[ActiveDir] OT: DFS Access Denied Error
Hello, all. I am receiving an Access Denied error when attempting to add a New Link into an existing DFS namespace. I am a DA/EA and I have checked the ACL's on the appropriate AD objects and they look correct. Any ideas would be appreciated. Thanks, James dfs-error.PNG Description: PNG image
RE: [ActiveDir] OT: DFS Access Denied Error
I don't see any interesting event log entries. Not a big forest really, 5 domains, 120,000 users, 1 DFS site. The root has been around for 4 years. By look correct I mean that DA/EA have full rights on the DFS attributes in the domain. You are correct, R1 and existing DFS root. Thanks for the reply, -James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 4:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, Any specific event log entries around then? Do you have a big forest? How recently was the root setup (i.e. had it had time to replicate this information everywhere)? I'm interested by the phrase look correct - what do you mean? Just so I have it right in my head - you are trying to add a new link to an existing DFS root, right? This is Win2K3 R1 (the image suggests so, but just checking)? So many questions, so little help so far... themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 5:58 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: DFS Access Denied Error Hello, all. I am receiving an Access Denied error when attempting to add a New Link into an existing DFS namespace. I am a DA/EA and I have checked the ACL's on the appropriate AD objects and they look correct. Any ideas would be appreciated. Thanks, James This email (including any attachments) contains confidential information and is intended only for the named addressee. If you are not the named addressee you should not disseminate, distribute or copy this email. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system and destroy any copies. This email is also subject to copyright. No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner. Email transmission cannot be guaranteed to be secure or error-free and emails may be interfered with, may contain computer viruses or other defects and may not be successfully replicated on other systems. The sender does not give any warranties nor accepts any liability in relation to any of these matters. If you have any doubt about the authenticity of an email purportedly sent by us, please contact us immediately. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] OT: DFS Access Denied Error
I verified that DA/EA has Full Control both share and NTFS. James Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 7:58 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, I may not be able to help, but I hope at least I don't confuse things. Does your DA/EA account have both share and NTFS permissions to the link you are trying to add? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 10:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error I don't see any interesting event log entries. Not a big forest really, 5 domains, 120,000 users, 1 DFS site. The root has been around for 4 years. By look correct I mean that DA/EA have full rights on the DFS attributes in the domain. You are correct, R1 and existing DFS root. Thanks for the reply, -James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 4:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, Any specific event log entries around then? Do you have a big forest? How recently was the root setup (i.e. had it had time to replicate this information everywhere)? I'm interested by the phrase look correct - what do you mean? Just so I have it right in my head - you are trying to add a new link to an existing DFS root, right? This is Win2K3 R1 (the image suggests so, but just checking)? So many questions, so little help so far... themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 5:58 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: DFS Access Denied Error Hello, all. I am receiving an Access Denied error when attemptingto add a New Link into an existing DFS namespace. I am a DA/EA and I have checked the ACL's on the appropriate AD objects and they look correct. Any ideas would be appreciated. Thanks, James This email (including any attachments) contains confidential information and is intended only for the named addressee. If you are not the named addressee you should not disseminate, distribute or copy this email. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system and destroy any copies. This email is also subject to copyright. No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner. Email transmission cannot be guaranteed to be secure or error-free and emails may be interfered with, may contain computer viruses or other defects and may not be successfully replicated on other systems. The sender does not give any warranties nor accepts any liability in relation to any of these matters. If you have any doubt about the authenticity of an email purportedly sent by us, please contact us immediately. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx This email (including any attachments) contains confidential information and is intended only for the named addressee. If you are not the named addressee you should not disseminate, distribute or copy this email. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system and destroy any copies. This email is also subject to copyright. No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner. Email transmission cannot be guaranteed to be secure or error-free and emails may be interfered with, may contain computer viruses or other defects and may not be successfully replicated on other systems. The sender does not give any warranties nor accepts any liability in relation to any of these matters. If you have any doubt about the authenticity of an email purportedly sent by us, please contact us immediately. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma
RE: [ActiveDir] OT: DFS Access Denied Error
