RE: [ActiveDir] Exchange and AD
Brenda,

Try using the Exchange Deployment Tools (on the E2K3 CD) to perform some checks to see what the tools say about your configuration.

Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Tuesday 19 April 2005 0:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and AD

I have checked all of the ACLs on the MS Exchange container earlier in the day and had to add the Exchange computer. All is correct now, but we are still getting the same error message. This is the first Exchange 200X server in the org so I have nothing to compare it to.

Thanks,
Brenda

Brenda Casey, Network Manager
Lincoln Center

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, April 18, 2005 2:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and AD

Is this your first Exchange 200x server in the org? If not, do others have the same problem? Did you actually check the ACLs on the MS Exchange container in the configuration NC (e.g. via ADSI Edit)? I've had an occurrence where these were corrupt.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Monday, 18 April 2005 20:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and AD

The Exchange server is listed in the Computers OU. We have not moved the Exchange groups out of the default users container. The entire error in the app log is:

Microsoft Exchange System Attendant does not have sufficient rights to read Exchange configuration objects in Active Directory. Wait for replication to complete and then check to make sure the computer account is a member of the "Exchange Domain Servers" security group.
For more information, click http://www.microsoft.com/contentredirect.asp.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Thanks,
Brenda

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Monday, April 18, 2005 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and AD

What OU is the server in? Have you moved any of the Exchange groups from their default location? What is the complete event? The most common cause of this is moving the Exchange Domain Servers or Exchange Enterprise Servers groups out of the default users container.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Monday, April 18, 2005 2:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange and AD

During the install of Exchange, the Microsoft Exchange System Attendant is unable to start. After bypassing the start of this service during the install and then rebooting the server, the following error is generated in the Application Log file.

Microsoft Exchange System Attendant does not have sufficient rights to read Exchange configuration objects in Active Directory. Wait for replication to complete and then check to make sure the computer account is a member of the "Exchange Domain Servers" security group.
For more information, click http://www.microsoft.com/contentredirect.asp.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

We have read several KB articles, but have been unable to find a solution. Any help would be appreciated! (The Exchange Server computer account is not disabled, and does exist in AD.)

Thanks,
Brenda
RE: [ActiveDir] AdminSDHolder and Default button
(1) I expect the default permissions to REPLACE all existing permissions, because otherwise the DEFAULT button would be meaningless.
(2) The DEFAULT button reads the security descriptor in the schema for that particular object and places that onto the object, and it enables the allow inherit from parent flag. Have checked Microsoft Scriptcenter.

For a script to reset the ADMINCOUNT = 1 to ADMINCOUNT = 0 see MS-KBQ817433: Delegated permissions are not available and inheritance is automatically disabled

Cheers,
Jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday 19 April 2005 3:50
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AdminSDHolder and Default button

Hi all,

If a user used to be a member of the Account Operators group (affected by AdminSDHolder permissions) and has left that group, it is found that the permissions are not set back to default. Hence this user will have very restrictive settings on itself, and other members of Account Operators will not have rights over this username (even though it is no longer a member of that group).

In Win2003 there's a button Default - user properties - security - advanced - DEFAULT. Description is set to replace all permission entries with the default setting. I've enabled this on a couple of accounts and it seems to work as expected.

Question:
1) Does default remove any explicitly defined ACL on the user accounts? (I sure hope not.)
2) How do I script this default function? Is this an attribute or something within the object itself? I have quite a few users that need their permissions to be 'resetted'.

Thanks! Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
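
The cleanup discussed in this thread (clear adminCount, turn inheritance back on, optionally restore the schema default ACL as the DEFAULT button does), sketched as an added PowerShell example that is not part of the original messages and is not the script from the KB article. It assumes the ActiveDirectory module (RSAT) and dsacls.exe are available; the -ResetToSchemaDefault switch and the variable names are this example's own.

```powershell
# Added example, not from the thread. Run with -WhatIf first to list the accounts
# that would be touched without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Example-only switch: also replace the ACL with the class default from the
    # schema (the effect of the DEFAULT button). This discards explicit ACEs.
    [switch]$ResetToSchemaDefault
)

Import-Module ActiveDirectory

# Groups whose members are stamped by AdminSDHolder. Some exist only in the
# forest root domain, so a missing group is skipped rather than treated as an error.
$protectedGroups = 'Account Operators', 'Administrators', 'Backup Operators',
                   'Domain Admins', 'Enterprise Admins', 'Print Operators',
                   'Replicator', 'Schema Admins', 'Server Operators'

# Collect every account that is still protected, directly or through nesting.
$stillProtected = @{}
foreach ($name in $protectedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) { continue }
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $stillProtected[$_.DistinguishedName] = $true }
}

# Users still flagged adminCount=1 that are no longer in any protected group.
# krbtgt is protected in its own right and must be left alone.
$orphaned = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object {
        $_.SamAccountName -ne 'krbtgt' -and
        -not $stillProtected.ContainsKey($_.DistinguishedName)
    }

foreach ($user in $orphaned) {
    $dn = $user.DistinguishedName
    if (-not $PSCmdlet.ShouldProcess($dn, 'Reset adminCount and re-enable ACL inheritance')) {
        continue
    }

    # Reset the flag, as the thread describes (ADMINCOUNT = 1 to ADMINCOUNT = 0).
    Set-ADUser -Identity $dn -Replace @{ adminCount = 0 }

    if ($ResetToSchemaDefault) {
        # dsacls /S restores the default security defined in the schema for the
        # object's class.
        & dsacls.exe $dn /S | Out-Null
    }

    # Clear the "protected" bit so ACEs inherited from the parent OU apply again.
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path "AD:\$dn" -AclObject $acl

    Write-Output "Reset: $dn"
}
```

Without -ResetToSchemaDefault the explicit ACEs copied from AdminSDHolder stay on the object and only inheritance is restored, so review the resulting ACL on a test account before running this broadly.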
[ActiveDir] Installing DNS in Child Domain
Hi,

I have installed a root domain controller test.com. Then I have installed a child domain controller: child.test.com with primary DNS as test.com. So a zone child.test.com automatically added in my test.com DNS. I want to install a separate DNS for child domain, and want to set child as primary DNS and root as secondary DNS. To do that I installed DNS service on my child domain controller. So what is the best way to install the DNS on child domain? Do I do a ZONE transfer by delegation or some other easy process?

Thanks,
manjeet
Re: [ActiveDir] Sign On Message
Here is a hotfix KB on it:

823146 Windows 2000 Clients Do Not Correctly Display Logon Banners That Are
http://support.microsoft.com/?id=823146

----- Original Message -----
From: Salandra, Justin A. [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, April 18, 2005 5:15 PM
Subject: RE: [ActiveDir] Sign On Message

512 characters?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Hines
Sent: Monday, April 18, 2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Sign On Message

512

----- Original Message -----
From: Salandra, Justin A. [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, April 18, 2005 3:29 PM
Subject: [ActiveDir] Sign On Message

On Windows 2000, the sign on message that people can get when they login has a limit of 250 Characters or 250 words?

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
[ActiveDir] Remote access
Is there any way to remotely connect to a WinXP PC when it does not have file and print services started? I need to connect to this PC and start the service.

thanks
Re: [ActiveDir] Remote access
Kern, Tom wrote:
> Is there anyway to remotely connect to a winxp pc when it does not have file and print services started? I need to connect to this pc and start the service.

You can use RDP if this service is enabled.

--
Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl
RE: [ActiveDir] Installing DNS in Child Domain
Windows offers no automated solution for this type of restructuring, the premise being that any organization with a need for a more distributed DNS infrastructure needs 1) the technical staffing sufficient to create it and 2) same said staffing to support it.

Before making any recommendations as to the direction you should take, can I ask on what version/flavour of Windows you're building this lab environment?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh
Sent: Tuesday, April 19, 2005 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Installing DNS in Child Domain

Hi,

I have installed a root domain controller test.com. Then I have installed a child domain controller: child.test.com with primary DNS as test.com. So a zone child.test.com automatically added in my test.com DNS. I want to install a separate DNS for child domain, and want to set child as primary DNS and root as secondary DNS. To do that I installed DNS service on my child domain controller. So what is the best way to install the DNS on child domain? Do I do a ZONE transfer by delegation or some other easy process?

Thanks,
manjeet
RE: [ActiveDir] Remote access
Yes, you can start the services remotely.

1. Login on server or any other XP machine with administrator
2. My computer right click manage
3. Right click computer management in manage windows and point to connect to another computer.
4. Give the destination computer XP machine name on which u want to start the services.
4. Now move to services and u can start/stop or disable any service.

HTH
Manjeet

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, April 19, 2005 7:13 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Remote access

Is there anyway to remotely connect to a winxp pc when it does not have file and print services started? I need to connect to this pc and start the service.

thanks
RE: [ActiveDir] Installing DNS in Child Domain
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, April 19, 2005 7:24 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Installing DNS in Child Domain

Windows offers no automated solution for this type of restructuring, the premise being that any organization with a need for a more distributed DNS infrastructure needs 1) the technical staffing sufficient to create it and 2) same said staffing to support it.

Before making any recommendations as to the direction you should take, can I ask on what version/flavour of Windows you're building this lab environment?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh
Sent: Tuesday, April 19, 2005 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Installing DNS in Child Domain

Hi,

I have installed a root domain controller test.com. Then I have installed a child domain controller: child.test.com with primary DNS as test.com. So a zone child.test.com automatically added in my test.com DNS. I want to install a separate DNS for child domain, and want to set child as primary DNS and root as secondary DNS. To do that I installed DNS service on my child domain controller. So what is the best way to install the DNS on child domain? Do I do a ZONE transfer by delegation or some other easy process?

Thanks,
manjeet
[ActiveDir] Remote quarantine Setup
Hi,

Did anyone deploy the remote quarantine service provided by Windows 2003 resource kit for scanning the remote machines connecting to corporate network?

Pavan.

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 19, 2005 7:24 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Installing DNS in Child Domain

Windows offers no automated solution for this type of restructuring, the premise being that any organization with a need for a more distributed DNS infrastructure needs 1) the technical staffing sufficient to create it and 2) same said staffing to support it.

Before making any recommendations as to the direction you should take, can I ask on what version/flavour of Windows you're building this lab environment?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh
Sent: Tuesday, April 19, 2005 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Installing DNS in Child Domain

Hi,

I have installed a root domain controller test.com. Then I have installed a child domain controller: child.test.com with primary DNS as test.com. So a zone child.test.com automatically added in my test.com DNS. I want to install a separate DNS for child domain, and want to set child as primary DNS and root as secondary DNS. To do that I installed DNS service on my child domain controller. So what is the best way to install the DNS on child domain? Do I do a ZONE transfer by delegation or some other easy process?

Thanks,
manjeet
RE: [ActiveDir] Installing DNS in Child Domain
Hi,

I am using windows 2003 standard edition. This might be the requirement when you have distributed domain model. Say Root and child domain are in separate remote location. So reduce the traffic I need to have separate DNS on my child domain controller.

So do I configure DNS on preinstall Child domain controller?

Manjeet

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, April 19, 2005 7:24 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Installing DNS in Child Domain

Windows offers no automated solution for this type of restructuring, the premise being that any organization with a need for a more distributed DNS infrastructure needs 1) the technical staffing sufficient to create it and 2) same said staffing to support it.

Before making any recommendations as to the direction you should take, can I ask on what version/flavour of Windows you're building this lab environment?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh
Sent: Tuesday, April 19, 2005 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Installing DNS in Child Domain

Hi,

I have installed a root domain controller test.com. Then I have installed a child domain controller: child.test.com with primary DNS as test.com. So a zone child.test.com automatically added in my test.com DNS. I want to install a separate DNS for child domain, and want to set child as primary DNS and root as secondary DNS. To do that I installed DNS service on my child domain controller. So what is the best way to install the DNS on child domain? Do I do a ZONE transfer by delegation or some other easy process?

Thanks,
manjeet
RE: [ActiveDir] Remote access
I think there's something wrong with this box. Every time I try to connect either via Computer Management, UNC to the admin$ share, or even GPMC, I get access denied or I get prompted for a username/password. When I enter a domain admin account, it just keeps prompting me for a password over and over. File and print sharing is running, as is netlogon, and it is a domain member.

thanks

Manjeet Singh wrote:
> Yes, you can start the services remotely.
>
> 1. Login on server or any other XP machine with administrator
> 2. My computer right click manage
> 3. Right click computer management in manage windows and point to connect to another computer.
> 4. Give the destination computer XP machine name on which u want to start the services.
> 4. Now move to services and u can start/stop or disable any service.
>
> HTH
> Manjeet

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, April 19, 2005 7:13 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Remote access

Is there anyway to remotely connect to a winxp pc when it does not have file and print services started? I need to connect to this pc and start the service.

thanks
RE: [ActiveDir] Sign On Message
I got the hotfix from MS. Will this hotfix allow me to have more than 512 characters?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Hines
Sent: Tuesday, April 19, 2005 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Sign On Message

Here is a hotfix KB on it:

823146 Windows 2000 Clients Do Not Correctly Display Logon Banners That Are
http://support.microsoft.com/?id=823146

----- Original Message -----
From: Salandra, Justin A. [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, April 18, 2005 5:15 PM
Subject: RE: [ActiveDir] Sign On Message

512 characters?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Hines
Sent: Monday, April 18, 2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Sign On Message

512

----- Original Message -----
From: Salandra, Justin A. [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, April 18, 2005 3:29 PM
Subject: [ActiveDir] Sign On Message

On Windows 2000, the sign on message that people can get when they login has a limit of 250 Characters or 250 words?

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
[ActiveDir] Remote.exe in Windows 2003
Hi,

Has anyone worked on Remote.exe of the Windows 2003 resource kit? Any inputs please.

Regards,
[ActiveDir] Group Policy
Can someone tell me the effects of changing the following GPO setting at the OU level:

Computer Configuration\windows settings\security settings\password policies\

I thought you could not force password changes at the OU level?

-Christine

Christine N. Allen
Systems Engineer
BMC HealthNet Plan
One Design Center Place
Boston, MA 02210
617-748-6034
617-293-4407
Re: [ActiveDir] Installing DNS in Child Domain
Are you trying to install and configure DNS on a child Domain Controller? If it is Active Directory Integrated, install DNS service on a Windows 2003 machine and perform DCPROMO. It will automatically populate all the zone information to this new Domain Controller.

HTH
Santhosh

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX

On 4/19/05, Manjeet Singh [EMAIL PROTECTED] wrote:
> Hi,
>
> I am using windows 2003 standard edition. This might be the requirement when you have distributed domain model. Say Root and child domain are in separate remote location. So reduce the traffic I need to have separate DNS on my child domain controller.
>
> So do I configure DNS on preinstall Child domain controller?
>
> Manjeet
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
> Sent: Tuesday, April 19, 2005 7:24 PM
> To: Send - AD mailing list
> Subject: RE: [ActiveDir] Installing DNS in Child Domain
>
> Windows offers no automated solution for this type of restructuring, the premise being that any organization with a need for a more distributed DNS infrastructure needs 1) the technical staffing sufficient to create it and 2) same said staffing to support it.
>
> Before making any recommendations as to the direction you should take, can I ask on what version/flavour of Windows you're building this lab environment?
>
> --
> Dean Wells
> MSEtechnology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh
> Sent: Tuesday, April 19, 2005 9:11 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Installing DNS in Child Domain
>
> Hi,
>
> I have installed a root domain controller test.com. Then I have installed a child domain controller: child.test.com with primary DNS as test.com. So a zone child.test.com automatically added in my test.com DNS. I want to install a separate DNS for child domain, and want to set child as primary DNS and root as secondary DNS. To do that I installed DNS service on my child domain controller. So what is the best way to install the DNS on child domain? Do I do a ZONE transfer by delegation or some other easy process?
>
> Thanks,
> manjeet
RE: [ActiveDir] Group Policy
It affects the use of local machine account passwords, i.e. those accounts in the SAM of the domain member.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Tuesday, April 19, 2005 10:41 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Group Policy

Can someone tell me the effects of changing the following GPO setting at the OU level:

Computer Configuration\windows settings\security settings\password policies\

I thought you could not force password changes at the OU level?

-Christine

Christine N. Allen
Systems Engineer
BMC HealthNet Plan
One Design Center Place
Boston, MA 02210
617-748-6034
617-293-4407
Re: [ActiveDir] Group Policy
Even though you can change the policy, it won't affect the actual password policy that you specified on the domain level. Your thought is right.

-Oliver

runIT AG
Zuerichstrasse 98
8600 Duebendorf
Switzerland

On Tue, 19 Apr 2005 10:40:56 -0400 Christine Allen [EMAIL PROTECTED] wrote:
> Can someone tell me the effects of changing the following GPO setting at the OU level:
>
> Computer Configuration\windows settings\security settings\password policies\
>
> I thought you could not force password changes at the OU level?
>
> -Christine
>
> Christine N. Allen
> Systems Engineer
> BMC HealthNet Plan
> One Design Center Place
> Boston, MA 02210
> 617-748-6034
> 617-293-4407

Oliver Ryf
Senior Consultant
runIT AG
Zürichstrasse 98
CH-8600 Duebendorf
phone: +41 (44) 806 80 40
mobile: +41 (79) 500 43 21
fax: +41 (44) 806 80 49
www.runit.ch
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
RE: [ActiveDir] Group Policy
I always thought password policies at the OU will only affect the local accounts on computers.

Dan

-----Original Message-----
From: Christine Allen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 19, 2005 7:41 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Group Policy

Can someone tell me the effects of changing the following GPO setting at the OU level:

Computer Configuration\windows settings\security settings\password policies\

I thought you could not force password changes at the OU level?

-Christine

Christine N. Allen
Systems Engineer
BMC HealthNet Plan
One Design Center Place
Boston, MA 02210
617-748-6034
617-293-4407
RE: [ActiveDir] Installing DNS in Child Domain
Also refer to KB Articles/links on setting up DNS to Support AD: http://support.microsoft.com/?kbid=237675 http://support.microsoft.com/?kbid=260371 http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologie s/activedirectory/plan/bpaddsgn.mspx#EGAA Cheers Paresh -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: 19 April 2005 15:42 To: Send - AD mailing list Subject: RE: [ActiveDir] Installing DNS in Child Domain I'm working on the premise that at present all DCs and members resolve against a single DNS server running on the DC in the forest root that was created during the promotion of the very first DC. You've since promoted a new DC and created a child domain named child.test.com. This DC also resolves against the DNS server running on the DC in the root domain. Is that summary accurate? Have you altered the default configuration created by DCpromo in anyway or did you create the current DNS structure manually? Does the A record for the child DC exist, this is a known bug that would cause anything we do from this point (excluding the use of BIND zone files) to fail - - expand the zone on the root DNS server - locate the entry 'child.test'com' - two A (host) records should exist, one named after the DC itself the other, 'same as parent' Once we have this information, the steps to distribute your DNS namespace become relatively simple. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh Sent: Tuesday, April 19, 2005 10:02 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Installing DNS in Child Domain Hi, I am using windows 2003 standard edition. This might be the requirement when you have distributed domain model. Say Root and child domain are in separate remote location. So reduce the traffic I need to have separate DNS on my child domain controller. 
So do I configure DNS on preinstall Child domain controller ? Manjeet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, April 19, 2005 7:24 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Installing DNS in Child Domain Windows offers no automated solution for this type of restructuring, the premise being that any organization with a need for a more distributed DNS infrastructure needs 1) the technical staffing sufficient to create it and 2) same said staffing to support it. Before making any recommendations as to the direction you should take, can I ask on what version/flavour of Windows you're building this lab environment? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh Sent: Tuesday, April 19, 2005 9:11 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Installing DNS in Child Domain Hi, I have installed a root domain controller test.com. Then I have installed a child domain controller: child.test.com with primary DNS as test.com. So a zone child.test.com automatically added in my test.com DNS. I want to install a separate DNS for child domain, and want to set child as primary DNS and root as secondary DNS. To do that I Installed DNS service on my child domain controller. So what is the best way to install the DNS on child domain? Do I do a ZONE transfer by delegation or some other easy process? 
Thanks, manjeet List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Installing DNS in Child Domain
I think Manjeet is looking for a local DNS server for child.test.com zone. Then he can point all the local computers to the appropriate local DNS servers. Santhosh Sivarajan MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+ Houston, TX On 4/19/05, Dean Wells [EMAIL PROTECTED] wrote: I'm working on the premise that at present all DCs and members resolve against a single DNS server running on the DC in the forest root that was created during the promotion of the very first DC. You've since promoted a new DC and created a child domain named child.test.com. This DC also resolves against the DNS server running on the DC in the root domain. Is that summary accurate? Have you altered the default configuration created by DCpromo in any way or did you create the current DNS structure manually? Does the A record for the child DC exist, this is a known bug that would cause anything we do from this point (excluding the use of BIND zone files) to fail - - expand the zone on the root DNS server - locate the entry 'child.test.com' - two A (host) records should exist, one named after the DC itself the other, 'same as parent' Once we have this information, the steps to distribute your DNS namespace become relatively simple. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh Sent: Tuesday, April 19, 2005 10:02 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Installing DNS in Child Domain Hi, I am using windows 2003 standard edition. This might be the requirement when you have distributed domain model. Say Root and child domain are in separate remote location. So reduce the traffic I need to have separate DNS on my child domain controller. So do I configure DNS on preinstall Child domain controller ? 
Manjeet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, April 19, 2005 7:24 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Installing DNS in Child Domain Windows offers no automated solution for this type of restructuring, the premise being that any organization with a need for a more distributed DNS infrastructure needs 1) the technical staffing sufficient to create it and 2) same said staffing to support it. Before making any recommendations as to the direction you should take, can I ask on what version/flavour of Windows you're building this lab environment? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh Sent: Tuesday, April 19, 2005 9:11 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Installing DNS in Child Domain Hi, I have installed a root domain controller test.com. Then I have installed a child domain controller: child.test.com with primary DNS as test.com. So a zone child.test.com automatically added in my test.com DNS. I want to install a separate DNS for child domain, and want to set child as primary DNS and root as secondary DNS. To do that I Installed DNS service on my child domain controller. So what is the best way to install the DNS on child domain? Do I do a ZONE transfer by delegation or some other easy process? 
Thanks, manjeet
RE: [ActiveDir] Installing DNS in Child Domain
No it won't, Windows DNS simply doesn't work that way. The child DC/DNS server WOULD receive the _msdcs.forest root zone through its enrollment in the forestDNSzones app. NC but would NOT resolve against itself and would not distribute the namespace in the manner that is being requested. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan Sent: Tuesday, April 19, 2005 10:43 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Installing DNS in Child Domain Are you trying to install and configure DNS on a child Domain Controller? If it is Active Directory Integrated, install DNS service on a Windows 2003 machine and perform DCPROMO. It will automatically populate all the zone information to this new Domain Controller. HTH Santhosh Santhosh Sivarajan MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+ Houston, TX On 4/19/05, Manjeet Singh [EMAIL PROTECTED] wrote: Hi, I am using windows 2003 standard edition. This might be the requirement when you have distributed domain model. Say Root and child domain are in separate remote location. So reduce the traffic I need to have separate DNS on my child domain controller. So do I configure DNS on preinstall Child domain controller ? Manjeet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, April 19, 2005 7:24 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Installing DNS in Child Domain Windows offers no automated solution for this type of restructuring, the premise being that any organization with a need for a more distributed DNS infrastructure needs 1) the technical staffing sufficient to create it and 2) same said staffing to support it. Before making any recommendations as to the direction you should take, can I ask on what version/flavour of Windows you're building this lab environment? 
-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh Sent: Tuesday, April 19, 2005 9:11 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Installing DNS in Child Domain Hi, I have installed a root domain controller test.com. Then I have installed a child domain controller: child.test.com with primary DNS as test.com. So a zone child.test.com automatically added in my test.com DNS. I want to install a separate DNS for child domain, and want to set child as primary DNS and root as secondary DNS. To do that I Installed DNS service on my child domain controller. So what is the best way to install the DNS on child domain? Do I do a ZONE transfer by delegation or some other easy process? Thanks, manjeet
Re: [ActiveDir] Group Policy
It will only affect the local password policy of the workstations that are in that OU. It has no effect on the domain password settings. It will only change the local password requirements. There is only one password policy per domain. - Original Message - From: Christine Allen To: 'ActiveDir@mail.activedir.org' Sent: Tuesday, April 19, 2005 10:40 AM Subject: [ActiveDir] Group Policy Can someone tell me the effects of changing the following GPO Setting at the OU level: Computer Configuration\windows settings\security settings\password policies\ I thought you could not force password changes at the OU level? -Christine Christine N. Allen Systems Engineer BMC HealthNet Plan One Design Center Place Boston, MA 02210 617-748-6034 617-293-4407
RE: [ActiveDir] forest /domain prep for win2k to win 2003 upgrade
Thank you, Your reassurance is making this a little easier for me to proceed. As far as the Exchange issue, would I be better off running the preps from the Exchange 2003 CD? I thought I read that running from the E2K3 CD was better? jeff From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Monday, April 18, 2005 4:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] forest /domain prep for win2k to win 2003 upgrade 2003's forestprep requires network connectivity. So you'd at least need to connect your "interims" DC to another separate network. Though I am all for a well planned routine that allows an easy fall-back in case of any issues, your sister company's environment doesn't really sound like anything you couldn't handle with less effort. I've never had a single 2000/2003 ADPrep fail, if the required prep steps are performed correctly - e.g. including the necessary preps to correct the Exchange 2000 schema stuff - check Q314649. For this size environment, I don't expect you'd have much more than 4 DCs (2 for the root and 2 for the unnecessary child) - I'd simply suggest to perform a backup of all of them and then (after adding the Exchange fix and letting it replicate) to perform the ADPREP /forestprep right on your current Schema Master, let this replicate and validate success. Then perform the /domainprep right on your two IFM role holders. The likelihood of anything going wrong is very very low and will certainly not kill your AD (you can even re-run the ADprep /forestprep as many times as you like - e.g. if certain permissions in the config container are not set correctly - it will never do anything "bad" for your forest). In the very unlikely case of something still going wrong, you're in the fortunate position to be able to restore all of your DCs back to the same point in time with rather limited efforts. 
The chances that this would be required are very slim so that you can save yourself a lot of extra work and unintentional risk by going your proposed way. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Kraus Sent: Monday, 18 April 2005 19:24 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] forest /domain prep for win2k to win 2003 upgrade Hi, I am in a situation that I'm trying to make the best of. We have a sister company that we do support for. They need to upgrade from 2000 to 2003. Here's the issue: they have their own budget and they will not credit our dept for overtime to do the forest/domain prep after hours. Moderate size company, they have their own forest, 150 users, 2 sites (default and 1 other), one child domain, and 1 Exchange 2000 server. Once people log in in the mornings they pretty much don't log out till the evening. What I'd like to do is use an old server, install 2000, make it a DC, ghost it, then transfer the FSMOs to that server, disconnect it from the network and run forest prep. If all goes well and nothing blows up, connect it to the network and let it replicate, watch it for a day, then transfer roles off of it and remove it from the forest. What are your esteemed opinions? Jeff Kraus Network Manager NIC Holding Corp. 25 Melville Park Rd Melville NY, 11747 Voice: 631.753.4272 Fax: 631.753.4305 Email: [EMAIL PROTECTED]
RE: [ActiveDir] Group Policy
Thanks all. That's what I thought. -Original Message- From: Gilbert, Daniel L Mr ANOSC/FCBS [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 19, 2005 10:53 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Group Policy I always thought password policies at the OU will only affect the local accounts on computers. Dan -Original Message- From: Christine Allen [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 19, 2005 7:41 AM To: 'ActiveDir@mail.activedir.org' Subject: [ActiveDir] Group Policy Can someone tell me the effects of changing the following GPO Setting at the OU level: Computer Configuration\windows settings\security settings\password policies\ I thought you could not force password changes at the OU level? -Christine Christine N. Allen Systems Engineer BMC HealthNet Plan One Design Center Place Boston, MA 02210 617-748-6034 617-293-4407
RE: [ActiveDir] Installing DNS in Child Domain
That's also my understanding of his objective, that being the case, your original recommendation will not achieve that goal. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan Sent: Tuesday, April 19, 2005 10:54 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Installing DNS in Child Domain I think Manjeet is looking for a local DNS server for child.test.com zone. Then he can point all the local computers to the appropriate local DNS servers. Santhosh Sivarajan MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+ Houston, TX On 4/19/05, Dean Wells [EMAIL PROTECTED] wrote: I'm working on the premise that at present all DCs and members resolve against a single DNS server running on the DC in the forest root that was created during the promotion of the very first DC. You've since promoted a new DC and created a child domain named child.test.com. This DC also resolves against the DNS server running on the DC in the root domain. Is that summary accurate? Have you altered the default configuration created by DCpromo in any way or did you create the current DNS structure manually? Does the A record for the child DC exist, this is a known bug that would cause anything we do from this point (excluding the use of BIND zone files) to fail - - expand the zone on the root DNS server - locate the entry 'child.test.com' - two A (host) records should exist, one named after the DC itself the other, 'same as parent' Once we have this information, the steps to distribute your DNS namespace become relatively simple. 
-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh Sent: Tuesday, April 19, 2005 10:02 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Installing DNS in Child Domain Hi, I am using windows 2003 standard edition. This might be the requirement when you have distributed domain model. Say Root and child domain are in separate remote location. So reduce the traffic I need to have separate DNS on my child domain controller. So do I configure DNS on preinstall Child domain controller ? Manjeet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, April 19, 2005 7:24 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Installing DNS in Child Domain Windows offers no automated solution for this type of restructuring, the premise being that any organization with a need for a more distributed DNS infrastructure needs 1) the technical staffing sufficient to create it and 2) same said staffing to support it. Before making any recommendations as to the direction you should take, can I ask on what version/flavour of Windows you're building this lab environment? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh Sent: Tuesday, April 19, 2005 9:11 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Installing DNS in Child Domain Hi, I have installed a root domain controller test.com. Then I have installed a child domain controller: child.test.com with primary DNS as test.com. So a zone child.test.com automatically added in my test.com DNS. I want to install a separate DNS for child domain, and want to set child as primary DNS and root as secondary DNS. To do that I Installed DNS service on my child domain controller. 
So what is the best way to install the DNS on child domain? Do I do a ZONE transfer by delegation or some other easy process? Thanks, manjeet
RE: [ActiveDir] Installing DNS in Child Domain
i don't understand the problem. a child domain was created and the domain is not delegated but a subdomain of the root domain. Right now the root dns is authoritative for the root and child domain. why can't this person just delegate authority from the root dns/dc to the child dns/dc? just right click the zone and delegate and browse to the dns server you installed in the child domain and windows dns wizard will take care of all the glue records for you... am I completely off base here? Dean Wells wrote: No it won't, Windows DNS simply doesn't work that way. The child DC/DNS server WOULD receive the _msdcs.forest root zone through its enrollment in the forestDNSzones app. NC but would NOT resolve against itself and would not distribute the namespace in the manner that is being requested. On 4/19/05, Manjeet Singh [EMAIL PROTECTED] wrote: Hi, I am using windows 2003 standard edition. This might be the requirement when you have distributed domain model. Say Root and child domain are in separate remote location. So reduce the traffic I need to have separate DNS on my child domain controller. So do I configure DNS on preinstall Child domain controller ? Manjeet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, April 19, 2005 7:24 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Installing DNS in Child Domain Windows offers no automated solution for this type of restructuring, the premise being that any organization with a need for a more distributed DNS infrastructure needs 1) the technical staffing sufficient to create it and 2) same said staffing to support it. Before making any recommendations as to the direction you should take, can I ask on what version/flavour of Windows you're building this lab environment? 
-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh Sent: Tuesday, April 19, 2005 9:11 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Installing DNS in Child Domain Hi, I have installed a root domain controller test.com. Then I have installed a child domain controller: child.test.com with primary DNS as test.com. So a zone child.test.com automatically added in my test.com DNS. I want to install a separate DNS for child domain, and want to set child as primary DNS and root as secondary DNS. To do that I Installed DNS service on my child domain controller. So what is the best way to install the DNS on child domain? Do I do a ZONE transfer by delegation or some other easy process? Thanks, manjeet
RE: [ActiveDir] Installing DNS in Child Domain
Hi, Yes, your summary is absolutely correct. No I did not create any structure manually; all were created automatically during first DC promotion. Now when I see the A host record under child.test.com, there is only one record 'same as parent'. Thanks, Manjeet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, April 19, 2005 8:12 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Installing DNS in Child Domain I'm working on the premise that at present all DCs and members resolve against a single DNS server running on the DC in the forest root that was created during the promotion of the very first DC. You've since promoted a new DC and created a child domain named child.test.com. This DC also resolves against the DNS server running on the DC in the root domain. Is that summary accurate? Have you altered the default configuration created by DCpromo in any way or did you create the current DNS structure manually? Does the A record for the child DC exist, this is a known bug that would cause anything we do from this point (excluding the use of BIND zone files) to fail - - expand the zone on the root DNS server - locate the entry 'child.test.com' - two A (host) records should exist, one named after the DC itself the other, 'same as parent' Once we have this information, the steps to distribute your DNS namespace become relatively simple. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh Sent: Tuesday, April 19, 2005 10:02 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Installing DNS in Child Domain Hi, I am using windows 2003 standard edition. This might be the requirement when you have distributed domain model. Say Root and child domain are in separate remote location. So reduce the traffic I need to have separate DNS on my child domain controller. 
So do I configure DNS on preinstall Child domain controller ? Manjeet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, April 19, 2005 7:24 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Installing DNS in Child Domain Windows offers no automated solution for this type of restructuring, the premise being that any organization with a need for a more distributed DNS infrastructure needs 1) the technical staffing sufficient to create it and 2) same said staffing to support it. Before making any recommendations as to the direction you should take, can I ask on what version/flavour of Windows you're building this lab environment? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh Sent: Tuesday, April 19, 2005 9:11 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Installing DNS in Child Domain Hi, I have installed a root domain controller test.com. Then I have installed a child domain controller: child.test.com with primary DNS as test.com. So a zone child.test.com automatically added in my test.com DNS. I want to install a separate DNS for child domain, and want to set child as primary DNS and root as secondary DNS. To do that I Installed DNS service on my child domain controller. So what is the best way to install the DNS on child domain? Do I do a ZONE transfer by delegation or some other easy process? 
Thanks, manjeet
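The host-record check Dean describes, and the delegation with glue records suggested elsewhere in the thread, can be verified against a BIND-format text export of the root zone. The script below is an added example and is not part of any list member's message; the zone text, the host names rootdc1 and childdc1, and the 192.0.2.x addresses are constructed for illustration.

```python
"""Check a BIND-format export of the parent zone for the child-domain records
discussed in the thread. All zone data below is constructed sample input."""

RR_TYPES = {"A", "AAAA", "NS", "SOA", "CNAME", "SRV", "MX", "PTR", "TXT"}
CLASSES = {"IN", "CH", "HS"}


def fqdn(name, origin):
    """Expand a zone-file name to a lower-case absolute name (no trailing dot)."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1]
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples from a simplified master-file format.

    Handles $ORIGIN, '@', relative names, ';' comments, optional TTL/class and
    lines starting with whitespace (owner inherited from the previous record).
    Multi-line parenthesised records are not supported.
    """
    origin = origin.lower().rstrip(".")
    records, last_owner = [], origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN":
            origin = fqdn(fields[1], origin)
            continue
        if fields[0].startswith("$"):
            continue  # $TTL and other directives carry no records
        if raw[0].isspace():
            owner = last_owner
        else:
            owner = fqdn(fields.pop(0), origin)
        # Skip the optional TTL and class, which may appear in either order.
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)
        if len(fields) < 2 or fields[0].upper() not in RR_TYPES:
            continue
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        if rtype in ("NS", "CNAME"):
            rdata = fqdn(rdata, origin)
        records.append((owner, rtype, rdata))
        last_owner = owner
    return records


def check_child(records, child, dc_host):
    """Report the two host records Dean lists and the state of any delegation."""
    child = child.lower().rstrip(".")
    dc_name = f"{dc_host.lower()}.{child}"
    a_owners = {owner for owner, rtype, _ in records if rtype == "A"}
    ns_targets = sorted(r for o, t, r in records if t == "NS" and o == child)
    # Glue is needed only for name servers that live inside the delegated zone.
    in_zone = [t for t in ns_targets if t == child or t.endswith("." + child)]
    return {
        "same_as_parent_a": child in a_owners,
        "dc_host_a": dc_name in a_owners,
        "delegated": bool(ns_targets),
        "missing_glue": [t for t in in_zone if t not in a_owners],
    }


# Constructed sample: the state reported in the thread (only 'same as parent').
ZONE_REPORTED = """\
$ORIGIN test.com.
@        3600 IN SOA rootdc1.test.com. hostmaster.test.com. 12 900 600 86400 3600
@        IN NS  rootdc1.test.com.
rootdc1  IN A   192.0.2.10
child    IN A   192.0.2.20   ; the 'same as parent' record of child.test.com
"""

# Constructed sample: parent zone after delegating child.test.com with glue.
ZONE_DELEGATED = """\
$ORIGIN test.com.
@        IN NS  rootdc1
         IN A   192.0.2.10   ; owner inherited from the line above
rootdc1  IN A   192.0.2.10
$ORIGIN child.test.com.
@        IN NS  childdc1     ; delegation to the child DC
childdc1 IN A   192.0.2.20   ; glue record for the delegated name server
"""

if __name__ == "__main__":
    for label, zone in (("reported", ZONE_REPORTED), ("delegated", ZONE_DELEGATED)):
        print(label, check_child(parse_zone(zone, "test.com"), "child.test.com", "childdc1"))
```

For the reported state the result shows `dc_host_a` as false, which is the missing record Dean asks about; a non-empty `missing_glue` list after delegation means resolvers following the referral cannot reach the child's name server.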
RE: [ActiveDir] Installing DNS in Child Domain
My child domain is already configured and working fine. The only thing I want to have child its own DNS, instead of resolving from the root DC. I have manually install the DNS service on my child domain controller through add/remove programs. Now I am looking for the best way how to configure the DNS on this child domain. Thx, Manjeet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan Sent: Tuesday, April 19, 2005 8:13 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Installing DNS in Child Domain Are you trying to install and configure DNS on a child Domain Controller? If it is Active Directory Integrated, install DNS service on a Windows 2003 machine and perform DCPROMO. It will automatically populate all the zone information to this new Domain Controller. HTH Santhosh Santhosh Sivarajan MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+ Houston, TX On 4/19/05, Manjeet Singh [EMAIL PROTECTED] wrote: Hi, I am using windows 2003 standard edition. This might be the requirement when you have distributed domain model. Say Root and child domain are in separate remote location. So reduce the traffic I need to have separate DNS on my child domain controller. So do I configure DNS on preinstall Child domain controller ? Manjeet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, April 19, 2005 7:24 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Installing DNS in Child Domain Windows offers no automated solution for this type of restructuring, the premise being that any organization with a need for a more distributed DNS infrastructure needs 1) the technical staffing sufficient to create it and 2) same said staffing to support it. Before making any recommendations as to the direction you should take, can I ask on what version/flavour of Windows you're building this lab environment? 
-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh Sent: Tuesday, April 19, 2005 9:11 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Installing DNS in Child Domain Hi, I have installed a root domain controller test.com. Then I have installed a child domain controller: child.test.com with primary DNS as test.com. So a zone child.test.com automatically added in my test.com DNS. I want to install a separate DNS for child domain, and want to set child as primary DNS and root as secondary DNS. To do that I Installed DNS service on my child domain controller. So what is the best way to install the DNS on child domain? Do I do a ZONE transfer by delegation or some other easy process? Thanks, manjeet
[ActiveDir] OT:Upgrade from 2k to 2k3
Hi, I'm just looking to upgrade our domain controllers from 2k to 2k3. I actually have a 2k with exchange 2k that need to be upgraded to 2k3 and Exchange 2k3. Should I upgrade the exchange system before doing the DCs? Anyone have any docs with pros and cons? What is better or would cause fewer troubles. Thanks!
RE: [ActiveDir] Remote access
Log into your local computer as the Local Administrator. Assuming the remote workstation has a Local Admin account with the same name, it will let you in as Manjeet descrbed. Dave David J. Perdue -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Tuesday, April 19, 2005 07:08 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote access I think there's something wrong with this box. everytime i try to connect either via computer mangement,unc to admin$ share,or even GPMC, i get access denied or i get prompted for a username/password. when i enter a domain admin account, it just keeps prompting me for a password over and over. file and print sharing is running as is netlogon and it is a domain memeber. thanks Manjeet Singh wrote: Yes, you can start the services remotely. 1. Login on server or any other XP machine with administrator 2. My computer right click manage 3. Right click computer management in manage windows and point to connect to another computer. 4. Give the destination computer XP machine name on which u want to start the services. 4. Now move to services and u can start/stop or disable any service. HTH MAnjeet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Tuesday, April 19, 2005 7:13 PM To: ActiveDir (E-mail) Subject: [ActiveDir] Remote access Is there anyway to remotely connect to a winxp pc when it does not have file and print services started? I need to connect to this pc and start the service. 
thanks
[ActiveDir] Installing Exchange in a child domain
Hi,

1. I have installed a new Root domain controller test.com
2. Installed a child domain controller in it child.test.com
3. Installed a member server in child domain ps.child.test.com

Now I want to install Exchange server on my PS member server. The problem is that when I log in on my ps in the child domain I am not able to run the forest prep because the enterprise/schema admin rights are required for that. I tried to make the child administrator a member of Enterprise and schema admin, but I am not able to add the child administrator; it says the user is not found. As both the Enterprise and schema admin groups are global security groups, how do I delegate the child domain administrator the permission so that I can run the forest prep and domain prep by logging in to my PS using the child administrator account? What is the procedure to give the delegation of Schema and Enterprise admin rights to other child domain users so that Exchange can be installed without logging in to the root domain controller?

Thanks, Manjeet
Re: [ActiveDir] Installing DNS in Child Domain
I wasn't talking about a separate name space. Child.test.com is a child zone in test.com zone. In Windows 2003, you can change the scope of _msdcs.test.com to forest wide. Then all the child domains will receive a local copy of _msdcs.test.com.

Santhosh

On 4/19/05, Dean Wells [EMAIL PROTECTED] wrote:
No it won't, Windows DNS simply doesn't work that way. The child DC/DNS server WOULD receive the _msdcs.forest root zone through its enrollment in the forestDNSzones app. NC but would NOT resolve against itself and would not distribute the namespace in the manner that is being requested.
-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Tuesday, April 19, 2005 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Installing DNS in Child Domain

Are you trying to install and configure DNS on a child Domain Controller? If it is Active Directory Integrated, install DNS service on a Windows 2003 machine and perform DCPROMO. It will automatically populate all the zone information to this new Domain Controller. HTH
Santhosh
Santhosh Sivarajan MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+ Houston, TX

On 4/19/05, Manjeet Singh [EMAIL PROTECTED] wrote:
Hi, I am using windows 2003 standard edition. This might be the requirement when you have distributed domain model. Say Root and child domain are in separate remote location. So to reduce the traffic I need to have separate DNS on my child domain controller. So do I configure DNS on preinstall Child domain controller ?
Manjeet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, April 19, 2005 7:24 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Installing DNS in Child Domain Windows offers no automated solution for this type of restructuring, the premise being that any organization with a need for a more distributed DNS infrastructure needs 1) the technical staffing sufficient to create it and 2) same said staffing to support it. Before making any recommendations as to the direction you should take, can I ask on what version/flavour of Windows you're building this lab environment? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh Sent: Tuesday, April 19, 2005 9:11 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Installing DNS in Child Domain Hi, I have installed a root domain controller test.com. Then I have installed a child domain controller: child.test.com with primary DNS as test.com. So a zone child.test.com automatically added in my test.com DNS. I want to install a separate DNS for child domain, and want to set child as primary DNS and root as secondary DNS. To do that I Installed DNS service on my child domain controller. So what is the best way to install the DNS on child domain? Do I do a ZONE transfer by delegation or some other easy process? 
Thanks, manjeet
Re: [ActiveDir] Installing DNS in Child Domain
What do you mean by its own DNS? If you are talking about a separate DNS from your root Domain, Dean is absolutely right. Santhosh Sivarajan MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+ Houston, TX On 4/19/05, Manjeet Singh [EMAIL PROTECTED] wrote: My child domain is already configured and working fine. The only thing I want to have child its own DNS, instead of resolving from the root DC. I have manually install the DNS service on my child domain controller through add/remove programs. Now I am looking for the best way how to configure the DNS on this child domain. Thx, Manjeet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan Sent: Tuesday, April 19, 2005 8:13 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Installing DNS in Child Domain Are you trying to install and configure DNS on a child Domain Controller? If it is Active Directory Integrated, install DNS service on a Windows 2003 machine and perform DCPROMO. It will automatically populate all the zone information to this new Domain Controller. HTH Santhosh Santhosh Sivarajan MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+ Houston, TX On 4/19/05, Manjeet Singh [EMAIL PROTECTED] wrote: Hi, I am using windows 2003 standard edition. This might be the requirement when you have distributed domain model. Say Root and child domain are in separate remote location. So reduce the traffic I need to have separate DNS on my child domain controller. So do I configure DNS on preinstall Child domain controller ? 
Manjeet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, April 19, 2005 7:24 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Installing DNS in Child Domain Windows offers no automated solution for this type of restructuring, the premise being that any organization with a need for a more distributed DNS infrastructure needs 1) the technical staffing sufficient to create it and 2) same said staffing to support it. Before making any recommendations as to the direction you should take, can I ask on what version/flavour of Windows you're building this lab environment? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh Sent: Tuesday, April 19, 2005 9:11 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Installing DNS in Child Domain Hi, I have installed a root domain controller test.com. Then I have installed a child domain controller: child.test.com with primary DNS as test.com. So a zone child.test.com automatically added in my test.com DNS. I want to install a separate DNS for child domain, and want to set child as primary DNS and root as secondary DNS. To do that I Installed DNS service on my child domain controller. So what is the best way to install the DNS on child domain? Do I do a ZONE transfer by delegation or some other easy process? 
Thanks, manjeet
RE: [ActiveDir] Installing DNS in Child Domain
If only one record exists, you have encountered the known-bug I mentioned earlier. To resolve this issue, temporarily configure the forest root DNS zone to allow both secure and insecure update, on the child DC, ensure its preferred resolver still points to the root DC, run a command shell and enter ipconfig /registerdns. Return to the root DC and refresh the zone content, you should now see a second A record named after the child DC itself, if so - reset the zone to secure updates.

Up until now, your 2 DCs have not been replicating, to accelerate the convergence time, copy and paste the following verbatim in a command shell on each DC (requires Support Tools installed) -

1) ipconfig /flushdns
2) net stop netlogon & net start netlogon
3) for /l %a in (1,1,25) do repadmin /kcc & repadmin /syncall & repadmin /syncall /P

NOTE - I DO NOT recommend the use of the 'for in do' loop above in a large enterprise.

Run AD Sites and Services and verify that replication is now succeeding. Do you still want to distribute your DNS namespace per your original post?
-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh
Sent: Tuesday, April 19, 2005 11:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Installing DNS in Child Domain

Hi, Yes, your summary is absolutely correct. No I did not create any structure manually; all were created automatically during first DC promotion. Now when I see the A host record under child.test.com, there is only one record 'same as parent'.
Thanks, Manjeet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, April 19, 2005 8:12 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Installing DNS in Child Domain I'm working on the premise that at present all DCs and members resolve against a single DNS server running on the DC in the forest root that was created during the promotion of the very first DC. You've since promoted a new DC and created a child domain named child.test.com. This DC also resolves against the DNS server running on the DC in the root domain. Is that summary accurate? Have you altered the default configuration created by DCpromo in anyway or did you create the current DNS structure manually? Does the A record for the child DC exist, this is a known bug that would cause anything we do from this point (excluding the use of BIND zone files) to fail - - expand the zone on the root DNS server - locate the entry 'child.test'com' - two A (host) records should exist, one named after the DC itself the other, 'same as parent' Once we have this information, the steps to distribute your DNS namespace become relatively simple. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh Sent: Tuesday, April 19, 2005 10:02 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Installing DNS in Child Domain Hi, I am using windows 2003 standard edition. This might be the requirement when you have distributed domain model. Say Root and child domain are in separate remote location. So reduce the traffic I need to have separate DNS on my child domain controller. So do I configure DNS on preinstall Child domain controller ? 
Manjeet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, April 19, 2005 7:24 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Installing DNS in Child Domain Windows offers no automated solution for this type of restructuring, the premise being that any organization with a need for a more distributed DNS infrastructure needs 1) the technical staffing sufficient to create it and 2) same said staffing to support it. Before making any recommendations as to the direction you should take, can I ask on what version/flavour of Windows you're building this lab environment? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh Sent: Tuesday, April 19, 2005 9:11 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Installing DNS in Child Domain Hi, I have installed a root domain controller test.com. Then I have installed a child domain controller: child.test.com with primary DNS as test.com. So a zone child.test.com automatically added in my test.com DNS. I want to install a separate DNS for child domain, and want to set child as primary DNS and root as secondary DNS. To do that I Installed DNS service on my child domain controller. So what is the best way to install the DNS on child domain? Do I do a ZONE transfer by delegation or some other easy process? Thanks, manjeet
[ActiveDir] resetting default values
Within our domain {native 2003} perhaps a third of our users need to have their security reset to a default value. Right now we open each user in ADUC, open security / Advanced / Check the "Inherit from parent..." and hit the default button. This allows our "helpdesk" folks (who are members of the Account Operators group) access to unlock, reset pwords, etc... Without doing this, these options are greyed out. Unknown what caused it initially but I need to bring it back for many many users. I've created many scripts and I know my way around much of AD/WMI/ADSI, but does anyone know of a way to automate this?

Doug

Confidentiality Notice: The information contained in this message may be legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error please notify the author immediately by replying to this message and deleting the original message. Thank you.
RE: [ActiveDir] Installing DNS in Child Domain
You misunderstand, I didn't mention a separate namespace (nor did you for that matter), I said a distributed namespace. In addition, you don't need to change the _msdcs.forest root's scope to that of the forestDNSzones app. NC, that's its default. As I understand it, the poster's goal is to distribute the DNS infrastructure in order to mimic that of a much larger enterprise deployment. This requires many more steps than have been provided ... a replicating directory is often the gauge used by many to determine if their DNS infrastructure is correctly configured and adequately distributed, in reality, that is by no means sufficient. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan Sent: Tuesday, April 19, 2005 11:38 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Installing DNS in Child Domain I wasn't taking about a separate name space. Child.test.com is a child zone in test.com zone. In Window 2003, you can change the scope of _msdcs.test.com to forest wide. Then all the child domain will receive a local copy of _msdcs.test.com. Santhosh On 4/19/05, Dean Wells [EMAIL PROTECTED] wrote: No it won't, Windows DNS simply doesn't work that way. The child DC/DNS server WOULD receive the _msdcs.forest root zone through its enrollment in the forestDNSzones app. NC but would NOT resolve against itself and would not distribute the namespace in the manner that is being requested. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan Sent: Tuesday, April 19, 2005 10:43 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Installing DNS in Child Domain Are you trying to install and configure DNS on a child Domain Controller? 
If it is Active Directory Integrated, install DNS service on a Windows 2003 machine and perform DCPROMO. It will automatically populate all the zone information to this new Domain Controller. HTH Santhosh Santhosh Sivarajan MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+ Houston, TX On 4/19/05, Manjeet Singh [EMAIL PROTECTED] wrote: Hi, I am using windows 2003 standard edition. This might be the requirement when you have distributed domain model. Say Root and child domain are in separate remote location. So reduce the traffic I need to have separate DNS on my child domain controller. So do I configure DNS on preinstall Child domain controller ? Manjeet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, April 19, 2005 7:24 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Installing DNS in Child Domain Windows offers no automated solution for this type of restructuring, the premise being that any organization with a need for a more distributed DNS infrastructure needs 1) the technical staffing sufficient to create it and 2) same said staffing to support it. Before making any recommendations as to the direction you should take, can I ask on what version/flavour of Windows you're building this lab environment? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh Sent: Tuesday, April 19, 2005 9:11 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Installing DNS in Child Domain Hi, I have installed a root domain controller test.com. Then I have installed a child domain controller: child.test.com with primary DNS as test.com. So a zone child.test.com automatically added in my test.com DNS. I want to install a separate DNS for child domain, and want to set child as primary DNS and root as secondary DNS. To do that I Installed DNS service on my child domain controller. 
So what is the best way to install the DNS on child domain? Do I do a ZONE transfer by delegation or some other easy process? Thanks, manjeet
Re: [ActiveDir] Installing Exchange in a child domain
Just curious.. Why don't you run ForestPrep from the test.com domain?

On 4/19/05, Manjeet Singh [EMAIL PROTECTED] wrote:
Hi, I have Install a new Root domain controller test.com Install a child domain controller in it child.test.com Install a member server in child domain ps.child.test.com Now I want to install Exchange server in my PS member server. The problem is that when I login on my ps in child domain I am not able to run the forest prep because the enterprise/ schema admin rights are required for that. I tried to make the child administrator member of Enterprise and schema admin, but I am not able to add child administrator say the users not found. As both the Enterprise and schema admin group are global security group so how do I delegate the child domain administrator the permission so that I can run the forest prep and domain prep by logging in to my PS using child administrator account? What is the procedure to give the delegation of Schema and Enterprise admin right to other child domain users so that Exchange can be installed without login in to root domain controller? Thanks, Manjeet
RE: [ActiveDir] Installing DNS in Child Domain
That would indeed be a nice capability but I'm afraid it doesn't do that (today at least). For argument's sake I tried your approach, was unable to browse to the child DC (likely due to the fact that the forest is still converging) and received the following error when I tried to delegate the child domain manually once the promotion was complete -

--- DNS ---
A DNS domain or delegation by this name already exists. To change an existing delegation, right-click on the delegation and select Properties. To change a DNS domain into a delegation, delete the domain and then create the delegation.
--- OK ---

I may well be misunderstanding your instructions but, regardless, it is by no means as simple as many would hope. The only automated aspect of AD's DNS deployment is the root domain ... that also requires restructuring in larger scenarios.
-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, April 19, 2005 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Installing DNS in Child Domain

I don't understand the problem. A child domain was created and the domain is not delegated but a subdomain of the root domain. Right now the root dns is authoritative for the root and child domain. Why can't this person just delegate authority from the root dns/dc to the child dns/dc? Just right click the zone and delegate and browse to the dns server you installed in the child domain and windows dns wizard will take care of all the glue records for you... am I completely off base here?

Dean Wells wrote:
No it won't, Windows DNS simply doesn't work that way. The child DC/DNS server WOULD receive the _msdcs.forest root zone through its enrollment in the forestDNSzones app. NC but would NOT resolve against itself and would not distribute the namespace in the manner that is being requested.
On 4/19/05, Manjeet Singh [EMAIL PROTECTED] wrote: Hi, I am using windows 2003 standard edition. This might be the requirement when you have distributed domain model. Say Root and child domain are in separate remote location. So reduce the traffic I need to have separate DNS on my child domain controller. So do I configure DNS on preinstall Child domain controller ? Manjeet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, April 19, 2005 7:24 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Installing DNS in Child Domain Windows offers no automated solution for this type of restructuring, the premise being that any organization with a need for a more distributed DNS infrastructure needs 1) the technical staffing sufficient to create it and 2) same said staffing to support it. Before making any recommendations as to the direction you should take, can I ask on what version/flavour of Windows you're building this lab environment? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh Sent: Tuesday, April 19, 2005 9:11 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Installing DNS in Child Domain Hi, I have installed a root domain controller test.com. Then I have installed a child domain controller: child.test.com with primary DNS as test.com. So a zone child.test.com automatically added in my test.com DNS. I want to install a separate DNS for child domain, and want to set child as primary DNS and root as secondary DNS. To do that I Installed DNS service on my child domain controller. So what is the best way to install the DNS on child domain? Do I do a ZONE transfer by delegation or some other easy process? 
Thanks, manjeet
RE: [ActiveDir] OT:Upgrade from 2k to 2k3
Hi, I just copied the text below from another thread I responded to yesterday.

See MS-KBQ325379 How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003 (http://support.microsoft.com/?id=325379) for all the details you need to know about upgrading w2k to w2k3.

If you are considering upgrading E2K to E2K3 see MS-KBQ822942 Considerations When You Upgrade to Exchange Server 2003 (http://support.microsoft.com/?id=822942)

About disconnecting the schema master when doing the schema upgrade see MS-KQ821076 Windows Server 2003 Help Files Contain Incorrect Information About How to Update a Windows 2000 Domain (http://support.microsoft.com/default.aspx?scid=kb;en-us;821076)

I once read what the issue was when disconnecting the schema master from the network, but I don't remember anymore. Maybe someone else on this list can share info on the particular issue. The main reason to disconnect the schema master is that if the schema upgrade goes wrong for some reason you don't screw up your forest and so you don't need to do a forest recovery to revert to the last uncorrupt schema. One other way to mitigate this risk could be to:

* Do a FULL backup of the schema master
* disable OUTBOUND replication for the SCHEMA MASTER FSMO first (REPADMIN /OPTIONS FQDN DC +DISABLE_OUTBOUND_REPL)
* verify that outbound replication is disabled with REPLMON
* upgrade the schema (after meeting ALL prerequisites mentioned in MS-KBQ325379!!!)
* check the event viewer for errors
* And IF everything is OK enable replication (REPADMIN /OPTIONS FQDN DC -DISABLE_OUTBOUND_REPL)

When replication is enabled again on the schema master fsmo all directory changes concerning AD objects will be halted because replication partners see the schema has been changed (the DC performs a check to see if the schema version has changed). The normal changes will only replicate after the schema update has replicated.

Ohh, and by the way: TEST FIRST IN A TEST ENVIRONMENT TO GET FAMILIAR WITH THE PROCEDURE AND TO SEE WHAT HAPPENS!!!

Cheers
Jorge

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/19/2005 5:27 PM
Subject: [ActiveDir] OT:Upgrade from 2k to 2k3

Hi, I'm just looking to upgrade our domain controllers from 2k to 2k3. I actually have a 2k with exchange 2k that need to be upgraded to 2k3 and Exchange 2k3. Should I upgrade the exchange system before doing the DCs? Anyone have any docs with pros and cons? What is better or would cause fewer troubles. Thanks!

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
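The guarded schema update outlined in the message above, as an added example that is not part of the original thread: it disables outbound replication on the schema master, confirms the flag took effect, runs the update, and re-enables replication only if the update exits cleanly and the Directory Service log shows no new errors. The function names, parameters and the `dc1.test.com` placeholder are assumptions, and the verification uses a `repadmin /options` query and `Get-WinEvent` in place of REPLMON and the event viewer; take the full backup first and run it elevated on the schema master.

```powershell
# Added example (not from the original thread). Names are hypothetical; only the
# repadmin +/-DISABLE_OUTBOUND_REPL switches come from the message above.

function Test-OutboundReplDisabled {
    param([Parameter(Mandatory)] [string] $Dc)
    # With no +/- flag, 'repadmin /options <DC>' only prints the current DSA options.
    $out = & repadmin /options $Dc 2>&1
    if ($LASTEXITCODE -ne 0) { throw "repadmin /options $Dc failed: $out" }
    $current = $out | Where-Object { "$_" -match '^\s*Current DSA Options' }
    return [bool]($current -match 'DISABLE_OUTBOUND_REPL')
}

function Invoke-GuardedSchemaUpdate {
    param(
        # FQDN of the schema master, e.g. dc1.test.com (placeholder)
        [Parameter(Mandatory)] [string] $SchemaMaster,
        # The schema update to run while the DC is isolated
        [Parameter(Mandatory)] [scriptblock] $SchemaUpdate
    )

    $start = Get-Date

    # 1. Stop the schema master from replicating changes out, then prove it.
    & repadmin /options $SchemaMaster '+DISABLE_OUTBOUND_REPL' | Out-Null
    if (-not (Test-OutboundReplDisabled -Dc $SchemaMaster)) {
        throw "Outbound replication is still enabled on $SchemaMaster; schema update not started."
    }

    # 2. Run the schema update. Out-Host keeps its output off the return value.
    $global:LASTEXITCODE = 0
    & $SchemaUpdate | Out-Host
    $exit = $LASTEXITCODE

    # 3. Event log check: critical (1) and error (2) events written since we started.
    $filter = @{ LogName = 'Directory Service'; Level = 1, 2; StartTime = $start }
    $errors = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    if ($exit -ne 0 -or $errors.Count -gt 0) {
        # Leave the DC isolated so a bad schema cannot reach the rest of the forest.
        foreach ($e in $errors) {
            Write-Warning "$($e.TimeCreated) id=$($e.Id) $($e.Message)"
        }
        Write-Warning ("Update exit code $exit, $($errors.Count) Directory Service error(s). " +
                       "Outbound replication left DISABLED on $SchemaMaster.")
        return $false
    }

    # 4. Clean run: let the schema change replicate out, and confirm the flag is gone.
    & repadmin /options $SchemaMaster '-DISABLE_OUTBOUND_REPL' | Out-Null
    if (Test-OutboundReplDisabled -Dc $SchemaMaster) {
        throw "Could not re-enable outbound replication on $SchemaMaster."
    }
    return $true
}

# Example call (assumption: adprep from the Windows Server 2003 media is on the path):
# Invoke-GuardedSchemaUpdate -SchemaMaster 'dc1.test.com' -SchemaUpdate { adprep /forestprep }
```

A `$false` result means the domain controller is still isolated on purpose: investigate or restore from the backup before re-enabling replication by hand.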
Re: [ActiveDir] Installing DNS in Child Domain
I go to the root DC/DNS server and in that zone is a child domain folder. I right click the folder and click delegate and browse or type in the ip of the child DC running dns and all is golden. The child domain folder then becomes grayed in the root dns zone and when you click on it, you get the soa with the child dc as a nameserver. I'm in a 12 domain forest (win2k mixed) and all my child dc's are dns servers authoritative for their respective domains. The root is only authoritative for the root zone and has gray delegation/glue records for the other domains. I must be missing something really obvious here as I'm no AD expert...

Thanks

-- Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
RE: [ActiveDir] resetting default values
If you don't have custom permissions that you need how about dsacls with the /s or /t options?

/S Restore the security on the object to the default for that object class as defined in AD Schema.
/T Restore the security on the tree of objects to the default for the object class. This switch is valid only with the /S option.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stelley, Douglas
Sent: Tuesday, April 19, 2005 8:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] resetting default values

Within our domain {native 2003} perhaps a third of our users need to have their security reset to a default value. Right now we open each user in ADUC, open security / Advanced / Check the "Inherit from parent..." and hit the default button. This allows our "helpdesk" folks (who are members of the Account Operators group) access to unlock, reset pwords, etc... Without doing this, these options are greyed out. Unknown what caused it initially but I need to bring it back for many many users. I've created many scripts and I know my way around much of AD/WMI/ADSI, but does anyone know of a way to automate this?

Doug
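One way to automate the reset asked about above with the `dsacls /S` switch from the reply (an added example, not code from the thread). It assumes the ActiveDirectory PowerShell module and its `AD:` drive are available; the OU path, CSV path and parameter names are hypothetical. Because `/S` discards custom permissions, the script saves each object's current security descriptor first and only reports unless `-Apply` is given.

```powershell
# Added example (not from the original thread). Save as a .ps1 and run with an
# account allowed to modify permissions on the target users.
param(
    # OU to scan, e.g. 'OU=Staff,DC=test,DC=com' (placeholder)
    [Parameter(Mandatory)] [string] $SearchBase,
    # Hypothetical path for the pre-change security descriptors
    [string] $BackupCsv = '.\acl-backup.csv',
    # Without this switch nothing is modified
    [switch] $Apply
)

Import-Module ActiveDirectory   # provides Get-ADUser and the AD: drive

# Users whose ACL is protected, i.e. permissions are NOT inherited from the parent.
$targets = @(foreach ($u in (Get-ADUser -Filter * -SearchBase $SearchBase)) {
    $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
    if ($acl.AreAccessRulesProtected) {
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            DistinguishedName = $u.DistinguishedName
            Sddl              = $acl.Sddl
        }
    }
})

Write-Host "$($targets.Count) user(s) with inheritance blocked under $SearchBase"
if ($targets.Count -eq 0) { return }

# Keep the old descriptors so a custom permission that turns out to matter can be restored.
$targets | Export-Csv -Path $BackupCsv -NoTypeInformation

if (-not $Apply) {
    $targets | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
    Write-Host 'Report only. Re-run with -Apply to reset these objects.'
    return
}

$results = foreach ($t in $targets) {
    # /S restores the schema default security for the object class (per the reply above).
    # /T is not used: only the listed user objects should change.
    $out = & dsacls $t.DistinguishedName /S 2>&1
    $ok  = ($LASTEXITCODE -eq 0)

    # Verify rather than assume: re-read the ACL and check the protection flag.
    $after = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    [pscustomobject]@{
        SamAccountName = $t.SamAccountName
        DsaclsOk       = $ok
        StillProtected = $after.AreAccessRulesProtected
        Detail         = $(if ($ok) { '' } else { ($out | Out-String).Trim() })
    }
}

$results | Format-Table -AutoSize

# Anything that failed or is still blocking inheritance needs a manual look.
$results | Where-Object { -not $_.DsaclsOk -or $_.StillProtected } | ForEach-Object {
    Write-Warning "Needs attention: $($_.SamAccountName) $($_.Detail)"
}
```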
RE: [ActiveDir] Installing Exchange in a child domain
Hi, In a MIXED mode root domain the Enterprise Admins group and the Schema Admins group are GLOBAL SECURITY GROUPS as in a mixed mode domain you can not use UNIVERSAL SECURITY GROUPS. When you change the domain functional level (or domain mode in w2k) those groups will be converted to UNIVERSAL SECURITY GROUPS. In a GLOBAL SECURITY GROUP from one domain you cannot add users from another domain. To accomplish what you want to do (update schema) log onto the schema master with Schema/Enterprise Admins permissions and update the schema and create the Exchange object in the config container. You'll also need to run exchange forestprep and domainprep in the forest root domain so for that you will need Enterprise Admins and domain admins. QUOTE### ForestPrep must be run in the domain that contains the Active Directory schema master. By default, this domain is the root domain in the forest. You do not necessarily have to run ForestPrep on the schema master; any Windows 2000 or Windows Server 2003 computer in the domain is adequate. That said, it is a best practice to run ForestPrep on the schema master so that network interruptions and latency do not affect the schema update. QUOTE### YOU CAN READ MORE AT http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/ex2k3ad.mspx http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3ADPerm/cf42a674-0b75-4de4-b96f-2d22dbdb528e.mspx Remember that when using Exchange you'll need to use UNIVERSAL SECURITY GROUPS (and thus convert that domain to at least domain functional level Windows 2000 native!!!) if you are using distribution lists to secure public folders with MAPI permissions or if you have delegations in place for distribution lists. Those distribution lists will be converted to UNIVERSAL SECURITY GROUPS. 
The other distribution lists that are not used for public folder security and/or delegation will be converted to UNIVERSAL DISTRIBUTION GROUPS. Cheers, jorge -Original Message- From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 4/19/2005 5:35 PM Subject: [ActiveDir] Installing Exchange in a child domain Hi, 1. I have installed a new root domain controller, test.com 2. Installed a child domain controller in it, child.test.com 3. Installed a member server in the child domain, ps.child.test.com Now I want to install Exchange server on my PS member server. The problem is that when I log in on my PS in the child domain I am not able to run the forest prep because the enterprise/schema admin rights are required for that. I tried to make the child administrator a member of Enterprise and schema admin, but I am not able to add the child administrator; it says the user is not found. As both the Enterprise and schema admin groups are global security groups, how do I delegate the child domain administrator the permission so that I can run the forest prep and domain prep by logging in to my PS using the child administrator account? What is the procedure to delegate Schema and Enterprise admin rights to other child domain users so that Exchange can be installed without logging in to the root domain controller? Thanks, Manjeet
RE: [ActiveDir] Installing DNS in Child Domain
I have no such option on either Windows Server 2003 or 2000 SP4. This facility may have been removed from later SPacks of 2K and from 2K3. Even so, and I am basing this on memory alone (or the lack thereof in this case), that mechanism did not create the zone on the target DNS server (and therefore did not configure it correctly for dynamic update or AD integrate it accordingly), it did not push the existing RRs from the parent zone into the target and it did not (and shouldn't) reconfigure the resolvers of the existing DCs and members (if it had done these things, I'm hopeful that I would remember such a capable feature and would also wonder why on earth it was removed). In short (and IMHO), it would seem only to provide an inadvertent means of erasing an entire subdomain worth of RRs and is in no way a mechanism able to _move_ existing, active, valid AD representative DNS content from a parent zone to a delegated child. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com
Re: [ActiveDir] Installing DNS in Child Domain
But, correct me if I'm wrong here, why on earth wouldn't you be allowed to delegate zones to their respective dns servers? That makes no sense. I'm on sp4 now and running ad integrated dns and ALL zones are delegated to their respective child dns servers. I've been running like this for 2+ years with no issues. Resolution works, no rep errors. I can ping any host in the forest by fqdn. What's the delegation feature for then? Is it only for standard dns servers? I find that hard to believe. I'm not in the office but I'll send up my root zone record when I get back for you to see. I'm seriously thinking we are talking about 2 totally different things here (and if so, I apologize). It's rare for me to be right on this list. Esp. as compared to you, Dean. Thanks -- Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
RE: [ActiveDir] Installing DNS in Child Domain
Please ... please, no apologies are necessary ... Delegation is used in precisely the manner you've outlined, it's only the automated nature of the admin. tools and the process to delegate/distribute the automated content that I'm questioning. I'd agree to a point that such a mechanism may well be a nice facility in that it removes (or lessens) one administrative aspect of distributing DNS but it requires so much more than merely shifting zone content. If clients aren't using the new name server and no other name servers refer to it, what is data doing? If clients _are_ using it and/or other name servers are referring to it, how did that happen? It happened because it was configured to work that way (manually) by an admin. and, as such, the same admin. (fingers crossed) would move the content (or ensure it was regenerated). I can't speak intelligently as to the whys or the why nots regarding the existence of such a feature since I've never asked the question of those responsible for making that decision but I'd hazard a guess that such a feature was deemed likely to cause more problems than it would solve. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com
[ActiveDir] Windows Server 2003 Access-based Enumeration
Enjoy! GUI and CLI tool from Microsoft to enable Access-based Enumeration. http://www.microsoft.com/downloads/details.aspx?FamilyID=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en Francis
RE: [ActiveDir] Installing DNS in Child Domain
My take is that you two are talking about the same general topic. Dean is stating that yes you can delegate but this does not automagically move the RRs from one server to another (or from the parent zone to the child). The process of splitting an existing zone into two (parent/child) is a manual process. Of course you could use the information in the parent zone before the delegation to initially populate your new delegated zone using a modified zone file, DNSCMD, or something else. Regards, Aric Bernard
RE: [ActiveDir] forest /domain prep for win2k to win 2003 upgrade
neither is better or worse: it's important to correctly adjust the LdapDisplayName of the Secretary and the labeledURI attributes in the schema (as added by E2k during setup) so as not to conflict with the new additions of the Win2003 schema, which also adds (the RFC compliant version) of these attributes. Thus the existing conflicting LdapDisplayNames of E2k should be changed from Secretary to msExchAssistantName and from labeledURI to msExchLabeledURI. This is achieved many ways, you can even do this manually using ADSIedit. But you certainly don't require the E2k3 schema extensions until you're ready to upgrade E2k to E2k3. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Kraus Sent: Tuesday, April 19, 2005 17:04 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] forest /domain prep for win2k to win 2003 upgrade Thank you, Your reassurance is making this a little easier for me to proceed. As far as the exchange issue, would I be better off running the preps from the exchange 2003 cd? I thought I read that running from the e2k3 cd was better? jeff From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Monday, April 18, 2005 4:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] forest /domain prep for win2k to win 2003 upgrade 2003's forestprep requires network connectivity. So you'd at least need to connect your "interims" DC to another separate network. Though I am all for a well planned routine that allows an easy fall-back in case of any issues, your sister company's environment doesn't really sound like anything you couldn't handle with less effort. I've never had a single 2000/2003 ADPrep fail, if the required prep steps are performed correctly - e.g. including the necessary preps to correct the Exchange 2000 schema stuff - check Q314649. 
For this size environment, I don't expect you'd have much more than 4 DCs (2 for the root and 2 for the unnecessary child) - I'd simply suggest to perform a backup of all of them and then (after adding the Exchange fix and letting it replicate) to perform the ADPREP /forestprep right on your current Schema Master, let this replicate and validate success. Then perform the /domainprep right on your two IFM role holders. The likelihood of anything going wrong is very very low and will certainly not kill your AD (you can even re-run the ADprep /forestprep as many times as you like - e.g. if certain permissions in the config container are not set correctly - it will never do anything "bad" for your forest). In the very unlikely case of something still going wrong, you're in the fortunate position to be able to restore all of your DCs back to the same point in time with rather limited efforts. The chances that this would be required are very slim so that you can save yourself a lot of extra work and unintentional risk by going your proposed way. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Kraus Sent: Monday, April 18, 2005 19:24 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] forest /domain prep for win2k to win 2003 upgrade Hi, I am in a situation that I'm trying to make the best of. We have a sister company that we do support for. They need to upgrade from 2000 to 2003. Here's the issue: they have their own budget and they will not credit our dept for overtime to do the forest/domain prep after hours. Moderate size company, they have their own forest, 150 users, 2 sites (default and 1 other), one child domain, and 1 exchange 2000 server. Once people log in in the mornings they pretty much don't log out till the evening. What I'd like to do is use an old server, install 2000, make it a dc, ghost it, then transfer the fsmo's to that server, disconnect it from the network and run forest prep. 
If all goes well and nothing blows up, connect it to the network and let it replicate, watch it for a day, then transfer roles off of it and remove it from the forest. What are your esteemed opinions? Jeff Kraus Network Manager NIC Holding Corp. 25 Melville Park Rd Melville NY, 11747 Voice: 631.753.4272 Fax: 631.753.4305 Email: [EMAIL PROTECTED]
RE: [ActiveDir] AdminSDHolder and Default button
I can confirm what Jorge expects below - yes, all explicit permissions are removed and then the default from whatever is defined in the schema is set. You can script the resetting of permissions back to the default using the DSACLS.exe or ACLDiag.exe tools (I can't remember if only one of them or both have the /reset permission option) /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: Tuesday, April 19, 2005 10:51 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AdminSDHolder and Default button (1) I expect the default permissions to REPLACE all existing permissions, because otherwise the DEFAULT button would be meaningless (2) The DEFAULT button reads the security descriptor in the schema for that particular object and places that onto the object and it enables the allow inherit from parent flag. Have checked Microsoft Scriptcenter For a script to reset the ADMINCOUNT = 1 to ADMINCOUNT = 0 see MS-KBQ817433 "Delegated permissions are not available and inheritance is automatically disabled" Cheers, Jorge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, April 19, 2005 3:50 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AdminSDHolder and Default button Hi all, If a user used to be a member of Account Operators group (affected by AdminSDHolder permissions) and has left that group - it is found that the permissions are not set back to default. Hence this user will have very restrictive settings on itself and other members of account operators will not have rights over this username (even though it is no longer a member of that group). In Win2003 there's a button Default - user properties - security - advanced - DEFAULT. Description is set to replace all permission entries with the default setting. I've enabled this on a couple of accounts and seems to work expectedly. 
Question: 1) Does default remove any explicitly defined ACL on the user accounts? (I sure hope not). 2) How do I script this default function? Is this an attribute or something within the object itself? I have quite a few users that need their permissions to be 'resetted' Thanks! Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED]
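Added example, not part of the thread and not any poster's script: a Python pass over an LDIF export that lists accounts still carrying adminCount=1 without direct membership in a protected group, and builds a `dsacls "<DN>" /S` line for each so the list can be reviewed before anything is run. The protected-group list, the sample records and the ldifde options in the comment are assumptions; memberOf shows neither nested nor primary-group membership, so the output is a candidate list only.

```python
import base64
import re

# Assumption: a starting list of groups whose members AdminSDHolder protects.
# It is not exhaustive and varies by OS version; extend it for your forest.
PROTECTED_GROUPS = {
    "account operators", "administrators", "backup operators", "domain admins",
    "enterprise admins", "print operators", "schema admins", "server operators",
}

def parse_ldif(text):
    """Parse LDIF text into a list of {attribute_lowercase: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        # A line starting with one space continues the previous line (folding).
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:              # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        match = re.match(r"^([A-Za-z0-9;.-]+)(::?)\s*(.*)$", line)
        if not match:                      # comments and malformed lines
            continue
        attr, sep, value = match.groups()
        if sep == "::":                    # "attr:: ..." carries a base64 value
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value)
    return records

def first_rdn_value(dn):
    """Lower-cased value of the leftmost RDN, honouring backslash escapes."""
    match = re.match(r"^[^=]+=((?:\\.|[^,\\])*)", dn)
    return re.sub(r"\\(.)", r"\1", match.group(1)).strip().lower() if match else ""

def stale_admincount(records):
    """DNs with adminCount=1 and no direct membership in a protected group."""
    stale = []
    for rec in records:
        if rec.get("admincount", ["0"])[0].strip() != "1" or "dn" not in rec:
            continue
        groups = {first_rdn_value(g) for g in rec.get("memberof", [])}
        if not groups & PROTECTED_GROUPS:
            stale.append(rec["dn"][0])
    return stale

def dsacls_reset_commands(dns):
    """Return (commands, manual): DNs that cmd.exe would mangle go to manual."""
    commands, manual = [], []
    for dn in dns:
        if '"' in dn or "%" in dn:
            manual.append(dn)
        else:
            commands.append(f'dsacls "{dn}" /S')
    return commands, manual

# Constructed sample, shaped like the output of an export such as (assumption):
#   ldifde -f admincount.ldf -r "(&(objectCategory=person)(adminCount=1))" -l adminCount,memberOf
CAROL_DN = "CN=Carol Old,OU=Staff,DC=child,DC=test,DC=com"
SAMPLE_LDIF = f"""dn: CN=Alice Admin,OU=Staff,DC=child,DC=test,DC=com
adminCount: 1
memberOf: CN=Account Operators,CN=Builtin,DC=child,DC=test,DC=com

dn: CN=Bob Former,OU=Staff,DC=child,DC=test,DC=com
adminCount: 1
memberOf: CN=Helpdesk Staff,OU=Groups,DC=child,
 DC=test,DC=com

dn:: {base64.b64encode(CAROL_DN.encode()).decode()}
adminCount: 1

dn: CN=Dave 100%,OU=Staff,DC=child,DC=test,DC=com
adminCount: 1

dn: CN=Erin User,OU=Staff,DC=child,DC=test,DC=com
memberOf: CN=Helpdesk Staff,OU=Groups,DC=child,DC=test,DC=com
"""

if __name__ == "__main__":
    cmds, manual = dsacls_reset_commands(stale_admincount(parse_ldif(SAMPLE_LDIF)))
    print("\n".join(cmds))
    for dn in manual:
        print("REM review by hand:", dn)
```

dsacls /S only rewrites the ACL; clearing adminCount is a separate step, for which the thread points to KB 817433.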
RE: [ActiveDir] Installing DNS in Child Domain
hey Dean - I see you're on a DNS trip today ;-)) 10 posts on this thread by Dean - must be a record... aren't we forgetting that this is a test-environment? I'd just blow away the child's DNS subzone in the root DC's DNS config and then create a delegation for the child.test.com zone for the child DC. Then create the child.test.com DNS zone on the child DC, point the DC to use itself as a DNS server and then re-register all records on this server (restart netlogon). Agreed that the process would be slightly different for a live environment with many other DNS records data in it. /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, April 19, 2005 17:57 To: Send - AD mailing list Subject: RE: [ActiveDir] Installing DNS in Child Domain If only one record exists, you have encountered the known-bug I mentioned earlier. To resolve this issue, temporarily configure the forest root DNS zone to allow both secure and insecure update, on the child DC, ensure its preferred resolver still points to the root DC, run a command shell and enter ipconfig /registerdns. Return to the root DC and refresh the zone content, you should now see a second A record named after the child DC itself, if so - reset the zone to secure updates. Up until now, your 2 DCs have not been replicating, to accelerate the convergence time, copy and paste the following verbatim in a command shell on each DC (requires Support Tools installed) - 1) ipconfig /flushdns 2) net stop netlogon net start netlogon 3) for /l %a in (1,1,25) do repadmin /kcc repadmin /syncall repadmin /syncall /P NOTE - I DO NOT recommend the use of the 'for in do' loop above in a large enterprise. Run AD Sites and Services and verify that replication is now succeeding. Do you still want to distribute your DNS namespace per your original post? 
-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh Sent: Tuesday, April 19, 2005 11:22 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Installing DNS in Child Domain Hi, Yes, your summary is absolutely correct. No I did not create any structure manually; all were created automatically during first DC promotion. Now when I see the A host record under child.test.com, there is only one record 'same as parent'. Thanks, Manjeet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, April 19, 2005 8:12 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Installing DNS in Child Domain I'm working on the premise that at present all DCs and members resolve against a single DNS server running on the DC in the forest root that was created during the promotion of the very first DC. You've since promoted a new DC and created a child domain named child.test.com. This DC also resolves against the DNS server running on the DC in the root domain. Is that summary accurate? Have you altered the default configuration created by DCpromo in any way or did you create the current DNS structure manually? Does the A record for the child DC exist, this is a known bug that would cause anything we do from this point (excluding the use of BIND zone files) to fail - - expand the zone on the root DNS server - locate the entry 'child.test.com' - two A (host) records should exist, one named after the DC itself the other, 'same as parent' Once we have this information, the steps to distribute your DNS namespace become relatively simple. 
-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh Sent: Tuesday, April 19, 2005 10:02 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Installing DNS in Child Domain Hi, I am using windows 2003 standard edition. This might be the requirement when you have distributed domain model. Say Root and child domain are in separate remote location. So to reduce the traffic I need to have separate DNS on my child domain controller. So do I configure DNS on preinstall Child domain controller? Manjeet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, April 19, 2005 7:24 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Installing DNS in Child Domain Windows offers no automated solution for this type of restructuring, the premise being that any organization with a need for a more distributed DNS infrastructure needs 1) the technical staffing sufficient to create it and 2) same said staffing to support it. Before making any recommendations as to the direction you should take, can I ask on what version/flavour of Windows you're building this lab environment? -- Dean Wells MSEtechnology *
RE: [ActiveDir] Installing DNS in Child Domain
LOL ... I had oodles of free time waiting for a ridiculously delayed call to take place. Re: the test environment, I'd agree that your suggestion would indeed work with such a limited number of DCs but I find myself asking the question what exactly is the test forest for? ... a) to learn how to circumvent best-practice in test environments :) or b) to learn how to better structure and implement a roughly comparable enterprise environment ... my responses were based on the latter but I'm guessing you'd picked up on that. Seriously, your point is well taken and there are faster approaches than that (some of which I've proven against production environments in order to v. quickly recover from catastrophic failure) but since the default DNS structure created by 2K3's DCpromo will suffice for a 2 DC, 2 domain test forest (and larger), I (uh oh!) assumed that the poster's goal exceeded merely that of a functioning end result. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com
[ActiveDir] Email Addresses in AD
If I don't have user email addresses setup in AD (on all user profiles/account) can I setup Exchange to pull the account name and then add the domain information to it to create the email address automatically for users? Thanks, Brenda
RE: [ActiveDir] Installing DNS in Child Domain
Hi Guido, Can you share some info on the Agreed that the process would be slightly differnet for a live environemnt with many other DNS records data in it. I'm trying to figure out what you mean with this. Regards Jorge -Original Message- From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org; Send - AD mailing list Sent: 4/19/2005 9:25 PM Subject: RE: [ActiveDir] Installing DNS in Child Domain hey Dean - I see you're on a DNS trip today ;-)) 10 posts on this thread by Dean - must be a record... aren't we forgetting that this is a test-environment? I'd just blow away the child's DNS subzone on in the root DC's DNS config and then create a delegation for the child.test.com zone for the child DC. Then create the child.test.com DNS zone on the child DC, point the DC to use itself as a DNS server and then re-register all records on this server (restart netlogon). Agreed that the process would be slightly differnet for a live environemnt with many other DNS records data in it. /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Dienstag, 19. April 2005 17:57 To: Send - AD mailing list Subject: RE: [ActiveDir] Installing DNS in Child Domain If only one record exists, you have encountered the known-bug I mentioned earlier. To resolve this issue, temporarily configure the forest root DNS zone to allow both secure and insecure update, on the child DC, ensure its preferred resolver still points to the root DC, run a command shell and enter ipconfig /registerdns. Return to the root DC and refresh the zone content, you should now see a second A record named after the child DC itself, if so - reset the zone to secure updates. 
Up until now, your 2 DCs have not been replicating, to accelerate the convergence time, copy and paste the following verbatim in a command shell on each DC (requires Support Tools installed) - 1) ipconfig /flushdns 2) net stop netlogon net start netlogon 3) for /l %a in (1,1,25) do repadmin /kcc repadmin /syncall repadmin /syncall /P NOTE - I DO NOT recommend the use of the 'for in do' loop above in a large enterprise. Run AD Sites and Services and verify that replication is now succeeding. Do you still want to distribute your DNS namespace per your original post? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh Sent: Tuesday, April 19, 2005 11:22 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Installing DNS in Child Domain Hi, Yes, your summary is absolutely correct. No I did not create any structure manually; all were created automatically during first DC promotion. Now when I see the A host record under child.test.com, there is only one record 'same as parent'. Thanks, Manjeet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, April 19, 2005 8:12 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Installing DNS in Child Domain I'm working on the premise that at present all DCs and members resolve against a single DNS server running on the DC in the forest root that was created during the promotion of the very first DC. You've since promoted a new DC and created a child domain named child.test.com. This DC also resolves against the DNS server running on the DC in the root domain. Is that summary accurate? Have you altered the default configuration created by DCpromo in anyway or did you create the current DNS structure manually? 
Does the A record for the child DC exist, this is a known bug that would cause anything we do from this point (excluding the use of BIND zone files) to fail -

- expand the zone on the root DNS server
- locate the entry 'child.test.com'
- two A (host) records should exist, one named after the DC itself the other, 'same as parent'

Once we have this information, the steps to distribute your DNS namespace become relatively simple.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh
Sent: Tuesday, April 19, 2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Installing DNS in Child Domain

Hi,

I am using windows 2003 standard edition. This might be the requirement when you have distributed domain model. Say Root and child domain are in separate remote location. So reduce the traffic I need to have separate DNS on my child domain controller.

So do I configure DNS on preinstall Child domain controller?

Manjeet

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, April 19, 2005 7:24 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Installing DNS in Child Domain

Windows offers no automated solution
[ActiveDir] GC issues
I have a multi domain Win2k forest. My problem is I'm getting a lot of duplicate email accounts on GC's (I guess the other EA's didn't pay close attention) and thus bounced emails. Is there any way I can have a script remove/detect the dupe addys?

Also, I moved/deleted OU's and this has not been reflected in the GC's as well.

Thanks

--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] GC issues
http://blogs.brnets.com/michael/archive/2004/12/30/275.aspx

Just changing strDomainDN should give you what you want--for detection. Scripting removal is easy--adding the intelligence to decide WHICH to remove is not easy and very company dependent.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, April 19, 2005 9:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GC issues

I have a multi domain Win2k forest. My problem is I'm getting a lot of duplicate email accounts on GC's (I guess the other EA's didn't pay close attention) and thus bounced emails. Is there any way I can have a script remove/detect the dupe addys?

Also, I moved/deleted OU's and this has not been reflected in the GC's as well.

Thanks

--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
RE: [ActiveDir] GC issues
The script I posted last week will do pretty much precisely that ... it's enclosed as is the original post.

<paste>

Since a solution hasn't manifested itself to date, I got intrigued and tried to put this together in a simple and relatively fast shell script ... which I've enclosed as a text file (if memory serves I am able to enclose small text files).

The script requires two args; a QUOTED DN and the LDAP name of the attribute to look at.

Hope this serves your purpose, if not, I'm certain it will serve me at some point in the future :)

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeremy Palenchar
Sent: Monday, April 04, 2005 5:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GroupBy type queries in LDAP

OK, LDAP evangelists,

I need to query our customer-facing AD for a list of all the users who share a particular attribute. Let's call that attribute Attribute1. So, if two people have the same value in Attribute1, I need their DN. The trick is, that I want the results for all possible values of Attribute1.

In SQL, I would use group by Attribute1 having count(Attribute1) > 1 to get a list of all Attribute1 values where more than one object had the same value. I would then join that back to the table to get a list of all the DN's with those values of Attribute1.

Is there a way to do this with an LDAP query? Please note that the directory contains millions of objects and iterating through them will be painful.

</paste>

:: Active Directory Duplicate value detection script / Dean Wells / MSEtechnology / April 2005
:: Requires 2 arguments => 1st is a quoted DN, 2nd is an attribute LDAP name
:: Script then queries directory for any 2 or more objects that share the same value and writes
:: their DN to the results file which is displayed upon script completion

@echo off
setlocal ENABLEDELAYEDEXPANSION
if [%2]==[] goto :ERROR
set DN=%1
set ATTRIBUTE=%2
set TEMPDIR=%TEMP%\$DUPES$
set TEMPFILE1=%TEMP%\$DUPES$.ldf
set TEMPFILE2=%TEMP%\$DUPES$.tmp
set RESULTFILE=\DupeResults.TXT
rd /s /q %TEMPDIR% 2>nul
md %TEMPDIR% 2>nul

:: Export every object under the DN, listing only the attribute of interest
ldifde -o objectcategory=* -f %TEMPFILE1% -d %DN% -l %ATTRIBUTE%
if errorlevel 1 goto :END
set DN=
set UNIQUEVALUE=
set LINE=

:: Pass 1: append each object's DN to a file named after its (sanitised) attribute value
for /f "tokens=*" %%p in ('type %TEMPFILE1% ^| findstr /i "dn: %ATTRIBUTE%:"') do (
    set LINE=%%p
    if /i "!LINE:~0,3!"=="dn:" (
        set DN=!LINE:~4!
        set UNIQUEVALUE=
    ) else (
        set UNIQUEVALUE=!LINE:~0,80!
        set UNIQUEVALUE=!UNIQUEVALUE:%ATTRIBUTE%: =!
        set UNIQUEVALUE=!UNIQUEVALUE:\=-!
        set UNIQUEVALUE=!UNIQUEVALUE:/=-!
        set UNIQUEVALUE=!UNIQUEVALUE::=-!
        if not [!UNIQUEVALUE!]==[] echo !DN!>>"%TEMPDIR%\!UNIQUEVALUE!"
    )
)
del %RESULTFILE% 2>nul

:: Pass 2: any value file holding more than one DN is a duplicate; copy it to the results
for %%a in (%TEMPDIR%\*.*) do (
    set COUNT=0
    for /f "usebackq tokens=*" %%d in ("%%a") do (
        set /a COUNT+=1
        echo %%d>>%TEMPFILE2%
    )
    if !COUNT! GTR 1 (
        echo %ATTRIBUTE%: %%~na>>%RESULTFILE%
        type %TEMPFILE2% >>%RESULTFILE%
        echo/>>%RESULTFILE%
    )
    del %TEMPFILE2% 2>nul
)
%RESULTFILE%
goto :END

:ERROR
echo ERROR - Supply DN in quotes followed by attribute's LDAP name

:END
del %TEMPFILE1% 2>nul
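The "group by ... having count > 1" query asked about above, run offline over an ldifde export, as an added example that is not part of the original posts and is not Dean Wells's script. It also undoes LDIF line folding and base64 ("attr::") values; the sample records are constructed, and case-insensitive comparison is an assumption that fits attributes such as mail.

```python
import base64
import re
from collections import defaultdict

# Constructed ldifde-style export (not real directory data). It includes a
# base64 "mail::" value and a DN folded onto a continuation line.
SAMPLE_LDIF = """\
dn: CN=Ann Lee,OU=Staff,DC=test,DC=com
mail: ann.lee@test.com

dn: CN=A. Lee,OU=Sales,DC=child,DC=test,DC=com
mail: Ann.Lee@TEST.com

dn: CN=Bob Roy,OU=Staff,DC=test,DC=com
mail:: Ym9iLnJveUB0ZXN0LmNvbQ==

dn: CN=Robert Roy,OU=Contractors and Temporary Staff,DC=chi
 ld,DC=test,DC=com
mail: bob.roy@test.com

dn: CN=Cy Dow,OU=Staff,DC=test,DC=com
mail: cy.dow@test.com
"""

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) for each record in an LDIF export."""
    text = re.sub(r"\r?\n ", "", text)        # undo line folding
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            name, _, rest = line.partition(":")
            if rest.startswith(":"):          # "attr:: value" is base64
                raw = base64.b64decode(rest[1:].strip())
                value = raw.decode("utf-8", "replace")
            else:
                value = rest.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
        if dn is not None:
            yield dn, dict(attrs)

def find_duplicates(ldif_text, attribute):
    """Map each value held by 2+ objects to the sorted DNs that hold it."""
    groups = defaultdict(set)
    for dn, attrs in parse_ldif(ldif_text):
        for value in attrs.get(attribute.lower(), []):
            groups[value.casefold()].add(dn)  # assumes case-insensitive syntax
    return {v: sorted(d) for v, d in groups.items() if len(d) > 1}

if __name__ == "__main__":
    for value, dns in find_duplicates(SAMPLE_LDIF, "mail").items():
        print(value, *dns, sep="\n  ")
```

Multi-valued attributes are handled because every value of the attribute is grouped separately.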
[ActiveDir] DLTpurge.vbs Strict Replication Consistency
Hi,

I have 550,000 objects under Filelinks Container (rubbish caused by DLT), and was trying to clean them up using the kb below

http://support.microsoft.com/?id=312403

While running the script in background (10,000 objects every 2 hours) some of my domain controllers stopped replicating, due to lingering object (Event 1988), and are having a different object count under Filelinks container (thanks to joe's adfind).

On one of the domain controllers it's reporting to have only 440,000 objects, while the other one is still reporting 500,000+.

Domain are native 2003, strict replication key enabled on all DC. Repadmin /removelingeringobject came up with 0 objects, and replication was still being stuck.

So temporarily I've stopped DLTpurge.vbs and disabled Strict Replication Consistency and have verified that all DC now has the same object count of Filelinks CN and replication is as per normal. (Phew)

Any idea what is causing this (too many deletions at the same time)? Should I be running DLTPurge with StrictReplicationConsistency disabled?

Inputs please :-)

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
RE: [ActiveDir] AdminSDHolder and Default button
Thanks Guido/Jorge

As far as I know I should be fine with doing that as there shouldn't be any custom permissions set (I hope). But in any case, is that the recommended way of 'UNDO-ing' the adminsdholder restriction? Or is there a better way?...

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, April 20, 2005 3:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AdminSDHolder and Default button

I can confirm what Jorge expects below - yes, all explicit permissions are removed and then the default from whatever is defined in the schema is set.

You can script the resetting of permissions back to the default using the DSACLS.exe or ACLDiag.exe tools (I can't remember if only one of them or both have the /reset permission option)

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Tuesday, 19 April 2005 10:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AdminSDHolder and Default button

(1) I expect the default permissions to REPLACE all existing permissions, because otherwise the DEFAULT button would be meaningless

(2) The DEFAULT button reads the security descriptor in the schema for that particular object and places that onto the object and it enables the allow inherit from parent flag.

Have checked Microsoft Scriptcenter

For a script to reset the ADMINCOUNT = 1 to ADMINCOUNT = 0 see MS-KBQ817433 "Delegated permissions are not available and inheritance is automatically disabled"

Cheers,
Jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday 19 April 2005 3:50
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AdminSDHolder and Default button

Hi all,

If a user used to be a member of Account Operators group (affected by AdminSDHolder permissions) and has left that group - it is found that the permissions are not set back to default. Hence this user will have a very restrictive settings on itself and other members of account operators will not have rights over this username (even though it is no longer a member of that group).

In Win2003 there's a button Default - user properties - security - advanced - DEFAULT. Description is set to replace all permission entries with the default setting.

I've enabled this on a couple of accounts and seems to work expectedly.

Question:

1) Does default remove any explicitly defined ACL on the user accounts? (I sure hope not).

2) How do I script this default function? Is this an attribute or something within the object itself? I have quite a few users that needs its permissions to be 'resetted'

Thanks!

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
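One way to find the accounts this thread is about, those still stamped adminCount=1 after leaving every protected group, as an added example that is not from the posts or from the KB article they cite. The directory snapshot is constructed, and the protected-group set is an assumption (the thread names only Account Operators).

```python
# Protected groups for the example. The thread names only Account Operators;
# Domain Admins is added as an assumption. Use your forest's real list.
PROTECTED = {
    "CN=Account Operators,CN=Builtin,DC=test,DC=com",
    "CN=Domain Admins,CN=Users,DC=test,DC=com",
}

# Constructed snapshot, DN -> attributes, as a directory export might give it.
DIRECTORY = {
    "CN=Help Desk Leads,OU=Groups,DC=test,DC=com": {
        "memberOf": ["CN=Account Operators,CN=Builtin,DC=test,DC=com"]},
    "CN=Loop A,OU=Groups,DC=test,DC=com": {
        "memberOf": ["CN=Loop B,OU=Groups,DC=test,DC=com"]},
    "CN=Loop B,OU=Groups,DC=test,DC=com": {
        "memberOf": ["CN=Loop A,OU=Groups,DC=test,DC=com"]},
    "CN=Ann Lee,OU=Staff,DC=test,DC=com": {   # still covered, via nesting
        "adminCount": 1,
        "memberOf": ["CN=Help Desk Leads,OU=Groups,DC=test,DC=com"]},
    "CN=Bob Roy,OU=Staff,DC=test,DC=com": {   # left Account Operators
        "adminCount": 1,
        "memberOf": ["CN=Loop A,OU=Groups,DC=test,DC=com"]},
    "CN=Cy Dow,OU=Staff,DC=test,DC=com": {"memberOf": []},
}

def in_protected_group(dn, directory, protected):
    """True if dn is a direct or nested member of a protected group."""
    protected = {p.lower() for p in protected}
    index = {k.lower(): v for k, v in directory.items()}
    seen, stack = set(), [dn.lower()]
    while stack:
        current = stack.pop()
        if current in seen:          # nested groups can form cycles
            continue
        seen.add(current)
        for group in index.get(current, {}).get("memberOf", []):
            if group.lower() in protected:
                return True
            stack.append(group.lower())
    return False

def stale_admincount(directory, protected=PROTECTED):
    """DNs still stamped adminCount=1 that no protected group covers."""
    return sorted(dn for dn, attrs in directory.items()
                  if attrs.get("adminCount") == 1
                  and not in_protected_group(dn, directory, protected))

if __name__ == "__main__":
    print(stale_admincount(DIRECTORY))
```

Membership held through an account's primary group does not appear in memberOf, so check that separately before treating an account as stale.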
RE: [ActiveDir] Script Blocking
Hi Peter,

Haven't really heard that antivirus is blocking login scripts. What's inside the login script anyway? Is it considered as a virus?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, April 20, 2005 3:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script Blocking

Here is the scenario. An AD domain of about 1000 users and computers distributed among over 60 offices. Some users are in the local administrators group of their workstations. The reasons are varied but included

a) Some program didn't function without elevated privileges.
b) The user wanted to install something and no one had time to do it for them.
c) The user is a boss and insists.

On various occasions I have reversed this situation using restricted groups. This always causes lots of calls to the help desk and does nothing to increase my popularity. Even Microsoft Office sometimes doesn't work properly (probably because it wasn't installed correctly) unless the user's privileges are restored.

Well there you have the reasons (all bad, but...)

Here is the problem:-

Some users have installed programs which block login scripts that I distribute through group policy. You all know these programs. Antivirus, antispyware and personal firewalls.

Do any of you good people have the same problem and what methods are you adopting to solve it?

Regards
Peter Jessop
Re: [ActiveDir] Script Blocking
Hi Freddy,

I have deployed limitlogin which depends on a Visual Basic Script on logon and logoff. I don't think it could be considered a virus but certainly some of the users view it in this way! Some versions of Norton antivirus block scripts by default (or ask the user) as do most personal firewalls.

Regards
Peter Jessop