Re: DC eventid 1168, bizarre behavior

[Elijah Buck]

Thanks for the suggestion. The behavior with Windows Update does seem
to suggest that. However, from what I can gather from Task Manager it
does not appear to be the problem:

Freshly booted:
Physical Memory: Total 2046, Cache 730, Free 369
Kernel: Total 203, Paged 139, Nonpaged 64
System: handles 27885, Thread 844, Processes 67

In its current semi-broken state:
Physical Memory: Total 2046, Cache 938, Free 83
Kernel:Total 199, Paged 135, Nonpaged 63
System: handles 29464, Threads 863, Processes 69

Do you think its worth running poolmon with numbers like that? It must
be running out of some other resource...

On Mon, Jan 28, 2013 at 8:29 PM, Ken Schaefer  wrote:
> Maybe you are running out of system resources (like non-paged pool). You can 
> try using poolmon to diagnose that (there's an old blog post on my blog about 
> using that tool)
>
> Cheers
> Ken
>
> -Original Message-
> From: Elijah Buck [mailto:elijah.b...@gmail.com]
> Sent: Tuesday, 29 January 2013 12:10 PM
> To: NT System Admin Issues
> Subject: Re: DC eventid 1168, bizarre behavior
>
> Yes, we ran adprep /rodc from the server 2008 cd. The RODC appears to be 
> functioning correctly. The servers with event id 1168 are not rodc, by the 
> way, if that wasn't clear.
>
> Elijah
> Sent from my iPhone
>
> On Jan 28, 2013, at 6:57 PM, Greg Olson  wrote:
>
>> Did you prep the domain for the read-only dc using the adprep /rodcprep cmd?
>> http://technet.microsoft.com/en-us/library/cc771055(v=ws.10).aspx
>>
>> Even if you have no 2003 servers if I remember right (and I could be wrong) 
>> you still need to do the above with certain versions of Samba.
>>
>>
>> -Greg
>>
>>
>> -Original Message-
>> From: Elijah Buck [mailto:elijah.b...@gmail.com]
>> Sent: Monday, January 28, 2013 1:58 PM
>> To: NT System Admin Issues
>> Subject: DC eventid 1168, bizarre behavior
>>
>> Hello,
>>
>> I've been battling an odd issue with our domain controllers, and am 
>> completely stumped. This seems to have been precipitated by adding a Read 
>> Only Domain Controller and adding a number of Linux samba servers. The 
>> symptoms of the issue follows:
>>
>> On DC11 (2008 sp2 ReadWrite DC, 2GB ram, virtual machine on ESXi 5.0u2):
>>
>> 0.) cpu usage is low, typically under 5%. Memory is 800M cached. 118M free.
>>
>> 1.) In the Directory Service event log the following two errors are logged:
>> *Event ID 1168 - Internal error: An Active Directory Domain Services error 
>> has occured.
>> Additional data: Error value (decimal): 1450, Error Value (hex): 5aa, 
>> Internal ID: 124048b *Event ID 1168 - Internal error: An Active Directory 
>> Domain Services error has occured.
>> Additional data: Error value (decimal): 1450, Error Value (hex): 5aa,
>> Internal ID: 1240627
>>
>> 2.) This has happened three times on DC11, and once on DC10 (also 2008 sp2). 
>> The time that it affected both DC11 and DC10, manually pushing 
>> passwords-to-be-cached to the RODC failed.
>>
>> 3.) Trying to read the properties of an object with ADSI edit (connected to 
>> DC11) returns:
>> Windows could not load the values for all the attributes. Operation failed. 
>> Error Code:
>> 0x2121. The search failed to retrieve attributes from the database.
>> 2121: SvcErr: DSID-0312048E, problem 5012 (DIR_ERROR), data 1450.
>>
>> 4.) Attempting to run Windows Update gives Error 0x800705AA, which I believe 
>> is ERROR_NO_SYSTEM_RESOURCE.
>>
>> 5.) Running 'runas /user:me cmd' fails with "5: Access is denied"
>>
>> 6.) The server appears to continue to service auth requests, and LDAP binds 
>> still work. However, we seem to encounter intermittent issues with the samba 
>> servers during this time.
>>
>> Site topology:
>>  CORP:
>>  DC4, DC5 (server 2003, auto-site coverage disabled by registry)
>> DC10, DC11 (server 2008 sp2)
>>
>>  CAL: connected to CORP
>>  RODC1 (server 2008 R2, read only domain controller)
>>
>>  NY: connected to CORP and DRSITE
>>  NYDC4 (server 2003)
>>
>>  DRSITE: connected to CORP and NY
>>  DC3 (server 2003)
>>  DC20 (server 2008 R2)
>>
>> DC4 is the Schema Master. All other roles are on DC5.
>>
>> repadmin /showrepl and dcdiag don't show any errors.
>>
>> Two additional bits of information. (1) For some reasons, IIS is installed 
>> on the DC10 and DC11 domain controllers. (2) a similar thing recently 
>> happened with our Exchange 2010 server (2008 R2). The same error with 
>> 'runas' failing occured, IIS app pools couldn't restart, and the windows 
>> process activation service couldn't be restarted (also with error 5 access 
>> denied).
>>
>> I am planning on setting up a new RWDC, physically in CORP but in the CAL AD 
>> site, and seeing if the issue follows the new server or stays with DC11.
>>
>> Any help would be appreciated.
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
> ---
> To manage subscriptions click here: 
> http://lyris.sunbelt-software.com/read/my_forum

RE: on-premises storage application

[Michael B. Smith]

This is a respectable fit; they are testing it out. Thanks!

AppSense DataNow from Mr. Rankin was the closest fit and we are looking at 
pricing.

Thank you all for your suggestions!

-Original Message-
From: Angus Scott-Fleming [mailto:angu...@geoapps.com] 
Sent: Thursday, January 24, 2013 5:02 PM
To: NT System Admin Issues
Subject: Re: on-premises storage application

On 24 Jan 2013 at 19:11, Michael B. Smith  wrote:

> 
> I have a client that wants something like SkyDrive or DropBox - but they
> want to host it onsite - no cloud storage. They also want the company that
> produces the application to be in north America or western Europe. I have
> googled and binged a bit, and I have some options - but I'd prefer some
> recommendations. Does anyone here have any that they would be willing to
> share? Thanks!

Been meaning to set up one of these for a while:

ownCloud | Your Cloud, Your Data, Your Way!
https://owncloud.com/

Community (free, no support) edition available:
ownCloud.org | Your Cloud, Your Data, Your Way!
http://owncloud.org/

The price is right, at least for the community edition.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/





~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: DC eventid 1168, bizarre behavior

[Ken Schaefer]

Maybe you are running out of system resources (like non-paged pool). You can 
try using poolmon to diagnose that (there's an old blog post on my blog about 
using that tool)

Cheers
Ken

-Original Message-
From: Elijah Buck [mailto:elijah.b...@gmail.com] 
Sent: Tuesday, 29 January 2013 12:10 PM
To: NT System Admin Issues
Subject: Re: DC eventid 1168, bizarre behavior

Yes, we ran adprep /rodc from the server 2008 cd. The RODC appears to be 
functioning correctly. The servers with event id 1168 are not rodc, by the way, 
if that wasn't clear.

Elijah
Sent from my iPhone

On Jan 28, 2013, at 6:57 PM, Greg Olson  wrote:

> Did you prep the domain for the read-only dc using the adprep /rodcprep cmd?
> http://technet.microsoft.com/en-us/library/cc771055(v=ws.10).aspx
>
> Even if you have no 2003 servers if I remember right (and I could be wrong) 
> you still need to do the above with certain versions of Samba.
>
>
> -Greg
>
>
> -Original Message-
> From: Elijah Buck [mailto:elijah.b...@gmail.com]
> Sent: Monday, January 28, 2013 1:58 PM
> To: NT System Admin Issues
> Subject: DC eventid 1168, bizarre behavior
>
> Hello,
>
> I've been battling an odd issue with our domain controllers, and am 
> completely stumped. This seems to have been precipitated by adding a Read 
> Only Domain Controller and adding a number of Linux samba servers. The 
> symptoms of the issue follows:
>
> On DC11 (2008 sp2 ReadWrite DC, 2GB ram, virtual machine on ESXi 5.0u2):
>
> 0.) cpu usage is low, typically under 5%. Memory is 800M cached. 118M free.
>
> 1.) In the Directory Service event log the following two errors are logged:
> *Event ID 1168 - Internal error: An Active Directory Domain Services error 
> has occured.
> Additional data: Error value (decimal): 1450, Error Value (hex): 5aa, 
> Internal ID: 124048b *Event ID 1168 - Internal error: An Active Directory 
> Domain Services error has occured.
> Additional data: Error value (decimal): 1450, Error Value (hex): 5aa, 
> Internal ID: 1240627
>
> 2.) This has happened three times on DC11, and once on DC10 (also 2008 sp2). 
> The time that it affected both DC11 and DC10, manually pushing 
> passwords-to-be-cached to the RODC failed.
>
> 3.) Trying to read the properties of an object with ADSI edit (connected to 
> DC11) returns:
> Windows could not load the values for all the attributes. Operation failed. 
> Error Code:
> 0x2121. The search failed to retrieve attributes from the database.
> 2121: SvcErr: DSID-0312048E, problem 5012 (DIR_ERROR), data 1450.
>
> 4.) Attempting to run Windows Update gives Error 0x800705AA, which I believe 
> is ERROR_NO_SYSTEM_RESOURCE.
>
> 5.) Running 'runas /user:me cmd' fails with "5: Access is denied"
>
> 6.) The server appears to continue to service auth requests, and LDAP binds 
> still work. However, we seem to encounter intermittent issues with the samba 
> servers during this time.
>
> Site topology:
>  CORP:
>  DC4, DC5 (server 2003, auto-site coverage disabled by registry)  
> DC10, DC11 (server 2008 sp2)
>
>  CAL: connected to CORP
>  RODC1 (server 2008 R2, read only domain controller)
>
>  NY: connected to CORP and DRSITE
>  NYDC4 (server 2003)
>
>  DRSITE: connected to CORP and NY
>  DC3 (server 2003)
>  DC20 (server 2008 R2)
>
> DC4 is the Schema Master. All other roles are on DC5.
>
> repadmin /showrepl and dcdiag don't show any errors.
>
> Two additional bits of information. (1) For some reasons, IIS is installed on 
> the DC10 and DC11 domain controllers. (2) a similar thing recently happened 
> with our Exchange 2010 server (2008 R2). The same error with 'runas' failing 
> occured, IIS app pools couldn't restart, and the windows process activation 
> service couldn't be restarted (also with error 5 access denied).
>
> I am planning on setting up a new RWDC, physically in CORP but in the CAL AD 
> site, and seeing if the issue follows the new server or stays with DC11.
>
> Any help would be appreciated.


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: DC eventid 1168, bizarre behavior

[Elijah Buck]

Yes, we ran adprep /rodc from the server 2008 cd. The RODC appears to
be functioning correctly. The servers with event id 1168 are not rodc,
by the way, if that wasn't clear.

Elijah
Sent from my iPhone

On Jan 28, 2013, at 6:57 PM, Greg Olson  wrote:

> Did you prep the domain for the read-only dc using the adprep /rodcprep cmd?
> http://technet.microsoft.com/en-us/library/cc771055(v=ws.10).aspx
>
> Even if you have no 2003 servers if I remember right (and I could be wrong) 
> you still need to do the above with certain versions of Samba.
>
>
> -Greg
>
>
> -Original Message-
> From: Elijah Buck [mailto:elijah.b...@gmail.com]
> Sent: Monday, January 28, 2013 1:58 PM
> To: NT System Admin Issues
> Subject: DC eventid 1168, bizarre behavior
>
> Hello,
>
> I've been battling an odd issue with our domain controllers, and am 
> completely stumped. This seems to have been precipitated by adding a Read 
> Only Domain Controller and adding a number of Linux samba servers. The 
> symptoms of the issue follows:
>
> On DC11 (2008 sp2 ReadWrite DC, 2GB ram, virtual machine on ESXi 5.0u2):
>
> 0.) cpu usage is low, typically under 5%. Memory is 800M cached. 118M free.
>
> 1.) In the Directory Service event log the following two errors are logged:
> *Event ID 1168 - Internal error: An Active Directory Domain Services error 
> has occured.
> Additional data: Error value (decimal): 1450, Error Value (hex): 5aa, 
> Internal ID: 124048b *Event ID 1168 - Internal error: An Active Directory 
> Domain Services error has occured.
> Additional data: Error value (decimal): 1450, Error Value (hex): 5aa, 
> Internal ID: 1240627
>
> 2.) This has happened three times on DC11, and once on DC10 (also 2008 sp2). 
> The time that it affected both DC11 and DC10, manually pushing 
> passwords-to-be-cached to the RODC failed.
>
> 3.) Trying to read the properties of an object with ADSI edit (connected to 
> DC11) returns:
> Windows could not load the values for all the attributes. Operation failed. 
> Error Code:
> 0x2121. The search failed to retrieve attributes from the database.
> 2121: SvcErr: DSID-0312048E, problem 5012 (DIR_ERROR), data 1450.
>
> 4.) Attempting to run Windows Update gives Error 0x800705AA, which I believe 
> is ERROR_NO_SYSTEM_RESOURCE.
>
> 5.) Running 'runas /user:me cmd' fails with "5: Access is denied"
>
> 6.) The server appears to continue to service auth requests, and LDAP binds 
> still work. However, we seem to encounter intermittent issues with the samba 
> servers during this time.
>
> Site topology:
>  CORP:
>  DC4, DC5 (server 2003, auto-site coverage disabled by registry)
>  DC10, DC11 (server 2008 sp2)
>
>  CAL: connected to CORP
>  RODC1 (server 2008 R2, read only domain controller)
>
>  NY: connected to CORP and DRSITE
>  NYDC4 (server 2003)
>
>  DRSITE: connected to CORP and NY
>  DC3 (server 2003)
>  DC20 (server 2008 R2)
>
> DC4 is the Schema Master. All other roles are on DC5.
>
> repadmin /showrepl and dcdiag don't show any errors.
>
> Two additional bits of information. (1) For some reasons, IIS is installed on 
> the DC10 and DC11 domain controllers. (2) a similar thing recently happened 
> with our Exchange 2010 server (2008 R2). The same error with 'runas' failing 
> occured, IIS app pools couldn't restart, and the windows process activation 
> service couldn't be restarted (also with error 5 access denied).
>
> I am planning on setting up a new RWDC, physically in CORP but in the CAL AD 
> site, and seeing if the issue follows the new server or stays with DC11.
>
> Any help would be appreciated.
>
> Thanks,
> Elijah
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
>   ~
>
> ---
> To manage subscriptions click here: 
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
> ---
> To manage subscriptions click here: 
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

For all the great leaders of our technological evolution!

[Jozef Vegh]

How far are you ready to go to be successful and challenge yourself? The
ones who do not dare will never succeed! The ones who dare might fall, but
the real winners stand up, fight and never give up! This is my contribution
to all the entrepreneurs! 

The fall of the tiger

The fall of the tiger

What do you do when you have a skiing accident at 109kmh? Do you die? NO,
you simply SURVIVE! Don't try it at home if you are not IRONMAN!

Comment, share, react! 

Regards

Jozef

 


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin<>

RE: DC eventid 1168, bizarre behavior

[Greg Olson]

Did you prep the domain for the read-only dc using the adprep /rodcprep cmd? 
http://technet.microsoft.com/en-us/library/cc771055(v=ws.10).aspx

Even if you have no 2003 servers if I remember right (and I could be wrong) you 
still need to do the above with certain versions of Samba. 


-Greg 


-Original Message-
From: Elijah Buck [mailto:elijah.b...@gmail.com] 
Sent: Monday, January 28, 2013 1:58 PM
To: NT System Admin Issues
Subject: DC eventid 1168, bizarre behavior

Hello,

I've been battling an odd issue with our domain controllers, and am completely 
stumped. This seems to have been precipitated by adding a Read Only Domain 
Controller and adding a number of Linux samba servers. The symptoms of the 
issue follows:

On DC11 (2008 sp2 ReadWrite DC, 2GB ram, virtual machine on ESXi 5.0u2):

0.) cpu usage is low, typically under 5%. Memory is 800M cached. 118M free.

1.) In the Directory Service event log the following two errors are logged:
*Event ID 1168 - Internal error: An Active Directory Domain Services error has 
occured.
Additional data: Error value (decimal): 1450, Error Value (hex): 5aa, Internal 
ID: 124048b *Event ID 1168 - Internal error: An Active Directory Domain 
Services error has occured.
Additional data: Error value (decimal): 1450, Error Value (hex): 5aa, Internal 
ID: 1240627

2.) This has happened three times on DC11, and once on DC10 (also 2008 sp2). 
The time that it affected both DC11 and DC10, manually pushing 
passwords-to-be-cached to the RODC failed.

