RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Rick Kingslan
Funny that - I lost mine when I JOINED Microsoft.  I was told that it might
be hard to get as my job doesn't require access to source...

Rick

P.S.  I say just plain "blech". They're great for throwing. As to
eating - have no use for them.  :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 12:59 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

I am fortunate enough to be provided with source access by Microsoft.

Actually, I say "Tom-arto" since I'm British. ;0)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 1:37 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

No problem at all... You say Tomato, I say Tamato... I also misunderstood his
question, as I assumed he meant DCs and not GCs.

Thanks for clarifying this in more detail.

BTW: How did you get to look at the source code?

Jose :-)



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 10:08 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology


Jose, I don't wish to continue going back and forth on this topic; the
behavior and constraints are what they are.  I'm not stating an opinion or
an interpretation of a paper, I'm stating a fact based upon the source code
of the product (as of 2K and 2K3).  Your understanding of the articles
you've read is very close but not entirely accurate.  Phantoms of this kind
are not permitted on GCs ... this is manifested in the interface when you
attempt to add a user to a Universal group but the user has not yet
replicated to the GC (an error will occur stating exactly that); if phantoms
were permitted, one would be created based on the info from the DC used to
browse the domain containing the user.

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

I am afraid not... 

One of the common replies and misunderstood rumors is that the
Infrastructure Master (IM) is only allowed to run on a Global Catalog Server
(GC) if every Domain Controller (DC) in the Forest is Global Catalog Server.
That rumor is just based on misleading wording.

The infrastructure master's job is to compare objects of the local domain
against objects in other domains of the same forest. If the server holding
the infrastructure master is also a global catalog it won't ever see any
differences, since the global catalog holds a partial copy of every object
in the forest itself. Therefore the infrastructure master won't do anything
in its domain. However, if every DC in the domain is also a global catalog
server there's no job for the IM since the GC already knows about the
objects of other domains. So if you look at the job the IM has to do, it's
pretty clear that it may reside on a GC if it's a single domain forest (no
need to pull updates from other domains). It's also pretty clear that it may
reside on a GC if it's in a multiple domain forest but every DC in the
domain where the IM runs is also a GC (no need to pull updates since the GC
knows everything).

So the following infrastructure is a valid configuration:

One domain:
R-DC1 (GC + IM)
R-DC2 (GC)
R-DC3-x (must be GC)

Other domain:
O-DC1 (GC)
O-DC2 (IM)
O-DC3-x (might or might not be GC, does not matter)

The first domain does not need to pull updates since the GCs know
everything, the other domain has the IM running on a non-GC so it pulls the
updates and replicates them to other DCs.

The following KB states that correctly:
http://support.microsoft.com/kb/223346/EN-US/
 
So to be short:
The Infrastructure Master is not allowed to run on a Global Catalog Server
if either there are multiple Domains in the Forest there are Domain
Controllers in the same Domain which are not Global Catalog Servers
 
The Infrastructure Master is allowed to run on a Global Catalog Server in a
Domain if either there's only one Domain in the Forest every Domain
Controller in the Domain in question is Global Catalog Server
---

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 8:26 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology


I'm afraid it's not correct; when all DCs are GCs (within a single domain),
the IM can happily co-reside with a GC.  I'd also mention that the imp

RE: [ActiveDir] EmployeeID AD attribute

2005-08-16 Thread Tony Murray
I don't know of any kludgeless way to do this.  As
Deji suggested, perhaps Microsoft will come up with a solution in the
future.  In the meantime, see the attached email for some solutions that
have been proposed as a workaround.

Tony


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of RM
Sent: Wednesday, 17 August 2005 9:12 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] EmployeeID AD attribute

Hi,
Has anyone discovered a less-kludgy way to turn-on the "hidden" user 
attributes in AD, such as EmployeeID?  I found several sites that document 
using Schmmgmt, ADSIedit, and a .vbs script.  Is there a cleaner way 
to implement this?  Can this field somehow be added to the normal
"properties" menu for a user (instead of being accessed only 
via right-click)?
Thx,
RM

This e-mail message has been scanned for Viruses and Content and cleared by 
NetIQ MailMarshal at Gen-i Limited 



--- Begin Message ---
Hi Johnny,


In addition to what Tony listed, you can add to the context menu (i.e., mouse right click) of a user object a feature to modify employeeID.

Instructions and the _vbscript_ required are on the bottom of the page http://www.kouti.com/scripts.htm


Yours, Sakari

  


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Figueroa, Johnny
> Sent: Friday, July 08, 2005 3:06 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Attribute on AD users called employeeID
>
> We are trying to write an interface between our payroll database and
> Active Directory. We are planning on using an attribute in AD called
> employeeID. However it appears that the attribute is not exposed in ADUC
> so you have to use LDP or a script to view it.
>
> Any ideas?
>
> Thanks
>
> Johnny Figueroa
> Enterprise Network Consultant/Integrator
> Network Services Banner Health
> Voice (602) 495-4195 Fax (602) 495-4406

List info   : http://www.activedir.org/List.aspx

List FAQ    : http://www.activedir.org/ListFAQ.aspx

List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



--- End Message ---


RE: [ActiveDir] Property Sets?

2005-08-16 Thread Francis Ouellet
Hi Marcus,
 
The best source of information I was able to gather on
property sets was from the Sakari Kouti and Mika Seitsonen book called Inside
Active Directory from Addison-Wesley. Best $50 I ever spent in my life. I
consider it the AD bible. You get the exact steps on how to create new
attributes, assign permissions for them and put them into a property set (in
chapter 9).
 
Hope this helps!
 
Francis


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: August 16, 2005 5:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Property Sets?

Anyone have a good link detailing how to create and administer (e.g. apply
permissions to) property sets?
Thanks!
m


RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Francis Ouellet
Dean and all;

This has been a great topic so far. It seems that the IM infrastructure role 
isn't quite grasped by everybody and can be a little confusing (me being first 
confused!) 

Can I suggest that we gather all of the information from this thread and 
publish it as a community article on the MS KB we can later refer to? 

I'm willing to whip up the article if everyone agrees; I can then post back to 
the list a draft (or publish it somewhere) for technical review.

Thanks,
Francis



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: August 16, 2005 3:44 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

Sounds good to me Robert.  For the sake of clarification and a little more 
detail, see below -

The IM process itself does not create phantoms, if it were exclusively 
responsible for that task, all group modifications referencing non-local-domain 
members would require origination against the IM -- this is not the case.  
Phantoms are created locally by each DC (beneath the awareness of the directory 
itself).  

The well-known role of the IM is to identify the validity of local phantoms 
using the process that we've just recently described to death.  In addition, a 
lesser known function of the IM is that of improving its own phantoms and 
replicating those improvements to the remaining DCs within its own domain.
This is achieved by a 'sorta' replication proxy -- my earlier post describing 
an ADFIND.EXE syntax outlines a means of finding the objects used by this 
aspect of the IM's behavior (that's assuming you're interested of course).

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams
(RRE)
Sent: Tuesday, August 16, 2005 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

I like your explanation...please allow me to comment on a snippet just to be 
sure we're on the same page:


IF the IM does not create phantoms, then the DCs that are not GCs do not have a 
way to reference those objects that exist in the OTHER Domain. These DCs who 
are not GCs rely on the IM to provide this facility, but since the IM has 
stopped creating phantoms because it is also acting as a GC, then the facility 
does not exist for the non-GC DCs to use.


The DCs that are NOT GCs still can reference the object since it's replicated 
in after the phantom is created, however if your GC is on the IM
***AND*** you DO NOT have ALL DCs as GCs then the DCs which are GCs will not 
ever update the objects when they are renamed since there aren't any phantoms 
to update on the GC.

And Dean, Brett, or Eric will hopefully correct me if I'm wrong but any DC can 
and will create the phantom when necessary (or will it be the IM or PDC which 
actually 'creates' the phantom??) but it's the IMs job to update them...I think 
from the IM's perspective that it really doesn't care how they are created, its 
job is to just keep them accurate.  That part I'm not 100% clear on so I hope 
someone straightens it out for me / us.

Dean, Brett, or Eric...it's getting kinda deep here, can you clarify some of 
these things if possible?

Thanks!

Rob




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 2:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Your conclusion sounds good to me. When I talk about this IM/GC thingy, this is 
how I present it (to non- or semi-technical CxOs):
 
In a multi-Domain environment:
Each domain needs to know something about objects in the other domain.
 
A GC in one domain knows something about objects in other domains in a 
multi-domain environment.
 
An IM provides references to objects in OTHER domains by creating phantoms of 
those objects. These phantoms are used by other DCs in the IM's domain (who are 
not GCs) when they need to reference those objects that exist in the OTHER 
domain. These phantoms are NOT used by GCs because they already have a way to 
reference these objects.
 
Now, IF a GC is also the IM, it will NOT create phantoms BECAUSE it already 
knows about those objects that exist in the OTHER domain.
 
IF the IM does not create phantoms, then the DCs that are not GCs do not have a 
way to reference those objects that exist in the OTHER Domain. These DCs who 
are not GCs rely on the IM to provide this facility, but since the IM has 
stopped creating phantoms because it is also acting as a GC, then the facility 
does not exist for the non-GC DCs to use.
 
Now, IF all DCs in that domain are GCs, they will have knowledge of the objects 
in the OTHER domain and will know how to reference them WITHOUT relying on the 
existence of phantoms. In other words, they don't need the IM.
 
In a single 
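
The placement rule argued out above (Jose's summary of when the IM may sit on a GC, and Dean's follow-up on what the IM actually does with phantoms) can be checked against a live forest. The PowerShell below is an added example, not code from the thread; it assumes the ActiveDirectory RSAT module (which post-dates this 2005 discussion) and read access to every domain in the forest.

```powershell
# Added example, not from the thread: evaluate each domain's Infrastructure Master
# placement against the rule discussed above. Assumes the ActiveDirectory module
# and read access to every domain in the forest.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    [CmdletBinding()]
    param()

    $forest      = Get-ADForest
    $multiDomain = @($forest.Domains).Count -gt 1

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $imHost = $domain.InfrastructureMaster        # FQDN of the role holder

        # Every DC in this domain with its GC flag; -Server locates a DC of that domain.
        $dcs     = @(Get-ADDomainController -Filter * -Server $domainName)
        $imDc    = $dcs | Where-Object { $_.HostName -eq $imHost } | Select-Object -First 1
        $imIsGc  = ($null -ne $imDc) -and [bool]$imDc.IsGlobalCatalog
        $nonGcDc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

        # Rule from the thread: the IM may sit on a GC only when the forest has a
        # single domain, or when every DC in this domain is also a GC. Otherwise the
        # IM never sees stale cross-domain references and never updates them.
        $invalid = $imIsGc -and $multiDomain -and ($nonGcDc.Count -gt 0)
        $status  = if ($invalid) { 'INVALID: IM on a GC while non-GC DCs exist' } else { 'OK' }

        [pscustomobject]@{
            Domain               = $domainName
            InfrastructureMaster = $imHost
            ImIsGlobalCatalog    = $imIsGc
            NonGcDcs             = ($nonGcDc.HostName -join ', ')
            MultiDomainForest    = $multiDomain
            Status               = $status
        }
    }
}

# One row per domain; any INVALID row is a domain whose cross-domain group
# memberships will go stale after renames or moves in the other domains.
Test-InfrastructureMasterPlacement | Format-Table -AutoSize
```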

RE: [ActiveDir] RDP

2005-08-16 Thread Francis Ouellet
Hi Tom,

Here's what I used to do in another life:

-We kept term. Services opened since it was always easier to manage
(although most management was done from a remote mmc and/or cli tools)
-Kept the number of Domain Admins to a minimum :-) 
-Created an IPSec Policy for all DCs where any incoming connections to 3389
but a small subnet (where the windows admins sat) were denied.
-iLO w/ integrated AD accounts was enabled and configured as an
additional entry point if RDP were to fail for some odd reason. The iLO
port was on a totally different physical network (netops only hardware
switches) and couldn't be accessed from the "corp" network.

So hmm...no, we didn't turn it off :)

Oh yeah, while I'm almost OT...If you're running on HP ProLiants you can
use the iLO->RDP redirector that's been available for a while now in the
iLO firmware.

Hope this helps!

Francis

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: August 16, 2005 12:35 PM
To: activedirectory
Subject: [ActiveDir] RDP

Does anyone know of any articles from MS that advise for or against
having term services kept on a win2k3 DC?

Does anyone on this list turn it off on DC's?

Should I leave it on?
thanks


RE: [ActiveDir] dns migration

2005-08-16 Thread Brian Desmond
Well I don't quite understand what you're doing. But as I understand it
you're going to take the zone and transplant it to a new server. So, the
clients will simply be repointing. The ttl of a dns entry is simply how long
it remains in one cache or another. Perhaps you're thinking of lowering the
DHCP lease time. Yes, you can do it this way. Or, you can simply move the
zone over to the new box, update everything (inc scope), and slave the old
server to the new one until you've waited at least 1/2 your longest lease
time for everybody to get new IPs...

--brian

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 16, 2005 6:45 PM
To: activedirectory
Subject: [ActiveDir] dns migration

I'm moving my primary non-AD integrated DNS over to a different
server. The workstations will be getting the new DNS via DHCP and the
servers will get it via a VBScript.
Is there anything else I should do to ensure a smooth transition?
Should I lower the TTL for the zone just in case clients have changed
IPs via DHCP or anything else?
thanks


RE: [ActiveDir] RDP

2005-08-16 Thread Brian Desmond
How else do you plan to access the server? ILO port? Walk up access to the
DC in the Tuvalu field office can sometimes be difficult.

It's the first thing I ever turn on, personally. If your servers are in
dedicated server VLANs, you can always set the firewall rules as to what
hostgroup has access to TCP3389. 

--brian

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 16, 2005 11:35 AM
To: activedirectory
Subject: [ActiveDir] RDP

Does anyone know of any articles from MS that advise for or against
having term services kept on a win2k3 DC?

Does anyone on this list turn it off on DC's?

Should I leave it on?
thanks


RE: [ActiveDir] dns migration

2005-08-16 Thread deji
Hello, Al.
 
I am not getting the TTL angle. Since all he is changing is really the DNS
servers and the clients' IPs are not changing, I'd say bring up the new DNS
server, copy the zone to the new server (secondary promoted to primary),
reconfigure the DHCP scope to now hand out this new server as the DNS server,
then restart dnsclient services on the clients or reboot them.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Tue 8/16/2005 6:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dns migration


I've typically lowered the TTL in the past. Kind of a belts and braces
approach. 
 
I've typically done this by keeping both DNS servers online until I knew that
all clients had been updated. Zone xfer works wonders. 
 
Once the clients are using the new server, give it until TTL has expired
before sunsetting the original DNS server.
 
Al



From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 8/16/2005 7:44 PM
To: activedirectory
Subject: [ActiveDir] dns migration



I'm moving my primary non-AD integrated DNS over to a different
server. The workstations will be getting the new DNS via DHCP and the
servers will get it via a VBScript.
Is there anything else I should do to ensure a smooth transition?
Should I lower the TTL for the zone just in case clients have changed
IPs via DHCP or anything else?
thanks


RE: [ActiveDir] dns migration

2005-08-16 Thread Al Mulnick
I've typically lowered the TTL in the past. Kind of a belts and braces 
approach. 
 
I've typically done this by keeping both DNS servers online until I knew that 
all clients had been updated. Zone xfer works wonders. 
 
Once the clients are using the new server, give it until TTL has expired before 
sunsetting the original DNS server.
 
Al



From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 8/16/2005 7:44 PM
To: activedirectory
Subject: [ActiveDir] dns migration



I'm moving my primary non-AD integrated DNS over to a different
server. The workstations will be getting the new DNS via DHCP and the
servers will get it via a VBScript.
Is there anything else I should do to ensure a smooth transition?
Should I lower the TTL for the zone just in case clients have changed
IPs via DHCP or anything else?
thanks

RE: [ActiveDir] RDP

2005-08-16 Thread freddy_hartono
I guess it works with any other ports, if you don't need it close it...
well all of the servers that I'm handling are not local so this is needed
for me.

You can use 128-bit encryption built into the 2003 if you like, and you can
even implement those settings via GPO.

Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Wednesday, August 17, 2005 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] RDP

A port scanner will find the port, but I do agree it provides some
security. However, I still use a VPN and term. service is allowed only
from certain IPs.

Ravi Dogra wrote: 

I don't think anybody will be against it.

But the thing is that you can make such connections more secure by
modifying Registry and configuring it to work on some other port. using
default port is an open invitation for bad guys.

Well I am taking all benefits out of it.

Rest is up to you.

On 8/16/05, Tom Kern <[EMAIL PROTECTED]> wrote:

Does anyone know of any articles from MS that advise for or against
having term services kept on a win2k3 DC? 

Does anyone on this list turn it off on DC's?

Should I leave it on?
thanks

Re: [ActiveDir] RDP

2005-08-16 Thread Za Vue
A port scanner will find the port, but I do agree it provides some
security. However, I still use a VPN and term. service is allowed only
from certain IPs.


Ravi Dogra wrote:

  I don't think anybody will be against it.
   
  But the thing is that you can make such connections more secure
by modifying Registry and configuring it to work on some other port.
using default port is an open invitation for bad guys.
   
  Well I am taking all benefits out of it.
   
  Rest is up to you.
  
  On 8/16/05, Tom Kern <[EMAIL PROTECTED]> wrote:
  Does anyone know of any articles from MS that advise for or against
having term services kept on a win2k3 DC?

Does anyone on this list turn it off on DC's?

Should I leave it on?
thanks


[ActiveDir] dns migration

2005-08-16 Thread Tom Kern
I'm moving my primary non-AD integrated DNS over to a different
server. The workstations will be getting the new DNS via DHCP and the
servers will get it via a VBScript.
Is there anything else I should do to ensure a smooth transition?
Should I lower the TTL for the zone just in case clients have changed
IPs via DHCP or anything else?
thanks


RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

2005-08-16 Thread Charlie Kaiser
Yep. That's why I think it's a Unity bug. Sounds like they've flagged the wrong 
attribute.


**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> [EMAIL PROTECTED]
> Sent: Tuesday, August 16, 2005 3:12 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] User accounts with 
> showInAdvancedViewOnly=TRUE
> 
> Charlie, the mod you are doing in ADUC Exchange Advanced 
> corresponds to the
> "ShowInAddressBook" attrib, not the "showInAdvancedViewOnly" 
> attrib. I am not
> familiar with Unity, but from what you guys have been saying, 
> it looks that
> Unity is toggling the "showInAdvancedViewOnly" value, not (or maybe in
> addition to) the "ShowInAddressBook" attrib.
>  
>  
> Sincerely,
> 
> Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
> Microsoft MVP - Directory Services
> www.readymaids.com - we know IT
> www.akomolafe.com
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday?  -anon
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of Charlie Kaiser
> Sent: Tue 8/16/2005 2:44 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] User accounts with 
> showInAdvancedViewOnly=TRUE
> 
> 
> 
> OK; I just looked at that and verified that if I set the "Show
> subscriber in e-mail server address book " box in unity to be 
> unchecked,
> it sets the flag to true in AD. If I check it, the flag gets set to
> false.
> Except that our admin didn't touch the Unity config. That's the weird
> part. Perhaps it's a combination of disabling the account, 
> moving it to
> another OU, etc.
> Might be a unity bug; I'll look farther into that. Problem 
> is, if we set
> the "hide from address list" box in ADUC exchange advanced, it doesn't
> set the same flag in Unity. Seems like Unity and Exchange 
> aren't looking
> at the same attribute.
> If I get time, I'll call cisco on it tomorrow
> 
> **
> Charlie Kaiser
> W2K3 MCSA/MCSE/Security, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
> > Sent: Tuesday, August 16, 2005 2:19 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] User accounts with
> > showInAdvancedViewOnly=TRUE
> >
> > Well, here's what we found-
> >
> > Totally unrelated to Unity, our Unity admin contacted me about not
> > seeing an account in object picker to add to a group.  I checked and
> > showInAdvancedViewOnly=TRUE, I mentioned this discussion to 
> him, so he
> > looked at it from Unity interface-
> >
> > The setting in Unity for that account was "Do not list subscriber in
> > phone directory" and "Show subscriber in e-mail server 
> address book".
> > He changed it to "Do not show in GAL". saved it. Then 
> enabled both so
> > the settings are now "List in phone directory" and "Show 
> subscriber in
> > e-mail server address book"
> >
> > I looked again and showInAdvancedViewOnly: was toggled to  FALSE
> >
> > He's going to play around with it from the Unity side and see
> > if he can
> > repro the issue.
> >
> > hth
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
> > Sent: Tuesday, August 16, 2005 1:56 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] User accounts with
> > showInAdvancedViewOnly=TRUE
> >
> > This is a bit surreal,  I *just* got asked about this exact 
> situation
> > only a couple of minutes after Charlie's message.
> >
> > We are in a very similar environment although it's E2K 
> instead of 2K3,
> > is Unity a common denominator? 
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Michael B.
> > Smith
> > Sent: Tuesday, August 16, 2005 1:33 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] User accounts with
> > showInAdvancedViewOnly=TRUE
> >
> > I can't explain it to you, but you aren't alone. I've seen 
> exactly the
> > same thing happen (and I'm in the same environment you
> > describe). But it
> > never made it high enough up my priority list to investigate.
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > Charlie Kaiser
> > Sent: Tuesday, August 16, 2005 4:19 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
> >
> > I've recently run into a weird problem and can't find anything that
> > explains it to me.
> >
> > W2K3 AD single-domain forest, 2K3 native mode, E2K3 
> enterprise, Cisco
> > Unity VM schema extensions.
> >
> > Our junior admin recently handled a couple of user terminations.
> > Disabled the account, set self to full mailbox 
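
Charlie's original post in this thread describes finding the affected accounts with ADFind after they vanished from ADUC's default view. The PowerShell below is an added example, not code from the thread: it runs the same audit over a domain, reports the context needed to judge whether the flag is expected, and can optionally clear it. It assumes the ActiveDirectory RSAT module, read access to the search base and, for -Repair, write access to the affected objects.

```powershell
# Added example, not from the thread: audit user objects whose
# showInAdvancedViewOnly flag is TRUE (the condition Charlie found with ADFind).
# Assumes the ActiveDirectory module; -Repair additionally needs write access.
Import-Module ActiveDirectory

function Find-HiddenUserAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Subtree to search; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # When set, reset the flag so the object reappears in ADUC's normal view.
        [switch]$Repair
    )

    # Same condition as the ADFind query in the thread, expressed as an LDAP filter.
    $filter = '(&(objectCategory=person)(objectClass=user)(showInAdvancedViewOnly=TRUE))'
    $props  = 'showInAdvancedViewOnly', 'showInAddressBook', 'whenChanged', 'Enabled'

    foreach ($u in Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties $props) {
        # Report the context that matters when deciding whether the flag is expected:
        # a disabled account in a "terminated" OU is a different case from an
        # enabled one hidden in a production OU.
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            # Parent container; assumes the RDN itself contains no escaped comma.
            ParentOU       = ($u.DistinguishedName -replace '^CN=[^,]+,', '')
            WhenChanged    = $u.whenChanged
            # showInAddressBook is multi-valued; empty means hidden from the GAL too.
            InAddressBook  = (@($u.showInAddressBook).Count -gt 0)
        }

        if ($Repair -and $PSCmdlet.ShouldProcess($u.DistinguishedName, 'Set showInAdvancedViewOnly=FALSE')) {
            Set-ADUser -Identity $u -Replace @{ showInAdvancedViewOnly = $false }
        }
    }
}

# Report only; use "-Repair -WhatIf" to preview the fix and "-Repair" to apply it.
Find-HiddenUserAccount | Format-Table -AutoSize
```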

RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

2005-08-16 Thread deji
OK, so we know now that Unity is doing the toggling.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Free, Bob
Sent: Tue 8/16/2005 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE



Hope it's not bad juju to reply to myself 2x in the same day :-]

Here's what our Unity admin found on his side-

When "Show in the GAL" is not checked, it makes the
"showInAdvancedViewOnly: TRUE"
When it's checked it shows "showInAdvancedViewOnly: FALSE"
The "list in phone directory" setting doesn't make any difference.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 16, 2005 2:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

Well, here's what we found-

Totally unrelated to Unity, our Unity admin contacted me about not
seeing an account in object picker to add to a group.  I checked and
showInAdvancedViewOnly=TRUE, I mentioned this discussion to him, so he
looked at it from Unity interface-

The setting in Unity for that account was "Do not list subscriber in
phone directory" and "Show subscriber in e-mail server address book".
He changed it to "Do not show in GAL". saved it. Then enabled both so
the settings are now "List in phone directory" and "Show subscriber in
e-mail server address book"

I looked again and showInAdvancedViewOnly: was toggled to  FALSE

He's going to play around with it from the Unity side and see if he can
repro the issue.

hth

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 16, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

This is a bit surreal,  I *just* got asked about this exact situation
only a couple of minutes after Charlie's message.

We are in a very similar environment although it's E2K instead of 2K3,
is Unity a common denominator? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B.
Smith
Sent: Tuesday, August 16, 2005 1:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

I can't explain it to you, but you aren't alone. I've seen exactly the
same thing happen (and I'm in the same environment you describe). But it
never made it high enough up my priority list to investigate.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, August 16, 2005 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

I've recently run into a weird problem and can't find anything that
explains it to me.

W2K3 AD single-domain forest, 2K3 native mode, E2K3 enterprise, Cisco
Unity VM schema extensions.

Our junior admin recently handled a couple of user terminations.
Disabled the account, set self to full mailbox access, moved account
from Employees OU to terminated sub-OU. I had to do something to one of
those accounts and didn't see it in ADUC. Knew it was there somewhere,
so fired up ADFind. Turns out the showInAdvancedViewOnly attribute had
been set to TRUE.

Junior admin logs into exchange server to perform the account
management, because it's the only machine that has the exchange admin
tools on it that he can access. (That's changing today; he WILL load the
tools on his machine. ) He didn't do anything special, doesn't use
ADSIEdit or DSMOD; strictly the ADUC GUI.

I'm trying to figure out why this would happen, and I don't have a clue.
Any ideas? Easy enough to set the attribute back, but I'm wondering why
it would set it in the first place. AFAIK, there isn't any way to set
that attribute via the ADUC GUI...
This has only happened on two accounts, both dealt with in the past
couple of weeks...

Thanks!

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

2005-08-16 Thread Free, Bob
Hope it's not bad juju to reply to myself 2x in the same day :-]

Here's what our Unity admin found on his side-

When "Show in the GAL" is not checked, it makes the
"showInAdvancedViewOnly: TRUE"
When it's checked it shows "showInAdvancedViewOnly: FALSE" 
The "list in phone directory" setting doesn't make any difference. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 16, 2005 2:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

Well, here's what we found- 

Totally unrelated to Unity, our Unity admin contacted me about not
seeing an account in object picker to add to a group.  I checked and
showInAdvancedViewOnly=TRUE, I mentioned this discussion to him, so he
looked at it from Unity interface-

The setting in Unity for that account was "Do not list subscriber in
phone directory" and "Show subscriber in e-mail server address book".
He changed it to "Do not show in GAL". saved it. Then enabled both so
the settings are now "List in phone directory" and "Show subscriber in
e-mail server address book"

I looked again and showInAdvancedViewOnly: was toggled to  FALSE

He's going to play around with it from the Unity side and see if he can
repro the issue.

hth

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 16, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

This is a bit surreal,  I *just* got asked about this exact situation
only a couple of minutes after Charlie's message. 

We are in a very similar environment although it's E2K instead of 2K3,
is Unity a common denominator?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B.
Smith
Sent: Tuesday, August 16, 2005 1:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

I can't explain it to you, but you aren't alone. I've seen exactly the
same thing happen (and I'm in the same environment you describe). But it
never made it high enough up my priority list to investigate. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, August 16, 2005 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

I've recently run into a weird problem and can't find anything that
explains it to me.

W2K3 AD single-domain forest, 2K3 native mode, E2K3 enterprise, Cisco
Unity VM schema extensions.

Our junior admin recently handled a couple of user terminations.
Disabled the account, set self to full mailbox access, moved account
from Employees OU to terminated sub-OU. I had to do something to one of
those accounts and didn't see it in ADUC. Knew it was there somewhere,
so fired up ADFind. Turns out the showInAdvancedViewOnly attribute had
been set to TRUE.

Junior admin logs into exchange server to perform the account
management, because it's the only machine that has the exchange admin
tools on it that he can access. (That's changing today; he WILL load the
tools on his machine. ) He didn't do anything special, doesn't use
ADSIEdit or DSMOD; strictly the ADUC GUI.

I'm trying to figure out why this would happen, and I don't have a clue.
Any ideas? Easy enough to set the attribute back, but I'm wondering why
it would set it in the first place. AFAIK, there isn't any way to set
that attribute via the ADUC GUI...
This has only happened on two accounts, both dealt with in the past
couple of weeks...

Thanks!

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

2005-08-16 Thread deji
Charlie, the mod you are doing in ADUC Exchange Advanced corresponds to the
"ShowInAddressBook" attrib, not the "showInAdvancedViewOnly" attrib. I am not
familiar with Unity, but from what you guys have been saying, it looks that
Unity is toggling the "showInAdvancedViewOnly" value, not (or maybe in
addition to) the "ShowInAddressBook" attrib.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Charlie Kaiser
Sent: Tue 8/16/2005 2:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE



OK; I just looked at that and verified that if I set the "Show
subscriber in e-mail server address book" box in Unity to be unchecked,
it sets the flag to true in AD. If I check it, the flag gets set to
false.
Except that our admin didn't touch the Unity config. That's the weird
part. Perhaps it's a combination of disabling the account, moving it to
another OU, etc.
Might be a Unity bug; I'll look further into that. Problem is, if we set
the "hide from address list" box in ADUC Exchange Advanced, it doesn't
set the same flag in Unity. Seems like Unity and Exchange aren't looking
at the same attribute.
If I get time, I'll call Cisco on it tomorrow.

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
> Sent: Tuesday, August 16, 2005 2:19 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] User accounts with
> showInAdvancedViewOnly=TRUE
>
> Well, here's what we found-
>
> Totally unrelated to Unity, our Unity admin contacted me about not
> seeing an account in object picker to add to a group.  I checked and
> showInAdvancedViewOnly=TRUE, I mentioned this discussion to him, so he
> looked at it from Unity interface-
>
> The setting in Unity for that account was "Do not list subscriber in
> phone directory" and "Show subscriber in e-mail server address book".
> He changed it to "Do not show in GAL". saved it. Then enabled both so
> the settings are now "List in phone directory" and "Show subscriber in
> e-mail server address book"
>
> I looked again and showInAdvancedViewOnly: was toggled to  FALSE
>
> He's going to play around with it from the Unity side and see
> if he can
> repro the issue.
>
> hth
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
> Sent: Tuesday, August 16, 2005 1:56 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] User accounts with
> showInAdvancedViewOnly=TRUE
>
> This is a bit surreal,  I *just* got asked about this exact situation
> only a couple of minutes after Charlie's message.
>
> We are in a very similar environment although it's E2K instead of 2K3,
> is Unity a common denominator? 
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Michael B.
> Smith
> Sent: Tuesday, August 16, 2005 1:33 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] User accounts with
> showInAdvancedViewOnly=TRUE
>
> I can't explain it to you, but you aren't alone. I've seen exactly the
> same thing happen (and I'm in the same environment you
> describe). But it
> never made it high enough up my priority list to investigate.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Charlie Kaiser
> Sent: Tuesday, August 16, 2005 4:19 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
>
> I've recently run into a weird problem and can't find anything that
> explains it to me.
>
> W2K3 AD single-domain forest, 2K3 native mode, E2K3 enterprise, Cisco
> Unity VM schema extensions.
>
> Our junior admin recently handled a couple of user terminations.
> Disabled the account, set self to full mailbox access, moved account
> from Employees OU to terminated sub-OU. I had to do something
> to one of
> those accounts and didn't see it in ADUC. Knew it was there somewhere,
> so fired up ADFind. Turns out the showInAdvancedViewOnly attribute had
> been set to TRUE.
>
> Junior admin logs into exchange server to perform the account
> management, because it's the only machine that has the exchange admin
> tools on it that he can access. (That's changing today; he
> WILL load the
> tools on his machine. ) He didn't do anything special, doesn't use
> ADSIEdit or DSMOD; strictly the ADUC GUI.
>
> I'm trying to figure out why this would happen, and I don't
> have a clue.
> Any ideas? Easy enough to set the attribute back, but I'm
> wondering why
> it would set it in the first place. AFAIK, there isn't a

Re: [ActiveDir] RDP

2005-08-16 Thread Ravi Dogra
I don't think anybody will be against it.
 
But the thing is that you can make such connections more secure by modifying the Registry and configuring it to work on some other port. Using the default port is an open invitation for bad guys.

Well, I am taking all benefits out of it.

Rest is up to you.
On 8/16/05, Tom Kern <[EMAIL PROTECTED]> wrote:
Does anyone know of any articles from MS that advise for or against
having term services kept on a win2k3 DC?
Does anyone on this list turn it off on DC's?
Should I leave it on?
thanks


RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

2005-08-16 Thread Charlie Kaiser
OK; I just looked at that and verified that if I set the "Show
subscriber in e-mail server address book" box in Unity to be unchecked,
it sets the flag to true in AD. If I check it, the flag gets set to
false.
Except that our admin didn't touch the Unity config. That's the weird
part. Perhaps it's a combination of disabling the account, moving it to
another OU, etc.
Might be a Unity bug; I'll look further into that. Problem is, if we set
the "hide from address list" box in ADUC Exchange Advanced, it doesn't
set the same flag in Unity. Seems like Unity and Exchange aren't looking
at the same attribute.
If I get time, I'll call Cisco on it tomorrow.

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
> Sent: Tuesday, August 16, 2005 2:19 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] User accounts with 
> showInAdvancedViewOnly=TRUE
> 
> Well, here's what we found- 
> 
> Totally unrelated to Unity, our Unity admin contacted me about not
> seeing an account in object picker to add to a group.  I checked and
> showInAdvancedViewOnly=TRUE, I mentioned this discussion to him, so he
> looked at it from Unity interface-
> 
> The setting in Unity for that account was "Do not list subscriber in
> phone directory" and "Show subscriber in e-mail server address book".
> He changed it to "Do not show in GAL". saved it. Then enabled both so
> the settings are now "List in phone directory" and "Show subscriber in
> e-mail server address book"
> 
> I looked again and showInAdvancedViewOnly: was toggled to  FALSE
> 
> He's going to play around with it from the Unity side and see 
> if he can
> repro the issue.
> 
> hth
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
> Sent: Tuesday, August 16, 2005 1:56 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] User accounts with 
> showInAdvancedViewOnly=TRUE
> 
> This is a bit surreal,  I *just* got asked about this exact situation
> only a couple of minutes after Charlie's message. 
> 
> We are in a very similar environment although it's E2K instead of 2K3,
> is Unity a common denominator?  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Michael B.
> Smith
> Sent: Tuesday, August 16, 2005 1:33 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] User accounts with 
> showInAdvancedViewOnly=TRUE
> 
> I can't explain it to you, but you aren't alone. I've seen exactly the
> same thing happen (and I'm in the same environment you 
> describe). But it
> never made it high enough up my priority list to investigate. 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Charlie Kaiser
> Sent: Tuesday, August 16, 2005 4:19 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE
> 
> I've recently run into a weird problem and can't find anything that
> explains it to me.
> 
> W2K3 AD single-domain forest, 2K3 native mode, E2K3 enterprise, Cisco
> Unity VM schema extensions.
> 
> Our junior admin recently handled a couple of user terminations.
> Disabled the account, set self to full mailbox access, moved account
> from Employees OU to terminated sub-OU. I had to do something 
> to one of
> those accounts and didn't see it in ADUC. Knew it was there somewhere,
> so fired up ADFind. Turns out the showInAdvancedViewOnly attribute had
> been set to TRUE.
> 
> Junior admin logs into exchange server to perform the account
> management, because it's the only machine that has the exchange admin
> tools on it that he can access. (That's changing today; he 
> WILL load the
> tools on his machine. ) He didn't do anything special, doesn't use
> ADSIEdit or DSMOD; strictly the ADUC GUI.
> 
> I'm trying to figure out why this would happen, and I don't 
> have a clue.
> Any ideas? Easy enough to set the attribute back, but I'm 
> wondering why
> it would set it in the first place. AFAIK, there isn't any way to set
> that attribute via the ADUC GUI...
> This has only happened on two accounts, both dealt with in the past
> couple of weeks...
> 
> Thanks!
> 
> **
> Charlie Kaiser
> W2K3 MCSA/MCSE/Security, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **
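As an added example (not code from the thread, from ADFind or from Cisco), here is a small Python audit that parses ADFind-style output for user objects with showInAdvancedViewOnly=TRUE, flags the ones that are still enabled (a hidden, enabled account deserves a second look, whereas a hidden, disabled, terminated account is the pattern the thread describes), and emits an LDIF change file that sets the attribute back to FALSE for import with ldifde. The sample output is constructed in the shape of ADFind's "dn:" / ">attr: value" listing; the LDAP filter and attribute list are assumptions, and the exact ADFind command line is not shown.

```python
"""Audit AD user objects hidden by showInAdvancedViewOnly=TRUE.

Reads ADFind-style output (a "dn:" line followed by ">attr: value" lines),
reports every user whose showInAdvancedViewOnly is TRUE together with its
enabled/disabled state, and writes an LDIF change file that sets the
attribute back to FALSE for import with ldifde.
"""
from dataclasses import dataclass, field

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on a disabled account

# LDAP filter and attribute list for the query; attribute names come from the
# thread, the exact ADFind command line is an assumption and is not shown here.
AUDIT_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                "(showInAdvancedViewOnly=TRUE))")
AUDIT_ATTRS = ("sAMAccountName", "showInAdvancedViewOnly", "userAccountControl")


@dataclass
class AdObject:
    dn: str
    attrs: dict = field(default_factory=dict)  # lower-cased name -> [values]


def parse_adfind(text):
    """Turn ADFind-style output into AdObject records; banner lines are skipped."""
    objects, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("dn:"):
            current = AdObject(dn=line[3:].strip())
            objects.append(current)
        elif line.startswith(">") and current is not None:
            name, _, value = line[1:].partition(":")
            current.attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return objects


def is_hidden(obj):
    """TRUE on showInAdvancedViewOnly hides the object from the default ADUC view."""
    return any(v.upper() == "TRUE" for v in obj.attrs.get("showinadvancedviewonly", []))


def is_disabled(obj):
    """Decode the ACCOUNTDISABLE bit of userAccountControl (unparseable -> enabled)."""
    try:
        return bool(int(obj.attrs.get("useraccountcontrol", ["0"])[0]) & ACCOUNTDISABLE)
    except ValueError:
        return False


def audit(text):
    """Return (sAMAccountName, dn, disabled) for every hidden user, enabled ones first."""
    findings = [(obj.attrs.get("samaccountname", ["?"])[0], obj.dn, is_disabled(obj))
                for obj in parse_adfind(text) if is_hidden(obj)]
    findings.sort(key=lambda f: (f[2], f[0]))  # enabled (False) sorts before disabled
    return findings


def remediation_ldif(findings):
    """LDIF change records (ldifde -i format) that clear the flag on each finding."""
    records = []
    for _, dn, _ in findings:
        records.append("\n".join([
            f"dn: {dn}",
            "changetype: modify",
            "replace: showInAdvancedViewOnly",
            "showInAdvancedViewOnly: FALSE",
            "-",
        ]))
    return "\n\n".join(records) + ("\n" if records else "")


# Constructed sample in the shape of ADFind output; not a real capture.
SAMPLE = """\
AdFind (constructed sample output)

dn:CN=Alice Example,OU=Employees,DC=example,DC=com
>sAMAccountName: aexample
>showInAdvancedViewOnly: TRUE
>userAccountControl: 512

dn:CN=Term User,OU=Terminated,OU=Employees,DC=example,DC=com
>sAMAccountName: tuser
>showInAdvancedViewOnly: TRUE
>userAccountControl: 514

dn:CN=Bob Visible,OU=Employees,DC=example,DC=com
>sAMAccountName: bvisible
>showInAdvancedViewOnly: FALSE
>userAccountControl: 512

3 Objects returned
"""

if __name__ == "__main__":
    results = audit(SAMPLE)
    for sam, dn, disabled in results:
        print(f"{('DISABLED' if disabled else 'ENABLED'):8} {sam:12} {dn}")
    print(remediation_ldif(results))
```

Feed the script real ADFind output for the AUDIT_FILTER query and review the ENABLED rows first; the generated LDIF can be imported with ldifde once you have decided which accounts should become visible again.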

RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

2005-08-16 Thread Marcus.Oh
While we’re on the Unity thread…
did you guys have a helluva time getting Cisco to open up with what was
happening with that god-awful Permissions Wizard???

:m:dsm:cci:mvp

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve
Sent: Tuesday, August 16, 2005 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

I've seen this behavior every few months.  We have Unity as well
and I always blamed it on it as I've never seen this on any of my clients who
do not have Unity.

Simple fix, but still annoying to have to watch out for it and correct
it.  It seems to be random as I can find no pattern as to who it will
happen to next.

Cheers

On 8/16/05, Free, Bob <[EMAIL PROTECTED]> wrote:

This is a bit surreal,  I *just* got asked about this exact situation
only a couple of minutes after Charlie's message.

We are in a very similar environment although it's E2K instead of 2K3,
is Unity a common denominator?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Michael B. Smith
Sent: Tuesday, August 16, 2005 1:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

I can't explain it to you, but you aren't alone. I've seen exactly the
same thing happen (and I'm in the same environment you describe). But it 
never made it high enough up my priority list to investigate.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Charlie Kaiser
Sent: Tuesday, August 16, 2005 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

I've recently run into a weird problem and can't find anything that
explains it to me.

W2K3 AD single-domain forest, 2K3 native mode, E2K3 enterprise, Cisco
Unity VM schema extensions.

Our junior admin recently handled a couple of user terminations. 
Disabled the account, set self to full mailbox access, moved account
from Employees OU to terminated sub-OU. I had to do something to one of
those accounts and didn't see it in ADUC. Knew it was there somewhere, 
so fired up ADFind. Turns out the showInAdvancedViewOnly attribute had
been set to TRUE.

Junior admin logs into exchange server to perform the account
management, because it's the only machine that has the exchange admin 
tools on it that he can access. (That's changing today; he WILL load the
tools on his machine. ) He didn't do anything special, doesn't use
ADSIEdit or DSMOD; strictly the ADUC GUI.

I'm trying to figure out why this would happen, and I don't have a clue. 
Any ideas? Easy enough to set the attribute back, but I'm wondering why
it would set it in the first place. AFAIK, there isn't any way to set
that attribute via the ADUC GUI...
This has only happened on two accounts, both dealt with in the past 
couple of weeks...

Thanks!

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

2005-08-16 Thread deji
Unfortunately, I don't. I just remember it being a "standard" practice when
we have to "hide" address lists of one company from all the other companies
we were hosting emails for.
 
If I come across a reference, I'll post it.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Michael B. Smith
Sent: Tue 8/16/2005 2:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE



Yes, I have hundreds of restricted address lists. Do you have a reference you
could share?

Thanks.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

Exchange in the mix. Is custom address list in the mix also? Using restricted
view of address list? Could the user have been part of this list and the list
has had its "showInAdvancedViewOnly" set to TRUE in the past? This is common
in the Hosted Exchange space. At least it was when I used to play there.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Michael B. Smith
Sent: Tue 8/16/2005 1:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE



I can't explain it to you, but you aren't alone. I've seen exactly the same
thing happen (and I'm in the same environment you describe). But it never
made it high enough up my priority list to investigate.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, August 16, 2005 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

I've recently run into a weird problem and can't find anything that explains
it to me.

W2K3 AD single-domain forest, 2K3 native mode, E2K3 enterprise, Cisco Unity
VM schema extensions.

Our junior admin recently handled a couple of user terminations.
Disabled the account, set self to full mailbox access, moved account from
Employees OU to terminated sub-OU. I had to do something to one of those
accounts and didn't see it in ADUC. Knew it was there somewhere, so fired up
ADFind. Turns out the showInAdvancedViewOnly attribute had been set to TRUE.

Junior admin logs into exchange server to perform the account management,
because it's the only machine that has the exchange admin tools on it that he
can access. (That's changing today; he WILL load the tools on his machine.
) He didn't do anything special, doesn't use ADSIEdit or DSMOD; strictly
the ADUC GUI.

I'm trying to figure out why this would happen, and I don't have a clue.
Any ideas? Easy enough to set the attribute back, but I'm wondering why it
would set it in the first place. AFAIK, there isn't any way to set that
attribute via the ADUC GUI...
This has only happened on two accounts, both dealt with in the past couple of
weeks...

Thanks!

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**


[ActiveDir] third party FTP server

2005-08-16 Thread Antonio Aranda
Does any one know of a good third party FTP server that does not require
local logon access?

Antonio



RE: [ActiveDir] EmployeeID AD attribute

2005-08-16 Thread deji
Not as far as I know. Maybe Joe will do something similar to his ABE tool,
thereby nudging MS to come up with something.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of RM
Sent: Tue 8/16/2005 2:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] EmployeeID AD attribute



Hi,

Has anyone discovered a less-kludgy way to turn-on the "hidden" user
attributes in AD, such as EmployeeID?  I found several sites that document
using Schmmgmt, ADSIedit, and a .vbs script.  Is there a cleaner way to
implement this?  Can this field somehow be added to the normal "properties"
menu for a user (instead of being accessed only via right-click)?

Thx,

RM



Re: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

2005-08-16 Thread Steve
I've seen this behavior every few months.  We have Unity as well and I always blamed it on it as I've never seen this on any of my clients who do not have Unity.
 
Simple fix, but still annoying to have to watch out for it and correct it.  It seems to be random as I can find no pattern as to who it will happen to next.
 
Cheers 
On 8/16/05, Free, Bob <[EMAIL PROTECTED]> wrote:
This is a bit surreal,  I *just* got asked about this exact situation
only a couple of minutes after Charlie's message.

We are in a very similar environment although it's E2K instead of 2K3,
is Unity a common denominator?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Michael B. Smith
Sent: Tuesday, August 16, 2005 1:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

I can't explain it to you, but you aren't alone. I've seen exactly the
same thing happen (and I'm in the same environment you describe). But it
never made it high enough up my priority list to investigate.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Charlie Kaiser
Sent: Tuesday, August 16, 2005 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

I've recently run into a weird problem and can't find anything that
explains it to me.

W2K3 AD single-domain forest, 2K3 native mode, E2K3 enterprise, Cisco
Unity VM schema extensions.

Our junior admin recently handled a couple of user terminations.
Disabled the account, set self to full mailbox access, moved account
from Employees OU to terminated sub-OU. I had to do something to one of
those accounts and didn't see it in ADUC. Knew it was there somewhere,
so fired up ADFind. Turns out the showInAdvancedViewOnly attribute had
been set to TRUE.

Junior admin logs into exchange server to perform the account
management, because it's the only machine that has the exchange admin
tools on it that he can access. (That's changing today; he WILL load the
tools on his machine. ) He didn't do anything special, doesn't use
ADSIEdit or DSMOD; strictly the ADUC GUI.

I'm trying to figure out why this would happen, and I don't have a clue.
Any ideas? Easy enough to set the attribute back, but I'm wondering why
it would set it in the first place. AFAIK, there isn't any way to set
that attribute via the ADUC GUI...
This has only happened on two accounts, both dealt with in the past
couple of weeks...

Thanks!

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**


RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

2005-08-16 Thread Charlie Kaiser
We're not using any address lists except the default. I'm the only one in our 
building who can spell ADSIEdit or do any scripting, so no one would have done 
anything like that here.
I keep coming back to Unity, except that this has only happened on two accounts 
and we've been running Unity 4.0(4) for the past 6 months with no issue...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

2005-08-16 Thread Michael B. Smith
Yes, I have hundreds of restricted address lists. Do you have a reference you 
could share?

Thanks. 



RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

2005-08-16 Thread Free, Bob
Well, here's what we found- 

Totally unrelated to Unity, our Unity admin contacted me about not
seeing an account in object picker to add to a group.  I checked and
showInAdvancedViewOnly=TRUE, I mentioned this discussion to him, so he
looked at it from Unity interface-

The setting in Unity for that account was "Do not list subscriber in
phone directory" and "Show subscriber in e-mail server address book".
He changed it to "Do not show in GAL" and saved it. Then he enabled both, so
the settings are now "List in phone directory" and "Show subscriber in
e-mail server address book".

I looked again and showInAdvancedViewOnly was toggled to FALSE.

He's going to play around with it from the Unity side and see if he can
repro the issue.

hth



RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

2005-08-16 Thread Michael B. Smith
Yes, I run Unity in UM mode. 



[ActiveDir] EmployeeID AD attribute

2005-08-16 Thread RM
Hi,

Has anyone discovered a less-kludgy way to turn on the "hidden" user attributes in AD, such as EmployeeID?  I found several sites that document using Schmmgmt, ADSIedit, and a .vbs script.  Is there a cleaner way to implement this?  Can this field somehow be added to the normal "properties" menu for a user (instead of being accessed only via right-click)?

Thx,
RM



[ActiveDir] Property Sets?

2005-08-16 Thread Marcus.Oh
Anyone have a good link detailing how to create and administer (e.g. apply permission) to property sets?

Thanks!

m




RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

2005-08-16 Thread Free, Bob
This is a bit surreal,  I *just* got asked about this exact situation
only a couple of minutes after Charlie's message. 

We are in a very similar environment although it's E2K instead of 2K3,
is Unity a common denominator?  



RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

2005-08-16 Thread deji
Exchange in the mix. Is custom address list in the mix also? Using restricted
view of address list? Could the user have been part of this list and the list
has had its "showInAdvancedViewOnly" set to TRUE in the past? This is common
in the Hosted Exchange space. At least it was when I used to play there.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon





RE: [ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

2005-08-16 Thread Michael B. Smith
I can't explain it to you, but you aren't alone. I've seen exactly the
same thing happen (and I'm in the same environment you describe). But it
never made it high enough up my priority list to investigate. 



[ActiveDir] User accounts with showInAdvancedViewOnly=TRUE

2005-08-16 Thread Charlie Kaiser
I've recently run into a weird problem and can't find anything that
explains it to me.

W2K3 AD single-domain forest, 2K3 native mode, E2K3 enterprise, Cisco
Unity VM schema extensions.

Our junior admin recently handled a couple of user terminations.
Disabled the account, set self to full mailbox access, moved account
from Employees OU to terminated sub-OU. I had to do something to one of
those accounts and didn't see it in ADUC. Knew it was there somewhere,
so fired up ADFind. Turns out the showInAdvancedViewOnly attribute had
been set to TRUE.

Junior admin logs into exchange server to perform the account
management, because it's the only machine that has the exchange admin
tools on it that he can access. (That's changing today; he WILL load the
tools on his machine. ) He didn't do anything special, doesn't use
ADSIEdit or DSMOD; strictly the ADUC GUI.

I'm trying to figure out why this would happen, and I don't have a clue.
Any ideas? Easy enough to set the attribute back, but I'm wondering why
it would set it in the first place. AFAIK, there isn't any way to set
that attribute via the ADUC GUI...
This has only happened on two accounts, both dealt with in the past
couple of weeks...

Thanks!

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
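Added example (not code from the thread or from any of its posters): a Python audit for the situation Charlie describes. It reads an LDIF export of the kind ldifde writes, reports user objects carrying showInAdvancedViewOnly=TRUE, separates hidden-but-enabled accounts (the ones worth chasing first) from disabled ones like the terminations above, and emits the LDIF that flips the attribute back. The records, DNs and OU names are constructed.

```python
"""Audit for user accounts hidden by showInAdvancedViewOnly=TRUE (added example,
not code from the thread). Works over an LDIF export as ldifde writes it, so it
runs offline; every record below is constructed."""

# Filter to pull candidates with adfind or ldifde. Restricting to user objects
# matters: many system containers legitimately carry the attribute.
HIDDEN_USER_FILTER = "(&(objectCategory=person)(objectClass=user)(showInAdvancedViewOnly=TRUE))"
UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit: account is disabled

# Constructed export, trimmed to the attributes inspected: a visible user, a
# hidden disabled user (the termination case in the thread), a hidden enabled
# user, a system container and a computer (the last two must not be reported).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Employees,DC=example,DC=test
objectClass: user
sAMAccountName: alice
userAccountControl: 512
whenChanged: 20050801120000.0Z

dn: CN=Bob Former,OU=Terminated,OU=Employees,DC=example,DC=test
objectClass: user
sAMAccountName: bformer
userAccountControl: 514
showInAdvancedViewOnly: TRUE
whenChanged: 20050815093000.0Z

dn: CN=Svc Backup,OU=Employees,DC=example,DC=test
objectClass: user
sAMAccountName: svc-backup
userAccountControl: 66048
showInAdvancedViewOnly: TRUE
whenChanged: 20050816141200.0Z

dn: CN=System,DC=example,DC=test
objectClass: container
showInAdvancedViewOnly: TRUE

dn: CN=WS01,OU=Workstations,DC=example,DC=test
objectClass: user
objectClass: computer
sAMAccountName: WS01$
userAccountControl: 4096
showInAdvancedViewOnly: TRUE
"""


def parse_ldif(text):
    """LDIF records -> dicts of lowercase attribute -> [values]; folded lines joined."""
    records, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():  # blank line ends a record
            if current:
                records.append(current)
            current, last_key = {}, None
        elif line.startswith(" ") and last_key:  # continuation of previous value
            current[last_key][-1] += line[1:]
        elif ":" in line and not line.startswith("#"):
            key, _, value = line.partition(":")
            last_key = key.strip().lower()
            current.setdefault(last_key, []).append(value.lstrip(": ").strip())
    if current:
        records.append(current)
    return records


def find_hidden_users(records):
    """Return user objects (not computers) whose showInAdvancedViewOnly is TRUE."""
    findings = []
    for rec in records:
        classes = {c.lower() for c in rec.get("objectclass", [])}
        if "user" not in classes or "computer" in classes:
            continue
        if rec.get("showinadvancedviewonly", ["FALSE"])[0].upper() != "TRUE":
            continue
        uac = int(rec.get("useraccountcontrol", ["0"])[0])
        findings.append({"dn": rec.get("dn", [""])[0], "sam": rec.get("samaccountname", [""])[0],
                         "disabled": bool(uac & UF_ACCOUNTDISABLE),
                         "whenChanged": rec.get("whenchanged", [""])[0]})
    return findings


def triage(findings):
    """Hidden *enabled* accounts come first: they can still log on while invisible in ADUC."""
    return {"enabled_hidden": [f["sam"] for f in findings if not f["disabled"]],
            "disabled_hidden": [f["sam"] for f in findings if f["disabled"]]}


def remediation_ldif(dn):
    """LDIF modify record (input for ldifde -i) that makes the object visible again."""
    return ("dn: %s\nchangetype: modify\nreplace: showInAdvancedViewOnly\n"
            "showInAdvancedViewOnly: FALSE\n-\n" % dn)


if __name__ == "__main__":
    hidden = find_hidden_users(parse_ldif(SAMPLE_LDIF))
    for f in hidden:
        print("%-11s disabled=%-5s changed=%s  %s" % (f["sam"], f["disabled"], f["whenChanged"], f["dn"]))
    print(triage(hidden))
    print(remediation_ldif(hidden[0]["dn"]), end="")
```

Running the same filter periodically and diffing the result against the previous run turns the one-off surprise in the thread into a routine check, with whenChanged giving the window to correlate against admin activity.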


RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread deji
Thanks, Robert. Oh, ... and Dean, too :-p
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE)
Sent: Tue 8/16/2005 12:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology



I like your explanation...please allow me to comment on a snippet just to be
sure we're on the same page:


IF the IM does not create phantoms, then the DCs that are not GCs do not have
a way to reference those objects that exist in the OTHER Domain. These DCs
who are not GCs rely on the IM to provide this facility, but since the IM has
stopped creating phantoms because it is also acting as a GC, then the
facility does not exist for the non-GC DCs to use.


The DCs that are NOT GCs still can reference the object since it's replicated
in after the phantom is created, however if your GC is on the IM ***AND***
you DO NOT have ALL DCs as GCs then the DCs which are GCs will not ever
update the objects when they are renamed since there aren't any phantoms to
update on the GC.

And Dean, Brett, or Eric will hopefully correct me if I'm wrong but any DC
can and will create the phantom when necessary (or will it be the IM or PDC
which actually 'creates' the phantom??) but it's the IM's job to update
them...I think from the IM's perspective that it really doesn't care how they
are created, its job is to just keep them accurate.  That part I'm not 100%
clear on so I hope someone straightens it out for me / us.

Dean, Brett, or Eric...it's getting kinda deep here, can you clarify some of
these things if possible?

Thanks!

Rob




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 2:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Your conclusion sounds good to me. When I talk about this IM/GC thingy, this
is how I present it (to non- or semi-technical CxOs):

In a multi-Domain environment:
Each domain needs to know something about objects in the other domain.

A GC in one domain knows something about objects in other domains in a
multi-domain environment.

An IM provides references to objects in OTHER domains by creating phantoms of
those objects. These phantoms are used by other DCs in the IM's domain (who
are not GCs) when they need to reference those objects that exist in the
OTHER domain. These phantoms are NOT used by GCs because they already have a
way to reference these objects.

Now, IF a GC is also the IM, it will NOT create phantoms BECAUSE it already
knows about those objects that exist in the OTHER domain.

IF the IM does not create phantoms, then the DCs that are not GCs do not have
a way to reference those objects that exist in the OTHER Domain. These DCs
who are not GCs rely on the IM to provide this facility, but since the IM has
stopped creating phantoms because it is also acting as a GC, then the
facility does not exist for the non-GC DCs to use.

Now, IF all DCs in that domain are GCs, they will have knowledge of the
objects in the OTHER domain and will know how to reference them WITHOUT
relying on the existence of phantoms. In other words, they don't need the IM.

In a single domain environment:
There is no reason to be aware of ANY external object, because there is only
one domain. Knowledge of the objects in this domain is shared equally by all
the DCs in this domain. Nobody needs an IM. So, it does not matter where the
IM resides because nobody uses it since there is no EXTERNAL object to
reference.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE)
Sent: Tue 8/16/2005 10:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology



The part that is throwing me for a loop is that they both seem to be saying
the same thing...if all DC's in a multi-domain forest are GC's then it
doesn't matter where the IM goes since there aren't any phantoms created and
thus there aren't any phantoms to keep track of.  Phantoms are created (Dean,
Brett, Eric...correct me if I'm mistaken) when we (we are DC's) don't have
knowledge of the object.  I don't know about an object since it's not in my
database, but in the database of another DC somewhere.  So when you ask me to
reference those objects on the other DC's (i.e. adding users from other
domains to groups in yours) I need some way to reference them.  I will create
phantoms to reference these objects since they don't really exist in my
database.  Well, 

RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Dean Wells
Sounds good to me Robert.  For the sake of clarification and a little more
detail, see below -

The IM process itself does not create phantoms, if it were exclusively
responsible for that task, all group modifications referencing
non-local-domain members would require origination against the IM -- this is
not the case.  Phantoms are created locally by each DC (beneath the
awareness of the directory itself).  

The well-known role of the IM is to identify the validity of local phantoms
using the process that we've just recently described to death.  In addition,
a lesser known function of the IM is that of improving its own phantoms and
replicating those improvements to the remaining DCs within its own domain.
This is achieved by a 'sorta' replication proxy -- my earlier post
describing an ADFIND.EXE syntax outlines a means of finding the objects used
by this aspect of the IM's behavior (that's assuming you're interested of
course).

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams
(RRE)
Sent: Tuesday, August 16, 2005 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

I like your explanation...please allow me to comment on a snippet just to be
sure we're on the same page:


IF the IM does not create phantoms, then the DCs that are not GCs do not
have a way to reference those objects that exist in the OTHER Domain. These
DCs who are not GCs rely on the IM to provide this facility, but since the
IM has stopped creating phantoms because it is also acting as a GC, then the
facility does not exist for the non-GC DCs to use.


The DCs that are NOT GCs still can reference the object since it's
replicated in after the phantom is created, however if your GC is on the IM
***AND*** you DO NOT have ALL DCs as GCs then the DCs which are GCs will not
ever update the objects when they are renamed since there aren't any
phantoms to update on the GC.

And Dean, Brett, or Eric will hopefully correct me if I'm wrong but any DC
can and will create the phantom when necessary (or will it be the IM or PDC
which actually 'creates' the phantom??) but it's the IMs job to update
them...I think from the IM's perspective that it really doesn't care how
they are created, its job is to just keep them accurate.  That part I'm not
100% clear on so I hope someone straightens it out for me / us.

Dean, Brett, or Eric...it's getting kinda deep here, can you clarify some of
these things if possible?

Thanks!

Rob




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 2:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Your conclusion sounds good to me. When I talk about this IM/GC thingy, this
is how I present it (to non- or semi-technical CxOs):
 
In a multi-Domain environment:
Each domain needs to know something about objects in the other domain.
 
A GC in one domain knows something about objects in other domains in a
multi-domain environment.
 
An IM provides references to objects in OTHER domains by creating phantoms
of those objects. These phantoms are used by other DCs in the IM's domain
(who are not GCs) when they need to reference those objects that exist in
the OTHER domain. These phantoms are NOT used by GCs because they already
have a way to reference these objects.
 
Now, IF a GC is also the IM, it will NOT create phantoms BECAUSE it already
knows about those objects that exist in the OTHER domain.
 
IF the IM does not create phantoms, then the DCs that are not GCs do not
have a way to reference those objects that exist in the OTHER Domain. These
DCs who are not GCs rely on the IM to provide this facility, but since the
IM has stopped creating phantoms because it is also acting as a GC, then the
facility does not exist for the non-GC DCs to use.
 
Now, IF all DCs in that domain are GCs, they will have knowledge of the
objects in the OTHER domain and will know how to reference them WITHOUT
relying on the existence of phantoms. In other words, they don't need the IM.
 
In a single domain environment:
There is no reason to be aware of ANY external object, because there is only
one domain. Knowledge of the objects in this domain is shared equally by all
the DCs in this domain. Nobody needs an IM. So, it does not matter where the
IM resides because nobody uses it since there is no EXTERNAL object to
reference.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE)
Sent: Tue 8/16/2005 10:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on R

[ActiveDir] auditing best practices

2005-08-16 Thread Tom Kern
I need to audit account creation/deletion/modification and logon to
AD (interactive and RDP - is it the same thing? Is there a different setting
for both? Does Windows log whether the logon was via Terminal Services or
interactive?)

Where is the place to set this - I assume the domain controllers' OU?
Should I create a new policy and not screw with the default?

Should I audit account management or object access for my
aforementioned needs, or both?

Should I worry about security log bloat?

Thanks a lot.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] lost and found

2005-08-16 Thread Robert Williams \(RRE\)
I think that maybe the stray users / computers were just direct children
of the OU which was deleted...it's virtually impossible to know without
digging a bit more...maybe they decommissioned a DC and then brought it
back later.

If you're not currently experiencing any replication problems and all
the DCs are valid, working, sharing sysvol, bla, bla, bla...then it's
really a judgement call if you wanna just delete those objects or dig
some more to find out their origin.  I would be certain that they aren't
being used, if they were real user / computer accounts then you may have
some users / computers who are mysteriously not getting the right GPO's
or whose scripts are failing because the DN of the object is
different...

May the force be with you!

Rob 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 16, 2005 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] lost and found

Some OU's are actually named "old-ou" or "deleted-ou", so they knew
they were getting rid of them. I just wondered why they would end up
there.
The OU's are nested at least 3 deep.
There are also some stray parent-less user and computer accounts.

I guess it's just a result of serious ongoing replication issues or
a movetree gone bad?

Unfortunately the persons responsible are long gone for not the best
of reasons...


thanks

On 8/16/05, Robert Williams (RRE) <[EMAIL PROTECTED]> wrote:
> It's really hard to tell based on that but a few guesses are:
> 
> Someone deleted an OU, then fixed a replication problem after tombstone
> lifetime has passed...this OU had many child OU's which might be the
> ones you see...maybe the attribute for parent is a back-link or
> something like that where it will be blank if the object it references
> doesn't exist (that is a complete guess...I don't know that this works
> that way...it was used as an example).
> 
> All other explanations are variations of tombstone lifetime, replication
> problems, etc...
> 
> Can you give us more detail about these objects?  Whether you should be
> concerned may depend solely on whether the person you inherited the
> forest from is concerned :-0
> 
> It's hard to say right now...
> 
> Rob
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Tuesday, August 16, 2005 2:27 PM
> To: activedirectory
> Subject: [ActiveDir] lost and found
> 
> I'm inheriting this forest (which we are migrating away from) which has
> a ton of objects in the lost and found container in the domain
> NC (users, OU's with about 2000 objects in them, etc).
> None of them have the lastKnownParent attrib set.
> 
> Is this something to be concerned with?
> Is there a reason there would be so many objects in here?
> 
> Thanks


Re: [ActiveDir] lost and found

2005-08-16 Thread Brett Shirley
Auth restore is a perfectly normal way to end up with phantoms, w/o
replication problems having been present.

Delete parent X (including children, and grandchildren).
Auth Restore children.
Children and grandchildren will be in Lost+Found ...

Cheers,
-BrettSh


On Tue, 16 Aug 2005, Tom Kern wrote:

> Some OU's are actually named "old-ou" or "deleted-ou", so they knew
> they were getting rid of them. I just wondered why they would end up
> there.
> The OU's are nested at least 3 deep.
> There are also some stray parent-less user and computer accounts.
> 
> I guess it's just a result of serious ongoing replication issues or
> a movetree gone bad?
> 
> Unfortunately the persons responsible are long gone for not the best
> of reasons...
> 
> 
> thanks
> 
> On 8/16/05, Robert Williams (RRE) <[EMAIL PROTECTED]> wrote:
> > It's really hard to tell based on that but a few guesses are:
> > 
> > Someone deleted an OU, then fixed a replication problem after tombstone
> > lifetime has passed...this OU had many child OU's which might be the
> > ones you see...maybe the attribute for parent is a back-link or
> > something like that where it will be blank if the object it references
> > doesn't exist (that is a complete guess...I don't know that this works
> > that way...it was used as an example).
> > 
> > All other explanations are variations of tombstone lifetime, replication
> > problems, etc...
> > 
> > Can you give us more detail about these objects?  Whether you should be
> > concerned may depend solely on whether the person you inherited the
> > forest from is concerned :-0
> > 
> > It's hard to say right now...
> > 
> > Rob
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> > Sent: Tuesday, August 16, 2005 2:27 PM
> > To: activedirectory
> > Subject: [ActiveDir] lost and found
> > 
> > I'm inheriting this forest (which we are migrating away from) which has
> > a ton of objects in the lost and found container in the domain
> > NC (users, OU's with about 2000 objects in them, etc).
> > None of them have the lastKnownParent attrib set.
> > 
> > Is this something to be concerned with?
> > Is there a reason there would be so many objects in here?
> > 
> > Thanks
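An added example, not code from this thread: it inventories the domain's LostAndFound container and, for each object, reports its nesting depth, whether the recorded lastKnownParent still exists (so it could be moved back) and when the account last logged on, which is the "make sure they aren't being used" check Rob recommends before deleting. It assumes the RSAT ActiveDirectory module and read access to the domain; the DN in the depth check is constructed.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DnDepthBelow {
    # Number of RDN components of $Dn beneath $Base (escaped commas are not separators).
    param([string]$Dn, [string]$Base)
    $relative = $Dn.Substring(0, $Dn.Length - $Base.Length - 1)
    return @($relative -split '(?<!\\),').Count
}

function Get-LostAndFoundReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $d   = Get-ADDomain -Identity $Domain
    $laf = $d.LostAndFoundContainer

    $objects = Get-ADObject -Server $Domain -SearchBase $laf -SearchScope Subtree -Filter * `
        -Properties lastKnownParent, whenChanged, lastLogonTimestamp

    foreach ($o in $objects) {
        if ($o.DistinguishedName -eq $laf) { continue }   # skip the container itself

        $parentState = 'no lastKnownParent recorded'
        if ($o.lastKnownParent) {
            try {
                $null = Get-ADObject -Identity $o.lastKnownParent -Server $Domain -ErrorAction Stop
                $parentState = 'parent exists: candidate for Move-ADObject back'
            } catch {
                # Brett's case: the parent stayed deleted while the children were auth-restored
                $parentState = 'parent gone: deleted, or children restored without it'
            }
        }
        # lastLogonTimestamp replicates but is only refreshed about every 14 days;
        # good enough to separate "never used" from "someone still logs on with this".
        $lastLogon = if ($o.lastLogonTimestamp) { [DateTime]::FromFileTime($o.lastLogonTimestamp) } else { $null }

        [pscustomobject]@{
            Name            = $o.Name
            Class           = $o.ObjectClass
            Depth           = Get-DnDepthBelow -Dn $o.DistinguishedName -Base $laf
            LastKnownParent = $o.lastKnownParent
            ParentState     = $parentState
            WhenChanged     = $o.whenChanged
            LastLogon       = $lastLogon
        }
    }
}

# Depth check on a constructed DN (no directory needed): three RDNs below the container.
Get-DnDepthBelow -Dn 'CN=jdoe,OU=Sales,OU=old-ou,CN=LostAndFound,DC=example,DC=test' `
                 -Base 'CN=LostAndFound,DC=example,DC=test'

# Against the real domain, deepest nests first:
# Get-LostAndFoundReport | Sort-Object Depth -Descending | Format-Table -AutoSize
```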


RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Robert Williams \(RRE\)
I like your explanation...please allow me to comment on a snippet just to be 
sure we're on the same page:


IF the IM does not create phantoms, then the DCs that are not GCs do not have a 
way to reference those objects that exist in the OTHER Domain. These DCs who 
are not GCs rely on the IM to provide this facility, but since the IM has 
stopped creating phantoms because it is also acting as a GC, then the facility 
does not exist for the non-GC DCs to use.


The DCs that are NOT GCs still can reference the object since it's replicated 
in after the phantom is created, however if your GC is on the IM ***AND*** you 
DO NOT have ALL DCs as GCs then the DCs which are GCs will not ever update the 
objects when they are renamed since there aren't any phantoms to update on the 
GC.

And Dean, Brett, or Eric will hopefully correct me if I'm wrong but any DC can 
and will create the phantom when necessary (or will it be the IM or PDC which 
actually 'creates' the phantom??) but it's the IM's job to update them...I think 
from the IM's perspective that it really doesn't care how they are created, its 
job is to just keep them accurate.  That part I'm not 100% clear on so I hope 
someone straightens it out for me / us.

Dean, Brett, or Eric...it's getting kinda deep here, can you clarify some of 
these things if possible?

Thanks!

Rob




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 2:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Your conclusion sounds good to me. When I talk about this IM/GC thingy, this
is how I present it (to non- or semi-technical CxOs):
 
In a multi-Domain environment:
Each domain needs to know something about objects in the other domain.
 
A GC in one domain knows something about objects in other domains in a
multi-domain environment.
 
An IM provides references to objects in OTHER domains by creating phantoms of
those objects. These phantoms are used by other DCs in the IM's domain (who
are not GCs) when they need to reference those objects that exist in the
OTHER domain. These phantoms are NOT used by GCs because they already have a
way to reference these objects.
 
Now, IF a GC is also the IM, it will NOT create phantoms BECAUSE it already
knows about those objects that exist in the OTHER domain.
 
IF the IM does not create phantoms, then the DCs that are not GCs do not have
a way to reference those objects that exist in the OTHER Domain. These DCs
who are not GCs rely on the IM to provide this facility, but since the IM has
stopped creating phantoms because it is also acting as a GC, then the
facility does not exist for the non-GC DCs to use.
 
Now, IF all DCs in that domain are GCs, they will have knowledge of the
objects in the OTHER domain and will know how to reference them WITHOUT
relying on the existence of phantoms. In other words, they don't need the IM.
 
In a single domain environment:
There is no reason to be aware of ANY external object, because there is only
one domain. Knowledge of the objects in this domain is shared equally by all
the DCs in this domain. Nobody needs an IM. So, it does not matter where the
IM resides because nobody uses it since there is no EXTERNAL object to
reference.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE)
Sent: Tue 8/16/2005 10:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology



The part that is throwing me for a loop is that they both seem to be saying
the same thing...if all DC's in a multi-domain forest are GC's then it
doesn't matter where the IM goes since there aren't any phantoms created and
thus there aren't any phantoms to keep track of.  Phantoms are created (Dean,
Brett, Eric...correct me if I'm mistaken) when we (we are DC's) don't have
knowledge of the object.  I don't know about an object since it's not in my
database, but in the database of another DC somewhere.  So when you ask me to
reference those objects on the other DC's (i.e. adding users from other
domains to groups in yours) I need some way to reference them.  I will create
phantoms to reference these objects since they don't really exist in my
database.  Well, the problem with having the GC on the IM is that if I'm a GC
then I will have a copy of the object (read-only, but still a copy), so there
will be no need for me to create a phantom thus the problem where my
references to your objects gets all outta whack.  If you have only one
domain, again we will have no reason to create these freaking phantoms
(phantom sounds evil anyway) so the IM will be sitting there doing nothing
all day (how lazy!).  If everyone is a

Re: [ActiveDir] lost and found

2005-08-16 Thread Tom Kern
Some OU's are actually named "old-ou" or "deleted-ou", so they knew
they were getting rid of them. I just wondered why they would end up
there.
The OU's are nested at least 3 deep.
There are also some stray parent-less user and computer accounts.

I guess it's just a result of serious ongoing replication issues or
a movetree gone bad?

Unfortunately the persons responsible are long gone for not the best
of reasons...


thanks

On 8/16/05, Robert Williams (RRE) <[EMAIL PROTECTED]> wrote:
> It's really hard to tell based on that but a few guesses are:
> 
> Someone deleted an OU, then fixed a replication problem after tombstone
> lifetime has passed...this OU had many child OU's which might be the
> ones you see...maybe the attribute for parent is a back-link or
> something like that where it will be blank if the object it references
> doesn't exist (that is a complete guess...I don't know that this works
> that way...it was used as an example).
> 
> All other explanations are variations of tombstone lifetime, replication
> problems, etc...
> 
> Can you give us more detail about these objects?  Whether you should be
> concerned may depend solely on whether the person you inherited the
> forest from is concerned :-0
> 
> It's hard to say right now...
> 
> Rob
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Tuesday, August 16, 2005 2:27 PM
> To: activedirectory
> Subject: [ActiveDir] lost and found
> 
> I'm inheriting this forest (which we are migrating away from) which has
> a ton of objects in the lost and found container in the domain
> NC (users, OU's with about 2000 objects in them, etc).
> None of them have the lastKnownParent attrib set.
> 
> Is this something to be concerned with?
> Is there a reason there would be so many objects in here?
> 
> Thanks


RE: [ActiveDir] lost and found

2005-08-16 Thread Robert Williams \(RRE\)
It's really hard to tell based on that but a few guesses are:

Someone deleted an OU, then fixed a replication problem after tombstone
lifetime has passed...this OU had many child OU's which might be the
ones you see...maybe the attribute for parent is a back-link or
something like that where it will be blank if the object it references
doesn't exist (that is a complete guess...I don't know that this works
that way...it was used as an example).

All other explanations are variations of tombstone lifetime, replication
problems, etc...

Can you give us more detail about these objects?  Whether you should be
concerned may depend solely on whether the person you inherited the
forest from is concerned :-0

It's hard to say right now...

Rob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 16, 2005 2:27 PM
To: activedirectory
Subject: [ActiveDir] lost and found

I'm inheriting this forest (which we are migrating away from) which has
a ton of objects in the lost and found container in the domain
NC (users, OU's with about 2000 objects in them, etc).
None of them have the lastKnownParent attrib set.

Is this something to be concerned with?
Is there a reason there would be so many objects in here?

Thanks


RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread deji
Your conclusion sounds good to me. When I talk about this IM/GC thingy, this
is how I present it (to non- or semi-technical CxOs):
 
In a multi-Domain environment:
Each domain needs to know something about objects in the other domain.
 
A GC in one domain knows something about objects in other domains in a
multi-domain environment.
 
An IM provides references to objects in OTHER domains by creating phantoms of
those objects. These phantoms are used by other DCs in the IM's domain (who
are not GCs) when they need to reference those objects that exist in the
OTHER domain. These phantoms are NOT used by GCs because they already have a
way to reference these objects.
 
Now, IF a GC is also the IM, it will NOT create phantoms BECAUSE it already
knows about those objects that exist in the OTHER domain.
 
IF the IM does not create phantoms, then the DCs that are not GCs do not have
a way to reference those objects that exist in the OTHER Domain. These DCs
who are not GCs rely on the IM to provide this facility, but since the IM has
stopped creating phantoms because it is also acting as a GC, then the
facility does not exist for the non-GC DCs to use.
 
Now, IF all DCs in that domain are GCs, they will have knowledge of the
objects in the OTHER domain and will know how to reference them WITHOUT
relying on the existence of phantoms. In other words, they don't need the IM.
 
In a single domain environment:
There is no reason to be aware of ANY external object, because there is only
one domain. Knowledge of the objects in this domain is shared equally by all
the DCs in this domain. Nobody needs an IM. So, it does not matter where the
IM resides because nobody uses it since there is no EXTERNAL object to
reference.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE)
Sent: Tue 8/16/2005 10:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology



The part that is throwing me for a loop is that they both seem to be saying
the same thing...if all DC's in a multi-domain forest are GC's then it
doesn't matter where the IM goes since there aren't any phantoms created and
thus there aren't any phantoms to keep track of.  Phantoms are created (Dean,
Brett, Eric...correct me if I'm mistaken) when we (we are DC's) don't have
knowledge of the object.  I don't know about an object since it's not in my
database, but in the database of another DC somewhere.  So when you ask me to
reference those objects on the other DC's (i.e. adding users from other
domains to groups in yours) I need some way to reference them.  I will create
phantoms to reference these objects since they don't really exist in my
database.  Well, the problem with having the GC on the IM is that if I'm a GC
then I will have a copy of the object (read-only, but still a copy), so there
will be no need for me to create a phantom thus the problem where my
references to your objects gets all outta whack.  If you have only one
domain, again we will have no reason to create these freaking phantoms
(phantom sounds evil anyway) so the IM will be sitting there doing nothing
all day (how lazy!).  If everyone is a GC regardless of the # of domains then
I again won't create a phantom (unless it's for a FSP or something along
those lines not really relating to this discussion) since I have the object
handy locally.

Please chime in if there is something to add / correct..imagine if the KB
article was as jumbled up as the above paragraph.  I can almost hear the
phone ringing now...

Have a good one guys!

Rob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 1:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

I love this particular discussion.  I can never quite follow the reasoning
why about the IM/GC issue... but learn a little more about it each time.

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Tuesday, August 16, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Deji,

Thank you for pointing out my mistake.  You are correct.  DC5 holds all
3 roles, not all 5 roles.  It's the details, I know.  I can just hear
joe now, "SEE, SEE, This is what I'm always talking about!"

Rocky



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology


I read it to be that he has 2 domains. He fat-fingered t

[ActiveDir] lost and found

2005-08-16 Thread Tom Kern
I'm inheriting this forest (which we are migrating away from) which has
a ton of objects in the lost and found container in the domain
NC (users, OU's with about 2000 objects in them, etc).
None of them have the lastKnownParent attrib set.

Is this something to be concerned with?
Is there a reason there would be so many objects in here?

Thanks


RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Dean Wells
Your explanation sounds great to me.

As I understood it, there was a difference as to whether the IM can
co-reside on a GC in a multi-domain forest if all DCs in its domain are GCs.


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams
(RRE)
Sent: Tuesday, August 16, 2005 1:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

The part that is throwing me for a loop is that they both seem to be saying
the same thing...if all DC's in a multi-domain forest are GC's then it
doesn't matter where the IM goes since there aren't any phantoms created and
thus there aren't any phantoms to keep track of.  Phantoms are created
(Dean, Brett, Eric...correct me if I'm mistaken) when we (we are DC's) don't
have knowledge of the object.  I don't know about an object since it's not
in my database, but in the database of another DC somewhere.  So when you
ask me to reference those objects on the other DC's (i.e. adding users from
other domains to groups in yours) I need some way to reference them.  I will
create phantoms to reference these objects since they don't really exist in
my database.  Well, the problem with having the GC on the IM is that if I'm
a GC then I will have a copy of the object (read-only, but still a copy), so
there will be no need for me to create a phantom thus the problem where my
references to your objects gets all outta whack.  If you have only one
domain, again we will have no reason to create these freaking phantoms
(phantom sounds evil anyway) so the IM will be sitting there doing nothing
all day (how lazy!).  If everyone is a GC regardless of the # of domains
then I again won't create a phantom (unless it's for a FSP or something
along those lines not really relating to this discussion) since I have the
object handy locally.

Please chime in if there is something to add / correct..imagine if the KB
article was as jumbled up as the above paragraph.  I can almost hear the
phone ringing now...

Have a good one guys!

Rob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 1:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

I love this particular discussion.  I can never quite follow the reasoning
why about the IM/GC issue... but learn a little more about it each time.

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Tuesday, August 16, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Deji,

Thank you for pointing out my mistake.  You are correct.  DC5 holds all
3 roles, not all 5 roles.  It's the details, I know.  I can just hear joe
now, "SEE, SEE, This is what I'm always talking about!"

Rocky



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology


I read it to be that he has 2 domains. He fat-fingered the number of FSMO
roles in the child. But the conclusion is still the same - when all DCs are
GCs in a given domain, IM and GC can co-exist.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Teverovsky, Guy
Sent: Tue 8/16/2005 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology



Rob,

My understanding is that he has two domains in the forest: empty root and a
production child domain. Though the forest root domain is empty, it still
has 2 domains.



We have:

Forest Root Domain (Empty)

DC1 (Holds all 5 roles)  (the DC offline for 26 hours)

DC2 

One Domain in the Forest

DC4

DC5 (Holds all 5 Roles)

DC6



Now looking again at this layout makes me a bit confused as child domains
can hold only 3 FSMOs. Rocky, can you explain what you actually have there ?
"single-domain forest" or "empty root domain + child domain" ?

Guy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams
(RRE)
Sent: Tuesday, August 16, 2005 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Actually, if it's a Single Domain Forest then the Infrastructure Master
has no phantoms to keep track of and thus, can be sent anywhere or left
alone as a paper weight.

So while I agree with Jose that it is perfectly fine to move it, doing
so won't really matter until you have 

RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Dean Wells
I am fortunate enough to be provided with source access by Microsoft.

Actually, I say "Tom-arto" since I'm British. ;0)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 1:37 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

No Problem at all.. You say Tomato I say Tamato..I also misunderstood his
question as I assumed he meant DC's and not GC's. 

Thanks for clarifying this in more detail. 

BTW: How did you get to look at the source code?

Jose :-)



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 10:08 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology


Jose, I don't wish to continue going back and forth on this topic, the
behavior and constraints are what they are.  I'm not stating an opinion or
an interpretation of a paper, I'm stating a fact based upon the source code
of the product (as of 2K and 2K3).  Your understanding of the articles
you've read is very close but not entirely accurate.  Phantoms of this kind
are not permitted on GCs ... this is manifested in the interface when you
attempt to add a user to a Universal group but the user has not yet
replicated to the GC (an error will occur stating exactly that), if phantoms
were permitted one would be created based on the info. from the DC used to
browse the domain containing the user.

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

I am afraid not... 

One of the common replies and misunderstood rumors is that the
Infrastructure Master (IM) is only allowed to run on a Global Catalog Server
(GC) if every Domain Controller (DC) in the Forest is Global Catalog Server.
That rumor is just based on misleading wording.

The infrastructure master's job is to compare objects of the local domain
against objects in other domains of the same forest. If the server holding
the infrastructure master is also a global catalog it won't ever see any
differences, since the global catalog holds a partial copy of every object
in the forest itself. Therefore the infrastructure master won't do anything
in its domain. However if every DC in the Domain is also a global catalog
server there's no job for the IM since the GC already knows about the
objects of other domains. So if you look at the job the IM has to do, it's
pretty clear that it may reside on a GC if it's a single domain forest (no
need to pull updates from other domains). It's also pretty clear that it may
reside on a GC if it's in a multiple domain forest but every DC in the
domain where the IM runs on the GC is also a GC (no need to pull updates
since the GC knows everything).

So the following infrastructure is a valid configuration:

One domain:
R-DC1 (GC + IM)
R-DC2 (GC)
R-DC3-x (must be GC)

Other domain:
O-DC1 (GC)
O-DC2 (IM)
O-DC3-x (might or might not be GC, does not matter)

The first domain does not need to pull updates since the GCs know
everything, the other domain has the IM running on a non-GC so it pulls the
updates and replicates them to other DCs.

The following KB states that correctly:
http://support.microsoft.com/kb/223346/EN-US/
 
So to be short:
The Infrastructure Master is not allowed to run on a Global Catalog Server
if either there are multiple Domains in the Forest or there are Domain
Controllers in the same Domain which are not Global Catalog Servers.

The Infrastructure Master is allowed to run on a Global Catalog Server in a
Domain if either there's only one Domain in the Forest or every Domain
Controller in the Domain in question is a Global Catalog Server.
---

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 8:26 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology


I'm afraid it's not correct: when all DCs are GCs (within a single domain),
the IM can happily co-reside with a GC.  I'd also mention that the impact
the IM imposes on a DC is typically negligible (forest design can impact
that statement to some extent, but I've not personally seen a forest designed
or utilized that badly).

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Repl

RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Robert Williams \(RRE\)
I'm kinda confused as to what the confusion is about...

What is he saying that is different than what you're saying?

Hehe

Cheers!

rob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 1:15 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

For my own purposes, I am interested to know why it is you interpret the
whitepaper you posted a link to as supporting your case; it clearly
states -

"Multidomain forest where every domain controller in a domain holds the
global catalog: 

If every domain controller in a domain that is part of a multidomain forest
also hosts the global catalog, there are no phantoms or work for the
infrastructure master to do. The infrastructure master may be put on any
domain controller in that domain."

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

You are correct. However if you have two DC's it doesn't hurt to offload
the infrastructure master role to the DC that does not have the other 4
roles, even if it's in a single domain forest.

Jose :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology


Am I missing something, or is having the Infrastructure Master running on a GC
an issue in a multi-domain forest?

Guy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Que

RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Robert Williams \(RRE\)
The part that is throwing me for a loop is that they both seem to be saying the 
same thing...if all DC's in a multi-domain forest are GC's then it doesn't 
matter where the IM goes since there aren't any phantoms created and thus there 
aren't any phantoms to keep track of.  Phantoms are created (Dean, Brett, 
Eric...correct me if I'm mistaken) when we (we are DC's) don't have knowledge 
of the object.  I don't know about an object since it's not in my database, but 
in the database of another DC somewhere.  So when you ask me to reference those 
objects on the other DC's (i.e. adding users from other domains to groups in 
yours) I need some way to reference them.  I will create phantoms to reference 
these objects since they don't really exist in my database.  Well, the problem 
with having the GC on the IM is that if I'm a GC then I will have a copy of the 
object (read-only, but still a copy), so there will be no need for me to create 
a phantom, thus the problem where my references to your objects get all outta 
whack.  If you have only one domain, again we will have no reason to create 
these freaking phantoms (phantom sounds evil anyway) so the IM will be sitting 
there doing nothing all day (how lazy!).  If everyone is a GC regardless of the 
# of domains then I again won't create a phantom (unless it's for a FSP or 
something along those lines not really relating to this discussion) since I 
have the object handy locally.

Please chime in if there is something to add / correct..imagine if the KB 
article was as jumbled up as the above paragraph.  I can almost hear the phone 
ringing now...

Have a good one guys!

Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 1:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

I love this particular discussion.  I can never quite follow the reasoning 
about the IM/GC issue... but learn a little more about it each time.

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Tuesday, August 16, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Deji,

Thank you for pointing out my mistake.  You are correct.  DC5 holds all
3 roles, not all 5 roles.  It's the details, I know.  I can just hear
joe now, "SEE, SEE, This is what I'm always talking about!"

Rocky



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology


I read it to be that he has 2 domains. He fat-fingered the number of
FSMO roles in the child. But the conclusion is still the same - when all
DCs are GCs in a given domain, IM and GC can co-exist.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Teverovsky, Guy
Sent: Tue 8/16/2005 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology



Rob,

My understanding is that he has two domains in the forest: an empty root
and a production child domain. Though the forest root domain is empty,
the forest still has 2 domains.

We have:

Forest Root Domain (Empty)
DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
DC2

One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Now looking again at this layout makes me a bit confused, as child
domains can hold only 3 FSMOs. Rocky, can you explain what you actually
have there? "single-domain forest" or "empty root domain + child
domain"?

Guy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams
(RRE)
Sent: Tuesday, August 16, 2005 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Actually, if it's a Single Domain Forest then the Infrastructure Master
has no phantoms to keep track of and thus can be sent anywhere or left
alone as a paper weight.

So while I agree with Jose that it is perfectly fine to move it, doing
so won't really matter until you have phantoms for the infrastructure
master to keep an eye on.

Just my $0.02

Have a great day!

Rob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

You are correct. However if you have two DC's it doesn't hurt to offload
the infrastructure master role to the DC that does not have the other 4
r

RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Dean Wells
I managed to locate a detailed explanation of the IM's behavior that I wrote some
time back; I've pasted it below in the hope that it will clear up some of
the confusion.

---
The IM locates phantom records within the local DIT.  Phantoms are
injected database rows; they are structural entities primarily used to
maintain database-level cross-references between a local object and a
foreign-domain/same-forest object.  They also serve a couple of other
low-level purposes.  Note that we refer to phantoms as records as opposed to
objects, since phantoms are effectively outside the scope of the
directory itself.

Phantoms maintain only 3 attributes: dn, objectGUID and objectSID
(where applicable). Since phantoms represent objects in foreign 
domains, administrative updates to that foreign object's dn or SID 
cause the phantom to become stale (i.e. the phantom's dn or 
objectSID no longer reflect that of the object it was created to 
locally represent -- somewhat like the result when renaming the 
target file that a Windows Explorer shortcut points to).

The IM scans the local DIT/DIB and collates a pre-defined number
of phantoms; each phantom's objectGUID is used to locate the (partial
copy of the) real object that exists in a GC (the GC is assumed to have
an ~up-to-date copy).  The dn and objectSID of the phantom are then
compared against the corresponding attributes on the object maintained
by the GC.  If everything is equal, the IM continues to the next
phantom; if the dn or the objectSID do not match, the local phantom is
improved with the GC's more up-to-date values.  If the object cannot be
located, it is deemed to have been deleted and the corresponding local
phantom is also deleted.  Note that additional measures are taken by the
IM in order to ensure that the changes or deletions introduced are
replicated to all other DCs within the same domain; I haven't described
those actions here since it's somewhat overkill, but they're referenced
below by the steps I provided to locate the changes made.

To determine what the IM did, 2 approaches (outside of attaching a
debugger) spring to mind.  The first is to crank up DS logging, but
that would carry an awful lot of event-baggage with it; the second is to
query for the replicable entries created by the IM.  For once in my life
I'm going to recommend the use of one of Joe Richards' tools :o) --
specifically ADFIND.EXE (it's not that I don't like his tools, I just
don't like him ... I'm teasing ... I prefer, where possible, to use
tools supplied with the base media, but there simply aren't any capable
of doing the job this well).  Download and run the following command
within a command shell (obviously, the dn needs substituting) -

C:\>adfind -b "cn=Deleted Objects,dc=child,dc=test,dc=com" -showdel -f "objectclass=infrastructureUpdate" dnReferenceUpdate whenChanged -extname -rsort whenChanged -nodn -s onelevel

The resulting output displays the objectGUID, objectSID and dn of any
phantoms that were locally improved (most recent improvements ordered to
the top).  By default, the result set will contain any
phantom-alterations that have occurred within the last 2 months (unless
the forest was constructed using 2K3 SP1).  Note that you may need to 
increase query timeouts depending on the size of the DIT and/or the number 
of infrastructureUpdate instances.

The IM itself can be triggered manually using a variety of tools; here's
a technique using another of Joe's -

C:\>admod -h im_roleholder -b "" checkPhantoms::1

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
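The reconciliation Dean walks through above, together with the IM/GC placement rule argued over earlier in the thread (Jose's summary and Dean's reply to it), as a small Python model. This is an added example written for this page; it is not code from the list, from Joe Richards' tools or from Active Directory itself. The forest layout, DC names, DNs, GUIDs and SIDs are constructed, and the names `ObjectRef`, `DomainController`, `run_infrastructure_master`, `replicate_updates`, `im_placement_problem` and `scenario` are chosen here, not taken from any product.

```python
"""Model of the IM's phantom reconciliation (added example; every name, DN, GUID and SID is constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ObjectRef:
    """The three attributes a phantom keeps (objectGUID, dn, objectSID); also stands in for the GC's partial copy."""
    guid: str
    dn: str
    sid: Optional[str]


@dataclass
class DomainController:
    name: str
    is_gc: bool
    phantoms: Dict[str, ObjectRef] = field(default_factory=dict)  # keyed by objectGUID
    # replicable records of what the IM changed; stands in for the infrastructureUpdate objects
    updates: List[tuple] = field(default_factory=list)

    def reference_foreign_object(self, obj: ObjectRef, gc_view: Dict[str, ObjectRef]) -> None:
        """Cross-domain reference, e.g. adding a foreign user to a local group."""
        if self.is_gc:
            if obj.guid not in gc_view:
                # the interface error Dean mentions: the user has not yet replicated to the GC
                raise LookupError(f"{obj.dn} has not yet replicated to the GC")
            return  # a GC holds a partial copy itself, so it creates no phantom
        # a plain DC snapshots dn/SID as they are now; a later rename or SID change makes it stale
        self.phantoms[obj.guid] = ObjectRef(obj.guid, obj.dn, obj.sid)


def run_infrastructure_master(im: DomainController,
                              gc_view: Dict[str, ObjectRef]) -> Tuple[List[str], List[str]]:
    """One IM pass: find each phantom's object in the GC by objectGUID, compare dn and
    objectSID, improve the phantom when they differ, delete it when the object is gone."""
    improved, deleted = [], []
    for guid, phantom in list(im.phantoms.items()):
        real = gc_view.get(guid)
        if real is None:
            del im.phantoms[guid]
            im.updates.append(("delete", guid, None, None))
            deleted.append(guid)
        elif (phantom.dn, phantom.sid) != (real.dn, real.sid):
            phantom.dn, phantom.sid = real.dn, real.sid
            im.updates.append(("improve", guid, real.dn, real.sid))
            improved.append(guid)
    return improved, deleted


def replicate_updates(im: DomainController, peers: List[DomainController]) -> None:
    """Carry the IM's changes to the other DCs of the same domain."""
    for dc in peers:
        for kind, guid, dn, sid in im.updates:
            if kind == "delete":
                dc.phantoms.pop(guid, None)
            elif guid in dc.phantoms:
                dc.phantoms[guid].dn, dc.phantoms[guid].sid = dn, sid


def im_placement_problem(domain_count: int, dcs: List[DomainController],
                         im_name: str) -> Optional[str]:
    """The rule the thread converges on: the IM on a GC is only a problem when the
    forest has more than one domain AND some DC in that domain is not a GC."""
    im = next(dc for dc in dcs if dc.name == im_name)
    non_gcs = [dc.name for dc in dcs if not dc.is_gc]
    if not im.is_gc or domain_count == 1 or not non_gcs:
        return None
    return f"{im_name} is a GC and holds no phantoms; stale phantoms on {non_gcs} are never refreshed"


def scenario(im_name: str) -> dict:
    """Constructed two-domain forest: in the child domain DC4 and DC6 are plain DCs and
    DC5 is a GC.  Two root-domain users are referenced from the child domain; one is
    then renamed and the other deleted in the root domain."""
    alice = ObjectRef("guid-alice", "CN=Alice,OU=Staff,DC=root,DC=example", "S-1-5-21-1-2-3-1101")
    bob = ObjectRef("guid-bob", "CN=Bob,OU=Staff,DC=root,DC=example", "S-1-5-21-1-2-3-1102")
    gc_view = {alice.guid: alice, bob.guid: bob}  # what every GC in the forest holds
    dcs = [DomainController("DC4", False), DomainController("DC5", True),
           DomainController("DC6", False)]
    for dc in dcs:
        dc.reference_foreign_object(alice, gc_view)
        dc.reference_foreign_object(bob, gc_view)
    # administrative changes in the root domain reach the GCs but not the phantoms
    gc_view[alice.guid] = ObjectRef(alice.guid, "CN=Alice Smith,OU=Staff,DC=root,DC=example", alice.sid)
    del gc_view[bob.guid]
    im = next(dc for dc in dcs if dc.name == im_name)
    improved, deleted = run_infrastructure_master(im, gc_view)
    replicate_updates(im, [dc for dc in dcs if dc is not im])
    dc6 = dcs[2]
    return {"improved": improved, "deleted": deleted,
            "dc6_alice_dn": dc6.phantoms["guid-alice"].dn,
            "dc6_has_bob": "guid-bob" in dc6.phantoms,
            "problem": im_placement_problem(2, dcs, im_name)}
```

`scenario("DC4")` (IM on a plain DC) refreshes the renamed user's phantom and drops the deleted user's phantom on every DC in the domain; `scenario("DC5")` (IM on the GC) never touches a phantom because the GC holds none, so DC4 and DC6 keep their stale references, which is the situation the thread warns about. In a real domain the change records would be listed with the adfind query Dean gives; the model only keeps them in a list.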


RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Medeiros, Jose
No Problem at all.. You say Tomato I say Tamato.. I also misunderstood his 
question as I assumed he meant DC's and not GC's. 

Thanks for clarifying this in more detail. 

BTW: How did you get to look at the source code?

Jose :-)



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 10:08 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology


Jose, I don't wish to continue going back and forth on this topic; the
behavior and constraints are what they are.  I'm not stating an opinion or
an interpretation of a paper, I'm stating a fact based upon the source code
of the product (as of 2K and 2K3).  Your understanding of the articles
you've read is very close but not entirely accurate.  Phantoms of this kind
are not permitted on GCs ... this is manifested in the interface when you
attempt to add a user to a Universal group but the user has not yet
replicated to the GC (an error will occur stating exactly that); if phantoms
were permitted, one would be created based on the info from the DC used to
browse the domain containing the user.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Marcus.Oh
That's the way I read it too, Dean.  I think the terminology gets
confusing because of the wording "Multidomain forest" followed by the
reference to "every domain controller in a domain".   I've personally
seen that terminology get completely botched by MCS, who inappropriately
wrote into a health engagement that our domain was unhealthy because we
held our IM on a GC.  No matter how much I debated it... he wouldn't let
it go.

Wherever you are, 80's hair guy, I hope you're reading this post.

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 1:15 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

For my own purposes, I am interested to know why it is you interpret the
whitepaper you posted a link to as supporting your case; it clearly
states -

"Multidomain forest where every domain controller in a domain holds the
global catalog: 

If every domain controller in a domain that is part of a multidomain forest
also hosts the global catalog, there are no phantoms or work for the
infrastructure master to do. The infrastructure master may be put on any
domain controller in that domain."

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Marcus.Oh
I love this particular discussion.  I can never quite follow the reasoning 
about the IM/GC issue... but learn a little more about it each time.

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Tuesday, August 16, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Deji,

Thank you for pointing out my mistake.  You are correct.  DC5 holds all
3 roles, not all 5 roles.  It's the details, I know.  I can just hear
joe now, "SEE, SEE, This is what I'm always talking about!"

Rocky



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (whom I have a hard time figuring out how you all have
so much time to help us "not quite up to speed, but severely overtasked
Administrators");

After a power failure took a Forest Root DC offline over the weekend
(for 26 hours), I came in today to find my replication "in question".
Repadmin /Showreps does not show any errors; however, it shows
inconsistent replication partners.  Here is my question:

We have:

Forest Root Domain (Empty)
DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
DC2

One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is
a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server
2003 Forest Functional Level, but now when I go to AD Domains and Trusts
and click the Forest Root Domain and right click Properties I get:

Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000

When I go to AD Domains and Trusts and click the Domain and right click
Properties I get:

Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have co

RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Dean Wells
For my own purposes, I am interested to know why it is you interpret the
whitepaper you posted a link to as supporting your case; it clearly states -

"Multidomain forest where every domain controller in a domain holds the
global catalog: 

If every domain controller in a domain that is part of a multidomain forest
also hosts the global catalog, there are no phantoms or work for the
infrastructure master to do. The infrastructure master may be put on any
domain controller in that domain."

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

I am afraid not... 

One of the common replies and misunderstood rumors is that the
Infrastructure Master (IM) is only allowed to run on a Global Catalog Server
(GC) if every Domain Controller (DC) in the Forest is a Global Catalog Server.
That rumor is just based on misleading wording.

The infrastructure master's job is to compare objects of the local domain
against objects in other domains of the same forest. If the server holding
the infrastructure master is also a global catalog it won't ever see any
differences, since the global catalog holds a partial copy of every object
in the forest itself. Therefore the infrastructure master won't do anything
in its domain. However, if every DC in the Domain is also a global catalog
server, there's no job for the IM since the GC already knows about the
objects of other domains. So if you look at the job the IM has to do, it's
pretty clear that it may reside on a GC if it's a single domain forest (no
need to pull updates from other domains). It's also pretty clear that it may
reside on a GC if it's in a multiple domain forest but every DC in the
domain where the IM runs on the GC is also a GC (no need to pull updates
since the GC knows everything).

So the following infrastructure is a valid configuration:

One domain:
R-DC1 (GC + IM)
R-DC2 (GC)
R-DC3-x (must be GC)

Other domain:
O-DC1 (GC)
O-DC2 (IM)
O-DC3-x (might or might not be GC, does not matter)

The first domain does not need to pull updates since the GCs know
everything, the other domain has the IM running on a non-GC so it pulls the
updates and replicates them to other DCs.

The following KB states that correctly:
http://support.microsoft.com/kb/223346/EN-US/
 
So to be short:
The Infrastructure Master is not allowed to run on a Global Catalog Server
if either
- there are multiple Domains in the Forest
- there are Domain Controllers in the same Domain which are not Global
  Catalog Servers

The Infrastructure Master is allowed to run on a Global Catalog Server in a
Domain if either
- there's only one Domain in the Forest
- every Domain Controller in the Domain in question is Global Catalog Server
---

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 8:26 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology


I'm afraid it's not correct, when all DCs are GCs (within a single domain),
the IM can happily co-reside with a GC.  I'd also mention that the impact
the IM imposes on a DC is typically negligible (forest design can impact
that statement to some extent but I've not personally seen a forest designed
or utilized that badly).

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

You are correct. However if you have two DC's it doesn't hurt to offload the
infrastructure master role to the DC that does not have the other 4 roles,
even if it's in a single domain forest.

Jose :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology


Am I missing something or having Infrastructure Master running on GC is an
issue in multi-domain forest ?

Guy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have so
much time to help us "not quite up to speed, but severely overtasked
Administrators");

After a power failure took a Forest Root DC offline over the weekend (for 26
hours), I came in today to find my replication "in question".
Repadmin /Showreps does not show

RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Dean Wells
Jose, I don't wish to continue going back and forth on this topic, the
behavior and constraints are what they are.  I'm not stating an opinion or
an interpretation of a paper, I'm stating a fact based upon the source code
of the product (as of 2K and 2K3).  Your understanding of the articles
you've read is very close but not entirely accurate.  Phantoms of this kind
are not permitted on GCs ... this is manifested in the interface when you
attempt to add a user to a Universal group but the user has not yet
replicated to the GC (an error will occur stating exactly that), if phantoms
were permitted one would be created based on the info. from the DC used to
browse the domain containing the user.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

I am afraid not... 

One of the common replies and misunderstood rumors is that the
Infrastructure Master (IM) is only allowed to run on a Global Catalog Server
(GC) if every Domain Controller (DC) in the Forest is Global Catalog Server.
That rumor is just based on misleading wording.

The infrastructure master's job is to compare objects of the local domain
against objects in other domains of the same forest. If the server holding
the infrastructure master is also a global catalog it won't ever see any
differences, since the global catalog holds a partial copy of every object
in the forest itself. Therefore the infrastructure master won't do anything
in its domain. However if every DC in the Domain is also global catalog
server there's no job for the IM since the GC already knows about the
objects of other domains. So if you look at the job the IM has to do, it's
pretty clear that it may reside on a GC if it's a single domain forest (no
need to pull updates from other domains). It's also pretty clear that it may
reside on a GC if it's in a multiple domain forest but every DC in the
domain where the IM runs on the GC are also GCs (no need to pull updates
since the GC knows everything).

So the following infrastructure is a valid configuration:

One domain:
R-DC1 (GC + IM)
R-DC2 (GC)
R-DC3-x (must be GC)

Other domain:
O-DC1 (GC)
O-DC2 (IM)
O-DC3-x (might or might not be GC, does not matter)

The first domain does not need to pull updates since the GCs know
everything, the other domain has the IM running on a non-GC so it pulls the
updates and replicates them to other DCs.

The following KB states that correctly:
http://support.microsoft.com/kb/223346/EN-US/
 
So to be short:
The Infrastructure Master is not allowed to run on a Global Catalog Server
if either
- there are multiple Domains in the Forest
- there are Domain Controllers in the same Domain which are not Global
  Catalog Servers

The Infrastructure Master is allowed to run on a Global Catalog Server in a
Domain if either
- there's only one Domain in the Forest
- every Domain Controller in the Domain in question is Global Catalog Server
---

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 8:26 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology


I'm afraid it's not correct, when all DCs are GCs (within a single domain),
the IM can happily co-reside with a GC.  I'd also mention that the impact
the IM imposes on a DC is typically negligible (forest design can impact
that statement to some extent but I've not personally seen a forest designed
or utilized that badly).

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

You are correct. However if you have two DC's it doesn't hurt to offload the
infrastructure master role to the DC that does not have the other 4 roles,
even if it's in a single domain forest.

Jose :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology


Am I missing something or having Infrastructure Master running on GC is an
issue in multi-domain forest ?

Guy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have so
much time to help us "not quite up to speed, but se

RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Teverovsky, Guy
I see...
(just trying to understand here)

Got back to the docs and it appears I was mistaken about how phantoms
work.
I was sure that Domain Local groups would have issues with having
members from other domains, but now I realize that the membership will
get updated via looking at the GC instead of relying on the phantom.
(the fact the DLGs are not replicated to GC got me think in the wrong
direction)

Sorry for the confusion, 
Guy


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 6:22 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

Note in the original post, Rocky mentioned that all DCs are GCs ... in
instances such as these, co-hosting the IM and GC roles is a non-issue.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Am I missing something or having Infrastructure Master running on GC is an
issue in multi-domain forest ?

Guy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have so
much time to help us "not quite up to speed, but severely overtasked
Administrators");

After a power failure took a Forest Root DC offline over the weekend (for 26
hours), I came in today to find my replication "in question".
Repadmin /Showreps does not show any errors however, it shows inconsistent
Replication partners.  Here is my question;

We have:
Forest Root Domain (Empty)
DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
DC2
One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a
DNS server.

I was positive that I had the Forest Root and Domain at Windows Server
2003 Forest Functional Level but now when I go to AD Domains and Trusts and
click the Forest Root Domain and right click Properties I get:
Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000
When I go to AD Domains and Trusts and click the Domain and right click
Properties I get:
Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have
automatically been generated for each DC but they are inconsistent.  ie:

DC1 goes to DC2 and DC6
DC2 goes to DC1 and DC5
DC4 goes to DC5 and DC6
DC5 goes to DC4 and DC6
DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated connection
objects to everybody else and if they don't, is it just a matter of me
adding the manual new connection object?"  Or am I seeing a properly
configured Sites and Services.  If not, is part of my problem that I have
not got the Forest Root at FFL?

Thanks in advance people for any assistance.  This list is so valuable, it's
not funny.  (Seriously!)

__
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
136 Center Street
Old Town, Maine 04468
207.827.4456
[EMAIL PROTECTED]
www.jws.com
__


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
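Rocky's connection-object listing quoted in the message above, checked as a graph. This is an added example written for this page, not code from the list or from any of the posters; the edge list is transcribed from the quoted message and treating each "DCx goes to DCy" entry as an undirected partnership is an assumption. Inside a site the KCC builds a bidirectional ring and adds connections so that no two DCs are more than three hops apart; it does not build a full mesh, so the checks that matter are reachability, the hop bound, and whether every partnership is listed from both sides.

```python
"""Sanity-check an intra-site set of replication connection objects.

Added example for this page, not code from the list. The KCC builds a
bidirectional ring inside a site and adds connections so that no DC is more
than three hops from any other; it never builds a full mesh. So the useful
checks are: is every DC reachable, is the hop bound met, and is every
partnership listed from both sides.
"""
from collections import deque

# Transcribed from the quoted listing ("DC1 goes to DC2 and DC6", ...).
# Treating each entry as an undirected partnership is an assumption.
CONNECTIONS = {
    "DC1": ["DC2", "DC6"],
    "DC2": ["DC1", "DC5"],
    "DC4": ["DC5", "DC6"],
    "DC5": ["DC4", "DC6"],
    "DC6": ["DC1", "DC4", "DC5"],
}

KCC_MAX_HOPS = 3  # intra-site bound the KCC enforces


def undirected(conns):
    """Build an undirected adjacency map from per-DC partner lists."""
    graph = {}
    for dc, partners in conns.items():
        graph.setdefault(dc, set())
        for partner in partners:
            graph[dc].add(partner)
            graph.setdefault(partner, set()).add(dc)
    return graph


def hop_distances(graph, start):
    """Breadth-first search: hop count from start to every reachable DC."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in graph[cur]:
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def one_sided_links(conns):
    """Partnerships that only one of the two DCs lists."""
    return sorted(
        f"{a}->{b}"
        for a, partners in conns.items()
        for b in partners
        if a not in conns.get(b, [])
    )


def topology_report(conns):
    """Reachability, worst-case hop count and asymmetric listings."""
    graph = undirected(conns)
    dcs = sorted(graph)
    unreachable = set()
    max_hops = 0
    for dc in dcs:
        dist = hop_distances(graph, dc)
        unreachable |= set(dcs) - set(dist)
        max_hops = max(max_hops, max(dist.values()))
    return {
        "dcs": dcs,
        "connected": not unreachable,
        "max_hops": max_hops,
        "within_kcc_bound": max_hops <= KCC_MAX_HOPS,
        "one_sided": one_sided_links(conns),
    }


if __name__ == "__main__":
    for key, value in topology_report(CONNECTIONS).items():
        print(f"{key}: {value}")
```

On this input every DC is within two hops of every other, so the absence of a connection from every DC to every other DC is the normal KCC result, not something to fix by hand. The one partnership listed from a single side (DC2 lists DC5, DC5 does not list DC2) is the kind of asymmetry to confirm with repadmin /showrepl on both DCs rather than patch with a manual connection object.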


[ActiveDir] RDP

2005-08-16 Thread Tom Kern
Does anyone know of any articles from MS that advise for or against
having term services kept on a win2k3 DC?

Does anyone on this list turn it off on DC's?

Should I leave it on?
thanks


RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Medeiros, Jose
I am afraid not... 

One of the common replies and misunderstood rumors is that the Infrastructure 
Master (IM) is only allowed to run on a Global Catalog Server (GC) if every 
Domain Controller (DC) in the Forest is Global Catalog Server. That rumor is 
just based on misleading wording.

The infrastructure master's job is to compare objects of the local domain 
against objects in other domains of the same forest. If the server holding the 
infrastructure master is also a global catalog it won't ever see any 
differences, since the global catalog holds a partial copy of every object in 
the forest itself. Therefore the infrastructure master won't do anything in 
its domain. However if every DC in the Domain is also global catalog server 
there's no job for the IM since the GC already knows about the objects of 
other domains. So if you look at the job the IM has to do, it's pretty clear 
that it may reside on a GC if it's a single domain forest (no need to pull 
updates from other domains). It's also pretty clear that it may reside on a 
GC if it's in a multiple domain forest but every DC in the domain where the 
IM runs on the GC are also GCs (no need to pull updates since the GC knows 
everything).

So the following infrastructure is a valid configuration:

One domain:
R-DC1 (GC + IM)
R-DC2 (GC)
R-DC3-x (must be GC)

Other domain:
O-DC1 (GC)
O-DC2 (IM)
O-DC3-x (might or might not be GC, does not matter)

The first domain does not need to pull updates since the GCs know everything, 
the other domain has the IM running on a non-GC so it pulls the updates and 
replicates them to other DCs.

The following KB states that correctly:
http://support.microsoft.com/kb/223346/EN-US/
 
So to be short:
The Infrastructure Master is not allowed to run on a Global Catalog Server if 
either
there are multiple Domains in the Forest 
there are Domain Controllers in the same Domain which are not Global Catalog 
Servers
 
The Infrastructure Master is allowed to run on a Global Catalog Server in a 
Domain if either
there's only one Domain in the Forest 
every Domain Controller in the Domain in question is Global Catalog Server
---
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 8:26 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology


I'm afraid it's not correct, when all DCs are GCs (within a single domain),
the IM can happily co-reside with a GC.  I'd also mention that the impact
the IM imposes on a DC is typically negligible (forest design can impact
that statement to some extent but I've not personally seen a forest designed
or utilized that badly).

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

You are correct. However if you have two DC's it doesn't hurt to offload the
infrastructure master role to the DC that does not have the other 4 roles,
even if it's in a single domain forest.

Jose :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology


Am I missing something or having Infrastructure Master running on GC is an
issue in multi-domain forest ?

Guy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have so
much time to help us "not quite up to speed, but severely overtasked
Administrators");

After a power failure took a Forest Root DC offline over the weekend (for 26
hours), I came in today to find my replication "in question".
Repadmin /Showreps does not show any errors however, it shows inconsistent
Replication partners.  Here is my question;

We have:
Forest Root Domain (Empty)
DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
DC2
One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a
DNS server.

I was positive that I had the Forest Root and Domain at Windows Server
2003 Forest Functional Level but now when I go to AD Domains and Trusts and
click the Forest Root Domain and right click Properties I get:
Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000
When I go to AD Domains and Trusts and click the Domain and right click
Properties I get:
Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2
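The placement rule Jose lays out in the message above (and in the same text where it is quoted earlier in the thread), as an added check written for this page; it is not code from the list, from Jose, or from Microsoft. It is a small model of a forest that reports, per domain, whether hosting the Infrastructure Master on a GC is harmless or leaves stale phantoms on the non-GC DCs. The layouts are constructed: one mirrors Jose's R-DC/O-DC example, one mirrors Rocky's two-domain forest where every DC is a GC, and one is the misplacement the thread warns about. In a live forest the same inputs would come from repadmin, ntdsutil or the ActiveDirectory PowerShell module rather than literals.

```python
"""Model the Infrastructure Master (IM) placement rule from the thread.

Added example for this page, not code from the list or from Microsoft.
The rule: an IM on a GC is harmless when the forest has one domain, or when
every DC in the IM's domain is a GC (no phantoms exist there). Otherwise the
GC-hosted IM never sees stale cross-domain references and the non-GC DCs in
that domain keep outdated phantoms.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Domain:
    name: str
    dcs: dict[str, bool]        # DC name -> True if that DC is a global catalog
    infrastructure_master: str  # DC holding the IM role


@dataclass
class Forest:
    domains: list[Domain]


def im_placement_ok(forest: Forest, domain: Domain) -> tuple[bool, str]:
    """Return (ok, reason) for the IM placement in one domain."""
    im = domain.infrastructure_master
    if im not in domain.dcs:
        return False, f"IM holder {im} is not a DC of {domain.name}"
    if not domain.dcs[im]:
        return True, f"{im} is not a GC; it updates phantoms normally"
    if len(forest.domains) == 1:
        return True, "single-domain forest: no cross-domain phantoms to maintain"
    if all(domain.dcs.values()):
        return True, "every DC in the domain is a GC: no phantoms, nothing for the IM to do"
    non_gcs = ", ".join(sorted(dc for dc, is_gc in domain.dcs.items() if not is_gc))
    return False, f"IM {im} is a GC but {non_gcs} are not; their phantoms will go stale"


def audit_forest(forest: Forest) -> dict[str, tuple[bool, str]]:
    """Apply the rule to every domain in the forest."""
    return {d.name: im_placement_ok(forest, d) for d in forest.domains}


# Constructed layouts (assumed data, not taken from any real forest).
# Jose's example: root domain all GCs with IM on a GC; other domain IM on a non-GC.
JOSE_LAYOUT = Forest([
    Domain("root", {"R-DC1": True, "R-DC2": True, "R-DC3": True}, "R-DC1"),
    Domain("other", {"O-DC1": True, "O-DC2": False, "O-DC3": False}, "O-DC2"),
])
# Rocky's forest as described in the thread: two domains, every DC a GC.
ROCKY_LAYOUT = Forest([
    Domain("win", {"DC1": True, "DC2": True}, "DC1"),
    Domain("ot", {"DC4": True, "DC5": True, "DC6": True}, "DC5"),
])
# The misplacement the thread warns about: IM on a GC while other DCs are not GCs.
BAD_LAYOUT = Forest([
    Domain("root", {"R-DC1": True, "R-DC2": True}, "R-DC1"),
    Domain("other", {"O-DC1": True, "O-DC2": False}, "O-DC1"),
])

if __name__ == "__main__":
    for label, forest in [("jose", JOSE_LAYOUT), ("rocky", ROCKY_LAYOUT), ("bad", BAD_LAYOUT)]:
        for name, (ok, why) in audit_forest(forest).items():
            print(f"{label}/{name}: {'OK' if ok else 'FIX'} - {why}")
```

The order of the checks is the point: a non-GC IM is always fine, a single-domain forest is always fine, and only a multi-domain forest with a GC-hosted IM and at least one non-GC DC in that domain is flagged, which is exactly the case KB 223346 describes.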

RE: [ActiveDir] Folder Redirection

2005-08-16 Thread Dan Holme
Probably a permissions problem.  Since you’re just TESTING, start by setting
perms on the folder so that the user has full control.  This is not the
‘ideal’ permission set, but it will tell you whether that’s causing the
problem.  Once you know if that’s the issue, we can chat about the exact
permissions for future ‘tests’…

Also check DNS, etc… try connecting to a normal shared folder on the same
server…

Dan


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Paul
Sent: Tuesday, August 16, 2005 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Folder Redirection

I am a newbie – studying for mcse 2000. I do not claim to know much but could
use your patience and help!

I logged on to one of the pc’s as the user that has the GPO (no override is
checked) for folder redirection (it's my docs folder), saved something in it,
but did not find the saved file in the redirected folder.

Any advice is greatly appreciated.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, August 14, 2005 5:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 

Right click and goto properties…

A subject would help your message greatly.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Paul
Sent: Sunday, August 14, 2005 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 

How do you setup folder redirection? How does it work?

1. create shared folder
2. start, programs, administrative tools, AD Users & Computers
3. OU right click, properties, Group policy
4. new, any name, click name, edit, user config, windows settings
5. folder redirection, my docs

Where do you go from here?

Thanks all

RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Dean Wells
As I've said, this is incorrect.  GCs do not maintain this kind of phantom as
they have no need for it.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

In that case I believe that running IM on GCs can cause issues.
The IM in child domain has almost no phantoms to track, but the IM in forest
root would try talking to itself and would fail to update phantoms for all
the user/group/computer/etc objects in the child domain.

Guy


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Rocky Habeeb
Sent: Tuesday, August 16, 2005 6:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

We have a Forest root domain (technically empty > No accounts and
groups other than default)
(win.jws.com.)
We have a single production domain under the forest root.
(ot.win.jws.com.)

Rocky
__

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Rob,
My understanding is that he has two domains in the forest: empty root and a
production child domain. Though the forest root domain is empty, but it still
has 2 domains.

We have:
Forest Root Domain (Empty)
DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
DC2

One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Now looking again at this layout makes me a bit confused as child domains can
hold only 3 FSMOs. Rocky, can you explain what you actually have there ?
"single-domain forest" or "empty root domain + child domain" ?
Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Robert Williams (RRE)
Sent: Tuesday, August 16, 2005 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Actually, if it's a Single Domain Forest then the Infrastructure Master
has no phantoms to keep track of and thus, can be sent anywhere or left
alone as a paper weight.
So while I agree with Jose that it is perfectly fine to move it, doing
so won't really matter until you have phantoms for the infrastructure
master to keep an eye on.
Just my $0.02
Have a great day!
Rob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

You are correct. However if you have two DC's it doesn't hurt to offload
the infrastructure master role to the DC that does not have the other 4
roles, even if it's in a single domain forest.
Jose :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Am I missing something or having Infrastructure Master running on GC is
an issue in multi-domain forest ?
Guy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have
so much time to help us "not quite up to speed, but severely overtasked
Administrators");

After a power failure took a Forest Root DC offline over the weekend
(for 26 hours), I came in today to find my replication "in question".
Repadmin /Showreps does not show any errors however, it shows
inconsistent Replication partners.  Here is my question;

We have:
Forest Root Domain (Empty)
DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
DC2

One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is
a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server
2003 Forest Functional Level but now when I go to AD Domains and Trusts
and click the Forest Root Domain and right click Properties I get:
Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000
When I go to AD Domains and Trusts and click the Domain and right click
Properties I

RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Robert Williams \(RRE\)
Correct…it can, unless all dc’s are gc’s…


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

In that case I believe that running IM on GCs can cause issues.

The IM in child domain has almost no phantoms to track, but the IM in forest
root would try talking to itself and would fail to update phantoms for all
the user/group/computer/etc objects in the child domain.

Guy


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Tuesday, August 16, 2005 6:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

We have a Forest root domain (technically empty > No accounts and groups
other than default)
(win.jws.com.)
We have a single production domain under the forest root.
(ot.win.jws.com.)

Rocky
__

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Rob,

My understanding is that he has two domains in the forest: empty root and a
production child domain. Though the forest root domain is empty, but it
still has 2 domains.

We have:
Forest Root Domain (Empty)
DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
DC2
One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Now looking again at this layout makes me a bit confused as child domains can
hold only 3 FSMOs. Rocky, can you explain what you actually have there ?
"single-domain forest" or "empty root domain + child domain" ?

Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Robert Williams (RRE)
Sent: Tuesday, August 16, 2005 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Actually, if it's a Single Domain Forest then the Infrastructure Master
has no phantoms to keep track of and thus, can be sent anywhere or left
alone as a paper weight.

So while I agree with Jose that it is perfectly fine to move it, doing
so won't really matter until you have phantoms for the infrastructure
master to keep an eye on.

Just my $0.02

Have a great day!

Rob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

You are correct. However if you have two DC's it doesn't hurt to offload
the infrastructure master role to the DC that does not have the other 4
roles, even if it's in a single domain forest.

Jose :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Am I missing something or having Infrastructure Master running on GC is
an issue in multi-domain forest ?

Guy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have
so much time to help us "not quite up to speed, but severely overtasked
Administrators");

After a power failure took a Forest Root DC offline over the weekend
(for 26 hours), I came in today to find my replication "in question".
Repadmin /Showreps does not show any errors however, it shows
inconsistent Replication partners.  Here is my question;

We have:
Forest Root Domain (Empty)
DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
DC2
One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is
a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server
2003 Forest Functional Level but now when I go to AD Domains and Trusts
and click the Forest Root Domain and right click Properties I get:
Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000
When I go to AD Domains and Trusts and click the Domain and right click
Properties I get:
Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have
automatically been generated for each DC but they are inconsistent.  ie:

DC1 goes to DC2 and DC6
DC2 goes to DC1 and DC5
DC4 goes to DC5 and DC6
DC5 goes to DC4 and DC6


RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Rocky Habeeb
Deji,

Thank you for pointing out my mistake.  You are correct.  DC5 holds all
3 roles, not all 5 roles.  It's the details, I know.  I can just hear
joe now, "SEE, SEE, This is what I'm always talking about!"

Rocky



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology


I read it to be that he has 2 domains. He fat-fingered the number of
FSMO roles in the child. But the conclusion is still the same - when all
DCs are GCs in a given domain, IM and GC can co-exist.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Teverovsky, Guy
Sent: Tue 8/16/2005 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology



Rob,

My understanding is that he has two domains in the forest: empty root
and a production child domain. Though the forest root domain is empty,
but it still has 2 domains. 



We have:

Forest Root Domain (Empty)

DC1 (Holds all 5 roles)  (the DC offline for 26 hours)

DC2 

One Domain in the Forest

DC4

DC5 (Holds all 5 Roles)

DC6



Now looking again at this layout makes me a bit confused as child
domains can hold only 3 FSMOs. Rocky, can you explain what you actually
have there ? "single-domain forest" or "empty root domain + child
domain" ?

Guy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams
(RRE)
Sent: Tuesday, August 16, 2005 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Actually, if it's a Single Domain Forest then the Infrastructure Master

has no phantoms to keep track of and thus, can be sent anywhere or left

alone as a paper weight.

So while I agree with Jose that it is perfectly fine to move it, doing

so won't really matter until you have phantoms for the infrastructure

master to keep an eye on.

Just my $0.02

Have a great day!

Rob

-Original Message-

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose

Sent: Tuesday, August 16, 2005 11:17 AM

To: ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] Question on Replication Topology

You are correct. However if you have two DC's it doesn't hurt to offload

the infrastructure master role to the DC that does not have the other 4

roles, even if it's in a single domain forest.

Jose :-)

-Original Message-

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy

Sent: Tuesday, August 16, 2005 8:09 AM

To: ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] Question on Replication Topology


Am I missing something, or is having the Infrastructure Master running on a GC
an issue in a multi-domain forest?

Guy

-Original Message-

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb

Sent: Monday, August 15, 2005 9:28 PM

To: activedir@mail.activedir.org

Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have

so much time to help us "not quite up to speed, but severely overtasked

Administrators");

After a power failure took a Forest Root DC offline over the weekend

(for 26 hours), I came in today to find my replication "in question".

Repadmin /Showreps does not show any errors however, it shows

inconsistent Replication partners.  Here is my question;

We have:

Forest Root Domain (Empty)

DC1 (Holds all 5 roles)  (the DC offline for 26 hours)

DC2 

One Domain in the Forest

DC4

DC5 (Holds all 5 Roles)

DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is

a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server

2003 Forest Functional Level but now when I go to AD Domains and Trusts

and click the Forest Root Domain and right click Properties I get:

Domain Functional Level = Windows 2000 mixed

Forest Functional Level = Windows 2000

When I go to AD Domains and Trusts and click the Domain and right click

Properties I get:

Domain Functional Level = Windows Server 2003

Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have

automatically been generated for each DC but they are inconsistent.  ie:

DC1 goes to DC2 and DC6

DC2 goes to DC1 and DC5

DC4 goes to DC5 and DC6

DC5 goes to DC4 and DC6

DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated

connection objects to everybody else and if they don't, is it just a

matter of me adding the manua

RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Robert Williams \(RRE\)
Exactly...same conclusion...whew!

Glad we got that out of the way...hehe.

Have a great afternoon!

Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

I read it to be that he has 2 domains. He fat-fingered the number of FSMO
roles in the child. But the conclusion is still the same - when all DCs are
GCs in a given domain, IM and GC can co-exist.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Teverovsky, Guy
Sent: Tue 8/16/2005 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology



Rob,

My understanding is that he has two domains in the forest: empty root and a
production child domain. Though the forest root domain is empty, it still
has 2 domains.



We have:

Forest Root Domain (Empty)

DC1 (Holds all 5 roles)  (the DC offline for 26 hours)

DC2 

One Domain in the Forest

DC4

DC5 (Holds all 5 Roles)

DC6



Now looking again at this layout makes me a bit confused as child domains can
hold only 3 FSMOs. Rocky, can you explain what you actually have there ?
"single-domain forest" or "empty root domain + child domain" ?

Guy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams
(RRE)
Sent: Tuesday, August 16, 2005 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Actually, if it's a Single Domain Forest then the Infrastructure Master

has no phantoms to keep track of and thus, can be sent anywhere or left

alone as a paper weight.

So while I agree with Jose that it is perfectly fine to move it, doing

so won't really matter until you have phantoms for the infrastructure

master to keep an eye on.

Just my $0.02

Have a great day!

Rob

-Original Message-

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose

Sent: Tuesday, August 16, 2005 11:17 AM

To: ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] Question on Replication Topology

You are correct. However if you have two DC's it doesn't hurt to offload

the infrastructure master role to the DC that does not have the other 4

roles, even if it's in a single domain forest.

Jose :-)

-Original Message-

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy

Sent: Tuesday, August 16, 2005 8:09 AM

To: ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] Question on Replication Topology


Am I missing something, or is having the Infrastructure Master running on a GC
an issue in a multi-domain forest?

Guy

-Original Message-

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb

Sent: Monday, August 15, 2005 9:28 PM

To: activedir@mail.activedir.org

Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have

so much time to help us "not quite up to speed, but severely overtasked

Administrators");

After a power failure took a Forest Root DC offline over the weekend

(for 26 hours), I came in today to find my replication "in question".

Repadmin /Showreps does not show any errors however, it shows

inconsistent Replication partners.  Here is my question;

We have:

Forest Root Domain (Empty)

DC1 (Holds all 5 roles)  (the DC offline for 26 hours)

DC2 

One Domain in the Forest

DC4

DC5 (Holds all 5 Roles)

DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is

a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server

2003 Forest Functional Level but now when I go to AD Domains and Trusts

and click the Forest Root Domain and right click Properties I get:

Domain Functional Level = Windows 2000 mixed

Forest Functional Level = Windows 2000

When I go to AD Domains and Trusts and click the Domain and right click

Properties I get:

Domain Functional Level = Windows Server 2003

Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have

automatically been generated for each DC but they are inconsistent.  ie:

DC1 goes to DC2 and DC6

DC2 goes to DC1 and DC5

DC4 goes to DC5 and DC6

DC5 goes to DC4 and DC6

DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated

connection objects to everybody else and if they don't, is it just a

matter of me adding the manual new connection object?"  Or am I seeing a

properly configured Sites and Services.  If not, is part of my problem

that I have not got the Forest Roo

RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Robert Williams \(RRE\)








I wasn’t answering with any specific setup in mind…the previous poster asked
about the single-domain part.  I don’t know where it came from and it wasn’t
really important to my answer…but yes, if you have more than one domain then
you will still have the same requirements (meaning separate the IM from GC or
make *all DCs* GCs).

 

Rob

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Rob,

My understanding is that he has two domains in the forest: empty root and a
production child domain. Though the forest root domain is empty, it still
has 2 domains.

We have:

Forest Root Domain (Empty)
DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
DC2

One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Now looking again at this layout makes me a bit confused as child domains can
hold only 3 FSMOs. Rocky, can you explain what you actually have there ?
"single-domain forest" or "empty root domain + child domain" ?

Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Williams (RRE)
Sent: Tuesday, August 16, 2005 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Actually, if it's a Single Domain Forest then the Infrastructure Master
has no phantoms to keep track of and thus, can be sent anywhere or left
alone as a paper weight.

So while I agree with Jose that it is perfectly fine to move it, doing
so won't really matter until you have phantoms for the infrastructure
master to keep an eye on.

Just my $0.02

Have a great day!

Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

You are correct. However if you have two DC's it doesn't hurt to offload
the infrastructure master role to the DC that does not have the other 4
roles, even if it's in a single domain forest.

Jose :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Am I missing something, or is having the Infrastructure Master running on a GC
an issue in a multi-domain forest?

Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have
so much time to help us "not quite up to speed, but severely overtasked
Administrators");

After a power failure took a Forest Root DC offline over the weekend
(for 26 hours), I came in today to find my replication "in question".
Repadmin /Showreps does not show any errors however, it shows
inconsistent Replication partners.  Here is my question;

We have:

Forest Root Domain (Empty)
DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
DC2

One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is
a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server
2003 Forest Functional Level but now when I go to AD Domains and Trusts
and click the Forest Root Domain and right click Properties I get:

Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000

When I go to AD Domains and Trusts and click the Domain and right click
Properties I get:

Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have
automatically been generated for each DC but they are inconsistent.  ie:

DC1 goes to DC2 and DC6
DC2 goes to DC1 and DC5
DC4 goes to DC5 and DC6
DC5 goes to DC4 and DC6
DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated
connection objects to everybody else and if they don't, is it just a
matter of me adding the manual new connection object?"  Or am I seeing a
properly configured Sites and Services.  If not, is part of my problem
that I have not got the Forest Root at FFL?

Thanks in advance people for any assistance.  This list is so valuable,
it's not funny.  (Seriously!)

__

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
136 Center Street
Old Town, Maine 04468
207.827.4456
[EMAIL PROTECTED]
www.jws.com

__
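The rule Rob states above (separate the IM from the GC, or make every DC in that domain a GC) can be checked per domain with the ActiveDirectory PowerShell module. This is an added example, not code from anyone in the thread; it assumes the RSAT ActiveDirectory module is installed and that the account running it can read every domain in the forest.

```powershell
# Added example (not from the thread): audit Infrastructure Master (IM) vs.
# Global Catalog (GC) placement for each domain in the forest.
#   - single-domain forest: the IM has no cross-domain phantoms to track, so
#     placement does not matter
#   - multi-domain forest: the IM may sit on a GC only if *all* DCs in that
#     domain are GCs; otherwise the IM never sees stale phantoms to update
# Assumes the RSAT ActiveDirectory module and read access to every domain.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    [CmdletBinding()]
    param(
        # Forest to inspect; defaults to the forest of the current user.
        [string]$Forest = (Get-ADForest).Name
    )

    $domains     = @((Get-ADForest -Identity $Forest).Domains)
    $multiDomain = $domains.Count -gt 1

    foreach ($domainName in $domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)

        $im     = $domain.InfrastructureMaster           # FQDN of the IM role holder
        $imDc   = $dcs | Where-Object { $_.HostName -eq $im }
        $imIsGc = [bool]($imDc.IsGlobalCatalog)
        $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

        $status = if (-not $multiDomain) {
            'OK (single-domain forest; IM placement is irrelevant)'
        } elseif ($imIsGc -and -not $allGc) {
            'MISCONFIGURED (IM on a GC while some DCs in the domain are not GCs)'
        } elseif ($imIsGc) {
            'OK (all DCs are GCs; IM and GC can co-exist)'
        } else {
            'OK (IM is not a GC)'
        }

        [pscustomobject]@{
            Domain               = $domainName
            InfrastructureMaster = $im
            ImIsGlobalCatalog    = $imIsGc
            AllDcsAreGc          = $allGc
            DcCount              = $dcs.Count
            Status               = $status
        }
    }
}

Test-InfrastructureMasterPlacement | Format-Table -AutoSize
```

Run it from any domain-joined workstation with RSAT; a MISCONFIGURED row names the domain whose IM should be moved off the GC (or whose remaining DCs should be made GCs).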


RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Teverovsky, Guy








In that case I believe that running IM
on GCs can cause issues.

The IM in child domain has almost no
phantoms to track, but the IM in forest root would try talking to itself and
would fail to update phantoms for all the user/group/computer/etc objects in
the child domain.

 



Guy



 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Tuesday, August 16, 2005 6:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

We have a Forest root domain (technically empty > No accounts and groups other
than default)
(win.jws.com.)

We have a single production domain under the forest root.
(ot.win.jws.com.)

Rocky
__

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Rob,

My understanding is that he has two domains in the forest: empty root and a
production child domain. Though the forest root domain is empty, it still
has 2 domains.

We have:

Forest Root Domain (Empty)
DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
DC2

One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Now looking again at this layout makes me a bit confused as child domains can
hold only 3 FSMOs. Rocky, can you explain what you actually have there ?
"single-domain forest" or "empty root domain + child domain" ?

Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Williams (RRE)
Sent: Tuesday, August 16, 2005 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Actually, if it's a Single Domain Forest then the Infrastructure Master
has no phantoms to keep track of and thus, can be sent anywhere or left
alone as a paper weight.

So while I agree with Jose that it is perfectly fine to move it, doing
so won't really matter until you have phantoms for the infrastructure
master to keep an eye on.

Just my $0.02

Have a great day!

Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

You are correct. However if you have two DC's it doesn't hurt to offload
the infrastructure master role to the DC that does not have the other 4
roles, even if it's in a single domain forest.

Jose :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Am I missing something, or is having the Infrastructure Master running on a GC
an issue in a multi-domain forest?

Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have
so much time to help us "not quite up to speed, but severely overtasked
Administrators");

After a power failure took a Forest Root DC offline over the weekend
(for 26 hours), I came in today to find my replication "in question".
Repadmin /Showreps does not show any errors however, it shows
inconsistent Replication partners.  Here is my question;

We have:

Forest Root Domain (Empty)
DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
DC2

One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is
a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server
2003 Forest Functional Level but now when I go to AD Domains and Trusts
and click the Forest Root Domain and right click Properties I get:

Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000

When I go to AD Domains and Trusts and click the Domain and right click
Properties I get:

Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have
automatically been generated for each DC but they are inconsistent.  ie:

DC1 goes to DC2 and DC6
DC2 goes to DC1 and DC5
DC4 goes to DC5 and DC6
DC5 goes to DC4 and DC6
DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated
connection objects to everybody else and if they don't, is it just a
matter of me adding the manual new connection object?"  Or am I seeing a
properly configured Sites
RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread deji
I read it to be that he has 2 domains. He fat-fingered the number of FSMO
roles in the child. But the conclusion is still the same - when all DCs are
GCs in a given domain, IM and GC can co-exist.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Teverovsky, Guy
Sent: Tue 8/16/2005 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology



Rob,

My understanding is that he has two domains in the forest: empty root and a
production child domain. Though the forest root domain is empty, it still
has 2 domains.



We have:

Forest Root Domain (Empty)

DC1 (Holds all 5 roles)  (the DC offline for 26 hours)

DC2 

One Domain in the Forest

DC4

DC5 (Holds all 5 Roles)

DC6



Now looking again at this layout makes me a bit confused as child domains can
hold only 3 FSMOs. Rocky, can you explain what you actually have there ?
"single-domain forest" or "empty root domain + child domain" ?

Guy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams
(RRE)
Sent: Tuesday, August 16, 2005 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Actually, if it's a Single Domain Forest then the Infrastructure Master

has no phantoms to keep track of and thus, can be sent anywhere or left

alone as a paper weight.

So while I agree with Jose that it is perfectly fine to move it, doing

so won't really matter until you have phantoms for the infrastructure

master to keep an eye on.

Just my $0.02

Have a great day!

Rob

-Original Message-

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose

Sent: Tuesday, August 16, 2005 11:17 AM

To: ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] Question on Replication Topology

You are correct. However if you have two DC's it doesn't hurt to offload

the infrastructure master role to the DC that does not have the other 4

roles, even if it's in a single domain forest.

Jose :-)

-Original Message-

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy

Sent: Tuesday, August 16, 2005 8:09 AM

To: ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] Question on Replication Topology


Am I missing something, or is having the Infrastructure Master running on a GC
an issue in a multi-domain forest?

Guy

-Original Message-

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb

Sent: Monday, August 15, 2005 9:28 PM

To: activedir@mail.activedir.org

Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have

so much time to help us "not quite up to speed, but severely overtasked

Administrators");

After a power failure took a Forest Root DC offline over the weekend

(for 26 hours), I came in today to find my replication "in question".

Repadmin /Showreps does not show any errors however, it shows

inconsistent Replication partners.  Here is my question;

We have:

Forest Root Domain (Empty)

DC1 (Holds all 5 roles)  (the DC offline for 26 hours)

DC2 

One Domain in the Forest

DC4

DC5 (Holds all 5 Roles)

DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is

a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server

2003 Forest Functional Level but now when I go to AD Domains and Trusts

and click the Forest Root Domain and right click Properties I get:

Domain Functional Level = Windows 2000 mixed

Forest Functional Level = Windows 2000

When I go to AD Domains and Trusts and click the Domain and right click

Properties I get:

Domain Functional Level = Windows Server 2003

Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have

automatically been generated for each DC but they are inconsistent.  ie:

DC1 goes to DC2 and DC6

DC2 goes to DC1 and DC5

DC4 goes to DC5 and DC6

DC5 goes to DC4 and DC6

DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated

connection objects to everybody else and if they don't, is it just a

matter of me adding the manual new connection object?"  Or am I seeing a

properly configured Sites and Services.  If not, is part of my problem

that I have not got the Forest Root at FFL?

Thanks in advance people for any assistance.  This list is so valuable,

it's not funny.  (Seriously!)

__

Rocky Habeeb

Microsoft Systems Administrator

James W. Sewall Company

136 Center Street

Old Town, Maine 04468

207.827.4456

[EMAIL PROTECTED]

www.jws.com

__



RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Rocky Habeeb



We have a Forest root domain (technically empty > No accounts and groups other
than default)
(win.jws.com.)

We have a single production domain under the forest root.
(ot.win.jws.com.)

Rocky
__

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Rob,

My understanding is that he has two domains in the forest: empty root and a
production child domain. Though the forest root domain is empty, it still
has 2 domains.

We have:

Forest Root Domain (Empty)
DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
DC2

One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Now looking again at this layout makes me a bit confused as child domains can
hold only 3 FSMOs. Rocky, can you explain what you actually have there ?
"single-domain forest" or "empty root domain + child domain" ?

Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Williams (RRE)
Sent: Tuesday, August 16, 2005 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Actually, if it's a Single Domain Forest then the Infrastructure Master
has no phantoms to keep track of and thus, can be sent anywhere or left
alone as a paper weight.

So while I agree with Jose that it is perfectly fine to move it, doing
so won't really matter until you have phantoms for the infrastructure
master to keep an eye on.

Just my $0.02

Have a great day!

Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

You are correct. However if you have two DC's it doesn't hurt to offload
the infrastructure master role to the DC that does not have the other 4
roles, even if it's in a single domain forest.

Jose :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Am I missing something, or is having the Infrastructure Master running on a GC
an issue in a multi-domain forest?

Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have
so much time to help us "not quite up to speed, but severely overtasked
Administrators");

After a power failure took a Forest Root DC offline over the weekend
(for 26 hours), I came in today to find my replication "in question".
Repadmin /Showreps does not show any errors however, it shows
inconsistent Replication partners.  Here is my question;

We have:

Forest Root Domain (Empty)
DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
DC2

One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is
a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server
2003 Forest Functional Level but now when I go to AD Domains and Trusts
and click the Forest Root Domain and right click Properties I get:

Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000

When I go to AD Domains and Trusts and click the Domain and right click
Properties I get:

Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have
automatically been generated for each DC but they are inconsistent.  ie:

DC1 goes to DC2 and DC6
DC2 goes to DC1 and DC5
DC4 goes to DC5 and DC6
DC5 goes to DC4 and DC6
DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated
connection objects to everybody else and if they don't, is it just a
matter of me adding the manual new connection object?"  Or am I seeing a
properly configured Sites and Services.  If not, is part of my problem
that I have not got the Forest Root at FFL?

Thanks in advance people for any assistance.  This list is so valuable,
it's not funny.  (Serious

RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Teverovsky, Guy






Rob,

My understanding is that he has two domains in the forest: empty root and a production child domain. Though the forest root domain is empty, it still has 2 domains.





We have:

Forest Root Domain (Empty)

DC1 (Holds all 5 roles)  (the DC offline for 26 hours)

DC2 

One Domain in the Forest

DC4

DC5 (Holds all 5 Roles)

DC6





Now looking again at this layout makes me a bit confused as child domains can hold only 3 FSMOs. Rocky, can you explain what you actually have there ? "single-domain forest" or "empty root domain + child domain" ?

Guy



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Williams (RRE)
Sent: Tuesday, August 16, 2005 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Actually, if it's a Single Domain Forest then the Infrastructure Master

has no phantoms to keep track of and thus, can be sent anywhere or left

alone as a paper weight.

So while I agree with Jose that it is perfectly fine to move it, doing

so won't really matter until you have phantoms for the infrastructure

master to keep an eye on.

Just my $0.02

Have a great day!

Rob

-Original Message-

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose

Sent: Tuesday, August 16, 2005 11:17 AM

To: ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] Question on Replication Topology

You are correct. However if you have two DC's it doesn't hurt to offload

the infrastructure master role to the DC that does not have the other 4

roles, even if it's in a single domain forest.

Jose :-)

-Original Message-

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED]]On Behalf Of Teverovsky, Guy

Sent: Tuesday, August 16, 2005 8:09 AM

To: ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] Question on Replication Topology


Am I missing something, or is having the Infrastructure Master running on a GC
an issue in a multi-domain forest?

Guy

-Original Message-

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb

Sent: Monday, August 15, 2005 9:28 PM

To: activedir@mail.activedir.org

Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have

so much time to help us "not quite up to speed, but severely overtasked

Administrators");

After a power failure took a Forest Root DC offline over the weekend

(for 26 hours), I came in today to find my replication "in question".

Repadmin /Showreps does not show any errors however, it shows

inconsistent Replication partners.  Here is my question;

We have:

Forest Root Domain (Empty)

DC1 (Holds all 5 roles)  (the DC offline for 26 hours)

DC2 

One Domain in the Forest

DC4

DC5 (Holds all 5 Roles)

DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is

a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server

2003 Forest Functional Level but now when I go to AD Domains and Trusts

and click the Forest Root Domain and right click Properties I get:

Domain Functional Level = Windows 2000 mixed

Forest Functional Level = Windows 2000

When I go to AD Domains and Trusts and click the Domain and right click

Properties I get:

Domain Functional Level = Windows Server 2003

Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have

automatically been generated for each DC but they are inconsistent.  ie:

DC1 goes to DC2 and DC6

DC2 goes to DC1 and DC5

DC4 goes to DC5 and DC6

DC5 goes to DC4 and DC6

DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated

connection objects to everybody else and if they don't, is it just a

matter of me adding the manual new connection object?"  Or am I seeing a

properly configured Sites and Services.  If not, is part of my problem

that I have not got the Forest Root at FFL?

Thanks in advance people for any assistance.  This list is so valuable,

it's not funny.  (Seriously!)

__

Rocky Habeeb

Microsoft Systems Administrator

James W. Sewall Company

136 Center Street

Old Town, Maine 04468

207.827.4456

[EMAIL PROTECTED]

www.jws.com

__


List info   : http://www.activedir.org/List.aspx

List FAQ    : http://www.activedir.org/ListFAQ.aspx

List archive:

http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Folder Redirection

2005-08-16 Thread Patrick Paul








I am a newbie – studying for MCSE 2000. I do not claim to know much but could
use your patience and help!

I logged on to one of the PCs as the user that has the GPO (No Override is
checked) for folder redirection (it's the My Docs folder), saved something in
it, but did not find the saved file in the redirected folder.

Any advice is greatly appreciated.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, August 14, 2005 5:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]

Right click and go to Properties…

A subject would help your message greatly.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Paul
Sent: Sunday, August 14, 2005 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]

How do you set up folder redirection? How does it work?

1. Create a shared folder
2. Start, Programs, Administrative Tools, AD Users & Computers
3. OU: right click, Properties, Group Policy
4. New, any name, click the name, Edit, User Configuration, Windows Settings
5. Folder Redirection, My Docs

Where do you go from here?

Thanks all

 








RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Dean Wells
I'm afraid it's not correct: when all DCs are GCs (within a single domain),
the IM can happily co-reside with a GC.  I'd also mention that the impact
the IM imposes on a DC is typically negligible (forest design can impact
that statement to some extent, but I've not personally seen a forest designed
or utilized that badly).

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

You are correct.  However, if you have two DCs it doesn't hurt to offload the
infrastructure master role to the DC that does not have the other 4 roles,
even if it's in a single domain forest.

Jose :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Am I missing something, or is having the Infrastructure Master running on a GC
an issue in a multi-domain forest?

Guy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (whom I have a hard time figuring out how you all have so
much time to help us "not quite up to speed, but severely overtasked
Administrators"):

After a power failure took a Forest Root DC offline over the weekend (for 26
hours), I came in today to find my replication "in question".
Repadmin /Showreps does not show any errors; however, it shows inconsistent
replication partners.  Here is my question:

We have:
Forest Root Domain (Empty)
DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
DC2
One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a
DNS server.

I was positive that I had the Forest Root and Domain at Windows Server
2003 Forest Functional Level, but now when I go to AD Domains and Trusts and
click the Forest Root Domain and right click Properties I get:
Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000
When I go to AD Domains and Trusts and click the Domain and right click
Properties I get:
Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have
automatically been generated for each DC, but they are inconsistent, i.e.:

DC1 goes to DC2 and DC6
DC2 goes to DC1 and DC5
DC4 goes to DC5 and DC6
DC5 goes to DC4 and DC6
DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated connection
objects to everybody else, and if they don't, is it just a matter of me
adding the manual new connection object?"  Or am I seeing a properly
configured Sites and Services?  If not, is part of my problem that I have
not got the Forest Root at FFL?

Thanks in advance, people, for any assistance.  This list is so valuable it's
not funny.  (Seriously!)

__
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
136 Center Street
Old Town, Maine 04468
207.827.4456
[EMAIL PROTECTED]
www.jws.com
__


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
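Rocky's connection-object list and the IM/GC rule the replies converge on, modelled as an added example (Python written for this page, not code from the thread, from Microsoft or from any of the posters). The graph is constructed from the five "DCx goes to" lines Rocky posted; the three-hop bound is the intra-site target the KCC builds towards (a ring plus shortcut connections, not a full mesh), and `im_on_gc_is_safe` encodes the two conditions Robert and Dean give: a single-domain forest has no phantoms, and a domain whose DCs are all GCs has none either. The check returns the same verdict whichever direction "goes to" is read as, because reversing every edge leaves reachability and hop counts unchanged.

```python
from collections import deque

# Constructed from the connection objects Rocky listed ("DCx goes to ...");
# each DC maps to the partners its connection objects point at.
CONNECTIONS = {
    "DC1": {"DC2", "DC6"},
    "DC2": {"DC1", "DC5"},
    "DC4": {"DC5", "DC6"},
    "DC5": {"DC4", "DC6"},
    "DC6": {"DC1", "DC4", "DC5"},
}

# Intra-site target the KCC works to: every DC within three hops of every other.
MAX_HOPS = 3


def all_dcs(graph):
    """Every DC named either as a key or as somebody's partner."""
    return set(graph) | {p for partners in graph.values() for p in partners}


def hop_distances(graph, start):
    """Breadth-first search: hop count from `start` to every DC it can reach."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph.get(node, ())):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def topology_report(graph, max_hops=MAX_HOPS):
    """Return (is_healthy, findings).  Healthy means every DC has at least one
    connection object, can reach every other DC, and no pair is further apart
    than `max_hops`.  A full mesh is NOT required for this to hold."""
    dcs = all_dcs(graph)
    findings = []
    for dc in sorted(dcs):
        if not graph.get(dc):
            findings.append(f"{dc} has no connection objects")
            continue
        dist = hop_distances(graph, dc)
        missing = sorted(dcs - set(dist))
        if missing:
            findings.append(f"{dc} cannot reach {', '.join(missing)}")
        far = sorted(d for d, h in dist.items() if h > max_hops)
        if far:
            findings.append(f"{dc} is more than {max_hops} hops from {', '.join(far)}")
    return (not findings, findings)


def diameter(graph):
    """Longest shortest path (in hops) between any two DCs; None if some DC
    cannot reach every other."""
    dcs = all_dcs(graph)
    worst = 0
    for dc in dcs:
        dist = hop_distances(graph, dc)
        if set(dist) != dcs:
            return None
        worst = max(worst, max(dist.values()))
    return worst


def im_on_gc_is_safe(domains_in_forest, all_dcs_in_domain_are_gc):
    """The Infrastructure Master only has phantoms to maintain in a multi-domain
    forest, and a GC never holds phantoms, so IM-on-GC is only a concern when
    the forest has more than one domain AND some DC in the IM's domain is not
    a GC."""
    return domains_in_forest == 1 or all_dcs_in_domain_are_gc


if __name__ == "__main__":
    healthy, findings = topology_report(CONNECTIONS)
    print("healthy:", healthy, "diameter:", diameter(CONNECTIONS), findings)
    # Rocky's forest: two domains, every DC a GC.
    print("IM on GC safe here:", im_on_gc_is_safe(2, True))
```

On Rocky's list the report comes back healthy with a diameter of 3 (DC4 reaches DC2 only via DC6 and DC1), which is exactly what a KCC-generated intra-site topology looks like. Note that DC1/DC2 and DC4/DC5/DC6 are in different domains, so the DC1-DC6 and DC2-DC5 connections can only carry the schema, configuration and GC partial partitions; the domain partitions travel over the in-domain edges.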


RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Robert Williams \(RRE\)
Actually, if it's a Single Domain Forest then the Infrastructure Master
has no phantoms to keep track of and thus can be sent anywhere or left
alone as a paperweight.

So while I agree with Jose that it is perfectly fine to move it, doing
so won't really matter until you have phantoms for the infrastructure
master to keep an eye on.

Just my $0.02

Have a great day!

Rob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

You are correct.  However, if you have two DCs it doesn't hurt to offload
the infrastructure master role to the DC that does not have the other 4
roles, even if it's in a single domain forest.

Jose :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Am I missing something, or is having the Infrastructure Master running on a
GC an issue in a multi-domain forest?

Guy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (whom I have a hard time figuring out how you all have
so much time to help us "not quite up to speed, but severely overtasked
Administrators"):

After a power failure took a Forest Root DC offline over the weekend
(for 26 hours), I came in today to find my replication "in question".
Repadmin /Showreps does not show any errors; however, it shows
inconsistent replication partners.  Here is my question:

We have:
Forest Root Domain (Empty)
DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
DC2
One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is
a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server
2003 Forest Functional Level, but now when I go to AD Domains and Trusts
and click the Forest Root Domain and right click Properties I get:
Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000
When I go to AD Domains and Trusts and click the Domain and right click
Properties I get:
Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have
automatically been generated for each DC, but they are inconsistent, i.e.:

DC1 goes to DC2 and DC6
DC2 goes to DC1 and DC5
DC4 goes to DC5 and DC6
DC5 goes to DC4 and DC6
DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated
connection objects to everybody else, and if they don't, is it just a
matter of me adding the manual new connection object?"  Or am I seeing a
properly configured Sites and Services?  If not, is part of my problem
that I have not got the Forest Root at FFL?

Thanks in advance, people, for any assistance.  This list is so valuable
it's not funny.  (Seriously!)

__
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
136 Center Street
Old Town, Maine 04468
207.827.4456
[EMAIL PROTECTED]
www.jws.com
__

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Dean Wells
Note in the original post, Rocky mentioned that all DCs are GCs ... in
instances such as these, co-hosting the IM and GC roles is a non-issue.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Am I missing something, or is having the Infrastructure Master running on a GC
an issue in a multi-domain forest?

Guy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (whom I have a hard time figuring out how you all have so
much time to help us "not quite up to speed, but severely overtasked
Administrators"):

After a power failure took a Forest Root DC offline over the weekend (for 26
hours), I came in today to find my replication "in question".
Repadmin /Showreps does not show any errors; however, it shows inconsistent
replication partners.  Here is my question:

We have:
Forest Root Domain (Empty)
DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
DC2
One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a
DNS server.

I was positive that I had the Forest Root and Domain at Windows Server
2003 Forest Functional Level, but now when I go to AD Domains and Trusts and
click the Forest Root Domain and right click Properties I get:
Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000
When I go to AD Domains and Trusts and click the Domain and right click
Properties I get:
Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have
automatically been generated for each DC, but they are inconsistent, i.e.:

DC1 goes to DC2 and DC6
DC2 goes to DC1 and DC5
DC4 goes to DC5 and DC6
DC5 goes to DC4 and DC6
DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated connection
objects to everybody else, and if they don't, is it just a matter of me
adding the manual new connection object?"  Or am I seeing a properly
configured Sites and Services?  If not, is part of my problem that I have
not got the Forest Root at FFL?

Thanks in advance, people, for any assistance.  This list is so valuable it's
not funny.  (Seriously!)

__
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
136 Center Street
Old Town, Maine 04468
207.827.4456
[EMAIL PROTECTED]
www.jws.com
__




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Medeiros, Jose
You are correct.  However, if you have two DCs it doesn't hurt to offload the
infrastructure master role to the DC that does not have the other 4 roles, even
if it's in a single domain forest.

Jose :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Am I missing something, or is having the Infrastructure Master running on a
GC an issue in a multi-domain forest?

Guy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (whom I have a hard time figuring out how you all have
so much time to help us "not quite up to speed, but severely overtasked
Administrators"):

After a power failure took a Forest Root DC offline over the weekend
(for 26 hours), I came in today to find my replication "in question".
Repadmin /Showreps does not show any errors; however, it shows
inconsistent replication partners.  Here is my question:

We have:
Forest Root Domain (Empty)
DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
DC2
One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is
a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server
2003 Forest Functional Level, but now when I go to AD Domains and Trusts
and click the Forest Root Domain and right click Properties I get:
Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000
When I go to AD Domains and Trusts and click the Domain and right click
Properties I get:
Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have
automatically been generated for each DC, but they are inconsistent, i.e.:

DC1 goes to DC2 and DC6
DC2 goes to DC1 and DC5
DC4 goes to DC5 and DC6
DC5 goes to DC4 and DC6
DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated
connection objects to everybody else, and if they don't, is it just a
matter of me adding the manual new connection object?"  Or am I seeing a
properly configured Sites and Services?  If not, is part of my problem
that I have not got the Forest Root at FFL?

Thanks in advance, people, for any assistance.  This list is so valuable
it's not funny.  (Seriously!)

__
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
136 Center Street
Old Town, Maine 04468
207.827.4456
[EMAIL PROTECTED]
www.jws.com
__


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Teverovsky, Guy
Am I missing something, or is having the Infrastructure Master running on a
GC an issue in a multi-domain forest?

Guy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (whom I have a hard time figuring out how you all have
so much time to help us "not quite up to speed, but severely overtasked
Administrators"):

After a power failure took a Forest Root DC offline over the weekend
(for 26 hours), I came in today to find my replication "in question".
Repadmin /Showreps does not show any errors; however, it shows
inconsistent replication partners.  Here is my question:

We have:
Forest Root Domain (Empty)
DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
DC2
One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is
a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server
2003 Forest Functional Level, but now when I go to AD Domains and Trusts
and click the Forest Root Domain and right click Properties I get:
Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000
When I go to AD Domains and Trusts and click the Domain and right click
Properties I get:
Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have
automatically been generated for each DC, but they are inconsistent, i.e.:

DC1 goes to DC2 and DC6
DC2 goes to DC1 and DC5
DC4 goes to DC5 and DC6
DC5 goes to DC4 and DC6
DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated
connection objects to everybody else, and if they don't, is it just a
matter of me adding the manual new connection object?"  Or am I seeing a
properly configured Sites and Services?  If not, is part of my problem
that I have not got the Forest Root at FFL?

Thanks in advance, people, for any assistance.  This list is so valuable
it's not funny.  (Seriously!)

__
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
136 Center Street
Old Town, Maine 04468
207.827.4456
[EMAIL PROTECTED]
www.jws.com
__

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] GPO with folder redirection not applying against machines OU

2005-08-16 Thread Cace, Andrew



Robert,
  I can't replicate your situation.  I created a GPO, configured folder
redirection in the user portion of the GPO and loopback processing in Replace
mode in the computer portion of the GPO.  When I ran the modeling wizard, the
Summary tab shows the policy applying and the Settings tab shows the folder
redirection under the computer portion of the GPO.

-Andrew

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Dale
Sent: Tuesday, August 16, 2005 9:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO with folder redirection not applying against machines OU

Dear Andrew,

Thanks.

I tried this and although it shows the loopback policy option in the modeling
report once rerun, it does not show the folder redirection.  Could this be a
weakness in the modeler, and will it simply show up when the users log in?

Robert Dale

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cace, Andrew
Sent: 16 August 2005 15:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO with folder redirection not applying against machines OU

Robert,
  Check out Loopback Processing.  This will allow user policies to be applied
based upon the AD location of the computer.  See the following link for
details:  http://support.microsoft.com/?kbid=231287

-Andrew

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Dale
Sent: Tuesday, August 16, 2005 8:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO with folder redirection not applying against machines OU

I've set up an OU for my Citrix farm and one for my users, then created a GPO
called FR that only contains the folder redirection information and linked
this to the OU that all my Citrix servers are in.  However, when I run the
modeling wizard the GPO is never shown unless I place a link for it in the
users OU; however, I only want the folder redirection to apply when the users
log into the Citrix server, not for their local desktops.  If I add any
entries in the machine part of the GPO none of them are applied; only the user
parts are applied as the winning GPO.

I don't have folder redirection enabled in any other GPOs.

It's not just with folder redirection: any change I make that is machine
related doesn't show up, in spite of the fact that I have the GPO enabled for
both user and computer configuration.

Any ideas or a workaround so that I can have folder redirection only for users
logging into specific machines?


smime.p7s
Description: S/MIME cryptographic signature
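The loopback behaviour Andrew points Robert at, modelled as an added example (Python written for this page, not code from the thread or from Microsoft). The GPO lists are constructed; only the "FR" GPO name comes from Robert's post, the other GPO names and settings are invented. The model shows why a user-side setting linked only to the Citrix servers' OU never reaches a user whose account lives elsewhere under normal processing, and what Merge and Replace loopback modes do to the resultant set. Loopback is itself a computer-configuration setting ("User Group Policy loopback processing mode"), so in a real deployment it has to be set in a GPO that applies to the Citrix computers.

```python
# Constructed GPO lists in processing order (domain link first, then OU links
# down to the object's own OU): a later GPO overrides an earlier one on the same
# setting.  Each entry: (GPO name, user-configuration half, computer-configuration half).
# "FR" is the folder-redirection GPO from the thread; the others are invented.
GPOS_IN_USER_SCOPE = [
    ("Default Domain Policy", {"wallpaper": "corp.bmp"}, {"min_password_length": 8}),
    ("Users Baseline", {"wallpaper": "users.bmp", "home_drive": "H:"}, {}),
]
GPOS_IN_COMPUTER_SCOPE = [   # what is linked above the Citrix servers' OU
    ("Default Domain Policy", {"wallpaper": "corp.bmp"}, {"min_password_length": 8}),
    ("FR", {"my_documents": r"\\fs1\redir\%username%"}, {}),
]


def apply_in_order(gpos, half):
    """Merge the chosen half ("user" or "computer") of each GPO; later wins."""
    index = 1 if half == "user" else 2
    result = {}
    for gpo in gpos:
        result.update(gpo[index])
    return result


def resultant_computer_settings(computer_gpos):
    """Computer settings always come from the computer's own scope."""
    return apply_in_order(computer_gpos, "computer")


def resultant_user_settings(user_gpos, computer_gpos, loopback=None):
    """User settings in effect at logon.  `loopback` is the value of the
    "User Group Policy loopback processing mode" computer setting applied to
    the machine (so it must come from a GPO in the computer's scope):
      None      normal processing: only the GPOs in the user's own scope;
      "merge"   user's GPOs first, then the user halves of the computer's
                GPOs on top, which win any conflict;
      "replace" only the user halves of the computer's GPOs."""
    if loopback is None:
        return apply_in_order(user_gpos, "user")
    if loopback == "merge":
        return apply_in_order(user_gpos + computer_gpos, "user")
    if loopback == "replace":
        return apply_in_order(computer_gpos, "user")
    raise ValueError(f"unknown loopback mode {loopback!r}")


def folder_redirection_applies(user_gpos, computer_gpos, loopback=None):
    """Robert's question in one call: does the FR setting reach the user?"""
    return "my_documents" in resultant_user_settings(user_gpos, computer_gpos, loopback)


if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, resultant_user_settings(GPOS_IN_USER_SCOPE, GPOS_IN_COMPUTER_SCOPE, mode))
```

Without loopback the user's resultant set contains no folder redirection at all, which is Robert's symptom; with Replace only the Citrix-side user settings apply (the user loses "home_drive" here), and with Merge both sets apply with the Citrix-side GPOs winning conflicts. Replace is the usual choice for terminal servers precisely because it stops desktop-oriented user settings from leaking onto the shared server.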


RE: [ActiveDir] Hidden objects

2005-08-16 Thread Dean Wells
If dSHeuristics is not set, the directory will behave per its defaults.
Default behavior does NOT include a means to completely abstract an object
from _anybody's_ view (not just an admin's).  However, it can be achieved in
a roundabout fashion if the user in question does NOT have permission
sufficient to navigate through the hidden object's parent hierarchy ... if
this is the case, an object within a containment item of some kind to which
you do not have permission will effectively be hidden until such time as you
restore permission to the parent(s).

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 16, 2005 10:23 AM
To: activedirectory
Subject: [ActiveDir] Hidden objects

Is there any way to tell if someone hid an object (or objects) in AD from a DA?
The dSHeuristics attribute doesn't have a value set.
Does that mean no?

After using dsacls, it seems Authenticated Users have "list contents"
on every object in AD that I checked.
Based on these 2 things, is it pretty safe to assume nothing is probably
hidden?
thanks



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
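Dean's "roundabout" hiding and Tom's dsacls check, modelled as an added example (Python written for this page, not code from the thread, from Microsoft or from dsacls). The directory, its DNs and its ACLs are constructed; trustees are written as group names instead of SIDs for readability. The only real value is the List Contents access-mask bit (ADS_RIGHT_ACTRL_DS_LIST, 0x4). The model assumes the default behaviour Dean describes, i.e. dSHeuristics unset and therefore no List Object mode: a child is visible only if the caller has List Contents on every container above it, so a single deny on a parent hides the whole subtree even from a Domain Admin, while the objects' own ACLs stay untouched.

```python
# Real ADSI access-mask bit for "List Contents" (ADS_RIGHT_ACTRL_DS_LIST).
LIST_CONTENTS = 0x00000004


def ace(kind, trustee, mask):
    """Constructed ACE: kind is "allow" or "deny"; trustees are group names
    instead of SIDs to keep the example readable."""
    return {"type": kind, "trustee": trustee, "mask": mask}


# Constructed directory: DN -> DACL in canonical order (explicit denies first).
# Inherited ACEs are written out on each object for brevity.
DIRECTORY = {
    "DC=corp,DC=example": [ace("allow", "Authenticated Users", LIST_CONTENTS)],
    "OU=Staff,DC=corp,DC=example": [ace("allow", "Authenticated Users", LIST_CONTENTS)],
    "CN=alice,OU=Staff,DC=corp,DC=example": [ace("allow", "Authenticated Users", LIST_CONTENTS)],
    # Someone denied Domain Admins List Contents on this OU: everything under
    # it disappears from an admin's view while the OU itself stays visible.
    "OU=Vault,DC=corp,DC=example": [
        ace("deny", "Domain Admins", LIST_CONTENTS),
        ace("allow", "Authenticated Users", LIST_CONTENTS),
    ],
    "CN=svc-backup,OU=Vault,DC=corp,DC=example": [ace("allow", "Authenticated Users", LIST_CONTENTS)],
}


def access_check(dacl, groups, wanted):
    """Simplified Windows DACL walk: ACEs are visited in order; an allow ACE
    for one of the caller's groups grants its bits, a deny ACE for one of them
    that covers a still-ungranted wanted bit ends the check with a refusal."""
    granted = 0
    for a in dacl:
        if a["trustee"] not in groups:
            continue
        if a["type"] == "deny" and a["mask"] & wanted & ~granted:
            return False
        if a["type"] == "allow":
            granted |= a["mask"] & wanted
            if granted == wanted:
                return True
    return granted == wanted


def parent_dn(dn):
    """Drop the leading RDN (the constructed DNs contain no escaped commas)."""
    _, sep, rest = dn.partition(",")
    return rest if sep else None


def can_see(directory, dn, groups):
    """Default (non List Object) behaviour: an object is visible only when the
    caller has List Contents on every container above it.  Returns
    (visible, containers_blocking_the_view)."""
    blocked = []
    p = parent_dn(dn)
    while p is not None and p in directory:   # stop above the naming-context head
        if not access_check(directory[p], groups, LIST_CONTENTS):
            blocked.append(p)
        p = parent_dn(p)
    return (not blocked, blocked)


def containers_lacking_list_contents(directory, groups):
    """Tom's dsacls check done in bulk: every object on which the caller lacks
    List Contents, i.e. the only places a child could be hidden from them."""
    return sorted(dn for dn, dacl in directory.items()
                  if not access_check(dacl, groups, LIST_CONTENTS))


if __name__ == "__main__":
    admin = {"Domain Admins", "Authenticated Users"}
    print(can_see(DIRECTORY, "CN=svc-backup,OU=Vault,DC=corp,DC=example", admin))
    print(containers_lacking_list_contents(DIRECTORY, admin))
```

The bulk check is the one that answers Tom's question: if it returns an empty list for the groups a DA is a member of, no container can be hiding children from that admin under default behaviour. Note that a check run as Authenticated Users alone is not enough, because a deny aimed at a specific group (here Domain Admins) leaves the Authenticated Users allow intact; run it against the full token of the account you care about.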


[ActiveDir] Hidden objects

2005-08-16 Thread Tom Kern
Is there any way to tell if someone hid an object (or objects) in AD from a DA?
The dSHeuristics attribute doesn't have a value set.
Does that mean no?

After using dsacls, it seems Authenticated Users have "list contents"
on every object in AD that I checked.
Based on these 2 things, is it pretty safe to assume nothing is probably hidden?
thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

2005-08-16 Thread Alain Lissoir



Great! You're welcome!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Tuesday, August 16, 2005 3:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Hi Alain,

We set the revision level in the security descriptor in the meta code, and it
indeed works fine.  Thanks for all your time and guidance.  This has indeed
turned out to be a product defect.

Thanks again,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, August 12, 2005 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Rebuild because the revision required is not set.  When building a security
descriptor under Windows, you are building an object containing ACEs (DACL and
SACL).
Doing this on Windows is easy as we have the APIs for it (Win32, ADSI, WMI,
etc.).
Under Unix, manipulating an SDDL string to construct the security descriptor
is another story, as we don't have the API to build the MS security
descriptor... but I'm pretty sure that your problem comes from the fact that
the revision level is not set properly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 8:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

For solving this error, Microsoft says: rebuild security object.  What does
this imply?  And how can I rebuild the security object?

Any help would be beneficial.

Thanks,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Hi Alain,

This error is being returned by the meta directory server, for which I don't
have access to the code.  At the most I can find the reason and try to
eliminate it.

I would be just converting the binary SID to text and giving it to the meta
directory for setting.

Any idea why this would be caused?

Regards,
Mayuresh

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, August 12, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Have you been checking the script sample I gave in the attached mail?  It
shows the value required for the revision level.
ADS_ACL_REVISION_DS is set to 4.

    objDACL.AclRevision = ADS_ACL_REVISION_DS

    ' "Self" Trustee
    Set objACE = CreateObject("AccessControlEntry")
    objACE.Trustee = "Self"
    objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    objACE.AccessMask = E2K_MB_READ_PERMISSIONS Or _
                        E2K_MB_FULL_MB_ACCESS Or _
                        E2K_MB_SEND_AS
    objACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
    objDACL.AddAce objACE
    Set objACE = Nothing

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 4:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Hi,

I tried setting the msexchmailboxsecuritydescriptor attribute, but am facing
an error "the revision level is unknown".

Any known issue you know of that might be causing this?

Thanks,
Mayuresh

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 6:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

Hi All,

Found a Perl function in laman.pm which converts a SID to a string:

    # Converts a binary SID (as stored in AD) to its "S-1-..." string form.
    sub SidToString
    {
        my ($sid) = @_;

        # Byte 0 is the SID revision and must be 1.
        return undef
            unless unpack("C", substr($sid, 0, 1)) == 1;

        # Byte 1 is the sub-authority count; the blob must be 8 + 4 * count bytes.
        return undef
            unless length($sid) == 8 + 4 * unpack("C", substr($sid, 1, 1));

        my $sid_str = "S-1-";

        # Identifier authority: 6 bytes big-endian; only the low 4 are read here.
        $sid_str .= (unpack("C", substr($sid, 7, 1)) +
                    (unpack("C", substr($sid, 6, 1)) << 8) +
                    (unpack("C", substr($sid, 5, 1)) << 16) +
                    (unpack("C", substr($sid, 4, 1)) << 24));

        # Each sub-authority is a 32-bit little-endian unsigned integer ("V").
        for my $loop (0 .. unpack("C", substr($sid, 1, 1)) - 1)
        {
            $sid_str .= "-" . unpack("V", substr($sid, 4 * $loop + 8, 4));
        }

        return $sid_str;
    }

Hope this will do the job.

What all will be required to do the job: is setting mailboxsecuritydescriptor
and masteraccountsid enough?  Or do I also need something else?

Thanks,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 7:55 PM
To:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDi
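The two pieces of this thread, the revision fields Alain says must be set and the binary-to-string SID conversion Mayuresh posted in Perl, worked through as an added example (Python written for this page, not code from the thread, from Alain's script or from Microsoft). It packs a self-relative security descriptor with a DACL at ADS_ACL_REVISION_DS (4), parses it back, and runs the kind of revision check a consumer performs before accepting the blob. The structure layouts, the ACL/SD revision numbers, READ_CONTROL and the Win32 error code ERROR_UNKNOWN_REVISION (1305, "The revision level is unknown.") are real; the sample SID is constructed, and the FULL_MAILBOX_ACCESS value is the Exchange mailbox right as I recall it being documented, so treat it as an assumption. The SID routines read the full 48-bit identifier authority rather than the low four bytes the Perl version uses.

```python
import struct

SD_REVISION = 1
ACL_REVISION = 2            # ordinary ACLs
ACL_REVISION_DS = 4         # ADS_ACL_REVISION_DS: the value Alain points at for directory ACLs
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
CONTAINER_INHERIT_ACE = 0x02        # what ADS_ACEFLAG_INHERIT_ACE maps to
READ_PERMISSIONS = 0x00020000       # standard READ_CONTROL right
FULL_MAILBOX_ACCESS = 0x00000001    # assumed: Exchange mailbox right as documented, from memory
ERROR_UNKNOWN_REVISION = 1305       # Win32 error whose text is "The revision level is unknown."


def sid_to_string(blob):
    """Binary SID -> "S-1-<authority>-<sub>-..." (same job as the Perl SidToString)."""
    if len(blob) < 8 or blob[0] != 1 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("not a valid binary SID")
    authority = int.from_bytes(blob[2:8], "big")          # 6 bytes, big-endian
    subs = struct.unpack_from("<%dI" % blob[1], blob, 8)  # 32-bit little-endian each
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def string_to_sid(text):
    """Inverse of sid_to_string, used here to construct the sample SID."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string")
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def build_ace(sid, mask, ace_type=ACCESS_ALLOWED_ACE_TYPE, flags=CONTAINER_INHERIT_ACE):
    """ACCESS_ALLOWED_ACE: header (type, flags, size, mask) followed by the SID."""
    return struct.pack("<BBHI", ace_type, flags, 8 + len(sid), mask) + sid


def build_acl(aces, revision=ACL_REVISION_DS):
    """ACL header (revision, sbz1, size, ace count, sbz2) followed by the ACEs."""
    body = b"".join(aces)
    return struct.pack("<BBHHH", revision, 0, 8 + len(body), len(aces), 0) + body


def build_sd(dacl):
    """Self-relative SECURITY_DESCRIPTOR carrying only a DACL; the owner, group
    and SACL offsets are zero (absent) and the DACL follows the 20-byte header."""
    control = SE_SELF_RELATIVE | SE_DACL_PRESENT
    return struct.pack("<BBHIIII", SD_REVISION, 0, control, 0, 0, 0, 20) + dacl


def validate(sd):
    """The check a consumer makes before accepting a descriptor: None when the
    revision fields are known, else the Win32 error code the thread hit."""
    sd_rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if sd_rev != SD_REVISION:
        return ERROR_UNKNOWN_REVISION
    if control & SE_DACL_PRESENT and off_dacl:
        if sd[off_dacl] not in (ACL_REVISION, ACL_REVISION_DS):
            return ERROR_UNKNOWN_REVISION
    return None


def dacl_entries(sd):
    """Parse the DACL back into (ace_type, flags, mask, sid_string) tuples."""
    _, _, control, _, _, _, off = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or not off:
        return []
    _, _, _, count, _ = struct.unpack_from("<BBHHH", sd, off)
    entries, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, size, mask = struct.unpack_from("<BBHI", sd, pos)
        entries.append((ace_type, flags, mask, sid_to_string(sd[pos + 8:pos + size])))
        pos += size
    return entries


if __name__ == "__main__":
    sid = string_to_sid("S-1-5-21-1000-2000-3000-1108")   # constructed sample SID
    sd = build_sd(build_acl([build_ace(sid, READ_PERMISSIONS | FULL_MAILBOX_ACCESS)]))
    print(len(sd), validate(sd), dacl_entries(sd))
    broken = build_sd(build_acl([build_ace(sid, READ_PERMISSIONS)], revision=0))
    print(validate(broken))   # 1305: the error Mayuresh saw
```

Building the same descriptor with the ACL revision left at zero is enough to reproduce the failure in `validate`, which is the situation Alain diagnosed: the ACE contents are fine, the header field in front of them is not. When a tool outside Windows has to emit these blobs, round-tripping them through a parser like `dacl_entries` before writing to the directory catches this class of mistake offline.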

RE: [ActiveDir] GPO with folder redirection not applying against machines OU

2005-08-16 Thread Robert Dale








Dear Andrew,

Thanks.

I tried this and although it shows the loopback policy option in the modeling
report once rerun, it does not show the folder redirection.  Could this be a
weakness in the modeler, and will it simply show up when the users log in?

Robert Dale

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cace, Andrew
Sent: 16 August 2005 15:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO with folder redirection not applying against machines OU

Robert,
  Check out Loopback Processing.  This will allow user policies to be applied
based upon the AD location of the computer.  See the following link for
details:  http://support.microsoft.com/?kbid=231287

-Andrew

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Dale
Sent: Tuesday, August 16, 2005 8:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO with folder redirection not applying against machines OU

I've set up an OU for my Citrix farm and one for my users, then created a GPO
called FR that only contains the folder redirection information and linked
this to the OU that all my Citrix servers are in.  However, when I run the
modeling wizard the GPO is never shown unless I place a link for it in the
users OU; however, I only want the folder redirection to apply when the users
log into the Citrix server, not for their local desktops.  If I add any
entries in the machine part of the GPO none of them are applied; only the user
parts are applied as the winning GPO.

I don't have folder redirection enabled in any other GPOs.

It's not just with folder redirection: any change I make that is machine
related doesn't show up, in spite of the fact that I have the GPO enabled for
both user and computer configuration.

Any ideas or a workaround so that I can have folder redirection only for users
logging into specific machines?








RE: [ActiveDir] GPO with folder redirection not applying against machines OU

2005-08-16 Thread Cace, Andrew



Robert,
  Check out Loopback Processing.  This will allow user policies to be applied
based upon the AD location of the computer.  See the following link for
details:  http://support.microsoft.com/?kbid=231287

-Andrew

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Dale
Sent: Tuesday, August 16, 2005 8:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO with folder redirection not applying against machines OU

I've set up an OU for my Citrix farm and one for my users, then created a GPO
called FR that only contains the folder redirection information and linked
this to the OU that all my Citrix servers are in.  However, when I run the
modeling wizard the GPO is never shown unless I place a link for it in the
users OU; however, I only want the folder redirection to apply when the users
log into the Citrix server, not for their local desktops.  If I add any
entries in the machine part of the GPO none of them are applied; only the user
parts are applied as the winning GPO.

I don't have folder redirection enabled in any other GPOs.

It's not just with folder redirection: any change I make that is machine
related doesn't show up, in spite of the fact that I have the GPO enabled for
both user and computer configuration.

Any ideas or a workaround so that I can have folder redirection only for users
logging into specific machines?


smime.p7s
Description: S/MIME cryptographic signature
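Andrew's answer is the whole fix, but it helps to see why the FR GPO never shows up for a user without loopback and what each loopback mode changes. The following model is an added example, not code from the thread and not Microsoft's processing code; the OU structure, GPO names and settings in it are constructed. It encodes the rule the KB article describes: with loopback off, user settings come only from GPOs linked along the user object's OU chain; in Replace mode only from the computer's OU chain; in Merge mode the user's list is processed first and the computer's list after it, so computer-side GPOs win on conflict. The UserPolicyMode mapping is the registry value the loopback policy writes under HKLM\Software\Policies\Microsoft\Windows\System (1 = Merge, 2 = Replace), which is a quick thing to check on a Citrix server when a modeling result looks wrong.

```python
"""Group Policy loopback processing, modelled to show which GPOs supply the
user settings at logon.

Added example, not from the thread and not Microsoft's code. The OUs, GPO
names and settings are constructed. The registry mapping is the one the
loopback policy writes to HKLM\\Software\\Policies\\Microsoft\\Windows\\System.
"""

# Constructed sample. Lists are in processing order: later entries win.
COMPUTER_OU_GPOS = ["Default Domain Policy", "FR", "Citrix Lockdown"]  # Citrix servers OU
USER_OU_GPOS = ["Default Domain Policy", "Desktop Settings"]            # users OU

# User Configuration settings each sample GPO defines (constructed values).
USER_SETTINGS = {
    "FR": {"folder_redirection": "\\\\fileserver\\redirected"},
    "Citrix Lockdown": {"wallpaper": "corporate_blank"},
    "Desktop Settings": {"wallpaper": "corporate_logo", "screensaver": "10min"},
}

# UserPolicyMode DWORD written by the loopback policy (absent = not configured).
LOOPBACK_REGISTRY = {None: None, 0: None, 1: "merge", 2: "replace"}


def loopback_mode(user_policy_mode):
    """Translate the UserPolicyMode value into a mode name (None = loopback off)."""
    try:
        return LOOPBACK_REGISTRY[user_policy_mode]
    except KeyError:
        raise ValueError("unknown UserPolicyMode value %r" % (user_policy_mode,))


def user_gpo_list(computer_gpos, user_gpos, mode=None):
    """GPOs whose User Configuration is applied, in processing order."""
    if mode is None:
        return list(user_gpos)                       # user's own OU chain only
    if mode == "merge":
        return list(user_gpos) + list(computer_gpos)  # computer's chain applied last, so it wins
    if mode == "replace":
        return list(computer_gpos)                   # user's own chain ignored entirely
    raise ValueError("mode must be None, 'merge' or 'replace'")


def resolve(gpo_list, settings=USER_SETTINGS):
    """Effective user settings: a later GPO overwrites an earlier one."""
    effective = {}
    for gpo in gpo_list:
        for name, value in settings.get(gpo, {}).items():
            effective[name] = (value, gpo)
    return effective


def effective_user_settings(user_policy_mode):
    """Effective settings for the sample logon under a given UserPolicyMode."""
    mode = loopback_mode(user_policy_mode)
    return resolve(user_gpo_list(COMPUTER_OU_GPOS, USER_OU_GPOS, mode))


if __name__ == "__main__":
    for value, label in ((None, "loopback not configured"), (1, "Merge"), (2, "Replace")):
        print(label)
        for name, (val, gpo) in sorted(effective_user_settings(value).items()):
            print("  %-18s = %-26s (from %s)" % (name, val, gpo))
```

With loopback off the FR GPO contributes nothing to the user, exactly the symptom in the question; Merge keeps the user's own desktop settings and adds the Citrix-linked GPOs on top; Replace drops the user's own settings altogether, which is usually what a locked-down terminal server wants but is worth confirming before enabling it farm-wide.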


[ActiveDir] GPO with folder redirection not applying against machines OU

2005-08-16 Thread Robert Dale








I've set up an OU for my Citrix farm and one for my users, then created a GPO
called FR that only contains the folder redirection information in it and
linked this to the OU that all my Citrix servers are in.  However, when I run
the modeling wizard the GPO is never shown unless I place a link for it in
the users OU, and I only want the folder redirection to apply when the users
log into the Citrix server, not for their local desktops.  If I add any
entries in the machine part of the GPO none of them are applied; only the
user parts are applied as the winning GPO.

I don't have folder redirection enabled in any other GPOs.

It's not just with folder redirection; any change I make that is machine
related doesn't show up, in spite of the fact that I have the GPO enabled
for both user and computer configuration.

Any ideas or workarounds so that I can have folder redirection only for
users logging into specific machines?








RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Dean Wells



It is indeed sufficient based on the forest structure you provided ... and
you're most welcome.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Tuesday, August 16, 2005 8:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Dean,
 
Thank 
you for responding to my question.  I am assuming that because you did not 
state "worry" (in so many words), that this ring topology is expected and is 
sufficient.  I really appreciate your diagram and posts.  I have 
learned a lot from this list and appreciate the time you and others take to 
post.
 
Rocky

 
 

  
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
   Sent: Tuesday, August 16, 2005 7:58 AM
   To: Send - AD mailing list
   Subject: RE: [ActiveDir] Question on Replication Topology

   Since all DCs are within the same site, the KCC will construct a ring
   topology based on the numeric ordering of each of the DCs' GUIDs, thus we
   get something like this when we graphically represent your description of
   the connection objects -

   As you can see, the KCC has indeed created a ring for the child in blue, a
   ring for the root in green (though a ring of 2 is a little more difficult
   to see) and a ring for the enterprise partitions in red (note that the
   enterprise partitions are also replicated between any 2 DCs sharing a full
   domain partition, i.e. - they're in the same domain).  The dotted lines
   imply a partial replication of the domain partition, i.e. - a GC sourcing a
   foreign domain.  A mesh topology is not used by Active Directory without
   your explicit assistance in order to force its creation.  If your scenario
   incorporated multiple sites, a least cost spanning tree topology is
   employed between the sites.

   --
   Dean Wells
   MSEtechnology
   * Email: [EMAIL PROTECTED]
   http://msetechnology.com

   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
   Sent: Monday, August 15, 2005 2:28 PM
   To: activedir@mail.activedir.org
   Subject: [ActiveDir] Question on Replication Topology

   Dear List Members (Whom I have a hard time figuring out how you all have so
   much time to help us "not quite up to speed, but severely overtasked
   Administrators");

   After a power failure took a Forest Root DC offline over the weekend (for
   26 hours), I came in today to find my replication "in question".  Repadmin
   /Showreps does not show any errors; however, it shows inconsistent
   Replication partners.  Here is my question;

   We have:
   Forest Root Domain (Empty)
   DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
   DC2
   One Domain in the Forest
   DC4
   DC5 (Holds all 5 Roles)
   DC6

   Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a
   DNS server.

   I was positive that I had the Forest Root and Domain at Windows Server 2003
   Forest Functional Level but now when I go to AD Domains and Trusts and
   click the Forest Root Domain and right click Properties I get:
   Domain Functional Level = Windows 2000 mixed
   Forest Functional Level = Windows 2000
   When I go to AD Domains and Trusts and click the Domain and right click
   Properties I get:
   Domain Functional Level = Windows Server 2003
   Forest Functional Level = Windows 2000

   I must have miscalculated, but that's not my question.

   In my AD Sites and Services, I have connection objects that have
   automatically been generated for each DC but they are inconsistent.  i.e.:

   DC1 goes to DC2 and DC6
   DC2 goes to DC1 and DC5
   DC4 goes to DC5 and DC6
   DC5 goes to DC4 and DC6
   DC6 goes to DC1 and DC4 and DC5

   The question is, "Shouldn't they all have automatically generated
   connection objects to everybody else and if they don't, is it just a matter
   of me adding the manual new connection object?"  Or am I seeing a properly
   configured Sites and Services?  If not, is part of my problem that I have
   not got the Forest Root at FFL?

   Thanks in advance people for any assistance.  This list is so valuable,
   it's not funny.  (Seriously!)

   __
   Rocky Habeeb
   Microsoft Systems Administrator
   James W. Sewall Company
   136 Center Street
   Old Town, Maine 04468
   207.827.4456
   [EMAIL PROTECTED]
   www.jws.com
   __

   List info   : http://www.activedir.org/List.aspx
   List FAQ    : http://www.activedir.org/ListFAQ.aspx
   List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Rocky Habeeb



Dean,
 
Thank 
you for responding to my question.  I am assuming that because you did not 
state "worry" (in so many words), that this ring topology is expected and is 
sufficient.  I really appreciate your diagram and posts.  I have 
learned a lot from this list and appreciate the time you and others take to 
post.
 
Rocky

 
 

  
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
   Sent: Tuesday, August 16, 2005 7:58 AM
   To: Send - AD mailing list
   Subject: RE: [ActiveDir] Question on Replication Topology

   Since all DCs are within the same site, the KCC will construct a ring
   topology based on the numeric ordering of each of the DCs' GUIDs, thus we
   get something like this when we graphically represent your description of
   the connection objects -

   As you can see, the KCC has indeed created a ring for the child in blue, a
   ring for the root in green (though a ring of 2 is a little more difficult
   to see) and a ring for the enterprise partitions in red (note that the
   enterprise partitions are also replicated between any 2 DCs sharing a full
   domain partition, i.e. - they're in the same domain).  The dotted lines
   imply a partial replication of the domain partition, i.e. - a GC sourcing a
   foreign domain.  A mesh topology is not used by Active Directory without
   your explicit assistance in order to force its creation.  If your scenario
   incorporated multiple sites, a least cost spanning tree topology is
   employed between the sites.

   --
   Dean Wells
   MSEtechnology
   * Email: [EMAIL PROTECTED]
   http://msetechnology.com

   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
   Sent: Monday, August 15, 2005 2:28 PM
   To: activedir@mail.activedir.org
   Subject: [ActiveDir] Question on Replication Topology

   Dear List Members (Whom I have a hard time figuring out how you all have so
   much time to help us "not quite up to speed, but severely overtasked
   Administrators");

   After a power failure took a Forest Root DC offline over the weekend (for
   26 hours), I came in today to find my replication "in question".  Repadmin
   /Showreps does not show any errors; however, it shows inconsistent
   Replication partners.  Here is my question;

   We have:
   Forest Root Domain (Empty)
   DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
   DC2
   One Domain in the Forest
   DC4
   DC5 (Holds all 5 Roles)
   DC6

   Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a
   DNS server.

   I was positive that I had the Forest Root and Domain at Windows Server 2003
   Forest Functional Level but now when I go to AD Domains and Trusts and
   click the Forest Root Domain and right click Properties I get:
   Domain Functional Level = Windows 2000 mixed
   Forest Functional Level = Windows 2000
   When I go to AD Domains and Trusts and click the Domain and right click
   Properties I get:
   Domain Functional Level = Windows Server 2003
   Forest Functional Level = Windows 2000

   I must have miscalculated, but that's not my question.

   In my AD Sites and Services, I have connection objects that have
   automatically been generated for each DC but they are inconsistent.  i.e.:

   DC1 goes to DC2 and DC6
   DC2 goes to DC1 and DC5
   DC4 goes to DC5 and DC6
   DC5 goes to DC4 and DC6
   DC6 goes to DC1 and DC4 and DC5

   The question is, "Shouldn't they all have automatically generated
   connection objects to everybody else and if they don't, is it just a matter
   of me adding the manual new connection object?"  Or am I seeing a properly
   configured Sites and Services?  If not, is part of my problem that I have
   not got the Forest Root at FFL?

   Thanks in advance people for any assistance.  This list is so valuable,
   it's not funny.  (Seriously!)

   __
   Rocky Habeeb
   Microsoft Systems Administrator
   James W. Sewall Company
   136 Center Street
   Old Town, Maine 04468
   207.827.4456
   [EMAIL PROTECTED]
   www.jws.com
   __

   List info   : http://www.activedir.org/List.aspx
   List FAQ    : http://www.activedir.org/ListFAQ.aspx
   List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Dean Wells



Since all DCs are within the same site, the KCC will construct a ring
topology based on the numeric ordering of each of the DCs' GUIDs, thus we get
something like this when we graphically represent your description of the
connection objects -

As you can see, the KCC has indeed created a ring for the child in blue, a
ring for the root in green (though a ring of 2 is a little more difficult to
see) and a ring for the enterprise partitions in red (note that the
enterprise partitions are also replicated between any 2 DCs sharing a full
domain partition, i.e. - they're in the same domain).  The dotted lines imply
a partial replication of the domain partition, i.e. - a GC sourcing a foreign
domain.  A mesh topology is not used by Active Directory without your
explicit assistance in order to force its creation.  If your scenario
incorporated multiple sites, a least cost spanning tree topology is employed
between the sites.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 2:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have so
much time to help us "not quite up to speed, but severely overtasked
Administrators");

After a power failure took a Forest Root DC offline over the weekend (for 26
hours), I came in today to find my replication "in question".  Repadmin
/Showreps does not show any errors; however, it shows inconsistent
Replication partners.  Here is my question;

We have:
Forest Root Domain (Empty)
DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
DC2
One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is a
DNS server.

I was positive that I had the Forest Root and Domain at Windows Server 2003
Forest Functional Level but now when I go to AD Domains and Trusts and click
the Forest Root Domain and right click Properties I get:
Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000
When I go to AD Domains and Trusts and click the Domain and right click
Properties I get:
Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have
automatically been generated for each DC but they are inconsistent.  i.e.:

DC1 goes to DC2 and DC6
DC2 goes to DC1 and DC5
DC4 goes to DC5 and DC6
DC5 goes to DC4 and DC6
DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated connection
objects to everybody else and if they don't, is it just a matter of me adding
the manual new connection object?"  Or am I seeing a properly configured
Sites and Services?  If not, is part of my problem that I have not got the
Forest Root at FFL?

Thanks in advance people for any assistance.  This list is so valuable, it's
not funny.  (Seriously!)

__
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
136 Center Street
Old Town, Maine 04468
207.827.4456
[EMAIL PROTECTED]
www.jws.com
__

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
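Dean's explanation (one ring per partition, ordered by the DCs' GUIDs, with each GC additionally sourcing a partial replica of the foreign domain) can be reproduced for Rocky's five-DC, two-domain forest. The model below is an added example, not code from the post and not the KCC's own logic; the DC GUIDs are constructed, and it assumes, as a simplification, that a single connection between two DCs carries every partition both of them hold. Run it and the union of the three rings gives six connections and two or three partners per DC, the same shape as the list in the question rather than the ten connections a full mesh would need.

```python
"""Intra-site KCC ring topology, modelled from the description in the thread.

Added example, not the KCC's own code. The forest, DC names and GUIDs are
constructed; the rules (one ring per partition ordered by DC GUID, a GC also
sourcing a partial replica of each foreign domain) are the ones the post
describes, with the simplifying assumption that one connection between two
DCs carries every partition they have in common.
"""
import uuid

# Constructed sample: empty forest root plus one child domain, every DC a GC,
# all in one site. GUID values are arbitrary and only fix the ring order.
DCS = {
    "DC1": {"domain": "root",  "gc": True, "guid": uuid.UUID("00000000-0000-0000-0000-000000000005")},
    "DC2": {"domain": "root",  "gc": True, "guid": uuid.UUID("00000000-0000-0000-0000-000000000001")},
    "DC4": {"domain": "child", "gc": True, "guid": uuid.UUID("00000000-0000-0000-0000-000000000003")},
    "DC5": {"domain": "child", "gc": True, "guid": uuid.UUID("00000000-0000-0000-0000-000000000002")},
    "DC6": {"domain": "child", "gc": True, "guid": uuid.UUID("00000000-0000-0000-0000-000000000004")},
}
ENTERPRISE_NCS = ("Configuration", "Schema")


def ring_order(names):
    """DCs sorted by the numeric value of their GUID: the order the ring follows."""
    return sorted(names, key=lambda n: DCS[n]["guid"].int)


def ring_edges(names):
    """Unordered DC pairs forming a ring; a ring of 2 collapses to a single pair."""
    order = ring_order(names)
    edges = set()
    for i, name in enumerate(order):
        nxt = order[(i + 1) % len(order)]
        if name != nxt:                      # a one-DC "ring" has no edges
            edges.add(frozenset((name, nxt)))
    return edges


def build_topology():
    """Map each connection (frozenset of two DCs) to the partitions it carries."""
    topo = {}

    def add(edge, label):
        topo.setdefault(edge, set()).add(label)

    # Enterprise partitions: one ring over every DC in the site.
    for edge in ring_edges(DCS):
        for nc in ENTERPRISE_NCS:
            add(edge, nc)
    # Domain partitions: one ring per domain over the DCs holding a full replica.
    for dom in sorted({d["domain"] for d in DCS.values()}):
        for edge in ring_edges([n for n, d in DCS.items() if d["domain"] == dom]):
            add(edge, dom)
    # The "dotted lines": a GC sources a partial replica of a foreign domain
    # over a connection it already has to a DC of that domain.
    for edge, ncs in topo.items():
        a, b = tuple(edge)
        for gc, src in ((a, b), (b, a)):
            if DCS[gc]["gc"] and DCS[gc]["domain"] != DCS[src]["domain"]:
                ncs.add(DCS[src]["domain"] + " (partial)")
    return topo


def partners(topo):
    """Replication partners per DC, the 'DC1 goes to DC2 and DC6' view."""
    out = {n: set() for n in DCS}
    for edge in topo:
        a, b = tuple(edge)
        out[a].add(b)
        out[b].add(a)
    return {n: sorted(p) for n, p in out.items()}


def describe(topo):
    """One line per DC in the form used in the original question."""
    return {n: n + " goes to " + " and ".join(p) for n, p in partners(topo).items()}


if __name__ == "__main__":
    topo = build_topology()
    for edge in sorted(topo, key=lambda e: sorted(e)):
        a, b = sorted(edge)
        print("%s <-> %s : %s" % (a, b, ", ".join(sorted(topo[edge]))))
    for line in describe(topo).values():
        print(line)
    n = len(DCS)
    print("connections: %d (a full mesh would need %d)" % (len(topo), n * (n - 1) // 2))
```

The useful check for an administrator is the per-connection partition list: a connection between a child-domain GC and a root DC carries Configuration, Schema and the partial root replica, and nothing about that requires a manually created connection object. Adding one by hand only removes it from the KCC's control.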


RE: [ActiveDir] Question on Replication Topology

2005-08-16 Thread Rocky Habeeb
Gil,

Thanks for responding.  Everything is in the default First Site.

Rocky
__



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, August 15, 2005 8:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology


Do you have sites and subnets defined, or is everything in the Default
First Site?

-gil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 11:28 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (Whom I have a hard time figuring out how you all have
so much time to help us "not quite up to speed, but severely overtasked
Administrators");

After a power failure took a Forest Root DC offline over the weekend
(for 26 hours), I came in today to find my replication "in question".
Repadmin /Showreps does not show any errors; however, it shows
inconsistent Replication partners.  Here is my question;

We have:
Forest Root Domain (Empty)
DC1 (Holds all 5 roles)  (the DC offline for 26 hours)
DC2 
One Domain in the Forest
DC4
DC5 (Holds all 5 Roles)
DC6

Everyone is W2K3 (no Service Packs) and everyone is a GC and everyone is
a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server
2003 Forest Functional Level but now when I go to AD Domains and Trusts
and click the Forest Root Domain and right click Properties I get:
Domain Functional Level = Windows 2000 mixed
Forest Functional Level = Windows 2000
When I go to AD Domains and Trusts and click the Domain and right click
Properties I get:
Domain Functional Level = Windows Server 2003
Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have
automatically been generated for each DC but they are inconsistent.  ie:

DC1 goes to DC2 and DC6
DC2 goes to DC1 and DC5
DC4 goes to DC5 and DC6
DC5 goes to DC4 and DC6
DC6 goes to DC1 and DC4 and DC5

The question is, "Shouldn't they all have automatically generated
connection objects to everybody else and if they don't, is it just a
matter of me adding the manual new connection object?"  Or am I seeing a
properly configured Sites and Services?  If not, is part of my problem
that I have not got the Forest Root at FFL?

Thanks in advance people for any assistance.  This list is so valuable,
it's not funny.  (Seriously!)

__
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
136 Center Street
Old Town, Maine 04468
207.827.4456
[EMAIL PROTECTED]
www.jws.com
__


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
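The MailBox permissioning thread that follows turns on two concrete pieces of binary layout: converting a binary SID to its "S-1-..." form on a non-Windows host (the Perl SidToString function Mayuresh found), and the revision bytes a security descriptor must carry before a directory will accept it (Alain's point that "the revision level is unknown" comes from an unset revision, with ADS_ACL_REVISION_DS = 4 for the ACL). The Python below is an added example covering both; it is not code from the thread or from Microsoft. It follows the published SID, ACL, ACCESS_ALLOWED_ACE and self-relative SECURITY_DESCRIPTOR layouts, uses explicit little-endian unpacking so it behaves identically on a big-endian host such as HP-UX, and decodes all 48 bits of the identifier authority. The SIDs and the access mask in it are constructed sample values.

```python
"""Binary SID and self-relative security descriptor helpers.

Added example (not code from the thread). Layouts follow the published
Windows SID / ACL / ACE / SECURITY_DESCRIPTOR structures; sample SIDs are
constructed, not taken from any real domain.
"""
import struct

SECURITY_DESCRIPTOR_REVISION = 1   # the only defined SD revision
ACL_REVISION = 2                   # plain ACL
ACL_REVISION_DS = 4                # ADS_ACL_REVISION_DS: ACL that may hold object-specific ACEs
ACCESS_ALLOWED_ACE_TYPE = 0
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000


def sid_to_string(sid: bytes) -> str:
    """Decode a binary SID to S-1-<authority>-<sub>-... form."""
    if len(sid) < 8 or sid[0] != 1:
        raise ValueError("unsupported SID revision")
    count = sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, sid[8:])        # 32-bit little-endian each
    return "S-1-%d%s" % (authority, "".join("-%d" % s for s in subs))


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not an S-1-... SID string")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def build_dacl(aces, acl_revision=ACL_REVISION_DS) -> bytes:
    """Serialise a DACL: ACL header followed by ACCESS_ALLOWED ACEs.

    aces: list of (trustee_sid_bytes, access_mask, ace_flags).
    """
    body = b""
    for sid, mask, flags in aces:
        ace_size = 8 + len(sid)                          # header(4) + mask(4) + SID
        body += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, flags, ace_size, mask) + sid
    header = struct.pack("<BBHHH", acl_revision, 0, 8 + len(body), len(aces), 0)
    return header + body


def build_self_relative_sd(owner: bytes, group: bytes, dacl: bytes) -> bytes:
    """Pack owner, group and DACL behind a 20-byte self-relative SD header."""
    off_owner = 20
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(group)
    header = struct.pack("<BBHIIII", SECURITY_DESCRIPTOR_REVISION, 0,
                         SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)
    return header + owner + group + dacl


def check_revisions(sd: bytes) -> dict:
    """Report the revision fields a directory validates before accepting the SD."""
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    result = {"sd_revision": rev, "dacl_revision": None, "ace_count": None}
    if control & SE_DACL_PRESENT and off_dacl:
        acl_rev, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
        result["dacl_revision"] = acl_rev
        result["ace_count"] = ace_count
    result["ok"] = (rev == SECURITY_DESCRIPTOR_REVISION
                    and result["dacl_revision"] in (ACL_REVISION, ACL_REVISION_DS))
    return result


if __name__ == "__main__":
    print(sid_to_string(b"\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00"))  # S-1-5-18
    self_sid = string_to_sid("S-1-5-10")                 # NT AUTHORITY\SELF
    owner = string_to_sid("S-1-5-21-1-2-3-500")          # constructed domain SID
    good = build_self_relative_sd(owner, owner, build_dacl([(self_sid, 0x20003, 2)]))
    bad = build_self_relative_sd(owner, owner, build_dacl([(self_sid, 0x20003, 2)], acl_revision=0))
    print("good:", check_revisions(good))
    print("bad: ", check_revisions(bad))
```

The "bad" descriptor is what an SD assembled by hand on a Unix host looks like when the ACL revision byte is left at zero: every offset is right, the ACE is well formed, and it is still rejected, which is the symptom the thread describes. Checking the first byte of the SD and the first byte at the DACL offset before writing the attribute catches it without a round trip to the server.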


RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

2005-08-16 Thread Mayuresh Kshirsagar








Hi Alain,

 

We set the revision level in the security
descriptor in the meta code. And it indeed works fine. Thanks for all your time
and guidance. This has indeed come out to be a product defect.

 

Thanks again,

Mayuresh.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, August 12, 2005 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown



 

Rebuild because the revision required is not set.  When building a security
descriptor under Windows, you are building an object containing ACEs (DACL
and SACL).

Doing this on Windows is easy as we have the APIs for it (Win32, ADSI, WMI,
etc ...)

Under Unix, manipulating an SDDL string to construct the security descriptor
is another story, as we don't have the API to build the MS security
descriptor... but I'm pretty sure that your problem comes from the fact that
the revision level is not set properly.

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 8:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

For solving this error, Microsoft says,
rebuild security object. What does this imply? And how can I rebuild the
security object?

 

Any help, would be beneficial.

 

Thanks,

Mayuresh.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown



 

Hi Alain,

 

This error is being returned by the meta directory server, for which I don't
have access to the code.  At the most I can find the reason and try to
eliminate it.

 

I would be just converting the binary SID
to text transformation and give it to the Meta
directory for settings. 

 

Any idea why this would be caused?

 

Regards,

Mayuresh

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, August 12, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown



 

Have you been checking the script sample I gave in the attached mail?  It
shows the value required for the revision level.

ADS_ACL_REVISION_DS is set to 4.

    ' ADSI constants used below (ACL revision 4 is the one Active Directory
    ' and Exchange expect for these descriptors)
    Const ADS_ACL_REVISION_DS = 4
    Const ADS_ACETYPE_ACCESS_ALLOWED = 0
    Const ADS_ACEFLAG_INHERIT_ACE = 2
    ' Exchange mailbox rights (values as published for Exchange 2000/2003
    ' mailbox rights; check them against your SDK before relying on them)
    Const E2K_MB_FULL_MB_ACCESS = &H1
    Const E2K_MB_SEND_AS = &H2
    Const E2K_MB_READ_PERMISSIONS = &H20000

    ' Build the DACL and set its revision before adding any ACE
    Set objDACL = CreateObject("AccessControlList")
    objDACL.AclRevision = ADS_ACL_REVISION_DS

    ' "Self" Trustee
    Set objACE = CreateObject("AccessControlEntry")
    objACE.Trustee = "Self"
    objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    objACE.AccessMask = E2K_MB_READ_PERMISSIONS Or _
                        E2K_MB_FULL_MB_ACCESS Or _
                        E2K_MB_SEND_AS
    objACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
    objDACL.AddAce objACE
    Set objACE = Nothing
    ' objDACL is then assigned as the DiscretionaryAcl of the
    ' SecurityDescriptor object that is written to the mailbox attribute

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 4:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Hi,

 

I tried setting the
msexchmailboxsecuritydescriptor attribute. But am facing an error “the
revision level is unknown”.

 

Any known issue you know that might be
causing this?

 

Thanks,

Mayuresh

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 6:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning



 

Hi All,

 

Found a Perl function in laman.pm which converts a SID to a string:

 

sub SidToString
{
    # Byte 0 is the SID revision; only revision 1 is defined.
    return undef
        unless unpack("C", substr($_[0], 0, 1)) == 1;

    # Byte 1 is the sub-authority count; the total length must match it.
    return undef
        unless length($_[0]) == 8 + 4 * unpack("C", substr($_[0], 1, 1));

    my $sid_str = "S-1-";

    # Bytes 2-7 hold the 48-bit identifier authority, big-endian. This code
    # only uses the low 32 bits (bytes 4-7), which covers the usual values.
    $sid_str .= (unpack("C", substr($_[0], 7, 1)) +
                 (unpack("C", substr($_[0], 6, 1)) << 8) +
                 (unpack("C", substr($_[0], 5, 1)) << 16) +
                 (unpack("C", substr($_[0], 4, 1)) << 24));

    # Sub-authorities are 32-bit little-endian regardless of host byte order,
    # so unpack with "V" rather than the native-order "I", which misdecodes
    # them on a big-endian host such as HP-UX.
    for my $loop (0 .. unpack("C", substr($_[0], 1, 1)) - 1)
    {
        $sid_str .= "-" . unpack("V", substr($_[0], 4 * $loop + 8, 4));
    }

    return $sid_str;
}

 

Hope this will do the job.

 

What all will be required to do the job: is setting the mailbox security
descriptor and masteraccountsid enough, or do I also need something else?

 

Thanks,

Mayuresh.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 7:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning



 

Thanks for the pointer. 

 

Also, does anyone know any Perl module which converts the binary SID to a
text SID?  The Win32 module won't work because the script will be invoked
from HP-UX.

 

Reg