Re: [ActiveDir] flaky gpo
thanks. just so i know for sure- in win 2000, this is not possible with a custom adm perference without running into the issues mentioned with ipconfig before? thanks again On 9/27/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Yeah. what you said ;)Give me some time - I'll think up an explanation for why I F'ed the whole thing up.Sincerely,Dèjì Akómöláfé, MCSE+M MCSA+M MCP+IMicrosoft MVP - Directory Serviceswww.readymaids.com - we know IT www.akomolafe.comDo you now realize that Today is the Tomorrow you were worried aboutYesterday?-anonFrom: [EMAIL PROTECTED] on behalf of Darren Mar-EliaSent: Mon 9/26/2005 2:29 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] flaky gpoAs far as I can tell, DNS Suffix Search Order is not adapter specific, but rather, if you set it from the Network Connections applet, it is applied toall adapters on the system and set in the following registry value:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchL ist. Maybe you can override it per-adapter, but I didn't see where.When you set the policy, as you noted, the registry value is set atHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\DNSClient\SearchList. This is pretty common where some component has a primary registry location for configuration but then if it falls underpolicy control there is a reg value under the Policies key that overrides thenative location, so I suspect that is what is happening I tried doing a Regmon while issuing an ipconfig /all and I didn't see anyqueries against either of these two reg. values. That might mean thatipconfig uses some API call instead of reading out of the registry directly. This makes sense since there are obviously two potential locations that couldhold the value, depending upon whether the policy has been set or not. I'malmost positive that ping is using an API call rather than reading the registry, so the up-to-dateness of these tools depends upon when policy isrefreshed.-Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]Sent: Monday, September 26, 2005 12:54 PM To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] flaky gpoCool. Good to know.In the meantime, this http://www.akomolafe.com/LinkClick.aspx?link=change-DNS-Suffixes-thru-GPO.txttabid=63mid=431 is (IMO) as good as the adm you are doing now, and it*should* take care of the ipconfig discrepancies. Again, I am not able to test it right now to prove the ipconfig theory, so YMMV.TTY tomorrow :)Sincerely,Dèjì Akómöláfé, MCSE+M MCSA+M MCP+IMicrosoft MVP - Directory Services www.readymaids.com - we know ITwww.akomolafe.comDo you now realize that Today is the Tomorrow you were worried aboutYesterday?-anon From: [EMAIL PROTECTED] on behalf of Tom KernSent: Mon 9/26/2005 12:09 PMTo: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] flaky gpooh yeah,-wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) returns the correctsuffix orderOn 9/26/05, Tom Kern [EMAIL PROTECTED] wrote: my gpo sets it atHKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. I created a Reg_SZ value called SearchList with the suffix valuesand that shows up when you right click the adapter under DNS tab. However, windows seems to use the other key for things like ping anddrive mappings,etc. the only way the ipconfig.exe output changes to reflect the gui is ifyou issue an ipconfig/renew. Unfortuantely, the other key(that you gave me) has a guid for eachadapter. How am I supposed to set this via a custom adm? thanks for all your help. On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED]mailto:[EMAIL PROTECTED] wrote: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfa ces BTW, does this return the correct suffix for you? wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) I'm just curious, and not at a place where I can test. Iwon't be able to see your response for a long time. Going offline. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com http://www.readymaids.com/- we know IT www.akomolafe.com http://www.akomolafe.com/ Do you now realize that Today is the Tomorrow you were worried about Yesterday?-anon From: [EMAIL PROTECTED] on behalf of TomKern Sent: Mon 9/26/2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] flaky gpo thanks. disregard that last email... i guess if i find out where ipconfig reads it, i can make aadm to reflect that and push it out? Does this also apply to the real policy that comes withwinxp/2k3 as well? thanks again!! On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED]mailto:[EMAIL PROTECTED] wrote:When MS introduced that GPO ability, someone forgot to remember whereipconfig looks for the information it displays.Ipconfig reads the registryfor the information, but the suffix adm/gpo is notstored in the same location
Re: [ActiveDir] flaky gpo
