RE: [ActiveDir] Schema Extension

2006-02-09 Thread Alex Fontana

And now I can honestly say that I can
follow this thread and not be completely lost... thanks chapter
3 of the book in the signature for a great schema refresh! ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, February 06, 2006 5:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Extension

I would recommend starting here

http://msdn.microsoft.com/library/default.asp?url=

Or buying either the book in the signature
or Inside Directory Second Edition by Sakari Kouti.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Monday, February 06, 2006 6:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Extension

Does anyone know of a supported procedure to extend the
schema in Windows 2003 SP1 FFL AD?

This message contains confidential information and is intended only 
for the individual or entity named. If you are not the named addressee
you should not disseminate, distribute or copy this e-mail. 
Please notify the sender immediately by e-mail if you have received 
this e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed, arrive
late or incomplete, or contain viruses. The sender therefore does not
accept liability for any errors or omissions in the contents of this 
message which arise as a result of e-mail transmission. 
If verification is required please request a hard-copy version.
This message is provided for informational purposes and should not
be construed as an invitation or offer to buy or sell any securities or
related financial instruments.
GAM operates in many jurisdictions and is 
regulated or licensed in those jurisdictions as required.


[ActiveDir] Active Directory Exchange Server

2006-02-09 Thread marwahashem


Dear All,

As I am still new to the Exchange & Active Directory.

Now, I have here in my environment one Exchange server & one Main Domain
Controller & one Backup Domain Controller.

All the servers are Windows Server 2003 Enterprise Edition.

Now, I want to know, how the Exchange server knows that when a message comes
to this user, this user's mailbox is located on this domain controller or
located on this Exchange server?

For example, I have 2 domains as follows:

A- KTA.com
B- SUN.KTA.com

Now, the users in KTA have the domain controller named DC1, and we have the
Exchange server responsible for the 2 child domains.

How now, does the Exchange server know that?

Thanks & Best Regards,
Marwa,
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] MS Exchange

2006-02-09 Thread Atila Firmino

Hi All,

Does anyone have any good tips or links that talk about updating mail box information in exchange 5.5 with LDAP?

Thanks

Atila Firmino


[ActiveDir] Delegation of permissions

2006-02-09 Thread Mark Parris
Dear All,

I have been asked to delegate some permissions on user objects so that the 
users can update certain fields that are not self writable by default. 
Initially I thought just find the required attributes and add authenticated 
users read and write, but thinking about it I think this would enable all 
authenticated users to write to these attributes. So could someone please give 
me a pointer to enable only the user to update their own details and not 
everyone else's.

Make sense?

Mark

Mark


RE: [ActiveDir] Delegation of permissions

2006-02-09 Thread Wyatt, David

Can you use the built-in security principal called SELF?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 09 Feb 2006 11:53
To: ActiveDir.org
Subject: [ActiveDir] Delegation of permissions


Dear All,

I have been asked to delegate some permissions on user objects so that
the users can update certain fields that are not self writable by
default. Initially I thought just find the required attributes and add
authenticated users read and write, but thinking about it I think this
would enable all authenticated users to write to these attributes. So
could someone please give me a pointer to enable only the user to
update their own details and not everyone else's.

Make sense?

Mark

Mark


Re: [ActiveDir] Delegation of permissions

2006-02-09 Thread Mark Parris
I was thinking of that but wanted clarification that it was correct and it did 
not do something stupid or this principal translated to me during delegation.

Mark
-Original Message-
From: Wyatt, David [EMAIL PROTECTED]
Date: Thu, 9 Feb 2006 12:24:21 
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation of permissions


Can you use the built-in security principal called SELF?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 09 Feb 2006 11:53
To: ActiveDir.org
Subject: [ActiveDir] Delegation of permissions


Dear All,

I have been asked to delegate some permissions on user objects so that
the users can update certain fields that are not self writable by
default. Initially I thought just find the required attributes and add
authenticated users read and write, but thinking about it I think this
would enable all authenticated users to write to these attributes. So
could someone please give me a pointer to enable only the user to
update their own details and not everyone else's.

Make sense?

Mark

Mark
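
How the SELF suggestion in this thread can be applied, as an added example that is not part of any list member's post: the script grants read/write on a few attributes to SELF rather than to Authenticated Users, then lists the resulting ACEs for review. The OU, the attribute list and the variable names are assumptions chosen for illustration, and the script assumes dsacls.exe reports failure through its exit code.

```powershell
# Added example. Assumed values (not from the thread): the OU and the attribute list.
$ou         = 'OU=Staff,DC=example,DC=com'
$attributes = 'telephoneNumber', 'mobile', 'physicalDeliveryOfficeName'

foreach ($attr in $attributes) {
    # Too broad (the first idea raised in the thread), kept commented out for contrast:
    # any authenticated account could then write $attr on every user under $ou.
    #   dsacls.exe $ou /I:S /G "NT AUTHORITY\Authenticated Users:RPWP;$attr;user"

    # Scoped grant. The ACE is stored with the well-known SELF SID (S-1-5-10).
    # At access-check time SELF stands for the object being accessed, so the ACE
    # matches only when the caller is that user object. It is not resolved to the
    # administrator who writes the ACL.
    #   /I:S          inherit to sub-objects only (the OU itself is not affected)
    #   RPWP          read property + write property
    #   ;$attr;user   restrict the grant to this attribute on user objects
    & dsacls.exe $ou /I:S /G "NT AUTHORITY\SELF:RPWP;$attr;user"

    # Assumption: a non-zero exit code means the ACE was not written.
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed for attribute '$attr' (exit code $LASTEXITCODE)"
    }
}

# Review step: show every ACE on the OU that names SELF, so the change can be
# compared against the intended attribute list before it is signed off.
& dsacls.exe $ou | Select-String -Pattern 'SELF'
```

Accounts protected by AdminSDHolder do not inherit ACEs from the OU, so this grant does not reach them.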


Re: [ActiveDir] Schema Extension

2006-02-09 Thread Tomasz Onyszko

Dean Wells wrote:

I really don't agree in the confined scenario Ulf described.  Can you
explain your point further or is it merely an issue of Microsoft supporting
it?


OK, You've got me - when I think about it, it should not cause any 
trouble. Ulf's procedure is not an attempt to do an authoritative restore, so 
it is not a case of schema recovery but an ordinary failed DC recovery 
procedure.


Nothing was replicated, nothing was broken already in the production 
environment so why not perform a restore of the DC and bring it back to the 
domain? This is the same case as when You are performing forest recovery 
from the backup.


No, I don't have any other point than my habits and the way I used to do 
such things, which obviously limited my point of view on the proposed 
solution - that's a shame for me.
I've never tried the procedure Ulf described in the lab and fortunately 
I haven't had to test it in real life.


I don't think that this goes under the unsupported category - this is 
simply a DC recovery procedure.


As Ulf said  (...)  don't write tired and exhausted. (...) or late in 
the evening.



--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)


Re: [ActiveDir] MS Exchange

2006-02-09 Thread Al Mulnick
What? Other than upgrade to 2003? 

It can be done, but there are some code pieces that won't be the same in 5.5 as they are in 2003 FWIW. 

What exactly do you want to modify via LDAP? Is this something you want to write in house or use a third party tool to do? 

One gotcha (you can find information about it on MSDN) is that to see the hidden objects you'll need to log in as an admin. An additional piece is that you'll often have to adjust the amount of objects returned in order to be functional in some actions.


Sites are always fun. 

Come to think of it, it's WAY easier to do this in 2003/AD ;)
-ajm
On 2/9/06, Atila Firmino [EMAIL PROTECTED] wrote:

Hi All, 
Does anyone have any good tips or links that talk about updating mail box information in exchange 5.5 with LDAP? 
Thanks 
Atila Firmino 


Re: [ActiveDir] Active Directory Exchange Server

2006-02-09 Thread Al Mulnick
You have mailboxes located on the domain controller? 

Your question is not really an Exchange question, but a SMTP routing question. Could be related in some distant way to DNS. 

Can you clarify what you are trying to do and what causes you to ask the question? That may help us understand what's going on. 

Al
On 2/8/06, marwahashem [EMAIL PROTECTED] wrote:

Dear All,

As I am still new to the Exchange & Active Directory.

Now, I have here in my environment one Exchange server & one Main Domain
Controller & one Backup Domain Controller.

All the servers are Windows Server 2003 Enterprise Edition.

Now, I want to know, how the Exchange server knows that when a message comes
to this user, this user's mailbox is located on this domain controller or
located on this Exchange server?

For example, I have 2 domains as follows:

A- KTA.com
B- SUN.KTA.com

Now, the users in KTA have the domain controller named DC1, and we have the
Exchange server responsible for the 2 child domains.

How now, does the Exchange server know that?

Thanks & Best Regards,
Marwa,



RE: [ActiveDir] MS Exchange

2006-02-09 Thread Atila Firmino



Thanks.

I need to update information like phone number for 
example. For many reasons we can't migrate to exchangeW2K for now... So I 
will build a VBScript to do this. What do you think?

Atila Firmino


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, 9 February 2006 11:12
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS Exchange

What? Other than upgrade to 2003? 

It can be done, but there are some code pieces that won't be the same in 
5.5 as they are in 2003 FWIW. 

What exactly do you want to modify via LDAP? Is this something you want to 
write in house or use a third party tool to do? 

One gotcha (you can find information about it on MSDN) is that to see the 
hidden objects you'll need to log in as an admin. An additional piece is 
that you'll often have to adjust the amount of objects returned in order to be 
functional in some actions. 

Sites are always fun. 

Come to think of it, it's WAY easier to do this in 2003/AD ;)
-ajm
On 2/9/06, Atila Firmino [EMAIL PROTECTED] wrote: 

  Hi All, 
  Does anyone have any good tips or links that talk about 
  updating mail box information in exchange 5.5 with LDAP? 
  Thanks 
  Atila Firmino 



[ActiveDir] DR implementation planning

2006-02-09 Thread Charlie Kaiser
Hi all. 
We are finally getting our DR project going, and I'm looking for good
resources for design/implementation.

We have a small business; under 100 users. Running W2K3 AD (2 DCs in one
location), E2K3, Cisco Unity VM, home-grown intranet on IIS, LOB app
contained in-house. Around 30 remote SOHO users connecting via VPN.
Current backup consists of Backup Exec 9.x running backup-to-disk and
then copies to tapes which are moved and stored offsite.

I have relatively complete design authority, and am starting with a
clean slate. A couple of basic parameters. We will be building the DR
site in our parent company's datacenter and currently have frame
circuits to their corp net (not sure if we'll have direct to the data
center or not). We want to utilize HP blade servers and VMWare as much
as possible. The management goal is to virtualize the entire
infrastructure, although it is recognized that this may not be entirely
possible. We want the DR site to be fully vendor supported, so
virtualization will depend largely on vendor support. The site will be
required to support ~50% of our user base for up to 30 days. We would
prefer to avoid utilizing 3rd party replication apps and stick with
native tools if possible.

This will be a warm DR site with once-per-day replication with
production; recovery within 24 hours is the goal. Losing the current
day's work is acceptable. We have ~6 weeks for design and ~10 weeks
after that for build/test, including fire drill.

We start the design meetings today. I'm interested in pointers to any
good whitepapers, references, and recommendations. Also interested in
what has worked (or failed!) for others with similar criteria. While
there's no shortage of information on the net about DR planning and
implementation, I'm interested in what the experts here have found to be
valuable. I remember DEC a couple of years ago had some great DR stuff,
but my event logs have overwritten most of that by now, and I don't
remember if there was a proceedings DVD or anything on that. Plus, two
years is a long time; methods and the like have changed since then.

Thanks!

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**


RE: [ActiveDir] Active Directory Exchange Server

2006-02-09 Thread Navroz Shariff



Marwa,

Check this site out:

http://www.msexchange.org/tutorials/Using_SMTP_Connector_Internally.html

It talks about routing and SMTP connectors.

Maybe it's what you're looking for.

I don't understand the question well but let me say 
that since you have a DC, BDC, and Exchange, I am assuming that the exchange 
has a public address to which mail from the internet is routed to, assuming 
that the domain is registered.

-Nav


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, February 09, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory & Exchange Server

You have mailboxes located on the domain controller? 

Your question is not really an Exchange question, but a SMTP routing 
question. Could be related in some distant way to DNS. 

Can you clarify what you are trying to do and what causes you to ask the 
question? That may help us understand what's going on. 

Al
On 2/8/06, marwahashem [EMAIL PROTECTED] wrote: 

Dear All,

As I am still new to the Exchange & Active Directory.

Now, I have here in my environment one Exchange server & one Main Domain
Controller & one Backup Domain Controller.

All the servers are Windows Server 2003 Enterprise Edition.

Now, I want to know, how the Exchange server knows that when a message comes
to this user, this user's mailbox is located on this domain controller or
located on this Exchange server?

For example, I have 2 domains as follows:

A- KTA.com
B- SUN.KTA.com

Now, the users in KTA have the domain controller named DC1, and we have the
Exchange server responsible for the 2 child domains.

How now, does the Exchange server know that?

Thanks & Best Regards,
Marwa,
  


RE: [ActiveDir] Active Directory Exchange Server

2006-02-09 Thread Alborzfard, Alex
Your question is not very clear to me either, but I'll take a stab at
it:

1- Mailboxes are NOT physically located on DC, but on Exchange server's
Information Store.
2- Email is only an attribute of the user's AD account, not a separate
entity.
3- When Exchange is set up initially, the domains it is responsible for
handling the email for are defined. You can find this setting in the
default policies of Exchange via system manager. 
4- When Exchange receives an email for a user, via DNS, it queries and
locates the domain controller on which the user's AD account is located.
If an account exists and has that email address ASSOCIATED with it, it
stores the email in that user's mailbox on the Exchange server.

I hope this gives you the answer you were looking for. If not, let me
know and I'll try to explain this further.


Alex Alborzfard

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of marwahashem
Sent: Wednesday, February 08, 2006 5:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory  Exchange Server 



Dear All, 

As I am still new to the Exchange & Active Directory.

Now, I have here in my environment one Exchange server & one Main Domain
Controller & one Backup Domain Controller.

All the servers are Windows Server 2003 Enterprise Edition.

Now, I want to know, how the Exchange server knows that when a message comes
to this user, this user's mailbox is located on this domain controller or
located on this Exchange server?

For example, I have 2 domains as follows:

A- KTA.com
B- SUN.KTA.com

Now, the users in KTA have the domain controller named DC1, and we have the
Exchange server responsible for the 2 child domains.

How now, does the Exchange server know that?

Thanks & Best Regards,
Marwa,


[ActiveDir] Merging Multiple AD Groups

2006-02-09 Thread Frank Abagnale
I have two global groups which I need to merge the users in both into one new group. What is the best way to do this, I have used DSGET & DSMOD but it complains about existing users... any ideas?
	

[ActiveDir] Who would have thunk it....

2006-02-09 Thread joe



http://blogs.msdn.com/brettsh/archive/2006/02/09/528708.aspx



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




Re: [ActiveDir] Who would have thunk it....

2006-02-09 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

sound of Susan falling on the floor

joe wrote:


http://blogs.msdn.com/brettsh/archive/2006/02/09/528708.aspx
 
 
--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




Re: [ActiveDir] Who would have thunk it....

2006-02-09 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Are we truly sure it's him though?  Not a rogue developer who hacked 
into his blog and posted?


It could be a compromised blog.

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:


sound of Susan falling on the floor

joe wrote:


http://blogs.msdn.com/brettsh/archive/2006/02/09/528708.aspx
 
 
--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm  
 






--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




Re: [ActiveDir] Who would have thunk it....

2006-02-09 Thread AdamT
On 2/9/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED] wrote:
 Are we truly sure it's him though?  Not a rogue developer who hacked
 into his blog and posted?

 It could be a compromised blog.

I checked the date.  It didn't say April 1st.

--
AdamT
'Thank-you for not requesting read receipts'


Re: [ActiveDir] Who would have thunk it....

2006-02-09 Thread Martin Tuip

It could confirm things ;)

Martin

- Original Message - 
From: AdamT [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, February 09, 2006 9:51 AM
Subject: Re: [ActiveDir] Who would have thunk it


On 2/9/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED] wrote:

Are we truly sure it's him though?  Not a rogue developer who hacked
into his blog and posted?

It could be a compromised blog.


I checked the date.  It didn't say April 1st.

--
AdamT
'Thank-you for not requesting read receipts'


RE: [ActiveDir] DR implementation planning

2006-02-09 Thread Gil Kirkpatrick
Guido and I did a DR webinar a few months back, and an associated
whitepaper... You can get the whitepaper at
http://www.netpro.com/welcome/disasterrecovery/index.cfm. The last I
looked, you had to register for it (email address, etc.)

We recorded the webinar as well. You can get to it at
http://www.netpro.com/forum/files/AD_Disaster_Recovery.wmv. Same
registration requirements.

We are also hosting an all-day DR pre-conference workshop for DEC this
year. See www.dec2006.com.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Thursday, February 09, 2006 7:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DR implementation planning

Hi all. 
We are finally getting our DR project going, and I'm looking for good
resources for design/implementation.

We have a small business; under 100 users. Running W2K3 AD (2 DCs in one
location), E2K3, Cisco Unity VM, home-grown intranet on IIS, LOB app
contained in-house. Around 30 remote SOHO users connecting via VPN.
Current backup consists of Backup Exec 9.x running backup-to-disk and
then copies to tapes which are moved and stored offsite.

I have relatively complete design authority, and am starting with a
clean slate. A couple of basic parameters. We will be building the DR
site in our parent company's datacenter and currently have frame
circuits to their corp net (not sure if we'll have direct to the data
center or not). We want to utilize HP blade servers and VMWare as much
as possible. The management goal is to virtualize the entire
infrastructure, although it is recognized that this may not be entirely
possible. We want the DR site to be fully vendor supported, so
virtualization will depend largely on vendor support. The site will be
required to support ~50% of our user base for up to 30 days. We would
prefer to avoid utilizing 3rd party replication apps and stick with
native tools if possible.

This will be a warm DR site with once-per-day replication with
production; recovery within 24 hours is the goal. Losing the current
day's work is acceptable. We have ~6 weeks for design and ~10 weeks
after that for build/test, including fire drill.

We start the design meetings today. I'm interested in pointers to any
good whitepapers, references, and recommendations. Also interested in
what has worked (or failed!) for others with similar criteria. While
there's no shortage of information on the net about DR planning and
implementation, I'm interested in what the experts here have found to be
valuable. I remember DEC a couple of years ago had some great DR stuff,
but my event logs have overwritten most of that by now, and I don't
remember if there was a proceedings DVD or anything on that. Plus, two
years is a long time; methods and the like have changed since then.

Thanks!

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**


RE: [ActiveDir] Exchange - ESM - All Address Lists and All Global Address Lists disappeared

2006-02-09 Thread Victor W.



I want to thank everybody who contributed to this thread. 
The problem has been solved :-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, 8 February 2006 17:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared

True, except if you install the RDP client on Windows 2000... :o))

Regards,
Yann TIROA
Centre de Ressources Informatique.
Campus Scientifique de la DOUA.
Bât. Gabriel Lippmann - 2 ème étage - salle 238.
43, Bd du 11 Novembre 1918.
69622 Villeurbanne Cedex.
Web: www.univ-lyon1.fr


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Wednesday, 8 February 2006 16:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared


Not with Windows 2000 :-)

Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 08 February 2006 13:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared

Hi,

Just launch the RDP client with the /console switch, like this: mstsc /console. This will give you an interactive logon to your server.

Regards,
Yann TIROA
Centre de Ressources Informatique.
Campus Scientifique de la DOUA.
Bât. Gabriel Lippmann - 2 ème étage - salle 238.
43, Bd du 11 Novembre 1918.
69622 Villeurbanne Cedex.
Web: www.univ-lyon1.fr


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Wednesday, 8 February 2006 12:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared
One tiny little point which might be worth adding – don’t try doing this using a remote desktop 
session as I did the other week. I sat there cursing the machine, confident that 
I’d got the syntax etc right. It was only much later when I looked at the real 
console screen that I saw lots of cmd windows which had all opened and were 
running in the local system context …

Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 06 February 2006 19:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared



Yes.





1) Go to Start - Execute and type cmd.exe

2) Then you will have to type this command: "at your_local_time + 1mn /interactive cmd.exe" (without quotes).

Example: if your local time is 20:05, then you will type "at 20:06 /interactive cmd.exe"

This will open another instance of cmd.exe 1 mn after your local time.

This second instance of cmd.exe is running under the local system account; type whoami and you will see it.

3) At the second instance of cmd.exe, launch ESM [1] or type

DSACLS "CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Example,DC=com" /N /G "Authenticated Users":SDRCWDWOWPRPCALO

[1]: after reading the whole KB, I will use the dsacls command suggested by the KB because the command will do the job for you, resetting the good ACEs for Authenticated Users.



Yann


Re: [ActiveDir] Merging Multiple AD Groups

2006-02-09 Thread Al Mulnick
complains? Can you give more detail? 
On 2/9/06, Frank Abagnale [EMAIL PROTECTED] wrote:


I have two global groups which I need to merge the users in both into one new group. What is the best way to do this, I have used DSGET & DSMOD but it complains about existing users... any ideas?





Re: [ActiveDir] MS Exchange

2006-02-09 Thread Al Mulnick
I think that may be more work than is needed if it's an infrequent update cycle. CSV does this just fine via the admin utility. 

VBScript will work for that however. Like I said, permissions and syntax are sometimes different but it can be done. There's a utility that may be of interest to you called GALMOD that you should have a look at for ideas of how to do some of this in addition to the MSDN references. 


Al
On 2/9/06, Atila Firmino [EMAIL PROTECTED] wrote:

Thanks.

I need to update information like phone number for example. For many reasons we can't migrate to exchangeW2K for now... So I will build a VBScript to do this. What do you think?


Atila Firmino


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, 9 February 2006 11:12
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS Exchange


What? Other than upgrade to 2003? 

It can be done, but there are some code pieces that won't be the same in 5.5 as they are in 2003 FWIW. 

What exactly do you want to modify via LDAP? Is this something you want to write in house or use a third party tool to do? 

One gotcha (you can find information about it on MSDN) is that to see the hidden objects you'll need to login as an admin. An additional piece is that you'll often have to adjust the amount of objects returned in order to be functional in some actions.


Sites are always fun. 

Come to think of it, it's WAY easier to do this in 2003/AD ;)
-ajm
On 2/9/06, Atila Firmino [EMAIL PROTECTED] wrote:

Hi All, 
Does anyone have any good tips or links that talk about updating mail box information in exchange 5.5 with LDAP? 
Thanks 
Atila Firmino 


Re: [ActiveDir] Merging Multiple AD Groups

2006-02-09 Thread Frank Abagnale
I have two existing groups:

1. USAT_HR_RO (24 members)
2. USNY_HR_RO (45 members)

I created a new group to merge members of both groups above into the new group.

3. USHR_PROJSAP_RO (0 members)

Some users are members of groups 1 & 2.

I want to copy the users from groups 1 & 2 into the new group 3 so this would contain 69 members.

I tried the following command 1st

dsget group "CN=USAT_HR_RO,OU=GGroups,dc=Intara,dc=com" -members | dsmod group "CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com" -addmbr

then I tried the following command

dsget group "CN=USNY_HR_RO,OU=GGroups,dc=Intara,dc=com" -members | dsmod group "CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com" -addmbr

but this does not work...does this make sense?

Al Mulnick [EMAIL PROTECTED] wrote:

complains? Can you give more detail?

On 2/9/06, Frank Abagnale [EMAIL PROTECTED] wrote:

I have two global groups which I need to merge the users in both into one new group. What is the best way to do this, I have used DSGET & DSMOD but it complains about existing users
any ideas?

RE: [ActiveDir] Exchange - ESM - All Address Lists and All Global Address Lists disappeared

2006-02-09 Thread Michael B. Smith








Let's hear what you did.











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Thursday, February 09, 2006 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - All Address Lists and All Global Address Lists disappeared





I want to thank everybody who contributed to this thread. The problem has been solved :-)









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday 8 February 2006 17:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - All Address Lists and All Global Address Lists disappeared

True except if you install the rdp client on windows 2000... :o))

Regards,

Yann TIROA

Centre de Ressources Informatique.
Campus Scientifique de la DOUA.
Bât. Gabriel Lippmann - 2 ème étage - salle 238.
43, Bd du 11 Novembre 1918.
69622 Villeurbanne Cedex.
Web: www.univ-lyon1.fr















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Wednesday, 8 February 2006 16:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - All Address Lists and All Global Address Lists disappeared

Not with Windows 2000 :-)



Steve











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 08 February 2006 13:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - All Address Lists and All Global Address Lists disappeared





Hi,



Just launch rdp client with the /console switch as this mstsc /console, this will give u interactive logon to your server.

Regards,

Yann TIROA

Centre de Ressources Informatique.
Campus Scientifique de la DOUA.
Bât. Gabriel Lippmann - 2 ème étage - salle 238.
43, Bd du 11 Novembre 1918.
69622 Villeurbanne Cedex.
Web: www.univ-lyon1.fr















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Wednesday, 8 February 2006 12:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - All Address Lists and All Global Address Lists disappeared

One tiny little point which might be worth adding - don't try doing
this using a remote desktop session as I did the other week. I sat there
cursing the machine, confident that I'd got the syntax etc right. It was
only much later when I looked at the real console screen that I saw lots of cmd
windows which had all opened and were running in the local system context




Steve











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 06 February 2006 19:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - All Address Lists and All Global Address Lists disappeared









Yes.

















1) go to start - execute and type cmd.exe

2) Then you will have to type this command "at your_local_time + 1mn /interactive cmd.exe" (without quote).

Example: if your local time is 20:05, then you will type at 20:06 /interactive cmd.exe

This will open another instance of cmd.exe 1 mn after your local time.

This second instance of cmd.exe is running under the local system account, type whoami and u will see it.

3) at the second instance of cmd.exe, launch ESM [1] or type

DSACLS "CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Example,DC=com" /N /G "Authenticated Users":SDRCWDWOWPRPCALO

[1]: after reading the whole KB, I will use the dsacls command suggested by the KB because the command will do the job for u as resetting the good ACEs for Authenticated Users.

Yann












RE: [ActiveDir] Merging Multiple AD Groups

2006-02-09 Thread Dan Holme








Did you add -c to the second command (continue despite errors)?











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Thursday, February 09, 2006 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Merging Multiple AD Groups







I have two existing groups:

1. USAT_HR_RO (24 members)
2. USNY_HR_RO (45 members)

I created a new group to merge members of both groups above into the new group.

3. USHR_PROJSAP_RO (0 members)

Some users are members of groups 1 & 2.

I want to copy the users from groups 1 & 2 into the new group 3 so this would contain 69 members.

I tried the following command 1st

dsget group "CN=USAT_HR_RO,OU=GGroups,dc=Intara,dc=com" -members | dsmod group "CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com" -addmbr

then I tried the following command

dsget group "CN=USNY_HR_RO,OU=GGroups,dc=Intara,dc=com" -members | dsmod group "CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com" -addmbr

but this does not work...does this make sense?

Al Mulnick [EMAIL PROTECTED] wrote:

complains? Can you give more detail?

On 2/9/06, Frank Abagnale [EMAIL PROTECTED] wrote:

I have two global groups which I need to merge the users in both into one new group. What is the best way to do this, I have used DSGET & DSMOD but it complains about existing users
any ideas?










Re: [ActiveDir] Merging Multiple AD Groups

2006-02-09 Thread Al Mulnick
Can you give us an example of the error you're getting? 

Al
On 2/9/06, Frank Abagnale [EMAIL PROTECTED] wrote:

I have two existing groups:

1. USAT_HR_RO (24 members)
2. USNY_HR_RO (45 members)

I created a new group to merge members of both groups above into the new group.

3. USHR_PROJSAP_RO (0 members)

Some users are members of groups 1 & 2.

I want to copy the users from groups 1 & 2 into the new group 3 so this would contain 69 members.

I tried the following command 1st

dsget group "CN=USAT_HR_RO,OU=GGroups,dc=Intara,dc=com" -members | dsmod group "CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com" -addmbr

then I tried the following command

dsget group "CN=USNY_HR_RO,OU=GGroups,dc=Intara,dc=com" -members | dsmod group "CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com" -addmbr

but this does not work...does this make sense?

Al Mulnick [EMAIL PROTECTED] wrote:

complains? Can you give more detail?

On 2/9/06, Frank Abagnale [EMAIL PROTECTED] wrote:

I have two global groups which I need to merge the users in both into one new group. What is the best way to do this, I have used DSGET & DSMOD but it complains about existing users
any ideas?



Re: [ActiveDir] Merging Multiple AD Groups

2006-02-09 Thread Frank Abagnale
dsmod failed:CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com:The specified account name is already a member of the local group

Dan - I have also tried the -c switch to no avail.

thanks

Al Mulnick [EMAIL PROTECTED] wrote:

Can you give us an example of the error you're getting?

Al

On 2/9/06, Frank Abagnale [EMAIL PROTECTED] wrote:

I have two existing groups:

1. USAT_HR_RO (24 members)
2. USNY_HR_RO (45 members)

I created a new group to merge members of both groups above into the new group.

3. USHR_PROJSAP_RO (0 members)

Some users are members of groups 1 & 2.

I want to copy the users from groups 1 & 2 into the new group 3 so this would contain 69 members.

I tried the following command 1st

dsget group "CN=USAT_HR_RO,OU=GGroups,dc=Intara,dc=com" -members | dsmod group "CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com" -addmbr

then I tried the following command

dsget group "CN=USNY_HR_RO,OU=GGroups,dc=Intara,dc=com" -members | dsmod group "CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com" -addmbr

but this does not work...does this make sense?

Al Mulnick [EMAIL PROTECTED] wrote:

complains? Can you give more detail?

On 2/9/06, Frank Abagnale [EMAIL PROTECTED] wrote:

I have two global groups which I need to merge the users in both into one new group. What is the best way to do this, I have used DSGET & DSMOD but it complains about existing users
any ideas?

RE: [ActiveDir] Merging Multiple AD Groups

2006-02-09 Thread Thommes, Michael M.








I had a similar problem. It was solved by this syntax:

dsget group <DN of source group> -members | dsmod group <DN of destination group> -addmbr

This way you are only going to add members that are not already there.



Hth,

Mike Thommes



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Thursday, February 09, 2006 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Merging Multiple AD Groups





dsmod failed:CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com:The specified account name is already a member of the local group

Dan - I have also tried the -c switch to no avail.

thanks

Al Mulnick [EMAIL PROTECTED] wrote:

Can you give us an example of the error you're getting?

Al

On 2/9/06, Frank Abagnale [EMAIL PROTECTED] wrote:

I have two existing groups:

1. USAT_HR_RO (24 members)
2. USNY_HR_RO (45 members)

I created a new group to merge members of both groups above into the new group.

3. USHR_PROJSAP_RO (0 members)

Some users are members of groups 1 & 2.

I want to copy the users from groups 1 & 2 into the new group 3 so this would contain 69 members.

I tried the following command 1st

dsget group "CN=USAT_HR_RO,OU=GGroups,dc=Intara,dc=com" -members | dsmod group "CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com" -addmbr

then I tried the following command

dsget group "CN=USNY_HR_RO,OU=GGroups,dc=Intara,dc=com" -members | dsmod group "CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com" -addmbr

but this does not work...does this make sense?

Al Mulnick [EMAIL PROTECTED] wrote:

complains? Can you give more detail?

On 2/9/06, Frank Abagnale [EMAIL PROTECTED] wrote:

I have two global groups which I need to merge the users in both into one new group. What is the best way to do this, I have used DSGET & DSMOD but it complains about existing users
any ideas?












RE: [ActiveDir] Schema Extension

2006-02-09 Thread Ulf B. Simon-Weidner
OK - what I meant is

1. If extending well known schemas on a fresh installed domain, I'd do it
just like that b/c I don't care if I have issues (actually a failure would
allow me to have another Latte Macchiato while the DC freshly installs)

2. If extending with a 3rd Party Schema Extensions (usually just a
ldif-file) I'd prefer to pull the schema master out of the infrastructure
really quick.

The scenario Joe has mentioned is well known schema extension which does
additional stuff - like exchange or other programmed extensions. I fully
agree in his recommendation to slow down or interrupt replication if contact
to other DCs or Servers is needed.

Note that no matter what - I'm usually always testing 3rd-Party Schema
Extensions first, meaning to verify OID, prefix, LinkIDs, document MapiIDs
and consult the customer in the risk of those, and verify the Structure
(classes, how they are added to existing objects) default permissions, and
look at the migration path if needed. Next step is to pull the domain in a
virtual environment and test the schema extension there. Then I start with
the extension in production where I follow above mentioned steps.

However I'm always curious for other suggestions ;-)

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
|Sent: Thursday, February 09, 2006 1:46 AM
|To: Send - AD mailing list
|Subject: RE: [ActiveDir] Schema Extension
|
|I really don't agree in the confined scenario Ulf described.  
|Can you explain your point further or is it merely an issue of 
|Microsoft supporting it?
|
|--
|Dean Wells
|MSEtechnology
|* Email: [EMAIL PROTECTED]
|http://msetechnology.com
|
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
|Sent: Wednesday, February 08, 2006 5:50 PM
|To: ActiveDir@mail.activedir.org
|Subject: Re: [ActiveDir] Schema Extension
|
|Ulf B. Simon-Weidner wrote:
|
| Hi David,
|  
| OK - as far as controlling the update of the schema I'd do it that way:
|  
| Do you really care - aka not frequently tested combination of schema
| extensions:
| 1. Put the schema master on a otherwise stale switch/hub (to provide a
|    link but no connection to the network)
| 2. Backup Systemstate (to file would be fine)
| 3. Run the Schema Extensions
| 4. Verify Schema Extensions
| 5. If error in 4, restore systemstate
| 6. Plug back into the production network
|
|Ulf ...  I don't think that restoring the system state in the 
|case of schema extension failure is a proper thing. I would 
|suggest instead of that decommission of this DC and seizing 
|Schema FSMO to other DC in the forest.
|
|
|--
|Tomasz Onyszko
|http://www.w2k.pl/blog/ - (PL)
|http://blogs.dirteam.com/blogs/tomek/ - (EN)
|List info   : http://www.activedir.org/List.aspx
|List FAQ: http://www.activedir.org/ListFAQ.aspx
|List archive: 
|http://www.mail-archive.com/activedir%40mail.activedir.org/
|
|
|


RE: [ActiveDir] Schema Extension

2006-02-09 Thread Ulf B. Simon-Weidner
Yes - exactly - rolling back a single DC which was the only one with the
new bad schema doesn't hurt, but it's also able to forcefully demote,
metadata cleanup, dcpromo again, or reinstall fully with metadata-cleanup in
between, or just flush it and seize the schema master. Result will always be
a non-updated schema.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
|Sent: Thursday, February 09, 2006 1:46 PM
|To: ActiveDir@mail.activedir.org
|Subject: Re: [ActiveDir] Schema Extension
|
|Dean Wells wrote:
| I really don't agree in the confined scenario Ulf described. 
| Can you 
| explain your point further or is it merely an issue of Microsoft 
| supporting it?
|
|OK, You've got me - when I think about it, it should not cause 
|any trouble. Ulf's procedure is not an attempt to do 
|authoritative restore so it is not a case of schema recovery 
|but ordinary failed DC recovery procedure.
|
|Nothing was replicated, nothing was broken already in the 
|production environment so why not perform restore of DC and 
|bring it back to the domain? This is the same case as when You 
|are performing forest recovery from the backup.
|
|No I don't have any other point then my habits and the way I 
|used to do such things, which obviously limited my point of 
|view on proposed solution - that's a shame for me.
|I've never tried the procedure Ulf described in the lab and 
|fortunately I haven't had to test it in the real life.
|
|I don't think that it this goes under unsupported category - 
|this is simply DC recovery procedure.
|
|As Ulf said  (...)  don't write tired and exhausted. (...) or 
|late in the evening.
|
|
|-- 
|Tomasz Onyszko
|http://www.w2k.pl/blog/ - (PL)
|http://blogs.dirteam.com/blogs/tomek/ - (EN)


Re: [ActiveDir] Merging Multiple AD Groups

2006-02-09 Thread Al Mulnick
Hmm.. the -c should have worked. Wonder why it didn't in your case? Can you post that syntax that you used? 

On 2/9/06, Frank Abagnale [EMAIL PROTECTED] wrote:

dsmod failed:CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com:The specified account name is already a member of the local group

Dan - I have also tried the -c switch to no avail.

thanks

Al Mulnick [EMAIL PROTECTED] wrote:

Can you give us an example of the error you're getting?

Al

On 2/9/06, Frank Abagnale [EMAIL PROTECTED] wrote:

I have two existing groups:

1. USAT_HR_RO (24 members)
2. USNY_HR_RO (45 members)

I created a new group to merge members of both groups above into the new group.

3. USHR_PROJSAP_RO (0 members)

Some users are members of groups 1 & 2.

I want to copy the users from groups 1 & 2 into the new group 3 so this would contain 69 members.

I tried the following command 1st

dsget group "CN=USAT_HR_RO,OU=GGroups,dc=Intara,dc=com" -members | dsmod group "CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com" -addmbr

then I tried the following command

dsget group "CN=USNY_HR_RO,OU=GGroups,dc=Intara,dc=com" -members | dsmod group "CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com" -addmbr

but this does not work...does this make sense?

Al Mulnick [EMAIL PROTECTED] wrote:

complains? Can you give more detail?

On 2/9/06, Frank Abagnale [EMAIL PROTECTED] wrote:

I have two global groups which I need to merge the users in both into one new group. What is the best way to do this, I have used DSGET & DSMOD but it complains about existing users
any ideas?



Re: [ActiveDir] Merging Multiple AD Groups

2006-02-09 Thread Frank Abagnale
dsget group "CN=USNY_HR_RO,OU=GGroups,dc=Intara,dc=com" -members | dsmod group "CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com" -addmbr -c

The fact that some users are in both Group 1 & 2 wouldn't cause a problem would it?

cheers Al

Al Mulnick [EMAIL PROTECTED] wrote:

Hmm.. the -c should have worked. Wonder why it didn't in your case? Can you post that syntax that you used?

On 2/9/06, Frank Abagnale [EMAIL PROTECTED] wrote:

dsmod failed:CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com:The specified account name is already a member of the local group

Dan - I have also tried the -c switch to no avail.

thanks

Al Mulnick [EMAIL PROTECTED] wrote:

Can you give us an example of the error you're getting?

Al

On 2/9/06, Frank Abagnale [EMAIL PROTECTED] wrote:

I have two existing groups:

1. USAT_HR_RO (24 members)
2. USNY_HR_RO (45 members)

I created a new group to merge members of both groups above into the new group.

3. USHR_PROJSAP_RO (0 members)

Some users are members of groups 1 & 2.

I want to copy the users from groups 1 & 2 into the new group 3 so this would contain 69 members.

I tried the following command 1st

dsget group "CN=USAT_HR_RO,OU=GGroups,dc=Intara,dc=com" -members | dsmod group "CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com" -addmbr

then I tried the following command

dsget group "CN=USNY_HR_RO,OU=GGroups,dc=Intara,dc=com" -members | dsmod group "CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com" -addmbr

but this does not work...does this make sense?

Al Mulnick [EMAIL PROTECTED] wrote:

complains? Can you give more detail?

On 2/9/06, Frank Abagnale [EMAIL PROTECTED] wrote:

I have two global groups which I need to merge the users in both into one new group. What is the best way to do this, I have used DSGET & DSMOD but it complains about existing users
any ideas?

RE: [ActiveDir] Merging Multiple AD Groups

2006-02-09 Thread Thommes, Michael M.








Hi Frank,

Ignore my previous post; not enough sleep I guess. I posted a solution to this newsgroup on 7/3/2005. Check the archives.



Mike Thommes



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Thursday, February 09, 2006 3:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Merging Multiple AD Groups





dsget group "CN=USNY_HR_RO,OU=GGroups,dc=Intara,dc=com" -members | dsmod group "CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com" -addmbr -c

The fact that some users are in both Group 1 & 2 wouldn't cause a problem would it?

cheers Al

Al Mulnick [EMAIL PROTECTED] wrote:

Hmm.. the -c should have worked. Wonder why it didn't in your case? Can you post that syntax that you used?

On 2/9/06, Frank Abagnale [EMAIL PROTECTED] wrote:

dsmod failed:CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com:The specified account name is already a member of the local group

Dan - I have also tried the -c switch to no avail.

thanks

Al Mulnick [EMAIL PROTECTED] wrote:

Can you give us an example of the error you're getting?

Al

On 2/9/06, Frank Abagnale [EMAIL PROTECTED] wrote:

I have two existing groups:

1. USAT_HR_RO (24 members)
2. USNY_HR_RO (45 members)

I created a new group to merge members of both groups above into the new group.

3. USHR_PROJSAP_RO (0 members)

Some users are members of groups 1 & 2.

I want to copy the users from groups 1 & 2 into the new group 3 so this would contain 69 members.

I tried the following command 1st

dsget group "CN=USAT_HR_RO,OU=GGroups,dc=Intara,dc=com" -members | dsmod group "CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com" -addmbr

then I tried the following command

dsget group "CN=USNY_HR_RO,OU=GGroups,dc=Intara,dc=com" -members | dsmod group "CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com" -addmbr

but this does not work...does this make sense?

Al Mulnick [EMAIL PROTECTED] wrote:

complains? Can you give more detail?

On 2/9/06, Frank Abagnale [EMAIL PROTECTED] wrote:

I have two global groups which I need to merge the users in both into one new group. What is the best way to do this, I have used DSGET & DSMOD but it complains about existing users
any ideas?
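
Added example, not part of any post in this thread: one way to plan the merge discussed above offline, so that dsmod is never asked to add a DN the target group already holds and users who sit in both source groups are counted once. The group DNs are the ones quoted in the thread; the member DNs (and OU=Staff) are constructed sample data standing in for saved `dsget group ... -members` output.

```python
# Group DN as quoted in the thread; every member DN below is constructed.
TARGET_DN = "CN=USHR_PROJSAP_RO,ou=GGroups,dc=Intara,dc=com"

# Constructed stand-ins for `dsget group "<DN>" -members` output:
# one double-quoted DN per line. "CN=Cara Diaz" is in both source groups.
USAT_HR_RO_OUT = '''
"CN=Ann Lee,OU=Staff,DC=Intara,DC=com"
"CN=Bo Chen,OU=Staff,DC=Intara,DC=com"
"CN=Cara Diaz,OU=Staff,DC=Intara,DC=com"
'''
USNY_HR_RO_OUT = '''
"CN=Cara Diaz,OU=Staff,dc=intara,dc=com"
"CN=Dev Patel,OU=Staff,DC=Intara,DC=com"
"CN=Eve Smith,OU=Staff,DC=Intara,DC=com"
"CN=Finn Olsen,OU=Staff,DC=Intara,DC=com"
'''


def parse_members(dsget_output):
    """Return the member DNs from dsget output, in order."""
    members = []
    for line in dsget_output.splitlines():
        line = line.strip()
        # Keep only quoted DN lines; blanks and any other text are skipped.
        if len(line) >= 2 and line.startswith('"') and line.endswith('"'):
            members.append(line[1:-1])
    return members


def dn_key(dn):
    """DNs compare case-insensitively, so match on a case-folded key."""
    return dn.strip().casefold()


def plan_merge(source_outputs, target_output):
    """DNs to add: union of the sources, de-duplicated, minus current target members."""
    already = {dn_key(dn) for dn in parse_members(target_output)}
    seen = set()
    to_add = []
    for output in source_outputs:
        for dn in parse_members(output):
            key = dn_key(dn)
            if key in already or key in seen:
                continue  # would trigger "already a member", or is a repeat
            seen.add(key)
            to_add.append(dn)
    return to_add


def dsmod_commands(target_dn, to_add):
    """One dsmod call per new member, so a single failure cannot block the rest."""
    return ['dsmod group "%s" -addmbr "%s"' % (target_dn, dn) for dn in to_add]


if __name__ == "__main__":
    # Target already holds group 1's members (the first command in the thread succeeded).
    for cmd in dsmod_commands(TARGET_DN, plan_merge(
            [USAT_HR_RO_OUT, USNY_HR_RO_OUT], USAT_HR_RO_OUT)):
        print(cmd)
```

With one user in both source groups, the merged group ends up with 3 + 4 - 1 = 6 members rather than 7; the same arithmetic applies to any overlap between the real groups.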





















Re: [ActiveDir] Schema Extension

2006-02-09 Thread Tomasz Onyszko

Ulf B. Simon-Weidner wrote:

(...)


Note that no matter what - I'm usually always testing 3rd-Party Schema
Extensions first, meaning to verify OID, prefix, LinkIDs, document MapiIDs
and consult the customer in the risk of those, and verify the Structure
(classes, how they are added to existing objects) default permissions, and
look at the migration path if needed. Next step is to pull the domain in a
virtual environment and test the schema extension there. Then I start with
the extension in production where I follow above mentioned steps.

However I'm always curious for other suggestions ;-)


Not much to add ... I'm following the same rules for schema extension. 
First some kind of review - even for standard extensions delivered with 
Windows 2003 or Exchange I'm performing a check of the elements You 
mentioned (OID etc) against the current schema because there can be 
something introduced by third party in the schema which may interfere 
with these extensions.


Then lab and after testing in the lab schema update procedure as well as 
DR procedures I'm going with schema upgrade in the real environment - 
separated network segment with DCs in it and operation is performed on 
these DCs.





--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
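
Added example, not code from any poster in this thread: a sketch of the pre-flight review both messages describe, comparing the OIDs, linkIDs, MAPI IDs and lDAPDisplayNames in a vendor LDIF against an LDIF export of the current schema before anything is imported. Both LDIF samples, their DNs and the OIDs under 1.3.6.1.4.1.99999 and 1.3.6.1.4.1.88888 are constructed for illustration.

```python
import base64

# Schema attribute -> namespace in which its value has to be unique.
# attributeID and governsID share the OID namespace.
UNIQUE = {
    "attributeid": "oid",
    "governsid": "oid",
    "linkid": "linkID",
    "mapiid": "mAPIID",
    "ldapdisplayname": "lDAPDisplayName",
}

# Constructed export of two existing schema objects.
CURRENT_SCHEMA_LDIF = """
dn: CN=Badge-Number,CN=Schema,CN=Configuration,DC=Example,DC=com
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.99999.1.1
lDAPDisplayName: badgeNumber

dn: CN=Project-Owner,CN=Schema,CN=Configuration,DC=Example,DC=com
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.99999.1.2
lDAPDisplayName: projectOwner
linkID: 5000
"""

# Constructed third-party extension; the second OID is folded across two lines.
EXTENSION_LDIF = """
# vendor extension (constructed)
dn: CN=Vendor-Cost-Center,CN=Schema,CN=Configuration,DC=Example,DC=com
changetype: add
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.88888.1.1
lDAPDisplayName: vendorCostCenter

dn: CN=Vendor-Badge,CN=Schema,CN=Configuration,DC=Example,DC=com
changetype: add
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.99999.
 1.1
lDAPDisplayName: vendorBadge

dn: CN=Vendor-Owner,CN=Schema,CN=Configuration,DC=Example,DC=com
changetype: add
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.88888.1.2
lDAPDisplayName: ProjectOwner
linkID: 5000
"""


def unfold(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into a list of {lower-cased attribute: [values]} records."""
    records, current = [], {}
    for line in unfold(text) + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return records


def index_identifiers(records):
    """Map (namespace, lower-cased value) -> DN of the object that holds it."""
    index = {}
    for rec in records:
        dn = rec.get("dn", ["?"])[0]
        for attr, namespace in UNIQUE.items():
            for value in rec.get(attr, []):
                index.setdefault((namespace, value.lower()), dn)
    return index


def find_collisions(extension_ldif, current_schema_ldif):
    """Return (namespace, value, new DN, existing DN) for every identifier clash."""
    existing = index_identifiers(parse_ldif(current_schema_ldif))
    claimed, collisions = {}, []
    for rec in parse_ldif(extension_ldif):
        dn = rec.get("dn", ["?"])[0]
        for attr, namespace in UNIQUE.items():
            for value in rec.get(attr, []):
                key = (namespace, value.lower())
                holder = existing.get(key) or claimed.get(key)
                if holder and holder.lower() != dn.lower():
                    collisions.append((namespace, value, dn, holder))
                claimed.setdefault(key, dn)
    return collisions
```

Run against the samples, `find_collisions(EXTENSION_LDIF, CURRENT_SCHEMA_LDIF)` reports the reused OID, the reused linkID and the display name that differs only in case.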


RE: [ActiveDir] Site Link Question

2006-02-09 Thread Lee, Wook








There are still situations in Windows 2003 where a single bridgehead can be
configured even when there are multiple available. Let me know if you're curious.



Wook











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Wednesday, February 08, 2006 12:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site Link Question





Keep in mind that this recommendation was
specific to Windows 2000. Windows 2003 automatically distributes links
amongst several DCs (if more than one exists) in a hub site. Also you can
use the ADLB to more formally balance the load amongst available DCs.






Aric











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, February 08, 2006 11:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site Link Question





You can do it a couple ways:



Have your network people split up the subnet your DCs at the hub are on
or move them to a dedicated subnet that's easily broken down (e.g. a /24
can break to two /25s or four /26s). Or, create /32 subnets in AD for each
DC's IP. Hub Site A has the /32 for the DC serving it and other DCs in
the site, and then the remote site subnets associated with it, same for the
other sites. FWIW I have 50 sites reporting into a very busy hub site and
there is no issue so far, and it just continues to get busier (My estimate is
about 20K PCs authenticate against the two DCs in the hub site in addition to
50 or so DCs replicating out every couple hours). CPU is 30% peak and NIC is
about 35mb/sec during the day on them. DL 380 G4s 4GB RAM Dual Proc, separate
RAID1s for OS, DB, logs, etc.







Thanks,
Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132

















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Wednesday, February 08, 2006 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site Link Question







All, 











I have about a few hub sites with 100+ site link. I found following from M$ website:












 Make sure that no site is directly connected to more than 20 other sites


This condition can occur in large hub-and-spoke
deployments where most sites are branch sites that communicate with a
centralized hub site. If this condition exists and there are more than 20 site
links from the hub site to branch sites, the hub site can be divided into
multiple sites to provide additional bridgehead servers to handle the
replication volume. In a site, a single bridgehead server is active per domain.
If the site has more than 20 site links, the bridgehead servers can become
overloaded.











http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/bpaddsgn.mspx#EFAA

















Can someone please explain what steps do I need to
take to divide the hub sites?











Regards,





Adeel
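
Added example, not part of any message in this thread: the subnet arithmetic behind the replies above (a /24 broken into /25s or /26s, or one /32 per DC), plus a check of the "more than 20 site links" guideline from the quoted Microsoft text. Site names, branch names and the 10.1.0.0/24 addressing are constructed; the lookup uses the most specific matching subnet, which is how a /32 for a DC can place it in a different site from the surrounding /24.

```python
import ipaddress

SITE_LINK_LIMIT = 20  # figure from the Microsoft guidance quoted in the thread

# Constructed subnet-to-site mapping: the hub /24 plus one /32 per hub DC.
SUBNET_SITES = {
    "10.1.0.0/24": "Hub",
    "10.1.0.10/32": "HubA",
    "10.1.0.11/32": "HubB",
}

# Constructed topology: 100 branch sites, each linked to a single hub site.
BRANCHES = ["Branch%03d" % i for i in range(1, 101)]
ORIGINAL_LINKS = [("Hub", branch) for branch in BRANCHES]


def split_subnet(cidr, new_prefix):
    """Break one subnet into equal smaller ones, e.g. a /24 into two /25s."""
    network = ipaddress.ip_network(cidr)
    return [str(n) for n in network.subnets(new_prefix=new_prefix)]


def site_for(ip, subnet_sites):
    """Return the site of the most specific (longest-prefix) subnet holding ip."""
    address = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnet_sites.items():
        network = ipaddress.ip_network(cidr)
        if address in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, site)
    return best[1] if best else None


def sites_over_limit(site_links, limit=SITE_LINK_LIMIT):
    """Return {site: link count} for every site with more than `limit` links."""
    counts = {}
    for a, b in site_links:
        counts[a] = counts.get(a, 0) + 1
        counts[b] = counts.get(b, 0) + 1
    return {site: n for site, n in counts.items() if n > limit}


def spread_branches(branches, hub_sites):
    """Round-robin the branch sites across the hub sites; returns the new links."""
    return [(hub_sites[i % len(hub_sites)], b) for i, b in enumerate(branches)]


if __name__ == "__main__":
    print(split_subnet("10.1.0.0/24", 26))
    print(site_for("10.1.0.10", SUBNET_SITES))
    print(sites_over_limit(ORIGINAL_LINKS))
    hubs = ["HubA", "HubB", "HubC", "HubD", "HubE"]
    print(sites_over_limit(spread_branches(BRANCHES, hubs)))
```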


















[ActiveDir] Dean and Joe double act at DEC 2006

2006-02-09 Thread Tony Murray








http://www.gilsblog.com/index.cfm?commentID=60



Well, it made me laugh.



Tony









RE: [ActiveDir] Site Link Question

2006-02-09 Thread Marcus.Oh








Wook, I'd be interested in hearing those situations. :)





:m:dsm:cci:mvp
marcusoh.blogspot.com











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, February 09, 2006 5:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site Link Question





There are still situations in Windows 2003 where a single bridgehead can be
configured even when there are multiple available. Let me know if you're curious.



Wook











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Wednesday, February 08, 2006 12:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site Link Question





Keep in mind that this recommendation was specific
to Windows 2000. Windows 2003 automatically distributes links amongst
several DCs (if more than one exists) in a hub site. Also you can use the
ADLB to more formally balance the load amongst available DCs.






Aric











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Brian Desmond
Sent: Wednesday, February 08, 2006
11:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site Link
Question





You can do it a couple ways:



Have your network people split up the subnet your DCs at the hub are on
or move them to a dedicated subnet that's easily broken down (e.g. a /24
can break to two /25s or four /26s). Or, create /32 subnets in AD for each
DC's IP. Hub Site A has the /32 for the DC serving it and other DCs in
the site, and then the remote site subnets associated with it, same for the
other sites. FWIW I have 50 sites reporting into a very busy hub site and
there is no issue so far, and it just continues to get busier (My estimate is
about 20K PCs authenticate against the two DCs in the hub site in addition to
50 or so DCs replicating out every couple hours). CPU is 30% peak and NIC is
about 35mb/sec during the day on them. DL 380 G4s 4GB RAM Dual Proc, separate
RAID1s for OS, DB, logs, etc. 







Thanks,
Brian Desmond

[EMAIL PROTECTED]



c -
312.731.3132

















From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Adeel Ansari
Sent: Wednesday, February 08, 2006
2:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site Link
Question







All, 











I have about a few hub sites with 100+ site
link. I found following from M$ website :












 Make sure that no
 site is directly connected to more than 20 other sites


This condition can occur in large hub-and-spoke
deployments where most sites are branch sites that communicate with a
centralized hub site. If this condition exists and there are more than 20 site
links from the hub site to branch sites, the hub site can be divided into
multiple sites to provide additional bridgehead servers to handle the
replication volume. In a site, a single bridgehead server is active per domain.
If the site has more than 20 site links, the bridgehead servers can become
overloaded.











http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/bpaddsgn.mspx#EFAA

















Can someone please explain what steps do I need to
take to divide the hub sites?











Regards,





Adeel
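
Added example, not part of the original thread: Python that plans the hub split Brian Desmond describes (breaking a /24 into smaller subnets, or one /32 subnet object per hub DC) while keeping every new hub site at or below the 20-site-link figure from the quoted Microsoft guidance. The addresses, the `Hub-A`/`Branch-001` names and the function names are constructed for illustration, and `site_for` models a subnet-to-site lookup in which the most specific matching subnet wins.

```python
import ipaddress
from math import ceil

MAX_LINKS = 20  # per-site link limit quoted from the guidance in the thread

def split_subnet(cidr, new_prefix):
    """Break a hub subnet into equal parts, e.g. a /24 into four /26s."""
    return list(ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix))

def plan_hub_split(hub_dcs, branch_sites, max_links=MAX_LINKS):
    """Divide one hub site into several, each with <= max_links branch links.

    Every hub DC gets a /32 subnet object; DCs and branches are spread
    round-robin over the new hub sites (site names are hypothetical).
    """
    n = max(1, ceil(len(branch_sites) / max_links))
    if n > len(hub_dcs):
        raise ValueError(f"{n} hub sites needed but only {len(hub_dcs)} DCs")
    names = [f"Hub-{chr(ord('A') + i)}" for i in range(n)]
    plan = {name: {"subnets": [], "branches": []} for name in names}
    for i, ip in enumerate(hub_dcs):
        plan[names[i % n]]["subnets"].append(ipaddress.ip_network(f"{ip}/32"))
    for i, branch in enumerate(branch_sites):
        plan[names[i % n]]["branches"].append(branch)
    return plan

def site_for(ip, subnet_to_site):
    """Resolve an address to a site using the most specific matching subnet."""
    addr = ipaddress.ip_address(ip)
    matches = [net for net in subnet_to_site if addr in net]
    if not matches:
        return None
    return subnet_to_site[max(matches, key=lambda net: net.prefixlen)]

if __name__ == "__main__":
    # Constructed sample data: five hub DCs and 100 branch sites.
    dcs = [f"10.1.0.{n}" for n in range(11, 16)]
    branches = [f"Branch-{i:03d}" for i in range(1, 101)]
    plan = plan_hub_split(dcs, branches)
    for site, info in plan.items():
        nets = ", ".join(str(n) for n in info["subnets"])
        print(f"{site}: subnets [{nets}], {len(info['branches'])} site links")
    # The original /24 can stay on one site; the /32 entries override it.
    lookup = {ipaddress.ip_network("10.1.0.0/24"): "Hub-A"}
    for site, info in plan.items():
        lookup.update({net: site for net in info["subnets"]})
    print("10.1.0.12 ->", site_for("10.1.0.12", lookup))
    print("10.1.0.50 ->", site_for("10.1.0.50", lookup))
```
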