[ActiveDir] LogonServer
Hi, we have a domain called cts.com and under this domain we have several sites. In a site called Pune we have 2 domain controllers which are physically located in 2 different buildings connected by an 8 Mbps line. Let's say ctsinpuncfaa is located in building A and ctsinpuncfcc is located in building B. Practically, if users are sitting in building B then ctsinpuncfcc should authenticate them. But some of the desktops are going to ctsinpuncfaa and some are going to out-of-site domain controllers (we are getting this information from the LOGONSERVER environment variable).

How can I restrict users from building B to get authentication from the building B DC only? Which DC server settings decide this factor?

Any help will be appreciated.

Regards,
Dinesh

This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. Any unauthorised review, use, disclosure, dissemination, forwarding, printing or copying of this email or any action taken in reliance on this e-mail is strictly prohibited and may be unlawful. Visit us at http://www.cognizant.com
RE: [ActiveDir] LogonServer
Hi Guido,

Thanks for the reply, here are a few more inputs. Both these DCs are in different subnets and I really don't want to change any property of other sites. Is there anything I can change in the PUNE site?

-dinesh

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] LogonServer
> In a site called Pune we have 2 domain controllers which are physically located in 2 different buildings connected by 8mbps line.

That's your problem = DCs in the same site will be treated the same - and if both buildings are in the same subnet, then there's not much that you can do about it (you can configure preferred DCs for the clients via registry/GPO, but that's a pain to manage).

If the two buildings do have different subnets, then you could tune the priorities for the service records in DNS, but it's likely easier to create and manage an extra site. This way you can most transparently differentiate the two buildings and your clients will automatically prefer the only DC in their site.

/Guido
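The "extra site" approach Guido recommends, as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module (Windows Server 2012 or later / RSAT), that building B's workstations sit in 10.10.20.0/24 (a constructed subnet, not one from the thread), that the existing Pune site keeps ctsinpuncfaa and building A's subnets, that the forest still has its default site link named DEFAULTIPSITELINK, and that WinRM is enabled on the DC; the site name Pune-BuildingB is likewise an assumption.

```powershell
# Added example (not from the thread): split the Pune site so that each building
# is its own AD site with its own DC. Assumptions: ActiveDirectory module present,
# building B clients live in 10.10.20.0/24 (constructed), the default site link is
# still called DEFAULTIPSITELINK, and ctsinpuncfcc is the DC for building B.
Import-Module ActiveDirectory

$domain  = 'cts.com'
$oldSite = 'Pune'            # keeps ctsinpuncfaa and building A's subnets
$newSite = 'Pune-BuildingB'  # assumed name for the new site
$bSubnet = '10.10.20.0/24'   # assumed building B client subnet
$bDc     = 'ctsinpuncfcc'

# 1. Create the site and put it on the same site link as Pune, so replication
#    between the two buildings' DCs is scheduled over the 8 Mbps line. A site that
#    is on no site link has no replication topology at all.
New-ADReplicationSite -Name $newSite -Description 'Pune, building B'
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = $newSite }

# 2. Bind building B's client subnet to the new site. This is what the DC locator
#    uses to decide which site a client is in: a client whose address matches no
#    subnet object has no site and takes whatever the domain-wide SRV records return.
New-ADReplicationSubnet -Name $bSubnet -Site $newSite -Location 'Pune building B'

# 3. Move the building B DC into the new site, then make Netlogon re-register its
#    site-specific SRV records now instead of at its next periodic refresh
#    (restarting the Netlogon service on the DC has the same effect).
Move-ADDirectoryServer -Identity $bDc -Site $newSite
Invoke-Command -ComputerName $bDc -ScriptBlock { nltest /dsregdns }

# 4. Verify in DNS: the new site's record should list only ctsinpuncfcc and the
#    Pune record only ctsinpuncfaa. Additional-section A records are filtered out.
foreach ($site in $oldSite, $newSite) {
    Resolve-DnsName -Type SRV -Name "_ldap._tcp.$site._sites.dc._msdcs.$domain" |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object @{ n = 'Site'; e = { $site } }, NameTarget, Priority, Weight, Port
}

# 5. Run on a building B workstation: the site it resolved to and the DC it will
#    use from now on. /force bypasses the locator cache.
nltest /dsgetsite
nltest /dsgetdc:$domain /force
```

Step 5 is the check to trust over LOGONSERVER: the environment variable is fixed at logon time and only changes at the next logon, whereas `nltest /dsgetdc` shows what the locator picks right now. Clients cache their site name and refresh it periodically, so a workstation may keep reporting the old site for a short while after the subnet object is created.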
RE: [ActiveDir] LogonServer
You can't change anything in the site configuration itself (a site is meant to treat every DC basically the same way). What are your reasons for not wanting to change the site config (i.e. adding another site) - other than not having the permissions to do so? The other options tend to bite you later.

/Guido
RE: [ActiveDir] LogonServer
From: Michel SAKR

The added site will not harm your configuration. Site configurations are intended for problems like yours.
RE: [ActiveDir] LogonServer
Absolutely, there is no harm in making another site. But my basic question is: why do client desktops get authentication from a DC other than their OWN site? If I create another site for building B then again the same problem may occur.

-Dinesh
RE: [ActiveDir] LogonServer
They will authenticate on the same DC that is on their site subnet.
RE: [ActiveDir] LogonServer
Workstations will follow a pre-defined set of checks to get authentication. You can't, and I'd argue don't want to, prevent them from being able to get authentication if they don't get it in their own site. This set of checks is dependent on the workstation version as well. What workstation versions are you running in these sites?

As for sites, the site is the way to define the preferred DC to authenticate the workstations. It's not an absolute, but in your situation, having a site for building A and a site for building B sounds like what you want. If the workstations fail to authenticate in site A, then they'll go looking for other sites either via DNS or, failing that, via broadcast, depending on how you have them configured. Check out the reskit for workstations and Active Directory to see more information about how this process works.

Al
RE: [ActiveDir] LogonServer
If I understand your original post, some of the workstations are authenticating to the DC in the other building (same site), and some are using a DC in a completely different site. The other responses answer the first issue (all DCs are treated the same within a site), but don't address the second issue, so here goes...

Do all of your subnets have a corresponding subnet object in AD? Are all of those subnet objects associated with the correct site object? That's generally the key to ensuring that the clients know what site they belong to so they prefer the DCs in their own site.

The above all assumes 'site-aware' clients, of course - Win2K or WinXP. I believe the AD Client add-on for NT4 is site-aware as well, but I've never used it so can't say for sure how it works.

Dave
RE: [ActiveDir] LogonServer
Many thanks for the responses to my query. Now all workstations (Windows 2000 Professional) are getting authentication from the correct DCs. Our previous system administrator made a big mistake: he had not defined subnets for the Building B workstations in Sites and Subnets. After adding all subnets, all workstations started getting authentication from their OWN sites. Apologies for causing confusion, but I have learned a lot of good stuff from this post.

-Dinesh

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 14, 2004 6:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LogonServer

Workstations will follow a pre-defined set of checks to get authentication. You can't, and I'd argue don't want to, prevent them from being able to get authentication if they don't get it in their own site. This set of checks is dependent on the workstation version as well. What workstation versions are you running in these sites?

As for sites, the site is the way to define the preferred DC to authenticate the workstations. It's not an absolute, but in your situation, having a site for Building A and a site for Building B sounds like what you want. If the workstations fail to authenticate in site A, then they'll go looking for other sites, either via DNS or, failing that, via broadcast, depending on how you have them configured. Check out the reskit for workstations and Active Directory to see more information about how this process works.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tashildar, Dinesh (Cognizant)
Sent: Monday, June 14, 2004 8:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LogonServer

Absolutely, there is no harm in making another site. But my basic question is: why do client desktops get authentication from a DC other than their OWN site? If I create another site for Building B, then the same problem may occur again.

-Dinesh

-----Original Message-----
From: Michel SAKR [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 14, 2004 4:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LogonServer

The added site will not harm your configuration. Site configurations are intended for problems like yours.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Monday, June 14, 2004 11:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LogonServer

You can't change anything in the site configuration itself (a site is meant to treat every DC basically the same way). What are your reasons for not wanting to change the site config (i.e. adding another site), other than not having the permissions to do so? The other options tend to bite you later.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tashildar, Dinesh (Cognizant)
Sent: Monday, 14 June 2004 09:28
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LogonServer

Hi Guido, thanks for the reply; here are a few more inputs. Both these DCs are in different subnets and I really don't want to change any property of other sites. Is there anything I can change in the PUNE site?

-dinesh

-----Original Message-----
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 14, 2004 12:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LogonServer

> In a site called Pune we have 2 domain controllers which are physically located in 2 different buildings connected by 8mbps line.

That's your problem = DCs in the same site will be treated the same, and if both buildings are in the same subnet, then there's not much that you can do about it (you can configure preferred DCs for the clients via registry/GPO, but that's a pain to manage). If the two buildings do have different subnets, then you could tune the priorities for the service records in DNS, but it's likely easier to create and manage an extra site. This way you can most transparently differentiate the two buildings and your clients will automatically prefer the only DC in their site.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tashildar, Dinesh (Cognizant)
Sent: Monday, 14 June 2004 08:33
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LogonServer

Hi, we have a domain called cts.com and under this domain we have several sites. In a site called Pune we have 2 domain controllers which are physically located in 2 different buildings connected by an 8mbps line. Let's say ctsinpuncfaa is located in Building A and ctsinpuncfcc is located in Building B. Practically, if users are sitting in Building B then ctsinpuncfcc should authenticate them. But some of the desktops are going to ctsinpuncfaa and some to out-of-site domain controllers. (We are getting this information from the LOGONSERVER environment variable.) How can I restrict users in Building B to get authentication from the Building B DC only? Which DC server settings decide this factor? Any help will be appreciated.

Regards,
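Dinesh's fix (adding the subnet objects that were missing for Building B) is what lets the DC locator place a client in a site. As an added example, not code from the thread or from Microsoft, the Python script below applies the same rule the locator uses, the most specific subnet object containing the client's address, to a list of workstations and flags the ones that no subnet covers; the subnets, site names and hostnames are constructed sample data.

```python
"""Added example: map client IPs to AD sites by longest-prefix subnet match and
report clients that no subnet object covers (constructed data, not the thread's)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed subnet-to-site table, one site per building as the thread ends up
# with. In a real check this would be read from the siteObject attribute of each
# object under CN=Subnets,CN=Sites,CN=Configuration; these prefixes are assumptions.
SUBNET_TO_SITE: Dict[str, str] = {
    "10.10.0.0/16": "Pune-BuildingA",
    "10.10.20.0/24": "Pune-BuildingB",   # more specific than the /16, so it wins
    "10.20.0.0/16": "Mumbai",
}


def resolve_site(client_ip: str, table: Dict[str, str] = SUBNET_TO_SITE) -> Optional[str]:
    """Return the site of the longest-prefix subnet containing client_ip, or
    None when no subnet object covers it (the thread's root cause)."""
    ip = ipaddress.ip_address(client_ip)
    best: Optional[Tuple[int, str]] = None
    for prefix, site in table.items():
        net = ipaddress.ip_network(prefix, strict=True)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def unmapped_clients(clients: Dict[str, str], table: Dict[str, str] = SUBNET_TO_SITE) -> List[str]:
    """Hostnames whose IP maps to no site. Such clients are not site-aware and
    will accept whichever DC answers first, including out-of-site ones."""
    return sorted(host for host, ip in clients.items() if resolve_site(ip, table) is None)


def site_report(clients: Dict[str, str], table: Dict[str, str] = SUBNET_TO_SITE) -> Dict[str, List[str]]:
    """Group hostnames by resolved site; the key "UNMAPPED" collects the gaps."""
    report: Dict[str, List[str]] = {}
    for host, ip in clients.items():
        report.setdefault(resolve_site(ip, table) or "UNMAPPED", []).append(host)
    return {site: sorted(hosts) for site, hosts in report.items()}


if __name__ == "__main__":
    # Constructed workstations; 172.16.5.0/24 is a Building B VLAN nobody registered.
    sample = {
        "ws-a01": "10.10.3.15",
        "ws-b01": "10.10.20.7",
        "ws-b02": "172.16.5.9",
        "ws-m01": "10.20.1.1",
    }
    for site, hosts in site_report(sample).items():
        print(f"{site}: {', '.join(hosts)}")
```

Hosts listed under UNMAPPED are the ones whose LOGONSERVER will wander, and the fix is the one Dinesh applied: create the missing subnet object and assign it to the right site.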
RE: [ActiveDir] Child domain login.
Right, it was the "you don't have rights to log on interactively" error.

From: joe [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 04, 2004 8:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Child domain login.

Yeah, let me correct something I said down below, as I was obviously on crack. I ran out the door after this and the other group posting and came back to a note from Dean letting me know I was smoking something, which he sent within seconds of me sending out this mistake... I think he gets notes from this list that are from me with screwups delivered to a special paging mailbox or something...

No mode of the domain will allow you to add a user from another domain to a global group. I had just responded to an email about adding child admins to the Enterprise Admins group and how come that wasn't working, and my mind got stuck there I guess. Anyway, there used to be a bug where you could sneak in other domain members into GGs via group nesting. At least if you manually chased the group memberships it would look like someone from another domain was in a global group, but it wouldn't work properly. They fixed that possibility in SP2. You can't add Unis to globals. You can only add globals and users from the same domain to globals.

I am curious when you say the UPN worked... What exactly is the error message when trying to log on? I assumed it was the old "you don't have rights to logon interactively" error.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Friday, June 04, 2004 6:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Child domain login.

All domains are in Native mode. I have created (to test my problem) a global group in the root domain and nested it in a Universal group in the root domain. I then placed the Universal group in a global group and a DL group in the child domain. Still no login with the root account, except for using a UPN [EMAIL PROTECTED], which did let me in...

Mike

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 04, 2004 1:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Child domain login.

Are your domains in Native Mode? [Mike Hogenauer] If not, you will not be able to add a userid from the root domain to the child domain's Domain Admins.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Friday, June 04, 2004 1:48 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Child domain login.

So I created a child domain to my root domain; my account is in the Enterprise Admins group. The install of the child domain completed successfully and I can log in to that domain with an account local to that domain. Also, when I select a domain from the domain list it sees my forest root and child domain, but I cannot log in to my child domain with my account. I'm running Windows 2000; the root domain hosts all DNS, there are no DNS servers in the child domain, and they all point to the root domain for DNS. I tried to add my account to a local group in the child domain but I can't pull back a list of users. Thanks in advance for any help!!!

Mike
[ActiveDir] SID question
Can a SID be "copied" from one account to another between domains in the same forest? The scenario is this: an account is migrated using ADMT from an NT4 domain into a child domain in a 2003 forest. An account with the same username is going to be copied into the root from an external LDAP source. One of the higher-ups here wants to have the account in the root domain be what the user uses. So, he wants to know if the SID can be "copied" from the account in the child OU, and then have the child OU account deleted. I'm thinking no, but I wanted to make sure before telling him that. Thanks in advance.

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477
RE: [ActiveDir] SID question
If you are talking about the user's domain account, it is a GUID, globally unique ID, the domain version of a SID. There can be only one of these in a domain. Copying it would give you two of the same at the same time: forbidden.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Flesher
Sent: Monday, June 14, 2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SID question

Can a SID be "copied" from one account to another between domains in the same forest? The scenario is this: an account is migrated using ADMT from an NT4 domain into a child domain in a 2003 forest. An account with the same username is going to be copied into the root from an external LDAP source. One of the higher-ups here wants to have the account in the root domain be what the user uses. So, he wants to know if the SID can be "copied" from the account in the child OU, and then have the child OU account deleted. I'm thinking no, but I wanted to make sure before telling him that. Thanks in advance.

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477
RE: [ActiveDir] SID question
I guess I should clarify a little better. The "planner" is looking to copy the SIDhistory info from the migrated account to a fresh, clean account in the root domain. So, it would be an NT4-to-2003 child domain migration, and then a copy of the SIDhistory info to the root domain account that is pushed over from an LDAP repository.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bruce Clingaman
Sent: Monday, June 14, 2004 3:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SID question

If you are talking about the user's domain account, it is a GUID, globally unique ID, the domain version of a SID. There can be only one of these in a domain. Copying it would give you two of the same at the same time: forbidden.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Flesher
Sent: Monday, June 14, 2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SID question

Can a SID be "copied" from one account to another between domains in the same forest? The scenario is this: an account is migrated using ADMT from an NT4 domain into a child domain in a 2003 forest. An account with the same username is going to be copied into the root from an external LDAP source. One of the higher-ups here wants to have the account in the root domain be what the user uses. So, he wants to know if the SID can be "copied" from the account in the child OU, and then have the child OU account deleted. I'm thinking no, but I wanted to make sure before telling him that. Thanks in advance.

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477
RE: [ActiveDir] SID question
Depending on your C++ skills, there is an API call: http://msdn.microsoft.com/library/default.asp?url=""

From: Chris Flesher [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 14, 2004 1:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SID question

I guess I should clarify a little better. The planner is looking to copy the SIDhistory info from the migrated account to a fresh, clean account in the root domain. So, it would be an NT4-to-2003 child domain migration, and then a copy of the SIDhistory info to the root domain account that is pushed over from an LDAP repository.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bruce Clingaman
Sent: Monday, June 14, 2004 3:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SID question

If you are talking about the user's domain account, it is a GUID, globally unique ID, the domain version of a SID. There can be only one of these in a domain. Copying it would give you two of the same at the same time: forbidden.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Flesher
Sent: Monday, June 14, 2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SID question

Can a SID be copied from one account to another between domains in the same forest? The scenario is this: an account is migrated using ADMT from an NT4 domain into a child domain in a 2003 forest. An account with the same username is going to be copied into the root from an external LDAP source. One of the higher-ups here wants to have the account in the root domain be what the user uses. So, he wants to know if the SID can be copied from the account in the child OU, and then have the child OU account deleted. I'm thinking no, but I wanted to make sure before telling him that. Thanks in advance.

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477
RE: [ActiveDir] SID question
How about first _MOVING_ the accounts from the child domain to the root domain (can be done via ADMT or the movetree command), then updating these from your LDAP source afterwards.

= user will keep GUID and UG/DLG memberships and will be dropped from GGs
= user will keep same PW and other attributes (does not require PES)
= user will get a new SID in and the old SID will be added to the SIDhistory of the user
= local user profiles on Win2k/XP clients usually continue to work for the users (via GUID referrals), but not for NT4 (which only relies on SID to resolve profile path)

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Flesher
Sent: Monday, 14 June 2004 22:02
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SID question

Can a SID be "copied" from one account to another between domains in the same forest? The scenario is this: an account is migrated using ADMT from an NT4 domain into a child domain in a 2003 forest. An account with the same username is going to be copied into the root from an external LDAP source. One of the higher-ups here wants to have the account in the root domain be what the user uses. So, he wants to know if the SID can be "copied" from the account in the child OU, and then have the child OU account deleted. I'm thinking no, but I wanted to make sure before telling him that. Thanks in advance.

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477
[ActiveDir] Uninstallation
Our new PDC from Dell turns out to be physically damaged inside, so we're sending it back. I want to remove AD from the system (for security reasons) but DCPROMO isn't working because this DC is now off the LAN. It's off the LAN because I successfully cloned (via NTBackup) its behavior to the replacement PDC, which now has its same name and IP address. Is there a quick and easy way to wipe out AD without actually reformatting the system? Thanks!

Mal
[ActiveDir] Export Permissions List
Hi-

I think I saw this flash by on the list recently. I am looking for a tool to create a report of the NTFS security permissions on folders on a drive. I have seen a reference to this command:

CALCS C:\* /T /C "C:\C Permissions.txt"

but that does not seem to work. Is that a Unix command? Any help appreciated.

nme

--
Noah M. Eiger
EIS Consulting for PRBO Conservation Science
510-717-5742
[EMAIL PROTECTED]
[ActiveDir] User timeouts
I'm trying to get users to automatically log out after a certain timeout setting. I've read all over that setting the timeout under Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options: "Amount of idle time required before suspending session" is the way to go. I set it to 15 minutes, but alas it appears to make no difference. Any suggestions?
RE: [ActiveDir] Uninstallation
Try dcpromo /forceremoval. This will remove AD from the server and turn it back into a standalone.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Malachi Burke
Sent: Monday, June 14, 2004 5:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Uninstallation

Our new PDC from Dell turns out to be physically damaged inside, so we're sending it back. I want to remove AD from the system (for security reasons) but DCPROMO isn't working because this DC is now off the LAN. It's off the LAN because I successfully cloned (via NTBackup) its behavior to the replacement PDC, which now has its same name and IP address. Is there a quick and easy way to wipe out AD without actually reformatting the system? Thanks!

Mal
RE: [ActiveDir] Export Permissions List
xcacls C:\*.* /Cc:\Perm_Reports.log will create such a "huge" report file. Depending on how many objects you have in the folder, the report may be so large you'd need a crowbar to open it.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Noah Eiger
Sent: Mon 6/14/2004 5:50 PM
To: Active Directory List
Subject: [ActiveDir] Export Permissions List

Hi-

I think I saw this flash by on the list recently. I am looking for a tool to create a report of the NTFS security permissions on folders on a drive. I have seen a reference to this command:

CALCS C:\* /T /C "C:\C Permissions.txt"

but that does not seem to work. Is that a Unix command? Any help appreciated.

nme

--
Noah M. Eiger
EIS Consulting for PRBO Conservation Science
510-717-5742
[EMAIL PROTECTED]
RE: [ActiveDir] Export Permissions List
Thanks. This does not seem to be in the Windows Server 2003 RK. Know where I can get it? Or is there something else (that does not require a crowbar) to do the job?

From: Deji Akomolafe [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 14, 2004 8:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Export Permissions List

xcacls C:\*.* /Cc:\Perm_Reports.log will create such a "huge" report file. Depending on how many objects you have in the folder, the report may be so large you'd need a crowbar to open it.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Noah Eiger
Sent: Mon 6/14/2004 5:50 PM
To: Active Directory List
Subject: [ActiveDir] Export Permissions List

Hi-

I think I saw this flash by on the list recently. I am looking for a tool to create a report of the NTFS security permissions on folders on a drive. I have seen a reference to this command:

CALCS C:\* /T /C "C:\C Permissions.txt"

but that does not seem to work. Is that a Unix command? Any help appreciated.

nme

--
Noah M. Eiger
EIS Consulting for PRBO Conservation Science
510-717-5742
[EMAIL PROTECTED]
RE: [ActiveDir] Export Permissions List
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/xcacls-o.asp

What, you are scared of crowbars? ;)

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Noah Eiger
Sent: Mon 6/14/2004 9:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Export Permissions List

Thanks. This does not seem to be in the Windows Server 2003 RK. Know where I can get it? Or is there something else (that does not require a crowbar) to do the job?

From: Deji Akomolafe [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 14, 2004 8:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Export Permissions List

xcacls C:\*.* /Cc:\Perm_Reports.log will create such a "huge" report file. Depending on how many objects you have in the folder, the report may be so large you'd need a crowbar to open it.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
http://www.readymaids.com/ - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Noah Eiger
Sent: Mon 6/14/2004 5:50 PM
To: Active Directory List
Subject: [ActiveDir] Export Permissions List

Hi-

I think I saw this flash by on the list recently. I am looking for a tool to create a report of the NTFS security permissions on folders on a drive. I have seen a reference to this command:

CALCS C:\* /T /C "C:\C Permissions.txt"

but that does not seem to work. Is that a Unix command? Any help appreciated.

nme

--
Noah M. Eiger
EIS Consulting for PRBO Conservation Science
510-717-5742
[EMAIL PROTECTED]