Domain root James Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 10:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, Domain or stand-alone root? (should have asked that earlier...) themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 11:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error I verified that DA/EA has Full Control both share and NTFS. James Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 7:58 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, I may not be able to help, but I hope at least I don't confuse things. Does your DA/EA account have both share and NTFS permissions to the link you are trying to add? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 10:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error I don't see any interesting event log entries. Not a big forest really, 5 domains, 120,000 users, 1 DFS site. The root has been around for 4 years. By look correct I mean that DA/EA have full rights on the DFS attributes in the domain. You are correct, R1 and existing DFS root. Thanks for the reply, -James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 4:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, Any specific event log entries around then? Do you have a big forest? How recently was the root setup (i.e. had it had time to replicate this information everywhere)? I'm interested by the phrase look correct - what do you mean? Just so I have it right in my head - you are trying to add a newlink to an existing DFS root, right? This is Win2K3 R1 (the image suggests so, but just checking)? So many questions, so little help so far... themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 5:58 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: DFS Access Denied Error Hello, all. I am receiving an Access Denied error when attemptingto add a New Link into an existing DFS namespace. I am a DA/EA and I have checked the ACL's on the appropriate ADobjects and they look correct. Any ideas would be appreciated. Thanks, James This email (including any attachments) contains confidential information and is intended only for the named addressee. If you are not the named addressee you should not disseminate, distribute or copy this email. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system and destroy any copies. This email is also subject to copyright. No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner. Email transmission cannot be guaranteed to be secure or error-free and emails may be interfered with, may contain computer viruses or other defects and may not be successfully replicated on other systems. The sender does not give any warranties nor accepts any liability in relation to any of these matters. If you have any doubt about theauthenticity of an email purportedly sent by us, please contact us immediately. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx This email (including any attachments) contains confidential information and is intended only for the named addressee. If you are not the named addressee you should not disseminate, distribute or copy this email. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system and destroy any copies. This email
RE: [ActiveDir] OT: DFS Access Denied Error
It is within the structure already published James Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 10:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, Where is the link located that you are trying to add - is it within the DFS structure already published? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 11:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error I verified that DA/EA has Full Control both share and NTFS. James Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 7:58 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, I may not be able to help, but I hope at least I don't confuse things. Does your DA/EA account have both share and NTFS permissions to the link you are trying to add? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 10:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error I don't see any interesting event log entries. Not a big forest really, 5 domains, 120,000 users, 1 DFS site. The root has been around for 4 years. By look correct I mean that DA/EA have full rights on the DFS attributes in the domain. You are correct, R1 and existing DFS root. Thanks for the reply, -James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 4:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, Any specific event log entries around then? Do you have a big forest? How recently was the root setup (i.e. had it had time to replicate this information everywhere)? I'm interested by the phrase look correct - what do you mean? Just so I have it right in my head - you are trying to add a newlink to an existing DFS root, right? This is Win2K3 R1 (the image suggests so, but just checking)? So many questions, so little help so far... themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 5:58 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: DFS Access Denied Error Hello, all. I am receiving an Access Denied error when attemptingto add a New Link into an existing DFS namespace. I am a DA/EA and I have checked the ACL's on the appropriate ADobjects and they look correct. Any ideas would be appreciated. Thanks, James This email (including any attachments) contains confidential information and is intended only for the named addressee. If you are not the named addressee you should not disseminate, distribute or copy this email. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system and destroy any copies. This email is also subject to copyright. No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner. Email transmission cannot be guaranteed to be secure or error-free and emails may be interfered with, may contain computer viruses or other defects and may not be successfully replicated on other systems. The sender does not give any warranties nor accepts any liability in relation to any of these matters. If you have any doubt about theauthenticity of an email purportedly sent by us, please contact us immediately. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx This email (including any attachments) contains confidential information and is intended only for the named addressee. If you are not the named addressee you should not disseminate, distribute or copy this email. Please notify the sender immediately by email if you have received this email by mistake
RE: [ActiveDir] OT: DFS Access Denied Error
I apologize for my DFS illiteracy, but I'm not sure what you mean by the FRS-Staging folder... James Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 10:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James... and one more thing - it might have something to do with the fact that the folder is set to replicate. Where is the FRS-Staging folder for the replica you are adding the link to, and do you have permission to that folder? Thanks! :) themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 11:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error I verified that DA/EA has Full Control both share and NTFS. James Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 7:58 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, I may not be able to help, but I hope at least I don't confuse things. Does your DA/EA account have both share and NTFS permissions to the link you are trying to add? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 10:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error I don't see any interesting event log entries. Not a big forest really, 5 domains, 120,000 users, 1 DFS site. The root has been around for 4 years. By look correct I mean that DA/EA have full rights on the DFS attributes in the domain. You are correct, R1 and existing DFS root. Thanks for the reply, -James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 4:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, Any specific event log entries around then? Do you have a big forest? How recently was the root setup (i.e. had it had time to replicate this information everywhere)? I'm interested by the phrase look correct - what do you mean? Just so I have it right in my head - you are trying to add a newlink to an existing DFS root, right? This is Win2K3 R1 (the image suggests so, but just checking)? So many questions, so little help so far... themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 5:58 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: DFS Access Denied Error Hello, all. I am receiving an Access Denied error when attemptingto add a New Link into an existing DFS namespace. I am a DA/EA and I have checked the ACL's on the appropriate ADobjects and they look correct. Any ideas would be appreciated. Thanks, James This email (including any attachments) contains confidential information and is intended only for the named addressee. If you are not the named addressee you should not disseminate, distribute or copy this email. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system and destroy any copies. This email is also subject to copyright. No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner. Email transmission cannot be guaranteed to be secure or error-free and emails may be interfered with, may contain computer viruses or other defects and may not be successfully replicated on other systems. The sender does not give any warranties nor accepts any liability in relation to any of these matters. If you have any doubt about theauthenticity of an email purportedly sent by us, please contact us immediately. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx This email (including any attachments) contains confidential information and is intended only for the named addressee. If you
RE: [ActiveDir] OT: DFS Access Denied Error
I'm trying to add a new link to a new share (call it Folder3) James Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 11:19 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error So let me get this straight... You have a root with folders like this: RootFolder --Folder1 --Folder2 You've published the RootFolder as your domain root, and it is shared accordingly, so when you go to \\domain\rootfoldershare you see folder1 and folder2. You then are trying to add a link to Folder1 within the replicated structure of the DFSroot already established. I am assuming you are doing this so that you can replicate it independently of Folder2. Is this the case? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 2:02 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error It is within the structure already publishedJames Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 10:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, Where is the link located that you are trying to add - is it within the DFS structure already published? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 11:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error I verified that DA/EA has Full Control both share and NTFS. James Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 7:58 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, I may not be able to help, but I hope at least I don't confuse things. Does your DA/EA account have both share and NTFS permissions to the link you are trying to add? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 10:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error I don't see any interesting event log entries. Not a big forest really, 5 domains, 120,000 users, 1 DFS site. The root has been around for 4 years. By look correct I mean that DA/EA have full rights on the DFSattributes in the domain. You are correct, R1 and existing DFS root. Thanks for the reply, -James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 4:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, Any specific event log entries around then? Do you have a big forest? How recently was the root setup (i.e.had it had time to replicate this information everywhere)? I'm interested by the phrase look correct - what do you mean? Just so I have it right in my head - you are trying to add a newlink to an existing DFS root, right? This is Win2K3 R1 (the image suggests so, but just checking)? So many questions, so little help so far... themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 5:58 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: DFS Access Denied Error Hello, all. I am receiving an Access Denied error when attemptingto add a New Link into an existing DFS namespace. I am a DA/EA and I have checked the ACL's on the appropriate ADobjects and they look correct. Any ideas would be appreciated. Thanks, James This email (including any attachments) contains confidentialinformation and is intended only for the named addressee. If you are not the named addressee you should not disseminate, distribute or copy this email. Please notify the sender immediately by email if you have received this email by mistake
RE: [ActiveDir] OT: DFS Access Denied Error
Thanks for the info, that helps -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 11:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, DFS under Win2K3 R1 uses the File Replication System (the same one that replicates the SYSVOL share's contents) to replicate files. It's a bit kludgy, which is why DFSR under Win2K3 R2 is such a breath of fresh air (to be frank I think it would do what you are trying to do, but I get that upgrading to R2 isn't easy for everyone). The FRS-Staging folder is automatically created on each replica instance that you are replicating a folder to to manage the file copying between shares. When it is created it should give the administrators group and the system group full control of this folder. Please check that is indeed the case (you'll have to view it through advanced properties, though). themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 2:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error I apologize for my DFS illiteracy, but I'm not sure what you mean by the FRS-Staging folder...James Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 10:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James... and one more thing - it might have something to do with the fact that the folder is set to replicate. Where is the FRS-Staging folder for the replica you are adding the link to, and do you have permission to that folder? Thanks! :) themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 11:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error I verified that DA/EA has Full Control both share and NTFS. James Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 7:58 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, I may not be able to help, but I hope at least I don't confuse things. Does your DA/EA account have both share and NTFS permissions to the link you are trying to add? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 10:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error I don't see any interesting event log entries. Not a big forest really, 5 domains, 120,000 users, 1 DFS site. The root has been around for 4 years. By look correct I mean that DA/EA have full rights on the DFSattributes in the domain. You are correct, R1 and existing DFS root. Thanks for the reply, -James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 4:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, Any specific event log entries around then? Do you have a big forest? How recently was the root setup (i.e.had it had time to replicate this information everywhere)? I'm interested by the phrase look correct - what do you mean? Just so I have it right in my head - you are trying to add a newlink to an existing DFS root, right? This is Win2K3 R1 (the image suggests so, but just checking)? So many questions, so little help so far... themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 5:58 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: DFS Access Denied Error Hello, all. I am receiving an Access Denied error when attemptingto add a New Link into an existing DFS namespace. I am a DA/EA and I have checked the ACL's on the appropriate ADobjects and they look correct. Any ideas would be appreciated. Thanks, James This email (including any attachments) contains confidential
RE: [ActiveDir] OT: DFS Access Denied Error
No problem - and yes, that is correct. I have created a separate DFS root, added a link to Folder3 and everything works fine. Think my existing DFS root is whacked? James Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Thursday, January 11, 2007 12:22 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error OK, so Folder3 exists and lives totally outside the existing DFS root or it's actual location - this is a new share that you are trying to add as a link - yes? Sorry to be so persnickety - just want to make sure I understand your situation. As a matter of interest, if you create another domainroot, and add Folder3 as a link (no replication), does it let you? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 2:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error I'm trying to add a new link to a new share (call it Folder3) James Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 11:19 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error So let me get this straight... You have a root with folders like this: RootFolder --Folder1 --Folder2 You've published the RootFolder as your domain root, and it is shared accordingly, so when you go to \\domain\rootfoldershare you see folder1 and folder2. You then are trying to add a link to Folder1 within the replicated structure of the DFSroot already established. I am assuming you are doing this so that you can replicate it independently of Folder2. Is this the case? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 2:02 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error It is within the structure already publishedJames Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 10:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, Where is the link located that you are trying to add - is it within the DFS structure already published? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 11:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error I verified that DA/EA has Full Control both share and NTFS. James Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 7:58 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, I may not be able to help, but I hope at least I don't confuse things. Does your DA/EA account have both share and NTFS permissions tothe link you are trying to add? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 10:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error I don't see any interesting event log entries. Not a big forest really, 5 domains, 120,000 users, 1 DFS site. The root has been around for 4 years. By look correct I mean that DA/EA have full rights on the DFSattributes in the domain. You are correct, R1 and existing DFS root. Thanks for the reply, -James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 4:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, Any specific event log entries around then? Do you have a big forest? How recently was the root setup (i.e.had it had time to replicate
RE: [ActiveDir] OT: DFS Access Denied Error
Will do - thanks much for your help. James Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Thursday, January 11, 2007 12:56 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, This may sound harsh, but it could be. Humour us all and try deleting the root and rebuilding it and let us know... themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 3:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error No problem - and yes, that is correct. I have created a separate DFS root, added a link to Folder3 and everything works fine. Think my existing DFS root is whacked?James Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Thursday, January 11, 2007 12:22 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error OK, so Folder3 exists and lives totally outside the existing DFS root or it's actual location - this is a new share that you are trying to add as a link - yes? Sorry to be so persnickety - just want to make sure I understand your situation. As a matter of interest, if you create another domainroot, and add Folder3 as a link (no replication), does it let you? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 2:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error I'm trying to add a new link to a new share (call it Folder3) James Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 11:19 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error So let me get this straight... You have a root with folders like this: RootFolder --Folder1 --Folder2 You've published the RootFolder as your domain root, and it is shared accordingly, so when you go to \\domain\rootfoldershare you see folder1 and folder2. You then are trying to add a link to Folder1 within the replicated structure of the DFSroot already established. I am assuming you are doing this so that you can replicate it independently of Folder2. Is this the case? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 2:02 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error It is within the structure already publishedJames Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 10:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, Where is the link located that you are trying to add - is it within the DFS structure already published? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 January 2007 11:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error I verified that DA/EA has Full Control both share and NTFS.James Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, January 10, 2007 7:58 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DFS Access Denied Error James, I may not be able to help, but I hope at least I don't confuse things. Does your DA/EA account have both share and NTFS permissions tothe link you are trying to add? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of[EMAIL
[ActiveDir] Is ADAM free?
Is ADAM free? If not, how much does it cost? Thanks! -James List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] Is ADAM free?
Great - thanks for the info. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw Sent: Tuesday, January 02, 2007 11:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Is ADAM free? Just as an additional fyi, ADAM also has a redistribution license that is free so that ISVs and vendors can redist ADAM with their applications and programs - like we do. That's an awesome benefit for us. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter Sent: Tuesday, January 02, 2007 6:45 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is ADAM free? Free download for 2K3 or Windows XP (with some feature limitations on the latter), integrated into R2 and later. http://www.microsoft.com/downloads/details.aspx?FamilyId=9688F8B9-1034-4 EF6-A3E5-2A2A57B5C8E4displaylang=en On 1/2/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Is ADAM free? If not, how much does it cost? Thanks! -James List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] Quest Recovery Manager
Sorry - refering to RM for AD James Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wells, James Arthur Sent: Wednesday, December 06, 2006 2:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quest Recovery Manager James - Recovery Manager for Exchange, AD or both? We've been very happy with Quest Recovery Manager for Exchange. No experience with the AD product... --James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, December 05, 2006 4:11 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Quest Recovery Manager Does anybody have anything particularly good or bad to say about Quest's Recovery Manager product? We are evaluating it for an 2 forests, and 3 domains. As always, thanks for all of your insight and expertise. -James List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] Quest Recovery Manager
Todd, thanks for your insight. Good points to think about. James Masters Systems Architecture and Engineering The Kroger Co. Office: (859) 363-2346 Cell:(859) 653-8644 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E] Sent: Wednesday, December 06, 2006 9:14 AM To: ActiveDir@mail.activedir.org Cc: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Quest Recovery Manager Same here... Good stuff. To be fair though, most of the major AD players have these tools now. The thing about the Quest (Aelita) tool was its use of their own APIs to address issues like Domain Local Groups etc. I haven't kept up with the latest versions so I am not sure what direction they have gone since 2003. Latest information I remember was they offered you the option to use the MS API methods for recovery, or their special brew for more advanced recovery options. Now if put some extra effort into your query, you might get this thread nice and hot, and generate input from people like Stuart Kwan discussing supportability issues using the various recovery methods, Guido Vladimir discussing in great depth the inherent problems of group recovery, various opinions on how to use isolates sites with rubber chickens, MIIS, ADAM to reanimate deleted objects (This seems to be a favorite topic of Gil's to use to fill in spots at DEC)... did I forget anyone... hmm maybe Robbie might take time away from work on his fields medal or latest cookbook to write you a Monad shell script that Joe will find a way to compile into a .exe to execute from a ADFIND query pipe. In all seriousness though, when evaluating DR feature for AD you will have a lot of things to consider, technologies being just one. The nature of the type of AD objects you want to recover and in what state should be considered (Groups, GPO's, etc, attribute data). How much time you want to dedicate to this operation? How much you want to spend? And who will support you if the recovery operations fail or seem to cause more problems. If you are looking just to recover deleted users, the various free tools out there will do just fine. I highly recommend that you start your DR project today by just using the good'old MS backup utility at a minimum to make a MST formatted backup of the system state and data from a domain controller in each of your domains you think has the most current AD data in your organization. That pretty much guarantees you can recover every object given that you have the data in some backup. And to all the people I mentioned above. Happy Holidays... and New Year. Todd -Original Message- From: Day, James (NPS) Sent: Wednesday, December 06, 2006 8:03 AM To: ActiveDir@mail.activedir.org Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED] Subject: Re: [ActiveDir] Quest Recovery Manager Hi James We bought this when it was an Aelita tool and loved the product - it pretty much paid for itself in one step the second month we were using it. The product is still good but I have nothing good to say about Quest support (but I could complain for hours about it if I am allowed to). There are a couple of other similar ones that may also be worth. Regards; James R. Day Active Directory Core Team Office of the Chief Information Officer National Park Service 202-354-1464 202-230-2983 (CEL) [EMAIL PROTECTED] [EMAIL PROTECTED] ger.com Sent by: To [EMAIL PROTECTED] ActiveDir@mail.activedir.org ail.activedir.org cc Subject 12/05/2006 05:11 [ActiveDir] Quest Recovery Manager PM EST Please respond to [EMAIL PROTECTED] tivedir.org Does anybody have anything particularly good or bad to say about Quest's Recovery Manager product? We are evaluating it for an 2 forests, and 3 domains. As always, thanks for all of your insight and expertise. -James List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
[ActiveDir] ADUC - Simple question
In ADUC, under Saved Queries/New/Query, why is the Query string: text box greyed out and uneditable? Thanks! -James List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
[ActiveDir] Quest Recovery Manager
Does anybody have anything particularly good or bad to say about Quest's Recovery Manager product? We are evaluating it for an 2 forests, and 3 domains. As always, thanks for all of your insight and expertise. -James List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
