is clean
before you start with a repromotion.
Cheers!
John Reijnders
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jacob Walker
Sent: Wednesday 9 March 2005 13:46
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Database Corrupt
We'll use
Hi Neil,
Technically there is no need to place a DC
in a site. However, in your case it could be an option to:
- Link the subnets that were formerly linked to site B to site A
- Decommission the DC
- Remove site B
However, if you have a good reason to
Ben,
You should at least logon again to get the
new credentials. Your access token will be reconstructed when you logon and
any new groups will be added.
Also, make sure the policy has been
replicated to, and is being applied by, the DC that is acting as your logon
server.
Hi Bart,
The *main* performance hit is caused by the actual settings set in a GPO,
*not* the number of GPOs. However, besides performance, manageability is
an important thing to consider when you're designing your GPO structure.
A limit you have to take into account is the maximum number of GPOs
Hi Manjeet,
Yep it is required, because the PDC Em processes all password
updates from clients not running the Active Directory client software. In addition, he
(is the PDC Em masculine?) is checked on an authentication failure to see if a
password has been changed but has not had a chance
Title: Loose vs strict replication consistency
Hi Neil,
I think the following kb provides the
requested info.
http://support.microsoft.com/kb/317097
Cheers,
John
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday 21 January
Domain rename ... h ... somehow, my heart skipped a couple of beats
reading this suggestion. Of course the tools provided by MS contain
everything you need, except for a lot of courage, a long long free weekend
in which no bbq is planned because cold pizza will be the only food you will
be
Happy reading! Make sure to take a
couple of weeks off ;-)
http://searchwin2000.techtarget.com/originalContent/0,289142,sid1_gci966312,00.html
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Mohammed Tantawi
Sent: Wednesday 12 January 2005 14:25
To:
Title: How to determine a stale record by script
Hi Dines!
Dnscmd.exe will do the trick for you.
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url="">
Cheers!
John
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
over this
trust.
Going from mixed to native mode has no consequences for your NT4 servers. If
you've got any NT4 DCs, these will stop functioning correctly as DCs.
However, non-DC servers and workstations will still function!
Cheers!
John Reijnders
-Original Message-
From: [EMAIL PROTECTED]
[mailto
Hi,
Personally I agree with the approach being followed (allowing only traffic
between certain hosts). However, remember to design/implement your
replication topology in such a way that AD will not try to replicate between
DCs that are not allowed to communicate through your tunnel! This can and
things seem to indicate that both domains must be at W2K3 FFL. Will SA
and SID filtering work if the new domain is W2K3 FFL and the old one is at W2K
Native ?
For SA to be able to work, the DOMAIN in which SA will be applied has to be at W2003 functional
level.
Cheers!
John Reijnders
From
intended groups have access instead of relying on 'authenticated users'.
Maybe that's the path I should push for regarding #3 - your comments are
welcome!
Duh ... No further comments your honour! I rest my case ...
Cheers!
John Reijnders
-Original Message
Hi Justin,
Planning DFS and FRS Security is a good starting point!
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/sdccc_fsv_ogmn.asp
Cheers!
John Reijnders
-Original
what you end up with and ... why ;-)
Cheers,
John Reijnders
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday 6 January 2005 21:32
To: activedir@mail.activedir.org
Subject: [ActiveDir] Forest trusts vs trusts
within
/proddocs/en-us/sag_DHCP_imp_PlanningNetworks.asp
Good luck!
John Reijnders
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday 3 January 2005 17:08
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DHCP
Thanks Jorge, I did see
Windows 2000/2003 DNS servers include a feature called Scavenging. The
scavenging process, which is disabled by default, removes stale records from
the database. Scavenging can be configured on a per-zone, per-server, or
per-record basis. Keep in mind that if there is a record that is not
I totally agree with all the guys out there that urge you to scan your
DCs!!! I've been thinking about this issue for some time and I've come to
the conclusion that Active Directory would be THE IDEAL target for a virus
attack. The robustness of AD replication makes it the ideal distribution
You can use dnscmd.exe for Windows 2000 and Windows Server 2003.
From: Holland Matthew BC GB
[mailto:[EMAIL PROTECTED]
Sent: Tuesday 2 December 2003 15:59
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Scripting a DNS Host Record Update
Greetings!
Does anyone know how I
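The scavenging explanation above decides staleness from the zone's aging settings, and the dnscmd.exe answer is the scripted way to see which records that affects. As an added example (not code from the list posts, and not dnscmd.exe itself), the same stale-record check with the DnsServer PowerShell module that ships with Windows Server 2012 and later; the zone name is an assumption, everything else is read from the zone:

```powershell
# Added example, not code from the list post. Assumes the DnsServer module
# (Windows Server 2012+ / RSAT); the zone name below is an assumption.
param(
    [string]$ZoneName  = 'corp.example.com',      # assumed zone name
    [string]$DnsServer = $env:COMPUTERNAME        # DNS server to query
)

# Scavenging judges staleness from the zone's own aging settings, so read
# them instead of hard-coding a number of days.
$aging = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $DnsServer
if (-not $aging.AgingEnabled) {
    Write-Warning "Aging is disabled on $ZoneName; timestamps are not being refreshed, so 'stale' cannot be judged from them."
}

# A record becomes eligible for scavenging once its timestamp is older than
# NoRefreshInterval + RefreshInterval (both are TimeSpan values).
$threshold = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)

$stale = Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DnsServer |
    Where-Object {
        # Static records carry no timestamp and are never scavenged; only
        # dynamically registered records have one.
        $_.Timestamp -and $_.Timestamp -lt $threshold
    }

$stale |
    Select-Object HostName, RecordType, Timestamp |
    Sort-Object Timestamp |
    Format-Table -AutoSize

"{0} record(s) in {1} older than {2:u} (NoRefresh {3} + Refresh {4})" -f `
    @($stale).Count, $ZoneName, $threshold, $aging.NoRefreshInterval, $aging.RefreshInterval
```

The list is what a scavenging run on that server would remove, not proof that the hosts are gone: a host that registers through a DHCP server pointing at a different DNS server, or one whose record was re-created as static, shows up or is hidden accordingly, so review the output before enabling scavenging rather than after.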
Using the dcpromo.exe /adv option will present you with the "restore from
alternate location" option during the wizard install.
See for more details:
http://www.microsoft.com/technet/treeview/default.asp?url="">
http://www.microsoft.com/technet/treeview/default.asp?url="">
You could try to do a non-authoritative restore of your sysvol (setting the
burflags option to D2).
The procedure is: stop ntfrs.exe, set the burflags option to D2, start
ntfrs.exe. This will rebuild your sysvol.
If this still results in journal wraps errors you could also stop ntfrs.exe,
delete
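The stop/set BurFlags/start procedure from the post above, as an added example in PowerShell that is not code from the list post. It assumes an FRS-replicated SYSVOL (the Windows 2000/2003 case discussed here; DFS-R SYSVOL uses a different mechanism) and must be run elevated on the DC that should re-pull SYSVOL from a partner:

```powershell
# Added example, not code from the list post: non-authoritative (D2) or
# authoritative (D4) FRS restore of SYSVOL on the local DC. Assumes FRS, not DFS-R.
param(
    [ValidateSet('D2', 'D4')]
    [string]$Mode = 'D2'     # D2 = non-authoritative (safe default), D4 = authoritative
)

# The key name contains a literal '/' ("Backup/Restore"). The PowerShell
# registry provider treats '/' as a path separator and cannot open it, so use
# the .NET registry API, which only splits on backslashes.
$keyPath  = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$burFlags = @{ D2 = 0xD2; D4 = 0xD4 }[$Mode]

if ($Mode -eq 'D4') {
    # D4 makes THIS DC the master copy of SYSVOL for every other DC. It belongs
    # on exactly one DC (all others on D2), so never run it unattended.
    $answer = Read-Host 'D4 overwrites SYSVOL on all other DCs with this copy. Type YES to continue'
    if ($answer -ne 'YES') { return }
}

Stop-Service -Name NtFrs -Force

$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, $true)
if (-not $key) { throw "Registry key not found: HKLM\$keyPath (is this DC using FRS for SYSVOL?)" }
try {
    $key.SetValue('BurFlags', $burFlags, [Microsoft.Win32.RegistryValueKind]::DWord)
} finally {
    $key.Close()
}

Start-Service -Name NtFrs

# FRS reports progress in its own event log: 13565 = non-authoritative restore
# started, 13566 = authoritative restore started, 13516 = SYSVOL shared again,
# 13568 = journal wrap. The old content is moved to NtFrs_PreExisting___See_EventLog,
# not deleted, so nothing is lost if the rebuild has to be repeated.
Get-WinEvent -LogName 'File Replication Service' -MaxEvents 25 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 13565, 13566, 13516, 13568 } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Wait for 13516 before touching group policy on that DC: until SYSVOL is shared again, clients that pick this DC as their logon server will not get GPOs from it.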
I don't want a turkey ... I want a NETPRO CHICKEN *##*(@*#**@
-Original Message-
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Wednesday 26 November 2003 21:49
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Happy Thanksgiving...
well, you all
-
From: John Reijnders [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 20 November 2003 08:02
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Part of domain offline
Joe is correct ... Another important thing to notice is the fact that with W2000 SP3 a new feature can be enabled, namely Strict replication
If security is an issue for your shop you should make the move to XP
(considering the fact that you're working for a bank I assume this is an
issue?). If you need to maintain some legacy clients in your environment for
the sake of some prehistoric applications you should at least implement
the DS
Joe is correct ... Another important thing to notice is the fact that with
W2000 SP3 a new feature can be enabled, namely Strict replication. Having
this feature enabled
lessens the risks caused by DCs that have not replicated for some time. The
risk is lessened because of the fact that the
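The strict replication consistency setting referred to above (and the KB 317097 pointer earlier on this page) is a single registry value on each DC. As an added example, not code from the list post, a script that audits the value on every DC in the forest and, with -Enforce, sets it; it assumes only the ActiveDirectory module and Remote Registry access to each DC:

```powershell
# Added example, not code from the list post: audit (and with -Enforce, set)
# the "Strict Replication Consistency" value from KB 317097 on every DC.
# Assumes the ActiveDirectory module and Remote Registry access to the DCs.
param([switch]$Enforce)

$subKey    = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'Strict Replication Consistency'

# Every DC in every domain of the forest; the setting is per DC, not per domain.
$dcs = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

foreach ($dc in $dcs) {
    $hklm = $null; $key = $null
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc.HostName)
        $key  = $hklm.OpenSubKey($subKey, [bool]$Enforce)   # writable only when enforcing
        $raw  = $key.GetValue($valueName)                   # $null when the value is absent

        if ($Enforce -and $raw -ne 1) {
            $key.SetValue($valueName, 1, [Microsoft.Win32.RegistryValueKind]::DWord)
            $raw = 1
        }
        $display = if ($null -eq $raw) { '<absent>' } else { $raw }
        [pscustomobject]@{ DC = $dc.HostName; Domain = $dc.Domain; Strict = ($raw -eq 1); Raw = $display }
    }
    catch {
        [pscustomobject]@{ DC = $dc.HostName; Domain = $dc.Domain; Strict = $null; Raw = "ERROR: $($_.Exception.Message)" }
    }
    finally {
        if ($key)  { $key.Close() }
        if ($hklm) { $hklm.Close() }
    }
}
```

An absent value means the DC runs with whatever its default is, which on DCs upgraded from Windows 2000 is loose. The difference shows up in the Directory Service log: a loose DC revives a lingering object it receives and logs event 1388, while a strict DC refuses that inbound replication and logs event 1988, at which point the object has to be removed with repadmin /removelingeringobjects rather than coming back to life.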
If you want to delegate the rights to manage the stuff handled with AD SS
you need to delegate the manage replication topology to the right group.
Site management is a task performed at forest level so delegating this right
means delegating the rights for the complete forest.
Thinking about it
Two important "tasks" that sites have to deal with are optimizing
replication traffic on one hand and authentication traffic on the other. At the
moment you have a couple hundred physical sites in terms of individual
subnets. By default you start designing your site topology by doing a
as provide a stable structure for
everyone to use.
Thanks for taking the
time for such a detailed and informative response! The catch-all subnet is an
especially interesting tip I hadn't thought of before.
mc
-Original Message-
From: John Reijnders [mailto:[EMAIL
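With a couple hundred subnets, the practical question is which clients currently fall outside every defined subnet (and therefore get no site, or only the catch-all one). A DC records exactly those clients as NO_CLIENT_SITE entries in %SystemRoot%\debug\netlogon.log. As an added example, not code from the list posts, a parser that groups those entries into candidate subnets; the log lines embedded below are constructed for the example, and the /24 grouping is an assumption:

```powershell
# Added example, not code from the list post: group NO_CLIENT_SITE entries
# from netlogon.log into candidate subnets. The embedded sample lines are
# constructed (real format, not real data); use -LogPath for a real DC's log.
param(
    [string[]]$LogLines,
    [string]$LogPath,
    [int]$PrefixLength = 24      # assumption: one /24 per office; adjust to taste
)

if ($LogPath) { $LogLines = Get-Content -Path $LogPath }
if (-not $LogLines) {
    $LogLines = @(
        '01/14 08:02:11 CORP: NO_CLIENT_SITE: WKS-0412 10.77.3.41',
        '01/14 08:02:37 CORP: NO_CLIENT_SITE: WKS-0413 10.77.3.88',
        '01/14 08:05:02 CORP: NO_CLIENT_SITE: LT-ACCOUNTING 10.77.9.5',
        '01/14 08:05:09 CORP: SamLogon: Network logon of CORP\jdoe from WKS-0412 Returns 0x0'
    )
}

# Mask an IPv4 address to its /N network, byte by byte, avoiding 32-bit overflow.
function Get-NetworkPrefix {
    param([string]$IPv4, [int]$Bits)
    $bytes = ([System.Net.IPAddress]::Parse($IPv4)).GetAddressBytes()
    $bitsLeft = $Bits
    for ($i = 0; $i -lt 4; $i++) {
        $keep = [math]::Min(8, [math]::Max(0, $bitsLeft))
        $mask = (0xFF -shl (8 - $keep)) -band 0xFF
        $bytes[$i] = [byte]($bytes[$i] -band $mask)
        $bitsLeft -= 8
    }
    $net = New-Object System.Net.IPAddress -ArgumentList (,$bytes)
    return ('{0}/{1}' -f $net.IPAddressToString, $Bits)
}

$hits = foreach ($line in $LogLines) {
    if ($line -match 'NO_CLIENT_SITE:\s+(?<host>\S+)\s+(?<ip>\d{1,3}(?:\.\d{1,3}){3})') {
        [pscustomobject]@{
            Host   = $Matches.host
            IP     = $Matches.ip
            Subnet = Get-NetworkPrefix -IPv4 $Matches.ip -Bits $PrefixLength
        }
    }
}

$hits | Group-Object Subnet | Sort-Object Count -Descending |
    Select-Object @{ n = 'CandidateSubnet'; e = { $_.Name } },
                  Count,
                  @{ n = 'SampleHosts'; e = { ($_.Group.Host | Select-Object -Unique -First 3) -join ', ' } }
```

With the constructed input this reports 10.77.3.0/24 (2 hosts) and 10.77.9.0/24 (1 host). Each candidate then becomes a real subnet object bound to the right site (New-ADReplicationSubnet -Name '10.77.3.0/24' -Site <site>), and the NO_CLIENT_SITE entries for it stop. Run it against several DCs: each DC only logs the clients that happened to contact it.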
The E2K3 deployment guide provides a lot of useful info ...
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/exchange/Exchange2003/proddocs/library/DepGuide.asp
Cheers!
John
-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent:
The ren tools do not support renaming domains with Exchange integrated into
the schema. That's a quote that pops into my misty, still frozen and
haven't had my coffee yet brains. So that would imply that even if your
domain doesn't have any exchange boxes in it, your forest has, so you're stuck
...
How to Perform a Disaster Recovery Restoration of Active Directory on
Dissimilar Hardware -- http://support.microsoft.com/?kbid=263532
-Original Message-
From: Orin Rehorst
To: [EMAIL PROTECTED]
Sent: 7-11-2003 17:14
Subject: [ActiveDir] Bare metal restore on other hardware?
I'm
Do's:
- Make good backups before the change
- Apply for your own OID
- Follow the step by step / best practices guides from MS
- Use LDIF exports/imports to get a repeatable/predictable result
Don'ts:
- Screw up ;-)
Cheers!
John
-Original Message-
From: Burns, Clyde
To: [EMAIL
of other domains, leveraging SIDhistory (although I hear this also works
in mixed mode, but is not supported...)
From: John Reijnders
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, 5 November 2003 09:37
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] native mode
The rollback possibility is an interesting issue.
I've looked into this and came across the following quote from Microsoft:
"While the Windows Server 2003
functional level provides a number of features and advantages, you might choose
not to move to this functional level if your environment
Forcing a replication sounds like fixing a problem that shouldn't be
there... But let's give it a try. Maybe we can find another way of solving
your problem.
First of all, you want to be in charge of the decision of choosing the DC on
which the computer account is created. This can be done by
Booting a DC in DSRM effectively boots it into a "workgroup mode".
However, you will be able to access a network share if you have another DC
nearby that can authenticate the user that tries to access the network share.
So, you will need to present your credentials when you're
I remember having seen this `tool` with the CD included with the book
`Building Enterprise Active Directory Services notes from the field`. It
consists of an excel sheet that `does the job`. My experiences with these
numbers are that they are not too bad. However, this is only an indication
... Make
Title: RE: [ActiveDir] Setting up Sites
Here's an answer from a European guy struggling with AD infrastructures containing more than 1.000 sites (and DCs) connected by ISDN connections ... Consider yourself to be a lucky guy ;-). We've been through this discussion numerous times over here...
This error is by design. This is what you get by default when you try to
force a replication between two DCs in different sites using ADSitSvcs.
However, usually the replication DOES actually occur within the next couple
of minutes. You could use replmon to check whether or not the replication
has
Index for containerized searches permits searching a container rather
than the entire directory. This can be used to improve lookup times for
container searches.
Hope this was what you were looking for?
Cheers!
John
From: Raul Martínez [mailto:[EMAIL PROTECTED]
Sent: Tuesday 28
.
Tony
-- Original Message --
From: John Reijnders [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 23 Oct 2003 08:13:00 +0200
As an addition to the previous mails I would like to point out a particular
issue with the schema master. The installation
The upgrade to W2003 enforces 2 policies (previously not enforced).
Disabling them, and thereby weakening your security (but hey ... it might
get your users back to work), in the Default Domain Controllers Policy might do
the job for you:
Microsoft Network Server: Digitally sign communications
How is your Dutch ;-)? I've written numerous articles on this topic for
European magazines (Windows .Net Magazine dutch version). Feel free to ask
for them if you're interested.
If the short notice is too short to take a language course in Dutch you
might find some inspiration on the O'Reilly
, but untill then ... Make
sure that every Exchange box can contact the Schema Master!
Cheers!
John Reijnders
-Original Message-
From: Abbiss, Mark [mailto:[EMAIL PROTECTED]
Sent: Monday 20 October 2003 11:58
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] FSMO role holding DC's
I have
You could use the .fin and/or .biz DNS names without getting into any AD
problems. However, you should think about the fact whether or not you want
to connect AD to the internet (not now but in the future?). Don't place your
bets on renaming your domains in the future using the new domain renaming
I agree with the fact that it won't buy you anything in terms of
performance. However, splitting up into D/E/F does reduce the chance that
journal wraps might occur. Journal wrap errors occur if a sufficient number of changes
take place while FRS is turned off or busy such that the last USN
Consider using the ADUC provided with W2003. A new Active Directory Users
and Computers property page called Additional Account Info and the
lockoutstatus.exe utility are great troubleshooting tools for diagnosing
lockout problems. They've proven to be very helpful over and over ...
Cheers!
John
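What lockoutstatus.exe shows is each DC's own copy of the bad-password counters, which are not replicated; that is why the tool asks every DC. As an added example, not code from the list post, the same check with the ActiveDirectory module, followed by the lockout event on the PDC emulator that names the machine sending the bad passwords. The account name is an assumption:

```powershell
# Added example, not code from the list post: per-DC bad-password counters for
# one account (badPwdCount/badPasswordTime are not replicated, so every DC is
# asked directly), then the 4740 lockout events on the PDC emulator.
# Assumes the ActiveDirectory module; the account name is an assumption.
param([string]$SamAccountName = 'jdoe')   # assumed account name

function ConvertFrom-FileTime {
    # AD stores these timestamps as 64-bit FILETIME; 0 / null means "never".
    param([Nullable[long]]$Value)
    if ($Value -and $Value -gt 0) { [DateTime]::FromFileTime($Value) } else { $null }
}

$props = 'badPwdCount', 'badPasswordTime', 'lockoutTime', 'lastLogon'
$rows = Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties $props
        [pscustomobject]@{
            DC              = $dc
            BadPwdCount     = $u.badPwdCount
            BadPasswordTime = ConvertFrom-FileTime $u.badPasswordTime
            LockedOutSince  = ConvertFrom-FileTime $u.lockoutTime
            LastLogon       = ConvertFrom-FileTime $u.lastLogon
        }
    } catch {
        [pscustomobject]@{ DC = $dc; BadPwdCount = "ERROR: $($_.Exception.Message)" }
    }
}
# The DC with the newest BadPasswordTime is the one receiving the bad passwords.
$rows | Sort-Object BadPasswordTime -Descending | Format-Table -AutoSize

# Lockouts are forwarded to the PDC emulator, which logs event 4740 with the
# calling computer name (Properties[1] of the event).
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
    Select-Object TimeCreated,
        @{ n = 'Account';        e = { $_.Properties[0].Value } },
        @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } }
```

The caller computer in 4740 is where to look next (a cached credential in a service, a mapped drive, a scheduled task); the bad-password DC alone does not tell you that.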
You mention the fact that all clients point to these 2 DNS/DC servers.
If this means that all clients are configured with 2 DNS servers, then you can migrate
the 2 DCs one at a time (after having transferred the FSMOs to the 3K box).
Hope this works out for you!
Cheers!
John
I can confirm this statement from MS. I've seen the lockout issues being
solved by the new version of the DS Client. The most recent version is not
available on the web site of Microsoft. You need to contact MS for
this.
Cheers!
John
From: Creamer, Mark
[mailto:[EMAIL PROTECTED]
I would like to attack this problem from an AD point of view. Your domain
structure consists of an empty forest root domain with a child domain. This
structure allows you to make every DC in the child domain a GC without much
overhead. The information in the empty forest root should be relatively
The DEC is the absolute killer conference on everything that has to do with
AD! It's the only conference I know that focuses on this topic and is able
to come up with new/relevant/interesting information for even the most
experienced AD engineers! I've been to the DEC in Amsterdam last year and
I don't know the cause of this problem but you could try restoring an older
version of the GPOs using the GPMC (Group Policy Management Console)... (if
you made backups of your GPOs).
If you haven't implemented this GPO management tool yet you should
definitely have a look at it! It's the way to
a child
domain (directory partitioning or strict domain policy requirements for
example).
Cheers!
John Reijnders
MCSE Windows Server 2003
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 2:14 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows 2003
.
Cheers!
John Reijnders
MCSE Windows Server 2003
-Original Message-
From: Joe
To: [EMAIL PROTECTED]
Sent: 25-9-2003 3:36
Subject: RE: [ActiveDir] Security Logs
The only way to give out the ability to non-admins to read the security log
in Windows NT or Windows 2000 is to grant
How hasn't ;-)?
There are some possible issues that can cause you a lot of headache when you
do not treat your SysVOL well. The main cause is that the SysVOL contains
junction points. Copying the SysVOL and then deleting the copy of the SysVOL
actually makes all the sysVOL on all your DCs
in the
same site as the DC to determine whether or not the network configuration is
causing the problem.
Cheers!
John Reijnders
-Original Message-
From: Abbiss, Mark
To: '[EMAIL PROTECTED]'
Sent: 25-9-2003 10:37
Subject: [ActiveDir] Incredibly slow log on
Just wondering if anyone else has tried using NTDSUtil? I've never seen this
tool giving the wrong answer.
Cheers!
John Reijnders.
-Original Message-
From: Scoles, Damian
To: [EMAIL PROTECTED]
Sent: 23-9-2003 21:41
Subject: RE: [ActiveDir] DSQuery shows wrong DC as holding role
As for the GC/Infrastructure thing, that's
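When dsquery and ntdsutil disagree about a role holder, the usual cause is that the DC each tool happened to ask has a different, not yet replicated, view. As an added example, not code from the list posts, a script that asks every DC for its own view of the five roles and flags disagreement, and also checks the "GC/Infrastructure thing" mentioned above (an infrastructure master on a GC is only harmless when every DC in the domain is a GC). It assumes the ActiveDirectory module and nothing else:

```powershell
# Added example, not code from the list post: each DC's own view of the FSMO
# role holders, plus the infrastructure-master-on-a-GC check.
# Assumes the ActiveDirectory module.
function Get-FsmoView {
    param([string]$Server)
    # Ask this specific DC, not whichever one the module would pick.
    $d = Get-ADDomain -Server $Server
    $f = Get-ADForest -Server $Server
    [pscustomobject]@{
        ReportedBy     = $Server
        SchemaMaster   = $f.SchemaMaster
        DomainNaming   = $f.DomainNamingMaster
        PDCEmulator    = $d.PDCEmulator
        RIDMaster      = $d.RIDMaster
        Infrastructure = $d.InfrastructureMaster
    }
}

$dcs   = Get-ADDomainController -Filter *
$views = foreach ($dc in $dcs) {
    try   { Get-FsmoView -Server $dc.HostName }
    catch { Write-Warning "$($dc.HostName): $($_.Exception.Message)" }
}
$views | Format-Table -AutoSize

$roles = 'SchemaMaster', 'DomainNaming', 'PDCEmulator', 'RIDMaster', 'Infrastructure'
foreach ($role in $roles) {
    $holders = @($views | ForEach-Object { $_.$role } | Sort-Object -Unique)
    if ($holders.Count -gt 1) {
        # Disagreement normally means a transfer has not replicated everywhere yet.
        # Seizing the role on top of a live holder is far worse than waiting.
        $msg = ('DCs disagree on the {0} holder: {1}. Check replication (repadmin /showrepl) ' +
                'before seizing anything.') -f $role, ($holders -join ', ')
        Write-Warning $msg
    }
}

# Infrastructure master on a GC: fine only if every DC in the domain is a GC.
$im    = $views | Select-Object -First 1 -ExpandProperty Infrastructure
$imDC  = $dcs | Where-Object { $_.HostName -eq $im }
$allGC = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
if ($imDC -and $imDC.IsGlobalCatalog -and -not $allGC) {
    Write-Warning "Infrastructure master $im is a GC while other DCs are not; cross-domain group member references will not be updated."
}
```

Get-ADDomainController -Filter * only covers the current domain, so the two forest-wide roles are compared across that domain's DCs; run it in each domain if the forest has more than one.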
members.
http://www.microsoft.com/windows2000/techinfo/reskit/tools/new/sonar-o.asp
Cheers!
John Reijnders
MCSE Windows Server 2003
-Original Message-
From: Myrick, Todd (NIH/CIT)
To: [EMAIL PROTECTED]
Sent: 23-9-2003 20:23
Subject: [ActiveDir] Ultrasound for FRS troubleshooting.
http
You should at least be running SP3. This contains a lot of FRS improvements!
See Q285923:
To resolve this issue, synchronize the computers with the domain controller
clock time. Follow these steps:
Run the following command on all computers to synchronize the clock time
with the domain
The article How to Upgrade Windows 2000 Domain Controllers to Windows
Server 2003 (Q325379) is a must-read for you!
Cheers!
John Reijnders
-Original Message-
From: Pelle, Joe
To: [EMAIL PROTECTED]
Sent: 22-9-2003 23:16
Subject: [ActiveDir] Upgrading from 2000 AD to 2003 AD
Hello all