Hi,
For more info see http://support.microsoft.com/kb/310105
Regards,
Jorge
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Monday, November 15, 2004 21:03
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Syskey and AD
Is it still necessary to syskey DC's?
Hi,
NT4 only has a FULL NAME field and does not have a FIRST NAME and LAST NAME
field. So when you migrate user objects to AD only the FULL NAME field and
the DISPLAY NAME field are migrated (the display name, used for the GAL, by
default depends on the full name). If you have Exchange 5.5 running
Return Receipt: Your RE: [ActiveDir] ADMT migrated users document:
Return Receipt: Your RE: [ActiveDir] Syskey and AD document:
It's still possible, but whether or
not it will still be necessary with Windows Server 2003 is another question. The
default security of the SAM is higher than with NT. This page gives you the
process. http://support.microsoft.com/kb/310105
From: [EMAIL PROTECTED]
Anyone?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, November 15, 2004 2:51 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] adfind and -excl
Adfind.exe has a switch called excl which
The Default Domain Policy is the *only* effective policy for those settings.
That's not an accurate statement...
Only Password Policies created at the domain level are effective for
domain users, but they don't have to be in the default domain policy
object.
-ASB
On Sun, 7 Nov 2004 12:58:57
Since changing our DNS design from forwarding to our old firewall which
had root-hints built into it, to forwarding our DNS to our empty forest root
domain controllers with the root-hints on them, we are not getting all our DNS
lookups.
For example, http://www.volksbanksalzburg.at right
I'd advise using forwarding for the functions you require.
It may seem stupid but I take it
the DNS server/s have appropriate rules in your firewall/s?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 16 November 2004 13:48
To: [EMAIL
What have you done to date for troubleshooting?
For example, have you used NSLOOKUP with the debug options before?
How is your DNS setup in relation to your internet connection?
Al
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Yes, all DNS is working fine except for some rare instances
of hostnames we've run into. Last week we couldn't get to ftp.nai.com but now we can. All our
workstations are pointed to our child DCs for DNS. They are set to forward
to our empty root DCs, and the empty root DCs have the
Why don't you forward the root DC/s out to your ISP's DNS server/s? See if that works.
If you do an nslookup from the root DC,
can you resolve correctly?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 16 November 2004 13:58
To: [EMAIL
Return Receipt: Your RE: [ActiveDir] Syskey and AD document:
You also need enterprise for autoenrollment.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Monday, November 15, 2004 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] RDP
There are a number of PKI things that can't be done
Doh!
You should have stuck to your guns James!
My only defence is that I had never actually used User components in site
policies before. I have now and agree that the User does receive the User
based settings that exist in the policies connected to the site.
Alan C
- Original Message
Ken Cornetet wrote:
You also need enterprise for autoenrollment.
Weird, I wonder why autoenrollment works for me then? I'm only running
standard, not enterprise. Autoenrollment is definitely working.
- Robbie
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
My company was using Standard and auto enrollment would not work. We
consulted our TAM and he said we had to have Enterprise for Auto Enrollment.
Debbie Ellis
Systems Administrator
Viasat, Inc.
4356 Communications Drive
Norcross, GA 30093
678-924-2591
-Original Message-
From:
Dusting off the old NT 4.0 memories... Key point is that browsing is
not related to name resolution at all. Browsing is a simple NetBIOS
based directory that allows users to find resources. Connecting to the
resource either by clicking on an object in the browse list or by
manually connecting
I'm sure that is the case. I'll take a look at my setup and see if I
can figure out what I did to make it work. (or maybe discover that I'm
completely going insane) :-)
- Robbie
Ellis, Debbie wrote:
My company was using Standard and auto enrollment would not work. We
consulted our TAM and he
TCP or UDP through the firewall?
What have you done to troubleshoot? Logs? ??
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, November 16, 2004 8:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Issues
Yes, all
If I remember right, I thought WINS would make your browse list if the
Master Browser on Subnets were not available.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Tuesday, November 16, 2004 9:36 AM
To: [EMAIL PROTECTED]
Subject: RE:
I've seen something similar to this and it was because of
corrupt cache on the server. Try clearing out the cache and see if that
works.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, November 16, 2004 7:48 AM
To: [EMAIL PROTECTED]
Subject:
Ok, maybe this clears it up (from windows server 2003 help)
Windows Server 2003, Enterprise Edition, or Windows Server 2003,
Datacenter Edition, is required to configure version 2 certificate
templates for autoenrollment requests. However, autoenrollment manages
certificates or pending
Russ,
At the forest root DNS servers, enable
forwarding and point these forwarders to your ISP DNS. The root hints are
really not that reliable in the case that you are currently using them. Making
use of an established DNS system is much more robust than using the root hints
at your
True - but that also makes the assumption that Computer Browsing is
robust. The reason that things have moved to DNS - Computer Browsing is
not robust, and not standard. It hasn't been enhanced in some time,
though WINS now works better - just in time to deprecate it
;o)
Rick Kingslan
Correct - Auto-enrollment is not available to Standard. Why it works
for some... Good question. Upgrade, perhaps?
