RE: [ActiveDir] Changing Logon server authentication !!

2007-01-28 Thread Almeida Pinto, Jorge de
check the SITES and SUBNETS configuration...make sure the subnet of the Citrix servers is defined in AD and assigned to the correct site. also make sure the server (DC) B has not registered service records for the site of the Citrix servers. This can happen when that site initially does not

RE: [ActiveDir] remove orphan DC from the domain

2007-01-26 Thread Almeida Pinto, Jorge de
. --Paul - Original Message - From: Almeida Pinto, Jorge de [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, January 26, 2007 7:05 AM Subject: RE: [ActiveDir] remove orphan DC from the domain I forgot to mention: * If the DC that died had FSMO roles, you need to seize them

RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-26 Thread Almeida Pinto, Jorge de
it will go for the second site 10.10.41.0/24 (= best matching) Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 (

RE: [ActiveDir] remove orphan DC from the domain

2007-01-25 Thread Almeida Pinto, Jorge de
the AD metadata cleanup is nothing more than removal/deletion of objects that belong to a DC that is not live anymore. Just like other object deletions (user, group, etc) the deletions will replicate to other DCs (assuming replication is working fine) that host the same partitions from

RE: [ActiveDir] remove orphan DC from the domain

2007-01-25 Thread Almeida Pinto, Jorge de
it will do automatically. Regards, Senthil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Friday, January 26, 2007 5:10 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] remove orphan DC from

RE: [ActiveDir] AD Security Auditing

2007-01-23 Thread Almeida Pinto, Jorge de
Hi, Have a look at: * http://www.kouti.com/adreport/ (not free) * ACLReport.vbs v1.01 (free - http://www.kouti.com/scripts.htm) ACLReport.vbs v1.01 This script creates an HTML file named ACLReport.htm, that contains all the ACLs of a given Active Directory tree. By modifying three lines in the

RE: [ActiveDir] Replication Problem !!

2007-01-18 Thread Almeida Pinto, Jorge de
see: http://blogs.dirteam.com/blogs/jorge/archive/2006/05/08/Lingering-objects.aspx Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel :

RE: [ActiveDir] adminsdholder

2007-01-16 Thread Almeida Pinto, Jorge de
setting the attribute to 0 only will not help to stop the adminsdholder from managing a certain group/user you either: * remove it from a protected group, check inheritance and reset admincount to not set * configure dsheuristics (forest-wide config) as mentioned in

RE: [ActiveDir] adminsdholder

2007-01-16 Thread Almeida Pinto, Jorge de
either explicit or inherited permissions will be replaced by the permissions defined on the adminsdholder object so if re-applying inheritance is not enough... you would need to define explicit defined permissions... for the default perms you can use the DEFAULT button and all custom

RE: [ActiveDir] R2 Schema

2007-01-14 Thread Almeida Pinto, Jorge de
: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Saturday, January 13, 2007 4:42 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] R2 Schema the AD schema is (must be) extended with the R2 stuff when either

RE: [ActiveDir] R2 Schema

2007-01-13 Thread Almeida Pinto, Jorge de
and thanks to you and Hunter which sent me the link to the DFS requirements...I now understand more on the requirements. Thank you all for your help. Really do appreciate it. -vC From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto

RE: [ActiveDir] DC Locator process\Site Topology

2007-01-12 Thread Almeida Pinto, Jorge de
aware once the client discovers there is no DC on its own subnet the dsgetsite api sends a DNS query for the SRV _LDAP._tcp.dc._msdcs.domainname, i.e. give me a DC that is responsible for the X domain. DC should then inform the client, based upon the IP information that the client

RE: [ActiveDir] R2 Schema

2007-01-12 Thread Almeida Pinto, Jorge de
although the file servers are R2 because of the use of DFS-R (new replication mechanism), you MUST extend the AD schema so that the DFS-R information can be stored in AD Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server -

RE: [ActiveDir] Seized Roles - Flatten DC?

2007-01-11 Thread Almeida Pinto, Jorge de
Also see: http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/373.aspx from: http://support.microsoft.com/?id=255504 A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should

RE: [ActiveDir] Seized Roles - Flatten DC?

2007-01-11 Thread Almeida Pinto, Jorge de
Roles - Flatten DC? On 11/01/07, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: Also see: http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/373.aspx from: http://support.microsoft.com/?id=255504 Thanks Jorge, Nothing about three days of darkness or locusts or the massacre of first-borns

RE: [ActiveDir] IIS install

2007-01-11 Thread Almeida Pinto, Jorge de
As of w2k3 there is a setting that prevents the installation of IIS, when enabled of course... Computer configuration\Administrative Templates\Windows Components\Internet Information Services\Prevent IIS Installation = [ENABLED | DISABLED] -Original Message- From: [EMAIL PROTECTED]

RE: [ActiveDir] Domain Admin

2007-01-10 Thread Almeida Pinto, Jorge de
If he just needs administrative equivalent permissions on THOSE TWO MEMBER SERVERS you can put his account into the local administrators group of each server...If he is logged on, tell him to log out and log on AFTER you have added his account to the groups. DOMAIN ADMIN equivalent permissions is

RE: [ActiveDir] How to change login authentication

2007-01-10 Thread Almeida Pinto, Jorge de
You can't just change the authenticating DC from X to Y. A DC for authentication is located by using DNS. By default clients search for a DC that has records in DNS for their own site (DCs physically there or covering the site) and when none found a query for the DCs that have registered

RE: [ActiveDir] How to change login authentication

2007-01-10 Thread Almeida Pinto, Jorge de
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: 10 January 2007 14:39 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to change login authentication You can't just change the authenticating DC from X

RE: [ActiveDir] list logon user for the services in serveral server

2007-01-09 Thread Almeida Pinto, Jorge de
for services use a script created by Dean Wells... get it here: http://www.jadonex.com/downloads/dec/DECscripts.zip PS joe/Dean: define coming soon ;-) for scheduled tasks create a script using schtasks (w2k3) Met vriendelijke groeten

RE: [ActiveDir] AD Schema - adding an attribute

2007-01-09 Thread Almeida Pinto, Jorge de
In addition to what Brian said... If you want to get OIDs for your organization to use in productive environment you can get your OIDs using this page: http://msdn.microsoft.com/certification/ad-registration.asp More info:

RE: [ActiveDir] SID Deleted users remains in NTS permission.

2007-01-04 Thread Almeida Pinto, Jorge de
and to remove those orphaned SIDs you could use SUBINACL (make sure you download the latest version from the MS site) Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU

RE: [ActiveDir] Is ADAM free?

2007-01-02 Thread Almeida Pinto, Jorge de
yes, it is free... you would still need to license the OS it runs on Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 (

RE: [ActiveDir] migration help

2006-12-29 Thread Almeida Pinto, Jorge de
in your case I would suggest an UPGRADE of the domain to w2k3 AD instead of a migration to a NEW forest high-level steps are * use the W2K3 SP1 CD! * update schema (only needed to introduce w2k3 DCs, not needed for w2k3 member servers) * introduce w2k3 DCs * move stuff over from w2k DCs to

RE: [ActiveDir] migration help

2006-12-29 Thread Almeida Pinto, Jorge de
servers for new windows 2003 dc , instead of Ml 530 , i have to use DL G4 servers for new installation . How do i proceed. Thanks - Original Message From: Almeida Pinto, Jorge de [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, December 29, 2006 11:24:39 AM Subject

RE: [ActiveDir] Built in Security groups

2006-12-22 Thread Almeida Pinto, Jorge de
easy... say something like: you cannot delete built-in groups/accounts ;-) that should silence the guys and gals above! ;-) Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V.

