Re: [ActiveDir] Scripting terminology question

2004-02-05 Thread Tony Murray
At a guess I would say it stands for:

Interface to Active Directory services.

Tony

-- Original Message --
From: Charlie Kaiser [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 4 Feb 2004 19:05:24 -0800 

OK, scripting gurus. I'm trying to wrap my brain around more scripting than
I currently know. I have Robbie's books open and ScriptCenter on the web.
Still can't find an answer to a simple yet obscure question. What does IADs
stand for? I'm understanding what the IADs interface consists of, but it
would be a lot easier if I knew what the abbreviation meant.
Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
** 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



Re: [ActiveDir] More move Schema Master

2004-02-05 Thread Tony Murray
Assuming that replication is working well between your DC in the DMZ and its 
replication partners, I can see no problem with your suggestion.

Tony

-- Original Message --
From: Frank Buechler [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 4 Feb 2004 12:51:03 -0500

A hypothetical.. Say I find that I simply cannot move the Schema Master role from
the server sitting in the DMZ. I have tried everything, and nothing works. What would
be the downside of running ADPREP /FORESTPREP on that server, and proceeding
with the 2003 upgrade as planned? Anything?


RE: [ActiveDir] Scripting terminology question

2004-02-05 Thread Carlos Magalhaes
Here is a wonderful place to start:


http://www.microsoft.com/technet/treeview/default.asp?url=


It should give you a good foundation to use brilliant tools like Robbie's book.


Which by the way I have posted a review on AMAZON, YAHOO etc. for those of you thinking of buying it.


Active directory programming? - http://groups.yahoo.com/group/adsianddirectoryserivces 


Carlos Magalhaes


-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 05, 2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Scripting terminology question


At a guess I would say it stands for:


Interface to Active Directory services.


Tony


-- Original Message --
From: Charlie Kaiser [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 4 Feb 2004 19:05:24 -0800 


OK, scripting gurus. I'm trying to wrap my brain around more scripting than
I currently know. I have Robbie's books open and ScriptCenter on the web.
Still can't find an answer to a simple yet obscure question. What does IADs
stand for? I'm understanding what the IADs interface consists of, but it
would be a lot easier if I knew what the abbreviation meant.
Thanks!


**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
** 


-
This email and any files transmitted are
confidential and intended solely for the
use of the individual or entity to which
they are addressed, whose privacy
should be respected.  Any views or
opinions are solely those of the author
and do not necessarily represent those
of the Trencor Group, or any of its
representatives, unless specifically
stated.  

Email transmission cannot be guaranteed
to be secure, error free or without virus
contamination.  The sender therefore
accepts no liability for any errors or
omissions in the contents of this message,
nor for any virus infection that might result
from opening this message.  Trencor is not
responsible in the event of any third party
interception of this email.   

If you have received this email in error please notify
[EMAIL PROTECTED]   For more information about
Trencor, visit www.trencor.net http://www.trencor.net



[ActiveDir] slow replication partner / site link config

2004-02-05 Thread Graham Turner
a server has been joined to the AD infrastructure and promoted to DC for the
specific purpose of recovery of AD objects.

the intention is to configure the replication topology following what seems
to be termed as lazy replication partner model.

to this end the following tasks have been completed;

it is connected to a subnet on which there are no other AD hosts
a site / subnet has been defined
site link linking it to a hub site defined

netdiag confirms its site membership

the server has been reconfigured with the following registry value -
DNSAvoidRegisterRecords with the data of DSACname -

this change is made with the intention of preventing it authenticating any
logon requests - this would seem to be an additional step given that site
membership should dictate no clients discover it

once the server is fully replicant, the site link has been configured with
an extended value of the number of hours but yet the slow server is still
replicating on the normal frequency

it would seem that the replication topology has not learnt the
configuration of the site link to the slow replication site/server.

qu - is this by design and if so do we need to force a refresh of the
replication topology - is this what repadmin /kcc does ?

GT







RE: [ActiveDir] Moving Schema Master (continued...)

2004-02-05 Thread Roger Seielstad
VirtualPC Baby! It rocks, in some ways...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Charlie Kaiser [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, February 04, 2004 4:39 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Maybe a VMWare virtual machine?
 
 **
 Charlie Kaiser
 MCSE, CCNA
 Systems Engineer
 Essex Credit / Brickwalk
 510 985 0975 x5083
 ** 
  
  Wish I could.. Roger had the same idea, placing a server in 
  the DMZ, moving the role, then bringing the server inside to 
  transfer it to a trusted DC. He called it a swing server. 
  Great idea, but I don't have another box to do that with.


RE: [ActiveDir] Moving Schema Master (continued...)

2004-02-05 Thread Frank Buechler
Hm Not a bad idea shipmate.

-Original Message-
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 04, 2004 6:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Don't you have a desktop PC that you could temporarily use?  If not, you
might want to consider moving your internal DC into the DMZ long enough
to move the FSMO instead of the other way around.

Kenneth W. (Ken) Adams, MCSA, MCSE



-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 04, 2004 4:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Wish I could.. Roger had the same idea, placing a server in the DMZ,
moving the role, then bringing the server inside to transfer it to
a trusted DC. He called it a swing server. Great idea, but I don't
have another box to do that with.

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 04, 2004 2:33 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Have you tried standing up a server in the DMZ next to the Schema Master
Server (IE. New server in the DMZ).  Then transfer the FSMO role to new
server.

Just an Idea,

Todd

-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 04, 2004 12:46 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moving Schema Master (continued...)


Greetings All

If you have been following this thread, you know that I am having problems
moving the Schema Master role from a server sitting in my DMZ to one sitting
in trusted. I have opened up all ports between these two servers, and I am
still getting the same error; current FSMO could not be contacted. I am
really at a loss! I can't seize the role as the server currently acting as
the Schema Master is also an Exchange server, and is hosting IIS. It is not
a server that I can take offline and rebuild.

I have verified that all requisite rights are in place, I have verified
replication, I even called the mfgr. (Netscreen) of the firewall to verify
that I did indeed have all ports open. I can't take this server offline to
bring it inside, and I don't have a system that I can use as a swing
server as Roger suggested. Is there anything else that may be preventing me
from doing this? I am really getting frustrated! (And behind schedule...)

TIA for any help.


RE: [ActiveDir] Moving Schema Master (continued...)

2004-02-05 Thread Roger Seielstad
I figured you knew that... Sorry.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Frank Buechler [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, February 05, 2004 8:15 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Hm Not a bad idea shipmate.
 
 -Original Message-
 From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 04, 2004 6:55 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Don't you have a desktop PC that you could temporarily use?  If not, you
 might want to consider moving your internal DC into the DMZ long enough
 to move the FSMO instead of the other way around.
 
 Kenneth W. (Ken) Adams, MCSA, MCSE
 
 
 
 -Original Message-
 From: Frank Buechler [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, February 04, 2004 4:26 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Wish I could.. Roger had the same idea, placing a server in the DMZ,
 moving the role, then bringing the server inside to transfer it to
 a trusted DC. He called it a swing server. Great idea, but I don't
 have another box to do that with.
 
 -Original Message-
 From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 04, 2004 2:33 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Have you tried standing up a server in the DMZ next to the Schema Master
 Server (IE. New server in the DMZ).  Then transfer the FSMO role to new
 server.
 
 Just an Idea,
 
 Todd
 
 -Original Message-
 From: Frank Buechler [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, February 04, 2004 12:46 PM
 To: ActiveDir (E-mail)
 Subject: [ActiveDir] Moving Schema Master (continued...)
 
 
 Greetings All
 
 If you have been following this thread, you know that I am having problems
 moving the Schema Master role from a server sitting in my DMZ to one sitting
 in trusted. I have opened up all ports between these two servers, and I am
 still getting the same error; current FSMO could not be contacted. I am
 really at a loss! I can't seize the role as the server currently acting as
 the Schema Master is also an Exchange server, and is hosting IIS. It is not
 a server that I can take offline and rebuild.
 
 I have verified that all requisite rights are in place, I have verified
 replication, I even called the mfgr. (Netscreen) of the firewall to verify
 that I did indeed have all ports open. I can't take this server offline to
 bring it inside, and I don't have a system that I can use as a swing
 server as Roger suggested. Is there anything else that may be preventing me
 from doing this? I am really getting frustrated! (And behind schedule...)
 
 TIA for any help.


RE: [ActiveDir] Computer Migration Issues with ADMT

2004-02-05 Thread Celone, Mike
So you're saying that the machines won't reboot because they can't resolve
the target domain? This can't be true because all the machines I tried it on
join to the target domain (I see the account created) but just don't reboot.
After I reboot them manually they log into the new domain without any issues.
Why would the machine have to resolve the target domain to reboot anyways?


Mike Celone
Systems Specialist
Radio Frequency Systems
v 203-630-3311 x1031
f 203-634-2027
m 203-537-2406


From: Sudhir Kaushal [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 1:29 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Computer Migration Issues with ADMT

Hi Santosh,

I had this problem while migrating the computer accounts and the
things I concluded are as follows:

This error is because the ADMT agent on the source domain
clients is not able to resolve the target domain.

I tried first creating static WINS record of the target domain in the
source domain WINS server. Though Microsoft don't recommend it. It didn't
work out for me, maybe for the simple fact that WINS resolution is not
supported when your target Win2K domain is using DNS for the name
resolution. I was migrating from NT 4.0 to Win2K.

If you are using DNS in the source domain and if it doesn't have
resource record of Target domain, then create it, so that ADMT agent should be
able to resolve the Target domain name from the source domain DNS. Like
"Targetdomain.com".

If you are using only WINS in the source domain, then make sure that
you have the WINS record of the target domain in the source domain WINS server.

If you are using DHCP then you can make all your source domain clients
to use DNS of Target domain by making the configuration for DNS in DHCP. So
that ADMT agent could be able to resolve the target domain name from Target
domain DNS server only.

For me the first one worked out. I hope it works for you too.

Regards,
Sudhir Kaushal
Systems Administrator ( Hosted Team )
eGain Communications Pvt. Ltd.
Hello - (+91 20) 4222812, (+91 20) 4228607, Ext-126

-Original Message-
From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 05, 2004 4:18 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Computer Migration Issues with ADMT

I remember someone posted a message here 3 or 4 weeks ago with
an ADMT and computer migration question. I have the same problem in the lab.
After the computer migration, it won't restart automatically. I have to
manually restart the computer. Does anyone remember that question? If you
still have a copy of that email thread could you forward it to me?

Thanks,
Santhosh



RE: [ActiveDir] Computer Migration Issues with ADMT

2004-02-05 Thread Santhosh Sivarajan
Thanks Sudhir. I have DHCP in the lab with DNS and WINS entry. I don't have
name resolution problem. I can resolve Target and Source domain from the
workstation. I think my problem is something else or something related to
Time Sync. I used Shutdown.exe to restart workstation remotely without any
problem.

As Mike mentioned, I am going to test Restart after 1 or 5 min option in the
lab today. I believe this is something related to time sync configuration.
I don't have a time server configured in the DHCP scope.



Santhosh











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sudhir Kaushal
Sent: Thursday, February 05, 2004 12:29 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Computer Migration Issues with ADMT





Hi Santosh,

I had this problem while migrating the computer accounts and the things I
concluded are as follows:

This error is because the ADMT agent on the source domain clients is not able
to resolve the target domain.

I tried first creating static WINS record of the target domain in the source
domain WINS server. Though Microsoft don't recommend it. It didn't work out
for me, maybe for the simple fact that WINS resolution is not supported when
your target Win2K domain is using DNS for the name resolution. I was migrating
from NT 4.0 to Win2K.

If you are using DNS in the source domain and if it doesn't have resource
record of Target domain, then create it, so that ADMT agent should be able to
resolve the Target domain name from the source domain DNS. Like
Targetdomain.com.

If you are using only WINS in the source domain, then make sure that you have
the WINS record of the target domain in the source domain WINS server.

If you are using DHCP then you can make all your source domain clients to use
DNS of Target domain by making the configuration for DNS in DHCP. So that ADMT
agent could be able to resolve the target domain name from Target domain DNS
server only.

For me the first one worked out. I hope it works for you too.

Regards,

Sudhir Kaushal
Systems Administrator ( Hosted Team )
eGain Communications Pvt. Ltd.
Hello - (+91 20) 4222812, (+91 20) 4228607, Ext-126

-Original Message-
From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 05, 2004 4:18 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Computer Migration Issues with ADMT



I remember someone posted a message here 3 or 4 weeks ago with an ADMT and
computer migration question. I have the same problem in the lab. After the
computer migration, it won't restart automatically. I have to manually
restart the computer. Does anyone remember that question? If you still
have a copy of that email thread could you forward it to me?

Thanks,

Santhosh


RE: [ActiveDir] Disaster Recovery

2004-02-05 Thread Rimmerman, Russ

Sorry for my ignorance, but how do you disable the requirement for needing a
GC?  We're still struggling with this process of restoring a DC.

Thanks,
Russ 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Wednesday, February 04, 2004 7:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery

more likely the missing GC, than DNS, when you're local on the box.  So
disabling the requirement for needing a GC may be worthwhile for your
situation as an interim solution.

/Guido 

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 4 February 2004 17:20
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Disaster Recovery

What does the DNS info look like?  In other words, is the machine pointing
to itself for DNS resolution or another machine?

If the DC is not configured as a GC you will not be able to log in unless
you are using a domain admin account, or have implemented the registry hack
to disable GC login requirement.

Tony
-- Original Message --
Wrom: HJYFMYXOEAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAAFXI
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 4 Feb 2004 08:13:25 -0600 


We're having an issue testing our disaster recovery plan.  We backed up our
FSMO role holding domain controller including system state, dns, dhcp - all
services that were on the box.  We then restored it onto a server in our lab
(in DSRestore mode and off the production network), and it restored OK, but
it won't let us log into the domain - it's saying the domain isn't available
(even though it's a domain controller we're trying to log into!)

Any ideas?

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~


RE: [ActiveDir] Disaster Recovery

2004-02-05 Thread Tony Murray
Assuming you're W2K:

http://support.microsoft.com/default.aspx?scid=kb;[LN];241789

Tony

-- Original Message --
From: Rimmerman, Russ [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 5 Feb 2004 08:25:35 -0600 


Sorry for my ignorance, but how do you disable the requirement for needing a
GC?  We're still struggling with this process of restoring a DC.

Thanks,
Russ 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Wednesday, February 04, 2004 7:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery

more likely the missing GC, than DNS, when you're local on the box.  So
disabling the requirement for needing a GC may be worthwhile for your
situation as an interim solution.

/Guido 

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 4 February 2004 17:20
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Disaster Recovery

What does the DNS info look like?  In other words, is the machine pointing
to itself for DNS resolution or another machine?

If the DC is not configured as a GC you will not be able to log in unless
you are using a domain admin account, or have implemented the registry hack
to disable GC login requirement.

Tony
-- Original Message --
Wrom: HJYFMYXOEAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAAFXI
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 4 Feb 2004 08:13:25 -0600 


We're having an issue testing our disaster recovery plan.  We backed up our
FSMO role holding domain controller including system state, dns, dhcp - all
services that were on the box.  We then restored it onto a server in our lab
(in DSRestore mode and off the production network), and it restored OK, but
it won't let us log into the domain - it's saying the domain isn't available
(even though it's a domain controller we're trying to log into!)

Any ideas?



RE: [ActiveDir] Disaster Recovery

2004-02-05 Thread Jorge de Almeida Pinto
Hi Russ,

Check out the following:

Q216970: Global Catalog Server Requirement for User and Computer Logon 
Q241789: How to Disable the Requirement that a Global Catalog Server Be
Available to Validate User Logons

Regards,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Thursday, February 05, 2004 15:26
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster Recovery


Sorry for my ignorance, but how do you disable the requirement for needing a
GC?  We're still struggling with this process of restoring a DC.

Thanks,
Russ 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Wednesday, February 04, 2004 7:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery

more likely the missing GC, than DNS, when you're local on the box.  So
disabling the requirement for needing a GC may be worthwhile for your
situation as an interim solution.

/Guido 

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 4 February 2004 17:20
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Disaster Recovery

What does the DNS info look like?  In other words, is the machine pointing
to itself for DNS resolution or another machine?

If the DC is not configured as a GC you will not be able to log in unless
you are using a domain admin account, or have implemented the registry hack
to disable GC login requirement.

Tony
-- Original Message --
Wrom: HJYFMYXOEAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAAFXI
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 4 Feb 2004 08:13:25 -0600 


We're having an issue testing our disaster recovery plan.  We backed up our
FSMO role holding domain controller including system state, dns, dhcp - all
services that were on the box.  We then restored it onto a server in our lab
(in DSRestore mode and off the production network), and it restored OK, but
it won't let us log into the domain - it's saying the domain isn't available
(even though it's a domain controller we're trying to log into!)

Any ideas?


This e-mail and any attachment is for authorised use by the intended recipient(s) 
only. It may contain proprietary material, confidential information and/or be subject 
to legal privilege. It should not be copied, disclosed to, retained or used by, any 
other party. If you are not an intended recipient then please promptly delete this 
e-mail and any attachment and all copies and inform the sender. Thank you.


RE: [ActiveDir] Scripting terminology question

2004-02-05 Thread deji Agba



H...I think this belongs in the class of the "what is the meaning/origin of life?" questions :). I never bothered to ask.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Charlie Kaiser
Sent: Wed 2/4/2004 7:05 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Scripting terminology question
OK, scripting gurus. I'm trying to wrap my brain around more scripting than
I currently know. I have Robbie's books open and ScriptCenter on the web.
Still can't find an answer to a simple yet obscure question. What does IADs
stand for? I'm understanding what the IADs interface consists of, but it
would be a lot easier if I knew what the abbreviation meant.
Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
** 



RE: [ActiveDir] Restore a failed DC that was the only DC for a do main

2004-02-05 Thread Jorge de Almeida Pinto
Steps are:

* Restore the DC marking the data set as primary
* Increment the RID pool in AD with 10 (see to it that the DC/RIDMaster
has not allocated a RID pool to itself--- error event ids 16651 or 16651
are OK. If you see event id 16648 before raising the RID pool, create 501
objects in the domain and delete them afterwards) (In the event viewer event
id 16648 should appear within 30 minutes or something after incrementing the
RID POOL in AD)
* Now the interesting part: if you have DCs in other domains that are also
GC, demote these GC servers; after all GCs are demoted, promote them back to
GC. One other solution is to rebuild the child domain naming context on all
GCs that are in other domains (I prefer the latter solution) (A few days ago
I posted something concerning the GC contents when all DCs within a domain
were restored from backup. Because all DCs are restored the domain went
back in time while the GCs in the other domains contain current data. As the
GCs with the newer data will never update the authoritative DCs the GC data
concerning the child domain naming context has to be rebuilt!!!)
The tool to use for the latter solution is
REPADMIN /UNHOST <FQDN TARGET GC> <DN NC> (w2k3 support tools)
* If you are using cross-domain memberships check those to see if everything
is OK
* Finally check event viewer for errors and warnings and take appropriate
measures
* Don't forget to test/check trusts, computer account memberships and user
accounts. Recreate accounts that were created after the backup that was used
for the restore of the DC
* Check ACLs on files and folders (SUBINACL) to remove unknown accounts
* Check ACLs on files and folders (SUBINACL) to remove unknown accounts

These are a few steps you can use. Be sure to test these in a test
environment!!!

See also:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/support/adrecov.asp

Regards,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, February 04, 2004 17:20
To: ActiveDir (E-mail)
Subject: [ActiveDir] Restore a failed DC that was the only DC for a domain

What are the steps to restore a DC that was the only DC for a child domain?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 



RE: [ActiveDir] Restore a failed DC that was the only DC for a do main

2004-02-05 Thread Jorge de Almeida Pinto
AD non-authoritative
SYSVOL authoritative (marked as primary!)

Jorge 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, February 04, 2004 17:32
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a do
main

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q216/2/43.ASPNoWebContent=1
http://support.microsoft.com/default.aspx?scid=kb;en-us;241594

I found these, but I am not sure I follow.  Do I just restore the system
state and mark the entire database as an authoritative restore?  But if it
is the only DC for a domain then do I have to mark it for an authoritative
state?



RE: [ActiveDir] Restore a failed DC that was the only DC for a do main

2004-02-05 Thread Jorge de Almeida Pinto
If you are using NTBACKUP:
Check the things you want to restore, including the system state. Click on
START RESTORE. A dialog box appears with an Advanced button. Click Advanced and
then you'll have the option to mark SYSVOL as authoritative.

Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, February 04, 2004 17:52
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a do
main

How do you restore the SYSVOL as a primary restore?

I did some searches on this and don't come up with anything.  I will
continue to look.

 -Original Message-
From:   Tony Murray [mailto:[EMAIL PROTECTED] 
Sent:   Wednesday, February 04, 2004 11:31 AM
To: [EMAIL PROTECTED]
Subject:Re: [ActiveDir] Restore a failed DC that was the only DC for
a domain

Restore from backup.  

You can find most of the information you need here:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/support/adrecov.asp

Tony



RE: [ActiveDir] Restore a failed DC that was the only DC for a do main

2004-02-05 Thread Salandra, Justin A.
So running the repadmin tool on each DC that is a GC will rebuild the
naming context?



RE: [ActiveDir] Restore a failed DC that was the only DC for a do main

2004-02-05 Thread Jorge de Almeida Pinto
The repadmin is executed remotely from a WXP or W2K3 station

The DC/GC must be W2KSP3 or higher or W2K3

On the DC you'll see (in the DS log) event id 1658 (removing NC) and later
on event id 1660 (NC removed) and later on event id 1264 (replication link
added to rebuild the NC)

Be sure to execute this against all GCs at once, otherwise a GC that is
rebuilding the NC might get the data from a GC that still has the old
data

Regards,
Jorge 



RE: [ActiveDir] Restore a failed DC that was the only DC for a do main

2004-02-05 Thread Salandra, Justin A.
REPADMIN /UNHOST <FQDN TARGET GC> <DN NC>

So the command for a Windows 2000 SP3 GC with the computer name of DC1 would
be 

REPADMIN /UNHOST dc1.domain.local dn=domain, dn=local




RE: [ActiveDir] Disaster Recovery

2004-02-05 Thread Jorge de Almeida Pinto
It should be possible to log on locally as a domain admin without needing a
GC. Without DNS it should also be possible, although it's very slow

Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Thursday, February 05, 2004 02:55
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery

more likely the missing GC, than DNS, when you're local on the box.  So
disabling the requirement for needing a GC may be worthwhile for your
situation as an interim solution.

/Guido 

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 4 February 2004 17:20
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Disaster Recovery

What does the DNS info look like?  In other words, is the machine pointing
to itself for DNS resolution or another machine?

If the DC is not configured as a GC you will not be able to log in unless
you are using a domain admin account, or have implemented the registry hack
to disable GC login requirement.

Tony
-- Original Message --
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 4 Feb 2004 08:13:25 -0600 


We're having an issue testing our disaster recovery plan.  We backed up our
FSMO role holding domain controller including system state, dns, dhcp - all
services that were on the box.  We then restored it onto a server in our lab
(in DSRestore mode and off the production network), and it restored OK, but
it won't let us log into the domain - it's saying the domain isn't available
(even though it's a domain controller we're trying to log into!)

Any ideas?



RE: [ActiveDir] Restore a failed DC that was the only DC for a do main

2004-02-05 Thread Jorge de Almeida Pinto
Hi,

NO
With the command you mention below you are telling the DC1.DOMAIN.LOCAL dc
to remove its own domain naming context, and you don't want that! It won't
happen also because it will try and then generate an error (at least that's
my experience when I tried it in a test environment as I'm always curious)

EXAMPLE:
Forest/Domain structure:

Forest root domain: BLABLA.LOCAL
Child domain 1 of forest root domain: CHILD1.BLABLA.LOCAL
Child domain 2 of forest root domain: CHILD2.BLABLA.LOCAL

Let's say all DCs in CHILD1.BLABLA.LOCAL are restored from backup. Because
CHILD1.BLABLA.LOCAL went back in time all the GCs in the other domains MIGHT
have newer data of CHILD1.BLABLA.LOCAL than the DCs in CHILD1.BLABLA.LOCAL.
So all GCs in CHILD2.BLABLA.LOCAL and BLABLA.LOCAL should rebuild their data
for CHILD1.BLABLA.LOCAL.

On each GC in CHILD1.BLABLA.LOCAL and BLABLA.LOCAL (locally or remotely)
execute:
REPADMIN /UNHOST <FQDN GC that needs to rebuild CHILD1.BLABLA.LOCAL> DC=CHILD1,DC=BLABLA,DC=LOCAL

Regards,
Jorge

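The /UNHOST planning and event check from the messages above, as an added example (not code from the thread's authors): it prints the command lines instead of running them, skips any GC that is a DC of the restored domain, and checks the 1658, 1660, 1264 order over event records. The function names, host names and event records are assumptions constructed for illustration, and it assumes a GC's domain is its FQDN minus the host label.

```powershell
# Added example: builds (never runs) the REPADMIN /UNHOST plan discussed in the
# thread and checks the DS-log event order on each target GC.
# Host names and event records are constructed sample data.

function ConvertTo-DomainDN {
    param([Parameter(Mandatory = $true)][string]$DnsName)
    # CHILD1.BLABLA.LOCAL -> DC=CHILD1,DC=BLABLA,DC=LOCAL
    ($DnsName.Trim('.').Split('.') | ForEach-Object { "DC=$_" }) -join ','
}

function Get-UnhostPlan {
    param(
        [Parameter(Mandatory = $true)][string]$RestoredDomain,
        [Parameter(Mandatory = $true)][string[]]$GlobalCatalogs
    )
    $nc = ConvertTo-DomainDN $RestoredDomain
    foreach ($gc in $GlobalCatalogs) {
        # Assumption: the GC's domain is its FQDN minus the host label.
        $gcDomain = ($gc.Split('.') | Select-Object -Skip 1) -join '.'
        if ($gcDomain -eq $RestoredDomain) {
            # A DC of the restored domain must keep its own domain NC.
            [pscustomobject]@{
                GC = $gc; Action = 'SKIP'; Command = $null
                Reason = 'DC of the restored domain; must keep its own NC'
            }
        }
        else {
            [pscustomobject]@{
                GC = $gc; Action = 'UNHOST'
                Command = "REPADMIN /UNHOST $gc $nc"
                Reason = 'GC in another domain; its copy may be newer than the restore'
            }
        }
    }
}

function Test-NcRebuild {
    param(
        [Parameter(Mandatory = $true)][object[]]$LogRecords,  # Computer, Id, TimeCreated
        [Parameter(Mandatory = $true)][string[]]$ExpectedGCs
    )
    # Order given in the thread: removing NC, NC removed, replication link added.
    $expected = 1658, 1660, 1264
    foreach ($gc in $ExpectedGCs) {
        $seen = @($LogRecords |
            Where-Object { $_.Computer -eq $gc -and $expected -contains $_.Id } |
            Sort-Object TimeCreated |
            ForEach-Object { $_.Id })
        # Advance only when the next expected id shows up in time order.
        $step = 0
        foreach ($id in $seen) {
            if ($step -lt $expected.Count -and $id -eq $expected[$step]) { $step++ }
        }
        [pscustomobject]@{
            GC       = $gc
            Complete = ($step -eq $expected.Count)
            Waiting  = $(if ($step -lt $expected.Count) { $expected[$step] } else { $null })
        }
    }
}

# Constructed forest, using the domain names from the example in the thread.
$restored = 'CHILD1.BLABLA.LOCAL'
$gcs = 'gc1.BLABLA.LOCAL', 'gc2.CHILD2.BLABLA.LOCAL', 'dc1.CHILD1.BLABLA.LOCAL'

# Review the whole plan first; the thread says to run it against all GCs at once.
$plan = @(Get-UnhostPlan -RestoredDomain $restored -GlobalCatalogs $gcs)
$plan | Format-Table GC, Action, Command -AutoSize

# Constructed DS-log records: gc1 finished, gc2 has not logged 1264 yet.
$t0 = Get-Date '2004-02-05T18:00:00'
$records = @(
    [pscustomobject]@{ Computer = 'gc1.BLABLA.LOCAL'; Id = 1658; TimeCreated = $t0 }
    [pscustomobject]@{ Computer = 'gc1.BLABLA.LOCAL'; Id = 1660; TimeCreated = $t0.AddMinutes(4) }
    [pscustomobject]@{ Computer = 'gc1.BLABLA.LOCAL'; Id = 1264; TimeCreated = $t0.AddMinutes(9) }
    [pscustomobject]@{ Computer = 'gc2.CHILD2.BLABLA.LOCAL'; Id = 1658; TimeCreated = $t0 }
    [pscustomobject]@{ Computer = 'gc2.CHILD2.BLABLA.LOCAL'; Id = 1660; TimeCreated = $t0.AddMinutes(6) }
)

$targets = @($plan | Where-Object { $_.Action -eq 'UNHOST' } | ForEach-Object { $_.GC })
Test-NcRebuild -LogRecords $records -ExpectedGCs $targets | Format-Table -AutoSize
```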

RE: [ActiveDir] Restore a failed DC that was the only DC for a do main

2004-02-05 Thread Jorge de Almeida Pinto
 Hi,

Try/test it in a test environment so you can see what happens
Jorge

-Original Message-
From: Jorge de Almeida Pinto 
Sent: Thursday, February 05, 2004 17:59
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a do
main

Hi,

NO
With the command you mention below you are telling the DC1.DOMAIN.LOCAL dc
to remove its own domain naming context, and you don't want that! It won't
happen also because it will try and than generate an error (at least that's
my experience when I tried it in a test environment as I'm always curious)

EXAMPLE:
Forest/Domain structure:

Forest root domain: BLABLA.LOCAL
Child domain 1 of forest root domain: CHILD1.BLABLA.LOCAL Child domain 2 of
forest root domain: CHILD2.BLABLA.LOCAL

Lets say all DCs in CHILD1.BLABLA.LOCAL are restored from backup. Because
CHILD1.BLABLA.LOCAL went back in time all the GCs in the other domains MIGHT
have newer data of CHILD1.BLABLA.LOCAL than the DCs in CHILD1.BLABLA.LOCAL.
So all GCs in CHILD2.BLABLA.LOCAL and BLABLA.LOCAL should rebuild their data
for CHILD1.BLABLA.LOCAL.

On each GC in CHILD1.BLABLA.LOCAL and BLABLA.LOCAL (locally or remotely)
execute: REPADMIN /UNHOST <FQDN GC that needs to rebuild
CHILD1.BLABLA.LOCAL> DC=CHILD1,DC=BLABLA,DC=LOCAL

Regards,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, February 05, 2004 17:47
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a do
main

REPADMIN /UNHOST <FQDN TARGET GC> <DN NC>

So the command for a Windows 2000 SP3 GC with the computer name of DC1 would
be 

REPADMIN /UNHOST dc1.domain.local dn=domain, dn=local



 -Original Message-
From:   Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]

Sent:   Thursday, February 05, 2004 11:25 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Restore a failed DC that was the only DC for
a do main

The repadmin executed remote from a WXP or W2K3 station

The DC/GC must be W2KSP3 or higher or W2K3

On the DC you'll see (in the DS log) event id 1658 (removing NC) and later
on event id 1660 (NC removed) and later on event id 1264 (replication link
added to rebuild the NC)

Be sure to execute this against all GCs at once, otherwise a GC that is
rebuilding the NC might then get the data from a GC that still has the old
data

Regards,
Jorge 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, February 05, 2004 17:13
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a do
main

So by running the repadmin tool, on each DC that is a GC will rebuild the
naming context?

 -Original Message-
From:   Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]

Sent:   Thursday, February 05, 2004 10:31 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Restore a failed DC that was the only DC for
a do main

Steps are:

* Restore the DC marking the data set as primary
* Increment the RID pool in AD with 10 (see to it that the DC/RIDMaster
has not allocated a RID pool to itself--- error event ids 16651 or 16651
are OK) If you see event id 16648 before raising the RID pool, create 501
objects in the domain and delete them afterwards) (In the event viewer event
id 16648 should appear within 30 minutes or something after incrementing the
RID POOL in AD)
* Now the interesting part: if you have DCs in other domains that are also
GC, demote these GC servers, after all GCs are demoted promote them back to
GC. One other solution is to rebuild the child domain naming context on all
GCs that are in other domains (I prefer the latter solution) (A few days ago
I posted something concerning the GC contents when all DCs within a domain
were restored from backup. Because all DCs are restored the domain went
back in time while the GCs in the other domains contain current data. As the
GCs with the newer data will never update the authoritative DCs the GC data
concerning the child domain naming context has to be rebuilt!!!) The tool to
use for the latter solution is REPADMIN /UNHOST <FQDN TARGET GC> <DN NC>
(w2k3 support tools)
* If you are using cross-domain memberships check those to see if everything
is OK
* Finally check event viewer for errors and warnings and take appropriate
measures
* Don't forget to test/check trusts, computer accounts memberships and user
accounts. Recreate accounts that were created after the backup that was used
for the restore of the DC
* Check ACLs on files and folders (SUBINACL) to remove unknown accounts

These are a few steps you can use. Be sure to test these in a test
environment!!!

See also:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/support/adrecov.asp

Regards,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: 
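
Added example (not part of the thread): a Python sketch of two checks the advice above implies before and after running REPADMIN /UNHOST. It flags a plan that targets a DC in the restored domain or leaves a GC out, and it reads the 1658/1660/1264 sequence per GC to spot a GC that added its replication link while another GC had not yet removed the old copy. Host names, the inventory, the log layout and the state labels are constructed assumptions.

```python
from datetime import datetime

# Directory Service event IDs, with the meanings given in the thread.
EV_REMOVING, EV_REMOVED, EV_LINK_ADDED = 1658, 1660, 1264

# Constructed inventory (hypothetical hosts): DC/GC FQDN -> DNS name of its own domain.
GC_DOMAINS = {
    "gc1.blabla.local": "blabla.local",
    "gc2.blabla.local": "blabla.local",
    "gc1.child2.blabla.local": "child2.blabla.local",
    "dc1.child1.blabla.local": "child1.blabla.local",
}
RESTORED_DOMAIN = "child1.blabla.local"
RESTORED_NC = "DC=child1,DC=blabla,DC=local"

# Constructed plans: one (target GC, NC to unhost) pair per intended repadmin run.
PLAN_BAD = [("dc1.child1.blabla.local", RESTORED_NC), ("gc1.blabla.local", RESTORED_NC)]
PLAN_GOOD = [(gc, RESTORED_NC) for gc, dom in GC_DOMAINS.items() if dom != RESTORED_DOMAIN]

# Constructed Directory Service log extract: date, time, GC, event id.
SAMPLE_LOG = """
2004-02-05 17:30:01 gc1.blabla.local 1658
2004-02-05 17:30:05 gc1.child2.blabla.local 1658
2004-02-05 17:34:10 gc1.blabla.local 1660
2004-02-05 17:35:40 gc1.child2.blabla.local 1660
2004-02-05 17:36:00 gc1.blabla.local 1264
2004-02-05 17:41:12 gc1.child2.blabla.local 1264
2004-02-05 18:10:00 gc2.blabla.local 1658
2004-02-05 18:14:30 gc2.blabla.local 1660
"""


def dns_to_dn(domain):
    """child1.blabla.local -> DC=child1,DC=blabla,DC=local"""
    return ",".join("DC=" + label for label in domain.lower().split("."))


def check_plan(plan, gc_domains, restored_domain):
    """Return sorted (gc, problem) pairs; an empty list means the plan is consistent."""
    wanted_nc = dns_to_dn(restored_domain).lower()
    restored = restored_domain.lower()
    problems, targets = [], set()
    for gc, nc in plan:
        gc = gc.lower()
        targets.add(gc)
        own = gc_domains.get(gc)
        if own is None:
            problems.append((gc, "unknown-gc"))
        elif own.lower() == restored:
            # The mistake corrected in the thread: a DC told to drop its own domain NC.
            problems.append((gc, "own-nc"))
        elif nc.replace(" ", "").lower() != wanted_nc:
            problems.append((gc, "wrong-nc"))
    # "Execute this against all GCs at once": every GC outside the restored domain.
    for gc, own in gc_domains.items():
        if own.lower() != restored and gc not in targets:
            problems.append((gc, "missing"))
    return sorted(problems)


def parse_events(text):
    """Parse the constructed log layout into sorted (timestamp, gc, event_id) tuples."""
    events = []
    for line in text.strip().splitlines():
        day, clock, gc, event_id = line.split()
        stamp = datetime.strptime(day + " " + clock, "%Y-%m-%d %H:%M:%S")
        events.append((stamp, gc.lower(), int(event_id)))
    return sorted(events)


def review_rebuild(events, expected_gcs):
    """Map each GC to (state, gcs_that_still_held_the_old_copy_when_its_link_was_added)."""
    first_seen = {gc: {} for gc in expected_gcs}
    for stamp, gc, event_id in events:
        if gc in first_seen and event_id in (EV_REMOVING, EV_REMOVED, EV_LINK_ADDED):
            first_seen[gc].setdefault(event_id, stamp)
    report = {}
    for gc, seen in first_seen.items():
        if EV_REMOVED in seen and EV_LINK_ADDED in seen:
            link_time = seen[EV_LINK_ADDED]
            # Heuristic from the thread's warning: another GC had not logged 1660 yet.
            stale = sorted(other for other, s in first_seen.items()
                           if other != gc and s.get(EV_REMOVED, datetime.max) > link_time)
            report[gc] = ("link-added", stale)
        elif EV_REMOVED in seen:
            report[gc] = ("removed", [])
        elif EV_REMOVING in seen:
            report[gc] = ("removing", [])
        else:
            report[gc] = ("old-copy-hosted", [])
    return report


if __name__ == "__main__":
    print(check_plan(PLAN_BAD, GC_DOMAINS, RESTORED_DOMAIN))
    expected = [gc for gc, dom in GC_DOMAINS.items() if dom != RESTORED_DOMAIN]
    for gc, result in review_rebuild(parse_events(SAMPLE_LOG), expected).items():
        print(gc, result)
```

In the constructed log, gc2.blabla.local was unhosted about 40 minutes after the other two, so both of them are reported with gc2 as a possible stale source.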

RE: [ActiveDir] Restore a failed DC that was the only DC for a domain

2004-02-05 Thread Salandra, Justin A.
So then the command would be 

Repadmin /unhost child1.blabla.local dc=child1,dc=blabla,dc=local

On each DC/GC in the forest?

 -Original Message-
From:   Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]

Sent:   Thursday, February 05, 2004 11:59 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Restore a failed DC that was the only DC for
a do main

Hi,

NO
With the command you mention below you are telling the DC1.DOMAIN.LOCAL dc
to remove its own domain naming context, and you don't want that! It won't
happen also because it will try and then generate an error (at least that's
my experience when I tried it in a test environment as I'm always curious)

EXAMPLE:
Forest/Domain structure:

Forest root domain: BLABLA.LOCAL
Child domain 1 of forest root domain: CHILD1.BLABLA.LOCAL
Child domain 2 of forest root domain: CHILD2.BLABLA.LOCAL

Let's say all DCs in CHILD1.BLABLA.LOCAL are restored from backup. Because
CHILD1.BLABLA.LOCAL went back in time all the GCs in the other domains MIGHT
have newer data of CHILD1.BLABLA.LOCAL than the DCs in CHILD1.BLABLA.LOCAL.
So all GCs in CHILD2.BLABLA.LOCAL and BLABLA.LOCAL should rebuild their data
for CHILD1.BLABLA.LOCAL.

On each GC in CHILD1.BLABLA.LOCAL and BLABLA.LOCAL (locally or remotely)
execute: REPADMIN /UNHOST <FQDN GC that needs to rebuild
CHILD1.BLABLA.LOCAL> DC=CHILD1,DC=BLABLA,DC=LOCAL

Regards,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, February 05, 2004 17:47
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a do
main

REPADMIN /UNHOST <FQDN TARGET GC> <DN NC>

So the command for a Windows 2000 SP3 GC with the computer name of DC1 would
be 

REPADMIN /UNHOST dc1.domain.local dn=domain, dn=local



 -Original Message-
From:   Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]

Sent:   Thursday, February 05, 2004 11:25 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Restore a failed DC that was the only DC for
a do main

The repadmin executed remote from a WXP or W2K3 station

The DC/GC must be W2KSP3 or higher or W2K3

On the DC you'll see (in the DS log) event id 1658 (removing NC) and later
on event id 1660 (NC removed) and later on event id 1264 (replication link
added to rebuild the NC)

Be sure to execute this against all GCs at once, otherwise a GC that is
rebuilding the NC might then get the data from a GC that still has the old
data

Regards,
Jorge 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, February 05, 2004 17:13
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a do
main

So by running the repadmin tool, on each DC that is a GC will rebuild the
naming context?

 -Original Message-
From:   Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]

Sent:   Thursday, February 05, 2004 10:31 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Restore a failed DC that was the only DC for
a do main

Steps are:

* Restore the DC marking the data set as primary
* Increment the RID pool in AD with 10 (see to it that the DC/RIDMaster
has not allocated a RID pool to itself--- error event ids 16651 or 16651
are OK) If you see event id 16648 before raising the RID pool, create 501
objects in the domain and delete them afterwards) (In the event viewer event
id 16648 should appear within 30 minutes or something after incrementing the
RID POOL in AD)
* Now the interesting part: if you have DCs in other domains that are also
GC, demote these GC servers, after all GCs are demoted promote them back to
GC. One other solution is to rebuild the child domain naming context on all
GCs that are in other domains (I prefer the latter solution) (A few days ago
I posted something concerning the GC contents when all DCs within a domain
were restored from backup. Because all DCs are restored the domain went
back in time while the GCs in the other domains contain current data. As the
GCs with the newer data will never update the authoritative DCs the GC data
concerning the child domain naming context has to be rebuilt!!!) The tool to
use for the latter solution is REPADMIN /UNHOST <FQDN TARGET GC> <DN NC>
(w2k3 support tools)
* If you are using cross-domain memberships check those to see if everything
is OK
* Finally check event viewer for errors and warnings and take appropriate
measures
* Don't forget to test/check trusts, computer accounts memberships and user
accounts. Recreate accounts that were created after the backup that was used
for the restore of the DC
* Check ACLs on files and folders (SUBINACL) to remove unknown accounts

These are a few steps you can use. Be sure to test these in a test
environment!!!

See also:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/support/adrecov.asp

Regards,
Jorge

-Original 

RE: [ActiveDir] Moving Schema Master (continued...)

2004-02-05 Thread Frank Buechler
Can I demote a DC running Exchange 2000? I know this is not supported
with Exchange 2003, but I can't find any literature regarding 2000.

Again, thanks for your help Michael (and everyone!)

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Yes you should be able to do it without rebuilding anything.  It may
require a domain synchronize to take effect.  But you could force that. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I do this without having to rebuild the server in the DMZ?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 11:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


I thought I would throw this out there.  

A good option for you may be to use ntdsutil to enter the metabase to
see if there is a tombstoned record in your metabase.  After which you
could delete the old record and manually enter a new record or seize the
role with the internal DC.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I've done a little more research.. turns out I missed something. After
running dcdiag /test:Knowsofroleholders /v, it turns out the server in
the DMZ fails. What I get is this:

Warning: CN=NTDS Settings
...blah blah.. is the Schema Owner, but is deleted
Warning: CN=NTDS Settings
...blah blah.. is the Domain Owner, but is deleted

PDC, RID, and Infrastructure Update Owner all passed, seeing the
internal server as the role holders.

I'm still researching this, but I think I'm getting closer to the
problem...

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 8:29 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


I figured you knew that... Sorry.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Frank Buechler [mailto:[EMAIL PROTECTED]
 Sent: Thursday, February 05, 2004 8:15 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Hm Not a bad idea shipmate.
 
 -Original Message-
 From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 04, 2004 6:55 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Don't you have a desktop PC that you could temporarily use?  
 If not, you
 might want to consider moving your internal DC into the DMZ long 
 enough to move the FSMO instead of the other way around.
 
 Kenneth W. (Ken) Adams, MCSA, MCSE
 
 
 
 -Original Message-
 From: Frank Buechler [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 04, 2004 4:26 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Wish I could.. Roger had the same idea, placing a server in the DMZ, 
 moving the role, then bringing the server inside to transfer it to a 
 trusted DC. He called it a swing server. Great idea, but I don't 
 have another box to do that with.
 
 -Original Message-
 From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 04, 2004 2:33 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Have you tried standing up a server in the DMZ next to the Schema 
 Master Server (IE. New server in the DMZ).  Then transfer the FSMO 
 role to new server.
 
 Just an Idea,
 
 Todd
 
 -Original Message-
 From: Frank Buechler [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 04, 2004 12:46 PM
 To: ActiveDir (E-mail)
 Subject: [ActiveDir] Moving Schema Master (continued...)
 
 
 Greetings All
 
 If you have been following this thread, you know that I am having 
 problems moving the Schema Master role from a server sitting in my DMZ

 to one sitting in trusted. I have opened up all ports between these 
 two servers, and I am still getting the same error; current FSMO could

 not be contacted. I am really at a loss! I can't seize the role as the

 server currently acting as the Schema Master is also an Exchange 
 server, and is hosting IIS. It is not a server that I can take offline

 and rebuild.
 
 I have verified that all requisite rights are in place, I have 
 verified replication, I even called the mfgr. (Netscreen) of the 
 firewall to verify that I did indeed have all ports open. I can't take

 this server offline to bring it inside, 

RE: [ActiveDir] Restore a failed DC that was the only DC for a domain

2004-02-05 Thread Salandra, Justin A.
I would love to test this, however I do not have a test environment at this
time.  Tried setting one up but don't have the hardware resources yet to do
so.

 -Original Message-
From:   Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]

Sent:   Thursday, February 05, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Restore a failed DC that was the only DC for
a do main

 Hi,

Try/test it in a test environment so you can see what happens
Jorge

-Original Message-
From: Jorge de Almeida Pinto 
Sent: Thursday, February 05, 2004 17:59
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a do
main

Hi,

NO
With the command you mention below you are telling the DC1.DOMAIN.LOCAL dc
to remove its own domain naming context, and you don't want that! It won't
happen also because it will try and then generate an error (at least that's
my experience when I tried it in a test environment as I'm always curious)

EXAMPLE:
Forest/Domain structure:

Forest root domain: BLABLA.LOCAL
Child domain 1 of forest root domain: CHILD1.BLABLA.LOCAL
Child domain 2 of forest root domain: CHILD2.BLABLA.LOCAL

Let's say all DCs in CHILD1.BLABLA.LOCAL are restored from backup. Because
CHILD1.BLABLA.LOCAL went back in time all the GCs in the other domains MIGHT
have newer data of CHILD1.BLABLA.LOCAL than the DCs in CHILD1.BLABLA.LOCAL.
So all GCs in CHILD2.BLABLA.LOCAL and BLABLA.LOCAL should rebuild their data
for CHILD1.BLABLA.LOCAL.

On each GC in CHILD1.BLABLA.LOCAL and BLABLA.LOCAL (locally or remotely)
execute: REPADMIN /UNHOST <FQDN GC that needs to rebuild
CHILD1.BLABLA.LOCAL> DC=CHILD1,DC=BLABLA,DC=LOCAL

Regards,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, February 05, 2004 17:47
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a do
main

REPADMIN /UNHOST <FQDN TARGET GC> <DN NC>

So the command for a Windows 2000 SP3 GC with the computer name of DC1 would
be 

REPADMIN /UNHOST dc1.domain.local dn=domain, dn=local



 -Original Message-
From:   Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]

Sent:   Thursday, February 05, 2004 11:25 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Restore a failed DC that was the only DC for
a do main

The repadmin executed remote from a WXP or W2K3 station

The DC/GC must be W2KSP3 or higher or W2K3

On the DC you'll see (in the DS log) event id 1658 (removing NC) and later
on event id 1660 (NC removed) and later on event id 1264 (replication link
added to rebuild the NC)

Be sure to execute this against all GCs at once, otherwise a GC that is
rebuilding the NC might then get the data from a GC that still has the old
data

Regards,
Jorge 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, February 05, 2004 17:13
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a do
main

So by running the repadmin tool, on each DC that is a GC will rebuild the
naming context?

 -Original Message-
From:   Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]

Sent:   Thursday, February 05, 2004 10:31 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Restore a failed DC that was the only DC for
a do main

Steps are:

* Restore the DC marking the data set as primary
* Increment the RID pool in AD with 10 (see to it that the DC/RIDMaster
has not allocated a RID pool to itself--- error event ids 16651 or 16651
are OK) If you see event id 16648 before raising the RID pool, create 501
objects in the domain and delete them afterwards) (In the event viewer event
id 16648 should appear within 30 minutes or something after incrementing the
RID POOL in AD)
* Now the interesting part: if you have DCs in other domains that are also
GC, demote these GC servers, after all GCs are demoted promote them back to
GC. One other solution is to rebuild the child domain naming context on all
GCs that are in other domains (I prefer the latter solution) (A few days ago
I posted something concerning the GC contents when all DCs within a domain
were restored from backup. Because all DCs are restored the domain went
back in time while the GCs in the other domains contain current data. As the
GCs with the newer data will never update the authoritative DCs the GC data
concerning the child domain naming context has to be rebuilt!!!) The tool to
use for the latter solution is REPADMIN /UNHOST <FQDN TARGET GC> <DN NC>
(w2k3 support tools)
* If you are using cross-domain memberships check those to see if everything
is OK
* Finally check event viewer for errors and warnings and take appropriate
measures
* Don't forget to test/check trusts, computer accounts memberships and user
accounts. Recreate accounts that were created after the backup that was used
for the restore of the DC
* Check ACLs on 

RE: [ActiveDir] Moving Schema Master (continued...)

2004-02-05 Thread Michael Wassell
You're very welcome Frank.

Yes you can demote a DC running Exchange 2000.  However, I'm not sure
what effect that will have on the Exchange installation.  I would do
this in a test environment before doing that sort of thing in a
production environment.

Just curious, why would you want to do this? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I demote a DC running Exchange 2000? I know this is not supported
with Exchange 2003, but I can't find any literature regarding 2000.

Again, thanks for your help Michael (and everyone!)

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Yes you should be able to do it without rebuilding anything.  It may
require a domain synchronize to take effect.  But you could force that. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I do this without having to rebuild the server in the DMZ?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 11:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


I thought I would throw this out there.  

A good option for you may be to use ntdsutil to enter the metabase to
see if there is a tombstoned record in your metabase.  After which you
could delete the old record and manually enter a new record or seize the
role with the internal DC.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I've done a little more research.. turns out I missed something. After
running dcdiag /test:Knowsofroleholders /v, it turns out the server in
the DMZ fails. What I get is this:

Warning: CN=NTDS Settings
...blah blah.. is the Schema Owner, but is deleted
Warning: CN=NTDS Settings
...blah blah.. is the Domain Owner, but is deleted

PDC, RID, and Infrastructure Update Owner all passed, seeing the
internal server as the role holders.

I'm still researching this, but I think I'm getting closer to the
problem...

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 8:29 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


I figured you knew that... Sorry.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Frank Buechler [mailto:[EMAIL PROTECTED]
 Sent: Thursday, February 05, 2004 8:15 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Hm Not a bad idea shipmate.
 
 -Original Message-
 From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 04, 2004 6:55 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Don't you have a desktop PC that you could temporarily use?  
 If not, you
 might want to consider moving your internal DC into the DMZ long 
 enough to move the FSMO instead of the other way around.
 
 Kenneth W. (Ken) Adams, MCSA, MCSE
 
 
 
 -Original Message-
 From: Frank Buechler [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 04, 2004 4:26 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Wish I could.. Roger had the same idea, placing a server in the DMZ, 
 moving the role, then bringing the server inside to transfer it to a 
 trusted DC. He called it a swing server. Great idea, but I don't 
 have another box to do that with.
 
 -Original Message-
 From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 04, 2004 2:33 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Have you tried standing up a server in the DMZ next to the Schema 
 Master Server (IE. New server in the DMZ).  Then transfer the FSMO 
 role to new server.
 
 Just an Idea,
 
 Todd
 
 -Original Message-
 From: Frank Buechler [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 04, 2004 12:46 PM
 To: ActiveDir (E-mail)
 Subject: [ActiveDir] Moving Schema Master (continued...)
 
 
 Greetings All
 
 If you have been following this thread, you know that I am having 
 problems moving the Schema Master role from a server sitting in my DMZ

 to one sitting in trusted. I have opened up all ports between these 
 two servers, 

RE: [ActiveDir] Moving Schema Master (continued...)

2004-02-05 Thread Frank Buechler
Here's the scenario: I am upgrading this shop across the board to 2003,
including Exchange. I want to get a 2003 DC in place before putting
Exchange on a 2003 stand-alone server. To do this, I need to prep
the domain for the new 2003 schema, and I need to do this on the
2000 server acting as the schema master. Maybe I am looking at this
wrong. What do you think?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 12:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


You're very welcome Frank.

Yes you can demote a DC running Exchange 2000.  However, I'm not sure
what effect that will have on the Exchange installation.  I would do
this in a test environment before doing that sort of thing in a
production environment.

Just curious, why would you want to do this? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I demote a DC running Exchange 2000? I know this is not supported
with Exchange 2003, but I can't find any literature regarding 2000.

Again, thanks for your help Michael (and everyone!)

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Yes you should be able to do it without rebuilding anything.  It may
require a domain synchronize to take effect.  But you could force that. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I do this without having to rebuild the server in the DMZ?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 11:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


I thought I would throw this out there.  

A good option for you may be to use ntdsutil to enter the metabase to
see if there is a tombstoned record in your metabase.  After which you
could delete the old record and manually enter a new record or seize the
role with the internal DC.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I've done a little more research.. turns out I missed something. After
running dcdiag /test:Knowsofroleholders /v, it turns out the server in
the DMZ fails. What I get is this:

Warning: CN=NTDS Settings
...blah blah.. is the Schema Owner, but is deleted
Warning: CN=NTDS Settings
...blah blah.. is the Domain Owner, but is deleted

PDC, RID, and Infrastructure Update Owner all passed, seeing the
internal server as the role holders.

I'm still researching this, but I think I'm getting closer to the
problem...

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 8:29 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


I figured you knew that... Sorry.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Frank Buechler [mailto:[EMAIL PROTECTED]
 Sent: Thursday, February 05, 2004 8:15 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Hm Not a bad idea shipmate.
 
 -Original Message-
 From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 04, 2004 6:55 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Don't you have a desktop PC that you could temporarily use?  
 If not, you
 might want to consider moving your internal DC into the DMZ long 
 enough to move the FSMO instead of the other way around.
 
 Kenneth W. (Ken) Adams, MCSA, MCSE
 
 
 
 -Original Message-
 From: Frank Buechler [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 04, 2004 4:26 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Wish I could.. Roger had the same idea, placing a server in the DMZ, 
 moving the role, then bringing the server inside to transfer it to a 
 trusted DC. He called it a swing server. Great idea, but I don't 
 have another box to do that with.
 
 -Original Message-
 From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 04, 2004 2:33 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Have you tried standing up a server in the DMZ next to the 

RE: [ActiveDir] Moving Schema Master (continued...)

2004-02-05 Thread Michael Wassell
Okay I would say your first step would be to seize the Schema Master
role to the DC on the Internal network before considering anything else.
All the while leaving the Exchange server running in the DMZ, it won't do
much harm that hasn't already been done by it being there.  Meaning, if
the metabase already shows that the record has been deleted then it
seems the server doesn't know it's a role holder to anything else but
itself.  Once you have done that it all depends on how you expect to
migrate the data between the existing Exchange Server and the new
Exchange server for your next hurdle?

I'm sorry Frank.  I don't mean to pry the subject, but where do you plan
on finding the system to run the new Exchange server without taking down
the existing server?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Here's the scenario: I am upgrading this shop across the board to 2003,
including Exchange. I want to get a 2003 DC in place before putting
Exchange on a 2003 stand-alone server. To do this, I need to prep the
domain for the new 2003 schema, and I need to do this on the 2000 server
acting as the schema master. Maybe I am looking at this wrong. What do
you think?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 12:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


You're very welcome Frank.

Yes you can demote a DC running Exchange 2000.  However, I'm not sure
what effect that will have on the Exchange installation.  I would do
this in a test environment before doing that sort of thing in a
production environment.

Just curious, why would you want to do this? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I demote a DC running Exchange 2000? I know this is not supported
with Exchange 2003, but I can't find any literature regarding 2000.

Again, thanks for your help Michael (and everyone!)

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Yes you should be able to do it without rebuilding anything.  It may
require a domain synchronize to take effect.  But you could force that. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I do this without having to rebuild the server in the DMZ?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 11:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


I thought I would throw this out there.  

A good option for you may be to use ntdsutil to enter the metabase to
see if there is a tombstoned record in your metabase.  After which you
could delete the old record and manually enter a new record or seize the
role with the internal DC.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I've done a little more research.. turns out I missed something. After
running dcdiag /test:Knowsofroleholders /v, it turns out the server in
the DMZ fails. What I get is this:

Warning: CN=NTDS Settings
...blah blah.. is the Schema Owner, but is deleted
Warning: CN=NTDS Settings
...blah blah.. is the Domain Owner, but is deleted

PDC, RID, and Infrastructure Update Owner all passed, seeing the
internal server as the role holders.

I'm still researching this, but I think I'm getting closer to the
problem...

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 8:29 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


I figured you knew that... Sorry.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Frank Buechler [mailto:[EMAIL PROTECTED]
 Sent: Thursday, February 05, 2004 8:15 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Hm Not a bad idea shipmate.
 
 -Original Message-
 From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 04, 2004 6:55 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master 

RE: [ActiveDir] Moving Schema Master (continued...)

2004-02-05 Thread John Etie
I just did that, it was very easy.  Just put in the Exchange 2003 CD and
use the install wizard to run /forestprep and /domainprep.

-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 05, 2004 9:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Here's the scenario: I am upgrading this shop across the board to 2003,
including Exchange. I want to get a 2003 DC in place before putting
Exchange on a 2003 stand-alone server. To do this, I need to prep the
domain for the new 2003 schema, and I need to do this on the 2000 server
acting as the schema master. Maybe I am looking at this wrong. What do
you think?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 12:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


You're very welcome Frank.

Yes you can demote a DC running Exchange 2000.  However, I'm not sure
what effect that will have on the Exchange installation.  I would do
this in a test environment before doing that sort of thing in a
production environment.

Just curious, why would you want to do this? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I demote a DC running Exchange 2000? I know this is not supported
with Exchange 2003, but I can't find any literature regarding 2000.

Again, thanks for your help Michael (and everyone!)

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Yes you should be able to do it without rebuilding anything.  It may
require a domain synchronize to take effect.  But you could force that. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I do this without having to rebuild the server in the DMZ?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 11:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


I thought I would throw this out there.  

A good option for you may be to use ntdsutil to enter the metabase to
see if there is a tombstoned record in your metabase.  After which you
could delete the old record and manually enter a new record or seize the
role with the internal DC.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I've done a little more research.. turns out I missed something. After
running dcdiag /test:Knowsofroleholders /v, it turns out the server in
the DMZ fails. What I get is this:

Warning: CN=NTDS Settings
...blah blah.. is the Schema Owner, but is deleted
Warning: CN=NTDS Settings
...blah blah.. is the Domain Owner, but is deleted

PDC, RID, and Infrastructure Update Owner all passed, seeing the
internal server as the role holders.

I'm still researching this, but I think I'm getting closer to the
problem...

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 8:29 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


I figured you knew that... Sorry.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Frank Buechler [mailto:[EMAIL PROTECTED]
 Sent: Thursday, February 05, 2004 8:15 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Hm Not a bad idea shipmate.
 
 -Original Message-
 From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 04, 2004 6:55 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Don't you have a desktop PC that you could temporarily use?  
 If not, you
 might want to consider moving your internal DC into the DMZ long 
 enough to move the FSMO instead of the other way around.
 
 Kenneth W. (Ken) Adams, MCSA, MCSE
 
 
 
 -Original Message-
 From: Frank Buechler [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 04, 2004 4:26 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Moving Schema Master (continued...)
 
 
 Wish I could.. Roger had the same idea, placing a server in the DMZ, 
 moving the role, then bringing the server inside to transfer it to a 
 trusted DC. He called it a swing server. Great idea, 

RE: [ActiveDir] Moving Schema Master (continued...)

2004-02-05 Thread Frank Buechler
I have a new HP ProLiant coming in, supposed to be here within the
next couple of days. That will be a new DC/File server. I want to
introduce that into the domain first. I will transfer all services
and what-not off the existing file server, wipe it, and install it
into the network as a 2003 stand-alone server. This will be the
new 2003 Exchange server. Once the Exchange move is completed, and
all other services are moved from the 2000 DC currently in the DMZ,
I will remove it from the AD, wipe it, and install 2003 on it to 
act as an internal apps server. There are more servers than this in
the loop, but I've only covered it from a DC perspective.

Now, just so I understand, you're saying that I should be able to
seize the schema master role on the internal 2000 DC without it
adversely affecting the server in the DMZ because that server thinks
it's been deleted anyway?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 12:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Okay I would say your first step would be to seize the Schema Master
role to the DC on the Internal network before considering anything else.
All the while leaving the Exchange server running in the DMZ, it won't do
much harm that hasn't already been done by it being there.  Meaning, if
the metabase already shows that the record has been deleted then it
seems the server doesn't know it's a role holder to anything else but
itself.  Once you have done that it all depends on how you expect to
migrate the data between the existing Exchange Server and the new
Exchange server for your next hurdle?

I'm sorry Frank.  I don't mean to pry the subject, but where do you plan
on finding the system to run the new Exchange server without taking down
the existing server?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Here's the scenario: I am upgrading this shop across the board to 2003,
including Exchange. I want to get a 2003 DC in place before putting
Exchange on a 2003 stand-alone server. To do this, I need to prep the
domain for the new 2003 schema, and I need to do this on the 2000 server
acting as the schema master. Maybe I am looking at this wrong. What do
you think?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 12:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


You're very welcome Frank.

Yes you can demote a DC running Exchange 2000.  However, I'm not sure
what effect that will have on the Exchange installation.  I would do
this in a test environment before doing that sort of thing in a
production environment.

Just curious, why would you want to do this? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I demote a DC running Exchange 2000? I know this is not supported
with Exchange 2003, but I can't find any literature regarding 2000.

Again, thanks for your help Michael (and everyone!)

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Yes you should be able to do it without rebuilding anything.  It may
require a domain synchronize to take effect.  But you could force that. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I do this without having to rebuild the server in the DMZ?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 11:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


I thought I would throw this out there.  

A good option for you may be to use ntdsutil to enter the metabase to
see if there is a tombstoned record in your metabase.  After which you
could delete the old record and manually enter a new record or seize the
role with the internal DC.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I've done a little more research.. turns out I missed something. After
running dcdiag /test:Knowsofroleholders /v, it turns out the server in
the DMZ fails. What I get is this:

Warning: CN=NTDS Settings
...blah blah.. is the Schema Owner, but is 

RE: [ActiveDir] Moving Schema Master (continued...)

2004-02-05 Thread Michael Wassell
From what I gather if you have run a dcdiag on the server not in the DMZ
and it returns that it does not know of a schema master role holder that
would mean that for some reason the AD has somehow seen the old
schema role holder as a stale record and therefore deleted it from the
metabase.  So, the answer is yes, you should be able to seize the role
with the internal DC if there aren't existing role holders.

Please anyone feel free to correct me if I'm wrong. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 1:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I have a new HP ProLiant coming in, supposed to be here within the next
couple of days. That will be a new DC/File server. I want to introduce
that into the domain first. I will transfer all services and what-not
off the existing file server, wipe it, and install it into the network
as a 2003 stand-alone server. This will be the new 2003 Exchange server.
Once the Exchange move is completed, and all other services are moved
from the 2000 DC currently in the DMZ, I will remove it from the AD,
wipe it, and install 2003 on it to act as an internal apps server. There
are more servers than this in the loop, but I've only covered it from a
DC perspective.

Now, just so I understand, you're saying that I should be able to seize
the schema master role on the internal 2000 DC without it adversely
affecting the server in the DMZ because that server thinks it's been
deleted anyway?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 12:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Okay I would say your first step would be to seize the Schema Master
role to the DC on the Internal network before considering anything else.
All the while leaving the Exchange server running in the DMZ, it won't do
much harm that hasn't already been done by it being there.  Meaning, if
the metabase already shows that the record has been deleted then it
seems the server doesn't know it's a role holder to anything else but
itself.  Once you have done that it all depends on how you expect to
migrate the data between the existing Exchange Server and the new
Exchange server for your next hurdle?

I'm sorry Frank.  I don't mean to pry the subject, but where do you plan
on finding the system to run the new Exchange server without taking down
the existing server?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Here's the scenario: I am upgrading this shop across the board to 2003,
including Exchange. I want to get a 2003 DC in place before putting
Exchange on a 2003 stand-alone server. To do this, I need to prep the
domain for the new 2003 schema, and I need to do this on the 2000 server
acting as the schema master. Maybe I am looking at this wrong. What do
you think?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 12:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


You're very welcome Frank.

Yes you can demote a DC running Exchange 2000.  However, I'm not sure
what effect that will have on the Exchange installation.  I would do
this in a test environment before doing that sort of thing in a
production environment.

Just curious, why would you want to do this? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I demote a DC running Exchange 2000? I know this is not supported
with Exchange 2003, but I can't find any literature regarding 2000.

Again, thanks for your help Michael (and everyone!)

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Yes you should be able to do it without rebuilding anything.  It may
require a domain synchronize to take effect.  But you could force that. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I do this without having to rebuild the server in the DMZ?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 11:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


I thought I would throw this out there.  

A good option for you may 

RE: [ActiveDir] Restore a failed DC that was the only DC for a do main

2004-02-05 Thread deji
All you need for your test is that one Hardware and something like MS Virtual
Server: From
http://www.microsoft.com/windowsserver2003/evaluation/trial/virtualserver.mspx
 

To Join the Virtual Server Customer Preview


1.  Go to the BetaPlace Web site (http://www.betaplace.com/).
2.  Click Sign In. 
3.  Type your Microsoft .NET Passport sign-in information. If you do not
have a .NET Passport, click the Get One Now link in the .NET Passport Sign-in
dialog box. 
After you have signed in, the Welcome to BetaPlace screen appears. 
4.  Select I have been issued a Guest ID by Microsoft. 
5.  In the Guest ID box, type vspreview and then click OK. 
6.  Follow the instructions on-screen to register for the Virtual Server
Customer Preview.

 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Salandra, Justin A.
Sent: Thu 2/5/2004 9:11 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a do
main



I would love to test this, however I do not have a test environment at this
time.  Tried setting one up but don't have the hardware resources yet to do
so.

 -Original Message-
From:   Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]

Sent:   Thursday, February 05, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Restore a failed DC that was the only DC for
a do main

 Hi,

Try/test it in a test environment so you can see what happens
Jorge

-Original Message-
From: Jorge de Almeida Pinto
Sent: Thursday, February 05, 2004 17:59
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a do
main

Hi,

NO
With the command you mention below you are telling the DC1.DOMAIN.LOCAL dc
to remove its own domain naming context, and you don't want that! It won't
happen also because it will try and than generate an error (at least that's
my experience when I tried it in a test environment as I'm always curious)

EXAMPLE:
Forest/Domain structure:

Forest root domain: BLABLA.LOCAL
Child domain 1 of forest root domain: CHILD1.BLABLA.LOCAL Child domain 2 of
forest root domain: CHILD2.BLABLA.LOCAL

Let's say all DCs in CHILD1.BLABLA.LOCAL are restored from backup. Because
CHILD1.BLABLA.LOCAL went back in time all the GCs in the other domains MIGHT
have newer data of CHILD1.BLABLA.LOCAL than the DCs in CHILD1.BLABLA.LOCAL.
So all GCs in CHILD2.BLABLA.LOCAL and BLABLA.LOCAL should rebuild their data
for CHILD1.BLABLA.LOCAL.

On each GC in CHILD1.BLABLA.LOCAL and BLABLA.LOCAL (locally or remotely)
execute: REPADMIN /UNHOST FQDN GC that needs to rebuild
CHILD1.BLABLA.LOCAL DC=CHILD1,DC=BLABLA,DC=LOCAL

Regards,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, February 05, 2004 17:47
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a do
main

REPADMIN /UNHOST FQDN TARGET GC DN NC

So the command for a Windows 2000 SP3 GC with the computer name of DC1 would
be

REPADMIN /UNHOST dc1.domain.local dn=domain, dn=local



 -Original Message-
From:   Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]

Sent:   Thursday, February 05, 2004 11:25 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Restore a failed DC that was the only DC for
a do main

The repadmin executed remote from a WXP or W2K3 station

The DC/GC must be W2KSP3 or higher or W2K3

On the DC you'll see (in the DS log) event id 1658 (removing NC) and later
on event id 1660 (NC removed) and later on event id 1264 (replication link
added to rebuild the NC)

Be sure to execute this against all GCs at once otherwise a GC that is
rebuilding the NC might get the data from a GC that still has the old
data

Regards,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, February 05, 2004 17:13
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a do
main

So by running the repadmin tool, on each DC that is a GC will rebuild the
naming context?

 -Original Message-
From:   Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]

Sent:   Thursday, February 05, 2004 10:31 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Restore a failed DC that was the only DC for
a do main

Steps are:

* Restore the DC marking the data set as primary
* Increment the RID pool in AD with 10 (see to it that the DC/RIDMaster
has not allocated a RID pool to itself--- error event ids 16651 or 16651
are OK) If you see event id 16648 before raising the RID pool, create 501
objects in the domain and delete them afterwards) (In the event viewer event
id 

RE: [ActiveDir] Moving Schema Master (continued...)

2004-02-05 Thread Frank Buechler
Should I demote the DMZ server first? I have to tell you, the thought
of doing either (demoting, or seizing the roles) scares the you know
what out of me because that server is so important to this organization.
Any down time while I recover the thing will be a very_bad_thing.

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 2:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


From what I gather if you have run a dcdiag on the server not in the DMZ
and it returns that it does not know of a schema master role holder that
would mean that for some reason the AD has somehow seen the old
schema role holder as a stale record and therefore deleted it from the
metabase.  So, the answer is yes, you should be able to seize the role
with the internal DC if there aren't existing role holders.

Please anyone feel free to correct me if I'm wrong. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 1:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I have a new HP ProLiant coming in, supposed to be here within the next
couple of days. That will be a new DC/File server. I want to introduce
that into the domain first. I will transfer all services and what-not
off the existing file server, wipe it, and install it into the network
as a 2003 stand-alone server. This will be the new 2003 Exchange server.
Once the Exchange move is completed, and all other services are moved
from the 2000 DC currently in the DMZ, I will remove it from the AD,
wipe it, and install 2003 on it to act as an internal apps server. There
are more servers than this in the loop, but I've only covered it from a
DC perspective.

Now, just so I understand, you're saying that I should be able to seize
the schema master role on the internal 2000 DC without it adversely
affecting the server in the DMZ because that server thinks it's been
deleted anyway?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 12:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Okay I would say your first step would be to seize the Schema Master
role to the DC on the Internal network before considering anything else.
All the while leaving the Exchange server running in the DMZ, it won't do
much harm that hasn't already been done by it being there.  Meaning, if
the metabase already shows that the record has been deleted then it
seems the server doesn't know it's a role holder to anything else but
itself.  Once you have done that it all depends on how you expect to
migrate the data between the existing Exchange Server and the new
Exchange server for your next hurdle?

I'm sorry Frank.  I don't mean to pry the subject, but where do you plan
on finding the system to run the new Exchange server without taking down
the existing server?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Here's the scenario: I am upgrading this shop across the board to 2003,
including Exchange. I want to get a 2003 DC in place before putting
Exchange on a 2003 stand-alone server. To do this, I need to prep the
domain for the new 2003 schema, and I need to do this on the 2000 server
acting as the schema master. Maybe I am looking at this wrong. What do
you think?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 12:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


You're very welcome Frank.

Yes you can demote a DC running Exchange 2000.  However, I'm not sure
what effect that will have on the Exchange installation.  I would do
this in a test environment before doing that sort of thing in a
production environment.

Just curious, why would you want to do this? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I demote a DC running Exchange 2000? I know this is not supported
with Exchange 2003, but I can't find any literature regarding 2000.

Again, thanks for your help Michael (and everyone!)

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Yes you should be able to do it without rebuilding anything.  It may
require a domain synchronize to take effect.  But you could force that. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf 

RE: [ActiveDir] Restore a failed DC that was the only DC for a do main

2004-02-05 Thread Salandra, Justin A.
Or like VMWare?


 -Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent:   Thursday, February 05, 2004 2:17 PM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Restore a failed DC that was the only DC for
a do main

All you need for your test is that one Hardware and something like MS
Virtual
Server: From
http://www.microsoft.com/windowsserver2003/evaluation/trial/virtualserver.mspx
 

To Join the Virtual Server Customer Preview


1.  Go to the BetaPlace Web site (http://www.betaplace.com/).
2.  Click Sign In. 
3.  Type your Microsoft .NET Passport sign-in information. If you do not
have a .NET Passport, click the Get One Now link in the .NET Passport
Sign-in
dialog box. 
After you have signed in, the Welcome to BetaPlace screen appears. 
4.  Select I have been issued a Guest ID by Microsoft. 
5.  In the Guest ID box, type vspreview and then click OK. 
6.  Follow the instructions on-screen to register for the Virtual Server
Customer Preview.

 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Salandra, Justin A.
Sent: Thu 2/5/2004 9:11 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a do
main



I would love to test this, however I do not have a test environment at this
time.  Tried setting one up but don't have the hardware resources yet to do
so.

 -Original Message-
From:   Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]

Sent:   Thursday, February 05, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Restore a failed DC that was the only DC for
a do main

 Hi,

Try/test it in a test environment so you can see what happens
Jorge

-Original Message-
From: Jorge de Almeida Pinto
Sent: Thursday, February 05, 2004 17:59
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a do
main

Hi,

NO
With the command you mention below you are telling the DC1.DOMAIN.LOCAL dc
to remove its own domain naming context, and you don't want that! It won't
happen also because it will try and then generate an error (at least that's
my experience when I tried it in a test environment as I'm always curious)

EXAMPLE:
Forest/Domain structure:

Forest root domain: BLABLA.LOCAL
Child domain 1 of forest root domain: CHILD1.BLABLA.LOCAL Child domain 2 of
forest root domain: CHILD2.BLABLA.LOCAL

Let's say all DCs in CHILD1.BLABLA.LOCAL are restored from backup. Because
CHILD1.BLABLA.LOCAL went back in time all the GCs in the other domains MIGHT
have newer data of CHILD1.BLABLA.LOCAL than the DCs in CHILD1.BLABLA.LOCAL.
So all GCs in CHILD2.BLABLA.LOCAL and BLABLA.LOCAL should rebuild their data
for CHILD1.BLABLA.LOCAL.

On each GC in CHILD1.BLABLA.LOCAL and BLABLA.LOCAL (locally or remotely)
execute: REPADMIN /UNHOST FQDN GC that needs to rebuild
CHILD1.BLABLA.LOCAL DC=CHILD1,DC=BLABLA,DC=LOCAL

Regards,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, February 05, 2004 17:47
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a do
main

REPADMIN /UNHOST FQDN TARGET GC DN NC

So the command for a Windows 2000 SP3 GC with the computer name of DC1 would
be

REPADMIN /UNHOST dc1.domain.local dn=domain, dn=local



 -Original Message-
From:   Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]

Sent:   Thursday, February 05, 2004 11:25 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Restore a failed DC that was the only DC for
a do main

The repadmin executed remote from a WXP or W2K3 station

The DC/GC must be W2KSP3 or higher or W2K3

On the DC you'll see (in the DS log) event id 1658 (removing NC) and later
on event id 1660 (NC removed) and later on event id 1264 (replication link
added to rebuild the NC)

Be sure to execute this against all GCs at once otherwise a GC that is
rebuilding the NC might get the data from a GC that still has the old
data

Regards,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, February 05, 2004 17:13
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a do
main

So by running the repadmin tool, on each DC that is a GC will rebuild the
naming context?

 -Original Message-
From:   Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]

Sent:   Thursday, February 05, 2004 10:31 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Restore a failed DC that was the only DC for
a do main

Steps are:

* Restore the DC marking the data set as primary
* Increment the RID pool in AD with 10 
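
Added example, not part of any list message: a small Python check that tracks the event ID sequence quoted in the thread above (1658, then 1660, then 1264 in the DS log) per GC, and flags the case the thread warns about, where one GC starts rebuilding while another GC may still hold the old copy of the NC. The host names, timestamps and event records are constructed, and treating a GC as "still holding old data" until it has logged 1660 is an assumption of this example.

```python
from collections import defaultdict
from datetime import datetime

# Event IDs quoted in the thread (Directory Service log on each GC).
EV_REMOVING, EV_REMOVED, EV_LINK_ADDED = 1658, 1660, 1264
ORDER = (EV_REMOVING, EV_REMOVED, EV_LINK_ADDED)
STATES = ["not started", "removing NC", "NC removed", "rebuilding NC"]
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records: (GC host, timestamp, event id).
# Host names are hypothetical; the domains follow the thread's BLABLA.LOCAL example.
SAMPLE_EVENTS = [
    ("gc1.blabla.local",        "2004-02-05 17:00:10", 1658),
    ("gc1.blabla.local",        "2004-02-05 17:02:40", 1660),
    ("gc1.blabla.local",        "2004-02-05 17:03:05", 1264),
    ("gc2.child2.blabla.local", "2004-02-05 17:20:00", 1658),
    ("gc2.child2.blabla.local", "2004-02-05 17:24:30", 1660),
    ("gc2.child2.blabla.local", "2004-02-05 17:25:00", 1264),
    ("gc3.child2.blabla.local", "2004-02-05 17:01:00", 1658),
]
# Every GC that is supposed to rebuild the NC, including one with no events yet.
ALL_GCS = [
    "gc1.blabla.local",
    "gc2.child2.blabla.local",
    "gc3.child2.blabla.local",
    "gc4.child2.blabla.local",
]


def by_host(events):
    """Group events per host, sorted by time."""
    per_host = defaultdict(list)
    for host, ts, eid in events:
        per_host[host.lower()].append((datetime.strptime(ts, FMT), eid))
    for seq in per_host.values():
        seq.sort()
    return per_host


def state_of(seq):
    """Map a host's event sequence to a progress state."""
    ids = tuple(eid for _, eid in seq if eid in ORDER)
    if ids != ORDER[:len(ids)]:
        return "unexpected sequence"
    return STATES[len(ids)]


def gc_states(events, all_gcs):
    """Progress of every expected GC, including those that logged nothing."""
    per_host = by_host(events)
    return {gc.lower(): state_of(per_host.get(gc.lower(), [])) for gc in all_gcs}


def first_time(seq, eid):
    return next((t for t, e in seq if e == eid), None)


def stale_source_risks(events, all_gcs):
    """For each GC that logged 1264, list the other GCs that had not yet
    logged 1660 at that moment (assumed to still hold the old NC data)."""
    per_host = by_host(events)
    gcs = [g.lower() for g in all_gcs]
    risks = {}
    for gc in gcs:
        link_time = first_time(per_host.get(gc, []), EV_LINK_ADDED)
        if link_time is None:
            continue
        stale = []
        for other in gcs:
            if other == gc:
                continue
            removed = first_time(per_host.get(other, []), EV_REMOVED)
            if removed is None or removed > link_time:
                stale.append(other)
        if stale:
            risks[gc] = stale
    return risks


if __name__ == "__main__":
    for gc, state in gc_states(SAMPLE_EVENTS, ALL_GCS).items():
        print(f"{gc}: {state}")
    for gc, stale in stale_source_risks(SAMPLE_EVENTS, ALL_GCS).items():
        print(f"{gc} began rebuilding while these GCs had not removed the NC: {stale}")
```
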

RE: [ActiveDir] Moving Schema Master (continued...)

2004-02-05 Thread Michael Wassell
I would suggest doing a bit of homework first then  :-)

I am going on theory at this point.  Anything could potentially happen
and unfortunately I think it will be very difficult to regenerate this
situation in a testing environment due to its nature.  I would research
ntdsutil to see the potential impact of deleting an existing role holder
and demoting the dc afterwards before doing anything even though the
existing role holder is not communicating with the AD.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 2:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Should I demote the DMZ server first? I have to tell you, the thought of
doing either (demoting, or seizing the roles) scares the you know what
out of me because that server is so important to this organization.
Any down time while I recover the thing will be a very_bad_thing.

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 2:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


From what I gather if you have run a dcdiag on the server not in the DMZ
and it returns that it does not know of a schema master role holder that
would mean that for some reason the AD has somehow seen that the old
schema role holder as a stale record and therefore deleted it from the
metabase.  So, the answer is yes, you should be able to seize the role
with the internal DC if there aren't existing role holders.

Please anyone feel free to correct me if I'm wrong. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 1:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I have a new HP ProLiant coming in, supposed to be here within the next
couple of days. That will be a new DC/File server. I want to introduce
that into the domain first. I will transfer all services and what-not
off the existing file server, wipe it, and install it into the network
as a 2003 stand-alone server. This will be the new 2003 Exchange server.
Once the Exchange move is completed, and all other services are moved
from the 2000 DC currently in the DMZ, I will remove it from the AD,
wipe it, and install 2003 on it to act as an internal apps server. There
are more servers than this in the loop, but I've only covered it from a
DC perspective.

Now, just so I understand, you're saying that I should be able to seize
the schema master role on the internal 2000 DC without it adversely
affecting the server in the DMZ because that server thinks it's been
deleted anyway?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 12:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Okay I would say your first step would be to seize the Schema Master
role to the DC on the Internal network before considering anything else.
All the while leaving the Exchange server running in the DMZ, it won't do
much harm that hasn't already been done by it being there.  Meaning, if
the metabase already shows that the record has been deleted then it
seems the server doesn't know it's a role holder to anything else but
itself.  Once you have done that it all depends on how you expect to
migrate the data between the existing Exchange Server and the new
Exchange server for your next hurdle?

I'm sorry Frank.  I don't mean to pry the subject, but where do you plan
on finding the system to run the new Exchange server without taking down
the existing server?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Here's the scenario: I am upgrading this shop across the board to 2003,
including Exchange. I want to get a 2003 DC in place before putting
Exchange on a 2003 stand-alone server. To do this, I need to prep the
domain for the new 2003 schema, and I need to do this on the 2000 server
acting as the schema master. Maybe I am looking at this wrong. What do
you think?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 12:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


You're very welcome Frank.

Yes you can demote a DC running Exchange 2000.  However, I'm not sure
what effect that will have on the Exchange installation.  I would do
this in a test environment before doing that sort of thing in a
production environment.

Just curious, why would you want to do this? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:11 PM
To: 

Re: [ActiveDir] Windows 2000 startup screen

2004-02-05 Thread Tomasz Onyszko
Rimmerman, Russ wrote:

> I know XP's solution is here http://www.updatexp.com/tip12.html
> What about Win2000?  Any easy ways to do this?

This will work for all Windows versions:
http://www.winguides.com/registry/display.php/103/
You can prepare a registry setting for this and distribute it in the domain
via GPO

--
Tomasz Onyszko [MVP]- [EMAIL PROTECTED]
http://www.w2k.pl


RE: [ActiveDir] Restore a failed DC that was the only DC for a domain

2004-02-05 Thread Jorge de Almeida Pinto
SAME EXAMPLE AGAIN

Forest root domain: BLABLA.LOCAL
Child domain 1 of forest root domain: CHILD1.BLABLA.LOCAL
Child domain 2 of forest root domain: CHILD2.BLABLA.LOCAL

Let's say all DCs in CHILD1.BLABLA.LOCAL are restored from backup. Because
CHILD1.BLABLA.LOCAL went back in time, all the GCs in the other domains
MIGHT have newer data of CHILD1.BLABLA.LOCAL than the DCs in
CHILD1.BLABLA.LOCAL.
So all GCs in CHILD2.BLABLA.LOCAL and BLABLA.LOCAL should rebuild their
data for CHILD1.BLABLA.LOCAL.

For each GC in CHILD2.BLABLA.LOCAL and BLABLA.LOCAL (locally or remotely)
execute: REPADMIN /UNHOST <FQDN GC that needs to rebuild
CHILD1.BLABLA.LOCAL> DC=CHILD1,DC=BLABLA,DC=LOCAL

FQDN means Fully Qualified Domain Name
<FQDN GC that needs to rebuild CHILD1.BLABLA.LOCAL> means all the DNS
HOSTNAMES of the GCs in the other domains that currently host a read-only
naming context of CHILD1.BLABLA.LOCAL

say that BLABLA.LOCAL has three DCs that also are GCs (GC01, GC02, GC03)
say that CHILD1.BLABLA.LOCAL has three DCs that also are GCs (GC04, GC05,
GC06)
say that CHILD2.BLABLA.LOCAL has three DCs that also are GCs (GC07, GC08,
GC09)

Taking the example mentioned above into account, the following commands
should be executed:
REPADMIN /UNHOST GC01.BLABLA.LOCAL DC=CHILD1,DC=BLABLA,DC=LOCAL
REPADMIN /UNHOST GC02.BLABLA.LOCAL DC=CHILD1,DC=BLABLA,DC=LOCAL
REPADMIN /UNHOST GC03.BLABLA.LOCAL DC=CHILD1,DC=BLABLA,DC=LOCAL

REPADMIN /UNHOST GC07.CHILD2.BLABLA.LOCAL DC=CHILD1,DC=BLABLA,DC=LOCAL
REPADMIN /UNHOST GC08.CHILD2.BLABLA.LOCAL DC=CHILD1,DC=BLABLA,DC=LOCAL
REPADMIN /UNHOST GC09.CHILD2.BLABLA.LOCAL DC=CHILD1,DC=BLABLA,DC=LOCAL

This should only be needed if you are certain that objects were added to the
domain CHILD1.BLABLA.LOCAL or objects were changed

Remember: procedures like this should always be available, tested and
proven. Besides this, the persons responsible for executing this procedure
should know how to perform such a procedure. If you're not experienced with
this, the possibility exists that something goes wrong and things are made
even worse. So be careful with what you are doing, and again: TEST, TEST,
TEST!!!

Regards,

Jorge


-Original Message-
From: [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]'
Sent: 2/5/2004 6:10 PM
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a domain

SO then the command would be 

Repadmin /unhost child1.blabla.local dc=child1,dc=blabla,dc=local

On each DC/GC in the forest?

 -Original Message-
From:   Jorge de Almeida Pinto
[mailto:[EMAIL PROTECTED]

Sent:   Thursday, February 05, 2004 11:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a domain

Hi,

NO
With the command you mention below you are telling the DC1.DOMAIN.LOCAL dc
to remove its own domain naming context, and you don't want that! It won't
happen also because it will try and then generate an error (at least that's
my experience when I tried it in a test environment as I'm always curious)

EXAMPLE:
Forest/Domain structure:

Forest root domain: BLABLA.LOCAL
Child domain 1 of forest root domain: CHILD1.BLABLA.LOCAL
Child domain 2 of forest root domain: CHILD2.BLABLA.LOCAL

Let's say all DCs in CHILD1.BLABLA.LOCAL are restored from backup. Because
CHILD1.BLABLA.LOCAL went back in time, all the GCs in the other domains
MIGHT have newer data of CHILD1.BLABLA.LOCAL than the DCs in
CHILD1.BLABLA.LOCAL.
So all GCs in CHILD2.BLABLA.LOCAL and BLABLA.LOCAL should rebuild their
data for CHILD1.BLABLA.LOCAL.

On each GC in CHILD1.BLABLA.LOCAL and BLABLA.LOCAL (locally or remotely)
execute: REPADMIN /UNHOST <FQDN GC that needs to rebuild
CHILD1.BLABLA.LOCAL> DC=CHILD1,DC=BLABLA,DC=LOCAL

Regards,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Thursday, February 05, 2004 17:47
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a domain

REPADMIN /UNHOST <FQDN TARGET GC> <DN NC>

So the command for a Windows 2000 SP3 GC with the computer name of DC1 would
be

REPADMIN /UNHOST dc1.domain.local dn=domain, dn=local



 -Original Message-
From:   Jorge de Almeida Pinto
[mailto:[EMAIL PROTECTED]

Sent:   Thursday, February 05, 2004 11:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a domain

The repadmin executed remote from a WXP or W2K3 station

The DC/GC must be W2KSP3 or higher or W2K3

On the DC you'll see (in the DS log) event id 1658 (removing NC) and later
on event id 1660 (NC removed) and later on event id 1264 (replication link
added to rebuild the NC)

Be sure to execute this against all GCs at once otherwise a GC that is
rebuilding the NC might get the data from a GC that still has the old
data

Regards,
Jorge 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Thursday, February 05, 
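
The procedure described in this thread (unhost the restored domain's naming context on every GC outside that domain, then watch the DS log for event ids 1658, 1660 and 1264), as an added example that is not code from the thread. It assumes a current admin workstation with the ActiveDirectory PowerShell module and repadmin.exe on the path; the parameter names are hypothetical, and the event check does not filter by naming context.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Parameter names are hypothetical.
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
param(
    # DNS name of the domain whose DCs were restored, e.g. CHILD1.BLABLA.LOCAL
    [Parameter(Mandatory)] [string] $RestoredDomain,

    # Only report event-log progress; do not run repadmin again
    [switch] $StatusOnly,

    # Look for events logged after this time (defaults to "now")
    [datetime] $Since = (Get-Date)
)

# DNS domain name -> DN of its naming context
# (CHILD1.BLABLA.LOCAL -> DC=CHILD1,DC=BLABLA,DC=LOCAL)
$ncDn = ($RestoredDomain.Split('.') | ForEach-Object { "DC=$_" }) -join ','

# Collect the GCs of every OTHER domain in the forest. GCs that are DCs of the
# restored domain hold the writable copy of this NC and must never be targeted.
$targets = foreach ($domain in (Get-ADForest).Domains) {
    if ($domain -ieq $RestoredDomain) { continue }
    Get-ADDomainController -Server $domain -Filter { IsGlobalCatalog -eq $true } |
        Select-Object -ExpandProperty HostName
}

if (-not $targets) {
    throw "No global catalogs found outside $RestoredDomain."
}

if (-not $StatusOnly) {
    # Issue the unhost against all target GCs in one pass, so that no GC
    # rebuilds the NC from a GC that still holds the old copy.
    foreach ($gc in $targets) {
        if ($PSCmdlet.ShouldProcess($gc, "repadmin /unhost $ncDn")) {
            & repadmin.exe /unhost $gc $ncDn
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "repadmin /unhost failed on $gc (exit code $LASTEXITCODE)"
            }
        }
    }
}

# Removal and rebuild are asynchronous. Report which of the three events each
# GC has logged so far: 1658 (removing NC), 1660 (NC removed),
# 1264 (replication link added to rebuild the NC).
foreach ($gc in $targets) {
    $ids = @(Get-WinEvent -ComputerName $gc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Directory Service'
            Id        = 1658, 1660, 1264
            StartTime = $Since
        } | Select-Object -ExpandProperty Id)

    [pscustomobject]@{
        GC         = $gc
        NcRemoving = $ids -contains 1658
        NcRemoved  = $ids -contains 1660
        LinkAdded  = $ids -contains 1264
    }
}
```

Run it with -WhatIf first to list the GCs that would be targeted, and re-run later with -StatusOnly and -Since set to the original start time to follow the rebuild.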

RE: [ActiveDir] Moving Schema Master (continued...)

2004-02-05 Thread Michael Wassell
Not sure how reassuring this will be.  But, been there, done that, as
I'm sure many people in this field have :-)

Of course, not for this exact situation.  My second day on the job (just
happened to be a Friday) the company's primary Exchange servers' hard
drives died, and they just happened to be in a RAID 0.  Which
basically meant no more Exchange server.  Thankfully the data was stored
on the second array which was in a RAID 1.  So I spent the weekend day
and night rebuilding the Exchange server and Monday morning it was like
nothing happened.  Of course, I hadn't gotten much sleep so I don't
remember much of what happened afterwards.  I was very relaxed however
:-)

Sadly there is no exaggeration.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 2:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Thanks again Michael. I will research this, thoroughly! In the meantime,
before I do anything else, I am going to get the most comprehensive
back-up of that server that I can possibly obtain tonight. Tomorrow, I
will plunge into action. Doing what, I don't know yet. But I have to
bust a move and make something happen. Worst case, I have the weekend to
recover.

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 2:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


I would suggest doing a bit of homework first then  :-)

I am going on theory at this point.  Anything could potentially happen
and unfortunately I think it will be very difficult to regenerate this
situation in a testing environment due to its nature.  I would research
ntdsutil to see the potential impact of deleting an existing role holder
and demoting the dc afterwards before doing anything even though the
existing role holder is not communicating with the AD.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 2:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Should I demote the DMZ server first? I have to tell you, the thought of
doing either (demoting, or seizing the roles) scares the you know what
out of me because that server is so important to this organization.
Any down time while I recover the thing will be a very_bad_thing.

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 2:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


From what I gather if you have run a dcdiag on the server not in the DMZ
and it returns that it does not know of a schema master role holder that
would mean that for some reason the AD has somehow seen that the old
schema role holder as a stale record and therefore deleted it from the
metabase.  So, the answer is yes, you should be able to seize the role
with the internal DC if there aren't existing role holders.

Please anyone feel free to correct me if I'm wrong. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 1:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I have a new HP ProLiant coming in, supposed to be here within the next
couple of days. That will be a new DC/File server. I want to introduce
that into the domain first. I will transfer all services and what-not
off the existing file server, wipe it, and install it into the network
as a 2003 stand-alone server. This will be the new 2003 Exchange server.
Once the Exchange move is completed, and all other services are moved
from the 2000 DC currently in the DMZ, I will remove it from the AD,
wipe it, and install 2003 on it to act as an internal apps server. There
are more servers than this in the loop, but I've only covered it from a
DC perspective.

Now, just so I understand, you're saying that I should be able to seize
the schema master role on the internal 2000 DC without it adversely
affecting the server in the DMZ because that server thinks it's been
deleted anyway?

-Original Message-
From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 12:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)


Okay I would say your first step would be to seize the Schema Master
role to the DC on the Internal network before considering anything else.
All the while leaving the Exchange server running in the DMZ, it won't do
much harm that hasn't already been done by it being there.  Meaning, if
the metabase already shows that the record has been deleted then it
seems the server doesn't know it's a role holder to anything else but
itself.  Once you have done that it all depends on how you expect to
migrate the data 

RE: [ActiveDir] Windows 2000 startup screen

2004-02-05 Thread Katherine Coombs
Russ,

You can do this through GPO by changing the following settings:

Interactive logon: message text for users attempting to logon
Interactive logon: message title for users attempting to logon

They are found in the following location within the GPO editor:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

HTH,
Katherine

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Friday, 6 February 2004 1:51 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Windows 2000 startup screen

Thanks to all who helped me with the GC Disaster recovery issue!!!

Now, I've been asked to replace all the Windows 2000 and XP startup splash
screens (the one you see in the background when you hit ctrl-alt-del). We're
going to have our legal notice there since our top dogs don't like the legal
notice GPO. Question is, is there a GPO for this, and if not, is there a
registry entry or something we can automate on login?

I know XP's solution is here http://www.updatexp.com/tip12.html
What about Win2000? Any easy ways to do this?

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~


RE: [ActiveDir] Windows 2000 startup screen

2004-02-05 Thread james . blair
Russ,

As Katherine advised or registry entry, see below... your choice:

  Windows Registry Editor Version 5.00

  ; Add Legal Notice Caption & Legal Notice
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  "LegalNoticeCaption"="WARNING - DODGY AUTHORISED USERS ONLY"
  "LegalNoticeText"="Any unauthorised access or use of this workstation is prohibited and could be subject to claims for damages and/or penalties at law. To protect this system from unauthorised use and to ensure that it is functioning properly, activities on it are monitored and recorded and subject to audit. ALL software in DODGY is to be AUTHORISED prior to purchase using the normal acquisition and purchasing rules that apply at these sites. ANY software installation is to be performed by DODGY IT or personnel NOMINATED by DODGY IT. Use of this system is express consent to such monitoring, recording and conditions. To protect from unauthorised access once logged in users should press CTRL+ALT+DEL then \"Lock Computer\" when away from their workstations for extended periods of time."

James


RE: [ActiveDir] Windows 2000 startup screen

2004-02-05 Thread Rimmerman, Russ
That's legal notice caption text which our top execs didn't like because
they had to click "OK" (it's so difficult!)
So now we're replacing the startup splash screen with a legal notice BMP.
I know which registry key does it now in WinXP and Win2k, but I am trying
to see if I can use a JPG or if it MUST be a BMP.



RE: [ActiveDir] Windows 2000 startup screen

2004-02-05 Thread james . blair
Russ,

Sorry about that... an idea... you can have a legal message integrated
into the CTRL+ALT+DEL bitmap...

What you could do is use reshacker
http://www.users.on.net/johnson/resourcehacker/, get an MSGINA.DLL from a
machine of the same type and service pack that you are using and amend the:
"bitmap file 1033 image". You then need to integrate the "new" msgina.dll
file into your install i386 dir, you may have to extract and compress cab
files here. If you want to head down this path ping me off list and I can
help you out...

James



RE: [ActiveDir] Windows 2000 startup screen

2004-02-05 Thread Chakravarty, Sakti
As an aside, I can see how having a message pop up is good because by
clicking OK, the user has indicated that they have read the warning. If you
just have a splash screen, a user could quite easily say they never read the
warning (unless it is explicitly stated that by logging on you accept the
conditions of the warning on the splash screen).

  
  -Original Message-From: Rimmerman, Russ 
  [mailto:[EMAIL PROTECTED] Sent: Friday, 6 February 2004 
  10:45 AMTo: '[EMAIL PROTECTED]'Subject: RE: 
  [ActiveDir] Windows 2000 startup screen
  That's legal notice caption text which our top execs didn't like 
  because they had to click "OK" (its so difficult!)
  So 
  now we're replacing the startup splashscreen with a legal notice BMP. I 
  know which registry key does it now in Winxp and win2k, but I am trying to see 
  if I can use a JPG or if it MUST be a BMP.
  
-Original Message-From: 
[EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]On Behalf Of 
[EMAIL PROTECTED]Sent: Thursday, 
February 05, 2004 5:36 PMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] Windows 2000 
startup screen
Russ,

As Kathrine advised or registry entry, see 
below...your choice:

  
  Windows Registry Editor Version 5.00
  
  ; Add Legal Notice Caption  Legal 
  Notice[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
  NT\CurrentVersion\Winlogon]"LegalNoticeCaption"="WARNING -DODGYAUTHORISED 
  USERSONLY""LegalNoticeText"="Any 
  unauthorised access or use of this workstation is prohibited and could be 
  subject to claims for damages and/or penalties at law. To protect 
  this system from unauthorised use and to ensure that it is functioning 
  properly, activities on it are monitored and recorded and subject to 
  audit. ALL software inDODGYis to be AUTHORISED prior to 
  purchase using the normal acquisition and purchasing rules that apply at 
  these sites. ANY software installation is to be performed byDODGY 
  IT or personnel NOMINATED by DODGY IT. 
  Use of this system is express consent to such monitoring, recording and 
  conditions. To protect from unauthorised access once logged in users 
  should press CTRL+ALT+DEL then "Lock Computer" when away from their 
  workstations for extended periods of time."
  
  James
  --Original 
  Message-From: Katherine Coombs 
  [mailto:[EMAIL PROTECTED] Sent: Friday, 6 February 2004 
  9:02 AMTo: [EMAIL PROTECTED]Subject: RE: 
  [ActiveDir] Windows 2000 startup screen
  Russ, 
  You can do this through GPO by changing the following 
  settings: 
  Interactive logon: message text for users attempting to 
  logon Interactive logon: message title for users 
  attempting to logon 
  The are found in the following location within the GPO 
  editor: Computer Configuration\Windows 
  Settings\Security Settings\Local Policies\Security Options 
  HTH, Katherine 
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
  Sent: Friday, 6 February 2004 1:51 AM
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] Windows 2000 startup screen

  Thanks to all who helped me with the GC Disaster recovery issue!!!

  Now, I've been asked to replace all the Windows 2000 and XP startup splash
  screens (the one you see in the background when you hit ctrl-alt-del). We're
  going to have our legal notice there since our top dogs don't like the legal
  notice GPO. Question is, is there a GPO for this, and if not, is there a
  registry entry or something we can automate on login?

  I know XP's solution is here http://www.updatexp.com/tip12.html
  What about Win2000? Any easy ways to do this?

  ~~
  This e-mail is confidential, may contain proprietary information of the
  Cooper Cameron Corporation and its operating Divisions and may be
  confidential or privileged.

  This e-mail should be read, copied, disseminated and/or used only by the
  addressee. If you have received this message in error please delete it,
  together with any attachments, from your system.
  ~~
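
The two ways of setting the notice offered in this thread (the Winlogon registry values and the Security Options policy) can be checked on a machine with a short audit script. This is an added example, not code from any poster; the Policies\System path and the names Get-LogonBanner and $BannerKeys are assumptions of the example.

```powershell
# Added example, not from the thread: report the logon legal notice on this machine.
# "Policy" is where the "Interactive logon: Message text/title" security options are
# stored on current Windows versions (assumption: not stated in the thread).
# "Winlogon" is the key written by the .reg file quoted above.
$BannerKeys = [ordered]@{
    Policy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
}

function Get-LogonBanner {
    foreach ($source in $BannerKeys.Keys) {
        # A missing key or value is reported as NotSet rather than raising an error.
        $props = Get-ItemProperty -Path $BannerKeys[$source] -ErrorAction SilentlyContinue

        # Values may be REG_SZ or REG_MULTI_SZ; flatten either to one trimmed string.
        $caption = (@($props.LegalNoticeCaption) -join ' ').Trim()
        $text    = (@($props.LegalNoticeText) -join "`n").Trim()

        if ($caption -and $text)    { $status = 'Configured' }
        elseif ($caption -or $text) { $status = 'Partial' }
        else                        { $status = 'NotSet' }

        [pscustomobject]@{
            Source     = $source
            Status     = $status
            Caption    = $caption
            TextLength = $text.Length
        }
    }
}

$report = @(Get-LogonBanner)
$report | Format-Table -AutoSize

# Flag machines where neither location carries both a caption and a text.
if (-not ($report | Where-Object Status -eq 'Configured')) {
    Write-Warning 'No logon legal notice is fully configured on this machine.'
}
```
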

RE: [ActiveDir] Windows 2000 startup screen

2004-02-05 Thread Rimmerman, Russ

Yes, and this is what our external auditors dinged us on too. But when the top
execs started having to click OK they complained and said the auditors work for
us and made us shut it off. Go figure. So now we're back to the background
splash at login bmp. But it appears only BMP is supported from my testing.

  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chakravarty, Sakti
  Sent: Thursday, February 05, 2004 6:32 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Windows 2000 startup screen

  As an aside, I can see how having a message pop up is good because by clicking
  OK, the user has indicated that they have read the warning. If you just
  have a splash screen, a user could quite easily say they never read the
  warning (unless it is explicitly stated that by logging on you accept the
  conditions of the warning on the splash screen).
  

-----Original Message-----
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]]
Sent: Friday, 6 February 2004 10:45 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 2000 startup screen

That's legal notice caption text which our top execs didn't like
because they had to click "OK" (it's so difficult!)
So now we're replacing the startup splashscreen with a legal notice BMP.
I know which registry key does it now in Winxp and win2k, but I am trying to
see if I can use a JPG or if it MUST be a BMP.


RE: [ActiveDir] Windows 2000 startup screen

2004-02-05 Thread Michael B. Smith

Which is not legally binding.

  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chakravarty, Sakti
  Sent: Thursday, February 05, 2004 7:32 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Windows 2000 startup screen

  As an aside, I can see how having a message pop up is good because by clicking
  OK, the user has indicated that they have read the warning. If you just
  have a splash screen, a user could quite easily say they never read the
  warning (unless it is explicitly stated that by logging on you accept the
  conditions of the warning on the splash screen).
  


RE: [ActiveDir] Computer Migration Issues with ADMT

2004-02-05 Thread Sudhir Kaushal



Hi Santhosh,

It is true that the account is created but the machines just don't reboot. In my
case I tried even changing the time from 1 min to 5 min. But the machines just
don't reboot. Even after rebooting the machines manually, the domain name
remained the same. After checking the logs in c:\temp on the client's machine I
found this error: "failed to change the domain affiliation (hr=8007054b), the
specified domain does not exist or could not be contacted". Because of this I
concluded that account creation on the Target domain may be because of the ADMT
agent, which gets properly installed on the client machine and does the
necessary changes, but the client is not able to contact the Target domain and
hence doesn't reboot on its own.

The other most common error I have seen in the logs is "hr=800706fb The
security database on the server does not have a computer account for this
workstation trust relationship". Again I guess this is related with the
Administrative permission in the domain.

Santhosh, what error are you getting in the logs?

Regards,
Sudhir Kaushal
Systems Administrator ( Hosted Team )
eGain Communications Pvt. Ltd.
Hello - (+91 20) 4222812, (+91 20) 4228607, Ext-126

  -----Original Message-----
  From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, February 05, 2004 7:31 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Computer Migration Issues with ADMT

  Yes, you are right, Mike. I don't think it is due to a name resolution
  problem.
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Celone, Mike
  Sent: Thursday, February 05, 2004 7:38 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Computer Migration Issues with ADMT

  So you're saying that the machines won't reboot because they can't resolve the
  target domain? This can't be true because all the machines I tried it on join
  to the target domain (I see the account created) but just don't reboot. After I
  reboot them manually they log into the new domain without any issues. Why would
  the machine have to resolve the target domain to reboot anyways?
  
  Mike Celone
  Systems Specialist
  Radio Frequency Systems
  v 203-630-3311 x1031
  f 203-634-2027
  m 203-537-2406
  
  
  
  
  From: Sudhir Kaushal [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, February 05, 2004 1:29 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Computer Migration Issues with ADMT

  Hi Santhosh,

  I had this problem while migrating the computer accounts and the things I
  concluded are as follows:

  This error is because the ADMT agent on the source domain clients is not able
  to resolve the target domain. I tried first creating a static WINS record of
  the target domain in the source domain WINS server, though Microsoft doesn't
  recommend it. It didn't work out for me, maybe for the simple fact that WINS
  resolution is not supported when your target Win2K domain is using DNS for the
  name resolution. I was migrating from NT 4.0 to Win2K.

  If you are using DNS in the source domain and if it doesn't have a resource
  record of the Target domain, then create it, so that the ADMT agent should be
  able to resolve the Target domain name from the source domain DNS, like
  "Targetdomain.com".

  If you are using only WINS in the source domain, then make sure that you have
  the WINS record of the target domain in the source domain WINS server.

  If you are using DHCP then you can make all your source domain clients use the
  DNS of the Target domain by making the configuration for DNS in DHCP, so that
  the ADMT agent could be able to resolve the target domain name from the Target
  domain DNS server only.

  For me the first one worked out. I hope it works for you too.

  Regards,
  Sudhir Kaushal
  Systems Administrator ( Hosted Team )
  eGain Communications Pvt. Ltd.
  Hello - (+91 20) 4222812, (+91 20) 4228607, Ext-126
  
  -----Original Message-----
  From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, February 05, 2004 4:18 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Computer Migration Issues with ADMT

  I remember someone posted a message here 3 or 4 weeks ago with an ADMT and
  computer migration question. I have the same problem in the lab. After the
  computer migration, it won't restart automatically. I have to manually restart
  the computer. Does anyone remember that question? If you still have a copy of
  that email thread could you forward it to me?

  Thanks,
  Santhosh
  


[ActiveDir] Group Policy issues

2004-02-05 Thread Lucas Garlepp

I'm having a serious issue with Group Policy. I'm reasonably new to setting it up, however it seems not to work as it should.

Using the Word 2002 administrative template I've set the auto recover data setting (how often Word background saves in case of crash) to 10 minutes. However when I apply the policy, on the workstations in the Word Tools - Options tab where this setting is located it changes to 266 minutes (which is outside the allowed settings in any case).

Further, when trying to use the Windows Update policy, setting the time for update and other details, it simply does not work, even though the policy settings for the policy are found in the registry of the workstation. This does not seem to make sense.

Other policy settings work fine.

Can anyone help?

Lucas Garlepp
IT Manager
Wisewoulds | Lawyers
Tel: +61 3 9612 7218
Fax: +61 3 9629 4035
Eml: [EMAIL PROTECTED]
Web: http://www.wisewoulds.com.au





*
If you are NOT AN AUTHORISED RECIPIENT of this e-mail, please contact Wisewoulds
Lawyers by return e-mail or by telephone on +613 9629 8333.

In this case, you should not read, print, re-transmit, store or act in reliance
on this e-mail or any attachments, and should destroy all copies of them.

This e-mail and any attachments are confidential and may contain legally privileged
information and/or copyright material of Wisewoulds Lawyers or third parties.

You should only re-transmit, distribute or commercialise the material if you are
authorised to do so.

Wisewoulds Lawyers accepts no responsibility for any viruses this e-mail may contain.
This notice should not be removed.
*