RE: [ActiveDir] Domain rename and third party tool

2006-03-06 Thread deji
Honestly? All the products I know of require some investments in time, planning, tests and efforts to get used to them. They are not really like "deploy-and-go" type of solutions. I mentioned that because you appear to be in a dire emergency, and it is usually emergencies like this that tend to c

RE: [ActiveDir] There must be an easier way...

2006-03-06 Thread deji
The OP implied ownership of the Forest by stating: >>> we had set up as a site within our domain with its own pair of DC's has decided to break off from us So, apparently, they only need metadata, DNS and connection objects cleanup as far as mop-up is concerned. Sincerely, Dèjì Akómöláfé,

[ActiveDir] Domain rename and third party tool

2006-03-06 Thread Irwan Hadi
Our company just changed its name including its domain, and would like to also change our Active Directory domain. Currently we are using our AD just for Exchange. We will join our workstations which currently are using Novell Netware to AD soon. Our AD domain: - Current forest functional l

Re: [ActiveDir] Unable to discover computers in AD after upgrading to .NET Framework 2.0 (should have been MOM can't find computers in AD after 2.0)

2006-03-06 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sorry should have described that a bit better... MOM can't find computers in AD after 2.0 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: http://www.microsoft.com/downloads/details.aspx?familyid=f53f1ef3-a7a0-4c45-aefc-7c1ec5dccaa6&displaylang=en

[ActiveDir] Unable to discover computers in AD after upgrading to .NET Framework 2.0

2006-03-06 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
http://www.microsoft.com/downloads/details.aspx?familyid=f53f1ef3-a7a0-4c45-aefc-7c1ec5dccaa6&displaylang=en Unable to discover computers in AD after upgrading to .NET Framework 2.0 --

RE: [ActiveDir] AD - What to monitor?

2006-03-06 Thread Lucas, Bryan
So, does Intrust do these things: "OU creations/deletions/mods Critical Security Group Modifications GPO Creation/deletion/mods and Linking Domain Administrator Logins and from where Password changes on critical accounts" Can you get granular and say show me all the changes to these groups, or th

RE: [ActiveDir] There must be an easier way...

2006-03-06 Thread Brian Desmond
I didn't get the drift he had a multidomain forest. If he does, and he doesn't have a forest root DC then he's SOL and will have to ADMT to a new domain/forest. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 > -Original Message- > From: [EMAIL PROTECTED] [mailto:ActiveD

Re: [ActiveDir] There must be an easier way...

2006-03-06 Thread Umer Y
Hello Larry, Unfortunately there is no way around doing a metadata cleanup against those 2 DCs that have been removed from your domain and are not going to come back. You would want to figure out the machines in that particular subnet where the 2 DCs were, have connectivity to an existing and fun

RE: [ActiveDir] There must be an easier way...

2006-03-06 Thread Myrick, Todd (NIH/CC/DNA) [E]
Brian, I never did this, but I guess I should try it if one domain tree established the forest, another domain tree is added, but then the initial tree is removed won't that cause problems for the other domain tree, even if they clean up the forest and seize the FSMO roles. The schem

RE: [ActiveDir] There must be an easier way...

2006-03-06 Thread Brian Desmond
Larry- Just follow the steps and remove the two DCs that were offsite. Wait for replication internally and delete the site/subnet. All done. I suggest you reset all passwords for sensitive accounts or even better expire every password in the domain. Your client can obtain these if they're industr

RE: [ActiveDir] There must be an easier way...

2006-03-06 Thread Myrick, Todd (NIH/CC/DNA) [E]
That is interesting Who established the forest? Cause if it was them, they have issues. If it was you all, then just do an AD Clean-up operation and remove the domain and domain controllers from your directory. Also be prepared to hear from them soon... :) Todd Myrick _

RE: [ActiveDir] Photos in AD

2006-03-06 Thread Derek Harris
How would it do anyone any good to make an ID with my photo on it?  Wouldn't it be better for them to make the ID with my info & THEIR photo, if it's identity theft they're after? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, March 06, 2006 2

[ActiveDir] There must be an easier way...

2006-03-06 Thread Larry Wahlers
Hello, colleagues, A client that we had set up as a site within our domain with its own pair of DC's has decided to break off from us, get their own ISP, and cut the network cable between us. In fact, they've done that last weekend. Now, the Directory Service event log on one of our DC's is spewin

RE: [ActiveDir] AD - What to monitor?

