Use the replmon tool which comes with the
support tools... it's a good place to start and will flag up errors. If
you just dump the errors into google you should find a resolution as it's
a common tool. If not then post here.
Also, use DCDIAG (support tools) and dump
any errors into
this
would seem to contradict the concept of authoritative
restore?
that's because of everyone's notion of what you EXPECT an
auth. restore to do and how it is being promised in trainings etc. = "Auth.
Restore" will allow you to turn back the hands of time...
But once you dig into it and
This problem is really killing me
I installed several DELL Windows 2003 terminal servers in a Windows 2003
Active Directory domain. The correct internet settings are configured
through policies. The proxy server is a Windows 2000 ISA server in another
W2K domain. (W2K domain trusts W2K3 domain)
Your DC doesn't have its default gateway pointing to your router, but
your PC does? If you point your DC's default gateway to the router, it
should be able to forward DNS resolution requests to one of the up-level
DNS servers.
I'm presuming that your DC is also your DNS server. If my
I'm not sooo expert as others like yourself, EFleis, and Dean Wells. I
really don't know a repsfrom a repsto ...
Cheers,
-BrettSh
(msft) Janitorial Services
On Tue, 17 Aug 2004, Rick Kingslan wrote:
Heh...take a hiatus from the list, and look who shows up We're getting
quite a good
We actually go one step further than this ... we also if we're in LVR
mode, and the link reference/membership was added post forest mode change,
then we even auth restore restore references. That's sort of merging from
the other angle.
Cheers,
Brett Shirley
(msft) AD Dev
On Tue, 17 Aug 2004,
So does this mean the following:
1.) I will point my DC's gateway to the router.
2.) On the TCP/IP of my DC's NIC I will only put 127.0.0.1 on the DNS
Server and leave the 2nd one blank.
Presuming this is correct, I just have a curious question.
Will the DC be intelligent enough to forward the
You are correct in point 1, but I would use the server's own IP address
instead of 127.0.0.1 in point 2.
When a client PC makes a DNS request, it sends that request to its
primary DNS server. If the primary DNS server is not available, the PC
will send the request to its secondary DNS server.
On your DNS server you will want to configure forwarders to your isp dns
servers.
Pyron
[EMAIL PROTECTED]
Yes I got it. Thanks!
1 Last question...
Since the ISA Server is in the topic.
The setup in my mind would be the ff.
1.) On DC's TCP/IP Settings the DNS Server would be the DC's IP not the
127.0.0.1. The secondary would be left blank.
2.) I would setup the DC's DNS Server to forward to the ISA
What if I have ISA as my Internet gateway?
I would just configure my DC's DNS server to forward to ISA DNS server. Right?
At 09:42 PM 8/17/2004, you wrote:
On your DNS server you will want to configure forwarders to your isp dns
servers.
Pyron
[EMAIL PROTECTED]
I think I know the answer to this but need some reassurance. I have a w2k3
domain and I need to join a w2k box to the domain, I don't have the license
for the upgrade yet. Do I have to run adprep on that w2k machine before I
join it to the domain or can I just run dcpromo and it will get all the
1) That'll be ok
2) What are you using the ISA box for?
Typically I prefer (depends on your setup)...
Having your DC forward out to your ISP.
Having your ISA servers DNS entry as the DC.
Rob
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pyron
So if you have a win2k3 domain, then you've already run forest and domain
prep, or just dcpromo'd it straight up, right? I'll assume so.
If you dcpromo the win2k box as a new domain in the win2k3 domain's
forest, you will later need to run domain prep on the new win2k domain.
If you dcpromo
Would it make sense to change the order of the root hint servers in the
cache.dns file. My thinking is, if the root hints on every Windows DNS is
configured identically, the servers at the beginning of the list will have a
lot more traffic than those towards the bottom of the list.
Robert
All I do is enable forwarders and enter my ISP's DNS servers...
Rob
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Mezzone
Sent: 17 August 2004 15:16
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS for AD Clients
Would it make sense to
Hi Jacob
Is the Win2K box going to be a member server or a domain controller? If it
is a member server, just join it to the domain - you should not have to do
anything else. If it is meant as a domain controller and your domain is
not in W2K3 Functional Domain mode, it again can just be added
So do I, but doesn't it do a root hint if the forwarder isn't able to
resolve the address, or does the forwarder contact the root hint server.
Robert
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Tuesday, August 17, 2004 10:19
I tend to start with
repadmin /showreps
and go from there.
I also have a little perl script that I used to run on 2K
that would use the IADSTOOLS.DLL from the reskit but that seems to have broken
once I jumped to XP and I haven't worked out why yet. The info it gives is
basically the
I can neither confirm nor deny those
accusations...
:o)
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, August 13, 2004 10:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] (hopefully) quick syntax question
Thank you
Joe! You're a
The forwarder deals with it all. It handles everything, i.e. running up
and down the global DNS architecture.
BR
Rob
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Mezzone
Sent: 17 August 2004 15:24
To: '[EMAIL PROTECTED]'
Subject: RE:
I am confused by what you are looking to do in this post...
You could be saying you want to join a 2K machine as a member of a K3 Domain
or you could be saying you want to promote a 2K DC into a K3 Domain. I only
say the latter because of your mention of ADPREP. ADPREP is something you do
with
You should get the repadmin version from ADAM and run:
repadmin /replsum * /bysrc /bydst /sort:delta
It should run fine from any WinXP box joined to your domain. It will not
run from any Win2k box.
I think you will be very pleased.
Cheers,
Brett Shirley
(msft) AD Dev
ADAM:
Does anyone have an
example of using a GPO to copy a file to all machines? I have a screen
saver I am supposed to distribute across the organization and really don't want
to do it manually.
Thanks.
Login script/startup script?
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Gauss
Sent: 17 August 2004 15:53
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPO to copy a
file to all machines
Does anyone have an example of using a GPO to copy a file to
all
Is the host machine listed in the error in any way related to the NT4 trust?
Are you seeing this with multiple machines or are they all for the same
machine?
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, August
This is an out there question but I'm looking for the best way to do something.
I've been asked to come up with a method of turning off wireless cards
when a laptop is in the office and connected to the domain.
Turning on/off the NICs is a straightforward process via a script so
that is not the
Would it be better to run it as a login script for the
machine or the user?
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Tuesday, August 17, 2004 9:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO to copy a file to all machines
Login
I don't have an example but I would recommend doing this in
the computer startup scripts. Just have the script pull the file from wherever.
At this point you are running as localsystem of the machine so you will have the
perms to put it anywhere on the box you like and will be done before
Hi,
Does anyone know a
way of forcing users to use a set screen resolution through Group
Policy?
-Christine
Christine Easton
Citrix/Windows 2000 Engineer
BMC Healthnet Plan
One Design Center Place
Boston, MA 02210
Work: 617-748-6034
Cell: 617-290-4407
Depends upon where the file needs to be copied to. Login
scripts run in the security context of the user, so you are somewhat limited in
terms of what you can do there. Machine startup scripts run under localSystem
but of course, don't have the logged on user's context, if you need it. If
Thanks. I'll give that
a try.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 17, 2004 10:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO to copy a file to all machines
I don't have an example but I would recommend doing this in
the computer
Ok Rick, don't be mad but I have to thump you...
You need to make your posts at least as long as your signature. An 8 line
sig for a 3 line post is crazy insane. Especially when we haven't heard from
you in like months.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
Hi,
In ADAM, is there any means by which we can make a user present
in one application partition (say, dc=abcd,dc=com) appear in
another partition say cn=configuration,cn={guid} ?
Thanks,
Harry
I know this is off
topic, but this does pertain to AD authentication. I know there were serious
vulnerabilities in IIS4/5 for IISadmpwd, but was wondering if the same is true
for IIS 6.0? There are some folks over here that are worried about doing
anything with IIS.
Thanks for the
Someone needs to update a mail filter for the list... Wonder what it keyed
on to make it think this was spam.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, August 17, 2004 10:16 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL
I could test this, but I think someone on this list already knows the
answer. If I create a share and give the computer account read access
to the share. Would I then be able to copy the file without explicitly
giving credentials in the startup script?
Denny
-Original Message-
From:
Brett, I guess you're talking about the restore of back-linked
references (e.g. the memberOf links of a user object), by auth-restoring
the appropriate forward-links (e.g. the member links of the appropriate
groups) during the auth restore of an object (e.g. the user).
yes, that's nice, but it's
You might be able to achieve what you want with Group Policy and WMI filtering. That
would be a more elegant solution.
I haven't tried any WMI filtering, but I know there are people on this list who have.
Guys?
Tony
-- Original Message --
Wrom:
small correction: it's not the USNs that are increased = it's the version
number
and as far as I understand it, an object won't inherit an attribute until
it's used the first time - so only attributes which are populated for
an object will have a version number in the first place.
maybe Brett
Yip.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: 17 August 2004 16:29
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO to copy a file to all machines
I could test this, but I think someone on this list already knows the
Thanks Brett. Did the full documentation on all the switches and options for
repadmin and what they all do and what all the output means ever get created
do you know? :o)
Pretty please. ;o)
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL
Title: small domain upgrade strategy
I have a small non-profit I help out, and they have about 10 users and a single Win2K domain controller. They have purchased a new server, which comes with 2003. They want to get rid of the old server, so I intend to migrate as follows, and just want to
Title: small domain upgrade strategy
You should dcpromo the old win2k server afterwards to
remove it as a DC and then remove it from the domain. You may have already
planned on doing this you just didn't mention it :)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer,
Title: small domain upgrade strategy
Yep, you're
right I need to put that in after the transfer of roles. Thanks for
pointing that out!
mc
From: Travis Riddle
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 17, 2004
1:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]
Title: small domain upgrade strategy
DNS, WINS, DHCP?
Don't forget to mark the new DC as a GC in addition to
transferring the FSMO roles.
The domain and forest functional levels won't get
automatically set to Windows Server 2003, so you will need to do this
too.
Tony
From: [EMAIL
I would first do the power off and add the dcpromo as step 7. If you
power the system off and have forgotten something, it is easy to power
the system back on.
Dennis
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Travis Riddle
Sent: Tuesday,
I don't see any verified backups listed in this strategy... :-)
**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
-Original Message-
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 17,
What vulnerabilities were they specifically worried
about? There were many changes made in IIS6.0 that were meant to address
security concerns but without knowing what they're concerned about specifically
it can be tough to help out.
Al
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Have a question of Ldap queries, was wondering if anyone could help.
If you are trying to do an LDAP query of a user that is located in a sub
ou in a child domain is this correct
Root Domain is Domain.com
Child domain is Child.Domain.com
Organization Unit = Ou1
Under OU1 is SUBOU1
Under
Title: small domain upgrade strategy
Good
additions and advice. Thanks everyone
mc
From: Mulnick, Al
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 17, 2004
1:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] small
domain upgrade strategy
So long as you're
Not far off. Try this:
Cn=user1,ou=subou1,ou=ou1,dc=child,dc=domain,dc=com
One thing you can do is use the subtree search option within LDAP to
search from the root down. If you specify distinguishedName (or 1.1, which
is the OID representation) as one of the attributes to return, you will see
Good to hear from you, Brett. You still as cynical as always? I
hope...
-BrettSh
(msft) Janitorial Services
Yep Not much has changed ;o)
Oh, and for joe
-r
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent:
MSI has the advantage of a) not running on every boot b) fixing anything that gets
deleted, corrupted, etc. I'd spend the extra 5 minutes and make the MSI, personally.
--Brian
-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Tue 8/17/2004 10:15 AM
The filter only actually runs against XP/2k3 clients, so, all your 2000 clients in the
GP's scope get the policy whether you want to or not. I've gotten them to work a
couple times before, but, frankly they've been a bit unreliable for me.
Thanks,
Brian
-Original Message-
Hi,
IIRC the ISAPI extension that was used to provide this functionality originally had
various buffer overflow issues.
I would check this out:
http://support.microsoft.com/?id=331834
Change password functionality replaced with Active Server Pages
Also this:
Thanks for all the pointers I'll play around with them and see
how clean I can make it. Seems like this would be a great security
feature for one of the extremely smart, bright (and I'm sure good
looking) gurus on the list just a thought...
Cheers
On Tue, 17 Aug 2004 21:21:10 -0500,