You can do an x-domain simple bind within the forest. You can not do it
x-forest.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Tuesday, January 23, 2007 3:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] "Who Am I" requ
I can think of a few in the 30's, 40's...maybe 50-75, I forget the exact
numbers. In production, that is. The bottom line is that we don't keep
track, so use 25-100 as a working range of what we've seen lately,
understanding that there are probably larger that we just haven't seen
for a while. (Tha
Exchange should not be in the business of patching kernels. It's just
bad form.
That said, it's not clear to me what the "right" answer is either. You
want to get people the fix that need it but you don't want to go out
there and start swapping kernel components on a user. That's just not
the righ
Can you give us some data? Like, when it dies, what do you see? Is death
a blue screen? Or something else?
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, December 13, 2006 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SBS Dies Twic
From a pure LDAP perspective you can expect similar perf numbers on AD
vs. ADAM.
For medium sized directories (like 10M) I'm of the opinion that there
isn't a huge advantage to ADAM over AD. When you get larger (high tens
of millions to hundreds of millions or billions), ADAM gets more
interesting
Not that I really care if people say M$ or
not, but I thought I’d comment on one thing, in the name of full
disclosure….
My participation on this list has __nothing__
to do with money. I don’t get compensated on any level for this. Heck, I
don’t even work on AD anymore, so this is like
Title: Re: [ActiveDir] Need some advices
Right...I always forget what is released and what isn't.
From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wed 11/1/2006 8:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Need some advices
SP
SP2 fixed this and it should be back to 180 days. The r2 thing was a mistake.
~Eric
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 01, 2006 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Need some advice
ch of: 'OU=USERIDS,DC=Domain1,DC=x,DC=y'
0 Objects returned
--- Eric Fleischman <[EMAIL PROTECTED]>
wrote:
> You can certainly kick GC off by hand to clear that
> up.
> If you have the problem on a GC though, how are you
> to blame a phantom?
> If you navigate to
or 4-6 show the user having a manager.
Around the time this happened back in 2003 there had
been some incorrect Infrastructure Master placements.
However, Domain2's IM appears to have been correctly
configured. Not sure if that is just a red-herring to
lead us down the phantom path.
--
If you want to do a secure bind, no work required...just put ADAM in the
domain where the users reside (or a trusted domain) and bind away.
If you want to do a simple bind, you probably want to create proxy users
for your AD users. There is no right way to do this, but adamsync is one
way: http://b
From the data provided below it sounds like you have a lingering object
& a lingering link value...not tragic, pretty straight forward to clean
up. If you could be more specific as to domain layout & in which domain
each user resides we could likely provide steps to fix this up.
If you search KB
Turn logging down to 0.
I would note that there is no notion of
log generations, so your worst case here is 2* log size (where log size
defaults to 10MB), so worst case it should only be 20MB, and deleting the
archive is of course trivial.
More generally, we do reserve the right to
wri
cation was not
> possible.
> These did not suffer this poor design issue, but I wonder if I will get
> such an app eventually. I suppose I am just trying to solve a problem, I have
> not been forced to solve by this method, which means it can wait.
>
> I could go into how it
One solution would be to ACL all objects such that SELF can read them,
then have the app, after it has authenticated as the user, try and read
something on the user itself. This way you know you are in fact that
user (or someone else that has read access, which presumably won't work
as anonymous).
In my own mind I've wrestled a lot with whether or not I like auth via
LDAP. I've come to the conclusion that it's ok, and that we should build
mechanisms to facilitate it. Things like tokenGroups on RootDSE speak to
this, but we should do more.
LDAP is easy. Anyone can write an LDAP-based applica
e a bug on the audit thing. I think that would be
nice,
even with ADAM in the mode to reject insecure simple binds, because you
could find out which clients are attempting it.
Joe K.
----- Original Message -
From: "Eric Fleischman" <[EMAIL PROTECTED]>
To:
Sent: Sunday, Sept
> I'd love to see an AD and ADAM option that would allow the DS to
> reject simple bind operations on non-SSL ports
We agree. That's why we built it in to the product. :) Well, in to ADAM
that is.
See object CN=Directory Service,CN=Windows
NT,CN=Services,CN=Configuration,CN={}. Check out the attri
gives us an idea that we
> shouldn't build our hopes too high for the multiple-password-policies
> feature at this stage in the LH development phase. But I'll keep
> hoping anyways.
