RE: [ActiveDir] concern about re-ip'd DC

2005-08-06 Thread Steve Linehan
If the UI is showing it in the correct site then the object in the
directory has moved and the DC is in the new site.  You can confirm this
by looking at a repadmin /showreps output or by using LDP and looking
at the configuration container, looking at the objects under the site.
As far as the Netlogon.DNS, there can be many reasons that it still has
the old site.  First, it could be covering for that site (AutoSite
coverage), since you state it was the only DC in the old site.  As Dean
points out, once the machine becomes a DC the values in the registry are
really irrelevant, and I should have made that more clear.  If you are
going to DCPromo out the server there is no reason to really worry about
what site it is in.  The only thing you may have to do after the DCPromo
down is to ensure that the SRV records did get deregistered from DNS, or
they will go away when DNS scavenging runs.  You can also stop netlogon,
delete the files and restart netlogon, but if the server is going away
not sure I would bother.  If you want to see why netlogon is attempting
to register the DNS records you can turn up netlogon logging
(http://support.microsoft.com/default.aspx?scid=kb;en-us;109626), set
the dbflag to 0x2002 and restart netlogon.  Also, the netlogon.dns
file can contain entries we want to deregister as well as register; the
deregistered ones are prefixed.

Thanks,

-Steve
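
The netlogon.dns check discussed above, as an added example that is not part of the original thread: it parses the SRV lines of the file, pulls the site label out of each `_sites` record name, and lists the records that name a site other than the expected one. The sample lines, host names and site names are constructed; lines that are not plain SRV records (including the prefixed deregistration entries, whose prefix the thread does not state) are skipped.

```powershell
# Added example. All names below (corp.example, dc07, OldSite, NewSite) are constructed.
# On a DC the file is normally %SystemRoot%\System32\config\netlogon.dns; a
# constructed sample is embedded here so the script runs anywhere.
$sampleLines = @'
_ldap._tcp.corp.example. 600 IN SRV 0 100 389 dc07.corp.example.
_ldap._tcp.OldSite._sites.corp.example. 600 IN SRV 0 100 389 dc07.corp.example.
_kerberos._tcp.OldSite._sites.corp.example. 600 IN SRV 0 100 88 dc07.corp.example.
_ldap._tcp.NewSite._sites.corp.example. 600 IN SRV 0 100 389 dc07.corp.example.
_ldap._tcp.NewSite._sites.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc07.corp.example.
_kerberos._tcp.NewSite._sites.corp.example. 600 IN SRV 0 100 88 dc07.corp.example.
gc._msdcs.corp.example. 600 IN A 10.20.30.7
'@ -split '\r?\n'

function Get-NetlogonSiteRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]] $Line
    )

    # owner  TTL  IN  SRV  priority  weight  port  target
    $srvPattern  = [regex]'(?i)^(?<owner>\S+)\s+(?<ttl>\d+)\s+IN\s+SRV\s+\d+\s+\d+\s+(?<port>\d+)\s+(?<target>\S+)\s*$'
    # Site-specific owners look like _service._proto.<Site>._sites.<rest>
    $sitePattern = [regex]'(?i)^(?<service>_[^.]+\._[^.]+)\.(?<site>[^.]+)\._sites\.'

    foreach ($text in $Line) {
        $srv = $srvPattern.Match($text)
        if (-not $srv.Success) { continue }      # A/CNAME records, blanks, prefixed entries
        $owner     = $srv.Groups['owner'].Value
        $siteMatch = $sitePattern.Match($owner)
        if (-not $siteMatch.Success) { continue } # domain-wide record, not tied to a site
        [pscustomobject]@{
            Site    = $siteMatch.Groups['site'].Value
            Service = $siteMatch.Groups['service'].Value
            Port    = [int]$srv.Groups['port'].Value
            Target  = $srv.Groups['target'].Value
            Owner   = $owner
        }
    }
}

function Get-UnexpectedSiteRecord {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $Line,
        [Parameter(Mandatory)] [string] $ExpectedSite
    )
    # -ne on strings is case-insensitive, which matches how site names compare
    Get-NetlogonSiteRecord -Line $Line | Where-Object { $_.Site -ne $ExpectedSite }
}

# Per-site summary, then the records that still name a different site
Get-NetlogonSiteRecord -Line $sampleLines | Group-Object Site |
    Format-Table Name, Count -AutoSize
Get-UnexpectedSiteRecord -Line $sampleLines -ExpectedSite 'NewSite' |
    Format-Table Site, Service, Port, Target -AutoSize
```

A DC that is covering a site with no DC of its own (the AutoSite coverage case mentioned above) will show records for that site, so the second table is a list of entries to explain rather than a list of errors.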

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, August 06, 2005 6:34 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] concern about re-ip'd DC

Having read the highlights of this thread, I'm immediately confused as to
why you don't simply delete the errant reg. value[1] since its
functionality, as I've understood it to this point, is relevant to members,
not DCs.

As for deleting the NETLOGON.DNS and .DNB files; I've found this a solution
in the more extreme of DC/DDNS issues, none of which were remotely related
to the "DynamicSiteName" value ... having said that, deleting the
NETLOGON.DNS has proved a successful remedy more often than not and has
shown itself to yield no detrimental lingering behaviors.

[1] to clarify my use of the term "value": when used in the context of the
registry it defines a named placeholder to maintain some data of a defined
type -- in this case "DynamicSiteName", the content of the value is commonly
referred to as the "data".  "Keys" are the registry equiv. of folders.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Saturday, August 06, 2005 6:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC

Hi Steve,
 Thanks for your additional pointers! All of the DCs (using the AD Sites
and Services GUI) all show this server in the site it was moved to.  Yet,
the moved DC seems to think that it is still in the old site.  There are
registry entries in the registry that still identify the old site.  My goal
is to get this DC to a stable condition and then DCPromo it out.  Since I
don't plan on having this server in any other site, maybe the "sitename"
registry would be an OK way to go? I am still confused why things don't
happen automatically in a logical fashion.  I would expect the netlogon.dns
file to reflect the new site.  Yet it doesn't.  This DC was the only one in
the old site.  Would that make a difference?  I recall at one time (for a
completely different reason) deleting the netlogon.dns (and netlogon.dnb
too?)  files was a solution.  Would that be a wise thing to do?  Since there
are no more computers in the old site, would it make sense at this point to
just delete the site or would that mess up the situation even more?
 
I will check out your references tomorrow.  (I am at a family function right
now and was really anxious to see if anyone had responded to my query.)
Thanks for the help!
 
-mike



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Sat 8/6/2005 10:02 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org;
ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org;
ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



Ok I see in your original message that you state you did try to move it via
sites and services, missed that.  When you did this what server was the
Sites and Services MMC focused on your DC or another DC in the domain?  Did
the UI update to show the server in the correct site after the move or did
it simply remain the same?  If you focus on another DC and make the change
and then wait for replication does the site get updated?  Is the server that
you are trying to move healthy from a replication standpoint?  The SiteName
parameter was put in the registry for troubleshooting and testing purposes
and while it can be used it can also cause confusion later if
RE: [ActiveDir] concern about re-ip'd DC

2005-08-06 Thread Dean Wells
Having read the highlights of this thread, I'm immediately confused as to
why you don't simply delete the errant reg. value[1] since its
functionality, as I've understood it to this point, is relevant to members,
not DCs.  

As for deleting the NETLOGON.DNS and .DNB files; I've found this a solution
in the more extreme of DC/DDNS issues, none of which were remotely related
to the "DynamicSiteName" value ... having said that, deleting the
NETLOGON.DNS has proved a successful remedy more often than not and has
shown itself to yield no detrimental lingering behaviors.

[1] to clarify my use of the term "value": when used in the context of the
registry it defines a named placeholder to maintain some data of a defined
type -- in this case "DynamicSiteName", the content of the value is commonly
referred to as the "data".  "Keys" are the registry equiv. of folders.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Saturday, August 06, 2005 6:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC

Hi Steve,
 Thanks for your additional pointers! All of the DCs (using the AD Sites
and Services GUI) all show this server in the site it was moved to.  Yet,
the moved DC seems to think that it is still in the old site.  There are
registry entries in the registry that still identify the old site.  My goal
is to get this DC to a stable condition and then DCPromo it out.  Since I
don't plan on having this server in any other site, maybe the "sitename"
registry would be an OK way to go? I am still confused why things don't
happen automatically in a logical fashion.  I would expect the netlogon.dns
file to reflect the new site.  Yet it doesn't.  This DC was the only one in
the old site.  Would that make a difference?  I recall at one time (for a
completely different reason) deleting the netlogon.dns (and netlogon.dnb
too?)  files was a solution.  Would that be a wise thing to do?  Since there
are no more computers in the old site, would it make sense at this point to
just delete the site or would that mess up the situation even more?
 
I will check out your references tomorrow.  (I am at a family function right
now and was really anxious to see if anyone had responded to my query.)
Thanks for the help!
 
-mike



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Sat 8/6/2005 10:02 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org;
ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org;
ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



Ok I see in your original message that you state you did try to move it via
sites and services, missed that.  When you did this what server was the
Sites and Services MMC focused on your DC or another DC in the domain?  Did
the UI update to show the server in the correct site after the move or did
it simply remain the same?  If you focus on another DC and make the change
and then wait for replication does the site get updated?  Is the server that
you are trying to move healthy from a replication standpoint?  The SiteName
parameter was put in the registry for troubleshooting and testing purposes
and while it can be used it can also cause confusion later if you decide to
make another change as that value always overrides.

Thanks,

-Steve



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Sat 8/6/2005 9:48 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org;
ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



In addition just so no one thinks this recently changed the behavior was
also described in the Windows 2000 Distributed Systems Guide as well:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/DistSystems.asp

"If a domain controller's IP address or the subnet-to-site associations are
changed after Active Directory is installed on the server computer, the
domain controller does not change sites automatically. It must be moved to
the new site manually if that site is the desired location."

Thanks,

-Steve



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Sat 8/6/2005 9:44 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org;
ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



The following documentation describes this behavior as well:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/adsrv.mspx

"All newly promoted DCs are placed in the Site container that applies to
them at the time of installation. For example, a server bound for California
might have been

RE: [ActiveDir] concern about re-ip'd DC

2005-08-06 Thread Thommes, Michael M.
Hi Steve,
 Thanks for your additional pointers! All of the DCs (using the AD Sites 
and Services GUI) all show this server in the site it was moved to.  Yet, the 
moved DC seems to think that it is still in the old site.  There are registry 
entries in the registry that still identify the old site.  My goal is to get 
this DC to a stable condition and then DCPromo it out.  Since I don't plan on 
having this server in any other site, maybe the "sitename" registry would be an 
OK way to go? I am still confused why things don't happen automatically in a 
logical fashion.  I would expect the netlogon.dns file to reflect the new site. 
 Yet it doesn't.  This DC was the only one in the old site.  Would that make a 
difference?  I recall at one time (for a completely different reason) deleting 
the netlogon.dns (and netlogon.dnb too?)  files was a solution.  Would that be 
a wise thing to do?  Since there are no more computers in the old site, would 
it make sense at this point to just delete the site or would that mess up the 
situation even more?
 
I will check out your references tomorrow.  (I am at a family function right 
now and was really anxious to see if anyone had responded to my query.) Thanks 
for the help!
 
-mike



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Sat 8/6/2005 10:02 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org; 
ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org; 
ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



Ok I see in your original message that you state you did try to move it via 
sites and services, missed that.  When you did this what server was the Sites 
and Services MMC focused on your DC or another DC in the domain?  Did the UI 
update to show the server in the correct site after the move or did it simply 
remain the same?  If you focus on another DC and make the change and then wait 
for replication does the site get updated?  Is the server that you are trying 
to move healthy from a replication standpoint?  The SiteName parameter was put 
in the registry for troubleshooting and testing purposes and while it can be 
used it can also cause confusion later if you decide to make another change as 
that value always overrides.

Thanks,

-Steve



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Sat 8/6/2005 9:48 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org; 
ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



In addition just so no one thinks this recently changed the behavior was also 
described in the Windows 2000 Distributed Systems Guide as well:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/DistSystems.asp

"If a domain controller's IP address or the subnet-to-site associations are 
changed after Active Directory is installed on the server computer, the domain 
controller does not change sites automatically. It must be moved to the new 
site manually if that site is the desired location."

Thanks,

-Steve



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Sat 8/6/2005 9:44 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org; 
ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



The following documentation describes this behavior as well:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/adsrv.mspx

"All newly promoted DCs are placed in the Site container that applies to them 
at the time of installation. For example, a server bound for California might 
have been initially built and configured in the Maui, Hawaii, data 
center-therefore, the Configure Your Server wizard places the server in the 
Maui site. After it arrives in California, the server object can be moved to 
the new site using the Sites and Services snap-in."

If you do not want to use the UI a script was included in the Branch Office 
Guide called movesite.vbs that will accomplish the same thing.

Thanks,

-Steve




From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Sat 8/6/2005 9:38 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



We do not recommend changing the dynamicsitename parameter and hard coding it 
using the SiteName parameter is also not recommended since later you may forget 
that this is set and no matter what you do the DC will assume it is in the site 
you put in the key even if that site does not really exist.  As I stated below 
Domain Controllers are special when they are promoted they look at the site and 
subnet mappings and place themselves in the correct site.  After that you must 
manually move them thr

RE: [ActiveDir] Virtual Domain Controllers

2005-08-06 Thread joe



Well since it is a single domain and a single DC I would 
say he really doesn't have a worry about USN rollbacks but he does have a 
possible concern with SID reissue.
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Saturday, August 06, 2005 5:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

> Since it's a single domain server I just take
> ghost snapshots of the domain and then backup the files
 
not really a useful approach to backup a DC. Might be
ok for FS and other roles, but DCs are not really cool with snapshotting and
being "rolled back in time" due to the distributed nature of the data they store.
You could easily cause USN rollback during recovery of a DC stored in this
fashion (at least SP1 protects the rest of your DCs now by turning off in- and
out-bound replication and disabling the netlogon-service if it finds a DC that
has a USN rollback status).
 
But for AD Backup/Restore you'd be much better off to 
work with normal SystemState backup/restore. Which is another reason why 
it's nice to have it on a separate box (virtual or 
hardware).
 
/Guido


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Saturday, 6. August 2005 02:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

I run a single DC in a small environment... only about 10 
users, and since it's just a single server office, and single DC domain... I 
just run everything on the domain controller.  Domain, DNS, File, Print, 
and Accounting Software on the same server... no VM ware... although I 
considered it.  Since it's a single domain server I just take ghost 
snapshots of the domain and then backup the files.
 
Seems to work pretty good, as it's been running solid for 
about a year now.
 


Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 05, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Could you just do the file/print on the DC?  In a small environment you could
probably get away with it.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
A good plan today is better than a perfect plan tomorrow.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

Hi All,

I have a question about running DCs on GSX server.  I understand that MS does
not support this configuration, but I've heard that many people are running
DCs in this fashion.  Can anyone give some advice in this arena?  The idea here
is to do VM for a file/print, and another one for a DC in our remote sites.
Currently, we've got different hardware for each box, but we're trying to
consolidate a bit out there.

Thank you.

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of Child Support
(503) 378-4500 x22277 [EMAIL PROTECTED]

*CONFIDENTIALITY NOTICE*
This e-mail may contain information that is privileged, confidential, or
otherwise exempt from disclosure under applicable law. If you are not the
addressee or it appears from the context or otherwise that you have received
this e-mail in error, please advise me immediately by reply e-mail, keep the
contents confidential, and immediately delete the message and any attachments
from your system.



RE: [ActiveDir] OT - Biggest AD Gripes

2005-08-06 Thread David Adner
I worked for a company with around 15k users.  I would say it's scalable as
a directory service.  Some of its management tools might be arguably better,
but they have their fair share of annoyances, too.  :) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Friday, August 05, 2005 6:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - Biggest AD Gripes

Were there any comments to Joe's question about large deployments of NDS?
Are/were there any out there?
I am just interested because I still hear comments about how scalable it is.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, August 05, 2005 7:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - The downfall of Novell and NetWare (was-
Biggest AD Gripes)

Heh  From a pure technical view, quite right.

However - that's where I started - NetWare 2.0  (I mean the FIRST NetWare
2.0).  I still remember the proprietary servers that they used to
manufacture.

However, what really killed Novell was not the brilliant technical ideas of
Drew Majors (who, I still respect as a guy with real vision), but the
Megalomania and obsessive behavior of Ray Noorda.  

Ray so envied Bill Gates that he was going to do anything to better Gates.
This meant that Ray effectively lost focus of what Novell was all about in
the interest of buying up products that he thought would better Microsoft.
Hence, absolutely ridiculous amounts of money (OK, for that time it was
ridiculous...) were spent for WordPerfect and ATT Unix, as well as other
pieces that were picked up.

But, the focus was lost, NT 4.0 caught on, and the Microsoft marketing
machine paid no attention (outwardly, at least) to Noorda.  They just went
after the customers who had lost patience with the very badly off track
NetWare.

What was once a major player - and owned greater than 80% of the server
market all but became a bit player overnight.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 8:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, let's not forget the less than well-thought-out client they
produced (current versions are better but still remain lesser integrated
than that of Windows' native ability) ... utterly, utterly pathetic attempt.
Arrogance and a distinct lack of marketing (when compared to the
competition) was also a contributing factor IMO.


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I think there were a few very important reasons why Netware lost the battle.
I remember when NT first shipped the mantra was, "Netware is great for file
and print and NT is great for applications". Netware NLMs were impossible to
develop and that meant that folks either developed apps on NT or more likely
Unix (at the time). Apps are sticky, file and print is not. Over time, as
Windows ruled the desktop and people realized that file and print was
commodity and that arguing about whether Netware was a better file and print
server than NT became meaningless compared to better desktop/server
integration, Novell lost out. Novell failed to keep up, in my opinion. The
market was theirs to lose...and they lost it. Proof once again that great
technology coupled with bad management is just as bad as bad technology.




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, August 05, 2005 5:05 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

IMHO Novell lost out to MS due to the fact that Netware 3 was so clunky
(ultra stable but diff to manage once you deployed more than ~100 servers).
Netware 4/NDS had issues in its first version and quickly lost traction,
leaving MS and NT to pick up the thread.

It was for this reason that very few orgs deployed NDS across a large env -
NDS was more than capable of supporting 100K users and the
management/maintenance/support would have been far simpler than it was for NT.

Once NT gained the upper hand, momentum took over and led us to where we are
today.

neil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 05 August 2005 00:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes


Yeah, ADAM scared some folks in the widget factory as well. On the positive
side, it can register in AD so you can chase them down that way via their
SCPs. If they don't register, well then that will be fun to chase as it will
be like trying to find rogue AD's, network scanning but even worse, 

RE: [ActiveDir] R2 Functionality - (Was Biggest AD Gripes)

2005-08-06 Thread Grillenmeier, Guido
> However, I've had horrible experiences with __DFS__, and have high 
> expectations for DFS-R. 

I'm sure you meant FRS (even though it requires DFS), but the core DFS
features of Win2003 are actually not changing that much in R2.  I'd
almost vote that the DFS updates from Win2000 to Win2003 were more
important (e.g. multiple roots, better site-awareness) than the
additions to DFS in R2. And it does work rather well already.

Granted, R2 does have a great new MMC SnapIn to manage the roots and
links and I certainly like the capability to create place-holder folders
to create a true hierarchy in DFS (without the requirement to cascade
roots). Other nice features are the target priority and failback options
(if you have multiple targets at all) - realize that failback will only
be made available to XP SP2 clients with a special hotfix (so it may be
of limited use).

The main advantages are truly the file replication engine - i.e. the
advantages of DFS-R over FRS are enormous.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, 4. August 2005 16:29
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Functionality - (Was Biggest AD Gripes)

Ouch Bad Rick.  I haven't spent as much time as I would like with R2.  I
appreciate you pointing out the schema update, and I'll have to go look at
the .ldf to get an idea of what it does.  To be honest - I completely missed
that.

As to testing and functionality, I highly recommend that anyone looking to
implement new functionality into an existing production environment test it.

Interaction and co-operation among applications and server components is a
funny thing.  One should not blindly believe that just because it's a module
on top of Win2k3 that it will not have any negative side effects is asking
for trouble.

As to DFS-R, I'd have to say that it - too, is the number one on my list of
best additions that should have been there a long time ago.  I see it as
having the potential of solving many problems.  However, I've had horrible
experiences with DFS, and have high expectations for DFS-R.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Thursday, August 04, 2005 3:37 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Functionality - (Was Biggest AD Gripes)

Rick,
 
I agree that R2 adds new functionalities. As we all know R2 is an updated
release of the Windows Server OS and it is not mandatory. My opinion is that
R2 has some new cool features and my favorite is DFS-R!!!

Update Releases
(http://www.microsoft.com/windowsserver2003/evaluation/overview/roadmap.mspx)

Update releases integrate the previous major release with the latest service
pack, selected feature packs, and new functionality. Because an update
release is based on the previous major release, customers can incorporate it
into their environment without any additional testing beyond what would be
required for a typical service pack. Any additional functionality provided
by an update would be optional and thus not affect application compatibility
or require customers to re-certify or re-test applications.

As you can see above, Microsoft states "Because an update release is based
on the previous major release, customers can incorporate it into their
environment without any additional testing beyond what would be required for
a typical service pack"
 
The integration on member servers is easy and straightforward and requires
no testing as nothing will be enabled. The integration on DCs and the use of
several components (print connections, DFS-R, etc) demand an extension of the
AD schema to version 31 so the new objects and attributes are available for
"print connections", DFS-R and Unix Identity Management. Some components
also demand the installation and use of the new "Microsoft .NET Framework
v2".
 
With this in mind, and for those who want to implement R2, my opinion is to
still test and plan it. Especially for the new framework and the schema
update. By the way: the R2 schema update does not change the PAS.
 
What are your thoughts on this?
 
Cheers,
#JORGE#
 
 


From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Wed 8/3/2005 11:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Functionality - (Was Biggest AD Gripes)



Guido (and all, really)-

You bring up a good point.  There seems to be some misconception and
misinformation (BTW, no one here is doing the misinformation - just to be
clear) around R2.

When R2 is installed (or whatever this is going to be called when released -
it may be just Windows Server 2003 Release 2 - or it might be something
else) it is really a series of modules that ADD FUNCTIONALITY.

That's key - it adds functionality.  Remember that Rights Management
Services when run on Win2k3 really chan

RE: [ActiveDir] Virtual Domain Controllers

2005-08-06 Thread Grillenmeier, Guido



> Since it's a single domain server I just take
> ghost snapshots of the domain and then backup the files
 
not really a useful approach to backup a DC. Might be
ok for FS and other roles, but DCs are not really cool with snapshotting and
being "rolled back in time" due to the distributed nature of the data they store.
You could easily cause USN rollback during recovery of a DC stored in this
fashion (at least SP1 protects the rest of your DCs now by turning off in- and
out-bound replication and disabling the netlogon-service if it finds a DC that
has a USN rollback status).
 
But for AD Backup/Restore you'd be much better off to 
work with normal SystemState backup/restore. Which is another reason why 
it's nice to have it on a separate box (virtual or 
hardware).
 
/Guido


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Saturday, 6. August 2005 02:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

I run a single DC in a small environment... only about 10 
users, and since it's just a single server office, and single DC domain... I 
just run everything on the domain controller.  Domain, DNS, File, Print, 
and Accounting Software on the same server... no VM ware... although I 
considered it.  Since it's a single domain server I just take ghost 
snapshots of the domain and then backup the files.
 
Seems to work pretty good, as it's been running solid for 
about a year now.
 


Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 05, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Could you just do the file/print on the DC?  In a small environment you could
probably get away with it.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
A good plan today is better than a perfect plan tomorrow.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

Hi All,

I have a question about running DCs on GSX server.  I understand that MS does
not support this configuration, but I've heard that many people are running
DCs in this fashion.  Can anyone give some advice in this arena?  The idea here
is to do VM for a file/print, and another one for a DC in our remote sites.
Currently, we've got different hardware for each box, but we're trying to
consolidate a bit out there.

Thank you.

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of Child Support
(503) 378-4500 x22277 [EMAIL PROTECTED]



RE: [ActiveDir] Limitlogin for users

2005-08-06 Thread Grillenmeier, Guido
> because some of the users are abusing their privileges

The usefulness of LimitLogin for your scenario sort of depends on what the users 
are doing that you consider "abuse". 

LimitLogin is mainly meant to hinder your users from using more concurrent 
logon sessions than you'd like them to use - so if the abuse you mean is users 
who are merely logging onto more than one machine, this can help you. But don't 
forget you need to update your schema, add an app-partition and have an IIS 
server ready to get this whole thing to work.

If your issue is that users are not ONLY logging onto SPECIFIC machines and 
have taken the freedom to log on to other clients they shouldn't touch, then 
this won't really help you, as they may still be "under quota" while logging 
onto these "forbidden" machines. 

If this is the case, then you're likely better off restricting each user to 
allow logon only to specific machines - this function is built into the OS 
(without the need for LimitLogin) => just configure the list of workstations (I 
think max. 10) a user is allowed to log on to via ADUC => Account properties => 
Account => Log On to...  This is a simple list of NetBIOS machine names stored 
in the "userworkstations" attribute of a user account (rather easy to script as 
well, if you don't want to add the stuff manually)

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Saleem, Mohamed 
Yunus
Sent: Samstag, 6. August 2005 06:39
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Limitlogin for users

Hi Everyone

Has anyone installed and configured LimitLogin? Is it difficult? Did you
face any problems?

We are planning to limit the login sessions for users because some of
the users are abusing their privileges.

Thanks

Mohamed
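
The per-user workstation restriction Guido describes can be scripted against the userWorkstations attribute. The following is an added example, not part of the original thread: it assumes the ActiveDirectory PowerShell module (which postdates this 2005 discussion), and the function names, the account `jdoe` and the machine names are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Function, account and machine names
# are hypothetical.

function ConvertTo-WorkstationList {
    # Normalise machine names into the comma-separated form that is stored
    # in the userWorkstations attribute.
    param([Parameter(Mandatory)][string[]]$ComputerName)

    $clean = foreach ($name in $ComputerName) {
        $n = $name.Trim().ToUpperInvariant()
        if ($n.Length -lt 1 -or $n.Length -gt 15) {
            throw "'$name' is not a valid NetBIOS name (1-15 characters)."
        }
        if ($n -match '[\\/:*?"<>|,\s]') {
            throw "'$name' contains a character not allowed in a NetBIOS machine name."
        }
        $n
    }
    ($clean | Sort-Object -Unique) -join ','
}

function Set-AllowedWorkstation {
    # Restrict one account to the given machines. Supports -WhatIf/-Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string[]]$ComputerName
    )

    $value = ConvertTo-WorkstationList -ComputerName $ComputerName
    $user  = Get-ADUser -Identity $SamAccountName -Properties userWorkstations

    if ($user.userWorkstations -eq $value) {
        Write-Verbose "$SamAccountName already restricted to: $value"
        return
    }
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set userWorkstations to '$value'")) {
        Set-ADUser -Identity $user -Replace @{ userWorkstations = $value }
    }
}

function Get-WorkstationRestriction {
    # Audit view: every account that currently carries a restriction.
    Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties userWorkstations |
        Select-Object SamAccountName,
            @{ Name = 'AllowedWorkstations'; Expression = { $_.userWorkstations -split ',' } }
}

# Preview the change for one account, then list all restricted accounts.
Set-AllowedWorkstation -SamAccountName 'jdoe' -ComputerName 'LAB-PC01', 'LAB-PC02' -WhatIf
Get-WorkstationRestriction
```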




RE: [ActiveDir] Branch Office Question

2005-08-06 Thread Almeida Pinto, Jorge de
I expected that.. in a few words hub-and-spoke topology in a non fully routed 
network. For this to work you need a site for each location and a site link 
between each spoke (the branches) and the hub and auto site link bridging is off.

The other thing I can think of:
* Is each DC/GC in the correct site?
* Do you have custom site link bridges?
* Do you have custom connections (auto connections are visible as automatic 
connections and custom connections are visible as GUIDs)?
* Check the site membership of the site links. Is it correct?
* Other site links connecting the branches somehow
* etc.

By the way. To see if the KCC/ISTG for a site has been disabled open up the 
properties of the NTDS Site Settings object of each site. If you see yellow 
exclamation marks at the bottom with text explaining it, the KCC is disabled. 
If you don't see anything it is enabled.

You can also check it with:
repadmin /siteoptions  /site:

Default-First-Site-Name
Current Site Options: (none)  -> means the KCC is not disabled

Default-First-Site-Name
Current Site Options: IS_AUTO_TOPOLOGY_DISABLED IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED
-> means the KCC is disabled for intrasite and intersite
 
Cheers
#JORGE#



From: Noah Eiger [mailto:[EMAIL PROTECTED]
Sent: Sat 8/6/2005 6:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Branch Office Question


Thanks, Jorge.
 
The topology is as follows: 
- Each office connects to the hub via a point-to-point VPN. That is, there is 
no bridging at the hub -- this is a bandwidth consideration.
- As for AD: we have three sites Hub, B1, B2, and B3. 
- Each has a single DC that is also a GC. 
- There are three IP site links: Hub-B1, Hub-B2, and Hub-B3. I am not sure, but 
at one point there may have been a single site link containing all sites. If 
there was, it is gone now. The ISTG created a "web" topology. However, we were 
getting replication errors. I manually deleted the connection objects that 
connected the hubs to each other. Those connection objects have not regenerated. 
There are no manually created connections. Finally, I recall that there is a 
setting (reg edit?) that tells the ISTG to _not_ automatically create 
connections. To my knowledge, this setting is not enabled. 
 
Anything else I should check?
 
-- nme




From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 05, 2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Branch Office Question


May look like a silly question but can you point out (just to be sure) 
what your site and replication topology looks like? How many sites and how many 
site links do you have and how are those connected? I assume one domain and 
each DC = GC...
 
#JORGE# 



From: [EMAIL PROTECTED] on behalf of Noah Eiger
Sent: Sat 8/6/2005 3:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Branch Office Question



Hi Jorge: 

Thanks for the suggestion. That checkbox was indeed checked. I have 
unchecked it and waited longer than a day. Replication seems to have worked 
and the box is unchecked at all branch sites. The errors persist at all 
branch sites. 

Any further thoughts? 

-- nme 

> -Original Message- 
> From: Almeida Pinto, Jorge de 
> [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, August 04, 2005 10:21 AM 
> To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org 
> Subject: RE: [ActiveDir] Branch Office Question 
> 
> so, your network is not fully routed? is auto site link 
> bridging enabled or disabled. If it is enabled, disable it! 
>  
> To do so: 
> * start sites and services 
> * go to Inter site transports 
> * right click IP and uncheck "bridge all site links" 
>  
> wait until this has replicated to the other DCs 
>  
> Cheers 
> #JORGE# 
> 
>  
> 
> From: [EMAIL PROTECTED] on behalf of Noah Eiger 
> Sent: Thu 8/4/2005 6:41 PM 
> To: ActiveDir@mail.activedir.org 
> Subject: [ActiveDir] Branch Office Question 
> 
> 
> Hi - 
>  
> Ok. Finally, one of my questions is ON topic ;-) 
>  
> I have three branch office sites that connect to a single 
> hub. VPN connectivity, Site links, and connection objects 
> only allows each branch to see the hub. Replication is 
> working smoothly and consistently. Yet, I am still seeing 
> repeated errors in the Event Viewers of the branches 
> complaining that they cannot see one another. 
>  
> T
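
Jorge's checklist in this thread (KCC/ISTG site options, "bridge all site links", site link membership, custom bridges and custom connections) can be read straight from the configuration partition. The following is an added example, not part of the original thread: it assumes the ActiveDirectory PowerShell module, uses the site name `Hub` from Noah's description, and `Test-HubSpokeTopology` is a hypothetical name.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Read-only: it queries the configuration
# partition and changes nothing. Test-HubSpokeTopology is a hypothetical name.

function Test-HubSpokeTopology {
    param([Parameter(Mandatory)][string]$HubSite)

    $sitesDn = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
    $ipDn    = "CN=IP,CN=Inter-Site Transports,$sitesDn"
    $hubDn   = "CN=$HubSite,$sitesDn"

    # 1. KCC/ISTG state per site: "options" on the NTDS Site Settings object.
    #    0x01 = intrasite topology generation off, 0x10 = intersite off.
    $sites = Get-ADObject -SearchBase $sitesDn -SearchScope OneLevel -LDAPFilter '(objectClass=site)'
    foreach ($site in $sites) {
        $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" -Properties options
        $opts  = [int]$settings.options      # attribute not set => 0 => "(none)"
        $flags = @()
        if ($opts -band 0x01) { $flags += 'IS_AUTO_TOPOLOGY_DISABLED' }
        if ($opts -band 0x10) { $flags += 'IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED' }
        [pscustomobject]@{
            Check  = 'KCC site options'
            Object = $site.Name
            Result = if ($flags) { $flags -join ' ' } else { '(none)' }
        }
    }

    # 2. "Bridge all site links": bit 0x2 on the IP transport object means the
    #    box is unchecked, which is what a non fully routed network needs.
    $ip = Get-ADObject -Identity $ipDn -Properties options
    [pscustomobject]@{
        Check  = 'Bridge all site links'
        Object = 'IP transport'
        Result = if ([int]$ip.options -band 0x2) { 'unchecked (bridging off)' } else { 'checked (bridging on)' }
    }

    # 3. Site link membership: in hub-and-spoke each link is the hub plus one branch.
    $links = Get-ADObject -SearchBase $ipDn -LDAPFilter '(objectClass=siteLink)' -Properties siteList
    foreach ($link in $links) {
        $members = @($link.siteList)
        $names   = $members | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }
        $verdict = if ($members.Count -eq 2 -and $members -contains $hubDn) {
            'ok: hub + one branch'
        } elseif ($members -notcontains $hubDn) {
            'REVIEW: does not include the hub'
        } else {
            "REVIEW: $($members.Count) sites on one link"
        }
        [pscustomobject]@{
            Check  = 'Site link'
            Object = "$($link.Name) [$($names -join ', ')]"
            Result = $verdict
        }
    }

    # 4. Custom site link bridges.
    $bridges = Get-ADObject -SearchBase $ipDn -LDAPFilter '(objectClass=siteLinkBridge)'
    foreach ($bridge in $bridges) {
        [pscustomobject]@{ Check = 'Site link bridge'; Object = $bridge.Name; Result = 'REVIEW: custom bridge present' }
    }

    # 5. Manually created connection objects: bit 0x1 (generated by the KCC) is clear.
    $conns = Get-ADObject -SearchBase $sitesDn -LDAPFilter '(objectClass=nTDSConnection)' -Properties options, fromServer
    foreach ($conn in $conns) {
        if (-not ([int]$conn.options -band 0x1)) {
            [pscustomobject]@{
                Check  = 'Connection object'
                Object = $conn.DistinguishedName
                Result = "REVIEW: manual, from $($conn.fromServer)"
            }
        }
    }
}

Test-HubSpokeTopology -HubSite 'Hub' | Format-Table -AutoSize -Wrap
```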

RE: [ActiveDir] Merging two domains

2005-08-06 Thread Almeida Pinto, Jorge de
yeah... this is also the first thing I thought.  I also thought of something 
else. Will those users ever need to access their old resources (like mail, 
files, etc.)? If no access is allowed how are you going to do that? Exmerge all 
mailboxes into PSTs and burn files on DVD or something like that?
 
Cheers
#JORGE#



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Sat 8/6/2005 7:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Merging two domains



Interesting issue.  SIDHistory is not much of an issue, obviously. 
Apparently, the users won't have access to the old forest, so it's of little 
value. 

I would suspect, as a 'from the hip' approach - given your limits you really 
only have a .ldf or a .csv dump of the accounts that are to become a part of 
your domain. 

However, if you aren't going to be allowed any access to the old forest, 
then there is no reason to think that the users would be any more than newly 
created principals, along with the computers that you might acquire. 

Dump the information, but I wouldn't get too terribly concerned about what is 
coming with them.  Other than name, logon name, samAccountName, there isn't 
much that you can use. 

Rick 


-Original Message- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ 
Sent: Saturday, August 06, 2005 11:17 AM 
To: ActiveDir@mail.activedir.org 
Subject: [ActiveDir] Merging two domains 




We have an external domain that we will not be allowed to set up a two way 
trust with, not be allowed to migrate users from, etc.  Basically it's a 
partial domain import from one domain to our current Win2k3 domain. 

Getting access to the external domain is out of the question since the 
external domain is not currently ours.  Part of it will become ours. 


Are there any alternative ways to import or migrate users from an 
external domain?  I understand SID history and all the nice things that 
go along with it (profile migrations, etc) will not work.  What about 
doing some type of an LDIFDE export and import?  Will that at least get 
us the account creations?  What other alternatives are there to have the 
least end-user impact when changing their domain?  Any documents out 
there outlining this? 

Thanks to all. 

List info   : http://www.activedir.org/List.aspx 
List FAQ: http://www.activedir.org/ListFAQ.aspx 
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ 


RE: [ActiveDir] Merging two domains

2005-08-06 Thread Rick Kingslan
Interesting issue.  SIDHistory is not much of an issue, obviously.
Apparently, the users won't have access to the old forest, so it's of little
value.

I would suspect, as a 'from the hip' approach - given your limits you really
only have a .ldf or a .csv dump of the accounts that are to become a part of
your domain.

However, if you aren't going to be allowed any access to the old forest,
then there is no reason to think that the users would be any more than newly
created principals, along with the computers that you might acquire.

Dump the information, but I wouldn't get too terribly concerned about what is
coming with them.  Other than name, logon name, samAccountName, there isn't
much that you can use.

Rick


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Saturday, August 06, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Merging two domains




We have an external domain that we will not be allowed to set up a two way
trust with, not be allowed to migrate users from, etc.  Basically it's a
partial domain import from one domain to our current Win2k3 domain.

Getting access to the external domain is out of the question since the
external domain is not currently ours.  Part of it will become ours. 


Are there any alternative ways to import or migrate users from an
external domain?  I understand SID history and all the nice things that
go along with it (profile migrations, etc) will not work.  What about
doing some type of an LDIFDE export and import?  Will that at least get
us the account creations?  What other alternatives are there to have the
least end-user impact when changing their domain?  Any documents out
there outlining this?

Thanks to all.



RE: [ActiveDir] Branch Office Question

2005-08-06 Thread Noah Eiger
Thanks, Jorge.
 
The topology is as follows: 
- Each office connects to the hub via a point-to-point VPN. That is, there
is no bridging at the hub -- this is a bandwidth consideration.
- As for AD: we have three sites Hub, B1, B2, and B3. 
- Each has a single DC that is also a GC. 
- There are three IP site links: Hub-B1, Hub-B2, and Hub-B3. I am not sure,
but at one point there may have been a single site link containing all
sites. If there was, it is gone now. The ISTG created a "web" topology.
However, we were getting replication errors. I manually deleted the
connection objects that connected the hubs to each other. Those connection
objects have not regenerated. There are no manually created connections.
Finally, I recall that there is a setting (reg edit?) that tells the ISTG to
_not_ automatically create connections. To my knowledge, this setting is not
enabled. 
 
Anything else I should check?
 
-- nme


  _  

From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 05, 2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Branch Office Question


May look like a silly question but can you point out (just to be sure) what
your site and replication topology looks like? How many sites and how many
site links do you have and how are those connected? I assume one domain and
each DC = GC...
 
#JORGE# 

  _  

From: [EMAIL PROTECTED] on behalf of Noah Eiger
Sent: Sat 8/6/2005 3:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Branch Office Question



Hi Jorge: 

Thanks for the suggestion. That checkbox was indeed checked. I have 
unchecked it and waited longer than a day. Replication seems to have worked 
and the box is unchecked at all branch sites. The errors persist at all 
branch sites. 

Any further thoughts? 

-- nme 

> -Original Message- 
> From: Almeida Pinto, Jorge de 
> [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, August 04, 2005 10:21 AM 
> To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org 
> Subject: RE: [ActiveDir] Branch Office Question 
> 
> so, your network is not fully routed? is auto site link 
> bridging enabled or disabled. If it is enabled, disable it! 
>  
> To do so: 
> * start sites and services 
> * go to Inter site transports 
> * right click IP and uncheck "bridge all site links" 
>  
> wait until this has replicated to the other DCs 
>  
> Cheers 
> #JORGE# 
> 
>  
> 
> From: [EMAIL PROTECTED] on behalf of Noah Eiger 
> Sent: Thu 8/4/2005 6:41 PM 
> To: ActiveDir@mail.activedir.org 
> Subject: [ActiveDir] Branch Office Question 
> 
> 
> Hi - 
>  
> Ok. Finally, one of my questions is ON topic ;-) 
>  
> I have three branch office sites that connect to a single 
> hub. VPN connectivity, Site links, and connection objects 
> only allows each branch to see the hub. Replication is 
> working smoothly and consistently. Yet, I am still seeing 
> repeated errors in the Event Viewers of the branches 
> complaining that they cannot see one another. 
>  
> The options offered in the errors all seem to point to trying 
> to get the branches to see one another (e.g., "publish 
> sufficient site connectivity information..."). I want to tell 
> it not to look for the other branches at all. 
>  
> Specifically, I see: 
>  
> Event Type: Warning 
> Event Source: NTDS KCC 
> Event Category: (1) 
> Event ID: 1566 
> Date:  7/29/2005 
> Time:  11:45:08 AM 
> User:  N/A 
> Computer: BRANCHDC1 
>  
> Event Type: Error 
> Event Source: NTDS KCC 
> Event Category: (1) 
> Event ID: 1311 
> Date:  7/29/2005 
> Time:  11:45:08 AM 
> User:  N/A 
> Computer: BRANCHDC1 
>  
> Thanks. 
>  
> -- nme 
> 
> 

[ActiveDir] Merging two domains

2005-08-06 Thread Rimmerman, Russ


We have an external domain that we will not be allowed to set up a two way
trust with, not be allowed to migrate users from, etc.  Basically it's a
partial domain import from one domain to our current Win2k3 domain.

Getting access to the external domain is out of the question since the
external domain is not currently ours.  Part of it will become ours. 

Are there any alternative ways to import or migrate users from an
external domain?  I understand SID history and all the nice things that
go along with it (profile migrations, etc) will not work.  What about
doing some type of an LDIFDE export and import?  Will that at least get
us the account creations?  What other alternatives are there to have the
least end-user impact when changing their domain?  Any documents out
there outlining this?

Thanks to all.



RE: [ActiveDir] concern about re-ip'd DC

2005-08-06 Thread Steve Linehan
Ok, I see in your original message that you state you did try to move it via 
Sites and Services; missed that.  When you did this, what server was the Sites 
and Services MMC focused on, your DC or another DC in the domain?  Did the UI 
update to show the server in the correct site after the move or did it simply 
remain the same?  If you focus on another DC and make the change and then wait 
for replication, does the site get updated?  Is the server that you are trying 
to move healthy from a replication standpoint?  The SiteName parameter was put 
in the registry for troubleshooting and testing purposes, and while it can be 
used it can also cause confusion later if you decide to make another change, as 
that value always overrides.
 
Thanks,
 
-Steve



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Sat 8/6/2005 9:48 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org; 
ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



In addition, just so no one thinks this recently changed, the behavior was also 
described in the Windows 2000 Distributed Systems Guide as well:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/DistSystems.asp

"If a domain controller's IP address or the subnet-to-site associations are 
changed after Active Directory is installed on the server computer, the domain 
controller does not change sites automatically. It must be moved to the new 
site manually if that site is the desired location."

Thanks,

-Steve



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Sat 8/6/2005 9:44 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org; 
ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



The following documentation describes this behavior as well:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/adsrv.mspx

"All newly promoted DCs are placed in the Site container that applies to them 
at the time of installation. For example, a server bound for California might 
have been initially built and configured in the Maui, Hawaii, data 
center-therefore, the Configure Your Server wizard places the server in the 
Maui site. After it arrives in California, the server object can be moved to 
the new site using the Sites and Services snap-in."

If you do not want to use the UI a script was included in the Branch Office 
Guide called movesite.vbs that will accomplish the same thing.

Thanks,

-Steve




From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Sat 8/6/2005 9:38 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



We do not recommend changing the DynamicSiteName parameter, and hard coding it 
using the SiteName parameter is also not recommended, since later you may forget 
that this is set and, no matter what you do, the DC will assume it is in the site 
you put in the key even if that site does not really exist.  As I stated below, 
Domain Controllers are special: when they are promoted they look at the site and 
subnet mappings and place themselves in the correct site.  After that you must 
manually move them through the Sites and Services snap-in.  Simply launch the 
MMC, navigate to the old site and look under the Servers folder, select the 
server you want to move and drop him in your new site.  Are you stating that 
you did this and the server did not show up in the new site?  There are many 
reasons why DCs do not dynamically change sites, most revolving around keeping a 
stable replication environment.

Thanks,

-Steve



From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Sat 8/6/2005 7:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



Hi Steve,
   (Maybe I should add this issue to the "OT-Biggest AD Gripes" thread!)  Each 
of the actions I've taken so far, in my mind, should have gotten this DC back 
to the appropriate site.  But it still thinks it should be in the original 
site!  One item I find is the 
HKLM\SYSTEM\CCS\Services\Netlogon\Parameters\DynamicSiteName still points to 
"site2".  I did run across a Microsoft article that talks about this and to 
never change a dynamically determined value.  Instead, you can create a new 
value in the same place in the registry named "SiteName", REG_SZ with the value 
you want.  Have you (or someone else) found the need to do this?

Mike Thommes



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Fri 8/5/2005 4:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



DCs do not change their sites dynamically.  You will need to move the 

RE: [ActiveDir] concern about re-ip'd DC

2005-08-06 Thread Steve Linehan
In addition, just so no one thinks this recently changed, the behavior was also 
described in the Windows 2000 Distributed Systems Guide as well:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/DistSystems.asp
 
"If a domain controller's IP address or the subnet-to-site associations are 
changed after Active Directory is installed on the server computer, the domain 
controller does not change sites automatically. It must be moved to the new 
site manually if that site is the desired location."
 
Thanks,
 
-Steve



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Sat 8/6/2005 9:44 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org; 
ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



The following documentation describes this behavior as well:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/adsrv.mspx

"All newly promoted DCs are placed in the Site container that applies to them 
at the time of installation. For example, a server bound for California might 
have been initially built and configured in the Maui, Hawaii, data 
center-therefore, the Configure Your Server wizard places the server in the 
Maui site. After it arrives in California, the server object can be moved to 
the new site using the Sites and Services snap-in."

If you do not want to use the UI a script was included in the Branch Office 
Guide called movesite.vbs that will accomplish the same thing.

Thanks,

-Steve




From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Sat 8/6/2005 9:38 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



We do not recommend changing the DynamicSiteName parameter, and hard coding it 
using the SiteName parameter is also not recommended, since later you may forget 
that this is set and, no matter what you do, the DC will assume it is in the site 
you put in the key even if that site does not really exist.  As I stated below, 
Domain Controllers are special: when they are promoted they look at the site and 
subnet mappings and place themselves in the correct site.  After that you must 
manually move them through the Sites and Services snap-in.  Simply launch the 
MMC, navigate to the old site and look under the Servers folder, select the 
server you want to move and drop him in your new site.  Are you stating that 
you did this and the server did not show up in the new site?  There are many 
reasons why DCs do not dynamically change sites, most revolving around keeping a 
stable replication environment.

Thanks,

-Steve



From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Sat 8/6/2005 7:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



Hi Steve,
   (Maybe I should add this issue to the "OT-Biggest AD Gripes" thread!)  Each 
of the actions I've taken so far, in my mind, should have gotten this DC back 
to the appropriate site.  But it still thinks it should be in the original 
site!  One item I find is the 
HKLM\SYSTEM\CCS\Services\Netlogon\Parameters\DynamicSiteName still points to 
"site2".  I did run across a Microsoft article that talks about this and to 
never change a dynamically determined value.  Instead, you can create a new 
value in the same place in the registry named "SiteName", REG_SZ with the value 
you want.  Have you (or someone else) found the need to do this?

Mike Thommes



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Fri 8/5/2005 4:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



DCs do not change their sites dynamically.  You will need to move the DC
to its new site manually via sites and services.  When they are promoted
they look at the site definitions but after that it is a manual process.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Friday, August 05, 2005 3:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] concern about re-ip'd DC

Hi,
   I have a Domain Controller that was located in a different AD site
(site2) via its IP (naturally!).  This DC was shut down about 2 weeks
ago.  I have since powered it back up offnet, given it a new IP (which
is defined as a different site (site1)), and rebooted it on net.  Some
hours later, it still seems to think it is in the original site (site2),
at least that is what I see in AD Sites and Services.

Some minutes later...based on some googled and eventide.net info, I put
in a specific subnet entry in ADSS for this new IP and associated it
with site1.  A reboot produced no change.  So then I went to AD Sites
and Services and did a GU

RE: [ActiveDir] concern about re-ip'd DC

2005-08-06 Thread Steve Linehan
The following documentation describes this behavior as well:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/adsrv.mspx
 
"All newly promoted DCs are placed in the Site container that applies to them 
at the time of installation. For example, a server bound for California might 
have been initially built and configured in the Maui, Hawaii, data 
center-therefore, the Configure Your Server wizard places the server in the 
Maui site. After it arrives in California, the server object can be moved to 
the new site using the Sites and Services snap-in."
 
If you do not want to use the UI a script was included in the Branch Office 
Guide called movesite.vbs that will accomplish the same thing.
 
Thanks,
 
-Steve
 



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Sat 8/6/2005 9:38 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



We do not recommend changing the DynamicSiteName parameter, and hard coding it 
using the SiteName parameter is also not recommended, since later you may forget 
that this is set and, no matter what you do, the DC will assume it is in the site 
you put in the key even if that site does not really exist.  As I stated below, 
Domain Controllers are special: when they are promoted they look at the site and 
subnet mappings and place themselves in the correct site.  After that you must 
manually move them through the Sites and Services snap-in.  Simply launch the 
MMC, navigate to the old site and look under the Servers folder, select the 
server you want to move and drop him in your new site.  Are you stating that 
you did this and the server did not show up in the new site?  There are many 
reasons why DCs do not dynamically change sites, most revolving around keeping a 
stable replication environment.

Thanks,

-Steve



From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Sat 8/6/2005 7:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



Hi Steve,
   (Maybe I should add this issue to the "OT-Biggest AD Gripes" thread!)  Each 
of the actions I've taken so far, in my mind, should have gotten this DC back 
to the appropriate site.  But it still thinks it should be in the original 
site!  One item I find is the 
HKLM\SYSTEM\CCS\Services\Netlogon\Parameters\DynamicSiteName still points to 
"site2".  I did run across a Microsoft article that talks about this and to 
never change a dynamically determined value.  Instead, you can create a new 
value in the same place in the registry named "SiteName", REG_SZ with the value 
you want.  Have you (or someone else) found the need to do this?

Mike Thommes



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Fri 8/5/2005 4:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



DC do not change their sites dynamically.  You will need to move the DC
to its new site manually via sites and services.  When they are promoted
they look at the site definitions but after that it is a manual process.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Friday, August 05, 2005 3:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] concern about re-ip'd DC

Hi,
   I have a Domain Controller that was located in a different AD site
(site2) via its IP (naturally!).  This DC was shut down about 2 weeks
ago.  I have since powered it back up offnet, given it a new IP (which
is defined as a different site (site1)), and rebooted it on net.  Some
hours later, it still seems to think it is in the original site (site2),
at least that is what I see in AD Sites and Services.

Some minutes later...based on some googled and eventide.net info, I put
in a specific subnet entry in ADSS for this new IP and associated it
with site1.  A reboot produced no change.  So then I went to AD Sites
and Services and did a GUI move of this DC from site2 to site1.  Another
reboot - no change.

I see the dynamically created netlogon.dns file STILL has site2
identified!  Any hints on how to "convince" this DC that it should be in
site1?  Anybody else experience this type of behavior?  TIA!

Mike Thommes
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] concern about re-ip'd DC

2005-08-06 Thread Steve Linehan
We do not recommend changing the dynamicsitename parameter and hard coding it 
using the SiteName parameter is also not recommended since later you may forget 
that this is set and no matter what you do the DC will assume it is in the site 
you put in the key even if that site does not really exist.  As I stated below 
Domain Controllers are special when they are promoted they look at the site and 
subnet mappings and place themselves in the correct site.  After that you must 
manually move them through the Sites and Services Snapin.  Simply launch the 
MMC navigate to the old site and look under the servers folder, select the 
server you want to move and drop him in your new site.  Are you stating that 
you did this and the server did not show up in the new site?  There are many 
reasons why DCs do not dynamically change sites most revolving around keeping a 
stable replication environment.
 
Thanks,
 
-Steve



From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Sat 8/6/2005 7:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



Hi Steve,
   (Maybe I should add this issue to the "OT-Biggest AD Gripes" thread!)  Each 
of the actions I've taken so far, in my mind, should have gotten this DC back 
to the appropriate site.  But it still thinks it should be in the original 
site!  One item I find is the 
HKLM\SYSTEM\CCS\Services\Netlogon\Parameters\DynamicSiteName still points to 
"site2".  I did run across a Microsoft article that talks about this and to 
never change a dynamically determined value.  Instead, you can create a new 
value in the same place in the registry named "SiteName", REG_SZ with the value 
you want.  Have you (or someone else) found the need to do this?

Mike Thommes



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Fri 8/5/2005 4:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



DC do not change their sites dynamically.  You will need to move the DC
to its new site manually via sites and services.  When they are promoted
they look at the site definitions but after that it is a manual process.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Friday, August 05, 2005 3:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] concern about re-ip'd DC

Hi,
   I have a Domain Controller that was located in a different AD site
(site2) via its IP (naturally!).  This DC was shut down about 2 weeks
ago.  I have since powered it back up offnet, given it a new IP (which
is defined as a different site (site1)), and rebooted it on net.  Some
hours later, it still seems to think it is in the original site (site2),
at least that is what I see in AD Sites and Services.

Some minutes later...based on some googled and eventide.net info, I put
in a specific subnet entry in ADSS for this new IP and associated it
with site1.  A reboot produced no change.  So then I went to AD Sites
and Services and did a GUI move of this DC from site2 to site1.  Another
reboot - no change.

I see the dynamically created netlogon.dns file STILL has site2
identified!  Any hints on how to "convince" this DC that it should be in
site1?  Anybody else experience this type of behavior?  TIA!

Mike Thommes
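A read-only check for the situation discussed in the message above, added here as an example (it is not code from the thread or from Microsoft). Run on the DC, it compares Netlogon's DynamicSiteName, any forgotten SiteName override, and the site that actually holds the DC's server object in the configuration container. It assumes Windows PowerShell 3.0 or later and that "CCS" in the quoted registry path abbreviates CurrentControlSet; the function name Get-DcSiteView is hypothetical.

```powershell
# Added example, not code from the thread. Read-only; run locally on the DC.
function Get-DcSiteView {
    [CmdletBinding()]
    param(
        # Assumption: "CCS" in the thread abbreviates CurrentControlSet.
        [string]$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters',
        [string]$ServerName  = $env:COMPUTERNAME
    )

    # 1. What Netlogon recorded locally. SiteName is normally absent;
    #    if it is present, someone created it by hand as an override.
    $reg          = Get-ItemProperty -Path $NetlogonKey
    $dynamicSite  = $reg.DynamicSiteName
    $overrideSite = $reg.SiteName

    # 2. Where the directory holds the server object:
    #    CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.Properties['configurationNamingContext'].Value

    $searcher             = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=Sites,$configNc"
    $searcher.Filter      = "(&(objectClass=server)(cn=$ServerName))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $directorySites = @(foreach ($hit in $searcher.FindAll()) {
        $dn = [string]$hit.Properties['distinguishedname'][0]
        if ($dn -match '^CN=[^,]+,CN=Servers,CN=([^,]+),CN=Sites,') { $Matches[1] }
    })

    # 3. Compare the two views and report anything that needs a human decision.
    $findings = @()
    if ($directorySites.Count -eq 0) {
        $findings += "No server object named '$ServerName' found under CN=Sites"
    }
    if ($directorySites.Count -gt 1) {
        $findings += "Server object found in more than one site: $($directorySites -join ', ')"
    }
    if ($overrideSite) {
        $findings += "SiteName override is set to '$overrideSite'; the machine will assume this site no matter where the server object is"
        if (-not [ADSI]::Exists("LDAP://CN=$overrideSite,CN=Sites,$configNc")) {
            $findings += "Site '$overrideSite' named in the override does not exist in the directory"
        }
    }
    if ($directorySites.Count -eq 1 -and $dynamicSite -and
        $directorySites[0] -ne $dynamicSite) {
        $findings += "DynamicSiteName '$dynamicSite' differs from directory site '$($directorySites[0])'"
    }

    [pscustomobject]@{
        Server           = $ServerName
        DynamicSiteName  = $dynamicSite
        SiteNameOverride = $overrideSite
        DirectorySite    = $directorySites -join ', '
        Findings         = $findings
    }
}

Get-DcSiteView | Format-List
```

The function only reads; moving the server object or removing an override value remains a manual decision.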


RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

2005-08-06 Thread joe



That would tell me that the homeMDB value either isn't 
correct or isn't being set properly. homeMDB is a linked DN attribute, it *MUST* 
be valid when it is set.
 
If the tool allows you to retrieve the extended LDAP error 
that would be great, if not get out a network sniffer and trace the operation. 
If the issue is with homeMDB from the DC, you will see a CONSTRAINT_ATT_TYPE 
error in clear text in the return packet from the DC.
 
I would pull out a network sniffer


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Saturday, August 06, 2005 6:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred


The only sad thing 
about it is that when with the same attributes minus the homeMDB, the users get 
created perfectly.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 11:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
 
Yes, again those 
attributes below seem fine, there should be no issues setting them through LDAP, 
certainly AD won't reject them. Again I would change the mailnickname to the 
same as sAMAccountName but that is just me. 
 
If you are just mailbox 
enabling, setting mailnickname and homemdb will do it. That whole thing is 
documented to be unsupported by MS but I don't know of a single large company 
that doesn't do it the same way. The RUS will fire with that info and set up the 
rest of the attributes. 
 
Now if this is a user 
create from the ground up, there could be issues with creating an enabled 
account. I think we went through that before here on the list with you 
though didn't we?
 
   
joe
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The meta tries to 
create the entry. so it creates the entry in AD and the agent is responsible for 
creating mailbox. Are the attributes seen for the entry correct? Also what all 
is required if I am creating a mailbox user from a meta or a script, etc. 
also  can you suggest if I can find some useful information from the 
exchange server? Any diagnostics, etc?
 
Thanks.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
 
That error log isn't 
very good. You can't even tell if it is an error being floated back from a DC. 
Could be something in the meta directory tool.
 
As for the specific 
data below for the attributes to be set on the user, I don't see anything bad 
though I wouldn't recommend the mailnickname to have that format, I would 
recommend it be the same as the sAMAccountName value. I tend to put the "nice" 
full version of the name in the displayName and that is the only place it 
is.
 
What info specifically 
is the product trying to set and how is it setting it? You may have to do a 
network trace or something like it.
 
 
 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 1:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Hi 
 
I am trying to use a metadirectory 
to add an exchange user. An agent sitting on the Exchange server machine, which 
will add the mail box for the user.
 
But when I try to add the user, I am 
getting the following error “An operations error 
occurred”
 
10:38:01.112: [1412.724] DataAccess: UP_AddRecord EXCH2K
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify Request
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify operation to Exchange operation
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Bind using Configured Credentials:
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Success AD Object: LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net bind=ADS_SECURE_AUTHENTICATION
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object. Success server=rlgmfurs1ad01.gepurbsres01.net AD Object=cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD User Object from an an AD Object
10:38:03.502: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox Error: An operations error occurred... Server=
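
A read-only pre-flight for the homeMDB point made in the message above, added here as an example (it is not code from the thread or from the metadirectory product). Before anything writes homeMDB, it confirms that the DN resolves to a mailbox store object and decodes the user's userAccountControl, since the thread also raises problems with creating an enabled account. It assumes Windows PowerShell 3.0 or later on a domain-joined machine; the function names and the store DN in the sample call are hypothetical placeholders.

```powershell
# Added example, not code from the thread. Read-only: nothing is written to AD.

# ADSI paths need '/' inside a DN escaped; commas already escaped as '\,' pass through.
function ConvertTo-AdsPath([string]$Dn) { 'LDAP://' + $Dn.Replace('/', '\/') }

function Test-MailboxEnablePreflight {
    param(
        [Parameter(Mandatory = $true)][string]$UserDn,
        [Parameter(Mandatory = $true)][string]$HomeMdbDn
    )

    # userAccountControl bits (ADS_UF_* values).
    # Example: 544 = 0x220 = NORMAL_ACCOUNT (0x200) + PASSWD_NOTREQD (0x20).
    $uacFlags = [ordered]@{
        ACCOUNTDISABLE     = 0x0002
        LOCKOUT            = 0x0010
        PASSWD_NOTREQD     = 0x0020
        NORMAL_ACCOUNT     = 0x0200
        DONT_EXPIRE_PASSWD = 0x10000
    }
    $findings = @()

    # 1. homeMDB is a linked DN attribute: the target must exist when it is set.
    $mdbPath = ConvertTo-AdsPath $HomeMdbDn
    if (-not [ADSI]::Exists($mdbPath)) {
        $findings += 'homeMDB target DN does not exist; setting it will fail'
    } else {
        $classes = @(([ADSI]$mdbPath).Properties['objectClass'])
        if ($classes -notcontains 'msExchPrivateMDB') {
            $findings += "homeMDB target exists but is not a mailbox store (objectClass: $($classes -join ', '))"
        }
    }

    # 2. State of the user object the mailbox would be attached to.
    $userPath = ConvertTo-AdsPath $UserDn
    $setFlags = @()
    $uac      = $null
    if (-not [ADSI]::Exists($userPath)) {
        $findings += 'User DN does not exist'
    } else {
        $user     = [ADSI]$userPath
        $uac      = [int]$user.Properties['userAccountControl'].Value
        $setFlags = @($uacFlags.Keys | Where-Object { $uac -band $uacFlags[$_] })

        if ($setFlags -contains 'PASSWD_NOTREQD' -and $setFlags -notcontains 'ACCOUNTDISABLE') {
            $findings += 'Account is enabled with PASSWD_NOTREQD: no password is required for it, so a blank one is allowed'
        }

        # joe's stated preference in the thread: mailNickname equal to sAMAccountName.
        $nick = [string]$user.Properties['mailNickname'].Value
        $sam  = [string]$user.Properties['sAMAccountName'].Value
        if ($nick -and $nick -ne $sam) {
            $findings += "mailNickname '$nick' differs from sAMAccountName '$sam'"
        }
    }

    [pscustomobject]@{
        User               = $UserDn
        HomeMdb            = $HomeMdbDn
        UserAccountControl = $uac
        UacFlags           = $setFlags -join ' | '
        Findings           = $findings
    }
}

# Sample call. The user DN is the one in the log above; the store DN is a
# constructed placeholder and must be replaced with a real mailbox store DN.
Test-MailboxEnablePreflight `
    -UserDn    'cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net' `
    -HomeMdbDn 'CN=PLACEHOLDER-STORE,CN=PLACEHOLDER-STORAGE-GROUP,CN=InformationStore,CN=PLACEHOLDER' |
    Format-List
```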

RE: [ActiveDir] OT - The downfall of Novell and NetWare (was- Biggest AD Gripes)

2005-08-06 Thread Rick Kingslan
Sadly, quite true [1].  I remember fondly working with Street Talk - pretty
nice implementation with absolutely NO idea on how to leverage the
technology to the right people (Tech Managers, Business folks, partners and
potential partners, ISV/IHV).

Rick

[1] My opinions, not to be confused with those of my Employer.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Friday, August 05, 2005 7:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - The downfall of Novell and NetWare (was-
Biggest AD Gripes)

Novell Schmovell, Banyan had their own hardware then too and they even
had had a _directory_. A real one, the 2x & 3x Novell guys used to
wonder how the servers talked to each other :-]

I bet Gil has an old Banyan CNS in his museum...

Besides, Novell couldn't touch Banyan in the "Our-Marketing-Sucks"
department 

http://web.mit.edu/redelson/www/media/banad.pdf


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, August 05, 2005 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - The downfall of Novell and NetWare (was-
Biggest AD Gripes)

Heh  From a pure technical view, quite right.

However - that's where I started - NetWare 2.0  (I mean the FIRST
NetWare
2.0).  I still remember the proprietary servers that they used to
manufacture.

However, what really killed Novell was not the brilliant technical ideas
of
Drew Majors (who, I still respect as a guy with real vision), but the
Megalomania and obsessive behavior or Ray Noorda.  

Ray so envied Bill Gates that he was going to do anything to better
Gates.
This meant that Ray effectively lost focus of what Novell was all about
in
the interest of buying up products that he thought would better
Microsoft.
Hence, absolutely ridiculous amounts of money (OK, for that time it was
ridiculous...) were spent for WordPerfect and ATT Unix, as well as other
pieces that were picked up.

But, the focus was lost, NT 4.0 caught on, and the Microsoft marketing
machine paid no attention (outwardly, at least) to Noorda.  They just
went
after the customers who had lost patience with the very badly off track
NetWare.

What was once a major player - and owned greater than 80% of the server
market all but became a bit player overnight.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 8:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, lets not forget the less than well-thought-out client
they
produced (current versions are better but still remain lesser integrated
than that of Windows' native ability) ... utterly, utterly pathetic
attempt.
Arrogance and a distinct lack of marketing (when compared to the
competition) was also a contributing factor IMO.


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I think there were a few very important reasons why Netware lost the
battle.
I remember when NT first shipped the mantra was, "Netware is great for
file
and print and NT is great for applications". Netware NLMs were
impossible to
develop and that meant that folks either developed apps on NT or more
likely
Unix (at the time). Apps are sticky, file and print is not. Over time,
as
Windows ruled the desktop and people realized that file and print was
commodity and that arguing about whether Netware was a better file and
print
server than NT became meaningless compared to better desktop/server
integration, Novell lost out. Novell failed to keep up, in my opinion.
The
market was theirs to lose...and they lost it. Proof once again that
great
technology coupled with bad management is just as bad as bad technology.




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, August 05, 2005 5:05 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

IMHO Novell lost out to MS due to the fact that Netware 3 was so clunky
(ultra stable but diff to manage once you deployed more than ~100
servers).
Netware 4/NDS had issues in its first version and quickly lost traction,
leaving MS and NT to pick up the thread.

It was for this reason that very few orgs deployed NDS across a large
env -
NDS was more than capable of supporting 100K users and the
management/maintenance/support would have far simpler that it was for
NT.

Once NT gained the upper hand, momentum took over and led us to where we
are
today.

neil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 05 August 2005 00:35
To: ActiveDir@mail.activedir.org
Subject: RE

RE: [ActiveDir] concern about re-ip'd DC

2005-08-06 Thread Thommes, Michael M.
Hi Steve,
   (Maybe I should add this issue to the "OT-Biggest AD Gripes" thread!)  Each 
of the actions I've taken so far, in my mind, should have gotten this DC back 
to the appropriate site.  But it still thinks it should be in the original 
site!  One item I find is the 
HKLM\SYSTEM\CCS\Services\Netlogon\Parameters\DynamicSiteName still points to 
"site2".  I did run across a Microsoft article that talks about this and to 
never change a dynamically determined value.  Instead, you can create a new 
value in the same place in the registry named "SiteName", REG_SZ with the value 
you want.  Have you (or someone else) found the need to do this?
 
Mike Thommes



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Fri 8/5/2005 4:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] concern about re-ip'd DC



DC do not change their sites dynamically.  You will need to move the DC
to its new site manually via sites and services.  When they are promoted
they look at the site definitions but after that it is a manual process.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Friday, August 05, 2005 3:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] concern about re-ip'd DC

Hi,
   I have a Domain Controller that was located in a different AD site
(site2) via its IP (naturally!).  This DC was shut down about 2 weeks
ago.  I have since powered it back up offnet, given it a new IP (which
is defined as a different site (site1)), and rebooted it on net.  Some
hours later, it still seems to think it is in the original site (site2),
at least that is what I see in AD Sites and Services.

Some minutes later...based on some googled and eventide.net info, I put
in a specific subnet entry in ADSS for this new IP and associated it
with site1.  A reboot produced no change.  So then I went to AD Sites
and Services and did a GUI move of this DC from site2 to site1.  Another
reboot - no change.

I see the dynamically created netlogon.dns file STILL has site2
identified!  Any hints on how to "convince" this DC that it should be in
site1?  Anybody else experience this type of behavior?  TIA!

Mike Thommes


RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

2005-08-06 Thread Mayuresh Kshirsagar








The only sad thing about it is that when
with the same attributes minus the homeMDB, the users get created perfectly.

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005
11:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem
adding an Exchange User - An operations error occurred



 

Yes, again those attributes below seem
fine, there should be no issues setting them through LDAP, certainly AD won't
reject them. Again I would change the mailnickname to the same as
sAMAccountName but that is just me. 

 

If you are just mailbox enabling, setting
mailnickname and homemdb will do it. That whole thing is documented to be
unsupported by MS but I don't know of a single large company that doesn't do it
the same way. The RUS will fire with that info and set up the rest of the
attributes. 

 

Now if this is a user create from the
ground up, there could be issues with creating an enabled account. I
think we went through that before here on the list with you though
didn't we?

 

   joe

 

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 6:40
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem
adding an Exchange User - An operations error occurred

The meta tries to create the entry. so it
creates the entry in AD and the agent is responsible for creating mailbox. Are
the attributes seen for the entry correct? Also what all is required if I am
creating a mailbox user from a meta or a script, etc. also  can you
suggest if I can find some useful information from the exchange server? Any
diagnostics, etc?

 

Thanks.

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 4:37
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem
adding an Exchange User - An operations error occurred



 

That error log isn't very good. You can't
even tell if it is an error being floated back from a DC. Could be something in
the meta directory tool.

 

As for the specific data below for the
attributes to be set on the user, I don't see anything bad though I wouldn't
recommend the mailnickname to have that format, I would recommend it be the
same as the sAMAccountName value. I tend to put the "nice" full
version of the name in the displayName and that is the only place it is.

 

What info specifically is the product
trying to set and how is it setting it? You may have to do a network trace or
something like it.

 

 

 

 

 







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 1:19
PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem
adding an Exchange User - An operations error occurred

Hi 

 

I am trying to use a metadirectory to add an exchange user.
An agent sitting on the Exchange server machine, which will add the mail box
for the user.

 

But when I try to add the user, I am getting the following
error “An operations error occurred”

 

10:38:01.112: [1412.724] DataAccess: UP_AddRecord EXCH2K

10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation:
Mapping Add/Modify Request

10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation:
Mapping Add/Modify operation to Exchange operation

10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation:
Getting an AD Object

10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation:
Retrieving AD object

10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation:
Retrieving AD object. Bind using Configured Credentials:

10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation:
Retrieving AD object. Success AD Object: LDAP://cn=ZZZHHH\,
ANGUS,OU=test,DC=gepurbsres01,DC=net bind=ADS_SECURE_AUTHENTICATION

10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation:
Getting an AD Object. Success server=rlgmfurs1ad01.gepurbsres01.net AD
Object=cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net

10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Add
Or Move a Mailbox

10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting
an AD User Object from an an AD Object

10:38:03.502: [1412.724] DataAccess: EXCH2K: Operation: Add
Or Move a Mailbox Error: An operations error occurred...
Server=rlgmfurs1ad01.gepurbsres01.net, User=LDAP://cn=ZZZHHH\,
ANGUS,OU=test,DC=gepurbsres01,DC=net

10:38:03.502: [1412.724] DataAccess: EXCH2K: Mapping
Add/Modify Request, Error: An operations error occurred...

10:38:03.502: [1412.724] DataAccess: UP_AddRecord EXCH2K
Failure = EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred...

10:38:03.502: [1412.724] RUPS:
Muws2UPAdapter::write(EXCH2K:0:01BE0064): Call of
UP_Add/Modify/Delete/RenameRecord(cn=ZZZHHH\,
ANGUS,OU=test,DC=gepurbsres01,DC=net) failed , error='UP_E_ADD_FAILED' (EXCH2K:
Mapping Add/Modify Request, Error: An operations error occurred...)

 

Pasted the part of the trace only just in an attempt to give
more information. The

RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

2005-08-06 Thread Mayuresh Kshirsagar








Yes certainly. The useraccountcontrol is
set to 544. how can I do the diagnostics on the exchange side? What diagnostics
should I enable? I tried setting diagnostics to verbose for some modules, but
didn’t give me sufficient information.

 

Thanks much,

Mayuresh.

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005
11:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem
adding an Exchange User - An operations error occurred



 

Yes, again those attributes below seem
fine, there should be no issues setting them through LDAP, certainly AD won't
reject them. Again I would change the mailnickname to the same as
sAMAccountName but that is just me. 

 

If you are just mailbox enabling, setting
mailnickname and homemdb will do it. That whole thing is documented to be
unsupported by MS but I don't know of a single large company that doesn't do it
the same way. The RUS will fire with that info and set up the rest of the
attributes. 

 

Now if this is a user create from the
ground up, there could be issues with creating an enabled account. I
think we went through that before here on the list with you though
didn't we?

 

   joe

 

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 6:40
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem
adding an Exchange User - An operations error occurred

The meta tries to create the entry. so it
creates the entry in AD and the agent is responsible for creating mailbox. Are
the attributes seen for the entry correct? Also what all is required if I am
creating a mailbox user from a meta or a script, etc. also  can you
suggest if I can find some useful information from the exchange server? Any
diagnostics, etc?

 

Thanks.

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 4:37
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem
adding an Exchange User - An operations error occurred



 

That error log isn't very good. You can't
even tell if it is an error being floated back from a DC. Could be something in
the meta directory tool.

 

As for the specific data below for the
attributes to be set on the user, I don't see anything bad though I wouldn't
recommend the mailnickname to have that format, I would recommend it be the
same as the sAMAccountName value. I tend to put the "nice" full
version of the name in the displayName and that is the only place it is.

 

What info specifically is the product
trying to set and how is it setting it? You may have to do a network trace or
something like it.

 

 

 

 

 







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 1:19
PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem
adding an Exchange User - An operations error occurred

Hi 

 

I am trying to use a metadirectory to add an exchange user.
An agent sitting on the Exchange server machine, which will add the mail box
for the user.

 

But when I try to add the user, I am getting the following
error “An operations error occurred”

 

10:38:01.112: [1412.724] DataAccess: UP_AddRecord EXCH2K

10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation:
Mapping Add/Modify Request

10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation:
Mapping Add/Modify operation to Exchange operation

10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation:
Getting an AD Object

10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation:
Retrieving AD object

10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation:
Retrieving AD object. Bind using Configured Credentials:

10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation:
Retrieving AD object. Success AD Object: LDAP://cn=ZZZHHH\,
ANGUS,OU=test,DC=gepurbsres01,DC=net bind=ADS_SECURE_AUTHENTICATION

10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation:
Getting an AD Object. Success server=rlgmfurs1ad01.gepurbsres01.net AD
Object=cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net

10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Add
Or Move a Mailbox

10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting
an AD User Object from an an AD Object

10:38:03.502: [1412.724] DataAccess: EXCH2K: Operation: Add
Or Move a Mailbox Error: An operations error occurred...
Server=rlgmfurs1ad01.gepurbsres01.net, User=LDAP://cn=ZZZHHH\,
ANGUS,OU=test,DC=gepurbsres01,DC=net

10:38:03.502: [1412.724] DataAccess: EXCH2K: Mapping
Add/Modify Request, Error: An operations error occurred...

10:38:03.502: [1412.724] DataAccess: UP_AddRecord EXCH2K
Failure = EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred...

10:38:03.502: [1412.724] RUPS:
Muws2UPAdapter::write(EXCH2K:0:01BE0064): Call of
UP_Add/Modify/Delete/RenameRecord(cn=ZZZHHH\,
ANGUS,OU=test,DC=gepurbsres01,DC=net) failed , error='UP_E_ADD_FAILED' (EXCH2K:
Mappin