guyt

Forum Replies Created

Viewing 30 posts - 1 through 30 (of 1,707 total)
    guyt
    Member
    in reply to: cannot register to domain #193996

    Re: cannot register to domain

    labradorg13;269315 wrote:
    my netsetup.log

    01/18 09:43:40


    01/18 09:43:40 NetpValidateName: checking to see if ‘WORKGROUP’ is valid as type 2 name

    THIS PART IS ABOUT JOINING WORKGROUP. NOT INTERESTING. PROBABLY PART OF SETUP

    01/18 09:44:02 NetpDoDomainJoin: status: 0x0

    01/18 09:59:44


    01/18 09:59:44 NetpValidateName: checking to see if ‘DVO-MATINA.LOCAL’ is valid as type 4 name <-- this is the start of the domain join
    01/18 09:59:44 NetpValidateName: ‘DVO-MATINA.LOCAL’ is not a valid NetBIOS domain name: 0x7b
    01/18 09:59:47 NetpCheckNetBiosNameNotInUse for ‘DVO-MATINA.LOCAL’ [MACHINE] returned 0x0
    01/18 09:59:47 NetpCheckDomainNameIsValid [ NON-Existant ]for ‘DVO-MATINA.LOCAL’ returned 0x0
    01/18 09:59:47 NetpValidateName: name ‘DVO-MATINA.LOCAL’ is valid for type 4
    no errors till here…

    Now where is the rest of the log?
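As an added triage helper (written for this page, not the poster's code), the following parses netsetup.log lines like the ones quoted above, splits them into join attempts and reports each attempt's non-zero step codes and its final NetpDoDomainJoin status; a missing final status is exactly the "where is the rest of the log" situation. The sample log is constructed from the quoted lines.

```python
import re
from typing import Dict, List

# Matches the timestamped Netp* lines; the trailing hex code, when present,
# is the Win32 status of that step (0x7b = ERROR_INVALID_NAME, expected when
# a DNS-style name is checked as a NetBIOS name).
LINE_RE = re.compile(r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<func>Netp\w+):?\s+(?P<msg>.*)$")
STATUS_RE = re.compile(r"(0x[0-9a-fA-F]+)\s*$")
NAME_RE = re.compile(r"'([^']+)'")

# Constructed sample: the lines quoted in the post, with straight quotes.
SAMPLE_LOG = """\
01/18 09:43:40 NetpValidateName: checking to see if 'WORKGROUP' is valid as type 2 name
01/18 09:44:02 NetpDoDomainJoin: status: 0x0
01/18 09:59:44 NetpValidateName: checking to see if 'DVO-MATINA.LOCAL' is valid as type 4 name
01/18 09:59:44 NetpValidateName: 'DVO-MATINA.LOCAL' is not a valid NetBIOS domain name: 0x7b
01/18 09:59:47 NetpCheckNetBiosNameNotInUse for 'DVO-MATINA.LOCAL' [MACHINE] returned 0x0
01/18 09:59:47 NetpCheckDomainNameIsValid [ NON-Existant ]for 'DVO-MATINA.LOCAL' returned 0x0
01/18 09:59:47 NetpValidateName: name 'DVO-MATINA.LOCAL' is valid for type 4
"""

def parse_netsetup(text: str) -> List[Dict]:
    """Return one event per Netp* line: timestamp, function, message, status."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # separator and blank lines carry no step information
        s = STATUS_RE.search(m.group("msg"))
        events.append({"ts": m.group("ts"), "func": m.group("func"),
                       "msg": m.group("msg"),
                       "status": int(s.group(1), 16) if s else None})
    return events

def join_attempts(events: List[Dict]) -> List[List[Dict]]:
    """Group events into attempts, each starting at a 'checking to see if' line."""
    attempts: List[List[Dict]] = []
    for ev in events:
        if ev["func"] == "NetpValidateName" and ev["msg"].startswith("checking to see if"):
            attempts.append([])
        if attempts:
            attempts[-1].append(ev)
    return attempts

def attempt_summary(attempt: List[Dict]) -> Dict:
    """Name being joined, every non-zero step status, and the final join status
    (None means NetpDoDomainJoin was never logged, i.e. the log is truncated)."""
    name = NAME_RE.search(attempt[0]["msg"]).group(1)
    nonzero = [(e["func"], e["status"]) for e in attempt if e["status"] not in (None, 0)]
    final = [e["status"] for e in attempt if e["func"] == "NetpDoDomainJoin"]
    return {"name": name, "nonzero": nonzero, "join_status": final[-1] if final else None}

if __name__ == "__main__":
    for a in join_attempts(parse_netsetup(SAMPLE_LOG)):
        print(attempt_summary(a))
```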

    guyt
    Member
    in reply to: cannot register to domain #193995

    Re: cannot register to domain

    Can you share the netsetup.log located under c:\windows\debug please? It contains the detailed information about the domain join attempt.

    guyt
    Member
    in reply to: DNS can not load zone #193994

    Re: DNS can not load zone

    Can you please share the output of the following commands:

    repadmin /showconn
    repadmin /showrepl

    guyt
    Member
    in reply to: cannot register to domain #193993

    Re: cannot register to domain

    What records are registered for “matinaserver.dvo-matina.local” name in DNS?
    Can you ping the DC by that name/IP?

    guyt
    Member

    Re: do you need to define an AD Site if there is no DC in that site?

    In your specific case, you do not need to create a new AD site, but you should define the subnet in Sites and Services and assign the subnet to your primary office AD site.

    As for location of the DCs, the DNS is a passive infrastructure – it does not perform any decision for the client, it is an information store of various records that the client uses to locate DCs (among other things). The exact process of locating a DC is outlined here: http://support.microsoft.com/kb/314861
    Bottom line: if the client’s subnet is not defined in AD, the client might end up authenticating/using a random DC from its domain.

    guyt
    Member
    in reply to: AD 2008 Allow LDAP Auth via Email address #193991

    Re: AD 2008 Allow LDAP Auth via Email address

    There is no need to add a UPN suffix (this is required only for UPN suffix routing across forest trusts). UPNs can have arbitrary suffixes. It is an ADUC limitation to display only the configured UPN suffixes in the dropdown box. If you edit the userPrincipalName attribute directly (ADSIEDIT/etc…), you can write there a UPN with any suffix you want.

    guyt
    Member

    Re: How to document delegations (delegated access) in Active Directory?

    Take a look at checkdsacls.exe: http://activedirectoryutils.codeplex.com/releases/view/20704

    guyt
    Member

    Re: Disable Active Directory change event notifications to other applications

    I guess you were referring to DirSync: http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx

    DirSync is an LDAP control supported by AD which allows a client to poll for incremental changes from AD.

    guyt
    Member

    Re: Disable Active Directory change event notifications to other applications

    Change notifications cannot be slowed down or buffered on the server side.
    It’s up to the client to deal with the change rate. The way the client can control the amount of data received is to limit the list of attributes returned in the change notification request (see explanation of “Attributes” at the following link: http://msdn.microsoft.com/en-us/library/aa772153(VS.85).aspx)

    If you have an application that cannot deal with the change rate of AD (and frankly speaking 3K/hour is less than 1 notification/sec and is not that high), the application vendor should really be looking at his code quality (“buffering” anyone?)

    Another approach is to switch to DirSync control which is based on polling. This way the application can poll for changes when it is idle or has the required resources to process the changes.

    In any case, the techniques of tracking changes in AD are well documented on MSDN: http://msdn.microsoft.com/en-us/library/ms677625(VS.85).aspx

    guyt
    Member
    in reply to: downgrade or downlevel ntlm (you heard) #193987

    Re: downgrade or downlevel ntlm (you heard)

    Take a look at the following KB: http://support.microsoft.com/kb/942564

    guyt
    Member
    in reply to: Trouble authenticating after username rename #193986

    Re: Trouble authenticating after username rename

    LSA maintains a local cache of SID resolution on the member servers/clients.
    http://support.microsoft.com/kb/946358

    guyt
    Member
    in reply to: Create domain under root domain or leaf domain? #193985

    Re: Create domain under root domain or leaf domain?

    Garen;185626 wrote:
    buy yea, make a new child under the root and change the trusts to a one-way between the two child domains.

    This is not supported – trusts between domains in a forest have to be bi-directional.

    If the requirement is to have one-way access, a new forest with a unidirectional trust is the way to go.

    guyt
    Member
    in reply to: can I force an AD user to login once at a time #193984

    Re: can I force an AD user to login once at a time

    Not without 3rd party or custom written scripts/application that tracks the interactive logons.

    guyt
    Member
    in reply to: Banner #193983

    Re: Banner

    Doh! It’s Google AdSense.

    guyt
    Member
    in reply to: vBulletin security update released #193982

    Re: vBulletin security update released

    Done. As always, please let me know if you notice any issues.

    guyt
    Member
    in reply to: ASA VPN with LDAP Authentication #193981

    Re: ASA VPN with LDAP Authentication

    I have no idea how ASA works, but if you can specify an LDAP filter for looking up the user accounts AND the users are direct members of the “VPN Users” group (aka not members via nesting), then you can alter the filter to something like:

    “(&(sAMAccountname=)(memberOf=cn=VPN Users,cn=Users,DC=domain,DC=local))”
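To make the direct-membership caveat concrete, here is an added example (not the poster's or Cisco's code) that builds the filter above with the user name substituted and RFC 4515-escaped, then evaluates it against two constructed entries; the group DN and the entries are assumed. A real ASA lookup goes through an LDAP server; the small evaluator here only handles equality terms joined by & or |.

```python
import re

# RFC 4515 escaping for the characters that are special inside a filter
# assertion value, so a user-supplied name cannot alter the filter structure.
def escape_filter_value(value: str) -> str:
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

VPN_GROUP_DN = "cn=VPN Users,cn=Users,DC=domain,DC=local"  # group DN from the post

def vpn_user_filter(sam_account_name: str, group_dn: str = VPN_GROUP_DN) -> str:
    """The post's filter with the user name and group DN substituted safely."""
    return "(&(sAMAccountName=%s)(memberOf=%s))" % (
        escape_filter_value(sam_account_name), escape_filter_value(group_dn))

def evaluate(filter_str: str, entry: dict) -> bool:
    """Evaluate equality terms joined by & or | (a subset of RFC 4515) against
    an entry given as {attribute-in-lowercase: [values]}; matching is
    case-insensitive, as for AD's sAMAccountName and DN-valued attributes."""
    body = filter_str.strip()[1:-1]
    if body and body[0] in "&|":
        terms, depth, start = [], 0, 0
        for i, ch in enumerate(body):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    terms.append(body[start:i + 1])
        results = [evaluate(t, entry) for t in terms]
        return all(results) if body[0] == "&" else any(results)
    attr, _, val = body.partition("=")
    val = _unescape(val).lower()
    return any(v.lower() == val for v in entry.get(attr.lower(), []))

# Constructed sample entries: alice is a direct member of the VPN group; bob is
# only a member via a nested group, which the user's memberOf does not list.
ENTRIES = {
    "alice": {"samaccountname": ["alice"], "memberof": [VPN_GROUP_DN]},
    "bob": {"samaccountname": ["bob"],
            "memberof": ["cn=Remote Staff,cn=Users,DC=domain,DC=local"]},
}

def vpn_allowed(sam_account_name: str) -> bool:
    """True only if some entry satisfies the filter, i.e. a direct member."""
    return any(evaluate(vpn_user_filter(sam_account_name), e) for e in ENTRIES.values())
```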

    guyt
    Member
    in reply to: how to run Server 2008 R2 as a DC in Windows 2003 domain #193980

    Re: how to run Server 2008 R2 as a DC in Windows 2003 domain

    Appendix B: How to Upgrade Domain Controllers to Windows Server 2008 or Windows Server 2008 R2:
    http://technet.microsoft.com/en-us/library/ee522994(WS.10).aspx

    P.S.: restoring DCs from image in multi-DC environment is not supported and actually causes USN rollbacks. NEVER EVER do it.

    guyt
    Member
    in reply to: vBulletin security update released #193979

    Re: vBulletin security update released

    I will be patching tomorrow during off-peak hours.

    guyt
    Member
    in reply to: User Account Lock Out Oddity #193978

    Re: User Account Lock Out Oddity

    stamandster;183836 wrote:
    Let’s say a user logs into a workstation and the user gets locked out of the domain; they can still access network resources without issue (email, shares, printers). If they lock their workstation they can still unlock it.

    What OS are you testing on? Any chance you are still on XP SP2 or below?
    If you are on XP SP2, does the hotfix from the following KB http://support.microsoft.com/kb/939850 change the behavior?
    (ignore the title of the article – IIRC this is the latest kerberos.dll for XP SP2)

    guyt
    Member
    in reply to: LDIFDE Import issue #193977

    Re: LDIFDE Import issue

    Have you deployed Exchange schema extensions in your test forest?
    Are you aware that not all attributes can be imported/exported?

    What commands are you using to export and to import?

    guyt
    Member
    in reply to: Make Description field non optional #193976

    Re: Make Description field non optional

    I would avoid at any cost trying to enforce it via schema. Just think about applications that during installation create service accounts – all those will fail.

    I’d implement some provisioning system for account creation with its own logic and would proactively scan the AD for user objects lacking the attribute.

    Why would you want something like this?

    guyt
    Member
    in reply to: AD replication question #193975

    Re: AD replication question

    There are chances of introducing duplicate SIDs in the environment when restoring a DC that used to be a RID Master.

    If Initial Sync is disabled on RID Master that is restored, this can happen quite easily: http://support.microsoft.com/kb/305476

    guyt
    Member

    Re: How can I verify LDAP client usage prior to decommissioning a server?

    You can enable LDAP query logging and analyze the logs:
    http://www.activedir.org/Articles/tabid/54/articleType/ArticleView/articleId/41/Default.aspx

    guyt
    Member

    Re: How can I verify LDAP client usage prior to decommissioning a server?

    dbutch1976;182957 wrote:
    However… Wouldn’t it be much much easier just to add the static DNS IP address as a secondary IP address on one of the new 2008 servers? Wouldn’t that immediately redirect all DNS requests to the new box and save me having to go to each client and making manual changes?

    This will break authentication for LDAP clients that are using Kerberos authentication and have a hard-coded DNS name of the DC.

    guyt
    Member
    in reply to: Manually Undeleting Objects in AD – LDP error message #193972

    Re: Manually Undeleting Objects in AD – LDP error message

    00002089 = ERROR_DS_NO_PARENT_OBJECT

    You need to first reanimate the OU/container the object was deleted from.
    Take a look at the lastKnownParent attribute of the tombstone to figure out which one it is.

    guyt
    Member
    in reply to: Server 2008 vs Server 2008 R2? #193971

    Re: Server 2008 vs Server 2008 R2?

    dugn alias exists in our GAL and his title is Program Manager, which makes this quite credible ;)

    A couple of non-NDA bits:

    1. W2K3 and W2K3 R2 had the same kernel. W2K8 R2 has a lot of kernel changes in the performance, stability, scalability and power savings areas

    2. W2K3 R2 did not change the functionality of W2K3 OS components. W2K3 R2 only introduced new features. W2K8 R2 introduces changes to existing OS components (Hyper-V v2, Cluster Shared Volumes, new AD domain/forest functional levels, major TS changes, etc…)

    guyt
    Member
    in reply to: MVP spotted, #193970

    Re: MVP spotted,

    All done.

    1. Working on public holidays and attending an online course from home while the office is closed sucks
    2. Looks like I’ll be compensating myself in January with a long vacation at Thailand :)

    guyt
    Member
    in reply to: Help with Site Link issue #193969

    Re: Help with Site Link issue

    You have 2 options:

    1) Disable “Bridge all site links” on the IP transport – not recommended, as this also disables DFS site costing ability.

    2) Turn on the option on site B not to generate connection objects with sites to which there is no explicit site link, using the following syntax:

    repadmin /siteoptions /site:"B" +W2K3_BRIDGES_REQUIRED

    guyt
    Member
    in reply to: When you need Sites and Services? #193968

    Re: When you need Sites and Services?

    VWA4;176037 wrote:
    Just one other thing to throw out there… If you have sites created but do not have DC’s within them you could look at enabling Universal Group Caching as to aid in the speed of the log on process.

    And who will be caching the Universal groups if there are no DCs in the site ???

    UG caching is for sites with DCs that are not GCs…

    guyt
    Member
    in reply to: Problem installing SP2 2008 x64 #193967

    Re: Problem installing SP2 2008 x64

    Can you post the %windir%\Logs\CBS\CBS.log log from a server having the issue?
