My apologies.  :)

 - WJR


On Wed, Jun 19, 2013 at 7:55 AM, Webster <[email protected]> wrote:

>  i have no issues with any dc being virtual.  some of my old(er)
> colleagues in it do.  same thinking that some have about a ts/rds/xa server
> should not be virtualized.  some people in it also still believe the domain
> is the security boundary in ad.
>
>  some people never learn (dual meaning intended).
>
>  webster (back from spain, germany, england and denmark.  pay attention
> wjr!)
>
>
> Sent from my iPad so please excuse all the typos
>
> On Jun 19, 2013, at 2:42 AM, "John Matteson" <[email protected]>
> wrote:
>
> Why should a DC not be a virtual server? Are you talking a run of the
> mill DC/GC? Or are you talking about a DC/FSMO box?
>
> John M.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Webster
> Sent: Tuesday, June 18, 2013 9:00 PM
> To: <[email protected]>
> Subject: Re: [NTSysADM] RE: Finding AD groups with legacy members
>
> i have already shot down a few of the findings:
>
> every fsmo role needs to be on a separate dc (thanks brian for including
> this non issue in your book)
>
> must be on dfl/ffl 2008+ before you can migrate to win7
>
> a dc should not be virtualized (actually still fighting w/ the head of it
> on this one)
>
> and a few more stupid non issues
>
> this one finding of legacy members in groups is one i can't convince them
> may not be worth the effort.  they have many groups with many 1000s of
> members, they (the consultants who did the assessment) modify group
> membership frequently and believe it has a negative impact on bandwidth and
> replication traffic.
>
> my overall task on this project is to get all 3 of their forests to server
> 2012 dfl/ffl [1] satisfy the internal security team.
>
> webster
>
> 1.  before i can bring the first 2012 dc online, i have to prove in their
> lab that i can do a full forest recovery for all 3 forests!
>
> Sent from my iPad so please excuse all the typos
>
> On Jun 18, 2013, at 5:12 PM, "Brian Desmond" <[email protected]>
> wrote:
>
> I'd triage whether this is actually really necessary before you go and
> do this. I've had customers do this before – you have to build something to
> suck out the membership and then reload it.
>
> Thanks,
>
> Brian Desmond
>
> [email protected]
>
> w – 312.625.1438 | c – 312.731.3132
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Webster
> Sent: Tuesday, June 18, 2013 6:17 PM
> To: <[email protected]>
> Subject: [NTSysADM] Finding AD groups with legacy members
>
> Current project had a consulting group come in and do an AD Assessment.
> One of their findings was that they have many groups with almost 5,000
> members.  Most of the groups were created and users added pre 2003 DFL/FFL.
> Their conclusion was the legacy members need to be removed and readded
> to the groups to enable LVR for each group member.
>
> Whether you or I agree with this conclusion, I have been tasked with
> finding which of their almost 24,000 groups have Legacy members.  I know I
> can do this:
>
> C:\>repadmin /showobjmeta shc-dc "cn=administrators,cn=builtin,dc=shc,dc=org"
> 17 entries.
>
> <snip>
> 21 entries.
> Type             Attribute
>
> LEGACY        member
> LEGACY        member
> LEGACY        member
> LEGACY        member
> LEGACY        member
> LEGACY        member
> LEGACY        member
> LEGACY        member
> LEGACY        member
> LEGACY        member
> LEGACY        member
> LEGACY        member
> PRESENT       member
> PRESENT       member
> PRESENT       member
> PRESENT       member
> PRESENT       member
> PRESENT       member
> PRESENT       member
> PRESENT       member
> PRESENT       member
>
> C:\>
>
> I could run that command 24,000 times but it would be nice to automate
> that.  BUT, all the DCs are 2003 so I don't have access to using the
> Microsoft PowerShell AD stuff.  My GoogleFU is failing me and I have not
> found a script that finds AD Security groups with Legacy members.
>
> Any hints, clues, tips or help from the peanut gallery?
>
> Once I know all the groups with Legacy members, then my next task is the
> removing of the Legacy members and adding them back in so LVR is enabled (I
> did find a script for that).
>
> Once that is done, I can begin the process of moving them to Server 2012
> DCs and all those benefits.
>
> Thanks
>
> Carl Webster
>
> Consultant and Citrix Technology Professional
>
> http://www.CarlWebster.com
>
>
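One way to automate the repadmin step from the original question, as an added example that is not code from anyone in the thread: it enumerates security groups with an ADSI searcher (no AD PowerShell module needed, so it works against 2003 DCs), runs repadmin /showobjmeta against each group, and counts the LEGACY versus PRESENT member lines. The DC name, the LDAP search root and the output file name are assumptions taken from the thread's example.

```powershell
# Added example, not from the thread: report security groups whose membership
# still has non-LVR ("LEGACY") entries, using only repadmin and ADSI.
param(
    [string]$DomainController = "shc-dc",               # assumed DC name, as in the thread
    [string]$SearchRoot       = "LDAP://DC=shc,DC=org", # assumed domain root to enumerate
    [string]$OutFile          = "legacy-groups.csv"     # assumed output path
)

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
# Security-enabled groups only: groupType has the 0x80000000 bit set
# (LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803).
$searcher.Filter = "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))"
$searcher.PageSize = 1000                               # paged search, so >1000 groups come back
[void]$searcher.PropertiesToLoad.Add("distinguishedName")

$report = foreach ($result in $searcher.FindAll()) {
    $dn = [string]$result.Properties["distinguishedname"][0]
    # Same command the question runs by hand; PowerShell passes $dn as one quoted argument.
    $meta = & repadmin /showobjmeta $DomainController $dn 2>&1
    # In showobjmeta output each member value is one line whose first column is the
    # value's replication type: LEGACY (pre-LVR, no per-value metadata),
    # PRESENT (a live LVR value) or ABSENT (a removed LVR value).
    $legacy  = @($meta | Where-Object { $_ -match '^\s*LEGACY\s+member\b'  }).Count
    $present = @($meta | Where-Object { $_ -match '^\s*PRESENT\s+member\b' }).Count
    if ($legacy -gt 0) {
        New-Object PSObject -Property @{
            Group         = $dn
            LegacyMembers = $legacy
            LvrMembers    = $present
        }
    }
}

$report | Sort-Object LegacyMembers -Descending |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
"$(@($report).Count) group(s) with LEGACY members written to $OutFile"
```

Run it once per domain (changing $SearchRoot and $DomainController) to cover all three forests; the CSV gives the list of groups the later remove-and-re-add script has to touch, sorted by how many legacy values each still carries.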
