[ActiveDir] Group Policy - Overview

2004-03-24 Thread anders . lidman



Is there any way to get a nice overview (in Excel etc.) of the ADM templates that exist in AD?

I have been trying to export all the settings [even the ones not set] with no luck.

Any help would be appreciated.

Regards,
Anders
 

==
This email and any attached files are confidential and may
be legally privileged. It is intended solely for the addressee. 
Access to this email by anyone else is unauthorised. 
If you are not the addressee, any disclosure, reproduction,
copying, distribution, or other dissemination or use of this 
communication is strictly prohibited. If you have received 
this transmission in error please notify the sender immediately 
by telephone at ++353 1 6035800 or email [EMAIL PROTECTED] 
and then delete this email.
Email transmission cannot be guaranteed to be secure or error free 
as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses.The sender therefore 
does not accept liability for any errors or omissions in the contents 
of this message, and shall have no liability for any loss or damage
suffered by the user, which arise as a result of email transmission.  
If verification is required please request a hard copy version.
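One way to produce the overview Anders asks for, as an added Python example (not code from the original post, from Microsoft, or from any vendor named on this page): it parses an ADM template into one row per registry value, following the CLASS / CATEGORY / POLICY / PART nesting, the inherited KEYNAME and the [strings] table, and writes CSV that opens in Excel. The template text is constructed for the example; its categories, registry keys and value names are invented.

```python
import csv
import io
import re

# Constructed sample in the Windows 2000/2003 ADM template format (not a Microsoft file;
# the categories, registry keys and value names are invented for this example).
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY !!Cat_Windows
  CATEGORY !!Cat_Logon
    KEYNAME "Software\Policies\Example\System"
    POLICY !!Pol_ScriptsSync
      VALUENAME "RunLogonScriptSync"
    END POLICY
    POLICY !!Pol_ScriptTimeout
      KEYNAME "Software\Policies\Example\Logon"   ; overrides the category key
      PART !!Part_Seconds NUMERIC
        VALUENAME "ScriptTimeout"
        MIN 0 MAX 32000 DEFAULT 600
      END PART
    END POLICY
  END CATEGORY
END CATEGORY
CLASS USER
CATEGORY !!Cat_Desktop
  KEYNAME "Software\Policies\Example\Desktop"
  POLICY !!Pol_HideClock
    VALUENAME "HideClock"
  END POLICY
END CATEGORY
[strings]
Cat_Windows="Windows Components"
Cat_Logon="Logon"
Cat_Desktop="Desktop"
Pol_ScriptsSync="Run logon scripts synchronously"
Pol_ScriptTimeout="Maximum wait time for Group Policy scripts"
Part_Seconds="Seconds:"
Pol_HideClock="Remove Clock from the system notification area"
'''

COLUMNS = ["class", "category", "policy", "part", "part_type", "registry_key", "value_name"]
TOKEN_RE = re.compile(r'"[^"]*"|;.*|\S+')   # quoted string | ;comment | bare word


def tokenize(line):
    """Split an ADM line into tokens; quoted strings stay whole, ';' starts a comment."""
    tokens = []
    for tok in TOKEN_RE.findall(line):
        if tok.startswith(";"):
            break
        tokens.append(tok[1:-1] if tok.startswith('"') else tok)
    return tokens


def parse_adm(text):
    """Return one row per registry value the template can write, with !!names
    resolved from [strings] and KEYNAME inherited down the CATEGORY/POLICY/PART nesting."""
    body_text, _, strings_text = text.partition("[strings]")
    strings = {n.strip(): v.strip().strip('"') for n, _, v in
               (l.partition("=") for l in strings_text.splitlines() if "=" in l)}
    resolve = lambda tok: strings.get(tok[2:], tok[2:]) if tok.startswith("!!") else tok
    rows, cls, cats, keys, policy, part = [], "", [], [], None, None

    def row(policy, part):  # registry key = innermost KEYNAME currently in scope
        key = next((k for k in reversed(keys) if k is not None), "")
        return {"class": cls, "category": " / ".join(cats), "policy": policy["name"],
                "part": part["label"] if part else "", "part_type": part["type"] if part else "",
                "registry_key": key, "value_name": (part or policy)["valuename"] or ""}

    for line in body_text.splitlines():
        toks = tokenize(line)
        if not toks or toks[0].startswith("#"):         # blank lines and #if/#endif directives
            continue
        kw, what = toks[0].upper(), toks[1].upper() if len(toks) > 1 else ""
        if kw == "CLASS":
            cls = what
        elif kw == "CATEGORY":
            cats.append(resolve(toks[1])); keys.append(None)
        elif kw == "POLICY":
            policy = {"name": resolve(toks[1]), "valuename": None, "parts": []}; keys.append(None)
        elif kw == "PART":                               # PART !!label TYPE
            part = {"label": resolve(toks[1]), "type": toks[2].upper() if len(toks) > 2 else "",
                    "valuename": None}; keys.append(None)
        elif kw == "KEYNAME":
            keys[-1] = toks[1]                           # binds to the innermost open scope
        elif kw == "VALUENAME" and (part or policy):
            (part or policy)["valuename"] = toks[1]
        elif kw == "END" and what == "PART":
            policy["parts"].append(row(policy, part)); keys.pop(); part = None
        elif kw == "END" and what == "POLICY":
            if policy["valuename"] is not None:          # the policy's own on/off value first
                rows.append(row(policy, None))
            rows.extend(policy["parts"]); keys.pop(); policy = None
        elif kw == "END" and what == "CATEGORY":
            cats.pop(); keys.pop()
    return rows


def to_csv(rows):
    """CSV text ready to open in Excel."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader(); writer.writerows(rows)
    return buf.getvalue()
```

Run it over the .adm files under %SystemRoot%\inf (or the ones stored in a GPO's Adm folder) and concatenate the CSV output to get one sheet for all templates.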





RE: [ActiveDir] Group Policy - Overview

2004-03-24 Thread mathif



Greetings Mr. Anders,

You can search for that on the MS KB, or if you mail me off-list I can send it to you as an attachment, because I think I can't send attachments to the list.

Search for this keyword: "Group Policy Settings Reference Spreadsheet (ADM Files)"

Cheers,
AThif
 




 This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom/which they are addressed. If you have received this email in error please notify the system manager at the following email address: [EMAIL PROTECTED] . Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Al Faisaliah Group. Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, arrive late or contain viruses. The sender therefore does not accept liability for any errors or omissions in the context of this message, which arise as a result of Internet transmission.  Finally, the recipient should check this email and any attachments for the presence of viruses. Al Faisaliah Group accepts no liability for any damage caused by any virus transmitted by this email. 



RE: [ActiveDir] Exchange 2003 and Firewalls

2004-03-24 Thread Rutherford, Robert
It won't be a port issue, as you wouldn't gain connectivity at all... If it is a very old firewall then chances are that it may be causing issues. Will they drop it for a testing period to see if it makes a difference? If it is for their benefit, i.e. their clients, then they may? At least that way you could say it's their firewall and they need to update it to gain performance.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] 
Sent: 23 March 2004 19:01
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 and Firewalls


No it is a private T1, point to point.

 -Original Message-
From:   [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]  On Behalf Of Rutherford,
Robert
Sent:   Tuesday, March 23, 2004 1:26 PM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Exchange 2003 and Firewalls

I take it this is a public T1 over the internet, comms via a VPN?

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] 
Sent: 23 March 2004 17:35
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 and Firewalls


Physically the two orgs are connected by a T1 Line.

 -Original Message-
From:   [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]  On Behalf Of Rutherford,
Robert
Sent:   Tuesday, March 23, 2004 11:16 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Exchange 2003 and Firewalls

Is this on the same physical site? 

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] 
Sent: 23 March 2004 14:58
To: ActiveDir (E-mail)
Subject: [ActiveDir] Exchange 2003 and Firewalls


I have a facility that insists on having a very old 3Com firewall between our organizations. On his side of the firewall he has 400+ Outlook clients; on my side I have the Exchange 2003 server and the Global Catalog servers. Clients are taking an extremely long time to connect to mail and access resources. None of my other 9 facilities have this problem, and the only thing different is that none of the others have a firewall between our two organizations.

What ports do they have to open to allow proper communications between their clients and my servers?


Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any use (including retransmission or copying) of this
information by persons or entities other than the intended recipient is
prohibited.  If you are not the intended recipient of this transmission,
please contact the sender and delete the material from any computer. The
sender is not responsible for the 
completeness or accuracy of this communication as it has been
transmitted over a public network. Any replies to this email may be
monitored by the MCPS-PRS Alliance for quality control and other 
purposes.

RE: [ActiveDir] Dialup add-in for ADUC

2004-03-24 Thread Rutherford, Robert
It's only supported on server.

-Original Message-
From: Steve Shaff [mailto:[EMAIL PROTECTED] 
Sent: 23 March 2004 20:41
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Dialup add-in for ADUC


Does anyone know where I can find the add-in for dial-in privileges? I have them on the actual DCs, but not on my desktop, even though I installed the admin pack from the DC.

Thanks,
Steve



RE: [ActiveDir] Exchange 2003 and Firewalls

2004-03-24 Thread anders . lidman
Have a look at Microsoft.com/kb and search for Microsoft Knowledge Base Article 270836. You can test this on one client and see if the performance gets better.

It might be a port issue, depending on how the Exchange server communicates (e.g. server-to-client and client-to-server) and how the firewall is set up. Probably it does not allow the server to start a TCP/UDP session from its side to the client if the client does not already have a session open.
[I do think this applies to the resources problem too]

Another thing: is the firewall using NAT/PAT? [IPsec]


[ActiveDir] Islands and NAT

2004-03-24 Thread Mike Maple
Hi,

We have a simple AD: just one domain and nothing extra (no children etc.).

BUT what we do have is a domain spread across different IP addressing systems and DCs behind firewalls that have to do NAT.

One of our sites uses private IP numbers (site A) and another uses public (site B).

What this in effect means is that a DC will get one address from the site it is in, say 10.1.5.1, and everything on that site will see it as that (including itself), and from site B it is, say, 115.151.9.10, so the DCs on that site see it as that.

The first and main DC is in site A.

We have always in the past managed to get round the island issues by having a primary DNS and secondaries on each site and pointing servers to these, making sure the DCs DO NOT point to themselves. BUT it's a little hit and miss.

We now have a further site which is a sub-site of site B and uses private addresses (so that's private within, and a site of public attaching to a site of private). The new DC in the new site is currently on its own (and is its own DNS) and was okay... for about a week, and now is an island. I can't point it at any other DNS as its number will be wrong (due to NAT) in the other sites' ones (and they have dynamic updates on).

Will adding a second DNS into the site and using that instead fix it? Or does anyone have some sage advice (apart from "don't do what you are doing"... it's not an option). I can't point all my DCs at one DNS and can't use AD DNS because of the different IP numbers for the servers depending on where you look at them from.

Help.

Mike Maple


-
THE INFORMATION IN THIS E-MAIL AND IN ANY ATTACHMENTS IS CONFIDENTIAL

AND MAY BE PRIVILEGED OR OTHERWISE PROTECTED FROM DISCLOSURE. 
IF YOU ARE NOT THE INTENDED RECIPIENT AND HAVE RECEIVED IT IN ERROR YOU ARE ON NOTICE 
OF ITS STATUS. 
PLEASE NOTIFY THE SENDER IMMEDIATELY BY RETURN EMAIL AND THEN DELETE THIS EMAIL AND 
ANY ATTACHMENT FROM YOUR SYSTEM. 
YOU MUST NOT RETAIN, COPY OR USE THIS E-MAIL OR ANY ATTACHMENT FOR ANY PURPOSE, NOR 
DISCLOSE ALL OR ANY PART OF ITS CONTENTS TO ANY OTHER PERSON: 

TO DO SO COULD BE A BREACH OF CONFIDENCE

EMAIL MAY BE SUSCEPTIBLE TO DATA CORRUPTION, INTERCEPTION AND UNAUTHORISED AMENDMENT, 
AND WE DO NOT ACCEPT LIABILITY FOR ANY SUCH CORRUPTION, INTERCEPTION OR AMENDMENT OR 
THE CONSEQUENCES THEREOF. 

WE MAY MONITOR THE CONTENT OF EMAILS SENT AND RECEIVED VIA OUR NETWORK FOR VIRUSES OR 
UNAUTHORISED USE AND FOR OTHER LAWFUL BUSINESS PURPOSES. 
WE DO NOT ACCEPT RESPONSIBILITY FOR ANY LOSS OR DAMAGE ARISING FROM A VIRUS IN ANY 
EMAIL OR ATTACHMENT.

---
[EMAIL PROTECTED]



[ActiveDir] Making another server part of existing DC

2004-03-24 Thread cyrus1
Greetings,

Actually I have 2 problems.

Originally we had 2 servers: one is the DC, the other is an additional DC for an existing domain. Due to a virus attack server 2 was cleaned (reformatted) and Windows 2000 Server reinstalled.

The problems are:
(1)
Server 2 displays 2 operating systems which I need to select from, but both are Windows 2000 Server (first selection OK, second has an error).

(2)
When I try to configure server 2 to become "Additional DC of Existing Domain", it gives the message THE DOMAIN serverone.main.com NOT AN ACTIVE DOMAIN OR AN ACTIVE DIRECTORY DOMAIN CONTROLLER FOR THE DOMAIN COULD NOT BE CONTACTED.

I don't know if problem 1 had something to do with problem 1; on the DC everything looks OK, or am I missing something?

Any help is greatly appreciated.

Thanks,

Cyrus


Re: [ActiveDir] Group Policy - Overview

2004-03-24 Thread SysPro Support



Anders,

We market a product called PolMan that will produce a report of all settings that are enabled within your AD policy. It provides a list of all entries with columns for the policy name, the extension type, key name etc.

We also market a nice little ADM Template editor. Feel free to download it and get the results you want. If you have any hassles or comments, drop us a line.

 
 

Alan Cuthbertson
 
Policy Management Software:- http://www.sysprosoft.com/pol_summary.shtml
ADM Template Editor:-  http://www.sysprosoft.com/adm_summary.shtml
 
  
 
 


RE: [ActiveDir] Accidentally deleted OU with lots of users

2004-03-24 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
the procedures are different depending on your AD infrastructure - and as
also pointed out by Eric, multi-domain forests have particular challenges,
mostly related to users being in groups in the other domains of the forest
(e.g. Universal Groups or Domain Local Groups). If you're in a single domain
forest, the recovery is typically easier, as you don't have these
cross-domain issues.

However, the steps below really relate to a Win2000 AD recovery and to
Win2003 AD, when NOT running at Win2003 forest functional level (which is
where Link-Value replication is enabled).

If you are running Win2003 AD at Win2003 FFL (in a single dom-forest), then
you don't have to take any special precautions, as the group-memberships
will be "revived" with the authoritative restore of your users (as you've
just deleted users, not groups).

Realize that this only works for the group memberships which have been populated AFTER LVR has been enabled (i.e. you've switched to 2003 FFL) - so, if you previously had Win2000 and upgraded to 2003, then most of the group memberships can't be revived, since the extra data added by LVR will not exist on the entries added when running Win2000 AD. In this case, you'll also have to repopulate the group memberships...

You can find more information on this delicate topic in this whitepaper, which I co-authored with Aelita:
http://www.aelita.com/library/whitepapers/10_Things_to_Know_about_Active_Directory_Recovery.pdf


/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Mittwoch, 24. März 2004 05:46
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

It's not that simple.
To perform an authoritative restore of an OU full of users, here's a rough
step by step:

1) System state restore of a DC; mark OU full of users authoritative (IE
mark the subtree authoritative)
2) Boot DC on to private network
3) Disable inbound replication on the DC (repadmin can do this for you)
4) put DC back on to production network; let users replicate out
5) Identify groups that the users affected are a member of
6) Boot DC in to ds restore mode; mark affected groups from step 5 as
authoritative
7) Boot DC back to normal mode
8) enable inbound replication

The other option is to repopulate the groups with the affected users rather
than marking the groups authoritative. This approach is particularly
advantageous if you have groups that span the domain boundary. If you want
to repopulate the groups rather than restore them send me a note offline and
I can help you with that.

The same procedure would be followed for computers should the computer
accounts be members of groups above and beyond their primary group
membership. If they are just in the primary group they just need to restore
the computer account. Group restores don't need anything like this either
(except for nested group memberships).

If anyone is unclear as to why you need the double auth restore or auth
restore + repopulation just holler.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Tuesday, March 23, 2004 7:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

Yep. Try to do an Authoritative Restore of the OU

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 6:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

This is not really terrible. Especially since you have a good backup.
 
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q241594
 
pay close attention to the "Restore a Subtree" part.
 
If you don't understand any part of it, ask here again.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of David Wentworth
Sent: Tue 3/23/2004 4:08 PM
To: [EMAIL PROTECTED]
Cc: David Wentworth
Subject: [ActiveDir] Accidentally deleted OU with lots of users


Folks,

I really screwed up this time. I meant to delete a user object but
accidentally deleted the OU and all the users. How can I get it all back?

The backup ran last night and I think I can restore all of the Active
Directory, but I really don't want to roll back everything to where it was
last night. I just want the OU back. Please help.

Dave



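Step 5 of Eric's procedure (quoted above) and his repopulation alternative, as an added Python example that is not from the list or from any Microsoft tool: it parses an ldifde-style export of the groups, lists the groups that held users under the restored OU, and writes LDIF that adds those users back. It assumes the export was taken on the restored DC while it still holds the backup copy of the groups (inbound replication disabled); the DNs, the OU and the file name are constructed.

```python
import base64
import re

# Constructed ldifde-style export of the group objects as they look on the restored DC,
# i.e. the backup state in which the deleted users are still listed as members.
# Not a real directory export; every DN below is invented for this example.
SAMPLE_GROUP_EXPORT = """\
# constructed export of (objectClass=group), taken on the restored DC
dn: CN=Sales Staff,OU=Groups,DC=example,DC=com
changetype: add
objectClass: group
cn: Sales Staff
description:: U2FsZXMgdGVhbSAtIEVNRUE=
member: CN=Ann Adams,OU=Sales,DC=example,DC=com
member: CN=Bob Brown,
 OU=Sales,DC=example,DC=com
member: CN=Carl Cole,OU=Finance,DC=example,DC=com

dn: CN=VPN Users,OU=Groups,DC=example,DC=com
changetype: add
objectClass: group
cn: VPN Users
member: CN=Ann Adams, OU=sales, DC=example, DC=com

dn: CN=Finance,OU=Groups,DC=example,DC=com
changetype: add
objectClass: group
cn: Finance
member: CN=Carl Cole,OU=Finance,DC=example,DC=com
"""

RESTORED_OU = "OU=Sales,DC=example,DC=com"   # the OU marked authoritative in step 1 (assumed)
LDIF_LINE = re.compile(r"^([A-Za-z][\w;.-]*):(:?) ?(.*)$")   # attr: value | attr:: base64


def parse_ldif(text):
    """Parse LDIF into a list of {attribute (lower-case): [values]} dicts, handling
    folded lines (leading space), '::' base64 values and '#' comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # the trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        m = LDIF_LINE.match(line)
        if not m or m.group(1).lower() == "version":
            continue
        value = m.group(3)
        if m.group(2):                          # "attr:: <base64>"
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(m.group(1).lower(), []).append(value)
    return entries


def normalize_dn(dn):
    """Case-fold and trim spaces around RDN separators so DNs compare reliably
    (escaped commas inside an RDN value are not handled)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def in_subtree(dn, container):
    return normalize_dn(dn).endswith("," + normalize_dn(container))


def affected_groups(entries, restored_ou):
    """Step 5: map each group DN to the restored users it listed as members."""
    affected = {}
    for entry in entries:
        if "group" not in [c.lower() for c in entry.get("objectclass", [])]:
            continue
        hits = [m for m in entry.get("member", []) if in_subtree(m, restored_ou)]
        if hits:
            affected[entry["dn"][0]] = hits
    return affected


def repopulate_ldif(affected):
    """The repopulation alternative: LDIF 'modify' records that add the users back,
    importable with 'ldifde -i -k -f repopulate.ldf' (-k continues past 'already exists')."""
    out = []
    for group_dn in sorted(affected):
        out += ["dn: " + group_dn, "changetype: modify", "add: member"]
        out += ["member: " + m for m in affected[group_dn]]
        out += ["-", ""]
    return "\n".join(out) + "\n"
```

Import the generated file only after the restored users have replicated to the DC you run ldifde against (step 4), otherwise the member values reference objects that DC does not yet know.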

RE: [ActiveDir] Dialup add-in for ADUC

2004-03-24 Thread Waters, MW (Mike)
Have a look at:-

http://www.jsiinc.com/SUBN/tip6900/rh6988.htm

This worked for us

Mike Waters



RE: [ActiveDir] AcctInfo.dll doesn't work on XP

2004-03-24 Thread Waters, MW (Mike)
Thanks for the tip

It worked on one XP/SP1 and still fails on another.

If anyone knows of any other workaround... we still have Exchange 5.5 (for a while), so we don't want to use Exchange 2003 tools yet.

Regards

Mike Waters

-Original Message-
From: Steve Shaff [mailto:[EMAIL PROTECTED]
Sent: 23 March 2004 20:47
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AcctInfo.dll doesn't work on XP


The acctinfo.dll works for me on my Windows XP/SP1. However, I gave the
dll to the other admin and he was unable to view the extra tab.  The
only difference between his ADUC and mine is that I have the exchange
2003 tools loaded.  Once he loaded the exchange tools and re-registered
the dll, he then was able to view the tab.

*
Steve Shaff
Active Directory / Exchange / SMS Administrator
Corillian Corporation
(W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Waters, MW
(Mike) 
Sent: Tuesday, March 23, 2004 7:07 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AcctInfo.dll doesn't work on XP

Hi everyone,

In the Account Lockout tools download:-

http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

There is a nice DLL called AcctInfo.dll  (version 1.0.0.) that adds
another tab to Active Directory and User that gives some more detailed
information on the user accounts. Specifically, it displays last logon.

If this DLL is registered on any of our Windows 2003 server domain
controllers it works fine.

However, if we install it on our support staff desktops (running XP SP1 with the Server 2003 Admin Tools), it causes the MMC to fall over with 0xc005 within the above DLL (offset 40b6) when the tab is selected.

Has anyone else had this problem? Or, better still, does anyone have a workaround?

Regards

Mike Waters




RE: [ActiveDir] Accidentally deleted OU with lots of users

2004-03-24 Thread Eric Fleischman
Guido,  you said:

If you are running Win2003 AD at Win2003 FFL (in a single dom-forest), then you don't 
have to take any special precautions, as the group-memberships will be "revived" with 
the authoritative restore of your users (as you've just deleted users, not groups).


Where did you get this from?
With LVR we still don't construct the forward link if the back link is received so 
your comment here is not one that is clear to me. Until we do reconstruct that forward 
link, I believe you do still need to worry about this condition.

~Eric


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO 
(HP-Germany,ex1)
Sent: Wednesday, March 24, 2004 3:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

the procedures are different depending on your AD infrastructure - and as
also pointed out by Eric, multi-domain forests have particular challenges,
mostly related to users being in groups in the other domains of the forest
(e.g. Universal Groups or Domain Local Groups). If you're in a single domain
forest, the recovery is typically easier, as you don't have these
cross-domain issues.

However, the steps below really relate to a Win2000 AD recovery and to
Win2003 AD, when NOT running at Win2003 forest functional level (which is
where Link-Value replication is enabled).

If you are running Win2003 AD at Win2003 FFL (in a single dom-forest), then
you don't have to take any special precautions, as the group-memberships
will be "revived" with the authoritative restore of your users (as you've
just deleted users, not groups).

Realize, that this only works for the group-memberships, which have been
populated AFTER LVR has been enabled (i.e. you've switched to 2003 FFL) -
so, if you previously had Win2000 and upgraded to 2003, then most of the
group-memberships can't be revived since the extra data added by LVR will
not exist on the entries added when running Win2000 AD. In this case, you'll
also have to repopulate the group-memberships...

You can find more information on this delicate topic in this whitepaper,
which I co-authored with Aelita:
http://www.aelita.com/library/whitepapers/10_Things_to_Know_about_Active_Directory_Recovery.pdf


/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, 24 March 2004 05:46
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

It's not that simple.
To perform an authoritative restore of an OU full of users, here's a rough
step by step:

1) System state restore of a DC; mark OU full of users authoritative (i.e.
mark the subtree authoritative)
2) Boot DC on to private network
3) Disable inbound replication on the DC (repadmin can do this for you)
4) Put DC back on to production network; let users replicate out
5) Identify groups that the affected users are a member of
6) Boot DC into DS restore mode; mark affected groups from step 5 as
authoritative
7) Boot DC back to normal mode
8) Enable inbound replication

The other option is to repopulate the groups with the affected users rather
than marking the groups authoritative. This approach is particularly
advantageous if you have groups that span the domain boundary. If you want
to repopulate the groups rather than restore them send me a note offline and
I can help you with that.

The same procedure would be followed for computers should the computer
accounts be members of groups above and beyond their primary group
membership. If they are just in the primary group they just need to restore
the computer account. Group restores don't need anything like this either
(except for nested group memberships).

If anyone is unclear as to why you need the double auth restore or auth
restore + repopulation just holler.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Tuesday, March 23, 2004 7:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

Yep. Try to do an Authoritative Restore of the OU

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 6:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

This is not really terrible. Especially since you have a good backup.
 
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q241594
 
pay close attention to the "Restore a Subtree" part.
 
If you don't understand any part of it, ask here again.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of David Wentworth
Sent: Tue 3/23/2004 4:08 PM
To: [EMAIL PROTECTED]
Cc: David 
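The capture-and-repopulate path behind Eric's steps 3 and 5 and his "repopulate the groups" alternative, and the reason Guido's LVR shortcut is not enough on its own, as an added PowerShell example that is not code from the thread. It assumes the ActiveDirectory module and repadmin.exe; the DC name, OU DN and CSV path are placeholder parameters.

```powershell
<#
  Added example, not code from the thread. Run from a management host that
  can reach $RestoredDc, the DC on which the system-state restore and the
  authoritative restore of the OU subtree were already done (steps 1-2).
  Assumes the ActiveDirectory PowerShell module and repadmin.exe.
#>
param(
    [Parameter(Mandatory)][string]$RestoredDc,   # placeholder, e.g. "DC01"
    [Parameter(Mandatory)][string]$OuDn,         # placeholder, e.g. "OU=Staff,DC=corp,DC=example"
    [string]$CsvPath = ".\restored-memberships.csv",
    [switch]$Repopulate                          # second pass: re-add members instead of step 6
)
Import-Module ActiveDirectory -ErrorAction Stop

# Turn "CN=G,OU=X,DC=child,DC=corp,DC=example" into "child.corp.example" so a
# group in another domain of the forest is written on a DC of its own domain.
function Get-DomainFromDn([string]$Dn) {
    (($Dn -split ',') | Where-Object { $_ -like 'DC=*' } |
        ForEach-Object { $_.Substring(3) }) -join '.'
}

if (-not $Repopulate) {
    # Step 3: freeze inbound replication so the other DCs' view (users deleted)
    # cannot overwrite the restored DC before it has replicated the users out.
    & repadmin /options $RestoredDc +DISABLE_INBOUND_REPL | Out-Null

    # Step 5: on the restored DC the groups' member values still come from the
    # backup, so memberOf of the restored users is complete here and nowhere
    # else. Record it now; once inbound replication resumes those links vanish.
    $rows = @(Get-ADUser -Server $RestoredDc -SearchBase $OuDn -SearchScope Subtree `
                  -Filter * -Properties memberOf |
        ForEach-Object {
            foreach ($group in $_.memberOf) {
                [pscustomobject]@{ UserDn = $_.DistinguishedName; GroupDn = $group }
            }
        })
    if ($rows.Count) { $rows | Export-Csv -Path $CsvPath -NoTypeInformation }
    Write-Host ("Recorded {0} user/group pairs from {1} into {2}" -f $rows.Count, $RestoredDc, $CsvPath)
    Write-Host "Let the restored users replicate out (step 4), then rerun with -Repopulate."
    return
}

# Repopulation pass, Eric's alternative to a second authoritative restore: an
# ordinary write to each group on a live DC of the group's own domain, which is
# why it also covers groups that span the domain boundary.
foreach ($row in Import-Csv -Path $CsvPath) {
    $server = Get-DomainFromDn $row.GroupDn
    try {
        Add-ADGroupMember -Server $server -Identity $row.GroupDn -Members $row.UserDn -ErrorAction Stop
        Write-Host ("Re-added {0} to {1}" -f $row.UserDn, $row.GroupDn)
    } catch {
        # "already a member" lands here too when a group was restored by other means.
        Write-Warning ("{0} -> {1}: {2}" -f $row.UserDn, $row.GroupDn, $_.Exception.Message)
    }
}
# Step 8, by hand once membership is verified:
#   repadmin /options <RestoredDc> -DISABLE_INBOUND_REPL
```

Primary-group membership is not in memberOf and, as Eric notes, needs no repopulation; the CSV is also the record you want to keep for the audit trail of what was re-added.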

RE: [ActiveDir] AcctInfo.dll doesn't work on XP

2004-03-24 Thread Leeuwen van, JWJ (Joost)
I am using XP Sp1 without the Exchange 2003 tools and the DLL works like a charm on my 
PC.
Just f.y.i.

Try opening the DLL with depends, maybe you are missing some other components.

Joost

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Waters, MW (Mike) 
> Sent: Wednesday, 24 March 2004 12:42
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AcctInfo.dll doesn't work on XP
> 
> 
> Thanks for the tip
> 
> It worked on one XP/SP1 and still fails on another.
> 
> If anyone knows of any other workaround ... we still have 
> Exchange 5.5 (for a
> while), so don't want to use Exchange 2003 tools yet.
> 
> Regards
> 
> Mike Waters
> 
> -Original Message-
> From: Steve Shaff [mailto:[EMAIL PROTECTED]
> Sent: 23 March 2004 20:47
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AcctInfo.dll doesn't work on XP
> 
> 
> The acctinfo.dll works for me on my Windows XP/SP1. However, 
> I gave the
> dll to the other admin and he was unable to view the extra tab.  The
> only difference between his ADUC and mine is that I have the exchange
> 2003 tools loaded.  Once he loaded the exchange tools and 
> re-registered
> the dll, he then was able to view the tab.
> 
> *
> Steve Shaff
> Active Directory / Exchange / SMS Administrator
> Corillian Corporation
> (W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Waters, MW
> (Mike) 
> Sent: Tuesday, March 23, 2004 7:07 AM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] AcctInfo.dll doesn't work on XP
> 
> Hi everyone,
> 
> In the Account Lockout tools download:
> 
> http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

There is a nice DLL called AcctInfo.dll  (version 1.0.0.) that adds
another tab to Active Directory and User that gives some more detailed
information on the user accounts. Specifically, it displays last logon.

If this DLL is registered on any of our Windows 2003 server domain
controllers it works fine.

However if we install it on our support staff desktops (running XP Sp1
with the server 2003 Admin tools), it causes the MMC to fall over with
0xc005 within the above DLL (offset 40b6) when the tab is selected.

Has anyone else had this problem? Or better still, have a workaround?

Regards

Mike Waters


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/







The information contained in this message may be confidential 
and is intended to be exclusively for the addressee. Should you 
receive this message unintentionally, please do not use the contents 
herein and notify the sender immediately by return e-mail.



RE: [ActiveDir] AcctInfo.dll doesn't work on XP

2004-03-24 Thread Thommes, Michael M.
If I remember correctly, part of this process is registering acctinfo.dll 
(regsvr32.exe acctinfo.dll) .  Did it register correctly the first time?  Did you try 
re-registering it?  Maybe a reboot?
 
Mike Thommes

-Original Message- 
From: Leeuwen van, JWJ (Joost) [mailto:[EMAIL PROTECTED] 
Sent: Wed 3/24/2004 6:41 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] AcctInfo.dll doesn't work on XP



I am using XP Sp1 without the Exchange 2003 tools and the DLL works like a 
charm on my PC.
Just f.y.i.

Try opening the DLL with depends, maybe you are missing some other components.

Joost


[ActiveDir] Security and AD

2004-03-24 Thread Gagnesh Kumar
Hi,
  I want to run AD behind a firewall.Can someone please suggest what
ports should I leave open so that all the clients to my AD can access it
successfully?
Any help would be greatly appreciated.
Thanks and regards,
Gagnesh


RE: [ActiveDir] Security and AD

2004-03-24 Thread Jimmy Andersson
These articles might help:

A List of the Windows 2000 Domain Controller Default Ports:
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q289241

AD Replication over Firewalls by Steve Riley,
http://www.microsoft.com/SERVICEPROVIDERS/columns/config_ipsec_p63623.asp

FYI:
Q224196 - Restricting AD Replication Traffic to a Specific Port.
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q224196

Q179442 - How to Configure a Firewall for Domains and Trusts.
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q179442

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gagnesh Kumar
Sent: Wednesday, March 24, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Security and AD

Hi,
  I want to run AD behind a firewall.Can someone please suggest what
ports should I leave open so that all the clients to my AD can access it
successfully?
Any help would be greatly appreciated.
Thanks and regards,
Gagnesh


RE: [ActiveDir] Security and AD

2004-03-24 Thread Peeter Ulst

Return Receipt: your "RE: [ActiveDir] Security and AD" document was received by Peeter Ulst/BICO-LEKS Kindlustuse AS/EE at 24.03.2004 15:31:35.





RE: [ActiveDir] DNS registration errors

2004-03-24 Thread Patrick - IT Department
Peter,
Our DNS is configured as a forwarder only; is that the reason I'm having the
problems? Do I need to add our ISP DNS IPs as forwarders or just leave the
internal IPs as forwarders?
thanks!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS registration errors



Patrick,
  I don't believe your problem is related to the presence or absence of
a WINS server.

  Your DHCP clients should only be getting assigned the internal DNS
server address.  The internal DNS server should be forwarding external
requests to the ISP's DNS server.  The DC should only have its internal IP
assigned as a DNS server.

-Peter



From: "Patrick - IT Department" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] DNS registration errors
Date: 03/23/2004 02:38 PM
Please respond to ActiveDir




thank you, I think I'll try installing WINS. I've already added my ISP DNS
to the forwarders, but do I need to stop and start the netlogon for this to
take effect?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 2:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS registration errors



Patrick,
  Here are the KB articles:

  http://support.microsoft.com/default.aspx?scid=kb;en-us;135919

  http://support.microsoft.com/default.aspx?scid=kb;EN-US;261968

  The second article explains why this problem is intermittent.
-Peter



From: "Patrick - IT Department" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] DNS registration errors
Date: 03/23/2004 12:43 PM
Please respond to ActiveDir




it is assigning the ISPs DNS, I called our ISP about it and LAN support is
supposed to be calling me back (right, right). I inherited this mess and I'm
still learning how this system is setup, so bear with me and thank you!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 12:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] DNS registration errors



Patrick,
  Make sure that your DHCP server is not assigning the ISP's DNS server
to clients, it should only be assigning your internal DNS address.  I
assume that your clients are Win2k or XP in which case the IP stack
performs some "optimization" of the DNS server list based on successful /
unsuccessful lookups.  I can't find the KB article or go into detail right
now because of time constraints but this may fix your problem.

-Peter



From: "Patrick - IT Department" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: "Active Directory" <[EMAIL PROTECTED]>
Subject: [ActiveDir] DNS registration errors
Date: 03/23/2004 11:32 AM
Please respond to ActiveDir




Hi all,
my scenario:
1 w2k server running AD
Cisco 1721 Router DHCP
ISP provides DNS
We intermittently have logon problems where users lose their profile
information and now I've run into where one user can't logon unless I
assign a static ip addy and even then he can't access internet. I've checked
the event viewer and I have a ton of event id: 5774
I have tried a few things mentioned on the MS website but most are for if
you run DNS internally. Our DNS is running but with forwarders.
Does anyone know what I can do or why this is happening?
Thanks,


Patrick











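Peter's three rules in this thread (the DC and the DHCP clients point only at internal DNS, the internal DNS server forwards to the ISP, and there is an internal forward lookup zone for the AD domain) turned into a check, as an added PowerShell example that is not from the thread. It assumes the DnsClient and DnsServer modules of Windows Server 2012 or later, and the internal DNS addresses are placeholders.

```powershell
<#
  Added example, not from the thread: run on a DC that also hosts the internal
  DNS server, to check it against the three rules Peter gives. Assumes the
  DnsClient and DnsServer modules (Windows Server 2012 or later); the
  addresses in $InternalDns are placeholders for your own DNS servers.
#>
function Test-DcDnsSetup {
    param(
        [string[]]$InternalDns = @('10.0.0.10', '10.0.0.11'),   # placeholder addresses
        [string]$AdDomain = $env:USERDNSDOMAIN
    )
    $findings = @()

    # Rule 1: the DC (like the DHCP clients) must point only at internal DNS.
    # An ISP address here is what makes registration and logons intermittent:
    # the client stack reorders its server list after failed lookups, and the
    # ISP server knows nothing about the AD zone.
    $clientDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
                 ForEach-Object { $_.ServerAddresses }
    $foreign = @($clientDns | Where-Object { $InternalDns -notcontains $_ })
    if ($foreign.Count) { $findings += "NIC points at non-internal DNS: $($foreign -join ', ')" }

    # Rule 2: the internal server forwards to the ISP; the forwarder list must
    # exist and must not loop back to an internal server.
    $fwd = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
    if (-not $fwd.Count) {
        $findings += "no forwarders configured; external names will not resolve"
    } elseif ($fwd | Where-Object { $InternalDns -contains $_ }) {
        $findings += "forwarder list contains an internal server"
    }

    # Rule 3: a forward lookup zone for the AD domain that accepts dynamic
    # updates, otherwise Netlogon cannot register its records (event ID 5774).
    $zone = Get-DnsServerZone -Name $AdDomain -ErrorAction SilentlyContinue
    if (-not $zone -or $zone.IsReverseLookupZone) {
        $findings += "no forward lookup zone for $AdDomain on this server"
    } elseif ($zone.DynamicUpdate -eq 'None') {
        $findings += "zone $AdDomain does not accept dynamic updates"
    }

    if ($findings.Count) { $findings } else { 'OK: DNS client, forwarders and AD zone match the recommended layout' }
}
Test-DcDnsSetup
```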

RE: [ActiveDir] DNS registration errors

2004-03-24 Thread Justin_Leney

Return Receipt: your "RE: [ActiveDir] DNS registration errors" document was received by Justin Leney/US/DCI at 03/24/2004 09:04:56 AM.






RE: [ActiveDir] PKI Infrastructure Question

2004-03-24 Thread Mulnick, Al
Well, that's not really an "infrastructure" then is it?  That's a single
server running all the roles with no separation and protection that you get
from separation. More importantly, PKI has many facets that have to be taken
into account.  You can't just leave the root CA machine on the network and
have it available for people to attack (best practice to protect the root
CA) and you have to have components in place to manage the CRLs etc.  If a
single box is deployed, it fulfils the CA, RA, (and so on) roles.  Splitting
those roles is a best practice but you'll need them for a PKI; if your CA is
also the RA then it has to be available for clients vs. being off-line and
protected.  

It all depends on the requirements.  If you just need a cert to get a SSL
web page running, then it may not be a big deal.  If you intend to issue and
manage certs, then you really need to consider your approach and best
practices etc and it's likely that a single server CA isn't going to meet
all your needs.

Al 

-Original Message-
From: Jennifer Fountain [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 22, 2004 2:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] PKI Infrastructure Question

My coworker wants to forego the PKI infrastructure and only install an
enterprise CA root on our DC or a dedicated machine. What are your thoughts
on this?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Friday, March 19, 2004 1:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] PKI Infrastructure Question

good approach, especially when using 2003 which allows you to constrain the
capabilities of the subordinate CAs (should at least configure them with a
basic constraint that contains a pathLenConstraint=2, so that people can't
add other subordinates underneath your planned subordinates)

making the root stand-alone and taking it offline is also common practice.
subordinates as Enterprise CAs will give you the most feature-benefits
(auto-enrollment etc.) and I don't have an issue with putting these on DCs
(you'll have to protect your DCs anyways)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Friday, 19 March 2004 18:15
To: [EMAIL PROTECTED]
Subject: [ActiveDir] PKI Infrastructure Question

We are finally getting around to implementing the PKI infrastructure here
and would like some advice.  

I had emailed several days ago about LDAP - unix box authenticating to AD
- and I got that working (in my test lab).  

Here is what I was going to implement and would like some advice or
direction if this is way off base.

Root (Stand-alone) CA (offline)
Subordinate Enterprise CA on DC

Is this normal practice or completely wrong?  Would you recommend installing on a
DC, or is that a major NO NO?

Any thoughts, or advice...

Kind Regards,

Jennifer Fountain
3400 E. Walnut Street
Colmar, PA 18915
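A check for the separation Guido and Al argue for above (offline root, subordinates constrained by basicConstraints/pathLenConstraint), as an added PowerShell example that is not from the thread. It uses only the .NET X509 classes, so it runs on any domain member; the store path is an assumption you can change.

```powershell
<#
  Added example, not from the thread: report the basic-constraints path
  length on every CA certificate in a local certificate store, so that an
  unconstrained subordinate (which could sign further sub-CAs) stands out.
  $StorePath is an assumption: the intermediate CA store by default.
#>
function Get-CaConstraintReport {
    param([string]$StorePath = 'Cert:\LocalMachine\CA')   # 'Cert:\LocalMachine\Root' for roots

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $bc = $cert.Extensions |
              Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
              Select-Object -First 1
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            IsCa         = [bool]($bc -and $bc.CertificateAuthority)
            # $null = no pathLenConstraint: this CA may sign an unlimited chain of sub-CAs
            PathLength   = if ($bc -and $bc.HasPathLengthConstraint) { $bc.PathLengthConstraint } else { $null }
            IsSelfSigned = ($cert.Subject -eq $cert.Issuer)
            NotAfter     = $cert.NotAfter
        }
    }
}

# One line per certificate, flagging the condition the thread warns about: a
# subordinate CA without pathLenConstraint, under which anyone holding its key
# (or a careless admin) can add further subordinates.
function Find-CaDesignIssues {
    param([object[]]$Report)
    foreach ($r in $Report) {
        if (-not $r.IsCa) { "SKIP  not a CA certificate: $($r.Subject)"; continue }
        if ($r.IsSelfSigned) { "INFO  self-signed root (should live offline): $($r.Subject)"; continue }
        if ($null -eq $r.PathLength) {
            "WARN  subordinate without pathLenConstraint: $($r.Subject)"
        } else {
            "OK    $($r.Subject) (pathLen=$($r.PathLength), issued by $($r.Issuer))"
        }
    }
}

Find-CaDesignIssues -Report (Get-CaConstraintReport)
```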


RE: [ActiveDir] PKI Infrastructure Question

2004-03-24 Thread Jennifer Fountain
I would agree.  I recommended configuring a root standalone (offline) and an enterprise 
subordinate issuing CA.   (I realize 3 tier is best but this will work for our 
environment).

Thanks for your opinions.  I don't think my coworker really gets certain things.  


Kind Regards,

Jennifer Fountain

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, March 24, 2004 9:27 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] PKI Infrastructure Question

Well, that's not really an "infrastructure" then is it?  That's a single server 
running all the roles with no separation and protection that you get from separation. 
More importantly, PKI has many facets that have to be taken into account.  You can't 
just leave the root CA machine on the network and have it available for people to 
attack (best practice to protect the root CA)and you have to have components in place 
to manage the crl's etc.  If a single box is deployed, it fulfils the CA, RA, (and so 
on) roles.  Splitting those roles is a best practice but you'll need them for a PKI; 
if your CA is also the RA then it has to be available for clients vs. being off-line 
and protected.  

It all depends on the requirements.  If you just need a cert to get a SSL web page 
running, then it may not be a big deal.  If you intend to issue and manage certs, then 
you really need to consider your approach and best practices etc and it's likely that 
a single server CA isn't going to meet all your needs.

Al 



RE: [ActiveDir] Group Policy - Overview

2004-03-24 Thread Darren Mar-Elia



For everyone's reference, the spreadsheet of all ADM 
settings is here:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 12:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy - Overview

Greetings Mr. Ander,
You can search that on MS-KB or if you can mail me offlist I can send you as attachment because I think I can't send as attachment to the list.
Search for this key word "Group Policy Settings Reference Spreadsheet (ADM Files)"

Cheers,
AThif


- 

This email and any files transmitted with it are 
confidential and intended solely for the use of the individual or entity to 
whom/which they are addressed. If you have received this email in error please 
notify the system manager at the following email address: [EMAIL PROTECTED] 
. Please note that any views or opinions 
presented in this email are solely those of the author and do not necessarily 
represent those of Al Faisaliah Group. Internet communications cannot be 
guaranteed to be secure or error-free as information could be intercepted, 
corrupted, lost, arrive late or contain viruses. The sender therefore does not 
accept liability for any errors or omissions in the context of this message, 
which arise as a result of Internet transmission. Finally, the recipient should 
check this email and any attachments for the presence of viruses. Al Faisaliah 
Group accepts no liability for any damage caused by any virus transmitted by 
this email. 
- 




[ActiveDir]

2004-03-24 Thread Network Administrator

I've brought this topic up previously, but I thought I'd run it across you
folks one more time to make sure I'm on the right track.  We're preparing to
upgrade a single NT4 domain to a 2003 AD domain, and I'll tentatively be
using the following plan. 

The current PDC (Serv01) is running NT4.  Due to poor management by previous
IT staff, it is also running Proxy Server 2, SQL Server 7, Exchange 5.5, and
one critical third-party application.  It also hosts multiple file shares.
The domain consists of approximately 100 users and 80 workstations, so it is
quite small.

The current BDC (Serv02) is a clean box running NT4 TSE.  I just built it a
few weeks ago for this project.  I intend to use this as a "cold spare" in
case this project goes south.  It is currently a BDC running backup on DNS
and WINS and not much else.

I have two new boxes, Serv03 and Serv04, that haven't been touched as of
yet.


1) Remove Serv02 from network, store as cold spare.
2) Build Serv03 as NT4 box.  Apply patches/SP's.
3) Promote Serv03 to PDC.  Allow time for synchronization.

Should Serv03 be running any specific services (DNS, WINS, etc.) at this
point, before I upgrade it to Windows 2003?


4) Upgrade Serv03 to Server 2003.  Give time to synchronize.

Will I need to move any FSMO roles over, or will this be done automatically?
Serv02 should be the only FSMO role-holder at the end of the migration,
correct?


5) Install Server 2003 (clean) on Serv04.  Promote to DC.

At this point, the domain would sit in mixed mode for no less than two to
three months while I beg management for money to buy new equipment and
licenses to migrate things away from Serv01.  Do you guys foresee any
complications with this?


6) When apps have been migrated, trash Serv01 softly.


Do you guys foresee any complications with my migration strategy?  The most
important IT asset of this organization is e-mail, so keeping the existing
PDC (Serv01) safe is of paramount importance.  Thanks!

-James R. Rogers

 


[ActiveDir] Linking other GPO objects to Domain Controllers

2004-03-24 Thread Devan Pala
Hi all,

Question:

Has anyone experienced issues or know of any 'gotchas' with linking other 
GPO objects to the Domain Controllers OU in addition to the Default Domain 
Controllers Policy?

Rationale:

I would like to have a GPO ready that essentially has Windows Update enabled 
for deploying approved updates from a central SUS server. When an update is 
available, tested and if required, the GPO is linked to the Domain 
Controllers OU and available for install depending on each DC's detection 
cycle and configured parameters.

Why not modify the Default Domain Controllers Policy?

At least this way, I will have complete control of when updates are pushed 
and importantly, if I would like to retract the updates unlinking this 
'other' GPO is easier and I believe safer than changing configuration 
settings on the Default Domain Controllers Policy.

Another nice feature would be that the by unlinking this policy the update 
would also be removed from the Windows Update folder on each client (the 
DC).

Your thoughts, suggestions and comments are as always, appreciated.

Thanks,
Devan.

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
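
The following is an added example, not something posted to the thread: a separate update GPO for the Domain Controllers OU that is linked only while an approved update is to go out and unlinked to stop further installs, leaving the Default Domain Controllers Policy untouched. It uses the GroupPolicy module (RSAT on a current Windows Server), so it is a modern equivalent of the SUS-era approach discussed above; the GPO name, update server URL and domain DN are placeholders, and the registry values are the same ones the Windows Update administrative template writes, so the settings show up normally in the GPMC editor.

```powershell
# Added example, not from the thread: a stand-alone "DC update window" GPO that
# is linked to the Domain Controllers OU only while an approved update goes out.
# Assumes the GroupPolicy module and a reachable DC; names below are placeholders.
Import-Module GroupPolicy

$GpoName = 'DC - Windows Update from central server'   # placeholder GPO name
$WsusUrl = 'http://sus01.corp.example:8530'            # placeholder update server
$DcOuDn  = 'OU=Domain Controllers,DC=corp,DC=example'  # placeholder domain DN
$WuKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function New-DcUpdateGpo {
    # Create the GPO once and write the policy-backed Windows Update settings.
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $GpoName -Comment 'Linked to the Domain Controllers OU only during an approved update window'
    }
    Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName 'WUServer'       -Type String -Value $WsusUrl | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName 'WUStatusServer' -Type String -Value $WsusUrl | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key "$WuKey\AU" -ValueName 'UseWUServer'  -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key "$WuKey\AU" -ValueName 'NoAutoUpdate' -Type DWord -Value 0 | Out-Null
    # AUOptions 3 = download and notify: a DC should not reboot itself unattended.
    Set-GPRegistryValue -Name $GpoName -Key "$WuKey\AU" -ValueName 'AUOptions'    -Type DWord -Value 3 | Out-Null
    return $gpo
}

function Enable-DcUpdateWindow {
    # Link the GPO to the Domain Controllers OU, or re-enable an existing link.
    $link = (Get-GPInheritance -Target $DcOuDn).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
    if ($link) { Set-GPLink -Name $GpoName -Target $DcOuDn -LinkEnabled Yes | Out-Null }
    else       { New-GPLink -Name $GpoName -Target $DcOuDn -LinkEnabled Yes | Out-Null }
}

function Disable-DcUpdateWindow {
    # Unlinking removes the WindowsUpdate policy keys on the next policy refresh,
    # so DCs stop contacting the server. Updates already installed stay installed.
    Remove-GPLink -Name $GpoName -Target $DcOuDn | Out-Null
}

function Test-DcUpdateLink {
    # True while the GPO is linked and enabled on the Domain Controllers OU.
    $links = (Get-GPInheritance -Target $DcOuDn).GpoLinks
    return [bool]($links | Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled })
}

New-DcUpdateGpo | Out-Null
Enable-DcUpdateWindow
Test-DcUpdateLink      # expect True while the window is open
# Disable-DcUpdateWindow   # close the window; Test-DcUpdateLink then returns False
```

Note that unlinking only stops new detections and downloads; it does not roll back an update that a DC has already installed, so the "retract" in the post above is really "stop offering", and a bad update still needs an uninstall.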


RE: [ActiveDir] DNS registration errors

2004-03-24 Thread peter . busque

You should have your ISP's DNS server in the forwarders tab of the internal
DNS server's properties.  Your internal DNS server must be running a
forward lookup zone for your AD or else you have serious issues.


   
  
-Original Message-
From: " Patrick - IT Department" <[EMAIL PROTECTED]>
Sent: 03/24/2004 09:02 AM
To: <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] DNS registration errors

Peter,
Our dns is configured as a forwarder only, is that the reason i'm having
the
problems? Do I need to add our ISP DNS IPs as forwarders or just leave the
internal IPs as forwarders?
thanks!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS registration errors



Patrick,
  I don't believe your problem is related to the presence or absence of
a WINS server.

  Your DHCP clients should only be getting assigned the internal DNS
server address.  The internal DNS server should be forwarding external
requests to the ISP's DNS server.  The DC should only have its internal IP
assigned as a DNS server.

-Peter



-Original Message-
From: " Patrick - IT Department" <[EMAIL PROTECTED]>
Sent: 03/23/2004 02:38 PM
To: <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] DNS registration errors


thank you, i think i'll try installing wins. I've already added my ISP DNS
to the forwarders, but do i need to stop and start the netlogon for this to
take affect?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 2:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS registration errors



Patrick,
  Here are the KB articles:

  http://support.microsoft.com/default.aspx?scid=kb;en-us;135919

  http://support.microsoft.com/default.aspx?scid=kb;EN-US;261968

  The second article explains why this problem is intermittent.
-Peter



-Original Message-
From: " Patrick - IT Department" <[EMAIL PROTECTED]>
Sent: 03/23/2004 12:43 PM
To: <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] DNS registration errors


it is assigning the ISPs DNS, I called our ISP about it and LAN support is
supposed to be calling me back (right, right). I inherited this mess and
I'm
still learning how this system is setup, so bear with me and thank you!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 12:03 PM
To: [EMAIL PROTECTED]
Subject: 

RE: [ActiveDir] AcctInfo.dll doesn't work on XP

2004-03-24 Thread Waters, MW (Mike)
Yes, all those tried  .. including unregister of the dll and re-register. No
errors generated

The XP/Sp1 machine it works on is a machine mainly used in our test domain,
whereas the one that fails is in our production domain. The test one has had
many tools added during testing (including Visual Studio) - my guess is
there is some other dll or option missing on the production workstations.
Not sure which one at the moment.

Mike Waters

-Original Message-
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: 24 March 2004 13:00
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AcctInfo.dll doesn't work on XP


If I remember correctly, part of this process is registering acctinfo.dll
(regsvr32.exe acctinfo.dll) .  Did it register correctly the first time?
Did you try re-registering it?  Maybe a reboot?
 
Mike Thommes

-Original Message- 
From: Leeuwen van, JWJ (Joost) [mailto:[EMAIL PROTECTED]

Sent: Wed 3/24/2004 6:41 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] AcctInfo.dll doesn't work on XP



I am using XP SP1 without the Exchange 2003 tools and the DLL works
like a charm on my PC.
Just f.y.i.

Try opening the DLL with depends, maybe you are missing some other
components.

Joost

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Waters, MW (Mike)
> Sent: Wednesday 24 March 2004 12:42
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AcctInfo.dll doesn't work on XP
>
>
> Thanks for the tip
>
> It worked on one XP/SP1 and still fails on another.
>
> If anyone know of any other workaround ... we still have
> Exchange 5.5 (for a
> while), so don't want to use Exchange2003 tools yet.
>
> Regards
>
> Mike Waters
>
> -Original Message-
> From: Steve Shaff [mailto:[EMAIL PROTECTED]
> Sent: 23 March 2004 20:47
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AcctInfo.dll doesn't work on XP
>
>
> The acctinfo.dll works for me on my Windows XP/SP1. However, I gave the
> dll to the other admin and he was unable to view the extra tab. The
> only difference between his ADUC and mine is that I have the exchange
> 2003 tools loaded.  Once he loaded the exchange tools and re-registered
> the dll, he then was able to view the tab.
>
> *
> Steve Shaff
> Active Directory / Exchange / SMS Administrator
> Corillian Corporation
> (W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Waters, MW (Mike)
> Sent: Tuesday, March 23, 2004 7:07 AM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] AcctInfo.dll doesn't work on XP
>
> Hi everyone,
>
> In the Account Lockout tools download:-
>
> http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
>
> There is a nice DLL called AcctInfo.dll (version 1.0.0.) that adds
> another tab to Active Directory and User that gives some more detailed
> information on the user accounts. Specifically, it displays last logon.
>
> If this DLL is registered on any of our Windows 2003 server domain
> controllers it works fine.
>
> However if we install it on our support staff desktops (running XP SP1
> with the server 2003 Admin tools), it causes the MMC to fall over with
> 0xc005 within the above DLL (offset 40b6) when the tab is selected.
>
> Has anyone else had this problem? Or better still have a work around.
>
> Regards
>
> Mike Waters



Re: [ActiveDir] Making another server part of existing DC

2004-03-24 Thread peter . busque

Regarding problem 2, make sure that your DNS settings on Server2 are
correct.

-Peter


   
  
-Original Message-
From: [EMAIL PROTECTED]
Sent: 03/24/2004 04:39 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Making another server part of existing DC


Greetings,

Actually I got 2 problems,

Originally we had 2 servers, one is the DC and the other is an additional DC for an existing
domain. Due to a virus attack, server 2 was cleaned (reformatted) and
Windows 2000 Server reinstalled.

Problems are:
(1)
server 2 displays 2 operating systems which I need to select, but both are for
Windows 2000 Server (first selection OK, second has error).

(2)
when I try to configure server 2 to become "Additional DC of Existing
Domain", it gives the message THE DOMAIN serverone.main.com IS NOT AN ACTIVE
DOMAIN OR AN ACTIVE DIRECTORY DOMAIN CONTROLLER FOR THE DOMAIN COULD NOT BE
CONTACTED.

I don't know if problem 1 has something to do with problem 2; on the DC
everything looks OK, or am I missing something?

any help is greatly appreciated

thanks

Cyrus


RE: [ActiveDir] DNS registration errors

2004-03-24 Thread Peeter Ulst

Return Receipt: your document "RE: [ActiveDir] DNS registration errors" was received by Peeter Ulst/BICO-LEKS Kindlustuse AS/EE at 24.03.2004 18:08:44.





RE: [ActiveDir] DNS registration errors

2004-03-24 Thread Patrick - IT Department
Let me try to clarify everything I have.
W2K server with one NIC card configured with a static IP address and our ISP
DNS server address (TCP/IP properties).
DHCP and DNS are provided by the ISP and assigned automatically to clients.
In admin tools, DNS properties lists the internal DNS IP as forwarders and
not the ISP DNS as forwarders.
And the forward lookup zone is pointing towards our internal DNS IP.
I added our ISP DNS addresses to the forward lookup zone last night and it
threw up event ID 5782 (no DNS server on local machine).



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 12:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] DNS registration errors



Patrick,
  Make sure that your DHCP server is not assigning the ISP's DNS server
to clients, it should only be assigning your internal DNS address.  I
assume that your clients are Win2k or XP in which case the IP stack
performs some "optimization" of the DNS server list based on successful /
unsuccessful lookups.  I can't find the KB article or go into detail right
now because of time constraints but this may fix your problem.

-Peter



  " Patrick - IT
  Department"To:   "Active
Directory" <[EMAIL PROTECTED]>
  <[EMAIL PROTECTED]cc:
  com>   Subjec
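
The following is an added example, not something posted to the thread: a check script for the configuration Peter describes (the DC's NIC lists only the internal DNS server, the DNS service hosts the AD forward lookup zone, external names go out through forwarders to the ISP, and the DC's own locator records resolve), with a repair function for the two usual mistakes. It assumes it is run on the DC itself with the DnsClient and DnsServer modules (Windows Server 2012 or later; on Windows 2000 the same checks are the TCP/IP properties, the DNS console and nslookup); the internal and ISP addresses are placeholders.

```powershell
# Added example, not from the thread: verify and repair a DC's DNS configuration.
# Assumes the DnsClient and DnsServer modules on the DC; addresses are placeholders.
$InternalDns = @('10.0.0.10')                      # placeholder: the internal DNS server (this DC)
$IspDns      = @('198.51.100.1', '198.51.100.2')   # placeholder: ISP resolvers, forwarders only
$DomainFqdn  = (Get-CimInstance Win32_ComputerSystem).Domain

function Test-DcDnsClient {
    # Every NIC on the DC must list only internal DNS servers. An ISP address here
    # is what makes registration fail intermittently: the client reorders servers
    # by response and may ask the ISP, which knows nothing about the AD zone.
    $bad = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { $_.ServerAddresses } |
        Where-Object { $_ -notin $InternalDns }
    return @($bad)   # empty when the client configuration is correct
}

function Test-DcDnsServer {
    # The DNS service must hold the AD zone (secure dynamic update) and forward
    # everything else to the ISP; the ISP never belongs in the zone or on the NIC.
    $zone = Get-DnsServerZone -Name $DomainFqdn -ErrorAction SilentlyContinue
    $fwd  = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
    return [pscustomobject]@{
        ZonePresent       = [bool]$zone
        DynamicUpdate     = if ($zone) { $zone.DynamicUpdate } else { $null }   # want 'Secure'
        ForwardersCorrect = ($fwd.Count -gt 0) -and (@($fwd | Where-Object { $_ -notin $IspDns }).Count -eq 0)
    }
}

function Test-DcSrvRecords {
    # The locator record clients use to find a DC; no answer means registration failed.
    $name = "_ldap._tcp.dc._msdcs.$DomainFqdn"
    $rec  = Resolve-DnsName -Name $name -Type SRV -Server $InternalDns[0] -ErrorAction SilentlyContinue
    return @($rec | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget)
}

function Repair-DcDnsConfig {
    # Point the NICs at the internal server, move the ISP to forwarders, re-register.
    Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' } |
        Set-DnsClientServerAddress -ServerAddresses $InternalDns
    Set-DnsServerForwarder -IPAddress $IspDns -UseRootHint $false
    Register-DnsClient         # same as "ipconfig /registerdns"
    Restart-Service Netlogon   # re-registers the DC's SRV records
}

Test-DcDnsClient      # expect no output
Test-DcDnsServer      # expect ZonePresent True, DynamicUpdate Secure, ForwardersCorrect True
Test-DcSrvRecords     # expect this DC's FQDN
```

Run the three tests first and only call Repair-DcDnsConfig once you know which of them fails; restarting Netlogon is what re-registers the SRV records, which answers the question asked earlier in the thread about whether a restart is needed after changing forwarders (it is not needed for forwarding itself, only for re-registration).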

RE: [ActiveDir] Accidentally deleted OU with lots of users

2004-03-24 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
Eric, 
there is quite a lot of things, that LVR changes. When activated, it extends
the link-table on each DC with a couple of columns, including one that
records the DeletionTime of a link. This is used to "deactivate" links (in
our case group-memberships) when the corresponding object is deleted. This
is similar to the creation of the tombstone of a member object itself, since
the link is not removed from the link-table right away. Just like for
tombstones, the garbage collection process was extended to cleanup these
deactivated links after the tombstone lifetime expires.

The main addition though, which changes the recovery procedures for Win2003,
is the fact that the deactivated links are "revived" when the previously
deleted objects are authoritatively restored - basically the link's
DeletionTime column is removed. There is obviously some additional logic
that differentiates between a link that was removed simply by removing an
existing user from a group, vs. the deletion of the user object in the
database - I assume that this is where back-links of the authoritatively
restored object comes into play (on the DC, that the user is restored on).

The sad thing is, that the link-revival process is only authoritative for
its own domain, i.e. its own NC => this means that even if an
authoritative restore was performed on a GC and all the links to UGs in any
part of the forest could be revived locally on that DC/GC, the links to UGs
from the other domains won't replicate back to the authoritative domain
(which hold the writable NC of the UG), as the respective DCs don't
replicate any changes back from GCs of another domain. This is normal
behaviour though, as a writable NC will only allow outbound replication to
the read-only NCs that make up the PAS of a GC.

Prior to RTM version of 2003, the UG links of other domains were actually
revived along with any group links in the own domain, causing quite chaotic
situations in a restore scenario => depending on your AD site-configuration
and DC placement, the revived UG links could replicate out to all other GCs,
except if these were hosted on DCs of the authoritative domain. The result
was that after an authoritative restore your UG memberships in the forest
were totally out of sync, depending on which GC you connected to...  But
this was fixed in RTM, after we (I) made Microsoft aware of this issue =>
for better consistency, if a restore takes place on a GC, the links for
objects in other NCs are not revived at all now.

Needless to say, that you'd be stuck anyways with recovering the
links/memberships in the domain local groups of those other domains in your
multi-domain forest, so you have to take care of handling the correct
re-population of those groups no matter what you do.


In Summary: the link-revival feature in LVR will allow you to restore
objects within a single-domain forest just fine (not only group-links, but
also other important links such as managedObjects and directReports) - but
the cross-domain issues in a multi-domain forest remain to require special
attention.


/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, 24 March 2004 13:37
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

Guido,  you said:

If you are running Win2003 AD at Win2003 FFL (in a single dom-forest), then
you don't have to take any special precautions, as the group-memberships
will be "revived" with the authoritative restore of your users (as you've
just deleted users, not groups).


Where did you get this from?
With LVR we still don't construct the forward link if the back link is
received so your comment here is not one that is clear to me. Until we do
reconstruct that forward link, I believe you do still need to worry about
this condition.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Wednesday, March 24, 2004 3:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

the procedures are different depending on your AD infrastructure - and as
also pointed out by Eric, multi-domain forests have particular challenges,
mostly related to users being in groups in the other domains of the forest
(e.g. Universal Groups or Domain Local Groups). If you're in a single domain
forest, the recovery is typically easier, as you don't have these
cross-domain issues.

However, the steps below really relate to a Win2000 AD recovery and to
Win2003 AD, when NOT running at Win2003 forest functional level (which is
where Link-Value replication is enabled).

If you are running Win2003 AD at Win2003 FFL (in a single dom-forest), then
you don't have to take any special precautions, as the group-memberships
will be "revived" with the authoritative restore of your users (as you've
just deleted users, not groups).

Realize, that this only works 

[ActiveDir] off topic a bit - eDirectory to AD migration

2004-03-24 Thread Klara . Neginsky

Can someone point me to a tool/way that we can extract our highly expanded eDirectory schema ?  We are in the process of looking to migrating eDirectory to AD or AD/AM.  

Klara.












RE: [ActiveDir] Accidentally deleted OU with lots of users

2004-03-24 Thread deji
I confess my lack of understanding of this procedure. I've used the procedure
I posted many times in restoring deleted objects (including OUs). Since you
posted this yesterday, I've been scratching my head and hacking OUs on my
test domains and restoring them following the procedures I posted and the
restore "seems" to be fine to me w/o any issue. This is a multi-Domain, Win2K
SP4, multi-DC, single-forest config. Some users in the hacked OUs belong to
groups in other Domains, and I still see them belonging to those groups and
able to access resources ACL'ed through those Groups.
 
So, obviously I am missing something important. I know to listen to you, so I
am really interested in the explanations behind the repopulation part of the
equation.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Eric Fleischman
Sent: Tue 3/23/2004 8:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users



It's not that simple.
To perform an authoritative restore of an OU full of users, here's a rough
step by step:

1) System state restore of a DC; mark OU full of users authoritative (i.e. mark
the subtree authoritative)
2) Boot DC on to private network
3) Disable inbound replication on the DC (repadmin can do this for you)
4) put DC back on to production network; let users replicate out
5) Identify groups that the users affected are a member of
6) Boot DC into DS restore mode; mark affected groups from step 5 as
authoritative
7) Boot DC back to normal mode
8) enable inbound replication

The other option is to repopulate the groups with the affected users rather
than marking the groups authoritative. This approach is particularly
advantageous if you have groups that span the domain boundary. If you want to
repopulate the groups rather than restore them send me a note offline and I
can help you with that.

The same procedure would be followed for computers should the computer
accounts be members of groups above and beyond their primary group
membership. If they are just in the primary group they just need to restore
the computer account. Group restores don't need anything like this either
(except for nested group memberships).

If anyone is unclear as to why you need the double auth restore or auth
restore + repopulation just holler.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Tuesday, March 23, 2004 7:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

Yep. Try to do an Authoritative Restore of the OU

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 6:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

This is not really terrible. Especially since you have a good backup.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q241594

pay close attention to the "Restore a Subtree" part.

If you don't understand any part of it, ask here again.


Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of David Wentworth
Sent: Tue 3/23/2004 4:08 PM
To: [EMAIL PROTECTED]
Cc: David Wentworth
Subject: [ActiveDir] Accidentally deleted OU with lots of users


Folks,

I really screwed up this time. I meant to delete a user object but
accidentally deleted the OU and all the users. How can I get it all back?

The backup ran last night and I think I can restore all of the Active
Directory, but I really don't want to roll back everything to where it was
last night. I just want the OU back. Please help.

Dave



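
The following is an added example, not something posted to the thread: the "repopulate the groups" alternative to the second authoritative restore in Eric's step list. It is meant to run right after step 4, while the restored DC still has inbound replication disabled: that DC came from the backup, so its copies of the groups still list the restored users, and their memberOf back-links can be captured there and replayed later through a DC of each group's own domain. It assumes the ActiveDirectory module and LDAP access to the restored DC; DC names, the OU and the CSV path are placeholders. As Guido explains above, memberOf on a DC only shows groups of its own domain (plus universal groups of other domains if it is a GC), so domain local groups in other domains still have to be captured from a DC of those domains.

```powershell
# Added example, not from the thread: capture group memberships from the restored
# DC (step 5) and replay them after replication is re-enabled (after step 8).
# Assumes the ActiveDirectory module; names and paths below are placeholders.
Import-Module ActiveDirectory

$RestoredDc = 'dc01.corp.example'             # placeholder: the DC restored from backup
$RestoredOu = 'OU=Sales,DC=corp,DC=example'   # placeholder: the OU that was deleted
$CsvPath    = 'C:\recovery\memberships.csv'   # placeholder

function Get-DomainFromDn {
    # "CN=G1,OU=Groups,DC=child,DC=corp,DC=example" -> "child.corp.example"
    param([string]$Dn)
    $parts = ($Dn -split ',') | Where-Object { $_ -like 'DC=*' }
    return (($parts -replace '^DC=', '') -join '.')
}

function Export-RestoredMemberships {
    # memberOf is a back-link computed by the DC you ask, so query the restored DC
    # only: it still holds the pre-deletion state. Domain local groups of other
    # domains are not visible here and must be captured from those domains' DCs.
    $rows = Get-ADUser -Server $RestoredDc -SearchBase $RestoredOu -Filter * -Properties memberOf |
        ForEach-Object {
            $userDn = $_.DistinguishedName
            foreach ($groupDn in $_.memberOf) {
                [pscustomobject]@{
                    GroupDn     = $groupDn
                    GroupDomain = Get-DomainFromDn $groupDn
                    MemberDn    = $userDn
                }
            }
        }
    $rows | Export-Csv -Path $CsvPath -NoTypeInformation
    return @($rows)
}

function Import-RestoredMemberships {
    # Replay once inbound replication is back on and the users have replicated.
    # Each group is written through its own domain (the writable NC); a GC cannot
    # accept writes for another domain's groups. Set-ADGroup -Add writes the DN
    # directly, which is what is needed for members from another domain.
    $rows = Import-Csv -Path $CsvPath
    foreach ($byGroup in ($rows | Group-Object GroupDn)) {
        $domain  = $byGroup.Group[0].GroupDomain
        $wanted  = @($byGroup.Group | ForEach-Object { $_.MemberDn })
        $current = @((Get-ADGroup -Identity $byGroup.Name -Server $domain -Properties member).member)
        $missing = @($wanted | Where-Object { $_ -notin $current })
        if ($missing.Count -gt 0) {
            Set-ADGroup -Identity $byGroup.Name -Server $domain -Add @{ member = $missing }
        }
    }
}

# Step 5: capture now, while inbound replication is disabled on the restored DC.
Export-RestoredMemberships | Group-Object GroupDomain | Select-Object Name, Count
# After step 8: Import-RestoredMemberships
```

Keep the CSV: it is also the record you need if a group turns out to have been changed legitimately between the backup and the deletion, since replaying adds members but never removes any.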


[ActiveDir] Recover a Domain

2004-03-24 Thread Salandra, Justin



I have a question for everyone.  If you have a 
child domain and for some reason you lose every domain controller in the domain, 
and you have a spare server that you install the OS on, how would you go about 
getting the domain back up and running.
 
Do you install the OS
Restore the System State
Perform an authoritative restore of the 
database
seize all FSMO roles
 
Please let me know, thanks
 
Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]


RE: [ActiveDir] Accidentally deleted OU with lots of users

2004-03-24 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
Deji,
you'll have to go into more details of your test setup.  Does multi-DC mean
more than one DC in the forest (which could also be one per domain), or does
it mean each domain has more than one DC in your lab?  You won't see some of
the issues with just one DC per domain. Also, are these DCs hosting GCs or
not? Big difference.

Rgd. the groups in other domains => are these Universal Groups, or Domain
Local groups? Restoring the users on a GC will also bring back the UGs on
THAT DC - so you may not see the real effects of the restore - but look on
the other DC in your domain...  If you only have a few objects in your OU,
you will also not see some of the group/user issues, as all objects can
replicate in one batch - some issues only come with larger numbers of
objects.

At last, do you allow enough time for replication of the tombstones after
deleting the OU? Especially to the GC of the other domains (if the other
domain doesn't have a GC you'd have to wait for the Infrastructure Master to
become active...). If you don't give enough time (which again depends on
your site-setup), your test may not be realistic.

How much time is enough?  You just have to ensure that your deleted OU is
also replicated to the other domain (can easily be looked at via ADSIedit)
and that you no longer see the respective user objects in the other domain's
groups.

Then perform your restore - and tell us the results.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, 24 March 2004 17:55
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users


RE: [ActiveDir] Linking other GPO objects to Domain Controllers

2004-03-24 Thread Rutherford, Robert
It's common practice to add other GPO links to the DC OU.

-Original Message-
From: Devan Pala [mailto:[EMAIL PROTECTED] 
Sent: 24 March 2004 15:44
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Linking other GPO objects to Domain Controllers


Hi all,

Question:

Has anyone experienced issues or know of any 'gotchas' with linking
other 
GPO objects to the Domain Controllers OU in addition to the Default
Domain 
Controllers Policy.

Rationale:

I would like to have a GPO ready that essentially has Windows Update
enabled 
for deploying approved updates from a central SUS server. When an update
is 
available, tested and if required, the GPO is linked to the Domain 
Controllers OU and available for install depending on each DC's
detection 
cycle and configured parameters.

Why not modify the Default Domain Controllers Policy?

At least this way, I will have complete control of when updates are pushed
and, importantly, if I would like to retract the updates unlinking this
'other' GPO is easier and I believe safer than changing configuration
settings on the Default Domain Controllers Policy.

Another nice feature would be that by unlinking this policy the update
would also be removed from the Windows Update folder on each client (the
DC).

Your thoughts, suggestions and comments are as always, appreciated.

Thanks,
Devan.


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Recover a Domain

2004-03-24 Thread Rutherford, Robert
In a nutshell yes.. I'd go to the Microsoft site and pull down one of their
procedures... sorry I can list one off now.

  
-Original Message-
From: Salandra, Justin [mailto:[EMAIL PROTECTED]
Sent: 24 March 2004 17:01
To: Activedir
Subject: [ActiveDir] Recover a Domain

I have a question for everyone. If you have a child domain and for some
reason you lose every domain controller in the domain, and you have a spare
server that you install the OS on, how would you go about getting the domain
back up and running?

Do you install the OS
Restore the System State
Perform an authoritative restore of the database
Seize all FSMO roles

Please let me know, thanks

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]


RE: [ActiveDir] Accidentally deleted OU with lots of users

2004-03-24 Thread Eric Fleischman
I see, so you were just covering a single NC condition. Ok, your logic is correct, but 
the caveats are complex. Many users think they have no group memberships across the NC 
boundary when they do, but that's neither here nor there. I would recommend my 
procedure as a safeguard. Further, it isn't always clear if your memberships have 
been LVR-enabled. As such, unless you know you've done this, your procedure is risky.

I still recommend mine.

~Eric



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO 
(HP-Germany,ex1)
Sent: Wednesday, March 24, 2004 10:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

Eric, 
there are quite a lot of things that LVR changes. When activated, it extends
the link-table on each DC with a couple of columns, including one that
records the DeletionTime of a link. This is used to "deactivate" links (in
our case group-memberships) when the corresponding object is deleted. This
is similar to the creation of the tombstone of a member object itself, since
the link is not removed from the link-table right away. Just like for
tombstones, the garbage collection process was extended to clean up these
deactivated links after the tombstone lifetime expires.

The main addition though, which changes the recovery procedures for Win2003,
is the fact that the deactivated links are "revived" when the previously
deleted objects are authoritatively restored - basically the link's
DeletionTime column is removed. There is obviously some additional logic
that differentiates between a link that was removed simply by removing an
existing user from a group, vs. the deletion of the user object in the
database - I assume that this is where the back-links of the authoritatively
restored object come into play (on the DC that the user is restored on).

The sad thing is that the link-revival process is only authoritative for
its own domain, i.e. its own NC => this means that even if an
authoritative restore was performed on a GC and all the links to UGs in any
part of the forest could be revived locally on that DC/GC, the links to UGs
from the other domains won't replicate back to the authoritative domain
(which holds the writable NC of the UG), as the respective DCs don't
replicate any changes back from GCs of another domain. This is normal
behaviour though, as a writable NC will only allow outbound replication to
the read-only NCs that make up the PAS of a GC.

Prior to the RTM version of 2003, the UG links of other domains were actually
revived along with any group links in the own domain, causing quite chaotic
situations in a restore scenario => depending on your AD site-configuration
and DC placement, the revived UG links could replicate out to all other GCs,
except if these were hosted on DCs of the authoritative domain. The result
was that after an authoritative restore your UG memberships in the forest
were totally out of sync, depending on which GC you connected to... But
this was fixed in RTM, after we (I) made Microsoft aware of this issue =>
for better consistency, if a restore takes place on a GC, the links for
objects in other NCs are not revived at all now.

Needless to say, you'd be stuck anyway with recovering the
links/memberships in the domain local groups of those other domains in your
multi-domain forest, so you have to take care of handling the correct
re-population of those groups no matter what you do.


In summary: the link-revival feature in LVR will allow you to restore
objects within a single-domain forest just fine (not only group-links, but
also other important links such as managedObjects and directReports) - but
the cross-domain issues in a multi-domain forest still require special
attention.


/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, 24 March 2004 13:37
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

Guido,  you said:

If you are running Win2003 AD at Win2003 FFL (in a single dom-forest), then
you don't have to take any special precautions, as the group-memberships
will be "revived" with the authoritative restore of your users (as you've
just deleted users, not groups).


Where did you get this from?
With LVR we still don't construct the forward link if the back link is
received so your comment here is not one that is clear to me. Until we do
reconstruct that forward link, I believe you do still need to worry about
this condition.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Wednesday, March 24, 2004 3:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

the procedures are different depending on your AD infrastructure - and as
also pointed out by Eric, multi-domain forests have particular challeng

RE: [ActiveDir] off topic a bit - eDirectory to AD migration

2004-03-24 Thread Lou Vega
Klara,

This might help.

http://www.microsoft.com/windows2000/techinfo/interop/dirsync.asp

r/
Lou

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 10:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] off topic a bit - eDirectory to AD migration

Can someone point me to a tool/way that we can extract our highly expanded
eDirectory schema? We are in the process of looking to migrate eDirectory
to AD or AD/AM.

Klara.


RE: [ActiveDir] Linking other GPO objects to Domain Controllers

2004-03-24 Thread Darren Mar-Elia
Agreed. Not much downside to this as long as you're not putting policies
on these other GPOs that conflict with any set in the DDC policy. Even
in that case, you just have to manage the conflicts. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford,
Robert
Sent: Wednesday, March 24, 2004 9:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers

It's common practice to add other GPO links to the DC OU.

-Original Message-
From: Devan Pala [mailto:[EMAIL PROTECTED]
Sent: 24 March 2004 15:44
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Linking other GPO objects to Domain Controllers


Hi all,

Question:

Has anyone experienced issues or know of any 'gotchas' with linking other
GPO objects to the Domain Controllers OU in addition to the Default Domain
Controllers Policy?

Rationale:

I would like to have a GPO ready that essentially has Windows Update enabled
for deploying approved updates from a central SUS server. When an update is
available, tested and if required, the GPO is linked to the Domain
Controllers OU and available for install depending on each DC's detection
cycle and configured parameters.

Why not modify the Default Domain Controllers Policy?

At least this way, I will have complete control of when updates are pushed
and, importantly, if I would like to retract the updates unlinking this
'other' GPO is easier and I believe safer than changing configuration
settings on the Default Domain Controllers Policy.

Another nice feature would be that by unlinking this policy the update
would also be removed from the Windows Update folder on each client (the
DC).

Your thoughts, suggestions and comments are as always, appreciated.

Thanks,
Devan.



RE: [ActiveDir] Recover a Domain

2004-03-24 Thread Anderson Santos Patricio
Hi Justin,

In reality.. you have only 3 FSMO in this child domain..

Do you install the OS
Restore the System State
Perform an authoritative restore of the database of the child domain
If necessary seize the Roles

Thanks in advance!
 


Anderson Patricio
[EMAIL PROTECTED]
Microsoft Certified Systems Engineer on 2003/2000
Microsoft Certified Systems Administrator on 2003/2000
Red Hat Certified Technician

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Wednesday, 24 March 2004 14:19
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Recover a Domain

In a nutshell yes.. I'd go to the Microsoft site and pull down one of their
procedures... sorry I can list one off now.

-Original Message-
From: Salandra, Justin [mailto:[EMAIL PROTECTED]
Sent: 24 March 2004 17:01
To: Activedir
Subject: [ActiveDir] Recover a Domain

I have a question for everyone. If you have a child domain and for some
reason you lose every domain controller in the domain, and you have a spare
server that you install the OS on, how would you go about getting the domain
back up and running?

Do you install the OS
Restore the System State
Perform an authoritative restore of the database
Seize all FSMO roles

Please let me know, thanks

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]


[ActiveDir] disaster recovery

2004-03-24 Thread Kern, Tom
I just restored AD. I had a test laptop, pulled it off the network, ran ntdsutil, 
seized all 3 roles, ran metadata cleanup and removed all my old DCs. Deleted them with 
adsiedit and all DNS records as well.
Then at the DR site, I set up new servers with the same names as the old ones, ran 
dcpromo. However, the new servers get dnslookup/rpc errors when I try to force a 
replication.
Also, they fail a dcdiag because the GUID DNS name is not present and the server 
"fails a directory request".
Also the SRV records for kerberos and kpasswd do not appear in DNS for my domain.
The test laptop had an AD integrated DNS zone pulled directly from my real network. 
However, it just has the zone for my domain, not the forest root.
Do I need this record as well to promote DCs? I'm not connected to the forest anyway, 
but should I have the forest root records too?
What am I doing wrong?
Thanks

RE: [ActiveDir] Accidentally deleted OU with lots of users

2004-03-24 Thread Eric Fleischman
>From my procedure:
5) Identify groups that the users affected are a member of
6) Boot DC in to ds restore mode; mark affected groups from step 5 as
Authoritative


That needs to be done across the domain boundary.
Another option: obtain from backups or the restored DC (like if it is a GC?) the DN of all 
groups the users were a member of. Turn that around and repopulate groups in each domain 
naming context.

~Eric


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO 
(HP-Germany,ex1)
Sent: Wednesday, March 24, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

Totally agree that you need to know what you're doing, otherwise you're
easily screwed. And as mentioned before, I specifically state that the
"don't need to do anything else" procedure is only safe in a single domain
forest and when all memberships are "LVR-enabled". It's certainly not
appropriate for multi-domain forests.

But even your procedure won't help much to recover the lost links in Domain
Local Groups of the other NCs as the references to these groups are usually
lost (unless the tombstone record didn't make it to the other NCs => which
could deliberately be the case with a hotsite/lagsite approach).

As such I've been working on a nice tool with some other HP folks, which
will collect all links in a forest for easy recovery after an authoritative
restore. It will also help to ensure that all memberships have been
LVR-enabled in 2003 FFL forests (simply by re-adding all members to the
groups they belong to - could obviously also be done by a simple script).
Nevertheless, it will work for both Win2000 and Win2003 forests as it
doesn't rely on LVR.

So although I'm not saying your procedure is bad, I have to say it's not
complete. At least not for multi-domain forests.

My recommendation is to either implement hotsites/lagsites (which, besides
saving you from needing to do a system-state restore, will also not require
you to disable inbound replication etc.) and/or think about deploying a tool
that backs up the links from the other domains of a forest. This could be as
simple as a daily LDIF dump of at least the domain local groups of every
domain, or a good online recovery tool for AD (although I know only of one
that does domain local group link-collection), or the HP tool I've mentioned
above (when it's finally ready).

/Guido

-Original Message-
From: Eric Fleischman [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 24 March 2004 18:28
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

I see, so you were just covering a single NC condition. Ok, your logic is
correct, but the caveats are complex. Many users think they have no group
memberships across the NC boundary when they do, but that's neither here nor
there. I would recommend my procedure as a safeguard. Further, it isn't
always clear if your memberships have been LVR-enabled. As such, unless you
know you've done this, your procedure is risky.

I still recommend mine.

~Eric



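An added example, written for this thread rather than taken from it or from the HP tool Guido mentions: the daily link dump Guido suggests and the "turn the DNs around and repopulate" step from Eric's procedure, in PowerShell, covering the cross-domain links that link revival does not bring back. It assumes the ActiveDirectory module, an account that can read every domain in the forest (and write to the groups when restoring), and the placeholder backup path in the usage comment.

```powershell
# Added example, not code from the thread: snapshot the member links of groups
# across every domain in the forest so they can be re-populated after an
# authoritative restore. Assumes the ActiveDirectory module and an account
# that can read all domains (and write to the groups when restoring).
Import-Module ActiveDirectory

# Derive the DNS name of the domain holding an object from its DN, e.g.
# "CN=Ops,OU=Groups,DC=child,DC=corp,DC=example" -> "child.corp.example".
# The split skips commas escaped inside an RDN (e.g. "CN=Doe\, John").
function Get-DomainFromDn {
    param([Parameter(Mandatory)] [string] $Dn)
    $dcParts = $Dn -split '(?<!\\),' | Where-Object { $_ -like 'DC=*' }
    return ($dcParts | ForEach-Object { $_.Substring(3) }) -join '.'
}

function Export-GroupLinks {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Domain Local groups are the ones whose links are lost across NCs;
        # add 'Universal' and 'Global' to snapshot everything.
        [string[]] $Scope = @('DomainLocal')
    )
    $snapshot = @{}
    $filter = ($Scope | ForEach-Object { "GroupScope -eq '$_'" }) -join ' -or '
    foreach ($domain in (Get-ADForest).Domains) {
        # Query a DC of each domain directly: a GC only carries a partial
        # copy of other domains' objects, and Domain Local members are not in it.
        Get-ADGroup -Server $domain -Filter $filter -Properties member |
            ForEach-Object { $snapshot[$_.DistinguishedName] = @($_.member) }
    }
    $snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
    return $snapshot.Count
}

function Restore-GroupLinks {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $Path)
    $snapshot = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $result = [ordered]@{ Added = 0; AlreadyPresent = 0; MemberMissing = 0; GroupMissing = 0 }
    foreach ($groupDn in $snapshot.PSObject.Properties.Name) {
        $groupDomain = Get-DomainFromDn $groupDn
        $group = Get-ADGroup -Identity $groupDn -Server $groupDomain -Properties member -ErrorAction SilentlyContinue
        if (-not $group) { $result.GroupMissing++; Write-Warning "Group not found: $groupDn"; continue }
        $current = @($group.member)
        foreach ($memberDn in @($snapshot.$groupDn)) {
            if ($current -contains $memberDn) { $result.AlreadyPresent++; continue }
            # Members can live in another domain; resolve them against that
            # domain so a member that was never restored is reported, not added.
            $member = Get-ADObject -Identity $memberDn -Server (Get-DomainFromDn $memberDn) -ErrorAction SilentlyContinue
            if (-not $member) { $result.MemberMissing++; Write-Warning "Member not found: $memberDn"; continue }
            if ($PSCmdlet.ShouldProcess($groupDn, "add member $memberDn")) {
                # A plain LDAP modify of 'member' writes the forward link in the
                # group's own NC, which an authoritative restore of the user in
                # another domain cannot bring back.
                Set-ADGroup -Identity $groupDn -Server $groupDomain -Add @{ member = $memberDn }
                $result.Added++
            }
        }
    }
    return [pscustomobject]$result
}

# Usage (placeholder path):
#   Export-GroupLinks -Path 'C:\adbackup\grouplinks.json' -Scope DomainLocal,Universal
#   Restore-GroupLinks -Path 'C:\adbackup\grouplinks.json' -WhatIf
```

Run the export on a schedule from each domain's perspective and keep the output with the system-state backups; the restore reports members that no longer exist instead of adding them.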

RE: [ActiveDir] Linking other GPO objects to Domain Controllers

2004-03-24 Thread Darren Mar-Elia
Mike-
Yea, the local policy gets over-written by the DC policy because the
local policy processes first in the pecking order, then site, domain and
OU linked GPOs. 
What you could do is create a second GPO with your policy change, linked
to the DC OU but with a higher processing order (i.e. it processes after
the DDC Policy). Then, set permissions on that new GPO such that the DC
in question is the only machine that has Read and Apply GPO rights to
it. You'll have to remove the default Authenticated Users ACE as well.

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Wednesday, March 24, 2004 11:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers

Related question:
Because of some testing we are doing in a production environment (yes, I
know - ahem, ah try a test environment; can't in this situation), we
would like to override the policy "Microsoft Network Server - digitally
sign communications (always)" that is set in the Default Domain
Controllers policy by using the local Domain Controller policy on a
particular DC.  But it appears not to be "overrideable".  Is this the
expected behavior?  If so, how could we accomplish this?  TIA!

Mike Thommes

-Original Message-
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers


Agreed. Not much downside to this as long as you're not putting policies
on these other GPOs that conflict with any set in the DDC policy. Even
in that case, you just have to manage the conflicts. 

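An added example, not from the thread: Darren's single-DC override built with the GroupPolicy module, linking the new GPO at the top of the Domain Controllers OU link order and security-filtering it to one DC's computer account. GPO name, DC name and domain DN are placeholders.

```powershell
# Added example, not from the thread: a GPO that overrides a Default Domain
# Controllers Policy setting on one DC only. Assumes the GroupPolicy module
# and placeholder names for the GPO, the DC and the domain.
Import-Module GroupPolicy

function New-SingleDcOverrideGpo {
    param(
        [Parameter(Mandatory)] [string] $GpoName,   # e.g. 'DC-Override-SMBSigning' (placeholder)
        [Parameter(Mandatory)] [string] $DcName,    # computer name, e.g. 'DC03' (placeholder)
        [Parameter(Mandatory)] [string] $DomainDn   # e.g. 'DC=corp,DC=example' (placeholder)
    )
    $gpo = New-GPO -Name $GpoName -Comment "Overrides DDC policy settings on $DcName only"

    # Link order 1 is the highest precedence on the OU: it is processed after
    # the Default Domain Controllers Policy, so its settings win on conflict.
    New-GPLink -Name $GpoName -Target "OU=Domain Controllers,$DomainDn" -LinkEnabled Yes -Order 1 | Out-Null

    # Security filtering: only the target DC's computer account may apply it.
    # The thread removes the Authenticated Users ACE outright; downgrading it
    # to Read gives the same filtering and keeps the GPO readable by computer
    # accounts, which GPOs carrying user settings require on current Windows.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $DcName -TargetType Computer -PermissionLevel GpoApply | Out-Null

    # The Security Options value itself ("Microsoft network server: Digitally
    # sign communications (always)") belongs to the security settings
    # extension, which has no cmdlet; edit it in GPMC on the GPO created here.
    return $gpo
}

# Verification: list every trustee that can actually apply the GPO. For a
# correctly filtered override this should be the DC's computer account only.
function Get-GpoApplyTrustees {
    param([Parameter(Mandatory)] [string] $GpoName)
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}

# Usage (placeholder names):
#   New-SingleDcOverrideGpo -GpoName 'DC-Override-SMBSigning' -DcName 'DC03' -DomainDn 'DC=corp,DC=example'
#   Get-GpoApplyTrustees -GpoName 'DC-Override-SMBSigning'
```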

RE: [ActiveDir] disaster recovery

2004-03-24 Thread Kern, Tom
Restarting netlogon or registerdns does not work.
Where is this copy of the root zone in my DNS server? I don't think I have it by 
default. I had to transfer it on my DNS server back home.
Also if I had it, wouldn't creating an AD integrated DNS server on my test DC also have 
it?
Finally, when DCs replicate, do they look each other up in a GC?
I never had any GC SRV records in my local domain zone, only in the root. Is this 
normal?
Thanks for your reply

-Original Message- 
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED] 
Sent: Wed 3/24/2004 2:16 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] disaster recovery


Hi Tom,

All registrations of AD zones can be recovered with two commands:

restart netlogon service or ipconfig /registerdns

and all workstations will update their registration in DNS, or DHCP will..

In Windows 2000 it is interesting to have a secondary zone of your root in your 
local DNS server.

In Windows 2003 you can set the DNS zone to Forest level; then this zone is 
replicated to all domain controllers in the forest.

Thanks in advance.

Anderson Patricio - Support Analyst
[EMAIL PROTECTED]
Microsoft Certified Systems Engineer on 2003/2000
Microsoft Certified Systems Administrator on 2003/2000
Red Hat Certified Technician


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, 24 March 2004 16:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


I also get an "all GCs are down" error.
GC records are just registered in the root domain, I assume. I only have a DNS 
for my domain.
Also dcdiag output says "the server is not responding to directory service 
requests" though it holds a copy of AD.
How can I get around this? Do I need a copy of the root DNS zone? How can I 
get this? Can I export it to a text file and import it into my DNS server? Can I 
somehow pull it from the config container in AD without being connected to the root of 
the tree?
Is this the cause of my woes?

It would be insane on MS's part to demand connectivity to the root of the 
forest when restoring or doing DR on AD.
What did I screw up?

Thanks again for any help

-Original Message- 
From: Kern, Tom 
Sent: Wed 3/24/2004 1:34 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [ActiveDir] disaster recovery



I just restored AD. I had a test laptop, pulled it off the network, 
ran ntdsutil, seized all 3 roles, ran metadata cleanup and removed all my old DCs. 
Deleted them with adsiedit and all DNS records as well.

Then at the DR site, I set up new servers with the same names as the 
old ones, ran dcpromo. However, the new servers get dnslookup/rpc errors when I try 
to force a replication.

Also, they fail a dcdiag because the GUID DNS name is not present and 
the server "fails a directory request".
Also the SRV records for kerberos and kpasswd do not appear in DNS for 
my domain.
The test laptop had an AD integrated DNS zone pulled directly from my 
real network. However, it just has the zone for my domain, not the forest root.

Do I need this record as well to promote DCs? I'm not connected to 
the forest anyway, but should I have the forest root records too?

What am I doing wrong?
Thanks
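An added example, not from the thread: a check of the DNS records Tom's new DCs are failing on, the domain's own SRV records plus the _msdcs subdomain of the forest root that holds the GC SRV records and the per-DC GUID CNAME that replication partners resolve. It assumes Resolve-DnsName (DnsClient module) and placeholder domain names; the DSA GUID is the "DSA object GUID" value that repadmin /showrepl prints for a DC.

```powershell
# Added example, not from the thread: verify the DNS records a newly promoted
# DC needs to find its domain, its KDCs and its replication partners.
# Assumes Resolve-DnsName (DnsClient module, Windows 8/2012 and later) and
# placeholder domain names.
function Test-DcLocatorRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,      # e.g. 'child.corp.example' (placeholder)
        [Parameter(Mandatory)] [string] $ForestRoot,  # e.g. 'corp.example' (placeholder)
        [string] $DsaGuid,                            # optional; DSA object GUID of one DC (from repadmin /showrepl)
        [string] $DnsServer                           # optional; DNS server to query directly
    )
    # The domain's own zone carries the Kerberos/kpasswd/LDAP SRV records the
    # thread reports missing; the _msdcs subdomain of the forest root carries
    # the GC SRV records and the per-DC GUID CNAME, which is why a DNS server
    # holding only the child domain zone cannot support the promotion.
    $checks = @(
        @{ Name = "_ldap._tcp.dc._msdcs.$Domain";     Type = 'SRV'; Why = 'DC locator' }
        @{ Name = "_kerberos._tcp.dc._msdcs.$Domain"; Type = 'SRV'; Why = 'KDC locator' }
        @{ Name = "_kerberos._tcp.$Domain";           Type = 'SRV'; Why = 'Kerberos' }
        @{ Name = "_kpasswd._tcp.$Domain";            Type = 'SRV'; Why = 'Kerberos password change' }
        @{ Name = "_ldap._tcp.pdc._msdcs.$Domain";    Type = 'SRV'; Why = 'PDC emulator' }
        @{ Name = "_gc._tcp.$ForestRoot";             Type = 'SRV'; Why = 'GC locator (forest root zone)' }
        @{ Name = "_ldap._tcp.gc._msdcs.$ForestRoot"; Type = 'SRV'; Why = 'GC locator (_msdcs)' }
    )
    if ($DsaGuid) {
        $checks += @{ Name = "$DsaGuid._msdcs.$ForestRoot"; Type = 'CNAME'; Why = 'replication partner lookup by DSA GUID' }
    }
    foreach ($check in $checks) {
        $query = @{ Name = $check.Name; Type = $check.Type; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $query.Server = $DnsServer }
        # Keep only answers of the requested type; the resolver may also return
        # the A records of SRV targets as additional data.
        $answers = @(Resolve-DnsName @query | Where-Object { $_.Type -eq $check.Type })
        [pscustomobject]@{
            Record  = $check.Name
            Purpose = $check.Why
            Found   = $answers.Count -gt 0
            Targets = ($answers | ForEach-Object {
                if ($_.Type -eq 'SRV') { "$($_.NameTarget):$($_.Port)" } else { $_.NameHost }
            }) -join ', '
        }
    }
}

# Usage (placeholder names): list only the records that are missing.
#   Test-DcLocatorRecords -Domain 'child.corp.example' -ForestRoot 'corp.example' |
#       Where-Object { -not $_.Found } | Format-Table Record, Purpose
```

Point -DnsServer at the DR site's DNS server to check what the new DCs actually see rather than what the workstation's resolver returns.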

RE: [ActiveDir] Linking other GPO objects to Domain Controllers

2004-03-24 Thread Thommes, Michael M.
Thanks, Darren!

-Original Message-
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 1:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers


Mike-
Yea, the local policy gets over-written by the DC policy because the
local policy processes first in the pecking order, then site, domain and
OU linked GPOs. 
What you could do is create a second GPO with your policy change, linked
to the DC OU but with a higher processing order (i.e. it processes after
the DDC Policy). Then, set permissions on that new GPO such that the DC
in question is the only machine that has Read and Apply GPO rights to
it. You'll have to remove the default Authenticated Users ACE as well.

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Wednesday, March 24, 2004 11:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers

Related question:
Because of some testing we are doing in a production environment (yes, I
know - ahem, ah try a test environment; can't in this situation), we
would like to override the policy "Microsoft Network Server - digitally
sign communications (always)" that is set in the Default Domain
Controllers policy by using the local Domain Controller policy on a
particular DC.  But it appears not to be "overrideable".  Is this the
expected behavior?  If so, how could we accomplish this?  TIA!

Mike Thommes

-Original Message-
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers


Agreed. Not much downside to this as long as you're not putting policies
on these other GPOs that conflict with any set in the DDC policy. Even
in that case, you just have to manage the conflicts. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford,
Robert
Sent: Wednesday, March 24, 2004 9:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers

It's common practice to add other GPO links to the DC OU.

-Original Message-
From: Devan Pala [mailto:[EMAIL PROTECTED]
Sent: 24 March 2004 15:44
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Linking other GPO objects to Domain Controllers


Hi all,

Question:

Has anyone experienced issues or know of any 'gotchas' with linking
other GPO objects to the Domain Controllers OU in addition to the
Default Domain Controllers Policy?

Rationale:

I would like to have a GPO ready that essentially has Windows Update
enabled for deploying approved updates from a central SUS server. When
an update is available, tested and if required, the GPO is linked to the
Domain Controllers OU and available for install depending on each DC's
detection cycle and configured parameters.

Why not modify the Default Domain Controllers Policy?

At least this way, I will have complete control of when updates are
pushed and importantly, if I would like to retract the updates unlinking
this 'other' GPO is easier and I believe safer than changing
configuration settings on the Default Domain Controllers Policy.

Another nice feature would be that by unlinking this policy the
update would also be removed from the Windows Update folder on each
client (the DC).

Your thoughts, suggestions and comments are as always, appreciated.

Thanks,
Devan.


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any use (including retransmission or copying) of this
information by persons or entities other than the intended recipient is
prohibited.  If you are not the intended recipient of this transmission,
please contact the sender and delete the material from any computer. The
sender is not responsible for the completeness or accuracy of this
communication as it has been transmitted over a public network. Any
replies to this email may be monitored by the MCPS-PRS Alliance for
quality control and other purposes.
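The per-DC override Darren describes, as an added example (not code from the thread, from Darren or from Microsoft): the same steps done with the GroupPolicy module cmdlets that ship with RSAT on Windows Server 2008 R2 and later (in 2004 they were clicked through in GPMC). The GPO name, the target DC name and the domain are assumptions. One deliberate difference from Darren's instruction: the Authenticated Users entry is downgraded to Read rather than removed. Apply is what makes a GPO take effect, so Read alone still leaves the other DCs unaffected, and keeping Read avoids the silent-skip behaviour that MS16-072 (June 2016) introduced for GPOs the computer account cannot read. The override setting itself (Mike's SMB signing policy) is authored in the GPO afterwards as usual; a DC with required SMB signing switched off is exposed to relay, which is the reason for scoping the override to one DC and unlinking it when the test is over.

```powershell
# Added example, not code from the thread. Requires the GroupPolicy and
# ActiveDirectory modules (RSAT) and rights to create and link GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'DC01-Override-SMBSigning'                  # assumed GPO name
$TargetDc = 'DC01'                                      # assumed name of the one DC that gets the override
$DcOu     = (Get-ADDomain).DomainControllersContainer   # OU=Domain Controllers,DC=...

# 1. Create the GPO and link it to the Domain Controllers OU with link order 1.
#    Link order 1 is the highest precedence on the OU: it is processed after the
#    Default Domain Controllers Policy and wins any conflicting setting
#    (processing order overall: local policy, site, domain, OU).
New-GPO -Name $GpoName -Comment "Per-DC override; security-filtered to $TargetDc" | Out-Null
New-GPLink -Name $GpoName -Target $DcOu -LinkEnabled Yes -Order 1 | Out-Null

# 2. Security filtering: replace the default "Authenticated Users: Read + Apply"
#    entry with Read only, so by default the GPO applies to nothing.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null

# 3. Grant Read + Apply to the single DC that should receive the override.
#    The computer is named by its sAMAccountName without the trailing '$' (assumption).
Set-GPPermission -Name $GpoName -TargetName $TargetDc -TargetType Computer `
                 -PermissionLevel GpoApply | Out-Null

# 4. Verify: link order on the OU, and who can read or apply the new GPO.
(Get-GPInheritance -Target $DcOu).GpoLinks | Select-Object Order, DisplayName, Enabled
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission

# 5. After 'gpupdate /force' on the target DC, 'gpresult /scope computer /r' run on
#    that DC lists the applied GPOs in precedence order and should show the
#    override above the Default Domain Controllers Policy; on every other DC the
#    new GPO should appear under "filtered out" with reason "Access Denied (Security Filtering)".
```

The verification step is the part worth keeping in a change record: gpresult on a non-target DC proves the filtering holds, and the Get-GPPermission output proves that no broader principal was granted Apply by accident.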

RE: [ActiveDir] disaster recovery

2004-03-24 Thread Anderson Santos Patricio


Are your zones set to Dynamic Updates = 
YES???
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, 24 March 2004 16:47
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

restarting netlogon or registerdns does not work.
where is this copy of the root zone in my dns server. i don't think i have 
it by default. i had to transfer it on my dns server back home.
also if i had it, wouldn't creating an AD integrated dns server on my test 
DC also have it?
finally, when dc's replicate, do they look each other up in a gc?
i never had any gc srv records in my local domain zone, only in the root. 
is this normal?
thanks for your reply

  -Original Message-
  From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED]
  Sent: Wed 3/24/2004 2:16 PM
  To: [EMAIL PROTECTED]
  Cc:
  Subject: RE: [ActiveDir] disaster recovery
  Hi Tom,
   
  All records of the AD zones can be recovered with two commands:
   
  restart the netlogon service, or ipconfig /registerdns
   
  and all workstations will update their records in DNS, or DHCP will.
   
  In Windows 2000 it is worth having a secondary zone of your root on your local DNS server.
   
  In Windows 2003 you can set the DNS zone replication scope to Forest; then the zone is replicated to all domain controllers in the forest.
   
  Thanks in advance.
   
  
  
  Anderson Patricio - Support Analyst
  [EMAIL PROTECTED]
  Microsoft Certified Systems Engineer on 2003/2000
  Microsoft Certified Systems Administrator on 2003/2000
  Red Hat Certified Technician
   
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
  Sent: Wednesday, 24 March 2004 16:03
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] disaster recovery
  
  i also get a "all gc's are down" error.
  gc records are just registered in the root domain, i assume. i only have 
  a dns for my domain.
  also dcdiag output says "the server is not responding to directory 
  service requests" though it holds a copy of AD.
  how can i get around this? do i need a copy of the root dns zone? how can 
  i get this? can i export it to a text file and import it into my dns server? 
  can i somehow pull it from the config container in AD without being connected 
  to the root of the tree?
  is this the cause of my woes?
   
  it would be insane on MS's part to demand connectivity to the root of the 
  forest when restoring or doing DR on AD.
  what did i screw up?
   
  Thanks again for any help
  
-Original Message-
From: Kern, Tom
Sent: Wed 3/24/2004 1:34 PM
To: [EMAIL PROTECTED]
Cc:
Subject: [ActiveDir] disaster recovery
I just restored AD. I had a test laptop, pulled it off the 
network, ran ntdsutil, seized all 3 roles, ran metadata cleanup and removed 
all my old DCs, deleted them with adsiedit and all DNS records as 
well.
then at the DR site, i set up new servers with the same 
names as the old ones, ran dcpromo. however, the new servers get 
dnslookup/rpc errors when i try to force a replication.
also, they fail a dcdiag because the guid dns name is not 
present and the server "fails a directory request".
Also the srv records for kerberos and kpasswd do not appear in dns 
for my domain. The test laptop had an AD integrated 
dns zone pulled directly from my real network. However, it just has the zone 
for my domain, not the forest root.
do i need this record as well to promote DCs? I'm not 
connected to the forest anyway, but should i have the forest root records 
too?
what am i doing wrong? thanks 
  


[ActiveDir] Remote Desktop

2004-03-24 Thread Philadelphia, Lynden - Revios Toronto

Is there a way to add Domain Admins to the Remote
Users of every pc in our Domain with AD and not go to every PC?

This message is intended for the use of the individual or entity to which it is 
addressed and may contain information that is privileged, confidential and exempt from 
disclosure under applicable law.  If the reader of this message in not the intended 
recipient or the employer or agent responsible for delivering the message to the 
recipient, you are hereby notified that dissemination, distribution or copying of this 
communication is strictly prohibited.  If you have received this communication in 
error, please notify us immediately by email or telephone, and delete this message and 
all of its attachments.



RE: [ActiveDir] disaster recovery

2004-03-24 Thread Kern, Tom
yes. 
a quick question- can one restore an entire child domain without connectivity to the 
root domain?

-Original Message- 
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED] 
Sent: Wed 3/24/2004 2:58 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] disaster recovery


Are your zones set to Dynamic Updates = YES???
 
 


RE: [ActiveDir] Remote Desktop

2004-03-24 Thread Seyboldt, Volker



yes you can.
You can use restricted groups in group policies to add any 
group you want to the local "Remote Desktop Users" at each 
PC.
Members (users and/or groups) of the PC's local 
Administrators group are also automatically allowed to connect 
remotely.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto
Sent: Wednesday, March 24, 2004 9:16 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Remote Desktop


Is there a way to add Domain Admins to the Remote Users 
of every pc in our Domain with AD and not go to every 
PC?
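An added example (not code from the thread or from Volker) for checking that the Restricted Groups policy he describes actually landed. Two details of Restricted Groups matter in practice: "Members of this group" replaces the local group's membership with exactly the listed accounts, while "This group is a member of" only adds the group and leaves existing members alone, so the second form is the one to use for Remote Desktop Users unless the intent is to purge it. And, as Volker notes, local Administrators can connect regardless, which is why the report shows both groups. Assumptions: the ActiveDirectory module, WinRM enabled on the PCs, and Get-LocalGroupMember on the targets (Windows 10 / Server 2016 and later).

```powershell
# Added example, not code from the thread. The expected member defaults to the
# domain's own "Domain Admins"; the search base is an assumption.
Import-Module ActiveDirectory

function Get-RdpAccessReport {
    param(
        [string]$SearchBase     = (Get-ADDomain).ComputersContainer,
        [string]$ExpectedMember = "$((Get-ADDomain).NetBIOSName)\Domain Admins"
    )
    $targets = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
               Select-Object -ExpandProperty DNSHostName

    $raw = Invoke-Command -ComputerName $targets -ErrorAction SilentlyContinue -ScriptBlock {
        # Runs on each PC. Well-known SIDs avoid localized group names:
        # S-1-5-32-555 = Remote Desktop Users, S-1-5-32-544 = Administrators.
        $rdp    = Get-LocalGroupMember -SID 'S-1-5-32-555' | ForEach-Object Name
        $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object Name
        [pscustomobject]@{
            Computer            = $env:COMPUTERNAME
            RemoteDesktopUsers  = @($rdp)
            LocalAdministrators = @($admins)
        }
    }

    foreach ($r in $raw) {
        [pscustomobject]@{
            Computer            = $r.Computer
            PolicyApplied       = $r.RemoteDesktopUsers -contains $ExpectedMember
            # Members of local Administrators can use Remote Desktop without being in
            # Remote Desktop Users, so this column is the real "who can connect" answer.
            CanRdpViaAdmins     = $r.LocalAdministrators -contains $ExpectedMember
            RemoteDesktopUsers  = $r.RemoteDesktopUsers -join '; '
            LocalAdministrators = $r.LocalAdministrators -join '; '
        }
    }

    # PCs that did not answer (offline, WinRM off) are absent from $raw; call them out
    # rather than letting them disappear from the report.
    $answered = @($raw | ForEach-Object Computer)
    $targets | Where-Object { ($_ -split '\.')[0] -notin $answered } |
        ForEach-Object { Write-Warning "No response from $_" }
}

Get-RdpAccessReport | Format-Table -AutoSize
```

Because Domain Admins are already in every domain member's local Administrators group by default, CanRdpViaAdmins will normally be true everywhere; the PolicyApplied column is what confirms the Restricted Groups entry itself. Interactive Domain Admin logons on workstations leave those credentials on the machine, so a dedicated support group is the usual thing to put in Remote Desktop Users instead.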


RE: [ActiveDir] Remote Desktop

2004-03-24 Thread Rod Trent



VB Script and a GPO, or Login Script.
 
http://www.myitforum.com/articles/11/view.asp?id=2457


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto
Sent: Wednesday, March 24, 2004 3:16 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Remote Desktop


Is there a way to add Domain Admins to the Remote Users 
of every pc in our Domain with AD and not go to every 
PC?


RE: [ActiveDir] Remote Desktop

2004-03-24 Thread Philadelphia, Lynden - Revios Toronto








Do you do this on the domain controller?

Lynden 











From: Seyboldt, Volker [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 3:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote Desktop

yes you can.
You can use restricted groups in group policies to add any group you want to the local "Remote Desktop Users" at each PC.
Members (users and/or groups) of the PC's local Administrators group are also automatically allowed to connect remotely.
 









RE: [ActiveDir] Accidentally deleted OU with lots of users

2004-03-24 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
I know - and that GC won't contain the DNs of the domain local groups of
the other domains, that the users were a member of.  I think this is the key
that I'm trying to get across.  You can get the DNs of the groups for your
own domain and the UGs of other domains when you're restoring a GC - but not
of the DLGs in the other domains!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, 24 March 2004 20:39
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

From my procedure:
5) Identify groups that the users affected are a member of
6) Boot DC into ds restore mode; mark affected groups from step 5 as
Authoritative


That needs to be done across the domain boundary.
Another option: obtain from backups or the restored dc (like if it is a gc?)
DN of all groups users were a member of. Turn that around and repopulate
groups in each domain naming context.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Wednesday, March 24, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

Totally agree that you need to know what you're doing, otherwise you're
easily screwed. And as mentioned before, I specifically state that the
"don't need to do anything else" procedure is only safe in a single domain
forest and when all memberships are "LVR-enabled". It's certainly not
appropriate for multi-domain forests.

But even your procedure won't help much to recover the lost links in Domain
Local Groups of the other NCs as the references to these groups are usually
lost (unless the tombstone record didn't make it to the other NCs => which
could deliberately be the case with a hotsite/lagsite approach).

As such I've been working on a nice tool with some other HP folks, which
will collect all links in a forest for easy recovery after an authoritative
restore. It will also help to ensure that all memberships have been
LVR-enabled in 2003 FFL forests (simply by re-adding all members to the
groups they belong to - could obviously also be done by a simple script).
Nevertheless, it will work for both Win2000 and Win2003 forests as it
doesn't rely on LVR.

So although I'm not saying your procedure is bad, I have to say it's not
complete. At least not for multi-domain forests.

My recommendation is to either implement hotsites/lagsite (which besides
saving you from needing to do a system-state restore, will also not require
to disable inbound replication etc.) and/or think about deploying a tool
that backups the links from the other domains of a forest. This could be as
simple as a daily LDIF dump of at least the domain local groups of every
domain, or a good online recovery tool for AD (although I know only of one
that does domain local group link-collection), or the HP tool I've mentioned
above (when it's finally ready).

/Guido

-Original Message-
From: Eric Fleischman [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 24 March 2004 18:28
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

I see, so you were just covering a single NC condition. Ok, your logic is
correct, but the caveats are complex. Many users think they have no group
memberships across the NC boundary when they do, but that's neither here nor
there. I would recommend my procedure as a safeguard. Further, it isn't
always clear if your memberships have been LVR-enabled. As such, unless you
know you've done this, your procedure is risky.

I still recommend mine.

~Eric



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Wednesday, March 24, 2004 10:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

Eric, 
there are quite a lot of things that LVR changes. When activated, it extends
the link-table on each DC with a couple of columns, including one that
records the DeletionTime of a link. This is used to "deactivate" links (in
our case group-memberships) when the corresponding object is deleted. This
is similar to the creation of the tombstone of a member object itself, since
the link is not removed from the link-table right away. Just like for
tombstones, the garbage collection process was extended to cleanup these
deactivated links after the tombstone lifetime expires.

The main addition though, which changes the recovery procedures for Win2003,
is the fact that the deactivated links are "revived" when the previously
deleted objects are authoritatively restored - basically the link's
DeletionTime column is removed. There is obviously some additional logic
that differentiates between a link that was removed simply by removing an
existing user from a group, vs. the deletion of the user object in the
database - I assume that this is where back-links of the author
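The "daily LDIF dump of at least the domain local groups of every domain" that Guido recommends, as an added example (not code from the thread, from Guido or from HP's tool): the export done with the ActiveDirectory module instead of ldifde, plus the re-population step Eric describes as the alternative to restoring a DC in each domain. Like Guido's approach it does not rely on LVR, so it serves both Win2000- and Win2003-level forests. Assumptions: read access to every domain in the forest for the export, group-modify rights for the restore, and the output path.

```powershell
# Added example, not code from the thread. Output location is an assumption.
Import-Module ActiveDirectory

function Export-DomainLocalGroupLinks {
    param([string]$Path = "C:\ADLinks\dlg-links-$(Get-Date -Format yyyyMMdd).csv")
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    $rows = foreach ($domain in (Get-ADForest).Domains) {
        # Domain local groups are the ones whose membership is only held in their own
        # domain: restoring a user elsewhere in the forest does not bring these links back.
        Get-ADGroup -Server $domain -Filter 'GroupScope -eq "DomainLocal"' -Properties member |
            ForEach-Object {
                $groupDn = $_.DistinguishedName
                foreach ($memberDn in $_.member) {
                    [pscustomobject]@{ Domain = $domain; GroupDN = $groupDn; MemberDN = $memberDn }
                }
            }
    }
    $rows | Export-Csv -NoTypeInformation -Path $Path
    return $Path
}

function Restore-DomainLocalGroupLinks {
    param([Parameter(Mandatory)][string]$Path, [switch]$WhatIf)
    foreach ($g in (Import-Csv $Path | Group-Object GroupDN)) {
        $domain  = $g.Group[0].Domain
        $current = @((Get-ADGroup -Server $domain -Identity $g.Name -Properties member).member)
        foreach ($memberDn in ($g.Group.MemberDN | Where-Object { $current -notcontains $_ })) {
            if ($WhatIf) { "Would re-add $memberDn to $($g.Name)"; continue }
            try {
                # Write the DN straight into the member attribute. The DC validates that the
                # object exists (through the GC for cross-domain members), so a member that
                # has not been restored yet fails here and is reported, not silently skipped.
                Set-ADGroup -Server $domain -Identity $g.Name -Add @{ member = $memberDn } -ErrorAction Stop
            } catch {
                Write-Warning "$($g.Name): could not re-add $memberDn ($($_.Exception.Message))"
            }
        }
    }
}

# Daily: schedule the export. After the authoritative restore of the users, run the
# restore against the last export taken before the deletion, first with -WhatIf.
# $file = Export-DomainLocalGroupLinks
# Restore-DomainLocalGroupLinks -Path $file -WhatIf
```

Run the restore only after the deleted objects have replicated back to the domains that host the groups; until then every cross-domain add fails the DN validation and shows up as a warning, which is the intended signal to wait and re-run.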

RE: [ActiveDir] Remote Desktop

2004-03-24 Thread Seyboldt, Volker



oh,
I think you should have a look at some whitepapers about 
implementing Group Policies in Active Directory.
You should implement this in a group policy of Active 
Directory, and yes, typically this is done on a DC.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto
Sent: Wednesday, March 24, 2004 9:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Remote Desktop


Do you do this on the domain controller?
 

 
Lynden 






RE: [ActiveDir] Accidentally deleted OU with lots of users

2004-03-24 Thread Eric Fleischman
Exactly, enter my point that you either need to restore a DC in each domain or 
repopulate the groups.
Is it me or are we saying the same thing over and over? Are you just not happy with 
the language I used to say it?



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO 
(HP-Germany,ex1)
Sent: Wednesday, March 24, 2004 3:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

I know - and that GC won't contain the DNs of the domain local groups of
the other domains, that the users were a member of.  I think this is the key
that I'm trying to get across.  You can get the DNs of the groups for your
own domain and the UGs of other domains when you're restoring a GC - but not
of the DLGs in the other domains!


RE: [ActiveDir] disaster recovery

2004-03-24 Thread Mulnick, Al



No, you need the root domain as it holds some of the roles 
etc.
 
In order for this to work, you need to restore the root 
domain as well.  I've found that doing this with a virtual server is 
sometimes easier but that just saves on hardware 
requirements.
 
 
Al


From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 3:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

yes. 
a quick question- can one restore an entire child domain without 
connectivity to the root domain?

  -Original Message-
  From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED]
  Sent: Wed 3/24/2004 2:58 PM
  To: [EMAIL PROTECTED]
  Cc:
  Subject: RE: [ActiveDir] disaster recovery
  Are your zones set to Dynamic Updates = 
  YES???
   
   
  
  
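Tom's question about which records a child-domain DC needs, and Al's answer that the root domain is required, come down to a concrete list that can be checked. An added example (not code from the thread or from any of its authors): a function that queries every SRV record a DC must register in its own domain zone, plus the two things that live only in the forest root zone, the _gc records and the CNAME named after the DC's NTDS Settings GUID under _msdcs.<forest root>. Replication partners are located through that CNAME, not through a GC, which is why a DC in a child domain still depends on the forest root zone even when it never talks to a root-domain DC. Assumptions: the ActiveDirectory module and Resolve-DnsName (Windows 8 / Server 2012 and later); domain names are read from the forest the script runs in.

```powershell
# Added example, not code from the thread.
Import-Module ActiveDirectory

function Test-DcDnsRecords {
    param(
        [string]$DcName = $env:COMPUTERNAME,   # DC to check
        [string]$DnsServer                     # optional: DNS server to query directly
    )
    $domain  = (Get-ADDomain).DNSRoot          # e.g. child.corp.example (constructed name)
    $forest  = (Get-ADForest).RootDomain       # e.g. corp.example (constructed name)
    $dc      = Get-ADDomainController -Identity $DcName
    $fqdn    = $dc.HostName
    # The replication CNAME is <objectGUID of the NTDS Settings object>._msdcs.<forest root>.
    $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGuid

    $checks = @(
        @{ Name = "_ldap._tcp.$domain";           Type = 'SRV';   Zone = $domain }
        @{ Name = "_kerberos._tcp.$domain";       Type = 'SRV';   Zone = $domain }
        @{ Name = "_kpasswd._tcp.$domain";        Type = 'SRV';   Zone = $domain }
        @{ Name = "_ldap._tcp.dc._msdcs.$domain"; Type = 'SRV';   Zone = $domain }
        @{ Name = "$dsaGuid._msdcs.$forest";      Type = 'CNAME'; Zone = "_msdcs.$forest" }
    )
    if ($dc.IsGlobalCatalog) {
        # GC records are registered in the forest root zone only.
        $checks += @{ Name = "_gc._tcp.$forest";             Type = 'SRV'; Zone = $forest }
        $checks += @{ Name = "_ldap._tcp.gc._msdcs.$forest"; Type = 'SRV'; Zone = "_msdcs.$forest" }
    }

    foreach ($c in $checks) {
        $query = @{ Name = $c.Name; Type = $c.Type; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $query.Server = $DnsServer }
        $answers = Resolve-DnsName @query
        # A record that exists but points at another DC is a different problem from a
        # record that is absent, so distinguish the two.
        $mine = if ($c.Type -eq 'SRV') {
            $answers | Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -eq $fqdn }
        } else {
            $answers | Where-Object { $_.Type -eq 'CNAME' -and $_.NameHost -eq $fqdn }
        }
        [pscustomobject]@{
            Record = $c.Name
            Zone   = $c.Zone
            Status = if ($mine) { 'OK' } elseif ($answers) { 'present, not pointing at this DC' } else { 'MISSING' }
        }
    }
}

Test-DcDnsRecords | Format-Table -AutoSize
```

On the remediation side, Anderson's two commands are not equivalent: ipconfig /registerdns only refreshes the host A and PTR records, while the SRV records and the _msdcs CNAME are registered by Netlogon, so it is the Netlogon restart (or nltest /dsregdns) that brings them back; dcdiag /test:dns reports the same gaps with more detail. Whatever the script reports as missing in the _msdcs.<forest root> zone cannot be fixed from inside the child domain alone, which is Al's point about restoring the root.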

RE: [ActiveDir] Accidentally deleted OU with lots of users

2004-03-24 Thread deji
Guido,
 
The configs I have been testing with since Eric's post are as follows.
One Forest. 4 domains. One Domain has 2 DCs, one has 3 DCs, the other 2 have
1 DC. All DCs are GCs.
 
In one of the Production environment restores I had personally done, I know
for a fact that the OU was fat-fingered on a Friday and the culprit did not
fess up until the following Tuesday (the Monday was a holiday). The LIVE
environment also contained multiple DCs in multiple child domains in one
forest.
 
The tests I've been doing since yesterday have been rapid-fire
deletion/look/restore/look tests. I have not really let it sit for long
enough to verify that the deletions have actually happened across the Forest.
So, I admit they've been somewhat flawed. So, I just "ooop!" a bunch of
OU and container objects now. I will report back tomorrow with my findings.
 
It's not that I don't believe or trust you and Eric, I'm just the curious
type who likes to understand the "why" of any "how". Also, I hate to think
that I've been misunderstanding this for so long.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Wed 3/24/2004 9:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users



Deji,
you'll have to go into more details of your test setup.  Does multi-DC mean
more than one DC in the forest (which could also be one per domain), or does
it mean each domain has more than one DC in your lab?  You won't see some of
the issues with just one DC per domain. Also, are these DCs hosting GCs or
not? Big difference.

Rgd. the groups in other domains => are these Universal Groups, or Domain
Local groups? Restoring the users on a GC will also bring back the UGs on
THAT DC - so you may not see the real effects of the restore - but look on
the other DC in your domain...  If you only have a few objects in your OU,
you will also not see some of the group/user issues, as all objects can
replicate in one batch - some issues only come with larger numbers of
objects.

Lastly, do you allow enough time for replication of the tombstones after
deleting the OU? Especially to the GC of the other domains (if the other
domain doesn't have a GC you'd have to wait for the Infrastructure Master to
become active...). If you don't give enough time (which again depends on
your site-setup), your test may not be realistic.

How much time is enough?  You just have to ensure that your deleted OU is
also replicated to the other domain (can easily be looked at via ADSIedit)
and that you no longer see the respective user objects in the other domain's
groups.

Then perform your restore - and tell us the results.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, 24 March 2004 17:55
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

I confess my lack of understanding of this procedure. I've used the procedure
I posted many times in restoring deleted objects (including OUs). Since you
posted this yesterday, I've been scratching my head and hacking OUs on my
test domains and restoring them following the procedures I posted and the
restore "seems" to be fine to me w/o any issue. This is a multi-Domain, Win2K
SP4, multi-DC, single-forest config. Some users in the hacked OUs belong to
groups in other Domains, and I still see them belonging to those groups and
able to access resources ACL'ed through those Groups.

So, obviously I am missing something important. I know to listen to you, so I
am really interested in the explanations behind the repopulation part of the
equation.


Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Eric Fleischman
Sent: Tue 3/23/2004 8:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users



It's not that simple.
To perform an authoritative restore of an OU full of users, here's a rough
step by step:

1) System state restore of a DC; mark OU full of users authoritative (i.e.
mark the subtree authoritative)
2) Boot DC on to private network
3) Disable inbound replication on the DC (repadmin can do this for you)
4) Put DC back on to production network; let users replicate out
5) Identify groups that the users affected are a member of
6) Boot DC in to DS restore mode; mark affected groups from step 5 as
authoritative
7) Boot DC back to normal mode
8) Enable inbound replication

The other option is to repopulate the groups with the affected users rather
than marking the groups
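
The eight steps above, as an added example that is not from the thread or from any of its authors: a cmd batch file with one label per phase, each run in the boot mode that phase calls for. It assumes the Windows Server 2003 tools (ntdsutil, repadmin, dsquery/dsget) and the placeholder names DC01 and OU=Sales,DC=corp,DC=example.

```batch
@echo off
REM Added example, not from the thread: one phase of the procedure per
REM label. Assumes Windows Server 2003 tools and placeholder names.
setlocal
set DC=DC01
set OU_DN=OU=Sales,DC=corp,DC=example
if "%~1"=="" goto usage
goto %~1

:mark_ou
REM Step 1 (Directory Services Restore Mode, right after the system state
REM restore): the whole OU subtree gets a higher version, so it wins.
ntdsutil "authoritative restore" "restore subtree %OU_DN%" quit quit
goto :eof

:disable_inbound
REM Step 3 (normal mode, private network): this DC must not pull from the
REM others, or its restored copies of the groups, which still list the
REM deleted users as members, would be overwritten before step 6.
repadmin /options %DC% +DISABLE_INBOUND_REPL
repadmin /options %DC%
goto :eof

:list_groups
REM Step 5: read memberships from THIS DC (backup-time data). Only groups
REM in this domain NC can be marked authoritative here; a domain local
REM group in another domain is restored there or repopulated by hand.
REM dsget prints each DN quoted and ends with "dsget succeeded"; keep
REM only the DN lines. Duplicate DNs are harmless in step 6.
dsquery user "%OU_DN%" -s %DC% -limit 0 | dsget user -s %DC% -memberof | find "CN=" | sort > groups.txt
goto :eof

:mark_groups
REM Step 6 (DS Restore Mode again): feed ntdsutil one command per group so
REM the pre-deletion membership replicates out and rebuilds the backlinks.
(
  echo authoritative restore
  for /f "usebackq delims=" %%G in ("groups.txt") do echo restore object %%G
  echo quit
  echo quit
) > mark_groups.txt
ntdsutil < mark_groups.txt
goto :eof

:enable_inbound
REM Step 8 (normal mode): let the DC converge with the rest of the domain.
repadmin /options %DC% -DISABLE_INBOUND_REPL
repadmin /syncall %DC% /e /d
goto :eof

:usage
echo usage: %~n0 mark_ou ^| disable_inbound ^| list_groups ^| mark_groups ^| enable_inbound
```

Steps 2, 4 and 7 are the network moves and reboots between phases; the file only covers what is typed at the prompt.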

RE: [ActiveDir] Remote Desktop

2004-03-24 Thread Philadelphia, Lynden - Revios Toronto








Do you have any white papers?

Lynden

From: Seyboldt, Volker [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 4:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote Desktop

oh,

I think you should have a look at some whitepapers about implementing Group
Policies in Active Directory

You should implement this in a group policy of active directory and yes
typically this is done on a DC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto
Sent: Wednesday, March 24, 2004 9:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Remote Desktop

Do you do this on the domain controller?

Lynden

From: Seyboldt, Volker [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 3:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote Desktop

yes you can

You can use restricted groups in group policies to add any group you want to
the local "Remote Desktop Users" at each PC.

Members (Users and/or groups) of the PC's local Administrators group are also
automatically allowed to connect remotely

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto
Sent: Wednesday, March 24, 2004 9:16 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Remote Desktop

Is there a way to add Domain Admins to the Remote Users of every pc in our
Domain with AD and not go to every PC?





This message is intended for the use of the individual or entity to which it is 
addressed and may contain information that is privileged, confidential and exempt from 
disclosure under applicable law.  If the reader of this message in not the intended 
recipient or the employer or agent responsible for delivering the message to the 
recipient, you are hereby notified that dissemination, distribution or copying of this 
communication is strictly prohibited.  If you have received this communication in 
error, please notify us immediately by email or telephone, and delete this message and 
all of its attachments.



RE: [ActiveDir] Accidentally deleted OU with lots of users

2004-03-24 Thread Eric Fleischman
Be sure to ensure that at least one test user is in a dlg, gg, ug and at least one dlg 
across the NC boundary. That gives you the full taste of the problem. ;)

You should find that the GC in the domain shows you UGs that the user is in, but not 
the DLG across the NC boundary. To restore that you either need to auth restore that 
group in the other NC or repopulate the user into the group (which is why I said what 
I did in my original post).

I still don't understand Guido's gripe with my wording though so I'm curious to hear 
back on that. :)

~Eric


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 3:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

Guido,
 
The configs I have been testing with since Eric's post are as follows.
One Forest. 4 domains. One Domain has 2 DCs, one has 3 DCs, the other 2 have
1 DC. All DCs are GCs.
 

RE: [ActiveDir] Remote Desktop

2004-03-24 Thread Seyboldt, Volker



try this:
http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx



RE: [ActiveDir] disaster recovery

2004-03-24 Thread Kern, Tom
i don't need the schema or domain naming roles to restore my domain. i have all the 
other roles. 
yet it still has issues with finding a gc or replicating within a domain.
why?
 
this is a fundamental design flaw of AD. It boggles the mind. If in a real disaster or 
even a test, MS expects you to have connectivity to your root domain wherever it may 
be (on the other side of the world) AND access to that domain's Admin passwords or 
accounts OR enterprise admin just to get up and running, then they are clearly not 
living in this world.
AD was meant for the enterprise where a corp could have offices and domains all over 
the world. if in the event of disaster, we have to worry about isdn or T1 lines to the 
root and overcome all the politics of diff IT depts and security to beg for the 
enterprise password (even just for a simple test) JUST to get functional (not add or 
delete domains or modify the schema), then i'm ready to ditch AD for NDS or something 
more realistic.
what other reason could I have to connect to the root? what other secrets does it hold 
aside from the 2 roles?
does anyone know?
why doesn't MS tell you these things in their DR documentation? is it so obvious?
why is connectivity to the root never mentioned as key?
am i the idiot?
i'm willing to accept that, but what else does the root dc hold in terms of AD 
functionality?
thank you for all your help so far.

-Original Message- 
From: Mulnick, Al [mailto:[EMAIL PROTECTED] 
Sent: Wed 3/24/2004 4:28 PM 
To: '[EMAIL PROTECTED]' 
Cc: 
Subject: RE: [ActiveDir] disaster recovery


No, you need the root domain as it holds some of the roles etc.
 
In order for this to work, you need to restore the root domain as well.  I've 
found that doing this with a virtual server is sometimes easier but that just saves on 
hardware requirements.
 
 
Al


From: Kern, Tom [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 24, 2004 3:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


yes. 
a quick question- can one restore an entire child domain without connectivity 
to the root domain?

-Original Message- 
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED] 
Sent: Wed 3/24/2004 2:58 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] disaster recovery


Are your zones set for Dynamic Updates = YES???
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, 
Tom
Sent: Wednesday, March 24, 2004 16:47
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


restarting netlogon or registerdns does not work.
where is this copy of the root zone in my dns server. i don't think i 
have it by default. i had to transfer it on my dns server back home.
also if i had it, wouldn't creating an AD integrated dns server on my 
test DC also have it?
finally, when dc's replicate, do they look each other up in a gc?
i never had any gc srv records in my local domain zone, only in the 
root. is this normal?
thanks for your reply

-Original Message- 
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED] 
Sent: Wed 3/24/2004 2:16 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] disaster recovery


Hi Tom,
 
All records in the AD zones can be recovered with two commands:
 
restart the netlogon service or ipconfig /registerdns
 
and all workstations will update their records in dns, or dhcp 
will.
 
In Windows 2000 it is useful to have a secondary zone of 
your root in your local dns server.
 
In Windows 2003 you can set the dns zone to the Forest level; then this 
zone is replicated to all domain controllers in the forest.
 
Thanks in advance.
 


Anderson Patricio - Support Analyst
[EMAIL PROTECTED]

Microsoft Certified Systems Engineer on 2003/2000

Microsoft Certified Systems 

[ActiveDir] replication

2004-03-24 Thread Kern, Tom
when servers replicate within a site OR intrasite, in a multi domain environment, do 
they need to contact a GC to find each other?
or for any reason.
what is the role of the gc in AD replication, inter and intra site?
thanks