when servers replicate within a site OR intrasite, in a multi domain environment, do
they need to contact a GC to find each other?
or for any reason.
what is the role of the gc in AD replication, inter and intra site?
thanks
i don't need the schema or domain naming roles to restore my domain. i have all the
other roles.
yet it still has issues with finding a gc or replicating within a domain.
why?
this is a fundamental design flaw of AD. It boggles the mind. If in a real disaster or
even a test, MS expects you to
try this:
http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto
Sent: Wednesday, March 24, 2004 10:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir]
Be sure to ensure that at least one test user is in a dlg, gg, ug and at least one dlg
across the NC boundary. That gives you the full taste of the problem. ;)
You should find that the GC in the domain shows you UGs that the user is in, but not
the DLG across the NC boundary. To restore that you
Do you have any white papers
Lynden
From: Seyboldt, Volker
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004
4:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote
Desktop
oh,
I think you should have a look at some
whitepapers about implementing G
Guido,
The configs I have been testing with since Eric's post are as follows.
One Forest. 4 domains. One Domain has 2 DCs, one has 3 DCs, the other 2 have
1 DC. All DCs are GCs.
In one of the Production environment restores I had personally done, I know
for a fact that the OU was fat-fingered o
Title: [ActiveDir] disaster recovery
No, you need the root domain as it holds some of the roles
etc.
In order for this to work, you need to restore the root
domain as well. I've found that doing this with a virtual server is
sometimes easier but that just saves on hardware
requirements.
Exactly, enter my point that you either need to restore a DC in each domain or
repopulate the groups.
Is it me or are we saying the same thing over and over? Are you just not happy with
the language I used to say it?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
oh,
I think you should have a look at some whitepapers about
implementing Group Policies in Active Directory
You should implement this in a group policy of active
directory and yes typically this is done on a DC
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia
I know - and that GC won't contain the DNs of the domain local groups of
the other domains, that the users were a member of. I think this is the key
that I'm trying to get across. You can get the DNs of the groups for your
own domain and the UGs of other domains when you're restoring a GC - but
Do you do this on the domain controller
Lynden
From: Seyboldt, Volker
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004
3:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote
Desktop
yes you can
You can use restricted groups in group
policies to a
VB Script and a GPO, or Login Script.
http://www.myitforum.com/articles/11/view.asp?id=2457
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto
Sent: Wednesday, March 24, 2004 3:16 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Remote Deskto
yes you can
You can use restricted groups in group policies to add any
group you want to the local "Remote Desktop Users" at each
PC.
Members (Users and/or groups) of the PC's local
Administrator group are also automatically allowed to connect
remotely
From: [EMAIL PROTECTED]
[mailto:[
yes.
a quick question- can one restore an entire child domain without connectivity to the
root domain?
-Original Message-
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED]
Sent: Wed 3/24/2004 2:58 PM
To: [EMAIL PROTECTED]
Cc:
Su
Is there a way to add Domain Admins to the Remote
Users of every pc in our Domain with AD and not go to every PC?
This message is intended for the use of the individual or entity to which it is
addressed and may contain information that is privileged, confidential and exempt from
di
Title: [ActiveDir] disaster recovery
You Zones is setting for Dynamic Updates =
YES???
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, March 24, 2004 16:47
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery
Thanks, Darren!
-Original Message-
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 1:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers
Mike-
Yea, the local policy gets over-written by the DC policy because
restarting netlogon or registerdns does not work.
where is this copy of the root zone in my dns server. i don't think i have it by
default. i had to transfer it on my dns server back home.
also if i had it, wouldn't creating an AD integrated dns server on my test DC also have
it?
finally, when dc'
Mike-
Yea, the local policy gets over-written by the DC policy because the
local policy processes first in the pecking order, then site, domain and
OU linked GPOs.
What you could do is create a second GPO with your policy change, linked
to the DC OU but with a higher processing order (i.e. it proc
From my procedure:
5) Identify groups that the users affected are a member of
6) Boot DC in to ds restore mode; mark affected groups from step 5 as
Authoritative
That need be done across the domain boundary.
Another option: obtain from backups or the restored dc (like if it is a gc?) DN of all
I just restored AD. I had a test laptop, pulled it off the network, ran ntdsutil,
seized all 3 roles, ran metadata cleanup and removed all my old dc's. deleted them with
adsiedit and all dns records as well.
then at the DR site, i set up new servers with the same names as the old ones, ran
dcpro
Hi Justin,
In the really.. you have only 3 FSMO in this
child domain..