RE: [ActiveDir] Built in Security groups

2006-12-22 Thread Almeida Pinto, Jorge de
- Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de Sent: Fri 2006-12-22 17:29 To: ActiveDir

[ActiveDir] WAY OT - BUT LOTS OF FUN: someboby's a$$ got fried ;-)

2006-12-21 Thread Almeida Pinto, Jorge de
this is fun.. ;-) http://www.gilsblog.com/index.cfm?commentID=93 http://www.gilsblog.com/index.cfm cheers, Jorge PS.: sorry Gil! ;-) Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services

RE: [ActiveDir] DFS-R replication through a firewall

2006-12-21 Thread Almeida Pinto, Jorge de
@mail.activedir.org Subject: Re: [ActiveDir] DFS-R replication through a firewall We open port 135 for our subnets only. We made changes to registry to force high ports through a range and open those ports in firewall policy. -Z.V. Almeida Pinto, Jorge de wrote: Hi Everyone, I assume everyone knows

RE: [ActiveDir] OT: DSGET/DSQUERY

2006-12-20 Thread Almeida Pinto, Jorge de
It should work, I just tried it myself. jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter Sent: Wednesday, 20 December 2006 10:22 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: DSGET/DSQUERY Hello, Windows 2003

RE: [ActiveDir] New subdomain

2006-12-20 Thread Almeida Pinto, Jorge de
Don't know what is described in there but things to take care of are: * Domain Functional Level * DNS zone delegations for the new domain * Forwarding from the new child domain up the tree * Anonymous access configuration during creation * OU structure * GPO structure * delegation of control * etc.

[ActiveDir] DFS-R replication through a firewall

2006-12-20 Thread Almeida Pinto, Jorge de
Hi Everyone, I assume everyone knows about: How to restrict FRS replication traffic to a specific static port http://support.microsoft.com/kb/319553 I was wondering about the configuration for DFS-R. Does anyone have experience with that working through a firewall? (instead of opening 135 and

RE: [ActiveDir] AdminSDHolder orphans

2006-12-18 Thread Almeida Pinto, Jorge de
? My first thought would be YES, it should reverse the changes it made previously...on the other side...why doesn't it already? there is a script...2003 is the second AD version... so I suspect something else might be the reason why it does not do it adminSDHolder sets the list you mention

RE: [ActiveDir] Vista GPO

2006-12-15 Thread Almeida Pinto, Jorge de
Yes... * No more SYSVOL bloat as all Administrative Templates are stored in a central location * For domain environments a central store can be created so that ADMX/ADML files are NOT stored (which is the default) with EACH GPO (for both local and domain). * Results in

RE: [ActiveDir] Join a Domain

2006-12-11 Thread Almeida Pinto, Jorge de
? why is this service record not DOMAIN related? (or am I missing something here) _ldap._tcp.dc._msdcs.server-2.blackstallions.com.sa ^^^ what is SERVER-2? is that a domain? or a DC? Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida

RE: [ActiveDir] DFS vs Robocopy question

2006-12-06 Thread Almeida Pinto, Jorge de
I prefer DFS over Robocopy as DFS stores its information in a central location.. Active Directory ;-)) I would go for DFS replicated with DFS-R, which is available on R2 servers. DFS-R is so much cooler when compared with NTFRS. For example DFS-R ONLY replicates changes whereas NTFRS replicates

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Almeida Pinto, Jorge de
:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, December 05, 2006 2:25 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Is it possible to determine who created an AD object? ? can you explain? Met

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Almeida Pinto, Jorge de
this? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, December 05, 2006 12:53 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Is it possible to determine who created an AD object

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Almeida Pinto, Jorge de
object? Test what I wrote in my other response. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, December 05, 2006 2:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Almeida Pinto, Jorge de
] Reply-To: ActiveDir@mail.activedir.org Date: Tue, 05 Dec 2006 13:44:47 -0500 Have you tested this? _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, December 05, 2006 12:53 PM To: ActiveDir@mail.activedir.org Subject: RE

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Almeida Pinto, Jorge de
PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, December 05, 2006 3:53 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Is it possible to determine who created an AD object? ? just like I wrote it and tony confirmed

RE: [ActiveDir] Tombstone.

2006-12-04 Thread Almeida Pinto, Jorge de
are you asking if it is possible to undelete a tombstone which was created when an object was deleted? Well, yes it is possible. When an object is deleted almost all of its attributes are lost except several important attributes. Undeleting the object will not return the values of those

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-04 Thread Almeida Pinto, Jorge de
look at the owner if it lists ADMINISTRATORS, you might wanna change the security option in the default DCs GPO which is called: system objects: default owner for objects created by members of the administrators group Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-04 Thread Almeida Pinto, Jorge de
of the directory objects. Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Monday, December 04, 2006 4:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Is it possible

RE: [ActiveDir] How to completely isolate a DC?

