[ActiveDir] Integrating IIS and AD

2005-08-09 Thread MeWe
Hmm.. I was thinking.. I am not so familiar with Server 2003. I have 4 servers.. And 2 of them are running the domain, and the last 2 are meant for IIS. So here is my question, how do I integrate the 4 servers into each other? And is it possible to integrate AD and IIS if they are running on

RE: [ActiveDir] Integrating IIS and AD

2005-08-09 Thread Ken Schaefer
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MeWe Subject: [ActiveDir] Integrating IIS and AD : I have 4 servers.. : And 2 of them are running the domain, and the last 2 : are meant for IIS. So here is my question, how do I : integrate the

Re: [ActiveDir] Integrating IIS and AD

2005-08-09 Thread Tomasz Onyszko
MeWe wrote: Hmm.. I was thinking.. I am not so familiar with Server 2003. I have 4 servers.. And 2 of them are running the domain, and the last 2 are meant for IIS. So here is my question, how do I integrate the 4 servers into each other? And is it possible to integrate AD and IIS if they are

RE: [ActiveDir] Integrating IIS and AD

2005-08-09 Thread Almeida Pinto, Jorge de
I presume you are asking how you can make the IIS servers use the user accounts and groups in AD? If that is the question, the answer is: * Add those IIS servers to the AD domain (right click My Computer, select Properties, click on the Computer Name tab, click on Change, select Domain, enter

[ActiveDir] OT: RIS client failing to join domain

2005-08-09 Thread Dan Stanford
Sorry to bug the list with this one, but I am currently pulling large bunches of hair out trying to fix it. I have RIS set up on a fresh install of 2003, and certain clients (well most of them) are failing to join the domain during the build process. I have installed any NIC drivers to i386 and

RE: [ActiveDir] DCPromo Answer file....no DNS.

2005-08-09 Thread Smith, Brad
Title: DCPromo Answer file....no DNS. Thanks Brian/Dan, this is now up and running perfectly. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme Sent: Wednesday, August 03, 2005 8:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DCPromo Answer file....no

RE: [ActiveDir] Virtual Domain Controllers

2005-08-09 Thread Smith, Brad
Title: Virtual Domain Controllers We run multiple DCs on GSX and ESX. Everything seems to have gone fine so far, and MS will give their best endeavours on support. Most of the time they don't even ask us if the DC is virtual ;-) Also, ensure that the time sync capability is disabled in the

[ActiveDir] OT - NT System Policy Leftovers

2005-08-09 Thread Lucia Washaya
Return Receipt Your [ActiveDir] OT - NT System Policy Leftovers document :

Re: [ActiveDir] AD migration

2005-08-09 Thread Tom Kern
Sorry to keep harping - but if you have a trust between a child Win2K domain in one forest and a root or child domain in another forest, does this use WINS or DNS? I know this is not a real forest trust and more like an external trust in that it's not transitive and uses NTLM and NOT Kerberos, but

[ActiveDir] Replication Question

2005-08-09 Thread Carerros, Charles
Alright, I'm noticing something that I think is odd and I was wondering if I'm just losing it. We have a multi-domain empty root forest structure and I'm the DA of one of those child domains. Also, our network is not fully routed. (Although my domain is fully routed.) I have a few DCs where

[ActiveDir] Replication White paper

2005-08-09 Thread John Parker
Hello and good day... I was wondering if someone could direct me to a white paper that would give me a go-to on how to set up a fallback Exchange server. Basically I just want to set up an identical server and have the data from my front-side Exchange box replicated to the back-house Exchange

RE: [ActiveDir] Replication Question

2005-08-09 Thread Marcus.Oh
AFAIK topology is a ring. All servers issue pull replication... so they don't necessarily need a one-to-one relationship or bidirectional flow. DC03 for example - replicates with DC01, DC01 replicates with DC02, DC02 replicates with DC03... :m:dsm:cci:mvp -Original Message- From:

