RE: [ActiveDir] DNS Issue

2004-09-23 Thread Deji Akomolafe



In case you are still reading this, I'm still up for the next 30 minutes in case you need someone to bounce ideas off of. If not, good luck.




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Aaron Visser
Sent: Wed 9/22/2004 9:26 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] DNS Issue

Deji, Thanks for the info. I am heading back to work to give this a try. My only concern is the fact that I did not have DNS running on the secondary DC before the 1st one went down.

Aaron Visser

On 9/22/04 7:28 PM, "Deji Akomolafe" [EMAIL PROTECTED] wrote:

Look at the TCP/IP properties of the new server and make sure that it is pointing to itself for DNS (and WINS, if you use WINS). Make sure that the option to "use lmhosts..." is unchecked. Make sure you've properly removed traces of the dead server from AD. Make sure that you remove all replication links between the new and dead server (AD Sites and Services).

Take a look at my little "FSMO" pep talk here: http://www.akomolafe.com/docs/xferfsmos.htm

You should be able to create your zone without the presence of the dead server. Check the event log for relevant errors. Also be sure to modify your DHCP scope to reflect the fact that this is now your main DNS server (at least for the time being).

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Aaron Visser
Sent: Wed 9/22/2004 5:59 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS Issue

Ok here it goes,

Windows 2003 Servers

Today the RAID controller lost the HD config on my main AD server. After an hour or so of trying to get it back online I decided to opt for the promotion of AD to my secondary Domain controller and just rebuild the 1st one. Well the big problem I faced was that I never installed DNS on the second domain controller. I decided to go ahead with the FSMO promotion and everything was seized just fine. But now I sit with no DNS (I installed DNS before the seizure of roles) but it is not creating any Zones. I have tried to create a new Zone but it keeps looking for the downed server?

Any help in this would be greatly appreciated

Thanks,
Aaron Visser

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Active Directory Container (Folders)

2004-09-23 Thread Dean Wells



1. To enable creation of new "Container" objects in the interface, change the value of "defaultHidingValue" on the classSchema object "Container" from TRUE to FALSE.

In addition, and building on one of Joe's points: if the original reason for the question was to allow further hierarchy/organization beneath the existing "Users" and "Computers" containers, then the techniques outlined earlier and below serve this purpose. I would personally recommend the technique I mentioned earlier (#1) since it carries with it limitations consistent with those we already know.

2. You could, however, approach it from another angle and simply permit the creation of OUs beneath Containers (modify the classSchema object "Container"'s possibleSuperiors property) but either way a schema modification is required. This approach also causes errors related to Group Policy admin. in that GPMC whines a little when focused on OUs nested within Containers and fails to show those same OUs within the node tree.

Dean

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, September 22, 2004 11:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Container (Folders)

You can do it using the native Admin. tools but it requires a significant forest wide modification.

Can you explain?

--Brian

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wed 9/22/2004 9:09 PM
To: Send - AD mailing list
Cc:
Subject: RE: [ActiveDir] Active Directory Container (Folders)

You can do it using the native Admin. tools but it requires a significant forest wide modification. Like Brian, I'm intrigued to understand your motives or what it is that causes your need to differentiate Containers and OUs (there certainly are differences but which of them do you intend to exploit)?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rob S
Sent: Wednesday, September 22, 2004 7:12 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Active Directory Container (Folders)

Hello Everyone,

Does anyone know of a way to create additional Active Directory "container folders" similar to the default computers and users system folder in AD? I'm trying to avoid using nested OUs to organize my user/computer objects.

Thanks in advance!

Rob Straley, MCSE
Senior Systems Engineer
Merriman Curhan Ford & Co.
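Before touching the schema it is worth seeing what the two options above would actually change, and whether anyone has already nested OUs under plain containers (the layout GPMC does not display correctly). The PowerShell below is an added example, not code from Dean or from the thread: it reads defaultHidingValue and possSuperiors on the Container classSchema object, reads possSuperiors on the Organizational-Unit class as well (possSuperiors on a class lists the classes that may contain its instances, so it is the OU class's list that decides whether an OU may sit beneath a container), and enumerates OUs whose immediate parent is a container object. It assumes the RSAT ActiveDirectory module on a domain-joined machine; Get-ContainerNestingReport is a name chosen here. Everything it does is read-only.

```powershell
# Added example, not the thread's own code. Read-only inspection of the schema
# attributes discussed above and of OUs already nested under container objects.
# Assumes the RSAT ActiveDirectory module; Get-ContainerNestingReport is a name
# chosen for this example.
Import-Module ActiveDirectory

function Get-ContainerNestingReport {
    $rootDse  = Get-ADRootDSE
    $schemaNc = $rootDse.schemaNamingContext
    $domainNc = $rootDse.defaultNamingContext

    # classSchema objects are named by their schema display name:
    # CN=Container and CN=Organizational-Unit under CN=Schema.
    $containerClass = Get-ADObject -Identity "CN=Container,$schemaNc" `
                        -Properties defaultHidingValue, possSuperiors, systemPossSuperiors
    $ouClass        = Get-ADObject -Identity "CN=Organizational-Unit,$schemaNc" `
                        -Properties possSuperiors, systemPossSuperiors

    # possSuperiors is the admin-editable list; systemPossSuperiors is system-owned
    # and cannot be changed, so the effective list is the union of both.
    $containerParents = @($containerClass.possSuperiors) + @($containerClass.systemPossSuperiors)
    $ouParents        = @($ouClass.possSuperiors)        + @($ouClass.systemPossSuperiors)

    # OUs whose immediate parent is a plain container object (e.g. under CN=Users).
    $nestedOus = foreach ($c in (Get-ADObject -Filter "objectClass -eq 'container'" -SearchBase $domainNc)) {
        Get-ADObject -Filter "objectClass -eq 'organizationalUnit'" `
                     -SearchBase $c.DistinguishedName -SearchScope OneLevel
    }

    [pscustomobject]@{
        ContainerHiddenInUi      = [bool]$containerClass.defaultHidingValue   # TRUE = option #1 not applied
        ContainerPossSuperiors   = $containerParents
        OuPossSuperiors          = $ouParents
        OuMayLiveUnderContainer  = ('container' -in $ouParents)                # FALSE = option #2 not applied
        OusNestedUnderContainers = @($nestedOus | Select-Object -ExpandProperty DistinguishedName)
    }
}

# Get-ContainerNestingReport | Format-List
```

Run it once before and once after any schema change so the before/after state of the forest is on record; schema modifications replicate forest-wide and cannot be rolled back by deleting the attribute value again.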


RE: [ActiveDir] Missing enumeration for DNS Scripting

2004-09-23 Thread rallen



I'm a little late with this, but I just needed to figure these out myself. So through trial and error, here are the values:

const ZONE_SECSECURE_NO_SECURITY = 0
const ZONE_SECSECURE_NS_ONLY = 1
const ZONE_SECSECURE_LIST_ONLY = 2
const ZONE_SECSECURE_NO_XFR = 3
const ZONE_NOTIFY_OFF = 0
const ZONE_NOTIFY_ALL_SECONDARIES = 1
const ZONE_NOTIFY_LIST_ONLY = 2

BTW, I couldn't find these in the SDK either.

Regards,
Robbie Allen
http://www.rallenhome.com/
http://www.rallenhome.com/blog/adcookbook/ (Active Directory Blog)

  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, August 04, 2004 5:34 PM
To: [EMAIL PROTECTED]; joe
Subject: RE: [ActiveDir] Missing enumeration for DNS Scripting

Uh, not at least on the public page.

SecureSecondaries
[in] Specifies the security to be applied and must be one of the following:
ZONE_SECSECURE_NO_SECURITY
ZONE_SECSECURE_NS_ONLY
ZONE_SECSECURE_LIST_ONLY
ZONE_SECSECURE_NO_XFR

What are the numeric values of ZONE_SECSECURE_NO_SECURITY and the others? Similarly, the numeric values for the Notify parameters?

Thanks!

Michael

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, August 04, 2004 4:56 PM
To: joe; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Missing enumeration for DNS Scripting

I'm not sure I understand the question.
Which enum are you looking for? That page specifies the values for the ins.
What am I not seeing that you're looking for?

From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 04, 2004 12:45 PM
To: [EMAIL PROTECTED]
Cc: Eric Fleischman
Subject: RE: [ActiveDir] Missing enumeration for DNS Scripting

I just checked the Beta K3 SP1 SDK and it isn't there...

Possibly you can sweet talk ~Eric into giving you the values.

I have notified the MSDN folks and told them where to find the constants so they don't have to look too hard but who knows what the time frame will be.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 04, 2004 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Missing enumeration for DNS Scripting

Cute

Do you have MSDN Universal access and have you looked in the Beta SDK's?

I will send something to MS about it but don't expect a quick fix.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, August 04, 2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Missing enumeration for DNS Scripting

Oh scripting gurus

http://msdn.microsoft.com/library/default.asp?url=""

Contains a number of values that I can't find in the platform SDK (ZONE_*) or on the web or on MSDN.

Anyone have access to these values?

Thanks.
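Robbie's numbers are the values of the SecureSecondaries and Notify properties of the MicrosoftDNS_Zone WMI class, which is what a script reads or sets with them. The PowerShell below is an added example, not code from the thread or from Robbie's cookbook: it audits every zone on a DNS server, flags zones whose SecureSecondaries is still 0 (zone transfer to any host that asks, i.e. the whole zone's contents are readable by anyone who can reach TCP/53) and, only when run with -Remediate, restricts such zones to an explicit secondary list through the class's ResetSecondaries method. It assumes Windows PowerShell 5.1 run by a DNS administrator with WMI access to the server; $DnsServer, $AllowedSecondaries and Invoke-ZoneTransferAudit are names chosen here, and the parameter order of ResetSecondaries is the one documented for the MicrosoftDNS provider.

```powershell
# Added example, not the thread's own code. Audits the zone-transfer setting of
# every zone on a Windows DNS server through the MicrosoftDNS WMI provider and,
# only with -Remediate, locks open zones down. Numeric values are the ones Robbie
# posted. Assumes Windows PowerShell 5.1 run by a DNS administrator with WMI
# access to the server; $DnsServer, $AllowedSecondaries and the function name
# are names chosen for this example.

$ZONE_SECSECURE_NO_SECURITY  = 0   # AXFR to any host that asks
$ZONE_SECSECURE_NS_ONLY      = 1   # only to servers named in the zone's NS records
$ZONE_SECSECURE_LIST_ONLY    = 2   # only to the explicit SecondaryServers list
$ZONE_SECSECURE_NO_XFR       = 3   # zone transfers disabled

$ZONE_NOTIFY_OFF             = 0
$ZONE_NOTIFY_ALL_SECONDARIES = 1
$ZONE_NOTIFY_LIST_ONLY       = 2

$SecureSecondariesLabel = @{ 0 = 'NO_SECURITY'; 1 = 'NS_ONLY'; 2 = 'LIST_ONLY'; 3 = 'NO_XFR' }

function Invoke-ZoneTransferAudit {
    param(
        [string]   $DnsServer          = $env:COMPUTERNAME,
        [string[]] $AllowedSecondaries = @(),   # addresses of the secondaries you really run
        [switch]   $Remediate                   # without it the function only reports
    )

    $zones = Get-WmiObject -ComputerName $DnsServer -Namespace 'root\MicrosoftDNS' `
                           -Class 'MicrosoftDNS_Zone'

    foreach ($zone in $zones) {
        $mode = [int]$zone.SecureSecondaries
        $open = ($mode -eq $ZONE_SECSECURE_NO_SECURITY)
        if ($open) { $finding = 'zone transfer allowed from any host' } else { $finding = 'restricted' }

        $row = [pscustomobject]@{
            Zone              = $zone.Name
            SecureSecondaries = $SecureSecondariesLabel[$mode]
            SecondaryServers  = (@($zone.SecondaryServers) -join ', ')
            Notify            = [int]$zone.Notify
            Finding           = $finding
            Remediated        = $false
        }

        if ($open -and $Remediate) {
            # MicrosoftDNS_Zone.ResetSecondaries(SecureSecondaries, SecondaryServers[], Notify, NotifyServers[])
            if ($AllowedSecondaries.Count -eq 0) {
                # No legitimate secondaries: switch transfers off altogether.
                $null = $zone.ResetSecondaries($ZONE_SECSECURE_NO_XFR, [string[]]@(),
                                               $ZONE_NOTIFY_OFF, [string[]]@())
            } else {
                # Restrict both AXFR and NOTIFY to the explicit list.
                $null = $zone.ResetSecondaries($ZONE_SECSECURE_LIST_ONLY, $AllowedSecondaries,
                                               $ZONE_NOTIFY_LIST_ONLY, $AllowedSecondaries)
            }
            $row.Remediated = $true
        }
        $row
    }
}

# Report only:
# Invoke-ZoneTransferAudit -DnsServer 'dns1' | Format-Table -AutoSize
# Lock open zones down to one known secondary (server and address are hypothetical):
# Invoke-ZoneTransferAudit -DnsServer 'dns1' -AllowedSecondaries '192.0.2.53' -Remediate
```

Run the report form first and compare the SecondaryServers column against the secondaries you actually operate before remediating; NS_ONLY is only as safe as the zone's NS records, so LIST_ONLY with a maintained list is the setting to aim for. On PowerShell 7 Get-WmiObject is gone; the same audit works with Get-CimInstance and Invoke-CimMethod against the same class and method.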
  
  


RE: [ActiveDir] Missing enumeration for DNS Scripting

2004-09-23 Thread Michael B. Smith



Cool, now I'll refer to you as the source. :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 23, 2004 10:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Missing enumeration for DNS Scripting



[ActiveDir] OT:Exhange size limit require restart?

2004-09-23 Thread Douglas M. Long








Does anyone know if there is something that has to be restarted if you change the Sending message size and Receiving message size limits (Global Settings)? I have increased the size of both, and it doesn't seem like they took effect. Exchange 2003






~~
This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.
~~

RE: [ActiveDir] OT:Exhange size limit require restart?

2004-09-23 Thread Michael B. Smith



It can take a couple of hours (seriously). If you are in a hurry, restart the I/S.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, September 23, 2004 10:20 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT:Exhange size limit require restart?




RE: [ActiveDir] OT:Exhange size limit require restart?

2004-09-23 Thread Ayers, Diane




It takes a while to take effect (~ 2 hrs). Take a look at the KB below to see how to modify this behavior.
Diane
http://support.microsoft.com/default.aspx?scid=kb;%5bLN%5d;327378


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, September 23, 2004 7:20 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT:Exhange size limit require restart?




[ActiveDir] Computer object generation script question

2004-09-23 Thread Mike Baudino




I've been working on creating an ASP.NET page to create computer objects
for servers across our four forests (PROD, DEV, Integration, Sandbox) and
ensure that the server names conform with our standards and are unique.  I
used information from Robbie Allen's cookbook and Pro. NET Active Directory
Services Programming to figure out how to do this (have never done it
before).

I had everything working properly except that I couldn't add an actual
server to the domain as the object created by the page.  I thought it had
to do with the DACL so I started working on that and quickly got lost (still
trying to figure out how to do all of this).

Anyway, I backed away from the work a bit and took a look at a computer
object created by the script and by actually adding a computer to the
domain and noticed that the script wasn't populating the DNSHostName
attribute whereas actually adding a server to the domain was.  So I
modified the code to do this and then it all came together and now I'm able
to add the server to the domain using the object created.

My question is this:  Is this something new to 2003?  I haven't seen
anywhere, either of the books above or on Microsoft's site, that this is a
required attribute.  It sure worked that way though.  Anyone else run into
this?


Thanks,
Mike



*** PLEASE NOTE ***
This E-Mail/telefax message and any documents accompanying this
transmission may contain privileged and/or confidential information and is
intended solely for the addressee(s) named above.  If you are not the
intended addressee/recipient, you are hereby notified that any use of,
disclosure, copying, distribution, or reliance on the contents of this
E-Mail/telefax information is strictly prohibited and may result in legal
action against you. Please reply to the sender advising of the error in
transmission and immediately delete/destroy the message and any
accompanying documents.  Thank you.

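What Mike describes, a pre-staged computer account that a real server could only join once dNSHostName was populated, is the same shape a domain join gives an account it creates itself: a sAMAccountName with the trailing dollar sign, a dNSHostName, and HOST service principal names. The PowerShell below is an added example, not Mike's ASP.NET code: it checks a proposed name against a naming standard, checks that the name is unused in every forest it is told about, and then creates the object with those attributes set up front. It assumes the RSAT ActiveDirectory module and rights to create objects in the target OU; the regex, the $Forests list and the two function names are values chosen for this example.

```powershell
# Added example, not code from Mike's page. Pre-stages a computer object with
# the attributes a domain join would populate (sAMAccountName with '$',
# dNSHostName, HOST SPNs) after a naming-standard and uniqueness check.
# Assumes the RSAT ActiveDirectory module; the pattern, $Forests and the
# function names are chosen for this example.
Import-Module ActiveDirectory

function Test-ComputerNameStandard {
    param(
        [Parameter(Mandatory)][string] $Name,
        [string] $Pattern = '^(PRD|DEV|INT|SBX)-[A-Z]{2,5}\d{2,3}$'   # hypothetical standard
    )
    # NetBIOS names are limited to 15 characters; the pattern is matched case-sensitively
    # so the stored name is exactly what the standard prescribes.
    return ($Name.Length -le 15 -and $Name -cmatch $Pattern)
}

function New-StandardComputerObject {
    param(
        [Parameter(Mandatory)][string] $Name,
        [Parameter(Mandatory)][string] $Path,        # DN of the target OU
        [Parameter(Mandatory)][string] $DnsDomain,   # DNS suffix of the target domain
        [string[]] $Forests = @()                    # one DC or domain name per other forest to check
    )

    if (-not (Test-ComputerNameStandard -Name $Name)) {
        throw "'$Name' does not meet the naming standard"
    }

    # Uniqueness: the local domain first ($null = no -Server), then every forest named.
    foreach ($server in (@($null) + $Forests)) {
        $lookup = @{ Filter = "Name -eq '$Name'" }
        if ($server) { $lookup.Server = $server; $where = $server } else { $where = 'the local domain' }
        if (Get-ADComputer @lookup) { throw "'$Name' already exists in $where" }
    }

    $fqdn = ("$Name.$DnsDomain").ToLower()

    New-ADComputer -Name $Name `
                   -SAMAccountName "$Name`$" `
                   -DNSHostName $fqdn `
                   -ServicePrincipalNames @("HOST/$Name", "HOST/$fqdn") `
                   -Path $Path `
                   -Enabled $true `
                   -PassThru
}

# Names below are hypothetical:
# New-StandardComputerObject -Name 'PRD-WEB01' -Path 'OU=Servers,DC=prod,DC=example,DC=com' `
#     -DnsDomain 'prod.example.com' -Forests 'dev.example.com','int.example.com','sbx.example.com'
```

Keeping the name check in its own function lets the web front end validate input before any directory write, and the uniqueness loop fails closed: an unreachable forest raises an error rather than silently skipping the check.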


[ActiveDir] XP Permissioning and Group Policy

2004-09-23 Thread Justin_Leney

Return Receipt

Your document "[ActiveDir] XP Permissioning and Group Policy" was received by Justin Leney/US/DCI at 09/23/2004 10:42:41 AM.






[ActiveDir] out of date root

2004-09-23 Thread Kern, Tom
I have a test root DC pulled from a production network and a test child domain DC pulled from the same network.
Unfortunately the root DC was taken off the network first, and the child a few hours later.
What are the consequences of a child domain with a more up to date copy of AD?
I ask because when the two are connected, changes in the config partition do not replicate. I have moved them into the same site. DNS is functioning and each DC has a secondary copy of the other's zone.
However, they do not replicate at all. When I force a replication via the Sites and Services app, I get "the naming context is in the process of being removed or there is no replication from the server" on the root DC.
On the child DC, the root DC does not even come up in AD Sites and Services.
What can I do? Can I run ntdsutil and do an authoritative restore on the root?
This is for DR testing. We thought we'd take a copy of the root and a child DC with us to restore a child domain.
I'm running Win2k. The child is mixed and the root is native.
Thanks



[ActiveDir] [OT] Exchange Best Practices Analyzer Tool

2004-09-23 Thread joe
This is an FYI if you aren't already aware. MS put out a pretty cool tool
called the Exchange Best Practices Analyzer Tool. 

This thing is actually pretty cool. If you run exchange, get this and run it
against your environment.

http://www.microsoft.com/exchange/downloads/2003/exbpa/default.asp


So Microsoft Active Directory Dev team... Let's see something similar for
AD.

  joe



Re: [ActiveDir] [OT] Exchange Best Practices Analyzer Tool

2004-09-23 Thread ASB
Thanks!!!

-ASB


On Thu, 23 Sep 2004 12:12:32 -0400, joe [EMAIL PROTECTED] wrote:
 This is an FYI if you aren't already aware. MS put out a pretty cool tool
 called the Exchange Best Practices Analyzer Tool.
 
 This thing is actually pretty cool. If you run exchange, get this and run it
 against your environment.
 
 http://www.microsoft.com/exchange/downloads/2003/exbpa/default.asp
 
 So Microsoft Active Directory Dev team... Let's see something similar for
 AD.
 
  joe



[ActiveDir] Sean Camilleri is out of the office.

2004-09-23 Thread scamille
I will be out of the office starting  23/09/2004 and will not return until
05/10/2004.

I will respond to your message when I return.



RE: [ActiveDir] OT:Exhange size limit require restart?

2004-09-23 Thread Douglas M. Long








Michael and Diane,

THANKS, I was getting a little worried about something not working. Like you said, between 1.5-2 hours it was updated.













From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Thursday, September 23, 2004 10:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:Exhange size limit require restart?






RE: [ActiveDir] DNS Issue

2004-09-23 Thread Aaron Visser



Deji it worked AWESOME. Thanks a ton man. Where are you located? Couple more questions or concerns:
1) I am in the process of rebuilding the downed server and I plan to make it the secondary DC. Am I able to give it the same computer name or will this cause some problems?
2) When setting up a new DNS zone on the new DC I tried to do the top option (this server will supply DNS for your forest) but got a 'Server Failure Error'. So I restarted the New Zone wizard and selected the Bottom option (this server will supply DNS for your Domain Controllers) and it is working. :) Is this ok?

Thanks,
Aaron


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Wednesday, September 22, 2004 11:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Issue
  


[ActiveDir] DC update

2004-09-23 Thread Kern, Tom
How can I force one DC to have the most up to date config partition in the forest?
Can I just boot into DSRM and do an authoritative restore?
Obviously, I'm not restoring AD from tape, I just want my root DC to be the most up to date.
It's a test DC and I took it off the network before I took off my child domain test DC, and now I think the child feels it has the most up to date copy of AD and it's causing replication issues.
The child can't see the root in AD Sites and Services.
DNS is correct and all DNS servers have secondary copies of all the other domains.
Any help would be great.
Thanks


RE: [ActiveDir] Removing A W2K Domain Where The Host Server No Longer Exists

2004-09-23 Thread Tyson Leslie



Check this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;216498

There is another one that I can't find at the moment, if I do I'll send it along too.

 Tyson.


From: McLaughlin, Seamus [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 23, 2004 10:27 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Removing A W2K Domain Where The Host Server No Longer Exists

I am in the process of promoting 2 W2K3 servers as domain controllers in an existing W2K Native Mode domain.
The dcpromo for both of these boxes has been successful.
One of these boxes has been set up to have the Global Catalog but this fails; I get the following Event IDs in the Directory Services event log: 1559, 1578, 1809, 1110.
The event ID 1559 refers to a domain called PUBLIC.COM.
Apparently this domain was created in error by a bored support guy, who then in his wisdom trashed the server without demoting it.
All I want to do is delete this domain so the GC will load correctly but I do not get the option to delete this domain in AD Domains and Trusts.
I would appreciate any suggestions.
Cheers
Séamus

  
  
This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.


RE: [ActiveDir] DNS Issue

2004-09-23 Thread deji
Awesome. Glad you got it working :)
 
I am in San Jose, in sunny California.
 
1. Yes
2. Yes
 
Make sure you manually check and remove any lingering reference to the old
computer in ADUC (Domain Controllers OU), AD Site and Services and WINS.
After that, you should be good to go.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Aaron Visser
Sent: Thu 9/23/2004 10:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Issue



Re: [ActiveDir] DNS Issue

2004-09-23 Thread Aaron Visser
Deji, could you give me a shout at [EMAIL PROTECTED]

Thanks


On 9/23/04 12:36 PM, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 Awesome. Glad you got it working :)
 
 I am in San Jose, in sunny California.
 
 1. Yes
 2. Yes
 
 Make sure you manually check and remove any lingering reference to the old
 computer in ADUC (Domain Controllers OU), AD Sites and Services and WINS.
 After that, you should be good to go.
 
 
 Sincerely,
 
 Dèjì Akómöláfé, MCSE MCSA MCP+I
 Microsoft MVP - Directory Services
 www.readymaids.com - we know IT
 www.akomolafe.com
 Do you now realize that Today is the Tomorrow you were worried about
 Yesterday?  -anon
 
 
 
 From: [EMAIL PROTECTED] on behalf of Aaron Visser
 Sent: Thu 9/23/2004 10:34 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DNS Issue
 
 
 Deji, it worked AWESOME. Thanks a ton, man. Where are you located? A couple more
 questions or concerns:
 1) I am in the process of rebuilding the downed server and I plan to make it
 the secondary DC. Am I able to give it the same computer name, or will this
 cause some problems?
 2) When setting up a new DNS zone on the new DC I tried to do the top option
 (this server will supply DNS for your forest) but got a 'Server
 Failure' error, so I restarted the New Zone wizard and selected the bottom
 option (this server will supply DNS for your Domain Controllers)
 and it is working. :) Is this ok?
 
 Thanks,
 Aaron
 
 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
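The checklist Deji gives in the thread above (the surviving DC pointing to itself for DNS, the zone created without the dead server, stale references removed, the DHCP scope updated) and Aaron's follow-up about which New Zone wizard option he ended up with can all be verified from PowerShell on the surviving DC. The script below is an added example, not code from any of the posters; it assumes the DnsClient, DnsServer and DhcpServer modules that ship with Windows Server 2012 and later (so a current DC or RSAT box, not the 2003 servers in the thread), and corp.example.com, DC01 and scope 10.0.0.0 are placeholders.

```powershell
# Added example (not from the thread): post-seizure DNS checks on the surviving DC.
# Assumes the DnsClient, DnsServer and DhcpServer modules of Windows Server 2012+;
# corp.example.com, DC01 (the dead DC) and scope 10.0.0.0 are placeholders.
$Domain  = 'corp.example.com'
$DeadDc  = 'DC01'
$ScopeId = '10.0.0.0'
$ThisDc  = $env:COMPUTERNAME

# 1. The DC must resolve against itself (Deji's first point): loopback or one of
#    its own addresses in the DNS client list both count.
$myAddrs    = (Get-NetIPAddress -AddressFamily IPv4 |
               Where-Object { $_.IPAddress -notlike '169.254.*' -and $_.IPAddress -ne '127.0.0.1' }).IPAddress
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses }).ServerAddresses
$pointsToSelf = [bool]($dnsServers | Where-Object { $_ -eq '127.0.0.1' -or $myAddrs -contains $_ })
"DNS client list: $($dnsServers -join ', ') -> points to self: $pointsToSelf"

# 2. The zone created by the New Zone wizard should be AD-integrated. ReplicationScope
#    shows which wizard option was taken: 'Domain' = "DNS servers on domain controllers
#    in this domain" (DomainDnsZones partition), 'Forest' = all DNS DCs in the forest.
$zone = Get-DnsServerZone -Name $Domain -ErrorAction Stop
"Zone $($zone.ZoneName): type=$($zone.ZoneType) dsIntegrated=$($zone.IsDsIntegrated) scope=$($zone.ReplicationScope)"

# 3. Clients locate DCs through these SRV records; Netlogon writes them, so if one is
#    missing run 'nltest /dsregdns' (or restart Netlogon) and query again.
$srvNames = @(
  "_ldap._tcp.dc._msdcs.$Domain",
  "_kerberos._tcp.dc._msdcs.$Domain",
  "_ldap._tcp.pdc._msdcs.$Domain",   # must name the DC that seized the PDC emulator role
  "_gc._tcp.$Domain"
)
foreach ($name in $srvNames) {
  $rr = Resolve-DnsName -Name $name -Type SRV -Server $ThisDc -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV'
  if ($rr) { "$name -> $($rr.NameTarget -join ', ')" } else { "$name -> MISSING" }
}

# 4. SRV records still naming the dead DC are the 'traces' that must go; from the
#    server's point of view they are static, so scavenging will not touch them.
#    In a 2003-built forest _msdcs is its own zone; in a domain upgraded from 2000 it
#    is a subdomain of the domain zone, hence the fallback.
$msdcsZone = if (Get-DnsServerZone -Name "_msdcs.$Domain" -ErrorAction SilentlyContinue) { "_msdcs.$Domain" } else { $Domain }
$stale = Get-DnsServerResourceRecord -ZoneName $msdcsZone -RRType Srv |
         Where-Object { $_.RecordData.DomainName -like "$DeadDc.*" }
$stale | Select-Object HostName, @{n='Target'; e={ $_.RecordData.DomainName }}
# Review the list, then: $stale | Remove-DnsServerResourceRecord -ZoneName $msdcsZone -Force

# 5. DHCP option 006 must hand out the surviving DC rather than the dead one.
$opt6 = Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 6 -ErrorAction SilentlyContinue
"Scope $ScopeId option 006 (DNS servers): $($opt6.Value -join ', ')"
# Fix with: Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $myAddrs[0]
```

Run it in an elevated session on the DC. Step 2 also explains Aaron's second question: the bottom wizard option stores the zone in the DomainDnsZones partition, which only needs the DCs of this domain, so it works even though the forest-wide option failed; that is a legitimate scope for a single-domain forest.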


RE: [ActiveDir] Removing A W2K Domain Where The Host Server No Longer Exists

2004-09-23 Thread Bernard, Aric
Title: Removing A W2K Domain Where The Host Server No Longer Exists

Use NTDSUTIL to clean up the metadata associated with the bogus domain.

Regards,

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McLaughlin, Seamus
Sent: Thursday, September 23, 2004 9:27 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Removing A W2K Domain Where The Host Server No Longer Exists

I am in the process of promoting 2 W2K3 servers as domain controllers
in an existing W2K Native Mode domain.

The dcpromo for both of these boxes has been successful.

One of these boxes has been set up to have the Global Catalog, but this
fails; I get the following Event IDs in the Directory Services event
log:

1559, 1578, 1809, 1110.

The event ID 1559 refers to a domain called PUBLIC.COM.

Apparently this domain was created in error by a bored support guy, who
then in his wisdom trashed the server without demoting it.

All I want to do is delete this domain so the GC will load correctly, but
I do not get the option to delete this domain in AD Domains and Trusts.

I would appreciate any suggestions.

Cheers

Séamus

This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient,  you are not authorized to read, print, retain, copy, disseminate,  distribute, or use this message or any part thereof. If you receive this  message in error, please notify the sender immediately and delete all  copies of this message.
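Deji's "make sure you've properly removed traces of the dead server from AD" in the DNS Issue thread and Aric's "use NTDSUTIL to clean up the metadata" here are the same procedure: metadata cleanup. The script below is an added example, not code from either poster, showing that procedure driven from PowerShell: case (a) removes a dead DC that will be rebuilt, case (b) removes an orphaned domain such as Seamus's PUBLIC.COM, and the final check looks for objects ntdsutil may have left behind. DC02, DC01, Default-First-Site-Name and DC=public,DC=com are placeholders; the script assumes the ActiveDirectory module on the machine it runs from and a target DC running Windows Server 2003 SP1 or later, where "remove selected server" accepts the server DN in one command.

```powershell
# Added example (not from the thread): metadata cleanup with ntdsutil, run from PowerShell.
# (a) a DC that died and will be rebuilt; (b) a domain whose only DC was destroyed
# without dcpromo. ntdsutil accepts its menu commands as command-line arguments, one
# per string. DC02, DC01, Default-First-Site-Name and DC=public,DC=com are placeholders.
Import-Module ActiveDirectory
$Target     = 'DC02'                     # live DC; for domain removal use the Domain Naming Master
$DeadDc     = 'DC01'
$DeadSite   = 'Default-First-Site-Name'
$DeadDomain = 'DC=public,DC=com'
$ConfigDn   = (Get-ADRootDSE -Server $Target).configurationNamingContext

function Invoke-NtdsUtil {
  # One ntdsutil session; each element of $Commands is one line of menu input.
  # ntdsutil shows a confirmation dialog for every removal, so run this interactively.
  param([string[]]$Commands)
  $out = & ntdsutil.exe @Commands 2>&1
  if ($LASTEXITCODE -ne 0) { Write-Warning "ntdsutil exit code $LASTEXITCODE" }
  return $out
}

# --- (a) dead DC: 'remove selected server <DN>' (2003 SP1 and later) also drops the
#         NTDS Settings object, its connection objects and the FRS member object.
$serverDn = "CN=$DeadDc,CN=Servers,CN=$DeadSite,CN=Sites,$ConfigDn"
Invoke-NtdsUtil @(
  'metadata cleanup',
  'connections', "connect to server $Target", 'quit',
  "remove selected server $serverDn",
  'quit', 'quit'
)

# --- (b) orphaned domain: list the domains, find the index of the DN we want,
#         then 'remove selected domain'. Connect to the Domain Naming Master for this.
$listing = Invoke-NtdsUtil @(
  'metadata cleanup',
  'connections', "connect to server $Target", 'quit',
  'select operation target', 'list domains',
  'quit', 'quit', 'quit'
)
# ntdsutil prints the domains as lines like "1 - DC=public,DC=com"
$index = ($listing | ForEach-Object {
  if ($_ -match '^\s*(\d+)\s+-\s+(.+?)\s*$' -and $Matches[2] -eq $DeadDomain) { $Matches[1] }
}) | Select-Object -First 1
if ($null -eq $index) { throw "Domain $DeadDomain not found in the ntdsutil listing" }
Invoke-NtdsUtil @(
  'metadata cleanup',
  'connections', "connect to server $Target", 'quit',
  'select operation target', "select domain $index", 'quit',
  'remove selected domain',
  'quit', 'quit'
)

# --- verify: the server object and the domain's crossRef should both be gone.
$leftovers = @(
  Get-ADObject -Server $Target -SearchBase "CN=Sites,$ConfigDn" `
    -LDAPFilter "(&(objectClass=server)(cn=$DeadDc))" -ErrorAction SilentlyContinue
  Get-ADObject -Server $Target -SearchBase "CN=Partitions,$ConfigDn" `
    -LDAPFilter "(&(objectClass=crossRef)(nCName=$DeadDomain))" -ErrorAction SilentlyContinue
)
if ($leftovers) {
  'Still present (delete with Remove-ADObject or ADSI Edit after review):'
  $leftovers | Select-Object DistinguishedName
} else {
  'Metadata cleanup complete. Remaining manual checks: ADUC Domain Controllers OU, DNS SRV records, WINS.'
}
```

The crossRef check matters for Seamus's case: it is the object under CN=Partitions that makes the GC try to host PUBLIC.COM, so if ntdsutil leaves it behind the 1559/1578 events continue. After removing a domain, also look for a trustedDomain object for it under CN=System and remove that after review. On Windows Server 2008 and later, deleting the dead DC's computer object in ADUC performs the server-side cleanup automatically, but ntdsutil is the tool available on the 2003 servers discussed in these threads.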



[ActiveDir]DHCP Client service failing

2004-09-23 Thread Cothern Jeff D. Team EITC








ON a 2k3 server the DHCP client is failing with access denied. This started after
importing a policy into a GPO that is assigned to this server. I cannot figure out
what policy setting is causing this. Any ideas?

Jeff











RE: [ActiveDir] Account Lockout resets in large companies

2004-09-23 Thread Grillenmeier, Guido
security department requires that we set accounts to lockout after 5
bad attempts - which is VERY low in a distributed environment,
specifically if you consider how authentication and the protocol
fallback works.

You should be able to argue that your security department wants you to
lock the accounts after 5 real bad attempts: a single false logon
attempt from a Win2k/XP client can get the false-logon count to be
increased by more than one count (e.g. by first trying to authenticate
via Kerberos, then falling back to NTLM and trying again). It is not
uncommon to reach the limit of 5 bad logon attempts after trying to
logon TWICE.

While it is generally arguable how to handle the unlock (automatic vs.
manual), you do want to give your users at least the chance to try 5
times to get their password right (i.e. at least twice or three times by
memory, before they look at the piece of paper under their keyboard...).
Thus you should discuss with your security department the need to
increase the number of bad logon attempts to 10-15 to meet their
requirements (only for AD - you can keep it at 5 for other systems).

This has significantly limited user-related PW lockouts for our own
company and for many of our customers. I'm not sure about our own
numbers, but for one of my customers it decreased the incidents by 80%
(!!!). Naturally, this also reduced the pain related to unlocking the
accounts on a DC remote to the user's site (which we usually handle by
allowing the helpdesk to choose the closest DC when performing the
unlock).

/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Snyder, Robert
W.
Sent: Wednesday, September 22, 2004 7:11 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Account Lockout resets in large companies

I don't disagree with the policy suggestions but unfortunately our
corporate information security department requires that we set accounts
to lockout after 5 bad attempts and accounts to remain locked out until
manually reset, so we don't have much choice there. 

We are using Tivoli Identity Manager (I think that's the name.) and
there are plans to put in a web based password reset self-service
facility, but the problem is it only communicates with a local domain
controller in the corporate data center. It doesn't have the smarts to
make a change on a remote DC for a remote user. 

I did do some testing on password changes and account lockouts with the
help of a remote user here. Based on my testing it appeared password
changes were immediate as it replicated immediately to the PDC emulator
and it looks like if the client failed when checking the local DC it
then checked the password against the PDC emulator. Account lockouts on
the other hand seemed to depend on replication. Both directions
actually. When he locked his account out remotely, I didn't see it as
locked out until the change had replicated back to the corporate office,
and likewise when I then unlocked it, he couldn't logon until the change
had replicated to his DC. We are using Windows 2003 for all our DCs.
Are you saying that lockouts don't necessarily always follow the
replication schedule?

Bob Snyder
Sr. Technical Programmer/Analyst
Global Software Support
[EMAIL PROTECTED]



-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 22, 2004 11:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Account Lockout resets in large companies


First off, you should look at using intelligent lockout policies that
slow down bad guys and mostly leave normal users alone.  

Policies such as lockout forever or lockout within 5 bad aren't very
intelligent because you are pretty much guaranteed to hit normal people
on a regular basis and you have to beef up support to compensate. Though
consider a self-unlock self-password reset kiosk functionality like MTEC
has in PSYNCH. Combine that with a custom GINA that lets you go to the
web page to do the reset or unlock. It then asks you some profile
questions or asks for a securid and then it unlocks/resets. 

Consider a 15 or 30 minute lockout with like 15/20 bad passwords. Most
normal users will not get caught with that kind of number and if they
do, the lockout time is such that they can get a cup of coffee and be
off and running again. Though it will substantially slow down someone
trying to hack. You do want to make sure though that you have a decent
password policy in terms of how often they expire (say 63 or 91 days)
and have a decent length and maybe even complexity enabled. 

You will also do well to have achieved single signon. 

Of course if you have security requirements, you may not have a choice
but to lockout forever or whatever. At that point, your users are going
to have to understand there is pain associated with entering bad passwords
and you should be investigating in detail every occurrence of that
happening anyway.

One point of note, even if you have the machine name, you aren't
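
Bob's observation that lockouts "depend on replication" and Guido's workaround of letting the helpdesk unlock on the DC closest to the user can be turned into a small script: read the per-DC bad-password state (badPwdCount is not replicated, so every DC has to be asked), find the DC the failures are actually landing on, and unlock there and on the PDC emulator instead of waiting for the change to replicate out to the remote site. This is an added example, not from any poster in the thread; it assumes the ActiveDirectory PowerShell module (a management box running Windows 7/2008 R2 or later, not the 2003 DCs discussed), and 'jdoe' is a placeholder account.

```powershell
# Added example (not from the thread): locate and unlock a locked-out account on the
# DC the user is actually hitting. badPwdCount is not replicated, so it is read from
# every DC; lockoutTime is replicated (urgently, to the PDC emulator first).
# 'jdoe' is a placeholder user; requires the ActiveDirectory module.
Import-Module ActiveDirectory
$User = 'jdoe'

# The domain policy under discussion: threshold 5, duration 0 = stays locked until reset.
$policy = Get-ADDefaultDomainPasswordPolicy
'Threshold={0}  Duration={1}  ObservationWindow={2}' -f `
  $policy.LockoutThreshold, $policy.LockoutDuration, $policy.LockoutObservationWindow

$pdc = (Get-ADDomain).PDCEmulator
$perDc = foreach ($dc in Get-ADDomainController -Filter *) {
  try {
    $u = Get-ADUser -Identity $User -Server $dc.HostName `
         -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut -ErrorAction Stop
    [pscustomobject]@{
      DC          = $dc.HostName
      Site        = $dc.Site
      IsPdc       = ($dc.HostName -eq $pdc)
      BadPwdCount = $u.badPwdCount
      LastBadPwd  = $(if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) })
      LockedOut   = $u.LockedOut
    }
  } catch {
    Write-Warning "$($dc.HostName): $_"   # unreachable DC: still worth knowing for a remote site
  }
}
$perDc | Sort-Object LastBadPwd -Descending | Format-Table -AutoSize

# The DC with the most recent badPasswordTime is the one the user (or a brute-forcer)
# is authenticating against; that is the "closest DC" Guido's helpdesk picks.
$hot = $perDc | Where-Object LastBadPwd | Sort-Object LastBadPwd -Descending | Select-Object -First 1
if (-not $hot) { "No bad-password activity recorded for $User on any reachable DC"; return }

foreach ($server in @($hot.DC, $pdc) | Select-Object -Unique) {
  Unlock-ADAccount -Identity $User -Server $server -Confirm:$false
  "Unlocked $User on $server"
}
```

Because the PDC emulator is always told about lockouts first, unlocking only there is not enough for a user in a remote site: the site DC keeps its own lockoutTime until replication delivers the unlock, which is exactly the delay Bob saw. Unlocking on both DCs removes the wait. The per-DC table is also the first thing to look at when the count climbs on a DC the user has no business talking to.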

RE: [ActiveDir] DC update

2004-09-23 Thread Grillenmeier, Guido
did you change the IP addresses of both DCs for your lab? If so, you may
want to point both DCs to the root DC for DNS so that the records are
updated appropriately in a way that both can resolve each other.  Did
you also update the replication connections appropriately in Sites &
Services?  You'll have to do this on both DCs, so that they can
replicate from each other.

It's not a problem for a child DC to have a newer config NC than the
root - it would simply replicate it to the root DC. Issues of this kind
should only happen if you've changed the schema in-between, which I
doubt you have done.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, September 23, 2004 7:50 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] DC update

how can I force one DC to have the most up to date config partition in
the forest?
can I just boot into DSRM and do an authoritative restore?
obviously, I'm not restoring AD from tape, I just want my root DC to be
the most up to date. it's a test DC and I took it off the network before
I took off my child domain test DC and now, I think the child feels it
has the most up to date copy of AD and it's causing rep issues.
the child can't see root in AD Sites and Services.
DNS is correct and all DNS servers have secondary copies of all the
other domains.
any help would be great.
thanks


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
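To see whether the child really "has the most up to date copy" of the configuration partition, and whether the connection objects Guido mentions exist in both directions, the up-to-dateness vectors and replication metadata can be read from both DCs. This is an added example, not from the thread; it assumes the ActiveDirectory module's replication cmdlets (Windows Server 2012 and later, or RSAT of the same vintage) and uses placeholder DC names. On the 2003 test DCs themselves, repadmin /showutdvec and repadmin /showrepl give the same data.

```powershell
# Added example (not from the thread): compare the Configuration NC between the root
# and child lab DCs. ROOTDC / CHILDDC are placeholders; requires the ActiveDirectory
# module replication cmdlets (Windows Server 2012+ / matching RSAT).
Import-Module ActiveDirectory
$RootDc   = 'ROOTDC.corp.example.com'
$ChildDc  = 'CHILDDC.child.corp.example.com'
$ConfigNc = (Get-ADRootDSE -Server $RootDc).configurationNamingContext

# 1. Up-to-dateness vectors: the highest USN each DC has seen from every writer.
#    The side with the higher USN for a given invocation ID simply holds newer changes;
#    as Guido says, that is not an error, the other side just has catching up to do.
foreach ($dc in $RootDc, $ChildDc) {
  "== $dc : $ConfigNc"
  Get-ADReplicationUpToDatenessVectorTable -Target $dc -Partition $ConfigNc |
    Select-Object Partner, PartnerInvocationId, UsnFilter, LastReplicationSuccess |
    Format-Table -AutoSize
}

# 2. Connection objects must exist in BOTH directions (the Sites & Services point).
#    The KCC normally creates them; after a network change it needs a working DNS
#    lookup of the partner to do so, which is why DNS is checked first.
foreach ($dc in $RootDc, $ChildDc) {
  "== inbound connection objects held by $($dc.Split('.')[0])"
  Get-ADReplicationConnection -Server $dc -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, AutoGenerated |
    Format-Table -AutoSize
}

# 3. Per-partner replication status for the Configuration NC. A non-zero
#    LastReplicationResult is the actual error to chase (commonly a DNS or RPC failure).
foreach ($dc in $RootDc, $ChildDc) {
  Get-ADReplicationPartnerMetadata -Target $dc -Partition $ConfigNc -PartnerType Both |
    Select-Object Server, Partner, PartnerType, LastReplicationSuccess,
                  LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize
}

# 4. Once both connection objects exist, pull the partition explicitly (repadmin ships
#    with every DC): repadmin /replicate ROOTDC CHILDDC "CN=Configuration,DC=corp,DC=example,DC=com"
#    An authoritative restore is the wrong tool here: it raises the version number on every
#    restored object so the restored copy wins, and is meant for recovering deleted data,
#    not for making one DC "current".
```

If step 2 shows a connection object on only one side, create the missing one in AD Sites and Services (or with New-ADReplicationConnection) and re-run step 3; the child will then replicate its newer configuration changes to the root, which is the outcome Guido describes.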


RE: [ActiveDir]DHCP Client service failing

2004-09-23 Thread Grillenmeier, Guido



"If you receive this message in error, please notify the sender immediately and delete
all copies of this message." - Do people really do this? ;-))

can you be more specific in your error description?
The DHCP client is failing to do what? To start, to register DNS records, to get
a lease (hope not on a server)?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Friday, September 24, 2004 3:03 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir]DHCP Client service failing


ON a 2k3 server the DHCP client is failing with access denied. This started after
importing a policy into a GPO that is assigned to this server. I cannot
figure out what policy setting is causing this. Any ideas?

Jeff

