Re: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-28 Thread chuckgaff
My advice would have been to start with a 255.255.255.0 netmask (/24) - it's 
better for creating more subnets and hosts.  255.255.0.0 (/16) is more limiting 
if that is what the person is using, no matter what IP class is being used.  
But if not selected initially it's too late to easily go back...
 
Regards,
 
Chuck
 
 
-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sun, 28 Jan 2007 3:01 AM
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries


hello,
 
just to stop the troll...
Do you understand my other posts about your network?
Is your DC set up on its network interface with a 255.255.0.0 netmask?
 
Your setup will work fine from an AD point of view (dssite.msc), but not from an IP 
routing point of view if you are really using a 255.255.0.0
 
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
 
 
- Original Message - 
From: Brian Cline 
To: ActiveDir@mail.activedir.org 
Sent: Friday, January 26, 2007 10:19 PM
Subject: [ActiveDir] Overlapping AD Subnet Boundaries


Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, 
and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD 
treat a client address of, say, 10.10.41.104 as a client on the secondary site, 
or will it default to the more general primary subnet? The reason I ask is we 
now have a need for a second AD site (I can see all the enterprise folks 
grinning now) and we have quite a number of other subnets that I’d have to 
manually enter if this is not the case. I don’t mind doing it, but I was 
curious either way.
Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax



Re: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-26 Thread ChuckGaff
Brian,

Thanks for the feedback - yes I think two T-1s or maybe even one is overkill. 
 But you do have to consider the WAN infrastructure before determining sites. 
 The number of users is a factor if you consider each user is probably on a 
workstation.  In the scenario we never had the information of why a separate 
site was being decided.

I'm not sure the person in question really needs a site and that's why I'm 
asking these questions -- you could technically have a fractional T-1 link and 
a handful of users and still stay with a single site rather than having a 
remote site.  There are two areas of consideration -- authentication traffic 
but also replication traffic so both have to be included.   I've personally found 
that a lot of people will decide to create additional sites when they often 
don't need to be created.  

Regards,

Chuck


Re: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-26 Thread ChuckGaff
What I would be interested to find out is:

1.  What is the WAN link speed for the proposed 2nd AD site?
2.  How much free available bandwidth do you have between the two desired 
sites?
3.  How many users sit in the proposed 2nd AD site?

If you have a fast reliable WAN connection (like a pair of bonded T-1s or 
higher) between the 2 sites then perhaps you don't need the 2nd site.

I understand subnetting and it's possible to use a different subnet mask to 
achieve a separate subnet.  However there should be a compelling reason to go 
to a second AD site before deploying it that requires it as this might save you 
making things more complex than required.

Regards,

Chuck


Re: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-26 Thread ChuckGaff
What is the criteria you are using to say you need another site?  That's the 
first question to ask - maybe you think you need one and you don't --

Chuck


Re: [ActiveDir] Remote DC's on Virtual Server

2007-01-19 Thread ChuckGaff
Btw, internally Microsoft doesn't recommend Exchange virtually due to I/O 
issues ...  It's possible to run DCs on Virtual Server but I have questions 
about possible issues that I've heard about doing this.

Chuck


Re: [ActiveDir] can not browse the internet after dcpromo

2006-12-11 Thread ChuckGaff
What server did you run DCPromo on?  Is this the first in a forest and an 
additional DC you are creating for an existing domain and/or forest?  Did you 
select the option to install AD-integrated DNS through the DCPromo process?

More information is required to ascertain what transpired -

Thanks,

Chuck


Re: [ActiveDir] Pagefile not being seen?

2006-12-06 Thread chuckgaff
It's better to use 2x installed memory for Exchange as a starting point.  
Splitting the page file on separate physical disks should be OK as long as it 
is a total of 4 GB.  Depending on how much messaging activity you have you 
might want to bump up the memory to 4 GB and then the pagefile would need to 
obviously be increased substantially to about double the installed memory.
 
Chuck 
 
 
-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wed, 6 Dec 2006 3:31 PM
Subject: RE: [ActiveDir] Pagefile not being seen?


Check out this article for the Exchange memory settings.  There are a
few other tweaks in the registry.
http://support.microsoft.com/kb/815372

Do you have any third-party apps running on your Exchange servers?  I
have seen memory leaks in third-party apps cause this kind of virtual
memory issue.  
2K3 Standard does allow 4GB on a drive.  The way you have it set up with
2048 on two separate drives will give you a performance boost if they
are actually separate physical disks or RAID sets.  

I have typically heard 1.5 times physical for virtual, but I don't think
that is as much a best practice as a general rule of thumb.  Depending
on circumstances I have certainly set it lower or higher.  4 GB virtual
should certainly be enough.

Sorry for the random order of my answers.  I also have trouble following
directions and don't play well with others.

Hope this helps
Kevin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Wednesday, December 06, 2006 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Pagefile not being seen?

Colleagues,

On two different Windows 2003 servers in as many weeks I have seen a
popup when I logged in that says "Your system is low on virtual memory.
Windows is increasing the size of your virtual memory paging file.
During this process, memory requests for some applications may be
denied."

On one server, I had 2048 pagefile on C. On the other, I had 4096
pagefile on C, but the note at the bottom of the screen showed only
2050. Both servers have 2Gb physical RAM, and both are Exchange 2003
servers. I have now put 2048 on C: and another 2048 on F: on both
servers.

So, I wonder if I have things set up right, so I have a few questions:

1. Isn't the pagefile limit in 2K3 Standard 4Gb per drive as I have
read? Or is it actually 2Gb per drive? 
2. With 2Gb physical RAM, isn't 4Gb pagefile the standard?
3. With the /3GB and /USERVA=3030 switches set, which is what I learned
to do in class, why do I still get the Event Log error message that says
"The memory settings for this server are not optimal for Exchange."?

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/



Re: OT - RE: [ActiveDir] W. in hell

2006-09-04 Thread chuckgaff

This was sick and doesn't belong anywhere.


 


Chuck


 
 
-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sun, 3 Sep 2006 9:58 PM
Subject: RE: OT - RE: [ActiveDir] W. in hell









Nah, it looks more like the sender mistook this list for some other lists. On other lists, this would have engendered a more rapid-fire flame war to the sender's satisfaction, even though the joke itself is very old and has outlived its useful shelf life.


 


I'm sure he's disappointed that this list is so geeky and full of maroons with no sense of humors.


 








Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon







From: Laura A. Robinson
Sent: Sun 9/3/2006 5:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: OT - RE: [ActiveDir] W. in hell




Okay, has anybody considered the possibility that this was an accident? I
know I've accidentally sent mail to the wrong addresses before by letting
autofill kick in and not paying attention to what actually got autofilled,
and this seems like a very strange thing to send to this list intentionally.

Laura 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
> Sent: Sunday, September 03, 2006 8:49 AM
> To: ActiveDir@mail.activedir.org
> Subject: OT - RE: [ActiveDir] W. in hell
> 
> Yup and this list (especially with no OT marking) is the 
> place for that right?
> 
> Bring it to an OT list, mark your postings that have no 
> bearing on technical matter with an OT or something. 
> 
> Otherwise, you're just another spammer
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Brandon Pierce
> Sent: Sunday, September 03, 2006 1:14 AM
> To: Brandon Pierce
> Subject: [ActiveDir] W. in hell 
> 
> George Bush has a heart attack and dies.  He goes to hell, 
> where the Devil is waiting for him.
>  
> "I'm not sure what to do," says the Devil.  "You're on my 
> list, but I have no room for you.  As you definitely have to 
> stay here, I'm going to have to let someone else go.  I've 
> got three folks here who weren't quite as bad as you.
>  
> I'll let you decide who leaves."
>  
> George thought that sounded pretty good, so he agreed.
>  
> The Devil opened the first room.  In it were Richard Nixon 
> and a large pool of hot water.  He kept diving in and 
> climbing out, over and over.  Such was his fate in hell.
>  
> "No!" said George.  "I don't think so, I'm not a good swimmer 
> and don't think I could stay in hot water all day."
>  
> The Devil led him to the next room.  In it was Tony Blair 
> with a sledgehammer and a room full of rocks.  All he did was 
> swing the hammer, time after time.
>  
> No! I've got this problem with my shoulder.  I would be in 
> constant agony if all I could do was break rocks all day." 
> commented George.
>  
> The Devil opened the third door.  In it, George saw Bill 
> Clinton lying on the floor with his arms staked over his 
> head, and his legs staked in a spread-eagle pose.  Bent over 
> him was Monica Lewinsky, doing what she does best.
>  
> George Bush looked at this in disbelief for a while, and 
> finally said "Yeah, I can handle this."
>  
> The Devil smiled and said, "OK, Monica, you're free to go!"
> 
> 
> 
> 











Re: [ActiveDir] FMSO roles split, patch question.

2006-08-19 Thread ChuckGaff


Just don't try to do NetWare on Virtual Server -- ouch...  other OSes seem to behave better -
 
Chuck
 


Re: [ActiveDir] Acqusition of 2003 Forest - options & experiences

2006-07-13 Thread ChuckGaff


The tools are great from Quest - use either the Consolidator tool or the Domain Migration Wizard (DMW) depending on your scenario.  The tools are a must for medium to large-scale customers.
 
Chuck
 


Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferr...

2006-07-13 Thread ChuckGaff


Absolutely - you will want the DC to do a DNS query for itself first and then the second DNS entry to the next nearest DNS server.  Hopefully you are using AD-integrated zones where possible.
 
Chuck


Re: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread ChuckGaff


Looks like SP1 fixes the DNS issue by replacing a few DNS files -- At this point Windows 2003 SP1 should be a minimum.  Good find -
 
Chuck
 
 


Re: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread ChuckGaff


There were known issues with NT 4.0 WINS resolution when WINS packets were lost trying to return through the 2nd NIC on multi-homed DCs.  But I have heard that this isn't the case in Windows 2000/2003.  Otherwise you are probably OK but double-check DNS as well per the other email.
 
Regards,
 
Chuck


Re: [ActiveDir] A quick(?) NTP question

2006-06-21 Thread chuckgaff

That's my understanding as well: the second one is a backup NTP address in the event that the first one is not available for some reason.  I would hope that if pointing to the US Naval Observatory NTP addresses that neither would fail.
 
Chuck

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wed, 21 Jun 2006 11:06:02 -0700
Subject: RE: [ActiveDir] A quick(?) NTP question




From what I have seen, it appears to pick one randomly. I don't know if there is any logic to the randomness. But, no, it does not speak to 2 and adjust. If it gets a valid response from either of the 2 you've configured, then the job is done.
HTH
 


Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: [EMAIL PROTECTED]
Sent: Wed 6/21/2006 3:05 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] A quick(?) NTP question

Here's a simple one for anyone who understands the internals of NTP: 
Scenario: PDCe in root domain is configured to use 2 NTP servers 
Question: Will the PDCe always sync with the same NTP server unless it's not available and then sync with the other NTP server? Or Will the PDCe talk to both NTP servers and adjust its clock according to the various NTP algorithms used to determine which NTP server is 'more accurate'?
If the latter, does anyone have a doc which explains that algorithm? 
Many thanks, neil 







Re: [ActiveDir] NETBIOS Character Limitation?

2006-06-16 Thread chuckgaff

You're probably hitting the administrative share that may take up a character.  NetBIOS still has 15 characters and the 16th character is cached, which represents the type of service or function (<03>, <20>, etc.), some of which represent the server or workstation service, or define a device as a Domain Controller --
 
Chuck

-Original Message-
From: Medeiros, Jose <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Fri, 16 Jun 2006 08:58:10 -0700
Subject: [ActiveDir] NETBIOS Character Limitation?






Greetings, 
 
I am trying to create a 15 character SQL cluster name in Active Directory using a web based tool. The tool will only allow me to use 14 characters and the Active Directory group states "The 14 character limit is due to the '$' that must be appended to the samAccountName for backward compatibility. WINS has a 15 character limit. To ensure there is always room for the '$' the field is limited to 14 characters".
 
I have been working with WINS since 3.51, and it has always been that NetBIOS names are 15 characters followed by a 16th binary value used as a unique ID. I have Michael Masterson's WINS & DNS book (I was on the board of the NTEA www.ntea.net with him). http://www.amazon.com/gp/product/1562059432/qid=1150472910/sr=1-7/ref=sr_1_7/002-3567057-9128019?s=books&v=glance&n=283155
 
Was the character limitation reduced in AD 2003 and Wins?
 
Sincerely,
Jose Medeiros
Storage Area Network Systems Engineer
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct, 408-449-6621 Cell
"Anyone who has never made a mistake has never tried anything new."
 Albert Einstein 
 



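An added example (not from the thread) of the 16-byte NetBIOS name layout Chuck describes: 15 name characters padded with spaces plus a suffix byte that names the service, the '$'-suffixed sAMAccountName the web tool in the question is reserving room for, and the RFC 1001 first-level encoding such a name is carried in on the wire. Host names are constructed; the suffix meanings are the standard ones.

```python
"""Added example, not from the thread: build, decode and encode the 16-byte
NetBIOS name (15 characters + 1 suffix byte) that the reply describes."""

# Standard suffix bytes (the <00>, <20>, <1C> values seen in nbtstat output).
SUFFIX_MEANING = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x20: "File Server Service",
    0x1B: "Domain Master Browser (registered by the PDC)",
    0x1C: "Domain Controllers (group)",
}

NAME_CHARS = 15  # the 15-character limit; the 16th byte is the suffix


def netbios_name(host: str, suffix: int) -> bytes:
    """Return the 16-byte NetBIOS name for host with the given suffix byte.
    Raises ValueError when host does not fit in the 15-character field."""
    host = host.upper()
    if not host or len(host) > NAME_CHARS:
        raise ValueError(f"NetBIOS names hold at most {NAME_CHARS} characters: {host!r}")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    # Space-pad to 15 bytes, then append the suffix as the 16th byte.
    return host.encode("ascii").ljust(NAME_CHARS, b" ") + bytes([suffix])


def split_netbios_name(name16: bytes):
    """Inverse of netbios_name: (host, suffix, meaning) for a 16-byte name."""
    if len(name16) != NAME_CHARS + 1:
        raise ValueError("a NetBIOS name is exactly 16 bytes")
    host = name16[:NAME_CHARS].rstrip(b" ").decode("ascii")
    suffix = name16[NAME_CHARS]
    return host, suffix, SUFFIX_MEANING.get(suffix, "unknown suffix")


def sam_account_name(host: str) -> str:
    """Computer objects carry the NetBIOS host name plus a trailing '$' as
    sAMAccountName; a 15-character host therefore yields a 16-character value,
    which is the '$' the web tool in the question reserves a character for."""
    host16 = netbios_name(host, 0x00)  # validates the 15-character limit
    return host16[:NAME_CHARS].rstrip(b" ").decode("ascii") + "$"


def first_level_encode(name16: bytes) -> bytes:
    """RFC 1001 'first-level' encoding used in NetBIOS packets: each byte is
    split into two nibbles and each nibble is written as 'A' + nibble, so the
    16-byte name becomes 32 bytes of A..P characters."""
    out = bytearray()
    for b in name16:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def first_level_decode(encoded: bytes) -> bytes:
    """Inverse of first_level_encode."""
    if len(encoded) != 2 * (NAME_CHARS + 1):
        raise ValueError("encoded NetBIOS names are 32 bytes")
    pairs = zip(encoded[0::2], encoded[1::2])
    return bytes(((hi - 0x41) << 4) | (lo - 0x41) for hi, lo in pairs)


if __name__ == "__main__":
    # Constructed 15-character cluster name, as in the question.
    name = netbios_name("SQLCLUSTER01234", 0x20)
    print(name, split_netbios_name(name), sam_account_name("SQLCLUSTER01234"))
    print(first_level_encode(name))
```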




Re: [ActiveDir] Time Server for Forest Root PDC

2006-06-13 Thread chuckgaff

You do want to choose a reliable source, whatever it is.  An external atomic clock is most likely to be reliable so long as you can communicate with it successfully and consistently.  It is important to keep internal system clocks in synch.
 
Chuck

-Original Message-
From: Rob MOIR <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Tue, 13 Jun 2006 11:33:20 +0100
Subject: RE: [ActiveDir] Time Server for Forest Root PDC


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED]] On Behalf Of Teo De Las Heras
> Sent: 12 June 2006 18:23
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Time Server for Forest Root PDC
> 
> How have people on this list configured their Forest Root PDC to
> synchronize the time service?  Is it O.K. to use an internal time
> server on a firewall?  Is it best to point to tick.usno.navy.mil or
> time.windows.com?

I'm coming late to this party but that hasn't stopped me throwing in my
two pennies worth before...

We have our own atomic / radio clock here, physically attached to a DC.
The DC it is connected to syncs to this hardware and all our other
servers sync to this DC.

My feeling is that while having the correct time is obviously a very
good thing, what is more important is that all your nodes are consistent
with each other; in other words, I think that what source you pick is
less important than picking just one source and making damn sure every
node uses time that is based off this source.

-- 
Robert Moir
Microsoft MVP for Windows Servers & Security
Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong   | Good vs. Evil
God vs. the devil | What side you on?






Re: [ActiveDir] Time Server for Forest Root PDC

2006-06-12 Thread chuckgaff

The best approach is to setup NTP on the PDC Emulator role Forest Root DC to point to the two IP addresses by IP on the 2 US Naval Observatory time servers.  It is possible to use an internal server but best to use the external ones, depending on the individual company.
 
Chuck

-Original Message-
From: Teo De Las Heras <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Mon, 12 Jun 2006 13:22:33 -0400
Subject: [ActiveDir] Time Server for Forest Root PDC



How have people on this list configured their Forest Root PDC to synchronize the time service?  Is it O.K. to use an internal time server on a firewall?  Is it best to point to tick.usno.navy.mil or time.windows.com?
 
Teo





Re: [ActiveDir] High CPU utilization during GPO updates

2006-06-08 Thread ChuckGaff



Ok - thanks -- that's better than what you would see on Windows 2000 -- 
Darren can give you good info...
 
Chuck


Re: [ActiveDir] High CPU utilization during GPO updates

2006-06-08 Thread ChuckGaff



Are you running Windows 2000 or 2003 DCs?
 
Chuck


Re: [ActiveDir] NET TIME command

2006-05-25 Thread ChuckGaff



Be sure you have setup net time on the PDC Emulator server role as a 
starting point.  Ideally you should point to the IP addresses of the US 
Naval Observatory time servers off the Internet.
 
Regards,
 
Chuck


Re: [ActiveDir] [OT] RAID 5 Best Practice

2006-05-23 Thread ChuckGaff



Exchange ideally should be run on RAID 1+0 if at all possible, even if it 
starts off with 4 disks although more is better and a SAN is preferable.  
Get the Exchange guides from the MS Technet site and start reading ...
 
Good luck,
 
Chuck


Re: [ActiveDir] [OT] RAID 5 Best Practice

2006-05-18 Thread ChuckGaff



The cable harness and backplane are two places for single point of failure 
on a single server, but if something can be clustered this resolves those 
issues.  However, the disk, since it's one of the few mechanical components 
of a server system, is something to be concerned about since the chance of a 
disk failure is probably greater on a well-built server than any other 
component.
 
Chuck
 


Re: [ActiveDir] [OT] RAID 5 Best Practice

2006-05-18 Thread ChuckGaff



One advantage of RAID 5 over RAID 1 mirroring is that with a RAID 5 hot 
spare, 2 drives can fail and you don't lose the data which is not possible with 
2 RAID 1 mirrored drives.  However RAID 5 is faster.  Another 
advantage is that you have to buy double the disks for RAID 1 as compared with 
RAID 5.  
 
Chuck


Re: [ActiveDir] Image a DC?

2006-05-11 Thread chuckgaff

Agreed - Image a server as a member of a workgroup if needed and then run DCPromo after changing the network settings and computer name to ensure uniqueness of IP and NetBIOS name.  Then you can get a unique Domain name and equivalent SIDs/GUIDs.  After a project of deploying 70 of these you have to do the DCPromo after the imaging.  Some software also can be included but some will require DCPromo provided information (such as backup software that will need the Sysvol folder built after the fact).
 
Chuck

-Original Message-
From: joe <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Thu, 11 May 2006 10:53:03 -0400
Subject: RE: [ActiveDir] Image a DC?


Ummm. No. Do not do it. Someone is misguided. Do not image domain controllers. 


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
On Behalf Of Mark Parris
Sent: Thursday, May 11, 2006 10:07 AM
To: ActiveDir.org
Subject: [ActiveDir] Image a DC?

Am I reading this correctly - HP is stating I should create an image of a DC and 
then deploy this DC image to all new DC's ?
Or does something happen under the hood?

Page 16.

Mark

http://docs.hp.com/en/eclass-is-platform/eclass-is-platform.pdf
 

Double-click on Create Image and enter the path and file name to store the new 
disk image. Since this image is of a Domain Controller, the image data should be 
stored in a secure location. If the local file system does not suffice for this 
purpose, then select something other than ".\images\."
Otherwise, type in a name and location such as ".\images\adimage.img." Click 
Finish to save the task. (Figure 11).

 Drag and drop this script to the server assigned as an Active Directory server 
through the deployment console. This causes the Domain Controller to be imaged. 
In order to keep a good backup of the Domain Controller, this process should be 
repeated periodically so that the image available for redeployment
(should this be necessary) is as up-to-date as possible.




Re: [ActiveDir] Putting a DC on VMware

2006-01-30 Thread ChuckGaff



DCs can be built on VMWare so long as they stay up and running like 
actual hardware DCs and are properly backed up and maintained with the same 
standards.
 
Regards,
 
Chuck
 


Re: [ActiveDir] Time Service

2005-12-28 Thread ChuckGaff



Yes, the Domain Controller holding the PDC Emulator Role is the 
Domain-based FSMO which should be configured, ideally for external time from an 
atomic clock such as the US Naval Observatory two addresses so long as you have 
access through Port 123.    Desktops can be configured if desired to 
point to the PDC Emulator for time synchronization with the PDC Emulator Role 
server.
 
Chuck
Architect, Unisys
 
 
 
 
 


Re: [ActiveDir] W2K & W2K3 environment.

2005-12-14 Thread ChuckGaff



Absolutely -- you must fix DNS and other core service issues in Windows 
2000 or your migration could experience difficulties.
 
Chuck
 


Re: [ActiveDir] Reducing number of Global Catalogs

2005-12-14 Thread ChuckGaff



Actually I prefer that all DCs be GCs and can't see why you wouldn't 
do that globally at this point in time.
 
Chuck


Re: [ActiveDir] Reducing number of Global Catalogs

2005-12-14 Thread ChuckGaff



The issue with IM on GCs is solved in Windows 2003 for multi-domain 
forests...
 
Chuck
 


Re: [ActiveDir] FSMO role transfer

2005-11-30 Thread chuckgaff

A lot more is going on behind the scenes when transferring FSMOs besides checking boxes -- Also there's more to moving to Domain Naming Master -- 
 
Chuck
 
-Original Message-
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Wed, 30 Nov 2005 13:38:43 -0800
Subject: Re: [ActiveDir] FSMO role transfer


That's my point.  If this is, according to some of the threads on this, normal, regular, and part of a risk management process to just move these roles around, yes? Why not one click?

Cace, Andrew wrote:
> It is available in the AD snap-ins. In AD Domains & Trusts, you can
> transfer the Domain Naming master by right-clicking the name of the snap-in
> in tree-view and choosing Operations Master. In ADUC, right-click the name
> of the domain and choose Operations Master to transfer the RID, PDC, and
> Infrastructure masters. In the Schema Management snapin, you can transfer
> the Schema master by right-clicking Active Directory Schema and choosing
> Operations Master.
>
> Next question...Why isn't there a single place to click all of these?
>
> -Andrew
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA
> aka Ebitz - SBS Rocks [MVP]
> Sent: Wednesday, November 30, 2005 3:09 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] FSMO role transfer
>
> If the task is that trivial
> If the benefit is so great
> Why isn't it part of the AD snap ins as a one button task?
>
> instead>
>
> David Adner wrote:
>> I'm not debating the effort it takes to make the change. I'm saying I
>> don't see the point in devoting whatever amount of effort it takes for
>> something that's going to provide benefit only, IMO, an extremely rare
>> case. And if that case happened, the corrective action is also a
>> trivial process. And again, I'm not saying I don't see your point; I just
>> don't agree with it.
>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED]] On Behalf Of Bahta
>>> Nathaniel V Contractor NASIC/SCNA
>>> Sent: Wednesday, November 30, 2005 12:32 PM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: RE: [ActiveDir] FSMO role transfer
>>>
>>> That process is trivial in itself. It does not take much to transfer
>>> the roles before you conduct maintenance on a server. Why not do it?
>>> It will save you cleaning up metadata after you seize a role of a
>>> failed operations master. Sounds like a stitch in nine saves time
>>> concept to me. I do not intend on taking every proactive measure
>>> either, but when it comes to the small and quickly implemented
>>> measures that could save plenty of time, I try to utilize all of them
>>> available.
>>>
>>> Is that agreeable?
>>>
>>> Nathaniel Vincent Bahta
>>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED]] On Behalf Of David Adner
>>> Sent: Wednesday, November 30, 2005 1:24 PM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: RE: [ActiveDir] FSMO role transfer
>>>
>>> Any proper maintenance plan has a backout plan and a recovery plan,
>>> so I am preparing for the possibility of an unexpected problem. If
>>> I'm pulled into a dark room because something goes wrong then I
>>> should feel confident I'll leave that room with my hide mostly
>>> intact; it may be slightly singed, but I can live with that. If
>>> management isn't the reasonable type then that's a different issue.
>>>
>>> If your philosophy is to take every proactive measure ahead of time
>>> possible, then that's fine. I just don't see the point with regards
>>> to FSMO roles when the recovery action is a relatively trivial
>>> process. This is obviously a matter of personal preference so I'm
>>> not trying to convince others to change. I just found the concept
>>> unusual so I thought I'd share.
>>>
>>>> -Original Message-
>>>> From: [EMAIL PROTECTED]
>>>> [mailto:[EMAIL PROTECTED]] On Behalf Of
>>>> [EMAIL PROTECTED]
>>>> Sent: Wednesday, November 30, 2005 10:16 AM
>>>> To: ActiveDir@mail.activedir.org
>>>> Subject: RE: [ActiveDir] FSMO role transfer
>>>>
>>>> I would rather, as stated earlier, assess the risk and then act
>>>> appropriately. The original poster never defined 'maintenance' in
>>>> detail.
>>>>
>>>> The original post did state that the box would be down for ~2 hours
>>>> for maintenance. This is clearly more than a patch and a reboot. We've
>>>> been over that scenario and concluded that it carries a lesser risk.
>>>>
>>>> As joe said, if the maintenance all goes badly wrong, do you want to
>>>> be pulled into a dark room and questioned as to why you did not
>>>> prepare for that eventuality?
>>>>
>>>> neil
>>>>
>>>> -Original Message-
>>>> From: Activ [EMAIL PROTECTED]
>>>> [mailto:[EMAIL PROTECTED]] On Behalf Of Susan
>>>> Bradley, CPA aka Ebitz - SBS Rocks [MV

Re: [ActiveDir] FSMO role transfer

2005-11-29 Thread ChuckGaff



I've not worried about transferring the FSMO roles for general maintenance 
such as defragmentation or updating SPs, etc.  It's up to how flaky or 
solid  the DCs are -- if they are that flaky then maybe it's time to buy 
some newer hardware ...
 
Chuck
 


Re: [ActiveDir] FSMO role transfer

2005-11-29 Thread ChuckGaff



If something went wrong you could still seize the FSMO roles as an option 
rather than doing a transfer.  Of course the procedures for all of these 
for the 5 FSMOs should be documented just in case needed..  
 
Chuck
 


Re: [ActiveDir] FSMO role transfer

2005-11-29 Thread ChuckGaff



You can have the servers down for 2 hours with the Forest FSMO roles and/or 
the Domain FSMO roles for cleanup without concern.  It would become more of 
an issue if for a day or more.  Also bear in mind what each FSMO roles does 
since each is unique to a domain or the entire forest so that you don't rely on 
those things at the time of the cleanup.  One other consideration is that 
the three domain roles are easier to transfer but don't worry about them for 
scheduled maintenance of as short as 2 hours.
 
Chuck Gafford
Systems Architect
Unisys
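A worked version of the practice these three posts discuss (record who holds the five roles, transfer them off the box before it goes down, verify, and keep seize as the documented fallback). This is an added example and not code from the thread; it uses the ActiveDirectory PowerShell module, which postdates the 2005 discussion, and the host names DC01 and DC02 are placeholders:

```powershell
# Added example (not from the list thread): pre-maintenance FSMO check and
# transfer with the ActiveDirectory module (RSAT, Windows Server 2008 R2+).
# Hypothetical names: DC01 = holder going into maintenance, DC02 = target.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Returns a hashtable: role name -> DNS host name of the current holder.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    return @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRolesOffHost {
    param(
        [Parameter(Mandatory)][string]$Source,   # DC about to go down
        [Parameter(Mandatory)][string]$Target,   # DC that holds the roles meanwhile
        [switch]$Seize                           # only if $Source is not coming back
    )
    $before = Get-FsmoHolders
    # Only the roles the source actually holds need to move.
    $roles = $before.GetEnumerator() |
        Where-Object { $_.Value -like "$Source*" } |
        ForEach-Object { $_.Key }
    if (-not $roles) {
        Write-Host "$Source holds no FSMO roles; nothing to transfer."
        return $before
    }
    Write-Host "Roles held by ${Source}: $($roles -join ', ')"
    # -Force turns a clean transfer into a seize. A seized role's old holder
    # must not come back online with the role, which is the metadata cleanup
    # the quoted posters want to avoid; hence transfer first, seize last.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target `
        -OperationMasterRole $roles -Force:$Seize -Confirm:$false
    $after = Get-FsmoHolders
    foreach ($r in $roles) {
        if ($after[$r] -notlike "$Target*") {
            throw "Role $r did not move to $Target (now: $($after[$r]))"
        }
    }
    return $after
}

# Record the holders in the change ticket, move the roles, verify the result.
Get-FsmoHolders | Format-Table -AutoSize
Move-FsmoRolesOffHost -Source 'DC01' -Target 'DC02' | Format-Table -AutoSize
# Cross-check with the classic tool:  netdom query fsmo
```

The `-Seize` switch exists only so the fallback the posts mention is in the same documented script; a seize is for a holder that will not return, and the verification loop at the end applies to both paths.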


Re: [ActiveDir] CertSvc Error

2005-11-11 Thread ChuckGaff



True if running in production -- thanks on the feedback of not needing to 
do a reinstall ...
 
Chuck
 


Re: [ActiveDir] CertSvc Error

2005-11-11 Thread ChuckGaff



It can't hurt to try the uninstall/reinstall approach since that might not 
be a component that is "upgradable" ...
 
Chuck
 


Re: [ActiveDir] Crashed Root DC HELP!

2005-11-01 Thread ChuckGaff



Do you have any other forest root domain DCs or is this the only one?  
Also, which FSMOs resided on this root DC besides the Schema Master and 
Infrastructure Master?  Did it also have the Domain Naming Master, RID 
Master and PDC Emulator roles?  
 
If you have other forest root DCs you may be able to transfer the roles 
using NTDSUtil -- check Microsoft.com for detailed instructions in syntax 
--  If not, then this is a case where you may need to try to recover the 
System State data from backup.
 
Good luck ...
 
Chuck Gafford
Systems Architect
Unisys 


Re: [ActiveDir] Exchange now supported on virtual hardware

2005-10-31 Thread ChuckGaff



It may make sense for smaller environments - I'm usually dealing with 
the 1000 user-plus environments on most occasions.  In everything testing 
is key.
 
Thanks for the good points,
 
Chuck Gafford
Systems Architect
Unisys
 


Re: [ActiveDir] Browser Election on Network.

2005-10-31 Thread chuckgaff

There are rules for a client becoming a Master Browser -- OS version, amount of RAM, etc. that can cause a desktop to become the Master Browser.  If you turn off the Browser service (or you can hack the Registry and switch a setting from Auto to No for trying to become a Master Browser), this will solve the problem.
 
If you can get a copy of Browse Monitor from the server ResKit, you can then see which machines are becoming a Master Browser for a domain.  It seems like this happens more in Windows 2000 domains with XP machines and when PCs are more powerful than servers since a PC can become a Master Browser.
 
Regards,
 
Chuck Gafford
Systems Architect
Unisys
-Original Message-
From: Webster <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Sun, 30 Oct 2005 18:21:40 -0600
Subject: RE: [ActiveDir] Browser Election on Network.


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]] On Behalf Of Ravi Dogra
> Subject: Re: [ActiveDir] Browser Election on Network.
> 
> Yes this Box is a DC in my Network.
> 
> That is what makes me worry. why would a client machine win an
> election for Network Browser master.

Had a network where browstat showed 16 master browsers (1 DC, 2 SQL servers
and 13 XP SP2 PCs) on the network.  They had another issue we were tracking
down so PSS had the customer disable the Computer Browser service on all
servers but the PDC Emulator DC and issue a GPO to disable that service on
all PCs.  That stopped the browser master wars (reducing network traffic)
and helped us narrow down the other issue (1 building could not browse the
network and no other building could see them in NN).

HTH


Webster

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
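The two remedies in this thread (the registry value behind "switch a setting from Auto to No", and disabling the Computer Browser service everywhere except the PDC emulator) as an added PowerShell example; it is not code from the thread, and the host list is constructed. `MaintainServerList` is the real value name under the Browser service's Parameters key; the script assumes PowerShell remoting is enabled on the targets and that the ActiveDirectory module is available:

```powershell
# Added example (not from the thread): inventory browser-election settings and
# keep the Computer Browser service only on the PDC emulator.
# Registry value behind "Auto -> No" in the post:
#   HKLM\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList
#   Yes = always try to be a browser, Auto = join elections, No = never.
Import-Module ActiveDirectory
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Browser\Parameters'

function Get-BrowserRole {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $svc = Get-Service -Name Browser -ErrorAction SilentlyContinue
        $msl = (Get-ItemProperty -Path $using:regPath -ErrorAction SilentlyContinue).MaintainServerList
        [pscustomobject]@{
            Computer           = $env:COMPUTERNAME
            ServiceStatus      = if ($svc) { $svc.Status }    else { 'NotInstalled' }
            ServiceStartType   = if ($svc) { $svc.StartType } else { 'NotInstalled' }
            MaintainServerList = if ($msl) { $msl }           else { 'Auto (default)' }
        }
    }
}

function Disable-BrowserParticipation {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Belt and braces: the value stops elections, the service stop ends
        # the "browser master wars" the reply describes.
        Set-ItemProperty -Path $using:regPath -Name MaintainServerList -Value 'No'
        Stop-Service -Name Browser -ErrorAction SilentlyContinue
        Set-Service -Name Browser -StartupType Disabled
    }
}

# Constructed host list; the PDC emulator is looked up, not hard-coded.
$pdce  = (Get-ADDomain).PDCEmulator.Split('.')[0]
$hosts = 'DC01', 'DC02', 'SQL01', 'WS-042'
foreach ($h in $hosts) {
    if ($h -ieq $pdce) { continue }          # the one machine that keeps the role
    Disable-BrowserParticipation -ComputerName $h
}
$hosts | ForEach-Object { Get-BrowserRole -ComputerName $_ } | Format-Table -AutoSize
# The ResKit tool the posts mention shows the outcome:  browstat status
```

For the workstations, the GPO route Webster's PSS case used (System Services under Security Settings) scales better than remoting to each PC; the script above is meant for the handful of servers.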



Re: [ActiveDir] Exchange now supported on virtual hardware

2005-10-31 Thread chuckgaff

I could see virtualizing low-end Exchange systems such as FEs and Bridgehead servers as stated earlier.  The higher end databases are the ones that I have a problem with at this point in time, but I'm sure that the technology will evolve to where this becomes possible for higher end databases.
 
It would be best in all cases to test a virtualized and non-virtualized option with production levels before proceeding in a production environment.
 
Chuck Gafford
Systems Architect
 
Unisys
-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sun, 30 Oct 2005 09:25:09 -0800
Subject: RE: [ActiveDir] Exchange now supported on virtual hardware


>>Perhaps some day I'll have time to run JetStress on a clustered Exchange
server on ESX attached to a SAN to see how it performs.
 
Which is a good thing to do before concluding that virtualizing exchange is a
"no-no". I'm jetstressing, and doing the old, trusted loadsim (albeit without
access to a SAN) and I can't see a diff in performance. It's easy to base
our conclusions on prior (bad) experiences and start telling people not to
virtualize exc. But, until we can see any conclusive study of a performance
lag, such advice is technically unsound and indefensible. Virtualization has
evolved.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Presley, Steven
Sent: Sun 10/30/2005 8:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange now supported on virtual hardware



We are quite a large ESX shop (number of guest OS's are in the 1000's I
believe) and while I fought it for quite some time we have ended up
using ESX for our 5 front-end servers and our 3 bridgehead servers.
Most ESX guest OS's don't require much tweaking, but Exchange certainly
does (at least the bridgehead servers).  Once we got the settings right
for the bridgehead servers they fly like any other piece of hardware
(the FE's didn't really require much tweaking).  We have roughly 4,000
POP3\IMAP users, an average of 6k-7k of unique logons into OWA weekly,
and roughly 800,000 messages going through the bridgehead servers daily.
Virtualization of Exchange does indeed work for these types of servers
when properly configured.  Where I have seen ESX (and its little sister
GSX) fail is hosting for servers that run highly active databases.  ESX
works great for dedicated SMTP\POP3\IMAP\HTTP servers, but I would never
put a production Exchange mail store server on ESX for performance
reasons alone.  I have not specifically tested it however, but it's more
based on past experience (perhaps as virtualization advances this
will be a reality some day).  Perhaps some day I'll have time to run
JetStress on a clustered Exchange server on ESX attached to a SAN to
see how it performs.

For anyone who might ask why such a large virtualization footprint in
our datacenters.  The reason is simple.  We have literally run out of
space and power in our datacenters.  Even as we build new datacenters
they fill up just as fast as we open them.  While I don't have the
numbers to give (not my field of focus here) I seem to remember seeing a
report that virtualizing certain portions of our datacenter, where
possible, has so far saved millions in hardware costs.

It certainly is not for everything, but virtualization technology is
definitely improving to where it is definitely an option.  For Exchange
and Active Directory, if ESX (or Virtual Server) is properly configured
it can work quite well.

Best regards,
Steven

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
> Sent: Friday, October 28, 2005 6:49 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Exchange now supported on virtual hardware
>
> I disagree. Exchange on ESX can work out quite well in
> certain situations...
>
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
> 
> c - 312.731.3132
> 
> 
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of
> Medeiros, Jose
> Sent: Friday, October 28, 2005 5:29 PM
> To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Exchange now supported on virtual hardware
>
> I could not have worded that better.
>
> Sincerely,
> Jose Medeiros
> ADP | National Account Services
> ProBusiness Division | Information Services
> 925.737.7967 | 408-449-6621 CELL
> 
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, October 28, 2005 6:53 AM
> To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Exchange now suppor

Re: [ActiveDir] Exchange now supported on virtual hardware

2005-10-29 Thread chuckgaff

It's possible on ESX but I'm still inclined to recommend not virtualizing Exchange.   I think it's terrific with a good SAN on a Windows 2003 cluster and with high-end server hardware.  Again, for testing and development, that's fine.  Maybe I'm old school but that's where I'm at - I don't personally think the technology is quite as ready for prime time yet to entrust enterprise messaging systems on it --
 
Chuck

-Original Message-
From: Brian Desmond <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Fri, 28 Oct 2005 18:48:48 -0400
Subject: RE: [ActiveDir] Exchange now supported on virtual hardware


I disagree. Exchange on ESX can work out quite well in certain situations...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose
Sent: Friday, October 28, 2005 5:29 PM
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange now supported on virtual hardware

I could not have worded that better.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 28, 2005 6:53 AM
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Exchange now supported on virtual hardware


I couldn't agree more with Tony -- Exchange is a resource hog and should not
be done on VMWare except for testing purposes.  Just because you can doesn't
mean you should

Chuck Gafford
Systems Architect
Unisys
Mobile:  (405) 819-6766


-Original Message-
From: Medeiros, Jose <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Cc: # Jose Medeiros-IBM (E-mail) <[EMAIL PROTECTED]>
Sent: Thu, 27 Oct 2005 15:39:35 -0700
Subject: [ActiveDir] Exchange now supported on virtual hardware


Hi Tony, 

I have to respond to this. Many IT managers think you can just virtualize
any 
application because of all the marketing hype. Be very careful, I/O is
critical 
to Exchange and any other database application which may make running it on 
VMWARE or VIRTUAL SERVER unpractical not to mention Exchange is also very 
resource intensive and will take whatever it can. Now I am sure if you have
a 
very small environment that it may make sense, but with Microsoft Small
Business 
server why would you want to?

Anybody else care to throw in their two cents?

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
Behalf Of Tony Murray
Sent: Thursday, October 27, 2005 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT] Exchange now supported on virtual hardware


Microsoft has introduced support for Exchange 2003 SP2 and later on Virtual 
Server 2005 R2.  This article has just been released.
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;320220
 
I guess this means we can now run a DC and Exchange on the same physical 
hardware without any of the previous limitations.
 
Tony




Re: [ActiveDir] Exchange now supported on virtual hardware

2005-10-28 Thread ChuckGaff



Good thought on the consolidation scenario -- I can see a few more places 
where it might be helpful.
 
Chuck
 


Re: [ActiveDir] Exchange now supported on virtual hardware

2005-10-28 Thread chuckgaff

What's your sizing of mail stores and mailboxes there --
 
Chuck
-Original Message-
From: Coleman, Hunter <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Fri, 28 Oct 2005 08:35:27 -0600
Subject: RE: [ActiveDir] Exchange now supported on virtual hardware



"It depends..."
 
We're running some production Exchange front-end servers on ESX and they perform as well as others that we have on physical hardware. Connector servers are also good candidates. Heavily loaded mailbox servers...I agree with you there.
 
Hunter


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 28, 2005 7:53 AM
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Exchange now supported on virtual hardware


I couldn't agree more with Tony -- Exchange is a resource hog and should not be done on VMWare except for testing purposes.  Just because you can doesn't mean you should
 
Chuck Gafford
Systems Architect
Unisys
Mobile:  (405) 819-6766
 
-Original Message-
From: Medeiros, Jose <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Cc: # Jose Medeiros-IBM (E-mail) <[EMAIL PROTECTED]>
Sent: Thu, 27 Oct 2005 15:39:35 -0700
Subject: [ActiveDir] Exchange now supported on virtual hardware


Hi Tony, 

I have to respond to this. Many IT managers think you can just virtualize any 
application because of all the marketing hype. Be very careful, I/O is critical 
to Exchange and any other database application which may make running it on 
VMWARE or VIRTUAL SERVER unpractical not to mention Exchange is also very 
resource intensive and will take whatever it can. Now I am sure if you have a 
very small environment that it may make sense, but with Microsoft Small Business 
server why would you want to?

Anybody else care to throw in their two cents?

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Behalf Of Tony Murray
Sent: Thursday, October 27, 2005 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT] Exchange now supported on virtual hardware


Microsoft has introduced support for Exchange 2003 SP2 and later on Virtual 
Server 2005 R2.  This article has just been released.
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;320220
 
I guess this means we can now run a DC and Exchange on the same physical 
hardware without any of the previous limitations.
 
Tony




Re: [ActiveDir] Exchange now supported on virtual hardware

2005-10-28 Thread chuckgaff
I couldn't agree more with Tony -- Exchange is a resource hog and should not be done on VMWare except for testing purposes.  Just because you can doesn't mean you should
 
Chuck Gafford
Systems Architect
Unisys
Mobile:  (405) 819-6766
 
-Original Message-
From: Medeiros, Jose <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Cc: # Jose Medeiros-IBM (E-mail) <[EMAIL PROTECTED]>
Sent: Thu, 27 Oct 2005 15:39:35 -0700
Subject: [ActiveDir] Exchange now supported on virtual hardware


Hi Tony, 

I have to respond to this. Many IT managers think you can just virtualize any 
application because of all the marketing hype. Be very careful, I/O is critical 
to Exchange and any other database application which may make running it on 
VMWARE or VIRTUAL SERVER unpractical not to mention Exchange is also very 
resource intensive and will take whatever it can. Now I am sure if you have a 
very small environment that it may make sense, but with Microsoft Small Business 
server why would you want to?

Anybody else care to throw in their two cents?

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Behalf Of Tony Murray
Sent: Thursday, October 27, 2005 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT] Exchange now supported on virtual hardware


Microsoft has introduced support for Exchange 2003 SP2 and later on Virtual 
Server 2005 R2.  This article has just been released.
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;320220
 
I guess this means we can now run a DC and Exchange on the same physical 
hardware without any of the previous limitations.
 
Tony




Re: [ActiveDir] Trust issue

2005-10-12 Thread chuckgaff

There are now at least two LMHOSTS recommendations -- must be a requirement to have some type of WINS/NetBIOS name resolution for the trusts, as was suspected.
 
Chuck

-Original Message-
From: Kamlesh Parmar <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Thu, 13 Oct 2005 00:37:43 +0530
Subject: Re: [ActiveDir] Trust issue


In my case, it worked out after putting the LMHOSTS entries.
On 10/13/05, Kern, Tom <[EMAIL PROTECTED]> wrote: 
Nope.

also as an aside, what is pretty amusing (in a frustrating way) is MS was the one that told me about the lmhost entries. i remember bringing this up on the list awhile ago and we all went back and forth about whether netbios is involved in a external trust between win2k and win2k3 and if it could be entirely done via dns.

i know MS was just grasping at straws to try to help me out but its just amusing that no one can say without doubt or confusion whether you need netbios or not in this scenario including the guys that sell the product.

only in the software industry, i guess...

-Original Message-
From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Wed 10/12/2005 2:24 PM
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] Trust issue

DCOM range locked down on one end but not the other?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, October 12, 2005 1:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Trust issue

nope.

-Original Message-
From: Brian Desmond [mailto:[EMAIL PROTECTED]]
Sent: Wed 10/12/2005 1:46 PM
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] Trust issue

Is there a firewall between the two places? PDC emulators in particular?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, October 12, 2005 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Trust issue

I have an external 2 way trust between a child domain in a win2k3 forest (win2k3 FFL) and a child domain in a win2k native mode forest.

I set up the trust thru netdom or the Domains and Trusts mmc and after a few minutes it fails coming from the win2k side. the win2k domain/dc stops trusting the win2k3 domain/dc but the win2k3 trust stays up.

i have dns set up for forwarding on both sides for the respective domains/dns servers. i also have lmhosts entries on both dc's in the trust.

nothing is logged in the event logs on either dc.

is there anything else i should be looking at?
thanks a lot

--
~~~ "Fortune and Love befriend the bold" ~~~


Re: [ActiveDir] Design Question

2005-10-12 Thread chuckgaff

That's a good question on the number of domains in the Branch Office Guide -- it seems to be overkill unless they all have separate and independent IT departments or if there is a requirement for a separate password policy or something else bizarre.  I suppose you could deploy a DC to each branch, and especially if you have a slow, unreliable WAN link such as a fractional T-1 to each location and with 10 branches you should be OK using 10 extra DCs.  
 
Regards,
 
Chuck Gafford
Systems Architect
 
Unisys
Imagine It.  Done.
-Original Message-
From: Noah Eiger <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Wed, 12 Oct 2005 11:49:43 -0700
Subject: RE: [ActiveDir] Design Question



Thanks, all. Good to see confirmation of the few-domains-as-possible concept.
 
Yes, I was planning to deploy a DC to each branch. Some are not as physically secure as I would like, though I realize that security is somewhat a function both of access and intent. I don't see a lot of latter -- but maybe that is what we all thought on September 10. Does that change the model?
 
-- nme
 
P.S. Why does MS still recommend so many domains in the Branch Office Guide? Is it for replication load?



From: Al Mulnick [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 12, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Design Question

The same reasons apply to this situation as those of a much larger organization: deploy multiple domains if you need x, y, and z functionality.  Otherwise try to keep it to fewer domains. 
 
Are there are any compelling reasons to deploy multiple domains? Are you going to deploy a DC to each branch office?  
 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, October 12, 2005 1:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Design Question
Hi -
 
I am designing a new domain structure that will have a HQ and then roughly 10 branch offices, less than 200 users total. The Microsoft Branch Office Deployment guide shows a single forest with three domains: root, hq, and branches (and oodles of domain controllers). Allen, Minasi, etc etc etc all say to try to limit yourself to a single domain if possible. 
 
My inclination is to go with the latter (single domain) model. With this size organization is there a need for multiple domains? An empty root? 
 
Thanks.
 
-- nme


Re: [ActiveDir] Trust issue

2005-10-12 Thread chuckgaff

I believe you need WINS for the trust for NetBIOS domain resolution but I've not tested it to prove otherwise ...
 
Chuck

-Original Message-
From: Kern, Tom <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Wed, 12 Oct 2005 14:41:10 -0400
Subject: RE: [ActiveDir] Trust issue


Nope.
 
also as an aside, what is pretty amusing (in a frustrating way) is MS was the one 
that told me about the lmhost entries.
i remember bringing this up on the list awhile ago and we all went back and forth 
about whether netbios is involved in a external trust between win2k and win2k3 
and if it could be entirely done via dns.
 
i know MS was just grasping at straws to try to help me out but its just amusing 
that no one can say without doubt or confusion whether you need netbios or not in 
this scenario including the guys that sell the product.
 
only in the software industry, i guess...
 
 

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Brian Desmond 
Sent: Wed 10/12/2005 2:24 PM 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: RE: [ActiveDir] Trust issue



DCOM range locked down on one end but not the other? 

 

Thanks,
Brian Desmond

[EMAIL PROTECTED]  

 

c - 312.731.3132

 

 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
On Behalf Of Kern, Tom
Sent: Wednesday, October 12, 2005 1:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Trust issue

 

nope.

 

-Original Message- 
From: Brian Desmond [mailto:[EMAIL PROTECTED]] 
Sent: Wed 10/12/2005 1:46 PM 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: RE: [ActiveDir] Trust issue

Is there a firewall between the two places? PDC emulators in particular? 


Thanks, 
Brian Desmond 
[EMAIL PROTECTED] 
  
c - 312.731.3132 
  
  

-Original Message- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom 
Sent: Wednesday, October 12, 2005 1:35 PM 
To: ActiveDir@mail.activedir.org 
Subject: [ActiveDir] Trust issue 

I have an external 2 way trust between a child domain in a win2k3 forest 

(win2k3 FFL) and a child domain in a win2k native mode forest. 
  
I set up the trust thru netdom or the Domains and Trusts mmc and after a 
few 
minutes it fails coming from the win2k side. 
the win2k domain/dc stops trusting the win2k3 domain/dc but the win2k3 
trust 
stays up. 
  
i have dns set up for forwarding on both sides for the respective 
domains/dns servers. 
i also have lmhosts entries on both dc's in the trust. 
  
nothing is logged in the event logs on either dc. 
  
is there anything else i should be looking at? 
thanks a lot 





Re: [ActiveDir] Design Question

2005-10-12 Thread chuckgaff

ditto Jorge ...  
 
Now you have to figure out how many DCs to use, which would be based in part of the types of WAN connections/links ... if you have a slow and/or unreliable WAN link then you probably want a DC for those branch sites. 
 
Chuck

-Original Message-
From: Almeida Pinto, Jorge de <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Wed, 12 Oct 2005 20:37:02 +0200
Subject: RE: [ActiveDir] Design Question



Technically you would only need multiple domains if:
* separate pwd policies are needed (third party products exist that can do this in a single domain)
* replication boundary for AD and SYSVOL replication is needed for some reason
* keep current old domain structure (if this is a cool reason??!!!)
* If your only option is to use the SMTP protocol for replication (can only be used between domains and not within domains!)
 
In my opinion there are very few reasons, if any, to use multiple domains within a forest. I would go for a single forest, single domain structure and try to achieve that.
 
Cheers,
Jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, October 12, 2005 19:47
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Design Question

Hi -
 
I am designing a new domain structure that will have a HQ and then roughly 10 branch offices, less than 200 users total. The Microsoft Branch Office Deployment guide shows a single forest with three domains: root, hq, and branches (and oodles of domain controllers). Allen, Minasi, etc etc etc all say to try to limit yourself to a single domain if possible. 
 
My inclination is to go with the latter (single domain) model. With this size organization is there a need for multiple domains? An empty root? 
 
Thanks.
 
-- nme


Re: [ActiveDir] Design Question

2005-10-12 Thread chuckgaff

What is the bandwidth between the locations and what type of WAN link?  If fiber or fast, reliable (not WAN/T-1 type) connections, you may not need a DC in the remote branches.  Do you need a separate password policy for different groups of users?
 
If you can limit your design to fewer DCs it will be better and a single domain is preferred for Windows 2003 AD.
 
-Original Message-
From: Al Mulnick <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Wed, 12 Oct 2005 14:26:59 -0400
Subject: RE: [ActiveDir] Design Question



The same reasons apply to this situation as those of a much larger organization: deploy multiple domains if you need x, y, and z functionality.  Otherwise try to keep it to fewer domains. 
 
Are there are any compelling reasons to deploy multiple domains? Are you going to deploy a DC to each branch office?  
 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, October 12, 2005 1:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Design Question
Hi -
 
I am designing a new domain structure that will have a HQ and then roughly 10 branch offices, less than 200 users total. The Microsoft Branch Office Deployment guide shows a single forest with three domains: root, hq, and branches (and oodles of domain controllers). Allen, Minasi, etc etc etc all say to try to limit yourself to a single domain if possible. 
 
My inclination is to go with the latter (single domain) model. With this size organization is there a need for multiple domains? An empty root? 
 
Thanks.
 
-- nme


Re: [ActiveDir] Cleanup of Active Directory...

2005-10-03 Thread ChuckGaff



Yes - you could take the data out with the CSVDE tool and 
massage/revise in an Excel .csv spreadsheet and then export back in, but do so 
carefully...
 
Good luck,
 
Chuck Gafford
Architect 2
Unisys
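An added example (not from the thread) of the csvde round trip Chuck describes, with checks that make "do so carefully" concrete. One point worth knowing before the import step: `csvde -i` only creates objects and cannot update existing ones, so the edited spreadsheet is turned into `ldifde` "changetype: modify" records instead. Paths, the OU and the attribute list are placeholders:

```powershell
# Added example (not from the thread): export with csvde, validate the edited
# spreadsheet against the original, and push only the real changes with ldifde.
# Paths, OU and attribute list are placeholders for the reader's environment.
$exportFile = 'C:\Temp\users-export.csv'
$editedFile = 'C:\Temp\users-edited.csv'   # the copy that was edited in Excel
$ldifFile   = 'C:\Temp\users-changes.ldf'
$baseDn     = 'OU=Staff,DC=example,DC=invalid'

# 1. Export only the attributes that may be edited, scoped to one OU.
csvde -f $exportFile -d $baseDn -r '(&(objectClass=user)(objectCategory=person))' `
      -l 'dn,sAMAccountName,displayName,department,title,telephoneNumber'

# LDIF needs base64 for values that are non-ASCII or start with space, ':' or '<'.
function Format-LdifValue {
    param([string]$Attr, [string]$Value)
    if ($Value -match '[^\x20-\x7E]' -or $Value -match '^[ :<]') {
        return "${Attr}:: " + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Value))
    }
    return "${Attr}: $Value"
}

# 2. Diff edited vs. original and emit 'changetype: modify' records.
#    csvde -i can only create objects, so modifications go through ldifde.
function ConvertTo-LdifModify {
    param([string]$Original, [string]$Edited, [string]$OutFile)
    $orig = @{}
    foreach ($r in Import-Csv $Original) { $orig[$r.DN] = $r }
    $edit = Import-Csv $Edited
    # Guard rails: the DN column is the key, so it must be intact and unique.
    $dups = $edit.DN | Group-Object | Where-Object Count -gt 1
    if ($dups) { throw "duplicate DNs in edited file: $($dups.Name -join '; ')" }
    $unknown = $edit.DN | Where-Object { -not $orig.ContainsKey($_) }
    if ($unknown) { throw "DNs not present in the export (mangled by Excel?): $($unknown -join '; ')" }

    $lines = @()
    foreach ($row in $edit) {
        $old     = $orig[$row.DN]
        $attrs   = $row.PSObject.Properties.Name | Where-Object { $_ -ne 'DN' }
        $changed = $attrs | Where-Object { $row.$_ -ne $old.$_ }
        if (-not $changed) { continue }
        $lines += "dn: $($row.DN)", 'changetype: modify'
        foreach ($a in $changed) {
            $lines += "replace: $a"
            # An empty cell clears the attribute: 'replace' with no value.
            if ($row.$a) { $lines += Format-LdifValue -Attr $a -Value $row.$a }
            $lines += '-'
        }
        $lines += ''
    }
    Set-Content -Path $OutFile -Value $lines -Encoding ASCII
    return ($lines | Where-Object { $_ -like 'dn: *' }).Count   # objects to change
}

$count = ConvertTo-LdifModify -Original $exportFile -Edited $editedFile -OutFile $ldifFile
Write-Host "$count objects to modify; review $ldifFile, then run:"
Write-Host "  ldifde -i -f $ldifFile -k    # -k: continue past non-fatal errors"
```

Reviewing the generated .ldf before importing is the point of the exercise: it lists exactly which attribute on which object will change, which the spreadsheet never makes obvious.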
 


Re: [ActiveDir] NOVELL and WINDOWS 2003 AD

2005-05-23 Thread chuckgaff

You have to use either Novell DNS if you have DNS servers running NetWare or Windows DNS as your authoritative system.  You can't have the same domain name in the way you are suggesting.  My advice is to use Windows 2000/2003 for your DNS which can be done by repointing the settings in NetWare in INETCFG under the DNS settings.
 
Regards,
 
Chuck

-Original Message-
From: Chandra Burra <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Mon, 23 May 2005 10:47:24 -0400
Subject: [ActiveDir] NOVELL and WINDOWS 2003 AD


All,

Quick one please. Client wants to have the same domain name for the
existing Novell directory and the new Windows 2003 AD, e.g.
xxx.com

Can this be done ...if yes, then what are the implications...and also
they wanted to stay on the Novell DNS...

Thank you for your inputs.


Chandra



Re: [ActiveDir] Windows Server 2003 DNS Vs. LUCENT QIP DNS

2005-04-28 Thread ChuckGaff



AD DNS is built-in / Active Directory integrated and Lucent is an external 
system -
 
Use AD's DNS if possible; also if you lose communications with your Lucent 
QIP systems, people could have severe login problems...
 
Chuck Gafford
Unisys
Architect 2
 


Re: [ActiveDir] Time synchronisation in a W2K domain

2005-04-13 Thread chuckgaff

My advice is to run net time on your PDC Emulator role server to point to an atomic clock (US Naval Observatory) by IP address and not to a "hardware clock" locally.
 
Regards,
 
Chuck Gafford
Architect 2
 
Unisys
Imagine It.  Done.

-Original Message-
From: Abbiss, Mark <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Wed, 13 Apr 2005 16:14:40 +0200
Subject: [ActiveDir] Time synchronisation in a W2K domain


I was recently handed a new hardware clock to install into our domain. As the 
device needs to be placed in an area with good radio reception I decided to 
install it onto a PC. Our server farm is located in a secure bunker with no 
reception at all.

I know the usual time sync model is for DCs to get the time from the PDC role 
holder and then the time filters down from there to member servers and 
workstations. However, my PC is running Windows XP. 

So the question is, is it possible to set the XP workstation (with hardware 
connected) as the reliable primary source for time in the domain? Should the 
Windows Time service be disabled on the PC? What changes need to be made to 
the PDC Role holder and other DCs in the domain to make sure they are forced to 
sync with the XP workstation? Or is it just not possible to use an XP 
workstation?

I have noticed that some of my machines are syncing with the PC but others are 
not and I have not as yet determined why there is this erratic behaviour. If I use 
the "w32tm /resync" command then on some machines it works and on others it 
doesn't.

Do I need to manually configure all DCs to point to the XP machine? Do member 
servers need special configuration? Why are general user workstations not 
showing the same time as the Time PC?

Any advice greatly appreciated.



Re: [ActiveDir] time sync script

2005-04-05 Thread ChuckGaff



That's correct on the net time statements running on the PDC Emulator FSMO 
role which should ideally be done off the Forest Root domain in Windows 2000 or 
Windows 2003.  In the US it works well to point to the atomic clock IP 
addresses from the US Naval Observatory.  
 
Regards,
 
Chuck Gafford
Architect 2
Mobile:  (416) 550-0025 (Toronto)
 
Unisys
Imagine It.  Done.
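The setup Chuck recommends in this post and in the "Time synchronisation in a W2K domain" reply above (the PDC emulator of the forest root syncs from an external source, never from a local hardware clock, and the domain hierarchy carries time downward) as an added example; it is not code from the thread. It uses w32tm, the built-in Windows Time tool that replaced the `net time` commands of the 2000/2003 era, and it is written for a modern domain controller. The peer hostnames are placeholders, and the role check uses .NET so no RSAT module is assumed.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell prompt on the
# PDC emulator of the forest root domain. The peer names are placeholders:
# substitute the time sources your organisation has chosen.

$Peers = 'time1.example.invalid,0x8 time2.example.invalid,0x8'  # placeholder peers; 0x8 = client mode

# 1. Confirm this host actually holds the PDC emulator role before changing anything.
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
if ($pdc -notlike "$env:COMPUTERNAME.*") {
    throw "PDC emulator is $pdc; this script must run there, not on $env:COMPUTERNAME"
}

# 2. Configure manual external peers and advertise this DC as a reliable time source
#    so the rest of the domain hierarchy (NT5DS clients) follows it.
w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update
Restart-Service -Name w32time
w32tm /resync /rediscover | Out-Null

# 3. Verify. A PDC emulator reporting "Local CMOS Clock" as its source is the failure
#    mode the thread warns about: every Kerberos clock in the domain then follows an
#    unsynchronised clock and eventually drifts past the 5-minute skew tolerance.
$source = (w32tm /query /source) -join ''
if ($source -match 'Local CMOS Clock|Free-running') {
    Write-Warning "PDC emulator is not synchronised to a peer (source: $source)"
} else {
    Write-Host "PDC emulator source: $source"
}
w32tm /query /status |
    Where-Object { $_ -match '^(Stratum|Leap Indicator|Last Successful Sync Time|Phase Offset)' }

# 4. Measure the offset to each configured peer directly; a large or oscillating offset
#    usually means UDP/123 is blocked on the path or the peer itself is unreliable.
foreach ($peer in ($Peers -split ' ')) {
    $peerHost = ($peer -split ',')[0]
    w32tm /stripchart /computer:$peerHost /samples:3 /dataonly
}
```

On every other DC and on member machines nothing needs to be configured: `w32tm /query /configuration` should show `Type: NT5DS`, meaning the machine takes time from the domain hierarchy, and `w32tm /query /source` on a non-PDC DC should name the PDC emulator. A machine that shows `Local CMOS Clock` there is the one to investigate.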
 
 
 


Re: [ActiveDir] WINS topic

2005-03-30 Thread ChuckGaff



You should consider having at least one WINS server in the empty root 
domain.  You will need WINS for NetBIOS name resolution that is still 
required by many applications.
 
Chuck Gafford
Architect 2
 
Unisys
Imagine It.  Done.
 
 
 


Re: [ActiveDir] DNS should point to...?

2005-03-29 Thread chuckgaff

You can point to the DC/GC/DNS server running the PDC Emulator role but better resolution on the primary DNS setting.
 
Chuck

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tue, 29 Mar 2005 13:03:20 -0500
Subject: RE: [ActiveDir] DNS should point to...?





Agreed


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 12:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS should point to...?


In this scenario, I'd recommend Primary to another and secondary to self.
 
Deji
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, March 29, 2005 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS should point to...?
 
Hi -
 
I have just been brought into a situation where a client has several poorly connected (VPN and slow connections to the Internet) sites in a single W2k domain. Each site has a single DC that runs AD-integrated DNS. Previously, most of the DCs had tombstoned. Microsoft walked the in-house guy through demoting and re-promoting everything. 
 
The question is this: where should each DC's DNS point? I have always thought they should point to themselves and only themselves. The DNS server forwards to the Internet (as everything is poorly connected). The in-house tech said Microsoft told him to point each DC's primary DNS to the FSMO-role holder and then to itself as secondary.
 
Any thoughts?
 
-- nme
 


RE: [ActiveDir] WINS

2005-03-07 Thread ChuckGaff
Lots of applications require NetBIOS name resolution so be careful with trying 
to remove WINS and NetBIOS name resolution from your network.

Chuck
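Both of Chuck's WINS replies on this page (this one and the "WINS topic" post above) make the same point: applications still depend on NetBIOS name resolution, so WINS cannot simply be switched off. The added example below, which is not code from the thread, is the inventory a practitioner would run before planning a WINS retirement. It reads each machine's NetBIOS-over-TCP/IP and WINS settings through the Win32_NetworkAdapterConfiguration WMI class and assumes CIM/WMI access to every computer listed; the computer names are placeholders.

```powershell
# Added example, not from the thread. Inventories NetBIOS-over-TCP/IP and WINS
# settings on a set of machines so a WINS retirement can be planned rather than
# guessed. Assumes CIM/WMI access (DCOM or WinRM) to each computer.

function Get-NetbiosWinsInventory {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        try {
            $cfgs = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration `
                        -ComputerName $computer -Filter 'IPEnabled = TRUE' -ErrorAction Stop
        } catch {
            # Report unreachable hosts explicitly instead of silently dropping them.
            [pscustomobject]@{
                Computer = $computer; Adapter = $null; NetBIOS = 'Unreachable'
                WinsPrimary = $null; WinsSecondary = $null; LmhostsLookup = $null
            }
            continue
        }
        foreach ($cfg in $cfgs) {
            # TcpipNetbiosOptions: 0 = take the setting from DHCP (default), 1 = enabled, 2 = disabled
            $netbios = switch ($cfg.TcpipNetbiosOptions) {
                0       { 'DHCP default' }
                1       { 'Enabled' }
                2       { 'Disabled' }
                default { 'Unknown' }
            }
            [pscustomobject]@{
                Computer      = $computer
                Adapter       = $cfg.Description
                NetBIOS       = $netbios
                WinsPrimary   = $cfg.WINSPrimaryServer
                WinsSecondary = $cfg.WINSSecondaryServer
                LmhostsLookup = $cfg.WINSEnableLMHostsLookup
            }
        }
    }
}

# Placeholder computer names: replace with a list pulled from AD or your CMDB.
$inventory = Get-NetbiosWinsInventory -ComputerName 'APP01', 'FILE01', 'WS-FINANCE-07'
$inventory | Format-Table -AutoSize

# Every adapter that is not explicitly "Disabled" and still has a WINS server set is a
# potential WINS consumer; these are the machines whose applications need checking
# before the WINS servers are decommissioned.
$inventory |
    Where-Object { $_.NetBIOS -ne 'Disabled' -and $_.WinsPrimary } |
    Group-Object Computer | Select-Object Name, Count
```

The inventory tells you where NetBIOS is still turned on, not which applications use it; for that, `nbtstat -c` on a sample of the flagged hosts shows the names they have recently resolved over NetBIOS, and a WINS server's own database shows which clients are still registering.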


Re: [ActiveDir] Bizarre problem

2004-09-27 Thread ChuckGaff



A good tool for Admin passwords is the Locksmith one from 
sysinternals.com
 
 
 
 
 


Re: [ActiveDir] Inf Master and GC Clarification

2004-07-03 Thread ChuckGaff


This scenario is for Windows 2000 and apparently not for Windows 2003.
 
Chuck
 


Re: [ActiveDir] Tivoli Gateway on Windows 2003 DC - BAD?

2004-06-01 Thread ChuckGaff



Best practices would be to Install it on a member server...
 
Chuck
 


Re: [ActiveDir] DNS Server Using its own IP as a Primary DNS

2004-04-22 Thread ChuckGaff
Yes - the island issue is only in Windows 2000 and is resolved in Windows 2003.  In 
fact, you are forced in Windows 2003 if I recall correctly to change the second DNS IP 
address to something different on the server running DNS.

Chuck Gafford
MCSE (Windows 2003, 2000, NT 4.0), MCSE+I, MCT
Systems Architect, Unisys

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] DNS Server Using its own IP as a Primary DNS

2004-04-22 Thread ChuckGaff
It sounds like multiple people are in agreement - avoid the "island" effect, run DNS 
in Sydney on the DC but point the secondary DNS IP to Singapore...

Chuck Gafford
Systems Architect, Unisys
MCSE (Windows 2003, 2000, NT 4.0), MCSE+I, MCT

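Three posts on this page converge on the same DNS client layout for domain controllers: primary DNS pointed at another DC, the DC itself listed second, so that a DC never becomes an "island" (the Windows 2000 problem Chuck refers to in this reply and the one above it) yet can still resolve names when its peer is unreachable (the concern in the "DNS should point to...?" thread). The added example below, not code from the thread, audits every DC in the current domain against that layout. It discovers the DCs via .NET, reads the DNS client settings through WMI, and assumes CIM/WMI access to each DC.

```powershell
# Added example, not from the thread. Audits every DC's DNS client settings against
# the layout recommended in the thread: primary DNS = another DC, self listed second.
# Assumes CIM/WMI access (DCOM or WinRM) to each DC from the machine running it.

function Get-DcDnsClientReport {
    param(
        # Defaults to all DCs of the current domain, discovered via .NET (no RSAT needed).
        [string[]]$DomainController = (
            [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
            ForEach-Object { $_.Name })
    )

    foreach ($dc in $DomainController) {
        $cfgs = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration `
                    -ComputerName $dc -Filter 'IPEnabled = TRUE'

        # The DC's own IPv4 addresses and its DNS client list, in search order.
        $selfIPs = @($cfgs | ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d+(\.\d+){3}$' })
        $dns     = @($cfgs | ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ })

        $isSelf        = { param($ip) $ip -eq '127.0.0.1' -or $selfIPs -contains $ip }
        $primaryIsSelf = $dns.Count -gt 0 -and (& $isSelf $dns[0])
        $selfListed    = @($dns | Where-Object { & $isSelf $_ }).Count -gt 0

        $finding = if ($dns.Count -eq 0) { 'No DNS servers configured' }
                   elseif ($primaryIsSelf) { 'Primary is self: the Windows 2000 island risk; move self to secondary' }
                   elseif (-not $selfListed) { 'Self not listed: DC loses name resolution if its peer is down' }
                   else { 'OK' }

        [pscustomobject]@{
            DomainController = $dc
            DnsServers       = $dns -join ', '
            PrimaryIsSelf    = $primaryIsSelf
            SelfListed       = $selfListed
            Finding          = $finding
        }
    }
}

Get-DcDnsClientReport | Format-Table -AutoSize
```

Run it from a workstation with the RSAT-free .NET discovery shown, or pass `-DomainController` explicitly for a subset of sites such as the Sydney and Singapore DCs in this thread. A DC reported as `PrimaryIsSelf` is the one to reorder; a DC with `SelfListed` false is the one that will stop resolving, and therefore stop authenticating, the moment the WAN link to its peer drops.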


Re: [ActiveDir] Trust issue

2004-04-22 Thread ChuckGaff
You don't need to touch LMHOSTS for the trusts - just rebuild them if they are broken 
in the order mentioned earlier.

Regards,

Chuck Gafford
Systems Architect, Unisys
MCSE (Windows 2003/2000/NT), MCSE+I, MCT
www.unisys.com

