Oh, no! I didn't know Rick would be attending :) Oh, well. Now that it's too late to cancel, I guess I have to just learn to stay away from your CABANA :O)
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you
For the first part of this question, look at the TCP/IP properties of the new client you are trying to join to the Domain. Make sure that "Enable LMHosts lookup" is unchecked, then make sure you are pointing at the correct INTERNAL DNS server ONLY (no ISP DNS in there), reboot the machine and re
More likely DNS than WINS. Try bouncing the new Server, then restart netlogon on it (in case the MS04-011 is hurting you), then check DNS for the relevant SRV records. I know you said you looked in DHCP, but I have to ask if you made sure that the dead DC is not listed as a DNS server in your
Try reading "Authentication Topology" by Gil Kirkpatrick. I am not sure if it's a member-only doc, but it's available at http://www.winnetmag.com/Articles/Print.cfm?ArticleID=37935
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
I've decided to break ranks and reveal to the world EXACTLY what the MVPs are up to when they pay their annual pilgrimage to Redmond.
Every one of them comes and starts mouthing "It's NDA", "I really can't tell you", "Yeah, I heard that's coming soon but I can't say anymore..", etc, etc. Eve
Maybe this will help
http://www.akomolafe.com/DesktopModules/ViewDocument.aspx?DocumentID=33
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yes
The password will get replicated "out of band" [1] back to the PDC on a password change. See http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx, specifically check the piece on "immediate replication".
I missed this. Let's hope I don't get smacked t
You know me, Joe. If you say it's like this, I believe you. I have no doubt about what you see, but I'm telling you, I lived through this for the most part of early last year. It did not work as billed. I worked long hours with PSS before they came out with Alock and the rest. Now, things are mu
I think it would be better if you just clear the "Allow Logon to Terminal Service" attributes for all your users. Then you will come back and enable this attribute for any specific user you want to grant the right to. It's cleaner than trying to do this server-by-server. The problem with this, h
It would more likely be DNS if this were happening on boot-up. But he says this happens on resumption from a locked state. More likely to be AV or powersaving issue.
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com www.iyaburo.com
Do you now realize
What can I say? I'm still jet-lagged, I guess :)
Thanks for the pointer.
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Roger Seielsta
I don't remember telling you my middle name :p
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Rick Kingslan
Sent: Mon 4/12/2004 9:19 PM
To
I don't have a Win9X to test this on, but Win2K/2K3/XP is fair game for this:
Set wshNetwork = WScript.CreateObject("WScript.Network")
Set wshShell = WScript.CreateObject("WScript.Shell")
str_Group1_Share = "file://myserver/myShare1"
str_Exec_Share = "file://myserver/myShare2"
str_BS_Share
Check them/verify them for what? Check if they exist or if they are good?
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: David Adner
Sent
For Each theComputer In aryP1
    If UCASE(theComputer) = UCASE(strComputer) Then
        Printer1
    End If
Next
I wonder why you have to put this in an array and do it this way. But then, you understand your requirement and setup better. Also, are the spaces "\\Local_Print_Server \P1 " and ot
>>So say an Exchange Server that is responding to pings but isn't handling mail at all or not very well is considered UP for availability numbers.
This you handle by using the Built-in Exchange monitoring tool. You can roll your own sink to monitor queue and send you an alert IF it reaches a c
Hate to make you do this, but it would help if you could explain some more about your config.
If you look in the ISA log at the time you are issuing the nslookup against your DNS server, what do you see?
I see you made references to . Does this mean that this server is multi-homed?
If you could,
Carlos,
You did not mention your flavor of Windows. But I think what you described is a Win2K3 DNS behavior (EDNS-0) - especially since you mentioned ISA. Try http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_pro_ModifyEDNS.asp
HTH
Sincere
From where I'm sitting, Option 1 is out of the equation simply because I don't think you base OU design considerations on whether you search or query. OU is for "Administrative" convenience and I think it is best for your design to reflect your Organization structure, geography, and Administrati
http://www.joeware.net/win32/zips/OldCmp.zip
Hello, Juan. Where have you been?
