Re: [ActiveDir] LDAP Logon Name

2006-08-17 Thread Paul Williams
Not quite. You need to escape the comma like so: (&(objectCategory=person)(objectClass=user)(displayName=phelps\, k*)) --Paul - Original Message - From: Matheesha Weerasinghe [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Monday, August 14, 2006 8:46 PM Subject: Re:

Re: [ActiveDir] LDAP Logon Name

2006-08-17 Thread Paul Williams
You need to escape the comma, as a comma is a delimiter and in the case of displayName it shouldn't be a delimiter: (&(objectCategory=person)(objectClass=user)(displayName=phelps\, k*)) I've not read the whole thread, so can't discuss whether or not this is the best way to do what you

Re: [ActiveDir] LDAP Logon Name

2006-08-17 Thread Matheesha Weerasinghe
Thanks Paul M@ On 8/17/06, Paul Williams [EMAIL PROTECTED] wrote: You need to escape the comma, as a comma is a delimiter and in the case of displayName it shouldn't be a delimiter: (&(objectCategory=person)(objectClass=user)(displayName=phelps\, k*)) I've not read the whole thread, so

RE: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-17 Thread Han Valk
First forgive my ignorance, I didn't know that the group should only exist in the forest root domain. But how is it possible that CHILDDOMAIN\Incoming Forest Trust Builders has permissions on the child domain in ADUC when there shouldn't be a CHILDDOMAIN\Incoming Forest Trust Builders? -Original

Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-17 Thread Paul Williams
I'm not in a position to test whether this is a forest-wide or domain-wide principal. However, when you can't find something you think should be there, you should search the GC. I've seen numerous people have issues with a user or group not existing only to find it's in a parent domain.

RE: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-17 Thread Dean Wells
I'm not in a position to properly prove-out the existence and/or reason for the child domain ACEs. However, the Incoming Forest Trust Builders group uses a well-known SID of S-1-5-32-557, this kind of SID lacks domain affiliation, i.e. it doesn't technically belong to any particular domain within

RE: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Almeida Pinto, Jorge de
in addition to that DC1 having FSMOset1 and DC2 having FSMOset2 transfer FSMOset1 from DC1 to DC2 apply patches to DC1 and reboot and check everything (event logs DCdiag, etc) if everything OK! transfer FSMOset1 and FSMOset2 from DC2 to DC1 apply patches to DC2 and reboot and check

RE: [ActiveDir] Moving Sysvol .

2006-08-17 Thread Almeida Pinto, Jorge de
to mitigate that risk you can also place a DUMMY file (let's say with the size of something like 1 GB) normally, if the disk with the DIT/SYSVOL fills up you will not have any space left to work with or to take any actions to solve the problem. however, if create one (or more) dummy files

RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-17 Thread Almeida Pinto, Jorge de
Title: Setting FFL=2 automatically when building first DC in forest Perhaps another change request for Longhorn? :) already has it! DCPROMO contains a crap load of new switches for an answer file but also as arguments for DCPROMO jorge From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] Adding a 2003 Server to AD2000

2006-08-17 Thread Almeida Pinto, Jorge de
see: http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/110.aspx jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Pohlschneider Sent: Friday, August 11, 2006 20:05 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Adding a 2003 Server to

RE: [ActiveDir] backup and restore AD.

2006-08-17 Thread Almeida Pinto, Jorge de
when a DC is restored from the system state (amongst others): * the restored RID pool is thrown away (invalidated) and a new RID pool is requested at the RID master * the invocation ID of the AD DB is changed (which prevents USN rollbacks) so in your case it works because the backup is not

RE: [ActiveDir] Netlogon and SYSVOL after Restore

2006-08-17 Thread Almeida Pinto, Jorge de
see my blog which contains an article about kicking NTFRS (SYSVOL) to replicate after a non-auth rest of the SYSTEM STATE. Make sure the partner you specify in the registry key is also the partner that is used in one of the inbound COs of the restored DC as it otherwise does not work (this

[ActiveDir] w2k3 dcpromo failure

2006-08-17 Thread Al Lilianstrom
We're in the process of replacing our w2k DCs with w2k3 machines. Forestprep and domainprep went fine as well as putting the first new w2k3 DC up. Yesterday we demoted one of the old w2k machines and removed it from the domain. Configured a w2k3 server with the same name and IP and ran

RE: [ActiveDir] w2k3 dcpromo failure

2006-08-17 Thread Almeida Pinto, Jorge de
after demotion you still need to delete the server object manually in sites and services (this is normal) (everything else like computer account, frs stuff and ntds settings is removed by dcpromo) 1) you can promote servers to DCs while they are member of a domain or not. it does not matter.

RE: [ActiveDir] LDAP Logon Name

2006-08-17 Thread joe
I'm sorry small correction... You have two different things you have to worry about special characters in, DNs and Search Filters. They have different sets of characters you need to worry about and also have two different methods of escaping the characters. In DNs you escape special

RE: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread John Strongosky
I cornfused is this a standard practice as I thought you did not want to move the FMSO roles back and forth. john From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Thursday, August 17, 2006 4:33 AM To: ActiveDir@mail.activedir.org Subject: RE:

RE: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Almeida Pinto, Jorge de
the reason is that if a DC dies during the patching you do not have to seize the roles IMHO, I prefer transferring over seizing Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland

RE: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread John Strongosky
Makes sense... how many dc's do you have in your infrastructure... From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Thursday, August 17, 2006 8:02 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FMSO roles split, patch question.

[ActiveDir] [OT] Longhorn Beta

2006-08-17 Thread WATSON, BEN
Outside of my MSDN account is there a preferred way to obtain Longhorn Betas for testing? ~Ben

RE: [ActiveDir] [OT] Longhorn Beta

2006-08-17 Thread Darren Mar-Elia
bit torrent? (just kidding) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Thursday, August 17, 2006 8:35 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] [OT] Longhorn Beta Outside of my MSDN account is there a preferred way to obtain Longhorn

Re: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
As a person who tests/patches a bunch of single DCs I've never seen a patch kill a server. Driver update may and has, yes. Impair functionality of the server, yes. But kill it completely? Microsoft tests patches ahead of time and they would find ahead of time if basic functionality of a

RE: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Deji Akomolafe
This will be one of the rare occasions I disagree with Jorge. I see no usefulness in this ping pong exercise. DC dies in the process of patching and it is the one holding a specific FSMO role. So what? Just seize the role and wipe the server and do your cleanup and reinstall. Due diligence

Re: [ActiveDir] [OT] Longhorn Beta

2006-08-17 Thread Matheesha Weerasinghe
Technet Plus On 8/17/06, WATSON, BEN [EMAIL PROTECTED] wrote: Outside of my MSDN account is there a preferred way to obtain Longhorn Beta's for testing? ~Ben List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive:

RE: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread joe
I completely concur with Jorge on his process. It takes a lot less hassle and a lot less feeling of concern to move a FSMO prior to an update of a machine than to have to seize the role later regardless of the reason of it going down. Especially when you have a script that applies the NTSUTIL

RE: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread John Strongosky
What's the time interval on moving these before you patch the DC's that the roles were on. john -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, August 17, 2006 9:32 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FMSO

Re: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Paul Williams
Valid point. But you should [try and] restore from the backup that ran the night before and that you verified successfully completed before you applied the patch... ;-) If you have a document process that goes through the proper change control, then there shouldn't be any reason to do

Re: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Paul Williams
I have. When bulk-patching NT 4 servers several died (OS was trashed, not the h/w) and had to be restored from the backup the night before. There was that issue where the patch wrote ntoskrnl beyond the 7.8 GB section of the disk, although that hit workstations more than servers as they'd

Re: [ActiveDir] [OT] Longhorn Beta

2006-08-17 Thread Paul Williams
http://connect.microsoft.com/ --Paul - Original Message - From: WATSON, BEN To: ActiveDir@mail.activedir.org Sent: Thursday, August 17, 2006 4:35 PM Subject: [ActiveDir] [OT] Longhorn Beta Outside of my MSDN account is there a preferred way to

Re: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Skid marks? More like blood, guts, gore and medics yelling Triage! I can tell you though that we've had way more issues installing service packs than patches though. Gimme a patch Tuesday and I don't blink an eye. hand me a service pack and I'm not looking forward to it. SBS 4.5 we

RE: [ActiveDir] [OT] Longhorn Beta

2006-08-17 Thread WATSON, BEN
That was definitely the first place I checked, and unless I'm blind (which I've been accused of many times by the way), I don't believe it's an available option on the connect website to test. I'll probably end up just using my MSDN copy in our test environment to create a Longhorn DC.

Re: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
NT 4.0? 'nuff said. NT should be killed off. :-) The patching mechanisms of the NT 4.0 era is not the patch mechanisms of today. We've gone from like 8 patch engines down to 2. We didn't have patch Tuesday when NT was built. Paul Williams wrote: I have. When bulk-patching NT 4 servers

RE: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Deji Akomolafe
I completely disagree with you. I understand the thinking behind the move-roles-before-patch stance. I just don't buy into it. Test patch and be sure it doesn't kill things. Test your config changes and be sure it doesn't break things. Test, test and test more before you move into production.

RE: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread joe
I am not into restoring from backup unless absolutely required. I like how easy it is to rebuild and repromote. As I mentioned in the other post, I consider DCs to be expendable like individual drives in a RAID Set. Now if I was crazy enough to run a bunch of other services on a DC that were

RE: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread joe
Minutes to hours. Depends on what exactly is going on. If it was heavy maintenance do it as far as you want in advance, if rolling through applying patches move the role, patch the server, move the role back. Depending on how many patches and the reboot times it could be less than 5 minutes with

RE: [ActiveDir] [OT] Longhorn Beta

2006-08-17 Thread joe
I believe Longhorn/Vista is an invite only Connect program. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Thursday, August 17, 2006 1:46 PM To:

RE: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Brian Desmond
Nah, even when you test stuff still can go wrong. It takes so little time to just transfer the roles. I don't backup/restore, I just reimage/rebuild. DCs are expendable. Last big client I had, the forest roles floated around the enterprise core sites, and the domain roles floated around the

RE: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread joe
That is fine Deji, you can completely disagree as much as you want, it wouldn't be the first time we haven't agreed. :) BTW, I never said Best Practice, I said this is what I do and I agree with Jorge. But in the end, I don't care about best practices, I do what I think is right and the least

RE: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Deji Akomolafe
I always try to frame my responses around the requested info. In this case, the OP wanted to know the following: After I apply the patches from Microsoft what is the best practices for the boot order...or does it matter? 1. Remote DC/GC's first 2. no. 1 3. then no 2. The simple and logical answer

RE: [ActiveDir] [OT] Longhorn Beta

2006-08-17 Thread Almeida Pinto, Jorge de
true when invited you can activate it on the connect site and play around with it Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel :

RE: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Gordon Pegue
What about us poor admins, who for a variety of reasons outside their control, don't have a "test" environment? I'm just a little guy, supporting a small business that doesn't have kilobucks to spare for non-production equipment. I sweat bullets every time MS issues updates and I spend a

RE: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Deji Akomolafe
That argument went out the window when the following happened: Dell started selling desktops with jillion gigabyte drive space for under $1000 Microsoft started giving away Virtual Server with very liberal Windows Server 2003 licenses. Us poor admins no longer needed bazillion dollars to

Re: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
IMHO the important thing is you are patched. However you do it is your process. Now if one of these processes are slowing you down reevaluate. But if you can patch within a reasonable amount of time (06-040) and you have a process for patching (06-040)... who cares? (btw ... we ARE

Re: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
VPC and VMware is free... and you watch the gang on www.patchmanagement.org report issues and share information. I patch at home first, watch the listserves, make sure I have a good backup and let 'er rip. If you have a good backup..and a DR strategy already in place, patches are not a big

RE: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Gordon Pegue
Sorry- You just don't get it do you... I'll be as blunt as possible: Management won't allow it! Gordon From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe Sent: Thursday, August 17, 2006 2:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir]

RE: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Brian Desmond
Time to find a new manager Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gordon Pegue Sent: Thursday, August 17, 2006 4:59 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FMSO roles

Re: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
What he said. Because who are they going to blame when 06-040 gets inside an unpatched network and nails Windows 2000 boxes and DOS's 2k3's? Do they not let you patch at all...or not let you test patches? How are you deploying or mitigating issues now? If I.. little SBSer that I am... can

RE: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Tony Murray
I agree with Jorge. Seizing is not for the faint-hearted, as Brett's post from a while back shows... http://www.mail-archive.com/activedir@mail.activedir.org/msg39683.html Tony -- Original Message -- From: Almeida Pinto, Jorge de [EMAIL PROTECTED]

[ActiveDir] Single Space in LDAP query dropped: Why?

2006-08-17 Thread Jef Kazimer
I had posted this today, and I was curious if anyone knew why an LDAP filter drops the query when searching for a single space value? Though I was using Joe's ADfind, I did have the same results in ADSIedit, and thought someone better than I, may know why. It's not really a problem, just a