RE: [ActiveDir] ISTG and Link costs
Ken,

If you're in a large campus environment that uses fibre runs within the campus, you might (and should - to localize the authentications and logon traffic) create subnets to associate and identify the network infrastructure to AD. If this is the case, we're looking at a well-connected environment that would not use costing per-se within the campus environment. Intrasite connections are not subject to site links as the intersite links are. Be aware that well-connected is a moving target - usually considered to be (via rule of thumb) 5MB connection. But, it could be as small as 64k available bandwidth - if it provides the necessary bandwidth to keep up with the out and back replication traffic.

Now, if we are connecting a campus environment with, say, T-1 then yes, sites and site links would be correct due to the lower connection rate and a requirement to segment the network into sites. Because we now _have_ sites, site links are needed and the costing can be set to 10, for example, and to coincide with your query.

It's reasonable to treat the entire AD Site and Site link environment as a routed infrastructure - because for all intents and purposes it is just that. It is simulating the network infrastructure in AD for the purposes of allowing AD to be sensitive and aware of the network difficulties and limitations.

In your example, we have a campus costed at 10. Cost the 128k frame links out to the remote offices at 100. This will reasonably require that anything in the campus be communicated over the appropriate links, and anything going out will take the proper path - over a campus link to the remote site(s). In many cases, these environments will resemble a hub and spoke.

Ultimately, there is an upper limit that must be taken into case in the automatic creation and maintenance by the Knowledge Consistency Checker (KCC).
The formula to determine if you're getting close to the point where the KCC may be taxed would be (1+D)S^2 <= 100,000, where D = domains, and S = sites. If this number is exceeded, the KCC will push the processor on the DC on which the ISTG is located.

Now that the background (and a bit more) is in place, I would set the local campus to 1 or 10, or something else arbitrary but consistently smaller. The links from the campus to the remotes would be consistent, but higher by 5 or a magnitude - again, consistency is the issue as long as all links are the same. If you have links from a remote office to remote office, determine if you want communication from office to office. Set the link across there arbitrarily high.

Long winded, yes. I hope that this goes a long way in helping you to understand the complexity of these issues. They can either be as easy or as complex as you want it to be. Much of it has to do with how your lower 4 layers of the OSI are currently in place. This, you have to play nice with or all of this is for naught.

Rick Kingslan - Microsoft Certified Trainer
MCSE+I on Windows NT 4.0
MCSE on Windows 2000
MVP [Windows NT/2000 Server]
"Any sufficiently advanced technology is indistinguishable from magic."
--- Arthur C. Clarke

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rinehart, Ken
Sent: Wednesday, February 06, 2002 11:31 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] ISTG and Link costs

Rick

This is interesting. I'm trying to gain more info on the significance of costs for non-backup type links. Say for instance a large local campus site with multiple say, 128k frame links out to field offices. I'm guessing you'd set the costs for the local site for 10 for no other reason than to have room for expansion. Would you set the costs differently for the field offices or does the fact that I've already setup a site connector that defines the link enough?
Ken

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 05, 2002 9:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ISTG and Link costs

Joe,

It's not really _IF_ ISTG is running - it is. It is a role that the KCC assigns and requires, and unlike the Bridgehead, you cannot control who the ISTG role holder is.

As to costing - the cost is assigned to the link. The site link is created by you and creates the physical connection to AD that is already assumed by the KCC. It defines the protocol (RPC or SMTP) and the costing based on relative speed of other site links in your infrastructure. The KCC manages the connection objects - the replication topology will take into account the costing you have placed on your links - whenever possible. The lower cost will be favored over a higher cost when creating the connection objects.

Site links - created and costed by you.
Connection objects - created by KCC, and influenced by site link costing.
ISTG (Intersite Topology Generator) - with the KCC, creates and maintains the replication topology.

HTH!

Rick Kingslan - Microsoft Certified Tr
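Added example, not part of the original thread: a simplified model of the costing scheme described in the reply above (campus links at 10, 128k frame links at 100, office-to-office set arbitrarily high), together with the (1+D)S^2 <= 100,000 sizing check. The site names, the value 1000 and the function names are assumptions for illustration, and the least-cost search is a stand-in for the KCC's own topology generation, not a reproduction of it.

```python
import heapq

# Constructed sample topology following the costing advice in the reply:
# campus links cost 10, 128k frame links to field offices cost 100,
# and an office-to-office link is set arbitrarily high (1000 is assumed).
SITE_LINKS = [
    ("CampusA", "CampusB", 10),
    ("CampusB", "Office1", 100),
    ("CampusA", "Office2", 100),
    ("Office1", "Office2", 1000),
]

def kcc_load(domains, sites):
    """Left-hand side of the sizing rule (1 + D) * S^2 quoted in the thread."""
    return (1 + domains) * sites ** 2

def kcc_within_limit(domains, sites, limit=100_000):
    """True while the forest stays at or under the quoted 100,000 threshold."""
    return kcc_load(domains, sites) <= limit

def cheapest_route(links, src, dst):
    """Dijkstra over site links; returns (total_cost, [sites]) or None."""
    graph = {}
    for a, b, cost in links:
        if cost <= 0:
            raise ValueError(f"site link {a}-{b} has non-positive cost {cost}")
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    queue, seen = [(0, src, [src])], set()
    while queue:
        total, site, path = heapq.heappop(queue)
        if site == dst:
            return total, path
        if site in seen:
            continue
        seen.add(site)
        for nxt, cost in graph.get(site, []):
            if nxt not in seen:
                heapq.heappush(queue, (total + cost, nxt, path + [nxt]))
    return None  # no chain of site links joins the two sites

if __name__ == "__main__":
    # The high-cost direct office link loses to the route through the campus.
    print(cheapest_route(SITE_LINKS, "Office1", "Office2"))
    print(kcc_load(3, 150), kcc_within_limit(3, 150))
```
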
[ActiveDir] ICQ problems in an AD
I know this is a little off topic but I've been trying to figure this out for awhile. I've been trying to get ICQ working on our network. But it won't run with users who are not Administrators. Basically whenever they run the program all that happens is the splash screen shows up and nothing happens. Now this isn't a problem for anyone with Admin rights, cause the program runs correctly for them. Now I contacted ICQ and they told me this:

1. From the profile you used when you first installed ICQ, run the registry editor (Regedit.exe).
2. Locate the root "HKEY_CURRENT_USER\Software\Mirabilis\ICQ"
3. Click the ICQ key, and choose Registry -> Export Registry File
4. Under "Export Range", make sure the option "Selected Branch" is selected, and in the space under it, the correct path is showing (HKEY_CURRENT_USER\Software\Mirabilis\ICQ)
5. Choose a file name, and save it on your hard disk. Note the location you are saving the file to. It is best not to save the file on your desktop, since the desktop changes between profiles.
6. Log out from the computer and log in with the other profile.
7. Locate the registry file you exported and run it.
8. Windows will ask you if you wish to import the registry settings. Choose "Yes" and confirm.
9. Locate the ICQ.exe file from the installed directory (usually in C:\program files\ICQ\), then right-click the file and choose "Copy".
10. Minimize all windows
11. Right-click your desktop and choose "Paste Shortcut".

Ok I tried that and it didn't work. Does anyone have a suggestion on what I could do to get these users working with ICQ without having to add them to the Admin Group (which I'm not going to do)? Is there some type of GPO setting I can change that would get them working?
Thanks

Chris Hummert
Network Administrator - Albany Agency of Insurance
Webmaster for Noghri.net http://www.noghri.net
MS Beta tester ID #: 388366

"Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us." - from Calvin and Hobbes

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Schema extension
I need a little guidance with AD schema extensions. I'm new to the list (and AD), so forgive me if this has been covered - I did browse/search the archives.

We publish a unified messaging product that uses LDAP on the back end. We've been using openldap on linux, but will be moving to AD on 2k. In openldap, we created an objectclass for each user's voicemail attributes that we need - some mandatory and some optional. We need the same attributes available in AD. I'm thinking of doing this two ways, and was hoping for some input from someone with experience before implementing and testing either of them.

1. Create a new class and list it as an auxiliary to the 'user' class.
2. Add the attributes to the 'user' class.

I think #1 is the appropriate way to go, but #2 might be easier if it'll work. Based on what I've read about AD, I think that if we list any attributes as mandatory, we'll also have to create a property sheet for them in the User Properties dialog, as well as a page in the new user wizard, OR add users exclusively through LDAP, ADSI or scripts. If absolutely necessary, we could make the mandatory attributes in our class optional.

Any input or suggestions would be very much appreciated.

TIA,
Steve

---
Steve Thomas
Network Administrator
APEX Voice Communications, Inc.
Voice: 818-379-8400
Fax: 818-379-8410
ICQ: 47046219
eMail/MSN: [EMAIL PROTECTED]
Yahoo: tms1791
RE: [ActiveDir] ISTG and Link costs
Rick

This is interesting. I'm trying to gain more info on the significance of costs for non-backup type links. Say for instance a large local campus site with multiple say, 128k frame links out to field offices. I'm guessing you'd set the costs for the local site for 10 for no other reason than to have room for expansion. Would you set the costs differently for the field offices or does the fact that I've already setup a site connector that defines the link enough?

Ken

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 05, 2002 9:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ISTG and Link costs

Joe,

It's not really _IF_ ISTG is running - it is. It is a role that the KCC assigns and requires, and unlike the Bridgehead, you cannot control who the ISTG role holder is.

As to costing - the cost is assigned to the link. The site link is created by you and creates the physical connection to AD that is already assumed by the KCC. It defines the protocol (RPC or SMTP) and the costing based on relative speed of other site links in your infrastructure. The KCC manages the connection objects - the replication topology will take into account the costing you have placed on your links - whenever possible. The lower cost will be favored over a higher cost when creating the connection objects.

Site links - created and costed by you.
Connection objects - created by KCC, and influenced by site link costing.
ISTG (Intersite Topology Generator) - with the KCC, creates and maintains the replication topology.

HTH!

Rick Kingslan - Microsoft Certified Trainer
MCSE+I on Windows NT 4.0
MCSE on Windows 2000
MVP [Windows NT/2000 Server]
"Any sufficiently advanced technology is indistinguishable from magic."
--- Arthur C. Clarke

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe
Sent: Tuesday, February 05, 2002 1:26 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ISTG and Link costs

If ISTG is running do you need to assign link costs between your sites? Does the ISTG handle all of this on its own, or does it consider link costs when it creates its replication model?

Thx,
Joe
[ActiveDir] AD and Development Practices
We are starting our AD project, and are currently working with our development staff to determine the best way to interface with AD. In our current environment we have a number of "home grown" applications that look at SQL tables to determine application privileges. Some of the applications have as many as 50 individual access rights associated with them in the table.

We are interested in some "best practices" for application security using AD. Some of the suggestions that we have had include using AD groups to handle permissions (but this method would create a very large number of groups). The other method was to add a security bit mask field for each app and use that.

Does anyone have any suggestions/comments?

-Ted-