[ActiveDir] Connecting the test environment to the production - what is your opinion?

2005-11-24 Thread Almeida Pinto, Jorge de
Hi All, I would be interested in your feedback concerning the story below. The full story is also available on my blog (http://blogs.dirteam.com/blogs/jorge/archive/2005/11/24/149.aspx). Any feedback on it would be appreciated! If you have questions feel free to ask! Thanks in advance!

RE: [ActiveDir] Connecting the test environment to the production - what is your opinion?

2005-11-24 Thread Almeida Pinto, Jorge de
looks like. It just looks to me like it was glossed over a bit by somebody who's done an upgrade a few times. My thoughts anyway, -ajm From: Almeida Pinto, Jorge de [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Connecting the test

RE: [ActiveDir] Connecting the test environment to the production - what is your opinion?

2005-11-26 Thread Almeida Pinto, Jorge de
PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Thursday, November 24, 2005 7:24 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Connecting the test environment to the production - what is your opinion? Hi All, I would be interested in your feedback concerning the story below. The full

RE: [ActiveDir] Tombstone value

2005-11-28 Thread Almeida Pinto, Jorge de
Max: 999,999,999 days or 2,739,726 years (not including leap years) the network latency must be very very high if even this is not enough... maybe we can undelete some dinosaurs... ;-) Jorge From: [EMAIL PROTECTED] on behalf of Dean Wells Sent: Mon

RE: [ActiveDir] Server Disappeared

2005-11-28 Thread Almeida Pinto, Jorge de
Rick Kingslan burped the following on 25/11/2005 4:24 PM: So Rick, you have started burping answers? ;-)) jorge From: [EMAIL PROTECTED] on behalf of Harald Sent: Mon 11/28/2005 6:11 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Server

RE: [ActiveDir] Disabling Distributed Link Tracking Server on domain Controllers

2005-11-28 Thread Almeida Pinto, Jorge de
ehhh... according to the KB article (http://support.microsoft.com/?id=312403) objects do age out.. QUOTE It is not critical that you manually delete the Distributed Link Tracking objects after you stop the Distributed Link Tracking server service unless you have to reclaim the disk space that

RE: [ActiveDir] Disabling Distributed Link Tracking Server on domain Controllers

2005-11-28 Thread Almeida Pinto, Jorge de
: RE: [ActiveDir] Disabling Distributed Link Tracking Server on domain Controllers Might be a problem if the service is disabled, no? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Monday, November 28, 2005 1:22 PM

[ActiveDir] AD Schema Attribute

2005-11-28 Thread Almeida Pinto, Jorge de
Now this is fun... The AD Schema contains the following attribute: distinguishedName=CN=drink,CN=Schema,CN=Configuration,DC=ADCORP,DC=LAN CN=drink adminDescription=The drink (Favourite Drink) attribute type specifies the favorite drink of an object (or person). isSingleValued=FALSE ;-)

RE: [ActiveDir] Disabling Distributed Link Tracking Server on domain Controllers

2005-11-29 Thread Almeida Pinto, Jorge de
of Almeida Pinto, Jorge de Sent: Tue 11/29/2005 8:20 AM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Disabling Distributed Link Tracking Server on domain Controllers OK, you are right on the choice of words... they don't age out, but will get cleaned

RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread Almeida Pinto, Jorge de
First, look at each role and see what it does... Forest FSMOs * Schema Master -- needed when updating the schema * Domain Naming master -- needed when adding or removing domains within the forest Domain FSMOs * PDC Emulator -- needed for legacy clients (NT4, W9x) when changing passwords,

RE: [ActiveDir] Outlook installed on a DC

2005-11-29 Thread Almeida Pinto, Jorge de
Well, if he was a techie.. he should understand why outlook should not be installed on the DC Jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale Sent: Tuesday, November 29, 2005 16:38 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Outlook

RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread Almeida Pinto, Jorge de
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, November 29, 2005 9:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer First, look at each role and see what it does... Forest FSMOs * Schema Master

RE: [ActiveDir] GC list

2005-11-29 Thread Almeida Pinto, Jorge de
to view all DCs in the forest * repadmin /viewlist * to view all DCs in the domain * run nslookup and configure set type=srv and query for _ldap._tcp.dc._msdcs.yourdomain.tld (per domain) * NLTEST /DCLIST:DomainName * netdom query dc * run replmon and ask for show domain controllers in domain