Do you install the OS
Restore the System State
Perform an authoritative restore of the
database of the child
domain
If
necessary seize the Roles
Thanks
for advance!
Anderson
Patricio[EMAIL P
Agreed. Not much downside to this as long as you're not putting policies
on these other GPOs that conflict with any set in the DDC policy. Even
in that case, you just have to manage the conflicts.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford
Klara,
This might help.
http://www.microsoft.com/windows2000/techinfo/interop/dirsync.asp
r/
Lou
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004
10:53 AM
To: [EMAIL PROTECTED]
Subjec
I see, so you were just covering a single NC condition. Ok, your logic is correct, but
the caveats are complex. Many users think they have no group memberships across the NC
boundary when they do, but that's neither here nor there. I would recommend my
procedure as a safeguard. Further, it isn't
In a
nutshell yes.. I'd go to the Microsoft site and pull down one of their
procedures... sorry I can list one off now.
-Original Message-
From: Salandra, Justin [mailto:[EMAIL PROTECTED]
Sent: 24 March 2004 17:01
To: Activedir
Subject: [ActiveDir] Recover a
It's common practice to add other GPO links to the DC OU.
-Original Message-
From: Devan Pala [mailto:[EMAIL PROTECTED]
Sent: 24 March 2004 15:44
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Linking other GPO objects to Domain Controllers
Hi all,
Question:
Has anyone experienced issues
Deji,
you'll have to go into more details of your test setup. Does multi-DC mean
more than one DC in the forest (which could also be one per domain), or does
it mean each domain has more than one DC in your lab? You won't see some of
the issues with just one DC per domain. Also, are these DCs hos
I have a question for everyone. If you have a
child domain and for some reason you lose every domain controller in the domain,
and you have a spare server that you install the OS on, how would you go about
getting the domain back up and running.
Do you install the OS
Restore the System Sta
I confess my lack of understanding of this procedure. I've used the procedure
I posted many times in restoring deleted objects (including OUs). Since you
posted this yesterday, I've been scratching my head and hacking OUs on my
test domains and restoring them following the procedures I posted and t
Can someone point me to a tool/way that we can extract our highly expanded eDirectory schema ? We are in the process of looking to migrating eDirectory to AD or AD/AM.
Klara.
The information contained in this mes
Eric,
there is quite a lot of things, that LVR changes. When activated, it extends
the link-table on each DC with a couple of columns, including one that
records the DeletionTime of a link. This is used to "deactivate" links (in
our case group-memberships) when the corresponding object is deleted.
let me try to clarify everything i have.
w2k server with one nic card configured with a static ip addy and our isp
dns server address.(tcp/ip properties)
dhcp and dns is provided by isp and assigned automatically to clients.
in admin tools dns properties lists the internal dns ip as forwarders and
Return Receipt
Your
RE: [ActiveDir] DNS registration errors document
:
Regarding problem 2, make sure that your DNS settings on Server2 are
correct.
-Peter
[EMAIL PROTECTED]
Yes, all those tried .. including unregister of the dll and re-register. No
errors generated
The XP/Sp1 machine it works on is a machine mainly used in our test domain,
whereas the one that fails is in our production domain. The test one has had
many tools added during testing (including Visual S
You should have your ISP's DNS server in the forwarders tab of the internal
DNS server's properties. Your internal DNS server must be running a
forward lookup zone for your AD or else you have serious issues.
Hi all,
Question:
Has anyone experienced issues or know of any 'gotchas' with linking other
GPO objects to the Domain Controllers OU in addition to the Default Domain
Controllers Policy.
Rationale:
I would like to have a GPO ready that essentially has Windows Update enabled
for deploying app
I've brought this topic up previously, but I thought I'd run it across you
folks one more time to make sure I'm on the right track. We're preparing to
upgrade a single NT4 domain to a 2003 AD domain, and I'll tentatively be
using the following plan.
For everyone's reference, the spreadsheet of all ADM
settings is here:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004
I would agree. I recommended configuring a root standalone (offline) and an enterprise
subordinate issuing CA. (I realize 3 tier is best but this will work for our
environment).
Thanks for your opinions. I don't think my coworker really gets certain things.
Kind Regards,
Jennifer Fountain
Well, that's not really an "infrastructure" then is it? That's a single
server running all the roles with no separation and protection that you get
from separation. More importantly, PKI has many facets that have to be taken
into account. You can't just leave the root CA machine on the network an
Return Receipt
Your RE: [ActiveDir] DNS registration errors
document
:
Peter,
Our dns is configured as a forwarder only, is that the reason i'm having the
problems? Do I need to add our ISP DNS IPs as forwarders or just leave the
internal IPs as forwarders?
thanks!
