shit.... I need to submit a bug fix for that! ;-)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel     : +31-(0)40-29.57.777
Mobile  : +31-(0)6-26.26.62.80
E-mail  : <see sender address>

________________________________

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Mon 2006-07-24 17:54
To: [email protected]
Subject: RE: [ActiveDir] Have you built an R2 Forest?


thanks horhay :)

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 24 July 2006 15:38
To: [email protected]
Subject: RE: [ActiveDir] Have you built an R2 Forest?


inline


________________________________

        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
        Sent: Monday, July 24, 2006 16:01
        To: [email protected]
        Subject: RE: [ActiveDir] Have you built an R2 Forest?
        
        
        Thanks for this joe. That doc is more than bad - it's plain wrong :(
         
        Just to further clarify:
        1. If I build a new R2 forest, I should expect a blank TSL - which implies a 60 days TSL. Correct?
        [JdAP says:] YES (but it should be 180 days!)
        2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod or adsiedit or whatever... ? Correct?
        [JdAP says:] YES, ADD THE 180 VALUE
        3. I only need to run the R2 adprep once per forest. [Stated for completeness]
        [JdAP says:] YES
        4. Do I need to run the R2 setup on each machine I build? Will this process revert the TSL back to 'not set'?
        [JdAP says:] (1) ONLY IF YOU NEED THE R2 STUFF, (2) NO

        I'm trying to understand the issue below but also how it is caused and how it may be caused again.
        [JdAP says:] WRONG SCHEMA.INI ON THE MEDIA
         
        neil
        PS I agree re R2 and its value above and beyond SP1. But what a great marketing ploy :)
         

________________________________

        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
        Sent: 24 July 2006 14:44
        To: [email protected]
        Subject: RE: [ActiveDir] Have you built an R2 Forest?
        
        
        This all started due to bad documentation on 
         
        
http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true
         
        which states
         
        Note the value in the Value column. If the value is <not set>, the default value is in effect as follows:

        * On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 days.

        * On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.

         
         
        which was confusing a customer. Then after I explained about how 60 days is hardcoded and 180 days was a schema.ini fix he further indicated that he wasn't seeing this in an R2 forest hence his original question. The test R2 forests I have built I never checked TSL, just assumed it was 180 and normally I don't build R2 machines because I really don't much care about R2, SP1 is far more important for the stuff I play with. I mean really, how many people verify the TSL of their forest versus just assuming it was whatever MSFT or someone representing MSFT said it should be. I know I have told a ton of people that after SP1 the value is 180 and I want to make sure I tell all of those same people that it really isn't in R2.

        My concern is for people who have put an R2 forest out there and are under the running assumption that they now have a 180 day TSL and make some decision based on it (yes, it is ok if our DC sits on the dock in Mexican customs for 3 months (this is a real example) because we have a 180 day TSL) and learn after the fact that it was incorrect. It also has backup/restore implications.

        Hopefully the above docs will be corrected and the word will seep out and people will be aware. This is one of those things where if you find it out after you already had an incident you will be like, WTF Microsoft. It also makes me wonder if there is anything else that was regressed...
         
           joe
         
         
        --
        O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
         
         

________________________________

        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
        Sent: Monday, July 24, 2006 2:12 AM
        To: [email protected]
        Subject: RE: [ActiveDir] Have you built an R2 Forest?
        
        
        hehe, yep I've seen that (the difference of the Schema.ini files; i.e. missing entry for the tombstonelifetime property) but didn't think too much of it because for now I've only had to handle upgrading from Win2000 or 2003 to R2 where the Schema.ini doesn't play a role. It is "only" used to populate a blank schema at the time that you create a new AD forest - and yes, this means that your tombstone lifetime wouldn't match that of other Win2003 forests that were created from a DC that had SP1 applied to it...

        I agree, not very nice, but easily fixed as you describe. Personally, I don't think too much of the fact that the tombstonelifetime was increased to 180 days in SP1 anyways. This was done to avoid issues for companies with a badly managed AD - I would generally much prefer to adjust the value to what is appropriate for a company's backup & recovery strategy. And this usually doesn't mean that you need to keep the "garbage" in your AD for 1/2 a year...

        Granted, it's the inconsistency here with which MSFT has done the update of the schema.ini files which is not so nice - but the rules are pretty clear on how tombstone lifetime can be evaluated by an admin: if the attribute on the Directory Services object (tombstoneLifetime -> CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<MyRootDomain>) shows NOT SET, then it's the "original" default tombstone lifetime of 60 days. Else it's whatever number of days has been set either by the DCPROMO routine writing a specific value into the attribute when creating a new forest, or by an admin changing the value to whatever is appropriate.
         
        /Guido

________________________________

        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
        Sent: Monday, July 24, 2006 1:50 AM
        To: [email protected]
        Subject: [ActiveDir] Have you built an R2 Forest?
        
        
        If so... you may want to peek at
         
        http://blog.joeware.net/2006/07/23/484/
         
        entitled "R2 tombstoneLifetime boo boo"
         
         
         
        --
        O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
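
The evaluation rule discussed in this thread (attribute not set means the hardcoded 60 days, otherwise the stored value applies) can be checked against a live forest as below. This is an added example, not code from any of the posters; the function names and the sample outage durations are assumptions made for illustration, and it needs a domain-joined Windows host with read access to the Configuration partition.

```powershell
# Added example: report the effective tombstone lifetime (TSL) of the current forest.
$HardcodedDefaultDays = 60    # in effect when tombstoneLifetime is <not set> (per the thread)
$ExpectedDays         = 180   # value the thread says a new SP1/R2 forest should carry

function Get-EffectiveTombstoneLifetime {
    # Find the Configuration naming context of the forest we are joined to.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.Properties['configurationNamingContext'].Value

    # Object named in the thread: CN=Directory Service,CN=Windows NT,CN=Services,<Configuration NC>
    $dn     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $dirSvc = [ADSI]"LDAP://$dn"
    $raw    = $dirSvc.Properties['tombstoneLifetime'].Value   # $null when <not set>

    $isSet = $null -ne $raw
    [pscustomobject]@{
        DistinguishedName = $dn
        AttributeIsSet    = $isSet
        EffectiveDays     = $(if ($isSet) { [int]$raw } else { $HardcodedDefaultDays })
    }
}

function Test-OutageWithinTombstoneLifetime {
    # Hypothetical helper: is a DC that was offline (or a backup that is) this old still usable?
    param([int]$DaysOffline, [int]$EffectiveDays)
    $DaysOffline -lt $EffectiveDays
}

$tsl = Get-EffectiveTombstoneLifetime
$tsl | Format-List

if (-not $tsl.AttributeIsSet) {
    Write-Warning "tombstoneLifetime is <not set>: the forest runs on the $HardcodedDefaultDays-day default."
} elseif ($tsl.EffectiveDays -lt $ExpectedDays) {
    Write-Warning "tombstoneLifetime is $($tsl.EffectiveDays) days, below the $ExpectedDays days assumed."
}

# Constructed sample outages, in days; 90 mirrors the three-month customs delay in the thread.
foreach ($days in 30, 90, 200) {
    $ok = Test-OutageWithinTombstoneLifetime -DaysOffline $days -EffectiveDays $tsl.EffectiveDays
    '{0,3} days offline -> within TSL: {1}' -f $days, $ok
}
```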
         