ok, last time i reply to my own email :) I applied a gpo to add 3 domains to the dns suffix search order. these 3 domains show up in the gui, when you right click a net adapter but the change is not reflected when you do an ipconfig. the output of ipconfig.exe is different than whats in the gui in network connections. also, when you ping a unqaulified name, it doesn't apply the search list from the gui but rather the one in the output from ipconfig.exe why is that? does ipconfig.exe get net info from a different place than the gui in network connections? why would the gpo apply to the network connections info but NOT the ipconfig.exe info you see in cmd.exe? and why is ping.exe only using the one in ipconfig.exe and not the network connections one. thanks P.S.- all clients are dhcp, if that provides any clue. thanks again. On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote: To further elaborate, the setting i'm trying to apply is a custom adm file to add the dns search suffix to tcp/ip props. all clients are win2k. some get it, some never get it. the really weird thing is, some clients after being reboot never get it but when you type ipconfig /release and then renew, they get it. Thats bizzare. how would a reboot not get the pol but i release/renew would? thnaks again. On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote: I have a computer portion gpo at the domain level that is a little flaky. For some pc's it applies, others take a number of reboots. All my pc's are win2k. The gpt has replicated to all DC's in all sites. When i enable userenv debugging on the affected pc, this is what i get - USERENV(a8.1e0) 08:23:36:191 MyGetUserName: GetUserNameEx failed with 1326 I can't find what this error means anywhere. It also fails with error 1317 as well. Does anyone know? thanks
RE: [ActiveDir] flaky gpo
When MS introduced that GPO ability, someone forgot to remember where ipconfig looks for the information it displays. Ipconfig reads the registry for the information, but the suffix adm/gpo is not stored in the same location, so ipconfig will never be able to report whatever you are setting in the adm/gpo. You are not crazy. You are just observing some known feature. I can not answer why some clients are not getting your gpo settings, though. That task is reserved for gpoguy, who will be around very shortly ;) Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Tom Kern Sent: Mon 9/26/2005 9:42 AM To: activedirectory Subject: Re: [ActiveDir] flaky gpo ok, last time i reply to my own email :) I applied a gpo to add 3 domains to the dns suffix search order. these 3 domains show up in the gui, when you right click a net adapter but the change is not reflected when you do an ipconfig. the output of ipconfig.exe is different than whats in the gui in network connections. also, when you ping a unqaulified name, it doesn't apply the search list from the gui but rather the one in the output from ipconfig.exe why is that? does ipconfig.exe get net info from a different place than the gui in network connections? why would the gpo apply to the network connections info but NOT the ipconfig.exe info you see in cmd.exe? and why is ping.exe only using the one in ipconfig.exe and not the network connections one. thanks P.S.- all clients are dhcp, if that provides any clue. thanks again. On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote: To further elaborate, the setting i'm trying to apply is a custom adm file to add the dns search suffix to tcp/ip props. all clients are win2k. some get it, some never get it. the really weird thing is, some clients after being reboot never get it but when you type ipconfig /release and then renew, they get it. Thats bizzare. how would a reboot not get the pol but i release/renew would? thnaks again. On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote: I have a computer portion gpo at the domain level that is a little flaky. For some pc's it applies, others take a number of reboots. All my pc's are win2k. The gpt has replicated to all DC's in all sites. When i enable userenv debugging on the affected pc, this is what i get - USERENV(a8.1e0) 08:23:36:191 MyGetUserName: GetUserNameEx failed with 1326 I can't find what this error means anywhere. It also fails with error 1317 as well. Does anyone know? thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] flaky gpo
thanks. disregard that last email... i guess if i find out where ipconfig reads it, i can make a adm to reflect that and push it out? Does this also apply to the real policy that comes with winxp/2k3 as well? thanks again!! On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: When MS introduced that GPO ability, someone forgot to remember whereipconfig looks for the information it displays. Ipconfig reads the registry for the information, but the suffix adm/gpo is not stored in the samelocation, so ipconfig will never be able to report whatever you are settingin the adm/gpo.You are not crazy. You are just observing some known feature. I can not answer why some clients are not getting your gpo settings, though.That task is reserved for gpoguy, who will be around very shortly ;)Sincerely,Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Serviceswww.readymaids.com - we know ITwww.akomolafe.comDo you now realize that Today is the Tomorrow you were worried about Yesterday?