RE: [ActiveDir] Replication White paper

2005-08-09 Thread Michael B. Smith
That capability is not present in the current Exchange product. There are a number of third party solutions that fill the feature void. Probably NeverFail and DoubleTake are the most visible solutions in that space. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On

RE: [ActiveDir] Preferred Bridgeheads

2005-08-09 Thread Dean Wells
The other David pretty much covered it, with perhaps the exception of Virtual DCs; in the past I've tended to avoid placing intersite load on Virtual DCs, though I prefer to achieve such a result using staging/lag/latent (or whichever term you prefer) sites, assuming the customer in question

[ActiveDir] OT: quick cluster question

2005-08-09 Thread Jason Benway
On a Windows 2003 cluster running A/P, if you manually fail over the cluster, I would think the passive node would not show the shared drive in 'My Computer', but on my new cluster they do, although they are not accessible. If I reboot the passive node, they don't show in 'My Computer'. This cluster is

Re: [ActiveDir] Loosing Printer Connectivity on clients regularly - W2K3 LAN

2005-08-09 Thread Peter Jessop
It would be helpful to know exactly how the print queues are mounted and what you mean by 'lose printer connectivity'.

Re: [ActiveDir] OT: quick cluster question

2005-08-09 Thread Peter Jessop
This is the case at least with Windows 2000.

RE: [ActiveDir] Replication Question

2005-08-09 Thread Carerros, Charles
I think what was just throwing me off is all conceptual. I was wondering why DC03 and DC04 don't replicate but now I think I figured it out. The sites they are in aren't adjacent and because we aren't fully routed we prevented the creation of non-adjacent links to be established unless we do

RE: [ActiveDir] Preferred Bridgeheads

2005-08-09 Thread David Cliffe
Thanks for your comments David A. and Dean :-) You may have surmised my reason for asking. We have a few sites where a single preferred BH has been designated and, although it puzzled me, I never really questioned it before. Our environment is such that this seems unnecessary, so it's time

[ActiveDir] OT: VP Programming in Access

2005-08-09 Thread Salandra, Justin A.
I need some programming help. How do I get this to work? I have a form and when I click a button I want it to place the date in a date field if there is no date there; if there is a date there then I don't want it to do anything. If Date_Created is null then Date_Created = Date Else

RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
Really, it uses neither. The NetBT is involved, but because we are on (at present) untrusted domains and forests, WINS isn't going to work. Typically, this is done with an LMHosts file in the \Drivers\ETC directory. The records are going to be very specific, as they will define the domain of the

RE: [ActiveDir] Replication Question

2005-08-09 Thread Marcus.Oh
That must be why I drink so much of it! :m:dsm:cci:mvp -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, August 09, 2005 10:59 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Replication Question I think

Re: [ActiveDir] AD migration

2005-08-09 Thread Tom Kern
Why can't you just use stub zones or conditional forwarding for this to work? Or if NetBT is involved, can you just configure your WINS servers to replicate? I thought WINS replication had nothing to do with NT security; you just enter the IP of the partner servers... Thanks On 8/9/05, Rick

[ActiveDir] Adding custom fields to AD

2005-08-09 Thread Steve Shaff
Group, My manager wanted me to check, even though I don't think that it is possible, but I will present the question. He would like to add some custom fields, about 30, to AD. He would like to add bio information into AD to be pulled by SharePoint and other applications for people to read.

RE: [ActiveDir] Replication White paper

2005-08-09 Thread John Parker
Thank you... We are looking into the Failover solution. John Parker, MCSE IS Admin. Senior Technical Specialist Alpha Display Systems. Alpha Video 7711 Computer Ave. Edina, MN. 55435 952-896-9898 Local 800-388-0008 Watts 952-896-9899 Fax 612-804-8769 Cell 952-841-3327 Direct [EMAIL

RE: [ActiveDir] OT: quick cluster question

2005-08-09 Thread Rick Kingslan
This, too, has been my experience with Windows Server 2003 in a SAN (EMC) environment. Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop Sent: Tuesday, August 09, 2005 9:19 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: quick

RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
Tom, The solution that I gave you is the only one that I know of. If you are able to get DNS to work (doubtful) or are able to get WINS to replicate across a trust that at the present time doesn't exist, more power to you. However, given the trials and tribulations that you have discussed with

RE: [ActiveDir] Adding custom fields to AD

2005-08-09 Thread Rick Kingslan
Certainly it is possible. And, it's not overly difficult to DO, but the upfront planning that SHOULD be done can be tedious. Remember - this is the schema. My opinion - and it seems to be free today (as if I've ever been afraid to give it...) - This is a job that just screams SQL server. I

[ActiveDir] OT: VB Programming in Access

2005-08-09 Thread Salandra, Justin A.
I need some programming help. How do I get this to work? I have a form and when I click a button I want it to place the date in a date field if there is no date there; if there is a date there then I don't want it to do anything. If Date_Created is null then Date_Created = Date Else

RE: [ActiveDir] OT: VB Programming in Access

2005-08-09 Thread Rick Kingslan
Justin, I know we go off-topic at times, but I suspect that VB assistance, not related to ADSI programming, might be stretching it a bit. That's just my take. There are forums and newsgroups (the VB NG hosted by MSFT for one) that are going to be much more responsive to your need in this case.

RE: [ActiveDir] Adding custom fields to AD

2005-08-09 Thread Coleman, Hunter
...or ADAM. These kinds of requests have a tendency to creep beyond the original scope, which can have unintended consequences if the upfront planning falls short. Hunter -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Tuesday,

[ActiveDir] NT 4 Permissions

2005-08-09 Thread Salandra, Justin A.
It has been a while since I have had to deal with this, but I am about to migrate another one of my domains and I have a question about NT 4 Share and NTFS Permissions. Is it the same in NT as it is in 2000/2003, that the scenario below is true? Root Folder - NTFS Everyone Full Control, Share

RE: [ActiveDir] NT 4 Permissions

2005-08-09 Thread Rick Kingslan
Correct. Effective permissions for anyone who is a member of Domain Users is READ on the files in the folder. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Tuesday, August 09, 2005 1:00 PM To:

RE: [ActiveDir] OT: VB Programming in Access

2005-08-09 Thread Rick Kingslan
This is the web-based forums in the MSDN Community: http://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=32 Cheers! Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Tuesday, August 09, 2005 1:04 PM To:

RE: [ActiveDir] NT 4 Permissions

2005-08-09 Thread Salandra, Justin A.
As well as the folders in the folders, right? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Tuesday, August 09, 2005 2:14 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] NT 4 Permissions Correct. Effective

RE: [ActiveDir] NT 4 Permissions

2005-08-09 Thread Marcus.Oh
Yep. Anytime you have NTFS and share perms, the most restrictive wins. :m:dsm:cci:mvp -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Tuesday, August 09, 2005 2:00 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] NT 4

RE: [ActiveDir] Virtual Domain Controllers

2005-08-09 Thread Seely Jonathan J
Title: Virtual Domain Controllers Thanks, Brad. That is very good to hear. I also appreciate the tips. JJ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Tuesday, August 09, 2005 3:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Virtual

RE: [ActiveDir] AD migration

2005-08-09 Thread Bernard, Aric
Tom, While I am sure that Rick has some document in which using LMHosts files is identified as a best practice, I can assure you that it is quite feasible to use WINS to accomplish the name resolution requirement for the task at hand: creating an external trust between two domains with different

RE: [ActiveDir] NT 4 Permissions

2005-08-09 Thread Rick Kingslan
Yes - as long as NTFS inheritance of permission is not disrupted. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Tuesday, August 09, 2005 1:23 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] NT 4 Permissions

[ActiveDir] Kerberos Delegation

2005-08-09 Thread Free, Bob
We have a developer who wants us to allow delegation for a couple of SQL servers and their service accounts so he can do distributed queries across linked servers. This is new ground for us from an AD perspective that I have just started researching, and I'd like to hear others' thoughts, policies

