Re: [ActiveDir] BDC upgrade
I've seen upromote used on a project to demote more than a hundred (yes, 100!!!) BDCs to member servers in preparation for an AD upgrade. Worked pretty darn close to flawlessly.

On 10/20/04 7:53 PM, Ayers, Diane [EMAIL PROTECTED] wrote:

Ditto. Used it once to demote a BDC that was also a time source in the NT 4.0 world. Wanted to keep the server but didn't want it to be a BDC anymore. Best $99 bucks spent as far as saved time, etc.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stockbrugger, Brian L.
Sent: Wednesday, October 20, 2004 4:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] BDC upgrade

We have used this tool on two occasions and it worked flawlessly both times. We went into it knowing the risks and ramifications. In the end it saved us days of work which was the alternative and well worth the risk.

~Brian

From: Robert Rutherford [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 20, 2004 4:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] BDC upgrade

http://utools.com/UPromote.asp

BR
Rob

From: [EMAIL PROTECTED] on behalf of Perdue David J Contr InDyne/Enterprise IT
Sent: Wed 20/10/2004 23:59
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] BDC upgrade

I think this is the one you are talking about Brian. It's formerly Aelita, but now is Quest.

http://wm.quest.com/products/domainmigrationwizard/

They've got a product that will demote a NT4 PDC/BDC. It's pretty slick. And totally not supported by MS.

Dave
David J. Perdue MCSE 2000, MCSE NT, MCSA, MCP+I

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, October 20, 2004 3:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] BDC upgrade

Have you looked into the File Server Migration Toolkit from MS? It's a utility for moving file servers and it includes a patch for 2003 that makes it so the old server name still works - utilizes a SP1 feature called DFS Consolidation Roots.

That aside, I forget who (been awhile), but somebody makes a hundred dollar utility which will let you convert a BDC to a member server. It's totally unsupported by MS, so if stuff breaks, you may be out of luck. I'd look towards the migration kit mentioned above, myself.

Thanks.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Janson Anderson
Sent: Wednesday, October 20, 2004 5:29 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] BDC upgrade

Hi all,

I'm merging/upgrading some NT 4 domains together. Domain A and Domain B are both account and resource domains. I've upgraded Domain A to 2003, and am planning to migrate users and computers from Domain B into Domain A using ADMT v2. Domain B is small. In fact when I took over it consisted of a single PDC that had all files on it. I've since added a second DC and transferred the PDC role to it.

So, to get to my question: The BDC in Domain B has all the files of the Users I am going to be transferring. Is there any way to upgrade this BDC to a 2003 member server without upgrading the domain to 2k3 AD first? I would then just move it to domain A as a member server using ADMT. From what I've read it seems the only way would be to upgrade the PDC to 2k3, then upgrade this bdc to 2k3 then dcpromo it down to a member server. Is this the route I have to take, or is there an easier way?

Thanks in advance for the help.

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Centralized vs. decentralized administration
Delegation in AD can be very very granular. Don't think of it as a need to decentralize administration - think of it as giving those in the field the tools they need to do their jobs. I would never advocate handing out administrative privileges without sufficient reason, but I am in favor of giving folks the level of authoritative permissions they need to do what they need to do.

Now, not having any knowledge of your environment, I'd offer the suggestion that you figure out what sort of pseudo-admins you have in your organization, determine how many different types you have, and figure out exactly what sort of administrative tasks they will need to be doing to be successful. Determine, based on this list, where and what sort of delegation you need to do. Then you scope that out in a lab and try doing the work they need to do using a variety of test accounts. Don't forget to make sure that delegating one thing didn't break something else for your higher level admins! Also, can regular users do what they need to do? Ideally, develop MMC consoles specific to those roles.

Finally, go back and evaluate your test results. I'd suggest getting some of these 'field' or 'site' folks involved in the process to ensure that they (a) buy in to it and (b) validate what you are testing meets their needs.

It's important to note that in AD, if you are overly 'permissive' it is WAY too easy for an admin to change something "a" that breaks something else "p" - and then troubleshooting that is a nightmare. Do you have Exchange? Don't forget about that integration and how changes to AD can inadvertently affect E2K or E2K3. Explaining this to an executive sponsor or high level manager can help give you the leverage to manage the delegation in the appropriate way. Too many times folks in the field are used to being admins at some level and so claim they can't do their job without being one again. In AD, nothing is further from the truth.

Lastly, change control becomes so much more important than it was in NT4. Hold GPO editing rights close to the vest and document everything you do there.

Hope that helps a little!

Rick

On 10/20/04 7:08 PM, Perdue David J Contr InDyne/Enterprise IT [EMAIL PROTECTED] wrote:

Nathan,

I think you made one of the best points, their own users have no AD admin experience. If you're in a single domain, obviously something done at one site will have a severe impact on another site. Possibly rendering multiple sites from being able to authenticate.

I don't know what your environment is like or the issues that you are facing. It may be easier to use AD delegation and define what the sites will be allowed to do: Unlock Accounts, Change Passwords, modify some group membership, Create Users, etc. But leave AD Administration, GPO Management, Network Infrastructure Services, etc to the central office.

The rub is that you will really need coordination between the sites for service/support with the central office. If that doesn't work dissatisfaction and dissension will set in.

What are you willing to let them do?

Dave
David J. Perdue MCSE 2000, MCSE NT, MCSA, MCP+I

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey
Sent: Wednesday, October 20, 2004 3:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Centralized vs. decentralized administration

Anyone have a good argument against decentralized administration in a single domain, multi site AD environment? Currently all user, computer, group, etc admin is handled by the IT dept. Now, we need to justify why we should NOT let users at the sites admin their own users, computer, groups, etc. For the most part the users at the sites that want to admin their own users have no AD admin experience.

Any suggestions would be helpful

Thanks
Nathan
RE: [ActiveDir] AD Group Export GUI?
Where can I download csvde.exe to be run on Windows XP?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Friday, September 17, 2004 12:36 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD Group Export GUI?

Investigate a utility called CSVDE utility, this hands-on is the best utility I've found doing CSV exports of AD data. I've exported 85k users in about 20 seconds to a text file from AD.

watch for word-wrap
http://www.microsoft.com/resources/documentation/WindowsServ/2003/datacenter/proddocs/en-us/Default.asp?url=

Steve Schofield
[EMAIL PROTECTED]

- Original Message -
From: Harding, Devon
To: [EMAIL PROTECTED]
Sent: Thursday, September 16, 2004 4:47 PM
Subject: [ActiveDir] AD Group Export GUI?

Is there a GUI or easy way to export AD group members to a text or csv list?

Devon Harding
Windows Systems Engineer
Southern Wine Spirits - GSD
954-602-2469
Re: [ActiveDir] BDC upgrade
I looked into this a while ago. Like you, lots of people said they had very good experience with the product. Unfortunately, we weren't able to use it in our environment because of problems with the Compaq SMART RAID disk array controller. This is from the UPromote FAQ:

Q: Is UPromote compatible with the Compaq SMART RAID disk array controller?

A: The Compaq SMART RAID disk array controller has a known problem where it sometimes loses data when rebooting. This includes registry modifications. To prevent problems UPromote will warn you if it detects the presence of a Compaq SMART RAID disk array controller. For more information see Compaq SMART RAID.

I also heard that MS won't support systems that have been demoted using Upromote. If this concerns you at all you might want to double-check with your Microsoft TAM.

Tony

-- Original Message --
From: Rick Boza [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 21 Oct 2004 09:02:21 -0400

I've seen upromote used on a project to demote more than a hundred (yes, 100!!!) BDC's to member servers in preparation for an AD upgrade. Worked pretty darn close to flawlessly.

On 10/20/04 7:53 PM, Ayers, Diane [EMAIL PROTECTED] wrote:

Ditto. Used it once to demote a BDC that was also a time source in the NT 4.0 world. Wanted to keep the server but didn't want it to be a BDC anymore. Best $99 bucks spent as far as saved time, etc.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stockbrugger, Brian L.
Sent: Wednesday, October 20, 2004 4:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] BDC upgrade

We have used this tool on two occasions and it worked flawlessly both times. We went into it knowing the risks and ramifications. In the end it saved us days of work which was the alternative and well worth the risk.

~Brian

From: Robert Rutherford [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 20, 2004 4:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] BDC upgrade

http://utools.com/UPromote.asp

BR
Rob

From: [EMAIL PROTECTED] on behalf of Perdue David J Contr InDyne/Enterprise IT
Sent: Wed 20/10/2004 23:59
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] BDC upgrade

I think this is the one you are talking about Brian. It's formerly Aelita, but now is Quest.

http://wm.quest.com/products/domainmigrationwizard/

They've got a product that will demote a NT4 PDC/BDC. It's pretty slick. And totally not supported by MS.

Dave
David J. Perdue MCSE 2000, MCSE NT, MCSA, MCP+I

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, October 20, 2004 3:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] BDC upgrade

Have you looked into the File Server Migration Toolkit from MS? It's a utility for moving file servers and it includes a patch for 2003 that makes it so the old server name still works - utilizes a SP1 feature called DFS Consolidation Roots.

That aside, I forget who (been awhile), but somebody makes a hundred dollar utility which will let you convert a BDC to a member server. It's totally unsupported by MS, so if stuff breaks, you may be out of luck. I'd look towards the migration kit mentioned above, myself.

Thanks.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Janson Anderson
Sent: Wednesday, October 20, 2004 5:29 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] BDC upgrade

Hi all,

I'm merging/upgrading some NT 4 domains together. Domain A and Domain B are both account and resource domains. I've upgraded Domain A to 2003, and am planning to migrate users and computers from Domain B into Domain A using ADMT v2. Domain B is small. In fact when I took over it consisted of a single PDC that had all files on it. I've since added a second DC and transferred the PDC role to it.

So, to get to my question: The BDC in Domain B has all the files of the Users I am going to be transferring. Is there any way to upgrade this BDC to a 2003 member server without upgrading the domain to 2k3 AD first? I would then just move it to domain A as a member server using ADMT. From what I've read it seems the only way would be to upgrade the PDC to 2k3, then upgrade this bdc to 2k3 then dcpromo it down to a member server. Is this the route I have to take, or is there an easier way?

Thanks in advance for the help.
RE: [ActiveDir] AD Group Export GUI?
Copy it from a DC.

%systemroot%\system32\csvde.exe

Tony

-- Original Message --
From: Harding, Devon [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 21 Oct 2004 09:14:14 -0400

Where can I download csvde.exe to be run on Windows XP?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Friday, September 17, 2004 12:36 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD Group Export GUI?

Investigate a utility called CSVDE utility, this hands-on is the best utility I've found doing CSV exports of AD data. I've exported 85k users in about 20 seconds to a text file from AD.

watch for word-wrap
http://www.microsoft.com/resources/documentation/WindowsServ/2003/datacenter/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/datacenter/proddocs/en-us/csvde.asp

Steve Schofield
[EMAIL PROTECTED]

- Original Message -
From: Harding, Devon mailto:[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, September 16, 2004 4:47 PM
Subject: [ActiveDir] AD Group Export GUI?

Is there a GUI or easy way to export AD group members to a text or csv list?

Devon Harding
Windows Systems Engineer
Southern Wine Spirits - GSD
954-602-2469
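An added example, not part of the thread and not written by any of the posters: csvde writes one row per group with all members packed into a single cell, so a membership review usually needs that cell flattened to one row per member. The column names (DN, cn, member), the ";" separator between multi-valued entries, the csvde command in the comment, and the example.com sample data are assumptions constructed for this illustration.

```python
import csv
import io
import re

# Constructed sample, shaped like what a group export such as
#   csvde -f groups.csv -r "(objectClass=group)" -l "cn,member"
# is assumed to produce: a header row, one row per group, and the
# multi-valued "member" attribute joined with ";" in one quoted cell.
SAMPLE_EXPORT = '''DN,cn,member
"CN=Helpdesk,OU=Groups,DC=example,DC=com",Helpdesk,"CN=Smith\\, Ann,OU=Staff,DC=example,DC=com;CN=Bob Lee,OU=Staff,DC=example,DC=com"
"CN=Empty Group,OU=Groups,DC=example,DC=com",Empty Group,
"CN=Backup Ops,OU=Groups,DC=example,DC=com",Backup Ops,"CN=svc-tsm,OU=Service,DC=example,DC=com"
'''

# Split on ";" unless it is backslash-escaped inside a DN (assumption).
_VALUE_SEPARATOR = re.compile(r'(?<!\\);')
# First RDN value of a DN: everything after "=" up to the first
# comma that is not backslash-escaped.
_FIRST_RDN = re.compile(r'^[^=]+=((?:\\.|[^,\\])*)')


def rdn_value(dn):
    """Return the readable name from the first RDN, e.g. 'Smith, Ann'."""
    match = _FIRST_RDN.match(dn)
    if not match:
        return dn
    # Drop the backslashes that escape special characters in a DN.
    return re.sub(r'\\(.)', r'\1', match.group(1))


def flatten_memberships(csv_text):
    """Return a list of (group_dn, member_dn) pairs, one per membership."""
    pairs = []
    for record in csv.DictReader(io.StringIO(csv_text)):
        group_dn = record.get("DN") or ""
        # Groups without members have an empty or missing member cell.
        members = record.get("member") or ""
        for member_dn in _VALUE_SEPARATOR.split(members):
            member_dn = member_dn.strip()
            if member_dn:
                pairs.append((group_dn, member_dn))
    return pairs


def to_member_list(csv_text):
    """Render the flattened memberships as CSV text for review."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["group", "member", "member_dn"])
    for group_dn, member_dn in flatten_memberships(csv_text):
        writer.writerow([rdn_value(group_dn), rdn_value(member_dn), member_dn])
    return out.getvalue()


if __name__ == "__main__":
    print(to_member_list(SAMPLE_EXPORT), end="")
```

Groups with no members produce no rows, so a group that is missing from the output is empty rather than skipped by mistake.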
RE: [ActiveDir] Anyone with TSM experience with Active Directory
What do you mean by object level restore? Do you mean individual COM objects or file/folder/user objects?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, October 20, 2004 6:58 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Anyone with TSM experience with Active Directory

I'm being told that TSM can perform object-level restores. All I can see in literature and the actual backup/restore GUI is entire systemstate restore. Anyone have TSM and able to do anything different (better)?

Thanks,
Mike
RE: [ActiveDir] Centralized vs. decentralized administration
There are a number of ways to keep track of and audit the changes in your environment without going to the extreme of moving back to a centralized administration model. Administration tools like Quest's ActiveRoles or NetIQ's DRA offer that sort of granular logging and auditing right out of the box. You can do alerting with MOM if you get into the nuts and bolts of auditing.

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Wednesday, October 20, 2004 7:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Centralized vs. decentralized administration

I think the main reason which many companies are now facing is down to compliance. It is now becoming necessary for many companies to re-design AD to bring about a centralised model again. This is basically to ensure that head office knows about and has knowledge of details, such as - who is added to the domain, removed, etc.

Rob

From: [EMAIL PROTECTED] on behalf of Nathan Casey
Sent: Wed 20/10/2004 23:40
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Centralized vs. decentralized administration

Anyone have a good argument against decentralized administration in a single domain, multi site AD environment? Currently all user, computer, group, etc admin is handled by the IT dept. Now, we need to justify why we should NOT let users at the sites admin their own users, computer, groups, etc. For the most part the users at the sites that want to admin their own users have no AD admin experience.

Any suggestions would be helpful

Thanks
Nathan
RE: [ActiveDir] Anyone with TSM experience with Active Directory
Sorry, good point. I wasn't clear enough. I'm wondering about granular restores of active directory objects or OU and child objects.

We have one group pushing to purchase Quest's Aelita Recovery Manager for Active Directory and another pushing to use the TSM installation we are already using to backup and restore the file systems and just extend it to backup and restore Active Directory objects. If TSM can perform the granular AD object restores then we save a boatload of money. But it just doesn't appear to have that feature.

What do you mean by object level restore? Do you mean individual COM objects or file/folder/user objects?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, October 20, 2004 6:58 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Anyone with TSM experience with Active Directory

I'm being told that TSM can perform object-level restores. All I can see in literature and the actual backup/restore GUI is entire systemstate restore. Anyone have TSM and able to do anything different (better)?

Thanks,
Mike
RE: [ActiveDir] Anyone with TSM experience with Active Directory
You need to read into how Directory Services Restore Mode works before moving further.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 21, 2004 9:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone with TSM experience with Active Directory

Sorry, good point. I wasn't clear enough. I'm wondering about granular restores of active directory objects or OU and child objects.

We have one group pushing to purchase Quest's Aelita Recovery Manager for Active Directory and another pushing to use the TSM installation we are already using to backup and restore the file systems and just extend it to backup and restore Active Directory objects. If TSM can perform the granular AD object restores then we save a boatload of money. But it just doesn't appear to have that feature.

What do you mean by object level restore? Do you mean individual COM objects or file/folder/user objects?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, October 20, 2004 6:58 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Anyone with TSM experience with Active Directory

I'm being told that TSM can perform object-level restores. All I can see in literature and the actual backup/restore GUI is entire systemstate restore. Anyone have TSM and able to do anything different (better)?

Thanks,
Mike
RE: [ActiveDir] Centralized vs. decentralized administration
What specifically do the sites want to do? What problems are the sites facing that they are not currently able to perform? How long does it take the central site to respond to requests? Is there any way the response time can be shortened without giving them control of the users?

In the environment I work in, User administration is centrally controlled. Control of groups and users has been delegated down to division level IT staff. (We only have one site, but various divisions within that one site.) We have established naming conventions for groups and we enforce the naming conventions. Initially I had to remind users of the naming conventions but they were quick to comply.

Computer administration has been more of a problem. Computers go into AD, but are never removed. I have not found an effective way to address this problem yet. (Primarily because it has not yet become a pain point.) I could delete old computers from the OUs, but I am reluctant to do this yet.

Dennis

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey
Sent: Wednesday, October 20, 2004 6:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Centralized vs. decentralized administration

Anyone have a good argument against decentralized administration in a single domain, multi site AD environment? Currently all user, computer, group, etc admin is handled by the IT dept. Now, we need to justify why we should NOT let users at the sites admin their own users, computer, groups, etc. For the most part the users at the sites that want to admin their own users have no AD admin experience.

Any suggestions would be helpful

Thanks
Nathan
RE: [ActiveDir] New to AD
Just wanted to thank everybody who added their two cents. I have a working script that does exactly what my boss wanted. It could be a little better but I'm not a coder. If anybody wants a copy let me know.

From: Stauffer, Christopher
Sent: Thursday, October 21, 2004 9:02 AM
To: '[EMAIL PROTECTED]'
Subject: New to AD

I'm new to AD. Our network is finally migrating to Active Directory 2000. (Yeah, I know 2003 is better but it isn't our call.) Anyway, during the migration when joining new Windows XP or Windows 2000 computers to the Windows 2000 domain, the computer name appears in Active Directory but the computer description that is on the computer does not show up in AD. Why does this happen? In network places I can see the computer description, but in AD it is just blank unless I manually add it. Is there a way to pull the computer description from the local box into AD when the computer joins the domain?

I was told this by guys on another news group:

It's two separate fields. When you give a description to a computer object in AD users and computers, you are applying the description to the object, and not the computer itself. When you logon to a workstation and add a description to it, you are adding the description to the machine itself, and not the object in AD. That is why you see the different behaviors. Unfortunately the 2 fields aren't tied together. As for how to fix it, I think if a script ran that read the description from the local machine, and then connected to AD to update the computer object with the same name, you would be good to go.

So I guess my question is does anybody have a script that can do this.

Thanks,

CHRIS STAUFFER
Distributive Systems Specialist II
Bureau of Information Technology
1(717)783-9049 ext 244
[EMAIL PROTECTED]
RE: [ActiveDir] New to AD
Return Receipt

Your document: RE: [ActiveDir] New to AD
was received by: James Day/Contractor/NPS
at: 10/21/2004 05:58:18 PM EDT
RE: [ActiveDir] New to AD
Just rename .zip. Directions are inside.

Does anybody have a script that will display a computer's full OU path? Like this: Cn=computername,OU=blabla,DC=com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner
Sent: Thursday, October 21, 2004 7:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] New to AD

A copy of the script could come in handy if you are willing to send me a copy.

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stauffer, Christopher
Sent: Friday, 22 October 2004 7:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] New to AD

Just wanted to thank everybody who added their two cents. I have a working script that does exactly what my boss wanted. It could be a little better but I'm not a coder. If anybody wants a copy let me know.

From: Stauffer, Christopher
Sent: Thursday, October 21, 2004 9:02 AM
To: '[EMAIL PROTECTED]'
Subject: New to AD

I'm new to AD. Our network is finally migrating to Active Directory 2000. (Yeah, I know 2003 is better but it isn't our call.) Anyway, during the migration when joining new Windows XP or Windows 2000 computers to the Windows 2000 domain, the computer name appears in Active Directory but the computer description that is on the computer does not show up in AD. Why does this happen? In network places I can see the computer description, but in AD it is just blank unless I manually add it. Is there a way to pull the computer description from the local box into AD when the computer joins the domain?

I was told this by guys on another news group:

It's two separate fields. When you give a description to a computer object in AD users and computers, you are applying the description to the object, and not the computer itself. When you logon to a workstation and add a description to it, you are adding the description to the machine itself, and not the object in AD. That is why you see the different behaviors. Unfortunately the 2 fields aren't tied together. As for how to fix it, I think if a script ran that read the description from the local machine, and then connected to AD to update the computer object with the same name, you would be good to go.

So I guess my question is does anybody have a script that can do this.

Thanks,

CHRIS STAUFFER
Distributive Systems Specialist II
Bureau of Information Technology
1(717)783-9049 ext 244
[EMAIL PROTECTED]

Attachment: ou.z.i.p
RE: [ActiveDir] dsadd user exchmbx
Yar. That should work quite well.

Thanks.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, October 21, 2004 6:40 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] dsadd user exchmbx

Just so I am clear: if I want to create a bunch o users from a simple batch file, I can use the dsadd command and THEN use the exchmbx tool to create their mailboxes. I can even do this from within the same simple batch file. Do I have this correct?

As always, beaucoup de thanks, Joe.

-- nme
RE: [ActiveDir] Unable to Promote a 2nd DC or Access Group Policy on existing DC
Al,

Thank you for your input on this matter. I did not haul off and implement. I further researched, called Microsoft and spoke to several others. They all said to try alternative ways before trying this and then use it in a test environment first.

Well, I had tried everything that Microsoft had told me, seriously considered Za's suggestion and looked at all other sites etc that anyone referred me to and came up empty. I then used the utility on our live environment - not the smartest move I know but it was the only one I had left.

All went fine with using the utility and accessing Group Policy. Unfortunately, numerous other problems occurred with our Exchange5.5 (due to the migration not yet complete), tape backup software lost privileges and some services would not start on both the current and only DC and services would not start for Exchange5.5.

I had to change several permissions within Group Policy to allow the Admin Account and other Accounts to have access to certain policy / security settings. After a few hours of working on this the network was fully functional again. I tried another dcpromo and received a different error but that is a post for another time.

This was just to say thank you and explain the problems I ran into when resetting the Group Policy.

Rodney

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, 14 October 2004 11:08 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Unable to Promote a 2nd DC or Access Group Policy on existing DC

As you were reading this, did you check the dcpromo log on the failed promotion? Are you trying to use the same domain controller name when you promote it? Are all of these domains in the same forest? If so, how's the FRS logs? Any errors?

Al

P.S. GPRESULT.EXE from the reskit will tell you some information of value about the applied policies. Also, have a look at this for some other things to check http://support.microsoft.com/?kbid=830062 I don't think I'd haul off and just implement this, but it's something to consider. You'll want to test this stuff out before implementing it I'm sure. You may also do well to call Microsoft support and have a more in-depth look of your environment done.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner
Sent: Wednesday, October 13, 2004 10:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Unable to Promote a 2nd DC or Access Group Policy on existing DC

Al,

I understand the article to a degree. I understand that I am in over my head here. I understand it but just do not seem to be able to get it to work.

* From the article *

To fix the problem: Make sure that existing domain controllers have applied security policy and that the Enable computer and users accounts to be trusted for delegation user right has been granted to the Administrators group (Default Domain Controller Policy / Computer Configuration / Windows Settings / Security Settings / Local Policies). If a domain controller does not have this right, confirm that GPOs have replicated, and then manually apply the policy by typing the following command:

secedit /refreshpolicy machine_policy

NOTE: If the Application event log contains: Event ID 1704: Security Policy in the Group policy objects are applied successfully. the GPOs have been applied. If you're in a hurry, stop the Netlogon service on the source domain controller that doesn't have this right, to discover another DC that does.

How do you check what it states to do in the first paragraph of To fix the problem:? I do not believe that I can get the second part to work as I do not believe that I can replicate as there is only 1 DC so to speak. Yes, there are other BDC's but they are all WinNT4.0.

Anyway, I tried the secedit /refreshpolicy machine_policy and it stated in the DOS Screen to check the app log for any errors etc. Nothing appeared in the apps event log so far and it has been about an hour so I assume that it did not work.

Any further help would be appreciated AL.

Rodney

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, 13 October 2004 11:08 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Unable to Promote a 2nd DC or Access Group Policy on existing DC

Yep, it's very likely that the two are related. (Here's a good reference of what's happening when and why I say the two are related: http://www.jsiinc.com/SUBG/TIP3000/rh3034.htm)

You need to start by fixing the default policy issues. Deleting the default policy is not necessarily what you want to do, but rather it's the file system you are working on. Re-read that article and see if it makes better sense today. If not, let us know.

Meanwhile, is this a single domain environment?

Al

-Original Message-
From: [EMAIL PROTECTED]
[ActiveDir] Promoting 2nd Domain Controller in AD (The Credentials Supplied Conflict with an Existing set of credentials)
This is further to my previous problem about promoting but the Group Policy is fixed. I am now trying to promote the server that I forced removed as explain in my previous post and receive the error The Credentials Supplied Conflict with an Existing set of credentials I checked all drive mapping etc to see if there was a mapping to cause this error and there were none Well none visible. I used NET USE in a command prompt and it showed the following:- Status = OKLocal = Remote = \\VLSEXCH2000.VANGUARD.COM.AU\SYSVOL Network = Microsoft Windows Network I have been told that this is because this particular server believes that it is still part of AD. I was also informed that there is a post on this site that explains how to do a registry hack to change a setting to make the server believe that it is just part of the domain and not part of AD. Once this change has been made I then has been informed to delete SYSVOL and NTDS folders. Not sure if a restart was required after this and then try the dcpromo and all should be fine. I can not find this post so can anyone please help me. Rodney P.S. I am now able to successfully promote other Win2000 Servers to be part of AD since the Group Policy has been fixed. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] New to AD
Did you want to enter a computer name and have it dump the path, or have the script dump the path for all computers in a given OU? -Original Message- From: Stauffer, Christopher [mailto:[EMAIL PROTECTED] Sent: Thursday, October 21, 2004 5:56 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] New to AD Just rename .zip Directions are inside Does anybody have a script that will display a computers full OU path? Like this Cn=computername,OU=blabla,DC=com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner Sent: Thursday, October 21, 2004 7:37 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] New to AD A copy of the script could come in handy if you are willing to send me a copy. Thanks _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stauffer, Christopher Sent: Friday, 22 October 2004 7:50 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] New to AD Just wanted to thank everybody who added there two cents. I have a working script that does exactly what my boss wanted. It could be a little better but I'm not a coder. If anybody wants a copy let me know. _ From: Stauffer, Christopher Sent: Thursday, October 21, 2004 9:02 AM To: '[EMAIL PROTECTED]' Subject: New to AD I'm new to AD. Our network is Finally migrating to Active Directory 2000. (yeah I know 2003 is better but is isn't our call) anyway during the migration when joining new Windows XP or Windows 2000 computers to the Windows 2000 domain, the computer name appears in Active Directory but the computer description that is on the computer does not show up in AD. Why does this happen? In network places I can see the computer description, but in AD it is just blank unless I manually add it. Is there a way to pull the computer description from the local box into AD when the computer joins the domain I was told this by guys on another news group Its two separate fields. 
When you give a description to a computer object in AD users and computers, you are applying the description to the object, and not the computer itself. When you logon to a workstation and add a description to it, you are adding the description to the machine itself, and not the object in AD. That is why you see the different behaviors. Unfortunately the 2 fields aren't tied together. As for how to fix it, I think if a script ran that read the description from the local machine, and then connected to AD to update the computer object with the same name, you would be good to go. So i guess my question is does anybody have a script that can do this. Thanks, CHRIS STAUFFER Distributive Systems Specialist II Bureau of Information Technology ' : 1(717)783-9049 ext 244 / : [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
RE: [ActiveDir] Promoting 2nd Domain Controller in AD (The Credentials Supplied Conflict with an Existing set of credentials)
Putting the machine in a workgroup before dcpromo'ing generally resolves this. Thanks. --Brian Desmond [EMAIL PROTECTED] Payton on the web! www.wpcp.org v - 773.534.0034 x135 f - 773.534.8101 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Rodney Gardiner Sent: Thursday, October 21, 2004 8:21 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Promoting 2nd Domain Controller in AD (The Credentials Supplied C onflict with an Existing set of credentials) This is further to my previous problem about promoting but the Group Policy is fixed. I am now trying to promote the server that I forced removed as explain in my previous post and receive the error The Credentials Supplied Conflict with an Existing set of credentials I checked all drive mapping etc to see if there was a mapping to cause this error and there were none Well none visible. I used NET USE in a command prompt and it showed the following:- Status = OKLocal = Remote = \\VLSEXCH2000.VANGUARD.COM.AU\SYSVOL Network = Microsoft Windows Network I have been told that this is because this particular server believes that it is still part of AD. I was also informed that there is a post on this site that explains how to do a registry hack to change a setting to make the server believe that it is just part of the domain and not part of AD. Once this change has been made I then has been informed to delete SYSVOL and NTDS folders. Not sure if a restart was required after this and then try the dcpromo and all should be fine. I can not find this post so can anyone please help me. Rodney P.S. I am now able to successfully promote other Win2000 Servers to be part of AD since the Group Policy has been fixed. 
Re: [ActiveDir] IIS 6.0 AGAIN...
Is anything else listening on port 80? (you can use this app from sysinternals to check: http://www.sysinternals.com/ntw2k/source/tcpview.shtml) Cheers Ken - Original Message - From: Za Vue [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, October 21, 2004 10:46 PM Subject: RE: [ActiveDir] IIS 6.0 AGAIN... : NO I forgot to mention in my previous posts that I am only running FTP, port : 21 and the main web site on port 80. : : Thanks, : -Z.V : : : -Original Message- : From: [EMAIL PROTECTED] : [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer : Sent: Wednesday, October 20, 2004 11:39 PM : To: [EMAIL PROTECTED] : Subject: Re: [ActiveDir] IIS 6.0 AGAIN... : : a) Are you running multiple applications listening on port 80 (eg if you : have multiple IP addresses, and are running multiple webservers) : : b) Check your web site identities - you could have a conflicting set of web : site identities (each active website must have it's own, unique, web site : identity. A website identity consists of an IP address, TCP port and : optional host-header name) : : Cheers : Ken : : - Original Message - : From: Za Vue [EMAIL PROTECTED] : Subject: [ActiveDir] IIS 6.0 AGAIN... : : :: Hi all. Has anyone seen the error below? I am running IIS 6.0 on a Windows :: 2003 server. Every time this error comes on my website asked for a : username :: and password. I restart IIS services and things are fine afterward. :: :: Event Type: Error :: Event Source: W3SVC :: Event Category: None :: Event ID: 1007 :: Date: 10/19/2004 :: Time: 3:59:49 PM :: User: N/A :: Computer: WebServer :: Description: :: Cannot register the URL prefix 'http://*:80/' for site '1'. The necessary :: network binding may already be in use. The site has been deactivated.
RE: [ActiveDir] Promoting 2nd Domain Controller in AD (The Credentials Supplied Conflict with an Existing set of credentials)
Rodney, If you used DCPROMO /FORCEREMOVAL ex DC should be on a workgroup if not put it on one...rename the server... Look at Q216498: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion. Clear up any entries pertaining to the old server. Then add server to the domain and then do a dcpromo. James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner Sent: Friday, 22 October 2004 11:21 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Promoting 2nd Domain Controller in AD (The Credentials Supplied C onflict with an Existing set of credentials) This is further to my previous problem about promoting but the Group Policy is fixed. I am now trying to promote the server that I forced removed as explain in my previous post and receive the error The Credentials Supplied Conflict with an Existing set of credentials I checked all drive mapping etc to see if there was a mapping to cause this error and there were none Well none visible. I used NET USE in a command prompt and it showed the following:- Status = OKLocal = Remote = \\VLSEXCH2000.VANGUARD.COM.AU\SYSVOL Network = Microsoft Windows Network I have been told that this is because this particular server believes that it is still part of AD. I was also informed that there is a post on this site that explains how to do a registry hack to change a setting to make the server believe that it is just part of the domain and not part of AD. Once this change has been made I then has been informed to delete SYSVOL and NTDS folders. Not sure if a restart was required after this and then try the dcpromo and all should be fine. I can not find this post so can anyone please help me. Rodney P.S. I am now able to successfully promote other Win2000 Servers to be part of AD since the Group Policy has been fixed. 
RE: [ActiveDir] New to AD
The TechNet Script Center of full of scripts: http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx Also, check out the WMI Scriptomatic tool -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Coleman, Hunter Sent: Thursday, October 21, 2004 6:31 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] New to AD Did you want to enter a computer name and have it dump the path, or have the script dump the path for all computers in a given OU? -Original Message- From: Stauffer, Christopher [mailto:[EMAIL PROTECTED] Sent: Thursday, October 21, 2004 5:56 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] New to AD Just rename .zip Directions are inside Does anybody have a script that will display a computers full OU path? Like this Cn=computername,OU=blabla,DC=com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner Sent: Thursday, October 21, 2004 7:37 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] New to AD A copy of the script could come in handy if you are willing to send me a copy. Thanks _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stauffer, Christopher Sent: Friday, 22 October 2004 7:50 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] New to AD Just wanted to thank everybody who added there two cents. I have a working script that does exactly what my boss wanted. It could be a little better but I'm not a coder. If anybody wants a copy let me know. _ From: Stauffer, Christopher Sent: Thursday, October 21, 2004 9:02 AM To: '[EMAIL PROTECTED]' Subject: New to AD I'm new to AD. Our network is Finally migrating to Active Directory 2000. (yeah I know 2003 is better but is isn't our call) anyway during the migration when joining new Windows XP or Windows 2000 computers to the Windows 2000 domain, the computer name appears in Active Directory but the computer description that is on the computer does not show up in AD. Why does this happen? 
In network places I can see the computer description, but in AD it is just blank unless I manually add it. Is there a way to pull the computer description from the local box into AD when the computer joins the domain I was told this by guys on another news group Its two separate fields. When you give a description to a computer object in AD users and computers, you are applying the description to the object, and not the computer itself. When you logon to a workstation and add a description to it, you are adding the description to the machine itself, and not the object in AD. That is why you see the different behaviors. Unfortunately the 2 fields aren't tied together. As for how to fix it, I think if a script ran that read the description from the local machine, and then connected to AD to update the computer object with the same name, you would be good to go. So i guess my question is does anybody have a script that can do this. Thanks, CHRIS STAUFFER Distributive Systems Specialist II Bureau of Information Technology ' : 1(717)783-9049 ext 244 / : [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
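The approach described in this thread (read the description from the local machine, then update the AD computer object of the same name), as an added PowerShell example that is not the script mentioned in the posts. It also returns the object's full distinguished name, which covers the OU-path question. The function names are hypothetical, and it assumes a domain-joined machine and an account delegated write access to the description attribute of computer objects.

```powershell
# Added example, not the script mentioned in the thread.
# Assumptions: runs on the domain-joined workstation itself, under an account
# delegated write access to the "description" attribute of computer objects.
# Function names are hypothetical.

$ErrorActionPreference = 'Stop'

function Get-LocalDescription {
    # The description typed into System Properties is stored by the Server
    # service as "srvcomment"; this is the value Network Places displays.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $prop = Get-ItemProperty -Path $key -Name 'srvcomment' -ErrorAction SilentlyContinue
    if ($null -eq $prop -or $null -eq $prop.srvcomment) { return '' }
    return ([string]$prop.srvcomment).Trim()
}

function Find-ComputerObject {
    param([Parameter(Mandatory = $true)][string]$Name)

    # Refuse anything that is not a plain NetBIOS name instead of building
    # an LDAP filter from unexpected input.
    if ($Name -notmatch '^[A-Za-z0-9_-]{1,15}$') {
        throw "Unexpected computer name: $Name"
    }

    # Computer accounts carry a trailing "$" in sAMAccountName.
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$Name`$))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('description')
    $searcher.FindOne()
}

function Sync-ComputerDescription {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $local  = Get-LocalDescription
    $result = Find-ComputerObject -Name $env:COMPUTERNAME
    if ($null -eq $result) {
        throw "No computer object found for $($env:COMPUTERNAME)"
    }

    # Full path of the object, in the form CN=computername,OU=blabla,DC=com
    $dn = [string]$result.Properties['distinguishedname'][0]

    $directory = ''
    if ($result.Properties.Contains('description')) {
        $directory = [string]$result.Properties['description'][0]
    }

    $updated = $false
    # An empty local description never blanks out one set directly in AD.
    if ($local -ne '' -and $local -cne $directory) {
        if ($PSCmdlet.ShouldProcess($dn, "Set description to '$local'")) {
            $entry = $result.GetDirectoryEntry()
            $entry.Properties['description'].Value = $local
            $entry.CommitChanges()
            $entry.Dispose()
            $updated = $true
        }
    }

    New-Object PSObject -Property @{
        DistinguishedName    = $dn
        LocalDescription     = $local
        DirectoryDescription = $directory
        Updated              = $updated
    }
}

# Dry run: reports the DN and both descriptions and changes nothing.
# Remove -WhatIf to write the local description to the AD object.
Sync-ComputerDescription -WhatIf
```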
RE: [ActiveDir] Promoting 2nd Domain Controller in AD (The Credentials Supplied Conflict with an Existing set of credentials)
simply do a net use * /delete /y and you are good to go Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Blair, James Sent: Thu 10/21/2004 7:49 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Promoting 2nd Domain Controller in AD (The Credentials Supplied C onflict with an Existing set of credentials) Rodney, If you used DCPROMO /FORCEREMOVAL ex DC should be on a workgroup if not put it on one...rename the server... Look at Q216498: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion. Clear up any entries pertaining to the old server. Then add server to the domain and then do a dcpromo. James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner Sent: Friday, 22 October 2004 11:21 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Promoting 2nd Domain Controller in AD (The Credentials Supplied C onflict with an Existing set of credentials) This is further to my previous problem about promoting but the Group Policy is fixed. I am now trying to promote the server that I forced removed as explain in my previous post and receive the error The Credentials Supplied Conflict with an Existing set of credentials I checked all drive mapping etc to see if there was a mapping to cause this error and there were none Well none visible. I used NET USE in a command prompt and it showed the following:- Status = OKLocal = Remote = \\VLSEXCH2000.VANGUARD.COM.AU\SYSVOL Network = Microsoft Windows Network I have been told that this is because this particular server believes that it is still part of AD. I was also informed that there is a post on this site that explains how to do a registry hack to change a setting to make the server believe that it is just part of the domain and not part of AD. 
Once this change has been made I then has been informed to delete SYSVOL and NTDS folders. Not sure if a restart was required after this and then try the dcpromo and all should be fine. I can not find this post so can anyone please help me. Rodney P.S. I am now able to successfully promote other Win2000 Servers to be part of AD since the Group Policy has been fixed.
RE: [ActiveDir] Promoting 2nd Domain Controller in AD (The Credentials Supplied Conflict with an Existing set of credentials)
James, Thanks for the advise - my concern is that it has been working as part of the domain for some time now. 1. When forced removed it simply became a member server of the domain. It was never taken right off of the domain back to being only a work group. 2. All our user shares are currently on this server that I wish to promote to be a DC and do not want to take it off the domain all together, change its name and then add it back to the domain with another name as all login scripts and drive mappings to this server would need updating. - Is there a way around this so that I can keep the same server name and not have to change login scripts and re-create shares again? 3. I have already used KB216948 to cleanup on the remaining DC. Does this need to be done on the failed DC as well? Rodney -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Blair, James Sent: Friday, 22 October 2004 12:50 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Promoting 2nd Domain Controller in AD (The Credentials Supplied C onflict with an Existing set of credentials) Rodney, If you used DCPROMO /FORCEREMOVAL ex DC should be on a workgroup if not put it on one...rename the server... Look at Q216498: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion. Clear up any entries pertaining to the old server. Then add server to the domain and then do a dcpromo. James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner Sent: Friday, 22 October 2004 11:21 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Promoting 2nd Domain Controller in AD (The Credentials Supplied C onflict with an Existing set of credentials) This is further to my previous problem about promoting but the Group Policy is fixed. 
I am now trying to promote the server that I forced removed as explain in my previous post and receive the error The Credentials Supplied Conflict with an Existing set of credentials I checked all drive mapping etc to see if there was a mapping to cause this error and there were none Well none visible. I used NET USE in a command prompt and it showed the following:- Status = OKLocal = Remote = \\VLSEXCH2000.VANGUARD.COM.AU\SYSVOL Network = Microsoft Windows Network I have been told that this is because this particular server believes that it is still part of AD. I was also informed that there is a post on this site that explains how to do a registry hack to change a setting to make the server believe that it is just part of the domain and not part of AD. Once this change has been made I then has been informed to delete SYSVOL and NTDS folders. Not sure if a restart was required after this and then try the dcpromo and all should be fine. I can not find this post so can anyone please help me. Rodney P.S. I am now able to successfully promote other Win2000 Servers to be part of AD since the Group Policy has been fixed.
RE: [ActiveDir] Promoting 2nd Domain Controller in AD (The Credentials Supplied Conflict with an Existing set of credentials)
Rodney, Try Deji's solution...do you have any mapped network drives on the server? http://support.microsoft.com/?kbid=106211 James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner Sent: Friday, 22 October 2004 2:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Promoting 2nd Domain Controller in AD (The Creden tials Supplied C onflict with an Existing set of credentials) James, Thanks for the advise - my concern is that it has been working as part of the domain for some time now. 1. When forced removed it simply became a member server of the domain. It was never taken right off of the domain back to being only a work group. 2. All our user shares are currently on this server that I wish to promote to be a DC and do not want to take it off the domain all together, change its name and then add it back to the domain with another name as all login scripts and drive mappings to this server would need updating. - Is there a way around this so that I can keep the same server name and not have to change login scripts and re-create shares again? 3. I have already used KB216948 to cleanup on the remaining DC. Does this need to be done on the failed DC as well? Rodney -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Blair, James Sent: Friday, 22 October 2004 12:50 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Promoting 2nd Domain Controller in AD (The Credentials Supplied C onflict with an Existing set of credentials) Rodney, If you used DCPROMO /FORCEREMOVAL ex DC should be on a workgroup if not put it on one...rename the server... Look at Q216498: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion. Clear up any entries pertaining to the old server. Then add server to the domain and then do a dcpromo. 
James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner Sent: Friday, 22 October 2004 11:21 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Promoting 2nd Domain Controller in AD (The Credentials Supplied C onflict with an Existing set of credentials) This is further to my previous problem about promoting but the Group Policy is fixed. I am now trying to promote the server that I forced removed as explain in my previous post and receive the error The Credentials Supplied Conflict with an Existing set of credentials I checked all drive mapping etc to see if there was a mapping to cause this error and there were none Well none visible. I used NET USE in a command prompt and it showed the following:- Status = OKLocal = Remote = \\VLSEXCH2000.VANGUARD.COM.AU\SYSVOL Network = Microsoft Windows Network I have been told that this is because this particular server believes that it is still part of AD. I was also informed that there is a post on this site that explains how to do a registry hack to change a setting to make the server believe that it is just part of the domain and not part of AD. Once this change has been made I then has been informed to delete SYSVOL and NTDS folders. Not sure if a restart was required after this and then try the dcpromo and all should be fine. I can not find this post so can anyone please help me. Rodney P.S. I am now able to successfully promote other Win2000 Servers to be part of AD since the Group Policy has been fixed. 
RE: [ActiveDir] Promoting 2nd Domain Controller in AD (The Credentials Supplied Conflict with an Existing set of credentials)
Thanks for that. I thought that it might have been the case but was not sure if there would be any ramifications of doing this. Then I was informed another way of doing it as explained below and it sounded like a more sound way. I will do this and see what happens when I try and promote. Rodney -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, 22 October 2004 2:38 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Promoting 2nd Domain Controller in AD (The Credentials Supplied C onflict with an Existing set of credentials) simply do a net use * /delete /y and you are good to go Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Blair, James Sent: Thu 10/21/2004 7:49 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Promoting 2nd Domain Controller in AD (The Credentials Supplied C onflict with an Existing set of credentials) Rodney, If you used DCPROMO /FORCEREMOVAL ex DC should be on a workgroup if not put it on one...rename the server... Look at Q216498: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion. Clear up any entries pertaining to the old server. Then add server to the domain and then do a dcpromo. James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner Sent: Friday, 22 October 2004 11:21 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Promoting 2nd Domain Controller in AD (The Credentials Supplied C onflict with an Existing set of credentials) This is further to my previous problem about promoting but the Group Policy is fixed. 
I am now trying to promote the server that I forced removed as explain in my previous post and receive the error The Credentials Supplied Conflict with an Existing set of credentials I checked all drive mapping etc to see if there was a mapping to cause this error and there were none Well none visible. I used NET USE in a command prompt and it showed the following:- Status = OKLocal = Remote = \\VLSEXCH2000.VANGUARD.COM.AU\SYSVOL Network = Microsoft Windows Network I have been told that this is because this particular server believes that it is still part of AD. I was also informed that there is a post on this site that explains how to do a registry hack to change a setting to make the server believe that it is just part of the domain and not part of AD. Once this change has been made I then has been informed to delete SYSVOL and NTDS folders. Not sure if a restart was required after this and then try the dcpromo and all should be fine. I can not find this post so can anyone please help me. Rodney P.S. I am now able to successfully promote other Win2000 Servers to be part of AD since the Group Policy has been fixed.