Rick
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: Tuesday, November 16, 2004 9:32 AM
To: [EMAIL
IIRC domain master browsers will register themselves with WINS (don't
recall the hex code anymore) and the subnet master browsers will use
this info to populate the list of domains. However the mechanism for
resolving the host name to an IP address is separate..
-Original Message-
It's built-in. :-)
For example: adfind -root -f "name=Michael B. Smith" name cn proxyaddresses
Lists my name, my common name, and all of my proxyaddresses. If I don't have the attributes there, it lists all attributes.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Devon,
Likely not. However, go directly to the source, he'll answer.
[EMAIL PROTECTED]
Rick
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, November 16, 2004 7:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] adfind and
You need to run adclean to merge the mailbox with the user object after ADMT is run.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Tuesday, November 16, 2004 3:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT
I have to say... Master Browser issues and WINS were some of the biggest
Headaches in NT 4.0!
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kingslan, Rick T.
Sent: Tuesday, November 16, 2004 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]
Only Password Policies created at the domain level are effective for
domain users, but they don't have to be in the default domain policy
object.
Can you elaborate on this? I've only had one coffee this morning, and I
don't think I follow what you're saying
Are you saying that a GPO
How do I return only certain attributes with adfind? I would just like
to get Display name and sam account name. I am just using it to find
users based on EmployeeID
Adfind dc=domain, dc=com -f EmployeeID=somenumber
I would eventually like to write a graphical tool to find that user and
then be
Well, learn something new every day. That's why adfind is the Swiss Army Knife of AD Tools. You always find another neat toothpick you didn't know was there.
Rick
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, November 16, 2004
Yep. Contact the Microsoft Clearinghouse.
Annoying is the least severe term that I'd use, but I try to hold those
words... Mom said it wasn't nice.
It has caused such a ruckus that MS is looking to change the
functionality, but the only question is when and how.
Seems everything these
Return Receipt: Your RE: [ActiveDir] Master Browser document:
Adfind -b dc=domain,dc=com -f EmployeeID=somenumber displayName sAMAccountName
As to the other - take a look at IISADMPWD on support.microsoft.com or
any number of scripting books.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent:
I have always thought that rebuilding (or updating) the Recipient Update
Services after a reconfiguration of Recipient Policies is a normal,
non-destructive procedure. I am just now learning that rebuilding RUS is a
no-no and must be avoided at all cost. I have not spoken directly to the
source of
How odd, I responded to this yesterday right after the
original post came in, wonder why it didn't hit the list...
joe
From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, November 15, 2004 3:10 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] adfind and -excl
Sure. Just name them on the
You know I think the bad thing about this is simply that you are forcing
the RUS to look at every single object again which is costly. During that
time, it isn't, I believe, processing normal day to day stuff (i.e.
changes).
I could be wrong though. :o)
-Original Message-
From: [EMAIL
You need Windows 2003 Domain controllers (STD edition is Ok) and a CA
with Windows 2003 Enterprise edition to do this.
Martin.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kingslan, Rick T.
Sent: Tuesday, November 16, 2004 1:04 PM
To: [EMAIL
I would be very interested to know what they perceive the adverse impact as
being.
While RUS can certainly be a PITA, and it's slow and expensive, I can't think
of any reason why it must be avoided at all cost.
There is (yet another) bug
I would say the latter part of your question the answer is ADUC...
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, November 16, 2004 11:20 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] adfind
How do I return only
Thank you. We appreciate your feedback. These are great ideas.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kingslan, Rick T.
Sent: Tuesday, November 16, 2004 11:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Terminal Services licenses
Yep.
I prefer it to be say the Swiss Army Reading Glasses of AD
Tools. You can't hurt anything (including cutting yourself) with adfind, no
matter how good or bad you are. :o)
Admod I am working on being the Swiss Army Knife of AD
Tools. You specify you want to cut yourself and it asks you "how
A no-no? Hmmm.. Depends on the environment and the circumstances and
expected results.