>
> /Guido
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf
Administrator password policy
Eric,
can you already
state publicly, what the chance of this feature is to make it into Longhorn, if
at all? Or is this still NDA?
Thanks,
Guido
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Saturday, September 02
A few comments, in no particular order…
> I can visualize mechanisms to pull this off in the existing GPOs or
> to do it outside of the GPOs
Well sure…it doesn’t take a
visionary to see how this could be done. ;) See LDAP policies for one such
example (though by no means the only choi
To be clear as your comments don’t
seem to indicate the “why” as much as Nathan’s did, we were
less interested in the bandwidth savings and more interested in the accuracy of
the list. Non-LVR link values have a value loss potential on conflicted write
across DCs.
~Eric
F
I haven’t read the entire thread which has
happened, but IF you managed to delete it, ping me offline and I can help you
recreate it. But I would be totally sure it is gone first….a database dump
sounds like a fine way to confirm.
~Eric
From:
[EMAIL PROTECTED] [mailto:[EM
but after that amount of information from you, Dmitri and Guido,
I'd hate to leave that stone unturned.
I'll ping back if I get lost watching the traces. I appreciate the
offer and you guys taking the time to discuss this.
Al
On 7/28/06, Eric
Fleischman
ns about the branch environment and how autonomous it is.
Outside of "GP work" what else comes to mind that is
off-loaded to the local site that you can think of?
Perhaps I'm looking at this sideways?
On 7/28/06, Eric
Fleischman <[EMAIL PROTECTED]&
To add a bit more…
> The part that makes me wonder about the "story" is if it stores no secrets is the server
> doing anything for me?
The short answer is yes.
The bulk of the work that a DC does, even
in the auth code path, may not involve the secret. So even if the secret
checking
> The exception to this is the edge case of Eric's big DIT[1] in which
> he dumped 2TB of data into AD in a month at which point he did
> something that few people see, pushed the IOPS on the log drive
> through the roof.
Actually, log IOs were quite low, considering. I bet a single spindle
pair w
Taking offline.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, June 13, 2006 7:20 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] corrupt vmware DC
Booted up VMware with DC (2003, SP1) on it yesterday
and got an
--Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, 9 June 2006 10:38 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts
After this thread (I believe Dean asked what the error was at one point,
but I can'
r the next
few days.
~Eric
-Original Message-----
From: Eric Fleischman
Sent: Wednesday, April 19, 2006 7:39 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] User Accounts
> DNTs are reusable in ESE, however ADs implementation does not allow DNTs
> to be rel
Very interesting.
Can we see the VHD before you blow it away? I can set up a place for you to
upload it to. Please let me know how large it is...just ping me offline and we
can coordinate.
~Eric
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirk
Correction: the GDO and I are tied. I posted again this morning, just to
spite you.
~Eric
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 01, 2006 6:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Machine Pssw
If you are interested in doing this over LDAP, you are on the right
track. One way is to look for crossRefs in that container like you are,
but only look for those with flag FLAG_CR_NTDS_DOMAIN set in
systemFlags. You'll find that config and schema don't have this set, nor
do arbitrary app partitio
Title: RE: ADAM Schema Questions
1) Off the cuff, I’d speculate you hit init sync. If there is no
partner and you have not replicated, FSMO roles will reject operations that
leverage their FSMO-ness due to init sync requirements. The idea behind this
was to stop old FSMO role holders
The tool is not the property of anyone on this list. As such, making it
available on the list would be inappropriate.
The goal of this tool has never been to be a stand-alone AD monitoring
tool, nor even a snapshot tool. Rather, it was built specifically around
the field offering of an AD risk ass
> DNTs are reusable in ESE, however ADs implementation does not allow DNTs
> to be released / reused on a single server, and the database will only
> "reuse" them if you recreate the DB by repromoting (cause the data is
> replicated from other servers into a virgin ESE, and DNTs are assigned
> from
44zcz> http://tinyurl.com/44zcz
|> Weblog: <http://msmvps.org/UlfBSimonWeidner>
|> http://msmvps.org/UlfBSimonWeidner
|> Website: <http://www.windowsserverfaq.org/>
|> http://www.windowsserverfaq.org
|> Profile:
|>
|<http://mvp.support.microsoft
rry, if this mail used too much lingo, it was aimed at the
|super experts (Dean, joe, et al), I'll try to digest it into a
|series of more edible blog posts that would explain the terms
|as introduced ... :P
|
|Anyway, all I'm saying, is the Garage Door Operator has never
|heard of this 2
Title: User Accounts
Good thread.
