RE: [ActiveDir] User Alias Authentication in AD

2005-04-15 Thread Grillenmeier, Guido
what a fine english statement the astute will understand why... ;-) had to get a dictionary to understand that one - but I can always say I'm German for an excuse ;-)) agree on what you're getting at and that was my original order when I wanted to reply - then I read Mayuresh's post again: from

RE: [ActiveDir] 1000 groups

2005-04-15 Thread Grillenmeier, Guido
Regular multivalue attributes still have a limitation on size. In 2K that is approximately ~850 members and in K3 that is approximately ~1300 members. I'd call these "entries" instead of members to avoid confusion... Not sure if it was mentioned in another part of this thread, but it

RE: [ActiveDir] 1000 groups

2005-04-15 Thread Grillenmeier, Guido
had me worried just the same when reading DL and thinking Distribution Lists ;-)) one thing that I don't understand is, why doesn't the token only store the _RIDs_ of the DLGs - why are they stored with the full SID??? Makes no sense to me, as they are able to use the RID for GGs and UGs - and

RE: [ActiveDir] wt32

2005-04-15 Thread Steve Rochford
Change the width of your command prompt window to be more than 80 (120 works) and you'll see it's not a random * - it's drawing a chart for you and the * shows the offset: [ * |] [ * |] [ * |] [ * |

RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread Grillenmeier, Guido
It's also worth to point out, that you have to distinguish heavily between the OS version and the DIT size to expect. Other cleanup tasks can also strongly impact DIT size. At HP our Win2000 GCs had an average DIT size of 18GB - we then disabled the Distributed Link Tracking service on all DCs

RE: [ActiveDir] DC location queries

2005-04-15 Thread Grillenmeier, Guido
that default first site would only be used when promoting new DCs to a domain if that DC has an IP address that's not defined for any subnet/site. Naturally, I would fire anyone who even tries to promote a DC without doing the necessary prep-work..., so you should

RE: [ActiveDir] How much of the DIT is cached in RAM ?

2005-04-15 Thread Carlos Magalhaes
Well none of the actual DIT is cached (into the RAM), IMO. The engine might cache regular/common lookups, indexes etc but none to the actual DC's RAM. But then again you have to define but what you mean by into RAM. Nathan is quite right with Checking the working set size of LSASS is not

RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread Carlos Magalhaes
Eric, Granted but how much of that actual 100gb will be replicated over that 64k line? I can see the issue if you do a DC promo on a W2k3 server on the other side and it's the first box and has to pull info over 64k, but once established that traffic shouldn't even be close to 100mb. That said

RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread joe
Braggart. ;o) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Thursday, April 14, 2005 11:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] NTDS.dit size Well I've seen very very large in test on many occasions. The

RE: [ActiveDir] User Alias Authentication in AD

2005-04-15 Thread joe
LOL. But you are a very fine German Guido, don't let that be an excuse. eg If that is their current sam name format, they could already be bumping into the issue. :) joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent:

RE: [ActiveDir] DC location queries

2005-04-15 Thread joe
You know I remember reading this way back in 2000 (the year, not the OS) and I NEVER saw that happen. New DCs that were promoted without an appropriate subnet never landed in the default first site, they landed in a semi-random location, usually (probably always

[ActiveDir] OT Maybe: Import GPO without Domain

2005-04-15 Thread Edwin
I am using VB.NET to create an application that will configure the server from beginning to end without manual SysAdmin intervention. Basically, once a server is installed, it must be configured to our specifications. I am aware of ADS and RIS and I am already using these options. But

RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread joe
Good points. The link tracking was indeed a bite in the ass. I caught that one pretty early on the game so it didn't give us significant growth though. I was busy shutting down all of the services and I made MS tell me what that one was for and I was like... I don't want that, and killed it in the

RE: [ActiveDir] 1000 groups

2005-04-15 Thread joe
Yeah I questioned MS-Premier PSS on that several years ago and it spawned a 3 week email conversation where I never got a good answer and I submitted it as a bug to PSS and I think it got lost somewhere. Mostly I think the issue was most of the people I spoke to about it didn't really

RE: [ActiveDir] 1000 groups

2005-04-15 Thread joe
I take it you mean the issue for the originating write, not the replication correct? You can hit this even with a smaller originating write based on the version store depletion on the DC in question, that applies to any large updates I believe. You can also bump against the default LDAP

RE: [ActiveDir] systemFlags

2005-04-15 Thread joe
And clobbered again but offline this time by someone else who didn't even offer up a ;-). I feel obligated to say that anyone working around the "officially" correct mechanisms could jeopardize their entire forest. It is sort of like going out into the water 10 minutes after you ate a

RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread Francis Ouellet
Hi Guido, Can you provide us with some more information on moving the DNS data into the DNS app partition? Thanks! Francis -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: 15 avril 2005 04:00 To: ActiveDir@mail.activedir.org

RE: [ActiveDir] OT Exchange question.

