[ActiveDir] Add computers to domain
Hi all,

Single W2k3 domain. We have moved the default Computer Container to a newly created OU called "COMPUTERS". On this OU, we have delegated Create Computer Objects and Delete Computer Objects to a group called "NONDOMAINADMINS". This group is also a member of the local admins group on all member servers. Note that this group is not a member of the domain admins group.

I read somewhere that all authenticated users can add up to 10 workstations to the domain by default. Would this group be restricted in the number of computers it can add to the domain, as it is not a member of the domain admins group? If this group is restricted to 10 computers, how can I increase this?

Thanks
Frank
RE: [ActiveDir] Migration between domains with same NetBios name
Thanks Eric, renaming the source NT4 domain was on the list of my options and I know that it works as I've done it before in a larger test environment. However, I expect many more headaches in a production environment, as it's difficult to analyse all the dependencies of existing apps, e.g. Exchange 5.5 and others. And since you need to re-join all members to the domain anyway, it's almost as much work as just joining them to the target domain...

...hmm - that just triggered a thought - I guess it would be possible to do just that: rename the source domain (on the PDC) + re-join all BDCs, then set up a trust to the target domain and join all resources to the target domain while accounts & groups are still in the (renamed) source domain. [thinking continues]... of course the challenges with the apps and potential dependencies on the old domain name remain and need to be analysed first - so it's really tough to estimate the amount of work involved for this...

Besides, the obvious downside is fallback options => customers usually don't allow any drastic changes in the existing infrastructure when migrating to another one - which I fully understand.

So I was mainly seeking other experience and things to look out for, if domain rename is not an option. E.g. is it really an issue to have a BDC of the NT4 CORP domain in the same subnet as a DC of the AD CORP domain? I guess I could hinder the AD DC somehow from trying to race against the NT4 BDC to become master browser. Even when we plan to do a hard cutover (long weekend), I'll need DCs of both domains available at some point... And I know I need to test this anyway, but can't do so right now.

I should mention that I'm talking about roughly 1000 users with clients and servers distributed in a dozen locations. So nothing major - a hard cutover should be doable over a long 4-day weekend (incl. migration of all mailboxes at once), and handling re-ACLing on the FS is no issue. According to the customer, there are no other apps (other than Exchange) that leverage the NT4 domain for anything (other than running on a member server). My past experience tells me that this is likely not to be true... I'm sure there are other things that are often overlooked - any ideas?

/Guido

From: Eric Fleischman
Sent: Thursday, 16 June 2005 07:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Rename it? I will admit, I've never actually tried this, but I know people who say it works. I think you should try this procedure, on a test box first, and report back. Maybe you should do it to a BDC you bring up just to test, isolated, and see how it goes.

http://support.microsoft.com/default.aspx?scid=kb;en-us;169741

If this does work, I'd like to know, so I can recommend it in the future. The other option is logical data migration but not actual "migration" if you will. IE, ldifde and such. But that comes with the normal "lose the SIDs" type of issues, which I assume to be a major headache for your scenario.

~Eric

PS: Basically, this mail translates roughly into me saying, this might or might not work, and I'd like you to be my testing guy to let me know, since I've never had occasion to give it a whirl myself.

From: Grillenmeier, Guido
Sent: Wednesday, June 15, 2005 10:43 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migration between domains with same NetBios name

Here is a nice one - I've done quite a few migrations with all kinds of scenarios, so I hardly ask questions around this topic. But when migrating from one NT4 domain to an AD domain which both have the same NetBIOS names, various issues and potential conflicts come to mind, and I wonder if others had to do this in the past who could share their experience.

Think about an existing NT4 domain called CORP and another existing AD domain called CORP (with DNS=corp.company.com). And now you need to migrate all users and resources from the NT4 CORP to the AD CORP and place AD DCs into the same sites as the existing NT4 DCs... I can imagine various challenges, besides not being able to set up a trust and thus losing various options for doing a "normal" migration. At least I have no need to register the AD domain in WINS; all clients are XP, but I know for sure that I'm going to run into various other issues (the worst one being that the account activation and the resource migration have to happen instantaneously, since resource access won't be possible across the domains). But I'm also thinking of networking issues with an NT4 DC of the one and an AD DC of the other domain in the same IP subnet... I wonder how others have tackled this challenge and what issues you ran into.

/Guido
Re: [ActiveDir] Add computers to domain
There is a predefined group, Account Operators. However this may not be suitable as it will also allow the members to administer user accounts and log on locally to a DC.

Instead edit the Default Domain Controllers Policy, or add a policy on the Domain Controllers OU. Under Computer Configuration, Windows Configuration, Security configuration, Local directives, assign user rights: add the group NONDOMAINADMINS to the right "Add workstations to the domain".

Regards
Peter

(nb above english is approximate as it is translated not literal)

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] DL Expansion Troubleshooting
Do you have two domains in the same physical site with Exchange servers in both domains? If so, read on, as we had a very similar issue. Hope this helps.

We had your 1st problem here, which possibly could be related to your 2nd problem. We have two domains in the same physical site, 3 Exchange servers in one domain and 1 Exchange server in the other domain. Whenever we sent out email, particularly to our ALL HANDS DL, it would sometimes fail and no one would get it; other times people would get it on the first try. It took me the longest time to figure out why.

When a DL is "expanded", any server within the organization can technically "expand" the message unless you set the expansion server; usually an Exchange server within the site does the expansion. We found that our 1 Exchange server in the other domain was getting the expansion responsibilities sometimes (25% chance) for our domain-level Distribution List. This server knows nothing about domain specifics, so it would fail. As soon as we put that domain in a separate site and reduced the site replication time to 5 minutes we no longer had any problems. One of our 3 Exchange servers in the same domain would always be responsible for the expansion of any DL we had in our domain.

I believe I eventually found a technet article on this; let me see if I can find it. I hope this helps.

Jeremy

From: Grillenmeier, Guido
Sent: Thursday, June 16, 2005 1:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DL Expansion Troubleshooting

Did you compare the members of the respective groups in AD on your 3 GCs? You could potentially have an inconsistency between the DCs.

/Guido

From: Brian Desmond
Sent: Thursday, 16 June 2005 02:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DL Expansion Troubleshooting

Apparently we have had for the past three months a persistent but not predictable issue with large and nested DL expansion. These are always DLs that are nested usually three to four levels deep and ultimately expand to tens of thousands of mailboxes. There are three global catalogs in the Exchange site, and they sit all day around 3%. No load issues, all 2k3 SP1, have been built to spec by yours truly in December I believe. Nothing weird going on with them that I can see.

There are two issues that crop up, one newer than the other. Issue #1 (original) is that quite simply it will take a couple tries of sending a message to a DL to get everybody to get it - some folks get it twice, some get it once. When you do a message tracking it just sort of falls off the face of the Earth as far as delivery to the folks that don't get it. Now issue #2 is that as of late some DLs just hang up in the submission to categorizer if you look in message tracking. Takes a couple tries to get the categorizer to categorize. Everything but the OWAs is 2000 SP3 w/ the rollup.

I just started looking at this today, and quite frankly I've gotten to the end of my short list of things to check. I cranked up diagnostic logging for DSAccess and SMTP on the gateways and the mailbox server hosting the mailbox that blasts these DLs. Haven't found anything useful.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
Re: [ActiveDir] Add computers to domain
Thanks for your response,

My configuration currently works; I can add/unjoin computers from the domain. I suppose my concern is whether I will be hitting the max 10 workstation limit with my current configuration. How will providing my NONDOMAINADMINS group the "Add workstations to the domain" privilege increase the max number of workstations?

thanks in advance...
RE: [ActiveDir] Add computers to domain
The OU permissions prevail over the "add workstations to domain" user right, which is defined in the default DC policy. So you don't need to change anything for your NONDAs.

However, the mentioned policy grants auth. users the right to join machines to a domain (up to 10 by default) => I usually remove this right for auth users, but you can also change the ms-DS-MachineAccountQuota property of your domain (e.g. via ADSIedit) and set it to 0. Or, set it to a higher value if you want normal users to add even more machines to your domain (which I don't recommend).

/Guido

From: Frank Abagnale
Sent: Thursday, 16 June 2005 09:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Add computers to domain
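An added example, not from any of the posters in this thread: a PowerShell audit of the three places the thread touches on - the domain's ms-DS-MachineAccountQuota (Guido's recommendation to set it to 0), the Create/Delete Computer Objects delegation on the COMPUTERS OU (Frank's setup), and the principals holding the "Add workstations to domain" user right on a DC (Peter's and Jorge's point about removing it from Authenticated Users). It assumes the RSAT ActiveDirectory module, a session with domain admin rights, that the script runs on a domain controller for the secedit step, and that the OU named COMPUTERS sits directly under the domain root; those are assumptions, not facts from the thread.

```powershell
# Added example (not code from the ActiveDir thread). Assumptions: RSAT
# ActiveDirectory module present, run as a domain admin on a DC, and the
# delegated OU is OU=COMPUTERS directly under the domain root.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$ouDn   = "OU=COMPUTERS,$($domain.DistinguishedName)"   # assumption: OU location

# 1. ms-DS-MachineAccountQuota: lets ANY authenticated user join up to this
#    many machines (default 10) even with no delegated OU rights.
$quotaAttr = 'ms-DS-MachineAccountQuota'
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties $quotaAttr).$quotaAttr
"Current $quotaAttr = $quota"

# Setting it to 0 leaves joins to principals with delegated Create Computer
# Objects rights on the target OU/container.
if ($quota -ne 0) {
    Set-ADDomain -Identity $domain -Replace @{ $quotaAttr = 0 }
    "Set $quotaAttr to 0"
}

# 2. Who is delegated Create/Delete Computer Objects on the OU?
#    bf967a86-0de6-11d0-a285-00aa003049e2 is the schemaIDGUID of the 'computer' class;
#    an ACE whose ObjectType is this GUID scopes CreateChild/DeleteChild to computers.
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$wanted = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$acl = Get-Acl -Path "AD:\$ouDn"
"Principals allowed to create/delete computer objects in $ouDn :"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $computerClassGuid -and
        (($_.ActiveDirectoryRights -band $wanted) -ne 0)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize

# 3. Who holds "Add workstations to domain" (SeMachineAccountPrivilege) on this DC?
#    secedit exports the effective local policy, which on a DC is what the
#    Default Domain Controllers Policy applied. Values are SIDs prefixed with '*'.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeMachineAccountPrivilege' | Select-Object -First 1
if ($line) {
    $sids = ($line.Line -split '=')[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    "Holders of SeMachineAccountPrivilege:"
    foreach ($sid in $sids) {
        $name = try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
        } catch { $sid }
        "  {0}  {1}" -f $sid, $name
    }
    # S-1-5-11 is the well-known SID for Authenticated Users.
    if ($sids -contains 'S-1-5-11') {
        Write-Warning 'Authenticated Users still hold "Add workstations to domain"; remove them in the Default Domain Controllers Policy.'
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Step 2 only lists explicit computer-scoped ACEs; a principal with GenericAll or an unscoped CreateChild on the OU can also create computer objects, so widen the filter if the delegation was done that way.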
RE: [ActiveDir] GPO configuration
I'm curious, why would you want to keep them from closing any windows that they open?

-----Original Message-----
From: Darren Mar-Elia
Sent: Wednesday, June 15, 2005 5:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO configuration

I've not seen one. I think that would be pretty hard to pull off unless you can remove the hot keys and window buttons.

-----Original Message-----
From: Freddie Coleman III
Sent: Wednesday, June 15, 2005 1:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO configuration

Isn't there a GPO setting that can prevent users from closing any window they open?
[ActiveDir] Virtual Domain Controllers
All,

Is anybody currently running Domain Controllers in VMware or Virtual Server? Have there been any problems with this environment? There is a big push at my company to virtualize every environment but, I am sure Domain Controllers should be virtualized. One of my biggest concerns is the snapshot feature. I do not have full control over the Domain Controllers and I worry that another Admin will take a snapshot of the DC and make a few changes and, if they don't work, revert to the snapshot before the changes. Wouldn't this be the same as using an older ghost image of the DC? I'm just looking for some feedback to see if this is a viable solution.
RE: [ActiveDir] Virtual Domain Controllers
We're running a couple of DCs on ESX, and others on physical hardware. So far we haven't run into any problems. You'll definitely want to watch performance to make sure that the clients are getting adequate response from the DCs. Of course, that applies to any DC and not just virtuals.

IIRC, Microsoft doesn't support DCs running on VMWare. That may have changed recently, but it's something to consider as well.

Your point about snapshot/disk image rollbacks is very important. Ironically, the only two hits I got from support.microsoft.com on "domain controller vmware" were about USN rollback. Check them out and make sure you have adequate controls in place to prevent this from happening. The USN rollback is really a subset of a larger (potential) problem: moving disk image files around is very easy, which means that anyone with access to the VMWare console has "physical" access to your domain controllers. Huge security implications there...

Hunter

-----Original Message-----
From: [EMAIL PROTECTED]
Sent: Thursday, June 16, 2005 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers
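An added example, not from Hunter or anyone else on the thread: a PowerShell check for the indicators Active Directory itself records when it detects the snapshot-revert scenario the original poster worries about. When a DC notices its USNs have gone backwards relative to what its replication partners already saw, NTDS sets the registry value "Dsa Not Writable" to 4 under the NTDS Parameters key, logs Directory Service events 2095 (USN rollback detected) and 2103 (database restored improperly, replication disabled) and pauses Netlogon so the DC stops advertising. The function below is meant to run on the DC (or via PowerShell remoting); the 30-day event window is an assumed default.

```powershell
# Added example (not code from the ActiveDir thread). Run on a domain controller.
# Reads the documented USN-rollback quarantine indicators and returns them as one object.
function Test-UsnRollbackIndicators {
    param([int]$DaysBack = 30)   # assumed search window for the event log

    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    # "Dsa Not Writable" = 4 is the value NTDS sets when it detects its own USN rollback.
    $dsaNotWritable = (Get-ItemProperty -Path $params -Name 'Dsa Not Writable' -ErrorAction SilentlyContinue).'Dsa Not Writable'

    # 2095: DC detected USN rollback. 2103: AD database restored improperly,
    # inbound and outbound replication disabled. Both are in the Directory Service log.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2095, 2103
        StartTime = (Get-Date).AddDays(-$DaysBack)
    } -ErrorAction SilentlyContinue)

    # Part of the quarantine behaviour: Netlogon is paused so the DC stops advertising.
    $netlogon = Get-Service -Name Netlogon

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        DsaNotWritable = $dsaNotWritable
        RollbackEvents = $events.Count
        LatestEvent    = if ($events.Count) { $events[0].TimeCreated } else { $null }
        NetlogonStatus = $netlogon.Status
        Quarantined    = ($dsaNotWritable -eq 4) -or ($events.Count -gt 0)
    }
}

$result = Test-UsnRollbackIndicators
$result | Format-List
if ($result.Quarantined) {
    Write-Warning ("USN rollback indicators present on {0}. Clearing the registry value does not repair the divergence; " +
                   "the supported recovery is to forcibly demote this DC, clean its metadata and re-promote it.") -f $result.ComputerName
}
```

Run it from a scheduled task or your monitoring agent on every virtual DC: a snapshot revert that nobody admits to shows up here as event 2095 plus a paused Netlogon service, which is exactly the case the original poster is worried about.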
RE: [ActiveDir] Virtual Domain Controllers
I haven't deployed virtual DCs and always shy away from this concept, personally.

1. Management tools of virtual machines still appear to be immature (IMHO), i.e. how would you manage / patch / configure / administer all machines in a uniform, centralised fashion, regardless of physical/virtual status?

2. DC performance is paramount, esp. in larger organisations. I would need to be convinced that a virtual DC could "compete" with its physical counterpart. If I deploy DCs with 4 GB RAM / separate disk spindles for DB and logs etc. etc., then I'd be surprised if a virtual DC could equal the performance.

Note: Some of the above is not DC specific, but covers my main concerns.

neil

-----Original Message-----
From: [EMAIL PROTECTED]
Sent: 16 June 2005 13:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers
RE: [ActiveDir] Virtual Domain Controllers
Hi Chris,

There was a rather lengthy (but extremely interesting) discussion about this subject a few weeks ago on this list. May I suggest that you have a look at the archive (http://www.mail-archive.com/activedir@mail.activedir.org/) for more info?

Cheers!
Francis

-----Original Message-----
From: [EMAIL PROTECTED]
Sent: June 16, 2005 8:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers
RE: [ActiveDir] Virtual Domain Controllers
While not VMWare, Microsoft has an interesting stance with using Domain Controllers and Virtual Server 2005. You can download the full whitepaper: Running Domain Controllers in Virtual Server 2005

"On servers running Windows Server 2003 and Virtual Server 2005, you can install multiple domain controllers in separate virtual machines. This platform is well suited for test environments. With strict adherence to requirements described in this paper, domain controller virtual machines can also be used in production."

http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

Regards
Jon

-----Original Message-----
From: Francis Ouellet
Sent: Thursday, June 16, 2005 9:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers
RE: [ActiveDir] Virtual Domain Controllers
There is a white paper about this; it is supported under some strict limitations.

http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 16/06/2005 09:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers
RE: [ActiveDir] Add computers to domain
No, the group is not restricted to creating 10 workstations in the domain, but don't forget to remove the right from auth. users.

#JORGE#

From: Frank Abagnale
Sent: Thursday, June 16, 2005 09:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Add computers to domain
RE: [ActiveDir] Migration between domains with same NetBios name
Hi Guido,

NetBIOS based domains/clients find domain controllers through the WINS record 1Ch. If two different domains share the same WINS infrastructure, I think both domains' DCs will register in the same record and then you will have some interesting troubleshooting to do. Don't forget that most migration tools use the browser service to enumerate several objects.. again tricky.

As already said, renaming the source domain is a possibility (however I'm not sure if E55 likes domain renames). For this you need to inventory all places that use THE NAME OLDDOMAIN in user accounts. One of the examples is the logon account for services. I'm sure there are more. To do this you are stuck with a "major step moment".

Another possibility is to use an interim domain, which I think gives you the possibility to do a phased migration. You will be migrating twice though.

MIGRATION SCENARIO:
* OLDDOMAIN -> INTERIMDOMAIN | NEWDOMAIN
* OLDDOMAIN | INTERIMDOMAIN -> NEWDOMAIN

INTERIMDOMAIN migration - quick and dirty steps
* Pre-install and configure (isolated) NEWDOMAIN, its DNS, its DHCP, its WINS, etc. and shut down afterwards
* 2 DCs (W2K3 AD) for interim
* Exch55 in the same org as Exch. in OLDDOMAIN
* Migrate servers, clients, users, groups, mailboxes, etc. from OLDDOMAIN to INTERIMDOMAIN
* Configure INTERIMDOMAIN SERVERS to use WINS infrastructure from OLDDOMAIN
* Configure INTERIMDOMAIN CLIENTS to use DHCP infrastructure from OLDDOMAIN
* Decommission old Exchange in OLDDOMAIN
* Shut down old domain
* Bring up NEWDOMAIN
* Reconfigure servers and clients to use WINS and DHCP from NEWDOMAIN
* Install Exch2k3 in NEWDOMAIN
* Migrate servers, clients, users, groups, mailboxes, etc. from INTERIMDOMAIN to NEWDOMAIN
etc. etc.

What do you think about this one?

Cheers
#JORGE#

I think almost the same scenario as the situation you presented during DEC "Handling_Mergers_and_Acquistions". Let me guess, your next presentation at DEC will be "Migrations between domains with the same NetBIOS name"? ;-))

Whatever scenario you choose will be painful. You must however think about the scenario to use that is less painful.

From: Grillenmeier, Guido
Sent: Thursday, June 16, 2005 09:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name
[ActiveDir] Unexpected WINS registering behavior
I hope this email pertains to this mailing list. I apologize if it isn't.

Two WINS servers, both set up as replication partners with each other with push/pull.

From Win2k, XP, and Win2k3 clients:
1. ipconfig /all
2. Primary WINS: 10.x.x.x, Secondary WINS: 192.x.x.x
3. nbtstat -RR
4. ipconfig /all
5. Primary WINS: 192.x.x.x, Secondary WINS: 10.x.x.x

Essentially the Primary and Secondary WINS servers get switched after doing a nbtstat -RR. Is this to be expected? What am I missing? Has anyone else seen this? Any help is greatly appreciated.

Thnx,
Kevin
RE: [ActiveDir] Unexpected WINS registering behavior
Shooting in the dark a little, but would this imply that clients have failed over to the secondary WINS server? i.e. the first WINS server was "unavailable" and thus the secondary was used.

If the release/refresh failed on 10.x.x.x, the client would then attempt to perform a similar refresh on 192.x.x.x

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Taco
Sent: 16 June 2005 15:23
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unexpected WINS registering behavior

I hope this email pertains to this mailing list. I apologize if it isn't.

Two WINS servers, both set up as replication partners with each other with push/pulls.

From Win2k, XP, and Win2k3 clients:

1. ipconfig /all
2. Primary WINS: 10.x.x.x Secondary WINS 192.x.x.x
3. nbtstat -RR
4. ipconfig /all
5. Primary WINS: 192.x.x.x Secondary WINS 10.x.x.x

Essentially the Primary and Secondary WINS servers get switched after doing a nbtstat -RR. Is this to be expected? What am I missing? Has anyone else seen this?

Any help is greatly appreciated.

Thnx,
Kevin
RE: [ActiveDir] Unexpected WINS registering behavior
It's been a long time since I've thought about WINS (thankfully) but in the "old days" this was somewhat expected behavior. If a client happened to contact its primary WINS server and it couldn't answer a request, for whatever reason, it would temporarily use the secondary as its primary.

This is described here http://support.microsoft.com/default.aspx?scid=kb;en-us;173525 and here http://support.microsoft.com/default.aspx?scid=kb;en-us;247559

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Taco
Sent: Thursday, June 16, 2005 7:23 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unexpected WINS registering behavior

I hope this email pertains to this mailing list. I apologize if it isn't.

Two WINS servers, both set up as replication partners with each other with push/pulls.

From Win2k, XP, and Win2k3 clients:

1. ipconfig /all
2. Primary WINS: 10.x.x.x Secondary WINS 192.x.x.x
3. nbtstat -RR
4. ipconfig /all
5. Primary WINS: 192.x.x.x Secondary WINS 10.x.x.x

Essentially the Primary and Secondary WINS servers get switched after doing a nbtstat -RR. Is this to be expected? What am I missing? Has anyone else seen this?

Any help is greatly appreciated.

Thnx,
Kevin
RE: [ActiveDir] Unexpected WINS registering behavior
This is expected if the primary server is unavailable. What will really throw you is that the GUI for the client will show the intended order and the CLI will show the actual (reversed) order...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Taco
> Sent: Thursday, June 16, 2005 7:23 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Unexpected WINS registering behavior
>
> I hope this email pertains to this mailing list. I apologize if it
> isn't.
>
> Two WINS servers, both set up as replication partners with each
> other with push/pulls.
>
> From Win2k, XP, and Win2k3 clients:
>
> 1. ipconfig /all
> 2. Primary WINS: 10.x.x.x Secondary WINS 192.x.x.x
> 3. nbtstat -RR
> 4. ipconfig /all
> 5. Primary WINS: 192.x.x.x Secondary WINS 10.x.x.x
>
> Essentially the Primary and Secondary WINS servers get switched after
> doing a nbtstat -RR. Is this to be expected? What am I missing? Has
> anyone else seen this?
>
> Any help is greatly appreciated.
>
> Thnx,
> Kevin
RE: [ActiveDir] Unexpected WINS registering behavior
Every time I do a nbtstat -RR, the WINS server order flops back. And so on and so on...so they are constantly switched between nbtstat -RR's. I can see the clients getting registered in the WINS server db's as the clients switch back and forth so it looks like the registering part is working.

-Kevin

On Thu, 16 Jun 2005 15:35:05 +0100, "Ruston, Neil" <[EMAIL PROTECTED]> said:
> Shooting in the dark a little, but would this imply that clients have
> failed over to the secondary WINS server? i.e. the first WINS server was
> "unavailable" and thus the secondary was used.
>
> If the release/refresh failed on 10.x.x.x, the client would then attempt
> to perform a similar refresh on 192.x.x.x
>
> neil
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Taco
> Sent: 16 June 2005 15:23
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Unexpected WINS registering behavior
>
> I hope this email pertains to this mailing list. I apologize if it
> isn't.
>
> Two WINS servers, both set up as replication partners with each other with
> push/pulls.
>
> From Win2k, XP, and Win2k3 clients:
>
> 1. ipconfig /all
> 2. Primary WINS: 10.x.x.x Secondary WINS 192.x.x.x
> 3. nbtstat -RR
> 4. ipconfig /all
> 5. Primary WINS: 192.x.x.x Secondary WINS 10.x.x.x
>
> Essentially the Primary and Secondary WINS servers get switched after
> doing a nbtstat -RR. Is this to be expected? What am I missing? Has
> anyone else seen this?
>
> Any help is greatly appreciated.
>
> Thnx,
> Kevin
RE: [ActiveDir] Unexpected WINS registering behavior
Are you using different DHCP servers that service the same subnet but where the WINS IP addresses are switched?

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Taco
Sent: donderdag 16 juni 2005 16:23
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unexpected WINS registering behavior

I hope this email pertains to this mailing list. I apologize if it isn't.

Two WINS servers, both set up as replication partners with each other with push/pulls.

From Win2k, XP, and Win2k3 clients:

1. ipconfig /all
2. Primary WINS: 10.x.x.x Secondary WINS 192.x.x.x
3. nbtstat -RR
4. ipconfig /all
5. Primary WINS: 192.x.x.x Secondary WINS 10.x.x.x

Essentially the Primary and Secondary WINS servers get switched after doing a nbtstat -RR. Is this to be expected? What am I missing? Has anyone else seen this?

Any help is greatly appreciated.

Thnx,
Kevin
RE: [ActiveDir] ESE Perf Mon problems
Steve,

I have seen the first counter/last counter info in previous attempts, but it was not in the registry this time. I have deleted and recreated this branch a few times. I have done the lodctr %systemroot%\system32\esentprf.ini. Thanks for the /s, I wasn't aware of that. The command appears to process, but returns no info other than back to the command prompt.

I looked at the esentprf.ini as well as the eseperf.hxx file and they appear to be OK. No odd characters or corrupt looking stuff. Not sure what to think. Maybe time to call MS.

Thanks,
JD
Northrop Grumman Information Technology
Commercial, State & Local Solutions
512-377-x235
Alphapage 866-521-6091
E-Page [EMAIL PROTECTED]

-Original Message-
From: Steve Patrick [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 16, 2005 12:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ESE Perf Mon problems

Ha! Sorry - I missed the fact you already saw this. (teach me to read the mail closer)

Did you remove the First Counter \ Last counter info from this email or is it not in the registry? Did you lodctr against the esentprf.ini?

If not, try this:

Lodctr /s:backup.ini (backs up yer perf counter info)
lodctr %systemroot%\system32\esentprf.ini

steve

- Original Message -
From: "Steve Patrick" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, June 15, 2005 6:40 PM
Subject: Re: [ActiveDir] ESE Perf Mon problems

> remove the value for "Disable Performance Counters"
>
> steve
> - Original Message -
> From: "WILLIAMS, J.D." <[EMAIL PROTECTED]>
> To:
> Sent: Wednesday, June 15, 2005 6:48 AM
> Subject: RE: [ActiveDir] ESE Perf Mon problems
>
> Here's the key, I copied the entries from the KB article, except for the
> Squeaky Lobster key, which I have also tried as the 'correct' key name
> (escapes me now). I have five DCs, all of which have the same problem.
>
> The Disable Performance Counters key is added by the system after it fails
> to initialize properly.
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESENT\Performance]
> "Open"="OpenPerformanceData"
> "Collect"="CollectPerformanceData "
> "Close"="ClosePerformanceData"
> "Library"="c:\\perf\\esentprf.dll"
> "Squeaky Lobster"=dword:0001
> "Disable Performance Counters"=dword:0001
>
> Thanks,
> JD
>
> -Original Message-
> From: Steve Patrick [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 14, 2005 9:49 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] ESE Perf Mon problems
>
> Did you verify that you had proper settings under:
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESENT\Performance
>
> Perhaps export the key and paste it in here?
>
> steve
> - Original Message -
> From: "WILLIAMS, J.D." <[EMAIL PROTECTED]>
> To:
> Sent: Tuesday, June 14, 2005 11:30 AM
> Subject: [ActiveDir] ESE Perf Mon problems
>
> Greetings,
>
> I have been trying to get the ESE counters on my DCs with no luck. I get
> the following Event Log entry after following the install instructions,
> loading perfmon and looking for the counters:
>
> Event Type: Error
> Event Source: Perflib
> Event Category: None
> Event ID: 1006
> Date: 6/14/2005
> Time: 1:13:14 PM
> User: N/A
> Computer: ADC12-E654-001
> Description:
> Unable to locate the collect procedure " " in DLL "c:\perf\esentprf.dll" for
> the "ESENT" service. Performance data for this service will not be
> available. Error Status is data DWORD 0.
> Data:
> : 7f 00 00 00 ...
>
> I can't find anything in Google with regard to troubleshooting; this seems
> to work fine for everyone else! We are running W2K, SP4.
> My file version for ESENTPRF.DLL is 6.0.3939.6, file is 40K and dated
> 11-30-1999 (had another version, same info but dated 12-7-1999, same
> error).
>
> Any assistance is greatly appreciated!
>
> Thanks,
> JD
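Everything in this thread comes down to what Perflib finds under the ESENT\Performance key, so a quick audit of that key is worth more than another round of delete-and-recreate. The PowerShell function below is an added check, not code from the thread or from Microsoft: it reads the key path and value names from JD's registry export, flags Open/Collect/Close procedure names that are missing or padded with whitespace (the export as posted shows "CollectPerformanceData " with a trailing space, and Perflib looks the name up as an exact export, so a check like this would flag it), reports a Library DLL that is not on disk, and reports a non-zero "Disable Performance Counters" value, which the system sets after a failed load and which keeps the counters off until it is removed. It assumes a current PowerShell on the DC, not the Windows 2000 boxes in the thread.

```powershell
# Added example (not from the thread or from Microsoft): audit the ESENT perf-counter
# registration that the thread is troubleshooting. Key path and value names are the ones
# in JD's registry export. Assumes a current PowerShell; run in an elevated session.

function Test-EsentPerfKey {
    param(
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\ESENT\Performance'
    )

    $findings = @()
    if (-not (Test-Path $KeyPath)) {
        return @("Key not found: $KeyPath")
    }
    $key = Get-ItemProperty -Path $KeyPath

    # Perflib resolves these three names as exact DLL exports; leading or trailing
    # whitespace in the value (as in "CollectPerformanceData ") cannot match anything.
    foreach ($name in 'Open', 'Collect', 'Close') {
        $value = $key.$name
        if ([string]::IsNullOrEmpty($value)) {
            $findings += "$name value missing"
        } elseif ($value -ne $value.Trim()) {
            $findings += "$name value has surrounding whitespace: '$value'"
        }
    }

    # The Library value must point at a DLL that exists on this machine.
    $dll = $key.Library
    if ([string]::IsNullOrEmpty($dll)) {
        $findings += 'Library value missing'
    } elseif (-not (Test-Path ([Environment]::ExpandEnvironmentVariables($dll)))) {
        $findings += "Library DLL not found on disk: $dll"
    }

    # The system adds this value after a failed counter load; while it is non-zero the
    # counters stay disabled even once the real fault has been corrected.
    if ($key.PSObject.Properties['Disable Performance Counters'] -and
        $key.'Disable Performance Counters' -ne 0) {
        $findings += "Disable Performance Counters = $($key.'Disable Performance Counters') (counters disabled; remove after fixing the cause)"
    }

    if ($findings.Count -eq 0) { $findings = @('No problems found') }
    return $findings
}

Test-EsentPerfKey | ForEach-Object { Write-Output $_ }
```

Run it before and after re-running lodctr (after taking the backup with lodctr /s that Steve mentions). If the only finding left is the disable flag, delete that value as Steve suggests; if a procedure name or the DLL path is flagged, fix that first, because the system re-adds the flag on the next failed load.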
[ActiveDir] disable internet usage for an account
We'd like to disable internet access (not just IE but firefox, mozilla, etc) for a specific account, but still allow the account to have access to network shares. Is this possible through GPO? Does anyone have any ideas?

Thanks-
Adam
Re: [ActiveDir] disable internet usage for an account
IPsec filters? There's a good "how to" on MCSEworld.com.

--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
Re: [ActiveDir] disable internet usage for an account
Adam Hanel wrote:
> We'd like to disable internet access (not just IE but firefox, mozilla, etc) for a specific account, but still allow the account to have access to network shares. Is this possible through GPO? Does anyone have any ideas?

Best approach for you will be to deploy in your network a proxy server with a requirement to authenticate for a user who wants to get access to internet resources, then deploy proxy settings with GPO and on your firewall block access to Internet resources for any client host except the proxy server.

--
Tomasz Onyszko
http://www.w2k.pl
RE: [ActiveDir] disable internet usage for an account
A quick answer would be to use IPSec filters on the specific clients to disable http going out of the network (this way you don't block internal sites)

Francis

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adam Hanel
Sent: June 16, 2005 11:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] disable internet usage for an account

We'd like to disable internet access (not just IE but firefox, mozilla, etc) for a specific account, but still allow the account to have access to network shares. Is this possible through GPO? Does anyone have any ideas?

Thanks-
Adam
RE: [ActiveDir] Migration between domains with same NetBios name
AD itself shouldn't care (if it will care, I can't think of why right now, but then again it's only 8:32am, far before I am usually able to recall much). But someone who does broadcast, or maybe WINS gets mucked up as a result, they very well might care that a domain they think has some name doesn't know who they are. Having two domains with the same name within NetBIOS earshot of one another is risky business. I'm always fearful that some subtle component (in Windows or not) gets confused and talks to a DC in the wrong domain.

Another option is logical migration w/o physical. Take the users and do logical migration on them (ldifde or the like), and deal with SID and such headache and domain rejoin.

Another option is upgrade the 2k+ side to 2k3, and rename that domain.

~Eric

From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 6/16/2005 12:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Thanks Eric, renaming the source NT4 domain was on the list of my options and I know that it works as I've done it before in a larger test-environment. However, I expect many more headaches in a production environment as it's difficult to analyse all the dependencies to existing apps, e.g. Exchange 5.5 and others. And since you need to re-join all members to the domain anyways, it's almost as much work as just joining them to the target domain...

...hmm - that just triggered a thought - I guess it would be possible to do just that: rename the source dom (on PDC) + re-join all BDCs, then setup trust to the target domain and join all resources to target domain while accounts & groups are still in (renamed) source domain. [thinking continues]... of course the challenges with the apps and potential dependencies on the old domain name remain and need to be analysed first - so it's really tough to estimate the amount of work involved for this...

Besides, the obvious downside is fallback options => customers usually don't allow any drastic changes in the existing infrastructure, when migrating to another one - which I fully understand. So I was mainly seeking for other experience and things to look out for, if domain rename is not an option. E.g. is it really an issue to have a BDC of the NT4 CORP domain in the same subnet as a DC of the AD CORP domain? I guess I could hinder the AD DC somehow from trying to race against the NT4 BDC to become master browser. Even when we plan to do a hard-cutover (long weekend), I'll need DCs of both domains available at some point...

And I know I need to test this anyways, but can't do so right now. I should mention that I'm talking about roughly 1000 users with clients and servers distributed in a dozen locations. So nothing major - a hard cutover should be doable over a long 4-day weekend (incl. migration of all mailboxes at once) and handling re-ACLing on the FS is no issue. Accrd. to customer, there are no other apps (other than Exchange) that leverage the NT4 domain for anything (other than running on a memberserver). My past experience tells me that this is likely not to be true... I'm sure there are other things that are often overlooked - any ideas?

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Donnerstag, 16. Juni 2005 07:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Rename it? I will admit, I've never actually tried this, but I know people who say it works. I think you should try this procedure, on a test box first, and report back. Maybe you should do it to a BDC you bring up just to test, isolated, and see how it goes.

http://support.microsoft.com/default.aspx?scid=kb;en-us;169741

If this does work, I'd like to know, so I can recommend it in the future.

The other option is logical data migration but not actual "migration" if you will. I.e., ldifde and such. But that comes with the normal "lose the SIDs" type of issues, which I assume to be a major headache for your scenario.

~Eric

PS: Basically, this mail translates roughly in to me saying, this might or might not work, and I'd like you to be my testing guy to let me know, since I've never had occasion to give it a whirl myself.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, June 15, 2005 10:43 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migration between domains with same NetBios name

Here is a nice one - I've done quite a few migrations with all kinds of scenarios, so I hardly ask questions around this topic. But when migrating from one NT4 domain to an AD domain which both have the same NetBios names, various issues and potential conflicts come to mind and I wonder if others had to do this in the past, who could share their experience. T
RE: [ActiveDir] Unexpected WINS registering behavior
We have two WINS servers and one DHCP server. All are on different subnets. Is this what you were asking?

On Thu, 16 Jun 2005 16:54:22 +0200, "Jorge de Almeida Pinto" <[EMAIL PROTECTED]> said:
> Are you using different DHCP servers that service the same subnet but
> where the WINS IP addresses are switched?
> Cheers
> #JORGE#
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Taco
> Sent: donderdag 16 juni 2005 16:23
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Unexpected WINS registering behavior
>
> I hope this email pertains to this mailing list. I apologize if it
> isn't.
>
> Two WINS servers, both set up as replication partners with each other with
> push/pulls.
>
> From Win2k, XP, and Win2k3 clients:
>
> 1. ipconfig /all
> 2. Primary WINS: 10.x.x.x Secondary WINS 192.x.x.x
> 3. nbtstat -RR
> 4. ipconfig /all
> 5. Primary WINS: 192.x.x.x Secondary WINS 10.x.x.x
>
> Essentially the Primary and Secondary WINS servers get switched after
> doing a nbtstat -RR. Is this to be expected? What am I missing? Has anyone
> else seen this?
>
> Any help is greatly appreciated.
>
> Thnx,
> Kevin
RE: [ActiveDir] Virtual Domain Controllers
We have a 9 site, 25000 user active directory running on 14 Windows 2000 DCs. We recently converted our last DC to a VM (ESX 2.X) and we haven't had any problems. The only thing is that we needed to allocate 1Gb of memory to every DC. A little high for a VM (IMHO), but still better than using hardware. Other than that, it's been working great.

-Original Message-
From: Geary, Simon [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon
Sent: Thursday, June 16, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

There is a white paper about this, it is supported under some strict limitations.

http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 16/06/2005 09:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

All,

Is anybody currently running Domain Controllers in VMware or Virtual Server? Have there been any problems with this environment? There is a big push at my company to virtualize every environment but, I am sure Domain Controllers should be virtualized. One of my biggest concerns is the snapshot feature. I do not have full control over the Domain Controllers and I worry that another Admin will take a snapshot of the DC and make a few changes and if they don't work, revert to the snapshot before the changes. Wouldn't this be the same as using an older ghost image of the DC? I'm just looking for some feedback to see if this is a viable solution.
RE: [ActiveDir] Virtual Domain Controllers
Thanks for all of the responses. I had a chance to look at the KB article on USN rollback and found it very informative. I will get to the white paper when I have a little time.

I am still concerned about the Snapshot feature. How do others handle this? Is it possible to turn it off or apply a deny permission to that feature or is it used? Am I off base in worrying about this aspect?

"Harper, Gary" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
06/16/2005 10:27 AM
Please respond to [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Virtual Domain Controllers

We have a 9 site, 25000 user active directory running on 14 Windows 2000 DCs. We recently converted our last DC to a VM (ESX 2.X) and we haven't had any problems. The only thing is that we needed to allocate 1Gb of memory to every DC. A little high for a VM (IMHO), but still better than using hardware. Other than that, it's been working great.

-Original Message-
From: Geary, Simon [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon
Sent: Thursday, June 16, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

There is a white paper about this, it is supported under some strict limitations.

http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 16/06/2005 09:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

All,

Is anybody currently running Domain Controllers in VMware or Virtual Server? Have there been any problems with this environment? There is a big push at my company to virtualize every environment but, I am sure Domain Controllers should be virtualized. One of my biggest concerns is the snapshot feature. I do not have full control over the Domain Controllers and I worry that another Admin will take a snapshot of the DC and make a few changes and if they don't work, revert to the snapshot before the changes. Wouldn't this be the same as using an older ghost image of the DC? I'm just looking for some feedback to see if this is a viable solution.
RE: [ActiveDir] Virtual Domain Controllers
I believe one of the comments was around snapshots which is how they wanted to use this technology. You should find in that document that it would not be a good idea to perform snapshots if you intend to put those DCs back into production at some point. At least, I would be very careful about recommending or allowing that idea. I do realize that it may reduce some of the value of virtualization if you don't allow the snapshots, but keep in mind the purpose of Active Directory and the distributed architecture chosen to meet those requirements.

There was also a great thread about this a little while back that included Brett Shirley and somebody else from Microsoft that said he owned that portion. Take a look in the archives for that information for some background information.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harper, Gary
Sent: Thursday, June 16, 2005 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

We have a 9 site, 25000 user active directory running on 14 Windows 2000 DCs. We recently converted our last DC to a VM (ESX 2.X) and we haven't had any problems. The only thing is that we needed to allocate 1Gb of memory to every DC. A little high for a VM (IMHO), but still better than using hardware. Other than that, it's been working great.

-Original Message-
From: Geary, Simon [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon
Sent: Thursday, June 16, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

There is a white paper about this, it is supported under some strict limitations.

http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 16/06/2005 09:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

All,

Is anybody currently running Domain Controllers in VMware or Virtual Server? Have there been any problems with this environment? There is a big push at my company to virtualize every environment but, I am sure Domain Controllers should be virtualized. One of my biggest concerns is the snapshot feature. I do not have full control over the Domain Controllers and I worry that another Admin will take a snapshot of the DC and make a few changes and if they don't work, revert to the snapshot before the changes. Wouldn't this be the same as using an older ghost image of the DC? I'm just looking for some feedback to see if this is a viable solution.
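The concern in this thread, an admin reverting a DC to an earlier snapshot, is exactly the USN rollback case the KB article mentioned earlier describes: the DC re-uses USNs its partners have already seen, and once AD notices it quarantines itself. Since the original poster cannot stop other admins from taking snapshots, the practical defence is to detect a revert quickly. The PowerShell function below is an added example, not code from the thread, the white paper or Microsoft. It checks a DC for the two traces AD itself leaves when it detects the condition: the "DSA Not Writable" value under the NTDS Parameters key (value 4 means the DC has stopped accepting changes because of USN rollback) and the NTDS Replication events 2095 (a partner has replication data from us under already-acknowledged USNs) and 2103 (database restored by an unsupported method, replication disabled) in the Directory Service log. It assumes a supported Windows Server DC with PowerShell and Get-WinEvent, not the Windows 2000 DCs in the thread, and it only detects; recovery is the procedure in the KB article.

```powershell
# Added example (not from the thread, the white paper or Microsoft): check a domain
# controller for the after-effects of a snapshot revert (USN rollback). Assumes a
# supported Windows Server DC with Get-WinEvent; run elevated on the DC itself.

function Get-UsnRollbackIndicators {
    param(
        [int]$LookbackDays = 30   # how far back in the Directory Service log to look
    )

    # AD sets "DSA Not Writable" = 4 under this key when it detects USN rollback and
    # stops the DC from writing; the value is absent (or 0) on a healthy DC.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $notWritable = 0
    if (Test-Path $params) {
        $p = Get-ItemProperty -Path $params
        if ($p.PSObject.Properties['DSA Not Writable']) {
            $notWritable = [int]$p.'DSA Not Writable'
        }
    }

    # NTDS Replication events: 2095 = partner holds our data under already-acknowledged
    # USNs (rollback detected); 2103 = database restored by an unsupported method.
    $events = @()
    try {
        $events = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Directory Service'
            Id        = 2095, 2103
            StartTime = (Get-Date).AddDays(-$LookbackDays)
        } -ErrorAction Stop)
    } catch {
        # Get-WinEvent raises an error when nothing matches; treat that as no events.
    }

    $latest = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1

    [pscustomobject]@{
        DsaNotWritable      = $notWritable
        RollbackQuarantined = ($notWritable -band 4) -ne 0
        RollbackEventCount  = $events.Count
        LatestEventTime     = $latest.TimeCreated
        LatestEventId       = $latest.Id
        Suspected           = (($notWritable -band 4) -ne 0) -or ($events.Count -gt 0)
    }
}

Get-UsnRollbackIndicators | Format-List
```

Schedule it on each virtual DC (or pull the same two signals into whatever monitoring already watches the DCs) so that a revert is noticed before the quarantined DC sits unnoticed; a "Suspected" result means stop making changes on that DC and follow the KB article rather than trying to re-enable replication by hand.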
[ActiveDir] Move Contacts
I want to move some mail enabled contacts from one domain to another domain. They are in the same tree. I plan to use movetree to move the contacts. I'm wondering if the group memberships will be preserved. Contacts are in Domain A and many of them are in universal groups in domain A. They will be moved to Domain B -- using movetree. Will they still be a member of those universal groups after they are moved. The universal groups can have members from any domain in them so I'm leaning towards yes they will retain their group memberships. The universal groups will remain in domain A.

I'm going to test it out but have any of you all run into this issue?

Thanks
Mike
RE: [ActiveDir] Passwords from SQL
Hi Rick, Point well taken. I also do agree MYSQL is a fine database and a great value. Peace, Jose Medeiros :-) www.ntea.net www.tvnug.org www.sfntug.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Kingslan
Sent: Wednesday, June 15, 2005 6:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

The reason that it's off the point is because:
1) MySQL is the database in which the application is deployed.
2) Moving it to MSSQL might exceed the realistic 'cost' of the database
3) It might be just as easy to use OpenLDAP (I'm assuming MySQL on Linux) and communicate with AD that way

Make no mistake - I'm no bigot when it comes to using MS software. Quite the contrary. But, there are times when the simple economics of a solution scream out that Microsoft is not the right solution. Most schools that I work with are this way. Most of them would have to save a huge chunk of non-salary related expenditures to afford a Standard version of SQL. Hence, Access is a really popular option, even though getting it to work in some of the multi-user scenarios sucks - plainly and simply. In one school that I work with, the majority of the desktop OSs that they run are ones that I've donated. One of the server OSs is as well. I'm not saying that you're wrong. Far from it, in fact. But, sometimes the solution can't meet the available economic resources. Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, June 15, 2005 7:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Hi Rick, Actually how is this off the point? He is looking for a solution that will allow him to use the same user accounts in AD and authenticate against MYSQL, right? He wants to save the time and labor of having to manually update user accounts and passwords since they are maintained by two separate systems and since there are no built in utilities in AD that allow him to easily do so with an Open Source Database such as MYSQL. I strongly believe that by changing to a Microsoft SQL database this allows him to then use integrated authentication and it would solve his problem (He may not have been aware that Microsoft SQL has had this feature since as far back as version 6.5). If the school can't even afford 2000.00 for an SQL database, I seriously doubt that they would have an 8-way server that would easily cost 20,000 or more. But enough said, as far as I am concerned he has two choices and routes he can take and it is up to him to educate his management at the school district office that he has such a need and that the solution has a small cost. I am sure that any educator with common sense would concur that just because something is free it does not always mean it is the best solution and easiest to maintain for every environment. Warmest regards, Jose Medeiros Former CIS instructor San Jose City College

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Kingslan
Sent: Wednesday, June 15, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Maybe they need an 8-way, or more than 2GB of RAM for the database that runs on it. Honestly, though - this has gotten way off the point. He's running MySQL, and doesn't look like he's going to change just because we thought MSSQL is a better fit. Or not. Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, June 15, 2005 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Why do you need the Enterprise version, are you running SQL Clusters for failover? Jose

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl
Sent: Wednesday, June 15, 2005 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Well we purchased the enterprise MSSQL version. Also we have already purchased exchange here -- Jake

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, June 15, 2005 3:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Hi Jake, I know that Exchange is dirt cheap for Educational use, I am sure that SQL is also much less. Let me check with an educational specialist at Microsoft in San Francisco and see what it actually may be. Just doing a search on the web for the retail copy comes up with: Microsoft SQL Server 2000 Standard (5-Client) Full Version Retail Box RETAIL Microsoft Part #: 228-00683 Save 18% off RETAIL $1,225.00 Retail $1,489.00 Jose

-Original Message
RE: [ActiveDir] DL Expansion Troubleshooting
Jeremy- We have a three domain (empty root) structure, they're all in the same site as the exchange servers, but the exchange servers are all joined to one of the domains... Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor]
Sent: Thursday, June 16, 2005 5:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DL Expansion Troubleshooting

Do you have two domains in the same physical site with Exchange servers in both domains? If so read on as we had a very similar issue. Hope this helps. We had your 1st problem here which possibly could be related to your 2nd problem. We have two domains in the same physical site, 3 Exchange servers in one domain and 1 Exchange server in the other domain. Whenever we sent out email, particularly to our ALL HANDS DL, it would sometimes fail and no one would get it, other times people would get it on the first try. It took me the longest time to figure out why. When a DL is "expanded" any server within the organization can technically "expand" the message unless you set the expansion server; usually an Exchange server within the site does the expansion. We found that our 1 Exchange server in the other domain was getting the expansion responsibilities sometimes (25% chance) for our Domain level Distribution List. This server knows nothing about Domain specifics so it would fail. As soon as we put that domain in a separate site and reduced the site replication time to 5 minutes we no longer had any problems. One of our 3 Exchange servers in the same domain would always be responsible for the expansion of any DL we had in our domain. I believe I eventually found a technet article on this, let me see if I can find it. I hope this helps. Jeremy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, June 16, 2005 1:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DL Expansion Troubleshooting

did you compare the members of the respective groups in AD on your 3 GCs? You could potentially have an inconsistency between the DCs. /Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, 16 June 2005 02:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DL Expansion Troubleshooting

Apparently we have had for the past three months a persistent but not predictable issue with large and nested DL expansion. These are always DLs that are nested usually three to four levels deep and ultimately expand to tens of thousands of mailboxes. There are three global catalogs in the Exchange site, and they sit all day around 3%. No load issues, all 2k3 SP1, have been built to spec by yours truly in December I believe. Nothing weird going on with them that I can see. There are two issues that crop up, one newer than the other. Issue #1 (original) is that quite simply it will take a couple tries of sending a message to a DL to get everybody to get it - some folks get it twice, some get it once. When you do a message tracking it just sort of falls off the face of the Earth as far as delivery to the folks that don't get it twice. Now issue #2 is that as of late some DLs just hang up in the submission to categorizer if you look in message tracking. Takes a couple tries to get the categorizer to categorize. Everything but the OWAs is 2000 SP3 w/ the rollup. I just started looking at this today, and quite frankly I've gotten to the end of my short list of things to check. I cranked up diagnostic logging for DSAccess and SMTP on the gateways and the mailbox server hosting the mailbox that blasts these DLs. Haven't found anything useful. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
RE: [ActiveDir] OT: MySQL ... (Was: Passwords from SQL)
(so other people seem to abuse this alias, so it's my turn ... besides I've added some actual content as well) Does everyone who uses MySQL, use InnoDB as the storage engine layer? Has anyone ever gotten BDB (BerkeleyDB) to work under MySQL, and run an app/benchmarks aggressive enough to know which (InnoDB or BDB) is faster/better? Just idly curious. Cheers, Brett Shirley

On Thu, 16 Jun 2005, Medeiros, Jose wrote:
> Hi Rick,
>
> Point well taken. I also do agree MYSQL is a fine database and a great value.
>
> Peace,
>
> Jose Medeiros :-)
> www.ntea.net
> www.tvnug.org
> www.sfntug.org
[ActiveDir] Determining active user accounts
We need to get a count of users that are active, so we can make sure our purchasing of 2003 User CALs is as accurate as possible. However, every employee of the company has an account in Active Directory, but only a certain percentage of those users ever access a server or need to authenticate. What's the best way to determine how many users we need to have a User CAL for? Mark Creamer Systems Engineer Cintas Corporation

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.
RE: [ActiveDir] Determining active user accounts
Wouldn't the accounts that don't need server access show up as inactive if you ran them through joe's 'oldcmp'? If so, then couldn't you get a fair approximation from: CALs required = [Total user objects] - [user objects flagged by oldcmp] ? [Insert standard "Call your reseller for definitive licensing advice" disclaimer here.] - Laura

> -Original Message-
> From: Creamer, Mark [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 16, 2005 3:40 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Determining active user accounts
>
> We need to get a count of users that are active, so we can make sure our purchasing of 2003 User CALs is as accurate as possible. However, every employee of the company has an account in Active Directory, but only a certain percentage of those users ever access a server or need to authenticate. What's the best way to determine how many users we need to have a User CAL for?
>
> Mark Creamer
> Systems Engineer
> Cintas Corporation
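The count Laura describes, done by hand instead of with oldcmp, as an added example that is not part of the thread and not joeware's code. It works on an ldifde-style export of user objects (the sample export, names, userAccountControl values and logon ages below are constructed) and flags an account as inactive when it is disabled, has never logged on, or has a lastLogonTimestamp older than the window. Two caveats a practitioner should build in: lastLogonTimestamp is only rewritten when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default, minus a random 0-5 days), so the window has to be well beyond 14 days or you will undercount; and the attribute only exists at the Windows Server 2003 domain functional level, below which you have to merge the non-replicated lastLogon from every DC instead.

```python
"""Estimate how many AD users actually authenticate, from an ldifde export."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# AD stores lastLogonTimestamp (and pwdLastSet) as FILETIME: 100 ns intervals
# since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x0002          # userAccountControl flag: account disabled


def filetime_to_datetime(value: int) -> Optional[datetime]:
    """Convert an AD FILETIME integer to an aware datetime; 0 means never."""
    if value <= 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used to build the sample export."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_ldif(text: str) -> list:
    """Minimal parser for the 'attribute: value' records ldifde -f writes."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current[name.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def classify_users(records, now: datetime, window_days: int = 90):
    """Split user records into (active, inactive) lists of sAMAccountName.

    Inactive: disabled, never logged on, or last logon before the cutoff.
    """
    cutoff = now - timedelta(days=window_days)
    active, inactive = [], []
    for rec in records:
        uac = int(rec.get("userAccountControl", "0"))
        last = filetime_to_datetime(int(rec.get("lastLogonTimestamp", "0")))
        if uac & UF_ACCOUNTDISABLE or last is None or last < cutoff:
            inactive.append(rec["sAMAccountName"])
        else:
            active.append(rec["sAMAccountName"])
    return active, inactive


def cals_required(records, now: datetime, window_days: int = 90) -> int:
    """Laura's formula: total user objects minus those flagged inactive."""
    _, inactive = classify_users(records, now, window_days)
    return len(records) - len(inactive)


# Constructed sample export (hypothetical names, UAC values and logon ages).
NOW = datetime(2005, 6, 16, 12, 0, tzinfo=timezone.utc)
_SAMPLE = [("alice", 512, 3), ("bob", 512, 200), ("carol", 514, 1),
           ("dave", 512, None), ("erin", 512, 60)]
SAMPLE_LDIF = "\n\n".join(
    f"dn: CN={name},OU=Users,DC=example,DC=com\n"
    f"sAMAccountName: {name}\n"
    f"userAccountControl: {uac}\n"
    + (f"lastLogonTimestamp: {datetime_to_filetime(NOW - timedelta(days=age))}\n"
       if age is not None else "")
    for name, uac, age in _SAMPLE)
SAMPLE_RECORDS = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    active, inactive = classify_users(SAMPLE_RECORDS, NOW)
    print("active:", active)
    print("inactive:", inactive)
    print("User CALs required:", cals_required(SAMPLE_RECORDS, NOW))
```

On a real domain the export would come from something like `ldifde -f users.ldf -r "(&(objectCategory=person)(objectClass=user))" -l sAMAccountName,userAccountControl,lastLogonTimestamp`; the classification itself does not change.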
RE: [ActiveDir] Migration between domains with same NetBios name
I'm pretty much fearful of exactly the same things - in the meantime it's clear that any change to the source is not allowed and the customer is really keen on doing everything at once over a long weekend and is willing to risk "some extra troubleshooting" for the benefit of keeping both domains intact. Sounds like a lovely scripting job without much help from migration tools... I'll have to think about doing some network tricks to have them in different subnets - then it should work having the two DCs available in the location (somehow). Thanks though Eric for your thoughts early in the morning ;-) /Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, 16 June 2005 17:30
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

AD itself shouldn't care (if it will care, I can't think of why right now, but then again it's only 8:32am, far before I am usually able to recall much). But someone who does broadcast, or maybe WINS gets mucked up as a result; they very well might care that a domain they think has some name doesn't know who they are. Having two domains with the same name within NetBIOS earshot of one another is risky business. I'm always fearful that some subtle component (in Windows or not) gets confused and talks to a DC in the wrong domain. Another option is logical migration w/o physical. Take the users and do logical migration on them (ldifde or the like), and deal with SID and such headache and domain rejoin. Another option is upgrade the 2k+ side to 2k3, and rename that domain. ~Eric

From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 6/16/2005 12:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Thanks Eric, renaming the source NT4 domain was on the list of my options and I know that it works as I've done it before in a larger test-environment. However, I expect many more headaches in a production environment as it's difficult to analyse all the dependencies to existing apps, e.g. Exchange 5.5 and others. And since you need to re-join all members to the domain anyways, it's almost as much work as just joining them to the target domain... ...hmm - that just triggered a thought - I guess it would be possible to do just that: rename the source dom (on PDC) + re-join all BDCs, then setup trust to the target domain and join all resources to target domain while accounts & groups are still in (renamed) source domain. [thinking continues]... of course the challenges with the apps and potential dependencies on the old domain name remain and need to be analysed first - so it's really tough to estimate the amount of work involved for this... Besides, the obvious downside is fallback options => customers usually don't allow any drastic changes in the existing infrastructure, when migrating to another one - which I fully understand. So I was mainly seeking for other experience and things to look out for, if domain rename is not an option. E.g. is it really an issue to have a BDC of the NT4 CORP domain in the same subnet as a DC of the AD CORP domain? I guess I could hinder the AD DC somehow from trying to race against the NT4 BDC to become master browser. Even when we plan to do a hard-cutover (long weekend), I'll need DCs of both domains available at some point... And I know I need to test this anyways, but can't do so right now. I should mention, that I'm talking about roughly 1000 users with clients and servers distributed in a dozen locations. So nothing major - a hard cutover should be doable over a long 4-day weekend (incl. migration of all mailboxes at once) and handling re-ACLing on the FS is no issue. Accrd. to customer, there are no other apps (other than Exchange) that leverage the NT4 domain for anything (other than running on a memberserver). My past experience tells me that this is likely not to be true... I'm sure there are other things that are often overlooked - any ideas? /Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, 16 June 2005 07:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Rename it? I will admit, I've never actually tried this, but I know people who say it works. I think you should try this procedure, on a test box first, and report back. Maybe you should do it to a BDC you bring up just to test, isolated, and see how it goes. http://support.microsoft.com/default.aspx?scid=kb;en-us;169741 If this does work, I'd like to know, so I can recommend it in the future. The other option is logical data migration but not actual "migration" if you will. IE, ldifde and such. But that comes with the normal "lose the SIDs" type of issues, whi
RE: [ActiveDir] Unexpected WINS registering behavior
More info: I setup a test lab:
1 Windows 2003 SP1, WINS installed
1 Windows 2003 SP1, WINS installed
1 XP SP2 client
Generic installs of WINS on each server. Set up Push/Pull replication between them. No other server configs done. Client points to the servers' IPs for WINS. All boxes are on the same subnet on the same isolated switch. Doing a nbtstat -RR exhibits the same behavior. It swaps the WINS servers each time. Can someone else try:
ipconfig /all = note the WINS order
nbtstat -RR
ipconfig /all = see if the WINS order changed
I'm stumped... -alex

On Thu, 16 Jun 2005 08:41:57 -0700, "Kevin Taco" <[EMAIL PROTECTED]> said:
> We have two WINS servers and one DHCP server. All are on different subnets. Is this what you were asking?
>
> On Thu, 16 Jun 2005 16:54:22 +0200, "Jorge de Almeida Pinto" <[EMAIL PROTECTED]> said:
> > Are you using different DHCP servers that service the same subnet but where the WINS IP addresses are switched?
> > Cheers
> > #JORGE#
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Taco
> > Sent: Thursday 16 June 2005 16:23
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Unexpected WINS registering behavior
> >
> > I hope this email pertains to this mailing list. I apologize if it isn't.
> >
> > Two WINS servers, both set up as replication partners with each other with push/pulls.
> >
> > From Win2k, XP, and Win2k3 clients:
> >
> > 1. ipconfig /all
> > 2. Primary WINS: 10.x.x.x Secondary WINS 192.x.x.x
> > 3. nbtstat -RR
> > 4. ipconfig /all
> > 5. Primary WINS: 192.x.x.x Secondary WINS 10.x.x.x
> >
> > Essentially the Primary and Secondary WINS servers get switched after doing a nbtstat -RR. Is this to be expected? What am I missing? Has anyone else seen this?
> >
> > Any help is greatly appreciated.
> >
> > Thnx,
> > Kevin
> >
> > This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] Migration between domains with same NetBios name
Hey Jorge, thanks for your thoughts - you missed that I'm not going to register the AD DCs in WINS, so that's not an issue. It's having them in the same subnet is what I'm slightly worried about and need to check if it's even possible. Messing with the old domain name is not an option either (don't forget it's production until fully migrated...). And not much time to do it either... The interim domain scenario was another one going through my head (yes - indeed similar to my DEC session ;-) - but I'm trying to avoid it here as I know what's involved... And it bugs me that they "just" have the same names - MS definitely needs to come up with something like "domain-name aliases" (and I think they're even working on this). But I'll definitely leave the interim domain/forest option on my list if I get the deal (still bid phase). And definitely a good topic for next DEC (just kidding - I'd say migrations are getting somewhat boring... - however, not one is the same as another...) Cheers, Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Thursday, 16 June 2005 16:08
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Hi Guido, NetBIOS based domains/clients find domain controllers through the WINS record 1Ch. If two different domains share the same WINS infrastructure I think both domains' DCs will register in the same record and then you will have some interesting troubleshooting to do. Don't forget that most migration tools use the browser service to enumerate several objects... again tricky. As already said renaming the source domain is a possibility (however I'm not sure if E55 likes domain renames). For this you need to inventory all places that use THE NAME OLDDOMAIN in user accounts. One of the examples are the logon accounts for services. I'm sure there are more. To do this you are stuck to a "major step moment". Another possibility is to use an interim domain which I think gives you the possibility to do a phased migration. You will be migrating twice though.

MIGRATION SCENARIO:
* OLDDOMAIN -> INTERIMDOMAIN | NEWDOMAIN
* OLDDOMAIN | INTERIMDOMAIN -> NEWDOMAIN

INTERIMDOMAIN migration - quick and dirty steps
* Pre-install and configure (isolated) NEWDOMAIN, its DNS, its DHCP, its WINS, etc. and shut down afterwards
* 2 DCs (W2K3 AD) for interim
* Exch55 in the same org as exch. in OLDDOMAIN
* Migrate servers, clients, users, groups, mailboxes, etc. from OLDDOMAIN to INTERIMDOMAIN
* Configure INTERIMDOMAIN SERVERS to use WINS infrastructure from OLDDOMAIN
* Configure INTERIMDOMAIN CLIENTS to use DHCP infrastructure from OLDDOMAIN
* Decommission old exchange in OLDDOMAIN
* Shut down old domain
* Bring up NEWDOMAIN
* Reconfigure servers and clients to use WINS and DHCP from NEWDOMAIN
* Install exch2k3 in NEWDOMAIN
* Migrate servers, clients, users, groups, mailboxes, etc. from INTERIMDOMAIN to NEWDOMAIN
etc. etc.

What do you think about this one? Cheers #JORGE# I think almost the same scenario as the situation you presented during DEC "Handling_Mergers_and_Acquistions". Let me guess your next presentation at DEC will be "Migrations between domains with the same NetBIOS name"? ;-)) Whatever scenario you choose will be painful. You must however think about the scenario to use that is less painful.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, June 16, 2005 09:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Thanks Eric, renaming the source NT4 domain was on the list of my options and I know that it works as I've done it before in a larger test-environment. However, I expect many more headaches in a production environment as it's difficult to analyse all the dependencies to existing apps, e.g. Exchange 5.5 and others. And since you need to re-join all members to the domain anyways, it's almost as much work as just joining them to the target domain... ...hmm - that just triggered a thought - I guess it would be possible to do just that: rename the source dom (on PDC) + re-join all BDCs, then setup trust to the target domain and join all resources to target domain while accounts & groups are still in (renamed) source domain. [thinking continues]... of course the challenges with the apps and potential dependencies on the old domain name remain and need to be analysed first - so it's really tough to estimate the amount of work involved for this... Besides, the obvious downside is fallback options => customers usually don't allow any drastic changes in the existing infrastructure, when migrating to another one - which I fully understand. So I was mainly seeking for other experience and things to look out for, if domain rename is not an option. E.g. is it really an issue to have a BDC of the NT4 C
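The collision Jorge describes, made concrete as an added example (not part of the thread, and not a model of any real WINS implementation). A NetBIOS name is a 16-byte record: up to 15 characters padded with spaces, plus a suffix byte, 0x1C for the "domain controllers" group name that both NT4 and AD DCs register. WINS and the browser service key on that 16-byte value only, so an NT4 domain CORP and an AD domain whose NetBIOS name is also CORP land in the same CORP<1C> group entry, and a client resolving CORP<1C> gets DCs of both back, which is exactly the "talks to a DC in the wrong domain" risk Eric raised. The encoding function is the RFC 1001 first-level encoding (each nibble becomes a letter A..P) the name appears with on the wire; the DC labels and addresses are constructed.

```python
"""Why two domains with the same NetBIOS name share one WINS <1C> record."""
from collections import defaultdict

SUFFIX_DC_GROUP = 0x1C      # <1C>: domain controllers group name
SUFFIX_WORKSTATION = 0x00   # <00>: workstation/redirector name
MAX_NAME_LEN = 15           # 15 name bytes + 1 suffix byte = 16


def netbios_record(name: str, suffix: int) -> bytes:
    """Upper-case, pad to 15 bytes with spaces, append the suffix byte."""
    name = name.upper()
    if len(name) > MAX_NAME_LEN:
        raise ValueError("NetBIOS names are at most 15 characters")
    return name.encode("ascii").ljust(MAX_NAME_LEN, b" ") + bytes([suffix])


def encode_netbios_name(name: str, suffix: int) -> str:
    """RFC 1001 first-level encoding: each byte becomes two letters in A..P."""
    out = []
    for b in netbios_record(name, suffix):
        out.append(chr(ord("A") + (b >> 4)))
        out.append(chr(ord("A") + (b & 0x0F)))
    return "".join(out)


class WinsTable:
    """Toy WINS: group registrations keyed only on the 16-byte record."""

    def __init__(self):
        self._groups = defaultdict(list)   # record -> [(label, ip), ...]

    def register_dc(self, netbios_domain: str, label: str, ip: str):
        key = netbios_record(netbios_domain, SUFFIX_DC_GROUP)
        self._groups[key].append((label, ip))

    def find_dcs(self, netbios_domain: str):
        """What a client gets back when it resolves DOMAIN<1C>."""
        key = netbios_record(netbios_domain, SUFFIX_DC_GROUP)
        return list(self._groups.get(key, []))


def demo():
    """Constructed scenario: NT4 CORP and AD CORP sharing one WINS."""
    wins = WinsTable()
    wins.register_dc("CORP", "NT4 PDC", "10.1.0.10")          # hypothetical
    wins.register_dc("CORP", "NT4 BDC", "10.1.0.11")          # hypothetical
    wins.register_dc("corp", "AD DC corp.example.com", "10.1.0.20")
    return wins.find_dcs("CORP")


if __name__ == "__main__":
    print(encode_netbios_name("CORP", SUFFIX_DC_GROUP))
    for label, ip in demo():
        print(f"CORP<1C> -> {ip}  ({label})")
```

Note that the DNS-side name (corp.example.com versus an NT4 domain that has none) never enters the key, and neither does case, so nothing short of a different 15-byte NetBIOS name separates the two registrations.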
RE: [ActiveDir] Move Contacts
yep, group memberships will remain intact in your case. /Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Thursday, 16 June 2005 18:30
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Move Contacts

I want to move some mail enabled contacts from one domain to another domain. They are in the same tree. I plan to use movetree to move the contacts. I'm wondering if the group memberships will be preserved. Contacts are in Domain A and many of them are in universal groups in domain A. They will be moved to Domain B -- using movetree. Will they still be a member of those universal groups after they are moved. The universal groups can have members from any domain in them so I'm leaning towards yes they will retain their group memberships. The universal groups will remain in domain A. I'm going to test it out but have any of you all run into this issue? Thanks Mike
RE: [ActiveDir] Virtual Domain Controllers
you're not off-base - you should certainly handle access to the VMs as critical as a physical machine and educate your admins. I'm not sure if you can completely turn it off if your admins also have admin-access on the host (which is likely the case for the DAs). You could potentially run the host on standalone servers, but that just shifts the problem in a different direction.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, 16 June 2005 18:08
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Thanks for all of the responses. I had a chance to look at the KB article on USN rollback and found it very informative. I will get to the white paper when I have a little time. I am still concerned about the Snapshot feature. How do others handle this? Is it possible to turn it off or apply a deny permission to that feature or is it used? Am I off base in worrying about this aspect?

From: "Harper, Gary" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 06/16/2005 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers
Please respond to [EMAIL PROTECTED]

We have a 9 site, 25000 user active directory running on 14 Windows 2000 DCs. We recently converted our last DC to a VM (ESX 2.X) and we haven't had any problems. The only thing is that we needed to allocate 1Gb of memory to every DC. A little high for a VM (IMHO), but still better than using hardware. Other than that, it's been working great.

-----Original Message-----
From: Geary, Simon [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon
Sent: Thursday, June 16, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

There is a white paper about this, it is supported under some strict limitations.
http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 16/06/2005 09:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

All,

Is anybody currently running Domain Controllers in VMware or Virtual Server? Have there been any problems with this environment? There is a big push at my company to virtualize every environment but, I am sure Domain Controllers should be virtualized. One of my biggest concerns is the snapshot feature. I do not have full control over the Domain Controllers and I worry that another Admin will take a snapshot of the DC and make a few changes and if they don't work, revert to the snapshot before the changes. Wouldn't this be the same as using an older ghost image of the DC? I'm just looking for some feedback to see if this is a viable solution.
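The snapshot-revert scenario the thread worries about is what the KB article calls USN rollback, and a DC that detects it leaves two persistent markers behind. The following PowerShell function is an added example, written for this page and not taken from any poster or from the KB article: it reads the `DSA Not Writable` value under the NTDS `Parameters` key (4 is the value documented for rollback detection) and looks for event 2095 in the Directory Service log. It assumes it is run locally on the DC with administrative rights on a Windows version that has `Get-WinEvent` (Windows Server 2008 or later; on the 2003 machines in the thread the same event can be found with `eventquery.vbs` or the Event Viewer).

```powershell
# Added example (not from the thread): check a DC for the markers Windows leaves
# behind when it detects a USN rollback, which is what reverting a DC to an
# earlier snapshot causes. KB875495 documents both markers. Run on the DC itself.
function Test-UsnRollback {
    [CmdletBinding()]
    param()

    $ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    # Marker 1: NTDS sets "DSA Not Writable" to 4 and halts replication so the
    # stale DC cannot push its already-seen USNs to partners as new changes.
    $item = Get-ItemProperty -Path $ntdsParams -Name 'DSA Not Writable' -ErrorAction SilentlyContinue
    $dsaNotWritable = if ($item) { [int]$item.'DSA Not Writable' } else { 0 }

    # Marker 2: event 2095 in the Directory Service log explains the halt.
    # Get-WinEvent raises a non-terminating error when nothing matches, hence SilentlyContinue.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } `
                             -MaxEvents 10 -ErrorAction SilentlyContinue)
    $lastEvent = if ($events.Count -gt 0) { $events[0].TimeCreated } else { $null }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        DsaNotWritable    = $dsaNotWritable
        Event2095Count    = $events.Count
        LastEvent2095     = $lastEvent
        RollbackSuspected = ($dsaNotWritable -eq 4) -or ($events.Count -gt 0)
    }
}

# A healthy DC reports DsaNotWritable = 0 and RollbackSuspected = False.
Test-UsnRollback | Format-List
```

Scheduling this on every virtualised DC and alerting on `RollbackSuspected` gives you the detection half of what Guido recommends; the prevention half is still restricting who can take and revert snapshots on the host, because a DC that was reverted does not know it until it replicates.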
RE: [ActiveDir] Migration between domains with same NetBios name
Hi Guido,

I have done the rename on a NT4 Domain for Mirapoint and Aironet and it does work. However, you need to rename the PDC first, then all your BDCs, then all your member servers and workstations need to be removed from the domain and then re-added. Now since you're just doing a migration, you can just do this on the PDC and shut down the other servers until you complete the migration using the ADMT tool, then just re-add the member servers to the new Active Directory domain.

Hope this helps,
Jose Medeiros

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, June 16, 2005 12:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

I'm pretty much fearful of exactly the same things - in the meantime it's clear that any change to the source is not allowed and the customer is really keen on doing everything at once over a long weekend and is willing to risk "some extra troubleshooting" for the benefit of keeping both domains intact. Sounds like a lovely scripting job without much help from migration tools... I'll have to think about doing some network tricks to have them in different subnets - then it should work having the two DCs available in the location (somehow).

Thanks though Eric for your thoughts early in the morning ;-)

/Guido

From: [EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, 16 June 2005 17:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

AD itself shouldn't care (if it will care, I can't think of why right now, but then again it's only 8:32am, far before I am usually able to recall much). But someone who does broadcast, or maybe WINS gets mucked up as a result; they very well might care that a domain they think has some name doesn't know who they are. Having two domains with the same name within NetBIOS earshot of one another is risky business. I'm always fearful that some subtle component (in Windows or not) gets confused and talks to a DC in the wrong domain.

Another option is logical migration w/o physical. Take the users and do logical migration on them (ldifde or the like), and deal with SID and such headache and domain rejoin.

Another option is upgrade the 2k+ side to 2k3, and rename that domain.

~Eric

From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 6/16/2005 12:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Thanks Eric, renaming the source NT4 domain was on the list of my options and I know that it works as I've done it before in a larger test-environment. However, I expect many more headaches in a production environment as it's difficult to analyse all the dependencies to existing apps, e.g. Exchange 5.5 and others. And since you need to re-join all members to the domain anyways, it's almost as much work as just joining them to the target domain...

...hmm - that just triggered a thought - I guess it would be possible to do just that: rename the source dom (on PDC) + re-join all BDCs, then setup trust to the target domain and join all resources to target domain while accounts & groups are still in (renamed) source domain. [thinking continues]... of course the challenges with the apps and potential dependencies on the old domain name remain and need to be analysed first - so it's really tough to estimate the amount of work involved for this...

Besides, the obvious downside is fallback options => customers usually don't allow any drastic changes in the existing infrastructure, when migrating to another one - which I fully understand. So I was mainly seeking for other experience and things to look out for, if domain rename is not an option. E.g. is it really an issue to have a BDC of the NT4 CORP domain in the same subnet as a DC of the AD CORP domain? I guess I could hinder the AD DC somehow from trying to race against the NT4 BDC to become master browser. Even when we plan to do a hard-cutover (long weekend), I'll need DCs of both domains available at some point... And I know I need to test this anyways, but can't do so right now.

I should mention, that I'm talking about roughly 1000 users with clients and servers distributed in a dozen locations. So nothing major - a hard cutover should be doable over a long 4-day weekend (incl. migration of all mailboxes at once) and handling re-ACLing on the FS is no issue. Ac
RE: [ActiveDir] Unexpected WINS registering behavior
Sorry I didn't get to yours earlier... Both WINS servers and the DHCP server are all on different subnets. Is this what you were asking?

On Thu, 16 Jun 2005 16:54:22 +0200, "Jorge de Almeida Pinto" <[EMAIL PROTECTED]> said:
> Are you using different DHCP servers that service the same subnet but where the WINS IP addresses are switched?
> Cheers
> #JORGE#
>
> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Kevin Taco
> Sent: Thursday 16 June 2005 16:23
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Unexpected WINS registering behavior
>
> I hope this email pertains to this mailing list. I apologize if it isn't.
>
> Two WINS servers, both set up as replication partners with each other with push/pulls.
>
> From Win2k, XP, and Win2k3 clients:
>
> 1. ipconfig /all
> 2. Primary WINS: 10.x.x.x Secondary WINS 192.x.x.x
> 3. nbtstat -RR
> 4. ipconfig /all
> 5. Primary WINS: 192.x.x.x Secondary WINS 10.x.x.x
>
> Essentially the Primary and Secondary WINS servers get switched after doing a nbtstat -RR. Is this to be expected? What am I missing? Has anyone else seen this?
>
> Any help is greatly appreciated.
>
> Thnx,
> Kevin
RE: [ActiveDir] Migration between domains with same NetBios name
Guido,

I'm not sure but something tells me the AD domain is not used yet. Is this true? Is CORP.COMPANY.COM the forest root?

What about the following:

(1) (somewhat a big bang)
* Create an additional BDC for NT4 corp domain
* Isolate the additional BDC from NT4 corp domain
* Promote the additional BDC to PDC and rename the domain to something else (e.g. NT4CORP)
* Connect to the PDC from NT4CORP to AD CORP (trusts, etc.)
* Migrate all users, groups and memberships
* Disconnect PDC from NT4CORP
* Rejoin all servers/clients to AD CORP domain (not sure how exchange likes this)
* Re-acl

(2) If the AD CORP domain is not used yet, are there reasons to destroy the AD CORP domain and do an in-place upgrade of the NT4 CORP domain to AD? Upgrading only the PDC and from there introduce new W2K3 DCs and remove the old ones. This way they keep the CORP name, no re-acling including all the other default migration issues. Afterwards only cleanup and configure the AD domain (OUs, delegation, sites, etc.) as soon as possible

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/16/2005 10:12 PM
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Hey Jorge, thanks for your thoughts - you missed that I'm not going to register the AD DCs in WINS, so that's not an issue. It's having them in the same subnet that I'm slightly worried about and need to check if it's even possible. Messing with the old domain name is not an option either (don't forget it's production until fully migrated...). And not much time to do it either...

The interim domain scenario was another one going through my head (yes - indeed similar to my DEC session ;-) - but I'm trying to avoid it here as I know what's involved... And it bugs me that they "just" have the same names - MS definitely needs to come up with something like "domain-name aliases" (and I think they're even working on this). But I'll definitely leave the interim domain/forest option on my list if I get the deal (still bid phase). And definitely a good topic for next DEC (just kidding - I'd say migrations are getting somewhat boring... - however, not one is the same as another...)

Cheers,
Guido

From: [EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Thursday, 16 June 2005 16:08
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Hi Guido,

NetBIOS based domains/clients find domain controllers through the WINS record 1Ch. If two different domains share the same WINS infrastructure I think both domains' DCs will register in the same record and then you will have some interesting troubleshooting to do. Don't forget that most migration tools use the browser service to enumerate several objects... again tricky.

As already said renaming the source domain is a possibility (however I'm not sure if E55 likes domain renames). For this you need to inventory all places that use THE NAME OLDOMAIN in user accounts. One of the examples is the logon account for services. I'm sure there are more. To do this you are stuck to a "major step moment"

Another possibility is to use an interim domain which I think gives you the possibility to do a phased migration. You will be migrating twice though.

MIGRATION SCENARIO:
* OLDDOMAIN -> INTERIMDOMAIN | NEWDOMAIN
* OLDDOMAIN | INTERIMDOMAIN -> NEWDOMAIN

INTERIMDOMAIN migration - quick and dirty steps
* Pre-install and configure (isolated) NEWDOMAIN, its DNS, its DHCP, its WINS, etc. and shutdown afterwards
* 2 DCs (W2K3 AD) for interim
* Exch55. in the same org as exch. in OLDOMAIN
* Migrate servers, clients, users, groups, mailboxes, etc. from OLDDOMAIN to INTERIMDOMAIN
* Configure INTERIMDOMAIN SERVERS to use WINS infrastructure from OLDDOMAIN
* Configure INTERIMDOMAIN CLIENTS to use DHCP infrastructure from OLDDOMAIN
* Decommission old exchange in OLDOMAIN
* Shutdown old domain
* Bring up NEWDOMAIN
* Reconfigure servers and clients to use WINS and DHCP from NEWDOMAIN
* Install exch2k3 in NEWDOMAIN
* Migrate servers, clients, users, groups, mailboxes, etc. from INTERIMDOMAIN to NEWDOMAIN
etc. etc.

What do you think about this one?

Cheers
#JORGE#

I think almost the same scenario as the situation you presented during DEC "Handling_Mergers_and_Acquistions". Let me guess your next presentation at DEC will be "Migrations between domains with the same NetBIOS name"? ;-)) Whatever scenario you choose will be painful. You must however think about the scenario to use that is less painful

From: [EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, June 16, 2005 09:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Thanks Eric, renaming the source NT4 domain was on the list of my options and I know that it works as I've done it before in a larger test-env
RE: [ActiveDir] Determining active user accounts
Thanks Laura, good suggestion. I forgot I could use oldcmp for users as well. Great tool, Joe.

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Thursday, June 16, 2005 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Determining active user accounts

Wouldn't the accounts that don't need server access show up as inactive if you ran them through joe's 'oldcmp'? If so, then couldn't you get a fair approximation from:

CALs required = [Total user objects] - [user objects flagged by oldcmp]

?

[Insert standard "Call your reseller for definitive licensing advice" disclaimer here.]

- Laura

> -----Original Message-----
> From: Creamer, Mark [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 16, 2005 3:40 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Determining active user accounts
>
> We need to get a count of users that are active, so we can make sure our purchasing of 2003 User CALs is as accurate as possible. However, every employee of the company has an account in Active Directory, but only a certain percentage of those users ever access a server or need to authenticate. What's the best way to determine how many users we need to have a User CAL for?
>
> Mark Creamer
> Systems Engineer
> Cintas Corporation
RE: [ActiveDir] Unexpected WINS registering behavior
The issue of reversing WINS entries was unknown to me and I thought you maybe had two DHCP servers that service the subnet with options flipped

#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/16/2005 10:05 PM
Subject: RE: [ActiveDir] Unexpected WINS registering behavior

Sorry I didn't get to yours earlier... Both WINS servers and the DHCP server are all on different subnets. Is this what you were asking?

On Thu, 16 Jun 2005 16:54:22 +0200, "Jorge de Almeida Pinto" <[EMAIL PROTECTED]> said:
> Are you using different DHCP servers that service the same subnet but where the WINS IP addresses are switched?
> Cheers
> #JORGE#
>
> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Kevin Taco
> Sent: Thursday 16 June 2005 16:23
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Unexpected WINS registering behavior
>
> I hope this email pertains to this mailing list. I apologize if it isn't.
>
> Two WINS servers, both set up as replication partners with each other with push/pulls.
>
> From Win2k, XP, and Win2k3 clients:
>
> 1. ipconfig /all
> 2. Primary WINS: 10.x.x.x Secondary WINS 192.x.x.x
> 3. nbtstat -RR
> 4. ipconfig /all
> 5. Primary WINS: 192.x.x.x Secondary WINS 10.x.x.x
>
> Essentially the Primary and Secondary WINS servers get switched after doing a nbtstat -RR. Is this to be expected? What am I missing? Has anyone else seen this?
>
> Any help is greatly appreciated.
>
> Thnx,
> Kevin
RE: [ActiveDir] Determining active user accounts
Additionally, if it were me and if you've not done so already, I'd disable all of those unused accounts while I was counting. (oldcmp does this as well, no?) Many unused accounts + at least one or two that have probably never changed from some default (or blank) password = monstrous attack vector waiting to happen. (I'm big on the equations today for some reason.)

- Laura

> -----Original Message-----
> From: Creamer, Mark [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 16, 2005 4:56 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Determining active user accounts
>
> Thanks Laura, good suggestion. I forgot I could use oldcmp for users as well. Great tool, Joe.
>
> Thanks
>
> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
> Sent: Thursday, June 16, 2005 3:56 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Determining active user accounts
>
> Wouldn't the accounts that don't need server access show up as inactive if you ran them through joe's 'oldcmp'? If so, then couldn't you get a fair approximation from:
>
> CALs required = [Total user objects] - [user objects flagged by oldcmp]
>
> ?
>
> [Insert standard "Call your reseller for definitive licensing advice" disclaimer here.]
>
> - Laura
>
> > -----Original Message-----
> > From: Creamer, Mark [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, June 16, 2005 3:40 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Determining active user accounts
> >
> > We need to get a count of users that are active, so we can make sure our purchasing of 2003 User CALs is as accurate as possible. However, every employee of the company has an account in Active Directory, but only a certain percentage of those users ever access a server or need to authenticate. What's the best way to determine how many users we need to have a User CAL for?
> >
> > Mark Creamer
> > Systems Engineer
> > Cintas Corporation
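Laura's two points, the approximation "CALs required = total user objects - inactive user objects" from her first message and the advice to disable the inactive accounts while counting, as one added PowerShell example. This is written for this page; it is not oldcmp and not code from any poster. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later, so newer tooling than the 2003 environment in the thread), an account permitted to disable users, and an OU distinguished name that is only a placeholder.

```powershell
# Added example (not oldcmp and not from any poster): approximate the thread's
# "CALs required = total user objects - inactive user objects" and, on request,
# disable the inactive accounts. Requires the ActiveDirectory module (RSAT,
# Windows Server 2008 R2 or later). lastLogonTimestamp replicates to every DC but
# is only refreshed about every 14 days, so keep InactiveDays well above that.
Import-Module ActiveDirectory

function Get-InactiveUserReport {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$InactiveDays = 90,
        # Assumption: an OU to scope the search; omit to search the whole domain.
        [string]$SearchBase,
        # Nothing is changed unless -Disable is given; add -WhatIf to rehearse it.
        [switch]$Disable
    )

    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $query = @{ Filter = '*'; Properties = @('lastLogonTimestamp', 'whenCreated') }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    $enabledUsers = @(Get-ADUser @query | Where-Object { $_.Enabled })

    $inactive = @(foreach ($u in $enabledUsers) {
        # lastLogonTimestamp is a FILETIME (100 ns ticks since 1601-01-01).
        # An unset value means no logon has ever been recorded; treat such an
        # account as inactive once it is older than the cutoff, so that a user
        # created last week is not disabled before their first logon.
        $lastLogon = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
        $stale = if ($lastLogon) { $lastLogon -lt $cutoff } else { $u.whenCreated -lt $cutoff }
        if ($stale) {
            [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                LastLogon         = $lastLogon
                DistinguishedName = $u.DistinguishedName
            }
        }
    })

    if ($Disable) {
        foreach ($acct in $inactive) {
            if ($PSCmdlet.ShouldProcess($acct.SamAccountName, 'Disable-ADAccount')) {
                Disable-ADAccount -Identity $acct.DistinguishedName
            }
        }
    }

    [pscustomobject]@{
        TotalEnabledUsers   = $enabledUsers.Count
        InactiveUsers       = $inactive.Count
        EstimatedCalsNeeded = $enabledUsers.Count - $inactive.Count
        InactiveAccounts    = $inactive
    }
}

# Count only:
Get-InactiveUserReport -InactiveDays 90 -SearchBase 'OU=Staff,DC=corp,DC=example' |
    Select-Object TotalEnabledUsers, InactiveUsers, EstimatedCalsNeeded
# Rehearse the disable step, then run it for real:
# Get-InactiveUserReport -InactiveDays 90 -Disable -WhatIf
# Get-InactiveUserReport -InactiveDays 90 -Disable
```

The count is an approximation for the same reason Laura's is: an account that authenticated only to a workstation still refreshes lastLogonTimestamp, so review the `InactiveAccounts` list before treating the number as a licensing figure, and disable rather than delete so a wrongly flagged account can be re-enabled without losing its SID and group memberships.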
RE: [ActiveDir] Migration between domains with same NetBios name
thanks again Jorge

(2) is not an option (set in stone, even though it would be simplest). (1) is a good thought that I hadn't really considered yet and will think a little longer about - it would be a big bang with some risk but less work than the current big bang the customer is seeking... good thinking, although there's still enough work around the apps involved. But this might just be my favorite option until now.

Cheers,
Guido

-----Original Message-----
From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent: Thursday, 16 June 2005 22:55
To: Grillenmeier, Guido; '[EMAIL PROTECTED]'; 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Guido,

I'm not sure but something tells me the AD domain is not used yet. Is this true? Is CORP.COMPANY.COM the forest root?

What about the following:

(1) (somewhat a big bang)
* Create an additional BDC for NT4 corp domain
* Isolate the additional BDC from NT4 corp domain
* Promote the additional BDC to PDC and rename the domain to something else (e.g. NT4CORP)
* Connect to the PDC from NT4CORP to AD CORP (trusts, etc.)
* Migrate all users, groups and memberships
* Disconnect PDC from NT4CORP
* Rejoin all servers/clients to AD CORP domain (not sure how exchange likes this)
* Re-acl

(2) If the AD CORP domain is not used yet, are there reasons to destroy the AD CORP domain and do an in-place upgrade of the NT4 CORP domain to AD? Upgrading only the PDC and from there introduce new W2K3 DCs and remove the old ones. This way they keep the CORP name, no re-acling including all the other default migration issues. Afterwards only cleanup and configure the AD domain (OUs, delegation, sites, etc.) as soon as possible

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/16/2005 10:12 PM
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Hey Jorge, thanks for your thoughts - you missed that I'm not going to register the AD DCs in WINS, so that's not an issue. It's having them in the same subnet that I'm slightly worried about and need to check if it's even possible. Messing with the old domain name is not an option either (don't forget it's production until fully migrated...). And not much time to do it either...

The interim domain scenario was another one going through my head (yes - indeed similar to my DEC session ;-) - but I'm trying to avoid it here as I know what's involved... And it bugs me that they "just" have the same names - MS definitely needs to come up with something like "domain-name aliases" (and I think they're even working on this). But I'll definitely leave the interim domain/forest option on my list if I get the deal (still bid phase). And definitely a good topic for next DEC (just kidding - I'd say migrations are getting somewhat boring... - however, not one is the same as another...)

Cheers,
Guido

From: [EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Thursday, 16 June 2005 16:08
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Hi Guido,

NetBIOS based domains/clients find domain controllers through the WINS record 1Ch. If two different domains share the same WINS infrastructure I think both domains' DCs will register in the same record and then you will have some interesting troubleshooting to do. Don't forget that most migration tools use the browser service to enumerate several objects... again tricky.

As already said renaming the source domain is a possibility (however I'm not sure if E55 likes domain renames). For this you need to inventory all places that use THE NAME OLDOMAIN in user accounts. One of the examples is the logon account for services. I'm sure there are more. To do this you are stuck to a "major step moment"

Another possibility is to use an interim domain which I think gives you the possibility to do a phased migration. You will be migrating twice though.

MIGRATION SCENARIO:
* OLDDOMAIN -> INTERIMDOMAIN | NEWDOMAIN
* OLDDOMAIN | INTERIMDOMAIN -> NEWDOMAIN

INTERIMDOMAIN migration - quick and dirty steps
* Pre-install and configure (isolated) NEWDOMAIN, its DNS, its DHCP, its WINS, etc. and shutdown afterwards
* 2 DCs (W2K3 AD) for interim
* Exch55. in the same org as exch. in OLDOMAIN
* Migrate servers, clients, users, groups, mailboxes, etc. from OLDDOMAIN to INTERIMDOMAIN
* Configure INTERIMDOMAIN SERVERS to use WINS infrastructure from OLDDOMAIN
* Configure INTERIMDOMAIN CLIENTS to use DHCP infrastructure from OLDDOMAIN
* Decommission old exchange in OLDOMAIN
* Shutdown old domain
* Bring up NEWDOMAIN
* Reconfigure servers and clients to use WINS and DHCP from NEWDOMAIN
* Install exch2k3 in NEWDOMAIN
* Migrate servers, clients, users, groups, mailboxes, etc. from INTERIMDOMAIN to NEWDOMAIN
etc. etc.

What do you think about this one?

Cheers
#JORGE#

I think alm
RE: [ActiveDir] Migration between domains with same NetBios name
Thanks Jose, good to know you've already done it in a larger environment. Thanks for the feedback.

/Guido

From: [EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Thursday, 16 June 2005 22:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Hi Guido,

I have done the rename on a NT4 Domain for Mirapoint and Aironet and it does work. However, you need to rename the PDC first, then all your BDCs, then all your member servers and workstations need to be removed from the domain and then re-added. Now since you're just doing a migration, you can just do this on the PDC and shut down the other servers until you complete the migration using the ADMT tool, then just re-add the member servers to the new Active Directory domain.

Hope this helps,
Jose Medeiros

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, June 16, 2005 12:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

I'm pretty much fearful of exactly the same things - in the meantime it's clear that any change to the source is not allowed and the customer is really keen on doing everything at once over a long weekend and is willing to risk "some extra troubleshooting" for the benefit of keeping both domains intact. Sounds like a lovely scripting job without much help from migration tools... I'll have to think about doing some network tricks to have them in different subnets - then it should work having the two DCs available in the location (somehow).

Thanks though Eric for your thoughts early in the morning ;-)

/Guido

From: [EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, 16 June 2005 17:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

AD itself shouldn't care (if it will care, I can't think of why right now, but then again it's only 8:32am, far before I am usually able to recall much). But someone who does broadcast, or maybe WINS gets mucked up as a result; they very well might care that a domain they think has some name doesn't know who they are. Having two domains with the same name within NetBIOS earshot of one another is risky business. I'm always fearful that some subtle component (in Windows or not) gets confused and talks to a DC in the wrong domain.

Another option is logical migration w/o physical. Take the users and do logical migration on them (ldifde or the like), and deal with SID and such headache and domain rejoin.

Another option is upgrade the 2k+ side to 2k3, and rename that domain.

~Eric

From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 6/16/2005 12:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Thanks Eric, renaming the source NT4 domain was on the list of my options and I know that it works as I've done it before in a larger test-environment. However, I expect many more headaches in a production environment as it's difficult to analyse all the dependencies to existing apps, e.g. Exchange 5.5 and others. And since you need to re-join all members to the domain anyways, it's almost as much work as just joining them to the target domain...

...hmm - that just triggered a thought - I guess it would be possible to do just that: rename the source dom (on PDC) + re-join all BDCs, then setup trust to the target domain and join all resources to target domain while accounts & groups are still in (renamed) source domain. [thinking continues]... of course the challenges with the apps and potential dependencies on the old domain name remain and need to be analysed first - so it's really tough to estimate the amount of work involved for this...

Besides, the obvious downside is fallback options => customers usually don't allow any drastic changes in the existing infrastructure, when migrating to another one - which I fully understand. So I was mainly seeking for other experience and things to look out for, if domain rename is not an option. E.g. is it really an issue to have a BDC of the NT4 CORP domain in the same subnet as a DC of the AD CORP domain? I guess I could hinder the AD DC somehow from trying to race against the NT4 BDC to become master browser. Even when we plan to do a hard-cutover (long weekend), I'll need DCs of both domains available at some point... And I know I need to test this anyways, bu
[ActiveDir] Event log settings in GPO
Just want to check to ensure. But I could, say, have a policy that is configured to set the maxsize of event logs to 128M and have that apply to a specific group so that the machines in that group are set to that size. And as long as this policy was set at the top of the list in GP management then that policy would take precedence over any policies under it. Correct?
RE: [ActiveDir] Event log settings in GPO
On each OU level GPOs are processed bottom-up.

#JORGE#

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Event log settings in GPO
Yes – you’re correct in that you can set this on a per-OU basis with GPO. As Jorge points out, make sure that you are complying with the processing rules of the GPO list so that your settings are not reverted by another GPO inherited to that OU.

Rick
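Jorge's and Rick's point about processing order, as an added example that is not from the list or from Microsoft: a small Python model of GPO link precedence (all GPO, container and setting names are constructed) that resolves which linked policy ends up setting the maximum event log size under link order, inheritance, Enforced and Block Inheritance. It models the rules; it does not query AD.

```python
"""Model of Group Policy link precedence for one machine setting.

Added example, not code from the list thread or from Microsoft: it
simulates the order in which a client applies linked GPOs, so the
effective value of a setting such as the maximum event log size can be
predicted from link order, inheritance, Enforced and Block Inheritance.
All GPO names, container names and values below are constructed.
"""
from dataclasses import dataclass, field

# Setting name used in the scenario; GPMC stores the size in kilobytes.
MAX_LOG_SIZE = "MaximumLogSize(Application)"


@dataclass
class Gpo:
    name: str
    settings: dict = field(default_factory=dict)  # missing key = not configured


@dataclass
class Link:
    gpo: Gpo
    order: int              # GPMC link order: 1 = top of the list
    enforced: bool = False
    enabled: bool = True


@dataclass
class Container:
    """Site, domain or OU together with the GPOs linked to it."""
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def application_order(scope):
    """GPOs in the order a client applies them; later entries overwrite earlier.

    `scope` is the LSDOU chain from the outermost container (site or
    domain) down to the OU that holds the computer object.
    """
    # Deepest container with Block Inheritance: non-enforced links from
    # the containers above it are skipped.
    block_from = 0
    for i, container in enumerate(scope):
        if container.block_inheritance:
            block_from = i

    def bottom_up(container):
        # Within one container links are processed from the bottom of the
        # GPMC list upward, so link order 1 is applied last and wins.
        return sorted((lk for lk in container.links if lk.enabled),
                      key=lambda lk: lk.order, reverse=True)

    applied = []
    for i, container in enumerate(scope):   # site -> domain -> OU -> child OU
        if i < block_from:
            continue
        applied += [lk.gpo for lk in bottom_up(container) if not lk.enforced]
    # Enforced links are applied after everything else, child OU first and
    # domain last, so an enforced domain GPO beats every link below it.
    for container in reversed(scope):
        applied += [lk.gpo for lk in bottom_up(container) if lk.enforced]
    return applied


def effective_setting(scope, setting):
    """Return (value, name of the GPO that won); (None, None) if unset."""
    value, winner = None, None
    for gpo in application_order(scope):
        if setting in gpo.settings:
            value, winner = gpo.settings[setting], gpo.name
    return value, winner


def build_scope(enforce_domain=False, block_inheritance=False):
    """Constructed scenario: the domain sets 64 MB; the Servers OU links a
    128 MB GPO at the top of its list and a 32 MB GPO below it."""
    domain_gpo = Gpo("Default Domain Policy", {MAX_LOG_SIZE: 65536})
    big = Gpo("EventLog 128MB", {MAX_LOG_SIZE: 131072})
    small = Gpo("EventLog 32MB", {MAX_LOG_SIZE: 32768})
    other = Gpo("Screensaver", {"ScreenSaverTimeout": 600})
    domain = Container("DC=corp,DC=example",
                       [Link(domain_gpo, 1, enforced=enforce_domain)])
    servers = Container("OU=Servers",
                        [Link(big, 1), Link(small, 2), Link(other, 3)],
                        block_inheritance=block_inheritance)
    return [domain, servers]


if __name__ == "__main__":
    for kwargs in ({}, {"enforce_domain": True}, {"block_inheritance": True}):
        label = ", ".join(kwargs) or "default links"
        value, winner = effective_setting(build_scope(**kwargs), MAX_LOG_SIZE)
        print(f"{label:<20} -> {value} KB from {winner!r}")
```

With the default links the 128 MB GPO at the top of the OU list wins over both the 32 MB GPO below it and the inherited domain value; marking the domain link Enforced reverses that, which is exactly the reversion Rick warns about.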
RE: [ActiveDir] Migration between domains with same NetBios name
Guido,

How about:

1) rename the NetBios name of the target AD
2) perform the migration
3) rename the NetBios name of the AD back to the original

Because you are changing only the NetBios name and not the DNS name, the fixups at the AD side are rather minor... Or are we talking about the target AD being already production and/or W2K?

Guy

From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 6/16/2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migration between domains with same NetBios name

Here is a nice one - I've done quite a few migrations with all kinds of scenarios, so I hardly ask questions around this topic. But when migrating from one NT4 domain to an AD domain which both have the same NetBios names, various issues and potential conflicts come to mind and I wonder if others had to do this in the past, who could share their experience.

Think about an existing NT4 domain called CORP and another existing AD domain called CORP (with DNS=copr.company.com). And now you need to migrate all users and resources from the NT4 CORP to the AD CORP and place AD DCs into the same sites as the existing NT4 DCs... I can imagine various challenges, besides not being able to set up a trust and thus losing various options for doing a "normal" migration. At least I have no need to register the AD domain in WINS; all clients are XP, but I know for sure that I'm going to run into various other issues (the worst one being that the account activation and the resource migration have to happen instantaneously, since resource access won't be possible across the domains). But I'm also thinking of networking issues with an NT4 DC of the one and an AD DC of the other domain in the same IP subnet... I wonder how others have tackled this challenge and what issues you ran into.

/Guido
RE: [ActiveDir] Same As Parent Folder
Thanks for your assistance Dean. On a DC, it seems that without that reg change, the machine will register all of its addresses in DNS regardless of the status of certain check boxes in rrasmgmt.msc. The result (at least as we have seen) is that workstations get confused about what address they need to find the local domain controller.

The problem turned out to be that the admin had changed the password at only one end of the PPTP connection, so the other DCs could not replicate to the new one. Once that was fixed, everything seemed to work fine.

Thanks again.

-- nme

From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 2:54 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Same As Parent Folder

I have a similar setup at home and have merely used the RRASMGMT snap-in to disable DNS registration for any undesirable NIC without issue (PPPoE etc) ... please further explain your RRAS configuration as I confess I'm not understanding the problem at this point.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, June 15, 2005 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Same As Parent Folder

Yes. It kills me, but a DC at each site also runs RRAS in order to terminate PPTP connections. I have explained this over and over to the client’s management. There is, arguably, now a plan (or at least a thought) to move this to a router or at least another Winbox. So, yes, I am aware that it is kludgy and bad and all of those things….

That said, until installing this DC we had finally reached a serviceable steady state (thanks, in part, to Deji) where VPN connections were happening, replication was moving pretty well, and only the local interface was registering in DNS.

In other news, now DC2 is kicking out tons of NetBT errors claiming that the IP address is being used by another name. Could there have been something in the promotion process that caused this not to register properly? I did not do that part of the process and am not sure that the guy knew what he was doing.

-- nme

From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 2:28 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Same As Parent Folder

May I ask why a DC has PPP interfaces?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, June 15, 2005 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Same As Parent Folder

Thanks, Dean. That did not seem to do it either. Ah, but now I see what happened. We have set HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\RegisterDnsARecords to value = 1 (meaning, don’t register – as per MSKB 246804). We had to do this to prevent RRAS PPP connections from registering in DNS and confusing local workstations. As soon as I change this value to 0, the host record shows up; as soon as I set it back to 1, the host disappears. Unfortunately, the PPP interfaces also register. We don’t seem to have this problem at other sites. Any further thoughts?

-- nme

From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 1:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Same As Parent Folder

Locate the NETLOGON.* set of files within %windir%\system32\config ... stop the NETLOGON service, delete the NETLOGON.DNB and NETLOGON.DNS files. Configure the AD representative DNS zone to allow non-secure updates and restart NETLOGON on the errant DC ... if the entry still does not appear, reboot the DC. Post back the results.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, June 15, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Same As Parent Folder

Thanks but that did not seem to do it. Any other thoughts?

-- nme

From: TIROA YANN [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Same As Parent Folder

hello,

Try to do a "net stop netlogon" and a "net start netlogon" on the DC that did not register its SRV records, and finally restart your DNS server in DNS manager.

Regards,
Yann

From: [EMAIL PROTECTED] on behalf of Noah Eiger
Date: Wed 15/06/2005 21:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Same As Parent Folder

Hi – I have added a DC (let’s call it DC2) to a site where it will eventually be the sole DC for that site. Currently, it is running AD-integrated D
RE: [ActiveDir] Migration between domains with same NetBios name
Guy,

Though it might seem trivial, it's not really easy in any way. If you're not in mixed-mode, or have child domains - forget it (IIRC). You've passed the last bastion of 'easy' in a hard process.

The way to do this, and not have tons of lingering issues, is to demote all other DCs back to members, stand up an NT 4.0 machine as a BDC in your domain. Demote the last Win2k DC. Change the Win NT 4.0 to be the PDC. Rename the domain. Now you can upgrade the NT 4.0 PDC to the first DC in your new Win2k forest - but it now has the right NetBios domain name. DCPromo all of the other DC 'members' in the domain.

It's a royal PITA. I've had to do this a few times in the early days of Win2k as some of my rollouts had last minute (or better - last minute +5 minutes) changes from upper Management in naming.

Rick
RE: [ActiveDir] Event log settings in GPO
You may also want to take a look here if you're trying to make the event logs smaller, rather than larger, on Windows 2003 with no SP.

http://support.microsoft.com/default.aspx?scid=kb;en-us;824245

rb
[ActiveDir] Proxy Problem
Hi All,

I was told to edit the GPO for an OU so that users should not be able to access any websites except 2 which are required. I provided a 172.0.0.1 IP and port 80 as the proxy address and just bypassed the addresses of those 2 required websites. But here is where I faced a problem. Both sites are opening for the users, but when they try to log in (which is a secured link), the user gets an error message. The link is https://.xxx/login.jsp

This VLAN is totally open for Internet. I did a solution but I am not satisfied with that, as it allows other such sites also.

Kindly suggest.

-- DR
RE: [ActiveDir] Migration between domains with same NetBios name
Hi Rick,

The only problem I can see with using your method is if he has new accounts and groups that have been created in his existing AD domain; if that is the case then the method that you're proposing will not work as it will delete those AD objects.

What Guido fails to mention, so that we can best determine which migration path he should take, is how many users, groups and machine accounts he is migrating from the NT4 Domain to the AD domain and how large the AD domain is. If the NT4 domain has only several member servers then I concur with Jorge's number 2 suggestion as it sounds like the best choice.

Either way this migration is going to have to be done after business hours. I would start the migration on a Friday late afternoon and plan on being up all night. If all goes well you'll have Saturday and Sunday to relax. If not, I hope his manager will give him time off to recuperate (I'd rather have the time off than a small bonus any day).

Peace,
Jose :-)
RE: [ActiveDir] Migration between domains with same NetBios name
Guido,

I had a discussion around this issue with Chris Macaulay (of ADMT3) last year. He said he would look into the possibility of doing something about this in the next build of v3. It's been more than 7 months since, and a new V3 build was released last month. You may want to look and see if they put anything in there. If not, you may want to chat with Chris to get an idea of what he thought they could do.

I've been lucky (so far) that the TARGET domain is always a 2K3 domain on migrations I've done. I just install the TARGET domain and name it something like "TEMP", do the migration, and whip out my Rendom magic wand. The desire to keep the same name as the old domain is a major requirement, for various obvious reasons.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 6/16/2005 1:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Hey Jorge,

thanks for your thoughts - you missed that I'm not going to register the AD DCs in WINS, so that's not an issue. It's having them in the same subnet that I'm slightly worried about and need to check if it's even possible. Messing with the old domain name is not an option either (don't forget it's production until fully migrated...). And not much time to do it either...

The interim domain scenario was another one going through my head (yes - indeed similar to my DEC session ;-) - but I'm trying to avoid it here as I know what's involved... And it bugs me that they "just" have the same names - MS definitely needs to come up with something like "domain-name aliases" (and I think they're even working on this). But I'll definitely leave the interim domain/forest option on my list if I get the deal (still bid phase).

And definitely a good topic for next DEC (just kidding - I'd say migrations are getting somewhat boring... - however, not one is the same as another...)

Cheers,
Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Thursday, 16 June 2005 16:08
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Hi Guido,

NetBIOS based domains/clients find domain controllers through the WINS record 1Ch. If two different domains share the same WINS infrastructure I think both domains' DCs will register in the same record and then you will have some interesting troubleshooting to do. Don't forget that most migration tools use the browser service to enumerate several objects... again tricky.

As already said, renaming the source domain is a possibility (however I'm not sure if E55 likes domain renames). For this you need to inventory all places that use THE NAME OLDDOMAIN in user accounts. One of the examples is the logon account for services. I'm sure there are more. To do this you are stuck to a "major step moment".

Another possibility is to use an interim domain which I think gives you the possibility to do a phased migration. You will be migrating twice though.

MIGRATION SCENARIO:
* OLDDOMAIN -> INTERIMDOMAIN | NEWDOMAIN
* OLDDOMAIN | INTERIMDOMAIN -> NEWDOMAIN

INTERIMDOMAIN migration - quick and dirty steps:
* Pre-install and configure (isolated) NEWDOMAIN, its DNS, its DHCP, its WINS, etc. and shut down afterwards
* 2 DCs (W2K3 AD) for interim
* Exch55 in the same org as Exch in OLDDOMAIN
* Migrate servers, clients, users, groups, mailboxes, etc. from OLDDOMAIN to INTERIMDOMAIN
* Configure INTERIMDOMAIN SERVERS to use WINS infrastructure from OLDDOMAIN
* Configure INTERIMDOMAIN CLIENTS to use DHCP infrastructure from OLDDOMAIN
* Decommission old Exchange in OLDDOMAIN
* Shut down old domain
* Bring up NEWDOMAIN
* Reconfigure servers and clients to use WINS and DHCP from NEWDOMAIN
* Install Exch2k3 in NEWDOMAIN
* Migrate servers, clients, users, groups, mailboxes, etc. from INTERIMDOMAIN to NEWDOMAIN
* etc. etc.

What do you think about this one?

Cheers
#JORGE#

I think almost the same scenario as the situation you presented during DEC "Handling_Mergers_and_Acquisitions". Let me guess, your next presentation at DEC will be "Migrations between domains with the same NetBIOS name"? ;-))

Whatever scenario you choose will be painful. You must however think about the scenario to use that is less painful.
RE: [ActiveDir] Migration between domains with same NetBios name
It's a concern that needs to be taken into account. However, the reason that I stand up a Windows NT BDC is to sync with the AD and be sure that I've collected all of the domain security principals. [1] Mixed-mode is the trick, as it ensures that we are still in a mode in which an NT 4.0 BDC will communicate with our Win2k DCs. It'll get most things - not absolutely everything, but it's better than having to recreate all of the security principals.

Rick

[1] In fact - one step that I missed was to actually stand up BDCs, taking number two offline and locking it away in a safe - just in case something goes horribly wrong - then I have a backout.
RE: [ActiveDir] Migration between domains with same NetBios name
Rick, you are overlooking one important factor - clients usually do not have the tolerance for the method you are describing, especially not on an existing, production domain. They don't want to disrupt the existing infrastructure, they don't want to change what the users are used to, they don't want to re-write all the apps they have been using for so long, and in which they've hard-coded the existing NetBIOS name.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Thu 6/16/2005 5:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Guy,

Though it might seem trivial, it's not really easy in any way. If you're not in mixed-mode, or have child domains - forget it (IIRC). You've passed the last bastion of 'easy' in a hard process.

The way to do this, and not have tons of lingering issues, is to demote all other DCs back to members, stand up an NT 4.0 machine as a BDC in your domain. Demote the last Win2k DC. Change the Win NT 4.0 to be the PDC. Rename the domain. Now you can upgrade the NT 4.0 PDC to the first DC in your new Win2k forest - but it now has the right NetBios domain name. DCPromo all of the other DC 'members' in the domain.

It's a royal PITA. I've had to do this a few times in the early days of Win2k as some of my rollouts had last minute (or better - last minute +5 minutes) changes from upper Management in naming.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Thursday, June 16, 2005 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Guido,

How about:
1) rename the NetBios name of the target AD
2) perform the migration
3) rename the NetBios name of the AD back to the original

Because you are changing only the NetBios name and not the DNS name, the fixups at the AD side are rather minor... Or are we talking about the target AD being already production and/or W2K?

Guy

From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 6/16/2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migration between domains with same NetBios name

Here is a nice one - I've done quite a few migrations with all kinds of scenarios, so I hardly ask questions around this topic. But when migrating from one NT4 domain to an AD domain which both have the same NetBios name, various issues and potential conflicts come to mind and I wonder if others had to do this in the past, who could share their experience.

Think about an existing NT4 domain called CORP and another existing AD domain called CORP (with DNS=corp.company.com). And now you need to migrate all users and resources from the NT4 CORP to the AD CORP and place AD DCs into the same sites as the existing NT4 DCs... I can imagine various challenges, besides not being able to set up a trust and thus losing various options for doing a "normal" migration. At least I have no need to register the AD domain in WINS; all clients are XP, but I know for sure that I'm going to run into various other issues (the worst one being that the account activation and the resource migration have to happen instantaneously, since resource access won't be possible across the domains). But I'm also thinking of networking issues with an NT4 DC of the one and an AD DC of the other domain in the same IP subnet...

I wonder how others have tackled this challenge and what issues you ran into.

/Guido

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
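Guy's suggestion above (rename only the NetBIOS name of the target AD, migrate, rename it back) is carried out with the Windows Server 2003 rendom tool, whose input is the Domainlist.xml that `rendom /list` writes. The script below is an added example, not code from the ActiveDir list or from Microsoft: it rewrites just the NetBiosName of the matching domain, leaves the DNS name and the application partitions alone, and refuses names that break the basic NetBIOS rules, so that a typo in the hand-edited file is caught before `rendom /upload`. The Domainlist.xml layout (Forest/Domain with Guid, DNSname, NetBiosName, DcName), the GUIDs and the corp.company.com names are constructed sample data, and the gpfixup switches are the documented ones for the 2003 tool; check them against your own build before use.

```python
"""Rewrite only the NetBIOS name of one domain in a rendom Domainlist.xml.

Added example (not from the ActiveDir list or from Microsoft). It assumes the
layout that `rendom /list` writes: a <Forest> holding <Domain> elements with
<Guid>, <DNSname>, <NetBiosName> and <DcName> children. The sample XML below
is constructed for this example; the GUIDs are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the Domainlist.xml layout. The first <Domain> is an
# application partition (empty NetBiosName) and must never be touched.
SAMPLE_DOMAINLIST = """<?xml version="1.0"?>
<Forest>
  <Domain>
    <!-- PartitionType:Application -->
    <Guid>00000000-0000-0000-0000-000000000001</Guid>
    <DNSname>DomainDnsZones.corp.company.com</DNSname>
    <NetBiosName></NetBiosName>
    <DcName></DcName>
  </Domain>
  <Domain>
    <Guid>00000000-0000-0000-0000-000000000002</Guid>
    <DNSname>corp.company.com</DNSname>
    <NetBiosName>CORP</NetBiosName>
    <DcName></DcName>
  </Domain>
</Forest>
"""

# Characters Windows rejects in a NetBIOS domain name (a subset of the rules).
_ILLEGAL = set('\\/:*?"<>|')


def valid_netbios_name(name: str) -> bool:
    """1-15 characters, no control characters, none of the illegal set."""
    if not 1 <= len(name) <= 15:
        return False
    return not any(c in _ILLEGAL or ord(c) < 0x20 for c in name)


def rename_netbios(xml_text: str, dns_name: str, new_nb: str) -> tuple:
    """Return (rewritten XML, change record) for a NetBIOS-only rename.

    Only the <NetBiosName> of the single <Domain> whose <DNSname> equals
    dns_name is changed; every other element, including the DNS name itself,
    is left as it was, so the rename never touches application partitions.
    """
    if not valid_netbios_name(new_nb):
        raise ValueError(f"invalid NetBIOS name: {new_nb!r}")
    root = ET.fromstring(xml_text)
    hits = [d for d in root.findall("Domain")
            if (d.findtext("DNSname") or "").lower() == dns_name.lower()]
    if len(hits) != 1:
        raise ValueError(f"expected one domain named {dns_name}, found {len(hits)}")
    nb = hits[0].find("NetBiosName")
    if nb is None:
        raise ValueError("domain entry has no NetBiosName element")
    old = nb.text or ""
    if old.upper() == new_nb.upper():
        raise ValueError("new name equals the current name; nothing to do")
    nb.text = new_nb
    record = {"dns": dns_name, "old": old, "new": new_nb}
    return ET.tostring(root, encoding="unicode"), record


def gpfixup_command(old_nb: str, new_nb: str, dc: str) -> str:
    """Build the gpfixup call that repairs GPO links after the NetBIOS rename.

    /oldnb, /newnb and /dc are the switches documented for the Windows Server
    2003 gpfixup tool (assumed here; verify on your build). Because only the
    NetBIOS name changes, the /olddns and /newdns pair is not needed.
    """
    return f"gpfixup /oldnb:{old_nb} /newnb:{new_nb} /dc:{dc}"


if __name__ == "__main__":
    # Step 1 of Guy's plan: CORP -> CORPTMP on the target AD.
    tmp_xml, rec = rename_netbios(SAMPLE_DOMAINLIST, "corp.company.com", "CORPTMP")
    print(rec)
    print(gpfixup_command(rec["old"], rec["new"], "dc1.corp.company.com"))
    # Step 3: after the migration, back to the original name.
    _, rec_back = rename_netbios(tmp_xml, "corp.company.com", "CORP")
    print(rec_back)
```

Run it on the real Domainlist.xml by reading the file into `rename_netbios` and writing the returned text back out before `rendom /upload`; the change record is what you would paste into the change ticket, and the second call shows that the rename back to the original name is the same operation with the names swapped.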
RE: [ActiveDir] Migration between domains with same NetBios name
Yep - you're right. I did overlook the fact that the ultimate goal was to have the two domains (source, target) with the same domain name. Never mind. :o)

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 16, 2005 9:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Rick, you are overlooking one important factor - clients usually do not have the tolerance for the method you are describing, especially not on an existing, production domain. They don't want to disrupt the existing infrastructure, they don't want to change what the users are used to, they don't want to re-write all the apps they have been using for so long, and in which they've hard-coded the existing NetBIOS name.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Thu 6/16/2005 5:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Guy,

Though it might seem trivial, it's not really easy in any way. If you're not in mixed-mode, or have child domains - forget it (IIRC). You've passed the last bastion of 'easy' in a hard process.

The way to do this, and not have tons of lingering issues, is to demote all other DCs back to members, stand up an NT 4.0 machine as a BDC in your domain. Demote the last Win2k DC. Change the Win NT 4.0 to be the PDC. Rename the domain. Now you can upgrade the NT 4.0 PDC to the first DC in your new Win2k forest - but it now has the right NetBios domain name. DCPromo all of the other DC 'members' in the domain.

It's a royal PITA. I've had to do this a few times in the early days of Win2k as some of my rollouts had last minute (or better - last minute +5 minutes) changes from upper Management in naming.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Thursday, June 16, 2005 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Guido,

How about:
1) rename the NetBios name of the target AD
2) perform the migration
3) rename the NetBios name of the AD back to the original

Because you are changing only the NetBios name and not the DNS name, the fixups at the AD side are rather minor... Or are we talking about the target AD being already production and/or W2K?

Guy

From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 6/16/2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migration between domains with same NetBios name

Here is a nice one - I've done quite a few migrations with all kinds of scenarios, so I hardly ask questions around this topic. But when migrating from one NT4 domain to an AD domain which both have the same NetBios name, various issues and potential conflicts come to mind and I wonder if others had to do this in the past, who could share their experience.

Think about an existing NT4 domain called CORP and another existing AD domain called CORP (with DNS=corp.company.com). And now you need to migrate all users and resources from the NT4 CORP to the AD CORP and place AD DCs into the same sites as the existing NT4 DCs... I can imagine various challenges, besides not being able to set up a trust and thus losing various options for doing a "normal" migration. At least I have no need to register the AD domain in WINS; all clients are XP, but I know for sure that I'm going to run into various other issues (the worst one being that the account activation and the resource migration have to happen instantaneously, since resource access won't be possible across the domains). But I'm also thinking of networking issues with an NT4 DC of the one and an AD DC of the other domain in the same IP subnet...

I wonder how others have tackled this challenge and what issues you ran into.

/Guido
RE: [ActiveDir] Migration between domains with same NetBios name
Deji, Rick and all - good to get your feedback - thanks.

I've been doing some stuff with ADMTv3 Beta 2 and am in contact with Chris, but a trust between two equally named domains is out of scope of ADMT - it's obviously an OS limitation. However, I've missed the fact that there's supposed to be a new v3 release - I'm on the beta and only know of the Jan 2005 Beta2 release. Guess I have to ping Chris.

Rick, you mentioned the option of reverting the target dom to NT4 - which could be generally possible, but not in this case, as it's native (Win2k3).

Deji, you mention you've already leveraged rendom in production environments - I don't mind mentioning that I've always tried to avoid it and didn't have the requirement until now. I know quite well what's involved and what will potentially break if used in AD (e.g. Certificate Services and domain based DFS) and the efforts I have to go through on the client and member-server side (reboot all machines twice) besides going through the DNS rename for all DCs... Did I mention Exchange? Ok, it is E2k3 SP1, so I guess it's supported, but yet unclear to me how painful it would be. Never mind the customer's other apps that are yet unknown to me (but according to the customer don't leverage NT auth.) I'd be happy to hear from you that I'm making this too difficult and rendom is no issue... ;-)

Currently I'm still on the path of seeking a "more traditional" way to do it without renaming the AD side of the house. I accept and will expect some break/fix situations during the migration of the apps from the old domain. And as I'm limited in not changing/renaming the existing NT4 sourcedom either, the best approach yet (thanks Jorge and Aric) is to add another BDC to the old dom, take it offline, promote to PDC and rename its domain, then migrate account and group objects across to AD. This will at least allow handling of re-ACLing FS and most other access issues. Then tackle migration of the member clients and servers either by migrating twice or joining them directly to the target AD domain (e.g. during a cutover weekend) - still enough work, but more "tangible"...

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Freitag, 17. Juni 2005 03:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Guido,

I had a discussion around this issue with Chris Macaulay (of ADMT3) last year. He said he would look into the possibility of doing something about this in the next build of v3. It's been more than 7 months since, and a new V3 build was released last month. You may want to look and see if they put anything in there. If not, you may want to chat with Chris to get an idea of what he thought they could do.

I've been lucky (so far) that the TARGET domain is always a 2K3 domain on migrations I've done. I just install the TARGET domain and name it something like "TEMP", do the migration, and whip out my Rendom magic wand. The desire to keep the same name as the old domain is a major requirement, for various obvious reasons.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 6/16/2005 1:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Hey Jorge,

thanks for your thoughts - you missed that I'm not going to register the AD DCs in WINS, so that's not an issue. It's having them in the same subnet that I'm slightly worried about and need to check if it's even possible. Messing with the old domain name is not an option either (don't forget it's production until fully migrated...). And not much time to do it either...

The interim-domain scenario was another one going through my head (yes - indeed similar to my DEC session ;-) - but I'm trying to avoid it here as I know what's involved... And it bugs me that they "just" have the same names - MS definitely needs to come up with something like "domain-name aliases" (and I think they're even working on this). But I'll definitely leave the interim-domain/forest option on my list if I get the deal (still bid phase). And definitely a good topic for next DEC (just kidding - I'd say migrations are getting somewhat boring... - however, not one is the same as another...)

Cheers,
Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Donnerstag, 16. Juni 2005 16:08
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Hi Guido,

NetBIOS based domains/clients find domain controllers through the WINS record 1Ch. If two dif