A few corrections, for the sake of keeping
the search engines fresh….
The underlying store used
by AD supports a theoretical maximum of 4.2 billion rows (limited by the
32 bit DNT or distinguished name tag)
Actually, you can only have 2^31 DNTs.
If you turn up internal processing, do you get any more data about this
condition?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, April 12, 2006 6:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication issues on
Can you be more specific? Can
you show us a specific query you wanted to issue that failed?
Seeing a specific search might let us know
a bit better what you are really after.
~Eric
From: [EMAIL PROTECTED] on behalf of Bart Van den Wyngaert
Sent: Wed 3/1/2006 6:42 AM
To: ActiveDir@mail.a
The client wants to get a cert back with a
name that matches the resource it connects to. Else, you connected to a
resource but got a cert for a non-matching resource, so perhaps there was
something like DNS spoofing that tricked you in to going there. This is
potentially bad.
Set up ea
Also, the AD management pack for MOM is in
this category. Further, they documented everything that the ADMP does so that
you could roll your own, or port it to another mgmt platform if you so choose.
~Eric
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alm
put
it
down in words why. I just don't. :)
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, December 06, 2005 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption
I would genera
etstress I would
not
> > use that box in production.
> >
> > If you do reproduce the issue several times (several times is key, as you
> > want a trend before you start playing the variable game), some things
> > you might vary (one at a time):
> >
> > - Try making s
Title: [ActiveDir] Ntds.dit file corruption
Going back to the original
post, I'm not sure I fully understand the problem yet.
Susan, can you define "ntds.dit file
corruption" for us? What sort of corruption? What errors/events lead you to
believe this? Specifically, I'm interested in error
pretty benign and trivial (well, aside from all the logs on
DC's)?
I won't be in work till Monday to get and apply the fix. Will it hurt
anything to wait till then?
Thanks a lot.
On 12/3/05, Eric
Fleischman <[EMAIL PROTECTED]>
wrote:
We have observed thi
We have observed this in the past on many
systems. It may not be the same issue, but it is very likely the same.
It was cleared with a QFE we built as
there was a Windows issue at play.
We have had threads on this previously: http://www.mail-archive.com/activedir@mail.activedir.org/msg249
I would have SWORN there was an issue in
this code path, but the details escaped me.
So I pinged Steve offline who remembered
the details…..basically, it’s this: http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395
So that could be what you’re
hitting.
With some more deta
Since you are saying the file is there but netdiag can't see it.
If I were a betting man, I would say for some reason the context under
which netdiag is running does not have perms to read the file. The code
in question does an fopen() on it with parameters "rt". I suspect,
though don't know, t
I think you need to consider that the export to XML is far less
difficult than the import back in to the directory on the other side.
Joe raised one...the ACL problems. And there are other problems you
need to fix too.
For example, you have a user and a group, the user is in the group. You
need
Sudhir do you have a network sniff of the original problem? I think
that's likely the easiest way to diagnose this. That way we see the
problem itself.
~Eric
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 9:04 A
And please be sure to note the part of Michael's mail below here he said
"stable". I once talked to a customer who was syncing DCs to an external
clock that rolled back ~20 years. I assure you that was not the best day
ever for this admin. :)
~Eric
-Original Message-
From: [EMAIL PROTECT
Actually better would probably be dumpDatabase.
~Eric
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, August 21, 2005 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hidden objects
Well on reflection, the answer to this regardl
Title: RE: [ActiveDir] cloning DC's
I'm not equating it with
cloning in the impact to the directory nor steps followed, only in the typically
desired result of most who try and clone (most who try and clone typically do so
to bring up a DC fast, which is effectively what IFM gives you, jus
There is a way to have your cake and eat it too, however.
Take a backup of the DC, then use the install from media (IFM) feature
to dcpromo more machines in to the environment using the backup taken as
a seed for the dataset. This will allow you to rapidly bring up new DCs
without having to re-sou
t it
being the case, I'll take a look at the source again and see if I can't
solidify this. Thanks for the input.
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Slight modification inline.
~Eric
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, August 13, 2005 6:34 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] trust question
My apologies if I appeared to be yelling earlier, tha
When it comes to auditing, the question really is what are you going to
do with the data, not should you collect it.
I'd encourage you to pick some questions you want to answer, then figure
out what data you need to answer them. Then wrap it up with how to
collect the data. Really, it's hard to ans
Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, July 12, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Confidential Attributes (was RE: [ActiveDir] Who was asking
for a list of SP1 changes? I think it was
> > ~Eric wrote:
> > We actually block all base schema elements if I remember correctly.
> No you don't. Of the 1070 base schema attributes, you only block the 1007
> ones that are marked as category 1. The remaining 63 attributes, such as
> msDS-ExternalKey, are not marked and therefore don't hav
information,
Eric. You've only mentioned sidHistory - does the same apply for the
password?
/Gudo
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, July 11, 2005 16:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep
existing attri
Title: RE: [ActiveDir] Keep existing attributes from users restored.
> BTW, Win2003 SP1 has updated some search flags, so as to add the SIDhistory and Password attributes to the
> tombstone (I believe this is only valid for new installation of AD).
Actually, not quite. For sidHistory,
nkId=45972.
>
> The link takes you to a document from March 28, 2003 which I highly
doubt has more info about confidential attributes. This is something
that actually requires you to make changes to use, not like saying hey
we also keep SID Histories in the tombstone objects now which doe
Can you dump the SDDL string of the domain
head security descriptor for us and share it out?
(feel free to send it to me offline if you
are more comfy that way)
You can do this with ldp or maybe dsacls
(I forget if dsacls can show you the raw string or not, but I know LDP can).
~Er
] Recursive
serach on Root domain failed.
Eric,
I would blog it and
then those that are interested can pull the blog post. What is your blog
address?
Chris Haaker
ITS Infrastructure
x7841
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric
ations !!!
But I noticed that for php scripts, the error still
remaining... any thoughts ?
Thank u very much eric for the invaluable help u provided me
:-)
Cheers,
Yann
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Sunday, June 26, 2005
So I am writing a longer note about the
history of VLV fixes we’ve thrown at it and why, but haven’t
finished yet, and am trying to decide if it is best done in a blog post or an
email to this list (it’s 2 pages so far).
In the interim, a couple of thoughts….
From the DSID you’re getti
But as has been said in the past on this list, this approach is probably
going to be thwarted by more crafty admins who know how to obtain the
password anyway.
So fundamentally, there is a security issue here.
So long as you're willing to live with that issue, the approach will
work I'm sure.
~Er
I also posted to this dl once before on MaxPageSize. The same argument
could be made for MaxValRange as I made for MaxPageSize.
~Eric
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, June 17, 2005 11:15 AM
To: ActiveDir@ma
AD itself shouldn't care (if
it will care, I can't think of why right now, but then again it's only 8:32am,
far before I am usually able to recall much). But someone who does broadcast, or
maybe WINS gets mucked up as a result...they very well might care that a domain
they think has some
Rename it?
I will admit, I’ve never actually
tried this, but I know people who say it works. I think you should try this
procedure, on a test box first, and report back. Maybe you should do it to an
BDC you bring up just to test, isolated, and see how it goes.
http://support.microsoft.
performance
Importance: Low
... and you wonder why people criticize MS
documentation ;-) LOL! (just teasing)
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent
@mail.activedir.org
Subject: RE: [ActiveDir] LDAP
performance
You did a "*" the first time!
:-)
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, June 14, 2005 5:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP p
790.0
shp 31,744 03-25-2003 netstat.exe
Windows XP sp2
C:\>filever
c:\windows\system32\netstat.exe
- W32i APP ENU 5.1.2600.2180
shp 36,864 08-04-2004 netstat.exe
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, June 14, 200
Title: LDAP performance
Netstat -* will yield this info.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, June 14, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP performance
Great article joe. I
It's hard to really give any sort of analysis with the data provided.
Do you have any network traces of entering "failure" state that we could see?
With that hopefully we can provide more guidance.
~Eric
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
I've set up iSCSI several times.
Do you have an error to cite?
~Eric
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, May 31, 2005 12:44 PM
To: [ExchangeList]; ActiveDir@mail.activedir.org
Subject: [ActiveDir] Microsoft ISCS
Fix: Q826925, or SP1.