-anonFrom: [EMAIL PROTECTED] on behalf of Tom KernSent: Mon 9/26/2005 9:42 AM To: activedirectorySubject: Re: [ActiveDir] flaky gpook, last time i reply to my own email :)I applied a gpo to add 3 domains to the dns suffix search order.these 3 domains show up in the gui, when you right click a net adapter but the change is not reflected when you do an ipconfig.the output of ipconfig.exe is different than whats in the gui in networkconnections.also, when you ping a unqaulified name, it doesn't apply the search list from the gui but rather the one in the output from ipconfig.exewhy is that?does ipconfig.exe get net info from a different place than the gui innetwork connections?why would the gpo apply to the network connections info but NOT the ipconfig.exe info you see in cmd.exe?and why is ping.exe only using the one in ipconfig.exe and not the networkconnections one.thanksP.S.- all clients are dhcp, if that provides any clue. thanks again.On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote: To further elaborate, the setting i'm trying to apply is a custom admfile to add the dns search suffix to tcp/ip props. all clients are win2k. some get it, some never get it.the really weird thing is, some clients after being reboot never getit but when you type ipconfig /release and then renew, they get it. Thats bizzare. how would a reboot not get the pol but i release/renew would? thnaks again. On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote: I have a computer portion gpo at the domain level that is alittle flaky. For some pc's it applies, others take a number of reboots. All my pc's are win2k. The gpt has replicated to all DC's in all sites. When i enable userenv debugging on the affected pc, this iswhat i get - USERENV(a8.1e0) 08:23:36:191 MyGetUserName:GetUserNameEx failed with 1326 I can't find what this error means anywhere. It also failswith error 1317 as well. Does anyone know? thanksList info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] flaky gpo
my gpo sets it at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. I created a Reg_SZ value called SearchList with the suffix values and that shows up when you right click the adapter under DNS tab. However, windows seems to use the other key for things like ping and drive mappings,etc. the only way the ipconfig.exe output changes to reflect the gui is if you issue an ipconfig/renew. Unfortuantely, the other key(that you gave me) has a guid for each adapter. How am I supposed to set this via a custom adm? thanks for all your help. On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\InterfacesBTW, does this return the correct suffix for you? wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd)I'm just curious, and not at a place where I can test. I won't be able to seeyour response for a long time. Going offline.Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+IMicrosoft MVP - Directory Serviceswww.readymaids.com - we know ITwww.akomolafe.comDo you now realize that Today is the Tomorrow you were worried about Yesterday?-anonFrom: [EMAIL PROTECTED] on behalf of Tom KernSent: Mon 9/26/2005 11:28 AM To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] flaky gpothanks.disregard that last email...i guess if i find out where ipconfig reads it, i can make a adm to reflect that and push it out?Does this also apply to the real policy that comes with winxp/2k3 as well?thanks again!!On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: When MS introduced that GPO ability, someone forgot to remember where ipconfig looks for the information it displays. Ipconfig reads the registry for the information, but the suffix adm/gpo is not stored in the same location, so ipconfig will never be able to report whatever you aresetting in the adm/gpo. You are not crazy. You are just observing some known feature. I can not answer why some clients are not getting your gpo settings,though. That task is reserved for gpoguy, who will be around very shortly;) Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday?-anon From: [EMAIL PROTECTED] on behalf of Tom Kern Sent: Mon 9/26/2005 9:42 AM To: activedirectory Subject: Re: [ActiveDir] flaky gpo ok, last time i reply to my own email :) I applied a gpo to add 3 domains to the dns suffix search order. these 3 domains show up in the gui, when you right click a netadapter but the change is not reflected when you do an ipconfig. the output of ipconfig.exe is different than whats in the gui innetwork connections. also, when you ping a unqaulified name, it doesn't apply the searchlist from the gui but rather the one in the output from ipconfig.exe why is that? does ipconfig.exe get net info from a different place than the guiin network connections? why would the gpo apply to the network connections info but NOT the ipconfig.exe info you see in cmd.exe? and why is ping.exe only using the one in ipconfig.exe and not the network connections one. thanks P.S.