2006-03-06 Thread Darren Mar-Elia
Depends upon what your organization's security/compliance requirements are but here are some things to think about: --excessive failed logons, password changes --account policy changes --changes to AD configuration objects (e.g. creation/deletion of sites, site links, AD-integrated DNS zones, sc

RE: [ActiveDir] OT : Query DNS using wildcards?

2006-03-06 Thread deji
>>>Extracting the zones to a .txt file which a script can loop through searching for certain strings. Ideal solution would be to look for * records and delete them as they are being found. But as already indicated by other people, this is not available.. Why not? If it's a standard zone, you

RE: [ActiveDir] AD Lag Sites

2006-03-06 Thread Myrick, Todd (NIH/CC/DNA) [E]
I also said, I have to spend my time and money wisely. I am well aware of why people use lag-sites. They always like to throw the money issue around... but I wonder what the TCO is really. Maybe these major AD DR players should commission a study heck maybe MSFT should for both AD and Ex

RE: [ActiveDir] AD - What to monitor?

2006-03-06 Thread Myrick, Todd (NIH/CC/DNA) [E]
Things I like to know about. Administration Events OU creations/deletions/mods Critical Security Group Modifications GPO Creation/deletion/mods and Linking Domain Administrator Logins and from where Password changes on critical accounts Domain Activities Got one word for you Replication! A

Re: [ActiveDir] OT : Query DNS using wildcards?

2006-03-06 Thread Bart Van den Wyngaert
Hi Al,   Thanks for your answer. It's not zone transfers I'm looking for, but your answer nevertheless pointed me towards another road with a lot of thoughts!   We are used to register DNS records manually by script. All other records are added manually. When a server is at the end of its life, we

RE: [ActiveDir] How Secure is a Domain Controller?

2006-03-06 Thread Myrick, Todd (NIH/CC/DNA) [E]
Okay for you Susan, I will modify my statement... Add IPsec filter that only allows http traffic to update.microsoft.com. Also, in the future MS will probably bake in the spyware service into the product, so it will be there anyway. I think I helped flush out the KB article on AV way back. T

Re: [ActiveDir] AD - What to monitor?

2006-03-06 Thread Ryan A. Conrad
You may want to start by looking at some commercial products and see what functions they perform and what they monitor.  NetPro's Change Auditor is great, and the MOM AD MP (entire Technical Guide is available) would be two nice starting points. If I remember correctly, NetPro also has an AD Health

RE: [ActiveDir] Photos in AD

2006-03-06 Thread al_maurer
I’m thinking about security & privacy concerns.  There’s already a lot of personal information in the directory, much of it viewable by anybody.  Add a photo and voilà:  instant ability to make a photo ID. Al Maurer Service Manager, Naming and Authentication Services IT | Information T

RE: [ActiveDir] Resolving SIDs

2006-03-06 Thread Ulf B. Simon-Weidner
The SID is only a number which is issued on each DC to new security principals by first comes first serves, so if you create two users on the same DC you probably have two following SIDs. There's nothing encrypted or magic into the SID, so there is no more information you can get just out o

RE: [ActiveDir] Dynamic Groups

2006-03-06 Thread Ulf B. Simon-Weidner
And keep in mind that it only works when users are logging off and on (at least for domain groups) so that the token is recreated - so running it multiple times a day is probably not practical. Gruesse - Sincerely, Ulf B. Simon-Weidner   MVP-Book "Windows XP - Die Expertentipps": http://tin

RE: [ActiveDir] Recommendations for spam issue

2006-03-06 Thread Alborzfard, Alex
As you can see from the responses, you have lot of options. It just depends on your budget, time (setup & administration), and expertise which one is the best bet for you.     Alex Alborzfard   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ S

RE: [ActiveDir] Dynamic Groups

2006-03-06 Thread Brian Desmond
Bryan-   Just write a script which runs as a scheduled task which enumerates all the users in an OU and checks that they’re a member of the group. You’ll also need to remove users who don’t belong in there anymore. Depending on the scale of your AD deployment (in terms of number of DCs a

RE: [ActiveDir] Resolving SIDs

2006-03-06 Thread Clay, Justin (ITS)
Adeel,   I was thinking that I read that without the account database, you could actually gain some information from the SID, using a formula of some type. I don’t know if that’s actually possible or not. I might have made it up in a dream.   Thanks for the info on sidtoname.exe, that m

[ActiveDir] Dynamic Groups

2006-03-06 Thread Lucas, Bryan
I know you can build a dynamic query based distribution group, but can you do the same for a security group?  What is the best way to accomplish making anyone who is in a particular OU a member of a security group on a dynamic basis (scheduled task frequency)?   Bryan Lucas Server Admini

RE: [ActiveDir] Resolving SIDs

2006-03-06 Thread Adeel Ansari
Justin, The only thing that I can think of is Sidtoname.exe. I don't think that you are looking for this however. Can you expand a little bit more on building user information based on SID? -Adeel -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Clay,

[ActiveDir] AD - What to monitor?

