"List in the Directory" permission

Tutorials Win: Microsoft Windows Forum

- Previous
  - 1
    - Docs Redirect and Administrator permissions Hi all, I want to make sure I've done this right. I am working on a server in which redirects were applied for My Documents. The option in Group Policy to make access Exclusive was checked. I needed to setup a robocopy script to move files nightly to another folder for backup redundancy. (It's a temporary measure.) I followed the instructions here: http://support.microsoft.com/kb/q288991/ I allowed a particular account in and given them full control. (In my case, the parent folder I applied the permissions to is D:\Redirects) In order to reapply permissions on all objects, I had to take ownership of the files and folders. Subfolders (the user folders) are not inheriting permissions from D:\Redirects) Here's where I'm confused: Creator Owner is set to Full Control on D:\Redirects, but even though I've reapplied ownership for each user on those objects in their folders, Effective Permissions doesn't show them to have full control on the objects. My goal: Allow Administrators FC to ALL user's redirected folders and their contacts and to allow each uesr FC access to their own folder and objects. Cheers, Mike.... Tag: "List in the Directory" permission Tag: 132194
  - 2
    - Merge / consolidate GPO's Hi, I need to consolidate multiple group policies into one. However I would like to avoid having to do this manually and was wondering if a tool existed which could merge policy settings. The import functionality within GPMC doesn't do it, it just overwrites any existing settings. I've looked into powershell scripts and 3rd party tools and cannot fins anything. Any help would be greatly appreciated. Regards, Dunc. Tag: "List in the Directory" permission Tag: 132186
  - 3
    - watch actress profile and photo watch actress priyamani photo watch actress profile and photo watch actress priyamani photo http://priyamaniforyou.blogspot.com/ Tag: "List in the Directory" permission Tag: 132183
  - 4
    - Outlook office 2003 + Group policy I need my users to use the same signature fomart. I have been able to disable the the signatures but now to link the required signature to the GP is the problem -- Any job can always be better done, when pple share ideas Tag: "List in the Directory" permission Tag: 132181
  - 5
    - A SHOCKING NEWS from Microsoft....... It's really a hot news for everyone http://polticsinfs.blogspot.com/ Tag: "List in the Directory" permission Tag: 132180
  - 6
    - watch actress sexy photo from movie clips and watch actress profile watch actress sexy photo from movie clips and watch actress profile http://priyamaniforyou.blogspot.com/ Tag: "List in the Directory" permission Tag: 132173
  - 7
    - finding out client name for a user logging in to a remote server I have a requirement to display last successful logon for an account and the location from which that logon occurred. When a user logs on to a workstation the location would of course be the hostname of that workstation. I'm using Visual Basic Scripting to do this. It was working fine until today while I was of course showing it to our security person. Even though I took into account when the user logs on to a workstation and the %CLIENTNAME% environment variable is not set, it seems that for some reason when logging onto a server %CLIENTNAME% can be set to "console" sometimes. This is strange considering I'm not asking for the Session Name which can be "console". I'm asking for the Client Name. When %CLIENTNAME% equals "console" when running my script or when running the 'set' command, if I look at the Users tab in Task Manager the Client Name is still the hostname of the maching I'm using to remote into the server. Strangely, I thought that on the Users tab the Session Name would be listed as "console" when I use Remote Desktop to logon to the console of the server. I'm using Win2k3 R2. The Session name is always a RDP session # whether I connect to the console or not. But that's not something I'm worrying about at the moment. Can anyone explain to me the circumstances that cause %CLIENTNAME% to be set to "console" as opposed to the user's workstation? I could test for it in my script if I knew the conditions under which it occurs. I'm currently using the following to grab the variable: strFromHost = objShell.ExpandEnvironmentStrings("%CLIENTNAME%") Thanks Brandon Tag: "List in the Directory" permission Tag: 132167
  - 8
    - Windows XP Mini-Setup not joining computers to existing account in We have a Win XP SP2 standard image we deploy onto a lot of our computers. The image has been sysprep'd and when booted, it goes through XP's Mini Setup using sysprep.inf to answer all questions except Computer Name. What we've tried doing is creating machine accounts in Active Directory (2003 Mixed Mode) in the OUs that we want the computers to end up in, and then (days later) booted the machines and allowed them to join the domain during Mini Setup. However, instead of joining the existing accounts, Mini Setup is creating a NEW account in the Computers OU in the root of AD. So now I have two machine accounts in AD with the same name. I have to track down the other account, delete it, and move the computer into that container a few minutes later after replication has finished. As far as I'm aware, this isn't the way its meant to work, is it? In Windows XP, if you join a computer to the domain by hand (outside of Mini Setup), it joins the existing account. Shouldn't the same happen in Mini Setup, or is there something I'm missing? TIA Tag: "List in the Directory" permission Tag: 132166
  - 9
    - Loggin on in determinate DC Hi, I have 3 Domain Controllers. Two in Site A and one in Site B. Is ther possible set a numeber of users to log on in a DC of Site A, being that users from Site B? Thanks. Luiz Tag: "List in the Directory" permission Tag: 132158
  - 10
    - Setting File -- Open Dialog box to a default location All, How can I through GP setting the default location for the File -- Open Dialog box to My Computer? We restricted C drive, it it defaults to that, so everytime they go to file -- Open, it gives them an error saying that its restricted. Thanks! Tag: "List in the Directory" permission Tag: 132152
  - 11
    - Certificate Help Hello, I've just installed our first Enterprise Root CA on one of our DC's running W2K3 Standard SP2. On another DC I'm trying to request a computer certificate, but am having trouble. When I go to the web page to request an advanced cert I am given the option of Administrator/Basic EFS/EFS Recovery Agent/User/Subordinate CA/Web Server. Am I missing something? I need a computer certificate becuase this DC is also my RADIUS server and I need a cert inorder to setup PEAP. Thanks! Tag: "List in the Directory" permission Tag: 132150
  - 12
    - AD Replication Monitor I ran the AD Replication Monitor. Under Current Transitive Replication Partner Status I am showing 7 "Partner Name: **DELETED SERVER #7". What exactly is this telling me? Is this a previous dc that didn't get deleted properly? I am fairly new to this organization so I don't have a lot of history on this domain. Thanks! Tag: "List in the Directory" permission Tag: 132149
  - 13
    - Adding Domain Controller Hi. I'm adding an additional domain controller (2k3) to an existing domain, which has only one DC that is also a 2k3 server. I ran dc promo on the new server and chose to copy active directory from an an existing DC. I received an error stating the forest was not ready, and to run adprep against the existing DC. I checked the functional level of the domain and forest in the existing DC and found it was set to 2000 level. I raised it to 2003 and thought that would help. It didn't. I also got an errors when trying to run adprep against the existing DC. I didn't think adprep was necessary when there weren't any 2000 servers on the domain. Any ideas? thanks Tag: "List in the Directory" permission Tag: 132134
  - 14
    - Moving FSMO roles I plan to install a new DC w/gc on new hardware and transfer all the FSMO roles from the existing DC. What are the best practices for moving them? Is there a certain order, waiting period between moving roles, etc.? Very simple environment - 2 dc's, default site config, 1 domain. The old and new servers will be in the same vlan, same physical location. The other dc (not a gc) will be in a different office (25mi.) - GigE 100Mb WAN connection. Thank you! Tag: "List in the Directory" permission Tag: 132133
  - 15
    - Event ID 1030's I'm seeing a number of 1030's on the clients, and this in GPMC: Group Policy Infrastructure failed due to the error listed below. Overlapped I/O operation is in progress. Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available I've verified the admin name and passowrd in DHCP manager, and checked for cached passwords to the server on the clients, and still no luck. Any other ideas? Tag: "List in the Directory" permission Tag: 132128
  - 16
    - repadmin /removelingeringobjects Hi, i'm getting an error message on a mailserver. event id 2042 "it has been too long since this machine last replicated with the named source machine etc etc. looking at the dates mention further down the message, the tally up to a date when a previous DC failed and was removed from the domain. hardware failed from within the DC and dcpromo was never run to remove it from the domain, and as a result a lot of messages have been appearing around the servers relating to the missing dc. The 2042 message gives 3 options, and the only relvant one refers to using repadmin to clear up any residue following the servers demise. my question is that reading up on repadmin, I'm being told that 2003 server needs to be running on "both" servers....the problem is that only one server is running and i want to clear up the mess following the server dying in the first place. Or is it just a case of repadmin actually being able to determine what and where the issue is and clearing it automatically? cheers Tag: "List in the Directory" permission Tag: 132127
  - 17
    - Setting the home page for all users Hi, I have the IE7 AD template installed on our DC's and am trying to set the home page, but the users IE7 is having none of it! I have gone to User Configuration > Administrative Templates > Windows Explorer > Disable changing home page settings > enable http://intranet DC - gpupdate /force User - gpupdate /force No http://intranet page any ideas? Tag: "List in the Directory" permission Tag: 132126