3.) Trying to read the properties of an object with ADSI edit (connected to 
DC11) returns:
Windows could not load the values for all the attributes. Operation failed. 
Error Code:
0x2121. The search failed to retrieve attributes from the database.
2121: SvcErr: DSID-0312048E, problem 5012 (DIR_ERROR), data 1450.

4.) Attempting to run Windows Update gives Error 0x800705AA, which I believe is 
ERROR_NO_SYSTEM_RESOURCE.

5.) Running 'runas /user:me cmd' fails with "5: Access is denied"

6.) The server appears to continue to service auth requests, and LDAP binds 
still work. However, we seem to encounter intermittent issues with the samba 
servers during this time.

Site topology:
  CORP:
  DC4, DC5 (server 2003, auto-site coverage disabled by registry)
  DC10, DC11 (server 2008 sp2)

  CAL: connected to CORP
  RODC1 (server 2008 R2, read only domain controller)

  NY: connected to CORP and DRSITE
  NYDC4 (server 2003)

  DRSITE: connected to CORP and NY
  DC3 (server 2003)
  DC20 (server 2008 R2)

DC4 is the Schema Master. All other roles are on DC5.

repadmin /showrepl and dcdiag don't show any errors.

Two additional bits of information. (1) For some reasons, IIS is installed on 
the DC10 and DC11 domain controllers. (2) a similar thing recently happened 
with our Exchange 2010 server (2008 R2). The same error with 'runas' failing 
occured, IIS app pools couldn't restart, and the windows process activation 
service couldn't be restarted (also with error 5 access denied).

I am planning on setting up a new RWDC, physically in CORP but in the CAL AD 
site, and seeing if the issue follows the new server or stays with DC11.

Any help would be appreciated.

Thanks,
Elijah

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

[Steven Peck]

Years ago our networking team insisted on having them on so we had a
discussion.  Cisco's response at the time was ... we comply with RFC821 and
RFC822.  My reply was those were deprecated years ago and here's the
current standard (2821/2822 at the time) and that was all it took to get
them disabled.

My guess is Cisco still hasn't updated them.

On Thu, Jan 24, 2013 at 5:15 AM, Kennedy, Jim
wrote:

> The one that amazes me is the smtp fixup on Cisco. That one has been an
> issue for 10 years or so.
>
> -Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Wednesday, January 23, 2013 5:44 PM
> To: NT System Admin Issues
> Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
> On Wed, Jan 23, 2013 at 2:48 PM, Kennedy, Jim <
> kennedy...@elyriaschools.org> wrote:
> > To clarify...the dns fixup refers to Cisco firewalls/asa's.
>
>   I've noticed that Cisco's "fixup" features tend to break things.
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <
> http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

DC eventid 1168, bizarre behavior

[Elijah Buck]

Hello,

I've been battling an odd issue with our domain controllers, and am
completely stumped. This seems to have been precipitated by adding a
Read Only Domain Controller and adding a number of Linux samba
servers. The symptoms of the issue follows:

On DC11 (2008 sp2 ReadWrite DC, 2GB ram, virtual machine on ESXi 5.0u2):

0.) cpu usage is low, typically under 5%. Memory is 800M cached. 118M free.

1.) In the Directory Service event log the following two errors are logged:
*Event ID 1168 - Internal error: An Active Directory Domain Services
error has occured.
Additional data: Error value (decimal): 1450, Error Value (hex): 5aa,
Internal ID: 124048b
*Event ID 1168 - Internal error: An Active Directory Domain Services
error has occured.
Additional data: Error value (decimal): 1450, Error Value (hex): 5aa,
Internal ID: 1240627

2.) This has happened three times on DC11, and once on DC10 (also 2008
sp2). The time that it affected both DC11 and DC10, manually pushing
passwords-to-be-cached to the RODC failed.

3.) Trying to read the properties of an object with ADSI edit
(connected to DC11) returns:
Windows could not load the values for all the attributes. Operation
failed. Error Code:
0x2121. The search failed to retrieve attributes from the database.
2121: SvcErr: DSID-0312048E, problem 5012 (DIR_ERROR), data 1450.

