RE: [ActiveDir] AD Protected groups

2004-02-13 Thread Thommes, Michael M.
Hi Joe, I've seen your DC numbers in the past (~400) and wonder how just two guys can keep all that hardware going!? While we have many fewer DCs and servers (dozens), the two of us that work on them seem to have our hands full. 'Course we're also involved with other things besides

RE: [ActiveDir] MS04-004

2004-02-13 Thread Roger Seielstad
Let me ask you this - are they accessing OWA over an SSL connection? Not that it matters - since you're encapsulating the username and password as part of the URL, it's not secure. IIRC, the URL is NEVER encrypted via SSL. So, you're passing username and password in clear text.

RE: [ActiveDir] MS04-004

2004-02-13 Thread Roger Seielstad
You should be able to rewrite the button to post their username and password rather than URL encapsulate that data. I know one of our cross-system apps does that. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis

RE: [ActiveDir] MS04-004

2004-02-13 Thread Salandra, Justin A.
We realize that; however, with Exchange 5.5 there is really no other way that we are aware of until we migrate to Exchange 2003, which is getting under way. -Original Message- From: Roger Seielstad [mailto:[EMAIL PROTECTED] Sent: Friday, February 13, 2004 8:12 AM To: '[EMAIL

[ActiveDir] Windows 2000 SP 4

2004-02-13 Thread Salandra, Justin A.
I still have yet to install SP4. Wanted to wait to see what everyone's experiences were with it first. Does everyone feel pretty comfortable with SP4? I heard something like SP 5 was out but haven't seen anything on it. Justin A. Salandra, MCSE Senior Network Engineer Catholic Healthcare System

RE: [ActiveDir] Windows 2000 SP 4

2004-02-13 Thread Myrick, Todd (NIH/CIT)
SP 4 is pretty stable; there is one post SP4 hot fixes that should be applied to AD DC's specifically. (KB828297) (Updates LSASS and components related to it.) http://itc.uncc.edu/steve/weblog/archives/001757.html Here is a weblog post that is a pretty good synthesis. KB Article 828297:

RE: [ActiveDir] Windows 2000 SP 4

2004-02-13 Thread Salandra, Justin A.
Thanks -Original Message- From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] Sent: Friday, February 13, 2004 9:31 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 2000 SP 4 SP 4 is pretty stable; there is one post SP4 hot fixes that should be applied to AD

RE: [ActiveDir] Suppress reboot of windows update???

2004-02-13 Thread Roger Seielstad
http://www.susserver.com/FAQs/FAQ-AutoUpdateSettings.asp The setting you want is called NoAutoRebootWithLoggedOnUsers -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

RE: [ActiveDir] Event 13562 errors on FRS

2004-02-13 Thread Mulnick, Al
Best practice is to start with ensuring that name resolution is sound. Netdiag, dcdiag, dnslint are several tools that might be helpful for this. Also, here's a reference link to some other folks that had similar: http://www.eventid.net/display.asp?eventid=6702eventno=294 Can you post the

[ActiveDir] DCPromo

2004-02-13 Thread Guy Teverovsky
Yesterday, while dcpromoing a machine (which was already domain member), I have noticed that while the LDAP session was initiated against PDCE in site A, the computer account move to Domain Controllers OU was performed on a DC in site B. Although after the replication everything was nice and

RE: [ActiveDir] Event 13562 errors on FRS

2004-02-13 Thread Bruce Clingaman
My domain is not connected to the Internet, I think dnslint will not work. Attached is dcdiag and netdiag in diag.txt I am still getting FRS 13570 once a day. I can connect to Event Viewer remotely from other DCs. All machines have DNS entries. Thanks From: [EMAIL PROTECTED]

[ActiveDir] MS04-007 checking

2004-02-13 Thread rmcdonald
Does anyone know of a tool to make sure that all the users have this patch applied? I know Microsoft had something for the Blaster and was wondering if anyone has anything that would check to make sure this patch has been applied? Thanks again Ryan McDonald

RE: [ActiveDir] MS04-007 checking

2004-02-13 Thread William Lefkovics
The Microsoft Baseline Security Analyzer should be able to check for this. http://www.microsoft.com/technet/treeview/default.asp?url= Or a third party vulnerability assessment tool, such as Retina from www.eeye.com (the folks that discovered MS04-007). William Lefkovics eEye Digital

RE: [ActiveDir] MS04-007 checking

2004-02-13 Thread Charlie Kaiser
HFNetChk. The MS hotfix tool. It's now the MBSA or something like that. I like the command line version, but I also use HFNetChkPro from Shavlik. It's OK, but the MS version is quick and easy to use. You can scan your whole domain with it pretty quickly. Available from MS...

RE: [ActiveDir] MS04-007 checking

2004-02-13 Thread Rimmerman, Russ
Might check with Retina (www.eeye.com). We're using Patchlink to not only detect, but patch and deploy software as well. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, February 13, 2004 11:06 AM To: [EMAIL

[ActiveDir] W2K not authenticated by NT4 BDC when DC is down.