2006-03-06 Thread Adeel Ansari
AD Gurus, Can you guys expand on the topic of what should be monitored in AD? and Why? I am talking in terms of Security events only to protect AD and also protect from attacks of any kind. Obviously, one would monitor failed logon, too many accounts creations etc. What else should we monitor? R

RE: [ActiveDir] Can I upgrade/Install IIS6 on windows 2000 advace server.

2006-03-06 Thread deji
No. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of M

[ActiveDir] Can I upgrade/Install IIS6 on windows 2000 advace server.

2006-03-06 Thread Manjeet Singh
One of my application required IIS6 (or windows 2003 server) for its functionality.   I am running some windows 2000 Server and I need to run this application on these server. Is there any way to upgrade/Install windows 2000 IIS5 to IIS6?   Customer do not want to upgrade to windows 200

RE: [ActiveDir] Recommendations for spam issue

2006-03-06 Thread Al Garrett
CommTouch http://www.commtouch.com/Site/Home/home.asp       -Original Message- From: Rimmerman, Russ [mailto:[EMAIL PROTECTED] Sent: Monday, March 06, 2006 7:10 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Recommendations for spam issue   If you were a 20 user

Re: [ActiveDir] How Secure is a Domain Controller?

2006-03-06 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Question? On a DC ...why do you need anti spyware? If spyware enters via web browsing and email...and IE should never be used/launched on a DC... why do you need it? If the enhanced IE lockdown is still in place that shuts off scripting and what not. Is it on my TS box and all workstatio

RE: [ActiveDir] How Secure is a Domain Controller?

2006-03-06 Thread Ulf B. Simon-Weidner
Hi Neil,   I think long passwords are primarily necessary for privileged accounts such as domain admins and especially service accounts. Having long, randomly generated passwords is not an issue for service accounts if you have a procedure in place to change them. If you need to provide the p

RE: [ActiveDir] AD Lag Sites

2006-03-06 Thread deji
He does NOT "have to save the company money", he says. That's MY money you are talking about there, bucko! :) Seriously, Todd, you do have to understand that a vast majority of IT shops don't have budget for their IT folks to be as productive as they desire to be. This is why people tend to be

RE: [ActiveDir] AD Lag Sites

2006-03-06 Thread Myrick, Todd (NIH/CC/DNA) [E]
I don’t really look at problems from the “Trying to Save Money Approach”….  I try to spend my money and use my time wisely.    I base all my value judgments on the following factors.    1. Does it value people? 2. Is it priced acceptably?  (I value dominate designs, but also feel tha

RE: [ActiveDir] How Secure is a Domain Controller?

2006-03-06 Thread Myrick, Todd (NIH/CC/DNA) [E]
To add my 2 cents.   Add Anti-virus and Anti-Spyware detection. Configure and backup your event logs.  At remote sites, I would recommend collecting the event logs on a faster rotation. Add monitoring, You want to monitor account lockout events and have notificatio

RE: [ActiveDir] How Secure is a Domain Controller?

2006-03-06 Thread neil.ruston
  I understand/stood what you were saying, just was hoping to bring out a clearer answer for some of the lurker/newbies on the list (of which there are many). And you provided exactly that clarification which was excellent. Thank you.[Neil Ruston] You're welcome :)   I still personally beli

Re: [ActiveDir] Recommendations for spam issue

2006-03-06 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Exchange 2003? The Trend CSM 3 version isn't having a good rep these days in my space. Exchange SP2 includes IMF www.vladville.com click on Articles on how to set it up. www.techsoup.org btw... Rimmerman, Russ wrote: If you were a 20 user non-profit organization that were having a serious p

RE: [ActiveDir] How Secure is a Domain Controller?

2006-03-06 Thread Tim Vander Kooi
I understand/stood what you were saying, just was hoping to bring out a clearer answer for some of the lurker/newbies on the list (of which there are many). And you provided exactly that clarification which was excellent. Thank you. I still personally believe in the statement that if I can t

RE: [ActiveDir] How Secure is a Domain Controller?

