RE: [ActiveDir] fismos
Return Receipt

Your document: RE: [ActiveDir] fismos
was received by: James S. Cate/CONTRACTOR/FIA/CO/GSA/GOV
at: 06/20/2003 07:01:25 AM

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] suggestions for OU delegation information sources
You might indeed have to wait for Robbie's Cookbook, but you can pre-order at Amazon: http://www.amazon.com/exec/obidos/ASIN/0596004648/qid=1055854721/sr=2-1/ref=sr_2_1/104-1580686-2322327 I've seen it and I think Robbie's done a fantastic job. Tony

-- Original Message -- Wrom: MHVIBGDADRZFSQHYUCDDJBLVLM Reply-To: [EMAIL PROTECTED] Date: Thu, 19 Jun 2003 22:07:06 -0700

Bob is right - this is a must have on your shelf (along with Robbie's book(s), of course!)

I thought Robbie's stuff went without saying :-] These are the books that never make it to my bookshelves, they stay either _on_ my desk or in the car, that's as high of a tribute as I can pay to any book. In all honesty, I must admit to being very envious of Rick and Joe who have already seen Robbie's new book. The rest of us mere mortals must wait till it's published. I knew I should have kissed up to Robbie at DEC more VBG

-Original Message- Wrom: HAALPTCXLYRWTQTIPWIGYOKSTTZRCLBDXRQBGJSN Sent: Thursday, June 19, 2003 7:14 PM To: [EMAIL PROTECTED]

Anyone that doesn't have this book is really, REALLY missing out on a truly great book on AD. This book has detailed subjects that most other authors have not drilled into as well. Plus, the illustrations that they use (visually) are great. Robbie - your update to the AD book is wonderful. But, these two Finns did a GREAT job with a book that is absolutely phenomenal on what it covers. And, it covers it very well. Bob is right - this is a must have on your shelf (along with Robbie's book(s), of course!)
Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message- Wrom: BOHMKHJYFMYXOEAIJJPHSCRTNHGSWZIDRE [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Thursday, June 19, 2003 5:02 PM To: [EMAIL PROTECTED]

Some of the better coverage I've seen of the subject is in Chapter 4 of Inside Active Directory: A System Administrator's Guide (ISBN: 0-201-61621-1), By Sakari Kouti and Mike Seitsonen If you don't have the book (highly recommended BTW) MS published that particular chapter on TechNet. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/AD/windows2000/deploy/confeat/securead.asp

-Original Message- Wrom: XCAXZOWCONEUQZAAFXISHJEXXIMQZUIVOTQNQEMSFDULH Sent: Thursday, June 19, 2003 1:45 PM To: Active Directory Mailing List (E-mail)

Hi All! As we continue to flesh out our AD structure, we are trying to give delegation authority for various objects in OUs to the appropriate groups. Being a control freak, I don't want to give these groups full control over all of the objects in the OU since this is also where our user accounts sit. We've done some experimenting with modifying the delegwiz.inf file to create custom templates but find that information for exact permissions needed to do a particular task is somewhat scarce. Has anyone put together a custom delegwiz.inf file that we could borrow from? Is there any literature out there regarding delegation that someone would recommend? Any help is always appreciated! Thanks!
Mike Thommes Argonne National Laboratory
RE: [ActiveDir] A number of NT4.0 to AD upgrade questions
Agreed. The only issue I've seen with downlevel clients in our native mode deployments has been the password complexity issues I've noted before, where users with non-complex passwords prior to enabling enforced complexity cannot change their own passwords. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Thursday, June 19, 2003 8:45 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions

Define your troubles. My guess would be name res issues because people start to forget about WINS once they move to AD and W2K Machines. I have tens of thousands of Win9x and NT4 clients and hundreds of NT4 Servers that are functioning well in Native mode domain environments and have been for a couple of years.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Reynolds Sent: Thursday, June 19, 2003 11:22 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] A number of NT4.0 to AD upgrade questions

I have had trouble with win98 and nt4 ws when I went to Native, and did not have an NT4 domain controller. What did I do wrong?

- Original Message - From: W2K List [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 19, 2003 7:17 AM Subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions

You can have NT 4 servers and still switch to Native mode. However, the servers cannot be Domain Controllers. Denny

-Original Message- From: Sullivan, Kevin [mailto:[EMAIL PROTECTED] Sent: Thursday, June 19, 2003 9:45 AM To: [EMAIL PROTECTED]

Correct about servers but clients are really irrelevant with regards to Native vs. Mixed mode.
-Original Message- From: rick reynolds [mailto:[EMAIL PROTECTED] Sent: Thursday, June 19, 2003 9:29 AM To: [EMAIL PROTECTED]

You need to run in mixed mode until the last nt4 server or client leaves the network, also, if you run mixed mode, you can still roll-back,

- Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 19, 2003 4:21 AM Subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions

I have completed a rollback with Windows 2000 AD back to NT4 and had no problems with the W2K clients authenticating back to NT4. Maybe this was just luck and something to do with the reasonings behind the rollback but thought it was worth a mention. J

from:Ken Cornetet [EMAIL PROTECTED] date:Wed, 18 Jun 2003 21:42:27 to: [EMAIL PROTECTED] subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions

Comments inline

-Original Message- From: Mike Baudino [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 18, 2003 2:47 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] A number of NT4.0 to AD upgrade questions

All, I'm not convinced, after reading the Microsoft documentation, that we've all got our answers nailed down on an in-place upgrade. So, I'd like to submit these questions to you to get the real world answer. Since we lack sufficient budget to perform a proper migration we'll need to do in-place upgrades to our domains and then consolidate some of the rogue domains into our structure (as well as cleaning things up after upgrade). All domains will remain mixed mode until we're able to complete application testing. One of our main drivers is the need to consolidate domains as well as eventually eliminate our dependence on the SAM.

1. One of my concerns is following the upgrade of the PDC it will be the only AD domain controller in the domain. Our current DNS settings for servers and workstations are to our enterprise DNS servers, which are not AD-compatible.
We anticipate creating a new DNS structure for AD and then using forwarders to the other DNS servers for non-AD-related address resolution. It's my expectation that NT4.0 clients w/o the AD client will not be impacted by this in any way. Is this correct?

That's OK. Just make your AD DNS a subdomain of your existing DNS domain. For example, if your main DNS domain is acme.com and your NT domain is ACME, then create your AD forest as acme.acme.com. Put nameserver records in your existing DNS zone that delegates acme.acme.com to the DNS server running on your DC. Have your AD DNS server forward to your
RE: [ActiveDir] suggestions for OU delegation information sources
Is the scripting/cli information you're talking about here documented in either (or both) of these books? Looks like I might need to expand the library a bit... -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Thursday, June 19, 2003 9:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] suggestions for OU delegation information sources

Bob: I agree on the book recommendation. Chapter 4 is a virtual mountain of good info. For the more involved/intense AD Admin I would also point out and recommend Managing Enterprise Active Directory Services (Robbie Allen/Richard Puckett Addison Wesley Publishing). That book will probably fly over the head of most AD Admins out there but the info is really good, I especially was impressed on the section on SDDLs. If they only could have had a few chapters on Exchange 2K integration and how to make it less painful... :oP

Michael what specific things are you looking to delegate? As a general rule I avoid the GUI's as the command line is generally much more efficient and people are more consistent when they run scripts than when they do things in the GUI. With GUI I think ad hoc and you don't admin AD ad hoc or at least you don't do it for long or else it will bite you. Anyway if you give specifics of things you are looking for, people on the list could recommend how to do it, etc. Such as how to delegate unlock capability to the HelpDesk group on the users OU of domain.com

dsacls CN=Users,DC=domain,DC=com /I:S /G Domain\HelpDesk:RPWP;lockoutTime;user

Or reset password to the same group on the same OU

dsacls CN=Users,DC=domain,DC=com /I:S /G "Domain\HelpDesk:CA;Reset Password;user"

Obviously the more delegation you do that fits patterns the better the scripts pay off for you in terms of save time realized and consistency of configuration. You can wrap dsacls into a script or you can actually call and modify the security descriptors directly.
Writing scripts to do this stuff at the command line usually starts giving benefits of side tools that will let you do ACL audits and such a little easier as well and best of all puts things in formats that you want and can be set up to take advantage of things you know are set up in specific ways in your environment. joe

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Thursday, June 19, 2003 6:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] suggestions for OU delegation information sources

Some of the better coverage I've seen of the subject is in Chapter 4 of Inside Active Directory: A System Administrator's Guide (ISBN: 0-201-61621-1), By Sakari Kouti and Mike Seitsonen If you don't have the book (highly recommended BTW) MS published that particular chapter on TechNet. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/AD/windows2000/deploy/confeat/securead.asp

-Original Message- From: Thommes, Michael M. [mailto:[EMAIL PROTECTED] Sent: Thursday, June 19, 2003 1:45 PM To: Active Directory Mailing List (E-mail)

Hi All! As we continue to flesh out our AD structure, we are trying to give delegation authority for various objects in OUs to the appropriate groups. Being a control freak, I don't want to give these groups full control over all of the objects in the OU since this is also where our user accounts sit. We've done some experimenting with modifying the delegwiz.inf file to create custom templates but find that information for exact permissions needed to do a particular task is somewhat scarce. Has anyone put together a custom delegwiz.inf file that we could borrow from? Is there any literature out there regarding delegation that someone would recommend? Any help is always appreciated! Thanks!
Mike Thommes Argonne National Laboratory
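
The ACL audit side tool mentioned in the message above, as an added example (not code from the thread or from the books it recommends): a Python audit that reads a container's security descriptor in SDDL form and reports which trustees can unlock or reset passwords on the user objects beneath it, then compares that with an approved list. The SDDL string, the SIDs and the capability names are constructed for illustration, and the schema GUIDs are well-known Active Directory values that do not appear in the posts.

```python
import re

# Well-known Active Directory schema GUIDs for the two delegations discussed in
# the thread. Supplied for this example; they are not quoted from the posts.
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # "Reset Password" control access right
LOCKOUT_TIME = "28630ebf-41d5-11d1-a9c1-0000f80367c1"    # lockoutTime attribute
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"      # user object class

# Directory-service access-mask bits and their two-letter SDDL codes.
# dsacls spells control access "CA"; SDDL spells the same bit "CR".
DS_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
           "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
           "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}
GENERIC = {"GA": set(DS_BITS), "GW": {"RC", "SW", "WP"}}


def pairs(field):
    """Split an SDDL flags or rights field into its two-letter codes."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def decode_rights(field):
    """Decode a rights field given as codes ('RPWP') or as a hex mask ('0x30')."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {code for code, bit in DS_BITS.items() if mask & bit}
    rights = pairs(field)
    for generic, expansion in GENERIC.items():
        if generic in rights:
            rights |= expansion
    return rights


def parse_dacl(sddl):
    """Return the ACEs of the D: (DACL) part; the S: (SACL) part is ignored."""
    match = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", match.group(1) if match else ""):
        f = body.split(";")
        if len(f) < 6:
            continue  # malformed ACE: skip rather than guess
        aces.append({"type": f[0], "flags": pairs(f[1]),
                     "rights": decode_rights(f[2]), "object": f[3].lower(),
                     "inherit_object": f[4].lower(), "trustee": f[5]})
    return aces


def delegations_on_users(sddl):
    """Map trustee -> capabilities that reach user objects below the container."""
    found = {}
    for ace in parse_dacl(sddl):
        if ace["type"] not in ("A", "OA"):    # allow ACEs only; deny ACEs not modelled
            continue
        if "CI" not in ace["flags"]:          # not inherited by child objects
            continue
        if ace["inherit_object"] not in ("", USER_CLASS):
            continue                          # scoped to some other object class
        rights, obj = ace["rights"], ace["object"]
        caps = set()
        if obj == "" and set(DS_BITS) <= rights:
            caps.add("full-control")
        # An empty object GUID with CR grants every control access right,
        # and with WP grants write to every property.
        if "CR" in rights and obj in ("", RESET_PASSWORD):
            caps.add("reset-password")
        if "WP" in rights and obj in ("", LOCKOUT_TIME):
            caps.add("unlock")
        if caps:
            found.setdefault(ace["trustee"], set()).update(caps)
    return found


def unexpected(sddl, approved):
    """Return trustee -> capabilities that exceed the approved delegation list."""
    extra = {}
    for trustee, caps in delegations_on_users(sddl).items():
        over = caps - approved.get(trustee, set())
        if over:
            extra[trustee] = over
    return extra


# Constructed sample data: the SIDs and the descriptor are made up.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
HELPDESK, CONTRACTORS, ORPHAN = DOMAIN + "-1105", DOMAIN + "-1190", DOMAIN + "-1200"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    f"(OA;CIIO;RPWP;{LOCKOUT_TIME};{USER_CLASS};{HELPDESK})"  # unlock, as /I:S would write it
    f"(OA;CIIO;CR;{RESET_PASSWORD};{USER_CLASS};{HELPDESK})"  # reset password
    f"(OA;CIIO;CR;;{USER_CLASS};{CONTRACTORS})"               # all extended rights on users
    "(A;CI;GA;;;DA)"                                          # Domain Admins, full control
    f"(OA;;RPWP;{LOCKOUT_TIME};;{ORPHAN})"                    # no CI flag: container only
    "(A;CI;LCRPRC;;;AU)"                                      # read access for Authenticated Users
    "S:AI(AU;SA;WP;;;WD)"
)
APPROVED = {HELPDESK: {"reset-password", "unlock"},
            "DA": {"full-control", "reset-password", "unlock"}}

if __name__ == "__main__":
    for trustee, caps in unexpected(SAMPLE_SDDL, APPROVED).items():
        print(trustee, sorted(caps))
```

The third ACE is the case worth auditing for: it names no specific right, so its control-access bit covers Reset Password even though nobody delegated that right by name.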
RE: [ActiveDir] suggestions for OU delegation information sources
Dude I am living E2K right now... Just wait though, I have some pretty cool scripts (well at least in my mind) I have worked out that I think others may eventually be interested in. Found a bug in the addon for DSA.MSC for E2K for displaying permissions on mailboxes with one of the permission displayer scripts I wrote, sent that one into MCS and Alliance. Also have a couple of KB articles I found that directly conflict with each other concerning mailbox delegation and what is required, also sent that one in. :op

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Thursday, June 19, 2003 10:17 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] suggestions for OU delegation information sources

If they only could have had a few chapters on Exchange 2K integration and how to make it less painful... :oP

Oh, you are NOT EVEN gonna get this started again! Huh-uh! ;-D Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Sent: Thursday, June 19, 2003 8:00 PM To: [EMAIL PROTECTED]

Bob: I agree on the book recommendation. Chapter 4 is a virtual mountain of good info. For the more involved/intense AD Admin I would also point out and recommend Managing Enterprise Active Directory Services (Robbie Allen/Richard Puckett Addison Wesley Publishing). That book will probably fly over the head of most AD Admins out there but the info is really good, I especially was impressed on the section on SDDLs. If they only could have had a few chapters on Exchange 2K integration and how to make it less painful... :oP

Michael what specific things are you looking to delegate? As a general rule I avoid the GUI's as the command line is generally much more efficient and people are more consistent when they run scripts than when they do things in the GUI.
With GUI I think ad hoc and you don't admin AD ad hoc or at least you don't do it for long or else it will bite you. Anyway if you give specifics of things you are looking for, people on the list could recommend how to do it, etc. Such as how to delegate unlock capability to the HelpDesk group on the users OU of domain.com

dsacls CN=Users,DC=domain,DC=com /I:S /G Domain\HelpDesk:RPWP;lockoutTime;user

Or reset password to the same group on the same OU

dsacls CN=Users,DC=domain,DC=com /I:S /G "Domain\HelpDesk:CA;Reset Password;user"

Obviously the more delegation you do that fits patterns the better the scripts pay off for you in terms of save time realized and consistency of configuration. You can wrap dsacls into a script or you can actually call and modify the security descriptors directly. Writing scripts to do this stuff at the command line usually starts giving benefits of side tools that will let you do ACL audits and such a little easier as well and best of all puts things in formats that you want and can be set up to take advantage of things you know are set up in specific ways in your environment. joe

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Thursday, June 19, 2003 6:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] suggestions for OU delegation information sources

Some of the better coverage I've seen of the subject is in Chapter 4 of Inside Active Directory: A System Administrator's Guide (ISBN: 0-201-61621-1), By Sakari Kouti and Mike Seitsonen If you don't have the book (highly recommended BTW) MS published that particular chapter on TechNet. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/AD/windows2000/deploy/confeat/securead.asp

-Original Message- From: Thommes, Michael M. [mailto:[EMAIL PROTECTED] Sent: Thursday, June 19, 2003 1:45 PM To: Active Directory Mailing List (E-mail)

Hi All!
As we continue to flesh out our AD structure, we are trying to give delegation authority for various objects in OUs to the appropriate groups. Being a control freak, I don't want to give these groups full control over all of the objects in the OU since this is also where our user accounts sit. We've done some experimenting with modifying the delegwiz.inf file to create custom templates but find that information for exact permissions needed to do a particular task is somewhat scarce. Has anyone put together a custom delegwiz.inf file that we could borrow from? Is there any literature out there regarding delegation that someone would recommend? Any help is always appreciated! Thanks! Mike Thommes Argonne National Laboratory
RE: [ActiveDir] suggestions for OU delegation information sources
Yeah I will get on this bandwagon as well and say that the Cookbook is a good book. The format will really fit what a lot of AD Admins out there need when they think, You know I just need to do this or that, I wonder if it is in the cookbook? - Oh cool, here it is, with several different ways to do it... Sort of like TIMTOWTDI man, rock on, this Robbie guy must have a perl mindset But again, once you understand that one and are still hungry, get Managing Enterprise Active Directory Services. Then you will really be geared for some serious admin work (after your head stops spinning), then you go and find Gil's Active Directory Programming and have even more fun If it doesn't exist somewhere (I am not aware of it) we should build a web page with must have reading for AD with descriptions and what the paper or book or web page is aimed at (dev or admin or quick howto or ?) and ratings or something.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Friday, June 20, 2003 7:08 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] suggestions for OU delegation information sources

You might indeed have to wait for Robbie's Cookbook, but you can pre-order at Amazon: http://www.amazon.com/exec/obidos/ASIN/0596004648/qid=1055854721/sr=2-1/ref=sr_2_1/104-1580686-2322327 I've seen it and I think Robbie's done a fantastic job. Tony

-- Original Message -- Wrom: MHVIBGDADRZFSQHYUCDDJBLVLM Reply-To: [EMAIL PROTECTED] Date: Thu, 19 Jun 2003 22:07:06 -0700

Bob is right - this is a must have on your shelf (along with Robbie's book(s), of course!)

I thought Robbie's stuff went without saying :-] These are the books that never make it to my bookshelves, they stay either _on_ my desk or in the car, that's as high of a tribute as I can pay to any book. In all honesty, I must admit to being very envious of Rick and Joe who have already seen Robbie's new book. The rest of us mere mortals must wait till it's published.
I knew I should have kissed up to Robbie at DEC more VBG

-Original Message- Wrom: HAALPTCXLYRWTQTIPWIGYOKSTTZRCLBDXRQBGJSN Sent: Thursday, June 19, 2003 7:14 PM To: [EMAIL PROTECTED]

Anyone that doesn't have this book is really, REALLY missing out on a truly great book on AD. This book has detailed subjects that most other authors have not drilled into as well. Plus, the illustrations that they use (visually) are great. Robbie - your update to the AD book is wonderful. But, these two Finns did a GREAT job with a book that is absolutely phenomenal on what it covers. And, it covers it very well. Bob is right - this is a must have on your shelf (along with Robbie's book(s), of course!) Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message- Wrom: BOHMKHJYFMYXOEAIJJPHSCRTNHGSWZIDRE [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Thursday, June 19, 2003 5:02 PM To: [EMAIL PROTECTED]

Some of the better coverage I've seen of the subject is in Chapter 4 of Inside Active Directory: A System Administrator's Guide (ISBN: 0-201-61621-1), By Sakari Kouti and Mike Seitsonen If you don't have the book (highly recommended BTW) MS published that particular chapter on TechNet. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/AD/windows2000/deploy/confeat/securead.asp

-Original Message- Wrom: XCAXZOWCONEUQZAAFXISHJEXXIMQZUIVOTQNQEMSFDULH Sent: Thursday, June 19, 2003 1:45 PM To: Active Directory Mailing List (E-mail)

Hi All! As we continue to flesh out our AD structure, we are trying to give delegation authority for various objects in OUs to the appropriate groups. Being a control freak, I don't want to give these groups full control over all of the objects in the OU since this is also where our user accounts sit.
We've done some experimenting with modifying the delegwiz.inf file to create custom templates but find that information for exact permissions needed to do a particular task is somewhat scarce. Has anyone put together a custom delegwiz.inf file that we could borrow from? Is there any literature out there regarding delegation that someone would recommend? Any help is always appreciated! Thanks! Mike Thommes Argonne National Laboratory
RE: [ActiveDir] suggestions for OU delegation information sources
Go to Border's and flip through Robbie/Richard's Managing book, so many scripts you can't shake a stick at them. Lots of perl so you know it's got to be good. :op My one complaint to them concerning the book was why the hell they took so long to write it, I could have used it starting in Oct 1999 when I had to start working on this stuff in the first place. They would have saved me considerable time and energy.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Friday, June 20, 2003 7:29 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] suggestions for OU delegation information sources

Is the scripting/cli information you're talking about here documented in either (or both) of these books? Looks like I might need to expand the library a bit... -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Thursday, June 19, 2003 9:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] suggestions for OU delegation information sources

Bob: I agree on the book recommendation. Chapter 4 is a virtual mountain of good info. For the more involved/intense AD Admin I would also point out and recommend Managing Enterprise Active Directory Services (Robbie Allen/Richard Puckett Addison Wesley Publishing). That book will probably fly over the head of most AD Admins out there but the info is really good, I especially was impressed on the section on SDDLs. If they only could have had a few chapters on Exchange 2K integration and how to make it less painful... :oP

Michael what specific things are you looking to delegate? As a general rule I avoid the GUI's as the command line is generally much more efficient and people are more consistent when they run scripts than when they do things in the GUI. With GUI I think ad hoc and you don't admin AD ad hoc or at least you don't do it for long or else it will bite you.
Anyway if you give specifics of things you are looking for, people on the list could recommend how to do it, etc. Such as how to delegate unlock capability to the HelpDesk group on the users OU of domain.com

dsacls CN=Users,DC=domain,DC=com /I:S /G Domain\HelpDesk:RPWP;lockoutTime;user

Or reset password to the same group on the same OU

dsacls CN=Users,DC=domain,DC=com /I:S /G "Domain\HelpDesk:CA;Reset Password;user"

Obviously the more delegation you do that fits patterns the better the scripts pay off for you in terms of save time realized and consistency of configuration. You can wrap dsacls into a script or you can actually call and modify the security descriptors directly. Writing scripts to do this stuff at the command line usually starts giving benefits of side tools that will let you do ACL audits and such a little easier as well and best of all puts things in formats that you want and can be set up to take advantage of things you know are set up in specific ways in your environment. joe

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Thursday, June 19, 2003 6:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] suggestions for OU delegation information sources

Some of the better coverage I've seen of the subject is in Chapter 4 of Inside Active Directory: A System Administrator's Guide (ISBN: 0-201-61621-1), By Sakari Kouti and Mike Seitsonen If you don't have the book (highly recommended BTW) MS published that particular chapter on TechNet. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/AD/windows2000/deploy/confeat/securead.asp

-Original Message- From: Thommes, Michael M. [mailto:[EMAIL PROTECTED] Sent: Thursday, June 19, 2003 1:45 PM To: Active Directory Mailing List (E-mail)

Hi All! As we continue to flesh out our AD structure, we are trying to give delegation authority for various objects in OUs to the appropriate groups.
Being a control freak, I don't want to give these groups full control over all of the objects in the OU since this is also where our user accounts sit. We've done some experimenting with modifying the delegwiz.inf file to create custom templates but find that information for exact permissions needed to do a particular task is somewhat scarce. Has anyone put together a custom delegwiz.inf file that we could borrow from? Is there any literature out there regarding delegation that someone would recommend? Any help is always appreciated! Thanks! Mike Thommes Argonne National Laboratory
RE: [ActiveDir] suggestions for OU delegation information sources
I'm slowly working on something like that over here: http://www.wiredeuclid.com/modules.php?op=modload&name=books&file=index It's by no means complete, but it's slowly getting flushed out a bit. Of course, it probably shouldn't be running on a FreeBSD/Apache/PHP combination, though... ;) Roger -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Friday, June 20, 2003 8:04 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] suggestions for OU delegation information sources

Yeah I will get on this bandwagon as well and say that the Cookbook is a good book. The format will really fit what a lot of AD Admins out there need when they think, You know I just need to do this or that, I wonder if it is in the cookbook? - Oh cool, here it is, with several different ways to do it... Sort of like TIMTOWTDI man, rock on, this Robbie guy must have a perl mindset But again, once you understand that one and are still hungry, get Managing Enterprise Active Directory Services. Then you will really be geared for some serious admin work (after your head stops spinning), then you go and find Gil's Active Directory Programming and have even more fun If it doesn't exist somewhere (I am not aware of it) we should build a web page with must have reading for AD with descriptions and what the paper or book or web page is aimed at (dev or admin or quick howto or ?) and ratings or something.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Friday, June 20, 2003 7:08 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] suggestions for OU delegation information sources

You might indeed have to wait for Robbie's Cookbook, but you can pre-order at Amazon: http://www.amazon.com/exec/obidos/ASIN/0596004648/qid=1055854721/sr=2-1/ref=sr_2_1/104-1580686-2322327 I've seen it and I think Robbie's done a fantastic job.
Tony

-- Original Message -- Wrom: MHVIBGDADRZFSQHYUCDDJBLVLM Reply-To: [EMAIL PROTECTED] Date: Thu, 19 Jun 2003 22:07:06 -0700

Bob is right - this is a must have on your shelf (along with Robbie's book(s), of course!)

I thought Robbie's stuff went without saying :-] These are the books that never make it to my bookshelves, they stay either _on_ my desk or in the car, that's as high of a tribute as I can pay to any book. In all honesty, I must admit to being very envious of Rick and Joe who have already seen Robbie's new book. The rest of us mere mortals must wait till it's published. I knew I should have kissed up to Robbie at DEC more VBG

-Original Message- Wrom: HAALPTCXLYRWTQTIPWIGYOKSTTZRCLBDXRQBGJSN Sent: Thursday, June 19, 2003 7:14 PM To: [EMAIL PROTECTED]

Anyone that doesn't have this book is really, REALLY missing out on a truly great book on AD. This book has detailed subjects that most other authors have not drilled into as well. Plus, the illustrations that they use (visually) are great. Robbie - your update to the AD book is wonderful. But, these two Finns did a GREAT job with a book that is absolutely phenomenal on what it covers. And, it covers it very well. Bob is right - this is a must have on your shelf (along with Robbie's book(s), of course!) Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message- Wrom: BOHMKHJYFMYXOEAIJJPHSCRTNHGSWZIDRE [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Thursday, June 19, 2003 5:02 PM To: [EMAIL PROTECTED]

Some of the better coverage I've seen of the subject is in Chapter 4 of Inside Active Directory: A System Administrator's Guide (ISBN: 0-201-61621-1), By Sakari Kouti and Mike Seitsonen If you don't have the book (highly recommended BTW) MS published that particular chapter on TechNet.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/AD/windows2000/deploy/confeat/securead.asp

-Original Message- Wrom: XCAXZOWCONEUQZAAFXISHJEXXIMQZUIVOTQNQEMSFDULH Sent: Thursday, June 19, 2003 1:45 PM To: Active Directory Mailing List (E-mail)

Hi All! As we continue to flesh out our AD structure, we are trying to give delegation authority for various objects in OUs to the appropriate groups. Being a control freak, I don't want to give these groups full control over all of the objects in the OU since this is also where our user accounts sit. We've done some experimenting with modifying the delegwiz.inf file to create custom templates but find that information for exact permissions needed to do a particular task is somewhat scarce. Has anyone put together a custom delegwiz.inf
[ActiveDir] Export AD
I have just a quick question. What I am looking to do is make a mirror of AD on a new test network I am setting up. Is there a way to export all of the Active Directory settings and import them in a new network?

Thanks
Ryan McDonald
Systems Administrator
RE: [ActiveDir] Export AD
Assuming you are using similar hardware, backup and restore a DC. You'll have to fix a lot of stuff at the first, but that's how we do our test network mirroring.

Benton Chase Wink
---
Benton Chase Wink, CCNA MCSE
The University of Texas at Austin
McCombs School of Business
Enterprise Server Team
ofc: 512-471-9938
cell: 512-619-9016

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, June 20, 2003 9:04 AM
To: [EMAIL PROTECTED]

I have just a quick question. What I am looking to do is make a mirror of AD on a new test network I am setting up. Is there a way to export all of the Active Directory settings and import them in a new network?

Thanks
Ryan McDonald
Systems Administrator
RE: [ActiveDir] Export AD
We use the MIRRORed disk to do this and a small script to delete all the other Domain Controllers and transfer the roles.

From: Benton Wink {winkb} [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 20, 2003 16:09
To: [EMAIL PROTECTED]

Assuming you are using similar hardware, backup and restore a DC. You'll have to fix a lot of stuff at the first, but that's how we do our test network mirroring.

Benton Chase Wink
---
Benton Chase Wink, CCNA MCSE
The University of Texas at Austin
McCombs School of Business
Enterprise Server Team
ofc: 512-471-9938
cell: 512-619-9016
RE: [ActiveDir] suggestions for OU delegation information sources
Late September or early October. The content is pretty much done now except for some final tech reviews (you know who you are :), but O'Reilly needs a full three months with it because it is going to be a 650-750 page book.

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: Hutchins, Mike [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 20, 2003 9:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] suggestions for OU delegation information sources

Anyone know when the AD cookbook is coming out?

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 20, 2003 6:35 AM
To: '[EMAIL PROTECTED]'

I'm slowly working on something like that over here:

http://www.wiredeuclid.com/modules.php?op=modloadname=booksfile=index

It's by no means complete, but it's slowly getting flushed out a bit. Of course, it probably shouldn't be running on a FreeBSD/Apache/PHP combination, though... ;)

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 20, 2003 8:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] suggestions for OU delegation information sources

Yeah I will get on this bandwagon as well and say that the Cookbook is a good book. The format will really fit what a lot of AD Admins out there need when they think, You know I just need to do this or that, I wonder if it is in the cookbook? - Oh cool, here it is, with several different ways to do it... Sort of like TIMTOWTDI man, rock on, this Robbie guy must have a perl mindset

But again, once you understand that one and are still hungry, get Managing Enterprise Active Directory Services. Then you will really be geared for some serious admin work (after your head stops spinning), then you go and find Gil's Active Directory Programming and have even more fun

If it doesn't exist somewhere (I am not aware of it) we should build a web page with must have reading for AD with descriptions and what the paper or book or web page is aimed at (dev or admin or quick howto or ?) and ratings or something.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: Friday, June 20, 2003 7:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] suggestions for OU delegation information sources

You might indeed have to wait for Robbie's Cookbook, but you can pre-order at Amazon:

http://www.amazon.com/exec/obidos/ASIN/0596004648/qid=1055854721/sr=2-1/ref=sr_2_1/104-1580686-2322327

I've seen it and I think Robbie's done a fantastic job.

Tony
RE: [ActiveDir] suggestions for OU delegation information sources
Shhhweet!

-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 20, 2003 9:19 AM
To: '[EMAIL PROTECTED]'

Late September or early October. The content is pretty much done now except for some final tech reviews (you know who you are :), but O'Reilly needs a full three months with it because it is going to be a 650-750 page book.

Robbie Allen
http://www.rallenhome.com/
RE: [ActiveDir] DNS Replication
I am setting up a new AD domain and I am seeing a slew of errors which I believe are DNS related, reading this thread has confused me somewhat... Here's my situation..

Empty forest root domain with 4 DC's with the Roles spread across them, all running AD integrated DNS. I then have a child domain with another 5 DC's which are also all running AD Integrated DNS. In the DNS settings I have set all servers to do Zone transfers only with servers listed on the name servers tab, and on the name servers tab I have listed all 9 DC's no matter if they were in the parent or child domain. Am I taking the wrong approach?

The error that I keep getting is this:

Event ID: 1265
Source: NTDS KCC
Type: Warning
Category: Knowledge Consistency
The attempt to establish a replication link with parameters
Partition: DC=yourinfo,DC=yourinfo,DC=yourinfo,DC=com
Source DSA DN: CN=NTDS Settings,CN=NT5-PCI-20,CN=Servers,CN=GSCIntranet,CN=Sites,CN=Configuration,DC=child,DC=yourdomain,DC=com
Source DSA Address: YourDomainController. YourDomain.com
Inter-site Transport (if any):
failed with the following status:
The DSA operation is unable to proceed because of a DNS lookup failure.
The record data is the status code. This operation will be retried.

I have read MS KB article 319202 and tried what they suggested to no avail. When I run DCdiag I also get the same errors when it gets to the kccevent check. The errors appear on most but not all of the DC's. They are physically located in 4 different buildings on the same campus, and I seem to have no problem pinging one another.

Thanks,
-Tim

From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 19, 2003 4:22 PM
To: '[EMAIL PROTECTED]'

It is correct that they will not replicate as part of AD replication, but there is no reason you can't do normal DNS zone transfers to accomplish a similar end point.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Victor Hugo Naranjo [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 19, 2003 1:31 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS Replication

Hi, DNS Zones configured as AD Integrated could not replicate between Parent and Child Domain, is it correct?

Sincerely,
Víctor Naranjo
MCSE, MCSA
Re: [ActiveDir] DNS Replication
have you tried?

http://eventid.net/display.asp?eventid=1265source=

- Original Message -
From: Wright, T. MR NSSB
To: '[EMAIL PROTECTED]'
Sent: Friday, June 20, 2003 11:19
Subject: RE: [ActiveDir] DNS Replication

I am setting up a new AD domain and I am seeing a slew of errors which I believe are DNS related, reading this thread has confused me somewhat... Here's my situation..

Empty forest root domain with 4 DC's with the Roles spread across them, all running AD integrated DNS. I then have a child domain with another 5 DC's which are also all running AD Integrated DNS. In the DNS settings I have set all servers to do Zone transfers only with servers listed on the name servers tab, and on the name servers tab I have listed all 9 DC's no matter if they were in the parent or child domain. Am I taking the wrong approach?

The error that I keep getting is this:

Event ID: 1265
Source: NTDS KCC
Type: Warning
Category: Knowledge Consistency
The attempt to establish a replication link with parameters
Partition: DC=yourinfo,DC=yourinfo,DC=yourinfo,DC=com
Source DSA DN: CN=NTDS Settings,CN=NT5-PCI-20,CN=Servers,CN=GSCIntranet,CN=Sites,CN=Configuration,DC=child,DC=yourdomain,DC=com
Source DSA Address: YourDomainController. YourDomain.com
Inter-site Transport (if any):
failed with the following status:
The DSA operation is unable to proceed because of a DNS lookup failure.
The record data is the status code. This operation will be retried.

I have read MS KB article 319202 and tried what they suggested to no avail. When I run DCdiag I also get the same errors when it gets to the kccevent check. The errors appear on most but not all of the DC's. They are physically located in 4 different buildings on the same campus, and I seem to have no problem pinging one another.

Thanks,
-Tim
[ActiveDir] Group Policy Cconnect.adm
Hey,

We are trying to install the Cconnect.adm to limit the number of logins per user through Group Policy. It appears to have installed and is configured to limit the connection numbers, but it does not work. Also the icon when editing the Group Policy is red instead of our normal blue, I don't know if that means anything. Has anyone used this successfully?

Thanx
Don
RE: [ActiveDir] DNS Replication
I looked at eventid previously and I have tried most of the stuff listed for the error that I have been seeing. I have actually narrowed it down a little further..

For some reason certain servers in the parent domain are unable to replicate with certain servers in the child domain... For example Server1, Server2, and Server3 are in the parent domain, when I go to Sites and Services and force replication they have no problem replicating with each other but they all have problems replicating with Server6 which is in the child domain. But they can replicate with server4 and server5 which are also in the child domain. I think I have narrowed it down to two servers that are having issues, I am going to try to manually build my replication objects and see where that gets me.

Thanks,
-Tim

From: David N. Precht [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 20, 2003 12:59 PM
To: [EMAIL PROTECTED]

have you tried?

http://eventid.net/display.asp?eventid=1265source=
RE: [ActiveDir] Group Policy Cconnect.adm
Have you installed the cconnect.exe on each client computer? That is required as well.

The red icon in the GP editor indicates that the policy is a preference, rather than a policy. Policies don't tattoo the registry--preferences do. It's not a huge concern--just need to be aware that if you need to undo that policy, you need to set the policy items to do the opposite of what they do now instead of just removing the GPO.

-Original Message-
From: Don L. Hollingshead [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 20, 2003 10:40 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Group Policy Cconnect.adm

Hey,

We are trying to install the Cconnect.adm to limit the number of logins per user through Group Policy. It appears to have installed and is configured to limit the connection numbers, but it does not work. Also the icon when editing the Group Policy is red instead of our normal blue, I don't know if that means anything. Has anyone used this successfully?

Thanx
Don
[ActiveDir] Has anyone ever seen this file?
SYSVOL\fully_qualified_domain_name\Policies\{Policy_Guid}\Adm\GptTmpl.tmp