RE: [ActiveDir] concern about re-ip'd DC
If the UI is showing it in the correct site then the object in the directory has moved and the DC is in the new site. You can confirm this by looking at a repadmin /showreps output or by using LDP and looking at the configuration container, looking at the objects under the site.

As far as the Netlogon.DNS there can be many reasons that it still has the old site, first it could be covering for that site, AutoSite coverage, since you state it was the only DC in the old site. As Dean points out once the machine becomes a DC the values in the registry are really irrelevant and I should have made that more clear.

If you are going to DCPromo out the server there is no reason to really worry about what site it is in. The only thing you may have to do after the DCPromo down is to ensure that the SRV records did get deregistered from DNS or they will go away when DNS scavenging runs. You can also stop netlogon, delete the files and restart netlogon, but if the server is going away not sure I would bother.

If you want to see why netlogon is attempting to register the DNS records you can turn up netlogon logging, http://support.microsoft.com/default.aspx?scid=kb;en-us;109626 and set the dbflag to 0x2002 and restart netlogon. Also the netlogon.dns file can contain entries we want to deregister as well as register; the deregistered ones are prefixed.

Thanks,
-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, August 06, 2005 6:34 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] concern about re-ip'd DC

Having read the highlights of this thread, I'm immediately confused as to why you don't simply delete the errant reg. value[1] since its functionality, as I've understood it to this point, is relevant to members, not DCs.

As for deleting the NETLOGON.DNS and .DNB files; I've found this a solution in the more extreme of DC/DDNS issues, none of which were remotely related to the "DynamicSiteName" value ... having said that, deleting the NETLOGON.DNS has proved a successful remedy more often than not and has shown itself to yield no detrimental lingering behaviors.

[1] to clarify my use of the term "value": when used in the context of the registry it defines a named placeholder to maintain some data of a defined type -- in this case "DynamicSiteName", the content of the value is commonly referred to as the "data". "Keys" are the registry equiv. of folders.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Saturday, August 06, 2005 6:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC

Hi Steve,

Thanks for your additional pointers! All of the DCs (using the AD Sites and Services GUI) all show this server in the site it was moved to. Yet, the moved DC seems to think that it is still in the old site. There are registry entries in the registry that still identify the old site. My goal is to get this DC to a stable condition and then DCPromo it out. Since I don't plan on having this server in any other site, maybe the "sitename" registry would be an OK way to go?

I am still confused why things don't happen automatically in a logical fashion. I would expect the netlogon.dns file to reflect the new site. Yet it doesn't. This DC was the only one in the old site. Would that make a difference? I recall at one time (for a completely different reason) deleting the netlogon.dns (and netlogon.dnb too?) files was a solution. Would that be a wise thing to do? Since there are no more computers in the old site, would it make sense at this point to just delete the site or would that mess up the situation even more?

I will check out your references tomorrow. (I am at a family function right now and was really anxious to see if anyone had responded to my query.) Thanks for the help!

-mike

From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Sat 8/6/2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC

Ok I see in your original message that you state you did try to move it via sites and services, missed that. When you did this what server was the Sites and Services MMC focused on, your DC or another DC in the domain? Did the UI update to show the server in the correct site after the move or did it simply remain the same? If you focus on another DC and make the change and then wait for replication does the site get updated? Is the server that you are trying to move healthy from a replication standpoint? The SiteName parameter was put in the registry for troubleshooting and testing purposes and while it can be used it can also cause confusion later if
RE: [ActiveDir] concern about re-ip'd DC
Hi Steve,

Thanks for your additional pointers! All of the DCs (using the AD Sites and Services GUI) all show this server in the site it was moved to. Yet, the moved DC seems to think that it is still in the old site. There are registry entries in the registry that still identify the old site. My goal is to get this DC to a stable condition and then DCPromo it out. Since I don't plan on having this server in any other site, maybe the "sitename" registry would be an OK way to go?

I am still confused why things don't happen automatically in a logical fashion. I would expect the netlogon.dns file to reflect the new site. Yet it doesn't. This DC was the only one in the old site. Would that make a difference? I recall at one time (for a completely different reason) deleting the netlogon.dns (and netlogon.dnb too?) files was a solution. Would that be a wise thing to do? Since there are no more computers in the old site, would it make sense at this point to just delete the site or would that mess up the situation even more?

I will check out your references tomorrow. (I am at a family function right now and was really anxious to see if anyone had responded to my query.) Thanks for the help!

-mike

From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Sat 8/6/2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC

Ok I see in your original message that you state you did try to move it via sites and services, missed that. When you did this what server was the Sites and Services MMC focused on, your DC or another DC in the domain? Did the UI update to show the server in the correct site after the move or did it simply remain the same? If you focus on another DC and make the change and then wait for replication does the site get updated? Is the server that you are trying to move healthy from a replication standpoint? The SiteName parameter was put in the registry for troubleshooting and testing purposes and while it can be used it can also cause confusion later if you decide to make another change as that value always overrides.

Thanks,
-Steve

From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Sat 8/6/2005 9:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC

In addition just so no one thinks this recently changed the behavior was also described in the Windows 2000 Distributed Systems Guide as well:

http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/DistSystems.asp

"If a domain controller's IP address or the subnet-to-site associations are changed after Active Directory is installed on the server computer, the domain controller does not change sites automatically. It must be moved to the new site manually if that site is the desired location."

Thanks,
-Steve

From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Sat 8/6/2005 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC

The following documentation describes this behavior as well:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/adsrv.mspx

"All newly promoted DCs are placed in the Site container that applies to them at the time of installation. For example, a server bound for California might have been initially built and configured in the Maui, Hawaii, data center - therefore, the Configure Your Server wizard places the server in the Maui site. After it arrives in California, the server object can be moved to the new site using the Sites and Services snap-in."

If you do not want to use the UI a script was included in the Branch Office Guide called movesite.vbs that will accomplish the same thing.

Thanks,
-Steve

From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Sat 8/6/2005 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC

We do not recommend changing the dynamicsitename parameter and hard coding it using the SiteName parameter is also not recommended since later you may forget that this is set and no matter what you do the DC will assume it is in the site you put in the key even if that site does not really exist. As I stated below Domain Controllers are special: when they are promoted they look at the site and subnet mappings and place themselves in the correct site. After that you must manually move them thr
RE: [ActiveDir] Virtual Domain Controllers
Well since it is a single domain and a single DC I would say he really doesn't have a worry about USN rollbacks but he does have a possible concern with SID reissue.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Saturday, August 06, 2005 5:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

> Since it's a single domain server I just take ghost snapshots of the domain and then backup the files

not really a useful approach to backup a DC. Might be ok for FS and other roles, but DCs are not really cool with snapshotting and being "rolled back in time" due to the distributed nature of the data they store. You could easily cause USN rollback during recovery of a DC stored in this fashion (at least SP1 protects the rest of your DCs now by turning off in- and out-bound replication and disabling the netlogon-service if it finds a DC that has a USN rollback status).

But for AD Backup/Restore you'd be much better off to work with normal SystemState backup/restore. Which is another reason why it's nice to have it on a separate box (virtual or hardware).

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Saturday, 6 August 2005 02:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

I run a single DC in a small environment... only about 10 users, and since it's just a single server office, and single DC domain... I just run everything on the domain controller. Domain, DNS, File, Print, and Accounting Software on the same server... no VM ware... although I considered it.

Since it's a single domain server I just take ghost snapshots of the domain and then backup the files. Seems to work pretty good, as it's been running solid for about a year now.

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 05, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Could you just do the file/print on the DC? In a small environment you could probably get away with it.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
A good plan today is better than a perfect plan tomorrow.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

Hi All,

I have a question about running DCs on GSX server. I understand that MS does not support this configuration, but I've heard that many people are running DCs in this fashion. Can anyone give some advice in this arena? The idea here is to do VM for a file/print, and another one for a DC in our remote sites. Currently, we've got different hardware for each box, but we're trying to consolidate a bit out there.

Thank you.

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of Child Support
(503) 378-4500 x22277
[EMAIL PROTECTED]
RE: [ActiveDir] OT - Biggest AD Gripes
I worked for a company with around 15k users. I would say it's scalable as a directory service. Some of its management tools might be arguably better, but they have their fair share of annoyances, too. :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Friday, August 05, 2005 6:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - Biggest AD Gripes

Were there any comments to Joe's question about large deployments of NDS? Are/were there any out there? I am just interested because I still hear comments about how scalable it is.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, August 05, 2005 7:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - The downfall of Novell and NetWare (was- Biggest AD Gripes)

Heh

From a pure technical view, quite right. However - that's where I started - NetWare 2.0 (I mean the FIRST NetWare 2.0). I still remember the proprietary servers that they used to manufacture.

However, what really killed Novell was not the brilliant technical ideas of Drew Majors (who, I still respect as a guy with real vision), but the Megalomania and obsessive behavior of Ray Noorda. Ray so envied Bill Gates that he was going to do anything to better Gates. This meant that Ray effectively lost focus of what Novell was all about in the interest of buying up products that he thought would better Microsoft. Hence, absolutely ridiculous amounts of money (OK, for that time it was ridiculous...) were spent for WordPerfect and ATT Unix, as well as other pieces that were picked up.

But, the focus was lost, NT 4.0 caught on, and the Microsoft marketing machine paid no attention (outwardly, at least) to Noorda. They just went after the customers who had lost patience with the very badly off track NetWare. What was once a major player - and owned greater than 80% of the server market all but became a bit player overnight.

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 8:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, let's not forget the less than well-thought-out client they produced (current versions are better but still remain lesser integrated than that of Windows' native ability) ... utterly, utterly pathetic attempt. Arrogance and a distinct lack of marketing (when compared to the competition) was also a contributing factor IMO.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I think there were a few very important reasons why Netware lost the battle. I remember when NT first shipped the mantra was, "Netware is great for file and print and NT is great for applications". Netware NLMs were impossible to develop and that meant that folks either developed apps on NT or more likely Unix (at the time). Apps are sticky, file and print is not. Over time, as Windows ruled the desktop and people realized that file and print was commodity and that arguing about whether Netware was a better file and print server than NT became meaningless compared to better desktop/server integration, Novell lost out. Novell failed to keep up, in my opinion. The market was theirs to lose...and they lost it. Proof once again that great technology coupled with bad management is just as bad as bad technology.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, August 05, 2005 5:05 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

IMHO Novell lost out to MS due to the fact that Netware 3 was so clunky (ultra stable but diff to manage once you deployed more than ~100 servers). Netware 4/NDS had issues in its first version and quickly lost traction, leaving MS and NT to pick up the thread.

It was for this reason that very few orgs deployed NDS across a large env - NDS was more than capable of supporting 100K users and the management/maintenance/support would have been far simpler than it was for NT.

Once NT gained the upper hand, momentum took over and led us to where we are today.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 05 August 2005 00:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Yeah, ADAM scared some folks in the widget factory as well. On the positive side, it can register in AD so you can chase them down that way via their SCPs. If they don't register, well then that will be fun to chase as it will be like trying to find rogue AD's, network scanning but even worse,
RE: [ActiveDir] R2 Functionality - (Was Biggest AD Gripes)
> However, I've had horrible experiences with __DFS__, and have high
> expectations for DFS-R.

I'm sure you meant FRS (even though it requires DFS), but the core DFS features of Win2003 are actually not changing that much in R2. I'd almost vote that the DFS updates from Win2000 to Win2003 were more important (e.g. multiple roots, better site-awareness) than the additions to DFS in R2. And it does work rather well already.

Granted, R2 does have a great new MMC SnapIn to manage the roots and links and I certainly like the capability to create place-holder folders to create a true hierarchy in DFS (without the requirement to cascade roots). Other nice features are the target priority and failback options (if you have multiple targets at all) - realize that failback will only be made available to XP SP2 clients with a special hotfix (so it may be of limited use).

The main advantages are truly the file replication engine - i.e. the advantages of DFS-R over FRS are enormous.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, 4 August 2005 16:29
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Functionality - (Was Biggest AD Gripes)

Ouch Bad Rick. I haven't spent as much time as I would like with R2. I appreciate you pointing out the schema update, and I'll have to go look at the .ldf to get an idea of what it does. To be honest - I completely missed that.

As to testing and functionality, I highly recommend that anyone looking to implement new functionality into an existing production environment test it. Interaction and co-operation among applications and server components is a funny thing. One should not blindly believe that just because it's a module on top of Win2k3 that it will not have any negative side effects is asking for trouble.

As to DFS-R, I'd have to say that it - too, is the number one on my list of best additions that should have been there a long time ago. I see it as having the potential of solving many problems. However, I've had horrible experiences with DFS, and have high expectations for DFS-R.

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, August 04, 2005 3:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Functionality - (Was Biggest AD Gripes)

Rick,

I agree that R2 adds new functionalities. As we all know R2 is an updated release of the Windows Server OS and it is not mandatory. My opinion is that R2 has some new cool features and my favorite is DFS-R!!!

Update Releases (http://www.microsoft.com/windowsserver2003/evaluation/overview/roadmap.mspx)
Update releases integrate the previous major release with the latest service pack, selected feature packs, and new functionality. Because an update release is based on the previous major release, customers can incorporate it into their environment without any additional testing beyond what would be required for a typical service pack. Any additional functionality provided by an update would be optional and thus not affect application compatibility or require customers to re-certify or re-test applications.

As you can see above, Microsoft states "Because an update release is based on the previous major release, customers can incorporate it into their environment without any additional testing beyond what would be required for a typical service pack"

The integration on member servers is easy and straightforward and requires no testing as nothing will be enabled. The integration on DCs and the use of several components (print connections, DFS-R, etc) demand an extension of the AD schema to version 31 so the new objects and attributes are available for "print connections", DFS-R and Unix Identity Management. Some components also demand the installation and use of the new "Microsoft .NET Framework v2".

With this in mind, and for those who want to implement R2, my opinion is to still test and plan it. Especially for the new framework and the schema update. By the way: the R2 schema update does not change the PAS.

What are your thoughts on this?

Cheers,
#JORGE#

From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Wed 8/3/2005 11:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Functionality - (Was Biggest AD Gripes)

Guido (and all, really)-

You bring up a good point. There seems to be some misconception and misinformation (BTW, no one here is doing the misinformation - just to be clear) around R2. When R2 is installed (or whatever this is going to be called when released - it may be just Windows Server 2003 Release 2 - or it might be something else) it is really a series of modules that ADD FUNCTIONALITY. That's key - it adds functionality. Remember that Rights Management Services when run on Win2k3 really chan
RE: [ActiveDir] Limitlogin for users
> because some of the users are abusing their privileges

The usefulness of LimitLogon for your scenario sort of depends on what the users are doing that you consider "abuse".

LimitLogon is mainly meant to hinder your users from using more concurrent logon sessions than you'd like them to use - so if the abuse you mean is users who are merely logging onto more than one machine, this can help you. But don't forget you need to update your schema, add an app-partition and have an IIS server ready to get this whole thing to work.

If your issue is that users are not ONLY logging onto SPECIFIC machines and have taken the freedom to log on to other clients they shouldn't touch, then this won't really help you, as they may still be "under quota" while logging onto these "forbidden" machines. If this is the case, then you're likely better off restricting each user to allow logon only to specific machines - this function is built into the OS (without the need for LimitLogon) => just configure the list of workstations (I think max. 10) a user is allowed to log on to via ADUC => Account properties => Account => Log On to...

This is a simple list of NetBIOS machine names stored in the "userworkstations" attribute of a user account (rather easy to script as well, if you don't want to add the stuff manually).

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Saleem, Mohamed Yunus
Sent: Saturday, 6 August 2005 06:39
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Limitlogin for users

Hi Everyone

Has anyone installed and configured limitlogin? Is it difficult, did you face any problems? We are planning to limit the login sessions for users because some of the users are abusing their privileges.

Thanks
Mohamed
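The per-user workstation restriction Guido describes, scripted, as an added example that is not part of the original thread. The function names, accounts and machine names are hypothetical; the apply step assumes the ActiveDirectory PowerShell module, whose `Set-ADUser -LogonWorkstations` parameter writes the attribute as a comma-separated list.

```powershell
# Added example, not from the original thread. Accounts and machine names are constructed.
# Plan first (runs anywhere), apply second (needs the ActiveDirectory module).

$mapping = @'
SamAccountName,Workstations
jdoe,pc-fin-01;PC-FIN-02;pc-fin-01
asmith,PC-HR-07;THIS-NAME-IS-TOO-LONG-01
'@ | ConvertFrom-Csv

function Get-WorkstationPlan {
    param([Parameter(Mandatory)][object[]]$Rows)
    foreach ($row in $Rows) {
        # Normalise: trim, upper-case, drop blanks and duplicates
        $names = @($row.Workstations -split ';' |
            ForEach-Object { $_.Trim().ToUpperInvariant() } |
            Where-Object { $_ } |
            Sort-Object -Unique)
        # Conservative NetBIOS name check (assumption): 1-15 chars, letters/digits/hyphen/underscore
        $rejected = @($names | Where-Object { $_ -notmatch '^[A-Z0-9_-]{1,15}$' })
        [pscustomobject]@{
            SamAccountName = $row.SamAccountName
            Workstations   = @($names | Where-Object { $_ -notin $rejected }) -join ','
            Rejected       = $rejected
        }
    }
}

function Set-WorkstationRestriction {
    param([Parameter(Mandatory)][object[]]$Plan, [switch]$Apply)
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($item in $Plan) {
        # Never write a partial or empty list: an empty value removes the restriction entirely
        if ($item.Rejected.Count -gt 0 -or -not $item.Workstations) {
            Write-Warning "$($item.SamAccountName): skipped, rejected names: $($item.Rejected -join ', ')"
            continue
        }
        # A typo in a machine name silently locks the user out of that machine
        foreach ($name in $item.Workstations -split ',') {
            if (-not (Get-ADComputer -Filter "Name -eq '$name'")) {
                Write-Warning "$($item.SamAccountName): no computer object named $name"
            }
        }
        $user = Get-ADUser -Identity $item.SamAccountName -Properties userWorkstations
        if ($user.userWorkstations -eq $item.Workstations) { continue }   # already as planned
        # Dry run unless -Apply is given
        Set-ADUser -Identity $user -LogonWorkstations $item.Workstations -WhatIf:(-not $Apply)
    }
}

$plan = Get-WorkstationPlan -Rows $mapping
$plan | Format-Table -AutoSize
# With RSAT installed:  Set-WorkstationRestriction -Plan $plan          (dry run)
#                       Set-WorkstationRestriction -Plan $plan -Apply
```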
RE: [ActiveDir] Branch Office Question
I expected that.. in a few words: hub-and-spoke topology in a non fully routed network. For this to work you need a site for each location and a site link between each spoke (the branches) and the hub, and auto site link bridging is off.

The other things I can think of:
* Is each DC/GC in the correct site?
* Do you have custom site link bridges?
* Do you have custom connections? (auto connections are visible as automatic connections and custom connections are visible as GUIDs)
* Check the site membership of the site links. Is it correct?
* Other site links connecting the branches somehow
* etc.

By the way: to see if the KCC/ISTG for a site has been disabled, open up the properties of the NTDS Site Settings object of each site. If you see yellow exclamation marks at the bottom with text explaining it, the KCC is disabled. If you don't see anything, it is enabled.

You can also check it with:

repadmin /siteoptions /site:

Default-First-Site-Name
Current Site Options: (none)
-> means the KCC is not disabled

Default-First-Site-Name
Current Site Options: IS_AUTO_TOPOLOGY_DISABLED IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED
-> means the KCC is disabled for intrasite and intersite

Cheers
#JORGE#
RE: [ActiveDir] Merging two domains
yeah... this is also the first thing I thought. I also thought of something else. Will those users ever need to access their old resources? (like mail, files, etc.) If no access is allowed, how are you going to do that? Exmerge all mailboxes into PSTs and burn files on DVD or something like that?

Cheers
#JORGE#

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Merging two domains
Interesting issue. SIDHistory is not much of an issue, obviously. Apparently, the users won't have access to the old forest, so it's of little value.

I would suspect, as a 'from the hip' approach - given your limits you really only have a .ldf or a .csv dump of the accounts that are to become a part of your domain. However, if you aren't going to be allowed any access to the old forest, then there is no reason to think that the users would be any more than newly created principals, along with the computers that you might acquire.

Dump the information, but I wouldn't get too terribly concerned about what is coming with them. Other than name, logon name, samAccountName, there isn't much that you can use.

Rick
RE: [ActiveDir] Branch Office Question
Thanks, Jorge. The topology is as follows:

- Each office connects to the hub via a point-to-point VPN. That is, there is no bridging at the hub -- this is a bandwidth consideration.
- As for AD: we have three sites Hub, B1, B2, and B3.
- Each has a single DC that is also a GC.
- There are three IP site links: Hub-B1, Hub-B2, and Hub-B3.

I am not sure, but at one point there may have been a single site link containing all sites. If there was, it is gone now.

The ISTG created a "web" topology. However, we were getting replication errors. I manually deleted the connection objects that connected the hubs to each other. Those connection objects have not regenerated. There are no manually created connections.

Finally, I recall that there is a setting (reg edit?) that tells the ISTG to _not_ automatically create connections. To my knowledge, this setting is not enabled.

Anything else I should check?

-- nme

From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED]
Sent: Friday, August 05, 2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Branch Office Question

May look like a silly question, but can you point out (just to be sure) what your site and replication topology looks like? How many sites and how many site links do you have and how are those connected? I assume one domain and each DC = GC...

#JORGE#

From: [EMAIL PROTECTED] on behalf of Noah Eiger
Sent: Sat 8/6/2005 3:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Branch Office Question

Hi Jorge:

Thanks for the suggestion. That checkbox was indeed checked. I have unchecked it and waited longer than a day. Replication seems to have worked and the box is unchecked at all branch sites. The errors persist at all branch sites.

Any further thoughts?

-- nme

> -----Original Message-----
> From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 04, 2005 10:21 AM
> To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Branch Office Question
>
> so, your network is not fully routed? is auto site link
> bridging enabled or disabled. If it is enabled, disable it!
>
> To do so:
> * start sites and services
> * go to Inter site transports
> * right click IP and uncheck "bridge all site links"
>
> wait until this has replicated to the other DCs
>
> Cheers
> #JORGE#
>
> From: [EMAIL PROTECTED] on behalf of Noah Eiger
> Sent: Thu 8/4/2005 6:41 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Branch Office Question
>
> Hi -
>
> Ok. Finally, one of my questions is ON topic ;-)
>
> I have three branch office sites that connect to a single
> hub. VPN connectivity, Site links, and connection objects
> only allows each branch to see the hub. Replication is
> working smoothly and consistently. Yet, I am still seeing
> repeated errors in the Event Viewers of the branches
> complaining that they cannot see one another.
>
> The options offered in the errors all seem to point to trying
> to get the branches to see one another (e.g., "publish
> sufficient site connectivity information..."). I want to tell
> it not to look for the other branches at all.
>
> Specifically, I see:
>
> Event Type: Warning
> Event Source: NTDS KCC
> Event Category: (1)
> Event ID: 1566
> Date: 7/29/2005
> Time: 11:45:08 AM
> User: N/A
> Computer: BRANCHDC1
>
> Event Type: Error
> Event Source: NTDS KCC
> Event Category: (1)
> Event ID: 1311
> Date: 7/29/2005
> Time: 11:45:08 AM
> User: N/A
> Computer: BRANCHDC1
>
> Thanks.
>
> -- nme
[ActiveDir] Merging two domains
We have an external domain that we will not be allowed to set up a two way trust with, not be allowed to migrate users from, etc. Basically it's a partial domain import from one domain to our current Win2k3 domain. Getting access to the external domain is out of the question since the external domain is not currently ours. Part of it will become ours.

Are there any alternative ways to import or migrate users from an external domain? I understand SID history and all the nice things that go along with it (profile migrations, etc.) will not work. What about doing some type of an LDIFDE export and import? Will that at least get us the account creations? What other alternatives are there to have the least end-user impact when changing their domain? Any documents out there outlining this?

Thanks to all.
RE: [ActiveDir] concern about re-ip'd DC
Ok, I see in your original message that you state you did try to move it via sites and services, missed that. When you did this, what server was the Sites and Services MMC focused on: your DC or another DC in the domain? Did the UI update to show the server in the correct site after the move or did it simply remain the same? If you focus on another DC and make the change and then wait for replication, does the site get updated? Is the server that you are trying to move healthy from a replication standpoint?

The SiteName parameter was put in the registry for troubleshooting and testing purposes, and while it can be used it can also cause confusion later if you decide to make another change, as that value always overrides.

Thanks,

-Steve
RE: [ActiveDir] concern about re-ip'd DC
In addition, just so no one thinks this recently changed, the behavior was also described in the Windows 2000 Distributed Systems Guide as well:

http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/DistSystems.asp

"If a domain controller's IP address or the subnet-to-site associations are changed after Active Directory is installed on the server computer, the domain controller does not change sites automatically. It must be moved to the new site manually if that site is the desired location."

Thanks,

-Steve
RE: [ActiveDir] concern about re-ip'd DC
The following documentation describes this behavior as well:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/adsrv.mspx

"All newly promoted DCs are placed in the Site container that applies to them at the time of installation. For example, a server bound for California might have been initially built and configured in the Maui, Hawaii, data center-therefore, the Configure Your Server wizard places the server in the Maui site. After it arrives in California, the server object can be moved to the new site using the Sites and Services snap-in."

If you do not want to use the UI, a script was included in the Branch Office Guide called movesite.vbs that will accomplish the same thing.

Thanks,

-Steve
RE: [ActiveDir] concern about re-ip'd DC
We do not recommend changing the dynamicsitename parameter and hard coding it using the SiteName parameter is also not recommended since later you may forget that this is set and no matter what you do the DC will assume it is in the site you put in the key even if that site does not really exist. As I stated below Domain Controllers are special when they are promoted they look at the site and subnet mappings and place themselves in the correct site. After that you must manually move them through the Sites and Services Snapin. Simply launch the MMC navigate to the old site and look under the servers folder, select the server you want to move and drop him in your new site. Are you stating that you did this and the server did not show up in the new site? There are many reasons why DCs do not dynamically change sites most revolving around keeping a stable replication environment. Thanks, -Steve From: [EMAIL PROTECTED] on behalf of Thommes, Michael M. Sent: Sat 8/6/2005 7:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] concern about re-ip'd DC Hi Steve, (Maybe I should add this issue to the "OT-Biggest AD Gripes" thread!) Each of the actions I've taken so far, in my mind, should have gotten this DC back to the appropriate site. But it still thinks it should be in the original site! One item I find is the HKLM\SYSTEM\CCS\Services\Netlogon\Parameters\DynamicSiteName still points to "site2". I did run across a Microsoft article that talks about this and to never change a dynamically determined value. Instead. you can create a a new value in the same place in the registry named "SiteName", REG_SZ with the value you want. Have you (or someone else) found the need to do this? Mike Thommes From: [EMAIL PROTECTED] on behalf of Steve Linehan Sent: Fri 8/5/2005 4:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] concern about re-ip'd DC DC do not change their sites dynamically. 
You will need to move the DC to its new site manually via sites and services. When they are promoted they look at the site definitions but after that it is a manual process. Thanks, -Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Friday, August 05, 2005 3:57 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] concern about re-ip'd DC Hi, I have a Domain Controller that was located in a different AD site (site2) via its IP (naturally!). This DC was shut down about 2 weeks ago. I have since powered it back up offnet, given it a new IP (which is defined as a different site (site1)), and rebooted it on net. Some hours later, it still seems to think it is in the original site (site2), at least that is what I see in AD Sites and Services. Some minutes later...based on some googled and eventide.net info, I put in a specific subnet entry in ADSS for this new IP and associated it with site1. A reboot produced no change. So then I went to AD Sites and Services and did a GUI move of this DC from site2 to site1. Another reboot - no change. I see the dynamically created netlogon.dns file STILL has site2 identified! Any hints on how to "convince" this DC that it should be in site1? Anybody else experience this type of behavior? TIA! Mike Thommes
RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
That would tell me that the homeMDB value either isn't correct or isn't being set properly. homeMDB is a linked DN attribute, it *MUST* be valid when it is set. If the tool allows you to retrieve the extended LDAP error that would be great, if not get out a network sniffer and trace the operation. If the issue is with homeMDB from the DC, you will see a CONSTRAINT_ATT_TYPE error in clear text in the return packet from the DC. I would pull out a network sniffer From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Saturday, August 06, 2005 6:01 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred The only sad thing about it is that when with the same attributes minus the homeMDB, the users get created perfectly. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, August 05, 2005 11:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred Yes, again those attributes below seem fine, there should be no issues setting them through LDAP, certainly AD won't reject them. Again I would change the mailnickname to the same as sAMAccountName but that is just me. If you are just mailbox enabling, setting mailnickname and homemdb will do it. That whole thing is documented to be unsupported by MS but I don't know of a single large company that doesn't do it the same way. The RUS will fire with that info and set up the rest of the attributes. Now if this is a user create from the ground up, there could be issues with creating an enabled account. I think we went through that before here on the list with you though didn't we? 
joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Friday, August 05, 2005 6:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred The meta tries to create the entry. So it creates the entry in AD and the agent is responsible for creating mailbox. Are the attributes seen for the entry correct? Also what all is required if I am creating a mailbox user from a meta or a script, etc. Also can you suggest if I can find some useful information from the exchange server? Any diagnostics, etc? Thanks. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, August 05, 2005 4:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred That error log isn't very good. You can't even tell if it is an error being floated back from a DC. Could be something in the meta directory tool. As for the specific data below for the attributes to be set on the user, I don't see anything bad though I wouldn't recommend the mailnickname to have that format, I would recommend it be the same as the sAMAccountName value. I tend to put the "nice" full version of the name in the displayName and that is the only place it is. What info specifically is the product trying to set and how is it setting it? You may have to do a network trace or something like it. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Friday, August 05, 2005 1:19 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Problem adding an Exchange User - An operations error occurred Hi I am trying to use a metadirectory to add an exchange user. An agent sitting on the Exchange server machine, which will add the mail box for the user. 
But when I try to add the user, I am getting the following error “An operations error occurred” 10:38:01.112: [1412.724] DataAccess: UP_AddRecord EXCH2K 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify Request 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify operation to Exchange operation 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Bind using Configured Credentials: 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Success AD Object: LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net bind=ADS_SECURE_AUTHENTICATION 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object. Success server=rlgmfurs1ad01.gepurbsres01.net AD Object=cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD User Object from an an AD Object 10:38:03.502: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox Error: An operations error occurred... Server=
RE: [ActiveDir] OT - The downfall of Novell and NetWare (was- Biggest AD Gripes)
Sadly, quite true [1]. I remember fondly working with Street Talk - pretty nice implementation with absolutely NO idea on how to leverage the technology to the right people (Tech Managers, Business folks, partners and potential partners, ISV/IHV). Rick [1] My opinions, not to be confused with those of my Employer. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Friday, August 05, 2005 7:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT - The downfall of Novell and NetWare (was- Biggest AD Gripes) Novell Schmovell, Banyan had their own hardware then too and they even had a _directory_. A real one, the 2x & 3x Novell guys used to wonder how the servers talked to each other :-] I bet Gil has an old Banyan CNS in his museum... Besides, Novell couldn't touch Banyan in the "Our-Marketing-Sucks" department http://web.mit.edu/redelson/www/media/banad.pdf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Friday, August 05, 2005 4:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT - The downfall of Novell and NetWare (was- Biggest AD Gripes) Heh From a pure technical view, quite right. However - that's where I started - NetWare 2.0 (I mean the FIRST NetWare 2.0). I still remember the proprietary servers that they used to manufacture. However, what really killed Novell was not the brilliant technical ideas of Drew Majors (who, I still respect as a guy with real vision), but the Megalomania and obsessive behavior of Ray Noorda. Ray so envied Bill Gates that he was going to do anything to better Gates. This meant that Ray effectively lost focus of what Novell was all about in the interest of buying up products that he thought would better Microsoft. Hence, absolutely ridiculous amounts of money (OK, for that time it was ridiculous...) were spent for WordPerfect and ATT Unix, as well as other pieces that were picked up. 
But, the focus was lost, NT 4.0 caught on, and the Microsoft marketing machine paid no attention (outwardly, at least) to Noorda. They just went after the customers who had lost patience with the very badly off track NetWare. What was once a major player - and owned greater than 80% of the server market all but became a bit player overnight. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Friday, August 05, 2005 8:01 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Biggest AD Gripes All great points, let's not forget the less than well-thought-out client they produced (current versions are better but still remain lesser integrated than that of Windows' native ability) ... utterly, utterly pathetic attempt. Arrogance and a distinct lack of marketing (when compared to the competition) was also a contributing factor IMO. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, August 05, 2005 7:22 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes I think there were a few very important reasons why Netware lost the battle. I remember when NT first shipped the mantra was, "Netware is great for file and print and NT is great for applications". Netware NLMs were impossible to develop and that meant that folks either developed apps on NT or more likely Unix (at the time). Apps are sticky, file and print is not. Over time, as Windows ruled the desktop and people realized that file and print was commodity and that arguing about whether Netware was a better file and print server than NT became meaningless compared to better desktop/server integration, Novell lost out. Novell failed to keep up, in my opinion. The market was theirs to lose...and they lost it. 
Proof once again that great technology coupled with bad management is just as bad as bad technology. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Friday, August 05, 2005 5:05 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Biggest AD Gripes IMHO Novell lost out to MS due to the fact that Netware 3 was so clunky (ultra stable but diff to manage once you deployed more than ~100 servers). Netware 4/NDS had issues in its first version and quickly lost traction, leaving MS and NT to pick up the thread. It was for this reason that very few orgs deployed NDS across a large env - NDS was more than capable of supporting 100K users and the management/maintenance/support would have been far simpler than it was for NT. Once NT gained the upper hand, momentum took over and led us to where we are today. neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 05 August 2005 00:35 To: ActiveDir@mail.activedir.org Subject: RE
RE: [ActiveDir] concern about re-ip'd DC
Hi Steve, (Maybe I should add this issue to the "OT-Biggest AD Gripes" thread!) Each of the actions I've taken so far, in my mind, should have gotten this DC back to the appropriate site. But it still thinks it should be in the original site! One item I find is the HKLM\SYSTEM\CCS\Services\Netlogon\Parameters\DynamicSiteName still points to "site2". I did run across a Microsoft article that talks about this and to never change a dynamically determined value. Instead, you can create a new value in the same place in the registry named "SiteName", REG_SZ with the value you want. Have you (or someone else) found the need to do this? Mike Thommes From: [EMAIL PROTECTED] on behalf of Steve Linehan Sent: Fri 8/5/2005 4:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] concern about re-ip'd DC DCs do not change their sites dynamically. You will need to move the DC to its new site manually via sites and services. When they are promoted they look at the site definitions but after that it is a manual process. Thanks, -Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Friday, August 05, 2005 3:57 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] concern about re-ip'd DC Hi, I have a Domain Controller that was located in a different AD site (site2) via its IP (naturally!). This DC was shut down about 2 weeks ago. I have since powered it back up offnet, given it a new IP (which is defined as a different site (site1)), and rebooted it on net. Some hours later, it still seems to think it is in the original site (site2), at least that is what I see in AD Sites and Services. Some minutes later...based on some googled and eventide.net info, I put in a specific subnet entry in ADSS for this new IP and associated it with site1. A reboot produced no change. So then I went to AD Sites and Services and did a GUI move of this DC from site2 to site1. Another reboot - no change. 
I see the dynamically created netlogon.dns file STILL has site2 identified! Any hints on how to "convince" this DC that it should be in site1? Anybody else experience this type of behavior? TIA! Mike Thommes
RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
The only sad thing about it is that when with the same attributes minus the homeMDB, the users get created perfectly. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, August 05, 2005 11:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred Yes, again those attributes below seem fine, there should be no issues setting them through LDAP, certainly AD won't reject them. Again I would change the mailnickname to the same as sAMAccountName but that is just me. If you are just mailbox enabling, setting mailnickname and homemdb will do it. That whole thing is documented to be unsupported by MS but I don't know of a single large company that doesn't do it the same way. The RUS will fire with that info and set up the rest of the attributes. Now if this is a user create from the ground up, there could be issues with creating an enabled account. I think we went through that before here on the list with you though didn't we? joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Friday, August 05, 2005 6:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred The meta tries to create the entry. So it creates the entry in AD and the agent is responsible for creating mailbox. Are the attributes seen for the entry correct? Also what all is required if I am creating a mailbox user from a meta or a script, etc. Also can you suggest if I can find some useful information from the exchange server? Any diagnostics, etc? Thanks. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, August 05, 2005 4:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred That error log isn't very good. You can't even tell if it is an error being floated back from a DC. 
Could be something in the meta directory tool. As for the specific data below for the attributes to be set on the user, I don't see anything bad though I wouldn't recommend the mailnickname to have that format, I would recommend it be the same as the sAMAccountName value. I tend to put the "nice" full version of the name in the displayName and that is the only place it is. What info specifically is the product trying to set and how is it setting it? You may have to do a network trace or something like it. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Friday, August 05, 2005 1:19 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Problem adding an Exchange User - An operations error occurred Hi I am trying to use a metadirectory to add an exchange user. An agent sitting on the Exchange server machine, which will add the mail box for the user. But when I try to add the user, I am getting the following error “An operations error occurred” 10:38:01.112: [1412.724] DataAccess: UP_AddRecord EXCH2K 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify Request 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify operation to Exchange operation 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Bind using Configured Credentials: 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Success AD Object: LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net bind=ADS_SECURE_AUTHENTICATION 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object. 
Success server=rlgmfurs1ad01.gepurbsres01.net AD Object=cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD User Object from an an AD Object 10:38:03.502: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox Error: An operations error occurred... Server=rlgmfurs1ad01.gepurbsres01.net, User=LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net 10:38:03.502: [1412.724] DataAccess: EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred... 10:38:03.502: [1412.724] DataAccess: UP_AddRecord EXCH2K Failure = EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred... 10:38:03.502: [1412.724] RUPS: Muws2UPAdapter::write(EXCH2K:0:01BE0064): Call of UP_Add/Modify/Delete/RenameRecord(cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net) failed , error='UP_E_ADD_FAILED' (EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred...) Pasted the part of the trace only just in an attempt to give more information. The
RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
Yes certainly. The useraccountcontrol is set to 544. How can I do the diagnostics on the exchange side? What diagnostics should I enable? I tried setting diagnostics to verbose for some modules, but didn’t give me sufficient information. Thanks much, Mayuresh. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, August 05, 2005 11:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred Yes, again those attributes below seem fine, there should be no issues setting them through LDAP, certainly AD won't reject them. Again I would change the mailnickname to the same as sAMAccountName but that is just me. If you are just mailbox enabling, setting mailnickname and homemdb will do it. That whole thing is documented to be unsupported by MS but I don't know of a single large company that doesn't do it the same way. The RUS will fire with that info and set up the rest of the attributes. Now if this is a user create from the ground up, there could be issues with creating an enabled account. I think we went through that before here on the list with you though didn't we? joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Friday, August 05, 2005 6:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred The meta tries to create the entry. So it creates the entry in AD and the agent is responsible for creating mailbox. Are the attributes seen for the entry correct? Also what all is required if I am creating a mailbox user from a meta or a script, etc. Also can you suggest if I can find some useful information from the exchange server? Any diagnostics, etc? Thanks. 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, August 05, 2005 4:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred That error log isn't very good. You can't even tell if it is an error being floated back from a DC. Could be something in the meta directory tool. As for the specific data below for the attributes to be set on the user, I don't see anything bad though I wouldn't recommend the mailnickname to have that format, I would recommend it be the same as the sAMAccountName value. I tend to put the "nice" full version of the name in the displayName and that is the only place it is. What info specifically is the product trying to set and how is it setting it? You may have to do a network trace or something like it. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Friday, August 05, 2005 1:19 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Problem adding an Exchange User - An operations error occurred Hi I am trying to use a metadirectory to add an exchange user. An agent sitting on the Exchange server machine, which will add the mail box for the user. But when I try to add the user, I am getting the following error “An operations error occurred” 10:38:01.112: [1412.724] DataAccess: UP_AddRecord EXCH2K 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify Request 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify operation to Exchange operation 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Bind using Configured Credentials: 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. 
Success AD Object: LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net bind=ADS_SECURE_AUTHENTICATION 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object. Success server=rlgmfurs1ad01.gepurbsres01.net AD Object=cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD User Object from an an AD Object 10:38:03.502: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox Error: An operations error occurred... Server=rlgmfurs1ad01.gepurbsres01.net, User=LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net 10:38:03.502: [1412.724] DataAccess: EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred... 10:38:03.502: [1412.724] DataAccess: UP_AddRecord EXCH2K Failure = EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred... 10:38:03.502: [1412.724] RUPS: Muws2UPAdapter::write(EXCH2K:0:01BE0064): Call of UP_Add/Modify/Delete/RenameRecord(cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net) failed , error='UP_E_ADD_FAILED' (EXCH2K: Mappin