RE: [ActiveDir] Add junior admin to Local workstations admin group
Right there with you Rick... Unfortunately some of the things previously chosen will be difficult, I think, to dig themselves out of. Most notably around the perms and such. There are actually things they could do in the E2K product if they would just be willing to *officially support* deviations to the main product design that came out so long ago. Like for instance all of the crappy LDAP filters and the perms that are put down by default. I would like to change a lot of those perms and filters because I think they could work (better in all cases) in other ways but the instant I start to mention them PSS Alliance starts running around with their hands in the air saying "That isn't supported that isn't supported". I do understand their point but, in my opinion, it comes down to not having a complete understanding of the product and how it works. Heck if I had a product I only knew how to support when someone was doing exactly what the book says I would be leery to let them deviate as well. Unfortunately the book wasn't written for any large company so the chapters are still being written and the PSS guys aren't the authors. Some of the things I have heard out of PSS Alliance Exchange to explain things has been bordering on insanely ludicrous so I am now at a point where when I hear "that is unsupported" I laugh and say what else is new? Many times when we have an issue it seems we dig ourselves out and then explain to MS how we did it, we actually prefer that our onsite Exchange PSS guy not be around when we are figuring problems out as we move faster. We pull him in when we need something sent back inside to MS.
I think that they probably do very well with smaller cookie cutter installations that do everything the MS way but once you get into the custom designed environments we might as well just have the QFE coders or Product Team with us because that is where all the questions go any way only we usually have to wait until the local PSS or the Texas PSS guys feel it should go to QFE or Product Team. We had another fun one this week. Originally it was said that the ADC install would need Ent Admin access ONLY for the first ADC install. Now we send some guys to England to set some stuff up and the day before they go the MCS guy comes to me and says hey I have some bad news. It seems the docs are wrong, we need Ent Admin access to install the ADC over in Europe... Very frustrating. Anyway, I think Exchange Servers and the other Exchange groups have far too many perms right off the bat from the forest and domain preps. Obviously the property set setup is completely cockeyed. Having to give the app Manage Replication Topology rights is a bit much but that is partially the AD team's issue because of how they designed the perms for that or at least exposed the perms for that. Because Exchange feels it OWNS the directory (heck it came from Exchange so they should own it huh?) they feel that it is fine that they get any and all perms into it and surrounding it. I don't think I have seen an LDAP Query yet that I would consider good. Usually there is a caveat that it shouldn't have many records to choose from *most of the time*. All basic things that they should be able to tweak whether prior to the forest prep or after, they are things that they could change and MS should be able to support if they had a stronger understanding of how it all worked within PSS. I think one thing that might help with dev work around MS would be to take away admin rights from all of the developers. Make them work as non-admins and figure out how to do things when you aren't god on a system.
I would expect their designs would change radically. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Thursday, August 28, 2003 12:30 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group Brian, Thanks for this. This is a step in the right direction. And, to me at least, this proves that the Exchange architects and developers _ARE_ capable of learning and listening - I just question that they are really applying the effort in the right areas. Until I see some real improvement in the ACE/ACL/Delegation methodology, I'm still really skeptical that they get it at all. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Narkinsky, Brian Sent: Thursday, August 28, 2003 10:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group Not an E2K answer but in E2K3 there is a WMI method to do this. http://msdn.microsoft.com/library/default.asp?url=""> -Original Message- From:
RE: [ActiveDir] Problems with too many nested group memberships
Hey Guido. It seems that the notechain I have involves the fix in 327825 and that applying that change to the DC's should be enough because the client pieces were already in place or had been in place all along. The client handles the whole expansion process and looking at the post from Carlos (thanks Carlos and Hi right back at ya) the GroupCount/GroupIds fields explanation for the kerb ticket seem, at least to me at first blush, to be verification. The note chain I have is very high level, no level of detail like the doc Carlos posted. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Sent: Thursday, August 28, 2003 7:19 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Problems with too many nested group memberships Also I seem to recall them saying that the functionality has been on the client receiving side for some time, they just never added the functionality to the DC side because I had responded with a question similar to yours Guido. joe -Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Thursday, August 28, 2003 7:16 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Problems with too many nested group memberships I'll see if I can dig up the note I have from PSS on it. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1) Sent: Thursday, August 28, 2003 3:59 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Problems with too many nested group memberships Joe, do you have any more info on this? I'm just wondering how this should work - if a Kerberos token only stores the RID of a group, which process would then explode that information to the full SID format when it is needed to analyse ACLs for the effective permissions of the user? If this is done by a certain fix (which one?) 
then this would change the whole picture of authentication processing for Windows 2000 and would probably be required on all machines that receive this new version of the Kerberos ticket... Would be glad to read more about this - thanks, Guido -Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Wednesday, 27 August 2003 14:11 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Problems with too many nested group memberships I agree on the cleanup the sid history's. Also the number of groups you are in before you break can vary greatly based on where in the forest the groups are located at. One of the fixes implemented changes how the group information is stored in the token, if the groups are all local to the domain the user is in then only the RID is needed, however if the groups are from other domains, the entire SID is stored this would be the difference in space usage of something like: S-1-5-21-1275210071-789336058-1957994488-3146 and 3146 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1) Sent: Wednesday, August 27, 2003 7:41 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Problems with too many nested group memberships Tony, I believe that the 1000 SID limit is only relevant for NTLM authentication - the Kerberos ticket accepts a far smaller number of SIDs in the Token by default (roughly 120). With the number of group-memberships that you have (likely more than 120), it sounds like you'll have to increase the MaxTokenSize value in your environment (even after applying the fix http://support.microsoft.com/default.aspx?scid=kb;[LN];327825) As you'll be authenticated via Kerberos on the Server you're trying to join to AD at the time of joining it, I'd try to change the MaxTokenSize value in the registry on the server itself PRIOR to joining it to AD. Also - have the groups which the user is a member of been migrated with SID-History?
In this case you'll have 2 SIDs per group which further decreases the number of real groups your Kerberos ticket will be able to accept by default to approx. 60. /Guido -Original Message- From: Tony Murray [mailto:[EMAIL PROTECTED] Sent: Tuesday, 26 August 2003 16:16 To: [EMAIL PROTECTED] Subject: [ActiveDir] Problems with too many nested group memberships I'm hoping someone can shed some light on this. The background A while ago some admins had problems joining servers to an AD domain. The error was: The Parameter is incorrect We narrowed it down to the fact that the admins with problems had a large number of nested group memberships (400+). If we removed the group memberships the admin could join the server to the domain with no problem. We opened a call with Microsoft PSS, who advised us to install the hotfix mentioned in http://support.microsoft.com/default.aspx?scid=kb;[LN];327825 We duly installed the hotfix on all DCs. Now it seems we have the problem again, albeit intermittently. We re-opened the case with PSS and they have advised us that the problem is due to the
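The RID-versus-full-SID space difference discussed in this thread, worked through as an added example that is not part of the original messages: it encodes the SID quoted above into the standard binary SID layout and splits a membership list into same-domain RIDs and full SIDs. The second domain SID and the extra RIDs are constructed, and the byte counts cover only the identifiers, not per-entry attributes or other ticket overhead.

```python
import struct


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-R-A-s1-s2-...' into the binary SID layout:
    revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), 4 bytes per sub-authority
    (little-endian)."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def split_sid(sid: str):
    """Return (domain SID, RID): the RID is the last sub-authority."""
    domain, _, rid = sid.strip().rpartition("-")
    return domain, int(rid)


def membership_cost(user_domain_sid: str, member_sids):
    """Split memberships the way the thread describes: groups in the
    user's own domain need only the RID, anything else (other domains,
    SID-History entries from an old domain) needs the entire SID."""
    rids, full = [], []
    for sid in member_sids:
        domain, rid = split_sid(sid)
        if domain == user_domain_sid:
            rids.append(rid)
        else:
            full.append(sid)
    return {
        "rids": rids,
        "full_sids": full,
        "rid_bytes": 4 * len(rids),
        "full_sid_bytes": sum(len(sid_to_bytes(s)) for s in full),
    }


# Domain part of the SID quoted in the thread.
USER_DOMAIN = "S-1-5-21-1275210071-789336058-1957994488"
# Constructed SID of a hypothetical pre-migration domain (SID-History source).
OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"

MEMBER_SIDS = [
    USER_DOMAIN + "-3146",   # the group SID from the thread
    USER_DOMAIN + "-3147",   # constructed second group, same domain
    OLD_DOMAIN + "-1105",    # constructed SID-History entry, old domain
]

if __name__ == "__main__":
    full = sid_to_bytes(USER_DOMAIN + "-3146")
    print("full SID bytes:", len(full), "RID bytes:", 4)
    print(membership_cost(USER_DOMAIN, MEMBER_SIDS))
```
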
RE: [ActiveDir] overlapping IP space in AD sites?
I don't think I understand your question Roger... I will give it a try anyway... I haven't noticed a performance impact due to having the additional subnets if that is what you are asking. Then I wouldn't really expect it since it should be implemented as a simple btree search. The main reason I did it years ago was because contrary to documentation new DC's that were promoed that weren't on a defined subnet DID NOT go into Default First Site. They would go into some other site defined by some logic that I failed to ascertain which was a pain since we have several hundred sites. Additionally when we have clients come up on undefined subnets we would rather they get directed to our corporate datacenters versus randomly picking some site somewhere. This makes sense since we are basically three interconnected geographic hub and spokes networks with the interconnections between the hubs. The way the data center and the sorting sites (sites with the class-a's) and site links are defined the sorting sites end up using the data centers for DC coverage. It works out well. We, of course, would rather have all of the subnets and sites defined properly, but we understand reality and know it won't happen so we try to reduce pain felt by unsuspecting users by crutching as best as possible. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Thursday, August 28, 2003 7:09 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] overlapping IP space in AD sites? Is there any significant performance that you can discern from that scheme? -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 27, 2003 6:37 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] overlapping IP space in AD sites? This is fine. We actually have a couple of class A subnets defined and then subdefine those to more specific sites. I.E.
Class A points to an overall company site. Many 24 bit mask or 23 bit mask subnets are then defined to further refine the site the clients should use. The clients will chase through the logic and find the subnet that most closely matches it and use that site. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Wednesday, August 27, 2003 11:10 AM To: Active Directory Mailing List (E-mail) Subject: [ActiveDir] overlapping IP space in AD sites? Hi, We have a pretty complex IP structure with various types of access. As we develop AD sites for low bandwidth connected remote offices, I was wondering how AD handles site subnet definitions that might overlap one another. For example: 10.10.0.0/16 = Site 1 10.10.88.0/25 = Site 2 The AD Sites and Services mmc allows (doesn't complain) about overlapping subnets. As always, any comments or experiences in this area are appreciated! Mike Thommes Argonne National Laboratory List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
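The most-specific-subnet selection described in this thread, as an added example that is not part of the original messages: a Python model of the lookup (not Active Directory's own code) using the two overlapping definitions from the question. The class A catch-all, its site name and the client addresses are constructed for illustration.

```python
import ipaddress

# The two definitions from the question plus a constructed class A
# catch-all of the kind described in the reply ("Corp-Datacenter" is a
# hypothetical site name).
SUBNET_TO_SITE = {
    "10.0.0.0/8": "Corp-Datacenter",
    "10.10.0.0/16": "Site 1",
    "10.10.88.0/25": "Site 2",
}


def build_table(mapping):
    """Parse the CIDR strings and order them longest prefix first, so
    the first hit during a scan is always the most specific subnet."""
    table = [(ipaddress.ip_network(cidr), site) for cidr, site in mapping.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for(ip, table):
    """Return (site, matching subnet) for a client address, or
    (None, None) when no defined subnet contains it."""
    addr = ipaddress.ip_address(ip)
    for net, site in table:
        if addr in net:
            return site, str(net)
    return None, None


def overlapping_definitions(table):
    """List every (narrow subnet, its site, broad subnet, its site)
    where the narrow subnet sits inside a broader one that maps to a
    different site. These are the entries worth reviewing."""
    found = []
    for i, (narrow, narrow_site) in enumerate(table):
        for broad, broad_site in table[i + 1:]:
            if narrow != broad and narrow.subnet_of(broad) and narrow_site != broad_site:
                found.append((str(narrow), narrow_site, str(broad), broad_site))
    return found


def undefined_subnet_clients(client_ips, table, catch_all_sites):
    """Clients that matched only a catch-all site or nothing at all,
    i.e. addresses whose real subnet has not been defined yet."""
    report = []
    for ip in client_ips:
        site, net = site_for(ip, table)
        if site is None or site in catch_all_sites:
            report.append((ip, site, net))
    return report


TABLE = build_table(SUBNET_TO_SITE)

if __name__ == "__main__":
    # Constructed client addresses.
    for ip in ("10.10.88.5", "10.10.88.200", "10.200.1.1", "192.168.1.1"):
        print(ip, "->", site_for(ip, TABLE))
    for row in overlapping_definitions(TABLE):
        print("overlap:", row)
    print(undefined_subnet_clients(["10.10.88.5", "10.200.1.1", "192.168.1.1"],
                                   TABLE, {"Corp-Datacenter"}))
```

Note that 10.10.88.200 falls outside the /25 (which ends at 10.10.88.127), so it resolves to Site 1 through the /16.
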
[ActiveDir] When to seize FSMO roles in a Disaster
Background: A company we consult for has AD implemented in three sites. One Domain, AD is in Native Mode. A DNS and Global Catalog server exist in each site. Site locations are VB, NV and DC. VB is the hub with a leased line T1 to DC and two T1s, load balanced, to NV. VB is home location and domain controllers in VB hold all FSMO roles. NV is semi-active production, but also established as a Disaster Recovery site in case VB goes boom! (lots of military targets in Hampton Roads). DC is a production site. Question is: If something happens in VB, when does it become absolutely necessary to seize FSMO roles in NV? I take it we would have to follow the same procedure in DC??? I understand once the roles are seized the domain controllers that held the roles must not come back up, not an issue. Shawn Hayes, MCSE Sr. Network Engineer Compass Technology Management Sound Business Sense for IT www.compass.net 757-226-3328
RE: [ActiveDir] When to seize FSMO roles in a Disaster
The short answer, in my opinion, is "it depends," and it depends on a bunch of things. Which FSMO services are down, and what is the estimated time to restore the DCs holding those roles? Is it impossible to restore those DCs, for whatever reason? What do you need to do from a functionality standpoint in the interim, before those FSMO role holders are back in production? You can probably go for a longer period of time without the Schema Master, Infrastructure Master, and Domain Naming Master. The RID Master and PDC emulator will likely need to come back much faster, but your environment may have unique requirements. It's a good idea to do disaster recovery drills on a regular basis, so that you know what you're up against when a DC, particularly a FSMO role holder, is down. This will give you an idea of how long it takes to recover a DC, and what issues you may hit (like recovering to dissimilar hardware, or in a location with severely restricted bandwidth). Microsoft's Active Directory Disaster Recovery Whitepaper has a good discussion on the impacts of FSMO role holders being down, and what you can expect from an impact perspective. http://www.microsoft.com/technet/treeview/default.asp?url=""> or http://tinyurl.com/llc4 Hunter From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, August 29, 2003 7:38 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] When to seize FSMO roles in a Disaster Background: A company we consult for has AD implemented in three sites. One Domain, AD is in Native Mode. A DNS and Global Catalog server exist in each site. Site locations are VB, NV and DC. VB is the hub with a leased line T1 to DC and two T1s, load balanced, to NV. VB is home location and domain controllers in VB hold all FSMO roles. NV is semi-active production, but also established as a Disaster Recovery site in case VB goes boom! (lots of military targets in Hampton Roads). DC is a production site.
Question is: If something happens in VB, when does it become absolutely necessary to seize FSMO roles in NV? I take it we would have to follow the same procedure in DC...??? I understand once the roles are seized the domain controllers that held the roles must not come back up, not an issue. Shawn Hayes, MCSE Sr. Network Engineer Compass Technology Management Sound Business Sense for IT www.compass.net 757-226-3328
[ActiveDir] sysvol not replicating
Two days ago a consulting firm upgraded a BDC at a remote location to Windows 2000. After the upgrade users had all types of trouble connecting. It seems the sysvol is not replicating because the Do_Not_Remove_NtFrs_PreInstall_Directory, Policies directory, and Scripts directory do not exist on the remote server in either the sysvol\domain or the sysvol\sysvol directory. The rest of AD seems to be replicating fine. Can I simply copy those directories from one of my DCs to the DC in the remote location? Thanks Cynthia Rittenhouse MCSE,CCNA LAN Administrator County of Lancaster Lancaster, PA 17602
Re: [ActiveDir] sysvol not replicating
whooah... easy. Can you do a dcdiag and post the results please. Robert Rutherford +44 (0)1305 208232 +44 (0)7970 122362
Rittenhouse, Cindy [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 29/08/2003 15:32 Please respond to ActiveDir To: [EMAIL PROTECTED] cc: Subject: [ActiveDir] sysvol not replicating
Two days ago a consulting firm upgraded a BDC at a remote location to Windows 2000. After the upgrade users had all types of trouble connecting. It seems the sysvol is not replicating because the Do_Not_Remove_NtFrs_PreInstall_Directory, Policies directory, and Scripts directory do not exist on the remote server in either the sysvol\domain or the sysvol\sysvol directory. The rest of AD seems to be replicating fine. Can I simply copy those directories from one of my DCs to the DC in the remote location? Thanks Cynthia Rittenhouse MCSE,CCNA LAN Administrator County of Lancaster Lancaster, PA 17602
** This E-mail and any files transmitted with it are in commercial confidence and intended solely for the use of the individual or entity to whom they are addressed. If you have received this E-mail in error please notify the Administrator by E-mail ([EMAIL PROTECTED]). Any views or opinions expressed are solely those of the author and do not necessarily represent those of DEK International., or its affiliates. ** This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.dek.com **
RE: [ActiveDir] sysvol not replicating
No, that would be the worst possible thing you could do! You should never manually copy any FRS replicated data over as that could trigger a full replication of Sysvol and bring your network down to a crawl. If FRS isn't working, look for the root cause and fix that instead, don't try any shortcuts. The main thing to check is the components that FRS relies on, mainly DNS. How does the DNS configuration look, can you resolve names to\from that server? DNS misconfiguration should be the first possible cause you focus on as it is the most common.
Other troubleshooting steps:
Check all event logs for associated errors. Any jrnl_wrap or FRS\DNS related pointers?
dcdiag /v
netdiag /v
repadmin /showreps (should have at least one inbound and outbound partner)
Do any of these point you towards the problem? If you are unable to track down the source of the problem you can always give up and start again, which is actually not so bad as it sounds. If the FRS problem can't be resolved, dcpromo back to a member server, double check DNS settings and then attempt the promotion again. Simon Geary MVP -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rittenhouse, Cindy Sent: 29 August 2003 16:33 To: [EMAIL PROTECTED] Subject: [ActiveDir] sysvol not replicating Two days ago a consulting firm upgraded a BDC at a remote location to Windows 2000. After the upgrade users had all types of trouble connecting. It seems the sysvol is not replicating because the Do_Not_Remove_NtFrs_PreInstall_Directory, Policies directory, and Scripts directory do not exist on the remote server in either the sysvol\domain or the sysvol\sysvol directory. The rest of AD seems to be replicating fine. Can I simply copy those directories from one of my DCs to the DC in the remote location?
Thanks Cynthia Rittenhouse MCSE,CCNA LAN Administrator County of Lancaster Lancaster, PA 17602
RE: [ActiveDir] overlapping IP space in AD sites?
You answered my question - I apparently left out 'impact' from the original statement. I guess at some point I figured that there would be a performance hit for trying to ascertain the most specific subnet. It does grab the most specific subnet, right? -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Thursday, August 28, 2003 11:17 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] overlapping IP space in AD sites? I don't think I understand your question Roger... I will give it a try anyway... I haven't noticed a performance impact due to having the additional subnets if that is what you are asking. Then I wouldn't really expect it since it should be implemented as a simple btree search. The main reason I did it years ago was because contrary to documentation new DC's that were promoed that weren't on a defined subnet DID NOT go into Default First Site. They would go into some other site defined by some logic that I failed to ascertain which was a pain since we have several hundred sites. Additionally when we have clients come up on undefined subnets we would rather they get directed to our corporate datacenters versus randomly picking some site somewhere. This makes sense since we are basically three interconnected geographic hub and spokes networks with the interconnections between the hubs. The way the data center and the sorting sites (sites with the class-a's) and site links are defined the sorting sites end up using the data centers for DC coverage. It works out well. We, of course, would rather have all of the subnets and sites defined properly, but we understand reality and know it won't happen so we try to reduce pain felt by unsuspecting users by crutching as best as possible. 
joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Thursday, August 28, 2003 7:09 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] overlapping IP space in AD sites? Is there any significant performance that you can discern from that scheme? -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 27, 2003 6:37 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] overlapping IP space in AD sites? This is fine. We actually have a couple of class A subnets defined and then subdefine those to more specific sites. I.E. Class A points to an overall company site. Many 24 bit mask or 23 bit mask subnets are then defined to further refine the site the clients should use. The clients will chase through the logic and find the subnet that most closely matches it and use that site. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Wednesday, August 27, 2003 11:10 AM To: Active Directory Mailing List (E-mail) Subject: [ActiveDir] overlapping IP space in AD sites? Hi, We have a pretty complex IP structure with various types of access. As we develop AD sites for low bandwidth connected remote offices, I was wondering how AD handles site subnet definitions that might overlap one another. For example: 10.10.0.0/16 = Site 1 10.10.88.0/25 = Site 2 The AD Sites and Services mmc allows (doesn't complain) about overlapping subnets. As always, any comments or experiences in this area are appreciated!
Mike Thommes Argonne National Laboratory
RE: [ActiveDir] sysvol not replicating
Can I simply copy those directories from one of my DCs to the DC in the remote location?
= NO, you'd just cause further problems with FRS - it is MUCH preferable to find out the ROOT-cause of why FRS is not replicating SYSVOL with another DC, as it should be.
= for details to see what you should do check out the FRS troubleshooting guide (quite comprehensive and maybe a little too much, but afterwards you'll really understand how FRS works)
= search for SONAR on www.reskit.com (SONAR is a useful FRS monitoring utility and the zipped file includes 'Troubleshooting FRS' white paper)
/Guido -Original Message- From: Rittenhouse, Cindy To: [EMAIL PROTECTED] Sent: 8/29/03 4:32 PM Subject: [ActiveDir] sysvol not replicating Two days ago a consulting firm upgraded a BDC at a remote location to Windows 2000. After the upgrade users had all types of trouble connecting. It seems the sysvol is not replicating because the Do_Not_Remove_NtFrs_PreInstall_Directory, Policies directory, and Scripts directory do not exist on the remote server in either the sysvol\domain or the sysvol\sysvol directory. The rest of AD seems to be replicating fine. Can I simply copy those directories from one of my DCs to the DC in the remote location? Thanks Cynthia Rittenhouse MCSE,CCNA LAN Administrator County of Lancaster Lancaster, PA 17602
RE: [ActiveDir] sysvol not replicating
results from dcdiag

Domain Controller Diagnosis
Performing initial setup:
   Done gathering initial info.
Doing initial required tests
   Testing server: EastCocalicoPD\ECPDC
      Starting test: Connectivity
         . ECPDC passed test Connectivity
Doing primary tests
   Testing server: EastCocalicoPD\ECPDC
      Starting test: Replications
         . ECPDC passed test Replications
      Starting test: NCSecDesc
         . ECPDC passed test NCSecDesc
      Starting test: NetLogons
         . ECPDC passed test NetLogons
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\psdc1.police.lancco.pa.us, when we were trying to reach ECPDC.
         Server is not responding or is not considered suitable.
         . ECPDC failed test Advertising
      Starting test: KnowsOfRoleHolders
         . ECPDC passed test KnowsOfRoleHolders
      Starting test: RidManager
         . ECPDC passed test RidManager
      Starting test: MachineAccount
         . ECPDC passed test MachineAccount
      Starting test: Services
         . ECPDC passed test Services
      Starting test: ObjectsReplicated
         . ECPDC passed test ObjectsReplicated
      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         . ECPDC passed test frssysvol
      Starting test: kccevent
         . ECPDC passed test kccevent
      Starting test: systemlog
         An Error Event occured. EventID: 0x041B
            Time Generated: 08/29/2003 10:50:20
            (Event String could not be retrieved)
         . ECPDC failed test systemlog
   Running enterprise tests on : LANCCO.ROOT
      Starting test: Intersite
         . LANCCO.ROOT passed test Intersite
      Starting test: FsmoCheck
         . LANCCO.ROOT passed test FsmoCheck

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, August 29, 2003 10:39 To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: [ActiveDir] sysvol not replicating whooah... easy. Can you do a dcdiag and post the results please.
Robert Rutherford +44 (0)1305 208232 +44 (0)7970 122362
Rittenhouse, Cindy [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 29/08/2003 15:32 Please respond to ActiveDir To: [EMAIL PROTECTED] cc: Subject: [ActiveDir] sysvol not replicating
Two days ago a consulting firm upgraded a BDC at a remote location to Windows 2000. After the upgrade users had all types of trouble connecting. It seems the sysvol is not replicating because the Do_Not_Remove_NtFrs_PreInstall_Directory, Policies directory, and Scripts directory do not exist on the remote server in either the sysvol\domain or the sysvol\sysvol directory. The rest of AD seems to be replicating fine. Can I simply copy those directories from one of my DCs to the DC in the remote location? Thanks Cynthia Rittenhouse MCSE,CCNA LAN Administrator County of Lancaster Lancaster, PA 17602
RE: [ActiveDir] overlapping IP space in AD sites?
Roger,

Yeah - it will, through sorting through the subnets available - end up grabbing the most specific subnet that the client is on. So, if you have a /25 and a /24 (real-life - from our environment) the client being on the /24, the eventual selection of subnet and site associated will be to the most specific.

Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, August 29, 2003 10:07 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] overlapping IP space in AD sites?

You answered my question - I apparently left out 'impact' from the original statement. I guess at some point I figured that there would be a performance hit for trying to ascertain the most specific subnet. It does grab the most specific subnet, right?

-- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 28, 2003 11:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] overlapping IP space in AD sites?

I don't think I understand your question Roger... I will give it a try anyway... I haven't noticed a performance impact due to having the additional subnets if that is what you are asking. Then I wouldn't really expect it since it should be implemented as a simple btree search.

The main reason I did it years ago was because contrary to documentation new DC's that were promoed that weren't on a defined subnet DID NOT go into Default First Site. They would go into some other site defined by some logic that I failed to ascertain which was a pain since we have several hundred sites. Additionally when we have clients come up on undefined subnets we would rather they get directed to our corporate datacenters versus randomly picking some site somewhere. This makes sense since we are basically three interconnected geographic hub and spokes networks with the interconnections between the hubs. The way the data center and the sorting sites (sites with the class-a's) and site links are defined the sorting sites end up using the data centers for DC coverage. It works out well.

We, of course, would rather have all of the subnets and sites defined properly, but we understand reality and know it won't happen so we try to reduce pain felt by unsuspecting users by crutching as best as possible.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, August 28, 2003 7:09 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] overlapping IP space in AD sites?

Is there any significant performance that you can discern from that scheme?

-- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 6:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] overlapping IP space in AD sites?

This is fine. We actually have a couple of class A subnets defined and then subdefine those to more specific sites. I.E. Class A points to an overall company site. Many 24 bit mask or 23 bit mask subnets are then defined to further refine the site the clients should use. The clients will chase through the logic and find the subnet that most closely matches it and use that site.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, August 27, 2003 11:10 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] overlapping IP space in AD sites?

Hi,

We have a pretty complex IP structure with various types of access. As we develop AD sites for low bandwidth connected remote offices, I was wondering how AD handles site subnet definitions that might overlap one another. For example:

10.10.0.0/16 = Site 1
10.10.88.0/25 = Site 2

The AD Sites and Services mmc allows (doesn't complain) about overlapping subnets. As always, any comments or experiences in this area are appreciated!

Mike Thommes Argonne National Laboratory

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
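The most-specific-subnet selection discussed in this thread, as an added Python sketch that is not part of any poster's message and not Active Directory's own code. The two subnets from the question are used as given; the 10.0.0.0/8 catch-all, its site name, the client addresses and all function names are assumptions made for illustration.

```python
import ipaddress

# Subnet-to-site map. The first two entries come from the question in the
# thread; the /8 catch-all and its site name are assumed for this example.
SUBNET_SITES = {
    "10.10.0.0/16": "Site 1",
    "10.10.88.0/25": "Site 2",
    "10.0.0.0/8": "Datacenter (catch-all)",
}


def build_table(subnet_sites):
    """Parse the CIDR strings and order them longest prefix first."""
    table = [(ipaddress.ip_network(cidr), site)
             for cidr, site in subnet_sites.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for(address, table):
    """Return (subnet, site) for the most specific subnet holding address."""
    ip = ipaddress.ip_address(address)
    for net, site in table:
        if ip in net:
            return net, site
    return None, None


def overlaps(table):
    """List (specific, general) subnet pairs where one contains the other."""
    pairs = []
    for i, (narrow, _) in enumerate(table):
        for wide, _ in table[i + 1:]:
            if narrow.subnet_of(wide):
                pairs.append((str(narrow), str(wide)))
    return pairs


def audit_clients(addresses, table, catch_all_prefix=8):
    """Report clients that matched only a catch-all subnet, or nothing.

    These are the addresses whose real subnet still needs to be defined.
    """
    findings = {}
    for addr in addresses:
        net, site = site_for(addr, table)
        if net is None:
            findings[addr] = "no subnet defined"
        elif net.prefixlen <= catch_all_prefix:
            findings[addr] = f"catch-all {net} -> {site}"
    return findings


TABLE = build_table(SUBNET_SITES)

if __name__ == "__main__":
    # Constructed client addresses.
    for client in ("10.10.88.20", "10.10.88.200", "10.44.1.5", "192.168.1.1"):
        print(client, "->", site_for(client, TABLE)[1])
    print(overlaps(TABLE))
    print(audit_clients(["10.10.88.20", "10.44.1.5", "192.168.1.1"], TABLE))
```

Running `audit_clients` over addresses seen in logon or DHCP records gives a list of subnets that are being served only by the catch-all and still need a proper site assignment.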
RE: [ActiveDir] sysvol not replicating
Just a guess here - but can you map to \\servername\netlogon? If you can - what is the value of: HKEY_LOCAL_MACHINE System CurrentControlSet Services Netlogon Parameters Script

R/Bill

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 11:26 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] sysvol not replicating

results from dcdiag

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: EastCocalicoPD\ECPDC
Starting test: Connectivity
. ECPDC passed test Connectivity

Doing primary tests

Testing server: EastCocalicoPD\ECPDC
Starting test: Replications
. ECPDC passed test Replications
Starting test: NCSecDesc
. ECPDC passed test NCSecDesc
Starting test: NetLogons
. ECPDC passed test NetLogons
Starting test: Advertising
Warning: DsGetDcName returned information for \\psdc1.police.lancco.pa.us, when we were trying to reach ECPDC.
Server is not responding or is not considered suitable.
. ECPDC failed test Advertising
Starting test: KnowsOfRoleHolders
. ECPDC passed test KnowsOfRoleHolders
Starting test: RidManager
. ECPDC passed test RidManager
Starting test: MachineAccount
. ECPDC passed test MachineAccount
Starting test: Services
. ECPDC passed test Services
Starting test: ObjectsReplicated
. ECPDC passed test ObjectsReplicated
Starting test: frssysvol
Error: No record of File Replication System, SYSVOL started.
The Active Directory may be prevented from starting.
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
. ECPDC passed test frssysvol
Starting test: kccevent
. ECPDC passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x041B
Time Generated: 08/29/2003 10:50:20
(Event String could not be retrieved)
. ECPDC failed test systemlog

Running enterprise tests on : LANCCO.ROOT
Starting test: Intersite
. LANCCO.ROOT passed test Intersite
Starting test: FsmoCheck
. LANCCO.ROOT passed test FsmoCheck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 10:39
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] sysvol not replicating

whooah... easy. Can you do a dcdiag and post the results please.

Robert Rutherford +44 (0)1305 208232 +44 (0)7970 122362

Rittenhouse, Cindy [EMAIL PROTECTED]To: [EMAIL PROTECTED] ster.pa.us cc: Sent by:Subject: [ActiveDir] sysvol not replicating [EMAIL PROTECTED] ivedir.org 29/08/2003 15:32 Please respond to ActiveDir

Two days ago a consulting firm upgraded a BDC at a remote location to Windows 2000. After the upgrade users had all types of trouble connecting. It seems the sysvol is not replicating because the Do_Not_Remove_NtFrs_PreInstall_Directory, Policies directory, and Scripts directory do not exist on the remote server in either the sysvol\domain or the sysvol\sysvol directory. The rest of AD seems to be replicating fine. Can I simply copy those directories from one of my DCs to the DC in the remote location?

Thanks
Cynthia Rittenhouse MCSE,CCNA LAN Administrator County of Lancaster Lancaster, PA 17602

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

** This E-mail and any files transmitted with it are in commercial confidence and intended solely for the use of the individual or entity to whom they are addressed. If you have received this E-mail in error please notify the Administrator by E-mail ([EMAIL PROTECTED]). Any views or opinions expressed are solely those of the author
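The dcdiag output quoted in this message prints `passed test frssysvol` directly under an `Error:` line, so reading only the pass/fail verdicts misses the SYSVOL problem. The following Python triage is an added example, not part of the thread and not a Microsoft tool; the sample is an excerpt of the quoted output re-broken one entry per line (that line layout is reconstructed), and the function names are assumptions.

```python
import re

# Excerpt of the output quoted in the thread, one entry per line. The line
# breaks are reconstructed for this example; the wording is from the post.
DCDIAG_OUTPUT = r"""
Testing server: EastCocalicoPD\ECPDC
Starting test: Replications
. ECPDC passed test Replications
Starting test: NetLogons
. ECPDC passed test NetLogons
Starting test: Advertising
Warning: DsGetDcName returned information for \\psdc1.police.lancco.pa.us, when we were trying to reach ECPDC.
Server is not responding or is not considered suitable.
. ECPDC failed test Advertising
Starting test: frssysvol
Error: No record of File Replication System, SYSVOL started.
The Active Directory may be prevented from starting.
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
. ECPDC passed test frssysvol
Starting test: systemlog
An Error Event occured. EventID: 0x041B
Time Generated: 08/29/2003 10:50:20
(Event String could not be retrieved)
. ECPDC failed test systemlog
"""

START = re.compile(r"^Starting test:\s*(\S+)")
RESULT = re.compile(r"^\.+\s*(\S+) (passed|failed) test (\S+)")
ALERT = re.compile(r"\b(error|warning)\b", re.IGNORECASE)


def parse_dcdiag(text):
    """Group the lines between 'Starting test' and its verdict line."""
    results, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        started = START.match(line)
        if started:
            current = {"test": started.group(1), "server": None,
                       "status": None, "messages": []}
            continue
        verdict = RESULT.match(line)
        if verdict and current and verdict.group(3) == current["test"]:
            current["server"] = verdict.group(1)
            current["status"] = verdict.group(2)
            results.append(current)
            current = None
            continue
        if current is not None:
            # Anything else inside a test is a diagnostic message.
            current["messages"].append(line)
    return results


def triage(results):
    """Return (failed tests, tests that passed but logged an error/warning)."""
    failed = [r["test"] for r in results if r["status"] == "failed"]
    masked = [r["test"] for r in results
              if r["status"] == "passed"
              and any(ALERT.search(m) for m in r["messages"])]
    return failed, masked


if __name__ == "__main__":
    failed, masked = triage(parse_dcdiag(DCDIAG_OUTPUT))
    print("failed:", failed)
    print("passed with errors or warnings:", masked)
```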
RE: [ActiveDir] overlapping IP space in AD sites?
Hmmm...

We're using /13 networks for a hub and spoke topology, with the hub spoke being a /16, carved into /23 and /24 blocks. Each spoke site generally /23 or /24 segment as well. As each /13 is basically designated as an AD site, it would make sense to then add a /13 masked catchall subnet to the design, associated with that site.

Looks like I might be adding to the site topology soon...

-- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 11:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] overlapping IP space in AD sites?

Roger,

Yeah - it will, through sorting through the subnets available - end up grabbing the most specific subnet that the client is on. So, if you have a /25 and a /24 (real-life - from our environment) the client being on the /24, the eventual selection of subnet and site associated will be to the most specific.

Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, August 29, 2003 10:07 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] overlapping IP space in AD sites?

You answered my question - I apparently left out 'impact' from the original statement. I guess at some point I figured that there would be a performance hit for trying to ascertain the most specific subnet. It does grab the most specific subnet, right?

-- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 28, 2003 11:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] overlapping IP space in AD sites?

I don't think I understand your question Roger... I will give it a try anyway... I haven't noticed a performance impact due to having the additional subnets if that is what you are asking. Then I wouldn't really expect it since it should be implemented as a simple btree search.

The main reason I did it years ago was because contrary to documentation new DC's that were promoed that weren't on a defined subnet DID NOT go into Default First Site. They would go into some other site defined by some logic that I failed to ascertain which was a pain since we have several hundred sites. Additionally when we have clients come up on undefined subnets we would rather they get directed to our corporate datacenters versus randomly picking some site somewhere. This makes sense since we are basically three interconnected geographic hub and spokes networks with the interconnections between the hubs. The way the data center and the sorting sites (sites with the class-a's) and site links are defined the sorting sites end up using the data centers for DC coverage. It works out well.

We, of course, would rather have all of the subnets and sites defined properly, but we understand reality and know it won't happen so we try to reduce pain felt by unsuspecting users by crutching as best as possible.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, August 28, 2003 7:09 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] overlapping IP space in AD sites?

Is there any significant performance that you can discern from that scheme?

-- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 6:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] overlapping IP space in AD sites?

This is fine. We actually have a couple of class A subnets defined and then subdefine those to more specific sites. I.E. Class A points to an overall company site. Many 24 bit mask or 23 bit mask subnets are then defined to further refine the site the clients should use. The clients will chase through the logic and find the subnet that most closely matches it and use that site.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, August 27, 2003 11:10 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] overlapping IP space in AD sites?

Hi,

We have a pretty complex IP structure with various types of access. As we develop AD sites for low
RE: [ActiveDir] sysvol not replicating
I can not map to \\servername\netlogon, the directory does not exist.

-Original Message-
From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 12:23
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] sysvol not replicating

Just a guess here - but can you map to \\servername\netlogon? If you can - what is the value of: HKEY_LOCAL_MACHINE System CurrentControlSet Services Netlogon Parameters Script

R/Bill

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 11:26 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] sysvol not replicating

results from dcdiag

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: EastCocalicoPD\ECPDC
Starting test: Connectivity
. ECPDC passed test Connectivity

Doing primary tests

Testing server: EastCocalicoPD\ECPDC
Starting test: Replications
. ECPDC passed test Replications
Starting test: NCSecDesc
. ECPDC passed test NCSecDesc
Starting test: NetLogons
. ECPDC passed test NetLogons
Starting test: Advertising
Warning: DsGetDcName returned information for \\psdc1.police.lancco.pa.us, when we were trying to reach ECPDC.
Server is not responding or is not considered suitable.
. ECPDC failed test Advertising
Starting test: KnowsOfRoleHolders
. ECPDC passed test KnowsOfRoleHolders
Starting test: RidManager
. ECPDC passed test RidManager
Starting test: MachineAccount
. ECPDC passed test MachineAccount
Starting test: Services
. ECPDC passed test Services
Starting test: ObjectsReplicated
. ECPDC passed test ObjectsReplicated
Starting test: frssysvol
Error: No record of File Replication System, SYSVOL started.
The Active Directory may be prevented from starting.
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
. ECPDC passed test frssysvol
Starting test: kccevent
. ECPDC passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x041B
Time Generated: 08/29/2003 10:50:20
(Event String could not be retrieved)
. ECPDC failed test systemlog

Running enterprise tests on : LANCCO.ROOT
Starting test: Intersite
. LANCCO.ROOT passed test Intersite
Starting test: FsmoCheck
. LANCCO.ROOT passed test FsmoCheck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 10:39
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] sysvol not replicating

whooah... easy. Can you do a dcdiag and post the results please.

Robert Rutherford +44 (0)1305 208232 +44 (0)7970 122362

Rittenhouse, Cindy [EMAIL PROTECTED]To: [EMAIL PROTECTED] ster.pa.us cc: Sent by:Subject: [ActiveDir] sysvol not replicating [EMAIL PROTECTED] ivedir.org 29/08/2003 15:32 Please respond to ActiveDir

Two days ago a consulting firm upgraded a BDC at a remote location to Windows 2000. After the upgrade users had all types of trouble connecting. It seems the sysvol is not replicating because the Do_Not_Remove_NtFrs_PreInstall_Directory, Policies directory, and Scripts directory do not exist on the remote server in either the sysvol\domain or the sysvol\sysvol directory. The rest of AD seems to be replicating fine. Can I simply copy those directories from one of my DCs to the DC in the remote location?

Thanks
Cynthia Rittenhouse MCSE,CCNA LAN Administrator County of Lancaster Lancaster, PA 17602

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

** This E-mail and any files transmitted with it are in commercial
RE: [ActiveDir] sysvol not replicating
Don't dcpromo down and back up - you will just waste your time. What are the last events in the FRS event logs? If EVERYTHING else is perfect, we can check the registry to see what your seeding server is. If it doesn't have any problems, we can do a non-auth restore which will be the quickest way back up (flip a reg key and bounce the ntfrs service).

/Siddharth

On Fri, 29 Aug 2003, Simon Geary wrote:

No, that would be the worst possible thing you could do! You should never manually copy any FRS replicated data over as that could trigger a full replication of Sysvol and bring your network down to a crawl. If FRS isn't working, look for the root cause and fix that instead, don't try any shortcuts.

The main thing to check is the components that FRS relies on, mainly DNS. How does the DNS configuration look, can you resolve names to\from that server? DNS misconfiguration should be the first possible cause you focus on as it is the most common.

Other troubleshooting steps: Check all event logs for associated errors. Any jrnl_wrap or FRS\DNS related pointers?

dcdiag /v
netdiag /v
repadmin /showreps (should have at least one inbound and outbound partner)

Do any of these point you towards the problem? If you are unable to track down the source of the problem you can always give up and start again, which is actually not so bad as it sounds. If the FRS problem can't be resolved, dcpromo back to a member server, double check DNS settings and then attempt the promotion again.

Simon Geary MVP

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rittenhouse, Cindy
Sent: 29 August 2003 16:33
To: [EMAIL PROTECTED]
Subject: [ActiveDir] sysvol not replicating

Two days ago a consulting firm upgraded a BDC at a remote location to Windows 2000. After the upgrade users had all types of trouble connecting. It seems the sysvol is not replicating because the Do_Not_Remove_NtFrs_PreInstall_Directory, Policies directory, and Scripts directory do not exist on the remote server in either the sysvol\domain or the sysvol\sysvol directory. The rest of AD seems to be replicating fine. Can I simply copy those directories from one of my DCs to the DC in the remote location?

Thanks
Cynthia Rittenhouse MCSE,CCNA LAN Administrator County of Lancaster Lancaster, PA 17602

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] sysvol not replicating
Cindy,

Try to run these scripts on the server with the problems. You have to change some parameters in the QA_Check.cmd and CheckServer.cmd regarding subnet, IP address and servername, if finished then run the startQA.cmd. This script will check everything regarding your DC and it will create several .txt files. If you want, you can send the files to me, then I can inspect them.

These scripts are coming from MS and you can find them in the Branch Office Deployment Guide. Rename the .txt extension to .zip

Regards,
Dennis Schut Technical Consultant MCP, MCSE, MCSA2K 2K3, MCSAS MCSES, MCSE2K MCSE2K3

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Friday, August 29, 2003 16:33
To: [EMAIL PROTECTED]
Subject: [ActiveDir] sysvol not replicating

Two days ago a consulting firm upgraded a BDC at a remote location to Windows 2000. After the upgrade users had all types of trouble connecting. It seems the sysvol is not replicating because the Do_Not_Remove_NtFrs_PreInstall_Directory, Policies directory, and Scripts directory do not exist on the remote server in either the sysvol\domain or the sysvol\sysvol directory. The rest of AD seems to be replicating fine. Can I simply copy those directories from one of my DCs to the DC in the remote location?

Thanks
Cynthia Rittenhouse MCSE,CCNA LAN Administrator County of Lancaster Lancaster, PA 17602

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] sysvol not replicating
Okay Cindy, did not work, of course... If you want I can send the files directly to you... just mail me on [EMAIL PROTECTED] Or download the files from the internet..

Dennis

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dennis Schut
Sent: Friday, August 29, 2003 20:33
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] sysvol not replicating

Cindy,

Try to run these scripts on the server with the problems. You have to change some parameters in the QA_Check.cmd and CheckServer.cmd regarding subnet, IP address and servername, if finished then run the startQA.cmd. This script will check everything regarding your DC and it will create several .txt files. If you want, you can send the files to me, then I can inspect them.

These scripts are coming from MS and you can find them in the Branch Office Deployment Guide. Rename the .txt extension to .zip

Regards,
Dennis Schut Technical Consultant MCP, MCSE, MCSA2K 2K3, MCSAS MCSES, MCSE2K MCSE2K3

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Friday, August 29, 2003 16:33
To: [EMAIL PROTECTED]
Subject: [ActiveDir] sysvol not replicating

Two days ago a consulting firm upgraded a BDC at a remote location to Windows 2000. After the upgrade users had all types of trouble connecting. It seems the sysvol is not replicating because the Do_Not_Remove_NtFrs_PreInstall_Directory, Policies directory, and Scripts directory do not exist on the remote server in either the sysvol\domain or the sysvol\sysvol directory. The rest of AD seems to be replicating fine. Can I simply copy those directories from one of my DCs to the DC in the remote location?

Thanks
Cynthia Rittenhouse MCSE,CCNA LAN Administrator County of Lancaster Lancaster, PA 17602

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] DNS Scavenging and DHCP Lease Expiration Times
Hey folks,

Our DNS scavenging cycle is 7 days. Our DHCP leases expire every 3 days. Are there any notable drawbacks or problems in changing the DNS scavenging time period to match the DHCP lease expiration time period?

Thanks!
Marcus
RE: [ActiveDir] sysvol not replicating
This is probably a silly question, but you have applied all of the latest SP's and hotfixes correct and this machine isn't sitting at like SP1 or something? There are a ton of fixes for FRS out there. Other than that I would be looking at DNS very carefully and also checking regular replication (repadmin /showreps) to make sure that was working as well.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Friday, August 29, 2003 10:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] sysvol not replicating

Two days ago a consulting firm upgraded a BDC at a remote location to Windows 2000. After the upgrade users had all types of trouble connecting. It seems the sysvol is not replicating because the Do_Not_Remove_NtFrs_PreInstall_Directory, Policies directory, and Scripts directory do not exist on the remote server in either the sysvol\domain or the sysvol\sysvol directory. The rest of AD seems to be replicating fine. Can I simply copy those directories from one of my DCs to the DC in the remote location?

Thanks
Cynthia Rittenhouse MCSE,CCNA LAN Administrator County of Lancaster Lancaster, PA 17602

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/