Thanks. What I'm worried about is that NetBIOS/TCP is turned off and they have no WINS servers. How will this affect an external trust like the kind being attempted? Thanks again

On 8/10/05, Rick Kingslan <[EMAIL PROTECTED]> wrote:
> See inline below....
>
> Rick
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Tuesday, August 09, 2005 5:32 PM
> To: [email protected]
> Subject: Re: [ActiveDir] AD migration
>
> Do you mean check off "associate with external account" on the user attrib?
>
> [RTK] If you mean the ACE "Associate with External Account" in the ACL of
> the Mail-enabled disabled user - which should have a new entry of [domain in
> other forest\user], yep. That's the one. I seem to remember that there is
> at least one maybe two more ACEs that need to be checked as well. Should
> become apparent pretty quickly. If you can't find it - I'll dig it up.
>
> Also, how do they see the GAL in the old forest?
> How does Outlook in the new domain find the GCs in the old domain (I
> think the answer to this is when it points to the Exchange server in
> the old forest, DSProxy will direct them to a GC in the Exchange
> server's site?)
>
> [RTK] The Exchange server in the old forest still has associated GCs, so
> yes - the GCs that are located by the Exchange servers are still used for
> the purposes that they are needed for.
>
> Also, I thought a lot of things would break when disabling NetBIOS/TCP,
> like ESM, Outlook pre 2003, ExMerge, etc.
>
> [RTK] It's important to understand a specific distinction - especially when
> related to E2k and E2k3. The dependency is on NetBIOS name resolution - not
> specifically the Application layer API NetBIOS. Remember - NetBIOS is not a
> protocol. NetBEUI is. Neither is routable. So, if you don't have NBT and
> have WINS - you're going to work fine with what you state above.
>
> Thanks
>
> On 8/9/05, Bernard, Aric <[EMAIL PROTECTED]> wrote:
> > Don't worry Kingslan, I won't hold anything against you!
> > ;) LOL
> >
> > "Aric" Bernard
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> > Sent: Tuesday, August 09, 2005 2:52 PM
> > To: [email protected]
> > Subject: RE: [ActiveDir] AD migration
> >
> > Ummmm.... Well, one - I like simplicity. Two, I'm not a big fan of WINS.
> > If all we're trying to do is to establish trust for a migration...
> >
> > Besides, Bernard has already been here to show me the error of my ways,
> > Thank you.
> >
> > ;o)
> >
> > Rick
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > Sent: Tuesday, August 09, 2005 4:40 PM
> > To: [email protected]
> > Subject: RE: [ActiveDir] AD migration
> >
> > I didn't read the entire thread so maybe this is answered but this stuck
> > out to me, why isn't WINS going to work?
> >
> > Neither WINS replication nor name resolution requires any trusts or even
> > authentication. It is all entirely unauthenticated with replication being
> > handled through IP address based "connection agreements" between the
> > source and destination targets.
> >
> > WINS is entirely name resolution, no worries with trusts or anything else
> > in terms of that name resolution.
> >
> > When you register in WINS, it is anonymous. When you query WINS it is
> > anonymous. Only when you use the admin interfaces to say look at the
> > database or modify the connection agreements, etc. does any form of
> > authentication come into play.
> >
> > When playing across subnets like this with NetBIOS functionality, WINS is
> > generally the best way to go, certainly it is one of the least complex.
> > The only time I would really look at using LMHOSTS is if there was a
> > requirement not to use WINS or you don't want the names to be resolvable
> > to anyone that asks.
> >
> > joe
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> > Sent: Tuesday, August 09, 2005 12:07 PM
> > To: [email protected]
> > Subject: RE: [ActiveDir] AD migration
> >
> > Really, it uses neither. The NetBT is involved, but because we are on (at
> > present) untrusted domains and forests, WINS isn't going to work.
> >
> > Typically, this is done with an LMHosts file in the \Drivers\ETC
> > directory. The records are going to be very specific, as they will define
> > the domain of the target domain, as well as (typically) the PDC for the
> > target. A 'mirror' LMHosts will be set up on the other trusting side.
> >
> > As noted, the format of the records is specific, and can be found here:
> >
> > http://support.microsoft.com/kb/180094/
> >
> > And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
> > defined, otherwise they will not work.
> >
> > Good luck - it's not daunting, but can be tedious to get working the
> > first time.
> >
> > Rick
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> > Sent: Tuesday, August 09, 2005 5:58 AM
> > To: [email protected]
> > Subject: Re: [ActiveDir] AD migration
> >
> > Sorry to keep harping - but if you have a trust between a child Win2k
> > domain in one forest with a root or child domain in another forest, does
> > this use WINS or DNS?
> > I know this is not a "real" forest trust and more like an external trust
> > in that it's not transitive and uses NTLM and NOT Kerberos, but does it
> > also rely on WINS/NetBIOS like an old NT-style trust?
> >
> > Thanks
> >
> > On 8/8/05, Tom Kern <[EMAIL PROTECTED]> wrote:
> > > I just started today so what I got was - they have connectivity to the
> > > child DNS server but they cut off connectivity to anything in the root
> > > domain.
> > > The firewall is blocking all root traffic.
> > > This has been like this for a week.
> > > Nothing is replicating to the root and there is no access to the _msdc
> > > forest zone.
> > >
> > > The forest is Win2k native with an empty root and 1 child domain in a
> > > separate tree.
> > > They have DA access in the child domain but no DA/EA access in the root.
> > > All the Exchange servers (about 10) are in the child domain.
> > > The only recipient policy in the root is the default one and the
> > > enterprise RUS.
> > >
> > > They want to migrate the child domain and all the resources to a new
> > > forest where we have full control of everything.
> > > I assume we do not need connectivity to the _msdc forest DNS zone to
> > > create a trust with the old child domain to migrate everything over (or
> > > anything in the root DNS zone).
> > >
> > > I'm not 2nd guessing the Quest guys, this is only for my own education.
> > >
> > > Thanks a lot
> > >
> > > On 8/8/05, Medeiros, Jose <[EMAIL PROTECTED]> wrote:
> > > > I am sure Quest's consultants know what they are doing. Didn't you
> > > > have them put a quote and migration plan together prior to the actual
> > > > migration? Or are you asking these questions because you are second
> > > > guessing them? Or is this just for your own knowledge?
> > > >
> > > > My understanding is that both domain names have to be different when
> > > > using ADMT to migrate from a Source Domain to a Target Domain, unless
> > > > Quest has a tool that overcomes this that I am not aware of. Are you
> > > > trying to keep the same domain name as the source? Microsoft also has
> > > > a free tool that will allow you to rename the target 2003 AD domain as
> > > > after you have completed your migration and decommissioned old DCs.
> > > >
> > > > Jose
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] Behalf Of Almeida Pinto, Jorge de
> > > > Sent: Monday, August 08, 2005 2:46 PM
> > > > To: [email protected]; activedirectory
> > > > Subject: RE: [ActiveDir] AD migration
> > > >
> > > > What do you mean with "In fact, they are cut off from the root domain
> > > > physically."? Do you mean as in there is no replication between the
> > > > two domains? If yes... dare I ask for how long?
> > > >
> > > > As I know of you can migrate the child domain without the root being
> > > > available because you will be having a trust between the new domain
> > > > and the child domain.
> > > >
> > > > I still don't understand what you mean... They are cut off from the
> > > > root and the DNS is available in the root. I must be missing
> > > > something. Can you explain a bit more?
> > > >
> > > > Jorge
> > > >
> > > > ________________________________
> > > >
> > > > From: [EMAIL PROTECTED] on behalf of Tom Kern
> > > > Sent: Mon 8/8/2005 11:08 PM
> > > > To: activedirectory
> > > > Subject: [ActiveDir] AD migration
> > > >
> > > > I just started working for a company. They used to outsource their
> > > > AD/Exchange but now they're trying to get it back.
> > > >
> > > > It's a 2 tree, 2 domain forest. The root domain is empty.
> > > > This company only has DA access on the child domain. No EA access.
> > > > In fact, they are cut off from the root domain physically.
> > > >
> > > > What they want to do is create a new forest and migrate all
> > > > users, Exchange, computers, etc. to the new forest and be done with
> > > > the old.
> > > > They are going to use Quest sw and a consultant from Quest for this.
> > > >
> > > > My question is - can this be done without any connectivity to the
> > > > root?
> > > > Both DNS zones are in the root so they really don't have any DNS
> > > > locally as well (needless to say, you can imagine what the rep logs
> > > > look like). I'm sure this complicates matters.
> > > > However, the Quest people seem to think this can still work.
> > > > Can it?
> > > >
> > > > Also, can the new forest have the same domain names as the old one?
> > > >
> > > > Thanks (I'm the guy who posted about his new job jitters about a week
> > > > or 2 ago, and here I am. Their AD is more messed up than I thought :) )
> > > >
> > > > List info   : http://www.activedir.org/List.aspx
> > > > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> > > >
> > > > This e-mail and any attachment is for authorised use by the intended
> > > > recipient(s) only. It may contain proprietary material, confidential
> > > > information and/or be subject to legal privilege. It should not be
> > > > copied, disclosed to, retained or used by, any other party. If you are
> > > > not an intended recipient then please promptly delete this e-mail and
> > > > any attachment and all copies and inform the sender. Thank you.
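
The LMHOSTS approach mentioned in the quoted thread depends on the quoted domain record being exactly 20 characters inside the quotes (the domain name padded with spaces to 15, followed by `\0x1b`), which is the layout the linked KB 180094 article describes. The following is an added example, not part of the original messages: it builds the two records for one side of the trust and flags hand-typed records whose padding is wrong. The IP address, PDC name and domain name are constructed placeholders, and the function names are hypothetical.

```python
import re

NAME_LEN = 15     # NetBIOS name field; the 16th byte is the service type
QUOTED_LEN = 20   # 15 padded name characters + the 5 characters of \0x1b
QUOTED = re.compile(r'^\S+\s+"([^"]*)"')
SUFFIX = re.compile(r"\\0x[0-9a-fA-F]{2}$")


def trust_records(ip, pdc, domain):
    """Return the two LMHOSTS lines that point at the other domain's PDC."""
    if not 0 < len(domain) <= NAME_LEN:
        raise ValueError("NetBIOS domain name must be 1 to 15 characters")
    padded = domain.ljust(NAME_LEN) + r"\0x1b"
    return [f"{ip} {pdc} #PRE #DOM:{domain}", f'{ip} "{padded}" #PRE']


def check_line(line):
    """List the problems in one quoted special-name record (empty if fine)."""
    m = QUOTED.match(line.strip())
    if not m:
        return []  # comment, blank line or ordinary host record
    name, problems = m.group(1), []
    if len(name) != QUOTED_LEN:
        problems.append(f"quoted name is {len(name)} characters, expected {QUOTED_LEN}")
    if not SUFFIX.search(name):
        problems.append("no \\0xNN service-type suffix")
    return problems


def lint_lmhosts(text):
    """Map 1-based line numbers to problems for every bad quoted record."""
    found = {}
    for number, line in enumerate(text.splitlines(), start=1):
        problems = check_line(line)
        if problems:
            found[number] = problems
    return found


if __name__ == "__main__":
    # Constructed values: documentation IP, hypothetical PDC and domain names.
    good = trust_records("192.0.2.10", "OLDPDC01", "OLDCHILD")
    hand_typed = '192.0.2.10 "OLDCHILD \\0x1b" #PRE'  # padding lost
    print("\n".join(good))
    print(lint_lmhosts("\n".join(good + [hand_typed])))
```

The mirror file on the other side of the trust is produced the same way with that side's PDC and domain name.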
