RE: [ActiveDir] Deleting a subnet on a AD Site
I did, it looks fine, apparently there are no issues coming out of this. Thanks!

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 14, 2004 12:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Deleting a subnet on a AD Site

Sites are a way to define high-speed connected boundaries, i.e. a network site on the same router, a MAN, LAN etc. By defining the site boundaries, you are telling your clients on that site to use this DC as their preferred DC because naturally, it's the fastest one they'll find according to network topology. Having it defined is not a problem if it's not being used, although it's extra baggage. I doubt it's worth dealing with now as it likely doesn't address your problem. Replication partners might affect you if you haven't cleaned those up however.

I should have asked this before, but have you run DCDIAG and NETDIAG on the existing server yet? If so, what were the results?

Al
RE: [ActiveDir] Deleting a subnet on a AD Site
Yep, this is a good reason to supernet your subnets into catchall subnets and associate them with Domain Controller hubs. Basically saying, if you can't find a better match for this client for its IP address, tell it to use resources in the hub site.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Passo, Larry
Sent: Friday, October 15, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Deleting a subnet on a AD Site

While, in general, deleting their subnet will not prevent a client from logging on, they could experience significant delays in doing so. Since the client will not be able to determine which DCs are closest, they could end up trying to be authenticated by a DC on the other end of a slow WAN connection. The purpose of a site is to let the clients know which subnets have fast connections to each other. That way a client can attempt to be authenticated by DCs that can respond quickly. If the client's subnet has been deleted, the client will randomly pick a DC.
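Larry's and joe's points above, as an added example that is not part of the thread: the locator's longest-prefix match of a client address against the subnet table, what happens to clients whose subnet has been deleted, and how a catchall supernet tied to the hub site covers the gap. All subnets, site names, hostnames and log lines are constructed; the log lines follow the shape of the NO_CLIENT_SITE entries netlogon.log records for clients no subnet covers.

```python
"""Subnet-to-site lookup the way the DC locator does it: the client IP is
matched against the subnet objects in Sites and Services and the longest
matching prefix wins. Added example; all data below is constructed."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Three public subnets and one private, as in the original question.
SUBNETS_BEFORE: Dict[str, str] = {
    "203.0.113.0/24": "Old-Public-A",
    "198.51.100.0/24": "Old-Public-B",
    "192.0.2.0/24": "Old-Public-C",
    "10.1.0.0/16": "Head-Office",
}
PUBLIC_SUBNETS = ["203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24"]


def site_for_ip(client_ip: str, subnets: Dict[str, str]) -> Optional[str]:
    """Longest-prefix match of client_ip against the subnet table. None
    means no subnet covers the client: the locator has no site hint and the
    client takes whichever DC answers first (possibly across a slow WAN)."""
    ip = ipaddress.ip_address(client_ip)
    best_len, best_site = -1, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if ip in net and net.prefixlen > best_len:
            best_len, best_site = net.prefixlen, site
    return best_site


def delete_subnets(subnets: Dict[str, str], cidrs: List[str]) -> Dict[str, str]:
    """Copy of the table with the given subnet objects removed."""
    return {c: s for c, s in subnets.items() if c not in cidrs}


def add_catchall(subnets: Dict[str, str], cidr: str, hub: str) -> Dict[str, str]:
    """joe's suggestion: a supernet tied to the hub site. Matching is
    longest-prefix, so more specific subnets still win and the catchall only
    catches clients nothing else covers."""
    table = dict(subnets)
    table[cidr] = hub
    return table


# Constructed lines in the shape of the NO_CLIENT_SITE entries that
# %SystemRoot%\debug\netlogon.log writes for clients no subnet covers.
NETLOGON_LOG = """\
10/14 12:31:05 CONTOSO: NO_CLIENT_SITE: WS-FINANCE 10.2.5.17
10/14 12:31:09 CONTOSO: NO_CLIENT_SITE: WS-SALES 10.2.5.40
10/14 12:32:44 [MISC] unrelated constructed line, must be ignored
10/14 12:33:01 CONTOSO: NO_CLIENT_SITE: LAPTOP-07 10.3.9.2
"""
NO_SITE_RE = re.compile(r"NO_CLIENT_SITE:\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})")


def unmapped_clients(log_text: str) -> List[Tuple[str, str]]:
    """(hostname, ip) pairs the log reports as having no site."""
    return NO_SITE_RE.findall(log_text)


def still_unmapped(log_text: str, subnets: Dict[str, str]) -> List[str]:
    """Hostnames from the log that the table still fails to cover; an empty
    list means the catchall design closed every gap the log shows."""
    return [host for host, ip in unmapped_clients(log_text)
            if site_for_ip(ip, subnets) is None]


if __name__ == "__main__":
    after = delete_subnets(SUBNETS_BEFORE, PUBLIC_SUBNETS)
    print(site_for_ip("203.0.113.7", after))    # None: its subnet is gone
    print(still_unmapped(NETLOGON_LOG, after))  # all three hosts
    fixed = add_catchall(after, "10.0.0.0/8", "Hub")
    print(site_for_ip("10.1.4.9", fixed))       # Head-Office: /16 beats /8
    print(still_unmapped(NETLOGON_LOG, fixed))  # []
```

The NO_CLIENT_SITE entries in netlogon.log are the quickest way to see which clients are already falling through the subnet table before a deletion, and again after a catchall has been added.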
RE: [ActiveDir] Deleting a subnet on a AD Site
You'll be fine. In general, deleting a client's subnet does not prevent them from logging on.

Thanks.
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Meneses, Arturo
Sent: Thursday, October 14, 2004 9:27 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Deleting a subnet on a AD Site

I have a domain that was originally set up in a public network and then was moved to a private one. It has three public subnets and one private in the Sites and Services mmc. Are there any issues deleting the public ones? They're not being used anymore internally.

Thanks,
AM

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 14, 2004 8:08 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Unable to Promote a 2nd DC or Access Group Policy on existing DC

As you were reading this, did you check the dcpromo log on the failed promotion? Are you trying to use the same domain controller name when you promote it? Are all of these domains in the same forest? If so, how's the FRS logs? Any errors?

Al

P.S. GPRESULT.EXE from the reskit will tell you some information of value about the applied policies. Also, have a look at this for some other things to check: http://support.microsoft.com/?kbid=830062 I don't think I'd haul off and just implement this, but it's something to consider. You'll want to test this stuff out before implementing it I'm sure. You may also do well to call Microsoft support and have a more in-depth look of your environment done.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rodney Gardiner
Sent: Wednesday, October 13, 2004 10:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Unable to Promote a 2nd DC or Access Group Policy on existing DC

Al,

I understand the article to a degree. I understand that I am in over my head here. I understand it but just do not seem to be able to get it to work.

* From the article *

To fix the problem:
Make sure that existing domain controllers have applied security policy and that the "Enable computer and user accounts to be trusted for delegation" user right has been granted to the Administrators group (Default Domain Controller Policy / Computer Configuration / Windows Settings / Security Settings / Local Policies). If a domain controller does not have this right, confirm that GPOs have replicated, and then manually apply the policy by typing the following command:

secedit /refreshpolicy machine_policy

NOTE: If the Application event log contains:
Event ID 1704: Security Policy in the Group policy objects are applied successfully.
the GPOs have been applied. If you're in a hurry, stop the Netlogon service on the source domain controller that doesn't have this right, to discover another DC that does.

How do you check what it states to do in the first paragraph of "To fix the problem:"? I do not believe that I can get the second part to work as I do not believe that I can replicate as there is only 1 DC so to speak. Yes, there are other BDC's but they are all WinNT4.0.

Anyway, I tried the secedit /refreshpolicy machine_policy and it stated in the DOS screen to check the app log for any errors etc. Nothing appeared in the apps event log so far and it has been about an hour so I assume that it did not work.

Any further help would be appreciated Al.

Rodney

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al
Sent: Wednesday, 13 October 2004 11:08 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Unable to Promote a 2nd DC or Access Group Policy on existing DC

Yep, it's very likely that the two are related. (Here's a good reference of what's happening when and why I say the two are related: http://www.jsiinc.com/SUBG/TIP3000/rh3034.htm) You need to start by fixing the default policy issues. Deleting the default policy is not necessarily what you want to do, but rather it's the file system you are working on. Re-read that article and see if it makes better sense today. If not, let us know. Meanwhile, is this a single domain environment?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rodney Gardiner
Sent: Wednesday, October 13, 2004 3:22 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Unable to Promote a 2nd DC or Access Group Policy on existing DC

Well, I am hoping someone will be able to help me. I can not dcpromo another Win2000 Server on my network. I was originally able to do this but then active directory corrupted on the 2nd DC. This was then forced removed from being a DC. I used KB332199
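Rodney's question above (how to check what the first paragraph of the KB article asks for), as an added example that is not from the thread: export the DC's effective security policy with `secedit /export /mergedpolicy /cfg <file>` and read the [Privilege Rights] section, where the "Enable computer and user accounts to be trusted for delegation" right appears as the SeEnableDelegationPrivilege key. The .inf excerpt is constructed, and every SID in it other than the well-known Administrators SID S-1-5-32-544 is made up.

```python
"""Check a secedit export for the delegation user right the KB article
names. Added example; the export text below is constructed."""
from typing import Dict, List

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
DELEGATION_RIGHT = "SeEnableDelegationPrivilege"

# Constructed excerpt in the shape of a secedit export. Grantees are listed
# as SIDs prefixed with '*' (plain account names can also appear).
SECEDIT_EXPORT_OK = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeEnableDelegationPrivilege = *S-1-5-32-544
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
"""

# Same export on a DC where the right went to a custom group (made-up SID)
# instead of Administrators.
SECEDIT_EXPORT_BAD = SECEDIT_EXPORT_OK.replace(
    "SeEnableDelegationPrivilege = *S-1-5-32-544",
    "SeEnableDelegationPrivilege = *S-1-5-21-1111-2222-3333-1105")


def parse_privilege_rights(inf_text: str) -> Dict[str, List[str]]:
    """Return {privilege: [grantees]} from the [Privilege Rights] section.
    The leading '*' on SIDs is stripped so SIDs and names compare uniformly."""
    rights: Dict[str, List[str]] = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # new section header
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        grantees = [g.strip().lstrip("*") for g in value.split(",") if g.strip()]
        rights[key.strip()] = grantees
    return rights


def delegation_right_ok(inf_text: str) -> bool:
    """True when Administrators hold SeEnableDelegationPrivilege. A missing
    key means nobody holds the right, which is the condition the article's
    first paragraph says to fix."""
    holders = parse_privilege_rights(inf_text).get(DELEGATION_RIGHT, [])
    return ADMINISTRATORS_SID in holders


def report(inf_text: str) -> str:
    """One-line verdict with the next step the article gives."""
    holders = parse_privilege_rights(inf_text).get(DELEGATION_RIGHT, [])
    if delegation_right_ok(inf_text):
        return f"OK: {DELEGATION_RIGHT} granted to {', '.join(holders)}"
    return (f"MISSING: {DELEGATION_RIGHT} held by {holders or 'nobody'}; "
            "confirm GPO replication, then run: secedit /refreshpolicy machine_policy")


if __name__ == "__main__":
    # On a real DC: secedit /export /mergedpolicy /cfg C:\dcpolicy.inf, then
    # open that file with encoding="utf-16" (it is written as Unicode).
    print(report(SECEDIT_EXPORT_OK))
    print(report(SECEDIT_EXPORT_BAD))
```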