2006-03-06 Thread neil.ruston
You mis-understand :)   Ulf was suggesting that in order to protect the AD data on a poorly protected DC, that strong passwords should be used that are harder to crack.   In the event that the disks were compromised, the hacker would not be able to crack a 20 char pw. He does not suggest the

Re: [ActiveDir] Recommendations for spam issue

2006-03-06 Thread mike kline
Non Profit probably means you don't have a huge IT budget.  You may want to give SpamBayes a try.   The client plug-in does a decent job of filtering spam... and it's free.   http://spambayes.sourceforge.net/index.html  On 3/6/06, Rimmerman, Russ <[EMAIL PROTECTED]> wrote: If you were a 20 user

RE: [ActiveDir] How Secure is a Domain Controller?

2006-03-06 Thread Tim Vander Kooi
Based on the subject of this discussion: if you have those regular users, who can't comprehend or remember a password over 7 characters, signing on to your domain controllers I would say that your domain controllers are VERY not secure. Secondly, if your domain administrators are so lazy as t

RE: [ActiveDir] Recommendations for spam issue

2006-03-06 Thread Lucas, Bryan
Are you 2003 and dissatisfied with the IMF?  I’ve found for small businesses it is extremely effective when loaded with the right RBL’s, IP blocks and configured correctly.   Bryan Lucas Server Administrator Texas Christian University (817) 257-6971 From: [EMAIL PROTECTED]

[ActiveDir] Resolving SIDs

2006-03-06 Thread Clay, Justin (ITS)
I thought I remember seeing something recently about how to build some user information from a SID. Is this possible or am I dreaming? I don’t mean resolving the SID against AD, I actually mean taking a lone SID and building some user information based on just the SID.   Thanks,   Justi

RE: [ActiveDir] Recommendations for spam issue

2006-03-06 Thread Creamer, Mark
Russ, I've used two solutions for this issue, both of which I think turned out well: 1. Astaro Security Linux with mail protection subscription - available either as an appliance or a hardened Linux distro you can install on a decent PC 2. Sunbelt Software's IHATESPAM The 501c(3) I support, w

[ActiveDir] Recommendations for spam issue

2006-03-06 Thread Rimmerman, Russ
If you were a 20 user non-profit organization that were having a serious problem with SPAM, had an Exchange server in-house but an external internet provider that was "filtering" and forwarding your e-mail but not doing a good job, what product or solution would you recommend?  The problem i

RE: [ActiveDir] SYSVOL and Junction Points

2006-03-06 Thread neil.ruston
"Junction Points" are one implementation of the NTFS technology known as "Reparse Points". http://www.pcguide.com/ref/hdd/file/ntfs/filesReparse-c.html neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: 06 March 2006 13:20 To:

Fw: [ActiveDir] SYSVOL and Junction Points

2006-03-06 Thread [EMAIL PROTECTED]
they are also known as reparse points and ris uses them for the single instance store > Original Message > From: [EMAIL PROTECTED] > Date: 06/03/2006 11:15 > To: ActiveDir@mail.activedir.org > Subj: RE: [ActiveDir] SYSVOL and Junction Points > > The same question was asked at an MS semina

RE: [ActiveDir] DC Lookup....

2006-03-06 Thread Darren Mar-Elia
Brad- Have you seen this article?   http://support.microsoft.com/kb/306602   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Monday, March 06, 2006 12:34 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DC Lookup

[ActiveDir] DC Lookup....

2006-03-06 Thread Smith, Brad
My environment:  W2K FL, Mix of W2K and W2K3 DC's, One Forest, One Domain, 60 DC's, all DC's bar one are relatively well connected (smallest link is 256k).  One DC is poorly connected on a very highly utilised 1MB line  :-(   Does anyone know if there is a way to specify whi

RE: [ActiveDir] SYSVOL and Junction Points

2006-03-06 Thread Smith, Brad
The same question was asked at an MS seminar I went to about 3 or 4 years ago, and the MS rep explained that he didn't have a firm technical answer either, and that at some early point during the dev of AD, there was an intention to be able to host more than one AD on a DC and that junction points

RE: [ActiveDir] How Secure is a Domain Controller?

2006-03-06 Thread neil.ruston
The use of >20 char passwords caught my eye.   In previous discussions with MS et al, it was suggested that the majority of users would simply repeat a (at most) 7 char password n times, so as to meet the 20+ char pw policy requirement.   As a result, I have heard it suggested that in realit