RE: [ActiveDir] Reducing number of Global Catalogs

2005-12-14 Thread Almeida Pinto, Jorge de
if single domain, etc well I had to ask. And yes refreshing = dcpromo out and dcpromo on new HW. Thanks Paul From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Wednesday, December 14, 2005 2:15 PM To: ActiveDir

RE: [ActiveDir] Going Native in root domain

2005-12-13 Thread Almeida Pinto, Jorge de
Issues with Kerberos authentication??? Are you sure? That is available in ALL modes/levels. It must have been something with new features that are introduced when the level is increased... E.g. LVR with Exchange 2000 Cheers, Jorge From: [EMAIL PROTECTED] on

RE: [ActiveDir] DNS issue

2005-12-13 Thread Almeida Pinto, Jorge de
that is because the server is a root server. a DNS server is a root server when it contains a root zone called .(dot) If you want to use forwarders and/or root hint servers you should delete the root zone cheers, jorge From: [EMAIL PROTECTED] on behalf of

RE: [ActiveDir] time sync..

2005-12-13 Thread Almeida Pinto, Jorge de
The PDC FSMO is also important for password changes. See: http://blogs.dirteam.com/blogs/jorge/archive/2005/11/24/161.aspx The PDC FSMO in the forest root domain sync time with an external time source if configured so (also see:

RE: [ActiveDir] Cross forest trust and DNS

2005-12-13 Thread Almeida Pinto, Jorge de
I would think the client receives a list of referrals and uses the DC on top of the list and goes down the list until it finds a DC that responds. A client simply does not know why a certain DC does not respond. It can be anything... firewall, network, DC down or whatever. As there is no

RE: [ActiveDir] Cross forest trust and DNS

2005-12-13 Thread Almeida Pinto, Jorge de
anything else. Tony From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Wednesday, 14 December 2005 9:39 a.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Cross forest trust and DNS I would think

RE: [ActiveDir] domain policy audit question

2005-12-11 Thread Almeida Pinto, Jorge de
Hi, I have not tried it myself, but for that I guess you could enable audit success on object access in the DD GPO and on each workstation enable auditing on executing files starting from Program Files and lower (and possibly other dirs). The events are logged on local workstations. Although

RE: [ActiveDir] Promote 2003 member server in prep'd 2000 domain?

2005-12-09 Thread Almeida Pinto, Jorge de
Yes you can... The following articles will help you in your migration from W2K/E2K to W2K3/E2K3 and especially when doing an in-place upgrade of the domain: * MS-KBQ314649_W2K3 ADPREP Command Causes Mangled Attributes in W2K Forests That Contain E2K Servers ( http://support.microsoft.com/?id

[ActiveDir] SRV RRs and NSLOOKUP

2005-12-09 Thread Almeida Pinto, Jorge de
Hi, I'm trying to understand the logic of nslookup when querying for all domain controllers... nslookup -type=srv _ldap._tcp.dc._msdcs.domain.tld returns a list of all registered hostnames of the DCs that have registered the record mentioned. At the bottom of the list it also shows the

RE: [ActiveDir] Domain case

2005-12-08 Thread Almeida Pinto, Jorge de
IMHO, a domain rename would be needed if the NetBIOS and/or DNS domain name needed to change. (different structure) Just for changing the case in ADDT a domain rename is not needed. Just did it in my test environment by changing the case of the value of the attribute dnsRoot of the object

RE: [ActiveDir] Domain case

2005-12-08 Thread Almeida Pinto, Jorge de
, as well as in ADDT. [hence domain rename] If the only requirement is to change the name in ADDT then benefit versus pain is really skewed towards pain :) neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: 08

RE: [ActiveDir] Domain case

2005-12-08 Thread Almeida Pinto, Jorge de
is to change the name in ADDT then benefit versus pain is really skewed towards pain :) neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: 08 December 2005 15:52 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir

RE: [ActiveDir] Netware 5, 2000 AD, and Exchange 5.5 to 2003

2005-12-07 Thread Almeida Pinto, Jorge de
More than half a year ago I did a migration from Netware 5, NT4 and Exchange 5.5 to Windows/Exchange 2003. I remember posting information about it. Guido also posted some info about a migration job he did. Don't remember if it was last year or in the beginning of this year. So you might want to

RE: [ActiveDir] next available RID?

