! Thanks all :)

Cheers,
Yann

Al Mulnick <[EMAIL PROTECTED]> wrote:

I think that's a very good way to approach it. Guido is really the expert on such processes and I tip my hat to him on that. :)

Some things to consider as you take this approach:

Write down what you're thinking. Why? Because it'll help to focus the thoughts. This can have a lot of moving parts in the process and it helps if you can keep your focus on the end goal at all times - even when you get mired down in politics.

If you lose the root domain, you have some big issues. It could happen, but I highly suggest you leave room in your report/guide for improvements aimed at shoring up any weaknesses in the processes that are followed to support the root domain. Of all, that is a very critical domain to ensure it is always running and available. Take into account all 8 layers when you do this.

Put a value on the assets (domains in this case) in the scenarios. For example, is it as important if you lose that 20 person domain in South Florida? How important to the overall business? Is it important if you lose the root domain? How important? What's the relative value to the business? The reason I say that is because when you start down this path there will be a recommendation to make improvements as well as to how you approach the backup/restore process. If you have some values assigned, you can better prioritize and justify expenditures of time and money.

Good luck!
Al

On 9/26/06, Yann <[EMAIL PROTECTED]> wrote:

Thanks Al for advices. :)

Guido pointed me to some very useful papers on recovery. Maybe my first job will be to understand the different types of AD recovery in order to master the whole process.

Some questions I have to face are:
-> What if a whole domain crashes (Root and Childs)?
-> What if a whole site crashes? And that site contains several DCs for other domains?

My goal is to (try to) make a recovery as fast as possible and with minimal effects on end users.

Cheers,
Yann

Al Mulnick <[EMAIL PROTECTED]> wrote:

There's a whitepaper on Microsoft's website. I think there are several blogs out there talking about same.

Things to look for? Timing of backups. Name resolution. Time sync. DA accounts. Backups from DC's or GC's (you'll want to pay attention to that). Role holders. Shouldn't be too bad otherwise. Kind of messy while you clean the orphaned DC's out of the mix seems to otherwise work well in the lab.

I highly suggest you spend a lot of time up front detailing the requirements and timelines so that you can make the solution fit the requirements vs. the other way around.

My $0.04 worth anyway.

On 9/26/06, Yann <[EMAIL PROTECTED]> wrote:

Hello all,

I have to write a forest disaster recovery plan for my enterprise, and also test this plan in a test lab. We have an AD 2k3 forest in FFL mode with:
-> one "empty" root: no resources, only for security reasons (to secure Enterprise & AD domain admins).
-> 3 child domains.
-> each DC has an AD integrated DNS zone.
-> WINS is also part of the infrastructure.
-> 20 AD sites.

I don't know where I have to start. Is there a roadmap or a step-by-step guide that describes the different strategies of a good recovery? And if experts in this list have good advice, they are welcome :)

Thank you very much,
Yann
RE : RE: [ActiveDir] DNS entry won't delete
Hello,
Maybe it is off topic, but I had a similar issue where I had 2 NICs and both were configured to update their records automatically in DNS.
Cheers,
Yann

"King, William" <[EMAIL PROTECTED]> wrote:

I experienced a similar occurrence a while back with a pointer record that wouldn't delete. I initially thought it was being re-registered, but I found that if I deleted it via the DNS Management snap-in it would immediately re-appear after hitting F5. Can you confirm if the record comes back immediately after hitting refresh or if it comes back after a set period of time?
William

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clingaman, Bruce
Sent: 26 September 2006 22:28
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS entry won't delete

My two DCs are Windows 2003 servers, DNS integrated, Primary. The resilient entries are from Mac OS X clients and one OS X server. The domain name of the entries is from a domain that was renamed.

Bruce Clingaman
Information Technology Department
Pensacola Christian College
850.478.8496 ext. 2198
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, September 26, 2006 3:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS entry won't delete

Bruce, try the command that Andrew posted and see what results you get. Other things to check: Are the domains integrated? Primary? How are the reverse and forward zones configured? I'm surprised to hear the record is not in WINS. I assume then that it's not a Windows server then? What type of server is it? What is the OS?
Al

On 9/26/06, Clingaman, Bruce <[EMAIL PROTECTED]> wrote:

I got "object not found" error. The following script should enumerate all the zones on both my DCs:
==========
' Binds to the MicrosoftDNS container of the DomainDnsZones partition on
' each DC and lists the zone objects directly beneath it
WScript.Echo Now & vbCrLf
DCs = Array("dc1", "dc2")
For i = 0 To UBound(DCs)
    strDN = "CN=MicrosoftDNS,DC=DomainDNSZones,DC=mydomain,DC=int"
    Set objColl = GetObject("LDAP://" & DCs(i) & "/" & strDN)
    WScript.Echo "Entries in " & DCs(i)
    WScript.Echo String(30, "-")
    EnumColl objColl
    WScript.Echo ""
Next

' Prints the relative name of every child object of the container
Sub EnumColl(objColl)
    For Each objEntry In objColl
        WScript.Echo objEntry.Name
    Next
End Sub
==========
It does not display all the zones, one of which has the entries in question.

Bruce Clingaman
Information Technology Department
Pensacola Christian College
850.478.8496 ext. 2198
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Cace
Sent: Tuesday, September 26, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS entry won't delete

You can run the following command to see where an update is originating. Then, if you have auditing enabled for that operation, you can check the originating DC to see who made the change.

repadmin /showobjmeta yourdc "dc=recordname,dc=yourzone.com,cn=MicrosoftDNS,dc=DomainDNSZones,dc=yourdomain,dc=com"

Replace yourdc, etc. with appropriate values for your domain. For a reverse lookup zone, recordname will be the last octet of the IP address and dc=yourzone.com will be something like dc=2.1.10.in-addr.arpa, where 2.1.10 is the reverse notation of the first three octets of your IP address. Be sure that you have the partition where the zone is stored correct, whether it's DomainDNSZones, ForestDNSZones, or the domain partition. The dnsRecord attribute is the one that you are interested in.
-Andrew

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clingaman, Bruce
Sent: Tuesday, September 26, 2006 8:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS entry won't delete

I have three DNS entries in my reverse lookup zone that were for static addresses that won't go away. The problem is one of them shares the address and hostname (different domain name, domain was renamed) assigned to another server. When I delete it, it immediately reappears. I am unable to determine what is putting these entries back in. They were for OS X machines, one is a client, the other was a server. The client has been changed to DHCP. The server was reinstalled and given a different IP address. I have a single level domain with two DCs, one is a WINS server, AD/DNS integrated.

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

This communication (including any attachments) contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not
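The thread above turns on two points: Bruce's VBScript binds only to the DomainDnsZones container, so zones stored in ForestDnsZones or in the domain partition never show up, and Andrew's `repadmin /showobjmeta` needs the exact DN of the dnsNode object in whichever partition actually holds the zone. The following PowerShell is an added example written for this page, not code from the list or from any poster: it walks all three containers on one DC, lists the zones each holds, finds the dnsNode for one record and prints the matching repadmin command. The DC name `dc1`, domain `mydomain.int`, zone `2.1.10.in-addr.arpa` and record name `42` are placeholders, not values from the thread.

```powershell
# Added example (not from the thread). Enumerates every container that can
# hold an AD-integrated zone on Windows Server 2003, then locates a dnsNode
# so its DN can be handed to "repadmin /showobjmeta" as Andrew described.
# All parameter defaults are placeholders, not values from the list.
param(
    [string]$Dc       = 'dc1',
    [string]$DomainDn = 'DC=mydomain,DC=int',
    [string]$Zone     = '2.1.10.in-addr.arpa',
    [string]$Record   = '42'
)

# The three places an AD-integrated zone can live.
$containers = @(
    "CN=MicrosoftDNS,CN=System,$DomainDn",         # domain partition (pre-2003 style)
    "CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn", # domain-wide application partition
    "CN=MicrosoftDNS,DC=ForestDnsZones,$DomainDn"  # forest-wide application partition
)

$found = @()
foreach ($container in $containers) {
    $path = "LDAP://$Dc/$container"
    # [ADSI]::Exists avoids a COM error for a container this DC does not host.
    if (-not [ADSI]::Exists($path)) {
        Write-Host "Not present on ${Dc}: $container"
        continue
    }
    $root = [ADSI]$path

    Write-Host "Zones under $container"
    foreach ($zoneEntry in $root.psbase.Children) {
        Write-Host "  $($zoneEntry.psbase.Name)"
    }

    # dnsNode objects are named by the "dc" attribute, so the record name is
    # matched on that; the zone is then checked from the object's DN.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = "(&(objectClass=dnsNode)(dc=$Record))"
    $searcher.SearchScope = 'Subtree'
    foreach ($hit in $searcher.FindAll()) {
        $dn = [string]$hit.Properties['distinguishedname'][0]
        if ($dn -like "*,DC=$Zone,*") { $found += $dn }
    }
}

if ($found.Count -eq 0) {
    Write-Host "No dnsNode named '$Record' in zone '$Zone' in any partition on $Dc"
} else {
    foreach ($dn in $found) {
        Write-Host "Record object: $dn"
        # The replication metadata on dnsRecord names the DC that originated
        # the last write; that DC's DNS and audit logs show which client
        # keeps re-registering the record.
        Write-Host "  repadmin /showobjmeta $Dc `"$dn`""
    }
}
```

Running it once per DC (as Bruce's script did) is worthwhile, because a zone that exists on one DC but is missing on the other is itself a clue about which partition it lives in and whether that partition is replicated to both.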
RE : Re: [ActiveDir] forest disaster recovery plan.
Thanks Al for the advice. :) Guido pointed me to some very useful papers on recovery. Maybe my first job will be to understand the different types of AD recovery in order to master the whole process. Some questions I have to face are:
-> What if a whole domain crashes (root and children)?
-> What if a whole site crashes? And that site contains several DCs for other domains?
My goal is to (try to) make a recovery as fast as possible and with minimal effects on end users.

Cheers,
Yann

Al Mulnick <[EMAIL PROTECTED]> wrote:

There's a whitepaper on Microsoft's website. I think there are several blogs out there talking about same. Things to look for? Timing of backups. Name resolution. Time sync. DA accounts. Backups from DCs or GCs (you'll want to pay attention to that). Role holders. Shouldn't be too bad otherwise. Kind of messy while you clean the orphaned DCs out of the mix; seems to otherwise work well in the lab. I highly suggest you spend a lot of time up front detailing the requirements and timelines so that you can make the solution fit the requirements vs. the other way around. My $0.04 worth anyway.

On 9/26/06, Yann <[EMAIL PROTECTED]> wrote:

Hello all,
I have to write a forest disaster recovery plan for my enterprise, and also test this plan in a test lab. We have an AD 2k3 forest in FFL mode with:
-> one "empty" root: no resources, only for security reasons (to secure Enterprise & AD domain admins).
-> 3 child domains.
-> each DC has an AD integrated DNS zone.
-> WINS is also part of the infrastructure.
-> 20 AD sites.
I don't know where I have to start. Is there a roadmap or a step-by-step guide that describes the different strategies of a good recovery? And if experts on this list have good advice, they are welcome :)
Thank you very much,
Yann
RE : RE: [ActiveDir] forest disaster recovery plan.
Wooow! Awesome! Thanks Guido for the links, I will study all of those. Hope that MS will soon make available the forest recovery version for AD2k3.
Thanks again,
Yann

"Grillenmeier, Guido" <[EMAIL PROTECTED]> wrote:

Microsoft is working on an updated Forest Recovery guide for Windows Server 2003, however, the basic procedures for full forest recovery are still the same as you'd have to do for a Windows 2000 AD forest. And for the latter a guide already exists:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=3EDA5A79-C99B-4DF9-823C-933FEBA08CFE

Naturally, Win2003 offers new features such as Install from Media to speed up promotion of DCs, but the general gist of a full recovery of a multi-domain AD forest remains as complex as described in the Microsoft document just referenced above.

Realize that there are different aspects to AD recovery and Forest Disaster Recovery is obviously for that very rare and unlikely occasion (that you still need to be prepared for). To get a good overview about the other challenges involved in AD recovery (especially in a multi domain forest), you should have a look at the following whitepapers:
· A Definite Guide to Active Directory Disaster Recovery (from NetPro & HP) http://www.netpro.com/media/pdf/NetPro_ADDR_Guide.pdf
· 11 Things to Know about Active Directory Recovery (from Quest & HP) http://www.quest.com/documents/list.aspx?searchoff=true&contenttypeid=1&prodfamily=13

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Tuesday, September 26, 2006 7:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] forest disaster recovery plan.

Hello all,
I have to write a forest disaster recovery plan for my enterprise, and also test this plan in a test lab. We have an AD 2k3 forest in FFL mode with:
-> one "empty" root: no resources, only for security reasons (to secure Enterprise & AD domain admins).
-> 3 child domains.
-> each DC has an AD integrated DNS zone.
-> WINS is also part of the infrastructure.
-> 20 AD sites.
I don't know where I have to start. Is there a roadmap or a step-by-step guide that describes the different strategies of a good recovery? And if experts on this list have good advice, they are welcome :)
Thank you very much,
Yann
[ActiveDir] forest disaster recovery plan.
Hello all,
I have to write a forest disaster recovery plan for my enterprise, and also test this plan in a test lab. We have an AD 2k3 forest in FFL mode with:
-> one "empty" root: no resources, only for security reasons (to secure Enterprise & AD domain admins).
-> 3 child domains.
-> each DC has an AD integrated DNS zone.
-> WINS is also part of the infrastructure.
-> 20 AD sites.
I don't know where I have to start. Is there a roadmap or a step-by-step guide that describes the different strategies of a good recovery? And if experts on this list have good advice, they are welcome :)
Thank you very much,
Yann
RE : Re: [ActiveDir] [OT] Exchange 2003 ADC Time Sync Issues - Event 8139 -> Call to MS PSS
Hello,
With no luck solving my problem, I called MS PSS for assistance.
Thanks,
Yann

Yann <[EMAIL PROTECTED]> wrote:

Hello Tony,
Yes, I saw it and I mailed Scott Anderson, who is the author. He advised me to check that my CAs are well configured, which is what I did. His problem was exactly the same as mine, except that replication from AD -> Exch 5.5 does not work. I set diagnostic logging on my ADC to maximum, added a value to an AD mailbox-enabled user attribute (description) and forced a full replication. An event ID 8139 appears and I see no modification on my Exchange 5.5 mailbox user. The time is correctly set on my Exchange 5.5, my ADC server and my Global Catalog.
Thanks,
Yann

Tony Murray <[EMAIL PROTECTED]> wrote:

Yann
Did you see this?:
http://www.mcse.ms/message568787.html
Tony

----- Original Message -----
From: Yann <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date: Thu, 7 Sep 2006 20:25:02 +0200 (CEST)

Hello all,
I have a 2 site Exchange 5.5 environment (2 5.5 servers per site on NT 4.0 SP6a with latest hotfixes), Windows 2003 Native Mode AD (Forest/Domain Level at 2003 Functional Level). MSADC installed on 1 DC replicating recipient containers and public folders from both sites. I have two-way replication. But replication from AD to Exchange 5.5 does not work. When I do a full replication between AD and 5.5 from the ADC, every object throws the following warning event 8139 in the app log:

The target object 'CN=yann,OU=Exch,DC=mycompany,DC=com' was modified after the source object 'cn=yann,o=mycompany.com' Consequently, the following set of updates will not be applied to the target object. If this warning persists, make sure that the time is correctly set on both the source and target servers.
dn: CN=CN=yann,OU=Exch,DC=mycompany,DC=com
changetype: modify
replicationsignature:E1EB509F06C5614FB3BF6066ACFCF531
userAccountControl::<>
msExchMailboxGuid::<>
-
(Connection Agreement 'Users: mycompagny.com - mycompagny.com' #3254)
For more information, click http://www.microsoft.com/contentredirect.asp.

I have verified time sync/time zone on all DCs and 5.5 servers. I have not found any solution to my issue. Next step will be a support call to PSS. Anyone with any insight into this would be greatly appreciated.
Thanks,
Yann

Sent via the WebMail system at mail.activedir.org
RE : Re: [ActiveDir] [OT] Exchange 2003 ADC Time Sync Issues - Event 8139
Hello Tony,
Yes, I saw it and I mailed Scott Anderson, who is the author. He advised me to check that my CAs are well configured, which is what I did. His problem was exactly the same as mine, except that replication from AD -> Exch 5.5 does not work. I set diagnostic logging on my ADC to maximum, added a value to an AD mailbox-enabled user attribute (description) and forced a full replication. An event ID 8139 appears and I see no modification on my Exchange 5.5 mailbox user. The time is correctly set on my Exchange 5.5, my ADC server and my Global Catalog.
Thanks,
Yann

Tony Murray <[EMAIL PROTECTED]> wrote:

Yann
Did you see this?:
http://www.mcse.ms/message568787.html
Tony

----- Original Message -----
From: Yann <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date: Thu, 7 Sep 2006 20:25:02 +0200 (CEST)

Hello all,
I have a 2 site Exchange 5.5 environment (2 5.5 servers per site on NT 4.0 SP6a with latest hotfixes), Windows 2003 Native Mode AD (Forest/Domain Level at 2003 Functional Level). MSADC installed on 1 DC replicating recipient containers and public folders from both sites. I have two-way replication. But replication from AD to Exchange 5.5 does not work. When I do a full replication between AD and 5.5 from the ADC, every object throws the following warning event 8139 in the app log:

The target object 'CN=yann,OU=Exch,DC=mycompany,DC=com' was modified after the source object 'cn=yann,o=mycompany.com' Consequently, the following set of updates will not be applied to the target object. If this warning persists, make sure that the time is correctly set on both the source and target servers.
dn: CN=CN=yann,OU=Exch,DC=mycompany,DC=com
changetype: modify
replicationsignature:E1EB509F06C5614FB3BF6066ACFCF531
userAccountControl::<>
msExchMailboxGuid::<>
-
(Connection Agreement 'Users: mycompagny.com - mycompagny.com' #3254)
For more information, click http://www.microsoft.com/contentredirect.asp.

I have verified time sync/time zone on all DCs and 5.5 servers. I have not found any solution to my issue. Next step will be a support call to PSS. Anyone with any insight into this would be greatly appreciated.
Thanks,
Yann
[ActiveDir] [OT] Exchange 2003 ADC Time Sync Issues - Event 8139
Hello all,
I have a 2 site Exchange 5.5 environment (2 5.5 servers per site on NT 4.0 SP6a with latest hotfixes), Windows 2003 Native Mode AD (Forest/Domain Level at 2003 Functional Level). MSADC installed on 1 DC replicating recipient containers and public folders from both sites. I have two-way replication. But replication from AD to Exchange 5.5 does not work. When I do a full replication between AD and 5.5 from the ADC, every object throws the following warning event 8139 in the app log:

The target object 'CN=yann,OU=Exch,DC=mycompany,DC=com' was modified after the source object 'cn=yann,o=mycompany.com' Consequently, the following set of updates will not be applied to the target object. If this warning persists, make sure that the time is correctly set on both the source and target servers.
dn: CN=CN=yann,OU=Exch,DC=mycompany,DC=com
changetype: modify
replicationsignature:E1EB509F06C5614FB3BF6066ACFCF531
userAccountControl::<>
msExchMailboxGuid::<>
-
(Connection Agreement 'Users: mycompagny.com - mycompagny.com' #3254)
For more information, click http://www.microsoft.com/contentredirect.asp.

I have verified time sync/time zone on all DCs and 5.5 servers. I have not found any solution to my issue. Next step will be a support call to PSS. Anyone with any insight into this would be greatly appreciated.
Thanks,
Yann
RE : Re: RE : RE: [ActiveDir] backup and restore AD.
Hello Brett,
The problem was that one disk in my RAID 5 was corrupted. So I changed the disk and checked that my RAID 5 was OK via Dell OpenManage. But when restarting the DC, it showed a Windows popup stating an error in lsass.exe and that I had to boot in DSRM mode. When I clicked OK, my DC rebooted again and that scenario never ended until I booted in DSRM mode!! When logging in DSRM mode, there were only the ntds.dit and the Edb*.log, no edb.chk!! So I restored system state, but when the restore finished there was still no edb.chk created in DSRM mode: a semantic checker showed a JET error stating that no transaction logs were found.
So I had 2 options:
1) restore ntds.dit, edb.chk, Edb*.log, Res1.log and Res2.log from my last full backup. This backup was done 5 days ago.
2) lastly, force a demotion via ntdsutil and delete all DNS registrations, FRS subscriptions and AD objects that point to this DC.
So I chose 1) and that works fine. I was lucky!!
Brett, is there any MS documentation stating that this type of "dirty" restoration is unsupported? I have not found any clue in MS TechNet. And in my situation, what would you have done? Would 2) be a better and supported solution than 1)?
Thanks for advice.
Yann

Brett Shirley <[EMAIL PROTECTED]> wrote:

BTW, if you have snapshot based backup you _can_ backup and just restore only the AD data (dit, log, and chk), and it will work w/o USN rollback correctly. We used to run quick tests like that all the time, but ONLY validated that the DS / AD didn't break. That doesn't make it supported. BTW, it is in fact _not supported_.

There are an unknown # of components (AD itself, SAM, LSA, Kerberos, NTLM, AuthZ, etc ... just about anything DS or security related) that may have a dependency on some random part of AD and some random part of Registry data staying in sync ... we don't know what breaks when you restore one w/o the other ... this is why it is unsupported ... and almost completely untested ... but why let that dissuade you, you're a pioneer right. ;)

The most obvious case of this would be if you restored a DIT from one domain to the DIT folder for a DC in another domain, replacing its DIT. Would that work? Almost guaranteed there would be security issues. That's of course the extreme case, and one easy to avoid; we don't know the in-between cases.

Cheers,
-BrettSh [msft]

On Fri, 18 Aug 2006, Yann wrote:
> Hello Jorge,
>
> Thanks for clarification.
> I will check next week if I have no issues with USN rollback :( .
>
> Yann
>
> "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]> wrote:
> when a DC is restored from the system state (amongst others):
> * the restored RID pool is thrown away (invalidated) and a new RID pool is requested at the RID master
> * the invocation ID of the AD DB is changed (which prevents USN rollbacks)
>
> so in your case it works because the backup is not that old. The AD DB is tightly coupled with the registry and there is a reason for that! The reason as why you MUST restore the system state as MS says. The way you are doing that is, how shall I say it gently... NOT SUPPORTED! ;-)
> And I guess you will be hitting on USN Rollback. See my blog and search for BACKUP and you will find an article with some more info
>
> jorge
>
> -----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
> Sent: Tuesday, August 08, 2006 22:47
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] backup and restore AD.
>
> Hello,
>
> I had a question about AD backup & restore.
> It is possible to backup AD in 2 ways:
> 1) backup only the system state.
> 2) backup system state & file system containing the AD working directory (ntds.dit, edb.chk, Edb*.log, Res1.log and Res2.log).
>
> MS states that you have to restore your AD by restoring the system state.
> But, what about just restoring the AD working directory without system state? I tested it and that works fine.
> So my question is:
> => In what circumstances do I have to choose a restore from system state or a restore from AD working directory.
>
> Thanks for clarification,
>
> Yann
>
> This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
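Jorge's and Brett's replies describe what a supported system state restore does that a hand-copied ntds.dit does not: the RID pool is invalidated and the DSA gets a fresh invocationId, which is what protects replication partners from a USN rollback. A DC restored the "dirty" way, as in Yann's option 1, leaves those markers untouched, so the safe thing to do afterwards is to check them before trusting the box. The PowerShell below is an added example for this page, not code from the list or from any poster. It reads the two registry values and the Directory Service event that Microsoft documents for USN rollback detection in KB875495 (the value names and event ID come from that article), and compares the DSA's invocationId with its objectGUID, which start out equal at promotion and diverge after a supported restore. It assumes it is run locally on the restored DC.

```powershell
# Added example (not from the thread). Reports the indicators a Windows
# Server 2003 DC keeps about restores and USN rollback so that a DC whose
# database files were copied back by hand can be checked before it is
# trusted. Value names and the event ID are those documented in KB875495.
# Run locally on the restored DC with rights to read NTDS and the registry.

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$params = Get-ItemProperty -Path $ntdsParams

# 4 means the DC detected a USN rollback and quarantined itself
# (inbound/outbound replication disabled, NETLOGON paused, event 2095).
$notWritable = $params.'DSA Not Writable'

# Incremented by every proper system state restore; absent or unchanged when
# ntds.dit, edb.chk and the logs were simply copied back from a file backup.
$restoreCount = $params.'DSA Previous Restore Count'

# invocationId equals the NTDS Settings objectGUID at promotion and diverges
# after a supported restore, which assigns a fresh invocationId.
$rootDse      = [ADSI]'LDAP://RootDSE'
$dsa          = [ADSI]('LDAP://' + [string]$rootDse.dsServiceName)
$objectGuid   = $dsa.psbase.Guid
$invocationId = New-Object Guid -ArgumentList (,[byte[]]$dsa.psbase.Properties['invocationId'][0])

# Recent USN rollback quarantine events, if any, from the Directory Service log.
$rollbackEvents = Get-EventLog -LogName 'Directory Service' -Newest 200 |
    Where-Object { $_.EventID -eq 2095 }

"DSA object:                 " + $dsa.psbase.Properties['distinguishedName'][0]
"objectGUID:                 $objectGuid"
"invocationId:               $invocationId"
"DSA Previous Restore Count: " + $(if ($restoreCount -eq $null) { '(not set)' } else { $restoreCount })
"DSA Not Writable:           " + $(if ($notWritable -eq $null)  { '(not set)' } else { $notWritable })
"Event 2095 entries seen:    " + @($rollbackEvents).Count

if ($notWritable -eq 4 -or @($rollbackEvents).Count -gt 0) {
    Write-Warning 'USN rollback detected: this DC has isolated itself. The documented remedy (KB875495) is to demote it, clean up its metadata and promote it again.'
} elseif ($objectGuid -eq $invocationId -and $restoreCount -eq $null) {
    Write-Host 'No supported restore has ever been recorded on this DC. If its database came back from a file copy, compare its up-to-dateness vector with a healthy partner (repadmin /showutdvec) before leaving it in production.'
} else {
    Write-Host 'A supported restore was recorded and invocationId has been regenerated.'
}
```

The invocationId comparison is the part worth remembering from Jorge's reply: a file-level restore of the DIT keeps the old invocationId, so partners that already received higher USNs from this DC will silently skip the changes it re-originates, which is exactly the condition the 2095 event and the `DSA Not Writable` value are there to catch.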
RE : RE: [ActiveDir] backup and restore AD.
Hello Jorge,
Thanks for clarification.
I will check next week if I have no issues with USN rollback :( .
Yann

"Almeida Pinto, Jorge de" <[EMAIL PROTECTED]> wrote:

when a DC is restored from the system state (amongst others):
* the restored RID pool is thrown away (invalidated) and a new RID pool is requested at the RID master
* the invocation ID of the AD DB is changed (which prevents USN rollbacks)

so in your case it works because the backup is not that old. The AD DB is tightly coupled with the registry and there is a reason for that! The reason as why you MUST restore the system state as MS says. The way you are doing that is, how shall I say it gently... NOT SUPPORTED! ;-)
And I guess you will be hitting on USN Rollback. See my blog and search for BACKUP and you will find an article with some more info

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Tuesday, August 08, 2006 22:47
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] backup and restore AD.

Hello,
I had a question about AD backup & restore.
It is possible to backup AD in 2 ways:
1) backup only the system state.
2) backup system state & file system containing the AD working directory (ntds.dit, edb.chk, Edb*.log, Res1.log and Res2.log).
MS states that you have to restore your AD by restoring the system state.
But, what about just restoring the AD working directory without system state? I tested it and that works fine.
So my question is:
=> In what circumstances do I have to choose a restore from system state or a restore from AD working directory.
Thanks for clarification,
Yann
[ActiveDir] backup and restore AD.
Hello,
I had a question about AD backup & restore.
It is possible to backup AD in 2 ways:
1) backup only the system state.
2) backup system state & file system containing the AD working directory (ntds.dit, edb.chk, Edb*.log, Res1.log and Res2.log).
MS states that you have to restore your AD by restoring the system state.
But, what about just restoring the AD working directory without system state? I tested it and that works fine.
So my question is:
=> In what circumstances do I have to choose a restore from system state or a restore from AD working directory.
Thanks for clarification,
Yann
RE : Re: [ActiveDir] Moving Sysvol .
Paul,
Thanks for your suggestion. I will follow your advice in order to secure my ntds.dit.
Thanks again,
Yann

Paul Williams <[EMAIL PROTECTED]> wrote:

Yes, you can relocate the SYSVOL. It's just a little more involved (couple of extra steps, not difficult) than moving the DIT. See:
-- http://support.microsoft.com/?id=842162

However, if I might be so bold as to make a suggestion here, I would recommend you leave SYSVOL where it is, giving you:
0: Windows
1: DIT and Logs
2: SYSVOL

You don't want SYSVOL on the same disk as the database. Especially if you are delegating things like GPO modification, etc. to non-admins or lesser admins.

--Paul

----- Original Message -----
From: Yann
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 08, 2006 1:14 PM
Subject: [ActiveDir] Moving Sysvol .

Hello :)
I have my AD w2k3sp1 hard disks configured as this:
hdd1: AD logs.
hdd2: ntds.dit + sysvol.
I would like to change my hdd2, so I move the ntds.dit to hdd1 and that's OK. But how to move the sysvol folder to hdd1? Is there a way to do this?
Thanks for your replies.
Yann
RE : RE: [ActiveDir] Moving Sysvol .
Thanks a lot :) Next time, I will look first in the MS KB.
Cheers,
Yann

Robert Rutherford <[EMAIL PROTECTED]> wrote:

http://support.microsoft.com/?kbid=842162

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: 08 August 2006 13:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Moving Sysvol .

Hello :)
I have my AD w2k3sp1 hard disks configured as this:
hdd1: AD logs.
hdd2: ntds.dit + sysvol.
I would like to change my hdd2, so I move the ntds.dit to hdd1 and that's OK. But how to move the sysvol folder to hdd1? Is there a way to do this?
Thanks for your replies.
Yann
[ActiveDir] Moving Sysvol .
Hello :)
I have my AD w2k3sp1 hard disks configured as this:
hdd1: AD logs.
hdd2: ntds.dit + sysvol.
I would like to change my hdd2, so I move the ntds.dit to hdd1 and that's OK. But how to move the sysvol folder to hdd1? Is there a way to do this?
Thanks for your replies.
Yann
RE : Re: [ActiveDir] Question regarding compacting AD DB.
Hello Al,
Good links you pointed me to, especially the link to automate the process. Thanks again for clarification on this subject.
Yann

Al Mulnick <[EMAIL PROTECTED]> wrote:

http://technet2.microsoft.com/WindowsServer/en/Library/5dd6f9eb-0533-4474-ac52-dca78c5471dd1033.mspx?mfr=true
http://technet2.microsoft.com/WindowsServer/en/Library/975c456e-8b79-4ace-8363-82543236dbb31033.mspx?mfr=true
http://technet2.microsoft.com/WindowsServer/f/?en/Library/5b1d983d-ffab-4514-a95e-6aa0420dacb51033.mspx

Compacting is a local dit thing. You'll need to deal with it local to each machine. IIRC, you can automate/semi-automate this and can off-set it to not take out your entire forest at the same time. The above links should help.

I've just never seen a big reason to do this on an automated basis. Even with similar amounts of DCs I didn't have enough of a reason to do this. You may want to verify that there is much free space before doing this. Online defrag can be a wonderful thing, and off-line is typically recommended if online is not going to be able to finish during its run time.

Al

On 6/27/06, Yann <[EMAIL PROTECTED]> wrote:

Hello,
It may be a silly question, but when you perform a migration from WinNT/w2k to a w2k3 domain, do I have next to compact+defrag the ntds.dit on *EACH* DC2k3 that has been migrated? Or may I do the operation on only one DC and this DC will replicate the state (compact&defrag) to all other DCs? I have at least 60 DCs :( I think the answer will be "compact & defrag each DC that has been upgraded", but just to be 100 % sure.
Thanks for answer.
Yann

Yahoo! Mail reinvents mail! Discover the new Yahoo! Mail and its revolutionary interface.
RE : RE: [ActiveDir] Question regarding compacting AD DB.
Hi,

Thanks for replying. We already did in-place upgrades for half of our DCs.

"Coleman, Hunter" <[EMAIL PROTECTED]> wrote:
If each 2k3 DC is newly promoted, as opposed to an in-place upgrade, then the .dit on those DCs will essentially be compacted with minimal whitespace. Were you planning on rebuilding your DCs as part of the migration, or doing in-place upgrades?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Tuesday, June 27, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question regarding compacting AD DB.

Hello,

It may be a silly question, but when you perform a migration from winNT/w2k to a w2k3 domain, do I then have to compact+defrag the ntds.dit on *EACH* DC2k3 that has been migrated? Or may I do the operation on only one DC, and this DC will replicate the state (compact & defrag) to all other DCs? I have at least 60 DCs :( I think the answer will be "compact & defrag each DC that has been upgraded", but just to be 100% sure.

Thanks for the answer.
Yann
[ActiveDir] Question regarding compacting AD DB.
Hello,

It may be a silly question, but when you perform a migration from winNT/w2k to a w2k3 domain, do I then have to compact+defrag the ntds.dit on *EACH* DC2k3 that has been migrated? Or may I do the operation on only one DC, and this DC will replicate the state (compact & defrag) to all other DCs? I have at least 60 DCs :( I think the answer will be "compact & defrag each DC that has been upgraded", but just to be 100% sure.

Thanks for the answer.
Yann
RE : [ActiveDir] How to block a sender in Exchange.
Hi,

You can block someone from sending mail by 2 means:
-> from the properties of your SMTP virtual server
-> from the properties of your SMTP connector
I have no Exchange box nearby but you will easily find the option.

If you can not receive any mails from arvindmills *ONLY*, check if you have not enabled IMF at your Exchange Org level: check to see if you have not enabled filtering based on IP, domain or senders.

If you can not send mail *ONLY* to arvindmills:
-> check if you have not been blacklisted.
-> activate logging on the properties of your Exchange server (Org -> admin group -> your_server); choose the SMTP category.
-> activate SMTP logging (if not done yet) on your SMTP virtual server, and see if connections to the foreign server are OK
-> put a network trace on your Exchange box and send a mail.

Yann

Ajay Kumar <[EMAIL PROTECTED]> wrote:
Hi there,

I'm having an Exchange 2003 running in my org. with 500 clients using that. For a few weeks I have been monitoring that a particular ID is sending virus mails. I want to block this sender; how will I do that? And also we are not able to send and receive mails from a particular domain. Every time when we are sending mails to arvindmills.com the message bounces back with the error "Retry timeout exceeded", and on the arvindmills side when they are sending mails they are not getting any bounce back, and on our end we are not receiving that mail. We are having a DHCP IP. Please help me out on this problem. Waiting for your response.

Thanks & Regards
Ajay
RE : RE: RE : RE: [ActiveDir] AD LDAP Logging.
Hello,

Gil, very very very useful information that you provided at the DEC AD performance session. I just finished studying it. I highly recommend it because of the videos that explain well how to use SPA, logman, etc.! I'm eager to test your troubleshooting on Monday! :)

A few questions...
1) Will SPA consume lots of resources when starting analysis and generating reports?
2) Can SPA analyze other DCs from one w2k3 box dedicated to SPA? Or must I install SPA on each box that I want to trend?
3) Could I see possible LDAP connectivity problems ("dirty" LDAP disconnections...) between my DC and a client?
3) Can I schedule the analyses for a few days to be sure to track the LDAP problem? And will it consume high resources?

Thanks,
Yann

Gil Kirkpatrick <[EMAIL PROTECTED]> wrote:
You can use SPA, or you can use logman and tracerpt to get detailed LDAP stats. SPA does a lot of analysis for you and diagnoses several classes of AD perf problems. Tracerpt will give you a fairly raw look at all the LDAP traffic. I covered all three in my DEC AD Performance session (which I didn't actually deliver at DEC :). It's available on the NetPro website at http://www.netpro.com/community/medialibrary.cfm.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Friday, June 09, 2006 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: RE : RE: [ActiveDir] AD LDAP Logging.

It is true that SPA is not localized but I believe the French version will be ok. The problem comes about with the localization of the perfmon data. If you have problems post back and we can try a few workarounds, because we are only really interested in the trace data at this point, which should not be impacted.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 11:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] AD LDAP Logging.

Thank you for your answer Steve.

I will install SPA on Monday and see if I can log some LDAP activities (errors, connection problems, etc...). Will this version of SPA work on a w2k3 SP1 French version?

Regards,
Yann

Steve Linehan <[EMAIL PROTECTED]> wrote:
I would suggest taking a look at Server Performance Advisor (SPA), assuming these are Windows Server 2003 DCs, and using it to collect and analyze the data for the DCs in question. This tool combines performance counters and the tracing data that Joe is referring to, which will allow you to get very detailed information on what is occurring. This tool will give you a peek into the new performance and monitoring capabilities that we are adding into the next versions of the OS. It will also give you hints on what we believe the performance problems are. One of these days when I get a chance I will try to write a blog entry on all of the things you can do with SPA. By the way it also collects information for other server roles as well, such as IIS, giving you tremendous amounts of detail found nowhere else. Yes, event tracing is the future of not only performance monitoring but debugging difficult issues. You can download SPA from here: http://www.microsoft.com/downloads/details.aspx?FamilyID=09115420-8c9d-46b9-a9a5-9bffcd237da2&DisplayLang=en

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, June 09, 2006 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD LDAP Logging.

Unfortunately the logging is very basic; it will not log LDAP errors from anything I have seen. This is something I have asked for from MSFT as well, very detailed LDAP logging like you can enable with some of the other directories. Usually I hear a response of "use event tracing" but I haven't had a chance to really dig deep into that yet to see how useful it will be. It depends on what error messages the code is displaying, but possibly a query timed out? That could be indicative of a very poor query. By default, if a query goes more than 2 minutes, it will get dropped.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] AD LDAP Logging.

Good point Joe. I will use perfmon to monitor the health of my DC.

Another question. The web app timed out with this generic error "the server is down", where "the server" = mydc. At the time the web app timed out, I saw no errors about LDAP connections between my DC and the Zope server. With the Field Engineering set to 5 and if the web app times out, will an LDAP error appear in my event logs stating that a disconnection occurred?
RE : RE: [ActiveDir] AD LDAP Logging.
Thank you for your answer Steve.

I will install SPA on Monday and see if I can log some LDAP activities (errors, connection problems, etc...). Will this version of SPA work on a w2k3 SP1 French version?

Regards,
Yann

Steve Linehan <[EMAIL PROTECTED]> wrote:
I would suggest taking a look at Server Performance Advisor (SPA), assuming these are Windows Server 2003 DCs, and using it to collect and analyze the data for the DCs in question. This tool combines performance counters and the tracing data that Joe is referring to, which will allow you to get very detailed information on what is occurring. This tool will give you a peek into the new performance and monitoring capabilities that we are adding into the next versions of the OS. It will also give you hints on what we believe the performance problems are. One of these days when I get a chance I will try to write a blog entry on all of the things you can do with SPA. By the way it also collects information for other server roles as well, such as IIS, giving you tremendous amounts of detail found nowhere else. Yes, event tracing is the future of not only performance monitoring but debugging difficult issues. You can download SPA from here: http://www.microsoft.com/downloads/details.aspx?FamilyID=09115420-8c9d-46b9-a9a5-9bffcd237da2&DisplayLang=en

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, June 09, 2006 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD LDAP Logging.

Unfortunately the logging is very basic; it will not log LDAP errors from anything I have seen. This is something I have asked for from MSFT as well, very detailed LDAP logging like you can enable with some of the other directories. Usually I hear a response of "use event tracing" but I haven't had a chance to really dig deep into that yet to see how useful it will be. It depends on what error messages the code is displaying, but possibly a query timed out? That could be indicative of a very poor query. By default, if a query goes more than 2 minutes, it will get dropped.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] AD LDAP Logging.

Good point Joe. I will use perfmon to monitor the health of my DC.

Another question. The web app timed out with this generic error "the server is down", where "the server" = mydc. At the time the web app timed out, I saw no errors about LDAP connections between my DC and the Zope server. With the Field Engineering set to 5 and if the web app times out, will an LDAP error appear in my event logs stating that a disconnection occurred?

Thanks for taking time to reply,

Cheers,
Yann

----- Original Message -----
From: joe <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Friday, 9 June 2006, 2:25:26
Subject: RE: [ActiveDir] AD LDAP Logging.

When you change that threshold you are specifying how expensive you want the query to be before AD reports it. Changing "Expensive" to 1, according to the docs, means that as soon as a query has to look at one or more entries it will be logged. So when you turn down that value, you are telling it to log pretty much everything. That being said, unless you have changed your schema, objectclass isn't indexed, and a filter with no indexed attributes is generally considered inefficient unless it is properly scoped. The fact that you are returning 58 of 63 entries means that it isn't too bad, but just the same, I would work on getting the query changed to use an indexed attribute or, more likely, because so many apps/scripts screw up around objectclass, indexing objectclass AND getting the query changed.

When you see big noticeable deltas in how long the same query takes to run, it is usually a couple of things that could be at fault; possibly Eric will pipe in with more. The first is that the DC is tied up with something else and just can't give you the proc time; the other is that it has to go to disk instead of pulling from cache. Either way you should be looking at your perf counters to see how the DC is performing. I tend to really look at disk counters because that is where it often falls down. Things like disk queue and number of read ops for the DIT drive (write ops are usually a rounding error except during heavy population periods) are the things I immediately focus on. Just seeing the number of read ops doesn't help; you have to understand your disk architecture, because on some systems 500 read ops may be just fine, but on others it could be over what the disk system is capable of sustaining, so you start backing up.
Re : [ActiveDir] AD LDAP Logging.
Ok thanks. When you said "...use event tracing...", do you mean using Perfmon Trace Logs?

----- Original Message -----
From: joe <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Friday, 9 June 2006, 4:34:33
Subject: RE: [ActiveDir] AD LDAP Logging.

Unfortunately the logging is very basic; it will not log LDAP errors from anything I have seen. This is something I have asked for from MSFT as well, very detailed LDAP logging like you can enable with some of the other directories. Usually I hear a response of "use event tracing" but I haven't had a chance to really dig deep into that yet to see how useful it will be. It depends on what error messages the code is displaying, but possibly a query timed out? That could be indicative of a very poor query. By default, if a query goes more than 2 minutes, it will get dropped.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] AD LDAP Logging.

Good point Joe. I will use perfmon to monitor the health of my DC.

Another question. The web app timed out with this generic error "the server is down", where "the server" = mydc. At the time the web app timed out, I saw no errors about LDAP connections between my DC and the Zope server. With the Field Engineering set to 5 and if the web app times out, will an LDAP error appear in my event logs stating that a disconnection occurred?

Thanks for taking time to reply,

Cheers,
Yann

----- Original Message -----
From: joe <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Friday, 9 June 2006, 2:25:26
Subject: RE: [ActiveDir] AD LDAP Logging.

When you change that threshold you are specifying how expensive you want the query to be before AD reports it. Changing "Expensive" to 1, according to the docs, means that as soon as a query has to look at one or more entries it will be logged. So when you turn down that value, you are telling it to log pretty much everything. That being said, unless you have changed your schema, objectclass isn't indexed, and a filter with no indexed attributes is generally considered inefficient unless it is properly scoped. The fact that you are returning 58 of 63 entries means that it isn't too bad, but just the same, I would work on getting the query changed to use an indexed attribute or, more likely, because so many apps/scripts screw up around objectclass, indexing objectclass AND getting the query changed.

When you see big noticeable deltas in how long the same query takes to run, it is usually a couple of things that could be at fault; possibly Eric will pipe in with more. The first is that the DC is tied up with something else and just can't give you the proc time; the other is that it has to go to disk instead of pulling from cache. Either way you should be looking at your perf counters to see how the DC is performing. I tend to really look at disk counters because that is where it often falls down. Things like disk queue and number of read ops for the DIT drive (write ops are usually a rounding error except during heavy population periods) are the things I immediately focus on. Just seeing the number of read ops doesn't help; you have to understand your disk architecture, because on some systems 500 read ops may be just fine, but on others it could be over what the disk system is capable of sustaining, so you start backing up. As a quick rule of thumb I start with the assumption that each spindle that is part of the volume gives you 100 IOPS capability. That can be generous, so if you are on the edge keep that in mind, but if you are at 20 OPS and you have 8 spindles in a RAID 0+1 it is unlikely disk is your bottleneck[1] and the disk queues should bear that out.

Of course I tend to focus on disk because memory is almost always boosted up there, because most people realize how important RAM is, but only folks who think about Exchange tend to think about disk, and the only guideline I have seen from MSFT recommends 3 RAID-1 sets for anything above several thousand users, which I don't feel is very good. Again, as a general rule I would rather see a single RAID 0+1 (or even better, if you don't care about fault tolerance, a RAID 0) or RAID-5 than 3 RAID-1's. But this is all just recanting a zillion conversations we have had here on the list about disk layouts.

joe

[1] Virtualization really screws with this from the disk standpoint because you need to look at counters for the physical machine, and while your DC may not be generating many read ops, if other virtual machines are, you could be slowed down considerably by those without the Read Ops reflecting much on the individual DC.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Re : [ActiveDir] AD LDAP Logging.
Good point Joe. I will use perfmon to monitor the health of my DC.

Another question. The web app timed out with this generic error "the server is down", where "the server" = mydc. At the time the web app timed out, I saw no errors about LDAP connections between my DC and the Zope server. With the Field Engineering set to 5 and if the web app times out, will an LDAP error appear in my event logs stating that a disconnection occurred?

Thanks for taking time to reply,

Cheers,
Yann

----- Original Message -----
From: joe <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Friday, 9 June 2006, 2:25:26
Subject: RE: [ActiveDir] AD LDAP Logging.

When you change that threshold you are specifying how expensive you want the query to be before AD reports it. Changing "Expensive" to 1, according to the docs, means that as soon as a query has to look at one or more entries it will be logged. So when you turn down that value, you are telling it to log pretty much everything. That being said, unless you have changed your schema, objectclass isn't indexed, and a filter with no indexed attributes is generally considered inefficient unless it is properly scoped. The fact that you are returning 58 of 63 entries means that it isn't too bad, but just the same, I would work on getting the query changed to use an indexed attribute or, more likely, because so many apps/scripts screw up around objectclass, indexing objectclass AND getting the query changed.

When you see big noticeable deltas in how long the same query takes to run, it is usually a couple of things that could be at fault; possibly Eric will pipe in with more. The first is that the DC is tied up with something else and just can't give you the proc time; the other is that it has to go to disk instead of pulling from cache. Either way you should be looking at your perf counters to see how the DC is performing. I tend to really look at disk counters because that is where it often falls down. Things like disk queue and number of read ops for the DIT drive (write ops are usually a rounding error except during heavy population periods) are the things I immediately focus on. Just seeing the number of read ops doesn't help; you have to understand your disk architecture, because on some systems 500 read ops may be just fine, but on others it could be over what the disk system is capable of sustaining, so you start backing up. As a quick rule of thumb I start with the assumption that each spindle that is part of the volume gives you 100 IOPS capability. That can be generous, so if you are on the edge keep that in mind, but if you are at 20 OPS and you have 8 spindles in a RAID 0+1 it is unlikely disk is your bottleneck[1] and the disk queues should bear that out.

Of course I tend to focus on disk because memory is almost always boosted up there, because most people realize how important RAM is, but only folks who think about Exchange tend to think about disk, and the only guideline I have seen from MSFT recommends 3 RAID-1 sets for anything above several thousand users, which I don't feel is very good. Again, as a general rule I would rather see a single RAID 0+1 (or even better, if you don't care about fault tolerance, a RAID 0) or RAID-5 than 3 RAID-1's. But this is all just recanting a zillion conversations we have had here on the list about disk layouts.

joe

[1] Virtualization really screws with this from the disk standpoint because you need to look at counters for the physical machine, and while your DC may not be generating many read ops, if other virtual machines are, you could be slowed down considerably by those without the Read Ops reflecting much on the individual DC.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 5:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] AD LDAP Logging.

Hello Tony,

Very useful information! Thanks.

I enabled this config:
15 Field Engineering to 5
Expensive Search Results Threshold to 1

Here are the LDAP operations:

1644 INFORMATIONAL NTDS General Fri Jun 09 09:55:16 2006 childdomain\user1
Internal event: A client issued a search operation with the following options.
Client: 11.22.33.44
Starting node: OU=MyOU OU=myou1 DC=childdomain DC=parentDomain DC=root DC=fr
Filter: (objectClass=user)
Search scope: subtree
Attribute selection: givenName sAMAccountName sn
Server controls:
Visited entries: 63
Returned entries: 58

Followed by this:

1139 INFORMATIONAL NTDS LDAP Fri Jun 09 09:55:16 2006 childdomain\user1
Internal event: Function ldap_search completed with an elapsed time of 16 ms.

=> for 63 visited entries, only 58 are returned and the LDAP search lasted 16 ms (sometimes the LDAP search took 140 ms...).
Re : [ActiveDir] AD LDAP Logging.
Hello Tony,

Very useful information! Thanks.

I enabled this config:
15 Field Engineering to 5
Expensive Search Results Threshold to 1

Here are the LDAP operations:

1644 INFORMATIONAL NTDS General Fri Jun 09 09:55:16 2006 childdomain\user1
Internal event: A client issued a search operation with the following options.
Client: 11.22.33.44
Starting node: OU=MyOU OU=myou1 DC=childdomain DC=parentDomain DC=root DC=fr
Filter: (objectClass=user)
Search scope: subtree
Attribute selection: givenName sAMAccountName sn
Server controls:
Visited entries: 63
Returned entries: 58

Followed by this:

1139 INFORMATIONAL NTDS LDAP Fri Jun 09 09:55:16 2006 childdomain\user1
Internal event: Function ldap_search completed with an elapsed time of 16 ms.

=> for 63 visited entries, only 58 are returned and the LDAP search lasted 16 ms (sometimes the LDAP search took 140 ms...).

Questions: Would the IDs 1644 + 1139 tell me that the web app is performing an inefficient and expensive LDAP query against my DC?

Thanks for advice,
Yann

----- Original Message -----
From: Tony Murray <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Wednesday, 7 June 2006, 11:16:33
Subject: RE: [ActiveDir] AD LDAP Logging.

Hi Yann

One option would be to enable logging of all LDAP searches against the DC.
http://www.activedir.org/article.aspx?aid=97

Tony

PS. We're just loading a new version of the site, so it might take a few minutes before you can load the page.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Thursday, 8 June 2006 6:39 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD LDAP Logging.

Hello,

I need advice about troubleshooting LDAP connections to one of my DCs in my AD2k3. An application named ZOPE running on a Linux box accesses my DC. Users use a web page, via the ZOPE application, that connects to my DC to list user information. Sometimes, users are disconnected from my DC and the admin that is responsible for the ZOPE app calls me to resolve this issue.

What are the different steps to troubleshoot possible problems with LDAP connections to my DC?

Thanks in advance for help,
Yann
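As an added illustration of the triage joe describes for the 1644/1139 pair above (a filter on the non-indexed objectclass, visited versus returned counts, and elapsed-time deltas), the following Python is example code written for this digest, not from any poster or from Microsoft. The sample event text is constructed from the layout shown in the thread, the indexed-attribute set is a constructed subset of the default schema, and SLOW_MS is an assumed threshold.

```python
"""Triage NTDS event 1644/1139 pairs for inefficient or expensive LDAP searches.
Example code added for this digest, not from any poster or from Microsoft. Assumes
the event layout shown in the thread (15 Field Engineering = 5, Expensive Search
Results Threshold = 1, so every search is logged)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# NTDS's default 1644 classification thresholds, applied here by hand because the
# thread lowered the live threshold to 1. SLOW_MS is an assumed value.
EXPENSIVE_VISITED = 10000          # "expensive": more than this many entries visited
INEFFICIENT_VISITED = 1000         # "inefficient": more than this many visited ...
INEFFICIENT_RETURNED_RATIO = 0.10  # ... and fewer than 10% of them returned
SLOW_MS = 100

# Constructed subset of attributes indexed in the default Windows 2003 schema.
# objectClass is deliberately absent: as joe notes, it is not indexed by default.
INDEXED_ATTRIBUTES = {a.lower() for a in (
    "objectCategory", "sAMAccountName", "cn", "name", "distinguishedName",
    "objectGUID", "objectSid", "userPrincipalName")}

# Constructed sample: the thread's event pair, then a domain-wide objectClass
# search that visits far more than it returns (abbreviated to the parsed fields).
SAMPLE_EVENTS = """\
1644 INFORMATIONAL NTDS General Fri Jun 09 09:55:16 2006 childdomain\\user1
Internal event: A client issued a search operation with the following options.
Client: 11.22.33.44
Starting node: OU=MyOU,OU=myou1,DC=childdomain,DC=parentDomain,DC=root,DC=fr
Filter: (objectClass=user)
Search scope: subtree
Attribute selection: givenName sAMAccountName sn
Server controls:
Visited entries: 63
Returned entries: 58
1139 INFORMATIONAL NTDS LDAP Fri Jun 09 09:55:16 2006 childdomain\\user1
Internal event: Function ldap_search completed with an elapsed time of 16 ms.
1644 INFORMATIONAL NTDS General Fri Jun 09 09:58:40 2006 childdomain\\user1
Client: 11.22.33.44
Starting node: DC=childdomain,DC=parentDomain,DC=root,DC=fr
Filter: (objectClass=user)
Search scope: subtree
Visited entries: 4200
Returned entries: 35
1139 INFORMATIONAL NTDS LDAP Fri Jun 09 09:58:40 2006 childdomain\\user1
Internal event: Function ldap_search completed with an elapsed time of 140 ms.
"""

FIELD_RE = re.compile(r"^(Client|Starting node|Filter|Search scope|Visited entries|"
                      r"Returned entries):\s*(.*)$", re.M)
ELAPSED_RE = re.compile(r"elapsed time of (\d+) ms")
FILTER_ATTR_RE = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)\s*[=~<>]")

@dataclass
class SearchEvent:
    client: str
    starting_node: str
    ldap_filter: str
    scope: str
    visited: int
    returned: int
    elapsed_ms: Optional[int] = None
    findings: List[str] = field(default_factory=list)

def filter_attributes(ldap_filter: str) -> List[str]:
    """Attribute names used in an LDAP filter, e.g. (&(objectCategory=person)(cn=x*))."""
    return FILTER_ATTR_RE.findall(ldap_filter)

def parse_events(text: str) -> List[SearchEvent]:
    """Split on 1644 headers; the 1139 that follows a search lands in the same chunk."""
    events = []
    for chunk in re.split(r"(?m)^1644 ", text)[1:]:
        f = dict(FIELD_RE.findall(chunk))
        m = ELAPSED_RE.search(chunk)
        events.append(SearchEvent(
            client=f.get("Client", ""), starting_node=f.get("Starting node", ""),
            ldap_filter=f.get("Filter", ""), scope=f.get("Search scope", ""),
            visited=int(f.get("Visited entries", 0)), returned=int(f.get("Returned entries", 0)),
            elapsed_ms=int(m.group(1)) if m else None))
    return events

def assess(ev: SearchEvent) -> SearchEvent:
    """Attach findings for joe's three criteria: indexing, visited vs returned, and time."""
    attrs = filter_attributes(ev.ldap_filter)
    if attrs and not any(a.lower() in INDEXED_ATTRIBUTES for a in attrs):
        ev.findings.append("filter uses no indexed attribute: " + ", ".join(attrs))
    if ev.visited > EXPENSIVE_VISITED:
        ev.findings.append(f"expensive: visited {ev.visited} entries")
    if ev.visited > INEFFICIENT_VISITED and ev.returned < ev.visited * INEFFICIENT_RETURNED_RATIO:
        ev.findings.append(f"inefficient: returned {ev.returned} of {ev.visited} visited")
    if ev.elapsed_ms is not None and ev.elapsed_ms > SLOW_MS:
        # Big deltas for the same query usually mean CPU contention or a trip to disk
        # instead of cache: check DIT-drive disk queue and read ops, not just this number.
        ev.findings.append(f"slow: {ev.elapsed_ms} ms")
    return ev

def triage(text: str) -> List[SearchEvent]:
    """Parse and assess every 1644 search in a block of event text."""
    return [assess(ev) for ev in parse_events(text)]
```

For the thread's own search the only finding is the non-indexed objectClass filter, which matches joe's reading that 58 of 63 is not bad in itself; the elapsed-time finding is what to look at together with disk counters when the same query jumps from 16 ms to 140 ms.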
[ActiveDir] AD LDAP Logging.
Hello,

I need advice about troubleshooting LDAP connections to one of my DCs in my AD2k3. An application named ZOPE running on a Linux box accesses my DC. Users use a web page, via the ZOPE application, that connects to my DC to list user information. Sometimes, users are disconnected from my DC and the admin that is responsible for the ZOPE app calls me to resolve this issue.

What are the different steps to troubleshoot possible problems with LDAP connections to my DC?

Thanks in advance for help,
Yann
RE: [ActiveDir] [OT] Active Directory Connector: member issues.
Agree with you joe on the fact that ADC is only used temporarily and not for a long time running as we do now. MSFT also confirmed to us that they do not support it either. Thanks for the clarification about the repadmin output. I can then confirm to my boss that no modification was made to the members of the DLs since 05-15-2006 13:04:26 (and not 06-15-2006 13:04:26 :o)).

Cheers,
Yann

joe <[EMAIL PROTECTED]> wrote:
If you ask MSFT, they will tell you that the ADC was not really designed to run that long. For something like that they would have (or if you got the good Enterprise Exchange MCS guys) recommended going to some sort of metadirectory product that is robust and has good error handling. In one of the companies I worked with we took half a year or so to do the migration and were told that was way over the length of time the ADC should be running. It is a product to get you over a hump, not something to stay running on. We only had 3 ADCs and less than 20 CAs and it was a big PITA.

The date after the value indicates the last change to that value. So if it says PRESENT 06-15-2006 it means that it was added on June 15 2006 and hasn't changed since.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Monday, May 29, 2006 5:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Active Directory Connector: member issues.

Hi Al,

We have around 300 CAs located on 7 ADC servers. The migration e5.5 to e2k3 started last summer 2005 and will be ended (hope it will) in June 2007. We can not hurry for political reasons ;(, so I have to maintain the 2 databases as consistent as possible. So unfortunately troubleshooting ADC is my first goal in this situation.

I will follow your advice tomorrow. But for a first troubleshooting step, can repadmin /showobjmeta, as I stated earlier, prove that no modification to the user DL membership has occurred since the date mentioned after "member"? This is the whole command.
repadmin /showobjmeta mydc "dn_of_the_problematicDL_in_myAD"
and I see that the user in question has this information:
PRESENT "dn_of_the_user" member 06-15-2006 13:04:26

Thanks again.
Yann

Al Mulnick <[EMAIL PROTECTED]> wrote:
The issue is not terribly uncommon. It's one of the joys of having two directories joined like this. The absolute best way to deal with this is to hurry up and get off of 5.5 as fast as you possibly can. Things like this occur and it's barely worth your time to troubleshoot it. The complexity of your setup dictates that the troubleshooting time will be magnitudes longer than with a single system.

Anyway, if you suspect that the users are being removed, turn on auditing on Active Directory for modifications, turn up the diagnostic logging on the ADC itself, and turn up the logging on Exchange 5.5. This will help you to narrow down the source system next time this occurs. Once you find out what the source system is, you can refine the troubleshooting that much more. Be sure to increase the size of your logs and be sure to scrape them off to some other repository so that wrapping won't cause you to miss the event. MOM is a great tool for this, for what it's worth.

To reduce the possibilities, you may want to reduce the number of possible input vectors, i.e. reduce the number of users with administrative abilities to modify these groups. And if it's the same groups each time, focus on those :)

I know that what I'm suggesting is politically difficult. See the beginning of my email to see my thoughts on this.

Al

On 5/29/06, Yann <[EMAIL PROTECTED]> wrote:
Hello all,

I have an issue where member(s) of a distribution list (DL) in Exchange 5.5 disappear and this state is replicated via my Connection Agreement to my AD2k3. I have not seen this on my own but some administrators (always the same guys :( ) frequently complain to my boss that some users disappear and so are not able to receive mail sent to this DL. They usually resolve this issue by putting those users back in the DL. So my boss urges me to resolve this issue ASAP! I know that there was no issue possible but for my safety ;o) I'd like to give my boss some proofs. So is there a way to track possible users disappearing from a DL in e5.5/AD/ADC?

In Active Directory, I used
repadmin /showobjmeta mydc "dn_of_the_problematicDL_in_myAD"
and I see that the user in question has this information:
PRESENT "dn_of_the_user" member 06-15-2006 13:04:26

FYI: The admin stated that user(s) disappear around 06-20-2006. Does the info from repadmin tell me that the user has been a member of the DL since 05-15-2006 13:04:26 and since that date, the user has never disappeared? If yes, can I consider this as proof that those admins lie? The replication planning of my Connection Agreement between e5.5<->AD is set to "always".
Re: [ActiveDir] [OT] Active Directory Connector: member issues.
Hi Al,

We have around 300 CAs located on 7 ADC servers. The migration e5.5 to e2k3 started last summer 2005 and will be ended (hope it will) in June 2007. We can not hurry for political reasons ;(, so I have to maintain the 2 databases as consistent as possible. So unfortunately troubleshooting ADC is my first goal in this situation.

I will follow your advice tomorrow. But for a first troubleshooting step, can repadmin /showobjmeta, as I stated earlier, prove that no modification to the user DL membership has occurred since the date mentioned after "member"? This is the whole command.
repadmin /showobjmeta mydc "dn_of_the_problematicDL_in_myAD"
and I see that the user in question has this information:
PRESENT "dn_of_the_user" member 06-15-2006 13:04:26

Thanks again.
Yann

Al Mulnick <[EMAIL PROTECTED]> wrote:
The issue is not terribly uncommon. It's one of the joys of having two directories joined like this. The absolute best way to deal with this is to hurry up and get off of 5.5 as fast as you possibly can. Things like this occur and it's barely worth your time to troubleshoot it. The complexity of your setup dictates that the troubleshooting time will be magnitudes longer than with a single system.

Anyway, if you suspect that the users are being removed, turn on auditing on Active Directory for modifications, turn up the diagnostic logging on the ADC itself, and turn up the logging on Exchange 5.5. This will help you to narrow down the source system next time this occurs. Once you find out what the source system is, you can refine the troubleshooting that much more. Be sure to increase the size of your logs and be sure to scrape them off to some other repository so that wrapping won't cause you to miss the event. MOM is a great tool for this, for what it's worth.

To reduce the possibilities, you may want to reduce the number of possible input vectors, i.e. reduce the number of users with administrative abilities to modify these groups. And if it's the same groups each time, focus on those :)

I know that what I'm suggesting is politically difficult. See the beginning of my email to see my thoughts on this.

Al

On 5/29/06, Yann <[EMAIL PROTECTED]> wrote:
Hello all,

I have an issue where member(s) of a distribution list (DL) in Exchange 5.5 disappear and this state is replicated via my Connection Agreement to my AD2k3. I have not seen this on my own but some administrators (always the same guys :( ) frequently complain to my boss that some users disappear and so are not able to receive mail sent to this DL. They usually resolve this issue by putting those users back in the DL. So my boss urges me to resolve this issue ASAP! I know that there was no issue possible but for my safety ;o) I'd like to give my boss some proofs. So is there a way to track possible users disappearing from a DL in e5.5/AD/ADC?

In Active Directory, I used
repadmin /showobjmeta mydc "dn_of_the_problematicDL_in_myAD"
and I see that the user in question has this information:
PRESENT "dn_of_the_user" member 06-15-2006 13:04:26

FYI: The admin stated that user(s) disappear around 06-20-2006. Does the info from repadmin tell me that the user has been a member of the DL since 05-15-2006 13:04:26 and since that date, the user has never disappeared? If yes, can I consider this as proof that those admins lie? The replication planning of my Connection Agreement between e5.5<->AD is set to "always".

Thanks very much for help,
Yann
[ActiveDir] [OT] Active Directory Connector: member issues.
Hello all,

I have an issue where member(s) of a distribution list (DL) in Exchange 5.5 disappear and this state is replicated via my Connection Agreement to my AD2k3. I have not seen this on my own, but some administrators (always the same guys :( ) frequently complain to my boss that some users disappear and so are not able to receive mail sent to this DL. They usually resolve this issue by putting those users back in the DL. So my boss urges me to resolve this issue ASAP! I know that there was no issue possible, but for my safety ;o) I'd like to give my boss some proof.

So is there a way to track possible users disappearing from a DL in E5.5/AD/ADC? In Active Directory, I used repadmin /showobjmeta mydc "dn_of_the_problematicDL_in_myAD" and I see that the user in question has this information: PRESENT "dn_of_the_user" member 06-15-2006 13:04:26

FYI: the admin stated that user(s) disappeared around 06-20-2006. Does the info from repadmin tell me that the user has been a member of the DL since 05-15-2006 13:04:26 and that since that date the user has never disappeared? If yes, can I consider this proof that those admins lie? The replication schedule of my Connection Agreement between E5.5<->AD is set to "always".

Thanks very much for help,
Yann
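The repadmin /showobjmeta question above (in the original post and again in the reply to Al) comes down to reading per-link replication metadata correctly. The following PowerShell script is an added example, not code from the thread: it parses the linked-value section that repadmin /showobjmeta prints for the member attribute and flags any link that was changed after a chosen date or that carries a version above 1 (every remove/re-add of the same member increments the link's version). The sample text is constructed to mimic the Windows Server 2003 column layout; the DC name, group DN, DSA names and cut-off date are placeholders.

```powershell
# Added example (not from the thread): read the linked-value metadata that
# 'repadmin /showobjmeta <dc> <groupDN>' prints for the 'member' attribute.
# The text below is CONSTRUCTED to mimic the Windows Server 2003 layout; the
# DNs, DSA names and dates are placeholders. Adjust $pattern if your build's
# column order differs.
$sample = @'
Type    Attr    Last Mod Time          Originating DSA               Loc.USN  Org.USN  Ver
======= ======= =====================  ============================  =======  =======  ===
PRESENT member  2006-06-15 13:04:26    Default-First-Site-Name\DC1   40120    40120    1
        CN=Alice Example,OU=Users,DC=example,DC=com
PRESENT member  2006-06-21 09:12:03    Default-First-Site-Name\ADC1  40980    40980    3
        CN=Bob Example,OU=Users,DC=example,DC=com
ABSENT  member  2006-06-20 17:45:10    Default-First-Site-Name\ADC1  40977    40977    2
        CN=Carol Example,OU=Users,DC=example,DC=com
'@

function Get-LinkValueMetadata {
    param([string[]]$Lines)
    $pattern = '^(?<state>PRESENT|ABSENT)\s+(?<attr>\S+)\s+' +
               '(?<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?<dsa>\S+)\s+\d+\s+\d+\s+(?<ver>\d+)\s*$'
    $pending = $null
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            # metadata line; the linked DN follows on the next (indented) line
            $pending = [pscustomobject]@{
                State   = $Matches['state']
                Attr    = $Matches['attr']
                Changed = [datetime]::ParseExact($Matches['time'], 'yyyy-MM-dd HH:mm:ss',
                              [Globalization.CultureInfo]::InvariantCulture)
                DSA     = $Matches['dsa']
                Version = [int]$Matches['ver']
                DN      = $null
            }
        }
        elseif ($pending -ne $null -and $line.Trim() -match '^(CN|OU|DC)=') {
            $pending.DN = $line.Trim()
            $pending            # emit the completed record
            $pending = $null
        }
    }
}

# Live use on a DC (uncomment). Every DC keeps its own copy of the metadata,
# so also query the DC that the Connection Agreement writes to.
# $Lines = repadmin /showobjmeta mydc "CN=Sales DL,OU=Groups,DC=example,DC=com"
$Lines = $sample -split "`r?`n"
$since = [datetime]'2006-06-16'      # assumed cut-off: the day after the quoted timestamp

Get-LinkValueMetadata -Lines $Lines |
    Where-Object { $_.Attr -eq 'member' } |
    ForEach-Object {
        $notes = @()
        if ($_.State -eq 'ABSENT')  { $notes += 'currently removed (link tombstone)' }
        if ($_.Version -gt 1)       { $notes += "modified $($_.Version - 1) time(s) after first add" }
        if ($_.Changed -ge $since)  { $notes += "changed after $($since.ToString('yyyy-MM-dd'))" }
        '{0,-7} v{1} {2:yyyy-MM-dd HH:mm} {3,-28} {4}' -f $_.State, $_.Version, $_.Changed, $_.DSA, $_.DN
        if ($notes.Count -gt 0) { '        -> ' + ($notes -join '; ') }
    }
```

A PRESENT link with version 1 and the 2006-06-15 timestamp means that particular link value has not been written since it was created, as far as the queried DC knows. Two caveats: per-link metadata only exists when the forest runs at the Windows Server 2003 functional level (linked-value replication); in Windows 2000 mode the whole member attribute carries a single timestamp and a removed value leaves no trace in showobjmeta. And the Originating DSA column tells you which DC accepted the write; if that is the DC the Connection Agreement targets, the ADC is the writer and its logs are where to look next.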
RE : [ActiveDir] Build an AD test lab with schema extension.
Hello,

I found it! It was the objectGUID that I imported from the production AD that caused this error. I deleted this entry from my LDIF file and it worked fine.

Thanks,
Yann

From: [EMAIL PROTECTED] on behalf of TIROA YANN
Date: Wed 24/05/2006 10:35
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Build an AD test lab with schema extension.

Hello,
I used "CreateXMLFromEnvironment.wsf" and "CreateEnvironmentFromXML.wsf" to create those OUs, users, etc. in my test AD. I managed by making the necessary schema extension in my AD test lab. But when I use ldifde to create those new objects in AD, I get these errors:
"Add error on line 1: Unwilling To Perform
The server side error is "The modification was not permitted for security reasons."
I did an export of the new object class from my production AD:
ldifde -f NewObjectClass.ldf -s ExportDC -d "dc=Export,dc=com" -p subtree -r "(objectClass=newobjectclass)"
Then in my test lab I did an import:
ldifde -i -f NewObjectClass.ldf -s ImportDC -d "dc=Import,dc=com" -p subtree -r "(objectClass=newobjectclass)"
"Add error on line 1: Unwilling To Perform
The server side error is "The modification was not permitted for security reasons."
Thanks,
Yann

From: [EMAIL PROTECTED] on behalf of joe
Date: Wed 24/05/2006 03:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Build an AD test lab with schema extension.

I just took a quick glimpse at it and I would say no, not that I would have expected it to in the first place. You may want to look at the adschemaanalyzer which can be found in the ADAM SP1 and ADAM R2 distributions.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: Tuesday, May 23, 2006 12:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Build an AD test lab with schema extension.

Hello all,
I'm working on duplicating my AD environment into a test lab. I read lots of posts about this and chose to use the "CreateXMLFromEnvironment.wsf" and "CreateEnvironmentFromXML.wsf" only. The question is: I did a schema extension on my production AD and I wondered if the 2 scripts will also import/export all the object classes + attributes extended to my AD test lab?
Thanks,
Yann
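The fix Yann found (drop objectGUID from the LDIF before importing) generalises: a DC refuses any server-maintained attribute on an add, and objectGUID/objectSid in particular produce the "not permitted for security reasons" error quoted above. The PowerShell script below is an added example, not code from the thread or from Microsoft: it strips those attributes from an ldifde export, including folded continuation lines, and rewrites the DN suffix from the production forest to the lab forest. The LDIF content is constructed; newobjectclass is the class name from the post, the objectGUID values are made up, and the two suffixes mirror the dc=Export / dc=Import names in the commands.

```powershell
# Added example (not from the thread): strip server-owned attributes from an
# ldifde export so the entries can be re-added in a lab forest, and rewrite the
# domain suffix. The LDIF content is CONSTRUCTED; 'newobjectclass' is the
# class name used in the post and the objectGUID values are made up.
$ldif = @'
dn: CN=Widget 01,OU=Widgets,DC=Export,DC=com
changetype: add
objectClass: top
objectClass: newobjectclass
cn: Widget 01
objectGUID:: 1L6u6zXxZkK4m7c2rQ0mXA==
whenCreated: 20060510120000.0Z
uSNCreated: 12345
distinguishedName: CN=Widget 01,OU=Widgets,DC=Export,DC=com
description: exported from production; this long value is folded onto a
  second line as LDIF allows

dn: CN=Widget 02,OU=Widgets,DC=Export,DC=com
changetype: add
objectClass: top
objectClass: newobjectclass
cn: Widget 02
objectGUID:: 7mh3e1fQG0SCgJ1tQmY8Qw==
uSNChanged: 12399
'@

# Attributes the DC writes itself. Sending objectGUID/objectSid in an add
# yields "Unwilling To Perform ... not permitted for security reasons";
# the USN and timestamp attributes fail as constraint violations.
$systemAttrs = @('objectGUID', 'objectSid', 'whenCreated', 'whenChanged',
                 'uSNCreated', 'uSNChanged', 'distinguishedName', 'name',
                 'instanceType', 'dSCorePropagationData', 'nTSecurityDescriptor')

function Remove-SystemAttributes {
    param(
        [string[]]$LdifLines,
        [string[]]$Drop,
        [string]$FromSuffix,   # e.g. DC=Export,DC=com
        [string]$ToSuffix      # e.g. DC=Import,DC=com
    )
    $dropping = $false
    foreach ($line in $LdifLines) {
        # LDIF folds long values onto following lines that begin with a space;
        # they belong to the attribute above, so they go wherever it goes.
        if ($line -match '^\s') { if (-not $dropping) { $line }; continue }
        $dropping = $false
        if ($line -match '^(?<name>[A-Za-z][\w\-]*)(;[\w\-]+)*::?\s') {
            if ($Drop -contains $Matches['name']) { $dropping = $true; continue }
        }
        if ($FromSuffix -and $ToSuffix) {
            $line = $line -replace [regex]::Escape($FromSuffix), $ToSuffix
        }
        $line
    }
}

$clean = Remove-SystemAttributes -LdifLines ($ldif -split "`r?`n") -Drop $systemAttrs `
             -FromSuffix 'DC=Export,DC=com' -ToSuffix 'DC=Import,DC=com'
$clean | Set-Content -Path 'NewObjectClass-clean.ldf' -Encoding ASCII
$clean
# Import into the lab (ImportDC is the name used in the post):
#   ldifde -i -k -f NewObjectClass-clean.ldf -s ImportDC
```

ldifde itself can do most of this at export time: -o "objectGUID,objectSid,..." omits listed attributes, -m applies the SAM logic that drops system-only attributes, and -c "DC=Export,DC=com" "DC=Import,DC=com" rewrites the DN suffix. The script is still useful when the export already exists, or when you need to see exactly what was removed before pushing it into the lab.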
RE : [ActiveDir] Build an AD test lab with schema extension.
Hello,

I used "CreateXMLFromEnvironment.wsf" and "CreateEnvironmentFromXML.wsf" to create those OUs, users, etc. in my test AD. I managed by making the necessary schema extension in my AD test lab. But when I use ldifde to create those new objects in AD, I get these errors:
"Add error on line 1: Unwilling To Perform
The server side error is "The modification was not permitted for security reasons."
I did an export of the new object class from my production AD:
ldifde -f NewObjectClass.ldf -s ExportDC -d "dc=Export,dc=com" -p subtree -r "(objectClass=newobjectclass)"
Then in my test lab I did an import:
ldifde -i -f NewObjectClass.ldf -s ImportDC -d "dc=Import,dc=com" -p subtree -r "(objectClass=newobjectclass)"
"Add error on line 1: Unwilling To Perform
The server side error is "The modification was not permitted for security reasons."

Thanks,
Yann

From: [EMAIL PROTECTED] on behalf of joe
Date: Wed 24/05/2006 03:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Build an AD test lab with schema extension.

I just took a quick glimpse at it and I would say no, not that I would have expected it to in the first place. You may want to look at the adschemaanalyzer which can be found in the ADAM SP1 and ADAM R2 distributions.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: Tuesday, May 23, 2006 12:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Build an AD test lab with schema extension.

Hello all,
I'm working on duplicating my AD environment into a test lab. I read lots of posts about this and chose to use the "CreateXMLFromEnvironment.wsf" and "CreateEnvironmentFromXML.wsf" only. The question is: I did a schema extension on my production AD and I wondered if the 2 scripts will also import/export all the object classes + attributes extended to my AD test lab?
Thanks,
Yann
[ActiveDir] Build an AD test lab with schema extension.
Hello all,

I'm working on duplicating my AD environment into a test lab. I read lots of posts about this and chose to use the "CreateXMLFromEnvironment.wsf" and "CreateEnvironmentFromXML.wsf" only. The question is: I did a schema extension on my production AD and I wondered if the 2 scripts will also import/export all the object classes + attributes extended to my AD test lab?

Thanks,
Yann
RE : [ActiveDir] Delete only one object in the Tombstone.
Hi Guido,

There is no secret behind the wall :o) This is the full story. I have Active Directory Connectors that permit bidirectional replication of all 5.5 mailboxes <-> Active Directory forest. The problem is that I had an issue where a user object had ADC-Global-Names mapped to multiple user DNs, and that is something wrong with the system. The fact is, when the user (with multiple ADC-Global-Names) was deleted from AD, the deletion (from the tombstoned container) affected all the Exchange mailboxes that correspond to the ADC-Global-Names populated in that user. So 5 mailboxes were deleted. So I disabled deletion from Windows -> Exchange. And I wondered if there was a way to delete *ONLY* the user in question. Just to remind you, the tombstoned container in AD is also replicated via the connection agreement.

Thanks,
Yann

From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Date: Tue 23/05/2006 16:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delete only one object in the Tombstone.

hmm - what would be the reason why you'd want to purge a single deleted object (tombstone) from your AD? What secret information does the tombstone contain that you don't wish to remain in it? Realize that there are hardly any attributes that remain in the tombstone by default, unless you've changed the searchFlags of your attributes to include more. E.g. by default, only the following attributes are kept in a user account's tombstone via searchFlags: Instance-Type, Legacy-Exchange-DN, NT-Security-Descriptor, Object-Class, Object-Guid, Object-Sid, Repl-Property-Meta-Data, SAM-Account-Name, System-Flags, uid, User-Account-Control, USN-Changed, USN-Created. Note that a few other attributes are hardcoded in AD to remain in the tombstone. If these really contain anything critical you'd want to get rid of (maybe in the name attribute etc.), you'd have the option to reanimate the tombstone (undelete) and then edit it appropriately, and delete it again :-). I'm actually unsure if the system allows you to edit the object in the deleted items container directly - might be worth a try.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ulf B. Simon-Weidner
Sent: Monday, 22 May 2006 14:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delete only one object in the Tombstone.

Hello Tiroa,
it is not possible to purge tombstones, no matter if one or all. For all, you'd be able to modify the tombstone lifetime and the system time; however I strongly doubt this would be supported by MS (tombstone lifetime is supported, modifying the system time to enforce garbage collection of tombstones most likely not).

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: Monday, May 22, 2006 10:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delete only one object in the Tombstone.

Hello,
I'd like to know if it is possible to delete *only one* object in the tombstone instead of purging all the objects?
Thanks,
Yann
RE : [ActiveDir] Delete only one object in the Tombstone.
Hello Ulf,

Thank you very much for your answer and have a nice day.

Best Regards,
Yann

From: [EMAIL PROTECTED] on behalf of Ulf B. Simon-Weidner
Date: Mon 22/05/2006 14:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delete only one object in the Tombstone.

Hello Tiroa,
it is not possible to purge tombstones, no matter if one or all. For all, you'd be able to modify the tombstone lifetime and the system time; however I strongly doubt this would be supported by MS (tombstone lifetime is supported, modifying the system time to enforce garbage collection of tombstones most likely not).

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: Monday, May 22, 2006 10:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delete only one object in the Tombstone.

Hello,
I'd like to know if it is possible to delete *only one* object in the tombstone instead of purging all the objects?
Thanks,
Yann
[ActiveDir] Delete only one object in the Tombstone.
Hello,

I'd like to know if it is possible to delete *only one* object in the tombstone instead of purging all the objects?

Thanks,
Yann
RE: Re : [ActiveDir] Lag site- disabling auth on Lag DC.
Hi Iain,

Unfortunately, I have no way to avoid this but enabling my NIC *ONLY* during the scheduled replication window. The rest of the time, my NIC will be disabled. I don't know right now how to do this. I was thinking about scheduling (AT) a script (via netsh??) that will enable my NIC when my replication window starts and then disable my NIC when the replication stops.

Yann

[EMAIL PROTECTED] wrote:
Yann,
How are you planning on protecting your lag site DCs from a forced replication?
Regards,
Iain | IT Services | Infrastructure

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
Sent: 15 May 2006 21:49
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] Lag site- disabling auth on Lag DC.

Understood! We will follow your advice.
Cheers,
Yann

- Original Message -
From: "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Monday, 15 May 2006, 10:21:54
Subject: RE: [ActiveDir] Lag site- disabling auth on Lag DC.

SRV records
* make sure the DC only registers the CNAME SRV record which is used for replication
* don't assign the lag site DCs WINS servers, otherwise these will register the 1Ch record in WINS
* make sure the site link cost between the main site and the lag site is higher than any other site link that also links to the main site
For the lag to work properly, make sure you have at least one DC from each domain, because of eventual cross-domain links (e.g. group memberships).

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail:

From: [EMAIL PROTECTED] on behalf of Yann
Sent: Mon 2006-05-15 21:36
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Lag site- disabling auth on Lag DC.

Hello all,
We are about to build a lag site for our AD recovery strategy. We schedule replication Prod Sites <-> Lag Site once a week. We have one forest with a root and a child domain. The lag site will contain only one DC. We would like to disable client authentication on this DC. So I found 2 ways to do this:
1) Configuring the "DC Locator DNS Records" via a GPO.
or
2) Stop and disable the Netlogon service.
What will be the best choice? 1) or 2)?
Shall I also disable the Server service to avoid replication of SYSVOL too?
Thanks for input.
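Yann's plan above (a scheduled script that enables the NIC for the replication window and disables it afterwards) can be done with netsh and schtasks on Windows Server 2003. The script below is an added example, not from the thread: it opens the adapter, pulls inbound replication for every partition, keeps the window open for the scheduled site-link replication and SYSVOL, then closes the adapter again even if something fails. The interface name, window length, log path and the schtasks schedule are assumed placeholders.

```powershell
# Added example (not from the thread): open the lag-site DC's NIC for the
# replication window, pull the inbound changes, then close it again.
# Interface name, window length and log path are ASSUMED placeholders.
# Register it on the lag DC (runs as SYSTEM, weekly, outside office hours):
#   schtasks /create /tn "LagReplicationWindow" /sc weekly /d SUN /st 02:00 /ru SYSTEM ^
#     /tr "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\LagSite\Open-ReplicationWindow.ps1"
param(
    [string]$Interface     = 'Local Area Connection',       # assumed NIC name
    [int]   $WindowMinutes = 60,                            # assumed window length
    [string]$LogFile       = 'C:\LagSite\replication.log'  # assumed log path
)

function Write-Log([string]$Message) {
    '{0:u} {1}' -f (Get-Date), $Message | Add-Content -Path $LogFile
}

function Set-NicState([string]$Name, [bool]$Enabled) {
    $state = if ($Enabled) { 'enabled' } else { 'disabled' }
    # netsh toggles the adapter administratively; with the adapter down there is
    # no IP stack, so nobody can push a replication to this DC outside the window.
    & netsh interface set interface name="$Name" admin=$state | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to set '$Name' $state" }
    Write-Log "NIC '$Name' $state"
}

try {
    Set-NicState -Name $Interface -Enabled $true
    Start-Sleep -Seconds 90                 # let the link, DNS and Netlogon settle

    # Pull every partition from all partners, across sites (/e), quietly (/q).
    # /syncall without /P is a pull, which is the only direction a lag DC should use.
    $output = & repadmin /syncall $env:COMPUTERNAME /A /e /q 2>&1
    Write-Log ('repadmin /syncall exit {0}: {1}' -f $LASTEXITCODE, ($output -join ' | '))

    # Stay up for the rest of the window so the scheduled site-link replication
    # and SYSVOL (FRS) replication can complete, then close.
    Start-Sleep -Seconds ($WindowMinutes * 60)
}
finally {
    Set-NicState -Name $Interface -Enabled $false
}
```

Two things to keep in mind with this approach. The DC is cut off from SYSVOL replication and from its time source between windows, so check the FRS and W32Time event logs after each run, and keep the window period well inside the tombstone lifetime so the lag DC never becomes a lingering-object source. And a lag site only protects against replicated mistakes; an administrator who can force replication can also wait for the window, so it complements system-state backups rather than replacing them.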
Re : [ActiveDir] Lag site- disabling auth on Lag DC.
Understood! We will follow your advice.

Cheers,
Yann

- Original Message -
From: "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Monday, 15 May 2006, 10:21:54
Subject: RE: [ActiveDir] Lag site- disabling auth on Lag DC.

SRV records
* make sure the DC only registers the CNAME SRV record which is used for replication
* don't assign the lag site DCs WINS servers, otherwise these will register the 1Ch record in WINS
* make sure the site link cost between the main site and the lag site is higher than any other site link that also links to the main site
For the lag to work properly, make sure you have at least one DC from each domain, because of eventual cross-domain links (e.g. group memberships).

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail:

From: [EMAIL PROTECTED] on behalf of Yann
Sent: Mon 2006-05-15 21:36
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Lag site- disabling auth on Lag DC.

Hello all,
We are about to build a lag site for our AD recovery strategy. We schedule replication Prod Sites <-> Lag Site once a week. We have one forest with a root and a child domain. The lag site will contain only one DC. We would like to disable client authentication on this DC. So I found 2 ways to do this:
1) Configuring the "DC Locator DNS Records" via a GPO.
or
2) Stop and disable the Netlogon service.
What will be the best choice? 1) or 2)?
Shall I also disable the Server service to avoid replication of SYSVOL too?
Thanks for input.
[ActiveDir] Lag site- disabling auth on Lag DC.
Hello all,

We are about to build a lag site for our AD recovery strategy. We schedule replication Prod Sites <-> Lag Site once a week. We have one forest with a root and a child domain. The lag site will contain only one DC. We would like to disable client authentication on this DC. So I found 2 ways to do this:
1) Configuring the "DC Locator DNS Records" via a GPO.
or
2) Stop and disable the Netlogon service.
What will be the best choice? 1) or 2)?
Shall I also disable the Server service to avoid replication of SYSVOL too?

Thanks for input.
RE : [ActiveDir] Migrating AD to a lab
Yep! That was exactly what I was thinking of. Putting a DNS-integrated AD in a test lab would probably be painful for me, to clean all the DNS records ;( I heard that it was possible to put a DC in a lab and install DNS afterwards, and you confirmed it.

Thanks,
Yann

From: [EMAIL PROTECTED] on behalf of Lee, Wook
Date: Mon 13/03/2006 20:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating AD to a lab

I find that it's much better to add DNS afterward. Metadata cleanup is not too bad these days and should get even better. DNS cleanup is a royal pain in the backside, especially if you have a large number of sites. Scavenging can help if you have the time to let it kick in, but if you want to get up and running as fast as possible, it's much cleaner to create a fresh version of the relevant zones and let auto-registration occur naturally.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: Saturday, March 11, 2006 2:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Migrating AD to a lab

Hello Phil,
I'm interested in your method. When you put this VM into the test environment, how do you deal with DNS? Can DNS be installed *after* the introduction of the DC/GC VM?
Thanks for clarification,
Yann

From: [EMAIL PROTECTED] on behalf of Phil Renouf
Date: Sat 11/03/2006 21:23
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Migrating AD to a lab

The way I like to deal with this (and I think it's been suggested by someone else here before) is to bring up a VM into production, promote it to be a DC/GC, then turn it off. Make a copy of the VM and put that into the lab, then bring the original VM back online and DCPromo it back to a member server so that it cleans itself out of AD. Also, I like to reset all the passwords of all the accounts if possible; scripting this is a good way to do it. At the very least change the admin/service accounts.

Phil

On 3/11/06, Ulf B. Simon-Weidner <[EMAIL PROTECTED]> wrote:
Hello Peter,
it depends on what you intend to test in your lab. Since lab security is usually more relaxed than production security (e.g. external employees getting domain admin access to test scripts or whatever) I wouldn't want my user accounts (and worse - service and admin accounts) in the lab with their real passwords. If you just want the structure you can use the scripts provided with GPMC, and export/import user data without passwords using csvde. I'd just put the stuff in the lab you need there, e.g. if you just want to test GPOs the OU structure and some test accounts would be sufficient; if you want to test scripting for modifying users or provisioning you might need some more data. Pulling some backup / introducing another DC / pulling drives of a RAID mirror are valid solutions if you need production data. I'd do an imaging backup or pull/replace a drive if I have the same hardware. Also keep in mind that virtualisation is a valid solution; you can use P2V in VMware or the Virtual Server Migration Tool in VS. Virtualisation also provides you with the logical splitting of the production network from the test network, while still being able to access the test environment from any production machine. I've started to like to put my test environment in the datacenter (well protected) and access it from my workplace. This is another important point: I've also found that I was lazily considering if I should go in the room with the test equipment when I knew I had to be back at my workplace soon or expected some important emails. Being able to access the test environment from the desk enables me more often to use the test environment when testing a script or something. If the test environment is physical I was sometimes putting an RDP-enabled workstation with two legs in between, so I was able to RDP to the workstation and then RDP into the test environment. And multi-monitor at the primary desk also provides a great gain in productivity - e.g. RDP full screen on the second monitor.
Just my 0,02EUR

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Peter Johnson
RE : [ActiveDir] Migrating AD to a lab
Hello Phil,

I'm interested in your method. When you put this VM into the test environment, how do you deal with DNS? Can DNS be installed *after* the introduction of the DC/GC VM?

Thanks for clarification,
Yann

From: [EMAIL PROTECTED] on behalf of Phil Renouf
Date: Sat 11/03/2006 21:23
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Migrating AD to a lab

The way I like to deal with this (and I think it's been suggested by someone else here before) is to bring up a VM into production, promote it to be a DC/GC, then turn it off. Make a copy of the VM and put that into the lab, then bring the original VM back online and DCPromo it back to a member server so that it cleans itself out of AD. Also, I like to reset all the passwords of all the accounts if possible; scripting this is a good way to do it. At the very least change the admin/service accounts.

Phil

On 3/11/06, Ulf B. Simon-Weidner <[EMAIL PROTECTED]> wrote:
Hello Peter,
it depends on what you intend to test in your lab. Since lab security is usually more relaxed than production security (e.g. external employees getting domain admin access to test scripts or whatever) I wouldn't want my user accounts (and worse - service and admin accounts) in the lab with their real passwords. If you just want the structure you can use the scripts provided with GPMC, and export/import user data without passwords using csvde. I'd just put the stuff in the lab you need there, e.g. if you just want to test GPOs the OU structure and some test accounts would be sufficient; if you want to test scripting for modifying users or provisioning you might need some more data. Pulling some backup / introducing another DC / pulling drives of a RAID mirror are valid solutions if you need production data. I'd do an imaging backup or pull/replace a drive if I have the same hardware. Also keep in mind that virtualisation is a valid solution; you can use P2V in VMware or the Virtual Server Migration Tool in VS. Virtualisation also provides you with the logical splitting of the production network from the test network, while still being able to access the test environment from any production machine. I've started to like to put my test environment in the datacenter (well protected) and access it from my workplace. This is another important point: I've also found that I was lazily considering if I should go in the room with the test equipment when I knew I had to be back at my workplace soon or expected some important emails. Being able to access the test environment from the desk enables me more often to use the test environment when testing a script or something. If the test environment is physical I was sometimes putting an RDP-enabled workstation with two legs in between, so I was able to RDP to the workstation and then RDP into the test environment. And multi-monitor at the primary desk also provides a great gain in productivity - e.g. RDP full screen on the second monitor.
Just my 0,02EUR

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Peter Johnson
Sent: Saturday, March 11, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrating AD to a lab

Hi all,
I was wondering, after finally getting management buy-in to build a lab, what the easiest way is to get my domain info migrated into the lab for the purposes of testing, dev etc? Do I simply DCPromo a new box and then cut it off from the domain and NTDSUTIL it out, or do I do a system state recovery from my Tivoli backups? Anyone got any ideas/pointers etc.
Thanks & greetings from a chill server room in Johannesburg, South Africa.
Peter Johnson
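Phil's "reset all the passwords, scripting this is a good way" and Ulf's warning about real credentials in a relaxed lab are the security point of this thread. The script below is an added example, not code from any of the posters: once the cloned DC is running in the isolated lab, it walks every enabled user account over ADSI (no AD module needed on a 2003-era lab) and sets a fresh random password that is never written anywhere, forcing a change at next logon. The lab domain DN and the exclusion list are assumptions; run it in the lab forest only.

```powershell
# Added example (not from the thread): once the cloned DC is running in the
# isolated lab, give every enabled user a fresh random password so production
# credentials do not survive in a less-protected environment. ADSI only, no
# AD module needed. Lab DN and the exclusion list are ASSUMED. Run in the lab only.
$labDomainDn = 'DC=lab,DC=example,DC=com'       # assumed lab domain
$exclude     = @('Administrator', 'krbtgt')      # assumed: handled separately (see note)

function New-RandomPassword([int]$Length = 24) {
    # 66 symbols with look-alikes (0/O, 1/l/I) removed. Indexing by byte modulo
    # 66 is slightly biased; acceptable for throw-away lab passwords, use
    # rejection sampling if that ever matters.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%&*+-=?@'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Reset-LabPasswords([string]$SearchBase, [string[]]$Skip) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    # Enabled user accounts only: bit 2 (ACCOUNTDISABLE) of userAccountControl is clear
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')

    foreach ($result in $searcher.FindAll()) {
        $sam = [string]$result.Properties['samaccountname'][0]
        if ($Skip -contains $sam) { continue }
        $user = $result.GetDirectoryEntry()
        try {
            $user.Invoke('SetPassword', (New-RandomPassword))   # password is never stored
            $user.Properties['pwdLastSet'].Value = 0             # must change at next logon
            $user.CommitChanges()
            [pscustomobject]@{ Account = $sam; Result = 'reset' }
        }
        catch {
            [pscustomobject]@{ Account = $sam; Result = "failed: $($_.Exception.Message)" }
        }
    }
}

Reset-LabPasswords -SearchBase $labDomainDn -Skip $exclude | Format-Table -AutoSize
```

Two secrets this script deliberately leaves alone still need attention on any DC clone: the production krbtgt key and the DC's own machine-account secret come along with the database (reset krbtgt in the lab, and never give the lab a route to a production-reachable network), and the Directory Services Restore Mode password set at the original dcpromo should be changed in the lab with ntdsutil "set dsrm password". Those are properties of cloning a DC, not of this particular script.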
RE: [ActiveDir] OT: MOM/Auditing Group Membership changes..
Hi,

Just tried it, and that works for security groups or Exchange distribution lists. You just have to create a custom event rule with event ID 632 to monitor, which corresponds to an add/delete membership event. Here is a useful event ID list provided by Susan Bradley on this list, which can help you to monitor the IDs you are looking for: http://www.ultimatewindowssecurity.com/encyclopedia.html

Yann

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
Sent: Monday 20 February 2006 11:02
To: ActiveDir.org
Subject: Re: [ActiveDir] OT: MOM/Auditing Group Membership changes..

I have done this and it works very well. You need to monitor local, global and universal memberships. What I would like to do though is monitor additions to mail-enabled groups. Is this possible?

Mark

-----Original Message-----
From: "Wyatt, David" <[EMAIL PROTECTED]>
Date: Mon, 20 Feb 2006 09:51:16
To:
Subject: RE: [ActiveDir] OT: MOM/Auditing Group Membership changes..

You can, but not with the MOM AD Management Pack specifically. You will need to set up a custom alert based on the Event ID (632 I think) that corresponds to a group membership change. You can then get alerted via email.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Abagnale
Sent: 20 Feb 2006 9:34
To: Active
Subject: [ActiveDir] OT: MOM/Auditing Group Membership changes..

Hi,
I'm looking to audit group membership changes with some form of alert. Would the MOM AD Management Pack allow me to do this? I only mention MOM as the business has bought this without discussing it with IT.
thanks
Frank
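The thread above settles on event 632 and on watching local, global and universal groups separately, and Mark asks about mail-enabled (distribution) groups, which log under their own IDs. The PowerShell below is an added example, not from the thread or from any MOM management pack: it lists the Windows 2000/2003 security-log IDs for member add/remove across all six group types and parses the event text into a change report you can feed an alert from. The two events are constructed in the 2003 message layout; the user, group and DC names are made up, and on a real DC the Get-EventLog call shown in the comment replaces them.

```powershell
# Added example (not from the thread): the Windows 2000/2003 security-log
# event IDs that record a member being added to or removed from a group, and
# a small report built from them. The two events below are CONSTRUCTED in the
# 2003 message layout; on a DC replace $events with the Get-EventLog call.
$membershipEvents = @{
    632 = 'global security group: member added';        633 = 'global security group: member removed'
    636 = 'local security group: member added';         637 = 'local security group: member removed'
    660 = 'universal security group: member added';     661 = 'universal security group: member removed'
    650 = 'local distribution group: member added';     651 = 'local distribution group: member removed'
    655 = 'global distribution group: member added';    656 = 'global distribution group: member removed'
    665 = 'universal distribution group: member added'; 666 = 'universal distribution group: member removed'
}

$events = @(
    [pscustomobject]@{
        TimeGenerated = [datetime]'2006-02-20 10:41:07'; InstanceId = 632; MachineName = 'DC1'
        Message = @"
Security Enabled Global Group Member Added:
    Member Name:        CN=Frank Abagnale,OU=Users,DC=example,DC=com
    Member ID:          EXAMPLE\frank
    Target Account Name:    SalesTeam
    Target Domain:      EXAMPLE
    Target Account ID:  EXAMPLE\SalesTeam
    Caller User Name:   mparris
    Caller Domain:      EXAMPLE
    Caller Logon ID:    (0x0,0x3E7)
    Privileges:         -
"@
    },
    [pscustomobject]@{
        TimeGenerated = [datetime]'2006-02-20 10:42:30'; InstanceId = 656; MachineName = 'DC1'
        Message = @"
Security Disabled Global Group Member Removed:
    Member Name:        CN=Frank Abagnale,OU=Users,DC=example,DC=com
    Member ID:          EXAMPLE\frank
    Target Account Name:    All-Staff-DL
    Target Domain:      EXAMPLE
    Target Account ID:  EXAMPLE\All-Staff-DL
    Caller User Name:   mparris
    Caller Domain:      EXAMPLE
    Caller Logon ID:    (0x0,0x3E7)
    Privileges:         -
"@
    }
)

function Get-GroupMembershipChange {
    param($Events, [hashtable]$Map)
    foreach ($e in $Events) {
        if (-not $Map.ContainsKey([int]$e.InstanceId)) { continue }
        # The 2003 message body is "Label:<tab>value" lines; pick them apart.
        $field = @{}
        foreach ($m in [regex]::Matches($e.Message, '(?m)^\s*(?<k>[^:\r\n]+):\s*(?<v>.*?)\s*$')) {
            $field[$m.Groups['k'].Value.Trim()] = $m.Groups['v'].Value
        }
        [pscustomobject]@{
            Time   = $e.TimeGenerated
            DC     = $e.MachineName
            Change = $Map[[int]$e.InstanceId]
            Group  = $field['Target Account Name']
            Member = $field['Member Name']
            By     = '{0}\{1}' -f $field['Caller Domain'], $field['Caller User Name']
        }
    }
}

# On a DC (uncomment); each DC only logs the writes it accepted itself:
# $events = Get-EventLog -LogName Security -After (Get-Date).AddDays(-1) -InstanceId ([int[]]$membershipEvents.Keys)
Get-GroupMembershipChange -Events $events -Map $membershipEvents | Format-Table -AutoSize
```

Nothing appears in the Security log unless "Audit account management" (success) is enabled on the domain controllers policy, and because each DC records only the changes it originated, the collector has to read every DC, which is exactly what MOM (or any log forwarder) is for here. On Windows Server 2008 and later the same changes log as 4728/4729 (global), 4732/4733 (local) and 4756/4757 (universal) for security groups, and 4751/4752, 4746/4747 and 4761/4762 for distribution groups; the message fields keep the same names, so only the $membershipEvents table needs changing.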
RE : [ActiveDir] ldifde download
On a Win2k/2k3 box.

Yann

From: [EMAIL PROTECTED] on behalf of Harding, Devon
Date: Mon 13/02/2006 18:56
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldifde download

Where can I download this to run on XP?

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
RE: [ActiveDir] Lost perfmon counters(OT)
From a search in support.microsoft.com, I found this KB: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q156494 "Restoring Lost Performance Counters for Exchange". I think you can reproduce the same resolution for lost Windows counters. Follow the "Manually Adding Counters" section. Identify what objects and counters are missing by comparing such counters with another box. Then follow the rest of the procedure.

Tell us if that works.

Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday 10 February 2006 21:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Lost perfmon counters(OT)

sorry. I should've mentioned that I tried that. The mem, processor, etc. counters don't show up in exctrlst.exe either.

thanks
RE: [ActiveDir] Lost perfmon counters(OT)
Hello,

Did you try to use "exctrlst.exe", which is available in the win2k rkit? Here is a link for download: http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/exctrlst-o.asp

This will list for you all perfmon counters available in your box, and sometimes counters are just present but hidden or not available. exctrlst.exe will help you unhide the counters you need.

Yann

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Fri 2/10/2006 10:31 AM
To: activedirectory
Subject: [ActiveDir] Lost perfmon counters(OT)

I have a couple of servers that have lost some key perfmon counters like memory, processor, process, etc. How can I get these back? I don't think just running lodctr /R seems to do anything. I read on some newsgroup about copying the perfc009.dat and perfh009.dat from the win2k cd back to system32 but there is little elaboration so I'm afraid to try this. Does anyone have any insight on how to restore these?

Thank you
RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared
True, except if you install the RDP client on Windows 2000... :o))

Kind regards,
Yann TIROA
Centre de Ressources Informatique.
Campus Scientifique de la DOUA.
Bât. Gabriel Lippmann - 2ème étage - salle 238.
43, Bd du 11 Novembre 1918.
69622 Villeurbanne Cedex.
Web: www.univ-lyon1.fr

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Wednesday 8 February 2006 16:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared

Not with Windows 2000 :-)

Steve
RE: [ActiveDir] OT: Tracking File Deletes
Hello,

Here is a good start: http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/13w2kadc.mspx

I do not remember the event ID corresponding to file deletions, but after activating auditing, try deleting a file or directory and see in the security logs what event ID is generated for this event.

Kind regards,
Yann TIROA

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pohlschneider, Chris
Sent: Wednesday 8 February 2006 17:31
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Tracking File Deletes

Sorry if this is a bit off topic, but I was wondering if there is a way to track file deletions off of a Windows 2000 SP4 file server?

Chris Pohlschneider
Network Administrator
Cenveo-Sidney
937-497-2136
[EMAIL PROTECTED]
RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared
Hi,

Just launch the RDP client with the /console switch, as this: mstsc /console. This will give you an interactive logon to your server.

Kind regards,
Yann TIROA

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Wednesday 8 February 2006 12:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared

One tiny little point which might be worth adding: don't try doing this using a remote desktop session, as I did the other week. I sat there cursing the machine, confident that I'd got the syntax etc. right. It was only much later, when I looked at the real console screen, that I saw lots of cmd windows which had all opened and were running in the local system context.

Steve
RE : [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared
Victor,

I dare say that your problem with /forestprep will not be solved until you grant the right accesses for authenticated users. The user able to launch setup.exe /forestprep must be a member of Enterprise and Schema Admins *AND* also a member of Authenticated Users. But authenticated users are not present in your ACLs, so the setup could not find ANY lists; that is probably what is meant by "...Setup failed while installing sub-component Microsoft Exchange Organization-Level Container Children...".

So, what I would suggest you to do is:
1) "Did you go into "Advanced" and ensure that "Allow inheritable..." is checked?" as Michael B. Smith stated earlier. If not, then check it.
2) If that does not resolve your problem, use at /interactive with the dsacls switch as stated in the MS KB, in order to add/grant authenticated users the right ACEs on your lists.
3) Then check if an authenticated user *CAN SEE* the GAL + all address lists.
4) If it's OK, launch the setup /forestprep command with a user
-> that has full Exchange admin at the org. level,
-> that is a member of the Enterprise + Schema groups.
5) If that works, launch setup /domainprep.
6) At last, check if the System Attendant is working fine for 10-15 minutes.
7) If that works, you won!!!

Yann

From: [EMAIL PROTECTED] on behalf of Victor W.
Sent: Mon 06/02/2006 21:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared

I am going to try that, nice one. I am still puzzled why I cannot run forestprep. Can anybody tell me what I have to do to be able to run forestprep without any errors?
RE : [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared
Yes.

1) Go to Start -> Run and type cmd.exe
2) Then you will have to type this command: "at /interactive cmd.exe" (without quotes). Example: if your local time is 20:05, then you will type "at 20:06 /interactive cmd.exe". This will open another instance of cmd.exe 1 minute after your local time. This second instance of cmd.exe is running under the local system account; type whoami and you will see it.
3) At the second instance of cmd.exe, launch ESM [1] or type:
DSACLS "CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Example,DC=com" /N /G "Authenticated Users":SDRCWDWOWPRPCALO

[1]: after reading the whole KB, I would use the dsacls command suggested by the KB, because the command will do the job for you by resetting the good ACEs for Authenticated Users.

Yann

From: [EMAIL PROTECTED] on behalf of Victor W.
Sent: Mon 06/02/2006 20:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared

Okay, so you start ESM with local system properties. Does that mean you have to start ESM from that same command prompt window?
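Before running the dsacls line in step 3 it helps to know exactly what SDRCWDWOWPRPCALO grants, so here is an added parser (not code from the thread, nor a Microsoft tool) that splits the command line and expands the two-letter codes from dsacls' own help, flagging the rights that hand the trustee control of the ACL. It assumes the organisation and domain names in the command are the thread's placeholders, and understands only the switches used here (/N, /G) plus /D.

```python
"""Decode a dsacls command line such as the KB fix in step 3 above.

Added example, not code from the thread or from Microsoft: it parses the
command text only and talks to no directory. The two-letter permission
codes are those listed in dsacls' own help output.
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

DSACLS_RIGHTS = {
    "GR": "generic read", "GE": "generic execute", "GW": "generic write",
    "GA": "generic all", "SD": "delete", "DT": "delete object and children",
    "RC": "read security information", "WD": "change security information",
    "WO": "change owner information", "LC": "list children",
    "CC": "create child object", "DC": "delete child object",
    "WS": "write to self", "WP": "write property", "RP": "read property",
    "CA": "control access right", "LO": "list object access",
}
# Rights that let the trustee alter who controls the object itself.
CONTROL_RIGHTS = ("GA", "WD", "WO", "DT", "CA")


@dataclass
class AceSpec:
    trustee: str
    rights: List[str]
    object_type: Optional[str] = None
    inherited_object_type: Optional[str] = None


@dataclass
class DsaclsCommand:
    object_dn: str
    replace_acl: bool = False  # /N: replace the existing ACL, don't edit it
    grants: List[AceSpec] = field(default_factory=list)
    denies: List[AceSpec] = field(default_factory=list)


def decode_rights(codes: str) -> List[str]:
    """Split a run such as SDRCWDWOWPRPCALO into its two-letter codes."""
    if not codes or len(codes) % 2:
        raise ValueError(f"rights must be whole two-letter codes: {codes!r}")
    rights = []
    for i in range(0, len(codes), 2):
        code = codes[i:i + 2].upper()
        if code not in DSACLS_RIGHTS:
            raise ValueError(f"unknown dsacls right {code!r} in {codes!r}")
        rights.append(code)
    return rights


def parse_ace_spec(spec: str) -> AceSpec:
    """Parse user:permissions[;object type[;inherited object type]]."""
    trustee, sep, rest = spec.partition(":")
    if not sep or not trustee or not rest:
        raise ValueError(f"expected user:permissions, got {spec!r}")
    parts = rest.split(";") + [None, None]
    return AceSpec(trustee, decode_rights(parts[0]),
                   parts[1] or None, parts[2] or None)


def parse_dsacls(command_line: str) -> DsaclsCommand:
    """Parse 'dsacls <DN> [/N] [/G user:perms ...] [/D user:perms ...]'.

    Only the switches used on this page (/N, /G) plus /D are understood;
    any other switch raises rather than being silently skipped.
    """
    tokens = shlex.split(command_line)  # honours the quotes around DN/trustee
    if not tokens or tokens[0].lower() not in ("dsacls", "dsacls.exe"):
        raise ValueError("not a dsacls command line")
    if len(tokens) < 2 or tokens[1].startswith("/"):
        raise ValueError("the object DN must follow dsacls")
    cmd = DsaclsCommand(object_dn=tokens[1])
    i = 2
    while i < len(tokens):
        switch = tokens[i].upper()
        i += 1
        if switch == "/N":
            cmd.replace_acl = True
        elif switch in ("/G", "/D"):
            specs = []
            while i < len(tokens) and not tokens[i].startswith("/"):
                specs.append(parse_ace_spec(tokens[i]))
                i += 1
            if not specs:
                raise ValueError(f"{switch} needs at least one user:permissions")
            (cmd.grants if switch == "/G" else cmd.denies).extend(specs)
        else:
            raise ValueError(f"unsupported dsacls switch {switch!r}")
    return cmd


def control_rights(ace: AceSpec) -> List[str]:
    """The rights in an ACE that hand the trustee control over the ACL."""
    return [r for r in ace.rights if r in CONTROL_RIGHTS]


# The command quoted in the thread (organisation and domain names are the
# thread's own placeholders).
KB_COMMAND = ('DSACLS "CN=All Global Address Lists,CN=Address Lists Container,'
              'CN=First Organization,CN=Microsoft Exchange,CN=Services,'
              'CN=Configuration,DC=Example,DC=com" /N /G '
              '"Authenticated Users":SDRCWDWOWPRPCALO')

if __name__ == "__main__":
    cmd = parse_dsacls(KB_COMMAND)
    print("object:", cmd.object_dn)
    print("replaces existing ACL (/N):", cmd.replace_acl)
    for ace in cmd.grants:
        names = ", ".join(DSACLS_RIGHTS[r] for r in ace.rights)
        print(f"grant {ace.trustee}: {names} | control: {control_rights(ace)}")
```

Decoding the KB string shows Authenticated Users would receive change security information and change owner information on the container, and /N replaces the existing ACL rather than adding to it; the TechNet default-permissions reference elsewhere in this thread is the place to check that against.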
RE : [ActiveDir] Disable the RDP Popup security al ert -> reminder :o)
Hello folks :)

Has someone got an idea about disabling the tsweb warning popup?

I noticed that the popup warning only appears when:
-> users connect via tsweb.
-> users connect via the RDP client (mstsc.exe).

BUT, when users connect via the Remote Desktop Connection MMC (tsmmc.msc), the popup does not appear! Indeed, I will not use this way of connection, but it was just to make a comparison.

What I want to do is to redirect the users' local drives via tsweb, so I modified the default.htm file in the tsweb virtual folder to activate the redirection, and that works great. But I would like to disable this popup warning which appears at each user connection.

Thanks,
Yann

From: [EMAIL PROTECTED] on behalf of TIROA YANN
Sent: Fri 20/01/2006 22:22
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disable the RDP Popup security alert.

Hello,

I activated the client drive redirection while users log on to a 2k3 TS via tsweb. But, while connecting, there is always an RDP popup security alert stating that: "The Remote Desktop Connection has asked a connection to your computer, do you want to: connect your local drives to the remote computer that may be a security risk". Is it possible to disable this popup security alert?

Thanks for input.
Yann
RE : [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared
To rightly answer your question: Yes. I use ESM instead of dsacls because I am used to granting ACLs with the GUI :o)

Yann

From: [EMAIL PROTECTED] on behalf of Victor W.
Sent: Mon 06/02/2006 16:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared

Thanks for your fast reply Yann!

Do you mean to run the command which resets the permissions for the Authenticated Users under local system privileges?

Cheers,
Victor

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday 6 February 2006 16:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared

Hi,

The only way to make your organization accessible again is to run the command under "Local System" privileges, by passing this command in a command line window as this:

c:\>at /interactive cmd.exe
Ex: c:\>at 12:00 /interactive cmd.exe

So at 12:00, a command prompt will appear with "Local System" privileges (type whiami to be sure).

Tip: if you connect to your server via RDP, the command will not be interactive and the command shell will not appear unless you activate the /console in your RDP connection. However, just open a session directly on your Exchange server.

Now you can open ESM properly with "Local System" privileges, and give full access to a user at the organisation level. After regaining total access to your Exchange organisation server, run a /forestprep and /domainprep for the System Attendant to be in a stable state.

Let us know if that works for you.

Kind regards,
Yann TIROA

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Monday 6 February 2006 16:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared

I had the chance to look at the actual problem today and hereunder I will describe the problem and what I have tried to resolve it:

Problem: The All Address Lists container has disappeared from ESM, as well as the All Global Address Lists container. From within Outlook it is as if you can display the All Address List but you are presented with an error message when you actually select it; the same error message is displayed when clicking "check name" when creating a new Outlook profile.

I know what happened, what has caused this: somebody had denied Everyone and Authenticated Users access to this list. I found a MS article which deals with exactly this, if I am right: http://support.microsoft.com/?id=286296

When I try this in a command prompt:
DSACLS "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Example,DC=com"
I get the following error message: "Object path is not valid, please correct it"

When I try this in a command prompt:
DSACLS "CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Example,DC=com" /N /G "Authenticated Users":SDRCWDWOWPRPCALO
I get the following error message: "The system cannot find the file specified".

From within ADSI Edit I can see in the right hand pane: "CN=All Address Lists" and "CN=All Globall Address Lists". They are at the following location: CN=Configuration,CN=Services,CN=Microsoft Exchange,CN=Domain,CN=AddressListContainer

When I right click either of those two and ask for properties, I get the message that an invalid directory was passed. When I try to delete either of those two I get the message that there are other property sheets opened and that need to close first. It is as if the objects are visible but aren't really there any more.

As suggested I tried running setup /forestprep but I get an error almost at the end of forestprep: "Setup failed while installing sub-component Microsoft Exchange Organization-Level Container Children with error code 0x80071392 (please consult the installation logs for a detailed description). You may cancel the installation or try the failed step again".

I took the relevant piece from the Exchange Server Setup Progress Log:
"[09:30:39] Creating organization address books
[09:30:39] Entering CAtomOrgCtChildren::ScCreateOrgLevelAddressBooksCTAndObjs
[09:30:39] CAtomOrgCtChildren::S
RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared
Oh yes! Just thinking about it, I would recommend you to check *ALL* the ACLs throughout the organisation level, just in case.

Here is a TechNet doc describing the default permissions on the Organization Container, Address Lists Container, Addressing Container, and many more: http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3ADPerm/fac468d7-043e-4505-9923-fc7e9b877659.mspx ; see -> Permissions Granted During Exchange Setup -> Permissions on Objects in the Exchange Configuration Tree.

Once you have regained total access to your lists, download, install and launch Exchange Server Best Practices at http://www.microsoft.com/downloads/details.aspx?familyid=dbab201f-4bee-4943-ac22-e2ddbd258df3&displaylang=en ; it will help point you to all related problems.

Hope that helps.

Kind regards,
Yann TIROA

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Monday 6 February 2006 16:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared

Thanks for your fast reply Yann!

Do you mean to run the command which resets the permissions for the Authenticated Users under local system privileges?

Cheers,
Victor
RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared
Hello,

I did not check the whole KB you mentioned, but the at /interactive will just give you the rights that you have lost to perform the action described in the KB.

Kind regards,
Yann TIROA

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Monday 6 February 2006 16:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared

Thanks for your fast reply Yann!

Do you mean to run the command which resets the permissions for the Authenticated Users under local system privileges?

Cheers,
Victor
RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared
"So at 12:00, a command prompt will appear with Local System privileges (type whiami to be sure)."

> It is rather "type whoami to be sure". :)

Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Monday 6 February 2006 16:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared

I had the chance to look at the actual problem today and hereunder I will describe the problem and what I have tried to resolve it:

Problem: The All Address Lists container has disappeared from ESM, as well as the All Global Address Lists container. From within Outlook it is as if you can display the All Address List but you are presented with an error message when you actually select it; the same error message is displayed when clicking "check name" when creating a new Outlook profile.

I know what happened, what has caused this; somebody had denied Everyone and Authenticated Users access to this list. I found a MS article which deals with exactly this, if I am right: http://support.microsoft.com/?id=286296

When I try this in a command prompt:

DSACLS "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Example,DC=com"

I get the following error message: "Object path is not valid, please correct it"

When I try this in a command prompt:

DSACLS "CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Example,DC=com" /N /G "Authenticated Users":SDRCWDWOWPRPCALO

I get the following error message: "The system cannot find the file specified".

From within ADSI Edit I can see in the right hand pane: "CN=All Address Lists" and "CN=All Globall Address Lists". They are at the following location: CN=Configuration,CN=Services,CN=Microsoft Exchange,CN=Domain,CN=AddressListContainer

When I right click either of those two and ask for properties, I get the message that an invalid directory was passed. When I try to delete either of those two I get the message that there are other property sheets opened and that need to close first. It is as if the objects are visible but aren't really there any more.

As suggested I tried running setup: /forestprep but I get an error almost at the end of forestprep: "Setup failed while installing sub-component Microsoft Exchange Organization-Level Container Children with error code 0x80071392 (please consult the installation logs for a detailed description). You may cancel the installation or try the failed step again".

I took the relevant piece from the Exchange Server Setup Progress Log:

"[09:30:39] Creating organization address books
[09:30:39] Entering CAtomOrgCtChildren::ScCreateOrgLevelAddressBooksCTAndObjs
[09:30:39] CAtomOrgCtChildren::ScCreateOrgLevelAddressBooksCTAndObjs (f:\titanium\admin\src\udog\exsetdata\components\server\a_orgctchildren.cxx:1815) Error code 0X80071392 (5010): The object already exists.
[09:30:39] Leaving CAtomOrgCtChildren::ScCreateOrgLevelAddressBooksCTAndObjs
[09:30:39] CAtomOrgCtChildren::ScAddDSObjects (f:\titanium\admin\src\udog\exsetdata\components\server\a_orgctchildren.cxx:192) Error code 0X80071392 (5010): The object already exists.
[09:30:39] Leaving CAtomOrgCtChildren::ScAddDSObjects
[09:30:39] mode = 'ForestPrep' (61965) CBaseAtom::ScSetup (f:\titanium\admin\src\udog\setupbase\basecomp\baseatom.cxx:842) Error code 0X80071392 (5010): The object already exists.
[09:31:23] >>>>>>>>>> Setup encountered a fatal error during Microsoft Exchange Forest Preparation of ForestPrep component task. -- ID:62237 -- CBaseComponent::ScSetup (f:\titanium\admin\src\udog\exsetdata\components\forprep\compforprep.cxx:513) Error code 0X80071392 (5010): The object already exists.
[09:31:23] Entering CBaseComponent::SetSubtreeComponentsToFailWithErrorInSetup
[09:31:23] Leaving CBaseComponent::SetSubtreeComponentsToFailWithErrorInSetup
[09:31:23] CCompForestPrep::ScSetup"

I found an MS article that addresses the error 0x80071392 message, but I wonder if this is relevant for my case: http://support.microsoft.com/default.aspx?scid=kb;en-us;296938

That article talks about domain prep, and domain prep runs just fine (I ran domain prep anyway but it doesn't resolve the problem). The article also talks about renaming the Exchange System Objects OU and the fact that renaming it isn't possible if the objectClass attribute of that OU has the value msExchSystemObjectsContainer. Even though in my case the OU has indeed got an objectClass attribute, I can rename it anyway. I tried renaming this OU and ran
RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared
Hi,

The only way to make your organization accessible again is to run the command under Local System privileges, by passing this command in a command line window like this:

c:\>at /interactive cmd.exe

Ex: c:\>at 12:00 /interactive cmd.exe

So at 12:00, a command prompt will appear with Local System privileges (type whiami to be sure).

Tip: if you connect to your server via RDP, the command will not be interactive and the command shell will not appear unless you activate the /console option in your RDP connection. However, just open a session directly on your Exchange server.

Now you can properly open ESM with Local System privileges, and give full access to a user at the organisation level.

After regaining total access to your Exchange organisation server, run a /forestprep and /domainprep for the System Attendant to be in a stable state.

Let us know if that works for you.

Regards,
Yann TIROA
Centre de Ressources Informatique.
Campus Scientifique de la DOUA.
Bât. Gabriel Lippmann - 2ème étage - salle 238.
43, Bd du 11 Novembre 1918.
69622 Villeurbanne Cedex.
Web: www.univ-lyon1.fr

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Monday 6 February 2006 16:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared

I had the chance to look at the actual problem today and hereunder I will describe the problem and what I have tried to resolve it:

Problem: The All Address Lists container has disappeared from ESM, as well as the All Global Address Lists container. From within Outlook it is as if you can display the All Address List but you are presented with an error message when you actually select it; the same error message is displayed when clicking "check name" when creating a new Outlook profile.

I know what happened, what has caused this; somebody had denied Everyone and Authenticated Users access to this list. I found a MS article which deals with exactly this, if I am right: http://support.microsoft.com/?id=286296

When I try this in a command prompt:

DSACLS "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Example,DC=com"

I get the following error message: "Object path is not valid, please correct it"

When I try this in a command prompt:

DSACLS "CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Example,DC=com" /N /G "Authenticated Users":SDRCWDWOWPRPCALO

I get the following error message: "The system cannot find the file specified".

From within ADSI Edit I can see in the right hand pane: "CN=All Address Lists" and "CN=All Globall Address Lists". They are at the following location: CN=Configuration,CN=Services,CN=Microsoft Exchange,CN=Domain,CN=AddressListContainer

When I right click either of those two and ask for properties, I get the message that an invalid directory was passed. When I try to delete either of those two I get the message that there are other property sheets opened and that need to close first. It is as if the objects are visible but aren't really there any more.

As suggested I tried running setup: /forestprep but I get an error almost at the end of forestprep: "Setup failed while installing sub-component Microsoft Exchange Organization-Level Container Children with error code 0x80071392 (please consult the installation logs for a detailed description). You may cancel the installation or try the failed step again".

I took the relevant piece from the Exchange Server Setup Progress Log:

"[09:30:39] Creating organization address books
[09:30:39] Entering CAtomOrgCtChildren::ScCreateOrgLevelAddressBooksCTAndObjs
[09:30:39] CAtomOrgCtChildren::ScCreateOrgLevelAddressBooksCTAndObjs (f:\titanium\admin\src\udog\exsetdata\components\server\a_orgctchildren.cxx:1815) Error code 0X80071392 (5010): The object already exists.
[09:30:39] Leaving CAtomOrgCtChildren::ScCreateOrgLevelAddressBooksCTAndObjs
[09:30:39] CAtomOrgCtChildren::ScAddDSObjects (f:\titanium\admin\src\udog\exsetdata\components\server\a_orgctchildren.cxx:192) Error code 0X80071392 (5010): The object already exists.
[09:30:39] Leaving CAtomOrgCtChildren::ScAddDSObjects
[09:30:39] mode = 'ForestPrep' (61965) CBaseAtom::ScSetup (f:\titanium\admin\src\udog\setupbase\basecomp\baseatom.cxx:842) Error code 0X80071392 (5010): The object already exists.
[09:31:23] >>>>>>>>>> Setup encountered a fatal error during Microsoft Exchange Forest Preparation of ForestPrep component task. -- ID:62237 -- CBaseComponent::ScSetup (f:\titanium\admin\
RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared
Hi Victor,

I just had this issue last week! The All Address Lists had disappeared from ESM!!! In fact "someone" (seen in the security event log of my DC) who has the full Exchange admin on the organisation made an error and deleted the "All Address Lists", then he tried to recreate it but could not due to some replication issues, and a collision occurred!

So I wanted to confirm this: opening ADSIEDIT and going to "CN=LostAndFoundConfig,CN=Configuration,DC=mydomain,DC=fr", I saw that the list was there but suffixed with a CNF like this: "CN=All Address ListsCNF;feffgee", same as all child lists and my personal @ lists. So that tells that the lists were duped and, due to a replication issue, a collision occurred. So I deleted the duped lists, ran forestprep, and the "All Address Lists" appeared in ESM.

For your issue, you have also lost the GAL, so do not forget to check:
1) that the GAL is associated to the Offline GAL in ESM.
2) rebuild the Offline GAL.

One issue I had is for Outlook 2k3 in cache mode:
1) For those clients that are configured in cache mode (.ost and .oab), you must force your client to download the GAL + All Address Lists + GAL.
2) For those that are configured in cache mode (only .ost), you also must force the download of the GAL.

Hope that helps.

Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Friday 3 February 2006 09:11
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared

Thanks Michael and Tony, I will try it and will let you know the outcome.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday 3 February 2006 2:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared

As Tony said, if they are deleted and you need the specific contents back, an authoritative restore is your appropriate response.

If the defaults work for you, you might just try rerunning forestprep and domainprep, then touching each store setting the GAL for the store.

I have seen security changes make them "appear" to disappear. adsiedit.msc is where you go to deal with that (although, again, rerunning forestprep and domainprep will probably take care of it for you).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Thursday, February 02, 2006 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared

What if the containers mentioned in the subject title are 'suddenly' missing in ESM? I have not checked (via adsiedit) if they are still in the Config.Nam.Context because I just heard this and have not had the chance to actually look at it. If they are gone from the conf.nam.cont., how can I get these folders back, and what if they are visible there but not in ESM?

Any help is greatly appreciated.
[ActiveDir] Disable the RDP Popup security alert.
Hello,

I activated the client drives redirection while users log on to a 2k3 TS via tsweb. But, while connecting, there is always an RDP popup security alert stating that:

"The Remote Desktop Connection has asked a connection to your computer, do you want to: connect your local drives to the remote computer; that may be a security risk"

Is it possible to disable this popup security alert?

Thanks for input.

Yann
[ActiveDir] Congrat Jorge !!!!!
Just read Jorge's blog @ http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx

Congrats Jorge for your nomination as an MVP. :o)

Will you have a Microsoft professional card like the MCP/MCSE one?

Yann
RE: [ActiveDir] Strange deleted object issue
Understood! Thanks.

Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday 12 January 2006 14:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange deleted object issue

Correct, limit search to the deleted objects container when possible. Some objects (objects marked with systemflags & 0x0200, which is still misdocumented as something that will be deleted immediately though I have submitted multiple changes for it...) will not be moved upon delete. They will stay in their current container. However, note, I just tested (should have done this before) and it won't let me create a user with that flag (the bit gets cleared), so it looks like users should always go to the DO container. I expect if I looked at the source I would see a handy XOR op clearing any bits MSFT doesn't want set on systemflags for user objects and that would be one of them.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 6:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange deleted object issue

My understanding was also to limit the search base to CN=Deleted Objects,DC=univ-lyon1,DC=fr" ?

:m:dsm:cci:mvp
marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Thursday, January 12, 2006 3:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange deleted object issue

Hi joe,

Just for my understanding, the command would be, using my previous example:

adfind -b "CN=yann\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr" -showdel -f "&(isdeleted=TRUE)(name=yann*)"

Right? I tried it and indeed, that works faster than dumping all the deleted users to a file.

"The whatever* is necessary for the object rename that occurs. There are some objects that don't go to the deleted objects container but instead remain in the container they were in when "deleted". ..."

If I understand well, if I do not use (name=yann*) the command would probably not find yann, because in some situations the user might not be, by default, in the deleted objects container? Right? If I misunderstand, could you explain to me again?

Thanks joe.

Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday 12 January 2006 01:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange deleted object issue

Note that the adfind query will be a trifle slow as that is going to have to walk every object in the directory; in larger orgs that could easily time out, so you will want to add the -t 0 option to specify unlimited timeout.

If you know the name of the object when looking for it, I recommend sticking to the NC it existed in and then use something like

adfind -b Deleted_Objects_for NC_DN -showdel -f "&(isdeleted=TRUE)(name=whatever*)"

The whatever* is necessary for the object rename that occurs.

There are some objects that don't go to the deleted objects container but instead remain in the container they were in when "deleted". This mostly occurs on site type objects in the config though; I have not seen a user configured that way, though I don't think there is anything preventing it, but someone would have had to have known how to pull it off.

I haven't gone through this entire extensive thread but I think it is about a missing user. There are a couple of things it could be:

1. User isn't missing, simply renamed. Without GUID of old object, good luck figuring out which object it is now.
2. User isn't missing, simply moved to another domain.
3. Object was deleted and the search for it isn't being done properly, or possibly this is in combination with 1 and/or 2 above.
4. User was deleted and person searching doesn't have rights to see deleted objects (easy to test).
5. Object was a dynamic object and timed out and went away. Doubtful it occurred here. Nothing would lead me to believe that someone was up on that capability enough to do it.

I would start by doing the search as I indicated above. If nothing found, I would dump all deleted user objects and look at them. If that doesn't come up with it, I would expect someone renamed it and possibly moved to another domain.

Oh, in specific reference to this:

"that wont work. You have to restore(reanimate) the object from the Deleted Objects container back into AD to run repadmin /showmeta GUID. otherwise it won't work. i could be wrong.."

That is incorrect, you can use the format to see deleted objects. That is just a DN format that AD accepts, period. Make note that 2K doesn't do this as nicely as K3. I.E. You would have
RE: [ActiveDir] Strange deleted object issue
Hi joe,

Just for my understanding, the command would be, using my previous example:

adfind -b "CN=yann\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr" -showdel -f "&(isdeleted=TRUE)(name=yann*)"

Right? I tried it and indeed, that works faster than dumping all the deleted users to a file.

"The whatever* is necessary for the object rename that occurs. There are some objects that don't go to the deleted objects container but instead remain in the container they were in when "deleted". ..."

If I understand well, if I do not use (name=yann*) the command would probably not find yann, because in some situations the user might not be, by default, in the deleted objects container? Right? If I misunderstand, could you explain to me again?

Thanks joe.

Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday 12 January 2006 01:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange deleted object issue

Note that the adfind query will be a trifle slow as that is going to have to walk every object in the directory; in larger orgs that could easily time out, so you will want to add the -t 0 option to specify unlimited timeout.

If you know the name of the object when looking for it, I recommend sticking to the NC it existed in and then use something like

adfind -b Deleted_Objects_for NC_DN -showdel -f "&(isdeleted=TRUE)(name=whatever*)"

The whatever* is necessary for the object rename that occurs.

There are some objects that don't go to the deleted objects container but instead remain in the container they were in when "deleted". This mostly occurs on site type objects in the config though; I have not seen a user configured that way, though I don't think there is anything preventing it, but someone would have had to have known how to pull it off.

I haven't gone through this entire extensive thread but I think it is about a missing user. There are a couple of things it could be:

1. User isn't missing, simply renamed. Without GUID of old object, good luck figuring out which object it is now.
2. User isn't missing, simply moved to another domain.
3. Object was deleted and the search for it isn't being done properly, or possibly this is in combination with 1 and/or 2 above.
4. User was deleted and person searching doesn't have rights to see deleted objects (easy to test).
5. Object was a dynamic object and timed out and went away. Doubtful it occurred here. Nothing would lead me to believe that someone was up on that capability enough to do it.

I would start by doing the search as I indicated above. If nothing found, I would dump all deleted user objects and look at them. If that doesn't come up with it, I would expect someone renamed it and possibly moved to another domain.

Oh, in specific reference to this:

"that wont work. You have to restore(reanimate) the object from the Deleted Objects container back into AD to run repadmin /showmeta GUID. otherwise it won't work. i could be wrong.."

That is incorrect, you can use the format to see deleted objects. That is just a DN format that AD accepts, period. Make note that 2K doesn't do this as nicely as K3. I.E. You would have to use "" instead of "".

Also note that if you can find the object with adfind, use -extname and it will kick out the extended SID and GUID names of the objects for you.

I would honestly stop worrying about ldp and repadmin and just sit down and find the object with adfind. If it is there and the person doing the searching has permissions, they should be able to find it.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, January 11, 2006 4:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange deleted object issue

Hi Tom,

I used the following: if the user yann is deleted from AD:

1) adfind -default -showdel -f isdeleted=TRUE -gc > del.txt to list all deleted users in del.txt (the -gc queries the GCs; I found it much faster to query GCs than DCs).

2) Search for your user yann and pick up its DN "CN=yann\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr".

3) Type repadmin /showobjmeta MYDC "CN=dac\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr" | find /i "isdeleted" to localize the DC on which the deletion occurred. Ex: here is the result of the command:

17730966 MYSITE\MYDC 17730966 2005-10-27 10:37:11 1 isDeleted

You can see that the deletion occurred at 10:37:11 AM on 2005-10-27 on the DC "MYDC".

4) You can then use psloglist \\MYDC security -i 630 -a 10/27/05 which shows you all deleted accounts that occurred before 10/27/05, or connect to MY
RE : [ActiveDir] Strange deleted object issue
Glad that helps :)

When I said in my previous post "...Not sure if that works but i am in w2k3 FFL mode...", it was rather "...Not sure if the switch /showobjmeta works in a w2k forest because it works in w2k3...". So you confirm that it also works in a w2k forest.

Yann

From: [EMAIL PROTECTED] on behalf of Tom Kern
Date: Wed 11/01/2006 17:40
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange deleted object issue

That worked. Thank you very much!!

On 1/11/06, TIROA YANN <[EMAIL PROTECTED]> wrote:

Not sure if that works but I am in w2k3 FFL mode. *BUT* when I tried with the repadmin /showmeta switch, it shows me the same error as you. So you should try to install the adminpak.msi for w2k3 on your Windows XP box, because the repadmin /showobjmeta is only available in the w2k3 adminpak.msi. Then try the process again.

Try it and let me know if that works.

Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday 11 January 2006 16:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange deleted object issue

Yann, does this command work against a win2k forest? When I run it against any DC in my forest, I get a .

C:\repadmin /showmeta opnyc10.mydomain.com "CN=YIPJ\0ADEL:f9eeaf3f-07f6-43d2-9a00-22923bef2fcb,CN=Deleted Objects,DC=mydomain,DC=com"

DsBindWithCred to CN=YIPJ\0ADEL:f9eeaf3f-07f6-43d2-9a00-22923bef2fcb,CN=Deleted Objects,DC=mydomain,DC=com failed with status 1722 (0x6ba): The RPC server is unavailable.

Thanks

On 1/11/06, Tom Kern <[EMAIL PROTECTED]> wrote:

Brian, I apologize for being so grammatically and syntactically cavalier with my posts to this list. If a dangling participle, split infinitive, or misspelled word has offended you, you have my sincerest regret and I promise to work on being a bit more diligent on that matter. If it helps any, by way of explanation, I usually write most of my posts from home while chasing after 2 kids. I can never seem to find the time to post from work or a more quiet place. But I'm sure that's more information than you or the list has needed to know.

By "everyone", I mean I have enabled the "Audit account management" policy and I'm auditing user object creation/deletion for the "Everyone" well-known security principal.

Hope that helps

On 1/11/06, TIROA YANN <[EMAIL PROTECTED]> wrote:

Hi Tom,

I used the following: if the user yann is deleted from AD:

1) adfind -default -showdel -f isdeleted=TRUE -gc > del.txt to list all deleted users in del.txt (the -gc queries the GCs; I found it much faster to query GCs than DCs).

2) Search for your user yann and pick up its DN "CN=yann\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr".

3) Type repadmin /showobjmeta MYDC "CN=dac\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr" | find /i "isdeleted" to localize the DC on which the deletion occurred. Ex: here is the result of the command:

17730966 MYSITE\MYDC 17730966 2005-10-27 10:37:11 1 isDeleted

You can see that the deletion occurred at 10:37:11 AM on 2005-10-27 on the DC "MYDC".

4) You can then use psloglist \\MYDC security -i 630 -a 10/27/05 which shows you all deleted accounts that occurred before 10/27/05, or connect to MYDC to search in the security event log.

If you can not find your user at that time, it may be that another domain admin has disabled the account policy applied by default, so you may check with your peers to confirm this.

Hope it helps

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday 11 January 2006 01:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange deleted
RE: [ActiveDir] Strange deleted object issue
Not sure if that works but I am in w2k3 FFL mode. *BUT* when I tried with the repadmin /showmeta switch, it shows me the same error as you. So you should try to install the adminpak.msi for w2k3 on your Windows XP box, because the repadmin /showobjmeta is only available in the w2k3 adminpak.msi. Then try the process again.

Try it and let me know if that works.

Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday 11 January 2006 16:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange deleted object issue

Yann, does this command work against a win2k forest? When I run it against any DC in my forest, I get a .

C:\repadmin /showmeta opnyc10.mydomain.com "CN=YIPJ\0ADEL:f9eeaf3f-07f6-43d2-9a00-22923bef2fcb,CN=Deleted Objects,DC=mydomain,DC=com"

DsBindWithCred to CN=YIPJ\0ADEL:f9eeaf3f-07f6-43d2-9a00-22923bef2fcb,CN=DeletedObjects,DC=mydomain,DC=com failed with status 1722 (0x6ba): The RPC server is unavailable.

Thanks

On 1/11/06, Tom Kern <[EMAIL PROTECTED]> wrote:

Brian, I apologize for being so grammatically and syntactically cavalier with my posts to this list. If a dangling participle, split infinitive, or misspelled word has offended you, you have my sincerest regret and I promise to work on being a bit more diligent on that matter. If it helps any, by way of explanation, I usually write most of my posts from home while chasing after 2 kids. I can never seem to find the time to post from work or a more quiet place. But I'm sure that's more information than you or the list has needed to know.

By "everyone", I mean I have enabled the "Audit account management" policy and I'm auditing user object creation/deletion for the "Everyone" well-known security principal.

Hope that helps

On 1/11/06, TIROA YANN <[EMAIL PROTECTED]> wrote:

Hi Tom,

I used the following: if the user yann is deleted from AD:

1) adfind -default -showdel -f isdeleted=TRUE -gc > del.txt to list all deleted users in del.txt (the -gc queries the GCs; I found it much faster to query GCs than DCs).

2) Search for your user yann and pick up its DN "CN=yann\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr".

3) Type repadmin /showobjmeta MYDC "CN=dac\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr" | find /i "isdeleted" to localize the DC on which the deletion occurred. Ex: here is the result of the command:

17730966 MYSITE\MYDC 17730966 2005-10-27 10:37:11 1 isDeleted

You can see that the deletion occurred at 10:37:11 AM on 2005-10-27 on the DC "MYDC".

4) You can then use psloglist \\MYDC security -i 630 -a 10/27/05 which shows you all deleted accounts that occurred before 10/27/05, or connect to MYDC to search in the security event log.

If you can not find your user at that time, it may be that another domain admin has disabled the account policy applied by default, so you may check with your peers to confirm this.

Hope it helps

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday 11 January 2006 01:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange deleted object issue

That won't work. You have to restore (reanimate) the object from the Deleted Objects container back into AD to run repadmin /showmeta GUID. Otherwise it won't work. I could be wrong..

Besides, this won't help me figure out who deleted it or why the audit wasn't logged.

p.s. - I have the Forestry book and think it's great and well worth the hefty price.

On 1/10/06, Mark Parris <[EMAIL PROTECTED]> wrote:

If I recall, he reset the permissions on the OU/container which holds the deleted objects, then you could query it without reanimating anything.

-----Original Message-----
From: Tom Kern <[EMAIL PROTECTED]>
Date: Tue, 10 Jan 2006 17:03:11
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange deleted object issue

I thought to do that you first have to reanimate the object from the Deleted Objects container before you can search on the GUID. The deletion occurred in a Win2k forest. I think what you are talking about you can only do in a Win2k3 DFL forest. Besides, that will only tell me the DC and time the isDeleted attrib was set. It won't tell me the user or process that deleted it. That's what I really need, and as my DCs seem to have mysteriously stopped logging event id 630 or 56
RE: [ActiveDir] Strange deleted object issue
Hi Tom, i used the following: if the user yann is deleted from AD: 1) adfind -default -showdel -f isdeleted=TRUE -gc > del.txt to list all deleted users in del.txt (the -gc query the GCs, i found it much faster to query gcs than dcs). 2) search for your user yann and pickup it's DN "CN=yann\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr". 3) type repadmin /showobjmeta MYDC "CN=dac\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr" | find /i "isdeleted" to localize the DC in which the deletion occured. Ex: here is the result of the command: 17730966 MYSITE\MYDC 17730966 2005-10-27 10:37:11 1 isDeleted You can see that the deletion occured at 10:37:11 AM the 2005-10-27 on the DC "MYDC". 4) you can then use psloglist \\MYDC security -i 630 -a 10/27/05 which shows u all deleted accounts occured before the 10/27/05, or connect to MYDC to search in the event security log. If you can not find your user at the time, it may be that an other domain admin has disabled the policy account applied by default, so you may see with your peers to confirm this. hope it helps De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Tom KernEnvoyé : mercredi 11 janvier 2006 01:24À : ActiveDir@mail.activedir.orgObjet : Re: [ActiveDir] Strange deleted object issue that wont work. You have to restore(reanimate) the object from the Deleted Objects container back into AD to run repadmin /showmeta GUID. otherwise it won't work. i could be wrong.. Besides this won't help me figure out who deleted it or why the audit wasn't logged. p.s.- i have the Forestry book and think its great and well worth the hefty price. On 1/10/06, Mark Parris <[EMAIL PROTECTED]> wrote: If I recall, he reset the permissions on the ou/container which holds the deleted objects then you could query it with out reanimating anything. 
-----Original Message-----
From: Tom Kern <[EMAIL PROTECTED]>
Date: Tue, 10 Jan 2006 17:03:11
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange deleted object issue

I thought to do that you first have to reanimate the object from the Deleted Objects container before you can search on the GUID. The deletion occurred in a Win2k forest. I think what you are talking about you can only do in a Win2k3 DFL forest. Besides, that will only tell me the DC and time the isDeleted attrib was set. It won't tell me the user or process that deleted it. That's what I really need, and as my DCs seem to have mysteriously stopped logging event ID 630 or 565, I'm screwed. Thanks a lot.

On 1/10/06, Mark Parris <[EMAIL PROTECTED]> wrote:
Use repadmin to check the object's metadata; you can usually find the DC where the deletion occurred and also who did it. The Active Directory Forestry book by John Craddock is an excellent resource for this type of AD audit.

-----Original Message-----
From: Tom Kern <[EMAIL PROTECTED]>
Date: Tue, 10 Jan 2006 15:53:18
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange deleted object issue

It logged the creation/deletion. My question is: I've always had this policy set and yet an account got deleted last night and I can't find any record of it. The security logs have not been cleared and are set to stay for 7 days. Still, I know a user account ended up in the Deleted Objects container with a whenChanged date of 20060109202458. Someone/something must have deleted it and there is no entry in the event logs of any DC. What gives? Thanks

On 1/10/06, Coleman, Hunter <[EMAIL PROTECTED]> wrote:
Create a user account, then delete it. Note which DC you're connected to for the delete, then check the security log on that DC. Look at all of the events around the time you deleted the account so that you'll know what is actually getting logged.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Tuesday, January 10, 2006 1:23 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange deleted object issue

Yes. Thanks. I just have 2 issues.
1. I don't understand why I get that error in LDP when I enter the OID control for deleted objects.
2. Most importantly, I had audit account management enabled for success and failure on my Domain Controllers OU and auditing enabled for Everyone for everything on the entire domain object, yet when I use EventCombMT to scan for an event ID 630 in the security log, I get nothing. This account was deleted last night so something should show up with this auditing enabled, no? Do I have to set some other security policy like audit directory service access as well? I figured account management should cover deleting a user object.
Thanks

On 1/10/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
I've
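The three steps of Yann's answer (find the tombstone, read the isDeleted replication metadata, search the originating DC's Security log around that time) as one PowerShell script. This is an added example, not code from any of the list posts. It assumes the ActiveDirectory RSAT module, read access to the Deleted Objects container and to the DC's Security log; the user name yann is taken from Yann's post, and the search window ($WindowMinutes) and event ID 4726 (the post-2003 successor of event 630) are assumptions of the example.

```powershell
<#
  Added example (not from the list posts). Does in one script what the post does
  with adfind / repadmin / psloglist: find the tombstone, read the originating DC
  and time of the isDeleted write, then pull account-deletion audit events from
  that DC around that time. Assumes the ActiveDirectory RSAT module and rights to
  read Deleted Objects and the DC's Security log. $WindowMinutes is an assumption.
#>
param(
    [string]$SamAccountName = 'yann',   # the deleted user from the post
    [int]$WindowMinutes = 5             # how far around the deletion time to search the log
)
Import-Module ActiveDirectory

# 1) Find the tombstone (equivalent of: adfind -showdel -f isdeleted=TRUE).
$del = Get-ADObject -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$SamAccountName'" `
           -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent
if (-not $del) { throw "No deleted object with sAMAccountName '$SamAccountName' found." }
if (@($del).Count -gt 1) { throw "Several tombstones match; pick one by DistinguishedName." }

# 2) Replication metadata of isDeleted (equivalent of: repadmin /showobjmeta ... | find "isDeleted"):
#    the DC that originated the deletion, and when it happened.
$meta = Get-ADReplicationAttributeMetadata -Object $del.DistinguishedName `
            -Server (Get-ADDomain).PDCEmulator -IncludeDeletedObjects |
        Where-Object AttributeName -eq 'isDeleted'
$originTime = $meta.LastOriginatingChangeTime
$originDsa  = $meta.LastOriginatingChangeDirectoryServerIdentity   # NTDS Settings DN of that DC
$dc = Get-ADDomainController -Filter * | Where-Object NTDSSettingsObjectDN -eq $originDsa
if (-not $dc) { throw "Originating DSA '$originDsa' is no longer a DC (demoted?); no log to query." }
"Deleted on $($dc.HostName) at $originTime (object was under $($del.lastKnownParent))"

# 3) Security log of that DC (equivalent of: psloglist \\MYDC security -i 630).
#    630 = 'User Account Deleted' on Windows 2000/2003; 4726 = the same event on later versions.
$events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 630, 4726
    StartTime = $originTime.AddMinutes(-$WindowMinutes)
    EndTime   = $originTime.AddMinutes($WindowMinutes)
}
if (-not $events) {
    Write-Warning "No deletion audit event in the window: check that 'Audit account management' is enabled on the DCs and that the Security log has not wrapped."
    return
}
foreach ($e in $events) {
    # 4726 carries named EventData fields (who deleted whom); 630 only has positional
    # data, so for it the first line of the message is the best summary available.
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Target  = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        Subject = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
        Message = ($e.Message -split "`n")[0]
    }
}
```

Run it on a workstation with RSAT as an account that can read the Deleted Objects container. If the originating DSA shows up as a GUID rather than an NTDS Settings DN, the DC that processed the deletion has since been demoted and its Security log is gone with it, which is the same dead end Tom describes.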
RE : [ActiveDir] Delegation of control wizard in Active Directory
Hi,

To complete Al's statements:
1) Check if the help desk person has all the required permissions on that user by using either dsacls, acldiag (acldiag /geteffective:) or the "Effective Permissions" on the Security tab of that user.
2) Check if the user belongs to protected groups.
3) Check if the help desk person has an explicit deny permission, or belongs to a group that has a deny ACE on this user object; you will see this with dsacls or the Effective Permissions tab.

Yann

On 1/5/06, Aguilar, Louis <[EMAIL PROTECTED]> wrote:
We hired a new help desk person this month. I'm trying to give her the ability to administer certain requests (unlock user accounts, reset passwords). I've tried to accomplish this by following: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx
Everything seems to work fine on new accounts, but she cannot administer anything on existing/old accounts. She keeps getting access denied.
Thanks for your time in advance
Louis
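Yann's three checks done in one PowerShell script, added here as an example; it is not code from the post or from Microsoft. It assumes the ActiveDirectory module (which provides the AD: drive used by Get-Acl) and two placeholder parameters, the help desk account and one of the old accounts she gets Access Denied on.

```powershell
<#
  Added example, not from the post. For one help desk account and one target account:
  is the target protected (adminCount=1, inheritance blocked), and which explicit
  Allow/Deny ACEs on it apply to the help desk person or any group she is nested in.
  Assumes the ActiveDirectory module; both parameters are placeholders.
#>
param(
    [Parameter(Mandatory)][string]$HelpDeskUser,   # the new help desk person's logon name
    [Parameter(Mandatory)][string]$TargetUser      # an 'old' account she cannot administer
)
Import-Module ActiveDirectory

$target = Get-ADUser -Identity $TargetUser -Properties adminCount
$acl    = Get-Acl -Path "AD:\$($target.DistinguishedName)"

# Check 2: an account that is (or was) in a protected group carries adminCount=1 and has
# inheritance disabled, so an OU-level delegation never reaches it; that alone explains
# "works on new accounts, fails on old ones" for such users.
[pscustomobject]@{
    Target             = $target.SamAccountName
    AdminCount         = $target.adminCount
    InheritanceBlocked = $acl.AreAccessRulesProtected
} | Format-List

# Checks 1 and 3: every SID the help desk person presents: herself, Everyone,
# Authenticated Users, and each group containing her, nested groups included
# (LDAP_MATCHING_RULE_IN_CHAIN, OID 1.2.840.113556.1.4.1941).
$hd    = Get-ADUser -Identity $HelpDeskUser
$dnEsc = $hd.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'
$sids  = @($hd.SID.Value, 'S-1-1-0', 'S-1-5-11') +
         @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dnEsc)" |
           ForEach-Object { $_.SID.Value })

$relevant = $acl.Access | Where-Object {
    $sid = try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
           catch { $null }
    $sid -in $sids
}
"ACEs on $($target.SamAccountName) that apply to $($hd.SamAccountName):"
$relevant | Sort-Object AccessControlType -Descending |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, IsInherited -AutoSize
if ($relevant | Where-Object AccessControlType -eq 'Deny') {
    Write-Warning "Explicit Deny ACEs found; a Deny wins over any Allow the wizard granted."
}
```

Extended rights such as Reset Password show up with ActiveDirectoryRights = ExtendedRight and an ObjectType GUID; an empty GUID means the ACE covers all properties or rights. If InheritanceBlocked is True and AdminCount is 1, look at the adminSDHolder thread further down rather than at the delegation.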
RE : [ActiveDir] Display Specifier + Command Variables
I don't know if it could help you, but for the same purpose as you, I found 2 attributes:
* msIIS-FTPDir -> "Relative user directory on an FTP Root share" => Schema definition.
* msIIS-FTPRoot -> "Virtual FTP Root where user home directory resides." => Schema definition.

I populated these 2 attributes for all my students so they can access their homedir via FTP. For example, msIIS-FTPDir will be the sAMAccountName and msIIS-FTPRoot will be \\yourserver\share\ [1]

I configured my FTP server in Isolated Mode Using Active Directory, so each student has to go to ftp://myserver.domain.fr, authenticate themselves with an AD box, and is directly logged into their home directory: IIS and AD automatically concatenate the 2 attributes in this way: msIIS-FTPRoot & msIIS-FTPDir.

[1] For redundancy and fault tolerance, I use a DFS root instead of the server: msIIS-FTPRoot = \\myDFSRoot\share\

Optionally, you could integrate the 2 attributes in the admin context of ADUC so you can easily see them by right-clicking on a user. I am in AD2k3.

Hope it helps.

Yann

From: [EMAIL PROTECTED] on behalf of Marc A. Mapplebeck
Date: Fri 23/12/2005 20:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Display Specifier + Command Variables

I need to propagate the FTPRoot and FTPDir fields in the user objects; they are not available through ADUC, only by using iisftp or a vbs. I am using FTP via IIS in AD Isolation Mode.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: December 23, 2005 12:17
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Display Specifier + Command Variables

I'm still not clear on whether you want to do this for the homedrive attribute or if you are trying to do something else. Might just be a little dense (that sometimes happens around this time of year). You want to add a vbscript to your ADU&C so you can right click and enable some function that currently is not available, vs. using a script to enable it in bulk.
Is that correct? I believe you want something similar to this, right? http://www.2000trainers.com/article.aspx?articleID=317&page=2

On 12/23/05, Marc A. Mapplebeck <[EMAIL PROTECTED]> wrote:
Sure, I was just using a batch file that called iisftp; the context was "iisftp username". All Z drives are the homedir of the user stored on our hermes server in the share "Z Drives"; the purpose of this was to give users access to their homedir remotely. However, now that I want to use it from within AD Users & Computers, I think I will have to rewrite it to set the variables using vbs.

setftp.bat
-
IIsFtp /SetADProp %1 FTPDir %1
IIsFtp /SetADProp %1 FTPRoot "\\hermes\Z Drives"
- end

I will probably end up using a .vbs that looks similar to this:

setftp.vbs
-
' Bind to the user object whose ADsPath (LDAP://CN=...) is passed as the first
' argument, which is what an ADUC context-menu entry hands to the command.
Dim oUser
Set oUser = GetObject(WScript.Arguments(0))
' FTPDir is the user's logon name and FTPRoot the share holding the Z drives,
' mirroring the two iisftp /SetADProp calls above.
oUser.Put "msIIS-FTPDir", oUser.Get("sAMAccountName")
oUser.Put "msIIS-FTPRoot", "\\hermes\Z Drives"
oUser.SetInfo
Set oUser = Nothing
WScript.Quit
- end

I'm actually teaching a class right now (yes, one of my students showed up for class the day before the holiday break starts, so I gave him a nice subnetting lab, I'm soo sadistic), so I do not have access to any of my reference/test servers, so this script will probably crash on line 1. But, the general idea is there.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: December 23, 2005 11:23
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Display Specifier + Command Variables

Marc, can you post the code you're using? Cleaned up for internet consumption of course.
Al

On 12/23/05, Marc A. Mapplebeck <[EMAIL PROTECTED]> wrote:
Hi all, I am working on setting up FTP in AD Isolation mode.
I have written a batch file that I run to enable a user on the FTP server. I would like to change this so that I can just right-click on a user in AD Users & Computers to do this. I have made the modification to the display specifier to call the batch file; however, it is not passing what I want. Does anybody know if/what the variable is for the CN of the user, or would it be just as easy to script this with VB instead? If so, does anybody already have a script or
RE : [ActiveDir] Display Specifier + Command Variables
Hello,

Take a look at Sakari Kouti's web site http://www.kouti.com/scripts.htm ; in the "Bonus Material" section, you have an example (employeeid.vbs) on how to do this.

As Jorge stated earlier, Merry Christmas to all of you! :)

Yann

From: [EMAIL PROTECTED] on behalf of Marc A. Mapplebeck
Date: Fri 23/12/2005 15:59
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Display Specifier + Command Variables

Hi all, I am working on setting up FTP in AD Isolation mode. I have written a batch file that I run to enable a user on the FTP server. I would like to change this so that I can just right-click on a user in AD Users & Computers to do this. I have made the modification to the display specifier to call the batch file; however, it is not passing what I want. Does anybody know if/what the variable is for the CN of the user, or would it be just as easy to script this with VB instead? If so, does anybody already have a script or a model that can be used for this?
Thanks - Marc

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
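The bulk version of what Yann describes with msIIS-FTPDir / msIIS-FTPRoot and what Marc's iisftp batch does per user, as an added PowerShell example; it is not code from either post. It assumes the ActiveDirectory module, and the OU, share and DFS root values are placeholders in the style of the thread. It adds one check the posts do not spell out: since IIS builds the home directory as msIIS-FTPRoot + msIIS-FTPDir, an account whose directory does not exist under the root is reported instead of being pointed at a missing path.

```powershell
<#
  Added example, not from the thread. For every user under an OU, set msIIS-FTPDir
  to the logon name and msIIS-FTPRoot to the share (or DFS root), but only after
  checking that the home directory IIS will compute (FTPRoot + FTPDir) exists.
  Report-only unless -Apply is given. Assumes the ActiveDirectory module; the OU
  and root values are placeholders.
#>
param(
    [string]$UsersOU = 'OU=Students,DC=univ-lyon1,DC=fr',   # placeholder OU
    [string]$FtpRoot = '\\myDFSRoot\share\',                # DFS root, as in footnote [1]
    [switch]$Apply                                          # write to AD only when set
)
Import-Module ActiveDirectory

Get-ADUser -SearchBase $UsersOU -Filter * -Properties 'msIIS-FTPDir', 'msIIS-FTPRoot' |
ForEach-Object {
    $user = $_
    $dir  = $user.SamAccountName                      # what the post uses for msIIS-FTPDir
    $home = Join-Path -Path $FtpRoot -ChildPath $dir  # what IIS concatenates at FTP logon

    $state = if (-not (Test-Path -LiteralPath $home -PathType Container)) { 'MissingDir' }
             elseif ($user.'msIIS-FTPDir' -ne $dir -or $user.'msIIS-FTPRoot' -ne $FtpRoot) { 'NeedsUpdate' }
             else { 'OK' }

    if ($state -eq 'NeedsUpdate' -and $Apply) {
        # Both attributes are set in one write so a half-populated user is never visible to IIS.
        Set-ADUser -Identity $user -Replace @{ 'msIIS-FTPDir' = $dir; 'msIIS-FTPRoot' = $FtpRoot }
        $state = 'Updated'
    }
    [pscustomobject]@{
        User          = $dir
        HomeDir       = $home
        CurrentFTPDir = $user.'msIIS-FTPDir'
        State         = $state
    }
} | Format-Table -AutoSize
```

Run it once without -Apply to get the list of MissingDir accounts (create or fix those directories first), then with -Apply. Users whose State stays OK are already consistent and are not touched.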
RE : [ActiveDir] ::OT:: xexch50
Hi,

Follow the different steps described in this KB: http://support.microsoft.com/default.aspx?scid=kb;en-us;843106&sd=ee
Let us know how it works for you.

Yann

From: [EMAIL PROTECTED] on behalf of Quatro Info
Date: Thu 22/12/2005 20:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ::OT:: xexch50

Kinda figured that out myself, but how to fix it? Walked through the whole config but can't find anything out of the ordinary.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, December 22, 2005 19:49
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ::OT:: xexch50

The problem is that they also have an Exchange server trying to communicate with you. When that happens, it's told to try and authenticate and because it's not a member will likely fail. If this is an internet facing mail handler, you should not expect other hosts to have to authenticate in order to send mail to you. That would be a configuration error on your part and a silly extra verb on the part of Exchange. ;)
Al

On 12/22/05, Quatro Info <[EMAIL PROTECTED]> wrote:
Hi all,
Installed a new SBS 2k3 box and get the following messages in Event Viewer:

ID 7010
This is an SMTP protocol log for virtual server ID 1, connection #278. The client at "193.173.22.154" sent a "xexch50" command, and the SMTP server responded with "504 Need to authenticate first ". The full command sent was "xexch50 2204 2". This will probably cause the connection to fail.

ID 7004
This is an SMTP protocol error log for virtual server ID 1, connection #292. The remote host "193.173.22.154", responded to the SMTP command "xexch50" with "504 Need to authenticate first ". The full command sent was "XEXCH50 2376 2 ". This will probably cause the connection to fail.
Only get this message from a few IP addresses; they are not members of the Exchange organization but just other companies' servers who try to send mail. Mail flow isn't working well from those senders as well; some mail arrives, some doesn't. Integrated Windows auth is turned on at the virtual SMTP connector as well.

Is this a configuration problem on my Exchange server or theirs?

All help appreciated.
Grtz Jorre
RE : [ActiveDir] adminCount attribute
Hi joe,

Just a note: "this delegation will not impact any accounts protected by adminSDHolder so he won't be able to reset any users in the native admin groups."

This is also the case for the users belonging to those protected groups: they have no control over each of those groups' user objects. I have a case where some account operators could not reset passwords or modify user information (such as sn, givenName, ...) when those users belong to protected groups; in my case it was Print Operators. It seems that domain admins have FC over those protected users.

Yann

From: [EMAIL PROTECTED] on behalf of joe
Date: Tue 20/12/2005 21:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adminCount attribute

If all he needs to do is reset passwords you want to do this anyway. Acc Ops have considerable rights over groups and users as well as the capability to add groups/users as desired. Obviously delegate to a group versus the person directly. You may want to delegate the ability to unlock accounts (WP lockoutTime) and expire/unexpire accounts (WP pwdLastSet) as well. Note that this delegation will not impact any accounts protected by adminSDHolder so he won't be able to reset any users in the native admin groups.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Tuesday, December 20, 2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adminCount attribute

Well he's a helpdesk guy that needs to be able to reset passwords for everyone in the domain, so I would need to delegate him permissions at the highest level OU, whereas right now he's in Account Operators so he automatically can do it. Once I remove him from Account Operators, I'll have to delegate him the permissions.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 20, 2005 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adminCount attribute

Hi,
What do you mean with "I will have to delegate him permissions at the top since he can't be an Account Operator anymore". And by the way... which top?
Jorge

From: [EMAIL PROTECTED] on behalf of Tony Murray
Sent: Tue 12/20/2005 8:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adminCount attribute

That's correct. In Windows 2000 SP4 and in Windows Server 2003 the Account Operators group is protected. For a full list of protected groups and accounts, see the following KB article. http://support.microsoft.com/?kbid=907434
Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Wednesday, 21 December 2005 8:24 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adminCount attribute

I did just find that he's a member of a group which is a member of the Account Operators group. So I need to remove him from this group in order for his adminCount to stay? If that's true, then I will have to delegate him permissions at the top since he can't be an Account Operator anymore.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Tuesday, December 20, 2005 1:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adminCount attribute

The user was removed from all protected groups long ago. The problem is, his adminCount attribute is still getting set back to 1. I set it to , enable ACL inheritance and set his default permissions back, and an hour later I re-check his account and adminCount is set back to 1, and the security context on his account isn't correct anymore again.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 20, 2005 9:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adminCount attribute

The adminSDHolder process only looks at users and groups that are defined in AD as protected objects. As mentioned in MS-KBQ817433 - "Delegated permissions are not available and inheritance is automatically disabled" it is possible to include or exclude some of the default admin groups (Account Operators, Print Operators, etc.). The process that checks objects against the adminSDHolder object only looks at that definition of protected objects and in case of groups it will also look at its members. It resets the DACL to match the DACL of the adminSDHolder object, sets the adminCount attribute to 1 and disables ACL inheritance on the protected object. The group membership of a protected group is the criterion the process looks at, not the attribute value of 1. The adminCount attribute is just an administrative measure for the process that say
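Jorge's point, that the process keys on protected-group membership (nested included) rather than on adminCount, checked with PowerShell. This is an added example and not code from the thread; it assumes the ActiveDirectory module, uses the default protected group and account list from the KB articles cited in the thread (817433 / 907434) without honouring dSHeuristics exclusions, and the -Fix switch is the example's own addition. For Russ's case it shows the intermediate group through which the user still reaches Account Operators; for users that were really removed from every protected group it shows them as orphans, whose adminCount and inheritance the process never cleans up by itself.

```powershell
<#
  Added example, not from the thread. For every user with adminCount=1, show which
  protected groups still reach it (directly or through nesting) and through which
  groups, and flag orphans (adminCount=1 but no longer protected). With -Fix, orphans
  get adminCount cleared and inheritance re-enabled, which SDProp never does on its own.
  Assumes the ActiveDirectory module; the protected list is the default from
  KB 817433/907434 and ignores dSHeuristics exclusions.
#>
param([switch]$Fix)
Import-Module ActiveDirectory

$protectedNames = 'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
                  'Backup Operators', 'Replicator', 'Domain Admins', 'Domain Controllers',
                  'Read-only Domain Controllers', 'Schema Admins', 'Enterprise Admins'
$protectedUserNames = 'Administrator', 'krbtgt'      # protected accounts, not groups
# Schema Admins / Enterprise Admins exist only in the forest root; a miss just yields nothing.
$protected     = foreach ($n in $protectedNames) { Get-ADGroup -Filter "Name -eq '$n'" }
$protectedSids = @($protected | ForEach-Object { $_.SID.Value })

function Get-ChainGroups([string]$Dn) {
    # All groups that contain $Dn directly or through nesting (LDAP_MATCHING_RULE_IN_CHAIN).
    $esc = $Dn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$esc)"
}

Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount | ForEach-Object {
    $u            = $_
    $chain        = @(Get-ChainGroups $u.DistinguishedName)
    $viaProtected = @($chain | Where-Object { $_.SID.Value -in $protectedSids })
    $orphan       = ($viaProtected.Count -eq 0) -and ($u.SamAccountName -notin $protectedUserNames)

    if ($orphan -and $Fix) {
        # The manual cleanup Russ describes: clear adminCount and turn inheritance back on,
        # keeping the existing explicit ACEs so nothing is lost before review.
        Set-ADUser -Identity $u -Clear adminCount
        $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path "AD:\$($u.DistinguishedName)" -AclObject $acl
    }
    [pscustomobject]@{
        User          = $u.SamAccountName
        ProtectedVia  = ($viaProtected.Name -join ', ')
        NestedThrough = (($chain | Where-Object { $_.SID.Value -notin $protectedSids }).Name -join ', ')
        Orphan        = $orphan
        Fixed         = ($orphan -and $Fix)
    }
} | Format-Table -AutoSize
```

A user like Russ's shows ProtectedVia = Account Operators and NestedThrough = the intermediate group; removing him from that group is what stops SDProp, after which one run with -Fix restores the delegated permissions for good. A user whose ProtectedVia is non-empty must not be "fixed": the next SDProp pass would simply undo it.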
RE: [ActiveDir] Active Dir web based management
Hi Steve,

May I suggest putting "Web Admin Tool" in the "Downloads" part of activedir, http://www.activedir.org/Downloads/Downloads.aspx ? You could make it available to anyone if, of course, Tony Murray agrees.

Yann

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of steve patrick
Sent: Saturday, December 17, 2005 12:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Dir web based management

There was an older package from MS which was free - noted here: http://weblogs.asp.net/conrad/archive/2003/12/29/46329.aspx
If you want a copy of it (no guarantees warranties blah blah..) I can send it to you; it may be a good place to start and you can modify it to suit your needs.
steve

----- Original Message -----
From: "Darren Mar-Elia" <[EMAIL PROTECTED]>
Sent: Saturday, December 17, 2005 10:25 AM
Subject: RE: [ActiveDir] Active Dir web based management

Hey now, careful... Jason, depending upon what you're after, you might want to check out these guys for a simple web-based AD management product: www.thedotnetfactory.com. No idea on relative cost however.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Freddy HARTONO
Sent: Saturday, December 17, 2005 9:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Dir web based management

I think usually the word cheap doesn't tie in with Quest tools :) Pretty much what Jason was trying to say perhaps..right?
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Saturday, December 17, 2005 9:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Dir web based management

You probably should define your definition of relatively cheap.
To some of the folks on this list, $100,000-$500,000 would be considered relatively cheap. I expect your definition may vary. If you mean in the $1000 or less range I would have to say I can't think of anything, but possibly there are some open source projects available you could glom onto. Building a web system specific to a single company tends to be considerably easier than building a generic product that would work well for anyone trying to use it to capture any possible eventuality/configuration/work stream. That extra work is usually why people start charging coin for something. Possibly though, you should look at the official commercial products; there might be more there that you need that you aren't thinking about at the moment. Usually anytime someone mentions a need for something in this area I say build it yourself or look at something like ActiveRoles Server from Quest. That has wrapped in the capability of the former Enterprise Directory Manager tool.
joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jason Yaremchuk
Sent: Friday, December 16, 2005 5:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Dir web based management

I am currently looking at creating a web page that allows onsite tech admins to create and alter user/group info in Active Directory. I want to have delegated control of an OU but I am looking at a web form so I can apply some sort of input masks to ensure data consistency when new users are added. Our onsite techs have little knowledge of Active Directory so I want to have a lot of control on how and what they can enter. Before I start developing all this I was wondering if anyone has seen free or relatively cheap products already on the market. Any ideas or comments appreciated.
Thanks, Jason
RE: [ActiveDir] Viewing delegates?
You can use this:
acldiag "OU=your_ou,DC=domain,DC=com" /chkdeleg /skip
This will check whether the Delegation of Control Wizard has been run for an object. Acldiag can be run by anybody, but the results of the output will depend on the user's rights to view the ACLs of the object you are querying.

Cheers,
Yann

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Craig Gauss
Sent: Wednesday, December 14, 2005 23:12
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Viewing delegates?

Windows 2003 AD
How do you go about viewing the users you have set as delegates for an OU? I set up a test earlier with a delegate on a test OU; it worked, but I don't see where you can see who is a delegate.
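acldiag /chkdeleg only recognises the wizard's own templates; a delegation granted by hand with dsacls or the Security tab does not show up there. The PowerShell below, added here as an example and not code from the post, lists every explicit (non-inherited) ACE on the OU and resolves the attribute, class and extended-right GUIDs to names, so the output reads as who / Allow or Deny / which right / on what. It assumes the ActiveDirectory module; the OU DN is the placeholder from Yann's command.

```powershell
<#
  Added example, not from the post. Lists every explicit ACE on an OU with GUIDs
  resolved to schema and extended-right names, so delegations made by any means
  (wizard, dsacls, Security tab) are visible. Assumes the ActiveDirectory module;
  the default OU is the placeholder used in the post.
#>
param([string]$OU = 'OU=your_ou,DC=domain,DC=com')
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

# GUID -> name maps: schema attributes and classes (schemaIDGUID) plus extended rights,
# property sets and validated writes (rightsGuid under CN=Extended-Rights).
$guidName = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $g = [guid]$_.schemaIDGUID; $guidName[$g] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $g = [guid]$_.rightsGuid; $guidName[$g] = $_.displayName }

function Resolve-Guid([guid]$Id, [string]$WhenEmpty) {
    # An all-zero GUID means "all properties / all rights" or "any object class".
    if ($Id -eq [guid]::Empty) { $WhenEmpty }
    elseif ($guidName.ContainsKey($Id)) { $guidName[$Id] }
    else { $Id.ToString() }
}

$acl = Get-Acl -Path "AD:\$OU"
$acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
    [pscustomobject]@{
        Trustee    = $_.IdentityReference.Value
        Type       = $_.AccessControlType
        Rights     = $_.ActiveDirectoryRights
        On         = Resolve-Guid $_.ObjectType 'all properties/rights'
        ChildScope = $_.InheritanceType          # None, All, Descendents, Children, SelfAndChildren
        ChildClass = Resolve-Guid $_.InheritedObjectType 'any class'
    }
} | Sort-Object Trustee, Type | Format-Table -AutoSize
```

Expect the domain's default trustees (Domain Admins, Enterprise Admins, SYSTEM, Account Operators, Pre-Windows 2000 Compatible Access) in the list as well; the delegates Craig is looking for are the remaining rows, typically "Reset Password" (an extended right) and WriteProperty on pwdLastSet or lockoutTime scoped to the user class.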
RE : [ActiveDir] LDAP Traffic Replay
Hi,

tcpreplay might help you. Here you can find it: http://tcpreplay.sourceforge.net/
Here is an extract from the FAQ: http://tcpreplay.sourceforge.net/FAQ/node2.html#SECTION00021

Yann

From: [EMAIL PROTECTED] on behalf of joe
Date: Tue 06/12/2005 18:31
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Traffic Replay

Is anyone aware of a tool that will sit and watch LDAP traffic and track the threads/clients/etc and then be able to replay that traffic? Basically I am looking for a way to better judge DC perf in relation to Exchange LDAP queries. Setting up a whole Exchange environment to test the DCs is testing both Exchange and the DC, and I am looking to try and narrow that to just AD so I can answer some of the questions of GC/DC capacity better than the 4:1 ratio business which everyone says isn't that great but doesn't seem to have anything easy to do that is better. I would like to track traffic to production GC/DCs and then be able to replay that LDAP load as desired over and over again against various pieces of hardware with different configs.
joe
RE: [ActiveDir] When is a domain Admin not a domain Admin?
understood :)

Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, November 28, 2005 23:29
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] When is a domain Admin not a domain Admin?

Base assumption that I took and I expect Hunter took is that FC was granted to all objects; that includes correcting the permissions on adminSDHolder.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: Monday, November 28, 2005 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] When is a domain Admin not a domain Admin?

Hi,
The user will have full control over all objects except members that belong to protected groups such as Domain Admins, Print Operators, etc. This is due to the adminSDHolder mechanism. For more information see http://support.microsoft.com/default.aspx?scid=kb;en-us;817433 and the adminSDHolder threads that were discussed on this list.
Yann

From: [EMAIL PROTECTED] on behalf of Coleman, Hunter
Date: Mon 28/11/2005 21:11
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] When is a domain Admin not a domain Admin?

Well, if they truly have full control over all objects, then they could add themselves into the Domain Admins group. Moot point...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Morley, Scott
Sent: Monday, November 28, 2005 12:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] When is a domain Admin not a domain Admin?

All,
For reasons too long and boring to mention, I have been asked about the following scenario:
Create a regular normal everyday user
Give that user full control over all objects in the domain
The user is NOT part of the Domain Admins group
Does the membership of the Domain Admins group provide some additional rights/functionality to a user? Or is full access to all objects equivalent to domain admin rights?
Scott Morley
Active Directory Manager
MSCE 2000, CCNA, CNE, CNI
"Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so." - Douglas Adams (1952-2001)