[ActiveDir] BIND allow-update
Easy question for the group - I have a forest rood domain: msroot.company I have a domain: company.com We use BIND. My question: do I need an allow-update entry for both zones or just the forest root zone for proper dynamic update operation? Thanks in advance, James List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] BIND allow-update
Thanks for the replies - I think I have to revise my question. Upon DC promotion - does the DC need to dynamically update the forest root and the domain the DC is in? (e.g. I'm promoting a DC for company.com, does the DC need to do DDNS to both company.com AND msroot.company (the forest root domain)? Thanks again, -James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ansar Mohammed Sent: Friday, October 06, 2006 10:30 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] BIND allow-update I believe that that would be a BIND specific situation and allow-update or update-policy can be used, but both directives are per zone. If you have two AD Domains that you want to enable dynamic update on, then yes. But using BIND for AD in all honesty is quite painful. But if you must http://www.linux-mag.com/2001-03/bind_01.html Then read the unix haters handbook.(Not that I don't like Unix) http://research.microsoft.com/~daniel/uhh-download.html -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: October 6, 2006 9:01 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] BIND allow-update Easy question for the group - I have a forest rood domain: msroot.company I have a domain: company.com We use BIND. My question: do I need an allow-update entry for both zones or just the forest root zone for proper dynamic update operation? Thanks in advance, James List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] BIND allow-update
Very much - thanks everyone. James Masters Systems Architecture and Engineering The Kroger Co. (859) 363-2346 - Desk (859) 653-8644 - Cell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of itgeek Sent: Friday, October 06, 2006 12:00 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] BIND allow-update The DC in the child domain needs to update the dns zone that represents it's domain. It also needs to update the _msdcs.root domain zone. The _msdcs.root domain zone contains records for the GC's and the CNAME records that are used for replication. Hope that helps. - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, October 06, 2006 3:45 PM Subject: RE: [ActiveDir] BIND allow-update Thanks for the replies - I think I have to revise my question. Upon DC promotion - does the DC need to dynamically update the forest root and the domain the DC is in? (e.g. I'm promoting a DC for company.com, does the DC need to do DDNS to both company.com AND msroot.company (the forest root domain)? Thanks again, -James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ansar Mohammed Sent: Friday, October 06, 2006 10:30 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] BIND allow-update I believe that that would be a BIND specific situation and allow-update or update-policy can be used, but both directives are per zone. If you have two AD Domains that you want to enable dynamic update on, then yes. But using BIND for AD in all honesty is quite painful. But if you must http://www.linux-mag.com/2001-03/bind_01.html Then read the unix haters handbook.(Not that I don't like Unix) http://research.microsoft.com/~daniel/uhh-download.html -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: October 6, 2006 9:01 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] BIND allow-update Easy question for the group - I have a forest rood domain: msroot.company I have a domain: company.com We use BIND. My question: do I need an allow-update entry for both zones or just the forest root zone for proper dynamic update operation? Thanks in advance, James List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
[ActiveDir] DFS - Null Server-Reference Attributes
Hello, All. Im pretty sure that Im experiencing the Null Server-Reference Attributes issue as described in http://support.microsoft.com/default.aspx?scid=kb;EN-US;312862 My problem Im hitting a wall right out of the gate: In LDP or ADSIedit, copy the DN path of the NTDS Settings object from the Configuration container in the root domain of the forest to Clipboard. Im using ADSIedit, but I cant find the object the article is asking me to copy. Any help would be appreciated, as always. -James
RE: [ActiveDir] DFS - Null Server-Reference Attributes
I have found the path to the NTDS Settings object. Please let me share the problem we are having with you, if anyone has any ideas or experience with this, please share. For some time now, we have been receiving 13508 errors in the event logs between ServerA and ServerB. Coincidently, both servers participate in DFS. I've traced the problem back to a possible null server-reference in AD. Below is the output of ntfrsutl ds: MEMBER: {5EC47DD8-C518-4D90-A424-3417F7592647} DN : cn={5ec47dd8-c518-4d90-a424-3417f7592647},cn=service_id|service_id,cn=service_id,cn=dfs volumes,cn=file replication service,cn=system,dc=domain,dc=com Guid : 7328d3a9-bf4c-4991-abdfc70835888de6 Server Ref : (null) Computer Ref : (null) WhenCreated : 12/31/2003 13:1:53 Eastern Standard Time Eastern Daylight Time [300] WhenChanged : 10/12/2005 17:10:2 Eastern Standard Time Eastern Daylight Time [300] CXTION: {1D2056BA-7638-40D8-AB8F-4424B562637E} DN : cn={1d2056ba-7638-40d8-ab8f-4424b562637e},cn={5ec47dd8-c518-4d90-a424-3417f7592647},cn=DFSServer1|service_id,cn=DFSServer1,cn=dfs volumes,cn=file replication service,cn=system,dc=domain,dc=com Guid : 3b10787d-66b5-49db-b675b4463a28feae Partner Dn : cn={1d2056ba-7638-40d8-ab8f-4424b562637e},cn=DFSServer1|service_id,cn=service_id,cn=dfs volumes,cn=file replication service,cn=system,dc=domain,dc=com Partner Rdn : {1D2056BA-7638-40D8-AB8F-4424B562637E} Enabled : TRUE WhenCreated : 12/31/2003 13:1:53 Eastern Standard Time Eastern Daylight Time [300] WhenChanged : 10/12/2005 17:10:2 Eastern Standard Time Eastern Daylight Time [300] Options : 0x7000 [0x7000 ] I stumbled across the following Microsoft KB 312862 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;312862) article explaining how to resolve this but I wanted to run this by you and get your thoughts on it. Has anyone heard of this happening before and do you think this would resolve it? Basically, FRS is broke between the two servers due to this. I've verified DNS resolution is working. Thanks, James
[ActiveDir] OT: Computer Account in Local Administrators Group
