[ActiveDir] OT: SpecOps GPUPDATE tool
Hi

Has anyone used the WoL feature of this tool? If so, can you let me know of any issues that you came across please? We are currently only interested in the Shutdown/WoL feature, and would be interested to know how it obtains the MAC addresses required and the method of transmission of the wake up packet across the subnets - to keep our active network team happy. They had a recent incident with a Ghost server and they're a bit edgy. :)

Cheers
Danny
RE: [ActiveDir] OT: SpecOps GPUPDATE tool
Including bugs! :) Maybe should have been 2 emails - one here for any problems encountered and one to SpecOps for technical detail. Any users encountered any problems with this tool? :)))

Kind regards
Danny

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: 07 December 2006 14:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SpecOps GPUPDATE tool

I would expect specops to provide that info, if I were in your position.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of McCann, Danny
Sent: 07 December 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: SpecOps GPUPDATE tool

Hi

Has anyone used the WoL feature of this tool? If so, can you let me know of any issues that you came across please? We are currently only interested in the Shutdown/WoL feature, and would be interested to know how it obtains the MAC addresses required and the method of transmission of the wake up packet across the subnets - to keep our active network team happy. They had a recent incident with a Ghost server and they're a bit edgy. :)

Cheers
Danny

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy.
Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. Email has been scanned for viruses by Altman Technologies' email management service http://www.altman.co.uk/emailsystems
RE: [ActiveDir] OT: SpecOps GPUPDATE tool
Hi Neil

You were right, they did. It's no good for us as the tool won't work with non-Windows DHCP, which I guess is used to retrieve the MAC addresses. Should have thought of this in the first instance, but to quote the parrot sketch, I have a cold. :)

All the best
Danny

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: 07 December 2006 14:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SpecOps GPUPDATE tool

I would expect specops to provide that info, if I were in your position.

neil
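The mechanics the network team were asking about, as an added example that is not part of the thread and not SpecOps' code (nobody on the list saw that): how a magic packet is built, why it has to be addressed to the target subnet's directed-broadcast address to cross a router, and how to validate one from a capture. The LEASES table is constructed to stand in for the DHCP lease data the tool reads; the hostnames, addresses and MACs in it are made up.

```python
"""Wake-on-LAN magic packet: construction, cross-subnet addressing, validation.

Added example; not the SpecOps tool's code. LEASES below is constructed to
stand in for DHCP lease data.
"""
import ipaddress
import socket
from typing import Optional

WOL_PORT = 9  # UDP discard; 7 (echo) is the other common choice. The NIC matches the payload, not the port.


def _mac_bytes(text: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {text}")
    return raw


def magic_packet(mac: str, secureon: Optional[str] = None) -> bytes:
    """Six sync bytes of 0xFF followed by the target MAC repeated 16 times.

    Optionally append a 6-byte SecureOn password. That is the only authentication
    WoL has; without it anyone who can deliver the datagram can wake the host.
    """
    pkt = b"\xff" * 6 + _mac_bytes(mac) * 16
    if secureon is not None:
        pkt += _mac_bytes(secureon)  # same 6-byte hex format as a MAC
    return pkt


def parse_magic(payload: bytes) -> Optional[str]:
    """Return the MAC a datagram would wake, or None if it is not a magic packet.

    Useful against a pcap from the network team: the payload identifies only the
    target, so the sender is only identifiable from the IP header.
    """
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def directed_broadcast(host_ip: str, prefix_len: int) -> str:
    """Subnet-directed broadcast address for the target's subnet.

    A sleeping host has no IP state, so the frame must be a layer-2 broadcast on its
    own LAN. From another subnet that means sending to the subnet's broadcast address
    and relying on the last-hop router to convert it, which most routers refuse by
    default (Cisco 'ip directed-broadcast' has been off since IOS 12.0 because of
    Smurf amplification). The alternative is a relay host on each subnet.
    """
    net = ipaddress.ip_network(f"{host_ip}/{prefix_len}", strict=False)
    return str(net.broadcast_address)


def send_wol(mac: str, target: str, port: int = WOL_PORT, secureon: Optional[str] = None) -> int:
    """Send the magic packet to `target` (normally a directed-broadcast address); returns bytes sent."""
    pkt = magic_packet(mac, secureon)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (target, port))


# Constructed stand-in for DHCP lease data: hostname -> (leased IP, prefix length, MAC).
LEASES = {
    "ws-0421": ("10.1.2.37", 24, "00:11:22:33:44:55"),
    "ws-0422": ("10.1.9.200", 23, "00-11-22-33-44-66"),
}


def wake_plan(leases=LEASES):
    """For each lease, the (MAC, directed-broadcast address) a sender on another subnet needs."""
    return {host: (mac, directed_broadcast(ip, plen)) for host, (ip, plen, mac) in leases.items()}


if __name__ == "__main__":
    for host, (mac, bcast) in wake_plan().items():
        print(f"{host}: wake {mac} via {bcast}:{WOL_PORT} ({len(magic_packet(mac))}-byte payload)")
```

Two things to raise with the network team before enabling this: directed-broadcast forwarding should be permitted only from the management host that sends the wake-ups (an ACL on the router interface), and the packet itself carries no proof of origin, so a SecureOn password or a per-subnet relay is the only way to stop anyone on the LAN from waking machines.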
Re: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next
Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Danny
Sent: Tue 2006-11-07 18:24
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

Thanks to advice from the ActiveDir community (this mailing list) and Microsoft's ADMT and ExMerge, we have successfully completed an interforest migration - of users, computers, and mailboxes.

Next up: the servers, 12 of them. Two DC's, the rest are made up of file, print, Exchange, MS SQL (integrated auth), Citrix, and backup. The source forest will no longer be necessary in a few weeks.

Would you recommend using ADMT for the servers as well? I know that the DC's and Exchange server will be done manually..

Thanks,
...D

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
[ActiveDir] Users, Computers, and Mailboxes migrated - Servers next
Thanks to advice from the ActiveDir community (this mailing list) and Microsoft's ADMT and ExMerge, we have successfully completed an interforest migration - of users, computers, and mailboxes.

Next up: the servers, 12 of them. Two DC's, the rest are made up of file, print, Exchange, MS SQL (integrated auth), Citrix, and backup. The source forest will no longer be necessary in a few weeks.

Would you recommend using ADMT for the servers as well? I know that the DC's and Exchange server will be done manually..

Thanks,
...D
Re: [ActiveDir] Active Directory Health Check tool - where can it run from?
On 10/31/06, Washington, Booker [EMAIL PROTECTED] wrote:

Does that tool need to be run from a Domain Controller, or can it be run from any member server in the Domain, or workstation? Just curious. Thanks

Which tool are you specifically referring to? dcdiag? If so, I would check the documentation: http://technet2.microsoft.com/WindowsServer/en/library/5237db58-a1e8-40cd-ae8a-7f52848a90f21033.mspx?mfr=true

...D
[ActiveDir] ADMT v3 Profile cleanup options
Computer and user migration with ADMT v3 scenario:

Users have local profiles (non-roaming). It appears as though when you migrate user and computer into new forest, the new user in the target forest logs into the same computer (now part of target domain) and a new profile is created; they are not routed into their existing profile.

Just curious how you have all managed to get around this without interrupting the users too much. Windows Server 2003 and Windows XP Pro SP2 environment.

Thanks,
...D
Re: [ActiveDir] How to grant administrator from trusted forest local PC Admin rights
Excellent - I will try it out. Thanks

D

On 10/26/06, Chong Ai Chung [EMAIL PROTECTED] wrote:

You can use restricted group feature in GPO for this. Please refer to following link for more detail: http://www.msresource.net/content/view/45/46/

On 10/27/06, Danny [EMAIL PROTECTED] wrote:

Looking for ideas on how to provide a domain administrator in a separate forest local administrator rights on all domain computers to assist with ADMT v3 computer migration.

Thanks,
...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
Re: [ActiveDir] ADMT v3 Profile cleanup options
On 10/27/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

* within the same forest -- no need to translate profiles (although different SID, GUID takes care of this)
* between different forests -- profile translation is needed (different GUID and SID)

Different forests.

you can use ADMT or any third party tool

Sorry, I am not familiar with what profile translation entails behind the scenes. Is profile translation when the new user simply has NTFS permissions to their old profile, but when they log into Windows a new empty/blank profile is created, and so if they wanted all of their previous settings they would have to manually copy favourites, documents, etc. from their old profile to their new profile?

as soon as users start to use their new account you need to translate the profile

This will log the new user into the existing profile then?

Thanks, Jorge

D

From: [EMAIL PROTECTED] on behalf of Danny
Sent: Fri 2006-10-27 15:32
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADMT v3 Profile cleanup options

Computer and user migration with ADMT v3 scenario:

Users have local profiles (non-roaming). It appears as though when you migrate user and computer into new forest, the new user in the target forest logs into the same computer (now part of target domain) and a new profile is created; they are not routed into their existing profile.

Just curious how you have all managed to get around this without interrupting the users too much. Windows Server 2003 and Windows XP Pro SP2 environment.

Thanks,
...D
-- CPDE - Certified Petroleum Distribution EngineerCCBC - Certified Canadian Beer Consumer
[ActiveDir] New server to replace DC and FP role - options for keeping the same name
Quick question; an existing remote office DC/file/print server will be replaced with a brand new server. What options do I have if they wish to keep the same name?

Thanks,
...D
Re: [ActiveDir] New server to replace DC and FP role - options for keeping the same name
Thanks, Susan - I'll have a go at it.

On 10/26/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

www.sbsmigration.com

In the SBS world this is what we do all the time when we are replacing our SBS box and we don't want to have to touch the workstations.

Original server is sync'd up with a temp DC with the name of TempDC. Ensure replication occurs, cut the cord. Seize FSMO roles to that TempDC.

Sync up with another server that is made an additional DC which has the exact same name as the original server. Ensure replication occurs, cut cord with the TempDC. Seize FSMO roles.

TempDC can be a virtual PC image of Win2k3 server on a laptop used only to move that AD gunk from the one DC to the other.

You now have the original server and a replica server ... same name.. same domain that can be slid in place and the workstations are none the wiser.

Danny wrote:

Quick question; an existing remote office DC/file/print server will be replaced with a brand new server. What options do I have if they wish to keep the same name?

Thanks,
...D

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
[ActiveDir] How to grant administrator from trusted forest local PC Admin rights
Looking for ideas on how to provide a domain administrator in a separate forest local administrator rights on all domain computers to assist with ADMT v3 computer migration.

Thanks,
...D
Re: [ActiveDir] Seperate forest migration notes
I found some more information, however, in the Before using ADMT v3 help document included with ADMT, it states that the account that I am running ADMT must be a member of the administrators group on all computers that I want to migrate. How would I accomplish this?

Thanks,
...D

On 9/5/06, Danny [EMAIL PROTECTED] wrote:

Thank you, Al! I will provide an updated outline of our plan based on your suggestions.

One question, though: Does anyone know what ADMT v3 is not capable of migrating in the environment I outlined?

On 8/29/06, Al Mulnick [EMAIL PROTECTED] wrote:

[...]

On 8/29/06, Danny [EMAIL PROTECTED] wrote:

[...]

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
Re: [ActiveDir] Seperate forest migration notes
Thanks - I will try that out. Also, do you know if the Windows firewall needs any exceptions for the computer migration component to function?

On 9/8/06, Chong Ai Chung [EMAIL PROTECTED] wrote:

You can add your account to administrators group on all computers using restricted group in GPO. http://support.microsoft.com/Default.aspx?kbid=279301

On 9/9/06, Danny [EMAIL PROTECTED] wrote:

I found some more information, however, in the Before using ADMT v3 help document included with ADMT, it states that the account that I am running ADMT must be a member of the administrators group on all computers that I want to migrate. How would I accomplish this?

Thanks,
...D

On 9/5/06, Danny [EMAIL PROTECTED] wrote:

[...]

On 8/29/06, Al Mulnick [EMAIL PROTECTED] wrote:

[...]

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
[ActiveDir] AD object (User accounts) Permissions dissappearing
Environment: Windows Server 2003 R2 and 2000 mixed AD forest with Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES user. Out of the blue the user is unable to send from their BlackBerry. Permissions are checked in ADUC, and the required SendAs permission granted to the BES account has disappeared. This has happened to new and existing users.

I do not know where to start. I am reviewing a dcdiag /e /v to see if there are any potentially related problems.

Thanks,
...D
Re: [ActiveDir] AD object (User accounts) Permissions dissappearing
You are right! Thanks!

On 9/7/06, Williams, Robert [EMAIL PROTECTED] wrote:

Maybe AdminSDHolder is biting you? Here's an article that talks about the Send-As specifically, but it's more than just that: http://support.microsoft.com/kb/907434/

If the user in question is a member of any of the following groups, then you could be seeing this:

The following list describes the protected groups in Windows 2000:
• Enterprise Admins
• Schema Admins
• Domain Admins
• Administrators

The following list describes the protected groups in Windows Server 2003 and in Windows 2000 after you apply the 327825 hotfix or you install Windows 2000 Service Pack 4:
• Administrators
• Account Operators
• Server Operators
• Print Operators
• Backup Operators
• Domain Admins
• Schema Admins
• Enterprise Admins
• Cert Publishers

Additionally the following users are also considered protected:
• Administrator
• Krbtgt

The above was taken from: http://support.microsoft.com/kb/817433/

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Thursday, September 07, 2006 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD object (User accounts) Permissions dissappearing

Environment: Windows Server 2003 R2 and 2000 mixed AD forest with Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES user. Out of the blue the user is unable to send from their BlackBerry. Permissions are checked in ADUC, and the required SendAs permission granted to the BES account have disappeared. This has happened to new and existing users.

I do not know where to start. I am reviewing a dcdiag /e /v to see if there are any potentially related problems.

Thanks,
...D

2006-09-07, 13:03:30
The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
Re: [ActiveDir] AD object (User accounts) Permissions dissappearing
No, but the user is part of a group that is part of a group that has Admin-type permissions on an OU for their site.

On 9/7/06, Brian Desmond [EMAIL PROTECTED] wrote:

This user isn't a domain admin or enterprise admin is he/she?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Thursday, September 07, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD object (User accounts) Permissions dissappearing

Environment: Windows Server 2003 R2 and 2000 mixed AD forest with Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES user. Out of the blue the user is unable to send from their BlackBerry. Permissions are checked in ADUC, and the required SendAs permission granted to the BES account have disappeared. This has happened to new and existing users.

I do not know where to start. I am reviewing a dcdiag /e /v to see if there are any potentially related problems.

Thanks,
...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
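The two replies above (Robert's AdminSDHolder pointer and Danny's "group that is part of a group" answer) together explain the symptom, so here is the mechanism as an added example; it is not from the KB articles or from anyone on the thread. The membership map, the group and account names, and the ACE dictionaries are constructed; against a real domain the same walk would be driven by memberOf over LDAP.

```python
"""Why Send-As keeps disappearing: SDProp/AdminSDHolder and nested membership.

Added example, not from the KB articles quoted in the thread. MEMBER_OF is a
constructed {member: [groups]} map standing in for memberOf over LDAP.
"""
from collections import deque
from typing import Dict, List, Optional, Tuple

# Protected groups on Windows Server 2003 / Windows 2000 SP4 (the KB 817433 list quoted above).
PROTECTED_GROUPS = {
    "Administrators", "Account Operators", "Server Operators", "Print Operators",
    "Backup Operators", "Domain Admins", "Schema Admins", "Enterprise Admins", "Cert Publishers",
}
PROTECTED_USERS = {"Administrator", "krbtgt"}

# LDAP filter for everything SDProp has ever stamped. adminCount stays 1 after the
# account leaves the group, so this list is a superset of the currently protected set.
ADMINCOUNT_FILTER = "(&(objectCategory=person)(objectClass=user)(adminCount=1))"


def protected_path(principal: str, member_of: Dict[str, List[str]]) -> Optional[List[str]]:
    """Breadth-first walk up the nesting; returns the chain to the first protected group, or None.

    SDProp evaluates transitive membership, which is why the direct Member Of tab in
    ADUC looks innocent while the DACL keeps being reset.
    """
    if principal in PROTECTED_USERS:
        return [principal]
    queue = deque([[principal]])
    seen = {principal}
    while queue:
        path = queue.popleft()
        for group in member_of.get(path[-1], []):
            if group in PROTECTED_GROUPS:
                return path + [group]
            if group not in seen:  # guards against membership cycles
                seen.add(group)
                queue.append(path + [group])
    return None


def after_sdprop(principal: str, member_of: Dict[str, List[str]],
                 user_dacl: Dict[str, str],
                 adminsdholder_dacl: Dict[str, str]) -> Tuple[Dict[str, str], Optional[List[str]]]:
    """Simulate one SDProp pass (runs on the PDC emulator, every 60 minutes by default).

    A protected object's DACL is replaced with AdminSDHolder's and inheritance is
    switched off; an unprotected object keeps whatever was granted directly.
    Returns (resulting DACL, protecting chain or None).
    """
    chain = protected_path(principal, member_of)
    if chain is None:
        return dict(user_dacl), None
    return dict(adminsdholder_dacl), chain


# Constructed directory: the BES user sits two levels of nesting below Account Operators.
MEMBER_OF = {
    "jdoe": ["BES-Users", "Site-Helpdesk"],
    "Site-Helpdesk": ["Site-OU-Admins"],
    "Site-OU-Admins": ["Account Operators"],
    "asmith": ["BES-Users"],
}
BES_SEND_AS = {"BESAdmin": "Send-As"}  # the ACE the helpdesk keeps re-adding to the user


if __name__ == "__main__":
    for user in ("jdoe", "asmith"):
        dacl, chain = after_sdprop(user, MEMBER_OF, BES_SEND_AS, adminsdholder_dacl={})
        print(f"{user}: DACL after SDProp = {dacl}; protected via {chain}")
```

The practical choices are the ones the thread implies: take the nesting out of the protected group (and then clear adminCount and re-enable inheritance by hand, because SDProp never undoes its own work), or grant the ACE on the AdminSDHolder object itself so the hourly pass stamps it onto every protected account, which is a broad grant worth reviewing.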
[ActiveDir] Unable to unpublish old ILS server and replace with new
Netmeeting is utilizing ILS for directory lookup, however, the original ILS server died, so I am trying to unpublish the old and publish the new one. However, I am receiving error messages that our beloved search engines and help documentation are not helping much with. When I restart all related (IIS and ILS) services, I do not see any error messages in the event log.

Here is what is going on...

c:\>ilscfg ilsserver.example.org /publish
Register ILS service returned error: The system detected an invalid pointer address in attempting to use a pointer argument in a call.

c:\>ilscfg /listpub
ILS server: oldilsserver.example.org, Port:1002
Found 1 service(s).

c:\>ilscfg oldilsserver.example.org /unpublish port 1002
Unregister ILS service returned error: The system detected an invalid pointer address in attempting to use a pointer argument in a call.

c:\>ilscfg oldilsserver.example.org /unpublish 1002
Unregister ILS service returned error: The system detected an invalid pointer address in attempting to use a pointer argument in a call.

c:\>ilscfg oldilsserver.example.org /unpublish port:1002
Unregister ILS service returned error: The system detected an invalid pointer address in attempting to use a pointer argument in a call.

References:
https://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=""
http://search.microsoft.com/results.aspx?mkt=en-US&setlang=en-US&q=ilscfg

So, is there a way to manually unpublish this information and publish the new ILS server in Active Directory?

Thanks!

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
RE: OT - RE: [ActiveDir] W. in hell
More annoying, at least to me, are questions that are ON TOPIC but someone didn't take time to look at the archives or google and asking like it was the first time it was asked versus maybe revisiting the previous discussion in new light.

I recently replied to a mail from a few months ago and re-launched a mini-debate. I'd reversed the chronological order while looking for a particular email, forgot to change it back, spotted a subject I'd only just been reading about. I only noticed the date a wee while later! :)))

Danny
Re: [ActiveDir] Seperate forest migration notes
Thank you, Al! I will provide an updated outline of our plan based on your suggestions.

One question, though: Does anyone know what ADMT v3 is not capable of migrating in the environment I outlined?

On 8/29/06, Al Mulnick [EMAIL PROTECTED] wrote:

Overall, that's pretty good for the plan. If you haven't already seen it, there's a migration cookbook available on Microsoft's website.

Some things to pay attention to:

Name resolution for the clients - it's important :)

Trust configurations - if a recent enough version, there are some security components that you'll want to be aware of - specifically quarantine and SID filtering. Be sure those are configured appropriately for your environment.

Order of migration: Be sure to understand the impacts of the order that you migrate the users. I don't know enough about the versions of Exchange, but it would make sense to move the users after or before you move the mailboxes. All the users or all the mailboxes pretty much. If you try to do both at the same time, it can be difficult to troubleshoot and you'll slow your migration down trying to chase the issues.

That leads to expectations: Be sure that nobody expects to stay in the partially-migrated state for very long while you chase down integration issues. Once you start, be prepared to sprint to the finish line. Co-existence sucks. No doubts about that. If you try to continue on with migration and coexistence and new projects and...etc you'll be torn to the winds. Your best bet is to continue to push regardless of the issues once you begin (post pilot of course).

Did I mention name resolution? That's important, so I don't mind mentioning it twice.

Planning is your friend when it comes to migrations. I imagine that Guido might chime in here. I hear he's done this once or twice. :)

On 8/29/06, Danny [EMAIL PROTECTED] wrote:

A company was acquired. Separate 2000/2003 forest, now a two-way trust exists, but we are looking at migrating their users, mailboxes, computers, and servers into our forest.

Working on a plan to test moving a user, mailbox, computer, and server into our forest.

Plan:
Select test users and computers
Install ADMT
Test user migration via ADMT
Test computer migration via RDP manually or script (must locate)
Test mailbox migration via Exchange Migration Wizard
Login as user and test services/access

Am I missing anything? Any tips?

Thanks,
...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
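Al's warning about quarantine and SID filtering on the trust is the one item in that list that silently breaks an ADMT migration, so here is what the filter actually does to a migrated user's token, as an added example that is not Al's, Danny's or ADMT's code. The two domain SIDs, the token contents and the share ACL are constructed; a real token comes from the PAC in the Kerberos ticket.

```python
"""What quarantine / SID filtering on a trust does to a migrated user's token.

Added example, not from ADMT or the list posts. The domain SIDs and the token
below are constructed.
"""
from typing import Iterable, List, Tuple


def domain_of(sid: str) -> str:
    """S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c. Well-known SIDs (S-1-1-0, S-1-5-11) have no domain part."""
    parts = sid.split("-")
    if len(parts) >= 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7])
    return ""


def sid_filter(token_sids: Iterable[str], trusted_domain_sids: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Drop every domain SID that does not belong to a domain on the far side of the trust.

    This is what the trusting domain does on a trust with quarantine enabled: keep
    SIDs issued by the trusted domain itself, discard everything else, including the
    whole of sIDHistory. That blocks the classic attack (inject a privileged SID of
    the trusting domain into sIDHistory on the trusted side) and, as a side effect,
    breaks an ADMT migration that relies on sIDHistory for access to resources still
    sitting in the source forest. Returns (kept, dropped).
    """
    allowed = set(trusted_domain_sids)
    kept, dropped = [], []
    for sid in token_sids:
        dom = domain_of(sid)
        if dom and dom not in allowed:
            dropped.append(sid)
        else:
            kept.append(sid)
    return kept, dropped


# Constructed: our forest's domain (target) and the acquired company's domain (source).
TARGET_DOMAIN = "S-1-5-21-1000000000-2000000000-3000000000"
SOURCE_DOMAIN = "S-1-5-21-4000000000-5000000000-6000000000"

# Constructed token for a user ADMT has migrated: new SID and groups from TARGET,
# plus sIDHistory entries carrying the old user SID and an old group SID from SOURCE.
MIGRATED_USER_TOKEN = [
    f"{TARGET_DOMAIN}-1105",  # new user SID
    f"{TARGET_DOMAIN}-513",   # Domain Users (target)
    f"{SOURCE_DOMAIN}-1042",  # sIDHistory: old user SID
    f"{SOURCE_DOMAIN}-2200",  # sIDHistory: old 'Finance-RO' group
    "S-1-1-0",                # Everyone
    "S-1-5-11",               # Authenticated Users
]


def can_read_source_share(token_sids: List[str], quarantine: bool,
                          share_acl: Tuple[str, ...] = (f"{SOURCE_DOMAIN}-2200",)) -> bool:
    """Access check against a share left behind in the source forest whose ACL still names
    the old group. The source domain trusts the target domain, so with quarantine on only
    TARGET SIDs survive and the sIDHistory entry never reaches the ACL comparison."""
    sids = token_sids
    if quarantine:
        sids, _ = sid_filter(token_sids, [TARGET_DOMAIN])
    return any(s in sids for s in share_acl)


if __name__ == "__main__":
    kept, dropped = sid_filter(MIGRATED_USER_TOKEN, [TARGET_DOMAIN])
    print("kept:", kept)
    print("dropped by SID filtering:", dropped)
    print("source share readable, quarantine on :", can_read_source_share(MIGRATED_USER_TOKEN, True))
    print("source share readable, quarantine off:", can_read_source_share(MIGRATED_USER_TOKEN, False))
```

During coexistence the filter is relaxed on the source side with netdom (`netdom trust <source-domain> /domain:<target-domain> /quarantine:No`, run with credentials for both domains); the check a practitioner wants afterwards is that it goes back to `/quarantine:Yes` as soon as the last source resource is re-ACLed, because while it is off any account in the target forest with write access to its own sIDHistory can carry arbitrary source-domain SIDs across.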
[ActiveDir] Seperate forest migration notes
A company was acquired. Separate 2000/2003 forest, now a two-way trust exists, but we are looking at migrating their users, mailboxes, computers, and servers into our forest.

Working on a plan to test moving a user, mailbox, computer, and server into our forest.

Plan:
Select test users and computers
Install ADMT
Test user migration via ADMT
Test computer migration via RDP manually or script (must locate)
Test mailbox migration via Exchange Migration Wizard
Login as user and test services/access

Am I missing anything? Any tips?

Thanks,
...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
Re: [ActiveDir] Site down for 36 hours so far - anything proactive to do?
We should be good, then. Thanks, Joe

D

On 8/29/06, joe [EMAIL PROTECTED] wrote:

Nope you should be good unless you have some special dependence on that DC. Normally you need to worry once you start to approach the TSL which is usually 60 days for most places or if you don't know why the DC is down (i.e. Mr. BlackHat is hacking your server in an offline fashion). If the machine does approach the TSL time down, just whack it out of the directory and rebuild when it comes back up.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Tuesday, August 29, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site down for 36 hours so far - anything proactive to do?

One of our sites has been without power for over 36 hours now. Is there anything that I should do in AD if the site could potentially be down for another day or more? DC's are mixed between 2000 SP4, 2003 SP1, and 2003R2.

Thanks,
...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
RE: [ActiveDir] Weak AD passwords
Hi

Haven't used it, but one of my colleagues swears it's too good. :) Try Rainbow Tables.

Cheers
Danny

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: 20 March 2006 21:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Weak AD passwords

Can anyone recommend any tools to find which of our users have weak AD passwords? We used to use L0phtcrack back in the day, but it doesn't appear to be supported any longer? Other than enforcing complex passwords (which we do) and 8 character minimum, we'd like to figure out who uses things like "Password1" or something silly like that.

Thanks in advance

~~
This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.
~~
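Why rainbow tables (or a plain dictionary) work so well against AD, as an added example that is not part of the exchange above and is not code from any tool named in it: the NT hash is MD4 over the UTF-16LE password with no salt, so one precomputed table answers for every account and two users with the same password are visibly identical in the dump. MD4 is implemented inline because OpenSSL 3 builds of hashlib often refuse it; the pwdump-style sample lines are constructed, not a real dump.

```python
"""Weak-password audit against NT hashes. Added example; SAMPLE_DUMP is constructed.

NT hash = MD4(UTF-16LE(password)), no salt, no iteration. A dictionary or rainbow
table is therefore built once and reused against every account.
"""
import struct
from typing import Dict, Iterable, List

_MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # the LM field when no LM hash is stored


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(message: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is hidden behind OpenSSL 3's legacy provider."""
    msg = message + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(message) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for f, k, order, shifts in rounds:
            for i in range(16):
                a = _rotl((a + f(b, c, d) + x[order[i]] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles so the next step updates the old d
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    return md4(password.encode("utf-16le")).hex()


def build_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """hash -> plaintext, computed once. That reuse is the whole point of attacking an unsalted hash."""
    return {nt_hash(w): w for w in wordlist}


def audit(dump_lines: Iterable[str], table: Dict[str, str]) -> Dict[str, List[str]]:
    """pwdump-style 'user:rid:lm:nt:::' lines -> {user: [findings]} for accounts worth a call."""
    findings: Dict[str, List[str]] = {}
    first_seen: Dict[str, str] = {}
    for line in dump_lines:
        user, _rid, lm, nt = line.strip().split(":")[:4]
        nt, lm = nt.lower(), lm.lower()
        notes = []
        if nt in table:
            notes.append(f"dictionary password {table[nt]!r}")
        if lm != EMPTY_LM:
            notes.append("LM hash stored")  # upper-cased, 14 chars max, two independent 7-byte halves
        if nt in first_seen:
            notes.append(f"same password as {first_seen[nt]}")
        first_seen.setdefault(nt, user)
        if notes:
            findings[user] = notes
    return findings


WEAK_WORDS = ["Password1", "Welcome1", "Summer2006", "password"]  # all pass 'complex + 8 chars'

# Constructed dump. dave's pair is the textbook LM/NT hash of 'password'.
SAMPLE_DUMP = [
    f"alice:1104:{EMPTY_LM}:{nt_hash('Password1')}:::",
    f"bob:1105:{EMPTY_LM}:{nt_hash('correct horse battery staple')}:::",
    f"carol:1106:{EMPTY_LM}:{nt_hash('Password1')}:::",
    "dave:1107:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::",
]

if __name__ == "__main__":
    for user, notes in audit(SAMPLE_DUMP, build_table(WEAK_WORDS)).items():
        print(user, "-", "; ".join(notes))
```

The "same password as" finding is the cheap check the thread's complexity policy cannot make: it needs no wordlist at all, just a sort of the NT column, and it is exactly the property a rainbow table exploits at scale.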
Re: [ActiveDir] Adding the first Win2003 R2 DC
On 7/27/06, Lucas, Bryan [EMAIL PROTECTED] wrote:

I have 4 DC's that are Win2003 SP1 and 1 DC that is still Win2000 SP4. I'd like to add a new DC that is Win2003 R2. Is there anything special I need to do (i.e. forestprep/domainprep) or can I join it just like another Win2003 SP1 DC?

Yes, run adprep from CD 2: http://technet2.microsoft.com/WindowsServer/en/library/5022eea0-54bc-422f-b98b-ddb836c8ee851033.mspx?mfr=true

...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Acquisition of 2003 Forest - options experiences
Thanks everyone for your feedback - much appreciated. I received a quote from Quest, and we are looking at a minimum commitment of $40,000 CDN. Still working out the budget, but I think a business decision will be made by management to go the ADMT route. :) Please keep the opinions and experiences coming. I look forward to posting my experience as we move forward. :)

...D

On 7/13/06, Myrick, Todd (NIH/CC/DCRI) [E] [EMAIL PROTECTED] wrote:

I can vouch for the Aelta/Quest Migration tools and say they are pretty good for NT to AD migrations, and AD to AD migrations. There was a lot of innovation in the space a couple years ago, but I think most of the solutions today are pretty stable and offer comparable features. The value of third-party tools is that with some you can get around certain group limitations, password migration issues, and workstation provisioning.

Here is a tip, when evaluating, ask what API's they use for achieving their migration functions. Some vendors just write Project Management Code around the MS API's, others take a more "unique" approach and develop their own API's to give you more flexibility.

One more thing, several of the vendors only offer professional services instead of access to their software, due to the fact that a lot of the time you pretty much needed their expertise on site anyway. I encourage you to have an open mind about that, but also not just assume everything is magic.

Good luck,
Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 12, 2006 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Acquisition of 2003 Forest - options experiences

I think you'd be doing yourself a favor to at least look into Quest Software's tools including Migration Manager for Active Directory. While I haven't used that particular tool I have used several of their other tools including their Domain Migration Wizard to move from NT4 to 2000/2003 with much success. They really reduce the workload in my experience and they have so much experience that they are less likely to miss something than if you try to do it manually =)

Andrew Fidel

Danny [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/12/2006 01:18 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] Acquisition of 2003 Forest - options experiences

A company with an independent 2003 Forest has been acquired. They have Exchange 2003 and a Citrix server. We have a similar configuration minus Citrix. The goal is obviously to migrate key AD objects, mailboxes, and servers into our 2003 forest. I understand that ADMT is often the right tool for the job, but I would greatly appreciate hearing your personal experiences and any caveats that you may have run into. And is it the only tool you need? I am off to read some MS docs on the topic and specifically ADMT. Hopefully I am able to contribute back to the list.

Thanks,
...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
[ActiveDir] Acquisition of 2003 Forest - options experiences
A company with an independent 2003 Forest has been acquired. They have Exchange 2003 and a Citrix server. We have a similar configuration minus Citrix. The goal is obviously to migrate key AD objects, mailboxes, and servers into our 2003 forest. I understand that ADMT is often the right tool for the job, but I would greatly appreciate hearing your personal experiences and any caveats that you may have run into. And is it the only tool you need? I am off to read some MS docs on the topic and specifically ADMT. Hopefully I am able to contribute back to the list.

Thanks,
...D
RE: [ActiveDir] OT: Higher Education web access
We use it here (Glasgow Caledonian) to an extent, without issue. And I believe it's used very successfully and extensively at Strathclyde (much bigger uni than we are).

Cheers
Danny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: 20 June 2006 16:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Higher Education web access

All you're "taking away" is the limitation of 1 file at a time. (OK, the interface is different but for Windows users it's going to be much more like what they use when they're working with local files)

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Glenn
Sent: 20 June 2006 14:13
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Higher Education web access

I myself would be more than happy with this scenario. However, when I discuss this with the VP he says we can't take away anything they have now. So that means I have to find a way for them to access their files through some type of web interface (which maybe I can convince him WEBDAV is almost like what they have now) and also be able to publish their own web pages.

Paul

On 6/20/06, Steve Rochford [EMAIL PROTECTED] wrote:

We use webdav and publish instructions for staff/students to just add their home folder as a "my network place" on their home computers. This works well - once you've connected it's just another location that appears in explorer or file dialogues. If you're happy to continue with FTP access to the web folder then that's perfectly possible; I'm assuming you're scripting creation of users so it's just a case of adding an extra bit to create and permission a folder somewhere in the IIS folder for each user.

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Glenn
Sent: 19 June 2006 21:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Higher Education web access

Hello all,

Sorry for the OT, but I'm a bit at a loss on parts of the big move. As I've said in the past, I'm in the process of moving our student population from eDirectory to Active Directory. We've overcome several hurdles up to this point. Our next big one is how to give access to our students' files via a web browser and also a way to host their own web pages. Currently we accomplish this via IUAdmin and apache services. IUAdmin is not ported to the Windows platform and Apache for Windows has a few drawbacks. I was wondering if there are any higher education folks out there that wouldn't mind talking with me about their environment.

To help give a better idea of what we do, I offer three web pages:

Students can login to the following page and gain access to their files.
http://locker.uky.edu

The next link shows you some screenshots of what you would see if you logged in as bigtest.
http://locker.uky.edu/help.htm

Then of course we offer a way for them to publish their own webpages (the first link will show you where I get my signature):
http://locker.uky.edu/~pglenn

Thanks for any help even if it's just a pointer to another listserv

Paul
--
***"I've got a fever and the only prescription is more cowbell."--Christopher Walken***
RE: [ActiveDir] FRS/DFS woes
Is the DNS configuration of this server pointing to itself for DNS resolution? Are the other servers resolving against the same DNS?

Cheers
Danny

The root of the DFS is located on our PDC emulator, which is also a DNS server itself. If I go into the dfs root on the PDC emulator I see the file I copied to the \\domain.com\dfs\software directory, it's just not replicating to any of the other links.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Tuesday, June 13, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FRS/DFS woes

Where is the root of the DFS located? I seem to remember having problems with DFS replication before, because one of the servers hosting the root had its DNS incorrectly configured. Ultrasound would report any errors sure enough. After decoding what it all means you'll need a dark room to lie down in for a few hours. :)

Cheers
Danny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 13 June 2006 15:31
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FRS/DFS woes

I'm trying to set up a DFS share and having all sorts of issues getting it to work. I've installed Ultrasound and I'm either not sure where to look in it for the answer or it's not giving me the answer. I set up a link with 3 targets in a ring replication topology. 2 of the 3 servers are Win2k3, 1 is Win2k. The only server the file is showing up on is the one that is set up as the master to replicate from. The errors I'm mostly seeing are:

The File Replication Service is having trouble enabling replication from CAMPATFS01 to CCVVPLFS01 for d:\communicator using the DNS name campatfs01.ccc.ourdomain.com. FRS will keep retrying.
Following are some of the reasons you would see this warning.
[1] FRS can not correctly resolve the DNS name campatfs01.ccc.ourdomain.com from this computer.
[2] FRS is not running on campatfs01.ccc.ourdomain.com.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

and

Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller \\camdhqdc01.ccc.ourdomain.com for FRS replica set configuration information.

I'm thoroughly stumped. Any advice? Name resolution seems to be working reverse and forward between the servers.

Thanks in advance
RE: [ActiveDir] FRS/DFS woes
Hi Russ

Try pointing the server to itself for DNS resolution. This is the problem I had with one replica in a similar situation and it resolved the problem for me. BTW, it only affected DFS replication, SYSVOL was fine.

Cheers
Danny

No, PDC emulator (which is also the root target) is not pointing to itself for DNS. Other servers are resolving against their local DNS which is replicated from the same DNS as the root target.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Thursday, June 15, 2006 8:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FRS/DFS woes

Is the DNS configuration of this server pointing to itself for DNS resolution? Are the other servers resolving against the same DNS?

Cheers
Danny

The root of the DFS is located on our PDC emulator, which is also a DNS server itself. If I go into the dfs root on the PDC emulator I see the file I copied to the \\domain.com\dfs\software directory, it's just not replicating to any of the other links.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Tuesday, June 13, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FRS/DFS woes

Where is the root of the DFS located? I seem to remember having problems with DFS replication before, because one of the servers hosting the root had its DNS incorrectly configured. Ultrasound would report any errors sure enough. After decoding what it all means you'll need a dark room to lie down in for a few hours. :)

Cheers
Danny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 13 June 2006 15:31
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FRS/DFS woes

I'm trying to set up a DFS share and having all sorts of issues getting it to work. I've installed Ultrasound and I'm either not sure where to look in it for the answer or it's not giving me the answer. I set up a link with 3 targets in a ring replication topology. 2 of the 3 servers are Win2k3, 1 is Win2k. The only server the file is showing up on is the one that is set up as the master to replicate from. The errors I'm mostly seeing are:

The File Replication Service is having trouble enabling replication from CAMPATFS01 to CCVVPLFS01 for d:\communicator using the DNS name campatfs01.ccc.ourdomain.com. FRS will keep retrying.
Following are some of the reasons you would see this warning.
[1] FRS can not correctly resolve the DNS name campatfs01.ccc.ourdomain.com from this computer.
[2] FRS is not running on campatfs01.ccc.ourdomain.com.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

and

Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller \\camdhqdc01.ccc.ourdomain.com for FRS replica set configuration information.

I'm thoroughly stumped. Any advice? Name resolution seems to be working reverse and forward between the servers.

Thanks in advance
RE: [ActiveDir] Group membership question
Thank you.

Danny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 13 June 2006 17:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group membership question

No it is a value in an attribute. A child object would be an object that has a group as its parent... I.E. cn=group,ou=someou,dc=dom,dc=com and the child object of cn=somethingelse,cn=group,ou=someou,dc=com,dc=com

In the default schema, the only objectclass that can be instantiated as an object under a group is objectClass classStore. You can determine that by looking at the possibleInferiors attribute of the group object.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Tuesday, June 13, 2006 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group membership question

Sorry if this is a daft question, but I can't find an answer anywhere: Is a User considered a Child object of a Group to which it is a member?

Cheers
Danny
[ActiveDir] Group membership question
Sorry if this is a daft question, but I can't find an answer anywhere: Is a User considered a Child object of a Group to which it is a member?

Cheers
Danny
RE: [ActiveDir] FRS/DFS woes
Where is the root of the DFS located? I seem to remember having problems with DFS replication before, because one of the servers hosting the root had its DNS incorrectly configured. Ultrasound would report any errors sure enough. After decoding what it all means you'll need a dark room to lie down in for a few hours. :)

Cheers
Danny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 13 June 2006 15:31
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FRS/DFS woes

I'm trying to set up a DFS share and having all sorts of issues getting it to work. I've installed Ultrasound and I'm either not sure where to look in it for the answer or it's not giving me the answer. I set up a link with 3 targets in a ring replication topology. 2 of the 3 servers are Win2k3, 1 is Win2k. The only server the file is showing up on is the one that is set up as the master to replicate from. The errors I'm mostly seeing are:

The File Replication Service is having trouble enabling replication from CAMPATFS01 to CCVVPLFS01 for d:\communicator using the DNS name campatfs01.ccc.ourdomain.com. FRS will keep retrying.
Following are some of the reasons you would see this warning.
[1] FRS can not correctly resolve the DNS name campatfs01.ccc.ourdomain.com from this computer.
[2] FRS is not running on campatfs01.ccc.ourdomain.com.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

and

Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller \\camdhqdc01.ccc.ourdomain.com for FRS replica set configuration information.

I'm thoroughly stumped. Any advice? Name resolution seems to be working reverse and forward between the servers.

Thanks in advance
RE: [ActiveDir] sample vbs script
Hi Antonio

Here's a link to one of the Microsoft script centre repositories. You may want to look at some of the other sections to see how to set passwords, etc. There are lots of other sites out there which will supply more sophisticated scripts, but this is a good start for picking up the building blocks.

http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/manage/usmgvb05.mspx

Cheers
Danny

-Original Message-
From: [EMAIL PROTECTED] on behalf of Antonio Aranda
Sent: Tue 06/06/2006 20:28
To: ActiveDir@mail.activedir.org
Cc:
Subject: [ActiveDir] sample vbs script

Could someone send me a sample vbs script that creates AD user accounts?

Thanks
Antonio
Re: [ActiveDir] Forcing Kerberos to use TCP instead of UDP
On 4/26/06, Olivarez, Sergio J Mr CTNOSC/GD-NS [EMAIL PROTECTED] wrote:

Many times! What is your concern?

Turns out the firewall admins had to explicitly allow TCP 135 on their Checkpoint firewall, and the AD trust between the IPSec sites is working. Thank you to all of you for your assistance.

...D

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] DNS addition - event error 4010: unable to create RR for AD zone
On 4/25/06, Douglas M. Long [EMAIL PROTECTED] wrote:

Some suggestions:

Look into the differences between 2000 and 2003 AD integrated DNS. I believe in 2000 they are stored in the domain partition and in 2003 they are stored in the application directory partition.
http://support.microsoft.com/?id=817470
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

Netdiag usually gives some useful information. If you do delete the zone and recreate it, you can then run netdiag /fix to get things going again.

Make sure the DNS server service, the DNS client service, and the DHCP client service are all running as expected.

If it ends up that one of the 2000 DNS servers is having issues and you need to recreate it, this should help to ensure that you clean things.
http://support.microsoft.com/?kbid=294328
NOTE: Not totally sure of the impact of step 4 in the above KB, so make sure you know what it is doing (test it) before doing it in production.

Hope this helps

Thanks, I will be trying this on May 13th. Results will be posted here.

...D
[ActiveDir] OT: Network routing/Cisco mailing list
Happy Friday to you all.

Sorry for the OT - I am looking for a Cisco network routing or just general network routing mailing list. Any suggestions? I did search as well.

Thanks,
...D
[ActiveDir] Forcing Kerberos to use TCP instead of UDP
Has anyone?

http://support.microsoft.com/?id=244474

RE: http://www.mail-archive.com/activedir@mail.activedir.org/msg41616.html

I am concerned about the impact on this environment.

Thanks,
...D
Re: [ActiveDir] Forcing Kerberos to use TCP instead of UDP
On 4/26/06, Olivarez, Sergio J Mr CTNOSC/GD-NS [EMAIL PROTECTED] wrote:

Many times! What is your concern?

1) Does this change need to be made to all DC's?
2) What changes need to be made to clients and/or GPO's?
3) Will this have a short (or long) term negative impact to operations?
4) Has this been a solution for you with broken AD trusts between site to site VPN connections?
5) Is there any effect on overall network traffic?

Thanks,
...D
Re: [ActiveDir] DNS addition - event error 4010: unable to create RR for AD zone
On 4/25/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

To directly answer your question, I'd suggest:

Convert the zone to Standard primary on the problematic server.
Configure the server to now use another DNS server for lookup.
Then delete the newly-converted zone on this server.
Remove DNS from this server.
Reboot for good measure.
Ensure that there are no DNS errors present anywhere on the other DNS servers.
Ensure that this server can resolve records using nslookup and can ping by name and IP.
Then reinstall DNS on this server.

There are six AD integrated DNS servers, all 2000 SP4, but this new DC (2003 SP1), when I added DNS (AD integrated) and started the services I see:

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4010
Date: 17/04/2006
Time: 2:11:04 PM
User: N/A
Computer: DMTOR2K3
Description:
The DNS server was unable to create a resource record for dom.example.ca. in zone .. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: : 7b 00 00 00 {...

Since all the servers share the same DNS information, I do not understand which server to focus on as being problematic. Are you referring to the new 2003 DC - to perform the steps that you suggest?

Thanks!
...D
[ActiveDir] AD trust between separate forests - inconsistent RPC communication
Hello,

Company A acquired Company B:
A: Windows 2000 SP4 DC's and one Server 2003 SP1 DC
B: Windows Server 2003 DC's

A site to site IPSec VPN connection between the two sites was up and running months ago. Ping by name (and IP address) results are good. Today, we added a two-way external non-transitive trust between the two forests, first from domain A's 2003 DC and then domain B's 2003 DC. Subsequently, domain B shows up on Domain A member PC and is also available from various security (permissions) locations, however, you cannot enumerate domain B's AD from there.

Here are some error messages:

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5719
Date: 24/04/2006
Time: 12:40:31 PM
User: N/A
Computer: NYDC2
Description:
This computer was not able to set up a secure session with a domain controller in domain EXAMPLE due to the following: The remote procedure call failed and did not execute. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

I have looked at the following from Microsoft, but I am hesitant to proceed. Has anyone else seen this?

Event ID 5719 - The system cannot log you on now because the domain name is not available.

Symptoms: when attempting to logon a domain, you keep getting an error that The system cannot log you on now because the domain name is not available. Also, Event viewer shows Event ID: 5719. No Windows NT or Windows 2000 Domain Controller is available for domain domain name. The following error occurred: There are currently no logon servers available to service the logon request.

Resolutions: One possible cause of this error is that you have run out of buffer space in the NetBT datagram buffer. To resolve this problem, increase the MaxDgramBuffering value from 128 KB to 256 KB. Run Regedt32.exe, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters. On the Edit menu, click Add Value, and then add the following information:
Value Name: MaxDgramBuffering
Data Type: REG_DWORD
Value: 0x4
Refer to 072704RL
Re: [ActiveDir] DNS addition - event error 4010: unable to create RR for AD zone
On 4/17/06, Al Mulnick [EMAIL PROTECTED] wrote:

When you talk about deleting and such are you thinking about the newsgroups posts like this one: http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.dns/2005-05/msg00245.html ???

Yes, along those lines. But, the zone file in question in this scenario is the forward lookup zone for AD. Since DNS plays a critical role in AD, I am sure that you can understand that I am hesitant to just delete the AD DNS zone without understanding exactly how a new zone will automatically create all the essential resource records.

Some questions:

Is DNS AD-Integrated?

Yes, the default.

Software revisions in use?

I am not sure what you mean, but there is a mix of Windows 2000 SP4 and Windows Server 2003 SP1.

When the client fails, what's the error logged and what are they looking for? (I assume nslookup vs. live clients - is that correct?)

Example:
hosts file only contains one server on the LAN
DNS cache has been flushed
DNS client points exclusively to IP of DNS server
NIC has been restarted
nslookup default server displayed; try a hostname lookup and I receive: DNS request timed out. timeout was 2 seconds

When I ping a hostname not previously looked up (or in the cache), it takes a few seconds and then it finally resolves the name and pings the host successfully.

Regardless, do you know what can be done to resolve the original issue? What I have just described is more than likely a result of the root problem.

Thanks,
...D
[ActiveDir] DNS addition - event error 4010: unable to create RR for AD zone
New 2003 DC promoted into 2000 forest about 2 months ago. Server was stable so I added DNS services this morning. The zones from the other DC's showed up OK, but the following event was logged:

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4010
Date: 17/04/2006
Time: 2:11:04 PM
User: N/A
Computer: DMTOR2K3
Description:
The DNS server was unable to create a resource record for dom.example.ca. in zone .. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: : 7b 00 00 00 {...

AND... when clients were pointed to the new DNS server, all lookups failed.

I have read some tips on eventid.net and Google Groups, but I wanted to check with the AD gurus before I delete zones and such.

Thanks,
...D
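Two things a defender can get out of the 4010 event as quoted above and earlier in this thread, written here as an added example (not from the list or from Microsoft): decode the Data bytes as a little-endian Win32 error code, and run a basic syntax check over the record and zone names the event mentions. The event template ends its first sentence with a period, so "in zone .." is read as zone "." (the root zone); the error-code table is a constructed subset of the documented Win32/DNS codes, and treating the first DWORD as a Win32 status is an assumption about how the DNS service fills the event data.

```python
import re
import struct

# Constructed subset of documented Win32/DNS system error codes.
WIN32_ERRORS = {
    0x0000: "ERROR_SUCCESS",
    0x0005: "ERROR_ACCESS_DENIED",
    0x007B: "ERROR_INVALID_NAME",
    0x054B: "ERROR_NO_SUCH_DOMAIN",
    0x232A: "DNS_ERROR_RCODE_SERVER_FAILURE",
    0x232B: "DNS_ERROR_RCODE_NAME_ERROR",
    0x232D: "DNS_ERROR_RCODE_REFUSED",
    0x251D: "DNS_INFO_NO_RECORDS",
    0x2558: "DNS_ERROR_INVALID_NAME_CHAR",
    0x2581: "DNS_ERROR_ZONE_DOES_NOT_EXIST",
}

HEX_BYTE = re.compile(r"\b[0-9a-fA-F]{2}\b")


def event_data_bytes(data_line: str) -> bytes:
    """Pull the raw bytes out of an Event Viewer 'Data:' line.

    Only the text after the first colon is scanned, so the 'Data' label is
    ignored; an offset such as '0000:' is four digits and does not match the
    two-digit byte pattern, and the ASCII column ('{...') has no hex pairs.
    """
    payload = data_line.split(":", 1)[1] if ":" in data_line else data_line
    return bytes(int(h, 16) for h in HEX_BYTE.findall(payload))


def event_error_code(data_line: str) -> int:
    """Interpret the first four data bytes as a little-endian DWORD
    (assumption: the DNS service stores a Win32 status code there)."""
    raw = event_data_bytes(data_line)
    if len(raw) < 4:
        raise ValueError("event data shorter than one DWORD")
    return struct.unpack_from("<I", raw)[0]


def describe_error(code: int) -> str:
    return WIN32_ERRORS.get(code, f"unknown (0x{code:08X})")


# Underscore is allowed because AD publishes _msdcs/_sites/_tcp SRV names.
LABEL = re.compile(r"[A-Za-z0-9_-]{1,63}")


def check_dns_name(name: str) -> list:
    """Return a list of syntax problems with a DNS name (empty list = OK).

    Checks the RFC 1035 length limits and the label character set as AD DNS
    accepts it; it says nothing about whether the record really exists.
    """
    if name == ".":
        return []                      # the root zone itself
    problems = []
    if len(name) > 255:
        problems.append("name longer than 255 octets")
    labels = name[:-1].split(".") if name.endswith(".") else name.split(".")
    for label in labels:
        if label == "":
            problems.append("empty label (leading or consecutive dot)")
        elif not LABEL.fullmatch(label):
            problems.append(f"bad label {label!r}: length or character set")
    return problems


# Event 4010 text is '... record for %1 in zone %2.' so one trailing period
# after the zone belongs to the sentence, not to the zone name.
DESC = re.compile(r"create a resource record for (\S+) in zone (\S+)")


def triage_4010(event_text: str) -> dict:
    """Summarise a DNS event 4010: the names it mentions, their syntax
    problems, and the decoded error code from the Data line."""
    m = DESC.search(event_text)
    record, zone = (m.group(1), m.group(2)) if m else (None, None)
    if zone and zone.endswith(".") and len(zone) > 1:
        zone = zone[:-1]
    data = next((ln for ln in event_text.splitlines()
                 if ln.lstrip().startswith("Data")), "")
    code = event_error_code(data) if data else None
    return {
        "record": record,
        "record_problems": check_dns_name(record) if record else [],
        "zone": zone,
        "zone_problems": check_dns_name(zone) if zone else [],
        "error_code": code,
        "error_name": describe_error(code) if code is not None else None,
    }


# Constructed from the event quoted in the post above.
EVENT_4010 = """\
Event Type: Error
Event Source: DNS
Event ID: 4010
Computer: DMTOR2K3
Description: The DNS server was unable to create a resource record for dom.example.ca. in zone .. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.
Data: : 7b 00 00 00 {...
"""

if __name__ == "__main__":
    print(triage_4010(EVENT_4010))
```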
[ActiveDir] Mass AD Full Name Display Name Changes - Last name, first name
My goal is to automate a process to change Full Name and Display Name from John Doe to Doe, John. I am not yet familiar with VB et al scripting, so assistance would be greatly appreciated if you propose a scripting solution.

Thank you!
...D
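As an added example (not from the thread or any poster), here is how that bulk change can be done from Windows PowerShell with the ActiveDirectory module. It builds "Last, First" from each account's givenName and sn rather than splitting the existing display name, skips accounts where either attribute is empty, and writes nothing until -Apply is given. The search base is a placeholder. Note that "Full Name" is the cn attribute, which is the object's RDN, so it is changed with Rename-ADObject rather than Set-ADUser.

```powershell
# Added example: rename displayName and cn to "Last, First" for every user
# under a search base. Assumes the ActiveDirectory module; the OU below is
# a placeholder.
Import-Module ActiveDirectory

function ConvertTo-LastFirst {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname
    )
    # "Doe, John" is the target format from the post.
    return ('{0}, {1}' -f $Surname.Trim(), $GivenName.Trim())
}

function Update-UserNameFormat {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. 'OU=Staff,DC=example,DC=com' (placeholder)
        [switch]$Apply                               # without -Apply this only reports
    )
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties givenName, sn, displayName
    foreach ($u in $users) {
        if ([string]::IsNullOrWhiteSpace($u.GivenName) -or [string]::IsNullOrWhiteSpace($u.Surname)) {
            Write-Warning "Skipping $($u.SamAccountName): givenName or sn is empty"
            continue
        }
        $new = ConvertTo-LastFirst -GivenName $u.GivenName -Surname $u.Surname
        if ($u.DisplayName -eq $new -and $u.Name -eq $new) { continue }   # already in the new format
        Write-Output ('{0}: "{1}" -> "{2}"' -f $u.SamAccountName, $u.DisplayName, $new)
        if ($Apply) {
            Set-ADUser -Identity $u.DistinguishedName -DisplayName $new
            # cn is the RDN, so the "Full Name" change is a rename of the object
            Rename-ADObject -Identity $u.DistinguishedName -NewName $new
        }
    }
}

# Dry run first; add -Apply once the report looks right.
Update-UserNameFormat -SearchBase 'OU=Staff,DC=example,DC=com'
```

Run it once without -Apply and keep the report: it doubles as the change record for the rename, and the skipped accounts are the ones whose name attributes need fixing by hand before the script can decide the new value.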
Re: [ActiveDir] OT: Roaming Profiles
Right, but if you have several remote sites in the US with a total of 150 users connected via site T1's to one Exchange server in Toronto (Canada)? Cached mode is pretty much necessary.

...D

On 2/3/06, Navroz Shariff [EMAIL PROTECTED] wrote:

I would highly discourage against using cached mode for roaming profiles. Just imagine the network resources they would be hogging up when they log onto a different computer, not to mention HDD space. We definitely have disabled cached mode for roaming profiles.

-Nav

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Friday, February 03, 2006 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Roaming Profiles

I agree... but what about OST files - Outlook cached mode. Is anyone excluding the OST from the roaming profile? If so, a new OST will need to be downloaded at each computer the user logs into. Most are 100-300MB. Which is the lesser evil. :)

...D

On 2/3/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:

As just another piece of this, users sometimes just throw stuff on their desktop since they don't know any better or because that might be the first location that shows up during a save operation. The desktop is obviously included as part of the profile, leading to bloated sizes.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve
Sent: Friday, February 03, 2006 8:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Roaming Profiles

I too am a fan of local profiles, but I do not think that directly addresses Frank's issues... A couple of jobs ago at a school we used roaming profiles exclusively - made sense in our scenario. There were still at least 3-4 staff on a bad day that needed their profile reconfig-ed (all students used a mandatory profile). Bottom line - use GPO's to limit the size of the user dumping grounds, and/or redirect them. It's amazing how your profiles shrink dramatically when you don't allow users to store their files as a part of their profile, you don't copy their IE cache, and redirect a couple of other folders. I feel for you Frank, as with users with profiles in excess of, say, 20 MB - with your link speeds, I am amazed that you do not experience more problems (but then I am sure it is only the ones that move sites that cause the issues... give them a laptop and make them have local profiles!). ;)

My $0.02 inc GST...

themolk.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Krenceski, William
Sent: Friday, 3 February 2006 10:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Roaming Profiles

I personally avoid roaming and mandatory roaming like the plague. One thing you can do is create a DFS Root for the profiles of the users that move around and replicate it to all of the sites that they visit. I would not recommend doing it for everyone else. I would actually stop using roaming for everyone else that does not roam. There are many alternatives to roaming using Group Policies, because no matter how you look at it you are slowing down the user logon and the network, especially with that many users.

JMTC
Bill

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, February 03, 2006 4:51 AM
To: Active
Subject: [ActiveDir] OT: Roaming Profiles

Hi all,

I have a question regarding Roaming Profiles. Our environment currently has 3500 users which are all roaming profile enabled. Their profiles are stored on the local site server. We have approx 56 sites which are all linked by 256-1mb lines. I like the concept of roaming profiles, however some of our users have profiles ranging from 5mb - 200mb, some even with 1GB profiles. Because a lot of our users log on to different computers at different sites, we are finding issues with corrupted profiles and logon speeds.

On a few occasions, where a user has been added to a group, the permissions assigned to this group are not shown when the user is logged back on. Deleting the profile and recreating fixes this issue but it's quite a time consuming effort. How does everyone deal with roaming profiles if used? Sometimes there are instances where users just want to logon to the PC without their roaming profile so they can remote desktop to their PC. In this situation they have to take their profile across which can take forever depending on the size of profile and link. Any creative ideas? How about using DFS to store the profiles?

Thanks
Frank

Yahoo! Mail - Helps protect you from nasty viruses.
Re: [ActiveDir] OT: Roaming Profiles
I agree... but what about OST files - Outlook cached mode. Is anyone excluding the OST from the roaming profile? If so, a new OST will need to be downloaded at each computer the user logs into. Most are 100-300MB. Which is the lesser evil. :)

...D

On 2/3/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:

As just another piece of this, users sometimes just throw stuff on their desktop since they don't know any better or because that might be the first location that shows up during a save operation. The desktop is obviously included as part of the profile, leading to bloated sizes.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve
Sent: Friday, February 03, 2006 8:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Roaming Profiles

I too am a fan of local profiles, but I do not think that directly addresses Frank's issues... A couple of jobs ago at a school we used roaming profiles exclusively - made sense in our scenario. There were still at least 3-4 staff on a bad day that needed their profile reconfig-ed (all students used a mandatory profile). Bottom line - use GPO's to limit the size of the user dumping grounds, and/or redirect them. It's amazing how your profiles shrink dramatically when you don't allow users to store their files as a part of their profile, you don't copy their IE cache, and redirect a couple of other folders. I feel for you Frank, as with users with profiles in excess of, say, 20 MB - with your link speeds, I am amazed that you do not experience more problems (but then I am sure it is only the ones that move sites that cause the issues... give them a laptop and make them have local profiles!). ;)

My $0.02 inc GST...

themolk.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Krenceski, William
Sent: Friday, 3 February 2006 10:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Roaming Profiles

I personally avoid roaming and mandatory roaming like the plague. One thing you can do is create a DFS Root for the profiles of the users that move around and replicate it to all of the sites that they visit. I would not recommend doing it for everyone else. I would actually stop using roaming for everyone else that does not roam. There are many alternatives to roaming using Group Policies, because no matter how you look at it you are slowing down the user logon and the network, especially with that many users.

JMTC
Bill

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, February 03, 2006 4:51 AM
To: Active
Subject: [ActiveDir] OT: Roaming Profiles

Hi all,

I have a question regarding Roaming Profiles. Our environment currently has 3500 users which are all roaming profile enabled. Their profiles are stored on the local site server. We have approx 56 sites which are all linked by 256-1mb lines. I like the concept of roaming profiles, however some of our users have profiles ranging from 5mb - 200mb, some even with 1GB profiles. Because a lot of our users log on to different computers at different sites, we are finding issues with corrupted profiles and logon speeds.

On a few occasions, where a user has been added to a group, the permissions assigned to this group are not shown when the user is logged back on. Deleting the profile and recreating fixes this issue but it's quite a time consuming effort. How does everyone deal with roaming profiles if used? Sometimes there are instances where users just want to logon to the PC without their roaming profile so they can remote desktop to their PC. In this situation they have to take their profile across which can take forever depending on the size of profile and link. Any creative ideas? How about using DFS to store the profiles?

Thanks
Frank

Confidentiality Notice: The information contained in this message may be legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error please notify the author immediately by replying to this message and deleting the original message. Thank you.

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
Re: [ActiveDir] Automagically move AD computers into new/appropriate OU
On 1/10/06, Kamlesh Parmar [EMAIL PROTECTED] wrote:

If you know the admin password of all new computers, you can use netdom.exe to join a machine remotely, and at the same time put it in the exact OU where you want it.

NETDOM JOIN comp1 /DOMAIN:WINDOM /UO:LocalAdmin /PO:LocalAdminPassword /UD:WinDom\DomAdmin /PD:DomAdminPassword /OU:OU=MyComps,dc=dom,dc=com

Where
comp1 = remote computer to join the domain
windom = domain to join
localadmin = local administrator of comp1 computer
localadminpassword = localadmin's password
windom\domadmin = domain account with rights to join machine to domain
DomAdminPassword = windom\domadmin's password

Excellent, I will try this! Thanks!

...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
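The netdom line above carries both passwords on the command line, where they are visible in the process list and the command history of the admin workstation. As an added example (not Kamlesh's or Danny's), the same remote join with the target OU, done from Windows PowerShell with prompted credentials and a delegated join account instead of a Domain Admin. The domain name, OU path and computer list are placeholders.

```powershell
# Added example: join a list of workstations and place them in a target OU.
# Assumes Windows PowerShell (Add-Computer) and an account delegated the
# right to join computers to that OU. All names below are placeholders.
$domain    = 'dom.example.com'
$ouPath    = 'OU=MyComps,DC=dom,DC=example,DC=com'
$computers = @('comp1', 'comp2')   # constructed list of new machines

# Prompt for both credentials so no password ends up in a script or history file.
$localCred  = Get-Credential -Message 'Local administrator on the new workstations'
$domainCred = Get-Credential -Message 'Delegated domain-join account (not a Domain Admin)'

foreach ($c in $computers) {
    $joinParams = @{
        ComputerName    = $c
        LocalCredential = $localCred
        DomainName      = $domain
        Credential      = $domainCred
        OUPath          = $ouPath
        Restart         = $true
        ErrorAction     = 'Stop'
    }
    try {
        Add-Computer @joinParams
        Write-Output "$c joined to $domain and placed in $ouPath"
    } catch {
        # One failure (name resolution, firewall, wrong local password) must not stop the batch.
        Write-Warning "$c failed: $($_.Exception.Message)"
    }
}
```

Delegating "Create Computer objects" on the target OU to a dedicated join account keeps the Domain Admin password off every technician's desk, and -OUPath removes the follow-up move out of the Computers container that the next message in this thread is asking about.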
[ActiveDir] GPO - Windows classic view without losing Quick Launch bar in Win2000
Through GPO, is there a way to enforce Windows Classic View in the Folder View (WinXP SP2) without losing the Quick Launch bar on the Windows 2000 computers?

Thanks,
...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
[ActiveDir] Automagically move AD computers into new/appropriate OU
Is there a way to automagically place new AD computers into the correct OU, as opposed to the built-in Computers container?

Thanks,
...D
Re: [ActiveDir] Automagically move AD computers into new/appropriate OU
This is all fantastic information; especially since there are different ways of getting the same end result. Thanks, everyone!

One more related question: if you have a dozen new PC's, what options are available for joining/adding computers to the domain -- besides logging into the PC and changing the network identification to the AD domain? Because I only have experience in smaller environments, I have always added computers to the domain by the aforementioned method.

Cheers,
...D
[ActiveDir] Promote 2003 member server in prep'd 2000 domain?
If I run forest and domain prep for 2003 on the 2000 schema master/FSMO god, can I then dcpromo a new 2003 member server without upgrading the Windows 2000 DC to Windows Server 2003? We are talking about an all 2000 domain with two DC's, Netware 5.x, and MSDSS for directory sync.

Thanks,
...D
Re: [ActiveDir] Promote 2003 member server in prep'd 2000 domain?
On 12/9/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
> Yes you can...

Thought so, I just wanted to make sure I was reading between the lines in the MSKB's.

[...] snip articles I have.

> Forestprep on the schema master
> Domainprep on the infrastructure master

This DC is both, so it is obviously OK to do both on this DC.

Thank you!
...D
[ActiveDir] Netware 5, 2000 AD, and Exchange 5.5 to 2003
Netware 5 with 2000 AD and Exchange 5.5 will all be migrated to 2003. Anyone have experience with this - any tips/suggestions?

Thank you,
...D
Re: [ActiveDir] Netware 5, 2000 AD, and Exchange 5.5 to 2003
On 12/7/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
> More than half a year ago I did a migration from Netware 5, NT4 and Exchange 5.5 to Windows/Exchange 2003. I remember posting information about it.

I will dust off the archives, then. Thanks.

[...]

> Another source you could use is the library from Quest. It contains 3 articles about migrating from Novell (http://wm.quest.com/library/)

Checking it out.

> I assume Netware 5 is used for file and print services and AD is used as the primary authentication system. Right?

File, Print, and user login - with some type of synchronization between the two directories so that Exchange and Outlook work.

Thanks,
...D
Re: [ActiveDir] Broken 2000 AD? Trying to upgrade to 2003 Exchange 2003
Well, after rebooting the remote DC, fixing the DNS root hints (were pointing to itself) and rebooting the server, the Exchange 2003 forest and domain prep and upgrade were successful. I am now about to prepare the forest for Windows Server 2003. In the meantime, if you see anything obvious in my original post, please let me know so that I can fix it.

Thanks,
...D
Re: [ActiveDir] Broken 2000 AD? Trying to upgrade to 2003 Exchange 2003
On 12/3/05, Danny [EMAIL PROTECTED] wrote:
> Well, after rebooting the remote DC, fixing the DNS root hints (were pointing to itself) and rebooting the server, the Exchange 2003 forest and domain prep and upgrade were successful. I am now about to prepare the forest for Windows Server 2003. In the meantime, if you see anything obvious in my original post, please let me know so that I can fix it.

OK, stop the party; I am not seeing:

F:\I386>adprep /forestprep

ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later). QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption.
For more information about preparing your forest and domain see KB article Q331161 at http://support.microsoft.com.

[User Action]
If ALL your existing Windows 2000 domain controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
c
Opened Connection to SRV01
SSPI Bind succeeded
Current Schema Version is 13
Upgrading schema to version 30
ERROR: Failed to transfer the schema FSMO role: 52 (Unavailable).
If the error code is Insufficient Rights, make sure you are logged in as a member of the schema admin group.
Adprep was unable to upgrade the schema on the schema master.
[Status/Consequence]
The schema will not be restored to its original state.
[User Action]
Check the Ldif.err log file in the C:\WINNT\system32\debug\adprep\logs\20051203125020 directory for detailed information.
Adprep was unable to update forest-wide information.
[Status/Consequence]
Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.
[User Action]
Check the log file, Adprep.log, in the C:\WINNT\system32\debug\adprep\logs\20051203125020 directory for more information.

Thanks!
[ActiveDir] Failed to transfer the schema FSMO role - 2000 to 2003 upgrade
adprep /forestprep is failing. User is built-in administrator with full rights.

Adprep created the log file ADPrep.log under C:\WINNT\system32\debug\adprep\logs\20051203132518 directory.
Adprep copied file D:\Win2003SRV\I386\schema.ini from installation point to local machine under directory C:\WINNT.
Adprep copied file D:\Win2003SRV\I386\sch14.ldf from installation point to local machine under directory C:\WINNT\system32.
Adprep copied file D:\Win2003SRV\I386\sch15.ldf from installation point to local machine under directory C:\WINNT\system32.
Adprep copied file D:\Win2003SRV\I386\sch16.ldf from installation point to local machine under directory C:\WINNT\system32.
Adprep copied file D:\Win2003SRV\I386\sch17.ldf from installation point to local machine under directory C:\WINNT\system32.
Adprep copied file D:\Win2003SRV\I386\sch18.ldf from installation point to local machine under directory C:\WINNT\system32.
Adprep copied file D:\Win2003SRV\I386\sch19.ldf from installation point to local machine under directory C:\WINNT\system32.
Adprep copied file D:\Win2003SRV\I386\sch20.ldf from installation point to local machine under directory C:\WINNT\system32.
Adprep copied file D:\Win2003SRV\I386\sch21.ldf from installation point to local machine under directory C:\WINNT\system32.
Adprep copied file D:\Win2003SRV\I386\sch22.ldf from installation point to local machine under directory C:\WINNT\system32.
Adprep copied file D:\Win2003SRV\I386\sch23.ldf from installation point to local machine under directory C:\WINNT\system32.
Adprep copied file D:\Win2003SRV\I386\sch24.ldf from installation point to local machine under directory C:\WINNT\system32.
Adprep copied file D:\Win2003SRV\I386\sch25.ldf from installation point to local machine under directory C:\WINNT\system32.
Adprep copied file D:\Win2003SRV\I386\sch26.ldf from installation point to local machine under directory C:\WINNT\system32.
Adprep copied file D:\Win2003SRV\I386\sch27.ldf from installation point to local machine under directory C:\WINNT\system32.
Adprep copied file D:\Win2003SRV\I386\sch28.ldf from installation point to local machine under directory C:\WINNT\system32.
Adprep copied file D:\Win2003SRV\I386\sch29.ldf from installation point to local machine under directory C:\WINNT\system32.
Adprep copied file D:\Win2003SRV\I386\sch30.ldf from installation point to local machine under directory C:\WINNT\system32.
Adprep copied file D:\Win2003SRV\I386\dcpromo.cs_ from installation point to local machine under directory C:\WINNT\system32\debug\adprep\data.
Adprep copied file D:\Win2003SRV\I386\409.cs_ from installation point to local machine under directory C:\WINNT\system32\debug\adprep\data.
Adprep successfully made the LDAP connection to the local domain controller SRV01.
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
LDAP API ldap_search_s() finished, return code is 0x0
Adprep successfully retrieved information from the local directory service.
Adprep successfully initialized global variables.
[Status/Consequence]
Adprep is continuing.
ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later). QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption.
For more information about preparing your forest and domain see KB article Q331161 at http://support.microsoft.com.
[User Action]
If ALL your existing Windows 2000 domain controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=UID,CN=Schema,CN=Configuration,DC=DOM,DC=SRV-MH,DC=com.
LDAP API ldap_search_s() finished, return code is 0x20
Adprep successfully determined whether Microsoft Windows Services for UNIX (SFU) is installed or not. If adprep detected SFU, adprep also verified that Microsoft hotfix Q293783 for SFU has been applied.
Adprep was unable to upgrade the schema on the schema master.
[Status/Consequence]
The schema will not be restored to its original state.
[User Action]
Check the Ldif.err log file in the C:\WINNT\system32\debug\adprep\logs\20051203132518 directory for detailed information.
Adprep set the value of registry key System\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed to 1
Adprep was unable to update forest-wide information.
[Status/Consequence]
Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.
[User Action]
Check the log file, Adprep.log, in the C:\WINNT\system32\debug\adprep\logs\20051203132518 directory for more information.
schupgr
[ActiveDir] AD Wish list
Hi

I've been asked to contribute to a wish list and was planning on asking for some AD tools - specifically for reporting. I've had a look about, but the prices vary wildly. I know there's no chance of anything that's going to do a great job (Quest) as we're talking ,00's rather than ,000's. :) Trouble is there are a lot of tools out there and often they're doing stuff much of which I can script (or plagiarise :) ), plus the odd extra. Does anyone have good experiences of anything in the ,00's price range that'll report back auditing/stats/security info?

All the best
Danny
RE: re[2]: [ActiveDir] Getting computer name from a username
Hi Shane

Have a look at PsLoggedOn from Sysinternals. It may be what you're looking for.

Cheers
Danny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shane De Jager
Sent: 01 December 2005 11:08
To: ActiveDir@mail.activedir.org
Subject: re[2]: [ActiveDir] Getting computer name from a username

> nt\currentversion\winlogon /v defaultusername

That's not exactly what I was looking for. I have no idea what the computer name is that the user has logged onto. Can you get this from his username?

--
Shane De Jager
Technical Developer
INTERGAGE
High-performance, updateable Web sites
Switchboard +44 (0)845 456 1022
==
www.intergage.co.uk
[EMAIL PROTECTED]

Are you aware of our referral scheme? Learn how you could profit personally from passing us leads. Click here to pass a referral: www.intergage.co.uk/referrals

Email has been scanned for viruses by Altman Technologies' email management service - www.altman.co.uk/emailsystems
RE: [ActiveDir] VBSCRIPT ADSI IADs Get Method
Hi Steve

From Jorge's code, once you have sObjDN you can bind to it with "LDAP://" & sObjDN, then do what you need to each account from there. Seems efficient enough. :)

Cheers
Danny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: 01 December 2005 11:09
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VBSCRIPT ADSI IADs Get Method

I've done this kind of thing but (as Jeremy has said) it seems really inefficient to have to make all those calls. As an example, suppose I have a list of students whose accounts I want to deactivate. I'll get that as a list of sAMAccountNames (because the student ID number is used for their username). I now need to query active directory to get the distinguishedName and then bind to that object to do things to it. For some purposes I know I can use getobject("WinNT://domain/samaccountname") but that isn't always suitable. What I want is something which allows me to specify the sAMAccountName in the LDAP: string.

As a complete aside, is there a reason for the odd capitalisation which always seems to be used for sAMAccountName? SAMAccountName would seem much better?

Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 30 November 2005 20:14
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VBSCRIPT ADSI IADs Get Method

It is possible... you only have to do it another way... query AD for the object that matches a certain sAMAccountName

---
' Domain to search and the account to look up
sDomainDNSW2Kx = "ADCORP.LAN"
ssAMAccountName = "JORGE"

' ADO connection through the ADSI OLE DB provider
Set oConnection = CreateObject("ADODB.Connection")
Set oCommand = CreateObject("ADODB.Command")
oConnection.Provider = "ADsDSOObject"
oConnection.Open "ADs Provider"
Set oCommand.ActiveConnection = oConnection

' SQL-dialect ADSI query that returns the DN of the matching object
sQuery = "SELECT DistinguishedName FROM 'LDAP://" & sDomainDNSW2Kx & "' WHERE sAMAccountName = '" & ssAMAccountName & "'"
oCommand.CommandText = sQuery
Set oResults = oCommand.Execute

' Guard against an empty result set before reading the field
If oResults.EOF Then
    WScript.Echo "No object with sAMAccountName " & ssAMAccountName
Else
    sObjDN = oResults.Fields("DistinguishedName").Value
End If
---

cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of Burkes, Jeremy [Contractor]
Sent: Wed 11/30/2005 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VBSCRIPT ADSI IADs Get Method

Never mind, just found the answer to my own question, and it is no, must use the person's CN, no other attributes are accepted, good to know. Thanks for the potential help.

Jeremy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor]
Sent: Wednesday, November 30, 2005 3:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] VBSCRIPT ADSI IADs Get Method

Everyone,

I am trying to write a VBScript to connect to a user account using the samaccountname attribute to update some info. Is this even possible and if so can someone provide a code sample? I would think it would look something like this for Test in the Microsoft domain:

LDAP://sAMAccountName=Test,OU=Users,DC=Microsoft,DC=COM
or
LDAP://sAMAccountName=Test,CN=Users,DC=Microsoft,DC=COM

Then again, maybe this is not even possible. If not, should I use ADO instead even though I am returning 1 record with each query? Seems an inefficient way to me when I can just use an ADSI pointer.

Jeremy

--
Jeremy Burkes
System Analyst/MIS SPHQ
[EMAIL PROTECTED]
PH: 202-764-1270 Fax: 202-764-1503
RE: [ActiveDir] FSMO role transfer
Hi

I have to agree with Joe. Most of the time we (my colleagues and I :) ) are dealing with the mundane, which scripting makes interesting. :)

Also, a previous poster mentioned career $'s being linked to scripting. Correct me if I'm wrong, but I think the point being made was that the process of learning something like scripting forces you to think about what's actually going on under the bonnet - reading far more technical articles than you may possibly have otherwise (well for me anyway :) ). That move up the curve is what opens doors to $'s, not scripting in itself (not for me though! :) ).

Cheers
Danny

joe, I can't believe you said this.

> Rarely are admins ever really doing hard admin type thinking/troubleshooting work constantly except for the folks who take on escalations from lower level admins.

I stopped reading after this. Sorry. But I've got to cool down first. I've no argument with anything above this line and I concur and understand. BUT This is flat out wrong. Sorry.

YMYMYM
RH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Thursday, December 01, 2005 9:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Wow I feel heat directed at me :o)

A non-scripting admin can not survive very well if at all in a large org unless the org is willing to spend a lot of money for extra admins to cover the overhead of wading through the GUI. Take my last ops position as an example. Three people handling a Fortune 5 AD. Couldn't feasibly be done with the GUI. How long does it take you to enter 100 new subnets? What if you need to expire 8,000 users a day until you have expired all 200,000 users? Is that real admin work or is it clerk work if you are simply clicking on something in a GUI? If I were a manager of a business, I would rather pay a contractor or other service $10 or $15 an hour to click buttons for something like that than pay $40, $60, $100, $150 an hour to someone who is supposed to keep things running.

So back to the 100 subnets question. How long in Sites and Services? Hours? What are the chances of a mistake? High? Now you write a script to do it, how long? Maybe hours to write it and then seconds to minutes to run for ever after? Chances of a mistake? Low for entry, also severely reduced for supplied data if the script has sanity checks in it? Also once in script form it is that much easier to, say, put on a web site and delegate to others to do by entering basic answers to basic questions in a form.

Don't create 100 subnets in a small org? What other items do you do that are no-brainer work that could be scripted? If you didn't have that workload how much other work could you get done? Rarely are admins ever really doing hard admin type thinking/troubleshooting work constantly except for the folks who take on escalations from lower level admins. Possibly this is different in the SBS world and there is no repetitive work being done that isn't better served by a script, I don't have that experience, I would expect however that there is quite a bit that could be scripted or else Susan wouldn't have the "I would rather see something safe from MS than a script from someone in the backroom" attitude.

A saying I have used here in the past that I always used at work is that you can't be too busy cutting down trees to sharpen your axe. It applies both to training and scripting. If you are too busy to do nothing but the work in front of you, you will never see the edge of the forest as you get slower and slower at doing what you are doing. At some point you have to step back and spend some time to make yourself more informed or more efficient. The more time you spend getting more efficient, the more time you have to keep yourself informed and get even more efficient.

Finally scripting requires understanding of how things are working, using the GUI doesn't. Trying to script processes forces a person to learn more about the product they are supporting and could very likely get them to learn enough that the next time they encounter a failure, they fully or at least more fully troubleshoot versus changing things in the GUI until it works.

If you look at an admin making $35k a year versus one making $60k a year versus one making $80k a year versus one making $150k a year versus one making over $240k a year you are probably not looking at a raise in salary because someone knows the GUI better than the others. If you see someone who rose through those salary ranks in say 5 years, it isn't because they knew the GUI keyboard shortcuts. Understanding scripting makes you more valuable both because you can operate more efficiently and because you tend to have a better grasp of how things work because you are forced to learn the details which are covered by the GUI. Not only that, you can troubleshoot better because you have more options available to you. I recently ran into an issue where
Re: [ActiveDir] OT: Licensing compliance SBS
On 11/30/05, Creamer, Mark [EMAIL PROTECTED] wrote: [...] Also, since I don't have any experience with SBS other than a very old version, does a client purchase one CAL that applies to all products utilized on the SBS server, or are there individual CALS for server, Exchange, etc? An SBS CAL includes licensing all products found on the SBS media. For example, with Premium Edition: Exchange, SQL, ISA, etc. ...D List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] 2003 upgrade failure - domain prep was not run, but it was!
On 11/22/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
From your post I see the following:
* RPCLOCATOR service on RADAR is disabled. Set it to STARTUP=MANUAL
* OutBound REPLICATION is disabled on RADAR. ENABLE it. To enable both inbound and outbound: REPADMIN /OPTIONS DC -DISABLE_INBOUND_REPL -DISABLE_OUTBOUND_REPL

Thanks, I will try that.

I assume RADAR is the schema master, you disabled outbound repl, updated the schema and forgot to enable repl. So it could be true other DCs have not yet received the forestprep and domainprep updates.

RADAR has all the FSMO roles. I am not sure that this happened because I inherited this server after the original attempts were made.

By the way: if you have Exchange 2000 you should have fixed the schema before running W2K3 forestprep. If you have Exchange 2000 look at:
* W2K3 ADPREP Command Causes Mangled Attributes in W2K Forests That Contain E2K Servers - MS-KBQ314649 (http://support.microsoft.com/?id=314649)

Exchange 2000 was upgraded to 2003 on this server in July.

To see if forestprep and domainprep did their work see:
o Operations that are performed by the Adprep.exe utility when you add a Windows Server 2003 domain controller to a Windows 2000 domain or forest - MS-KBQ309628 (http://support.microsoft.com/?id=309628)

OK

General info:
o How to upgrade Windows 2000 domain controllers to Windows Server 2003 - MS-KBQ325379 (http://support.microsoft.com/?id=325379)
o Enhancements to Adprep.exe in Windows Server 2003 Service Pack 1 and in hotfix 324392 - MS-KBQ324392 (http://support.microsoft.com/?id=324392)
* Initial synchronization requirements for Windows 2000 Server and Windows Server 2003 operations master role holders - MS-KBQ305476 (http://support.microsoft.com/?id=305476)

I will look at these as well. Thank you for your feedback and prompt assistance, Jorge.
...D
[ActiveDir] 2003 upgrade failure - domain prep was not run, but it was!
Windows 2000 (SP4, all DCs) Server to 2003 upgrade. Forest and domain prep were both run on the root DC. Insert Windows Server 2003 CD and setup cannot continue because domain prep was not run. So, we run domain prep again. Here is a dcdiag and the adprep logs:

DC Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial non skippeable tests
Testing server: Default-First-Site-Name\RADAR
Starting test: Connectivity
. RADAR passed test Connectivity
Testing server: Default-First-Site-Name\TRAPPER
Starting test: Connectivity
. TRAPPER passed test Connectivity

Doing primary tests
Testing server: Default-First-Site-Name\RADAR
Starting test: Replications
[Replications Check,RADAR] A recent replication attempt failed:
From TRAPPER to RADAR
Naming Context: CN=Schema,CN=Configuration,DC=Dom,DC=example,DC=com
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failure.
The failure occurred at 2005-11-17 18:13.07.
The last success occurred at 2005-11-17 17:48.51.
2 failures have occurred since the last success.
The guid-based DNS name 83991b20-390e-411f-9c4b-de24adbff2f0._msdcs.Dom.example.org is not registered on one or more DNS servers.
. RADAR passed test Replications
Starting test: NCSecDesc
. RADAR passed test NCSecDesc
Starting test: NetLogons
. RADAR passed test NetLogons
Starting test: Advertising
. RADAR passed test Advertising
Starting test: KnowsOfRoleHolders
. RADAR passed test KnowsOfRoleHolders
Starting test: RidManager
. RADAR passed test RidManager
Starting test: MachineAccount
. RADAR passed test MachineAccount
Starting test: Services
RPCLOCATOR Service is stopped on [RADAR]
. RADAR failed test Services
Starting test: ObjectsReplicated
Authoritative attribute options on RADAR (writeable)
usnLocalChange = 4294409
LastOriginatingDsa = RADAR
usnOriginatingChange = 4294409
timeLastOriginatingChange = 2005-11-17 18:48.21
VersionLastOriginatingChange = 3
Out-of-date attribute options on TRAPPER (writeable)
usnLocalChange = 2453
LastOriginatingDsa = 279cc9cf-7460-4f3a-bd02-062d5f07676e
usnOriginatingChange = 1363
timeLastOriginatingChange = 2002-01-26 15:55.55
VersionLastOriginatingChange = 1
. RADAR failed test ObjectsReplicated
Starting test: frssysvol
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
. RADAR passed test frssysvol
Starting test: kccevent
An Warning Event occured. EventID: 0x845B
Time Generated: 11/17/2005 18:36:46
(Event String could not be retrieved)
. RADAR failed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0xC0009007
Time Generated: 11/17/2005 18:23:30
Event String: A fatal error occurred while creating an SSL
An Error Event occured. EventID: 0xC0009007
Time Generated: 11/17/2005 18:23:30
Event String: A fatal error occurred while creating an SSL
. RADAR failed test systemlog

Testing server: Default-First-Site-Name\TRAPPER
Starting test: Replications
[Replications Check,TRAPPER] A recent replication attempt failed:
From RADAR to TRAPPER
Naming Context: CN=Configuration,DC=Dom,DC=example,DC=com
The replication generated an error (8456):
The source server is currently rejecting replication requests.
The failure occurred at 2005-11-17 18:38.02.
The last success occurred at 2005-11-17 17:57.38.
4 failures have occurred since the last success.
Replication has been explicitly disabled through the server options.
[Replications Check,TRAPPER] A recent replication attempt failed:
From RADAR to TRAPPER
Naming Context: DC=Dom,DC=example,DC=com
The replication generated an error (8456):
The source server is currently rejecting replication requests.
The failure occurred at 2005-11-17 18:46.54.
The last success occurred at 2005-11-17 18:35.00.
4 failures have
Re: [ActiveDir] 2003 upgrade failure - domain prep was not run, but it was!
On 11/21/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
Are you also running Exchange 2000?

One upgraded from Exchange 2000 (in July) to Exchange Server 2003; same server (not my choice; business decision).

...D
Re: [ActiveDir] Improving your AD's fault tolerance with old hardware?
Thanks for all your feedback guys. I am off to do some promoting, member server promoting that is.

...D
[ActiveDir] Methods to verify GC promotion
Could you please let me know all the ways to verify a DC has been successfully promoted to a GC? For example, will a dcdiag 100% verify this?

Thanks,
...D
[ActiveDir] Improving your AD's fault tolerance with old hardware?
Correct me if I am wrong, but assuming the more DCs you have in your forest, the more fault tolerant your Active Directory will become, is it therefore worth it to use retired, possibly out of (hardware) warranty servers or workstations for this purpose if you are budget-less (to purchase new servers)? In this case, I am referring to orgs with 20-200 AD users. How about GCs and other related AD roles and critical software based services? Same deal?

Thank you,
...D
Re: [ActiveDir] OT: Exchange alternate email address
On 10/4/05, joe [EMAIL PROTECTED] wrote:
One small thing, if the account is disabled, set the associated external account, if the account isn't disabled, don't set it. Also if it is disabled and you set the associated external account, verify that msExchMasterAccountSid gets populated with the SELF SID.

Good points, Joe. One question: how do I verify msExchMasterAccountSid gets populated with the SELF SID?

Thanks,
...D
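One way to run joe's check across every mailbox-enabled user, as an added example that is not from the thread: SELF is the well-known SID S-1-5-10, so a disabled account should carry exactly that in msExchMasterAccountSid and an enabled account should carry nothing. It assumes the ActiveDirectory PowerShell module and that mailbox-enabled users have homeMDB set.

```powershell
# Added example: report msExchMasterAccountSid mismatches for mailbox-enabled
# users. Assumes the ActiveDirectory module; SELF is the well-known SID S-1-5-10.
Import-Module ActiveDirectory
$SelfSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'

function Test-MasterAccountSid {
    # Mailbox-enabled users carry homeMDB; compare each one's enabled state
    # with what msExchMasterAccountSid holds and classify the result.
    Get-ADUser -LDAPFilter '(homeMDB=*)' -Properties msExchMasterAccountSid |
        ForEach-Object {
            $raw = $_.msExchMasterAccountSid
            # The module normally hands SID-syntax attributes back as a
            # SecurityIdentifier; handle raw bytes too in case it does not.
            if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $sid = $raw }
            elseif ($raw -is [byte[]]) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
            } else { $sid = $null }

            if (-not $_.Enabled) {
                if ($null -eq $sid)        { $status = 'Disabled, attribute missing' }
                elseif ($sid -eq $SelfSid) { $status = 'OK (disabled, SELF)' }
                else                       { $status = "Disabled, set to $sid (not SELF)" }
            } else {
                if ($null -eq $sid)        { $status = 'OK (enabled, not set)' }
                else                       { $status = "Enabled but set to $sid" }
            }
            [pscustomobject]@{
                User             = $_.SamAccountName
                Enabled          = $_.Enabled
                MasterAccountSid = $sid
                Status           = $status
            }
        }
}

# Only the problem rows; drop the Where-Object to see everything
Test-MasterAccountSid | Where-Object Status -notlike 'OK*' | Format-Table -AutoSize
```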
Re: [ActiveDir] OT: Additional DHCP server same LAN
Your assumptions were correct. Conclusion: wait for physical LAN to separate. Thanks for everyone's assistance!

...D
[ActiveDir] OT: Additional DHCP server same LAN
Two companies sharing the same physical LAN, IP configuration, Windows 2000 servers, two separate forests, and one DHCP server. In the not so distant future they will separate. In the meantime, is there a way to point the XP Pro clients from CompanyB to a new DHCP server on the same physical LAN through Group Policy or WMI scripting?

Thank you,
...D
[ActiveDir] csvde Import in AD
I am attempting to import Notes contacts into Exchange. Without involving the complexity and maintenance of a Notes connector for this one-time import, it appears as though Microsoft believes csvde is the best bet. So, based on the limited csvde help (from csvde /?) I am left with several critical questions:

1) When csvde -i -f c:\filename.csv is run, where in AD will the contacts be imported when the OU is not specified in the command?
2) When an export is performed, is AD modified or is it a simple copy?

I do not have a test environment available to me this morning, and I am running out of time, so any assistance would be greatly appreciated.

Thank you,
...D
Re: [ActiveDir] Companies splitting - where to start with Active Directory, DNS, DHCP, etc.
On 8/31/05, joe [EMAIL PROTECTED] wrote:
Yes. Someone followed the MS book examples pretty explicitly. :o)

Can I simply break the AD trust and hope it does melt down? :)

Thanks,
...D
Re: [ActiveDir] Companies splitting - where to start with Active Directory, DNS, DHCP, etc.
On 8/30/05, Al Mulnick [EMAIL PROTECTED] wrote:
What is it you need to accomplish then? If they're already separate, what's to separate other than name resolution and DHCP/network services?

From an Active Directory point of view, the AD trust will need to be broken, but I would like to know what it might break - I am new to this specific environment, so I don't know what is currently relying on the trust. DHCP is shared, many AD sites are as well. Shared WAN and firewall, as well as many frame relay connections to remote offices.

Can you get more clarification of the topology? Confirm it's two separate forests and not two separate domains in the same forest (disjointed namespace)?

External trust, non-transitive. How can I confirm these are two separate forests - besides looking in ADDT?

Thanks,
...D
Re: [ActiveDir] Companies splitting - where to start with Active Directory, DNS, DHCP, etc.
On 8/31/05, Al Mulnick [EMAIL PROTECTED] wrote:
Finding the root. I believe it was Dean who posted this a little while back.
... another thought, to determine your forest root in order to validate the DN you're supplying, the following single-line command line syntax will help:
portqry -n <domain name> -e 389 | find "root"
Run that on both domains and compare.

portqry -n dc2 -e 389 | find root
rootDomainNamingContext: DC=Dom,DC=example,DC=org

portqry -n dc1 -e 389 | find root
rootDomainNamingContext: DC=Dom,DC=contoso,DC=com

Safe to say - separate forests?

...D
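The same comparison without portqry, as an added example that is not from the thread: read RootDSE from each DC over LDAP and compare the forest-wide naming contexts. It assumes the DC names dc1 and dc2 from the post and TCP 389 reachability; the decision rule (same rootDomainNamingContext means same forest) is what the quoted one-liner relies on too.

```powershell
# Added example: read RootDSE from several DCs and decide whether they belong
# to one forest, one forest/two domains, or separate forests. Assumes the DC
# names below are reachable on LDAP (389).
function Get-ForestRootOf {
    param([string]$Server)
    # RootDSE needs no bind; it states which forest root, configuration and
    # default domain naming contexts the DC you asked belongs to.
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    [pscustomobject]@{
        Server      = $Server
        ForestRoot  = [string]$rootDse.rootDomainNamingContext
        Domain      = [string]$rootDse.defaultNamingContext
        ConfigNC    = [string]$rootDse.configurationNamingContext
        ForestLevel = [string]$rootDse.forestFunctionality
    }
}

function Compare-ForestMembership {
    param([string[]]$Servers)
    $views = $Servers | ForEach-Object { Get-ForestRootOf $_ }
    $views | Format-Table -AutoSize | Out-String | Write-Verbose

    # Every DC in one forest reports the same rootDomainNamingContext (and the
    # same configurationNamingContext), however different the domain names look.
    $roots   = @($views.ForestRoot | Sort-Object -Unique)
    $domains = @($views.Domain     | Sort-Object -Unique)
    if ($roots.Count -gt 1) {
        "Separate forests: $($roots -join ' vs ')"
    } elseif ($domains.Count -gt 1) {
        "One forest ($($roots[0])), several domains: $($domains -join ', ')"
    } else {
        "Same forest and same domain: $($roots[0])"
    }
}

Compare-ForestMembership -Servers 'dc1', 'dc2' -Verbose
```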
[ActiveDir] Companies splitting - where to start with Active Directory, DNS, DHCP, etc.
Good day to you all,

Two companies that share the same IT staff, NOC, WAN connections (to remote offices), DHCP services, LAN distribution, some DNS, firewall, and an AD trust -- are very shortly separating in more ways than one. I would appreciate any tips or suggestions on where to start planning such a split?

Thank you,
...D
Re: [ActiveDir] Companies splitting - where to start with Active Directory, DNS, DHCP, etc.
On 8/30/05, Phil Renouf [EMAIL PROTECTED] wrote:
Hmm, interesting my gmail now looks like a word edited message. Funny...

Click Plain Text... instead of Rich Formatting. I think.

Can you describe your AD environment a little more?

I am a couple of days into this environment, so don't laugh, but I am pretty sure they are two separate forests with a trust between the two.

Company A head office - approx 70 users. Example client DHCP:
Hostname: A123WRKSTN.dom.example.org
IP: 10.10.10.125
Subnet Mask: 255.255.255.0
Default GW: 10.10.10.1
DHCP Server: 10.10.10.122
DNS: 10.10.10.10, 10.10.10.11

Company B head office - approx 100 users:
Hostname: B123WRKSTN.dom.contoso.org
IP: 10.10.10.212
Subnet Mask: 255.255.255.0
Default GW: 10.10.10.1
DHCP Server: 10.10.10.122
DNS: 10.10.10.10, 10.10.10.11

IE settings:
Company A: isa2000srv
Company B: proxy2.0srv

Outlook settings:
Company A: exchange2000.dom.example.org
Company B: exchange2000.dom.consoso.org

You have two forests with a trust? Is it a Forest trust or an NT4 style trust?

External trust, non-transitive. How can I confirm this (whether or not NT 4 style trust for example) besides looking in ADDT?

You say they share 'some' DNS, can you qualify that a bit better?

I will clarify this tomorrow.

When you say they are going to split, how split are they going to get?

Still in discussion. In the least, layer one of the network will be divided, the AD trust will need to be broken, DHCP and DNS separated.

Will this be a physical split (ie: one company physically moving)? Or will it be more of a logical split with the two still continuing to share some infrastructure?

They are discussing two separate NOCs, because all the servers, switches, firewalls, i.e. all network equipment is in the same NOC. Right now all is calm, but one is suing (three week old news) the other, so all hell could break loose.

Thank you!
...D
RE: [ActiveDir] Latency in Group membership
Hi

We only have one site and a mesh topology. Replication is hourly, but even when we update group membership then force replication the latency still exists. All the DCs are on Gig links!

Cheers
Danny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: 13 July 2005 15:31
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Latency in Group membership

Just curious, how often are you replicating between your sites? And what does your topology look like? We have noticed this type of issue when we make the changes on one of our DCs that doesn't directly replicate to the one that is being authenticated to. So we had to wait one hour for one set of replications to take place and then another 3 for the other set. (We have a really slow link with a DC at one end so we had to do the longer replication time.)

Charlie

-Original Message-
From: McCann, Danny [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 13, 2005 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Latency in Group membership

Hi

There are no apps running on the DCs. The event logs are clean, but there is the occasional directory replication problem (every few days), a single object with "directory busy, will try again later", which will then succeed on the next replication. But they pass all the DCDiag tests.

Cheers
Danny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 13 July 2005 13:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Latency in Group membership

What apps are running on the DCs? Have you checked to be sure that replication is functioning correctly? Event logs clean?

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Wednesday, July 13, 2005 4:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Latency in Group membership

Hi

Recently our domain has begun to show some latency in resolving group membership. I.e. when someone is newly added to a group for access to a particular resource it's now taking much longer than was the norm to resolve that security. It's taking anything from 30 mins to the next day to resolve itself. Logging off and back on again to clear the Kerberos ticket doesn't (usually) solve the problem. I've tested AD and monitored some NTDS performance counters and everything appears to be fine. Network performance is good and there's no great loading on any of the DCs. I'd be grateful if anyone could help me out with some guidance on where to look next.

Thanks
Danny
RE: [ActiveDir] Latency in Group membership
Hi

We do have the odd user who is a member of a large number of groups (~20). How many is too many? Looks like a lot of investigative work required then. Oh well, coffee on and sleeves rolled up!

Cheers
Danny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 14 July 2005 04:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Latency in Group membership

You need to determine what your replication latency is. If the group membership is set on an authenticating DC, you will get it in your token unless there are other issues like having way too many group memberships or something else that causes a Kerberos issue. So again, look at how long your latency is for making a change and seeing it on all DCs.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Wednesday, July 13, 2005 10:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Latency in Group membership

Hi

There are no apps running on the DCs. The event logs are clean, but there is the occasional directory replication problem (every few days), a single object with "directory busy, will try again later", which will then succeed on the next replication. But they pass all the DCDiag tests.

Cheers
Danny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 13 July 2005 13:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Latency in Group membership

What apps are running on the DCs? Have you checked to be sure that replication is functioning correctly? Event logs clean?

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Wednesday, July 13, 2005 4:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Latency in Group membership

Hi

Recently our domain has begun to show some latency in resolving group membership. I.e. when someone is newly added to a group for access to a particular resource it's now taking much longer than was the norm to resolve that security. It's taking anything from 30 mins to the next day to resolve itself. Logging off and back on again to clear the Kerberos ticket doesn't (usually) solve the problem. I've tested AD and monitored some NTDS performance counters and everything appears to be fine. Network performance is good and there's no great loading on any of the DCs. I'd be grateful if anyone could help me out with some guidance on where to look next.

Thanks
Danny
RE: [ActiveDir] Latency in Group membership
Hi

That's a highly likely explanation. Some re-organisation of the groups/membership required then. We're due a spring clean anyway. :) Is an offline Metadata cleanup worthwhile performing?

Thanks to all for the advice. Much appreciated!

Cheers
Danny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: 14 July 2005 10:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Latency in Group membership

My gut says that it is not a member of a lot of groups, but more a group with too many memberships ... If you have too many values for a group (the official soft limit is 5000), then you can get write conflict, or version store issues, that can cause the group membership change to not be applied because of a timing issue or resource issues, that may be temporary. Replication continues to try, and eventually succeeds. This could be an explanation.

Cheers,
BrettSh [msft] SDE

On Thu, 14 Jul 2005, McCann, Danny wrote:

Hi

We do have the odd user who is a member of a large number of groups (~20). How many is too many? Looks like a lot of investigative work required then. Oh well, coffee on and sleeves rolled up!

Cheers
Danny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 14 July 2005 04:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Latency in Group membership

You need to determine what your replication latency is. If the group membership is set on an authenticating DC, you will get it in your token unless there are other issues like having way too many group memberships or something else that causes a Kerberos issue. So again, look at how long your latency is for making a change and seeing it on all DCs.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Wednesday, July 13, 2005 10:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Latency in Group membership

Hi

There are no apps running on the DCs. The event logs are clean, but there is the occasional directory replication problem (every few days), a single object with "directory busy, will try again later", which will then succeed on the next replication. But they pass all the DCDiag tests.

Cheers
Danny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 13 July 2005 13:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Latency in Group membership

What apps are running on the DCs? Have you checked to be sure that replication is functioning correctly? Event logs clean?

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Wednesday, July 13, 2005 4:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Latency in Group membership

Hi

Recently our domain has begun to show some latency in resolving group membership. I.e. when someone is newly added to a group for access to a particular resource it's now taking much longer than was the norm to resolve that security. It's taking anything from 30 mins to the next day to resolve itself. Logging off and back on again to clear the Kerberos ticket doesn't (usually) solve the problem. I've tested AD and monitored some NTDS performance counters and everything appears to be fine. Network performance is good and there's no great loading on any of the DCs. I'd be grateful if anyone could help me out with some guidance on where to look next.

Thanks
Danny
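Two checks that follow from Brett's explanation, as an added example that is not from the thread: list groups whose member count approaches the 5000-value soft limit he cites, and show whether a given group's membership has actually landed on every DC yet (the symptom Danny describes). It assumes the ActiveDirectory PowerShell module; the 4000 warning threshold is a chosen value, not one from the thread.

```powershell
# Added example: find over-large groups and compare one group's membership as
# each DC currently sees it. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-LargeGroups {
    # Groups at or above $MinMembers values in 'member'. 4000 is a chosen
    # warning level below the 5000 soft limit, so a group can be split in time.
    param([int]$MinMembers = 4000)
    # The module performs the ranged retrieval needed to read more than 1500
    # values of a multi-valued attribute, so .Count is the true size.
    Get-ADGroup -Filter * -Properties member, whenChanged |
        ForEach-Object {
            $count = @($_.member).Count
            if ($count -ge $MinMembers) {
                [pscustomobject]@{
                    Group       = $_.Name
                    Scope       = $_.GroupScope
                    Members     = $count
                    LastChanged = $_.whenChanged
                    DN          = $_.DistinguishedName
                }
            }
        } | Sort-Object Members -Descending
}

function Compare-GroupAcrossDCs {
    # One row per DC: how many members that DC holds for the group right now.
    # Differing counts mean the change has not converged; identical counts
    # with the user still locked out point elsewhere (token, Kerberos, client).
    param([Parameter(Mandatory)][string]$Group)
    Get-ADDomainController -Filter * |
        Select-Object -ExpandProperty HostName |
        ForEach-Object {
            $g = Get-ADGroup -Identity $Group -Server $_ -Properties member, whenChanged
            [pscustomobject]@{
                DC          = $_
                Members     = @($g.member).Count
                LastChanged = $g.whenChanged
            }
        }
}

Get-LargeGroups | Format-Table Group, Scope, Members, LastChanged -AutoSize
# Example call for a group named in your own directory:
# Compare-GroupAcrossDCs -Group 'Finance-Share-RW' | Format-Table -AutoSize
```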
RE: [ActiveDir] DFS Client for Mac and UNIX
A while back our Mac guy asked Apple if they could engineer a DFS client and they said they would look into it - same problem as yourself. I don't know what came of it, or if he found an alternative solution, but I'll find out and let you know if anything useful came out of it. He's on holiday at the moment though :).

Cheers
Danny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: 14 July 2005 11:51
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DFS Client for Mac and UNIX

Hey All,

Been a while... Got a problem. I am being tasked to work on an automated provisioning system for network resources. Obviously AD will be the security provider HUB. I would also like to be able to use DFS as the HUB for access to shared network data. The problem is that we have a large contingency of Macs and possibly some Linux / UNIX. I have been searching, and it looks like it might be possible to use SAMBA as a DFS client. Does anyone here have any experience or suggestions on how best to allow alternative clients access to DFS shares?

Thanks in Advance,
Todd Myrick
[ActiveDir] Latency in Group membership
Hi

Recently our domain has begun to show some latency in resolving group membership. I.e. when someone is newly added to a group for access to a particular resource it's now taking much longer than was the norm to resolve that security. It's taking anything from 30 mins to the next day to resolve itself. Logging off and back on again to clear the Kerberos ticket doesn't (usually) solve the problem. I've tested AD and monitored some NTDS performance counters and everything appears to be fine. Network performance is good and there's no great loading on any of the DCs. I'd be grateful if anyone could help me out with some guidance on where to look next.

Thanks
Danny
RE: [ActiveDir] Latency in Group membership
Hi

There are no apps running on the DCs. The event logs are clean, but there is the occasional directory replication problem (every few days), a single object with "directory busy, will try again later", which will then succeed on the next replication. But they pass all the DCDiag tests.

Cheers
Danny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 13 July 2005 13:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Latency in Group membership

What apps are running on the DCs? Have you checked to be sure that replication is functioning correctly? Event logs clean?

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Wednesday, July 13, 2005 4:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Latency in Group membership

Hi

Recently our domain has begun to show some latency in resolving group membership. I.e. when someone is newly added to a group for access to a particular resource it's now taking much longer than was the norm to resolve that security. It's taking anything from 30 mins to the next day to resolve itself. Logging off and back on again to clear the Kerberos ticket doesn't (usually) solve the problem. I've tested AD and monitored some NTDS performance counters and everything appears to be fine. Network performance is good and there's no great loading on any of the DCs. I'd be grateful if anyone could help me out with some guidance on where to look next.

Thanks
Danny
Re: [ActiveDir] Attempting to remove DC - NTDS Replication 2022 Error
On 6/20/05, Tony Murray [EMAIL PROTECTED] wrote:
No. In that case it looks like the two DCs might have conflicting information about how the FSMO roles are distributed. Not sure how that happened. What happens when you run the command against both servers? For example, netdom query fsmo /server:YourDC1 and then netdom query fsmo /server:YourDC2

If that still gives no further clue then consider running DCPROMO again using the /forceremoval switch, as described in the following article.
http://support.microsoft.com/default.aspx?scid=kb;en-us;332199

Good point. Done.

If you use this method then you will need to perform a metadata cleanup, which is described in another KB article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;216498

I will finish this part tomorrow. Thank you very much, Tony.

...D
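Tony's "ask each DC who holds the roles and compare" check, as an added example that is not from the thread, done with the ActiveDirectory PowerShell module so that disagreements stand out automatically. It also reads the fSMORoleOwner of the DomainDnsZones Infrastructure object named in the 1837 event, which netdom query fsmo does not report. It assumes the module is present and that the script runs in the domain being demoted from.

```powershell
# Added example: compare each DC's view of the FSMO role holders and read the
# per-partition infrastructure owner from the 1837 event. Assumes the
# ActiveDirectory module.
Import-Module ActiveDirectory
$Roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

function Get-FsmoView {
    # Ask one DC which servers it believes hold the five roles
    param([string]$Server)
    $d = Get-ADDomain -Server $Server
    $f = Get-ADForest -Server $Server
    [pscustomobject]@{
        AskedDC              = $Server
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Find-FsmoConflicts {
    # A role with more than one distinct holder across the views is exactly the
    # disagreement that makes dcpromo's role transfer fail (event 2022 above).
    $views = Get-ADDomainController -Filter * |
        Select-Object -ExpandProperty HostName |
        ForEach-Object { Get-FsmoView $_ }
    $views | Format-Table -AutoSize | Out-String | Write-Verbose
    foreach ($role in $Roles) {
        $holders = @($views.$role | Sort-Object -Unique)
        if ($holders.Count -gt 1) {
            Write-Warning "$role : DCs disagree -> $($holders -join ' / ')"
        }
    }
    $views
}

function Get-PartitionInfraOwner {
    # Application partitions (DomainDnsZones, ForestDnsZones) each have their own
    # Infrastructure object with a fSMORoleOwner; netdom does not list these.
    param([string]$PartitionDN, [string]$Server)
    $obj = Get-ADObject -Identity "CN=Infrastructure,$PartitionDN" -Server $Server -Properties fSMORoleOwner
    [pscustomobject]@{ Partition = $PartitionDN; AskedDC = $Server; Owner = $obj.fSMORoleOwner }
}

$domainDN = (Get-ADDomain).DistinguishedName
Find-FsmoConflicts -Verbose | Out-Null
Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName | ForEach-Object {
    Get-PartitionInfraOwner -PartitionDN "DC=DomainDnsZones,$domainDN" -Server $_
} | Format-Table -AutoSize
```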
[ActiveDir] Attempting to remove DC - NTDS Replication 2022 Error
Greetings,

I am trying to remove the second domain controller from a 2003 domain, however, when I attempt to remove the DC via dcpromo, I receive the following errors in the event log:

Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 2022
Date: 20/06/2005
Time: 2:28:58 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: MAIL2
Description:
The operations master roles held by the local domain controller could not transfer to the following remote domain controller.
Remote domain controller: \
The local domain controller cannot complete demotion.
User Action
Investigate why the remote domain controller might be unable to accept the operations master roles, or manually transfer all the roles that are held by the local domain controller to the remote domain controller. Then, try to demote this domain controller again.
Additional Data
Error value: 5005 The directory service was unable to transfer ownership of one or more floating single-master operation roles to other servers.
Extended error value: 0
Internal ID : 52497778
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: NTDS Replication
Event Category: Internal Configuration
Event ID: 1837
Date: 20/06/2005
Time: 2:28:58 PM
User: example\exchange$
Computer: MAIL2
Description:
An attempt to transfer the operations master role represented by the following object failed.
Object: CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=LOCAL
Current operations master role: CN=NTDS Settings,CN=MAIL2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=LOCAL
Proposed operations master role: CN=NTDS Settings,CN=exchange,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=LOCAL
Additional Data
Error value: 3
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Re: [ActiveDir] Attempting to remove DC - NTDS Replication 2022 Error
On 6/20/05, Tony Murray [EMAIL PROTECTED] wrote:
Hi Danny
Have you tried the suggested workaround, i.e. to transfer the FSMO role(s) to your other DC and then try DCPROMO again? To find out how the roles are distributed you can run the command: netdom query fsmo

Yes, all the roles have been transferred to the other DC.

To find out more about transfer of roles have a look at the following KB article.
http://support.microsoft.com/?id=324801

If all the roles listed from a 'netdom query fsmo' are on the other DC, does this KB apply?

Thank you,
...D
[ActiveDir] AD DR - replication lag site
I am interested in your thoughts regarding this suggestion for DR:
http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1086805,00.html
(You may need to register.)

Basically it states that you should create another AD site and set the replication for 168 hours.

Thank you,
...D
Re: [ActiveDir] All (Now the definition of a CV)
On 5/9/05, Francis Ouellet [EMAIL PROTECTED] wrote:

> Curriculum Vitae, also known as resume ;-)

1) http://www.google.ca/search?q=define%3ACurriculum+Vitae
2) A CV in North America is much different than a CV in Europe; a CV in North America is not the same as a resume.

...D
Re: [ActiveDir] Odd exchange error
On 5/6/05, John Parker [EMAIL PROTECTED] wrote:

> Hey all
>
> I have an issue with Microsoft Exchange Server 2000 Enterprise running on a Win2K AD box. In the event viewer I keep getting this error message:
>
> Error 0x7da occurred while rendering message 0001-76cb for download for user [EMAIL PROTECTED]
>
> This error is repeating every few seconds when the user has his email client (Outlook Express 6) opened and this goes on since a few ago. It is always the 0001-76cb message. Can I delete that message somehow? How? What does the number 0001-76cb mean and how can I access the specific message?

Send us your event ID #, and then look it up at eventid.net

...D
[ActiveDir] Windows Server 2003 R2 Public Beta now Available
http://blogs.technet.com/windowsserver/archive/2005/05/06/404591.aspx
Re: [ActiveDir] [exchangelist] RE: Password protecting OST
On 5/2/05, Al Mulnick [EMAIL PROTECTED] wrote:

> Agreed that there is little benefit to locking an OST (mirror of your mailbox and is protected by domain credentials inherently).

Yes, there is little benefit if one relies on a password-protected PST (or OST) as the one and only layer of defence. However, there are casual and undetermined attempts to access other people's data, and by password protecting the OST as one of many other layers of defence, you make it that much more difficult; but of course - never impossible.

[...]

> Curious why you ask though. What's the high-level goal?

I simply wanted to know if someone had found a way to password protect an OST like a PST - separate from domain credentials. I am not looking for an elaborate solution or undermining a higher-level goal.

I do appreciate all of your thoughts.

...D
Re: [ActiveDir] How to verify successful installation of additional DC
On 4/24/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> KB http://support.microsoft.com/default.aspx?scid=kb;en-us;298143

Excellent! Thank you all! Good morning to you.

...D
[ActiveDir] How to verify successful installation of additional DC
How can I verify successful installation of an additional domain controller in a 2003 domain? (It used to be one DC, now there are two, but I want to make sure the installation of the second DC was 100% successful.)

Thank you,
...D
Re: [ActiveDir] How to verify successful installation of additional DC
On 4/23/05, Gil Kirkpatrick [EMAIL PROTECTED] wrote:

> Running DCDIAG on both DCs would be a good start.

That would be a good start. :) So I did a dcdiag /f:output.txt

On the original DC:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MAIL1
      Starting test: Connectivity
         ......................... MAIL1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MAIL1
      Starting test: Replications
         ......................... MAIL1 passed test Replications
      Starting test: NCSecDesc
         ......................... MAIL1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... MAIL1 passed test NetLogons
      Starting test: Advertising
         ......................... MAIL1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... MAIL1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... MAIL1 passed test RidManager
      Starting test: MachineAccount
         ......................... MAIL1 passed test MachineAccount
      Starting test: Services
         ......................... MAIL1 passed test Services
      Starting test: ObjectsReplicated
         ......................... MAIL1 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... MAIL1 passed test frssysvol
      Starting test: frsevent
         ......................... MAIL1 passed test frsevent
      Starting test: kccevent
         ......................... MAIL1 passed test kccevent
      Starting test: systemlog
         ......................... MAIL1 passed test systemlog
      Starting test: VerifyReferences
         ......................... MAIL1 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : DOMAIN
      Starting test: CrossRefValidation
         ......................... DOMAIN passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DOMAIN passed test CheckSDRefDom

   Running enterprise tests on : DOMAIN.LOCAL
      Starting test: Intersite
         ......................... DOMAIN.LOCAL passed test Intersite
      Starting test: FsmoCheck
         ......................... DOMAIN.LOCAL passed test FsmoCheck

And on the new DC:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MAIL2
      Starting test: Connectivity
         ......................... MAIL2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MAIL2
      Starting test: Replications
         ......................... MAIL2 passed test Replications
      Starting test: NCSecDesc
         ......................... MAIL2 passed test NCSecDesc
      Starting test: NetLogons
         ......................... MAIL2 passed test NetLogons
      Starting test: Advertising
         ......................... MAIL2 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... MAIL2 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... MAIL2 passed test RidManager
      Starting test: MachineAccount
         ......................... MAIL2 passed test MachineAccount
      Starting test: Services
         ......................... MAIL2 passed test Services
      Starting test: ObjectsReplicated
         ......................... MAIL2 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... MAIL2 passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after
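Reading two of those transcripts by eye is fine once; with more DCs, or when the question is "did anything not pass", it is easier to let a script do it. The following is an added example for this thread, not code from the posts and not a Microsoft tool: a parser for the 2003-era dcdiag text written by dcdiag /f that reports every test that did not pass, per server, partition or forest. The transcript inside it is constructed for the example (the server, partition and forest names follow the post; the failed kccevent test and the frsevent test that never reaches a verdict are made up to show both cases).

```python
"""Summarise a dcdiag transcript: which tests each subject passed or failed.

Added example for the "verify the new DC" thread above; it is not code from
the posts and not part of dcdiag. It parses the text that
"dcdiag /f:output.txt" writes (Windows Server 2003 format, as quoted in the
thread) and reports every test that did not pass, per server, partition or
forest. SAMPLE is a constructed transcript: the failed kccevent test and
the frsevent test with no verdict are made up to show both cases.
"""
import re
from collections import defaultdict

# "Testing server: Site\SERVER", "Running partition tests on : NAME" and
# "Running enterprise tests on : FOREST" all open a new test subject.
SCOPE_RE = re.compile(
    r"^\s*(?:Testing server: [^\\]+\\|Running (?:partition|enterprise) tests on : )(?P<subject>\S+)\s*$"
)
STARTING_RE = re.compile(r"^\s*Starting test: (?P<test>\S+)\s*$")
# Verdict lines look like "   ......................... MAIL2 passed test Replications".
RESULT_RE = re.compile(r"^\s*\.*\s*(?P<subject>\S+) (?P<verdict>passed|failed) test (?P<test>\S+)\s*$")


def parse_dcdiag(text):
    """Return {subject: {test_name: "passed" | "failed" | "no result"}}.

    A test that was started but never got a verdict line (the transcript
    was cut off, or dcdiag was interrupted) is recorded as "no result" so it
    is not mistaken for a pass.
    """
    results = defaultdict(dict)
    subject = None   # DC, partition or forest currently under test
    pending = None   # test that has started but has no verdict yet

    def close_pending():
        if pending is not None and subject is not None:
            results[subject].setdefault(pending, "no result")

    for line in text.splitlines():
        m = SCOPE_RE.match(line)
        if m:
            close_pending()
            subject, pending = m.group("subject"), None
            continue
        m = STARTING_RE.match(line)
        if m:
            close_pending()
            pending = m.group("test")
            continue
        m = RESULT_RE.match(line)
        if m:
            results[m.group("subject")][m.group("test")] = m.group("verdict")
            pending = None
    close_pending()
    return dict(results)


def failures(results):
    """Every (subject, test, verdict) that is not a pass, sorted for a report."""
    return sorted(
        (subject, test, verdict)
        for subject, tests in results.items()
        for test, verdict in tests.items()
        if verdict != "passed"
    )


# Constructed transcript in the 2003 dcdiag layout (not real output).
SAMPLE = """\
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\\MAIL2
      Starting test: Connectivity
         ......................... MAIL2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\\MAIL2
      Starting test: Replications
         ......................... MAIL2 passed test Replications
      Starting test: KnowsOfRoleHolders
         ......................... MAIL2 passed test KnowsOfRoleHolders
      Starting test: kccevent
         An error event occurred (constructed failure for the example)
         ......................... MAIL2 failed test kccevent
      Starting test: frsevent
         There are warning or error events within the last 24 hours after

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running enterprise tests on : DOMAIN.LOCAL
      Starting test: FsmoCheck
         ......................... DOMAIN.LOCAL passed test FsmoCheck
"""

if __name__ == "__main__":
    for subject, test, verdict in failures(parse_dcdiag(SAMPLE)):
        print(f"{subject}: {test} {verdict}")
    # Prints:
    #   MAIL2: frsevent no result
    #   MAIL2: kccevent failed
```

Run it against the real file with parse_dcdiag(open("output.txt").read()). Treating a started-but-unfinished test as "no result" rather than silently ignoring it is the point of the pending bookkeeping: a transcript that stops in the middle of frsevent, as the one above does, should not read as a clean bill of health.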
Re: [ActiveDir] Export and import essential AD objects for new forest
Thank you all for your most helpful responses! You guys are fantastic. Specifically: Jose Medeiros, Ken Jensen, and Ken Cornetet.

Due to time constraints, I think I am going to go with the swing method, so here is my proposed plan of attack:

Temp Server/Server B:
1) Install Windows Server 2003 Standard
2) dcpromo as DC for existing domain
3) Make server a GC
4) Install Exchange Server 2003 Standard - use the exact same naming convention as the production (Server A) server?
5) Migrate mailboxes from production server (Server A) to Server B -- would I simply use the move mailbox function in ESM?
6) Move FSMO roles from Server A to Server B
7) Verify DNS and WINS configuration

Production Server/Server A:
1) dcpromo original server down -- Ken Cornetet, can you please elaborate on this one?
2) Wipe OS clean from Server A, and clean install Windows Server 2003 -- is this safe to do now, Ken?
3) dcpromo as DC for existing domain
4) Make server a GC
5) Install Exchange Server 2003 Standard - use the exact same naming convention as the original production server?
6) Migrate mailboxes from temp server (Server B) to Server A -- would I simply use the move mailbox function in ESM again?
7) Move FSMO roles from Server B to Server A
8) Verify DNS and WINS configuration
9) Install SP1 for Exchange
10) Install SP1 for Windows
11) Install AV software and other misc. software
12) Decide what I want to do with Server B.
13) Now everything should work if Server B was powered down, for example -- correct?

Does this make sense? Hopefully you can move Exchange mailboxes from Enterprise to Standard through the ESM.

Thank you!
...D
Re: [ActiveDir] Export and import essential AD objects for new forest
One follow-up to my last post: Should I be transferring or seizing the FSMO roles during this migration?

Thank you,
...D
[ActiveDir] Export and import essential AD objects for new forest
Temporary small biz config: 1 forest, DC, domain, and Exchange on one physical server - all version 2003.

Core problem: I have to downgrade from Enterprise Edition to Standard Edition (demo turned into production).

My goal: To export all of the essential Active Directory data from the Windows Server 2003 Enterprise Edition, and then import it into a fresh install and dcpromo with the same forest and domain info of Windows Server 2003 Standard.

What have I done so far?
1) Referenced http://support.microsoft.com/default.aspx?scid=kb;en-us;840015 - however, it assumes that the OS and AD do not need to be re-installed - which is what I have to do.
2) Set up a test server on a segmented network with Windows Server 2003 STD + dcpromo with a brand new forest and domain with the same name.
3) From the currently live Enterprise server, I exported AD info via ldifde -f domain.ldf, and then tried to import it on a test server with Windows Server 2003 + new AD with the same domain and forest name. However, the live test import failed on the first line, using the simple examples from ldifde help.
4) Searched a bit, but I guess I really need to find out what exactly I need to export and import - the essential AD stuff to accomplish my goal.

Any assistance would be greatly appreciated.

Thank you,
...D
[ActiveDir] 2003 SP1 DC Disaster Recovery Testing - Reboots after selecting install from Recovery Console
Testing backups. Fresh install of 2003 SP1 and Exchange 2003. Backed up System State and Exchange IS. Purposely destroyed AD, Exchange DBs and deleted System State boot files. Rebooted server; of course, NTLDR missing. So, I boot from the Windows Server 2003 CD, hit R for Repair/Recovery, select C:\Windows as the install, but then it just reboots.

Am I missing something? Have I found a bug in 2003 SP1?

...D
[ActiveDir] Trouble with ldifde - trying to export list of SMTP addresses
,CN=Microsoft Exchange System Objects,DC=testing,DC=local
changetype: add

dn: CN=exchangeV1,CN=Microsoft Exchange System Objects,DC=testing,DC=local
changetype: add

dn: CN=OWAScratchPad{5A6F9B24-8CAA-41CC-94DC-2646461C95ED},CN=Microsoft Exchange System Objects,DC=testing,DC=local
changetype: add

dn: OU=Local Users,DC=testing,DC=local
changetype: add

dn: CN=Danny smith,OU=Local Users,DC=testing,DC=local
changetype: add
Re: [ActiveDir] Trouble with ldifde - trying to export list of SMTP addresses
On Apr 6, 2005 11:06 AM, Burkes, Jeremy [Contractor] [EMAIL PROTECTED] wrote:

> Try this:
>
> ldifde -f smtpaddress.ldf -s myserver -r (objectClass=user) -l ProxyAddresses=SMTP:*

Pretty much the same results from what I can tell; no SMTP addresses listed. I will run a windiff to compare the results, but my eyes are pretty good. :)

Thank you,
...D
Re: [ActiveDir] Trouble with ldifde - trying to export list of SMTP addresses (SOLVED)
On Apr 6, 2005 11:23 AM, joe [EMAIL PROTECTED] wrote:

> Danny, are you sure that is the output from that command? Did you cut and paste that command?

Fresh install of Windows Server 2003 SP1. One AD user account for testing. I am 99.9% sure it's the correct output. I copied and pasted from RDP.

> That filter would only show user objects and the output you show is all objects which would be more of a filter like objectclass=*. I just verified the command you used in my forest and it worked fine except it returned computers and users (as expected from the filter) and didn't return any proxyaddresses (again expected from that command).

That sounds right. To be honest, we played with ldifde in school many moons back, but I am just starting to play with it again today.

> You need to correct these issues. You should change the filter to be
>
> (&(objectcategory=person)(objectclass=user)(proxyaddresses=smtp:*))

Interesting. Makes more sense.

> And you should change the attributes returned to proxyAddresses
>
> So the whole command would look more like
>
> ldifde -f smtpaddress.ldf -s myserver -r "(&(objectcategory=person)(objectclass=user)(proxyaddresses=smtp:*))" -l proxyAddresses

Worked as advertised. Now, how would this (ldifde) compare to your AdFind tool?

> Note that this will filter down to just user objects with proxyaddresses that have smtp in them. Note that it will still return x400 addresses and other values in the proxyaddresses attribute. You can't pick which values you want returned out of the proxyaddresses attrib, it is all or nothing.

I would rather have all in this case, then.

Thank you, Joe.

...D
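Two of the ldifde threads above end at the same place: ldifde hands back whole objects and whole attributes, and what happens next (pulling the SMTP values out of proxyAddresses, or turning a domain export into something ldifde -i will accept in a fresh domain) has to be done on the LDIF file afterwards. The following is an added example serving both the proxyAddresses thread and the earlier "export and import essential AD objects" thread; it is not code from the posts and not part of ldifde. It parses ldifde output (folded lines and base64 values included), separates the primary "SMTP:" address from the secondary "smtp:" ones while discarding X.400 entries, and rewrites user objects as import-ready entries with the directory-owned attributes removed. SYSTEM_ATTRS is this example's assumed list of attributes the DC sets itself, not a list ldifde publishes; extend it for your own data. SAMPLE is a constructed export whose names follow the thread.

```python
"""Post-process ldifde output: split SMTP addresses out of proxyAddresses and
strip the attributes that stop a raw export from re-importing.

Added example for the two ldifde threads above; not code from the posts and
not part of ldifde. smtp_addresses() separates primary ("SMTP:") from
secondary ("smtp:") values after the export, since ldifde returns the whole
attribute. to_import_ldif() drops directory-owned attributes and non-user
objects so an export can be fed back to "ldifde -i" in a fresh domain.
SYSTEM_ATTRS is an assumed list for this example. SAMPLE is constructed.
"""
import base64

# Attributes the directory sets itself; assumed list, extend for your data.
SYSTEM_ATTRS = {
    "objectguid", "objectsid", "usncreated", "usnchanged", "whencreated",
    "whenchanged", "dscorepropagationdata", "memberof", "samaccounttype",
    "pwdlastset", "lastlogon", "lastlogontimestamp", "badpwdcount",
    "badpasswordtime", "logoncount", "distinguishedname", "name",
    "instancetype", "objectcategory",
}


def _split(line):
    """'attr: value' -> (attr_lower, value, False); 'attr:: b64' -> (..., True)."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name.strip().lower(), rest[1:].strip(), True
    return name.strip().lower(), rest.strip(), False


def parse_ldif(text):
    """Parse LDIF into [(dn, {attr_lower: [(value, is_base64), ...]}), ...].

    Folded lines (a leading space continues the previous line) are joined;
    base64 values stay encoded so binary attributes round-trip unchanged.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], None
    for line in unfolded:
        if not line.strip():                  # blank line ends a record
            if current is not None:
                records.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, value, encoded = _split(line)
        if name == "dn":
            dn = base64.b64decode(value).decode("utf-8") if encoded else value
            current = (dn, {})
        elif current is not None:
            current[1].setdefault(name, []).append((value, encoded))
    if current is not None:
        records.append(current)
    return records


def smtp_addresses(records):
    """Map DN -> {"primary": str or None, "secondary": [str, ...]}.

    The tag check is case-sensitive on purpose: Exchange marks the primary
    address "SMTP:" and secondaries "smtp:". X.400 and other types are dropped.
    """
    out = {}
    for dn, attrs in records:
        primary, secondary = None, []
        for value, encoded in attrs.get("proxyaddresses", []):
            if encoded:
                value = base64.b64decode(value).decode("utf-8", "replace")
            tag, _, addr = value.partition(":")
            if tag == "SMTP":
                primary = addr
            elif tag == "smtp":
                secondary.append(addr)
        if primary is not None or secondary:
            out[dn] = {"primary": primary, "secondary": sorted(secondary)}
    return out


def to_import_ldif(records, keep_classes=("user",)):
    """Rewrite records as 'changetype: add' entries that ldifde -i accepts.

    Objects whose objectClass is outside keep_classes are skipped: the domain
    head and built-in containers already exist in a freshly promoted domain,
    and an import that starts with them stops on its first entry.
    """
    wanted = {c.lower() for c in keep_classes}
    out = []
    for dn, attrs in records:
        classes = {v.lower() for v, enc in attrs.get("objectclass", []) if not enc}
        if not classes & wanted:
            continue
        out.append("dn: " + dn)
        out.append("changetype: add")
        for name, values in attrs.items():   # names are case-insensitive in LDAP
            if name in SYSTEM_ATTRS or name == "changetype":
                continue
            for value, encoded in values:
                out.append(f"{name}:: {value}" if encoded else f"{name}: {value}")
        out.append("")
    return "\n".join(out)


# Constructed ldifde export (not real data); names follow the thread.
SAMPLE = """\
dn: DC=testing,DC=local
changetype: add
objectClass: top
objectClass: domainDNS

dn: CN=Danny Smith,OU=Local Users,DC=testing,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Danny Smith
sAMAccountName: dsmith
objectGUID:: 3q2+78r+AAAAAAAAAAAAAA==
whenCreated: 20050406110600.0Z
proxyAddresses: X400:c=US;a= ;p=Testing;o=Exchange;s=Smith;g=Danny;
proxyAddresses: SMTP:danny.smith@testing.local
proxyAddresses: smtp:dsmith@testing.local
proxyAddresses: smtp:danny@testing.local
mail:: ZGFubnkuc21pdGhAdGVzdGluZy5sb2NhbA==
"""
```

Point parse_ldif at the smtpaddress.ldf or domain.ldf file ldifde wrote and write to_import_ldif's result to a new file for ldifde -i. Two caveats a practitioner will hit: the import creates accounts without passwords, so a user exported with an enabled userAccountControl can be refused where password policy requires one, and anything in proxyAddresses other than SMTP/smtp is deliberately ignored by smtp_addresses, which is the post-processing step joe's "all or nothing" remark calls for.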