The GPTalk Mailing List

The GPTALK mailing list is where you can send and receive email related to Windows Group Policy. You must subscribe to the list to send and receive mail from the list. The purpose of the list is to provide a forum for asking and answering technical questions related to Group Policy. Any question is fair game as long as it is related to Windows Group Policy. The Archives for this list can be found on this page.

List Posts

Unanswered Active Topics

Forums Search

Forums >GPTalk >GPTalk Mailing List

Subject: [gptalk] Problems with resolution of accounts from mgmt domain

Prev Next

You are not authorized to post a reply.

Page 2 of 2

Author

Messages

Shanzao

Posts:45

09/24/2010 11:18 AM
Ok, Following my conversation this morning with MS… GPMC the intelligent side, resolves SIDs by contacting the DC that is in the Managed Domain, GPE tries to resolve SIDs by contacting the local DC, which does not forward the request to the Managed DC. This has been raised and the MS Consultant is kindly going to complete a Business Case for a change to GPE, my point was that MS recommend the use of Resource and Accounts domains for secure environments, yet the Native tools do not support this recommendation. Who would have thought that one GPO project would have raised two flaws in GPO management! Now for a new Detailed Design and to inform the Project that an extra 8 servers will be required ☹ Thanks for all your input peeps, Sean From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 20:45 To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Problems with resolution of accounts from mgmt domain I think he verified dns outside of gpmc but I may be wrong. It might be worth at this stage running a net trace to see if the app us even trying to resolve the names and what server it's using to do this Regards, Darragh O'Shaughnessy IT Services Department E-Mail: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Ext: 2562 Direct Dial In: 01-7994028 Web Site: www.vhi.ie<http://www.vhi.ie> Help the environment. If you need to print this email consider using Eco Font to save ink: http://www.ecofont.eu/ecofont_en.html This e-mail and any files transmitted with it contain information which may be confidential and which may also be privileged and is intended solely for the use of the individual or entity to whom it is addressed. Unless you are the intended recipient you may not copy or use it, or disclose it to anyone else. Any opinions expressed are that of the individual and not necessarily that of Vhi Healthcare. If you have received this e-mail in error please notify the sender by return. This footnote also confirms that this e-mail message has been Swept for the presence of computer viruses. On 23 Sep 2010, at 18:49, "Omar Droubi" <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote: After the patch you have to do some manual editing of files- did you do that? One thing I was wondering as I looked through this thread—has the DNS configuration-both on the NIC of the machine you are running GPMC and GPOE (editor) been reviewed? In some cases netbios resolution can work but in other cases DNS needs to work 100% to resolve sids. Now I have not tried to reproduce this and the fact that there is a hotfix- eludes to the fact that this is a bug-but I have done this several times before but I haven’t come across this yet. Can you detail the domain/forest configuration of the environment a bit. Are there multiple forests? Single forest multiple trees? All domains in the same forest- and if so- what are the domain relationships? I assume with the fact that you started with a one-way trust and then changed to a two-way trust you have multiple forests? I would start with DNS review 1st on the DCs in both domains and the clients as well. DNS forwarding, DNS search suffixes, etc. Omar From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Thursday, September 23, 2010 3:53 AM To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain No Joy after applying the fix ☹ Looks like its going to be a GPA console in each of the domains… Unless by some kind of Magic GPA stops using MS native tools in there next patch… hummm From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 10:34 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain And did you say all the well known SIDS resolve ok? Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 10:30 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain FFL and DFL is currently 2000 in the Resource Domain and 2003 in the MGMT Domain, but this is also happening with 2003 – 2003 Domains as well, all DC OS’s are 2003 and terminal servers are either W2K8 R2 or W2K3 R2 Sean From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 10:23 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Also, one last thing, what’s the forest/domain functional levels at in the domains/forest? Are there a mixture of \|DC OS’s. if so, what os holds the FSMO roles or PDC role? Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 10:17 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain It does this from W2K3 as well, but is definitely worth a try, Will get back to you with some hopefully good news ☺ From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 10:14 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain So authenticated users do not have this right at that DC Similar issue for windows 7: http://support.microsoft.com/kb/974639 Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 10:09 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Was not added, I have just added both Terminal Server and GPO MGMT group to no avail… not good at all! From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 09:44 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Hmmm, does your computer have the right: "Access this Computer from the Network" permission at the validating domain controller? Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 09:41 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain User Rights Assignment ;-) Sean From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 09:41 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Excuse my acronym ignorance but what is URA?! Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 09:37 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Im never going to do live this down :-O ☺ Anything with URA is showing as a SID, only the well known SIDS resolve, psgetsid works/// Sean From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 09:35 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain HI, Which settings are they? Also, have you resolve them ok from the command line using psgetsid.exe or the like? Darragh (aka Darren) O’Shaughnessy From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 09:31 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Thanks Darragh (I should know better!!!) I must have had Darren on the brain!!! The security principles are in the resource domain (trusting), I set up the trust both ways and slowly but surely the names started to resolve, not going to be very good for my design though! I am going to have to install a console in each of the five domains opposed to two consoles in the Management Domain, think this must be a bug with the GPE code. If the settings can be found via the delegation tab within the settings, then surely this should also work within GPE? ☹ Sean From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: 22 September 2010 17:52 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Yea, I was wondering how I had gotten onto the thread without contributing . Also, are the security principals that aren’t resolving in the management domain or resource domain? Darren From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: Wednesday, September 22, 2010 9:51 AM To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Its Darragh actually (Irish name!) ☺ What settings are you looking at in GPE specifically? GPMC caches scope and delegation data as far as I remember. Are you running gpmc from a desktop machine? Sometimes when SIDs wont resolve to names, it means trust has been lost between the workstation and the domain or that those accounts have been deleted from the domain hence the SID cannot be resolved Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 22 September 2010 16:54 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain That’s correct Darren, this is a very strange occurance!!! Connected to the PDC emulator which is also a GC From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 22 September 2010 15:40 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain i.e. when connected into GPMC and clicking ‘Edit’ on the context menu, the SID are present in the GPO editor as opposed to the names? What Domain controller is GPMC connected to? Is it in your local site and is it a global catalogue? Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 22 September 2010 15:29 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: [gptalk] Problems with resolution of accounts from mgmt domain Hi all, I am just looking at implementing a tool that is going into a Management domain that has a one way trust into the resource domain. When looking at settings from within GPMC, all of the accounts are resolved, when looking at the accounts from within GPE, they are returned as SID’s has anyone seen this before? Thanks, Sean McCarthy Technical Services AXA Tech MESD Region (UK) eMail: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Int: 748 4805 Tel: +44 (0) 1253 684805 P Please consider the environment before printing this message/ Pensez à l'environnement avant d'imprimer ce message This email originates from AXA Technology Services UK Limited (reg. no. 1854856) which has its registered office at 5 Old Broad Street, London EC2N 1AD, England. This message and any files transmitted with it are confidential and intended solely for the individual or entity to whom they are addressed. If you have received this in error, you should not disseminate or copy this email. Please notify the sender immediately and delete this email from your system. Please also note that any opinions presented in this email are solely those of the author and do not necessarily represent those of The AXA UK Plc Group. Email transmission cannot be guaranteed to be secure, or error free as information could be intercepted, corrupted, lost, destroyed, late in arriving or incomplete as a result of the transmission process. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of email transmission. Finally, the recipient should check this email and any attachments for viruses. The AXA UK Plc Group accept no liability for any damage caused by any virus transmitted by this email.