- all clients are dhcp, if that provides any clue. thanks again. On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote:To further elaborate, the setting i'm trying to apply is acustom adm file to add the dns search suffix to tcp/ip props.all clients are win2k. some get it, some never get it. the really weird thing is, some clients after being rebootnever get it but when you type ipconfig /release and then renew, they get it.Thats bizzare.how would a reboot not get the pol but i release/renew would?thnaks again.On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote:I have a computer portion gpo at the domain level thatis a little flaky.For some pc's it applies, others take a number of reboots.All my pc's are win2k.The gpt has replicated to all DC's in all sites.When i enable userenv debugging on the affected pc,this is what i get -USERENV(a8.1e0) 08:23:36:191 MyGetUserName:GetUserNameEx failed with 1326I can't find what this error means anywhere. It also fails with error 1317 as well.Does anyone know?thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive:http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] flaky gpo
oh yeah,- wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) returns the correct suffix order On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote: my gpo sets it at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. I created a Reg_SZ value called SearchList with the suffix values and that shows up when you right click the adapter under DNS tab. However, windows seems to use the other key for things like ping and drive mappings,etc. the only way the ipconfig.exe output changes to reflect the gui is if you issue an ipconfig/renew. Unfortuantely, the other key(that you gave me) has a guid for each adapter. How am I supposed to set this via a custom adm? thanks for all your help. On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\InterfacesBTW, does this return the correct suffix for you? wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd)I'm just curious, and not at a place where I can test. I won't be able to seeyour response for a long time. Going offline.Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+IMicrosoft MVP - Directory Serviceswww.readymaids.com - we know IT www.akomolafe.comDo you now realize that Today is the Tomorrow you were worried about Yesterday?-anon From: [EMAIL PROTECTED] on behalf of Tom Kern Sent: Mon 9/26/2005 11:28 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] flaky gpo thanks.disregard that last email...i guess if i find out where ipconfig reads it, i can make a adm to reflect that and push it out?Does this also apply to the real policy that comes with winxp/2k3 as well? thanks again!!On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: When MS introduced that GPO ability, someone forgot to remember where ipconfig looks for the information it displays. Ipconfig reads the registry for the information, but the suffix adm/gpo is not stored in the same location, so ipconfig will never be able to report whatever you aresetting in the adm/gpo. You are not crazy. You are just observing some known feature. I can not answer why some clients are not getting your gpo settings, though. That task is reserved for gpoguy, who will be around very shortly;) Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday?-anon From: [EMAIL PROTECTED] on behalf of Tom Kern Sent: Mon 9/26/2005 9:42 AM To: activedirectory Subject: Re: [ActiveDir] flaky gpo ok, last time i reply to my own email :) I applied a gpo to add 3 domains to the dns suffix search order. these 3 domains show up in the gui, when you right click a netadapter but the change is not reflected when you do an ipconfig. the output of ipconfig.exe is different than whats in the gui innetwork connections. also, when you ping a unqaulified name, it doesn't apply the searchlist from the gui but rather the one in the output from ipconfig.exe why is that? does ipconfig.exe get net info from a different place than the guiin network connections? why would the gpo apply to the network connections info but NOT the ipconfig.exe info you see in cmd.exe? and why is ping.exe only using the one in ipconfig.exe and not the network connections one. thanks P.S.- all clients are dhcp, if that provides any clue. thanks again. On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote:To further elaborate, the setting i'm trying to apply is acustom adm file to add the dns search suffix to tcp/ip props.all clients are win2k. some get it, some never get it. the really weird thing is, some clients after being rebootnever get it but when you type ipconfig /release and then renew, they get it.Thats bizzare.how would a reboot not get the pol but i release/renew would?thnaks again.On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote:I have a computer portion gpo at the domain level thatis a little flaky.For some pc's it applies, others take a number of reboots.All my pc's are win2k.The gpt has replicated to all DC's in all sites.When i enable userenv debugging on the affected pc,this is what i get -USERENV(a8.1e0) 08:23:36:191 MyGetUserName:GetUserNameEx failed with 1326I can't find what this error means anywhere. It also fails with error 1317 as well.Does anyone know?thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive:http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] flaky gpo