~Eric
-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 20, 2005 10:07 PM
To: ActiveDir@mail.activedir.org
Cc: Eric Fleischman
Subject: RE: [ActiveDir] LDAP Operations Error when running LDAP / GC
Searches
What operating system and service
ter list.
~Eric
-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 20, 2005 10:07 PM
To: ActiveDir@mail.activedir.org
Cc: Eric Fleischman
Subject: [OT] Password changing and Microsoft Network - was RE: [ActiveDir] GPO
not applied - thinks it is empty
Hey ~Eric.
>
F I find out).
How does MS IT do it?
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
From: [EMAIL PROTECTED] o
Changing MaxPageSize as the solution to “the
max # of objects you can retrieve” is almost always a bad idea. You
should use paged searches.
Here’s a bit I wrote in a mail to an
alias internally just yesterday on this very topic:
For MaxPageSize……tweaking this might be ok today, or
ev
http://www.microsoft.com/downloads/details.aspx?familyid=C3C26254-8CE3-46E2-B1B6-3659B92B2CDE&displaylang=en
I didn’t read it for completeness, but spot checked,
and many are there. Though certainly not every one I’m sure.
~Eric
der
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, May 09, 2005 9:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to
enumerate scanners in a domain using ADSI/WMI
So this data would not be available in AD.
You’d need to call down
domain using ADSI/WMI
I am sorry for not being clear. I meant
scanners that scan photos. Also I am interested in then knowing the attributes
like if scanner is colored or not?
Thank You
Manbinder
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent
Scanners? Like scanners that scan your
photos?
Or like network sniffers (which some
people call scanners)?
Or something else?
Can you clarify Manbinder?
~Eric
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manbinder Pal Singh
Sent: Saturday, May 07,
Next time, taking a dump of winlogon at
100% (actually a couple a few seconds apart) would be interesting. With that we
can see what it is chewing on, and perhaps get root cause.
~Eric
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Clark
Sent: Thursda
If I could ask what might be the obvious,
from a security perspective….
If you have a policy out there resetting
the local admin password, how are you storing the new password in the script?
Hopefully you have something very clever in place, else I can get the local
admin password out o
are though. The docs you referenced indicate a configuration that
would be a PITA to manage in terms of reliability and effort IMHO.
Al
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, May 03, 2005 3:20 AM
To: ActiveDir@mail.activedi
More generally, AD doesn't care who the client is, it only cares that
the client can play by the rules...LDAPv2/3, for password ops a secure
LDAP connection, etc. In fact, there isn't really a good way for AD to
know what OS/client side LDAP API/etc. a given LDAP client is running.
We just service
Title: RE: [ActiveDir] Ocra
I know someone doing auth from Solaris 9
and 10 against AD via Kerberos in production. I don’t know how they are
populating /etc/passwd but can find out.
I’ve never used NIS against AD so
couldn’t say what’s going on here.
~Eric
From:
[EMAIL P
could
> > give a _rough_ idea for a paticular query, but remember latches
> > aren't unique references, so if a single query internally has to
> > read a page several times, that will be several latch counts.
> >
> > ...
> >
>
Correcting myself inline (full of that today aren't I?).
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 10:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cach
al reasons but I, at least, would find
that
info interesting.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 8:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached
see this, holler, and we can provide steps to
clear this. It's a trivial fix.
~Eric
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much
TECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 5:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
You beat me to the reply, thanks Brett.
A better way to think of this Joe is that a subset of the DIT is in RAM,
as much as we c
You beat me to the reply, thanks Brett.
A better way to think of this Joe is that a subset of the DIT is in RAM,
as much as we can fit, assuming 1) we don't run out of memory to use 2)
we don't have pressure to back off. And we try and pick the best pages
to cache ("best" definition omitted for no
> Is this expected? Or should I be getting a different output?
Expected.
~Eric
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Sunday, April 24, 2005 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 Native - gp
I would point out...the presence of the objects Guido cited does not
say that forest/domain prep has been run, it says it completed
successfully. If you ran forest/domain prep and it failed, that object
would not be present, but instead you'd only have the operational GUIDs
for each of the operat
I IM'd with Dean about this and found the DCR where we took this. Then
confirmed the checkin...SP3 is the first SP that adds it.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B.
Smith
Sent: Wednesday, April 20, 2005 10:43 AM
To: ActiveDir@mail.
1 - 100 of 365 matches