DarraghOShaughnessy User is Offline

Posts:177

09/24/2010 12:30 PM
Wow! That is pretty head wrecking! I remember working in a place that had 10 forests and over 40 domains! I wasn’t doing AD stuff at the time thank god! You could always start memorizing the SIDS Sean ! Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 24 September 2010 11:15 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Ok, Following my conversation this morning with MS… GPMC the intelligent side, resolves SIDs by contacting the DC that is in the Managed Domain, GPE tries to resolve SIDs by contacting the local DC, which does not forward the request to the Managed DC. This has been raised and the MS Consultant is kindly going to complete a Business Case for a change to GPE, my point was that MS recommend the use of Resource and Accounts domains for secure environments, yet the Native tools do not support this recommendation. Who would have thought that one GPO project would have raised two flaws in GPO management! Now for a new Detailed Design and to inform the Project that an extra 8 servers will be required :-( Thanks for all your input peeps, Sean From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 20:45 To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Problems with resolution of accounts from mgmt domain I think he verified dns outside of gpmc but I may be wrong. It might be worth at this stage running a net trace to see if the app us even trying to resolve the names and what server it's using to do this Regards, Darragh O'Shaughnessy IT Services Department E-Mail: xxxxxxxxxxxxxxxx Ext: 2562 Direct Dial In: 01-7994028 Web Site: www.vhi.ie Help the environment. If you need to print this email consider using Eco Font to save ink: http://www.ecofont.eu/ecofont_en.html This e-mail and any files transmitted with it contain information which may be confidential and which may also be privileged and is intended solely for the use of the individual or entity to whom it is addressed. Unless you are the intended recipient you may not copy or use it, or disclose it to anyone else. Any opinions expressed are that of the individual and not necessarily that of Vhi Healthcare. If you have received this e-mail in error please notify the sender by return. This footnote also confirms that this e-mail message has been Swept for the presence of computer viruses. On 23 Sep 2010, at 18:49, "Omar Droubi" <xxxxxxxxxxxxxxxx> wrote: After the patch you have to do some manual editing of files- did you do that? One thing I was wondering as I looked through this thread—has the DNS configuration-both on the NIC of the machine you are running GPMC and GPOE (editor) been reviewed? In some cases netbios resolution can work but in other cases DNS needs to work 100% to resolve sids. Now I have not tried to reproduce this and the fact that there is a hotfix- eludes to the fact that this is a bug-but I have done this several times before but I haven’t come across this yet. Can you detail the domain/forest configuration of the environment a bit. Are there multiple forests? Single forest multiple trees? All domains in the same forest- and if so- what are the domain relationships? I assume with the fact that you started with a one-way trust and then changed to a two-way trust you have multiple forests? I would start with DNS review 1st on the DCs in both domains and the clients as well. DNS forwarding, DNS search suffixes, etc. Omar From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Thursday, September 23, 2010 3:53 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain No Joy after applying the fix :-( Looks like its going to be a GPA console in each of the domains… Unless by some kind of Magic GPA stops using MS native tools in there next patch… hummm From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 10:34 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain And did you say all the well known SIDS resolve ok? Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 10:30 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain FFL and DFL is currently 2000 in the Resource Domain and 2003 in the MGMT Domain, but this is also happening with 2003 – 2003 Domains as well, all DC OS’s are 2003 and terminal servers are either W2K8 R2 or W2K3 R2 Sean From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 10:23 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Also, one last thing, what’s the forest/domain functional levels at in the domains/forest? Are there a mixture of \|DC OS’s. if so, what os holds the FSMO roles or PDC role? Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 10:17 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain It does this from W2K3 as well, but is definitely worth a try, Will get back to you with some hopefully good news :-) From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 10:14 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain So authenticated users do not have this right at that DC Similar issue for windows 7: http://support.microsoft.com/kb/974639 Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 10:09 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Was not added, I have just added both Terminal Server and GPO MGMT group to no avail… not good at all! From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 09:44 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Hmmm, does your computer have the right: "Access this Computer from the Network" permission at the validating domain controller? Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 09:41 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain User Rights Assignment ;-) Sean From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 09:41 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Excuse my acronym ignorance but what is URA?! Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 09:37 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Im never going to do live this down :-O :-) Anything with URA is showing as a SID, only the well known SIDS resolve, psgetsid works/// Sean From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 09:35 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain HI, Which settings are they? Also, have you resolve them ok from the command line using psgetsid.exe or the like? Darragh (aka Darren) O’Shaughnessy From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 09:31 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Thanks Darragh (I should know better!!!) I must have had Darren on the brain!!! The security principles are in the resource domain (trusting), I set up the trust both ways and slowly but surely the names started to resolve, not going to be very good for my design though! I am going to have to install a console in each of the five domains opposed to two consoles in the Management Domain, think this must be a bug with the GPE code. If the settings can be found via the delegation tab within the settings, then surely this should also work within GPE? :-( Sean From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: 22 September 2010 17:52 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Yea, I was wondering how I had gotten onto the thread without contributing . Also, are the security principals that aren’t resolving in the management domain or resource domain? Darren From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: Wednesday, September 22, 2010 9:51 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Its Darragh actually (Irish name!) :-) What settings are you looking at in GPE specifically? GPMC caches scope and delegation data as far as I remember. Are you running gpmc from a desktop machine? Sometimes when SIDs wont resolve to names, it means trust has been lost between the workstation and the domain or that those accounts have been deleted from the domain hence the SID cannot be resolved Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 22 September 2010 16:54 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain That’s correct Darren, this is a very strange occurance!!! Connected to the PDC emulator which is also a GC From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 22 September 2010 15:40 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain i.e. when connected into GPMC and clicking ‘Edit’ on the context menu, the SID are present in the GPO editor as opposed to the names? What Domain controller is GPMC connected to? Is it in your local site and is it a global catalogue? Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 22 September 2010 15:29 To: xxxxxxxxxxxxxxxx Subject: [gptalk] Problems with resolution of accounts from mgmt domain Hi all, I am just looking at implementing a tool that is going into a Management domain that has a one way trust into the resource domain. When looking at settings from within GPMC, all of the accounts are resolved, when looking at the accounts from within GPE, they are returned as SID’s has anyone seen this before? Thanks, Sean McCarthy Technical Services AXA Tech MESD Region (UK) eMail: xxxxxxxxxxxxxxxx Int: 748 4805 Tel: +44 (0) 1253 684805 P Please consider the environment before printing this message/ Pensez à l'environnement avant d'imprimer ce message This email originates from AXA Technology Services UK Limited (reg. no. 1854856) which has its registered office at 5 Old Broad Street, London EC2N 1AD, England. This message and any files transmitted with it are confidential and intended solely for the individual or entity to whom they are addressed. If you have received this in error, you should not disseminate or copy this email. Please notify the sender immediately and delete this email from your system. Please also note that any opinions presented in this email are solely those of the author and do not necessarily represent those of The AXA UK Plc Group. Email transmission cannot be guaranteed to be secure, or error free as information could be intercepted, corrupted, lost, destroyed, late in arriving or incomplete as a result of the transmission process. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of email transmission. Finally, the recipient should check this email and any attachments for viruses. The AXA UK Plc Group accept no liability for any damage caused by any virus transmitted by this email.

