RE: [ActiveDir] Adfind + Admod help

2007-01-23 Thread WATSON, BEN
on language though. And you will want to do this in passes most likely so you can ensure that the department group is created when it comes time to add an object to it. It's helpful to do it that way... Does that help, or ?? Al On 1/22/07, WATSON, BEN [EMAIL PROTECTED] wrote: Hey guys

RE: [ActiveDir] Adfind + Admod help

2007-01-23 Thread WATSON, BEN
and populate the group structures as needed. Al On 1/23/07, WATSON, BEN [EMAIL PROTECTED] wrote: Thank you for the response Al. To answer your ultimate question, which was Does that help, or ??, then I would have to lean more towards ?? in my case. Not to say you didn't give some excellent

RE: [ActiveDir] Adfind + Admod help

2007-01-23 Thread WATSON, BEN
: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Tuesday, January 23, 2007 8:46 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Adfind + Admod help Thank you for the response Al. To answer your ultimate question, which was Does that help, or ??, then I

RE: [ActiveDir] Adfind + Admod help

2007-01-23 Thread WATSON, BEN
, but as was mentioned elsewhere in the thread, it's not a question of the code, but the logic. Which you know already. Bonus question: Do you know what you call somebody who gets a dev to do this kind of coding work? :) -ajm On 1/23/07, WATSON, BEN [EMAIL PROTECTED] wrote: We have a software

[ActiveDir] Adfind + Admod help

2007-01-22 Thread WATSON, BEN
Hey guys, I'm trying to wrap my brain around how best to accomplish this and need a little help. I need to create a security group for each department in our company, and then a security group for each section. At our company sections fall underneath departments. So we may have a

RE: [ActiveDir] Remote DC's on Virtual Server

2007-01-18 Thread WATSON, BEN
Noah, I initially thought that as well in regards to the video emulation performance. Now correct me if I'm wrong, but I'll bet that you were using virtualized Windows Server 2003 operating systems. The default setting in Windows Server 2003 is that your display hardware acceleration is

RE: [ActiveDir] Client time sync

2007-01-10 Thread WATSON, BEN
Try the command... w32tm /resync /rediscover See if that helps the client figure out where it should look for time. ~Ben -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Wednesday, January 10, 2007 2:12 PM To:

[ActiveDir] Shares with Computer Account Permissions

2007-01-09 Thread WATSON, BEN
I was asked today whether it was possible to allow or deny access to shares not just based on user accounts, but also upon computer accounts. My immediate response was that I didn't think so. So I tested it by simply creating a folder up on our file server, and added the computer account for

RE: [ActiveDir] Shares with Computer Account Permissions

2007-01-09 Thread WATSON, BEN
@mail.activedir.org Subject: RE: [ActiveDir] Shares with Computer Account Permissions Sure. IPsec. Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Tuesday, January 09, 2007 5:09 PM

RE: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.

2007-01-08 Thread WATSON, BEN
Hi Yann, I was reading this over the weekend, and perhaps this might provide enough relevant info for you to find what you are looking for. http://blog.joeware.net/2007/01/06/756/ ~Ben From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann Sent: Monday, January 08,

[ActiveDir] OT: Hello?

2007-01-04 Thread WATSON, BEN
I haven't seen a single e-mail from the mailing list since yesterday morning. Is anyone else seeing this e-mail? Has anyone else received e-mails since then? Just curious if the list has just been dead for the past day, or if something might not be working properly. ~Ben

RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread WATSON, BEN
Personally, I see the Account Operators group as going far beyond the principle of least privilege. I simply have not run across a helpdesk that actually requires the privileges on a scale that the built-in Account Operators group provides. Most helpdesk personnel will do the majority of their

RE: [ActiveDir] Built in Security groups

2006-12-22 Thread WATSON, BEN
I'm a bit confused on what you mean by removing the built-in security groups? Could you elaborate a little bit for me? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, December 22, 2006 8:14 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir]

RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread WATSON, BEN
working throwing what appear to be .net errors. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Friday, December 22, 2006 12:38 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Delegate Password Resets In our

RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread WATSON, BEN
would need to change the PW on their own account - and by default it's granted to the Everyone well-known-secprin. This is NOT a security issue since if you know a user's password, you _are_ the user. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent

RE: [ActiveDir] Delegate Password Resets

2006-12-21 Thread WATSON, BEN
In our case, I simply modified the security permissions on the OU containing our user accounts to provide a granular delegation of rights so the members of this security group can go into ADUC and unlock user accounts or reset/change passwords only. I modified various read/write property

RE: [ActiveDir] AdminSDHolder orphans

2006-12-19 Thread WATSON, BEN
Paul, On a side note, this part of your response caught my eye... ...and then retriggered SDPROP. Is there a way to manually trigger SDPROP? There have been times when I have wanted to do this but didn't know how or if it was possible. Thanks, ~Ben -Original Message- From: [EMAIL

RE: [ActiveDir] Strange Lock Out Issue

2006-12-18 Thread WATSON, BEN
I meant to also include the link. http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en ~Ben From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Monday, December 18, 2006 11:35 AM To:

RE: [ActiveDir] Strange Lock Out Issue

2006-12-18 Thread WATSON, BEN
Download the Account Lockout and Management Tools from Microsoft. More specifically, from the downloaded EXE, extract the LockoutStatus.EXE file and use it to query for the user account that is having issues. It will tell you how many bad password attempts have been made, what time/date the

RE: [ActiveDir] Vista GPO

2006-12-14 Thread WATSON, BEN
Maybe he may be referring to the location of any possible new ADM files included with Vista. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, December 14, 2006 10:34 AM To: ActiveDir@mail.activedir.org Subject: RE:

[ActiveDir] Lockdown CD-ROM access for some

2006-12-13 Thread WATSON, BEN
I have been given a task for our secured environments (by secured, I mean government clearances required) to develop a means to lock down access to the CDROM drive at a user based level. They want most users to be restricted from using the CDROM drives in any way, but allow a certain security

RE: [ActiveDir] Lockdown CD-ROM access for some

2006-12-13 Thread WATSON, BEN
altogether. This would be on a per computer basis though-not per user. See the following KB for details: http://support.microsoft.com/kb/555324 Darren From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Wednesday, December 13, 2006 7:36 AM To: ActiveDir

RE: [ActiveDir] Lockdown CD-ROM access for some

2006-12-13 Thread WATSON, BEN
://joeelway.spaces.live.com/blog/cns!2095EAC3772C41DB!293.entry From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Wednesday, December 13, 2006 9:36 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Lockdown CD-ROM access for some I have been given a task for our secured

RE: [ActiveDir] Delegate join computer to domain

2006-12-08 Thread WATSON, BEN
computers, even when dropping the workstation quota to 0). --James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Thursday, December 07, 2006 1:45 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Delegate join computer

RE: [ActiveDir] running scripts via group policy using alternate accounts

2006-12-08 Thread WATSON, BEN
My memory is a bit fuzzy on this as I read about this awhile ago, but essentially when you run a logon script as you are, you are running it under the credentials of the user logging in. So if you are attempting to install some software, and the user logging in has only limited privileges,

[ActiveDir] Delegate join computer to domain

2006-12-07 Thread WATSON, BEN
Hello everyone, Our desktop support group are all a part of a security group called IT. I delegated the Create and Delete Computer ACEs to the security group over the OU that I want them to add computer accounts into when a machine is joined to the domain. After I adjusted the security

[ActiveDir] Delegate join computer to domain

2006-12-07 Thread WATSON, BEN
as intended. Thanks, ~Ben -Original Message- From: WATSON, BEN Sent: Thursday, December 07, 2006 11:45 AM To: ActiveDir@mail.activedir.org Subject: Delegate join computer to domain Hello everyone, Our desktop support group are all a part of a security group called IT. I delegated

RE: [ActiveDir] Split pagefile

2006-11-30 Thread WATSON, BEN
It really shouldn't matter whether or not the page file resides on the boot partition or not. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers Sent: Thursday, November 30, 2006 9:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir]

[ActiveDir] Delegate VPN rights

2006-11-30 Thread WATSON, BEN
I'm attempting to delegate out the permissions to adjust the Remote Access Permissions under the Dial-In tab in Active Directory for user accounts. When performing an LDAP query, I notice that changes to this setting are recorded in the msNPAllowDialin attribute. Set to False when Deny Access is

RE: [ActiveDir] Split pagefile

2006-11-30 Thread WATSON, BEN
Ah, that's a nice clarification. I actually wasn't aware of the 16MB limitation for page file size on the boot partition, especially since I had done just what you said. Set the boot partition to no paging file and just set it manually on an alternative disk. Very good to know, thanks for the

