Thanks for all of your answer - BUT I know about sIDHistory and how it works. I
am looking for how the authentication using sIDHistory works. Does there have
to be a secure channel in place between the target AD domain and the
not-trusted NT4 resource domain?
I also know that as soon as the
My god... guess I got it at the end... ;-)
The sentence I mentioned in the mail below (the one out of the MS technote) was
misleading me completely (I'd love to use being a non-native-English speaker as
an excuse ;-).
I think the sentence below does only mean that there has to be a trust
Right. And joe thinks I asked this question because I didn't know. ;o)
There are interesting idiosyncrasies with the built-in and default groups
that are not well understood.
This was the real reason that I was bringing up the discussion - to
hopefully ferret out some of the interesting and
Use a TLD of .AD or .LAN. Especially in large environments.
Don't use .AD, or you will have thousands of your users yelling and screaming
about not being able to get to Andorra websites. Okay, maybe not thousands...
:-)
How many consultants on this list actually could enumerate
the property set attributes in a given forest in any reasonable
time? I can do it pretty quickly with adfind and a little perl
script. Not sure of any other easy ways of doing it due to
the funky GUID handling.
Now that Joe
joe wrote:
Another mistake with the property sets in the base OEM setup
is the property set called Phone and Mail Options
(E45795B2-9455-11d1-AEBD-F80367C1) - no attributes in this
property set at all... Must not have any phone or mail
attributes in AD.
I actually reported this to
I do understand - that's what documentation is for... But I tend to
agree that documentation lacks in many places. However, you don't only
need it for changes in Property Sets - you basically need it for any
security change (or other critical change) you perform in AD which is
out of the standard,
Can't be SP3. I stopped messing with 2K in SP3 and the Island thing was still
there. I wasn't even aware that SP4 fixed the issue, but I haven't worked
much on an SP4 environment to know for sure.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
Anybody know where the registry equivalent of this is, in Windows Server
2003? I've un-checked the appropriate spot in the GUI, but my DC is
automatically restarting when it hits a blue-screen and it's becoming a
cycle I can't get out of. (Guess who's doing a DR drill at Sungard
today?)
Where
Please forward the script.
I would be very appreciative.
Thank you.
John Parker, MCSE
IS Admin.
Senior Technical Specialist
Alpha Display Systems.
Alpha Video
7711 Computer Ave.
Edina, MN. 55435
952-896-9898 Local
800-388-0008 Watts
952-896-9899 Fax
612-804-8769 Cell
952-841-3327 Direct
[EMAIL
I've had similar problems but they are caused by imaging software
(Altiris - Ghost - etc) that reloads an old image and registry causing
the machine password to be out of sync the next time it tries to
validate with the DC. Validation is every 30 days so the time between a
reimage and password
A common reason behind account lockouts is users changing their
password but being logged in to multiple workstations, or leaving a
Terminal Server session (or RDP) which means that the open TS session
has the old password cached and will lock out the user.
Another possibility is mapped drives or
Try:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
AutoReboot=dword:
Mike Thommes
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Thursday, May 12, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Thanks all!
-Original Message-
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 12, 2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disable automatic restart registry key
Try:
Here you go, courtesy of Robbie Allen,
http://www.rallenhome.com/
Regards,
Jose
--
' This code displays the current settings for the password
' and account lockout policies.
'
Title: Synching NDS and AD
Nsure Identity Manager = "Metadirectory" for all disparate
NDS (Edir) and AD directories.
We are/have been looking at this question, and yes you can
do a simple synch between Novell and AD with this product. *BUT* in
our case the OU structures between the two
Hi All,
I am fairly new to some of the more in-depth features of AD.
Where I am right now they have primarily used it for authentication on
their LAN. I would like to use it for GPOs and what not.
I have a VM lab set up with 2 clients and 1 DC (all 2K) and I am
trying to get a GPO to
Hi...
I'm pretty sure you have to assign the SP to a machine, rather than a
user.
John
Tabs The Cat
[EMAIL PROTECTED]
As it is, I have the GPO apply to the OU Computers (i.e. lab.local -
Management - Computers) and the only item there is the computer
account (Client2).
Does that mean that it is applying to the computer account, or am I
missing something?
Thanks for the quick reply.
Tabs
On 5/12/05,
You've set up the user configuration portion of the GPO. What you need to do
is set up the computer configuration portion. It's the computer that gets the
SP, NOT the user.
