[ActiveDir] Naming Convention for Site Links

2007-01-28 Thread Brian Desmond
Was wondering what other folks use for naming site links. A point to point link 
is obvious to me SiteA - SiteB or something like that. What about a link with 
three or four sites in it (e.g. SiteA, SiteB, SiteC, etc)?



Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



RE: [ActiveDir] adsiedit question

2007-01-28 Thread joe
Just an FYI, I kept reading in the responses about "move"... This doesn't
"move" the mailbox, it creates a new one at the new HomeMDB URL location and
the old mailbox is sitting there disconnected in the old store location.
This is something that can be done for normal users to get dialtone back
quickly in the event of a failure. I have written utilities that can get a
whole server worth of users (4000+) redirected to another Exchange server
for dialtone recovery in event of failure of a first Exchange server in
usually less than a minute. Of course later someone gets to have the fun of
merging the mailboxes. But if someone doesn't want to pay for full mailboxes
always being available and just needs a mailbox at any given time it is a
decent solution. :)


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr
HP
Sent: Tuesday, January 23, 2007 5:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] adsiedit question

Hi all
I didn't OT this even though I'm making modifications to Exchange since
the question seems to be adsiedit related and therefore related to AD.
I'm trying to modify an attribute for a mailbox using adsiedit.
Particularly I'm rehoming its database by modifying the homeMDB
attribute. 

The problem I'm running into is I'm getting an error stating "The name
reference is invalid" when I try to apply the change. I've done this a
few times but this is the first time I've run into this error. Google
doesn't give enough info to determine the cause...or maybe it is and I
just don't know enough about the response to see it...that never
happens. ;-)

If anyone can shed some light it would be greatly appreciated.

Many thanks 
Jerry 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx



RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-28 Thread joe
Oh I am always about perl... TIMTOWTDI baby! ;o)
 
Perl is installed on my machines even before reskit and support tools. I
can't count the number of months it has saved me nor the number of $$$ on
third party tools. I know for a fact that there are enterprise level
companies out there still running in daily operations perl scripts I wrote
10 years ago that were supposed to be replaced with "something better"
(their words not mine) that are still flexible enough to do what they need
and haven't even been challenged with something better. This includes
monitoring scripts running as NT services, application launch helpers,
software delivery, intelligent logon scripts, file backup systems, etc. Most
everything I write though doesn't take a full blown perl install, just a
perl EXE and a perl DLL and the script. 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 28, 2007 12:24 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT


What?  Like simplesync? 
 
I was beginning to wonder if anyone was going to bring up perl for this
particular application.  It strikes me as the common glue for this
particular application that doesn't require the gnotes client software to be
installed.  i.e. self-sustaining. 
 
 
I think if I were not going to go with a COTS application I'd likely choose
something like perl to write it.  I have to agree that MIIS is way overkill
for this if this is your only usage scenario.  
 
Just curious, but why do you want to populate that data in AD? Seems silly
if nobody is using it for a directory other than admins.  Was there an
application that wants it? 
 


 
On 1/28/07, joe <[EMAIL PROTECTED]> wrote: 

I agree that MIIS could be convenient but only if it is already there or you
have other plans for it. If this was the only reason for it I would be more
apt to put something else together that had a far lower bar of entry such as
some basic scripts that are scheduled through task scheduler or made into a
service (Perl PSDK) or LDSU or some basic low end syncing tools that don't
require setting up a full blown SQL and MIIS server. 

 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, January 27, 2007 7:39 PM 

To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT


 


You can whack notes with ldifde or something. MIIS is a convenient way to do
it though.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, January 27, 2007 3:08 PM 
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT


 

Ewww.  :)

 

Unless there are other needs that require MIIS I don't think I would deploy
it for this. MIIS is a 50 caliber when all that was probably needed was a foam
pellet gun. 

 

I have seen folks doing this before, usually they get an LDIF extract from
Notes and just slam that into AD as contacts or mail-enabled users. Actually
getting the info out of Notes... no clue, I didn't even want to start
touching Exchange let alone any other messaging apps. I am happy just with
Windows Server 2003 SMTP and looking at the text files. ;o) 

 

 

 

--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm

 

 

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, January 26, 2007 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Have you looked at MIIS?

 

Laura

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT


Same topic, but this one is for Notes Admin/Gurus as well. 

I populate the mail attribute in AD with the Notes Users primary internet
address. Does anyone have a script or method that will allow me to publish
in AD the same info for groups and other addresses for users. 

Even something that can query Domino for all users and groups and return all
addresses into a file, I can use that as a basis to update AD with proxy
info etc. 
Thanks in advance. 

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAI

RE: [ActiveDir] Adfind + Admod help

2007-01-28 Thread joe
Sorry for how long it took me to respond to the lure... :) I am completely
swamped anymore. Just got back from a weeklong customer visit. Good visit,
the tech people at that company are very good, still I dislike going on the
road for anything. 
 
I agree with what the folks said and Hunter's logic below. Not going to be
doing this with a single simple command line. 
 
Adfind combined with a tool that generates a unique list _could_ cover the
first couple of items. Check out this post
 
http://www.mail-archive.com/activedir@mail.activedir.org/msg31542.html
 
That unique.exe tool is still out on my website and Guido's request is still
in the list of requests for AdFind. Still be troublesome though using that
to get both the Section and Dept in an efficient way. 
 
 
All that being said, that wouldn't be the way I would likely go myself as it
would require multiple queries. The way to tackle this efficiently is with a
good data structure. VBScript would likely be challenging to do this in.
Note though if you have a massive domain (hundreds of thousands of users)
and running the script on an underpowered machine this may have to be
reworked for scale. 
 
Most likely I would query all of the objects with dept and section populated
and then build a nice data structure that represented that layout...
Something like
 
Dept24
Sect242
Member1
Member2
Member3
Sect243
Member1
Member2
Dept69
Sect691
Member1
Member2
Member3
Member4
Sect692
Member1
etc. 
 
Then it would be a simple loop through the data structure to do the work.
Perl would be my choice for this. I would use a multilevel hash like
$hash{dept#}{sect#}{members} which will "unique" the data while building the
structure.
 
Again, the key to do this efficiently is the data structure. This is often
the case in programming, the data structures used can make or break the
entire solution. I have seen seemingly impossible problems that have been
made possible with great ideas about how to structure the data and I have
seen simple problems made nearly impossible because of bad data structures. 
 
   joe
 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, January 23, 2007 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help


I agree with Al in that I don't see an obvious way to do this from a single
command line. The key, as he mentioned, is going to be getting a list of
unique department numbers and section numbers. I'd probably separate those
out into two distinct lists, one for departments and one for sections. Once
you have those lists, you could pipe them to admod or any other tool of your
choice to create the groups. However, since you're probably going to need
some script to generate the lists, you might as well keep the group creation
within the script as well.
 
The problem with trying to use adfind is that you are not going to be able
to construct an LDAP query that returns only unique instances of
apsgDepartment and apsgSection. No knock on adfind, you'll run into the same
thing with ldp or dsquery. You can query for and return any object that has
those attributes populated, but the returned set of those attributes will
have duplicates. That's where your script will throw the attributes into a
hash (or scripting dictionary) to eliminate the duplicates.
 
The outline of your script would look something like this:
-query AD for all user objects that have apsgDepartment and/or apsgSection
populated
-loop through the returned set to build unique lists of Department numbers
and Section numbers
-loop through the Department number list and create a group for each one
-loop through the Section number list and create a group for each one, and
nest it in the corresponding Department group
 
None of that is heinously difficult to script. I'd probably lean towards
powershell or perl, since they handle hashes better than VBScript. But it's
certainly feasible in VBScript as well. Holler if you want some help going
down this road.
 
Hunter
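
The outline above and joe's dept/section/members hash, worked through as an added example (not code from any poster in this thread). It is written in Python rather than the Perl or PowerShell the posters mention; the sample records are constructed in adfind's "dn:" / ">attribute: value" text layout, and the group names Dept<n> / Sect<n> plus the handling of users with only one attribute set are assumptions.

```python
from collections import defaultdict

# Constructed sample: made-up DNs and values. apsgDepartment and apsgSection
# are the attribute names used in the thread.
SAMPLE = """\
dn:CN=Ann,OU=Staff,DC=test,DC=loc
>apsgDepartment: 24
>apsgSection: 242

dn:CN=Bob,OU=Staff,DC=test,DC=loc
>apsgDepartment: 24
>apsgSection: 242

dn:CN=Cy,OU=Staff,DC=test,DC=loc
>apsgDepartment: 24
>apsgSection: 243

dn:CN=Dee,OU=Staff,DC=test,DC=loc
>apsgDepartment: 69

dn:CN=Eve,OU=Staff,DC=test,DC=loc
>apsgSection: 691
"""


def parse_records(text):
    """Split "dn:" / ">attr: value" text into one dict per object."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("dn:"):
            current = {"dn": line[3:].strip()}
            records.append(current)
        elif line.startswith(">") and current is not None:
            name, _, value = line[1:].partition(":")
            current[name.strip()] = value.strip()
    return records


def build_tree(records):
    """tree[dept][sect] = set of member DNs; the dict keys do the 'uniquing'.

    A user with a department but no section is filed under sect None.
    A user with a section but no department cannot be nested anywhere and
    is returned in the unplaced list (assumed policy, not from the thread).
    """
    tree = defaultdict(lambda: defaultdict(set))
    unplaced = []
    for rec in records:
        dept, sect = rec.get("apsgDepartment"), rec.get("apsgSection")
        if not dept:
            unplaced.append(rec["dn"])
            continue
        tree[dept][sect].add(rec["dn"])
    return tree, unplaced


def plan_groups(tree):
    """One pass over the tree yields every create / nest / member step."""
    plan = []
    for dept in sorted(tree):
        dept_group = f"Dept{dept}"          # hypothetical naming scheme
        plan.append(("create", dept_group, None))
        for sect in sorted(s for s in tree[dept] if s is not None):
            sect_group = f"Sect{sect}"
            plan.append(("create", sect_group, None))
            plan.append(("nest", dept_group, sect_group))
            for dn in sorted(tree[dept][sect]):
                plan.append(("member", sect_group, dn))
        # Department-only users go straight into the department group.
        for dn in sorted(tree[dept].get(None, ())):
            plan.append(("member", dept_group, dn))
    return plan


if __name__ == "__main__":
    tree, unplaced = build_tree(parse_records(SAMPLE))
    for step in plan_groups(tree):
        print(step)
    print("no department, not placed:", unplaced)
```

The plan is only a list of steps; feeding it to admod or another tool is left to whatever the environment already uses.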
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 23, 2007 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help



Thank you for the response Al.

 

To answer your ultimate question, which was "Does that help, or ??", then I
would have to lean more towards ?? in my case.  Not to say you didn't give
some excellent options, but unfortunately it all boils down to me simply not
being any sort of a prog

RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-28 Thread Brian Desmond
Yeah personally I'd have written some little .net contraption doing it in the 
background if it was something as simple as this.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 28, 2007 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

I agree that MIIS could be convenient but only if it is already there or you 
have other plans for it. If this was the only reason for it I would be more apt 
to put something else together that had a far lower bar of entry such as some 
basic scripts that are scheduled through task scheduler or made into a service 
(Perl PSDK) or LDSU or some basic low end syncing tools that don't require 
setting up a full blown SQL and MIIS server.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, January 27, 2007 7:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT
You can whack notes with ldifde or something. MIIS is a convenient way to do it 
though.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, January 27, 2007 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Ewww.  :)

Unless there are other needs that require MIIS I don't think I would deploy it 
for this. MIIS is a 50 caliber when all that was probably needed was a foam 
pellet gun.

I have seen folks doing this before, usually they get an LDIF extract from 
Notes and just slam that into AD as contacts or mail-enabled users. Actually 
getting the info out of Notes... no clue, I didn't even want to start touching 
Exchange let alone any other messaging apps. I am happy just with Windows 
Server 2003 SMTP and looking at the text files. ;o)



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, January 26, 2007 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT
Have you looked at MIIS?

Laura


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Same topic, but this one is for Notes Admin/Gurus as well.

I populate the mail attribute in AD with the Notes Users primary internet 
address. Does anyone have a script or method that will allow me to publish in 
AD the same info for groups and other addresses for users.

Even something that can query Domino for all users and groups and return all 
addresses into a file, I can use that as a basis to update AD with proxy info 
etc.
Thanks in advance.

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]

"Brian Cline" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/26/2007 09:47 AM
Please respond to ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?







Ah, yes, good call. Almost forgot that it changes that, too.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James
Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP:
address.


--James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an
address that already exists as a secondary, does ADUC do anything more
than change the prefix on the old primary address from 'SMTP' to 'smtp'
and vice-versa for the new primary?


Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to
query
for users that have second

RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-28 Thread Brian Desmond
Going with a /24 when you're laying out a network just because it's common and 
small doesn't really help any more than picking a /16 out of the blue in the 
long run.

Migrating machines into new subnets is actually not that difficult if properly 
planned - I've been around that circuit quite a few times.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, January 28, 2007 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

My advice would have been to start with a 255.255.255.0 netmask (/24) - it's 
better for creating more subnets and hosts.  255.255.0.0 (/16) is more limiting 
if that is what the person is using, no matter what IP class is being used.  
But if not selected initially it's too late to easily go back...

Regards,

Chuck


-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sun, 28 Jan 2007 3:01 AM
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries
hello,

just to stop the troll...
Do you understand my other posts about your network?
Is your DC set up on its network interface with a 255.255.0.0 netmask?

Your setup will work fine from an AD point of view (dssite.msc) , but not an IP 
routing point of view if you are really using a 255.255.0.0

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


- Original Message -
From: Brian Cline
To: 
ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 10:19 PM
Subject: [ActiveDir] Overlapping AD Subnet Boundaries

Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, 
and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD 
treat a client address of, say, 10.10.41.104 as a client on the secondary site, 
or will it default to the more general primary subnet? The reason I ask is we 
now have a need for a second AD site (I can see all the enterprise folks 
grinning now) and we have quite a number of other subnets that I'd have to 
manually enter if this is not the case. I don't mind doing it, but I was 
curious either way.
Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax



RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-28 Thread Brian Desmond
Nowhere does the OP say he's assigned a /16 mask to any interface.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: Sunday, January 28, 2007 4:02 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

hello,

just to stop the troll...
Do you understand my other posts about your network?
Is your DC set up on its network interface with a 255.255.0.0 netmask?

Your setup will work fine from an AD point of view (dssite.msc) , but not an IP 
routing point of view if you are really using a 255.255.0.0

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


- Original Message -
From: Brian Cline
To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 10:19 PM
Subject: [ActiveDir] Overlapping AD Subnet Boundaries


Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, 
and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD 
treat a client address of, say, 10.10.41.104 as a client on the secondary site, 
or will it default to the more general primary subnet? The reason I ask is we 
now have a need for a second AD site (I can see all the enterprise folks 
grinning now) and we have quite a number of other subnets that I'd have to 
manually enter if this is not the case. I don't mind doing it, but I was 
curious either way.

Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


Re: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-28 Thread Al Mulnick

What?  Like simplesync?

I was beginning to wonder if anyone was going to bring up perl for this
particular application.  It strikes me as the common glue for this
particular application that doesn't require the gnotes client software to be
installed.  i.e. self-sustaining.


I think if I were not going to go with a COTS application I'd likely choose
something like perl to write it.  I have to agree that MIIS is way overkill
for this if this is your only usage scenario.

Just curious, but why do you want to populate that data in AD? Seems silly
if nobody is using it for a directory other than admins.  Was there an
application that wants it?




On 1/28/07, joe <[EMAIL PROTECTED]> wrote:


 I agree that MIIS could be convenient but only if it is already there or
you have other plans for it. If this was the only reason for it I would be
more apt to put something else together that had a far lower bar of entry
such as some basic scripts that are scheduled through task scheduler or made
into a service (Perl PSDK) or LDSU or some basic low end syncing tools that
don't require setting up a full blown SQL and MIIS server.

 --
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



 --
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, January 27, 2007 7:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

You can whack notes with ldifde or something. MIIS is a convenient way to
do it though.

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, January 27, 2007 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT



Ewww.  :)



Unless there are other needs that require MIIS I don't think I would
deploy it for this. MIIS is a 50 caliber when all that was probably needed
was a foam pellet gun.



I have seen folks doing this before, usually they get an LDIF extract from
Notes and just slam that into AD as contacts or mail-enabled users. Actually
getting the info out of Notes... no clue, I didn't even want to start
touching Exchange let alone any other messaging apps. I am happy just with
Windows Server 2003 SMTP and looking at the text files. ;o)







--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm






 --

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, January 26, 2007 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Have you looked at MIIS?



Laura


 --

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT


Same topic, but this one is for Notes Admin/Gurus as well.

I populate the mail attribute in AD with the Notes Users primary internet
address. Does anyone have a script or method that will allow me to publish
in AD the same info for groups and other addresses for users.

Even something that can query Domino for all users and groups and return
all addresses into a file, I can use that as a basis to update AD with
proxy info etc.
Thanks in advance.

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]

"Brian Cline" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/26/2007 09:47 AM
Please respond to ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?






Ah, yes, good call. Almost forgot that it changes that, too.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James
Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP:
address.


--James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an
address that already exists as a secondary, does ADUC do anything more
than change the prefix on the old primary address from 'SMTP' to 'smtp'
and vice-versa for the new primary?


Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Lin

RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-28 Thread Michael A. Barker
I agree with Joe. I think it's a two fold problem. 1) People don't know
that you can assign a block more than once and 2) they just don't seem
to understand CIDR notation. 

 

I'm responsible for adding those addresses in our enterprise and I get
requests all the time formatted like below and they apparently think
that you have to make the AD assignment match the mask length of the
clients. If that were the case I'd have thousands if not tens of
thousands of assignments.

 

Please add the following to West-HQ site

10.10.5.0/25

10.10.5.128/25

10.10.6.0/25

10.10.6.128/25

 

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 28, 2007 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries

 

> I think that someone knowing this wouldn't have posted the question.

 

I don't agree with this part. A lot of people don't think you can
supernet AD subnets. In fact I have had people tell me outright it is
impossible to do that in AD even when I tell them it has been my
standard practice since Windows 2000 RTM'ed. They think it is just like
the routing subnets where you have to be very careful what you are doing or
you will break packet routing. I see this question on a pretty regular
basis in various forums, at least once per month.

 

  joe

 

 

--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 

 

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: Saturday, January 27, 2007 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

I know there is not a direct relation, but I don't know if the original
poster understands that this can't work if it's the real implementation.

I think that someone knowing this wouldn't have posted the question.

 

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

 

 

- Original Message - 

From: joe <mailto:[EMAIL PROTECTED]>  

To: ActiveDir@mail.activedir.org 

    Sent: Saturday, January 27, 2007 9:03 PM

Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries

 

You are mistaking machine subnetting and subnetting defined in
AD. They are not connected. The definitions in AD do not have to reflect
what is really happening at the routing layer. They are generally close
but there isn't any technical reason why they have to be. 

 

--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 

 

 

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: Friday, January 26, 2007 4:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

Is it really 10.10.0.0/16 or a mistake (/24)?

Because your first site won't be able to join the other one as
it will think it's local and won't send packets to the gateway (if it's
really a /16). 

If it's a real /24, then it will work as expected (10.10.41.104
will be attached to the secondary site).

If it's a /16 and you need a router between both sites, your
configuration can't work from a network point of view.

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

 

 

    - Original Message - 

From: Brian Cline <mailto:[EMAIL PROTECTED]>  

    To: ActiveDir@mail.activedir.org 

Sent: Friday, January 26, 2007 10:19 PM

Subject: [ActiveDir] Overlapping AD Subnet Boundaries

 

Say I create an AD subnet of 10.10.0.0/16 and assign it
to our primary site, and another subnet as 10.10.41.0/24 and assign it
to a secondary site. Will AD treat a client address of, say,
10.10.41.104 as a client on the secondary site, or will it default to
the more general primary subnet? The reason I ask is we now have a need
for a second AD site (I can see all the enterprise folks grinning now)
and we have quite a number of other subnets that I'd have to manually
enter if this is not the case. I don't mind doing it, but I was curious
either way.

Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax
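
The answer given in this thread, that overlapping AD subnet objects are allowed and 10.10.41.104 lands in the secondary site, comes down to a most-specific-prefix lookup. The sketch below is an added example, not code from any poster: it models that lookup, lists the narrower subnets carved out of a wider one for a different site, and shows that the four /25 requests quoted above collapse into two /24 entries. The site names Primary and Secondary are placeholders; West-HQ and all prefixes are taken from the messages.

```python
import ipaddress

# Subnet objects from the original question (site names are placeholders).
SUBNETS = {
    "10.10.0.0/16": "Primary",
    "10.10.41.0/24": "Secondary",
}

# The request for the West-HQ site quoted in the thread.
WEST_HQ_REQUEST = [
    "10.10.5.0/25",
    "10.10.5.128/25",
    "10.10.6.0/25",
    "10.10.6.128/25",
]


def site_for(client_ip, subnets):
    """Return (subnet, site) for the most specific subnet holding client_ip.

    Returns (None, None) when no subnet object covers the address, which is
    the case worth alerting on: such a client has no site mapping at all.
    """
    ip = ipaddress.ip_address(client_ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)  # strict: rejects host bits set
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return (str(best[0]), best[1]) if best else (None, None)


def carve_outs(subnets):
    """List (narrow, narrow_site, wide, wide_site) where a subnet sits inside
    a wider one assigned to a different site. These are intentional overrides
    in a supernetted layout and are the entries to review when auditing."""
    nets = [(ipaddress.ip_network(c), s) for c, s in subnets.items()]
    return sorted(
        (str(a), sa, str(b), sb)
        for a, sa in nets
        for b, sb in nets
        if a != b and a.subnet_of(b) and sa != sb
    )


def consolidate(cidrs):
    """Merge adjacent prefixes destined for the same site into the fewest
    subnet objects that cover exactly the same addresses."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    for ip in ("10.10.41.104", "10.10.7.9", "192.168.1.1"):
        print(ip, "->", site_for(ip, SUBNETS))
    print("carve-outs:", carve_outs(SUBNETS))
    print("West-HQ needs:", consolidate(WEST_HQ_REQUEST))
```

The lookup here only models the AD subnet-to-site mapping; as joe notes above, it says nothing about the masks configured on the machines or routers.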



RE: [ActiveDir] AD Security Auditing

2007-01-28 Thread joe
HILD];computer;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];group;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];printQueue;;BUILTIN\Print Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];user;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
 
dn:CN=NTDS Quotas,DC=test,DC=loc
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Query Self Quota;;Everyone
>nTSecurityDescriptor: [SACL] AUDIT;[CONT INHERIT][SUCCESS];[CR CHILD][DEL
CHILD][SELF WRT][WRT PROP][DEL TREE][CTL][DEL][WRT PERMS][WRT
OWNER];;;Everyone
 
dn:CN=Program Data,DC=test,DC=loc
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\Authenticated Users
 
dn:CN=System,DC=test,DC=loc
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][LIST CHILDREN][SELF
WRT][READ PROP][WRT PROP][LIST OBJ][CTL][READ][WRT PERMS][WRT
OWNER];;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
 
dn:OU=TestOU,DC=test,DC=loc
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];inetOrgPerson;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];computer;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];group;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];printQueue;;BUILTIN\Print Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];user;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
 
dn:CN=Users,DC=test,DC=loc
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][DEL CHILD][LIST
CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][READ][WRT PERMS][WRT
OWNER];;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];user;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];group;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];printQueue;;BUILTIN\Print Operators
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];inetOrgPerson;;BUILTIN\Account Operators
 

12 Objects returned

And of course again that could be output into CSV for further script
processing or Excel/Access use. The next thing that I would generally do
with this would be to put it through a script that will validate the
explicit ACEs against the default SD for the object type and alert you to
deltas there.
 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 25, 2007 5:21 PM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD Security Auditing



AdFind.exe -sddc++  -b DC=example,DC=com -resolvesids -f
"|(objectcategory=container)(objectcategory=organizationalUnit)" >OU_ACL.txt


Thanks, 
Andrew Fidel 




"Casey Robertson" <[EMAIL PROTECTED]> 
Sent by: [EMAIL PROTECTED]
01/23/2007 05:41 PM
Please respond to: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Security Auditing






We are embarking on a project to clean up our OUs structure and reassign
permissions that have grown unmanageable over time.  To accomplish this it
would be nice to be able to dump permissions on all OU objects and
individual object types (users, computers, etc) so that we can determine who
has rights to what.  The prospect of doing this manually is daunting at best
and for the most part I have only seen 3rd party tools (read: expensive)
that do this in an easy to use fashion. 
  
Any suggestions for tools, scripts etc would be appreciated.  Either that or
we can rebuild our OU structure :-) 
  
Casey Robertson 
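The follow-up step joe describes, comparing each object's explicit ACEs with an expected set and reporting the deltas, could look like the sketch below. It is an added example, not joe's script or part of AdFind; the sample dump, the baseline and the TEST\HelpDesk trustee are constructed, and the baseline only stands in for the object type's default SD.

```python
import re
from collections import namedtuple

ACE = namedtuple("ACE", "acl ace_type flags rights object_type inherited_type trustee")

PREFIX = ">nTSecurityDescriptor: "
TOKEN_RE = re.compile(r"\[([^\]]+)\]")           # [CR CHILD][DEL CHILD] -> tokens
ACL_RE = re.compile(r"^\[(DACL|SACL)\]\s+(.*)$")
CONTROL_RIGHTS = {"FC", "WRT PERMS", "WRT OWNER"}

# Constructed dump in the format shown in the post, including the line
# wrapping that mail clients introduce. TEST\HelpDesk is a made-up trustee.
SAMPLE = r"""
dn:OU=TestOU,DC=test,DC=loc
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];user;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] ALLOW;;[WRT PERMS][WRT
OWNER];;;TEST\HelpDesk

dn:CN=Program Data,DC=test,DC=loc
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM

2 Objects returned
"""

# Constructed stand-in for the ACEs expected on an organizationalUnit.
BASELINE = r"""
dn:baseline
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];user;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
"""


def unwrap(text):
    """Rejoin wrapped lines: anything that is not a dn: or >attribute line
    continues the previous logical line. The trailing count line is dropped."""
    logical = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or re.match(r"^\d+ Objects returned$", line):
            continue
        if line.startswith("dn:") or line.startswith(">"):
            logical.append(line)
        elif logical:
            logical[-1] += " " + line
    return logical


def parse_dump(text):
    """Return {dn: set of ACE} from decoded security descriptor output."""
    result, current = {}, None
    for line in unwrap(text):
        if line.startswith("dn:"):
            current = line[3:].strip()
            result[current] = set()
            continue
        if current is None or not line.startswith(PREFIX):
            continue
        match = ACL_RE.match(line[len(PREFIX):])
        if not match:
            continue
        fields = [f.strip() for f in match.group(2).split(";")]
        if len(fields) != 6:
            continue  # not an ACE line
        ace_type, flags, rights, obj, inherited, trustee = fields
        result[current].add(ACE(match.group(1), ace_type,
                                frozenset(TOKEN_RE.findall(flags)),
                                frozenset(TOKEN_RE.findall(rights)),
                                obj, inherited, trustee))
    return result


def _key(ace):
    return (ace.trustee, ace.ace_type, sorted(ace.rights))


def delta(observed, baseline):
    """ACEs present but not expected, and ACEs expected but absent."""
    return (sorted(observed - baseline, key=_key),
            sorted(baseline - observed, key=_key))


def unexpected_control(observed, baseline):
    """Unexpected ALLOW ACEs that grant full control or let the trustee
    rewrite permissions or ownership."""
    added, _ = delta(observed, baseline)
    return [a for a in added
            if a.ace_type.endswith("ALLOW") and a.rights & CONTROL_RIGHTS]


if __name__ == "__main__":
    expected = parse_dump(BASELINE)["baseline"]
    ou_aces = parse_dump(SAMPLE)["OU=TestOU,DC=test,DC=loc"]
    added, missing = delta(ou_aces, expected)
    for ace in added:
        print("unexpected:", ace.trustee, sorted(ace.rights))
    for ace in missing:
        print("missing:   ", ace.trustee, sorted(ace.rights))
```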
  



RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-28 Thread beads
Coming from more of a networking background than an AD background I 
wouldn't have immediately thought of super-netting outright, myself. So 
the point is well taken. If given this problem with no other background 
I'd probably think more in terms of 'brouting' (bridged routing) or using 
Server 2000/2003 routing features to bridge the two segments rather than 
do some bridging through more traditional networking means. Either is 
possible - even viable; it depends more on the individual preferences and 
topology. You could certainly test both options to see which gives you the 
best performance. Though I suspect that using the brouter technique, 
offloading some of the processing to the network may give the best 
performance in the longer run, no?

Been a long time since I have even said the term 'brouter'. Sounds so 
ancient. There's my fuel to the fire, Enjoy!



Brent Eads
Employee Technology Solutions, Inc.

Office: (312) 762-9224
Fax: (312) 762-9275






"joe" <[EMAIL PROTECTED]> 
Sent by: [EMAIL PROTECTED]
01/28/2007 09:00 AM
Please respond to: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries






> I think that someone knowing this wouldn't have posted the question.
 
I don't agree with this part. A lot of people don't think you can supernet 
AD subnets. In fact I have had people tell me outright it is impossible to 
do that in AD even when I tell them it has been my standard practice since 
Windows 2000 RTM'ed. They think it is just like the routing subnets where 
you have to be very careful what you are doing or you will break packet 
routing. I see this question on a pretty regular basis in various forums, 
at least once per month.
 
  joe
 
 
--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: Saturday, January 27, 2007 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

I know there is not a direct relation, but I don't know if the original 
poster understands that this can't work if it's the real implementation.
 
I think that someone knowing this wouldn't have posted the question.
 
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
 
 
- Original Message ----- 
From: joe 
To: ActiveDir@mail.activedir.org 
Sent: Saturday, January 27, 2007 9:03 PM
Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries

You are mistaking machine subnetting and subnetting defined in AD. They 
are not connected. The definitions in AD do not have to reflect what is 
really happening at the routing layer. They are generally close but there 
isn't any technical reason why they have to be. 
 
--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: Friday, January 26, 2007 4:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

Is it really 10.10.0.0/16 or a mistake (/24)?
Because your first site won't be able to join the other one as it will 
think it's local and won't send packets to the gateway (if it's really a 
/16). 
 
If it's a real /24, then it will work as expected (10.10.41.104 will be 
attached to the secondary site).
 
If it's a /16 and you need a router between both sites, your configuration 
can't work from a network point of view.
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
 
 
- Original Message - 
From: Brian Cline 
To: ActiveDir@mail.activedir.org 
Sent: Friday, January 26, 2007 10:19 PM
Subject: [ActiveDir] Overlapping AD Subnet Boundaries

Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary 
site, and another subnet as 10.10.41.0/24 and assign it to a secondary 
site. Will AD 

RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-28 Thread joe
I agree that MIIS could be convenient but only if it is already there or you
have other plans for it. If this was the only reason for it I would be more
apt to put something else together that had a far lower bar of entry such as
some basic scripts that are scheduled through task scheduler or made into a
service (Perl PSDK) or LDSU or some basic low end syncing tools that don't
require setting up a full blown SQL and MIIS server. 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, January 27, 2007 7:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT



You can whack notes with ldifde or something. MIIS is a convenient way to do
it though.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, January 27, 2007 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

 

Ewww.  :)

 

Unless there are other needs that require MIIS I don't think I would deploy
it for this. MIIS is a 50 caliber when all that was probably needed was a foam
pellet gun. 

 

I have seen folks doing this before, usually they get an LDIF extract from
Notes and just slam that into AD as contacts or mail-enabled users. Actually
getting the info out of Notes... no clue, I didn't even want to start
touching Exchange let alone any other messaging apps. I am happy just with
Windows Server 2003 SMTP and looking at the text files. ;o)

 

 

 

--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 

 

 

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, January 26, 2007 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Have you looked at MIIS?

 

Laura

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT


Same topic, but this one is for Notes Admin/Gurus as well. 

I populate the mail attribute in AD with the Notes Users primary internet
address. Does anyone have a script or method that will allow me to publish
in AD the same info for groups and other addresses for users. 

Even something that can query Domino for all users and groups and return all
addresses into a file, I can use that as a basis to update AD with proxy
info etc. 
Thanks in advance. 

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED] 




"Brian Cline" <[EMAIL PROTECTED]> 
Sent by: [EMAIL PROTECTED]
01/26/2007 09:47 AM
Please respond to: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

 






Ah, yes, good call. Almost forgot that it changes that, too.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James
Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP:
address.


--James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an
address that already exists as a secondary, does ADUC do anything more
than change the prefix on the old primary address from 'SMTP' to 'smtp'
and vice-versa for the new primary?


Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query 
for users that have secondary addresses vs. only having a primary and there 
isn't any practical way to just get the secondary addresses out of the 
proxyAddresses attribute.  You essentially need to get all the data and then 
check for the values that are prefixed with lower case "smtp".

Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP 
itself doesn't help much.

Joe K.
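The client-side pass discussed in this thread (pull every proxyAddresses value, treat upper-case "SMTP" as the primary and lower-case "smtp" as secondaries, and keep 'mail' in step when the primary changes) is sketched below as an added example. It is not code from any poster; the directory entries are constructed, and treating any non-upper-case spelling of the prefix as secondary is an assumption.

```python
# Constructed entries, shaped like the result of an LDAP search that
# returned dn, mail and proxyAddresses for every mail-enabled object.
ENTRIES = [
    {"dn": "CN=Pat Example,OU=Staff,DC=test,DC=loc",
     "mail": "pat@example.com",
     "proxyAddresses": ["SMTP:pat@example.com",
                        "smtp:p.example@example.com",
                        "X400:c=US;a= ;p=Example;o=Exchange;s=Example;g=Pat;"]},
    {"dn": "CN=Sam Sample,OU=Staff,DC=test,DC=loc",
     "mail": "sam@example.com",
     "proxyAddresses": ["SMTP:sam@example.com"]},
    {"dn": "CN=Broken Entry,OU=Staff,DC=test,DC=loc",
     "mail": "broken@example.com",
     "proxyAddresses": ["smtp:broken@example.com"]},  # no primary at all
]


def classify(proxy_addresses):
    """Split values into (primaries, secondaries, other address types)."""
    primaries, secondaries, other = [], [], []
    for value in proxy_addresses:
        prefix, sep, address = value.partition(":")
        if sep and prefix == "SMTP":
            primaries.append(address)
        elif sep and prefix.lower() == "smtp":
            secondaries.append(address)
        else:
            other.append(value)
    return primaries, secondaries, other


def secondary_report(entries):
    """{dn: [secondary SMTP addresses]} for entries that have any."""
    report = {}
    for entry in entries:
        _, secondaries, _ = classify(entry.get("proxyAddresses", []))
        if secondaries:
            report[entry["dn"]] = secondaries
    return report


def inconsistent(entries):
    """DNs whose SMTP data does not hold together: not exactly one primary,
    or 'mail' differing from the primary address."""
    bad = []
    for entry in entries:
        primaries, _, _ = classify(entry.get("proxyAddresses", []))
        if len(primaries) != 1 or primaries[0].lower() != entry.get("mail", "").lower():
            bad.append(entry["dn"])
    return bad


def promote(entry, new_primary):
    """Return a copy of entry with an existing secondary made primary:
    prefixes swapped and 'mail' updated. Other address types are untouched."""
    _, secondaries, _ = classify(entry["proxyAddresses"])
    match = [a for a in secondaries if a.lower() == new_primary.lower()]
    if not match:
        raise ValueError(f"{new_primary} is not a secondary address of {entry['dn']}")
    values = []
    for value in entry["proxyAddresses"]:
        prefix, sep, address = value.partition(":")
        if sep and prefix.lower() == "smtp":
            is_new = address.lower() == new_primary.lower()
            values.append(("SMTP:" if is_new else "smtp:") + address)
        else:
            values.append(value)
    return {**entry, "mail": match[0], "proxyAddresses": values}


if __name__ == "__main__":
    print(secondary_report(ENTRIES))
    print(inconsistent(ENTRIES))
    print(promote(ENTRIES[0], "p.example@example.com"))
```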


RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-28 Thread joe
> I think that someone knowing this wouldn't have posted the question.
 
I don't agree with this part. A lot of people don't think you can supernet
AD subnets. In fact I have had people tell me outright it is impossible to
do that in AD even when I tell them it has been my standard practice since
Windows 2000 RTM'ed. They think it is just like the routing subnets where
you have to be very careful what you are doing or you will break packet
routing. I see this question on a pretty regular basis in various forums, at
least once per month.
 
  joe
 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: Saturday, January 27, 2007 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries


I know there is not a direct relation, but I don't know if the original
poster understands that this can't work if it's the real implementation.
 
I think that someone knowing this wouldn't have posted the question.
 
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
 
 

- Original Message ----- 
From: joe <mailto:[EMAIL PROTECTED]>  
To: ActiveDir@mail.activedir.org 
Sent: Saturday, January 27, 2007 9:03 PM
Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries

You are mistaking machine subnetting and subnetting defined in AD. They are
not connected. The definitions in AD do not have to reflect what is really
happening at the routing layer. They are generally close but there isn't any
technical reason why they have to be. 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: Friday, January 26, 2007 4:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries


Is it really 10.10.0.0/16 or a mistake (/24)?
Because your first site won't be able to join the other one as it will
think it's local and won't send packets to the gateway (if it's really a
/16). 
 
If it's a real /24, then it will work as expected (10.10.41.104 will be
attached to the secondary site).
 
If it's a /16 and you need a router between both sites, your configuration
can't work from a network point of view.
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
 
 

- Original Message - 
From: Brian Cline <mailto:[EMAIL PROTECTED]>  
To: ActiveDir@mail.activedir.org 
Sent: Friday, January 26, 2007 10:19 PM
Subject: [ActiveDir] Overlapping AD Subnet Boundaries


Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site,
and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will
AD treat a client address of, say, 10.10.41.104 as a client on the secondary
site, or will it default to the more general primary subnet? The reason I
ask is we now have a need for a second AD site (I can see all the enterprise
folks grinning now) and we have quite a number of other subnets that I'd
have to manually enter if this is not the case. I don't mind doing it, but I
was curious either way.

Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax







Re: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-28 Thread chuckgaff
My advice would have been to start with a 255.255.255.0 netmask (/24) - it's 
better for creating more subnets and hosts.  255.255.0.0 (/16) is more limiting 
if that is what the person is using, no matter what IP class is being used.  
But if not selected initially it's too late to easily go back...
 
Regards,
 
Chuck
 
 
-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sun, 28 Jan 2007 3:01 AM
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries


hello,
 
just to stop the troll...
Do you understand my other posts about your network?
Is your DC set up on its network interface with a 255.255.0.0 netmask?
 
Your setup will work fine from an AD point of view (dssite.msc), but not from an IP 
routing point of view if you are really using a 255.255.0.0
 
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
 
 
- Original Message - 
From: Brian Cline 
To: ActiveDir@mail.activedir.org 
Sent: Friday, January 26, 2007 10:19 PM
Subject: [ActiveDir] Overlapping AD Subnet Boundaries


Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, 
and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD 
treat a client address of, say, 10.10.41.104 as a client on the secondary site, 
or will it default to the more general primary subnet? The reason I ask is we 
now have a need for a second AD site (I can see all the enterprise folks 
grinning now) and we have quite a number of other subnets that I'd have to 
manually enter if this is not the case. I don't mind doing it, but I was 
curious either way.
Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax



RE: [ActiveDir] Changing Logon server authentication !!

2007-01-28 Thread Jaspreet Jolly
Hi Senthil,

Are Clients taking authentication from US office Server?

I faced this same issue while configuring "SSL Explorer". Client
authentication was happening from India server. Check the DNS entry, this
did the trick for me.

 

Regards,

Jaspreet Singh Jolly 

 

 

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of senthil Kumar
Sent: Sunday, January 28, 2007 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing Logon server authentication !!

 

Yes. We have configured separate sites. Both sites have separate GC in each
site.

 

Regards,

 

Senthil

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Sunday, January 28, 2007 4:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing Logon server authentication !!

 

Have you configured your AD Sites properly in AD Sites and Services MMC?

 

Cheers

Ken

 

  _  

From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Sun 28/01/2007 9:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing Logon server authentication !!

Hi,

We have a server A in US. We have Servers B&C in India.

Global catalog servers are Server A & B.

FSMO Roles are with the server B.

Right now we are having Citrix member server D in US. When users are logging
on the Citrix server, it takes logon authentication from Server B. When we
use the set command it shows logon server name as Server B. Is there any way I
can make it so that it takes authentication only from server A when it is
available?

Regards,

Senthil



RE: [ActiveDir] Changing Logon server authentication !!

2007-01-28 Thread Ken Schaefer
Sorry - that should be AD Sites and Subnets...

 

Cheers

Ken

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Sunday, 28 January 2007 10:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing Logon server authentication !!

 

Have you configured your AD Sites properly in AD Sites and Services MMC?

 

Cheers

Ken

 



From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Sun 28/01/2007 9:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing Logon server authentication !!

Hi,

We have a server A in US. We have Servers B&C in India.

Global catalog servers are Server A & B.

FSMO Roles are with the server B.

Right now we are having Citrix member server D in US. When users are logging
on the Citrix server, it takes logon authentication from Server B. When we
use the set command it shows logon server name as Server B. Is there any way I
can make it so that it takes authentication only from server A when it is
available?

Regards,

Senthil



RE: [ActiveDir] Changing Logon server authentication !!

2007-01-28 Thread Almeida Pinto, Jorge de
check the SITES and SUBNETS configuration...make sure the subnet of the Citrix 
servers is defined in AD and assigned to the correct site.
 
also make sure the server (DC) B has not registered service records for the 
site of the Citrix servers. This can happen when that site initially does not 
have a DC, then a DC is added and the records for server B are for some reason 
not removed...
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80



From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Sun 2007-01-28 11:32
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing Logon server authentication !!



Hi,

We have a server A in US. We have Servers B&C in India.

Global catalog servers are Server A & B.

FSMO Roles are with the server B.

Right now we are having Citrix member server D in US. When users are logging
on the Citrix server, it takes logon authentication from Server B. When we
use the set command it shows logon server name as Server B. Is there any way I
can make it so that it takes authentication only from server A when it is
available?

Regards,

Senthil




RE: [ActiveDir] Changing Logon server authentication !!

2007-01-28 Thread senthil Kumar
Yes. We have configured separate sites. Both sites have separate GC in each
site.

 

Regards,

 

Senthil

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Sunday, January 28, 2007 4:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing Logon server authentication !!

 

Have you configured your AD Sites properly in AD Sites and Services MMC?

 

Cheers

Ken

 

  _  

From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Sun 28/01/2007 9:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing Logon server authentication !!

Hi,

We have a server A in US. We have Servers B&C in India.

Global catalog servers are Server A & B.

FSMO Roles are with the server B.

Right now we are having Citrix member server D in US. When users are logging
on the Citrix server, it takes logon authentication from Server B. When we
use the set command it shows logon server name as Server B. Is there any way I
can make it so that it takes authentication only from server A when it is
available?

Regards,

Senthil



RE: [ActiveDir] Changing Logon server authentication !!

2007-01-28 Thread Ken Schaefer
Have you configured your AD Sites properly in AD Sites and Services MMC?
 
Cheers
Ken



From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Sun 28/01/2007 9:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing Logon server authentication !!



Hi,

We have a server A in US. We have Servers B&C in India.

Global catalog servers are Server A & B.

FSMO Roles are with the server B.

Right now we are having Citrix member server D in US. When users are logging
on the Citrix server, it takes logon authentication from Server B. When we
use the set command it shows logon server name as Server B. Is there any way I
can make it so that it takes authentication only from server A when it is
available?

Regards,

Senthil



[ActiveDir] Changing Logon server authentication !!

2007-01-28 Thread senthil Kumar
Hi,

We have a server A in US. We have Servers B&C in India.

Global catalog servers are Server A & B.

FSMO Roles are with the server B.

Right now we are having Citrix member server D in US. When users are logging
on the Citrix server, it takes logon authentication from Server B. When we
use the set command it shows logon server name as Server B. Is there any way I
can make it so that it takes authentication only from server A when it is
available?

Regards,

Senthil



Re: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-28 Thread Mathieu CHATEAU
hello,

just to stop the troll...
Do you understand my other posts about your network?
Is your DC set up on its network interface with a 255.255.0.0 netmask?

Your setup will work fine from an AD point of view (dssite.msc), but not from an IP 
routing point of view if you are really using a 255.255.0.0

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


  - Original Message - 
  From: Brian Cline 
  To: ActiveDir@mail.activedir.org 
  Sent: Friday, January 26, 2007 10:19 PM
  Subject: [ActiveDir] Overlapping AD Subnet Boundaries


  Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, 
and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD 
treat a client address of, say, 10.10.41.104 as a client on the secondary site, 
or will it default to the more general primary subnet? The reason I ask is we 
now have a need for a second AD site (I can see all the enterprise folks 
grinning now) and we have quite a number of other subnets that I'd have to 
manually enter if this is not the case. I don't mind doing it, but I was 
curious either way.

  Brian Cline, Applications Developer
  Department of Information Technology
  G&P Trucking Company, Inc.
  803.936.8595 Direct Line
  800.922.1147 Toll-Free (x8595)
  803.739.1176 Fax




RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-27 Thread Brian Desmond
AD subnets have nothing to do with how the WAN is actually routed. All they do 
is link an IP address to a site. If you don't have a blanket subnet as a last 
resort your DCs start filling their event logs with events about how clients 
are connecting from unknown subnets.

So what you do is you take your hub datacenter(s) and associate large supernets 
with the site objects (as big as 10.0.0.0/8 if appropriate). Then you associate 
the actual subnets with the sites where they're physically located.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
> Sent: Saturday, January 27, 2007 1:34 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries
>
> I don't agree.
> the /24 is included in the /16.
> You won't have layer 3 routing between the two sites, at least from the
> primary to the secondary. Even if it will work from a routing point of view
> from the secondary to the primary.
>
> what's the point ?
>
> Regards,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
>
> - Original Message -
> From: "Brian Desmond" <[EMAIL PROTECTED]>
> To: 
> Sent: Saturday, January 27, 2007 6:58 PM
> Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries
>
>
> OK well you don't need a layer 2 link to do what the OP wants...
>
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
>
> c - 312.731.3132
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:ActiveDir-
> > [EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
> > Sent: Saturday, January 27, 2007 12:53 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries
> >
> > hi,
> >
> > i am coming from network job, so i am used to sub/super netting somehow :)
> > thanks anyway !
> >
> > Regards,
> > Mathieu CHATEAU
> > http://lordoftheping.blogspot.com
> >
> >
> > - Original Message -
> > From: "Brian Desmond" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Saturday, January 27, 2007 6:47 PM
> > Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries
> >
> >
> > While your math is right you should look up supernetting and subnetting
> > somewhere.
> >
> > Thanks,
> > Brian Desmond
> > [EMAIL PROTECTED]
> >
> > c - 312.731.3132
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:ActiveDir-
> > > [EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
> > > Sent: Saturday, January 27, 2007 4:17 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries
> > >
> > > In my opinion, there is a pure TCP/IP network issue...
> > >
> > > A sample example:
> > > The DC is 10.10.0.1 with a netmask of 255.255.0.0 (/16 as indicated).
> > > if you try to ping 10.10.41.104, it will try to communicate on the LAN,
> > > seeking its arp.
> > > It won't send packet to the gateway since 10.10.41.0 must be on the
> > > LAN.
> > >
> > > The only way to get it to work is to use a Layer 2 link between both sites.
> > >
> > > Regards,
> > > Mathieu CHATEAU
> > > http://lordoftheping.blogspot.com
> > >
> > >
> > > - Original Message -
> > > From: "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]>
> > > To: 
> > > Sent: Friday, January 26, 2007 11:37 PM
> > > Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries
> > >
> > >
> > > it will go for the second site 10.10.41.0/24 (= best matching)
> > >
> > > Met vriendelijke groeten / Kind regards,
> > > Ing. Jorge de Almeida Pinto
> > > Senior Infrastructure Consultant
> > > MVP Windows Server - Directory Services
> > >
> > > LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
> > > Tel : +31-(0)40-29.57.777
> > > Mobile : +31-(0)6-26.26.62.80
> > >
> > > 
> > >
> > > From: [EMAIL PROTECTED] on behalf of Brian Cline
> > > Sent: Fri 2007-01-26 22:19
> > > To: ActiveDir@mail.activedir.org
> > > Subject: [ActiveDir] Overlapping AD Subnet Boundaries
> > >
> > >
> > >
> > > Say I create 
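The "best matching" behaviour and the catch-all supernet described in this thread can be checked offline before any subnet objects are created. The following is an added example, not code from any poster: it resolves client addresses to sites by most specific subnet, lists nested definitions, and reports clients that no subnet object covers. The site names and client addresses are constructed.

```python
import ipaddress

# Constructed table: the two subnets from the thread. The site names
# "Primary" and "Secondary" are placeholders, not real site objects.
AD_SUBNETS = {
    "10.10.0.0/16": "Primary",
    "10.10.41.0/24": "Secondary",
}

# Constructed client addresses; the last one matches no subnet definition.
CLIENTS = ["10.10.41.104", "10.10.40.7", "10.10.0.1", "192.168.5.20"]


def build_table(subnets):
    """Parse CIDR strings and order them most specific (longest prefix) first."""
    table = [(ipaddress.ip_network(cidr), site) for cidr, site in subnets.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for(ip, table):
    """Return (site, matching subnet) for a client IP, or (None, None)."""
    addr = ipaddress.ip_address(ip)
    for net, site in table:
        if addr in net:
            return site, str(net)
    return None, None


def overlaps(table):
    """List (subnet, site, enclosing supernet, supernet site) for every
    subnet definition that sits inside a larger one."""
    found = []
    for net, site in table:
        for other, other_site in table:
            if net != other and net.version == other.version and net.subnet_of(other):
                found.append((str(net), site, str(other), other_site))
    return found


def unmapped(client_ips, table):
    """Clients that no subnet definition covers; these are the ones a DC
    would report as connecting from an unknown subnet."""
    return [ip for ip in client_ips if site_for(ip, table)[0] is None]


if __name__ == "__main__":
    table = build_table(AD_SUBNETS)
    for ip in CLIENTS:
        site, net = site_for(ip, table)
        print(f"{ip:15} -> {site or 'NO SITE'} ({net or 'no subnet object'})")
    for net, site, parent, parent_site in overlaps(table):
        print(f"{net} ({site}) is carved out of {parent} ({parent_site})")
    print("unmapped:", unmapped(CLIENTS, table))
```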

RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-27 Thread Brian Desmond
You can whack notes with ldifde or something. MIIS is a convenient way to do it 
though.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, January 27, 2007 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Ewww.  :)

Unless there are other needs that require MIIS I don't think I would deploy it 
for this. MIIS is a 50 caliber when all that was probably needed was a foam 
pellet gun.

I have seen folks doing this before, usually they get an LDIF extract from 
Notes and just slam that into AD as contacts or mail-enabled users. Actually 
getting the info out of Notes... no clue, I didn't even want to start touching 
Exchange let alone any other messaging apps. I am happy just with Windows 
Server 2003 SMTP and looking at the text files. ;o)



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, January 26, 2007 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT
Have you looked at MIIS?

Laura


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Same topic, but this one is for Notes Admin/Gurus as well.

I populate the mail attribute in AD with the Notes Users primary internet 
address. Does anyone have a script or method that will allow me to publish in 
AD the same info for groups and other addresses for users.

Even something that can query Domino for all users and groups and return all 
addresses into a file, I can use that as a basis to update AD with proxy info 
etc.
Thanks in advance.

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]

"Brian Cline" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/26/2007 09:47 AM
Please respond to: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Ah, yes, good call. Almost forgot that it changes that, too.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James
Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP:
address.


--James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an
address that already exists as a secondary, does ADUC do anything more
than change the prefix on the old primary address from 'SMTP' to 'smtp'
and vice-versa for the new primary?


Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query
for users that have secondary addresses vs. only having a primary and there
isn't any practical way to just get the secondary addresses out of the
proxyAddresses attribute.  You essentially need to get all the data and then
check for the values that are prefixed with lower case "smtp".

Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP
itself doesn't help much.

Joe K.

- Original Message -
From: Ulf B. Simon-Weidner
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?


Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE -
you'd either have to use LDIFDE or VBScript or anything else to view all
values of those attributes.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
 Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214
C811D
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Freitag, 26. Januar 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-

Re: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-27 Thread Mathieu CHATEAU
I know there is not a direct relation, but I don't know if the original poster 
understands that this can't work if it's the real implementation.

I think that someone knowing this wouldn't have posted the question.

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


  - Original Message - 
  From: joe 
  To: ActiveDir@mail.activedir.org 
  Sent: Saturday, January 27, 2007 9:03 PM
  Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries


  You are mistaking machine subnetting and subnetting defined in AD. They are 
not connected. The definitions in AD do not have to reflect what is really 
happening at the routing layer. They are generally close but there isn't any 
technical reason why they have to be. 

  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 





--
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
  Sent: Friday, January 26, 2007 4:34 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries


  is it really 10.10.0.0/16 or a mistake (/24) ?
  Because your first site won't be able to join the other one as it will think 
it's local and won't send packets to the gateway (if it's really a /16). 

  If it's a real /24, then it will work as expected (10.10.41.104 will be 
attached to the secondary site).

  If it's a /16 and you need a router between both sites, your configuration can't 
work from a network point of view.
  Regards,
  Mathieu CHATEAU
  http://lordoftheping.blogspot.com


- Original Message - 
From: Brian Cline 
To: ActiveDir@mail.activedir.org 
    Sent: Friday, January 26, 2007 10:19 PM
Subject: [ActiveDir] Overlapping AD Subnet Boundaries


Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary 
site, and another subnet as 10.10.41.0/24 and assign it to a secondary site. 
Will AD treat a client address of, say, 10.10.41.104 as a client on the 
secondary site, or will it default to the more general primary subnet? The 
reason I ask is we now have a need for a second AD site (I can see all the 
enterprise folks grinning now) and we have quite a number of other subnets that 
I'd have to manually enter if this is not the case. I don't mind doing it, but 
I was curious either way.

Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax




RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-27 Thread joe
Ewww.  :)
 
Unless there are other needs that require MIIS I don't think I would deploy
it for this. MIIS is a 50 caliber when all that was probably needed was a foam
pellet gun. 
 
I have seen folks doing this before, usually they get an LDIF extract from
Notes and just slam that into AD as contacts or mail-enabled users. Actually
getting the info out of Notes... no clue, I didn't even want to start
touching Exchange let alone any other messaging apps. I am happy just with
Windows Server 2003 SMTP and looking at the text files. ;o)
 
 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, January 26, 2007 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT


Have you looked at MIIS?
 
Laura



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT



Same topic, but this one is for Notes Admin/Gurus as well. 

I populate the mail attribute in AD with the Notes Users primary internet
address. Does anyone have a script or method that will allow me to publish
in AD the same info for groups and other addresses for users. 

Even something that can query Domino for all users and groups and return all
addresses into a file, I can use that as a basis to update AD with proxy
info etc. 
Thanks in advance. 

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED] 



"Brian Cline" <[EMAIL PROTECTED]> 
Sent by: [EMAIL PROTECTED]
01/26/2007 09:47 AM
Please respond to: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Ah, yes, good call. Almost forgot that it changes that, too.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James
Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP:
address.


--James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an
address that already exists as a secondary, does ADUC do anything more
than change the prefix on the old primary address from 'SMTP' to 'smtp'
and vice-versa for the new primary?


Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query
for users that have secondary addresses vs. only having a primary and there
isn't any practical way to just get the secondary addresses out of the
proxyAddresses attribute.  You essentially need to get all the data and then
check for the values that are prefixed with lower case "smtp".

Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP
itself doesn't help much.

Joe K.

- Original Message - 
From: Ulf B. Simon-Weidner
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?


Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE -
you'd either have to use LDIFDE or VBScript or anything else to view all
values of those attributes.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
 Profile & Publications: 
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214
C811D
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Freitag, 26. Januar 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every
Exchange user?  I can't seem to find a way via csvde, but maybe I'm doing
something wrong.  Thanks again.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default
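
The thread above says multivalued attributes need an LDIF export, that secondary addresses are the proxyAddresses values prefixed with lower-case "smtp", and that the mail attribute should follow the upper-case SMTP: primary. The following is an added example, not code from any poster: it parses an LDIF export and reports secondary addresses and mail/primary mismatches. The sample export, names and status labels are constructed, and the case-insensitive address comparison is an assumption of this example.

```python
import base64

# Constructed LDIFDE-style export: every name, address and DN below is sample data.
SAMPLE_LDIF = (
    "dn: CN=Alice Example,OU=Staff,DC=example,DC=test\n"
    "sAMAccountName: alice\n"
    "mail: alice@example.test\n"
    "proxyAddresses: SMTP:alice@example.test\n"
    "proxyAddresses: smtp:a.example@example.test\n"
    # A folded LDIF line: the continuation starts with a single space.
    "proxyAddresses: smtp:alice.long.alias@exam\n"
    " ple.test\n"
    "proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Example;g=Alice;\n"
    "\n"
    "dn: CN=Bob Example,OU=Staff,DC=example,DC=test\n"
    "sAMAccountName: bob\n"
    "mail: bob.old@example.test\n"
    "proxyAddresses: smtp:bob.old@example.test\n"
    "proxyAddresses: SMTP:bob@example.test\n"
    "\n"
    "dn: CN=Carol Example,OU=Staff,DC=example,DC=test\n"
    "sAMAccountName: carol\n"
    "mail: Carol@Example.test\n"
    # "attr:: value" marks a base64-encoded value.
    "proxyAddresses:: " + base64.b64encode(b"SMTP:carol@example.test").decode() + "\n"
)


def parse_ldif(text):
    """Return one {attribute_lowercased: [values]} dict per LDIF record."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold a continuation line
        else:
            logical.append(raw)
    records, current = [], {}
    for line in logical + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return records


def classify(record):
    """Split proxyAddresses by prefix case and compare the primary with mail."""
    primary, secondary = [], []
    for value in record.get("proxyaddresses", []):
        prefix, _, address = value.partition(":")
        if prefix == "SMTP":                # upper case: primary address
            primary.append(address)
        elif prefix == "smtp":              # lower case: secondary address
            secondary.append(address)
        # Other address types (X400 and so on) are not SMTP and are skipped.
    mail = (record.get("mail") or [""])[0]
    if not primary:
        status = "no-primary"
    elif len(primary) > 1:
        status = "multiple-primaries"
    elif mail.lower() != primary[0].lower():
        status = "disjoint"                 # mail does not match the primary
    else:
        status = "ok"
    return {
        "id": (record.get("samaccountname") or ["?"])[0],
        "mail": mail,
        "primary": primary,
        "secondary": secondary,
        "status": status,
    }


def audit(ldif_text):
    """Classify every record that carries proxyAddresses."""
    return [classify(r) for r in parse_ldif(ldif_text) if "proxyaddresses" in r]


if __name__ == "__main__":
    for row in audit(SAMPLE_LDIF):
        print(row["id"], row["status"], row["primary"], row["secondary"])
```
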

RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-27 Thread joe
You are mistaking machine subnetting and subnetting defined in AD. They are
not connected. The definitions in AD do not have to reflect what is really
happening at the routing layer. They are generally close but there isn't any
technical reason why they have to be. 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: Friday, January 26, 2007 4:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries


is it really 10.10.0.0/16 or a mistake (/24) ?
Because your first site won't be able to join the other one as it will
think it's local and won't send packets to the gateway (if it's really a
/16). 
 
If it's a real /24, then it will work as expected (10.10.41.104 will be
attached to the secondary site).
 
If it's a /16 and you need a router between both sites, your configuration
can't work from a network point of view.
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
 
 

- Original Message - 
From: Brian Cline <mailto:[EMAIL PROTECTED]>  
To: ActiveDir@mail.activedir.org 
Sent: Friday, January 26, 2007 10:19 PM
Subject: [ActiveDir] Overlapping AD Subnet Boundaries


Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site,
and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will
AD treat a client address of, say, 10.10.41.104 as a client on the secondary
site, or will it default to the more general primary subnet? The reason I
ask is we now have a need for a second AD site (I can see all the enterprise
folks grinning now) and we have quite a number of other subnets that I'd
have to manually enter if this is not the case. I don't mind doing it, but I
was curious either way.

Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax







RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-27 Thread joe
Active Directory will use the most specific network address that applies to
it. For instance, I set up a class-A address (or multiple in some companies)
that applies to all of the network space of the company and assign that to
the primary data center location. Then I start making more focused subnets
that route clients / replication to more specific locations. That way you
don't run into the issue where clients can't find their own subnet so choose
a random DC. I have set up subnets all the way from 8 bit down to 32 bit as
needed and it all works fine. 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 4:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Overlapping AD Subnet Boundaries



Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site,
and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will
AD treat a client address of, say, 10.10.41.104 as a client on the secondary
site, or will it default to the more general primary subnet? The reason I
ask is we now have a need for a second AD site (I can see all the enterprise
folks grinning now) and we have quite a number of other subnets that I'd
have to manually enter if this is not the case. I don't mind doing it, but I
was curious either way.

Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax
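
The most-specific-match rule described in the message above, as an added example that is not part of any poster's message: a client address is mapped to the site of the longest matching prefix, and an address covered by no subnet gets no site. The 10.10.0.0/16 and 10.10.41.0/24 prefixes and the 10.10.41.104 client come from the thread; the site names, the /8 catch-all and the /32 entry are constructed, and this models only the matching rule, not AD's own lookup code.

```python
import ipaddress

# Subnet-to-site mappings. The /16 and /24 are the thread's values; the site
# names, the /8 catch-all and the /32 entry are constructed for illustration.
SUBNETS = {
    "10.0.0.0/8": "DataCenter",
    "10.10.0.0/16": "Primary",
    "10.10.41.0/24": "Secondary",
    "10.10.41.200/32": "Lab",
}


def build_table(mapping):
    """Parse the prefixes and order them most specific (longest prefix) first."""
    table = [(ipaddress.ip_network(cidr, strict=True), site)
             for cidr, site in mapping.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for(address, table):
    """Return (site, matching_prefix) for the most specific subnet, or (None, None)."""
    ip = ipaddress.ip_address(address)
    for net, site in table:
        if ip.version == net.version and ip in net:
            return site, str(net)
    return None, None


def overlaps(table):
    """List (specific, general) pairs where one defined subnet lies inside another."""
    pairs = []
    for net, _ in table:
        for other, _ in table:
            if net != other and net.version == other.version and net.subnet_of(other):
                pairs.append((str(net), str(other)))
    return pairs


if __name__ == "__main__":
    table = build_table(SUBNETS)
    for client in ("10.10.41.104", "10.10.7.9", "10.10.41.200",
                   "10.200.1.1", "192.168.1.1"):
        print(client, "->", site_for(client, table))
    for specific, general in overlaps(table):
        print(specific, "is inside", general)
```
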



Re: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-27 Thread Mathieu CHATEAU

I don't agree.
The /24 is included in the /16.
You won't have layer 3 routing between the two sites, at least from the 
primary to the secondary. Even if it will work from a routing point of view 
from the secondary to the primary.


what's the point ?

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


- Original Message - 
From: "Brian Desmond" <[EMAIL PROTECTED]>

To: 
Sent: Saturday, January 27, 2007 6:58 PM
Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries


OK well you don't need a layer 2 link to do what the OP wants...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: Saturday, January 27, 2007 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

hi,

i am coming from network job, so i am used to sub/super netting somehow
:)
thanks anyway !

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


- Original Message -
From: "Brian Desmond" <[EMAIL PROTECTED]>
To: 
Sent: Saturday, January 27, 2007 6:47 PM
Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries


While your math is right you should look up supernetting and subnetting
somewhere.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
> Sent: Saturday, January 27, 2007 4:17 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries
>
> In my opinion, there is a pure TCP/IP network issue...
>
> A sample example:
> The DC is 10.10.0.1 with a netmask of 255.255.0.0 (/16 as indicated).
> if you try to ping 10.10.41.104, it will try to communicate on the LAN,
> seeking its arp.
> It won't send packet to the gateway since 10.10.41.0 must be on the LAN.
>
> The only way to get it work is to use a Layer 2 link between both site.
>
>
> Regards,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
>
> - Original Message -
> From: "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]>
> To: 
> Sent: Friday, January 26, 2007 11:37 PM
> Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries
>
>
> it will go for the second site 10.10.41.0/24 (= best matching)
>
> Met vriendelijke groeten / Kind regards,
> Ing. Jorge de Almeida Pinto
> Senior Infrastructure Consultant
> MVP Windows Server - Directory Services
>
> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
> (   Tel : +31-(0)40-29.57.777
> (   Mobile : +31-(0)6-26.26.62.80
> *   E-mail : 
>
> 
>
> From: [EMAIL PROTECTED] on behalf of Brian Cline
> Sent: Fri 2007-01-26 22:19
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Overlapping AD Subnet Boundaries
>
>
>
> Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site,
> and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will
> AD treat a client address of, say, 10.10.41.104 as a client on the secondary
> site, or will it default to the more general primary subnet? The reason I
> ask is we now have a need for a second AD site (I can see all the enterprise
> folks grinning now) and we have quite a number of other subnets that I'd
> have to manually enter if this is not the case. I don't mind doing it, but I
> was curious either way.
>
> Brian Cline, Applications Developer
> Department of Information Technology
> G&P Trucking Company, Inc.
> 803.936.8595 Direct Line
> 800.922.1147 Toll-Free (x8595)
> 803.739.1176 Fax
>
>
>
> This e-mail and any attachment is for authorised use by the intended
> recipient(s) only. It may contain proprietary material, confidential
> information and/or be subject to legal privilege. It should not be
> copied,
> disclosed to, retained or used by, any other party. If you are not an
> intended recipient then please promptly delete this e-mail and any
> attachment and all copies and inform the sender. Thank you.
>


RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-27 Thread Brian Desmond
OK well you don't need a layer 2 link to do what the OP wants...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
> Sent: Saturday, January 27, 2007 12:53 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries
>
> hi,
>
> i am coming from network job, so i am used to sub/super netting somehow
> :)
> thanks anyway !
>
> Regards,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
>
> - Original Message -
> From: "Brian Desmond" <[EMAIL PROTECTED]>
> To: 
> Sent: Saturday, January 27, 2007 6:47 PM
> Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries
>
>
> While your math is right you should look up supernetting and subnetting
> somewhere.
>
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
>
> c - 312.731.3132
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:ActiveDir-
> > [EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
> > Sent: Saturday, January 27, 2007 4:17 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries
> >
> > In my opinion, there is a pure TCP/IP network issue...
> >
> > A sample example:
> > The DC is 10.10.0.1 with a netmask of 255.255.0.0 (/16 as indicated).
> > if you try to ping 10.10.41.104, it will try to communicate on the LAN,
> > seeking its arp.
> > It won't send packet to the gateway since 10.10.41.0 must be on the LAN.
> >
> > The only way to get it work is to use a Layer 2 link between both site.
> >
> >
> > Regards,
> > Mathieu CHATEAU
> > http://lordoftheping.blogspot.com
> >
> >
> > - Original Message -
> > From: "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Friday, January 26, 2007 11:37 PM
> > Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries
> >
> >
> > it will go for the second site 10.10.41.0/24 (= best matching)
> >
> > Met vriendelijke groeten / Kind regards,
> > Ing. Jorge de Almeida Pinto
> > Senior Infrastructure Consultant
> > MVP Windows Server - Directory Services
> >
> > LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
> > (   Tel : +31-(0)40-29.57.777
> > (   Mobile : +31-(0)6-26.26.62.80
> > *   E-mail : 
> >
> > 
> >
> > From: [EMAIL PROTECTED] on behalf of Brian Cline
> > Sent: Fri 2007-01-26 22:19
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Overlapping AD Subnet Boundaries
> >
> >
> >
> > Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site,
> > and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will
> > AD treat a client address of, say, 10.10.41.104 as a client on the secondary
> > site, or will it default to the more general primary subnet? The reason I
> > ask is we now have a need for a second AD site (I can see all the enterprise
> > folks grinning now) and we have quite a number of other subnets that I'd
> > have to manually enter if this is not the case. I don't mind doing it, but I
> > was curious either way.
> >
> > Brian Cline, Applications Developer
> > Department of Information Technology
> > G&P Trucking Company, Inc.
> > 803.936.8595 Direct Line
> > 800.922.1147 Toll-Free (x8595)
> > 803.739.1176 Fax
> >
> >
> >


Re: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-27 Thread Mathieu CHATEAU

hi,

i am coming from network job, so i am used to sub/super netting somehow :)
thanks anyway !

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


- Original Message - 
From: "Brian Desmond" <[EMAIL PROTECTED]>

To: 
Sent: Saturday, January 27, 2007 6:47 PM
Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries


While your math is right you should look up supernetting and subnetting 
somewhere.


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: Saturday, January 27, 2007 4:17 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

In my opinion, there is a pure TCP/IP network issue...

A sample example:
The DC is 10.10.0.1 with a netmask of 255.255.0.0 (/16 as indicated).
if you try to ping 10.10.41.104, it will try to communicate on the LAN,
seeking its arp.
It won't send packet to the gateway since 10.10.41.0 must be on the
LAN.

The only way to get it work is to use a Layer 2 link between both site.


Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


- Original Message -
From: "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]>
To: 
Sent: Friday, January 26, 2007 11:37 PM
Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries


it will go for the second site 10.10.41.0/24 (= best matching)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : 



From: [EMAIL PROTECTED] on behalf of Brian Cline
Sent: Fri 2007-01-26 22:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Overlapping AD Subnet Boundaries



Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site,
and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will
AD treat a client address of, say, 10.10.41.104 as a client on the secondary
site, or will it default to the more general primary subnet? The reason I
ask is we now have a need for a second AD site (I can see all the enterprise
folks grinning now) and we have quite a number of other subnets that I'd
have to manually enter if this is not the case. I don't mind doing it, but I
was curious either way.

Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax





RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-27 Thread Brian Desmond
While your math is right you should look up supernetting and subnetting 
somewhere.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
> Sent: Saturday, January 27, 2007 4:17 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries
>
> In my opinion, there is a pure TCP/IP network issue...
>
> A sample example:
> The DC is 10.10.0.1 with a netmask of 255.255.0.0 (/16 as indicated).
> if you try to ping 10.10.41.104, it will try to communicate on the LAN,
> seeking its arp.
> It won't send packet to the gateway since 10.10.41.0 must be on the
> LAN.
>
> The only way to get it work is to use a Layer 2 link between both site.
>
>
> Regards,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
>
> - Original Message -
> From: "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]>
> To: 
> Sent: Friday, January 26, 2007 11:37 PM
> Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries
>
>
> it will go for the second site 10.10.41.0/24 (= best matching)
>
> Met vriendelijke groeten / Kind regards,
> Ing. Jorge de Almeida Pinto
> Senior Infrastructure Consultant
> MVP Windows Server - Directory Services
>
> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
> (   Tel : +31-(0)40-29.57.777
> (   Mobile : +31-(0)6-26.26.62.80
> *   E-mail : 
>
> ____
>
> From: [EMAIL PROTECTED] on behalf of Brian Cline
> Sent: Fri 2007-01-26 22:19
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Overlapping AD Subnet Boundaries
>
>
>
> Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site,
> and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will
> AD treat a client address of, say, 10.10.41.104 as a client on the secondary
> site, or will it default to the more general primary subnet? The reason I
> ask is we now have a need for a second AD site (I can see all the enterprise
> folks grinning now) and we have quite a number of other subnets that I'd
> have to manually enter if this is not the case. I don't mind doing it, but I
> was curious either way.
>
> Brian Cline, Applications Developer
> Department of Information Technology
> G&P Trucking Company, Inc.
> 803.936.8595 Direct Line
> 800.922.1147 Toll-Free (x8595)
> 803.739.1176 Fax
>
>
>


RE: [ActiveDir] How to find non-primary SMTP addresses?

2007-01-27 Thread joe
To change the previous perl script to give the same output it would look
something like


open ofh,">QueryOutput.csv" or die("ERROR: Can't open CSV output file: $!\n");
print ofh "First Name, Last Name, ID, Primary Mail Address,,Additional Email Addresses\n";

@out=`adfind -nodn -sc exchaddresses:smtp -csv -csvq \"\" -csvmvdelim , -nocsvheader givenname sn samaccountname mail`;

foreach $thisline (@out)
 {
  $thisline=~s/smtp://ig; # strip smtp: and SMTP:
  print ofh $thisline;
 }
 

:)

Then to take it a step further for the later conversation about a disjoint
between mail and proxyaddresses primary SMTP (yes this is possible, I see it
pretty regularly in companies, it is only enforced I believe by ADUC, nothing
in Exchange) you can make the script identify cases where you have a
disjoint between mail and the primary SMTP with something like

open ofh,">QueryOutput.csv" or die("ERROR: Can't open CSV output file: $!\n");
print ofh "Disjoint Mail Attribs, First Name, Last Name, ID, Primary Mail Address,,Additional Email Addresses\n";

@out=`adfind -nodn -sc exchaddresses:smtp -csv -csvq \"\" -csvmvdelim , -nocsvheader givenname sn samaccountname mail`;

foreach $thisline (@out)
 {
  ($mail,$primarysmtp)=($thisline=~/,([^,[EMAIL PROTECTED],]+),.*SMTP:([^,[EMAIL PROTECTED],]+)[\n,]/);
  $disjoint=($mail ne $primarysmtp)?"TRUE":"FALSE";
  $thisline=~s/smtp://ig; # strip smtp: and SMTP:
  print ofh "$disjoint,$thisline";
 }
 

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Friday, January 26, 2007 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Here is a cheesy VB script to list email addresses and kick them to a
CSV file***.  It's not horribly efficient, tight coding, or cleaned up
very much but it has worked for me. Remember to replace the 
with yours and you may have to adjust the page size if you have more
than 2000 objects.  Also watch for line feeds in the code that may be
email caused.

Have fun..
_Stuart Fuller

(***Full disclaimer of liability - use at own risk)

---
'--
'ListUsers Email Script
'Stuart Fuller
'7/7/05
'--

Dim adsComputer
Dim adsOU
Dim operatingSystem
Dim osVersion
Dim servicePack
Dim fileSys
Dim fileTxt
Const ForReading = 1, ForWriting = 2, ForAppending = 8

wscript.echo "Start"

'Create the output file
set fileSys = CreateObject("Scripting.FileSystemObject")
Set fileTxt = fileSys.OpenTextFile("QueryOutput.csv", ForWriting, True)
fileTxt.Writeline("First Name, Last Name, ID, Primary Mail Address,,Additional Email Addresses")

'Create the connection to AD
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCOmmand.ActiveConnection = objConnection

'Set the SQL type query against AD
'REPLACE  with OU or domain you want to query in the objCommand.Commandtext line
'Example 'LDAP://ou=users,dc=joeware,dc=com'
objCommand.CommandText = "Select givenName, sn, sAMaccountName, mail, ADsPath from ''" _
& " where objectClass='user' AND objectCategory='Person'"
objCommand.Properties("Page Size") = 2000
objCommand.Properties("Timeout") = 60 
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 
objCommand.Properties("Cache Results") = False 
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

'Loop through the returned records
Do Until objRecordSet.EOF
strGName = objRecordSet.Fields("givenName").value
strSName = objRecordSet.Fields("sn").value
strMail = objRecordSet.Fields("mail").value
strSAM = objRecordSet.Fields("sAMaccountName").value

'In order to get the multi-varied attribute go get the user object
'and then query the proxyaddress attribute
set objUser = GetObject(objRecordSet.Fields("ADsPath").value)
on error resume next
For each strProxyAddress in objUser.ProxyAddresses
strAdd = Left(strProxyAddress,4)
If ((strAdd = "SMTP") OR (strAdd = "smtp")) Then
strAddress = Right(strProxyAddress, LEN(strProxyAddress) - 5)
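
The disjoint check joe describes above (the mail attribute versus the upper-case SMTP: entry in proxyAddresses), as an added Python example that is not code from this thread. The records are constructed sample data, and the finding names and the case-insensitive comparison are choices of this example (joe's Perl compares the strings exactly).

```python
def classify_proxy_addresses(proxy_addresses):
    """Split proxyAddresses values into primary and secondary SMTP addresses.

    Convention discussed in the thread: the primary entry carries an
    upper-case 'SMTP:' prefix, secondaries a lower-case 'smtp:' prefix.
    Other address types (X400:, X500:, ...) are ignored.
    """
    primary, secondary = [], []
    for value in proxy_addresses:
        prefix, sep, address = value.partition(":")
        if not sep or prefix.lower() != "smtp":
            continue                      # not an SMTP proxy address
        if prefix == "SMTP":
            primary.append(address)
        else:
            secondary.append(address)     # 'smtp:' (or odd casing) = secondary
    return primary, secondary


def check_user(record):
    """Return a list of finding names for one user record (empty = consistent)."""
    findings = []
    primary, secondary = classify_proxy_addresses(record.get("proxyAddresses", []))
    mail = (record.get("mail") or "").lower()

    if not primary:
        findings.append("NO_PRIMARY_SMTP")
    elif len(primary) > 1:
        findings.append("MULTIPLE_PRIMARY_SMTP")

    if not mail:
        findings.append("MAIL_EMPTY")
    elif primary and mail not in [p.lower() for p in primary]:
        findings.append("MAIL_DISJOINT")
        # Typical after a primary swap that did not update 'mail'.
        if mail in [s.lower() for s in secondary]:
            findings.append("MAIL_MATCHES_SECONDARY")
    return findings


def audit(records):
    """Map sAMAccountName -> findings, listing only users with a problem."""
    report = {}
    for record in records:
        findings = check_user(record)
        if findings:
            report[record["sAMAccountName"]] = findings
    return report


# Constructed sample records (names and domains are made up).
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "mail": "alice@example.test",
     "proxyAddresses": ["SMTP:Alice@example.test", "smtp:a.smith@example.test"]},
    {"sAMAccountName": "bob", "mail": "bob@old.example.test",
     "proxyAddresses": ["SMTP:bob@example.test", "smtp:bob@old.example.test"]},
    {"sAMAccountName": "carol", "mail": "carol@example.test",
     "proxyAddresses": ["smtp:carol@example.test", "X400:c=US;a= ;p=Org;s=Carol"]},
    {"sAMAccountName": "dave", "mail": "",
     "proxyAddresses": ["SMTP:dave@example.test", "SMTP:d.jones@example.test"]},
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_USERS).items():
        print(f"{user}: {', '.join(findings)}")
```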

RE: [ActiveDir] Disable CD ROM through GP

2007-01-27 Thread Ulf B. Simon-Weidner
Hello Dhiraj,

it's always a kind of risk to put something into production without testing
- even with good guidance there might be small issues which may lead to big
results.

That said - implementing a new Policy Extension in GP is pretty easy. First,
copy the ADM to the ADM-Files in the Group Policy Object in Sysvol. They are
referenced by GUID ({xxx-xxx-xxx-xxx}) there - you are able to find out the
GUID of your GPO using GPMC. After you copied the ADM-File there, open the
Group Policy. For custom ADMs you have to adjust the Filter (in the View
Menu of the GP-Object Editor): Select the Administrative Template Node
underneath either User or Computer Configuration (probably Computer in your
case), then go into the View Menu and click "Filter". Unselect "Only show
policy settings that can be fully managed".
Afterwards you should be able to find your policy setting and you are able
to configure it.

I'd do this in a separate GPO for testing, and remove the Right (in
Security, make sure that you remove the right and do _not_ deny it) of
Authenticated Users to apply the policy. Afterwards enter your own
computer account and give it the right to apply the policy - just to make
sure that you are testing it before. If it works on your computer you can
reset the rights by allowing Authenticated Users to apply it again and
remove your computer account from the security settings. Now they will apply
to all computer accounts underneath the level (domain, OU, site) where you
linked the GPO.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile &
Publications:   http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-
B489-F2F1214C811D   
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Haritwal, Dhiraj
Sent: Samstag, 27. Januar 2007 09:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disable CD ROM through GP

If anyone had done the same, kindly guide me...

Because right now I do not have this much time.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, January 27, 2007 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Disable CD ROM through GP

Why not set up a test network/machine in VirtualPC/Vmware?


Haritwal, Dhiraj wrote:
>
> Hi All,
>
> I want to disable CD ROM on all client machines through GP. I found 
> the KB http://support.microsoft.com/kb/555324 & created the attached 
> test.adm file. Actually I don't have any testing machine where I can 
> test this *adm *file. Can anybody try & tell me the complete process 
> to enable it. Also tell me where it will reflect the changes whether 
> in registry or it will create that option in GP to disable/enable CD
ROM.
>
> Dhiraj Haritwal
>
>

>
> This email is confidential and intended only for the use of the 
> individual or entity named above and may contain information that is 
> privileged. If you are not the intended recipient, you are notified 
> that any dissemination, distribution or copying of this email is 
> strictly prohibited. If you have received this email in error, please 
> notify us immediately by return email or telephone and destroy the 
> original message. - This mail is sent via Sony Asia Pacific Mail
Gateway.
>







Re: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-27 Thread Mathieu CHATEAU

In my opinion, there is a pure TCP/IP network issue...

A sample example:
The DC is 10.10.0.1 with a netmask of 255.255.0.0 (/16 as indicated).
If you try to ping 10.10.41.104, it will try to communicate on the LAN,
seeking its ARP.

It won't send packets to the gateway since 10.10.41.0 must be on the LAN.

The only way to get it to work is to use a Layer 2 link between both sites.


Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


- Original Message - 
From: "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]>

To: 
Sent: Friday, January 26, 2007 11:37 PM
Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries


it will go for the second site 10.10.41.0/24 (= best matching)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : 



From: [EMAIL PROTECTED] on behalf of Brian Cline
Sent: Fri 2007-01-26 22:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Overlapping AD Subnet Boundaries



Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, 
and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will 
AD treat a client address of, say, 10.10.41.104 as a client on the secondary 
site, or will it default to the more general primary subnet? The reason I 
ask is we now have a need for a second AD site (I can see all the enterprise 
folks grinning now) and we have quite a number of other subnets that I'd 
have to manually enter if this is not the case. I don't mind doing it, but I 
was curious either way.


Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax





RE: [ActiveDir] Disable CD ROM through GP

2007-01-27 Thread Haritwal, Dhiraj
If anyone had done the same, kindly guide me...

Because right now I do not have this much time.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, January 27, 2007 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Disable CD ROM through GP

Why not set up a test network/machine in VirtualPC/Vmware?


Haritwal, Dhiraj wrote:
>
> Hi All,
>
> I want to disable CD ROM on all client machines through GP. I found 
> the KB http://support.microsoft.com/kb/555324 & created the attached 
> test.adm file. Actually I don't have any testing machine where I can 
> test this *adm *file. Can anybody try & tell me the complete process 
> to enable it. Also tell me where it will reflect the changes whether 
> in registry or it will create that option in GP to disable/enable CD
ROM.
>
> Dhiraj Haritwal
>
>

>
>







Re: [ActiveDir] Disable CD ROM through GP

2007-01-26 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Why not set up a test network/machine in VirtualPC/Vmware?


Haritwal, Dhiraj wrote:


Hi All,

I want to disable CD ROM on all client machines through GP. I found 
the KB http://support.microsoft.com/kb/555324 & created the attached 
test.adm file. Actually I don’t have any testing machine where I can 
test this *adm *file. Can anybody try & tell me the complete process 
to enable it. Also tell me where it will reflect the changes whether 
in registry or it will create that option in GP to disable/enable CD ROM.


Dhiraj Haritwal





[ActiveDir] Disable CD ROM through GP

2007-01-26 Thread Haritwal, Dhiraj
Hi All,

 

I want to disable CD ROM on all client machines through GP. I found the
KB http://support.microsoft.com/kb/555324 & created the attached
test.adm file. Actually I don't have any testing machine where I can
test this adm file. Can anybody try & tell me the complete process to
enable it. Also tell me where it will reflect the changes whether in
registry or it will create that option in GP to disable/enable CD ROM.  

 

 

Dhiraj Haritwal

 





Re: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-26 Thread ChuckGaff
Brian,

Thanks for the feedback - yes I think two T-1s or maybe even one is overkill.
But you do have to consider the WAN infrastructure before determining sites.
The number of users is a factor if you consider each user is probably on a
workstation.  In the scenario we never had the information of why a separate
site was being decided.

I'm not sure the person in question really needs a site and that's why I'm
asking these questions -- you could technically have a fractional T-1 link and
a handful of users and still stay with a single site rather than having a
remote site.  There are two areas of consideration -- authentication traffic
but also replication traffic so both have to be included.   I've personally
found that a lot of people will decide to create additional sites when they
often don't need to be created.

Regards,

Chuck


RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-26 Thread Brian Desmond
Chuck-

Unfortunately I think your reasoning is a bit short sighted here. You can't 
make any of these assumptions without understanding the OP's environment both 
with regard to business and technical requirements.

A T1 is way more than enough for hundreds of PCs to go to a DC across the WAN. 
While a couple of MLPPP T1s might be nice it's certainly not necessary. Logon 
traffic isn't that heavy.

The number of users at a site is usually not the driver so much as the number 
of workstations. Workstations are the limiting factor - you can have 100 guys 
someplace but they might share 10 PCs.

The business requirement is a real simple question - if the WAN link goes down 
will business continue at this site? If not, adding a DC doesn't do anything 
but cost money - doesn't matter whether users can log on. With cached 
credentials even when the link does go down they'll still be able to logon to 
their usual PCs anyway.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, January 26, 2007 7:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

What I would be interested to find out is:

1.  What is the WAN link speed for the proposed 2nd AD site?
2.  How much free available bandwidth do you have between the two desired sites?
3.  How many users sit in the proposed 2nd AD site?

If you have a fast reliable WAN connection (like a pair of bonded T-1s or 
higher) between the 2 sites then perhaps you don't need the 2nd site.

I understand subnetting and it's possible to use a different subnet mask to 
achieve a separate subnet.  However there should be a compelling reason to go 
to a second AD site before deploying it that requires it as this might save you 
making things more complex than required.

Regards,

Chuck


RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-26 Thread Brian Desmond
Yes. I have done this in organizations with hundreds of sites and a well 
designed subnetting scheme.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 4:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Overlapping AD Subnet Boundaries


Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, 
and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD 
treat a client address of, say, 10.10.41.104 as a client on the secondary site, 
or will it default to the more general primary subnet? The reason I ask is we 
now have a need for a second AD site (I can see all the enterprise folks 
grinning now) and we have quite a number of other subnets that I'd have to 
manually enter if this is not the case. I don't mind doing it, but I was 
curious either way.

Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax
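
The matching rule discussed in this thread (a client in 10.10.41.0/24 lands in the secondary site even though 10.10.0.0/16 also covers it), as an added Python example that is not code from the list. The two subnets are the ones from the question; the site names "Primary" and "Secondary" and the extra client addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample data: subnets from the question, placeholder site names.
SUBNET_OBJECTS = {
    "10.10.0.0/16": "Primary",
    "10.10.41.0/24": "Secondary",
}


def build_table(subnet_objects):
    """Parse CIDR strings into networks, ordered most specific first.

    strict=True rejects entries with host bits set (e.g. 10.10.41.5/24).
    """
    table = [(ipaddress.ip_network(cidr, strict=True), site)
             for cidr, site in subnet_objects.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_client(table, client_ip):
    """Return (site, matching subnet) for the longest matching prefix,
    or (None, None) when no subnet object covers the address."""
    addr = ipaddress.ip_address(client_ip)
    for net, site in table:
        if addr in net:          # first hit is the longest prefix
            return site, str(net)
    return None, None


def nested_overrides(table):
    """List subnets carved out of a wider subnet that belongs to another site.

    These are the overlaps worth reviewing: every client in the narrow
    range is taken away from the wider subnet's site.
    """
    findings = []
    for narrow, narrow_site in table:
        for wide, wide_site in table:
            if (narrow.version == wide.version
                    and narrow.prefixlen > wide.prefixlen
                    and narrow.subnet_of(wide)
                    and narrow_site != wide_site):
                findings.append((str(narrow), narrow_site, str(wide), wide_site))
    return findings


def audit_clients(table, client_ips):
    """Map each client address to its site; uncovered clients map to None."""
    return {ip: site_for_client(table, ip)[0] for ip in client_ips}


if __name__ == "__main__":
    table = build_table(SUBNET_OBJECTS)
    for ip in ("10.10.41.104", "10.10.7.20", "192.168.5.9"):
        site, subnet = site_for_client(table, ip)
        print(f"{ip:15} -> {site or 'NO MATCHING SUBNET'} ({subnet})")
    for finding in nested_overrides(table):
        print("carve-out: %s (%s) inside %s (%s)" % finding)
```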


Re: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-26 Thread Joe Kaplan
That's basically the same thing I was trying to get at.  I'm aware that you 
can call the Domino object model from COM.  I wrote so much LotusScript back 
in the day that I always tended to think of them as being synonymous.  :)


My overall point was that I didn't think you'd have much success with using 
ADSI and LDAP to query the Domino directory, but I'd love to see someone try 
it and prove me wrong.


I do like your idea of using COM to glue the two things together, either 
through script or some other thing that can do COM like PowerShell, VB6 or 
.NET (or C++ if you like that sort of thing).


Joe K.

- Original Message - 
From: "Dave Wade" <[EMAIL PROTECTED]>

To: 
Sent: Friday, January 26, 2007 6:30 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT



If you want to query Notes and AD in the same script you don't need to use 
LotusScript you can use VBSCRIPT. There is a set of objects that allow 
access to NOTES provided you have the notes client installed. They are 
documented in the Notes help file. Basically they are the same as the 
interfaces LotusScript uses. I seem to recall that LotusScript is virtually 
the same as VB Script/VBA but tweaked enough so Lotus/IBM does not have to 
pay MS license for VBA/Vbscript.


I used to have some examples to do that and if you need them I could 
probably fish them out...


Dave.



From: [EMAIL PROTECTED] on behalf of Joe Kaplan
Sent: Fri 26/01/2007 22:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT



I'd be pretty surprised if you can get ADSI to query Domino via LDAP, as
ADSI likes to use Windows auth by default and depends on the LDAP directory
to support the LDAP V3 subschemaSubentry rootDSE attribute to express its
abstract schema in order for ADSI to map LDAP data types to COM datatypes.
It might work, but I'd be more surprised if it did than didn't.  A lower
level LDAP tool like ADFind might make more progress, though.

Having done a lot of Domino programming back in "the day", my suggestion
would be to write a LotusScript program that goes against the NAB and gets
the addresses that way.  It would probably be less effort in the long run.
If I was asked to do the exact same thing, that is definitely how I'd do it.

If you do get ADSI/LDAP via VBScript to work against Domino, I'd be curious
to hear about it.  :)

Joe K.

- Original Message -
From: Douglas W Stelley
To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 3:13 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT



I really don't see that much in the enterprise version of MIIS that'll
justify the cost. We have some tools/program files that query LDAP for valid
email addresses (GFI for one). I'd just like to be able to pull all email
addresses out of Lotus/Domino so I can populate AD correctly. Of course I
could do it manually. And Domino does support and use LDAP, but I don't have
enough experience with Domino to build a script.


Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]


"Laura A. Robinson" <[EMAIL PROTECTED]>
Sent by: <[EMAIL PROTECTED]>
01/26/2007 12:51 PM Please respond to


To
cc
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Have you looked at MIIS?

Laura



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT


Same topic, but this one is for Notes Admin/Gurus as well.

I populate the mail attribute in AD with the Notes Users primary internet
address. Does anyone have a script or method that will allow me to publish
in AD the same info for groups and other addresses for users.

Even something that can query Domino for all users and groups and return all
addresses into a file, I can use that as a basis to update AD with proxy
info etc.
Thanks in advance.

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]

"Brian Cline" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/26/2007 09:47 AM
Please respond to
ActiveDir@mail.activedir.org

To
cc
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Ah, yes, good call. Almost forgot that it changes that, too.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James
Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP:
address.


--James

-Original Message-
From: [EM

Re: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-26 Thread ChuckGaff
What I would be interested to find out is:

1.  What is the WAN link speed for the proposed 2nd AD site?
2.  How much free available bandwidth do you have between the two desired 
sites?
3.  How many users sit in the proposed 2nd AD site?

If you have a fast reliable WAN connection (like a pair of bonded T-1s or 
higher) between the 2 sites then perhaps you don't need the 2nd site.

I understand subnetting and it's possible to use a different subnet mask to 
achieve a separate subnet.  However there should be a compelling reason to go 
to a second AD site before deploying it that requires it as this might save you 
making things more complex than required.

Regards,

Chuck


RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-26 Thread Dave Wade
 
If you want to query Notes and AD in the same script you don't need to use 
LotusScript you can use VBSCRIPT. There is a set of objects that allow access 
to NOTES provided you have the notes client installed. They are documented in 
the Notes help file. Basically they are the same as the interfaces LotusScript 
uses. I seem to recall that LotusScript is virtually the same as VB Script/VBA 
but tweaked enough so Lotus/IBM does not have to pay MS license for 
VBA/Vbscript.
 
I used to have some examples to do that and if you need them I could probably 
fish them out...
 
Dave.
 


From: [EMAIL PROTECTED] on behalf of Joe Kaplan
Sent: Fri 26/01/2007 22:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT



I'd be pretty surprised if you can get ADSI to query Domino via LDAP, as
ADSI likes to use Windows auth by default and depends on the LDAP directory
to support the LDAP V3 subschemaSubentry rootDSE attribute to express its
abstract schema in order for ADSI to map LDAP data types to COM datatypes.
It might work, but I'd be more surprised if it did than didn't.  A lower
level LDAP tool like ADFind might make more progress, though.

Having done a lot of Domino programming back in "the day", my suggestion
would be to write a LotusScript program that goes against the NAB and gets
the addresses that way.  It would probably be less effort in the long run.
If I was asked to do the exact same thing, that is definitely how I'd do it.

If you do get ADSI/LDAP via VBScript to work against Domino, I'd be curious
to hear about it.  :)

Joe K.

- Original Message -----
From: Douglas W Stelley
To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 3:13 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT



I really don't see that much in the enterprise version of MIIS that'll
justify the cost. We have some tools/program files that query LDAP for valid
email addresses (GFI for one). I'd just like to be able to pull all email
addresses out of Lotus/Domino so I can populate AD correctly. Of course I
could do it manually. And Domino does support and use LDAP, but I don't have
enough experience with Domino to build a script.


Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]


"Laura A. Robinson" <[EMAIL PROTECTED]>
Sent by: <[EMAIL PROTECTED]>
01/26/2007 12:51 PM Please respond to


To
cc
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Have you looked at MIIS?

Laura



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT


Same topic, but this one is for Notes Admin/Gurus as well.

I populate the mail attribute in AD with the Notes Users primary internet
address. Does anyone have a script or method that will allow me to publish
in AD the same info for groups and other addresses for users.

Even something that can query Domino for all users and groups and return all
addresses into a file, I can use that as a basis to update AD with proxy
info etc.
Thanks in advance.

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]

"Brian Cline" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/26/2007 09:47 AM
Please respond to
ActiveDir@mail.activedir.org

To
cc
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Ah, yes, good call. Almost forgot that it changes that, too.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James
Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP:
address.


--James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an
address that already exists as a secondary, does ADUC do anything more
than change the prefix on the old primary address from 'SMTP' to 'smtp'
and vice-versa for the new primary?


Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ho

RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-26 Thread Almeida Pinto, Jorge de
it will go for the second site 10.10.41.0/24 (= best matching)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : 



From: [EMAIL PROTECTED] on behalf of Brian Cline
Sent: Fri 2007-01-26 22:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Overlapping AD Subnet Boundaries



Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, 
and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD 
treat a client address of, say, 10.10.41.104 as a client on the secondary site, 
or will it default to the more general primary subnet? The reason I ask is we 
now have a need for a second AD site (I can see all the enterprise folks 
grinning now) and we have quite a number of other subnets that I'd have to 
manually enter if this is not the case. I don't mind doing it, but I was 
curious either way.

Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax




Re: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-26 Thread ChuckGaff
What are the criteria you are using to say you need another site?  That's the 
first question to ask - maybe you think you need one and you don't --

Chuck


Re: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-26 Thread Joe Kaplan
I'd be pretty surprised if you can get ADSI to query Domino via LDAP, as 
ADSI likes to use Windows auth by default and depends on the LDAP directory 
to support the LDAP V3 subschemaSubentry rootDSE attribute to express its 
abstract schema in order for ADSI to map LDAP data types to COM datatypes. 
It might work, but I'd be more surprised if it did than didn't.  A lower 
level LDAP tool like ADFind might make more progress, though.


Having done a lot of Domino programming back in "the day", my suggestion 
would be to write a LotusScript program that goes against the NAB and gets 
the addresses that way.  It would probably be less effort in the long run. 
If I was asked to do the exact same thing, that is definitely how I'd do it.


If you do get ADSI/LDAP via VBScript to work against Domino, I'd be curious 
to hear about it.  :)


Joe K.

- Original Message - 
From: Douglas W Stelley

To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 3:13 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT



I really don't see that much in the enterprise version of MIIS that'll 
justify the cost. We have some tools/program files that query LDAP for valid 
email addresses (GFI for one). I'd just like to be able to pull all email 
addresses out of Lotus/Domino so I can populate AD correctly. Of course I 
could do it manually. And Domino does support and use LDAP, but I don't have 
enough experience with Domino to build a script.



Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]


"Laura A. Robinson" <[EMAIL PROTECTED]>
Sent by: <[EMAIL PROTECTED]>
01/26/2007 12:51 PM Please respond to


To
cc
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT







Have you looked at MIIS?

Laura



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley

Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT


Same topic, but this one is for Notes Admin/Gurus as well.

I populate the mail attribute in AD with the Notes Users primary internet 
address. Does anyone have a script or method that will allow me to publish 
in AD the same info for groups and other addresses for users.


Even something that can query Domino for all users and groups and return all 
addresses into a file, I can use that as a basis to update AD with proxy 
info etc.

Thanks in advance.

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]

"Brian Cline" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/26/2007 09:47 AM
Please respond to
ActiveDir@mail.activedir.org

To
cc
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?









Ah, yes, good call. Almost forgot that it changes that, too.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James
Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP:
address.


--James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an
address that already exists as a secondary, does ADUC do anything more
than change the prefix on the old primary address from 'SMTP' to 'smtp'
and vice-versa for the new primary?


Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


-Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to
query
for users that have secondary addresses vs. only having a primary and
there
isn't any practical way to just get the secondary addresses out of the
proxyAddresses attribute.  You essentially need to get all the data and
then
check for the values that are prefixed with lower case "smtp".

Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP
itself doesn't help much.

Joe K.

----- Original Message - 
From: Ulf B. Simon-Weidner

To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?


Hi Stu,

I don't think there's a way to expose mul

RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-26 Thread Thommes, Michael M.
An AD client will try to associate itself with the site that is most
specific for its IP.

 

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Overlapping AD Subnet Boundaries

 

Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary
site, and another subnet as 10.10.41.0/24 and assign it to a secondary
site. Will AD treat a client address of, say, 10.10.41.104 as a client
on the secondary site, or will it default to the more general primary
subnet? The reason I ask is we now have a need for a second AD site (I
can see all the enterprise folks grinning now) and we have quite a
number of other subnets that I'd have to manually enter if this is not
the case. I don't mind doing it, but I was curious either way.

Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax
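
The most-specific-match rule stated in the replies, modelled as an added example (not code from any poster, and not AD's own implementation). The subnet table mirrors the question, the site names `Primary` and `Secondary` are hypothetical labels, and `overlaps()` lists the broad/narrow pairs worth reviewing whenever subnets are added.

```python
import ipaddress

# Constructed subnet-to-site table mirroring the question: a broad /16 on the
# primary site and a more specific /24 on the secondary site.
# The site names are hypothetical.
SUBNETS = {
    "10.10.0.0/16": "Primary",
    "10.10.41.0/24": "Secondary",
}


def site_for(client_ip, subnets=SUBNETS):
    """Return (subnet, site) for the longest-prefix match, or None if unmapped."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        # Keep the containing subnet with the longest prefix (most specific).
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return None if best is None else (str(best[0]), best[1])


def overlaps(subnets=SUBNETS):
    """List (broad, broad_site, narrow, narrow_site) where a narrower subnet
    inside a broader one is assigned to a different site."""
    nets = [(ipaddress.ip_network(c), s) for c, s in subnets.items()]
    found = []
    for outer, outer_site in nets:
        for inner, inner_site in nets:
            if outer != inner and inner.subnet_of(outer) and outer_site != inner_site:
                found.append((str(outer), outer_site, str(inner), inner_site))
    return found


if __name__ == "__main__":
    # 10.10.41.104 is the client address from the question; the others are
    # constructed to show the fallback to the /16 and the unmapped case.
    for addr in ("10.10.41.104", "10.10.42.7", "192.168.1.5"):
        print(addr, "->", site_for(addr))
    for row in overlaps():
        print("overlap:", row)
```

A client that matches no subnet object returns `None` here; those are the addresses to chase down when auditing the subnet list.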



RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-26 Thread Kevin Brunson
I don't know how AD would handle it.  However, if someone else chimes in
with "That will blow everything up!" then it seems like maybe you could
go with /19 or /20 networks at the primary site in AD and then manually
add any of the other ones that don't fit nicely.  Maybe that could save
you some work??

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Overlapping AD Subnet Boundaries

 

Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary
site, and another subnet as 10.10.41.0/24 and assign it to a secondary
site. Will AD treat a client address of, say, 10.10.41.104 as a client
on the secondary site, or will it default to the more general primary
subnet? The reason I ask is we now have a need for a second AD site (I
can see all the enterprise folks grinning now) and we have quite a
number of other subnets that I'd have to manually enter if this is not
the case. I don't mind doing it, but I was curious either way.

Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax



Re: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-26 Thread Mathieu CHATEAU
Is it really 10.10.0.0/16 or a mistake (/24)?
Because your first site won't be able to join the other one as it will think 
it's local and won't send packets to the gateway (if it's really a /16). 

If it's a real /24, then it will work as expected (10.10.41.104 will be 
attached to the secondary site).

If it's a /16 and you need a router between both sites, your configuration can't 
work from a network point of view.
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


  - Original Message - 
  From: Brian Cline 
  To: ActiveDir@mail.activedir.org 
  Sent: Friday, January 26, 2007 10:19 PM
  Subject: [ActiveDir] Overlapping AD Subnet Boundaries


  Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, 
and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD 
treat a client address of, say, 10.10.41.104 as a client on the secondary site, 
or will it default to the more general primary subnet? The reason I ask is we 
now have a need for a second AD site (I can see all the enterprise folks 
grinning now) and we have quite a number of other subnets that I'd have to 
manually enter if this is not the case. I don't mind doing it, but I was 
curious either way.

  Brian Cline, Applications Developer
  Department of Information Technology
  G&P Trucking Company, Inc.
  803.936.8595 Direct Line
  800.922.1147 Toll-Free (x8595)
  803.739.1176 Fax




[ActiveDir] Overlapping AD Subnet Boundaries

2007-01-26 Thread Brian Cline
Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary
site, and another subnet as 10.10.41.0/24 and assign it to a secondary
site. Will AD treat a client address of, say, 10.10.41.104 as a client
on the secondary site, or will it default to the more general primary
subnet? The reason I ask is we now have a need for a second AD site (I
can see all the enterprise folks grinning now) and we have quite a
number of other subnets that I'd have to manually enter if this is not
the case. I don't mind doing it, but I was curious either way.

Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax




RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-26 Thread Douglas W Stelley
I really don't see that much in the enterprise version of MIIS that'll 
justify the cost. We have some tools/program files that query LDAP for 
valid email addresses (GFI for one). I'd just like to be able to pull all 
email addresses out of Lotus/Domino so I can populate AD correctly. Of 
course I could do it manually. And Domino does support and use LDAP, but I 
don't have enough experience with Domino to build a script.


Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]



"Laura A. Robinson" <[EMAIL PROTECTED]> 
Sent by: <[EMAIL PROTECTED]>
01/26/2007 12:51 PM
Please respond to



To

cc

Subject
RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT






Have you looked at MIIS?
 
Laura

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT


Same topic, but this one is for Notes Admin/Gurus as well. 

I populate the mail attribute in AD with the Notes Users primary internet 
address. Does anyone have a script or method that will allow me to publish 
in AD the same info for groups and other addresses for users. 

Even something that can query Domino for all users and groups and return 
all addresses into a file, I can use that as a basis to update AD with 
proxy info etc. 
Thanks in advance. 

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED] 


"Brian Cline" <[EMAIL PROTECTED]> 
Sent by: [EMAIL PROTECTED] 
01/26/2007 09:47 AM 

Please respond to
ActiveDir@mail.activedir.org



To
 
cc

Subject
RE: [ActiveDir] How to find non-primary SMTP addresses?








Ah, yes, good call. Almost forgot that it changes that, too.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James
Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP:
address.


--James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an
address that already exists as a secondary, does ADUC do anything more
than change the prefix on the old primary address from 'SMTP' to 'smtp'
and vice-versa for the new primary?


Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to
query 
for users that have secondary addresses vs. only having a primary and
there 
isn't any practical way to just get the secondary addresses out of the 
proxyAddresses attribute.  You essentially need to get all the data and
then 
check for the values that are prefixed with lower case "smtp".

Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP 
itself doesn't help much.

Joe K.

- Original Message - 
From: Ulf B. Simon-Weidner
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?


Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE - 
you'd either have to use LDIFDE or VBScript or anything else to view all
values of those attributes.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
 Profile & Publications: 
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Freitag, 26. Januar 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every 
Exchange user?  I can't seem to find a way via csvde, but maybe I'm
doing 
something wrong.  Thanks again. 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx

Re: [ActiveDir] "Add or Remove Programs" GPO

2007-01-26 Thread Matheesha Weerasinghe

Might it be worth running something like filemon and regmon and
checking what's happening?

On 1/26/07, Bart Van den Wyngaert <[EMAIL PROTECTED]> wrote:

That opens the snap-in...

So through the Control Panel it doesn't work, directly running the .cpl it
does. Still don't understand it totally though...



On 1/25/07, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:
>
>
>
>
> You would not get a permissions problem from that admin. templates policy.
They just don't work that way. So my guess is it's something else. What
happens, as administrator, when you run "appwiz.cpl" from a command prompt?
>
>
>
> Darren
>
>
>
>
>
>
> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Bart Van den Wyngaert
> Sent: Thursday, January 25, 2007 4:31 AM
>
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] "Add or Remove Programs" GPO
>
>
>
>
>
>
>
>
>
> I did, but the local administrators group has full control on the file.
And of course, my AD admin account is part of the local administrators group
on the workstations (naturally).
>
>
>
>
>
> That's the reason I absolutely don't have a clue, I don't see the relation
in restrictions put in place and the effect on the admin account and when I
start looking for that error message, I don't make progress either...
>
>
>
>
> On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:
>
>
>
> So what is the NTFS security on
C:\WINNT\System32\rundll32.exe?  The error message could
naturally be a false hint, but might as well check it out.
>
>
>
>
> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Bart Van den Wyngaert
> Sent: Donnerstag, 25. Januar 2007 12:00
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] "Add or Remove Programs" GPO
>
>
>
>
>
> No NTFS or other restrictions set in that GPO or the PC GPO.
>
>
> Only some other restrictions like no access to control panel, no
messenger, ... stuff.
>
>
>
>
>
> These apply to the specific Users OU + Computer OU, making a User & PC
configuration for those PC's + Users (certain department).
>
>
>
>
>
> My admin account is totally somewhere else in the directory without those
GPO's applied to. The restrictions in the Computer GPO are also not set to
block the admin. I can drilldown the Computer GPO if you want, as I don't
see any relevant setting in it. Otherwise I would be blocking myself and
that's just the point I don't want...
>
>
>
>
>
> Thanks,
>
>
> Bart
>
>
>
>
> On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:
>
>
>
> What other things did you change in the same or other GPOs that apply to
the machine you're logging on as admin?  If you've applied some lockdown
GPOs for file-system permissions, those will also apply for your admins
>
>
>
> /Guido
>
>
>
>
> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Bart Van den Wyngaert
> Sent: Mittwoch, 24. Januar 2007 17:38
> To: ActiveDir
> Subject: [ActiveDir] "Add or Remove Programs" GPO
>
>
>
>
>
> Hi,
>
>
>
>
>
> I've set a GPO for some users that restricts usage of "Add or Remove
Programs" (User Configuration\Administrative Templates\Control Panel\Add or
Remove Programs). This GPO is linked to a specific OU where those users
reside.
>
>
>
>
>
> But now I have even with admin accounts to which the GPO doesn't apply
(totally different OU location and so on...) problems with opening the
interface, it refers to security that is not correct on
C:\WINNT\System32\rundll32.exe
>
>
>
>
>
> Is this normal?! Did I miss something before setting this GPO?
>
>
>
>
>
> Thanks,
>
>
> Bart
>
>
>
>





RE: [ActiveDir] How to find non-primary SMTP addresses?

2007-01-26 Thread Fuller, Stuart
Here is a cheesy VB script to list email addresses and kick them to a
CSV file***.  It's not horribly efficient, tight coding, or cleaned up
very much but it has worked for me. Remember to replace the 
with yours and you may have to adjust the page size if you have more
than 2000 objects.  Also watch for line feeds in the code that may be
email caused.

Have fun..
_Stuart Fuller

(***Full disclaimer of liability - use at own risk)

---
'--
'ListUsers Email Script
'Stuart Fuller
'7/7/05
'--

Dim adsComputer
Dim adsOU
Dim operatingSystem
Dim osVersion
Dim servicePack
Dim fileSys
Dim fileTxt
Const ForReading = 1, ForWriting = 2, ForAppending = 8

wscript.echo "Start"

'Create the output file
set fileSys = CreateObject("Scripting.FileSystemObject")
Set fileTxt = fileSys.OpenTextFile("QueryOutput.csv", ForWriting, True)
fileTxt.Writeline("First Name, Last Name, ID, Primary Mail Address,,Additional Email Addresses")

'Create the connection to AD
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

'Set the SQL type query against AD
'REPLACE  with OU or domain you want to query in the objCommand.CommandText line
'Example 'LDAP://ou=users,dc=joeware,dc=com'
objCommand.CommandText = "Select givenName, sn, sAMaccountName, mail, ADsPath from ''" _
    & " where objectClass='user' AND objectCategory='Person'"
objCommand.Properties("Page Size") = 2000
objCommand.Properties("Timeout") = 60
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

'Loop through the returned records
Do Until objRecordSet.EOF
    strGName = objRecordSet.Fields("givenName").value
    strSName = objRecordSet.Fields("sn").value
    strMail = objRecordSet.Fields("mail").value
    strSAM = objRecordSet.Fields("sAMaccountName").value

    'In order to get the multi-valued attribute go get the user object
    'and then query the proxyAddresses attribute
    Set objUser = GetObject(objRecordSet.Fields("ADsPath").value)
    On Error Resume Next
    For Each strProxyAddress In objUser.ProxyAddresses
        'Keep only SMTP (primary) and smtp (secondary) entries
        strAdd = Left(strProxyAddress, 4)
        If ((strAdd = "SMTP") Or (strAdd = "smtp")) Then
            'Drop the 5-character "SMTP:" prefix
            strAddress = Right(strProxyAddress, Len(strProxyAddress) - 5)
            strAddAll = strAddAll & strAddress & ","
        End If
    Next
    fileTxt.WriteLine(strGName & "," & strSName & "," & strSAM & "," & strMail & ", ," & strAddAll)

    'Since we are using strAddAll as additive - clear the vars
    strAddress = Null
    strAddAll = Null

    'Go grab the next record and restart loop
    objRecordSet.MoveNext
Loop

wscript.echo "DONE"



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 25, 2007 11:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

 
Yeah JoeK is right on, nothing in LDAP will help you with this. The
proxyAddresses attribute is case insensitive so there is no way to query
to
just get addresses that are secondary. 

AdFind can help with this in a small perl script. You use the CSV
capability
of AdFind combined with its ability to only display the multivalue
attributes that have a string match to smtp (AdFind isn't case sensitive
either for this query). That simply outputs just smtp addresses so it is
nice and clean. The perl script would look something like


@out=`adfind -sc exchaddresses:smtp -csv -nocsvheader`;

foreach $thisline (@out)
 {
  next unless $thisline=~/smtp:.+/;
  $thisline=~s/(SMTP:.+)([\";])/$2/; # strip out primary
  $thisline=~s/;{2,}/;/; # cleanup multiple semicolons
  $thisline=~s/;\"/\"/; # cleanup semicolon/quote
  print $thisline;
 }



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday, January 25, 2007 7:52 PM
To: ActiveDir@mail.activ
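
Because LDAP matching on proxyAddresses is case-insensitive, the primary/secondary split discussed in this thread has to be made client-side. The following added example (not code from any poster) does that over an LDIF export such as LDIFDE writes, and flags entries where `mail` differs from the `SMTP:` value. The sample entries are constructed, and treating any prefix other than exact upper-case `SMTP` as secondary is an assumption.

```python
import base64

# Constructed sample in LDIF form; names and addresses are made up.
# It includes a folded line and a base64 ("::") value, both of which
# appear in real LDIF exports.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=example,DC=com
mail: alice@example.com
proxyAddresses: SMTP:alice@example.com
proxyAddresses: smtp:alice.example@example.com
proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Example;g=Alice;
proxyAddresses: smtp:a.very.long.secondary.alias.for.alice@mail.exam
 ple.com

dn: CN=Bob Example,OU=Users,DC=example,DC=com
mail: bob.old@example.com
proxyAddresses: smtp:bob.old@example.com
proxyAddresses:: U01UUDpib2JAZXhhbXBsZS5jb20=

dn: CN=Carol Example,OU=Users,DC=example,DC=com
mail: carol@example.com
proxyAddresses: smtp:carol@example.com
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> values."""
    # Unfold: a line starting with a single space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], {}
    for line in lines:
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):        # LDIF comment
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):       # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip(" ")
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def audit_entry(entry):
    """Split proxyAddresses by prefix case and report inconsistencies."""
    primary, secondary = [], []
    for value in entry.get("proxyaddresses", []):
        prefix, _, address = value.partition(":")
        if prefix == "SMTP":                 # upper case marks the primary
            primary.append(address)
        elif prefix.lower() == "smtp":       # assumption: any other case is secondary
            secondary.append(address)
        # Other address types (X400, ...) are ignored.

    findings = []
    if len(primary) != 1:
        findings.append("expected exactly one SMTP: value, found %d" % len(primary))
    mail = (entry.get("mail") or [""])[0]
    if primary and mail.lower() != primary[0].lower():
        findings.append("mail attribute does not match primary address")
    return {"dn": entry["dn"][0], "primary": primary,
            "secondary": secondary, "findings": findings}


if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        result = audit_entry(e)
        print(result["dn"])
        print("  primary  :", result["primary"])
        print("  secondary:", result["secondary"])
        for f in result["findings"]:
            print("  FINDING  :", f)
```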

[ActiveDir] OT: Deploying Visio 2007 via Group Policy

2007-01-26 Thread Salandra, Justin A.
I wanted to post this and see what kind of feedback I get from this
group, maybe some of you have tried this already.

 

 

When modifying the config.xml I was able to enter in the license info,
however the .msp that I created and placed in the Updates folder did
nothing.  When I ran the .msp manually it appeared to do what I wanted,
like placing the icon on the desktop.

 

Is there a way to run the msiexec command to update the VisProWW.msi
file with the updates from the .msp.  Apparently, all the statements
from Microsoft that anything in this folder will be installed and
applied during initial install is false.  Unless this statement is if
installing it manually and not via Group Policy.

 

Justin A. Salandra

MCSE Windows 2000 & 2003

Network and Technology Services Manager

Catholic Healthcare System

646.505.3681 - office

917.455.0110 - cell

[EMAIL PROTECTED]  

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Darren Mar-Elia
Sent: Friday, January 26, 2007 10:36 AM
To: [EMAIL PROTECTED]
Subject: [gptalk] Re: Push out Visio 2007 via Group Policy

 

Right. If you go to the archive for this list, Michael Pietrzak had
posted some items about this. I don't believe the .msp buys you anything
in terms of customization. I hope to test some of this today, however.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Salandra, Justin A.
Sent: Friday, January 26, 2007 7:31 AM
To: [EMAIL PROTECTED]
Subject: [gptalk] Re: Push out Visio 2007 via Group Policy

 

What about using the setup.exe /admin switch to create the .msp file?  I
read that if you leave the .msp file in the Updates folder of the folder
structure on the network share that it will apply it during
installation.  I am not sure I believe this works, because an
installation of Visio 2007 pushed out but once I opened the product it
asked me for the CD Key which I had already put in the .msp file that I
created.

 

Justin A. Salandra

MCSE Windows 2000 & 2003

Network and Technology Services Manager

Catholic Healthcare System

646.505.3681 - office

917.455.0110 - cell

[EMAIL PROTECTED]  

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Darren Mar-Elia
Sent: Thursday, January 25, 2007 4:50 PM
To: [EMAIL PROTECTED]
Subject: [gptalk] Re: Push out Visio 2007 via Group Policy

 

Good question Justin. Actually it is possible to deploy Office 2007
through GP but it has completely changed. You no longer create an admin
install point. You just copy the CD bits to the share. And, it no
longer supports transforms. You have a file called config.xml that
supports minimal customization that you put in the install directory
along with the bits. Really a step back actually. MS used to have a
TechNet article describing this but they pulled it recently. However,
thanks to the wonders of Google, you can still find it cached at 

 
http://209.85.165.104/search?q=cache:kLaHkfhp8PoJ:technet2.microsoft.com/Office/en-us/library/efd0ee45-9605-42d3-9798-3b698fff3e081033.mspx+config.xml+office+2007+"Group+Policy"&hl=en&gl=us&ct=clnk&cd=1
 

 

Darren

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Salandra, Justin A.
Sent: Thursday, January 25, 2007 11:26 AM
To: [EMAIL PROTECTED]
Subject: [gptalk] Push out Visio 2007 via Group Policy

 

Does anyone know how the Office 2007 products can be pushed out via
group policy?  How do you create an administrative installation point?
How do you include customizations?

 

Justin A. Salandra

MCSE Windows 2000 & 2003

Network and Technology Services Manager

Catholic Healthcare System

646.505.3681 - office

917.455.0110 - cell

[EMAIL PROTECTED]  

 

 

 

Justin A. Salandra

MCSE Windows 2000 & 2003

Network and Technology Services Manager

Catholic Healthcare System

646.505.3681 - office

917.455.0110 - cell

[EMAIL PROTECTED]  

 



RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-26 Thread Laura A. Robinson
Have you looked at MIIS?
 
Laura



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT



Same topic, but this one is for Notes Admin/Gurus as well. 

I populate the mail attribute in AD with the Notes Users primary internet
address. Does anyone have a script or method that will allow me to publish
in AD the same info for groups and other addresses for users. 

Even something that can query Domino for all users and groups and return all
addresses into a file, I can use that as a basis to update AD with proxy
info etc. 
Thanks in advance. 

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED] 



"Brian Cline" <[EMAIL PROTECTED]> 
Sent by: [EMAIL PROTECTED] 


01/26/2007 09:47 AM 


Please respond to
ActiveDir@mail.activedir.org



To
 

cc

Subject
RE: [ActiveDir] How to find non-primary SMTP addresses?






Ah, yes, good call. Almost forgot that it changes that, too.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James
Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP:
address.


--James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an
address that already exists as a secondary, does ADUC do anything more
than change the prefix on the old primary address from 'SMTP' to 'smtp'
and vice-versa for the new primary?


Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to
query 
for users that have secondary addresses vs. only having a primary and
there 
isn't any practical way to just get the secondary addresses out of the 
proxyAddresses attribute.  You essentially need to get all the data and
then 
check for the values that are prefixed with lower case "smtp".

Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP 
itself doesn't help much.

Joe K.

- Original Message - 
From: Ulf B. Simon-Weidner
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?


Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE - 
you'd either have to use LDIFDE or VBScript or anything else to view all
values of those attributes.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
 Profile & Publications: 
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Freitag, 26. Januar 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every 
Exchange user?  I can't seem to find a way via csvde, but maybe I'm
doing 
something wrong.  Thanks again. 

 


[ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-26 Thread Douglas W Stelley
Same topic, but this one is for Notes Admin/Gurus as well.

I populate the mail attribute in AD with the Notes user's primary internet
address. Does anyone have a script or method that will allow me to publish
in AD the same info for groups and other addresses for users?

Even something that can query Domino for all users and groups and return 
all addresses into a file, I can use that as a basis to update AD with 
proxy info etc.
Thanks in advance.

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]



"Brian Cline" <[EMAIL PROTECTED]> 
Sent by: [EMAIL PROTECTED]
01/26/2007 09:47 AM
Please respond to: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?






Ah, yes, good call. Almost forgot that it changes that, too.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James
Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP: address.


--James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an
address that already exists as a secondary, does ADUC do anything more
than change the prefix on the old primary address from 'SMTP' to 'smtp'
and vice-versa for the new primary?


Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query
for users that have secondary addresses vs. only having a primary and there
isn't any practical way to just get the secondary addresses out of the
proxyAddresses attribute.  You essentially need to get all the data and then
check for the values that are prefixed with lower case "smtp".

Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP 
itself doesn't help much.

Joe K.

- Original Message - 
From: Ulf B. Simon-Weidner
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?


Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE -
you'd either have to use LDIFDE or VBScript or anything else to view all
values of those attributes.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, 26 January 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every
Exchange user?  I can't seem to find a way via csvde, but maybe I'm doing
something wrong.  Thanks again.




RE: [ActiveDir] How to find non-primary SMTP addresses?

2007-01-26 Thread Brian Cline
Ah, yes, good call. Almost forgot that it changes that, too.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James
Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP: address.


--James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an
address that already exists as a secondary, does ADUC do anything more
than change the prefix on the old primary address from 'SMTP' to 'smtp'
and vice-versa for the new primary?


Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query
for users that have secondary addresses vs. only having a primary and there
isn't any practical way to just get the secondary addresses out of the
proxyAddresses attribute.  You essentially need to get all the data and then
check for the values that are prefixed with lower case "smtp".

Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP 
itself doesn't help much.

Joe K.

----- Original Message - 
From: Ulf B. Simon-Weidner
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?


Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE -
you'd either have to use LDIFDE or VBScript or anything else to view all
values of those attributes.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, 26 January 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every
Exchange user?  I can't seem to find a way via csvde, but maybe I'm doing
something wrong.  Thanks again.



RE: [ActiveDir] How to find non-primary SMTP addresses?

2007-01-26 Thread Wells, James Arthur
The ADUC GUI does this, but I'm not sure what other tools do/don't do.  ADSI 
doesn't enforce this that I've seen, and I'm not even sure how the Recipient 
Update Service handles this.  We actually have an app that checks the FROM: 
address in a received email against that 'mail' attribute and rejects
things if they don't match.  I've had a few people over the past year suddenly 
complain, and it turns out that their 'mail' attribute DIDN'T update.

--James

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, January 26, 2007 7:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Huh. You're right.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James
Arthur
Sent: Friday, January 26, 2007 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP: address.


--James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an
address that already exists as a secondary, does ADUC do anything more
than change the prefix on the old primary address from 'SMTP' to 'smtp'
and vice-versa for the new primary?


Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query
for users that have secondary addresses vs. only having a primary and there
isn't any practical way to just get the secondary addresses out of the
proxyAddresses attribute.  You essentially need to get all the data and then
check for the values that are prefixed with lower case "smtp".

Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP 
itself doesn't help much.

Joe K.

- Original Message - 
From: Ulf B. Simon-Weidner
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?


Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE -
you'd either have to use LDIFDE or VBScript or anything else to view all
values of those attributes.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, 26 January 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every
Exchange user?  I can't seem to find a way via csvde, but maybe I'm doing
something wrong.  Thanks again.

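The checks discussed in this thread (pulling out the lower-case "smtp:" values of proxyAddresses, and spotting a 'mail' attribute that no longer matches the primary "SMTP:" value) can be run over an LDIF export. The following is an added example, not code from any list member; the function names and the sample entries are constructed for illustration, and it assumes the export contains dn, mail and proxyAddresses.

```python
import base64

# Constructed sample, laid out the way an LDIF export is: one "attr: value"
# line per value, a blank line between entries, long lines folded with a
# leading space, and "attr:: " marking a base64-encoded value.
SAMPLE_LDIF = "\n".join([
    "dn: CN=Alice Example,OU=Staff,DC=example,DC=test",
    "mail: alice@example.test",
    "proxyAddresses: SMTP:alice@example.test",
    "proxyAddresses: smtp:a.example@example.test",
    "proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Example;g=Alice;",
    "",
    # The primary was switched here, but 'mail' still holds the old address.
    "dn: CN=Bob Example,OU=Staff,DC=example,DC=test",
    "mail: bob@example.test",
    "proxyAddresses: smtp:bob@example.test",
    "proxyAddresses: SMTP:robert.example@exam",
    " ple.test",
    "",
    "dn: CN=Carol Example,OU=Staff,DC=example,DC=test",
    "mail: carol@example.test",
    "proxyAddresses:: " + base64.b64encode(b"SMTP:carol@example.test").decode(),
    "",
])


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> values."""
    # Unfold first: a line starting with a space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):       # LDIF comment
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):       # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        # Multivalued attributes simply repeat, so collect every value.
        current.setdefault(name.lower(), []).append(value)
    return entries


def split_proxy_addresses(values):
    """Split proxyAddresses into (primary, secondary, other address types)."""
    primary, secondary, other = [], [], []
    for value in values:
        prefix, _, address = value.partition(":")
        if prefix == "SMTP":           # upper case marks the primary
            primary.append(address)
        elif prefix.lower() == "smtp":
            # Assumption: any spelling other than all upper case is secondary.
            secondary.append(address)
        else:
            other.append(value)        # X400, etc. kept untouched
    return primary, secondary, other


def audit(entries):
    """List secondary addresses per entry and flag mail/primary mismatches."""
    report = []
    for entry in entries:
        primary, secondary, _ = split_proxy_addresses(
            entry.get("proxyaddresses", []))
        mail = (entry.get("mail") or [""])[0]
        problems = []
        if len(primary) != 1:
            problems.append(
                "expected exactly one SMTP: value, found %d" % len(primary))
        elif mail.lower() != primary[0].lower():
            problems.append(
                "mail=%s but primary is %s" % (mail, primary[0]))
        report.append({
            "dn": entry.get("dn", ["?"])[0],
            "secondary": secondary,
            "problems": problems,
        })
    return report


if __name__ == "__main__":
    for row in audit(parse_ldif(SAMPLE_LDIF)):
        print(row["dn"])
        print("  secondary:", ", ".join(row["secondary"]) or "(none)")
        for problem in row["problems"]:
            print("  PROBLEM:", problem)
```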


RE: [ActiveDir] How to find non-primary SMTP addresses?

2007-01-26 Thread Michael B. Smith
Huh. You're right.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James
Arthur
Sent: Friday, January 26, 2007 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP: address.


--James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an
address that already exists as a secondary, does ADUC do anything more
than change the prefix on the old primary address from 'SMTP' to 'smtp'
and vice-versa for the new primary?


Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query
for users that have secondary addresses vs. only having a primary and there
isn't any practical way to just get the secondary addresses out of the
proxyAddresses attribute.  You essentially need to get all the data and then
check for the values that are prefixed with lower case "smtp".

Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP 
itself doesn't help much.

Joe K.

- Original Message - 
From: Ulf B. Simon-Weidner
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?


Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE -
you'd either have to use LDIFDE or VBScript or anything else to view all
values of those attributes.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, 26 January 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every
Exchange user?  I can't seem to find a way via csvde, but maybe I'm doing
something wrong.  Thanks again.



RE: [ActiveDir] How to find non-primary SMTP addresses?

2007-01-26 Thread Michael B. Smith
Nope, that's it.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 8:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an
address that already exists as a secondary, does ADUC do anything more
than change the prefix on the old primary address from 'SMTP' to 'smtp'
and vice-versa for the new primary?


Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query
for users that have secondary addresses vs. only having a primary and there
isn't any practical way to just get the secondary addresses out of the
proxyAddresses attribute.  You essentially need to get all the data and then
check for the values that are prefixed with lower case "smtp".

Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP 
itself doesn't help much.

Joe K.

- Original Message - 
From: Ulf B. Simon-Weidner
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?


Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE -
you'd either have to use LDIFDE or VBScript or anything else to view all
values of those attributes.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, 26 January 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every
Exchange user?  I can't seem to find a way via csvde, but maybe I'm doing
something wrong.  Thanks again.



RE: [ActiveDir] How to find non-primary SMTP addresses?

2007-01-26 Thread Wells, James Arthur
It should also update the 'mail' attribute to the new primary SMTP: address.


--James

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an
address that already exists as a secondary, does ADUC do anything more
than change the prefix on the old primary address from 'SMTP' to 'smtp'
and vice-versa for the new primary?


Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query
for users that have secondary addresses vs. only having a primary and there
isn't any practical way to just get the secondary addresses out of the
proxyAddresses attribute.  You essentially need to get all the data and then
check for the values that are prefixed with lower case "smtp".

Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP 
itself doesn't help much.

Joe K.

----- Original Message - 
From: Ulf B. Simon-Weidner
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?


Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE -
you'd either have to use LDIFDE or VBScript or anything else to view all
values of those attributes.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, 26 January 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every
Exchange user?  I can't seem to find a way via csvde, but maybe I'm doing
something wrong.  Thanks again.



RE: [ActiveDir] How to find non-primary SMTP addresses?

2007-01-26 Thread Brian Cline
Out of curiosity, when setting a different primary e-mail address to an
address that already exists as a secondary, does ADUC do anything more
than change the prefix on the old primary address from 'SMTP' to 'smtp'
and vice-versa for the new primary?


Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query
for users that have secondary addresses vs. only having a primary and there
isn't any practical way to just get the secondary addresses out of the
proxyAddresses attribute.  You essentially need to get all the data and then
check for the values that are prefixed with lower case "smtp".

Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP 
itself doesn't help much.

Joe K.

- Original Message - 
From: Ulf B. Simon-Weidner
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?


Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE -
you'd either have to use LDIFDE or VBScript or anything else to view all
values of those attributes.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, 26 January 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every
Exchange user?  I can't seem to find a way via csvde, but maybe I'm doing
something wrong.  Thanks again.



RE: [ActiveDir] OT: How to find non-primary SMTP addresses?

2007-01-26 Thread Michael B. Smith
Nope.

 

I used adfind for the answer there, and another fellow used adfind plus
find.exe. About the same as he got here (excepting joe's neat little
perl script).

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, January 26, 2007 1:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: How to find non-primary SMTP addresses?

 

Were the answers along the lines of "it can't be done"?

 

http://www.akomolafe.com/Portals/1/Write%20out%20the%20SMTP%20Addresses%20of%20users%20OR%20Groups.txt

 

YMWV

 


Sincerely, 
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

 



From: Michael B. Smith
Sent: Thu 1/25/2007 5:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: How to find non-primary SMTP addresses?

I'm guessing you didn't like the answers you got on the exchange list?

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Thursday, January 25, 2007 6:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every
Exchange user?  I can't seem to find a way via csvde, but maybe I'm
doing something wrong.  Thanks again. 



Re: Re: [ActiveDir] remove orphan DC from the domain

2007-01-26 Thread Paul Williams
XFER = Short for transfer.  Sorry, I abbreviate most things.

Basically, in k3 SP1, if you run the metadata cleanup command on a dead DC that 
holds FSMO roles, the process will seize the roles to another server.  I'm not 
sure of the exact logic for the choice of server, IIRC it's something like 
local (site) and GC (unless it's the IM).  Dmitri, Brett, Eric, Dean or Joe can 
clarify the logic.

I would imagine it's using the same underlying code as the Seize option 
elsewhere with the tool, therefore it will try a TRANSFER first and only SEIZE 
if the transfer fails.

http://technet2.microsoft.com/WindowsServer/en/library/819bea8b-3889-4479-850f-1f031087693d1033.mspx?mfr=true


--Paul


  - Original Message - 
  From: Yann 
  To: ActiveDir@mail.activedir.org 
  Sent: Friday, January 26, 2007 8:43 AM
  Subject: RE : Re: [ActiveDir] remove orphan DC from the domain


  Really ?

  That is a very interesting... Could you develop this statement please ? What 
is a XFER ?
  When you say "it does a seize", that means it choose a DC nearby ? and seize 
*automatically* a seizure ?

  Thanks,

  Yann

  Paul Williams <[EMAIL PROTECTED]> wrote:
> If the DC that died had FSMO roles, you need to seize them (check which 
> DC had FSMO roles with --> NETDOM QUERY FSMO)

This step is no longer necessary in k3 SP1. NTDSUTIL does it for you. If I 
remember correctly, it tries a XFER and then does a Seize (as that's the 
logic for the Seize anyway).

I believe this was added in SP1.


--Paul

- Original Message - 
From: "Almeida Pinto, Jorge de" 
To: 
Sent: Friday, January 26, 2007 7:05 AM
Subject: RE: [ActiveDir] remove orphan DC from the domain


I forgot to mention:

* If the DC that died had FSMO roles, you need to seize them (check which DC
had FSMO roles with --> NETDOM QUERY FSMO)
* DNS records are NOT removed by the NTDSUTIL. Must be done manually or wait
if you have aging/scavenging enabled

Also make sure the GC role and DNS roles are hosted by other computers (other
DCs)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
( Tel : +31-(0)40-29.57.777
( Mobile : +31-(0)6-26.26.62.80
* E-mail : 



From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 01:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain



Thanks for your logic. I hope so in the remaining Dc it will do 
automatically.



Regards,



Senthil





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, January 26, 2007 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain



The AD metadata cleanup is nothing more than removal/deletion of objects
that belong to a DC that is not live anymore. Just like other object
deletions (user, group, etc) the deletions will replicate to other DCs
(assuming replication is working fine) that host the same partitions from
which the objects were removed. Because of that you only need to target ONE
live DC in the same domain when using NTDSUTIL.



Imagine a domain with a 1000 DCs. It would be a PITA to cleanup the AD
metadata of one of the DCs on the other 999 DCs... ;-))



Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services



LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

* Tel : +31-(0)40-29.57.777

* Mobile : +31-(0)6-26.26.62.80

* E-mail : 





From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 00:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove orphan DC from the domain

Hi,



We already had 3 DCs in our network. Suddenly one DC has gone down permanently.
That won't come back live. Right now we want to remove that orphan DC
completely. I have seen the Microsoft article



1. Click Start, point to Programs, point to Accessories, and then click
Command Prompt.

2. At the command prompt, type ntdsutil, and then press ENTER.

3. Type metadata cleanup, and then press ENTER. Based on the options given,
the administrator can perform the removal, but additional configuration
parameters must be specified before the removal can occur.

4. Type connections and press ENTER. This menu is used to connect to the
specific server where the changes occur. If the currently logged on user
does no

Re: RE : Re: [ActiveDir] remove orphan DC from the domain

2007-01-26 Thread Paul Williams

SP level doesn't matter when performing a seizure using NTDSUTIL.

I was referring to the fact that NTDSUTIL, as of k3 SP1, automatically tries 
to transfer and seize when you metadata cleanup.



--Paul

- Original Message - 
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" 
<[EMAIL PROTECTED]>

To: 
Sent: Friday, January 26, 2007 9:05 AM
Subject: Re: RE : Re: [ActiveDir] remove orphan DC from the domain


Just what it says... it first attempts to transfer the FSMO roles from the
one to the other...and if it can't find the proper DC.. it merely seizes
the roles.


It tries to negotiate politely with the role holder.. and if there is none 
for it to argue with it says "fine... I'm taking the roles".


I'm not sure sp1 matters does it?
http://support.microsoft.com/kb/255504

Yann wrote:

Really ?
 That is a very interesting... Could you develop this statement please ? 
What is a XFER ?
When you say "it does a seize", that means it choose a DC nearby ? and 
seize *automatically* a seizure ?

 Thanks,
 Yann

*/Paul Williams <[EMAIL PROTECTED]>/* wrote:

> If the DC that died had FSMO roles, you need to seize them
(check which
> DC had FSMO roles with --> NETDOM QUERY FSMO)

This step is no longer necessary in k3 SP1. NTDSUTIL does it for you. If I
remember correctly, it tries a XFER and then does a Seize (as that's the
logic for the Seize anyway).

I believe this was added in SP1.


--Paul

- Original Message -
From: "Almeida Pinto, Jorge de"
To:
Sent: Friday, January 26, 2007 7:05 AM
Subject: RE: [ActiveDir] remove orphan DC from the domain


I forgot to mention:

* If the DC that died had FSMO roles, you need to seize them (check which DC
had FSMO roles with --> NETDOM QUERY FSMO)
* DNS records are NOT removed by the NTDSUTIL. Must be done manually or wait
if you have aging/scavenging enabled

Also make sure the GC role and DNS roles are hosted by other computers (other
DCs)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
( Tel : +31-(0)40-29.57.777
( Mobile : +31-(0)6-26.26.62.80
* E-mail :



From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 01:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain



Thanks for your logic. I hope so in the remaining Dc it will do
automatically.



Regards,



Senthil





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida
Pinto,
Jorge de
Sent: Friday, January 26, 2007 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain



the AD metadata cleanup is nothing more than removal/deletion of objects
that belong to a DC that is not live anymore. Just like other object
deletions (user, group, etc) the deletions will replicate to other DCs
(assuming replication is working fine) that host the same partitions from
which the objects were removed. Because of that you only need to target ONE
live DC in the same domain when using NTDSUTIL.

Imagine a domain with 1000 DCs. It would be a PITA to clean up the AD
metadata of one of the DCs on the other 999 DCs... ;-))



Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services



LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

* Tel : +31-(0)40-29.57.777

* Mobile : +31-(0)6-26.26.62.80

* E-mail :





From: [EMAIL PROTECTED] on behalf of senthil Kumar
    Sent: Fri 2007-01-26 00:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove orphan DC from the domain

Hi,



We already had 3 DCs in our network. Suddenly one DC has gone down
permanently. That won't come back live. Right now we want to remove that
orphan DC completely. I have seen the Microsoft article:

1. Click Start, point to Programs, point to Accessories, and then click
   Command Prompt.

2. At the command prompt, type ntdsutil, and then press ENTER.

3. Type metadata cleanup, and then press ENTER. Based on the options given,
   the administrator can perform the removal, but additional configuration
   parameters must be specified before the removal can occur.

4. Type connections and press ENTER. This menu is used to connect to the
   specific server where the changes occur. If the currently logged on user
   does not have ad

Re: [ActiveDir] "Add or Remove Programs" GPO

2007-01-26 Thread Bart Van den Wyngaert

That opens the snap-in...

So through the Control Panel it doesn't work, directly running the .cpl it
does. Still don't understand it totally though...


On 1/25/07, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:


You would not get a permissions problem from that admin. templates
policy. They just don't work that way. So my guess is it's something else.
What happens, as administrator, when you run "appwiz.cpl" from a command
prompt?



Darren





*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Bart Van den Wyngaert
*Sent:* Thursday, January 25, 2007 4:31 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] "Add or Remove Programs" GPO



I did, but the local administrators group has full control on the file.
And of course, my AD admin account is part of the local administrators group
on the workstations (naturally).



That's the reason I absolutely don't have a clue, I don't see the relation
in restrictions put in place and the effect on the admin account and when I
start looking for that error message, I don't make progress either...



On 1/25/07, *Grillenmeier, Guido* <[EMAIL PROTECTED]> wrote:

So what is the NTFS security on C:\WINNT\System32\rundll32.exe?  The error
message could naturally be a false hint, but might as well check it out.



*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Bart Van den Wyngaert
*Sent:* Donnerstag, 25. Januar 2007 12:00
*To:* ActiveDir@mail.activedir.org
*Subject: *Re: [ActiveDir] "Add or Remove Programs" GPO



No NTFS or other restrictions set in that GPO or the PC GPO.

Only some other restrictions like no access to control panel, no
messenger, ... stuff.



These apply to the specific Users OU + Computer OU, making a User & PC
configuration for those PC's + Users (certain department).



My admin account is totally somewhere else in the directory without those
GPO's applied to. The restrictions in the Computer GPO are also not set to
block the admin. I can drilldown the Computer GPO if you want, as I don't
see any relevant setting in it. Otherwise I would be blocking myself and
that's just the point I don't want...



Thanks,

Bart



On 1/25/07, *Grillenmeier, Guido* <[EMAIL PROTECTED]> wrote:

What other things did you change in the same or other GPOs that apply to
the machine you're logging on as admin?  If you've applied some lockdown
GPOs for file-system permissions, those will also apply for your admins



/Guido



*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Bart Van den Wyngaert
*Sent:* Mittwoch, 24. Januar 2007 17:38
*To:* ActiveDir
*Subject:* [ActiveDir] "Add or Remove Programs" GPO



Hi,



I've set a GPO for some users that restricts usage of "Add or Remove
Programs" (User Configuration\Administrative Templates\Control Panel\Add or
Remove Programs). This GPO is linked to a specific OU where those users
reside.



But now I have even with admin accounts to which the GPO doesn't apply
(totally different OU location and so on...) problems with opening the
interface, it refers to security that is not correct on
C:\WINNT\System32\rundll32.exe



Is this normal?! Did I miss something before setting this GPO?



Thanks,

Bart







RE: [ActiveDir] remove orphan DC from the domain

2007-01-26 Thread Almeida Pinto, Jorge de
correct!
 
however he never mentioned the OS and SP level... ;-)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : 



From: [EMAIL PROTECTED] on behalf of Paul Williams
Sent: Fri 2007-01-26 09:25
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] remove orphan DC from the domain



>  If the DC that died had FSMO roles, you need to seize them (check which
> DC had FSMO roles with --> NETDOM QUERY FSMO)

This step is no longer necessary in k3 SP1.  NTDSUTIL does it for you.  If I
remember correctly, it tries a XFER and then does a Seize (as that's the
logic for the Seize anyway).

I believe this was added in SP1.


--Paul

- Original Message -
From: "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]>
To: 
Sent: Friday, January 26, 2007 7:05 AM
Subject: RE: [ActiveDir] remove orphan DC from the domain


I forgot to mention:

* If the DC that died had FSMO roles, you need to seize them (check which DC
had FSMO roles with --> NETDOM QUERY FSMO)
* DNS records are NOT removed by the NTDSUTIL. Must be done manually or wait
if you have aging/scavenging enabled

Also make sure the GC role and DNS roles are hosted by other computers (other
DCs)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : 



From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 01:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain



Thanks for your logic. I hope so in the remaining Dc it will do
automatically.



Regards,



Senthil





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Friday, January 26, 2007 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain



the AD metadata cleanup is nothing more than removal/deletion of objects
that belong to a DC that is not live anymore. Just like other object
deletions (user, group, etc) the deletions will replicate to other DCs
(assuming replication is working fine) that host the same partitions from
which the objects were removed. Because of that you only need to target ONE
live DC in the same domain when using NTDSUTIL.

Imagine a domain with 1000 DCs. It would be a PITA to clean up the AD
metadata of one of the DCs on the other 999 DCs... ;-))



Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services



LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

* Tel : +31-(0)40-29.57.777

*Mobile : +31-(0)6-26.26.62.80

*   E-mail  : 





From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 00:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove orphan DC from the domain

Hi,



We already had 3 DCs in our network. Suddenly one DC has gone down
permanently. That won't come back live. Right now we want to remove that
orphan DC completely. I have seen the Microsoft article:

1. Click Start, point to Programs, point to Accessories, and then click
   Command Prompt.

2. At the command prompt, type ntdsutil, and then press ENTER.

3. Type metadata cleanup, and then press ENTER. Based on the options given,
   the administrator can perform the removal, but additional configuration
   parameters must be specified before the removal can occur.

4. Type connections and press ENTER. This menu is used to connect to the
   specific server where the changes occur. If the currently logged on user
   does not have administrative permissions, different credentials can be
   supplied by specifying the credentials to use before making the
   connection. To do this, type set creds DomainName UserName Password, and
   then press ENTER. For a null password, type null for the password
   parameter.

5. Type connect to server servername, and then press ENTER. You should
   receive confirmation that the connection is successfully established. If
   an error occurs, verify that the domain controller being used in the
   connection is available and the credentials you supplied have
   administrative permissions on the server.

   Note: If you try to connect to the same server that you want to delete,
   when you try to delete the server that step 15 refers to, you may receive
   the following error message:

   Error 2094. The DSA Object cannot be deleted 0x2094

6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.

7. Type select operation target and press ENTER.

Re: RE : Re: [ActiveDir] remove orphan DC from the domain

2007-01-26 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Just what it says... it first attempts to transfer the FSMO roles from 
the one to the other...and if it can't find the proper DC.. it merely 
seizes the roles.


It tries to negotiate politely with the role holder.. and if there is 
none for it to argue with it says "fine... I'm taking the roles".


I'm not sure sp1 matters does it? 


http://support.microsoft.com/kb/255504

Yann wrote:

Really ?
 
That is very interesting... Could you develop this statement please?
What is a XFER?
When you say "it does a seize", that means it chooses a DC nearby? And
does a seizure *automatically*?
 
Thanks,
 
Yann


*/Paul Williams <[EMAIL PROTECTED]>/* a écrit :

> If the DC that died had FSMO roles, you need to seize them (check which
> DC had FSMO roles with --> NETDOM QUERY FSMO)

This step is no longer necessary in k3 SP1. NTDSUTIL does it for you. If I
remember correctly, it tries a XFER and then does a Seize (as that's the
logic for the Seize anyway).

I believe this was added in SP1.


--Paul

- Original Message -
From: "Almeida Pinto, Jorge de"
To:
Sent: Friday, January 26, 2007 7:05 AM
Subject: RE: [ActiveDir] remove orphan DC from the domain


I forgot to mention:

* If the DC that died had FSMO roles, you need to seize them (check which DC
had FSMO roles with --> NETDOM QUERY FSMO)
* DNS records are NOT removed by the NTDSUTIL. Must be done manually or wait
if you have aging/scavenging enabled

Also make sure the GC role and DNS roles are hosted by other computers (other
DCs)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
( Tel : +31-(0)40-29.57.777
( Mobile : +31-(0)6-26.26.62.80
* E-mail :



From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 01:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain



Thanks for your logic. I hope so in the remaining Dc it will do
automatically.



Regards,



Senthil





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida
Pinto,
Jorge de
Sent: Friday, January 26, 2007 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain



the AD metadata cleanup is nothing more than removal/deletion of objects
that belong to a DC that is not live anymore. Just like other object
deletions (user, group, etc) the deletions will replicate to other DCs
(assuming replication is working fine) that host the same partitions from
which the objects were removed. Because of that you only need to target ONE
live DC in the same domain when using NTDSUTIL.

Imagine a domain with 1000 DCs. It would be a PITA to clean up the AD
metadata of one of the DCs on the other 999 DCs... ;-))



Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services



LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

* Tel : +31-(0)40-29.57.777

* Mobile : +31-(0)6-26.26.62.80

* E-mail :





From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 00:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove orphan DC from the domain

Hi,



We already had 3 DCs in our network. Suddenly one DC has gone down
permanently. That won't come back live. Right now we want to remove that
orphan DC completely. I have seen the Microsoft article:

1. Click Start, point to Programs, point to Accessories, and then click
   Command Prompt.

2. At the command prompt, type ntdsutil, and then press ENTER.

3. Type metadata cleanup, and then press ENTER. Based on the options given,
   the administrator can perform the removal, but additional configuration
   parameters must be specified before the removal can occur.

4. Type connections and press ENTER. This menu is used to connect to the
   specific server where the changes occur. If the currently logged on user
   does not have administrative permissions, different credentials can be
   supplied by specifying the credentials to use before making the
   connection. To do this, type set creds DomainName UserName Password, and
   then press ENTER. For a null password, type null for the password
   parameter.

5. Type connect to server servername, and then press ENTER. You should
   receive confirmation that the connection is successfully established.

RE : Re: [ActiveDir] remove orphan DC from the domain

2007-01-26 Thread Yann
Really ?
   
  That is very interesting... Could you develop this statement please? What 
is a XFER?
  When you say "it does a seize", that means it chooses a DC nearby? And does 
a seizure *automatically*?
   
  Thanks,
   
  Yann

Paul Williams <[EMAIL PROTECTED]> a écrit :
  > If the DC that died had FSMO roles, you need to seize them (check which 
> DC had FSMO roles with --> NETDOM QUERY FSMO)

This step is no longer necessary in k3 SP1. NTDSUTIL does it for you. If I 
remember correctly, it tries a XFER and then does a Seize (as that's the 
logic for the Seize anyway).

I believe this was added in SP1.


--Paul

- Original Message - 
From: "Almeida Pinto, Jorge de" 
To: 
Sent: Friday, January 26, 2007 7:05 AM
Subject: RE: [ActiveDir] remove orphan DC from the domain


I forgot to mention:

* If the DC that died had FSMO roles, you need to seize them (check which DC 
had FSMO roles with --> NETDOM QUERY FSMO)
* DNS records are NOT removed by the NTDSUTIL. Must be done manually or wait 
if you have aging/scavenging enabled

Also make sure the GC role and DNS roles are hosted by other computers (other 
DCs)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
( Tel : +31-(0)40-29.57.777
( Mobile : +31-(0)6-26.26.62.80
* E-mail : 



From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 01:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain



Thanks for your logic. I hope so in the remaining Dc it will do 
automatically.



Regards,



Senthil





From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de
Sent: Friday, January 26, 2007 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain



the AD metadata cleanup is nothing more than removal/deletion of objects 
that belong to a DC that is not live anymore. Just like other object 
deletions (user, group, etc) the deletions will replicate to other DCs 
(assuming replication is working fine) that host the same partitions from 
which the objects were removed. Because of that you only need to target ONE 
live DC in the same domain when using NTDSUTIL.

Imagine a domain with 1000 DCs. It would be a PITA to clean up the AD 
metadata of one of the DCs on the other 999 DCs... ;-))



Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services



LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

* Tel : +31-(0)40-29.57.777

* Mobile : +31-(0)6-26.26.62.80

* E-mail : 





From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 00:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove orphan DC from the domain

Hi,



We already had 3 DCs in our network. Suddenly one DC has gone down
permanently. That won't come back live. Right now we want to remove that
orphan DC completely. I have seen the Microsoft article:

1. Click Start, point to Programs, point to Accessories, and then click
   Command Prompt.

2. At the command prompt, type ntdsutil, and then press ENTER.

3. Type metadata cleanup, and then press ENTER. Based on the options given,
   the administrator can perform the removal, but additional configuration
   parameters must be specified before the removal can occur.

4. Type connections and press ENTER. This menu is used to connect to the
   specific server where the changes occur. If the currently logged on user
   does not have administrative permissions, different credentials can be
   supplied by specifying the credentials to use before making the
   connection. To do this, type set creds DomainName UserName Password, and
   then press ENTER. For a null password, type null for the password
   parameter.

5. Type connect to server servername, and then press ENTER. You should
   receive confirmation that the connection is successfully established. If
   an error occurs, verify that the domain controller being used in the
   connection is available and the credentials you supplied have
   administrative permissions on the server.

   Note: If you try to connect to the same server that you want to delete,
   when you try to delete the server that step 15 refers to, you may receive
   the following error message:

   Error 2094. The DSA Object cannot be deleted 0x2094

6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.

7. Type select operation target and press ENTER.

8. Type list domains and press ENTER. A list of domains in the forest is
   displayed, each with an associated number.

9. Type select domain number and press ENTER, where number is the number
   associated with the domain the server you are removing is a member of.
   The dom

Re: [ActiveDir] remove orphan DC from the domain

2007-01-26 Thread Paul Williams
 If the DC that died had FSMO roles, you need to seize them (check which 
DC had FSMO roles with --> NETDOM QUERY FSMO)


This step is no longer necessary in k3 SP1.  NTDSUTIL does it for you.  If I 
remember correctly, it tries a XFER and then does a Seize (as that's the 
logic for the Seize anyway).


I believe this was added in SP1.


--Paul

- Original Message - 
From: "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]>

To: 
Sent: Friday, January 26, 2007 7:05 AM
Subject: RE: [ActiveDir] remove orphan DC from the domain


I forgot to mention:

* If the DC that died had FSMO roles, you need to seize them (check which DC 
had FSMO roles with --> NETDOM QUERY FSMO)
* DNS records are NOT removed by the NTDSUTIL. Must be done manually or wait 
if you have aging/scavenging enabled


Also make sure the GC role and DNS roles are hosted by other computers (other 
DCs)


Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : 



From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 01:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain



Thanks for your logic. I hope so in the remaining Dc it will do 
automatically.




Regards,



Senthil





From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de

Sent: Friday, January 26, 2007 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain



the AD metadata cleanup is nothing more than removal/deletion of objects 
that belong to a DC that is not live anymore. Just like other object 
deletions (user, group, etc) the deletions will replicate to other DCs 
(assuming replication is working fine) that host the same partitions from 
which the objects were removed. Because of that you only need to target ONE 
live DC in the same domain when using NTDSUTIL.

Imagine a domain with 1000 DCs. It would be a PITA to clean up the AD 
metadata of one of the DCs on the other 999 DCs... ;-))




Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services



LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

* Tel : +31-(0)40-29.57.777

*Mobile : +31-(0)6-26.26.62.80

*   E-mail  : 





From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 00:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove orphan DC from the domain

Hi,



We already had 3 DCs in our network. Suddenly one DC has gone down
permanently. That won't come back live. Right now we want to remove that
orphan DC completely. I have seen the Microsoft article:

1. Click Start, point to Programs, point to Accessories, and then click
   Command Prompt.

2. At the command prompt, type ntdsutil, and then press ENTER.

3. Type metadata cleanup, and then press ENTER. Based on the options given,
   the administrator can perform the removal, but additional configuration
   parameters must be specified before the removal can occur.

4. Type connections and press ENTER. This menu is used to connect to the
   specific server where the changes occur. If the currently logged on user
   does not have administrative permissions, different credentials can be
   supplied by specifying the credentials to use before making the
   connection. To do this, type set creds DomainName UserName Password, and
   then press ENTER. For a null password, type null for the password
   parameter.

5. Type connect to server servername, and then press ENTER. You should
   receive confirmation that the connection is successfully established. If
   an error occurs, verify that the domain controller being used in the
   connection is available and the credentials you supplied have
   administrative permissions on the server.

   Note: If you try to connect to the same server that you want to delete,
   when you try to delete the server that step 15 refers to, you may receive
   the following error message:

   Error 2094. The DSA Object cannot be deleted 0x2094

6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.

7. Type select operation target and press ENTER.

8. Type list domains and press ENTER. A list of domains in the forest is
   displayed, each with an associated number.

9. Type select domain number and press ENTER, where number is the number
   associated with the domain the server you are removing is a member of.
   The domain you select is used to determine whether the server being
   removed is the last domain controller of that domain.

10. Type list sites and press ENTER. A list of sites, each with an
    associated number, appears.

11. Type s

RE: [ActiveDir] OT: maintaining "creation date" when copying directories?

2007-01-25 Thread Ulf B. Simon-Weidner
Sorry - I've missed that point.

 

Yes - you're right, I got the same results.

 

However, if you use robocopy which is now included in Vista in System32
(XP027, 5.1.10.1027) you can use a new switch to accomplish this:

robocopy /dcopy:t /E /B /copyall . .

 

The /dcopy:t does the trick.

 

Thanks for bringing this up so I had to look into it - I'll blog this since
it's a very interesting change.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog:  http://msmvps.org/UlfBSimonWeidner
  Website:  http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Freitag, 26. Januar 2007 02:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

Hi Ulf,

I don't have any problems with the "creation date" on files.  It's the
"creation date" on the directory folders that is not right.  Could you try
robocopy again, this time trying to copy some tree structure that has
branches (subdirectories) and see what "creation date" is on the
subdirectory folders?  Thanks much!

 

Mike Thommes

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Thursday, January 25, 2007 3:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

Hi Thommes,

 

I've just tried this here, and both commands

Robocopy /B .\ ..\ wins.dll

Robocopy /B .\ c:\ wins.dll

 

(first one on the same drive, second one on another drive)

 

Maintain the Create and Modified date. My Robocopy-Version is the same
(XP010, 5.1.1.1010)

 

Weird.

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog:  http://msmvps.org/UlfBSimonWeidner
  Website:  http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Donnerstag, 25. Januar 2007 14:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

Hi Ulf,

Thanks for the response!  I tried Robocopy (version XP010) with the /E
/B /COPYALL switches.  It does not seem to have the desired effect (ie, both
the "modified date" and the "creation date" are still the current date).
Any other thoughts?

 

Mike Thommes

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Thursday, January 25, 2007 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

Robocopy with the /B-Switch should work.

 

Ulf

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Donnerstag, 25. Januar 2007 13:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

What "move/copy" tools can be used to copy directories/files to another
location and still retain the "creation date" value?  Robocopy seems to keep
creation date on files but directories are given the current date.  Am I
missing a switch in Robocopy to do this?  A backup/restore operation (with
ntbackup.exe) retains the "creation date" as one would expect.  I am just
looking for other possible tools.  I should mention that with all of the
tools I've tried, the "modified date" is always the current date for
directories.  Any help is appreciated!

 

Mike Thommes

 



RE: [ActiveDir] remove orphan DC from the domain

2007-01-25 Thread Almeida Pinto, Jorge de
I forgot to mention:
 
* If the DC that died had FSMO roles, you need to seize them (check which DC 
had FSMO roles with --> NETDOM QUERY FSMO)
* DNS records are NOT removed by the NTDSUTIL. Must be done manually or wait if 
you have aging/scavenging enabled
 
Also make sure the GC role and DNS roles are hosted by other computers (other 
DCs)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : 



From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 01:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain



Thanks for your logic. I hope so in the remaining Dc it will do automatically.

 

Regards,

 

Senthil

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de
Sent: Friday, January 26, 2007 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain

 

the AD metadata cleanup is nothing more than removal/deletion of objects that 
belong to a DC that is not live anymore. Just like other object deletions 
(user, group, etc) the deletions will replicate to other DCs (assuming 
replication is working fine) that host the same partitions from which the 
objects were removed. Because of that you only need to target ONE live DC in 
the same domain when using NTDSUTIL.

Imagine a domain with 1000 DCs. It would be a PITA to clean up the AD 
metadata of one of the DCs on the other 999 DCs... ;-))

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

* Tel : +31-(0)40-29.57.777

*Mobile : +31-(0)6-26.26.62.80

*   E-mail  : 

 



From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 00:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove orphan DC from the domain

Hi,

 

We already had 3 DCs in our network. Suddenly one DC has gone down
permanently. That won't come back live. Right now we want to remove that
orphan DC completely. I have seen the Microsoft article:

1. Click Start, point to Programs, point to Accessories, and then click
   Command Prompt.

2. At the command prompt, type ntdsutil, and then press ENTER.

3. Type metadata cleanup, and then press ENTER. Based on the options given,
   the administrator can perform the removal, but additional configuration
   parameters must be specified before the removal can occur.

4. Type connections and press ENTER. This menu is used to connect to the
   specific server where the changes occur. If the currently logged on user
   does not have administrative permissions, different credentials can be
   supplied by specifying the credentials to use before making the
   connection. To do this, type set creds DomainName UserName Password, and
   then press ENTER. For a null password, type null for the password
   parameter.

5. Type connect to server servername, and then press ENTER. You should
   receive confirmation that the connection is successfully established. If
   an error occurs, verify that the domain controller being used in the
   connection is available and the credentials you supplied have
   administrative permissions on the server.

   Note: If you try to connect to the same server that you want to delete,
   when you try to delete the server that step 15 refers to, you may receive
   the following error message:

   Error 2094. The DSA Object cannot be deleted 0x2094

6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.

7. Type select operation target and press ENTER.

8. Type list domains and press ENTER. A list of domains in the forest is
   displayed, each with an associated number.

9. Type select domain number and press ENTER, where number is the number
   associated with the domain the server you are removing is a member of.
   The domain you select is used to determine whether the server being
   removed is the last domain controller of that domain.

10. Type list sites and press ENTER. A list of sites, each with an
    associated number, appears.

11. Type select site number and press ENTER, where number is the number
    associated with the site the server you are removing is a member of. You
    should receive a confirmation listing the site and domain you chose.

12. Type list servers in site and press ENTER. A list of servers in the
    site, each with an associated number, is displayed.

13. Type select server number, where number is the number associated with
    the server you want to remove. You receive a confirmation listing the
    selected server, its Domain Name System (DNS) host name, and the
    location of

RE: [ActiveDir] How to find non-primary SMTP addresses?

2007-01-25 Thread joe
 
Yeah JoeK is right on, nothing in LDAP will help you with this. The
proxyAddresses attribute is case insensitive so there is no way to query to
just get addresses that are secondary. 

AdFind can help with this in a small perl script. You use the CSV capability
of AdFind combined with its ability to only display the multivalue
attributes that have a string match to smtp (AdFind isn't case sensitive
either for this query). That simply outputs just smtp addresses so it is
nice and clean. The perl script would look something like


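# Ask AdFind for the proxyAddresses values that contain "smtp" (matched
# case-insensitively), one CSV line per object, without a header row.
@out=`adfind -sc exchaddresses:smtp -csv -nocsvheader`;

foreach $thisline (@out)
 {
  next unless $thisline=~/smtp:.+/; # skip objects with no lower-case (secondary) address
  $thisline=~s/SMTP:[^\";]+([\";])/$1/; # strip out primary, stopping at the next ; or "
  $thisline=~s/;{2,}/;/; # cleanup multiple semicolons
  $thisline=~s/;\"/\"/; # cleanup semicolon/quote
  print $thisline;
 }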



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday, January 25, 2007 7:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query 
for users that have secondary addresses vs. only having a primary and there 
isn't any practical way to just get the secondary addresses out of the 
proxyAddresses attribute.  You essentially need to get all the data and then
check for the values that are prefixed with lower case "smtp".

Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP 
itself doesn't help much.

Joe K.

- Original Message - 
From: Ulf B. Simon-Weidner
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?


Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE - 
you'd either have to use LDIFDE or VBScript or anything else to view all 
values of those attributes.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
  Profile & Publications: 
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Freitag, 26. Januar 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every 
Exchange user?  I can't seem to find a way via csvde, but maybe I'm doing 
something wrong.  Thanks again. 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
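
The approach Joe K. describes in this thread (pull every proxyAddresses value, then keep only those with a lower-case "smtp:" prefix), applied to LDIFDE-style output as Ulf suggests. This is an added example, not code from any poster on the list; the sample records and function names are constructed for illustration, and it goes a little beyond the thread by also handling folded lines and base64-encoded values.

```python
import base64


def _b64(text):
    """Base64-encode text the way LDIF does for 'attr:: value' lines."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample (not real directory data) in the LDIF shape LDIFDE
# writes, e.g. from: ldifde -f out.ldf -l proxyAddresses
SAMPLE_LDIF = "\n".join([
    "dn: CN=Alice Example,OU=Staff,DC=example,DC=com",
    "changetype: add",
    "proxyAddresses: smtp:alice.old@example.com",
    "proxyAddresses: SMTP:alice@example.com",
    "proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Example;g=Alice;",
    # A long value folded onto a continuation line (leading single space).
    "proxyAddresses: smtp:a.example-with-a-long-alias-that-gets-folded@mail.examp",
    " le.com",
    "",
    "dn: CN=Bob Example,OU=Staff,DC=example,DC=com",
    "changetype: add",
    "proxyAddresses: SMTP:bob@example.com",
    "",
    # Values with non-ASCII or awkward characters arrive base64-encoded.
    "dn:: " + _b64("CN=Carol Example,OU=Staff,DC=example,DC=com"),
    "changetype: add",
    "proxyAddresses:: " + _b64("smtp:carol@example.net"),
    "proxyAddresses: SMTP:carol@example.com",
    "",
])


def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_records(text):
    """Yield (dn, {lower-cased attribute: [values]}) for each LDIF record."""
    dn, attrs = None, {}
    for line in unfold(text) + [""]:      # trailing "" flushes the last record
        if not line.strip():              # blank line ends a record
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#") or ":" not in line:
            continue                      # comments and "-" separators
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.lstrip(" ")
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)


def secondary_smtp(text):
    """Map each DN to its non-primary SMTP addresses.

    The primary address carries an upper-case "SMTP:" prefix and secondary
    ones a lower-case "smtp:", so the prefix test here is case-sensitive;
    other proxy types (X400 and so on) are ignored.
    """
    result = {}
    for dn, attrs in parse_records(text):
        extra = [value[len("smtp:"):]
                 for value in attrs.get("proxyaddresses", [])
                 if value.startswith("smtp:")]
        if extra:
            result[dn] = extra
    return result


if __name__ == "__main__":
    for dn, addresses in secondary_smtp(SAMPLE_LDIF).items():
        print(dn)
        for address in addresses:
            print("   ", address)
```
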



RE: [ActiveDir] OT: How to find non-primary SMTP addresses?

2007-01-25 Thread Akomolafe, Deji
Were the answers along the lines of "it can't be done"?

http://www.akomolafe.com/Portals/1/Write%20out%20the%20SMTP%20Addresses%20of%20users%20OR%20Groups.txt

YMWV


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Michael B. Smith
Sent: Thu 1/25/2007 5:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: How to find non-primary SMTP addresses?


I'm guessing you didn't like the answers you got on the exchange list?




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Thursday, January 25, 2007 6:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?


How does one go about getting the non-primary SMTP addresses for every Exchange 
user?  I can't seem to find a way via csvde, but maybe I'm doing something 
wrong.  Thanks again. 


Re: [ActiveDir] OT: How to find non-primary SMTP addresses?

2007-01-25 Thread Alex Fontana
LMAO...I thought my Outlook rule was broken for a second...


On 1/25/07 5:12 PM, "Michael B. Smith" <[EMAIL PROTECTED]> wrote:

> I'm guessing you didn't like the answers you got on the exchange list?
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
> Sent: Thursday, January 25, 2007 6:53 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] How to find non-primary SMTP addresses?
> 
> How does one go about getting the non-primary SMTP addresses for every
> Exchange user?  I can't seem to find a way via csvde, but maybe I'm doing
> something wrong.  Thanks again.




RE: [ActiveDir] OT: maintaining "creation date" when copying directories?

2007-01-25 Thread Thommes, Michael M.
Hi Ulf,

I don't have any problems with the "creation date" on files.  It's
the "creation date" on the directory folders that is not right.  Could
you try robocopy again, this time trying to copy some tree structure
that has branches (subdirectories) and see what "creation date" is on
the subdirectory folders?  Thanks much!

 

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Thursday, January 25, 2007 3:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

Hi Thommes,

 

I've just tried this here, and both commands

Robocopy /B .\ ..\ wins.dll

Robocopy /B .\ c:\ wins.dll

 

(first one on the same drive, second one on another drive)

 

Maintain the Create and Modified date. My Robocopy-Version is the same
(XP010, 5.1.1.1010)

 

Weird.

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Donnerstag, 25. Januar 2007 14:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

Hi Ulf,

Thanks for the response!  I tried Robocopy (version XP010) with the
/E /B /COPYALL switches.  It does not seem to have the desired effect
(ie, both the "modified date" and the "creation date" are still the
current date).  Any other thoughts?

 

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Thursday, January 25, 2007 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

Robocopy with the /B-Switch should work.

 

Ulf

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Donnerstag, 25. Januar 2007 13:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

What "move/copy" tools can be used to copy directories/files to another
location and still retain the "creation date" value?  Robocopy seems to
keep creation date on files but directories are given the current date.
Am I missing a switch in Robocopy to do this?  A backup/restore
operation (with ntbackup.exe) retains the "creation date" as one would
expect.  I am just looking for other possible tools.  I should mention
that with all of the tools I've tried, the "modified date" is always the
current date for directories.  Any help is appreciated!

 

Mike Thommes

 



RE: [ActiveDir] OT: How to find non-primary SMTP addresses?

2007-01-25 Thread Michael B. Smith
I'm guessing you didn't like the answers you got on the exchange list?



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Thursday, January 25, 2007 6:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?


How does one go about getting the non-primary SMTP addresses for every
Exchange user?  I can't seem to find a way via csvde, but maybe I'm
doing something wrong.  Thanks again. 


Re: [ActiveDir] How to find non-primary SMTP addresses?

2007-01-25 Thread Joe Kaplan
In addition to what Ulf said, there also isn't any practical way to query 
for users that have secondary addresses vs. only having a primary and there 
isn't any practical way to just get the secondary addresses out of the 
proxyAddresses attribute.  You essentially need to get all the data and then 
check for the values that are prefixed with lower case "smtp".


Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP 
itself doesn't help much.


Joe K.

- Original Message - 
From: Ulf B. Simon-Weidner

To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?


Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE - 
you'd either have to use LDIFDE or VBScript or anything else to view all 
values of those attributes.


Gruesse - Sincerely,
Ulf B. Simon-Weidner
 Profile & Publications: 
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett

Sent: Freitag, 26. Januar 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every 
Exchange user?  I can't seem to find a way via csvde, but maybe I'm doing 
something wrong.  Thanks again. 




RE: [ActiveDir] remove orphan DC from the domain

2007-01-25 Thread senthil Kumar
Thanks for your logic. I hope so in the remaining Dc it will do
automatically.

 

Regards,

 

Senthil

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Friday, January 26, 2007 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain

 

The AD metadata cleanup is nothing more than removal/deletion of objects
that belong to a DC that is not live anymore. Just like other object
deletions (user, group, etc.) the deletions will replicate to other DCs
(assuming replication is working fine) that host the same partitions from
which the objects were removed. Because of that you only need to target ONE
live DC in the same domain when using NTDSUTIL.

Imagine a domain with 1000 DCs... It would be a PITA to clean up the AD
metadata of one of the DCs on the other 999 DCs... ;-))

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

* Tel : +31-(0)40-29.57.777

*Mobile : +31-(0)6-26.26.62.80

*   E-mail  : 

 


From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 00:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove orphan DC from the domain

Hi,

 

We already had 3 DCs in our network. Suddenly one DC went down permanently.
It won't come back live. Right now we want to remove that orphan DC
completely. I have seen the Microsoft article 

1. Click Start, point to Programs, point to Accessories, and then click Command
Prompt.

2. At the command prompt, type ntdsutil, and then press ENTER.

3. Type metadata cleanup, and then press ENTER. Based on the options given, the
administrator can perform the removal, but additional configuration
parameters must be specified before the removal can occur.

4. Type connections and press ENTER. This menu is used to connect to the
specific server where the changes occur. If the currently logged on user
does not have administrative permissions, different credentials can be
supplied by specifying the credentials to use before making the connection.
To do this, type set creds DomainName UserName Password, and then press ENTER.
For a null password, type null for the password parameter.

5. Type connect to server servername, and then press ENTER. You should receive
confirmation that the connection is successfully established. If an error
occurs, verify that the domain controller being used in the connection is
available and the credentials you supplied have administrative permissions
on the server.

Note If you try to connect to the same server that you want to delete, when
you try to delete the server that step 15 refers to, you may receive the
following error message: 

Error 2094. The DSA Object cannot be deleted 0x2094 

6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.

7. Type select operation target and press ENTER.

8. Type list domains and press ENTER. A list of domains in the forest is
displayed, each with an associated number.

9. Type select domain number and press ENTER, where number is the number
associated with the domain the server you are removing is a member of. The
domain you select is used to determine whether the server being removed is
the last domain controller of that domain.

10. Type list sites and press ENTER. A list of sites, each with an associated
number, appears.

11. Type select site number and press ENTER, where number is the number
associated with the site the server you are removing is a member of. You
should receive a confirmation listing the site and domain you chose.

12. Type list servers in site and press ENTER. A list of servers in the site,
each with an associated number, is displayed. 

13. Type select server number, where number is the number associated with the
server you want to remove. You receive a confirmation listing the selected
server, its Domain Name System (DNS) host name, and the location of the
server's computer account you want to remove.

14. Type quit and press ENTER. The Metadata Cleanup menu appears.

15. Type remove selected server and press ENTER. You should receive confirmation
that the removal completed successfully. If you receive the following error
message, the NTDS Settings object may already be removed from Active
Directory as the result of another administrator removing the NTDS Settings
object or replication of the successful removal of the object after running
the DCPROMO utility. 

Error 8419 (0x20E3)
The DSA object could not be found 

Note You may also see this error when you try to bind to the domain
controller that will be removed. Ntdsutil has to bind to a domain controller
other than the one that will be removed with metadata cleanup.

16. Type quit, and then press ENTER at each menu to quit the Ntdsutil utility. You
should re

RE: [ActiveDir] How to find non-primary SMTP addresses?

2007-01-25 Thread Ulf B. Simon-Weidner
Hi Stu,

 

I don't think there's a way to expose multivalued attributes with CSVDE -
you'd either have to use LDIFDE or VBScript or anything else to view all
values of those attributes.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Freitag, 26. Januar 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

 

How does one go about getting the non-primary SMTP addresses for every
Exchange user?  I can't seem to find a way via csvde, but maybe I'm doing
something wrong.  Thanks again. 



[ActiveDir] How to find non-primary SMTP addresses?

2007-01-25 Thread Stu Packett

How does one go about getting the non-primary SMTP addresses for every
Exchange user?  I can't seem to find a way via csvde, but maybe I'm doing
something wrong.  Thanks again.


RE: [ActiveDir] remove orphan DC from the domain

2007-01-25 Thread Almeida Pinto, Jorge de
The AD metadata cleanup is nothing more than removal/deletion of objects that 
belong to a DC that is not live anymore. Just like other object deletions 
(user, group, etc.) the deletions will replicate to other DCs (assuming 
replication is working fine) that host the same partitions from which the 
objects were removed. Because of that you only need to target ONE live DC in 
the same domain when using NTDSUTIL.

Imagine a domain with 1000 DCs... It would be a PITA to clean up the AD 
metadata of one of the DCs on the other 999 DCs... ;-))
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : 



From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 00:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove orphan DC from the domain



Hi,

 

We already had 3 DCs in our network. Suddenly one DC went down permanently. 
It won't come back live. Right now we want to remove that orphan DC 
completely. I have seen the Microsoft article 

1. Click Start, point to Programs, point to Accessories, and then click Command 
Prompt.

2. At the command prompt, type ntdsutil, and then press ENTER.

3. Type metadata cleanup, and then press ENTER. Based on the options given, the 
administrator can perform the removal, but additional configuration parameters 
must be specified before the removal can occur.

4. Type connections and press ENTER. This menu is used to connect to the specific 
server where the changes occur. If the currently logged on user does not have 
administrative permissions, different credentials can be supplied by specifying 
the credentials to use before making the connection. To do this, type set creds 
DomainName UserName Password, and then press ENTER. For a null password, type 
null for the password parameter.

5. Type connect to server servername, and then press ENTER. You should receive 
confirmation that the connection is successfully established. If an error 
occurs, verify that the domain controller being used in the connection is 
available and the credentials you supplied have administrative permissions on 
the server.

Note If you try to connect to the same server that you want to delete, when you 
try to delete the server that step 15 refers to, you may receive the following 
error message: 

Error 2094. The DSA Object cannot be deleted 0x2094 

6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.

7. Type select operation target and press ENTER.

8. Type list domains and press ENTER. A list of domains in the forest is 
displayed, each with an associated number.

9. Type select domain number and press ENTER, where number is the number 
associated with the domain the server you are removing is a member of. The 
domain you select is used to determine whether the server being removed is the 
last domain controller of that domain.

10. Type list sites and press ENTER. A list of sites, each with an associated 
number, appears.

11. Type select site number and press ENTER, where number is the number associated 
with the site the server you are removing is a member of. You should receive a 
confirmation listing the site and domain you chose.

12. Type list servers in site and press ENTER. A list of servers in the site, each 
with an associated number, is displayed. 

13. Type select server number, where number is the number associated with the 
server you want to remove. You receive a confirmation listing the selected 
server, its Domain Name System (DNS) host name, and the location of the 
server's computer account you want to remove.

14. Type quit and press ENTER. The Metadata Cleanup menu appears.

15. Type remove selected server and press ENTER. You should receive confirmation 
that the removal completed successfully. If you receive the following error 
message, the NTDS Settings object may already be removed from Active Directory 
as the result of another administrator removing the NTDS Settings object or 
replication of the successful removal of the object after running the DCPROMO 
utility. 

Error 8419 (0x20E3)
The DSA object could not be found 

Note You may also see this error when you try to bind to the domain controller 
that will be removed. Ntdsutil has to bind to a domain controller other than 
the one that will be removed with metadata cleanup.

16. Type quit, and then press ENTER at each menu to quit the Ntdsutil utility. You 
should receive confirmation that the connection disconnected successfully.

17. Remove the cname record in the _msdcs.root domain of forest zone in DNS. 
Assuming that DC will be reinstalled and re-promoted, a new NTDS Settings 
object is created with a new GUID and a matching cname record in DNS. You do 
not want the DCs that exist to us

Re: [ActiveDir] remove orphan DC from the domain

2007-01-25 Thread Matt . Duguid
It should be removed. We had the same situation on our site in the past
and used the same article. We did a search on the AD later and found the
odd piece of data hanging around in AD which we tidied up.

Which domain controllers held which FSMO roles? Were any on the DC that you
have lost? Have you managed to transfer these to another DC?

Cheers,

Matt Duguid
Microsoft Systems Engineer
Information and Technology Group - Identity Services
The Department of Internal Affairs Te Tari Taiwhenua

Direct Dial: +64 4 4748028 x8028
Fax: +64 4 4748894
Mobile: +64 21 1713290
Address: Level 4, 47 Boulcott Street, Wellington, New Zealand
Internet: http://www.dia.govt.nz/



"senthil Kumar" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
26/01/2007 12:14 p.m.
Please respond to ActiveDir

To:
cc:
Subject: [ActiveDir] remove orphan DC from the domain


Hi,

We already had 3 DCs in our network. Suddenly one DC went down permanently.
It won't come back live. Right now we want to remove that orphan DC
completely. I have seen the Microsoft article

1. Click Start, point to Programs, point to Accessories, and then click
Command Prompt.

2. At the command prompt, type ntdsutil, and then press ENTER.

3. Type metadata cleanup, and then press ENTER. Based on the options given,
the administrator can perform the removal, but additional configuration
parameters must be specified before the removal can occur.

4. Type connections and press ENTER. This menu is used to connect to the
specific server where the changes occur. If the currently logged on user
does not have administrative permissions, different credentials can be
supplied by specifying the credentials to use before making the connection.
To do this, type set creds DomainName UserName Password, and then press ENTER.
For a null password, type null for the password parameter.

5. Type connect to server servername, and then press ENTER. You should
receive confirmation that the connection is successfully established. If an
error occurs, verify that the domain controller being used in the connection
is available and the credentials you supplied have administrative
permissions on the server.

Note If you try to connect to the same server that you want to delete,
when you try to delete the server that step 15 refers to, you may receive
the following error message:

Error 2094. The DSA Ob

[ActiveDir] remove orphan DC from the domain

2007-01-25 Thread senthil Kumar
Hi,

 

We already had 3 DCs in our network. Suddenly one DC went down permanently.
It won't come back live. Right now we want to remove that orphan DC
completely. I have seen the Microsoft article 

1. Click Start, point to Programs, point to Accessories, and then click Command
Prompt.

2. At the command prompt, type ntdsutil, and then press ENTER.

3. Type metadata cleanup, and then press ENTER. Based on the options given, the
administrator can perform the removal, but additional configuration
parameters must be specified before the removal can occur.

4. Type connections and press ENTER. This menu is used to connect to the
specific server where the changes occur. If the currently logged on user
does not have administrative permissions, different credentials can be
supplied by specifying the credentials to use before making the connection.
To do this, type set creds DomainName UserName Password, and then press ENTER.
For a null password, type null for the password parameter.

5. Type connect to server servername, and then press ENTER. You should receive
confirmation that the connection is successfully established. If an error
occurs, verify that the domain controller being used in the connection is
available and the credentials you supplied have administrative permissions
on the server.

Note If you try to connect to the same server that you want to delete, when
you try to delete the server that step 15 refers to, you may receive the
following error message: 

Error 2094. The DSA Object cannot be deleted 0x2094 

6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.

7. Type select operation target and press ENTER.

8. Type list domains and press ENTER. A list of domains in the forest is
displayed, each with an associated number.

9. Type select domain number and press ENTER, where number is the number
associated with the domain the server you are removing is a member of. The
domain you select is used to determine whether the server being removed is
the last domain controller of that domain.

10. Type list sites and press ENTER. A list of sites, each with an associated
number, appears.

11. Type select site number and press ENTER, where number is the number
associated with the site the server you are removing is a member of. You
should receive a confirmation listing the site and domain you chose.

12. Type list servers in site and press ENTER. A list of servers in the site,
each with an associated number, is displayed. 

13. Type select server number, where number is the number associated with the
server you want to remove. You receive a confirmation listing the selected
server, its Domain Name System (DNS) host name, and the location of the
server's computer account you want to remove.

14. Type quit and press ENTER. The Metadata Cleanup menu appears.

15. Type remove selected server and press ENTER. You should receive confirmation
that the removal completed successfully. If you receive the following error
message, the NTDS Settings object may already be removed from Active
Directory as the result of another administrator removing the NTDS Settings
object or replication of the successful removal of the object after running
the DCPROMO utility. 

Error 8419 (0x20E3)
The DSA object could not be found 

Note You may also see this error when you try to bind to the domain
controller that will be removed. Ntdsutil has to bind to a domain controller
other than the one that will be removed with metadata cleanup.

16. Type quit, and then press ENTER at each menu to quit the Ntdsutil utility. You
should receive confirmation that the connection disconnected successfully.

17. Remove the cname record in the _msdcs.root domain of forest zone in DNS.
Assuming that DC will be reinstalled and re-promoted, a new NTDS Settings
object is created with a new GUID and a matching cname record in DNS. You do
not want the DCs that exist to use the old cname record.

As best practice, you should delete the host name and other DNS records. If
the lease time that remains on Dynamic Host Configuration Protocol (DHCP)
address assigned to offline server is exceeded then another client can
obtain the IP address of the problem DC.

18. In the DNS console, use the DNS MMC to delete the A record in DNS. The A
record is also known as the Host record. To delete the A record, right-click
the A record, and then click Delete. Also, delete the cname record in the
_msdcs container. To do this, expand the _msdcs container, right-click
cname, and then click Delete.

Important If this is a DNS server, remove the reference to this DC under the
Name Servers tab. To do this, in the DNS console, click the domain name
under Forward Lookup Zones, and then remove this server from the Name
Servers tab. 

Note If you have reverse lookup zones, also remove the server from these
zones. 

19. If the deleted computer is the last domain controller in a child domain, and
the child domain was also deleted, use AD

Re: [ActiveDir] AD Security Auditing

2007-01-25 Thread AFidel
AdFind.exe -sddc++ -b DC=example,DC=com -resolvesids -f "|(objectcategory=container)(objectcategory=organizationalUnit)" >OU_ACL.txt

Thanks,
Andrew Fidel




"Casey Robertson" <[EMAIL PROTECTED]> 
Sent by: [EMAIL PROTECTED]
01/23/2007 05:41 PM
Please respond to ActiveDir@mail.activedir.org

To:
cc:
Subject: [ActiveDir] AD Security Auditing






We are embarking on a project to clean up our OUs structure and reassign 
permissions that have grown unmanageable over time.  To accomplish this it 
would be nice to be able to dump permissions on all OU objects and 
individual object types (users, computers, etc) so that we can determine 
who has rights to what.  The prospect of doing this manually is daunting 
at best and for the most part I have only seen 3rd party tools (read: 
expensive) that do this in an easy to use fashion.
 
Any suggestions for tools, scripts etc would be appreciated.  Either that 
or we can rebuild our OU structure :)
 
Casey Robertson
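
The permission dump asked for in this thread comes back as security descriptors in SDDL. As an added example (not part of the thread and not AdFind's own code), this Python script decodes the DACL of each OU and lists explicit, non-inherited change rights granted outside an expected admin set. The DNs, SID, GUID, the EXPECTED set and all function names are constructed for illustration, and the input is assumed to be raw SDDL strings rather than a tool's already-decoded output.

```python
import re
from dataclasses import dataclass

# SDDL code -> (readable name, access-mask bit) for directory objects.
RIGHTS = {
    "CC": ("CreateChild", 0x1), "DC": ("DeleteChild", 0x2),
    "LC": ("ListChildren", 0x4), "SW": ("SelfWrite", 0x8),
    "RP": ("ReadProperty", 0x10), "WP": ("WriteProperty", 0x20),
    "DT": ("DeleteTree", 0x40), "LO": ("ListObject", 0x80),
    "CR": ("ControlAccess", 0x100), "SD": ("Delete", 0x10000),
    "RC": ("ReadControl", 0x20000), "WD": ("WriteDacl", 0x40000),
    "WO": ("WriteOwner", 0x80000), "GA": ("GenericAll", 0x10000000),
    "GX": ("GenericExecute", 0x20000000), "GW": ("GenericWrite", 0x40000000),
    "GR": ("GenericRead", 0x80000000),
}
# Rights that let a trustee change objects or their permissions.
CHANGE = {"CreateChild", "DeleteChild", "SelfWrite", "WriteProperty",
          "DeleteTree", "ControlAccess", "Delete", "WriteDacl", "WriteOwner",
          "GenericAll", "GenericWrite"}
# Trustee aliases; "WD" is Everyone here but WriteDacl in the rights field.
TRUSTEES = {
    "DA": "Domain Admins", "EA": "Enterprise Admins", "SY": "Local System",
    "BA": "BUILTIN\\Administrators", "AU": "Authenticated Users",
    "WD": "Everyone", "AO": "Account Operators", "DU": "Domain Users",
    "CO": "Creator Owner", "PS": "Principal Self",
}
ACE_TYPES = {"A": "allow", "D": "deny", "OA": "allow-object", "OD": "deny-object"}

@dataclass
class Ace:
    kind: str          # allow / deny / allow-object / deny-object
    inherited: bool    # True when the ID flag is set (ACE came from a parent)
    rights: list       # readable right names
    object_guid: str   # property/class/extended-right GUID, "" if none
    trustee: str       # alias expanded to a name, otherwise the raw SID

def decode_rights(field):
    """Decode the two-letter form (RPWP...) or a hex mask (0xf01ff)."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return [name for name, bit in RIGHTS.values() if mask & bit]
    codes = [field[i:i + 2] for i in range(0, len(field), 2)]
    return [RIGHTS[c][0] if c in RIGHTS else "?" + c for c in codes]

def parse_dacl(sddl):
    """Return the ACEs of the D: section of an SDDL string, in order."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        f = body.split(";")
        if len(f) < 6 or f[0] not in ACE_TYPES:
            continue  # skip ACE forms this example does not model
        flags = {f[1][i:i + 2] for i in range(0, len(f[1]), 2)}
        aces.append(Ace(ACE_TYPES[f[0]], "ID" in flags, decode_rights(f[2]),
                        f[3], TRUSTEES.get(f[5], f[5])))
    return aces

def explicit_delegations(acl_dump, expected):
    """List (dn, trustee, rights) for non-inherited allow ACEs that grant
    change rights to a trustee outside the expected set."""
    findings = []
    for dn, sddl in acl_dump.items():
        for ace in parse_dacl(sddl):
            risky = [r for r in ace.rights if r in CHANGE]
            if (ace.kind.startswith("allow") and not ace.inherited
                    and risky and ace.trustee not in expected):
                findings.append((dn, ace.trustee, risky))
    return findings

# Constructed sample: DN -> SDDL string (SID and GUID are made up).
SAMPLE = {
    "OU=Sales,DC=example,DC=com":
        "O:DAG:DAD:AI(A;;RPWPCCDCLCSWRCWDWOGA;;;DA)"
        "(A;CI;CCDC;;;S-1-5-21-1111111111-2222222222-3333333333-1604)"
        "(OA;CIIO;WP;11111111-2222-3333-4444-555555555555;;AO)"
        "(A;CIID;RPLCRC;;;AU)",
    "OU=Workstations,DC=example,DC=com":
        "O:DAG:DAD:AI(A;CIID;0xf01ff;;;DA)(A;CI;0x30;;;WD)(D;;SDDT;;;WD)",
}
EXPECTED = {"Domain Admins", "Enterprise Admins", "Local System"}

if __name__ == "__main__":
    for dn, who, rights in explicit_delegations(SAMPLE, EXPECTED):
        print(f"{dn}: {who} -> {', '.join(rights)}")
```

Inherited ACEs are skipped on purpose, so each delegation is reported once, on the OU where it was actually set.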
 


RE: [ActiveDir] OT: maintaining "creation date" when copying directories?

2007-01-25 Thread Ulf B. Simon-Weidner
Hi Thommes,

 

I've just tried this here, and both commands

Robocopy /B .\ ..\ wins.dll

Robocopy /B .\ c:\ wins.dll

 

(first one on the same drive, second one on another drive)

 

Maintain the Create and Modified date. My Robocopy-Version is the same
(XP010, 5.1.1.1010)

 

Weird.

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog:  http://msmvps.org/UlfBSimonWeidner
  Website:  http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Donnerstag, 25. Januar 2007 14:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

Hi Ulf,

Thanks for the response!  I tried Robocopy (version XP010) with the /E
/B /COPYALL switches.  It does not seem to have the desired effect (ie, both
the "modified date" and the "creation date" are still the current date).
Any other thoughts?

 

Mike Thommes

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Thursday, January 25, 2007 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

Robocopy with the /B-Switch should work.

 

Ulf

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Donnerstag, 25. Januar 2007 13:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

What "move/copy" tools can be used to copy directories/files to another
location and still retain the "creation date" value?  Robocopy seems to keep
creation date on files but directories are given the current date.  Am I
missing a switch in Robocopy to do this?  A backup/restore operation (with
ntbackup.exe) retains the "creation date" as one would expect.  I am just
looking for other possible tools.  I should mention that with all of the
tools I've tried, the "modified date" is always the current date for
directories.  Any help is appreciated!

 

Mike Thommes

 



RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

2007-01-25 Thread Ulf B. Simon-Weidner
A Hostname underneath a folder "1"? I'd agree if just the number would be
there, but not with a name (<> other number) underneath.

 

Ulf

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Donnerstag, 25. Januar 2007 15:14
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

You can register records like this by messing up a reverse lookup record
addition using DNSCMD.

 

--Paul

 

- Original Message - 

From: EIS Lists <mailto:[EMAIL PROTECTED]>  

To: ActiveDir@mail.activedir.org 

Sent: Wednesday, January 24, 2007 9:28 PM

Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

Thanks, all. Ulf, your explanation was great! I am sure it was someone
(probably me!) just typed a .1 in some setting on the printer and allowed it
to register in DNS. 

 

Many thanks.

 

-- nme

 

Noah Eiger

 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Wednesday, January 24, 2007 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

Just 9:30 pm here, so not really late.

 

Many are mixing up the zones with the "DNS-Subdomains" or whatever they are
actually called. But in this case he even had it right, he said that under
the domain zone he has the "_*"-folders as well as a folder "1". I had to
reread too ;-)

 

How are things? See you in March?

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog:  http://msmvps.org/UlfBSimonWeidner
  Website:  http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Mittwoch, 24. Januar 2007 21:17
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

That's what I would expect.  But since the original poster called it a
"zone" I figured I'd ask. What are you doing up so late? :)

On 1/24/07, Ulf B. Simon-Weidner <[EMAIL PROTECTED]> wrote:

No Zone - no properties ;-)

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Mittwoch, 24. Januar 2007 20:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

What are properties of the 1 zone? 

On 1/24/07, EIS Lists <[EMAIL PROTECTED]> wrote:

Hi -



Under one of our forward lookup zones (AD-integrated), we have the usual
folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well
as a single folder just named: "1" (without the quotes). There is a single 
A-record  under it for one of our printers.



Any idea what this folder is?



Thanks.



-- nme




 

 



RE: [ActiveDir] Kerberos Question

2007-01-25 Thread Ryan A. Conrad
If you suspect it's the KerbTray tool, you may wish to use KList (part of the 
Reskit) to verify that both are showing the same output.

Ryan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, January 25, 2007 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Question

The Time is the same on the PDC emulator as my PC - no event logs I could find 
- I guess it might be a problem with the tool - I don't have any firewalls 
between my PC and the DC. The loss of the ticket information is what raised the 
flag for me.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, January 25, 2007 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos Question

It could also mean you have a problem with the tool, right?

Are you seeing some other symptoms that caused you to look at this tool?
Time? you can check that pretty easily by checking the time on your machine and 
comparing to a DC in your environment.

What do you see in your system event log?
On 1/25/07, Mike Hogenauer <[EMAIL PROTECTED]> wrote:

Just curious -



I have the resource kit tool Kerbtray running on my taskbar - When I double 
click it; it lists my tickets, etc...

Twice during the day yesterday it turned red and said there were no tickets 
available. It's already done this once today -



When it was showing information it had a ticket renewal until time up to 8 days 
and a start and end time offset of 10 minutes



Does this mean my ticket is getting renewed or that I could have a time 
problem, connecting to the PDC emulator problem, etc.



Thanks in advance for any insight on this.



Mike





RE: [ActiveDir] Kerberos Question

2007-01-25 Thread Mike Hogenauer
Cool - sounds good to me! 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, January 25, 2007 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Question 

 

I think you are seeing your Kerberos tickets start to reach their
expiration time.  The kerbtray icon will go from green to red.  I think
the last 5 or 15 minutes the default configuration will also issue an
audible (and very distinctive) sound.  The tickets will renew
automatically (and the icon will go from red back to green).  This will
happen until you reach the default "renew tickets until..." date.  At
that time you will need to manually renew your ticket unless you do
something like logoff and then logon to automatically get new tickets.

 

Hth,

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, January 25, 2007 1:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Question 

 

Just curious - 

 

I have the resource kit tool Kerbtray running on my taskbar - When I
double click it; it lists my tickets, etc... 

Twice during the day yesterday it turned red and said there were no
tickets available. It's already done this once today - 

 

When it was showing information it had a ticket renewal until time up to
8 days and a start and end time offset of 10 minutes 

 

Does this mean my ticket is getting renewed or that I could have a time
problem, connecting to the PDC emulator problem, etc. 

 

Thanks in advance for any insight on this.

 

Mike 

 



RE: [ActiveDir] Kerberos Question

2007-01-25 Thread Thommes, Michael M.
I think you are seeing your Kerberos tickets start to reach their
expiration time.  The kerbtray icon will go from green to red.  I think
the last 5 or 15 minutes the default configuration will also issue an
audible (and very distinctive) sound.  The tickets will renew
automatically (and the icon will go from red back to green).  This will
happen until you reach the default "renew tickets until..." date.  At
that time you will need to manually renew your ticket unless you do
something like logoff and then logon to automatically get new tickets.

 

Hth,

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, January 25, 2007 1:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Question 

 

Just curious - 

 

I have the resource kit tool Kerbtray running on my taskbar - When I
double click it; it lists my tickets, etc... 

Twice during the day yesterday it turned red and said there were no
tickets available. It's already done this once today - 

 

When it was showing information it had a ticket renewal until time up to
8 days and a start and end time offset of 10 minutes 

 

Does this mean my ticket is getting renewed or that I could have a time
problem, connecting to the PDC emulator problem, etc. 

 

Thanks in advance for any insight on this.

 

Mike 

 



RE: [ActiveDir] Kerberos Question

2007-01-25 Thread Mike Hogenauer
The Time is the same on the PDC emulator as my PC – no event logs I could find 
– I guess it might be a problem with the tool – I don’t have any firewalls 
between my PC and the DC. The loss of the ticket information is what raised the 
flag for me. 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, January 25, 2007 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos Question

 

It could also mean you have a problem with the tool, right? 

Are you seeing some other symptoms that caused you to look at this tool? 
Time? you can check that pretty easily by checking the time on your machine and 
comparing to a DC in your environment. 

What do you see in your system event log? 

On 1/25/07, Mike Hogenauer <[EMAIL PROTECTED]> wrote: 

Just curious – 

 

I have the resource kit tool Kerbtray running on my taskbar – When I double 
click it; it lists my tickets, etc… 

Twice during the day yesterday it turned red and said there were no tickets 
available. It's already done this once today – 

 

When it was showing information it had a ticket renewal until time up to 8 days 
and a start and end time offset of 10 minutes 

 

Does this mean my ticket is getting renewed or that I could have a time 
problem, connecting to the PDC emulator problem, etc. 

 

Thanks in advance for any insight on this.

 

Mike 

 

 



Re: [ActiveDir] Kerberos Question

2007-01-25 Thread Al Mulnick

It could also mean you have a problem with the tool, right?

Are you seeing some other symptoms that caused you to look at this tool?
Time? you can check that pretty easily by checking the time on your machine
and comparing to a DC in your environment.

What do you see in your system event log?

On 1/25/07, Mike Hogenauer <[EMAIL PROTECTED]> wrote:


 Just curious –



I have the resource kit tool Kerbtray running on my taskbar – When I
double click it; it lists my tickets, etc…

Twice during the day yesterday it turned red and said there were no tickets
available. It's already done this once today –



When it was showing information it had a ticket renewal until time up to 8
days and a start and end time offset of 10 minutes



Does this mean my ticket is getting renewed or that I could have a time
problem, connecting to the PDC emulator problem, etc.



Thanks in advance for any insight on this.



Mike





[ActiveDir] Kerberos Question

2007-01-25 Thread Mike Hogenauer
Just curious - 

 

I have the resource kit tool Kerbtray running on my taskbar - When I
double click it; it lists my tickets, etc... 

Twice during the day yesterday it turned red and said there were no
tickets available. It's already done this once today - 

 

When it was showing information it had a ticket renewal until time up to
8 days and a start and end time offset of 10 minutes 

 

Does this mean my ticket is getting renewed or that I could have a time
problem, connecting to the PDC emulator problem, etc. 

 

Thanks in advance for any insight on this.

 

Mike 

 



RE: [ActiveDir] "Add or Remove Programs" GPO

2007-01-25 Thread Darren Mar-Elia
You would not get a permissions problem from that admin. templates policy.
They just don't work that way. So my guess is it's something else. What
happens, as administrator, when you run "appwiz.cpl" from a command prompt?

 

Darren

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den
Wyngaert
Sent: Thursday, January 25, 2007 4:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] "Add or Remove Programs" GPO

 

I did, but the local administrators group has full control on the file. And
of course, my AD admin account is part of the local administrators group on
the workstations (naturally).

 

That's the reason I absolutely don't have a clue, I don't see the relation
in restrictions put in place and the effect on the admin account and when I
start looking for that error message, I don't make progress either... 

 

On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote: 

So what is the NTFS security on C:\WINNT\System32\rundll32.exe?  The error
message could naturally be a false hint, but might as well check it out.

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den
Wyngaert
Sent: Donnerstag, 25. Januar 2007 12:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] "Add or Remove Programs" GPO

 

No NTFS or other restrictions set in that GPO or the PC GPO.

Only some other restrictions like no access to control panel, no messenger,
... stuff.

 

These apply to the specific Users OU + Computer OU, making a User & PC
configuration for those PC's + Users (certain department).

 

My admin account is totally somewhere else in the directory without those
GPO's applied to. The restrictions in the Computer GPO are also not set to
block the admin. I can drilldown the Computer GPO if you want, as I don't
see any relevant setting in it. Otherwise I would be blocking myself and
that's just the point I don't want... 

 

Thanks,

Bart

 

On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote: 

What other things did you change in the same or other GPOs that apply to the
machine you're logging on as admin?  If you've applied some lockdown GPOs
for file-system permissions, those will also apply for your admins 

 

/Guido

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den
Wyngaert
Sent: Mittwoch, 24. Januar 2007 17:38
To: ActiveDir
Subject: [ActiveDir] "Add or Remove Programs" GPO

 

Hi,

 

I've set a GPO for some users that restricts usage of "Add or Remove
Programs" (User Configuration\Administrative Templates\Control Panel\Add or
Remove Programs). This GPO is linked to a specific OU where those users
reside. 

 

But now I have even with admin accounts to which the GPO doesn't apply
(totally different OU location and so on...) problems with opening the
interface, it refers to security that is not correct on
C:\WINNT\System32\rundll32.exe 

 

Is this normal?! Did I miss something before setting this GPO?

 

Thanks,

Bart

 

 



Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

2007-01-25 Thread Paul Williams
You can register records like this by messing up a reverse lookup record 
addition using DNSCMD.

--Paul


  - Original Message - 
  From: EIS Lists 
  To: ActiveDir@mail.activedir.org 
  Sent: Wednesday, January 24, 2007 9:28 PM
  Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone


  Thanks, all. Ulf, your explanation was great! I am sure it was someone 
(probably me!) just typed a .1 in some setting on the printer and allowed it to 
register in DNS. 

   

  Many thanks.

   

  -- nme

   

  Noah Eiger

   


--

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. 
Simon-Weidner
  Sent: Wednesday, January 24, 2007 12:29 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

   

  Just 9:30 pm here, so not really late.

   

  Many are mixing up the zones with the "DNS-Subdomains" or whatever they are 
actually called. But in this case he even had it right, he said that under the 
domain zone he has the "_*"-folders as well as a folder "1". I had to reread 
too ;-)

   

  How are things? See you in March?

   

  Gruesse - Sincerely, 

  Ulf B. Simon-Weidner 

Profile & Publications:   
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D   
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

   

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: Mittwoch, 24. Januar 2007 21:17
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

   

  That's what I would expect.  But since the original poster called it a "zone" 
I figured I'd ask. What are you doing up so late? :)

  On 1/24/07, Ulf B. Simon-Weidner <[EMAIL PROTECTED]> wrote:

  No Zone - no properties ;-)

   

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: Mittwoch, 24. Januar 2007 20:24
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

   

  What are properties of the 1 zone? 

  On 1/24/07, EIS Lists <[EMAIL PROTECTED]> wrote:

  Hi -



  Under one of our forward lookup zones (AD-integrated), we have the usual
  folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well
  as a single folder just named: "1" (without the quotes). There is a single 
  A-record  under it for one of our printers.



  Any idea what this folder is?



  Thanks.



  -- nme





   

   


RE: [ActiveDir] OT: maintaining "creation date" when copying directories?

2007-01-25 Thread Thommes, Michael M.
Hi Ulf,

Thanks for the response!  I tried Robocopy (version XP010) with the
/E /B /COPYALL switches.  It does not seem to have the desired effect
(ie, both the "modified date" and the "creation date" are still the
current date).  Any other thoughts?

 

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Thursday, January 25, 2007 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

Robocopy with the /B-Switch should work.

 

Ulf

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Donnerstag, 25. Januar 2007 13:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

What "move/copy" tools can be used to copy directories/files to another
location and still retain the "creation date" value?  Robocopy seems to
keep creation date on files but directories are given the current date.
Am I missing a switch in Robocopy to do this?  A backup/restore
operation (with ntbackup.exe) retains the "creation date" as one would
expect.  I am just looking for other possible tools.  I should mention
that with all of the tools I've tried, the "modified date" is always the
current date for directories.  Any help is appreciated!

 

Mike Thommes

 



RE: [ActiveDir] OT: maintaining "creation date" when copying directories?

2007-01-25 Thread Ulf B. Simon-Weidner
Robocopy with the /B-Switch should work.

 

Ulf

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Donnerstag, 25. Januar 2007 13:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

What "move/copy" tools can be used to copy directories/files to another
location and still retain the "creation date" value?  Robocopy seems to keep
creation date on files but directories are given the current date.  Am I
missing a switch in Robocopy to do this?  A backup/restore operation (with
ntbackup.exe) retains the "creation date" as one would expect.  I am just
looking for other possible tools.  I should mention that with all of the
tools I've tried, the "modified date" is always the current date for
directories.  Any help is appreciated!

 

Mike Thommes

 



Re: [ActiveDir] "Add or Remove Programs" GPO

2007-01-25 Thread Bart Van den Wyngaert

I did, but the local administrators group has full control on the file. And
of course, my AD admin account is part of the local administrators group on
the workstations (naturally).

That's the reason I absolutely don't have a clue, I don't see the relation
in restrictions put in place and the effect on the admin account and when I
start looking for that error message, I don't make progress either...


On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:


 So what is the NTFS security on C:\WINNT\System32\rundll32.exe?  The
error message could naturally be a false hint, but might as well check it
out.



*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Bart Van den Wyngaert
*Sent:* Donnerstag, 25. Januar 2007 12:00
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] "Add or Remove Programs" GPO



No NTFS or other restrictions set in that GPO or the PC GPO.

Only some other restrictions like no access to control panel, no
messenger, ... stuff.



These apply to the specific Users OU + Computer OU, making a User & PC
configuration for those PC's + Users (certain department).



My admin account is totally somewhere else in the directory without those
GPO's applied to. The restrictions in the Computer GPO are also not set to
block the admin. I can drilldown the Computer GPO if you want, as I don't
see any relevant setting in it. Otherwise I would be blocking myself and
that's just the point I don't want...



Thanks,

Bart



On 1/25/07, *Grillenmeier, Guido* <[EMAIL PROTECTED]> wrote:

What other things did you change in the same or other GPOs that apply to
the machine you're logging on as admin?  If you've applied some lockdown
GPOs for file-system permissions, those will also apply for your admins



/Guido



*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Bart Van den Wyngaert
*Sent:* Mittwoch, 24. Januar 2007 17:38
*To:* ActiveDir
*Subject:* [ActiveDir] "Add or Remove Programs" GPO



Hi,



I've set a GPO for some users that restricts usage of "Add or Remove
Programs" (User Configuration\Administrative Templates\Control Panel\Add or
Remove Programs). This GPO is linked to a specific OU where those users
reside.



But now I have even with admin accounts to which the GPO doesn't apply
(totally different OU location and so on...) problems with opening the
interface, it refers to security that is not correct on
C:\WINNT\System32\rundll32.exe



Is this normal?! Did I miss something before setting this GPO?



Thanks,

Bart





[ActiveDir] OT: maintaining "creation date" when copying directories?

2007-01-25 Thread Thommes, Michael M.
What "move/copy" tools can be used to copy directories/files to another
location and still retain the "creation date" value?  Robocopy seems to
keep creation date on files but directories are given the current date.
Am I missing a switch in Robocopy to do this?  A backup/restore
operation (with ntbackup.exe) retains the "creation date" as one would
expect.  I am just looking for other possible tools.  I should mention
that with all of the tools I've tried, the "modified date" is always the
current date for directories.  Any help is appreciated!

 

Mike Thommes

 



RE: [ActiveDir] "Add or Remove Programs" GPO

2007-01-25 Thread Grillenmeier, Guido
So what is the NTFS security on C:\WINNT\System32\rundll32.exe?  The error 
message could naturally be a false hint, but might as well check it out.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den 
Wyngaert
Sent: Donnerstag, 25. Januar 2007 12:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] "Add or Remove Programs" GPO

No NTFS or other restrictions set in that GPO or the PC GPO.
Only some other restrictions like no access to control panel, no messenger, ... 
stuff.

These apply to the specific Users OU + Computer OU, making a User & PC 
configuration for those PC's + Users (certain department).

My admin account is totally somewhere else in the directory without those GPO's 
applied to. The restrictions in the Computer GPO are also not set to block the 
admin. I can drilldown the Computer GPO if you want, as I don't see any 
relevant setting in it. Otherwise I would be blocking myself and that's just 
the point I don't want...

Thanks,
Bart


On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:

What other things did you change in the same or other GPOs that apply to the 
machine you're logging on as admin?  If you've applied some lockdown GPOs for 
file-system permissions, those will also apply for your admins



/Guido



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bart Van den Wyngaert
Sent: Mittwoch, 24. Januar 2007 17:38
To: ActiveDir
Subject: [ActiveDir] "Add or Remove Programs" GPO



Hi,



I've set a GPO for some users that restricts usage of "Add or Remove Programs" 
(User Configuration\Administrative Templates\Control Panel\Add or Remove 
Programs). This GPO is linked to a specific OU where those users reside.



But now I have even with admin accounts to which the GPO doesn't apply (totally 
different OU location and so on...) problems with opening the interface, it 
refers to security that is not correct on C:\WINNT\System32\rundll32.exe



Is this normal?! Did I miss something before setting this GPO?



Thanks,

Bart


