Yeah, I would have to say your root admins don't know what is going on if they said they do things the way they do them for security. Too bad they aren't on this list. In the same position I would be highly tempted to take Enterprise Admin away from them and tell them I did it for security reasons with reasonable assurance they wouldn't be taking it back from me until they went and found someone else. This is a tough spot to be in. I definitely feel for you and you make me miss Ops and those types of politics even less. :o) joe
_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, March 23, 2005 1:25 PM
To: [email protected]
Subject: RE: [ActiveDir] OT:strange favor

Thanks for your help. I am documenting everything. This is the 2nd DR test that is screwed up that I've been involved with in this company.

My company merged with another company (we are on equal footing). However, the company we merged with was already on AD and we were on Win NT. So they suggested, "Hey, join our forest and keep your domain. You guys can still be domain admins of your domain, but we don't want to give you Enterprise Admin access for security reasons."

So since we are geographically apart and have 2 separate IT depts, we never coordinate DR (in fact, they have never done DR). They give us a copy of the root DC/DNS server on a laptop and we take a VMware copy of a DR DC from our domain and do a restore. But of course, everything always goes wrong. Last time, someone there ran ntdsutil and removed all the DC metadata for the root before we could disconnect our child DC, so for all purposes our child DC refused to acknowledge the existence of the root (as all the data was cleaned and replicated from AD).

Now, the PW they gave us for the Enterprise Admin account doesn't work. I ran Gil's hack and reset it. AD responded that "the password has been changed" and STILL I can't log on. I have errors in the DNS log that the DC could not register its records. When I do an "ipconfig /registerdns", I get access denied. However, I see all the SRV and A records for the server. If I connect a laptop to the DC via a crossover cable, I can't log on to the root domain. I get "domain cannot be found". I can do an nslookup from the laptop and connect to the server that way and see all the records. This is really strange. The server takes about 30 mins to boot up (I assume it can't find itself in DNS to auth to, BUT the records are there). Any ideas?

I'm just about fed up with this delegation stuff with these two companies. They should just collapse us into an OU and run the show or give us Enterprise Admin rights. Thanks and sorry to vent.

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of joe
Sent: Wed 3/23/2005 12:45 PM
To: [email protected]
Cc:
Subject: RE: [ActiveDir] OT:strange favor
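As an added example, not part of the thread and not anything Tom or joe posted: a PowerShell checklist for the symptoms described in Tom's message above (SRV and A records visible, "ipconfig /registerdns" returning access denied, "domain cannot be found" from a directly attached laptop, a 30-minute boot). It is meant to be run on the restored root DC. It assumes a Windows version that has Resolve-DnsName, Get-DnsClientServerAddress and Get-WinEvent (none of which existed on the Windows Server 2003 DCs of 2005) and a hypothetical forest root name of corp.example; the nltest, dcdiag and ipconfig calls are the same tools that were available then.

```powershell
# Added example (not from the thread): locator/DNS sanity check for a restored
# root DC. Assumes modern PowerShell cmdlets and a hypothetical forest root
# name 'corp.example' passed as -Domain.
param(
    [string]$Domain = 'corp.example'   # assumed forest root DNS name
)

$ErrorActionPreference = 'Continue'

# 1. The locator records a child DC or a client needs in order to find a DC of
#    the root. If these resolve here but a client still reports "domain cannot
#    be found", the client is not using this DNS server, whatever nslookup
#    shows when pointed at it explicitly.
foreach ($name in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
    $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue
    if (-not $srv) {
        Write-Warning "No SRV record for $name"
    } else {
        $srv | Where-Object QueryType -eq 'SRV' | Select-Object Name, NameTarget, Port
    }
}

# 2. Ask the DC locator directly; /force bypasses the cached answer.
nltest /dsgetdc:$Domain /force

# 3. Which DNS server does the DC itself point at? A DC whose NIC still points
#    at a DNS server from the production network (absent in the DR lab) cannot
#    register records or authenticate to itself, and Netlogon/Kerberos timeouts
#    at startup are what make the boot take tens of minutes.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses

# 4. dcdiag's DNS test covers dynamic update and record registration and will
#    say explicitly whether a secure update is being refused.
dcdiag /test:DNS /DnsDynamicUpdate /v

# 5. Re-attempt registration, then pull the Netlogon events that record the
#    outcome: 5774 = failed to register a record, 5781 = no DNS server reachable.
ipconfig /registerdns
Get-WinEvent -LogName System -MaxEvents 200 |
    Where-Object { $_.ProviderName -eq 'NETLOGON' -and $_.Id -in 5774, 5781 } |
    Select-Object TimeCreated, Id, Message
```

Two caveats for this situation. First, an "access denied" on a secure dynamic update normally means the record already exists in the zone and is owned by a different security principal than the one attempting the update; after a metadata cleanup and a restore from a different copy of the directory, the DC's computer account can easily no longer match the owner recorded on its own A and SRV records, so the record ACLs in the DNS console are worth checking before assuming the records are usable. Second, none of this checks the Enterprise Admin password itself: if step 2 succeeds and the SRV records are correct but the logon still fails, the problem is in the account or the Kerberos path, not in DNS.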