2004-02-13 Thread Niklas Wikander
I'm preparing an upgrade of a NT domain to a W2k domain. The scenario: I have one NT PDC and one NT BDC in my domain TEST. In the TEST domain I have one W2kclient. Everything works great. I upgrade the PDC to W2k DC and with the upgrade I also install DNS on the DC and name the domain

RE: [ActiveDir] Domain Naming Server FSOM

2004-02-13 Thread Bernard, Aric
It is possible that your member server on boot utilized the DNM DC as its authentication server. When you try and logon as a user by default you will attempt to authenticate to the same DC as the machine authenticated to assuming of course the user and computer object are members of the same

RE: [ActiveDir] Domain Naming Server FSOM

2004-02-13 Thread Salandra, Justin A.
The lag is only about 3 or 4 minutes. I have not tested workstations since there are none in that AD Site. -Original Message- From: Bernard, Aric [mailto:[EMAIL PROTECTED] Sent: Friday, February 13, 2004 1:19 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Domain Naming

RE: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.

2004-02-13 Thread Coleman, Hunter
Niklas- See if this helps: http://support.microsoft.com/default.aspx?scid=kb;EN-US;298713 Hunter -Original Message- From: Niklas Wikander [mailto:[EMAIL PROTECTED] Sent: Friday, February 13, 2004 11:11 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] W2K not authenticated by NT4 BDC when

RE: [ActiveDir] Event 13562 errors on FRS

2004-02-13 Thread Mulnick, Al
Are your SYSVOL directories properly shared out? Can one of the DC's connect to the other SYSVOL properly (check to see if they are shared out properly and that you can browse to it from the opposite DC; both directions would be good). Have you restarted the FRS service to see if that has

RE: [ActiveDir] Event 13562 errors on FRS

2004-02-13 Thread Rich Milburn
Try repadmin /showrepl and dcdiag /test:replications. We had an issue recently that sounds a little different from yours, but we had to use netdom to resync one of the DCs' machine passwords. Replication was failing with Access Denied and User does not have the requested logon type errors

SV: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.

2004-02-13 Thread Niklas Wikander
Hunter, That was a good article but didn't help me in my case. My problem is that the computer account is missing in server manager when the DC is down, and therefore the W2kclient cannot login. Thanks anyway -Original Message- From: Coleman, Hunter

RE: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.

2004-02-13 Thread Charlie Kaiser
Check DNS to see if the SRV records for the BDC are available; also verify that the BDC is properly registered in WINS if you have WINS running. Sounds like only the W2K DC is registered in DNS maybe? You should be able to do a NSLOOKUP on the domain name and resolve all the

[ActiveDir] Extend schema to include eduperson?

2004-02-13 Thread Wehner, Paul (wehnerpl)
Anyone have any experience extending the Win2003 schema to be compliant with the eduperson schema? I'm having trouble trying to import the ldif file. Any hints, sites, whitepapers out there I've missed? (1) thanks, Paul Wehner Systems Engineer/Mail Administrator University of Cincinnati 51

RE: [ActiveDir] Windows 2000 SP 4

2004-02-13 Thread Santhosh Sivarajan
I had a bad experience with SP4. Here is KB article. Good luck! http://support.microsoft.com/default.aspx?scid=kb;en-us;827531 Santhosh -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Friday, February 13, 2004 8:12 AM To:

SV: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.

2004-02-13 Thread Niklas Wikander
In my case the DNS is not available because the DC is down. WINS is installed on the BDC and it is registered. -Original Message- From: Charlie Kaiser [mailto:[EMAIL PROTECTED] Sent: Fri 2004-02-13 20:34 To: '[EMAIL PROTECTED]'

RE: [ActiveDir] Event 13562 errors on FRS

2004-02-13 Thread Bruce Clingaman
I can browse to other sysvol from all DCs. Replication is working on Netlogon, I dropped a file and it appeared immediately on the other DCs. Restarting FRS seemed to have no effect. Replmon gave no FRS errors. Thanks Al. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

RE: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.

2004-02-13 Thread Santhosh Sivarajan
Sounds like a DNS issue. What is your DNS config on workstation, PDC and BDC? Santhosh -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Niklas Wikander Sent: Friday, February 13, 2004 12:11 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] W2K not

SV: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.

2004-02-13 Thread Niklas Wikander
The DC, BDC and W2kclient all point to the DNS on the DC. -Original Message- From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED] Sent: Fri 2004-02-13 22:00 To: [EMAIL PROTECTED] Cc: Subject: RE: [ActiveDir] W2K not

RE: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.

2004-02-13 Thread Charlie Kaiser
I think you're going to need working DNS in order to contact a DC in an AD domain. Maybe configure the BDC as a DNS server for the DNS domain. If the DNS domain is AD-integrated, I think you can set up an NT DNS box as a secondary to that AD-integrated zone. I haven't had to

RE: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.