If it's not a good idea, somebody should mention that to Microsoft and have
them update their procedures for troubleshooting to include a warning ;)
I don't think I would say that the SAM is more secure than
it is with NT.
The issue of being hacked is still there and still
fairly trivial. The syskey can maybe help depending on the tools used to crack
the server and whether it is an attempt to brute force passwords (or Rainbow
crack) or
It *should* process all changes when you rebuild vs. update. Rebuilding
causes the RUS to process every account in AD as noted. Updating works
with the USN's and is just a manual run of what is otherwise running every
60 seconds IIRC meaning that it looks for the USN's and processes those that
Thanks, all. I got in touch with the source of this mandate and all I could
get was the concern that rebuilding will require people to re-download
offline address books.
At this point, I regret to inform you that the concern appears to be more
political (turf protection) than technical. I know I
I would agree, the issue I would see is that you are in the middle of a
rebuild of 250k user objects.
Say you are 150k into it, I would expect any changes in the first 150k will
not be touched until after the final 100k have been updated.
Once the rebuild is complete, it will then start going
Well that's why I did the ping. :o)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, November 15, 2004 3:37 PM
To: joe; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute...
3 words: blah, blah and blah
:)
Oh. No kidding. I learned something else then... It won't
use the attribute because it doesn't exist...
Maybe I am even more confused now though... How is member
or homeMDB not a real attribute? I could understand if the BL wasn't considered
a real attribute, but the FL?
joe
From:
Excellent news Jackson. I have to admit, I knew you were on the list so I
tossed that one up in the air for you. I was hoping you would spike it and
happy that you indeed do so.
Please keep my MOM story to heart as well. You want to make it so SQL for
IIFP/MIIS is just like the file system, it
Define real I guess.
Both are real in the sense
that you can read them and for the forward link you can modify it. Neither are
single columns in the main data table where non-linked attrs are stored.
They are both built on the fly out of the link value table.
We should take this part
Ok, ~Eric took a clue by 4 to me in IM - I have a headache
but am otherwise ok. I was dumba, I understand now.
For some reason I was visualizing single value linked
attributes residing in the main data table and only multi-value linked
attributes residing in the link table. This is
Hi,
That's true if you first setup ADC to replicate all mailboxes and
distribution lists to AD. The objects that are created by the ADC are
disabled user accounts that have rights to the mailboxes on Exchange 5.5 and
universal distribution groups if the Exchange DLs are NOT USED for assigning
1. Loop through all USN's from zero for all objects. I.E. the current USN is
23000, it asks for a query to return all objects with a USN less than or
equal to 23000. At the end of that processing, it can easily pick up and
gather changes that occurred since the start of the rebuild (i.e. any
This is what I'm doing for keeping record of login / logouts in our domain. We use this for finding problems
and for providing stats on usage for our campus computer labs. Seems to work
ok, although I'm sure there are better ways to do it.
We run this Bat file on login as part of the
I have the same expectation in terms of processing.
The update button is the manual kick similar to replicate now option. It
starts the same process that would normally occur every 60 seconds if left
alone. :)
Should be similar to the old 5.x technology that used USN numbers to keep
track and
As if they wouldn't have to anyway? An update shouldn't cause anything
different than normal operations. Rebuild could trigger a full download.
Behavior is more dependent on the choice of update and the client used
anyway. Sounds like you need a LART or a clue-by-four to help adjust the
Rick,
That's correct. In fact we once tried having two policies at the domain
level with different values for the password length. We then changed
filtering so that one Domain controller got one policy and an other Domain
controller got a different policy.
We then tested how each behaved when
How do I do this for all users in the Forest. Let's say I only want to list the names of
the users, that's it. How is this done?
-Devon
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, November 16,
Have you integrated this with AD? Know anyone who can point me in the
right direction on how to do so?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Tuesday, November 02, 2004 11:01 AM
To: [EMAIL PROTECTED]
Subject: RE:
adfind -root -f "(&(objectclass=user)(objectcategory=person))" name
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, November 16, 2004 3:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] adfind and -excl
How do I do this for all users in
I have implemented it with AD and it works just fine.
