Why should a DC not be a virtual server? Are you talking a run of the mill
DC/GC? Or are you talking about a DC/FSMO box?


John M.


From: [email protected] [mailto:[email protected]]
On Behalf Of Webster
Sent: Tuesday, June 18, 2013 9:00 PM
To: <[email protected]>
Subject: Re: [NTSysADM] RE: Finding AD groups with legacy members


I have already shot down a few of the findings:


Every FSMO role needs to be on a separate DC (thanks Brian for including
this non-issue in your book).

Must be on DFL/FFL 2008+ before you can migrate to Win7.

A DC should not be virtualized (actually still fighting w/ the head of IT on
this one).

And a few more stupid non-issues.


This one finding of legacy members in groups is one I can't convince them
may not be worth the effort. They have many groups with many 1000s of
members; they (the consultants who did the assessment) modify group
membership frequently and believe it has a negative impact on bandwidth and
replication traffic.


My overall task on this project is to get all 3 of their forests to Server
2012 DFL/FFL [1] and satisfy the internal security team.


Webster


1. Before I can bring the first 2012 DC online, I have to prove in their
lab that I can do a full forest recovery for all 3 forests!


Sent from my iPad so please excuse all the typos


On Jun 18, 2013, at 5:12 PM, "Brian Desmond" <[email protected]> wrote:

I'd triage whether this is actually really necessary before you go and do
this. I've had customers do this before - you have to build something to
suck out the membership and then reload it.


Thanks,

Brian Desmond

[email protected]


w - 312.625.1438 | c - 312.731.3132


From: [email protected] [mailto:[email protected]] On Behalf Of Webster
Sent: Tuesday, June 18, 2013 6:17 PM
To: <[email protected]>
Subject: [NTSysADM] Finding AD groups with legacy members


Current project had a consulting group come in and do an AD Assessment. One
of their findings was that they have many groups with almost 5,000 members.
Most of the groups were created and users added pre-2003 DFL/FFL. Their
conclusion was the legacy members need to be removed and re-added to the
groups to enable LVR for each group member.


Whether you or I agree with this conclusion, I have been tasked with finding
which of their almost 24,000 groups have Legacy members.  I know I can do
this:


C:\>repadmin /showobjmeta shc-dc "cn=administrators,cn=builtin,dc=shc,dc=org"

17 entries.

<snip>

21 entries.
Type             Attribute
LEGACY        member
LEGACY        member
LEGACY        member
LEGACY        member
LEGACY        member
LEGACY        member
LEGACY        member
LEGACY        member
LEGACY        member
LEGACY        member
LEGACY        member
LEGACY        member
PRESENT       member
PRESENT       member
PRESENT       member
PRESENT       member
PRESENT       member
PRESENT       member
PRESENT       member
PRESENT       member
PRESENT       member

C:\>


I could run that command 24,000 times but it would be nice to automate that.
BUT, all the DCs are 2003 so I don't have access to using the Microsoft
PowerShell AD stuff.  My GoogleFU is failing me and I have not found a
script that finds AD Security groups with Legacy members.


Any hints, clues, tips or help from the peanut gallery?


Once I know all the groups with Legacy members, my next task is removing
the Legacy members and adding them back in so LVR is enabled (I did find a
script for that).


Once that is done, I can begin the process of moving them to Server 2012 DCs
and all those benefits.


Thanks


Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com
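One way to automate the repadmin check across every group, as an added example that is not a script from this thread: it enumerates the domain's groups over ADSI (so it needs neither the ActiveDirectory module nor a 2008+ DC), runs repadmin /showobjmeta against each one, and counts the LEGACY versus PRESENT member rows in the output shown above. The DC name in $Dc, the output path and the row regexes are assumptions taken from the format in the post.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0, repadmin.exe on
# the path, and a reachable DC name in $Dc. Run it once per domain (three
# forests means at least three runs, each pointed at a DC in that domain).
param(
    [string]$Dc = "shc-dc",                 # placeholder DC name from the post's own command
    [string]$OutFile = ".\legacy-groups.csv"
)

# Enumerate every group object via ADSI; no ActiveDirectory module required.
$defaultNc = [string]([ADSI]"LDAP://$Dc/RootDSE").defaultNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$Dc/$defaultNc"
$searcher.Filter = "(objectCategory=group)"
$searcher.PageSize = 1000                    # paged search, so >1000 groups come back
$searcher.PropertiesToLoad.Add("distinguishedName") | Out-Null

$results = @()
foreach ($r in $searcher.FindAll()) {
    $dn = $r.Properties["distinguishedname"][0]

    # repadmin prints one row per link value; LEGACY rows are the pre-LVR
    # members, PRESENT rows already carry per-value replication metadata.
    $meta = & repadmin.exe /showobjmeta $Dc "$dn" 2>&1
    $legacy  = @($meta | Where-Object { $_ -match '^\s*LEGACY\s+member\b' }).Count
    $present = @($meta | Where-Object { $_ -match '^\s*PRESENT\s+member\b' }).Count

    if ($legacy -gt 0) {
        $results += New-Object PSObject -Property @{
            Group         = $dn
            LegacyMembers = $legacy
            LvrMembers    = $present
        }
        Write-Host ("{0}: {1} legacy, {2} LVR" -f $dn, $legacy, $present)
    }
}

# Biggest clean-up candidates first; the CSV is the input to the re-add step.
$results |
    Select-Object Group, LegacyMembers, LvrMembers |
    Sort-Object LegacyMembers -Descending |
    Export-Csv -Path $OutFile -NoTypeInformation
```

Each group costs one repadmin round trip to the DC, so over 24,000 groups expect a long run and schedule it off-hours; the CSV gives you the group list and counts to argue about before anyone touches membership.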