  - 18
    - Policy (GPO) Order Hi, one question about Policy (GPO) Order applying: - I have 3 policies: one enabled, the second disabled and the third disabled. The disabled policy will predominate, ok? Thanks. Luiz Tag: "List in the Directory" permission Tag: 132120
  - 19
    - Creating New Domain Tree in Existing Forest We just bought a company that I have to integrate into our active directory. They currently have Windows 2000 AD and I have Windows 2003 AD. How do I bring their Windows 2000 AD into my AD as a domain tree without losing their users? If you could point me to instructions on how to make this possible I would appreciate it. thanks -- dee Tag: "List in the Directory" permission Tag: 132117
  - 20
    - problems with single level dns name (domain) Hi a new customer has a w2k3 server on location vienna with a single level domain "intern" and no "intern.local" as normally used. we have to install a second AD-Controller an location linz (connected with vienna via a 2 MBit VPN-Tunnel). after using KB 300684 we could move the second server in the domain as member. then we installed AD on the sec. server, tested dns with nslookup, all works fine. Our problem: the user locally in linz cann't access to the local shares on the sec. AD-Controller, they get the message access denied. when i remove the AD on the second server and chance the dns entry to the vienna dns-server all works fine. workstation systemlog: source: BROWSER, err: 8021, no list from Browser, source: BROWSER, err: 8032, read fails, applicationlog: source: userenv, err: 1058, gpt.ini access denied can you help me ? Tag: "List in the Directory" permission Tag: 132111
  - 21
    - problem with steadystate and restricting rights from administrator I have a domain Active directory on a windows 2000 Server and I moved the rights I made on a pc with steadystate to the server with the active directory with SCTSettings.adm. Then I did some changes in the group policy at the All Windows Steadystate restrictions hopping that this will affect only to users that also have Steadystate restricting the right click on desktop, the access on C:\, and in all windows programs but this affected on the privilages of the administrator rights too!!! Now I can't have access to c:\, not to administrative programs not even right click to the workspace!!! Is there other way to have access to the gpedit (group policy editor) to change the policy again ? cause even the administrator doesn't have any rights now and... I think... this is a HUGE bug!!!! nomater what administrator shouldn't affect on any change of GROUP policy... Pls I need help imidiatly not to setup the server again cause I have 200 users to put again in active directory one by one... Tag: "List in the Directory" permission Tag: 132110
  - 22
    - Re: Site link configuration question.. again my bad... this should be: adfind -config -rb "CN=IP,CN=Inter-Site Transports,CN=Sites" -f "objectCategory=siteLink" siteList have not had coffee yet ;-( -- Cheers, (HOPEFULLY THIS INFORMATION HELPS YOU!) # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services # BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx ------------------------------------------------------------------------------------------ * How to ask a question --> http://support.microsoft.com/?id=555375 ------------------------------------------------------------------------------------------ * This posting is provided "AS IS" with no warranties and confers no rights! * Always test ANY suggestion in a test environment before implementing! ------------------------------------------------------------------------------------------ ################################################# ################################################# ------------------------------------------------------------------------------------------ "Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@gmail.com> wrote in message news:... > my bad... > > this should be: > adfind -config -rb "CN=IP,CN=Inter-Site Transports,CN=Sites" -f > "objectCategory=siteLink" siteObjectBL > > -- > > Cheers, > (HOPEFULLY THIS INFORMATION HELPS YOU!) > > # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services # > > BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx > BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx > ------------------------------------------------------------------------------------------ > * How to ask a question --> http://support.microsoft.com/?id=555375 > ------------------------------------------------------------------------------------------ > * This posting is provided "AS IS" with no warranties and confers no > rights! > * Always test ANY suggestion in a test environment before implementing! > ------------------------------------------------------------------------------------------ > ################################################# > ################################################# > ------------------------------------------------------------------------------------------ > "Kent" <Kent@discussions.microsoft.com> wrote in message > news:7278BC24-A71C-4CFF-8533-48BF0FC49AD3@microsoft.com... >> post the IP of the client you used >> ---------------------------------- >> 192.168.1.22 >> >> >> post NLTEST /DSGETSITE >> ---------------------- >> C:\Documents and Settings\administrator>nltest /dsgetsite >> Client >> The command completed successfully >> >> >> post NLTEST /DSGETDC:<DOMAIN> >> ----------------------------- >> C:\Documents and Settings\administrator>nltest /dsgetdc:contoso.com >> DC: \\hq-con-dc-03.contoso.com >> Address: \\192.100.0.2 >> Dom Guid: 6de92f82-4b65-4711-9abc-2e86c0ade8ed >> Dom Name: contoso.com >> Forest Name: contoso.com >> Dc Site Name: AsiaPacific >> Our Site Name: Client >> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN >> DNS_FOREST >> CLO >> SE_SITE >> The command completed successfully >> >> >> post NLTEST /DSGETSITECOV >> ------------------------- >> C:\AdFind>nltest /dsgetsitecov >> DsGetDcSiteCoverage failed: Status = 50 0x32 ERROR_NOT_SUPPORTED >> >> >> adfind -config -rb "CN=Sites" -f "objectCategory=Site" siteObjectBL >> ------------------------------------------------------------------- >> C:\AdFind>adfind -config -rb "CN=Sites" -f "objectCategory=Site" >> siteobjectBL >> >> AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007 >> >> Using server: hq-con-dc-01.contoso.com:389 >> Directory: Windows Server 2003 >> Base DN: CN=Sites,CN=Configuration,DC=contoso,DC=com >> >> dn:CN=Europe,CN=Sites,CN=Configuration,DC=contoso,DC=com >>>siteObjectBL: >>>CN=10.0.0.0/8,CN=Subnets,CN=Sites,CN=Configuration,DC=contoso,DC= >> com >> >> dn:CN=AsiaPacific,CN=Sites,CN=Configuration,DC=contoso,DC=com >>>siteObjectBL: >>>CN=192.100.0.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=contoso >> ,DC=com >> >> dn:CN=America,CN=Sites,CN=Configuration,DC=contoso,DC=com >>>siteObjectBL: >>>CN=138.169.0.0/16,CN=Subnets,CN=Sites,CN=Configuration,DC=contoso >> ,DC=com >> >> dn:CN=Client,CN=Sites,CN=Configuration,DC=contoso,DC=com >>>siteObjectBL: >>>CN=192.168.1.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=contoso >> ,DC=com >> >> 4 Objects returned >> >> >> adfind -config -rb "CN=IP,CN=Inter-Site Transports,CN=Sites" -f >> "objectCategory=Site" siteObjectBL >> -------------------------------------------------------------------------------------------------- >> C:\AdFind>adfind -config -rb "CN=IP,CN=Inter-Site Transports,CN=Sites" -f >> "objec >> tCategory=Site" siteobjectBL >> >> AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007 >> >> Using server: hq-con-dc-01.contoso.com:389 >> Directory: Windows Server 2003 >> Base DN: CN=IP,CN=Inter-Site >> Transports,CN=Sites,CN=Configuration,DC=contoso,DC= >> com >> >> 0 Objects returned >> >> "Jorge de Almeida Pinto [MVP - DS]" wrote: >> >>> >>> >>> * post the IP of the client you used >>> * post NLTEST /DSGETSITE >>> * post NLTEST /DSGETDC:<DOMAIN> >>> * post NLTEST /DSGETSITECOV >>> * adfind -config -rb "CN=Sites" -f "objectCategory=Site" siteObjectBL >>> * adfind -config -rb "CN=IP,CN=Inter-Site Transports,CN=Sites" -f >>> "objectCategory=Site" siteObjectBL >>> >>> ADFIND can be downloaded from joeware.net >>> >>> -- >>> >>> Cheers, >>> (HOPEFULLY THIS INFORMATION HELPS YOU!) >>> >>> # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services # >>> >>> BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx >>> BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx >>> ------------------------------------------------------------------------------------------ >>> * How to ask a question --> http://support.microsoft.com/?id=555375 >>> ------------------------------------------------------------------------------------------ >>> * This posting is provided "AS IS" with no warranties and confers no >>> rights! >>> * Always test ANY suggestion in a test environment before implementing! >>> ------------------------------------------------------------------------------------------ >>> ################################################# >>> ################################################# >>> ------------------------------------------------------------------------------------------ >>> "Kent" <Kent@discussions.microsoft.com> wrote in message >>> news:7A167365-80B5-4300-8246-D8326440E443@microsoft.com... >>> > Yes, there are currently 2 site links configured. >>> > >>> > First Site Link with the cost of 50 are configured to contain 2 HUB >>> > sites >>> > (SITEA & SITEB). >>> > Second Site Link with the cost of 80 is configured to contain 1 BO >>> > (SITEC) >>> > & >>> > 1 nearest HUB site (SITEB). >>> > >>> > I've tried with nltest and set command, the logon server for a client >>> > at >>> > SITEC is going to DC at SITEA & SITEC randomly. By right, it should >>> > only >>> > goes >>> > to DC at SITEB right as there is already a Site Link configured? >>> > >>> > Thanks. >>> > >>> > >>> > "Jorge de Almeida Pinto [MVP - DS]" wrote: >>> > >>> >> it should not matter what the costs is because the site link between >>> >> the >>> >> BO >>> >> and the HUB is always the cheapest!. Do you have other site links >>> >> configured? >>> >> use can also use NLTEST on both the client and the DC to test >>> >> configurations >>> >> >>> >> -- >>> >> >>> >> Cheers, >>> >> (HOPEFULLY THIS INFORMATION HELPS YOU!) >>> >> >>> >> # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services >>> >> # >>> >> >>> >> BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx >>> >> BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx >>> >> ------------------------------------------------------------------------------------------ >>> >> * How to ask a question --> http://support.microsoft.com/?id=555375 >>> >> ------------------------------------------------------------------------------------------ >>> >> * This posting is provided "AS IS" with no warranties and confers no >>> >> rights! >>> >> * Always test ANY suggestion in a test environment before >>> >> implementing! >>> >> ------------------------------------------------------------------------------------------ >>> >> ################################################# >>> >> ################################################# >>> >> ------------------------------------------------------------------------------------------ >>> >> "Kent" <Kent@discussions.microsoft.com> wrote in message >>> >> news:B7DFA04D-45B2-4E35-9FB6-D6C3574E2DE6@microsoft.com... >>> >> > Hi Jorge, >>> >> > Thanks for your advice below. >>> >> > >>> >> > I've tested out the 1st solution in virtual environment (without >>> >> > site >>> >> > aware >>> >> > apps), and it's working perfectly. >>> >> > >>> >> > However, when i test out the 2nd solution it seems that the >>> >> > authentication >>> >> > is not consistent. Let me brief you on my virtual setup. >>> >> > >>> >> > - 3 sites = SiteA (with 1 domain controller), SiteB (with 1 domain >>> >> > controller), SiteC (clients without domain controller) >>> >> > - SiteA & SiteB is in the same Site Link with a cost of 20 >>> >> > - SiteB & SiteC is in the same Site Link with a cost of 50 >>> >> > >>> >> > When a XP machine from SiteC is logging on to the domain, it should >>> >> > be >>> >> > authenticating to domain controller at SiteB but sometimes it's >>> >> > going >>> >> > to >>> >> > domain controller at SiteA. >>> >> > >>> >> > But when changing the Site Link cost of 50 to 15 (SiteB & SiteC), >>> >> > authentication is constantly going to domain controller at SiteB >>> >> > (which >>> >> > is >>> >> > what i want). So, my question is whether is it correct to have >>> >> > lower >>> >> > cost >>> >> > between Branch and HUB than HUB to HUB? >>> >> > >>> >> > Appreciate your advice on this. >>> >> > Thanks again. >>> >> > >>> >> > >>> >> > "Jorge de Almeida Pinto [MVP - DS]" wrote: >>> >> > >>> >> >> in that case I would: >>> >> >> * create an AD site for each HUB >>> >> >> * create an AD site link and put the HUBs in it >>> >> >> * create an AD subnet for each subnet at one HUB and link it to >>> >> >> the AD >>> >> >> site >>> >> >> of the corresponding HUB >>> >> >> * create an AD subnet for each subnet at the branch offices and >>> >> >> link >>> >> >> it >>> >> >> to >>> >> >> the AD site of the nearest HUB >>> >> >> >>> >> >> this way client at a branch office will use the nearest HUB >>> >> >> >>> >> >> if you were to have site aware apps in the branch office site I >>> >> >> would: >>> >> >> * create an AD site for each HUB >>> >> >> * create an AD site for each branch office (BO) >>> >> >> * create an AD subnet for each subnet at one HUB and link it to >>> >> >> the AD >>> >> >> site >>> >> >> of the corresponding HUB >>> >> >> * create an AD subnet for each subnet at one BO and link it to the >>> >> >> AD >>> >> >> site >>> >> >> of the corresponding BO >>> >> >> * create an AD site link for each BO and its nearest HUB >>> >> >> in this last scenario the DCs in the HUB will register SRV records >>> >> >> in >>> >> >> the >>> >> >> linked BOs and therefore service those BOs as you want >>> >> >> >>> >> >> -- >>> >> >> >>> >> >> Cheers, >>> >> >> (HOPEFULLY THIS INFORMATION HELPS YOU!) >>> >> >> >>> >> >> # Jorge de Almeida Pinto # MVP Identity & Access - Directory >>> >> >> Services >>> >> >> # >>> >> >> >>> >> >> BLOG (WEB-BASED)--> >>> >> >> http://blogs.dirteam.com/blogs/jorge/default.aspx >>> >> >> BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx >>> >> >> ------------------------------------------------------------------------------------------ >>> >> >> * How to ask a question --> >>> >> >> http://support.microsoft.com/?id=555375 >>> >> >> ------------------------------------------------------------------------------------------ >>> >> >> * This posting is provided "AS IS" with no warranties and confers >>> >> >> no >>> >> >> rights! >>> >> >> * Always test ANY suggestion in a test environment before >>> >> >> implementing! >>> >> >> ------------------------------------------------------------------------------------------ >>> >> >> ################################################# >>> >> >> ################################################# >>> >> >> ------------------------------------------------------------------------------------------ >>> >> >> "Kent" <Kent@discussions.microsoft.com> wrote in message >>> >> >> news:4CC9443D-62AC-4307-AF6B-B71ADBEB8539@microsoft.com... >>> >> >> > Hello, >>> >> >> > Yes, subnets are defined correctly and linked to the correct >>> >> >> > sites. >>> >> >> > Branch sites does not have any DC and no apps like DFS, MSMQ, >>> >> >> > etc is >>> >> >> > installed. >>> >> >> > >>> >> >> > So are there any good ideas for me get the logon authentication >>> >> >> > to >>> >> >> > work >>> >> >> > correctly? >>> >> >> > Thanks >>> >> >> > >>> >> >> > >>> >> >> > "dave m" wrote: >>> >> >> > >>> >> >> >> I assume, and hate to, that there is only a single domain >>> >> >> >> involved >>> >> >> >> here. >>> >> >> >> >>> >> >> >> dave Admin >>> >> >> >> >>> >> >> >> >>> >> >> >> "Kent" <Kent@discussions.microsoft.com> wrote in message >>> >> >> >> news:1CCC2FC3-6F2E-4F58-92B3-7A858F054CFC@microsoft.com... >>> >> >> >> > Hi All, >>> >> >> >> > I would like to seek some opinions from AD experts regarding >>> >> >> >> > my >>> >> >> >> > scenario >>> >> >> >> > below: >>> >> >> >> > >>> >> >> >> > Scenario: >>> >> >> >> > --------- >>> >> >> >> > 1. Active Directory contains 8 domain controllers (all >>> >> >> >> > configured >>> >> >> >> > as >>> >> >> >> > GC), >>> >> >> >> > 4 >>> >> >> >> > located at UK data centre and 4 more located at Singpapore >>> >> >> >> > data >>> >> >> >> > centre. >>> >> >> >> > 2. There are around 20 sites created on AD which are located >>> >> >> >> > at >>> >> >> >> > Asia >>> >> >> >> > Pacific >>> >> >> >> > region and around 40 sites created on AD which are located at >>> >> >> >> > Europe >>> >> >> >> > & >>> >> >> >> > America region. >>> >> >> >> > 3. I want to ensure computers at sites located at Asia >>> >> >> >> > Pacific >>> >> >> >> > will >>> >> >> >> > authenticate to domain controllers at Singapore data centre >>> >> >> >> > and >>> >> >> >> > computers >>> >> >> >> > at >>> >> >> >> > sites located at Europe/America to authenticate to domain >>> >> >> >> > controllers >>> >> >> >> > at >>> >> >> >> > UK >>> >> >> >> > data centre. >>> >> >> >> > >>> >> >> >> > >>> >> >> >> > Current setup: >>> >> >> >> > -------------- >>> >> >> >> > 1. Site link between Singapore DC and UK DC is having a cost >>> >> >> >> > of >>> >> >> >> > 10. >>> >> >> >> > 2. A site link is configured to contain multiple sites from >>> >> >> >> > Asia >>> >> >> >> > Pacific >>> >> >> >> > to >>> >> >> >> > Singapore DC with a cost of 50. This is the same to >>> >> >> >> > Europe/America >>> >> >> >> > site >>> >> >> >> > link >>> >> >> >> > but it's configured to UK DC instead of Singapore one (with a >>> >> >> >> > cost >>> >> >> >> > of >>> >> >> >> > 50 >>> >> >> >> > as >>> >> >> >> > well). >>> >> >> >> > 3. The problem with this setup is users are authenticating to >>> >> >> >> > different >>> >> >> >> > domain controllers, sometime to Singapore then UK. >>> >> >> >> > >>> >> >> >> > >>> >> >> >> > My suggestion is to: >>> >> >> >> > -------------------- >>> >> >> >> > 1. Configure 2 site links for 1 site with different costing. >>> >> >> >> > Example: >>> >> >> >> > Site >>> >> >> >> > A >>> >> >> >> > is located at Asia Pacific, computers at Site A must >>> >> >> >> > authenticate >>> >> >> >> > to >>> >> >> >> > domain >>> >> >> >> > controllers at Singapore data centre so i will create a Site >>> >> >> >> > Link >>> >> >> >> > to >>> >> >> >> > Singapore DC site with cost of 40 and another Site Link to UK >>> >> >> >> > site >>> >> >> >> > with >>> >> >> >> > cost >>> >> >> >> > of 80. This would ensure the logon authentication will go to >>> >> >> >> > the >>> >> >> >> > correct >>> >> >> >> > domain controllers. >>> >> >> >> > 2. Site Link betwenn Singapore DC and UK DC will have a cost >>> >> >> >> > of >>> >> >> >> > 10. >>> >> >> >> > >>> >> >> >> > >>> >> >> >> > But i'm not sure whether is this solution practical because >>> >> >> >> > it'll >>> >> >> >> > create >>> >> >> >> > alot of Site Links on Active Directory. >>> >> >> >> > Anyone can give some suggestions? >>> >> >> >> > >>> >> >> >> > Thanks in advance. >>> >> >> >> > >>> >> >> >> > >>> >> >> >> >>> >> >> >> >>> >> >> >> >>> >> >> >> >>> >> >> >>> >> >> >>> >> >>> >> >>> >>> > Tag: "List in the Directory" permission Tag: 132108
  - 23
    - watch actress sexy photo from movie clips and watch actress profile watch actress sexy photo from movie clips and watch actress profile http://priyamaniforyou.blogspot.com/ Tag: "List in the Directory" permission Tag: 132100
  - 24
    - How to remove\add workstation from\to domain remotely? How to remove\add workstation from\to domain remotely? Tag: "List in the Directory" permission Tag: 132098
  - 25
    - Unable to create Domain on Server 2008 When running 'dcpromo' I receive the following error: 'The new domain cannot be created because the local Administrator account password does not meet requirements.' I have tried multiple passwords using 6 or more Upper case, Lower case, & Special characters. This is a new server setup with no existing domains. Tag: "List in the Directory" permission Tag: 132094
- Next
  - 1
    - Restricting Trusted Domain user login hour Hi there, I was wondering if there is anyway to limit user's logon hour by configuring AD Domain A while the user account is in a trusted Domain B please? What I have got is a computer lab with all computers and network resources belonging to Domain A. Domain A trusted Domain B (with the same forest), hence users from Domain B can log onto computers in the lab. Now we want to limit users from using the lab after hour. I know I can set the logon hours for the users in AD User and Computer in Domain B but I only want to limit their access to computers in Domain A, not the entire organization/AD forest. Is there a way to control that within Domain A please? Thanks, Edmond. Tag: "List in the Directory" permission Tag: 132093
  - 2
    - Password policy We have Windows 2003 domain and we are in the process of implementing password policy across the domain. What will be the suggested/ recommended pathway to exclude administrator/ special purpose admin related accouts from this password policy? Thanks Tag: "List in the Directory" permission Tag: 132078
  - 3
    - Automate home directory for a new user All, How can I automate the creation of a users home directory, when the user is created in AD? I am not wanting to use the my documents folder redirection, but rather still with standard drive mappings. Thanks! Tag: "List in the Directory" permission Tag: 132077
  - 4
    - LDAP Bind Is it possible to remove anonymous bind in Active Directory? Tag: "List in the Directory" permission Tag: 132073
  - 5
    - LDAP Bind Can you disallow Anonymous Bind in AD? Tag: "List in the Directory" permission Tag: 132072
  - 6
    - idlist error I am thinking this is a possible account error. I have a user who gets the following error no matter what computer she logs onto on our domain : Cannot find/ idlist,:216:4800,//dc01/netlogon/ If other users log onto her computers they dont get this error but this error seems to follow the user. Any ideas ? Cant see anything obvious wrong with the account in AD. Thanks Tag: "List in the Directory" permission Tag: 132067
  - 7
    - Best method for moving 2003 sp2 Domain controller to new hardware. Hi, I need to move a domain controller to faster better hardware. The new hardware will have different drive controllers and most likely a different storage layout. What are best practices to ensure minimum disruption to the network? Max Tag: "List in the Directory" permission Tag: 132066
  - 8
    - Role based administration for password resets Hello, We have a Windows 2003 domain.We are in the process of implementing password policy on the domain. Currently we add helpdesk staff to server operators group for AD administration. Is there a role based administration model in Windows 2003 so that I can add some helpdesk staff to just reset password and not server operators? Thanks Tag: "List in the Directory" permission Tag: 132061
  - 9
    - Get localhost AD folder Hi, I would like to put a row in users loginscript todetermine which OU the localhost is located in. Any idea? Regards Magnus Tag: "List in the Directory" permission Tag: 132048
  - 10
    - Failure login to domain or losing domain membership Server information of each site Site A (Production) Server A1 (Application server - Window cluster) Server B1 (Database Server - Windows/MS SQL cluster) Server C1 (Database Server â?? Windows/MS SQL cluster) Server F0 (Existing Domain controller), F1 (New Domain controller) OS (Windows 2003 server enterprise R2/SP2) OS for Server A1, B1, and C1 are on external SAN volumes OS for Server F1 are on internal disks. Site B (DR â?? Disaster Recovery) Server A2 (Application Server â?? Windows cluster) Server B2 (Database Server â?? Windows/MS SQL cluster) Server C2 (Database Server â?? Windows/MS SQL cluster) Server F2 (Domain Controller â?? Fresh installation OS only) Server D (Fax Server) Server E (Citrix Server) OS (Windows 2003 Server enterprise R2/SP2) OS for Server A2, B2, and C2 are on external SAN volumes. The OS for these servers is replicated from OS of servers (A1, B1& C1). Hence the configuration of server (A2, B2 & C2) is exactly same as servers (A1, B1 & C1). OS for Server F2, D & E are on internal disks. Server F2 is configured with basic OS with the same IP address and Host name as of server F1. Setup & Configure Step (1st time) Site A Configure Server F1 at site A as additional domain controller along with existing domain controller. These domain controllers serves domain â??XYZ.comâ??. The server F1 holds all the FSMO roles except Infrastructure role. Configure Server A1,B1 and C1 server and join to domain â??XYZ.comâ?? Bring servers D & E to Site A(Production) from Site B(DR) Setup and configure servers D & E and join to domain â??XYZ.comâ?? at Site A After joining domainâ??XYZ.comâ?? for servers D & E, move back both servers to Site B(DR). Perform a full or system state backup at site A from existing AD server F1 using â??ntbackupâ?? and copy backup file(.bkf) from domain controller(F1) at site A to domain controller(F2) at site B. Site B Restore backup file (.bkf) on domain controller (F2) at site B. Now server F2 becomes new independent Active Directory server at site B. Replicate OS (using IBM SVC) of servers A1, B1, and C1 at Site A to servers A2, B2 and C2 at site B respectively. Bring up Server A2, B2, and C2 On boot, servers are able to login as domain member. Servers D & E (Fax & Citrix) which were joined at Site A and brought back to site B are now boot up at Site B. Servers D & E (Fax & Citrix) are also ble to login as domain members. Periodic restore (Perform DR restore & Testing â?? Daily or weekly) Note: At DR Site all servers D, E, F2, A2, B2 and C2 were already able to join and login as domain member when first time setup & configuration was done. But to keep the Active Directory server at site B up to date as Active Directory server at site A, we are backing up the Active Directory server (F1) at site A and restoring it on Active Directory server (F2) at site B periodically. Perform a full or system state backup at Site A from existing AD server F1 by using â??ntbackupâ?? and copy backup file(.bkf) from site A to site B. Perform restore on AD at site B using latest backup file. Boot up servers A2, B2, C2 and try to login as domain member, but login fails. Boot up servers D & E server, try to login as domain member, but login fails. It is not necessary that it will fail on second restore. Sometimes it work even if we restore Active Directory server several times in 3-4 days, but after 3-4 days or 1 week when we backup and restore only Active Directory, some of the servers (A2,B2,C2,D & E) are not able to login as domain members. But since OS of servers A2, B2 & C2 are on external SAN disks, we can replicate the OS of servers A1, B1 & C1 to servers A2, and B2 & C2. In this case these servers (A2, B2 & C2) are able to login as domain members. But OS for servers D & E is not on external disk and we can not replicate OS for these two servers. For example, the servers (A2, B2, C2, D & E) were able to login as domain member on 30th June with the backup file of Active Directory also of the same date. So for next few days (1st July and 2nd July) we performed backup of Active Directory server (F1) and restored it on Active Directory server (F2) at site B. We booted the member servers and the servers could join as domain members. But later after few days say 4 th July, we performed backup again of Active Directory (F1) at site A and restored it on Active Directory server(F2) at site B. This time we boot the member servers, but these servers could not login as domain members. So to check whether the newly restored AD server (F2) also requires the OS of servers at the same moment or close to some range of time, we replicated OS of only A2, B2 and C2 on 4th July and boot these servers. Then these serves were able to login as domain members. We have tested the above cycle several times and our observation is same every time. Question: Why servers (A2, B2, C2, D & E) are not able to login as domain members after 3-4days? Why servers A2, B2 & C2 after replicating OS are able to login as domain members? Any permanent solution? Tag: "List in the Directory" permission Tag: 132040
  - 11
    - "Memory Hierarchy Error" from "Microsoft WHEA Logger" after migrating Hello, since we reinstalled our domain Controller in Windows 2008, we have every few minutes a warning from the "Microsoft-Windows-WHEA-Logger", concerning a "Memory Hierarchy Error". The server is a HP DL380 with 4 gigs of RAM, 32 gigabyte SCSI-disk,... I already ran the Memory Diagnostics Tool included in Windows 2008, but it showed me no errors Here is the detail about the event, perhaps some idea what could be the cause: Error Source: Corrected Machine Check Error Type: Memory Hierarchy Error Processor ID Valid: Yes Processor ID: 0x6 Bank Number: 0 Transaction Type: Generic Processor Participation: N/A Request Type: Snoop Memory/Io: N/A Memory Hierarchy Level: Level 1 Timeout: N/A Event Xml: <Event xmlns=3D"http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name=3D"Microsoft-Windows-WHEA-Logger" Guid=3D"{c26c4f3c-3f66-4e99-8f8a-39405cfed220}" /> <EventID>19</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime=3D"2008-07-08T04:45:38.589Z" /> <EventRecordID>3051</EventRecordID> <Correlation ActivityID=3D"{DBC18E92-DD0E-4B8F-9E77-39CE5828C6B7}" / > <Execution ProcessID=3D"1412" ThreadID=3D"3020" /> <Channel>System</Channel> <Computer> name </Computer> <Security UserID=3D"S-1-5-19" /> </System> <EventData> <Data Name=3D"ApicIdValid">1</Data> <Data Name=3D"ApicId">0x6</Data> <Data Name=3D"MCABank">0</Data> <Data Name=3D"MciStat">0xcc00001f20040189</Data> <Data Name=3D"MciAddr">0x1824100</Data> <Data Name=3D"MciMisc">0x1400002d012a0</Data> <Data Name=3D"ErrorType">9</Data> <Data Name=3D"TransactionType">2</Data> <Data Name=3D"Participation">256</Data> <Data Name=3D"RequestType">8</Data> <Data Name=3D"MemorIO">256</Data> <Data Name=3D"MemHierarchyLvl">1</Data> <Data Name=3D"Timeout">256</Data> <Data Name=3D"Length">1730</Data> <Data Name=3D"RawData">435045520102FFFFFFFF03000200000002000000C2060000242D040008= 0708140000000000000000000000000000000000000000000000000000000000000000BDC40= 7CF89B7184EB3C41F732CB57131FE6FF5E89C91C54CBA8865ABE14913BBB5739B183AE0C801= 00000000000000000000000000000000000000000000000058010000C000000001020000010= 00000ADCC7698B447DB4BB65E16F193C4F3DB00000000000000000000000000000000020000= 00000000000000000000000000000000000000000018020000920200000102000000000000D= 5560F3986CA494695C473A408AE583400000000000000000000000000000000020000000000= 000000000000000000000000000000000000AA040000180200000102000000000000E95412E= 7B9C14049AB76909703A4320F00000000000000000000000000000000020000000000000000= 000000000000000000000000000000FF01000000000000000001000C010000250F000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000006000000000000000000000000000000000000000= 000000000000000000000000000000000000000070100000000000006000000000000000B08= 020600440000FFFBEBBFB045828100000000000000000000000000000000000000000000000= 00000000000000000F50157A5EFE3DE43AC72249B573FAD2C03000000000000009F00622000= 000000004182010000000000000000000000000000000000000000000000000000000001000= 800800100000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000004572507400000000180200000001000000000000000000000000000000000000000000= 0002000000000000000100000000000000020000000600000000000000FF010000000000000= 00001000C010000250F00000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000600000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 0000000000000000000000000100000092030000010000000100000022A96776B5E0C801010= 00000000000000000000000000000890104201F0000CC0041820100000000A012D002004001= 000C00000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000</ Data> </EventData> </Event> Best regards paulreims Tag: "List in the Directory" permission Tag: 132034
