Hi Jeff,
Concerning Exchange 2000,
Windows 2003 and the Forest functional level DON'T forget the following as
mentioned in http://support.microsoft.com/?kbid=831809 (Exchange
2000 Recipient Update Service does not replicate changes successfully in forest
functional level 1 or 2 in Windows Server 2003 Active
Directory)
Cheers
Jorge
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Kraus Sent: Friday, February 04, 2005 18:35 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest. Well Guys,
Here's what we're gonna do.
we currently have a 2000 based network (soon to move to
2003) containing 1 exchange 2000 server that is also DC( yes we are fixing that
! soon to exchange 2003) 3 SQL 2000 servers ,1 file /print
server (is primary DC as well not to worry - big box -) and a few
other member server preformin other user functions.
We are converting all these servers to from local disk
to mirrored Falcon Stor SAN Arrays. All data and programs
will reside on the san Arrays, only the os will be on the local
disk.
The arrays Will replicate real time
over a wan link to another San Arrary in an office in houston. ( the dr
site) the dir site will have 8 hp blades to function as backup servers to each
of the current servers, In addition the office will have there own file/print/dc
for their own use as well as an exchange server to host their email (these are
the 2003 boxes im setting up now)
The Idea is for a few 5-10 key users to be able to fly
to Houston and begin work within 24 hours of current buiding failure. the
rest of the users will report to a nother local site we will setup to allow them
to work via a vpn to houston.
So thats what were gonna go . I hope you get the
picture now ! :)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Thursday, February 03, 2005 3:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest. gee joe, that sounds like a really good way to cause a lot
of work. Or to harass me ;-)
I wouldn't really want to go down that road for DR purposes
- I'd rather have a good way of ensuring delayed replication and a fast
recovery option for the existing forest. Adding another forest _for
this purpose_ won't necessarily allow users from the production forest to
"easily" continue work if that one's gone for some reason (i.e. even if you get
so far as to sync users, groups and passwords, you'd still have loads of
issues due to missing ACLs and Entitlements for Filesystems and Apps
etc.)
Cheers,
Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, February 03, 2005 7:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest. I am going to throw a little monkey wrench at this one.
:o) Mostly because I like harrassing Guido.
Depending on what is meant by this being a DR site, it
might be valuable for this to have its own forest and domain. The question is,
define the disasters it is supposed to help with. If it is simply physical
location disasters, same domain/forest is fine. But if it is to also help with
the forest going toes up and you need something people can work in as fast as
possible with that time being measured in minutes, then separate forest and
domain is something to consider.
joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Monday, January 31, 2005 5:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest. ok - that puts a little different touch to your
story.
in this case (esp. as a DR site and on separate HW
with physical security in place), you're fine to host a DC in that
site.
Yes, you can add it to your 2000 domain and you've already
supplied the solution as well: you'll need to prepare the schema of the forest
via ADPREP /forestprep and then prepare the domain you'll join the DC to
via ADPREP /domainprep. If you have Exchange 2000 first apply the E2k schema fix
(read Q314649)
Check here for all the details: http://www.microsoft.com/resources/documentation/windowsserv/2003/all/deployguide/en-us/dssbf_upwn_overview.asp
But definitely don't start a new domain (for which you'd
still need to upgrade the schema) - an OU is perfectly fine for your
situation.
/Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Kraus Sent: Monday, January 31, 2005 10:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest. physical security is not an issue. locked computer room
only pt admin and manager has access. this office will eventully become a
disaster recovery location housing a bunch of blade servers and replicated
disk. The need for a domain controller is like you said -- network
connectivity and access- this office supports a few key personel
( money makers !!) so the cost of a few servers a some
2003 licenses and an exchange server is not a big deal speed and relibility
are more important.
but i'm still dealing with the question of
1: we are planning to upgrade our
headquarters the 2003 in about 3 -4 months. can we setup the
new server with 2003 as domain controllers so we won't have to upgrade them
later ? if so anything special we need to do ? IE: forest prep ? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders Sent: Monday, January 31, 2005 3:50 PM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest. Hi, I could not agree more
with Guido! The security aspect is the most important reason to go for the
suggested solution. However, there's one thing to keep in mind in this scenario
namely the trustworthiness of your network. If you're not placing a DC in the
remote location, network connectivity becomes a must to enable a user to do
his/her work. Sure, there's a thing as cached credentials on a client, but logon
on to a domain is important for a lot of services. Cheers! John Reijnders (soon to
change his e-mail address into a MSFT one) From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Grillenmeier,
Guido definitely give them
an OU and I'd also urgently suggest you don't make the machine in that remote
office a DC at all => first of all
it's not required for 15 folks - you'll need it for other things such as
file/print (they should easily be able to authenticate to your main office;
assuming NW connectivity - which you'd also need to setup
replication...) => secondly, it's
much more secure, as you will likely not have much physical security in an
office of 15 people and if you're using the one box for everything it's unsecure
from a delegation perspective /Guido From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Jeff
Kraus Hi, we are setting up a remote office if
about 15 people that will be linked by a vpn. we are buying new servers that have
win2003 on them. I have a coupe of questions,I
hope you would indulge me with your opinions. 1: we are planning to upgrade our
headquarters the 2003 in about 3 -4 months. can we setup the
new server with 2003 as domain controllers so we won't have to upgrade them
later ? if so
anything special we need to do ? IE: forest prep
? 2: We have a raging
debate weather to set them up as a domain or a org unit in
their own site. we have a part time adiminstrator there htat we need to give
right to for day to day admin work. thanks for your
help. This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. |
- RE: [ActiveDir] new 2003 domain controller in windo... Jorge de Almeida Pinto
- RE: [ActiveDir] new 2003 domain controller in ... Travis Robinson
- RE: [ActiveDir] new 2003 domain controller in ... Grillenmeier, Guido