RE: [ActiveDir] Delegate VPN rights

2006-11-30 Thread WATSON, BEN
, November 30, 2006 11:50 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Delegate VPN rights You will need to modify dssec.dat to expose the property. http://www.activedir.org/article.aspx?aid=24#11 Tony -- Original Message -- From: WATSON, BEN

RE: [ActiveDir] Delegate VPN rights

2006-11-30 Thread WATSON, BEN
. http://www.activedir.org/article.aspx?aid=24#11 Tony -- Original Message -- From: WATSON, BEN [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org Date: Thu, 30 Nov 2006 09:34:39 -0800 I'm attempting to delegate out the permissions to adjust

[ActiveDir] [OT] Vista Admin Tools Pack

2006-11-18 Thread WATSON, BEN
With the release of Vista to MSDN as well as the Microsoft Licensing site for download, I would assume that an Administration Tools Pack should be quickly on the way soon for Vista. Anyone have any information on when a Vista compatible Adminpak will be available? I would've run Vista Beta 2

RE: [ActiveDir] AD Replication Problem

2006-11-18 Thread WATSON, BEN
It looks to me like this domain controller has not replicated for a very long time and has passed the tombstone lifetime. You will probably never get this DC to function properly in its current state and you would probably be best served by simply demoting and repromoting the domain

RE: [ActiveDir] [OT] Vista Admin Tools Pack

2006-11-18 Thread WATSON, BEN
@mail.activedir.org Sent: 11/18/06 6:25 PM Subject: Re: [ActiveDir] [OT] Vista Admin Tools Pack http://windowsconnected.com/blogs/nick/archive/2006/07/11/3235.aspx Try installing it like that WATSON, BEN wrote: With the release of Vista to MSDN as well as the Microsoft Licensing site for download, I

RE: [ActiveDir] [OT] Vista Admin Tools Pack

2006-11-18 Thread WATSON, BEN
Subject: Re: [ActiveDir] [OT] Vista Admin Tools Pack http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=437266&SiteID=17&PageID=1 Try the RTM .. it appears to work (98% complete on my Vista download so I can't confirm yet) WATSON, BEN wrote: Yeah, I found that page when beta 2 came out. While

RE: [ActiveDir] [Semi-OT] AD Integrated DNS entries

2006-11-08 Thread WATSON, BEN
exactly the kb, but take a look and see if you can't modify the dsacls command to report the ownership of the records. Al On 11/7/06, WATSON, BEN [EMAIL PROTECTED] wrote: Hey guys, Simple question I hope. I was looking for a way to determine a couple things about DNS

[ActiveDir] [Semi-OT] AD Integrated DNS entries

2006-11-07 Thread WATSON, BEN
Hey guys, Simple question I hope. I was looking for a way to determine a couple things about DNS (A & PTR records) entries in an Active Directory Integrated DNS environment 1) Is there a way to determine whether the entry has been manually defined (and thus is never scavenged) or

RE: [ActiveDir] DC crashed

2006-11-03 Thread WATSON, BEN
Hi Bruce, First, you'll probably want to seize the FSMO roles held by the crashed domain controller. It's probably not a good idea to bring up another domain controller with the same name as the previous one that used to hold the FSMO roles until you've moved those roles to another DC. You

RE: [ActiveDir] Need some advices....

2006-10-25 Thread WATSON, BEN
There shouldn't be any reason why this would cause any issues. ~Ben From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann Sent: Wednesday, October 25, 2006 7:23 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Need some advices Hello all ;)

[ActiveDir] LastlogonTimestamp Missing

2006-10-25 Thread WATSON, BEN
I have a Windows 2003 R2 single domain/forest. This domain/forest was built upon Windows 2003 R2 so it has never had to go through any upgrades. I wanted to query for the true last logon time/date for various users and noticed that the LastlogonTimestamp is not an available attribute for the

RE: [ActiveDir] OT: Jabber and AD authentication

2006-09-28 Thread WATSON, BEN
Jabber supports the use of SRV records and works beautifully against AD for authentication. I got a Jabber server up and running for my company as a test about a year ago, however I was extremely let down by the quality of the clients. Each client seemed to have its own quirk, bug, or

RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-25 Thread WATSON, BEN
:[EMAIL PROTECTED] On Behalf Of Steve Linehan Sent: Sunday, September 24, 2006 9:47 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects Yes. Thanks, -Steve -Original Message- From: WATSON, BEN [EMAIL PROTECTED] To: ActiveDir

RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-25 Thread WATSON, BEN
Message- From: WATSON, BEN [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org Sent: 9/25/06 11:12 AM Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects Well, I just attempted to add group and groupOfNames into the groupofURLs objectclass

RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-24 Thread WATSON, BEN
a hypothesis as I do not have the details on exactly what changes were made when to the schema. Thanks, -Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Saturday, September 23, 2006 5:07 AM To: ActiveDir@mail.activedir.org Subject: RE

RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-24 Thread WATSON, BEN
. If you were on Windows Server 2003 and in Forest Functional Level 2, i.e. Windows 2003 Forest Functional Level, you could have defunct the schema change. Thanks, -Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Sunday

RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-23 Thread WATSON, BEN
Correction, 10 domain controllers in 9 sites. From: WATSON, BEN Sent: Friday, September 22, 2006 10:58 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-23 Thread WATSON, BEN
/ decimal 8372 : ERROR_DS_OBJ_CLASS_NOT_SUBCLASS winerror.h # The specified class is not a subclass. # 1 matches found for 20b4 Thanks, -Steve From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Saturday, September 23, 2006 1:03 AM To: ActiveDir

RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-23 Thread WATSON, BEN
PROTECTED] On Behalf Of WATSON, BEN Sent: Saturday, September 23, 2006 2:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects Hi Steve, First off, thanks for all your help, you are always incredibly helpful. Here's the output you requested from

RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-23 Thread WATSON, BEN
PROTECTED] On Behalf Of WATSON, BEN Sent: Saturday, September 23, 2006 2:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects Hi Steve, First off, thanks for all your help, you are always incredibly helpful. Here's the output you requested from

RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-23 Thread WATSON, BEN
] On Behalf Of WATSON, BEN Sent: Saturday, September 23, 2006 2:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects Hi Steve, First off, thanks for all your help, you are always incredibly helpful. Here's the output you requested from

RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-23 Thread WATSON, BEN
to be collected. Al On 9/23/06, WATSON, BEN [EMAIL PROTECTED] wrote: Sorry, I keep re-reading the e-mail and realize there was information I failed to give you. From what I understand of how the schema extension was added, it was added manually simply through adsiedit

[ActiveDir] Replication Problems and Tombstoned Objects

2006-09-22 Thread WATSON, BEN
Our forest is currently experiencing some replication issues. The common error we have been receiving has revolved around a single object. To summarize, how do you permanently delete Active Directory objects? More specifically, how do you remove an object that is already tombstoned? Here is why

RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-22 Thread WATSON, BEN
are you seeing associate with this error? Vinnie Cardona Systems Administrator Ernest Health, Inc Information Technology Dept 505.798.6472 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Friday, September 22, 2006 6:18 PM To: ActiveDir

[ActiveDir] Block Inheritance on DC OU

2006-09-13 Thread WATSON, BEN
The company I am currently working for has block inheritance enabled for the Domain Controllers OU and apparently whoever enabled this setting is no longer with the company (or they won't fess up to why they did this). Although I am curious, what sort of ramifications does enabling block

RE: [ActiveDir] Strange password issue

2006-09-07 Thread WATSON, BEN
Yep, your e-mail definitely hit the list. I'm confused as to why the 512 UAC flag is making anybody think that passwd_notreqd is set. A setting of 512 indicates a normal account. 544 would indicate a normal account with passwd_notreqd set. Laura If that is the e-mail you

RE: [ActiveDir] deleting subdomain

2006-08-30 Thread WATSON, BEN
Hi Rezuma, You would want to perform a metadata cleanup through NTDSUTIL to remove the child domain. ~Ben -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan Sent: Wednesday, August 30, 2006 1:57 PM To: ActiveDir@mail.activedir.org Subject:

RE: [ActiveDir] FYI - You cannot perform a system state backup on a domain controller that is running Windows Server 2003 SP1

2006-08-28 Thread WATSON, BEN
I ran into this a few weeks ago. I have a domain running on an old crappy box with two hard drives, and put the log files on the 2nd hard drive. When all my system state backups were failing, I ended up finding this KB article and found that the workaround in my case was to move the log files

[ActiveDir] [OT] Longhorn Beta

2006-08-17 Thread WATSON, BEN
Outside of my MSDN account is there a preferred way to obtain Longhorn Betas for testing? ~Ben

RE: [ActiveDir] [OT] Longhorn Beta

2006-08-17 Thread WATSON, BEN
- From: WATSON, BEN To: ActiveDir@mail.activedir.org Sent: Thursday, August 17, 2006 4:35 PM Subject: [ActiveDir] [OT] Longhorn Beta Outside of my MSDN account is there a preferred way to obtain Longhorn Betas for testing? ~Ben

RE: [ActiveDir] ADFind Query

2006-08-15 Thread WATSON, BEN
that you were able to get it from the web site, let me know if otherwise. -- Dean Wells MSEtechnology t Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Monday, August 14, 2006 8

[ActiveDir] ADFind Query

2006-08-14 Thread WATSON, BEN
Hey guys, Simple question. I'm trying to perform a search to locate all the schema extensions that have been added in by our company. I thought some simple syntax like this would work to find all schema attributes with an attributeID prefixed with our OID. adfind -schema -f

RE: [ActiveDir] ADFind Query

2006-08-14 Thread WATSON, BEN
To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] ADFind Query Have a look at Dean's SchemaDiff on the download page: http://www.activedir.org/Downloads/Downloads.aspx Tony -- Original Message -- From: WATSON, BEN [EMAIL PROTECTED] Reply

RE: [ActiveDir] ADFind Query

2006-08-14 Thread WATSON, BEN
* ldapdisplayname -sl or the shortcut adfind -sc sl:joeware* -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Monday

RE: [ActiveDir] ADFind Query

2006-08-14 Thread WATSON, BEN
-schema -f name=joeware* ldapdisplayname -sl or the shortcut adfind -sc sl:joeware* -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Monday, August 14

RE: [ActiveDir] Weak AD passwords

2006-08-09 Thread WATSON, BEN
It seems that Cain & Abel development has picked up greatly since LC5 was discontinued and seems to offer all the features of LC5 and more. Check out the list of network security tools that the creator of NMAP has developed. Cain & Abel is #9. http://sectools.org/ And

RE: [ActiveDir] Weak AD passwords

2006-08-09 Thread WATSON, BEN
I think you might mean the storing of LM hashes for compatibility with extremely old operating systems. When using LM Hash your password at most will consist of 14 characters, while that's a good length, the worst part is it is broken up into two 7 character strings. (At

RE: [ActiveDir] Granting Exchange Mailbox Access

2006-08-03 Thread WATSON, BEN
] On Behalf Of WATSON, BEN Sent: Wednesday, August 02, 2006 5:46 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Granting Exchange Mailbox Access In an effort to cut down on service account abuse, I've been removing and reducing privileges left and right. I have delegated Exchange Full

RE: [ActiveDir] Granting Exchange Mailbox Access

2006-08-03 Thread WATSON, BEN
:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Wednesday, August 02, 2006 5:46 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Granting Exchange Mailbox Access In an effort to cut down on service account abuse, I've been removing and reducing privileges left and right. I have

RE: [ActiveDir] Granting Exchange Mailbox Access

2006-08-03 Thread WATSON, BEN
-As at the Exchange Org level, and if not whether it's getting overridden by an explicit Allow further down the hierarchy. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Thursday, August 03, 2006 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir

[ActiveDir] Granting Exchange Mailbox Access

2006-08-02 Thread WATSON, BEN
In an effort to cut down on service account abuse, I've been removing and reducing privileges left and right. I have delegated Exchange Full Administrator rights to a few users who had previously been using the service account we originally installed Exchange 2003. Sometimes, the

RE: [ActiveDir] Remove Defunct domains..

2006-08-02 Thread WATSON, BEN
: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Wednesday, August 02, 2006 6:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remove Defunct domains.. You can remove the orphaned domains through NTDSUTIL. Doing a metadata cleanup. From: [EMAIL

RE: [ActiveDir] OT: XP exploit

2006-08-01 Thread WATSON, BEN
Interesting exploit. Although I think this might not be new. I fired up a somewhat old Windows XP VM I had to test it, and despite the fact that standard users had permissions to read & execute AT.EXE, they were still denied access. Same deal on my company workstation which is absolutely up to

RE: [ActiveDir] W2K3 Upgrade Domain Controller or Exchange Servers?

