I have two users in the Account Operators
group. I delegated full control for AD Sites and Services. I want to allow them
to have the ability to manually force DC replications. They are getting an
Access Denied when they try to force replication. What else did I not do
correctly?
Title: [ActiveDir] _gc and _ldap SRV records
So reading this am I correct in
this interpretation? I should remove the _msdcs domain from xyz.root and
instead create a new zone called _msdcs, cycle netlogon to force registration
of records?
:m:dsm:cci:mvp
Hi
From a search in the activedir archives with the key words Replication
Delegating, you'll find Jorge's answer for delegating replication to a
non-admin user.
From the delegation wp:
Replication Management Tasks
Force replication between two servers
Extended right Replication
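The whitepaper quote above is cut off at "Extended right Replication". The extended right that governs a forced sync is Replication Synchronization (with Manage Replication Topology for connection-object changes), and it has to be granted on each naming context the users should be able to sync, not on the Sites container that full control over AD Sites and Services covers, which is why the Account Operators members in the opening question still get Access Denied. The script below is an added example, not code from the thread; the group name is an assumption, and the GUIDs are the controlAccessRight values from the AD schema. It also checks that the same group has not been given the neighbouring Replicating Directory Changes rights, which let a principal pull every attribute, password hashes included, out of the directory and must never be part of this delegation.

```powershell
# Added example, not from the thread. Grants a group the extended rights needed to
# force replication on every naming context, then audits that the group does NOT
# also hold the "Replicating Directory Changes" rights. Group name is an assumption.
Import-Module ActiveDirectory

$group = 'CORP\ReplOperators'   # assumed delegated group
$sid   = (New-Object System.Security.Principal.NTAccount($group)).Translate(
            [System.Security.Principal.SecurityIdentifier])

$rootDse    = Get-ADRootDSE
$partitions = $rootDse.defaultNamingContext,
              $rootDse.configurationNamingContext,
              $rootDse.schemaNamingContext

# controlAccessRight GUIDs from the AD schema (rightsGuid attribute)
$grant = @{
    'Replication Synchronization' = [guid]'1131f6ab-9c07-11d1-f79f-00c04fc2dcd2'
    'Manage Replication Topology' = [guid]'1131f6ac-9c07-11d1-f79f-00c04fc2dcd2'
}
$dangerous = @{
    'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

foreach ($dn in $partitions) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($guid in $grant.Values) {
        # One Allow ACE per extended right on the partition head object, no inheritance
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $guid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))
    }
    Set-Acl -Path "AD:\$dn" -AclObject $acl

    # Audit: an Allow ACE for this group carrying either DCSync-class right is a finding
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference.Value -eq $group -and
                       $_.AccessControlType -eq 'Allow' -and
                       $dangerous.ContainsValue([guid]$_.ObjectType) } |
        ForEach-Object {
            Write-Warning "$group holds a Replicating Directory Changes right ($($_.ObjectType)) on $dn"
        }
}

# Check from a session running as a member of the group (destination DC, source DC, NC):
#   repadmin /replicate DC2 DC1 "$($rootDse.defaultNamingContext)"
```

Run it once per forest on a machine with the ActiveDirectory module; the Access Denied in the opening question should clear as soon as the ACEs have replicated to the DC the users are pointing AD Sites and Services at.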
We have an upcoming
project which will require an LDAP directory containing both our internal users,
and our extranet users. Currently, our internal users are in one AD domain, the
extranet users are in another. The domains are in separate forests, and there
are no trusts.
My plan is to
creating a separate zone for _MSDCS.ForestRootDomain.tld is especially
interesting in multiple domain forests. In single domain forests it is not
needed as all DCs in the domain with DNS already get the info through the zone
ForestRootDomain.tld. Although not needed I always configure a
grin yep... that is what I would have said../grin
;-))
#JORGE#
From: TIROA YANN [mailto:[EMAIL PROTECTED]
Sent: Fri 7/29/2005 3:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Control Delegation
Hi
From a search in the activedir archives
We are running 2000 AD. I have two groups named the same. One group is a
security group and one is a distribution. They are in different OU's. Can
having a Management security group cause some type of issue with a Management
Distribution group in AD? The Management distribution group
Title: DCPromo Answer file, no DNS.
Hi All,
I have set up a Win2K domain (single DC, SP3) and have joined a Win2K3 member server. I have promoted the W2K3 Member server using a dcpromo answer file, but cannot seem to force it to install DNS.
Any ideas ??
Brad
PS: Answer file below.
It shouldn't cause you a problem. The reason is because they don't have the
same name other than the displayname. Everything else should be different.
Al
From: [EMAIL PROTECTED] on behalf of Christine Allen
Sent: Fri 7/29/2005 10:24 AM
To:
Here is the link.
http://www.goatstore.com/eventlogs.zip
Thanks,
Charlie
-Original Message-
From: Carerros, Charles [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 27, 2005 9:26 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Event Log Question
With the number of
Title: [ActiveDir] _gc and _ldap SRV records
Whats
the difference or adverse effects of just making a secondary copy of the root
domain zone on every DNS server in a multi domain forest, as that zone contains
the _msdcs.forestrootdomain zone, instead of partitioning just the
_msdcs zone?
Hi,
Does anyone know if it's possible to tweak a domain controller so that
authentication requests from a client that exceed 2000 bytes (not sure if
that's the default for Windows 2000 domains / XP) may be authenticated by the
DC.
I know it's possible with a registry hack on the client by
Hello,
We use MIIS 2003 to synchronise users identity between AD2003, openldap, Oracle
9i, and that works pretty good.
MIIS includes preintegrated directory to manage such as ADAM, novell
edirectory, Active Directory, DSML, Oracle 9i, and many more called Management
Agents (MA) or connectors.
We just push this registry setting out to all of our workstations:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001
This forces all kerberos traffic to use TCP.
-Original Message-
From: [EMAIL PROTECTED]
Devan,
I'm still poking around for a more authoritative answer, but I don't believe
that there is a 'server side' setting for changing that behavior.
To really understand why, think about who needs to authenticate with whom.
It's not the server starting the conversation ;o)
Rick
Hi Rick,
I absolutely agree but I was hoping there was a way to set this variable on
the server side.
Worst-case scenario, this may have to be tweaked client-side. By forcing these
clients to authenticate using TCP, does it add latency to the authentication
process when they return to their home
No latency. Like I said, we just push that registry setting out to all
users. I've never seen a difference when logging in.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Friday, July 29, 2005 11:26 AM
To: ActiveDir@mail.activedir.org
Cool, Thanks
Original Message Follows
From: Ken Cornetet [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] UDP vs TCP
Date: Fri, 29 Jul 2005 11:32:31 -0500
No latency. Like I said,
Hi,
We need the Fast User Switching Service to start
automatically when we restart a client but of course this is disabled as it is
part of a domain. Is there anyway to use GPO, scripts etc to exert a control
over Windows Services?
Thanks guys,
A startup script is probably your best bet. Alternatively,
you can use Services Security policy to change the startup state of a service,
which will give you what you need at reboot.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David J.
Kinsella
Sent: Friday, July 29,
MIIS looks pretty complex, but it is something that can be figured out
(I've gotten it working so it can't be that hard ;) The thing I found
with MIIS is that things aren't where you think they would be, and
some switches/options do things that you're not expecting. There are
some good Q articles
each group in AD (distribution and/or security) must have a unique
samaccountname (pre-windows 2000 name) within the domain and must have a unique
common name within a container/OU.
Your groups have the same common name and they can exist because they are in
separate OUs. That's OK. Moving
the difference is the number of records in the zone that are replicated or
transferred. Creating a separate zone for _MSDCS.ForestRootDomain.tld only
replicates or transfers that content instead of replicating everything in
ForestRootDomain.tld
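The procedure the original question proposes (drop the _msdcs subtree from the forest-root zone, create _msdcs.ForestRootDomain.tld as its own zone, have Netlogon re-register) is spelled out below as an added example; it is not from the thread. Zone, DC and address names are assumptions, and it uses the DnsServer PowerShell module, so it needs a Windows Server 2012 or later DNS server. Two details the thread does not mention: the new zone should be forest-wide (ForestDnsZones) with secure dynamic updates only, so every DNS server in the forest gets the DC locator records and only authenticated DCs can write them, and the forest-root zone needs an NS delegation for _msdcs so that resolvers which do not host the new zone can still follow the name down.

```powershell
# Added example, not from the thread: move _msdcs.<forest root> into its own
# forest-replicated zone, delegate to it, re-register the DC's records and verify.
# Names and addresses below are assumptions.
Import-Module DnsServer

$forestRoot = 'corp.example.com'
$msdcsZone  = "_msdcs.$forestRoot"
$dcName     = 'dc1.corp.example.com'
$dcIp       = '10.0.0.10'

# 1. New AD-integrated zone in ForestDnsZones; Secure so only DCs (via Netlogon) can register
if (-not (Get-DnsServerZone -Name $msdcsZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $msdcsZone -ReplicationScope Forest -DynamicUpdate Secure
}

# 2. Remove the stale _msdcs subtree from the root zone, then delegate _msdcs to the new zone
dnscmd /NodeDelete $forestRoot _msdcs /tree /f
Add-DnsServerZoneDelegation -Name $forestRoot -ChildZoneName '_msdcs' `
                            -NameServer $dcName -IPAddress $dcIp

# 3. Ask Netlogon to re-register the SRV records instead of restarting the service.
#    Run this on every DC once the new zone has replicated to its DNS server.
nltest /dsregdns

# 4. Verify the DC locator records resolve through the delegation
Resolve-DnsName -Name "_ldap._tcp.dc.$msdcsZone" -Type SRV |
    Where-Object QueryType -eq 'SRV' |
    Select-Object NameTarget, Port, Priority, Weight
```

If step 4 returns nothing, check that the delegation NS record points at a server that actually hosts the new zone before touching anything else; a DC that cannot find its own _ldap._tcp.dc._msdcs records stops being locatable by clients and other DCs.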
I'm not sure if I understand your
I have MIIS, but have not used it for our OpenLDAP to Active Directory Sync.
Before I got MIIS I wrote python scripts to sync our LDAP with our Active
Directory. I don't sync passwords via the scripts, because I have
another PHP script that sets the user password on both directories when
I have a question about Kerberos that I hope you guys can help me with.
In our environment, our client base (servers and workstations) has a different
DNS name than the domain where their authenticating DCs reside. They are
members of the same Active Directory domain, but due to decisions
One of the best MIIS lists I've found is [EMAIL PROTECTED] As far
as books, haven't found one. I think MIIS is now finally offered as a MOC
course.
:m:dsm:cci:mvp
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Friday, July 29, 2005 1:30
Title: Search User Accounts for Password Reset Date
I know it's possible to search user accounts for the Last logged in
date but is it possible to generate a list of the date and time each
user account is set to expire? On our old domain, Novell (gag) would
display the time and date that a
Greetings,
I've been a lurker here for quite some time and have had a relatively quiet AD
until recently.
We have a small network with 2K servers and a mix of 2K and XP2 workstations.
Until recently, everything was fine.
Then Something Happened.
I'm not sure what started the ball rolling, but
May look strange but are you running McAfee 8.0i??
Got someone that had something similar and the TDI driver of VS8 was the
culprit...
-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of vex
Sent: Friday, July 29, 2005 4:15 PM
To:
Michel-
Care to elaborate? We have 8.0i in the lab and I haven't noticed any ill
effects on the DC's but this certainly caught my eye as we are scheduled to
move it over to production soon.
Thanks
Bob
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
What happens when you run DCDIAG from the broken DC ?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Friday, July 29, 2005 1:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgh... troubleshooting
Michel-
Care to
Anything in the event logs? Is it possible that it was messed up by a
virus, see odd processes running? Maybe try a root kit revealer. Were
patches recently applied? Is the clock in sync with the other DCs?
Thanks,
JD
-Original Message-
From: vex [mailto:[EMAIL PROTECTED]
Sent:
Make sure the DNS settings on the server are correct in the IP properties. If
one of your servers or DCs is looking at the wrong DNS then you will have a
problem. I
Separately I had a similar problem in late April when I applied a security
patch from MS. It fubared the tcpip stack with
We are trying to
reorganize our forest and move accounts to one domain with multiple child
resource domains, mostly for political reasons that most Universities are
familiar with. What tool(s) are available besides ADMTv2 to migrate users from
one domain to another within the same forest?
I'm starting a new job in a week as a AD/Exchange engineer(I posted about my
anxieties before on the list).
This company used to outsource all their AD/Exchange infrastructure and now
they want to take control of it.
As it stands, their relationship with the outsourcing firm is rocky.
While the
Bruyere, Michel wrote:
May look strange but are you running McAfee 8.0i??
Got someone that had something similar and the TDI driver of VS8 was
the culprit...
No McAfee products on site, but I *did* just upgrade that server to Pervasive 8.
But according to my notes, the problem was occurring
Found this, under Troubleshooting Active Directory : http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/d87e1c8f-2e6b-4ce3-b72b-7108acc6aecb.mspx
More
to the point there are some special security checks in DCDIAG for 2003 SP1 that
may be able to help. From the
My own opinion is that the organization should demand from the
consulting firm the administrator password or an equal account
immediately (as in, while they are on the phone with the person before
even hanging up).
Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
We've been using the Quest migration
suite lately and have had pretty good success; the biggest selling point
for me was that, unlike ADMT and the NetIQ (which are pretty much one and the same,
except NetIQ will let you undo and is supposed to actually work
:D) was that it did a
I second this. My first order of business would be to get a
Domain/Enterprise admin account shortly followed by whatever
documentation they have (or whatever they are willing to give you).
The documentation will be light (or non-existent), but you should ask
for it anyway.
Phil
On 7/29/05,
I've seen issues with McAfee both with the Buffer Overflow checker hanging
DCs and with the scanner causing contention on the DIT files themselves that
were solved once we rebooted and excluded those directories from the scan. If
you're using a 3rd party backup tool that might be trying to
ADMT pretty much has the functionality of the good 3rd party migration
tools as far as migrations and security translations go. Where the 3rd
party tools shine is in complex migration schedules, migrations with
complex servers (SQL, IIS etc.) and they tend to offer easier/better
reporting/logging.
Original Message
From: Figueroa, Johnny
To: ActiveDir@mail.activedir.org
Sent: Friday, July 29, 2005 3:24 PM
Subject: RE: [ActiveDir] Urgh... troubleshooting
Found this, under Troubleshooting Active Directory :
There is a MOC course for MIIS and another one that touches on MIIS
while going over Security and Access Management:
2731: Deploying and Managing Microsoft(r) Identity Integration Server 2003
http://www.microsoft.com/learning/syllabi/en-us/2731afinal.mspx
2804: Microsoft(r) Security Guidance
The Quest tool copies the user? I didn't know that was possible, all
Intraforest migrations I have seen have been moves.
Phil
On 7/29/05, Rob Ryan [EMAIL PROTECTED] wrote:
We've been using the Quest migration suite lately and have had pretty good
success – the biggest selling point for me
Man, last night I must've been feeling brazen (or bored), because I
usually don't tell customers about disabling replication, esp. not how to
do in the entire forest in one whack ... esp. not on a forum ... some
warnings last nights mail should've come with ...
Warning 1: YOU MUST MUST MUST still
I wonder whether anyone has tried the ADAM
Synchronizer for similar scenarios:
http://www.microsoft.com/downloads/details.aspx?familyid=06787254-d7f4-4fff-8e02-2609956cb19e&displaylang=en
The documentation is pretty vague about
the way the target objects are created.
Guy
This article may provide some help.
The DNS suffix of the computer name of a new domain
controller may not match the name of the domain after you install upgrade a
Windows NT 4.0 Primary domain controller to Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;257623
From:
One thing, and one thing only that I can say to this:
You cannot be responsible or be expected to run or manage this environment
until you take control of the DCs and REMOVE any other principal from ALL DC
and Exchange related groups - and add yourself to these groups (at least
initially - we can
Determine the max time of the password in the password policy and retrieve the
pwdLastSet attribute from each user. As the attribute pretends it is the moment
the password was changed the last time
Cheers
#JORGE#
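The arithmetic Jorge describes (pwdLastSet plus the domain's maximum password age) is carried out below as an added example, not code from the thread, with the cases where that arithmetic gives the wrong answer handled explicitly: a user flagged DONT_EXPIRE_PASSWORD in userAccountControl, a pwdLastSet of 0 (which means "must change at next logon", not 1601), and a domain with no maximum age. On Windows Server 2008 or later DCs the constructed attribute msDS-UserPasswordExpiryTimeComputed gives the DC's own answer, which also honours fine-grained password policies, so it is shown alongside for comparison. Domain and user data come from the live directory; nothing is assumed beyond having the ActiveDirectory module.

```powershell
# Added example, not from the thread: password expiry per enabled user from
# pwdLastSet + maxPwdAge, next to the DC-computed value where available.
Import-Module ActiveDirectory

$maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge   # TimeSpan; zero means no maximum
$DONT_EXPIRE_PASSWORD = 0x10000                                 # userAccountControl bit

Get-ADUser -Filter 'Enabled -eq $true' `
           -Properties pwdLastSet, userAccountControl, 'msDS-UserPasswordExpiryTimeComputed' |
ForEach-Object {
    $flagged = ($_.userAccountControl -band $DONT_EXPIRE_PASSWORD) -ne 0

    # pwdLastSet is a FILETIME (100-ns ticks since 1601-01-01 UTC); 0 = must change at next logon
    $lastSet = if ($_.pwdLastSet -gt 0) { [DateTime]::FromFileTimeUtc($_.pwdLastSet) } else { $null }

    $expires = if ($flagged -or ($maxAge -eq [TimeSpan]::Zero)) { 'never' }
               elseif ($null -eq $lastSet)                       { 'must change at next logon' }
               else                                              { $lastSet.Add($maxAge) }

    # Constructed attribute (2008+ DFL); Int64.MaxValue is the DC's way of saying "never"
    $computed = $_.'msDS-UserPasswordExpiryTimeComputed'
    $dcView   = if ($computed -and ($computed -ne [Int64]::MaxValue)) {
                    [DateTime]::FromFileTimeUtc($computed)
                } else { $null }

    [pscustomobject]@{
        User          = $_.SamAccountName
        PwdLastSetUtc = $lastSet
        ExpiresUtc    = $expires
        DcComputedUtc = $dcView
    }
} | Format-Table -AutoSize
```

Where ExpiresUtc and DcComputedUtc disagree for a user, a fine-grained password policy applied to that user or one of their groups is the usual reason, and the DC's value is the one that will actually be enforced.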
From: [EMAIL PROTECTED] on behalf of [EMAIL
when doing intra forest migrations some tools are destructive, meaning the old
user account is deleted before the new one is created. Reason is with an intra
forest migration the GUID does not change (SID does) the problem with this is
it does not provide fallback. In fact it is a MOVE. As I
the first thing that comes up is: who is able to access a DC (as in logon
locally or through TS). I'm not going forward with what I want to say, because I
don't want to give wrong ideas!
Cheers
#JORGE#
From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Sat
the only way I know of with the AD/AM sync is from AD to AD/AM and not the
other way around.
#JORGE#
From: [EMAIL PROTECTED] on behalf of Guy Teverovsky
Sent: Sat 7/30/2005 1:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: MIIS, ADAM, AD