Hi Ken
I do not think group based security filtering works on computers - we never
got it to work anyways, although we only tried it once. Anybody have a
definitive answer on this that goes beyond I think?
Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]
"Ken Cornetet" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
02/01/2005 09:04 AM EST
Please respond to ActiveDir
To: <[email protected]>
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Netlogon Polocies in W2K3 AD GP
Can't you use groups to realize your "dream world"?
Have groups for fastlink, hub, slow dc, etc, and use security filtering
on the GPOs
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, February 01, 2005 8:34 AM
To: [email protected]
Cc: [email protected]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Netlogon Polocies in W2K3 AD GP
Hi Chandra
We played with it a little bit in our test lab. Definitely an
improvement over making registry changes to force DCs to change SRV
records (we did that in one domain with 15 DCs to make the main office
the secondary site in case the onsite DC was down and it was a fair bit
of work to change and keep track of). We did conclude that in order to
make the GPO work you need to put separate OUs inside your Domain
Controller OU - and only apply the settings on each OU. For instance,
one of the settings is Priority setting - with the lowest priority being
the first one that DNS will provide in the authentication lookup.
Changing that for all DCs does not change anything. Raising that value
for all DCs except the one at your hub site will force your hub site to
the second choice for authentication after the DC within the site.
We never checked to see how long it would take the changes to propagate
out - we forced things by updating the GPO on the server, removing all the
SRV records and forcing record reregistration to make the changes.
One other thing we found that adds to the hassle a little bit - not only
do universal changes require that you use OUs to separate your Domain
Controllers, the settings can only be applied either via registry or
via GPO. There is a setting to let the DC ignore the GPO but it
ignores all settings in the GPO.
That being said, we are looking to use parts of the GPO in our live
forest shortly to control authentication in the other regions. In a
perfect world, I would love it if you could find a way to set these
settings on a less global basis. Perhaps WMI filtering allows that, I
have not played with that much. In my dream world, I would be able to
say any DC that is designated a hub gets these settings, any DC that is
designated a fast link gets these settings, any DC that is designated a
slow link gets these settings, and any DC that starts with M gets these
settings - and not have these be mutually exclusive (in essence a DC
could get the hub, fast link, slow DC and starts with M settings all at
the same time).
I gripe less when the coffee supply is greater.
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]
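Ken's suggestion (one GPO per DC role, security-filtered to a computer group) and James's "dream world" (a DC can be hub, fast link and "starts with M" at the same time) can be expressed as the script below. It is an added example, not something from this thread or from the list: it assumes the GroupPolicy, ActiveDirectory and DnsClient PowerShell modules (tooling newer than the 2005 discussion), an example domain, made-up group and GPO names, and that the Net Logon administrative template writes its values under HKLM\SOFTWARE\Policies\Microsoft\Netlogon\Parameters (an assumption to verify against your own system.adm/admx).

```powershell
# Added example (not from the thread): one GPO per DC "designation", each
# security-filtered to a computer group. A DC that is a member of several
# groups receives all matching GPOs, so the designations are not exclusive.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$dcOu     = "OU=Domain Controllers,$domainDn"
# Policy key the Net Logon template is assumed to write to (check your ADM/ADMX).
$netlogonPolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'

# Designation -> (computer group, LdapSrvPriority). Made-up values; a lower
# priority is the one DNS clients try first, as the thread notes.
$designations = @{
    'Hub'      = @{ Group = 'GPO-DC-Hub';      Priority = 0   }
    'FastLink' = @{ Group = 'GPO-DC-FastLink'; Priority = 50  }
    'SlowLink' = @{ Group = 'GPO-DC-SlowLink'; Priority = 100 }
}

foreach ($name in $designations.Keys) {
    $cfg     = $designations[$name]
    $gpoName = "DC Locator - $name"

    if (-not (Get-ADGroup -Filter "Name -eq '$($cfg.Group)'")) {
        New-ADGroup -Name $cfg.Group -GroupScope Global -GroupCategory Security | Out-Null
    }
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $gpoName -Comment "Net Logon SRV settings for $name DCs"
        # Linked at the Domain Controllers OU; filtering, not sub-OUs, scopes it.
        New-GPLink -Name $gpoName -Target $dcOu -LinkEnabled Yes | Out-Null
    }

    # The value the "Priority Set in the DC Locator DNS SRV Records" setting controls.
    Set-GPRegistryValue -Name $gpoName -Key $netlogonPolicyKey `
        -ValueName 'LdapSrvPriority' -Type DWord -Value $cfg.Priority | Out-Null

    # Security filtering: everyone may read the GPO, only the group applies it.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $gpoName -TargetName $cfg.Group `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# Group membership decides which settings a DC gets; a DC may sit in several.
# DC01 is a made-up computer name.
Add-ADGroupMember -Identity 'GPO-DC-Hub'      -Members (Get-ADComputer 'DC01')
Add-ADGroupMember -Identity 'GPO-DC-FastLink' -Members (Get-ADComputer 'DC01')

# "Any DC whose name starts with M": a WMI filter with this WQL query, created
# in GPMC (there is no built-in cmdlet for that) and attached to a fourth GPO.
$wqlNameStartsWithM = "SELECT * FROM Win32_ComputerSystem WHERE Name LIKE 'M%'"

# Push the change and re-register SRV records on the DC, then inspect what DNS
# actually hands out, instead of guessing how long propagation takes.
Invoke-Command -ComputerName 'DC01' -ScriptBlock { gpupdate /force; nltest /dsregdns }

function Get-DcLocatorSrv {
    param([string]$DnsDomain = (Get-ADDomain).DNSRoot)
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DnsDomain" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object NameTarget, Priority, Weight, Port
}
Get-DcLocatorSrv | Format-Table -AutoSize
```

Where two of these GPOs set the same value (here LdapSrvPriority for a DC that is both Hub and FastLink), the link order on the OU decides which one wins, so put the most specific designation highest with Set-GPLink -Order; settings that do not collide simply combine. The DNS query at the end is the check to run after the GPO refresh, since the script only changes what the DC registers, not what is already cached in DNS.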
Chandra Burra <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
02/01/2005 07:49 AM EST
Please respond to ActiveDir
To: [email protected]
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] Netlogon Polocies in W2K3 AD GP
All,
Just wondering if someone has worked on the Netlogon policies in the
W2K3 GP (system.adm).
This has options to specify the site, DC SRV records and so on....
I was just going through them... Can someone highlight which ones have been
specifically tested and used?
Thanks,
Chandra
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/