2006-11-17 Thread Almeida Pinto, Jorge de
can you describe the type of change? DCs have two types of replication mechanisms...AD replication and FRS replication. For example disabling outbound AD replication does NOT disable FRS replication Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure

RE: [ActiveDir] OT: Exchange 2000 to 2003 - upgrade by running in parallel.

2006-11-17 Thread Almeida Pinto, Jorge de
and don't forget: * MS-KBQ555262_Common Mistakes When Upgrading Exchange 5.5-2000 To a Exchange 2003 (http://support.microsoft.com/?id=555262) * MS-KBQ822942_Considerations When You Upgrade to Exchange Server 2003 (http://support.microsoft.com/?id

RE: [ActiveDir] How to completely isolate a DC?

2006-11-17 Thread Almeida Pinto, Jorge de
did you raise it on the DC WITH the PDC FSMO role or just a DC? raising the DFL -- contacts the PDC FSMO raising the FFL -- contacts the schema master FSMO jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Wang Sent:

RE: [ActiveDir] How to completely isolate a DC?

2006-11-17 Thread Almeida Pinto, Jorge de
the question is what replication mechanism does it use in terms of DFL change? Through FRS? From the test lab, the change replicated to other DCs immediately. Is this some kind of Urgent Replication? Andy On 11/17/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: can you

RE: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-15 Thread Almeida Pinto, Jorge de
http://blogs.dirteam.com/blogs/jorge/archive/2006/11/15/Finding-unused-GPOs.aspx Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel :

RE: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-15 Thread Almeida Pinto, Jorge de
: [ActiveDir] Locating empty GPOs in a domain / forest Thanks horhay :-^ I'd found the GPMC script but your extra logic is very useful :) neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: 15 November 2006 12:19

RE: [ActiveDir] Password Police Question on Forest-ChildDomain relationship

2006-11-13 Thread Almeida Pinto, Jorge de
What passwords are you talking about? For which accounts? It will not let you change the password as the policy mentions: at least 1 day old Password policies are not defined in the default domain controllers policy, but in the default domain policy Cheers, jorge From:

RE: [ActiveDir] Timeout period on object moves?

2006-11-13 Thread Almeida Pinto, Jorge de
Can you explain the steps you've taken? Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile :

RE: [ActiveDir] Help with Replication Mess

2006-11-12 Thread Almeida Pinto, Jorge de
point DCB1 to another DNS server and see what happens cheers, jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Friday, November 10, 2006 21:40 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Help with Replication Mess Hi -

RE: [ActiveDir] [Semi-OT] AD Integrated DNS entries

2006-11-08 Thread Almeida Pinto, Jorge de
maybe another option is... use joe's ADFIND and query for dnsNode objects and specifically the dnsRecord attribute. And see if you can filter differences just a wild idea Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows

RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

2006-11-07 Thread Almeida Pinto, Jorge de
if you just want to migrate the servers from one domain to the other, you can use ADMT. However... if you also need to translate data, that is another story. File based data - ADMT Print services - SUBINACL Services - SUBINACL Shares - SUBINACL Registry - SUBINACL IIS - third party SQL - third

RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

2006-11-07 Thread Almeida Pinto, Jorge de
... Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, November 07, 2006 1:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Users, Computers, and Mailboxes migrated

RE: [ActiveDir] Subnet Object Question

2006-11-05 Thread Almeida Pinto, Jorge de
Hi Brian, The following represents subnet 10.1.1.0/24, as you can see, it is used in the CN and NAME Expanding base 'CN=10.1.1.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=AD,DC=LAN'... Result 0: (null) Matched DNs: Getting 1 entries: Dn:

RE: [ActiveDir] _MSDCS changes from 2000 to 2003

2006-11-02 Thread Almeida Pinto, Jorge de
See: Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003 http://support.microsoft.com/?id=825036 cheers, jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Thursday, 2 November 2006 17:26 To:

RE: [ActiveDir] ADMT v3 Profile cleanup options

2006-10-27 Thread Almeida Pinto, Jorge de
* within the same forest -- no need to translate profiles (although different SID, GUID takes care of this) * between different forests -- profile translation is needed (different GUID and SID) you can use ADMT or any third party tool as soon as users start to use their new account you

RE: [ActiveDir] list lastlogontime for every user script

2006-10-27 Thread Almeida Pinto, Jorge de
I used Joe's tool (no sexual connotation here) because it was easy and fast never mind half of the world does it! ;-) ROTFMAO Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG

RE: [ActiveDir] sysvol replication

2006-10-22 Thread Almeida Pinto, Jorge de
. /Guido From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de Sent: Thu 10/19/2006 8:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] sysvol replication won't change until you deploy Longhorn and switch to LH DFL Guido, can you explain what you

RE: [ActiveDir] Security-enable all your distribution lists?

2006-10-21 Thread Almeida Pinto, Jorge de
have a look at: Addressing Problems Due to Access Token Limitation http://www.microsoft.com/downloads/details.aspx?FamilyID=22dd9251-0781-42e6-9346-89d577a3e74a&DisplayLang=en#filelist http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&DisplayLang=en

RE: [ActiveDir] Vista WMI

2006-10-19 Thread Almeida Pinto, Jorge de
joe, if you are talking about the "operatingSystem" attribute in AD, well, it depends Using the latest available builds here... if OS="Longhorn" and serverRole="writable DC" and media="Full Install" then "operatingSystem" attribute DOES NOT contain special characters if OS="Longhorn"

RE: [ActiveDir] sysvol replication

2006-10-19 Thread Almeida Pinto, Jorge de
The addition/change of an ACE on a folder or file is like the addition/change of file/folder... within a site it will replicate immediately and between sites according to the schedule as soon as the replication window opens Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto

RE: [ActiveDir] sysvol replication

2006-10-19 Thread Almeida Pinto, Jorge de
won't change until you deploy Longhorn and switch to LH DFL Guido, can you explain what you mean with this? (I know SYSVOL will be replicated with DFSR as soon as DFL=W2K7 is reached) thanks jorge Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure

RE: [ActiveDir] Lingering info following domain rename with rendom

2006-10-17 Thread Almeida Pinto, Jorge de
Tony, Don't forget to rename the DCs as that is an additional action after the domain rename jorge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Tuesday, October 17, 2006 05:48 To: ActiveDir@mail.activedir.org Subject: RE:

RE: [ActiveDir] WAY WAY OT: I'm shareing the Best Kept Secret I know.

2006-10-17 Thread Almeida Pinto, Jorge de
1 nothing 2 nothing 3 nothing 4 nothing 5 nothing 6 nothing 7 nothing 8 nothing 9 nothing 10 nothing (just to be sure) ;-) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fleming, Dave (DotComm) Sent: Tuesday, October 17, 2006 15:29 Subject: [ActiveDir] I'm

RE: [ActiveDir] Forest trust divestitures

2006-10-11 Thread Almeida Pinto, Jorge de
very very true interim forests... AND another part is responsibility...first it's mine and THEN it is yours (and there is very little to nothing in between). In other words... a clear hand-over moment. although the selling company is responsible for the first phase the buying company

RE: [ActiveDir] OT: Ello!

2006-10-10 Thread Almeida Pinto, Jorge de
sh!t..he found the list...and I hoped he would never find it well... I guess it did not work when I told him it was something like edir.org ;-) Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services

RE: [ActiveDir] finding users that password never expire.

2006-10-09 Thread Almeida Pinto, Jorge de
to search for accounts that HAVE the option "DONT_EXPIRE_PASSWORD" enabled ADFIND -bit -default -f "(&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=65536))" and to use it with a saved query use as the LDAP filter:

RE: RE : RE: [ActiveDir] finding users that password never expire.