dmarelia

Posts:441

09/24/2010 3:35 PM
All I can say is that I’m shocked that this is just being discovered now. I mean, this seems like it would have been a common enough scenario over the past x number of years GPE has been around. Thanks for sharing Sean. Darren From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: Friday, September 24, 2010 4:25 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Wow! That is pretty head wrecking! I remember working in a place that had 10 forests and over 40 domains! I wasn’t doing AD stuff at the time thank god! You could always start memorizing the SIDS Sean ! Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 24 September 2010 11:15 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Ok, Following my conversation this morning with MS… GPMC the intelligent side, resolves SIDs by contacting the DC that is in the Managed Domain, GPE tries to resolve SIDs by contacting the local DC, which does not forward the request to the Managed DC. This has been raised and the MS Consultant is kindly going to complete a Business Case for a change to GPE, my point was that MS recommend the use of Resource and Accounts domains for secure environments, yet the Native tools do not support this recommendation. Who would have thought that one GPO project would have raised two flaws in GPO management! Now for a new Detailed Design and to inform the Project that an extra 8 servers will be required ☹ Thanks for all your input peeps, Sean From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 20:45 To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Problems with resolution of accounts from mgmt domain I think he verified dns outside of gpmc but I may be wrong. It might be worth at this stage running a net trace to see if the app us even trying to resolve the names and what server it's using to do this Regards, Darragh O'Shaughnessy IT Services Department E-Mail: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Ext: 2562 Direct Dial In: 01-7994028 Web Site: www.vhi.ie<http://www.vhi.ie> Help the environment. If you need to print this email consider using Eco Font to save ink: http://www.ecofont.eu/ecofont_en.html This e-mail and any files transmitted with it contain information which may be confidential and which may also be privileged and is intended solely for the use of the individual or entity to whom it is addressed. Unless you are the intended recipient you may not copy or use it, or disclose it to anyone else. Any opinions expressed are that of the individual and not necessarily that of Vhi Healthcare. If you have received this e-mail in error please notify the sender by return. This footnote also confirms that this e-mail message has been Swept for the presence of computer viruses. On 23 Sep 2010, at 18:49, "Omar Droubi" <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote: After the patch you have to do some manual editing of files- did you do that? One thing I was wondering as I looked through this thread—has the DNS configuration-both on the NIC of the machine you are running GPMC and GPOE (editor) been reviewed? In some cases netbios resolution can work but in other cases DNS needs to work 100% to resolve sids. Now I have not tried to reproduce this and the fact that there is a hotfix- eludes to the fact that this is a bug-but I have done this several times before but I haven’t come across this yet. Can you detail the domain/forest configuration of the environment a bit. Are there multiple forests? Single forest multiple trees? All domains in the same forest- and if so- what are the domain relationships? I assume with the fact that you started with a one-way trust and then changed to a two-way trust you have multiple forests? I would start with DNS review 1st on the DCs in both domains and the clients as well. DNS forwarding, DNS search suffixes, etc. Omar From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Thursday, September 23, 2010 3:53 AM To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain No Joy after applying the fix ☹ Looks like its going to be a GPA console in each of the domains… Unless by some kind of Magic GPA stops using MS native tools in there next patch… hummm From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 10:34 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain And did you say all the well known SIDS resolve ok? Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 10:30 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain FFL and DFL is currently 2000 in the Resource Domain and 2003 in the MGMT Domain, but this is also happening with 2003 – 2003 Domains as well, all DC OS’s are 2003 and terminal servers are either W2K8 R2 or W2K3 R2 Sean From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 10:23 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Also, one last thing, what’s the forest/domain functional levels at in the domains/forest? Are there a mixture of \|DC OS’s. if so, what os holds the FSMO roles or PDC role? Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 10:17 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain It does this from W2K3 as well, but is definitely worth a try, Will get back to you with some hopefully good news ☺ From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 10:14 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain So authenticated users do not have this right at that DC Similar issue for windows 7: http://support.microsoft.com/kb/974639 Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 10:09 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Was not added, I have just added both Terminal Server and GPO MGMT group to no avail… not good at all! From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 09:44 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Hmmm, does your computer have the right: "Access this Computer from the Network" permission at the validating domain controller? Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 09:41 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain User Rights Assignment ;-) Sean From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 09:41 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Excuse my acronym ignorance but what is URA?! Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 09:37 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Im never going to do live this down :-O ☺ Anything with URA is showing as a SID, only the well known SIDS resolve, psgetsid works/// Sean From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 09:35 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain HI, Which settings are they? Also, have you resolve them ok from the command line using psgetsid.exe or the like? Darragh (aka Darren) O’Shaughnessy From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 09:31 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Thanks Darragh (I should know better!!!) I must have had Darren on the brain!!! The security principles are in the resource domain (trusting), I set up the trust both ways and slowly but surely the names started to resolve, not going to be very good for my design though! I am going to have to install a console in each of the five domains opposed to two consoles in the Management Domain, think this must be a bug with the GPE code. If the settings can be found via the delegation tab within the settings, then surely this should also work within GPE? ☹ Sean From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: 22 September 2010 17:52 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Yea, I was wondering how I had gotten onto the thread without contributing . Also, are the security principals that aren’t resolving in the management domain or resource domain? Darren From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: Wednesday, September 22, 2010 9:51 AM To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain Its Darragh actually (Irish name!) ☺ What settings are you looking at in GPE specifically? GPMC caches scope and delegation data as far as I remember. Are you running gpmc from a desktop machine? Sometimes when SIDs wont resolve to names, it means trust has been lost between the workstation and the domain or that those accounts have been deleted from the domain hence the SID cannot be resolved Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 22 September 2010 16:54 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain That’s correct Darren, this is a very strange occurance!!! Connected to the PDC emulator which is also a GC From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 22 September 2010 15:40 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain i.e. when connected into GPMC and clicking ‘Edit’ on the context menu, the SID are present in the GPO editor as opposed to the names? What Domain controller is GPMC connected to? Is it in your local site and is it a global catalogue? Darragh O’Shaughnessy From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 22 September 2010 15:29 To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: [gptalk] Problems with resolution of accounts from mgmt domain Hi all, I am just looking at implementing a tool that is going into a Management domain that has a one way trust into the resource domain. When looking at settings from within GPMC, all of the accounts are resolved, when looking at the accounts from within GPE, they are returned as SID’s has anyone seen this before? Thanks, Sean McCarthy Technical Services AXA Tech MESD Region (UK) eMail: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Int: 748 4805 Tel: +44 (0) 1253 684805 P Please consider the environment before printing this message/ Pensez à l'environnement avant d'imprimer ce message This email originates from AXA Technology Services UK Limited (reg. no. 1854856) which has its registered office at 5 Old Broad Street, London EC2N 1AD, England. This message and any files transmitted with it are confidential and intended solely for the individual or entity to whom they are addressed. If you have received this in error, you should not disseminate or copy this email. Please notify the sender immediately and delete this email from your system. Please also note that any opinions presented in this email are solely those of the author and do not necessarily represent those of The AXA UK Plc Group. Email transmission cannot be guaranteed to be secure, or error free as information could be intercepted, corrupted, lost, destroyed, late in arriving or incomplete as a result of the transmission process. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of email transmission. Finally, the recipient should check this email and any attachments for viruses. The AXA UK Plc Group accept no liability for any damage caused by any virus transmitted by this email.