##CategoryRants
##CategoryComputers
----
(from RussellMUCK 07/30/2003)
----
["Calin"] AARRRGS, and throws Windows 2000 WikiPedia:Active_Directory Domains out the freakin' window!!!
["Calin"] turns off his 'damage control' sirens for the moment.
["Akili"] rumbles, "Yikes!"
["Calin"] says, "Ok, so I have a story:"
["Akili"] settles in to listen.
["Calin"] says, "We were using two WikiPedia:Windows_NT domains (WORKGROUP and SNFLWR). Yes, WORKGROUP was named thus as a tribute to lazy admins."
["Akili"] snickers. "Okay."
["Akili"] thinks he remembers that, actually.
["Calin"] says, "We had one WikiPedia:Domain_controller for each domain, and SEATTLE, the WORKGROUP WikiPedia:Domain_controller, was running [wiki:WikiPedia:Microsoft_Exchange Exchange] 5.5 for email."
["Akili"] rumbles, "Okay."
["Calin"] says, "[wiki:WikiPedia:Microsoft_Exchange Exchange] on Seattle handled email for both domains. The domains trusted each other, so it was no trouble to tell [wiki:WikiPedia:Microsoft_Exchange Exchange] that the owner account for a mailbox is in the other domain."
["Calin"] says, "Now, in the last few months, [wiki:WikiPedia:E-mail_spam spam] has become a SERIOUS problem here."
["Akili"] rumbles, "Yeah, there's some of that at my office, too. Not everyone, but certain accounts are getting hammered."
["Calin"] says, "So I started looking around for a [wiki:WikiPedia:E-mail_spam spam] filter program to put in."
["Calin"] says, "Almost everything I found worked only for [wiki:WikiPedia:Microsoft_Exchange Exchange] 2000, not [wiki:WikiPedia:Microsoft_Exchange Exchange] 5.5."
["Calin"] says, "Eventually we bought one that needed to run on WikiPedia:Windows_2000, but could forward all email to [wiki:WikiPedia:Microsoft_Exchange Exchange] 5.5."
["Calin"] says, "So that's what we did."
["Akili"] rumbles, "Okay."
["Calin"] says, "So anyway, it was running as our WikiPedia:Smtp gateway, and it filtered away."
["Akili"] rumbles, "Sounds good."
["Calin"] says, "We quickly realized though, that it was blocking many valid emails."
["Akili"] laughs. "Oops."
["Calin"] says, "So I turned down its abilities, and turned them down, until it was hardly blocking anything."
["Calin"] says, "So then it only blocked based on the sender's email address, and we started a list."
Cal says, "It wasn't the filtering."
["Calin"] says, "We still blocked hundreds of emails, but so many kept getting through."
["Calin"] says, "With a bit more exploring, I found a feature called 'auto white list.'"
["Akili"] rumbles, "Yeah. List filtering is only useful against valid advertisers, and those aren't the problem anyway."
["Calin"] says, "This was our savior."
["Akili"] rumbles, "Auto white list?"
["Calin"] says, "You see, any time we SENT an email, the recipient got added to the white list."
["Calin"] says, "Which means they'd never be blocked."
["Akili"] rumbles, "Ahh. Interesting."
["Calin"] says, "So I figured I'd run it that way for a while, only blocking by address but building a white list... and after the white list got to be pretty big, I'd turn on the other features again."
["Calin"] says, "I ran it for a week or two, and took a look at the white list. It sure was getting big."
["Calin"] says, "To my horror though, I saw a whole bunch of obviously [wiki:WikiPedia:E-mail_spam spam]my addresses in there."
["Calin"] says, "Well what the heck??"
["Akili"] raises a brow.
["Akili"] rumbles, "Ooh. I hope the [wiki:WikiPedia:E-mail_spam spam]s weren't automatically trying to send a delivery notification."
["Calin"] says, "A bit of investigation turned up the fact that any time the server sent an NDR (Non Delivery Reply) it was adding the recipient to the whitelist."
["Akili"] rumbles, "Ack!"
["Calin"] says, "That's what _I_ thought."
["Calin"] says, "So I emailed the maker of the filter, and asked them about it."
["Calin"] says, "They said it was a known bug, and to wait for the next build."
["Akili"] rolls his eyes.
["Calin"] says, "I got the next build a few days later."
["Calin"] says, "Then I cleared out the whitelist and started again."