2006-10-09 Thread Almeida Pinto, Jorge de
:1.2.840.113556.1.4.803:=65536) ? Why couldn't i find any results with my first query ? And how do you construct the :1.2.840.113556.1.4.803: part of the ldap query ?? Thanks for your answer :) Yann Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: to search for accounts that HAVE the option

RE: [ActiveDir] User account deletion

2006-10-06 Thread Almeida Pinto, Jorge de
by, you really cannot find it anymore when querying AD ;-) jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Pohlschneider Sent: Friday, October 06, 2006 14:34 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] User account deletion Is

RE: [ActiveDir] what is the meaning of OT in front of the subject

2006-10-05 Thread Almeida Pinto, Jorge de
OT = Off Topic http://en.wikipedia.org/wiki/Off-topic ;-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan Sent: Thursday, October 05, 2006 15:40 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] what is the meaning of OT in front

RE: [ActiveDir] MORE OT OT: wikis

2006-10-05 Thread Almeida Pinto, Jorge de
only 10 types of people understand binary... one type does understand and the other type does not understand Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC

RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-05 Thread Almeida Pinto, Jorge de
are you by any chance trying to promote an R2 DC? If yes, use ADPREP from the SECOND CD from the R2 distribution set Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC

RE: [ActiveDir] Forest trusts

2006-10-03 Thread Almeida Pinto, Jorge de
Both forests can be connected to each other as long as within the connected environment each domain name is unique (NetBIOS and DNS)... So if you have a forest called DOMAIN.COM (NetBIOS = DOMAIN) and another forest called SUB.DOMAIN.COM (NetBIOS = SUB) you can connect them to each other and set up

RE: [ActiveDir] Forest trusts

2006-10-03 Thread Almeida Pinto, Jorge de
Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, October 03, 2006 3:47 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Forest trusts Both forests can be connected to each other as long as within the connected environment

RE: [ActiveDir] Move all OU and USERS from one forest to another forest

2006-10-03 Thread Almeida Pinto, Jorge de
Have a look at: http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/105.aspx http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/107.aspx jorge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan Sent: Tuesday, October 03, 2006 16:38

RE: [ActiveDir] Group Policy Problem

2006-10-03 Thread Almeida Pinto, Jorge de
you are experiencing morphed folders within the SYSVOL. see: MS-KBQ328492_Folder Name Is Changed to FolderName_NTFRS_ MS-KBQ290762_Using the BurFlags registry key to reinitialize File Replication Service replica sets (depending on the situation this solution may need additional

RE: [ActiveDir] Urgent DFS Configuration

2006-09-26 Thread Almeida Pinto, Jorge de
for some reason I missed this message nope that will not work in short: you can create the DFS root on any server and it does not need to be the server hosting the data. DFS root servers are servers that manage the DFS namespace (root, links) To create the root you need to have a shared

RE: [ActiveDir] SID History.

2006-09-25 Thread Almeida Pinto, Jorge de
to read on how the access token is built see: http://download.microsoft.com/download/8/f/3/8f36dfe4-47d0-4775-ad5a-5614384921aa/AccessTokenLimitation.doc authentication across domains depends if NTLM is used (external trusts) or kerberos is used (forest trusts and intra-forest transitive

RE: [ActiveDir] SID History.

2006-09-25 Thread Almeida Pinto, Jorge de
that are AD native and those groups only have memberships for the local domain, then is his token going to include his memberships from NTResourcedomain42 and NTResourcedomain78 or just his memberships which reside within addomain.com? On 9/25/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote

RE: [ActiveDir] Schema analyzer

2006-09-25 Thread Almeida Pinto, Jorge de
look at the ADAM help file and search for ADSchemaAnalyzer Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile :

RE: [ActiveDir] I'm Baaaaaaack!

2006-09-22 Thread Almeida Pinto, Jorge de
i do.. ;-) See anything "random" here: Dèjì RANDOM Akómöláfé? Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server- Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) (Tel : +31-(0)40-29.57.777 (Mobile:

RE: [ActiveDir] Urgent DFS Configuration

2006-09-22 Thread Almeida Pinto, Jorge de
a stand alone root cannot have more than 1 root server (unless on a cluster). only a domain based root can have more than one root server that is why I ask the Q below Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP

RE: [ActiveDir] Replication Metadata

2006-09-21 Thread Almeida Pinto, Jorge de
hey joe, how about ADFIND with an attribute spellchecker? ;-) Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server- Directory Services LogicaCMG Nederland B.V. (BU RTINC

RE: [ActiveDir] How are folks setting hidden user attribs?

2006-09-21 Thread Almeida Pinto, Jorge de
where is the [ActiveDir] part in the subject... (there goes my Outlook filter) ;-) for attribs not shown in the ADUC GUI, you can extend the GUI (search the archives for the MSDN link that shows how to do this) or you can add a VBS script to READ or WRITE the attribs. One of the examples can

RE: [ActiveDir] Urgent DFS Configuration

2006-09-21 Thread Almeida Pinto, Jorge de
which server hosts the stand alone root? server 1 or 2? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan Sent: Thursday, September 21, 2006 17:34 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Urgent DFS Configuration Importance: High

RE: [ActiveDir] Urgent DFS Configuration

2006-09-21 Thread Almeida Pinto, Jorge de
OK, explain the following: "I am configuring server1 with a standalone root, when asked for the host server I enter server2 " Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server- Directory Services LogicaCMG

RE: [ActiveDir] SID History.

2006-09-21 Thread Almeida Pinto, Jorge de
not sure if this is the answer to your Q (not clear what you mean), but let's give it a try... if you migrate a user with sidhistory, it will not include the group memberships of the object in the source domain just because the user's old sid is in sidhistory. if you need to have the group

RE: [ActiveDir] Assign User rights overs computers with AD

2006-09-20 Thread Almeida Pinto, Jorge de
Hi Alberto, Use the restricted groups feature in a GPO For the group ADMINISTRATORS define/dictate which groups/users MUST/SHOULD (e.g. Domain Admins, and local administrator) be in the group ADMINISTRATORS. Everyone else not defined will not be listed and if defined prior to the

RE: [ActiveDir] AD and static DNS

2006-09-20 Thread Almeida Pinto, Jorge de
Each DC has two GUIDs... * the objectGUID identifies the DC itself and is used for replication. That is also the GUID that is registered in _MSDCS. This value can be found in the attribute called objectGUID on the NTDS Settings object that is owned by the DC. This GUID is created when promoting

RE: [ActiveDir] Ad Reporting Tools

2006-09-18 Thread Almeida Pinto, Jorge de
my first and simple thought is: OLDCMP from joeware.net From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade Sent: Monday, September 18, 2006 12:04 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Ad Reporting Tools Folks, I am struggling

RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread Almeida Pinto, Jorge de
Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model]. What is being said is

RE: [ActiveDir] Any impacts to domain controller when changingits IP?

2006-09-15 Thread Almeida Pinto, Jorge de
I knew that, I just preferred him to say it for himself... ;-) (BY THE WAY: Mark, did you go to the game?) it is also possible to rename a W2K3 DC when not in DFL=W2K3 (thus DFL=W2K native/mixed) AND it is

RE: [ActiveDir] Any impacts to domain controller when changingits IP?

2006-09-14 Thread Almeida Pinto, Jorge de
have a look at: http://blogs.dirteam.com/blogs/jorge/archive/2005/11/25/165.aspx which might help you on your way Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC

RE: [ActiveDir] Any impacts to domain controller when changingits IP?

2006-09-14 Thread Almeida Pinto, Jorge de
If you want to change the computer name you need to DEMOTE the server isn't that for w2k only? (he's got w2k3) Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure

RE: [ActiveDir] Strange password issue

2006-09-07 Thread Almeida Pinto, Jorge de
Yes, there is. The password policy is checked as soon as the password entered (using characters) is written into the directory, whether it is a new password or a changed password. If a password hash is written into the directory the system cannot check if the password that generated the hash

RE: [ActiveDir] Rid Master recovery

2006-09-05 Thread Almeida Pinto, Jorge de
now) Thanks in advance "Almeida Pinto, Jorge de" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 09/04/2006 11:18 AM Please respond to ActiveDir@mail.act

RE: [ActiveDir] Rid Master

2006-09-04 Thread Almeida Pinto, Jorge de
also see: RID Master FSMO explained http://blogs.dirteam.com/blogs/jorge/archive/2006/05/25/1040.aspx cheers, jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, September 04, 2006 18:11 To: ActiveDir@mail.activedir.org Subject:
