Hi Jeff,
 
Concerning Exchange 2000, Windows 2003 and the Forest functional level DON'T forget the following as mentioned in http://support.microsoft.com/?kbid=831809 (Exchange 2000 Recipient Update Service does not replicate changes successfully in forest functional level 1 or 2 in Windows Server 2003 Active Directory)
Cheers
Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Kraus
Sent: Friday, February 04, 2005 18:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

Well Guys,
Here's what we're gonna do.
We currently have a 2000-based network (soon to move to 2003) containing 1 Exchange 2000 server that is also a DC (yes, we are fixing that! soon to Exchange 2003), 3 SQL 2000 servers, 1 file/print server (is primary DC as well, not to worry - big box -) and a few other member servers performing other user functions.

We are converting all these servers from local disk to mirrored Falcon Stor SAN arrays. All data and programs will reside on the SAN arrays; only the OS will be on the local disk.
The arrays will replicate in real time over a WAN link to another SAN array in an office in Houston (the DR site). The DR site will have 8 HP blades to function as backup servers to each of the current servers. In addition, the office will have their own file/print/DC for their own use as well as an Exchange server to host their email (these are the 2003 boxes I'm setting up now).
The idea is for a few (5-10) key users to be able to fly to Houston and begin work within 24 hours of current building failure. The rest of the users will report to another local site we will set up to allow them to work via a VPN to Houston.

So that's what we're gonna do. I hope you get the picture now! :)
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, February 03, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

gee joe, that sounds like a really good way to cause a lot of work. Or to harass me ;-)
I wouldn't really want to go down that road for DR purposes - I'd rather have a good way of ensuring delayed replication and a fast recovery option for the existing forest. Adding another forest _for this purpose_ won't necessarily allow users from the production forest to "easily" continue work if that one's gone for some reason (i.e. even if you get so far as to sync users, groups and passwords, you'd still have loads of issues due to missing ACLs and Entitlements for Filesystems and Apps etc.)
 
Cheers,
Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, February 03, 2005 7:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

I am going to throw a little monkey wrench at this one. :o)  Mostly because I like harassing Guido.
 
Depending on what is meant by this being a DR site, it might be valuable for this to have its own forest and domain. The question is, define the disasters it is supposed to help with. If it is simply physical location disasters, same domain/forest is fine. But if it is to also help with the forest going toes up and you need something people can work in as fast as possible with that time being measured in minutes, then separate forest and domain is something to consider.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, January 31, 2005 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

ok - that puts a little different touch to your story.
 
in this case (esp. as a DR site and on separate HW with physical security in place), you're fine to host a DC in that site.
 
Yes, you can add it to your 2000 domain and you've already supplied the solution as well: you'll need to prepare the schema of the forest via ADPREP /forestprep and then prepare the domain you'll join the DC to via ADPREP /domainprep. If you have Exchange 2000 first apply the E2k schema fix (read Q314649) 
 
 
But definitely don't start a new domain (for which you'd still need to upgrade the schema) - an OU is perfectly fine for your situation.
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Kraus
Sent: Monday, January 31, 2005 10:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

Physical security is not an issue: locked computer room, only the PT admin and manager have access. This office will eventually become a disaster recovery location housing a bunch of blade servers and replicated disk. The need for a domain controller is like you said -- network connectivity and access. This office supports a few key personnel (money makers!!), so the cost of a few servers, some 2003 licenses and an Exchange server is not a big deal; speed and reliability are more important.

But I'm still dealing with the question of:

1: We are planning to upgrade our headquarters to 2003 in about 3-4 months. Can we set up the new server with 2003 as domain controllers so we won't have to upgrade them later?

    If so, anything special we need to do? I.e.: forest prep?

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: Monday, January 31, 2005 3:50 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

Hi,

 

I could not agree more with Guido! The security aspect is the most important reason to go for the suggested solution. However, there's one thing to keep in mind in this scenario, namely the trustworthiness of your network. If you're not placing a DC in the remote location, network connectivity becomes a must to enable a user to do his/her work. Sure, there's such a thing as cached credentials on a client, but logging on to a domain is important for a lot of services.

 

Cheers!

John Reijnders (soon to change his e-mail address into a MSFT one)

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, January 31, 2005 21:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

 

definitely give them an OU and I'd also urgently suggest you don't make the machine in that remote office a DC at all

=> first of all it's not required for 15 folks - you'll need it for other things such as file/print (they should easily be able to authenticate to your main office; assuming NW connectivity - which you'd also need to setup replication...)

=> secondly, it's much more secure, as you will likely not have much physical security in an office of 15 people and if you're using the one box for everything it's unsecure from a delegation perspective

 

/Guido

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Kraus
Sent: Monday, January 31, 2005 7:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] new 2003 domain controller in windows 200 forest.

Hi,

We are setting up a remote office of about 15 people that will be linked by a VPN.

We are buying new servers that have Win2003 on them.

I have a couple of questions; I hope you would indulge me with your opinions.

1: We are planning to upgrade our headquarters to 2003 in about 3-4 months. Can we set up the new server with 2003 as domain controllers so we won't have to upgrade them later?

    If so, anything special we need to do? I.e.: forest prep?

2: We have a raging debate whether to set them up as a domain or an org unit in their own site. We have a part-time administrator there that we need to give rights to for day-to-day admin work.

Thanks for your help.

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
