RE: [ActiveDir] Office deployments via GPO
Russ, first of all, I understand your problem with Office being reinstalled causing trouble, but remember that if you do not install Office on all your computers where you want it to run with GP, the computers that you leave out will not be managed, so if you later on want to apply an Office Service Pack as an .msp file, uninstall etc., you will have the same problem all over again, having to handle these computers separately. But maybe the problems you are talking about are so severe that it is impossible to reinstall and then fix the problems afterwards.

Also, another problem is the actual way of making GP determine if it should apply the GPO or not, even if you run an XP/2003 shop and have the possibility to use WMI filters. There is no way, as far as I know, that makes it possible to figure out if a WMI instance is NOT present (e.g. Office is not installed) for WMI classes that can have multiple values using only WQL. It would be possible to check if Office is installed by using a WMI filter that looks something like this:

SELECT * FROM Win32_Product WHERE IdentifyingNumber = '{90110409-6000-11D3-8CFE-0150048383C9}'

But figuring out if it is NOT installed is not possible, since for example changing the = to != would result in all applications NOT being Office 2003 being returned and the GPO would be applied regardless of whether Office is installed or not, and WQL does not support the types of operators that would make this possible in, for example, normal SQL, and since you can only add WQL statements and not blocks of script to the WMI filter, negating the entire result is not possible either.

So my advice would be, if you do not want to install on all computers, to create a small script that you could run from the startup script (synchronously) that verifies if Office 2003 is installed and then sets a system variable, that you create, to true if it is not already installed. Then it is easy to use a WMI filter that looks something like this (depending on the name and value you select for the variable):

SELECT * FROM Win32_Environment WHERE Name = 'Office2003NotInstalled' AND VariableValue = 'True'

This would make the GPO apply on the computers where Office 2003 is not installed, as you wanted. Of course, if you run W2K on your clients, this will not work :( and you will need to figure something else out, perhaps install it from the startup script where you check if it is installed with, for example, WMI and then install it if it is not already installed.

Happy hunting...

Thorbjörn Sjövold
Special Operations Software
www.specopssoft.com
thorbjorn.sjovold a t specopssoft.com
Specops Deploy, Takes Group Policy Based Software Deployment to the next level

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, January 25, 2005 1:38 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Office deployments via GPO

We have many desktops that we want to deploy Office 2003 to, and some of them already have Office 2003. Separating which ones do and don't would be difficult, so we want to apply the GPO to a whole list of computers and let it deploy. The problem is, if they already have Office 2003 on the workstations, it deploys over top of it anyway, and this could cause Outlook or some other issues. Is there any way to get the GPO to detect if O2K3 is already installed and skip deployment if so?

~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.
~~
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
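The startup script Thorbjörn describes, written out as an added PowerShell example (it is not code from the thread or from Specops). It uses the Office 2003 product code and the Office2003NotInstalled variable name quoted above; the registry check before the Win32_Product query is an addition, because enumerating Win32_Product is slow and makes Windows Installer re-verify every installed product.

```powershell
# Added example: computer startup script that records whether Office 2003 is
# absent in a machine-level environment variable, so that a WMI filter on
# Win32_Environment (as in the post) can select the computers that need it.
$officeProductCode = '{90110409-6000-11D3-8CFE-0150048383C9}'   # from the post
$variableName      = 'Office2003NotInstalled'                     # from the post

function Test-Office2003Installed {
    # Cheap check first: an MSI-installed product registers its product code
    # under the Uninstall key (assumption: standard MSI registration).
    $uninstallKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$officeProductCode"
    if (Test-Path -LiteralPath $uninstallKey) { return $true }

    # Fall back to the WQL query the post proposes; it is authoritative but slow
    # because Win32_Product triggers a consistency check of every installed MSI.
    $wql = "SELECT IdentifyingNumber FROM Win32_Product WHERE IdentifyingNumber = '$officeProductCode'"
    $hit = Get-WmiObject -Query $wql -ErrorAction SilentlyContinue
    return ($null -ne $hit)
}

$notInstalled = -not (Test-Office2003Installed)

# Write the variable at machine scope; that is the registry location
# Win32_Environment reads. Setting it to 'False' when Office is present,
# rather than deleting it, keeps the filter's VariableValue = 'True' test
# unambiguous on both kinds of machine.
[Environment]::SetEnvironmentVariable($variableName, $notInstalled.ToString(), 'Machine')

# Show what the WMI filter from the post will see on this machine.
Get-WmiObject -Query "SELECT * FROM Win32_Environment WHERE Name = '$variableName' AND VariableValue = 'True'"
```

Because WMI filters are evaluated when policy is processed, the software-installation GPO will first match on the boot after the variable has been written.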
RE: [ActiveDir] Sites VS domains in a distributed global environment.
Mike, I am currently running a global AD and I have it broken up into a TLD and 4 regional child domains (NAFTA 5K users, EAME 12K users, LATAM 2K users, APAC 2K users). The main reason that I broke it up was to control replication traffic. I did not want to have my LATAM and APAC DCs have to replicate all of the details for the entire world on some pretty poor links. With your number of users and network situation a single domain under a TLD would probably work. However, there are a few things to think about...

DNS - If you use AD integrated DNS for your AD domains (I did), make sure that each of your child DCs has a standard secondary of the TLD _msdcs zone and then have the clients use their site DC as their DNS server. This is related to the logon requirements for an AD account in a multi-domain forest. Be careful how you grab the secondary from the TLD zone because you can end up with SOA problems if the TLD DNS is AD integrated.

OUs and delegation - In my case, I set up the OU structure to serve delegation and GPOs. I did not go down the business path because I did not want to try to keep up with the business as it constantly re-organized itself ;-). I organized on a physical site basis and this gave me the ability to easily hand out rights such as password reset and create computer accounts at the site level. Believe me, it will help to have the sites be able to do some of the daily work themselves, especially when you are trying to cover 24 time zones. On the other hand, I would hang onto the higher level rights (domain admin, ent admin, schema admin, etc.) and only have a core group have these rights. My goal was to give the site admins the rights to do most (95%) of their daily job without having to call somebody while not allowing them to have enough rights in the AD to hurt anyone other than themselves ;-)

OUs and objects - I have set up OUs for various types of objects (users, groups, computers, etc.) and I only delegate the right to create the specific type of object in the proper OU. For example, the site guy does not have the right to create a user account in an OU dedicated to computers but he can create a computer account there.

Infrastructure servers - My central group controls all of the infrastructure servers (DCs, Exchange, SMS, DNS, etc.) and these computer accounts, except for DCs, are in dedicated OUs that the site level admins do not have write access to. I left the DCs in the standard Domain Controllers OU.

GPOs - I would run these out of the core. I consider GPOs to be a corporate object and I don't allow the sites to mess with them. If you plan the OU structure carefully, you can have one copy of a GPO hit all of the objects that require it. For example, your site level workstation OUs are under a parent workstations OU and the GPO is applied at the workstations level. Also, don't use GPOs attached to the site because site level GPOs are stored in the TLD sysvol.

Migration - you will probably have to consider sIDHistory when you consolidate. With your size, ADMT would probably be a good candidate. In my case I ended up writing my own for my NT4 - AD migration so it would scale properly and do the other stuff that I needed to handle.

Resource Domains - I don't allow anyone to write to the default Computers OU. I created a server OU for site level resource servers and give the site level guys the right to create computer accounts in that OU. This way they can add resource servers as needed but they are added where I want them in the OU structure. Of course, this means that they either have to pre-create the computer account or use an unattended.txt where they specify the target OU.

Politics - This will be a change for the site level guys so you have to consider this angle. I found that if you get the delegation model right, they have enough rights to do what they really need to do on a daily basis. If they don't have the rights, they probably should not be doing what they are trying to do anyway.

FWIW - Frank

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Monday, January 24, 2005 11:21 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Sites VS domains in a distributed global environment.

Hello, I have inherited an environment where all of the companies acquired by our parent company were migrated into the forest in their own domain under an empty root 2003 domain. Right now there are about 20 companies ranging from 20 to 250 employees needing to be migrated into our forest and I'm looking at changing the way we migrate them in. There are approximately 1200 employees total but we acquire a new company about every six months to a year. I'm thinking of consolidating all of the existing domains into one under the root and setting up sites. Then I would migrate the remaining companies into that domain. There would be a DC/GC in each location. Most will be accessing the Exchange 2003 server in the datacenter.
RE: [ActiveDir] Office deployments via GPO
I believe you can control this behavior via the Office 2003 Custom Installation Wizard, which is part of the o2k3 resource kit toolbox: http://download.microsoft.com/download/0/e/d/0eda9ae6-f5c9-44be-98c7-ccc3016a296a/ork.exe.

Dan DeStefano

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, January 24, 2005 7:38 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Office deployments via GPO

We have many desktops that we want to deploy Office 2003 to, and some of them already have Office 2003. Separating which ones do and don't would be difficult, so we want to apply the GPO to a whole list of computers and let it deploy. The problem is, if they already have Office 2003 on the workstations, it deploys over top of it anyway, and this could cause Outlook or some other issues. Is there any way to get the GPO to detect if O2K3 is already installed and skip deployment if so?
Re: [ActiveDir] Interactive logon: Message text for users attempting to log on
That is the way we did it before moving to AD. I was kind of hoping to use the GPO functionality (it is there, after all). I guess a call to PSS is in order as Google and Technet both turn up nothing.

Jordan

On Mon, 24 Jan 2005 13:20:03 -0800, Perdue David J Contr InDyne/Enterprise IT [EMAIL PROTECTED] wrote:

Jordan, Create your logon banner by modifying the appropriate registry keys and send that out to your clients, instead of going through GP. Strangely enough, by the reg key it will work.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption
and
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText

Another way around it is to script the pop-up banner in something like KiXtart. Ours automatically logs the user off if they do not click on yes, signifying acceptance. Anything else and they are logged off automatically.

Dave
//SIGNED//
David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jordan Arendt
Sent: Monday, January 24, 2005 10:43 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Interactive logon: Message text for users attempting to log on

Hi folks, Wondering if anyone has run into the situation described below, except it is happening on my Win2k3 servers and all my XP clients: http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/577.asp (if ever there was a need for tinyurl to come to the rescue, this would be it...) http://tinyurl.com/3mxyb

I created the policy with the Group Policy Management Console on an XP box. Only the first 512 characters are displaying on XP and 2k3. I don't have any 2000 clients, but I do have a couple of 2000 servers. I don't care if these servers display the message properly. Undefining and then defining this policy again does not fix the problem. Anybody have any suggestions (other than getting the message under 512 characters ;) )

Jordan
RE: [ActiveDir] Interactive logon: Message text for users attempting to log on
The functionality is there with GPOs. You just have to use a shorter message. I've never had any luck getting a longer message to work via GPO.

//SIGNED//
David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jordan Arendt
Sent: Tuesday, January 25, 2005 07:23 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Interactive logon: Message text for users attempting to log on

That is the way we did it before moving to AD. I was kind of hoping to use the GPO functionality (it is there, after all). I guess a call to PSS is in order as Google and Technet both turn up nothing.

Jordan

On Mon, 24 Jan 2005 13:20:03 -0800, Perdue David J Contr InDyne/Enterprise IT [EMAIL PROTECTED] wrote:

Jordan, Create your logon banner by modifying the appropriate registry keys and send that out to your clients, instead of going through GP. Strangely enough, by the reg key it will work.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption
and
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText

Another way around it is to script the pop-up banner in something like KiXtart. Ours automatically logs the user off if they do not click on yes, signifying acceptance. Anything else and they are logged off automatically.

Dave
//SIGNED//
David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jordan Arendt
Sent: Monday, January 24, 2005 10:43 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Interactive logon: Message text for users attempting to log on

Hi folks, Wondering if anyone has run into the situation described below, except it is happening on my Win2k3 servers and all my XP clients: http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/577.asp (if ever there was a need for tinyurl to come to the rescue, this would be it...) http://tinyurl.com/3mxyb

I created the policy with the Group Policy Management Console on an XP box. Only the first 512 characters are displaying on XP and 2k3. I don't have any 2000 clients, but I do have a couple of 2000 servers. I don't care if these servers display the message properly. Undefining and then defining this policy again does not fix the problem. Anybody have any suggestions (other than getting the message under 512 characters ;) )

Jordan
RE: [ActiveDir] Interactive logon: Message text for users attempting to log on
Do you know if the policy actually has the full string and is simply not being applied properly? Look at the text file with the notice in it and that will tell you if the issue is with the tool writing the policy or the clients in applying the policy.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jordan Arendt
Sent: Monday, January 24, 2005 1:43 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Interactive logon: Message text for users attempting to log on

Hi folks, Wondering if anyone has run into the situation described below, except it is happening on my Win2k3 servers and all my XP clients: http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/577.asp (if ever there was a need for tinyurl to come to the rescue, this would be it...) http://tinyurl.com/3mxyb

I created the policy with the Group Policy Management Console on an XP box. Only the first 512 characters are displaying on XP and 2k3. I don't have any 2000 clients, but I do have a couple of 2000 servers. I don't care if these servers display the message properly. Undefining and then defining this policy again does not fix the problem. Anybody have any suggestions (other than getting the message under 512 characters ;) )

Jordan
Re: [ActiveDir] Clients Not Authenticating with Site DC
In most scenarios the clients use DHCP and that registry entry is there by default. I don't think many people take the time to manually add the SiteName entry for all of their clients, but it is good to know that there are 2 possibilities, especially the fact that the SiteName overrides the DynamicSiteName entry! It was kind of a basic answer to get them in the right direction. Thanks for the articles, good info!

On Mon, 24 Jan 2005 16:21:31 -0500, Robert Williams (RRE) [EMAIL PROTECTED] wrote:

Actually, if it were hard coded, it would be in the SiteName entry. The DynamicSiteName entry is for the dynamically discovered site as discovered by netlogon... check these links out:

DynamicSiteName
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/55957.asp

SiteName
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/55957.asp

Rob

From: [EMAIL PROTECTED] on behalf of Jeff Smith
Sent: Mon 1/24/2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Clients Not Authenticating with Site DC

Usually the problem is missing SRV records or Sites and Services is misconfigured. Check the following registry location and see if that site is hard coded. You can write a script to reset this if needed.

HKLM\SYSTEM\CCS\SERVICES\NETLOGON\PARAMETERS\DYNAMICSITENAME

Also, check the NETLOGON.LOG on both the client and the server. You should be able to see what is going on there.

On Thu, 20 Jan 2005 11:20:18 -0800, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

I think your problem is that you probably upgraded the DC at that site last and, before the upgrade, your XP and 2K clients had discovered the new 2K3 DCs at the remote site. Once XP and 2K clients discover and authenticate against a 2K or 2K3 DC, they usually don't go back. This may be what you are seeing now. Have you tried disjoining and rejoining one or two of those clients? This should help them rediscover their local DC.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Jacob Walker
Sent: Thu 1/20/2005 5:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Clients Not Authenticating with Site DC

We are at the end of our migration from NT to AD 2003 and completing the PC moves. However, we are now receiving many reports that some PCs are authenticating against remote DCs. While many PCs in a location will respect the site configuration and authenticate against the local DC, some PCs are authenticating against DCs outside of the site. These are 2000 and XP machines, so we thought they should understand Active Directory sites. We do not have any network traces from any of these machines at this time, but we were wondering if they might be using WINS rather than DNS to locate a DC. But why would this be happening? These newer OS clients should look for a DC using DNS, shouldn't they? We checked DNS, and it is correct. Any ideas?
[ActiveDir] Firewalls and VPN questions
Is anybody really familiar with the GPO settings that control the XP2 firewall on/off network configurations?

What I'm trying to do: I'm trying to set up and test IPSEC VPN connectivity back to the corp network and use the XP2 firewall as the firewall of choice.

Expected results: When I am off the network, I should have full shields up. When on the corp network, it should be the settings defined via GPO, permissions, exceptions, etc.

What I've done: The on-network settings are fine. The results are exactly what was expected. The off-network settings are also fine. The results are exactly what was expected and GPOs were set to control this. Firewall is up and can't be modified etc. Perfect.

Problem: What is supposed to happen is that when you make a change to the network you're on, it's checked to see if it is on the same network that the last GPO applied was from. The key that's checked is

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\Network Name

If that value matches the connection-specific setting of any of your connections (that are not SLIP or PPP) then it should assume it's on the corporate network that it last got its GPO from (i.e. its native network). The problem I'm having is that the connection-specific entry is getting set on the VPN interface, but it's not triggering the change in networks as far as the firewall is concerned.

Questions: First off, is this what is expected? I realize that the doc also says that VPNs aren't considered in the algorithm if they're SLIP or PPP. Fair enough, but I can't tell which I'm using. It's blasted Contivity crud that really doesn't give much information at all. In fact, it shows up as an Ethernet connection, similar to the NIC. It does not, however, show up in the network settings, which is odd. It's a mini-port driver on the NIC. Second, if this is expected, should I expect that the firewall is up for the phys NIC and not engaged for the VPN interface? In other words, is the VPN interface unable to be firewalled?

If anybody has any links or information or other newsgroups where somebody would know this I would appreciate hearing about it.

Thanks, Al
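An added diagnostic (not from Al's post) that reproduces the comparison he describes: the network name Group Policy recorded at its last refresh against the connection-specific DNS suffix of each adapter, so you can see which adapter, if any, should switch the firewall to the corporate profile. It assumes the registry value is spelled NetworkName (the post writes it with a space) under the Group Policy\History key shown above.

```powershell
# Added example: list each IP-enabled adapter, its connection-specific DNS
# suffix, and whether that suffix matches the network Group Policy was last
# applied from. Adapters reported as PPP/SLIP (WAN miniports) are excluded
# from the location algorithm, so their match status is informational only.
$historyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
$gpNetwork  = (Get-ItemProperty -Path $historyKey -ErrorAction SilentlyContinue).NetworkName

function Get-FirewallNetworkMatch {
    if (-not $gpNetwork) {
        Write-Warning 'No NetworkName recorded: policy has not been applied from a network with a DNS suffix.'
        return
    }
    # DNSDomain on Win32_NetworkAdapterConfiguration is the connection-specific
    # suffix; IPEnabled drops adapters with no TCP/IP binding.
    $configs = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($cfg in $configs) {
        $adapter = Get-WmiObject -Class Win32_NetworkAdapter -Filter "Index = $($cfg.Index)"
        $suffix  = [string]$cfg.DNSDomain
        New-Object -TypeName PSObject -Property @{
            Adapter           = $cfg.Description
            AdapterType       = $adapter.AdapterType      # e.g. 'Ethernet 802.3' vs 'Wide Area Network (WAN)'
            DNSSuffix         = $suffix
            GPNetworkName     = $gpNetwork
            MatchesGPNetwork  = ($suffix -ne '' -and $suffix -ieq $gpNetwork)
        }
    }
}

Get-FirewallNetworkMatch | Format-Table Adapter, AdapterType, DNSSuffix, MatchesGPNetwork -AutoSize
```

A VPN adapter that shows the right suffix but an AdapterType of WAN is the case Al suspects: the suffix matches, yet the interface is ignored by the profile selection.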
RE: [ActiveDir] Trust Problems
In the lmhosts file did you:
rename it to not have any extension
use the #PRE and #DOM entries

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Tuesday, January 25, 2005 8:06 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Trust Problems

So I have a 2-way external trust from a Windows 2000 forest to a Windows 2003 forest. I'm in the process of migrating the 2000 forest to the 2003 forest because of a merger. I'm using NetIQ's Domain Migration Administrator to help in the migration. I'm running DNS and WINS and the WINS have the push/pull set up between the 2 domain controllers in the 2 domains. Also I can ping both domain controllers and domain names. I also have the DNS set to forward to each other. Everything was working and I was able to copy over some test accounts and groups. Today from the Windows 2000 side I can verify the trust account. From the Windows 2003 trusting side I keep getting "There are currently no logon servers available to service the logon request." I've used NETDOM to query / verify / and reset the trust. I still get "there are currently no logon servers available to service the logon request" every time from the 2003 side. I have rebooted both domain controllers and have added each domain and domain controllers in each server's HOSTS and LMHOSTS files. Any idea on where to go next would be great! I'm going to break and re-set up the trust right now.

Thanks, Mike
[ActiveDir] AD - Modify Query Limits
Trying to use Softerra LDAP Browser, nice tool, but running into the LDAP query policy limiting access to only 1,000 objects. Can someone help with what it takes to change the AD Query Policy to allow more returns? Thanks, Jerry
RE: [ActiveDir] AD - Modify Query Limits
Try this: http://support.microsoft.com/default.aspx?scid=kb;en-us;315071&sd=tech

-gil
Gil Kirkpatrick
CTO, NetPro

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: Tuesday, January 25, 2005 12:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD - Modify Query Limits

Trying to use Softerra LDAP Browser, nice tool, but running into the LDAP query policy limiting access to only 1,000 objects. Can someone help with what it takes to change the AD Query Policy to allow more returns? Thanks, Jerry
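An added example (not from the thread or the KB) that goes one step beyond Gil's pointer: the 1,000-object limit is the MaxPageSize LDAP policy, which caps a single page and protects domain controllers from oversized result sets, so a client that requests paged results gets the whole result set without the policy being raised. The search base and filter are placeholders; the DC is assumed to have the default MaxPageSize of 1,000.

```powershell
# Added example: page through an AD search with System.DirectoryServices so
# that more than 1,000 objects come back while MaxPageSize stays at its default.
Add-Type -AssemblyName System.DirectoryServices

function Get-ADObjectsPaged {
    param(
        [string]$SearchBase = 'LDAP://DC=example,DC=com',            # placeholder: your domain
        [string]$Filter     = '(&(objectCategory=person)(objectClass=user))',
        [int]$PageSize      = 1000                                   # must not exceed MaxPageSize
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $SearchBase
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root, $Filter

    # A non-zero PageSize makes DirectorySearcher attach the LDAP paged-results
    # control (OID 1.2.840.113556.1.4.319); the DC returns one page at a time
    # and FindAll() follows the paging cookie until the set is exhausted.
    $searcher.PageSize  = $PageSize
    $searcher.SizeLimit = 0                      # 0 = no client-side cap
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            New-Object -TypeName PSObject -Property @{
                SamAccountName    = [string]($r.Properties['samaccountname']    | Select-Object -First 1)
                DistinguishedName = [string]($r.Properties['distinguishedname'] | Select-Object -First 1)
            }
        }
    }
    finally {
        # SearchResultCollection wraps an unmanaged handle; always dispose it.
        $results.Dispose()
        $searcher.Dispose()
        $root.Dispose()
    }
}

# Usage: count everything the single-page limit was hiding.
$all = @(Get-ADObjectsPaged)
"Retrieved $($all.Count) objects"
```

An LDAP client that cannot do paging will still stop at MaxPageSize; raising the policy with ntdsutil, as the KB describes, is the fallback for those tools rather than the first choice.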
RE: [ActiveDir] Office deployments via GPO
I think Dan has the right idea here. You should be able to create a transform that can detect whether Office is already installed. MSI supports so-called LaunchConditions that allow a variety of conditional statements, such as NOT Installed, to be executed prior to the installation. You should be able to put this into the transform via the CIW. The challenge here is that it will only be true if the MSI product code is identical between the machines where Office has been installed and the package that you are deploying via GPO. Sometimes MSI product codes differ, even between the same versions of Office, so you might have an issue with that.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, January 25, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Office deployments via GPO

I believe you can control this behavior via the Office 2003 Custom Installation Wizard, which is part of the o2k3 resource kit toolbox: http://download.microsoft.com/download/0/e/d/0eda9ae6-f5c9-44be-98c7-ccc3016a296a/ork.exe.

Dan DeStefano

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, January 24, 2005 7:38 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Office deployments via GPO

We have many desktops that we want to deploy Office 2003 to, and some of them already have Office 2003. Separating which ones do and don't would be difficult, so we want to apply the GPO to a whole list of computers and let it deploy. The problem is, if they already have Office 2003 on the workstations, it deploys over top of it anyway, and this could cause Outlook or some other issues. Is there any way to get the GPO to detect if O2K3 is already installed and skip deployment if so?
[ActiveDir] fileacl.exe Replacement
Hi, I have been using fileacl.exe to show me permissions on various directories. It does the job, but I recall a few graphical tools that gave nicer reports and easier interfaces. I have searched the archives and Google to no avail (except a reference to some expensive enterprise tools and a perl script that Joe wrote which I could not find either). Can someone point me in the right direction for such tools? (Freeware or shareware only, please) Thanks. -- nme
RE: [ActiveDir] AD - Modify Query Limits
Gil, Thanks for the quick reply. I will give this a shot and let you know.

Regards, Jerry

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Tuesday, January 25, 2005 2:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD - Modify Query Limits

Try this: http://support.microsoft.com/default.aspx?scid=kb;en-us;315071&sd=tech

-gil
Gil Kirkpatrick
CTO, NetPro

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: Tuesday, January 25, 2005 12:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD - Modify Query Limits

Trying to use Softerra LDAP Browser, nice tool, but running into the LDAP query policy limiting access to only 1,000 objects. Can someone help with what it takes to change the AD Query Policy to allow more returns? Thanks, Jerry
RE: [ActiveDir] fileacl.exe Replacement
Try SomarSoft's DumpSec (formerly known as DumpAcl): http://www.somarsoft.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, January 25, 2005 1:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] fileacl.exe Replacement

Hi, I have been using fileacl.exe to show me permissions on various directories. It does the job, but I recall a few graphical tools that gave nicer reports and easier interfaces. I have searched the archives and Google to no avail (except a reference to some expensive enterprise tools and a perl script that Joe wrote which I could not find either). Can someone point me in the right direction for such tools? (Freeware or shareware only, please) Thanks. -- nme
RE: [ActiveDir] Sites VS domains in a distributed global environm ent.
With apologies to the original poster, I would like to hijack this thread and respond to Frank's idea on this:

quote
DNS - If you use AD integrated DNS for your AD domains (I did), make sure that each of your child DCs has a standard secondary of the TLD _msdcs zone and then have the clients use their site DC as their DNS server. This is related to the logon requirements for an AD account in a multi-domain forest. Be careful how you grab the secondary from the TLD zone because you can end up with SOA problems if the TLD DNS is AD integrated.
/quote

I am somewhat confused on this point, especially considering that you agreed that a single domain would suffice for the requirements of the scenario under discussion. If he has only one domain, then this is moot, no?

Aside from that, I am still confused about the reasoning behind creating secondary zones of the TLD in child domains where there is a child-parent relationship. The rationale you mentioned (This is related to the logon requirements for an AD account in a multi-domain forest) can be easily accomplished by simply configuring the child DNS servers to forward to the TLD DNS servers. This will avoid the need to manage secondary zones and requires no on-going maintenance whatsoever.

I know that Frank is not alone in making this recommendation, but I still can't grasp (or agree with) the technical rationale. I have been known to be slow at times. Is this one of those times? What are the advantages of secondarying parent zones from children or child zones from parent (or even inter-children zone secondaries) over configuring parent-to-child delegation and child-to-parent forwarding?

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
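The two designs being compared above, written out as the dnscmd calls that produce each one. This is an added example for this archive page, not a script from either poster; the zone names, host names and 192.0.2.x addresses are placeholders, and the dnscmd switches used are the ones the Windows 2000/2003 DNS tool provides (/ZoneAdd, /ZoneRefresh, /RecordAdd, /ResetForwarders).

```powershell
# Added example (not from the thread): option A keeps a standard secondary of the root's
# _msdcs zone on the child DNS server; option B uses parent-to-child delegation plus
# child-to-parent forwarding. Names and addresses below are placeholders.
$rootZone   = 'corp.example'            # forest root ("TLD") zone
$childZone  = 'emea.corp.example'       # child domain zone
$rootDns    = '192.0.2.10'              # a DNS server authoritative for the root zone
$childDns   = 'dc1.emea.corp.example'   # a child-domain DC running DNS
$childDnsIP = '192.0.2.20'

# --- Option A: secondary of _msdcs.<root> on the child DNS server -----------------
# The root side must allow zone transfers to $childDnsIP or the secondary never loads
# (this is the "SOA problems" trap when the root zone is AD integrated).
& dnscmd $childDns /ZoneAdd "_msdcs.$rootZone" /Secondary $rootDns
& dnscmd $childDns /ZoneRefresh "_msdcs.$rootZone"

# --- Option B: delegation down, forwarding up -----------------------------------
# On the root server: NS delegation for the child label plus a glue A record.
$childLabel = $childZone.Substring(0, $childZone.Length - $rootZone.Length - 1)   # "emea"
$glueLabel  = $childDns.Substring(0, $childDns.Length - $rootZone.Length - 1)     # "dc1.emea"
& dnscmd $rootDns /RecordAdd $rootZone $childLabel NS $childDns
& dnscmd $rootDns /RecordAdd $rootZone $glueLabel A $childDnsIP
# On the child server: anything it is not authoritative for goes to the root servers.
# /Slave stops it falling back to the root hints if the forwarder does not answer.
& dnscmd $childDns /ResetForwarders $rootDns /Slave

# --- Check that matters for logon in a multi-domain forest -----------------------
# With either option, a client using the child DC as its resolver must be able to
# find the root's DC locator records.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$rootZone" $childDnsIP
```

The last line is the test that decides whether the design works at all: if the root's `_ldap._tcp.dc._msdcs` SRV records do not resolve through the child DNS server, cross-domain logons and trust operations fail regardless of which option was chosen.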
-anon List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Seperating two domain controllers with in the same domain
Folks, I have a quick question. I have two DCs, one in Los Angeles, one in San Diego. The one in LA is the catalog server, the one in SD is the DC, and they are both running Windows 2000 servers. I would like to separate the two servers, and create two separate domains.

The reason is the DCs are losing sync capabilities, for example sometimes we cannot join new computers to the domain, we get an "end point mapper is not available" error; when we get this error we restart the servers and everything goes back to normal. We have to do the above restart procedure almost every week. So I would like to separate the two DCs and create two new ones without losing the AD data, user info etc. Is this possible?

Thank you,
Robert Oytun

Sent via the WebMail system at oytun.com
RE: [ActiveDir] Seperating two domain controllers with in the same domain
Robert,

My guess is that no one on this list will recommend doing what you suggest. Creating two stovepipes of similar data would not be desired by any organization, especially when the data does not have a specific technical need (e.g. security) to be separated.

Is it possible? Yes I suppose, so long as you never want those two DCs to communicate together again and the clients supported by one DC will never have to access the resources supported by the other DC. Also keep in mind that the two DCs, and the separate domains/forests they create, will never be able to trust the same third party nor will they be able to share the same DNS or WINS infrastructure. Quite honestly the only safe way to do this is to ensure that the networks they sit on are completely isolated from each other.

More importantly, it is not likely that this solution will solve your endpoint mapper issues. I would suggest working to solve the endpoint mapper issues instead.

Regards,
Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of roberto
Sent: Tuesday, January 25, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Seperating two domain controllers with in the same domain

Folks, I have a quick question. I have two DCs, one in Los Angeles, one in San Diego. The one in LA is the catalog server, the one in SD is the DC, and they are both running Windows 2000 servers. I would like to separate the two servers, and create two separate domains. The reason is the DCs are losing sync capabilities, for example sometimes we cannot join new computers to the domain, we get an "end point mapper is not available" error; when we get this error we restart the servers and everything goes back to normal. We have to do the above restart procedure almost every week. So I would like to separate the two DCs and create two new ones without losing the AD data, user info etc. Is this possible?

Thank you,
Robert Oytun

Sent via the WebMail system at oytun.com
RE: [ActiveDir] Seperating two domain controllers with in the same domain
Actually, creating two separate domains in one forest should work just fine. Access to resources will work just fine due to the two-way transitive trusts, and the replication will be much less of an issue.

However, what you might want to investigate first is the reason that the synch capabilities are lost. If the connection between the locations is unreliable, consider using SMTP replication instead of IP replication, as that is more suitable, using a store-and-forward method for replication, for unreliable connections. I'd advise trying that first, before you restructure your entire forest.

With two separate domains, replication traffic will decrease, so you are less dependent on the lines between the sites, and the issue of not being able to add machines to the domain will also be gone. And if it turns out that the lines are so unreliable that replication becomes an issue, then actually, yes, I would advise creating two separate domains.

Regards,
Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, January 25, 2005 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperating two domain controllers with in the same domain

Robert,

My guess is that no one on this list will recommend doing what you suggest. Creating two stovepipes of similar data would not be desired by any organization, especially when the data does not have a specific technical need (e.g. security) to be separated.

Is it possible? Yes I suppose, so long as you never want those two DCs to communicate together again and the clients supported by one DC will never have to access the resources supported by the other DC. Also keep in mind that the two DCs, and the separate domains/forests they create, will never be able to trust the same third party nor will they be able to share the same DNS or WINS infrastructure. Quite honestly the only safe way to do this is to ensure that the networks they sit on are completely isolated from each other.

More importantly, it is not likely that this solution will solve your endpoint mapper issues. I would suggest working to solve the endpoint mapper issues instead.

Regards,
Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of roberto
Sent: Tuesday, January 25, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Seperating two domain controllers with in the same domain

Folks, I have a quick question. I have two DCs, one in Los Angeles, one in San Diego. The one in LA is the catalog server, the one in SD is the DC, and they are both running Windows 2000 servers. I would like to separate the two servers, and create two separate domains. The reason is the DCs are losing sync capabilities, for example sometimes we cannot join new computers to the domain, we get an "end point mapper is not available" error; when we get this error we restart the servers and everything goes back to normal. We have to do the above restart procedure almost every week. So I would like to separate the two DCs and create two new ones without losing the AD data, user info etc. Is this possible?

Thank you,
Robert Oytun

Sent via the WebMail system at oytun.com
[ActiveDir] Information Store Size question
Hey all... is the size of my store the sum total of the .stm and .edb files?

Thank you.

John Parker, MCSE
IS Admin. Senior Technical Specialist
Alpha Display Systems.
RE: [ActiveDir] Seperating two domain controllers with in the same domain
Hi Aric,

I think you've been deceived slightly by the topic title. The title suggests separating the DCs while they stay in the same domain, the content suggests creating two domains.

Regards,
Paul.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, January 25, 2005 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperating two domain controllers with in the same domain

Robert,

My guess is that no one on this list will recommend doing what you suggest. Creating two stovepipes of similar data would not be desired by any organization, especially when the data does not have a specific technical need (e.g. security) to be separated.

Is it possible? Yes I suppose, so long as you never want those two DCs to communicate together again and the clients supported by one DC will never have to access the resources supported by the other DC. Also keep in mind that the two DCs, and the separate domains/forests they create, will never be able to trust the same third party nor will they be able to share the same DNS or WINS infrastructure. Quite honestly the only safe way to do this is to ensure that the networks they sit on are completely isolated from each other.

More importantly, it is not likely that this solution will solve your endpoint mapper issues. I would suggest working to solve the endpoint mapper issues instead.

Regards,
Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of roberto
Sent: Tuesday, January 25, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Seperating two domain controllers with in the same domain

Folks, I have a quick question. I have two DCs, one in Los Angeles, one in San Diego. The one in LA is the catalog server, the one in SD is the DC, and they are both running Windows 2000 servers. I would like to separate the two servers, and create two separate domains. The reason is the DCs are losing sync capabilities, for example sometimes we cannot join new computers to the domain, we get an "end point mapper is not available" error; when we get this error we restart the servers and everything goes back to normal. We have to do the above restart procedure almost every week. So I would like to separate the two DCs and create two new ones without losing the AD data, user info etc. Is this possible?

Thank you,
Robert Oytun

Sent via the WebMail system at oytun.com
RE: [ActiveDir] fileacl.exe Replacement
That's the one. Thanks.

From: Peck, John C SITI-ITIPAD [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 25, 2005 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] fileacl.exe Replacement

Try SomarSoft's DumpSec (formerly known as DumpAcl): http://www.somarsoft.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, January 25, 2005 1:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] fileacl.exe Replacement

Hi, I have been using fileacl.exe to show me permissions on various directories. It does the job, but I recall a few graphical tools that gave nicer reports and easier interfaces. I have searched the archives and Google to no avail (except a reference to some expensive enterprise tools and a perl script that Joe wrote which I could not find either). Can someone point me in the right direction for such tools? (Freeware or shareware only, please)

Thanks.

-- nme
RE: [ActiveDir] Information Store Size question
The size of your public store is the sum of the priv1.stm and priv1.edb files. Your public store size is the same, but with the pub1.stm and pub1.edb files.

I do presume you're talking about Exchange here, right.. ? :o)

Regards,
Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker
Sent: Tuesday, January 25, 2005 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Information Store Size question

Hey all... is the size of my store the sum total of the .stm and .edb files?

Thank you.

John Parker, MCSE
IS Admin. Senior Technical Specialist
Alpha Display Systems.
RE: [ActiveDir] Seperating two domain controllers with in the same domain
I am not sure how it suggests that - maybe my skull is thicker today than normal. Hopefully Robert will elaborate.

Regards,
Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul van Geldrop
Sent: Tuesday, January 25, 2005 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperating two domain controllers with in the same domain

Hi Aric,

I think you've been deceived slightly by the topic title. The title suggests separating the DCs while they stay in the same domain, the content suggests creating two domains.

Regards,
Paul.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, January 25, 2005 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperating two domain controllers with in the same domain

Robert,

My guess is that no one on this list will recommend doing what you suggest. Creating two stovepipes of similar data would not be desired by any organization, especially when the data does not have a specific technical need (e.g. security) to be separated.

Is it possible? Yes I suppose, so long as you never want those two DCs to communicate together again and the clients supported by one DC will never have to access the resources supported by the other DC. Also keep in mind that the two DCs, and the separate domains/forests they create, will never be able to trust the same third party nor will they be able to share the same DNS or WINS infrastructure. Quite honestly the only safe way to do this is to ensure that the networks they sit on are completely isolated from each other.

More importantly, it is not likely that this solution will solve your endpoint mapper issues. I would suggest working to solve the endpoint mapper issues instead.

Regards,
Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of roberto
Sent: Tuesday, January 25, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Seperating two domain controllers with in the same domain

Folks, I have a quick question. I have two DCs, one in Los Angeles, one in San Diego. The one in LA is the catalog server, the one in SD is the DC, and they are both running Windows 2000 servers. I would like to separate the two servers, and create two separate domains. The reason is the DCs are losing sync capabilities, for example sometimes we cannot join new computers to the domain, we get an "end point mapper is not available" error; when we get this error we restart the servers and everything goes back to normal. We have to do the above restart procedure almost every week. So I would like to separate the two DCs and create two new ones without losing the AD data, user info etc. Is this possible?

Thank you,
Robert Oytun

Sent via the WebMail system at oytun.com
RE: [ActiveDir] Information Store Size question
Yes. That answers my question... Thank you.

John Parker, MCSE
IS Admin. Senior Technical Specialist
Alpha Display Systems.
Alpha Video
7711 Computer Ave.
Edina, MN. 55435
952-896-9898 Local
800-388-0008 Watts
952-896-9899 Fax
612-804-8769 Cell
952-841-3327 Direct
[EMAIL PROTECTED]
"Be excellent to each other"
---End of Line---

-Original Message-
From: Paul van Geldrop [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 25, 2005 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Information Store Size question

The size of your public store is the sum of the priv1.stm and priv1.edb files. Your public store size is the same, but with the pub1.stm and pub1.edb files.

I do presume you're talking about Exchange here, right.. ? :o)

Regards,
Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker
Sent: Tuesday, January 25, 2005 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Information Store Size question

Hey all... is the size of my store the sum total of the .stm and .edb files?

Thank you.

John Parker, MCSE
IS Admin. Senior Technical Specialist
Alpha Display Systems.
RE: [ActiveDir] Seperating two domain controllers with in the same domain
I agree with Aric... I don't think creating a new domain and adding DCs is going to resolve the end-point mapper error. Some questions you might want to consider:

What's the patch level on the DCs?
Do you have AV software running on the DCs?
Anything interesting in the event logs?
Does DCDIAG shed any light on the situation?
What does the DNS setup look like?

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, January 25, 2005 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperating two domain controllers with in the same domain

Apparently either Paul or I am confused as to your desire. Maybe you can elaborate.

Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul van Geldrop
Sent: Tuesday, January 25, 2005 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperating two domain controllers with in the same domain

Actually, creating two separate domains in one forest should work just fine. Access to resources will work just fine due to the two-way transitive trusts, and the replication will be much less of an issue.

However, what you might want to investigate first is the reason that the synch capabilities are lost. If the connection between the locations is unreliable, consider using SMTP replication instead of IP replication, as that is more suitable, using a store-and-forward method for replication, for unreliable connections. I'd advise trying that first, before you restructure your entire forest.

With two separate domains, replication traffic will decrease, so you are less dependent on the lines between the sites, and the issue of not being able to add machines to the domain will also be gone. And if it turns out that the lines are so unreliable that replication becomes an issue, then actually, yes, I would advise creating two separate domains.

Regards,
Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, January 25, 2005 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperating two domain controllers with in the same domain

Robert,

My guess is that no one on this list will recommend doing what you suggest. Creating two stovepipes of similar data would not be desired by any organization, especially when the data does not have a specific technical need (e.g. security) to be separated.

Is it possible? Yes I suppose, so long as you never want those two DCs to communicate together again and the clients supported by one DC will never have to access the resources supported by the other DC. Also keep in mind that the two DCs, and the separate domains/forests they create, will never be able to trust the same third party nor will they be able to share the same DNS or WINS infrastructure. Quite honestly the only safe way to do this is to ensure that the networks they sit on are completely isolated from each other.

More importantly, it is not likely that this solution will solve your endpoint mapper issues. I would suggest working to solve the endpoint mapper issues instead.

Regards,
Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of roberto
Sent: Tuesday, January 25, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Seperating two domain controllers with in the same domain

Folks, I have a quick question. I have two DCs, one in Los Angeles, one in San Diego. The one in LA is the catalog server, the one in SD is the DC, and they are both running Windows 2000 servers. I would like to separate the two servers, and create two separate domains. The reason is the DCs are losing sync capabilities, for example sometimes we cannot join new computers to the domain, we get an "end point mapper is not available" error; when we get this error we restart the servers and everything goes back to normal. We have to do the above restart procedure almost every week. So I would like to separate the two DCs and create two new ones without losing the AD data, user info etc. Is this possible?

Thank you,
Robert Oytun

Sent via the WebMail system at oytun.com
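Gil's checklist, turned into a script that runs the checks in one pass from an admin workstation. This is an added example for the archive, not something posted in the thread; the DC names are placeholders, and it assumes dcdiag and repadmin are on the path (the Support Tools on 2000/2003, in-box on 2008 and later). The "endpoint mapper is not available" error is an RPC error, so the first thing checked is whether TCP 135 and the other ports a domain join and replication need are reachable on each DC at all.

```powershell
# Added example (not from the thread): triage for "end point mapper is not available"
# between two DCs. Host names are placeholders; run from a machine with the AD tools.
param(
    [string[]]$DomainControllers = @('dc-la.corp.example', 'dc-sd.corp.example')
)

function Test-TcpPort {
    # Connect with a timeout instead of relying on ping, which is often filtered.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($dc in $DomainControllers) {
    "== $dc =="
    # DNS first: a DC whose name does not resolve fails every RPC bind before it starts.
    try {
        [System.Net.Dns]::GetHostAddresses($dc) | ForEach-Object { "  A: $($_.IPAddressToString)" }
    } catch {
        "  DNS lookup FAILED: $($_.Exception.Message)"
    }
    # 135 = RPC endpoint mapper, 389 = LDAP, 445 = SMB (SYSVOL/netlogon), 88 = Kerberos.
    foreach ($port in 135, 389, 445, 88) {
        $state = if (Test-TcpPort -ComputerName $dc -Port $port) { 'open' } else { 'BLOCKED or closed' }
        "  TCP $port : $state"
    }
}

# Patch level and AV on the DCs (two of the questions above), collected remotely.
foreach ($dc in $DomainControllers) {
    "== $dc : hotfixes and services =="
    Get-HotFix -ComputerName $dc | Sort-Object InstalledOn | Select-Object -Last 5 HotFixID, InstalledOn
    Get-Service -ComputerName $dc | Where-Object { $_.DisplayName -match 'antivirus|defender|endpoint' } |
        Select-Object Name, Status
}

# Replication and RPC health as the directory itself sees it.
dcdiag /s:$($DomainControllers[0]) /test:connectivity /test:replications /test:services
repadmin /replsummary

# Directory Service log for the last day: replication and RPC failures land here.
Get-EventLog -LogName 'Directory Service' -EntryType Error, Warning -After (Get-Date).AddDays(-1) |
    Select-Object TimeGenerated, EventID, Source, Message | Format-Table -AutoSize -Wrap
```

If TCP 135 is reachable but the higher dynamic RPC ports are not (a firewall or a WAN device between Los Angeles and San Diego dropping them), the endpoint mapper answers but the bind that follows fails, which matches a symptom that comes and goes and clears on a restart. That is a network problem, and splitting the domain would not remove it.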
RE: [ActiveDir] Information Store Size question
Ahem.. that, of course, should be:

The size of your private store is the sum of the priv1.stm and priv1.edb files. Your public store size is the same, but with the pub1.stm and pub1.edb files.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul van Geldrop
Sent: Tuesday, January 25, 2005 9:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Information Store Size question

The size of your public store is the sum of the priv1.stm and priv1.edb files. Your public store size is the same, but with the pub1.stm and pub1.edb files.

I do presume you're talking about Exchange here, right.. ? :o)

Regards,
Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker
Sent: Tuesday, January 25, 2005 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Information Store Size question

Hey all... is the size of my store the sum total of the .stm and .edb files?

Thank you.

John Parker, MCSE
IS Admin. Senior Technical Specialist
Alpha Display Systems.
RE: [ActiveDir] Seperating two domain controllers with in the same domain
Well, at first glance, the title 'Seperating two domain controllers with in the same domain' is deceiving, in my opinion, making it seem as if you'd want to have two DCs in the same domain while not communicating. The content, however, makes me believe otherwise: 'I would like to seperate two servers, and create two seperate domains.'

Dunno, maybe I'm reading it differently.. Robert, mind providing us with some more details on your predicament?

Regards,
Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, January 25, 2005 9:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperating two domain controllers with in the same domain

I am not sure how it suggests that - maybe my skull is thicker today than normal. Hopefully Robert will elaborate.

Regards,
Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul van Geldrop
Sent: Tuesday, January 25, 2005 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperating two domain controllers with in the same domain

Hi Aric,

I think you've been deceived slightly by the topic title. The title suggests separating the DCs while they stay in the same domain, the content suggests creating two domains.

Regards,
Paul.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, January 25, 2005 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperating two domain controllers with in the same domain

Robert,

My guess is that no one on this list will recommend doing what you suggest. Creating two stovepipes of similar data would not be desired by any organization, especially when the data does not have a specific technical need (e.g. security) to be separated.

Is it possible? Yes I suppose, so long as you never want those two DCs to communicate together again and the clients supported by one DC will never have to access the resources supported by the other DC. Also keep in mind that the two DCs, and the separate domains/forests they create, will never be able to trust the same third party nor will they be able to share the same DNS or WINS infrastructure. Quite honestly the only safe way to do this is to ensure that the networks they sit on are completely isolated from each other.

More importantly, it is not likely that this solution will solve your endpoint mapper issues. I would suggest working to solve the endpoint mapper issues instead.

Regards,
Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of roberto
Sent: Tuesday, January 25, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Seperating two domain controllers with in the same domain

Folks, I have a quick question. I have two DCs, one in Los Angeles, one in San Diego. The one in LA is the catalog server, the one in SD is the DC, and they are both running Windows 2000 servers. I would like to separate the two servers, and create two separate domains. The reason is the DCs are losing sync capabilities, for example sometimes we cannot join new computers to the domain, we get an "end point mapper is not available" error; when we get this error we restart the servers and everything goes back to normal. We have to do the above restart procedure almost every week. So I would like to separate the two DCs and create two new ones without losing the AD data, user info etc. Is this possible?

Thank you,
Robert Oytun

Sent via the WebMail system at oytun.com
RE: [ActiveDir] Firewalls and VPN questions
We are having exactly the same issue. We have an open call with PSS on this. For the short term, we make our standard settings the same as the domain settings. Not real wonderful, but what can we do? One of the PSS guys mentioned a trick involving unhiding the ipsecshm connectoid via a registry setting. He is supposed to be providing more information.

Please let me know if you get any resolution on this. I'll do likewise.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, January 25, 2005 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Firewalls and VPN questions

Is anybody really familiar with the GPO settings that control the XP SP2 firewall on/off network configurations?

What I'm trying to do: I'm trying to set up and test IPSEC VPN connectivity back to the corp network and use the XP SP2 firewall as the firewall of choice.

Expected results: When I am off the network, I should have full shields up. When on the corp network, it should be the settings defined via GPO, permissions, exceptions, etc.

What I've done: The on-network settings are fine. The results are exactly what was expected. The off-network settings are also fine. The results are exactly what was expected and GPOs were set to control this. Firewall is up and can't be modified etc. Perfect.

Problem: What is supposed to happen is that when you make a change to the network you're on, it's checked to see if it is on the same network that the last GPO applied was from. The key that's checked is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\Network Name. If that value matches the connection-specific setting of any of your connections (that are not SLIP or PPP) then it should assume it's on the corporate network that it last got its GPO from (i.e. its native network).

The problem I'm having is that the connection-specific entry is getting set on the VPN interface, but it's not triggering the change in networks as far as the firewall is concerned.

Questions: First off, is this what is expected? I realize that the doc also says that VPNs aren't considered in the algorithm if they're SLIP or PPP. Fair enough, but I can't tell which I'm using. It's blasted Contivity crud that really doesn't give much information at all. In fact, it shows up as an Ethernet connection, similar to the NIC. It does not, however, show up in the network settings, which is odd. It's a mini-port driver on the NIC.

Second, if this is expected, should I expect that the firewall is up for the phys NIC and not engaged for the VPN interface? In other words, is the VPN interface unable to be firewalled?

If anybody has any links or information or other newsgroups where somebody would know this I would appreciate hearing about it.

Thanks,
Al
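The network location test Al describes, reproduced as a script so you can see which profile the machine is going to land in before the firewall does. This is an added example for the archive, not code from the thread or from Microsoft. It assumes the value under Group Policy\History is named NetworkName (the message spells it "Network Name", so both spellings are read), and it uses the adapter type reported by WMI to approximate the "not SLIP or PPP" exclusion; the Contivity miniport that presents itself as Ethernet is exactly the case where that approximation shows you what the algorithm will see.

```powershell
# Added example (not from the thread): show the comparison XP SP2's firewall uses to
# decide between the Domain and Standard profile, and which adapter wins or loses it.

# 1. The network the last GPO was applied from. The thread calls the value "Network Name";
#    the registry value is NetworkName. Both are tried here (assumption) so either works.
$historyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
$props = Get-ItemProperty -Path $historyKey -ErrorAction Stop
$lastGpoNetwork = $props.NetworkName
if (-not $lastGpoNetwork) { $lastGpoNetwork = $props.'Network Name' }
"Network the last GPO came from : '$lastGpoNetwork'"

# 2. Every IP-enabled adapter with its connection-specific DNS suffix (DNSDomain), joined
#    to the adapter record so PPP/SLIP-type links can be flagged as the algorithm ignores them.
$configs  = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$adapters = Get-CimInstance Win32_NetworkAdapter
$matched  = $false

foreach ($cfg in $configs) {
    $nic      = $adapters | Where-Object { $_.Index -eq $cfg.Index }
    $isDialup = $nic.AdapterType -match 'PPP|SLIP|Wide Area Network'
    $suffix   = $cfg.DNSDomain
    $verdict  = if ($isDialup) {
                    'ignored (PPP/SLIP-type link)'
                } elseif ($suffix -and ($suffix -eq $lastGpoNetwork)) {
                    $matched = $true; 'MATCH -> counts as the corporate network'
                } else {
                    'no match'
                }
    '{0,-36} type={1,-24} suffix={2,-22} {3}' -f $nic.NetConnectionID, $nic.AdapterType, "'$suffix'", $verdict
}

# 3. Result. A VPN adapter that reports an Ethernet type with the right suffix will match here;
#    if the live firewall still shows Standard, the adapter is being excluded for another reason.
'Expected firewall profile        : ' + $(if ($matched) { 'Domain' } else { 'Standard' })
```

Reading the output next to `netsh firewall show state` (the XP SP2 firewall's own view of the active profile) tells you whether the adapter is failing the suffix comparison or being skipped before the comparison is made, which is the distinction Al's two questions turn on. From a hardening standpoint the safe failure is the one he already has: an unmatched network falls to the Standard profile with the stricter rule set.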
RE: [ActiveDir] AD - Modify Query Limits
You really don't want to do this, to be quite honest. The tool should support paged queries, because you can't keep just cranking up the number of values that can be returned arbitrarily: it can impact the performance and stability of your DCs. If it doesn't support paged queries, beat Softerra about the ears about it. I expect that if they don't do paging they probably have other issues like not supporting ranging, etc.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: Tuesday, January 25, 2005 2:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD - Modify Query Limits

Gil,

Thanks for the quick reply. I will give this a shot and let you know.

Regards,
Jerry

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Tuesday, January 25, 2005 2:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD - Modify Query Limits

Try this: http://support.microsoft.com/default.aspx?scid=kb;en-us;315071sd=tech

-gil

Gil Kirkpatrick
CTO, NetPro

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: Tuesday, January 25, 2005 12:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD - Modify Query Limits

Trying to use Softerra LDAP browser, nice tool, but running into LDAP query policy limiting access to only 1,000 objects. Can someone help with what it takes to change the AD Query Policy to allow more returns?

Thanks,
Jerry
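As an added example (not code from this thread, from Softerra or from the list), the two client-side techniques joe names, paged search and range retrieval, done through System.DirectoryServices in PowerShell so that MaxPageSize on the DCs can stay at its default; the search base and group DN are placeholders and the machine is assumed to be domain-joined.

```powershell
# Added example, not from the list thread. Placeholders: $SearchRoot and $GroupDn.
# Paged search: a non-zero PageSize makes ADSI attach the paged-results control and
# fetch page after page, so the 1,000-object policy limit never truncates the result.
function Get-AllUsersPaged {
    param(
        [string]$SearchRoot = "LDAP://DC=example,DC=com",  # placeholder search base
        [int]$PageSize = 500                               # keep at or below MaxPageSize (default 1000)
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
    $searcher.PageSize = $PageSize          # turns on paging; the DC returns at most this many per page
    $searcher.SizeLimit = 0                 # no client-side cap; paging, not truncation, bounds each round trip
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) { [string]$r.Properties["samaccountname"][0] }
    } finally {
        $results.Dispose()                  # release the server-side search handle
    }
}

# Range retrieval: a multi-valued attribute such as member is served in chunks
# (Windows 2003 hands back at most 1500 values per chunk), so a tool that does not
# "range" sees an incomplete member list on large groups.
function Get-GroupMembersRanged {
    param(
        [string]$GroupDn = "CN=Big Group,OU=Groups,DC=example,DC=com",  # placeholder group DN
        [int]$RangeSize = 1500
    )
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$GroupDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.Filter = "(objectClass=*)"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
    $members = New-Object System.Collections.Generic.List[string]
    $low = 0
    do {
        $high = $low + $RangeSize - 1
        $searcher.PropertiesToLoad.Clear()
        [void]$searcher.PropertiesToLoad.Add("member;range=$low-$high")
        $result = $searcher.FindOne()
        # The DC names the returned attribute member;range=<low>-<high>, or
        # member;range=<low>-* when this chunk is the final one.
        $attrName = $result.Properties.PropertyNames | Where-Object { $_ -like "member;range=*" }
        if (-not $attrName) { break }      # empty group, or no values past $low
        foreach ($dn in $result.Properties[$attrName]) { $members.Add([string]$dn) }
        $last = $attrName.EndsWith("*")
        $low = $high + 1
    } while (-not $last)
    return $members
}
```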
RE: [ActiveDir] Sites VS domains in a distributed global environment.
Thanks Brian and Guido, I really appreciate the help. A single domain under an empty root makes sense to me in my environment, but I really like to get other opinions before I start a project of this size. I have only been here 11 months and I haven't seen or heard of any company being divested. The most I've seen is companies being merged, so I'm not sure the overhead and added complexity of a multi-forest environment would be worth it, but I'll definitely keep it in mind. Thanks again.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, January 24, 2005 11:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sites VS domains in a distributed global environment.

Fully agreed - there is no benefit in giving all those companies a child-domain under your root. No problem putting them in a single domain - the work involved to get there will pay off soon. If you were to say that besides acquiring approx. 1 company every 6 months you were also divesting maybe 1 per year, then it could be worth thinking about a multi-forest deployment, as once the company/users are in the same forest (regardless of single domain or in a child-domain of the same forest), you can't easily take them out of the forest. Naturally, a multi-forest scenario involves some extra planning and other tools to manage the infrastructure as one - especially to make it work smoothly with your single Exchange Org.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, January 25, 2005 5:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sites VS domains in a distributed global environment.

This sounds like a damn good candidate for a single domain empty root (given your current arrangement). Having a domain for 20 to 250 people is really a waste of resources unless you have some political or technical requirement. You can easily have hundreds of thousands of users in a domain without much problem if managed properly, so you're not going to be in the danger zone for quite a while. Just my two cents.

Thanks.
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Monday, January 24, 2005 10:21 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Sites VS domains in a distributed global environment.

Hello,

I have inherited an environment where all of the companies acquired by our parent company were migrated into the forest in their own domain under an empty root 2003 domain. Right now there are about 20 companies ranging from 20 to 250 employees needing to be migrated into our forest and I'm looking at changing the way we migrate them in. There are approximately 1200 employees total, but we acquire a new company about every six months to a year. I'm thinking of consolidating all of the existing domains into one under the root and setting up sites. Then I would migrate the remaining companies into that domain. There would be a DC/GC in each location. Most will be accessing the Exchange 2003 server in the datacenter. Each company is subject to the same group policies and each has a high speed connection with a permanent VPN to the datacenter.

So my question is, aside from the amount of work involved, is there a downside to having a large global corporation on a single domain with sites set up with a DC/GC in each office? Are there benefits to having multiple domains in a forest when all of the companies are subject to the same group policies? Again, any advice is appreciated.

Mike Newell
RE: [ActiveDir] Sites VS domains in a distributed global environment.
Deji,

The way that I read the original post, he was going to consolidate into a single child domain under a Top Level Domain (i.e. he ends up with a forest that consists of a TLD placeholder domain and a single child domain under that). If that is the scenario, all of the forest locator information is going to end up in the _msdcs zone of the TLD (_msdcs.tld.com). If he ends up in a true single domain forest and on AD integrated DNS then he does not need to worry about moving secondaries around and I mis-read the original post.

Given that the assumption is that the site does not have a TLD DNS server on-site: In the perfect world of no network outages it would be acceptable to have the child DCs/DNS servers forward to the TLD DCs/DNS servers, and that would be where the client eventually gets their forest locator records from via the forwarding relationship. The downside to this is that if the network link goes down and the DNS server at the child site cannot reach a TLD DNS server, the client is going to log on with cached credentials. This is bad in a Kerberos environment.

The alternative to this is to place a DC/DNS server for the TLD on each child site. This would ensure that even if the link is down the child DNS server would be able to forward to a TLD DNS server and get the forest locator records. Of course, this would mean buying more boxes.

The trick with the secondaries is mostly to cover network outages when there is not a TLD DNS server on the child site. Even with the secondary, you would still forward DNS traffic from the child DC/DNS server to the TLD DC/DNS server to get the rest (non _msdcs.tld.com) of the DNS info for the TLD. In addition, in my specific case, my TLD forwards to a legacy DNS backbone and ultimately to a split DNS to get Internet DNS resolution back to the client.

The tradeoff here is that you cover the possibility of a network outage by creating the secondaries on the child DNS server (admittedly also creating a little more admin work).

Frank

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, January 25, 2005 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sites VS domains in a distributed global environment.

With apologies to the original poster, I would like to hijack this thread and respond to Frank's idea on this:

> DNS - If you use AD integrated DNS for your AD domains (I did), make sure that each of your child DCs has a standard secondary of the TLD _msdcs zone and then have the clients use their site DC as their DNS server. This is related to the logon requirements for an AD account in a multi-domain forest. Be careful how you grab the secondary from the TLD zone because you can end up with SOA problems if the TLD DNS is AD integrated.

I am somewhat confused on this point, especially considering that you agreed that a single domain would suffice for the requirements of the scenario under discussion. If he has only one domain, then this is moot, no?

Aside from that, I am still confused about the reasoning behind creating secondary zones of the TLD in child domains where there is a child-parent relationship. The rationale you mentioned (This is related to the logon requirements for an AD account in a multi-domain forest) can be easily accomplished by simply configuring the child DNS servers to forward to the TLD DNS servers. This will avoid the need to manage secondary zones and requires no on-going maintenance whatsoever. I know that Frank is not alone in making this recommendation, but I still can't grasp (or agree with) the technical rationale. I have been known to be slow at times. Is this one of those times?

What are the advantages of secondarying parent zones from children or child zones from parent (or even inter-children zone secondaries) over configuring parent-to-child delegation and child-to-parent forwarding?

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
RE: [ActiveDir] Information Store Size question
That's how I read it the first time. The mind plays tricks with information we already know, I suppose ;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul van Geldrop
Sent: Tuesday, January 25, 2005 4:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Information Store Size question

Ahem.. that, of course, should be: The size of your private store is the sum of the priv1.stm and priv1.edb files. Your public store size is the same, but with the pub1.stm and pub1.edb files.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul van Geldrop
Sent: Tuesday, January 25, 2005 9:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Information Store Size question

The size of your public store is the sum of the priv1.stm and priv1.edb files. Your public store size is the same, but with the pub1.stm and pub1.edb files. I do presume you're talking about Exchange here, right.. ? :o)

Regards,
Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker
Sent: Tuesday, January 25, 2005 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Information Store Size question

Hey all... is the size of my store the sum total of the .stm and .edb files? Thank you.

John Parker, MCSE
IS Admin. Senior Technical Specialist
Alpha Display Systems.
RE: [ActiveDir] Sites VS domains in a distributed global environment.
Not to confuse the issue, but what I would end up with is a root domain with Exchange and SQL in it (already set up this way) and a separate domain tree, not a child domain of the root. I don't really have much choice regarding Exchange unless I want to rebuild in a different domain. It's set up this way now; the only difference would be I'd only have one domain and the root, instead of 25 or 30 separate domain trees for each company we own. DNS is AD integrated. Again, I inherited this and I am looking for a better way to build our environment. Would a child domain of the root be a better option? Again, I appreciate the input. Thanks.

Mike Newell
Information Systems Manager
OSI Systems

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, January 25, 2005 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sites VS domains in a distributed global environment.
RE: [ActiveDir] Trust Problems
Yes,,,

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Tuesday, January 25, 2005 10:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Trust Problems

In the lmhosts file did you:
1. rename it to not have any extension
2. use the #PRE and #DOM entries

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Tuesday, January 25, 2005 8:06 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Trust Problems

So I have a 2-way external trust from a Windows 2000 forest to a Windows 2003 forest. I'm in the process of migrating the 2000 forest to the 2003 forest because of a merger. I'm using NETIQ's Domain Migration Administrator to help in the migration. I'm running DNS and WINS, and the WINS have the push/pull set up between the 2 domain controllers in the 2 domains. Also I can ping both domain controllers and domain names. I also have the DNS set to forward to each other.

Everything was working and I was able to copy over some test accounts and groups. Today from the Windows 2000 side I can verify the trust account. From the Windows 2003 trusting side I keep getting "There are currently no logon servers available to service the logon request." I've used NETDOM to query / verify / and reset the trust. I still get "there are currently no logon servers available to service the logon request" every time from the 2003 side. I have rebooted both domain controllers and have added each domain and domain controller in each server's Hosts and LMHOSTS files. Any idea on where to go next would be great! I'm going to break and re-setup the trust right now.

Thanks
Mike
RE: [ActiveDir] Trust Problems
If you have to resort to lmhosts and hosts files in a 2K3/2K environment, something is wrong with DNS. Ahem... now that I have demonstrated that I am a genius at stating the obvious. :-p

Let's comment out the entries you put in those files and configure the DCs to not use lmhosts (in TCP/IP properties). Since the problem is manifesting itself on the 2K3 side, let's create a stub zone of the 2K domain on the 2K3 DNS servers. Let's make sure that DNS is functioning correctly on the 2K side and that no obvious errors are screaming at you in the event log. Then let's ensure that the DC(s) we will be using in the stub zone configuration can actually resolve records (especially SRV ones) without problems. Above all, we want to ensure that all DNS servers configured in TCP/IP are local - no ISP (I'm sure you know this already, but, remember, I'm a genius :)). Then let's restart DNS and netlogon on both sides and see if we accomplish anything.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Mike Hogenauer
Sent: Tue 1/25/2005 5:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Trust Problems
RE: [ActiveDir] Separating two domain controllers within the same domain
Bert and Paul,

Thank you for all your help. My priority is to sync the two DCs, but if the link keeps failing I have to separate the two DCs. I have just restarted both servers; it seems like they are synchronizing again. But I really need detailed documentation to separate two DCs and place them in two separate domains. I was unable to locate such a doc. If you find it please let me know. Thank you again.

Robert Oytun

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, January 25, 2005 12:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Separating two domain controllers within the same domain

Robert,

My guess is that no one on this list will recommend doing what you suggest. Creating two stovepipes of similar data would not be desired by any organization, especially when the data does not have a specific technical need (e.g. security) to be separated. Is it possible? Yes, I suppose, so long as you never want those two DCs to communicate together again and the clients supported by one DC will never have to access the resources supported by the other DC. Also keep in mind that the two DCs, and the separate domains/forests they create, will never be able to trust the same third party, nor will they be able to share the same DNS or WINS infrastructure. Quite honestly the only safe way to do this is to ensure that the networks they sit on are completely isolated from each other. More importantly, it is not likely that this solution will solve your endpoint mapper issues. I would suggest working to solve the endpoint mapper issues instead.

Regards,
Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of roberto
Sent: Tuesday, January 25, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Separating two domain controllers within the same domain

Folks,

I have a quick question. I have two DCs, one in Los Angeles, one in San Diego. The one in LA is the catalog server, the one in SD is the DC, and they are both running Windows 2000 servers. I would like to separate the two servers and create two separate domains. The reason is the DCs are losing sync capabilities; for example, sometimes we can not join new computers to the domain, we get an "end point mapper is not available" error, and when we get this error we restart the servers and everything goes back to normal. We have to do the above restart procedure almost every week. So I would like to separate the two DCs and create two new ones without losing the AD data, user info etc. Is this possible?

Thank you,
Robert Oytun

Sent via the WebMail system at oytun.com
RE: [ActiveDir] Separating two domain controllers within the same domain
Robert, as far as I can see, if you have only one domain, only the root domain in the forest, and you think you will never connect these DCs again:

1) make both DCs global catalog servers,
2) disconnect them, so you would be able on both of them to seize the FSMO roles which they are missing - the KB article is here: http://support.microsoft.com/default.aspx?scid=kb;en-us;255504 (you should be certain that they are disconnected before you begin)
3) Then remove the disconnected DC on both sides, as if it had failed. There is a KB article on how to remove a DC after unsuccessful demotion: http://support.microsoft.com/default.aspx?scid=kb;en-us;216498

Note, I never did this myself, so check each of my suggestions.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert Oytun
Sent: Wednesday, January 26, 2005 8:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Separating two domain controllers within the same domain
[ActiveDir] Remote Desktop functionality on Windows 2003
Hi all from sunny South Africa

Does anyone know if it's possible to turn on Remote Desktop for Windows 2003 by GPO? We are rolling out a whole lot of W2K3 servers and always seem to forget to turn on this feature :-) ;(

Regards
Peter Johnson
Re: [ActiveDir] Remote Desktop functionality on Windows 2003
Computer Configuration, Administrative Templates, Windows Components, Terminal Services. Enable "Allow users to connect remotely using Terminal Services".

Nathan Casey
Network Analyst
WGS-ISD County of Sonoma
[EMAIL PROTECTED]
(707) 565-3519

[EMAIL PROTECTED] 01/25/05 10:46 PM