Thanks Mark.
I'll take a look at that option...
As to why I feel this may be an issue - let's just say I work in a company that
has 4 autonomous infras today, which are all coming together soon under one new
infra. [I'm the poor sucker tasked with designing this new infra as well as the
new su
Good idea, but I think I am doing something wrong. It is not a matter
of the AL being displayed differently by the RUS on the hand or the AL
previeuw button on the other hand (at least in case of this company it
isnt:-).
The only thing I am looking at is the list which is displayed when
clicki
Title: AD lag sites and replication
Joe,
I thought" (and its a long time since I looked) that you needed to
be an enterprise admin to force replication in AD Sites and Services... You can
force replication in the domain context in replmon. I guess that this begs another question
1. Are y
I have made some progress and I think that this query should work:
(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(!
(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)
(objectClass=user)(msExchHomeServerName=*/cn=AA*))(&
(objectCategory=person)(objectClass=con
Emm, it seems I just found it, might be usefull for anybody who didnt
already know it, (probably just me):
http://support.microsoft.com/default.aspx?scid=kb;en-us;312299
- Oorspronkelijk bericht -
Van: [EMAIL PROTECTED]
Datum: woensdag, mei 31, 2006 10:33 am
Onderwerp: Re: RE: [ActiveDir
Hi, I am thinking of making all the builtin groups apart from the Administrators group part of the Restricted Groups function. I don't want any user to add themselves to the Account, Backup,Server, Print Operators group for any length of time. Or does anyone know of a simpler way to ach
Sorry I should clarify, by User I mean an IT Helpdesk Account Creator Single Domain Windows 2003, FFL. I have delegated rights to various Security Groups for privileges in the domain. JamesJames Carter <[EMAIL PROTECTED]> wrote:Hi, I am thinking of making all the builtin groups apa
The Brains Trust,
I have a terminal server which when users log
on get a very restrictive view of the world, this is done via a GPO. I have
another company which we have a an external trust with wanting to log onto the
terminal sever to access specialist applications. I have created a Domain L
Okay, I have been working on getting this query right for an hour now,
tried several combinations but I believe it is not all that easy to
build an LDAP query, things like parentheses and ampersands...they are
driving me mad right now ;-)
I have now created 2 seperated address lists in Exchange
Victor,
There is a great little editor called Notepad2 that pairs up parentheses and
makes this type of work much easier. http://www.flos-freeware.ch/
I copied your earlier query string into Notepad2 and see that the
parentheses did not balance out.
Jerry
Jerry Welch
CPS Systems
US/Canada: 888-
Can anybody point me in the direction of a statement as to the effects of not
running sysprep - I know you have to and always do - but looking for hard (read
that as decent) documentation as to the effects of not running sysprep on a
server.
I don't like the fact that most of the infrastructure
Hi James...
There are a couple articles warning against using Domain Local groups for
policies.
Can you try having them put in a global group in their own domain, and
adding that directly to the read and apply section of the policy?
http://support.microsoft.com/kb/309172/en-us has some info.
Jo
Thanks for that, nice tool, it shows a lot of info.
In the mean time I got the query working, finally.
Does anybody know where I can find information about how to learn LDAP.
It would be nice if in the future I would not have to disturb the
people with LDAP query questions :-) but be able to fi
Return Receipt
Your RE: [ActiveDir] AD lag sites and replication
document:
wasJustin Leney/US/DCI
received
by:
at:05/31/2006 09:37:26 AM
NEW! COSMEO, THE ONLINE HOMEWORK HELP TOOL BROUGHT TO YOU BY DISCOVERY CHANNEL.
FREE TRIAL AT HTTP://WWW.COSME
Hi,
I have a Windows 2000 based AD (empty root with 1 child domain) that I'm
in the process of upgrading to w2003r2 as a test for our production
domain (same configuration). The adprep went fine as well as the dcpromo
of the new DC. However when the new DC reboots I get the following
messages
Is DFS running?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: 31 May 2006 14:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] New DC can't find the machine account
Hi,
I have a Windows 2000 based AD (empty root with 1 chi
That's golden joe. You certainly gave a very detailed taste of what it looks like in a real-world environment. Couple of thoughts might also be warranted here:
1) If you're not monitoring GC performance and you're running Exchange, think again.
2) Size doesn't matter; what I mean by that is tha
see if the following helps:
http://www.eventid.net/display.asp?eventid=1097&eventno=2126&source=Userenv&phase=1
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindho
Is this joe joe or joe someoneelse? It occured to me, I've NEVER seen joe
joe's last name ...
-B
On Wed, 31 May 2006, McNicholas, Joe wrote:
>
>
> Is DFS running?
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
> Sent: 31 May 2
McNicholas, Joe wrote:
Is DFS running?
Yep.
Meant to include that below. DFS and netlogon are both running.
al
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: 31 May 2006 14:38
To: ActiveDir@mail.activedir.org
Subject:
Next time you operate that garage door, check the pass. joe is not the same as "McNichols, Joe" Need a picture? https://mvp.support.microsoft.com/profile=""
for the link [1]
[1] sorry joe, couldn't help it. I still crack up when I see the pic.
On 5/31/06, Brett Shirley <[EMAIL PROTECTED]> w
This msg chain sums it up.
http://groups.google.com/group/microsoft.public.windowsxp.setup_deployme
nt/browse_thread/thread/1e82dbc6cb7480d0/655cafc92cb89c97?lnk=st&q=why+n
ot+use+sysprep&rnum=1&hl=en#655cafc92cb89c97
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Every joe is someones joe, but Joe McNicholas <> Joe "joeware" Richards
Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811
D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windo
Almeida Pinto, Jorge de wrote:
see if the following helps:
http://www.eventid.net/display.asp?eventid=1097&eventno=2126&source=Userenv&phase=1
I had run across that page last night.
Time is ok (ntp to local time source)
I don't think that both computer accounts are corrupt as they were ok as
A bit confused here... you said:
"All that I see in there is netlogon pausing."
and then
"DFS and netlogon are both running."
thanks!
steve
- Original Message -
From: "Al Lilianstrom" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, May 31, 2006 7:03 AM
Subject: Re: [ActiveDir] New DC ca
Netlogon is paused on the server. 0x14
please check the following:
* sc query netlogon -> is it paused?
* repadmin /options -> are the options "DISABLE_INBOUND_REPL" and
"DISABLE_OUTBOUND_REPL" shown?
if both answer = YES -> see directory services event log for event ID 2095 and
2103 ->
steve patrick wrote:
A bit confused here... you said:
"All that I see in there is netlogon pausing."
This is in the netlogon.log file.
and then
"DFS and netlogon are both running."
Both are set to automatic and are running when I log in after the system
boots.
thanks!
steve
- O
Almeida Pinto, Jorge de wrote:
Netlogon is paused on the server. 0x14
please check the following:
* sc query netlogon -> is it paused?
No.
C:\>sc query netlogon
SERVICE_NAME: netlogon
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
...
It only
So after you boot and wait for a bit- if you run gpudate /force , it comes
back successful yes?
And netlogon is only paused for a time. Do the DC's point to themselves for
DNS?
If so - you probably are hitting the behavior where we have some delay due
to waiting for an initial AD sync...
Im su
Thanks Joe,
That's a little bit further than I want to go ;-)
I wrote a GetMemberShip( DirectoryEntry ) method that finds all the
domains in the forest and then connects to a GC in each and grabs
tokenGroups for each and combines them into one string[]
That seems to work fine ( until the day whe
Dear collective,
I was wondering if there was a way to have a .MSC file (eg to show the
event log) of a computer in another domain, which has no trust set up
with the one I'm using.
Unfortunately, setting up a trust is not an option - as the other
domain is sitting on an SBS box.
I had hoped I
steve patrick wrote:
So after you boot and wait for a bit- if you run gpudate /force , it
comes back successful yes?
Yes.
New policies apply without a /force.
And netlogon is only paused for a time. Do the DC's point to themselves
for DNS?