2005-12-06 Thread Almeida Pinto, Jorge de
RIDs are requested and distributed in blocks of 500 RIDs. Each DC has at least one block (RidpreviousAllocationpool). When that block has been exhausted for 50% of its RIDs, the DC will ask a new block and store that in the attribute called Ridallocationpool. When that block

RE: [ActiveDir] Delegate disable/enable user accounts

2005-12-06 Thread Almeida Pinto, Jorge de
read/write permission on the useraccountcontrol attribute of the user object. HOWEVER... the disabled/enabled status of a user object is represented by a bit/flag in the useraccountcontrol attribute and that same attribute consists of more bits/flags. So if you delegate read/write permission

RE: [ActiveDir] joining domain

2005-12-01 Thread Almeida Pinto, Jorge de
Take a look at an article written by Darren Mar-Elia http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=37928 Cheers Jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, December 01, 2005 15:32 To: activedirectory Subject: [ActiveDir] joining

RE: [ActiveDir] AD Schema Attribute

2005-11-30 Thread Almeida Pinto, Jorge de
Pinto, Jorge de wrote: Talking about the British... In the UK pub opening hours are around the clock since a week or so...I think a pub owner could introduce his own AD and use this very interesting attribute for his customers.. ;-) I also looked if it had a sigar(s) attribute, but no luck

RE: [ActiveDir] VBSCRIPT ADSI IADs Get Method

2005-11-30 Thread Almeida Pinto, Jorge de
It is possible... you only have to do it another way... query AD for the object that matches a certain sAMAccountName --- sDomainDNSW2Kx = ADCORP.LAN ssAMAccountName = JORGE Set oConnection = CreateObject(ADODB.Connection) Set

RE: [ActiveDir] Disabling Distributed Link Tracking Server on domain Controllers

2005-11-29 Thread Almeida Pinto, Jorge de
of Almeida Pinto, Jorge de Sent: Tue 11/29/2005 8:20 AM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Disabling Distributed Link Tracking Server on domain Controllers OK, you are right on the choice of words... they don't age out, but will get cleaned

RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread Almeida Pinto, Jorge de
First, look at each role and see what it does... Forest FSMOs * Schema Master -- needed when updating the schema * Domain Naming master -- needed when adding or removing domains within the forest Domain FSMOs * PDC Emulator -- needed for legacy clients (NT4, W9x) when changing passwords,

RE: [ActiveDir] Outlook installed on a DC

2005-11-29 Thread Almeida Pinto, Jorge de
Well, if he was a techie.. he should understand why outlook should not be installed on the DC Jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale Sent: Tuesday, November 29, 2005 16:38 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Outlook

RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread Almeida Pinto, Jorge de
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, November 29, 2005 9:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer First, look at each role and see what it does... Forest FSMOs * Schema Master

RE: [ActiveDir] GC list

2005-11-29 Thread Almeida Pinto, Jorge de
to view all DCs in the forest * repadmin /viewlist * to view all DCs in the domain * run nslookup and configure set type=srv and query for _ldap._tcp.dc._msdcs.yourdomain.tld (per domain) * NLTEST /DCLIST:DomainName * netdom query dc * run replmon and ask for show domain controllers in domain

RE: [ActiveDir] AD Schema Attribute

2005-11-29 Thread Almeida Pinto, Jorge de
Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Monday, November 28, 2005 11:48 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD Schema Attribute

RE: [ActiveDir] Tombstone value

2005-11-28 Thread Almeida Pinto, Jorge de
Max: 999,999,999 days or 2,739,726 years (not including leap years) the network latency must be very very high if even this is not enough... maybe we can undelete some dinosaurs... ;-) Jorge From: [EMAIL PROTECTED] on behalf of Dean Wells Sent: Mon

RE: [ActiveDir] Server Disappeared

2005-11-28 Thread Almeida Pinto, Jorge de
Rick Kingslan burped the following on 25/11/2005 4:24 PM: So Rick, you have started burping answers? ;-)) jorge From: [EMAIL PROTECTED] on behalf of Harald Sent: Mon 11/28/2005 6:11 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Server

RE: [ActiveDir] Disabling Distributed Link Tracking Server on domain Controllers

2005-11-28 Thread Almeida Pinto, Jorge de
ehhh... according to the KB article (http://support.microsoft.com/?id=312403) objects do age out.. QUOTE It is not critical that you manually delete the Distributed Link Tracking objects after you stop the Distributed Link Tracking server service unless you have to reclaim the disk space that

RE: [ActiveDir] Disabling Distributed Link Tracking Server on domain Controllers

2005-11-28 Thread Almeida Pinto, Jorge de
: RE: [ActiveDir] Disabling Distributed Link Tracking Server on domain Controllers Might be a problem if the service is disabled, no? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Monday, November 28, 2005 1:22 PM

[ActiveDir] AD Schema Attribute

2005-11-28 Thread Almeida Pinto, Jorge de
Now this is fun... The AD Schema contains the following attribute: distinguishedName=CN=drink,CN=Schema,CN=Configuration,DC=ADCORP,DC=LAN CN=drink adminDescription=The drink (Favourite Drink) attribute type specifies the favorite drink of an object (or person). isSingleValued=FALSE ;-)

RE: [ActiveDir] Connecting the test environment to the production - what is your opinion?

2005-11-26 Thread Almeida Pinto, Jorge de
PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Thursday, November 24, 2005 7:24 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Connecting the test environment to the production - what is your opinion? Hi All, I would be interested in your feedback concerning the story below. The full

RE: [ActiveDir] Trusts.....

2005-11-24 Thread Almeida Pinto, Jorge de
Hi, You do not mention the type of trust you want to create but between a W2K and W2K3 forest you can only create external trusts. For more info see: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/b30ef067-746e-4453-b879-804259aafdd3.mspx Cheers, Jorge

RE: [ActiveDir] Outlook installed on a DC

2005-11-24 Thread Almeida Pinto, Jorge de
Sometimes I wonder where managers hear that kind of stuff... If the backup program has the possibility to report if the status of a backup is OK or FAILED, then that backup util will most probably have an option to send an e-mail. If it does not have that option but it has an option to run a

RE: [ActiveDir] Find originating DC for password change

2005-11-24 Thread Almeida Pinto, Jorge de
You might wanna take a look at: http://blogs.dirteam.com/blogs/jorge/archive/2005/11/24/161.aspx Cheers, jorge From: [EMAIL PROTECTED] on behalf of Kamlesh Parmar Sent: Thu 11/24/2005 8:39 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Find

[ActiveDir] Connecting the test environment to the production - what is your opinion?

2005-11-24 Thread Almeida Pinto, Jorge de
Hi All, I would be interested in your feedback concerning the story below. The full story is also available on my blog (http://blogs.dirteam.com/blogs/jorge/archive/2005/11/24/149.aspx). Any feedback on it would be appreciated! If you have questions, feel free to ask! Thanks in advance!

RE: [ActiveDir] Connecting the test environment to the production - what is your opinion?

2005-11-24 Thread Almeida Pinto, Jorge de
looks like. It just looks to me like it was glossed over a bit by somebody who's done an upgrade a few times. My thoughts anyway, -ajm From: Almeida Pinto, Jorge de [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Connecting the test

RE: [ActiveDir] Proving a User is logged on to the domain

2005-11-23 Thread Almeida Pinto, Jorge de
Hi, Check out LimitLogon from MS. It only works in a W2K3 AD as it needs a separate app partition for its data. It also extends the schema and as the Resource Kit tools it is not supported by MS For more info see: http://www.thincomputing.net/newsitem296.html

RE: [ActiveDir] 2003 upgrade failure - domain prep was not run, but it was!

2005-11-22 Thread Almeida Pinto, Jorge de
From your post I see the following: * RPCLOCATOR service on RADAR is disabled. Set it to STARTUP=MANUAL * OutBound REPLICATION is disabled on RADAR. ENABLE it. To enable both inbound and outbound REPADMIN /OPTIONS DC -DISABLE_INBOUND_REPL -DISABLE_OUTBOUND_REPL I assume RADAR is the

RE: [ActiveDir] Active Directory 3rd Book

2005-11-18 Thread Almeida Pinto, Jorge de
Now THAT would be fun! ;-)) Cheers, The guy that is NOT puffing the pipe (where the heck did you get this one?) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Friday, November 18, 2005 16:08 To: ActiveDir@mail.activedir.org

RE: [ActiveDir] Renaming AD accounts en masse

2005-11-17 Thread Almeida Pinto, Jorge de
you can use the example as explained at: http://www.microsoft.com/technet/scriptcenter/resources/qanda/dec04/hey1214.mspx although a group is used as example you can do it with users also. Modifying the script to use an input file would do the en masse thing cheers, Jorge

RE: [ActiveDir] Renaming AD accounts en masse

2005-11-17 Thread Almeida Pinto, Jorge de
: [ActiveDir] Renaming AD accounts en masse Another command line option would be DSMOD. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Thursday, November 17, 2005 12:08 PM To: ActiveDir@mail.activedir.org Subject: RE

RE: [ActiveDir] Renaming AD accounts en masse

2005-11-17 Thread Almeida Pinto, Jorge de
Of Almeida Pinto, Jorge de Sent: Thursday, November 17, 2005 3:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Renaming AD accounts en masse the link to script I mailed you is to rename the common name attribute (CN) using the movehere method. if you want to change the sAMAccountName

RE: [ActiveDir] DFS and child domains

2005-11-17 Thread Almeida Pinto, Jorge de
Hi Mike, Interesting scenario If you have an AD forest with a root domain and child domain(s), why would users that have accounts in the child domain also have accounts in the root domain? I'm trying to understand this one, so I hope you can elaborate more on this. Thanks Jorge

RE: [ActiveDir] [Slightly OT] Protecting objects not covered by AdminSDHolder

2005-11-16 Thread Almeida Pinto, Jorge de
] On Behalf Of Almeida Pinto, Jorge de Sent: 16 November 2005 07:31 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] [Slightly OT] Protecting objects not covered by AdminSDHolder Morning all, (at least here it is) When users or groups are protected

RE: [ActiveDir] [Slightly OT] Protecting objects not covered by AdminSDHolder

2005-11-16 Thread Almeida Pinto, Jorge de
PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: 16 November 2005 07:31 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] [Slightly OT] Protecting objects not covered by AdminSDHolder Morning all, (at least here it is) When users

RE: [ActiveDir] Restoring System State

2005-11-15 Thread Almeida Pinto, Jorge de
you can only schedule BACKUPS with NTBACKUP. It is not possible to schedule or create schedules using NTBACKUP. In other words...it is just not possible to schedule a restore with NTBACKUP ;-) Type NTBACKUP /? and in the command line reference you will see: Remarks * You cannot

[ActiveDir] OT: BLOG

2005-11-15 Thread Almeida Pinto, Jorge de
For those interested, my blog: http://blogs.dirteam.com/blogs/jorge/default.aspx Still working on it, bit by bit. In time I'll post more Cheers, Jorge

RE: [ActiveDir] Protecting objects not covered by AdminSDHolder

2005-11-15 Thread Almeida Pinto, Jorge de
That sounds logical. However the adminsdholder process only looks at users and groups that are defined in AD as protected objects. As mentioned in MS-KBQ817433 - Delegated permissions are not available and inheritance is automatically disabled it is possible to include or exclude some of the

RE: [ActiveDir] [Slightly OT] Protecting objects not covered by AdminSDHolder

2005-11-15 Thread Almeida Pinto, Jorge de
Pinto, Jorge de Sent: Tuesday, November 15, 2005 3:22 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Protecting objects not covered by AdminSDHolder That sounds logical. However the adminsdholder process only looks at users and groups

RE: [ActiveDir] Export AD information....

2005-11-14 Thread Almeida Pinto, Jorge de
LDIFDE -f <output file> -s <DC> -d "<DN of the location to start the search>" -r "(&(objectCategory=person)(objectClass=user))" -p Subtree -l "<list of attributes you want to export, comma-separated>" Jorge From: [EMAIL PROTECTED] on behalf of Frank Abagnale Sent: Mon

RE: [ActiveDir] Token Bloat

2005-11-14 Thread Almeida Pinto, Jorge de
see: Tokensz http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&displaylang=en Authentication Fails Due to User PAC http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/3872f0d7-e4b3-49ed-9a4b-1fefbf0d4547.mspx Cheers Jorge

RE: [ActiveDir] Export Users in a group

2005-11-14 Thread Almeida Pinto, Jorge de
try ADFIND using the new CSV option http://www.joeware.net/win/free/tools/adfind.htm Jorge From: [EMAIL PROTECTED] on behalf of Mark Orlando Sent: Mon 14-11-2005 16:27 To: Active Directory Mailing List Subject: [ActiveDir] Export Users in a group Hi all AD

RE: [ActiveDir] Restore twice in Disaster Recovery?

2005-11-13 Thread Almeida Pinto, Jorge de
without a date, hence blank. Am I correct to assume that it is because the host machine is not a DC, that is why no presence of AD modified date while restoring? ... you don't know what you've got 'till it's gone.. - Joni Mitchell From: Almeida Pinto, Jorge de [EMAIL PROTECTED] Reply

RE: [ActiveDir] Automatically created replication links

2005-11-12 Thread Almeida Pinto, Jorge de
? Do we have to just manually create the replication link after it decided to delete it without notifying us ? :( How can we make sure it automatically re-creates it? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de

RE: [ActiveDir] some users do not have allow inheritable permissions set

2005-11-12 Thread Almeida Pinto, Jorge de
the attribute admincount=1 when an account was/is a member of a protected group... besides checking the inheritance option you need to make admincount=0 Jorge From: [EMAIL PROTECTED] on behalf of Ben D. Kusa Sent: Fri 11/11/2005 5:16 PM To:

RE: [ActiveDir] Restore twice in Disaster Recovery?

2005-11-12 Thread Almeida Pinto, Jorge de
Hi, You have not told us if you are using W2K or W2K3 AD... There is a tiny difference between the two... When doing a bare metal restore I always advise to restore a backup of the System Disk (in MS terms it is called the boot volume, and for both it means the volume with the Windows/Winnt

RE: [ActiveDir] Automatically created replication links

2005-11-11 Thread Almeida Pinto, Jorge de
The KCC manages auto created links which means it creates and deletes COs according to the then current replication topology. If it is the KCCs opinion it should delete the CO it will. This may happen if the repl. top. changes which can be new links, new DCs, etc. One way to force generation

RE: [ActiveDir] some users do not have allow inheritable permissions set

2005-11-09 Thread Almeida Pinto, Jorge de
Every hour, the domain controller that has the primary domain controller (PDC) emulator operations master role verifies the ACLs on members of the protected groups and compares them to the ACL on the AdminSDHolder object. If the ACL that is on the AdminSDHolder object is different, the ACLs on

RE: [ActiveDir] Automating NoMas

2005-11-09 Thread Almeida Pinto, Jorge de
With ADMODCMD you can query AD, disable users and add SELF to the ACL. This is something I posted a while ago... What to do with user accounts that are or not mailbox enabled when the corresponding user(s) leave(s) the company. For that and without buying a full blown solution you can create

RE: [ActiveDir] Methods to verify GC promotion

2005-11-08 Thread Almeida Pinto, Jorge de
(1) LDP - when connecting see the attribute isGlobalCatalogReady: TRUE; (2) event id 1119 (3) reg key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Global Catalog Promotion Complete = 1 (4) replmon Cheers Jorge From: [EMAIL PROTECTED]

RE: [ActiveDir] Unreadable Netlogon.dns file

2005-11-07 Thread Almeida Pinto, Jorge de
May sound stupid but... * does the file exist? * Is the DC pointing to your internal DNS or to your ISP DNS? Cheers, Jorge From: [EMAIL PROTECTED] on behalf of Rachui, Scott Sent: Mon 11/7/2005 9:20 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir]

RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes

2005-11-06 Thread Almeida Pinto, Jorge de
damn... do you have a short version of this story? From: [EMAIL PROTECTED] on behalf of joe Sent: Sun 11/6/2005 5:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes

RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes

2005-11-06 Thread Almeida Pinto, Jorge de
: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes How long have you known joe? Short version PLEASE! Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent

RE: [ActiveDir] removing computer problem

2005-11-05 Thread Almeida Pinto, Jorge de
If you just disconnected the DC(s) without demoting it/them, the metadata from that/those DC(s) is still in AD. To remove AD metadata look at the following articles. These explain very well on how to do it. How to remove data in Active Directory after an unsuccessful domain controller demotion

[ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes

2005-11-05 Thread Almeida Pinto, Jorge de
FYI Potential file corruption problem on NTFS volumes during extensive stress tests in Windows Server 2003 Service Pack 1 http://support.microsoft.com/default.aspx?scid=kb;en-us;909360 Cheers, Jorge

RE: [ActiveDir] LastLogon timestamp

2005-10-28 Thread Almeida Pinto, Jorge de
Hi Russ, For that you need to query all DCs as the old attribute is not replicated between DCs The new lastlogontimestamp attribute only is available in DFL W2K3 and is replicated between DCs In both FLs you could use OLDCMP (with the users option) from joeware.net

RE: [ActiveDir] AD Lag Site

2005-10-26 Thread Almeida Pinto, Jorge de
). Ulf From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, October 25, 2005 3:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Lag Site Hi

RE: [ActiveDir] AD Lag Site - solves the groups memberships issue ?

2005-10-26 Thread Almeida Pinto, Jorge de
Of |Almeida Pinto, Jorge de |Sent: Wednesday, October 26, 2005 8:08 PM |To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org |Subject: RE: [ActiveDir] AD Lag Site | |yes... IF the detection of the deletion is BEFORE the |replication window to the lag site. Otherwise the tombstone |will replicate

RE: [ActiveDir] ForestDnsZones

2005-10-25 Thread Almeida Pinto, Jorge de
because this same thing happens in every test win2k3 forest i create. thanks On 10/24/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: true.. they should be there. if your replication is working the CNAME records must be available otherwise you would have little replication

RE: [ActiveDir] ForestDnsZones

2005-10-25 Thread Almeida Pinto, Jorge de
partition/NC. If you have configured DNS zones with the forest replication scope you'll see them listed there Jorge From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de Sent: Tue 10/25/2005 8:20 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir

RE: [ActiveDir] AD Lag Site

2005-10-25 Thread Almeida Pinto, Jorge de
Hi, Guido and Gil wrote a great ebook about recovery whereas information about lagsites is included Take a look at: http://www.netpro.com/events/adrecovery/index.cfm (registration needed) For starters some tips: * Place at least one DC for each domain in the lag site * Allow the DCs in the

RE: [ActiveDir] ForestDnsZones

2005-10-25 Thread Almeida Pinto, Jorge de
s the root dns entries and srv rr for GC's and DC guid's. How does that relate to the subdomain i see in DNS called ForestDnsZones? This subdomain only contains site specific records for ldap servers. Thanks On 10/25/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: If you have configur

RE: [ActiveDir] AD Lag Site

2005-10-25 Thread Almeida Pinto, Jorge de
this has been answered quite a lot of times so you might wanna search the archives for all kinds of reactions... simple answer: NO Cheers, Jorge From: [EMAIL PROTECTED] on behalf of Whaley, Greg Sent: Tue 10/25/2005 9:34 PM To: ActiveDir@mail.activedir.org

RE: [ActiveDir] Windows 2000 / Exchange 2000 Upgrade to 2003

2005-10-24 Thread Almeida Pinto, Jorge de
For starters look at: MS-KBQ314649_W2K3 ADPREP Command Causes Mangled Attributes in W2K Forests That Contain E2K Servers MS-KBQ325379_How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003 MS-KBQ555040_Common Mistakes When Upgrade Windows 2000 Domain To Windows 2003

RE: [ActiveDir] Windows 2000 / Exchange 2000 Upgrade to 2003

2005-10-24 Thread Almeida Pinto, Jorge de
During the day? It depends what other services are running on the DCs. As long as the switch is smooth (enable new first, disable older second) nobody will notice it you can do a DC at a time if you wish. The most important one here is: * Fix the schema because of exchange 2000 in w2k AD *

RE: [ActiveDir] ForestDnsZones

2005-10-24 Thread Almeida Pinto, Jorge de
true.. they should be there. if your replication is working the CNAME records must be available otherwise you would have little replication ;-) Are you sure the replication scope is set to all dns servers in the forest, secure dynamic updates are enabled, etc. Jorge

[ActiveDir] OT: Technet movie (fun!) ;-)

2005-10-21 Thread Almeida Pinto, Jorge de
For those interested Go to: http://www.microsoft.com/netherlands/technet/itsshowtime/sessionh.aspx?videoid= Sign in with your passport if needed Click on the text Bekijk de hele voorstelling (top-right) (MOVIE IS IN ENGLISH HOWEVER!) New feature

RE: [ActiveDir] Conditional Forwarding for SRV's

2005-10-21 Thread Almeida Pinto, Jorge de
With (conditional) forwarding you specify the DNS zone and the IP address of the DNS server that hosts the zone. When a client queries for "_ldap._tcp.pdc._ms-dcs.DNSDomainName" and the DNS server of the client does not host a DNS zone "DNSDomainName" the DNS server itself queries its

RE: [ActiveDir] Force a Domain Sync

2005-10-19 Thread Almeida Pinto, Jorge de
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/03b7fc47-e25c-4af8-822f-f856b565b76a.mspx repadmin /replicate repadmin /syncall with /replicate you can specify wildcards for DCs Be VERY careful as this can increase network traffic! Cheers, Jorge

RE: [ActiveDir] Knowing when users were deleted.

2005-10-18 Thread Almeida Pinto, Jorge de
Hi, I'm not sure if I would want this in the AD DB as this would mean a larger DIT (as every change is stamped... - how many versions are kept as history?) and additional replication traffic. I would prefer a better central auditing solution instead of having to check each DC to see for who made

RE: [ActiveDir] Global Catalog

2005-10-17 Thread Almeida Pinto, Jorge de
Yes you are correct. The answer is No. A domain within a forest is the authentication boundary. So when all DCs of domain other.biz are unavailable the users from other.biz will not be able to log on as there is no DC available to authenticate the user at logon and create the access token.

RE: [ActiveDir] Documenting AD

2005-10-17 Thread Almeida Pinto, Jorge de
, 2005 23:55 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Documenting AD Jorge, we need to introduce you to objectcategory. ;o) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Thursday, October 13, 2005 6:16

RE: [ActiveDir] DFS using a Hidden Share

2005-10-17 Thread Almeida Pinto, Jorge de
Yep, no problem jorge From: [EMAIL PROTECTED] on behalf of Salandra, Justin A. Sent: Mon 10/17/2005 9:41 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DFS using a Hidden Share Is it possible to create a DFS Root that is hidden using the $ symbol

RE: [ActiveDir] Global Catalog

2005-10-17 Thread Almeida Pinto, Jorge de
'Forest is the security boundary'-statement B. Simon-Weidner |-Original Message- |From: [EMAIL PROTECTED] |[mailto:[EMAIL PROTECTED] On Behalf Of |Almeida Pinto, Jorge de |Sent: Monday, October 17, 2005 6:47 PM |To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org |Subject: RE

RE: [ActiveDir] AD/ Sites Services

2005-10-16 Thread Almeida Pinto, Jorge de
Hi Rania, One forest with one domain should do it for you and make all DCs a GC The site and replication topology is used: * By DCs so they know with which DC to replicate with within a site and between sites * By clients/servers to find the nearest DC for authentication, GPOs, etc. Now we

RE: [ActiveDir] AD/ Sites Services

2005-10-16 Thread Almeida Pinto, Jorge de
I don't understand why you want to use a child domain in the factory location? Can you tell us the reason(s). In my opinion there is no need for that. Remember what I said for redundancy purposes you at least need 2 DCs for each domain For the scenario you want to implement (2 domains) you at

RE: [ActiveDir] Major issue not sure if 2003 created this problem

2005-10-14 Thread Almeida Pinto, Jorge de
Well To query for ANY DC (or LDAP server) in the domain you use: _ldap._tcp.dc._msdcs.domain.tld To query for ANY DC (or LDAP server) in a certain site you use: _ldap._tcp.<site name>._sites.dc._msdcs.domain.tld If a computer does not know its site it uses the first and if it knows its site

RE: [ActiveDir] Kix to VBS

2005-10-14 Thread Almeida Pinto, Jorge de
Hi, Try the following: Cheers, jorge 'http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/enumvalues_method_in_class_stdregprov.asp ### Const HKCU = H8001 Set

RE: [ActiveDir] finding computer objects

2005-10-14 Thread Almeida Pinto, Jorge de
LDAP filter for disabled user accounts (&(objectCategory=person)(objectClass=user)(UserAccountControl:1.2.840.113556.1.4.803:=2)) LDAP filter for enabled user accounts (&(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) Cheers, Jorge

RE: [ActiveDir] Design Question

2005-10-12 Thread Almeida Pinto, Jorge de
Technically you would only need multiple domains if: * separate pwd policies are needed (third party products exist that can do this in a single domain) * replication boundary for AD and SYSVOL replication is needed for some reason * keep current old domain structure (if this is a cool

RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Almeida Pinto, Jorge de
Upgrade KBs: See: MS-KBQ314649_W2K3 ADPREP Command Causes Mangled Attributes in W2K Forests That Contain E2K Servers MS-KBQ325379_How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003 MS-KBQ555040_Common Mistakes When Upgrade Windows 2000 Domain To Windows 2003

RE: [ActiveDir] Windows 2000 AD to 2003 - Almost Complete...

2005-10-04 Thread Almeida Pinto, Jorge de
you can introduce a new/fresh windows 2003 dc and after transfer the roles to the w2k3 dc. Jorge From: [EMAIL PROTECTED] on behalf of Jennifer Fountain Sent: Tue 10/4/2005 8:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Windows 2000 AD to

RE: [ActiveDir] Multiple forests with a common DNS parent zone

2005-10-03 Thread Almeida Pinto, Jorge de
For the information you have posted I don't feel uncomfortable re-using the XXX.COM DNS name and building a new forest root called GLOBAL.XXX.COM (assuming your internet presence is XXX.COM). Isn't XXX the company's name? In my opinion

RE: [ActiveDir] Cleanup of Active Directory...

2005-10-03 Thread Almeida Pinto, Jorge de
Scripting would be my first choice... Script Center has great examples: http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/list/default.mspx (Retrieving User Account Properties) http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/modify/default.mspx (Modifying User

RE: [ActiveDir] Cleaning up Stale entries in AD

2005-09-30 Thread Almeida Pinto, Jorge de
Well, then OLDCMP can help you detect "old" accounts. OLDCMP is from Joeware (http://www.joeware.net/win/free/tools/oldcmp.htm) For computer accounts you could use something similar as mentioned below or just fire up OLDCMP each 2 months or

RE: [ActiveDir] DNS Aging and Scavenging

2005-09-30 Thread Almeida Pinto, Jorge de
Take a look at an article written by Marcus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny Sent: Friday, September 30, 2005 10:35 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DNS Aging and Scavenging I am seeing more

RE: [ActiveDir] DNS Aging and Scavenging

2005-09-30 Thread Almeida Pinto, Jorge de
Take a look at an article written by Marcus http://myitforum.techtarget.com/articles/16/print_view.asp?id=6287 Cheers, Jorge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny Sent: Friday, September 30, 2005 10:35 To:

[ActiveDir] ADMTv3 has been released!

2005-09-29 Thread Almeida Pinto, Jorge de
All, ADMTv3 has been released! It contains a lot of improvements compared to v2 Some cool improvements worth mentioning: * Support for input files to choose object to migrate * User rename * Select source and target DC for migration * Several pre-checks before migrating computers * Improved

RE: [ActiveDir] Cleaning up Stale entries in AD

2005-09-29 Thread Almeida Pinto, Jorge de
Just to be sure what you are asking... IMHO: * AD contains objects (users, groups, etc) * DNS zones contain records (A records, SRV records, etc) Are you talking about users in AD or are you talking about records in DNS? Can you be more specific? My feeling says you are talking about DNS

RE: [ActiveDir] active computers

2005-09-28 Thread Almeida Pinto, Jorge de
Active, inactive it depends on what someone thinks is active and inactive (meaning the number of days since last pwd change or lastlogon) query for the account that have password not older than 30 days. Each Windows computer by default initiates a password change after 30 days since the

RE: [ActiveDir] 2003 SP1

2005-09-27 Thread Almeida Pinto, Jorge de
Just to be accurate... During a DEFAULT fresh W2K3SP1 install Post Setup Security Updates protects the server by enabling Windows Firewall until the first admin logon and the admin clicks the FINISH button. After that the Windows Firewall will be DISABLED. Also remember there are several