2005-04-15 Thread Mulnick, Al
Or the reverse of that ;) Welcome back Joe. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, April 14, 2005 8:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT Exchange question. (Gotta love how many Exchange

RE: [ActiveDir] Files missing from sysvol folder

2005-04-15 Thread Mulnick, Al
You may additionally want to check the software running on the DC's in question if the files are copied and then deleted. Until replication I wouldn't expect the files to change on newly promoted dc. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

RE: [ActiveDir] Recover exchange database file

2005-04-15 Thread Mulnick, Al
Have you read the disaster recovery whitepaper about Exchange on Microsoft's site yet? My guess is that you don't have enough of the relevant information, but it's possible you can salvage some of it. There are also utilities out there that might be helpful if you really want that data. Al

Re: [ActiveDir] DC location queries

2005-04-15 Thread Tim Hines
Joe has summed it up well but if you want to do some reading on it you should check out this chapter from the Distributed Systems Guide. http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbc_nar_jevl.asp Tim -

RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread Carlos Magalhaes
Well Francis, How are your DNS servers set up? Are they: 1. Windows DNS servers 2. Have you specified that your Zones are Active Directory Integrated Zones If you haven't created the default DNS app partitions right click on your DNS server --- Create Default DNS application Partitions this will

[ActiveDir] GPO's not getting there

2005-04-15 Thread Nicolas Blank
I have a customer with small links and 1200+ wan sites. Problem I'm having is that without local DC's GPO's aren't applied properly on the workstations on logon, and the workstations are not locked down. The customer is not willing to buy an extra 1200 dc's. Since WAN costs are a bit silly the

RE: [ActiveDir] 1000 groups

2005-04-15 Thread Dean Wells
Regarding DLs (Domain Local for Joe's sake) groups, I'm not certain I've read anything that states whether we do or we don't ... like you Guido, I can initially see no reason to maintain any more than the RID alone assuming the necessary components exist elsewhere to explode it to a full

RE: [ActiveDir] Recover exchange database file

2005-04-15 Thread Nicolas Blank
Daniel, have to agree with Al. Depending on the state of these DB's you may have absolute garbage. If the DB shut down in a dirty state and you don't have logs to replay - problem, means a hard recovery. If a hard recovery works you may only lose a little data. If a hard recovery fails you have

RE: [ActiveDir] SSL on OWA to change password

2005-04-15 Thread Salandra, Justin A.
All I have in the inetpub/wwwroot folder is a folder called aspnet_client, iisstart.htm and pageerror.gif -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Saturday, April 09, 2005 2:04 AM To: ActiveDir@mail.activedir.org

Re: [ActiveDir] GPO's not getting there

2005-04-15 Thread Tim Hines
What do you mean by GPO's aren't applied properly on the workstations? Are you using slow WAN link detection settings for GPO's? That would cause the clients to not process all GPO settings . Even in that scenario the majority of GP Settings apply except for those that are bandwidth intensive.

RE: [ActiveDir] SLOWWWWWW Logons

2005-04-15 Thread Salandra, Justin A.
I don't remember and I did not save the capture. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, April 14, 2005 10:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] SLOWW Logons Which packets? Kerberos?

RE: [ActiveDir] SSL on OWA to change password

2005-04-15 Thread Douglas M. Long
Are you using this as your guide? http://support.microsoft.com/default.aspx?kbid=555126 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Friday, April 15, 2005 9:48 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] SSL on

RE: [ActiveDir] OT: Exchange Transaction logs

2005-04-15 Thread Douglas M. Long
Thanks to all those that replied. It turned out that I was backing up the Information store and the information store files (like regular files). It seems to me that if you back the information store up correctly that it should flush the logs, even if you also back those files up incorrectly

Re: [ActiveDir] GPO's not getting there

2005-04-15 Thread Santhosh Sivarajan
What is the GPO threshold setting? Is it default? Change threshold settings and try Gpupdate again. Santhosh Santhosh Sivarajan MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+ Houston, TX On 4/15/05, Tim Hines [EMAIL PROTECTED] wrote: What do you mean by GPO's aren't applied properly