No. External DNS.
al
If so - you probabl
If you have not already, have you run dcdiag on those machines? I'm curious what it says about dns and updating records etc
Al
On 5/31/06, Al Lilianstrom <[EMAIL PROTECTED]> wrote:
steve patrick wrote:> So after you boot and wait for a bit- if you run gpudate /force , it> comes back successf
How about:
Runas /netonly /user:target_computer\username "eventvwr.exe
/auxsource=target_computer"
Mike Thommes
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, May 31, 2006 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: [Active
Sorry for the last incorrect answer. Try this:
runas /netonly /user:domain_or_target_computer\username "mmc.exe
eventvwr.msc /computer=target_computer"
Mike Thommes
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, May 31, 2006 11:3
On 31/05/06, Thommes, Michael M. <[EMAIL PROTECTED]> wrote:
How about:
Runas /netonly /user:target_computer\username "eventvwr.exe
/auxsource=target_computer"
Interestingly - that prompts for the password, and launches
eventviewer - but it's pointed at the logs of the local machine :-(
Thanks
That's done it!
Thanks - you've saved me from 'Remote Desktop Rage' - that situation
where there's too many people in need of an RDP session to a box with
insufficient licenses ;-)
On 31/05/06, Thommes, Michael M. <[EMAIL PROTECTED]> wrote:
Sorry for the last incorrect answer. Try this:
runa
I bet you one crate to a bottle of German beer that your DNS is out to lunch.
Every time when I've seen this, it always goes away by kicking a DNS server
somewhere. Check your DNS servers.
Sincerely,
_
(, / | /) /) /)
/---| (/_
WMI is deprecated in E12. EMS (the Exchange Management Shell,
today’s “official” name for the Exchange version of PowerShell/Monad) gives one
access to lots and lots of information. So does the next version of .
Further this deponent sayeth not, not being exactly clear which vers
I suspect you are making this overly complicated. Can you state your
query in words?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, May 31, 2006 7:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP quer
Reading the last paragraph this is expected behaviour (feature).
Mark
SNIP/
832215
You receive event ID 1097 and event ID 1030 error events when you restart a
Windows Server 2003-based domain controller
This issue may occur if one or more of the following conditions are true:
Only one other
I have a sub OU with 60 users and I wish to apply a group policy to 55
of the users. I assume the easy way is to deny read permissions to the
policy for the handful of employees I do not want the policy to apply
to. I have gpmc open and looking under security filtering and can't
seem to figure o
That was indeed the case. In the mean time I got the query working, see my
earlier reply to Jerry Welch.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: woensdag 31 mei 2006 22:42
To: ActiveDir@mail.activedir.org
Subject: RE: [Acti
Anthony-
Unfortunately, the GPMC does not expose Deny ACEs in the same neat way that
it exposes Allow. What you have to do is go into the Advanced view on
Security Filtering, and essentially add the Deny ACE manually for that group
using the good old ACL Editor. The easiest way to do a GP deny is t
Why not just create a sub OU and put the 55 people in there?
To deny rights to apply, you need to be on the Delegation tab and click
on Advanced. Add a group and deny them the right to Apply Group Policy.
Deny permissions tend to make things difficult to understand, so I think
a better option wou
On the Scope tab of the GPO in the GPMC look at the Security Filtering
section. The default is to have the policy applied to "Authenticated
Users". Probably the easiest option for you is to:
- Create a group and add the 55 users as members.
- Remove "Authenticated Users" from the Security Filter
Sorry for the somewhat late response.
Clear answer Joe, The fact that you need something constant
really makes sense and explains a lot.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of joeSent: woensdag 24 mei 2006 2:55To:
ActiveDir@mail.activedir.orgSubject: RE: [Act
6) I write and use scripts all of the time. Mostly all perl
that leverage joeware tools, usually I am wrapping up adfind in this that or the
other script. In a very rare case I will write some _vbscript_.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al
MulnickSent: Wedn
Yeah I "chatted" with the EHLO blog guys over the whole
MONAD thing in their comments. From what it sounded like, they still forget that
people run more than one Exchange Server on a single Gbit subnet so assume
unlimited bandwidth between the management stations and the Exchange Servers.
Th
Does this rate as cooler?
(&(objectCategory=)(systemFlags:1.2.840.113556.1.4.803:=2))
In adfind, you would do something like
adfind -config -rb cn=partitions -bit -f
"&(objectcategory=crossRef)(systemflags:AND:=2)" -flagdc ncname systemflags
F:\DEV\cpp\MemberOf>adfind -config -rb cn=partit
If you are interested in doing this over LDAP, you are on the right
track. One way is to look for crossRefs in that container like you are,
but only look for those with flag FLAG_CR_NTDS_DOMAIN set in
systemFlags. You'll find that config and schema don't have this set, nor
do arbitrary app partitio
Hey I like that pic, that is why I posted it.