RE: [ActiveDir] AD Schema Attribute

2005-11-29 Thread Almeida Pinto, Jorge de
Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Monday, November 28, 2005 11:48 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD Schema Attribute

RE: [ActiveDir] AD Schema Attribute

2005-11-30 Thread Almeida Pinto, Jorge de
Pinto, Jorge de wrote: Talking about the British... In the UK pub opening hours are around the clock since a week or so...I think a pub owner could introduce his own AD and use this very interesting attribute for his customers.. ;-) I also looked if it had a cigar(s) attribute, but no luck

RE: [ActiveDir] VBSCRIPT ADSI IADs Get Method

2005-11-30 Thread Almeida Pinto, Jorge de
It is possible... you only have to do it another way... query AD for the object that matches a certain sAMAccountName --- sDomainDNSW2Kx = ADCORP.LAN ssAMAccountName = JORGE Set oConnection = CreateObject(ADODB.Connection) Set

RE: [ActiveDir] joining domain

2005-12-01 Thread Almeida Pinto, Jorge de
Take a look at an article written by Darren Mar-Elia http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=37928 Cheers Jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, December 01, 2005 15:32 To: activedirectory Subject: [ActiveDir] joining

RE: [ActiveDir] next available RID?

2005-12-06 Thread Almeida Pinto, Jorge de
RIDs are requested and distributed in blocks of 500 RIDs. Each DC has at least one block (RidpreviousAllocationpool). When that block has been exhausted for 50% of its RIDs, the DC will ask a new block and store that in the attribute called Ridallocationpool. When that block

RE: [ActiveDir] Delegate disable/enable user accounts

2005-12-06 Thread Almeida Pinto, Jorge de
read/write permission on the useraccountcontrol attribute of the user object. HOWEVER... the disabled/enabled status of a user object is represented by a bit/flag in the useraccountcontrol attribute and that same attribute consists of more bits/flags. So if you delegate read/write permission

RE: [ActiveDir] Netware 5, 2000 AD, and Exchange 5.5 to 2003

2005-12-07 Thread Almeida Pinto, Jorge de
More than half a year ago I did a migration from Netware 5, NT4 and Exchange 5.5 to Windows/Exchange 2003. I remember posting information about it. Guido also posted some info about a migration job he did. Don't remember if it was last year or in the beginning of this year. So you might want to

RE: [ActiveDir] Domain case

2005-12-08 Thread Almeida Pinto, Jorge de
IMHO, a domain rename would be needed if the NetBIOS and/or DNS domain name needed to change. (different structure) Just for changing the case in ADDT a domain rename is not needed. Just did it in my test environment by changing the case of the value of the attribute dnsRoot of the object

RE: [ActiveDir] Domain case

2005-12-08 Thread Almeida Pinto, Jorge de
, as well as in ADDT. [hence domain rename] If the only requirement is to change the name in ADDT then benefit versus pain is really skewed towards pain :) neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: 08

RE: [ActiveDir] Domain case

2005-12-08 Thread Almeida Pinto, Jorge de
is to change the name in ADDT then benefit versus pain is really skewed towards pain :) neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: 08 December 2005 15:52 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir

RE: [ActiveDir] Promote 2003 member server in prep'd 2000 domain?

2005-12-09 Thread Almeida Pinto, Jorge de
Yes you can... The following articles will help you in your migration from W2K/E2K to W2K3/E2K3 and especially when doing an in-place upgrade of the domain: * MS-KBQ314649_W2K3 ADPREP Command Causes Mangled Attributes in W2K Forests That Contain E2K Servers ( http://support.microsoft.com/?id

[ActiveDir] SRV RRs and NSLOOKUP

2005-12-09 Thread Almeida Pinto, Jorge de
Hi, I'm trying to understand the logic of nslookup when querying for all domain controllers... nslookup -type=srv _ldap._tcp.dc._msdcs.domain.tld returns a list of all registered hostnames of the DCs that have registered the record mentioned. At the bottom of the list it also shows the

