Hi all.
New to the list. Roger says this is the group that knows their stuff with
AD. I've got an oddball one that I can't figure out. Sorry for the long post
as a beginning.
Here's the deal. I'm performing a migration from NT 4 domain to W3K AD. New
domain, new hdw, migrate only the necessary
thanks Tony for the reference, but I wasn't involved in
John and Sally's book, which is truly excellent. However, I did inspire
John to add some specific details on Object Level recovery to his AD Disaster
Recovery session - you can download his slides from his web-page (need to
register
Welcome to the list Charlie.
You say that you haven't blown away the trust and recreated it. I would
strongly recommend that you do this first and then rebuild the two way trust
between your W2K3 production domain and your old NT 4.0 domain. Do this
before you go ahead and build the other
Guido, I am definitely interested in this material.
I will be a very glad recipient
GT
- Original Message -
From: GRILLENMEIER,GUIDO (HP-Germany,ex1)
To: [EMAIL PROTECTED]
Sent: Tuesday, October 28, 2003 7:58 AM
Subject: RE: [ActiveDir] Robbie Allen DEC
Don't know if I am jumping the gun once again, but am especially keen to get
hold of the documentation from Microsoft on the delegations of administrative
tasks within Active Directory.
Any news on its availability?
GT
List info : http://www.activedir.org/mail_list.htm
List FAQ:
I'm trying to fix an error with the pony DHCP server in Windows, but in
the section of the detailed instructions from the MS site, I'm getting
an odd alert.
I am trying to force replication from one branch office to another. The
schedule is once every two hours, and I can't be arsed to wait. The
I would build an NT4 BDC on the domain, yank it off the main network and in
the lab promote it to PDC, build another NT4 BDC (so you can retry if the
process is wrong), upgrade the NT4 PDC to W2K, build and promote a fresh W2K
Server. See how the process goes and get familiar with it and run some
In my testing, forcing it still forces it even though that error pops. I
have a little tool (adqueueloop) that will display the replication queue in
near real time and doing that force always throws something into the
replication queue. I was actually quite surprised to see that when working
with
Hey Deji, quick point.
You don't need ADS_UF_PASSWD_NOTREQD set on the machine account. I
approached MS previously on this. Some of their tools do it, and some of
them don't. They are inconsistent but it works fine without it.
joe
_
From: [EMAIL PROTECTED]
[mailto:[EMAIL
the news is, it's not out yet. The review is over and they've got some work
to do now to finish it (e.g. changing the definition of some of the
recommended admin roles etc.). As soon as I know it's out, I'll send a
quick update - my guess is MS is trying to officially release it at ITforum
in
Yeah after thinking about it more it doesn't surprise me though without
testing I don't want to say anymore about my theory and look more silly for
saying things off the cuff.
I don't know of any detailed logging like you are talking about. I wouldn't
be entirely surprised if it wasn't something
This error is by design. This is what you get by default when you try to
force a replication between two DCs in different sites using ADSitSvcs.
However, usually the replication DOES actually occur within the next couple
of minutes. You could use replmon to check whether or not the replication
has
that's when you use the AD Sites Services Snap-In - it only has the
ability to force replication within the same site - I believe this is
because it uses the normal DC notification method, which by default is
disabled between sites.
just use repadmin or replmon from the support tools - this will
Thanks Joe. Where do you get this tool from ?
-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: 28 October 2003 13:54
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Alert when trying to force replication
across sites
In my testing, forcing it still forces it even though
I have the exact issue detailed in this KB article;
http://support.microsoft.com/default.aspx?scid=kb;en-us;306925
I have done exactly what it says there, allowing loads of time for
replication and rebooting etc etc and I still get exactly the same
error. Using ADSIEdit removes the entries from
Title: RE: [ActiveDir] OT: enterprise Spam blocking products
We are using Exchange 5.5 and the version of CDO that comes
with Exchange 5.5 SP4 has problems. Namely for us. The exchange directory name
has to match the AD username, Exchange Alias, and the SMTP address. Which is not
true for
Joe,
Thank you for your suggestions. They are very pragmatic and logical and
most importantly to me, understandable. As soon as possible, we will
consider their implementation and post our results.
Rocky Habeeb
_
-Original Message-
AdQueueLoop is freely available from www.joeware.net on the free win32 c++
tools page.
You can also use repadmin with the /showqueue option but good luck actually
catching the item when it hits the queue... :op That is why I wrote the
tool in the first place.
joe
-Original Message-
Check Joe's excellent web site - http://www.joeware.net/. Specifically
http://www.joeware.net/win32/ under Windows 2000/XP/Windows 2003 Only.
al
Oliver Marshall wrote:
Thanks Joe. Where do you get this tool from ?
-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: 28
Nope, it will do it cross site as well, it just throws the stupid error
message. I was of the same opinion as you until working on the AD FAQ and
actually sat down in a lab environment and tested it. It sticks the
replication request right in the queue just like normal.
joe
-Original
Stuart,
Do you have experience with Espion's Interceptor appliance? It
sounds like a very nice device but I haven't been able to find any reviews
online.
Thanks,
jb
-Original Message-
From: Fuller, Stuart [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 21, 2003 2:05 PM
To:
Thanks Joe and John - good to know!
/Guido
-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Dienstag, 28. Oktober 2003 16:01
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Alert when trying to force replication across
sites
Nope, it will do it cross site as well, it
Hello
What is the difference between "Index this attribute for containerized
searches in the Active Directory" and "Index this attribute in the Active
Directory"?
Thanks.
Raul.
Index for containerized searches permits searching a container rather
than the entire directory. This can be used to improve lookup times for
container searches.
Hope this was what you were looking for?
Cheers!
John
From: Raul Martínez [mailto:[EMAIL PROTECTED]
Sent: dinsdag 28
Hello
I create a new class named doc, this class is the type organizationalUnit.
I have a OU with about 10 OU, and once OU have 4 objects. Its recommend
active the option Index this attribute for containerized searches in the
Active Directory ?
Thanks
Raul.
We had a dirty shutdown on a DC a few days ago, and it
would not boot back up successfully. We called MS PSS
before we took any recovery measures since this was
our first dead DC.
After some initial troubleshooting, MS recommended
that we manually remove the server from AD with
ntdsutil and
Title: Changing Passwords
My company is about to implement a security policy that forces users to change their passwords every 60 Days.
Problem some of our user accounts do not have self listed under security permissions within the ADUC. This user gets access denied when trying to change
For that very reason, I have no inhibitions about using a new name and ip
address. Unless you have a process that is hardcoded to use that IP
address, then I can think of no reason to wait for replication just to get
back to operational stability.
Al
-Original Message-
From: FDiskThePC
This is probably drifting off-topic for the list, so if anyone would rather
that we take it offline that's ok. And I'm not Stuart, but enough people in
our office mix us up that it shouldn't make a difference for the list :-)
There are some things about the Interceptor that I've been very pleased
Greetings,
I am experiencing a problem with
publishing applications through a GPO policy. We are running Windows
2003, in a Windows 2000 Native environment. SMS 2.0 is able to install
the apps from the distribution point, but the Policy does not seem to be
working. I have created an
I don't believe you can publish applications to groups. You'd need to publish it
to the OU which houses the user accounts, and then filter it by giving Read
access to the GPO to the group of users.
--
Roger D.
Are there any errors getting logged?
Are you getting a message saying that
group policies are getting applied successfully?
I had some issues getting a 2003 server to
accept group policies from a 2000 DC. I had to grant some additional domain
permissions.
Getting error messages
I was Hunter in a past life or was it yesterday... :)
Jason - to your specific question about an online review, I can't find one
on the net either. I asked our security guy about this and where he found
out about Espion. He told me that he originally found a review on MSN and
other security
Negative. There are no errors, neither on the client or server.
Clarification: We are running Windows 2003 on all DCs, just in AD 2000
Native.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Damon R. Erickson
Sent: Tuesday, October 28, 2003 12:08 PM
To:
OK, I just gotta share, to vent some of my frustration.
The DNS provider on Windows 2000 (included in the resource kit supplement
and available for download from Microsoft) is NOT compatible with the DNS
provider on Windows 2003! Dagnabit! The CreateZone() and the WriteBackZone() routines
Yeah, she and I got to know each other on this list
(she's one of the folks that convinced me you were worth putting up with as an
MVP - then to nominate you). I know that I've met her in person, but I
can't put the name to the face.
She is a good one, to be sure
Rick
And don't even think about the bugs and memory leaks!
-gil
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, October 28, 2003 1:36 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS WMI
Yep - this is correct. Group Policy is somewhat of a
misnomer, as it really doesn't have anything to do WITH groups, per se. To
publish, it must be done to the containers in which GP can be applied, OU,
Domain, Site.
And, you need Read and Apply Group Policy on the filter for
Ahhh yes, the DNS WMI Provider. What a piece of ..., ok I won't go there
:-) What kills me is that the MSDN documentation has NEVER been
right. Even after they updated it for 2003 it was still wrong. I've
submitted corrections to newsgroups and even to an MS internal docs
Thanks for the info.
I assign to computers specifically, which
is a total hassle to manage.
Steve
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, October 28, 2003 12:56 PM
To: [EMAIL PROTECTED]
Subject: RE:
I believe a GPO was modified by someone with the appropriate 'rights',
but that person did not communicate changes were to be made and now we
see some strange issues
Issues are not the point of this question. Does anyone know of a way to
determine who modified the GPO?
Thanks in advance,
FullArmor FAZAM GPO Auditor... www.fullarmor.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, October 28, 2003 2:26 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir]
I believe a GPO was modified by someone with the
Steve,
Something that has a tendency to escape some folks is that,
like users, you can create a group for Computer Objects as well. Just
because they are computer objects doesn't mean that they can't be in a
group.
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active
Could anyone tell me how to import an LDIF file, from a LDAP directory, to
an AD domain?
I really appreciate it.
Juan
List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
Great, but anything built in to the OS? Anyway I can point a finger at
a DBA that is poking his hands where they do not belong. Please don't
ask why they have rights... aarrgghhh
Shawn
-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 28, 2003
Use LDIFDE...
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wss/wss/sgw_install_ldifde.asp
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Juan Ibarra
Sent: Tuesday, October 28, 2003 2:52 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir]
File and Object auditing on the Sysvol and Policies directory explicitly
should do the trick???...At least this would show who was making
changes. At that point I can confront that person..
Sound correct?
Thanks Gil
Shawn
-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL
We're going from 2 sites to 3 sites. So far, we've used the
DEFAULTSITELINK for simplicity's sake and have the KCC creating replication
links. The only thing we changed was the replication interval to every 15
minutes. With the creation of a 3rd site, plus to allow for future
expansion,
Shawn,
Separate verification that what Gil is telling you is correct. I've needed
to set up just the same to manage some issues with an Admin that had rights
that he really shouldn't have, yet was mandated by management that he have
them. The only way to convince management was to prove that
That was it. I removed the trust, recreated it, and all works perfectly.
Summabeech. You'd think there would be a way to verify this with a tool.
None of the ones I have picked up on it. I played with security settings
till I was blue in the face. Thank god for security templates. Sure makes
I was waiting for BRO and SIS to come along too after MOM and DAD.
Maybe they were too close to BOB and made someone nervous :-)
Diane
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, October 28, 2003 6:28 PM
To: [EMAIL
Shawn-
You can use AD auditing to see changes to a GPO, since any GPO that is
modified touches both the Group Policy Container object in AD as well as
SYSVOL. Using the AD auditing event is a quick and dirty way of finding
out who changed the GPO, although, as Gil mentioned, you can't really
tell