  - 12
    - Problem with Microsoft WHEA Logger after migrating to 2008 Hello, since we reinstalled our domain Controller in Windows 2008, we have every few minutes a warning from the "Microsoft-Windows-WHEA-Logger", concerning a "Memory Hierarchy Error". The server is a HP DL380 with 4 gigs of RAM, 32 gigabyte SCSI-disk,... I already ran the Memory Diagnostics Tool included in Windows 2008, but it showed me no errors Here is the detail about the event, perhaps some idea what could be the cause: Error Source: Corrected Machine Check Error Type: Memory Hierarchy Error Processor ID Valid: Yes Processor ID: 0x6 Bank Number: 0 Transaction Type: Generic Processor Participation: N/A Request Type: Snoop Memory/Io: N/A Memory Hierarchy Level: Level 1 Timeout: N/A Event Xml: <Event xmlns=3D"http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name=3D"Microsoft-Windows-WHEA-Logger" Guid=3D"{c26c4f3c-3f66-4e99-8f8a-39405cfed220}" /> <EventID>19</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime=3D"2008-07-08T04:45:38.589Z" /> <EventRecordID>3051</EventRecordID> <Correlation ActivityID=3D"{DBC18E92-DD0E-4B8F-9E77-39CE5828C6B7}" / > <Execution ProcessID=3D"1412" ThreadID=3D"3020" /> <Channel>System</Channel> <Computer> name </Computer> <Security UserID=3D"S-1-5-19" /> </System> <EventData> <Data Name=3D"ApicIdValid">1</Data> <Data Name=3D"ApicId">0x6</Data> <Data Name=3D"MCABank">0</Data> <Data Name=3D"MciStat">0xcc00001f20040189</Data> <Data Name=3D"MciAddr">0x1824100</Data> <Data Name=3D"MciMisc">0x1400002d012a0</Data> <Data Name=3D"ErrorType">9</Data> <Data Name=3D"TransactionType">2</Data> <Data Name=3D"Participation">256</Data> <Data Name=3D"RequestType">8</Data> <Data Name=3D"MemorIO">256</Data> <Data Name=3D"MemHierarchyLvl">1</Data> <Data Name=3D"Timeout">256</Data> <Data Name=3D"Length">1730</Data> <Data Name=3D"RawData">435045520102FFFFFFFF03000200000002000000C2060000242D040008= 0708140000000000000000000000000000000000000000000000000000000000000000BDC40= 7CF89B7184EB3C41F732CB57131FE6FF5E89C91C54CBA8865ABE14913BBB5739B183AE0C801= 00000000000000000000000000000000000000000000000058010000C000000001020000010= 00000ADCC7698B447DB4BB65E16F193C4F3DB00000000000000000000000000000000020000= 00000000000000000000000000000000000000000018020000920200000102000000000000D= 5560F3986CA494695C473A408AE583400000000000000000000000000000000020000000000= 000000000000000000000000000000000000AA040000180200000102000000000000E95412E= 7B9C14049AB76909703A4320F00000000000000000000000000000000020000000000000000= 000000000000000000000000000000FF01000000000000000001000C010000250F000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000006000000000000000000000000000000000000000= 000000000000000000000000000000000000000070100000000000006000000000000000B08= 020600440000FFFBEBBFB045828100000000000000000000000000000000000000000000000= 00000000000000000F50157A5EFE3DE43AC72249B573FAD2C03000000000000009F00622000= 000000004182010000000000000000000000000000000000000000000000000000000001000= 800800100000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000004572507400000000180200000001000000000000000000000000000000000000000000= 0002000000000000000100000000000000020000000600000000000000FF010000000000000= 00001000C010000250F00000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000600000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 0000000000000000000000000100000092030000010000000100000022A96776B5E0C801010= 00000000000000000000000000000890104201F0000CC0041820100000000A012D002004001= 000C00000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000000000000000000000000000000000000000000000000000= 000000000000000000000000000</ Data> </EventData> </Event> Best regards paulreims Tag: "List in the Directory" permission Tag: 132033
  - 13
    - A HOT SHOCKING NEWS FROM MICROSOFT.... TODAY A BIG HOT NEWS FOR EVERYONE FOR MORE DETAILS ON http://polticsinfs.blogspot.com Tag: "List in the Directory" permission Tag: 132031
  - 14
    - Unique time requirement We have an AD 2003 domain which uses the domain hierachy time sync model. There is a developer who is using an application that generates transactions. Before this application hits production they need to confirm that it can log transactions for different times/dates (i dont know why.. they just do) So they have tried changing the system clock, but of course this causes all sorts of problems and they cant access the box. It will then re-sync its clock with a domain controller and the box is back to normal.. Is there some sort of software which can cater for this, ie it interfaces with the system clock and the operating system, so that it can have multiple times. ie the OS communcates with the domain with the correct time, but somehow this app can make available a second time for applications.. strange request.. and I can't see how it can be done but I thought id see if anyone here had come across a similar requirement. They cant do this testing in a workgroup as they need to interface with other apps/boxes on the domain using windows authentication.. any ideas? Tag: "List in the Directory" permission Tag: 132021
  - 15
    - renaming a home directory One of my users just got married and now I want to rename the account. My question is should I just rename the home directory or build another account and migrate to that account. My concern is how LDAP is affected by renaming a home directory . This is a Server 2008 domain Tag: "List in the Directory" permission Tag: 132017
  - 16
    - ADAM Partitions on Separate Servers Is it possible to create an ADAM instance where one or more partitions are on one server and a different partition is on a second server? Tag: "List in the Directory" permission Tag: 132015
  - 17
    - Disabling NETBIOS on windows 2008 server effects group policy I want to avoid NETBIOS traffic in my office ,for that I have disabled "TCP/IP NETBIOS helper" under services of my Windows 2008 std. domain controller.Suddenly, my group policies stopped working and giving me error" failed to open group policies, The network path was not found". If I enable NETBIOS service, group policy works fine. Can anyone suggest me a better way to stop NETBIOS traffic. Thanks Amit Arora amit1982@gmail.com Tag: "List in the Directory" permission Tag: 132008
  - 18
    - lsass.exe terminated - restart of computer I've got several Server 2003 Std SP2 systems running AD that reboot arbitrarily maybe once or twice a week. It seems to be getting more frequent now too. I get the same event IDs every single time in the System and Application event logs. I've run virus scans, used MBSA, ran the Malicious Software Removal Tool, and installed hotfix 927342. Yet, despite everything I've tried, searched endlessly on google for a solution, I cannot seem to figure this problem out. Here's some other info about my environment: * 8 total DCs * 6 sites * 3 GCs (all of the GCs are in the same site - central datacenter) - the other 5 DCs are have Universal group membership cacheing enabled * 2 Exchange Servers - backend cluster and frontend OWA Here's the events I'm seeing and it seems to be related to a problem with lsass.exe: Event Type: Error Event Source: LsaSrv Event Category: Security Package Manager Event ID: 5000 Date: 7/7/2008 Time: 10:10:43 AM User: N/A Computer: Description: The security package Negotiate generated an exception. The exception information is the data. Event Type: Information Event Source: USER32 Event Category: None Event ID: 1074 Date: 7/7/2008 Time: 10:11:31 AM User: NT AUTHORITY\SYSTEM Computer: Description: The process winlogon.exe has initiated the restart of computer on behalf of user for the following reason: No title for this reason could be found Reason Code: 0x50006 Shutdown Type: restart Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -1073741819. The system will now shut down and restart. Event Type: Error Event Source: Winlogon Event Category: None Event ID: 1015 Date: 7/7/2008 Time: 10:11:25 AM User: N/A Computer: Description: A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted. Event Type: Error Event Source: Application Error Event Category: (100) Event ID: 1000 Date: 7/7/2008 Time: 10:10:53 AM User: N/A Computer: Description: Faulting application lsass.exe, version 5.2.3790.0, faulting module ntdll.dll, version 5.2.3790.3959, fault address 0x0001950e. Has anyone else seen or experienced this problem? I'd appreciate your help. Tag: "List in the Directory" permission Tag: 132003
  - 19
    - DCPROMO RPC error I am trying to promote a domain controller on 2008 in a separate site to my domain. The only existing current DCs are in another site. The sites are connected by permanent VPN, and I know it's working because I can log on to the domain perfectly well (a bit slowly) from any computer at the remote site, as well as join the domain as a member server from the computer I am trying to promote. When running DCPROMO, it starts the process then stops with the error: ----- The operation failed because: Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller CN=NTDS Settings,CN=ES-SERVER2,CN=SERVERS,CN=ELEMENTARY,CN=SITES,CN=CONFIGURATION,DC=stghs,DC=net on the remote AD DC hs-server2.stghs.net. Ensure the provided network credentials have sufficient permissions. "The RPC Server is unavailable." ----- Any ideas? Thanks for your help. Aaron Stamboulieh - MCSA Tag: "List in the Directory" permission Tag: 131995
  - 20
