lukeandmax

Forum Replies Created

Viewing 17 posts - 1 through 17 (of 17 total)
    lukeandmax
    Member

    Re: Duplicating whole AD structure to another server with Export/Import utility

    Wow… some of them are really useful.
    I also found some interesting methods to get information out of AD just by looking at the source code of those scripts :-)
    Thanks so much!!! :-D

    lukeandmax
    Member

    Re: Duplicating whole AD structure to another server with Export/Import utility

    Hello there
    I think I found the easiest way to export with no admin rights :-)
    Usually the easiest solution is the best one, hehe

    Code:
    csvde -f outusers.csv -d "dc=projectsr2,dc=net" -l "DN,objectClass,ou,description,distinguishedName,cn,department,title,mail,telephonenumber,mobile,physicalDeliveryOfficeName" -r "(objectClass=user)"
    csvde -f outou.csv -d "dc=projectsr2,dc=net" -l "DN,objectClass,ou,description,distinguishedName,cn,department,title,mail,telephonenumber,mobile,physicalDeliveryOfficeName" -r "(objectClass=organizationalUnit)"
    csvde -f outgroups.csv -d "dc=projectsr2,dc=net" -l "DN,objectClass,ou,description,distinguishedName,cn,department,title,mail,telephonenumber,mobile,physicalDeliveryOfficeName" -r "(objectClass=group)"
    csvde -f outcomputers.csv -d "dc=projectsr2,dc=net" -l "DN,objectClass,ou,description,distinguishedName,cn,department,title,mail,telephonenumber,mobile,physicalDeliveryOfficeName" -r "(objectClass=computer)"

    and then reimport them in the new domain.
    You don't need admin rights to export those fields from AD :-) This is the best thing.
    Also, Exchange fields are not exported, so I don't have to install E2K3 on the destination domain.
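The four `-r` filters in the post are plain RFC 4515 LDAP search filters, and it is worth seeing how they overlap: in AD the `computer` class inherits from `user`, so `(objectClass=user)` also returns every computer account, which is why `outusers.csv` and `outcomputers.csv` share rows. The following is an added example, not code from the post or from csvde: a minimal filter evaluator (`(attr=value)`, `(attr=*)`, `&`, `|`, `!`) run over a constructed sample of directory entries whose DNs, classes and the `projectsr2.net` name are made up for illustration.

```python
"""Added example (not from the forum post): a minimal evaluator for the
LDAP search filters that csvde -r accepts, run over constructed entries.
Supports (attr=value), (attr=*) presence tests and the &, |, ! operators."""

# Constructed sample entries, not a real export. objectClass is multi-valued;
# in AD the "computer" class derives from "user", so a computer carries both.
SAMPLE_DIRECTORY = [
    {"distinguishedName": "CN=Max,OU=Staff,DC=projectsr2,DC=net",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=projectsr2,DC=net",
     "mail": "max@projectsr2.net"},
    {"distinguishedName": "CN=WS01,CN=Computers,DC=projectsr2,DC=net",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "objectCategory": "CN=Computer,CN=Schema,CN=Configuration,DC=projectsr2,DC=net"},
    {"distinguishedName": "CN=Helpdesk,OU=Groups,DC=projectsr2,DC=net",
     "objectClass": ["top", "group"],
     "objectCategory": "CN=Group,CN=Schema,CN=Configuration,DC=projectsr2,DC=net"},
    {"distinguishedName": "OU=Staff,DC=projectsr2,DC=net",
     "objectClass": ["top", "organizationalUnit"],
     "objectCategory": "CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=projectsr2,DC=net"},
]


def parse_filter(text):
    """Parse an RFC 4515 filter string into a nested tuple tree."""
    text = text.strip()
    pos, tree = _parse(text, 0)
    if pos != len(text):
        raise ValueError("unexpected trailing text in filter")
    return tree


def _parse(s, i):
    """Parse one parenthesised filter component starting at offset i.
    Returns (offset after the closing parenthesis, tree node)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    op = s[i]
    if op in "&|":
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return i + 1, (op, children)
    if op == "!":
        i, child = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return i + 1, ("!", child)
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:end].partition("=")
    if not attr or not sep:
        raise ValueError("only attr=value items are supported")
    return end + 1, ("=", attr.lower(), value)


def _values(entry, attr):
    """Case-insensitive attribute lookup; always returns a list."""
    for key, val in entry.items():
        if key.lower() == attr:
            return val if isinstance(val, list) else [val]
    return []


def _item_matches(entry, attr, value):
    vals = _values(entry, attr)
    if value == "*":                       # presence test
        return bool(vals)
    wanted = value.lower()
    for v in vals:
        v = v.lower()
        if v == wanted:
            return True
        # AD accepts the bare class name for objectCategory ("person") and
        # resolves it to the schema DN; mimic that resolution here.
        if attr == "objectcategory" and v.startswith("cn=" + wanted + ","):
            return True
    return False


def matches(entry, node):
    op = node[0]
    if op == "&":
        return all(matches(entry, c) for c in node[1])
    if op == "|":
        return any(matches(entry, c) for c in node[1])
    if op == "!":
        return not matches(entry, node[1])
    return _item_matches(entry, node[1], node[2])


def search(filter_text, directory=SAMPLE_DIRECTORY):
    """Return the DNs of the entries matching the filter, in directory order."""
    tree = parse_filter(filter_text)
    return [e["distinguishedName"] for e in directory if matches(e, tree)]


if __name__ == "__main__":
    for f in ["(objectClass=user)", "(&(objectCategory=person)(objectClass=user))",
              "(objectClass=computer)", "(objectClass=group)",
              "(objectClass=organizationalUnit)"]:
        print(f, "->", search(f))
```

Running it shows `(objectClass=user)` returning both the user and the workstation, while `(&(objectCategory=person)(objectClass=user))` returns only real user accounts; that second form is the usual way to keep computers out of a user export.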

    lukeandmax
    Member

    Re: Duplicating whole AD structure to another server with Export/Import utility

    Thanks for your help,
    but you probably missed a "little" detail I wrote in my post,
    quote: "I don't have admin rights in the domain"
    so no admin rights, no DCpromo :-)

    lukeandmax
    Member
    in reply to: Doubt regarding restore of Enterprise CA #236384

    Re: Doubt regarding restore of Enterprise CA

    jasonboche wrote:
    You should build your CA with redundancy, meaning subordinate CA servers to handle the load and authentication if and when a CA server fails.

    Rebuild DC2 and restore the System State there.

    Jas

    My question was slightly different.
    Don't consider redundancy with a SubCA.
    My question is: what if, for any reason, I cannot rebuild DC2 and restore its System State, and I want to install the CA on another server?
    Is the only possibility deleting all the objects from the Configuration partition and reinstalling the CA on the new server?

    lukeandmax
    Member
    in reply to: Round Robin priority vs. MX preference. #236383

    Re: Round Robin priority vs. MX preference.

    guyt wrote:
    It is not Exchange only. To my understanding this is normal DNS behavior, as the priority is the DATA part of the RR returned, while all the RRs are round-robined.
    I believe that it is actually up to SMTP to look at the query results and select the destination based on priority and not on the order in which the records were returned.

    Yes, this is what Exchange is expected to do; I'm sorry to realize that it doesn't!
    It seems that Exchange's SMTP is not RFC compliant.

    Quote:
    Are you looking at the SMTP logs on the sending or receiving server? Any mail relays in transparent-bridge mode on the way?

    SMTP logs on the sender.
    Sending multiple messages to different @repubblica.it recipients (in some cases also sending multiple mails to the same recipient) results in every single mail being sent to a different MX record, regardless of MX preference.
    BTW, this is a follow-up to http://forums.dnsstuff.com/tool/post/dnsstuff/vpost?id=1156796 where I started the same thread (I was using a different nickname but it's always me :-) )
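The behaviour guyt describes is exactly what RFC 5321 section 5.1 requires of a sending MTA: the resolver may rotate the RRset on every answer, but the client must sort the records by preference itself and only randomise among equal-preference hosts. The following is an added example, not code from the thread or from Exchange: a simulated round-robin resolver, a naive client that takes whatever record comes first (the pattern the post observed in its SMTP logs) and a compliant client side by side. The MX set is constructed; it is not the real repubblica.it RRset.

```python
"""Added example (not from the forum thread): RFC 5321 MX selection next to
a naive client that takes the first record returned by a round-robin resolver.
The MX RRset below is constructed, not the real repubblica.it records."""
import random

# (preference, host); the lowest preference is the preferred destination.
MX_RRSET = [(10, "mx1.example.net"), (20, "mx2.example.net"), (20, "mx3.example.net")]


def round_robin_answer(rrset, query_number):
    """Simulate a DNS server that rotates the RRset on every answer.
    Only the order changes; the preference travels inside each RR."""
    shift = query_number % len(rrset)
    return rrset[shift:] + rrset[:shift]


def naive_first_host(answer):
    """Non-compliant behaviour: deliver to whatever record came back first."""
    return answer[0][1]


def mx_delivery_order(answer, rng=None):
    """RFC 5321 section 5.1: try hosts in ascending preference order; hosts
    sharing a preference are tried in random order to spread the load."""
    rng = rng or random.Random()
    by_pref = {}
    for pref, host in answer:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = by_pref[pref]
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def compare_clients(message_count, rrset=MX_RRSET, seed=1):
    """Send message_count messages through both clients and return the
    first-choice host each client used for every message."""
    rng = random.Random(seed)
    naive, compliant = [], []
    for n in range(message_count):
        answer = round_robin_answer(rrset, n)
        naive.append(naive_first_host(answer))
        compliant.append(mx_delivery_order(answer, rng)[0])
    return {"naive": naive, "compliant": compliant}


if __name__ == "__main__":
    result = compare_clients(6)
    print("naive client:    ", result["naive"])
    print("compliant client:", result["compliant"])
```

The naive client walks through all three hosts in turn, which is the symptom reported above; the compliant client always tries the preference-10 host first and only falls through to the preference-20 hosts (in random order) when it fails.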

    lukeandmax
    Member
    in reply to: Forcing deletion of folder with ReadOnly files. #236382

    Re: Forcing deletion of folder with ReadOnly files.

    ahinson wrote:
    If you look at the MS documentation for the vbscript filesystem object you’ll see that what I submitted is the correct syntax to delete a folder with files that have the read-only file attribute set to true.

    If it’s not working the file may be in use or something else.

    I know, and that's the reason why I told you I had already tried.

    So now the interesting question is: how the hell do I know which process is locking a file inside one user's TEMP folder during computer startup? :-(

    Maybe I have to try another solution... for example renaming the TEMP folder during startup, so at user logon TEMP is created empty once again. Meanwhile I can run some executable in the background which tries to delete the renamed temp....
    If you have any idea, you're welcome to suggest it!! :-)

    lukeandmax
    Member
    in reply to: Forcing deletion of folder with ReadOnly files. #236381

    Re: Forcing deletion of folder with ReadOnly files.

    jasonboche wrote:
    UPHClean does not strictly apply to the deletion of an entire user profile and I did not suggest you were deleting or should delete the entire user profile.

    One of the items that UPHClean addresses is the proper closing of hung open file handles (which in your case may be open file handles on the temp directory which is why I suggested the UPHClean utility).

    Jas

    Sorry, I probably used the wrong words. I meant: my need is to delete that folder during STARTUP. I suppose during startup there are no files locked inside one user's TEMP folder... just because that user has not logged on yet.
    My doubt was: is there a way to force deletion of read-only files (talking about the read-only flag attribute, not NTFS permissions)? I also asked about deleting locked files because, if I cannot find a way to delete RO files, I have to find an alternate way during user logon, which may imply deleting locked files.

    Hope I'm clear now :-)
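The two failure modes the thread keeps circling, the read-only attribute and a file held open by another process, need different handling: the first is cleared by changing the attribute and retrying, the second cannot be fixed by the deleting script at all and should be reported rather than aborting the whole cleanup. The following is an added example, not the VBScript from the thread: a Python cleanup routine that walks the tree bottom-up, clears the read-only attribute on a permission error and returns the paths it could not remove. The sample TEMP-like tree is constructed in a temporary directory.

```python
"""Added example (not from the thread): deleting a folder tree that contains
read-only files, returning whatever could not be deleted instead of failing
on the first locked item. The sample tree is constructed at runtime."""
import os
import stat
import tempfile


def _remove(path, remover):
    """Try remover(path). On a permission error clear the read-only attribute
    (os.chmod with S_IWRITE is what clears FILE_ATTRIBUTE_READONLY on Windows)
    and retry once. Returns True on success, False if the item still cannot be
    removed, which on Windows usually means another process holds it open."""
    try:
        remover(path)
        return True
    except PermissionError:
        try:
            os.chmod(path, stat.S_IWRITE | stat.S_IREAD)
            remover(path)
            return True
        except OSError:
            return False
    except FileNotFoundError:
        return True          # already gone, nothing to do
    except OSError:
        return False


def delete_tree(root):
    """Delete root and everything under it, bottom-up. Returns the list of
    paths that could not be deleted so the caller can log them."""
    failed = []
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in filenames:
            p = os.path.join(dirpath, name)
            if not _remove(p, os.remove):
                failed.append(p)
        for name in dirnames:
            p = os.path.join(dirpath, name)
            # os.walk does not follow symlinks, so a link to a directory shows
            # up here; unlink the link itself rather than its target.
            remover = os.remove if os.path.islink(p) and os.name != "nt" else os.rmdir
            if not _remove(p, remover):
                failed.append(p)
    if not _remove(root, os.rmdir):
        failed.append(root)
    return failed


def build_sample_tree():
    """Constructed input: a TEMP-like folder with a read-only file, an empty
    read-only subfolder and a normal file. Returns the folder path."""
    root = tempfile.mkdtemp(prefix="temp-cleanup-")
    cache = os.path.join(root, "cache")
    os.mkdir(cache)
    ro_file = os.path.join(cache, "index.dat")
    with open(ro_file, "w") as fh:
        fh.write("constructed content\n")
    os.chmod(ro_file, stat.S_IREAD)                  # read-only attribute set
    with open(os.path.join(root, "log.txt"), "w") as fh:
        fh.write("constructed content\n")
    ro_dir = os.path.join(root, "ro-empty")
    os.mkdir(ro_dir)
    os.chmod(ro_dir, stat.S_IREAD | stat.S_IEXEC)    # read-only empty folder
    return root


def demo():
    """Build the sample tree, delete it, and report (failed paths, still exists)."""
    root = build_sample_tree()
    failed = delete_tree(root)
    return failed, os.path.exists(root)


if __name__ == "__main__":
    failed, still_there = demo()
    print("could not delete:", failed or "nothing")
    print("folder still exists:", still_there)
```

Anything left in the returned list is held open by a process, not protected by an attribute; on Windows the Sysinternals handle.exe tool or Process Explorer's Find Handle search will tell you which process has that path open.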

    lukeandmax
    Member
    in reply to: Forcing deletion of folder with ReadOnly files. #236380

    Re: Forcing deletion of folder with ReadOnly files.

    jasonboche wrote:
    In that case, Microsoft UPHClean may also be needed. Improperly unloaded User Profile Registry Hives will leave open files which cannot be deleted.
    Jas

    You missed the point.
    I'm trying to delete only the TEMP folder during computer startup (not the entire profile, not during logon).

    lukeandmax
    Member
    in reply to: Forcing deletion of folder with ReadOnly files. #236379

    Re: Forcing deletion of folder with ReadOnly files.

    ahinson wrote:
    oFS.DeleteFolder sTempPath, True   ' second argument (force) also removes read-only files

    Already tried :-(
    Didn't work

    lukeandmax
    Member
    in reply to: Single Print server printers limits and IPP over NLB #236378

    Re: Single Print server printers limits and IPP over NLB

    >Usually Win 2003 supports up to 50 printers without a problem

    Is there any official document from Microsoft that confirms this value of 50 printers?
    Thanks :-)

    lukeandmax
    Member

    Re: Disabling KCC for Large Enterprises: a philosophical view [Long post]

    >You can do better than just this default config; see my previous post,
    >and more in particular: the branch office deployment guide for
    >Active Directory.

    I think you refer to this: "I referred to the possibility to not publish certain SRV records anywhere but in its own site. So what you do is to have the hub site publish generally, so that ALL clients can find the hub, but publish branch DCs only locally"

    I do not think it is good practice; you lose fault-tolerance features :-)
    BTW, if site link bridges are on, and obviously routing is on, why should I prevent one branch from contacting another branch's DC when needed?
    If the KCC is correctly configured and costs are correctly set, whenever one branch's client needs to find a DC and cannot find its own site's DC, it will ask for the central hub DC; then if the central hub DC is down, it will try to contact another branch DC. What's wrong with this?

    lukeandmax
    Member

    Re: Disabling KCC for Large Enterprises: a philosophical view [Long post]

    wkasdo wrote:
    > Not so. The hub-spoke topology (just one hub?)

    Yes, just one Hub

    wkasdo wrote:
    make sure that all branches will create connection objects to the hub, and vice versa. The bridge-all-site-links setting makes it possible to create COs between branches IF the hub is down.

    Sorry to tell you, but you're wrong :-)
    Or, at least, what I see now is that the KCC is creating connectors between one branch and another branch, not only between branch and central hub. This is quite unexplainable.

    wkasdo wrote:
    I admit I would have disabled that setting with such a simple topology to exclude accidents.

    And that’s what we usually do.

    wkasdo wrote:
    If you put all sites in a single site link, the resulting topology is unpredictable (at least, undocumented). The chances of it generating the correct hub-spoke topology are basically zero, of course.

    Yes, but the fact I am remarking on is that currently, in this configuration, the KCC is NOT creating hub-and-spoke connectors! It is creating a mesh topology. So that's where my doubts come from.

    wkasdo wrote:
    You can increase KCC logging to see how much time a KCC cycle takes. You can probably also see it in Task Manager.

    That’s a good point.

    wkasdo wrote:
    With W2003, yes. Push it to the limits.

    So we are not so crazy after all :-D

    wkasdo wrote:
    Another interesting question: did they optimize DNS to make sure that branch offices will never log on to each other?

    Well, this is an easy question; as you can imagine, the only work you have to do to ensure correct DC authentication is making sure that sites, subnets and SRV records are correctly registered. You just need at least 1 DC+DNS at each site (and that's the current configuration) and subnets correctly mapped in AD Sites.

    lukeandmax
    Member
    in reply to: Converting ldap date formats in AD #236375

    What the F*#? kind of algorithm... it starts from 1601??? :?
    I read about it on the WinMagPro site or something like that, 4 months ago, but never found the exact start date!

    Very useful
    Max
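The 1601 start date is the Windows FILETIME epoch: AD stores pwdLastSet, lastLogon, lastLogonTimestamp and accountExpires as 64-bit counts of 100-nanosecond intervals since 1601-01-01 00:00 UTC, while whenCreated and whenChanged use LDAP generalized time ("20050313190000.0Z"). The following is an added example, not code from the thread: conversions in both directions for both formats, including the 0 and 0x7FFFFFFFFFFFFFFF sentinels that AD uses for "never". The sample entry values are constructed.

```python
"""Added example (not from the thread): converting the two date formats AD
exposes over LDAP. FILETIME attributes count 100-ns ticks since 1601-01-01
UTC; whenCreated/whenChanged use generalized time. Sample values are constructed."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
NEVER = 0x7FFFFFFFFFFFFFFF      # accountExpires uses this (or 0) for "never"


def filetime_to_datetime(value):
    """Convert an AD large-integer timestamp (int or decimal string, as LDAP
    returns it) to an aware UTC datetime. Returns None for the sentinels."""
    ticks = int(value)
    if ticks in (0, NEVER):
        return None
    if ticks < 0:
        raise ValueError("negative FILETIME")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; naive datetimes are taken as UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_unix(value):
    """Seconds since 1970-01-01 UTC, or None for the sentinels."""
    dt = filetime_to_datetime(value)
    return None if dt is None else int((dt - UNIX_EPOCH).total_seconds())


def generalized_time_to_datetime(text):
    """Parse the whenCreated/whenChanged form, e.g. '20050313190000.0Z'."""
    text = text.strip()
    if not text.endswith("Z"):
        raise ValueError("expected a UTC (Z) generalized time")
    body = text[:-1]
    fmt = "%Y%m%d%H%M%S.%f" if "." in body else "%Y%m%d%H%M%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def describe_account(attrs):
    """Render the timestamp attributes of an LDAP entry in readable form."""
    out = {}
    for name in ("pwdLastSet", "lastLogon", "lastLogonTimestamp", "accountExpires"):
        if name in attrs:
            dt = filetime_to_datetime(attrs[name])
            out[name] = dt.isoformat() if dt else "never"
    for name in ("whenCreated", "whenChanged"):
        if name in attrs:
            out[name] = generalized_time_to_datetime(attrs[name]).isoformat()
    return out


SAMPLE_ENTRY = {                       # constructed values, not from a real DC
    "pwdLastSet": "127552140000000000",
    "lastLogonTimestamp": "0",
    "accountExpires": "9223372036854775807",
    "whenCreated": "20050313190000.0Z",
}

if __name__ == "__main__":
    for key, value in describe_account(SAMPLE_ENTRY).items():
        print(key, "=", value)
```

The constant 116444736000000000 (the FILETIME of the Unix epoch) is a handy sanity check for any converter: 1970-01-01 must round-trip to exactly that value.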

    lukeandmax
    Member
    in reply to: A good reason for upgrading your servers to SP1 #236374
    Quote:
    I think we need to separate this to sub-topics:

    Of course; in fact, the LSASS problem came out suddenly while we were doing something completely unrelated to it! Indeed 99.9% of bugs are discovered this way.

    Quote:
    1) To my understanding the crash of LSASS has nothing to do with Exchange (as outlined in the KB wkasdo has pointed to). The cause is the conflict between the user right of helpdesk to do anything with the object (as they are the owners of the object) and the Deny ACE in the DACL.

    Of COURSE it hasn't!!! It's related to AD ACLs.

    Quote:
    a. Proxy the creation of user accounts via an external process that does not make the helpdesk staff the owners of the user objects

    Yes, this may be a good and reasonable point, but as we wrote, this way delegation becomes a more complex process and the Microsoft Delegation Wizard becomes useless (please, avoid comments like "as 90% of Microsoft tools" hehe)

    Quote:
    c. Not allow deletion of user objects to Helpdesk (I would let them only disable the accounts) and proxy the deletion via the same external process (can be easily done via web). This will give you the level of control that prevents most of the accidental deletions and f#$k ups…

    Mmhhh, this may be a real problem. A large enterprise has a high user turnover, so every week there may be the need to create and/or delete hundreds of user accounts!... I think you know what I'm talking about ;-)

    Quote:
    The point: as long as someone can pull your plug, you do not really own the show

    Great!!!! :D
    I completely agree with this!!!

    Have fun!
    Max

    lukeandmax
    Member
    in reply to: A good reason for upgrading your servers to SP1 #236373

    Hi all,
    just another point about delegating. In the test we did, we used the default "Create, delete and manage user accounts" task in the Delegation Wizard. This setting enables the delegated user/group to create users inside the OU but also grants FC (Full Control) on all user objects.
    This could be OK if your organization doesn't use Exchange, since the delegated user/group has the Send As permission on all user objects.

    Users need to trust their administrators, but there are many organizations where this could not be applied. Moreover, users have no way to protect themselves against a bad administrator. So next time we talk about security, we should say "the administrator is God, can do whatever he/she wants and no one can block him/her": the real owner of any company is the IT admin!

    Have a nice day

    lukeandmax
    Member
    in reply to: A good reason for upgrading your servers to SP1 #236372

    Luke suggests, if it is possible, renaming the topic to "A good reason to upgrade your servers to SP1", in order to avoid some stupid people damaging their DCs..... well... I think it may be a good idea...
    Of course our post was not intended for stupid admins who mean to cause damage, I think you understand :-)

    Is it possible?

    lukeandmax
    Member
    in reply to: A good reason for upgrading your servers to SP1 #236371

    Hi there

    Let’s start with some comments :-)

    1) Guyt is right, it's good practice to delegate only write properties, but this way the delegation work becomes tedious and you lose all of AD's potential.

    2) Guyt, ASAP we're gonna PM you; as you can see we changed our nick. The last topics were written by only one of us; now we are writing together, so we use a common account (if you want you can write to us, our email address is public)... we're very curious!!!! :-)

    3) We noticed that SP1 resolved this; we just have not tested it on W2000.

    4) The real problem still stands. FC delegated to the HD dept is too dangerous if Exchange is present in the enterprise!
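Both points above, that the wizard's "Create, delete and manage user accounts" task ends up granting Full Control on every user object, and that delegating only the needed write properties is the safer practice, come down to what is actually in the OU's DACL, which is easiest to review as SDDL (in PowerShell with the AD module loaded, `(Get-Acl "AD:\OU=Staff,DC=projectsr2,DC=net").Sddl`). The following is an added example, not code from the thread or from Microsoft: a small SDDL DACL parser that lists what one trustee gets and flags Full Control grants and Deny entries, the two ACE kinds this thread argues about. The SDDL string, the helpdesk SID and the OU name are constructed to resemble the wizard's output; the user class schemaIDGUID is the real one.

```python
"""Added example (not from the thread): auditing an AD object's DACL from its
SDDL form. Each ACE is (type;flags;rights;object_guid;inherit_object_guid;trustee).
The sample SDDL and SID are constructed; the user class GUID is genuine."""
import re

# The rights that together make Full Control on a directory object; "GA"
# (generic all) is the shorthand that means the same thing.
FULL_CONTROL = {"CC", "DC", "LC", "SW", "RP", "WP", "DT", "LO", "CR", "SD", "RC", "WD", "WO"}
USER_CLASS_GUID = "bf967aba-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of class "user"
HELPDESK_SID = "S-1-5-21-1000-2000-3000-1107"               # constructed SID

SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    # create/delete child objects of class user on the OU itself
    "(OA;;CCDC;" + USER_CLASS_GUID + ";;" + HELPDESK_SID + ")"
    # Full Control, inherit-only, on user objects under the OU
    "(A;CIIO;GA;;" + USER_CLASS_GUID + ";" + HELPDESK_SID + ")"
    # an explicit Deny of Delete on user objects for the same trustee
    "(D;CIIO;SD;;" + USER_CLASS_GUID + ";" + HELPDESK_SID + ")"
    # read-only access for Authenticated Users
    "(A;;LCRPLORC;;;AU)"
)


def _chunks(field):
    """Split a run of two-letter SDDL codes ("CIIO", "CCDC") into a set."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def parse_dacl(sddl):
    """Return the ACEs of the D: section as dicts (empty if there is none)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, flags, rights, obj_guid, inh_guid, trustee = fields
        aces.append({
            "type": ace_type,
            "flags": _chunks(flags),
            "rights": {rights} if rights.startswith("0x") else _chunks(rights),
            "object_guid": obj_guid.lower(),
            "inherit_object_guid": inh_guid.lower(),
            "trustee": trustee.upper(),
        })
    return aces


def is_full_control(rights):
    return "GA" in rights or FULL_CONTROL <= rights


def audit_trustee(sddl, trustee):
    """List what one trustee gets from the DACL, flagging Full Control and Deny."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["trustee"] != trustee.upper():
            continue
        if ace["inherit_object_guid"] == USER_CLASS_GUID:
            applies_to = "user objects"
        elif ace["inherit_object_guid"]:
            applies_to = "objects of class " + ace["inherit_object_guid"]
        else:
            applies_to = "this object"
        if ace["type"] in ("D", "OD"):
            effect = "deny"
        elif ace["type"] in ("A", "OA"):
            effect = "allow"
        else:
            effect = ace["type"]       # audit/alarm ACE types, left as-is
        findings.append({
            "effect": effect,
            "full_control": is_full_control(ace["rights"]),
            "rights": "".join(sorted(ace["rights"])),
            "applies_to": applies_to,
            "inherit_only": "IO" in ace["flags"],
        })
    return findings


def full_control_trustees(sddl):
    """Every trustee that is allowed Full Control anywhere in the DACL."""
    return sorted({a["trustee"] for a in parse_dacl(sddl)
                   if a["type"] in ("A", "OA") and is_full_control(a["rights"])})


if __name__ == "__main__":
    for finding in audit_trustee(SAMPLE_SDDL, HELPDESK_SID):
        print(finding)
    print("full control held by:", full_control_trustees(SAMPLE_SDDL))
```

A "write properties only" delegation shows up as OA entries carrying `WP` scoped to specific property GUIDs, never as `GA` or the full thirteen-right set; `full_control_trustees` returning anything other than the expected admin groups is the finding to act on.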
