Re: [ActiveDir] group policy adm files
Roseta,

.adm files are found in %systemroot%\inf

Regards,
Peter

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] group policy adm files
Hello,

I wanted to know where the template files (.adm) of the default domain group policy are in Windows 2000 Advanced Server. Can anyone help?

Yours truly,
Roseta Radfar
RE: [ActiveDir] _msdcs question
I'm sorry that you felt I was arguing. Didn't mean to argue, just thought that we were discussing. Let's close it.

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Santhosh Sivarajan
Sent: Tue 5/31/2005 7:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] _msdcs question

I don't want to start an argument here but I have installed Exchange 2003 in a pristine environment with and without WINS. 99% of the time it failed without WINS.

Santhosh

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Re: [ActiveDir] _msdcs question
I don't want to start an argument here but I have installed Exchange 2003 in a pristine environment with and without WINS. 99% of the time it failed without WINS.

Santhosh

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+

On 5/31/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> I am with you on that. Which is why I said my suggestion is not a replacement for WINS. But, for the items under discussion, I can say "WINS? What WINS?"
>
> Remember our discussion about devolution and DNS Suffixes a while back? This is where the concept comes into play. A process is asked to look for, say, "Rick", where no WINS exists. It says to itself "Rick is not qualified [1], so let me see what I have in my suffix list". It sees "Akomolafe.who, Kingslan.what, anyone.no" - in that order. It immediately devolves the lookup to "Rick.akomolafe.who". Since "akomolafe.who" has no record of a Rick, the process moves on and devolves to "Rick.Kingslan.what" and gets a hit. Some milliseconds added to the lookup, yes, but it found the record anyway.
>
> Would WINS have helped? Certainly, IF there is a replication of WINS records between the domains in question. If there is no replication, then .
>
> [1] I know you are qualified, Rick. That was just a figure of speech ;)
>
> Sincerely,
>
> Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
> Microsoft MVP - Directory Services
> www.readymaids.com - we know IT
> www.akomolafe.com
> Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
RE: [ActiveDir] _msdcs question
I am with you on that. Which is why I said my suggestion is not a replacement for WINS. But, for the items under discussion, I can say "WINS? What WINS?"

Remember our discussion about devolution and DNS Suffixes a while back? This is where the concept comes into play. A process is asked to look for, say, "Rick", where no WINS exists. It says to itself "Rick is not qualified [1], so let me see what I have in my suffix list". It sees "Akomolafe.who, Kingslan.what, anyone.no" - in that order. It immediately devolves the lookup to "Rick.akomolafe.who". Since "akomolafe.who" has no record of a Rick, the process moves on and devolves to "Rick.Kingslan.what" and gets a hit. Some milliseconds added to the lookup, yes, but it found the record anyway.

Would WINS have helped? Certainly, IF there is a replication of WINS records between the domains in question. If there is no replication, then .

[1] I know you are qualified, Rick. That was just a figure of speech ;)

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Tue 5/31/2005 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] _msdcs question

But, my experiments have shown that though you might be able to get rid of WINS for Exchange purposes, the Office team hasn't quite grown past its use.

Outlook (including 2003) has a bit of a hard time finding its mailbox if WINS is not active (or, at least an LMHosts file in place).

Rick
RE: [ActiveDir] _msdcs question
So since I can't use stub zones since OUR domain isn't completely Win2k3 DNS servers yet, how do I successfully get the _msdcs info transferred into our domain from this Win2k3 domain? Just use WINS? Or should I set up a zone transfer for the _msdcs.company.com zone as well as company.com?

From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Tue 5/31/2005 9:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] _msdcs question

But, my experiments have shown that though you might be able to get rid of WINS for Exchange purposes, the Office team hasn't quite grown past its use.

Outlook (including 2003) has a bit of a hard time finding its mailbox if WINS is not active (or, at least an LMHosts file in place).

Rick
RE: [ActiveDir] _msdcs question
But, my experiments have shown that though you might be able to get rid of WINS for Exchange purposes, the Office team hasn't quite grown past its use.

Outlook (including 2003) has a bit of a hard time finding its mailbox if WINS is not active (or, at least an LMHosts file in place).

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 31, 2005 8:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] _msdcs question

> Exchange also relies on WINS name resolution. You cannot install Exchange without WINS name resolution.

If you mean in a multi-domain environment, yes but...

You don't need WINS per se. With appropriate DNS suffixes, you can overcome the NetBIOS resolution limitations that necessitate the WINS requirement. I am not saying don't use WINS or that you can get rid of WINS easily. I am just saying that for purposes like these (Exchange install in a multi-domain environ, or trust establishment, etc), it is not a necessity IF you do the necessary homework.

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
RE: [ActiveDir] _msdcs question
> Exchange also relies on WINS name resolution. You cannot install Exchange without WINS name resolution.

If you mean in a multi-domain environment, yes but...

You don't need WINS per se. With appropriate DNS suffixes, you can overcome the NetBIOS resolution limitations that necessitate the WINS requirement. I am not saying don't use WINS or that you can get rid of WINS easily. I am just saying that for purposes like these (Exchange install in a multi-domain environ, or trust establishment, etc), it is not a necessity IF you do the necessary homework.

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Santhosh Sivarajan
Sent: Tue 5/31/2005 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] _msdcs question

Deji,

I completely understand your point but from my experience, if you don't have NetBIOS name resolution you cannot establish a trust. Also, you need to make sure all the required ports are open between two Domains. (http://support.microsoft.com/default.aspx?scid=kb;en-us;179442)

Exchange also relies on WINS name resolution. You cannot install Exchange without WINS name resolution.

HTH
Santhosh

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX
Re: [ActiveDir] _msdcs question
Deji, I completely understand your point but from my experience, if you don't have NetBIOS name resolution you cannot establish a trust. Also, you need to make sure all the required ports are open between two Domains. (http://support.microsoft.com/default.aspx?scid=kb;en-us;179442) Exchange also is relies on WINS name resolution. You cannot install Exchange without WINS name resolution. HTH Santhosh Santhosh Sivarajan MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+ Houston, TX On 5/31/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > Santhosh, I don't understand the significance of WINS here, as opposed to > getting DNS resolution properly working. Since he's on W2K3, wouldn't it be > better that he uses a stub of each domain on the other side of the trust (or > even cond fwding for that matter)? Just curious. > > On a similar note, I've noticed that the trust process (and other processes, > like Exchange Server Migration in ADMT) uses NetBIOS lookup instead of doing > an FQDN lookup. One way I do this is to simply create an A record in MY zone > for the DC on the other side. By creating the A record, the query will simply > get handed the record for that DC. This works IF the name of the DC on the > other side is not the same as the name of any of the DC in MY domain. Let me > explain with an example. > > MYDomain wants to trust YOURDomain. YourDomain has a DC called YourDC. During > the trust establishment process, I see a query for YourDC, which of course > does not exist in MyDomain, and because YourDomain is also not on my suffix, > no record is located. > > So, I create an A record for YourDC and give it the true IP of YourDC. So, > now the process goes and query for YourDC (instead of YourDC.YourDomain), it > gets resolved to the YourDC that is located in MyDomain, which happens to be > the same as YourDC.YourDomain. 
> > > Deji > > > > > From: [EMAIL PROTECTED] on behalf of Santhosh Sivarajan > Sent: Tue 5/31/2005 2:07 PM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] _msdcs question > > > > I don't think you have to do anything with your _msdcs zone. You have > to have WINS name resolution in-order to configure the trust. What is > your WINS configuration? Can you ping both Domain DCs using NetBIOS > and FQDN? > > HTH > Santhosh > > Santhosh Sivarajan > MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+ > Houston, TX > > > On 5/31/05, Rimmerman, Russ <[EMAIL PROTECTED]> wrote: > > > > We upgraded our Win2k AD domain to Win2k3 a few months ago. Now I'm > > attempting to set up a two-way trust with an outside Win2k3 domain, and > > I found out that _msdcs.company.com in the Win2k3 domain is at the same > > level as the company.com zone. So I found out this means that they > > build this as a Win2k3 domain rather than upgrading from Win2k. > > > > I found http://support.microsoft.com/?id=817470 on how to reconfigure an > > _msdcs subdomain to a forest-wide DNS application directory partition > > when you upgrade from Win2k to Win2k3, but we haven't done that (didn't > > know about it until just now). > > > > Question is - I want to set up a two-way trust with this win2k3 domain, > > but when I set them up as a secondary zone in our empty root domain, we > > didn't get the _msdcs data since it's just a grey reference folder > > rather than actual data. > > > > How do I get the two-way trust working? Do I have to set up two > > secondary zones in my empty root domain, one for company.com and one for > > _msdcs.company.com? > > > > ~~ > > This e-mail is confidential, may contain proprietary information > > of the Cooper Cameron Corporation and its operating Divisions > > and may be confidential or privileged. > > > > This e-mail should be read, copied, disseminated and/or used only > > by the addressee. 
> > If you have received this message in error please delete it, together with any attachments, from your system. > > ~~ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
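The replies above disagree on whether a trust needs NetBIOS (WINS) or DNS resolution, Deji describes the wizard querying the bare DC name, and Russ's original question is whether the partner's _msdcs data is even visible from his side. The script below is an added PowerShell example, not from any poster, that runs those checks from a DC: it resolves the partner DC's short name through DNS only and through NetBIOS/LLMNR only, resolves the FQDN against the partner's DNS server, queries the partner's DC locator SRV record under _msdcs, and probes the TCP ports a trust setup uses. The partner domain, DC name and DNS server address are placeholders. Resolve-DnsName and Test-NetConnection exist on Windows Server 2012 / Windows 8 and later only, so this is a modern rendering of what the 2005 posters would have done with nslookup, nbtstat and portqry.

```powershell
# Added example, not from the original thread. Names and addresses are assumptions.
$PartnerDomain = 'yourdomain.example'   # assumed DNS name of the domain to be trusted
$PartnerDc     = 'YourDC'               # assumed short (NetBIOS) name of a partner DC
$PartnerDns    = '192.0.2.10'           # assumed DNS server hosting the partner's zone

# TCP ports that trust creation and validation need reachable in both directions.
# KB 179442 has the full list, including UDP 137/138 and the RPC dynamic range,
# which Test-NetConnection (TCP only) cannot probe.
$TrustTcpPorts = [ordered]@{
    53  = 'DNS'
    88  = 'Kerberos'
    135 = 'RPC endpoint mapper'
    139 = 'NetBIOS session service'
    389 = 'LDAP'
    445 = 'SMB'
}

function Test-PartnerNameResolution {
    # Reproduces the lookup Deji saw: the trust wizard asks for the bare DC name,
    # which DNS alone cannot answer unless the partner zone is in the suffix list
    # or someone plants an A record, while the FQDN resolves through normal DNS.
    param([string]$ShortName, [string]$Domain, [string]$DnsServer)

    $fqdn     = "$ShortName.$Domain"
    $dnsShort = Resolve-DnsName -Name $ShortName -DnsOnly -Type A -ErrorAction SilentlyContinue
    $nbtShort = Resolve-DnsName -Name $ShortName -LlmnrNetbiosOnly -ErrorAction SilentlyContinue
    $dnsFqdn  = Resolve-DnsName -Name $fqdn -DnsOnly -Type A -Server $DnsServer -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ShortNameViaDns     = @($dnsShort | Where-Object IPAddress | ForEach-Object IPAddress)
        ShortNameViaNetBios = @($nbtShort | Where-Object IPAddress | ForEach-Object IPAddress)
        FqdnViaDns          = @($dnsFqdn  | Where-Object IPAddress | ForEach-Object IPAddress)
    }
}

function Test-PartnerSrvRecords {
    # Russ's question was whether the partner's _msdcs data is visible at all.
    # Every DC in a domain registers this locator record, so it is the quickest probe.
    param([string]$Domain, [string]$DnsServer)

    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object Name, NameTarget, Port, Priority, Weight
}

function Test-TrustPorts {
    param([string]$Target, [System.Collections.IDictionary]$Ports)

    foreach ($port in $Ports.Keys) {
        $result = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port    = $port
            Service = $Ports[$port]
            Open    = $result.TcpTestSucceeded
        }
    }
}

Test-PartnerNameResolution -ShortName $PartnerDc -Domain $PartnerDomain -DnsServer $PartnerDns | Format-List
Test-PartnerSrvRecords -Domain $PartnerDomain -DnsServer $PartnerDns | Format-Table -AutoSize
Test-TrustPorts -Target "$PartnerDc.$PartnerDomain" -Ports $TrustTcpPorts | Format-Table -AutoSize

# Deji's alternative to planting A records: a conditional forwarder for the partner
# zone (DnsServer module, run on your DNS server), so FQDN and _msdcs lookups work.
# Add-DnsServerConditionalForwarderZone -Name $PartnerDomain -MasterServers $PartnerDns -ReplicationScope Forest
```

If ShortNameViaDns is empty while FqdnViaDns and the SRV query succeed, DNS is healthy and only the short-name lookup is failing, which is the case both a WINS entry and Deji's A-record trick paper over. If the SRV query returns nothing, the partner's _msdcs data is not reachable from your side, and a stub zone or conditional forwarder for the partner domain (which carries its _msdcs delegation or subdomain) is the fix rather than a second secondary zone.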
RE: [ActiveDir] Home Directories
Are you sure about that? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dryden, Karen Sent: Tuesday, May 31, 2005 6:47 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Home Directories Modify rights doesn't give them the ability to delete files/folders. You have to go to the Advanced tab on permissions and edit their rights and check the box to enable them to delete their own home drive files/folders -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford Sent: Tuesday, May 31, 2005 5:10 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Home Directories The trouble is that Microsoft's idea of "locked down" and my idea of "locked down" don't match... I work in a college (and I think Debbie works in a similar environment) and there's no way I'd give users full control over even their own folders - the most they get is "modify" on everything in their user area. (Giving full allows them to change permissions - most will do this accidentally and manage to remove themselves from the list or they will give access to other users. In a work environment this may be a good thing - it allows users to share work on an ad-hoc basis. For students, it's typically a way to move "pirate" material around...) There's also a problem in that if users can create folders in the root share then they will - again, some will do this accidentally and lose work in that way; others will do it maliciously. 
Whichever, when you have 14,000 folders to worry about you don't want odd ones sneaking in :-) The downside of this is that you can't then have the folder created by the redirection process as the user logs on; no big deal - we script the user creation so we also create the home folder with the permissions we want (admins, system - full; user - modify) On a regular basis we also force the permissions and ownership back to what they should be - I've found setacl (http://setacl.sourceforge.net) to be easier to use for this than subinacl. Steve > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme > Sent: 27 May 2005 16:14 > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Home Directories > > The best practice permissions for the ROOT SHARE (for home > directories, roaming profiles & folder redirection) are listed below. > There is a lot of confusion about these perms, b/c there are > inconsistencies in MS doc. > I've tested these to make sure they work and (as you'll see) they're > pretty well locked down. > > The root share > == > ACL > Users*:Allow:List Folder & Create Folders > > Inheritance: This folder only ( THIS IS TRICKY AND IS NOT THE > DEFAULT Set "Apply onto" to "THIS FOLDER ONLY") > > *Or another group that includes users who will have folders under > this root > > Creator Owner:Allow:Full > Inheritance: Subfolders & files only > > System:Allow:Full > Inheritance: This folder, subfolders & files > > Administrators: > Set based on Enterprise information security policy > > Share > Hidden share name (sharename$) > Share permissions: Everyone:Allow:Full > > ** Do not create individual user folders ** How folders are created > === Home folders: created & perm'd automatically > > Redirected folders: created, perm'd, user owner > > SUBINACL on Res Kit to change ownership if you must create folder in > advance. 
(Be sure to download newest patched version of SubInACL from > MS web site) > > Profiles: created & perm'd automatically > > > Hope this helps > > Dan > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > [EMAIL PROTECTED] > Sent: Friday, May 27, 2005 8:00 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Home Directories > > Yes, make sure that the top level home folder that your share is > pointing to does not have rights for those users to make changes. > They should only have rights at their individual folder. > > For instance: > > Share Level Perms > \\server\home1 is your home folder share which has the following > perms: > Administrators - FC > Domain Users - C > > NTFS Perms > That folder maps to h:\home1 on your server. Home1 should have the > following: > Administrators - FC > > There's a user folder under home1 that exists under home1 that maps to > JohnDoe such as h:\home1\johndoe. > > At the johndoe folder, you want to make sure the following permissions > are set: > Administrators - FC > JohnDoe - Modify > > > So now you can map the user's H: drive or whatever to > \\server\home1\johndoe. > > Hope that helps... > > :m:dsm:cci:mvp > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie > Sent: Friday, May 27, 2005 10:50 AM > To: 'ActiveDir@mai
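Dan Holme's root-share recipe quoted above is easy to get wrong in the GUI because two of its entries depend on non-default scopes ("This folder only" for Users, "Subfolders and files only" for CREATOR OWNER). The script below is an added PowerShell example, not from any poster, that applies exactly those ACEs with explicit inheritance and propagation flags and then prints the resulting ACL so the scopes can be verified. The folder path, share name and group are assumptions; Administrators get Full Control here only as a placeholder, since Dan leaves that to local policy. New-SmbShare needs Windows Server 2012 or later; on the 2003-era servers in the thread the hidden share would be created with net share and its permissions set in the GUI.

```powershell
# Added example, not from the original thread. Path, share and group names are assumptions.
$Root      = 'D:\Home'                 # assumed root folder for home/redirected folders
$ShareName = 'Home$'                   # hidden share, as Dan recommends
$UserGroup = 'CONTOSO\Domain Users'    # assumed group whose members get folders under $Root

function New-Ace {
    # Build one Allow ACE with explicit scope flags.
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity, $Rights, $Inherit, $Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
}

function Set-HomeRootAcl {
    param([string]$Path, [string]$UsersGroup, [string]$AdminsIdentity = 'BUILTIN\Administrators')

    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path

    # Stop inheriting from the volume root and drop existing explicit entries,
    # so the effective ACL is exactly the four entries added below.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($existing)
    }

    $CI          = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $OI          = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $NoInherit   = [System.Security.AccessControl.InheritanceFlags]::None
    $Propagate   = [System.Security.AccessControl.PropagationFlags]::None
    $InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Users: List Folder + Create Folders, "This folder only".
    # GUI names: "List folder / read data" and "Create folders / append data".
    $acl.AddAccessRule((New-Ace $UsersGroup 'ListDirectory, CreateDirectories' $NoInherit $Propagate))

    # CREATOR OWNER: Full Control, "Subfolders and files only". Whoever creates a
    # folder (the user, at first logon) owns and fully controls just that folder.
    $acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' ($CI -bor $OI) $InheritOnly))

    # SYSTEM: Full Control, "This folder, subfolders and files".
    $acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' ($CI -bor $OI) $Propagate))

    # Administrators: Dan leaves this to policy; Full Control here is a placeholder.
    $acl.AddAccessRule((New-Ace $AdminsIdentity 'FullControl' ($CI -bor $OI) $Propagate))

    Set-Acl -Path $Path -AclObject $acl
}

function Show-HomeRootAcl {
    # Print each ACE with its scope so the "This folder only" entry can be confirmed.
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags |
        Format-Table -AutoSize
}

Set-HomeRootAcl -Path $Root -UsersGroup $UserGroup
# Hidden share with Everyone: Full; the NTFS ACL above does the real access control.
New-SmbShare -Name $ShareName -Path $Root -FullAccess 'Everyone' | Out-Null
Show-HomeRootAcl -Path $Root
```

In the output, the Users entry should show InheritanceFlags None and PropagationFlags None, and the CREATOR OWNER entry should show ContainerInherit, ObjectInherit with InheritOnly. Because the Users ACE does not inherit, a user can create a folder directly under the root but cannot list, read or delete anything inside a sibling's folder; the CREATOR OWNER entry is what turns the user's own new folder into a Full Control grant on that folder alone.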
RE: [ActiveDir] Question on IIS management via AD...
: From: [EMAIL PROTECTED] [mailto:ActiveDir- : [EMAIL PROTECTED] On Behalf Of Steven L Dunn : Subject: [ActiveDir] Question on IIS management via AD... : : I want to allow one of our users to manage our : website services (IIS, Indexing Service) without : giving them full administrative access to everything : else. : : What's the best method to do this? Is there a primer : or some examples somewhere that point the way? Google : doesn't seem to be giving me what I : need. Maybe it's just me! What version of IIS? For IIS6, there's no supported delegation; however, have a look at this post on Bernard Cheah's (IIS MVP) blog: http://msmvps.com/bernard/archive/2005/05/08/46074.aspx Cheers Ken -- www.adOpenStatic.com/cs/blogs/ken/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Home Directories
Modify rights doesn't give them the ability to delete files/folders. You have to go to the Advanced tab on permissions and edit their rights and check the box to enable them to delete their own home drive files/folders -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford Sent: Tuesday, May 31, 2005 5:10 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Home Directories The trouble is that Microsoft's idea of "locked down" and my idea of "locked down" don't match... I work in a college (and I think Debbie works in a similar environment) and there's no way I'd give users full control over even their own folders - the most they get is "modify" on everything in their user area. (Giving full allows them to change permissions - most will do this accidentally and manage to remove themselves from the list or they will give access to other users. In a work environment this may be a good thing - it allows users to share work on an ad-hoc basis. For students, it's typically a way to move "pirate" material around...) There's also a problem in that if users can create folders in the root share then they will - again, some will do this accidentally and lose work in that way; others will do it maliciously. Whichever, when you have 14,000 folders to worry about you don't want odd ones sneaking in :-) The downside of this is that you can't then have the folder created by the redirection process as the user logs on; no big deal - we script the user creation so we also create the home folder with the permissions we want (admins, system - full; user - modify) On a regular basis we also force the permissions and ownership back to what they should be - I've found setacl (http://setacl.sourceforge.net) to be easier to use for this than subinacl. 
Steve > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme > Sent: 27 May 2005 16:14 > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Home Directories > > The best practice permissions for the ROOT SHARE (for home > directories, roaming profiles & folder redirection) are > listed below. There is a lot of confusion about these perms, > b/c there are inconsistencies in MS doc. > I've tested these to make sure they work and (as you'll see) > they're pretty well locked down. > > The root share > == > ACL > Users*:Allow:List Folder & Create Folders > > Inheritance: This folder only ( THIS IS TRICKY AND > IS NOT THE DEFAULT Set "Apply onto" to "THIS FOLDER ONLY") > > *Or another group that includes users who will have > folders under this root > > Creator Owner:Allow:Full > Inheritance: Subfolders & files only > > System:Allow:Full > Inheritance: This folder, subfolders & files > > Administrators: > Set based on Enterprise information security policy > > Share > Hidden share name (sharename$) > Share permissions: Everyone:Allow:Full > > ** Do not create individual user folders ** How folders are > created === Home folders: created & > perm'd automatically > > Redirected folders: created, perm'd, user owner > > SUBINACL on Res Kit to change ownership if you must > create folder in advance. (Be sure to download newest patched > version of SubInACL from MS web site) > > Profiles: created & perm'd automatically > > > Hope this helps > > Dan > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > [EMAIL PROTECTED] > Sent: Friday, May 27, 2005 8:00 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Home Directories > > Yes, make sure that the top level home folder that your share > is pointing to does not have rights for those users to make > changes. They should only have rights at their individual folder. 
> > For instance: > > Share Level Perms > \\server\home1 is your home folder share which has the > following perms: > Administrators - FC > Domain Users - C > > NTFS Perms > That folder maps to h:\home1 on your server. Home1 should have the > following: > Administrators - FC > > There's a user folder under home1 that exists under home1 > that maps to JohnDoe such as h:\home1\johndoe. > > At the johndoe folder, you want to make sure the following > permissions are set: > Administrators - FC > JohnDoe - Modify > > > So now you can map the user's H: drive or whatever to > \\server\home1\johndoe. > > Hope that helps... > > :m:dsm:cci:mvp > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie > Sent: Friday, May 27, 2005 10:50 AM > To: 'ActiveDir@mail.activedir.org' > Subject: RE: [ActiveDir] Home Directories > > But it also allows them to create new folders under the top > level Home share. Is there a way around that? > > -Original Message- > From: [EMAIL PROTECTED]
[ActiveDir] OT / FAO: Tony Murray [apologies for oversized target audience]
Hey Tony, I responded to your emails and have tried a variety of different means of sending but I don't believe they're getting through (we had a similar problem a few years ago). Can you ping me with a contact phone # or IM account or thanks much buddy! To everyone else - if you've read this far, my sincere apologies for the wasted effort :-( Dean -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] _msdcs question
Santhosh, I don't understand the significance of WINS here, as opposed to getting DNS resolution properly working. Since he's on W2K3, wouldn't it be better that he uses a stub of each domain on the other side of the trust (or even cond fwding for that matter)? Just curious. On a similar note, I've noticed that the trust process (and other processes, like Exchange Server Migration in ADMT) uses NetBIOS lookup instead of doing an FQDN lookup. One way I do this is to simply create an A record in MY zone for the DC on the other side. By creating the A record, the query will simply get handed the record for that DC. This works IF the name of the DC on the other side is not the same as the name of any of the DC in MY domain. Let me explain with an example. MYDomain wants to trust YOURDomain. YourDomain has a DC called YourDC. During the trust establishment process, I see a query for YourDC, which of course does not exist in MyDomain, and because YourDomain is also not on my suffix, no record is located. So, I create an A record for YourDC and give it the true IP of YourDC. So, now the process goes and query for YourDC (instead of YourDC.YourDomain), it gets resolved to the YourDC that is located in MyDomain, which happens to be the same as YourDC.YourDomain. Deji From: [EMAIL PROTECTED] on behalf of Santhosh Sivarajan Sent: Tue 5/31/2005 2:07 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] _msdcs question I don't think you have to do anything with your _msdcs zone. You have to have WINS name resolution in-order to configure the trust. What is your WINS configuration? Can you ping both Domain DCs using NetBIOS and FQDN? HTH Santhosh Santhosh Sivarajan MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+ Houston, TX On 5/31/05, Rimmerman, Russ <[EMAIL PROTECTED]> wrote: > > We upgraded our Win2k AD domain to Win2k3 a few months ago. 
Now I'm > attempting to set up a two-way trust with an outside Win2k3 domain, and > I found out that _msdcs.company.com in the Win2k3 domain is at the same > level as the company.com zone. So I found out this means that they > built this as a Win2k3 domain rather than upgrading from Win2k. > > I found http://support.microsoft.com/?id=817470 on how to reconfigure an > _msdcs subdomain to a forest-wide DNS application directory partition > when you upgrade from Win2k to Win2k3, but we haven't done that (didn't > know about it until just now). > > Question is - I want to set up a two-way trust with this win2k3 domain, > but when I set them up as a secondary zone in our empty root domain, we > didn't get the _msdcs data since it's just a grey reference folder > rather than actual data. > > How do I get the two-way trust working? Do I have to set up two > secondary zones in my empty root domain, one for company.com and one for > _msdcs.company.com? > > ~~ > This e-mail is confidential, may contain proprietary information > of the Cooper Cameron Corporation and its operating Divisions > and may be confidential or privileged. > > This e-mail should be read, copied, disseminated and/or used only > by the addressee. If you have received this message in error please > delete it, together with any attachments, from your system. > ~~ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] _msdcs question
I don't think you have to do anything with your _msdcs zone. You have to have WINS name resolution in order to configure the trust. What is your WINS configuration? Can you ping both Domain DCs using NetBIOS and FQDN? HTH Santhosh Santhosh Sivarajan MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+ Houston, TX On 5/31/05, Rimmerman, Russ <[EMAIL PROTECTED]> wrote: > > We upgraded our Win2k AD domain to Win2k3 a few months ago. Now I'm > attempting to set up a two-way trust with an outside Win2k3 domain, and > I found out that _msdcs.company.com in the Win2k3 domain is at the same > level as the company.com zone. So I found out this means that they > built this as a Win2k3 domain rather than upgrading from Win2k. > > I found http://support.microsoft.com/?id=817470 on how to reconfigure an > _msdcs subdomain to a forest-wide DNS application directory partition > when you upgrade from Win2k to Win2k3, but we haven't done that (didn't > know about it until just now). > > Question is - I want to set up a two-way trust with this win2k3 domain, > but when I set them up as a secondary zone in our empty root domain, we > didn't get the _msdcs data since it's just a grey reference folder > rather than actual data. > > How do I get the two-way trust working? Do I have to set up two > secondary zones in my empty root domain, one for company.com and one for > _msdcs.company.com? > > ~~ > This e-mail is confidential, may contain proprietary information > of the Cooper Cameron Corporation and its operating Divisions > and may be confidential or privileged. > > This e-mail should be read, copied, disseminated and/or used only > by the addressee. If you have received this message in error please > delete it, together with any attachments, from your system. 
> ~~ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] _msdcs question
We upgraded our Win2k AD domain to Win2k3 a few months ago. Now I'm attempting to set up a two-way trust with an outside Win2k3 domain, and I found out that _msdcs.company.com in the Win2k3 domain is at the same level as the company.com zone. So I found out this means that they built this as a Win2k3 domain rather than upgrading from Win2k. I found http://support.microsoft.com/?id=817470 on how to reconfigure an _msdcs subdomain to a forest-wide DNS application directory partition when you upgrade from Win2k to Win2k3, but we haven't done that (didn't know about it until just now). Question is - I want to set up a two-way trust with this win2k3 domain, but when I set them up as a secondary zone in our empty root domain, we didn't get the _msdcs data since it's just a grey reference folder rather than actual data. How do I get the two-way trust working? Do I have to set up two secondary zones in my empty root domain, one for company.com and one for _msdcs.company.com? ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Enhancement Question
You could look at pre-populating the location field for printer searches. This is quite a nice feature that uses the IP subnet of the workstation the user is logged on to to locate the nearest printer. There's a few tasks you need to do to enable this, but it can be worth the effort, especially in distributed organisations. See the following whitepaper for more information on this. http://www.microsoft.com/windows2000/technologies/fileandprint/print/addeploy.asp As you suggest, there are not a huge number of benefits that are directly visible to the end user. Tony -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Wednesday, 1 June 2005 3:05 a.m. To: 'ActiveDir@mail.activedir.org' Subject: [ActiveDir] Enhancement Question This is an odd question. We have just about finished up rolling out AD 2003 (from an NT domain) and I have been charged with finding "several ways to utilize Active Directory to optimize the management of our applications and infrastructure. At least one of the solutions should enhance functionality directly for the user community." I'm having problems finding ways to enhance functionality for the end-users. Besides tying the AD into one of our outsourced web based applications to reduce their password count I'm stretching. I know of a number of management and infrastructure enhancements that could be made but none enhance the functionality of our end-users to a point where they will notice it and say "Wow, now that's cool". Does anyone know of a location where I can get ideas on this topic? Increased security, stability, management. These core things are not seen by the end-user even though they directly affect them. I need to find something that the end-users will like to see and something that benefits them. I'm just coming up blank on this. In the past, I have always been instructed to use AD in ways that the end-user doesn't notice but increases the functionality. 
Thanks, Charlie List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Enhancement Question
Do you have a new app you need to roll out that you can publish or assign through AD? Users get a kick out of being able to install new software themselves or seeing updated software install auto-magically... You could use LDAP and a little web page to make a simple phone number / email address lookup page that pulls the info from AD... You could re-configure their Internet Explorer home page to point to the corporate intranet (and prevent them from changing it)... :) Just some suggestions. FWIW, AD isn't about making users go "oh, that's cool". It's about making administrators go "damn, that's useful". Joe Pochedley A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, May 31, 2005 11:05 AM To: 'ActiveDir@mail.activedir.org' Subject: [ActiveDir] Enhancement Question This is an odd question. We have just about finished up rolling out AD 2003 (from an NT domain) and I have been charged with finding "several ways to utilize Active Directory to optimize the management of our applications and infrastructure. At least one of the solutions should enhance functionality directly for the user community." I'm having problems finding ways to enhance functionality for the end-users. Besides tying the AD into one of our outsourced web based applications to reduce their password count I'm stretching. I know of a number of management and infrastructure enhancements that could be made but none enhance the functionality of our end-users to a point where they will notice it and say "Wow, now that's cool". Does anyone know of a location where I can get ideas on this topic? Increased security, stability, management. These core things are not seen by the end-user even though they directly affect them. 
I need to find something that the end-users will like to see and something that benefits them. I'm just coming up blank on this. In the past, I have always been instructed to use AD in ways that the end-user doesn't notice but increases the functionality. Thanks, Charlie List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Microsoft ISCSI SNS Server and ISCSI Initiator for Microsoft Clusters
I've set up iSCSI several times. Do you have an error to cite? ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Tuesday, May 31, 2005 12:44 PM To: [ExchangeList]; ActiveDir@mail.activedir.org Subject: [ActiveDir] Microsoft ISCSI SNS Server and ISCSI Initiator for Microsoft Clusters Good Afternoon, I am trying to configure a HP 1200s NAS server appliance as an iSCSI Target server using Microsoft's iSNS server 3.0 along with a client server that we want to install Microsoft cluster server on that has the Microsoft iSCSI initiator 1.06. I'm having trouble configuring it, has any one done this yet? I am at a loss as to why I can not see the target server from a server that is running the ISCSI initiator. http://www.microsoft.com/downloads/details.aspx?familyid=12CB3C1A-15D6-4585-B385-BEFD1319F825&displaylang=en http://www.microsoft.com/downloads/details.aspx?FamilyID=0dbc4af5-9410-4080-a545-f90b45650e20&DisplayLang=en Thanks in advance. Jose Medeiros 408-449-6621 Cell List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Microsoft ISCSI SNS Server and ISCSI Initiator for Microsoft Clusters
Good Afternoon, I am trying to configure a HP 1200s NAS server appliance as an iSCSI Target server using Microsoft's iSNS server 3.0 along with a client server that we want to install Microsoft cluster server on that has the Microsoft iSCSI initiator 1.06. I'm having trouble configuring it, has any one done this yet? I am at a loss as to why I can not see the target server from a server that is running the ISCSI initiator. http://www.microsoft.com/downloads/details.aspx?familyid=12CB3C1A-15D6-4585-B385-BEFD1319F825&displaylang=en http://www.microsoft.com/downloads/details.aspx?FamilyID=0dbc4af5-9410-4080-a545-f90b45650e20&DisplayLang=en Thanks in advance. Jose Medeiros 408-449-6621 Cell List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Storing LAN Manager hash values
Hi all, There is supposedly a security option in Windows (I don't see it on my Windows 2000 Domain Controllers but is present on my Windows XP Professional system and I'm assuming on Windows Server 2003). Network Security: Do not store LAN Manager hash value on next password change Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Do not store LAN Manager hash value on next password change Am I missing something, do I need to update my security templates like I new GPO Administrative Templates on the Windows 2000 systems as well? Or am I only able to control this setting through reg hacks. Thanks in advance, Devan. "Firefox - Rediscover the web " List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Software restriction quandary
Hey Jeff If I understand you right, I think I'd do a variation of #2... A separate software restriction policy, user based. Then a global group that has deny apply set on the delegation. That way you only manage the group. Remember too, these only apply to XP+, and you have to restart explorer somehow to get them to work. (reboot, logout, and back in) You can deny executables and allow specific ones...But, like I said, if I understand you right, this sounds easier, at least to me. HTH John "Cothern Jeff D. Team EITC" <[EMAIL PROTECTED]> (sent by [EMAIL PROTECTED], 05/29/2005 07:22 PM, please respond to [EMAIL PROTECTED]) Subject: [ActiveDir] Software restriction quandary Hey all I am trying to think of the best course of action on this problem: Management wants to install certain applications on our baseline. They want to restrict all users except those within certain groups from running these applications. possible solutions: 1. Set a machine software restriction policy that disallows all from using the different executables. Then create a user Software restriction policy that allows the users in these groups to run the programs. This policy would only apply to the group. 2. Set a User software restriction policy as part of the normal user policy settings that disallows users from the different executables. Create a second policy that applies only to the group with permissions to use the program that allows the software to run. Which do you think would be better? Also is my thinking in the right place that the second policy will override the first policy. Jeff List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Error in PDC Operations Master
As I mentioned, USN rollback is quite difficult to detect ('quite' scales exponentially with the complexity and size of the directory). As for rebuilding (and assuming you have granted users and groups permission to use various resources around the domain), you may want to scrap that approach. Assuming the information you've provided is both accurate and complete; removal of the PDC, role seizure, metadata cleanup and re-introduction of the DC serves to provide a working solution ... really, I see no need to (nor would I recommend that you) start again. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown Sent: Tuesday, May 31, 2005 12:41 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Error in PDC Operations Master Ok thanks, I found my original issue was that I had restored my PDC to a ghost image from the day before because of a windows update that was causing the machine to reboot like the LSASS virus. Ever since I did that restore my domain has not properly replicated, although looking at accounts in my OU's where I've added many new accounts and made hundreds of changes, it appears to be in sync. I'm contemplating rebuilding the entire domain, as I have scripts that will create all the accounts in a matter of minutes, minus passwords, I wonder if there's a way to get those out of the current accounts so I can re-sync them up also. Thanks, -- Matt Brown [EMAIL PROTECTED] Consultant for Student Technology Fee website: http://techfee.ewu.edu/ +--+ | 509.359.6972 ph. 
- 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004 +--+ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, May 31, 2005 9:20 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Error in PDC Operations Master I would strongly advise against that, restoring an AD DC to an earlier point in time without its knowledge causes an issue known as USN rollback which is difficult to detect, manifests odd symptoms and may cause more problems than it resolves. The role related approaches posted so far are, IMHO, the better next-step. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown Sent: Tuesday, May 31, 2005 12:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Error in PDC Operations Master I also have Ghost Images of my servers from the day before my replication stopped. What do you think of restoring back to those images and then restoring 1 of my active directory backups? Because we're a university, this is normally the time of year I reset passwords, so I could get away with doing a master reset of all passwords. Thanks, -- Matt Brown [EMAIL PROTECTED] Consultant for Student Technology Fee website: http://techfee.ewu.edu/ +--+ | 509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004 +--+ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, May 31, 2005 5:50 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Error in PDC Operations Master It certainly is finite, everything I have, however, indicates that RID strength is ~30 bits equating to ~1 billion per domain. I've had a brief look elsewhere and can find no reference to other constraining factors though that's not to say there aren't any since this most certainly isn't a scenario I've personally encountered. 
-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Tuesday, May 31, 2005 5:08 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Error in PDC Operations Master As a by the way: I remember attending an Active Directory session last year at TechED Amsterdam, where it was stated that the RID pools were not unlimited and it was a finite number, somthing like 143 million RIDS per domain, now if it increase by 1 million everytime automatically plus you have a lot of objects in your AD 143Million does not seem that many. The session was a John Craddock session, on AD as part of the pre-conference programme. Can anyone confirm this number and confirm the matter? Regards Mark -Original Message- From: Jorge de Almeida Pinto <[EMAIL PROTECTED]> Date: Tue, 31 May 2005 10:31:02 To:ActiveDir@mail.activedir.org, Send - AD mailing list <[EMAIL PROTECTED]> Subject: RE: [ActiveDir] Error in PDC Operations Master Hi Dean, You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool
RE: [ActiveDir] Error in PDC Operations Master
Ok thanks, I found my original issue was that I had restored my PDC to a ghost image from the day before because of a windows update that was causing the machine to reboot like the LSASS virus. Ever since I did that restore my domain has not properly replicated, although looking at accounts in my OU's where I've added many new accounts and made hundreds of changes, it appears to be in sync. I'm contemplating rebuilding the entire domain, as I have scripts that will create all the accounts in a matter of minutes, minus passwords, I wonder if there's a way to get those out of the current accounts so I can re-sync them up also.

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, May 31, 2005 9:20 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

I would strongly advise against that, restoring an AD DC to an earlier point in time without its knowledge causes an issue known as USN rollback which is difficult to detect, manifests odd symptoms and may cause more problems than it resolves. The role related approaches posted so far are, IMHO, the better next-step.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, May 31, 2005 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

I also have Ghost Images of my servers from the day before my replication stopped. What do you think of restoring back to those images and then restoring 1 of my active directory backups? Because we're a university, this is normally the time of year I reset passwords, so I could get away with doing a master reset of all passwords.

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, May 31, 2005 5:50 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It certainly is finite, everything I have, however, indicates that RID strength is ~30 bits equating to ~1 billion per domain. I've had a brief look elsewhere and can find no reference to other constraining factors though that's not to say there aren't any since this most certainly isn't a scenario I've personally encountered.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, May 31, 2005 5:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master

As a by the way: I remember attending an Active Directory session last year at TechED Amsterdam, where it was stated that the RID pools were not unlimited and it was a finite number, something like 143 million RIDs per domain, now if it increases by 1 million every time automatically plus you have a lot of objects in your AD 143 million does not seem that many. The session was a John Craddock session, on AD as part of the pre-conference programme. Can anyone confirm this number and confirm the matter?

Regards
Mark

-----Original Message-----
From: Jorge de Almeida Pinto <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:31:02
To: ActiveDir@mail.activedir.org, Send - AD mailing list <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean, You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool is increased automatically by 1 million. Thanks for the info and sorry for the wrong info about the need to manually increase the RID available pool. Is the automatic increase somehow dependent on another variable? (like number of DCs and/or number of days or something else) Or is it a fixed value?

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, 31 May 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
RE: [ActiveDir] DHCP failover?
Hi Al, You're very welcome. I just remembered the product that Cisco was using, it's called Cisco Network Register.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 31, 2005 9:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DHCP failover?

Al, Jose, Thanks for the responses. Personally, I think it's a red herring. I would put different scopes on different machines as Jose suggested. And Al (not me :-) is also right: it would just affect new leases. It's a manageable problem.

AL

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Al Mulnick
Sent: Thursday, May 26, 2005 9:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DHCP failover?

How long do you expect your DHCP server to be down? Longer than your lease time? If so, why? You do have your scopes on other machines as well right (not putting all the eggs in the same basket sort of thing)?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 26, 2005 4:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DHCP failover?

I've had the following posed to me by my BIND-minded DNS administrator: DHCP Failover - both NetID and InfoBLOX can share DHCP state information between multiple DHCP servers so that if one goes down, the other can pick up where the first left off. When last I checked, Microsoft didn't support this functionality. But I'm sure there are other ways to make sure a client always has a DHCP server available. What methods do you use?

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
A good plan today is better than a perfect plan tomorrow.
List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Error in PDC Operations Master
I would strongly advise against that, restoring an AD DC to an earlier point in time without its knowledge causes an issue known as USN rollback which is difficult to detect, manifests odd symptoms and may cause more problems than it resolves. The role related approaches posted so far are, IMHO, the better next-step.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, May 31, 2005 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

I also have Ghost Images of my servers from the day before my replication stopped. What do you think of restoring back to those images and then restoring 1 of my active directory backups? Because we're a university, this is normally the time of year I reset passwords, so I could get away with doing a master reset of all passwords.

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, May 31, 2005 5:50 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It certainly is finite, everything I have, however, indicates that RID strength is ~30 bits equating to ~1 billion per domain. I've had a brief look elsewhere and can find no reference to other constraining factors though that's not to say there aren't any since this most certainly isn't a scenario I've personally encountered.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, May 31, 2005 5:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master

As a by the way: I remember attending an Active Directory session last year at TechED Amsterdam, where it was stated that the RID pools were not unlimited and it was a finite number, something like 143 million RIDs per domain, now if it increases by 1 million every time automatically plus you have a lot of objects in your AD 143 million does not seem that many. The session was a John Craddock session, on AD as part of the pre-conference programme. Can anyone confirm this number and confirm the matter?

Regards
Mark

-----Original Message-----
From: Jorge de Almeida Pinto <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:31:02
To: ActiveDir@mail.activedir.org, Send - AD mailing list <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean, You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool is increased automatically by 1 million. Thanks for the info and sorry for the wrong info about the need to manually increase the RID available pool. Is the automatic increase somehow dependent on another variable? (like number of DCs and/or number of days or something else) Or is it a fixed value?

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, 31 May 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Sunday, May 29, 2005 5:22 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because you are seizing and not transferring and as the NEW Rid Manager object may not be up-to-date on the remaining DCs (because replication halted/stopped for some reason) you may want to increase the Ridavailablepool attribute (on the Rid Manager object in the domain) for the NEW RID MANAGER FSMO (just to be sure)

Cheers,
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, 27 May 2005 22:53
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Yes, but a fleeting one in most cases. You'll need to seize the roles assigned to the errant DC. In terms of who owns the roles, you are only interested in the perspective of the other DCs. The PDC FSMO serves many purposes and is indeed an important DC but even it can tolerate downtime.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [
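An added example (not code from the thread) of the consistency check behind Dean's "difficult to detect" remark: an image restore winds a DC's USN counter back while its invocationID stays the same, so partners already hold USNs from that invocationID that are higher than the DC now reports. It assumes you have collected each DC's RootDSE highestCommittedUSN and its up-to-dateness vector (repadmin /showutdvec); every name, invocationID and USN value below is constructed. Windows Server 2003 SP1 and later DCs perform the same comparison themselves and log NTDS Replication event 2095 when it trips.

```python
"""Offline check for the USN-rollback signature.

Added example, not code from the thread.  Input mirrors what you would
collect from ``repadmin /showutdvec <DC> <naming-context>`` and from each
DC's RootDSE ``highestCommittedUSN``; all values here are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class DcState:
    name: str
    invocation_id: str          # database identity; a supported restore changes it
    highest_committed_usn: int  # RootDSE highestCommittedUSN as the DC reports it now
    # invocationID of a partner -> highest USN this DC has received from it
    utd_vector: dict = field(default_factory=dict)


def find_usn_rollback(dcs):
    """Return one finding per (source, observer) pair where the observer has
    already received a USN from the source's invocationID that is higher than
    the source's own current highestCommittedUSN.

    That is what an image restore produces: the DC's USN counter went backwards
    while its invocationID stayed the same, so it will re-issue USNs its
    partners believe they have already seen and those changes never replicate
    out.  A supported restore (system-state backup/restore) assigns a fresh
    invocationID; old vector entries then match no live DC and are ignored.
    """
    by_invocation = {dc.invocation_id: dc for dc in dcs}
    findings = []
    for observer in dcs:
        for inv_id, seen_usn in observer.utd_vector.items():
            source = by_invocation.get(inv_id)
            if source is None or source is observer:
                continue  # retired invocationID, or the DC's own entry
            if seen_usn > source.highest_committed_usn:
                findings.append({
                    "rolled_back_dc": source.name,
                    "observed_by": observer.name,
                    "partner_has_seen_usn": seen_usn,
                    "dc_now_reports_usn": source.highest_committed_usn,
                    "gap": seen_usn - source.highest_committed_usn,
                })
    return findings


# Constructed sample: PDC1 was rolled back to yesterday's image.  Its partners
# had already replicated USNs up to 45210 from invocationID "inv-pdc1", but
# the restored database only reports 40000.
SAMPLE_ROLLBACK = [
    DcState("PDC1", "inv-pdc1", 40000, {"inv-dc2": 9800, "inv-dc3": 7100}),
    DcState("DC2", "inv-dc2", 9850, {"inv-pdc1": 45210, "inv-dc3": 7100}),
    DcState("DC3", "inv-dc3", 7120, {"inv-pdc1": 45190, "inv-dc2": 9850}),
]

# Constructed sample: PDC1 was restored the supported way instead and came back
# with a new invocationID.  The partners' stale "inv-pdc1-old" entries match
# no live DC, so the check stays clean.
SAMPLE_CLEAN = [
    DcState("PDC1", "inv-pdc1-new", 40120, {"inv-dc2": 9850, "inv-dc3": 7120}),
    DcState("DC2", "inv-dc2", 9850, {"inv-pdc1-old": 45210, "inv-dc3": 7100}),
    DcState("DC3", "inv-dc3", 7120, {"inv-pdc1-old": 45190, "inv-dc2": 9850}),
]


if __name__ == "__main__":
    for finding in find_usn_rollback(SAMPLE_ROLLBACK):
        print(finding)
    print("clean set:", find_usn_rollback(SAMPLE_CLEAN))
```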
RE: [ActiveDir] lastlogontimestamp-
I'm staying out of it. I'll let you guys settle it. :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 30, 2005 6:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

Hey I was simply agreeing with Diane, she is the one that knew it was wrong. :o)

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, May 29, 2005 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

You just made joe's head bigger...

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 27, 2005 8:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

I'll yield on this and stand corrected. Although I did not exactly remember reading about (or observing) this behavior, current materials I just consulted say that Joe and Diane are correct - as always. Got to read more.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/27/2005 6:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

Yes, I agree with you, it is incorrect. BDCs weren't entirely read only, non-replicating attributes such as last logon, bad password count, etc were written locally and yes you had to query all DCs to get an accurate accounting of what happened. If this were the architecture of NT4, the PDC would have burned to the ground in any decent sized enterprise.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Friday, May 27, 2005 7:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

> In NT4, all updates go up to the PDC. This is why you will get a true
> last login report

Not that my small wattage can hold a candle to the brain power for the others on the list but isn't this incorrect? IIRC, under NT 4.0 the last logon went to the authenticating DC. That is why you had to query all the DCs in a domain to get an accurate lastlogon value for an account. Updates to an account such as pwd changes, etc went to the DC. Not that it really matters since NT 4.0 is no longer relevant.

Diane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 27, 2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

In NT4, all updates go up to the PDC. This is why you will get a true last login report. Post NT4, most updates take place on any DC, and lastlogon is one such update. Because it is possible that a user can be authenticated by different DCs at different times, AND because lastlogon is NOT replicated between DCs, you will get different lastlogon reports, depending on which DC you are querying for it. The reason you are getting a consistent report today is likely because you are querying the DC that logged you in today. If you query ANOTHER DC now, you will get a different result IF that DC had not authenticated you today. Lastlogontimestamp was introduced in 2K3 to address this lack of correlation in a multi-DC environment. Lastlogontimestamp is "eventually" replicated and adjusted, so you will get more consistent results if you query multiple DCs for lastlogontimestamp. Before lastlogontimestamp, you will have to query ALL your DCs for lastlogon, then you will have to compare the results they give you and find the most current in order to get a semblance of accurate last logon.

HTH

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Fri 5/27/2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

Hi Al, Thank you for taking the time to reply, and I very much appreciate your effort on researching this. You know that I recall using USRSTAT on an NT4 Domain and it would show the Domain Controller that actually authenticated the user account, however it does not seem to display this output in an Active Directory Forest. Go figure.. BTW: My last logon is the correct time and I have logged in several times today. Have a happy Memorial day weekend!

Peace!
Jose :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Al Mulnick
Sent: Friday, May 27,
RE: [ActiveDir] DHCP failover?
Al, Jose, Thanks for the responses. Personally, I think it's a red herring. I would put different scopes on different machines as Jose suggested. And Al (not me :-) is also right: it would just affect new leases. It's a manageable problem.

AL

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Al Mulnick
Sent: Thursday, May 26, 2005 9:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DHCP failover?

How long do you expect your DHCP server to be down? Longer than your lease time? If so, why? You do have your scopes on other machines as well right (not putting all the eggs in the same basket sort of thing)?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 26, 2005 4:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DHCP failover?

I've had the following posed to me by my BIND-minded DNS administrator: DHCP Failover - both NetID and InfoBLOX can share DHCP state information between multiple DHCP servers so that if one goes down, the other can pick up where the first left off. When last I checked, Microsoft didn't support this functionality. But I'm sure there are other ways to make sure a client always has a DHCP server available. What methods do you use?

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
A good plan today is better than a perfect plan tomorrow.
RE: [ActiveDir] Error in PDC Operations Master
I also have Ghost Images of my servers from the day before my replication stopped. What do you think of restoring back to those images and then restoring 1 of my active directory backups? Because we're a university, this is normally the time of year I reset passwords, so I could get away with doing a master reset of all passwords.

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, May 31, 2005 5:50 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It certainly is finite, everything I have, however, indicates that RID strength is ~30 bits equating to ~1 billion per domain. I've had a brief look elsewhere and can find no reference to other constraining factors though that's not to say there aren't any since this most certainly isn't a scenario I've personally encountered.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, May 31, 2005 5:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master

As a by the way: I remember attending an Active Directory session last year at TechED Amsterdam, where it was stated that the RID pools were not unlimited and it was a finite number, something like 143 million RIDs per domain, now if it increases by 1 million every time automatically plus you have a lot of objects in your AD 143 million does not seem that many. The session was a John Craddock session, on AD as part of the pre-conference programme. Can anyone confirm this number and confirm the matter?

Regards
Mark

-----Original Message-----
From: Jorge de Almeida Pinto <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:31:02
To: ActiveDir@mail.activedir.org, Send - AD mailing list <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean, You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool is increased automatically by 1 million. Thanks for the info and sorry for the wrong info about the need to manually increase the RID available pool. Is the automatic increase somehow dependent on another variable? (like number of DCs and/or number of days or something else) Or is it a fixed value?

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, 31 May 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Sunday, May 29, 2005 5:22 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because you are seizing and not transferring and as the NEW Rid Manager object may not be up-to-date on the remaining DCs (because replication halted/stopped for some reason) you may want to increase the Ridavailablepool attribute (on the Rid Manager object in the domain) for the NEW RID MANAGER FSMO (just to be sure)

Cheers,
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, 27 May 2005 22:53
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Yes, but a fleeting one in most cases. You'll need to seize the roles assigned to the errant DC. In terms of who owns the roles, you are only interested in the perspective of the other DCs. The PDC FSMO serves many purposes and is indeed an important DC but even it can tolerate downtime.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because I believe my errant DC to be my PDC will that be a problem demoting it and then re-introducing it to the domain? Here is a screen shot of my Operations Masters... http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of D
[ActiveDir] Enhancement Question
This is an odd question. We have just about finished up rolling out AD 2003 (from an NT domain) and I have been charged with finding "several ways to utilize Active Directory to optimize the management of our applications and infrastructure. At least one of the solutions should enhance functionality directly for the user community."

I'm having problems finding ways to enhance functionality for the end-users. Besides tying the AD into one of our outsourced web based applications to reduce their password count I'm stretching. I know of a number of management and infrastructure enhancements that could be made but none enhance the functionality of our end-users to a point where they will notice it and say "Wow, now that's cool". Does anyone know of a location where I can get ideas on this topic?

Increased security, stability, management. These core things are not seen by the end-user even though they directly affect them. I need to find something that the end-users will like to see and something that benefits them. I'm just coming up blank on this. In the past, I have always been instructed to use AD in ways that the end-user doesn't notice but increases the functionality.

Thanks,
Charlie
[ActiveDir] Question on IIS management via AD...
Good Morning! I want to allow one of our users to manage our website services (IIS, Indexing Service) without giving them full administrative access to everything else. What's the best method to do this? Is there a primer or some examples somewhere that point the way? Google doesn't seem to be giving me what I need. Maybe it's just me!

-Steve
--
Steven L. Dunn
Director of Information Technology
Illinois State Bar Association
[EMAIL PROTECTED] | 217-747-1455
RE: [ActiveDir] Catch all DNS record
> I thought that MS (NT 4.0 and later I think) will put a "." at the end of each unqualified multi label query.

No, I think you have it backward. Nslookup does not append a ".", it expects one, such that if there is no ".", nslookup then appends the entire domain suffix configured in TCP/IP. If there is no suffix configured and DNS could not locate the record you've requested, it tends to then append the wildcarded domain name in the lookup.

I think we need to clarify your "unqualified multi label". If it's multi-labeled, it is qualified. If it has a ".", it is qualified. Now, nslookup considers a qualified (1.2.3) to be NOT FULLY QUALIFIED because there is no "." at the end of "3" (like so, 1.2.3.), so I am not sure if that's what you also refer to as "unqualified". It is important that you know that this is an NSLOOKUP bug, and this bug tends to manifest itself WHEN YOU HAVE A WILD-CARDED ZONE IN YOUR DNS. Do you see the correlation I am trying to point out?

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Mike Newell
Sent: Fri 5/27/2005 8:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Catch all DNS record

Thanks Deji, Awesome, thanks for the reply. Everything makes sense except the part about a query for a domain other than my internal domain, which will resolve to the Wildcard. I thought that MS (NT 4.0 and later I think) will put a "." at the end of each unqualified multi label query. Also, I was under the impression that MS will only append the suffix if it's an unqualified single label query. I'm not second guessing here, I just want to make sure I'm understanding this before I decide to allow the wildcard or not. Again, thanks for the reply and the detailed info.

Mike.
RE: [ActiveDir] lastlogontimestamp-
You are ascribing more power to me than I possess, Rick :p There is no known way to get Joe's head to be bigger than it currently is. It's sooo big it has its own separate zip/area code :-0

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Sun 5/29/2005 2:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

You just made joe's head bigger...

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 27, 2005 8:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

I'll yield on this and stand corrected. Although I did not exactly remember reading about (or observing) this behavior, current materials I just consulted say that Joe and Diane are correct - as always. Got to read more.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/27/2005 6:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

Yes, I agree with you, it is incorrect. BDCs weren't entirely read only; non-replicating attributes such as last logon, bad password count, etc. were written locally and yes, you had to query all DCs to get an accurate accounting of what happened. If this were the architecture of NT4, the PDC would have burned to the ground in any decent sized enterprise.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Friday, May 27, 2005 7:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

> In NT4, all updates go up to the PDC. This is why you will get a true
> last login report

Not that my small wattage can hold a candle to the brain power of the others on the list, but isn't this incorrect? IIRC, under NT 4.0 the last logon went to the authenticating DC. That is why you had to query all the DCs in a domain to get an accurate lastlogon value for an account. Updates to an account such as pwd changes, etc. went to the DC. Not that it really matters since NT 4.0 is no longer relevant.

Diane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 27, 2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

In NT4, all updates go up to the PDC. This is why you will get a true last login report. Post NT4, most updates take place on any DC, and lastlogon is one such update. Because it is possible that a user can be authenticated by a different DC at a different time, AND because lastlogon is NOT replicated between DCs, you will get a different lastlogon report depending on which DC you are querying for it. The reason you are getting a consistent report today is likely because you are querying the DC that logged you in today. If you query ANOTHER DC now, you will get a different result IF that DC had not authenticated you today.

Lastlogontimestamp was introduced in 2K3 to address this lack of correlation in a multi-DC environment. Lastlogontimestamp is "eventually" replicated and adjusted, so you will get more consistent results if you query multiple DCs for lastlogontimestamp. Before lastlogontimestamp, you will have to query ALL your DCs for lastlogon, then you will have to compare the results they give you and find the most current in order to get a semblance of an accurate last logon.

HTH

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Fri 5/27/2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

Hi Al,

Thank you for taking the time to reply, and I very much appreciate your effort on researching this. You know that I recall using USRSTAT on a NT4 Domain and it would show the Domain Controller that actually authenticated the user account; however, it does not seem to display this output in an Active Directory Forest. Go figure..

BTW: My last logon is the correct time and I have logged in several times today.

Have a happy Memorial day weekend!

Peace!
Jose :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Al Mulnick
Sent: Friday, May 27
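The per-DC sweep Dèjì describes, as an added example that is not part of the thread: ask every DC for the non-replicated lastLogon, keep the newest, and set it beside the replicated lastLogonTimestamp. It assumes RSAT's ActiveDirectory module; the account name is a placeholder.

```powershell
# Added example (not from the list thread). Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param([Parameter(Mandatory)] [string] $SamAccountName)

    $newest   = [datetime]::MinValue
    $newestDC = $null

    # lastLogon is NOT replicated, so every DC in the domain has to be asked individually.
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                            -Properties lastLogon -ErrorAction Stop
        }
        catch {
            # An unreachable DC leaves a hole in the answer; report it rather than hide it.
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
            continue
        }

        # lastLogon is a 64-bit FILETIME (100-ns ticks since 1601-01-01 UTC); 0 = never on this DC.
        if ($u.lastLogon -gt 0) {
            $t = [datetime]::FromFileTime($u.lastLogon)
            if ($t -gt $newest) { $newest = $t; $newestDC = $dc.HostName }
        }
    }

    # lastLogonTimestamp does replicate, so any one DC will do, but it is only rewritten when
    # the stored value is older than msDS-LogonTimeSyncInterval (14 days by default), so it
    # can lag the true last logon by up to that interval.
    $ts = (Get-ADUser -Identity $SamAccountName -Properties lastLogonTimestamp).lastLogonTimestamp
    $tsTime = $null
    if ($ts -gt 0) { $tsTime = [datetime]::FromFileTime($ts) }

    $lastLogon = $null
    if ($newestDC) { $lastLogon = $newest }

    [pscustomobject]@{
        SamAccountName     = $SamAccountName
        LastLogon          = $lastLogon      # newest value across all reachable DCs
        AuthenticatingDC   = $newestDC       # the DC that holds that value
        LastLogonTimestamp = $tsTime         # replicated, coarse-grained value
    }
}

Get-TrueLastLogon -SamAccountName 'jdoe'   # placeholder account name
```

A gap between LastLogon and LastLogonTimestamp of up to the sync interval is normal; a DC that cannot be reached is the case that makes the sweep unreliable, which is why it is surfaced as a warning instead of silently skipped.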
Re: [ActiveDir] GPO oddity
Hi Russ...

Enforced overrides Block Inheritance. Enforced means run always and last, really. You shouldn't even need the block. Should run last by default without the enforced.

John

"Rimmerman, Russ" <[EMAIL PROTECTED] rcameron.com>
Sent by: [EMAIL PROTECTED]
05/31/2005 08:25 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO oddity

We have a Default Domain level GPO that is set to "Enforced". In this GPO, we set a 120 minute screensaver timeout that locks the screensaver after 120 minutes. In a GPO at a lower OU level, we have an OU that has "Block Policy Inheritance" turned on, and a GPO is linked to that OU that sets the screensaver timeout to 3 minutes. For some reason, the users in that OU are getting the default domain GPO timeout of 120 minutes rather than the 3 minute screensaver timeout.

I assume if we turn off "Enforced" on the default domain GPO, anyone that belongs to a Block Policy Inheritance OU will get their lower level GPO applied rather than the default domain GPO?

~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
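An added check for Russ's situation, not from the thread: list the effective GPO order on the OU with the GroupPolicy module and flag the links that still reach it despite Block Inheritance, which is exactly what an Enforced domain link does. The OU and domain DNs are placeholders.

```powershell
# Added example (not from the list thread). Assumes the GroupPolicy module (RSAT/GPMC).
Import-Module GroupPolicy

function Show-EffectiveGpoOrder {
    param([Parameter(Mandatory)] [string] $TargetOU)

    $inh = Get-GPInheritance -Target $TargetOU

    # InheritedGpoLinks is the effective list for this container, as on GPMC's
    # "Group Policy Inheritance" tab: links cut off by Block Inheritance are already
    # gone, but Enforced links from parent containers survive and sit at the top.
    # Order 1 is the highest precedence: it is applied last and wins any conflict.
    $inh.InheritedGpoLinks |
        Sort-Object Order |
        ForEach-Object {
            [pscustomobject]@{
                Precedence    = $_.Order
                GPO           = $_.DisplayName
                LinkedAt      = $_.Target
                Enforced      = $_.Enforced
                Enabled       = $_.Enabled
                # True for the links Russ is seeing: blocked OU, yet an enforced
                # link from above still applies (and after the OU's own GPO).
                BypassesBlock = ($inh.GpoInheritanceBlocked -and $_.Enforced -and
                                 ($_.Target -ne $TargetOU))
            }
        }
}

Show-EffectiveGpoOrder -TargetOU 'OU=Kiosks,DC=example,DC=com' | Format-Table -AutoSize

# Remedy John points to: take Enforced off the domain link (placeholder names), or move
# the setting out of the domain-level GPO; the OU's own link then wins by link order alone.
# Set-GPLink -Name 'Default Domain Policy' -Target 'DC=example,DC=com' -Enforced No
```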
[ActiveDir] GPO oddity
We have a Default Domain level GPO that is set to "Enforced". In this GPO, we set a 120 minute screensaver timeout that locks the screensaver after 120 minutes. In a GPO at a lower OU level, we have an OU that has "Block Policy Inheritance" turned on, and a GPO is linked to that OU that sets the screensaver timeout to 3 minutes. For some reason, the users in that OU are getting the default domain GPO timeout of 120 minutes rather than the 3 minute screensaver timeout.

I assume if we turn off "Enforced" on the default domain GPO, anyone that belongs to a Block Policy Inheritance OU will get their lower level GPO applied rather than the default domain GPO?

~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
RE: [ActiveDir] Error in PDC Operations Master
It certainly is finite; everything I have, however, indicates that RID strength is ~30 bits, equating to ~1 billion per domain. I've had a brief look elsewhere and can find no reference to other constraining factors, though that's not to say there aren't any since this most certainly isn't a scenario I've personally encountered.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, May 31, 2005 5:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master

As a by the way: I remember attending an Active Directory session last year at TechED Amsterdam, where it was stated that the RID pools were not unlimited and it was a finite number, something like 143 million RIDs per domain; now if it increases by 1 million every time automatically, plus you have a lot of objects in your AD, 143 million does not seem that many. The session was a John Craddock session, on AD as part of the pre-conference programme. Can anyone confirm this number and confirm the matter?

Regards
Mark

-----Original Message-----
From: Jorge de Almeida Pinto <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:31:02
To: ActiveDir@mail.activedir.org, Send - AD mailing list <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean,

You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool is increased automatically by 1 million. Thanks for the info and sorry for the wrong info about the need to manually increase the RID available pool.

Is the automatic increase somehow dependent on another variable? (like number of DCs and/or number of days or something else) Or is it a fixed value?

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: dinsdag 31 mei 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Sunday, May 29, 2005 5:22 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because you are seizing and not transferring, and as the NEW Rid Manager object may not be up-to-date on the remaining DCs (because replication halted/stopped for some reason), you may want to increase the Ridavailablepool attribute (on the Rid Manager object in the domain) for the NEW RID MANAGER FSMO (just to be sure)

Cheers,
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: vrijdag 27 mei 2005 22:53
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Yes, but a fleeting one in most cases. You'll need to seize the roles assigned to the errant DC. In terms of who owns the roles, you are only interested in the perspective of the other DCs. The PDC FSMO serves many purposes and is indeed an important DC but even it can tolerate downtime.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because I believe my errant DC to be my PDC, will that be a problem demoting it and then re-introducing it to the domain?

Here is a screen shot of my Operations Masters...
http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 12:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

That's what I expected.

Choice 1 - Mod. the registry and permit the errant DC to re-enter the replication topology (not recommended)
Choice 2 - Forcibly demote the errant DC, cleanup its metadata and reintroduce it through DCpromo

Caveats -
Choice 1: lingering objects may exist
Choice 2: you'll lose any changes locally introduced to the errant DC that occurred after its last successful replication attempt

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Err
RE: [ActiveDir] Error in PDC Operations Master
To launch an attack on this the attacker must be able to create security principals. Although it is a very large number, ways to mitigate this are a good implementation of delegation of control and NTDS quotas.

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: dinsdag 31 mei 2005 12:02
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master

Thanks Neil, I understand the concepts of seizure, but it was the implications of 1 million RID increases that were of concern; but as the number is 1,073,741,823 not 143,000,000 it does not seem that much of an issue - let's hope nobody can launch a DoS to increase a domain's RID pool.

Mark

-----Original Message-----
From: "Ruston, Neil" <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:18:23
To: "'ActiveDir@mail.activedir.org'"
Subject: RE: [ActiveDir] Error in PDC Operations Master

The following: http://support.microsoft.com/?kbid=305475 appears to suggest the pool size is considerably larger.

Bear in mind also, Mark, that seizure of the PDC role should not / will not be performed on a regular basis and the 1 million increment will not, therefore, represent an issue.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 31 May 2005 10:08
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master

As a by the way: I remember attending an Active Directory session last year at TechED Amsterdam, where it was stated that the RID pools were not unlimited and it was a finite number, something like 143 million RIDs per domain; now if it increases by 1 million every time automatically, plus you have a lot of objects in your AD, 143 million does not seem that many. The session was a John Craddock session, on AD as part of the pre-conference programme. Can anyone confirm this number and confirm the matter?

Regards
Mark

-----Original Message-----
From: Jorge de Almeida Pinto <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:31:02
To: ActiveDir@mail.activedir.org, Send - AD mailing list <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean,

You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool is increased automatically by 1 million. Thanks for the info and sorry for the wrong info about the need to manually increase the RID available pool.

Is the automatic increase somehow dependent on another variable? (like number of DCs and/or number of days or something else) Or is it a fixed value?

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: dinsdag 31 mei 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Sunday, May 29, 2005 5:22 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because you are seizing and not transferring, and as the NEW Rid Manager object may not be up-to-date on the remaining DCs (because replication halted/stopped for some reason), you may want to increase the Ridavailablepool attribute (on the Rid Manager object in the domain) for the NEW RID MANAGER FSMO (just to be sure)

Cheers,
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: vrijdag 27 mei 2005 22:53
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Yes, but a fleeting one in most cases. You'll need to seize the roles assigned to the errant DC. In terms of who owns the roles, you are only interested in the perspective of the other DCs. The PDC FSMO serves many purposes and is indeed an important DC but even it can tolerate downtime.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because I believe my errant DC to be my PDC, will that be a problem demoting it and then re-introducing it to the domain?

Here is a screen shot of my Operations Masters...
http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Frid
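The rIDAvailablePool attribute Jorge and Dean discuss above holds two 32-bit numbers packed into one 64-bit value, so the ceiling Mark asks about and the domain's current position toward it can both be read from it; the following is an added example, not code from the thread, using RSAT's ActiveDirectory module against the current domain.

```powershell
# Added example (not from the list thread). Assumes the ActiveDirectory module (RSAT)
# and PowerShell 3.0 or later (for -shr). Run from a domain-joined host.
Import-Module ActiveDirectory

function Get-RidPoolStatus {
    param([string] $Server)   # optional: read the attribute from one specific DC

    $domain = if ($Server) { Get-ADDomain -Server $Server } else { Get-ADDomain }

    # The pool lives on the RID Manager$ object under the domain's System container.
    $ridMgr = "CN=RID Manager$,CN=System,$($domain.DistinguishedName)"
    $args = @{ Identity = $ridMgr; Properties = 'rIDAvailablePool' }
    if ($Server) { $args.Server = $Server }

    $pool = [int64](Get-ADObject @args).rIDAvailablePool

    # High 32 bits: the maximum RID the domain may ever allocate
    #   (2^30 - 1 = 1,073,741,823 on a stock domain; each RID-master seizure adds 1,000,000).
    # Low 32 bits: the next RID the RID master will hand out in a pool.
    $max  = [int64]($pool -shr 32)
    $next = [int64]($pool -band 0xFFFFFFFF)

    [pscustomobject]@{
        Domain        = $domain.DNSRoot
        RidMaster     = $domain.RIDMaster
        MaxRid        = $max
        NextRid       = $next
        RemainingRids = $max - $next
        PercentUsed   = [math]::Round(100 * $next / $max, 3)
    }
}

Get-RidPoolStatus
```

Comparing MaxRid across DCs after a seizure shows whether the +1,000,000 bump has replicated; a RemainingRids figure that drops far faster than the account-creation rate explains is the symptom of the bulk-creation scenario Jorge describes, which delegation of control and NTDS quotas bound.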
Re: [ActiveDir] Error in PDC Operations Master
Thanks Neil, I understand the concepts of seizure, but it was the implications of 1 million RID increases that were of concern; but as the number is 1,073,741,823 not 143,000,000 it does not seem that much of an issue - let's hope nobody can launch a DoS to increase a domain's RID pool.

Mark

-----Original Message-----
From: "Ruston, Neil" <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:18:23
To: "'ActiveDir@mail.activedir.org'"
Subject: RE: [ActiveDir] Error in PDC Operations Master

The following: http://support.microsoft.com/?kbid=305475 appears to suggest the pool size is considerably larger.

Bear in mind also, Mark, that seizure of the PDC role should not / will not be performed on a regular basis and the 1 million increment will not, therefore, represent an issue.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 31 May 2005 10:08
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master

As a by the way: I remember attending an Active Directory session last year at TechED Amsterdam, where it was stated that the RID pools were not unlimited and it was a finite number, something like 143 million RIDs per domain; now if it increases by 1 million every time automatically, plus you have a lot of objects in your AD, 143 million does not seem that many. The session was a John Craddock session, on AD as part of the pre-conference programme. Can anyone confirm this number and confirm the matter?

Regards
Mark

-----Original Message-----
From: Jorge de Almeida Pinto <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:31:02
To: ActiveDir@mail.activedir.org, Send - AD mailing list <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean,

You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool is increased automatically by 1 million. Thanks for the info and sorry for the wrong info about the need to manually increase the RID available pool.

Is the automatic increase somehow dependent on another variable? (like number of DCs and/or number of days or something else) Or is it a fixed value?

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: dinsdag 31 mei 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Sunday, May 29, 2005 5:22 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because you are seizing and not transferring, and as the NEW Rid Manager object may not be up-to-date on the remaining DCs (because replication halted/stopped for some reason), you may want to increase the Ridavailablepool attribute (on the Rid Manager object in the domain) for the NEW RID MANAGER FSMO (just to be sure)

Cheers,
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: vrijdag 27 mei 2005 22:53
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Yes, but a fleeting one in most cases. You'll need to seize the roles assigned to the errant DC. In terms of who owns the roles, you are only interested in the perspective of the other DCs. The PDC FSMO serves many purposes and is indeed an important DC but even it can tolerate downtime.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because I believe my errant DC to be my PDC, will that be a problem demoting it and then re-introducing it to the domain?

Here is a screen shot of my Operations Masters...
http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 12:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

That's what I expected.

Choice 1 - Mod. the registry and permit the errant DC to re-enter the replication topology (not recommended)
Choice 2 - Forcibly demote the errant DC, cleanup its metadata and reintroduce it through DCpromo

Caveats -
Choice 1: lingering objects may exist
Choice 2: you'll lose any changes locally introduced
RE: [ActiveDir] Error in PDC Operations Master
The following: http://support.microsoft.com/?kbid=305475 appears to suggest the pool size is considerably larger.

Bear in mind also, Mark, that seizure of the PDC role should not / will not be performed on a regular basis and the 1 million increment will not, therefore, represent an issue.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 31 May 2005 10:08
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master

As a by the way: I remember attending an Active Directory session last year at TechED Amsterdam, where it was stated that the RID pools were not unlimited and it was a finite number, something like 143 million RIDs per domain; now if it increases by 1 million every time automatically, plus you have a lot of objects in your AD, 143 million does not seem that many. The session was a John Craddock session, on AD as part of the pre-conference programme. Can anyone confirm this number and confirm the matter?

Regards
Mark

-----Original Message-----
From: Jorge de Almeida Pinto <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:31:02
To: ActiveDir@mail.activedir.org, Send - AD mailing list <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean,

You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool is increased automatically by 1 million. Thanks for the info and sorry for the wrong info about the need to manually increase the RID available pool.

Is the automatic increase somehow dependent on another variable? (like number of DCs and/or number of days or something else) Or is it a fixed value?

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: dinsdag 31 mei 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Sunday, May 29, 2005 5:22 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because you are seizing and not transferring, and as the NEW Rid Manager object may not be up-to-date on the remaining DCs (because replication halted/stopped for some reason), you may want to increase the Ridavailablepool attribute (on the Rid Manager object in the domain) for the NEW RID MANAGER FSMO (just to be sure)

Cheers,
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: vrijdag 27 mei 2005 22:53
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Yes, but a fleeting one in most cases. You'll need to seize the roles assigned to the errant DC. In terms of who owns the roles, you are only interested in the perspective of the other DCs. The PDC FSMO serves many purposes and is indeed an important DC but even it can tolerate downtime.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because I believe my errant DC to be my PDC, will that be a problem demoting it and then re-introducing it to the domain?

Here is a screen shot of my Operations Masters...
http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 12:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

That's what I expected.

Choice 1 - Mod. the registry and permit the errant DC to re-enter the replication topology (not recommended)
Choice 2 - Forcibly demote the errant DC, cleanup its metadata and reintroduce it through DCpromo

Caveats -
Choice 1: lingering objects may exist
Choice 2: you'll lose any changes locally introduced to the errant DC that occurred after its last successful replication attempt

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

1. Number of DCs/Domain/Sites
3 Sites -> Site A has DC1 & DC2 -> Site B
RE: [ActiveDir] Selective moving/migration of users
Thanks I will try it and let you know how I progress

Regards,
Lucia Washaya
UNAMSIL
Tel Ext.: 5497 or Local Tel.: 022-295-526
Int'l Tel.: Via Italy +(39) 083123-5497
Via USA +1(212) 963-9915 (after audio response dial 174-5497)
== The cobra will bite whether you call it Cobra or Dear Mr. Cobra. ===

"Dan Holme" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
05/30/2005 11:19 PM
Please respond to ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Selective moving/migration of users

Take a look at the documentation of the ADMT. You can use a SELECTION FILE to specify the users & groups you wish to modify, so that you don't have to manually select them in the user interface. There are also a number of options to *script* the ADMT, which means you could utilize any language (e.g. _vbscript_, .bat) to create the 'logic' to select your users and groups.

To expand on what Jorge mentioned, there are lots of ways to migrate, but by far the *easiest* with the ADMT is to migrate the global groups you want *first*, then, as a second 'pass' through the ADMT, migrate the users you want.

Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, May 30, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Selective moving/migration of users

As Jorge mentioned earlier Quest DMW has an option to find out the groups that user is a member of and migrate that as well (nice checkbox)...not sure bout ADMT though..

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, May 30, 2005 7:56 PM
To: '[EMAIL PROTECTED] '; ''Lucia Washaya ' '; '''ActiveDir@mail.activedir.org' ' '
Subject: RE: [ActiveDir] Selective moving/migration of users

almost forgot: think about closed sets (meaning: if I migrate these objects, what other objects should be migrated also) what about the groups the NT users you want to migrate are members of? Don't you need to migrate those as well?

cheers,
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: 'Lucia Washaya '; '[EMAIL PROTECTED] '; ''ActiveDir@mail.activedir.org' '
Sent: 5/30/2005 1:42 PM
Subject: RE: [ActiveDir] Selective moving/migration of users

Hi,

You can always select the user and/or groups you want to migrate. It all depends on the requirements and situations but it is not needed to migrate the domain at once. There are a lot of tools available that help you with your object migration (user, groups, computers) and resource updating (re-acl, etc.) One of the free tools available is ADMTv2 (ADMTv3 is in beta at the moment) which can migrate objects and standard windows resource updating (incl exchange). If you however need to update resources on SQL or SMS you will likely need to use a third party tool like Quest DMW

Cheers,
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; 'ActiveDir@mail.activedir.org'
Sent: 5/30/2005 12:52 PM
Subject: [ActiveDir] Selective moving/migration of users

Colleagues,

Is there a way to selectively move or migrate users between NT and Windows 2000 domains? I have two domains, one on NT and another on Windows 2000. I want to move some of the users from NT to 2000. Is there a way to do it?

Thank you in advance for your assistance

Regards,
Lucia Washaya
UNAMSIL
Tel Ext.: 5497 or Local Tel.: 022-295-526
Int'l Tel.: Via Italy +(39) 083123-5497
Via USA +1(212) 963-9915 (after audio response dial 174-5497)
== The cobra will bite whether you call it Cobra or Dear Mr. Cobra. ===

__
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] Home Directories
The trouble is that Microsoft's idea of "locked down" and my idea of "locked down" don't match... I work in a college (and I think Debbie works in a similar environment) and there's no way I'd give users full control over even their own folders - the most they get is "modify" on everything in their user area. (Giving full allows them to change permissions - most will do this accidentally and manage to remove themselves from the list or they will give access to other users. In a work environment this may be a good thing - it allows users to share work on an ad-hoc basis. For students, it's typically a way to move "pirate" material around...) There's also a problem in that if users can create folders in the root share then they will - again, some will do this accidentally and lose work in that way; others will do it maliciously. Whichever, when you have 14,000 folders to worry about you don't want odd ones sneaking in :-) The downside of this is that you can't then have the folder created by the redirection process as the user logs on; no big deal - we script the user creation so we also create the home folder with the permissions we want (admins, system - full; user - modify) On a regular basis we also force the permissions and ownership back to what they should be - I've found setacl (http://setacl.sourceforge.net) to be easier to use for this than subinacl. Steve > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme > Sent: 27 May 2005 16:14 > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Home Directories > > The best practice permissions for the ROOT SHARE (for home > directories, roaming profiles & folder redirection) are > listed below. There is a lot of confusion about these perms, > b/c there are inconsistencies in MS doc. > I've tested these to make sure they work and (as you'll see) > they're pretty well locked down. 
> > The root share > == > ACL > Users*:Allow:List Folder & Create Folders > > Inheritance: This folder only ( THIS IS TRICKY AND > IS NOT THE DEFAULT Set "Apply onto" to "THIS FOLDER ONLY") > > *Or another group that includes users who will have > folders under this root > > Creator Owner:Allow:Full > Inheritance: Subfolders & files only > > System:Allow:Full > Inheritance: This folder, subfolders & files > > Administrators: > Set based on Enterprise information security policy > > Share > Hidden share name (sharename$) > Share permissions: Everyone:Allow:Full > > ** Do not create individual user folders ** How folders are > created === Home folders: created & > perm'd automatically > > Redirected folders: created, perm'd, user owner > > SUBINACL on Res Kit to change ownership if you must > create folder in advance. (Be sure to download newest patched > version of SubInACL from MS web site) > > Profiles: created & perm'd automatically > > > Hope this helps > > Dan > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > [EMAIL PROTECTED] > Sent: Friday, May 27, 2005 8:00 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Home Directories > > Yes, make sure that the top level home folder that your share > is pointing to does not have rights for those users to make > changes. They should only have rights at their individual folder. > > For instance: > > Share Level Perms > \\server\home1 is your home folder share which has the > following perms: > Administrators - FC > Domain Users - C > > NTFS Perms > That folder maps to h:\home1 on your server. Home1 should have the > following: > Administrators - FC > > There's a user folder under home1 that exists under home1 > that maps to JohnDoe such as h:\home1\johndoe. 
>
> At the johndoe folder, you want to make sure the following permissions are set:
> Administrators - FC
> JohnDoe - Modify
>
> So now you can map the user's H: drive or whatever to \\server\home1\johndoe.
>
> Hope that helps...
>
> :m:dsm:cci:mvp
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
> Sent: Friday, May 27, 2005 10:50 AM
> To: 'ActiveDir@mail.activedir.org'
> Subject: RE: [ActiveDir] Home Directories
>
> But it also allows them to create new folders under the top level Home share. Is there a way around that?
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Friday, May 27, 2005 10:40 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Home Directories
>
> Now that your share-level permissions are correct, you need to add the individual user to their respective home folder and grant modify permissions (ntfs). That should give them change access to their files.
>
> :m:dsm:cci:mvp
>
> -Original Mes
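The provisioning and re-enforcement approach Steve describes, written out as an added PowerShell example (not code from the thread or from any poster): each home folder gets Administrators and SYSTEM Full, the user Modify, owner kept with Administrators, and inheritance from the root cut off; a second function audits the root for stray folders and drifted ACLs. $HomeRoot, $Domain and $KnownUsers are assumptions.

```powershell
# Added example, not code from the thread: the home-folder ACL Steve describes (Administrators
# and SYSTEM: Full; the user: Modify; no inheritance from the root), applied on creation or on a
# periodic re-enforcement run, plus an audit of the root share. $HomeRoot/$Domain/$KnownUsers are assumed.
param(
    [string]$HomeRoot     = 'D:\Home',            # assumed local path behind the hidden share
    [string]$Domain       = 'COLLEGE',            # assumed NetBIOS domain name
    [string[]]$KnownUsers = @('jdoe', 'asmith')   # constructed sample; normally read from AD
)
$Full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$Modify  = [System.Security.AccessControl.FileSystemRights]::Modify
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoProp  = [System.Security.AccessControl.PropagationFlags]::None
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Admins  = 'BUILTIN\Administrators'
$System  = 'NT AUTHORITY\SYSTEM'

function New-HomeFolderAcl([string]$User) {
    # Build the DACL from scratch and cut inheritance, so a later root ACL change cannot widen access.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in $Admins, $System) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, $Full, $Inherit, $NoProp, $Allow)))
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("$Domain\$User", $Modify, $Inherit, $NoProp, $Allow)))
    # Owner stays with Administrators: an owner can always rewrite the DACL, the very right Modify withholds.
    $acl.SetOwner([System.Security.Principal.NTAccount]$Admins)
    return $acl
}

function Set-HomeFolder([string]$User) {
    # Creates the folder if missing and (re)applies ACL and owner; safe to rerun on a schedule.
    $path = Join-Path $HomeRoot $User
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
    Set-Acl -Path $path -AclObject (New-HomeFolderAcl $User)
}

function Test-HomeRoot {
    # Flags stray folders (no matching user) and folders whose ACL or owner drifted from the template.
    Get-ChildItem -Path $HomeRoot -Directory | ForEach-Object {
        $name = $_.Name
        if ($KnownUsers -notcontains $name) {
            return [pscustomobject]@{ Folder = $name; Problem = 'no matching user account' }
        }
        $acl   = Get-Acl -Path $_.FullName
        $extra = $acl.Access | Where-Object { $_.IdentityReference.Value -notin @($Admins, $System, "$Domain\$name") }
        if (-not $acl.AreAccessRulesProtected -or $extra -or $acl.Owner -ne $Admins) {
            [pscustomobject]@{ Folder = $name; Problem = 'ACL or owner drifted; rerun Set-HomeFolder' }
        }
    }
}
```

Run Set-HomeFolder from the account-creation script and again from a scheduled task; Test-HomeRoot gives the list of folders that need attention without touching anything.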
Re: [ActiveDir] Error in PDC Operations Master
As a by the way: I remember attending an Active Directory session last year at TechED Amsterdam, where it was stated that the RID pools were not unlimited and it was a finite number, something like 143 million RIDs per domain. Now if it increases by 1 million every time automatically, plus you have a lot of objects in your AD, 143 million does not seem that many. The session was a John Craddock session, on AD as part of the pre-conference programme. Can anyone confirm this number and confirm the matter?

Regards
Mark

-Original Message-
From: Jorge de Almeida Pinto <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:31:02
To: ActiveDir@mail.activedir.org, Send - AD mailing list <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean,

You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool is increased automatically by 1 million. Thanks for the info and sorry for the wrong info about the need to manually increase the RID available pool.

Is the automatic increase somehow dependent on another variable? (like number of DCs and/or number of days or something else) Or is it a fixed value?

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday 31 May 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?
--
Dean Wells
MSEtechnology * Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Sunday, May 29, 2005 5:22 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because you are seizing and not transferring, and as the NEW Rid Manager object may not be up-to-date on the remaining DCs (because replication halted/stopped for some reason), you may want to increase the Ridavailablepool attribute (on the Rid Manager object in the domain) for the NEW RID MANAGER FSMO (just to be sure).

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday 27 May 2005 22:53
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Yes, but a fleeting one in most cases. You'll need to seize the roles assigned to the errant DC. In terms of who owns the roles, you are only interested in the perspective of the other DCs. The PDC FSMO serves many purposes and is indeed an important DC but even it can tolerate downtime.

--
Dean Wells
MSEtechnology * Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because I believe my errant DC to be my PDC, will that be a problem demoting it and then re-introducing it to the domain? Here is a screen shot of my Operations Masters...
http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--
Matt Brown [ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 12:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

That's what I expected.

Choice 1 - Mod. the registry and permit the errant DC to re-enter the replication topology (not recommended)
Choice 2 - Forcibly demote the errant DC, cleanup its metadata and reintroduce it through DCpromo

Caveats -
Choice 1: lingering objects may exist
Choice 2: you'll lose any changes locally introduced to the errant DC that occurred after its last successful replication attempt

--
Dean Wells
MSEtechnology * Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

1. Number of DCs/Domain/Sites
   3 Sites -> Site A has DC1 & DC2 -> Site B DC3 -> Site C DC4
2. OS version of DCs
   -> All DCs are running Windows 2003 Server Standard
3. Are the remaining DCs replicating successfully?
   -> According to DC diag they all passed replications
   -> They do all show in the DC diag the following:
      DC=domain,DC=ewu,DC=edu
      Last replication recieved from DC2 at 2005-03-23 02:00:40.
      WARNING: This latency is over the Tombstone Lifetime of 60 days!

Thanks,
--
Matt Brown [ SELECT * FROM
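A way to see the RID pool Mark and Jorge are asking about, as an added PowerShell example (not from the thread or from any poster): it reads rIDAvailablePool from the domain's RID Manager$ object and splits it into the domain-wide ceiling and the next RID to be issued. It assumes the RSAT ActiveDirectory module and read access to CN=RID Manager$.

```powershell
# Added example, not code from the thread: decode rIDAvailablePool on the domain's RID Manager$
# object. The attribute is a 64-bit value: the high 32 bits are the highest RID the domain may
# ever issue, the low 32 bits the next RID the RID master will allocate. Reading it before and
# after a seizure shows the increment Dean and Jorge discuss. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-RidPoolStatus {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    $ridManager = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$DomainDN" -Properties rIDAvailablePool
    $pool    = [int64]$ridManager.rIDAvailablePool
    $maxRid  = $pool -shr 32              # upper 32 bits: ceiling for the whole domain
    $nextRid = $pool -band 0xFFFFFFFF     # lower 32 bits: next RID to be handed out
    [pscustomobject]@{
        Domain       = $DomainDN
        MaximumRid   = $maxRid
        NextRid      = $nextRid
        RemainingRid = $maxRid - $nextRid
        PercentUsed  = [math]::Round(100 * $nextRid / $maxRid, 2)
    }
}

Get-RidPoolStatus
```

Because the value is read from whichever DC answers, check it against the RID master itself (-Server) when replication is known to be broken, as it is in Matt's domain.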
RE: [ActiveDir] Error in PDC Operations Master
Hi Dean,

You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool is increased automatically by 1 million. Thanks for the info and sorry for the wrong info about the need to manually increase the RID available pool.

Is the automatic increase somehow dependent on another variable? (like number of DCs and/or number of days or something else) Or is it a fixed value?

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday 31 May 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?

--
Dean Wells
MSEtechnology * Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Sunday, May 29, 2005 5:22 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because you are seizing and not transferring, and as the NEW Rid Manager object may not be up-to-date on the remaining DCs (because replication halted/stopped for some reason), you may want to increase the Ridavailablepool attribute (on the Rid Manager object in the domain) for the NEW RID MANAGER FSMO (just to be sure).

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday 27 May 2005 22:53
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Yes, but a fleeting one in most cases. You'll need to seize the roles assigned to the errant DC. In terms of who owns the roles, you are only interested in the perspective of the other DCs. The PDC FSMO serves many purposes and is indeed an important DC but even it can tolerate downtime.
--
Dean Wells
MSEtechnology * Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because I believe my errant DC to be my PDC, will that be a problem demoting it and then re-introducing it to the domain? Here is a screen shot of my Operations Masters...

http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--
Matt Brown [ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 12:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

That's what I expected.

Choice 1 - Mod. the registry and permit the errant DC to re-enter the replication topology (not recommended)
Choice 2 - Forcibly demote the errant DC, cleanup its metadata and reintroduce it through DCpromo

Caveats -
Choice 1: lingering objects may exist
Choice 2: you'll lose any changes locally introduced to the errant DC that occurred after its last successful replication attempt

--
Dean Wells
MSEtechnology * Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

1. Number of DCs/Domain/Sites
   3 Sites -> Site A has DC1 & DC2 -> Site B DC3 -> Site C DC4
2. OS version of DCs
   -> All DCs are running Windows 2003 Server Standard
3. Are the remaining DCs replicating successfully?
   -> According to DC diag they all passed replications
   -> They do all show in the DC diag the following:
      DC=domain,DC=ewu,DC=edu
      Last replication recieved from DC2 at 2005-03-23 02:00:40.
      WARNING: This latency is over the Tombstone Lifetime of 60 days!

Thanks,
--
Matt Brown [ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 11:16 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It seems the FSMO errors you're receiving are merely symptoms of another more significant problem; my guess is that your DCs have been ignoring one another for quite some time, i.e. - not replicating. Before proceeding, can you give me some more info. -

1. Number of DCs/Domain/Sites
2. OS version of DCs
3. Are the remaining DCs replicating successfully?

--
Dean Wells
MSEtechnology * Email: [EMAIL PROTECTED]
http://msetechnology.com

-Origin