2006-07-31 Thread WATSON, BEN
Hi Nate, Just in case you hadn't seen this before, you might want to keep your eye on this KB article. http://support.microsoft.com/kb/314649 Good luck with your upgrade! ~Ben From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF

RE: [ActiveDir] Question on restricted group policy.

2006-07-27 Thread WATSON, BEN
Is there a way to set a restricted group membership, yet allow for additional members to not be removed when the group policy is refreshed? We have a number of engineers that we grant local administrator privileges on a case by case basis, and the initial reason I dismissed the use of

RE: [ActiveDir] Question on restricted group policy.

2006-07-26 Thread WATSON, BEN
When I wanted to do this with my domain workstations, I simply used a group policy object to deploy a startup script that added the proper security groups to the local administrators group. If I wanted to then remove these groups, I would simply edit the script and switch the /add to a

[ActiveDir] Test Environments

2006-07-25 Thread WATSON, BEN
I was hoping to get some input from some of you to better understand how you handle the design of test environments for application testing. For example, I built a so-called Offnet which is a duplicate of our production domain. We have a couple domain controllers restored from tape backup,

RE: [ActiveDir] Test Environments

2006-07-25 Thread WATSON, BEN
and other items which can affect multiple tests that are ongoing occur, the relevant persons can be notified so if they need to reschedule their testing or adjust their testing schedule, they can. On 7/25/06, WATSON, BEN [EMAIL PROTECTED] wrote: I was hoping to get some input from some of you

RE: [ActiveDir] Enumerating Group type and Mebership...

2006-07-25 Thread WATSON, BEN
Ugh, this sounds exactly like the SOX audit our company is currently going through. People asking for reports and screenshots of things they simply don't understand. It's a joy. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves Sent: Tuesday, July 25,

RE: [ActiveDir] OT: Interview Techniques

2006-07-24 Thread WATSON, BEN
Byron, I thought you might find this a good read. It's an e-mail from Joe Richards (author of the Active Directory O'Reilly book). He's talking about why a tech lead (architect here at AppSig) should definitely be a separate role from an actual manager. Much like I would rather hit

RE: [ActiveDir] OT: Interview Techniques

2006-07-24 Thread WATSON, BEN
Well, that was a forwarded e-mail gone wrong. Just ignore my inability to properly replace the TO field with the appropriate e-mail address. L From: WATSON, BEN Sent: Monday, July 24, 2006 8:43 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] OT: Interview

RE: [ActiveDir] Forestprep Failure

2006-07-19 Thread WATSON, BEN
adfind -sc scontainsl:uid is the easiest. Or use dsquery or ldp with the base set to the schema and pass the following filter. (&(objectcategory=classschema)(maycontain=uid)) The above tries to do a search for classes where the maycontain attribute contains uid. HTH M@ On 7/19/06, WATSON, BEN [EMAIL

RE: [ActiveDir] Forestprep Failure

2006-07-19 Thread WATSON, BEN
have offered. It's been invaluable for my first time domain upgrade. ~Ben -Original Message- From: WATSON, BEN Sent: Wednesday, July 19, 2006 9:28 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Forestprep Failure Thank you to both Matheesha and Steve, this worked very

RE: [ActiveDir] Forestprep Failure

2006-07-18 Thread WATSON, BEN
or issues arise and fully testing before doing any of this in production. Thanks, -Steve From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Thursday, July 06, 2006 4:34 PM To: ActiveDir@mail.activedir.org; Mathieu CHATEAU Subject: RE: [ActiveDir

RE: [ActiveDir] Forestprep Failure

2006-07-18 Thread WATSON, BEN
for classes where the maycontain attribute contains uid. HTH M@ On 7/19/06, WATSON, BEN [EMAIL PROTECTED] wrote: Hello all, I am at the point where I now have a smooth running Windows 2003 forest and domain with the one exception of the UID attribute which I bypassed thanks to the hidden

RE: [ActiveDir] Forestprep Failure

2006-07-18 Thread WATSON, BEN
are finished and of course as always test your procedure in a test environment to ensure success in production. Thanks, -Steve From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Tuesday, July 18, 2006 7:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir

RE: [ActiveDir] Moving a Certificate Authority

2006-07-14 Thread WATSON, BEN
@mail.activedir.org Subject: Re: [ActiveDir] Moving a Certificate Authority Please run "certutil -ds cert-ds.txt" and send us ( or me ) the text file. steve - Original Message - From: WATSON, BEN To: ActiveDir@mail.activedir.org Sent: Thursday, July 13, 2006 1:42 PM S

RE: [ActiveDir] Log On To...

2006-07-13 Thread WATSON, BEN
I can't think of a group policy that would override this. Is it possible that when you checked the user account after you had made the changes that you hadn't waited for the replication to take place? You may have made the changes on DC1, and when the user account attempted to log in, it may

RE: [ActiveDir] Moving a Certificate Authority

2006-07-13 Thread WATSON, BEN
. my .02 steve - Original Message - From: WATSON, BEN To: ActiveDir@mail.activedir.org Sent: Tuesday, July 11, 2006 3:08 PM Subject: [ActiveDir] Moving a Certificate Authority As part of my on-going journey into upgrading a 2000 domain to 2003, Iv

RE: [ActiveDir] Moving a Certificate Authority

2006-07-12 Thread WATSON, BEN
just wanted to make sure you knew this. So, in the future, you don't have to worry about removing\moving the CA in order to upgrade DC's steve - Original Message - From: WATSON, BEN To: ActiveDir@mail.activedir.org Sent: Tuesday, July

RE: [ActiveDir] Moving a Certificate Authority

2006-07-12 Thread WATSON, BEN
:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Tuesday, July 11, 2006 6:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Moving a Certificate Authority And will it ever be a slooow 2k3 machine indeed. After continuing to do some reading and researching, it does appear

RE: [ActiveDir] OT: Free Virtual PC

2006-07-12 Thread WATSON, BEN
Thanks for the heads up on this. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, July 12, 2006 8:22 AM To: ActiveDir.org Subject: [ActiveDir] OT: Free Virtual PC If anyone cares,

RE: [ActiveDir] Moving a Certificate Authority

2006-07-12 Thread WATSON, BEN
or something terrible like that. Then if you want you could move it from that 2003 server to another 2003 server, or you could just leave it where it is. Kevin Brunson From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Tuesday, July 11, 2006 6:05 PM

[ActiveDir] Moving a Certificate Authority

2006-07-11 Thread WATSON, BEN
As part of my on-going journey into upgrading a 2000 domain to 2003, I've run into the issue of moving the Certificate Authority on one of the original domain controllers to a new Windows 2003 domain controller. I have found a couple KB articles that seem to put me down a good path, but

RE: [ActiveDir] Moving a Certificate Authority

2006-07-11 Thread WATSON, BEN
. my .02 steve - Original Message - From: WATSON, BEN To: ActiveDir@mail.activedir.org Sent: Tuesday, July 11, 2006 3:08 PM Subject: [ActiveDir] Moving a Certificate Authority As part of my on-going journey into upgrading a 2000 domain to 2003

[ActiveDir] Forestprep Failure

2006-07-06 Thread WATSON, BEN
I am working to perform a domain upgrade from 2000 to 2003 R2 and I am running into problems right from the start when attempting an ADPREP /FORESTPREP. The domain also has Exchange 2003 running as well. Also, we have never extended the schema with Services for Unix 2.0 which I know can

RE: [ActiveDir] Forestprep Failure

2006-07-06 Thread WATSON, BEN
SMS 2003 in our environment with the schema extended of course. ~Ben From: Mathieu CHATEAU [mailto:[EMAIL PROTECTED] Sent: Thursday, July 06, 2006 11:21 AM To: WATSON, BEN Cc: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Forestprep Failure Hello BEN, are you

RE: [ActiveDir] Forestprep Failure

2006-07-06 Thread WATSON, BEN
installed? Do you run Schema Admins Empty? Mark From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN Sent: 06 July 2006 21:13 To: Mathieu CHATEAU Cc: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Forestprep Failure Hello Mathieu, Yes, we run a fairly simple

RE: [ActiveDir] Forestprep Failure

2006-07-06 Thread WATSON, BEN
Outstanding response Steve! That was far more than I could have ever expected. I "almost" wish I had not taken a vacation day tomorrow just to see if your instructions will work! I'll certainly work on this Monday morning and let you know if I