["Calin"] says, "A week or so later I checked it, and found that once again, it was filled with [wiki:WikiPedia:E-mail_spam spam]my email addresses."
["Calin"] says, "Again, what the heck?"
["Calin"] says, "WELL."
["Calin"] says, "Here's the deal, sparky."
["Akili"] grins. "This should be good. In a really awful sort of way."
["Calin"] says, "Because it was only a gateway for [wiki:WikiPedia:Microsoft_Exchange Exchange] 5.5, and not integrated with it... it couldn't tell the difference between an NDR generated by [wiki:WikiPedia:Microsoft_Exchange Exchange] 5.5 and a valid email. The bug was apparently coincidental, and applied only to NDRs generated by the machine with the filter on it."
["Calin"] says, "So now we're left with a (mostly) useless email filter."
["Akili"] rumbles, "Wonderful."
["Akili"] rumbles, "Refund!"
["Calin"] says, "Time went by, and I dutifully added over 3000 emails to the junk senders list."
["Akili"] rumbles, "To little avail, I'd imagine."
["Calin"] says, "Eventually my boss asked me what we could do about it."
["Calin"] says, "Actually, it does block a good amount."
["Akili"] rumbles, "Really? That's surprising."
["Calin"] says, "Yeah. Lots more get through though."
["Calin"] says, "Anyway, what I told him was this: In order to get the best use of the filter, we need to use [wiki:WikiPedia:Microsoft_Exchange Exchange] 2000."
["Akili"] rumbles, "Most senders I've seen that use the same address are generally pretty good about acknowledging unsubscription requests."
["Akili"] rumbles, "Of course."
["Calin"] says, "He asked what it would take to get that running, and I thought about it for a while..."
["Calin"] says, "We had a server available. This gave me some options."
["Calin"] says, "Firstly, [wiki:WikiPedia:Microsoft_Exchange Exchange] 2000 NEEDS to run in a WikiPedia:Windows_2000 WikiPedia:Active_Directory domain, because it integrates with it."
["Akili"] rumbles, "Right. That's why we haven't upgraded at work either."
["Akili"] rumbles, "We're working on it, though."
["Calin"] says, "Right. So that means upgrading at least one of my domains to WikiPedia:Windows_2000 WikiPedia:Active_Directory."
["Akili"] rumbles, "Let the nightmare commence."
["Calin"] says, "So I figured I'd install WikiPedia:Windows_2000 Server on the machine I had available, and have it take over the Workgroup domain, as well as handle many of the functions of seattle, the current workgroup controller."
["Akili"] yodas, "Not ready are you. Of the WikiPedia:Dark_side it is."
["Calin"] says, "So, I install WikiPedia:Windows_2000 server. So far so good."
["Calin"] says, "The mouse doesn't work, and I have to install a 3rd party driver for it, but no big deal."
["Calin"] says, "I run DCPROMO, to promote it to a WikiPedia:Domain_controller."
["Calin"] says, "It tells me that it can't join WORKGROUP, because it cannot contact the current WikiPedia:Active_Directory controller."
["Akili"] rumbles, "Uh-oh."
["Calin"] says, "It tells me I cannot create a new domain with the NT compatible name WORKGROUP because it already exists."
["Calin"] says, "So I backtrack. I install NT server on the machine."
["Calin"] says, "During install I need to find and provide a SCSI driver, a network driver, and a mouse driver, but I finally get it installed and set up as a WikiPedia:Backup_Domain_Controller for WORKGROUP."
["Akili"] rumbles, "You mentioned that you were having to rebuild an NT server, yeah."
["Calin"] says, "I use the Server Manager to promote the new machine to the WikiPedia:Primary_Domain_Controller. It works flawlessly, demoting Seattle to be the WikiPedia:Backup_Domain_Controller."
["Calin"] says, "And I'm thinking, 'Wow, this actually works!'"
["Calin"] says, "Who'd have thunk it."
["Calin"] says, "Then, I install patch 6 on the new machine."
Cal says, "clunk."
["Akili"] rumbles, "Foom?"
["Calin"] says, "Nah, still going well here."
["Calin"] says, "Then, I upgraded it to WikiPedia:Windows_2000."
["Akili"] rumbles, "Falling flaming bits from the sky?"
["Calin"] says, "As soon as the upgrade was complete, it automatically ran DCPROMO, and created a new domain called WORKGROUP (for NT) and annams.com (for win2k)."
