[ActiveDir] Problem: Using JNDI to add new entries
Hi there,

I'm building a JAVA application, using JNDI to store and retrieve objects in LDAP. I'm using Active Directory as the LDAP server and have modified the schema to match my needs.

As a test, I have created a new objectClass using MMC console and the Active Directory Schema snap-in. I called the new objectClass 'ee-teste' and set as its mandatory attributes the attribute 'cn' and as its optional attributes the 'mail' attribute.

I have an organizationalUnit with the DN=OU=EExtender,DC=eextender,DC=pt and I'm trying to create a new entry of type 'ee-teste', but keep getting a SchemaViolationException. If I try to create a standard Active Directory object, like 'locality', my code works fine. But with my object it crashes.

Can anyone help me? I'm stuck here and can't see the solution. Thx.

Here's the code I'm using:

    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NameAlreadyBoundException;
    import javax.naming.directory.BasicAttribute;
    import javax.naming.directory.BasicAttributes;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;

    // Connection settings: simple bind over plain LDAP on port 389
    String jndiURL = "ldap://192.168.65.199:389/";
    String initialContextFactory = "com.sun.jndi.ldap.LdapCtxFactory";
    String authenticationMode = "simple";
    String contextReferral = "ignore";
    //String securityProtocol = "ssl";
    //String principal = "cn=Directory Manager, ou=EExtender, dc=eextender, dc=pt";
    String principal = "[EMAIL PROTECTED]";
    String credentials = "password";

    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, initialContextFactory);
    env.put(Context.PROVIDER_URL, jndiURL);
    env.put(Context.SECURITY_AUTHENTICATION, authenticationMode);
    env.put(Context.SECURITY_PRINCIPAL, principal);
    env.put(Context.SECURITY_CREDENTIALS, credentials);
    env.put(Context.REFERRAL, contextReferral);
    //env.put(Context.SECURITY_PROTOCOL, securityProtocol);
    //env.put("java.naming.ldap.factory.socket","javax.net.ssl.SSLSocketFactory");
    env.put("java.naming.ldap.version", "3");

    DirContext ctx = null;

    try {
        ctx = new InitialDirContext(env);

        // Attributes of the new entry: objectClass, cn (mandatory), mail (optional)
        BasicAttributes attrs = new BasicAttributes();

        BasicAttribute ocs = new BasicAttribute("objectclass");
        ocs.add("ee-teste");
        attrs.put(ocs);

        BasicAttribute cn = new BasicAttribute("cn", "abrek");
        attrs.put(cn);
        BasicAttribute mail = new BasicAttribute("mail", "[EMAIL PROTECTED]");
        attrs.put(mail);

        // This is the call that fails for the custom class
        ctx.createSubcontext("cn=abrek,OU=EExtender,DC=eextender,DC=pt", attrs);

        ctx.close();
    } catch (NameAlreadyBoundException nex) {
        System.out.println("User ID is already in use, please select a different user ID ...");
    } catch (Exception ex) {
        System.out.println("Failed to create user account... Please verify the user information...");
        ex.printStackTrace();
    }

And the returned Exception:

    javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - 2099: UpdErr: DSID-03050BA2, problem 6002 (OBJ_CLASS_VIOLATION), data 0

Rafael M. Torres ([EMAIL PROTECTED]) - Infopulse Portugal
Pr. dos Poveiros, 56, 2º
4000-393 Porto, Portugal
Tel: +351 223 389 103
Fax: +351 223 389 104
ICQ: 86290812
RE: [ActiveDir] Authentication ?
If you run DCPROMO on them and make them a DC they will. Which you'll have to do anyway or downgrade them to member servers -Original Message- From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 7:16 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Authentication ? Considering switching to native mode within a month. Is there any difference in authentication methods in native mode than mixed? Some reason there seems to be a debate around my company about some applications may be affected? It's my understanding that making the switch to native mode means that 4.0 DC's will no longer be able to replicate. Don L Murawski Sr. Network Administrator - MCSE 4.0, 2000 WorldTravel BTI 1055 Lenox Park Blvd Suite 420 Atlanta, GA 30319 Phone: (404) 923-9468 Fax: (404) 949-6710 Cell: (678) 549-1264
RE: [ActiveDir] Authentication ?
switching to native mode means having NO more NT4.0 BDC's... that's when it becomes a Native domain - rather than mixed... -Original Message- From: Craig Cerino [mailto:[EMAIL PROTECTED]] Sent: 16 January 2003 12:41 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Authentication ? If you run DCPROMO on them and make them a DC they will. Which you'll have to do anyway or downgrade them to member servers -Original Message- From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 7:16 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Authentication ? Considering switching to native mode within a month. Is there any difference in authentication methods in native mode than mixed? Some reason there seems to be a debate around my company about some applications may be affected? It's my understanding that making the switch to native mode means that 4.0 DC's will no longer be able to replicate. Don L Murawski Sr. Network Administrator - MCSE 4.0, 2000 WorldTravel BTI 1055 Lenox Park Blvd Suite 420 Atlanta, GA 30319 Phone: (404) 923-9468 Fax: (404) 949-6710 Cell: (678) 549-1264
RE: [ActiveDir] Authentication ?
Right - - but if he wants to keep what used to be his PDC and BDCs in the loop they will either have to be made DCs by running DCPROMO - - or get them out of the replication loop by making them member servers or removing them from the domain -Original Message- From: EALES, Jack - FPIL [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 7:51 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Authentication ? switching to native mode means having NO more NT4.0 BDC's... that's when it becomes a Native domain - rather than mixed... -Original Message- From: Craig Cerino [mailto:[EMAIL PROTECTED]] Sent: 16 January 2003 12:41 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Authentication ? If you run DCPROMO on them and make them a DC they will. Which you'll have to do anyway or downgrade them to member servers -Original Message- From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 7:16 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Authentication ? Considering switching to native mode within a month. Is there any difference in authentication methods in native mode than mixed? Some reason there seems to be a debate around my company about some applications may be affected? It's my understanding that making the switch to native mode means that 4.0 DC's will no longer be able to replicate. Don L Murawski Sr. Network Administrator - MCSE 4.0, 2000 WorldTravel BTI 1055 Lenox Park Blvd Suite 420 Atlanta, GA 30319 Phone: (404) 923-9468 Fax: (404) 949-6710 Cell: (678) 549-1264
RE: [ActiveDir] Justications to Migrate to Active Directory
There's a lot of room there for all of us. -Original Message- From: Roger Seielstad [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 7:33 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Justications to Migrate to Active Directory Bruce is just riding on my coat tails -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Jimmy Andersson [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 4:41 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Justications to Migrate to Active Directory I agree with Martin Tuip. Regards, /Jimmy -- Jimmy Andersson, Q Advice AB Microsoft MVP - Active Directory www.qadvice.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Martin Tuip Sent: Wednesday, January 15, 2003 9:18 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Justications to Migrate to Active Directory I agree on that with you. Windows 2000 has been as stable as a rock. So besides that and the retiring of the support it should be an easy one. Martin Tuip MVP Exchange -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad Sent: Wednesday, January 15, 2003 8:21 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Justications to Migrate to Active Directory To date, I haven't found an instance where NT4 was more stable than Win2k. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Jeremy Young [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 12:50 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Justications to Migrate to Active Directory I don't know if this will be of any importance, but I have seen several instances where windows 2000 is much more stable than NT4. Case in point, I was working for a defense contractor and we had 5 mail servers(exch. 5.5) and they notoriously went down.
If we didn't reboot the servers once a week, they would go down. We took one of the lower tasked servers(500 users) and put it on windows 2000 and didn't have to reboot it for a month and it was still running like a champ. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad Sent: Wednesday, January 15, 2003 11:10 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Justications to Migrate to Active Directory Add to that the fact that Exchange 5.5 is end of support at the same time, and its pretty much a no brainer. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Van Donk, Fred [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 11:46 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Justications to Migrate to Active Directory Cliff, I think that the link below says it all: http://microsoft.com/ntserver/ProductInfo/Availability/Retiring.asp No more support for NT4 after the end of this year. -Original Message- From: Clifford Airhart [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 11:37 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Justications to Migrate to Active Directory I am currently compiling information and trying to find good justifications to migrate our Windows NT base network to Active Directory. We are a medium size company. We don't have any direct requirements to implement AD, like we must upgrade to Exchange2000(which requires AD). I can see a few benefits, but my management wants to see quantified justifications. For example, by migrating to AD you can save 1 hour in setting up a new user with RIS. Does anyone know I good website that would show time saved or something more concrete and specific than Microsoft's marketing jargon? Has anyone gone through a similar experience with their company? I would appreciate your insights and advice!!! Thanks!!! Cliff Airhart Answer Financial Inc. 
Senior Systems Administrator - Server Support / eBusiness [EMAIL PROTECTED] 818.644.4225 We answer to you. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Authentication ?
There are precious few changes to a domain when it goes native mode, the most important being that you can no longer have NT4 BDCs within that domain. It doesn't mean you can't have them in other mixed mode domains, just not in any Native Mode ones. You can have as many NT4 member servers as you want, though. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 7:16 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Authentication ? Considering switching to native mode within a month. Is there any difference in authentication methods in native mode than mixed? Some reason there seems to be a debate around my company about some applications may be affected? It's my understanding that making the switch to native mode means that 4.0 DC's will no longer be able to replicate. Don L Murawski Sr. Network Administrator - MCSE 4.0, 2000 WorldTravel BTI 1055 Lenox Park Blvd Suite 420 Atlanta, GA 30319 Phone: (404) 923-9468 Fax: (404) 949-6710 Cell: (678) 549-1264 List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Justications to Migrate to Active Directory
Alrighty then -Original Message- From: Andy David [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 8:53 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Justications to Migrate to Active Directory I've known Roger for a few years now, so the answer is : Both g -Original Message- From: Craig Cerino [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 8:46 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Justications to Migrate to Active Directory Is that a stroke cause Roger is so intelligent - - -- - - -or a crack cause you think he's a big guy and wears a giant coat? :o) -Original Message- From: Andy David [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 8:11 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Justications to Migrate to Active Directory Theres a lot of room there for all of us. -Original Message- From: Roger Seielstad [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 7:33 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Justications to Migrate to Active Directory Bruce is just riding on my coat tails -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Jimmy Andersson [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 4:41 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Justications to Migrate to Active Directory I agree with Martin Tuip. Regards, /Jimmy -- Jimmy Andersson, Q Advice AB Microsoft MVP - Active Directory www.qadvice.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Martin Tuip Sent: Wednesday, January 15, 2003 9:18 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Justications to Migrate to Active Directory I agree on that with you. Windows 2000 has been as stable as a rock. So besides that and the retiring of the support it should be an easy one. 
Martin Tuip MVP Exchange -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad Sent: Wednesday, January 15, 2003 8:21 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Justications to Migrate to Active Directory To date, I haven't found an instance where NT4 was more stable than Win2k. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Jeremy Young [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 12:50 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Justications to Migrate to Active Directory I don't know if this will be of any importance, but I have seen several instances where windows 2000 is much more stable than NT4. Case in point, I was working for a defense contractor and we had 5 mail servers(exch. 5.5) and they notoriously went down. If we didn't reboot the servers once a week, they would go down. We took one of the lower tasked servers(500 users) and put it on windows 2000 and didn't have to reboot it for a month and it was still running like a champ. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad Sent: Wednesday, January 15, 2003 11:10 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Justications to Migrate to Active Directory Add to that the fact that Exchange 5.5 is end of support at the same time, and its pretty much a no brainer. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Van Donk, Fred [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 11:46 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Justications to Migrate to Active Directory Cliff, I think that the link below says it all: http://microsoft.com/ntserver/ProductInfo/Availability/Retiring.asp No more support for NT4 after the end of this year. 
-Original Message- From: Clifford Airhart [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 11:37 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Justications to Migrate to Active Directory I am currently compiling information and trying to find good justifications to migrate our Windows NT base network to Active Directory. We are a medium size company. We don't have any direct requirements to implement AD, like we must upgrade to Exchange2000(which requires AD). I can see a few benefits, but my management wants to see quantified justifications. For example, by migrating to AD you can save 1
RE: [ActiveDir] Justications to Migrate to Active Directory
I've known Roger for a few years now, so the answer is : Both g -Original Message- From: Craig Cerino [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 8:46 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Justications to Migrate to Active Directory Is that a stroke cause Roger is so intelligent - - -- - - -or a crack cause you think he's a big guy and wears a giant coat? :o) -Original Message- From: Andy David [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 8:11 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Justications to Migrate to Active Directory Theres a lot of room there for all of us. -Original Message- From: Roger Seielstad [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 7:33 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Justications to Migrate to Active Directory Bruce is just riding on my coat tails -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Jimmy Andersson [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 4:41 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Justications to Migrate to Active Directory I agree with Martin Tuip. Regards, /Jimmy -- Jimmy Andersson, Q Advice AB Microsoft MVP - Active Directory www.qadvice.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Martin Tuip Sent: Wednesday, January 15, 2003 9:18 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Justications to Migrate to Active Directory I agree on that with you. Windows 2000 has been as stable as a rock. So besides that and the retiring of the support it should be an easy one. 
Martin Tuip MVP Exchange -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad Sent: Wednesday, January 15, 2003 8:21 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Justications to Migrate to Active Directory To date, I haven't found an instance where NT4 was more stable than Win2k. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Jeremy Young [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 12:50 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Justications to Migrate to Active Directory I don't know if this will be of any importance, but I have seen several instances where windows 2000 is much more stable than NT4. Case in point, I was working for a defense contractor and we had 5 mail servers(exch. 5.5) and they notoriously went down. If we didn't reboot the servers once a week, they would go down. We took one of the lower tasked servers(500 users) and put it on windows 2000 and didn't have to reboot it for a month and it was still running like a champ. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad Sent: Wednesday, January 15, 2003 11:10 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Justications to Migrate to Active Directory Add to that the fact that Exchange 5.5 is end of support at the same time, and its pretty much a no brainer. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Van Donk, Fred [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 11:46 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Justications to Migrate to Active Directory Cliff, I think that the link below says it all: http://microsoft.com/ntserver/ProductInfo/Availability/Retiring.asp No more support for NT4 after the end of this year. 
-Original Message- From: Clifford Airhart [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 11:37 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Justications to Migrate to Active Directory I am currently compiling information and trying to find good justifications to migrate our Windows NT base network to Active Directory. We are a medium size company. We don't have any direct requirements to implement AD, like we must upgrade to Exchange2000(which requires AD). I can see a few benefits, but my management wants to see quantified justifications. For example, by migrating to AD you can save 1 hour in setting up a new user with RIS. Does anyone know I good website that would show time saved or something more concrete and specific than Microsoft's marketing jargon? Has anyone gone through a
RE: [ActiveDir] Justications to Migrate to Active Directory
All that work with Swiss-boy-ardee for that? That's the best you got? -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Andy David [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 8:11 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Justications to Migrate to Active Directory Theres a lot of room there for all of us. -Original Message- From: Roger Seielstad [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 7:33 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Justications to Migrate to Active Directory Bruce is just riding on my coat tails -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Jimmy Andersson [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 4:41 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Justications to Migrate to Active Directory I agree with Martin Tuip. Regards, /Jimmy -- Jimmy Andersson, Q Advice AB Microsoft MVP - Active Directory www.qadvice.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Martin Tuip Sent: Wednesday, January 15, 2003 9:18 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Justications to Migrate to Active Directory I agree on that with you. Windows 2000 has been as stable as a rock. So besides that and the retiring of the support it should be an easy one. Martin Tuip MVP Exchange -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad Sent: Wednesday, January 15, 2003 8:21 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Justications to Migrate to Active Directory To date, I haven't found an instance where NT4 was more stable than Win2k. -- Roger D. Seielstad - MCSE Sr. 
Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Jeremy Young [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 12:50 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Justications to Migrate to Active Directory I don't know if this will be of any importance, but I have seen several instances where windows 2000 is much more stable than NT4. Case in point, I was working for a defense contractor and we had 5 mail servers(exch. 5.5) and they notoriously went down. If we didn't reboot the servers once a week, they would go down. We took one of the lower tasked servers(500 users) and put it on windows 2000 and didn't have to reboot it for a month and it was still running like a champ. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad Sent: Wednesday, January 15, 2003 11:10 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Justications to Migrate to Active Directory Add to that the fact that Exchange 5.5 is end of support at the same time, and its pretty much a no brainer. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: Van Donk, Fred [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 11:46 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Justications to Migrate to Active Directory Cliff, I think that the link below says it all: http://microsoft.com/ntserver/ProductInfo/Availability/Retiring.asp No more support for NT4 after the end of this year. -Original Message- From: Clifford Airhart [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 11:37 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Justications to Migrate to Active Directory I am currently compiling information and trying to find good justifications to migrate our Windows NT base network to Active Directory. We are a medium size company. 
We don't have any direct requirements to implement AD, like we must upgrade to Exchange2000(which requires AD). I can see a few benefits, but my management wants to see quantified justifications. For example, by migrating to AD you can save 1 hour in setting up a new user with RIS. Does anyone know I good website that would show time saved or something more concrete and specific than Microsoft's marketing jargon? Has anyone gone
RE: [ActiveDir] AD 2 AD Migration
Have a look at Fastlane Migrator...awesome but a bit pricey Mark Abbiss EADS Headquarters 81663 Muenchen Deutschland Phone : +49 (0)89 607-34776 Email:[EMAIL PROTECTED] -Original Message- From: Mulder, Joeri (NL - Amsterdam) [mailto:[EMAIL PROTECTED]] Sent: Thursday, 16 January 2003 16:05 To: [EMAIL PROTECTED] Subject: [ActiveDir] AD 2 AD Migration Hello, Does anyone have experience migrating users and groups from one forest to another? Is ADMT v2.0 the best tool to do this? Greets, --Joeri-- List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] AD 2 AD Migration
It's a great tool. http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/admt.asp http://www.microsoft.com/windows2000/downloads/tools/admt/default.asp Regards, /Jimmy -- Jimmy Andersson, Q Advice AB Microsoft MVP - Active Directory www.qadvice.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulder, Joeri (NL - Amsterdam) Sent: Thursday, January 16, 2003 4:05 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] AD 2 AD Migration Hello, Does anyone have experience migrating users and groups from one forest to another? Is ADMT v2.0 the best tool to do this? Greets, --Joeri-- List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Authentication ?
The only way his NT 4 PDCs and BDCs are going to become DCs in a Win2K domain is to purchase W2K and upgrade them. - Original Message - From: Craig Cerino To: [EMAIL PROTECTED] Sent: Thursday, January 16, 2003 8:07 AM Subject: RE: [ActiveDir] Authentication ? Right - - but if he wants to keep what used to be his PDC and BDCs in the loop they will either have to be made DCs by running DCPROMO - - or get them out of the replication loop by making them member servers or removing them from the domain -Original Message- From: EALES, Jack - FPIL [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 7:51 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Authentication ? switching to native mode means having NO more NT4.0 BDC's... that's when it becomes a Native domain - rather than mixed... -Original Message- From: Craig Cerino [mailto:[EMAIL PROTECTED]] Sent: 16 January 2003 12:41 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Authentication ? If you run DCPROMO on them and make them a DC they will. Which you'll have to do anyway or downgrade them to member servers -Original Message- From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 7:16 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Authentication ? Considering switching to native mode within a month. Is there any difference in authentication methods in native mode than mixed? Some reason there seems to be a debate around my company about some applications may be affected? It's my understanding that making the switch to native mode means that 4.0 DC's will no longer be able to replicate. Don L Murawski Sr. Network Administrator - MCSE 4.0, 2000 WorldTravel BTI 1055 Lenox Park Blvd Suite 420 Atlanta, GA 30319 Phone: (404) 923-9468 Fax: (404) 949-6710 Cell: (678) 549-1264
RE: [ActiveDir] Authentication ?
Unless I am reading his email wrong - - - He is considering going to NATIVE mode which means one of two things: 1. He already HAS Win2K Srv and a few 2k servers on the wire 2. He is planning to purchase WIN2K Srv In EITHER case (which is just assumed since he is considering migrating) he would still have to RUN DCPROMO to upgrade the PDC and BDCs or make them member servers or remove them from the domain. Don - we haven't heard from you since you opened the thread - - please let us know what is the case so we can stop bickering and help you. Guys - -I am not trying to argue - - unfortunately vocal inflection and tone just don't translate well via email - - - my apologies if it appears as if I'm yelling or picking a fight. -Original Message- From: Kevin Gent [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 11:13 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Authentication ? The only way his NT 4 PDCs and BDCs are going to become DCs in a Win2K domain is to purchase W2K and upgrade them. - Original Message - From: Craig Cerino To: [EMAIL PROTECTED] Sent: Thursday, January 16, 2003 8:07 AM Subject: RE: [ActiveDir] Authentication ? Right - - but if he wants to keep what used to be his PDC and BDCs in the loop they will either have to be made DCs by running DCPROMO - - or get them out of the replication loop by making them member servers or removing them from the domain -Original Message- From: EALES, Jack - FPIL [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 7:51 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Authentication ? switching to native mode means having NO more NT4.0 BDC's... that's when it becomes a Native domain - rather than mixed... -Original Message- From: Craig Cerino [mailto:[EMAIL PROTECTED]] Sent: 16 January 2003 12:41 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Authentication ? If you run DCPROMO on them and make them a DC they will.
Which you'll have to do anyway or downgrade them to member servers -Original Message- From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 7:16 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Authentication ? Considering switching to native mode within a month. Is there any difference in authentication methods in native mode than mixed? Some reason there seems to be a debate around my company about some applications may be affected? It's my understanding that making the switch to native mode means that 4.0 DC's will no longer be able to replicate. Don L Murawski Sr. Network Administrator - MCSE 4.0, 2000 WorldTravel BTI 1055 Lenox Park Blvd Suite 420 Atlanta, GA 30319 Phone: (404) 923-9468 Fax: (404) 949-6710 Cell: (678) 549-1264
RE: [ActiveDir] Authentication ?
Let me clear up my question! I have NO 4.0 BDCs, All Win2k DC's, but have a lot of legacy clients and applications. Switching to native mode, I'm assuming should have NO impact on these applications or systems. -Original Message- From: Craig Cerino [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 11:14 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Authentication ? Unless I am reading his email wrong - - - He is considering going to NATIVE mode which means one of two things: 1. He already HAS Win2K Srv and a few 2k servers on the wire 2. He is planning to purchase WIN2K Srv In EITHER case (which is just assumed since he is considering migrating) he would still have to RUN DCPROMO to upgrade the PDC and BDCs or make them member servers or remove them from the domain. Don - we haven't heard from you since you opened the thread - - please let us know what is the case so we can stop bickering and help you. Guys - -I am not trying to argue - - unfortunately vocal inflection and tone just don't translate well via email - - - my apologies if it appears as if I'm yelling or picking a fight. -Original Message- From: Kevin Gent [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 11:13 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Authentication ? The only way his NT 4 PDCs and BDCs are going to become DCs in a Win2K domain is to purchase W2K and upgrade them. - Original Message - From: Craig Cerino To: [EMAIL PROTECTED] Sent: Thursday, January 16, 2003 8:07 AM Subject: RE: [ActiveDir] Authentication ? Right - - but if he wants to keep what used to be his PDC and BDC's in the loop they will either have to be made DCs by running DCPROMO - - or get them out of the replication loop by making them member servers or removing them from the domain -Original Message- From: EALES, Jack - FPIL [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 7:51 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Authentication ?
switching to native mode means having NO more NT4.0 BDC's... that's when it becomes a Native domain - rather than mixed... -Original Message-From: Craig Cerino [mailto:[EMAIL PROTECTED]] Sent: 16 January 2003 12:41To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Authentication ? If you run DCPROMO on them and make them a DC they will. Which you'll have to do anyway or downgrade them to member servers -Original Message-From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 7:16 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Authentication ? Considering switching to native mode within a month. Is there any different in authentication methods in native mode than mixed? Some reason their seems to be a debate around my company about some applications may be affected? It's my understanding that making the switch to native mode means that 4.0 DC's will not longer be able to replicate. Don L Murawski Sr. Network Administrator - MCSE 4.0, 2000 WorldTravel BTI 1055 Lenox Park Blvd Suite 420 Atlanta, GA 30319 Phone: (404) 923-9468 Fax: (404) 949-6710 Cell: (678) 549-1264
RE: [ActiveDir] Authentication ?
Correct - there should be no impact.

Tony

-- Original Message --
From: Don Murawski (Lenox) [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 16 Jan 2003 11:29:23 -0500

Let me clear up my question! I have NO 4.0 BDCs, All Win2k DC's, but have a lot of legacy clients and applications. Switching to native mode, I'm assuming should have NOT impact on these applications or systems.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Authentication ?
We had no issues when we went native...similar situation: Single domain, lots of NT4 clients and member servers, as well as W2K clients and member servers. A month or so after the last of the NT4 BDCs was removed, we made the switch with no complaints. This domain had been upgraded from NT4 back in 2000, so there's all kinds of old stuff on it. YMMV if your old stuff is not similar to our old stuff, but that was our experience.

Dave

-Original Message-
From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 10:29 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Authentication ?

Let me clear up my question! I have NO 4.0 BDCs, All Win2k DC's, but have a lot of legacy clients and applications. Switching to native mode, I'm assuming should have NOT impact on these applications or systems.
RE: [ActiveDir] Authentication ?
I agree

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 11:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authentication ?

Correct - there should be no impact.

Tony
RE: [ActiveDir] Authentication ?
As long as all DCs on the wire are 2k ---by definition - - -you'll be ok

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 11:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authentication ?

We had no issues when we went native...similar situation: Single domain, lots of NT4 clients and member servers, as well as W2K clients and member servers. A month or so after the last of the NT4 BDCs was removed, we made the switch with no complaints. This domain had been upgraded from NT4 back in 2000, so there's all kinds of old stuff on it. YMMV if your old stuff is not similar to our old stuff, but that was our experience.

Dave
[ActiveDir] ISA Server/Security
Hello, I was wondering if anyone has read or looked at ISA Server and Beyond: Real World Security Solutions for Microsoft Enterprise Networks by Tom Shinder and had comments about the book, or maybe recommendations for other ISA books that are worth purchasing. I am also interested in books and/or mailing lists concerning network security in general if anyone has suggestions there. Thank you, Travis
RE: [ActiveDir] Authentication ?
Tony is correct; there is no impact on legacy clients and applications. If you are all W2K DC's now, you are using the same existing authentication mechanism you will be using in native mode.

Most gained benefit - Universal Groups
Newsworthy Side note - no down-level NT 4.0 DC's

Jason

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 9:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authentication ?

Correct - there should be no impact.

Tony
RE: [ActiveDir] Problem: Using JNDI to add new entries
Rafael,

If you could post the complete schema definition for your new class it would help. Some things to look at:

If your new class is derived from something other than "top", there may be additional mandatory attributes.

What did you define for "possSuperiors" and "systemPossSuperiors" for your new class? These define what class of container you may create your new objects in.

-gil

-Original Message-
From: Rafael Torres [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 5:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Problem: Using JNDI to add new entries

Hi there,

I'm building a JAVA application, using JNDI to store and retrieve objects in LDAP. I'm using Active Directory as the LDAP server and have modified the schema to match my needs. As a test, I have created a new objectClass using MMC console and the Active Directory Schema snap-in. I called the new objectClass 'ee-teste' and set as its mandatory attributes the attribute 'cn' and as its optional attributes the 'mail' attribute.

I have an organizationalUnit with the DN=OU=EExtender,DC=eextender,DC=pt and I'm trying to create a new entry of type 'ee-teste', but keep getting a SchemaViolationException. If I try to create a standard Active Directory object, like 'locality', my code works fine. But with my object it crashes. Can anyone help me. I'm stuck here and can't see the solution. Thx.

Here's the code I'm using:

    String jndiURL = "ldap://192.168.65.199:389/";
    String initialContextFactory = "com.sun.jndi.ldap.LdapCtxFactory";
    String authenticationMode = "simple";
    String contextReferral = "ignore";
    //String securityProtocol = "ssl";
    //String principal = "cn=Directory Manager, ou=EExtender, dc=eextender, dc=pt";
    String principal = "[EMAIL PROTECTED]";
    String credentials = "password";

    Hashtable env = new Hashtable();
    env.put(Context.INITIAL_CONTEXT_FACTORY, initialContextFactory);
    env.put(Context.PROVIDER_URL, jndiURL);
    env.put(Context.SECURITY_AUTHENTICATION, authenticationMode);
    env.put(Context.SECURITY_PRINCIPAL, principal);
    env.put(Context.SECURITY_CREDENTIALS, credentials);
    env.put(Context.REFERRAL, contextReferral);
    //env.put(Context.SECURITY_PROTOCOL, securityProtocol);
    //env.put("java.naming.ldap.factory.socket","javax.net.ssl.SSLSocketFactory");
    env.put("java.naming.ldap.version","3");

    DirContext ctx = null;

    try {
        ctx = new InitialDirContext(env);

        BasicAttributes attrs = new BasicAttributes();

        BasicAttribute ocs = new BasicAttribute("objectclass");
        ocs.add("ee-teste");
        attrs.put(ocs);

        BasicAttribute cn = new BasicAttribute("cn", "abrek");
        attrs.put(cn);
        BasicAttribute mail = new BasicAttribute( "mail", "[EMAIL PROTECTED]" );
        attrs.put(mail);

        ctx.createSubcontext("cn=abrek,OU=EExtender,DC=eextender,DC=pt", attrs);

        ctx.close();
    } catch (NameAlreadyBoundException nex) {
        System.out.println("User ID is already in use, please select a different user ID ...");
    } catch (Exception ex) {
        System.out.println("Failed to create user account... Please verify the user information...");
        ex.printStackTrace();
    }

And the returned Exception:

    javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - 2099: UpdErr: DSID-03050BA2, problem 6002 (OBJ_CLASS_VIOLATION), data 0

Rafael M. Torres ([EMAIL PROTECTED])
Infopulse Portugal
Pr. dos Poveiros, 56, 2º
4000-393 Porto, Portugal
Tel: +351 223 389 103
Fax: +351 223 389 104
ICQ: 86290812
RE: [ActiveDir] AD 2 AD Migration
Try DMA from Net IQ

Really good

http://www.netiq.com/products/migrate/default.asp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulder, Joeri (NL - Amsterdam)
Sent: Thursday, January 16, 2003 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD 2 AD Migration

Hello,

Does anyone have experience migrating users and groups from one forest to another? Is ADMT v2.0 the best tool to do this?

Greets,
--Joeri--
RE: [ActiveDir] Problem: Using JNDI to add new entries
I'm not a JNDI expert, but here's a thought...are you able to create an entry of your new objectclass via any other means ? For example, can you successfully create one by making an LDIF file and importing it with LDIFDE or ldapmodify ? If so, then at least you know your schema definitions are OK and you can concentrate on your code. If not, you'll have to look harder at your definition to make sure, for example, that that it's OK to put an object of that type into that OU, etc. If you've already tried all that, then nevermind.

Dave
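The schema checks suggested in the two replies above (mandatory attributes inherited from superclasses, and the possible superiors of the new class), as an added Java example that is not code from the thread: it walks the subClassOf chain of a class and lists the reasons an add would be refused. The ClassDef record, the method names and the sample definitions are constructed for illustration and are not the poster's schema; records need Java 16 or later.

```java
import java.util.*;

/** Added example: explains an OBJ_CLASS_VIOLATION from class definitions held in memory. */
public class ObjClassViolationCheck {

    // The parts of a classSchema entry that matter here. "must" stands for
    // mustContain + systemMustContain, "possSuperiors" for possSuperiors +
    // systemPossSuperiors. category mirrors objectClassCategory:
    // 0 = 88 class, 1 = structural, 2 = abstract, 3 = auxiliary.
    record ClassDef(String name, String subClassOf, int category,
                    Set<String> must, Set<String> possSuperiors) {}

    // LDAP attribute and class names compare case-insensitively.
    static String norm(String s) { return s.toLowerCase(Locale.ROOT); }

    static Set<String> normAll(Collection<String> names) {
        Set<String> out = new TreeSet<>();
        for (String n : names) out.add(norm(n));
        return out;
    }

    /** Returns the reasons an add of objectClass under a parent of parentClass would be refused. */
    static List<String> check(Map<String, ClassDef> schema, String objectClass,
                              String parentClass, Collection<String> suppliedAttrs) {
        List<String> problems = new ArrayList<>();
        ClassDef def = schema.get(norm(objectClass));
        if (def == null) {
            problems.add("class '" + objectClass + "' not found in the loaded schema");
            return problems;
        }
        if (def.category() == 2 || def.category() == 3) {
            problems.add("'" + def.name() + "' is abstract or auxiliary, so it cannot be the class of a new entry");
        }
        // Walk subClassOf up to the root, merging what every superclass contributes.
        Set<String> must = new TreeSet<>();
        Set<String> poss = new TreeSet<>();
        Set<String> seen = new HashSet<>();   // stops at a root whose subClassOf is itself
        ClassDef c = def;
        while (c != null && seen.add(norm(c.name()))) {
            must.addAll(normAll(c.must()));
            poss.addAll(normAll(c.possSuperiors()));
            if (c.subClassOf() == null) break;
            ClassDef parent = schema.get(norm(c.subClassOf()));
            if (parent == null) {
                problems.add("superclass '" + c.subClassOf() + "' not loaded, result is incomplete");
            }
            c = parent;
        }
        // With definitions read from a real directory, first add to suppliedAttrs
        // the attributes the server fills in by itself (assumption: the caller knows them).
        must.removeAll(normAll(suppliedAttrs));
        if (!must.isEmpty()) {
            problems.add("missing mandatory attributes: " + must);
        }
        if (!poss.contains(norm(parentClass))) {
            problems.add("'" + parentClass + "' is not a possible superior of '" + def.name()
                    + "' (allowed: " + poss + ")");
        }
        return problems;
    }

    static void add(Map<String, ClassDef> schema, ClassDef d) {
        schema.put(norm(d.name()), d);
    }

    public static void main(String[] args) {
        // Constructed, simplified definitions, NOT read from the poster's directory.
        Map<String, ClassDef> schema = new HashMap<>();
        add(schema, new ClassDef("top", "top", 2, Set.of("objectClass"), Set.of()));
        add(schema, new ClassDef("ee-teste", "top", 1, Set.of("cn"), Set.of()));

        // Attribute names and parent container class taken from the posted createSubcontext call.
        List<String> supplied = List.of("objectclass", "cn", "mail");
        System.out.println("before: " + check(schema, "ee-teste", "organizationalUnit", supplied));

        // Same class once organizationalUnit is listed as a possible superior.
        add(schema, new ClassDef("ee-teste", "top", 1, Set.of("cn"), Set.of("organizationalUnit")));
        System.out.println("after:  " + check(schema, "ee-teste", "organizationalUnit", supplied));
    }
}
```

To run it against a live directory, the map would be filled from the classSchema entries under the schema naming context instead of the constructed values.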
[ActiveDir] LDAP
I apologize if this is received twice.

Scenario: AS400 system with username restriction of 10 characters. Considering installing a card with W2k AD installed. Specifically we will be running Windows 2K server on an Integrated xSeries server. This will allow us to enroll existing AS400 users groups on a W2k server. This allows us one point for administration of both AS400 and W2k set of users.

We currently have a domain controller, or W2k w/AD installation. We did not restrict the usernames to 10 characters on this system. Other systems that will be authenticating their usernames against it are also not limited to 10 characters.

Our goal is single sign on. We would like to have the users on the AS400/W2K system to authenticate or replicate to our current W2k AD installation. The problem is the limitation of usernames.

My question is, is there any way around having to change all the usernames on the other systems to match the 10 character limitation? Can I have the usernames on the AS400 W2K installation link to the current W2k server? I thought with LDAP you could have numerous names linked to one. If so, how can I do this?

Your help is greatly appreciated.

Sincerely,
Stacey Davis
Wan Technician
Network Services Department
Anderson News Company
Phone (865) 584-9765 ext. 1566
Email [EMAIL PROTECTED]
RE: [ActiveDir] ISA Server/Security
Sunbelt hosts a Windows security list and a Windows firewall list.

http://lyris.sunbelt-software.com/scripts/lyris.pl?site=www.ntsoftdist.comid=201224565

-Original Message-
From: Travis Riddle [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 9:01 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ISA Server/Security

Hello, I was wondering if anyone has read or looked at ISA Server and Beyond: Real World Security Solutions for Microsoft Enterprise Networks by Tom Shinder and had comments about the book, or maybe recommendations for other ISA books that are worth purchasing. I am also interested in books and/or mailing lists concerning network security in general if anyone has suggestions there.

Thank you,
Travis
RE: [ActiveDir] Authentication ?
Ditto for us. Heavily mixed environment (~20K users) with no impact from going native. Go for it :-)

Diane

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 8:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authentication ?

We had no issues when we went native...similar situation: Single domain, lots of NT4 clients and member servers, as well as W2K clients and member servers. A month or so after the last of the NT4 BDCs was removed, we made the switch with no complaints. This domain had been upgraded from NT4 back in 2000, so there's all kinds of old stuff on it. YMMV if your old stuff is not similar to our old stuff, but that was our experience.

Dave
[ActiveDir] LDAP messy situation
I posted a request for help last week, but have more information today... Scenario: An AS400 system, which holds user profiles limited to 10 character usernames. This system will have a card installed with W2k server installed. Specifically, we will be running a Windows server on an integrated xSeries server which will allow us to enroll existing AS400 users and groups on a Windows server. This should allow for a single point of administration for both AS400 and Windows users. From what I understand, the AS400 will propagate the W2k server that exists on the box with username and passwords. These users will have the same username and password limitations as on the AS400. We also have a AD server used for domain authentication. This server has the same users only is used in the windows environment. When we setup this server, we set it up with out limiting the usernames. We didn't foresee this possible problem. Our goal is to move towards single sign on. We have certain applications using this system for authentication currently, none of which are restricted by username limits. Has anyone done this before? Can you make the W2k server on the AS400 system, a child of the current domain controller? If so, can you link the limited usernames to the unlimited usernames on the existing W2k server through AD LDAP? Or will I need to change each username on each system to match the restricted usernames? I guess, is there any way around changing all the usernames? The goal is for all users to exist on one server for a single point of administration, and to achieve single sign on. To change usernames on all the systems involved could be a huge problem. Your help is greatly appreciated. * Sincerely, Stacey Davis Wan Technician Network Services Department Anderson News Company Phone (865) 584-9765 ext. 
1566 Email [EMAIL PROTECTED] List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] LDAP
You asked this a week ago - the answer hasn't really changed. Either change the user names in AD to be 10 or less characters, or open up the checkbook and buy an SSO product that will handle it for you. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 1:04 PM To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED] Subject: [ActiveDir] LDAP I apologize if this is received twice. Scenario: AS400 system with username restriction of 10 characters. Considering installing a card with W2k AD installed. Specifically we will be running Windows 2K server on an Integrated xSeries server. This will allow us to enroll existing AS400 users groups on a W2k server. This allows us one point for administration of both AS400 and W2k set of users. We currently have a domain controller, or W2k w/AD installation. We did not restrict the usernames to 10 characters on this system. Other systems that will be authenticating their usernames against it are also not limited to 10 characters. Our goal is single sign on. We would like to have the users on the AS400/W2K system to authenticate or replicate to our current W2k AD installation. The problem is the limitation of usernames. My question is, is there anyway around having to change all the usernames on the other systems to match the 10 character limitation? Can I have the usernames on the AS400 W2K installation link to the current W2k server? I thought with LDAP you could have numerous names linked to one. If so, how can I do this? Your help is greatly appreciated. * Sincerely, Stacey Davis Wan Technician Network Services Department Anderson News Company Phone (865) 584-9765 ext. 
1566 Email [EMAIL PROTECTED]
RE: [ActiveDir] LDAP
Roger, Wouldn't it be possible to make the CN of the user object a 10 character name and the sAMAccountName and/or UPN the longer form? That way the LDAP-based app can authenticate using the user DN (which is what it will do if it does an LDAP simple bind), and the users can login using the longer name form. No SSO product needed. The only downside is that I don't think you can do this using the MMC to add users, you'd have to use a script or some such. -gil -Original Message- From: Roger Seielstad [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 1:18 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] LDAP You asked this a week ago - the answer hasn't really changed. Either change the user names in AD to be 10 or less characters, or open up the checkbook and buy an SSO product that will handle it for you. -- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 1:04 PM To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED] Subject: [ActiveDir] LDAP I apologize if this is received twice. Scenario: AS400 system with username restriction of 10 characters. Considering installing a card with W2k AD installed. Specifically we will be running Windows 2K server on an Integrated xSeries server. This will allow us to enroll existing AS400 users groups on a W2k server. This allows us one point for administration of both AS400 and W2k set of users. We currently have a domain controller, or W2k w/AD installation. We did not restrict the usernames to 10 characters on this system. Other systems that will be authenticating their usernames against it are also not limited to 10 characters. Our goal is single sign on. We would like to have the users on the AS400/W2K system to authenticate or replicate to our current W2k AD installation. The problem is the limitation of usernames. 
My question is, is there anyway around having to change all the usernames on the other systems to match the 10 character limitation? Can I have the usernames on the AS400 W2K installation link to the current W2k server? I thought with LDAP you could have numerous names linked to one. If so, how can I do this? Your help is greatly appreciated. * Sincerely, Stacey Davis Wan Technician Network Services Department Anderson News Company Phone (865) 584-9765 ext. 1566 Email [EMAIL PROTECTED]
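The suggestion in the reply above (a CN of at most 10 characters, with the longer form in sAMAccountName and/or UPN, created by script rather than through the MMC) can be sketched as an LDIF generator. This is an added example, not code from the thread: the base DN, UPN suffix, sample names and the CN-shortening scheme are constructed assumptions, and the 20-character sAMAccountName limit for user objects is applied as a fallback to UPN only.

```python
import re

AS400_MAX = 10   # user-name limit quoted in the thread
SAM_MAX = 20     # AD's limit on sAMAccountName for user objects
BASE_DN = "OU=Staff,DC=example,DC=com"   # constructed placeholder
UPN_SUFFIX = "example.com"               # constructed placeholder

# Only plain login characters are accepted, so a name can never carry a
# newline or a DN metacharacter into the generated LDIF.
SAFE_LOGIN = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def short_cn(long_name, taken):
    """Derive a unique CN of at most AS400_MAX characters.

    Hypothetical scheme: strip non-alphanumerics, upper-case, truncate,
    and overwrite the tail with a counter when the result is taken.
    """
    base = re.sub(r"[^A-Za-z0-9]", "", long_name).upper()
    candidate, n = base[:AS400_MAX], 0
    while candidate in taken:
        n += 1
        suffix = str(n)
        candidate = base[:AS400_MAX - len(suffix)] + suffix
    taken.add(candidate)
    return candidate


def plan_entry(long_name, taken):
    """Map one long login name to the attributes of its AD user object."""
    if not SAFE_LOGIN.fullmatch(long_name):
        raise ValueError(f"unsafe login name: {long_name!r}")
    cn = short_cn(long_name, taken)
    # Names too long for sAMAccountName keep the long form in the UPN only.
    sam = long_name if len(long_name) <= SAM_MAX else cn
    return {
        "dn": f"CN={cn},{BASE_DN}",
        "cn": cn,
        "sAMAccountName": sam,
        "userPrincipalName": f"{long_name}@{UPN_SUFFIX}",
    }


def build_plan(long_names):
    taken = set()
    return [plan_entry(name, taken) for name in long_names]


def to_ldif(entries):
    """Render the plan as LDIF 'add' records, one blank line apart."""
    blocks = []
    for e in entries:
        blocks.append("\n".join([
            f"dn: {e['dn']}",
            "changetype: add",
            "objectClass: user",
            f"cn: {e['cn']}",
            f"sAMAccountName: {e['sAMAccountName']}",
            f"userPrincipalName: {e['userPrincipalName']}",
        ]))
    return "\n\n".join(blocks) + "\n"


# Constructed sample input: two names that collide after truncation and
# one that exceeds the sAMAccountName limit.
SAMPLE = ["stacey.davis", "stacey.davidson", "bartholomew.featherstonehaugh"]

if __name__ == "__main__":
    print(to_ldif(build_plan(SAMPLE)))
```

Review the generated CNs against the existing AS400 profile names before importing, since the shortening scheme here does not know which short names are already in use on that side.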
RE: [ActiveDir] Authentication ?
Possibly incorrect. If some of those legacy applications use the NT4 API you may have some issues. For instance in my enviornment I have a legacy application Crystal Enterprise - it is using an NT4 API for determining group membership for security. As you know there is a large change in groups from NT4 to Win2k/AD. So native mode and nested groups would be an obvious No - No. You should examine your applications and try to determine how they might be affected. This situation could be one way. In general though, most environments should have no problem moving to native mode. Jim Katoe Mindshare Directory Services Manager MCSE,MCSA,PCLP,CCNA,CCDA,CNA Worldwide IT Infrastructure Team 825 8th Avenue, NY, NY 10019 email: [EMAIL PROTECTED] Office: 646.756.4587 Fax: 646.756.5951 Don Murawski (Lenox) [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/16/2003 11:29 AM Please respond to ActiveDir To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] cc: Subject: RE: [ActiveDir] Authentication ? Let me clear up my question! I have NO 4.0 BDCs, All Win2k DC's, but have a lot of legacy clients and applications. Switching to native mode, I'm assuming should have NOT impact on these applications or systems. -Original Message- From: Craig Cerino [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 11:14 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Authentication ? Unless I am reading his email wrong - - - He is considering going to NATIVE mode which means one of two things: 1.He already HAS Win2K Srv and a few 2k servers on the wire 2.He is planning to purchase WIN2K Srv In EITHER case (which is just assumed since he is considering migrating) he would still have to RUN DCPROMO to upgrade the PDC and BDCs or make them member servers or remove them from the domain. Don - we haven't heard form you since you opened the thread - - please let us know what is the case so we can stop bickering and help you. 
Guys - -I am not trying to argue - - unfortunately vocal inflection and tone just don't translate well via email - - - my apologies if it appears as if I'm yelling or picking a fight. -Original Message- From: Kevin Gent [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 11:13 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Authentication ? The only way his NT 4 PDCs and BDCs are going to become DCs in a Win2K domain is to purchase W2K and upgrade them. - Original Message - From: Craig Cerino To: [EMAIL PROTECTED] Sent: Thursday, January 16, 2003 8:07 AM Subject: RE: [ActiveDir] Authentication ? Right - - but if he wants to keep what used to be his PDC and BDC's in the loop they will either have to be made DCs by running DCPROM - - or get them out of the replication loop by making them member servers or removing them from the domain -Original Message- From: EALES, Jack - FPIL [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 7:51 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Authentication ? switching to native mode means having NO more NT4.0 BDC's... that's when it becomes a Native domain - rather than mixed... -Original Message- From: Craig Cerino [mailto:[EMAIL PROTECTED]] Sent: 16 January 2003 12:41 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Authentication ? If you run DCPROMO on them and make them a DC they will. Which you'll have to do anyway or downgrade them to member servers -Original Message- From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 7:16 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Authentication ? Considering switching to native mode within a month. Is there any different in authentication methods in native mode than mixed? Some reason their seems to be a debate around my company about some applications may be affected? It's my understanding that making the switch to native mode means that 4.0 DC's will not longer be able to replicate. Don L Murawski Sr. 
Network Administrator - MCSE 4.0, 2000 WorldTravel BTI 1055 Lenox Park Blvd Suite 420 Atlanta, GA 30319 Phone: (404) 923-9468 Fax: (404) 949-6710 Cell: (678) 549-1264
RE: [ActiveDir] Authentication ?
Jim, I'd like to hear more (and, if others want to chime in, please do) about legacy apps and sec groups. If my production environment and experience is correct, going to native mode is not going to have an effect on security groups. (Except for the obvious Universal group, nesting, etc.) Consider: You have upgraded all of your BDC to Win2k DCs. You switch to native mode, but all of a sudden realize that you have over 500 Windows NT 4.0 and Windows 3.1 (Not NT, Win 3.1) workstations with applications written for that platform. So the workstations and applications cease to interoperate with the rest of the environment? The answer is an emphatic NO. They operate fine, work with the Domain Local, Global and Universal groups. I will, however, agree that there may be the application here and there that has a real issue with the SID format or API calls to Windows 2000 groups. As you said - test your apps. But, these should fail before going to Native - not necessarily, after. Comments?? Anyone want to visit a site in Virginia where they can see these 500 Windows 3.1 machines in a native mode domain??? ;o)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 16, 2003 3:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authentication ?

Possibly incorrect. If some of those legacy applications use the NT4 API you may have some issues. For instance in my environment I have a "legacy application" Crystal Enterprise - it is using an NT4 API for determining group membership for security. As you know there is a large change in groups from NT4 to Win2k/AD. So native mode and nested groups would be an obvious No - No. You should examine your applications and try to determine how they might be affected. This situation could be one way.
In general though, most environments should have no problem moving to native mode. Jim Katoe MindshareDirectory Services ManagerMCSE,MCSA,PCLP,CCNA,CCDA,CNA Worldwide IT Infrastructure Team825 8th Avenue, NY, NY 10019 email: [EMAIL PROTECTED]Office: 646.756.4587Fax: 646.756.5951 "Don Murawski (Lenox)" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/16/2003 11:29 AM Please respond to ActiveDir To: "'[EMAIL PROTECTED]'" [EMAIL PROTECTED] cc: Subject:RE: [ActiveDir] Authentication ?Let me clear up my question! I have NO 4.0 BDCs, All Win2k DC's, but have a lot of legacy clients and applications. Switching to native mode, I'm assuming should have NOT impact on these applications or systems. -Original Message-From: Craig Cerino [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 11:14 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Authentication ?Unless I am reading his email wrong - - - He is considering going to NATIVE mode which means one of two things: 1. He already HAS Win2K Srv and a few 2k servers on the wire 2. He is planning to purchase WIN2K Srv In EITHER case (which is just assumed since he is considering migrating) he would still have to RUN DCPROMO to upgrade the PDC and BDCs or make them member servers or remove them from the domain. Don - we haven't heard form you since you opened the thread - - please let us know what is the case so we can stop bickering and help you. Guys - -I am not trying to argue - - unfortunately vocal inflection and tone just don't translate well via email - - - my apologies if it appears as if I'm yelling or picking a fight. -Original Message-From: Kevin Gent [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 11:13 AMTo: [EMAIL PROTECTED]Subject: Re: [ActiveDir] Authentication ? The only way his NT 4 PDCs and BDCs are going to become DCs in a Win2K domain is to purchase W2K and upgrade them. 
- Original Message - From: Craig Cerino To: [EMAIL PROTECTED] Sent: Thursday, January 16, 2003 8:07 AM Subject: RE: [ActiveDir] Authentication ? Right - - but if he wants to keep what used to be his PDC and BDC's in the loop they will either have to be made DCs by running DCPROM - - or get them out of the replication loop by making them member servers or removing them from the domain -Original Message-From: EALES, Jack - FPIL [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 7:51 AMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Authentication ? switching to native mode means having NO more NT4.0 BDC's... that's when it becomes a Native domain - rather than mixed...
RE: [ActiveDir] AD 2 AD Migration
Joeri, We are in the final phases of a complete migration from one forest to another. We have migrated 25k plus machines, 11k plus users, and some number of groups. All of this was done with ADMT ver 2.0. Though not perfect, it did an absolutely fantastic job for our needs. ADMT does require that the destination domain be in native mode. The upside is that you can now migrate the user password. Jimmy provided you with links on this, so have at it. The price - clearly, is right. ;o) Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulder, Joeri (NL - Amsterdam) Sent: Thursday, January 16, 2003 9:05 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] AD 2 AD Migration Hello, Does anyone have experience migrating users and groups from one forest to another? Is ADMT v2.0 the best tool to do this? Greets, --Joeri--
[ActiveDir] Call for papers - Directory Experts Conference for Active Directory 2003
Greetings, The second Directory Experts Conference for Active Directory will be held in Scottsdale, Arizona from April 28 through May 1, 2003. Although we have not officially announced the conference (that will happen in a few days), I would like to solicit the experts on the list for presentations on Active Directory projects and issues. This year's DEC will focus on two topics: security and directory integration, i.e., doing more with AD than just logging in. I'm looking for real-world discussions that have fairly broad appeal to the AD experts community. Problem-and-solution stories are great, as are in-depth discussions of some of the dustier corners of AD that don't get much discussion, e.g. integration with non-Microsoft systems. Topics that I'm *not* interested in include this is how we designed our directory (unless it's mind-bogglingly unusual), NT4-to-AD migration stories, and vendor sales pitches, veiled or otherwise. Presentations should run about 45 minutes with 15 minutes of discussion, although we can go longer for meatier topics. I'm also taking suggestions for birds-of-a-feather type breakout sessions. The DEC is a technical conference targeted toward directory architects, engineers, and consultants with more than six months of production Active Directory experience under their belts... attendees can generally list the top level command options in NTDSUTIL and diagram the DNS namespace created by a DC from memory :) This means that you can focus on the interesting bits of your topic without having to explain things like what FSMO role owners are and why having more than one of each is a bad thing. So if you think you may have an interesting story to tell, please contact me via email at mailto:[EMAIL PROTECTED]. And if you're just interested in attending, watch this space; I'll post the official conference announcement to the list as soon as it's released.
Thanks, -gil Gil Kirkpatrick CTO, NetPro Author of Active Directory Programming from MacMillan