Kurt - I've put several machines into the same switch and fabric of switches. All devices are on the same VLAN, the default VLAN. Not one machine on the same subnet can ping this box. I even switched ports and statically added its MAC address to the switch.
I ran a trace on the server and noticed
Sharif Naser wrote:
Hello All,
I have around 350 users to be created with their mailboxes in Windows 2003. What is the best way to automate the process or delegate this job to two account operators?
Any suggestions are highly recommended.
There are a number of ways to achieve this, but you
You're right, Joe, that the RODC PAS would complicate things for the developers. The easy solution would be for developers to use the writeable flag when connecting to a DC; then they'd be guaranteed to not get an RODC, but even that isn't a great solution, and if we get the RODC GC it only
RODCs do NOT replicate a subset of objects - right now they basically replicate everything a normal DC has (i.e. the full domain NC, config and schema), less the password hashes of any users.
The OU vs. group discussion was solely around configuring the so-called Password Replication
Not sure if it makes sense, but this could potentially be combined with the confidential flag: RODCs wouldn't cache any confidential attributes unless a Confidential Data Caching Policy would allow them to do so.
The confidential flag is already used by the Digital Identity
Management
I assume you are using WINS and the DCs of child and parent domains are registered there. Therefore the NetBIOS names are resolving.
What happens when you try to ping the FQDN of the child domain server? Does that work? I think your issue is you want the child domain suffix to be appended
Just a quick addition - if suffixes are defined then the default (devolution) behaviour is disabled.
i.e. you can have one or the other and not both!
As a result, you need to carefully pick and choose which suffixes are added - if the host specified is not found using one of the defined
Just as an FYI:
If you specify a suffix search list, it will override the searching done by appending the parent suffix of the primary DNS suffix.
So if you just specify:
domain2.domain1.com
domain3.domain1.com
and not
domain1.com
it will not search domain1.com, since it is not specified in the
All,
We are rounding home base in our upgrade path to 2K3 and have our Exchange Server Cluster running W2K and EXCH2K, and our Domain Controllers to upgrade lastly. Which of them would you think would be the best to upgrade first? We thought to upgrade the DCs first because it takes care of
Check your antivirus software to make sure it doesn't
include some sort of pseudo-firewall feature. Also make sure the built-in
firewall isn't enabled.
From: [EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Monday, July 31, 2006 1:15 AM
To:
Hey - from the machines, I can definitely ping the FQDN. If you have hundreds, even thousands, of workstations, the easiest way to distribute the DNS suffix search order listing is through group policy? If you don't have a WINS server specified and don't have the DNS suffix search order, then name
Another FYI - the Suffix Search List GPO is only available on Windows XP and up OSes.
It was not in Win2000 versions. We had to use scripts/reg keys to manage these back in the day.
Jef Kazimer - http://www.jeftek.com
Date: Mon, 31 Jul 2006 10:46:38 -0400
From: [EMAIL PROTECTED]
To:
Hey - from the machines, I can definitely ping the FQDN.
[Neil Ruston] Indeed - that should always work unless you have basic DNS issues.
If you have hundreds, even thousands, of workstations, the easiest way to distribute the DNS suffix search order listing is through group policy?
[Neil Ruston] Most
I have used a tool called AD Infinitum for this. Granted, it's not free, but it pays for itself with ease of use and features.
Alex
From: [EMAIL PROTECTED] On Behalf Of Sharif Naser
Sent: Monday, July 31, 2006 1:27 AM
To:
We thought about using the confidential
flag as the denotation for the RO-PAS, but that would break too many
applications.
The RO-PAS would only be for applications
that wanted to protect their secrets from replicating to a RODC. DIMS (aka cred
roaming) is a prime example. Most likely
Hi,
Setup: Windows 2003 + Exchange 2003.
My AD + Ex setup is running on different hardware. Now what is the best way to find what types of network cards (and also how many on one server) are installed on all my DCs and Exchange? I need to write a script or a WMI query.
Thanks,
See, that's the limitation that for me would make me wonder whether or not in *my* environments I would want to deploy such an animal or go full bore and deploy a full GC.
The second biggest problem for me would be to accurately guess where a user might be when they logon to the network. They
Hi Nate,
Just in case you hadn't seen this before, you might want to keep your eye on this KB article.
http://support.microsoft.com/kb/314649
Good luck with your upgrade!
~Ben
From: [EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF
You can start with this http://www.microsoft.com/technet/scriptcenter/scripts/network/client/list/nwlsvb05.mspx?mfr=true and add in some logic to query AD for DCs and Exchange servers, and then run the scriptcenter code against those particular servers.
You and joe are in the same boat :)
I understand where the logic for the generalization comes from. My experience and instinct tell me to disagree with the both of you and to interpret the generalization in a different manner. I've worked with and met WAY too many programmers to think that I'd
This is probably going to be a "hit-and-run" reply from me. I just have to jump in because whenever I see a "Need WINS" argument, I feel the urgent need to burst a ventricle or two.
if you don't have a wins server specified and don't have the dns suffix search order, then name resolution won't
Try http://www.microsoft.com/downloads/details.aspx?FamilyID=2cc30a64-ea15-4661-8da4-55bbc145c30e&DisplayLang=en
Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Hey Brian, good to see your name on the
list...
I got pinged offline on the basis behind this functionality. I admit to being a little shocked that someone was tossing password-type info into other attributes, especially with AD being so generally open to viewing, especially when using
For Exchange, there has been a lot around Exchange. At no point, though, have I heard that they were even going to start considering supporting Exchange with RODCs. I have heard a lot of "absolutely we will not support Exchange that way". If Exchange were supported, not to be a pain, but I can't
We thought to upgrade the DCs first because it takes care of the extension of the schema and all, which has to be done prior to EXCH2K3 anyhow.
The upgrade of the DCs does not take care of the schema extension; you'll have to prepare your schema as a separate step prior to being able
Whoa... Nathan too. This list is
hopping...
For those folks who don't know Nathan... Read his signature carefully and realize the level of people this list is seen by. And don't email him directly unless you found a world-ending issue with Longhorn DCs; he is a busy guy right about now. :)
This is why I expect most people won't be managing the
policy that closely. I see RODCs going out with a policy to cache all passwords
but admin passwords. You get the benefits and don't deal with additional
management overhead.
Some places will care enough to do the extra work and some
Hi. VBScript may be used to do that.
Atila Firmino
From: [EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Monday, 31 July 2006 13:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] bulk user creation
I have used a
One word... disjoint name space.
AD itself doesn't need WINS unless DNS is broken, because it uses FQDNs. It is everything else. If you have a simple single-domain setup, you are probably going to be able to remove WINS requirements unless you have legacy apps that actually force a lookup
Hi, I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators
Since we're all pretty busy with work, school, raiding corporations (Rich), planning a group vacation this summer is pretty hard. I'd like to hit either Miami or Montreal next weekend for a few days, but I'm not sure who can make it, if anyone at all.
That being said, I'm thinking we all should
Joe,
isn't the below kind of like yelling, "OMG! Elvis!" in a McDonald's restaurant
in Kalamazoo and following it up with, "nobody ask for his
autograph"?
;-)
Laura
From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 31, 2006 3:13 PM
To:
Hehe. Wrong list for this kind of question. Put on a
helmet.
But... yes you can, for as long as the DAs decide to let it
be that way. They will have no issues switching it right back. You CANNOT
prevent DAs from doing anything they want in the domain or the forest. You can
try likelike a
Miami or Montreal, quite a range there!
Do you want to speak French or Spanish?
:o)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Monday, July 31, 2006 3:53 PM
To:
Wow! You are one very generous list member :)
Can I bring the family along? With the dog and my favorite neighbor?
Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know
Understood. I made similar arguments in some places you will come to see in the very near future.
I will beg to differ on the "worth the benefit" claim vis-à-vis the headaches associated with WINS and how much less resilient I've found WINS to be compared to DNS.
However, my focus is on
Is it
possible to change who can create and/or edit GPOs? Sure. Will what you propose
accomplish what you want it to? Nope. Your Domain Admins can just put themselves
into the GP Creator Owners group, for example. Or in the root domain, they could
put themselves into the Enterprise Admins
Time for a cyclical answer. IF you figure out a way to prevent a DA from creating GPO, and it works against a certain DA, then that DA does NOT deserve to be a DA. So, just save yourself the research and just remove that DA from the DA group right now.
IF you have a DA whose skills or judgment
Hey, that sounds like fun!!! Consider me down for either location. :)
Alex
From: [EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Monday, July 31, 2006 3:53 PM
To: ActiveDir@mail.activedir.org; Dre; Michah Castrenbaumawitz; [EMAIL PROTECTED]; mark; Nick
Does anyone know how I force replication through ASP 2.0?
My DCs are all local (no WANs) and 2003 SP1.
I have a web page that does account creation and then points
the user to a portal which attempts to authenticate against AD. The portal
software (Peoplesoft) can only attempt
Andy -
Yes, it's possible. There are actually two steps here. If you have GPMC, highlight the Group Policy Objects node on your domain and choose the Delegation tab. From here, you can delegate which groups can create GPOs in the domain. However, even if you remove Domain Admins from this
By revoking Domain Admins I mean revoking their membership...
On 7/31/06, Matt Hargraves [EMAIL PROTECTED] wrote:
I'd think of revoking Domain Admins and grant them their rights via an RBS group in AD. Changing the rights of the builtin admin groups isn't something that you should necessarily do,
I'd think of revoking Domain Admins and grant them their rights via an RBS group in AD. Changing the rights of the builtin admin groups isn't something that you should necessarily do, primarily because so many applications out there require special privileges and fail out because the application
The Netware partial-replica model immediately jumped to
mind when the RODC-PAS idea was broached. I can see a lot of customers
trying to use this feature to create partial-replicas way beyond concerns of
preventing replication of sensitive data. I suppose one big difference
(making an
I guess the gist of what everyone is saying can be summed up with the following:
What does the current environment look like?
How extensive is your Exchange deployment going to be?
Without some of that information, it's only going to be a vague guess that anyone can give. I seriously doubt you need
Thanks Dareen and Za. What if DCs are already configured to use a specific port for RPC/DCOM (http://support.microsoft.com/kb/224196/)? I think it can be used by clients as well, right?
In other words, if I follow KB224196, do I need to open more based on the doc you provide
The way I read that was as follows:
20% means that 20% of your assets are unprotected: 1/5 of sensitive data is not managed like it should be (controlled, audited, protected etc.).
20% of laptops with mobile data aren't encrypted.
20% of desktops are unpatched.
20% of servers are unpatched.
I thought all that stuff was part of the Server 2003 R2 schema extensions and would work in XP also.
On 7/28/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:
In case anyone is
interested, here's a doc that describes the AD schema extensions that will be
required to support the new wireless
not an argument for implementing bad security. I think we all know how bad it is to have hordes of DAs. We also know that it is the reality in many large and small orgs, and we also know that it is sometimes unavoidable for purely non-technical reasons. The bottom line is that many of those
Thanks Dean. I didn't quite understand your explanation of the tokens for the DHCP client service. If it works for a subset of records, why not for all? Anyway, I tried repro'ing. The first time I tried, none of your recommendations worked other than ipconfig /registerdns. I deleted the zone on parent
We'll write this off as a one-off addressing error, shall we?
Tony
PS. Is Saturday a wet Saturday?
-- Original Message --
From: HBooGz [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date: Mon, 31 Jul 2006 15:53:02 -0400
Since we're all pretty
Certainly I know of a couple of customers who could
immediately make use of it in exactly that way right now. The first thing I
would be doing once that feature hit is finding out how much I could strip out
and then find ways to strip out even more because honestly, most of that Cat-1
base
Hey - even though I mistakenly added you guys/gals to this e-mail, it doesn't take away the invitation. We all need a few days of R&R!
e.g. see below..!
Thanks for the sense of humor!
On 7/31/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Giant Steps on the Palisades - Day Hike and Light
No, this is for the new Wireless policy features that are specific to Vista. R2 does not include them. Server 2003 included the schema extensions for Wireless policy that first appeared in XP, but this is new stuff.
From: "Matt Hargraves" [EMAIL PROTECTED]
Sent: Monday, July 31,
Yeah I know where you are coming from Darren but absolutely
can't say it is ok because I do not believe it is ok at all. I think saying it
is ok or that it is understandable will relax people about it and people
absolutely should not be relaxed about it or feel that they can't do anything
If it works for a subset of records, why not for all?
Subsets of records are probably working because you have different services responsible for the different records, which also means different SPNs are used to generate the Kerberos tickets for the services.
Just would have been nice to