    - PDC Failing and GP not updating I have a somewhat new additional DC in production however the FSMOCheck is failing for it's PDC and I get an error when trying to access the GP. I have included a DCDiag, I can not determine the cause for this. The DCs are connected across a high speed WAN. Any help is much appreciated, thanks in advance. Domain Controller Diagnosis Performing initial setup: * Connecting to directory service on server DRS-689-10. * Collecting site info. * Identifying all servers. * Identifying all NC cross-refs. * Found 3 DC(s). Testing 3 of them. Done gathering initial info. Doing initial required tests Testing server: Default-First-Site-Name\DRS-343-10A Starting test: Connectivity * Active Directory LDAP Services Check * Active Directory RPC Services Check ......................... DRS-343-10A passed test Connectivity Testing server: Default-First-Site-Name\DRS-343-10B Starting test: Connectivity * Active Directory LDAP Services Check * Active Directory RPC Services Check ......................... DRS-343-10B passed test Connectivity Testing server: Default-First-Site-Name\DRS-689-10 Starting test: Connectivity * Active Directory LDAP Services Check * Active Directory RPC Services Check ......................... DRS-689-10 passed test Connectivity Doing primary tests Testing server: Default-First-Site-Name\DRS-343-10A Starting test: Replications * Replications Check * Replication Latency Check The replications latency check is not available on this DC. * Replication Site Latency Check ......................... DRS-343-10A passed test Replications Starting test: Topology * Configuration Topology Integrity Check * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=drs343,DC=drs. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the connection topology for CN=Configuration,DC=drs343,DC=drs. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the connection topology for DC=drs343,DC=drs. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. ......................... DRS-343-10A passed test Topology Starting test: CutoffServers * Configuration Topology Aliveness Check * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=drs343,DC=drs. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the alive system replication topology for CN=Configuration,DC=drs343,DC=drs. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the alive system replication topology for DC=drs343,DC=drs. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. ......................... DRS-343-10A passed test CutoffServers Starting test: NCSecDesc * Security Permissions Check for CN=Schema,CN=Configuration,DC=drs343,DC=drs (Schema,Version 2) * Security Permissions Check for CN=Configuration,DC=drs343,DC=drs (Configuration,Version 2) * Security Permissions Check for DC=drs343,DC=drs (Domain,Version 2) ......................... DRS-343-10A passed test NCSecDesc Starting test: NetLogons * Network Logons Privileges Check ......................... DRS-343-10A passed test NetLogons Starting test: Advertising The DC DRS-343-10A is advertising itself as a DC and having a DS. The DC DRS-343-10A is advertising as an LDAP server The DC DRS-343-10A is advertising as having a writeable directory The DC DRS-343-10A is advertising as a Key Distribution Center The DC DRS-343-10A is advertising as a time server The DS DRS-343-10A is advertising as a GC. ......................... DRS-343-10A passed test Advertising Starting test: KnowsOfRoleHolders Role Schema Owner = CN=NTDS Settings,CN=DRS-343-10A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs Role Domain Owner = CN=NTDS Settings,CN=DRS-343-10A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs Role PDC Owner = CN=NTDS Settings,CN=DRS-343-10A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs Role Rid Owner = CN=NTDS Settings,CN=DRS-343-10A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs Role Infrastructure Update Owner = CN=NTDS Settings,CN=DRS-343-10A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs ......................... DRS-343-10A passed test KnowsOfRoleHolders Starting test: RidManager * Available RID Pool for the Domain is 3601 to 1073741823 * drs-343-10a.drs343.drs is the RID Master * DsBind with RID Master was successful * rIDAllocationPool is 2601 to 3100 * rIDNextRID: 2438 * rIDPreviousAllocationPool is 2101 to 2600 ......................... DRS-343-10A passed test RidManager Starting test: MachineAccount * SPN found :LDAP/drs-343-10a.drs343.drs/drs343.drs * SPN found :LDAP/drs-343-10a.drs343.drs * SPN found :LDAP/DRS-343-10A * SPN found :LDAP/drs-343-10a.drs343.drs/DRS343 * SPN found :LDAP/a37e1493-32f0-407d-b97f-f42c82ec40ee._msdcs.drs343.drs * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/a37e1493-32f0-407d-b97f-f42c82ec40ee/drs343.drs * SPN found :HOST/drs-343-10a.drs343.drs/drs343.drs * SPN found :HOST/drs-343-10a.drs343.drs * SPN found :HOST/DRS-343-10A * SPN found :HOST/drs-343-10a.drs343.drs/DRS343 * SPN found :GC/drs-343-10a.drs343.drs/drs343.drs ......................... DRS-343-10A passed test MachineAccount Starting test: Services * Checking Service: Dnscache * Checking Service: NtFrs * Checking Service: IsmServ * Checking Service: kdc * Checking Service: SamSs * Checking Service: LanmanServer * Checking Service: LanmanWorkstation * Checking Service: RpcSs * Checking Service: w32time * Checking Service: NETLOGON ......................... DRS-343-10A passed test Services Starting test: OutboundSecureChannels * The Outbound Secure Channels test ** Did not run Outbound Secure Channels test because /testdomain: was not entered ......................... DRS-343-10A passed test OutboundSecureChannels Starting test: ObjectsReplicated DRS-343-10A is in domain DC=drs343,DC=drs Checking for CN=DRS-343-10A,OU=Domain Controllers,DC=drs343,DC=drs in domain DC=drs343,DC=drs on 3 servers Object is up-to-date on all servers. Checking for CN=NTDS Settings,CN=DRS-343-10A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs in domain CN=Configuration,DC=drs343,DC=drs on 3 servers Object is up-to-date on all servers. ......................... DRS-343-10A passed test ObjectsReplicated Starting test: frssysvol * The File Replication Service SYSVOL ready test File Replication Service's SYSVOL is ready ......................... DRS-343-10A passed test frssysvol Starting test: frsevent * The File Replication Service Event log test ......................... DRS-343-10A passed test frsevent Starting test: kccevent * The KCC Event log test Found no KCC errors in Directory Service Event log in the last 15 minutes. ......................... DRS-343-10A passed test kccevent Starting test: systemlog * The System Event log test Found no errors in System Event log in the last 60 minutes. ......................... DRS-343-10A passed test systemlog Starting test: VerifyReplicas ......................... DRS-343-10A passed test VerifyReplicas Starting test: VerifyReferences The system object reference (serverReference) CN=DRS-343-10A,OU=Domain Controllers,DC=drs343,DC=drs and backlink on CN=DRS-343-10A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs are correct. The system object reference (frsComputerReferenceBL) CN=DRS-343-10A,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=drs343,DC=drs and backlink on CN=DRS-343-10A,OU=Domain Controllers,DC=drs343,DC=drs are correct. The system object reference (serverReferenceBL) CN=DRS-343-10A,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=drs343,DC=drs and backlink on CN=NTDS Settings,CN=DRS-343-10A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs are correct. ......................... DRS-343-10A passed test VerifyReferences Starting test: VerifyEnterpriseReferences ......................... DRS-343-10A passed test VerifyEnterpriseReferences Testing server: Default-First-Site-Name\DRS-343-10B Starting test: Replications * Replications Check * Replication Latency Check The replications latency check is not available on this DC. * Replication Site Latency Check ......................... DRS-343-10B passed test Replications Starting test: Topology * Configuration Topology Integrity Check * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=drs343,DC=drs. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the connection topology for CN=Configuration,DC=drs343,DC=drs. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the connection topology for DC=drs343,DC=drs. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. ......................... DRS-343-10B passed test Topology Starting test: CutoffServers * Configuration Topology Aliveness Check * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=drs343,DC=drs. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the alive system replication topology for CN=Configuration,DC=drs343,DC=drs. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the alive system replication topology for DC=drs343,DC=drs. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. ......................... DRS-343-10B passed test CutoffServers Starting test: NCSecDesc * Security Permissions Check for CN=Schema,CN=Configuration,DC=drs343,DC=drs (Schema,Version 2) * Security Permissions Check for CN=Configuration,DC=drs343,DC=drs (Configuration,Version 2) * Security Permissions Check for DC=drs343,DC=drs (Domain,Version 2) ......................... DRS-343-10B passed test NCSecDesc Starting test: NetLogons * Network Logons Privileges Check ......................... DRS-343-10B passed test NetLogons Starting test: Advertising The DC DRS-343-10B is advertising itself as a DC and having a DS. The DC DRS-343-10B is advertising as an LDAP server The DC DRS-343-10B is advertising as having a writeable directory The DC DRS-343-10B is advertising as a Key Distribution Center The DC DRS-343-10B is advertising as a time server The DS DRS-343-10B is advertising as a GC. ......................... DRS-343-10B passed test Advertising Starting test: KnowsOfRoleHolders Role Schema Owner = CN=NTDS Settings,CN=DRS-343-10A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs Role Domain Owner = CN=NTDS Settings,CN=DRS-343-10A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs Role PDC Owner = CN=NTDS Settings,CN=DRS-343-10A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs Role Rid Owner = CN=NTDS Settings,CN=DRS-343-10A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs Role Infrastructure Update Owner = CN=NTDS Settings,CN=DRS-343-10A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs ......................... DRS-343-10B passed test KnowsOfRoleHolders Starting test: RidManager * Available RID Pool for the Domain is 3601 to 1073741823 * drs-343-10a.drs343.drs is the RID Master * DsBind with RID Master was successful * rIDAllocationPool is 1601 to 2100 * rIDNextRID: 1611 * rIDPreviousAllocationPool is 1601 to 2100 ......................... DRS-343-10B passed test RidManager Starting test: MachineAccount * SPN found :LDAP/drs-343-10b.drs343.drs/drs343.drs * SPN found :LDAP/drs-343-10b.drs343.drs * SPN found :LDAP/DRS-343-10B * SPN found :LDAP/drs-343-10b.drs343.drs/DRS343 * SPN found :LDAP/9261c24e-6c89-427d-b152-78381398cde1._msdcs.drs343.drs * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/9261c24e-6c89-427d-b152-78381398cde1/drs343.drs * SPN found :HOST/drs-343-10b.drs343.drs/drs343.drs * SPN found :HOST/drs-343-10b.drs343.drs * SPN found :HOST/DRS-343-10B * SPN found :HOST/drs-343-10b.drs343.drs/DRS343 * SPN found :GC/drs-343-10b.drs343.drs/drs343.drs ......................... DRS-343-10B passed test MachineAccount Starting test: Services * Checking Service: Dnscache * Checking Service: NtFrs * Checking Service: IsmServ * Checking Service: kdc * Checking Service: SamSs * Checking Service: LanmanServer * Checking Service: LanmanWorkstation * Checking Service: RpcSs * Checking Service: w32time * Checking Service: NETLOGON ......................... DRS-343-10B passed test Services Starting test: OutboundSecureChannels * The Outbound Secure Channels test ** Did not run Outbound Secure Channels test because /testdomain: was not entered ......................... DRS-343-10B passed test OutboundSecureChannels Starting test: ObjectsReplicated DRS-343-10B is in domain DC=drs343,DC=drs Checking for CN=DRS-343-10B,OU=Domain Controllers,DC=drs343,DC=drs in domain DC=drs343,DC=drs on 3 servers Object is up-to-date on all servers. Checking for CN=NTDS Settings,CN=DRS-343-10B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs in domain CN=Configuration,DC=drs343,DC=drs on 3 servers Object is up-to-date on all servers. ......................... DRS-343-10B passed test ObjectsReplicated Starting test: frssysvol * The File Replication Service SYSVOL ready test File Replication Service's SYSVOL is ready ......................... DRS-343-10B passed test frssysvol Starting test: frsevent * The File Replication Service Event log test ......................... DRS-343-10B passed test frsevent Starting test: kccevent * The KCC Event log test Found no KCC errors in Directory Service Event log in the last 15 minutes. ......................... DRS-343-10B passed test kccevent Starting test: systemlog * The System Event log test Found no errors in System Event log in the last 60 minutes. ......................... DRS-343-10B passed test systemlog Starting test: VerifyReplicas ......................... DRS-343-10B passed test VerifyReplicas Starting test: VerifyReferences The system object reference (serverReference) CN=DRS-343-10B,OU=Domain Controllers,DC=drs343,DC=drs and backlink on CN=DRS-343-10B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs are correct. The system object reference (frsComputerReferenceBL) CN=DRS-343-10B,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=drs343,DC=drs and backlink on CN=DRS-343-10B,OU=Domain Controllers,DC=drs343,DC=drs are correct. The system object reference (serverReferenceBL) CN=DRS-343-10B,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=drs343,DC=drs and backlink on CN=NTDS Settings,CN=DRS-343-10B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs are correct. ......................... DRS-343-10B passed test VerifyReferences Starting test: VerifyEnterpriseReferences ......................... DRS-343-10B passed test VerifyEnterpriseReferences Testing server: Default-First-Site-Name\DRS-689-10 Starting test: Replications * Replications Check * Replication Latency Check CN=Schema,CN=Configuration,DC=drs343,DC=drs Latency information for 1 entries in the vector were ignored. 0 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 1 had no latency information (Win2K DC). CN=Configuration,DC=drs343,DC=drs Latency information for 1 entries in the vector were ignored. 0 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 1 had no latency information (Win2K DC). DC=drs343,DC=drs Latency information for 1 entries in the vector were ignored. 0 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 1 had no latency information (Win2K DC). * Replication Site Latency Check ......................... DRS-689-10 passed test Replications Starting test: Topology * Configuration Topology Integrity Check * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=drs343,DC=drs. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the connection topology for CN=Configuration,DC=drs343,DC=drs. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the connection topology for DC=drs343,DC=drs. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. ......................... DRS-689-10 passed test Topology Starting test: CutoffServers * Configuration Topology Aliveness Check * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=drs343,DC=drs. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the alive system replication topology for CN=Configuration,DC=drs343,DC=drs. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the alive system replication topology for DC=drs343,DC=drs. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. ......................... DRS-689-10 passed test CutoffServers Starting test: NCSecDesc * Security Permissions Check for CN=Schema,CN=Configuration,DC=drs343,DC=drs (Schema,Version 2) * Security Permissions Check for CN=Configuration,DC=drs343,DC=drs (Configuration,Version 2) * Security Permissions Check for DC=drs343,DC=drs (Domain,Version 2) ......................... DRS-689-10 passed test NCSecDesc Starting test: NetLogons * Network Logons Privileges Check ......................... DRS-689-10 passed test NetLogons Starting test: Advertising The DC DRS-689-10 is advertising itself as a DC and having a DS. The DC DRS-689-10 is advertising as an LDAP server The DC DRS-689-10 is advertising as having a writeable directory The DC DRS-689-10 is advertising as a Key Distribution Center The DC DRS-689-10 is advertising as a time server The DS DRS-689-10 is advertising as a GC. ......................... DRS-689-10 passed test Advertising Starting test: KnowsOfRoleHolders Role Schema Owner = CN=NTDS Settings,CN=DRS-343-10A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs Role Domain Owner = CN=NTDS Settings,CN=DRS-343-10A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs Role PDC Owner = CN=NTDS Settings,CN=DRS-343-10A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs Role Rid Owner = CN=NTDS Settings,CN=DRS-343-10A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs Role Infrastructure Update Owner = CN=NTDS Settings,CN=DRS-343-10A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs ......................... DRS-689-10 passed test KnowsOfRoleHolders Starting test: RidManager * Available RID Pool for the Domain is 3601 to 1073741823 * drs-343-10a.drs343.drs is the RID Master * DsBind with RID Master was successful * rIDAllocationPool is 3101 to 3600 * rIDPreviousAllocationPool is 3101 to 3600 * rIDNextRID: 3107 ......................... DRS-689-10 passed test RidManager Starting test: MachineAccount * SPN found :LDAP/drs-689-10.drs343.drs/drs343.drs * SPN found :LDAP/drs-689-10.drs343.drs * SPN found :LDAP/DRS-689-10 * SPN found :LDAP/drs-689-10.drs343.drs/DRS343 * SPN found :LDAP/af71a11f-b6e5-4096-839f-d94bd27c1402._msdcs.drs343.drs * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/af71a11f-b6e5-4096-839f-d94bd27c1402/drs343.drs * SPN found :HOST/drs-689-10.drs343.drs/drs343.drs * SPN found :HOST/drs-689-10.drs343.drs * SPN found :HOST/DRS-689-10 * SPN found :HOST/drs-689-10.drs343.drs/DRS343 * SPN found :GC/drs-689-10.drs343.drs/drs343.drs ......................... DRS-689-10 passed test MachineAccount Starting test: Services * Checking Service: Dnscache * Checking Service: NtFrs * Checking Service: IsmServ * Checking Service: kdc * Checking Service: SamSs * Checking Service: LanmanServer * Checking Service: LanmanWorkstation * Checking Service: RpcSs * Checking Service: w32time * Checking Service: NETLOGON ......................... DRS-689-10 passed test Services Starting test: OutboundSecureChannels * The Outbound Secure Channels test ** Did not run Outbound Secure Channels test because /testdomain: was not entered ......................... DRS-689-10 passed test OutboundSecureChannels Starting test: ObjectsReplicated DRS-689-10 is in domain DC=drs343,DC=drs Checking for CN=DRS-689-10,OU=Domain Controllers,DC=drs343,DC=drs in domain DC=drs343,DC=drs on 3 servers Object is up-to-date on all servers. Checking for CN=NTDS Settings,CN=DRS-689-10,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs in domain CN=Configuration,DC=drs343,DC=drs on 3 servers Object is up-to-date on all servers. ......................... DRS-689-10 passed test ObjectsReplicated Starting test: frssysvol * The File Replication Service SYSVOL ready test File Replication Service's SYSVOL is ready ......................... DRS-689-10 passed test frssysvol Starting test: frsevent * The File Replication Service Event log test ......................... DRS-689-10 passed test frsevent Starting test: kccevent * The KCC Event log test Found no KCC errors in Directory Service Event log in the last 15 minutes. ......................... DRS-689-10 passed test kccevent Starting test: systemlog * The System Event log test Found no errors in System Event log in the last 60 minutes. ......................... DRS-689-10 passed test systemlog Starting test: VerifyReplicas ......................... DRS-689-10 passed test VerifyReplicas Starting test: VerifyReferences The system object reference (serverReference) CN=DRS-689-10,OU=Domain Controllers,DC=drs343,DC=drs and backlink on CN=DRS-689-10,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs are correct. The system object reference (frsComputerReferenceBL) CN=DRS-689-10,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=drs343,DC=drs and backlink on CN=DRS-689-10,OU=Domain Controllers,DC=drs343,DC=drs are correct. The system object reference (serverReferenceBL) CN=DRS-689-10,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=drs343,DC=drs and backlink on CN=NTDS Settings,CN=DRS-689-10,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=drs343,DC=drs are correct. ......................... DRS-689-10 passed test VerifyReferences Starting test: VerifyEnterpriseReferences ......................... DRS-689-10 passed test VerifyEnterpriseReferences Running partition tests on : Schema Starting test: CrossRefValidation ......................... Schema passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Schema passed test CheckSDRefDom Running partition tests on : Configuration Starting test: CrossRefValidation ......................... Configuration passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Configuration passed test CheckSDRefDom Running partition tests on : drs343 Starting test: CrossRefValidation ......................... drs343 passed test CrossRefValidation Starting test: CheckSDRefDom ......................... drs343 passed test CheckSDRefDom Running enterprise tests on : drs343.drs Starting test: Intersite Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided. ......................... drs343.drs passed test Intersite Starting test: FsmoCheck GC Name: \\drs-689-10.drs343.drs Locator Flags: 0xe00003fc Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355 A Primary Domain Controller could not be located. The server holding the PDC role is down. Time Server Name: \\drs-689-10.drs343.drs Locator Flags: 0xe00003fc Preferred Time Server Name: \\drs-689-10.drs343.drs Locator Flags: 0xe00003fc KDC Name: \\drs-689-10.drs343.drs Locator Flags: 0xe00003fc ......................... drs343.drs failed test FsmoCheck Tag: "List in the Directory" permission Tag: 131992
  - 21
    - Domain can not be found I'm having a time of things. Recently a domain controller, the first one in the domain, died. I was able to successfully remove the controller from active directory using the Microsoft knowledge base article, but now my domain can not be found. DCDIAG gives errors when run from the current domain controller. I've used the registerdns switch of ipconfig, restarted net logon, and ensured that the old server is not referenced anywhere in DNS. I've also ensured that all of my clients are using this server as the DNS server, but still, I can't find the domain. I can successfully ping the server and all other clients by name, I do not use NetBIOS and I do not use WINS, and I can use nslookup successfully. Plus, the SYSVOL and NETLOGON shares are completely gone. I need serious help. The results of a DCDIAG are below. The site name is HURRICANE, server name is CORUSCANT. Domain Controller Diagnosis Performing initial setup: Done gathering initial info. Doing initial required tests Testing server: Hurricane\CORUSCANT Starting test: Connectivity ......................... CORUSCANT passed test Connectivity Doing primary tests Testing server: Hurricane\CORUSCANT Starting test: Replications ......................... CORUSCANT passed test Replications Starting test: NCSecDesc ......................... CORUSCANT passed test NCSecDesc Starting test: NetLogons Unable to connect to the NETLOGON share! (\\CORUSCANT\netlogon) [CORUSCANT] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path.. ......................... CORUSCANT failed test NetLogons Starting test: Advertising ......................... CORUSCANT passed test Advertising Starting test: KnowsOfRoleHolders ......................... CORUSCANT passed test KnowsOfRoleHolders Starting test: RidManager ......................... CORUSCANT passed test RidManager Starting test: MachineAccount ......................... CORUSCANT passed test MachineAccount Starting test: Services ......................... CORUSCANT passed test Services Starting test: ObjectsReplicated ......................... CORUSCANT passed test ObjectsReplicated Starting test: frssysvol ......................... CORUSCANT passed test frssysvol Starting test: frsevent ......................... CORUSCANT passed test frsevent Starting test: kccevent ......................... CORUSCANT passed test kccevent Starting test: systemlog An Error Event occured. EventID: 0x00000457 Time Generated: 07/07/2008 10:35:00 (Event String could not be retrieved) An Error Event occured. EventID: 0x00000457 Time Generated: 07/07/2008 10:35:01 (Event String could not be retrieved) An Error Event occured. EventID: 0x00000457 Time Generated: 07/07/2008 10:35:02 (Event String could not be retrieved) An Error Event occured. EventID: 0x00000457 Time Generated: 07/07/2008 10:35:03 (Event String could not be retrieved) ......................... CORUSCANT failed test systemlog Starting test: VerifyReferences ......................... CORUSCANT passed test VerifyReferences Running partition tests on : ForestDnsZones Starting test: CrossRefValidation ......................... ForestDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... ForestDnsZones passed test CheckSDRefDom Running partition tests on : DomainDnsZones Starting test: CrossRefValidation ......................... DomainDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... DomainDnsZones passed test CheckSDRefDom Running partition tests on : Schema Starting test: CrossRefValidation ......................... Schema passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Schema passed test CheckSDRefDom Running partition tests on : Configuration Starting test: CrossRefValidation ......................... Configuration passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Configuration passed test CheckSDRefDom Running partition tests on : ccs Starting test: CrossRefValidation ......................... ccs passed test CrossRefValidation Starting test: CheckSDRefDom ......................... ccs passed test CheckSDRefDom Running enterprise tests on : ccs.local Starting test: Intersite ......................... ccs.local passed test Intersite Starting test: FsmoCheck Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355 A Global Catalog Server could not be located - All GC's are down. Warning: DcGetDcName(TIME_SERVER) call failed, error 1355 A Time Server could not be located. The server holding the PDC role is down. Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355 A Good Time Server could not be located. Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355 A KDC could not be located - All the KDCs are down. ......................... ccs.local failed test FsmoCheck Tag: "List in the Directory" permission Tag: 131988
  - 22
    - watch actress sexy photo from movie clips http://priyamaniforyou.blogspot.com/ watch actress sexy photo from movie clips http://priyamaniforyou.blogspot.com/ Tag: "List in the Directory" permission Tag: 131984
  - 23
    - Cached Credentials stop working all of a sudden Hello, we have a Domain built on a mixture of 2003- and 2000-based domain controllers. We have lots of people who are on the road regularly using notebooks. Some people only log on to the domain once every half a year. When they are on the road they log on using cached credentials. They do not have local admin permissions and we do not allow them to use a local user account (this has been dictated by company management). About once every 2 months we have a case where some laptop user all of a sudden cannot use his cached credentials anymore. The system shows a message, that the domain cannot be contacted and that's it. This hits different people on different laptops without any warning. It has actually happened to myself when I was on a one-week-vacation. If we connect the laptop to the network and have the person log on "properly" the problem goes away and cached credentials work. Some people have RAS permissions and we have been able to "solve" the problem by having them log on using RAS. We do not have a GP defining the use of cached credentials so the default of the last 10 logons is in place. We do not tamper with the cahced logons in the registry either. There is no password expiration policy in place. Does anybody have an idea? It's a real pain having to tell someone that he has to mail his notebook back to HQ half way around the world so that we can log him on. Any help or hint would be greatly appreciated! Thanks! HarryH Tag: "List in the Directory" permission Tag: 131981
  - 24
    - Task Scheduler keeps losing passwords Hello, I started having problems with scheduled tasks last weekend. For some reason the Task Scheduler keeps losing the used accounts passwords. The problem is with atleast two of the servers in the domain. The other is Windows 2000 and the other 2003. I don't know if someone has made any changes to GPO. But when I asked about it I got no replies. Any idea what could be causing this? Tag: "List in the Directory" permission Tag: 131978
  - 25
    - adam withou sp1 hi all, I need to know if i can download a msi to install ADAM without SP1. Our cx need to creat a replica between two servers and one of servers has ADAM without SP1 and the other one with SP1. Cx need to have both servers without SP1. What option is better? both with SP1 or Without? it's possible creat the replica with different versions? Thanks. Joan Tag: "List in the Directory" permission Tag: 131976

How can I only assign a certain custom security group that I have created
"Printer Publishers" the "list in the directory" right/permission? Right now
it seems any user can clikc "List In The Directory" for any shared printer
and it show up in my list of printers in active directory... don't want that,
only want the group to be able to publish printers.

Top

Re: "List in the Directory" permission by Joseph

Joseph
Fri Jul 11 06:27:02 PDT 2008

I suppose first it is important to understand how this happens. When a user
clicks "List in the directory", the computer account (not the user's
account) creates a "printQueue" child object under the computer object in
AD. This is allowed because "SELF" is has the "Create all child objects"
right which is inherited from the default security of the schema.

To remove the ability for ALL computer to do this, you would have to set an
explicit deny at the domain level that applies to computer objects. The
right you would need to deny is "Create Printer Objects".

To grant certain users this right is much more difficult. Since the print
spoolers runs as LOCAL SYSTEM, you can only grant permission to add printer
objects to computer accounts (unless you decide to run the printer spooler
service as an AD account for all machines you want to allow publishing
from). The only (easy) option I can think of is to put all of the computers
you wish to allow printer publishing from in a single OU then un-inherit the
DENY permission you granted at the root of the domain.

I'm quite sure there are more exotic ways to accomplish this, but I'd be
concerned that it's not worth the effort.

--
Joseph T. Corey MCSE, Security+
Systems Administrator
http://joecorey.wordpress.com/

"Mark Z." <MarkZ@discussions.microsoft.com> wrote in message
news:DA40B414-39A7-479D-B10C-F256B449BCC1@microsoft.com...
> How can I only assign a certain custom security group that I have created
> "Printer Publishers" the "list in the directory" right/permission? Right
> now
> it seems any user can clikc "List In The Directory" for any shared printer
> and it show up in my list of printers in active directory... don't want
> that,
> only want the group to be able to publish printers.

Top