RE: [ActiveDir] Export and import essential AD objects for new forest
Danny,

You will need to seize (not transfer) the roles on the new DC once it is disconnected from your production network. If you transfer your FSMO roles and then move the server to your test network, you will need to seize the roles on another DC in your production network.

Regards,
Jose Medeiros

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Friday, April 22, 2005 12:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Export and import essential AD objects for new forest

One follow-up to my last post: Should I be transferring or seizing the FSMO roles during this migration?

Thank you,
...D

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Kerberos authentication and 2003 /2000
Domain running 2000 native mode. DCs are 2000. Have member servers with 2003. When I run netdiag I see that Kerberos authentication failed. Should I be concerned, or is something wrong on either the member server or the domain controllers?

Jeff
Re: [ActiveDir] Export and import essential AD objects for new forest
Transfer the roles, since the existing domain controller will be running during this process (i.e., before you dcpromo it out).

G.

Danny wrote:
> One follow-up to my last post: Should I be transferring or seizing the FSMO roles during this migration?
>
> Thank you,
> ...D
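The two answers above are not in conflict: transfer while the old holder is still online and staying in the forest, seize only when the old holder is gone (disconnected to a test network, dead, or about to be rebuilt). The following is an added example written for this page, not code from the thread; it uses the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 and later, which postdates this 2005 thread; on Windows 2000/2003 the same two operations are done with ntdsutil). The DC name passed in is a placeholder.

```powershell
# Added example (editor's, not from the thread): transfer vs. seize of the
# five FSMO roles, with the pre-check that tells you which one you are in.
# Assumes the ActiveDirectory module and a caller with Enterprise Admin /
# Schema Admin rights; $TargetDc is a placeholder hostname.

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)] [string] $TargetDc,  # DC that should hold the roles afterwards
        [switch] $Seize                             # only when the current holder is gone for good
    )
    $roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

    # Record the current holders: this is what you'd need to transfer back,
    # and what you compare against afterwards.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $before = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $before.GetEnumerator() | ForEach-Object { Write-Host ("before: {0,-22} {1}" -f $_.Key, $_.Value) }

    if (-not $Seize) {
        # Transfer: the current holder is contacted and told it no longer owns
        # the role, so it can safely keep running in the forest afterwards.
        foreach ($r in $roles) {
            $holder = $before[$r]
            if (-not (Test-Connection -ComputerName $holder -Count 1 -Quiet)) {
                throw "Current $r holder '$holder' is unreachable; a transfer will fail. Use -Seize only if it is permanently gone."
            }
        }
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $roles -Confirm:$false
    }
    else {
        # Seize (-Force): the role is stamped on $TargetDc without contacting the
        # old holder. The old holder still believes it owns the role, so it must
        # never come back onto this network: a second RID master hands out
        # overlapping RID pools, i.e. duplicate SIDs. Rebuild it, or clean its
        # metadata, exactly as Jose describes for the test-network copy.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $roles -Force -Confirm:$false
    }

    # Verify from the directory, not from the cmdlet's return.
    Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
    Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
}

# Swing migration (G.'s case): old holder is online, so a plain transfer.
# Move-FsmoRoles -TargetDc 'serverb.corp.example.com'
# Isolated test copy (Jose's case): run *on the isolated network* with -Seize.
# Move-FsmoRoles -TargetDc 'testdc.corp.example.com' -Seize
```

The pre-check is deliberately strict: if any holder is unreachable the function refuses to transfer rather than silently falling back to a seize, because the seize is the step that cannot be undone once the old holder replicates again.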
RE: [ActiveDir] Windows 2003 settings
I would point out that the presence of the objects Guido cited does not say that forest/domain prep has been run, it says it completed successfully. If you ran forest/domain prep and it failed, that object would not be present, but instead you'd only have the operational GUIDs for each of the operations that succeeded (in the correct location for the prep run, of course). It's important to note the subtle difference, as you might not see that there but still be trying to run forest/domain prep. If so, that means it is failing, and we'd want to pick up the adprep logs to see what the nature of the failure is.

Finally, I'd point out that running adprep from SP1 is better than from RTM. We added a lot of verbiage to error conditions to clearly spell out common error conditions which PSS saw in the field. So if you are prepping, SP1 is the best bet, as failure will be better spelled out should you hit any.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Friday, April 22, 2005 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2003 settings

yes, it doesn't have child objects, but it's not empty - it has some attributes determining its status => the revision attribute is stamped when all tasks have been completed successfully. What's this set to in your environment?

you'll get more details as to what was performed by checking the Operations container at the same level as the Windows2003update container => this should contain an entry for every operation which was performed during the upgrade (which are 37 for the forestprep and 50 for the domainprep) and the fact that the objects exist confirms that ADPREP /forestprep and /domainprep was executed in the respective forest/domain (and that the update replicated to other DCs).

also check out this KB for more details: http://support.microsoft.com/Default.aspx?kbid=309628

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Friday, 22 April 2005 22:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2003 settings

I have the windows2003update folder in both the config and domain NC, but it's empty. What does that mean?

Thanks

Grillenmeier, Guido wrote:
> to check prep
>
> ADPREP /FORESTPREP
>   cn=
>     cn=Configuration
>       cn=ForestUpdates
>         cn=windows2003update
>
> ADPREP /DOMAINPREP
>   cn=
>     cn=SYSTEM
>       cn=DomainUpdates
>         cn=Windows2003Update
>
> to check functional level, it's easiest to read rootDSE of a specific DC
>
> /Guido
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
> Sent: Friday, 22 April 2005 22:18
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] Windows 2003 settings
>
> I forgot, but where are the settings kept in AD where you can see if forest/domain prep has been run and which domain/forest functional level a domain/forest is on?
> thanks
RE: [ActiveDir] Windows 2003 settings
that's a perfectly valid state: this is a Windows 2003 DC (DC functionality = 2) in a domain that's still running at Win2000 mixed or native functional level (0) and a forest that's running at Win2000 functional level (0). Naturally, the DC won't turn on certain features (e.g. LVR) prior to the other settings being switched to a higher level

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Friday, 22 April 2005 22:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2003 settings

Reading the rootDSE, I get -

1> domainFunctionality: 0;
1> forestFunctionality: 0;
1> domainControllerFunctionality: 2;

Grillenmeier, Guido wrote:
> to check prep
>
> ADPREP /FORESTPREP
>   cn=
>     cn=Configuration
>       cn=ForestUpdates
>         cn=windows2003update
>
> ADPREP /DOMAINPREP
>   cn=
>     cn=SYSTEM
>       cn=DomainUpdates
>         cn=Windows2003Update
>
> to check functional level, it's easiest to read rootDSE of a specific DC
>
> /Guido
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
> Sent: Friday, 22 April 2005 22:18
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] Windows 2003 settings
>
> I forgot, but where are the settings kept in AD where you can see if forest/domain prep has been run and which domain/forest functional level a domain/forest is on?
> thanks
RE: [ActiveDir] Windows 2003 settings
yes, it doesn't have child objects, but it's not empty - it has some attributes determining its status => the revision attribute is stamped when all tasks have been completed successfully. What's this set to in your environment?

you'll get more details as to what was performed by checking the Operations container at the same level as the Windows2003update container => this should contain an entry for every operation which was performed during the upgrade (which are 37 for the forestprep and 50 for the domainprep) and the fact that the objects exist confirms that ADPREP /forestprep and /domainprep was executed in the respective forest/domain (and that the update replicated to other DCs).

also check out this KB for more details: http://support.microsoft.com/Default.aspx?kbid=309628

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Friday, 22 April 2005 22:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2003 settings

I have the windows2003update folder in both the config and domain NC, but it's empty. What does that mean?

Thanks

Grillenmeier, Guido wrote:
> to check prep
>
> ADPREP /FORESTPREP
>   cn=
>     cn=Configuration
>       cn=ForestUpdates
>         cn=windows2003update
>
> ADPREP /DOMAINPREP
>   cn=
>     cn=SYSTEM
>       cn=DomainUpdates
>         cn=Windows2003Update
>
> to check functional level, it's easiest to read rootDSE of a specific DC
>
> /Guido
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
> Sent: Friday, 22 April 2005 22:18
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] Windows 2003 settings
>
> I forgot, but where are the settings kept in AD where you can see if forest/domain prep has been run and which domain/forest functional level a domain/forest is on?
> thanks
RE: [ActiveDir] Windows 2003 settings
Reading the rootDSE, I get -

1> domainFunctionality: 0;
1> forestFunctionality: 0;
1> domainControllerFunctionality: 2;

Grillenmeier, Guido wrote:
> to check prep
>
> ADPREP /FORESTPREP
>   cn=
>     cn=Configuration
>       cn=ForestUpdates
>         cn=windows2003update
>
> ADPREP /DOMAINPREP
>   cn=
>     cn=SYSTEM
>       cn=DomainUpdates
>         cn=Windows2003Update
>
> to check functional level, it's easiest to read rootDSE of a specific DC
>
> /Guido
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
> Sent: Friday, 22 April 2005 22:18
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] Windows 2003 settings
>
> I forgot, but where are the settings kept in AD where you can see if forest/domain prep has been run and which domain/forest functional level a domain/forest is on?
> thanks
RE: [ActiveDir] Windows 2003 settings
I have the windows2003update folder in both the config and domain NC, but it's empty. What does that mean?

Thanks

Grillenmeier, Guido wrote:
> to check prep
>
> ADPREP /FORESTPREP
>   cn=
>     cn=Configuration
>       cn=ForestUpdates
>         cn=windows2003update
>
> ADPREP /DOMAINPREP
>   cn=
>     cn=SYSTEM
>       cn=DomainUpdates
>         cn=Windows2003Update
>
> to check functional level, it's easiest to read rootDSE of a specific DC
>
> /Guido
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
> Sent: Friday, 22 April 2005 22:18
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] Windows 2003 settings
>
> I forgot, but where are the settings kept in AD where you can see if forest/domain prep has been run and which domain/forest functional level a domain/forest is on?
> thanks
RE: [ActiveDir] Windows 2003 settings
to check prep

ADPREP /FORESTPREP
  cn=
    cn=Configuration
      cn=ForestUpdates
        cn=windows2003update

ADPREP /DOMAINPREP
  cn=
    cn=SYSTEM
      cn=DomainUpdates
        cn=Windows2003Update

to check functional level, it's easiest to read rootDSE of a specific DC

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Friday, 22 April 2005 22:18
To: ActiveDir (E-mail)
Subject: [ActiveDir] Windows 2003 settings

I forgot, but where are the settings kept in AD where you can see if forest/domain prep has been run and which domain/forest functional level a domain/forest is on?

thanks
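The checks Guido describes here, together with Eric's refinement earlier in the thread (the Windows2003Update object proves the prep *completed*, while a prep that failed part-way leaves only operation GUIDs under the sibling Operations container), as one script. This is an added example written for this page, not code from the thread. It uses the [ADSI] / System.DirectoryServices binding available on any domain-joined Windows machine, so it needs no AD module; it assumes the caller can read the Configuration and domain partitions, and the optional server name is a placeholder.

```powershell
# Added example (editor's, not from the thread): report the functional
# levels from rootDSE and whether ADPREP /forestprep and /domainprep
# completed. Assumes read access to the Configuration and domain NCs.

function Get-AdPrepStatus {
    param([string] $Server)   # optional DC to bind to; rootDSE values are per-DC

    $prefix   = if ($Server) { "LDAP://$Server/" } else { "LDAP://" }
    $rootDse  = [ADSI]($prefix + "RootDSE")
    $configNc = $rootDse.configurationNamingContext.Value
    $domainNc = $rootDse.defaultNamingContext.Value

    # Functional levels as integers: 0 = Windows 2000, 2 = Windows Server 2003.
    # domainControllerFunctionality is what this DC *supports*; the other two
    # are what the domain and forest are switched to (Tom's 0/0/2 is a 2003 DC
    # in a 2000-level domain and forest, which is why LVR etc. stay off).
    [pscustomobject]@{
        Check  = 'functional levels'
        Detail = ('domain={0} forest={1} dc={2}' -f
                  [int]$rootDse.domainFunctionality.Value,
                  [int]$rootDse.forestFunctionality.Value,
                  [int]$rootDse.domainControllerFunctionality.Value)
    }

    # Prep markers. Windows2003Update exists (with 'revision' stamped) only
    # when every operation succeeded; Operations gets one child per completed
    # operation, named by its GUID. "GUIDs present, marker absent" therefore
    # means a run failed part-way: read the adprep logs. The expected counts
    # are the ones quoted in this thread for Windows Server 2003 adprep; later
    # adprep versions add operations, so they are a reference, not a hard test.
    $targets = @(
        @{ Name = 'forestprep'; Expected = 37
           Marker = "CN=Windows2003Update,CN=ForestUpdates,$configNc"
           OpsDn  = "CN=Operations,CN=ForestUpdates,$configNc" },
        @{ Name = 'domainprep'; Expected = 50
           Marker = "CN=Windows2003Update,CN=DomainUpdates,CN=System,$domainNc"
           OpsDn  = "CN=Operations,CN=DomainUpdates,CN=System,$domainNc" }
    )
    foreach ($t in $targets) {
        $markerPath = $prefix + $t.Marker
        $opsPath    = $prefix + $t.OpsDn
        $present    = [System.DirectoryServices.DirectoryEntry]::Exists($markerPath)
        $revision   = if ($present) { ([ADSI]$markerPath).revision.Value } else { $null }
        $opsDone    = 0
        if ([System.DirectoryServices.DirectoryEntry]::Exists($opsPath)) {
            $opsDone = @(([ADSI]$opsPath).Children).Count
        }
        $status = if ($present)          { "completed (revision $revision)" }
                  elseif ($opsDone -gt 0) { "FAILED part-way: marker missing, check the adprep logs" }
                  else                    { "not run, or not yet replicated to this DC" }
        [pscustomobject]@{
            Check  = $t.Name
            Detail = ('{0}; {1} operation GUIDs present (2003 RTM adprep: {2})' -f $status, $opsDone, $t.Expected)
        }
    }
}

# Usage (server name is a placeholder):
Get-AdPrepStatus -Server 'dc1.corp.example.com' | Format-Table -AutoSize -Wrap
```

Run it against more than one DC when the marker is missing: because the marker is an ordinary directory object, a DC that has not yet received the replicated change reports "not run" even though the prep succeeded elsewhere, which is the replication caveat Guido puts in parentheses.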
[ActiveDir] Windows 2003 settings
I forgot, but where are the settings kept in AD where you can see if forest/domain prep has been run and which domain/forest functional level a domain/forest is on?

thanks
Re: [ActiveDir] Export and import essential AD objects for new forest
One follow-up to my last post: Should I be transferring or seizing the FSMO roles during this migration?

Thank you,
...D
[ActiveDir] GPO errors on logon
Hi,

I have 2 laptops that have the same problem. They are very slow to log on to the domain and they generate the following events:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 4/22/2005
Time: 3:55:08 PM
User: Domain\username
Computer: computername
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1006
Date: 4/22/2005
Time: 3:55:08 PM
User: Domain\username
Computer: computername
Description: Windows cannot bind to workgroup domain. (Erreur locale). Group Policy processing aborted.

I've done some research and I found an article that seems to cover this issue, though it's applicable to XP SP1 and the laptops are SP2. The solution in this article was a hotfix that needs to be sent by PSS.

The other problem (that seems to be related to the first one) is that it takes almost 1 minute to log on. Both laptops are Toshiba with Windows XP SP2, fully patched. The domain is a Win2k native domain.

Has anyone seen that already?

Thanks!
[ActiveDir] How can I see which processes an XP machine is running?
We have an XP machine on our network that is running automated queries on a search engine. Is there a way that I can see which processes/programs this PC is running without the user knowing?
RE: [ActiveDir] Export and import essential AD objects for new forest
Just for those able to speak German (all others can use Babelfish ;). Nils Kaczenski wrote some nice tools to get around most of the problems of exporting and importing AD information with CSVDE.EXE, i.e. an Excel macro that adds the "" around DNs (they get lost while importing the CSV file into Excel).

In short he wrote:
- Excel CSV-Addin
- Carlos - a configuration mask for CSVDE
- José - Create HTML based reports of your AD
- Carmen - Request data from AD based on SQL commands

With all my respects
Have fun
Oliver

http://www.kaczenski.de/component/option,com_docman/Itemid,41/task,view_category/catid,89/order,dmdate_published/ascdesc,DESC/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Friday, 22 April 2005 20:32
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Export and import essential AD objects for new forest

Thank you all for your most helpful responses! You guys are fantastic. Specifically: Jose Medeiros, Ken Jensen, and Ken Cornentet.

Due to time constraints, I think I am going to go with the swing method, so here is my proposed plan of attack:

Temp Server / Server B:
1) Install Windows Server 2003 Standard
2) dcpromo as DC for existing domain
3) Make server a GC
4) Install Exchange Server 2003 Standard - use the exact same naming convention as the production (Server A) server?
5) Migrate mailboxes from production server (Server A) to Server B -- would I simply use the move mailbox function in ESM?
6) Move FSMO roles from Server A to Server B
7) Verify DNS and WINS configuration

Production Server / Server A:
1) dcpromo original server down -- Ken Cornetet, can you please elaborate on this one?
2) Wipe OS clean from Server A, and clean install Windows Server 2003 -- is this safe to do now, Ken?
3) dcpromo as DC for existing domain
4) Make server a GC
5) Install Exchange Server 2003 Standard - use the exact same naming convention as the original production server?
6) Migrate mailboxes from temp server (Server B) to Server A -- would I simply use the move mailbox function in ESM again?
7) Move FSMO roles from Server B to Server A
8) Verify DNS and WINS configuration
9) Install SP1 for Exchange
10) Install SP1 for Windows
11) Install AV software and other misc. software
12) Decide what I want to do with Server B.
13) Now everything should work if Server B was powered down, for example -- correct?

Does this make sense? Hopefully you can move Exchange mailboxes from Enterprise to Standard through the ESM.

Thank you!
...D
RE: [ActiveDir] How can I see which processes an XP machine is running?
Check out PsTools...
http://www.sysinternals.com/ntw2k/freeware/pstools.shtml

Dameware utilities will do similar stuff. I'm sure there are other tools that do the same... You can query and view a lot of stuff on remote machines.

As far as doing it stealthily? That depends on how tightly the machine owner is watching. If they're sniffing their own network traces, you probably can't. If they're just watching for a remote desktop session, or someone stopping by their desk, then you can. "Without their knowing" is a vague phrase... :-)

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jason B
> Sent: Friday, April 22, 2005 9:45 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] How can I see which processes an XP machine is running?
>
> We have an XP machine on our network that is running automated queries on a search engine. Is there a way that I can see which processes/programs this PC is running without the user knowing?
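What PsList does over the wire is a WMI/DCOM query against Win32_Process, which can also be done directly. The script below is an added example written for this page, not code from the thread or from Sysinternals. It uses Get-WmiObject rather than the newer CIM cmdlets because an XP target has no WS-Management listener; the hostname is a placeholder, and it assumes the caller is a local administrator on the target (Get-WmiObject -Credential can supply one). On Charlie's stealth point: the query needs the remote-administration exception in the XP SP2 firewall and, if logon auditing is on, is recorded on the target as a successful network logon, so it is invisible to the user at the keyboard but not to anyone reading the machine's own logs.

```powershell
# Added example (editor's, not from the thread): list processes on a remote
# XP box via WMI with owner, parent and command line, which is what lets you
# attribute an automated query tool to a user and a launcher.
# Assumes local admin on the target; $ComputerName is a placeholder.

function Get-RemoteProcessReport {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [System.Management.Automation.PSCredential] $Credential
    )
    $wmiArgs = @{ Class = 'Win32_Process'; ComputerName = $ComputerName }
    if ($Credential) { $wmiArgs.Credential = $Credential }
    $procs = Get-WmiObject @wmiArgs

    # Index by PID so each process can be joined to its parent (a browser
    # launched by a scheduled task has a very different parent than one
    # launched from explorer.exe).
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $owner  = $p.GetOwner()   # WMI method on Win32_Process: token owner of the process
        $parent = $byPid[[int]$p.ParentProcessId]
        [pscustomobject]@{
            PID         = $p.ProcessId
            Name        = $p.Name
            Owner       = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '?' }
            ParentPID   = $p.ParentProcessId
            Parent      = if ($parent) { $parent.Name } else { '(exited)' }
            Started     = if ($p.CreationDate) {
                              [System.Management.ManagementDateTimeConverter]::ToDateTime($p.CreationDate)
                          } else { $null }
            CommandLine = $p.CommandLine
        }
    }
}

# Usage: hide the core system processes and show the rest newest-first, so the
# most recently started (or re-started) program is at the top.
$wellKnown = 'System', 'Idle', 'smss.exe', 'csrss.exe', 'winlogon.exe',
             'services.exe', 'lsass.exe', 'svchost.exe', 'spoolsv.exe'
Get-RemoteProcessReport -ComputerName 'XP-WS042' |
    Where-Object { $wellKnown -notcontains $_.Name } |
    Sort-Object Started -Descending |
    Format-Table PID, Name, Owner, Parent, Started, CommandLine -AutoSize -Wrap
```

The command line is usually the decisive field: an automated query tool started from a batch file or scheduled task shows its script path and arguments there, which a plain process name list (what the user would see in Task Manager) does not.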
RE: [ActiveDir] GC's
Tom,

Most likely the reason that MS instructed them to remove the GC role from all the DCs, only later to re-enable the role, as well as the answer to your question around why would these deleted objects show up on a GC, is "lingering objects." Basically a lingering object is an object that has been previously deleted on a DC with a writeable partition, but for some reason knowledge of that deletion (replication of the tombstone object) never made it to one or more DC/GCs. 9 times out of 10 there are replication issues in the AD environment that are preventing replication to one or more DC/GCs. That 1 other time is usually the result of the tombstone lifetime not being long enough to allow the deletion to replicate to all systems.

When lingering objects exist within the GC, which is read only, how do you remove them? The answer used to be "remove the GC role from all systems" and after the removal is complete re-enable the role, allowing the GCs to rebuild themselves from the writeable domain partitions held by other DCs. For a smaller environment this is not a problem, but for a larger environment it will kill your functionality, especially when it comes to applications like Exchange - not to mention logging on. The occupancy level, as Dean mentioned, governs when the GC begins to "act like" a GC. In a large environment with lots of domains, fulfilling the occupancy level can take a long time.

In the later service packs of W2K and in W2K3 a new switch was implemented in repadmin to help with the removal of lingering objects, even from the read-only GC partition.

With any luck, Wook Lee will see this thread and will provide us his dissertation on the various types of lingering objects (as defined by him): Zombies, Ghosts, and Poltergeists.

Regards,
Aric Bernard

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, April 20, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

I never talked to the guy from MS, so I don't know how that conversation went, though it did seem a little like a "reboot to fix the problem" type solution.

Which brings me to another question - under what circumstances would a deleted object still show up as a valid object in GCs? That was the problem they were having. It was claimed that OUs were deleted and that was never reflected in the GC, among other objects.

The only thing I can think of is some admin said they were using movetree to move objects between domains. I've never used movetree, but I'm aware of its limitations as to global and local groups, as well as that it can't move computer objects. I don't know if it spits out an error when you try these things, but that could've caused the issues.

thanks

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 20, 2005 12:26 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GC's

"Occupancy level" is an integer (controlled via the DC's registry) that represents how much of the total-partial foreign domain content a newly designated GC must have sourced before announcing itself as "ready". Early builds of Windows 2000 defaulted to 3 I believe, this was later adjusted to 6 where the 3 equates to the insane "a complete-partial replica of all foreign domains in _same site_" and the 6 equates to the more heart-warming "a complete-partial replica of all foreign domains".

Unchecking and rechecking the GC box only has an impact if the uncheck action replicated out discreetly and reached the DC to whom it applied (keep in mind that when you uncheck the box you are merely originating a write against a replica of the config. NC which may or may not [most likely not] be the DC to whom the change applies). If the box is rechecked before it reached that owning DC, it is impossible to state with any certainty whether the target DC will begin the demotion process, since it's dependent upon the replication topology and its inherent end-to-end latency.

PS - With all due respect to the support technician that instructed you to demote each GC in turn, wait a while and re-promote ... that wouldn't guarantee a working end-result, there's a chance it will work and an equal chance that it will fail unless the other steps were taken to contrive how the GCs re-sourced their content.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, April 20, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

Actually, I did want to know the other stuff as well :)

Also, what exactly is "occupancy level"? I had some EAs that saw an issue in AD where there were objects that were deleted in AD but were still present in the GC (for months). They called MS and MS told them this will snowball into a serious issue. So, after much chatting, MS recommended for
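The repadmin switch Aric refers to is /removelingeringobjects (Windows Server 2003 SP1 and later), and the way to use it without the "drop all GCs and rebuild" cost is: pick a DC known to be clean for the partition, run every other replica against it in /advisory_mode, read the counts, and only then commit. The script below is an added example written for this page, not code from the thread; it uses the ActiveDirectory PowerShell module only to enumerate DCs and to look up the reference DC's DSA GUID, and the DC and partition names are placeholders. The second function sets the registry value that makes a DC refuse to replicate lingering objects back in, which is what stops the problem recurring once a DC has been out of replication past the tombstone lifetime.

```powershell
# Added example (editor's, not from the thread): advisory-first lingering
# object cleanup with repadmin, then strict replication consistency.
# Assumes the ActiveDirectory module, repadmin.exe (2003 SP1+), and a
# caller with Domain/Enterprise Admin rights. Names are placeholders.

function Invoke-LingeringObjectCleanup {
    param(
        [Parameter(Mandatory)] [string]   $ReferenceDc,    # DC known to be clean for $NamingContext
        [Parameter(Mandatory)] [string]   $NamingContext,  # e.g. "DC=corp,DC=example,DC=com"
        [string[]] $DestinationDcs,                         # default: every GC plus every DC of this domain
        [switch]   $Commit                                  # omitted => /advisory_mode, report only
    )
    # repadmin identifies the *source* by the objectGUID of its NTDS Settings
    # object (the DSA GUID), not by hostname and not by invocation ID.
    $ref     = Get-ADDomainController -Identity $ReferenceDc
    $dsaGuid = (Get-ADObject -Identity $ref.NTDSSettingsObjectDN -Properties objectGUID).ObjectGUID

    if (-not $DestinationDcs) {
        # GCs hold a read-only copy of every foreign domain NC, which is exactly
        # where Tom's deleted objects lingered; writable replicas need the same
        # pass. For a foreign NC the reference must be a clean DC *of that domain*.
        $DestinationDcs = @((Get-ADForest).GlobalCatalogs) +
                          @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName) |
                          Sort-Object -Unique |
                          Where-Object { $_ -ne $ref.HostName }
    }
    foreach ($dest in $DestinationDcs) {
        $cmdArgs = @('/removelingeringobjects', $dest, $dsaGuid.ToString(), $NamingContext)
        if (-not $Commit) { $cmdArgs += '/advisory_mode' }
        $output = & repadmin.exe @cmdArgs 2>&1
        # In advisory mode the destination logs Directory Service events 1942
        # (summary with the count) and 1946 (one per lingering object found);
        # those, not this console text, are the record to review before -Commit.
        [pscustomobject]@{
            Destination = $dest
            Mode        = if ($Commit) { 'REMOVE' } else { 'advisory' }
            ExitCode    = $LASTEXITCODE
            Output      = ($output | Out-String).Trim()
        }
    }
}

function Set-StrictReplicationConsistency {
    # With this value set, a DC rejects an inbound update for an object it has
    # already deleted instead of re-animating it (the default is lenient on
    # domains that were upgraded from Windows 2000).
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    foreach ($dc in $ComputerName) {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
        $key  = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters', $true)
        $key.SetValue('Strict Replication Consistency', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close(); $hive.Close()
        [pscustomobject]@{ DC = $dc; StrictReplicationConsistency = 1 }
    }
}

# Usage: report first, commit only after reading the 1942/1946 events.
# Invoke-LingeringObjectCleanup -ReferenceDc 'dc1.corp.example.com' -NamingContext 'DC=corp,DC=example,DC=com'
# Invoke-LingeringObjectCleanup -ReferenceDc 'dc1.corp.example.com' -NamingContext 'DC=corp,DC=example,DC=com' -Commit
# Set-StrictReplicationConsistency -ComputerName (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
```

Two things the advisory pass protects against: choosing a reference DC that is itself stale (in which case it would report the *good* DCs as having lingering objects, and a commit would delete live data), and running against a partition the reference does not hold writably, which repadmin reports rather than guessing.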
Re: [ActiveDir] Export and import essential AD objects for new forest
Thank you all for your most helpful responses! You guys are fantastic. Specifically: Jose Medeiros, Ken Jensen, and Ken Cornentet.

Due to time constraints, I think I am going to go with the swing method, so here is my proposed plan of attack:

Temp Server / Server B:
1) Install Windows Server 2003 Standard
2) dcpromo as DC for existing domain
3) Make server a GC
4) Install Exchange Server 2003 Standard - use the exact same naming convention as the production (Server A) server?
5) Migrate mailboxes from production server (Server A) to Server B -- would I simply use the move mailbox function in ESM?
6) Move FSMO roles from Server A to Server B
7) Verify DNS and WINS configuration

Production Server / Server A:
1) dcpromo original server down -- Ken Cornetet, can you please elaborate on this one?
2) Wipe OS clean from Server A, and clean install Windows Server 2003 -- is this safe to do now, Ken?
3) dcpromo as DC for existing domain
4) Make server a GC
5) Install Exchange Server 2003 Standard - use the exact same naming convention as the original production server?
6) Migrate mailboxes from temp server (Server B) to Server A -- would I simply use the move mailbox function in ESM again?
7) Move FSMO roles from Server B to Server A
8) Verify DNS and WINS configuration
9) Install SP1 for Exchange
10) Install SP1 for Windows
11) Install AV software and other misc. software
12) Decide what I want to do with Server B.
13) Now everything should work if Server B was powered down, for example -- correct?

Does this make sense? Hopefully you can move Exchange mailboxes from Enterprise to Standard through the ESM.

Thank you!
...D
RE: [ActiveDir] Native Mode Switch
I would consider moving all the FSMO roles to this DC. Then doing a P2V snapshot of this DC with VM. Bring up the VM on a machine not connected to the live network and then do the native mode switch as a proof of concept before doing it in the live environment.

Ivor Beelders
Global Directory Services Group
Information Management, Rexam Inc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Friday, April 22, 2005 7:10 AM
To: ActiveDir@mail.activedir.org; Nicolas Blank; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Native Mode Switch

Hey Nicolas - how is life in South Africa?

I see Jorge has basically touched all aspects of why you'd want to prepare for a forest DR, if you really want to undo the switch to native mode of a Win2k domain. He's even given you a usable workaround to test just that "business critical SNA application that HAS to live on a DC" to see if it still works after it was switched to native (disable replication to other DCs). I would add that you may also consider moving all FSMO roles to that DC so you don't run into issues related to the FSMOs not being on a native mode DC during your tests.

However, could you elaborate a little on that "business critical SNA application that HAS to live on a DC" - does it A: have to live on a DC because it's a DC, or B: have to live on THAT machine (name/IP), which happens to be a DC? If B, the workaround is obvious. If A, I'd like to know why?

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jorge de Almeida Pinto
Sent: Friday, 22 April 2005 13:16
To: 'Nicolas Blank'; '[EMAIL PROTECTED]'; 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Native Mode Switch

Good question! That would not work... Why?

With NTDSUTIL you have the following options:

?                              - Show this help information
Help                           - Show this help information
List NC CRs                    - Lists Partitions and cross-refs. You need the cross-ref of an Application Directory Partition to restore it.
Quit                           - Return to the prior menu
Restore database               - Authoritatively restore entire database
Restore database verinc %d     - ... and override version increase
Restore object %s              - Authoritatively restore an object
Restore object %s verinc %d    - ... and override version increase
Restore subtree %s             - Authoritatively restore a subtree
Restore subtree %s verinc %d   - ... and override version increase

"Restore subtree %s - Authoritatively restore a subtree" means: Increase the version of the objects within the subtree in the backup. So if you have made several changes to objects within the subtree and you also created new objects within the subtree, AND you want to revert to an older version of the backed-up objects (the ones you changed) in the subtree, you authoritatively restore that subtree. The newly created objects WILL NOT DISAPPEAR as you may think. With an "Authoritatively restore a subtree" you're simply saying increase the version of the objects within the subtree in the backup. You are NOT saying REPLACE the contents of that subtree! There is a difference in that!

"Restore database - Authoritatively restore entire database" means: Increase the version of ALL objects in the database in the backup (all objects in the domain NC, all objects in the config NC and all objects in app NCs, BUT NOT the objects in the schema NC. At the moment it is not possible to authoritatively restore your schema without doing a disaster rec.!!). You also need to take your SYSVOL into account!!! You should be careful with this one!!! So if you have made several changes to objects within the database and you also created new objects within the database, AND you want to revert to an older version of the backed-up objects (the ones you changed) in the database, you authoritatively restore that database. The newly created objects WILL NOT DISAPPEAR as you may think. With an "Authoritatively restore a database" you're simply saying increase the version of the objects within the database in the backup. You are NOT saying REPLACE the contents of that database with the one from the backup! There is a difference in that!

So if you created new objects like USGs, done some group nesting, etc. you could not revert the database back to mixed mode because configurations exist that are not supported in mixed, and then you would have inconsistencies. If that were possible that would create one hell of a KB article from MS to explain how to solve that one.

If you want to REPLACE you'll have to do a disaster rec.

See also:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/distrib/dsfl_utl_TDNO.asp
Re: [ActiveDir] IPsec policy
Windows IPsec policies are applied based on IP addresses. You could possibly do this per user if you had a batch file that would create and rescind the IPsec policy. You could then apply the IPsec policy in a logon script and remove it in a logoff script.

Dennis

On 4/21/05, Kern, Tom <[EMAIL PROTECTED]> wrote:
> I set up an IPsec filter to block traffic outgoing on port 80/443. That works fine.
> I was wondering if it's possible to do this per user and not just machine specific.
> Thanks
RE: [ActiveDir] Native Mode Switch
Hey Nicolas - how is life in South Africa?

I see Jorge has basically touched all aspects of why you'd want to prepare for a forest DR, if you really want to undo the switch to native mode of a Win2k domain. He's even given you a usable workaround to test just that "business critical SNA application that HAS to live on a DC" to see if it still works after it was switched to native (disable replication to other DCs). I would add that you may also consider moving all FSMO roles to that DC so you don't run into issues related to the FSMOs not being on a native mode DC during your tests.

However, could you elaborate a little on that "business critical SNA application that HAS to live on a DC" - does it A: have to live on a DC because it's a DC, or B: have to live on THAT machine (name/IP), which happens to be a DC? If B, the workaround is obvious. If A, I'd like to know why?

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Friday, 22 April 2005 13:16
To: 'Nicolas Blank '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Native Mode Switch

Good question! That would not work... Why?

With NTDSUTIL you have the following options:
? - Show this help information
Help - Show this help information
List NC CRs - Lists Partitions and cross-refs. You need the cross-ref of an Application Directory Partition to restore it.
Quit - Return to the prior menu
Restore database - Authoritatively restore entire database
Restore database verinc %d - ... and override version increase
Restore object %s - Authoritatively restore an object
Restore object %s verinc %d - ... and override version increase
Restore subtree %s - Authoritatively restore a subtree
Restore subtree %s verinc %d - ... and override version increase

"Restore subtree %s - Authoritatively restore a subtree" means: increase the version of the objects within the subtree in the backup. So if you have made several changes to objects within the subtree and you also created new objects within the subtree, AND you want to revert to an older version of the backed-up objects (the ones you changed) in the subtree, you authoritatively restore that subtree. The newly created objects WILL NOT DISAPPEAR as you may think. With an "Authoritatively restore a subtree" you're simply saying: increase the version of the objects within the subtree in the backup. You are NOT saying REPLACE the contents of that subtree! There is a difference in that!

"Restore database - Authoritatively restore entire database" means: increase the version of ALL objects in the database in the backup (all objects in the domain NC, all objects in the config NC and all objects in app NCs, BUT NOT the objects in the schema NC. At the moment it is not possible to authoritatively restore your schema without doing a disaster recovery!!). You also need to take your SYSVOL into account!!! You should be careful with this one!!! So if you have made several changes to objects within the database and you also created new objects within the database, AND you want to revert to an older version of the backed-up objects (the ones you changed) in the database, you authoritatively restore that database. The newly created objects WILL NOT DISAPPEAR as you may think. With an "Authoritatively restore a database" you're simply saying: increase the version of the objects within the database in the backup. You are NOT saying REPLACE the contents of that database with the one from the backup! There is a difference in that! So if you created new objects like USGs, did some group nesting, etc., you could not revert the database back to mixed mode because "configurations exist that are not supported in mixed mode" and then you would have inconsistencies. If that were possible, that would create one hell of a KB article from MS to explain how to solve that one. If you want to REPLACE you'll have to do a Disaster Recovery.

See also:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/distrib/dsfl_utl_TDNO.asp
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbj_brr_zldg.asp

Answer to your question?

Jorge

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/22/2005 9:23 AM
Subject: RE: [ActiveDir] Native Mode Switch

Perfect sense, thanks for the reply. Understand about Lanman rep to downlevel versions.

What effect would it have if a DC was authoritatively restored pre native mode and the other DCs were native mode? This presumes no group nesti
RE: [ActiveDir] Native Mode Switch
Good question! That would not work... Why?

With NTDSUTIL you have the following options:
? - Show this help information
Help - Show this help information
List NC CRs - Lists Partitions and cross-refs. You need the cross-ref of an Application Directory Partition to restore it.
Quit - Return to the prior menu
Restore database - Authoritatively restore entire database
Restore database verinc %d - ... and override version increase
Restore object %s - Authoritatively restore an object
Restore object %s verinc %d - ... and override version increase
Restore subtree %s - Authoritatively restore a subtree
Restore subtree %s verinc %d - ... and override version increase

"Restore subtree %s - Authoritatively restore a subtree" means: increase the version of the objects within the subtree in the backup. So if you have made several changes to objects within the subtree and you also created new objects within the subtree, AND you want to revert to an older version of the backed-up objects (the ones you changed) in the subtree, you authoritatively restore that subtree. The newly created objects WILL NOT DISAPPEAR as you may think. With an "Authoritatively restore a subtree" you're simply saying: increase the version of the objects within the subtree in the backup. You are NOT saying REPLACE the contents of that subtree! There is a difference in that!

"Restore database - Authoritatively restore entire database" means: increase the version of ALL objects in the database in the backup (all objects in the domain NC, all objects in the config NC and all objects in app NCs, BUT NOT the objects in the schema NC. At the moment it is not possible to authoritatively restore your schema without doing a disaster recovery!!). You also need to take your SYSVOL into account!!! You should be careful with this one!!!

So if you have made several changes to objects within the database and you also created new objects within the database, AND you want to revert to an older version of the backed-up objects (the ones you changed) in the database, you authoritatively restore that database. The newly created objects WILL NOT DISAPPEAR as you may think. With an "Authoritatively restore a database" you're simply saying: increase the version of the objects within the database in the backup. You are NOT saying REPLACE the contents of that database with the one from the backup! There is a difference in that! So if you created new objects like USGs, did some group nesting, etc., you could not revert the database back to mixed mode because "configurations exist that are not supported in mixed mode" and then you would have inconsistencies. If that were possible, that would create one hell of a KB article from MS to explain how to solve that one. If you want to REPLACE you'll have to do a Disaster Recovery.

See also:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/distrib/dsfl_utl_TDNO.asp
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbj_brr_zldg.asp

Answer to your question?

Jorge

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/22/2005 9:23 AM
Subject: RE: [ActiveDir] Native Mode Switch

Perfect sense, thanks for the reply. Understand about Lanman rep to downlevel versions.

What effect would it have if a DC was authoritatively restored pre native mode and the other DCs were native mode? This presumes no group nesting had taken place. On the DC, the built-in groups (schema admins, ent admins) that had become USGs would be DGGs already. This would re-introduce a value of 1 in the nTMixedDomain attrib on the domain NC.

Would the domain "shift back" to mixed mode?

Thanks for your time so far Jorge.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: 21 April 2005 01:17 PM
To: 'Nicolas Blank '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Native Mode Switch

As you know, changing the mode or FL switch to an upper level introduces new features. One of the consequences is that the DCs will not accept Lanman repl which is used by legacy DCs (NT4). Some of the features that are introduced are also not supported by NT4 DCs. One of the examples is UNIVERSAL SECURITY GROUPS (USGs) (group nesting is another). USGs only exist in at least DFL w2k native mode. If you switch to native mode and create USGs and use them to secure resources... Let's say that you want to go back to mixed mode... you would need to first undo all newly introduced functionalities like the USGs and the group nesting
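The version-stamp behaviour Jorge describes, as an added example that is not part of the thread and not Microsoft code: a toy Python model of attribute-level replication metadata, with an authoritative restore modelled as "copy the backup back, then raise the versions of every attribute of every object in scope". The conflict rule (version, then timestamp, then originating DSA), the increase of 100000 per day since the backup, and the DNs are assumptions for illustration. The model says nothing about what a real DC would do with the resulting state (for instance whether it honours an nTMixedDomain that flipped back to 1); it only shows which attribute values win replication and that objects created after the backup stay.

```python
"""Toy model of AD attribute-level replication metadata and of what an
NTDSUTIL-style 'restore database' / 'restore subtree' does to it.

Added example for this thread, not code from the list or from Microsoft.
Assumptions (not from the original posts): the conflict rule is simplified
to (version, timestamp, originating DSA), the version increase is 100000
per day since the backup, and the DNs are made up.
"""
import copy
from dataclasses import dataclass, field


@dataclass
class AttrMeta:
    value: object
    version: int    # per-attribute version stamp, bumped on originating writes
    timestamp: int  # originating change time, first tie-breaker
    dsa: str        # originating DSA, last tie-breaker


@dataclass
class Replica:
    name: str
    objects: dict = field(default_factory=dict)  # DN -> {attr: AttrMeta}
    clock: int = 0

    def write(self, dn, attr, value):
        """Originating write: the attribute's version goes up by exactly one."""
        self.clock += 1
        obj = self.objects.setdefault(dn, {})
        old = obj.get(attr)
        obj[attr] = AttrMeta(value, old.version + 1 if old else 1,
                             self.clock, self.name)

    def backup(self):
        return copy.deepcopy(self.objects)


def wins(incoming, local):
    """Higher version wins; ties go to the later timestamp, then the DSA name."""
    return ((incoming.version, incoming.timestamp, incoming.dsa)
            > (local.version, local.timestamp, local.dsa))


def replicate(src, dst):
    """Inbound replication dst <- src, attribute by attribute. Objects the
    destination has never seen are added; known attributes are overwritten
    only where the source copy wins the conflict. Nothing is ever removed."""
    for dn, attrs in src.objects.items():
        dobj = dst.objects.setdefault(dn, {})
        for attr, meta in attrs.items():
            if attr not in dobj or wins(meta, dobj[attr]):
                dobj[attr] = copy.copy(meta)


def sync(a, b):
    replicate(a, b)
    replicate(b, a)


def authoritative_restore(dc, backup, scope_dn, verinc):
    """Put the backup back on `dc`, then raise the version of every attribute
    of every object at or below `scope_dn` by `verinc`. The restored copies
    merely win their next conflict; nothing is deleted on any replica."""
    dc.objects = copy.deepcopy(backup)
    for dn, attrs in dc.objects.items():
        if dn == scope_dn or dn.endswith("," + scope_dn):
            for meta in attrs.values():
                meta.version += verinc


def scenario(scope, days_since_backup=1):
    """scope: 'database' (whole domain NC) or 'subtree' (OU=Groups only)."""
    domain = "DC=corp,DC=example"              # assumed domain NC head
    groups = "OU=Groups," + domain
    dc1, dc2 = Replica("DC1"), Replica("DC2")

    dc1.write(domain, "nTMixedDomain", 1)      # still mixed mode
    dc1.write("CN=Sales," + groups, "groupType", "global")
    sync(dc1, dc2)
    backup = dc1.backup()                      # backup taken in mixed mode

    # After the backup: switch to native on DC2 and create a universal group.
    dc2.write(domain, "nTMixedDomain", 0)
    dc2.write("CN=AllStaff," + groups, "groupType", "universal")
    sync(dc1, dc2)

    verinc = 100000 * days_since_backup        # assumed default increase
    target = domain if scope == "database" else groups
    authoritative_restore(dc1, backup, target, verinc)
    sync(dc1, dc2)

    values = lambda r: {dn: {a: m.value for a, m in attrs.items()}
                        for dn, attrs in r.objects.items()}
    return {
        "nTMixedDomain": dc2.objects[domain]["nTMixedDomain"].value,
        "usg_survives": "CN=AllStaff," + groups in dc2.objects,
        "replicas_converged": values(dc1) == values(dc2),
    }


if __name__ == "__main__":
    for scope in ("database", "subtree"):
        print(scope, scenario(scope))
```

With scope 'database' the restored nTMixedDomain=1 wins on the other DC while the universal group created after the backup stays on both replicas, which is the inconsistent state Jorge warns about; with scope 'subtree' only OU=Groups is bumped, so the domain head keeps nTMixedDomain=0 and the group still stays.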
RE: [ActiveDir] Native Mode Switch
Perfect sense, thanks for the reply. Understand about Lanman rep to downlevel versions.

What effect would it have if a DC was authoritatively restored pre native mode and the other DCs were native mode? This presumes no group nesting had taken place. On the DC, the built-in groups (schema admins, ent admins) that had become USGs would be DGGs already. This would re-introduce a value of 1 in the nTMixedDomain attrib on the domain NC.

Would the domain "shift back" to mixed mode?

Thanks for your time so far Jorge.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: 21 April 2005 01:17 PM
To: 'Nicolas Blank '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Native Mode Switch

As you know, changing the mode or FL switch to an upper level introduces new features. One of the consequences is that the DCs will not accept Lanman repl which is used by legacy DCs (NT4). Some of the features that are introduced are also not supported by NT4 DCs. One of the examples is UNIVERSAL SECURITY GROUPS (USGs) (group nesting is another). USGs only exist in at least DFL w2k native mode. If you switch to native mode and create USGs and use them to secure resources... Let's say that you want to go back to mixed mode... you would need to first undo all newly introduced functionalities like the USGs and the group nesting.

Does this make sense?

#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/21/2005 12:03 PM
Subject: RE: [ActiveDir] Native Mode Switch

I hear you. I do know what the switch achieves in terms of functionality, I understand the literature, have done this, have explained the same to clients, however I am faced with the question of why this is a non-reversible switch?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: 20 April 2005 09:07 PM
To: 'Nicolas Blank '; Jorge de Almeida Pinto; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Native Mode Switch

Manually re-writing the attribute will not work.

Also see:
http://support.microsoft.com/kb/322692
http://www.petri.co.il/understanding_function_levels_in_windows_2003_ad.htm

Jorge

-----Original Message-----
From: Nicolas Blank
To: 'Jorge de Almeida Pinto'; ActiveDir@mail.activedir.org
Sent: 4/20/2005 8:25 PM
Subject: RE: [ActiveDir] Native Mode Switch

Thanks for the answer. This is understood, however, what are the implications of manually re-writing the nTMixedDomain value back to 1? Also, what actions does a DC take once the value change is effected that makes the change non-reversible?

-----Original Message-----
From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent: 20 April 2005 08:17 PM
To: 'Nicolas Blank '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Native Mode Switch

When you convert the domain to native mode the attribute nTMixedDomain on the domain NC head of the replica where the change is made is changed from 1 to 0. This change replicates out to all other replicas. There is no way you can change this attribute back without doing a disaster recovery for the domain. The main thing here is that you don't have legacy DCs in the domain anymore!!!

I can think of the following solutions to test the change of the mode switch:
* Create a copy of the particular machine with the SNA application and test that in a test environment
* Create a full backup of the particular DC with the SNA app, disable OUTBOUND replication for that DC (REPADMIN) and change the mode switch. If something goes wrong, restore the DC and enable replication again (the latter is needed as the restored DC will receive the disabled state from the other DCs).

Jorge

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/20/2005 7:30 PM
Subject: [ActiveDir] Native Mode Switch

Sorry, hijacked the topic by mistake. Apologies.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: 20 April 2005 07:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

Eric, Joe, Al, Carlos, Guido

Question for you guys and the wider audience. What happens EXACTLY in Win2k on a DC(s) when the native mode switch is pushed, and what are the ramifications of changing the attribute back to reflect mixed mode once this has happened? I have a customer with a nervous disposition that doesn't believe me when I say there ain't no way back that's supported without doing an AD DR. Background is a business critical SNA application that HAS to live on a DC. MS is cool about switching to native, but customer is REALLY nervous.

Any insight will be appreciated.