:)
See how observant Brett is?? I actually sat down and had a
burger and a drink with him and he didn't catch my last
name
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al
MulnickSent: Wednesday, May 31, 2006 10:44 A
Title: AD lag sites and replication
You can look at the ACLs on your NC Head objects to see who
can do what, but last I checked, it didn't even take domain admins to force
replication, a normal administrator account could do it.
Anyway, an admin or a domain admin could always escalate to
e
> Probably more than you ever wanted to know
> about machine account password changes.
No not at all, all of the technical detail you can share is always good
Steve.
Thanks!
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent:
Sorry for the delayed response.
Yes, all of my tools are written with Borland Builder C++
Pro, mostly version 5.0 but I am slowly converting to version
6.0
While I don't do it much, I find the RAD dev environment
for unmanaged C++ completely missing in VS... mostly because it is. For some
It depends on what info you have captured for the objects,
what info is scrubbed in the tombstone, and how you personally feel about
it.
I personally prefer to reanimate objects over restoring
them. When you do a restore there is always a possibility you can hurt yourself
pretty bad. Reani
:o)
I can imagine
Something I like to recommend to folks is to monitor
password changes. Depending on how big you are you may even want to do it daily.
It is a great way to keep an eye open for various issues. For instance if
passwords aren't being changed in the normal periods at t
Did this end up being a problem with DNS?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, May 25, 2006 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Slow Boot Up
Morning everyone,
Recently all my wkstns are taking
FWIW... I haven't seen a blank message in some time now...
Did you change something Tony?
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al
MulnickSent: Saturday, May 06, 2006 7:56 AMTo:
I was going to say the same thing. Also, if you are using .NET 2.0, the new
S.DS.ActiveDirectory namespace has tons of cool ways to enumerate domains in
a forest, DCs in a domain (and by site), etc. The domain enumeration code
uses very similar LDAP searches under the hood. The DC enumeration
BTW.. to Brett... Joe is like "Cher".. he doesn't need a last name
joe wrote:
Two directories doesn't mean you
are doing it for two auth domains. You did this in E55, the Exchange
forest is simply for holding resources and the "real" directory handles
the auth.
I don't have
I am not aware of any limits in the size of DLs specific to
Exchange. There is a recommendation to keep your DLs less than 1000 members.
However, I expect that this is due to attribute ranging which in Windows 2000
was 1000 attributes and in Windows Server 2003 AD that is now 1500 members. Th
I.E. This is easy money for the company, please don't distribute the tool
that collects the data as that is really the whole ADRAP for the most part
unless the people getting it really haven't a clue what they are doing with
AD at all at which point you should be looking at spending money on gettin
admod -b "" schemaupdatenow::1
Or put this in an LDIF file and execute it with LDIFDE
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-Original Message-
From: [EMAIL PROTECTED]
The quality of AD admins in even very large orgs varies more than the
engineers delivering the RAPs. I've seen "AD administrators" that literally
had no clue what DSRM was, how data is transferred between DCs (doesn't FRS
replicate users, too? Or, AD replication is broken so SYSVOL isn't
replicat
There is no hidden setting... However, here is something
that might help you
http://blog.joeware.net/2006/06/01/392/
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mr
OteeceSen
Title: AD lag sites and replication
1)
We are talking about blocking
the replication to and from a lag-site, and the good thing about using a
firewall is that we are able to block users and memberservers authenticating against
the lag-site. You do not want anyone to authenticate again
> Probably more than you ever wanted to know about machine account password
changes.
Not at all - my brain sucks that stuff in. To be complete: was it the same
with NT4, or was there such a thing as half-time renewal? What's the
required level of netlogon-debug-logging? 1 enough?
Don't you want t
Nice Picture Joe!
Mine is at www.sjpc.org/~medeiros
Jose
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 31, 2006 4:11
PM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir][OT] New DC
can't find the machine account
He
Agreed I have many things that need to go into a blog and that is likely
something I will be working on in the near future. I just hate to set
one up on technet and then not post, like someone else we know who took
forever to get their first post up and happens to open the garage doors
on campus.
70 matches
Mail list logo
