RE: [ActiveDir] Anyone ever convert dnsRecord attribute?

2004-03-31 Thread joe
Nah I think you missed what I was saying. When I said AD is a big bucket of nails, I was trying to say, it is an LDAP directory, it's in the owner's manual. Being an LDAP directory, the natural way of retrieving info out of it is with LDAP. You simply need to work out the format of the data

RE: [ActiveDir] Global Catalogs and the Infrastructure Master

2004-03-31 Thread joe
Ok it sounds like you left a DC in each domain as a non-GC simply to hold the infrastructure master roles. If that is the case, yes, promote all DCs to GCs. - http://www.joeware.net http://www.joeware.net/(download joeware) http://www.cafeshops.com/joewarenet (wear joeware)

[ActiveDir] Windows 2003 and Windows 98 issue

2004-03-31 Thread Peter Johnson
Hi all and greetings from darkest South Africa. This is my first query to the gurus on the list. This is my scenario. I have a native mode Windows 2000 forest that I'm upgrading to Windows 2003. It's a single domain forest and this is what I've done so far. 1) Run adprep

RE: [ActiveDir] Windows 2003 and Windows 98 issue

2004-03-31 Thread Patrick - IT Department
I would say you should be running in mixed mode -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson Sent: Wednesday, March 31, 2004 9:21 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Windows 2003 and Windows 98 issue Hi all

RE: [ActiveDir] Windows 2003 and Windows 98 issue

2004-03-31 Thread Grillenmeier, Guido
also disable the "Domain Member: Digitally encrypt or sign secure channel data (always)" security option in the Default Domain Controller policy however, don't forget to re-enable this after you've upgraded all your Win98 clients /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

RE: [ActiveDir] Windows 2003 and Windows 98 issue

2004-03-31 Thread Rutherford, Robert
Are you using the domain name when using your login name, i.e. domain\username? -Original Message- From: Peter Johnson [mailto:[EMAIL PROTECTED] Sent: 31 March 2004 15:21 To: [EMAIL PROTECTED] Subject: [ActiveDir] Windows 2003 and Windows 98 issue Hi

RE: [ActiveDir] Windows 2003 and Windows 98 issue

2004-03-31 Thread Burns, Clyde
Did something similar to ourselves at my company and got the same results. What is going on is that you need to have the first 2003 domain controller to have the PDC Emulator FSMO. The article http://support.microsoft.com/?kbid=325379 "How to Upgrade Windows 2000 Domain Controllers to Windows

[ActiveDir] Cross forest policies - boxes in Win2k domain, users in win2k3 single domain forest

2004-03-31 Thread Wilkinson, Stephen
Hello all, Having moved all of our users from an NT4 account domain to a Windows 2003 domain, we have a requirement to set policies on our Citrix servers which sit in a separate Windows 2000 forest,

[ActiveDir] windows 2003 domain

2004-03-31 Thread Kern, Tom
If I have a forest where one domain has upgraded to windows 2003 at the win2k functional forest and domain level, would this have an adverse effect on other domains which were running dc's with win2k sp2 or vice versa? Do those dc's/gc's need to be at least sp3? Thanks List info :

Re: [ActiveDir] Global Catalogs and the Infrastructure Master

2004-03-31 Thread Tony Murray
Cody As others have indicated, you will have no issues with setting the IM role holder DCs as GCs. For a really good article that explains why, have a look at: http://www.mcpmag.com/columns/article.asp?EditorialsID=403 Here's another article which covers GC placement generally:

RE: [ActiveDir] windows 2003 domain

2004-03-31 Thread E Brown
You really want to get to SP4. SP3 is minimum but in terms of security fixes plan to get to SP4 soon for compatibility. Patching is very important. Take a look at SUS or SMS. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Wednesday, March

[ActiveDir] Testing other GPO's to DC's

2004-03-31 Thread Devan Pala
Hi, I'm sure this has been covered in previous posts but how can I create a GPO object and link it to the Domain Controllers OU but only apply it to a couple of domain controllers for testing purposes? Is it removing the authenticated users group and adding the specific domain controllers to

RE: [ActiveDir] Unable to modify GPO Policy

2004-03-31 Thread Steve Shaff
Okay, here is everything that I have tried, applied and modified. I have a few problems on a DC on a sub-domain. If I open the mmc on either my desktop or on the sub-domain's DC, it gives me an access is denied. But, If I open up an mmc console on the parents DC, I have no problem. I am

RE: [ActiveDir] Testing other GPO's to DC's

2004-03-31 Thread Darren Mar-Elia
Yes, that's exactly it. Grant those specific DCs the Read and Apply Group Policy rights on the GPO. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala Sent: Wednesday, March 31, 2004 12:08 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Testing

RE: [ActiveDir] Cross forest policies - boxes in Win2k domain, users in win2k3 single domain forest

2004-03-31 Thread Mulnick, Al
Why do cross-forest trusts only work with W2K3? I may have missed some piece of information, but have you seen this? http://support.microsoft.com/?kbid=823862 From: Wilkinson, Stephen [mailto:[EMAIL

Re: [ActiveDir] Unable to modify GPO Policy

2004-03-31 Thread Tim Hines
Did you try connecting to the share by UNC path from the DC and from your workstation? Was that test successful? -- Tim Hines, MCSE, MCSA Windows 2000 Directory Services = When responding to posts, please Reply to Group via your newsreader so

