RE: Query help

2013-04-11 Thread Coleman, Hunter
Dynamic distribution group: 
http://technet.microsoft.com/en-us/library/aa996561(v=EXCHG.80).aspx


From: Heaton, Joseph@Wildlife [mailto:joseph.hea...@wildlife.ca.gov]
Sent: Thursday, April 11, 2013 1:16 PM
To: NT System Admin Issues
Subject: Query help

I've recently created an Org_all distribution group.  Somehow, I must have not 
added myself to it, as I didn't get a message from our Director this morning.  
But, that brought up the thought that I need to make sure everyone is a member 
of that distribution group.  With 3000 users, I don't want to do it manually.  
Any ideas?

Thanks,

Joe Heaton
Enterprise Server Support
CA Department of Fish and Wildlife
1807 13th Street, Suite 201
Sacramento, CA  95811
Desk:  (916) 323-1284


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

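An added example of Hunter's suggestion (not code from the thread): create Org_all as a dynamic distribution group in the Exchange Management Shell, then preview its membership and compare it against every user mailbox so nobody is left off the way Joe was. The group name is from Joe's message; the OU path is an assumption.

```powershell
# Added example, not from the thread: build Org_all as a dynamic
# distribution group and verify its membership. Run in the Exchange
# Management Shell. The OU path below is an assumption.

$groupName = 'Org_all'   # name from Joe's message

# Recipient filter: every user mailbox. Limiting it to UserMailbox keeps
# contacts, shared, room and equipment mailboxes off the "everyone" list.
$filter = "RecipientTypeDetails -eq 'UserMailbox'"

if (-not (Get-DynamicDistributionGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-DynamicDistributionGroup -Name $groupName `
        -RecipientFilter $filter `
        -OrganizationalUnit 'corp.example.com/Groups'   # assumed OU
}

# Dynamic membership is evaluated when a message is delivered, so preview it
# the way Exchange will: run the group's own filter through Get-Recipient,
# scoped to the container the group searches.
$ddg = Get-DynamicDistributionGroup -Identity $groupName
$preview = @(Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
                           -OrganizationalUnit $ddg.RecipientContainer `
                           -ResultSize Unlimited)

# Cross-check against the full mailbox list. Anyone listed here sits outside
# the group's RecipientContainer or is excluded by the filter, and would miss
# organisation-wide mail exactly as Joe did.
$allUsers = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox)
$previewGuids = @($preview | ForEach-Object { $_.Guid })
$missing = @($allUsers | Where-Object { $previewGuids -notcontains $_.Guid })

"{0}: filter reaches {1} of {2} user mailboxes; {3} missing" -f `
    $groupName, $preview.Count, $allUsers.Count, $missing.Count
$missing | Select-Object DisplayName, PrimarySmtpAddress, OrganizationalUnit
```

Exchange appends its own exclusions to the stored RecipientFilter when the group is created, which is why the preview uses the group's saved filter rather than the string above.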

RE: DC server 2003 Time service

2013-01-07 Thread Coleman, Hunter
Use this as a basis for configuring your current PDC: 
http://technet.microsoft.com/en-us/library/cc794937(v=WS.10).aspx


-Original Message-
From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, January 7, 2013 12:36 PM
To: NT System Admin Issues
Subject: RE: DC server 2003 Time service

A Haa.
NTP time software running on that old DC.
Uninstalled
Rebooted.
Did all of the below
And w32tm /resync
Now w32tm /monitor reads perfectly.
Now, on the PDC, do I point to a local Ubuntu server I have added as the first 
NTP server to try?


-Original Message-
From: Coleman, Hunter [mailto:hcole...@mt.gov]
Posted At: Monday, January 7, 2013 1:40 PM
Posted To: itli...@imcu.com
Conversation: DC server 2003 Time service
Subject: RE: DC server 2003 Time service

That would work as well, though you would want to include the "/reliable:no" 
flag.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, January 7, 2013 10:54 AM
To: NT System Admin Issues
Subject: Re: DC server 2003 Time service

Would not this:

w32tm /config /syncfromflags:domhier /update

have the same effect, or is it a less reliable option?

Kurt

On Mon, Jan 7, 2013 at 8:12 AM, Coleman, Hunter  wrote:
> On the old 2003 DC, check
> HKLM\System\CurrentControlSet\Services\W32Time\Parameters\Type. It 
> should be “NT5DS”. If it shows “NTP”, then the DC is synchronizing 
> time with an external time source. It was probably the forest root 
> PDCe in the past, but if it no longer is then on that DC run
>
> Net stop w32time
>
> W32tm /unregister
>
> W32tm /register
>
> Net start w32time
>
>
>
> That will clear out the old time configuration and reset it to a 
> domain hierarchy configuration.
>
>
>
> From: itli...@imcu.com [mailto:itli...@imcu.com]
> Sent: Monday, January 7, 2013 8:22 AM
> To: NT System Admin Issues
> Subject: RE: DC server 2003 Time service
>
>
>
> From my PC:
>
> (Looks like I have everything working except the first one.  It is an 
> old
> 2003 DC.)  Why is it being so difficult?
>
> All the other 2008 DC’s and 2003 DC’s are behaving except it?
>
> Where can I look?
>
>
>
> C:\windows\system32>w32tm /monitor
>
> 030405MF663P44.IMCU.local[10.0.10.5:123]:
>
> ICMP: 6ms delay
>
> NTP: +0.0225576s offset from 081012210GL255.IMCU.local
>
> RefID: tick.usno.navy.mil [192.5.41.40]
>
> Stratum: 2
>
> 0304090304zu55.IMCU.local[10.0.50.205:123]:
>
> ICMP: 0ms delay
>
> NTP: +0.0127904s offset from 081012210GL255.IMCU.local
>
> RefID: 081012210GL255.IMCU.local [10.0.50.2]
>
> Stratum: 4
>
> 0302040304zu77.IMCU.local[10.0.90.205:123]:
>
> ICMP: 13ms delay
>
> NTP: +0.0002909s offset from 081012210GL255.IMCU.local
>
> RefID: 081012210GL255.IMCU.local [10.0.50.2]
>
> Stratum: 4
>
> 0810123404XB44.IMCU.local[10.0.10.2:123]:
>
> ICMP: 9ms delay
>
> NTP: +0.0136959s offset from 081012210GL255.IMCU.local
>
> RefID: 081012210GL255.IMCU.local [10.0.50.2]
>
> Stratum: 4
>
> 081012210GL255.IMCU.local *** PDC ***[10.0.50.2:123]:
>
> ICMP: 0ms delay
>
> NTP: +0.000s offset from 081012210GL255.IMCU.local
>
> RefID: white.web-ster.com [65.182.224.39]
>
> Stratum: 3
>
> 08101223061O77.IMCU.local[10.0.90.2:123]:
>
> ICMP: 10ms delay
>
> NTP: +0.0069312s offset from 081012210GL255.IMCU.local
>
> RefID: 081012210GL255.IMCU.local [10.0.50.2]
>
> Stratum: 4
>
>
>
> From: Ken Schaefer [mailto:k...@adopenstatic.com]
> Posted At: Friday, January 4, 2013 12:05 AM
> Posted To: itli...@imcu.com
> Conversation: DC server 2003 Time service
> Subject: RE: DC server 2003 Time service
>
>
>
> You need to read this:
>
> http://technet.microsoft.com/en-us/library/cc773013(v=ws.10).aspx
>
>
>
> Cheers
>
> Ken
>
>
>
> From: itli...@imcu.com [mailto:itli...@imcu.com]
> Sent: Friday, 4 January 2013 3:33 AM
> To: NT System Admin Issues
> Subject: DC server 2003 Time service
>
>
>
> I am bringing 2008 R2 servers on line to take the FSMO jobs.
>
> I have set one of them as a W32time server but my pc’s are still 
> getting time from the old
>
> 2003 DC SNTP server???
>
> Any ideas on how to correct this?
>

RE: DC server 2003 Time service

2013-01-07 Thread Coleman, Hunter
That would work as well, though you would want to include the "/reliable:no" 
flag.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Monday, January 7, 2013 10:54 AM
To: NT System Admin Issues
Subject: Re: DC server 2003 Time service

Would not this:

w32tm /config /syncfromflags:domhier /update

have the same effect, or is it a less reliable option?

Kurt

On Mon, Jan 7, 2013 at 8:12 AM, Coleman, Hunter  wrote:
> On the old 2003 DC, check
> HKLM\System\CurrentControlSet\Services\W32Time\Parameters\Type. It 
> should be “NT5DS”. If it shows “NTP”, then the DC is synchronizing 
> time with an external time source. It was probably the forest root 
> PDCe in the past, but if it no longer is then on that DC run
>
> Net stop w32time
>
> W32tm /unregister
>
> W32tm /register
>
> Net start w32time
>
>
>
> That will clear out the old time configuration and reset it to a 
> domain hierarchy configuration.
>
>
>
> From: itli...@imcu.com [mailto:itli...@imcu.com]
> Sent: Monday, January 7, 2013 8:22 AM
> To: NT System Admin Issues
> Subject: RE: DC server 2003 Time service
>
>
>
> From my PC:
>
> (Looks like I have everything working except the first one.  It is an 
> old
> 2003 DC.)  Why is it being so difficult?
>
> All the other 2008 DC’s and 2003 DC’s are behaving except it?
>
> Where can I look?
>
>
>
> C:\windows\system32>w32tm /monitor
>
> 030405MF663P44.IMCU.local[10.0.10.5:123]:
>
> ICMP: 6ms delay
>
> NTP: +0.0225576s offset from 081012210GL255.IMCU.local
>
> RefID: tick.usno.navy.mil [192.5.41.40]
>
> Stratum: 2
>
> 0304090304zu55.IMCU.local[10.0.50.205:123]:
>
> ICMP: 0ms delay
>
> NTP: +0.0127904s offset from 081012210GL255.IMCU.local
>
> RefID: 081012210GL255.IMCU.local [10.0.50.2]
>
> Stratum: 4
>
> 0302040304zu77.IMCU.local[10.0.90.205:123]:
>
> ICMP: 13ms delay
>
> NTP: +0.0002909s offset from 081012210GL255.IMCU.local
>
> RefID: 081012210GL255.IMCU.local [10.0.50.2]
>
> Stratum: 4
>
> 0810123404XB44.IMCU.local[10.0.10.2:123]:
>
> ICMP: 9ms delay
>
> NTP: +0.0136959s offset from 081012210GL255.IMCU.local
>
> RefID: 081012210GL255.IMCU.local [10.0.50.2]
>
> Stratum: 4
>
> 081012210GL255.IMCU.local *** PDC ***[10.0.50.2:123]:
>
> ICMP: 0ms delay
>
> NTP: +0.000s offset from 081012210GL255.IMCU.local
>
> RefID: white.web-ster.com [65.182.224.39]
>
> Stratum: 3
>
> 08101223061O77.IMCU.local[10.0.90.2:123]:
>
> ICMP: 10ms delay
>
> NTP: +0.0069312s offset from 081012210GL255.IMCU.local
>
> RefID: 081012210GL255.IMCU.local [10.0.50.2]
>
> Stratum: 4
>
>
>
> From: Ken Schaefer [mailto:k...@adopenstatic.com]
> Posted At: Friday, January 4, 2013 12:05 AM
> Posted To: itli...@imcu.com
> Conversation: DC server 2003 Time service
> Subject: RE: DC server 2003 Time service
>
>
>
> You need to read this:
>
> http://technet.microsoft.com/en-us/library/cc773013(v=ws.10).aspx
>
>
>
> Cheers
>
> Ken
>
>
>
> From: itli...@imcu.com [mailto:itli...@imcu.com]
> Sent: Friday, 4 January 2013 3:33 AM
> To: NT System Admin Issues
> Subject: DC server 2003 Time service
>
>
>
> I am bringing 2008 R2 servers on line to take the FSMO jobs.
>
> I have set one of them as a W32time server but my pc’s are still 
> getting time from the old
>
> 2003 DC SNTP server???
>
> Any ideas on how to correct this?
>

RE: DC server 2003 Time service

2013-01-07 Thread Coleman, Hunter
On the old 2003 DC, check 
HKLM\System\CurrentControlSet\Services\W32Time\Parameters\Type. It should be 
"NT5DS". If it shows "NTP", then the DC is synchronizing time with an external 
time source. It was probably the forest root PDCe in the past, but if it no 
longer is then on that DC run
Net stop w32time
W32tm /unregister
W32tm /register
Net start w32time

That will clear out the old time configuration and reset it to a domain 
hierarchy configuration.

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, January 7, 2013 8:22 AM
To: NT System Admin Issues
Subject: RE: DC server 2003 Time service

From my PC:
(Looks like I have everything working except the first one.  It is an old 2003 
DC.)  Why is it being so difficult?
All the other 2008 DC's and 2003 DC's are behaving except it?
Where can I look?

C:\windows\system32>w32tm /monitor
030405MF663P44.IMCU.local[10.0.10.5:123]:
ICMP: 6ms delay
NTP: +0.0225576s offset from 081012210GL255.IMCU.local
RefID: tick.usno.navy.mil [192.5.41.40]
Stratum: 2
0304090304zu55.IMCU.local[10.0.50.205:123]:
ICMP: 0ms delay
NTP: +0.0127904s offset from 081012210GL255.IMCU.local
RefID: 081012210GL255.IMCU.local [10.0.50.2]
Stratum: 4
0302040304zu77.IMCU.local[10.0.90.205:123]:
ICMP: 13ms delay
NTP: +0.0002909s offset from 081012210GL255.IMCU.local
RefID: 081012210GL255.IMCU.local [10.0.50.2]
Stratum: 4
0810123404XB44.IMCU.local[10.0.10.2:123]:
ICMP: 9ms delay
NTP: +0.0136959s offset from 081012210GL255.IMCU.local
RefID: 081012210GL255.IMCU.local [10.0.50.2]
Stratum: 4
081012210GL255.IMCU.local *** PDC ***[10.0.50.2:123]:
ICMP: 0ms delay
NTP: +0.000s offset from 081012210GL255.IMCU.local
RefID: white.web-ster.com [65.182.224.39]
Stratum: 3
08101223061O77.IMCU.local[10.0.90.2:123]:
ICMP: 10ms delay
NTP: +0.0069312s offset from 081012210GL255.IMCU.local
RefID: 081012210GL255.IMCU.local [10.0.50.2]
Stratum: 4

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Posted At: Friday, January 4, 2013 12:05 AM
Posted To: itli...@imcu.com
Conversation: DC server 2003 Time service
Subject: RE: DC server 2003 Time service

You need to read this:
http://technet.microsoft.com/en-us/library/cc773013(v=ws.10).aspx

Cheers
Ken

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Friday, 4 January 2013 3:33 AM
To: NT System Admin Issues
Subject: DC server 2003 Time service

I am bringing 2008 R2 servers on line to take the FSMO jobs.
I have set one of them as a W32time server but my pc's are still getting time 
from the old
2003 DC SNTP server???
Any ideas on how to correct this?

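An added audit script (not from the thread) that applies Hunter's registry check to every DC in the domain at once: it reads the W32Time Type value he names, works out which DC is the forest-root PDCe, and flags a non-PDCe DC still set to NTP (the situation above) as well as a PDCe with no external source. The registry path and the fix command are the ones quoted in the thread; the script assumes remote-registry access to each DC.

```powershell
# Added example, not from the thread: read the W32Time "Type" value Hunter
# points at from every DC in the current domain and flag the mismatches
# discussed above. Needs remote-registry access to each DC; the fix command
# in the output is the one Kurt and Hunter discuss.

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forestRootPdc = $domain.Forest.RootDomain.PdcRoleOwner.Name
$keyPath = 'SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-W32TimeConfig {
    param([string]$ComputerName)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $key = $hklm.OpenSubKey($keyPath)
        if ($key -eq $null) { throw "key $keyPath not found" }
        New-Object PSObject -Property @{
            Type      = $key.GetValue('Type')
            NtpServer = $key.GetValue('NtpServer')
        }
    } finally {
        $hklm.Close()
    }
}

$results = foreach ($dc in $domain.DomainControllers) {
    $name = $dc.Name
    try {
        $cfg = Get-W32TimeConfig -ComputerName $name
    } catch {
        Write-Warning ("{0}: cannot read W32Time parameters ({1})" -f $name, $_.Exception.Message)
        continue
    }

    $isForestRootPdc = ($name -ieq $forestRootPdc)

    # Expected layout: only the forest-root PDCe syncs from an external source
    # (Type=NTP); every other DC follows the domain hierarchy (Type=NT5DS).
    if (-not $isForestRootPdc -and $cfg.Type -eq 'NTP') {
        $status = 'WARN: non-PDCe DC syncs from an external source; reset with ' +
                  'w32tm /config /syncfromflags:domhier /reliable:no /update'
    } elseif ($isForestRootPdc -and $cfg.Type -ne 'NTP') {
        $status = 'WARN: forest-root PDCe is not configured for an external source'
    } else {
        $status = 'OK'
    }

    New-Object PSObject -Property @{
        DC = $name; ForestRootPDCe = $isForestRootPdc
        Type = $cfg.Type; NtpServer = $cfg.NtpServer; Status = $status
    }
}

$results | Sort-Object DC | Format-Table DC, ForestRootPDCe, Type, NtpServer, Status -AutoSize
```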

RE: AD Washout

2012-11-27 Thread Coleman, Hunter
Lucky timing. I'm subscribed to the RSS feed for the AskPFE blog, and happened 
to see the posting not too long after Dan sent out his message.

From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, November 27, 2012 10:08 AM
To: NT System Admin Issues
Subject: RE: AD Washout

This was a good thread for me; even though I wasn't affected, it has been added 
to my brain as a "wow, I would have never thought of that" item.

Hunter, how did you find that article?

From: Coleman, Hunter [mailto:hcole...@mt.gov]
Sent: Tuesday, November 20, 2012 1:41 PM
To: NT System Admin Issues
Subject: RE: AD Washout

Maybe a long shot, but check 
http://blogs.technet.com/b/askpfeplat/archive/2012/11/19/did-your-active-directory-domain-time-just-jump-to-the-year-2000.aspx


From: Dan Bartley [mailto:bartl...@corp.netcarrier.com]
Sent: Tuesday, November 20, 2012 9:04 AM
To: NT System Admin Issues
Subject: RE: AD Washout

No to these questions.

Actually it all seems centered around time sync problem that I have no idea the 
cause of. It seems the 2003 PDCe server developed a problem with access denied 
issues and that cascaded time sync errors to everything else. The 2 2000 DCs 
show the correct amount of uptime based on them being rebooted yesterday. The 
2003 DCs however show correct time and date, but say uptime 4300+ days after 
their reboot. They are syncing with time server now, but clearly still have an 
issue. That is probably what is causing the one way replicate problem between 
just the 2 2003 DCs. I can actually replicate either one to a 2000 DC and then 
replicate that to the server that won't replicate from the PDCe and changes 
show up. Still haven't figured the best way to rectify the issue. I definitely 
do not favor a transfer of roles and dcpromo to demote and then promote again.

Best Regards,

Dan Bartley

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Tuesday, November 20, 2012 07:54
To: NT System Admin Issues
Subject: RE: AD Washout

Tombstonelifetime error makes me think this might be an issue with lingering 
objects. Were any of the domain controllers migrated from physical to virtual 
recently? Or restored from a backup?
Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com


The Guardian Life Insurance Company of America

www.guardianlife.com







From: "Dan Bartley" <bartl...@corp.netcarrier.com>
To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Date: 11/19/2012 09:51 PM
Subject: RE: AD Washout




No.

However, I just discovered that when I try to do a manual replication on one 
2003 DC from the PDCe 2003 DC, I get an error that it can't replicate due to 
tombstone lifetime being exceeded. It does replicate the other direction. I am 
not getting any Event errors in the Directory Service event log of either DC 
when I try the manual replication (such as 2042-which I did find references on).

Best Regards,

Dan Bartley
Director - Security, IT, Billing, A-R
NetCarrier Telecom
Phone: (877) 255-7733; Fax: (267) 638-0317; Direct: (215) 966-3310


From: Jon Harris [mailto:jk.har...@live.com]
Sent: Monday, November 19, 2012 21:37
To: NT System Admin Issues
Subject: RE: AD Washout

Any new patches added just prior to this.

Jon



Subject: AD Washout
Date: Mon, 19 Nov 2012 21:31:10 -0500
From: bartl...@corp.netcarrier.com
To: ntsysadmin@lyris.sunbelt-software.com
I mostly watch and learn, but today a question. Today I had an issue I can't 
find any reason for.

Mixed 2000-2003 domain. 2 of each. All the roles have been moved to the 2003 
DCs, except time server. Fully patched.

Out of nowhere I started getting SCOM alerts from 2 of the DCs that various DC 
functions were failing when contacting one of the 2003 DCs. The 2 2000 servers 
could be RDP, but not accessed via MMC for services, etc. from a Win7 
workstation. I saw various KCC NTDS Replication related errors on one of the 
2003 DCs. I could attach to them via RPC (MMC) though. One of the 2000 DCs is 
still the time server. Neither of the 2003 DCs could update time with it having 
a server error 5, access denied error. The other 2000 DC could update time 
fine. Logins to various internal systems and DFS links started to fail with 
access denied errors.

Eventually I rebooted the 2003 DC with the PDCe role and everything started to 
come back. There were no Directory Service errors or warnings in the event log 
at or before this happened. At the time this started this DC had system errors 
that the other 2003 DC had a time in the

RE: AD Washout

2012-11-20 Thread Coleman, Hunter
Maybe a long shot, but check 
http://blogs.technet.com/b/askpfeplat/archive/2012/11/19/did-your-active-directory-domain-time-just-jump-to-the-year-2000.aspx


From: Dan Bartley [mailto:bartl...@corp.netcarrier.com]
Sent: Tuesday, November 20, 2012 9:04 AM
To: NT System Admin Issues
Subject: RE: AD Washout

No to these questions.

Actually it all seems centered around time sync problem that I have no idea the 
cause of. It seems the 2003 PDCe server developed a problem with access denied 
issues and that cascaded time sync errors to everything else. The 2 2000 DCs 
show the correct amount of uptime based on them being rebooted yesterday. The 
2003 DCs however show correct time and date, but say uptime 4300+ days after 
their reboot. They are syncing with time server now, but clearly still have an 
issue. That is probably what is causing the one way replicate problem between 
just the 2 2003 DCs. I can actually replicate either one to a 2000 DC and then 
replicate that to the server that won't replicate from the PDCe and changes 
show up. Still haven't figured the best way to rectify the issue. I definitely 
do not favor a transfer of roles and dcpromo to demote and then promote again.

Best Regards,

Dan Bartley


From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Tuesday, November 20, 2012 07:54
To: NT System Admin Issues
Subject: RE: AD Washout

Tombstonelifetime error makes me think this might be an issue with lingering 
objects. Were any of the domain controllers migrated from physical to virtual 
recently? Or restored from a backup?
Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com


The Guardian Life Insurance Company of America

www.guardianlife.com







From: "Dan Bartley" <bartl...@corp.netcarrier.com>
To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Date: 11/19/2012 09:51 PM
Subject: RE: AD Washout




No.

However, I just discovered that when I try to do a manual replication on one 
2003 DC from the PDCe 2003 DC, I get an error that it can't replicate due to 
tombstone lifetime being exceeded. It does replicate the other direction. I am 
not getting any Event errors in the Directory Service event log of either DC 
when I try the manual replication (such as 2042-which I did find references on).

Best Regards,

Dan Bartley
Director - Security, IT, Billing, A-R
NetCarrier Telecom
Phone: (877) 255-7733; Fax: (267) 638-0317; Direct: (215) 966-3310


From: Jon Harris [mailto:jk.har...@live.com]
Sent: Monday, November 19, 2012 21:37
To: NT System Admin Issues
Subject: RE: AD Washout

Any new patches added just prior to this.

Jon



Subject: AD Washout
Date: Mon, 19 Nov 2012 21:31:10 -0500
From: bartl...@corp.netcarrier.com
To: 
ntsysadmin@lyris.sunbelt-software.com
I mostly watch and learn, but today a question. Today I had an issue I can't 
find any reason for.

Mixed 2000-2003 domain. 2 of each. All the roles have been moved to the 2003 
DCs, except time server. Fully patched.

Out of nowhere I started getting SCOM alerts from 2 of the DCs that various DC 
functions were failing when contacting one of the 2003 DCs. The 2 2000 servers 
could be RDP, but not accessed via MMC for services, etc. from a Win7 
workstation. I saw various KCC NTDS Replication related errors on one of the 
2003 DCs. I could attach to them via RPC (MMC) though. One of the 2000 DCs is 
still the time server. Neither of the 2003 DCs could update time with it having 
a server error 5, access denied error. The other 2000 DC could update time 
fine. Logins to various internal systems and DFS links started to fail with 
access denied errors.

Eventually I rebooted the 2003 DC with the PDCe role and everything started to 
come back. There were no Directory Service errors or warnings in the event log 
at or before this happened. At the time this started this DC had system errors 
that the other 2003 DC had a time in the future, however it did not. In the 
application log there were errors when it started for ID 1058, "Windows cannot 
access the file gpt.ini for GPO ..." and ending with "(There is a time and/or date 
difference between the client and server.). Group Policy processing aborted."

All of the other DCs showed nothing other than the breakdown between them and 
this server. After the reboot all was well again. No performance issues for 
CPU, HDD or memory while it was going on. No services stopped.

Anybody have any thoughts on what might have caused this?

Best Regards,

Dan Bartley




RE: GPO Hell (Unlinked/Empty GPOs)

2012-11-16 Thread Coleman, Hunter
This is what I use to check for empty GPOs. It checks the XML report for empty 
user configuration and computer configuration sections, and dumps the name and 
last modified timestamp of the empty GPOs to an output file. Darren had posted 
a while back on his GPTalk list that checking for empty user and computer 
configuration settings isn't 100% accurate, but I haven't had a chance to 
follow up and see what the edge cases are. Regardless, I end up checking the 
GPOs that get flagged as empty before I delete them just to be sure.



#System Requirements:
# SDM Group Policy cmdlets
# Group Policy Management Console (GPMC.msc)
# Powershell v2

#---
#---

#requires -version 2

# GPMC COM object, used to generate the XML report for each GPO
$gpm = new-object -comObject gpmGMT.gpm
$constants = $gpm.getConstants()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$gpmDomain = $gpm.GetDomain($domain.name,$null,$constants.useanydc)
$folderPath = get-location
$xmlReport = $folderPath.path + "\tempGPOReport.xml"   # scratch file, overwritten for each GPO

# Output file: one header line, then one line per empty GPO
$reportFile = "EmptyGPOs.txt"
$tempLine = "GPO Name;OU Link Count;Linked OUs;Last Modified Date"
add-content -path $reportFile -value $tempLine -encoding ASCII

$allGPOs = get-SDMgpo -name *

foreach ($tempGPO in $allGPOs) {
    $gpmGPO = $gpmDomain.GetGPO($tempGPO.ID)
    $gpmGPO.GenerateReportToFile($constants.ReportXML,$xmlReport)
    $myXMLFile = [xml](Get-Content $xmlReport)

    # A configured Computer section carries an ExtensionData property in the report
    $computerNodeProperties = $myXMLFile.GPO.Computer | gm
    $computerConfigured = $false
    foreach ($member in $computerNodeProperties) {
        if (($member.MemberType -eq "Property") -and ($member.name -eq "ExtensionData")) {
            $computerConfigured = $true
        }
    }

    # Same check for the User section
    $userNodeProperties = $myXMLFile.GPO.User | gm
    $userConfigured = $false
    foreach ($member in $userNodeProperties) {
        if (($member.MemberType -eq "Property") -and ($member.name -eq "ExtensionData")) {
            $userConfigured = $true
        }
    }

    if ($computerConfigured -or $userConfigured) {
        #write-host "This is not an empty GPO"
    } else {
        # Parenthesise the concatenation; without it write-host receives "+" as a separate argument
        write-host (" EMPTY GPO: " + $tempGPO.name)
        $tempLine = $tempGPO.name + ";EMPTY;;" + $tempGPO.modificationtime
        add-content -path $reportFile -value $tempLine -encoding ASCII
    }
}



From: Free, Bob [mailto:r...@pge.com]
Sent: Friday, November 16, 2012 2:24 PM
To: NT System Admin Issues
Subject: RE: GPO Hell (Unlinked/Empty GPOs)

Web-

There are canned scripts for unlinked, orphaned, disabled and empty sec filter 
but not empty settings as I recall.

Low-tech way if in a hurry would be run the GetReportsForAllGPOs.wsf and look 
at the xml, the really small files would likely be empty. Very low tech but it 
would show you where to look.

I'll have a peek at Darren's posh module but I don't think it does it either.

--bob

From: Webster [mailto:webs...@carlwebster.com]
Sent: Friday, November 16, 2012 1:15 PM
To: NT System Admin Issues
Subject: RE: GPO Hell (Unlinked/Empty GPOs)

Bob,

I thought one of the scripts also did empty GPOs?


Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

From: Free, Bob [mailto:r...@pge.com]
Sent: Friday, November 16, 2012 3:01 PM
To: NT System Admin Issues
Subject: RE: GPO Hell (Unlinked/Empty GPOs)

FindUnlinkedGPOs.wsf in the GPMC scripts should solve the first issue. Have to 
think about the second one a bit more :)

From: Guyer, Don [mailto:dgu...@che.org]
Sent: Friday, November 16, 2012 12:38 PM
To: NT System Admin Issues
Subject: GPO Hell (Unlinked/Empty GPOs)

Greetings,

We have over 800 GPOs, org-wide, and I'm in cleanup mode. Have 
been trying to find a script/utility to run that will list out unlinked GPOs 
and/or ones with no settings. Haven't had much luck.

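An added alternative (not Hunter's script and not the GPMC .wsf scripts Bob mentions) that covers both of Don's asks, unlinked GPOs and GPOs with no settings, using the built-in GroupPolicy module instead of the SDM cmdlets. The empty test is the same ExtensionData check Hunter's script uses; the link test reads the LinksTo elements of the same XML report. It assumes the GroupPolicy module is available (Windows Server 2008 R2 or RSAT) and runs against the current domain.

```powershell
# Added example, not from the thread: list unlinked and empty GPOs with the
# GroupPolicy module. Assumes the module is installed (2008 R2 / RSAT) and
# that the caller can read every GPO in the current domain.

Import-Module GroupPolicy

function Get-GpoHygieneReport {
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

        # One <LinksTo> element per site, domain or OU the GPO is linked to.
        $links = @($report.GPO.LinksTo | Where-Object { $_ })
        $enabledLinks = @($links | Where-Object { $_.Enabled -eq 'true' })

        # A section counts as configured only when it carries ExtensionData
        # (the per-extension settings); the Enabled flag alone says nothing
        # about whether any settings exist. Same test as Hunter's script.
        $computerConfigured = [bool]$report.GPO.Computer.ExtensionData
        $userConfigured = [bool]$report.GPO.User.ExtensionData

        New-Object PSObject -Property @{
            Name             = $gpo.DisplayName
            Id               = $gpo.Id
            Modified         = $gpo.ModificationTime
            LinkCount        = $links.Count
            EnabledLinkCount = $enabledLinks.Count
            LinkedTo         = ($links | ForEach-Object { $_.SOMPath }) -join ';'
            ComputerSettings = $computerConfigured
            UserSettings     = $userConfigured
            Unlinked         = ($links.Count -eq 0)
            Empty            = -not ($computerConfigured -or $userConfigured)
        }
    }
}

# Keep only the candidates for cleanup; as Hunter says, review each one
# before deleting it, since the empty test is not known to be 100% accurate.
Get-GpoHygieneReport |
    Where-Object { $_.Unlinked -or $_.Empty } |
    Sort-Object Name |
    Select-Object Name, Unlinked, Empty, LinkCount, EnabledLinkCount, LinkedTo, Modified |
    Export-Csv -Path .\GpoHygiene.csv -NoTypeInformation
```

A GPO linked only to a site in another domain still shows a link here, so the Unlinked column reflects the whole forest's use of the GPO, not just this domain's OUs.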

RE: in-depth AD

2012-06-12 Thread Coleman, Hunter
It sounds like the reality for the customer is a new Active Directory 
environment. Even if you managed to delete the corrupt entry from the .dit, it 
would be reasonable to expect that deletion to create other problems within the 
database.

The cut-your-losses approach may be to spin up a new forest (at least 2 DCs), 
install ADMT, and start migrating out what you can from the broken forest into 
the new one.

From: Daniel Chenault [mailto:dchena...@lgnetworksinc.com]
Sent: Tuesday, June 12, 2012 3:57 PM
To: NT System Admin Issues
Subject: RE: in-depth AD

*shrug*

Alrighty then...

I may actually be able to get my grubby little hands on a backup that predates 
the first 447 event (that is, before 1/6/12). Rather concerned though; that is 
well past the default tombstone age of 60 days (and what is currently set). 
From what I read in Technet the restore of one that old will be disallowed.

Daniel Chenault
dchena...@lgnetworksinc.com

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, June 12, 2012 4:50 PM
To: NT System Admin Issues
Subject: RE: in-depth AD


What Steven said.

You only have one functional DC, and no useful historical backups. You might 
want to know if the one you have can be restored, and, if perchance the restore 
avoids the problem.

-ASB: http://XeeMe.com/AndrewBaker

Sent from my Motorola Droid RAZR
On Jun 12, 2012 5:17 PM, "Daniel Chenault" <dchena...@lgnetworksinc.com> wrote:
Uh... what's the point? The problem I'm having predates that backup by MONTHS.

Daniel Chenault
dchena...@lgnetworksinc.com

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, June 12, 2012 3:53 PM
To: NT System Admin Issues
Subject: Re: in-depth AD

Try restoring that somewhere offline and see if the problem remains

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Tue, Jun 12, 2012 at 3:56 PM, Daniel Chenault <dchena...@lgnetworksinc.com> wrote:
Did a backup last night before booting into DSRM and it completed without error 
for whatever that is worth.

2008 R2 SP1, English, 64-bit

Daniel Chenault
dchena...@lgnetworksinc.com

From: Damien Solodow [mailto:damien.solo...@harrison.edu]
Sent: Tuesday, June 12, 2012 2:04 PM

To: NT System Admin Issues
Subject: RE: in-depth AD

Ah... I was thinking something different based on what you were saying earlier.

Are you able to get a successful system state backup from that DC?
Also, what Windows version is the DC in question?

DAMIEN SOLODOW
Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: Daniel Chenault [mailto:dchena...@lgnetworksinc.com]
Sent: Tuesday, June 12, 2012 2:38 PM

To: NT System Admin Issues
Subject: RE: in-depth AD

It's an object of type... uh... I dunno... you tell me...

NTDS (1836) A bad page link (error -327) has been detected in a B+ Tree 
(ObjectID: 163, PgnoRoot: 952) of database c:\windows\ntds\ntds.dit (2596 => 
3372, 3369)


Daniel Chenault
dchena...@lgnetworksinc.com

From: Damien Solodow [mailto:damien.solo...@harrison.edu]
Sent: Tuesday, June 12, 2012 1:27 PM

To: NT System Admin Issues
Subject: RE: in-depth AD

Couple questions:

1)  I assume there are multiple domain controllers? Do they all report this 
same error or is it just one DC?

2)  What object is an error being reported on? Depending on the object type 
you may have different options for dealing with it

DAMIEN SOLODOW
Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: Daniel Chenault [mailto:dchena...@lgnetworksinc.com]
Sent: Tuesday, June 12, 2012 2:19 PM

To: NT System Admin Issues
Subject: RE: in-depth AD

Failed with an error (1206 I believe) stating the database is corrupt.

Let me clarify: I, and Microsoft, have run every possible switch or command 
available via ntdsutil and esentutl. Each one failed with an error stating 
corruption. Wanting to try and edit the file manually is not a whim or a wild 
idea but a last-ditch effort unless someone has a better idea.

Daniel Chenault
dchena...@lgnetworksinc.com

From: Michael B. Smith 
[mailto:mich...@smithcons.com]
Sent: Tuesday, June 12, 2012 11:56 AM

To: NT System Admin Issues
Subject: RE: in-depth AD

RE: in-depth AD

2012-06-12 Thread Coleman, Hunter
Are you only seeing the 447 event ID on one DC? Is replication only blocked 
to/from that one DC?




From: Daniel Chenault [dchena...@lgnetworksinc.com]
Sent: Tuesday, June 12, 2012 10:22 AM
To: NT System Admin Issues
Subject: RE: in-depth AD

Oh yes, it’s up and running. Basic AD functionality is there; I can create 
users, assign permissions and other simple stuff. No replication is happening 
and it’s to the point that I cannot open the EMC.

Daniel Chenault
dchena...@lgnetworksinc.com

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, June 12, 2012 11:13 AM
To: NT System Admin Issues
Subject: RE: in-depth AD

Does the machine boot?

Thanks,
Brian Desmond
br...@briandesmond.com

w – 312.625.1438 | c   – 312.731.3132

From: Daniel Chenault 
[mailto:dchena...@lgnetworksinc.com]
Sent: Tuesday, June 12, 2012 10:54 AM
To: NT System Admin Issues
Subject: in-depth AD

It’s a long story, aren’t they all, but the root of my issue is this: I am 
getting Event ID 447 for Database Corruption on ntds.dit. Microsoft is telling 
me to do an authoritative restore. Problem is this problem goes back to 
January; it is highly doubtful I can locate a backup pre-dating that time 
frame. I inherited this mess and am just trying to fix it. This corruption is 
causing several different problems (naturally).

What I want to know from the collective list wisdom and knowledge is… is it 
possible to use a tool, such as adsiedit, to locate a specific object (it is 
called out specifically in the aforementioned event) and 
edit/massage/delete/assassinate the object?

Because, as I see it, I have three choices at this point:

1)  Auth restore (highly unlikely)

2)  Edit/massage ntds.dit (maybe?)

3)  Recreate this entire domain from scratch (seven locations 
internationally, hundreds of users and computers, lord knows how many printers 
total, plus Exchange and Great Plains, permissions on umpty-hundred shares – 
just shoot me now)

Daniel Chenault
dchena...@lgnetworksinc.com
Office: 972-528-6546 x 1002
Fax: 972-982-0054
9550 Skillman Road
Suite 500
Dallas, TX 75243


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


RE: Reality check

2012-06-08 Thread Coleman, Hunter
You can delegate off the GPO stuff as well.

-Original Message-
From: David Lum [mailto:david@nwea.org] 
Sent: Friday, June 8, 2012 1:03 PM
To: NT System Admin Issues
Subject: RE: Reality check

Already did exactly this for the Service Desk a couple years ago, the only 
difference for the SEs would be allowing it to OUs the SD guys can't get to. 
I'd bet it'd take a while before they noticed...like the next time they went to 
mess with a GPO (which is rare, but it happens).

Dave

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Friday, June 08, 2012 11:47 AM
To: NT System Admin Issues
Subject: Re: Reality check

If that's all they need, then delegation is your friend. It's pretty dang easy 
to set up, too.

Create accounts, put them in the new groups, use the delegation wizard to add 
the new groups to the relevant OUs, and you're good to go.

Kurt

On Fri, Jun 8, 2012 at 10:40 AM, David Lum  wrote:
>
> That’s funny, I *JUST* had this discussion with someone else here. If 
> they could create accounts, join machines, and install software on 
> some systems they’d likely not know the difference..
>
>
>
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Friday, June 08, 2012 10:23 AM
>
>
> To: NT System Admin Issues
> Subject: Re: Reality check
>
>
>
> In your shoes I might be tempted to present them with a fait accompli
> - over the weekend strip their user accounts of DA privileges and 
> create new accounts for them that allow them to do what they need to do.
>
> Of course, you'd want to show the manager of the department references 
> on why you're doing it, and get his blessing.
>
> Kurt
>
> On Fri, Jun 8, 2012 at 9:29 AM, David Lum  wrote:
>
> “separation of privileges or separation of duties which should be 
> firmly entrenched in most workplaces”
>
> HAHAHAHAHHAHAHHAHAHAA! Oh wait, you said “should”
>
>
>
> Dude, our users are still local admins and I’m the only one who seems 
> to care, not one of the 5 Service Desk guys are inclined to move us in 
> that direction, they only see it as extra work. Only one other SE has 
> a separate DA account for Domain Admin access, the rest of 'em, their 
> normal accounts are DA accounts.
>
>
>
> Hmm…that might be a vent…
>
>
>
> From: Ziots, Edward [mailto:ezi...@lifespan.org]
> Sent: Friday, June 08, 2012 6:57 AM
>
>
> To: NT System Admin Issues
>
> Subject: RE: Reality check
>
>
>
> Seems strange that business users would have admin access to a server, 
> which wouldn’t obey separation of privileges or separation of duties 
> which should be firmly entrenched in most workplaces ( again YMMV as 
> stated before).
>
>
>
> Z
>
>
>
> Edward Ziots
>
> CISSP, Security +, Network +
>
> Security Engineer
>
> Lifespan Organization
>
> ezi...@lifespan.org
>
>
>
> From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
> Sent: Friday, June 08, 2012 9:28 AM
>
>
> To: NT System Admin Issues
>
> Subject: Re: Reality check
>
>
>
> It depends on your environment. That's almost identical to the 
> procedure we have here. When provisioning a new server here, part of 
> the process is to create a new AD group with this naming convention:
>
> ACME_ADMINS_SERVERNAME
>
> This group is then placed in the local administrators group of the server.
> All business users that need admin access to servers have a separate 
> account for that purpose. They submit a privileged access request, and 
> when approved our "user admin" group adds them to the appropriate AD 
> group that was created for the server. In a small environment this might be 
> overkill.
>
> YMMV
>
> Christopher Bodnar
> Enterprise Architect I, Corporate Office of Technology:Enterprise 
> Architecture and Engineering Services
>
> Tel 610-807-6459
> 3900 Burgess Place, Bethlehem, PA 18017 christopher_bod...@glic.com
>
>
>
> The Guardian Life Insurance Company of America
>
> www.guardianlife.com
>
>
>
>
>
>
> From:        David Lum 
> To:        "NT System Admin Issues"
> 
> Date:        06-08-12 09:14 AM
> Subject:        Reality check
>
> 
>
>
>
>
> A fellow team member (not an SE, but more of an application owner type 
> of tech person) needs Local Admin access to a server to install and 
> configure a new application on it. I understand the need and agree with it.
>
> Instead of just throwing his account into the local admin group on 
> that server I did the following:
> Created a LA- account (LA= Local Admin)
> Created a security group called LA-_LocalAdmin, added the above to it
> Created a GPO to put said security group into local admins on that server
>
> My thinking is
> 1.       This keeps him from using his daily account to be local admin on the box
> 2.       I don’t have an individual assignment on that server
>
> In general, I view putting a user specifically into a server’s local 
> group as the same as putting a user (instead of a group) into the ACL 
> of an NTFS folder. If said employee leaves, it’s difficult/tedio
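An added check for the pattern David describes (group in the local Administrators group, user in the group, nothing assigned directly), not code from the thread: it lists the local Administrators members on one or more servers and flags domain user accounts placed there directly. It assumes Windows PowerShell 5.1 (Get-LocalGroupMember) on the audited hosts and WinRM for remote ones; SERVER01 is a placeholder name.

```powershell
# Added example, not from the thread: audit the local Administrators group on
# one or more servers and flag domain user accounts that were placed in it
# directly instead of through a group (the "user in the ACL" analogy above).
# Assumes Windows PowerShell 5.1 (Get-LocalGroupMember) on the audited hosts
# and WinRM for remote ones; SERVER01 below is a placeholder name.
function Get-DirectLocalAdmins {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($c in $ComputerName) {
        $members = if ($c -eq $env:COMPUTERNAME) {
            Get-LocalGroupMember -Group 'Administrators'
        } else {
            Invoke-Command -ComputerName $c -ScriptBlock { Get-LocalGroupMember -Group 'Administrators' }
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Computer    = $c
                Member      = $m.Name                 # DOMAIN\account-or-group
                ObjectClass = $m.ObjectClass          # User or Group
                Source      = $m.PrincipalSource      # Local, ActiveDirectory, ...
                # The anti-pattern: a domain *user* granted admin directly.
                DirectUser  = ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'ActiveDirectory')
            }
        }
    }
}

Get-DirectLocalAdmins -ComputerName 'SERVER01' |
    Where-Object DirectUser |
    Format-Table Computer, Member, ObjectClass -AutoSize
```

Run it across the server list periodically; an empty result means every admin entry is a group, which is the state the GPO approach is meant to keep.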

RE: DNS Quirkyness....

2012-04-26 Thread Coleman, Hunter
Yes, but it was a long time ago. IIRC, you can delete the record using 
dnscmd.exe

From: Troy Adkins [mailto:tadk...@house.virginia.gov]
Sent: Thursday, April 26, 2012 1:46 PM
To: NT System Admin Issues
Subject: DNS Quirkyness

Has anyone experienced this?

I have a PTR record in the reverse lookup zone that still shows it belonging to 
an old computer.
I cannot delete it.

http://support.microsoft.com/kb/842127

Troy Adkins
Network Administrator
Virginia House of Delegates
General Assembly Bldg. Room 815
804.698.1567 (O)
804.771.7917 (F)
tadk...@house.virginia.gov
http://legis.virginia.gov


RE: Speaking of Lync 2010....

2012-02-03 Thread Coleman, Hunter
SP 1 isn't a requirement for the Lync mobile clients. No need for old OCS 
infrastructure either. 
http://www.microsoft.com/download/en/details.aspx?id=28355


From: Jonathan [mailto:ncm...@gmail.com]
Sent: Thursday, February 02, 2012 5:55 PM
To: NT System Admin Issues
Subject: Speaking of Lync 2010


Does anyone here have any insider info on when Lync 2010 SP 1 will be released? 
We have some users that are asking for Lync mobile... the clients are out, but 
not much good if you don't have the old OCS infrastructure in place... and 
fully functional.

Jonathan


RE: Forest trust question

2012-01-09 Thread Coleman, Hunter
FQDN

From: Heaton, Joseph@DFG [mailto:jhea...@dfg.ca.gov]
Sent: Monday, January 09, 2012 3:43 PM
To: NT System Admin Issues
Subject: Forest trust question

When creating a forest trust, what domain name is keyed on?  Is it the FQDN, or 
is it the NetBIOS name?

From my HTC Amaze 4G on T-Mobile. The first nationwide 4G network



RE: OT - converting a VMware VM back to a physical box

2011-11-15 Thread Coleman, Hunter
> While I also think that *should* work, what happens if I'm wrong? I
> wouldn't have any fall back, as the VM won't work due to SID changes
> during the domain removal/re-join. And while a domain removal/re-join
> should have no impact on the application ... what if we're wrong, and it
> does have some freaky weird effect? I have nowhere to go at that point ...



You could do an authoritative restore of that computer object from your AD 
backups, which would get your SID and computer object password matched back to 
your VM.



From: Mike Leone [oozerd...@gmail.com]
Sent: Tuesday, November 15, 2011 7:56 AM
To: NT System Admin Issues
Subject: Re: OT - converting a VMware VM back to a physical box

On 11/14/2011 7:52 PM, Crawford, Scott wrote:
> Your general plan sounds decent and, as other have mentioned, your concerns 
> could probably be overcome with a pre-sysprep snapshot. But, why not go a 
> step further and create a copy of the .vmdk file and try the migration with 
> that while the original sits safely turned off?

I thought of that - trying it out on a clone of the production machine.
That way, if it fails, I can power the original backup. The problem is
the sysprep - if I do this (and that's the recommended way, even by
VMware), then even trying the attempts will fubar up the SID, and I
won't be able to power on the old machine and have it Just Work, as its
SID won't match the domain SID.

Doing the BMR should keep the same SID, which would be restored with the
backup, so if it didn't work as a physical machine, I could still power
the VM back up.

My boss thinks we should do the BMR, and - if we had to - do a Windows
repair installation on the physical machine, giving it whatever drivers
it wants. And if needed, remove from domain and re-join.

While I also think that *should* work, what happens if I'm wrong? I
wouldn't have any fall back, as the VM won't work due to SID changes
during the domain removal/re-join. And while a domain removal/re-join
should have no impact on the application ... what if we're wrong, and it
does have some freaky weird effect? I have nowhere to go at that point ...


RE: CITRIX - Outlook 2003 - Destroys BODY of Email

2011-10-31 Thread Coleman, Hunter
Are you running ESET/NOD32 on the Citrix box? A year or so back, we found that 
it would do exactly what you describe to HTML-formatted messages if it was set 
to "Integrate into Microsoft Outlook".

From: Mark Boeck [mailto:netadmin...@gmail.com]
Sent: Monday, October 31, 2011 9:55 AM
To: NT System Admin Issues
Subject: CITRIX - Outlook 2003 - Destroys BODY of Email

Repeatable for any user:
Users have either Outlook 2007 or Outlook 2003 on their LOCAL machine (not 
Citrix) desktop. ==ALL== email is fine on their local machine.
Any user logs onto CITRIX and in CITRIX uses Outlook 2003 to look at their 
email, that email's BODY is deleted.  The BODY is now also gone from the LOCAL 
machine.

Ideas greatly appreciated


RE: ADFIND

2011-10-28 Thread Coleman, Hunter
The batch file you posted (including manager) runs fine for me (tweaking the 
base and email filter for my environment). Are you not getting any output, or 
not getting what you expect/want?

-Original Message-
From: David Lum [mailto:david@nwea.org] 
Sent: Friday, October 28, 2011 11:28 AM
To: NT System Admin Issues
Subject: RE: ADFIND

Sorry, manager isn't in the command line that works, for the first time ever 
[1] I mis-posted.

[1] ever defined as the last 5 minutes

-Original Message-
From: Coleman, Hunter [mailto:hcole...@mt.gov] 
Sent: Friday, October 28, 2011 10:11 AM
To: NT System Admin Issues
Subject: RE: ADFIND

You have manager included in the list of attributes returned and say the batch 
file works as advertised. Then you say that if you add manager it all goes to 
pot.

What does "all goes to pot" mean?

-Original Message-
From: David Lum [mailto:david@nwea.org]
Sent: Friday, October 28, 2011 10:55 AM
To: NT System Admin Issues
Subject: RE: ADFIND

Looking for 100% hands free export and FTP

Here's the first batch file, works as advertised:
c:\automate\adfind -b ou=main,cn=users,dc=nwea,dc=org -csv -f 
"&(objectcategory=user) (mail=*@nwea.org*)" -csvnoq -nodn mail CN streetAddress 
postalCode title company department physicalDeliveryOfficeName telephoneNumber 
manager -csvdelim \t > C:\automate\ftp\nweaoutput.txt

If I add "manager" it all goes to pot.

Dave

-Original Message-
From: Anders Blomgren [mailto:chanks...@gmail.com]
Sent: Friday, October 28, 2011 9:05 AM
To: NT System Admin Issues
Subject: Re: ADFIND

Yeah, -nodn is just to stop adfind from outputting the dn for each object found 
no matter what attributes you find. If you're doing a larger report and not 
including group memberships, just add -csv and redirect to file. Then open in 
excel and text to column twice, once for the file and once more for the manager 
column.

-Anders

Sent from my iPhone

On 28 okt 2011, at 17:58, David Lum  wrote:

> Eh, answered my own Q. I already have -nodn in the command line...adding it 
> again in front of manager predictably had no effect.
>
> -Original Message-
> From: David Lum [mailto:david@nwea.org]
> Sent: Friday, October 28, 2011 8:52 AM
> To: NT System Admin Issues
> Subject: RE: ADFIND
>
> AH!   Do you use -nodn in front of *each* field that might contain all that 
> stuff?
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Friday, October 28, 2011 8:38 AM
> To: NT System Admin Issues
> Subject: Re: ADFIND
>
> adfind -b dc=mycompany,dc=com -f "samaccountname=kbuff" -nodn manager
>
> On Fri, Oct 28, 2011 at 06:14, David Lum  wrote:
>> ADFIND is outputting the complete details of the "manager" field 
>> (CN=BillyBob,CN=Users,DC=nwea,DC=org), anyone here know how to make it 
>> output just the manager's CN? Probably some piping needed in the 
>> command line right? Just can't get my head around it this morning...
>>
>> David Lum
>> Systems Engineer // NWEATM
>> Office 503.548.5229 // Cell (voice/text) 503.267.9764
>>
>>
>>

RE: ADFIND

2011-10-28 Thread Coleman, Hunter
You have manager included in the list of attributes returned and say the batch 
file works as advertised. Then you say that if you add manager it all goes to 
pot.

What does "all goes to pot" mean?

-Original Message-
From: David Lum [mailto:david@nwea.org] 
Sent: Friday, October 28, 2011 10:55 AM
To: NT System Admin Issues
Subject: RE: ADFIND

Looking for 100% hands free export and FTP

Here's the first batch file, works as advertised:
c:\automate\adfind -b ou=main,cn=users,dc=nwea,dc=org -csv -f 
"&(objectcategory=user) (mail=*@nwea.org*)" -csvnoq -nodn mail CN streetAddress 
postalCode title company department physicalDeliveryOfficeName telephoneNumber 
manager -csvdelim \t > C:\automate\ftp\nweaoutput.txt

If I add "manager" it all goes to pot.

Dave

-Original Message-
From: Anders Blomgren [mailto:chanks...@gmail.com] 
Sent: Friday, October 28, 2011 9:05 AM
To: NT System Admin Issues
Subject: Re: ADFIND

Yeah, -nodn is just to stop adfind from outputting the dn for each object found 
no matter what attributes you find. If you're doing a larger report and not 
including group memberships, just add -csv and redirect to file. Then open in 
excel and text to column twice, once for the file and once more for the manager 
column.

-Anders

Sent from my iPhone

On 28 okt 2011, at 17:58, David Lum  wrote:

> Eh, answered my own Q. I already have -nodn in the command line...adding it 
> again in front of manager predictably had no effect.
>
> -Original Message-
> From: David Lum [mailto:david@nwea.org]
> Sent: Friday, October 28, 2011 8:52 AM
> To: NT System Admin Issues
> Subject: RE: ADFIND
>
> AH!   Do you use -nodn in front of *each* field that might contain all that 
> stuff?
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Friday, October 28, 2011 8:38 AM
> To: NT System Admin Issues
> Subject: Re: ADFIND
>
> adfind -b dc=mycompany,dc=com -f "samaccountname=kbuff" -nodn manager
>
> On Fri, Oct 28, 2011 at 06:14, David Lum  wrote:
>> ADFIND is outputting the complete details of the "manager" field 
>> (CN=BillyBob,CN=Users,DC=nwea,DC=org), anyone here know how to make it 
>> output just the manager's CN? Probably some piping needed in the 
>> command line right? Just can't get my head around it this morning...
>>
>> David Lum
>> Systems Engineer // NWEATM
>> Office 503.548.5229 // Cell (voice/text) 503.267.9764
>>
>>
>>


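Both ADFIND threads above end with the same problem: adfind returns the manager attribute as a full DN and David wants only the CN. The following is an added example, not code from the thread or from adfind: a function that reduces a DN to its first RDN value while honouring RFC 4514 escapes such as "Smith\, John" (which a plain split on "," or Excel's text-to-columns would cut in the wrong place), run over constructed rows shaped like the tab-delimited output of the batch file. The sample rows and names are constructed.

```powershell
# Added example, not from the thread: reduce the DN that adfind returns in the
# manager attribute to just the CN, handling RFC 4514 escapes such as "Smith\, John".
# The same function can be applied to the file the batch above writes with
# Import-Csv -Delimiter "`t" C:\automate\ftp\nweaoutput.txt
function Get-RdnValue {
    param([string]$DistinguishedName)
    if ([string]::IsNullOrEmpty($DistinguishedName)) { return $null }

    $sb = New-Object System.Text.StringBuilder
    $n  = $DistinguishedName.Length
    $i  = 0
    while ($i -lt $n) {
        $c = $DistinguishedName[$i]
        if ($c -eq '\' -and $i + 1 -lt $n) {
            $pair = if ($i + 2 -lt $n) { $DistinguishedName.Substring($i + 1, 2) } else { '' }
            if ($pair -match '^[0-9A-Fa-f]{2}$') {
                # "\2C" style hex escape (single-byte characters only)
                [void]$sb.Append([char][Convert]::ToInt32($pair, 16))
                $i += 3
            } else {
                # "\," "\+" "\\" etc.: the next character is literal
                [void]$sb.Append($DistinguishedName[$i + 1])
                $i += 2
            }
            continue
        }
        if ($c -eq ',') { break }      # an unescaped comma ends the first RDN
        [void]$sb.Append($c)
        $i++
    }

    # Drop the attribute type ("CN=") and return only the value
    $rdn = $sb.ToString()
    $eq  = $rdn.IndexOf('=')
    if ($eq -ge 0) { $rdn.Substring($eq + 1) } else { $rdn }
}

# Constructed rows in the shape of "adfind -csv -csvnoq -csvdelim \t" output
$sample = @"
mail`tCN`tmanager
alice@example.org`tAlice Adams`tCN=Bill Bob,CN=Users,DC=example,DC=org
bob@example.org`tBob Jones`tCN=Smith\, John,OU=Staff,DC=example,DC=org
carol@example.org`tCarol King`t
"@

$sample | ConvertFrom-Csv -Delimiter "`t" |
    ForEach-Object { $_.manager = Get-RdnValue $_.manager; $_ } |
    ConvertTo-Csv -Delimiter "`t" -NoTypeInformation
```

The manager column comes out as "Bill Bob", "Smith, John" and empty for the three rows; the rest of the columns pass through untouched, so the existing FTP step needs no change.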

RE: "lastLogon" time is different on different DCs

2011-09-28 Thread Coleman, Hunter
The domain functional level and forest functional level don't matter. 
http://msdn.microsoft.com/en-us/library/ms676823(VS.85).aspx


"This attribute is not replicated and is maintained separately on each domain 
controller in the domain. To get an accurate value for the user's last logon in 
the domain, the Last-Logon attribute for the user must be retrieved from every 
domain controller in the domain. The largest value that is retrieved is the 
true last logon time for that user."


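The procedure in the MSDN quote (read lastLogon from every DC, keep the largest value) as a script. This is an added example, not code from the list or from Microsoft; it assumes the ActiveDirectory module (RSAT) and read access to every DC, and 'jdoe' is a placeholder account name.

```powershell
# Added example, not from the thread: query lastLogon on every DC and keep the
# largest value, as the MSDN note quoted above prescribes.
# Assumes the ActiveDirectory module (RSAT) and read access to each DC.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $perDc = foreach ($dc in $dcs) {
        try {
            # lastLogon is a non-replicated FILETIME (Int64); 0 means "never logged on via this DC".
            # lastLogonTimestamp IS replicated but is only updated every 9-14 days, so it is
            # deliberately not used here.
            $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties lastLogon -ErrorAction Stop
            $when = if ($u.lastLogon -gt 0) { [DateTime]::FromFileTime($u.lastLogon) } else { $null }
            [pscustomobject]@{ DC = $dc; LastLogon = $when }
        } catch {
            # An unreachable DC means the answer may be wrong; say so rather than hide it.
            Write-Warning "Could not query $dc : $($_.Exception.Message)"
        }
    }

    $latest = $perDc | Where-Object { $_.LastLogon } | Sort-Object LastLogon -Descending | Select-Object -First 1
    $trueLogon = $null
    $seenOn    = $null
    if ($latest) { $trueLogon = $latest.LastLogon; $seenOn = $latest.DC }

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        TrueLastLogon  = $trueLogon
        SeenOn         = $seenOn
        PerDc          = $perDc
    }
}

$r = Get-TrueLastLogon -SamAccountName 'jdoe'   # placeholder account name
$r.PerDc | Sort-Object LastLogon -Descending | Format-Table -AutoSize
"True last logon for $($r.SamAccountName): $($r.TrueLastLogon) (from $($r.SeenOn))"
```

The per-DC table is what explains Mike's observation below: different DCs legitimately hold different values, and only the maximum across all of them is the real answer.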

-Original Message-
From: Mike Leone [mailto:oozerd...@gmail.com]
Sent: Wednesday, September 28, 2011 9:11 AM
To: NT System Admin Issues
Subject: Re: "lastLogon" time is different on different DCs

On 9/28/2011 11:03 AM, James Rankin wrote:
> Maybe I should have said..   Last Logon time isn't replicated if you
> are using a Windows 2000 domain  my bad

Our domain is now Win2008. It started out as Win2000, and we updated to
2003, then 2008.

But the info is replicating, at least from the DC in that site, to at
least one of the DCs here.


RE: Migrated user cannot send emails

2011-08-25 Thread Coleman, Hunter
If the permissions are changing on a fairly predictable interval, start looking 
at adminSDHolder: 
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx



From: Straub, Patrick [mailto:patrick.str...@lanexpert.ch]
Sent: Thursday, August 25, 2011 1:52 PM
To: NT System Admin Issues
Subject: Migrated user cannot send emails

Hello folks

I have the following scenario:
- 2 trusted AD with Exchange 2007 each
- Users have been migrated with ADMT with SID history
- some users already had an account in the target domain with a different login 
name
- After the mailbox migration the users still login to the source domain
When we migrate the mailbox of one of these accounts (see above) he can connect 
to his mailbox, he can receive emails (internal and external) but he cannot 
send emails (error: user has no send as rights)
We have set the full control and send as rights to the user of the source 
domain, but after 15 minutes they disappear again because of the migrated SID.

Any idea what's wrong?

Patrick



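A check for the adminSDHolder lead above, added here and not code from the thread: it lists every account stamped adminCount=1 (the ones SDProp rewrites), which protected group (if any) still makes it protected, and whether ACL inheritance is blocked on the object. Exchange 2007 Full Access and Send-As rights are ACEs on the user object, so this is where they go missing. It assumes the ActiveDirectory module and the default protected groups of a Windows 2008-era domain.

```powershell
# Added example, not from the thread: find accounts that AdminSDHolder/SDProp
# keeps resetting (adminCount=1), show which protected group (if any) still
# justifies that, and whether ACL inheritance is blocked on the object.
# Assumes the ActiveDirectory module and the default 2008-era protected groups.
Import-Module ActiveDirectory

function Get-AdminSdHolderStatus {
    $protectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                       'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators'

    # Map every (nested) member DN to the protected group that makes it protected.
    $protectedBy = @{}
    foreach ($g in $protectedGroups) {
        try {
            Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                ForEach-Object { $protectedBy[$_.DistinguishedName] = $g }
        } catch {
            Write-Warning "Skipping $g : $($_.Exception.Message)"
        }
    }

    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
        ForEach-Object {
            $group = $protectedBy[$_.DistinguishedName]
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                ProtectedBy        = $group
                # adminCount=1 with no protected group: a leftover that SDProp no longer
                # touches, but inheritance stays blocked until someone resets it.
                Orphaned           = -not $group
                InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            }
        }
}

Get-AdminSdHolderStatus | Sort-Object Orphaned -Descending | Format-Table -AutoSize
```

If the migrated user shows up in this list with ProtectedBy set, the delegated mailbox rights will keep vanishing on every SDProp pass until the account leaves that group (or the rights are granted in a way SDProp does not overwrite).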
RE: aging and scavenging of stale records

2011-07-05 Thread Coleman, Hunter
http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx


From: Jimmy Tran [mailto:jt...@teachtci.com]
Sent: Tuesday, July 05, 2011 2:21 PM
To: NT System Admin Issues
Subject: aging and scavenging of stale records

Hi All,

I was looking at my DNS zone and noticed there were a lot of host records that 
show a time stamp of 1+ months old.  Is there a reason why those timestamps are 
not updated?  My DHCP leases are currently set to 4 hours.  DNS servers are 
both W2K8.  Maybe I just need to understand what the timestamp does?  I enabled 
aging and scavenging, ran dnscmd /ageallrecords zone, ran "scavenge stale 
resource records" but the entries are still there.

Any clarification on how this works would be awesome.

Thanks,

Jimmy



RE: Anyone got a good source of PBX Visio Stencils

2011-05-06 Thread Coleman, Hunter
There are a couple of them in the Lync Server stencil: 
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=65b5a396-2c87-445d-be23-d324727d19cb


From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Friday, May 06, 2011 9:08 AM
To: NT System Admin Issues
Subject: RE: Anyone got a good source of PBX Visio Stencils

Yep, tried Avaya's site, didn't find exactly what I needed (which is just a silly 
generic set of PBX icons)

Z

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email:ezi...@lifespan.org
Cell:401-639-3505

From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org]
Sent: Friday, May 06, 2011 11:07 AM
To: NT System Admin Issues
Subject: Re: Anyone got a good source of PBX Visio Stencils


Tried going to a specific PBX site and seeing if they have the stencils?
--
richard

"Ziots, Edward"  wrote on 05/06/2011 09:57:20 AM:

> Been searching high and low for PBX visio Stencils, and can't seem to
> find a generic set of telecom visio stencils.
>
> ( Tried visio café, and other sites)
>
> Z
>
> Edward E. Ziots
> CISSP, Network +, Security +
> Security Engineer
> Lifespan Organization
> Email:ezi...@lifespan.org
> Cell:401-639-3505

RE: ADMOD question

2011-02-03 Thread Coleman, Hunter
physicalDeliveryOfficeName

From: David Lum [mailto:david@nwea.org]
Sent: Thursday, February 03, 2011 1:14 PM
To: NT System Admin Issues
Subject: RE: ADMOD question

So when using Outlook 2007 to do an address book search, one column is titled 
"Location"; what AD attribute is that?
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 503.548.5229 // (Cell) 503.267.9764




From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Thursday, February 03, 2011 11:24 AM
To: NT System Admin Issues
Subject: RE: ADMOD question

The location attribute exists only on a computer object, not on a user object.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: David Lum [mailto:david@nwea.org]
Sent: Thursday, February 03, 2011 1:21 PM
To: NT System Admin Issues
Subject: ADMOD question

This works perfectly:
c:\automate\admod -b "CN=David Lum,OU=Users,OU=Main,DC=Mydomain,DC=ORG" 
"roomNumber::5West-48"

Changing nothing but roomNumber to location, it fails with "object class 
violation", which makes me think location can't take the string field I am 
sending it. I have tried different values, but all fail.

This page makes it look like it should work as well:
http://www.aspfree.com/c/a/Windows-Scripting/Modifying-Computer-Objects-with-Active-Directory/

Ideas?
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 503.548.5229 // (Cell) 503.267.9764



RE: ADMOD question

2011-02-03 Thread Coleman, Hunter
Yes, it's not defined in the schema as an available attribute to the user 
object class. It's only valid for computer, print-queue, room, site, and subnet 
object classes. http://msdn.microsoft.com/en-us/library/ms676839(v=VS.85).aspx


From: David Lum [mailto:david@nwea.org]
Sent: Thursday, February 03, 2011 11:21 AM
To: NT System Admin Issues
Subject: ADMOD question

This works perfectly:
c:\automate\admod -b "CN=David Lum,OU=Users,OU=Main,DC=Mydomain,DC=ORG" 
"roomNumber::5West-48"

Changing nothing but roomNumber to location, it fails with "object class 
violation", which makes me think location can't take the string field I am 
sending it. I have tried different values, but all fail.

This page makes it look like it should work as well:
http://www.aspfree.com/c/a/Windows-Scripting/Modifying-Computer-Objects-with-Active-Directory/

Ideas?
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 503.548.5229 // (Cell) 503.267.9764



RE: So...our data centre is under water

2011-01-14 Thread Coleman, Hunter
Sorry, I missed that part in the OP about already having some R2 DCs...

From: Coleman, Hunter [mailto:hcole...@mt.gov]
Sent: Friday, January 14, 2011 3:06 PM
To: NT System Admin Issues
Subject: RE: So...our data centre is under water

If you don't have any R2 domain controllers, and you haven't otherwise run 
adprep /forestprep, then you will be looking at necessary schema changes.

In general, I'd say that a disaster recovery is not the time to be making 
infrastructure changes like this. You have enough work ahead of you as it is, 
so why complicate things further?

From: James Hill [mailto:hill.ja...@gmail.com]
Sent: Friday, January 14, 2011 2:57 PM
To: NT System Admin Issues
Subject: Re: So...our data centre is under water

Thanks Michael. Great advice as always from you.

We already have R2 servers, so no schema changes are necessary.
On Sat, Jan 15, 2011 at 7:44 AM, Michael B. Smith <mich...@smithcons.com> wrote:
Yes.

But your first step is to seize the FSMO roles on an existing group catalog 
server, and then delete the old servers from AD.

See http://support.microsoft.com/kb/216498

Then you can build a new 2008 R2 server. You WILL have to extend the schema, 
but you don't have to update the forest or domain functional levels.

My thoughts are with you. Good luck!

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: James Hill [mailto:hill.ja...@gmail.com]
Sent: Friday, January 14, 2011 4:41 PM

To: NT System Admin Issues
Subject: Re: So...our data centre is under water

Thanks Jim.

I didn't want to change the domain level.  Wanted to leave it at 2008 but was 
wondering if the FSMO roles can be installed on a 2008R2 server with the domain 
level at 2008.
On Sat, Jan 15, 2011 at 7:38 AM, Jim Holmgren <jholmg...@xlhealth.com> wrote:
James,
My thoughts are with you as we are in the middle of implementing our DR plan.  
Given all that you have to deal with, I am not sure I would change your domain 
level at this point.

If you need help - I do have a valid US passport and relatives in Oz. :)

Jim


Jim Holmgren
Senior Manager, Infrastructure Services
XLHealth Corporation
The Warehouse at Camden Yards
351 West Camden Street, Suite 100
Baltimore, MD 21201
410.625.2200 (main)
443.524.8573 (direct)
443-506.2400 (cell)
www.xlhealth.com



From: James Hill [mailto:hill.ja...@gmail.com]
Sent: Friday, January 14, 2011 4:36 PM
To: NT System Admin Issues
Subject: So...our data centre is under water

If you've seen the news you may have heard that we've had some very serious 
flooding here in Brisbane, Australia. As a result we lost our data centre; it 
ended up being completely under water. We managed to save some components 
thanks to some knee-high walking in water before it got too high. A very 
critical server was later rescued thanks to a boat and some roof removal. 
Walking into your Data Centre in knee-high water is somewhat depressing. 
Seeing the lights on equipment that is higher in the racks (and dry) still being 
powered by the UPS in a dark room filling up with water is well...uncomforting.

We are now in hectic DR mode and are restoring services as quickly as possible. 
Unfortunately we didn't have a DR location (planning was under way but nothing 
was in place) and so a lot of the restore means retrieving data from tapes and 
building servers from scratch.

I'm in new territory here and so I'm hoping the list can help me out with some 
questions that I know will arise as I work through this mess.

We have secured space in a nice and dry Data Centre and have organised WAN and 
Internet connectivity (although it's not fired up yet), some rack space, and 
have rented VMs and disk space.

We have a 2008 level domain with a mix of 2008 and 2008 R2 DCs. The two DCs 
we lost were running 2008 and held the FSMO roles. We have C: drive and system 
state backups of these. We have a number of other DCs out in our stores that 
are high and dry. What I would like to do is:

Create a new DC in the new Data Centre with a new name but running 2008 R2 (take 
the opportunity to upgrade it).
Give it the FSMO roles (is this possible considering the domain level is at 
2008 but the server would be 2008 R2)?
Clear out the two lost DCs from AD entirely.

Thoughts, suggestions and messages of sympathy are all welcome.

James.


RE: So...our data centre is under water

2011-01-14 Thread Coleman, Hunter
If you don't have any R2 domain controllers, and you haven't otherwise run 
adprep /forestprep, then you will be looking at necessary schema changes.

In general, I'd say that a disaster recovery is not the time to be making 
infrastructure changes like this. You have enough work ahead of you as it is, 
so why complicate things further?

From: James Hill [mailto:hill.ja...@gmail.com]
Sent: Friday, January 14, 2011 2:57 PM
To: NT System Admin Issues
Subject: Re: So...our data centre is under water

Thanks Michael. Great advice as always from you.

We already have R2 servers, so no schema changes are necessary.
On Sat, Jan 15, 2011 at 7:44 AM, Michael B. Smith <mich...@smithcons.com> wrote:
Yes.

But your first step is to seize the FSMO roles on an existing group catalog 
server, and then delete the old servers from AD.

See http://support.microsoft.com/kb/216498

Then you can build a new 2008 R2 server. You WILL have to extend the schema, 
but you don't have to update the forest or domain functional levels.

My thoughts are with you. Good luck!

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: James Hill [mailto:hill.ja...@gmail.com]
Sent: Friday, January 14, 2011 4:41 PM

To: NT System Admin Issues
Subject: Re: So...our data centre is under water

Thanks Jim.

I didn't want to change the domain level.  Wanted to leave it at 2008 but was 
wondering if the FSMO roles can be installed on a 2008R2 server with the domain 
level at 2008.
On Sat, Jan 15, 2011 at 7:38 AM, Jim Holmgren <jholmg...@xlhealth.com> wrote:
James,
My thoughts are with you as we are in the middle of implementing our DR plan.  
Given all that you have to deal with, I am not sure I would change your domain 
level at this point.

If you need help - I do have a valid US passport and relatives in Oz. :)

Jim


Jim Holmgren
Senior Manager, Infrastructure Services
XLHealth Corporation
The Warehouse at Camden Yards
351 West Camden Street, Suite 100
Baltimore, MD 21201
410.625.2200 (main)
443.524.8573 (direct)
443-506.2400 (cell)
www.xlhealth.com



From: James Hill [mailto:hill.ja...@gmail.com]
Sent: Friday, January 14, 2011 4:36 PM
To: NT System Admin Issues
Subject: So...our data centre is under water

If you've seen the news you may have heard that we've had some very serious 
flooding here in Brisbane, Australia. As a result we lost our data centre; it 
ended up being completely under water. We managed to save some components 
thanks to some knee-high walking in water before it got too high. A very 
critical server was later rescued thanks to a boat and some roof removal. 
Walking into your Data Centre in knee-high water is somewhat depressing. 
Seeing the lights on equipment that is higher in the racks (and dry) still being 
powered by the UPS in a dark room filling up with water is well...uncomforting.

We are now in hectic DR mode and are restoring services as quickly as possible. 
Unfortunately we didn't have a DR location (planning was under way but nothing 
was in place) and so a lot of the restore means retrieving data from tapes and 
building servers from scratch.

I'm in new territory here and so I'm hoping the list can help me out with some 
questions that I know will arise as I work through this mess.

We have secured space in a nice and dry Data Centre and have organised WAN and 
Internet connectivity (although it's not fired up yet), some rack space, and 
have rented VMs and disk space.

We have a 2008 level domain with a mix of 2008 and 2008 R2 DCs. The two DCs 
we lost were running 2008 and held the FSMO roles. We have C: drive and system 
state backups of these. We have a number of other DCs out in our stores that 
are high and dry. What I would like to do is:

Create a new DC in the new Data Centre with a new name but running 2008 R2 (take 
the opportunity to upgrade it).
Give it the FSMO roles (is this possible considering the domain level is at 
2008 but the server would be 2008 R2)?
Clear out the two lost DCs from AD entirely.

Thoughts, suggestions and messages of sympathy are all welcome.

James.


RE: RSAT tools question

2011-01-07 Thread Coleman, Hunter
You won't need to do anything beyond loading the RSAT tools on the user's 
workstation. By default, users have read access to most everything in the 
directory.

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Friday, January 07, 2011 10:49 AM
To: NT System Admin Issues
Subject: RSAT tools question

I need to set up a domain user to be able to read ADUC. They won't have 
permissions to change anything, but they need to be able to browse, look at 
certain groups, and get memberships of those groups.

Sadly, I've never had to do this before; the only people who have ever had 
access were Domain Admins, so I need some help in setting this up.


Thanks,

Joe






RE: LDIFDE brain cramp

2010-12-17 Thread Coleman, Hunter
You may need to surround your text file name with parentheses: '...in 
(phoneupdate2.csv) do admod.exe...'

Also, open your text file in notepad or something similar and see if the fields 
are surrounded by quotes; if so, get rid of the quotes.

From: David Lum [mailto:david@nwea.org]
Sent: Friday, December 17, 2010 1:00 PM
To: NT System Admin Issues
Subject: RE: LDIFDE brain cramp

Thanks!


1. I always dump to Notepad first - removes the funny stuff - and once I 
get a command to work I save the Notepad document for later use and reference. 
I then cut and paste from Notepad to the command line.

2. Yes, I created a 2nd text file with just 2 accounts. In addition, I am 
testing it on a cloned DC VM so I cannot affect production.

Command run: for /f "tokens=1,2,3 delims=;" %1 in phoneupdate2.csv do admod.exe 
-b "%1" "telephoneNumber::%2" "otherTelephone::%3"

Result: "1 was unexpected at this time"

Text file content was in the format you listed, without my obfuscation: 
semicolons delimiting each record.

From: Coleman, Hunter [mailto:hcole...@mt.gov]
Sent: Friday, December 17, 2010 11:21 AM
To: NT System Admin Issues
Subject: RE: LDIFDE brain cramp

2 other things:

- You'll need to retype the command rather than copy/paste. Outlook tends to 
wreck the "-" character and convert it to an em dash, which hoses the command 
line.
- Test it on one or two accounts before doing it on all of them.

From: David Lum [mailto:david@nwea.org]
Sent: Friday, December 17, 2010 12:11 PM
To: NT System Admin Issues
Subject: RE: LDIFDE brain cramp

OH? I can change my formatting to match that format easily. Does the admod 
command you posted need any changes other than the correct filename to work as is?

From: Coleman, Hunter [mailto:hcole...@mt.gov]
Sent: Friday, December 17, 2010 10:58 AM
To: NT System Admin Issues
Subject: RE: LDIFDE brain cramp

If you have a text file that has your desired information in a format like
cn=David Lum,ou=Users,dc=domain,dc=nwea,dc=pvt;503-548-5229;5229

then you can run something like
for /f "tokens=1,2,3 delims=;" %1 in (yourFile.txt) do admod.exe -b "%1" 
"telephoneNumber::%2" "otherTelephone::%3"

From: David Lum [mailto:david@nwea.org]
Sent: Friday, December 17, 2010 11:39 AM
To: NT System Admin Issues
Subject: LDIFDE brain cramp

So I need to change 295 phone numbers in AD, and I could have SWORN I've done 
similar without too much headache, but it looks like taking an LDIFDE export 
and making it a "modify" is far more involved than an add.

Sample exported record:
dn: CN=David Lum,OU=Users,DC=Domain,DC=nwea,DC=pvt
changetype: add
telephoneNumber: 4311
otherTelephone: 971-222-1025

I need it to change to:
dn: CN=David Lum,OU=Users,DC=Domain,DC=nwea,DC=pvt
changetype: modify
replace: telephoneNumber
telephoneNumber: 503-548-5229
-
replace: otherTelephone
otherTelephone: 5229
-

I usually use Excel to handle repositioning/matching magic, but can't figure 
this one out and there has to be a better way.

Anyone?
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764



RE: LDIFDE brain cramp

2010-12-17 Thread Coleman, Hunter
2 other things:

- You'll need to retype the command rather than copy/paste. Outlook tends to 
wreck the "-" character and convert it to an em dash, which hoses the command 
line.
- Test it on one or two accounts before doing it on all of them.

From: David Lum [mailto:david@nwea.org]
Sent: Friday, December 17, 2010 12:11 PM
To: NT System Admin Issues
Subject: RE: LDIFDE brain cramp

OH? I can change my formatting to match that format easily. Does the admod 
command you posted need any changes other than the correct filename to work as is?

From: Coleman, Hunter [mailto:hcole...@mt.gov]
Sent: Friday, December 17, 2010 10:58 AM
To: NT System Admin Issues
Subject: RE: LDIFDE brain cramp

If you have a text file that has your desired information in a format like
cn=David Lum,ou=Users,dc=domain,dc=nwea,dc=pvt;503-548-5229;5229

then you can run something like
for /f "tokens=1,2,3 delims=;" %1 in (yourFile.txt) do admod.exe -b "%1" 
"telephoneNumber::%2" "otherTelephone::%3"

From: David Lum [mailto:david@nwea.org]
Sent: Friday, December 17, 2010 11:39 AM
To: NT System Admin Issues
Subject: LDIFDE brain cramp

So I need to change 295 phone numbers in AD, and I could have SWORN I've done 
similar without too much headache, but it looks like taking an LDIFDE export 
and making it a "modify" is far more involved than an add.

Sample exported record:
dn: CN=David Lum,OU=Users,DC=Domain,DC=nwea,DC=pvt
changetype: add
telephoneNumber: 4311
otherTelephone: 971-222-1025

I need it to change to:
dn: CN=David Lum,OU=Users,DC=Domain,DC=nwea,DC=pvt
changetype: modify
replace: telephoneNumber
telephoneNumber: 503-548-5229
-
replace: otherTelephone
otherTelephone: 5229
-

I usually use Excel to handle repositioning/matching magic, but can't figure 
this one out and there has to be a better way.

Anyone?
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764



RE: LDIFDE brain cramp

2010-12-17 Thread Coleman, Hunter
You shouldn't need to make any changes, assuming that admod.exe is in the same 
folder as your text file, or you specify the full path to the text file.

From: David Lum [mailto:david@nwea.org]
Sent: Friday, December 17, 2010 12:11 PM
To: NT System Admin Issues
Subject: RE: LDIFDE brain cramp

OH? I can change my formatting to match that format easily. Does the admod 
command you posted need any changes other than the correct filename to work as is?

From: Coleman, Hunter [mailto:hcole...@mt.gov]
Sent: Friday, December 17, 2010 10:58 AM
To: NT System Admin Issues
Subject: RE: LDIFDE brain cramp

If you have a text file that has your desired information in a format like
cn=David Lum,ou=Users,dc=domain,dc=nwea,dc=pvt;503-548-5229;5229

then you can run something like
for /f "tokens=1,2,3 delims=;" %1 in (yourFile.txt) do admod.exe -b "%1" 
"telephoneNumber::%2" "otherTelephone::%3"

From: David Lum [mailto:david@nwea.org]
Sent: Friday, December 17, 2010 11:39 AM
To: NT System Admin Issues
Subject: LDIFDE brain cramp

So I need to change 295 phone numbers in AD, and I could have SWORN I've done 
similar without too much headache, but it looks like taking an LDIFDE export 
and making it a "modify" is far more involved than an add.

Sample exported record:
dn: CN=David Lum,OU=Users,DC=Domain,DC=nwea,DC=pvt
changetype: add
telephoneNumber: 4311
otherTelephone: 971-222-1025

I need it to change to:
dn: CN=David Lum,OU=Users,DC=Domain,DC=nwea,DC=pvt
changetype: modify
replace: telephoneNumber
telephoneNumber: 503-548-5229
-
replace: otherTelephone
otherTelephone: 5229
-

I usually use Excel to handle repositioning/matching magic, but can't figure 
this one out and there has to be a better way.

Anyone?
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764



RE: LDIFDE brain cramp

2010-12-17 Thread Coleman, Hunter
If you have a text file that has your desired information in a format like
cn=David Lum,ou=Users,dc=domain,dc=nwea,dc=pvt;503-548-5229;5229

then you can run something like
for /f "tokens=1,2,3 delims=;" %1 in (yourFile.txt) do admod.exe -b "%1" 
"telephoneNumber::%2" "otherTelephone::%3"

From: David Lum [mailto:david@nwea.org]
Sent: Friday, December 17, 2010 11:39 AM
To: NT System Admin Issues
Subject: LDIFDE brain cramp

So I need to change 295 phone numbers in AD, and I could have SWORN I've done 
similar without too much headache, but it looks like taking an LDIFDE export 
and making it a "modify" is far more involved than an add.

Sample exported record:
dn: CN=David Lum,OU=Users,DC=Domain,DC=nwea,DC=pvt
changetype: add
telephoneNumber: 4311
otherTelephone: 971-222-1025

I need it to change to:
dn: CN=David Lum,OU=Users,DC=Domain,DC=nwea,DC=pvt
changetype: modify
replace: telephoneNumber
telephoneNumber: 503-548-5229
-
replace: otherTelephone
otherTelephone: 5229
-

I usually use Excel to handle repositioning/matching magic, but can't figure 
this one out and there has to be a better way.

Anyone?
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
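
One way to get from the LDIFDE "add" export to the "modify" file David wants, using the semicolon-delimited list (dn;telephoneNumber;otherTelephone) Hunter suggests as the source of the new values. This is an added Python example, not code posted in the thread: it parses the export, matches DNs case-insensitively, writes RFC 2849 replace operations (base64-encoding values where the format requires it) and reports any DN in the update list that is not in the export. The sample export and update list are constructed.

```python
"""LDIFDE export (changetype: add) + 'dn;telephoneNumber;otherTelephone' list
-> LDIF modify file. Added example for this thread, not code anyone posted in
it; the sample export and update list below are constructed."""
import base64
import re

ATTRS = ("telephoneNumber", "otherTelephone")   # columns 2 and 3 of the update file

def parse_export(text):
    """Parse LDIF into {dn: {attr: [values]}}: unfolds continuation lines (leading
    space), tolerates 'changetype :add' spacing and decodes base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current, dn = {}, None, None
    for line in lines + [""]:                     # sentinel flushes the last record
        if not line.strip():
            if dn is not None:
                records[dn] = current
            current, dn = None, None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.strip().lower() == "dn":
            dn, current = value, {}
        elif current is not None:
            current.setdefault(name.strip(), []).append(value)
    return records

def norm_dn(dn):
    """Comparison key: case-insensitive, no whitespace around unescaped commas."""
    return re.sub(r"\s*(?<!\\),\s*", ",", dn.strip()).lower()

def needs_base64(value):
    """RFC 2849: leading space/':'/'<', trailing space, or any non-ASCII or control
    character means the value must be written base64-encoded as 'attr:: ...'."""
    return bool(value) and (value[0] in " :<" or value.endswith(" ")
                            or any(ord(c) < 32 or ord(c) > 126 for c in value))

def attr_line(attr, value):
    if needs_base64(value):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"

def fold(line, width=76):
    """Wrap a long LDIF line; continuation lines start with a single space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out

def build_modify_ldif(export_text, update_text):
    """Return (ldif, missing): one 'changetype: modify' record per update row whose
    DN is in the export, plus the DNs that were not found, so a mistyped DN is
    reported rather than silently skipped. A ';' inside a DN would break this
    split, just as it would break the for /f loop in the thread."""
    export = {norm_dn(dn): dn for dn in parse_export(export_text)}
    out, missing = [], []
    for row in update_text.splitlines():
        if not row.strip():
            continue
        fields = [f.strip() for f in row.split(";")]
        if len(fields) != 1 + len(ATTRS):
            raise ValueError(f"expected dn;{';'.join(ATTRS)} but got {row!r}")
        key = norm_dn(fields[0])
        if key not in export:
            missing.append(fields[0])
            continue
        out.extend(fold(attr_line("dn", export[key])))
        out.append("changetype: modify")
        for attr, value in zip(ATTRS, fields[1:]):
            out.append(f"replace: {attr}")
            out.extend(fold(attr_line(attr, value)))
            out.append("-")                       # each mod-spec ends with a lone dash
        out.append("")                            # blank line terminates the record
    return "\n".join(out), missing

# Constructed sample input: the DN and numbers from the thread plus one unknown DN.
SAMPLE_EXPORT = """\
dn: CN=David Lum,OU=Users,DC=Domain,DC=nwea,DC=pvt
changetype :add
telephoneNumber: 4311
otherTelephone: 971-222-1025
"""
SAMPLE_UPDATES = """\
cn=David Lum,ou=Users,dc=domain,dc=nwea,dc=pvt;503-548-5229;5229
CN=Nobody Here,OU=Users,DC=Domain,DC=nwea,DC=pvt;503-555-0100;0100
"""

if __name__ == "__main__":
    ldif, missing = build_modify_ldif(SAMPLE_EXPORT, SAMPLE_UPDATES)
    print(ldif)                                   # import with: ldifde -i -f changes.ldf
    print("not in export:", missing)
```

Save the printed records to a file and import them with ldifde -i; the "not in export" list is the set of rows to check before any change reaches the directory.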



RE: DNS question

2010-11-17 Thread Coleman, Hunter
>> And perhaps I should not provide external DNS servers via DHCP; provide 
>> internal only, and have only ISP DNS servers on my servers that provide DNS 
>> services
Correct, this is what you want to do.

From: Tom Miller [mailto:tmil...@hnncsb.org]
Sent: Wednesday, November 17, 2010 9:19 AM
To: NT System Admin Issues
Subject: DNS question

Folks,

I have an AD system with mostly 2008 servers.  All DCs provide DNS services.  
DHCP provides internal servers first as DNS servers, then several of our ISP 
DNS servers are listed.  This has never been an issue until recently when staff 
have begun to  report internal addresses/names cannot be resolved, and they get 
a Cox (our ISP) page not found display in their browsers.  Also this only 
happens at some locations even though DHCP is similar at all WAN locations.

So I'm wondering why the clients are not using the first servers in the list 
(they are on-line, no issues).  And perhaps I should not provide external DNS 
servers via DHCP; provide internal only, and have only ISP DNS servers on my 
servers that provide DNS services.

It's been ages since I set this up so a best practices would be helpful if 
anyone has them.

Tom


Confidentiality Notice: This e-mail message, including attachments, is for the 
sole use of the intended recipient(s) and may contain confidential and 
privileged information. Any unauthorized review, use, disclosure, or 
distribution is prohibited. If you are not the intended recipient, please 
contact the sender by reply e-mail and destroy all copies of the original 
message.


RE: User last login info

2010-11-03 Thread Coleman, Hunter
If you're not attached to Powershell for this information, oldcmp.exe from 
joeware.net (http://www.joeware.net/freetools/tools/oldcmp/index.htm) is 
probably the quickest way to get it. You'll want to use the "-users" flag to 
focus on user accounts, instead of the default computer accounts.

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Tuesday, November 02, 2010 12:23 PM
To: NT System Admin Issues
Subject: User last login info

I have a Server 2003 DC, and a Server 2008 DC (not R2)


I've found some Powershell stuff that uses the AD module, but all I can find 
references R2.  Is there a way to get that module for 2008, not R2?  Or is 
there another way of getting the info I'm looking for easily?


What I'm trying to find is the last login time for a user, to find out if the 
account is needed anymore.  Doing it one-by-one would be fine, as that's how 
I'm doing the first step of this process.

I am a Powershell noob, but very willing, and desiring to learn more.


Thanks.






RE: BES install question

2010-09-15 Thread Coleman, Hunter
Yes, you can run it more than once to include different OUs. However, you 
shouldn't be using your domain admin accounts for regular user activity, like 
reading email. Set up alternate accounts that have the domain admin rights, and 
use them for nothing other than domain admin activities.

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, September 15, 2010 4:13 PM
To: NT System Admin Issues
Subject: RE: BES install question

Ok, so in our AD structure, all our normal users would be under one OU, and 
various sub-OUs.  But, our domain admin users are located in a different OU.  
Is it possible to run this command twice, to include the different OUs?  Or do 
I have to have all accounts under the one?

>>> Charlie Kaiser  9/15/2010 1:54 PM >>>
Actually, it's more the other way around; it's providing the BESAdmin
account with rights to send as users in the OU. For example, in section A:
you're adding an inherited perm to user accounts below the OU level. You're
allowing BESAdmin to send as any account in that OU. PS: You spelled
identity wrong (indentity).
Section B is providing the same rights but to a specific CN, so BESAdmin
could send as whatever account you specify in CN=.

So you'd want to set the OU in section A to the full DN of the OU where your
blackberry users reside. Let's hope it's a true OU and not a container for
various reasons. So let's say you had an OU named employees where all your
users reside and it's in yourdomain.local. Here's what you'd need:

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents
-ExtendedRights Send-As -User "BESAdmin" -Identity
"OU=employees,DC=yourdomain,DC=local"

The BESAdmin account needs that right to be able to do its job within the
mailboxes.

Hope that helps.

***
Charlie Kaiser
charl...@golden-eagle.org 
Kingman, AZ
***  


> -Original Message-
> From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
> Sent: Wednesday, September 15, 2010 1:34 PM
> To: NT System Admin Issues
> Subject: BES install question
> 
> Doing pre-installation tasks for BES and Exchange 2010.
> 
> I've created the BESAdmin mailbox, and I'm now configuring the Exchange 2010
> permissions.  It's asking me to type one of the following commands within
> the Exchange Management Shell.  I'm not sure what exactly the commands are
> trying to do, so I'm not sure how to fill in the blanks.  Can someone take a
> look and help me?
> 
> Do one of the following:
> 
> a)  To set the permissions at the organizational unit level, type
> Add-ADPermission -InheritedObjectType User - InheritanceType Descendents
> -ExtendedRights Send-As -User "BESAdmin" -Indentity
> "OU= unit>,DC=,DC=,DC=" where ,, and  form the name of the domain.
> 
> b) To set the permissions at the common name level, type Add-ADPermission
> -InheritedObjectType User - InheritanceType Descendents -ExtendedRights
> Send-As -User "BESAdmin" -Indentity "CN=,DC=,DC=,DC=" where ,, and  form
> the name of the domain.
> 
> 
> 
> If I'm correct, these commands set up who can Send As the BESAdmin account,
> correct?  The documentation doesn't explain it, and I need to know exactly,
> so I know what to put in as  or .
> 
> 
> Thanks,
> 
> Joe Heaton
> 
> 
> 


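An added example, not part of the thread or of RIM's documentation, that ties Charlie's and Hunter's points together: after you grant Send-As on the user OU, audit who actually holds that right there, and check that no protected admin accounts (adminCount=1) live under the same OU. Run it from the Exchange 2010 Management Shell, since Get-ADPermission is an Exchange cmdlet. The OU DN and service account name are the placeholder values from the thread.

```powershell
# Added example (not from the thread): audit Send-As on the OU delegated to
# BESAdmin and look for protected accounts living under it.
# Assumptions: run in the Exchange 2010 Management Shell; the OU DN and the
# service account below are the hypothetical values used in the thread.
$OU = 'OU=employees,DC=yourdomain,DC=local'
$ServiceAccount = 'BESAdmin'

# 1. Send-As entries set directly on the OU.  IsInherited -eq $false drops
#    rights that merely flow down from the domain root.
$sendAs = Get-ADPermission -Identity $OU |
    Where-Object { ($_.ExtendedRights -like '*Send-As*') -and (-not $_.IsInherited) }

"Send-As grants defined on $OU"
$sendAs | Select-Object User, InheritanceType, InheritedObjectType, Deny | Format-Table -AutoSize

# Any trustee other than the expected service account deserves a second look:
# whoever holds Send-As on an OU can send mail as every user beneath it.
$unexpected = $sendAs | Where-Object { ($_.User -notlike "*\$ServiceAccount") -and (-not $_.Deny) }
if ($unexpected) {
    Write-Warning ("Unexpected Send-As trustees: " + (($unexpected | ForEach-Object { [string]$_.User }) -join ', '))
}

# 2. Protected accounts under the OU.  AdminSDHolder re-stamps their ACLs
#    (inheritance disabled) roughly hourly, so an inherited OU-level Send-As
#    grant will not actually reach them; but, as Hunter says, admin accounts
#    belong in their own OU and should not be reading mail at all.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$OU"
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)(adminCount=1))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
$protected = $searcher.FindAll() | ForEach-Object { [string]$_.Properties['distinguishedname'][0] }
if ($protected) {
    Write-Warning "Protected (adminCount=1) accounts found under $OU; move them to a separate OU:"
    $protected
} else {
    "No protected accounts under $OU."
}
```

The first check is the one to re-run whenever someone re-applies the BES setup steps: the documented command is additive, so running it against a second OU, or with a different -User, simply adds another trustee, and nothing in the BES installer will tell you that happened.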



RE: Odd group name in AD

2010-08-10 Thread Coleman, Hunter
Object name conflict: http://technet.microsoft.com/en-us/library/cc535063.aspx
and
http://www.windowsitpro.com/article/john-savills-windows-faqs/i-have-objects-in-my-active-directory-ad-domain-that-have-cnf-in-their-name-followed-by-a-globally-unique-identifier-guid-what-are-these-objects-.aspx



-Original Message-
From: Mike Leone [mailto:oozerd...@gmail.com] 
Sent: Tuesday, August 10, 2010 9:11 AM
To: NT System Admin Issues
Subject: Odd group name in AD

As part of a Lotus upgrade project, the consultants have been making 
LDAP calls to AD, to look up users, and get the list of groups they 
belong to. And we've noticed a user with some groups that look like this:

"CN=Remote Control 
Operators\0ACNF:ea55fc7c-26e5-4d90-8203-a9ef411402f6,CN=Users,DC="

What's with the slash in the group name? I don't recognize this type of 
entry at all. How can I track it down?

Note that I don't see them on the "Member of" tab in AD U&C, but am 
seeing them in an LDAP lookup ...

 >dsget user "cn=The User Name,ou=..." -memberof -expand

"CN=Remote Control Operators,CN=Users,DC=..."
"CN=Remote Control 
Operators\0ACNF:ea55fc7c-26e5-4d90-8203-a9ef411402f6,CN=Users,DC=..."
"CN=Remote Control 
Operators\0ACNF:e1468d9f-9e7c-4e6c-ba84-4fa83bde3f05,CN=Users,DC=..."
"CN=Remote Control 
Operators\0ACNF:072ae809-02fc-45e1-979a-d431a46a8919,CN=Users,DC=..."
"CN=Remote Control 
Operators\0ACNF:017ec349-8a66-4e57-8737-5f42536c5937,CN=Users,DC=..."
"CN=Remote Control 
Operators\0ACNF:42b12dc8-c08e-47d8-9a0c-6eb681f81fc8,CN=Users,DC=..."

Can anyone shed any light on these types of entries? I've snipped out the 
rest of the groups, all of which look normal.

Thanks
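Added example, not from the thread or the linked articles: the `\0ACNF:` entries are replication-conflict objects, and tracking them down by hand with dsget is tedious. This script lists every conflict object in the current domain and, for each one, works out the DN of the object that won the conflict and whether it still exists, so you can compare the two before deleting the loser. It uses only the .NET DirectorySearcher, so it runs on the 2003-era DCs in the thread.

```powershell
# Added example (not from the thread): enumerate replication-conflict objects.
# A conflict object's name is "<original name>" + LF + "CNF:" + GUID.  In an
# LDAP filter the line feed is written with the hex escape \0A; in the DN
# string AD returns it is shown escaped as "\0A", which is what dsget printed.
$searcher = New-Object System.DirectoryServices.DirectorySearcher   # root = current domain
$searcher.Filter = '(name=*\0ACNF:*)'        # single quotes keep the backslash literal
$searcher.PageSize = 1000                    # page the results; there can be many
[void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'objectClass', 'whenCreated', 'whenChanged'))

$conflicts = foreach ($r in $searcher.FindAll()) {
    $dn = [string]$r.Properties['distinguishedname'][0]
    # Strip the LF/"\0A" + "CNF:<guid>" suffix to get the DN of the surviving
    # object (the one with the plain name).  Handles both the escaped and the
    # raw line-feed form.
    $winnerDn = $dn -replace '(\\0A|\n)CNF:[0-9a-fA-F-]{36}', ''
    $classes = @($r.Properties['objectclass'])
    New-Object PSObject -Property @{
        ObjectClass  = [string]$classes[$classes.Count - 1]   # most specific class is last
        ConflictDN   = $dn
        WinnerDN     = $winnerDn
        WinnerExists = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$winnerDn")
        WhenCreated  = $r.Properties['whencreated'][0]
        WhenChanged  = $r.Properties['whenchanged'][0]
    }
}

if (-not $conflicts) { "No CNF objects found."; return }
$conflicts | Sort-Object ObjectClass, WinnerDN |
    Format-Table ObjectClass, ConflictDN, WinnerExists, WhenCreated -AutoSize
```

For groups like the "Remote Control Operators" copies in Mike's output, diff the member lists of the winner and each CNF copy before removing the copies; a conflict object can carry members that were added on the other DC during the partition, and those memberships disappear with it. The whenCreated stamps cluster around the replication outage that caused the conflict, which is usually enough to explain where they came from.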




RE: Question about Splitting Active directory files on separate volumes

2010-08-10 Thread Coleman, Hunter
We're in that neighborhood for directory size/object count. We use:
C:\ -> OS and Transaction logs
D:\ ->Sysvol
E:\ ->ntds.dit

The politics of our shop dictate that lots of people have their hands in group 
policy, so we've had to deal with sysvol bloat. From a performance standpoint, 
it would be fine for us to dump everything on a single volume. Take your 
existing DCs and watch the physical disk perfmon counters for a couple of days. 
As long as your disk queue lengths aren't elevated, and the disk read times are 
staying low (~ <15ms), you should be OK using similar disk layouts on your new 
DCs. With x64 DCs, just make sure to put enough memory in them to cache the 
DIT. 4GB is probably the minimum to spec, but you might not need more than that 
depending on the DIT size.

From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Tuesday, August 10, 2010 6:55 AM
To: NT System Admin Issues
Subject: Question about Splitting Active directory files on separate volumes


Preface: Going from Windows 2003 R2 to Windows 2008 R2 domain (x64), new 
Domain Controllers are going to be virtual (ESX 4.x) all but one.

I saw the following article from the Active Directory team about best practices 
and recommendations

http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2007/02/09/active-directory-on-separate-volumes.aspx

I also saw the same recommendations in Miansi book, in splitting the 
sysvol/transaction Logs on separate Luns.

Basically

OS C:\

SYSVOL\NTDS.DIT ( D:\)

Transaction Logs: E:\

Is anyone else doing this out there for a forest of less than 20K in users, and 
probably less than 100K in objects?

Only issue I could see is usually we store additional virtual disks with the 
.VMX file which means they would be on the same SAN LUN, which would basically 
negate the benefit of splitting the IO and files on different disks in the 
virtual land.  On the physical server I could go with 3 RAID 1 arrays and put 
each section on that accordingly.

Thoughts?  I am interested in hearing what others are doing to increase the 
performance in their R2 AD environments.

Z

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505
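As an added example (not code from the thread), here is the measurement Hunter recommends, scripted: sample the PhysicalDisk counters on the existing DCs and flag any disk whose average read latency is above the 15 ms he quotes. Hunter gives no number for "elevated" queue length, so the `$MaxAvgQueueLength` default of 2 is an assumed rule of thumb, not his. Get-Counter needs PowerShell 2.0, so run it from a 2008 R2 box and point `-ComputerName` at the 2003 DCs.

```powershell
# Added example (not from the thread): sample PhysicalDisk counters on one or
# more DCs and report per-disk averages against simple thresholds.
# Assumptions: PowerShell 2.0 for Get-Counter; remote Performance Monitor
# access (Remote Registry / "Performance Monitor Users") on the target DCs.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$Samples = 60,                    # 60 x 5 s = 5 minutes; lengthen for a real baseline
    [int]$IntervalSeconds = 5,
    [double]$MaxAvgQueueLength = 2.0,      # assumed rule of thumb, not from the thread
    [double]$MaxAvgReadSeconds = 0.015     # 15 ms, the figure Hunter gives
)

$paths = '\PhysicalDisk(*)\Avg. Disk Queue Length',
         '\PhysicalDisk(*)\Avg. Disk sec/Read'

$data = Get-Counter -ComputerName $ComputerName -Counter $paths `
                    -SampleInterval $IntervalSeconds -MaxSamples $Samples

# Path includes machine and instance (\\dc1\physicaldisk(0 c:)\avg. disk sec/read),
# so grouping by it gives one row per disk per server.  Skip the _Total roll-up.
$data.CounterSamples |
    Where-Object { $_.InstanceName -ne '_total' } |
    Group-Object Path |
    ForEach-Object {
        $stats  = $_.Group | ForEach-Object { $_.CookedValue } | Measure-Object -Average -Maximum
        $isRead = $_.Name -like '*sec/read*'
        $limit  = if ($isRead) { $MaxAvgReadSeconds } else { $MaxAvgQueueLength }
        New-Object PSObject -Property @{
            Counter       = $_.Name
            Average       = [math]::Round($stats.Average, 4)
            Maximum       = [math]::Round($stats.Maximum, 4)
            Limit         = $limit
            OverThreshold = $stats.Average -gt $limit
        }
    } |
    Sort-Object OverThreshold, Counter -Descending |
    Format-Table Counter, Average, Maximum, Limit, OverThreshold -AutoSize
```

Run it during the busiest part of the day (logon storms, GPO refresh) rather than overnight; a DC that is idle at 2 AM tells you nothing about whether splitting ntds.dit and the logs onto separate LUNs will buy anything. If nothing crosses the read-latency line under load, Hunter's point stands: with enough RAM to cache the DIT, the disk layout is mostly a hygiene decision, not a performance one.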






RE: Cannot delete a PTR record, AD integrated DNS

2010-08-05 Thread Coleman, Hunter
The hotfix only prevents new PTR records from getting created with capital 
letters in the host name. Existing records with that affliction can only be 
deleted with dnscmd.exe, IIRC.

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Thursday, August 05, 2010 5:17 PM
To: NT System Admin Issues
Subject: RE: Cannot delete a PTR record, AD integrated DNS

The KB he linked should be rolled in to 2003 SP1 based on the date.

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132

From: Sean Martin [mailto:seanmarti...@gmail.com]
Sent: Thursday, August 05, 2010 6:05 PM
To: NT System Admin Issues
Subject: Re: Cannot delete a PTR record, AD integrated DNS

I think Hunter is on the right track. I seem to recall having to run through a 
similar process for a similar issue.

- Sean
On Thu, Aug 5, 2010 at 1:53 PM, Brian Desmond 
mailto:br...@briandesmond.com>> wrote:
So is the record on all your DCs or just one? Are you sure the reverse zone is 
replicating in the ForestDnsZones NDNC?

What I would suggest doing is turning on auditing for this subtree in AD and 
enabling DS Access auditing and then you can figure out what's causing it to 
get created.

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132
-Original Message-
From: mb [mailto:midphan12...@gmail.com]
Sent: Thursday, August 05, 2010 4:25 PM
To: NT System Admin Issues
Subject: Re: Cannot delete a PTR record, AD integrated DNS

There is no corresponding A record for this PTR record.  There is however a 
different machine at that IP with A & PTR records, and this ghost PTR record is 
causing a little bit of grief to the folks that manage this other system.
The A record that originally existed for this ghost PTR record, that's been 
gone a couple of years at least.

Was looking for zone files just on a hunch.  I do understand that being AD 
integrated, this is stored in AD, but in my original note I mentioned that I 
used ADSIEdit to look in ForestDNSZones, and this ghost PTR record does not 
exist there.  So it's somehow local to any domain controller (because it 
reappears faster than it could be replicating back), and it's not where it 
should be within the AD database.

I'm missing something.


--
From: "Brian Desmond" mailto:br...@briandesmond.com>>
Sent: Thursday, August 05, 2010 4:09 PM
To: "NT System Admin Issues" 
mailto:ntsysadmin@lyris.sunbelt-software.com>>
Subject: RE: Cannot delete a PTR record, AD integrated DNS

> There are no zone files there because your zones are stored in AD.
>
> What's the corresponding A record for this represent?
>
> Thanks,
> Brian Desmond
> br...@briandesmond.com
>
> c   - 312.731.3132
>
>
> -Original Message-
> From: mb [mailto:midphan12...@gmail.com]
> Sent: Thursday, August 05, 2010 4:07 PM
> To: NT System Admin Issues
> Subject: Re: Cannot delete a PTR record, AD integrated DNS
>
> This is interesting.
>
> Checked \system32\dns on a few of our domain controllers, I'm not
> finding any zone files with any data in them.  I haven't checked all
> the domain controllers.  One thing though - on any DC, if I delete
> this record and then immediately refresh the zone, that record is
> right there again, like it's coming from something local or I didn't
> actually delete the record (though I'm not seeing any kind of error dialogue).
>
> Checked properties on this record.  There's no timestamp, it's a
> static record.  I suppose that means it could never become stale -
> thought about trying the "Delete this record when it becomes stale"
> checkbox.  Just because I've tried everything I know that makes sense.
>
> I could interrupt DHCP if I do it late on a weekend night.  And it's
> worth a try.  But I just keep going back to the fact that this record
> reappears instantly, as fast as I can delete/refresh, that record is
> there, on any domain controller (all our DC's are running DNS).  So
> I'm thinking this isn't replicating from another DC or being
> dynamically created from a DHCP server.
>
>
> --
> From: "Ben Scott" mailto:mailvor...@gmail.com>>
> Sent: Thursday, August 05, 2010 2:00 PM
> To: "NT System Admin Issues" 
> mailto:ntsysadmin@lyris.sunbelt-software.com>>
> Subject: Re: Cannot delete a PTR record, AD integrated DNS
>
>> On Thu, Aug 5, 2010 at 2:38 PM, mb 
>> mailto:midphan12...@gmail.com>> wrote:
>>> I've tried through ADSIEdit,
>>> and interestingly, this record does not exist there.  It does show
>>> up in the DNS console as a 'static' record, but I'm at a loss where
>>> it's coming from.
>>
>>  Check %SystemRoot%\system32\dns\ for any files which might contain
>> the offending record.  Some vague notion deep in the dusty reaches of
>> the back of my mind says there's a thing where MS-DNS will
>> automatically load/merge records from (some of?) 

RE: Cannot delete a PTR record, AD integrated DNS

2010-08-05 Thread Coleman, Hunter
http://support.microsoft.com/kb/842127


-Original Message-
From: mb [mailto:midphan12...@gmail.com] 
Sent: Thursday, August 05, 2010 12:38 PM
To: NT System Admin Issues
Subject: Cannot delete a PTR record, AD integrated DNS

Details - have a PTR record I am unable to get rid of.  I can delete it, 
immediately refresh the zone, and there it is.  The machine name in the 
record is in all caps, which is unusual.  There is no corresponding forward 
record.  This machine has not existed for a long time, was a fax server long 
ago.

All our zones are propagated to all DNS servers in the AD forest.  I've 
tried connecting to several DC's at one time, enumerating that reverse zone, 
deleting the record on all of them.  No help.  I've tried through ADSIEdit, 
and interestingly, this record does not exist there.  It does show up in the 
DNS console as a 'static' record, but I'm at a loss where it's coming from. 
Looked in WINS, nothing there.

Anyone have an idea for me? 



RE: Cannot delete a PTR record, AD integrated DNS

2010-08-05 Thread Coleman, Hunter
This was a bug in the DNS MMC. Use dnscmd.exe to delete the record:
"dnscmd.exe  /recordDelete 10.in-addr.arpa 12.34.56 PTR"
Will delete 10.56.34.12 from the reverse zone. Adjust accordingly for your PTR 
record.

I'll see if I can find the KB article that documented the bug.

-Original Message-
From: mb [mailto:midphan12...@gmail.com] 
Sent: Thursday, August 05, 2010 12:38 PM
To: NT System Admin Issues
Subject: Cannot delete a PTR record, AD integrated DNS

Details - have a PTR record I am unable to get rid of.  I can delete it, 
immediately refresh the zone, and there it is.  The machine name in the 
record is in all caps, which is unusual.  There is no corresponding forward 
record.  This machine has not existed for a long time, was a fax server long 
ago.

All our zones are propagated to all DNS servers in the AD forest.  I've 
tried connecting to several DC's at one time, enumerating that reverse zone, 
deleting the record on all of them.  No help.  I've tried through ADSIEdit, 
and interestingly, this record does not exist there.  It does show up in the 
DNS console as a 'static' record, but I'm at a loss where it's coming from. 
Looked in WINS, nothing there.

Anyone have an idea for me? 
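An added wrapper (not from the thread) around the dnscmd.exe invocation Hunter gives: it turns a dotted IP into the reverse zone and node name dnscmd wants, lists what is at that node first, and only deletes when asked. The `-ZoneOctets` parameter is my addition, to cover reverse zones at /8, /16 or /24 granularity; the default of 1 matches the `10.in-addr.arpa` zone in Hunter's example.

```powershell
# Added example (not from the thread): verify-then-delete a PTR record with
# dnscmd.exe, which Hunter notes works where the DNS MMC did not.
# Assumptions: dnscmd.exe is on the path (DNS server or RSAT tools) and the
# caller is a DNS admin on the target server.  -ZoneOctets is a hypothetical
# parameter: how many leading octets of the address the reverse zone covers.
param(
    [Parameter(Mandatory = $true)][string]$IPAddress,   # e.g. 10.56.34.12
    [string]$DnsServer = 'localhost',
    [ValidateRange(1, 3)][int]$ZoneOctets = 1,
    [switch]$Delete
)

$octets = $IPAddress.Split('.')
if ($octets.Count -ne 4 -or ($octets | Where-Object { $_ -notmatch '^\d{1,3}$' })) {
    throw "Expected a dotted IPv4 address, got '$IPAddress'"
}
[array]::Reverse($octets)           # 10.56.34.12 -> 12,34,56,10

# ZoneOctets=1: zone 10.in-addr.arpa, node 12.34.56   (Hunter's example)
# ZoneOctets=3: zone 34.56.10.in-addr.arpa, node 12
$zone = ($octets[(4 - $ZoneOctets)..3] -join '.') + '.in-addr.arpa'
$node = $octets[0..(3 - $ZoneOctets)] -join '.'

"Zone: $zone   Node: $node   Server: $DnsServer"
"--- PTR records currently at this node ---"
& dnscmd.exe $DnsServer /EnumRecords $zone $node /Type PTR

if ($Delete) {
    # No RRData argument, as in Hunter's command, so every PTR at the node
    # goes; there is normally exactly one.  /f suppresses the confirm prompt.
    & dnscmd.exe $DnsServer /RecordDelete $zone $node PTR /f
    "--- After delete ---"
    & dnscmd.exe $DnsServer /EnumRecords $zone $node /Type PTR
}
```

Run it once without `-Delete` to confirm the zone/node pair resolves to the record you mean (the upper-case host name from the original post should show up in the enumeration), then again with `-Delete`. Since the zone is AD-integrated, give replication a few minutes and re-run the enumeration against a second DC before declaring victory; the MMC refresh in the original post was never the problem, the delete was.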



RE: Exchange 5.5 and Key Management Server

2001-09-25 Thread Coleman, Hunter
Did you try "password"?

Hunter

-Original Message-
From: Rocky Stefano [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 1:08 PM
To: NT System Admin Issues
Subject: RE: Exchange 5.5 and Key Management Server

Nothing other than the fact that I just installed it on a fresh server 
and I can't figure out the password for the kms management console.

-Original Message-
From: Michael Plotsker [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Plotsker (E-mail 3)
Sent: September 25, 2001 9:47 AM
To: NT System Admin Issues
Subject: Exchange 5.5 and Key Management Server

any issues regarding using KMS?

-- 
Michael D. Plotsker 
Technology Consultant 
KJ Technology Consulting, Inc. 
T. 718-575-1595 C. 917-406-4215 F. 212-202-5013 [EMAIL PROTECTED]

Want to unsub? Do that here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english





RE: SirCam Virus Problem Exchange Server

2001-09-24 Thread Coleman, Hunter

On your Exchange server, go to the IMC properties, Connections tab, Message
Filtering. Enter in the offending home.com address and then restart your
IMC. You can check on the box to have the messages automatically deleted
instead of accumulating in the TurfDir on the server.

Hunter

-Original Message-
From: Murray Freeman [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 9:22 AM
To: NT System Admin Issues
Subject: SirCam Virus Problem Exchange Server


Our webmaster seems to have found a "friend" who apparently doesn't know she
has the SirCam virus. We're being sent hundreds of emails from this one
account to our webmaster. We've set up a rule to forward all these emails to
our webmaster's delete folder, but apparently that's creating problems as
well. Our webmaster doesn't want us to shut down that alias, so does anyone
have any other ideas to somehow eliminate the problem? All the email is
coming from an address at HOME.COM.

Murray

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm