Hi,
I have a domain titi.com with a sub-domain toto.titi.com, a user usertiti on
domain titi.com and a user usertoto on domain toto.titi.com.
I set usertiti as manager of usertoto and usertoto as manager of usertiti.
When I look at the usertoto and usertiti entries in the directories, I have:
-
The manager attribute is replicated between GCs as part of the Partial Attribute Set.
The directReports attribute isn't. Whether you see it or not will depend on the
domain of the DC you are querying.
Tony
-- Original Message --
From:
Thanks Tony !
But, I don't query the Global Catalog but the whole directory itself.
I connect the DC of the titi.com domain to see the usertiti user and I connect the
DC of the toto.titi.com domain to see the usertoto user.
Is it so because toto.titi.com is a sub-domain of titi.com ?
If you really want/need it to be replicated to the GCs, you can use the
Schema snap-in, and check the box in front of 'Replicate this attribute to
the Global Catalog'.
Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB
Principal Advisor
Folks,
I'm looking for input to a debate we're having over whether or not
to root our campus Active Directory at gla.ac.uk (which is our public
internet persona) or at some other point such as ad.gla.ac.uk (which creates
a pseudo department in local terms) or gla.ac.uk.local.
The
Mmmh. I believe this is where the Infrastructure Master comes into the picture. I'm a
bit rusty, but here goes.
The IM is responsible for maintaining references from objects in its own domain to
objects in other domains. We know that member (forward) and directReports (backward)
are
Post in haste, repent at leisure
I've said member (more than once) below when I should have said manager.
-- Original Message --
From:
Reply-To: [EMAIL PROTECTED]
Date: Thu, 10 Jun 2004 05:48:33 -0400
Mmmh.
Bitter experience? Perhaps not bitter, but having seen (and tried) many
attempts to integrate Active Directory with BIND, I would say that is not
the way you want to go if you want a stable environment. It's not that it
can't be done, it's that it's not a good idea in most situations I've seen
Having Successfully Integrated W2K3 AD with BIND DNS at our public Internet
DNS Name, I can say it can be done without much pain. I choose to go with
Bind for all the DNS work rather on the internal network than delegate the
_srv record zones to Win/AD DNS. Our environment does not use dynamic
Hi,
I did recheck that and the result is that the group is listed in there, and
under the local policy setting there is no check in the box but there is one under
the effective policy setting column
So the problem should be elsewhere.
Thanks
Michel Bruyere
Network/systems
Ken,
I guess it's the definition of magic here *grin*
Taking raid sets from one machine to another (with an already existing RAID
set), mounting that new RAID set, performing some tasks, passing that raid
set through a third machine, bringing it back to the original server (with
changes
Title: RE: [ActiveDir] OT: Compaq Servers
Rick,
I may have been a bit harsh...sorry bout
that.
We did encounter a similar issue with running SS 6.x on
older hardware (like the 3xxx series, 5500, 8000's, G1 series, etc.), and
yes, I blame HP squarely for this. What we basically did is pull the
They manually enter a records? You are certainly the exception to most of
the implementations I've seen where data input error was a big issue and
name resolution was chaotic. It turned out that delegating the zones and
even zone transfers was much cleaner and easier to implement for those
I talked our web developers into moving the phone list from sql to AD. They
are asking me for any resources I have to get them started. For example the
user and contact schema. They are also looking for any good sites to get
them started pulling from AD.
Thanks, jb
All,
We are in the process of constructing a Lab to mimic the production AD
system as closely as possible. Doing a full DR into this environment is
certainly an option, however we have been looking into simply migrating the
AD structure and using this as a test bed to cleanup AD (OU's, objects,
Bring up a new DC..
Take it off the production domain and into the lab... Seize the roles?
You will have to do some clean up but it's the easiest way if it's not
going to be linked to your production domain.
Rob
-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: 10
But then you should clean up your production AD to remove mention of the
DC that isn't there anymore.
http://support.microsoft.com/?id=216498
-Original Message-
From: Rutherford, Robert
[mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 8:21 AM
To: [EMAIL PROTECTED]
Subject: RE:
What development platform are they working with? Classic ASP, .NET,
something else?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Thursday, June 10, 2004 10:54 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD Phone list
I talked
This situation holds a lot of promise for DCs running on virtual servers. I
know it's come up on the list before, and we have done some testing but
haven't rolled it into production yet. Basically, build a DC on a virtual
server; you can set it up with replication latency and other abnormal
I need to know when the Domain Admin Group has a user added to it or at
least have that operation audited, is there any way to perform this with GPO
or something built into win2k server.
Thanks,
Aaron Visser
List info : http://www.activedir.org/mail_list.htm
List FAQ:
If you want to make sure that no one is added to the group you could
make the group a Restricted Group via a GPO.
If you want to know when a user is added to the group, you could use a
GPO to turn on auditing of Account Management but then you would have
to search the audit logs of all of the DCs
Classic ASP
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
Sent: Thursday, June 10, 2004 11:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Phone list
What development platform are they working with? Classic ASP, .NET,
something else?
Here is his current code and error:
___
The error 0x80004005 Unspecified Error occurs when I try to query for
various items. I've added otherphone to this code as an example. The error
occurs on line 18: objRS.Open strSQL, objConn, 1, 1.
Seems someone doesn't follow the KISS method :)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 11:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Debate over 'split horizon' DNS
It' 6000+
If you simply want:
Same users\groups
Same OU structure
Same GPO's
I highly suggest you look at GPMC (group policy mgmt console) scripts...
CreateEnvironmentFromXML.wsf
CreateXMLFromEnvironment.wsf
-steve
- Original Message -
From: Glenn Corbett [EMAIL PROTECTED]
To: [EMAIL
His error comes from the strSQL building he's doing (mostly :)
Here's a modified version that works in my environment based on the code you
presented. The wscript.echo command is just to put the data on the screen.
I also didn't spend any time with the attributes she was looking for such as
I think it was the KISS method at the time it was deployed. Probably made
more sense to leave it since it was working. I would have most likely. ;)
Al
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, June 10, 2004 2:19
Looks like he's setting the connection string to something
inappropriate:
snip
strConn = "Active Directory Provider"
objConn.Open strConn
/snip
Should read more like:
snip
strConn = "LDAP://mydomain.com/DC=mydomain,DC=com;"
objConn.Open strConn , strUserName , strPassword , 0
/snip
Paul
0x80004005 is 99.9% of the time caused by permissions issues.
Make sure that it's running under a user context with enough permissions
to execute the query.
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
As someone pointed out to me off-list - you probably don't need to
specify the domain in both formats, it's just a habit of mine that
seemed to resolve some issues for me a while back, but I don't remember
why I do it now.
Paul
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
(Man, Tony's gonna get really mad at me for being so continuously
off-topic. :-) But this is my List full of really smart people, so I
keep coming to you guys for non-AD-specific stuff that I can't figure
out.)
Scenario:
I work for a major university, and each fall we offer Back-to-School
It works well, we have done it. We took a DC from our root domain, plus DCs
from two of the (four) child domains. If you have multiple domains, I
would suggest that you make sure your DCs are GC servers before you take them
offline. This caused us a few difficulties when we tried to make the
From my MSMQ friend to me..
snip, with some cleanup edits
1. A queue will only get empty if he actually writes a program that
empties it. He should investigate why his program is not receiving all
messages out of the queue.
2. If he wants to empty out the old messages but keep the queue, he
We have some homegrown stuff that monitors specified groups and sends an
email nightly if anything changes. Been doing that for quite some time.
An example of one easy approach is at
http://www.winnetmag.com/WindowsScripting/Article/ArticleID/38400/38400.html
Sure you can audit it with built in
you have different options when you're trying to implement the exact
same namespace in a physically separated lab, or when you want to
integrate your lab into the production network, choosing a different
domain name.
For the first option you can go the clone DC or grab DC method as
described in
don't use the Restricted Groups feature on domain groups, especially
domain admins. This has caused various issues for companies and thus
they've backed away from this approach. However, using restricted
groups on member servers and clients works well.
\Guido
-Original Message-
From:
first of all, if titi.com and toto.titi.com are real names, then I'd
switch jobs - this would drive me crazy ;-)
Rgd. adding the directReports to the PAS: that would be nice, but isn't
possible for the backlinks of linked attribute-pairs - this is the case
here for the directReports attribute =
you may not be using a GC query, but the directReports backlink is still read from the
same linktable on a DC when it is also a GC.
in your scenario, the DC used to lookup the titi.com user must have been a GC and
the other one a normal DC. This has nothing to do with the domain hierarchy.
Tony, as just mentioned in my other post, this is not an IM topic, as this is about
visibility of backlinks (which are not influenced by the IM).
Backlinks are only visible on DCs, which host the naming context of the object with
the forward link (i.e. for directReports this would be those,
if your test clients are all win2k/xp, you could also use the
NT4emulator registry key on the server to prevent the machine from
accepting the Kerberos auth. protocol = win2k/xp clients will search
for other DCs that allow kerb.auth. (check MS Q298713)
initially the key was added to prevent the
How about this instead of piping it to a file, put it to an xml/html
file?
http://www.jsiinc.com/subo/tip7300/rh7340.htm
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Thursday, June 10, 2004 8:54 AM
To: '[EMAIL PROTECTED]'
Subject:
I'm curious, do you have any more details?
-Original Message-
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security
don't use the Restricted Groups feature on domain groups, especially
domain
More Details
Win2k Servers 1 Root Server with another one for redundancy, 1 ISA Server, 1
Server for Teacher Data, 1 Server for Student Data
Win2003 Servers 1 for Office Staff
And the fun begins,
Well the biggest problem I am faced with is that the users (Students) ON the
network are constantly
How do I copy/move local user groups from one win2k server to another?
I don't exactly remember what I wrote when I replied to this elsewhere, so forgive me
if I already told you this:
Try setting a compliant password in the image, and then putting Whatever has to go in
the AdminPassword key to prompt the user.
If this doesn't work, I would suggest engineering
Addusers.exe from the resource kit will dump from one local machine and
import into another.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tashildar,
Dinesh (Cognizant)
Sent: Thursday, June 10, 2004 10:10 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir]
46 matches