Re: [ActiveDir] AD migration

2005-08-09 Thread Tom Kern
Sorry, I wasn't trying to be tricky. I actually suggested the LMHOSTS solution but the consultants from IBM who are planning the migration with MS are going the DNS route. MS hacked the formerly AD-integrated DNS from the root zone to be a standard primary zone for our domain for this

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Bernard, Aric
Assuming that you are aware of what constrained delegation is, how it operates, and what it should be used for... Anytime you allow someone or something to impersonate, err, act on behalf of another security principal, there is always cause for concern. Constrained delegation certainly provides

RE: [ActiveDir] Adding custom fields to AD

2005-08-09 Thread joseph.e.kaplan
The downside of both of these approaches (SQL and ADAM) is that they require some sync of accounts. One nice thing about putting the data into AD is that it is just there for applications to consume if they need it. Your accounts follow your normal account management process. No additional sync

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Rick Kingslan
Bob, Make no mistake - I'm really not a fan of allowing Act as part of the operating system or the Impersonation privilege. That being said - from the work that I have done with other web developers needing access to SQL or application servers, constrained delegation is the best method that I

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread joseph.e.kaplan
Do you have details on the accounts that will be delegated? With constrained delegation, it is pretty straightforward to limit which accounts can delegate to which other services, but you might want to be very careful about limiting who gets delegated. One really good idea is marking all the

RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
Tom, Argumentative - no. Tricky, no - I didn't think that at all. (*Trick* is an old racing term of mine that leaks out now and again Simply means doing something others don't do... It's not a bad term at all). As Bernard pointed out - there's a thing or two that I didn't account for. He

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Free, Bob
Assuming that you are aware of what constrained delegation is, how it operates, and what it should be used for... That's the point of my query, I certainly don't understand all I know about it and we have never allowed it, at this point I have just begun to scratch the surface. I was totally

RE: [ActiveDir] AD migration

2005-08-09 Thread joe
I didn't read the entire thread so maybe this is answered, but this stuck out to me: why isn't WINS going to work? Neither WINS replication nor name resolution requires any trusts or even authentication. It is all entirely unauthenticated, with replication being handled through IP address based

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread joseph.e.kaplan
Rick, I agree with your points on CD, but what are you talking about here with Act as part of the operating system? That doesn't need to get enabled anywhere to use constrained delegation. Generally, that only tends to get added to accounts on Windows 2000 that need to call the LogonUser API,

RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
U Well, one - I like simplicity. Two, I'm not a big fan of WINS. If all we're trying to do is to establish trust for a migration... Besides, Bernard has already been here to show me the error of my ways, Thank you. ;o) Rick -Original Message- From: [EMAIL PROTECTED]

RE: [ActiveDir] Problem at remote site

2005-08-09 Thread Jennifer Fountain
I ended up sending another DC to the site so I could just re-add this server to the domain, but AD will not start on that box. I keep getting an error - RPC server unavailable. We have approx 9 DCs (4 at HQ and one at each remote site). We have DCs at our other remote sites (diagram below):

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Bernard, Aric
Bob, As Rick and Joe mentioned, as far as allowing a system to do something on behalf of a user, constrained delegation is a pretty good solution. Your developers' need, as I understand it, is as follows: User connects to a front application server (i.e. web server) and authenticates to that server

RE: [ActiveDir] AD migration

2005-08-09 Thread joe
Ah, it is a personal aversion to WINS at the crux here... I see. ;o) WINS is great, I loved it. I ran a huge WINS architecture and it ran well, but then it was well configured and well monitored. MS didn't make it easy to monitor it; actually I think they tried everything they could to make it so

RE: [ActiveDir] AD migration

2005-08-09 Thread Bernard, Aric
Don't worry Kingslan, I won't hold anything against you! ;) LOL Aric Bernard -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Tuesday, August 09, 2005 2:52 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD migration