Also, unless you created it, the computer and user containers that are in
ADUC are not OUs. They are just folders set up
Are there any caveats anyone knows of with the procedure outlined below
for renaming a 2003 Domain Controller with netdom?
This is a freshly built machine that was brought up in the same AD site
as the old system it was replacing for operational reasons. The old
system was demoted and removed a
Title: DsReplicaGetInfo() failed with status 8453 (0x2105) - Permissions
One of these days, hopefully I can contribute to this list instead of asking questions all the time.
At any rate, I'm getting this error when I run repadmin /showrepl dcname. Everything I've looked up points to Q329860
Wow - do I feel like newbie now. I just realized what you and John
were saying. For some reason I was fixated on the User Configuration
portion and I never even noticed that I was applying it to the user
vs. the computer.
After reading both responses I went back and then the light bulb went
off.
Hi,
I remember the following issue described in
http://support.microsoft.com/default.aspx?scid=kb;en-us;316826
You Must Rename the SYSVOL Member Object to Rename a Windows Server 2003
Domain Controller
Cheers
#JORGE#
Title: DsReplicaGetInfo() failed with status 8453 (0x2105) - Permissions
Last time I looked it was "Manage Replication Topology" on
the domain head to use it on K3 without errors.
However, I don't think you are missing much, if this is a
K3 domain you should be seeing all of the inbound
Title: Synching NDS and AD
In response to Stuart's posting,
" NIM is actually bigger than just
eDir and AD Sync, and it's certainly more than just a simple sync with the
ability to control the flow of metadata and modify data on the fly through XSLT
XML, it also includes the idea of
When you apply GPOs to a container, make sure if it's a Computer
Configuration that computer objects are in the OU. Same thing with User
Configuration. User Objects have to be in the OU.
I think what you are doing is applying a GPO to your OU with User Config
settings, but your user accounts are
If I remember correctly you need at least the
DS-Replication-Monitor-Topology extended right. I assume your elevated
account is member of the enterprise admins which have this right to manage
replication throughout AD or a member of domain admins which have this right
to manage replication for the
Hi,
Try the following:
Account Lockout and Management Tools
Download tools that you can use to troubleshoot account lockouts, as well as
add functionality to Active Directory
http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
Cheers,
In addition to Jorge's comment (which I have to admit to having not
experienced), ensure you rename the DC via the command line not the
SYSDM.CPL applet.
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
Title: DsReplicaGetInfo() failed with status 8453 (0x2105) - Permissions
Yeah, that's what's happening.
Running /replsum on the other hand, flatly drops the DCs with 8453 from the
list.
Thanks again guys :-)
:m:dsm:cci:mvp
Hello:
I am working with redirecting My Documents in
various sites. I have some follow up questions to the thread I started a few
months ago.
Some sites have poor connectivity. There is no
replication of data between sites (for home directories). Laptop users use
Offline Files.
Title: Synching NDS and AD
"If you've setup your AD structure so differently to
your eDirectory structure within the same company then there's either something
wrong with one of the structures or there's something wrong with you
"
!?!?!?!
Because all companies
have the same people
So what are some clever methods y'all use to not
expose the password in a script?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, May 08, 2005 9:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO not applied - thinks it
Title: Synching NDS and AD
I won't argue with Mr. Culver about
what Novell's fine Nsure Identity Manager (DirXML) product will
or will not do, for obvious reasons... :-)
He is absolutely right that you can write any
type of rules to do the various nasty one to many, many to one, and many to
Title: Synching NDS and AD
In response to Joe's post, Matthew Culver wrote:
" Well, I guess it's good job
security to revolve technologies: you'll get to do it again very soon in some of
those same accounts with Linux :)
Companies changing over the years... change the directory with it
In response to the post by Stuart, Matthew Culver wrote:
I agree with a lot of what is being said here and the way that he's talking
about setting it up (with a location attribute) is how I'd do it too however
based on the brief description I think I would have made the directory
structures
Title: Synching NDS and AD
I am not entirely surprised by the response. Over the years
I have run into lots of folks coming on site to large companies I have been at
and saying similar things. They often change their opinions fairly quickly once
they see the real world of large enterprises.
Use the tool provided by MS called eventcombMT.exe.
Get the domain controller name (using the set command from the logged-on m/c) of the
account which is frequently getting locked and run eventcombMT.exe on the
same domain controller. Use the built-in query of the tool called ACCOUNT
LOCKOUT (Search - built-in searches - account