RE: [ActiveDir] Contents of GC

2004-02-03 Thread Dean Wells
My apologies, that is absolutely correct ... it is 500 objects per hour not
5000 as I incorrectly mentioned earlier.

The "fast demotion" was back ported to 2000 (SP4 I believe) but I'm unaware
of the SPs involved in this particular instance so the repadmin trickery
seemed relevant.

Regarding the TSL check, it is indeed there and is supposedly in order to
ensure that the objects are not simply absent from the supplied read/write
replica due to replication latency ... a behavior, again, not exhibited by
the 2003 DSA and one that I would like to see made optional.  An earlier
post mentioned that Uni. group membership would be a credible reason for
utilizing the TSL check ... this is not the case.  Since group membership
(excluding primary group membership) is maintained by the link-table,
removal of any row (DNT to DNT xRef) that is part of an existing link-pair
causes that relationship to be broken thus removing the errant Uni. group
members.

Having done some further digging, the /unhost and /rehost options are
officially "unsupported" but that's not to say they don't work ... it
depends on the replica links which are, in turn, dependent on the connection
objects and the partial replica in question ... removal of these replica
links will mitigate that problem (NOTE - this does not simply mean deleting
the connection objects).  Having now repro'd this myself, I found it easier
to manipulate the replica links by simply contriving a site configuration
that led the KCC to render no GC to GC partial replica connections rather
than consuming time using repadmin to manually remove the replica links
derived from them.  In short, this means placing each GC (one at a time) in
a temporary site that has a direct connection to the site that contains a
read/write replica, triggering the KCC on that GC and finally running the
uplevel repadmin command (XP or 2003 required with 2003 Support Tools)
against the lonely GC.  I've since determined that /rehost functions
adequately without having to first unhost the partition.  In my case, it
rendered an error each time but succeeded nonetheless (I've since submitted
this as a potential bug though I doubt it will be actioned since the
switches are, as I mentioned, "officially" unsupported).  Note that this
process is directly equivalent to de- and re-GCing each GC assuming you have
only two domains in the forest and would, subsequently, become somewhat
pointless in that scenario.

Deano

--
Dean Wells
MSEtechnology
* Tel: +1 (954) 501-4307
* Email: [EMAIL PROTECTED]
http://msetechnology.com



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bernard, Aric
Sent: Sunday, February 01, 2004 10:39 PM
To: [EMAIL PROTECTED]; AD mailing list (Send)
Subject: RE: [ActiveDir] Contents of GC


FWIW - If I am not mistaken, the KCC removal rate of objects in the GC
is actually 500 under Windows 2000. However, I believe that SP4 for
Windows 2000 also provides the rapid removal of GC objects such as is
provided in Windows Server 2003.

Regards,

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, January 31, 2004 3:03 PM
To: AD mailing list (Send)
Subject: RE: [ActiveDir] Contents of GC

I have a former student (a PSS tech.) looking into the very same thing and
received a voicemail/email last night outlining precisely the behavior you
reference.  The Microsoft definition of a lingering object (in my opinion
and this instance) is too strict and unnecessarily "guarded" (my two pence
at least) and also explains the less than 100% track record I've
experienced with this *feature*.  Advancing the clock and/or reducing the
TSL are NOT (in most cases) viable options, thus we appear to be left with
few plausible approaches.

The implementation of this feature bewilders me especially when contrasted
against the equivalent 2003 behaviors, I'll do some digging and see what
turns up.

Regarding the /unhost switch, I wasn't aware that this is supported against
a 2000 DSA??  With regard to 2003, the behavior when destroying partitions
has been altered.  The objects are still removed in batches of 5000 but the
iterations are no longer bound to the KCC cycle ... they are simply a
continuous low priority task.

The "for-in-do" loop I outlined is useful within the context of the
original question (and may or may not continue to be of use if the /unhost
switch is supported ... it depends on the resulting behavior which I've not
tested against 2000).

Deano

--
Dean Wells
MSEtechnology
* Tel: +1 (954) 501-4307
* Email: [EMAIL PROTECTED]
http://msetechnology.com



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Turin, Vladimir
Sent: Saturday, January 31, 2004 12:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Contents of GC




  I did some tests and looks like method #2 (removelingeringobject)
won't work in described case. Apparently MS guys are checking tha

RE: [ActiveDir] Moving Schema Master

2004-02-03 Thread Rich Milburn
I'm getting shivers just thinking about your poor box out there in the cold
running Exchange, IIS, and a DC with a FSMO role to boot, all those lovely
services sitting out there in the DMZ ... sorry that was a shiver
again ;-p

What do you have in between your DMZ and trusted net?  Something that can
log traffic?  If so you should be able to see dropped/rejected packets and
tell what ports are still not open.

Or - not the greatest solution but might be a quick way out - you could set
the default gateway on your Exchange server to the firewall (so no one can
compromise the box for a few minutes), open all ports IP to IP between
Exchange and the internal DC, transfer the Schema Master, close them back,
switch the GW back.  Might be quicker and easier than figuring out how to do
it a little more securely, and like Roger said, should only take a minute to
transfer the role.  Takes longer to find the syntax or tool than it does to
actually do it.

Rich

-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 03, 2004 2:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master 

Okay, I'm trying to take the easy way out. Although I like your idea
Roger, I don't have a box to do that with. I opened some ports in
accordance with the following article:
http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp

Using schmmgmt, I still cannot move the Schema Master role. I am getting
the same error. What do you suppose I am missing?

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 1:26 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Schema Master 


Probably not without grief, no. ReIP-ing domain controllers isn't pretty,
and probably not something I'd want to do twice, and still need the box when
its done.

It might be better to build a swing box - take a desktop and make a swing
server out of it. Put it in the DMZ and swing the Schema role onto it. Once
replication settles (overnight?) move the swing box inside, reconfigure it
for the internal network, and then move the Schema role to the interior box.

Assuming you don't do anything stupid with the rulesets, there's no reason
that the IP of that box while in the DMZ couldn't be wide open to the
internal network, or better yet wide open to the internal DC.

And for the record, I've been sticking my neck out in one forum or another
for better than 7 years methinks...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Frank Buechler [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, February 03, 2004 12:48 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Moving Schema Master 
> 
> 
> Roger! How many years have I seen your name floating around these
> (and Dean's) lists? Yours is definitely a trusted voice my friend!
> I agree with you, and Squid is a solution I am familiar with. But, 
> this is a small shop and that particular box does more than just
> OWA. I know what you're thinking, but my hands are tied on this
> one. Can I simply move the FSMO role off that box (by very quickly
> placing it inside), then move it back into the DMZ with no grief? 
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 03, 2004 12:30 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Moving Schema Master 
> 
> 
> I'd suggest rearchitecting the network to be a more sane environment.
> Putting Exchange in the DMZ is fairly scary.
> 
> IF your users are so intent on OWA from outside, it's a far better option,
> IMO, to put a proxy server (either ISA or Squid-proxy if you're Unix savvy)
> in the DMZ and putting the OWA box inside. You're putting an awful lot of
> collateral into an untrusted section of your domain, and having to allow a
> LOT of traffic into the inside network. Permanently moving the Exchange box
> inside would make a LOT of sense - even if you end up just passing all OWA
> traffic all the way in.
> 
> Second - the issue with the schema master is most likely because the
> necessary ports aren't open enough from the outside. One alternate, which is
> a bit ugly but could work, would be to set up IPSec tunneling between the
> two boxes - that way it's 100% open traffic because all of it would get
> encapsulated and passed through the pipe.
> 
> Personally, I'd permanently move the Exchange box to address both issues at
> once.
> 
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: Frank Buechler [mailto:[EMAIL PROTECTED] 
> > Sent: Tuesday, February 03, 2004 11:08 AM
> > To: ActiveDir (E-mail)
> > Subject: [ActiveDir] Moving Schema Master 
> > 
> > 
> > Good Morning Folks
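
Rich's suggestion above (look at whatever sits between the DMZ and the trusted net for dropped packets between the two DCs, then open only what is still missing, IP to IP, for the few minutes the role transfer takes) can be scripted. The Python below is an added example for this thread, not code from the original posts or from any of the posters. It parses constructed, hypothetical netfilter-style firewall log lines (the addresses 192.0.2.10 for the DMZ DC and 10.0.0.5 for the internal DC are assumptions, as is the log format, so the regular expression will need adapting to a real firewall), keeps only drops between that pair of hosts, and maps each dropped destination port to the AD service a DC needs to reach a peer for replication and operations-master transfer (RPC endpoint mapper on 135 plus the dynamic RPC range, LDAP, Kerberos, SMB, DNS). The port list and the 1024-65535 dynamic RPC assumption are the example's own, not taken from the thread.

```python
"""Find which AD ports a firewall is still dropping between two domain
controllers, so only those get opened host-to-host for a FSMO transfer.

Added example for this thread; log format, addresses and the port list
are assumptions, not facts taken from the original posts.
"""
import re

# Ports a Windows 2000/2003 DC needs to reach a peer DC for replication
# and operations-master transfer (the example's own list).
AD_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB",
    636: "LDAPS",
    3268: "Global Catalog LDAP",
}
# Assumption: RPC dynamic endpoints are allocated from the default high range.
RPC_DYNAMIC = range(1024, 65536)

# Constructed sample, netfilter-style syslog lines (hypothetical hosts:
# 192.0.2.10 is the DMZ DC, 10.0.0.5 the internal DC, 198.51.100.7 is noise).
SAMPLE_LOG = """\
Feb 03 14:10:01 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=3391 DPT=135
Feb 03 14:10:01 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=3392 DPT=1027
Feb 03 14:10:02 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=3393 DPT=389
Feb 03 14:10:02 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=10.0.0.5 PROTO=UDP SPT=3394 DPT=88
Feb 03 14:10:03 fw1 kernel: DROP IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=1030 DPT=445
Feb 03 14:10:03 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=445
Feb 03 14:10:04 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=3395 DPT=80
"""

LINE_RE = re.compile(
    r"\b(?P<action>DROP|ACCEPT)\b.*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>TCP|UDP) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def classify_port(port):
    """Name the AD service behind a destination port, or None when AD does
    not need it between two DCs (so it should stay closed)."""
    if port in AD_PORTS:
        return AD_PORTS[port]
    if port in RPC_DYNAMIC:
        return "RPC dynamic endpoint"
    return None


def missing_ad_ports(log_text, dc_a, dc_b):
    """Return {(src, dst, proto, dport): service} for every dropped packet
    between the two DCs, in either direction, on a port AD needs.
    Traffic involving any other host, accepted packets and non-AD ports
    are ignored, so the result is exactly the rule set still missing."""
    pair = {dc_a, dc_b}
    missing = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None or m["action"] != "DROP":
            continue
        if {m["src"], m["dst"]} != pair:
            continue
        dport = int(m["dpt"])
        service = classify_port(dport)
        if service is None:
            continue
        missing[(m["src"], m["dst"], m["proto"], dport)] = service
    return missing


def suggest_rules(missing):
    """Render the findings as narrow host-to-host allow rules: the temporary
    opening described in the thread, to be removed again after the transfer."""
    return sorted(
        f"allow {proto} {src} -> {dst} dport {dport}  # {service}"
        for (src, dst, proto, dport), service in missing.items()
    )


if __name__ == "__main__":
    found = missing_ad_ports(SAMPLE_LOG, "192.0.2.10", "10.0.0.5")
    for rule in suggest_rules(found):
        print(rule)
```

On the sample, the accepted LDAP packet, the drop from the unrelated host and the drop to port 80 are all filtered out; what remains is the RPC endpoint mapper, one dynamic RPC endpoint, Kerberos and SMB in the reverse direction, which is the kind of list a firewall admin can act on for the duration of the role move and then revert.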

RE: [ActiveDir] NT4 BDC question

2004-02-03 Thread Celone, Mike



Thanks guys.  I'll take a look at it.
 
Mike


From: Depp, Dennis M. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 4:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NT4 BDC question

Also make sure you have a good backup of the system state 
before you run Upromote.  Actually I seem to recall UPromote making a 
backup as part of the process.  When we migrated to Active Directory, we 
ran this on over 50 computers.  I only had 2 computers that had major 
problems.  One was resolved with UPromote tech support and the second we 
had to restore the system state.  It is still an excellent 
product.
 
Denny


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, February 03, 2004 3:52 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] NT4 BDC question

Mike-
 
You might want to consider using Upromote (http://www.purenetworking.net/Products/UPromote/UPromote.htm) 
to drop your NT4 BDC to a standalone server. We did this on several machines 
that were DCs in domains we were consolidating. Worked great for us...but if you 
go this route be sure to test it in a lab setting first.
 
Hunter


From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 1:24 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] NT4 BDC question

We have a single NT4 machine that is a BDC in our AD.  Right now the netlogon
service has been turned off because we are trying to get all machines to
authenticate to our 3 Win2k DCs.  We would shut down and remove this server
but it has Autodesk Licence Manager on it and well it's being a PITA to move.
We need to go into Native mode so that I can use ADMT with SIDHistory and
migrate our other domain in.

So my question is this.  If we were to promote AD into Native mode and shut
off the netlogon service on the NT4 BDC would it get cranky that it can't
replicate with the other DCs anymore?  Or would it not even try anymore since
the netlogon service is turned off?  We plan on moving ADLM but right now
it's not a priority and we need to start migrating in this other NT4 domain.
ADLM runs with the local service account and doesn't need access rights to
the network at all.  Is there anything I am missing here?
 
Mike


RE: [ActiveDir] NT4 BDC question

2004-02-03 Thread Depp, Dennis M.



Also make sure you have a good backup of the system state 
before you run Upromote.  Actually I seem to recall UPromote making a 
backup as part of the process.  When we migrated to Active Directory, we 
ran this on over 50 computers.  I only had 2 computers that had major 
problems.  One was resolved with UPromote tech support and the second we 
had to restore the system state.  It is still an excellent 
product.
 
Denny


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, February 03, 2004 3:52 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] NT4 BDC question

Mike-
 
You might want to consider using Upromote (http://www.purenetworking.net/Products/UPromote/UPromote.htm) 
to drop your NT4 BDC to a standalone server. We did this on several machines 
that were DCs in domains we were consolidating. Worked great for us...but if you 
go this route be sure to test it in a lab setting first.
 
Hunter


From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 1:24 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] NT4 BDC question

We have a single NT4 machine that is a BDC in our AD.  Right now the netlogon
service has been turned off because we are trying to get all machines to
authenticate to our 3 Win2k DCs.  We would shut down and remove this server
but it has Autodesk Licence Manager on it and well it's being a PITA to move.
We need to go into Native mode so that I can use ADMT with SIDHistory and
migrate our other domain in.

So my question is this.  If we were to promote AD into Native mode and shut
off the netlogon service on the NT4 BDC would it get cranky that it can't
replicate with the other DCs anymore?  Or would it not even try anymore since
the netlogon service is turned off?  We plan on moving ADLM but right now
it's not a priority and we need to start migrating in this other NT4 domain.
ADLM runs with the local service account and doesn't need access rights to
the network at all.  Is there anything I am missing here?
 
Mike


RE: [ActiveDir] NT4 BDC question

2004-02-03 Thread Coleman, Hunter



Mike-
 
You might want to consider using Upromote (http://www.purenetworking.net/Products/UPromote/UPromote.htm) 
to drop your NT4 BDC to a standalone server. We did this on several machines 
that were DCs in domains we were consolidating. Worked great for us...but if you 
go this route be sure to test it in a lab setting first.
 
Hunter


From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 1:24 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] NT4 BDC question

We have a single NT4 machine that is a BDC in our AD.  Right now the netlogon
service has been turned off because we are trying to get all machines to
authenticate to our 3 Win2k DCs.  We would shut down and remove this server
but it has Autodesk Licence Manager on it and well it's being a PITA to move.
We need to go into Native mode so that I can use ADMT with SIDHistory and
migrate our other domain in.

So my question is this.  If we were to promote AD into Native mode and shut
off the netlogon service on the NT4 BDC would it get cranky that it can't
replicate with the other DCs anymore?  Or would it not even try anymore since
the netlogon service is turned off?  We plan on moving ADLM but right now
it's not a priority and we need to start migrating in this other NT4 domain.
ADLM runs with the local service account and doesn't need access rights to
the network at all.  Is there anything I am missing here?
 
Mike


RE: [ActiveDir] Windows 2003 Migration/ADMT

2004-02-03 Thread Arden Pineda
Here's my best shot based on my experience with ADMT (v1 and v2).  I welcome
corrections re: any misconceptions I may have about the tool.

1.  I really do not see any issue here.  As long as you are not going to
run Windows NT or 2000 DCs in the forest, you should be fine.  
 
2.  No experience here as I was doing NT to 2000 migrations.  However the
ADMT doc specifically states that you will have to turn off SID filtering if
you are using the SIDHistory attribute.  I suggest doing some tests.

3.  Every time you run ADMT, AFAIK, it creates/updates a db file called
protar.mdb  located in the program directory for ADMT, which by default is
%PROGRAMFILES%\Active Directory  As long as you run the ADMT from the
same machine, all previous migration information is retained.  You do not
have to run all the migration tasks at the same time.  You can do user
migration one time, group migration another time and so on. This, of course,
relies on having the trust relationship between source and target domains
remaining in place. 

4.  You can run ADMT on any Windows 2000, or higher machine, that is a
member of the target domain.  Again, remember that if you want to retain the
info about previous migrations, run ADMT on 1 machine only.  If you move
ADMT to another machine, you can copy the db file, protar.mdb, to retain
previous migration settings. 

There's a readme.doc file in the I386\ADMT folder of the Server 2003 CD with
some more information.

I hope this helps. 


Regards,

Arden 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Santhosh Sivarajan
> Sent: Tuesday, February 03, 2004 11:06 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Windows 2003 Migration/ADMT
> 
> Hi folks,
> 
> I need to clarify a few things about the Windows 2003 
> migration. I am on a Windows NT to Windows 2003 and Ex 5.5 to 
> Exchange 2003 migration project. The client decided to use 
> ADMT for the migration.  
> 
> 1. Is there a problem if I change the functional level 
> (forest/domain) to Windows 2003 native?  I don’t plan to 
> install BDC or Windows 2000 DC in the new Windows 2003 AD 
> environment.  The minimum requirement for SID history 
> migration is Windows 2000 native but I wanted to make sure I 
> wasn't going to break anything if I changed the functional 
> mode to Windows 2003 native. 
> 
> 2. Do I really need to disable SID filtering if I am using 
> SID history migration and plan to access resources in NT using SID? 
> 
> 3. I know ADMT has limited functionality.  How long will ADMT 
> keep the previously migrated information?  If I migrate a few 
> sets of users this week, can I Re-ACL Exchange or change the 
> File permission next month?  Or must I do the Re-ACL at the 
> same time as the migration? 
> 
> 4. Do I need to install ADMT on a domain controller if I am 
> using SID history? 
> 
> I know this is a lot but I really appreciate your time!
> 
> Thanks,
> Santhosh
> 
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 



RE: [ActiveDir] GPO explanations

2004-02-03 Thread Michael Wassell



Yeah sorry.  A link was posted afterwards referencing the same file through
the Microsoft site.

My apologies :)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Celone, Mike
Sent: Tuesday, February 03, 2004 3:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO explanations

Dead link
 
 
Mike


From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 3:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO explanations

Or maybe this one?  http://www.ptmarketing.com/PolicySettings.zip
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug Hampshire
Sent: Tuesday, February 03, 2004 1:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] GPO explanations

This what you're looking for?

  - Original Message - 
  From: Celone, Mike 
  To: '[EMAIL PROTECTED]' 
  Sent: Tuesday, February 03, 2004 10:30 AM
  Subject: [ActiveDir] GPO explanations
  
  I seem to remember someone on the list had an Excel spreadsheet that had a
  listing of all the settings in the default GPOs and explanations for each
  one.  I could have sworn I found it on Microsoft's site but I can't now.
  Anyone have this handy?


RE: [ActiveDir] Moving Schema Master

2004-02-03 Thread Frank Buechler
Okay, I'm trying to take the easy way out. Although I like your idea
Roger, I don't have a box to do that with. I opened some ports in
accordance with the following article:
http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp

Using schmmgmt, I still cannot move the Schema Master role. I am getting
the same error. What do you suppose I am missing?

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 1:26 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Schema Master 


Probably not without grief, no. ReIP-ing domain controllers isn't pretty,
and probably not something I'd want to do twice, and still need the box when
its done.

It might be better to build a swing box - take a desktop and make a swing
server out of it. Put it in the DMZ and swing the Schema role onto it. Once
replication settles (overnight?) move the swing box inside, reconfigure it
for the internal network, and then move the Schema role to the interior box.

Assuming you don't do anything stupid with the rulesets, there's no reason
that the IP of that box while in the DMZ couldn't be wide open to the
internal network, or better yet wide open to the internal DC.

And for the record, I've been sticking my neck out in one forum or another
for better than 7 years methinks...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Frank Buechler [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, February 03, 2004 12:48 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Moving Schema Master 
> 
> 
> Roger! How many years have I seen your name floating around these
> (and Dean's) lists? Yours is definitely a trusted voice my friend!
> I agree with you, and Squid is a solution I am familiar with. But, 
> this is a small shop and that particular box does more than just
> OWA. I know what you're thinking, but my hands are tied on this
> one. Can I simply move the FSMO role off that box (by very quickly
> placing it inside), then move it back into the DMZ with no grief? 
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 03, 2004 12:30 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Moving Schema Master 
> 
> 
> I'd suggest rearchitecting the network to be a more sane environment.
> Putting Exchange in the DMZ is fairly scary.
> 
> IF your users are so intent on OWA from outside, it's a far better option,
> IMO, to put a proxy server (either ISA or Squid-proxy if you're Unix savvy)
> in the DMZ and putting the OWA box inside. You're putting an awful lot of
> collateral into an untrusted section of your domain, and having to allow a
> LOT of traffic into the inside network. Permanently moving the Exchange box
> inside would make a LOT of sense - even if you end up just passing all OWA
> traffic all the way in.
> 
> Second - the issue with the schema master is most likely because the
> necessary ports aren't open enough from the outside. One alternate, which is
> a bit ugly but could work, would be to set up IPSec tunneling between the
> two boxes - that way it's 100% open traffic because all of it would get
> encapsulated and passed through the pipe.
> 
> Personally, I'd permanently move the Exchange box to address both issues at
> once.
> 
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: Frank Buechler [mailto:[EMAIL PROTECTED] 
> > Sent: Tuesday, February 03, 2004 11:08 AM
> > To: ActiveDir (E-mail)
> > Subject: [ActiveDir] Moving Schema Master 
> > 
> > 
> > Good Morning Folks
> > 
> > I'm having a bit of a problem and I'm wondering if one of you fine
> > people can help me out. First, let me give you an outline of the
> > structure here. I have (2) 2000 servers, one in the DMZ (Exchange
> > Server, our clients rely heavily on OWA), and the other sitting in
> > trusted. The Operations Master is the server sitting on the inside,
> > the Schema Master is the server sitting in the DMZ. I have been
> > called here to upgrade everything to 2003 Server. Here's where I'm at:
> > 
> > I have placed a 2003 server (brand new box) on the network. This box
> > is currently sitting in trusted, but it will eventually be the new
> > Exchange server. I want to run ADPREP /FORESTPREP on the Schema Master
> > to bring the 2003 server into the AD. Since I really don't want to
> > take the Exchange server off the network to do this, and since that
> > box will be getting demoted anyway, I thought I would move the Schema
> > Master role to the server currently sitting in trusted, and run ADPREP
> > against it. However, when I attempt to do this, I get an error; "The
> > current FSMO holder c

[ActiveDir] NT4 BDC question

2004-02-03 Thread Celone, Mike



We have a single NT4 machine that is a BDC in our AD.  Right now the netlogon
service has been turned off because we are trying to get all machines to
authenticate to our 3 Win2k DCs.  We would shut down and remove this server
but it has Autodesk Licence Manager on it and well it's being a PITA to move.
We need to go into Native mode so that I can use ADMT with SIDHistory and
migrate our other domain in.

So my question is this.  If we were to promote AD into Native mode and shut
off the netlogon service on the NT4 BDC would it get cranky that it can't
replicate with the other DCs anymore?  Or would it not even try anymore since
the netlogon service is turned off?  We plan on moving ADLM but right now
it's not a priority and we need to start migrating in this other NT4 domain.
ADLM runs with the local service account and doesn't need access rights to
the network at all.  Is there anything I am missing here?
 
Mike


RE: [ActiveDir] GPO explanations

2004-02-03 Thread Celone, Mike



Dead link
 
 
Mike


From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 3:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO explanations

Or maybe this one?  http://www.ptmarketing.com/PolicySettings.zip
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug Hampshire
Sent: Tuesday, February 03, 2004 1:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] GPO explanations

This what you're looking for?

  - Original Message - 
  From: Celone, Mike 
  To: '[EMAIL PROTECTED]' 
  Sent: Tuesday, February 03, 2004 10:30 AM
  Subject: [ActiveDir] GPO explanations
  
  I seem to remember someone on the list had an Excel spreadsheet that had a
  listing of all the settings in the default GPOs and explanations for each
  one.  I could have sworn I found it on Microsoft's site but I can't now.
  Anyone have this handy?


RE: [ActiveDir] GPO explanations

2004-02-03 Thread Celone, Mike



Thanks Bob.  That was it!  
 
Thanks everyone else who sent me other sheets.  
They've all been handy.
 
Mike


From: Free, Bob [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 2:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO explanations

http://www.microsoft.com/downloads/details.aspx?FamilyId=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en


From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 10:31 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO explanations

I seem to remember someone on the list had an Excel spreadsheet that had a
listing of all the settings in the default GPOs and explanations for each
one.  I could have sworn I found it on Microsoft's site but I can't now.
Anyone have this handy?


RE: [ActiveDir] GPO explanations

2004-02-03 Thread Ken Cornetet



Now, if Microsoft would just see fit to put all the available ADM files in
one nice zip file...

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug Hampshire
  Sent: Tuesday, February 03, 2004 1:57 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [ActiveDir] GPO explanations
  This what you're looking for?
  
    - Original Message - 
    From: Celone, Mike 
    To: '[EMAIL PROTECTED]' 
    Sent: Tuesday, February 03, 2004 10:30 AM
    Subject: [ActiveDir] GPO explanations
    
    I seem to remember someone on the list had an Excel spreadsheet that had
    a listing of all the settings in the default GPOs and explanations for
    each one.  I could have sworn I found it on Microsoft's site but I can't
    now.  Anyone have this handy?


RE: [ActiveDir] GPO explanations

2004-02-03 Thread Free, Bob



http://www.microsoft.com/downloads/details.aspx?FamilyId=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en


From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 10:31 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO explanations

I seem to remember someone on the list had an Excel spreadsheet that had a
listing of all the settings in the default GPOs and explanations for each
one.  I could have sworn I found it on Microsoft's site but I can't now.
Anyone have this handy?


RE: [ActiveDir] GPO explanations

2004-02-03 Thread Michael Wassell



Or maybe this one?  http://www.ptmarketing.com/PolicySettings.zip
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug Hampshire
Sent: Tuesday, February 03, 2004 1:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] GPO explanations

This what you're looking for?

  - Original Message - 
  From: Celone, Mike 
  To: '[EMAIL PROTECTED]' 
  Sent: Tuesday, February 03, 2004 10:30 AM
  Subject: [ActiveDir] GPO explanations
  
  I seem to remember someone on the list had an Excel spreadsheet that had a
  listing of all the settings in the default GPOs and explanations for each
  one.  I could have sworn I found it on Microsoft's site but I can't now.
  Anyone have this handy?


RE: [ActiveDir] Integrate Linux with AD

2004-02-03 Thread Jennifer Fountain
> What are you trying to integrate?  Do you want to 
> authenticate the users against active directory?  If so you 
> can look at the Linux documentation LDAP-HOWTO.  But I don't 
> think there is any specific Active Directory info in there.  
> There was also a paper in the SANS reading room www.sans.org 
> that discussed authenticating HPUX with Active Directory. If 
> you want to have the Linux servers appear in Active 
> Directory, look into SAMBA.  
> http://us3.samba.org/samba/docs/man/ They have some very good 
> documentation on interaction of SAMBA servers with AD.
> 
> Denny 

My clients run programs on my linux boxes and connect to them via ssh.
I would like them to login using their AD accounts.

Thanks
Jennifer


RE: [ActiveDir] Moving Schema Master

2004-02-03 Thread Adams, Kenneth W (Ken)
IPSec should work, but I'd prefer having all FSMO roles on a server on
the internal network.  Remember that the Schema Master is the
controlling server for the entire AD schema, so you shouldn't have it
anywhere near a 'danger zone'.

Kenneth W. (Ken) Adams, MCSA, MCSE



-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 03, 2004 1:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master 


I am the firewall guy..  ;^) Thinking in longer terms, I am going to
encounter this same dilemma when I migrate Exchange 2000 to Exchange
2003 on the new server.. Maybe IPSec is the solution..

-Original Message-
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 12:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master 


The actual moving of the Schema Master role should take less than 15
minutes.  Moving the server out of the DMZ would take longer.

For the short time it would take to move the Schema Master role, I would
talk to the firewall guys to see if they would be willing to 'hover'
nearby to open the appropriate ports JUST long enough for the role
move.  That action would be the least disruptive to your clients' access
to OWA and the primary web site.

Kenneth W. (Ken) Adams, MCSA, MCSE



-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 03, 2004 12:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master 


Well, taking that machine out of the DMZ is going to have a few
repercussions. Not only will it down OWA, but the corporate web
site is also being hosted there. Opening ports is last resort stuff..
If I did bring that machine inside, how long would it take to move
the Schema Master role to the second server? Are there any gotchas
involved in doing that, then simply placing the machine back in the DMZ?

-Original Message-
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 11:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master 


Either take the current Schema Master out of the DMZ or (shudder) open
the appropriate ports through the interior firewall and point them
explicitly to the server you want to become the Schema Master.

Kenneth W. (Ken) Adams, MCSA, MCSE



-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 03, 2004 11:08 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moving Schema Master 


Good Morning Folks

I'm having a bit of a problem and I'm wondering if one of you fine people can
help me out. First, let me give you an outline of the structure here. I have
(2) 2000 servers, one in the DMZ (Exchange Server, our clients rely heavily on
OWA), and the other sitting in trusted. The Operations Master is the server
sitting on the inside, the Schema Master is the server sitting in the DMZ. I
have been called here to upgrade everything to 2003 Server. Here's where I'm at:

I have placed a 2003 server (brand new box) on the network. This box is
currently sitting in trusted, but it will eventually be the new Exchange
server. I want to run ADPREP /FORESTPREP on the Schema Master to bring the 2003
server into the AD. Since I really don't want to take the Exchange server off
the network to do this, and since that box will be getting demoted anyway, I
thought I would move the Schema Master role to the server currently sitting in
trusted, and run ADPREP against it. However, when I attempt to do this, I get
an error; "The current FSMO holder could not be contacted".

Does the Exchange server (Schema Master) need to come out of the DMZ?

TIA!

-Frank


[ActiveDir] Windows 2003 Migration/ADMT

2004-02-03 Thread Santhosh Sivarajan
Hi folks,

I need to clarify a few things about the Windows 2003 migration. I am on a
Windows NT to Windows 2003 and Ex 5.5 to Exchange 2003 migration project. 
The client decided to use ADMT for the migration.  

1. Is there a problem if I change the functional level (forest/domain) to
Windows 2003 native?  I don’t plan to install BDC or Windows 2000 DC in the
new Windows 2003 AD environment.  The minimum requirement for SID history
migration is Windows 2000 native but I wanted to make sure I wasn't going to
break anything if I changed the functional mode to Windows 2003 native. 

2. Do I really need to disable SID filtering if I am using SID history
migration and plan to access resources in NT using SID? 

3. I know ADMT has limited functionality.  How long will ADMT keep the
previously migrated information?  If I migrate a few sets of users this
week, can I Re-ACL Exchange or change the File permission next month?  Or
must I do the Re-ACL at the same time as the migration? 

4. Do I need to install ADMT on a domain controller if I am using SID
history? 

I know this is a lot but I really appreciate your time!

Thanks,
Santhosh


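Question 2 above turns on what SID filtering actually does to a token that crosses a trust. The following is an added example written for this page, not code from the list or from ADMT: it models SID filtering ("quarantine") on a constructed token and shows both why sIDHistory-based access to the old NT resources fails while filtering is on, and what an attacker-controlled sIDHistory buys once it is off. The domain SIDs, the migrated user, the ACLs and the share are all constructed, and well-known SIDs are simplified to "anything not under S-1-5-21-".

```python
"""Model of SID filtering (trust quarantine) on a token crossing a trust.

Added example for the sIDHistory / SID-filtering question; not code from the
list posts or from ADMT. Domain SIDs, users and ACLs are constructed, and the
well-known-SID handling is simplified: anything not under S-1-5-21- is treated
as a well-known SID that filtering leaves alone.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed domain SIDs: the old NT 4.0 account domain and the new
# Windows Server 2003 domain the users were migrated into with ADMT.
NT_DOMAIN_SID = "S-1-5-21-1111-2222-3333"
AD_DOMAIN_SID = "S-1-5-21-4444-5555-6666"

DOMAIN_PREFIX = "S-1-5-21-"


def domain_of(sid: str) -> Optional[str]:
    """Domain part of a domain-relative SID (S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c);
    None for well-known SIDs such as S-1-1-0 (Everyone) or S-1-5-11."""
    if not sid.startswith(DOMAIN_PREFIX):
        return None
    parts = sid.split("-")
    if len(parts) != 8:
        raise ValueError("unexpected SID layout: " + sid)
    return "-".join(parts[:7])


@dataclass
class Token:
    user_sid: str
    group_sids: List[str] = field(default_factory=list)
    sid_history: List[str] = field(default_factory=list)   # what ADMT populates

    def all_sids(self) -> List[str]:
        return [self.user_sid, *self.group_sids, *self.sid_history]


def apply_sid_filtering(token: Token, trusted_domain_sid: str) -> List[str]:
    """SIDs the resource (trusting) domain keeps when filtering is ON for the
    trust: only SIDs relative to the trusted domain plus well-known SIDs.
    Every sIDHistory SID belonging to another domain is discarded, so
    sIDHistory-based access across the trust only works with filtering OFF."""
    return [s for s in token.all_sids()
            if domain_of(s) is None or domain_of(s) == trusted_domain_sid]


def can_access(acl_sids: Set[str], effective_sids: List[str]) -> bool:
    """Minimal allow-only ACL check: any matching SID grants access."""
    return any(s in acl_sids for s in effective_sids)


# Constructed migrated user: new SID in the 2003 domain; the old NT user SID
# and the old NT group SID carried in sIDHistory.
MIGRATED_USER = Token(
    user_sid=AD_DOMAIN_SID + "-1105",
    group_sids=[AD_DOMAIN_SID + "-513", "S-1-5-11"],
    sid_history=[NT_DOMAIN_SID + "-1001", NT_DOMAIN_SID + "-2001"],
)

# Constructed share in the NT domain that has not been re-ACLed yet: it still
# grants access to the old NT group.
NT_SHARE_ACL = {NT_DOMAIN_SID + "-2001"}

# The cost of leaving filtering off: an admin of the trusted domain can write
# any SID into sIDHistory, e.g. the NT domain's own Domain Admins (RID 512).
SPOOFED_USER = Token(user_sid=AD_DOMAIN_SID + "-1106",
                     sid_history=[NT_DOMAIN_SID + "-512"])
NT_ADMIN_ONLY_ACL = {NT_DOMAIN_SID + "-512"}


def access(token: Token, acl: Set[str], filtering_on: bool) -> bool:
    """Would this token get past the ACL, given the trust's filtering setting?"""
    effective = (apply_sid_filtering(token, AD_DOMAIN_SID) if filtering_on
                 else token.all_sids())
    return can_access(acl, effective)


if __name__ == "__main__":
    cases = (("migrated user -> old NT share", MIGRATED_USER, NT_SHARE_ACL),
             ("spoofed sIDHistory -> admin-only resource", SPOOFED_USER, NT_ADMIN_ONLY_ACL))
    for name, tok, acl in cases:
        print(f"{name}: filtering on={access(tok, acl, True)}, "
              f"off={access(tok, acl, False)}")
```

The two cases are the trade-off behind the question: filtering off is what makes the migrated users' old SIDs usable against not-yet-re-ACLed NT resources, and the same setting is what lets a forged sIDHistory reach the NT domain's own privileged groups, so it should be re-enabled as soon as the re-ACL is done.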


Re: [ActiveDir] logon server discovery

2004-02-03 Thread Graham Turner
Thanks all for excellent discussion of this - all of this was borne out of
clients at a remote site not finding the local DC, which I assume
was under some sort of load causing it not to respond in a timely manner.

GT

- Original Message -
From: "GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 03, 2004 8:33 AM
Subject: RE: [ActiveDir] logon server discovery


> Bob pointed out all there was to say to the original post, but some useful
> information to add in the whole DC-failover scenario is, how long does a DC
> wait itself for calculating additional connection objects, in case the
> original replication partner doesn't react and it needs to look for another
> partner?
>
> There are various settings that can be configured to adapt appropriately to
> a company's infrastructure, configured in the Registry of each DC:
>
> KCC site generator fail-over (minutes) => how long after the last ISTG update
> a DC will wait before nominating a new ISTG
>
> KCC site generator renewal interval (minutes) => how often the ISTG updates
> its role information (Not used when in w2k3 forest mode for the new istg
> algorithm)
>
> CriticalLinkFailuresAllowed => number of critical link failures the KCC will
> tolerate before recomputing the topology
>
> MaxFailureTimeForCriticalLink (sec) => time a critical link may be down
> before the KCC will recompute the topology
>
> NonCriticalLinkFailuresAllowed => number of non-critical link failures the
> KCC will tolerate before recomputing the topology
>
> MaxFailureTimeForNonCriticalLink (sec) => time a non-critical link may be
> down before the KCC will recompute the topology
>
> IntersiteFailuresAllowed => number of intersite link failures before the
> ISTG will recompute the intersite topology
>
> MaxFailureTimeForIntersiteLink (sec) => time an intersite link may be down
> before the ISTG will recompute the intersite topology
>
>
> I'm actually not sure which key these have to be configured in (believe it's
> HKLM\Sys\CCS\Services\Netlogon\Parameters).
>
>
> /Guido
>
> -Original Message-
> From: Free, Bob [mailto:[EMAIL PROTECTED]
> Sent: Dienstag, 3. Februar 2004 08:36
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] logon server discovery
>
> joe  wrote:
> > No one seems to be jumping on this with any authoritative answers, I
> > was hoping Guido or Dean would nail it as I was looking to learn
> > something. :o)
>
> I'm hardly authoritative but what I've picked up on the subject :-)
>
> Blatantly plagiarized from Gil's awesome March 2003 Authentication
> Topology paper-
> http://www.winnetmag.com/Articles/Index.cfm?ArticleID=37935 or
> http://www.netpro.com/forum/files/Authentication_Topology.pdf
>
> The DNS service responds with a list of SRV records that correspond to
> all the DCs in the client's domain. The client takes the records with
> the lowest-priority value and issues an AD ping (which is actually an
> LDAP-over-UDP query) to each DC in turn. If a DC doesn't respond within
> a tenth of a second, the client tries the next DC, and so on, until a DC
> responds.
>
> When a DC receives an AD ping from a client, the DC calculates two
> crucial pieces of information before sending a response. First, the DC
> determines the site closest to the client; to do so, the DC compares the
> IP address in the request packet with an in-memory data structure that
> contains the site and subnet associations defined in AD's site objects.
> The DC also determines whether it's in the site closest (from an IP
> topology point of view) to the client's site. The DC sends this
> information and the name of the responding DC's site in a UDP response
> to the client.
>
> When the client receives this response, it determines whether the
> responding DC is in the site closest to its site. If so, the client
> saves the returned client site name in the
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> registry subkey's DynamicSiteName entry and uses that DC for further
> domain-authentication requests. If the DC response indicates that the DC
> isn't in the site closest to the client's site, the client returns to
> DNS to find a DC in the closest site. This time, because the client
> knows its site name, it queries DNS for _ldap SRV records in the
> _tcp.sitename._sites.dc._msdcs.domainname domain. DNS responds with a
> list of SRV records for DCs in the specified site. The client again
> selects those SRV records with the lowest priority and issues AD pings
> to each in turn until one responds within a tenth of a second.
>
>
> Sean Deuby had a related article in the December 2003 issue I've been
> reading over the weekend-
>
> Designing for DC Failover- How to create the best AD site topology
> possible
> http://www.winnetmag.com/Windows/Article/ArticleID/40718/40718.html
>
> As far as the timeout value, he repeats the 100ms value for W2K and goes
> on to say tha
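The locator sequence quoted from Gil's paper (domain-wide SRV lookup, LDAP ping over UDP with a 100 ms timeout, then the site-specific retry once the client knows its site) is easier to reason about as code, in particular the case Graham hit, where the local DC is too slow to answer. What follows is an added example for this page, not code from the list posts or from the cited papers. The DNS zone, the site names and the ping replies are constructed stand-ins, and `resolve` and `ping` are injected so the logic runs offline; a real client sends the ping as CLDAP to UDP 389.

```python
"""Model of the DC-locator sequence: SRV lookup, LDAP ping with a 100 ms
timeout, site-aware retry. Added example, not code from the list posts or the
cited papers; DNS data, sites and ping replies are constructed stand-ins."""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

DOMAIN = "example.corp"          # constructed
CLIENT_SITE = "Branch"           # site a DC derives from the client's IP and subnet objects
PING_TIMEOUT = 0.1               # seconds; the 100 ms figure from the posts


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    target: str


@dataclass
class PingReply:
    dc: str
    client_site: str             # the DC's answer to "which site is the client in"
    dc_in_closest_site: bool     # whether the DC itself is in (or closest to) that site


Resolver = Callable[[str], List[Srv]]
Pinger = Callable[[str, float], Optional[PingReply]]


def order_candidates(records: List[Srv], rng: Optional[random.Random] = None) -> List[Srv]:
    """Keep only the records with the lowest priority value, then order them by
    the RFC 2782 weighted-random draw the locator uses within that set."""
    rng = rng or random.Random()
    lowest = min(r.priority for r in records)
    pool = [r for r in records if r.priority == lowest]
    ordered: List[Srv] = []
    while pool:
        draw = rng.uniform(0, sum(r.weight for r in pool))
        running, chosen = 0, pool[-1]
        for r in pool:
            running += r.weight
            if running >= draw:
                chosen = r
                break
        ordered.append(chosen)
        pool.remove(chosen)
    return ordered


def first_responder(cands: List[Srv], ping: Pinger, timeout: float) -> Optional[PingReply]:
    """Ping each candidate in turn; the first one answering within the timeout wins."""
    for r in cands:
        reply = ping(r.target, timeout)
        if reply is not None:
            return reply
    return None


def locate_dc(resolve: Resolver, ping: Pinger, rng: Optional[random.Random] = None,
              timeout: float = PING_TIMEOUT) -> Tuple[Optional[str], Optional[str]]:
    """Return (chosen DC, client site), or (None, None) if no DC answers at all."""
    recs = resolve(f"_ldap._tcp.dc._msdcs.{DOMAIN}")
    if not recs:
        return None, None
    reply = first_responder(order_candidates(recs, rng), ping, timeout)
    if reply is None:
        return None, None
    if reply.dc_in_closest_site:
        return reply.dc, reply.client_site
    # The client now knows its site, so it asks DNS for the DCs registered in it.
    site_recs = resolve(f"_ldap._tcp.{reply.client_site}._sites.dc._msdcs.{DOMAIN}")
    if site_recs:
        site_reply = first_responder(order_candidates(site_recs, rng), ping, timeout)
        if site_reply is not None:
            return site_reply.dc, reply.client_site
    # Nothing in the site answered within the timeout (the overloaded local DC
    # from the post): the client keeps the DC that already answered.
    return reply.dc, reply.client_site


# Constructed zone data and site membership.
SITE_OF = {"hq-dc1.example.corp": "HQ", "hq-dc2.example.corp": "HQ",
           "branch-dc1.example.corp": "Branch"}
SRV_ZONE: Dict[str, List[Srv]] = {
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": [Srv(0, 100, h) for h in SITE_OF],
    f"_ldap._tcp.Branch._sites.dc._msdcs.{DOMAIN}": [Srv(0, 100, "branch-dc1.example.corp")],
}


def resolve(name: str) -> List[Srv]:
    return SRV_ZONE.get(name, [])


def make_ping(unresponsive: set) -> Pinger:
    """Ping stand-in: DCs listed in `unresponsive` never answer inside the timeout."""
    def ping(host: str, timeout: float) -> Optional[PingReply]:
        if host in unresponsive:
            return None
        return PingReply(dc=host, client_site=CLIENT_SITE,
                         dc_in_closest_site=SITE_OF[host] == CLIENT_SITE)
    return ping


if __name__ == "__main__":
    print("healthy branch DC   :", locate_dc(resolve, make_ping(set())))
    print("branch DC overloaded:", locate_dc(resolve, make_ping({"branch-dc1.example.corp"})))
```

Run as-is, the second case is the symptom in Graham's post: the client ends up authenticating against an HQ DC because the only DC registered for its site missed the 100 ms window, and it will keep doing so until the next locator cycle.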

[ActiveDir] GPO explanations

2004-02-03 Thread Celone, Mike



I seem to remember someone on the list had an Excel spreadsheet that had a
listing of all the settings in the default GPOs and explanations for each one.
I could have sworn I found it on Microsoft's site but I can't now.  Anyone
have this handy?


RE: [ActiveDir] Integrate Linux with AD

2004-02-03 Thread Crenshaw, Jason
Hot off the press.

Solution Guide for Windows Security and Directory Services for UNIX
Using Active Directory and Kerberos for authentication and identity store in
a heterogeneous UNIX and Windows IT environment.

http://www.microsoft.com/downloads/details.aspx?FamilyId=144F7B82-65CF-4105-
B60C-44515299797D&displaylang=en

Jason
-Original Message-
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 03, 2004 10:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Integrate Linux with AD

I have seen Vintela in action. It is a fantastic solution. Very easy to
implement and your *nix users are authenticating to AD. Definitely take
a look at this. 

Kevin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
Sent: Tuesday, February 03, 2004 11:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Integrate Linux with AD

And, check out this product which enables single signon between *nix
clients/servers and Active Directory...

http://www.vintela.com/products/vas/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Tuesday, February 03, 2004 7:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Integrate Linux with AD

Look into Microsoft's Services for Unix 3.5.

http://www.microsoft.com/windows/sfu/default.asp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, February 03, 2004 10:20 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Integrate Linux with AD

this is the best link I know.-

http://www.securityfocus.com/infocus/1563

-Original Message-
From: Jennifer Fountain [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 10:13 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Integrate Linux with AD


Does anyone know where I can locate instructions on how to integrate
Linux
clients with AD?  Has anyone on the list implement this successfully and
would they share this information?  

Thank you for any information!
Jennifer 


RE: [ActiveDir] Moving Schema Master

2004-02-03 Thread Roger Seielstad
Probably not without grief, no. ReIP-ing domain controllers isn't pretty,
and probably not something I'd want to do twice, and still need the box when
its done.

It might be better to build a swing box - take a desktop and make a swing
server out of it. Put it in the DMZ and swing the Schema role onto it. Once
replication settles (overnight?) move the swing box inside, reconfigure it
for the internal network, and then move the Schema role to the interior box.

Assuming you don't do anything stupid with the rulesets, there's no reason
that the IP of that box while in the DMZ couldn't be wide open to the
internal network, or better yet wide open to the internal DC.

And for the record, I've been sticking my neck out in one forum or another
for better than 7 years methinks...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Frank Buechler [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, February 03, 2004 12:48 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Moving Schema Master 
> 
> 
> Roger! How many years have I seen your name floating around these
> (and Dean's) lists? Yours is definitely a trusted voice my friend!
> I agree with you, and Squid is a solution I am familiar with. But, 
> this is a small shop and that particular box does more than just
> OWA. I know what you're thinking, but my hands are tied on this
> one. Can I simply move the FSMO role off that box (by very quickly
> placing it inside), then move it back into the DMZ with no grief? 
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 03, 2004 12:30 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Moving Schema Master 
> 
> 
> I'd suggest rearchitecting the network to be a more sane environment.
> Putting Exchange in the DMZ is fairly scary.
> 
> IF your users are so intent on OWA from outside, it's a far better option,
> IMO, to put a proxy server (either ISA or Squid-proxy if you're Unix savvy)
> in the DMZ and putting the OWA box inside. You're putting an awful lot of
> collateral into an untrusted section of your domain, and having to allow a
> LOT of traffic into the inside network. Permanently moving the Exchange box
> inside would make a LOT of sense - even if you end up just passing all OWA
> traffic all the way in.
> 
> Second - the issue with the schema master is most likely because the
> necessary ports aren't open enough from the outside. One alternate, which is
> a bit ugly but could work, would be to set up IPSec tunneling between the
> two boxes - that way it's 100% open traffic because all of it would get
> encapsulated and passed through the pipe.
> 
> Personally, I'd permanently move the Exchange box to address both issues at
> once.
> 
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
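Roger's diagnosis of "The current FSMO holder could not be contacted" is that the interior firewall does not pass enough of the DC-to-DC traffic, and Ken's alternative is to have the firewall team open the ports for the few minutes the transfer takes. Either way the first step is to know which ports are blocked from the inside DC towards the DMZ schema master. The script below is an added example for this page, not code from the list posts: a pre-flight check run from the DC that is to receive the role. The host name is constructed, a successful probe only proves that a TCP handshake completes (not that the service behind it works), and the port list is the usual Windows 2000/2003 DC-to-DC set, so reconcile it with your own firewall policy.

```python
"""Pre-flight check of the TCP ports the inside DC must reach on the FSMO
holder before a role transfer is attempted through a firewall. Added example,
not from the list posts; the host name is constructed."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Ports a Windows 2000/2003 DC uses to talk to another DC. The role transfer
# itself is an RPC call over the DRS interface: the client hits the endpoint
# mapper on 135 and is redirected to a dynamic port, unless the DC pins
# replication RPC to one port via the NTDS\Parameters "TCP/IP Port" value.
REQUIRED_TCP: List[Tuple[int, str]] = [
    (53, "DNS"),
    (88, "Kerberos"),
    (135, "RPC endpoint mapper (needed for the DRS role-transfer call)"),
    (389, "LDAP"),
    (445, "SMB / Netlogon"),
    (464, "Kerberos password change"),
    (636, "LDAP over SSL"),
    (3268, "Global catalog"),
]

Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def blocked_ports(host: str, probe: Probe = tcp_probe,
                  required: List[Tuple[int, str]] = REQUIRED_TCP) -> List[Tuple[int, str]]:
    """Ports from the required list that the firewall (or the host) does not pass."""
    return [(port, purpose) for port, purpose in required if not probe(host, port)]


def rpc_range(fixed_port: Optional[int] = None) -> Tuple[int, int]:
    """Range the firewall must also pass for the RPC endpoint handed out by the
    endpoint mapper: the single pinned port, or the default dynamic range
    (1025-5000 on Windows 2000/2003; Vista/2008 and later use 49152-65535)."""
    if fixed_port:
        return fixed_port, fixed_port
    return 1025, 5000


def preflight(host: str, probe: Probe = tcp_probe,
              fixed_rpc_port: Optional[int] = None) -> Dict[str, object]:
    """Summarise what is blocked and what the RPC rule still has to cover."""
    blocked = blocked_ports(host, probe)
    return {
        "host": host,
        "blocked": blocked,
        "rpc_range": rpc_range(fixed_rpc_port),
        "static_ports_ok": not blocked,
    }


if __name__ == "__main__":
    # Constructed DMZ schema-master name; run this from the inside DC that
    # should receive the role.
    result = preflight("dmz-exch-dc.example.corp")
    for port, purpose in result["blocked"]:
        print(f"blocked: tcp/{port} ({purpose})")
    print("also allow RPC tcp/%d-%d to the FSMO holder" % result["rpc_range"])
```

Even with every static port open, a transfer still fails if the dynamic RPC range is closed, which is the usual reason 135 alone is not enough; pinning the DRS port on the DMZ DC and opening that single port is the smaller firewall change, and the IPsec tunnel the thread discusses sidesteps the whole list at the cost of passing everything.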

RE: [ActiveDir] Moving Schema Master

2004-02-03 Thread Craig Cerino
The Schema move itself should take less than a minute. But the
(physical) move from the DMZ may interrupt service for a while.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Tuesday, February 03, 2004 1:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master 

Not much info.. small shop, few users. I'm looking at Ipsec.

-Original Message-
From: Craig Cerino [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 12:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master 


How much info are we talking about Frank?
That is going to come into play when you're talking about "how long" it
will take.



[ActiveDir] kerberos failure code 0xE

2004-02-03 Thread Graham Turner
Dear all, am attempting debug of a logon failure

we have found on the authenticating DC a security event log entry which
gives us a failure code 0xE

have referenced this Kerberos failure code to the following meaning;

"KDC has no support for encryption type"

this seems to be a machine specific issue - can anyone give us a few
pointers on this ?

FWIW no IPSEC policies are configured

GT

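Failure code 0xE in the Kerberos failure audits is KRB-ERROR 14, KDC_ERR_ETYPE_NOSUPP in RFC 4120, which matches the meaning Graham found. Since he suspects a single machine, the useful triage is to group the failures by client address rather than by account: one address producing 0xE for several accounts points at that host's Kerberos configuration rather than at the users. The script below is an added example for this page, not code from the post: it parses a constructed sample of Windows 2000/2003 Kerberos failure audits (events 675 and 677, flattened to one event per line for the example) and groups the failure codes by source address. The event lines, account names and addresses are all constructed.

```python
"""Triage helper for Kerberos failure codes in a DC's security log. Added
example, not code from the post; the sample events are constructed in a
flattened one-event-per-line form and the code table is RFC 4120's."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# RFC 4120 KRB-ERROR codes, keyed by the value the log shows in hex.
KRB_ERRORS: Dict[int, str] = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN: client not found in Kerberos database",
    0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN: server not found in Kerberos database",
    0x0C: "KDC_ERR_POLICY: requested ticket not allowed by policy",
    0x0E: "KDC_ERR_ETYPE_NOSUPP: KDC has no support for encryption type",
    0x12: "KDC_ERR_CLIENT_REVOKED: account disabled, expired or locked out",
    0x17: "KDC_ERR_KEY_EXPIRED: password has expired",
    0x18: "KDC_ERR_PREAUTH_FAILED: bad password",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x25: "KRB_AP_ERR_SKEW: clock skew too great",
}

# Constructed sample of flattened failure audits (event id first).
SAMPLE_EVENTS = """\
675 User Name: jsmith  Service Name: krbtgt/EXAMPLE  Pre-Authentication Type: 2  Failure Code: 0xE  Client Address: 10.1.2.50
675 User Name: jsmith  Service Name: krbtgt/EXAMPLE  Pre-Authentication Type: 2  Failure Code: 0xE  Client Address: 10.1.2.50
675 User Name: bjones  Service Name: krbtgt/EXAMPLE  Pre-Authentication Type: 2  Failure Code: 0x18  Client Address: 10.1.2.77
675 User Name: WKS17$  Service Name: krbtgt/EXAMPLE  Pre-Authentication Type: 2  Failure Code: 0xE  Client Address: 10.1.2.50
677 User Name: svc-backup  Service Name: cifs/fs01  Failure Code: 0x7  Client Address: 10.1.2.9
"""

EVENT_RE = re.compile(
    r"^(?P<event>\d+)\s+User Name:\s*(?P<user>\S+).*?"
    r"Failure Code:\s*(?P<code>0x[0-9A-Fa-f]+).*?"
    r"Client Address:\s*(?P<addr>\S+)"
)


def normalize(code: str) -> str:
    """Canonical form of a hex failure code as logged ("0xe", "0x0E" -> "0xE")."""
    return "0x%X" % int(code, 16)


def explain(code: str) -> str:
    """Map a hex failure code from the log to its RFC 4120 name."""
    value = int(code, 16)
    return KRB_ERRORS.get(value, "unknown KRB-ERROR %d" % value)


def parse_events(text: str) -> List[Dict[str, str]]:
    """Extract event id, account, failure code and client address per line."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def by_code_and_host(events: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count (failure code, client address) pairs: one code tied to one
    address across several accounts points at that machine, not the users."""
    return dict(Counter((normalize(e["code"]), e["addr"]) for e in events))


def hosts_with_etype_nosupp(events: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Client addresses that produced 0xE, with the accounts seen from each."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if int(e["code"], 16) == 0x0E:
            out[e["addr"]].add(e["user"])
    return dict(out)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for (code, addr), n in sorted(by_code_and_host(evts).items()):
        print(f"{addr:<12} {code:<5} x{n}  {explain(code)}")
    for addr, users in hosts_with_etype_nosupp(evts).items():
        print(f"0xE from {addr} for {sorted(users)}: check that machine's "
              "Kerberos encryption types against what the KDC offers")
```

On the constructed sample, 0xE comes only from 10.1.2.50, for a user account and for the workstation's own account, which is the signature of a client whose offered encryption types the KDC does not share; the bad-password and unknown-SPN failures from other addresses are unrelated noise that a per-account view would have mixed in.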


RE: [ActiveDir] Moving Schema Master

2004-02-03 Thread Frank Buechler
Not much info.. small shop, few users. I'm looking at Ipsec.

-Original Message-
From: Craig Cerino [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 12:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master 


How much info are we talking about Frank?
That is going to come into play when you're talking about "how long" it
will take.



RE: [ActiveDir] Moving Schema Master

2004-02-03 Thread Frank Buechler
I am the firewall guy..  ;^) Thinking in longer terms, I am going to
encounter this same dilemma when I migrate Exchange 2000 to Exchange
2003 on the new server.. Maybe IPSec is the solution..

-Original Message-
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 12:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master 


The actual moving of the Schema Master role should take less than 15
minutes.  Moving the server out of the DMZ would take longer.

For the short time it would take to move the Schema Master role, I would
talk to the firewall guys to see if they would be willing to 'hover'
nearby to open the appropriate ports JUST long enough for the role
move.  That action would be the least disruptive to your clients' access
to OWA and the primary web site.

Kenneth W. (Ken) Adams, MCSA, MCSE





RE: [ActiveDir] Moving Schema Master

2004-02-03 Thread Frank Buechler
Roger! How many years have I seen your name floating around these
(and Dean's) lists? Yours is definitely a trusted voice my friend!
I agree with you, and Squid is a solution I am familiar with. But, 
this is a small shop and that particular box does more than just
OWA. I know what you're thinking, but my hands are tied on this
one. Can I simply move the FSMO role off that box (by very quickly
placing it inside), then move it back into the DMZ with no grief? 

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 12:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Schema Master 


I'd suggest rearchitecting the network to be a more sane environment.
Putting Exchange in the DMZ is fairly scary.

IF your users are so intent on OWA from outside, it's a far better option,
IMO, to put a proxy server (either ISA or Squid-proxy if you're Unix savvy)
in the DMZ and putting the OWA box inside. You're putting an awful lot of
collateral into an untrusted section of your domain, and having to allow a
LOT of traffic into the inside network. Permanently moving the Exchange box
inside would make a LOT of sense - even if you end up just passing all OWA
traffic all the way in.

Second - the issue with the schema master is most likely because the
necessary ports aren't open enough from the outside. One alternate, which is
a bit ugly but could work, would be to set up IPSec tunneling between the
two boxes - that way it's 100% open traffic because all of it would get
encapsulated and passed through the pipe.

Personally, I'd permanently move the Exchange box to address both issues at
once.


--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Frank Buechler [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, February 03, 2004 11:08 AM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] Moving Schema Master 
> 
> 
> Good Morning Folks
> 
> I'm having a bit of a problem and I'm wondering if one of you 
> fine people can help me
> out. First, let me give you an outline of the structure here. 
> I have (2) 2000 servers, one
> in the DMZ (Exchange Server, our clients rely heavily on 
> OWA), and the other sitting
> in trusted. The Operations Master is the server sitting on 
> the inside, the Schema
> Master is the server sitting in the DMZ. I have been called 
> here to upgrade everything
> to 2003 Server. Here's where I'm at:
> 
> I have placed a 2003 server (brand new box) on the network. 
> This box is currently sitting
> in trusted, but it will eventually be the new Exchange 
> server. I want to run ADPREP
> /FORESTPREP on the Schema Master to bring the 2003 server 
> into the AD. Since I
> really don't want to take the Exchange server off the network 
> to do this, and since that box
> will be getting demoted anyway, I thought I would move the 
> Schema Master role to the
> server currently sitting in trusted, and run ADPREP against 
> it. However, when I attempt to
> do this, I get an error; "The current FSMO holder could not 
> be contacted".
> 
> Does the Exchange server (Schema Master) need to come out of the DMZ?
> 
> TIA!
> 
> -Frank


RE: [ActiveDir] Moving Schema Master

2004-02-03 Thread Adams, Kenneth W (Ken)
The actual moving of the Schema Master role should take less than 15
minutes.  Moving the server out of the DMZ would take longer.

For the short time it would take to move the Schema Master role, I would
talk to the firewall guys to see if they would be willing to 'hover'
nearby to open the appropriate ports JUST long enough for the role
move.  That action would be the least disruptive to your clients' access
to OWA and the primary web site.

Kenneth W. (Ken) Adams, MCSA, MCSE



-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 03, 2004 12:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master 


Well, taking that machine out of the DMZ is going to have a few
repercussions. Not only will it down OWA, but the corporate web
site is also being hosted there. Opening ports is last-resort stuff.
If I did bring that machine inside, how long would it take to move
the Schema Master role to the second server? Are there any gotchas
involved in doing that, then simply placing the machine back in the DMZ?

-Original Message-
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 11:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master 


Either take the current Schema Master out of the DMZ or (shudder) open
the appropriate ports through the interior firewall and point them
explicitly to the server you want to become the Schema Master.

Kenneth W. (Ken) Adams, MCSA, MCSE



-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 03, 2004 11:08 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moving Schema Master 


Good Morning Folks

I'm having a bit of a problem and I'm wondering if one of you fine
people can help me
out. First, let me give you an outline of the structure here. I have (2)
2000 servers, one
in the DMZ (Exchange Server, our clients rely heavily on OWA), and the
other sitting
in trusted. The Operations Master is the server sitting on the inside,
the Schema
Master is the server sitting in the DMZ. I have been called here to
upgrade everything
to 2003 Server. Here's where I'm at:

I have placed a 2003 server (brand new box) on the network. This box is
currently sitting
in trusted, but it will eventually be the new Exchange server. I want to
run ADPREP
/FORESTPREP on the Schema Master to bring the 2003 server into the AD.
Since I
really don't want to take the Exchange server off the network to do
this, and since that box
will be getting demoted anyway, I thought I would move the Schema Master
role to the
server currently sitting in trusted, and run ADPREP against it. However,
when I attempt to
do this, I get an error; "The current FSMO holder could not be
contacted".

Does the Exchange server (Schema Master) need to come out of the DMZ?

TIA!

-Frank


RE: [ActiveDir] Moving Schema Master

2004-02-03 Thread Craig Cerino
How much info are we talking about Frank?
That is going to come into play when you're talking about "how long" it
will take.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Tuesday, February 03, 2004 12:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master 

Well, taking that machine out of the DMZ is going to have a few
repercussions. Not only will it down OWA, but the corporate web
site is also being hosted there. Opening ports is last-resort stuff.
If I did bring that machine inside, how long would it take to move
the Schema Master role to the second server? Are there any gotchas
involved in doing that, then simply placing the machine back in the DMZ?

-Original Message-
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 11:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master 


Either take the current Schema Master out of the DMZ or (shudder) open
the appropriate ports through the interior firewall and point them
explicitly to the server you want to become the Schema Master.

Kenneth W. (Ken) Adams, MCSA, MCSE



-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 03, 2004 11:08 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moving Schema Master 


Good Morning Folks

I'm having a bit of a problem and I'm wondering if one of you fine
people can help me
out. First, let me give you an outline of the structure here. I have (2)
2000 servers, one
in the DMZ (Exchange Server, our clients rely heavily on OWA), and the
other sitting
in trusted. The Operations Master is the server sitting on the inside,
the Schema
Master is the server sitting in the DMZ. I have been called here to
upgrade everything
to 2003 Server. Here's where I'm at:

I have placed a 2003 server (brand new box) on the network. This box is
currently sitting
in trusted, but it will eventually be the new Exchange server. I want to
run ADPREP
/FORESTPREP on the Schema Master to bring the 2003 server into the AD.
Since I
really don't want to take the Exchange server off the network to do
this, and since that box
will be getting demoted anyway, I thought I would move the Schema Master
role to the
server currently sitting in trusted, and run ADPREP against it. However,
when I attempt to
do this, I get an error; "The current FSMO holder could not be
contacted".

Does the Exchange server (Schema Master) need to come out of the DMZ?

TIA!

-Frank


RE: [ActiveDir] Moving Schema Master

2004-02-03 Thread Roger Seielstad
Depends, but my experience with moving FSMO roles is sub-minute times.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Frank Buechler [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, February 03, 2004 12:21 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Moving Schema Master 
> 
> 
> Well, taking that machine out of the DMZ is going to have a few
> repercussions. Not only will it down OWA, but the corporate web
> site is also being hosted there. Opening ports is last-resort stuff.
> If I did bring that machine inside, how long would it take to move
> the Schema Master role to the second server? Are there any gotchas
> involved in doing that, then simply placing the machine back 
> in the DMZ?
> 
> -Original Message-
> From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 03, 2004 11:56 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Moving Schema Master 
> 
> 
> Either take the current Schema Master out of the DMZ or (shudder) open
> the appropriate ports through the interior firewall and point them
> explicitly to the server you want to become the Schema Master.
> 
> Kenneth W. (Ken) Adams, MCSA, MCSE
> 
> 
> 
> -Original Message-
> From: Frank Buechler [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, February 03, 2004 11:08 AM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] Moving Schema Master 
> 
> 
> Good Morning Folks
> 
> I'm having a bit of a problem and I'm wondering if one of you fine
> people can help me
> out. First, let me give you an outline of the structure here. 
> I have (2)
> 2000 servers, one
> in the DMZ (Exchange Server, our clients rely heavily on OWA), and the
> other sitting
> in trusted. The Operations Master is the server sitting on the inside,
> the Schema
> Master is the server sitting in the DMZ. I have been called here to
> upgrade everything
> to 2003 Server. Here's where I'm at:
> 
> I have placed a 2003 server (brand new box) on the network. 
> This box is
> currently sitting
> in trusted, but it will eventually be the new Exchange 
> server. I want to
> run ADPREP
> /FORESTPREP on the Schema Master to bring the 2003 server into the AD.
> Since I
> really don't want to take the Exchange server off the network to do
> this, and since that box
> will be getting demoted anyway, I thought I would move the 
> Schema Master
> role to the
> server currently sitting in trusted, and run ADPREP against 
> it. However,
> when I attempt to
> do this, I get an error; "The current FSMO holder could not be
> contacted".
> 
> Does the Exchange server (Schema Master) need to come out of the DMZ?
> 
> TIA!
> 
> -Frank


RE: [ActiveDir] Integrate Linux with AD

2004-02-03 Thread Sullivan, Kevin
I have seen Vintela in action. It is a fantastic solution. Very easy to
implement and your *nix users are authenticating to AD. Definitely take
a look at this. 

Kevin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
Sent: Tuesday, February 03, 2004 11:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Integrate Linux with AD

And, check out this product which enables single signon between *nix
clients/servers and Active Directory...

http://www.vintela.com/products/vas/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Tuesday, February 03, 2004 7:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Integrate Linux with AD

Look into Microsoft's Services for Unix 3.5.

http://www.microsoft.com/windows/sfu/default.asp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, February 03, 2004 10:20 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Integrate Linux with AD

This is the best link I know:

http://www.securityfocus.com/infocus/1563

-Original Message-
From: Jennifer Fountain [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 10:13 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Integrate Linux with AD


Does anyone know where I can locate instructions on how to integrate
Linux clients with AD?  Has anyone on the list implemented this successfully,
and would they share this information?  

Thank you for any information!
Jennifer 


RE: [ActiveDir] Moving Schema Master

2004-02-03 Thread Roger Seielstad
Having a production FSMO role in the DMZ doesn't scare you but having a few
(dozen) ports open does??? ;)

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, February 03, 2004 11:56 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Moving Schema Master 
> 
> 
> Either take the current Schema Master out of the DMZ or (shudder) open
> the appropriate ports through the interior firewall and point them
> explicitly to the server you want to become the Schema Master.
> 
> Kenneth W. (Ken) Adams, MCSA, MCSE
> 
> 
> 
> -Original Message-
> From: Frank Buechler [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, February 03, 2004 11:08 AM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] Moving Schema Master 
> 
> 
> Good Morning Folks
> 
> I'm having a bit of a problem and I'm wondering if one of you fine
> people can help me
> out. First, let me give you an outline of the structure here. 
> I have (2)
> 2000 servers, one
> in the DMZ (Exchange Server, our clients rely heavily on OWA), and the
> other sitting
> in trusted. The Operations Master is the server sitting on the inside,
> the Schema
> Master is the server sitting in the DMZ. I have been called here to
> upgrade everything
> to 2003 Server. Here's where I'm at:
> 
> I have placed a 2003 server (brand new box) on the network. 
> This box is
> currently sitting
> in trusted, but it will eventually be the new Exchange 
> server. I want to
> run ADPREP
> /FORESTPREP on the Schema Master to bring the 2003 server into the AD.
> Since I
> really don't want to take the Exchange server off the network to do
> this, and since that box
> will be getting demoted anyway, I thought I would move the 
> Schema Master
> role to the
> server currently sitting in trusted, and run ADPREP against 
> it. However,
> when I attempt to
> do this, I get an error; "The current FSMO holder could not be
> contacted".
> 
> Does the Exchange server (Schema Master) need to come out of the DMZ?
> 
> TIA!
> 
> -Frank


RE: [ActiveDir] Moving Schema Master

2004-02-03 Thread Roger Seielstad
I'd suggest rearchitecting the network to be a more sane environment.
Putting Exchange in the DMZ is fairly scary.

IF your users are so intent on OWA from outside, it's a far better option,
IMO, to put a proxy server (either ISA or Squid-proxy if you're Unix savvy)
in the DMZ and putting the OWA box inside. You're putting an awful lot of
collateral into an untrusted section of your domain, and having to allow a
LOT of traffic into the inside network. Permanently moving the Exchange box
inside would make a LOT of sense - even if you end up just passing all OWA
traffic all the way in.

Second - the issue with the schema master is most likely because the
necessary ports aren't open enough from the outside. One alternate, which is
a bit ugly but could work, would be to set up IPSec tunneling between the
two boxes - that way it's 100% open traffic because all of it would get
encapsulated and passed through the pipe.

Personally, I'd permanently move the Exchange box to address both issues at
once.


--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Frank Buechler [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, February 03, 2004 11:08 AM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] Moving Schema Master 
> 
> 
> Good Morning Folks
> 
> I'm having a bit of a problem and I'm wondering if one of you 
> fine people can help me
> out. First, let me give you an outline of the structure here. 
> I have (2) 2000 servers, one
> in the DMZ (Exchange Server, our clients rely heavily on 
> OWA), and the other sitting
> in trusted. The Operations Master is the server sitting on 
> the inside, the Schema
> Master is the server sitting in the DMZ. I have been called 
> here to upgrade everything
> to 2003 Server. Here's where I'm at:
> 
> I have placed a 2003 server (brand new box) on the network. 
> This box is currently sitting
> in trusted, but it will eventually be the new Exchange 
> server. I want to run ADPREP
> /FORESTPREP on the Schema Master to bring the 2003 server 
> into the AD. Since I
> really don't want to take the Exchange server off the network 
> to do this, and since that box
> will be getting demoted anyway, I thought I would move the 
> Schema Master role to the
> server currently sitting in trusted, and run ADPREP against 
> it. However, when I attempt to
> do this, I get an error; "The current FSMO holder could not 
> be contacted".
> 
> Does the Exchange server (Schema Master) need to come out of the DMZ?
> 
> TIA!
> 
> -Frank
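A pre-flight check for the role transfer discussed in this thread, as an added example that is not from the thread or from any list member. It assumes a current Windows domain controller with the ActiveDirectory PowerShell module (RSAT) and the Test-NetConnection cmdlet, neither of which existed when the thread was written (the 2004-era equivalents were ntdsutil and the Schema snap-in); the port list is my assumption of the usual DC-to-DC dependencies, not something the thread enumerates. Run it on the DC you intend to make the new Schema Master: it prints the current role holders, then probes the current holder on each port, so a BLOCKED line tells you which firewall rule is behind "The current FSMO holder could not be contacted" before anyone opens more than the transfer needs.

```powershell
# Added example: verify that the candidate DC can reach the current Schema
# Master before attempting a role transfer. Not from the original thread.
# Requires the ActiveDirectory module (RSAT) on a supported Windows version.

Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Returns an ordered table of every FSMO role and the DC that holds it.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        'SchemaMaster'         = $forest.SchemaMaster
        'DomainNamingMaster'   = $forest.DomainNamingMaster
        'PDCEmulator'          = $domain.PDCEmulator
        'RIDMaster'            = $domain.RIDMaster
        'InfrastructureMaster' = $domain.InfrastructureMaster
    }
}

function Test-FsmoHolderReachability {
    param([Parameter(Mandatory)][string]$Holder)

    # Assumed port list: the services a DC-to-DC role transfer and the
    # replication that follows it depend on. Adjust to your environment.
    $ports = @(
        @{ Port = 135;  Name = 'RPC endpoint mapper' },
        @{ Port = 389;  Name = 'LDAP' },
        @{ Port = 636;  Name = 'LDAPS' },
        @{ Port = 88;   Name = 'Kerberos' },
        @{ Port = 445;  Name = 'SMB' },
        @{ Port = 53;   Name = 'DNS' },
        @{ Port = 3268; Name = 'Global Catalog' }
    )

    foreach ($p in $ports) {
        $r = Test-NetConnection -ComputerName $Holder -Port $p.Port `
                                -WarningAction SilentlyContinue
        [pscustomobject]@{
            Service = $p.Name
            Port    = $p.Port
            State   = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        }
    }
}

$holders = Get-FsmoHolders
$holders.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

$schemaMaster = $holders['SchemaMaster']
"`nProbing $schemaMaster from $env:COMPUTERNAME ..."
Test-FsmoHolderReachability -Holder $schemaMaster | Format-Table -AutoSize

# The dynamic RPC port range cannot usefully be probed port by port; a
# replication summary exercises the same RPC path a transfer will use.
repadmin /replsummary $schemaMaster

# Only once every probe reports 'open' should the transfer be attempted:
# Move-ADDirectoryServerOperationMasterRole -Identity $env:COMPUTERNAME `
#     -OperationMasterRole SchemaMaster
```

A transfer requires the current holder to answer, which is exactly what the probe confirms. Seizing the role (the -Force switch on Move-ADDirectoryServerOperationMasterRole) exists for a holder that is permanently gone and is not a workaround for a firewall, because a seized role's old holder must never return to the network. Once the transfer completes, the temporary firewall rule can be closed again.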


RE: [ActiveDir] Moving Schema Master

2004-02-03 Thread Frank Buechler
Well, taking that machine out of the DMZ is going to have a few
repercussions. Not only will it down OWA, but the corporate web
site is also being hosted there. Opening ports is last-resort stuff.
If I did bring that machine inside, how long would it take to move
the Schema Master role to the second server? Are there any gotchas
involved in doing that, then simply placing the machine back in the DMZ?

-Original Message-
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 11:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master 


Either take the current Schema Master out of the DMZ or (shudder) open
the appropriate ports through the interior firewall and point them
explicitly to the server you want to become the Schema Master.

Kenneth W. (Ken) Adams, MCSA, MCSE



-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 03, 2004 11:08 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moving Schema Master 


Good Morning Folks

I'm having a bit of a problem and I'm wondering if one of you fine
people can help me
out. First, let me give you an outline of the structure here. I have (2)
2000 servers, one
in the DMZ (Exchange Server, our clients rely heavily on OWA), and the
other sitting
in trusted. The Operations Master is the server sitting on the inside,
the Schema
Master is the server sitting in the DMZ. I have been called here to
upgrade everything
to 2003 Server. Here's where I'm at:

I have placed a 2003 server (brand new box) on the network. This box is
currently sitting
in trusted, but it will eventually be the new Exchange server. I want to
run ADPREP
/FORESTPREP on the Schema Master to bring the 2003 server into the AD.
Since I
really don't want to take the Exchange server off the network to do
this, and since that box
will be getting demoted anyway, I thought I would move the Schema Master
role to the
server currently sitting in trusted, and run ADPREP against it. However,
when I attempt to
do this, I get an error; "The current FSMO holder could not be
contacted".

Does the Exchange server (Schema Master) need to come out of the DMZ?

TIA!

-Frank


RE: [ActiveDir] Moving Schema Master

2004-02-03 Thread Craig Cerino
Hahahaha or - what Ken said 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth
W (Ken)
Sent: Tuesday, February 03, 2004 11:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master 

Either take the current Schema Master out of the DMZ or (shudder) open
the appropriate ports through the interior firewall and point them
explicitly to the server you want to become the Schema Master.

Kenneth W. (Ken) Adams, MCSA, MCSE



-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 03, 2004 11:08 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moving Schema Master 


Good Morning Folks

I'm having a bit of a problem and I'm wondering if one of you fine
people can help me
out. First, let me give you an outline of the structure here. I have (2)
2000 servers, one
in the DMZ (Exchange Server, our clients rely heavily on OWA), and the
other sitting
in trusted. The Operations Master is the server sitting on the inside,
the Schema
Master is the server sitting in the DMZ. I have been called here to
upgrade everything
to 2003 Server. Here's where I'm at:

I have placed a 2003 server (brand new box) on the network. This box is
currently sitting
in trusted, but it will eventually be the new Exchange server. I want to
run ADPREP
/FORESTPREP on the Schema Master to bring the 2003 server into the AD.
Since I
really don't want to take the Exchange server off the network to do
this, and since that box
will be getting demoted anyway, I thought I would move the Schema Master
role to the
server currently sitting in trusted, and run ADPREP against it. However,
when I attempt to
do this, I get an error; "The current FSMO holder could not be
contacted".

Does the Exchange server (Schema Master) need to come out of the DMZ?

TIA!

-Frank


RE: [ActiveDir] Moving Schema Master

2004-02-03 Thread Craig Cerino
My response to you would be yes (it should), no (it doesn't have to).

Yes - the most secure, non-convoluted way to do this is to bring it
onto the trusted wires and move it over.

No - it doesn't have to, if you want to throw caution to the wind and
allow the traffic to flow through your firewall (yikes) and move it from
the DMZ - not the way I would go

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Tuesday, February 03, 2004 11:08 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moving Schema Master 

Good Morning Folks

I'm having a bit of a problem and I'm wondering if one of you fine
people can help me
out. First, let me give you an outline of the structure here. I have (2)
2000 servers, one
in the DMZ (Exchange Server, our clients rely heavily on OWA), and the
other sitting
in trusted. The Operations Master is the server sitting on the inside,
the Schema
Master is the server sitting in the DMZ. I have been called here to
upgrade everything
to 2003 Server. Here's where I'm at:

I have placed a 2003 server (brand new box) on the network. This box is
currently sitting
in trusted, but it will eventually be the new Exchange server. I want to
run ADPREP
/FORESTPREP on the Schema Master to bring the 2003 server into the AD.
Since I
really don't want to take the Exchange server off the network to do
this, and since that box
will be getting demoted anyway, I thought I would move the Schema Master
role to the
server currently sitting in trusted, and run ADPREP against it. However,
when I attempt to
do this, I get an error; "The current FSMO holder could not be
contacted".

Does the Exchange server (Schema Master) need to come out of the DMZ?

TIA!

-Frank


RE: [ActiveDir] Moving Schema Master

2004-02-03 Thread Adams, Kenneth W (Ken)
Either take the current Schema Master out of the DMZ or (shudder) open
the appropriate ports through the interior firewall and point them
explicitly to the server you want to become the Schema Master.

Kenneth W. (Ken) Adams, MCSA, MCSE



-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 03, 2004 11:08 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moving Schema Master 


Good Morning Folks

I'm having a bit of a problem and I'm wondering if one of you fine
people can help me
out. First, let me give you an outline of the structure here. I have (2)
2000 servers, one
in the DMZ (Exchange Server, our clients rely heavily on OWA), and the
other sitting
in trusted. The Operations Master is the server sitting on the inside,
the Schema
Master is the server sitting in the DMZ. I have been called here to
upgrade everything
to 2003 Server. Here's where I'm at:

I have placed a 2003 server (brand new box) on the network. This box is
currently sitting
in trusted, but it will eventually be the new Exchange server. I want to
run ADPREP
/FORESTPREP on the Schema Master to bring the 2003 server into the AD.
Since I
really don't want to take the Exchange server off the network to do
this, and since that box
will be getting demoted anyway, I thought I would move the Schema Master
role to the
server currently sitting in trusted, and run ADPREP against it. However,
when I attempt to
do this, I get an error; "The current FSMO holder could not be
contacted".

Does the Exchange server (Schema Master) need to come out of the DMZ?

TIA!

-Frank


RE: [ActiveDir] Is this list still active?

2004-02-03 Thread Shawn.Hayes
I thought after the fact that I should have said  "Rubber Chickens".
Those monitoring the list for a while would understand 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Tuesday, February 03, 2004 10:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Is this list still active?

I was gonna give a similar smart-arse answer - but I didn't wanna scare
the dude off :) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 10:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Is this list still active?

Nobody here but us chickens...

Just kidding, this is a very active list... very informative... lots of
smart people, not including myself

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Tuesday, February 03, 2004 10:36 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Is this list still active?

I have a couple of questions, and I really need help!


RE: [ActiveDir] Revising Site Design

2004-02-03 Thread Eric_Jones




Perfect!  That is exactly what I needed to confirm.

I truly appreciate the help.



Eric Jones, Senior SE
Intel Server Group
(W) 336.424.3084
(M) 336.457.2591
www.vfc.com


From: Roger Seielstad <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 02/03/2004 10:13 AM
Please respond to: ActiveDir
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] Revising Site Design




Bob Free posted a link to Gil Kirkpatrick's excellent logon topology doc:

http://www.winnetmag.com/Articles/Index.cfm?ArticleID=37935 or
http://www.netpro.com/forum/files/Authentication_Topology.pdf

Well worth reading, and if I remember correctly, it covers the exact
question you've got...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 03, 2004 9:31 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Revising Site Design
>
>
>
>
>
>
> Hello All,
>
> I'm revising our global site design, to further reduce DCs and get more efficient use of bandwidth.  I'm finding that we have a number of physical sites that do not necessarily have enough users to constitute a DC and who also have high-speed connections to multiple other locations that do need and have DCs.
>
> I know that the bulk of design documentation says to create a site only if there will be a DC located at that location, but what about to control logon traffic?  Having a site defined in AD for the respective subnets would allow me to setup costs and correspondingly control where these locations would attempt to authenticate as well as better controlling DFS...etc.
>
> Since I haven't run across any best practice documentation noting this scenario, I was wondering if there are others on this list who have pondered or actually done this.
>
> Any info or general recommendations would be greatly appreciated.
>
>
>
> Eric Jones, Senior SE
> Intel Server Group
> (W) 336.424.3084
> (M) 336.457.2591
> www.vfc.com
>


[ActiveDir] Moving Schema Master

2004-02-03 Thread Frank Buechler
Good Morning Folks

I'm having a bit of a problem and I'm wondering if one of you fine people can help me out. First, let me give you an outline of the structure here. I have (2) 2000 servers, one in the DMZ (Exchange Server, our clients rely heavily on OWA), and the other sitting in trusted. The Operations Master is the server sitting on the inside, the Schema Master is the server sitting in the DMZ. I have been called here to upgrade everything to 2003 Server. Here's where I'm at:

I have placed a 2003 server (brand new box) on the network. This box is currently sitting in trusted, but it will eventually be the new Exchange server. I want to run ADPREP /FORESTPREP on the Schema Master to bring the 2003 server into the AD. Since I really don't want to take the Exchange server off the network to do this, and since that box will be getting demoted anyway, I thought I would move the Schema Master role to the server currently sitting in trusted, and run ADPREP against it. However, when I attempt to do this, I get an error: "The current FSMO holder could not be contacted".

Does the Exchange server (Schema Master) need to come out of the DMZ?

TIA!

-Frank


RE: [ActiveDir] logon server discovery

2004-02-03 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
Bob pointed out all there was to say to the original post, but some useful
information to add in the whole DC-failover scenario is, how long does a DC
wait itself for calculating additional connection objects, in case the
original replication partner doesn't react and it needs to look for another
partner?  

There are various settings that can be configured to adapt appropriately to
a company's infrastructure, configured in the Registry of each DC:

KCC site generator fail-over (minutes) => how long after the last ISTG
update
a DC will wait before nominating a new ISTG

KCC site generator renewal interval (minutes) => how often the ISTG updates
its role information (Not used when in w2k3 forest mode for the new istg
algorithm) 

CriticalLinkFailuresAllowed => number of critical link failures the KCC will
tolerate before recomputing the topology 

MaxFailureTimeForCriticalLink (sec) => time a critical link may be down
before the KCC will recompute the topology 

NonCriticalLinkFailuresAllowed => number of non-critical link failures the
KCC will tolerate before recomputing the topology

MaxFailureTimeForNonCriticalLink (sec) => time a non-critical link may be
down before the KCC will recompute the topology 

IntersiteFailuresAllowed => number of intersite link failures before the
ISTG will recompute the intersite topology 

MaxFailureTimeForIntersiteLink (sec) => time an intersite link may be down
before the ISTG will recompute the intersite topology


I'm actually not sure which key these have to be configured in (believe it's
HKLM\Sys\CCS\Services\Netlogon\Parameters).


/Guido

-Original Message-
From: Free, Bob [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 3 February 2004 08:36
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon server discovery

joe  wrote:
> No one seems to be jumping on this with any authoritative answers, I
> was hoping Guido or Dean would nail it as I was looking to learn
> something. :o)

I'm hardly authoritative but what I've picked up on the subject :-)
 
Blatantly plagiarized from Gil's awesome March 2003 Authentication
Topology paper- 
http://www.winnetmag.com/Articles/Index.cfm?ArticleID=37935 or
http://www.netpro.com/forum/files/Authentication_Topology.pdf

The DNS service responds with a list of SRV records that correspond to
all the DCs in the client's domain. The client takes the records with
the lowest-priority value and issues an AD ping (which is actually an
LDAP-over-UDP query) to each DC in turn. If a DC doesn't respond within
a tenth of a second, the client tries the next DC, and so on, until a DC
responds.

When a DC receives an AD ping from a client, the DC calculates two
crucial pieces of information before sending a response. First, the DC
determines the site closest to the client; to do so, the DC compares the
IP address in the request packet with an in-memory data structure that
contains the site and subnet associations defined in AD's site objects.
The DC also determines whether it's in the site closest (from an IP
topology point of view) to the client's site. The DC sends this
information and the name of the responding DC's site in a UDP response
to the client.

When the client receives this response, it determines whether the
responding DC is in the site closest to its site. If so, the client
saves the returned client site name in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
registry subkey's DynamicSiteName entry and uses that DC for further
domain-authentication requests. If the DC response indicates that the DC
isn't in the site closest to the client's site, the client returns to
DNS to find a DC in the closest site. This time, because the client
knows its site name, it queries DNS for _ldap SRV records in the
_tcp.sitename.sites.dc._msdcs.domainname domain. DNS responds with a
list of SRV records for DCs in the specified site. The client again
selects those SRV records with the lowest priority and issues AD pings
to each in turn until one responds within a tenth of a second.
 

Sean Deuby had a related article in the December 2003 issue I've been
reading over the weekend-

Designing for DC Failover- How to create the best AD site topology
possible
http://www.winnetmag.com/Windows/Article/ArticleID/40718/40718.html

As far as the timeout value, he repeats the 100ms value for W2K and goes
on to say that in 2003 the client waits 400ms between queries for the
first 5 DC's, then 200ms between the next 5 then 100ms for the remaining
DC's in the list.
He further explains the various site coverage scenarios quite well in
the article.

Between the two articles the subjects are covered very handsomely...
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> Sent: Monday, February 02, 2004 8:33 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] logon server discovery
> 
> As we all know to death by now, local logon server discovery is by
> det
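An added example (not code from Guido's post or from the list) that audits the KCC/ISTG tuning values he lists on every DC in the domain and flags drift between DCs. It assumes the ActiveDirectory PowerShell module and WinRM remoting to the DCs; the registry key it reads is a parameter, and the default path shown is an assumption to check against your own documentation, since the post itself is unsure where the values live.

```powershell
# Added example: audit the KCC/ISTG registry tuning values across all DCs.
# Assumptions: ActiveDirectory module, WinRM remoting, and the default key path.
param(
    # Assumption: adjust this to wherever your documentation places the values.
    [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
)

# The value names as listed in the post.
$names = @(
    'KCC site generator fail-over (minutes)',
    'KCC site generator renewal interval (minutes)',
    'CriticalLinkFailuresAllowed',
    'MaxFailureTimeForCriticalLink (sec)',
    'NonCriticalLinkFailuresAllowed',
    'MaxFailureTimeForNonCriticalLink (sec)',
    'IntersiteFailuresAllowed',
    'MaxFailureTimeForIntersiteLink (sec)'
)

Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName

# Read the values on every DC; a missing value means the built-in default is in use.
$results = Invoke-Command -ComputerName $dcs -ArgumentList $KeyPath, $names -ScriptBlock {
    param($KeyPath, $names)
    $row   = [ordered]@{ DC = $env:COMPUTERNAME }
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    foreach ($n in $names) {
        $row[$n] = if ($props -and $props.PSObject.Properties[$n]) { $props.$n } else { '(default)' }
    }
    [pscustomobject]$row
}

$results | Sort-Object DC | Format-Table -AutoSize

# Flag values that are not identical on every DC: unintended drift here makes one
# DC give up on a failed partner sooner or later than its peers do.
foreach ($n in $names) {
    $distinct = @($results | Select-Object -ExpandProperty $n -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "'$n' differs across DCs: $($distinct -join ', ')"
    }
}
```

Any warning it prints is worth reconciling before tuning further, because the timers only behave predictably when every DC in a site agrees on them.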

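The DC-locator sequence Bob quotes above, walked through by hand as an added example (this is not code from the post or from Gil's paper). It assumes a Windows client with the DnsClient module, and it uses a short TCP connect to port 389 as a stand-in for the UDP LDAP ping the real locator sends; the DynamicSiteName entry it reads is the one named in the quoted text, and the 100 ms wait is the W2K per-DC timeout quoted there.

```powershell
# Added example: reproduce the client-side DC discovery steps described in the post.
# Assumptions: DnsClient module present; TCP/389 connect used in place of the UDP ping.
param(
    [string]$Domain    = $env:USERDNSDOMAIN,
    [int]   $TimeoutMs = 100   # per-DC wait quoted for W2K clients
)

$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-OrderedSrv {
    # Lowest priority wins; weight only orders the DCs inside that priority band.
    param([string]$Name)
    $records = Resolve-DnsName -Name $Name -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    $lowest = ($records | Measure-Object -Property Priority -Minimum).Minimum
    $records | Where-Object { $_.Priority -eq $lowest } | Sort-Object Weight -Descending
}

function Test-DcReachable {
    # Bounded connect attempt; the locator moves on if a DC is silent for the window.
    param([string]$Target, [int]$Port, [int]$Ms)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($Ms)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Step 1: every DC in the domain, lowest-priority band first, probed one at a time
# until one answers (Select-Object -First 1 stops the probing at the first success).
$candidates = Get-OrderedSrv "_ldap._tcp.dc._msdcs.$Domain"
$first = $candidates |
    Where-Object { Test-DcReachable $_.NameTarget $_.Port $TimeoutMs } |
    Select-Object -First 1
if (-not $first) { throw "No DC answered within $TimeoutMs ms" }
"First responder: $($first.NameTarget)"

# Step 2: the site name a previous response taught this client.
$site = (Get-ItemProperty -Path $netlogon -Name DynamicSiteName -ErrorAction SilentlyContinue).DynamicSiteName
if ($site) {
    "Cached client site: $site"
    # Step 3: the site-specific query the client issues when the first DC was not in the closest site.
    Get-OrderedSrv "_ldap._tcp.$site._sites.dc._msdcs.$Domain" | ForEach-Object {
        [pscustomobject]@{
            DC        = $_.NameTarget
            Priority  = $_.Priority
            Weight    = $_.Weight
            Reachable = Test-DcReachable $_.NameTarget $_.Port $TimeoutMs
        }
    } | Format-Table -AutoSize
} else {
    "No DynamicSiteName cached yet; the next domain logon will populate it."
}
```

Comparing the site-specific table with the output of `nltest /dsgetdc:<domain>` on the same client shows whether the locator's pick matches what the subnet-to-site mapping intends; a DC listed as unreachable within the window is exactly the one a client would silently skip over.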
RE: [ActiveDir] Removing Legal Notice Caption Text GPO

2004-02-03 Thread deji Agba



Before you set it to "Not Defined", remove the Notice and, after it's all propagated, then set it to "Disabled". You can then set it to "Not Defined" after a while. What's happening is that the clients are already tattooed with the setting and you need to clear it out first. Another way is to just run a script that removes the entries from the registry on each computer that's been tattooed.
 


 
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon


From: Rimmerman, Russ
Sent: Tue 2/3/2004 6:39 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Removing Legal Notice Caption Text GPO
We had a GPO in place to apply a legal notice at logon.  Now we were
directed to remove it due to political reasons, and I've set it back to Not
Defined.  For some reason, it's still applying.  I tried refreshing using
secedit and its still appearing.  Am I just not patient enough?  Or did the
GPO apply to everyones registries permanently and somehow has to be
'un-done' other than setting the GPO to "Not Defined"?

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
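An added example of the registry clean-up script Dèjì mentions (this is not code from the post). The two value names are the registry entries behind the interactive-logon message title and text settings, which the post does not name; the computer list and the use of WinRM remoting to reach the clients are assumptions.

```powershell
# Added example: clear a tattooed legal-notice setting and report what was found.
# Assumptions: WinRM remoting to the clients; replace the computer list with your own.
param(
    [string[]]$ComputerName = @('WS01', 'WS02'),   # assumption: placeholder host names
    [switch]$DryRun                                  # report only, change nothing
)

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$values    = 'LegalNoticeCaption', 'LegalNoticeText'

$report = Invoke-Command -ComputerName $ComputerName -ArgumentList $policyKey, $values, [bool]$DryRun -ScriptBlock {
    param($policyKey, $values, $dryRun)
    $before = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    foreach ($v in $values) {
        $present = [bool]($before -and $before.PSObject.Properties[$v] -and $before.$v -ne '')
        if ($present -and -not $dryRun) {
            # Deleting the value is what un-tattoos the client: a GPO set to Not Defined
            # writes nothing, so it never removes what an earlier policy wrote here.
            Remove-ItemProperty -Path $policyKey -Name $v -ErrorAction SilentlyContinue
        }
        $after = Get-ItemProperty -Path $policyKey -Name $v -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Value    = $v
            WasSet   = $present
            StillSet = [bool]($after -and $after.$v -ne '')
        }
    }
}

$report | Sort-Object Computer, Value | Format-Table -AutoSize
```

Run it with -DryRun first to see which machines are still tattooed. After the removal, a `gpupdate /force` on one client followed by a second dry run confirms that no remaining GPO writes the values back, which is the case Russ was worried about.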



RE: [ActiveDir] Integrate Linux with AD

2004-02-03 Thread Depp, Dennis M.
Jennifer,

What are you trying to integrate?  Do you want to authenticate the users
against active directory?  If so you can look at the Linux documentation
LDAP-HOWTO.  But I don't think there is any specific Active Directory
info in there.  There was also a paper in the SANS reading room
www.sans.org that discussed authenticating HPUX with Active Directory.
If you want to have the Linux servers appear in Active Directory, look
into SAMBA.  http://us3.samba.org/samba/docs/man/ They have some very
good documentation on interaction of SAMBA servers with AD.

Denny 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer
Fountain
Sent: Tuesday, February 03, 2004 10:13 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Integrate Linux with AD

Does anyone know where I can locate instructions on how to integrate
Linux clients with AD?  Has anyone on the list implemented this
successfully and would they share this information?

Thank you for any information!
Jennifer 


RE: [ActiveDir] Integrate Linux with AD

2004-02-03 Thread Jackson Shaw
And, check out this product which enables single signon between *nix
clients/servers and Active Directory...

http://www.vintela.com/products/vas/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Tuesday, February 03, 2004 7:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Integrate Linux with AD

Look into Microsoft's Services for Unix 3.5.

http://www.microsoft.com/windows/sfu/default.asp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, February 03, 2004 10:20 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Integrate Linux with AD

this is the best link I know.-

http://www.securityfocus.com/infocus/1563

-Original Message-
From: Jennifer Fountain [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 10:13 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Integrate Linux with AD


Does anyone know where I can locate instructions on how to integrate
Linux
clients with AD?  Has anyone on the list implemented this successfully and
would they share this information?

Thank you for any information!
Jennifer 


RE: [ActiveDir] Is this list still active?

2004-02-03 Thread mathif

Huh!


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 03, 2004 6:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Is this list still active?



Nobody here but us chickens...


Just kidding, this is a very active list... very informative... lots of
smart people, not including myself


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Frank Buechler
Sent: Tuesday, February 03, 2004 10:36 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Is this list still active?


I have a couple of questions, and I really need help!



  - 
 This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom/which they are addressed. If you have received this email in error please notify the system manager at the following email address: [EMAIL PROTECTED] . Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Al Faisaliah Group. Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, arrive late or contain viruses. The sender therefore does not accept liability for any errors or omissions in the context of this message, which arise as a result of Internet transmission.  Finally, the recipient should check this email and any attachments for the presence of viruses. Al Faisaliah Group accepts no liability for any damage caused by any virus transmitted by this email. 

  - 
 





RE: [ActiveDir] Is this list still active?

2004-02-03 Thread Frank Buechler
Thanks Shawn! Then I will post my pesky little problem here shortly..  :^)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 10:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Is this list still active?


Nobody here but us chickens...

Just kidding, this is a very active list... very informative... lots of
smart people, not including myself

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Tuesday, February 03, 2004 10:36 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Is this list still active?

I have a couple of questions, and I really need help!


RE: [ActiveDir] Is this list still active?

2004-02-03 Thread Craig Cerino
I was gonna give a similar smart-arse answer - but I didn't wanna scare
the dude off :) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 10:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Is this list still active?

Nobody here but us chickens...

Just kidding, this is a very active list... very informative... lots of
smart people, not including myself

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Tuesday, February 03, 2004 10:36 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Is this list still active?

I have a couple of questions, and I really need help!


RE: [ActiveDir] Removing Legal Notice Caption Text GPO

2004-02-03 Thread Rimmerman, Russ

Nevermind, I guess it just hadn't had time to replicate.  I should learn to
be more patient! 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, February 03, 2004 8:39 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Removing Legal Notice Caption Text GPO


We had a GPO in place to apply a legal notice at logon.  Now we were
directed to remove it due to political reasons, and I've set it back to Not
Defined.  For some reason, it's still applying.  I tried refreshing using
secedit and its still appearing.  Am I just not patient enough?  Or did the
GPO apply to everyones registries permanently and somehow has to be
'un-done' other than setting the GPO to "Not Defined"?



RE: [ActiveDir] Is this list still active?

2004-02-03 Thread mathif

You can mail your questions...


-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 03, 2004 6:36 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Is this list still active?



I have a couple of questions, and I really need help!





RE: [ActiveDir] Is this list still active?

2004-02-03 Thread Craig Cerino
You may fire when ready Grizzly

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Tuesday, February 03, 2004 10:36 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Is this list still active?

I have a couple of questions, and I really need help!


RE: [ActiveDir] Is this list still active?

2004-02-03 Thread Shawn.Hayes
Nobody here but us chickens...

Just kidding, this is a very active list... very informative... lots of
smart people, not including myself

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Tuesday, February 03, 2004 10:36 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Is this list still active?

I have a couple of questions, and I really need help!


RE: [ActiveDir] Integrate Linux with AD

2004-02-03 Thread Rod Trent
Look into Microsoft's Services for Unix 3.5.

http://www.microsoft.com/windows/sfu/default.asp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, February 03, 2004 10:20 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Integrate Linux with AD

this is the best link I know.-

http://www.securityfocus.com/infocus/1563

-Original Message-
From: Jennifer Fountain [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 10:13 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Integrate Linux with AD


Does anyone know where I can locate instructions on how to integrate Linux
clients with AD?  Has anyone on the list implemented this successfully and
would they share this information?

Thank you for any information!
Jennifer 


[ActiveDir] Is this list still active?

2004-02-03 Thread Frank Buechler
I have a couple of questions, and I really need help!


RE: [ActiveDir] Integrate Linux with AD

2004-02-03 Thread Kern, Tom
this is the best link I know.-

http://www.securityfocus.com/infocus/1563

-Original Message-
From: Jennifer Fountain [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 10:13 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Integrate Linux with AD


Does anyone know where I can locate instructions on how to integrate
Linux clients with AD?  Has anyone on the list implemented this
successfully and would they share this information?

Thank you for any information!
Jennifer 


[ActiveDir] Latin America Active Directory

2004-02-03 Thread robert.contreras
Hello Everyone,

I am in the process of extending an existing AD design to encompass locations in South America.  The locations in SA are all connected to the hub location (NY) via VPN.  The branch offices are currently running a mixture of single NT4 domains with no trusts set up back to the hub location NT4 domain, or small workgroups.

The hub location is currently migrating to AD and would like to bring SA into the fold.  Some questions that have been raised so far are around domains vs. sites.  Should these SA locations be sites connected to the hub location AD domain, should they be their own domain, or should we create one SA domain and have all the smaller sites connect to it (however, the sites connect directly to the hub (NY) and not to each other)?

Thanks!

Rob

-Original Message- 
From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED] 
Sent: Tue 2/3/2004 9:31 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [ActiveDir] Revising Site Design







Hello All,

I'm revising our global site design, to further reduce DCs and get more
efficient use of bandwidth.  I'm finding that we have a number of physical
sites that do not necessarily have enough users to constitute a DC and who
also have high-speed connections to multiple other locations that do need
and have DCs.

I know that the bulk of design documentation says to create a site only if
there will be a DC located at that location, but what about to control
logon traffic?  Having a site defined in AD for the respective subnets
would allow me to setup costs and correspondingly control where these
locations would attempt to authenticate as well as better controlling
DFS...etc.

Since I haven't run across any best practice documentation noting this
scenario, I was wondering if there are others on this list who have
pondered or actually done this.

Any info or general recommendations would be greatly appreciated.



Eric Jones, Senior SE
Intel Server Group
(W) 336.424.3084
(M) 336.457.2591
www.vfc.com


RE: [ActiveDir] Revising Site Design

2004-02-03 Thread Roger Seielstad
Bob Free posted a link to Gil Kirkpatrick's excellent logon topology doc:

http://www.winnetmag.com/Articles/Index.cfm?ArticleID=37935 or
http://www.netpro.com/forum/files/Authentication_Topology.pdf

Well worth reading, and if I remember correctly, it covers the exact
question you've got...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, February 03, 2004 9:31 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Revising Site Design
> 
> 
> 
> 
> 
> 
> Hello All,
> 
> I'm revising our global site design, to further reduce DCs and get more efficient use of bandwidth.  I'm finding that we have a number of physical sites that do not necessarily have enough users to constitute a DC and who also have high-speed connections to multiple other locations that do need and have DCs.
>
> I know that the bulk of design documentation says to create a site only if there will be a DC located at that location, but what about to control logon traffic?  Having a site defined in AD for the respective subnets would allow me to setup costs and correspondingly control where these locations would attempt to authenticate as well as better controlling DFS...etc.
>
> Since I haven't run across any best practice documentation noting this scenario, I was wondering if there are others on this list who have pondered or actually done this.
>
> Any info or general recommendations would be greatly appreciated.
> 
> 
> 
> Eric Jones, Senior SE
> Intel Server Group
> (W) 336.424.3084
> (M) 336.457.2591
> www.vfc.com
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: 
> http://www.mail-archive.com/activedir%> 40mail.activedir.org/
> 


[ActiveDir] Removing Legal Notice Caption Text GPO

2004-02-03 Thread Rimmerman, Russ

We had a GPO in place to apply a legal notice at logon.  Now we were
directed to remove it due to political reasons, and I've set it back to Not
Defined.  For some reason, it's still applying.  I tried refreshing using
secedit and it's still appearing.  Am I just not patient enough?  Or did the
GPO apply to everyone's registries permanently and somehow has to be
'un-done' other than setting the GPO to "Not Defined"?



[ActiveDir] Integrate Linux with AD

2004-02-03 Thread Jennifer Fountain
Does anyone know where I can locate instructions on how to integrate
Linux clients with AD?  Has anyone on the list implemented this
successfully and would they share this information?

Thank you for any information!
Jennifer 


[ActiveDir] Revising Site Design

2004-02-03 Thread Eric_Jones




Hello All,

I'm revising our global site design, to further reduce DCs and get more
efficient use of bandwidth.  I'm finding that we have a number of physical
sites that do not necessarily have enough users to constitute a DC and who
also have high-speed connections to multiple other locations that do need
and have DCs.

I know that the bulk of design documentation says to create a site only if
there will be a DC located at that location, but what about to control
logon traffic?  Having a site defined in AD for the respective subnets
would allow me to setup costs and correspondingly control where these
locations would attempt to authenticate as well as better controlling
DFS...etc.

Since I haven't run across any best practice documentation noting this
scenario, I was wondering if there are others on this list who have
pondered or actually done this.

Any info or general recommendations would be greatly appreciated.



Eric Jones, Senior SE
Intel Server Group
(W) 336.424.3084
(M) 336.457.2591
www.vfc.com



RE: [ActiveDir] How to recreate SYSVOL?

2004-02-03 Thread Santhosh Sivarajan
Did you try to restart Netlogon service?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Niklas Wikander
Sent: Tuesday, February 03, 2004 4:40 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] How to recreate SYSVOL?

Hi all!

Is there an easy way (or hard way) to recreate the SYSVOL share if it has
been deleted, and the domain only has one dc and no backup has been taken??

I'm experimenting a little with a server and I can't find any good
documents on how to do this.

Any help is appreciated.

/ Niklas


RE: [ActiveDir] How to recreate SYSVOL?

2004-02-03 Thread Jorge de Almeida Pinto
Hi,

Check out MS-KBQ324175 & MS-KBQ186750 for the structure
http://support.microsoft.com/default.aspx?scid=kb;en-us;324175
http://support.microsoft.com/default.aspx?scid=kb;en-us;186750

To create the junction points use the util LINKD.EXE (Reskit or Support
Tools... don't remember which)
For attributes and permissions see a healthy DC

Concerning the content of the SYSVOL as in the policies you could use
another DC with the same name and the same name for the domain to reproduce
the Default Domain Policy and the Default Domain Controllers Policy. If you
had custom content (self-defined policies) and you have no backup, then
those are lost.
You could also use ADUC to get the GUIDs of all policies (under
-SYSTEM-Policies)

After recreating your SYSVOL structure use GPOTOOL /DC: /V to check
the health of the policies (this tool will probably generate errors
concerning the versions of the policies in the DS and the SYSVOL). Insert the
DS version into the GPT.INI.

Regards,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: 3-2-2004 11:39
Subject: [ActiveDir] How to recreate SYSVOL?

Hi all!

Is there an easy way (or hard way) to recreate the SYSVOL share if it
has been deleted,
and the domain only has one dc and no backup has been taken??

I'm experimenting a little with a server and I can't find any good
documents on how to do this.

Any help is appreciated.

/ Niklas


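Jorge's last step above (GPOTOOL flagging version errors, then putting the DS version into GPT.INI) turns on one detail the post does not spell out: a GPO version is a single number that packs the user-settings counter into the high 16 bits and the computer-settings counter into the low 16 bits, and both the groupPolicyContainer's versionNumber attribute and the Version= line in GPT.INI use that encoding. The following is an added example, not code from the post or from GPOTOOL; the DS value and the GPT.INI text are constructed stand-ins for what you would read from the directory and from the policy folder under SYSVOL.

```python
"""Compare a GPO's DS version with its SYSVOL (GPT.INI) version and
rebuild a GPT.INI from the DS value.  Constructed example: the sample
version number and GPT.INI text below are made up, not read from a domain."""
import configparser


def split_gpo_version(version):
    """Unpack a GPO version number: user settings version in the high 16
    bits, computer settings version in the low 16 bits.  Both the DS
    versionNumber attribute and GPT.INI's Version= line use this layout."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def parse_gpt_ini(text):
    """Return the integer Version value from a GPT.INI body."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return int(cp["General"]["Version"])


def compare_gpo_versions(ds_version, gpt_text):
    """Report whether DS and SYSVOL agree, per half.  A mismatch here is
    what GPOTOOL reports as a version error after a SYSVOL rebuild."""
    sysvol_version = parse_gpt_ini(gpt_text)
    ds_user, ds_comp = split_gpo_version(ds_version)
    sv_user, sv_comp = split_gpo_version(sysvol_version)
    return {
        "ds": ds_version,
        "sysvol": sysvol_version,
        "user_match": ds_user == sv_user,
        "computer_match": ds_comp == sv_comp,
        "in_sync": ds_version == sysvol_version,
    }


def render_gpt_ini(ds_version, display_name):
    """Produce a GPT.INI whose Version matches the DS value (the post's
    'insert the DS version into the GPT.INI' step).  displayName is the
    other line a stock GPT.INI carries."""
    return f"[General]\r\nVersion={ds_version}\r\ndisplayName={display_name}\r\n"


# Constructed sample: DS says user=2 / computer=3, SYSVOL says user=1 / computer=3.
SAMPLE_DS_VERSION = (2 << 16) | 3   # 131075
SAMPLE_GPT_INI = "[General]\r\nVersion=65539\r\ndisplayName=New Group Policy Object\r\n"

if __name__ == "__main__":
    print(compare_gpo_versions(SAMPLE_DS_VERSION, SAMPLE_GPT_INI))
    print(render_gpt_ini(SAMPLE_DS_VERSION, "New Group Policy Object"))
```

Reading the real values is left to the caller: the DS side is the versionNumber attribute of CN={GUID},CN=Policies,CN=System,DC=... and the SYSVOL side is the GPT.INI file in the matching {GUID} folder under the Policies share.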


RE: [ActiveDir] How to recreate SYSVOL?

2004-02-03 Thread Moon, Brendan
Check these articles:  KB315457 and KB316790.

- Brendan Moon
  [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Niklas Wikander
Sent: Tuesday, February 03, 2004 5:40 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] How to recreate SYSVOL?

Hi all!
Is there an easy way (or hard way) to recreate the SYSVOL share if it has been
deleted,
and the domain only has one dc and no backup has been taken??

I'm experimenting a little with a server and I can't find any good documents
on how to do this.

Any help is appreciated.

/ Niklas


[ActiveDir] How to recreate SYSVOL?

2004-02-03 Thread Niklas Wikander
Hi all!
Is there an easy way (or hard way) to recreate the SYSVOL share if it has been
deleted,
and the domain only has one dc and no backup has been taken??

I'm experimenting a little with a server and I can't find any good documents
on how to do this.

Any help is appreciated.

/ Niklas


RE: [ActiveDir] Contents of GC

2004-02-03 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
yes, dangerous indeed - and a lot of fun!  

But this should definitely not cause database corruption, as it's similar to
a situation where other objects lose their parent container (e.g. due to
replication latency when an object is created on one DC, while the
containing OU is deleted on another DC) => this is exactly what the
LostAndFound container is for...

A tree delete does spawn an object delete - however, if there are no
objects, then the last object in the tree (the OU) will still be deleted.
And as the corresponding delete changes for the containing objects on the GC
are missing, these would be container-less => as just said, this is where
the lostAndFound container kicks in. 

The one thing I'm unsure of (but will check out myself) is whether a GC even has
the ability to put items into lostandfound, as that's a write activity which
would have to replicate back to the originating domain (which only has an
outbound replication agreement to this GC for this NC...).  We'll see.

/Guido

-Original Message-
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 3 February 2004 06:29
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Contents of GC

Heh.

This is getting very dangerous even theoretically.

My guess on this is that it wouldn't fix the problem nor move them to lost
and found. From what I understand a tree delete is implemented in the
backend by deleting all of the dependent objects and then moving up the
chain to the root object that spawned the whole thing with the tree delete
request. In this case that wouldn't occur because the objects aren't there
so the corresponding delete changes wouldn't flow through the replication
channels. No tombstones generated to tell the other DCs to hide the objects.


Also I seem to recall hearing years ago that AD isn't truly hierarchical in
the backend. It is a completely flat structure and the only thing really
showing hierarchy are the DNs so if that is true losing a branch of a tree
wouldn't necessarily drop the objects in the tree if the system didn't know
to remove them anyway. I would say it would be a great opportunity for
overall data corruption and confusion. :o)

I need more time to play with things like that. :op


  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Monday, February 02, 2004 3:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Contents of GC

Jorge,
are all of these stale objects in the same (or few) OU(s)?  If so, I wonder
what would happen, when you now delete these "empty" OUs on a DC of DOM_B
(if they're not really empty, it may be worth moving whatever objects they
contain to a different OU first)?

This change will obviously replicate to the GCs, so that the "stale" objects
on the GC will lose their Parent OU...  I believe what should happen now, is
that the GC moves the "stale" objects to the LostAndFound container which is
usually used to catch these types of "orphaned" objects => this will change
the USN of these objects, just like on a "living object"...

However, now you've got a situation where the GC wants to replicate the
changes back to DOM_B, but can't as DOM_B only has _outbound_ connection
objects to any GC (of another domain) out there => so called "Poltergeists"
;-)

After you've now forced this wacky situation, it would be worth checking if
this is good enough for "Repadmin /removelingeringobjects" to get going...

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Monday, 2 February 2004 08:49
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Contents of GC

Hi,

I just created one new object in DOM_B with the same name as one of the old
objects that still exists in the GC data of DCs in DOM_A. It is not nice what
happens then;-(((

When searching for people in AD the newly created user is shown. The old
object is renamed to CN=[]\CNF: because of a conflict in the GC
data.
The event viewer shows: ID 1226: "The following object was created on a
remote domain controller with an object name that already exists on the
local domain controller. " blabla..

I tried the following also:
"Repadmin /removelingeringobjects" to see if it was possible to delete the
old objects from the GC data
"Repadmin /delete" to see if it was possible to delete the read-only naming
context from the GC and have it rebuild it again afterwards

At the moment I think the only solution is to unGC all GCs, wait until GCs
are demoted and then promote all DCs back to GC. This is not nice, but I
think the only solution!

Jorge


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eljin B. Brown
Sent: Friday, January 30, 2004 10:41
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Contents of GC

Tony,


An alternative is to do the unGC but the garbage collection only removes
5000 objects per garbage collection cycle unless you use a fast d

RE: [ActiveDir] Contents of GC

2004-02-03 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
agreed - it would only help in a specific scenario like the one you
described in your horror-vision...  however, in real-life situations, this
would be of no use as you'd have to know where the "poltergeists" are -
nevertheless, you could do this with a relatively simple compare of GC to DC
queries.  But your point about saving the other valid objects incl. links,
permissions etc. is definitely a good one.

But as you were checking out these scenarios anyways, I thought it a good
idea to check out what happens - and it would be less work for me to test it
myself ;-)

/Guido

-Original Message-
From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED] 
Sent: Monday, 2 February 2004 10:10
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Contents of GC

Hi Guido,

I have not tested what you mention.
In the example I used I know which objects are the "poltergeists" and
therefore I also know what their parent OU is. In a real situation I
probably will not know which objects will be poltergeists. I think the
problem with this is that deleting the parent OU probably also means: move
other valid objects first to another OU, document linked GPOs, document
admin delegation, etc. This solution may solve one problem, but I think it
will also cause other "points of attention".

Regards,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Monday, February 02, 2004 09:39
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Contents of GC

Jorge,
are all of these stale objects in the same (or few) OU(s)?  If so, I wonder
what would happen, when you now delete these "empty" OUs on a DC of DOM_B
(if they're not really empty, it may be worth moving whatever objects they
contain to a different OU first)?

This change will obviously replicate to the GCs, so that the "stale" objects
on the GC will lose their Parent OU...  I believe what should happen now, is
that the GC moves the "stale" objects to the LostAndFound container which is
usually used to catch these types of "orphaned" objects => this will change
the USN of these objects, just like on a "living object"...

However, now you've got a situation where the GC wants to replicate the
changes back to DOM_B, but can't as DOM_B only has _outbound_ connection
objects to any GC (of another domain) out there => so called "Poltergeists"
;-)

After you've now forced this wacky situation, it would be worth checking if
this is good enough for "Repadmin /removelingeringobjects" to get going...

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Monday, 2 February 2004 08:49
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Contents of GC

Hi,

I just created one new object in DOM_B with the same name as one of the old
objects that still exists in the GC data of DCs in DOM_A. It is not nice what
happens then;-(((

When searching for people in AD the newly created user is shown. The old
object is renamed to CN=[]\CNF: because of a conflict in the GC
data.
The event viewer shows: ID 1226: "The following object was created on a
remote domain controller with an object name that already exists on the
local domain controller. " blabla..

I tried the following also:
"Repadmin /removelingeringobjects" to see if it was possible to delete the
old objects from the GC data
"Repadmin /delete" to see if it was possible to delete the read-only naming
context from the GC and have it rebuild it again afterwards

At the moment I think the only solution is to unGC all GCs, wait until GCs
are demoted and then promote all DCs back to GC. This is not nice, but I
think the only solution!

Jorge


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eljin B. Brown
Sent: Friday, January 30, 2004 10:41
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Contents of GC

Tony,


An alternative is to do the unGC but the garbage collection only removes
5000 objects per garbage collection cycle unless you use a fast demote vbs
script.
From the sound of it, it would be best to do the ungc and regc method.
NOTE: don't reGC until all gc objects are removed or life will be bad.
Matter of fact, now that I think about it, you can ungc just that partition
using the new W2k3 repadmin that I am sure of.
If you need data from these objects then you have to do the dump routine
otherwise using the new repadmin would be the quickest fix.

Signed
one of those Alliance folks

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 30, 2004 12:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Contents of GC

Nod. Highly recommend a solution of equal parts perl and adfind. Adfind to
well, find, and perl to control flow and delete.

Note script will take an hour or so to write depending how fancy someone
wants to get and flexible and how much protection. Then log in with an admin
id for a m

RE: [ActiveDir] logon server discovery

2004-02-03 Thread Free, Bob
joe  wrote:
> No one seems to be jumping on this with any authoritative answers, I
> was hoping Guido or Dean would nail it as I was looking to learn
> something. :o)

I'm hardly authoritative but what I've picked up on the subject :-)
 
Blatantly plagiarized from Gil's awesome March 2003 Authentication
Topology paper- 
http://www.winnetmag.com/Articles/Index.cfm?ArticleID=37935 or
http://www.netpro.com/forum/files/Authentication_Topology.pdf

The DNS service responds with a list of SRV records that correspond to
all the DCs in the client's domain. The client takes the records with
the lowest-priority value and issues an AD ping (which is actually an
LDAP-over-UDP query) to each DC in turn. If a DC doesn't respond within
a tenth of a second, the client tries the next DC, and so on, until a DC
responds.

When a DC receives an AD ping from a client, the DC calculates two
crucial pieces of information before sending a response. First, the DC
determines the site closest to the client; to do so, the DC compares the
IP address in the request packet with an in-memory data structure that
contains the site and subnet associations defined in AD's site objects.
The DC also determines whether it's in the site closest (from an IP
topology point of view) to the client's site. The DC sends this
information and the name of the responding DC's site in a UDP response
to the client.

When the client receives this response, it determines whether the
responding DC is in the site closest to its site. If so, the client
saves the returned client site name in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
registry subkey's DynamicSiteName entry and uses that DC for further
domain-authentication requests. If the DC response indicates that the DC
isn't in the site closest to the client's site, the client returns to
DNS to find a DC in the closest site. This time, because the client
knows its site name, it queries DNS for _ldap SRV records in the
_tcp.sitename.sites.dc._msdcs.domainname domain. DNS responds with a
list of SRV records for DCs in the specified site. The client again
selects those SRV records with the lowest priority and issues AD pings
to each in turn until one responds within a tenth of a second.
 

Sean Deuby had a related article in the December 2003 issue I've been
reading over the weekend-

Designing for DC Failover- How to create the best AD site topology
possible
http://www.winnetmag.com/Windows/Article/ArticleID/40718/40718.html

As far as the timeout value, he repeats the 100ms value for W2K and goes
on to say that in 2003 the client waits 400ms between queries for the
first 5 DCs, then 200ms between the next 5 then 100ms for the remaining
DCs in the list.
He further explains the various site coverage scenarios quite well in
the article.

Between the two articles the subjects are covered very handsomely...
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> Sent: Monday, February 02, 2004 8:33 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] logon server discovery
> 
> As we all know to death by now, local logon server discovery is by
> determination of the DNS RRs for a DC in a computer's own site.
> 
> qu. how does the client resolve the scenario of a response not being
> received in a timely fashion?
> 
> what is the timeout value for a client not to receive a response from
> a local DC before it then goes "elsewhere"?
> 
> have read about concept of an AD "ping"  - does this use ICMP?
> 
> GT


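The locator sequence Bob quotes above (domain-wide SRV lookup, lowest-priority records first, an LDAP-over-UDP ping with a per-DC timeout, then a second site-specific SRV lookup once the DC has told the client its site) is easier to reason about as a small state machine. What follows is an added example, not code from either article or from Windows: the SRV records, the subnet-to-site table, the DC sites and the ping latencies are all constructed in-memory stand-ins for DNS and Netlogon, and "closest site" is simplified to "same site" (real DCs also weigh site-link costs and automatic site coverage, and real clients randomise among records by weight, which is not modelled here). The per-DC timeouts follow the values quoted in the post: 100 ms on W2K, and on 2003 400 ms for the first 5 DCs, 200 ms for the next 5, 100 ms after that.

```python
"""Client-side DC locator walk-through.  Constructed example: every table
below is fabricated; nothing here talks to DNS, LDAP or a real DC."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int          # kept for realism; weighted selection is not modelled
    target: str


# --- constructed environment: two sites, three DCs -------------------------
SITE_SUBNETS = {                      # AD subnet objects -> site name
    ipaddress.ip_network("10.1.0.0/16"): "HQ",
    ipaddress.ip_network("10.2.0.0/16"): "Branch",
}
DC_SITE = {                           # site each DC is a member of
    "dc1.corp.example": "HQ",
    "dc2.corp.example": "HQ",
    "dc3.corp.example": "Branch",
}
DOMAIN_SRV = [                        # _ldap._tcp.dc._msdcs.corp.example
    SrvRecord(0, 100, "dc1.corp.example"),
    SrvRecord(0, 100, "dc2.corp.example"),
    SrvRecord(10, 100, "dc3.corp.example"),   # higher value = lower preference
]
SITE_SRV = {                          # _ldap._tcp.<site>._sites.dc._msdcs.corp.example
    "HQ": [SrvRecord(0, 100, "dc1.corp.example"), SrvRecord(0, 100, "dc2.corp.example")],
    "Branch": [SrvRecord(0, 100, "dc3.corp.example")],
}


def lowest_priority(records):
    """Clients only try the records that share the lowest priority value."""
    if not records:
        return []
    best = min(r.priority for r in records)
    return [r for r in records if r.priority == best]


def ping_timeout_ms(attempt, w2k3=True):
    """How long the client waits on one DC before trying the next."""
    if not w2k3:
        return 100
    if attempt < 5:
        return 400
    if attempt < 10:
        return 200
    return 100


def site_for_ip(ip):
    """DC side: longest-prefix match of the ping's source address against
    the subnet-to-site table (the in-memory structure the article mentions)."""
    addr = ipaddress.ip_address(ip)
    matches = [net for net in SITE_SUBNETS if addr in net]
    if not matches:
        return None
    return SITE_SUBNETS[max(matches, key=lambda n: n.prefixlen)]


def ad_ping(dc, client_ip, latency_ms, timeout_ms):
    """Fake LDAP-over-UDP ping: None if the DC misses the timeout, otherwise
    the fields the client acts on.  'closest' is simplified to same-site."""
    rtt = latency_ms.get(dc)
    if rtt is None or rtt > timeout_ms:
        return None
    client_site = site_for_ip(client_ip)
    dc_site = DC_SITE[dc]
    return {"dc": dc, "client_site": client_site, "dc_site": dc_site,
            "closest": client_site == dc_site}


def try_records(records, client_ip, latency_ms, w2k3):
    """Ping each candidate in turn until one answers inside its timeout."""
    for attempt, rec in enumerate(records):
        reply = ad_ping(rec.target, client_ip, latency_ms, ping_timeout_ms(attempt, w2k3))
        if reply is not None:
            return reply
    return None


def locate_dc(client_ip, latency_ms, w2k3=True):
    """Return (chosen DC, value the client would store as DynamicSiteName,
    list of DNS names it queried)."""
    queries = ["_ldap._tcp.dc._msdcs.corp.example"]
    reply = try_records(lowest_priority(DOMAIN_SRV), client_ip, latency_ms, w2k3)
    if reply is None:
        return None, None, queries
    if reply["closest"] or reply["client_site"] is None:
        return reply["dc"], reply["client_site"], queries
    # The DC was not in the client's site: the client now knows its site
    # name and goes back to DNS for that site's records.
    site = reply["client_site"]
    queries.append(f"_ldap._tcp.{site}._sites.dc._msdcs.corp.example")
    site_reply = try_records(lowest_priority(SITE_SRV.get(site, [])), client_ip, latency_ms, w2k3)
    if site_reply is None:
        return reply["dc"], site, queries     # keep the DC that did answer
    return site_reply["dc"], site, queries


if __name__ == "__main__":
    rtt = {"dc1.corp.example": 20, "dc2.corp.example": 20, "dc3.corp.example": 30}
    print(locate_dc("10.2.4.4", rtt))           # Branch client ends up on dc3
```

Changing the latency table is the quickest way to see the failover question answered: a DC whose round trip exceeds its slot's timeout is simply skipped, and a client on a subnet with no site object gets no DynamicSiteName and keeps whichever DC answered first.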