["Calin"] says, "Seattle continued to work just fine as a WikiPedia:Backup_Domain_Controller. Things were looking well."
["Calin"] says, "Again, I'm thinking, 'Wow, this works!'"
["Akili"] rumbles, "And is that when you accidentally knocked the gearshift from 5th to 1st and flung engine parts across the freeway?"
["Calin"] says, "I installed [wiki:WikiPedia:Microsoft_Exchange Exchange] 2000 on the new server, and joined it to the existing [wiki:WikiPedia:Microsoft_Exchange Exchange] 5.5 organization."
["Calin"] says, "Now I could view all the mailboxes on [wiki:WikiPedia:Microsoft_Exchange Exchange] 5.5, from the [wiki:WikiPedia:Microsoft_Exchange Exchange] 2000 console."
["Calin"] says, "Looking good..."
["Calin"] says, "I dinked with it for a bit, and finally found the option to replicate data from the 5.5 server to the 2000 server."
["Calin"] says, "I ran it..."
["Calin"] says, "And found that it did horrible, horrible things."
["Akili"] rumbles, "System go down the hole?"
["Calin"] says, "It copied all the mailboxes from the old system..."
["Calin"] says, "And created user accounts for all the ones that didn't have one in WORKGROUP."
["Akili"] rumbles, "Uh."
["Calin"] says, "It seems that in [wiki:WikiPedia:Microsoft_Exchange Exchange] 2000, you cannot assign ownership of a mailbox."
Cal says, "You did something they didn't think of."
["Calin"] says, "It's built into the WikiPedia:Active_Directory account of the owner."
["Calin"] says, "Yeah, that's the impression I get, Cal."
["Akili"] rumbles, "Well. That's messed up."
["Calin"] says, "It seems it never OCCURRED to anyone that you'd use ONE [wiki:WikiPedia:Microsoft_Exchange Exchange] server for more than one domain."
["Akili"] rumbles, "Sounds like Microsoft."
["Calin"] says, "So anyway, I killed the win2000 server, promoted Seattle back to PDC, and deleted all the erroneously created accounts."
["Calin"] says, "I started over."
["Calin"] says, "I installed NT, took control of the domain, installed 2k."
["Calin"] says, "I figured I needed SNFLWR to be a win2k domain too, so its users would be in the Active Directory."
["Calin"] says, "I didn't have a machine available, so I used VMware to make one."
["Akili"] rumbles, "Okay."
["Calin"] says, "On the annams.com active directory controller, I started a WikiPedia:Vmware, installed NT, took control of SNFLWR, and installed windows 2000."
["Akili"] shakes his head. "Just from what you've gone through already... I'm not looking forward to this project at my office."
["Calin"] says, "A pretty ballsy move, but I didn't see any reason it shouldn't work."
["Akili"] chuckles. "I'd agree."
["Calin"] says, "It did work. I created the snflwr.com domain as a peer to annams.com."
["Calin"] says, "It all seemed to be working just fine, but I noticed some odd things in the Event Logs."
["Akili"] raises a brow.
- Error: You're doing something we don't like. You will be paying for it shortly.
["Calin"] says, "It seemed the snflwr.com controller couldn't communicate with the Global Catalog (whatever that is) on the annams.com controller."
["Calin"] says, "Users started coming to find me."
["Akili"] rumbles, "That's never good."
["Akili"] rumbles, "They almost never find the sysadmin to give him good news."
["Calin"] says, "It seems that the domain controllers couldn't talk to each other properly, so the trust between the domains was broken."
["Akili"] rumbles, "That's like a cop pulling you over to tell you how good a driver you are."
["Calin"] says, "So users in one domain could no longer access resources in the other."
["Akili"] rumbles, "That's bad."
["Calin"] says, "Yup."
["Calin"] says, "With some trouble, I was able to re-establish the trusts."
["Calin"] says, "But there were still problems. People stopped coming to find me though, so it was ok."
["Akili"] grins.
["Calin"] says, "I checked things out, and found that [wiki:WikiPedia:Microsoft_Exchange Exchange] (when installed on the annams.com controller) could do nothing with the accounts on the snflwr.com controller."
["Calin"] says, "This kind of made sense to me. It was because [wiki:WikiPedia:Microsoft_Exchange Exchange] had extended the directory to support it on one, but not the other."
["Calin"] says, "So I went about installing it on the snflwr.com controller."
["Calin"] says, "It wouldn't install."
["Calin"] says, "It said it didn't have access to modify the Schema."
["Calin"] says, "So I couldn't install it."
["Akili"] shakes his head.
["Calin"] says, "I figured perhaps there was something odd about the VM that was keeping it from working."
["Calin"] says, "So I took the win2k server that was currently running the [wiki:WikiPedia:E-mail_spam spam] filter (as a member server) and promoted it to a domain controller, adding it to the snflwr.com domain."
["Calin"] says, "It could communicate just fine with the VM server."
["Calin"] says, "Then I took the VM server offline, and tried to use just the new server as the snflwr.com controller."
["Calin"] says, "But it seems that the new server synchronized with the VM server, and inherited some 'out of sync' stuff. So it simply couldn't talk to the annams.com controller."
["Calin"] says, "Now I was in a quandary."
["Calin"] says, "This machine was neither working, nor could I take it offline (as it was still our SMTP gateway)."
["Akili"] rumbles, "Right."
["Calin"] says, "I tried to demote it, but it said 'Missing DSA' or something."
["Calin"] says, "So it was a server, and it was staying that way."
["Calin"] says, "Eventually I shut down all the services relating to netbios and netlogon, and left it running."
["Calin"] says, "So as far as the rest of the windows world was concerned, it wasn't there."
["Calin"] says, "I promoted the old NT server back to being the PDC."
["Calin"] says, "And I recreated the trust, which had gone bad again."
["Akili"] chuckles, recalling the server that wasn't there at TRS.
["Calin"] says, "I cobbled together some old parts, and got myself a new machine."
["Calin"] says, "I went through it all again, putting on NT, taking control of SNFLWR, and installing win2k."
["Akili"] shakes his head. "Man."
["Calin"] says, "The trusts immediately went bad."
["Calin"] says, "I recreated them."
["Calin"] says, "Users started to come to me."
["Calin"] says, "It seems that when I recreated the trusts this time, it was only a trust the win2k servers could use."
["Calin"] says, "The two NT backup controllers could not talk to each other."
["Calin"] says, "And for some reason didn't want to trust the win2k controllers of the other domain."
["Calin"] says, "Thus any services that still lived on the NT servers became 'off limits' to users of the opposite domain."
["Calin"] says, "This included email."
["Calin"] says, "I struggled to fix it, and users kept coming to me."
["Akili"] covers his face with a hand, and continues shaking his head. "Jeez."
["Calin"] says, "Finally, I pulled the plug on both win2k servers, and promoted both NT servers to primary again."
["Calin"] says, "I re-established the trust."
["Calin"] says, "Things started working again, with one exception:"
["Akili"] rumbles, "Email?"
["Calin"] says, "Any windows 2000 machine that had been rebooted since the win2k servers came up had dutifully changed their domain membership from WORKGROUP to annams.com, or from SNFLWR to snflwr.com."
["Calin"] says, "They could no longer log in."
["Akili"] rumbles, "Arg."
["Calin"] says, "The computer accounts in the domain were now orphaned, and had to be deleted manually."
["Calin"] says, "The computers themselves had to be removed from the domain and readded."
["Calin"] says, "And that brings us to now. Two windows NT domain controllers, Zero windows 2k controllers...."
["Calin"] says, "And undoubtedly a few computers just waiting for tomorrow morning before deciding that their machine accounts are bad."
["Akili"] rumbles, "What a mess."
["Calin"] leans out the window, and watches Active Directory smash to a million bits on the ground.
["Calin"] says, "At a guess, I would say that win2k domains can work with NT compatibility on."
- The pieces liquify, start rolling together, and reform, shaking a furious fist at ["Calin"].
["Calin"] says, "However, I think that if you have trust relationships between win2k domains, one of them MUST be in native mode."
["Calin"] says, "Which means no NT servers in the domain."
["Calin"] says, "Which means it's not going to work here."
["Calin"] says, "The other option would be to start a new win2k domain, and then upgrade the existing domains as children of the new native domain."
["Calin"] says, "That might work."
["Calin"] says, "However, I don't think I'm going to do that just now."
["Akili"] rumbles, "I don't blame you."
["Calin"] shakes his head.
["Calin"] says, "I'm tired after just writing it all, much less doing it."
["Akili"] rumbles, "And this is why you have no spare time."
["Calin"] says, "This is EXACTLY why I have no spare time."
["Calin"] waves his hand in a lazy circular gesture. "That's it, I'm going back to bed."