4.) Attempting to run Windows Update gives Error 0x800705AA, which I
believe is ERROR_NO_SYSTEM_RESOURCE.

5.) Running 'runas /user:me cmd' fails with "5: Access is denied"

6.) The server appears to continue to service auth requests, and LDAP
binds still work. However, we seem to encounter intermittent issues
with the samba servers during this time.

Site topology:
  CORP:
  DC4, DC5 (server 2003, auto-site coverage disabled by registry)
  DC10, DC11 (server 2008 sp2)

  CAL: connected to CORP
  RODC1 (server 2008 R2, read only domain controller)

  NY: connected to CORP and DRSITE
  NYDC4 (server 2003)

  DRSITE: connected to CORP and NY
  DC3 (server 2003)
  DC20 (server 2008 R2)

DC4 is the Schema Master. All other roles are on DC5.

repadmin /showrepl and dcdiag don't show any errors.

Two additional bits of information. (1) For some reasons, IIS is
installed on the DC10 and DC11 domain controllers. (2) a similar thing
recently happened with our Exchange 2010 server (2008 R2). The same
error with 'runas' failing occured, IIS app pools couldn't restart,
and the windows process activation service couldn't be restarted (also
with error 5 access denied).

I am planning on setting up a new RWDC, physically in CORP but in the
CAL AD site, and seeing if the issue follows the new server or stays
with DC11.

Any help would be appreciated.

Thanks,
Elijah

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: [Bulk] Re: Progress in password cracking

[MMF]

Just as an aside, I heard yesterday that President Teddy Roosevelt issued 1000 
executive orders, one of which was to require that words be spelled 
phonetically as in “ENUF” instead of enough!
Enuf sed!!!

Murray

From: Kurt Buff 
Sent: Monday, January 28, 2013 2:58 PM
To: NT System Admin Issues 
Subject: [Bulk] Re: Progress in password cracking

Be careful - your inner curmudgeon is starting to show...

But, it probably won't make a difference after a while - most people tend to 
misspell things the same way, or in a limited number of ways, and that will 
fall to analysis as well...

Kurt


On Mon, Jan 28, 2013 at 8:27 AM, Andrew S. Baker  wrote:

  This must be great news to all the people under the age of 20, who seem quite 
unable to either spell or use grammatically correct sentences. 








ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) 
for the SMB market…
   






  On Sat, Jan 26, 2013 at 5:50 PM, Kurt Buff  wrote:

Grammar badness makes cracking harder the long password

Password crackers get an English lesson.

by Dan Goodin
Jan 24 2013
Ars Technica

When it comes to long phrases used to defeat recent advances in
password cracking, bigger isn't necessarily better, particularly when
the phrases adhere to grammatical rules.


http://arstechnica.com/security/2013/01/grammar-badness-makes-cracking-harder-the-long-password/


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


  ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
  ~   ~

  ---
  To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
  or send an email to listmana...@lyris.sunbeltsoftware.com
  with the body: unsubscribe ntsysadmin



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: Progress in password cracking

[MMF]

Ain’t dat da trut!

Murray

From: Andrew S. Baker 
Sent: Monday, January 28, 2013 10:27 AM
To: NT System Admin Issues 
Subject: Re: Progress in password cracking

This must be great news to all the people under the age of 20, who seem quite 
unable to either spell or use grammatically correct sentences. 








  ASB
  http://XeeMe.com/AndrewBaker
  Providing Virtual CIO Services (IT Operations & Information Security) for 
the SMB market…
 






On Sat, Jan 26, 2013 at 5:50 PM, Kurt Buff  wrote:

  Grammar badness makes cracking harder the long password
  Password crackers get an English lesson.

  by Dan Goodin
  Jan 24 2013
  Ars Technica

  When it comes to long phrases used to defeat recent advances in
  password cracking, bigger isn't necessarily better, particularly when
  the phrases adhere to grammatical rules.

  
http://arstechnica.com/security/2013/01/grammar-badness-makes-cracking-harder-the-long-password/

  ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
  ~   ~

  ---
  To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
  or send an email to listmana...@lyris.sunbeltsoftware.com
  with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

[Kennedy, Jim]

Add to the below...your ISP turned on dns fixup this weekend on their internet 
facing firewall since they don't have that issue and the below scenario fits 
the symptoms anyway.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Monday, January 28, 2013 12:10 PM
To: NT System Admin Issues
Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

On Mon, Jan 28, 2013 at 11:50 AM, Robert Peterson  
wrote:
> ... once we added our ISP's DNS resolvers as "Forwarder" we 
> immediately restored DNS performance.
> Could something happened over last weekend to limit use of Root Hints?