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Juan Ibarra
S
Man! You guys are good :) Thanks for digging this up.
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Free, Bob
Sent: Sun 2/29/2004 1:26 P
I, for one, would be VERY interested in that documentation. I hope it's true and that MS has reworked the whole "Restricted Group" thingy. I personally got so badly burned by the lack of thoughts/testing that went into the original design, I have so far been scared of even thinking about anythin
So, where's the DNS server for domain.net?
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Jennifer Fountain
Sent: Wed 2/25/2004 8:35 AM
To
Title: Message
OK, just to explain, before anyone asks. I posted Jim's official email address only because it's publicly available. That notwithstanding, I still believe I was wrong to have posted it and I went "ps" just after I clicked "Send", so I feel the need to seriously apologize for th
I'd ask Jim Harrison at MS ([EMAIL PROTECTED]). He has his own corner on isaserver.org, and if 2 people can help you, I think Jim would be one of the 2.
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com www.iyaburo.com
Do you now realize
>>Will there be any problems in demoting all but dc01?
I am inferring from this that you are on a Win2K domain :). I would say leaving ONLY dc01 is not a "good thing" for Single Point of Failure reasons. However, you can "do it", although I recommend that you leave 2 DCs. To answer your question
You want to be looking for "ListenAddress" and "PublishAddress" in these 2 articles. You can only resolve this issue by doing the Reg Hack for those 2 entries. You want to be sure that both NICs are using the Internal address for DNS and that only the external NIC has a Default Gateway specified.
First take a look at this: http://support.microsoft.com/default.aspx?scid=%2fservicedesks%2fwebcasts%2fwc031803%2fwcblurb031803.asp
Like they say, there are many ways to skin a cat (apologies to all animal lovers :)).
Starting with one DC.
Add a BDC, make sure this machine is a good one beca
I don't know if anyone has mentioned this or not, but it appears to me that you are a victim of the SP4-Single-labelled-domain-name "bug", which is not really a bug. Read more on it here:
http://support.microsoft.com/default.aspx?kbid=300684
Then follow discussions about it here:
http://www.mc
I just posted this from my archives http://www.akomolafe.com/DesktopModules/ViewDocument.aspx?DocumentID=30 .
Not pretty, but works.
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tomorrow you w
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q300427
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q277717
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tomorrow you were w
>>will we end up having to re-point all of our e-mail clients, or is that all automatic?
It depends. It "should" be transparent, but my personal experience is that Office XP and above clients tend to auto-discover the changes very seamlessly. Older clients have more often than not required manua
That's a very interesting take. Very intriguing indeed . The voices in my head ... :)
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
F
In case anyone here is having difficulties justifying (to management) the "urgent" need to patch systems against this new vulnerability, here's one for your ammunition:
There is now a "Proof of Concept" exploit code that exploits this vulnerability. The clock is now ticking in the race for another
Title: Active Directory Design Issues
You will find most of what you need for your project planning here:
http://www.microsoft.com/technet/prodtechnol/ad/windows2000/plan/bpaddsgn.asp
and here
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookintr.asp
Sincere
>>Unfortunately a decision was made to start using IBM. The service is worse than Dell's service and we didn't think it was possible to get worse service than what we got from Dell.
>>Actually had a problem last week where the response is, ok we will see you tomorrow morning. This was when th
>>Anyway, whenever I’ve set up DNS separately from DCPROMO, set up my forward and reverse zones, then pointed my soon-to-be DC at it and run DCPROMO
Is there a special reason for your doing it this way, instead of:
".point my soon-to-be-DC at one (or 2) of my existing DNS
Let me guess... you are doing a "find" in ADUC, and you are then looking at the object's properties from the result of the "find". Correct? Try drilling down to where the account is located and then looking at the properties directly, you will very likely see the "additional account info" tab th
>> IADs: Interface for Active Directory Services
Mind you, the referenced page does not "define" the acronym, and that's what he was looking for. But IF it comes from you, I'll buy it any day :). I just haven't seen it defined that way until now, and I've been using it since it came out of Redmo
H...I think this belongs in the class of the "what is the meaning/origin of life?" questions :). I never bothered to ask.
