Now the real challenge is to build a relatively simple filter that will select
only the server SKUs or just the client SKUs. It looks like you can do it for
Vista/Longhorn, but it gets progressively nastier as you go back to XP and W2K.
Wook
-Original Message-
From: [EMAIL PROTECTED]
If you can view the event logs remotely, then you should be able to run DCDIAG
remotely as well as REPADMIN.
DCDIAG /S:remoteDCname
REPADMIN /showrepl remoteDCname
Wook
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, January 17,
For the edification of some on the list who might not be familiar with tracking
down the perpetrators of an object deletion: You should take a look at the
object metadata for those deleted computer accounts. The DC where the deletion
occurred will be listed as the DC where the name attribute
I've seen errors like this on a server that either had a bad NIC, bad drivers,
or was connected to a bad port on a switch. The only way I was able to correct
it was to switch the primary IP address to another NIC in the server that was
connected but not configured. It was an interesting
Assuming the servers are at least Windows 2000 or newer, the administrative
tools can be installed using adminpak.msi which is found in
%systemroot%\system32 which is usually c:\winnt\system32 or c:\windows\system32.
It is also possible to delegate control in the AD over a couple of servers
Even tools that would help with this sort of thing just in the AD would be
welcomed. As far as I know, there's no GUI for finding out all the places just
in AD where a particular security principal is asserted. I'd like to be able to
find any (non-inherited) ACE that refers directly to a user
Another difference is that you still have the potential for inter-site data
compression though it will not happen as often since the changes may not reach
the compression threshold as often. It all depends on how big the replication
packets are. At one point the threshold was something like
I should point out that you can get dangling SIDs even when the relevant user
or group is still in the AD. The scenario involves SID History and the
migration of security principals from one domain to another.
Suppose a security principal, say user X with SID X is migrated from domain A
to
Also, replication metadata would only show when the last change was made. If
an account is disabled, re-enabled then disabled again, the metadata timestamp
on the UAC attribute would only show a change at the time of the final
disabling and then only if we assume that no other changes were
When are you planning on increasing the functional levels of the domain
and the forest? There are several features of Windows 2003 AD that you
do not get even if you've upgraded the DCs unless you also bump up the
functional levels.
When you bump the forest functional level, I believe there will
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, April 28, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion
I thought
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, May 05, 2006 1:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion
I wasn't claiming that it would pick the DC for regular replication. We
were
talking GC promotion and I did throw in the weasel words about PAS
in. :)
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Lee, Wook
Sent: Friday, May 05, 2006 1:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion
Querying using the MemberOf is the only
way to do that in any LDAP-based utility. There is no way to get a result set
of objects by querying an attribute of an object. You can get the list of DNs
by returning the member attribute in the base-object search of a group, but
that's not the same
PROTECTED] On Behalf Of Lee, Wook
Sent: Monday, May 01, 2006 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Saved
queries
Querying using the MemberOf is the only
way to do that in any LDAP-based utility. There is no way to get a result set
of objects by querying an attribute
I thought that if there is a writable NC in the same site, it would try
to use that, but maybe that's just for PAS replication.
Wook
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 28, 2006 11:55 AM
To:
have no
clue :)
neil
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: 20 April 2006 19:37
To: ActiveDir@mail.activedir.org
Subject: RE: going wyyy OT [ActiveDir] stupid ldap queries
So would the correct Latin be viri? We used
to post your
creative work so everyone is in on the joke, I am sure some folks would really
appreciate it. :)
joe
--
O'Reilly Active Directory
Third Edition - http://www.joeware.net/win/ad3e.htm
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent
So would the correct Latin be viri? We used to sometimes refer to more
than one VAX as VAXen using the ox/oxen model. Multiple facsimiles would
then be faxen.
Wook
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Thursday, April 20, 2006 9:22
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Lee, Wook
Sent: Tuesday, April 18, 2006 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid
ldap queries
I never understood why Microsoft chose not
to index objectclass by default. I indexed
In general, I would make the decision based on who needed to be allowed
access and who needed to control that access.
Assuming that you want to have a point of control to be in the domain
where the OU and groups are, then here's what I'd do.
Admins can only be from the same domain as the OU: use
I never understood why Microsoft chose not
to index objectclass by default. I indexed it in our directory as soon as we
got the go ahead from Microsoft that it was supported. That was years ago.
Wook
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Up to this point, all we've talked about really is storing these
puppies. For me, the real question is whether all of these user objects
can actually be made use of. For example, if you wanted to use these for
authentication and authorization, you presumably have to start adding
them to groups
the schema
Do you have any specific examples of the
domain-wide ACLs I can keep an eye out for? Unfortunately we don't have
much say in this, the 'powers that be' want it implemented, and quickly.
From:
[EMAIL PROTECTED] on behalf of Lee, Wook
Sent: Tue 4/11/2006 7:01 PM
Well, if it's going to be in Asia, then joe and Dean should set up an AD
Dojo or Xaolin temple so they can teach the young grasshoppers how to
walk on rice paper without leaving a trace. Or they can continue to
strain their relationship with George Lucas :) and set up a real AD Jedi
Knight
I certainly hope so!
Wook
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, March 30, 2006 7:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?
What happens in Henderson, stays in Henderson ;)
I've always thought that gambling in general was a tax on those who don't
understand probability by those who do understand brain chemistry. I lost $0.
Though it was sometimes fun watching other people support the Las Vegas
economy. What's lost in Lost Wages stays in Lost Wages. :)
Wook
I also want to thank Gil and Christine and Stella and all the rest of the folks
at NetPro for another great DEC conference, even Kevin Hickey who seems to
enjoy putting me on the spot every year. I like to extend my own special
appreciation to Pamela Dingle who so brave-heartedly stepped up to
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, March 31, 2006 3:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?
Title: ldifde question
Just add member to the list of attributes.
Wook
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, March 24, 2006 8:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldifde
question
Hi,
Using
The sequence is of course to export the users and import them first.
Then export the groups then import them. If you're doing a big
directory, you have to watch out for adds/modifies/deletes that occur
for users while you are dumping the groups. Generally not a problem if
you export during a lull
You can't. The delegate wizard is write only. You have to look at the security
descriptor on the OU and figure out what changes were made.
Wook Lee
AD Architect - HP IT
From: [EMAIL PROTECTED] on behalf of Harding, Devon
Sent: Fri 3/17/2006 10:52 AM
To:
I find that it’s much better to add
DNS afterward. Metadata clean up is not too bad these days and should get even
better. DNS cleanup is a royal pain in the backside especially if you have a
large number of sites. Scavenging can help if you have the time to let it kick
in,
Dare I suggest a shrubbery? ;-)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley
Sent: Wednesday, March 01, 2006 7:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SBS 2003 Domain/Forest Rename
And remember we are a single
: Wednesday, March 08, 2006 2:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SBS 2003 Domain/Forest Rename
And not too expensive.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Wednesday, March 08, 2006 3:05 PM
To: ActiveDir
There are still situations in Windows 2003
where a single bridgehead can be configured even when there are multiple
available. Let me know if you're curious.
Wook
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Bernard, Aric
Sent: Wednesday, February 08, 2006
Title: Limitations and issues with domain local groups and GC replicated data
One ramification of this behavior is that
if you have an outbound trust relationship and want to grant read access to a
security principal in the trusted domain, you have to either refer to it
directly or via a
Sorry, I already did that one. My first
DEC presentation was entitled When Bad Things Happen To Good Directories.
:)
Wook
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 19, 2006
8:02 AM
To: ActiveDir@mail.activedir.org
Yea, with a caveat. You need to be careful
when mixing DNS implementations. We've seen cases where forwarding of
dynamic updates breaks because of bugs in one or both implementations. The
moral of the story is to test, test, test, then deploy and keep your fingers
crossed because there's no
Title: Message
You can have collisions between a domain controller SID and a member server SID
when two machines have duplicate SIDs and one is DCPROMO'd and the other is
joined to the new domain. The error messages that are logged say something to
the effect that the domain and the member
Just because there is a link defined doesn't
mean that a connection object will necessarily be generated. For example, if
there are three sites SiteA, SiteB and SiteC all with links to each other and
all at the same cost, the ISTG may only create connection objects linking SiteA
to SiteB
understand.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, January 12, 2006 10:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts
Here are some of my ADUC pet peeves and wish-list items.
Let's have an expert's mode where we don't change the names of the
attributes things that are user-friendly like calling samAccountName
User logon name (pre-Windows 2000), Kind of a cross between ADUC and
ADSIedit or like that E55 admin
FYI: Here's the Microsoft KB article
for using LDP
to find deleted objects in AD.
http://support.microsoft.com/default.aspx?scid=kb;en-us;q258310
Wook
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Tuesday, January 10, 2006
9:05 AM
Ah, now we're really dragging out the old war horses. My first job at
DEC was writing CBI courses for the DECmate WPS+ list processing module.
They gave me a Robin (think VT100 with a processor and dual 5.25 floppy
disks) to use at home (a little basement studio next to the laundry room
in the
In LDP you have to set the Return
Deleted Objects predefined control (OID 1.2.840.113556.1.4.417) on the
query.
Wook
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, January 10, 2006
8:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re:
Is there a reason why you can't just put an ipconfig /flushdns into the login
script? :)
You can also disable the DNS cache
altogether by stopping the DNS CLIENT service. Be aware that doing so also
causes your clients to generate more DNS resolver traffic. Stopping and
restarting the
How about using some kind of one-time
passcode associated with a PKI-based login? If some
central authority held the passcode generator and only handed out the passcodes
on request, that might get you to the behavior you're looking for. Still,
it's not trivial to set up something like that.
Title: RE: [ActiveDir] OT: DEC 2006
I'm doing my regular lounge act at DEC. I don't know if I'll be able to make it
to DEC 07 if I have to pay to play (the DEC that will live in Infamy if they
make us pay, haha). Maybe they'll let me come if I volunteer to help set up or
maybe do janitorial
Windows 2000 AD is wide open compared to Windows 2003. The lack of anonymous
access is most likely the reason why your app can't read group memberships.
This is assuming that it's trying to query the AD using LDAP. It would probably
have more success if it used Windows API calls to list
] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Wednesday, April 13, 2005
2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to
determine which is the default site
From the tests I've run so far, it's been pretty consistent that the first site
has a USNCreated of 4112
Title: How to determine which is the default site
The default first site is usually one of
the first objects created after the sites container itself. The USNCreated
attribute should be pretty small. For Windows 2000 it should be less than 3500.
For a fresh Windows 2003 AD, it should be
Title: How to determine which is the default site
From the tests I've run so far, it's been pretty consistent that the first site
has a USNCreated of 4112 for a fresh Windows 2003 AD. For forests that started
life as Windows 2000, I've been seeing 3493, but at least one forest has it at
1171.
Did you really expect anything less from joe?
Wook
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Tuesday, March 22, 2005 8:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have fun at DEC
OK, it's official, my head
Title: RE: [ActiveDir] Have fun at DEC
I also had a blast, in spite of the intense pressure and the $%*( anagram
challenge that took me all night to put together. :)
I was thinking that maybe next time for
the AD UP-All-Nighter we could disaster-recover a screwed up forest of two or
We use a couple of delayed replication sites
to help us fix screw ups more quickly. Don't have to restore from backup
if you catch the problem soon enough. There are security implications though,
so it may not be for everyone. It's helped on any number of occasions.
Who watches the
Title: RE: [ActiveDir] PTR records - why?
NSLOOKUP uses PTR records to verify resolvers and will skip resolvers that don't have a PTR registered if it can use one that does have a PTR registered. You only need to do that for the DNS servers though.
Wook
From: Douglas M. Long
Sent: Thu
Joe, (or is that joe) brings a good point. What exactly are you trying to prevent? Are you trying to prevent people from logging onto other people's workstations?
The casual user usually has no rights to log on interactively on a server unless they are on the list of local administrators.
Lana,
I'm going to go out on a limb here and say that it's probably a good idea to demote the Win2K3 DC and repromote while making sure that the DNS resolver is pointed at a Win2K DC/DNS server that host the _msdcs zone for the forest. I think that server is in a sufficiently weird state that
6, 9, what's a few timezones among friends
Interesting that lDAPDisplayName is optional in the classSchema class but mandatory in the attributeSchema class. I suppose it's possible for an object and an attribute to have the same name, but why would you other than to sow mayhem and mischief
Is it just me or does this sound like a replication island? (a.k.a. The Replication Roach Motel, i.e. changes get in but they never get out.)
Wook
From: Svetlana Kouznetsova
Sent: Wed 5/19/2004 11:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server
Well,
Title: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.
Just want to point out that what Joe is suggesting will work, but your mileage may vary. Remember that the domain A record will be resolved via whatever DNS servers are configured as your resolvers. If that's
"Cat People and Dog People: Differing Approaches to Managing Active Directory"
From: joe
Sent: Sun 5/16/2004 6:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Cats dogs (was A root dc question)
Wow I just reread this and thought I need to stop writing like this or I
am going to be
I thought SYSVOL is a better candidate for the ole stanky thang. That is where we find the turds.
Wook
From: joe
Sent: Sun 5/16/2004 7:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Cats dogs (was A root dc question)
Oh this is probably going too far but.
No, that three-day old
Great news. The script uses the RootDSE method for clobbering lingering objects. This capability is what is now available in Windows 2003 repadmin with the removelingeringobjects switch. It's more automated than the RootDSE method and doesn't require you to go fishing for a lot of GUIDs. We've
You'll notice I also avoided using the F-word as well. We include waving a rubber chicken (preferably one that screams) along with hiding behind a tree in the troubleshooting guide. If that doesn't work we recommend Sonar and Ultrasound (I think).
Wook
"Use the F-word
If you're able,
But be
3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
Thanks Wook for the additional feedback.
I wish we had 2003 deployed so I could have used the repadmin method.
Todd
From: Lee, Wook [mailto:[EMAIL PROTECTED] Sent: Monday, May 17, 2004 3:02 PM
Just to clarify a bit, there is a race condition when the DC boots where netlogon starts before some other services, e.g. the KDC, are available. Netlogon thinks the DC no longer hosts those services and deregisters the corresponding SRV records. If the deregistration fails for some reason,
Don't blame me. Guido's been twisting my arm for months to wade in on this list.
Wook
"If you think
There's no forever,
Add a class
Or add an attr."
"Schema Change"
P.S. Crazy hat? What's wrong with my hat? It's a perfectly good hat. Wide brim keeps that sun off; side clips up when I
Title: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.
Sounds to me like you need to hardcode a domain account and password in an ADSI bind, then do a dsgetdc. Not sure whether you can do that in VB or VBscript, but I believe that's what the domain join and
The problem with trying to patch remote systems via GP is that simple things like ICMP blocking can prevent GP from applying. And it only works for W2K and XP clients that are members of the forest. It's not uncommon for remote users to be on systems that are just workgroup members.
Wook