RE: [ActiveDir] domain policy audit question

2005-12-11 Thread Almeida Pinto, Jorge de
Hi, I have not tried it myself, but for that I guess you could enable audit success on object access in the DD GPO and on each workstation enable auditing on executing files starting from Program Files and lower (and possibly other dirs). The events are logged on local workstations. Although

RE: [ActiveDir] Going Native in root domain

2005-12-13 Thread Almeida Pinto, Jorge de
Issues with Kerberos authentication??? Are you sure? That is available in ALL modes/levels. It must have been something with new features that are introduced when the level is increased... E.g. LVR with Exchange 2000 Cheers, Jorge From: [EMAIL PROTECTED] on

RE: [ActiveDir] DNS issue

2005-12-13 Thread Almeida Pinto, Jorge de
that is because the server is a root server. a DNS server is a root server when it contains a root zone called .(dot) If you want to use forwarders and/or root hint servers you should delete the root zone cheers, jorge From: [EMAIL PROTECTED] on behalf of

RE: [ActiveDir] time sync..

2005-12-13 Thread Almeida Pinto, Jorge de
The PDC FSMO is also important for password changes. See: http://blogs.dirteam.com/blogs/jorge/archive/2005/11/24/161.aspx The PDC FSMO in the forest root domain sync time with an external time source if configured so (also see:

RE: [ActiveDir] Cross forest trust and DNS

2005-12-13 Thread Almeida Pinto, Jorge de
I would think the client receives a list of referrals and use the DC on top of the list and goes down the list until it finds a DC that responds. A client simply does not know why a certain DC does not respond. It can be anything... firewall, network, DC down or whatever. As there is no

RE: [ActiveDir] Cross forest trust and DNS

2005-12-13 Thread Almeida Pinto, Jorge de
anything else. Tony From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Wednesday, 14 December 2005 9:39 a.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Cross forest trust and DNS I would think

RE: [ActiveDir] Reducing number of Global Catalogs

2005-12-14 Thread Almeida Pinto, Jorge de
In a single domain forest you should have all DCs as a GC. Why? There is no additional overhead in terms of replication and/or disk space needed. Only benefits. I would leave it as is cheers, jorge From: [EMAIL PROTECTED] on behalf of Frank Abagnale Sent: Wed

RE: [ActiveDir] dsHeuristics and list object access mode

2005-12-14 Thread Almeida Pinto, Jorge de
have you seen the following: http://www.windowsitlibrary.com/Content/667/04/2.html http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/controlling_object_visibility.asp also look at: http://www.kimberry.co.uk/Downloads/Index.aspx -- Implementing Server Security focusing on

RE: [ActiveDir] Reducing number of Global Catalogs

2005-12-14 Thread Almeida Pinto, Jorge de
The IM is a domain FSMO role. SO the only concern is WITHIN the domain No matter what forest structure you have for each domain the following applies: * If all DCs in a domain are GC, there is no other choice where to put the IM. So no issue here * If at least other DCs in a domain (besides

RE: [ActiveDir] Reducing number of Global Catalogs

2005-12-14 Thread Almeida Pinto, Jorge de
if single domain, etc well I had to ask. And yes refreshing = dcpromo out and dcpromo on new HW. Thanks Paul From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Wednesday, December 14, 2005 2:15 PM To: ActiveDir

RE: [ActiveDir] Interforest Password Migration

2005-12-16 Thread Almeida Pinto, Jorge de
Is everything configured as mentioned in http://support.microsoft.com/kb/326480 Cheers, Jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lloyd Williams Sent: Friday, December 16, 2005 01:58 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Interforest Password

RE: [ActiveDir] Failed DC

2005-12-16 Thread Almeida Pinto, Jorge de
There must be an error code with that error. Can you post it? Cheers, Jorge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford Sent: Friday, December 16, 2005 09:47 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Failed DC Had a

RE: [ActiveDir] Interforest Password Migration

2005-12-16 Thread Almeida Pinto, Jorge de
No. That domain wide authentication thing you mention is called selective authentication. Although the selection you made is OK, that is not what you need in this case to get admin permissions on the source domain. To read more about selective authentication see:

RE: [ActiveDir] Interforest Password Migration

2005-12-16 Thread Almeida Pinto, Jorge de
SAM enumeration via Group Policy you're also likely to end up with problems accessing resources. Regards, Mylo Almeida Pinto, Jorge de wrote: No. That domain wide authentication thing you mention is called selective authentication. Although the selection you made is OK, that is not what you