If you need help with it check out their forums at:
http://www.liberum.org/snitz/default.asp
HTH,
Rick
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, November 16,
TIMTOWTDI
But one way...
adfind -gc -b "" -f "(&(objectcategory=person)(samaccountname=*))" name
And if you want to filter out everything but the names...
adfind -gc -b "" -f "(&(objectcategory=person)(samaccountname=*))" name |grep -i "name:"
[Tue 11/16/2004
Ok, adfind works well, BUT I need this info in csv format.
How do I get csvde.exe to run against the ENTIRE forest, instead of the
connected domain?
Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - GSD
954-602-2469
Pst, that will just get the root forest domain... You want
to ping it off a GC. If you have a single domain tree this will then work. If
you have multiple trees you will need to use a search base of "".
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B.
This would be extremely unstable.
Not only is the policy being changed by the GPO replicated through FRS, it
is also being changed by the values replicating around for the Domain NC
head through AD replication. I.E. The machine that got say a value of 10 for
bad hits for lockout would replicate
You da man. :-)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, November 16, 2004 4:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] adfind and -excl
Pst, that will just get the root forest domain... You want
to ping it off a GC. If you have a single
Return Receipt: Your RE: [ActiveDir] OT: helpdesk software document:
Anybody know what group I need to assign a user so they can log on locally to a single Domain Controller and start /
stop services on the machine without being able to modify any part of Active
Directory?
Thanks,
--
Matt Brown
[ SELECT * FROM users WHERE clue > 0 ]
Information
There is none. Don't let people log onto DCs unless you
don't care if they are in a position to take over your forest.
I.E. Only domain admins should be allowed to log onto DCs.
You can delegate off services via GPO or subinacl and then the delegated person can
remotely manipulate them.
I have a box which is god knows where, not even mine, doing some work for
somebody, thus I don't have access to it physically. I was dcpromoing
it down to a member server over a VPN when I lost my DSL line for a few. When
the connection came back up I couldn't log back in b/c dcpromo had of
I had a similar problem in the past.
Have you tried logging into the local administrator account? Then you
could set the Net Logon service to Automatic within the Services Snap-In and
then attempt to log into the domain after a server reboot. I did this in
the past and everything was good
Well it's a member server in a workgroup so the only account is the local admin account.
Are you saying that this error will not be an issue if someone tries to log on
at the console rather than via TS?
Thanks.
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
Yes. Local logon should still work.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
I just VNC'ed the box - equivalent to local logon. It has a log on to dropdown
- the dropdown is empty though, no local machine name or domain - when you
click the down arrow it just sorta sits there. Still whines about netlogon not
being started.
Thanks.
--Brian Desmond
[EMAIL PROTECTED]
VNC'ing to a machine is no different than connecting to the machine via
pcAnywhere, RDP or the local desktop except to say that it allows a remote
connection. During login, you must differentiate between a domain account
login and the local system login regardless of what method is used to
It's not joined to a domain. It's in its own workgroup, so I don't think this is
a DNS thing. The dropdown is flat out empty - no local machine, no domain, none
of that.
How would I go about logging in with the SYSTEM account? I've never tried to do
such a thing - didn't know it was possible.
You are correct - it's all about enumerating NetBIOS shares.
My current employer rather likes personal shares - rather there's no
resistance to having them.
Roger Seielstad
E-mail Geek MS-MVP
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
I believe you'll see that Joe (of joeware.net) himself offered a good answer yesterday
Roger Seielstad
E-mail Geek MS-MVP
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, November 16, 2004 5:38 AM
To: [EMAIL
Sounds like your firewall isn't configured to allow inbound
UDP/53 to your empty root DNS servers.
Now - if you're running a non-contiguous empty root (ie
domain.com and domain.net for instance), I'd reverse your design. Have the main
domain DNS servers resolve to the net and have the empty
TCP shouldn't be an issue - since most firewalls will do some sort of state
management for those connects.
My money's on the fact there ISN'T an inbound firewall rule allowing
UDP/53 to his DNS servers and tangential to that the fact that there is no
static NAT enabled for the DNS servers
I haven't heard that in at least a week! Then again, the Product Group I
most often work with these days has much shorter release cycles...
Roger Seielstad
E-mail Geek MS-MVP
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kingslan,
Title: RE: [ActiveDir] DNS Issues
We experienced the same exact problem, when we upgraded to W3K DNS. Check out kb828731. It deals with Extension Mechanisms for DNS (EDNS0).
-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]]
Sent: 16. november 2004 16:41
To: [EMAIL
Return Receipt: Your RE: [ActiveDir] OT: helpdesk software document:
87 matches