RE: [ActiveDir] Problem at remote site

2005-08-09 Thread Steve Linehan
What OS is the new DC running Windows Server 2003 SP1? Do you have a firewall in-between the remote site and HQ? Thanks, -Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain Sent: Tuesday, August 09, 2005 4:54 PM To:

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Rick Kingslan
Correct - we're on the same page. Simply an example of things that I don't like that have been used in the past to allow systems to act upon another by issuing token-based methods. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]

RE: [ActiveDir] Problem at remote site

2005-08-09 Thread Rick Kingslan
Jennifer, "RPC Server is Unavailable" screams Name Resolution problem to me. Have you done a NetDiag or DCDiag on either of these systems? AD can replicate over a modem connection - I've done it over connections with as little as 64k available to small sites (not my choice) as long as IP is available

RE: [ActiveDir] AD migration

2005-08-09 Thread Bernard, Aric
LOL - I probably would not have this problem if I spelled my first name correctly. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, August 09, 2005 3:02 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD migration Ah, it is a

RE: [ActiveDir] Adding custom fields to AD

2005-08-09 Thread joe
I am going to basically say what the others said, only I am going to put it this way: IF the data needs to be available at all locations or a majority of locations where your domain controllers are located, consider adding the data to AD. IF the data is going to be needed only at a couple of sites

Re: [ActiveDir] AD migration

2005-08-09 Thread Tom Kern
Do you mean check off "associate with external account" on the user attribute? Also, how do they see the GAL in the old forest? How does Outlook in the new domain find the GCs in the old domain (I think the answer to this is when it points to the Exchange server in the old forest, DSProxy will direct

RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
Ack! Aric, sorry about that.. I think that I've been almost fooled by that once before and caught myself. The other problem is the format that Outlook displays names in. Some are Firstname Lastname i.e. 'Jennifer Fountain' (or just firstname / nickname / pseudonym, i.e. 'joe') or Lastname,

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Free, Bob
Aric - (Also trying to answer Joe K's questions) The developer owns all 3 of the SQL servers involved, so he definitely has a vested interest in the integrity of the data on the SQL servers. SQL Server runs under a domain service account only used on them. They just wanted me to create the SPNs

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Ken Schaefer
You may want to have Kerberos authentication all the way through, rather than using Protocol Transition. At least in the IIS world, protocol transition involves running your worker processes as LocalSystem rather than any other account, which is yet another security issue you need to manage.

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread joseph.e.kaplan
Agreed here. If you don't need protocol transition, don't use it. This normally only comes up in situations where you have to use Basic auth on the web tier for an Internet-based scenario or something like that. If the web server can use IWA, then you can go Kerberos end to end. Joe K.

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread joseph.e.kaplan
I think you've basically got it. Constrained is the way to go. You might consider implementing unconstrained at first for some testing to make sure you can get it working with the less complicated scenario, but you want to end up using constrained delegation in the final version. I would like

RE: [ActiveDir] Adding custom fields to AD

2005-08-09 Thread Rick Kingslan
joe, You hit the nail on the head with what my problem is with this whole thread - we're dumping crap into AD that really doesn't belong there. Seriously, the data needs to be available to a SharePoint server and some other apps, unless I read something wrong (wouldn't be the first time

[ActiveDir] Maurice McNeill is out of the office.

2005-08-09 Thread MMcNeill
I will be out of the office starting 08/10/2005 and will not return until 08/15/2005. I will respond to your message when I return. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive:

RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
See inline below Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Tuesday, August 09, 2005 5:32 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] AD migration Do you mean check off associate with external account on the

RE: [ActiveDir] Adding custom fields to AD

2005-08-09 Thread joe
I'm sure that if we tried, the TerraServer could be served by a few optimized ADAM servers, don't you think? I realize this is tongue in cheek but no I don't think it would be good. I am not of the opinion that everything should go into an LDAP Store. LDAP isn't really designed for easily