[ActiveDir] FYI: Failing to create a trust

2005-12-17 Thread Almeida Pinto, Jorge de
Hi, Remember the DCPROMO thing on Vmware I experienced a while ago? (http://blogs.dirteam.com/blogs/jorge/archive/2005/11/14/60.aspx) I found another similar issue, but this time it occurred when creating a trust (external or forest) between two forests. The solution is still the same When

RE: [ActiveDir] FYI: Failing to create a trust

2005-12-18 Thread Almeida Pinto, Jorge de
. I'll have to try the password thing when I get back to the office to see if that works in my environment. Tony -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Sunday, 18 December 2005 2:06 p.m. To: ActiveDir

RE: [ActiveDir] FYI: Failing to create a trust

2005-12-18 Thread Almeida Pinto, Jorge de
] On Behalf Of Almeida Pinto, Jorge de Sent: Monday, 19 December 2005 2:05 a.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FYI: Failing to create a trust Just before going to a party yesterday, I was playing with 2 VMs. Each Vm was a DC in its own forest/domain and I wanted to create

RE: [ActiveDir] adminCount attribute

2005-12-20 Thread Almeida Pinto, Jorge de
The adminsdholder process only looks at users and groups that are defined in AD as protected objects. As mentioned in MS-KBQ817433 - "Delegated permissions are not available and inheritance is automatically disabled" it is possible to include or exclude some of the default admin groups

RE: [ActiveDir] adminCount attribute

2005-12-20 Thread Almeida Pinto, Jorge de
] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, December 20, 2005 9:10 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] adminCount attribute The adminsdholder process only looks at users and groups that are defined in AD as protected objects. As mentioned

RE: [ActiveDir] FFL 2003 is one-size-fit-all?

2005-12-20 Thread Almeida Pinto, Jorge de
Hi Deji, Yes, it is true. If the FFL is set to W2K3, then that means that all CURRENT and FUTURE domains will be at DFL W2K3. If that was not the case and you would be able to introduce a domain with DFL W2K native then it would also be possible to introduce W2K DCs. And that is impossible in

[ActiveDir] OT: Happy holidays!

2005-12-22 Thread Almeida Pinto, Jorge de
I just wanted to wish everyone happy holidays and the best for the new year! A merry christmas to you all and that you all have a good start for the new year! Be careful with the fireworks! ;-) Cheers, Jorge

RE: [ActiveDir] Active Directory Health Scripts?

2005-12-23 Thread Almeida Pinto, Jorge de
The Windows Server 2003 Active Directory Branch Office Guide contains some Quality Assurance Health Check Scripts http://www.microsoft.com/downloads/details.aspx?FamilyId=9353A4F6-A8A8-40BB-9FA7-3A95C9540112&displaylang=en Cheers, Jorge From: [EMAIL PROTECTED] on

RE: [ActiveDir] Rename Site?

2005-12-27 Thread Almeida Pinto, Jorge de
Yes you could. However, clients/servers that are in that site have the old site name in the registry as the site (dynamic setting) they are in. If you rename the site in AD (it will also be renamed in DNS automatically by the DCs) and the clients/servers query DNS to get a DC for the site

RE: [ActiveDir] Time Service

2005-12-28 Thread Almeida Pinto, Jorge de
w32tm /monitor dc1.domain.com *** PDC *** [10.100.110.12]: ICMP: 0ms delay. NTP: +0.000s offset from dc1.domain.com RefID: 'LOCL' [76.79.67.76]THIS IS THE TIME SERVER THE PDC IS POINTING TO A PDC that is not configured with an external time source:(default

RE: [ActiveDir] Time Service

2005-12-28 Thread Almeida Pinto, Jorge de
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Wednesday, December 28, 2005 8:49 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Time Service w32tm /monitor dc1.domain.com *** PDC *** [10.100.110.12]: ICMP: 0ms delay. NTP

RE: [ActiveDir] Time Service

2005-12-28 Thread Almeida Pinto, Jorge de
machine or every OU separately? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Wednesday, December 28, 2005 12:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Time Service why are you using

RE: [ActiveDir] DNS SRV records

2005-12-30 Thread Almeida Pinto, Jorge de
_sites.dc._msdcs.DNSDomainName is for locating a DC (hence the _msdcs) that hosts a certain service in a certain site _sites.DnsDomainName is for locating a SERVER (does not need to be a DC) that hosts a certain service in a certain site for more info on service resource records see:

RE: [ActiveDir] Urgently Yes or No

2005-12-31 Thread Almeida Pinto, Jorge de
In addition to what already has been mailed Before you make any mistake regarding the name... make sure your AD domain name does NOT have DNS single labeled name! For more info see: MS-KBQ300684_Information about configuring Windows for domains with single-label DNS names Jorge

[ActiveDir] HAPPY NEW YEAR!

2005-12-31 Thread Almeida Pinto, Jorge de
Everyone a happy new year and the best wishes! Jorge

RE: [ActiveDir] DNS SRV records

2006-01-01 Thread Almeida Pinto, Jorge de
am open to other possible solutions. -- Kamlesh On 12/31/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: _sites.dc._msdcs.DNSDomainName is for locating a DC (hence the _msdcs) that hosts a certain service in a certain site _sites.DnsDomainName is for locating a SERVER

RE: [ActiveDir] DCs generating SRV records for 2 sites!?

2006-01-03 Thread Almeida Pinto, Jorge de
what do you mean with The *wrong* SRV records are being produced on the child domain DCs? questions about this... * On ALL child domain DCs? * Do you mean the SRV RRs are registered wrong in DNS, but the DCs itself register the correct records or do you mean the SRV RRs are registered

RE: [ActiveDir] DCs generating SRV records for 2 sites!?

2006-01-03 Thread Almeida Pinto, Jorge de
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: 03 January 2006 14:17 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DCs generating SRV records for 2 sites!? what do you mean with The *wrong* SRV records are being

RE: [ActiveDir] Updating client DHCP settings in Windows NT

2006-01-03 Thread Almeida Pinto, Jorge de
maybe stupid questions... but are your WINS server IPs on the workstations also dynamically distributed by DHCP or are these defined locally as static addresses? Are you using both SERVER OPTIONS and SCOPE OPTIONS? Remember, if you changed the WINS IPs in the server options and you still have

RE: [ActiveDir] Updating client DHCP settings in Windows NT

2006-01-03 Thread Almeida Pinto, Jorge de
, Jorge de [mailto:[EMAIL PROTECTED] Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, January 03, 2006 10:23 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Updating client DHCP settings in Windows NT maybe stupid questions

RE: [ActiveDir] OT: DEC 2006

2006-01-05 Thread Almeida Pinto, Jorge de
can I get a free pass? jorge From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick Sent: Thu 2006-01-05 23:36 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DEC 2006 Well, I'm going. But I get a free pass... :) -gil

RE: [ActiveDir] OT: DEC 2006

2006-01-06 Thread Almeida Pinto, Jorge de
. We're not going to make speakers pay for their tickets, at least not until after 2007. :) -g -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Thursday, January 05, 2006 3:51 PM To: ActiveDir@mail.activedir.org; ActiveDir

RE: [ActiveDir] OT: DEC 2006

2006-01-06 Thread Almeida Pinto, Jorge de
it looks like it should be a swiss army bag with a rolling 6 pack cooler that you can take to the gym and is not a burden when drinking at the bar... ehhh I mean doing some quality community interaction ;-) is that possible Gil? J. From: [EMAIL PROTECTED] on

RE: [ActiveDir] OT: adfind syntax

2006-01-06 Thread Almeida Pinto, Jorge de
are you sure the OUs are correct? it works for me when I try it... (see below) Jorge D:\TOOLS>adfind -default -rb ou=computers,ou=org -f (objectcategory=computer) AdFind V01.28.00cpp Joe Richards ([EMAIL PROTECTED]) December 2005 Using server: rootdc001.ADCORP.LAN:389 Directory: Windows Server

RE: [ActiveDir] OT: adfind syntax

2006-01-06 Thread Almeida Pinto, Jorge de
is the OU structure you mention below setup from the left or from the right? if it is from the left, it should be from the right (lower level -top level), then it should be: OU=xpclients,OU=wsusclients if your structure is: OU=xpclients,OU=wsusclients corresponds to: DOMAIN.COM

RE: [ActiveDir] OT: DEC 2006

2006-01-06 Thread Almeida Pinto, Jorge de
- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko Sent: Friday, January 06, 2006 3:22 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: DEC 2006 Almeida Pinto, Jorge de wrote: it looks like it should be a swiss army bag with a rolling 6 pack cooler

RE: [ActiveDir] Access Denied error when joining the domain

2006-01-09 Thread Almeida Pinto, Jorge de
Yes the SID of the local PC should be changed before joining. In this case SYSPREP would be the way to go jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex Sent: Monday, January 09, 2006 11:42 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Access

RE: [ActiveDir] Automagically move AD computers into new/appropriate OU

2006-01-09 Thread Almeida Pinto, Jorge de
NETDOM ADD (adding computer accounts) or NETDOM JOIN (joining computers to domain) with the /OU option And if you have only ONE target OU you could redirect to it. http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/1919bb9f-adc9-4b7b-82f0-9bcaead3b81e.mspx Jorge

RE: [ActiveDir] Domain Demotion (Removal) Best Practices

2006-01-09 Thread Almeida Pinto, Jorge de
At the moment you think I could remove the domain now don't do that, but shutdown the DCs to see what breaks. Of course you need to ignore errors concerning replication with that domain. If after a while (some days) nothing or nobody has started screaming then you could demote the DCs. Don't

RE: [ActiveDir] Site link connection not created

2006-01-10 Thread Almeida Pinto, Jorge de
Devon, Trying to understand what you are saying... Not succeeding though... If you created a CO manually the KCC will never touch that CO. Is that what you want to know? Jorge From: [EMAIL PROTECTED] on behalf of Harding, Devon Sent: Tue 2006-01-10 21:50

RE: [ActiveDir] Site link connection not created

2006-01-10 Thread Almeida Pinto, Jorge de
get created automatically. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, January 10, 2006 4:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Site link connection not created Devon

RE: [ActiveDir] NT and AD Permissions

2006-01-11 Thread Almeida Pinto, Jorge de
is that account member of the Domain Admins in AD? jorge From: [EMAIL PROTECTED] on behalf of Chandra Burra Sent: Wed 2006-01-11 18:41 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] NT and AD Permissions Hi, we have a NT domain and a new 2003 AD

RE: [ActiveDir] NT and AD Permissions

2006-01-11 Thread Almeida Pinto, Jorge de
Permissions yes it is...and it was also domain admin in old NT domain. On 1/11/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: is that account member of the Domain Admins in AD? jorge From

RE: [ActiveDir] NT and AD Permissions

2006-01-11 Thread Almeida Pinto, Jorge de
: yes it is...and it was also domain admin in old NT domain. On 1/11/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: is that account member of the Domain

RE: [ActiveDir] NT and AD Permissions

2006-01-11 Thread Almeida Pinto, Jorge de
] [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra Sent: Wednesday, January 11, 2006 12:32 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] NT and AD Permissions yes it is...and it was also domain admin in old NT domain. On 1/11/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote

RE: [ActiveDir] Rights needed for...

2006-01-11 Thread Almeida Pinto, Jorge de
during a join the password is not reset (a default password is assumed -- computername$). the password is reset after 1 day of being joined and then each 7 days for NT and 30 days for w2k/wxp/w2k3 Jorge From: [EMAIL PROTECTED] on behalf of Bernier, Brandon (.)

RE: [ActiveDir] Removing old computer accounts from AD

2006-01-12 Thread Almeida Pinto, Jorge de
use OLDCMP from joeware.net (http://www.joeware.net/win/free/tools/oldcmp.htm) Jorge From: [EMAIL PROTECTED] on behalf of Marko Inkinen Sent: Thu 2006-01-12 13:02 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Removing old computer accounts from AD

RE: [ActiveDir] Brain Freeze - export list of mail enabled groups and memberships.

2006-01-12 Thread Almeida Pinto, Jorge de
ADFIND -GC -B "" -F "(&(objectCategory=group)(mail=*))" sAMAccountname member Jorge From: [EMAIL PROTECTED] on behalf of Mark Parris Sent: Thu 2006-01-12 13:40 To: ActiveDir.org Subject: [ActiveDir] Brain Freeze - export list of mail enabled groups and memberships.

RE: [ActiveDir] Removing old computer accounts from AD

2006-01-12 Thread Almeida Pinto, Jorge de
accounts from AD Man I hope he doesn't have a problem with oldcmp because I couldn't read a thing he wrote... From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Thursday, January 12, 2006 7:07 AM To: ActiveDir

RE: [ActiveDir] File Permissions: Deny vs. Allow

2006-01-12 Thread Almeida Pinto, Jorge de
Tony, Rich, Is what is shown below the answer Rich did not get from Tony? jorge From: [EMAIL PROTECTED] on behalf of Tony Murray Sent: Thu 2006-01-12 23:07 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] File Permissions: Deny vs. Allow Could

RE: [ActiveDir] [List Owner] Mailing list is 5 today!

2006-01-13 Thread Almeida Pinto, Jorge de
Tony and others... Congrats and a happy 5th! Thanks for this great and cool list! Definitely a great place to hang out, meet people and learn about AD! ;-) Cheers, Jorge PS.: so, where is the party? From: [EMAIL PROTECTED] on behalf of Tony Murray Sent:

RE: [ActiveDir] Congrat Jorge !!!!!

2006-01-13 Thread Almeida Pinto, Jorge de
Thanks everyone! A week ago on january 6th I got notice from the US MVP Lead I have been nominated (blogged that on january 6th http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx) and today (friday the 13th...) I got notice from the dutch MVP lead saying Microsoft awarded me

RE: [ActiveDir] LDAPS SRV Records?

2006-01-13 Thread Almeida Pinto, Jorge de
To see which service registers what see: http://support.microsoft.com/kb/q246804/ http://support.microsoft.com/default.aspx?scid=kb;EN-US;264539 http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/cb7a2363-0ed6-4c7c-87ba-7cc9592a8028.mspx jorge

RE: [ActiveDir] Congrat Jorge !!!!!

2006-01-13 Thread Almeida Pinto, Jorge de
Thanks Rich Are you talking about the summit? Nope... I have never been to Redmond. For me this is the first MVP nomination and award! ;-) I also heard from a dutch friend of mine who is also MVP, to saw a bigger hole (letterbox) in the door so that the postman can shove all the stuff through

RE: [ActiveDir] AD Test Environment

2006-01-16 Thread Almeida Pinto, Jorge de
also take a look at: http://blogs.dirteam.com/blogs/jorge/archive/2005/11/20/105.aspx http://blogs.dirteam.com/blogs/jorge/archive/2005/11/20/107.aspx Cheers, Jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale Sent: Monday, January 16, 2006 16:07 To:

[ActiveDir] FYI: W2K3 SP1 VMWARE issue

2006-01-17 Thread Almeida Pinto, Jorge de
Title: FYI: W2K3 SP1 VMWARE issue Hi Everyone, As you all may know a few months ago I posted two issues with Vmware and W2K3SP1 DCs. The issues described are: * Adding additional W2K3SP1 DCs to the forest * Creating trusts from a W2K3SP1 forest to another forest (does not matter which

RE: [ActiveDir] Migrate domain to separate forest

2006-01-17 Thread Almeida Pinto, Jorge de
If they need their own forest you need to create it first. But even before you create it, design it. First setup what the requirement should be and then design it to meet the requirements. Migration high level steps are: * Make sure the AD has been configured (sites, subnets, replication, OUs,

RE: [ActiveDir] adfind question

2006-01-18 Thread Almeida Pinto, Jorge de
Try: adfind -schema -s base objectVersion AdFind V01.27.00cpp Joe Richards ([EMAIL PROTECTED]) November 2005 Using server: DC:389 Directory: Windows Server 2003 Base DN: CN=Schema,CN=Configuration,DC=domain,DC=local dn:CN=Schema,CN=Configuration,DC=domain,DC=local objectVersion: 30 1 Objects

RE: [ActiveDir] AD computer accounts being removed

2006-01-19 Thread Almeida Pinto, Jorge de
It IS a problem in a Windows 2000 domain as the local machine SID is used in nearly all aspects of security and before migrating to 2000 you should resolve any duplicate SID issues which may have been caused by cloning installations. Huh..I'm having a small headache and I'm not smoking

RE: [ActiveDir] Net localgroup limitation?

2006-01-20 Thread Almeida Pinto, Jorge de
Hi, In AD: the sAMAccountName must be between 0 and 256 characters long the cn must be between 1 and 64 characters long I guess the NET commands are still using legacy methods When creating a group in a NT4 the limit was 20 char when you used the user manager for domains. However, using

RE: [ActiveDir] Active Directory Cleanup...

2006-01-25 Thread Almeida Pinto, Jorge de
you need to clean its metadata through NTDSUTIL If the DC in the test is a W2K3 SP1 DC you can do it like: Ntdsutil metadata cleanup remove selected server ServerObject When using this command, specify the distinguished name (DN) path of the server object (ServerObject) of the domain

RE: [ActiveDir] DC II

2006-01-26 Thread Almeida Pinto, Jorge de
Clients and servers will always try to use a DC in their own site. The query for that will be: _ldap._tcp.SITE._sites.dc._msdcs.domain.tld In the case the DCs that registered that record (in the actual site or in another covering that site) are not available the client will query for a DC in

RE: [ActiveDir] Putting a DC on VMware

2006-01-31 Thread Almeida Pinto, Jorge de
Are you talking about putting two DC instances on ONE host or two DC instances where each instance has its own host? Which VMware product are they thinking of using? What is the reason for such a scenario? DCs should only be administered by domain admins (or in other words: highly trusted and

RE: [ActiveDir] User Account Lifecyle -- Best Practices

2006-01-31 Thread Almeida Pinto, Jorge de
Hi, I wrote the following a while ago... See if you can use the procedure What to do with user accounts that are or not mailbox enabled when the corresponding user(s) leave(s) the company. For that and without buying a full blown solution you can create tooling in a simple way if the

RE: [ActiveDir] Domain Locator

2006-01-31 Thread Almeida Pinto, Jorge de
Gil and Sean have written great articles that explain this. http://www.windowsitpro.com/Article/ArticleID/37935/37935.html http://www.windowsitpro.com/Article/ArticleID/40718/40718.html Cheers, Jorge From: [EMAIL PROTECTED] on behalf of David Wyatt Sent: Tue

RE: [ActiveDir] Permissions are resetting

2006-02-01 Thread Almeida Pinto, Jorge de
I guess it is the ADMINSDHOLDER object that is bugging you... Every hour, the Microsoft Windows domain controller that has the primary domain controller (PDC) emulator operations master role verifies the ACLs on members of these administrative groups and compares them to the ACL on the

RE: [ActiveDir] NTFRS Problems

2006-02-01 Thread Almeida Pinto, Jorge de
for the BURGFLAGS stuff see: MS-KBQ290762_Using the BurFlags registry key to reinitialize File Replication Service replica sets Jorge From: [EMAIL PROTECTED] on behalf of Adeel Ansari Sent: Wed 2006-02-01 23:10 To: ActiveDir@mail.activedir.org Subject:

RE: [ActiveDir] event id 1000 only

2006-02-06 Thread Almeida Pinto, Jorge de
To troubleshoot GPO processing: http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/96405.asp http://www.winguides.com/registry/display.php/1128/

RE: [ActiveDir] Delegating attribute in property Set (Personal Information set)

2006-02-07 Thread Almeida Pinto, Jorge de
If for some reason you want to delegate the use of some attribute and that attribute is not listed in the property/attribute specific list, then that attribute is hidden from being viewed. To be able to use that attribute in the delegation of control wizard on THAT SPECIFIC DC, open

RE: [ActiveDir] Script to transfer FSMO roles.

2006-02-13 Thread Almeida Pinto, Jorge de
run the script on the DC that should host the FSMO role(s) or replace %COMPUTERNAME% with %1 and use the name of the new FSMO role holder as an argument. Make sure to adjust the script concerning the FSMO roles that should be seized/transferred -- Seize-Domain-FSMO-Roles.cmd NTDSUTIL ROLES

RE: [ActiveDir] Script to transfer FSMO roles.

2006-02-13 Thread Almeida Pinto, Jorge de
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: 13 February 2006 10:09 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Script to transfer FSMO roles. run the script on the DC that should host the FSMO role(s) or replace
