RE: [ActiveDir] Vertual Active Directory in production enviroment ?

2006-02-21 Thread Jensz, Travis
When you shut down a VM DC, you don't have the hardware clock keeping the
system time more-or-less accurate.  When you start the thing up I kinda
like the idea of having vmware sort its time out long before Windows
even knows what's going on, otherwise you're relying on the windows time
service which starts after the OS.

Also, I'd imagine the vmware tools would be somewhat more aware of the
fact that a VM guest will constantly lose small amounts of time, whereas
I'm guessing the windows time service would assume that it doesn't need
constant adjustments.  I don't know this for sure, so I kinda get the
feeling I'm going to be corrected here  :)

Cheers,
Travis

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: 21 February 2006 15:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vertual Active Directory in production
enviroment ?

Hi Travis. Why would you set the DC VMs to time synch with the hosts
instead of an outside source? 
Thanks...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Jensz, Travis
> Sent: Tuesday, February 21, 2006 2:30 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Vertual Active Directory in 
> production enviroment ?

> I'd recommend giving the time service config a lot of 
> thought... best to have all VM guests sync'ing with their 
> hosts, and the hosts sync'ing with some reliable source (but 
> not the DCs, since they'll be VM guests).  You'll probably 
> still want all the other clients to be able to time sync with 
> the VM DCs so you can't just disable the windows time service 
> altogether, but you can put it into 'server only' mode which 
> will still provide the service to the clients, but it won't 
> try and sync its own clock (leave that to the vmware tools).  
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


This message has been scanned for viruses by MailControl - (see
http://bluepages.wsatkins.co.uk/?4318150)


This email and any attached files are confidential and copyright protected. If 
you are not the addressee, any dissemination of this communication is strictly 
prohibited. Unless otherwise expressly agreed in writing, nothing stated in 
this communication shall be legally binding.


RE: [ActiveDir] Vertual Active Directory in production enviroment ?

2006-02-21 Thread Jensz, Travis



Yep, we have 50-odd virtual 2003 SP1 DCs in our production environment,
mixture of ESX and GSX spread across 40-odd sites, with roughly 10k users.
Generally speaking it seems to be working well, but then again we haven't
finished decommissioning all the physical servers yet.

I'd recommend giving the time service config a lot of thought... best to
have all VM guests sync'ing with their hosts, and the hosts sync'ing with
some reliable source (but not the DCs, since they'll be VM guests).  You'll
probably still want all the other clients to be able to time sync with the
VM DCs so you can't just disable the windows time service altogether, but
you can put it into 'server only' mode which will still provide the service
to the clients, but it won't try and sync its own clock (leave that to the
vmware tools).  We have one lingering intermittent problem which we haven't
figured out yet... when the GSX host has been rebooted and the GSX guests
are starting up again, sometimes they're an hour behind.  This obviously
causes a few problems for AD.

Another problem is the fact that Microsoft don't officially support it -
they offer 'best effort' style support.  Personally, I don't really consider
it a major problem, because at the end of the day that's all they really
offer anyway.  Even if you're on a fully supported platform, there's no
guarantee they'll be able to fix any problem you throw at them.  Been there
before...
 
Cheers,
Travis


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sem 3
Sent: 21 February 2006 09:08
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Vertual Active Directory in production enviroment ?

Hi Guys

We are considering virtualising our production Active Directory
infrastructure.  About 40 DCs, 2003 SP1, spread across 5 sites, 60k+ users.
VMware ESX server is the intended platform.

Has anyone any experience doing this?  Any stories to share?  Gotchas?

I'll feed back any conclusions to the list for info :)

Cheers

Max
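
The 'server only' arrangement described in this thread (the Windows Time service still answers clients but no longer adjusts the DC's own clock, which is left to VMware Tools), as an added example that is not from any poster. It assumes the NoSync registry approach and an elevated PowerShell session on the DC; the reference host name is a placeholder.

```powershell
# Added example (not from the thread): put the Windows Time service on a
# virtualised DC into "server only" mode. It keeps serving time to domain
# members but stops disciplining its own clock (left to VMware Tools).
# Assumption: run from an elevated session on the DC itself.

$w32time = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

$wanted = @(
    # Type = NoSync: do not sync from the domain hierarchy or an NTP peer
    @{ Path = "$w32time\Parameters";              Name = 'Type';    Value = 'NoSync' },
    # NtpClient off: the service never adjusts the local clock itself
    @{ Path = "$w32time\TimeProviders\NtpClient"; Name = 'Enabled'; Value = 0 },
    # NtpServer on: clients can still get their time from this DC
    @{ Path = "$w32time\TimeProviders\NtpServer"; Name = 'Enabled'; Value = 1 }
)

foreach ($s in $wanted) {
    # Read the current value first so every change is visible and revertible.
    $old = (Get-ItemProperty -Path $s.Path -Name $s.Name).($s.Name)
    if ($old -ne $s.Value) {
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value
        Write-Host ("{0}\{1}: {2} -> {3}" -f $s.Path, $s.Name, $old, $s.Value)
    }
}

# Have the running service re-read its configuration.
w32tm /config /update

# Compare the guest clock with an independent reference after a host reboot.
# An hour of drift, as on the GSX guests in the thread, is far outside the
# default 5-minute Kerberos clock-skew tolerance.
$reference = 'timehost.example.com'   # placeholder, not from the thread
w32tm /stripchart /computer:$reference /samples:3 /dataonly
```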



RE: re[2]: [ActiveDir] Getting computer name from a username

2005-12-02 Thread Jensz, Travis
This is a bit of an old way of doing things, but if the client machines are
running the messenger service and they're registering with WINS, it'll
register the userid into the WINS database with the IP address of the
machine they've logged onto.

If not, I'd do the scripting thing - but send it to a database.

Travis

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: 01 December 2005 14:17
To: ActiveDir@mail.activedir.org
Subject: RE: re[2]: [ActiveDir] Getting computer name from a username
Importance: Low

Hi Shane

Ah, you are looking the other way round. Sorry, I'm not aware of anything
stored in the AD on this info.

You could though, as a stupid workaround method, create a simple batch file -
attach it to all users via GPO logon script - things like below

@echo off
Echo [%date% %time%]: [EMAIL PROTECTED] logged on >> \\yourdomain.com\netlogon\pclist.txt

Run it in a week and you have that list of users... again, this isn't something
fun to be done.


Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shane De Jager
Sent: Thursday, December 01, 2005 12:08 PM
To: ActiveDir@mail.activedir.org
Subject: re[2]: [ActiveDir] Getting computer name from a username

> nt\currentversion\winlogon" /v defaultusername <

That's not exactly what I was looking for. I have no idea what computer
the user has logged onto. Can you get this from his username?



--
Shane De Jager
Technical Developer

INTERGAGE
High-performance, updateable Web sites

Switchboard   +44 (0)845 456 1022
==
www.intergage.co.uk
[EMAIL PROTECTED]

Are you aware of our referral scheme? Learn how you could profit personally
from passing us leads.

Click here to pass a referral: www.intergage.co.uk/referrals


RE: [ActiveDir] OT: Legato Replistor

2005-11-09 Thread Jensz, Travis
Don't get me wrong, by all means get in there and test it out (I'm doing
exactly that right now), but I think it'd be a little foolish to bank on
a product which hasn't even had its first release yet when there are others
out there which have already had a few years to mature.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 08 November 2005 15:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Legato Replistor

>>>Give it at least six months for the initial problems to be ironed out
first...remember the pain of early Windows 2000 DFS?

If there ever is a great argument FOR using DFSR "now", this is it! Rather
than waiting for an arbitrary length of "cooling off" period, you ought to
get in there now and test it out and see what works and what does not work
for you - you have a better chance of effecting changes to the final product
at this point, and you get the benefit of actually knowing and understanding
the product better than you otherwise would.

Moreso, it gives you a true understanding of its capabilities well before
the Marketing spiel hits the airwaves and starts clouding your judgment. If
you use it now, you will get the technical angle, and you will be less
susceptible to some attractive jargons coined up by people like me whose
very existence will depend on getting you to implement - I will have all the
ammo then and you will have nothing but a whimpering "I just want to wait a
while." :).
You noticed how Guido shredded my "Quantum Leap" theory, didn't you?
 
That's what I mean.
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

____

From: [EMAIL PROTECTED] on behalf of Jensz, Travis
Sent: Tue 11/8/2005 3:00 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] OT: Legato Replistor



We've recently used RepliStor for our 2000 to 2003 migration, and now we're
using it to maintain a hot spare at some of our larger sites.  Generally
speaking it's pretty good, and when everything's running well it transmits
data surprisingly quick - I haven't bothered yet trying to prove whether or
not it actually does replicate data on something more granular than a per
file basis, but it's pretty quick.  The main problem we had with it came
down to a conflict with the AV software on the target machine.  Since we're
only replicating one-way (and RepliStor is locking the target data for us)
we simply disabled AV on the target and we'll just enable it again if we
ever lose the live server.  However, it sounds like you plan to replicate
data around in a multi-master scenario, so disabling AV isn't really an
option... not sure how you'd get around it... maybe their support guys will
be able to help you out.  Also, all of our replication so far has been over
LAN connections, so our experience with the software has very much been a
best case scenario.  We'll be tackling WAN replication some time soon.

I'm sure the following applies to most data replication software, not just
RepliStor, but here are a few things which caused us pain:

- antivirus!!
- switches with QoS enabled
- files which had the offline attribute set
- buffer area filling up

As for DFSR, I wouldn't dream of using it the day it hits the shelf.  Give
it at least six months for the initial problems to be ironed out first...
remember the pain of early Windows 2000 DFS?

Travis


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: 07 November 2005 21:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Legato Replistor

I've been doing various tests myself and while I wouldn't say a DFSR is a
quantum leap from Double-Take, I'd certainly agree that it is when compared
to FRS. Maybe even two leaps...  Certainly something that I consider one of
the main benefits of R2.

But besides all the talk on the file replication improvements, you should
also not lose focus on the various benefits of the updated core DFS itself.

Here are my favorite changes of DFS/DFSR (other than dramatically improving
repl. performance and efficiency):

· new object type "Folders" to create Link-Hierarchy within the same DFS
  root
· powerful options to configure Target priority (handling of link target
  referrals) outside of client's site (links within client's site will always
  be listed first in referral list)
    ○ Random Order
    ○ Lowest Cost
    ○ Exclude Targets outside client's site
    ○ special Failback option: Clients can be configured to fail back
      to preferred target (requires special hotfix - only

RE: [ActiveDir] OT: Legato Replistor

2005-11-08 Thread Jensz, Travis
We've recently used RepliStor for our 2000 to 2003 migration, and now we're
using it to maintain a hot spare at some of our larger sites.  Generally
speaking it's pretty good, and when everything's running well it transmits
data surprisingly quick - I haven't bothered yet trying to prove whether or
not it actually does replicate data on something more granular than a per
file basis, but it's pretty quick.  The main problem we had with it came
down to a conflict with the AV software on the target machine.  Since we're
only replicating one-way (and RepliStor is locking the target data for us)
we simply disabled AV on the target and we'll just enable it again if we
ever lose the live server.  However, it sounds like you plan to replicate
data around in a multi-master scenario, so disabling AV isn't really an
option... not sure how you'd get around it... maybe their support guys will
be able to help you out.  Also, all of our replication so far has been over
LAN connections, so our experience with the software has very much been a
best case scenario.  We'll be tackling WAN replication some time soon.

I'm sure the following applies to most data replication software, not just
RepliStor, but here are a few things which caused us pain:

- antivirus!!
- switches with QoS enabled
- files which had the offline attribute set
- buffer area filling up
 
As for DFSR, I wouldn't dream of using it the day it hits the shelf.  Give
it at least six months for the initial problems to be ironed out first...
remember the pain of early Windows 2000 DFS?
 
Travis 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: 07 November 2005 21:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Legato Replistor

I've been doing various tests myself and while I wouldn't say a DFSR is a
quantum leap from Double-Take, I'd certainly agree that it is when compared
to FRS. Maybe even two leaps...  Certainly something that I consider one of
the main benefits of R2.

But besides all the talk on the file replication improvements, you should
also not lose focus on the various benefits of the updated core DFS itself.

Here are my favorite changes of DFS/DFSR (other than dramatically improving
repl. performance and efficiency):

· new object type "Folders" to create Link-Hierarchy within the same DFS
  root
· powerful options to configure Target priority (handling of link target
  referrals) outside of client's site (links within client's site will always
  be listed first in referral list)
    ○ Random Order
    ○ Lowest Cost
    ○ Exclude Targets outside client's site
    ○ special Failback option: Clients can be configured to fail back
      to preferred target (requires special hotfix - only available for
      XP SP2)
    ○ availability of options depends on special OS and AD additions
      (e.g. although mixing OS versions is possible, if domain controllers
      or root servers are running Windows Server 2003 without the release
      candidate version of SP1, they cannot provide referrals that support
      target priority or client failback)

· Replication possible with standalone DFS root (not only domain based), but
  clients must be members of an AD domain
· Replication allows you to specify the bandwidth to be used
· differentiates between Replication Group and Content Set
    ○ Replication Group:
        * set of servers/members that participate in replication of
          content sets
    ○ Content Set:
        * folder that's kept synchronized on each member
        * does not need to be a shared folder (can be normal local folder
          on a member server - good for collecting logs etc.)
        * does not need to be part of a DFS namespace
/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sonntag, 6. November 2005 09:39
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Legato Replistor

It will actually transmit something like 10K - because of the tight
compression. Or, to put it another way - in the 25Mb file scenario, the new
file will get to the other side using DFSR on 2 sites connected by dialup
before it gets to the other side using FRS on 2 sites connected by T1.

There are various "this-can't-be-true" unbelievable replication magics going
on here. I used to use Double-Take (from NSI) and used to think they were
doing black magic because of their compression and diff replication. DFSR
appears to be a quantum leap from that. I just had the pleasure of running
through some tests this week, following a 35meg .wmv file I downloaded from
the DFSR Beta site. It's truly eye-popping.
 
Let him join the beta - or download it and play with it. I don't think
describing it will do justice to its capabilities.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now