RE: [ActiveDir] Anyone attending TechEd?

2004-05-22 Thread deji Agba



Oh, no! I didn't know Rick would be attending :) Oh, well. Now that it's too late to cancel, I guess I have to just learn to stay away from your CABANA :O)




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Rick Kingslan
Sent: Sat 5/22/2004 8:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone attending TechEd?

Yep - I'll be there. Find me in the Security 'Cabana' on almost all days. The 'Cabanas' are the areas for attendee-to-expert assistance, discussion, white boarding, etc. If you want answers to what's going on with your area of expertise or an area that you WANT to become proficient in, this is the place to go. It's also the place to meet the speakers and to have good, in depth discussion with them.

Stop over - I'll be one of the folks in the Microsoft shirts! :O)

Rick Kingslan MCSE, MCSA, MCT, CISSP
Microsoft MVP: Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marco Bombardi
Sent: Saturday, May 22, 2004 5:31 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Anyone attending TechEd?

Hello everyone,

I know this is not something new to you but this is indeed a really awesome list! Thank you Tony for putting it together and thank you to this great list of contributors that put so much time into writing detailed answers, suggestions and explanations.

I was just wondering who from the list will be attending TechEd next week and would be interested in getting together for some AD and Exchange chat.

Feel free to email / IM me directly if you're interested. Depending on the number of answers we can plan a group dinner or something...

Thank you and see some of you there.

Marco Bombardi
[EMAIL PROTECTED]


RE: [ActiveDir] dns issues

2004-05-19 Thread deji Agba



More likely DNS than WINS. Try bouncing the new Server, then restart netlogon on it (in case MS04-011 is hurting you), then check DNS for the relevant SRV records. I know you said you looked in DHCP, but I have to ask if you made sure that the dead DC is not listed as a DNS server in your DHCP scopes. And, after the clients have connected in "Safe Mode", what does nslookup say?



Lastly, anything in the eventlog (on both server and clients)?

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Mulnick, Al
Sent: Tue 5/18/2004 2:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] dns issues
WINS? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, May 18, 2004 5:17 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] dns issues

I had my primary fsmo role holder (pdc, infra, rid) go down. It was also a dns
server (ad integrated). I ran ntdsutil and removed the server from AD. I also
had another dns server running.
I transferred all the fsmo roles to this server.
Now however, I have a ton of what I think are dns issues. I have clients
who are stuck at "applying security settings" and never logon (however, they
can when in safe mode with networking).
Also, I tried to join a workstation to my domain and it gave me a "cannot
contact domain" error.
The clients are all pointing to the new dns server via dhcp.
There are no errors in the dns log or in directory services log.
This is a child domain and the zone was delegated from the root.

what gives?
thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] ms04-011

2004-05-19 Thread deji Agba



For the first part of this question, look at the TCP/IP properties of the new client you are trying to join to the Domain. Make sure that "Enable LMHosts lookup" is unchecked, then make sure you are pointing at the correct INTERNAL DNS server ONLY (no ISP DNS in there), reboot the machine and re-attempt your join.



For the Win98 problem, have you tried DSCLIENT? http://download.microsoft.com/download/0/0/A/00A7161E-8DA8-4C44-B74E-469D769CE96E/dsclient9x.msi

I know you said that you were sure that you successfully seized all the FSMO roles, but does your new DC think so? Have you tried "netdom /query FSMO" on the DC to see what it thinks?


Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Kern, Tom
Sent: Wed 5/19/2004 7:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011
Still doesn't work. When I try to join a win2k workstation to a domain, I get "domain cannot be contacted. check dns" error.
DNS settings are fine, I can ping my dc's and dns servers from the pc.
I rebooted my dc, disabled ipsec policy agent, checked the srv records in my domain, no replication errors on my dc's.

Also, suddenly no win98 clients can logon. WINS settings are correct, I can ping the wins server from my win98 clients, no errors in the wins log. I restarted the service, recreated the wins db. No errors on the pdc fsmo. Still same issue.
I'm at a loss.
Help! ack!!

thanks

-Original Message-
From: John Singler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 9:35 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] ms04-011


forgot about the 2nd part of yr. question

see this thread:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg15769.html

Kern, Tom wrote:

 I know this has been spoken of before, but I can't seem to find a pertinent email in the archives, so I apologize for this retread.
 What are the issues with the ms04-011 hot fix?
 I ask because I have some clients that are perpetually stuck at the "applying security settings" screen and never log on.
 Also, I have one newly formatted client that I can't join to the domain, because it can't contact the domain. This client (win2k) does not have the hotfix installed yet, but my dns server does.
 Is there a known issue with this fix affecting dns? I know about the dltape and ipsec issues already, but I don't have these drivers loaded.
 Thanks, and sorry for the rehash.
 

-- 
John Singler
Systems Administrator
School of Veterinary Medicine, University of Pennsylvania
3800 Spruce Street
Philadelphia, PA 19104-6044

"life is a killer" -- John Giorno





RE: [ActiveDir] Need to confirm a behavior in AD Sites as it pertains to authenti cation.

2004-05-07 Thread deji Agba



Try reading "Authentication Topology" by Gil Kirkpatrick. I am not sure if it's a member-only doc, but it's available at http://www.winnetmag.com/Articles/Print.cfm?ArticleID=37935




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Darren Mar-Elia
Sent: Fri 5/7/2004 7:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Need to confirm a behavior in AD Sites as it pertains to authenti cation.

Todd - Not sure if this will get to your specific issue here, but Gil wrote a great article about the DC discovery process on Windows & .NET Magazine here: http://www.winnetmag.com/Article/ArticleID/37935/37935.html


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Friday, May 07, 2004 6:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Need to confirm a behavior in AD Sites as it pertains to authenti cation.


I am searching for an article that identifies the behavior of how authentication DCs are selected based on AD sites.

Here is why.

Our default site cost for all our sites in the hub and spoke architecture is 10. 

We had a situation where we have a BDC of Domain H, which is in Mixed mode, on the same network as our Hosted Exchange Servers on Domain N, which is in Native Mode.
The Exchange Servers managed to establish a secure channel with Domain H's AD PDC, which is located in a different site from the Hosted Exchange Servers and Domain H's BDC.
When the Domain Admin of H moved one of their servers to a Site starting with A, we saw the secure channel get changed to the site with an A in it.

So our suspicions are as follows.

We believe authentication is served locally if possible (meaning on the same subnet).
If there are no local DCs and the domain is in mixed mode, it will use sites based on cost.
If there are multiple sites to choose from, it will then select a site based on its order in AD Sites & Services.

The reason why is that we moved the DC back to a site lower in the site list and it changed the secure channel.

Thanks,

Todd


[ActiveDir] Here's what the MVPs mean by NDA

2004-05-06 Thread deji Agba



I've decided to break ranks and reveal to the world EXACTLY what the MVPs are up to when they pay their annual pilgrimage to Redmond.

Every one of them comes and starts mouthing "It's NDA", "I really can't tell you", "Yeah, I heard that's coming soon but I can't say anymore..", etc, etc. Ever wonder why they do that?

Well for starters ... there's this hyper-secret "thing that can't be named" stuff that's supposed to come down the pipe VERY SOON. It was so secretive that only very few of the MVPs got to hear about it. I was there, I heard and saw it all.

So, here is introducing the super-secret, next-big-thing-since-the-invention-of-bubble-gum ... THE MICROSOFT DINING SERVICES.

http://www.readymaids.com/Default.aspx?tabid=38

Enjoy. And, please don't crash my server this time.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


RE: [ActiveDir] Replication issues

2004-04-29 Thread deji Agba



You know me, Joe. If you say it's like this, I believe you. I have no doubt about what you see, but I'm telling you, I lived through this for the most part of early last year. It did not work as billed. I worked long hours with PSS before they came out with Alock and the rest. Now, things are much different, and I agree that unless the PDCE is out to lunch, you should now not have to unlock accounts on local DCs.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Thu 4/29/2004 3:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication issues
The password will get replicated "out of band" [1] back to the PDC on a
password change. See
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/
security/bpactlck.mspx, specifically check the piece on "immediate
replication". 



"Theoretically, there should be no need for these tools, but in reality,
chaining did not work as designed."

Yes it actually does, I see it in action every single day. We process
thousands of password requests a day. It does work. Wherever the password is
changed, it gets back to the PDC and then whatever DC is hit, the request is
chained back to the PDC to allow the authentication. 


"before the locking out DC learns about the reset."

Lockouts are handled differently. Dig into the documentation. An unlock has
some special stuff around it in terms of how often it will go back and
check. I don't recall the details, however, not every attempt is sent back
to the PDC when the account is locally locked. I believe the logic was put
in to protect the PDC from DOSed from things like viruses and such that
pound the DCs. 


The "AvoidPDConWAN" will of course change the default functionality, that is
what it was designed to do. If someone blindly applied it without
understanding the repercussions, they deserve everything that happens to
them. See http://support.microsoft.com/default.aspx?scid=kb;EN-US;232690 /
http://support.microsoft.com/?kbid=225511 for more info on AvoidPDConWan
setting.

One other thing I want to point out that is usually documented horribly.
Password changes are urgently replicated within a site, not to all domain
controllers. So if you change a password, you will go through urgent
notification (i.e. bypassing the holdback time) within the site and those
DCs will replicate in an urgent manner [2]. Once you hit site boundaries
that are living with normal site link replication periods then you wait for
that replication period to come up to get that password sent across. So if
you have a 4 day wait on the link, then you wait that long to get that
replication through. If you don't have avoidpdconwan set though and you have
good connectivity, this will not be an issue. If you do, the very fact that
you set that setting means you WANT to have to go change the password on the
DC the user is using. In a simple environment this is a trivial thing to
work out (assuming proper configuration everywhere). In a large complex
environment this can be decidedly non-trivial.



  joe




[1] A specific RPC call is made. I have seen this in action with one of my
tools that watches DCs for changes and notifies on object modifications. The
longest delay I have seen has been about 500ms. However if the PDC is for
some reason unavailable, this call will fail and the password will get back
to the PDC through the standard replication methods.

[2] I don't believe however that the priority is any higher than any other
domain context change, just simply the notification is urgent which means
that if there is a queue on the inbound thread on what it is working on, it
will get thrown at the bottom of the items with the same priority.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 28, 2004 7:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication issues

It will get that password back immediately unless the PDC is really 
busy or
otherwise unavailable
The way I'm reading this is that you are saying password change will trigger
immediate replication to the PDCE. In my experience (which I don't have to
describe to you :)), this is not the case. Also, I may be misreading you
here, because, further now, you said:
 
What SHOULD happen is that the local DC should realize, hey this 
password
isn't correct and will do what is called a PDC Chaining to ask the PDC what
if the password specified is in fact ok [3] This is the way it works, I
agree here.
 
Now, you also said:
Assuming the PDC is available to that site, you should be able to 
change a
password anywhere on any DC and that password will get back to the DC.
This, too, is correct.
 
However the problem is the time it takes for the password change to get back
to the PDCE and then onward to the rest of 

RE: [ActiveDir] Replication issues

2004-04-29 Thread deji Agba



The password will get replicated "out of band" [1] back to the PDC on a password change. See http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx, specifically check the piece on "immediate replication".

I missed this. Let's hope I don't get smacked too hard for it. But, are you saying password change qualifies for "immediate" (or urgent) replication? Not according to this:
By default, urgent replication does not occur across site boundaries. Because of this, administrators should make manual password changes and account resets on a domain controller that is in that user's site.

This is what acctinfo addressed. This was the problem I was facing a year ago. My helpdesk admins in Santa Clara reset an EMEA (or Tokyo) user's password. They call up the user and say "here's your password", user tries it and hits the lockout threshold, BAM! user is locked out. User gets really PO'ed because now he can't get helpdesk, because helpdesk had left for the day shortly after calling user. I unlock user's account, which now triggers urgent replication, tell user "wait for about 5-10 minutes and try it". User is then able to login and make that million dollar sales presentation. I get bonus, and I'm still employed because I'm the "Guru". Helpdesk get the shaft and they are pissed at me for not telling them about this "feature".

Now, I will shut up. Really :)




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon



RE: [ActiveDir] blocking user access to terminal services via group policy

2004-04-28 Thread deji Agba



I think it would be better if you just clear the "Allow Logon to Terminal Service" attribute for all your users. Then you will come back and enable this attribute for any specific user you want to grant the right to. It's cleaner than trying to do this server-by-server. The problem with this, however, is that you will have to ALWAYS remember to clear this attribute from any new user account you create.

You can get snippets of code to clear and set "Allow Logon to Terminal Service" from MS Script Center http://www.microsoft.com/technet/community/scriptcenter/default.mspx




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Zach Huseby
Sent: Wed 4/28/2004 7:45 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] blocking user access to terminal services via group policy
 
I'm having a hard time figuring out the best way to block terminal service
access by user using group policy- is this something that can be addressed
by a user configuration setting or is this an issue better handled on the
terminal server- i.e. granting or denying 'log on locally' rights? I'm just
getting started implementing GPOs so forgive me if this seems simple.

Zach



RE: [ActiveDir] (OT?) Slow resume from computer Lock

2004-04-19 Thread deji Agba



It would more likely be DNS if this were happening on boot-up. But he says this happens on resumption from a locked state. More likely to be an AV or power-saving issue.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Bruce Clingaman
Sent: Mon 4/19/2004 6:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] (OT?) Slow resume from computer Lock
I did not mean to imply my antivirus was related to DNS. The av would do
scans and updates at unexpected times. 
Your problem looks like a DNS issue. Compare the settings between clients
that are slow to those that are not. Using DHCP? Is their dns entry being
updated? Firewall? Proxy?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of J0mb
Sent: Monday, April 19, 2004 8:22 AM
To: [EMAIL PROTECTED]
Subject: R: [ActiveDir] (OT?) Slow resume from computer Lock

Bruce,
I did dozens of tests, some of which involved disabling antivirus software.
How were DNS and antivirus related in your case?

Thank you

 
 
 It does look like a DNS issue. My antivirus software has caused these 
 symptoms on my network.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of J0mb
 Sent: Monday, April 19, 2004 3:43 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] (OT?) Slow resume from computer Lock
 
 This might be OT, if so I apologize.
 On my AD network, I have some clients needing a lot of time to resume
 from a computer lock. A user types his/her credentials to unlock and
 must wait 40-60 seconds before the desktop would be displayed. Using
 alternate credentials than the logged on user makes no difference.
 This is happening on some 10-12 WinXP machines out of 500. Win2000 and
 non-domain member clients seem not affected. I couldn't determine
 whether this might be related to a domain issue. Thanks all.
 
  
 
 
 




RE: [ActiveDir] logon scripts

2004-04-13 Thread deji Agba



What can I say? I'm still jet-lagged, I guess :)

Thanks for the pointer.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Roger Seielstad
Sent: Tue 4/13/2004 6:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Except Deji forgets one important piece of information (which is rare for him) - VBScript doesn't natively run on Win9x. It requires a separate install of Windows Scripting Host.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.




From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 12:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Smart guy.

:op

-rtk





RE: [ActiveDir] logon scripts

2004-04-12 Thread deji Agba



I don't have a Win9X to test this on, but Win2K/2K3/XP is fair game for this:

Set wshNetwork = WScript.CreateObject("WScript.Network")
Set wshShell = WScript.CreateObject("WScript.Shell")

' UNC paths of the shares to map
str_Group1_Share = "\\myserver\myShare1"
str_Exec_Share = "\\myserver\myShare2"
str_BS_Share = "\\myserver\myShare3"
str_Super_Share = "\\mySuperServer\SuperShare"
strDriveToMap = "H:"

' Bind to the logged-on user through the WinNT provider and walk its groups
usrName = wshShell.ExpandEnvironmentStrings("%USERNAME%")
Set usr = GetObject("WinNT://MyDomainName/" & usrName & ",user")

For Each grp In usr.Groups
    WScript.Echo grp.Name
    If grp.Name = "BS-Group" Then
        wshNetwork.MapNetworkDrive strDriveToMap, str_BS_Share
        Exit For
    ElseIf grp.Name = "SOME_GROUP" Then
        wshNetwork.MapNetworkDrive strDriveToMap, str_Group1_Share
        Exit For
    ElseIf grp.Name = "yet_Another_Group" Or grp.Name = "Super-DuperUser" Then
        wshNetwork.MapNetworkDrive strDriveToMap, str_Super_Share
        wshNetwork.MapNetworkDrive "K:", str_Exec_Share
        Exit For
    End If
Next

Set usr = Nothing
Set wshShell = Nothing
Set wshNetwork = Nothing

HTH




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Nathan Casey
Sent: Mon 4/12/2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] logon scripts

What is a recommended logon script solution that will work with win9x, win2k/xp clients for drive mapping, etc that works similar to Novell logon scripts?

Example:
IF MEMBER OF "GROUP" THEN BEGIN
 MAP H:=SERVER1\VOL1:
END



RE: [ActiveDir] logon scripts

2004-04-12 Thread deji Agba



I don't remember telling you my middle name :p




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Rick Kingslan
Sent: Mon 4/12/2004 9:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon scripts

Smart guy.

:op

-rtk





RE: [ActiveDir] Verifying DNS records of many DC's

2004-04-11 Thread deji Agba



Check them/verify them for what? Check if they exist or if they are good?




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: David Adner
Sent: Sun 4/11/2004 10:16 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Verifying DNS records of many DC's
What's the best way of verifying the AD related DNS records for a Domain
that has upwards of 100+ DC's?  I know dnslint.exe will check records, but
is there a way to get it to check the records for so many DC's easily?  Or
some other tool?  Thx


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
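
One way to answer the "check for what?" question for 100+ DCs, as an added example (editor's code, not from the original posts): for every DC known to Active Directory, confirm it is advertised in the domain-wide and site-specific LDAP SRV records and that its A record matches the address AD holds for it, and flag SRV targets that are no longer DCs. It assumes the ActiveDirectory and DnsClient modules (RSAT); $Domain and $DnsServer are parameters you supply.

```powershell
# Added example, not code from the original posts. Assumes the ActiveDirectory
# and DnsClient modules (RSAT). $DnsServer is an optional resolver to query;
# repeat the run against several DCs to compare their AD-integrated zone copies.
param(
    [string]$Domain    = $env:USERDNSDOMAIN,
    [string]$DnsServer = $null
)

$q = @{ ErrorAction = 'SilentlyContinue' }
if ($DnsServer) { $q.Server = $DnsServer }

$dcs      = Get-ADDomainController -Filter * -Server $Domain
$problems = New-Object System.Collections.Generic.List[string]

# Every DC must be advertised in the domain-wide LDAP SRV record ...
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV @q |
       Where-Object { $_.Type -eq 'SRV' }
$advertised = @($srv | ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() })

foreach ($dc in $dcs) {
    $fqdn = $dc.HostName.ToLower()

    if ($advertised -notcontains $fqdn) {
        $problems.Add("$fqdn : not listed in _ldap._tcp.dc._msdcs.$Domain")
    }

    # ... and in its own site-specific record, which clients in that site prefer.
    $siteSrv = Resolve-DnsName -Name "_ldap._tcp.$($dc.Site)._sites.dc._msdcs.$Domain" -Type SRV @q |
               Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget.TrimEnd('.').ToLower() -eq $fqdn }
    if (-not $siteSrv) {
        $problems.Add("$fqdn : no SRV record under _sites for site $($dc.Site)")
    }

    # The host record must exist and agree with the address AD knows for the DC.
    $a = @(Resolve-DnsName -Name $fqdn -Type A @q | Where-Object { $_.Type -eq 'A' })
    if ($a.Count -eq 0) {
        $problems.Add("$fqdn : no A record")
    } elseif ($a.IPAddress -notcontains $dc.IPv4Address) {
        $problems.Add("$fqdn : A record(s) $($a.IPAddress -join ', ') do not match $($dc.IPv4Address)")
    }
}

# Stale SRV targets that are no longer DCs send clients to dead (or re-registrable) names.
$known = @($dcs | ForEach-Object { $_.HostName.ToLower() })
foreach ($t in ($advertised | Where-Object { $known -notcontains $_ })) {
    $problems.Add("$t : advertised as a DC but not in Active Directory")
}

if ($problems.Count) { $problems } else { "All $($dcs.Count) DCs have consistent SRV and A records." }
```

A single resolver only shows one zone copy; running the check with -DnsServer against a handful of DCs in different sites is what turns up replication-lag and stale-record differences between AD-integrated zone copies.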



RE: [ActiveDir] OT: Logon-Script Help

2004-04-03 Thread deji Agba




For Each theComputer In aryP1
    If UCase(theComputer) = UCase(strComputer) Then
        Printer1
    End If
Next

I wonder why you have to put this in an array and do it this way. But then, you understand your requirement and setup better. Also, are the spaces in "\\Local_Print_Server \P1 " and the others just typos or intentional?



Sincerely,Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directorywww.akomolafe.comwww.iyaburo.comDo you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Raymond McClinnisSent: Sat 4/3/2004 2:33 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] OT: Logon-Script Help


Hi All;
Im trying to set up each computer at my remote locations to use a specific Default Printer (also needs to be mapped to LPT3: ) using an array. I used IFTHENELSEIF, but it required more coding than I really wanted to do (but it worked fine). After I put the Arrays in place no matter what the Computer Name it always executes Sub Printer1 and ignores Sub Printer2. Im pretty sure Im missing a call to the obj.Network.ComputerName or something, Im just not sure where to put it
Any help will be greatly appreciated.

Thanks in Advance,
Raymond McClinnis
Begin Script:

Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
strUser = objNetwork.Username
aryP1 = Array("COMPUTER1", " COMPUTER2", " COMPUTER3", " COMPUTER4")
aryP2 = Array("COMPUTER5", " COMPUTER6", " COMPUTER7", " COMPUTER8", " COMPUTER9")

'Logon script start
' Mapping ALL LOCAL Network Printers
objNetwork.AddWindowsPrinterConnection "\\Local_Print_Server \P1 "
objNetwork.AddWindowsPrinterConnection "\\Local_Print_Server \P2"
objNetwork.AddWindowsPrinterConnection "\\Remote_Print_Server \P1"
objNetwork.AddWindowsPrinterConnection "\\Remote_Print_Server \P2"
'--==In the event of \\Local_Print_Server Hardware failure, remove the ' from in front of \\Remote_Print_Server==--
'--==And put them in front of \\Local_Print_Server ==--

' Setting Default Printers by DEV#
For Each objNetwork.ComputerName In aryP1
    Printer1
Next
For Each objNetwork.ComputerName In aryP2
    Printer2
Next
wscript.echo "Your logon is Complete. Thank You, Have A Nice Day!"
wscript.Quit

Sub Printer1
    objNetwork.AddPrinterConnection "LPT3:", "\\Local_Print_Server\P1"
    objNetwork.SetDefaultPrinter "\\Local_Print_Server\P1"
    objNetwork.AddPrinterConnection "LPT3:", "\\Remote_Print_Server\P1"
    objNetwork.SetDefaultPrinter "\\Remote_Print_Server\P1"
    '--==In the event of \\Local_Print_Server Hardware failure, remove the ' from in front of \\Remote_Print_Server==--
    '--==And put them in front of \\Local_Print_Server ==--
End Sub

Sub Printer2
    objNetwork.AddPrinterConnection "LPT3:", "\\Local_Print_Server\P2"
    objNetwork.SetDefaultPrinter "\\Local_Print_Server\P2"
    objNetwork.AddPrinterConnection "LPT3:", "\\Remote_Print_Server\P2"
    objNetwork.SetDefaultPrinter "\\Remote_Print_Server\P2"
    '--==In the event of \\Local_Print_Server Hardware failure, remove the ' from in front of \\Remote_Print_Server==--
    '--==And put them in front of \\Local_Print_Server ==--
End Sub



RE: [ActiveDir] Server up/downtime

2004-03-28 Thread deji Agba



So say an Exchange Server that is responding to pings but isn't handling mail at all or not very well is considered UP for availability numbers.

This you handle by using the built-in Exchange monitoring tool. You can roll your own sink to monitor the queue and send you an alert IF it reaches a certain threshold or if it can't determine the threshold. I want to bet that you know this already and you are just picking on Exchange as usual ;)



Sincerely,Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directorywww.akomolafe.comwww.iyaburo.comDo you now realize that Today is the Tomorrow you were worried about Yesterday? -anon





RE: [ActiveDir] DNS not intergrating into AD

2004-03-22 Thread deji Agba



Carlos,

you did not mention your flavor of Windows. But I think what you described is a Win2K3 DNS behavior (EDNS-0) - especially since you mentioned ISA. Try http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_pro_ModifyEDNS.asp

HTH




Sincerely,Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directorywww.akomolafe.comwww.iyaburo.comDo you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Carlos MagalhaesSent: Sun 3/21/2004 10:10 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] DNS not intergrating into AD


Ok boys and girls I have a nice little question,

I have a single domain single forest setup. I have Active Directory Integrated domains. I have forwarders to an External DNS server. And I have a reverse lookup zone created.

Now the problems. I first noted that I can easily do internal name resolution, not a problem at all. Then I tried external domain resolution, thinking that the DNS server would use its wonderful forwarder to resolve the address, but it failed.

Here are the commands:

Nslookup

Default Server: internalDC.InternalDomain.net
Address: Internal IP

> SomeInternalMachine
Server: internalDC.InternalDomain.net
Address: Internal IP

Name: SomeInternalMachine.InternalDomain.net
Address: Internal IP



Nice

Ok now lets look at external lookup:

> google.com
Server: internalDC.InternalDomain.net
Address: Internal IP

DNS request timed out.
 timeout was 2 seconds.
*** Request to internalDC.InternalDomain.net


Hmm, which led me to believe it might be my ISA server, then I did another test:

> server ExternalDnsServer
DNS request timed out.
 timeout was 2 seconds.
Default Server: [ExternalDnsServer]
Address: ExternalDnsServer

> google.com
Server: [ExternalDnsServer]
Address: ExternalDnsServer

Name: google.com
Addresses: 216.239.57.99, 216.239.39.99, 216.239.37.99


So I deduce that I can do DNS queries in and out of the network (plus I checked all the Rules etc on the ISA server)
Now checking the DNS, there is no . (root) zone in my Forward lookup zones (there is one in my Cache zone, and if I delete it, it comes back).

Then I checked the famous RootDNSServers container in the Domain -> System -> MicrosoftDNS container; nothing there, there is only the reverse lookup zone data in that folder. Then I performed the task to net stop dns, net stop netlogon, copy cache.dns from the samples folder to the dns folder, net start netlogon, net start dns. Apparently this is supposed to recreate the RootDNSServers container in AD, but it doesn't (all these operations are being performed as Enterprise Admins).

I forced replication on all the servers replication is working and replicating but NO RootDNSServer object under MicrosoftDNS container.

Enabled auditing on the System container in AD for any success or failure and allowed it to be applied to its child objects, checked the child objects and the auditing was enabled. Tried the process above again, NOTHING in the event log, like DNS didn't even try to create the container (the DNS server is on the DC and is AD integrated).

So I thought what the heck, let me create a secondary DNS server on the other DC to see what is going on. When I created it the Forward lookup zones did not replicate but the reverse lookup zones did. I went to the primary DNS server and changed the DNS replication option from All DNS servers in the Active Directory Forest to All DNS servers in the Active Directory Domain (remembering that this is a ONE FOREST ONE DOMAIN setup). Then I refreshed the secondary DNS server and voila, the Forward lookup zones are there. Checked AD for the RootDNSServers container and it was there (but NO ROOT HINTS within the container as it's supposed to be). Then I thought ok, let me be clever and try the netlogon and DNS stop and start and copy Cache.dns file Q article to get everything wrong, and RootDNSServer disappeared again, and ever since I have followed everything I have done here and have not been able to get it back?

Thats the first problem, then I have 

FW
|
DC (DNS)

I am trying to get all clients to pass all forward requests to a DNS server address outside of the firewall. As you saw in the example above, if I specify that address with the SERVER EXTERNALDNSSERVERADDY command in nslookup it works, but it doesn't work with the domain controller passing the packets to that address EVEN THOUGH that address is set up as a FORWARDER.
The only replication error I had is when the time server went wacky; it put the one DC in 2003 and the other DC in 2004, then the replication failed and I had tombstone errors on replication. I applied the reg hack for the workaround (set the Strict Replication Consistency REG_DWORD value to 0 on the DCs getting the 'tombstone' error), then replicated and removed the registry setting.



I have almost lost hope and am thinking of creating a split brain DNS (I am not sure the advantages are really that great for this network  but I am sure you will convince 
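
The test the reply suggests (forwarder reachable directly, but not through the DC's own DNS service) and the EDNS0 change it points at, as an added example (editor's code, not from the original posts). It assumes Resolve-DnsName from the DnsClient module is available on the DNS server and uses dnscmd, the Windows Server 2003 tool the EDNS0 setting is documented for; $Forwarder and $Name are placeholders.

```powershell
# Added example, not code from the original posts. $Forwarder is a placeholder
# for the external DNS server configured as the forwarder; run this on the
# Windows DNS server itself (assumes the DnsClient module for Resolve-DnsName).
param(
    [string]$Forwarder = '203.0.113.53',
    [string]$Name      = 'google.com'
)

function Test-Lookup([string]$Server) {
    $r = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    return [bool]($r | Where-Object { $_.Type -eq 'A' })
}

$direct  = Test-Lookup $Forwarder      # stub query straight to the forwarder (what 'server X' in nslookup does)
$viaSelf = Test-Lookup '127.0.0.1'     # same name recursed through the local DNS service

"Direct to forwarder : $direct"
"Via local DNS server: $viaSelf"

if ($direct -and -not $viaSelf) {
    # The firewall passes the stub resolver's plain queries but not the DNS
    # service's recursive ones. On Windows Server 2003 the usual cause is the
    # EDNS0 OPT record the server adds (it advertises UDP answers above 512
    # bytes, which older packet filters, ISA among them, drop). Show the
    # current setting, then turn the EDNS0 probes off and retest.
    dnscmd /Info /EnableEDnsProbes
    dnscmd /Config /EnableEDnsProbes 0
    Restart-Service -Name DNS
    "Re-test via local DNS server: $(Test-Lookup '127.0.0.1')"
} elseif (-not $direct) {
    "The forwarder is unreachable from this host: check the firewall rule for UDP/TCP 53 from this server's address before touching DNS settings."
}
```

Disabling the probes is a workaround; the durable fix is a firewall rule that allows DNS over UDP larger than 512 bytes and over TCP 53 from the DNS server's own address, which is also what the ISA log at the time of the failed nslookup will show being denied.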

RE: [ActiveDir] DNS not intergrating into AD

2004-03-22 Thread deji Agba



Hate to make you do this, but it would help if you could explain some more about your config. 
If you look in the ISA log at the time you are issuing the nslookup against your DNS server, what do you see?
I see you made references to internalIP. Does this mean that this server is multi-home?
If you could, please post you ipconfig /all from the server and from a client.

One more thing, try removing the "forwarders" altogether. Then be sure that you allow this server to make DNS queries and receive DNS responses to the outside world.




Sincerely,Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directorywww.akomolafe.comwww.iyaburo.comDo you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Carlos MagalhaesSent: Mon 3/22/2004 7:41 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] DNS not intergrating into AD


Ok, here is the main test that seems to prove to me (I would like any suggestions out there on how to test the dns and firewall otherwise) that DNS queries via the firewall are working:

If I launch NSLOOKUP, specified SERVER externalDnsServe.domain.com ,then did a lookup on google.com it would resolve google.com, have a look at the results below.

But if I just do a nslookup , it resolves my internal DNS server, then try google.com , I get a DNS time out , again check below.

If you know any other way to check please let me know :) Thanks for you time and effort once again.

Carlos Magalhaes - [EMAIL PROTECTED] (if you want to chat directly:) )

Nslookup

Default Server: internalDC.InternalDomain.net
Address: Internal IP

> SomeInternalMachine
Server: internalDC.InternalDomain.net
Address: Internal IP

Name: SomeInternalMachine.InternalDomain.net
Address: Internal IP



Nice

Ok now let's look at external lookup:

> google.com
Server: internalDC.InternalDomain.net
Address: Internal IP

DNS request timed out.
 timeout was 2 seconds.
*** Request to internalDC.InternalDomain.net


Hmm, which led me to believe it might be my ISA server, then I did another test:

> server ExternalDnsServer
DNS request timed out.
 timeout was 2 seconds.
Default Server: [ExternalDnsServer]
Address: ExternalDnsServer

> google.com
Server: [ExternalDnsServer]
Address: ExternalDnsServer

Name: google.com
Addresses: 216.239.57.99, 216.239.39.99, 216.239.37.99


RE: [ActiveDir] OU design quandary

2004-03-04 Thread deji Agba



From where I'm sitting, Option 1 is out of the equation simply because I don't think you base OU design considerations on whether you search or query. OU is for "Administrative" convenience and I think it is best for your design to reflect your Organization structure, geography, and Administration setup. 




Sincerely,Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directorywww.akomolafe.comwww.iyaburo.comDo you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Mike BaudinoSent: Thu 3/4/2004 9:19 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] OU design quandary


All,

We are in the final stages of a global AD design for our company.  The
design will have two user domains -- one for North America and one for
Europe -- and it will have an empty root.  Each of the user domains will
have approximately 35,000 users.  Software distribution will be via Tivoli.

Two camps have emerged regarding OU structure and there's a rather large
gap between them.  I'm asking for your expert and experienced input to help
resolve this issue.

Camp one:
We're going to search instead of browse.  So put all users in a single
users OU, put all desktop machines in a single desktops OU, put all laptops
in a single laptops OU, put all IIS servers in a single OU, all SQL servers
in a single, etc, etc, etc.  Manage by groups instead of by OU in which the
object resides.

Camp two:
Regardless of whether we're going to search or browse, at some point having
office hierarchy in the OU design will be helpful enough that it's
necessary to build it now.  Users, desktops and laptops will be grouped as
child OUs to the office OUs.  Servers for applications will be grouped by
function and then by the , by the application suite or ASP that is
responsible for the application.  Allows more granular delegation and
application of group policy.


We have too little actual deployment and management experience in Active
Directory, especially this size, to make a definitive decision so I would
appreciate any and all feedback regarding the pros and cons.


Thanks,
Mike






[ActiveDir]

2004-03-03 Thread deji Agba




http://www.joeware.net/win32/zips/OldCmp.zip

Hello, Juan. Where have you been?



Sincerely,Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directorywww.akomolafe.comwww.iyaburo.comDo you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Juan IbarraSent: Wed 3/3/2004 9:12 PMTo: [EMAIL PROTECTED] activedir. org ([EMAIL PROTECTED])Subject: [ActiveDir] Clean up utility


We are going to an upgrade to AD from an NT 4.0 domain and I don't want to transfer all the old computer accounts that have been accumulating over time.

I am looking for a third party utility or a way to purge out old computer accounts from an NT 4.0 domain.

Any help is much appreciated.

Thanks,
juan




RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...

2004-02-29 Thread deji Agba



Man! You guys are good :) Thanks for digging this up.




Sincerely,Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directorywww.akomolafe.comwww.iyaburo.comDo you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Free, BobSent: Sun 2/29/2004 1:26 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...
Eric Fleischman mailto:[EMAIL PROTECTED] wrote:

 Willem do you happen to have the article that talks about it handy? I
 couldn't track it down.

This one?

810076 - Updates to Restricted Groups ("Member of") Behavior of
User-Defined Local Groups:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q810076


 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Willem
 Kasdorp Sent: Sunday, February 29, 2004 9:15 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote
 Management group from local admins...
 
 
 It's true. There is a XP post-SP1 hotfix for that. It works through
 Member
 Of, that no longer removes all members but just adds the one you
 need. I believe it works by default on W2003. I just deployed that
 capability. 
 
 
 3. Do something around restricted groups GPO though this is tough to
 do when you want different admins on different boxes.
 
 Can't you set restricted groups to do an 'add' rather than a
 'replace'? I thought that was a w2k sp4 / xpsp1 / 2003 change that
 was made. If there
 is doubt that I can dig up some documentation on itI'd swear I
 read this
 before but it has been a while.
 
 ~Eric
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Friday, February 27, 2004 10:56 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote
 Management group from local admins...
 
 You can't stop them from removing it.
 
 I would think to use one of several solutions once it is removed
 however. I
 will let you pick.
 
 1. Have a script that watches for the removal of your group from the
 local
 admins group. If it occurs, the machine gets kicked out of the domain.
 They
 should get the hint shortly.
 
 2. Have a startup script from a GPO put the group back in the admins
 group
 every time the machine reboots.
 
 3. Do something around restricted groups GPO though this is tough to
 do when
 you want different admins on different boxes.
 
 4. Set up a special service that monitors that group and makes sure
 the remote management group is always there. You could write it to be
 fast enough to put it back before their command that removes it
 returns from removing.
 
 
 When you are an admin of a box it is very difficult to be stopped from
 doing
 things on the box.
 
 
 
 -
 http://www.joeware.net   (download joeware)
 http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Todd
 Povilaitis Sent: Friday, February 27, 2004 6:02 PM
 To: ActiveDir (E-mail)
 Subject: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote
 Management
 group from local admins...
 
 We have a few developers where their domain user account is a member
 of Local Admins group.  With this privilege, some have elected to
 delete the
 DOMAIN\Remote Management group from the Local Admins group.  Among
 other things, this interferes with maintenance routines utilizing WMI
 and or Remote Scripting.  Is there any to delete inhibit DOMAIN\Remote
 Management
 group from Local Admins?
 
 __
 Todd Povilaitis
 LAN Administrator
 Huntington Hospital
 [EMAIL PROTECTED]
 Phone: (626) 397-3392
 Fax: (626) 397-2901
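
The two of joe's options that need code, a startup script that puts the group back (option 2) and a check that shows who removed it (option 1), as one added PowerShell example (editor's code, not from the original thread). 'DOMAIN\Remote Management' is the group from the post; the event source name is an assumption, and it relies on the Get-/Add-LocalGroupMember cmdlets. The declarative alternative is the Restricted Groups "Member of" behaviour in KB 810076, which adds the group without wiping the rest of the membership.

```powershell
# Added example, not code from the original thread. Deploy as a GPO computer
# startup script so it runs as SYSTEM; a local admin can still undo it, as joe
# says, but every removal now costs them a reboot and leaves an audit trail.
$required = 'DOMAIN\Remote Management'
$source   = 'AdminGroupEnforcer'          # assumed event source name

if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

# Compare on name; Get-LocalGroupMember reports domain principals as 'DOMAIN\Name'.
$members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
             ForEach-Object { $_.Name })

if ($members -notcontains $required) {
    Add-LocalGroupMember -Group 'Administrators' -Member $required
    Write-EventLog -LogName Application -Source $source -EventId 1001 -EntryType Warning `
        -Message "'$required' was missing from the local Administrators group and has been re-added."
}

# Attribution: Security event 4733 (member removed from a security-enabled local
# group) carries the actor. Needs 'Audit Security Group Management' success
# auditing; pre-Vista systems log event 637 with the same meaning.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4733 } -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -eq 'Administrators' } |
    Select-Object TimeCreated,
        @{ n = 'Actor';      e = { "$($_.Properties[7].Value)\$($_.Properties[6].Value)" } },
        @{ n = 'RemovedSid'; e = { $_.Properties[1].Value } }
```

Forward the 4733/1001 events to a central collector: the point of the check is not to stop a local admin, which cannot be done, but to make the removal visible to someone who is not that admin.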




RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...

2004-02-28 Thread deji Agba



I, for one, would be VERY interested in that documentation. I hope it's true and that MS has reworked the whole "Restricted Group" thingy. I personally got so badly burned by the lack of thought/testing that went into the original design, I have so far been scared of even thinking about anything with "Restricted" in its name.




Sincerely,Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directorywww.akomolafe.comwww.iyaburo.comDo you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Eric FleischmanSent: Sat 2/28/2004 12:59 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...
I'm not a group policy expert but Joe with this point:

 3. Do something around restricted groups GPO though this is tough to
do
 when you want different admins on different boxes.

Can't you set restricted groups to do an 'add' rather than a 'replace'?
I thought that was a w2k sp4 / xpsp1 / 2003 change that was made. If
there is doubt that I can dig up some documentation on itI'd swear I
read this before but it has been a while.

~Eric





RE: [ActiveDir] Off-topic: ISA Server and WMI

2004-02-25 Thread deji Agba



I'd ask Jim Harrison at MS ([EMAIL PROTECTED]). He has his own corner on isaserver.org, and if 2 people can help you, I think Jim would be one of the 2.



Sincerely,Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directorywww.akomolafe.comwww.iyaburo.comDo you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Creamer, MarkSent: Wed 2/25/2004 6:17 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Off-topic: ISA Server and WMI


ISA is installed in integrated mode. As an example, I'd like to chart the number of current users in Denika Performance Trender (which works with WhatsUp Gold).

I have limited exposure to WMI. I've used some WMI scripts successfully, but they all have been specific to Windows or the hardware, rather than focused on an application (e.g. ISA).

ISA has specific counters in the Performance applet, so I thought that meant there are some WMI providers (is that the right word?) that I could use in Denika. But I haven't found any documentation of such.

Thanks!


mc
-Original Message-From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 25, 2004 9:05 AMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Off-topic: ISA Server and WMI


Do you have a little more detail? What are you wanting to monitor and how do you have ISA deployed (firewall or proxy or both?)

-Original Message-From: Creamer, Mark [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 24, 2004 4:42 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Off-topic: ISA Server and WMI
Am having trouble finding documentation on WMI as far as what I can use it for with ISA server. We're using What's Up Gold for basic monitoring and the admin tells me if I can provide WMI objects for him to collect data on, he can report on it in WUG. Thanks for any help on that, as always

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do



RE: [ActiveDir] Off-topic: ISA Server and WMI

2004-02-25 Thread deji Agba



OK, just to explain, before anyone asks. I posted Jim's official email address only because it's publicly available. That notwithstanding, I still believe I was wrong to have posted it and I went "ps" just after I clicked "Send", so I feel the need to seriously apologize for the oversight.




Sincerely,Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directorywww.akomolafe.comwww.iyaburo.comDo you now realize that Today is the Tomorrow you were worried about Yesterday? -anon





RE: [ActiveDir] Disaster Recovery Test

2004-02-25 Thread deji Agba



So, where's the DNS server for domain.net?




Sincerely,Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directorywww.akomolafe.comwww.iyaburo.comDo you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Jennifer FountainSent: Wed 2/25/2004 8:35 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Disaster Recovery Test
Hi Guys/Gals

I have hit a road block on my disaster recovery test on my test box.

Here is what I have done:

1.	Install Windows 2000
2.	Install latest Service Pack
5.	Restore C, D and system state while in "Normal" mode.  Deselect
boot.ini, ntldr and ntdetect.com before restoring.
6.	BEFORE YOU REBOOT, DO THE FOLLOWING:
*	Remove any NIC drivers
*	Remove any Video drivers
7.	Reboot into Directory Services Repair Mode
8.	Log in as the Directory Service Repair userid
9.	At a command prompt, type "NTDSUTIL" and then press ENTER. 
10.	Type "AUTHORITATIVE RESTORE" and then press ENTER. 
11.	Type "RESTORE DATABASE", press ENTER, click OK, and then click
Yes.
12.	Reboot and confirm the restore was successful.

When I boot, I cannot access the DNS for my local zone.  I have 4 zones,
domain.net, domain1.net etc.  I can nslookup all the other domains but
not the domain.net which is the "main" AD domain (when I look at system
properties, I do see the domain as domain.net)

Any thoughts on what I did wrong?

This is different hardware, I did not install DNS prior and I did not
create the AD infrastructure prior to reinstalling.


Kind Regards,

Jennifer Fountain
3400 E. Walnut Street
Colmar, PA 18915



RE: [ActiveDir] Removing AD from Exchange Server +

2004-02-24 Thread deji Agba



Will there be any problems in demoting all but dc01?
I am inferring from this that you are on a Win2K domain :). I would say leavingONLYdc01 is not a "good thing" for Single Point of Failurereasons. However, you can "do it", although I recommend that you leave 2 DCs. To answer your question directly, unless DC01 has all the FSMO roles AND is a Global Catalog, yes there could be tons of troubles. The saving grace is that IF you properly demote the rest of the DCs, the roles will eventually get dumped on the last standing DC (dc01 in your case). Just to be sure that this is the case, though, you want to read http://support.microsoft.com/default.aspx?scid=kb;en-us;255690and be sure that you manually transfer the roles to dc01 before you start your demotion exercise.

As for the GC, you want to be sure that the last standing DC(s) is (are) Global Catalog(s), otherwise things WILL break.



Sincerely,Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directorywww.akomolafe.comwww.iyaburo.comDo you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Michael McCannSent: Tue 2/24/2004 7:21 AMTo: '[EMAIL PROTECTED]'Subject: [ActiveDir] Removing AD from Exchange Server + 


Hey guys, been reading the list for a while now and have to first say thanks.. There's a tonne of info provided here.. 

I have a few DC's at my primary site that I want to demote.. here's an output of an nltest on my site:

C:\> nltest /server:dc01 /dclist:xxx
Get list of DCs in domain 'xxx' from '\\BACKUP01'.
 vfc1.xxx.yyy [DS] Site: Default-First-Site-Name
 dc01.xxx.yyy [PDC] [DS] Site: Default-First-Site-Name
backup01.xxx.yyy [DS] Site: Default-First-Site-Name
 MAIL01.xxx.yyy [DS] Site: Default-First-Site-Name
The command completed successfully

vfc1 is about to be decommissioned, backup01 used to be the PDC at one point in time (before I started), MAIL01 is our exchange server.. 

Will there be any problems in demoting all but dc01? 

(Please bear with me, I am a programmer that has to wear the network support hat every once and a while)


Thanks in advance, 
Mike
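
The pre-demotion check the reply describes, as an added PowerShell example (editor's code, not from the original post): list the five FSMO holders and the GCs, transfer every role dc01 does not already hold to it, and make dc01 a Global Catalog if it is not one. It assumes the ActiveDirectory module and a DC it can talk to (not the Win2K-era tools of the post); 'dc01' is the surviving DC named in the post.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module (RSAT against a DC running AD Web Services). Run with Domain Admin
# rights, plus Schema Admin for the schema master transfer.
$survivor = 'dc01'

$domain = Get-ADDomain
$forest = Get-ADForest

$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

"Current FSMO holders:"
$roles.GetEnumerator() | ForEach-Object { "  {0,-20} {1}" -f $_.Key, $_.Value }
"Global catalogs:      $($forest.GlobalCatalogs -join ', ')"

$target  = Get-ADDomainController -Identity $survivor
$missing = @($roles.GetEnumerator() |
             Where-Object { $_.Value -ne $target.HostName } |
             ForEach-Object { $_.Key })

# Transfer, not seize: the current holders are still online, so the handover is
# clean and the old holders know they no longer own the role.
if ($missing.Count) {
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $missing -Confirm:$false
    "Transferred to $($target.HostName): $($missing -join ', ')"
}

# The last DC standing must be a GC, otherwise logons (and Exchange) break.
# Bit 1 of 'options' on the NTDS Settings object enables the GC role.
if (-not $target.IsGlobalCatalog) {
    $ntds = Get-ADObject -Identity $target.NTDSSettingsObjectDN -Properties options
    Set-ADObject -Identity $ntds -Replace @{ options = ([int]$ntds.options -bor 1) }
    "Enabled Global Catalog on $($target.HostName); let it finish building before demoting the others."
}
```

Run it again after the transfers and wait for the GC to report ready (Directory Service event 1119) before starting dcpromo on the other servers; the infrastructure master living on a GC is harmless once every remaining DC is a GC.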



RE: [ActiveDir] Dcdiag.exe giving problems.

2004-02-23 Thread deji Agba



I don't know if anyone has mentioned this or not, but it appears to me that you are a victim of the SP4-Single-labelled-domain-name "bug", which is not really a bug. Read more on it here:
http://support.microsoft.com/default.aspx?kbid=300684

Then follow discussions about it here:
http://www.mcse.ms/message264120.html
http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20799755.html





Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Abhishek Sharma
Sent: Sun 2/22/2004 10:42 PM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Dcdiag.exe giving problems.
Hi Eric,

THANKS FOR UR REPLY.
MY ANSWERS ARE IN UPPER CASE.

0) Does the following work to register, if not please tell us the errors
thrown: ipconfig /registerdns

FOLLOWING IS THE OUTPUT:
C:\Documents and Settings\Administrator>ipconfig /registerdns
Windows 2000 IP Configuration
Registration of the DNS resource records for all adapters of this computer
has been initiated. Any errors will be reported in the Event Viewer in 15
minutes.


1) Does netlogon.dns have all of the appropriate records in it? If you
restart netlogon do you get DNS registration errors in the event logs?

I AM RUNNING THE TESTS WITHOUT ACTIVE DIR INSTALLED, HENCE THE NETLOGON.DNS
FILE IS NOT PRESENT AND ALSO A RESTART OF NETLOGON SERVICE FAILS AS THE
SYSTEM IS IN A WORKGROUP.


2) Noticed that you have a single label domain name (admin)... do you
have the single label domain name reg changes in place?

WHAT IS THE "reg" CHANGES THING?
I HAVE CHECKED IN THE REGISTRY AND THERE ARE CORRECT ENTRIES FOR THE
HOSTNAME AND DOMAIN NAME OF THE SYSTEM.
IS THERE ANY SPECIFIC ENTRY WHICH NEEDS TO BE LOOKED UPON?

3) Can you paste in the actual command and such that you issued? I can
tell you did not do this below as your re-type of the command has a typo
in it. An actual cut-and-paste would be a bit more useful.

SORRY FOR THE TYPO,
HERE IS THE COMMAND:

E:\Program Files\Support Tools>dcdiag /test:DcPromo /DnsDomain:admin
/newforest

E:\Program Files\Support Tools>dcdiag /test:RegisterInDns /DnsDomain:admin
/newforest




--
thanks,
Best regards,

Abhishek Sharma | Network Architect | netdecisions
Mumbai Software Development Centre
6th Flr, MET Building, Gen. A.K.Vaidya Chowk
Bandra Reclamation, Bandra (W), Mumbai 400050. INDIA
t Direct - +91 22 2644 0564, Board - +91 22 2644  - Extn: 564.  
f +91 22 2655 8048
Email : [EMAIL PROTECTED]
Website: www.netdecisions.com
 



-Original Message-
From: Eric Fleischman [mailto:[EMAIL PROTECTED]
Sent: Monday, February 23, 2004 12:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Dcdiag.exe giving problems.


A few other thoughts come to mind:
0) Does the following work to register, if not please tell us the errors
thrown: ipconfig /registerdns
1) Does netlogon.dns have all of the appropriate records in it? If you
restart netlogon do you get DNS registration errors in the event logs?
2) Noticed that you have a single label domain name (admin)... do you
have the single label domain name reg changes in place?
3) Can you paste in the actual command and such that you issued? I can
tell you did not do this below as your re-type of the command has a typo
in it. An actual cut-and-paste would be a bit more useful.

~Eric



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, February 22, 2004 10:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Dcdiag.exe giving problems.

If it is a problem on a hardened and unhardened machine this is most
probably in DNS. Do you have dynamic updates enabled?

Go into DNS with the admin tools and look for the GUID record specified
below and verify manually it is there. Alternatively you can do an
nslookup
on it, it will be a cname. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Abhishek Sharma
Sent: Friday, February 20, 2004 7:45 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Dcdiag.exe giving problems.


Hello all,

I am facing a problem in using dcdiag.exe.
I am using dcdiag.exe to diagnose the installation/configuration of a
hardened Windows 2000 box.
I have configured DNS server and there is no problem in the name
resolution.
When I used dcdiag.exe on a hardened box without ADS installed, I got the
following result:

E:\Program Files\Support Tools>dcdiag /test:DcPormo /DnsDomain:admin
/newforest

   Starting test: DcPromo
      Messages logged below this line indicate whether this domain controller
      will be able to dynamically register DNS records required for the
      location of this DC by other devices on the network. If any
      misconfiguration is detected, it might prevent dynamic DNS registration
      of some records, but does not prevent successful completion of the
      Active Directory Installation Wizard. However, we recommend fixing the

RE: [ActiveDir] Exchange Migration with Domain

2004-02-23 Thread deji Agba



First take a look at this: http://support.microsoft.com/default.aspx?scid=%2fservicedesks%2fwebcasts%2fwc031803%2fwcblurb031803.asp

Like they say, there are many ways to skin a cat (apologies to all animal lovers :)). 
Starting with one DC. 
Add a BDC, make sure this machine is a good one because we will eventually make it "The DC".
For redundancy/fall-back/ooops, install a second BDC and take that offline.
Now Promote the First BDC to PDC. The Original PDC will automagically become a BDC.
If no "special" reason for you to change the Domain Name, then just upgrade the new PDC to Win2K3.
Don't mess with the "Functional Domain Level" stuff.
Test mail flow and every service and be sure all OK.

Get a new server that will host your Exchange. Don't try to cheat. It's not a "good idea" to put Exchange on your DC, even though you can legally and technically do it.
Install W2K3 and E2K3 on this server, making sure that you install it into the Original Exchange Org
Test sending mail from this server to some test internal and external addresses.
If all OK, then use Active Directory Users and Computers to move the mailboxes (using the "Exchange Tasks" wizard) from the 5.5 to the 2003
See http://www.microsoft.com/usa/webcasts/ondemand/2340.asp
After moving the mailboxes, you will need to move more stuff. See http://support.microsoft.com/default.aspx?scid=kb;en-us;307917
and this http://support.microsoft.com/default.aspx?kbid=284148

I have probably overlooked a thing or 2, but the general idea here should get you started in the right direction.



Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Network Administrator
Sent: Mon 2/23/2004 7:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Exchange Migration with Domain
It's happy newb question time!  This might be better oriented toward an
Exchange list, but since it's regarding a domain migration, I thought I'd
try here first.

My employer recently acquired a small firm with a horribly maintained NT4
domain.  It consists of a single (!) domain controller running all network
services, SQL 7, Exchange 5.5, and a myriad of third party software.
Suffice it to say it's in real bad shape and their entire network is a
ticking time bomb.

Anyway, I'm looking into rolling out two new 2003 domain controllers and
using ADMT to migrate from the NT4 domain to a new 2003 AD.  I'm wondering
if it would be possible to keep the Exchange 5.5 server in place for the
moment once I've rolled out the new domain.

I'd like to leave a couple weeks leeway to `fix the quirks' with the domain
migration before migrating the mail server to Exchange 2003, but at this
point I'm not entirely certain that will be possible.

My understanding is that you can't `decommission' an NT4 PDC per se, but
that you must simply `pull the plug' on the last domain controller.  Is that
true?  The network migration will be difficult enough without having to
worry about migrating the SQL server and Exchange server at the same time.
I'll have enough things to track down as it is!

So, if you folks could set me straight, I'd greatly appreciate it.  Thanks!

-James R. Rogers



RE: [ActiveDir] AD lists Last Name in the First Name Field

2004-02-20 Thread deji Agba



http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q300427
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q277717




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Grantham, Caron
Sent: Fri 2/20/2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD lists Last Name in the First Name Field



We used a 3rd Party Migration Tool (BindView) to migrate user accounts, mailboxes and profiles and now we have a problem wherein the AD properties for a user show up with their last name in the first name field and first name in the last name field. The GAL and the name display properties are correct however.
The problem exists when a user wishes to search by first name in Outlook.

My question: Is there an easy way or another tool we can use to fix these fields?
We don't want to use the cumbersome CSV import/export tool to do this unless it's our only option.


Caron Grantham
Chicago Housing Authority
Information Technology Services
[EMAIL PROTECTED]
312-742-2731
Working smarter towards a common goal -- EFFICIENCY

This e-mail and any files transmitted with it are the property of CHA, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named
recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender at 312-742.4000 and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited.
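An added example for the problem in this thread, not code from the original post or from the BindView tool: a PowerShell script that uses the (correct) displayName as the reference, finds only those accounts whose givenName and sn are provably swapped, and swaps them back with Set-ADUser. It assumes the RSAT ActiveDirectory module, that displayName is in "First [Middle] Last" form, and a placeholder OU path; nothing is written until `$Apply` is `$true`.

```powershell
# Added example, not from the original thread: find accounts whose givenName
# and sn were swapped by the migration, using displayName as the reference,
# and swap them back. Assumes the RSAT ActiveDirectory module and a
# placeholder OU path. Nothing is written until $Apply is $true.
Import-Module ActiveDirectory

$SearchBase = 'OU=Migrated,DC=example,DC=com'   # placeholder; your migrated OU
$Apply      = $false

$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties givenName, sn, displayName

$swapped = foreach ($u in $users) {
    if (-not $u.displayName -or -not $u.givenName -or -not $u.sn) { continue }
    $parts = $u.displayName.Trim() -split '\s+'
    if ($parts.Count -lt 2) { continue }      # mononym: cannot judge, leave it
    $first = $parts[0]
    $last  = $parts[-1]
    # Only touch accounts that are provably swapped: givenName equals the
    # display-name surname AND sn equals the display-name first name.
    # "Lee Lee" is excluded (swap would be a no-op); a "Last, First" display
    # name never satisfies the test, so comma-form names are left alone.
    if ($u.givenName -ieq $last -and $u.sn -ieq $first -and $first -ine $last) { $u }
}

Write-Host ("{0} of {1} users in {2} look swapped" -f @($swapped).Count, @($users).Count, $SearchBase)

foreach ($u in $swapped) {
    $newGiven = $u.sn
    $newSn    = $u.givenName
    Write-Host ("{0}: givenName '{1}' -> '{2}', sn '{3}' -> '{4}'" -f $u.SamAccountName, $u.givenName, $newGiven, $u.sn, $newSn)
    if ($Apply) {
        # -GivenName/-Surname map to givenName/sn; displayName is untouched,
        # which is what you want since the GAL already shows it correctly.
        Set-ADUser -Identity $u -GivenName $newGiven -Surname $newSn
    }
}
```

Run it once with `$Apply = $false`, read the list it prints (the strict match means users with a middle name in displayName are still handled, but anything it cannot prove is skipped rather than guessed), and only then flip the switch. The same loop is what the CSV import/export route would do by hand, without the round trip through a spreadsheet.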



RE: [ActiveDir] OU/Computer accounts reorganization

2004-02-20 Thread deji Agba



I just posted this from my archives http://www.akomolafe.com/DesktopModules/ViewDocument.aspx?DocumentID=30.
Not pretty, but works.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: J0mb
Sent: Fri 2/20/2004 6:24 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OU/Computer accounts reorganization
Good morning,
We work in a native windows 2000 AD Architecture, with a single domain and 4
sites.
Computer accounts have been organized into OUs according to which site they
belong to.
Unfortunately the reorganization wasn't performed well. We have cases of
machines that were placed in the wrong OUs with subsequent problems with
group policies which, in many cases, are linked to the Organizational units.

There are thousands of PC accounts, unfortunately machine names do not help
to determine their site.

Anybody might want to suggest the best strategy to reorganize the PC
accounts (maybe a script, or a commercial tool)?

Thanks

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
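An added example for the question in this thread, not the script Deji links to and not from the original post: since machine names do not reveal the site, the script derives each computer's site from its current IPv4 address and the subnet-to-site table already maintained in AD Sites and Services, then moves the account to that site's OU. It assumes the RSAT ActiveDirectory module (Get-ADReplicationSubnet needs the 2012 or later module); the search base, the site names and the OU DNs in `$SiteOu` are placeholders. Moves run with -WhatIf until `$Apply` is `$true`.

```powershell
# Added example, not from the original thread: move computer accounts into a
# per-site OU by resolving each computer's IPv4 address and matching it
# against the AD subnet-to-site table. Assumes the RSAT ActiveDirectory
# module; $SearchBase, site names and OU DNs are placeholders.
Import-Module ActiveDirectory

$Apply      = $false
$SearchBase = 'OU=Workstations,DC=example,DC=com'                # placeholder
$SiteOu = @{                                                      # placeholder map
    'Default-First-Site-Name' = 'OU=HQ,OU=Workstations,DC=example,DC=com'
    'Branch-North'            = 'OU=North,OU=Workstations,DC=example,DC=com'
}

function ConvertTo-IpInt([string]$Ip) {
    # Dotted quad -> Int64 in host order (Int64 sidesteps unsigned quirks).
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)
    [int64][BitConverter]::ToUInt32($b, 0)
}

function Test-InSubnet([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    $mask = ([int64]0xFFFFFFFF -shl (32 - [int]$bits)) -band [int64]0xFFFFFFFF
    ((ConvertTo-IpInt $Ip) -band $mask) -eq ((ConvertTo-IpInt $net) -band $mask)
}

# AD subnet objects carry the CIDR as Name and the site as a DN. Resolve the
# site name once and sort longest prefix first so a /24 wins over a /16.
$subnets = Get-ADReplicationSubnet -Filter * |
    Where-Object { $_.Site -and $_.Name -notmatch ':' } |      # skip unassigned and IPv6
    ForEach-Object {
        [pscustomobject]@{
            Cidr = $_.Name
            Bits = [int]($_.Name -split '/')[1]
            Site = (Get-ADReplicationSite -Identity $_.Site).Name
        }
    } | Sort-Object Bits -Descending

$computers = Get-ADComputer -Filter * -SearchBase $SearchBase -Properties DNSHostName

foreach ($c in $computers) {
    if (-not $c.DNSHostName) { continue }
    try {
        $ip = [System.Net.Dns]::GetHostAddresses($c.DNSHostName) |
              Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
    } catch { Write-Warning "$($c.Name): DNS lookup failed, skipping"; continue }
    if (-not $ip) { continue }

    $match = $subnets | Where-Object { Test-InSubnet $ip.IPAddressToString $_.Cidr } | Select-Object -First 1
    if (-not $match) { Write-Warning "$($c.Name) ($ip): no AD subnet covers this address"; continue }

    $target = $SiteOu[$match.Site]
    if (-not $target) { Write-Warning "$($c.Name): no OU mapped for site $($match.Site)"; continue }
    if ($c.DistinguishedName -like "*,$target") { continue }   # already in place

    Write-Host "$($c.Name): $ip in $($match.Cidr) -> site $($match.Site) -> $target"
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $target -WhatIf:(-not $Apply)
}
```

The weak link is DNS: a stale A record puts a machine in the wrong site, and laptops that roam between sites will look wrong on any given day, so review the warnings and the proposed moves before applying, and do it in batches, because moving an account changes which GPOs it receives at the next refresh, which is the very problem the original reorganization caused.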



RE: [ActiveDir] OY: Adding a 2nd Exchange server...

2004-02-18 Thread deji Agba



will we end up having to re-point all of our e-mail clients, or is that all automatic?
It depends. It "should" be transparent, but my personal experience is that Office XP and above clients tend to auto-discover the changes very seamlessly. Older clients have more often than not required manual reconfiguration. This could be due to the fact that the time between moving the mailboxes and when the end-users "HAVE" to connect to the server is always very short.



Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Raymond McClinnis
Sent: Tue 2/17/2004 4:48 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OY: Adding a 2nd Exchange server...
Hello all,

My company is getting ready to deploy a 2nd Exchange 2k box to eventually
replace our old Exchange 2K box.  Are there any special precautions we need
to take before implementation?  Also, when we pull the old one down, will we
end up having to re-point all of our e-mail clients, or is that all
automatic?

Thanks in advance,

Raymond McClinnis




RE: [ActiveDir] AD Protected groups

2004-02-16 Thread deji Agba



That's a very interesting take. Very intriguing indeed . The voices in my head ... :)




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Rich Milburn
Sent: Mon 2/16/2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Protected groups


Deji wrote:
...It's just my way of pointing out that this is not a localized incident. They are all reading from the same economic page, shedding needed manpower and cutting supports to their PAYING customers. At the end of the day, they all report some very outrageous bazillion dollars in profits and everyone smiles.

It's a very sad state things are getting in; then again, from what I read below, there's a need. If vendors can't meet that need (or won't because they won't keep the staff on hand to meet requirements) then someone is going to. That's just basic business. There's a demand, and I suspect it's growing. Who's the supply?

Rich





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Saturday, February 14, 2004 7:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Protected groups



Unfortunately a decision was made to start using IBM... the service is worse than Dell's service and we didn't think it was possible to get worse service than what we got from Dell.

Actually had a problem last week where the response is, ok we will see you tomorrow morning. This was when the call went in at like noon. That 4 hour SLA took 24 hours to handle



Joe, I don't really think this is an "IBM thing" anymore. I think the litany of displeasure and horror stories can be applied to virtually most of the vendors these days. I had a particularly horrific experience with the Fiorina Cartel (you know, the "no god-given rights" company) where they could not find a certain 36Gig hard drive anywhere in the whole continental USA to service a server under their 4-hr contract. They were very effusive in their apologies, but I did not get a drive until the 6th day of placing the original call.



I just had a particularly dis-heartening experience with MS where an "Exchange-Down" call to PSS, placed around 4:00pm resulted first in a 90 minutes hold time before a "Duty Manager" informed me that MS was "swamped" and every call was now being handled on a "3-hour call back" basis. Then after the 3 hours had expired without anyone checking in with me, I called MS again only to be told that the "3-hour call back" had been slightly adjusted to a "6-hour call back". I did not get a call until 2:00am the following day. A "10-hour" response to a critical situation such as an "exchange-down" situation is not what I'd call acceptable.



This is not a defense of IBM, or an attempt to say "Live with it". It's not a knock on any particular vendor either. It's just my way of pointing out that this is not a localized incident. They are all reading from the same economic page, shedding needed manpower and cutting supports to their PAYING customers. At the end of the day, they all report some very outrageous bazillion dollars in profits and everyone smiles.





Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon





---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.


RE: [ActiveDir] Active Directory Design Issues

2004-02-14 Thread deji Agba



You will find most of what you need for your project planning here:
http://www.microsoft.com/technet/prodtechnol/ad/windows2000/plan/bpaddsgn.asp
and here
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookintr.asp




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Kent Maxwell
Sent: Sat 2/14/2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Active Directory Design Issues

I am working on a Windows 2003 ADS design for an organization with multiple locations. We have decided to have a single forest with a single domain. We are planning to create a separate OU for each organization to keep their computers, groups, and users in. Each location needs to have administrative control over its servers, users, groups, etc. Does anyone know where I can find good planning and deployment guides that demonstrate best practices on how to create this type of scenario?
Thanks, 
Kent

This e-mail is intended for the use of the addressee (s) only and may contain privileged, confidential, or proprietary information that is exempt from disclosure under law. If you have received this message in error, please inform us promptly by reply e-mail, then delete the e-mail and destroy any printed copy. Thank you.


RE: [ActiveDir] MS04-007 checking

2004-02-14 Thread deji Agba



In case anyone here is having difficulties justifying (to management) the "urgent" need to patch systems against this new vulnerability, here's one for your ammunition:
There is now a "Proof of Concept" exploit code that exploits this vulnerability. The clock is now ticking in the race for another Blaster. I am not sure if it's OK to post URL to exploits here, so I will err on the side of prudence and say if you need to know where, email me.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Rimmerman, Russ
Sent: Fri 2/13/2004 9:21 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-007 checking

Might check with RetinA (http://www.eeye.com/). We're using Patchlink to not only detect, but patch and deploy software as well.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 13, 2004 11:06 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] MS04-007 checking

Does anyone know of a tool to make sure that all the users have this patch applied? I know Microsoft had something for the Blaster and was wondering if anyone has anything that would check to make sure this patch has been applied?

Thanks again
Ryan McDonald



~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
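An added example for the question in this thread, not from the original post and not the Retina or Patchlink tooling mentioned above: a PowerShell sweep that asks each computer in a list which hotfixes it has and reports three states, patched, missing and unreachable. It assumes admin rights and DCOM/RPC reachability to the targets; the computer list is constructed and the KB id is a placeholder to fill in from the MS04-007 bulletin.

```powershell
# Added example, not from the original thread: sweep a list of computers and
# report which lack a given update. Assumes admin rights and DCOM/RPC
# reachability to each target; the computer list is constructed and the KB id
# is a placeholder to fill in from the MS04-007 bulletin.
$KbId      = 'KB<number-from-the-MS04-007-bulletin>'   # placeholder
$Computers = @('ws001', 'ws002', 'dc01')                 # constructed list

$results = foreach ($name in $Computers) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering, the same store the
        # Add/Remove Programs hotfix entries come from.
        $installed = Get-HotFix -ComputerName $name -ErrorAction Stop
        $hit = $installed | Where-Object { $_.HotFixID -ieq $KbId } | Select-Object -First 1
        $status = if ($hit) { 'Patched' } else { 'MISSING' }
        [pscustomobject]@{ Computer = $name; Status = $status; InstalledOn = $hit.InstalledOn }
    } catch {
        # Unreachable is not "patched": keep it as its own state so it gets
        # followed up instead of silently dropping out of the report.
        [pscustomobject]@{ Computer = $name; Status = 'UNREACHABLE'; InstalledOn = $null }
        Write-Warning "${name}: $($_.Exception.Message)"
    }
}

$results | Sort-Object Status, Computer | Format-Table -AutoSize
$results | Group-Object Status | ForEach-Object { "{0,-12} {1}" -f $_.Name, $_.Count }

# Hand the not-patched list to whoever runs deployment (here: a CSV).
$results | Where-Object { $_.Status -ne 'Patched' } |
    Export-Csv -Path '.\patch-followup.csv' -NoTypeInformation
```

Two caveats a practitioner would want: QFE only lists updates that register themselves, so a MISSING result on a box you believe is patched deserves a second check against the file versions listed in the bulletin rather than an immediate reinstall, and a machine that is UNREACHABLE from the sweep is also one that a worm can probably still reach, so that column is the one to chase first.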



RE: [ActiveDir] Where did Additional Acct Info tab go to?

2004-02-09 Thread deji Agba



Let me guess... you are doing a "find" in ADUC, and you are then looking at the object's properties from the result of the "find". Correct? Try drilling down to where the account is located and then looking at the properties directly, you will very likely see the "additional account info" tab there. I submitted this to MS a long time ago, but I didn't hear back, so I concluded it "must be me" :).




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Thommes, Michael M.
Sent: Mon 2/9/2004 6:30 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] Where did "Additional Acct Info" tab go to?

Hi,
This morning I noticed that the "Additional Acct Info" (sp?) tab in ADUC on my Windows 2000 DCs (with extra "acctinfo.dll" installed) and on my Windows 2003 DC (additional info by default) is no longer there. While I don't use this feature on a daily basis, I am sure I have used it in the last few weeks. I even tried logging on with the principal domain admin account after my normal admin failed to show this feature; that also didn't work. Has anyone experienced this? Thanks for any help!

Mike Thommes


RE: [ActiveDir] DNS SOA entered incorrectly during installation

2004-02-09 Thread deji Agba



Anyway, whenever I've set up DNS separately from DCPROMO, set up my forward and reverse zones, then pointed my soon-to-be DC at it and run DCPROMO

Is there a special reason for your doing it this way, instead of:

"...point my soon-to-be-DC at one (or 2) of my existing DNS servers for DNS resolution, run dcpromo and let dcpromo install DNS ... blah...blah... life is good... look at me, I'm guzzling beer and whistling while waiting for dcpromo to complete and have DNS forward and reverse zones automagically populated without breaking my waxed fingernails la la la la la la..."

Or something appropriate along that line :)



Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Rich Milburn
Sent: Mon 2/9/2004 6:34 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS SOA entered incorrectly during installation


It's possible I've seen this behavior because I'm doing something wrong, but I think it might be a bug? Anyway, whenever I've set up DNS separately from DCPROMO, set up my forward and reverse zones, then pointed my soon-to-be DC at it and run DCPROMO, it tells me the DNS could not be found or does not accept dynamic registrations. So when I go back onto the DNS to check what I did wrong, I find that I have to go into the SOA record and add the domain name (to make it a FQDN and not just a host name). Voila, it works. So the question is, if the SOA is created automatically, and it knows the domain name (because it is the SOA record for that domain's zone, duh!), shouldn't it write the FQDN there or assume if the domain suffix is not specified that it should tack on its own domain name just like it does for any of the other records? Or am I missing something?

Thanks 

Rich





---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
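An added example serving two threads on this page, not code from either post: the dcdiag thread above (single-label domain name "admin", and Eric's question about the "reg changes" from KB 300684) and this thread (an SOA whose primary server is a bare host name, so dcpromo reports that DNS cannot be found or refuses dynamic updates). The script runs both checks before dcpromo. It assumes Resolve-DnsName (DnsClient module, Windows 8/2012 and later); the domain and server names are constructed, and the registry value names are as I recall them from KB 300684 and should be confirmed against the article before relying on them.

```powershell
# Added example, not from either thread: pre-dcpromo DNS checks for the two
# failure modes discussed, a single-label domain name (KB 300684) and an SOA
# whose primary server is a bare host name. Assumes Resolve-DnsName; domain
# and server names are constructed; registry value names are from my
# recollection of KB 300684 (verify against the article).
param(
    [string]$DnsDomain = 'corp.example.com',   # constructed; 'admin' in the dcdiag thread
    [string]$DnsServer = '10.0.0.53'           # constructed; the server dcpromo will use
)

$findings = @()

# 1. Single-label name: DCs and clients need the KB 300684 registry changes,
#    otherwise DNS registration and domain location fail.
if ($DnsDomain -notmatch '\.') {
    $findings += "'$DnsDomain' is a single-label DNS name; apply the KB 300684 registry changes"
    $checks = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'AllowSingleLabelDnsDomain' },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'; Name = 'UpdateTopLevelDomainZones' }
    )
    foreach ($c in $checks) {
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($v -ne 1) { $findings += "$($c.Path)\$($c.Name) is '$v' on this machine, expected 1" }
    }
}

# 2. SOA sanity: the primary server name must be an FQDN that resolves, or
#    dcpromo reports that the DNS server cannot be found / refuses updates.
$soa = $null
try {
    $soa = Resolve-DnsName -Name $DnsDomain -Type SOA -Server $DnsServer -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
} catch {
    $findings += "No SOA for $DnsDomain from ${DnsServer}: $($_.Exception.Message)"
}

if ($soa) {
    $primary = $soa.PrimaryServer
    if ($primary -notmatch '\.') {
        $findings += "SOA primary server '$primary' is a bare host name; it must be an FQDN such as '$($primary).$($DnsDomain)'"
    } elseif (-not (Resolve-DnsName -Name $primary -Type A -Server $DnsServer -ErrorAction SilentlyContinue)) {
        $findings += "SOA primary server '$primary' has no A record on $DnsServer"
    }
}

if ($findings.Count -eq 0) {
    "DNS looks ready for dcpromo of '$DnsDomain' against $DnsServer"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

This complements rather than replaces `dcdiag /test:DcPromo /DnsDomain:<name> /newforest` from the dcdiag thread: dcdiag tells you that registration will fail, the two checks here tell you which of the two usual reasons it is. Run the registry part on the machine about to be promoted, since those values are per-host.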


RE: [ActiveDir] Scripting terminology question

2004-02-07 Thread deji Agba



 IADs: Interface for Active Directory Services
Mind you, the referenced page does not "define" the acronym, and that's what he was looking for. But IF it comes from you, I'll buy it any day :). I just haven't seen it defined that way until now, and I've been using it since it came out of Redmond.



Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Sat 2/7/2004 6:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting terminology question

Meaning: 42
Origin: A moon around Saturn that blew apart and is now a ring.
IADs: Interface for Active Directory Services http://msdn.microsoft.com/library/default.asp?url="">

The I is a COM naming guideline thing indicating this is an interface. Not required by anything that I am aware of but helps them stick out.

 joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Thursday, February 05, 2004 10:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting terminology question


H...I think this belongs in the class of the "what is the meaning/origin of life?" questions :). I never bothered to ask.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Charlie Kaiser
Sent: Wed 2/4/2004 7:05 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Scripting terminology question
OK, scripting gurus. I'm trying to wrap my brain around more scripting than
I currently know. I have Robbie's books open and ScriptCenter on the web.
Still can't find an answer to a simple yet obscure question. What does IADs
stand for? I'm understanding what the IADs interface consists of, but it
would be a lot easier if I knew what the abbreviation meant.
Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
** 



RE: [ActiveDir] Scripting terminology question

2004-02-05 Thread deji Agba



H...I think this belongs in the class of the "what is the meaning/origin of life?" questions :). I never bothered to ask.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Charlie Kaiser
Sent: Wed 2/4/2004 7:05 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Scripting terminology question
OK, scripting gurus. I'm trying to wrap my brain around more scripting than
I currently know. I have Robbie's books open and ScriptCenter on the web.
Still can't find an answer to a simple yet obscure question. What does IADs
stand for? I'm understanding what the IADs interface consists of, but it
would be a lot easier if I knew what the abbreviation meant.
Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
** 



RE: [ActiveDir] Removing Legal Notice Caption Text GPO

2004-02-03 Thread deji Agba



Before you set it to "Not Defined", remove the Notice and, after it's all propagated, then set it to "Disabled". You can then set it to "Not Defined" after a while. What's happening is that the clients are already tattooed with the setting and you need to clear it out first. Another way is to just run a script that removes the entries from the registry on each computer that's been tattooed.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Rimmerman, Russ
Sent: Tue 2/3/2004 6:39 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Removing Legal Notice Caption Text GPO
We had a GPO in place to apply a legal notice at logon.  Now we were
directed to remove it due to political reasons, and I've set it back to Not
Defined.  For some reason, it's still applying.  I tried refreshing using
secedit and its still appearing.  Am I just not patient enough?  Or did the
GPO apply to everyones registries permanently and somehow has to be
'un-done' other than setting the GPO to "Not Defined"?

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
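An added example for this thread, not code from the original post: the "script that removes the entries from the registry" route from the reply, as a PowerShell script that reports which computers still carry the tattooed legal-notice values and clears them. The values live under the Policies\System key that the "Interactive logon: Message title/text" security options write to. It assumes PowerShell remoting (WinRM) and admin rights on the targets; the computer list is constructed, and nothing is changed until `$Apply` is `$true`.

```powershell
# Added example, not from the original thread: find the tattooed legal-notice
# values on a list of computers and clear them. Assumes PowerShell remoting
# and admin rights on the targets; the computer list is constructed.
$Computers = @('ws001', 'ws002')   # constructed
$Apply     = $false

$Key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Values = @('legalnoticecaption', 'legalnoticetext')

$report = Invoke-Command -ComputerName $Computers -ArgumentList $Key, $Values, $Apply -ScriptBlock {
    param($Key, $Values, $Apply)
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($v in $Values) {
        $current = [string]$props.$v
        $present = $current.Length -gt 0
        $cleared = $false
        if ($present -and $Apply) {
            # Setting the GPO to Not Defined leaves this value behind
            # (tattooed); clearing it restores the out-of-box empty string.
            Set-ItemProperty -Path $Key -Name $v -Value '' -ErrorAction Stop
            $cleared = $true
        }
        $preview = if ($present) { $current.Substring(0, [Math]::Min(40, $current.Length)) } else { '' }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Value    = $v
            Present  = $present
            Cleared  = $cleared
            Preview  = $preview
        }
    }
}

$report | Sort-Object Computer, Value | Format-Table Computer, Value, Present, Cleared, Preview -AutoSize
```

The Disabled-then-Not-Defined sequence in the reply achieves the same result through Group Policy for machines that still process the GPO; this script is for the ones already tattooed that Group Policy will no longer touch. Clients of the 2004 vintage have no WinRM, so there the same two `Set-ItemProperty` calls would go into a startup script, but the check-then-clear logic is identical.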



RE: [ActiveDir] Active Directory International Support

2004-01-28 Thread deji Agba



I removed admin from all but 5 people, we became stable and secure and had 55 pissed off people. 

Are you talking about me again? :)

jk. You are superb, you know that.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Wed 1/28/2004 7:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory International Support

We are global (~250,000 IDs and 150,000 contacts from New Zealand to England to South Africa to Germany to NA and SA) and have no issues with the control you are talking about. Even in Germany which has some of the "tightest" restrictions on how much info others have about users we don't have issues. We have three Admins across the world, they are all based in the US. Everyone else has some level of delegated rights from none up to a small group of 5 or so that have account op though all of their work is mostly done through a provisioning system and they just use the IDs to manually make corrections occasionally.

The closest we had to having a problem was due to some banking laws in Europe but the bank auditors seemed to have gotten over their issues. 

In terms of locking out enterprise admins from a domain in a forest, not going to happen. Period. If you absolutely have to have that, you now have a multi-forest implementation, easy decision. 

If you have more than 3-5 full admins on the domains, you need to investigate your support structure, you are probably shooting fish in a barrel with a rocket launcher. Full Domain Admin or even administrator rights are needed so rarely if things are configured properly people shouldn't even have to know who the domain admins are. I hear often that people say that running an Enterprise can't be done with just a couple of domain admins, this is incorrect. We have three though we are trying to get money for a fourth. That fourth is more for the ability to spread pager coverage more and to help cover vacation time and personnel turnover than anything because we prove daily that we can do it with three. And actually the last 9 months I have been mostly doing Dev work for Exchange so the team is mostly running with two people. 

When I initially took over this environment it was NT4 and we had some 60 admins and we were a standard Windows shop where we had no stability and systems crashing all the time. I removed admin from all but 5 people, we became stable and secure and had 55 pissed off people. We converted to W2K and everything got even better. I left for 6 months, came back and somehow the admin rights got distributed again and the stability had gone back down the crapper. I took all the admins away again but this time limited to three people. We got nice and stable and secure again and have stayed that way for several years. It took me 18 months of searching and cleaning to find all of the misconfigurations perpetrated by all of the people who were given the rights in my absence. Most people will just give out admin rights instead of fighting with who should get them; I say bring your boxing gloves and your technical experts if you think you need it. 

Most of my day I am doing things from my normal userid because most of an admin's job is looking and troubleshooting, very little should be actively changing and a lot of information is available as a normal user. If you have to change things regularly to make things stay working, you have a bad design and need to work it out once and for all. Things that do need to change regularly, say for new implementations or data updates, should be delegated to lesser power IDs or should be automated so they are done safely and with good logging. 

 joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 28, 2004 7:40 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Active Directory International Support

This is a question for the admins out there that work for companies with users and domains world-wide. We have been running Active Directory for two and a half years here at Rockwell Collins on Windows 2000. We have an empty root domain and basically one large domestic domain serving around 15000 active users. We are in the middle of a project to bring our international domains up to Active Directory as well, with several due to roll to Windows 2003 soon. There are seven international domains ranging from 40 users to 700 users, each in a different country. The plan is to join all the domains into this one, existing forest. The problem would be, due to export compliance and some European laws still being worked, the potential need to lock Enterprise Admins out of any of the foreign domains. There currently are only two of us that are Enterprise admins due to the presence of that empty root and some good control when we moved to Active Directory. How do other companies deal with international domains in the same forest? Are 

RE: [ActiveDir] [OT] DSACLS Gripe

2004-01-25 Thread deji Agba



you are not alone ;) but, still, I rate dsacls high up there with most other tools from MS. For the things you can do with it, after getting the syntax down pat, dsacls is the next best thing since Portable Milk Shake :




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Sun 1/25/2004 7:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] DSACLS Gripe

 (uppercase i)


So who else is annoyed by the case-sensitive nature of DSACLS? What a pain! Not sure how many times I have retyped a command thinking I completely screwed it up and it was only a matter of the case of the switch or the case of the property set or whatever that I was trying to set... Quite annoying.

 joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Saturday, January 24, 2004 12:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing properties


dsacls /I(uppercase i):T should work for you.

I have a short blurb on dsacls here: http://www.akomolafe.com/docs/dsacls.htm

HTH




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon



RE: [ActiveDir] Changing properties

2004-01-23 Thread deji Agba



dsacls /I(uppercase i):T should work for you.

I have a short blurb on dsacls here: http://www.akomolafe.com/docs/dsacls.htm

HTH




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Woerth, Ryan
Sent: Fri 1/23/2004 4:27 PM
To: AD List (E-mail)
Subject: [ActiveDir] Changing properties
I need to re-check the 'allow inheritable permissions from parent to
propagate to this object' box on a number of users in my AD. I have a basic
script that can modify properties on many users at the same time but can't
seem to find what the object is that controls this property. Any clues?
Thanks,
Ryan


Ryan Woerth
Capitol Indemnity
Lead Network Specialist
608-232-0497 



RE: [ActiveDir] Help, file locked

2004-01-22 Thread deji Agba



Then that would be openfileS.exe, and it does not run on anything older than XP.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Thu 1/22/2004 4:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Help, file locked
my mistake - it's not in the ResKit, instead it's part of the OS - so you
should also have it ;-)

also works on XP - not sure if you can grab the file and run it on 2k.
but yes, oh.exe is also quite nice.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, 22 January 2004 01:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Help, file locked

GRILLENMEIER,GUIDO (HP-Germany,ex1) mailto:[EMAIL PROTECTED]
wrote: 

 or "openfile.exe" from the Win2k3 Reskit...

I remember the old Novell openfile.exe but there isn't one in my W2K3
RK. You big guys get all the cool stuff :-)

Did you by chance mean oh.exe or do I have a crappy RK?


 -Original Message-
 From: Free, Bob [mailto:[EMAIL PROTECTED]
 Sent: Monday, 19 January 2004 23:00
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Help, file locked
 
 handle usually always comes through for me-
 http://www.sysinternals.com/ntw2k/freeware/handle.shtml
 
 or the GUI relative-
 http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
 
 -Original Message-
 From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
 Sent: Monday, January 19, 2004 1:33 PM
 To: '[EMAIL PROTECTED]'
 Subject: [ActiveDir] Help, file locked
 
 
 We have a problem where an INI file is being locked and it's part of a DFS share.  I can't figure out what is holding the file locked open.  I'm not sure if filemon will show open INI files, but is there any other way I can find out what process is locking this file open?  It's SAPLOGON.INI, which is part of the SAP R/3 GUI application, and the user doesn't even have the application open.  We have the users' terminal server home directories and roaming profiles on this DFS share and the INI file is part of their home directory.
 





RE: [ActiveDir] forcing a logoff

2004-01-20 Thread deji Agba



When we had a similar project, the intention was not so much to prevent "the user" from accessing network resources. The objective was to turn off unpatched/vulnerable systems that do not conform to the corporate standard. For example, you want computers that don't have the latest AV or are not RPC-DCOM-protected turned off from the network. These computers don't NEED anyone to be logged into them with any domain credentials before they become infected and start spreading. Needless to say, the project was stillborn :(




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Creamer, Mark
Sent: Tue 1/20/2004 5:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] forcing a logoff
 2. Win2K and later (I have no NT 4) has cached credentials, so a user could unplug, log in, replug and thereby bypass the logon script

But they still wouldn't have access to anything network based.  Those
cached credentials will only get them on their local machine.

 I would think they would simply be prompted for user name and password, at which time they would again have access to the resource. My point was this process avoids the logon script.

Thanks for the 802.1x tip - I'll look into that.



RE: [ActiveDir] Upgrade to Win2k

2004-01-20 Thread deji Agba



http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookintr.asp




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Sudhir Kaushal
Sent: Tue 1/20/2004 8:37 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Upgrade to Win2k

I have to upgrade my network from NT 4.0 to Win2k. My current scenario is:
1. PDC with DNS (having 2 zones: secondary abc.com and primary abc.net)
2. Domain Name is Test.
3. 2 BDCs.
Plan is:
1. Install a fresh BDC and configure the DNS on it with the same zones. While creating the zones I would copy the records from the DNS files on the PDC and paste them into the DNS files on the BDC. This way I will have my DNS zones configured with all the records in them.
2. Promote the BDC to PDC.
3. Upgrade to Win2k along with ADS.
4. What shall I give as "New DNS Domain Name" in order to retain the same settings? I don't want to change the name of the current domain.
5. When I join a new client, where will its A record be created dynamically? In the test.local zone or the abc.net zone? All my clients have to be part of the abc.net zone, as these clients are being accessed by the outside world.
I would appreciate it if someone can guide me on this or can refer me to some good article on how to upgrade the NT 4 DNS to Win2K DNS keeping the current configuration intact. Or do I have to give the new DNS domain name according to the DNS zone, like abc.net, to get the SRV records created under the abc.net zone so that whenever a new client joins, its A record gets created in abc.net?
Thanks in Advance.
Regards, Sudhir Kaushal


RE: [ActiveDir] GPO and the Outlook Dumpster

2004-01-15 Thread deji Agba



I usually refrain from adding to a thread more than once, except to occasionally concur. I have always thought that, all things being equal, Shift-Delete is indeed a permanent delete, given the following circumstances:

1. Assuming you DON'T have deleted item retention enabled - which is the default configuration
2. You have not enabled DumpsterAlwaysOn - which is the default configuration
3. You don't do brick-level backup, you don't have an offline Exchange server you test restore to, AND you are not willing to interrupt other users' access to do a live restore



I've been known to be wrong before, but I don't think this is one of those moments :-p

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Roger Seielstad
Sent: Wed 1/14/2004 4:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

But Shift-Delete is not a permanent delete. Assuming you have deleted item retention enabled, shift-delete simply marks the message for deletion, but it is still available within that folder's dumpster until the DIR time expires, and is accessible using the DumpsterAlwaysOn registry setting for Outlook.

Scared the crap out of my desktop guy who thought he could hide email...

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 1:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

your protection against this "CYA" type of deletion is backup. If you maintain a diligent backup of your Exchange Server, you can always do a restore to your offline server whenever you need to "prove" something. Disabling access to the "Recover Deleted Items" folder will not buy you much with a determined user who wants to cover his/her tracks. Shift-Del will not send deleted items to that folder, you know?




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Oliver Marshall
Sent: Tue 1/13/2004 12:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
Because while the Recover Deleted Items addin allows you...err...recover
deleted items a user can also delete things permanently. We have had
people 'covering their tracks' by deleting emails.

I don't want to disable the feature altogether as it's a useful IT
tool for managers etc, but not for users.

Olly 

-Original Message-
From: David, Andy [mailto:[EMAIL PROTECTED] 
Sent: 13 January 2004 19:15
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

I'm just wondering why you would want to implement such a thing. 
 

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 12:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

It strikes me that it might be part of the Office Administration
Templates, which can be distributed via GPOs, but aren't actually part
of the GPO settings.

http://www.microsoft.com/office/ork/2003/five/ch18/MntA04.htm

There are similar templates for Office XP and Office 2000 that might do
the trick.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Oliver Marshall [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, January 13, 2004 11:19 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] GPO and the Outlook Dumpster
 
 
 Does anyone know a GPO setting that will allow me to prevent users from accessing the Recover Deleted Items addin in Outlook? Someone on an exchange mailing list said that there is a GP setting to prevent this addin being loaded.
 
 Olly



RE: [ActiveDir] LDIFDE and Perl...

2004-01-15 Thread deji Agba



For importing, try ADModify http://hellomate.info/exchange/admodify_1.5.zip

For auto account creation, try
http://www.microsoft.com/technet/treeview/default.asp?url="">

HTH



Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Mike Hogenauer
Sent: Wed 1/14/2004 10:09 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDIFDE and Perl...
I need to import 1500 user accounts into a test environment; I would like to use LDIFDE.
First, is there an easy way to batch or create dummy accounts for a test environment without having to type each one, and second, can any of this be done with Perl? 

I will also be consulting the Cookbook! 

Thanks in advance. 

Mike 


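Added example for the LDIFDE question above (not code from the list, from ADModify or from Microsoft): a Python generator for a bulk test-account LDIF, with a small RFC 2849 reader used to confirm the file round-trips before ldifde imports it. The domain example.com / DC=example,DC=com, the OU TestUsers and the testuserNNNN pattern are placeholders.

```python
"""Generate an LDIF file that ldifde.exe can import to bulk-create test users.

Added example for the LDIFDE question above, not code from the list, ADModify
or Microsoft. Placeholders (none from the thread): the domain example.com /
DC=example,DC=com, the OU TestUsers (must already exist) and testuserNNNN.
Import on a DC with:  ldifde -i -f test_users.ldf -k
"""
import base64
import re

DOMAIN_DN = "DC=example,DC=com"           # placeholder
DOMAIN_DNS = "example.com"                # placeholder
TARGET_OU = f"OU=TestUsers,{DOMAIN_DN}"   # placeholder OU, must exist

# userAccountControl 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2): the
# dummies are created disabled and without a password, so a test import
# cannot leave 1500 enabled, weakly protected accounts behind.
UAC_NORMAL_DISABLED = 514

# RFC 2849 SAFE-STRING body: ASCII without NUL, LF or CR.
_SAFE_ASCII = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x7f]*")


def fold(line: str, width: int = 76) -> str:
    """Fold a long LDIF line; continuation lines begin with one space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def ldif_attr(name: str, value: str) -> str:
    """'name: value', or 'name:: base64' when value is not a SAFE-STRING
    (non-ASCII, or starting with space, ':' or '<')."""
    if _SAFE_ASCII.fullmatch(value) and not value.startswith((" ", ":", "<")):
        return fold(f"{name}: {value}")
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return fold(f"{name}:: {encoded}")


def user_record(index: int) -> str:
    """One 'changetype: add' record for a disabled dummy user."""
    sam = f"testuser{index:04d}"           # sAMAccountName: at most 20 chars
    cn = f"Test User {index:04d}"
    lines = [
        ldif_attr("dn", f"CN={cn},{TARGET_OU}"),
        "changetype: add",
        "objectClass: user",
        ldif_attr("cn", cn),
        ldif_attr("sAMAccountName", sam),
        ldif_attr("userPrincipalName", f"{sam}@{DOMAIN_DNS}"),
        ldif_attr("displayName", cn),
        ldif_attr("givenName", "Test"),
        ldif_attr("sn", f"User {index:04d}"),
        ldif_attr("description", "Constructed dummy account for an ldifde "
                                 "import test; created disabled, safe to delete"),
        f"userAccountControl: {UAC_NORMAL_DISABLED}",
    ]
    return "\n".join(lines) + "\n"


def build_ldif(count: int) -> str:
    """Whole LDIF document: one record per user, blank line between."""
    return "\n".join(user_record(i) for i in range(1, count + 1))


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader (unfold, decode base64) used to check that the
    generated file round-trips before it is handed to ldifde."""
    records, current = [], {}
    for raw in text.replace("\n ", "").split("\n"):
        if raw == "":                              # record separator
            if current:
                records.append(current)
            current = {}
            continue
        name, _, value = raw.partition(":")
        if value.startswith(":"):                  # '::' = base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip(" ")
        current.setdefault(name, []).append(value)
    if current:
        records.append(current)
    return records


if __name__ == "__main__":
    ldif = build_ldif(1500)
    assert len(parse_ldif(ldif)) == 1500
    with open("test_users.ldf", "w", encoding="ascii", newline="\r\n") as fh:
        fh.write(ldif)
```

The accounts are created disabled and without a password; enable them (and set passwords) only per test case, so the import itself never widens the attack surface of the test domain.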



RE: [ActiveDir] NTDS KCC error

2004-01-15 Thread deji Agba



IF I were troubleshooting this, I'd remove the bridgehead designations and let everything go over any available server, then wait for the problem to go away. After that, examine your bridgehead designations closely again. You will likely find out that the DC in the LEX site that you've designated as the bridgehead for that site does NOT have a Connection to a DC that holds a copy of the DC=coopcam,DC=com partition. Wherever I've seen this error, it's more likely due to the fact that the Domain Naming Master does not have a connection (link) to the LEX Bridgehead.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Rimmerman, Russ
Sent: Wed 1/14/2004 7:14 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] NTDS KCC error
All,

We're getting these errors on our domain controllers.  I see Q271997
says that it's reported if a non-preferred bridgehead was used.  What did we
do to cause this and what's the recommended best fix?

Explicit bridgeheads to support inter-site replication to and from site
CN=LEX,CN=Sites,CN=Configuration,DC=coopcam,DC=com
over transport CN=IP,CN=Inter-Site
Transports,CN=Sites,CN=Configuration,DC=coopcam,DC=com have been selected,
but none of these servers can replicate
the partition DC=coopcam,DC=com.
Please use the Active Directory Sites and Services snap-in to do the
following:
1. Configure servers that can support replication of the given partition as
preferred bridgeheads for this transport.  You can do this by modifying the
corresponding server objects.
2. Ensure the server objects have an address for this transport.  For
example,
servers performing replication over the SMTP transport must have a
mailAddress
attribute.  This attribute is normally configured automatically after the
IIS/SMTP service is installed.
In the meantime the KCC will consider all servers in this site as possible
bridgeheads for this partition.




RE: [ActiveDir] Account Reset after removing old domain

2004-01-15 Thread deji Agba



You most likely have the "Logon as a Service" user right defined in one of your Group Policies (most likely the Default Domain Policy). This is located under Computer Configuration - Windows Settings - Local Policies - User Rights Assignment.

You need to either NOT define this right, or add Tr as one of the accounts listed there.

HTH




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: [EMAIL PROTECTED]
Sent: Wed 1/14/2004 10:43 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Reset after removing old domain
Hi All, I was hoping someone might have come across this problem and could offer some suggestions. I recently installed 2 DCs and assigned the domain name Test.local. I had to change the domain name and ran dcpromo to remove AD from both machines.
My 2 DCs are running fine under the new domain load.local. I created account tr and assigned the log on as service right to the account. The account Tr is running several services. Every night at 12:00 the services are supposed to restart but they always fail, giving a log error message. The only way I can restart the service is to add the log on as service account again to the service I need to restart. I thought I had cleaned up the old domain name from the naming context and the DNS logs, but the problem still exists.
I would appreciate it if someone can point me in the right direction to resolve this. Thanks in advance.
Regards
Nathan
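Added example for the thread above (not code from the list or from Microsoft): a check, run against a security template such as a secedit export or a GPO's GptTmpl.inf, that tells whether "Log on as a service" is left undefined, grants the account, or is defined without it and will strip the locally granted right at every policy refresh. The template text is constructed; load.local and the account tr come from the thread, the SID for tr is a placeholder.

```python
"""Check what a security template does to the 'Log on as a service' right.

Added example for the 'Account Reset' thread above; not code from the list
or from Microsoft. The template text is constructed; the domain load.local
and the account tr come from the thread, the SID for tr is a placeholder.
Real input is 'secedit /export /cfg C:\\secpol.inf' (written as UTF-16, so
read it with encoding='utf-16') or a GPO's GptTmpl.inf under
SYSVOL\\...\\Policies\\{GUID}\\MACHINE\\Microsoft\\Windows NT\\SecEdit.
"""

TR_SID = "S-1-5-21-111-222-333-1108"   # placeholder SID for LOAD\tr
RIGHT = "SeServiceLogonRight"          # the 'Log on as a service' privilege

# Constructed: the right IS defined, but tr is not in the list. Each policy
# refresh reapplies exactly this list and strips the right that was granted
# locally through the service's Log On tab, which matches the nightly failure.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,LOAD\\svc_backup
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
"""

# Constructed: the same template with the right left undefined.
UNDEFINED_TEMPLATE = SAMPLE_TEMPLATE.replace(
    "SeServiceLogonRight = *S-1-5-80-0,LOAD\\svc_backup\n", "")


def parse_privilege_rights(template_text: str) -> dict:
    """{right_name_lowercase: [principal, ...]} from [Privilege Rights];
    principals are '*SID' strings or account names."""
    rights, in_section = {}, False
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "privilege rights"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip().lower()] = [p.strip() for p in value.split(",")
                                            if p.strip()]
    return rights


def principal_matches(principal: str, account: str, account_sid=None) -> bool:
    """True if a template principal ('*S-1-...', 'DOMAIN\\name', 'name@dom' or
    'name') refers to the account, by SID or by bare name."""
    p = principal.lstrip("*").lower()
    if account_sid and p == account_sid.lstrip("*").lower():
        return True
    return p.split("\\")[-1].split("@")[0] == account.lower()


def service_logon_status(template_text: str, account: str, account_sid=None):
    """Classify the template's effect on 'Log on as a service' for account:
    'not defined' -> the template leaves locally granted rights alone
    'granted'     -> the right is defined and the account is listed
    'overridden'  -> the right is defined (possibly for nobody) without the
                     account; applying the template removes the right"""
    principals = parse_privilege_rights(template_text).get(RIGHT.lower())
    if principals is None:
        return "not defined", []
    if any(principal_matches(p, account, account_sid) for p in principals):
        return "granted", principals
    return "overridden", principals


def grant_right(template_text: str, right: str, principal: str) -> str:
    """Return the template with principal appended to right (the 'add tr to
    the list' fix from the thread). An undefined right is left undefined,
    which is the other fix the thread names."""
    out, in_section = [], False
    for raw in template_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "privilege rights"
        elif in_section and line.partition("=")[0].strip().lower() == right.lower():
            current = [p.strip() for p in line.partition("=")[2].split(",")
                       if p.strip()]
            if principal not in current:
                current.append(principal)
            raw = f"{right} = {','.join(current)}"
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    fixed = grant_right(SAMPLE_TEMPLATE, RIGHT, "*" + TR_SID)
    for label, tmpl in (("as found", SAMPLE_TEMPLATE), ("after fix", fixed)):
        print(label, service_logon_status(tmpl, "tr", TR_SID))
```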



RE: [ActiveDir] GPO and the Outlook Dumpster

2004-01-15 Thread deji Agba



That is exactly how it operates in the field. UNLESS you have manually enabled DumpsterAlwaysOn on a client, when a client SHIFT-DELETES a piece of mail, that mail is GONE and NOT recoverable without going through an interesting hoop. That hoop involves looking for the most recent backup of the user's Mailbox Server's Information Store. This is what my initial response to Oliver said. Now, I'm done.



Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Oliver Marshall
Sent: Thu 1/15/2004 7:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
Thanks for the interesting comments on this thread. I have had official word from several MS support peeps that would seem to resolve the issue. It would seem that SHIFT+DELETE marks a message as deleted immediately without it being moved to the deleted items first. As the message is only MARKED as deleted but not actually deleted, it is simply not visible to the user but does still remain in the datastore. If items are sent to the deleted items they are simply moved to the deleted items. Emptying the deleted items marks all the items in that folder as deleted.

So SHIFT+DELETE doesn't permanently delete emails, just permanently hides them from the user. The DUMPSTERON reg trick simply makes the dumpster menu item visible on all folders rather than just the deleted items folder.

Hope that helps.

Olly 

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED] 
Sent: 15 January 2004 07:18
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

I usually refrain from adding to a thread more than once, except to occasionally concur. I have always thought that, all things being equal, Shift-Delete is indeed a permanent delete, given the following circumstances:
 
 1. Assuming you DON'T have deleted item retention enabled - which is the default configuration
 2. You have not enabled DumpsterAlwaysOn - which is the default configuration
 3. You don't do brick-level backup, you don't have an offline Exchange server you test restore to, AND you are not willing to interrupt other users' access to do a live restore
 
I've been known to be wrong before, but I don't think this is one of those moments :-p
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon



From: Roger Seielstad
Sent: Wed 1/14/2004 4:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster


But Shift-Delete is not a permanent delete. Assuming you have deleted item retention enabled, shift-delete simply marks the message for deletion, but it is still available within that folder's dumpster until the DIR time expires, and is accessible using the DumpsterAlwaysOn registry setting for Outlook.
 
Scared the crap out of my desktop guy who thought he could hide email...
 
Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc. 

	-Original Message-
	From: deji Agba [mailto:[EMAIL PROTECTED] 
	Sent: Wednesday, January 14, 2004 1:40 AM
	To: [EMAIL PROTECTED]
	Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
	
	
	your protection against this "CYA" type of deletion is backup. If you maintain a diligent backup of your Exchange Server, you can always do a restore to your offline server whenever you need to "prove" something. Disabling access to the "Recover Deleted Items" folder will not buy you much with a determined user who wants to cover his/her tracks. Shift-Del will not send deleted items to that folder, you know?
	 
	
	 
	Sincerely,
	
	Dèjì Akómöláfé, MCSE MCSA MCP+I
	www.akomolafe.com
	www.iyaburo.com
	Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon



	From: Oliver Marshall
	Sent: Tue 1/13/2004 12:07 PM
	To: [EMAIL PROTECTED]
	Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
	
	
	Because while the Recover Deleted Items addin allows you...err...recover
	deleted items a user can also delete things permanently. We have had
	people 'covering their tracks' by deleting emails.
	
	I don't want to disable the feature altogether as it's a useful IT
	tool for managers etc, but not for users.
	
	Olly 
	
	-Original Message-
	From: David, Andy [mailto:[EMAIL PROTECTED] 
	Sent: 13 January 2004 19:15
	To: [EMAIL PROTECTED]
	Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
	
	I'm just wondering why you would want to implement such a thing. 
	 
	
	-Original Message-
	From: Roger Seielstad [mailto:[EMAIL PROTECTED]
	Sent: Tuesday, January 13, 2004 12:27 PM
	To: '[EMAIL PROTECTED]'
	Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
	
	It strikes me that it might be par

RE: [ActiveDir] GPO and the Outlook Dumpster

2004-01-13 Thread deji Agba



your protection against this "CYA" type of deletion is backup. If you maintain a diligent backup of your Exchange Server, you can always do a restore to your offline server whenever you need to "prove" something. Disabling access to the "Recover Deleted Items" folder will not buy you much with a determined user who wants to cover his/her tracks. Shift-Del will not send deleted items to that folder, you know?




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Oliver Marshall
Sent: Tue 1/13/2004 12:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
Because while the Recover Deleted Items addin allows you...err...recover
deleted items a user can also delete things permanently. We have had
people 'covering their tracks' by deleting emails.

I don't want to disable the feature altogether as it's a useful IT
tool for managers etc, but not for users.

Olly 

-Original Message-
From: David, Andy [mailto:[EMAIL PROTECTED] 
Sent: 13 January 2004 19:15
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

I'm just wondering why you would want to implement such a thing. 
 

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 12:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

It strikes me that it might be part of the Office Administration
Templates, which can be distributed via GPOs, but aren't actually part
of the GPO settings.

http://www.microsoft.com/office/ork/2003/five/ch18/MntA04.htm

There are similar templates for Office XP and Office 2000 that might do
the trick.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Oliver Marshall [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, January 13, 2004 11:19 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] GPO and the Outlook Dumpster
 
 
 Does anyone know a GPO setting that will allow me to prevent users from accessing the Recover Deleted Items addin in Outlook? Someone on an exchange mailing list said that there is a GP setting to prevent this addin being loaded.
 
 Olly



RE: [ActiveDir] Happy Birthday [list owner]

2004-01-13 Thread deji Agba



Congrats, Tony. And to everyone who has been filling my head with so much "techie" stuff since I joined this list, I say thank you for your selfless contributions. I know I have personally benefitted from your contributions.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Tony Murray
Sent: Mon 1/12/2004 11:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Happy Birthday [list owner]
The ActiveDir.org discussion forum is 3 years old today!

The list membership has grown somewhat since January 13th 2001 (when it consisted of me, various friends, family, acquaintances and anyone else I could cajole, coerce or bribe) to over 1000 today.

I might be ever-so-slightly biased, but I think this is a great technical forum.  Thanks for making it what it is today, and especially to those of you who give of their time to make regular, helpful and well-informed contributions (you know who you are).

Tony




RE: [ActiveDir] setting TS properties

2004-01-03 Thread deji Agba



Something like:

Const ADS_PROPERTY_CLEAR = 1

Use ADO to query your AD for the users' distinguishedName.

Then do:
objUserDN = objRecordSet.Fields("distinguishedName").Value
Set objPath = GetObject("LDAP://" & objUserDN)
objPath.PutEx ADS_PROPERTY_CLEAR, "profilePath", 0   ' mark the attribute for clearing in the cache
objPath.SetInfo                                      ' Do It Now: write the change to the DC


HTH

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Creamer, Mark
Sent: Fri 1/2/2004 1:52 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] setting TS properties


I found a control (wts_admin.dll) that will allow me to set terminal services properties for a user in a Win2K domain, such as profile path, home directory etc. These extensions are only available from Microsoft for Windows 2003 as I understand it (http://msdn.microsoft.com/library/default.asp?url=...).

When I use the control to set the profile path, it works fine, but I want to clear it so no path is specified. I thought just passing "" (an empty string) as the string would work, but it fails.

Is that a function of the way the control is written? I just want to clear the path for each user; if there's a better way, please share.
Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do



RE: [ActiveDir] Policy to distribute domain wide HOSTS file

2003-12-30 Thread deji Agba



What would be the purpose? Maybe letting us in on your line of thoughts would make it easier for someone to help you with this or recommend an alternative.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Dolphin, Jeff
Sent: Tue 12/30/2003 8:43 AM
To: 'ActiveDir ([EMAIL PROTECTED])'
Subject: [ActiveDir] Policy to distribute domain wide HOSTS file
Either I've been hit with the stupid stick or I'm looking in the wrong
place!  Can anyone assist me in creating a policy to add an entry to the
HOSTS file on our domain computers?  Thank you for any help...



RE: [ActiveDir] inactive computers question

2003-12-22 Thread deji Agba



Though I haven't used dsquery this way before, I think I can hazard a simple theory as to why you are getting inconsistent reports. Since pwdLastSet is not replicated among DCs, the values will be DIFFERENT across all your DCs. There is no magical way to determine which DC has the most current value for a specific non-replicated attribute.

Richard Mueller (http://www.rlmueller.net/) has a very handy script that loops through ALL your DCs and gets the most current pwdLastSet value. I think this would be a better option.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Rich Milburn
Sent: Mon 12/22/2003 7:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] inactive computers question


I know that dsquery and dsrm are good for AD2003 environments to find and remove inactive computer accounts in AD, as is Robbie's script. Someone on the SMS list has AD 2000 though, dsquery doesn't work, and Robbie's script is returning nothing. Even if the info is not easily convertible to a date, seems like you should be able to sort by a column in a csvde export and see the same information, i.e. sort by pwdLastSet? Any ideas? It looked like lastLogonTimestamp might be a good one but alas that's new with 2003 so that's no good for him. The main source of my confusion is that dsquery and a sort by pwdLastSet do not show the same computers as being inactive the longest.

Thanks
Rich
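As an added example (not code from the thread, and not Richard Mueller's script), here is the "query every DC and let the newest value win" approach in Python, with the FILETIME-to-date conversion Rich was missing. The per-DC result sets, account names and the 90-day threshold are constructed for illustration; the LDAP queries that would fill them in are not shown.

```python
"""Added example, not from the list thread: merge a per-DC view of a timestamp
attribute so that the newest value wins before deciding an account is inactive.
The per-DC result sets below are constructed; a real run would fill them with an
LDAP query against each DC (not shown here)."""
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet/lastLogon as a FILETIME: 100-ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME tick count to an aware UTC datetime; 0 means 'never set'."""
    if ft == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (integer arithmetic, so it round-trips exactly)."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def newest_per_account(per_dc_results):
    """per_dc_results: {dc_name: {sAMAccountName: filetime}}.
    Returns {sAMAccountName: (newest_filetime, dc_that_had_it)}."""
    newest = {}
    for dc, rows in per_dc_results.items():
        for sam, ft in rows.items():
            current = newest.get(sam)
            if current is None or ft > current[0]:
                newest[sam] = (ft, dc)
    return newest


def stale_accounts(per_dc_results, now, max_age_days=90):
    """Accounts whose newest timestamp across all queried DCs is older than the
    threshold (or was never set). Returns [(sAMAccountName, last_seen, dc)]."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for sam, (ft, dc) in sorted(newest_per_account(per_dc_results).items()):
        last_seen = filetime_to_datetime(ft)
        if last_seen is None or last_seen < cutoff:
            stale.append((sam, last_seen, dc))
    return stale


# Constructed sample: the same three computer accounts as seen from two DCs.
NOW = datetime(2003, 12, 22, tzinfo=timezone.utc)
SAMPLE = {
    "DC1": {
        "WS01$": datetime_to_filetime(NOW - timedelta(days=5)),
        "WS02$": datetime_to_filetime(NOW - timedelta(days=200)),
        "WS03$": 0,
    },
    "DC2": {
        "WS01$": datetime_to_filetime(NOW - timedelta(days=120)),
        "WS02$": datetime_to_filetime(NOW - timedelta(days=30)),
        "WS03$": 0,
    },
}

if __name__ == "__main__":
    # Querying a single DC mis-flags WS01$; merging all DCs does not.
    print("DC2 alone :", [s for s, _, _ in stale_accounts({"DC2": SAMPLE["DC2"]}, NOW)])
    print("all DCs   :", [s for s, _, _ in stale_accounts(SAMPLE, NOW)])
```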


[ActiveDir] Is DBFlag a DWORD or a STRING?

2003-12-17 Thread deji Agba





Excuse my confusion, but I have noticed some seemingly confusing directives in MS literature that I need help clarifying.

Q109626 states:

Windows 2000 Server Versions
The version of Netlogon.dll that has tracing included is installed by default. To enable debug logging, set the debug flag that you want in the registry and restart the service by using the following steps:

1. Start the Regedt32 program.
2. Delete the Reg_SZ value of the following registry entry, create a REG_DWORD value with the same name, and then add the 0x2080 hexadecimal value.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag



Fine, we can do that. But ..

"Account Passwords and Policies" (a very fine document, if I may say) states:

Enabling Netlogon Logging on Computers Running Windows 2000 Server
To enable Netlogon logging on computers that are running Windows 2000 Server, at a command prompt, type nltest /dbflag:2080

Problem is nltest /dbflag:2080 creates a REG_SZ value, NOT a REG_DWORD value. So, my question is "should it be DWORD or REG_SZ", or does it really matter? I know I won't be disappointed.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


RE: [ActiveDir] Event Log monitoring tools

2003-12-17 Thread deji Agba



Clay, EventCombMT is actually part of the SECOPS tools and it's publicly available for download.

http://download.microsoft.com/download/c/e/3/ce3fd3de-ae44-4c10-858c-67df0b06771e/secops.exe

I personally think dumpevt (http://www.systemtools.com/somarsoft/) kicks butt.

HTH



Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Clay Perrine
Sent: Wed 12/17/2003 6:53 AM
To: [EMAIL PROTECTED]
Subject: FW: [ActiveDir] Event Log monitoring tools
We have a free resource kit style tool called EventCombMT. It will query
the event logs on selected servers for selected events.   It doesn't do
active monitoring, but it will generate a file of all the specified
event id's from all the servers specified.  Anyone who would like a copy
can contact me directly. I tried to post it here, but the file is too
big to send. There is a doc file that has the directions on how to use
it.

Give it a try.

Clay Perrine MCSE
Microsoft Directory Services Support Team. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Wednesday, December 17, 2003 8:22 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Event Log monitoring tools

I'm wondering what people are using for event log monitoring. Looks like
our environment will be expanding to the degree that I'll need to
monitor numerous independent server farms and would like to be able to
get daily centralized reports based on logs. I know MOM and NetIQ will
do this, but 800 lb gorillas aren't really my style. ;-) Is there
anything else good out there that will do this?
Thanks.


**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
** 



RE: [ActiveDir] Design question

2003-11-26 Thread deji Agba



# 3 is a VERY VALID reason for a separate Domain or even a Forest. If they argue with you, tell them to re-read their Active Directory manual :)




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: [EMAIL PROTECTED]
Sent: Mon 11/24/2003 5:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Design question
All,

I've lurked on this list for a long time now - and it's been a real learning
experience... Thanks to all of you!! Now I'm finally in a position to have
something to put to the list - I'm afraid I'm still running an NT domain...
But that is about to change :-

We have (fairly) recently been bought out by a company who are in the
process of migrating to AD (to allow them to use Exchange 2000).

I (and some others) have been asked to justify why we / they should create a
separate domain in their forest to migrate our business into. I've come up
with a number of reasons (detailed below) - but first, some background
:-

"My Domain"
NT 4.0 with some Win2K member servers, mixed Win2K and NT4.0 PC's
(APPLICATION.RLI)
Exchange 5.5
One way trust with FOONT001 (we trust them)
Approx 300 Users and 40 Servers

"Their domain(s)"
NT 4.0 with some Win2K member servers, mixed Win2K and NT4.0 PC's
(FOONT001)(our domain trusts this one).
Win2K Forest, Empty root domain (FOOGROUP.NET) 1 sub-domain
(FOO.FOOGROUP.NET)
Exchange 2000 - migration underway from mainframe based system (Memo)
Approx 5000-6000 Users and 500+ Servers

Company Structure:
Us: We are an offshore finance house - pensions and investments mostly to
far-east customers. To maintain this status we have to show a level of
"off-shoreness" to the authorities.
IT has historically been provided in-house, with little reliance on parent
company.

Group: Centralised IT structure, heavy use of Citrix and web-based apps
provided from head office. Tend to have little or no IT presence in "remote"
offices.

What we are leaning towards is that we create another sub-domain
(FOOI.FOOGROUP.NET) and migrate our domain into this. They are suggesting
that we migrate into FOONT001 - and will ultimately be assimilated into
FOO.FOOGROUP.NET. I'm trying to avoid the pain and suffering for our users
of a double migration 

Reasons for separate domain:

1.	Ease of migration - one step, at our pace - we "control" the
sub-domain, so we control the migration. Consolidation into one domain at a
later date would be relatively easy.

2.	Ease of separation in the event we are sold off. We are an entirely
separate business unit - and could be sold easily and at short notice.

3.	Separate policies - as a part of our offshore status, we are
sometimes subjected to different regulatory requirements. Based on my
understanding, GP's are (to an extent) domain specific - so we could
implement different password requirements for example, if required.

Basically, does my argument seem sensible - or should we be looking to
create an OU for us? Or something else entirely?

Sorry for the long post - Any comments / suggestions / flames / help would
be gratefully received - and I'd be happy to clarify anything.

Thanks in advance
Jack



RE: [ActiveDir] Migration Tool

2003-11-15 Thread deji Agba



This is one classic reason why a vendor should try as much as possible to go beyond the first step of "closing the sale". I swore off this vendor a long time ago, and I have never looked back since. The technical difficulties we encountered with their products are just too numerous to recount here. I know products do not always live up to their promises, but I had expected that this vendor would at least commit to supporting the shortcomings of its product with some degree of interest and dedication. When a company makes an impressive sales presentation, then comes back after hooking the customer to:
1. Promise that "that feature will be in the next 2 releases", or
2. Argue that "we did not say it would do that", or
3. Say that the only Engineer that knows about the feature is in training for the next 2 weeks while the customer is putting out fires in the middle of a project, or
4. Tell the customer "if you have an in-house programmer/developer, they can write a tool to make THAT feature work", or
5. Blame their Sales People for misunderstanding the ability of their products, or
6. A combination of any of the above
then I say that vendor is not worthy of being recommended. My impression of this particular vendor is that, as soon as they close the sale, they don't care about you anymore and they don't care about what you think of their product, because - in their opinion - you've already bought it and you are not going to buy it again anytime soon, at least not for the same project. So, like a predator, their attention is shifted to the next prey.

Sorry for the rant, but my blood still boils anytime I hear anyone mention this vendor's product.



Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Byron Fackenthall
Sent: Fri 11/14/2003 8:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Migration Tool


My company chose to use Aelita but we ran into a major snag. The tool was only able to migrate about a hundred workstations at a time. With 35,000 workstations to migrate we were not pleased. The problem came when we tried to reboot the machines after the move to the new domain. We started with small groups but as the groups got larger the tool was unable to reboot all the machines. We had to write our own VBScript to do the reboot. They have professional services but they think that fixing any deficiencies in their tool should be a billable cost. I feel they should pay me for all the suggestions I have had about fixing their product.

-Original Message-
From: Ellis, Debbie [mailto:[EMAIL PROTECTED]
Sent: Friday, November 14, 2003 10:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Migration Tool

Our migration is very simple, and basic.

-Original Message-
From: Morley, Scott [mailto:[EMAIL PROTECTED]
Sent: Friday, November 14, 2003 11:06 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Migration Tool


The vendors I've dealt with (Quest/Aelita) both wanted Prof Services. Initially I felt the same way. Unfortunately, the products are made for people to do simple migrations. If your migration gets complicated (i.e. simple=migration within a single maintenance cycle) then you need to dig into the products. Their prof services provides the backdoors and the undocumented features to make life easier. In most cases, the documentation provided looks nice and clean, but is utterly devoid of any serious technical content.



I've evaluated both products and my decision was based upon the lesser of two evils really!




Scott Morley
MCSE 2000/4.0, Exchange 2000/5.5, MCT, CCNA, CNE, CNI
Senior Systems Engineer/Architect
Global Messaging Services, Starwood Technology Center
Starwood Hotels and Resorts, Worldwide


Phone: 781-348-7120


Learning is not compulsory... neither is survival.- W. Edwards Deming 

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Friday, November 14, 2003 10:41 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Migration Tool

We have used Bindview, I am surprised to hear Bindview only wants to sell professional services... Bindview has a tools division, and the Professional Services Division. Chip Dibias is on reader on the site and works for Bindview. He might be someone you should talk to maybe clear this up...



Aelita is pretty good. They can do NT4 to AD, AD to AD, and Exchange 5.5 to Exchange 2K, pretty well. They like to sell tools, but also offer professional services.



My recommendation is to hire the professionals to come in and manage it like a project. That way you build from the Vendors experience, and also put a serious dollar figure on the migration to get people to move their asses, instead of BWM about breaking stuff.



Todd

-Original Message-
From: Ellis, Debbie [mailto:[EMAIL PROTECTED]
Sent: Friday, November 14, 2003 6:27 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Migration Tool
My company 

RE: [ActiveDir] Window 98 Desktops are being locked out

2003-11-14 Thread deji Agba



What do you mean? Did you look for it on MS' website and not find it? Did you Google it?

http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Chris Blair
Sent: Fri 11/14/2003 7:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Window 98 Desktops are being locked out
Why don't they make that available to the public?

-Original Message-
From: Creamer, Mark [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 14, 2003 9:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Window 98 Desktops are being locked out


Have you applied the directory services client to the PCs? If not, try
that but call Microsoft to get the latest version. They have one
available that supersedes the one that is on the Win2K CD.

mc
-Original Message-
From: Bridges, Samantha [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 14, 2003 10:19 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Window 98 Desktops are being locked out

Since our AD upgrade, all of the Windows 98 machines have been having
problems with authentication.  Seems that if a Windows 98 machine hits
an Active Directory DC for authentication, it will lock out the machine.
If the Windows 98 machine gets a Windows NT 4.0 server it authenticates
with no problem.

Anyone ever heard of this, and do you know of a possible fix?

Thanks

Samantha



RE: [ActiveDir] Directory Services Restore Password

2003-11-14 Thread deji Agba



No, they are not compatible.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Fri 11/14/2003 2:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Directory Services Restore Password
try it - and tell us ;-) 

-Original Message-
From: Rich Milburn [mailto:[EMAIL PROTECTED] 
Sent: Friday, 14 November 2003 22:45
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Directory Services Restore Password

Might the w2k3 version of ntdsutil work on w2k, even if only for that
purpose?

-Original Message-
From: DiBias, Chip [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 14, 2003 3:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Directory Services Restore Password

I just looked on a W2K SP4 box and I don't see it.  I believe this is a
new feature as of W2K3.

Chip 

-Original Message-
From: GRILLENMEIER,GUIDO (HP-Germany,ex1)
[mailto:[EMAIL PROTECTED] 
Sent: Friday, November 14, 2003 4:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Directory Services Restore Password

Your only option to validate the PW later is to activate the SAM on the
DC
to perform an authentication = you do so by booting into the DS Restore
Mode... and entering the PW for the admin account ;-)

I wouldn't know of a way how to do it while you are online - I am pretty
confident, that the setpwd option still exists in W2k as it was
introduced
with SP2 and that this function was not added to NTDSUTIL as in 2k3.
But I
don't have a 2k SP4 DC at Hand right now to prove it.

/Guido

-Original Message-
From: Jef Kazimer [mailto:[EMAIL PROTECTED] 
Sent: Friday, 14 November 2003 19:11
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Directory Services Restore Password

Rocky,

That was my question too. :)   I know it does not work with W2k SP3,
but
since I don't have an SP4 box handy, I can't check if this option is now
in
NTDSUTIL.

Does anyone here who has an SP4 box handy mind checking out if you can
reset
the DSRM password in NTDSUTIL,  or if it's only in W2k3.

Jef

Original Message:
From: "Rocky Habeeb" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Directory Services Restore Password
Date: Fri, 14 Nov 2003 12:46:43 -0500

"Yikes".

I forgot to mention, I'm talking W2K not W2K3.

Do you know if that will work in W2K?

Thanks for responding.

RH

_



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jef Kazimer
Sent: Friday, November 14, 2003 12:11 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: re: [ActiveDir] Directory Services Restore Password


Hmm... I think the setpwd was a "hack" they threw together to address
the issue quickly.  You'll now find this ability to reset the password in
the ntdsutil command on win2003.  The setpwd doesn't exist in 2003 either.

I am not running SP4,  but if you are, you might want to check ntdsutil
to
see if that option was added to it.  It was on the main menu, and I
believe
it was "reset DSRM password" was the command.

just a thought...

Jef

Original Message:
From: "Rocky Habeeb" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Directory Services Restore Password
Date: Fri, 14 Nov 2003 11:47:48 -0500

Good People Of The List,

Please consider answering the following question if you have the time
and
inclination:

You've lost control of your Directory Services Restore Password,
however,
not to worry, because everything is up and healthy.  So you go to the
DC
and
log on, switch to %SystemRoot%\System32 and run "setpwd".  The system
says
"Put in the new password."  However, unlike most other password entry
procedures, the system does not echo anything, even asterisks and it
does
not ask you to confirm the password.

Is there a method, or tool that you can run to query the DC after the
fact
to confirm the password, where it says "OK, what is it?  Yes that's
correct."

Thanx in advance for anything you can offer.

-
Rocky Habeeb
Microsoft Systems Administrator
-
James W. Sewall Company
Old Town, Maine
-
207.827.4456
habr @ jws.com
www.jws.com
-






RE: [ActiveDir] native mode

2003-11-06 Thread deji Agba



Guido, John.

I (personally) don't think the biggest consideration in this "roll-back" plan is whether or not it can be done, or which methodology is more "supported" than the other. In my selfish opinion, the consideration should be what it will break. What it will break depends greatly on the length of time that has transpired between when the Native switch was flipped and when the roll-back trigger is being pulled AND what changes have occurred in the environment since that time. For example, since you switched to Native mode, say you have upgraded your EXC 5.5 to 2000 and have your DLs converted to UGs. Then say you have done some fancy nesting that became available to you in Native mode. Say you have installed some ERP applications that have extended the Schema based on its Native status.

Now, regardless of HOW you do your roll-back and what type of convergence occurs, how would one address the new "orphans" that will be created now that Nativity is gone?

However, if Mark's original question - "Although the change is not reversible, we could restore from AD backup and be back where we were" - is along the line of "oh, [EMAIL PROTECTED], It didn't work, let's back out!!", then I completely agree with his line of thinking. But if it is along the line of "oh, yeah, we took a backup last month or 2 months ago before the switch", then I am afraid he may be seriously disappointed. As usual, I've been known to be wrong before.



Sorry about the long rant.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wed 11/5/2003 11:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] native mode

John - I've also had various discussions about this; it is likely not the case where "one solution fits all". While I agree it should be technically feasible to take a *healthy* backup of EVERY DC of a domain at roughly the *same* time (at least prior to switching the domain modes), you are getting into the "unsupported" area of things - that's why I said restoring one and re-promoting the others is "most supported". As you mentioned, it's the procedure MS also supports for the forest recovery - although I hope nobody needs to go through this ;-)

I also agree that it's a lot of work, but how much work it really is mostly depends on how the network and sites are set up. You'll certainly not like this approach with a lot of DCs in sites across slow links (especially in 2k).

/Guido


From: John Reijnders [mailto:[EMAIL PROTECTED]
Sent: Thursday, 6 November 2003 08:01
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] native mode

Interesting discussion ... you're telling that "any other option would be too risky". I've had this discussion with MS before and they (initially) said the exact same thing (you're scaring me Guido ;-) ... However, I'm convinced that restoring every single DC of a domain that was taken at a *healthy* point in time eventually leads to the same situation as restoring a single one and repromoting the rest. It's a matter of convergence ... Eventually the MS guys agreed with me (at least the ones I've discussed this issue with).

The best practice of restoring a single DC from backup and repromoting all others is described in the Forest Recovery white paper. However, in a situation in which you need a Forest Recovery a piece of "magic" has occurred that corrupted your complete forest. Unless you know how and when this corruption entered your AD it is wise to restore a single DC, test this one very thoroughly and then repromote the others, to make sure that you do not reintroduce the corruption. In the case of Mark, the "corruption" would be the switch to native mode, which is made at a specific point in time and can therefore be reverted by using backups from all other DCs. One of the advantages of restoring all DCs from backup is that you do not need to do any seizing of FSMOs, cleanup of metadata and that kind of stuff.

Which method to choose is a matter of taste and also depends on your environment. Repromoting every single DC (except 1) is a hell of a job in large environments that have limited bandwidth like we European guys ;-). The install from media option in W2003 reduces the impact of repromotion in W2003 environments, but that's not what Mark is at I presume.

John



From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 5 November 2003 22:04
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] native mode

John - it sounds like Mark is talking about a 2000 domain - not that it makes too much of a difference, but 2000 doesn't know about functional levels (especially not about forest functional levels). Mark, correct me if I'm wrong.

However, since in 2000 the domain mode really only effects the domain, you should be able to revert to mixed mode by turning back the clock. I wouldn't do so by restoring every DC though - I'd just 

RE: [ActiveDir] VPN

2003-11-05 Thread deji Agba



It's a tough question to respond to in one sitting. So, I hope these references help you along the way:

VPN on W2K
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/vpnsol.asp
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/vpnscen.asp
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/vpninter.asp

VPN on W2K3
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/deploy/confeat/rmotevpn.asp



Yes, they are about 2 days worth of reading, but you will find the exercise very rewarding. There is also the white paper but I have it in .doc format locally and I can't remember where I downloaded it from.

HTH

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Salandra, Justin A.
Sent: Wed 11/5/2003 5:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN
Maybe I should back up here.  DO any of you have documentation on how to
setup a Windows 2000 Server as a VPN server?

When I set up the server manually, I can connect but then after about a
minute I lose the connection.  My server is only using 1 NIC card.  I have
the firewall all configured correctly with all the right ports opened.  But
when I try to configure RRAS through the wizard and choose VPN, the wizard
cannot continue because it says that an interface is needed and the
configuration stops.  Any ideas?

-Original Message-
From: Salandra, Justin A. 
Sent: Wednesday, November 05, 2003 8:15 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] VPN 


Does a VPN server have to have 2 NICs?

Can't you have a VPN server behind a firewall Natted?

Justin A. Salandra, MCSE
Senior Network Engineer




RE: [ActiveDir] DNS Lookup Problem - Windows 2003

2003-11-04 Thread deji Agba



The bug lies in the "FIX up". It's a "known" PIX issue and most truthful Cisco TAC personnel will admit to that. I went back and looked in the DNS Debug log that Miles sent last week. The "SERVFAIL" portion of the response packet is a good symptom of a "FIXED UP" anomaly.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
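As an added example that is not from the thread: the comparison below decodes the 12-byte DNS header of a reply as the DNS server emitted it and of the same reply as received on the far side of an in-path device, and reports what changed in transit (rcode turned into SERVFAIL, records dropped, length shrunk), which is the kind of diff that locates "fixed up" responses. The two packets are constructed rather than captured, and the helper names are my own.

```python
"""Added example, not from the list thread: diff the DNS header of a reply
captured at the server against the copy the client received, to spot in-path
mangling (SERVFAIL substitution, dropped records, truncation)."""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def parse_dns_header(pkt):
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(pkt) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "response": bool(flags & 0x8000),     # QR bit
        "truncated": bool(flags & 0x0200),    # TC bit: client should retry over TCP
        "rcode": RCODES.get(rcode, "RCODE%d" % rcode),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "length": len(pkt),
    }


def compare_path(at_server, at_client):
    """List what changed between the reply the DNS server sent and the reply the
    client received. An empty list means the header survived the path intact."""
    a, b = parse_dns_header(at_server), parse_dns_header(at_client)
    findings = []
    if a["id"] != b["id"]:
        findings.append("transaction id changed")
    if a["rcode"] != b["rcode"]:
        findings.append("rcode changed %s -> %s" % (a["rcode"], b["rcode"]))
    if not a["truncated"] and b["truncated"]:
        findings.append("TC bit set in transit (client will retry over TCP)")
    if (a["ancount"], a["nscount"], a["arcount"]) != (b["ancount"], b["nscount"], b["arcount"]):
        findings.append("record counts changed")
    if a["length"] != b["length"]:
        findings.append("length changed %d -> %d" % (a["length"], b["length"]))
    return findings


def build_message(txid, response, truncated, rcode, counts=(1, 0, 0, 0), payload_len=0):
    """Constructed test message: a real header followed by opaque padding that
    stands in for the question and resource records."""
    flags = (0x8000 if response else 0) | (0x0200 if truncated else 0) | (rcode & 0xF)
    return struct.pack("!6H", txid, flags, *counts) + b"\x00" * payload_len


# Constructed samples (not a real capture): a large NOERROR reply leaves the
# server; the client gets a short SERVFAIL with the same transaction id.
SERVER_REPLY = build_message(0x1234, True, False, 0, (1, 5, 2, 4), 600)
CLIENT_SAW = build_message(0x1234, True, False, 2, (1, 0, 0, 0), 40)

if __name__ == "__main__":
    for finding in compare_path(SERVER_REPLY, CLIENT_SAW):
        print(finding)
```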


From: ml.adlist
Sent: Tue 11/4/2003 8:00 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

In my case, yes. Disabling the DNS Fixup on my PIX made the issue disappear as soon as I entered the command. The PIX fixup was mangling the responses back to the DNS servers (much like SMTP fixup does when in front of an Exchange server). Later yesterday I removed the ACL and static NAT entries to those DNS servers. Everything is running smooth as silk now (and I don't have any of my DCs exposed to the internet now either).

Michael, the exchange issue you had during the beta is exactly what I experienced in production. Was your DNS behind a PIX with the DNS Fixup command running? If so, maybe it is not a bug with the Windows DNS, but just a stupid PIX trick.

At this point I don't really care where the "bug" really lies, I have it working the way I want it too now, and I'm not having to bang my head against a wall anymore.

---
Miles Holt, MCP
Network Engineer
Summit Marketing
[EMAIL PROTECTED]
770-303-0426
---
"Show me a completely smooth operation and I'll show you someone who's covering mistakes. Real boats rock." - Frank Herbert, "Chapterhouse: Dune"



From: Robert Gonzaga (306) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 10:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003


So are we saying it works as long you don't use the fixup command for DNS? Do you still need to NAT and the conduits (in my case of older PIX ver.)?

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 6:23 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003


And that's what's confusing. W2K DNS is told to use TCP for large packets, and you can force that as I recall. So in your case, the firewall was the issue, right? Slight change in the way that the DNS packets were travelling across?





Al





-Original Message-
From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003
Eh... I ran across something like that during the w2k3 beta process. Something about w2k didn't support long/extended DNS responses across TCP and w2k3 does. There was also something fishy about w2k3 not properly following referrals in deeply embedded zones.

I changed over to having my w2k3 servers forward to my Unix authoritative servers instead of following root hints and forgot about it.




From: ml.adlist [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 11:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Thanks for the tip. I have added the static entries to my servers. I have to admit, that in my actual operation I have not found that to be the case with the PIX. I did find the final cause of my problems from your tip. The new 6.33 code added a DNS fixup command that had no qualms at all about eating the responses being sent to my Windows 2003 dns servers. I don't know why it did not eat them going to the Win2K dns.
Once I disabled dns fixup, the problem ended on my test servers, and I just changed the production servers as well. They now receive long mx responses without issues.


---
Miles Holt, MCP
Network Engineer
Summit Marketing
[EMAIL PROTECTED]
770-303-0426
---
"Show me a completely smooth operation and I'll show you someone who's covering mistakes. Real boats rock." - Frank Herbert, "Chapterhouse: Dune"






From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 02, 2003 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Um, you *definitely* need to have static NAT and the correct ACL's for your DNS servers. By default, DNS uses UDP connects, which are stateless - so there is no session state to track, and the replies will be rejected.




--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: ml.adlist [mailto:[EMAIL PROTECTED]
Sent: Friday, October 31, 2003 3:35 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Thanks, I have really found all the suggestions given helpful. Even when they have rehashed things I tried before they have encouraged me to try them again. My main frustration with all of this is that 
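The thread above describes two different failure shapes that look alike from the client side: a reply too large for UDP, which a resolver must retry over TCP (Al's point about W2K DNS and TCP), and a reply that comes back as SERVFAIL because a device between the servers has rewritten it (the "FIXED UP" symptom Deji sees in the debug log). The following is an added example written for this page, not code from any list member or from Cisco or Microsoft, that tells the two apart from the reply packets alone. All packets are constructed in code so it runs offline; the verdict strings returned by diagnose() are my own labels.

```python
import struct

# Added example, not code from the thread: a minimal DNS reply parser and a
# triage rule for the UDP-vs-TCP symptom discussed above. Every packet used
# here is constructed in code for offline use; none is a real capture.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}
TYPE_MX, CLASS_IN = 15, 1


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(pkt, off):
    """Decode the name at pkt[off], following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it sits in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                 # two-byte compression pointer
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | pkt[off + 1]
            hops += 1
            if hops > 64:                         # guard against pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def build_response(ident, qname, rcode=0, tc=False, mx_answers=()):
    """Construct an MX reply for testing (constructed data, not a capture)."""
    flags = 0x8000 | (0x0200 if tc else 0) | (rcode & 0xF)    # QR, TC, RCODE
    pkt = struct.pack("!HHHHHH", ident, flags, 1, len(mx_answers), 0, 0)
    pkt += encode_name(qname) + struct.pack("!HH", TYPE_MX, CLASS_IN)
    for pref, host in mx_answers:
        rdata = struct.pack("!H", pref) + encode_name(host)
        # 0xC00C: compression pointer to the question name at offset 12
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_MX, CLASS_IN, 3600, len(rdata))
        pkt += rdata
    return pkt


def parse_response(pkt):
    """Return the header flags, the rcode name and any MX records in pkt."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    info = {"id": ident, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
            "ancount": an, "length": len(pkt), "mx": []}
    if info["tc"]:                                # body may be cut short: do not walk it
        return info
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = decode_name(pkt, off)
        off += 4                                  # QTYPE + QCLASS
    for _ in range(an):
        _, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_MX:
            pref = struct.unpack("!H", pkt[off:off + 2])[0]
            host, _ = decode_name(pkt, off + 2)
            info["mx"].append((pref, host))
        off += rdlen
    return info


def diagnose(udp_reply, tcp_reply=None):
    """Classify what a resolver saw for one MX query over UDP, then TCP.
    tcp_reply is None when the TCP retry got no answer at all (for example
    because TCP/53 is not permitted through the firewall)."""
    udp = parse_response(udp_reply)
    tcp = parse_response(tcp_reply) if tcp_reply else None
    if udp["tc"]:                                 # answer did not fit in UDP
        if tcp is None:
            return "tcp-blocked"
        return "ok-via-tcp" if tcp["rcode"] == "NOERROR" and not tcp["tc"] else "tcp-failed"
    if udp["rcode"] == "SERVFAIL" and tcp and tcp["rcode"] == "NOERROR" and tcp["mx"]:
        return "udp-mangled"                      # same query is fine over TCP: suspect a middlebox
    return "ok" if udp["rcode"] == "NOERROR" else udp["rcode"].lower()
```

The two verdicts worth acting on are "tcp-blocked" (the UDP reply carried the TC bit but nothing came back over TCP, so the firewall rules for TCP/53 need checking) and "udp-mangled" (the same MX query answers NOERROR with records over TCP but SERVFAIL over UDP, which is the shape of the PIX DNS fixup problem in this thread). Comparing the same query over both transports, from a host behind the firewall, is the quickest way to separate a server-side fault from something in the path.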

RE: [ActiveDir] GP and TS lockdown

2003-11-04 Thread deji Agba



I tried sending a screen-shot as a guide, but it's too large for the list. the Configuration is done on the RDP Properties.

Go to Admin Tools - Terminal Services Configuration - Connections - RDP-Tcp (or whatever your connection is named).

Double-click on it and go to Environment. Check the "Override settings from user." option. Then, in the "Program path and file name", specify the path to the executable of the application you want to auto-launch (with the name of the executable, e.g. C:\winnt\system32\notepad.exe). For the "start in" option, I would put in the path to the executable (without the name of the executable, e.g. C:\winnt\system32).

Forget what I said earlier about "logon locally". If you still need to see the screen shot, email me offline at deji at akomolafe dot com

HTH



Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Charlie Kaiser
Sent: Tue 11/4/2003 5:14 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GP and TS lockdown

Hi Deji. I'm not sure I'm following you here.
TS is installed in application mode. When a non-admin user logs on, they get a desktop with only the app shortcut on it. Never having worked with TS before, I haven't figured out how to have just the application run instead of the desktop. Tried using CCM to create a connection and run the app, but it still gave me a desktop.
I tried denying logon locally rights to the test user and that account couldn't connect at all. Nothing I've read shows me that I can run just an app instead of a windowed desktop (as in citrix).
The app ties to a SQL instance and requires SQL client connectivity, and we don't want to make those connections across WAN links from the client PCs. So the app runs on the TS box local to the SQL box. If you've got a way that will allow me to run (on the TS) just the app at the client without a desktop session, I'd love to use it. Enlighten me... :-)

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
**


-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 2:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GP and TS lockdown

Is there a good reason you don't just install TS in application mode on this server? If I were doing this (and there is no political/technical/budget reason against it), I'd do it that way and then deny logon locally rights to everyone but Admins. You can then configure TS to auto-launch the specific application that users need to use on the server.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: [EMAIL PROTECTED] on behalf of Charlie Kaiser
Sent: Tue 11/4/2003 1:57 PM
To: ([EMAIL PROTECTED])
Subject: [ActiveDir] GP and TS lockdown

I just spent the morning looking around at resources and doing some things to lock down a new W2K TS. This box is a member server in a W3K domain, and is hosting an app that end users hit. We needed to make it so that was the only thing they could do on the box, but we still needed admin access. So here's what I did. I'm looking for any gotchas on this before it swings into production...

New OU, termservers.
2 GPs for that OU. 1 is a lockdown, strips everything except that app. 2 is an Admin access, which disables everything in the lockdown for those times that we need to do something to the box.
Set Admin GP at top w/no override, lockdown second. Appropriate rights assignments.
Seems to work pretty well. Any glaring issues?

Found a couple of interesting nasties while trying to lockdown the box, though. Why the heck is it SO difficult to prevent IE from running? We don't want a browser to open on this box for users at all. Couldn't find any way to lock it down within the policy, and didn't want to get involved with IEAK at this point. So, I put it on the list of apps that you can't run. Also added the one app we want to the list of apps you can run. (along with all the other lockdown tweaks in the policy) That should do it, right? Wrong.

Picture this. Locked down desktop, with a log off command and one icon for the app we want to run. Can't do much, except hit F1. Hit F1, up comes a help box. On the top bar is "Web Help". Click on that, a browser opens. Nice. Lets you do anything at that point. Even though it's on the prohibited list, it still runs. OK, lock down NTFS on iexplore.exe. Removed users, etc., left admins, system. Still the same problem. Cute. IE runs in the system context when launched from help. Removed perms for system account and that finally did it. Nasty. Not exactly the context I want a web browser running from...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
**

RE: [ActiveDir] Lock-outs after only one attempt...

2003-10-15 Thread deji Agba



"Best Practice" is not a constant, you know. Reality and feedbacks from the trenches sometimes conspire to alter "best practices" every now and then. Some auditors forget this salient truth. 5 is not practical, for various reasons, one of which is the "fast user switch" bug of WinXP.

Anyways, regardless of what the auditors say, you'd do better by spending a day with the "Account Lockout and Management Tools" document, and playing with the supplied tools. These tools and document came about through inputs from a lot of people that went through the same thing you are going through now. And I can tell you the recommendations and tools are really effective.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Raymond McClinnis
Sent: Wed 10/15/2003 2:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Lock-outs after only one attempt...


One of these days I'll learn how to proof read for coherency :) I just read what I sent, doesn't make much sense.

Windows 2K Domain, Majority of Clients is Windows 2K.
Attempts is set =5, (for obvious reasons I don't want to say the exact #)

Joe: I thought best practices were to have it set to less than 5? At least that's what I remember hearing from our auditors. I'll give anything a try to keep this from happening though, just takes it happening to your boss one time before you have to dedicate a whole day on attempting to fix it. :)


Next time I hear it reported I'll use EventCombMT to get more forensic data. I know I did it once before, and was discouraged quickly by my findings.

I'll post more when I get a call (probably later today) Thanks for all the suggestions so far!


Thanks,

Raymond





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Tuesday, October 14, 2003 9:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Lock-outs after only one attempt...



they are very probably XP clients. They very likely have "fast user switch" option enabled on the XP. and Raymond has probably set his lockout threshold somewhere  = 5. I wager that this is the problem, barring the obvious multiple wrong password of course.



I know there is a Q article regarding this somewhere on support.microsoft.com. Good luck





Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon





From: Joe
Sent: Tue 10/14/2003 6:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Lock-outs after only one attempt...

How low is your policy set? If it is 10 or less reconsider. Think about what the lockout policy is in place to avoid and what a good logical number is to use to accomplish that goal.

Are your machines all W2K+ or what are they?

Do you have logging enabled on your DC's and have you chased the event log entries to see how the requests are coming in (i.e. very quickly or spread out or ?).

  joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Tuesday, October 14, 2003 7:40 PM
To: [EMAIL PROTECTED]

Hello All,

We recently implemented the Require Strong Passwords on our WIN2K and it seems that some users get locked out after entering an incorrect password only one time. (I assure you that I allow more than one mistake; I too am human) This was happening before the change, but I am seeing it more now (harder passwords = more mistakes)

The only thing I can think of is that we have multiple remote DCs in a bridged WAN environment, so when someone logs on, it hits a couple of them at the same time and they all count it as an invalid try. That's my theory anyways, I'm open for suggestions.

Thanks,
Raymond

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Lock-outs after only one attempt...

2003-10-15 Thread deji Agba



I figured it would help to include this link:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9Edisplaylang=en

HTH




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon




RE: [ActiveDir] Lock-outs after only one attempt...

2003-10-14 Thread deji Agba



they are very probably XP clients. They very likely have "fast user switch" option enabled on the XP. and Raymond has probably set his lockout threshold somewhere  = 5. I wager that this is the problem, barring the obvious multiple wrong password of course.

I know there is a Q article regarding this somewhere on support.microsoft.com. Good luck



Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Joe
Sent: Tue 10/14/2003 6:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Lock-outs after only one attempt...
How low is your policy set? If it is 10 or less reconsider. Think about what
the lockout policy is in place to avoid and what a good logical number is to
use to accomplish that goal. 

Are your machines all W2K+ or what are they? 

Do you have logging enabled on your DC's and have you chased the event log
entries to see how the requests are coming in (i.e. very quickly or spread
out or ?).

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Tuesday, October 14, 2003 7:40 PM
To: [EMAIL PROTECTED]

Hello All,

We recently implemented the Require Strong Passwords on our WIN2K and it
seems that some users get locked out after entering an incorrect password
only one time.  (I assure you that I allow more than one mistake; I too am
human) This was happening before the change, but I am seeing it more now
(harder passwords = more mistakes)

The only thing I can think of is that we have multiple remote DCs in a
bridged WAN environment, so when someone logs on, it hits a couple of them
at the same time and they all count it as an invalid try.  That's my theory
anyways, I'm open for suggestions.  


Thanks,

Raymond

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

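Joe asks how the bad-password requests are arriving (very quickly or spread out), Deji points at a single XP client with a stale fast-user-switch session, and Raymond suspects several DCs each counting the same attempt. Those three theories leave different shapes in the security logs once the DC logs are merged, which is the kind of view EventCombMT is used to build. The script below is an added example of mine, not code from the list or from any Microsoft tool: it merges bad-password events from several DCs and reports, per account, the largest burst inside a short window, the set of source workstations, and how often one second shows failures on more than one DC. Event IDs 529 (logon failure, bad password) and 644 (account locked out) follow the Windows 2000 security-log numbering; the log lines, DC names, account names, window and threshold are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the list thread. Event IDs use Windows 2000
# security-log numbering: 529 = logon failure (bad password), 644 = account
# locked out. The log lines below are constructed for this example only.
EVENT_BAD_PASSWORD = 529
EVENT_LOCKOUT = 644

# Constructed sample, one event per line: timestamp,DC,event_id,account,workstation
SAMPLE_LOG = """\
2003-10-14 07:40:01,DC-A,529,rmcclinnis,WS-RAY
2003-10-14 07:40:01,DC-B,529,rmcclinnis,WS-RAY
2003-10-14 07:40:02,DC-A,529,rmcclinnis,WS-RAY
2003-10-14 07:40:02,DC-C,529,rmcclinnis,WS-RAY
2003-10-14 07:40:03,DC-A,529,rmcclinnis,WS-RAY
2003-10-14 07:40:03,DC-A,644,rmcclinnis,WS-RAY
2003-10-14 09:10:00,DC-A,529,jsmith,WS-01
2003-10-14 11:35:00,DC-B,529,jsmith,WS-02
2003-10-14 15:02:00,DC-A,529,jsmith,WS-01
"""


def parse_events(text):
    """Parse the constructed CSV-style lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, dc, eid, account, ws = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "dc": dc, "event_id": int(eid),
                       "account": account, "workstation": ws})
    return events


def max_burst(times, window):
    """Largest number of events that fall inside any span of length window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize(events, window=timedelta(seconds=60), threshold=5):
    """Per-account view of bad-password events, merged across all DCs."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["account"]].append(ev)
    report = {}
    for account, evs in by_account.items():
        failures = [e for e in evs if e["event_id"] == EVENT_BAD_PASSWORD]
        dcs_at_time = defaultdict(set)
        for e in failures:
            dcs_at_time[e["time"]].add(e["dc"])
        # how often the same second shows a failure on more than one DC
        simultaneous = sum(1 for dcs in dcs_at_time.values() if len(dcs) > 1)
        burst = max_burst([e["time"] for e in failures], window)
        workstations = {e["workstation"] for e in failures}
        if burst >= threshold and len(workstations) == 1:
            pattern = "burst-single-source"   # one machine replaying a stale credential
        elif burst >= threshold:
            pattern = "burst-multi-source"
        else:
            pattern = "spread"                # consistent with ordinary human typos
        report[account] = {
            "failures": len(failures),
            "dcs": {e["dc"] for e in failures},
            "workstations": workstations,
            "simultaneous_dcs": simultaneous,
            "max_burst": burst,
            "locked_out": any(e["event_id"] == EVENT_LOCKOUT for e in evs),
            "pattern": pattern,
        }
    return report


if __name__ == "__main__":
    for account, row in summarize(parse_events(SAMPLE_LOG)).items():
        print(account, row)
```

Read the report by column: a high max_burst from one workstation is the stale-session shape Deji describes, and the fix is on that client rather than in the lockout policy; a burst spread over several workstations is worth treating as hostile until shown otherwise; a non-zero simultaneous_dcs count is the signature Raymond's theory would leave, since a single mistyped password would show up on several DCs in the same second. Workstation names only help if every DC's log is collected, which is why merging the logs comes before counting.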



RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operating SystemHotFix

2003-09-12 Thread deji Agba



Actually, looking "solely" in the registry would make this exercise "worse than useless". It is this same reliance on registry entries that makes me hate Windows Update and some other Patch Mgt Tools I would not like to mention here. The registry check is a 50-50 hit or miss as far as determining the true patch state of a machine.

I am not a coder, but I like the idea. Where can I send my $0.02? :)




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Roger Seielstad
Sent: Fri 9/12/2003 10:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operating SystemHotFix

LOL... I can see why that makes your head hurt. I like the idea in general, and I think all the info is in existence somewhere within the registry, too, so it might be easy enough to do, but I do see the point about pending updates versus actually installed updates (i.e. has it been rebooted).

I'll try to ponder this some more...
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, September 12, 2003 10:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operating SystemHotFix
Good thoughts.

1. I have tested the attribute to greater than 2048 ascii characters. I should have mentioned this in the original post. That should be a considerable number of hotfixes. I have gone back and forth in my head on dropping the prefix letters since no one will be googling AD to do the search... It does make sense that way someone doesn't have to try and figure out if the fix was a KB or a Q when setting up the search "operatingsystemhotfix=*;824146;*".

2. This would assume that the person running the update has the permission to modify the attribute which in some secure installations wouldn't be correct such as ours. Hotfix would have to force the update to go through the computers localsystem account. Yes the computer itself has more rights in our directory than the person who is an admin on the computer in most every case and most of the people don't have an idea that localsystem could be more powerful than a localadmin.

3. Bah, you skipped the part about lets not debate how this is done. This makes my head hurt... Though I think it looks at the registry as well as does something else because it does know if a hotfix hasn't been properly applied because say it needs a reboot to be completed. Long term my goal would be to have something native in the code to do the checks but I also want to release a V1 that does something, and then make it better... Sound familiar? I'll try to leave out the buffer overflows though. :op

 joe



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, September 12, 2003 9:41 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operating SystemHotFix
In general, I like the concept. A few thoughts.

First - what's the size limit of the attribute? Some Win2k systems have required upwards of 30 patches, if not more, between service packs - which is 30x9 +1 = 271 bytes. So if that's a 255 char limit, you're going to overflow it. If that's the limit, what about storing as hex and dropping the leading KB or Q number? 

Second - I'd suggest a push for hotfix.exe to be modified to append whatever appropriate value is decided upon for the first issue to that attrib. That strikes me as fairly simple, assuming permissions on that attribute are logical. Obviously this would require some buy in from the team at Microsoft, but it's there and usable, it should be used.

Third - Where does QFECheck get its information? It can't scan the drives - it is WAY too fast for that. I'm guessing it's stored in the registry (I know most hotfixes are stored there by default). I'd think that might be a faster and more trustworthy scheme than scraping the output of QFECheck.

If I ever get out from under my current workload (the end is definitely in sight) I'd be willing to chip in and help with that.
Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, September 12, 2003 8:54 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Any AD GURUS who Patch Systems? - using operatingSystemHotFix
Howdy!

As you may or may not know there is an attribute in Active Directory tied to computer objects called operatingSystemHotFix (Operating-System-Hotfix).

As you may or may not know MS does not currently use this attribute though they do use operatingSystem and operatingSystemServicePack.

Has anyone heard from anyone at MS any intent 
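Joe's points 1 and 2 above describe the layout he tested for the attribute: article numbers with the KB/Q prefix dropped, each one wrapped in ";" so that a search such as operatingsystemhotfix=*;824146;* matches the fix and nothing else, a value tested past 2048 characters, and an installer that appends to the list after a successful install. The following is an added example of mine, not code from the list or from Microsoft, that models that layout and the search it enables. 824146 is the number quoted in the thread; the other numbers are constructed, and the 2048-character cap (taken from Joe's test figure and exposed as a parameter) and all function names are assumptions of the example.

```python
import re

# Added example, not the list's or Microsoft's code. Models the ";id;id;"
# layout Joe describes for operatingSystemHotFix and the "*;824146;*"
# search it enables. MAX_LENGTH is an assumed cap, chosen because the
# thread reports the attribute was tested past 2048 characters.
MAX_LENGTH = 2048
ATTRIBUTE = "operatingSystemHotFix"
_ID_RE = re.compile(r"^(?:KB|Q)?(\d+)$", re.IGNORECASE)


def normalize_id(hotfix):
    """Strip a KB or Q prefix and return the bare article number as a string."""
    m = _ID_RE.match(hotfix.strip())
    if not m:
        raise ValueError(f"not a hotfix id: {hotfix!r}")
    return m.group(1)


def encode_hotfixes(hotfixes, max_length=MAX_LENGTH):
    """Build the ';'-delimited value: de-duplicated, original order kept.
    Leading and trailing ';' are what make the '*;id;*' search exact."""
    seen, ids = set(), []
    for h in hotfixes:
        n = normalize_id(h)
        if n not in seen:
            seen.add(n)
            ids.append(n)
    value = ";" + ";".join(ids) + ";" if ids else ""
    if len(value) > max_length:
        raise ValueError(f"value would be {len(value)} chars, limit is {max_length}")
    return value


def decode_hotfixes(value):
    """Inverse of encode_hotfixes: the list of bare article numbers."""
    return [part for part in value.split(";") if part]


def append_hotfix(value, hotfix, max_length=MAX_LENGTH):
    """What an installer would do after a successful install: idempotent append."""
    return encode_hotfixes(decode_hotfixes(value) + [hotfix], max_length)


def ldap_filter(hotfix):
    """Search filter for computers that record the given fix."""
    return f"({ATTRIBUTE}=*;{normalize_id(hotfix)};*)"


def has_hotfix(value, hotfix):
    """Local equivalent of the wildcard filter: substring match on ';id;'."""
    return f";{normalize_id(hotfix)};" in value
```

The delimiter on both sides is the whole point of the layout: a plain substring search for 824146 would also match a value containing 1824146, while the ";824146;" form cannot. The length check belongs in whatever writes the attribute, since the value grows by roughly seven characters per fix and the directory will reject, not truncate, an oversized write.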

RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operating SystemHotFix

2003-09-12 Thread deji Agba



Rick, I actually run MBSA/SP4 in my test Lab. One of the things it couldn't find today was a directx hotfix on XP Corp Edition. granted, it's much better than the one in my production environment, still... those whacky stuffs are not entirely gone - at least not from my Lab.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Rick Kingslan
Sent: Fri 9/12/2003 5:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operating SystemHotFix

"Even the MS BSA tool can't verify that a number of patches are installed, even though they are. We currently have about 6-10 patches as part of the build that can't actually be verified that they are installed or not. Makes it a bit difficult to ensure patches are installed when even MS (who released the patch) can't tell me."

Glenn - have you run MBSA on a system with SP4? Changes the look quite a bit. Those whacky "gee, we're just really not sure if it's patched or not" entries go away.


Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Friday, September 12, 2003 7:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Any AD GURUS who Patch Systems? - using operating SystemHotFix

Darren,

you would think so, and this is one thing that s**ts me about the current way MS handle hotfixes. A number of the hotfixes installed don't appear to leave any trace in the registry or otherwise, and can't actually be verified if the patch is installed. Run the base security analyser anytime recently? As part of our build release process, we incorporate patches into the core build and have a different build version based on the installed patches. Even the MS BSA tool can't verify that a number of patches are installed, even though they are. We currently have about 6-10 patches as part of the build that can't actually be verified that they are installed or not. Makes it a bit difficult to ensure patches are installed when even MS (who released the patch) can't tell me.

G.


- Original Message - 
From: Darren Mar-Elia 
To: [EMAIL PROTECTED] 
Sent: Saturday, September 13, 2003 4:35 AM
Subject: RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operating SystemHotFix

Typically the better patch management tools use more than just what's in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix to determine if a patch is really applied. For example, they will use hash checks or version checks of the actual patched system files themselves to verify that someone hasn't come along and overwritten a patched file with a regressed version. I'm not sure about qfecheck but I'm pretty sure that hfnetchk.exe did this extra check.


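Darren's point is that the Hotfix registry key only records that an installer ran, not that the patched binaries are still the ones on disk, so the stronger check is on the files themselves. The following is an added example of mine, not code from the list and not from hfnetchk or qfecheck, of that idea: a per-file digest manifest recorded at patch time and verified later, which reports a file as regressed when its content no longer matches the patched build. The directory tree, file names, contents and digests used by demo() are constructed in the code; the manifest format and the status names are assumptions of the example.

```python
import hashlib
import os
import tempfile

# Added example, not from the list and not any vendor tool's code. Shows the
# "check the patched files themselves" approach: a manifest of expected
# digests per file, verified against what is actually on disk. Everything
# demo() touches is constructed here and removed again.


def sha256_file(path, chunk=65536):
    """Digest a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_manifest(root, manifest):
    """manifest: {relative_path: expected_sha256}. Returns a status per file.

    'regressed' means the file exists but its content is not the patched
    build, which is exactly the case a registry-only check cannot see."""
    result = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            result[rel] = "missing"
        elif sha256_file(path) == expected:
            result[rel] = "ok"
        else:
            result[rel] = "regressed"
    return result


def demo():
    """Build a constructed tree, record the 'patched' digests, then overwrite
    one file with older content and delete another, as a regression would."""
    root = tempfile.mkdtemp(prefix="hotfix-demo-")
    sysdir = os.path.join(root, "system32")
    os.makedirs(sysdir)
    patched = {"system32/a.dll": b"a.dll patched build",   # constructed contents
               "system32/b.dll": b"b.dll patched build",
               "system32/c.dll": b"c.dll patched build"}
    manifest = {}
    for rel, content in patched.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
        manifest[rel] = hashlib.sha256(content).hexdigest()
    # simulate a regression: an old binary copied back, another file removed
    with open(os.path.join(root, "system32/b.dll"), "wb") as f:
        f.write(b"b.dll pre-patch build")
    os.remove(os.path.join(root, "system32/c.dll"))
    try:
        return verify_manifest(root, manifest)
    finally:
        for name in os.listdir(sysdir):
            os.remove(os.path.join(sysdir, name))
        os.rmdir(sysdir)
        os.rmdir(root)
```

The manifest has to be produced from a known-good copy of the patched files, not from whatever is on the machine at scan time, otherwise a regressed file simply becomes the new baseline. A pending reboot is the other gap Roger and Joe raise: a file that is staged for replacement at next boot still hashes as the old build, so a "regressed" result on a freshly patched box should be read together with the reboot state before anyone re-installs.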

RE: [ActiveDir] Anti-Virus Software and AD

2003-09-02 Thread deji Agba



Say, Joe, what do you do to protect against the share-burrowing Worms/Virii?




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Joe
Sent: Tue 9/2/2003 4:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anti-Virus Software and AD

Good info Todd. Actually I avoid AV on DC's but then we don't do file and print from them. If we did it would be a different story.

 joe



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Tuesday, September 02, 2003 2:47 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Anti-Virus Software and AD
A few months back I started a thread about installing AV software on Domain Controllers. There were a lot of good comments generated as part of the discussion with the recommendation to avoid software that triggered FRS replication, and recommendations to also exclude certain file types. Another trend that was reported was that some people were getting recommendations from Microsoft that they don't run AV software on DC's because their Firewalls and such protect them. 

Recently I have discovered two new KB's that seem to offer some definitive recommendations from Microsoft.


Virus Scanning Recommendations on a Windows 2000 Domain Controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;822158

Antivirus, Backup, and Disk Optimization Programs That Are Compatible with the File Replication Service
http://support.microsoft.com/default.aspx?scid=kb;EN-US;815263


Below is a summary of the MS recommendations:

Programs That Do Not Trigger FRS Replication
The following programs do not modify files in a way that triggers FRS replication.

Antivirus:
- eTrust Antivirus build 96 or later with the "NTFS incremental scan" feature disabled
- McAfee/NAI NetShield 4.50 with the NetShield Hotfix Rollup
- Norton AntiVirus 7.6 or later

File and System State Backup:
- Legato Octopus/Replistor 5.2.1

Disk Optimization:
- None currently reported

Toddler


RE: [ActiveDir] sysvol not replicating

2003-09-01 Thread deji Agba



The more I read this original question, the more I keep thinking that there is likely to be a low-level answer to the problem. I am not so sure anymore, especially given all that you've tried so far :).

Being that as it may, I would like to fly this low-level kite anyway, in the hope that it may help.

So, you upgd the BDC - what happened to the original PDC thereafter? I am sorry if you've mentioned this in subsequent response, I just didn't see it.

Now, if you read Chapter 8 of the domain Migration Cookbook (http://www.microsoft.com/technet/treeview/default.asp?url=), you will notice that the PDC is the one that ought to be up'ed, not the BDC. However, more importantly, note the pertinent information about potential REPLICATION (LMRepl) failure/problem IF some specific config are not made:


Synchronize File Replication Services 
The two file replication services, LMRepl for Windows NT 4.0 and NT File Replication service (NTFRS) for the SYSVOL on Windows 2000, are not compatible, meaning they do not replicate files between them. Therefore, administrators have to create a manual process that copies new scripts from the logon folder in the SYSVOL to the LMRepl export folder on the Windows NT 4.0 domain controller. 
The easiest way to perform this operation is as follows: Read full text on the link, it is midway down to the bottom of the page
Also note:

Windows 2000 domain controllers do not replicate files using the LMRepl file replication service to Windows NT 4.0 domain controllers. 
Configure LMRepl File Replication Service 
Because the PDC won't be able to play the role as LMRepl export server after the operating system upgrade, another computer must be configured to play this role until all Windows NT 4.0 domain controllers have disappeared from the domain. Ideally, this should be the last Windows NT 4.0 domain controller that will be upgraded or decommissioned. 
There is more to that. Please take the time to read it. I honestly hope it helps narrow down the source of the problem.





Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Rittenhouse, Cindy
Sent: Fri 8/29/2003 7:32 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] sysvol not replicating
Two days ago a consulting firm upgraded a BDC at a remote location to
Windows 2000. After the upgrade users had all types of trouble connecting.
It seems the sysvol is not replicating because the
Do_Not_Remove_NtFrs_PreInstall_Directory, Policies directory, and Scripts
directory do not exist on the remote server in either the sysvol\domain or
the sysvol\sysvol directory. The rest of AD seems to be replicating fine.
Can I simply copy those directories from one of my DCs to the DC in the
remote location?
Thanks

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


