however this is management's call.
and what do you do if your management tells you to shoot
you in your foot? I'd certainly
talk to your management and ask the rationale behind their demand. Ideally
no user should be a member of the builtin Server Operators group of the domain
at all (no
Thanks Roger for the reply,
Problem is not the site setting, you see... when I ping for my domain's
DNS name... or access the netlogon folder on DC as
\\example.com\netlogon
This DNS resolution, will NOT consider site boundaries and give me appropriate IP of local DC.
this DNS resolution will
Thanks for the replies.
So far I managed to join in the domain an additional DC. Set it up as a Global
Catalog, set the replication time to four times per hour and now I am waiting
to see if the replication works ( I will switch the old DC down to see if the
users can log in without problems -
Scenario:
Single forest, with a placeholder root domain and 4 regional, child domains
Single group responsible for forest operations and each regional domain has
their own domain admins for domain-wide tasks
Requirement:
Place _msdcs.forestrootdomain.com in a forest wide ADP but do not allow
Return Receipt
Your RE: [ActiveDir] Transfer GPO between domains
document:
as long as you understand that this won't hinder domain admins from
changing things in the _msdcs.forestrootdomain.com DNS zone, then you
could go down this path and consider it an obstacle. If you don't
trust your child DAs to handle forest-wide config data, then they
shouldn't be DAs - by using
Hi Charlie,
If it is a user registry setting (other than Binary) there should be no
problem with a custom ADM template.
Can you explain what registry key it is and exactly what is not working?
Alan Cuthbertson
- Original Message -
From: Charlie Kaiser [EMAIL PROTECTED]
To:
You might want to look at moving the profiles to a non-DC to avoid this issue ;)
Also, make sure you wait for the dcpromo to finish replicating. That amount of time depends on the size of your AD Database, speed of your network etc.
Phil
On 9/6/05, Boris Demirov [EMAIL PROTECTED] wrote:
Thanks
Just wondering what the actual issue is here though, when a client logs in they will get a DC within their local site, that shouldn't be dependent on the client's subnet mask, just whether their IP falls within the scope of a site defined in AD. If there is a DC in that site then they should be
So if you have a mixed mode forest, what if you give perms directly to Global
groups on Enterprise objects in AD and only use local groups for Domain local
stuff?
or are you just supposed to rely on Auth users or Everyone for stuff like that?
What happens if your perms are checked against a
glad it helped.
some more comments inline
/Guido
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, 6 September 2005 15:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] hide an attribute
So if you have a mixed mode forest, what if you give
We recently had an issue where a policy seems to be
causing the registry size to blow up on several of our servers. We believe
we have found the culprit policy and are looking into it but we want to monitor
things. On this front I am trying to put together a script that will go
thru a list
Why not use WMI to achieve this? Just keep the file list as you
did below and use WMI to update the registry size.
Check:
Sample 4.14 - SetWin32_RegistrySizeWithAPI (Direct Properties).wsf
or
Sample 4.15 - SetWin32_RegistrySizeWithAPI (Indirect Properties).wsf
at http://www.lissware.net,
I agree client logon won't be an issue, as clients DC fit in the site boundary.
But some of my startup script access netlogon as \\example.com\netlogon, and I suppose accessing any network resource by UNC has nothing to do with site boundary, it is pure DNS resolution.
also what about domain DFS
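Set objFile = objFSO.GetFile("admin$\system32\config\system")
Set objItem = strComputer.objFile
WScript.Echo "FileSize: " & objItem.FileSize
Should be replaced with
' Build the UNC path to the remote SYSTEM hive from the computer name
Set objFile = objFSO.GetFile("\\" & strComputer & "\admin$\system32\config\system")
' FileSystemObject File objects expose the size as .Size (there is no .FileSize property)
WScript.Echo "FileSize: " & objFile.Size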
On 9/6/05,
OK Add that to the number of books I must
get.
In the meantime. As I don't have the book
right now and I am very new to scripting. What is the difference between
the Direct Properties and the Indirect Properties?
Have started modifying but now having the
problems with setting the
Dfs is site aware. Since \\example.com\netlogon is managed by
Dfs, the client will receive the location closest to it based on site. What
you were referring to on returning DNS records is called netmask
ordering. You're right about the limitations of it.
:m:dsm:cci:mvp
If I am using a DFS share that has copies of that share between child
domains am I not able to use Domain Local Groups in conjunction with
Global and Universal groups to grant permissions?
I noticed that I cannot choose Domain Local groups from the list.
Here is what I am trying to do
DFSshare
If I was to use the ADMT to migrate a workstation, would the wizard
actually change the domain membership of the workstations if I used the
ADMT v2 to migrate a workstation from child1.parent.com to parent.com?
Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
DFS is site aware, but what about
non-dfs? \\example.com will always
resolve to some domain controller, dfs or no dfs, using
round-robin dns, right?
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, September 06, 2005
8:59 AM
To:
Does anyone know of a way without creating separate hardware profiles, That
when a modem is in use the NIC(s) are disabled and when the NIC(s) are in use
the modem is disabled?
Regards
Mark
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
Short answer: Yes.
ADMT needs the PC's to be on the network when this happens so that it can launch a process on the workstation to translate profiles etc.
Phil
On 9/6/05, Salandra, Justin A. [EMAIL PROTECTED] wrote:
If I was to use the ADMT to migrate a workstation, would the wizard actually
Good morning folks, I am entertaining the idea of applying SP1 to our
2003 domain controllers. I figured I would start with
http://support.microsoft.com/kb/889101 but if you have any 1st hand
knowledge of any issues, please let me know.
For that matter, if you have a good link about applying
So technically I don't need to have
a tech go to that computer and physically change domains?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Phil Renouf
Sent: Tuesday, September 06, 2005
1:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re:
Correct. Run some tests with ADMT to get used to how it all works (preferably in a test forest with test workstations).
Note though that the machines have to be on and that there will always be a few that don't work etc.; this is pretty much the same thing as deploying any type of agent like
I've done some googling and searched the MS site a bit, but cannot find
an answer... The question I have is this: How does an XP computer
determine whether it's connected to the domain in order to decide which
firewall policy (standard or domain) to enforce?
The reason I ask is this: I see
It's probably to do with apply GPO over slow links, the trouble is the speed
is measured as the speed of the NIC not the speed of the link. Unless you dial
up from the PC directly. I have had great fun with this and VPNs over ADSL and
dial up.
-Original Message-
From: Joe Pochedley
The domain mode is determined by the DNS suffix of your active network
connections. This article has information on troubleshooting the XP SP2
firewall:
http://www.microsoft.com/technet/prodtechnol/winxppro/support/wftshoot.mspx
And it links to this article which describes the algorithm for
Thanks for both the links. I had seen the first one, but not the
second.
While they answered the question I had, they didn't explain why the
firewall is still enabled when it shouldn't be. The slow link threshold
isn't an issue (set down the 200kbps quite some time ago, and confirmed
with
Thommes, Michael M. wrote:
SET LOGONSERVER at the command line should be enough.
And on a similar note, if I'm having trouble with a user logging on to a
specific DC, is there a way to force their workstation to log on to a different
one?
--Brett
nltest /sc_reset:domain\DC /server:computername will do the trick nicely.
Nltest.exe is part of the Windows Support Tools.
-Andrew
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of vex
Sent: Tuesday, September 06, 2005 3:39 PM
To:
Cace, Andrew wrote:
nltest /sc_reset:domain\DC /server:computername will do the trick
nicely.
Nltest.exe is part of the Windows Support Tools.
Thanks, I'll give that a bash. Looks more useful than set
logonserver=\\servername...
--Brett
I emailed awhile ago about this issue-
I'm recreating my domain in a test forest for migration testing.
In our real and test forest, we have no connectivity to the root domain and no EA or SA access (never will). We are primary DNS for both the root and child domain however.
I recreated our
Hi Johnny,
The only major issue I've run into was around
http://support.microsoft.com/?id=892501
HTH,
Katherine
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: 07 September 2005 02:15
To: ActiveDir@mail.activedir.org
Subject:
You are correct - the DNS server won't provide any
intelligence with regards to what it returns to a request. DNS should be
returning ALL records for the appropriate domain, which I believe NetLogon on
the local machine then parses against AD Sites by subnet.
Gil Kirkpatrick wrote an
I think this is the article you are referring
to:
http://www.netpro.com/forum/files/authentication_topology.pdf
Tony
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, 7 September 2005 2:49 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE:
I haven't done it on DC's yet (since I no longer run any...) but with
regards to member servers I'm finding it rock solid.
For a higher traffic DC or member server, I'd expect you'll see a relatively
large decrease in CPU utilization for network related things.
Roger Seielstad
E-mail
Ahh - there's the issue. That's not the same thing as logon
traffic.
Switching that to a domain DFS will certainly fix the issue
- DFS understands AD Sites
Roger Seielstad
E-mail Geek
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Tuesday,
39 matches