Yep, this is a good reason to supernet your subnets into "catchall" subnets and associate them with Domain Controller hubs. Basically saying, if you can't find a better match for this client for its IP address, tell it to use resources in the hub site.
joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Friday, October 15, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Deleting a subnet on a AD Site

While, in general, deleting their subnet will not prevent a client from logging on, they could experience significant delays in doing so. Since the client will not be able to determine which DCs are "closest", they could end up trying to be authenticated by a DC on the other end of a slow WAN connection.

The purpose of a site is to let the clients know which subnets have fast connections to each other. That way a client can attempt to be authenticated by DCs that can respond quickly. If the client's subnet has been deleted, the client will randomly pick a DC.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, October 14, 2004 6:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Deleting a subnet on a AD Site

You'll be fine. In general, deleting a client's subnet does not prevent them from logging on.

Thanks.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Meneses, Arturo
> Sent: Thursday, October 14, 2004 9:27 AM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] Deleting a subnet on a AD Site
>
> I have a domain that was originally setup in a public network and then
> was moved to a private one. It has three public subnets and one
> private in the Sites and Services mmc.
> Are there any issues deleting the public ones? They're not being used
> anymore internally.
>
> Thanks,
> AM
>
> -----Original Message-----
> From: Mulnick, Al [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 14, 2004 8:08 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Unable to Promote a 2nd DC or Access Group Policy on existing DC
>
> As you were reading this, did you check the dcpromo log on the failed
> promotion?
> Are you trying to use the same domain controller name when you promote it?
>
> Are all of these domains in the same forest? If so, how's the FRS logs?
> Any errors?
>
> Al
>
> P.S. GPRESULT.EXE from the reskit will tell you some information of
> value about the applied policies. Also, have a look at this for some
> other things to check http://support.microsoft.com/?kbid=830062
>
> I don't think I'd haul off and just implement this, but it's something
> to consider. You'll want to test this stuff out before implementing
> it I'm sure. You may also do well to call Microsoft support and have
> a more in-depth look of your environment done.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner
> Sent: Wednesday, October 13, 2004 10:58 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Unable to Promote a 2nd DC or Access Group Policy on existing DC
>
> Al,
>
> I understand the article to a degree. I understand that I am in over
> my head here.
>
> I understand it but just do not seem to be able to get it to work.
>
> ********* From the article *************
>
> To fix the problem:
>
> Make sure that existing domain controllers have applied security
> policy and that the Enable computer and users accounts to be trusted
> for delegation user right has been granted to the Administrators group
> (Default Domain Controller Policy / Computer Configuration / Windows
> Settings / Security Settings / Local Policies).
>
> If a domain controller does not have this right, confirm that GPOs
> have replicated, and then manually apply the policy by typing the
> following command:
>
> secedit /refreshpolicy machine_policy
>
> NOTE: If the Application event log contains:
>
> Event ID 1704: Security Policy in the Group policy objects are applied
> successfully. the GPOs have been applied.
>
> If you're in a hurry, stop the Netlogon service on the source domain
> controller that doesn't have this right, to discover another DC that does.
>
> ************************************
>
> How do you check what it states to do in the first paragraph of "To
> fix the problem:"?
>
> I do not believe that I can get the second part to work as I do not
> believe that I can replicate as there is only 1 DC so to speak. Yes,
> there are other BDCs but they are all WinNT4.0.
>
> Anyway, I tried the "secedit /refreshpolicy machine_policy" and it
> stated in the DOS Screen to check the app log for any errors etc.
> Nothing appeared in the apps event log so far and it has been about an
> hour so I assume that it did not work.
>
> Any further help would be appreciated AL.
>
> Rodney
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Wednesday, 13 October 2004 11:08 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Unable to Promote a 2nd DC or Access Group Policy on existing DC
>
> Yep, it's very likely that the two are related.
> (here's a good reference of what's happening when and why I say the
> two are related: http://www.jsiinc.com/SUBG/TIP3000/rh3034.htm)
>
> You need to start by fixing the default policy issues. Deleting the
> default policy is not necessarily what you want to do, but rather it's
> the file system you are working on. Re-read that article and see if
> it makes better sense today. If not, let us know.
>
> Meanwhile, is this a single domain environment?
>
> Al
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner
> Sent: Wednesday, October 13, 2004 3:22 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Unable to Promote a 2nd DC or Access Group Policy on existing DC
>
> Well, I am hoping someone will be able to help me. I can not dcpromo
> another Win2000 Server on my network.
>
> I was originally able to do this but then active directory corrupted
> on the 2nd DC. This was then forced removed from being a DC. I used
> KB332199 and KB216498 to do this.
>
> I have since tried doing a dcpromo to create another DC but receive
> the following error at the end of the wizard when it states "The
> wizard is configuring Active Directory. This process can take several
> minutes......":-
>
> The operation failed because: Failed to modify the necessary
> properties for the machine account VLSSYDSHR1$ "Access is denied"
>
> This happens on ANY Win2000 machine that I try to promote with the
> only difference being the account name.
>
> Second to this the Group Policy can not be accessed. Every time I try
> to edit it on the only DC I receive the following error:-
>
> Failed to open the Group Policy Object. You may not have the
> appropriate rights.
>
> Details:
> The system can not find the path specified
>
> I have referred to KB253268 for this problem.
>
> I can see the {GUID} but do not really know what I am looking at.
>
> Is there a way of deleting the existing Default Group Policy and
> creating a new one?
>
> I have screen dumps of anything that may be required. Any help that
> can be given would be very much appreciated. I am not sure if the two
> problems I am having are related to one another or not.
>
> Rodney
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
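
Added example, not part of any message in this thread: a sketch of the most-specific-subnet lookup that the first two messages describe, showing what a catch-all supernet tied to a hub site changes when a specific subnet object is deleted. Site names and address ranges are constructed, and `resolve_site` and `impact_of_deleting` are hypothetical helper names.

```python
import ipaddress

# Constructed sample data: subnet objects and the site each is associated with.
SUBNET_TO_SITE = {
    "10.20.30.0/24": "Branch-Austin",
    "10.0.0.0/8": "Hub-Houston",      # catch-all supernet tied to the hub site
    "192.168.50.0/24": "Branch-Lab",  # range with no covering supernet
}


def resolve_site(client_ip, subnet_to_site):
    """Return (site, subnet) for the most specific subnet containing client_ip.

    Returns (None, None) when no subnet object covers the address, which is
    the case where the client cannot tell which DCs are "closest".
    """
    addr = ipaddress.ip_address(client_ip)
    best = None
    for cidr, site in subnet_to_site.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (site, net)
    if best is None:
        return (None, None)
    return (best[0], str(best[1]))


def impact_of_deleting(cidr, client_ips, subnet_to_site):
    """Map each affected client IP to (site_before, site_after) if cidr is removed."""
    remaining = {k: v for k, v in subnet_to_site.items() if k != cidr}
    report = {}
    for ip in client_ips:
        before = resolve_site(ip, subnet_to_site)[0]
        after = resolve_site(ip, remaining)[0]
        if before != after:
            report[ip] = (before, after)
    return report


if __name__ == "__main__":
    clients = ["10.20.30.15", "10.9.9.9", "192.168.50.7"]  # constructed addresses
    for subnet in ("10.20.30.0/24", "192.168.50.0/24"):
        print(subnet, impact_of_deleting(subnet, clients, SUBNET_TO_SITE))
```

A client whose result changes to `None` has no site at all after the deletion; one that changes to the hub site still gets a deterministic answer.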
