RE: [ActiveDir] [OT]Identity Access Mangement
While Calendra Directory Manager does support the Workflow of provisioning it is a bear to install and set up correctly. We attempted a POC with three BMC people on-site and in four days we could not get the product installed correctly. After that we decided to develop our own internal tool which mimics the legacy Control/SA Workflow tool.

Chris Ryan
The Kroger Company
Corporate Information Security
[EMAIL PROTECTED]
Office (513) 698-1935
Cell (513) 623-5362

From: Blodgett, Candace
Sent: 05/25/2006 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT]Identity Access Mangement

I have a fair amount of experience with Active Roles. Although it helps our company with our AD delegation and permissions, we are looking at a separate product for identity management and workflow provisioning. For these purposes you are looking for supports workflow approval, self service and Meta Directory services I would say it supports self service and delegation mostly.

Candace

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, May 25, 2006 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT]Identity Access Mangement

You two need a room? :)

Mark, can you give more information? I know Quest has something that might be of interest, but more detail might be needed to better understand. In the meantime, check out their ActiveRoles product. There are several others, but that's one that jumps to mind based on the way you describe it.

MIIS? Hmmm, did you also get cookies with the kool-aid? Did you feel really sleepy right after but just attribute it to sugar rush? Did the back of your neck sting or itch a little when you woke up? ;-)

Don't get me wrong, MIIS has a place, but it can be a real PITA to get working. It's a significant investment in time and resources and it's not well understood in the industry. I can't begin to count how many environments I've been in and seen the services running and that's about it. Some real basic consuming of information and then nada. Nothing more.

-ajm

On 5/25/06, Carlos Magalhaes [EMAIL PROTECTED] wrote:

They changed it again (Just checked and you're 100% right :))

C

Tomasz Onyszko wrote:

On Thu, 25 May 2006 11:53:43 +0200, Carlos Magalhaes wrote:

Not yet no but we both know that's in the pipeline for SP2. I still would like to know why MIIS was not an option.

C

Workflow is not included in SP2, some solution is planned in Gemini time frame

--
Tomasz Onyszko
http://www.w2k.pl/ (PL blog)
http://blogs.dirteam.com/blogs/tomek (EN blog)

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Merging two domains
Migration Manager for Active Directory from Quest will allow you to migrate objects from the external domain without setting up a trust. I believe you do need to be running 2003 in the source domain as it stores information in ADAM during the migration. Check out the URL below.

http://wm.quest.com/products/migrationmanagerad/

From: Almeida Pinto, Jorge de
Sent: 08/06/2005 02:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Merging two domains

yeah... this is also the first thing I thought. I also thought of something else. Will those users ever need to access their old resources? (like mail, files, etc.) If no access is allowed how are you going to do that? Exmerge all mailboxes into PSTs and burn files on DVD or something like that?

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Sat 8/6/2005 7:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Merging two domains

Interesting issue. SIDHistory is not much of an issue, obviously. Apparently, the users won't have access to the old forest, so it's of little value. I would suspect, as a 'from the hip' approach - given your limits you really only have a .ldf or a .csv dump of the accounts that are to become a part of your domain. However, if you aren't going to be allowed any access to the old forest, then there is no reason to think that the users would be any more than newly created principals, along with the computers that you might acquire. Dump the information, but I wouldn't get too terribly concerned about what is coming with them. Other than name, logon name, samAccountName, there isn't much that you can use.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Saturday, August 06, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Merging two domains

We have an external domain that we will not be allowed to set up a two way trust with, not be allowed to migrate users from, etc. Basically it's a partial domain import from one domain to our current Win2k3 domain. Getting access to the external domain is out of the question since the external domain is not currently ours. Part of it will become ours. Are there any alternative ways to import or migrate users from an external domain? I understand SID history and all the nice things that go along with it (profile migrations, etc) will not work. What about doing some type of an LDIFDE export and import? Will that at least get us the account creations? What other alternatives are there to have the least end-user impact when changing their domain? Any documents out there outlining this?

Thanks to all.

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Chris Ryan is out of the office.
I will be out of the office starting 07/28/2005 and will not return until 08/02/2005. I will be out of the office 7/28 - 8/1, I will respond to your message when I return.
RE: [ActiveDir] ADMT Group SID History
Thanks Mark and Guido, that was the problem. Everything is working great now.

Chris

From: Grillenmeier, Guido
Sent: 07/12/2005 05:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADMT Group SID History

yep, sounds just like the source-domain's SIDs are being filtered when the resource is still in the source domain (external.dev). Realize that you only need to disable SID filtering on the trust in the source domain - you should leave it enabled on the target domain.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
Sent: Tuesday, 12 July 2005 21:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADMT Group SID History

Have you turned off SID filtering on the Trust?

    NETDOM trust DomainX /domain:DomainY /quarantine:No /usero:DomainX\AdministratorX /passwordo:*

The * will cause a prompt for the password.

Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: 12 July 2005 19:53
To: activedir@mail.activedir.org
Subject: [ActiveDir] ADMT Group SID History

All,

I've been following the Sybex book, Mastering Windows 2003, to test an inter-forest migration from external.dev to development.dev using the ADMT. I have not received any errors during the migration and everything appears to be set up correctly; however, I do not think the SID History is functioning properly.

I have a 200 domain named External.dev and a 2003 domain named development.dev. I have a group on External.dev called Accounting and a member of that group named Pete. I have a member server in external.dev, N060MSADDEV4, with a share named Accounting. The Everyone group has been removed from the ACL and the External\Accounting group has been given full control.

I migrate Accounting from external.dev to development.dev with the box checked to migrate SID histories and I receive no errors. The new Accounting group in development.dev should have a SID matching the one on the Accounting group in external.dev and since that group has access to N060MSADDEV4\Accounting any new member of Development\Accounting should be able to access N060MSADDEV4\Accounting. I create a user named Tom in development.dev and place him in the new Accounting group and attempt to connect to the share and access is denied.

If I then migrate N060MSADDEV4 to development.dev and Add the equivalent security references for the target object and leave the source references intact I can then access the share with Tom, but according to the book I should not have to do that. Am I not doing something correctly in this test?
[ActiveDir] ADMT Group SID History
All,

I've been following the Sybex book, Mastering Windows 2003, to test an inter-forest migration from external.dev to development.dev using the ADMT. I have not received any errors during the migration and everything appears to be set up correctly; however, I do not think the SID History is functioning properly.

I have a 200 domain named External.dev and a 2003 domain named development.dev. I have a group on External.dev called Accounting and a member of that group named Pete. I have a member server in external.dev, N060MSADDEV4, with a share named Accounting. The Everyone group has been removed from the ACL and the External\Accounting group has been given full control.

I migrate Accounting from external.dev to development.dev with the box checked to migrate SID histories and I receive no errors. The new Accounting group in development.dev should have a SID matching the one on the Accounting group in external.dev and since that group has access to N060MSADDEV4\Accounting any new member of Development\Accounting should be able to access N060MSADDEV4\Accounting. I create a user named Tom in development.dev and place him in the new Accounting group and attempt to connect to the share and access is denied.

If I then migrate N060MSADDEV4 to development.dev and Add the equivalent security references for the target object and leave the source references intact I can then access the share with Tom, but according to the book I should not have to do that. Am I not doing something correctly in this test?
Re: [ActiveDir] Can a 2003 server be a domain controller in a 2000 domain?
I believe you would still have to prep the forest and the domain in order to even promote a 2003 DC in a 2000 domain.

From: Antonio Aranda
Sent: 07/08/2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Can a 2003 server be a domain controller in a 2000 domain?

I have a 2000 domain with a mix of 2000 and 2003 member machines. There is an offsite where all the member machines are 2003. And I wanted to set up an alternative Domain controller at this site with what is already there. I am in the process of planning and testing the upgrade to a 2003 domain but until then I need a domain controller at this site. So would a 2003 domain controller work in a 2000 domain at least temporarily?

Antonio
RE: [ActiveDir] Effect of change to MaxValRange
Thanks for the feedback. I thought some of the experts would be able to better articulate the consequences of changing that value. I read about it in Eric's Blog and based on the information I had come up with this response to changing the value.

Performance issues include increased processor time to run the query and increased network bandwidth to send unnecessary query results. If the answer to the query is found in the first 1500 results there is no need to send another 2500 records. This setting affects all applications, so if multiple queries are run with an unspecified range it will return all of the results to every query and as more applications begin to use Active Directory for LDAP queries we will feel the performance hit.

I think I was basically right. Thanks for helping me strengthen my point.

From: joe
Sent: 06/17/2005 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Effect of change to MaxValRange

What happens when that isn't enough and they refuse to change again and you have to change your policy once more?

How do you know you hit the limit and you aren't dropping entries? The application surely won't know. It will simply think there were only 4000 values and be done with it. If that attribute is for anything important, that could surely spell disaster for something.

It could break applications that handle ranging but have a hard coded value for how big they think the ranges are. This happened to several applications I heard about as well as my own adfind because the developers (and I) assumed that the range returned would always be a certain size. Hopefully it shouldn't be many now since we got caught out in the 2K to K3 MaxValRange change from 1000 to 1500 but you never know. How the apps break depends on the apps, adfind would display some of the same values multiple times. One app I heard would fault out because it knew there couldn't be duplicate values and would hit them thinking there was a directory corruption issue.

I expect there could be some hit on perf from slight to pretty bad as additional resources would be tied up for every query that hit objects with more than 1500 values.

I am not sure, this isn't something I would ever consider doing outside of playtime in the lab. It is just too dangerous in my opinion. I would consider increasing MaxResultSetSize before I increased MaxValRange and I almost certainly wouldn't ever increase MaxResultSetSize either. I would severely question using that vendor because you don't know what other things they aren't doing correctly for Active Directory. Production AD is not the place to play with crappy directory aware apps. Exchange is more than enough. :o)

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, June 17, 2005 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Effect of change to MaxValRange

All,

What are the effects of changing the MaxValRange value? I have a vendor that does not want to change their code for LDAP queries that exceed this value. I wanted to know what repercussions I would experience if I increase it to 4,000.

Chris
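
The thread above describes clients that break when they assume how many values one ranged read returns. The following is an added example, not code from the thread or from adfind: a constructed simulation of the `attr;range=low-high` reply format showing a client that follows the range the server reports beside one that steps by a hard-coded size. `FakeDirectory`, `fetch_all_values`, `fetch_assuming_fixed_range`, `audit` and the sample DNs are hypothetical names and data made up for illustration; it goes slightly beyond the thread by showing both the duplicated-values and the dropped-values outcome.

```python
"""Ranged retrieval of a multi-valued attribute without assuming a range size.

Constructed simulation: FakeDirectory stands in for a domain controller and
only models the `attr;range=low-high` reply format; it is not an LDAP client.
"""
import re

RANGE_KEY = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$", re.I)


def sample_members(count):
    """Constructed sample data: distinguished names for `count` group members."""
    return [f"CN=user{i:05d},OU=Staff,DC=example,DC=test" for i in range(count)]


class FakeDirectory:
    """Serves at most `max_val_range` values of an attribute per read."""

    def __init__(self, values, max_val_range):
        self.values = list(values)
        self.max_val_range = max_val_range

    def read(self, attr, low, high="*"):
        """Answer a request for `attr;range=low-high`.

        The key of the reply names the range actually served; a high bound of
        '*' means the last value was included. Simplification of this
        simulation: a start offset past the end yields an empty reply.
        """
        last = len(self.values) - 1
        if low > last:
            return {}
        wanted = last if high == "*" else min(int(high), last)
        end = min(wanted, low + self.max_val_range - 1)
        served_high = "*" if end == last else str(end)
        return {f"{attr};range={low}-{served_high}": self.values[low:end + 1]}


def fetch_all_values(directory, attr):
    """Correct client: the next offset comes from the range the server reports."""
    values, low = [], 0
    while True:
        reply = directory.read(attr, low)
        if not reply:
            return values
        (key, chunk), = reply.items()
        match = RANGE_KEY.match(key)
        if match is None or match["attr"].lower() != attr.lower() or int(match["low"]) != low:
            raise ValueError(f"unexpected range reply: {key!r}")
        values.extend(chunk)
        if match["high"] == "*":
            return values
        low = int(match["high"]) + 1


def fetch_assuming_fixed_range(directory, attr, assumed_size):
    """Flawed client: steps by a hard-coded chunk size instead of the served range."""
    values, low = [], 0
    while True:
        reply = directory.read(attr, low)
        if not reply:
            return values
        (key, chunk), = reply.items()
        values.extend(chunk)
        if key.endswith("-*"):
            return values
        low += assumed_size  # wrong whenever the server's limit differs


def audit(values, result):
    """Report how a client's result differs from the true value list."""
    return {
        "returned": len(result),
        "duplicates": len(result) - len(set(result)),
        "missing": len(set(values) - set(result)),
    }


if __name__ == "__main__":
    members = sample_members(3200)
    for limit in (1000, 1500, 4000):
        dc = FakeDirectory(members, limit)
        print(limit, "served range followed:", audit(members, fetch_all_values(dc, "member")))
        print(limit, "assumed 1000 per chunk:", audit(members, fetch_assuming_fixed_range(dc, "member", 1000)))
```

Run against limits of 1000, 1500 and 4000, the first client returns the same 3200 values each time, while the second is only correct when the server's limit happens to equal its assumption.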
[ActiveDir] Virtual Domain Controllers
All,

Is anybody currently running Domain Controllers in VMware or Virtual Server? Have there been any problems with this environment? There is a big push at my company to virtualize every environment but, I am sure Domain Controllers should be virtualized.

One of my biggest concerns is the snapshot feature. I do not have full control over the Domain Controllers and I worry that another Admin will take a snapshot of the DC and make a few changes and if they don't work, revert to the snapshot before the changes. Wouldn't this be the same as using an older ghost image of the DC? I'm just looking for some feedback to see if this is a viable solution.
RE: [ActiveDir] Virtual Domain Controllers
Thanks for all of the responses. I had a chance to look at the KB article on USN rollback and found it very informative. I will get to the white paper when I have a little time. I am still concerned about the Snapshot feature. How do others handle this? Is it possible to turn it off or apply a deny permission to that feature or is it used? Am I off base in worrying about this aspect?

From: Harper, Gary
Sent: 06/16/2005 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

We have a 9 site, 25000 user active directory running on 14 Windows 2000 DCs. We recently converted our last DC to a VM (ESX 2.X) and we haven't had any problems. The only thing is that we needed to allocate 1Gb of memory to every DC. A little high for a VM (IMHO), but still better than using hardware. Other than that, it's been working great.

-----Original Message-----
From: Geary, Simon [mailto:[EMAIL PROTECTED]] On Behalf Of Geary, Simon
Sent: Thursday, June 16, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

There is a white paper about this, it is supported under some strict limitations.

http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 16/06/2005 09:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

All,

Is anybody currently running Domain Controllers in VMware or Virtual Server? Have there been any problems with this environment? There is a big push at my company to virtualize every environment but, I am sure Domain Controllers should be virtualized.

One of my biggest concerns is the snapshot feature. I do not have full control over the Domain Controllers and I worry that another Admin will take a snapshot of the DC and make a few changes and if they don't work, revert to the snapshot before the changes. Wouldn't this be the same as using an older ghost image of the DC? I'm just looking for some feedback to see if this is a viable solution.
RE: [ActiveDir] Security settings not Inheriting
That was exactly right. Thanks for the help!

Chris Ryan
The Kroger Company
[EMAIL PROTECTED]
Office (513) 698-1935
Cell (513) 623-5362

From: Tony Murray
Sent: 05/27/2005 04:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security settings not Inheriting

Sounds like it could be the AdminSDHolder. Have a look at the following articles.

http://support.microsoft.com/?kbid=232199
http://support.microsoft.com/default.aspx?scid=kb;en-us;817433

Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, 28 May 2005 7:52 a.m.
To: activedir@mail.activedir.org
Subject: [ActiveDir] Security settings not Inheriting

All,

I am attempting to delegate full control of one OU to a particular group of Admins. I have run the Delegation Wizard, selected the group, customized a task to delegate permissions to the folder, all existing objects in the folder and the creation of new objects and then selected Full control. I checked the security tab of the OU and the group is there with full control. I checked some of the sub OUs and this group is given full control over them via inheritance.

I am running into trouble with some specific objects. These security settings did not filter down to some groups and users. I attempt to manually give the group full control and it allows me to add them. I check it again a few minutes later and the group is gone. Does anybody know what would cause this? As far as I know there are no scripts or GPOs affecting this OU that would cause this to happen.
[ActiveDir] Security settings not Inheriting
All,

I am attempting to delegate full control of one OU to a particular group of Admins. I have run the Delegation Wizard, selected the group, customized a task to delegate permissions to the folder, all existing objects in the folder and the creation of new objects and then selected Full control. I checked the security tab of the OU and the group is there with full control. I checked some of the sub OUs and this group is given full control over them via inheritance.

I am running into trouble with some specific objects. These security settings did not filter down to some groups and users. I attempt to manually give the group full control and it allows me to add them. I check it again a few minutes later and the group is gone. Does anybody know what would cause this? As far as I know there are no scripts or GPOs affecting this OU that would cause this to happen.
[ActiveDir] OT DNS Entries Disappear
All,

We had a situation yesterday where random A records would disappear from DNS. All of these records were static so should not be affected by scavenging. I do not know why records would disappear other than the restoration of an old backup that did not contain those records. This is a Windows 2000 DNS server with an Active Directory integrated zone that performs zone transfers to 3 BIND servers. Does anybody know why this would happen or how to monitor this type of event?

Chris
RE: [ActiveDir] Citrix
No, it does not have to be on a DC if you change a registry setting on the Citrix servers to point to the TS Licensing server on a member server. If this entry is changed the server will no longer use the discovery process to find the TS licensing server and go directly to the hard coded server.

Chris Ryan
The Kroger Company
[EMAIL PROTECTED]
Office (513) 698-1935
Cell (513) 623-5362

From: Christine Allen
Sent: 05/17/2005 09:20 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Citrix

Thanks. Am I correct that in a 2000 environment it has to be on a DC?

-----Original Message-----
From: Glenn Corbett [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 16, 2005 6:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Citrix

Christine,

Your TS Licensing Server doesn't need to be on a DC (although that's what most people do). Currently have a Windows 2000 Licensing Server running on a DC and a 2003 one running on a member server in a 2k domain, works fine.

G.

Christine Allen wrote:

Yes you do and if it's a 2000 or 2003 domain it needs to be on a DC. Once you install the TS licensing service, you need to call the MS clearing house to activate them.

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 16, 2005 5:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Citrix

If I have citrix installed on a Windows 2000 Server, do I have to also have installed and functioning a Terminal Server License Server? People in my environment that are connecting to citrix from workstations that are in the domain are unable to open up a session, but those outside my org who have an account are able to open up the session. What could be the issue?

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
Re: [ActiveDir] delegation not working on Win2k AD
I would run the delegation wizard at the Domain.com level and delegate the Join a computer to the domain permission instead of creating a GPO. By using the wizard it grants the Create Computer Objects permission on This object and all child objects. Setting this permission at the OU level will allow the user to move computer objects between OU's but not join computers to the domain.

Chris Ryan
The Kroger Company
[EMAIL PROTECTED]
Office (513) 698-1935
Cell (513) 623-5362

From: Mark Parris
To: ActiveDir@mail.activedir.org
Date: 05/17/2005 12:25 PM
Subject: Re: [ActiveDir] delegation not working on Win2k AD

I was under the impression that the setting in the GPO add workstations to a domain was the legacy way of granting such permissions and the correct way was on an OU where the accounts would live would be to grant create and delete computer objects and then grant full control to those objects.

Regards
Mark

-----Original Message-----
From: Medeiros, Jose [EMAIL PROTECTED]
Date: Mon, 16 May 2005 13:44:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] delegation not working on Win2k AD

Hi Michael,

By default everyone in the domain can join up to 10 computers. My only thought is that you may have inadvertently configured the wrong setting and after they added the 10 machines they are now being denied the right to do so. The correct setting is add workstations to a domain.

Sincerely,
Jose Medeiros
Former Vice President and Postmaster NTEA
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bruyere, Michel
Sent: Monday, May 16, 2005 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] delegation not working on Win2k AD

Hi,

I used the delegation wizard to delegate the join computer to the domain task to the technicians group. Everything worked fine until today. For no apparent reason, it gives an access denied to the technicians group members when they try to join a computer to the domain. Nothing has changed on the system, I mean manually. When I go into the security tab, I can see that they have the right to create computer objects. I tried to use the delegation wizard again, but still no go.

Ideas anyone?

Thanks
[ActiveDir] Tracking OU Deletion
Hello All,

We had an OU that was first moved and then deleted from our production environment last night. Below is a list of what we are auditing. My question is, what events should I look for to determine who moved and deleted the OU? Or, am I out of luck as we are not auditing object access success?

Local Policies/Audit Policy

|--------------------------------+------------------|
| Policy                         | Setting          |
|--------------------------------+------------------|
| Audit account logon events     | Success, Failure |
| Audit account management       | Success, Failure |
| Audit directory service access | Failure          |
| Audit logon events             | Success, Failure |
| Audit object access            | Failure          |
| Audit policy change            | Success, Failure |
| Audit privilege use            | No auditing      |
| Audit process tracking         | No auditing      |
| Audit system events            | Success, Failure |
|--------------------------------+------------------|

Chris Ryan
The Kroger Company
[EMAIL PROTECTED]
Office (513) 698-1935
Cell (513) 623-5362
Re: [ActiveDir] Time Sync between Forest Root and Child Domains
Set the time source on your Root PDC with net time /setsntp:SERVERNAME. On all other DC's do not set a time source with net time /setsntp: By not setting a time source the DC's should all default to the Forest Root PDC. Or you can manually set the other DC's to sync with your forest PDC with net time /setsntp:PDCname

From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Date: 04/07/2005 11:33 AM
Subject: [ActiveDir] Time Sync between Forest Root and Child Domains

This should be a simple thing to do, but it's driving me up the wall. Here is what I would like to do:

1) Sync my PDCE in my forest root with a reliable internet time server
2) Have my other domain controllers in the forest root sync with the PDCE
3) Have the PDCE's in my child domains sync with the forest root PDCE

I should be able to do this via Net Time, but so far I am getting no joy. Here is the problem:

1) Windows 2003 root domain
2) PDCE, and all other domain controllers in the root domain, keep synching with the first W2K3 server introduced in the root domain. This happens to be a virtual machine...
3) On the PDCE and all other domain controllers in the root domain, using net time /DOMAIN:(netbios name of our root) does not help. Still synced with this VM.

Any suggestions? This should not be this difficult.

Thanks,
J
Re: [ActiveDir] OT: Anyone installed Windows 2003 (Server) SP1 yet?
I have installed it on some production domain Controllers and have only had one minor problem with McAfee 7.1. I received Event ID 1002 in my system log from DCOM.

    The launch and activation security descriptor for the COM Server application with CLSID {2A6D72F1-6E7E-4702-B99C-E40D3DED33C3} is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

This error was caused by framework.exe every time it tried to download updates. I changed the Launch and Activate Permissions to Default from Customize and the errors stopped. When the permissions were customized it was set to use the system account but it did not work, and I do not know why.

From: Jason B
To: ActiveDir@mail.activedir.org
Date: 04/06/2005 01:56 PM
Subject: [ActiveDir] OT: Anyone installed Windows 2003 (Server) SP1 yet?

Service Pack 1 for Windows 2003 server came out on the 1st of this month... it's a behemoth download at ~325MB and supposedly has a lot of improvements and new features. Has anyone had the fortitude to install it on production servers yet? If so, how's it working out?
RE: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration
Thanks for the explanation, I really appreciate it. This is the first time I have attempted a domain consolidation so I want to be sure I have all the background information. I have a VMware lab environment with production data in it for testing and I will begin testing the products.

From: Jorge de Almeida Pinto
To: 'Nathan Casey' [EMAIL PROTECTED], ActiveDir@mail.activedir.org
Date: 03/23/2005 05:32 PM
Subject: RE: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration

Hi,

In an intraforest migration ADMT actually MOVES the user account by creating a new account in the target domain (new SID, but SAME GUID as the source account) with the SID of the source account in the sIDHistory of the target account. This is a destructive operation as there is no (quick) fallback. The only options for fallback are (only on W2K3) undeleting the source user account (but first delete the target account!!!) and an authoritative restore of the user account in the source domain (but first delete the target account!!!). The main reason for deleting the target account, before restoring the source account, is that they have the same GUID as the source account. In an AD forest (and independent of the AD domain) NO 2 or more accounts can have the same GUID!!! When also doing migrating clients (w2k and w2k3 and wxp) there will be no need to do a profile migration as the GUID does NOT change for each account.

Using ADMT, only in an interforest migration is a NON-destructive operation as source accounts are NOT deleted by default.

If I'm correct Aelita's Domain Migration Wizard creates a new target account with a new GUID, puts the SID of the source account in the NEW target account's sidhistory AND keeps the source account for fallback. One of the caveats here is that you need to do a profile migration.

It depends what's more important in an intraforest migration - fallback for source accounts or easy profile migration. I think the first!

It is still not clear to me if you also have groups in the source domains that also need to be migrated and if these groups also have the same names in all the source domains. Don't forget to define closed sets of security principals if you don't change groups scope otherwise change the group scope to universal sec. The target domain must at least be windows 2000 native to accept sidhistory and universal security groups.

For user accounts you must do a many-to-one migration of user accounts where the sid history of each source account is added to the sidhistory attribute of the target account. With ADMT I think merging user accounts would only work in inter forest scenarios and not in an intraforest scenario as GUID can not be consolidated into one account like this which is possible with SIDs.

From the ADMT readme.doc (see section Subsequent User Migrations Update Group Membership of Target Accounts) group memberships will be migrated to the target whereas target group memberships that do not exist in the source will be preserved. DON'T use the option remove existing members when remigrating groups. I'm not sure though how this works in an intraforest migration scenario.

The most sure thing for you is to create a VMware environment with at least 3 domains (root = target and both childs are source) (each with 1 DC) create some users and groups in all domains. Install trial third party tool like DMW and ADMT and configure accordingly. Create snapshot at this moment. First try ADMT and then the third party tool.

I think in this case a third party tool like DMW would be the way to go. I don't know about NetIQ migtooling but I know DMW preserves source accounts even in an intraforest mig scenario.
Re: [ActiveDir] Enabling Password must meet complexity requirements
Your users will not be immediately prompted to change their password to meet the complexity requirements. They will be forced to use a complex password the next time a password change is required.

From: Greg Felzer
To: ActiveDir@mail.activedir.org
Date: 03/23/2005 08:14 AM
Subject: [ActiveDir] Enabling Password must meet complexity requirements

Does anyone know, if this setting is enabled at the default domain policy, are my users going to get prompted to change their passwords immediately if their current password does not meet the complexity requirements? Or will they be forced to use a complex password when they change their passwords?

Thanks
Greg

Greg Felzer
MCSE NT4, MCSE 2000, CCA, CCNA, CNA
Senior Systems Engineer
Windows Infrastructure and Security Team Leader
Office of the CIO
Medical University of South Carolina
[ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration
We are currently trying to migrate all of our child domains into one single domain. There are 3 child domains, 2 of which are Windows 2000 native and 1 is Windows 2000 Mixed. The target domain is Windows 2003 Native. We plan to use ADMT v2 for the planned migrations.

There were many different project teams, each with a hand in AD, before I arrived. When an account was needed in a particular domain it was just created, even though there were obviously trusts in place. Now I have 1,000's of duplicate user ID's in the target domain.

How would I go about merging the accounts in the child domains with the accounts in the target domain?

Thanks,
Chris
Re: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration
Yes, all of these domains are in the same forest. We have an empty root domain, MSROOT.domain and one tree in the forest, DOMAIN.com and 3 child domains, FM.domain.com, MI.domain.com and RA.domain.com. The forest functional level is Windows 2000 while the domain functional level of MSROOT.domain and DOMAIN.com is Windows 2003. I raised it from Windows 200 Native after the upgrade. The accounts all follow the same naming standard across all domains.

From: Phil Renouf
To: ActiveDir@mail.activedir.org
Date: 03/23/2005 10:21 AM
Subject: Re: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration

Are they all in the same forest? You mentioned child domains so I assume they are, but I just wanted to check. Do the accounts follow the same naming standard across all the domains?

You mention the target domain is Windows 2003 Native, I assume this means Windows 2003 in Win2k Native mode?

Phil
RE: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration
These are the same users in the same forest, but in different domains.

From: Mulnick, Al
To: ActiveDir@mail.activedir.org
Date: 03/23/2005 12:06 PM
Subject: RE: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration

And when you say duplicate names, are they representing different users or the same users from different forests?
RE: [ActiveDir] Handling Duplicate Accounts During domain Migration
I have checked the help files in the ADMT and it appears that it will only replace the account in the target domain with the account in the source domain. As a result, the users will be removed from the groups in the target domain and they will lose access to their applications. I want to combine the properties of both accounts, however, there does not seem to be an option for that, other than to do it manually.

    Replace conflicting accounts

    Changes properties of existing accounts in the target domain to match the properties of the account with the same name in the source domain.

    Note: When using the Replace conflicting accounts option to remigrate and update accounts, the user's group memberships in the source domain are checked. The user is made a member of groups in the target domain if the user is a member of those groups in the source domain. However, the wizard does not remove the user from groups in the target domain that no longer exist in the source domain.

From: Mulnick, Al
To: ActiveDir@mail.activedir.org
Date: 03/23/2005 01:26 PM
Subject: RE: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration

So merge is the correct term then? It's been a while, but I was thinking that ADMT could handle that. Have you checked the help files for merging source to target?

al
Re: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration
I think during an intraforest migration it is a copy, as the source user accounts are left intact and the users can continue to use them. This makes for an easy roll back if something goes wrong. I have not yet looked at using other tools as they, of course, will cost money and this tool is free. Management with the help of a consultant decided that ADMT would be able to do the job.

From: Phil Renouf
To: ActiveDir@mail.activedir.org
Date: 03/23/2005 02:13 PM
Subject: Re: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration

Can ADMT merge between two domains in the same forest? Since intraforest migrations are a move and not a copy I was under the impression that you couldn't merge accounts while doing that. When doing an intraforest migration with NetIQ the option to merge conflicting accounts is not available.

When doing a migration from a domain outside your forest you can absolutely merge accounts with the NetIQ tool, so I would be surprised if ADMT couldn't do that as well.

Phil