Cool. Good to know. In the meantime, this http://www.akomolafe.com/LinkClick.aspx?link=change-DNS-Suffixes-thru-GPO.txt tabid=63mid=431 is (IMO) as good as the adm you are doing now, and it *should* take care of the ipconfig discrepancies. Again, I am not able to test it right now to prove the ipconfig theory, so YMMV. TTY tomorrow :) Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Tom Kern Sent: Mon 9/26/2005 12:09 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] flaky gpo oh yeah,- wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) returns the correct suffix order On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote: my gpo sets it at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. I created a Reg_SZ value called SearchList with the suffix values and that shows up when you right click the adapter under DNS tab. However, windows seems to use the other key for things like ping and drive mappings,etc. the only way the ipconfig.exe output changes to reflect the gui is if you issue an ipconfig/renew. Unfortuantely, the other key(that you gave me) has a guid for each adapter. How am I supposed to set this via a custom adm? thanks for all your help. On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfa ces BTW, does this return the correct suffix for you? wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) I'm just curious, and not at a place where I can test. I won't be able to see your response for a long time. Going offline. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com http://www.readymaids.com/ - we know IT www.akomolafe.com http://www.akomolafe.com/ Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Tom Kern Sent: Mon 9/26/2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] flaky gpo thanks. disregard that last email... i guess if i find out where ipconfig reads it, i can make a adm to reflect that and push it out? Does this also apply to the real policy that comes with winxp/2k3 as well? thanks again!! On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: When MS introduced that GPO ability, someone forgot to remember where ipconfig looks for the information it displays. Ipconfig reads the registry for the information, but the suffix adm/gpo is not stored in the same location, so ipconfig will never be able to report whatever you are setting in the adm/gpo. You are not crazy. You are just observing some known feature. I can not answer why some clients are not getting your gpo settings, though. That task is reserved for gpoguy, who will be around very shortly ;) Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com http://www.readymaids.com/ - we know IT www.akomolafe.com http://www.akomolafe.com/ Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Tom Kern Sent: Mon 9/26/2005 9:42 AM To: activedirectory Subject: Re: [ActiveDir] flaky gpo
Re: [ActiveDir] flaky gpo
thanks alot!! quick ques- if i machine already has a static entry in the suffix search order, will this script wipe out that entry or append to it? same question for the GPO verison- will it add or wipe out? thanks again On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Cool. Good to know.In the meantime, this http://www.akomolafe.com/LinkClick.aspx?link=change-DNS-Suffixes-thru-GPO.txttabid=63mid=431 is (IMO) as good as the adm you are doing now, and it*should* take care of the ipconfig discrepancies. Again, I am not able to test it right now to prove the ipconfig theory, so YMMV.TTY tomorrow :)Sincerely,Dèjì Akómöláfé, MCSE+M MCSA+M MCP+IMicrosoft MVP - Directory Services www.readymaids.com - we know ITwww.akomolafe.comDo you now realize that Today is the Tomorrow you were worried aboutYesterday?-anon From: [EMAIL PROTECTED] on behalf of Tom KernSent: Mon 9/26/2005 12:09 PMTo: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] flaky gpooh yeah,-wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) returns the correctsuffix orderOn 9/26/05, Tom Kern [EMAIL PROTECTED] wrote: my gpo sets it atHKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. I created a Reg_SZ value called SearchList with the suffix valuesand that shows up when you right click the adapter under DNS tab. However, windows seems to use the other key for things like ping anddrive mappings,etc. the only way the ipconfig.exe output changes to reflect the gui is ifyou issue an ipconfig/renew. Unfortuantely, the other key(that you gave me) has a guid for eachadapter. How am I supposed to set this via a custom adm? thanks for all your help. On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED]mailto:[EMAIL PROTECTED] wrote: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfa ces BTW, does this return the correct suffix for you? wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) I'm just curious, and not at a place where I can test. Iwon't be able to see your response for a long time. Going offline. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com http://www.readymaids.com/- we know IT www.akomolafe.com http://www.akomolafe.com/ Do you now realize that Today is the Tomorrow you were worried about Yesterday?-anon From: [EMAIL PROTECTED] on behalf of TomKern Sent: Mon 9/26/2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] flaky gpo thanks. disregard that last email... i guess if i find out where ipconfig reads it, i can make aadm to reflect that and push it out? Does this also apply to the real policy that comes withwinxp/2k3 as well? thanks again!! On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED]mailto:[EMAIL PROTECTED] wrote:When MS introduced that GPO ability, someone forgot to remember whereipconfig looks for the information it displays.Ipconfig reads the registryfor the information, but the suffix adm/gpo is notstored in the same location, so ipconfig will never be able to reportwhatever you are settingin the adm/gpo.You are not crazy. You are just observing some known feature.I can not answer why some clients are not getting yourgpo settings, though.That task is reserved for gpoguy, who will be around very shortly ;)Sincerely,Dèjì Akómöláfé, MCSE+M MCSA+M MCP+IMicrosoft MVP - Directory Services www.readymaids.com http://www.readymaids.com/- weknow ITwww.akomolafe.com http://www.akomolafe.com/Do you now realize that Today is the Tomorrow you wereworried aboutYesterday?-anon From: [EMAIL PROTECTED] on behalf ofTom KernSent: Mon 9/26/2005 9:42 AM To: activedirectorySubject: Re: [ActiveDir] flaky gpook, last time i reply to my own email :)I applied a gpo to add 3 domains to the dns suffix search order.these 3 domains show up in the gui, when you rightclick a net adapter butthe change is not reflected when you do an ipconfig. the output of ipconfig.exe is different than whatsin the gui in networkconnections.also, when you ping a unqaulified name, it doesn't apply the search list fromthe gui but rather the one in the output fromipconfig.exewhy is that?does ipconfig.exe get net info from a differentplace than the gui innetwork connections?why would the gpo apply to the network connections info but NOT theipconfig.exe info you see in cmd.exe?and why is ping.exe only using the one in ipconfig.exeand not the networkconnections one. thanksP.S.- all clients are dhcp, if that provides any clue.thanks again.On 9/26/05, Tom Kern [EMAIL PROTECTED]mailto:[EMAIL PROTECTED] wrote: To further elaborate, the setting i'm trying to apply is a custom admfile to add the dns search suffix to tcp/ip props. all clients are win2k. some get it, some never get it. the really weird thing is, some clients afterbeing reboot never getit but when you type ipconfig /release and thenrenew, they get it. Thats bizzare. how would a reboot not get
Re: [ActiveDir] flaky gpo
The guy in link using a batch file to call the VBS Script, You can directly put the VBS file into startup folder, instead of calling it from netlogon. Also, I guess, %logonserver% might create problem, as it might not be defined by the time, script runs. On 9/27/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Cool. Good to know.In the meantime, this http://www.akomolafe.com/LinkClick.aspx?link=change-DNS-Suffixes-thru-GPO.txttabid=63mid=431 is (IMO) as good as the adm you are doing now, and it*should* take care of the ipconfig discrepancies. Again, I am not able to test it right now to prove the ipconfig theory, so YMMV.TTY tomorrow :)Sincerely,Dèjì Akómöláfé, MCSE+M MCSA+M MCP+IMicrosoft MVP - Directory Services www.readymaids.com - we know ITwww.akomolafe.comDo you now realize that Today is the Tomorrow you were worried aboutYesterday?-anon From: [EMAIL PROTECTED] on behalf of Tom KernSent: Mon 9/26/2005 12:09 PMTo: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] flaky gpooh yeah,-wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) returns the correctsuffix order
RE: [ActiveDir] flaky gpo
As far as I can tell, DNS Suffix Search Order is not adapter specific, but rather, if you set it from the Network Connections applet, it is applied to all adapters on the system and set in the following registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList. Maybe you can override it per-adapter, but I didn't see where. When you set the policy, as you noted, the registry value is set at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\SearchList. This is pretty common where some component has a primary registry location for configuration but then if it falls under policy control there is a reg value under the Policies key that overrides the native location, so I suspect that is what is happening I tried doing a Regmon while issuing an ipconfig /all and I didn't see any queries against either of these two reg. values. That might mean that ipconfig uses some API call instead of reading out of the registry directly. This makes sense since there are obviously two potential locations that could hold the value, depending upon whether the policy has been set or not. I'm almost positive that ping is using an API call rather than reading the registry, so the up-to-dateness of these tools depends upon when policy is refreshed. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, September 26, 2005 12:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] flaky gpo Cool. Good to know. In the meantime, this http://www.akomolafe.com/LinkClick.aspx?link=change-DNS-Suffixes-thru-GPO.txttabid=63mid=431 is (IMO) as good as the adm you are doing now, and it *should* take care of the ipconfig discrepancies. Again, I am not able to test it right now to prove the ipconfig theory, so YMMV. TTY tomorrow :) Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Tom Kern Sent: Mon 9/26/2005 12:09 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] flaky gpo oh yeah,- wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) returns the correct suffix order On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote: my gpo sets it at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. I created a Reg_SZ value called SearchList with the suffix values and that shows up when you right click the adapter under DNS tab. However, windows seems to use the other key for things like ping and drive mappings,etc. the only way the ipconfig.exe output changes to reflect the gui is if you issue an ipconfig/renew. Unfortuantely, the other key(that you gave me) has a guid for each adapter. How am I supposed to set this via a custom adm? thanks for all your help. On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfa ces BTW, does this return the correct suffix for you? wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) I'm just curious, and not at a place where I can test. I won't be able to see your response for a long time. Going offline. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com http://www.readymaids.com/ - we know IT www.akomolafe.com http://www.akomolafe.com/ Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Tom Kern Sent: Mon 9/26/2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] flaky gpo thanks. disregard that last email... i guess if i find out where ipconfig reads it, i can make a adm to reflect that and push it out? Does this also apply to the real policy that comes with winxp/2k3 as well? thanks again!! On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: When MS introduced that GPO
Re: [ActiveDir] flaky gpo
The adm i set, directly sets the HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList value, NOT the policies key. Its for win2k, so its a tattoo, not a policiy. that other key never comes into play. as i stated, in the net coonections applet it changed the adapter. when doing an ipconfig, it didn't show up. drive mappings and pings with single label names failed(we don't use netbios) even though it showed up in the adapter gui. i suspect, ipconfig uses the Interfaces key under Parameters in the int guid key. and so does ping and net use? thanks On 9/26/05, Darren Mar-Elia [EMAIL PROTECTED] wrote: As far as I can tell, DNS Suffix Search Order is not adapter specific, but rather, if you set it from the Network Connections applet, it is applied to all adapters on the system and set in the following registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList. Maybe you can override it per-adapter, but I didn't see where. When you set the policy, as you noted, the registry value is set at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\SearchList. This is pretty common where some component has a primary registry location for configuration but then if it falls under policy control there is a reg value under the Policies key that overrides the native location, so I suspect that is what is happening I tried doing a Regmon while issuing an ipconfig /all and I didn't see any queries against either of these two reg. values. That might mean that ipconfig uses some API call instead of reading out of the registry directly. This makes sense since there are obviously two potential locations that could hold the value, depending upon whether the policy has been set or not. I'm almost positive that ping is using an API call rather than reading the registry, so the up-to-dateness of these tools depends upon when policy is refreshed. -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of [EMAIL PROTECTED]Sent: Monday, September 26, 2005 12:54 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] flaky gpo Cool. Good to know.In the meantime, thishttp://www.akomolafe.com/LinkClick.aspx?link=change-DNS-Suffixes-thru-GPO.txttabid=63mid=431 is (IMO) as good as the adm you are doing now, and it*should* take care of the ipconfig discrepancies. Again, I am not able to test it right now to prove the ipconfig theory, so YMMV.TTY tomorrow :) Sincerely,Dèjì Akómöláfé, MCSE+M MCSA+M MCP+IMicrosoft MVP - Directory Serviceswww.readymaids.com - we know ITwww.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday?-anonFrom: [EMAIL PROTECTED] on behalf of Tom KernSent: Mon 9/26/2005 12:09 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] flaky gpooh yeah,-wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) returns the correct suffix order On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote: my gpo sets it atHKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. I created a Reg_SZ value called SearchList with the suffix values and that shows up when you right click the adapter under DNS tab. However, windows seems to use the other key for things like ping and drive mappings,etc. the only way the ipconfig.exe output changes to reflect the gui is if you issue an ipconfig/renew. Unfortuantely, the other key(that you gave me) has a guid for each adapter. How am I supposed to set this via a custom adm? thanks for all your help. On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfa ces BTW, does this return the correct suffix for you? wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) I'm just curious, and not at a place where I can test. I won't be able to see your response for a long time. Going offline. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com http://www.readymaids.com/- we know IT www.akomolafe.com http://www.akomolafe.com/ Do you now realize that Today is the Tomorrow you were worried about Yesterday?-anon From: [EMAIL PROTECTED] on behalf of Tom Kern Sent: Mon 9/26/2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] flaky gpo thanks. disregard that last email... i guess if i find out where ipconfig reads it, i can make a adm to reflect that and push it out? Does this also apply to the real policy that comes with winxp/2k3 as well? thanks again!! On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:When MS introduced that GPO ability, someone forgot to remember whereipconfig looks for the information it displays. Ipconfig reads the registryfor the information, but the suffix adm/gpo is not stored in the samelocation, so ipconfig will never be able to report whatever you are settingin the adm
RE: [ActiveDir] flaky gpo
Yeah. what you said ;) Give me some time - I'll think up an explanation for why I F'ed the whole thing up. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia Sent: Mon 9/26/2005 2:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] flaky gpo As far as I can tell, DNS Suffix Search Order is not adapter specific, but rather, if you set it from the Network Connections applet, it is applied to all adapters on the system and set in the following registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchL ist. Maybe you can override it per-adapter, but I didn't see where. When you set the policy, as you noted, the registry value is set at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\SearchList. This is pretty common where some component has a primary registry location for configuration but then if it falls under policy control there is a reg value under the Policies key that overrides the native location, so I suspect that is what is happening I tried doing a Regmon while issuing an ipconfig /all and I didn't see any queries against either of these two reg. values. That might mean that ipconfig uses some API call instead of reading out of the registry directly. This makes sense since there are obviously two potential locations that could hold the value, depending upon whether the policy has been set or not. I'm almost positive that ping is using an API call rather than reading the registry, so the up-to-dateness of these tools depends upon when policy is refreshed. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, September 26, 2005 12:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] flaky gpo Cool. Good to know. In the meantime, this http://www.akomolafe.com/LinkClick.aspx?link=change-DNS-Suffixes-thru-GPO.txt tabid=63mid=431 is (IMO) as good as the adm you are doing now, and it *should* take care of the ipconfig discrepancies. Again, I am not able to test it right now to prove the ipconfig theory, so YMMV. TTY tomorrow :) Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Tom Kern Sent: Mon 9/26/2005 12:09 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] flaky gpo oh yeah,- wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) returns the correct suffix order On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote: my gpo sets it at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. I created a Reg_SZ value called SearchList with the suffix values and that shows up when you right click the adapter under DNS tab. However, windows seems to use the other key for things like ping and drive mappings,etc. the only way the ipconfig.exe output changes to reflect the gui is if you issue an ipconfig/renew. Unfortuantely, the other key(that you gave me) has a guid for each adapter. How am I supposed to set this via a custom adm? thanks for all your help. On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfa ces BTW, does this return the correct suffix for you? wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) I'm just curious, and not at a place where I can test. I won't be able to see your response for a long time. Going offline. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com http://www.readymaids.com/ - we know IT www.akomolafe.com http://www.akomolafe.com/ Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Tom Kern Sent: Mon 9/26/2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] flaky gpo thanks. disregard that last email... i guess
