RE : [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

2005-05-24 Thread TIROA YANN
Yes That's it !! :o)
 
Thank You
 
Regards,
 
Yann



From: [EMAIL PROTECTED] on behalf of Free, Bob
Date: Tue. 24/05/2005 23:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.



Try  http://redmondmag.com/columns/article.asp?EditorialsID=403



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Tuesday, May 24, 2005 2:00 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.


Hi tony :-)

I would love to complete my "formation" with your article but your link you 
mailed me seems to be dead :(

Regards,

Yann



From: [EMAIL PROTECTED] on behalf of Tony Murray
Date: Tue. 24/05/2005 22:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.


Hi Yann

The following article provides a reasonable explanation of the role
of the Infrastructure Master:

http://redmondmag=2Ecom/columns/article=2Easp=3FEditorialsID=3D403 
 

Tony




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, 25 May 2005 7:37 a.m.
To: Jorge de Almeida Pinto; [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.


Ok thanks for the good links :-))

I must apologize (again ;-), but I missed something...

Just for my comprehension:
I have 2 domains a and b. I add usera in groupa on DCa in domaina. DCa will 
create a phantom object which is the reference of userb. right ?
No, if I delete or modify userb on domainb, the phantom must be updated in my 
groupa on my DCa. So it's the job of the IM on domaina to compare updated 
information on GCa. IM will then update the phantom on DCa and the world goes 
on :-)

But there is one thing I didn't understand yet. sorry :-(  If DCa is 
IM+GC, then the IM cannot compare and update information about the phantom 
because it has the latest information, so DCa will then update userb in 
groupa.. right ? and this change will be replicated to all DCs and GCs of the 
forest ? So what's wrong with placing IM on DC which is GC ?

Regards,

Yann



From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Date: Tue. 24/05/2005 20:13
To: TIROA YANN; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.



Hi,

For more info on the infrastructure master see "Phantoms, Tombstones and the
Infrastructure Master" (http://support.microsoft.com/?id=248047)

In both W2K and W2K3 AD.. the following rules apply:
* if you have only one domain -> make all DCs also GCs  as there is no
additional overhead
* if you have more than one domain in the forest -> for each domain in the
forest do not place the infrastructure master on a GC if you have at least
another DC in that same domain that is not a GC also!

In all cases: if all DCs = GCs there is no issue concerning the
infrastructure master.

In W2K, replication (for DCs/ for GCs) was/is of more importance because
when a group membership changed the complete members attribute got
replicated. This could be a pain, especially for universal groups

In W2K3, replication (for DCs/ for GCs) is of less importance because as
soon as you get to forest functional level windows 2003 you get linked value
replication which simply means that only the new member replicates... so
less impact! LVR also applies to other multi-valued attributes
Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 7:57 PM
Subject: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

Hello :-)

Just a question concerning the placement of the global catalog (GC) and
the Infrastructure Master (IM) on a DC.
Microsoft said not to place the IM on a DC that is already a GC...

Why? and should it be true for an  AD 2003 forest with only one domain ?

Regards,

Yann


This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
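
The placement rules Jorge lists in the quoted message above (single domain: make all DCs GCs; multi-domain: keep the IM off a GC unless every DC in the domain is a GC) can be written as a check. This is an added example, not part of the thread; the function name, the result fields and the sample inventory are constructed for illustration.

```powershell
# Added example: evaluates one domain against the GC / Infrastructure Master
# placement rules quoted in the thread. Names and sample data are constructed.
function Test-InfrastructureMasterPlacement {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [int]      $ForestDomainCount,
        [Parameter(Mandatory)] [string]   $DomainName,
        [Parameter(Mandatory)] [string]   $InfrastructureMaster,
        # Objects exposing HostName and IsGlobalCatalog, the two properties of
        # Get-ADDomainController output that matter for this check.
        [Parameter(Mandatory)] [object[]] $DomainControllers
    )

    $nonGc = @($DomainControllers | Where-Object { -not $_.IsGlobalCatalog })
    $imDc  = @($DomainControllers | Where-Object { $_.HostName -eq $InfrastructureMaster })

    if ($imDc.Count -ne 1) {
        $status = 'Unknown'
        $detail = 'IM role holder not found (or not unique) in the supplied DC list'
    }
    elseif ($nonGc.Count -eq 0) {
        # "In all cases: if all DCs = GCs there is no issue"
        $status = 'OK'
        $detail = 'All DCs are GCs: no issue concerning the infrastructure master'
    }
    elseif ($ForestDomainCount -eq 1) {
        # Single domain: the thread's advice is to make every DC a GC
        $status = 'Review'
        $detail = 'Single-domain forest: make the remaining DCs GCs as well'
    }
    elseif ($imDc[0].IsGlobalCatalog) {
        # Multi-domain, IM on a GC, and a non-GC DC exists in the same domain
        $status = 'Misplaced'
        $detail = 'Multi-domain forest: IM is on a GC while non-GC DCs exist; move it to one of them'
    }
    else {
        $status = 'OK'
        $detail = 'Multi-domain forest: IM is on a DC that is not a GC'
    }

    [pscustomobject]@{
        Domain               = $DomainName
        InfrastructureMaster = $InfrastructureMaster
        Status               = $status
        Detail               = $detail
        NonGcCandidates      = ($nonGc | ForEach-Object { $_.HostName }) -join ', '
    }
}

# Constructed inventory: two-domain forest, domain a.example, IM held by a GC.
$sampleDcs = @(
    [pscustomobject]@{ HostName = 'DCa1.a.example'; IsGlobalCatalog = $true  },
    [pscustomobject]@{ HostName = 'DCa2.a.example'; IsGlobalCatalog = $false }
)
Test-InfrastructureMasterPlacement -ForestDomainCount 2 -DomainName 'a.example' `
    -InfrastructureMaster 'DCa1.a.example' -DomainControllers $sampleDcs

# Against a live forest (requires the ActiveDirectory module):
# $forest = Get-ADForest
# foreach ($d in $forest.Domains) {
#     Test-InfrastructureMasterPlacement -ForestDomainCount $forest.Domains.Count -DomainName $d `
#         -InfrastructureMaster (Get-ADDomain -Server $d).InfrastructureMaster `
#         -DomainControllers (Get-ADDomainController -Filter * -Server $d)
# }
```

With the constructed inventory the check reports the domain as misplaced and names DCa2.a.example as the non-GC DC the role could move to.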



RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

2005-05-24 Thread Dean Wells
 
I'd assumed Jorge was referencing a.n.other article ... thanks though!

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Tuesday, May 24, 2005 4:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

Carlos Magalhaes wrote:

> Yeah can you shoot me over a copy too :P I would like to check it out 
> :)

Are you looking for this :)
"Phantoms, Tombstones and the Infrastructure Master"
http://support.microsoft.com/?id=248047

-- 

Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl


RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

2005-05-24 Thread Free, Bob
Try  http://redmondmag.com/columns/article.asp?EditorialsID=403





RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

2005-05-24 Thread Tony Murray
Yann
 
Whether or not you have Exchange 2003 deployed in your infrastructure has no
impact on your decision to place the IM on a DC/GC.
 
Tony

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, 25 May 2005 8:58 a.m.
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE : [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.


Oupss... last question about this tip ;-)
 
What direct consequences of placing IM on a DC which is GC will have in my
AD-Exchange 2003 infrastructure ?
 
Regards,
 
Yann
 
PS: i think, you're looking for ... this

http://support.microsoft.com/?id=248047  ;D

  _  

From: [EMAIL PROTECTED] on behalf of Dean Wells
Date: Tue. 24/05/2005 22:10
To: Send - AD mailing list
Subject: RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.



... who wrote it?

Shoot me over a copy por favor me ol' mate, guv'na and any other ridiculous
British/Euro phrase I can 'fink' of :)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Tuesday, May 24, 2005 4:02 PM
To: 'TIROA YANN '; Jorge de Almeida Pinto;
'[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

have you read the article "Phantoms, Tombstones and the Infrastructure
Master" which I mailed you? This explains the issue you are trying to
understand.

Cheers
#JORGE#


RE : [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

2005-05-24 Thread TIROA YANN

Hi tony :-)
 
I would love to complete my "formation" with your article but your link you 
mailed me seems to be dead :(
 
Regards,
 
Yann




RE : [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

2005-05-24 Thread TIROA YANN
Oupss... last question about this tip ;-)
 
What direct consequences of placing IM on a DC which is GC will have in my 
AD-Exchange 2003 infrastructure ?
 
Regards,
 
Yann
 
PS: i think, you're looking for ... this
http://support.microsoft.com/?id=248047  ;D




RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

2005-05-24 Thread Tony Murray

Hi Yann

The following article provides a reasonable explanation of the role
of the Infrastructure Master:

http://redmondmag=2Ecom/columns/article=2Easp=3FEditorialsID=3D403

Tony




RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

2005-05-24 Thread Free, Bob
This one?

Phantoms, Tombstones and the Infrastructure Master: 
http://support.microsoft.com/?id=248047  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, May 24, 2005 1:10 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

... who wrote it?

Shoot me over a copy por favor me ol' mate, guv'na and any other ridiculous
British/Euro phrase I can 'fink' of :)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Tuesday, May 24, 2005 4:02 PM
To: 'TIROA YANN '; Jorge de Almeida Pinto;
'[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

have you read the article "Phantoms, Tombstones and the Infrastructure
Master" which I mailed you? This explains the issue you are trying to
understand.

Cheers
#JORGE#

-Original Message-
From: TIROA YANN
To: Jorge de Almeida Pinto; [EMAIL PROTECTED];
ActiveDir@mail.activedir.org
Sent: 5/24/2005 9:37 PM
Subject: RE : [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

Ok thanks for the good links :-))
 
I must apologize (again ;-), but i missed something...
 
Just for my comprehension:
I have 2 domains a and b. I add usera in groupa on DCa in domaina. DCa will
create a phantom object wich is the reference of userb. right ?
No, if i delete or modify userb on domainb, the phantom must be updated in
my groupa on my DCa. So it's the job of the IM on domaina to compares
updated information on GCa. IM will then updated the phantom on DCa and the
world goes on :-)
 
But there is one thing i didn't understand yet. sorry :-(  If DCa is
IM+GC, then the IM can not compares and update information about the phantom
because it has the latest information, so DCa will then update userb in
groupa.. right ? and this change will be replicate to all DCs and GCs of the
forest ? So what's wrong for placing IM on DC which is GC ?
 
Regards,
 
Yann

  _  

De: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Date: mar. 24/05/2005 20:13
À: TIROA YANN; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Objet : RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.



Hi,

For more info on the infrastructure master see "Phantoms, Tombstones and the
Infrastructure Master" ( http://support.microsoft.com/?id=248047
 )

In both W2K and W2K3 AD.. the following rules apply:
* if you have only one domain -> make all DCs also GCs  as there is no
additional overhead
* if you have more than one domain in the forest -> for each domain in the
forest do not place the infrastructure master on a GC if you have at least
another DC in that same domain that is not a GC also!

In all cases: if all DCs = GCs there is no issue concerning the
infrastructure master.

In W2K, replication (for DCs/ for GCs) was/is of more importance because
when a group membership changed the complete members attribute got
replicated. This could be a pain, especially for universal groups

In W2K3, replication (for DCs/ for GCs) is of less importance because as
soon as you get to forest functional level windows 2003 you get linked value
replication which simply means that only the new member replicates... so
less impact! LVR also applies to other multi-valued attributes Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 7:57 PM
Subject: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

Hello :-)

Just a question concernng the placement of the global catalog (GC) and the
Infrastructure Master (IM) on a DC.
Microsoft said not to place the IM on a DC that is already a GC...

Why? and should it be true for an  AD 2003 forest with only one domain ?

Regards,

Yann


This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




Re: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

2005-05-24 Thread Tomasz Onyszko

Carlos Magalhaes wrote:


Yeah can you shoot me over a copy too :P I would like to check it out :)


Are you looking for this :)
"Phantoms, Tombstones and the Infrastructure Master"
http://support.microsoft.com/?id=248047

--
Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl


RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

2005-05-24 Thread Carlos Magalhaes
Yeah can you shoot me over a copy too :P I would like to check it out :)
Carlos Magalhaes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 24 May 2005 10:10 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

... who wrote it?

Shoot me over a copy por favor me ol' mate, guv'na and any other ridiculous
British/Euro phrase I can 'fink' of :)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Tuesday, May 24, 2005 4:02 PM
To: 'TIROA YANN '; Jorge de Almeida Pinto;
'[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

Have you read the article "Phantoms, Tombstones and the Infrastructure
Master" which I mailed you? This explains the issue you are trying to
understand.

Cheers
#JORGE#

-Original Message-
From: TIROA YANN
To: Jorge de Almeida Pinto; [EMAIL PROTECTED];
ActiveDir@mail.activedir.org
Sent: 5/24/2005 9:37 PM
Subject: RE : [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

Ok thanks for the good links :-))

I must apologize (again ;-), but I missed something...

Just for my comprehension:
I have 2 domains a and b. I add usera in groupa on DCa in domaina. DCa will
create a phantom object which is the reference of userb. Right?
Now, if I delete or modify userb on domainb, the phantom must be updated in
my groupa on my DCa. So it's the job of the IM on domaina to compare
updated information on GCa. IM will then update the phantom on DCa and the
world goes on :-)

But there is one thing I didn't understand yet, sorry :-(  If DCa is
IM+GC, then the IM cannot compare and update information about the phantom
because it has the latest information, so DCa will then update userb in
groupa.. right? And this change will be replicated to all DCs and GCs of the
forest? So what's wrong with placing IM on a DC which is a GC?
 
Regards,
 
Yann


RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

2005-05-24 Thread Dean Wells
... who wrote it?

Shoot me over a copy por favor me ol' mate, guv'na and any other ridiculous
British/Euro phrase I can 'fink' of :)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com




RE : [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

2005-05-24 Thread TIROA YANN
YEESSS !!! I now understand !!!

Thank you for your explanations.
As stated by Jorge, I will carefully reread the article, but sometimes it is
helpful for me to have many "sources" of explanations in order to organize
my understanding well :D
 
Regards,
 
Yann.



From: [EMAIL PROTECTED] on behalf of Dean Wells
Date: Tue. 24/05/2005 21:54
To: Send - AD mailing list
Subject: RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.


Assuming you meant you added userB from domainB to groupA in domainA, yes ... a 
phantom _record_ (not object) would have been created within domainA.  The 
phantom maintains only the user's DN, SID and GUID.  The phantom is created in 
order to allow the underlying database (that houses Active Directory) to create 
a cross-reference (known as a link-pair).  A link-pair can only be created if 
the database stores both of the records involved, since the user was in a 
foreign domain we would have failed when creating the link-pair had the DC not 
first injected a phantom representation of the foreign user.  
 
Since GCs do not maintain this kind of phantom because they're supposed to know 
about all the objects within the forest, they will never be able to detect any 
inconsistencies because their content is already up-to-date via normal 
replication processes.  This is peachy for the GC but leaves any remaining 
non-GC DCs within that domain up the creek without the proverbial paddle.
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]  
http://msetechnology.com  

 




RE: [ActiveDir] When is an AD structure too deep?

2005-05-24 Thread Al Mulnick
I agree.  I also would say that the depth and its impact is
two-dimensional: 
A good rule of thumb is to keep it shallow if possible although no
technical reason is available for that.  It's a best practice mostly but
I seem to recall there were some apps that will care if they try to keep
that path information in a variable :) 
It's also an impact if you make it so complex that you don't efficiently
manage the environment.  That's what OU's are for after all - more
efficient management. 

 
My $0.04 anyway

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Tuesday, May 24, 2005 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] When is an AD structure too deep?

Do policies change for the same Business Unit from location to location?

I would much prefer to see an OU structure like:

Domain -> Business Unit -> Desktop/Laptop/User

If there are Policies that really do need to be applied by location I
might look at making a GPO for that Site instead of by OU.

Are you concerned that the depth you are proposing here would cause
issues? If so, then you can feel safe that this is not an overly deep
structure and is of a fairly common depth.

Phil




On 5/24/05, Dave Hochstaetter <[EMAIL PROTECTED]> wrote:
> 
> 
> Good Afternoon,
> 
>  
> A specific item was brought up in the following thread regarding deep 
> AD structures,
>  
> 
> http://www.mail-archive.com/activedir@mail.activedir.org/msg28979.html
> 
>  
> 
> Coincidentally I have been thinking about AD structures and the depth
> or complexity of them. I was hoping to explore this topic in a bit
> greater detail. My scenario is, I am involved with desktop
> administration, but currently do not do the hands on design/policy
> implementation. This is what I would term a "black hole" in our
> organization.
>
>
>
> I am suggesting changes to the AD structure to the management groups
> followed by delegation of policy right to allow us to perform the
> functions that IMO are vital. The current structure stops at the
> location level with only desktops, servers, users, laptops below each
> location. Thus all business units would get the same policies, however
> the operations of the units do not currently allow that (nor does the
> current company culture), thus we are hampered on taking many
> necessary actions for managing a medium sized organization due to the
> wider impact at the location level.
> 
>  
> 
> My example:
> 
>
> 
> Root domain
> 
> 
> 
> 
> 
> 
> 
> Desktop
> 
> Laptops
> 
> Users
> 
> 
> 
> Desktop
> 
> Laptops
> 
> Users
> 
> 
> 
> Desktop
> 
> Laptops
> 
> Users
> 
> 
> 
> 
> 
> 
> 
>  
> 
> This is a structure I am proposing to increase the manageability of
> our environment with policies, software assignments, and IMO a more
> logical structure.
> 
>  
> 
> Questions: 
> 
>  
> 
> Any comments on the structure?
> 
> What is considered a deep structure?
> 
> What is considered too deep a structure?
> 
> How many here are running a deep structure?
> 
> Any problems or caveats to this?
> 
> Can anyone provide some links to resources covering pros and cons of 
> different structures?
> 
>  
> 
> I am new to this list and will be searching the archives in detail as 
> I get more time, however if this has been covered and someone has a 
> quick link handy please let me know.
> 
>  
> Thanks
>  
> Dave


RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

2005-05-24 Thread Jorge de Almeida Pinto
Have you read the article "Phantoms, Tombstones and the Infrastructure
Master" which I mailed you? This explains the issue you are trying to
understand.

Cheers
#JORGE#



RE: [ActiveDir] When is an AD structure too deep?

2005-05-24 Thread Jorge de Almeida Pinto
In my opinion when talking about structures an OU structure is based on the
following design rules:
(1) Create the first OU structure based on the needs of delegation of
control (who does what and what is the scope)
(2) Adjust the first structure to your needs to hide certain objects if
applicable
(3) Adjust the second structure to your needs to apply group policy objects
for policy management and/or software distribution

always:
* justify the existence of each OU.. otherwise get rid of it!
* and when finished with the three rules go through them again to see if it
still meets your needs in all three situations.
* don't set up the OU structure primarily to reflect the organizational
structure (it is however possible that after following the rules the OU
structure reflects the organizational structure)
* also think about other possible configurations

These are my EUR0.02 (or US$ 0.025) ;-)

Cheers,
#JORGE#




-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 8:45 PM
Subject: [ActiveDir] When is an AD structure too deep?

Good Afternoon,

 

A specific item was brought up in the following thread regarding deep AD
structures,
 

http://www.mail-archive.com/activedir@mail.activedir.org/msg28979.html



 

Coincidentally I have been thinking about AD structures and the depth
or complexity of them. I was hoping to explore this topic in a bit
greater detail. My scenario is, I am involved with desktop
administration, but currently do not do the hands on design/policy
implementation. This is what I would term a "black hole" in our
organization.



I am suggesting changes to the AD structure to the management groups
followed by delegation of policy right to allow us to perform the
functions that IMO are vital. The current structure stops at the
location level with only desktops, servers, users, laptops below each
location. Thus all business units would get the same policies, however
the operations of the units do not currently allow that (nor does the
current company culture), thus we are hampered on taking many necessary
actions for managing a medium sized organization due to the wider impact
at the location level.

 

My example:

   

Root domain







Desktop

Laptops

Users



Desktop

Laptops

Users



Desktop

Laptops

Users



 

This is a structure I am proposing to increase the manageability of our
environment with policies, software assignments, and IMO a more logical
structure.

 

Questions: 

 

Any comments on the structure?

What is considered a deep structure?

What is considered too deep a structure?

How many here are running a deep structure?

Any problems or caveats to this?

Can anyone provide some links to resources covering pros and cons of
different structures?

 

I am new to this list and will be searching the archives in detail as I
get more time, however if this has been covered and someone has a quick
link handy please let me know. 

 

Thanks
 
Dave



RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

2005-05-24 Thread Dean Wells



Assuming you meant you added userB from domainB to 
groupA in domainA, yes ... a phantom _record_ (not object) would have been 
created within domainA.  The phantom maintains only the user's DN, SID and 
GUID.  The phantom is created in order to allow the underlying database 
(that houses Active Directory) to create a cross-reference (known as a 
link-pair).  A link-pair can only be created if the database stores both of 
the records involved, since the user was in a foreign domain we would have 
failed when creating the link-pair had the DC not first injected a phantom 
representation of the foreign user.  
 
Since 
GCs do not maintain this kind of phantom because they're supposed to know about 
all the objects within the forest, they will never be able to detect any 
inconsistencies because their content is already up-to-date via normal 
replication processes.  This is peachy for the GC but leaves any remaining 
non-GC DCs within that domain up the creek without the proverbial 
paddle.
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 




TR : [ActiveDir] TR : Golbal catalog & Infrasctucutre Master. ->mistake

2005-05-24 Thread TIROA YANN
Oops.. sorry, I made a mistake between usera and userb ;o)

So just correct the sentence to:

"I have 2 domains a and b. I add userb (and not usera as stated in my previous
mail) in groupa on DCa in domaina. DCa will create a phantom object which is the
reference of userb. right ?..."

Cheers,

Yann





From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Date: Tue. 24/05/2005 20:13
To: TIROA YANN; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

Hi,

For more info on the infrastructure master see "Phantoms, Tombstones and the
Infrastructure Master" (http://support.microsoft.com/?id=248047)

In both W2K and W2K3 AD.. the following rules apply:
* if you have only one domain -> make all DCs also GCs as there is no
additional overhead
* if you have more than one domain in the forest -> for each domain in the
forest do not place the infrastructure master on a GC if you have at least
another DC in that same domain that is not a GC also!

In all cases: if all DCs = GCs there is no issue concerning the
infrastructure master.

In W2K, replication (for DCs/ for GCs) was/is of more importance because
when a group membership changed the complete members attribute got
replicated. This could be a pain, especially for universal groups

In W2K3, replication (for DCs/ for GCs) is of less importance because as
soon as you get to forest functional level windows 2003 you get linked value
replication which simply means that only the new member replicates... so
less impact! LVR also applies to other multi-valued attributes
Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 7:57 PM
Subject: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

Hello :-)

Just a question concerning the placement of the global catalog (GC) and
the Infrastructure Master (IM) on a DC.
Microsoft said not to place the IM on a DC that is already a GC...

Why? and should it be true for an AD 2003 forest with only one domain ?

Regards,

Yann

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an intended
recipient then please promptly delete this e-mail and any attachment and all
copies and inform the sender. Thank you.




RE : [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

2005-05-24 Thread TIROA YANN
Ok thanks for the good links :-))

I must apologize (again ;-), but I missed something...

Just for my comprehension:
I have 2 domains a and b. I add usera in groupa on DCa in domaina. DCa will
create a phantom object which is the reference of userb. right ?
No, if I delete or modify userb on domainb, the phantom must be updated in my
groupa on my DCa. So it's the job of the IM on domaina to compare updated
information on GCa. IM will then update the phantom on DCa and the world goes
on :-)

But there is one thing I didn't understand yet. sorry :-(  If DCa is IM+GC,
then the IM can not compare and update information about the phantom because
it has the latest information, so DCa will then update userb in groupa..
right ? and this change will be replicated to all DCs and GCs of the forest ?
So what's wrong with placing IM on DC which is GC ?

Regards,

Yann




From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Date: Tue. 24/05/2005 20:13
To: TIROA YANN; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

Hi,

For more info on the infrastructure master see "Phantoms, Tombstones and the
Infrastructure Master" (http://support.microsoft.com/?id=248047)

In both W2K and W2K3 AD.. the following rules apply:
* if you have only one domain -> make all DCs also GCs as there is no
additional overhead
* if you have more than one domain in the forest -> for each domain in the
forest do not place the infrastructure master on a GC if you have at least
another DC in that same domain that is not a GC also!

In all cases: if all DCs = GCs there is no issue concerning the
infrastructure master.

In W2K, replication (for DCs/ for GCs) was/is of more importance because
when a group membership changed the complete members attribute got
replicated. This could be a pain, especially for universal groups

In W2K3, replication (for DCs/ for GCs) is of less importance because as
soon as you get to forest functional level windows 2003 you get linked value
replication which simply means that only the new member replicates... so
less impact! LVR also applies to other multi-valued attributes
Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 7:57 PM
Subject: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

Hello :-)

Just a question concerning the placement of the global catalog (GC) and
the Infrastructure Master (IM) on a DC.
Microsoft said not to place the IM on a DC that is already a GC...

Why? and should it be true for an AD 2003 forest with only one domain ?

Regards,

Yann

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an intended
recipient then please promptly delete this e-mail and any attachment and all
copies and inform the sender. Thank you.




Re: [ActiveDir] When is an AD structure too deep?

2005-05-24 Thread Mark Parris
Dave,

You could always remove authenticated users from the various policies that are 
causing issue and create a few more that are scoped more towards that group of 
users and computers, then permission on a group membership basis.

That's what we do and it works very well.


Mark
-Original Message-
From: Dave Hochstaetter <[EMAIL PROTECTED]>
Date: Tue, 24 May 2005 14:45:30 
To:ActiveDir@mail.activedir.org
Subject: [ActiveDir] When is an AD structure too deep?

Good Afternoon,

A specific item was brought up in the following thread regarding deep AD
structures,

http://www.mail-archive.com/activedir@mail.activedir.org/msg28979.html

Coincidentally I have been thinking about AD structures and the depth or
complexity of them. I was hoping to explore this topic in a bit greater
detail. My scenario is, I am involved with desktop administration, but
currently do not do the hands on design/policy implementation. This is what I
would term a "black hole" in our organization.

I am suggesting changes to the AD structure to the management groups followed
by delegation of policy right to allow us to perform the functions that IMO are
vital. The current structure stops at the location level with only desktops,
servers, users, laptops below each location. Thus all business units would get
the same policies, however the operations of the units do not currently allow
that (nor does the current company culture), thus we are hampered on taking
many necessary actions for managing a medium sized organization due to the
wider impact at the location level.

My example:

Root domain

Desktop
Laptops
Users

Desktop
Laptops
Users

Desktop
Laptops
Users

This is a structure I am proposing to increase the manageability of our
environment with policies, software assignments, and IMO a more logical
structure.

Questions:

Any comments on the structure?
What is considered a deep structure?
What is considered too deep a structure?
How many here are running a deep structure?
Any problems or caveats to this?
Can anyone provide some links to resources covering pros and cons of different
structures?

I am new to this list and will be searching the archives in detail as I get
more time, however if this has been covered and someone has a quick link handy
please let me know.

Thanks

Dave
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] When is an AD structure too deep?

2005-05-24 Thread Phil Renouf
Do policies change for the same Business Unit from location to location?

I would much prefer to see an OU structure like:

Domain -> Business Unit -> Desktop/Laptop/User

If there are Policies that really do need to be applied by location I
might look at making a GPO for that Site instead of by OU.

Are you concerned that the depth you are proposing here would cause
issues? If so, then you can feel safe that this is not an overly deep
structure and is of a fairly common depth.

Phil




On 5/24/05, Dave Hochstaetter <[EMAIL PROTECTED]> wrote:
> 
> 
> Good Afternoon,
> 
>  
> A specific item was brought up in the following thread regarding deep AD
> structures,
>  
> 
> http://www.mail-archive.com/activedir@mail.activedir.org/msg28979.html
> 
>  
> 
> Coincidentally I have been thinking about AD structures and the depth or
> complexity of them. I was hoping to explore this topic in a bit greater
> detail. My scenario is, I am involved with desktop administration, but
> currently do not do the hands on design/policy implementation. This is what
> I would term a "black hole" in our organization. 
> 
>  
> 
> I am suggesting changes to the AD structure to the management groups
> followed by delegation of policy right to allow us to perform the functions
> that IMO are vital. The current structure stops at the location level with
> only desktops, servers, users, laptops below each location. Thus all
> business units would get the same policies, however the operations of the
> units do not currently allow that (nor does the current company culture),
> thus we are hampered on taking many necessary actions for managing a medium
> sized organization due to the wider impact at the location level. 
> 
>  
> 
> My example:
> 
>
> 
> Root domain
> 
> 
> 
> 
> 
> 
> 
> Desktop
> 
> Laptops
> 
> Users
> 
> 
> 
> Desktop
> 
> Laptops
> 
> Users
> 
> 
> 
> Desktop
> 
> Laptops
> 
> Users
> 
> 
> 
> 
> 
> 
> 
>  
> 
> This is a structure I am proposing to increase the manageability of our
> environment with policies, software assignments, and IMO a more logical
> structure. 
> 
>  
> 
> Questions: 
> 
>  
> 
> Any comments on the structure?
> 
> What is considered a deep structure?
> 
> What is considered too deep a structure?
> 
> How many here are running a deep structure?
> 
> Any problems or caveats to this?
> 
> Can anyone provide some links to resources covering pros and cons of
> different structures?
> 
>  
> 
> I am new to this list and will be searching the archives in detail as I get
> more time, however if this has been covered and someone has a quick link
> handy please let me know. 
> 
>  
> Thanks
>  
> Dave


RE: [ActiveDir] Windows 2000 terminal services again

2005-05-24 Thread Kern, Tom
Ok, last term services post(I promise)-
If my clients are win2k/xp and my term server is win2k, I do not need to buy 
licenses for these clients?
I only need to buy a license for the app running on the term server?

The temp license feature/grace period is for pre-win2k clients for win2k term 
services?

Correct?



[EMAIL PROTECTED] wrote:
> "What's the point in getting licenses if all your clients are 2k/xp
> then?" 
> 
> No point.  The TS License server figures out what the OS is.
> 
> This is (IMHO) needlessly complex, but here's the MS whitepaper:
> 
> http://www.microsoft.com/windowsserver2003/techinfo/overview/termservlic.mspx
> 
> Good luck!
> 
> AL
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Kern, Tom
> Sent: Sunday, May 22, 2005 6:53 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Windows 2000 terminal services again
> 
> 
> So if I read this correctly, I don't need to get a license for
> win2k/xp clients to work? I only need a license to be legal?
> 
> How do those clients know to use the license I bought and not the
> built in one? 
> 
> What's the point in getting licenses if all your clients are 2k/xp
> then? 
> 
> Thanks
> --
> Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
> 


[ActiveDir] When is an AD structure too deep?

2005-05-24 Thread Dave Hochstaetter
Good Afternoon,
 
A specific item was brought up in the following thread regarding deep AD structures,
 
http://www.mail-archive.com/activedir@mail.activedir.org/msg28979.html

 
Coincidentally I have been thinking about AD structures and the depth or complexity of them. I was hoping to explore this topic in a bit greater detail. My scenario is, I am involved with desktop administration, but currently do not do the hands on design/policy implementation. This is what I would term a "black hole" in our organization. 

 
I am suggesting changes to the AD structure to the management groups followed by delegation of policy right to allow us to perform the functions that IMO are vital. The current structure stops at the location level with only desktops, servers, users, laptops below each location. Thus all business units would get the same policies, however the operations of the units do not currently allow that (nor does the current company culture), thus we are hampered on taking many necessary actions for managing a medium sized organization due to the wider impact at the location level.

 
My example:
 
 
Root domain

        
        
Desktop
Laptops
Users
        
Desktop
Laptops
Users
        
Desktop
Laptops
Users
        


 
This is a structure I am proposing to increase the manageability of our environment with policies, software assignments, and IMO a more logical structure.

 
Questions: 
 
Any comments on the structure?
What is considered a deep structure?
What is considered too deep a structure?
How many here are running a deep structure?
Any problems or caveats to this?
Can anyone provide some links to resources covering pros and cons of different structures?
 
I am new to this list and will be searching the archives in detail as I get more time, however if this has been covered and someone has a quick link handy please let me know.

 
Thanks
 
Dave


RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

2005-05-24 Thread Jorge de Almeida Pinto
Hi,

For more info on the infrastructure master see "Phantoms, Tombstones and the
Infrastructure Master" (http://support.microsoft.com/?id=248047)

In both W2K and W2K3 AD.. the following rules apply:
* if you have only one domain -> make all DCs also GCs  as there is no
additional overhead
* if you have more than one domain in the forest -> for each domain in the
forest do not place the infrastructure master on a GC if you have at least
another DC in that same domain that is not a GC also!

In all cases: if all DCs = GCs there is no issue concerning the
infrastructure master.

In W2K, replication (for DCs/ for GCs) was/is of more importance because
when a group membership changed the complete members attribute got
replicated. This could be a pain, especially for universal groups

In W2K3, replication (for DCs/ for GCs) is of less importance because as
soon as you get to forest functional level windows 2003 you get linked value
replication which simply means that only the new member replicates... so
less impact! LVR also applies to other multi-valued attributes
Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 7:57 PM
Subject: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

Hello :-)
 
Just a question concerning the placement of the global catalog (GC) and
the Infrastructure Master (IM) on a DC.
Microsoft said not to place the IM on a DC that is already a GC...
 
Why? and should it be true for an  AD 2003 forest with only one domain ?
 
Regards,
 
Yann
 



Re: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

2005-05-24 Thread Tomasz Onyszko

TIROA YANN wrote:

Hello :-)
 
Just a question concerning the placement of the global catalog (GC) and 
the Infrastructure Master (IM) on a DC.

Microsoft said not to place the IM on a DC that is already a GC...
 
Why? and should it be true for an  AD 2003 forest with only one domain ?


Here you will find a good explanation of this topic:
http://msmvps.com/ulfbsimonweidner/archive/2005/03/08/37975.aspx



--
Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl


RE: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

2005-05-24 Thread Gil Kirkpatrick



The infrastructure master is responsible for updating cross-domain references,
and it doesn't work if running on a GC. In a single domain environment, the
infrastructure master doesn't do anything, so it doesn't matter which DC you
give the role to.

If there is even a small chance you will add a domain in the future, then you
should not put the infrastructure master on a GC. You'll almost certainly
forget to move it when you add the new domain :)

-gil

Gil Kirkpatrick
CTO, NetPro
"To fly, flip away backhanded. Flat flip flies straight. Tilted flip curves. Experiment!"


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Tuesday, May 24, 2005 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

Hello :-)

Just a question concerning the placement of the global catalog (GC) and the
Infrastructure Master (IM) on a DC.
Microsoft said not to place the IM on a DC that is already a GC...

Why? and should it be true for an AD 2003 forest with only one domain ?
 


Regards,
 
Yann
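
The placement rules given in Jorge's and Gil's replies above, written as a read-only audit across every domain in a forest (an added example, not part of the original thread). It assumes the ActiveDirectory PowerShell module (RSAT), which is newer than this thread; the function name `Test-InfrastructureMasterPlacement` is invented for this example.

```powershell
# Added example: read-only audit of infrastructure master (IM) placement,
# following the rules stated in the thread. Assumes the ActiveDirectory
# module (RSAT) and an account that can read every domain in the forest.
# Test-InfrastructureMasterPlacement is a name invented for this example.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param(
        [Parameter(Mandatory = $true)] [string] $DomainName,
        [Parameter(Mandatory = $true)] [int]    $ForestDomainCount
    )

    $domain = Get-ADDomain -Identity $DomainName -Server $DomainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $DomainName)

    # InfrastructureMaster holds the FQDN of the role holder; match it to its DC object.
    $imDc   = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster } |
              Select-Object -First 1
    $nonGcs = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

    if (-not $imDc) {
        # Edge case: the role points at a host that is not a current DC of this domain.
        $verdict = 'CHECK: IM role holder is not among the DCs returned for this domain'
    } elseif ($nonGcs.Count -eq 0) {
        # "if all DCs = GCs there is no issue concerning the infrastructure master"
        $verdict = 'OK: every DC in the domain is a GC'
    } elseif (-not $imDc.IsGlobalCatalog) {
        $verdict = 'OK: IM is on a DC that is not a GC'
    } elseif ($ForestDomainCount -eq 1) {
        # Single domain: the IM has nothing to do today, but the role is easy
        # to forget when a second domain is added later.
        $verdict = 'NOTE: single-domain forest; move the IM off the GC before adding a domain'
    } else {
        $verdict = 'PROBLEM: IM is on a GC while non-GC DCs exist in this domain'
    }

    [pscustomobject]@{
        Domain               = $DomainName
        InfrastructureMaster = $domain.InfrastructureMaster
        IMIsGlobalCatalog    = if ($imDc) { $imDc.IsGlobalCatalog } else { $null }
        NonGCDomainCtrls     = ($nonGcs | ForEach-Object { $_.HostName }) -join ', '
        Verdict              = $verdict
    }
}

# Evaluate every domain in the current forest.
$forest = Get-ADForest
$forest.Domains | ForEach-Object {
    Test-InfrastructureMasterPlacement -DomainName $_ -ForestDomainCount $forest.Domains.Count
} | Format-List
```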
 


RE: [ActiveDir] Cisco Call Manager / Unity / Blackberry and Active Directory 2003

2005-05-24 Thread Medeiros, Jose
Hi Hunter, 

Actually I wanted the secondary account deleted and did delete the account to 
the mailbox, however I did not want the primary account that it was originally 
mapped to also deleted.

Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Coleman, Hunter
Sent: Tuesday, May 24, 2005 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cisco Call Manager / Unity / Blackberry and
Active Directory 2003


Charlie is correct on the ADC possibility. Check your configuration
agreement's Deletion tab to see if you have it set up to delete the
windows account when the mailbox gets deleted. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, May 24, 2005 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cisco Call Manager / Unity / Blackberry and
Active Directory 2003

It depends on how you've set things up.
Unity (at least the 4.0x versions) will allow you to delete an account
from AD when you delete the subscriber's VM mailbox. I set our Unity
config to never allow this.
I seem to remember that the ADC also allowed 2-way synch, which would
allow you to delete an associated account when you delete a mailbox.
It's been a while since I used the tool, and it's not installed in my
testlab anymore, so I can't check, but I _think_ the ADC is a distinct
possibility. Someone who has used it in the last year or so can probably
verify...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, 
> Jose
> Sent: Tuesday, May 24, 2005 9:24 AM
> To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
> Subject: [ActiveDir] Cisco Call Manager / Unity / Blackberry and 
> Active Directory 2003
> 
> Greetings,
> 
> During an Exchange 2003 migration at a startup I was previously
> working for, I had an issue with several accounts that were on an
> Exchange 5.5 server that had multiple mailboxes associated with the
> same user account. To prepare for Exchange 2003, I created new user
> accounts ( user1, user 2, etc ) and associated the accounts with the
> mailboxes that had the same user account mapped to it, so that they
> would have a one to one mapping.
>
> I installed the AD connector for Exchange 2003, when I went through
> the AD list after replication occurred it renamed several of the
> accounts. I corrected the names, and ran AD synchronization.
>
> I then exported all the mail in the mailboxes that I created the one
> to one mappings for into PST files and deleted the five mailboxes that
> were no longer needed. Several minutes after replication occurred the
> accounts that were associated with multiple mailboxes also were
> deleted.
>
> Can anyone explain why this could have occurred? Could this have been
> related to SID history issue?
> Could this be related to the Cisco Unity Connector or the Blackberry
> Enterprise server connector adding additional hooks into the
> mailboxes? Has anyone else experienced this?
> 
> Sincerely,
> 
> Jose Medeiros
> Former Vice President and Postmaster NTEA
> MCP+I, MCSE, NT4 MCT
> www.ntea.net
> www.tvnug.org
> www.sfntug.org
> 
> --
> 


[ActiveDir] TR : Golbal catalog & Infrasctucutre Master.

2005-05-24 Thread TIROA YANN



Hello :-)

Just a question concerning the placement of the global catalog (GC) and the
Infrastructure Master (IM) on a DC.
Microsoft said not to place the IM on a DC that is already a GC...

Why? and should it be true for an AD 2003 forest with only one domain ?


Regards,
 
Yann
 

RE: [ActiveDir] Cisco Call Manager / Unity / Blackberry and Active Directory 2003

2005-05-24 Thread Medeiros, Jose
Hi Jorge, 

I did run the AD account cleanup tool and it found no duplicate accounts prior 
to deleting the extra user accounts that I created to have a one to one 
mapping to the mailboxes that were mapped to a single user account in Exchange 
5.5. The problem I had is that I did not anticipate that it would also delete 
the five primary accounts as well and did not have a recent backup. I only 
backed up the mail of the additional mailboxes that I was deleting using 
Exmerge just in case someone still needed the voice mail and mail messages in 
those mailboxes. 
( I lost several hours of email, fortunately only five accounts were affected ).

The reason that we had extra mailboxes associated with the user accounts was 
that Unity requires a mailbox for each voice mail extension and sales and 
marketing had multiple extensions and voice mail boxes shared by the team 
members. 

Thanks for the tip and taking the time to reply.

Jose :-) 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Coleman, Hunter
Sent: Tuesday, May 24, 2005 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cisco Call Manager / Unity / Blackberry and
Active Directory 2003


Charlie is correct on the ADC possibility. Check your configuration
agreement's Deletion tab to see if you have it set up to delete the
windows account when the mailbox gets deleted. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, May 24, 2005 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cisco Call Manager / Unity / Blackberry and
Active Directory 2003

It depends on how you've set things up.
Unity (at least the 4.0x versions) will allow you to delete an account
from AD when you delete the subscriber's VM mailbox. I set our Unity
config to never allow this.
I seem to remember that the ADC also allowed 2-way synch, which would
allow you to delete an associated account when you delete a mailbox.
It's been a while since I used the tool, and it's not installed in my
testlab anymore, so I can't check, but I _think_ the ADC is a distinct
possibility. Someone who has used it in the last year or so can probably
verify...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, 
> Jose
> Sent: Tuesday, May 24, 2005 9:24 AM
> To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
> Subject: [ActiveDir] Cisco Call Manager / Unity / Blackberry and 
> Active Directory 2003
> 
> Greetings,
> 
> During an Exchange 2003 migration at a startup I was previously
> working for, I had an issue with several accounts that were on an
> Exchange 5.5 server that had multiple mailboxes associated with the
> same user account. To prepare for Exchange 2003, I created new user
> accounts ( user1, user 2, etc ) and associated the accounts with the
> mailboxes that had the same user account mapped to it, so that they
> would have a one to one mapping.
>
> I installed the AD connector for Exchange 2003, when I went through
> the AD list after replication occurred it renamed several of the
> accounts. I corrected the names, and ran AD synchronization.
>
> I then exported all the mail in the mailboxes that I created the one
> to one mappings for into PST files and deleted the five mailboxes that
> were no longer needed. Several minutes after replication occurred the
> accounts that were associated with multiple mailboxes also were
> deleted.
>
> Can anyone explain why this could have occurred? Could this have been
> related to SID history issue?
> Could this be related to the Cisco Unity Connector or the Blackberry
> Enterprise server connector adding additional hooks into the
> mailboxes? Has anyone else experienced this?
> 
> Sincerely,
> 
> Jose Medeiros
> Former Vice President and Postmaster NTEA
> MCP+I, MCSE, NT4 MCT
> www.ntea.net
> www.tvnug.org
> www.sfntug.org
> 
> --
> 


[ActiveDir] dsmod & random passwords

2005-05-24 Thread Noah Eiger








Hi –

 

I know that “net user username /RANDOM”
will set a random password for username. Is there a way to set random passwords
using dsmod?

 

TIA








RE: [ActiveDir] Cisco Call Manager / Unity / Blackberry and Activ e Directory 2003

2005-05-24 Thread Jorge de Almeida Pinto
for more info on ADC, object matching etc. see:
http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=16139

Cheers
#JORGE

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Sent: 5/24/2005 6:23 PM
Subject: [ActiveDir] Cisco Call Manager / Unity / Blackberry and Active
Directory 2003

Greetings, 

During an Exchange 2003 migration at a startup I was previously working
for, I had an issue with several accounts that were on an Exchange 5.5
server that had multiple mailboxes associated with the same user
account. To prepare for Exchange 2003, I created new user accounts (
user1, user 2, etc ) and associated the accounts with the mailboxes that
had the same user account mapped to it, so that they would have a one to
one mapping.

I installed the AD connector for Exchange 2003, when I went through the
AD list after replication occurred it renamed several of the accounts. I
corrected the names, and ran AD synchronization.

I then exported all the mail in the mailboxes that I created the one to
one mappings for into PST files and deleted the five mailboxes that were
no longer needed. Several minutes after replication occurred the
accounts that were associated with multiple mailboxes also were deleted.

Can anyone explain why this could have occurred? Could this have been
related to SID history issue?
Could this be related to the Cisco Unity Connector or the Blackberry
Enterprise server connector adding additional hooks into the mailboxes?
Has anyone else experienced this?

Sincerely, 

Jose Medeiros
Former Vice President and Postmaster NTEA
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org

--



RE: [ActiveDir] Cisco Call Manager / Unity / Blackberry and Active Directory 2003

2005-05-24 Thread Coleman, Hunter
Charlie is correct on the ADC possibility. Check your configuration
agreement's Deletion tab to see if you have it set up to delete the
windows account when the mailbox gets deleted. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, May 24, 2005 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cisco Call Manager / Unity / Blackberry and
Active Directory 2003

It depends on how you've set things up.
Unity (at least the 4.0x versions) will allow you to delete an account
from AD when you delete the subscriber's VM mailbox. I set our Unity
config to never allow this.
I seem to remember that the ADC also allowed 2-way synch, which would
allow you to delete an associated account when you delete a mailbox.
It's been a while since I used the tool, and it's not installed in my
testlab anymore, so I can't check, but I _think_ the ADC is a distinct
possibility. Someone who has used it in the last year or so can probably
verify...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, 
> Jose
> Sent: Tuesday, May 24, 2005 9:24 AM
> To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
> Subject: [ActiveDir] Cisco Call Manager / Unity / Blackberry and 
> Active Directory 2003
> 
> Greetings,
> 
> During an Exchange 2003 migration at a startup I was previously
> working for, I had an issue with several accounts that were on an
> Exchange 5.5 server that had multiple mailboxes associated with the
> same user account. To prepare for Exchange 2003, I created new user
> accounts (user1, user 2, etc.) and associated the accounts with the
> mailboxes that had the same user account mapped to it, so that they
> would have a one to one mapping.
>
> I installed the AD connector for Exchange 2003, when I went through
> the AD list after replication occurred it renamed several of the
> accounts. I corrected the names, and ran AD synchronization.
>
> I then exported all the mail in the mailboxes that I created the one
> to one mappings for into PST files and deleted the five mailboxes that
> were no longer needed. Several minutes after replication occurred the
> accounts that were associated with multiple mailboxes also were
> deleted.
>
> Can anyone explain why this could have occurred? Could this have been
> related to a SID history issue?
> Could this be related to the Cisco Unity Connector or the Blackberry
> Enterprise server connector adding additional hooks into the
> mailboxes? Has anyone else experienced this?
> 
> Sincerely,
> 
> Jose Medeiros
> Former Vice President and Postmaster NTEA
> MCP+I, MCSE, NT4 MCT
> www.ntea.net
> www.tvnug.org
> www.sfntug.org
> 


RE: [ActiveDir] Cisco Call Manager / Unity / Blackberry and Active Directory 2003

2005-05-24 Thread Jorge de Almeida Pinto
Ola,
You could have achieved the one to one mapping using the NTDSnomatch
utility that comes with the deployment tools of Exchange 2003. However, what
you did works because what you did manually the ADC in combination with the
NTDSnomatch util would have done the same.

It sounds like those were resource mailboxes. If you extracted the mail and
after that deleted the mailboxes and the accounts got deleted... what's the
problem?

When you install the ADC and it replicates it will (try to) match the
mailboxes on E55 to existing user accounts. During the matching it checks
the primary user account on the mailbox and checks in AD if a user account
exists that has the same SID in its sidhistory attribute. If this does not
succeed I think it will try to see if it matches the ALIAS. If that also
doesn't apply it will create a disabled user account and add the SID to
the msExchMasterAccountsid attribute.

I presume you were still hosting the mailboxes on E55 just before deleting
the mailboxes?! The reason this happens is that you deleted the mailbox on
E55 and E55 thought..."let's delete the mailbox"... the ADC thought.."let's
replicate that deletion to AD"... and there you go the user account in AD
that had the mailbox matched got whacked! If my memory serves me correctly
you needed to unmatch the mailbox on E55 and the user in AD and then delete
the mailbox. For this you could have used part of the procedure described in
http://support.microsoft.com/?id=256862. BE CAREFUL WITH THIS AS YOU CAN
SCREW THINGS UP!

When the ADC replicates it will replace the full name and the display name
of the user account in AD to match the info in E55 (see
http://support.microsoft.com/?id=269843). This is normal (at least default
behavior). If you need to prevent this you need to change replication rules
of the ADC (attributes of the connection agreement).

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Sent: 5/24/2005 6:23 PM
Subject: [ActiveDir] Cisco Call Manager / Unity / Blackberry and Active
Directory 2003

Greetings, 

During an Exchange 2003 migration at a startup I was previously working
for, I had an issue with several accounts that were on an Exchange 5.5
server that had multiple mailboxes associated with the same user
account. To prepare for Exchange 2003, I created new user accounts
(user1, user 2, etc.) and associated the accounts with the mailboxes that
had the same user account mapped to it, so that they would have a one to
one mapping.

I installed the AD connector for Exchange 2003, when I went through the
AD list after replication occurred it renamed several of the accounts. I
corrected the names, and ran AD synchronization.

I then exported all the mail in the mailboxes that I created the one to
one mappings for into PST files and deleted the five mailboxes that were
no longer needed. Several minutes after replication occurred the
accounts that were associated with multiple mailboxes also were deleted.

Can anyone explain why this could have occurred? Could this have been
related to a SID history issue?
Could this be related to the Cisco Unity Connector or the Blackberry
Enterprise server connector adding additional hooks into the mailboxes?
Has anyone else experienced this?

Sincerely, 

Jose Medeiros
Former Vice President and Postmaster NTEA
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org



RE: [ActiveDir] Need AD Query Suggestion Please

2005-05-24 Thread Rick Kingslan
Oh, Jorge! Please stop!  We can barely get joe's head through most doors as
it is now.  He REALLY doesn't need another cheerleader!

;op

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Tuesday, May 24, 2005 9:40 AM
To: 'Jerry Welch '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Need AD Query Suggestion Please

don't thank me.. thank the guy who created the tool!. His name is Joe and he
can type more in a message than you can say in one day.. ;-)

#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 4:32 PM
Subject: RE: [ActiveDir] Need AD Query Suggestion Please

Cool filter !!
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida
Pinto
Sent: Tuesday, May 24, 2005 9:56 AM
To: 'Krenceski, William '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Need AD Query Suggestion Please

To get all departments (incl DUPs)
try the following:
ADFIND -h  -nodn -nolabel -s subtree -b "" -f "(&(objectCategory=person)(department=*))" department > OUTPUT.TXT

Load OUTPUT.TXT into excel, sort by name and list only unique values using a
filter (pull-down menu data->filter->advanced filter)

Cheers
#JORGE#

PS.: you can get ADFIND from www.joeware.net

-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Sent: 5/24/2005 3:33 PM
Subject: RE: [ActiveDir] Need AD Query Suggestion Please

Every AD user and contact has a department assigned. Querying by OU would not
work because some departments do not fit perfectly with their OU
(Departments are payroll based, not necessarily function based). I was
hoping to run something like (&(objectCategory=user)(department=*)) and only
display department AND suppress duplicates.

-Original Message-
From: Jorge de Almeida Pinto
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 24, 2005 8:53 AM
To: Krenceski, William; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Need AD Query Suggestion Please

How are the departments represented in AD? -> OUs, groups, something
else?

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 2:39 PM
Subject: [ActiveDir] Need AD Query Suggestion Please

Hello,
 
I am looking for a query or script that will go out and query all
departments in active directory (the easy part) AND I want to suppress
duplicates as to get a list of unique departments. Not caring about
displaying the users or anything else with the query.
 
 

William Krenceski
Network Administrator
Olean General Hospital
515 Main Street
Olean, NY 14760
Tel: 716-375-6475
Email: [EMAIL PROTECTED]   


 
 

Confidentiality Notice: The information contained in this message may be
legally privileged and confidential information intended only for the use of
the individual or entity named above. If the reader of this message is not
the intended recipient, or the employee or agent responsible to deliver it
to the intended recipient, you are hereby notified that any release,
dissemination, distribution, or copying of this communication is strictly
prohibited. If you have received this communication in error please notify
the author immediately by replying to this message and deleting the original
message. Thank you.



RE: [ActiveDir] Delivering MSI packages effectively

2005-05-24 Thread Steven Wood
I created a deep structure for several reasons; one delegation, making the
structure represent our environment helps others when managing PC's. The
second reason was so I can apply policies to a building or floor. It's worked
really well for us. There is the odd piece of software which needs to go to a
dozen or so rooms; hence asking the question in the first place. I do use GPMC
which is a dream when managing a large number of GPO's.

I like Dan's idea and I'll have a play with it to see if it'll improve
matters.
 
Regards
Steven



From: Dan Holme [mailto:[EMAIL PROTECTED]
Sent: Tue 24/05/2005 15:24
To: ActiveDir@mail.activedir.org; Steven Wood
Subject: RE: [ActiveDir] Delivering MSI packages effectively

If your domain is in Windows 2000 "native" mode (or Windows 2000 domain
functional level) or higher, you can effectively nest global groups into
global groups.

With a dispersed OU structure (I echo Jorge's question, "why"), I would
suggest:

1) A global group containing the computers of each classroom
2) A global group representing the software package
3) Nest the classroom groups into the software group
4) Filter the GPO to apply only to the software group.  Remove (don't
deny - remove) "Authenticated Users" ability to "Apply Group Policy" and
allow the Software group Read and Apply Group Policy.  If you're using
the GPMC (which you should be), it's even easier: remove Auth Users and
add the software group.

Dan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Jorge de Almeida Pinto
Sent: Tuesday, May 24, 2005 7:08 AM
To: 'Steven Wood '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Delivering MSI packages effectively

You have two possibilities:
For both create a GPO with the APP assigned.
(1) link the GPO to each classroom and you're done
(2) link the GPO to the workstations OU and use group filtering by giving a
group (that represents the classroom) read and apply permissions to the GPO.
Each workstation must be a member of their corresponding group

Question: why do you have such a deep structure? Delegations?, GPOs?
something else

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 3:48 PM
Subject: [ActiveDir] Delivering MSI packages effectively

I'm hoping someone can explain to me the most effective way to deliver
an MSI package in the following scenario.

My AD structure looks something like this:

Workstations
    Building One
        Classroom 1
        Classroom 2
        etc to
        Classroom 99
    Building Two
        Classroom 1
        etc to
        Classroom 99
    Building Three
        Classroom 1
        etc to
        Classroom 99

I have a GPO connected to most rooms. If I have an MSI package that I
need to deliver to say 25 rooms what would be the most effective way to
assign to the required classrooms? Currently I have to assign the app 25
times, once to each room.

Regards
Steven

---
This email is from Oldham Sixth Form College, but expresses the views
of the sender and not necessarily the views of the college. The email
and any files transmitted with it are confidential to the intended
recipient at the e-mail address to which it has been addressed. It may
not be disclosed or used by any other than that addressee, nor may it
be copied in any way. If received in error, please notify
[EMAIL PROTECTED] quoting the name of the sender.

This message has been scanned for viruses by F-Secure Anti-Virus.
Please note that we cannot accept any responsibility for any
transmitted viruses. It is, therefore, your responsibility to scan
attachments (if any).
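Dan Holme's steps 1 to 4, modelled in Python as an added example (not code from the thread or from any Microsoft tool): it works out which computers process a GPO linked at the Workstations OU under three different ACLs, including why "Authenticated Users" has to be removed rather than denied. The group names, PC names and room counts are constructed for the illustration.

```python
from dataclasses import dataclass, field

AUTH_USERS = "Authenticated Users"   # every authenticated computer account is a member
NEEDED = {"read", "apply"}           # both rights are required for the GPO to be processed


@dataclass
class Directory:
    """Toy directory: OU location of each computer plus direct group membership."""
    ou_of: dict = field(default_factory=dict)     # computer -> OU path, root first
    members: dict = field(default_factory=dict)   # group -> direct members (computers or groups)

    def add_member(self, group, *names):
        self.members.setdefault(group, set()).update(names)

    def token(self, computer):
        """The computer itself plus every group reached through nesting."""
        sids, frontier = {computer, AUTH_USERS}, {computer}
        while frontier:
            frontier = {g for g, direct in self.members.items()
                        if g not in sids and direct & frontier}
            sids |= frontier
        return sids


def gpo_applies(directory, computer, link_ou, acl):
    """True if the GPO linked at link_ou is processed by this computer."""
    if link_ou not in directory.ou_of[computer]:       # outside the scope of the link
        return False
    token = directory.token(computer)
    allowed, denied = set(), set()
    for trustee, kind, rights in acl:
        if trustee in token:
            (denied if kind == "deny" else allowed).update(rights)
    return NEEDED <= allowed and not (NEEDED & denied)  # any deny wins over allow


def build_lab(buildings=3, rooms=3, pcs=2):
    """Constructed sample: Workstations/Building N/Classroom M, one global group per room."""
    d = Directory()
    for b in range(1, buildings + 1):
        for r in range(1, rooms + 1):
            for p in range(1, pcs + 1):
                pc = f"B{b}R{r}-PC{p}"
                d.ou_of[pc] = ("Workstations", f"Building {b}", f"Classroom {r}")
                d.add_member(f"GG-B{b}-Room{r}", pc)    # step 1: one group per classroom
    return d


def assign_package(d, software_group, room_groups):
    """Steps 2 and 3: one group for the package, classroom groups nested into it."""
    d.add_member(software_group, *room_groups)


def computers_applying(d, acl, link_ou="Workstations"):
    return sorted(pc for pc in d.ou_of if gpo_applies(d, pc, link_ou, acl))


# Three ACLs for the same GPO, as (trustee, allow/deny, rights)
ACL_DEFAULT = [(AUTH_USERS, "allow", NEEDED)]
ACL_FILTERED = [("GG-App-Package", "allow", NEEDED)]    # step 4: Auth Users removed
ACL_DENY_MISTAKE = [(AUTH_USERS, "deny", {"apply"}),
                    ("GG-App-Package", "allow", NEEDED)]


def demo():
    d = build_lab()
    assign_package(d, "GG-App-Package", ["GG-B1-Room1", "GG-B2-Room2", "GG-B3-Room3"])
    return {name: computers_applying(d, acl) for name, acl in
            [("default", ACL_DEFAULT), ("filtered", ACL_FILTERED), ("deny", ACL_DENY_MISTAKE)]}


if __name__ == "__main__":
    for name, pcs in demo().items():
        print(f"{name:9} {len(pcs):2} computers: {pcs}")
```

With the deny ACE in place no computer processes the GPO, because every machine in the software group is also an Authenticated User and a deny overrides the allow.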

RE: [ActiveDir] Cisco Call Manager / Unity / Blackberry and Active Directory 2003

2005-05-24 Thread Charlie Kaiser
It depends on how you've set things up.
Unity (at least the 4.0x versions) will allow you to delete an account
from AD when you delete the subscriber's VM mailbox. I set our Unity
config to never allow this.
I seem to remember that the ADC also allowed 2-way synch, which would
allow you to delete an associated account when you delete a mailbox.
It's been a while since I used the tool, and it's not installed in my
testlab anymore, so I can't check, but I _think_ the ADC is a distinct
possibility. Someone who has used it in the last year or so can probably
verify...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Medeiros, Jose
> Sent: Tuesday, May 24, 2005 9:24 AM
> To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
> Subject: [ActiveDir] Cisco Call Manager / Unity / Blackberry 
> and Active Directory 2003
> 
> Greetings, 
> 
> During an Exchange 2003 migration at a startup I was
> previously working for, I had an issue with several accounts
> that were on an Exchange 5.5 server that had multiple
> mailboxes associated with the same user account. To prepare
> for Exchange 2003, I created new user accounts (user1, user
> 2, etc.) and associated the accounts with the mailboxes that
> had the same user account mapped to it, so that they would
> have a one to one mapping.
>
> I installed the AD connector for Exchange 2003, when I went
> through the AD list after replication occurred it renamed
> several of the accounts. I corrected the names, and ran AD
> synchronization.
>
> I then exported all the mail in the mailboxes that I created
> the one to one mappings for into PST files and deleted the
> five mailboxes that were no longer needed. Several minutes
> after replication occurred the accounts that were associated
> with multiple mailboxes also were deleted.
>
> Can anyone explain why this could have occurred? Could this
> have been related to a SID history issue?
> Could this be related to the Cisco Unity Connector or the
> Blackberry Enterprise server connector adding additional
> hooks into the mailboxes? Has anyone else experienced this?
> 
> Sincerely, 
> 
> Jose Medeiros
> Former Vice President and Postmaster NTEA
> MCP+I, MCSE, NT4 MCT
> www.ntea.net
> www.tvnug.org
> www.sfntug.org
> 


[ActiveDir] Cisco Call Manager / Unity / Blackberry and Active Directory 2003

2005-05-24 Thread Medeiros, Jose
Greetings, 

During an Exchange 2003 migration at a startup I was previously working for, I
had an issue with several accounts that were on an Exchange 5.5 server that had
multiple mailboxes associated with the same user account. To prepare for
Exchange 2003, I created new user accounts (user1, user 2, etc.) and
associated the accounts with the mailboxes that had the same user account
mapped to it, so that they would have a one to one mapping.

I installed the AD connector for Exchange 2003, when I went through the AD list
after replication occurred it renamed several of the accounts. I corrected the
names, and ran AD synchronization.

I then exported all the mail in the mailboxes that I created the one to one
mappings for into PST files and deleted the five mailboxes that were no longer
needed. Several minutes after replication occurred the accounts that were
associated with multiple mailboxes also were deleted.

Can anyone explain why this could have occurred? Could this have been related
to a SID history issue?
Could this be related to the Cisco Unity Connector or the Blackberry Enterprise
server connector adding additional hooks into the mailboxes? Has anyone else
experienced this?

Sincerely, 

Jose Medeiros
Former Vice President and Postmaster NTEA
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org



Re: [ActiveDir] GLOBAL CATALOG- WITH 2 DOMAINS

2005-05-24 Thread Phil Renouf
On 5/23/05, Mohammed_Tantawi <[EMAIL PROTECTED]> wrote:
> Dear All,
> 
> The main thing which I want to do is:-
>
> 1. I want to establish OWA for my External user.

The question still hasn't been answered: Are these two domains a part
of the same forest? If they are, there is a trust relationship by
default between domains in the same forest.

Phil


Re: [ActiveDir] AD Question on restricting resources in an OU

2005-05-24 Thread Tomasz Onyszko

Medeiros, Jose wrote:
Good Morning, 


I need someone's opinion. We have a QA lab that has separate OU's in the same
2003 Active Directory forest. The QA engineers want us to limit the resources
visible in other OU's and in our QA Exchange 2003 environment. I know that I
can restrict them from accessing those resources, however is it possible to
prevent them from being visible to users in a different OU?

You can hide some part of AD from the other users using directory list
object mode:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/controlling_object_visibility.asp

--
Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl


[ActiveDir] AD Question on restricting resources in an OU

2005-05-24 Thread Medeiros, Jose
Good Morning, 

I need someone's opinion. We have a QA lab that has separate OU's in the same
2003 Active Directory forest. The QA engineers want us to limit the resources
visible in other OU's and in our QA Exchange 2003 environment. I know that I 
can restrict them from accessing those resources, however is it possible to 
prevent them from being visible to users in a different OU?


Sincerely, 

Jose Medeiros
408-449-6621 Cell





RE: [ActiveDir] Need AD Query Suggestion Please

2005-05-24 Thread Jorge de Almeida Pinto
don't thank me.. thank the guy who created the tool!. His name is Joe and he
can type more in a message than you can say in one day.. ;-)

#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 4:32 PM
Subject: RE: [ActiveDir] Need AD Query Suggestion Please

Cool filter !!
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida
Pinto
Sent: Tuesday, May 24, 2005 9:56 AM
To: 'Krenceski, William '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Need AD Query Suggestion Please

To get all departments (incl DUPs)
try the following:
ADFIND -h  -nodn -nolabel -s subtree -b "" -f "(&(objectCategory=person)(department=*))" department > OUTPUT.TXT

Load OUTPUT.TXT into excel, sort by name and list only unique values using a
filter (pull-down menu data->filter->advanced filter)

Cheers
#JORGE#

PS.: you can get ADFIND from www.joeware.net

-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Sent: 5/24/2005 3:33 PM
Subject: RE: [ActiveDir] Need AD Query Suggestion Please

Every AD user and contact has a department assigned. Querying by OU would not
work because some departments do not fit perfectly with their OU
(Departments are payroll based, not necessarily function based). I was
hoping to run something like (&(objectCategory=user)(department=*)) and only
display department AND suppress duplicates.

-Original Message-
From: Jorge de Almeida Pinto
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 24, 2005 8:53 AM
To: Krenceski, William; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Need AD Query Suggestion Please

How are the departments represented in AD? -> OUs, groups, something
else?

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 2:39 PM
Subject: [ActiveDir] Need AD Query Suggestion Please

Hello,
 
I am looking for a query or script that will go out and query all
departments in active directory (the easy part) AND I want to suppress
duplicates as to get a list of unique departments. Not caring about
displaying the users or anything else with the query.
 
 

William Krenceski
Network Administrator
Olean General Hospital
515 Main Street
Olean, NY 14760
Tel: 716-375-6475
Email: [EMAIL PROTECTED]   


 
 


RE: [ActiveDir] Need AD Query Suggestion Please

2005-05-24 Thread Jerry Welch
Cool filter !!
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Tuesday, May 24, 2005 9:56 AM
To: 'Krenceski, William '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Need AD Query Suggestion Please

To get all departments (incl DUPs)
try the following:
ADFIND -h  -nodn -nolabel -s subtree -b "" -f "(&(objectCategory=person)(department=*))" department > OUTPUT.TXT

Load OUTPUT.TXT into excel, sort by name and list only unique values using a
filter (pull-down menu data->filter->advanced filter)

Cheers
#JORGE#

PS.: you can get ADFIND from www.joeware.net

-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Sent: 5/24/2005 3:33 PM
Subject: RE: [ActiveDir] Need AD Query Suggestion Please

Every AD user and contact has a department assigned. Querying by OU would not
work because some departments do not fit perfectly with their OU
(Departments are payroll based, not necessarily function based). I was
hoping to run something like (&(objectCategory=user)(department=*)) and only
display department AND suppress duplicates.

-Original Message-
From: Jorge de Almeida Pinto
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 24, 2005 8:53 AM
To: Krenceski, William; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Need AD Query Suggestion Please

How are the departments represented in AD? -> OUs, groups, something else?

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 2:39 PM
Subject: [ActiveDir] Need AD Query Suggestion Please

Hello,
 
I am looking for a query or script that will go out and query all
departments in active directory (the easy part) AND I want to suppress
duplicates as to get a list of unique departments. Not caring about
displaying the users or anything else with the query.
 
 

William Krenceski
Network Administrator
Olean General Hospital
515 Main Street
Olean, NY 14760
Tel: 716-375-6475
Email: [EMAIL PROTECTED]   


 
 

Confidentiality Notice: The information contained in this message may be
legally privileged and confidential information intended only for the use of
the individual or entity named above. If the reader of this message is not
the intended recipient, or the employee or agent responsible to deliver it
to the intended recipient, you are hereby notified that any release,
dissemination, distribution, or copying of this communication is strictly
prohibited. If you have received this communication in error please notify
the author immediately by replying to this message and deleting the original
message. Thank you.


This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Delivering MSI packages effectively

2005-05-24 Thread Dan Holme
If your domain is in Windows 2000 "native" mode (or Windows 2000 domain
functional level) or higher, you can effectively nest global groups into
global groups.

With a dispersed OU structure (I echo Jorge's question, "why"), I would
suggest:

1) A global group containing the computers of each classroom
2) A global group representing the software package
3) Nest the classroom groups into the software group
4) Filter the GPO to apply only to the software group.  Remove (don't
deny - remove) "Authenticated Users" ability to "Apply Group Policy" and
allow the Software group Read and Apply Group Policy.  If you're using
the GPMC (which you should be), it's even easier: remove Auth Users and
add the software group.

Dan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Tuesday, May 24, 2005 7:08 AM
To: 'Steven Wood '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Delivering MSI packages effectively

You have two possibilities:
For both create a GPO with the APP assigned.
(1) link the GPO to each classroom and you're done
(2) link the GPO to the workstations OU and use group filtering by
giving a
group (that represents the classroom) read and apply permissions to the
GPO.
Each workstation must be a member of their corresponding group

Question: why do you have such a deep structure? Delegations?, GPOs?
something else

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 3:48 PM
Subject: [ActiveDir] Delivering MSI packages effectively

I'm hoping someone can explain to me the most effective way to deliver
an MSI package in the following scenario.
 
My AD structure looks something like this:
 
Workstations
Building One
   Classroom 1
   Classroom 2
   etc to
   Classroom 99
Building Two
   Classroom 1
   etc to
   Classroom 99
Building Three
   Classroom 1
   etc to
   Classroom 99
 
I have a GPO connected to most rooms. If I have an MSI package that I
need to deliver to say 25 rooms what would be the most effective way to
assign to the required classrooms? Currently I have to assign the app 25
times, once to each room.
 
Regards
 
Steven
 
---
This email is from Oldham Sixth Form College, but expresses the views
of the sender and not necessarily the views of the college. The email
and any files transmitted with it are confidential to the intended
recipient at the e-mail address to which it has been addressed. It may
not be disclosed or used by any other than that addressee, nor may it
be copied in any way. If received in error, please notify
[EMAIL PROTECTED] quoting the name of the sender.

This message has been scanned for viruses by F-Secure Anti-Virus.

Please note that we cannot accept any responsibility for any
transmitted viruses. It is, therefore, your responsibility to scan
attachments (if any).


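The four steps in the reply above, sketched with the ActiveDirectory and GroupPolicy PowerShell modules, which shipped with later Windows Server releases than the ones discussed in this thread. This is an added example, not part of the original post; the GPO name, group names and OU paths are hypothetical placeholders.

```powershell
# Added example: filter one software-deployment GPO to selected classrooms by
# nesting per-classroom computer groups into a single software group.
# Every name, OU path and the GPO name below is a hypothetical placeholder.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName       = 'Deploy-ExampleApp'                 # GPO linked once, at the Workstations OU
$GroupsOu      = 'OU=Groups,DC=example,DC=local'     # where the groups are created
$SoftwareGroup = 'SW-ExampleApp'
$Classrooms    = @(
    @{ Group = 'CR-B1-Classroom1'; Ou = 'OU=Classroom 1,OU=Building One,OU=Workstations,DC=example,DC=local' },
    @{ Group = 'CR-B2-Classroom7'; Ou = 'OU=Classroom 7,OU=Building Two,OU=Workstations,DC=example,DC=local' }
)

function Get-OrCreateGlobalGroup {
    param([string]$Name, [string]$Path)
    $group = Get-ADGroup -Filter "SamAccountName -eq '$Name'"
    if (-not $group) {
        $group = New-ADGroup -Name $Name -SamAccountName $Name -GroupScope Global `
                             -GroupCategory Security -Path $Path -PassThru
    }
    $group
}

function Add-MissingMember {
    # Add only members that are not in the group yet, so the script can be re-run.
    param($Group, [object[]]$Candidates)
    $current = @(Get-ADGroupMember -Identity $Group |
                 Select-Object -ExpandProperty distinguishedName)
    $missing = @($Candidates |
                 Where-Object { $_ -and ($current -notcontains $_.DistinguishedName) })
    if ($missing.Count -gt 0) {
        Add-ADGroupMember -Identity $Group -Members $missing
    }
    $missing.Count
}

# Step 2: one global group that represents the software package.
$sw = Get-OrCreateGlobalGroup -Name $SoftwareGroup -Path $GroupsOu

foreach ($room in $Classrooms) {
    # Step 1: one global group per classroom, holding that classroom's computers.
    $roomGroup = Get-OrCreateGlobalGroup -Name $room.Group -Path $GroupsOu
    $computers = @(Get-ADComputer -Filter * -SearchBase $room.Ou -SearchScope OneLevel)
    $added     = Add-MissingMember -Group $roomGroup -Candidates $computers

    # Step 3: nest the classroom group into the software group.
    [void](Add-MissingMember -Group $sw -Candidates @($roomGroup))
    '{0}: {1} computer account(s) added' -f $room.Group, $added
}

# Step 4: the software group gets Read + Apply; the Authenticated Users entry
# is removed from the GPO (removed, not denied).
Set-GPPermission -Name $GpoName -TargetName $SoftwareGroup -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel None -Replace | Out-Null

# Show the resulting security filtering for review.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

A computer's new group membership takes effect after the computer restarts, so the filtered GPO applies from the next boot.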


RE: [ActiveDir] Need AD Query Suggestion Please

2005-05-24 Thread Teverovsky, Guy

If the intention is to look at the "department" attribute of user
objects, then the following would do it:

dsquery user -limit 0 | dsget user -dept | sort -u

Sort.exe that I use is part of GNU utilities for Windows:
http://unxutils.sourceforge.net/


Guy


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Tuesday, May 24, 2005 3:53 PM
To: 'Krenceski, William '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Need AD Query Suggestion Please

How are the departments represented in AD? -> OUs, groups, something
else?

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 2:39 PM
Subject: [ActiveDir] Need AD Query Suggestion Please

Hello,
 
I am looking for a query or script that will go out and query all
departments in active directory (the easy part) AND I want to suppress
duplicates as to get a list of unique departments. Not caring about
displaying the users or anything else with the query.
 
 

William Krenceski
Network Administrator 
Olean General Hospital 
515 Main Street 
Olean, NY 14760 
Tel: 716-375-6475 
Email: [EMAIL PROTECTED]   


 
 



RE: [ActiveDir] Delivering MSI packages effectively

2005-05-24 Thread Jorge de Almeida Pinto
You have two possibilities:
For both create a GPO with the APP assigned.
(1) link the GPO to each classroom and you're done
(2) link the GPO to the workstations OU and use group filtering by giving a
group (that represents the classroom) read and apply permissions to the GPO.
Each workstation must be a member of their corresponding group

Question: why do you have such a deep structure? Delegations?, GPOs?
something else

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 3:48 PM
Subject: [ActiveDir] Delivering MSI packages effectively

I'm hoping someone can explain to me the most effective way to deliver
an MSI package in the following scenario.
 
My AD structure looks something like this:
 
Workstations
Building One
   Classroom 1
   Classroom 2
   etc to
   Classroom 99
Building Two
   Classroom 1
   etc to
   Classroom 99
Building Three
   Classroom 1
   etc to
   Classroom 99
 
I have a GPO connected to most rooms. If I have an MSI package that I
need to deliver to say 25 rooms what would be the most effective way to
assign to the required classrooms? Currently I have to assign the app 25
times, once to each room.
 
Regards
 
Steven
 


RE: [ActiveDir] Need AD Query Suggestion Please

2005-05-24 Thread Jorge de Almeida Pinto
To get all departments (incl DUPs) try the following:
ADFIND -h  -nodn -nolabel -s subtree -b "" -f
"(&(objectCategory=person)(department=*))" department > OUTPUT.TXT

Load OUTPUT.TXT into Excel, sort by name and list only unique values using a
filter (pull-down menu Data -> Filter -> Advanced Filter).
Cheers
#JORGE#

PS.: you can get ADFIND from www.joeware.net

-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Sent: 5/24/2005 3:33 PM
Subject: RE: [ActiveDir] Need AD Query Suggestion Please

Every AD user and contact has a department assigned. Querying by OU would
not work because some departments do not fit perfectly with their OU
(Departments are payroll based, not necessarily function based). I was
hoping to run something like (&(objectCategory=user)(department=*)) and
only display department AND suppress duplicates.

-Original Message-
From: Jorge de Almeida Pinto
[mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 24, 2005 8:53 AM
To: Krenceski, William; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Need AD Query Suggestion Please

How are the departments represented in AD? -> OUs, groups, something
else?

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 2:39 PM
Subject: [ActiveDir] Need AD Query Suggestion Please

Hello,
 
I am looking for a query or script that will go out and query all
departments in active directory (the easy part) AND I want to suppress
duplicates as to get a list of unique departments. Not caring about
displaying the users or anything else with the query.
 
 

William Krenceski
Network Administrator
Olean General Hospital
515 Main Street
Olean, NY 14760
Tel: 716-375-6475
Email: [EMAIL PROTECTED]   


 
 

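The query and the de-duplication discussed in this thread can be done in one step without an external sort or a spreadsheet. The following is an added example, not code from any of the posters; it uses the .NET DirectorySearcher from PowerShell with the (objectCategory=person) filter quoted above, and the optional search-root parameter is an assumption of this sketch.

```powershell
# Added example: return each distinct "department" value once, with a count of
# the person objects (users and contacts) that carry it.
function Get-UniqueDepartment {
    param(
        # Optional LDAP path such as 'LDAP://OU=Staff,DC=example,DC=local'
        # (hypothetical). Empty means the domain of the current logon.
        [string]$SearchRoot = ''
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) {
        $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    }
    $searcher.Filter      = '(&(objectCategory=person)(department=*))'
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    # Paged search: without a page size the server stops at its result limit
    # and the list of departments would be silently incomplete.
    $searcher.PageSize    = 1000
    # Ask only for the one attribute that is needed.
    [void]$searcher.PropertiesToLoad.Add('department')

    # PowerShell hashtable keys are case-insensitive, so "Radiology" and
    # "RADIOLOGY" collapse into one entry.
    $counts  = @{}
    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            # Trim stray whitespace so "Payroll " and "Payroll" are not
            # reported as two departments.
            $name = ([string]$result.Properties['department'][0]).Trim()
            if ($name) {
                $counts[$name] = 1 + [int]$counts[$name]
            }
        }
    }
    finally {
        # FindAll() holds unmanaged resources until disposed.
        $results.Dispose()
        $searcher.Dispose()
    }

    $counts.GetEnumerator() |
        Sort-Object Name |
        ForEach-Object {
            [pscustomobject]@{ Department = $_.Name; Objects = $_.Value }
        }
}

Get-UniqueDepartment | Format-Table -AutoSize
```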


[ActiveDir] Delivering MSI packages effectively

2005-05-24 Thread Steven Wood
I'm hoping someone can explain to me the most effective way to deliver
an MSI package in the following scenario.
 
My AD structure looks something like this:
 
Workstations
    Building One
        Classroom 1
        Classroom 2
        etc to
        Classroom 99
    Building Two
        Classroom 1
        etc to
        Classroom 99
    Building Three
        Classroom 1
        etc to
        Classroom 99
 
I have a GPO connected to most rooms. If I have an MSI package that I
need to deliver to say 25 rooms what would be the most effective way to
assign to the required classrooms? Currently I have to assign the app 25
times, once to each room.
 
Regards
 
Steven

RE: [ActiveDir] Need AD Query Suggestion Please

2005-05-24 Thread Krenceski, William
Every AD user and contact has a department assigned. Querying by OU would
not work because some departments do not fit perfectly with their OU
(Departments are payroll based, not necessarily function based). I was
hoping to run something like (&(objectCategory=user)(department=*)) and
only display department AND suppress duplicates.

-Original Message-
From: Jorge de Almeida Pinto
[mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 24, 2005 8:53 AM
To: Krenceski, William; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Need AD Query Suggestion Please

How are the departments represented in AD? -> OUs, groups, something
else?

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 2:39 PM
Subject: [ActiveDir] Need AD Query Suggestion Please

Hello,
 
I am looking for a query or script that will go out and query all
departments in active directory (the easy part) AND I want to suppress
duplicates as to get a list of unique departments. Not caring about
displaying the users or anything else with the query.
 
 

William Krenceski
Network Administrator
Olean General Hospital
515 Main Street
Olean, NY 14760
Tel: 716-375-6475
Email: [EMAIL PROTECTED]   


 
 



RE: [ActiveDir] Need AD Query Suggestion Please

2005-05-24 Thread Jorge de Almeida Pinto
How are the departments represented in AD? -> OUs, groups, something else?

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 2:39 PM
Subject: [ActiveDir] Need AD Query Suggestion Please

Hello,
 
I am looking for a query or script that will go out and query all
departments in active directory (the easy part) AND I want to suppress
duplicates as to get a list of unique departments. Not caring about
displaying the users or anything else with the query.
 
 

William Krenceski
Network Administrator 
Olean General Hospital 
515 Main Street 
Olean, NY 14760 
Tel: 716-375-6475 
Email: [EMAIL PROTECTED]   


 
 



[ActiveDir] Need AD Query Suggestion Please

2005-05-24 Thread Krenceski, William




Hello,
 
I am looking for a query or script that will go out and query all
departments in active directory (the easy part) AND I want to suppress
duplicates as to get a list of unique departments. Not caring about
displaying the users or anything else with the query.

William Krenceski
Network Administrator
Olean General Hospital
515 Main Street
Olean, NY 14760
Tel: 716-375-6475
Email: [EMAIL PROTECTED]


 


RE: [ActiveDir] GLOBAL CATALOG- WITH 2 DOMAINS

2005-05-24 Thread Mohammed_Tantawi


Dear All,

The main thing which I want to do is:

1. I want to establish OWA for my external user.
==

I have the following:

1. I have only 2 domains (mailserver) & (webloc), in the same network.
2. Both domains have 1 DC in each.
3. Exchange server is installed on the first domain only (Mailserver).
4. Our web site is only installed on the other domain (Webloc) and it's on the
IIS 5.0 on the DC of the second domain.
5. On the second domain, there is a publish rule which is mapping only the real
IP address for the web site to that domain controller of the second domain.
==

What we need is, only on the second domain, I want to create a virtual
directory to map to the mailbox of the users on the first domain on the
Exchange. So when anyone types http://www.xyz.com/mail he will see his
e-mails.

I did the virtual directory, but with some notes:

1. I found that from the second domain - not from the first domain - I found I
am able to access the first domain, then access the
Exchange server which is located on the domain controller. And also on the
first domain, I can see the second domain and access the shared folder.

2. Both DCs are on the same network and they can ping each other.

3. On the first domain, when I was trying to give permission to this folder,
I found that I can't see the second domain at all, and it also happens on the
first domain.

I checked the Active Directory Domains & Trusts; I found that on both domain
controllers there was nothing at all, no trust at all, and however I can see
the other resources on both servers.

On the second domain controller, on its IIS, the virtual
directory which has been created by me and mapped to the MBX folder on the
Exchange server on the first domain, I found there is a
red circle indicating that there is an error on that virtual directory; I do not
know why???

But I found that we are unable to put the user name & password and it always
displays (you are not authorized) & sometimes (Page can't be found).

So, what is happening, how can we solve this?

==
As I understood, OWA works this way:

(Microsoft OWA is a tightly integrated component of Exchange Server 2000. It's
used by remote home & external users. OWA provides web browser access to the
e-mails, calendar, contacts and all the information stored in the Microsoft
Exchange storage system folder.)

So, how can I implement OWA if the Exchange server is installed on another
domain, and the IIS which is only published is located on another domain?
Can you please help me?





RE: [ActiveDir] delegate control in AD

2005-05-24 Thread Jorge de Almeida Pinto
Answer to your question: YES, that's why you should assign permissions to
groups and not to individual accounts

DSREVOKE
Dsrevoke is a command-line tool that can be used on domain controllers that
are running Windows Server 2003 or Windows 2000 Server to report the
existence of all permissions for a specific user or group on a set of OUs in
a domain and optionally remove from the DACLs of a set of OUs all
permissions specified for a particular user or group. 
http://www.microsoft.com/technet/abouttn/subscriptions/flash/tips/tips_120704.mspx
http://www.microsoft.com/downloads/details.aspx?FamilyID=77744807-c403-4bda-b0e4-c2093b8d6383&DisplayLang=en

By the way: DSREVOKE only works for the default domain naming context

As you can see there is no native tool available to see all delegations in
one step in AD

ACLDIAG and DSACLS can help show what permissions have been configured on an
object (e.g. OU) in AD. The opposite of DSREVOKE (view the permissions for a
security principal in the default naming context)

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 1:25 PM
Subject: [ActiveDir] delegate control in AD

Dumb question:

 

If I delegate control for a group of users to reset passwords -
shouldn't I then be able to add someone to that group and then that
someone can reset passwords?! 

 

Also, is there a way to view what delegations have been done so far? 

 

Active Directory 2003/

 

Thanks! 

 

Joe Pelle

Senior Infrastructure Architect

Information Technology

Valassis / IT

19975 Victor Parkway Livonia, MI 48152

Tel 734.591.7324  Fax 734.632.6151

  [EMAIL PROTECTED]

  http://www.valassis.com/

 

This message may include proprietary or protected information. If you
are not the intended recipient, please notify me, delete this message,
and do not further communicate the information contained herein without
my express written consent.

 


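One way to answer the "what has been delegated so far" question for password resets is to read each OU's DACL and report the entries that grant the Reset Password right, together with whether the trustee is a group or an individual account. This is an added example using the ActiveDirectory PowerShell module, not a tool mentioned in the thread; the search base is a hypothetical placeholder.

```powershell
# Added example: report who can reset passwords on the OUs under a search base.
Import-Module ActiveDirectory          # provides the AD: drive that Get-Acl reads

# rightsGuid of the "Reset Password" control access right (User-Force-Change-Password)
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-TrusteeClass {
    # Resolve an ACE trustee to its AD object class (user, group, computer, ...).
    param([System.Security.Principal.IdentityReference]$Identity)
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'"
        if ($obj) { $obj.ObjectClass } else { 'not in this domain' }
    }
    catch {
        'unresolved'
    }
}

function Get-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,
        # By default only entries set directly on the OU are listed.
        [switch]$IncludeInherited
    )

    foreach ($ou in (Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase)) {
        $acl = Get-Acl -Path ('AD:\' + $ou.DistinguishedName)

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }

            # The ExtendedRight bit is also part of GenericAll, so full-control
            # entries are reported as well.
            if (($ace.ActiveDirectoryRights -band $ExtendedRight) -eq 0) { continue }

            # An empty ObjectType means "all extended rights", which includes
            # Reset Password; otherwise the GUID must match exactly.
            if ($ace.ObjectType -ne $ResetPassword -and
                $ace.ObjectType -ne [guid]::Empty) { continue }

            [pscustomobject]@{
                OU           = $ou.DistinguishedName
                Trustee      = $ace.IdentityReference.Value
                TrusteeClass = Get-TrusteeClass -Identity $ace.IdentityReference
                Rights       = $ace.ActiveDirectoryRights
                Inherited    = $ace.IsInherited
            }
        }
    }
}

# 'OU=Staff,DC=example,DC=local' is a hypothetical search base.
Get-ResetPasswordDelegation -SearchBase 'OU=Staff,DC=example,DC=local' |
    Sort-Object OU, Trustee |
    Format-Table -AutoSize
```

Rows whose TrusteeClass is "user" are delegations made to an individual account rather than to a group.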


[ActiveDir] delegate control in AD

2005-05-24 Thread Pelle, Joe








Dumb question:

 

If I delegate control for a group of users to reset
passwords – shouldn’t I then be able to add someone to that group and
then that someone can reset passwords?! 

 

Also, is there a way to view what delegations have been done
so far? 

 

Active Directory 2003/

 

Thanks! 

 

Joe Pelle

Senior Infrastructure Architect

Information Technology

Valassis / IT

19975 Victor Parkway Livonia, MI 48152

Tel 734.591.7324  Fax 734.632.6151

[EMAIL PROTECTED]

http://www.valassis.com/

 


 








RE: [ActiveDir] GLOBAL CATALOG- WITH 2 DOMAINS

2005-05-24 Thread Mohammed_Tantawi
Dear man,

The main thing which I want to do is:

1. I want to establish OWA for my external user.
==

I have the following:

1. I have only 2 domains (mailserver) & (webloc), in the same network.
2. Both domains have 1 DC in each.
3. Exchange server is installed on the first domain only (Mailserver).
4. Our web site is only installed on the other domain (Webloc) and it's on the
IIS 5.0 on the DC of the second domain.
5. On the second domain, there is a publish rule which is mapping only the real
IP address for the web site to that domain controller of the second domain.
==

What we need is, only on the second domain, I want to create a virtual
directory to map to the mailbox of the users on the first domain on the
Exchange. So when anyone types http://www.xyz.com/mail he will see his
e-mails.

I did the virtual directory, but with some notes:

1. I found that from the second domain - not from the first domain - I found I
am able to access the first domain, then access the
Exchange server which is located on the domain controller. And also on the
first domain, I can see the second domain and access the shared folder.

2. Both DCs are on the same network and they can ping each other.

3. On the first domain, when I was trying to give permission to this folder,
I found that I can't see the second domain at all, and it also happens on the
first domain.

I checked the Active Directory Domains & Trusts; I found that on both domain
controllers there was nothing at all, no trust at all, and however I can see
the other resources on both servers.

On the second domain controller, on its IIS, the virtual
directory which has been created by me and mapped to the MBX folder on the
Exchange server on the first domain, I found there is a
red circle indicating that there is an error on that virtual directory; I do not
know why???

But I found that we are unable to put the user name & password and it always
displays (you are not authorized) & sometimes (Page can't be found).

So, what is happening, how can we solve this?

==
As I understood, OWA works this way:

(Microsoft OWA is a tightly integrated component of Exchange Server 2000. It's
used by remote home & external users. OWA provides web browser access to the
e-mails, calendar, contacts and all the information stored in the Microsoft
Exchange storage system folder.)

So, how can I implement OWA if the Exchange server is installed on another
domain, and the IIS which is only published is located on another domain?
Can you please help me?
 




RE: [ActiveDir] "Access denied" connecting to remote Event Logs - resolved

2005-05-24 Thread Ruston, Neil
Having granted Auth Users read access to the "Winreg" registry key, this issue
is now resolved.

neil
PS Case opened with MS to discuss this issue further, since auth users should
*not* need rights on the winreg key on a DC.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 23 May 2005 09:58
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] "Access denied" connecting to remote Event Logs


Neil 

Have you seen 323076 ?

Mark



-Original Message-
From: "Ruston, Neil" <[EMAIL PROTECTED]>
Date: Mon, 23 May 2005 09:13:01 
To:"'ActiveDir@mail.activedir.org'" 
Subject: RE: [ActiveDir] "Access denied" connecting to remote Event Logs

John, 
 
To re-iterate, I am using an account with membership of domain admins. The
domain admins group has the right 'manage auditing and security logs' granted.
 
neil 

   
   
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Policelli
Sent: 20 May 2005 16:28
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] "Access denied" connecting to remote Event Logs

One other thing you may want to look at is whether the account you are using
has Manage auditing and security log (SeSecurityPrivilege) on the Default DC
Policy.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Policelli
Sent: Friday, May 20, 2005 11:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] "Access denied" connecting to remote Event Logs

This is a new feature of Windows Server 2003. MS was smart enough to
prevent regular users to view the Application and System log. With Windows
2000, authenticated users can read the Application log and System log on a
domain controller. Having said this, users require a specific right to
access the Security log on a domain controller.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, May 20, 2005 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] "Access denied" connecting to remote Event Logs

I have 2 DCs in a [test] domain - one w2k sp3, the other w2k3 sp0. The
domain is w2k native.

I am logged on to both DCs using an account which is a member of domain
admins.

If I connect to the event viewer on the w2k DC from the w2k3 DC, no problem.
If I connect to the event viewer on the w2k3 DC from the w2k DC, I receive
'access denied'.

Domain Admins have the right to "logon locally", "manage auditing and sec
logs" and "access this computer from the network" (all set via GPO)

Which setting / policy should I check or change to fix this issue?

Thanks in advance,
neil
   
==
This message is for the sole use of the intended recipient. If you received
this message in error please delete it and notify us. If this message was
misdirected, Credit Suisse, its subsidiaries and affiliates (CS) do not
waive any confidentiality or privilege. CS retains and monitors electronic
communications sent through its network. Instructions transmitted over this
system are not binding on CS until they are confirmed by us. Message
transmission is not guaranteed to be secure.
==

 
 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/