Thanks ME, I got it from him in person when we had him onsite before he blogged it, but that is the exact citation. I was in a hurry last night and grabbed it out of Word from desktop search :-)

If you ever get a chance to take a course he's teaching or otherwise interact with him, take it. He is an amazing resource when it comes to AD and related technologies. Last I heard he was primarily teaching internally... Sadly he's like Laura Robinson and doesn't publish nearly enough... at least publicly.

From: [email protected] On Behalf Of Micheal Espinola Jr
Sent: Thursday, April 30, 2015 7:27 PM
To: [email protected]
Subject: [spam] [dkim-failure] Re: [NTSysADM] RE: OT: Forcing a Server's AD Site

Solid reference to Glenn LeCheminant.

http://blogs.technet.com/b/glennl/archive/2010/08/13/minimizing-risk-during-ad-upgrades.aspx

--
Espi

On Thu, Apr 30, 2015 at 6:44 PM, Free Jr., Bob <[email protected]> wrote:

I find it very useful for testing in isolated sites as well. We used it extensively for isolated testing of the introduction of up-level DCs, based on some guidance Glenn L gave us years ago:

Systematically test computers/application usage and coexistence with W2K8 DCs.

1) For applications running on Windows that find DCs through DCLocator <http://msdn.microsoft.com/en-us/library/ms675983(VS.85).aspx>, move the application servers into the temporary site... during a maintenance window of course.
   a) Add SiteName string value to netlogon\parameters registry key on the application servers and set it to the temporary site name. SiteName overrides DynamicSiteName written by the dclocator algorithm. Basically you are telling the computer what site it belongs to without having to change/create subnet configuration in AD.
   b) Change the secure channel of the application server to the W2K8 DC using nltest /sc_reset:domain\dcname
   c) Wait until Kerberos tickets expire, or reboot the application server, then have the application owner perform functionality testing.
      1) Now if the scenario is more complex... client connects to application, which impersonates client to access resources on backend servers, then you will want to do a, b, c on client and backend systems to make the testing as realistic as possible.

2) For LDAP applications running on Windows that use the domain A record to find a DC, add a host file entry on the application server pointing the domain A record to the W2K8 DC.
   a) Wait until Kerberos tickets expire, or reboot the application server, then have the application owner perform functionality testing.

3) For LDAP applications not running on Windows, identify the mechanism they use to find a DC/LDAP server... probably configured in the application itself... then provide it with the DC A record or domain A record, or SRV record to be used to find the W2K8 DC.
   a) Execute on a test matrix to ensure application functionality.

4) General authentication and ticket processing through the W2K8 DC. Work with business unit managers (aka.. guinea pigs) to put their machines into the temporary site (SiteName reg value) and have them perform their normal business functions for a while... tests their machine and locally installed apps' ability to use the new DC for auth and queries.

From: [email protected] On Behalf Of Michael B. Smith
Sent: Wednesday, April 29, 2015 5:49 PM
To: [email protected]; [email protected]
Subject: [NTSysADM] OT: Forcing a Server's AD Site

You may find this helpful:

New blog post: Forcing a Server's Active Directory Site

http://bit.ly/1OGb4OK

http://theessentialexchange.com/blogs/michael/archive/2015/04/29/forcing-a-server-s-active-directory-site.aspx

________________________________
PG&E is committed to protecting our customers' privacy.
To learn more, please visit http://www.pge.com/about/company/privacy/customer/
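
Steps a) to c) of item 1 in the quoted guidance, as an added PowerShell example that is not part of the thread or of either blog post. The site, domain and DC names are hypothetical placeholders, and the full registry path is the standard Netlogon parameters key (the thread names it only as netlogon\parameters). A -Revert switch is included because a SiteName override stays in force until it is removed.

```powershell
# Added example, not from the thread. Site, domain and DC names are
# hypothetical placeholders; run elevated, inside a maintenance window.
#Requires -RunAsAdministrator
param(
    [string]$TempSite = 'TEMP-W2K8-TEST',   # hypothetical temporary AD site
    [string]$Domain   = 'EXAMPLE',          # hypothetical domain name
    [string]$TargetDc = 'W2K8DC01',         # hypothetical W2K8 DC in that site
    [switch]$Revert                         # remove the override after testing
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-SiteState {
    # SiteName is the static override; DynamicSiteName is what DCLocator wrote.
    $p    = Get-ItemProperty -Path $key
    $site = nltest /dsgetsite 2>$null | Select-Object -First 1
    [pscustomobject]@{
        SiteName        = $p.SiteName
        DynamicSiteName = $p.DynamicSiteName
        EffectiveSite   = "$site".Trim()
    }
}

if ($Revert) {
    # Drop the override so the DCLocator-computed site applies again,
    # then let Netlogon pick any DC for the secure channel.
    Remove-ItemProperty -Path $key -Name SiteName -ErrorAction SilentlyContinue
    nltest "/sc_reset:$Domain" | Out-Null
    return Get-SiteState
}

# Step a: pin this computer to the temporary site.
New-ItemProperty -Path $key -Name SiteName -Value $TempSite `
    -PropertyType String -Force | Out-Null

# Step b: reset the secure channel to the W2K8 DC.
nltest "/sc_reset:$Domain\$TargetDc" | Out-Null

# Verify before handing over to the application owner.
$state = Get-SiteState
$sc    = nltest "/sc_query:$Domain" | Out-String
if ($state.EffectiveSite -ne $TempSite) {
    Write-Warning "Effective site is '$($state.EffectiveSite)', expected '$TempSite'"
}
if ($sc -notmatch [regex]::Escape($TargetDc)) {
    Write-Warning "Secure channel is not bound to $TargetDc"
}
$state
# Step c: wait for Kerberos tickets to expire, or reboot, then start testing.
```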