RE: [ActiveDir] Password complexity requirements

2005-04-15 Thread Douglas M. Long
I kind of thought the idea of only having one password policy per domain was that you are theoretically protecting the domain admin accounts (when enforcing complexity) from an escalation type attack from a user account. Or for that matter, protecting the whole domain with more complex

RE: [ActiveDir] Password complexity requirements

2005-04-15 Thread joe
Oh I am not saying don't have complex passwords for users. If you can pull it off in a secure way, go for it. One issue you have to keep in mind is that the more complex/long your passwords are that you require, the more likely someone is going to document it in some other location with the

RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread Eric Fleischman
Trick question? The parts of the 100gb that will replicate are the parts that change. (not counting dcpromo of new boxes) How much is changing? Who knows. Different for everyone. ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes

RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread Eric Fleischman
Better yet: http://search.msn.com/results.aspx?q=DNS+2003+%22application+partition%2 2FORM=QBHP I would point out, moving to app partitions does not _shrink_ the size of the data you have to store in the aggregate as has been alluded to. Rather, it does two things: 1) It lets you control the scope

RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread joe
Just to clarify, it is the parts that change and are tagged to replicate that replicate. You could have shitloads of changes occuring that never leave the DC. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Friday, April 15,

RE: [ActiveDir] GPO's not getting there

2005-04-15 Thread Darren Mar-Elia
If it helps, here is how each CSE responds, by default, when a slow link is detected: CSE / Processes on Slow Link? Security / Yes; IP Security / Yes; EFS Recovery

RE: [ActiveDir] SSL on OWA to change password

2005-04-15 Thread Salandra, Justin A.
Thanks this helps. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Friday, April 15, 2005 10:03 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] SSL on OWA to change password Are you using this as your guide?

RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread Eric Fleischman
Sure. There is a good chunk of the db that doesn't replicate because it is outside of the AD object model (example: indexes) or marked to not replicate (ex: some attributes). But in the aggregate, for most objects, a fair statement...without clouding the issue with the nuances. ~Eric

RE: [ActiveDir] 1000 groups

2005-04-15 Thread Thommes, Michael M.
Just a related thought to this, you might want to be aware of the following change that was put into W2K3/SP1: http://support.microsoft.com/kb/832572/ Mike Thommes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Thursday,

RE: [ActiveDir] 1000 groups

2005-04-15 Thread joe
Oh excellent, I was completely unaware of that. Wonder why it hasn't made it to MSDN yet... Time to start emailing people. ;o) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Friday, April 15, 2005 12:31 PM To: ActiveDir@mail.activedir.org Subject:

RE: [ActiveDir] OT Maybe: Import GPO without Domain

2005-04-15 Thread Cothern Jeff D. Team EITC
I have done something similar but I used a third party program called GPAnywhere by Fullarmor. It allows you to create a policy or import from AD. You can then edit that policy and best of all you can export it into an executable file. This has been great in creating policies that we

RE: [ActiveDir] Password complexity requirements

2005-04-15 Thread Cothern Jeff D. Team EITC
Not why we use this but it will do what you're wanting also. http://www.anixis.com/ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB Sent: Wednesday, April 13, 2005 9:27 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Password complexity

[ActiveDir] All Folders Read Only

2005-04-15 Thread Mike O'Sullivan
We have a computer running Windows XP SP2 that all folders are listed as read only. I know that the read only attribute is typically ignored on folders, but the user is no longer able to save any files to the computer. We have followed the steps in KB326549 with no luck. Has anyone else run

RE: [ActiveDir] User Alias Authentication in AD

2005-04-15 Thread joe
Couple of reasons, primary one at the top of my head is in response to the question, what is the max length of sAMAccountName attribute? Do you do any sending of mailslot messages to userids - if so what is the max length for the netbios name portion of the 03 record? Or maybe you like checking to

RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread Grillenmeier, Guido
yep, that's what I meant - but I was too lazy to add these details ;-) /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Freitag, 15. April 2005 17:56 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] NTDS.dit size

RE: [ActiveDir] OT Maybe: Import GPO without Domain

2005-04-15 Thread Katrin Wilhelm
Hi Edwin, I'm not very good in VB script but I can help you out with some procedures. Just not sure if you can write a script for this. The complexity depends on which system you are trying Server 2000 or 2003. In 2003 it is quite simple put Microsoft group policy manager on both machines