2004-02-13 Thread Santhosh Sivarajan
Yep. You need a DNS server and you can configure an NT box as a secondary. Configure a secondary DNS zone on the BDC and try again! From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Friday, February 13, 2004 4:04 PM To: '[EMAIL

RE: [ActiveDir] Another scripting question - long

2004-02-13 Thread Charlie Kaiser
I've solved the problem with the script that wouldn't run on XP, after exhaustive searches and trying all sorts of things with the script. I tried reinstalling WSH 5.6 with no success. I then reinstalled MDAC 2.8, and that fixed it! Now I can get back to getting this script to go out and talk to

Re: [ActiveDir] DCPromo

2004-02-13 Thread rrutherford
I'm sure a Dcpromo will always hook back to the PDCE... that should be normal. I'm not really sure what you want to find out; please elaborate. Rob Guy Teverovsky

RE: [ActiveDir] W2K not authenticated by NT4 BDC when DC is down.

2004-02-13 Thread joe
It has been several years since I have played with NT and 2K DCs side by side but I seem to recall that once a W2K client finds a W2K Server it won't go back and use an NT4 server. I.E. No failback. That may not be the case anymore with the various SP's as my experiences were SP0 but worth

RE: [ActiveDir] MS04-007 checking

2004-02-13 Thread joe
If you want to anonymously scan I would check the eeye site, they probably have something. Additionally you could write a script to loop through doing srvinfo's against the machines and pull the info out. If you don't mind using admin rights, you could write a script that went through

RE: [ActiveDir] Mixed Exchange and Mixed AD Modes

2004-02-13 Thread joe
People were scared of change. Change should cause concern but only enough to make sure the change is done correctly. Some people take it a bit far and use it as an excuse to never move forward. We have a ton of people in our company who feel we never should have come down out

RE: [ActiveDir] Extend schema to include eduperson?

2004-02-13 Thread joe
Never even heard of it but if you post the errors here possibly someone can give some suggestions. For AD specific LDAP scripting I would recommend Robbie Allen's book - AD Cookbook. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wehner,

RE: [ActiveDir] DCPromo

2004-02-13 Thread joe
What site was the machine that was being promoted to in? I would expect it was in site B. The change should be done on the machine that it did its initial replication with. How do you know that it did that replication with the PDC? Is this info from the dcpromo log? joe -Original

[ActiveDir] DFS issue?

2004-02-13 Thread Rimmerman, Russ
I'm having a problem with some INI files located in users' terminal server home directories, which are stored on a DFS share, not unlocking when the users log off my Citrix servers. Has anyone seen anything like this? The next time the user logs on, their INI file is still locked open, and their

[ActiveDir] NTP

2004-02-13 Thread Rimmerman, Russ
What's everyone syncing all their clocks up with? Do Win2k AD domain controllers automatically respond to SNTP requests? We are currently running a firewall that acts as a NTP server for all our internal PCs (Symantec Enterprise FW) and we're looking at switching to a NetScreen firewall which

RE: [ActiveDir] AD Protected groups

2004-02-13 Thread joe
The team is three people + a manager. I am one of the three people but I never get to work on stuff anymore, I am constantly being dragged into meetings to point out things that aren't right so people can get mad at me for pointing out the things that aren't right. I am also the shield for the

RE: [ActiveDir] Delegating Access to the AD Deleted Items container...

2004-02-13 Thread joe
I spoke with MS Alliance PSS about this exact issue with the ADC... This is possible in W2K, however it is completely unsupported and the directions I saw were painful and I said, NFW. The min permissions required are Admin, not domain admin with this. "Allegedly" MS said

RE: [ActiveDir] NTP

2004-02-13 Thread Rick Kingslan
Russ, I point two of our corp level Linux DNS boxes to tick.usno.navy.mil and tock.usno.navy.mil and create a quorum with these. The PDCE is then pointed to the DNS servers. Our other Windows 2kX DCs will synch off of the PDCE. Repeat for each domain. When you ask if a Win2k DC will respond to

RE: [ActiveDir] AD Protected groups

2004-02-13 Thread joe
I have gotten A LOT of offline responses to this post. I am concerned at the responses however... I am getting several responses of "well you were allowed to set it up right" or "your management is helping you" etc... Folks, management isn't helping with much at

RE: [ActiveDir] NTP

2004-02-13 Thread joe
Hey Rick's back in town... :o) I will add to his response. Hard set the Forest Root DCs that have the most likely chance of being the PDCs plus obviously the current Root PDC to some reliable source, in Rick's case the DNS Servers. Some people will use core routers. Next clear the SNTP address

RE: [ActiveDir] NTP

2004-02-13 Thread Free, Bob
Rimmerman, Russ mailto:[EMAIL PROTECTED] wrote: What's everyone syncing all their clocks up with? We have our own enterprise NTP servers, the forest root DCs synch to them. Everything else in AD is in NT5DS mode and time flows down the domain hierarchy. The [gag] remaining NT boxes, have