  Nothing globally, or DNS would stop working.

  My guess is your routers/firewalls don't like EDNS0, *and* your ISP 
nameservers don't support EDNS0, so when talking to your ISP nameservers, EDNS0 
doesn't get used, and your firewalls don't gag.
This is a pure guess on my part, but what you describe is *the* classic problem 
report for EDNS0 incompatibility.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

[Ben Scott]

On Mon, Jan 28, 2013 at 11:50 AM, Robert Peterson
 wrote:
> ... once we added our ISP's DNS resolvers as "Forwarder" we
> immediately restored DNS performance.
> Could something happened over last weekend to limit use of Root Hints?

  Nothing globally, or DNS would stop working.

  My guess is your routers/firewalls don't like EDNS0, *and* your ISP
nameservers don't support EDNS0, so when talking to your ISP
nameservers, EDNS0 doesn't get used, and your firewalls don't gag.
This is a pure guess on my part, but what you describe is *the*
classic problem report for EDNS0 incompatibility.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

[Robert Peterson]

If found the main "road block" or "bottleneck" that we were experiencing with 
DNS services, just not sure why we didn't see these issues years before.

We were directed years ago to NOT setup "Forwarders" in DNS, and instead rely 
totally on Root Hints if our DNS could not resolve, it's been that way for 
multiple years.  However, once we added our ISP's DNS resolvers as "Forwarder" 
we immediately restored DNS performance.

Could something happened over last weekend to limit use of Root Hints? 



-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Thursday, January 24, 2013 9:26 AM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

I still wonder why just this past weekend it hit you. Sounded very sudden.

-Original Message-
From: Robert Peterson [mailto:robert.peter...@prin.edu]
Sent: Thursday, January 24, 2013 10:22 AM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Thank you everyone for your help.
Applied some recommendations last night from this article... so far so good.
http://support.microsoft.com/kb/956188


-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Thursday, January 24, 2013 7:16 AM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

The one that amazes me is the smtp fixup on Cisco. That one has been an issue 
for 10 years or so.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Wednesday, January 23, 2013 5:44 PM
To: NT System Admin Issues
Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

On Wed, Jan 23, 2013 at 2:48 PM, Kennedy, Jim  
wrote:
> To clarify...the dns fixup refers to Cisco firewalls/asa's.

  I've noticed that Cisco's "fixup" features tend to break things.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: Seeding a remote DFS share

[Christopher Bodnar]

Yes, that will work. Going under the assumption that you have the (2) 
folder targets setup in DFS:

\\siteA\software

\\siteb\software


Also keep in mind that the share has to be available. If it's not, the 
client will pull from the closest available site. Which means pulling 
across the wire if it's local DFS target is down for some reason. 




Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology:Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459 
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 




The Guardian Life Insurance Company of America

www.guardianlife.com 







From:   Oliver Marshall 
To: "NT System Admin Issues" 
Date:   01/26/2013 02:33 PM
Subject:Seeding a remote DFS share



Hi

We have a GPO that installs Adobe Master Collection. It's amazingly huge 
in its hugeness. 

Currently we have two GPOs, one for each site to ensure that users at the 
remote site don't get the install from the server at the other site. 

Each GPO is limited to a group, again with one group for each site. 

This works fine but I'd rather have one GPO, one group and one policy on 
what to do if users need Adobe. 

So I want to setup a DFS share so that the GPO can point to 
\\mydomain\software\adobe\big_installer.msi, and the user will get the 
install from their nearest DFS location. 

Can i just ship up the installer on USB and have someone copy it to the 
correct location?

If you have any comments on the setup as well then let me know.

Olly



Network Support
Online Backups
Server Management
Tel: 0845 307 3443
Web: http://www.g2support.com
Twitter: g2support
Google+: http://www.g2support.com/plus
Facebook: http://www.facebook.com/g2support
Mail: Unit H, Hove Technology Centre, Hove, Sussex, BN3 7ES
Have you said something nice about us to a friend or colleague ? Let us 
say thanks. Find out more at www.g2support.com/referral
G2 Support LLP is registered at Mill House, 103 Holmes Avenue, HOVE
BN3 7LE. Our registered company number is OC316341.

  
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


-
This message, and any attachments to it, may contain information
that is privileged, confidential, and exempt from disclosure under
applicable law.  If the reader of this message is not the intended
recipient, you are notified that any use, dissemination,
distribution, copying, or communication of this message is strictly
prohibited.  If you have received this message in error, please
notify the sender immediately by return e-mail and delete the
message and any attachments.  Thank you.
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin<>

RE: New Article on Documenting a XenApp 6.5 Farm

[Webster]

"a" is beyond my PoSH ability at this moment in time.  I am not a programmer or 
developer or someone who really understands 90% of what I read about PoSH.  I 
am a hack who brute forces his way through getting these scripts done and who 
pesters MBS to no end for help along the way.

MBS has started pushing me to developing an object oriented version of the 
script but it is proving extremely difficult to do.

All I know is, as far as I know, no one else has produced any product to 
document a XenApp 6.5 farm because Citrix documentation just sucks big time.  
There is a company that charges $995 for their product that produces an HTML 
and Word versions of documentation for PS4.x and XenApp 5 for Server 2003.

I will gladly welcome ANY assistance you can provide to better understand what 
you recommend for "a".

"b" in XenApp 6.5, Citrix dropped MFCOM object model support so any 
VB/VBA/VBScripts that exist for MFCOM will not work for XenApp 6.x or higher.

I wish you to understand this is not a derogatory response to your email.  Just 
a plea from a weak student asking for help from a far more experienced teacher. 
 Just ask MBS, I really don't know or understand what I am doing in PoSH.  I am 
just trying to serve a need in my Citrix community.

Thanks


Webster

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Monday, January 28, 2013 5:43 AM
To: NT System Admin Issues
Subject: RE: New Article on Documenting a XenApp 6.5 Farm

A few thoughts:

a)  Loosely coupled code allows greater reuse (SOA and all that jazz). I'd 
recommend one script to output data to an XML file or ini file (or whatever 
format) in whatever schema you decide. Another script picks that up and creates 
a Word document. Then, from now on you have one script to create Word documents 
for whatever documentation scripts you create

b)  Having done a ton of Office automation ~15-20 years ago, if you are 
having to use the COM object model, then there's resources out there if using 
VB/VBA/VBScript - that might be easier than trying to use PowerShell (or .NET 
natively)

Cheers
Ken

From: Webster [mailto:webs...@carlwebster.com]
Sent: Monday, 28 January 2013 10:18 PM
To: NT System Admin Issues
Subject: New Article on Documenting a XenApp 6.5 Farm

New Article: Documenting a Citrix XenApp 6.5 Farm with Microsoft PowerShell and 
Word - Version 3 
http://carlwebster.com/documenting-a-citrix-xenapp-6-5-farm-with-microsoft-powershell-and-word-version-3/


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: New Article on Documenting a XenApp 6.5 Farm

[Ken Schaefer]

A few thoughts:

a)  Loosely coupled code allows greater reuse (SOA and all that jazz). I'd 
recommend one script to output data to an XML file or ini file (or whatever 
format) in whatever schema you decide. Another script picks that up and creates 
a Word document. Then, from now on you have one script to create Word documents 
for whatever documentation scripts you create

b)  Having done a ton of Office automation ~15-20 years ago, if you are 
having to use the COM object model, then there's resources out there if using 
VB/VBA/VBScript - that might be easier than trying to use PowerShell (or .NET 
natively)

Cheers
Ken

From: Webster [mailto:webs...@carlwebster.com]
Sent: Monday, 28 January 2013 10:18 PM
To: NT System Admin Issues
Subject: New Article on Documenting a XenApp 6.5 Farm

New Article: Documenting a Citrix XenApp 6.5 Farm with Microsoft PowerShell and 
Word - Version 3 
http://carlwebster.com/documenting-a-citrix-xenapp-6-5-farm-with-microsoft-powershell-and-word-version-3/

Thanks


Webster

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin