[ActiveDir] User cannot change password
Hi all

I have been trying (in vain) to search the userAccountControl attribute value using a bitwise filter to find users that have the User cannot change password flag set. The filter I am using is:

(&(objectCategory=Person)(userAccountControl:1.2.840.113556.1.4.803:=64))

It doesn't appear to work, although a similar filter for Password never expires does, e.g.:

(&(objectCategory=Person)(userAccountControl:1.2.840.113556.1.4.803:=65536))

Looking through MSDN I find the following (seemingly contradictory) information:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/ads_user_flag_enum.asp

ADS_UF_PASSWD_CANT_CHANGE
The user cannot change the password. You can read this flag, but you cannot set it directly. For more information, and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.

This seems to support the idea that it should be possible to search for this setting using the bitwise filter. But the following information suggests that it is not.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/user_object_user_interface_mapping.asp

This seems to provide the correct information. When I toggle the flag in ADUC there is no corresponding change to the userAccountControl decimal value.

Can anyone clarify this for me?

Tony

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] User cannot change password
Tony,

When you change that checkbox in ADUC it actually goes to the ACL and adds/removes an ACE with the change password permission. And everything you described is 100% correct. There is no feasible way to search for an ACE in ACLs. Sorry.

Vladimir.

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 3:22 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] User cannot change password
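An added example, not code from the thread, that does what Vladimir describes: rather than testing bit 64 of userAccountControl (which ADUC never sets), it reads each user's security descriptor and looks for the Deny ACEs on the User-Change-Password control access right that the ADUC checkbox writes for Everyone and SELF. It assumes the ActiveDirectory PowerShell module on a domain-joined session with read access to user objects; the 65536 filter from the question is kept alongside for contrast.

```powershell
# Added example (not from the thread). "User cannot change password" lives in
# the user object's ACL, not in userAccountControl, so it has to be found by
# walking each user's security descriptor. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# rightsGuid of the well-known "User-Change-Password" control access right.
$ChangePasswordRight = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

# ADUC persists the checkbox as Deny ACEs for Everyone (S-1-1-0) and
# NT AUTHORITY\SELF (S-1-5-10); treat either one as "set" for an audit.
$DenyPrincipalSids = @('S-1-1-0', 'S-1-5-10')

function Test-CannotChangePassword {
    <#
    .SYNOPSIS
    Returns $true when the ACL carries an explicit Deny ACE for the
    User-Change-Password extended right assigned to Everyone or SELF.
    #>
    param(
        [Parameter(Mandatory)]
        [System.DirectoryServices.ActiveDirectorySecurity]$Acl
    )

    # Explicit rules only, identities as SIDs so the check is locale-independent.
    $rules = $Acl.GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $isExtendedRight = (($rule.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
        if ($rule.AccessControlType -eq 'Deny' -and
            $isExtendedRight -and
            $rule.ObjectType -eq $ChangePasswordRight -and
            $DenyPrincipalSids -contains $rule.IdentityReference.Value) {
            return $true
        }
    }
    return $false
}

# Flags that really are stored in userAccountControl (65536 = "Password never
# expires") are still found with the LDAP_MATCHING_RULE_BIT_AND filter.
$neverExpires = Get-ADUser -LDAPFilter `
    '(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))'

# "User cannot change password" is found by reading nTSecurityDescriptor
# for every user; on a large domain scope this with -SearchBase instead of -Filter *.
$cannotChange = Get-ADUser -Filter * -Properties nTSecurityDescriptor |
    Where-Object { Test-CannotChangePassword -Acl $_.nTSecurityDescriptor }

Write-Output ("{0} users with password-never-expires, {1} users who cannot change password" -f
    @($neverExpires).Count, @($cannotChange).Count)
$cannotChange | Select-Object SamAccountName, DistinguishedName
```

Because the setting is an ACE, it also shows up in the Directory Service Changes audit log as a modification of nTSecurityDescriptor rather than of userAccountControl, which matters when building detections for accounts being locked against password changes.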
RE: [ActiveDir] User cannot change password
Thanks Vladimir. That's the conclusion I was coming to. It just seems strange that the userAccountControl attribute makes provision for it, even though it is not used.

Tony

-- Original Message --
From: Turin, Vladimir [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 11 Dec 2002 15:42:08 +0300
RE: [ActiveDir] Back to Basics - Design Pros and Cons
You're really looking at what I'd call a consulting question - there are too many factors to be able to give this any sort of justice via an email forum. That being said, here are some thoughts.

Start with defining the levels of separation and security between your different classes of users, as well as determining what (if any) resources are expected to be available, and which classes of users need access to them (i.e. computer labs, etc.). Define the administration policies for the different classes of users - are the student accounts managed by different people than staff, etc.?

Unless you have very serious issues with the trustworthiness (or they're just plain unruly) of the administrators for student accounts, I don't see a lot of reason to create a multiple forest design, especially if there are many resources that have to be shared between the students and faculty.

The design will flow from how well you define your user classes. The better you understand the requirements for interaction and administration, the easier it will be to develop a design that will suit your institution.

After all that, my first idea would be a 3 domain forest - empty root, faculty domain and student domain. Multiple forests are possible, and in some cases preferable, but they are a significant overhead, IMO.

Roger
--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-----Original Message-----
From: Wohlgehagen, Max W [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 10, 2002 8:20 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Back to Basics - Design Pros and Cons

There is so much material out there on AD now it is almost scary [in many ways it is not too dissimilar to NDS 'cepting the DNS component]. My problem is design for a new network; being in a school we have the luxury of starting from scratch without business fallout problems.

We are multi-campus and have a fairly substantial network with an 11MB Spread Spectrum Microwave link between campuses. I am a big fan of the KISS principle but am stuck in deciding between multiple trees or a single tree with many sites; both concepts have advantages. We do not need to implement a forest structure as our DNS is set in concrete.

We have the following elements: Campus1, Campus2, Students1, Students2, Staff1, Staff2 ... or OrganisationAll, StaffAll, StudentsAll. Obviously there are sub components of these elements as well. The main concern is to have the most useful GPO structure without too much complexity.

Does anyone have any experience in setting up this type of AD? Any ideas on multiple domains versus single domain many sites?? Help, opinions, comments, ideas all welcome.

Thanks.

Max Wohlgehagen
TSI - Rowville

Of all the things I've lost, it's my mind I miss the most.

Important - This email and any attachments may be confidential. If received in error, please contact us and delete all copies. Before opening or using attachments check them for viruses and defects. Regardless of any loss, damage or consequence, whether caused by the negligence of the sender or not, resulting directly or indirectly from the use of any attached files our liability is limited to resupplying any affected attachments. Any representations or opinions expressed are those of the individual sender, and not necessarily those of the Department of Education Training.
RE: [ActiveDir] Back to Basics - Design Pros and Cons
Roger,

Do you - or anyone reading this - have any good documentation on the empty root concept?

Joe Pelle
Systems Administrator
Information Technology
Valassis / Targeted Print Media Solutions
35955 Schoolcraft Rd.
Livonia, MI 48150
Tel 734.632.3753
Fax 734.632.6240
[EMAIL PROTECTED]
http://www.valassis.com/

This message may have included proprietary or protected information. This message and the information contained herein are not to be further communicated without my express written consent.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 9:00 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
RE: [ActiveDir] Back to Basics - Design Pros and Cons
Max,

While I think there are a LOT of issues that should be addressed (probably too many for you to get enough quality feedback through an email forum) there are a few basic things I would recommend considering.

1. Who needs to do what or get where (appliance wise)
2. What needs to be accessible to these people (as a whole)
3. Who needs to be able to access what?

Again, these are just tip of the iceberg things but that is where I'd start. I'm guessing by what you said and the mere fact that it is a multi campus university, that you have a healthy reliable backbone in place already. While multiple FORESTS are doable (some people may even lead you down that path - your decision) I always consider them to have a TON of administrative and maintenance related overhead. (Not sure how large your team is that will support this architecture.)

If it were me (because I never tell someone THIS IS WHAT YOU SHOULD DO) I would forget about the domain for each campus etc. I would stick with two domains FACULTY and STUDENTS (naming convention to be decided later) and move on from there.

Just my 2 cents Max. Good luck with this project - sounds exciting to me.

Craig

Craig P. Cerino MCSE, MCP+I
Systems Administrator
TIE SOLUTIONS, Inc

-----Original Message-----
From: Wohlgehagen, Max W [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 10, 2002 8:20 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Back to Basics - Design Pros and Cons
RE: [ActiveDir] Back to Basics - Design Pros and Cons
There's a reasonably good whitepaper from Lucent.

http://www.lucent.com/knowledge/documentdetail/0,1983,inContentId+0900940380004a2f-inLocaleId+1,00.html

It's not recent, but many of the concepts are still applicable.

Tony

-- Original Message --
From: Pelle, Joe [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 11 Dec 2002 09:05:00 -0500
RE: [ActiveDir] Back to Basics - Design Pros and Cons
I believe it's in some of Microsoft's docs. The biggest reason to do it is to be able to protect the Enterprise Admins and Schema Admins groups. Any domain admin in the domain which houses those two groups could add themselves to the groups. Therefore, if you restrict who's in that domain to begin with, you're able to keep people from adding themselves.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-----Original Message-----
From: Pelle, Joe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 9:05 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
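An added example, not from the thread, that audits the groups Roger's empty-root argument is about. Domain Admins and the built-in Administrators of the forest root domain can add themselves to Enterprise Admins and Schema Admins, so the check below expands the nested membership of those four root-domain groups, flags members outside an allow-list, and flags a non-empty Schema Admins. It assumes the ActiveDirectory PowerShell module and read access to the root domain; $ApprovedRootAdmins is a placeholder allow-list to be edited for the forest in question.

```powershell
# Added example (not from the thread). Lists who can reach forest-wide
# privilege through the root domain, which is what the empty-root design
# is meant to keep small. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder allow-list of sAMAccountNames expected in root-domain admin groups.
$ApprovedRootAdmins = @('Administrator')

$forest = Get-ADForest
$root   = Get-ADDomain -Identity $forest.RootDomain
$rootDc = $root.PDCEmulator   # query one DC so all groups resolve in the root domain

function Get-RootGroupUsers {
    param([Parameter(Mandatory)][string]$GroupName)
    # Expand nested membership: a nested group is as good as a direct member
    # for reaching the group's rights.
    Get-ADGroupMember -Identity $GroupName -Server $rootDc -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName
}

$groups = 'Domain Admins', 'Administrators', 'Enterprise Admins', 'Schema Admins'
$report = foreach ($g in $groups) {
    $members    = @(Get-RootGroupUsers -GroupName $g)
    $unexpected = @($members | Where-Object { $ApprovedRootAdmins -notcontains $_ })

    # Schema Admins should normally be empty; populate it only for the
    # duration of a schema change.
    $finding = 'OK'
    if ($g -eq 'Schema Admins' -and $members.Count -gt 0) {
        $finding = 'Schema Admins is not empty'
    } elseif ($unexpected.Count -gt 0) {
        $finding = 'Members outside the approved list'
    }

    [pscustomobject]@{
        Group      = $g
        Domain     = $root.DNSRoot
        Members    = ($members -join ', ')
        Unexpected = ($unexpected -join ', ')
        Finding    = $finding
    }
}

$report | Format-Table -AutoSize
```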
RE: [ActiveDir] Back to Basics - Design Pros and Cons
I also agree with those people here that say to have a 3 domain model in a single forest. By creating an empty root and having two child domains, you can ensure security and separation between faculty and students, as well as have a very detailed OU structure in your students domain based on year or majors, and your faculty can have an OU structure by department.

For the empty root, I would put in the root those services and servers that both students and faculty members need, such as an e-mail server and web server. File servers and application servers I would put in the child domains that are relative to each domain (i.e. FACULTYFP01 and FACULTYAPP01 in the Faculty domain and STUDENTFP01 and STUDENTAPP01 in the Student domain).

Just the path I would head down.

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED]

-----Original Message-----
From: Craig Cerino [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 9:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
RE: [ActiveDir] Back to Basics - Design Pros and Cons
Total Brainfart - didn't even consider 3 domains (empty root - Faculty - Student). Good advice.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 9:24 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

I also agree with those people here that say to have a 3 domain model in a single forest. By creating an empty root and having two child domains, you can ensure security and separation between faculty and students, as well as have a very detailed OU structure in your student domain based on year or majors, and your faculty can have an OU structure of department. For the empty root, I would put in the root those services and servers that both students and faculty members need, such as an e-mail server and web server. File servers and application servers I would put in the child domains that are relative to each domain (i.e. FACULTYFP01 and FACULTYAPP01 in the Faculty domain and STUDENTFP01 and STUDENTAPP01 in the Student domain). Just the path I would head down.

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED]

-Original Message-
From: Craig Cerino [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 9:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

Max,

While I think there are a LOT of issues that should be addressed (probably too many for you to get enough quality feedback through an email forum) there are a few basic things I would recommend considering.

1. Who needs to do what or get where (appliance wise)
2. What needs to be accessible to these people (as a whole)
3. Who needs to be able to access what?

Again, these are just tip of the iceberg things but that is where I'd start. I'm guessing by what you said and the mere fact that it is a multi campus university, that you have a healthy reliable backbone in place already.

While multiple FORESTS are doable (some people may even lead you down that path - your decision) I always consider them to have a TON of administrative and maintenance related overhead. (Not sure how large your team is that will support this architecture.) If it were me (because I never tell someone THIS IS WHAT YOU SHOULD DO) I would forget about the domain for each campus etc. I would stick with two domains, FACULTY and STUDENTS (naming convention to be decided later), and move on from there.

Just my 2 cents Max. Good luck with this project - sounds exciting to me.

Craig
Craig P. Cerino MCSE, MCP+I
Systems Administrator
TIE SOLUTIONS, Inc

-Original Message-
From: Wohlgehagen, Max W [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 10, 2002 8:20 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Back to Basics - Design Pros and Cons

There is so much material out there on AD now it is almost scary [in many ways it is not too dissimilar to NDS 'cepting the DNS component]. My problem is design for a new network; being in a school we have the luxury of starting from scratch without business fallout problems. We are multi-campus and have a fairly substantial network with an 11MB "Spread Spectrum" Microwave link between campuses. I am a big fan of the KISS principle but am stuck in deciding between multiple trees or a single tree with many sites; both concepts have advantages. We do not need to implement a Forest structure as our DNS is set in concrete.

We have the following elements: Campus1, Campus2, Students1, Students2, Staff1, Staff2 ... or OrganisationAll, StaffAll, StudentsAll. Obviously there are sub components of these elements as well. The main concern is to have the most useful GPO structure without too much complexity. Does anyone have any experience in setting up this type of AD? Any ideas on multiple domains versus single domain many sites?? Help, opinions, comments, ideas all welcome.

Thanks.
Max Wohlgehagen
TSI - Rowville
"Of all the things I've lost, it's my mind I miss the most."
Wohlgehagen, Max (E-mail).vcf

*** Important - This email and any attachments may be confidential. If received in error, please contact us and delete all copies. Before opening or using attachments check them for viruses and defects. Regardless of any loss, damage or consequence, whether caused by the negligence of the sender or not, resulting directly or indirectly from the use of any attached files our liability is limited to resupplying any affected attachments. Any representations or opinions expressed are those of the individual sender, and not necessarily those of the Department of Education Training.
RE: [ActiveDir] Back to Basics - Design Pros and Cons
I agree with Craig, however I would still stick with one domain and use the OU structure to the max. Maybe creating an OU for each campus and then dividing them down by departments, or students and staff, or whatever you find to work best. That is what I have found to work best, because then you can have the departments do their own administration at their level. And one of the most difficult things that I have found on my campus is the politics, and this kind of concept helps. But do what you must,

chuck

Thank you,
Charles Carerros
IS Network Specialist
Center for International Education
University of Wisconsin -- Milwaukee
Garland Hall RM 117
[EMAIL PROTECTED]
P: (414) 229-3604
F: (414) 229-3626

-Original Message-
From: Craig Cerino [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 8:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
RE: [ActiveDir] User cannot change password
Tony,

There is no simple way to check that. When you check the box it applies a DENY ACE for the user to change their own password. To search for all users that have that box checked you need to write a short script that searches for all user objects that have that DENY ACE present.

Hope that helps!

-Joel

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 7:22 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] User cannot change password
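The script Joel describes, as an added example that is not part of the original thread: it parses the binary nTSecurityDescriptor of each user object and reports those whose DACL carries an access-denied object ACE for the User-Change-Password control access right (rightsGuid ab721a53-1e2f-11d0-9819-00aa0040529b) granted to NT AUTHORITY\SELF (S-1-5-10) or Everyone (S-1-1-0), which is what ticking the box in ADUC writes. The userAccountControl bit 64 (ADS_UF_PASSWD_CANT_CHANGE) is derived from those ACEs rather than stored, which is why the bitwise LDAP filter on 64 never matches. The account names and descriptors below are constructed sample data so the script runs offline; nothing here comes from a real directory.

```python
"""Added example: find users with "User cannot change password" ticked by
looking for the Deny ACEs that ADUC writes; the userAccountControl bit 64 is
derived from those ACEs and never stored. Parses self-relative security
descriptors (MS-DTYP 2.4.6) as returned in nTSecurityDescriptor. Sample data
is constructed inline; no directory is contacted."""
import struct
import uuid

# rightsGuid of the User-Change-Password control access right.
USER_CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06
ACE_OBJECT_TYPE_PRESENT = 0x1
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
SID_EVERYONE = "S-1-1-0"
SID_SELF = "S-1-5-10"  # NT AUTHORITY\SELF: the user the object represents

def sid_to_bytes(sid):
    """Encode 'S-1-5-...' as a binary SID (MS-DTYP 2.4.2.2)."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def sid_from_bytes(buf, offset):
    """Decode a binary SID at offset; returns (sid_string, byte_length)."""
    revision, count = buf[offset], buf[offset + 1]
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, offset + 8)
    text = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return text, 8 + 4 * count

def parse_dacl(sd):
    """DACL of a self-relative SD as dicts: type, mask, object_type (GUID or None), sid."""
    revision, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    ace_count = struct.unpack_from("<H", sd, dacl_off + 4)[0]  # after rev, sbz1, size
    pos, aces = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, pos)
        mask = struct.unpack_from("<I", sd, pos + 4)[0]
        body, object_type = pos + 8, None
        if ace_type in (ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE):
            flags = struct.unpack_from("<I", sd, body)[0]
            body += 4
            if flags & ACE_OBJECT_TYPE_PRESENT:  # GUID is stored little-endian
                object_type = str(uuid.UUID(bytes_le=sd[body:body + 16]))
                body += 16
            if flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
                body += 16
        sid, _ = sid_from_bytes(sd, body)
        aces.append({"type": ace_type, "mask": mask, "object_type": object_type, "sid": sid})
        pos += ace_size
    return aces

def user_cannot_change_password(sd):
    """True when the DACL denies the User-Change-Password right to SELF or
    Everyone: ADUC writes both Deny ACEs when the box is ticked, and either
    one on its own already stops the user changing their own password."""
    return any(
        a["type"] == ACCESS_DENIED_OBJECT_ACE_TYPE
        and a["mask"] & ADS_RIGHT_DS_CONTROL_ACCESS
        and a["object_type"] == USER_CHANGE_PASSWORD
        and a["sid"] in (SID_SELF, SID_EVERYONE)
        for a in parse_dacl(sd))

def users_who_cannot_change_password(users):
    """Filter (sAMAccountName, nTSecurityDescriptor bytes) pairs to the ticked ones."""
    return [name for name, sd in users if user_cannot_change_password(sd)]

# --- constructed sample data (hypothetical accounts, not from a real domain) ---
def _object_ace(ace_type, sid, right_guid):
    body = (struct.pack("<II", ADS_RIGHT_DS_CONTROL_ACCESS, ACE_OBJECT_TYPE_PRESENT)
            + uuid.UUID(right_guid).bytes_le + sid_to_bytes(sid))
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body

def _plain_ace(ace_type, sid, mask):
    body = struct.pack("<I", mask) + sid_to_bytes(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body

def build_sd(aces):
    """Self-relative SD holding only a DACL (owner/group/SACL offsets zero)."""
    acl_body = b"".join(aces)
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(acl_body), len(aces), 0) + acl_body
    return struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20) + acl

SAMPLE_USERS = [
    ("tmurray", build_sd([  # box ticked: Deny for Everyone and for SELF
        _plain_ace(ACCESS_ALLOWED_ACE_TYPE, SID_EVERYONE, 0x20094),
        _object_ace(ACCESS_DENIED_OBJECT_ACE_TYPE, SID_EVERYONE, USER_CHANGE_PASSWORD),
        _object_ace(ACCESS_DENIED_OBJECT_ACE_TYPE, SID_SELF, USER_CHANGE_PASSWORD)])),
    ("jsmith", build_sd([    # box clear: SELF is allowed to change the password
        _plain_ace(ACCESS_ALLOWED_ACE_TYPE, SID_EVERYONE, 0x20094),
        _object_ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, SID_SELF, USER_CHANGE_PASSWORD)])),
]
```

Calling users_who_cannot_change_password(SAMPLE_USERS) returns ['tmurray']. To run it against a domain, replace SAMPLE_USERS with (sAMAccountName, nTSecurityDescriptor) pairs from an LDAP search such as (&(objectCategory=person)(objectClass=user)), requesting nTSecurityDescriptor with the LDAP_SERVER_SD_FLAGS control (OID 1.2.840.113556.1.4.801) set to DACL_SECURITY_INFORMATION (0x04), so the server hands back just the DACL and the read does not depend on the privilege needed for the SACL.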
RE: [ActiveDir] Back to Basics - Design Pros and Cons
Have you seen the Microsoft University Relations website? It's a site dedicated to issues for the University IT Pro. http://msruniv.corp.bcentral.com/

I've seen many Universities with multiple forests. Many people think that a domain is a security boundary, but if you need more than an administrative boundary, multiple forests is the way to go.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
www.qadvice.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wohlgehagen, Max W
Sent: Wednesday, December 11, 2002 2:20 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Back to Basics - Design Pros and Cons
Re: [ActiveDir] Back to Basics - Design Pros and Cons
Jimmy - Thanks for the idea - I will check and get back to you.

Jerry

- Original Message -
From: Jimmy Andersson
To: [EMAIL PROTECTED]
Sent: Wednesday, December 11, 2002 10:15 AM
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
[ActiveDir] OT- Terminal Services/Remote Desktop Issue
All,

One of my coworkers has a laptop with Windows XP and wants to Remote Desktop into one of our servers. He upgraded the laptop from Win 2k to Win XP. We also put the server on the domain. It seems as though his laptop is the only machine that cannot Terminal Service into the server. It doesn't even give it a chance, just gives the generic network problems message. He can Remote Desktop into our other Win 2k servers on the domain. Does anyone have any ideas as to what is going on? I told him to just Remote Desktop into his PC and then from there Remote Desktop to the server, but he doesn't like that idea. What is wrong with the connection?
RE: [ActiveDir] Back to Basics - Design Pros and Cons
Actually - the empty root should be just that - empty. The transitive trust model handles the rest.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 9:24 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
RE: [ActiveDir] Back to Basics - Design Pros and Cons
True, but logically it makes sense to at least have servers there that are common.

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 12:29 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
RE: [ActiveDir] Back to Basics - Design Pros and Cons
Not really. You can have an Exchange server in an empty root that only has accounts on it from child domains. Meaning that all user accounts are in the child domains, so you still only have the Administrator group in the forest root. Plus if you create one more account as the account you use to do all your admin work and have all services run as in the forest root, then you only have two accounts, Administrator and the new account. An empty root only means that there are no users maintained in that domain context. You can have servers in the forest root such as application servers or file servers and even Exchange servers without running the risk of having your AD security compromised. You specifically grant child domain user accounts access to folders or mailboxes. You are not granting them, nor would you, access to the AD contexts or to any administrative functions in the root.

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED]

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 12:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

No it doesn't. It's empty for security reasons, not for anything else. By putting any services within the domain, it voids the protections offered by the empty root - specifically preventing changes to the Enterprise Admins and Schema Admins groups. In the last 2 empty root deployments in which I've been involved, there have been a grand total of 5 accounts with ANY access to the empty root domains. In fact, the model was that the admin account in the empty root is different from the admin account, for the same individual, in the production domain. Putting non-DC servers in that domain means granting some level of rights to accounts in that domain, which threatens the controls over the above mentioned groups.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA
RE: [ActiveDir] Back to Basics - Design Pros and Cons
That brings up a great point - universities are very different environments from corporate environs. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Charles Carerros [mailto:[EMAIL PROTECTED]] Sent: Wednesday, December 11, 2002 9:57 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons I agree with Craig, however I would still stick with one domain and use the OU structure to the max. Maybe creating an OU for each campus and then dividing them down by departments or students and staff or whatever you find to work best. That is what I have found to work best because then you can have the departments do their own administration at their level. And one of the most difficult things that I have found on my campus is the politics and this kind of concept helps. But do what you must, chuck Thank you, Charles Carerros IS Network Specialist Center for International Education University of Wisconsin -- Milwaukee Garland Hall RM 117 [EMAIL PROTECTED] P: (414) 229-3604 F: (414) 229-3626 -Original Message- From: Craig Cerino [mailto:[EMAIL PROTECTED]] Sent: Wednesday, December 11, 2002 8:10 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons Max, While I think there are a LOT of issues that should be addressed (probably too many for you top get enough quality feedback through an email forum) there are a few basic things I would recommend considering. 1. Who needs to do what or get where (appliance wise) 2. What needs to be accessible to these people (as a whole) 3. Who needs to be able to access what? Again, these are just tip of the Iceberg things but that is where I'd start. I'm guessing by what you said and the mere fact that it is a multi campus university, that you have a healthy reliable backbone in place already. 
While multiple FORESTS are doable (some people may even lead you down that path - your decision) I always consider them to have a TON of administrative and maintenance related overhead. (Not sure how large your team is that will support this architecture.) If it were me (because I never tell someone THIS IS WHAT YOU SHOULD DO) I would forget about the domain for each campus etc. I would stick with two domains FACULTY and STUDENTS (naming convention to be decided later) and move on from there.

Just my 2 cents Max. Good luck with this project - sounds exciting to me.

Craig

Craig P. Cerino MCSE, MCP+I
Systems Administrator
TIE SOLUTIONS, Inc

-Original Message-
From: Wohlgehagen, Max W [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 10, 2002 8:20 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Back to Basics - Design Pros and Cons

There is so much material out there on AD now it is almost scary [in many ways it is not too dissimilar to NDS 'cepting the DNS component]. My problem is design for a new network; being in a school we have the luxury of starting from scratch without business fallout problems. We are multi-campus and have a fairly substantial network with an 11MB Spread Spectrum Microwave link between campuses. I am a big fan of the KISS principle but am stuck in deciding between multiple trees or a single tree with many sites; both concepts have advantages. We do not need to implement a forest structure as our DNS is set in concrete.

We have the following elements: Campus1, Campus2, Students1, Students2, Staff1, Staff2 ... or OrganisationAll, StaffAll, StudentsAll. Obviously there are sub components of these elements as well. The main concern is to have the most useful GPO structure without too much complexity.

Does anyone have any experience in setting up this type of AD? Any ideas on multiple domains versus single domain many sites?? Help, opinions, comments, ideas all welcome.

Thanks.
Max Wohlgehagen
TSI - Rowville

Of all the things I've lost, it's my mind I miss the most.

Important - This email and any attachments may be confidential. If received in error, please contact us and delete all copies. Before opening or using attachments check them for viruses and defects. Regardless of any loss, damage or consequence, whether caused by the negligence of the sender or not, resulting directly or indirectly from the use of any attached files our liability is limited to resupplying any affected attachments. Any representations or opinions expressed are those of the individual sender, and not necessarily those of the Department of Education Training.
RE: [ActiveDir] Back to Basics - Design Pros and Cons
The point which I believe you're missing, is that of manageability of servers within that domain generally means that the group of people managing servers in that domain requires domain level admin rights, which obviates the security benefits of the empty root. The concept behind the empty root is to provide a container for the schema and forest structure - nothing else. By putting anything other than what is required to meet those needs, it's no longer an empty root.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 12:46 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

Not really. You can have an Exchange server in an empty root that only has accounts on it from child domains. Meaning that all user accounts are in the child domains, so you still only have the Administrator group in the forest root. Plus if you create one more account as the account you use to do all your admin work and have all services run as in the forest root then you only have two accounts, Administrator and the new account. An empty root only means that there are no users maintained in that domain context. You can have servers in the forest root such as Application servers or File servers and even Exchange Servers without running the risk of having your AD Security compromised. You specifically grant child domain user account access to folders or mailboxes. You are not granting them, nor would you, access to the AD Contexts or to any administrative functions in the root.

Justin A.
Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED]

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 12:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

No it doesn't. It's empty for security reasons, not for anything else. By putting any services within the domain, it voids the protections offered by the empty root - specifically preventing changes to the Enterprise Admins and Schema Admins groups. In the last 2 empty root deployments in which I've been involved, there have been a grand total of 5 accounts with ANY access to the empty root domains. In fact, the model was that the admin account in the empty root is different from the admin account, for the same individual, in the production domain. Putting non-DC servers in that domain means granting some level of rights to accounts in that domain, which threatens the controls over the above mentioned groups.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 12:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

True, but logically it makes sense to at least have servers there that are common.

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 12:29 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

Actually - the empty root should be just that - empty. The transitive trust model handles the rest.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-Original Message-
From: Salandra, Justin A.
[mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 9:24 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

I also agree with those people here that say to have a 3 domain model in a single forest. By creating an empty root and having two child domains, you can ensure security and separation from faculty and students as well as have a very detailed OU Structure in your students domains based on year or majors and your faculty can have an OU structure of department. For the empty root, I would put in the root those services and servers that both students and faculty members need, such as an e-mail server and web server. File servers and application servers I would put in the child domains that are relative to each domain (ie FACULTYFP01 and FACULTYAPP01 in the Faculty domains and STUDENTFP01 and STUDENTAPP01 in the student domain). Just the path I would
[ActiveDir] AD installation - permissions
I'm upgrading an NT4 PDC and the installation wizard is asking me to select default permissions, permissions compatible with pre-Windows 2000 servers and permissions compatible only with Windows 2000 servers. We don't use RAS and this is going to be native-mode. Is there any other reason why I should choose pre-W2k permissions?

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Back to Basics - Design Pros and Cons
I would disagree with the point that you need to be Domain Admin in order to administer servers in a domain. This is not true - I would strongly recommend against granting Domain Admin to a server administrator in a domain solely for that purpose. The user only needs to be an Administrator of that server - this is not the same as, nor does it require, Domain Admin privilege. This can be done with a GPO which adds a particular server admin group to the local admin group on the relevant server.

I would however still agree with the point that an empty root should be as empty as possible. As above, to keep rights at a minimum requires a significant admin overhead which could easily be overlooked, compromising the security of the root domain.

my 2p worth...

- Original Message -
From: Roger Seielstad [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 11, 2002 6:23 PM
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

The point which I believe you're missing, is that of manageability of servers within that domain generally means that the group of people managing servers in that domain requires domain level admin rights, which obviates the security benefits of the empty root. The concept behind the empty root is to provide a container for the schema and forest structure - nothing else. By putting anything other than what is required to meet those needs, it's no longer an empty root.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 12:46 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

Not really. You can have an Exchange server in an empty root that only has accounts on it from child domains. Meaning that all user accounts are in the child domains, so you still only have the Administrator group in the forest root.
Plus if you create one more account as the account you use to do all your admin work and have all services run as in the forest root then you only have two accounts, Administrator and the new account. An empty root only means that there are no users maintained in that domain context. You can have servers in the forest root such as Application servers or File servers and even Exchange Servers without running the risk of having your AD Security compromised. You specifically grant child domain user account access to folders or mailboxes. You are not granting them, nor would you, access to the AD Contexts or to any administrative functions in the root.

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED]

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 12:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

No it doesn't. It's empty for security reasons, not for anything else. By putting any services within the domain, it voids the protections offered by the empty root - specifically preventing changes to the Enterprise Admins and Schema Admins groups. In the last 2 empty root deployments in which I've been involved, there have been a grand total of 5 accounts with ANY access to the empty root domains. In fact, the model was that the admin account in the empty root is different from the admin account, for the same individual, in the production domain. Putting non-DC servers in that domain means granting some level of rights to accounts in that domain, which threatens the controls over the above mentioned groups.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-Original Message-
From: Salandra, Justin A.
[mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 12:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

True, but logically it makes sense to at least have servers there that are common.

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 12:29 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

Actually - the empty root should be just that - empty. The transitive trust model handles the rest.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-Original Message-
From: Salandra, Justin A.
RE: [ActiveDir] OT- Terminal Services/Remote Desktop Issue
Might have something to do with the "generic network problems message". Or it might have something to do with the network configuration. Or with any firewalls that might be present.

Is the Server configured to allow terminal services? Does the Server have a static IP address and is it listed in the DNS server? Does the laptop have the correct DNS server listed? Are you trying to cross subnets, and if so do you have WINS servers up? When you use the RDC do you enter IP addresses or computer names? Is the server name mistyped?

The connection probably isn't the issue. Maybe a little more information might help.

chuck

-Original Message-
From: Kevin Felker [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 10:24 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT- Terminal Services/Remote Desktop Issue

All,

One of my coworkers has a laptop with Windows XP and wants to Remote Desktop into one of our servers. He upgraded the laptop from WIN 2k to WIN XP. We also put the Server on the domain. It seems as though his laptop is the only machine that cannot Terminal Service into the server. It doesn't even give it a chance, just gives the generic network problems message. He can Remote Desktop into our other Win 2k Servers on the domain. Does anyone have any ideas as to what is going on? I told him to just Remote Desktop into his PC and then from there Remote Desktop to the server, but he doesn't like that idea. What is wrong with the connection?
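Chuck's checklist above, turned into a script as an added example (not code from the list thread): it walks the same questions in order, whether the name as typed into the RDC client resolves through the client's DNS servers, whether it resolves to the server's static address, whether TCP 3389 is reachable across any subnet or firewall, and whether the server allows Remote Desktop at all. Assumes a current Windows PowerShell client with the DnsClient and NetTCPIP modules, PowerShell remoting rights on the server for the last check, and $Server / $ExpectedIP as the script's own parameters; the WINS question is left to the reader.

```powershell
# Added example implementing the troubleshooting checklist from the reply above.
# Not code from the list thread.  $Server and $ExpectedIP are this script's own
# parameters; remoting rights on the server are assumed for the final check.
param(
    [Parameter(Mandatory)][string]$Server,   # name exactly as typed into the RDC client
    [string]$ExpectedIP                       # the server's static address, if known
)

# 1. Which DNS servers is the client actually using, and do they know the name?
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object ServerAddresses | Select-Object -Unique
Write-Output "Client DNS servers: $($dnsServers -join ', ')"

try {
    $records = Resolve-DnsName -Name $Server -Type A -ErrorAction Stop
} catch {
    Write-Output "FAIL: '$Server' does not resolve (typo in the name, or no A record)."
    return
}
$ips = $records | Where-Object { $_.Type -eq 'A' } | ForEach-Object IPAddress
Write-Output "'$Server' resolves to: $($ips -join ', ')"

# 2. Does the record point at the address the server really has?  A stale
#    record left over from before the server joined the domain is a classic
#    cause of a connection that fails immediately.
if ($ExpectedIP -and ($ips -notcontains $ExpectedIP)) {
    Write-Output "FAIL: expected $ExpectedIP but DNS returned $($ips -join ', ')."
}

# 3. Is the RDP port reachable (firewalls, routing across subnets)?
$tcp = Test-NetConnection -ComputerName $Server -Port 3389 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Output "FAIL: TCP 3389 to $Server is blocked or the server is not listening."
    return
}
Write-Output 'TCP 3389 reachable.'

# 4. Is the server configured to allow connections at all?
try {
    $deny = Invoke-Command -ComputerName $Server -ErrorAction Stop -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
    }
    if ($deny -eq 1) {
        Write-Output 'FAIL: Remote Desktop is disabled on the server (fDenyTSConnections = 1).'
    } else {
        Write-Output 'Server allows Remote Desktop connections; look at the client side next.'
    }
} catch {
    Write-Output "Could not query the server remotely: $($_.Exception.Message)"
}
```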
[ActiveDir] read user-defined attribute with ADSI
Hi all,

I installed an Active Directory and use ADSI to access it. I defined some extended attributes and objectClass in Active Directory. Then a new object with type of extended objectClass is created, and the new object has attribute of cn and some extended attributes. I can use ADSI to retrieve this object, but the problem is: when binding to the object as an anonymous user, using IADs.Get( ) to retrieve extended attributes causes an error: The Active Directory datatype cannot be converted to/from a native DS datatype. However, with anonymous bind, IADs.Get(cn) can get the cn attribute of the object. If I bind the object with administrator's username and password, then I can also use IADs.Get( ) to get the value of extended attributes. So I guess it's some problem with permissions. I checked ACEs in cn and extended attributes, they look the same. And I also granted read permission on the object to Everyone.

May anybody give some hints on this? Thanks a lot.

Regards,
Jingyu
RE: [ActiveDir] AD installation - permissions
I'm upgrading an NT4 PDC and the installation wizard is asking me to select default permissions, permissions compatible with pre-Windows 2000 servers and permissions compatible only with Windows 2000 servers. We don't use RAS and this is going to be native-mode. Is there any other reason why I should choose pre-W2k permissions?

No. And you can always change your mind later.
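The "change your mind later" part of the answer above, as an added example that is not from the list thread: the wizard's pre-Windows 2000 choice is implemented by putting Everyone (and, on later Windows Server versions, Anonymous Logon) into the Pre-Windows 2000 Compatible Access group, which is what lets unauthenticated clients read user and group information. Reverting it later is therefore a matter of auditing that group's membership and removing those two well-known principals; this script does the audit and, with -Remove, the removal. Assumes the RSAT ActiveDirectory module and, for -Remove, rights to modify the group.

```powershell
# Added example: audit (and optionally revert) the "permissions compatible with
# pre-Windows 2000 servers" choice from the AD installation wizard.  Not code
# from the list thread.  Assumes the RSAT ActiveDirectory module; -Remove also
# needs rights to modify the group.
param([switch]$Remove)

Import-Module ActiveDirectory

$group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member

# The wizard's pre-Windows 2000 option adds these well-known principals.  They
# are stored as foreign security principals whose CN is the SID, so matching
# on the SID works regardless of display name or OS version.
$unwanted = @{
    'S-1-1-0' = 'Everyone'
    'S-1-5-7' = 'Anonymous Logon'
}

$findings = foreach ($dn in $group.member) {
    # e.g. CN=S-1-1-0,CN=ForeignSecurityPrincipals,DC=example,DC=com
    if ($dn -match '^CN=(S-1-[\d-]+),CN=ForeignSecurityPrincipals,') {
        $sid = $Matches[1]
        if ($unwanted.ContainsKey($sid)) {
            [pscustomobject]@{ Sid = $sid; Name = $unwanted[$sid]; DN = $dn }
        }
    }
}

if (-not $findings) {
    Write-Output 'Pre-Windows 2000 Compatible Access contains neither Everyone nor Anonymous Logon.'
    return
}

Write-Output 'Pre-Windows 2000 compatible permissions are in effect:'
$findings | Format-Table Sid, Name, DN -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Set-ADGroup -Remove takes the member DN directly; Remove-ADGroupMember
        # can fail to resolve foreign security principals.
        Set-ADGroup -Identity $group -Remove @{ member = $f.DN } -Confirm:$false
        Write-Output "Removed $($f.Name) ($($f.Sid))"
    }
    Write-Output 'Rerun without -Remove to confirm. Anything that relied on unauthenticated directory reads will now be denied.'
}
```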
RE: [ActiveDir] read user-defined attribute with ADSI
    ' Requires a reference to the Active DS Type Library (activeds.tlb),
    ' which exposes the IADs interface in the ActiveDs namespace.
    Imports ActiveDs

    Dim x As IADs
    x = GetObject("LDAP://CN=My-Attribute-Name,CN=Schema,CN=Configuration,DC=paramail,DC=com")
    x.GetInfo()
    x.Get("cn")               ' ok
    x.Get("attributeSyntax")  ' error: The Active Directory datatype cannot be converted to/from a native DS datatype

The code above doesn't work for attributeSyntax but works for cn, any idea? I guess this is related to the problem below. I have to use anonymous access since I need to parse LDAP messages; if using username and password, all messages are encrypted and cannot be parsed.

Thanks a lot.

Jingyu

-Original Message-
From: Jingyu liu
Sent: Wednesday, December 11, 2002 2:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] read user-defined attribute with ADSI

Hi all,

I installed an Active Directory and use ADSI to access it. I defined some extended attributes and objectClass in Active Directory. Then a new object with type of extended objectClass is created, and the new object has attribute of cn and some extended attributes. I can use ADSI to retrieve this object, but the problem is: when binding to the object as an anonymous user, using IADs.Get( ) to retrieve extended attributes causes an error: The Active Directory datatype cannot be converted to/from a native DS datatype. However, with anonymous bind, IADs.Get(cn) can get the cn attribute of the object. If I bind the object with administrator's username and password, then I can also use IADs.Get( ) to get the value of extended attributes. So I guess it's some problem with permissions. I checked ACEs in cn and extended attributes, they look the same. And I also granted read permission on the object to Everyone.

May anybody give some hints on this? Thanks a lot.
Regards,
Jingyu
RE: [ActiveDir] Back to Basics - Design Pros and Cons
If I understand the theory correctly, a brand new installation would include the first domain controller with an empty root and then one or more servers acting as child domain controllers. Is that essentially correct?

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 10:24 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

The point which I believe you're missing, is that of manageability of servers within that domain generally means that the group of people managing servers in that domain requires domain level admin rights, which obviates the security benefits of the empty root. The concept behind the empty root is to provide a container for the schema and forest structure - nothing else. By putting anything other than what is required to meet those needs, it's no longer an empty root.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 12:46 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

Not really. You can have an Exchange server in an empty root that only has accounts on it from child domains. Meaning that all user accounts are in the child domains, so you still only have the Administrator group in the forest root. Plus if you create one more account as the account you use to do all your admin work and have all services run as in the forest root then you only have two accounts, Administrator and the new account. An empty root only means that there are no users maintained in that domain context. You can have servers in the forest root such as Application servers or File servers and even Exchange Servers without running the risk of having your AD Security compromised. You specifically grant child domain user account access to folders or mailboxes.
You are not granting them, nor would you, access to the AD Contexts or to any administrative functions in the root.

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED]

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 12:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

No it doesn't. It's empty for security reasons, not for anything else. By putting any services within the domain, it voids the protections offered by the empty root - specifically preventing changes to the Enterprise Admins and Schema Admins groups. In the last 2 empty root deployments in which I've been involved, there have been a grand total of 5 accounts with ANY access to the empty root domains. In fact, the model was that the admin account in the empty root is different from the admin account, for the same individual, in the production domain. Putting non-DC servers in that domain means granting some level of rights to accounts in that domain, which threatens the controls over the above mentioned groups.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 12:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

True, but logically it makes sense to at least have servers there that are common.

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 12:29 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

Actually - the empty root should be just that - empty. The transitive trust model handles the rest.

--
Roger D. Seielstad - MCSE
Sr.
Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 9:24 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

I also agree with those people here that say to have a 3 domain model in a single forest. By creating an empty root and having two child domains, you can ensure security and separation from faculty and students as well as have a very detailed OU Structure in your students domains based on year or majors and your faculty can have an OU structure of department. For