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
Before you set it to "Not Defined", remove the Notice and, after it's all propagated, then set it to "Disabled". You can then set it to "Not Defined" after a while. What's happening is that the clients are already tattooed with the setting and you need to clear it out first. Another way is to jus
>>I removed admin from all but 5 people, we became stable and secure and had 55 pissed off people.
Are you talking about me again? :)
jk. You are superb, you know that.
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tomorr
You are not alone ;) but, still I rate dsacls high up there with most other tools from MS. For the things you can do with it, after getting the syntax down pat, dsacls is the next best thing since Portable Milk Shake :
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com www.iyaburo.c
dsacls /I(uppercase i):T should work for you.
I have a short blurb on dsacls here: http://www.akomolafe.com/docs/dsacls.htm
HTH
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -ano
Then that would be openfileS.exe, and it does not run on anything older than XP.
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent:
Title: Upgrade to Win2k
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookintr.asp
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Sudhir K
When we had a similar project, the intention was not so much to prevent "the user" from accessing network resources. The objective was to turn off unpatched/vulnerable systems that do not conform to the corporate standard. For example, you want computers that don't have the latest AV or are not
er.
Hope that helps.
Olly
-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: 15 January 2004 07:18
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
I usually refrain from adding to a thread more than once, except to occasionally concur. I have
You most likely have the "Logon as a Service" user rights defined on one of your Group Policies (most likely the Default Domain Policy). This is located under Computer Configuration -> Windows Settings -> Local Policies -> User Rights Assignment.
You need to either NOT define this right, or add
IF I were troubleshooting this, I'd remove the bridgehead designations and let everything go over any available server, then wait for the problem to go away. After that, examine your bridgehead designations closely again. You will likely find out that the DC in LEX site that you've designated as
For importing, try ADModify http://hellomate.info/exchange/admodify_1.5.zip
For auto account creation, try
http://www.microsoft.com/technet/treeview/default.asp?url=
HTH
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tomor
eielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.
-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 1:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
your protection against this "CYA" type
Congrats, Tony. And to everyone who has been filling my head with so much "techie" stuffs since I joined this list, I say thank you for your selfless contributions. I know I have personally benefitted from your contributions.
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com www.i
your protection against this "CYA" type of deletion is backup. If you maintain a diligent backup of your Exchange Server, you can always do a restore to your offline server whenever you need to "prove" something. Disabling access to the "Recover Deleted Items" folder will not buy you much with a
Something like:
Const ADS_PROPERTY_CLEAR = 1
Use ADO to query your AD for the users' DistinguishedName
Then do:
objUserDN = objRecordSet.Fields("distinguishedName").Value
Set ObjPath = getObject("LDAP://" & objUserDN)
objPath.PutEx ADS_PROPERTY_CLEAR, "profilePath", 0
objPath.SetInfo 'Do It N
What would be the purpose? Maybe letting us in on your line of thoughts would make it easier for someone to help you with this or recommend an alternative.
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worrie
Though I haven't used dsquery this way before, I think I can hazard a simple theory as to why you are getting inconsistent reports. Since pwdLastSet is not replicated among DCs, the values will be DIFFERENT across all your DCs. There is no magical way to determine which DC has the most current va
Clay, EventCombMT is actually part of the SECOPS tools and it's publicly available for download.
http://download.microsoft.com/download/c/e/3/ce3fd3de-ae44-4c10-858c-67df0b06771e/secops.exe
I personally think dumpevt (http://www.systemtools.com/somarsoft/) kicks butt.
HTH
Sincerely, Dèj
Excuse my confusion, but I have noticed seemingly confusing directives from some MS literature that I need help clarifying.
Q109626 states:
Windows 2000 Server Versions
The version of Netlogon.dll that has tracing included is installed by default. To enable debug logging, set the debug fla
>>every 90 minutes plus or minus 30 minutes.
>>every 90 minutes with an offset of up to 30 minutes
In the sense that "plus or minus" can literally mean "up to", I'd say you are both saying the same thing, but in different tongues :)
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
w
Your plans seem OK to me, with a couple of comments. See inline
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: [EMAIL PROTECTED]
Sent: Tue 12/2/2003 2:
Nothing more to do, as long as the FSMO transfer and demotion completes successfully. Otherwise, you will have to dig into ntdsutil to clean out the retired DC and seize the roles BEFORE you install and DCPromo the new one. In your scenario, SystemState backup will be unnecessary.
Depending
# 3 is a VERY VALID reason for a separate Domain or even a Forest. If they argue with you, tell them to re-read their Active Directory manual :)
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yes
This is one classic reason why a vendor should try as much as possible to go beyond the first step of "closing the sale". I swore off this vendor a long time ago, and I have never looked back since. The technical difficulties we encountered with their products are just too numerou
No, they are not compatible.
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Fri 11/14/2003 2:06 PM
To: [EMAIL PROTECTED]
Subject:
What do you mean? Did you look for it on MS' website and not find it? Did you google it?
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tom
Guido, John.
I (personally) don't think the biggest consideration in this "roll-back" plan is whether or not it can be done, or which methodology is more "supported" than the other. In my selfish opinion, the consideration should be what it will break. What it will break depends greatly on the
It's a tough question to respond to in one sitting. So, I hope these references help you along the way:
VPN on W2K
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/vpnsol.asp
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/vpnscen.asp
http://
on, I'd love to use it. Enlighten me... :-)
**Charlie Kaiser MCSE, CCNA Systems Engineer Essex Credit / Brickwalk 510 985 0975 x5083**
-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 2:55 PM
To: [EMAIL PR
The bug lies in the "FIX up". It's a "known" PIX issue and most truthful Cisco TAC personnel will admit to that. I went back and looked in the DNS Debug log that Miles sent last week. The "SERVFAIL" portion of the response packet is a good symptom of a "FIXED UP" anomaly.
Si
I figured it would help to include this link:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
HTH
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tomorrow you were w
"Best Practice" is not a constant, you know. Reality and feedbacks from the trenches sometimes conspire to alter "best practices" every now and then. Some auditors forget this salient truth. 5 is not practical, for various reasons, one of which is the "fast user switch" bug of WinXP.
Anyways,
They are very probably XP clients. They very likely have "fast user switch" option enabled on the XP, and Raymond has probably set his lockout threshold somewhere <= 5. I wager that this is the problem, barring the obvious multiple wrong password of course.
I know there is a Q article regardi
Rick, I actually run MBSA/SP4 in my test Lab. One of the things it couldn't find today was a directx hotfix on XP Corp Edition. Granted, it's much better than the one in my production environment, still . those whacky stuffs are not entirely gone - at least not from my Lab.
Actually, looking "solely" in the registry would make this exercise "worse than useless". It is this same reliance on registry entries that makes me hate Windows Update and some other Patch Mgt Tools I would not like to mention here. The registry check is a 50-50 hit or miss as fa
Say, Joe, what do you do to protect against the share-burrowing Worms/Virii?
Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Joe
Sent: Tue 9/2/2003 4:02 PM
T
The more I read this original question, the more I keep thinking that there is likely to be a low-level answer to the problem. I am not so sure anymore, especially given all that you've tried so far :).
Be that as it may, I would like to fly this low-level kite anyway, in the hope that it m
77 matches