RE: [ActiveDir] AD / Printers

2003-12-29 Thread gerry rachar



I use VBscripts in the All Users startup folders that
are shortcuts to the scripts on the print server. I look after two high schools
so I want the printing based on the computer, not the user. The printers for the
computer are installed on logon and are released on logoff. When I need to make
a change I change one script.
 
' Map the per-computer printer connection and make it the default
Set objNetwork = CreateObject("Wscript.Network")
objNetwork.AddWindowsPrinterConnection "\\YourServer\YourPrinter"
objNetwork.SetDefaultPrinter "\\YourServer\YourPrinter"
 
This seems to work well in the schools. If you wanted to 
make the printers user specific you could do it with group policy and still only 
modify one script.
 
Ger


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, December 29, 2003 4:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD / Printers

We're 
going through this now.  We're renaming our print servers to conform to our 
new AD naming standard, so obviously all our print queues break.  I used 
prnadmin.dll which comes with the Win2k resource kit, and the prnadmin.vbs that 
comes with it, and wrote a Winbatch script to call and register.  Basically 
it reads in all the print queues on the desktop, exports it to a txt file, does 
a search and replace for old print server->new print server, and exports it 
to a .bat file that it then executes which uses prnadmin.dll to add all the 
printers back in pointing to the new print server.  Works pretty 
well...

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
  Sent: Monday, December 29, 2003 6:09 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] AD / Printers

  Is there an easy way to move printers off one server to another in AD without users having to remap?

  Thanks

  Mike

  Rendition Networks, Inc.
  10735 Willows Rd NE, Suite 150
  Redmond, WA 98052
  425.636.2148 | Fax: 425.497.1149

  
  
~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~



RE: [ActiveDir] AD / Printers

2003-12-29 Thread Joe



Since the server name is part of the mapping I would say no
unless you had the old server pick up the new server name. You could do that
either by just naming it that way or by adding an additional NetBIOS name to it
and getting it registered in WINS and/or DNS. 
 
  joe


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Monday, December 29, 2003 7:09 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD / Printers

Is there an easy way to move printers off one server to another in AD without users having to remap?

Thanks

Mike

Rendition Networks, Inc.
10735 Willows Rd NE, Suite 150
Redmond, WA 98052
425.636.2148 | Fax: 425.497.1149


RE: [ActiveDir] AD / Printers

2003-12-29 Thread Rimmerman, Russ



We're 
going through this now.  We're renaming our print servers to conform to our 
new AD naming standard, so obviously all our print queues break.  I used 
prnadmin.dll which comes with the Win2k resource kit, and the prnadmin.vbs that 
comes with it, and wrote a Winbatch script to call and register.  Basically 
it reads in all the print queues on the desktop, exports it to a txt file, does 
a search and replace for old print server->new print server, and exports it 
to a .bat file that it then executes which uses prnadmin.dll to add all the 
printers back in pointing to the new print server.  Works pretty 
well...

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
  Sent: Monday, December 29, 2003 6:09 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] AD / Printers

  Is there an easy way to move printers off one server to another in AD without users having to remap?

  Thanks

  Mike

  Rendition Networks, Inc.
  10735 Willows Rd NE, Suite 150
  Redmond, WA 98052
  425.636.2148 | Fax: 425.497.1149

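The search-and-replace stage Russ describes, as an added Python example that is not from his Winbatch script or from prnadmin: it parses each exported \\server\share entry, re-points only the entries whose server component matches the old name (so a share name that happens to contain the old server name is left alone, which a plain text replace would corrupt), and emits the remove/add commands for the batch file. The export list and the new server name are constructed for the example, and printui.dll's PrintUIEntry (/dn delete, /in add a network printer connection) stands in for the resource-kit prnadmin.dll he used.

```python
import re

# Constructed sample of a per-desktop printer-connection export (not Russ's data):
# one UNC path per line, as the first stage of his script would write it out.
CONSTRUCTED_EXPORT = r"""
\\PRINTSRV1\HP4050-ACCT
\\printsrv1\PRINTSRV1-LOBBY
\\PRINTSRV2\Color-Lab
""".strip()

# \\server\share and nothing else: no deeper path, no bare server.
_UNC = re.compile(r"^\\\\([^\\]+)\\([^\\]+)$")


def parse_unc(path):
    """Split \\server\share into (server, share); reject anything else."""
    m = _UNC.match(path.strip())
    if not m:
        raise ValueError(f"not a \\\\server\\share path: {path!r}")
    return m.group(1), m.group(2)


def rename_server(path, old_server, new_server):
    """Return the path re-pointed at new_server if (and only if) its server
    component is old_server (case-insensitive). The share name is never touched."""
    server, share = parse_unc(path)
    if server.lower() != old_server.lower():
        return path
    return "\\\\" + new_server + "\\" + share


def plan(export_text, old_server, new_server):
    """Rows that must change, as (current path, replacement path) pairs."""
    rows = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line:
            continue
        new_path = rename_server(line, old_server, new_server)
        if new_path != line:
            rows.append((line, new_path))
    return rows


def naive_replace(path, old_server, new_server):
    """The text search-and-replace shortcut, shown for contrast: it also
    rewrites share names that happen to contain the old server name."""
    return re.sub(re.escape(old_server), new_server, path, flags=re.IGNORECASE)


def commands(rows):
    """Batch lines: drop the stale connection, then add the new one.
    printui.dll is an assumed stand-in for prnadmin.dll here."""
    out = []
    for old_path, new_path in rows:
        out.append(f'rundll32 printui.dll,PrintUIEntry /dn /n "{old_path}"')
        out.append(f'rundll32 printui.dll,PrintUIEntry /in /n "{new_path}"')
    return out


if __name__ == "__main__":
    for cmd in commands(plan(CONSTRUCTED_EXPORT, "PRINTSRV1", "PRN-CORP-01")):
        print(cmd)
```

The second sample line is the case a blind replace gets wrong: rename_server() yields \\PRN-CORP-01\PRINTSRV1-LOBBY, while naive_replace() would also rewrite the share to PRN-CORP-01-LOBBY and the re-add would fail against a share that does not exist.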


[ActiveDir] AD / Printers

2003-12-29 Thread Mike Hogenauer



Is there an easy way to move printers off one server to another in AD without users having to remap?

Thanks

Mike

Rendition Networks, Inc.
10735 Willows Rd NE, Suite 150
Redmond, WA 98052
425.636.2148 | Fax: 425.497.1149




RE: [ActiveDir] Upgrading computers and computer objects

2003-12-29 Thread Joe
Hello. 

I am offering slightly different info/experience. Both because I am serious
and because I like to take up unpopular stands. :o)

If you have printer or MQ objects or other objects hanging off the computer
object either delete the object and all subobjects or remove the subobjects.


For just a plain jane standalone computer object I see nothing wrong with
resetting the password on the account and rejoining. In fact that is a very
common practice in our company for Dev server accounts because there are
only 3 people in the entire company that can create the server computer
objects in the right place and if a server account pops up someplace else we
promptly "jail" it. We create the accounts with some delegated rights for
join (one of which allows password reset) to some given domain local group.
When the people in that group need to rebuild the machine they rebuild it,
reset the password on the account, and then rejoin. We have developer
machines that have had this done hundreds of times. 

There is a lot of chatter concerning the computer's SID. The SID of the
computer and the SID of the computer object are NOT the same. I am not
positive that the computer maintains a copy of its domain SID on itself
though I expect it may (Does Mark Russinovich watch this list at all? He
would know.). Regardless, they are separately created and maintained. This
is easy to see: dump the SID of the computer object, which will have the
domain SID (adfind -gc -b -f name=machinename objectsid), and then dump the
SID of the machine (sideways method is to use getsid to get the SID of an
account and strip off the last security identifier field like -500 or -501).
Look at them, they are different. 


C:\WINDOWS>adfind -gc -b -f name=mainpro objectsid

AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003

Using server: w2kasdc1.joehome.com

dn:CN=MAINPRO,CN=Computers,DC=joehome,DC=com
>objectSid: S-1-5-21-1275210071-789336058-1957994488-218311


1 Objects returned

C:\WINDOWS>getsid \\mainpro guest \\mainpro administrator
The SID for account MAINPRO\guest does not match account
MAINPRO\administrator
The SID for account MAINPRO\guest is
S-1-5-21-1220945662-1682526488-1060284298-501
The SID for account MAINPRO\administrator is
S-1-5-21-1220945662-1682526488-1060284298-500

C:\WINDOWS>



SID1: SID of computer object is
S-1-5-21-1275210071-789336058-1957994488-218311
SID2: SID of computer itself is S-1-5-21-1220945662-1682526488-1060284298

SID1 != SID2


As for removing the account from the domain when unjoining: this doesn't
occur, as I think has been worked out. At most I have seen it disable an
account, though even that isn't always done depending on what the context of
the user is that does the unjoin. If the user doesn't have permissions to
write the computer's userAccountControl she wouldn't be able to disable the
account. 



Hope that helps out. 


  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Irwan Hadi
Sent: Sunday, December 28, 2003 8:29 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Upgrading computers and computer objects

I'm curious what is the best practice or recommended way for the following
case:
I have several computers that are joined to the domain, and I'm going to
upgrade some of these computers with a different computer (newer), though the
UNC name of these computers will remain the same.
Should I:
1. Remove the old computers from the domain, install the new computers, and
join them to the domain?
2. Since there are several computers, can I just delete the corresponding
computer objects in the ADUC, install the new computers, and join them to
the domain?
3. Just put the new computers in place, and join them with the same name?

So far, I'm doing the second way, because I think it is the cleanest way.

Thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

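The comparison joe makes above, as an added Python example that is not part of his post and not how adfind or getsid work internally: it parses the textual SIDs from his output, strips the RID to get the identifier of the issuing domain or machine, and checks whether two SIDs share an issuer. It also encodes and decodes the binary layout the objectSid attribute actually holds (revision, sub-authority count, 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities), since adfind renders it as text but a raw LDAP read returns the bytes. The only inputs are the three SIDs printed in his output.

```python
import struct

# Sample values taken from joe's adfind and getsid output above.
COMPUTER_OBJECT_SID = "S-1-5-21-1275210071-789336058-1957994488-218311"
LOCAL_GUEST_SID = "S-1-5-21-1220945662-1682526488-1060284298-501"
LOCAL_ADMIN_SID = "S-1-5-21-1220945662-1682526488-1060284298-500"


def parse_sid(text):
    """Split 'S-R-A-s1-s2-...' into (revision, identifier authority, [sub-authorities])."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # Revision is always 1; a SID carries at most 15 sub-authorities, each 32 bits.
    if revision != 1 or len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError(f"malformed SID: {text!r}")
    return revision, authority, subs


def format_sid(revision, authority, subs):
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def sid_to_bytes(text):
    """Encode a textual SID into the binary form stored in objectSid:
    revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then each sub-authority as a 32-bit little-endian int."""
    revision, authority, subs = parse_sid(text)
    header = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def sid_from_bytes(blob):
    """Decode a binary objectSid back into its textual form."""
    if len(blob) < 8:
        raise ValueError("objectSid too short")
    revision, count = struct.unpack_from("<BB", blob, 0)
    authority = int.from_bytes(blob[2:8], "big")
    if len(blob) != 8 + 4 * count:
        raise ValueError("objectSid length does not match sub-authority count")
    subs = list(struct.unpack_from(f"<{count}I", blob, 8))
    return format_sid(revision, authority, subs)


def issuer(text):
    """Drop the trailing RID. For S-1-5-21-* SIDs what remains identifies the
    domain (or the stand-alone machine) whose authority issued the account."""
    revision, authority, subs = parse_sid(text)
    if len(subs) < 2:
        raise ValueError(f"SID has no RID to strip: {text!r}")
    return format_sid(revision, authority, subs[:-1])


def rid(text):
    """The relative identifier: 500 is the built-in Administrator, 501 is Guest."""
    return parse_sid(text)[2][-1]


def same_issuer(a, b):
    """True when both SIDs were issued by the same domain or machine authority."""
    return issuer(a) == issuer(b)


if __name__ == "__main__":
    print("computer object issuer:", issuer(COMPUTER_OBJECT_SID))
    print("machine issuer        :", issuer(LOCAL_ADMIN_SID))
    print("same issuer?          :", same_issuer(COMPUTER_OBJECT_SID, LOCAL_ADMIN_SID))
```

Run stand-alone it prints the two issuer values and False for the comparison, which is the SID1 != SID2 result joe shows. The same issuer() check, applied to any account SID from getsid against the domain's SID, is the quickest way to tell a local account from a domain account on a member machine.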


RE: [ActiveDir] Upgrading computers and computer objects

2003-12-29 Thread Kingslan, Rick T.
Rich,

I suspect it's not the SID it's looking at.  It's more likely the GUID.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, December 29, 2003 10:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Upgrading computers and computer objects

Further info... after #9 on XP, I removed, rebooted, and then added it
back under a different name that happened to already exist.  It told me
that it already existed, and it added it back with the same name it had
before.  I'm pretty sure the name that exists is simply for a VM that I
rebuilt with RIS without removing the computer account.  So perhaps it's
checking the computer's SID and if it's the same one, it allows the
computer to be added back under the same name.  Perhaps resetting the
account allows you to add a new SID under that name without deleting and
re-adding the computer account in AD?
Rich

-Original Message-
From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Monday, December 29, 2003 10:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Upgrading computers and computer objects

Yeah that's what I usually do.  I went through the process with Win2K
and WinXP just now.  Here is what I found:

Win2K -
1) logged on as domain admin,
2) moved to workgroup - silently succeeded
3) did not notice if account was disabled.  
4) Rebooted, logged in as local admin,
5) added it back to the domain, same computer name,
6) it asked me for authorized login info to add account, succeeded.  
7) Rebooted, logged in as local admin,
8) moved back to workgroup, it told me: This computer was disjoined from
the domain "DOMAIN.COM", but the computer account could not be disabled.
You should contact your network administrator with this information.  
9) Rebooted, joined back to domain with same computer name, no problems.

WinXP -
1) logged on as domain admin,
2) moved to workgroup, asked me for authentication, which I gave without
specifying domain,
3) checked ADUC and computer account was disabled but not deleted.  
4) Rebooted, logged in as local admin,
5) added it back to the domain, same computer name,
6) asked me for authorized login info to add account, succeeded.  
7) Rebooted, logged in as local admin,
8) moved back to workgroup, asked me for credentials, succeeded.  
9) Rebooted, joined back to domain with same computer name, no problems.

It seems that the only difference is that Win2K does not ask for
credentials and either silently succeeds or it fails to disable the
account.  XP asks for credentials.  What's the point in disabling the
account?  Not sure.
What does a reset gain you?  Not sure there either, because I never once
deleted the computer name or reset it before adding the computer back to
the domain with the same name.  Granted, the computer NIC and IP and etc
was the same so maybe it checks that before allowing you to add back
with an existing name.  But NT4 didn't allow that, you had to delete the
account first (and sync with the PDC!)

Rich

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, December 29, 2003 10:05 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Upgrading computers and computer objects

Wow. Never saw that before.

I'll have to play with my crashbox a bit later. Maybe its just because I
usually rebuild the box then worry about the domain account later...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Rich Milburn [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 29, 2003 11:02 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
> 
> 
> Just tried it, XP SP1 on a 2003 domain, Network Identification, 
> switched from domain member to workgroup member:
> 
> Enter the name and password of an account with permission to remove 
> this computer from the domain.
> 
> User name:
> 
> Password:
> 
> This is while logged in as a domain admin.  It seems to be fairly new 
> behavior, I can't recall if AD 2000 did this or not.  It might be an 
> XP thing.
> 
> Rich
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 29, 2003 9:41 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
> 
> I've only been prompted for credentials when joining a domain, not 
> when leaving one. And those are always for the new domain, not the 
> old.
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: Rich Milburn [mailto:[EMAIL PROTECTED]
> > Sent: Monday, December 29, 2003 10:38 AM
> > To: [EMAIL PROTECTED]

[ActiveDir] Raise domain/forest function level, any caveats?

2003-12-29 Thread montano
Title: Raise domain/forest function level, any caveats?





Hi,


 I have a 2003 AD (upgraded from NT4).  I have 3 DCs (2 in main site, one in remote site).  DC1 in main site has all FSMO roles.

ALL NT4 BDCS have been removed.


I have 3 NT4 member servers remaining.  1 SQL server, 1 Exchange 5.5, and one fax server.


Is there anything to lookout for before raising domain and forest levels?


I want to begin the 2003 exchange migration process and would rather have the domain/forest level set at native before I run forest and domain prep.

Thanks all





RE: [ActiveDir] Upgrading computers and computer objects

2003-12-29 Thread Rich Milburn
Further info... after #9 on XP, I removed, rebooted, and then added it back
under a different name that happened to already exist.  It told me that it
already existed, and it added it back with the same name it had before.  I'm
pretty sure the name that exists is simply for a VM that I rebuilt with RIS
without removing the computer account.  So perhaps it's checking the
computer's SID and if it's the same one, it allows the computer to be added
back under the same name.  Perhaps resetting the account allows you to add a
new SID under that name without deleting and re-adding the computer account
in AD?
Rich

-Original Message-
From: Rich Milburn [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 29, 2003 10:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Upgrading computers and computer objects

Yeah that's what I usually do.  I went through the process with Win2K and
WinXP just now.  Here is what I found:

Win2K - 
1) logged on as domain admin, 
2) moved to workgroup - silently succeeded 
3) did not notice if account was disabled.  
4) Rebooted, logged in as local admin, 
5) added it back to the domain, same computer name, 
6) it asked me for authorized login info to add account, succeeded.  
7) Rebooted, logged in as local admin, 
8) moved back to workgroup, it told me: This computer was disjoined from the
domain "DOMAIN.COM", but the computer account could not be disabled.  You
should contact your network administrator with this information.  
9) Rebooted, joined back to domain with same computer name, no problems.

WinXP - 
1) logged on as domain admin, 
2) moved to workgroup, asked me for authentication, which I gave without
specifying domain, 
3) checked ADUC and computer account was disabled but not deleted.  
4) Rebooted, logged in as local admin, 
5) added it back to the domain, same computer name, 
6) asked me for authorized login info to add account, succeeded.  
7) Rebooted, logged in as local admin, 
8) moved back to workgroup, asked me for credentials, succeeded.  
9) Rebooted, joined back to domain with same computer name, no problems.

It seems that the only difference is that Win2K does not ask for credentials
and either silently succeeds or it fails to disable the account.  XP asks
for credentials.  What's the point in disabling the account?  Not sure.
What does a reset gain you?  Not sure there either, because I never once
deleted the computer name or reset it before adding the computer back to the
domain with the same name.  Granted, the computer NIC and IP and etc was the
same so maybe it checks that before allowing you to add back with an
existing name.  But NT4 didn't allow that, you had to delete the account
first (and sync with the PDC!)

Rich

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 29, 2003 10:05 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Upgrading computers and computer objects

Wow. Never saw that before.

I'll have to play with my crashbox a bit later. Maybe its just because I
usually rebuild the box then worry about the domain account later...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Rich Milburn [mailto:[EMAIL PROTECTED] 
> Sent: Monday, December 29, 2003 11:02 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
> 
> 
> Just tried it, XP SP1 on a 2003 domain, Network 
> Identification, switched
> from domain member to workgroup member:
> 
> Enter the name and password of an account with permission to 
> remove this
> computer from the domain.
> 
> User name:
> 
> Password:
> 
> This is while logged in as a domain admin.  It seems to be fairly new
> behavior, I can't recall if AD 2000 did this or not.  It 
> might be an XP
> thing.
> 
> Rich
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
> Sent: Monday, December 29, 2003 9:41 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
> 
> I've only been prompted for credentials when joining a 
> domain, not when
> leaving one. And those are always for the new domain, not the old.
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: Rich Milburn [mailto:[EMAIL PROTECTED] 
> > Sent: Monday, December 29, 2003 10:38 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Upgrading computers and computer objects
> > 
> > 
> > You know... it's one of those things I rarely bother to do 
> > because I do #2
> > below, and the couple of times I have done it, I've never 
> > checked to see if
> > the account was gone.  Seems like you _should_ need domain 
> > privs to remove a
> > computer from the domain, and it _should_ delete the computer 
> > account... now
> > t

RE: [ActiveDir] Upgrading computers and computer objects

2003-12-29 Thread Rich Milburn
Yeah that's what I usually do.  I went through the process with Win2K and
WinXP just now.  Here is what I found:

Win2K - 
1) logged on as domain admin, 
2) moved to workgroup - silently succeeded 
3) did not notice if account was disabled.  
4) Rebooted, logged in as local admin, 
5) added it back to the domain, same computer name, 
6) it asked me for authorized login info to add account, succeeded.  
7) Rebooted, logged in as local admin, 
8) moved back to workgroup, it told me: This computer was disjoined from the
domain "DOMAIN.COM", but the computer account could not be disabled.  You
should contact your network administrator with this information.  
9) Rebooted, joined back to domain with same computer name, no problems.

WinXP - 
1) logged on as domain admin, 
2) moved to workgroup, asked me for authentication, which I gave without
specifying domain, 
3) checked ADUC and computer account was disabled but not deleted.  
4) Rebooted, logged in as local admin, 
5) added it back to the domain, same computer name, 
6) asked me for authorized login info to add account, succeeded.  
7) Rebooted, logged in as local admin, 
8) moved back to workgroup, asked me for credentials, succeeded.  
9) Rebooted, joined back to domain with same computer name, no problems.

It seems that the only difference is that Win2K does not ask for credentials
and either silently succeeds or it fails to disable the account.  XP asks
for credentials.  What's the point in disabling the account?  Not sure.
What does a reset gain you?  Not sure there either, because I never once
deleted the computer name or reset it before adding the computer back to the
domain with the same name.  Granted, the computer NIC and IP and etc was the
same so maybe it checks that before allowing you to add back with an
existing name.  But NT4 didn't allow that, you had to delete the account
first (and sync with the PDC!)

Rich

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 29, 2003 10:05 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Upgrading computers and computer objects

Wow. Never saw that before.

I'll have to play with my crashbox a bit later. Maybe its just because I
usually rebuild the box then worry about the domain account later...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Rich Milburn [mailto:[EMAIL PROTECTED] 
> Sent: Monday, December 29, 2003 11:02 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
> 
> 
> Just tried it, XP SP1 on a 2003 domain, Network 
> Identification, switched
> from domain member to workgroup member:
> 
> Enter the name and password of an account with permission to 
> remove this
> computer from the domain.
> 
> User name:
> 
> Password:
> 
> This is while logged in as a domain admin.  It seems to be fairly new
> behavior, I can't recall if AD 2000 did this or not.  It 
> might be an XP
> thing.
> 
> Rich
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
> Sent: Monday, December 29, 2003 9:41 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
> 
> I've only been prompted for credentials when joining a 
> domain, not when
> leaving one. And those are always for the new domain, not the old.
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: Rich Milburn [mailto:[EMAIL PROTECTED] 
> > Sent: Monday, December 29, 2003 10:38 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Upgrading computers and computer objects
> > 
> > 
> > You know... it's one of those things I rarely bother to do 
> > because I do #2
> > below, and the couple of times I have done it, I've never 
> > checked to see if
> > the account was gone.  Seems like you _should_ need domain 
> > privs to remove a
> > computer from the domain, and it _should_ delete the computer 
> > account... now
> > that you mention it I have "removed" computers from the 
> > domain without being
> > able to contact the DC.  What's the point of asking for an 
> > account that can
> > remove it from the domain, if you have to be an admin to get 
> > that far in the
> > first place? (though I've never tried switching to workgroup 
> > as a non-admin
> > account so maybe it will let you try to remove the computer 
> > from the domain
> > as a regular user and just ask for an admin account?)
> > 
> > -Original Message-
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
> > Sent: Monday, December 29, 2003 8:58 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] Upgrading computers and computer objects
> > 
> > Actually, removing a computer from the domain on the client 
> side (i.e.
> > changing its domain 

RE: [ActiveDir] Upgrading computers and computer objects

2003-12-29 Thread David Houston
As Rick says option two would be the best way to go forward with it. The
new computers wouldn't have the corresponding SID of the computer that
they are replacing. Deleting the existing computer accounts will delete
the old SIDs, and joining up the new machines with the correct naming
convention that you are looking for will add the new SIDs to the
database. 
Hope this helps 
Dave 

-Original Message- 
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan 
Sent: 28 December 2003 19:32 
To: [EMAIL PROTECTED] 
Subject: RE: [ActiveDir] Upgrading computers and computer objects 


Irwan, 

I would concur that option two is the most successful method, from my
experience. For all intents and purposes, the Computer object is a
derivative of the User object and has a SID associated with it. Simply
naming a computer the same as an existing object will not yield the
desired result, and will often cause unpredictable results. 

I might not be reading the options correctly, but I see option one and
three as the same. 

Rick Kingslan MCSE, MCSA, MCT 
Microsoft MVP - Active Directory 
Associate Expert 
Expert Zone - www.microsoft.com/windowsxp/expertzone 
WebLog - www.msmvps.com/willhack4food 


-Original Message- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Irwan Hadi 
Sent: Sunday, December 28, 2003 7:29 AM 
To: [EMAIL PROTECTED] 
Subject: [ActiveDir] Upgrading computers and computer objects 

I'm curious what is the best practice or recommended way for the
following case: 
I have several computers that are joined to the domain, and I'm going to
upgrade some of these computers with a different computer (newer), though
the UNC name of these computers will remain the same. Should I: 
1. Remove the old computers from the domain, install the new computers, and
join them to the domain? 
2. Since there are several computers, can I just delete the corresponding
computer objects in the ADUC, install the new computers, and join them to
the domain? 
3. Just put the new computers in place, and join them with the same name? 

So far, I'm doing the second way, because I think it is the cleanest
way. 

Thanks 


Kind regards,
David Houston
Computer Consultant

Mob.: (+353) 087 6810844
E-mail: [EMAIL PROTECTED]


Dame Computers
Ruwenzori
Delgany, Wicklow
Tel. : 01-2873159
Fax : 01-2874521
E-mail: [EMAIL PROTECTED] 




This document may include proprietary and confidential information of
Dame Computers.
and may only be read by those person or persons to whom it is addressed.
 
If you have received this E-mail message in error, please notify us
immediately.
This document may not be reproduced, copied, distributed, published,
modified,
or furnished to third parties, without the prior written consent.
 
 
 




RE: [ActiveDir] Upgrading computers and computer objects

2003-12-29 Thread Roger Seielstad
Wow. Never saw that before.

I'll have to play with my crashbox a bit later. Maybe its just because I
usually rebuild the box then worry about the domain account later...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Rich Milburn [mailto:[EMAIL PROTECTED] 
> Sent: Monday, December 29, 2003 11:02 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
> 
> 
> Just tried it, XP SP1 on a 2003 domain, Network 
> Identification, switched
> from domain member to workgroup member:
> 
> Enter the name and password of an account with permission to 
> remove this
> computer from the domain.
> 
> User name:
> 
> Password:
> 
> This is while logged in as a domain admin.  It seems to be fairly new
> behavior, I can't recall if AD 2000 did this or not.  It 
> might be an XP
> thing.
> 
> Rich
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
> Sent: Monday, December 29, 2003 9:41 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
> 
> I've only been prompted for credentials when joining a 
> domain, not when
> leaving one. And those are always for the new domain, not the old.
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: Rich Milburn [mailto:[EMAIL PROTECTED] 
> > Sent: Monday, December 29, 2003 10:38 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Upgrading computers and computer objects
> > 
> > 
> > You know... it's one of those things I rarely bother to do 
> > because I do #2
> > below, and the couple of times I have done it, I've never 
> > checked to see if
> > the account was gone.  Seems like you _should_ need domain 
> > privs to remove a
> > computer from the domain, and it _should_ delete the computer 
> > account... now
> > that you mention it I have "removed" computers from the 
> > domain without being
> > able to contact the DC.  What's the point of asking for an 
> > account that can
> > remove it from the domain, if you have to be an admin to get 
> > that far in the
> > first place? (though I've never tried switching to workgroup 
> > as a non-admin
> > account so maybe it will let you try to remove the computer 
> > from the domain
> > as a regular user and just ask for an admin account?)
> > 
RE: [ActiveDir] Upgrading computers and computer objects

2003-12-29 Thread Rich Milburn
Just tried it, XP SP1 on a 2003 domain, Network Identification, switched
from domain member to workgroup member:

Enter the name and password of an account with permission to remove this
computer from the domain.

User name:

Password:

This is while logged in as a domain admin.  It seems to be fairly new
behavior; I can't recall if AD 2000 did this or not.  It might be an XP
thing.

Rich

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 29, 2003 9:41 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Upgrading computers and computer objects

I've only been prompted for credentials when joining a domain, not when
leaving one. And those are always for the new domain, not the old.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.



RE: [ActiveDir] Upgrading computers and computer objects

2003-12-29 Thread Roger Seielstad
I've only been prompted for credentials when joining a domain, not when
leaving one. And those are always for the new domain, not the old.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Rich Milburn [mailto:[EMAIL PROTECTED] 
> Sent: Monday, December 29, 2003 10:38 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
> 
> 
> You know... it's one of those things I rarely bother to do 
> because I do #2
> below, and the couple of times I have done it, I've never 
> checked to see if
> the account was gone.  Seems like you _should_ need domain 
> privs to remove a
> computer from the domain, and it _should_ delete the computer 
> account... now
> that you mention it I have "removed" computers from the 
> domain without being
> able to contact the DC.  What's the point of asking for an 
> account that can
> remove it from the domain, if you have to be an admin to get 
> that far in the
> first place? (though I've never tried switching to workgroup 
> as a non-admin
> account so maybe it will let you try to remove the computer 
> from the domain
> as a regular user and just ask for an admin account?)
> 

RE: [ActiveDir] Upgrading computers and computer objects

2003-12-29 Thread Rich Milburn
You know... it's one of those things I rarely bother to do because I do #2
below, and the couple of times I have done it, I've never checked to see if
the account was gone.  Seems like you _should_ need domain privs to remove a
computer from the domain, and it _should_ delete the computer account... now
that you mention it I have "removed" computers from the domain without being
able to contact the DC.  What's the point of asking for an account that can
remove it from the domain, if you have to be an admin to get that far in the
first place? (though I've never tried switching to workgroup as a non-admin
account so maybe it will let you try to remove the computer from the domain
as a regular user and just ask for an admin account?)

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 29, 2003 8:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Upgrading computers and computer objects

Actually, removing a computer from the domain on the client side (i.e.
changing its domain membership to a workgroup) does NOT remove the machine
account from AD (nor did it remove the account in NT4 domains). No domain
rights are required to remove a machine from the domain - you can prove this
by using the local admin account of a machine to remove it from the domain.
Local admin has no domain rights, yet you can remove the machine from the
domain.

The only action I know of which will remove the computer account
automatically is running DCPromo to remove a DC.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.



RE: [ActiveDir] Upgrading computers and computer objects

2003-12-29 Thread Roger Seielstad
Actually, removing a computer from the domain on the client side (i.e.
changing its domain membership to a workgroup) does NOT remove the machine
account from AD (nor did it remove the account in NT4 domains). No domain
rights are required to remove a machine from the domain - you can prove this
by using the local admin account of a machine to remove it from the domain.
Local admin has no domain rights, yet you can remove the machine from the
domain.

The only action I know of which will remove the computer account
automatically is running DCPromo to remove a DC.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Rich Milburn [mailto:[EMAIL PROTECTED] 
> Sent: Monday, December 29, 2003 9:32 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Upgrading computers and computer objects
> 
> 
> Irwan forgive me if I read you wrong... 
> 
> I think what he's asking is about leaving the computer 
> accounts in AD or
> deleting them.  When you remove the computer from the domain 
> (like join it
> to a workgroup) it removes the computer account from the 
> domain.  Or you can
> turn the computer off and delete the account forcefully with 
> ADUC or dsrm or
> whatever.  Or you can reset the account - something I've rarely used,
> because I didn't know what the difference was from deleting 
> the account and
> adding the new computer with the same name.
> 
> Rich
> 

RE: [ActiveDir] Upgrading computers and computer objects

2003-12-29 Thread Rich Milburn
Irwan forgive me if I read you wrong... 

I think what he's asking is about leaving the computer accounts in AD or
deleting them.  When you remove the computer from the domain (like join it
to a workgroup) it removes the computer account from the domain.  Or you can
turn the computer off and delete the account forcefully with ADUC or dsrm or
whatever.  Or you can reset the account - something I've rarely used,
because I didn't know what the difference was from deleting the account and
adding the new computer with the same name.

Rich

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Sunday, December 28, 2003 1:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Upgrading computers and computer objects

Irwan,

I would concur that option two is the most successful method, from my
experience.  For all intents and purposes, the Computer object is a
derivative of the User object and has a SID associated with it.  Simply
naming a computer the same as an existing object will not yield the desired
result, and will often cause unpredictable results. 

I might not be reading the options correctly, but I see option one and three
as the same.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Irwan Hadi
Sent: Sunday, December 28, 2003 7:29 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Upgrading computers and computer objects

I'm curious what is the best practice or recommended way for the following
case:
I have several computers that are joined to the domain, and I'm going to
upgrade some of these computers with a different computer (newer), though the
UNC name of these computers will remain the same.
Should I:
1. Remove the old computers from the domain, install the new computers, and
join them to the domain?
2. Since there are several computers, can I just delete the corresponding
computer objects in the ADUC, install the new computers, and join them to
the domain?
3. Just put the new computers in place, and join them with the same name?

So far, I'm doing the second way, because I think it is the cleanest way.

Thanks


RE: [ActiveDir] SMB Connections to a DC; How many is normal?

2003-12-29 Thread Rick Kingslan



Ummm..  What is SYSVOL (FRS, Dfs) replicated over?  I'd think port 445 -
effectively a SMB connection that would be established, and not to any great
surprise - held open for long periods of time?
 
I'm completely shooting in the dark because I'm nowhere 
near a machine right now that I can take a sniff off of - but I think (now that 
I'm intrigued) I will take an Ethereal trace of our DC to DC traffic and see if 
that's what it is.  Nothing like the sense of discovery (and Pissing 
off folks at eEye Digital..;o) 
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Monday, December 29, 2003 7:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SMB Connections to a DC; How many is normal?


What is interesting is 
that some DC’s have open SMB connections for days, and weeks.  I wonder why 
that is…. Our DC’s don’t house any files, other than login 
scripts.
 
Todd
 






RE: [ActiveDir] SMB Connections to a DC; How many is normal?

2003-12-29 Thread Myrick, Todd (NIH/CIT)
What is interesting is that some DC’s
have open SMB connections for days, and weeks.  I wonder why that is….
Our DC’s don’t house any files, other than login scripts.

 

Todd

From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 25, 2003 3:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SMB Connections to a DC; How many is normal?

Completely depends on the usage per DC.
You won't be able to get a single baseline that applies to all DCs equally
unless you have your load balanced perfectly which you don't have. 

 

Some DCs will have x number of users using
them regularly, some will have y. Z users will use the DCs in a slightly
different way than Alpha users will, etc.

 

I think you should simply watch what you
are seeing for a while and get used to the patterns and then maybe try to
explain them. Most likely you will set the patterns and then just watch for
large changes in them. 

 

   joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Monday, December 22, 2003 3:04 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] SMB Connections to a DC; How many is normal?

I know this question is relative but let's say I have a 20K User Domain with 17
DC's, the DC's have a Gig of RAM and Dual Procs.  What would you say is the
average number of SMB connections that should be connected to the box?  I know
that as long as performance isn't slowing I am fine, but I am just looking for
what people think and why...

Thanks,

Todd

RE: [ActiveDir] How large are your security logs on your DC's?

2003-12-29 Thread Myrick, Todd (NIH/CIT)
Since I have such a large deployment of DC's, I try to keep my Security
Event Logs at about 2 Days worth on the DC's, and I am evaluating a product
from Aelita called InTrust to gather the logs into a MSDE database for
evaluation.  Specifically I filter on directory modification events and
failed account events.  I plan to email reports for both to me for review.

A poor man's solution to this could be to script the Eventcomb utility to do the
same thing.  Whatever the case... I recommend copying the event logs to a
central safe place once a day.

Todd

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 24, 2003 6:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How large are your security logs on your DC's?

David,

I have primarily two settings - servers internally to our environment, and
servers at-risk.  A server at risk is defined as a server in the DMZ or a
DC.  By default, the internal member servers are at 50MB.  My at-risk
servers have a security log of 100MB.  And, with me not being at work right
now either, seems that your audit settings are the same as what I'm using at
present.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, December 24, 2003 9:25 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] How large are your security logs on your DC's?

We have auditing enabled on all our servers, with the Security log set to
5MB on member servers.  We upped that number to 25MB on DC's because the log
was filling so fast, then again to 50MB, but it's still only maintaining
about 3-4 days worth of logs (we have it configured to prune as needed).  We
have plenty of disk space, but I know the more we track, the harder it is to
even open the log, especially remotely.  I'm curious how others have their
logs set up.

We need to be able to track when users have logged on or off and when
changes are made to policies and accounts.

The audit settings are (I'm doing this from memory; I'm not at work):

Account logon events    success/failure
Account management      success/failure
Logons                  success/failure
Object access           none
Policy changes          success/failure
Privilege use           failure
Process tracking        none
System events           success/failure

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
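The daily review Todd describes (copy the Security logs to a central place, then filter them down to directory modification events and failed account events), as an added Python example that is not part of the thread. The CSV layout, the sample records and the event-ID sets are constructed assumptions; the sizing helper applies David's figures (a 50MB log holding about 3-4 days) to other retention targets.

```python
from __future__ import annotations

import csv
import io
import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Windows 2000/2003-era Security-log event IDs. Which IDs count as "failed
# account events" and "directory modification events" is an assumption made
# for this example; extend the sets to match the audit policy in force.
FAILED_ACCOUNT_EVENTS = {
    529,  # logon failure: unknown user name or bad password
    530,  # logon failure: account logon time restriction
    531,  # logon failure: account currently disabled
    532,  # logon failure: account expired
    535,  # logon failure: password expired
    539,  # logon failure: account locked out
    644,  # user account locked out
    675,  # Kerberos pre-authentication failed
}
DIRECTORY_MODIFICATION_EVENTS = {
    624,  # user account created
    630,  # user account deleted
    642,  # user account changed
    645,  # computer account created
    647,  # computer account deleted
}


@dataclass(frozen=True)
class SecurityEvent:
    when: datetime
    event_id: int
    computer: str  # DC whose log the record came from
    account: str   # account the event is about
    detail: str


def parse_export(text: str) -> list[SecurityEvent]:
    """Parse a CSV export with the columns date,time,eventid,computer,account,detail.
    The layout is constructed for this example, not the output of a specific tool."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        events.append(SecurityEvent(when, int(row["eventid"]), row["computer"],
                                    row["account"], row["detail"]))
    return events


def classify(event: SecurityEvent) -> str | None:
    """Return the report category for an event, or None if it is not reported."""
    if event.event_id in FAILED_ACCOUNT_EVENTS:
        return "failed_account"
    if event.event_id in DIRECTORY_MODIFICATION_EVENTS:
        return "directory_modification"
    return None


def build_report(events: list[SecurityEvent]) -> dict:
    """Summarise one day's export: failed-account events per account, the
    directory changes in time order, and how many records were left out."""
    failed: Counter[str] = Counter()
    changes: list[SecurityEvent] = []
    for ev in sorted(events, key=lambda e: e.when):
        kind = classify(ev)
        if kind == "failed_account":
            failed[ev.account] += 1
        elif kind == "directory_modification":
            changes.append(ev)
    return {
        "failed_by_account": dict(failed),
        "directory_changes": changes,
        "ignored": len(events) - sum(failed.values()) - len(changes),
    }


def log_size_for_retention(size_mb: float, days_observed: float,
                           days_wanted: float) -> int:
    """Whole megabytes a Security log needs to keep days_wanted of records, given
    that a size_mb log currently wraps after days_observed at the same event rate."""
    return math.ceil(size_mb * days_wanted / days_observed)


# Constructed sample export: one day of records from three DCs, not in time order.
SAMPLE_EXPORT = """date,time,eventid,computer,account,detail
2003-12-29,08:00:01,528,DC01,jdoe,successful logon
2003-12-29,08:00:15,529,DC01,jdoe,bad password
2003-12-29,08:00:20,529,DC01,jdoe,bad password
2003-12-29,09:20:00,647,DC03,OLD-PC42$,computer account deleted
2003-12-29,08:01:02,529,DC02,svc-backup,bad password
2003-12-29,08:02:30,539,DC02,svc-backup,account locked out
2003-12-29,09:15:00,624,DC01,tempuser7,user account created
2003-12-29,09:21:00,538,DC03,jdoe,user logoff
"""

if __name__ == "__main__":
    report = build_report(parse_export(SAMPLE_EXPORT))
    for account, n in sorted(report["failed_by_account"].items()):
        print(f"failed account events: {account}: {n}")
    for ev in report["directory_changes"]:
        print(f"{ev.when:%Y-%m-%d %H:%M:%S} {ev.computer} {ev.event_id} {ev.account}: {ev.detail}")
    # David's 50MB log held about 3.5 days; what would a week take at that rate?
    print("size for 7 days at 50MB per 3.5 days:", log_size_for_retention(50, 3.5, 7), "MB")
```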