Re: [ActiveDir] remove orphan DC from the domain

2007-01-26 Thread Paul Williams
If the DC that died had FSMO roles, you need to seize them (check which DC had FSMO roles with -- NETDOM QUERY FSMO) This step is no longer necessary in k3 SP1. NTDSUTIL does it for you. If I remember correctly, it tries a XFER and then does a Seize (as that's the logic for the Seize

Re: RE : Re: [ActiveDir] remove orphan DC from the domain

2007-01-26 Thread Paul Williams
this statement please ? What is a XFER ? When you say it does a seize, that means it choose a DC nearby ? and seize *automatically* a seizure ? Thanks, Yann Paul Williams [EMAIL PROTECTED] wrote: If the DC that died had FSMO roles, you need to seize them (check which DC had

Re: Re: [ActiveDir] remove orphan DC from the domain

2007-01-26 Thread Paul Williams
? That is a very interesting... Could you develop this statement please ? What is a XFER ? When you say it does a seize, that means it choose a DC nearby ? and seize *automatically* a seizure ? Thanks, Yann Paul Williams [EMAIL PROTECTED] wrote: If the DC that died had FSMO

Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

2007-01-25 Thread Paul Williams
You can register records like this by messing up a reverse lookup record addition using DNSCMD. --Paul - Original Message - From: EIS Lists To: ActiveDir@mail.activedir.org Sent: Wednesday, January 24, 2007 9:28 PM Subject: RE: [ActiveDir] [OT] Odd Folder under Forward

Re: [ActiveDir] Upgrading W2K3 standard to enterprise edition

2007-01-18 Thread Paul Williams
Yeah, you can upgrade std. to ent. One of my implementation guys accidentally built a load of boxes for me as Std., so I got him to upgrade them to Ent. Worked fine. He did have issues doing this on a different project where there was a stupidly

Re: [ActiveDir] Upgrading W2K3 standard to enterprise edition

2007-01-18 Thread Paul Williams
-- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Thursday, January 18, 2007 9:13 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Upgrading W2K3 standard to enterprise edition

Re: [ActiveDir] Upgrading W2K3 standard to enterprise edition

2007-01-18 Thread Paul Williams
,MCSA,MCP+I,M.E,CCA,Network+, Security + email:[EMAIL PROTECTED] cell:401-639-3505 -- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Thursday, January 18, 2007 10:26 AM

Re: RE: [ActiveDir] SID Deleted users remains in NTS permission.

2007-01-04 Thread Paul Williams
The ACEs in the ACL on the file server are maintained by the LSA on that server. ACLs on member servers are nothing to do with AD really. AD is used to verify the SIDs in the ACLs when necessary, but it's the local LSA that's doing the authorisation (based on the information in one's security

Re: [ActiveDir] do I have to choose between intra-site replication speeds or dc based on site?

2007-01-04 Thread Paul Williams
Yes. Enabling inter-site change notifications essentially means that you have intra-site replication occurring over a site link. The only real difference is that bridgeheads are still used. Basically, when a DC receives a change, a notification is generated and sent to its downstream

Re: RE: [ActiveDir] finding users that password never expire.

2007-01-04 Thread Paul Williams
The equals operator is looking for an exact match. As userAccountControl is a bitwise attribute (each bit represents an option) then in many cases it won't be 65536. Using the logical AND matching rule (1.2.840.113556.1.4.803) means that it checks the bit in question, regardless of what other

Re: [ActiveDir] Windows 2000 domain

2007-01-04 Thread Paul Williams
If you're talking about group nesting, the mode of the domain limits some of the potential configurations. Check to see whether or not you're in mixed mode. If you are, nesting is limited and you can't have universal groups. If you're in native, what group can't you place into what group?

Re: RE: [ActiveDir] SID Deleted users remains in NTS permission.

2007-01-04 Thread Paul Williams
Because it's not managed by the DS. The SID as you refer to it is actually an ACE. The ACE is an item that makes up the DACL which makes up the ACL. This is managed locally by the member server. Windows itself. The LSA. It's far too expensive and problematic with the current design for

Re: RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.

2007-01-04 Thread Paul Williams
No. Not quite. No cleanup happens whatsoever. Even when the ACEs are in the AD they aren't cleaned up. The LSA was mentioned to try and highlight the expense and difficulty of such a cleanup operation. The fact of the matter is that regardless of the securable object, its ACE is managed

Re: [ActiveDir] AdminSDHolder orphans

2006-12-19 Thread Paul Williams
The SDPROP thread, technically, doesn't do anything with inheritance. That is a trait of the security descriptor, which SDPROP sets. So, realistically, SDPROP overwrites the nTSecurityDescriptor attribute and increments adminCount to 1. The step of setting inheritance to off is unnecessary

Re: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC

2006-12-04 Thread Paul Williams
MONAD for Exchange is supposed to fix that but I am expecting tremendous scaling issues in the environments I play in with it and quite frankly have even admitted that I would rather see WMI as it doesn't saturate the network lines passing data that isn't being requested. I agree with you

Re: [ActiveDir] [OT] Vista Admin Tools Pack

2006-11-22 Thread Paul Williams
If I had to guess, I would say it's because the launched process isn't a child of the elevated Window, but is a child of Explorer (the shell) itself. This isn't the case with a CMD prompt, whereby the launched process is an actual child process. Test it with Sysinternals' process explorer.

Re: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread Paul Williams
I imagine you used the version of ADPREP that ships with Windows Server 2003 SP1? I believe you need to run ADPREP /DOMAINPREP /GPPREP. This will add the inheritable ACEs to CN=Policies,CN=System,DC=... Allow: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read is an inherited ACE. Re. EDCs.

Re: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread Paul Williams
that child objects will inherit this ACE (unless NO_PROPOGATE is set, which it isn't). --Paul - Original Message - From: Paul Williams [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Wednesday, November 22, 2006 10:31 AM Subject: Re: [ActiveDir] Enterprise Domain Controllers

Re: [ActiveDir] Is it 2000 or 2003?

2006-11-17 Thread Paul Williams
Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Thursday, November 16, 2006 11:50 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is it 2000 or 2003? I don't understand

Re: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-16 Thread Paul Williams
It varies depending on the CSE Neil. The behaviour usually reverts with Admin Templates. Security settings don't revert, but can roll back if they're set elsewhere (like you said). Darren's already covered Software installation. For example, if you set

Re: [ActiveDir] Is it 2000 or 2003?

2006-11-16 Thread Paul Williams
I don't understand where you are seeing this info. Are you referring to the applet that is used to raise the FL? Or something else? As for the flag that is used to identify the directory, it is usually a combination of: msDS-Behavior-Version nTMixedDomain supportedCapabilities Or at

Re: [ActiveDir] Password Police Question on Forest-ChildDomain relationship

2006-11-14 Thread Paul Williams
Answering your questions directly. 1. All GPOs have the same settings as they use the same template(s) when created. This is probably for simplicity and ease of use. You can add more ADM templates, and also add CSEs and therefore other settings if you so wish. I don't think you can remove

Re: [ActiveDir] /3GB and/or /USERVA and/or /PAE???

2006-11-06 Thread Paul Williams
You need 4GT enabled (/3GB switch) if these only function as DCs. There's not much info. on this, but if you want to get the maximum LSASS footprint into RAM (~2.7GB) then you need to enable 4GT. If you're running K3 SP1 Enterprise then PAE is enabled by default and therefore the boot.ini

Re: [ActiveDir] Active Directory Health Check tool - where can it run from?

2006-11-01 Thread Paul Williams
I assume you are referring to the ADST tool that you get if you're a premier customer and MSFT come and do an AD Healthcheck. As far as I know, this can be run from anywhere (in the domain), as it's really just a bunch of VBS

Re: [ActiveDir] DMZ DOMAIN?

2006-10-24 Thread Paul Williams
If you take a look at the Windows 2000 clustering training material (I don't have it handy so my vocabulary will be sketchy) there is a setup where you make the nodes the DCs for the domain that the cluster resides in. I've never implemented such a setup though, so can't vouch for it in

Re: [ActiveDir] OT: Bulk Workstation reboots.....

2006-10-19 Thread Paul Williams
workstations are not scattered all over the place. They are placed over 4 locations This site has 3 DCs, which are all W2k3 R2 GC enabled. Any impact problems to be aware of? but thanks for the script! Frank Paul Williams [EMAIL PROTECTED] wrote

Re: [ActiveDir] Latency in List

2006-10-18 Thread Paul Williams
Yeah, I sort of bitched about it last month when I had some time to reply. I see about 90 - 100 minute delays. --Paul - Original Message - From: Vinnie Cardona [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Wednesday, October 18, 2006 1:00 AM Subject: RE: [ActiveDir]

Re: [ActiveDir] OT: Bulk Workstation reboots.....

2006-10-18 Thread Paul Williams
Here's a script I've used in the past to do what you want: -- http://groups.google.com/group/microsoft.public.windows.server.active_directory/msg/3be4867f843df935 I wouldn't worry about the computer logons if you do this out of hours, e.g. run the script via a scheduled task or simply

Re: [ActiveDir] userAccountControl 544

2006-10-17 Thread Paul Williams
If you create with ADSI, e.g. _vbscript_, and don't set a password before the initial setInfo you get 2 + 32 + 512. If you then set the password, you can un-set 32. If you don't set a password and you have a password restriction policy, you cannot un-set 32 or

Re: [ActiveDir] Discovering LDAPS availability

2006-10-11 Thread Paul Williams
The project that I'm working on makes heavy use of LDAPS. However, at the moment, we favour the latter statement - the built DCs don't leave staging until the certs are pulled. They must be signed off, and that's one of the last items on the deployment check list. We'll probably automate

Re: [ActiveDir] FW: Script to move user account and computer accounts

2006-10-09 Thread Paul Williams
Look at ADMOD or ADMT for xdom move. If you actually want to copy a user, look at ADMT. Note. ADMT won't perform a copy, when operating intra-forest, by default. But you can configure it to do so IIRC. Other options are to

Re: [ActiveDir] [OT] Exchange 2007 Schema

2006-10-09 Thread Paul Williams
LOL. It's in the rest room I'm told... --Paul - Original Message - From: Rich Milburn [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, October 06, 2006 6:56 PM Subject: RE: [ActiveDir] [OT] Exchange 2007 Schema For the BrettSh T-Shirt, my vote is for the line to

Re: [ActiveDir] finding users that password never expire.

2006-10-09 Thread Paul Williams
Perform an AND query. In ADFIND, this looks like this: adfind -default -bit -f "(&(objectCategory=person)(userAccountControl:AND:=65536))" cn If you want to use ADUC, or something else, you'll need to use this: (&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))

Re: [ActiveDir] choose between SOAD and Netpro directory Troubleshooter.

2006-10-04 Thread Paul Williams
I assume you mean NetPro Directory Analyser? I've not done much with any, but we've got NetPro Directory Troubleshooter here and from what I've seen of it, it doesn't compare with Quest's SOAD as it does more proactive, task oriented stuff. I've not seen NetPro's analyser. Quest's SOAD is

Re: [ActiveDir] ADFS and certs

2006-09-25 Thread Paul Williams
Perhaps Tomasz and I should blog about this more for now. :) Yeah, you guys do that please! This looks like it's taking off, and some of it is a real black art for some infrastructure people... --Paul - Original Message - From: Joe Kaplan [EMAIL PROTECTED] To:

Re: [ActiveDir] LDAP query assistance

2006-09-25 Thread Paul Williams
Great answer Joe. I completely missed the multi-domain issue, thinking (as I wrote) that was only an issue for DLGs. Oh well, you've certainly refreshed my memory and answered the question admirably. As you can tell from this, and from our off-line conversation, I'm just using ASQ all the

Re: [ActiveDir] LDAP query assistance

2006-09-22 Thread Paul Williams
Something like this, against a GC: (|(&(objectCategory=person)(memberOf=dn of group 01))(&(objectCategory=person)(memberOf=dn of group 02))(&(objectCategory=person)(memberOf=dn of group 03))) You can also do it the way you want using ASQ if you don't mind DN as the output. Here's an

Re: [ActiveDir] different version of R2 available?

2006-09-21 Thread Paul Williams
When we spoke with the PM out in Redmond it was said that the feature that allows you to copy a file on one replica and that file get made up on another with very little replication traffic, e.g. a comparison taken on the local source and then only the deltas replicated (just like the rest

Re: [ActiveDir] DC Establishing Session to client on TCP139

2006-09-21 Thread Paul Williams
It's probably SMB (CIFS). The NT5.x client service attempts to establish SMB sessions using both 445 and 137/8/9 (whichever one). The first to reply is what is used. If 445, it's SMB over TCP/IP. If the NetBT 3, then it's SMB over NetBIOS over TCP/IP (NetBT). Note. It doesn't use all three

Re: [ActiveDir] How are folks setting hidden user attribs?

2006-09-21 Thread Paul Williams
We populate this on user creation because we use provisioning systems (bespoke stuff that was written for the project(s)). For some of our smaller customers, there were scripts that were run to populate this stuff. Initially a bulk import, followed by monthly updates or adhoc updates via the

Re: [ActiveDir] [OT] mSDS-Approx-Immed-Subordinates - How does it work?

2006-09-21 Thread Paul Williams
Joe, How is the DS calculating these values? The reason I ask is I've always found it to be way off. For example, take a look at the following output against one of my ADAM instances: D:\dev\dotnet\vb\ds>adfind -h .:5 -b ou=people,dc=test-lab,dc=com -s one -f

Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-17 Thread Paul Williams
Lucky you : ) I'm in an environment where we're doing this now, and I'm not happy with how it's being done (I think we can be even more secure ;-), which means I've accidentally volunteered to re-look at it all for the next iteration of the design cycle... (bollocks) --Paul -

Re: [ActiveDir] Strange password issue

2006-09-17 Thread Paul Williams
No worries. It's a big thread that has spawned several different threads of discussion. --Paul - Original Message - From: Akomolafe, Deji To: ActiveDir@mail.activedir.org Sent: Friday, September 15, 2006 5:32 PM Subject: RE: [ActiveDir] Strange password

Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-17 Thread Paul Williams
especially if the layer-8 issues are not resolved up front. Al On 9/15/06, Paul Williams [EMAIL PROTECTED] wrote: Neil, Try a re-read of the first couple of chapters of the first part of the deployment guide book designing and deploying directory and security services. Obviously it doesn't

Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-17 Thread Paul Williams
DAs got nothing to do with it. It makes it easier, but this can be done by someone without any account at all. --Paul - Original Message - From: Bernard, Aric [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Sent: Friday, September 15, 2006 10:33 PM

Re: [ActiveDir] Strange password issue

2006-09-15 Thread Paul Williams
Not really, as it's now 512 and can't get to that state without a password meeting complexity. --Paul - Original Message - From: Akomolafe, Deji To: ActiveDir@mail.activedir.org Sent: Friday, September 15, 2006 4:52 AM Subject: RE: [ActiveDir] Strange

Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread Paul Williams
Neil, Try a re-read of the first couple of chapters of the first part of the deployment guide book designing and deploying directory and security services. Obviously it doesn't spell out how to do this -it doesn't even allude to how this is done- but does emphasise when and when not to go

Re: [ActiveDir] VBScript Container Security

2006-09-15 Thread Paul Williams
I can't point you at any examples, but most of the documentation I read and from what MSFT people said at conferences, reckons you should grant full control to the group for SMS servers on that container. That's horse sh!t -you need to grant create and

Re: [ActiveDir] need help

2006-09-15 Thread Paul Williams
Look into the Win32_Service class for info. on how to view and manage services via script. Or, if you fancy calling EXEs and not handling everything in code, use the SC.EXE tool. --Paul - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org

Re: [ActiveDir] dsget error

2006-09-13 Thread Paul Williams
It must be some kind of issue with the DS* tools. I was using a combination of ADFIND and DSMOD last week to enable ~200,000 user objects (I forgot to set a password in a script that created a bunch of objects and therefore had a shed load of objects with uac of 546) and it would die every

[ActiveDir] Handling different schemas - managing maintaining updates

2006-09-13 Thread Paul Williams
I can't get too specific about the requirements, so please don't ask ;-) I'm looking for your ideas, opinions and experience on how you maintain different sets of schemas for different forests that you manage (for the same customer). Basically, consider this: you have an internal domain

Re: [ActiveDir] Handling different schemas - managing maintaining updates

2006-09-13 Thread Paul Williams
You know ITIL. It's all guidelines and advice, etc. It's not hands on processes for you (or if it is, I slept through all that). We obviously have a structured process for testing additions. My question is more around technically implementing such a process, with minimal intervention,

Re: [ActiveDir] Strange password issue

2006-09-11 Thread Paul Williams
Have you actually seen this behaviour? As it was my understanding that this particular policy is processed by SCE outside of normal policy application (by the PDCe - I can't remember how often, 60 minutes comes to mind but I don't know why). I've tried to document this here: --

Re: [ActiveDir] Strange password issue

2006-09-11 Thread Paul Williams
_summary.shtml Policy Log Reporter (Free) http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml - Original Message - From: Paul Williams To: ActiveDir@mail.activedir.org Sent: Monday, September 11, 2006 7:06 PM Subject: Re: [ActiveDir] S

Re: [ActiveDir] Strange password issue

2006-09-08 Thread Paul Williams
Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account? Any

Re: [ActiveDir] Strange password issue

2006-09-08 Thread Paul Williams
But it's possible that someone changed this policy, created the account, and changed it back. I've done this myself (several times for service accounts to avoid [HP] protect tool's obfuscation process). It might not even have been intentional. One admin could have messed with the policy

Re: [ActiveDir] Strange password issue

2006-09-07 Thread Paul Williams
But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't

Re: [ActiveDir] Strange password issue

2006-09-07 Thread Paul Williams
check the password length. Andrew Fidel "Paul Williams" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 09/07/2006 07:35 AM Please respond to ActiveDir@mail.act

Re: [ActiveDir] Strange password issue

2006-09-07 Thread Paul Williams
Yeah, I think I saw your post last night. Mail was taking 70 minutes to come through last night. It's not really academic or obsolete, as this proves that it couldn't have been 544 and set back to 512. Which means that it is more than likely the password, or lack of, was set when the

Re: [ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Paul Williams
If the permissions are being reset it is the result of DSPROP. Google adminSDHolder or look at this: -- http://www.msresource.net/content/view/38/46/ The reason this is happening is because these users are members (directly or indirectly) of groups considered protected, e.g.

RE: [ActiveDir] Strange password issue

2006-09-06 Thread Paul Williams
PWD_NOT_REQ is 32. You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

RE: [ActiveDir] Strange password issue

2006-09-06 Thread Paul Williams
Pressed send before I finished typing! : ( Following on from the last mail You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this? If you test this, when you set the policy to

Re: [ActiveDir] Rid Master recovery

2006-09-05 Thread Paul Williams
Use NTDSUTIL to seize the role(s) - kb255504. Follow the steps in kb216498 to clean AD (metadata and FRS objects) and DNS. --Paul - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, September 05, 2006 1:02 PM

Re: [ActiveDir] Completely OT: Maroons

2006-09-04 Thread Paul Williams
Posh! I prefer browns myself. Well, actually, reds... --Paul - Original Message - From: Mark Parris [EMAIL PROTECTED] To: ActiveDir.org ActiveDir@mail.activedir.org Sent: Monday, September 04, 2006 4:30 PM Subject: Re: [ActiveDir] Completely OT: Maroons The only notes I use are

Re: [ActiveDir] Rid Master

2006-09-04 Thread Paul Williams
Google RID FSMO for the functions of the RID master. Many people, including myself [1], have documented this. This info. is easily findable on the big wild web. As for how to view the RID of a user object, there are several ways. An easy way is to download ADFIND (www.joeware.net) and type

Re: [ActiveDir] nslookup. AD beginer question

2006-08-29 Thread Paul Williams
If you do NSLOOKUP DOMAIN-NAME.COM then you will get a list of all the DNS servers for that domain. For example, if you are using AD-Integrated DNS, you will get a list of any DCs that are also DNS servers. Basically, that command returns the (Same as parent) records for the domain. If you

Re: [ActiveDir] nslookup. AD beginer question

2006-08-29 Thread Paul Williams
Probably because it's a secondary server. Check to see if that IP is hosting a secondary copy of the zone. --Paul - Original Message - From: Ramon Linan To: ActiveDir@mail.activedir.org Sent: Monday, August 28, 2006 10:04 PM Subject: RE: [ActiveDir]

Re: [ActiveDir] Site down for 36 hours so far - anything proactive to do?

2006-08-29 Thread Paul Williams
Not much that you can do other than filter out the replication errors from your monitoring solution, so that calls aren't needlessly raised. A couple of days won't cause you any issues. Just ensure that everything is replicating and talking properly when things come back online. --Paul

Re: [ActiveDir] nslookup. AD beginer question

2006-08-29 Thread Paul Williams
If you don't have a host record (A) for the hostname "sami", then you should delete the SRV record [1]. If that isn't a DC, look at the KB mentioned by Steve and I. I've seen a bunch of XP workstations registering in DNS in the past. --Paul [1] Assuming of course that you don't have a

Re: [ActiveDir] nslookup. AD beginer question

2006-08-29 Thread Paul Williams
be sure to drink my first coffee of the day _before_ replying in the future! --Paul (No I didn't spot the error; I was notified offline ;-) - Original Message - From: Paul Williams To: ActiveDir@mail.activedir.org Sent: Tuesday, August 29, 2006 10:43 AM Subject: Re

Re: [ActiveDir] Problem in AD

2006-08-24 Thread Paul Williams
Then your problem is likely a DNS issue. Ensure that all clients are pointing to at least two DCs. Ensure that your DCs are pointing to at least two as well, as they're also DNS clients. --Paul - Original Message - From: Pankaj Verma [EMAIL PROTECTED] To:

Re: [ActiveDir] [OT] Longhorn Beta

2006-08-18 Thread Paul Williams
environment to create a Longhorn DC. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Thursday, August 17, 2006 10:01 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] [OT] Longhorn Beta http

Re: [ActiveDir] LDAP Logon Name

2006-08-17 Thread Paul Williams
Not quite. You need to escape the comma like so: (&(objectCategory=person)(objectClass=user)(displayName=phelps\, k*)) --Paul - Original Message - From: Matheesha Weerasinghe [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Monday, August 14, 2006 8:46 PM Subject: Re:

Re: [ActiveDir] LDAP Logon Name

2006-08-17 Thread Paul Williams
You need to escape the comma, as a comma is a delimiter and in the case of displayName it shouldn't be a delimiter: (&(objectCategory=person)(objectClass=user)(displayName=phelps\, k*)) I've not read the whole thread, so can't discuss whether or not this is the best way to do what you

Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-17 Thread Paul Williams
I'm not in a position to test whether this is a forest-wide or domain-wide principal. However, when you can't find something you think should be there, you should search the GC. I've seen numerous people have issues with a user or group not existing only to find it's in a parent domain.

Re: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Paul Williams
Valid point. But you should [try and] restore from the backup that ran the night before and that you verified successfully completed before you applied the patch... ;-) If you have a document process that goes through the proper change control, then there shouldn't be any reason to do

Re: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Paul Williams
I have. When bulk-patching NT 4 servers several died (OS was trashed, not the h/w) and had to be restored from the backup the night before. There was that issue where the patch wrote ntoskrnl beyond the 7.8 GB section of the disk, although that hit workstations more than servers as they'd

Re: [ActiveDir] [OT] Longhorn Beta

2006-08-17 Thread Paul Williams
http://connect.microsoft.com/ --Paul - Original Message - From: WATSON, BEN To: ActiveDir@mail.activedir.org Sent: Thursday, August 17, 2006 4:35 PM Subject: [ActiveDir] [OT] Longhorn Beta Outside of my MSDN account is there a preferred way to

Re: [ActiveDir] ADFind Query

2006-08-15 Thread Paul Williams
Yeah right! Our customers still have hundreds of NT 4 boxes... I saw some (three) production 3.51 boxes four months ago... --Paul - Original Message - From: joe [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, August 15, 2006 2:34 AM Subject: RE: [ActiveDir] ADFind

Re: [ActiveDir] Restoring RID

2006-08-14 Thread Paul Williams
Restore it as you would any other DC. The documentation that you refer to is either out of date, or incorrect. The DS will invalidate the current RID pool when you restore and request a new one from the RID master (itself) which should be the same value as it was when it went down (if the

Re: [ActiveDir] fRSMemberReference - NTFRS

2006-08-14 Thread Paul Williams
Which object are you trying to modify the fRSMemberReference attribute on? You need to modify that attribute on the nTFRSSubscriber object called CN=Domain System Volume (SYSVOL) which is located in the CN=NTFRS Subscriptions container underneath the computer object for the DC. You do not

Re: [ActiveDir][OT] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-08-14 Thread Paul Williams
Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Friday, July 14, 2006 6:33 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Always point a DC with DNS installed

Re: [ActiveDir] machine GP load

2006-08-10 Thread Paul Williams
I just whipped up this _vbscript_ to get you started. I don't have time to provide a more detailed breakdown as that involves a little extra thought, but this should point you in the right direction... Save, for example, as c:\count.vbs and run, from CMD, like so: cscript c:\count.vbs

Re: [ActiveDir] machine GP load

2006-08-10 Thread Paul Williams
Ha ha. That's why my post says to run using CSCRIPT. --Paul - Original Message - From: Ramon Linan To: ActiveDir@mail.activedir.org Sent: Thursday, August 10, 2006 2:31 PM Subject: RE: [ActiveDir] machine GP load I tried it out, I was hitting

Re: [ActiveDir] UPPER case for username

2006-08-09 Thread Paul Williams
I've not tested this (just hashed it up as I read your post, so there's probably going to be some syntax errors, etc. --please test first). But here's a quick and dirty vbscript that should change all uppercase accounts to lowercase. set oConn=createObject("ADODB.Connection") set

Re: [ActiveDir] Weak AD passwords

2006-08-09 Thread Paul Williams
Lophcrack was purchased by Symantec and is now sold as an enterprise security product. It's called LC5, I believe, but has recently been discontinued (after symantec stopped selling it to people outside of North America) and support runs out at the end of the year. Which is a

Re: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Paul Williams
Yes, you can relocate the SYSVOL. It's just a little more involved (couple of extra steps, not difficult) than moving the DIT. See: -- http://support.microsoft.com/?id=842162 However, if I might be so bold as to make a suggestion here, I would recommend you leave SYSVOL where it is, giving

Re: [ActiveDir] DCs Hyper-Threading

2006-08-08 Thread Paul Williams
I believe, from a past conversation, that disabling hyper-threading on bridgehead servers with lots of inbound connections, i.e. in enterprise deployments, should be *considered* as the replication queue has two parallel threads for processor, core or hyper threading processor as the system

Re: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Paul Williams
I believe the school of thought here is that the person has write access to the same volume as the DIT, which means he/ she can easily perform DOS attacks, etc. by filling up the disk. I agree it's unlikely, but there you go. Take the [real] examples of where people with write access to

Re: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Paul Williams
Yeah, I'm not disagreeing with what you and Darren say. In fact, I mostly agree. I'm just working in a high security environment where every detail is scrutinised and extra care needs to be taken with everything. I've always been one of these people that try and look at both sides of the

Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-04 Thread Paul Williams
schema.ini would qualify as very not supported ... -B On Thu, 3 Aug 2006, Paul Williams wrote: It might be worth looking at the %systemroot%\system32\schema.ini file again. I just had a poke around in there after reading Dean's answer

Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-04 Thread Paul Williams
Touching schema.ini would qualify as very not supported ... -B On Thu, 3 Aug 2006, Paul Williams wrote: It might be worth looking at the %systemroot%\system32\schema.ini file again. I just had a poke around in there after reading

Re: [ActiveDir] OT: DNS entry

2006-08-04 Thread Paul Williams
If you've got the necessary auditing enabled in your domain, and you had auditing ACEs configured on the DNS zone (location depends, generally you'd set it on the CN=MicrosoftDNS folder) then yes, you can. But you'll have to search each DC's security event log for this info. Otherwise, you
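As an added example (mine, not the poster's), the two halves of what the post describes in PowerShell: putting an audit ACE on CN=MicrosoftDNS, then pulling the resulting directory-change events from every DC, because each DC only logs the writes it processed itself. It assumes the ActiveDirectory module, Windows Server 2008 or later DCs with the "Audit Directory Service Changes" subcategory enabled (changes land as Security event 5136; on Windows Server 2003 the equivalent is event 566 under "Audit directory service access"), and that the zone lives in the domain partition; for zones in the DomainDnsZones or ForestDnsZones partitions change `$zoneContainer` accordingly. The record name used in the usage line is a placeholder.

```powershell
# Added example, not code from the mailing-list post.
# Assumes: ActiveDirectory module, Windows Server 2008+ DCs, "Audit Directory Service Changes"
# enabled, and the zone stored in the domain partition (CN=MicrosoftDNS,CN=System,<domain>).
Import-Module ActiveDirectory
$domainDN      = (Get-ADDomain).DistinguishedName
$zoneContainer = "CN=MicrosoftDNS,CN=System,$domainDN"     # assumption: domain-partition zones

# 1. Audit ACE on the container: log successful writes/creates/deletes by anyone, inheriting
#    to every zone and dnsNode object beneath it. Needs SeSecurityPrivilege to write the SACL.
$acl      = Get-Acl -Path "AD:\$zoneContainer"
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, DeleteChild, Delete'
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
                $everyone, $rights,
                [System.Security.AccessControl.AuditFlags]::Success,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$zoneContainer" -AclObject $acl

# 2. Who changed a given record? Query every DC's Security log for event 5136 and keep the
#    events whose object DN mentions the record. The DN of a record is DC=<name>,DC=<zone>,...
function Get-DnsRecordChange {
    param(
        [Parameter(Mandatory)][string]$RecordName,          # e.g. 'www'
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $pattern = 'DN:\s+DC=' + [regex]::Escape($RecordName) + ','
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $Since } |
        Where-Object { $_.Message -match $pattern } |
        ForEach-Object {
            # Field values are parsed out of the rendered message text rather than by property
            # index, so the parse does not depend on the 5136 template's field order.
            [pscustomobject]@{
                DC        = $dc
                Time      = $_.TimeCreated
                Actor     = [regex]::Match($_.Message, 'Account Name:\s+(\S+)').Groups[1].Value
                Attribute = [regex]::Match($_.Message, 'LDAP Display Name:\s+(\S+)').Groups[1].Value
                ObjectDN  = [regex]::Match($_.Message, 'DN:\s+(.+)').Groups[1].Value.Trim()
            }
        }
    }
}

# Usage (record name is a placeholder):
Get-DnsRecordChange -RecordName 'www' | Sort-Object Time | Format-Table -AutoSize
```

Dynamic updates from clients show up with the client's computer account as the actor, which is normally what you want to see; updates written through the DNS server service on behalf of a non-secure dynamic update will not carry a useful actor, which is one more reason to keep zones set to secure updates only.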

Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-03 Thread Paul Williams
I've done this a couple of times, but on the exchange gateway servers, not on an SBS box. I've never seen SBS. Anyway, the easiest way to do this is to create a second virtual SMTP server and set it to listen on port 26 (and send on 25). Configure the first virtual server to send on 26 (its

Re: [ActiveDir] OT: SBS question

2006-08-03 Thread Paul Williams
I've never seen SBS, but my younger brother has just started a new job (first one since leaving Uni) and bought a new server and it came with SBS. When he built it it appeared he had no choice but to make it a DC, even though he only wanted it as a member server - there's already an SBS box

Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Paul Williams
It might be worth looking at the %systemroot%\system32\schema.ini file again. I just had a poke around in there after reading Dean's answer to your question yesterday and the first section, the [DEFAULTROOTDOMAIN] section is

Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Paul Williams
Ah nice, you got there before me with a better answer! :P I'm poking around in there now, as I'm in a similar position to Neil at the mo'. Question: Can I provide schema.ini as an argument to the promotion or unattended or

Re: [ActiveDir] Remove Defunct domains..

2006-08-03 Thread Paul Williams
See KB216498 for the info on the NTDSUTIL cleanup. Basically you need to perform a metadata, DNS and FRS cleanup. That KB details all the necessary steps. You'd determine the IP address of the workgroup by the 1B and 1C records registered for that name. The domain master browser is
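The three clean-ups the post names (metadata, DNS, FRS), as an added PowerShell walk-through that is mine rather than the KB's or the poster's. It assumes the ActiveDirectory and DnsServer modules on a Windows Server 2008 R2 or later admin host, Domain Admin rights, and the placeholder names `OLDDC`, `Default-First-Site-Name` and the TEST-NET address `192.0.2.10`, all of which you replace with the dead DC's values. The one-line `ntdsutil` form used in step 1 is the Windows Server 2003 SP1 and later syntax; on older versions you walk the interactive `connections` / `select operation target` menus described in KB216498 instead.

```powershell
# Added example, not from the mailing-list post or KB216498. Placeholders are assumptions.
Import-Module ActiveDirectory, DnsServer
$oldDc  = 'OLDDC'                                   # NetBIOS name of the DC that is gone
$oldIp  = '192.0.2.10'                              # its last IP address (TEST-NET-1 placeholder)
$site   = 'Default-First-Site-Name'                 # site it lived in
$domain = Get-ADDomain
$zone   = $domain.DNSRoot
$dns    = (Get-ADDomainController -Discover).HostName | Select-Object -First 1   # a live DC

# 1. Metadata cleanup: remove the dead server's NTDS Settings object from the config partition.
$serverDn = "CN=$oldDc,CN=Servers,CN=$site,CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# 2. DNS cleanup: anything still pointing at the old DC. Host (A) records by address, then
#    SRV/CNAME/NS records in the zone and in _msdcs by target name.
$target = "$oldDc.$zone"
Get-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $oldIp } |
    Remove-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -Force

foreach ($z in @($zone, "_msdcs.$zone")) {
    $records = Get-DnsServerResourceRecord -ComputerName $dns -ZoneName $z -ErrorAction SilentlyContinue
    $records | Where-Object {
        ($_.RecordType -eq 'SRV'   -and $_.RecordData.DomainName    -like "$target*") -or
        ($_.RecordType -eq 'CNAME' -and $_.RecordData.HostNameAlias -like "$target*") -or
        ($_.RecordType -eq 'NS'    -and $_.RecordData.NameServer    -like "$target*")
    } | Remove-DnsServerResourceRecord -ComputerName $dns -ZoneName $z -Force
}

# 3. SYSVOL replication member object. FRS and DFSR keep it in different places; remove
#    whichever one still exists (newer ntdsutil builds already do this, so usually neither does).
$leftovers = @(
    "CN=$oldDc,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$($domain.DistinguishedName)",
    "CN=$oldDc,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$($domain.DistinguishedName)"
)
foreach ($dn in $leftovers) {
    try {
        $obj = Get-ADObject -Identity $dn -ErrorAction Stop
        Remove-ADObject -Identity $obj -Recursive -Confirm:$false
        Write-Output "removed leftover $dn"
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # nothing to do for this replication engine
    }
}

# 4. Sanity check: nothing in the directory should still reference the server.
repadmin /showrepl | Select-String $oldDc
```

Run step 2 against one DC only; the zone is AD-integrated, so the deletions replicate. After replication converges, `nltest /dsgetdc:<domain>` from a client should never return the old name, and any site links or connection objects that named it should be gone from Sites and Services.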

Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Paul Williams
Am hwyl, dwi am ymateb drwy beidio â dweud dim byd mwy nag adlewyrchu dy bwynt! (Welsh: Just for fun, I'm going to reply by saying nothing more than echoing your point!) - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, August 03, 2006 2:10 PM

Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Paul Williams
Ha ha. (I don't actually speak Welsh. A friend of mine translated my English sentence into Welsh for that witty reply). - Original Message - From: Dean Wells To: Send - AD mailing list Sent:
