I'm a little curious too...if you turn off the 'bridge all site links' feature and set
up site links from each site to the hub site, the KCC doesn't create connection
objects between the DCs in the 'spoke' sites anyway. At least, that's been our
experience (single domain). We don't restrict tr
Thanks Robert...
-Original Message-
From: [EMAIL PROTECTED] [mailto:rrutherford@;dek.com]
Sent: Tuesday, October 29, 2002 2:34 PM
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Clients being logged on by DCs at other sites
Thanks to all for th
Linton,
Thanks for answering. No, I don't have any additional suggestions... as I
said, I was just curious what your motivation was.
I believe the .Net server KCC has some improvements with respect to
hub-and-spoke topologies, so you may want to investigate that as well.
-gil
-Original Me
Thanks to all for their posts. I have spotted a few things that may be of
interest to some of you :-
I originally built and dcpromo'd all my DC's at my main site - they
registered under DNS as DCs for this site. I then moved them to their
relative sites and the DNS entries still remain. I will de
Nod.. yes, if I were to rename the new server the same as the existing print
server, this would work. We are migrating between an NT4 domain and an AD
domain, and the new print server has to conform to a certain naming
convention in the AD domain, ergo no rename.
-Original Message-
From: st
Gil, you are correct. I think Roger is confusing not having the
client's subnet defined in AD with auto-site coverage. If the client's
subnet is not defined in AD then the process Stuart outlined is
followed.
If you have an empty site (a site without a DC) the following algorithm
is use
I can't speak for Joe, but the whitepaper lists a few good reasons.
Although we don't have 100 plus sites, I think we'll be doing something like
this anyway. Being a large conglomerate with separate operating companies
(each separately managed), we're pretty restrictive in our routers. For the
mo
Hello John
I don't know your specific situation; I can tell you my experience.
I needed a backup printer server.
Two hundred clients were using it (Windows 98, NT, 2000).
I gave another name to the new server (SRVPRINTER02)
The old was SRVPRINTER01.
I created the same queues of SRVPRINTER01 by Print
Just curious, but why?
-gil
-Original Message-
From: Linton Smith (WBTQ) [mailto:GWLLES@;Weston.ca]
Sent: Tuesday, October 29, 2002 11:13 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Manual Replication
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechn
NETLOGON on the DC is repopulating the SRV recs for you. You need to set the
registry entry (on the DC)
/HKLM/CCS/Services/NetLogon/Parameters/LdapSrvPriority to the appropriate
DNS SRV priority value. I don't think you can set the weight this way.
This doesn't make it impossible for the DC to ser
But NETLOGON does create SRV recs to cover DC-less sites if there are sites
and subnets defined, which is what the original post indicated ("to create
an empty site (no DCs)for you [sic] subnets")
At least that's how I read it...
-gil
-Original Message-
From: Roger Seielstad [mailto:roge
All,
These two KB articles talk about most of what has been discussed .. and more.
Hopefully they will clear the air a bit ...
How Domain Controllers Are Located in Windows
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q247811
Windows 2000 members Still Authenticate with BDCs after PDC Upgr
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechn
ol/ad/windows2000/deploy/adguide/adplan/default.asp
Linton
-Original Message-
From: Joe.Baird [mailto:Joe.Baird@;kingwoodcable.com]
Sent: Tuesday, October 29, 2002 12:56 PM
To: [EMAIL PROTECTED]
Subject: [ActiveD
I have three DCs for our main domain, one of which I do not want servicing
active directory logons under normal circumstances. I went into DNS and
changed all of the entries for that DC to have a priority of "100" which
should ensure that all DNS replies will have that DC last in the list.
However,
no
-Original Message-
From: Patton, Jim [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 28, 2002 5:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Default Wallpaper via GP
Has anyone else continued to receive multiple copies of this message?
Site coverage works exactly as Stuart Kwan explained - without manual
intervention of the RR records, the actual logins are processed fairly
randomly - they don't necessarily authenticate to the closest site. It just
doesn't happen.
--
Roger D.
I think chapter 4 of the "Branch Office Deployment Guide" should help you.
Great resource! ...
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechn
ol/ad/windows2000/deploy/adguide/addeploy
-Original Message-
From: Joe.Baird [mailto:Joe.Baird@;kingwoodcable.com]
Could someone point me in the direction of a Microsoft whitepaper or an
article that details how to create a manual replication model? Meaning I
want to turn the KCC off and do all replication manually.. Thx
List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.
There is a whitepaper from Lucent that describes how to restrict enterprise
admins from domain access at
http://www.lucent.com/livelink/161922_Whitepaper.pdf Is that what you are
trying to do?
-gil
-Original Message-
From: Lori Demkovich [mailto:LDemkovich@;infosysinc.com]
Sent: Tuesday,
You can delete them, but because the DCs publish them, they might very well
reappear. You should figure why they got there and verify that the source of
the problem has been addressed. Nothing more frustrating than deleting a
bunch of objects just to have them reappear an hour later ;)
Possible re
Really? What part is not the case? That clients don't authenticate, or that
DCs don't publish SRV recs to cover DC-less sites based on cost?
My experience has been that site coverage works as advertised.
-gil
-Original Message-
From: Roger Seielstad [mailto:roger.seielstad@;inovis.com]
I would like to create a group that can fully administrate our AD forest but is NOT a
member of domain admins. How do I get started?
I created a group and added the members (groupa).
I then added GroupA to the local administrators group on each server.
I also Delegated GroupA full control of
Thanks but it's my W2K clients that are causing the problem.
Robert Rutherford
MIS Department - DEK
+44 (0)1305 208232
+44 (0)7970 122362
Are your NT 4.0 clients running the DSclient add-in? Based on your email
I'm going to assume no. An NT 4.0 client without the add-in will see the AD
domain as an NT 4.0 domain and the DC that responds to the client the first
is the one that authenticates. In the NT 4.0 world, it's still the NetBI
Yes that is part of the process. The guy that posted said that he has
already checked this and configured this. Since he has configured sites and
subnets the next thing to do would be to check the sites in DNS.
Tim Hines, MCSA, MCSE (2000 & NT4)
MVP - Active Directory
- Original Message -
It is too easy.
Last I heard, PSS doesn't consider that a supported process.
--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA
> -Original Message-
> From: Tony Murray [mailto:
Thanks... I can see the entries in the sites that shouldn't be there...
both a _ldap and _kerberos record. Is it safe to delete these records if
they also exist in other sites?
Thanks again
Robert Rutherford
It may be that I am new here (Hi, guys!) and not that familiar with things,
but wouldn't this be a matter of associating the site and subnet with a DC?
I think that the "Sites with no DC" thread references this.
~
-K.Borndale
IT Manager
Sybari Software
If your sites are configured correctly then I would assume that there may be
a dns problem. DCs register ldap records in the site that they are a member
of. Look in your zone for _msdcs/ dc/ _sites/ site name . Each site name
folder should only have ldap records for the DCs that are within its s
Hi All,
All my DC's are W2K, and since moving a considerable amount of NT4 clients
to 2000, I have noticed that 'some' clients are periodically being logged
on by DCs at other sites. All my site config is correct, and my DC's have
relatively very little load.
Some of my remote sites have very s
I don't recall Quest's Fastlane product requiring it. Since we were going to
a virgin forest, however, there was no reason for us to even look at mixed
mode for it.
--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinge
> If you decide to create an empty site (no DCs)for you subnets, the
> autosite coverage algorithm will ensure that clients in that site are
> authenticated with a DC in a nearby site. The DCs in the closest site
> based on cost will register site-specific SRV records for the empty
> site.
>Fr
After having been through this myself in the last couple of weeks and
spending a large amount of hours on the phone with MS PSS, this is what my
conclusion is.
There are 2 ways to build an AD test environment.
First way:
-Do a system disk and system state backup.
-Take a machine that has th
33 matches