Im definitely not wanting to do this but a vendor was saying to do it to allow one of their services to run as Local System and be able to interact with another machine. I am very skeptical, and not allowing it. Thanks, James From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]om Sent: Wednesday, July 05, 2006 5:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group More directly - WHY are you looking to do this? What problem are you trying to solve? Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: joe Sent: Wed 7/5/2006 9:12 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group Ultimately, anyone with physical access to the remote PC will have Adminrights over the PC in which you add the account to the admins group for. Directly, anyone who can run anything as localsystem or networkservice willhave those rights.--O'Reilly Active Directory Third Edition -http://www.joeware.net/win/ad3e.htm -Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED] On Behalf Of[EMAIL PROTECTED]omSent: Wednesday, July 05, 2006 12:05 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT: Computer Account in Local Administrators GroupWhat is the net effect of placing a remote computer account(\\domain\computer_name) in the Local Administrators group?Thanks,JamesList info : http://www.activedir.org/List.aspxList FAQ : http://www.activedir.org/ListFAQ.aspxList archive: http://www.activedir.org/ml/threads.aspxList info : http://www.activedir.org/List.aspxList FAQ : http://www.activedir.org/ListFAQ.aspxList archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] OT: Computer Account in Local Administrators Group
Will do thank you very much for all of your responses. -James From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]om Sent: Thursday, July 06, 2006 12:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group I see... If the service runs as LocalSystem, then it already has the highest privilege possible on that system. In this case, the vendor (or the vendor's support rep) may be asking for this simply for the interact portion of your statement. Without knowing what the app does, it's hard to tell. But, I'd ask the vendor's rep specifically what level of access is needed to perform whatever the app is supposed to perform on the other machine. Because, you see, if the app runs in the context of LocalSystem on ServerA and needs to do something on ServerB, the Network Service credentials will be used. If whatever is running on ServerB allows Network Service account to do the job, then there is no additional config or privilege to add on ServerA. Ask the vendor if Network Service has the ability to successfully interact with the other machine in question, or if the access can be configured to accommodate theNetwork Service account. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED]om Sent: Thu 7/6/2006 8:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Computer Account in Local Administrators Group Im definitely not wanting to do this but a vendor was saying to do it to allow one of their services to run as Local System and be able to interact with another machine. I am very skeptical, and not allowing it. Thanks, James From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]om Sent: Wednesday, July 05, 2006 5:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group More directly - WHY are you looking to do this? What problem are you trying to solve? Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services http://www.readymaids.com/ - we know IT http://www.akomolafe.com/ -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: joe Sent: Wed 7/5/2006 9:12 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group Ultimately, anyone with physical access to the remote PC will have Adminrights over the PC in which you add the account to the admins group for. Directly, anyone who can run anything as localsystem or networkservice willhave those rights.--O'Reilly Active Directory Third Edition -http://www.joeware.net/win/ad3e.htm -Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED] On Behalf Of[EMAIL PROTECTED]omSent: Wednesday, July 05, 2006 12:05 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT: Computer Account in Local Administrators GroupWhat is the net effect of placing a remote computer account(\\domain\computer_name) in the Local Administrators group?Thanks,JamesList info : http://www.activedir.org/List.aspxList FAQ : http://www.activedir.org/ListFAQ.aspxList archive: http://www.activedir.org/ml/threads.aspxList info : http://www.activedir.org/List.aspxList FAQ : http://www.activedir.org/ListFAQ.aspxList archive: http://www.activedir.org/ml/threads.aspx
[ActiveDir] OT: Computer Account in Local Administrators Group
What is the net effect of placing a remote computer account (\\domain\computer_name) in the Local Administrators group? Thanks, James List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Service time-out
Thanks for the reply, Joe. I am referring to the the timeout of a service on startup. (ie. The service did not respond in a timely manner Thanks, James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, June 27, 2006 11:27 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Service time-out Do mean timeout for how long a service is allowed to live during a shutdown before it is just killed? If so that is under the key hklm\system\currentcontrolset\control in the value WaitToKillServiceTimeout. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, June 26, 2006 10:27 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Service time-out Does anybody know where the service timeout period is set for NT services? Also, is there a global setting for time outs for all services? Any help would be appreciated - thanks. James Masters Midrange Support The Kroger Co. (859) 363-2346 - Desk (859) 653-8644 - Cell List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Service time-out
That is exactly what I was after. Thank you, Steve. -James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick Sent: Tuesday, June 27, 2006 2:51 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Service time-out You can try http://support.microsoft.com/?id=824344 How to debug Windows services Specifically the section: When a service starts, the service communicates to the Service Control Manager how long the service must have to start (the time-out period for the service). If the Service Control Manager does not receive a service started notice from the service within this time-out period, the Service Control Manager terminates the process that hosts the service. This time-out period is typically less than 30 seconds. If you do not adjust this time-out period, the Service Control Manager ends the process and the attached debugger while you are trying to debug. To adjust this time-out period, follow these steps: ServicesPipeTimeout However - if you have a svc which isnt starting , its better to figure out why IMO steve - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, June 27, 2006 10:54 AM Subject: RE: [ActiveDir] Service time-out Thanks for the reply, Joe. I am referring to the the timeout of a service on startup. (ie. The service did not respond in a timely manner Thanks, James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, June 27, 2006 11:27 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Service time-out Do mean timeout for how long a service is allowed to live during a shutdown before it is just killed? If so that is under the key hklm\system\currentcontrolset\control in the value WaitToKillServiceTimeout. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, June 26, 2006 10:27 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Service time-out Does anybody know where the service timeout period is set for NT services? Also, is there a global setting for time outs for all services? Any help would be appreciated - thanks. James Masters Midrange Support The Kroger Co. (859) 363-2346 - Desk (859) 653-8644 - Cell List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
[ActiveDir] Service time-out
Does anybody know where the service timeout period is set for NT services? Also, is there a global setting for time outs for all services? Any help would be appreciated - thanks. James Masters Midrange Support The Kroger Co. (859) 363-2346 - Desk (859) 653-8644 - Cell List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
[ActiveDir] OT: Exchange alternate email address
Hi, all. Quick question for you: I have a user who wishes to send/receive email as a different address than her own. We use Exchange 2003 and Outlook 2003. I am just inquiring as to the best practice for accomplishing this. Thanks in advance, James
RE: [ActiveDir] OT: Exchange alternate email address
Thanks Brian. I will give this a shot. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Monday, October 03, 2005 4:58 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Exchange alternate email address If I understand this correctly, You have Jane Doe ([EMAIL PROTECTED]), and she would like to send mail as suzy que ([EMAIL PROTECTED]). In order to do this, you actually need to create an additional account and mailbox for Suzy Que. You can disable this account, though. Once the account is created and the RUS has whacked it (e.g. it has an email address), go in the Exchange Advanced tab in ADUC for suzy que, and then into mailbox rights. You want to do two things: Add Jane Doe on there and give her rights to Send As In the SELF entry, tick full mailbox access and associated external account. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, October 03, 2005 10:40 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Exchange alternate email address Hi, all. Quick question for you: I have a user who wishes to send/receive email as a different address than her own. We use Exchange 2003 and Outlook 2003. I am just inquiring as to the best practice for accomplishing this. Thanks in advance, James
RE: [ActiveDir] OT: exchange max. dist. list size
Thanks for the replies Michael is right, I believe looks like more of an outlook thing (were using Outlook 2003 and Exchange 2003 Std.) This sums it up: http://support.microsoft.com/default.aspx?scid=kb;en-us;238569Product=out From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith Sent: Wednesday, September 21, 2005 3:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: exchange max. dist. list size James is probably actually referring to Outlook personal distribution lists. That sounds about right around 150 users, depending on length of addresses. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, September 21, 2005 3:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: exchange max. dist. list size I have thousands of people in DLs Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, September 21, 2005 11:24 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: exchange max. dist. list size Has anyone encountered the max distribution list size in exchange? Seems like its 8KB, or between 100-200 email addresses? Am I missing something? Thanks, James
[ActiveDir] OT: exchange max. dist. list size
Has anyone encountered the max distribution list size in exchange? Seems like its 8KB, or between 100-200 email addresses? Am I missing something? Thanks, James
[ActiveDir] OT: ADSI bind to eDirectory
Has anyone here been able to successfully bind to eDirectory using ADSI over SSL/TLS? (if so.. code snippet please?) We can easily bind without SSL, but when throwing in the ADS_SECURE_AUTHENTICATION = 1 and ADS_USE_SSL = 2 into the mix, we get a The remote computer is not functioning properly. Certificate has been created out of eDir, and imported on the Windows machine. Slightly OT, but I'm always impressed with this group's breadth of knowledge. Thanks, James List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Access Denied when adding machine into domain
Hello, All. I am receiving Access Denied when attempting to join a Windows 2003 member server to our domain. I also receive this error when attempting to map \\dcname\ipc$ (I do not receive this error when mapping to other resources). I am in enterprise admins, so I have proper privileges. I have verified (sufficiently I think) that there is no pre-existing computer account. I have tried pre-creating the computer account, and receive similar errors. Here is the very end of the NetSetup.log file (with replaced servername) --- 08/02 18:50:19 NetpDoDomainJoin 08/02 18:50:19 NetpMachineValidToJoin: 'SERVER' 08/02 18:50:19 NetpGetLsaPrimaryDomain: status: 0x0 08/02 18:50:19 NetpMachineValidToJoin: status: 0x0 08/02 18:50:19 NetpJoinDomain 08/02 18:50:19 Machine: N060MFGF03 08/02 18:50:19 Domain: kroger.com 08/02 18:50:19 MachineAccountOU: (NULL) 08/02 18:50:19 Account: [EMAIL PROTECTED] 08/02 18:50:19 Options: 0x27 08/02 18:50:19 OS Version: 5.2 08/02 18:50:19 Build number: 3790 08/02 18:50:19 NetpValidateName: checking to see if 'domain.com' is valid as type 3 name 08/02 18:50:19 NetpCheckDomainNameIsValid [ Exists ] for 'domain.com' returned 0x0 08/02 18:50:19 NetpValidateName: name 'domain.com' is valid for type 3 08/02 18:50:19 NetpDsGetDcName: trying to find DC in domain 'domain.com', flags: 0x1020 08/02 18:50:19 NetpDsGetDcName: found DC '\\dc.domain.com' in the specified domain 08/02 18:50:19 NetUseAdd to \\dc.domain.com\IPC$ returned 5 08/02 18:50:19 NetpJoinDomain: status of connecting to dc '\\dc.domain.com': 0x5 08/02 18:50:19 NetpDoDomainJoin: status: 0x5 --- Any help would be greatly appreciated... Thanks! -James List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Virtual Server mailing lists?
On a related OT, if anyone could point me in the direction of a good VMware ESX list, Id appreciate it. Ive searched around, to little avail. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Friday, July 22, 2005 2:02 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Virtual Server mailing lists? Anyone know any good virtual server 2005 mailing lists?