[ActiveDir] Domains Separated by Firewall

2004-03-31 Thread andy . schan
Hi: We are doing an AD/E2K3 migration, and we have a scenario that I haven't found covered in the archives: Our AD forest presently consists of an empty forest root, with a single child domain. We have a division, however, with significantly higher security requirements than the rest of the

RE: [ActiveDir] Domains Separated by Firewall

2004-03-31 Thread Coleman, Hunter
Are you sure that the separate domain will meet the organization's requirements? Remember, the forest is the security boundary, not the domains. Hunter -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 31, 2004 11:36 AM To: [EMAIL PROTECTED]

RE: [ActiveDir] Unable to modify GPO Policy

2004-03-31 Thread Steve Shaff
It was not successful. It prompted me for a username and password. S -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Hines Sent: Wednesday, March 31, 2004 11:11 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Unable to modify GPO Policy Did you

RE: [ActiveDir] Domains Separated by Firewall

2004-03-31 Thread andy . schan
I'm aware of that; that's still to be decided on, and I'm still gathering all the requirements. Meanwhile, I'm looking into whether this is technically feasible. Thanks, Andy Are you sure that the separate domain will meet the organization's requirements? Remember, the forest is the

RE: [ActiveDir] Domains Separated by Firewall

2004-03-31 Thread Jorge de Almeida Pinto
Hi Andy, Check out the following: * Active Directory in Networks Segmented by Firewalls - http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en * Restricting Active Directory Replication Traffic to a Specific Port (MS-KBQ224196) -

RE: [ActiveDir] Domains Separated by Firewall

2004-03-31 Thread andy . schan
I've been reading these papers, but most of them assume resource sharing and/or cross-domain authentications happening; the scenario I'm looking at (security boundaries/requirements being looked at separately) is simply having replication between the domains (and mail flow, but that's a separate

RE: [ActiveDir] Domains Separated by Firewall

2004-03-31 Thread rmcdonald
Return Receipt Your RE: [ActiveDir] Domains Separated by Firewall document :

RE: [ActiveDir] Domains Separated by Firewall

2004-03-31 Thread Mulnick, Al
Andy, a domain separated by a firewall in the same forest is feasible and it sounds like you're on the right track as far as concerns and architecture. Keep in mind that there are new features in the Exchange application as well that make it different than the 5.5 setup you currently have. You'll

[ActiveDir] Restore

2004-03-31 Thread Salandra, Justin A.
I have a question for everyone, If I have a facility that is using the same back up and tape drive as me, could I take their tapes and access the backed up data on those tapes and restore that data to an alternate location? Justin A. Salandra, MCSE Senior Network Engineer Catholic Healthcare

RE: [ActiveDir] Restore

2004-03-31 Thread Roger Seielstad
Yup... That's the idea. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 31, 2004 4:40 PM To:

RE: [ActiveDir] Restore

2004-03-31 Thread Fuller, Stuart
This is also why most backup software vendors offer the ability to password protect the information on the tapes. -Stuart Fuller -Original Message- From: Roger Seielstad [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 31, 2004 2:53 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir]

RE: [ActiveDir] Domains Separated by Firewall

2004-03-31 Thread Andy Schan
Thanks, I'll be looking at it from that side as well. I was originally under the impression that the AD architecture was done, and that I just had to do the engineering, but it appears that's not the case- I'll be convening meetings with them to get the architecture finalized before I go into the

RE: [ActiveDir] Domains Separated by Firewall

2004-03-31 Thread Mulnick, Al
If that doesn't work, you may want to consider IPSec tunnels if the firewall can support. Simplifies the config and secures the transport. The overhead is on the server but you can buy NIC's that offload the processing. If you use the tunnel, it's two ports and a protocol to setup and works

[ActiveDir] AD Query

2004-03-31 Thread rmcdonald
Does anyone know of a way that I can pull a query of AD that lists each user, what OU they are in and what groups they belong to

RE: [ActiveDir] Domains Separated by Firewall

2004-03-31 Thread Andy Schan
IPSec is another option I'm considering, but I'd like to think the SMTP link approach would be more straightforward; once this project is completed, it's being turned over to an Operations shop, so I'd like to keep it simple for their sake. -Original Message- From: [EMAIL PROTECTED]

RE: [ActiveDir] AD Query

2004-03-31 Thread Grillenmeier, Guido
dsquery (comes with 2k3, but also works fine on 2000). Get OU from DN of user objects. Get groups from memberOf attribute (will not be complete in multi-domain forests, but maybe good enough for what you need) /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL

RE: [ActiveDir] Testing other GPO's to DC's

2004-03-31 Thread Grillenmeier, Guido
or create a sub-ou underneath the domain controllers OU which you link the GPO to. then put those DCs into the sub-OU. not only good for testing purposes... /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Mittwoch, 31. März

[ActiveDir] Released! Windows Server 2003 Active Directory Branch Office Guide

2004-03-31 Thread David Adner
Enjoy. Windows Server 2003 Active Directory Branch Office Guide http://www.microsoft.com/downloads/details.aspx?FamilyId=9353A4F6-A8A8-40BB-9FA7-3A95C9540112&displaylang=en List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive:

RE: [ActiveDir] Domains Separated by Firewall

2004-03-31 Thread Eric Fleischman
Actually, Guido you can also use SMTP to replicate PAS data. That facilitated GCs across the firewall. (you said just config and schema, which I assume was just an oversight, but wanted to be sure we were all clear) I've done this. What sorts of guidance are you looking for? It's typically fairly