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED
Return Receipt
Your
RE: [ActiveDir] Security and AD document
:
These articles might help:
A List of the Windows 2000 Domain Controller Default Ports:
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q289241
AD Replication over Firewalls by Steve Riley,
http://www.microsoft.com/SERVICEPROVIDERS/columns/config_ipsec_p63623.asp
FYI:
Q224196 - Res
Hi,
I want to run AD behind a firewall. Can someone please suggest what
ports should I leave open so that all the clients to my AD can access it
successfully?
Any help would be greatly appreciated.
Thanks and regards,
Gagnesh
List info : http://www.activedir.org/mail_list.htm
List FAQ
If I remember correctly, part of this process is registering acctinfo.dll
(regsvr32.exe acctinfo.dll) . Did it register correctly the first time? Did you try
re-registering it? Maybe a reboot?
Mike Thommes
-Original Message-
From: Leeuwen van, JWJ (Joost) [mailto:[E
I am using XP Sp1 without the Exchange 2003 tools and the DLL works like a charm on my
PC.
Just f.y.i.
Try opening the DLL with depends, maybe you are missing some other components.
Joost
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Waters, MW (Mike)
Guido, you said:
If you are running Win2003 AD at Win2003 FFL (in a single dom-forest), then you don't
have to take any special precautions, as the group-memberships will be "revived" with
the authoritative restore of your users (as you've just deleted users, not groups).
Where did you get th
Thanks for the tip
It worked on one XP/SP1 and still fails on another.
If anyone knows of any other workaround ... we still have Exchange 5.5 (for a
while), so don't want to use Exchange2003 tools yet.
Regards
Mike Waters
-Original Message-
From: Steve Shaff [mailto:[EMAIL PROTECTED]
Se
Have a look at:-
http://www.jsiinc.com/SUBN/tip6900/rh6988.htm
This worked for us
Mike Waters
-Original Message-
From: Steve Shaff [mailto:[EMAIL PROTECTED]
Sent: 23 March 2004 20:41
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Dialup add-in for ADUC
Does anyone know where I can find th
the procedures are different depending on your AD infrastructure - and as
also pointed out by Eric, multi-domain forests have particular challenges,
mostly related to users being in groups in the other domains of the forest
(e.g. Universal Groups or Domain Local Groups). If you're in a single domai
Anders,
We market a product called PolMan that will produce a
report of all settings that are enabled within your AD Policy. It provides a
list of all entries with columns for the Policy name, the extension type, key
name etc.
We also market a nice little ADM Template editor.
Feel free to
Greetings,
Actually I got 2 problems,
originally we had 2 servers: one is a DC, the other is an additional DC for an existing
domain. Due to a virus attack, server 2 was cleaned (reformatted) and
Windows 2000 Server was reinstalled.
Problem are;
(1)
server 2 displays 2 operating system which I need to select, but
Hi,
We have a simple AD. Just one domain and nothing extra (no childs etc).
BUT what we do have is a domain spread across different IP addressing
systems and DC's behind Firewalls that have to do NAT.
One of our sites uses private IP numbers (site A) and another uses
public (site B)..
What thi
have a look at Microsoft.com/kb & search for: Microsoft Knowledge Base
Article - 270836 - you can test this on one client and see if the
performance gets better.
It might be a port issue depending on how the Exchange server communicates
eg Server-client & Client-server and how the firewall is set
It's only supported on server.
-Original Message-
From: Steve Shaff [mailto:[EMAIL PROTECTED]
Sent: 23 March 2004 20:41
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Dialup add-in for ADUC
Does anyone know where I can find the add-in for dial-in privileges? I
have them on the actual DCs,
It won't be a port issue as you wouldn't gain connectivity at all... If
it is a very old firewall then chances are that it may be causing
issues. Will they drop it for a testing period to see if it makes a
difference? If it is for their benefit, i.e. their clients then they
may? At least that way
Greetings Mr.
Ander,
You can search that on
MS-KB or if you can mail me offlist i can send you as attachment coz i think i
can't send as attachment to the list.
Search for this key word
"Group Policy Settings Reference Spreadsheet (ADM Files)"
Cheers,
AThif
-Original Message-Fr
Is there any way to
get a nice overview (on excel etc) on the ADM templates that exist in
AD?
Have been trying to
export all the settings [even the ones not set] with no
luck.
Any help would be
appreciated.
Regards,
Anders
==
This