RE: [ActiveDir][OT] Documentation regarding ADLB

2006-04-06 Thread deji
If you say so ;)
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 4/6/2006 7:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Documentation regarding ADLB



That is why people like me. :)

   _  
  (_) 
   _  ___   _   _ _ __ ___
  | |/ _ \ / _ \ \ /\ / / _` | '__/ _ \
  | | (_) |  __/\ V  V / (_| | | |  __/
  | |\___/ \___| \_/\_/ \__,_|_|  \___|
 _/ | 
|__/


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, April 06, 2006 9:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documentation regarding ADLB

Hehe. You are terrible :O)


Sincerely,
   _   
  (, /  |  /)   /) /)  
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /) 
   (/  
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  Do you now realize that Today
is the Tomorrow you were worried about Yesterday? -anon




From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 4/6/2006 1:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documentation regarding ADLB



;o)


 
   ( )  ___  ___   ___  __  ___  
  / / //   ) ) //___) ) //  / /  / / //   ) ) //  ) ) //___) )
 / / //   / / //   //  / /  / / //   / / //  //  
((  / / ((___/ / ((   ((__( (__/ / ((___( ( //  ((


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, April 06, 2006 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documentation regarding ADLB

The 2 docs I referenced are in the original. I don't believe that the R2 one
has adlb materials.


Sincerely,
   _  
  (, /  |  /)   /) /) 
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/ 
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  Do you now realize that Today
is the Tomorrow you were worried about Yesterday? -anon




From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 4/6/2006 1:18 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Documentation regarding ADLB



There are two BOIS docs: the original and the new one for R2,
-Original Message-
From: <[EMAIL PROTECTED]>
Date: Thu, 6 Apr 2006 13:04:43
To:
Subject: RE: [ActiveDir] Documentation regarding ADLB

Neil, I don't know which doc you are looking at, but the BOIS docs do a good
job on this topic IMO. If we are looking at the same docs, are you saying
04_Deploy_BuildBranch.doc and 06_Plan_Monitoring.doc are not enough to get
you started?


Sincerely,
_ 
  (, /  |  /)   /) /)
/---| (/__//_   //_
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)   
   (/
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon




From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 4/6/2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documentation regarding ADLB


I haven't seen much docos on ADLB. I was one of the guys who was "beta"
testing it back in W2K days though and found my share of bugs. The bugs I ran
into were all around the connections it wanted to delete and then where it
wanted to recreate them to. Basically there were some very bad decisions
because it didn't really differentiate between GC and writeable NCs and it
would try to connect a DC from DOM2 to a GC from DOM1 for the DOM2 NC t

RE: [ActiveDir][OT] Documentation regarding ADLB

2006-04-06 Thread Dean Wells
You assume too much :o)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, April 06, 2006 10:37 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir][OT] Documentation regarding ADLB
> 
> That is why people like me. :) 
> 
>_   
>   (_)  
>_  ___   _   _ _ __ ___ 
>   | |/ _ \ / _ \ \ /\ / / _` | '__/ _ \
>   | | (_) |  __/\ V  V / (_| | | |  __/
>   | |\___/ \___| \_/\_/ \__,_|_|  \___|
>  _/ |  
> |__/
> 
> 
> --
> O'Reilly Active Directory Third Edition - 
> http://www.joeware.net/win/ad3e.htm 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> [EMAIL PROTECTED]
> Sent: Thursday, April 06, 2006 9:43 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Documentation regarding ADLB
> 
> Hehe. You are terrible :O)
>  
> 
> Sincerely, 
>_
>   (, /  |  /)   /) /)   
> /---| (/_  __   ___// _   //  _ 
>  ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
> (_/ /)  
>(/   
> Microsoft MVP - Directory Services
> www.readymaids.com   - we know IT 
> www.akomolafe.com  Do you now 
> realize that Today is the Tomorrow you were worried about 
> Yesterday? -anon
>  
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of joe
> Sent: Thu 4/6/2006 1:58 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Documentation regarding ADLB
> 
> 
> 
> ;o)
> 
> 
>   
>( )  ___  ___   ___  __  ___   
>   / / //   ) ) //___) ) //  / /  / / //   ) ) //  ) ) //___) )
>  / / //   / / //   //  / /  / / //   / / //  //   
> ((  / / ((___/ / ((   ((__( (__/ / ((___( ( //  (( 
> 
> 
> --
> O'Reilly Active Directory Third Edition - 
> http://www.joeware.net/win/ad3e.htm
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> [EMAIL PROTECTED]
> Sent: Thursday, April 06, 2006 4:26 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Documentation regarding ADLB
> 
> The 2 docs I referenced are in the original. I don't believe 
> that the R2 one has adlb materials.
> 
> 
> Sincerely,
>_   
>   (, /  |  /)   /) /)  
> /---| (/_  __   ___// _   //  _
>  ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
> (_/ /) 
>(/  
> Microsoft MVP - Directory Services
> www.readymaids.com   - we know IT 
> www.akomolafe.com  Do you now 
> realize that Today is the Tomorrow you were worried about 
> Yesterday? -anon
> 
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of Mark Parris
> Sent: Thu 4/6/2006 1:18 PM
> To: ActiveDir.org
> Subject: Re: [ActiveDir] Documentation regarding ADLB
> 
> 
> 
> There are two BOIS docs: the original and the new one for R2,
> -Original Message-
> From: <[EMAIL PROTECTED]>
> Date: Thu, 6 Apr 2006 13:04:43
> To:
> Subject: RE: [ActiveDir] Documentation regarding ADLB
> 
> Neil, I don't know which doc you are looking at, but the BOIS 
> docs do a good job on this topic IMO. If we are looking at 
> the same docs, are you saying 04_Deploy_BuildBranch.doc and 
> 06_Plan_Monitoring.doc are not enough to get you started?
> 
> 
> Sincerely,
> _  
>   (, /  |  /)   /) /) 
> /---| (/__//_   //_
>  ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
> (_/ /)
>(/ 
> Microsoft MVP - Directory Services
> www.readymaids.com   - we know IT 
> www.akomolafe.com  Do you now 
> realize that Today is the Tomorrow you were worried about 
> Yesterday? -anon
> 
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of joe
> Sent: Thu 4/6/2006 12:42 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Documentation regarding ADLB
> 
> 
> I haven't seen much docos on ADLB. I was one of the guys who
> was "beta" testing it back in W2K days though and found my share of
> bugs. The bugs I ran into were all around the connections it 
> wanted to delete and then where it wanted to recreate them 
> to. Basically there were some very bad decisions because it 
> didn't really differentiate between GC and writeable NCs and 
> it would try to connect a DC from DOM2 to a GC from DOM1 for 
> the DOM2 NC to replicate d

RE: [ActiveDir][OT] Documentation regarding ADLB

2006-04-06 Thread joe
That is why people like me. :) 

   _   
  (_)  
   _  ___   _   _ _ __ ___ 
  | |/ _ \ / _ \ \ /\ / / _` | '__/ _ \
  | | (_) |  __/\ V  V / (_| | | |  __/
  | |\___/ \___| \_/\_/ \__,_|_|  \___|
 _/ |  
|__/


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, April 06, 2006 9:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documentation regarding ADLB

Hehe. You are terrible :O)
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  Do you now realize that Today
is the Tomorrow you were worried about Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 4/6/2006 1:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documentation regarding ADLB



;o)


  
   ( )  ___  ___   ___  __  ___   
  / / //   ) ) //___) ) //  / /  / / //   ) ) //  ) ) //___) )
 / / //   / / //   //  / /  / / //   / / //  //   
((  / / ((___/ / ((   ((__( (__/ / ((___( ( //  (( 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, April 06, 2006 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documentation regarding ADLB

The 2 docs I referenced are in the original. I don't believe that the R2 one
has adlb materials.


Sincerely,
   _   
  (, /  |  /)   /) /)  
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /) 
   (/  
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  Do you now realize that Today
is the Tomorrow you were worried about Yesterday? -anon




From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 4/6/2006 1:18 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Documentation regarding ADLB



There are two BOIS docs: the original and the new one for R2,
-Original Message-
From: <[EMAIL PROTECTED]>
Date: Thu, 6 Apr 2006 13:04:43
To:
Subject: RE: [ActiveDir] Documentation regarding ADLB

Neil, I don't know which doc you are looking at, but the BOIS docs do a good
job on this topic IMO. If we are looking at the same docs, are you saying
04_Deploy_BuildBranch.doc and 06_Plan_Monitoring.doc are not enough to get
you started?


Sincerely,
_  
  (, /  |  /)   /) /) 
/---| (/__//_   //_
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/ 
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon




From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 4/6/2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documentation regarding ADLB


I haven't seen much docos on ADLB. I was one of the guys who was "beta"
testing it back in W2K days though and found my share of bugs. The bugs I ran
into were all around the connections it wanted to delete and then where it
wanted to recreate them to. Basically there were some very bad decisions
because it didn't really differentiate between GC and writeable NCs and it
would try to connect a DC from DOM2 to a GC from DOM1 for the DOM2 NC to
replicate down to the DOM2 DC... Ah yeah that isn't right. :)  I was quite
vocal on that problem and it got resolved fairly quickly and the last rev I
ended up playing with (from maybe 2-3 years ago) worked perfectly from what I
saw in a very large unnamed organization.

Use was pretty simple, just follow the adlb /? info. What I would do is dump
the info to LDIF files and NOT commit to the directory so that I could see
what it wanted to do. If you do that for a while and are confident in what it
wants to do, go ahead and have it commit the changes. Or if you prefer, just
run the LDIF files.

Note this isn't something you should have to do very often, just when you see
t

RE: [ActiveDir] Documentation regarding ADLB

2006-04-06 Thread deji
Hehe. You are terrible :O)
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 4/6/2006 1:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documentation regarding ADLB



;o)


  
   ( )  ___  ___   ___  __  ___   
  / / //   ) ) //___) ) //  / /  / / //   ) ) //  ) ) //___) )
 / / //   / / //   //  / /  / / //   / / //  //   
((  / / ((___/ / ((   ((__( (__/ / ((___( ( //  (( 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, April 06, 2006 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documentation regarding ADLB

The 2 docs I referenced are in the original. I don't believe that the R2 one
has adlb materials.


Sincerely,
   _   
  (, /  |  /)   /) /)  
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /) 
   (/  
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  Do you now realize that Today
is the Tomorrow you were worried about Yesterday? -anon




From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 4/6/2006 1:18 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Documentation regarding ADLB



There are two BOIS docs: the original and the new one for R2,
-Original Message-
From: <[EMAIL PROTECTED]>
Date: Thu, 6 Apr 2006 13:04:43
To:
Subject: RE: [ActiveDir] Documentation regarding ADLB

Neil, I don't know which doc you are looking at, but the BOIS docs do a good
job on this topic IMO. If we are looking at the same docs, are you saying
04_Deploy_BuildBranch.doc and 06_Plan_Monitoring.doc are not enough to get
you started?


Sincerely,
_  
  (, /  |  /)   /) /) 
/---| (/__//_   //_
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/ 
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon




From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 4/6/2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documentation regarding ADLB


I haven't seen much docos on ADLB. I was one of the guys who was "beta"
testing it back in W2K days though and found my share of bugs. The bugs I ran
into were all around the connections it wanted to delete and then where it
wanted to recreate them to. Basically there were some very bad decisions
because it didn't really differentiate between GC and writeable NCs and it
would try to connect a DC from DOM2 to a GC from DOM1 for the DOM2 NC to
replicate down to the DOM2 DC... Ah yeah that isn't right. :)  I was quite
vocal on that problem and it got resolved fairly quickly and the last rev I
ended up playing with (from maybe 2-3 years ago) worked perfectly from what I
saw in a very large unnamed organization.

Use was pretty simple, just follow the adlb /? info. What I would do is dump
the info to LDIF files and NOT commit to the directory so that I could see
what it wanted to do. If you do that for a while and are confident in what it
wants to do, go ahead and have it commit the changes. Or if you prefer, just
run the LDIF files.

Note this isn't something you should have to do very often, just when you see
that your connections are getting stacked up on a couple of DCs and you don't
like it. Some people will run it every time they add in a new DC, others will
only do it if they don't like the specific loading. If your replication
latency is fine and you aren't burning a hub bridgehead to the ground then it
is your call if you want to do it or not. My main thought in using it was to
lessen the impact of a bad WAN site DC from backing up a bridgehead's inbound
replication. This was a lot larger problem in 2K than it is in K3 since the
timeouts have been reduced for dropping a bad repl partner (or one across bad
WAN links). I used to se

RE: [ActiveDir] Server 2003 "DNS Admins" group permissions

2006-04-06 Thread joe
Odd, I didn't think I was writing any documentation on configuring event log
SDs...  


;o)


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Olivarez, Sergio J
Mr CTNOSC/GD-NS
Sent: Thursday, April 06, 2006 6:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions

I'm figuring that Junior SA is probably a really smart and handsome guy.  I
figure he will probably do a superb job on that document.  He might even
deserve a raise or bonus!

Sergio   

P.S. Sorry for going a bit off topic Tony!

-Original Message-
From: Daniel Gilbert [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 06, 2006 2:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions

We are in the preliminary stages of that right now, in fact I have one of
the junior SA's writing up documentation for the procedure on how to
configure the domain controllers to allow "trusted OU Admins" the ability to
read-only certain domain controller Event View logs.

I figure I can assist the OU Admins troubleshoot user problems and give the
junior SA some documentation writing experience.

Dan

>  Original Message 
> Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> From: "Gorder, Lee E Mr CTNOSC/GD-NS" 
> <[EMAIL PROTECTED]>
> Date: Thu, April 06, 2006 2:46 pm
> To: "'ActiveDir@mail.activedir.org'" 
> 
> Dan,
> 
> You guys doing that now?
> 
> Lee
> 
> 
> 
> -Original Message-
> From: Daniel Gilbert [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 06, 2006 2:38 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> 
> Yeah Sergio,
> 
> You could even use that information to say...allow OU Admins the
> ability to view the logs of the domain controllers local to them.
> 
> Dan
> >  Original Message 
> > Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> > From: "Olivarez, Sergio J Mr CTNOSC/GD-NS"
> > <[EMAIL PROTECTED]>
> > Date: Thu, April 06, 2006 12:49 pm
> > To: ActiveDir@mail.activedir.org
> > 
> > Here is a link of what Ulf is talking about:
> > 
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;323076
> > 
> > 
> > Thanks,
> > Sergio
> > 
> > -Original Message-
> > From: Ulf B. Simon-Weidner [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, April 06, 2006 12:41 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> > 
> > Might be - you know that you can delegate any eventlog by adjusting
> > the CustomSD Registrykey underneath the specific eventlog in the registry?
> > 
> > Gruesse - Sincerely,
> > 
> > Ulf B. Simon-Weidner
> > 
> >   MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
> >   Weblog: http://msmvps.org/UlfBSimonWeidner
> >   Website: http://www.windowsserverfaq.org
> >   Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
> > 
> >  
> > 
> > |-Original Message-
> > |From: [EMAIL PROTECTED]
> > |[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, 
> > |Michael M.
> > |Sent: Thursday, April 06, 2006 5:54 PM
> > |To: ActiveDir@mail.activedir.org
> > |Subject: [ActiveDir] Server 2003 "DNS Admins" group permissions
> > |
> > |The default "DNS Admins" group has permission to use the DNS GUI
> > |(dnsmgmt.msc) and to make changes in it but does not have 
> > |permission to view the DNS event log (DnsEvent.Evt).  Would this 
> > |just be an oversight on Microsoft's part?
> > |
> > |TIA,
> > |Mike Thommes
> > |List info   : http://www.activedir.org/List.aspx
> > |List FAQ: http://www.activedir.org/ListFAQ.aspx
> > |List archive: 
> > |http://www.mail-archive.com/activedir%40mail.activedir.org/
> > 

RE: [ActiveDir] Server 2003 "DNS Admins" group permissions

2006-04-06 Thread Olivarez, Sergio J Mr CTNOSC/GD-NS
I'm figuring that Junior SA is probably a really smart and handsome guy.  I
figure he will probably do a superb job on that document.  He might even
deserve a raise or bonus!

Sergio   

P.S. Sorry for going a bit off topic Tony!

-Original Message-
From: Daniel Gilbert [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 06, 2006 2:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions

We are in the preliminary stages of that right now, in fact I have one
of the junior SA's writing up documentation for the procedure on how to
configure the domain controllers to allow "trusted OU Admins" the
ability to read-only certain domain controller Event View logs.

I figure I can assist the OU Admins troubleshoot user problems and give
the junior SA some documentation writing experience.

Dan

>  Original Message 
> Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> From: "Gorder, Lee E Mr CTNOSC/GD-NS" <[EMAIL PROTECTED]>
> Date: Thu, April 06, 2006 2:46 pm
> To: "'ActiveDir@mail.activedir.org'" 
> 
> Dan,
> 
> You guys doing that now?
> 
> Lee
> 
> 
> 
> -Original Message-
> From: Daniel Gilbert [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, April 06, 2006 2:38 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> 
> Yeah Sergio,
> 
> You could even use that information to say...allow OU Admins the
> ability to view the logs of the domain controllers local to them.
> 
> Dan
> >  Original Message 
> > Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> > From: "Olivarez, Sergio J Mr CTNOSC/GD-NS"
> > <[EMAIL PROTECTED]>
> > Date: Thu, April 06, 2006 12:49 pm
> > To: ActiveDir@mail.activedir.org
> > 
> > Here is a link of what Ulf is talking about:
> > 
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;323076
> > 
> > 
> > Thanks,
> > Sergio 
> > 
> > -Original Message-
> > From: Ulf B. Simon-Weidner [mailto:[EMAIL PROTECTED] 
> > Sent: Thursday, April 06, 2006 12:41 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> > 
> > Might be - you know that you can delegate any eventlog by adjusting the
> > CustomSD Registrykey underneath the specific eventlog in the registry?
> > 
> > Gruesse - Sincerely, 
> > 
> > Ulf B. Simon-Weidner 
> > 
> >   MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
> >   Weblog: http://msmvps.org/UlfBSimonWeidner
> >   Website: http://www.windowsserverfaq.org
> >   Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
> > 
> >  
> > 
> > |-Original Message-
> > |From: [EMAIL PROTECTED] 
> > |[mailto:[EMAIL PROTECTED] On Behalf Of 
> > |Thommes, Michael M.
> > |Sent: Thursday, April 06, 2006 5:54 PM
> > |To: ActiveDir@mail.activedir.org
> > |Subject: [ActiveDir] Server 2003 "DNS Admins" group permissions
> > |
> > |The default "DNS Admins" group has permission to use the DNS GUI
> > |(dnsmgmt.msc) and to make changes in it but does not have 
> > |permission to view the DNS event log (DnsEvent.Evt).  Would 
> > |this just be an oversight on Microsoft's part?
> > |
> > |TIA,
> > |Mike Thommes


RE: [ActiveDir] Server 2003 "DNS Admins" group permissions

2006-04-06 Thread Daniel Gilbert
We are in the preliminary stages of that right now, in fact I have one
of the junior SA’s writing up documentation for the procedure on how to
configure the domain controllers to allow “trusted OU Admins” the
ability to read-only certain domain controller Event View logs.

I figure I can assist the OU Admins troubleshoot user problems and give
the junior SA some documentation writing experience.

Dan

>  Original Message 
> Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> From: "Gorder, Lee E Mr CTNOSC/GD-NS" <[EMAIL PROTECTED]>
> Date: Thu, April 06, 2006 2:46 pm
> To: "'ActiveDir@mail.activedir.org'" 
> 
> Dan,
> 
> You guys doing that now?
> 
> Lee
> 
> 
> 
> -Original Message-
> From: Daniel Gilbert [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, April 06, 2006 2:38 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> 
> Yeah Sergio,
> 
> You could even use that information to say...allow OU Admins the
> ability to view the logs of the domain controllers local to them.
> 
> Dan
> >  Original Message 
> > Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> > From: "Olivarez, Sergio J Mr CTNOSC/GD-NS"
> > <[EMAIL PROTECTED]>
> > Date: Thu, April 06, 2006 12:49 pm
> > To: ActiveDir@mail.activedir.org
> > 
> > Here is a link of what Ulf is talking about:
> > 
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;323076
> > 
> > 
> > Thanks,
> > Sergio 
> > 
> > -Original Message-
> > From: Ulf B. Simon-Weidner [mailto:[EMAIL PROTECTED] 
> > Sent: Thursday, April 06, 2006 12:41 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> > 
> > Might be - you know that you can delegate any eventlog by adjusting the
> > CustomSD Registrykey underneath the specific eventlog in the registry?
> > 
> > Gruesse - Sincerely, 
> > 
> > Ulf B. Simon-Weidner 
> > 
> >   MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
> >   Weblog: http://msmvps.org/UlfBSimonWeidner
> >   Website: http://www.windowsserverfaq.org
> >   Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
> > 
> >  
> > 
> > |-Original Message-
> > |From: [EMAIL PROTECTED] 
> > |[mailto:[EMAIL PROTECTED] On Behalf Of 
> > |Thommes, Michael M.
> > |Sent: Thursday, April 06, 2006 5:54 PM
> > |To: ActiveDir@mail.activedir.org
> > |Subject: [ActiveDir] Server 2003 "DNS Admins" group permissions
> > |
> > |The default "DNS Admins" group has permission to use the DNS GUI
> > |(dnsmgmt.msc) and to make changes in it but does not have 
> > |permission to view the DNS event log (DnsEvent.Evt).  Would 
> > |this just be an oversight on Microsoft's part?
> > |
> > |TIA,
> > |Mike Thommes
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
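
Added example (not part of the original thread, and not code from the posters or from the KB article linked above): a Python check for reviewing a CustomSD change of the kind this message describes before it goes onto domain controllers. It compares the old and new SDDL strings and reports anything other than a new read-only ACE for the delegated group. The SDDL strings and the group SID are constructed sample values, and the function names are hypothetical; 0x1, 0x2 and 0x4 are the event log read, write and clear bits.

```python
import re

# Event log access bits carried in the rights field of a CustomSD ACE.
READ, WRITE, CLEAR = 0x1, 0x2, 0x4
ACE_FIELDS = ("type", "flags", "rights", "object", "inherit_object", "trustee")


def parse_dacl(sddl):
    """Return the ACEs of the D: section of an SDDL string, in order."""
    _, found, dacl = sddl.strip().partition("D:")
    if not found:
        raise ValueError("SDDL string has no DACL (D:) section")
    dacl = dacl.partition("S:")[0]  # ignore a SACL section, if present
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace = dict(zip(ACE_FIELDS, parts))
        rights = ace["rights"].lower()
        # Only hex masks are decoded; symbolic rights are left for a human.
        ace["mask"] = int(rights, 16) if rights.startswith("0x") else None
        aces.append(ace)
    return aces


def _key(ace):
    return (ace["type"], ace["flags"], ace["rights"].lower(), ace["trustee"])


def review_delegation(before, after, trustee):
    """Compare two CustomSD values; an empty list means the change is as intended.

    Intended change: every old ACE is still present and the only additions
    are allow ACEs that give `trustee` read (0x1) and nothing else.
    """
    old, new = parse_dacl(before), parse_dacl(after)
    old_keys = [_key(a) for a in old]
    new_keys = [_key(a) for a in new]
    findings = []
    if before.strip().partition("D:")[0] != after.strip().partition("D:")[0]:
        findings.append("owner/group header changed")
    for ace in old:
        if _key(ace) not in new_keys:
            findings.append("existing ACE removed: type %s for %s"
                            % (ace["type"], ace["trustee"]))
    added = [a for a in new if _key(a) not in old_keys]
    if not any(a["trustee"] == trustee for a in added):
        findings.append("no new ACE for %s" % trustee)
    for ace in added:
        if ace["trustee"] != trustee:
            findings.append("unexpected new ACE for %s" % ace["trustee"])
        elif ace["type"] != "A":
            findings.append("new ACE for trustee is type %s, not allow" % ace["type"])
        elif ace["mask"] is None:
            findings.append("new ACE uses symbolic rights %r; review by hand"
                            % ace["rights"])
        elif ace["mask"] != READ:
            extra = [n for n, bit in (("write", WRITE), ("clear", CLEAR))
                     if ace["mask"] & bit]
            findings.append("new ACE grants 0x%x (%s), not read-only 0x1"
                            % (ace["mask"], ", ".join(extra) or "other bits"))
    return findings


# Constructed sample values, not taken from any real domain controller.
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
BEFORE = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)"
          "(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)")
GOOD = BEFORE + "(A;;0x1;;;%s)" % GROUP_SID
# A careless edit: the Guests deny ACE was dropped and the group can clear.
BAD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(A;;0xf0007;;;SY)(A;;0x7;;;BA)"
       "(A;;0x5;;;SO)(A;;0x7;;;%s)" % GROUP_SID)

if __name__ == "__main__":
    for label, candidate in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, review_delegation(BEFORE, candidate, GROUP_SID) or "ok")
```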


RE: [ActiveDir] Server 2003 "DNS Admins" group permissions

2006-04-06 Thread Olivarez, Sergio J Mr CTNOSC/GD-NS
Mr. Gilbert, You might just be on to something! ;-)


Sergio 

-Original Message-
From: Daniel Gilbert [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 06, 2006 2:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions

Yeah Sergio,

You could even use that information to say...allow OU Admins the
ability to view the logs of the domain controllers local to them.

Dan
>  Original Message 
> Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> From: "Olivarez, Sergio J Mr CTNOSC/GD-NS"
> <[EMAIL PROTECTED]>
> Date: Thu, April 06, 2006 12:49 pm
> To: ActiveDir@mail.activedir.org
> 
> Here is a link of what Ulf is talking about:
> 
> http://support.microsoft.com/default.aspx?scid=kb;en-us;323076
> 
> 
> Thanks,
> Sergio 
> 
> -Original Message-
> From: Ulf B. Simon-Weidner [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, April 06, 2006 12:41 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> 
> Might be - you know that you can delegate any eventlog by adjusting the
> CustomSD Registrykey underneath the specific eventlog in the registry?
> 
> Gruesse - Sincerely, 
> 
> Ulf B. Simon-Weidner 
> 
>   MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
>   Weblog: http://msmvps.org/UlfBSimonWeidner
>   Website: http://www.windowsserverfaq.org
>   Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
> 
>  
> 
> |-Original Message-
> |From: [EMAIL PROTECTED] 
> |[mailto:[EMAIL PROTECTED] On Behalf Of 
> |Thommes, Michael M.
> |Sent: Thursday, April 06, 2006 5:54 PM
> |To: ActiveDir@mail.activedir.org
> |Subject: [ActiveDir] Server 2003 "DNS Admins" group permissions
> |
> |The default "DNS Admins" group has permission to use the DNS GUI
> |(dnsmgmt.msc) and to make changes in it but does not have 
> |permission to view the DNS event log (DnsEvent.Evt).  Would 
> |this just be an oversight on Microsoft's part?
> |
> |TIA,
> |Mike Thommes


RE: [ActiveDir] Server 2003 "DNS Admins" group permissions

2006-04-06 Thread Gorder, Lee E Mr CTNOSC/GD-NS
Dan,

You guys doing that now?

Lee



-Original Message-
From: Daniel Gilbert [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 06, 2006 2:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions

Yeah Sergio,

You could even use that information to say...allow OU Admins the
ability to view the logs of the domain controllers local to them.

Dan
>  Original Message 
> Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> From: "Olivarez, Sergio J Mr CTNOSC/GD-NS"
> <[EMAIL PROTECTED]>
> Date: Thu, April 06, 2006 12:49 pm
> To: ActiveDir@mail.activedir.org
> 
> Here is a link of what Ulf is talking about:
> 
> http://support.microsoft.com/default.aspx?scid=kb;en-us;323076
> 
> 
> Thanks,
> Sergio 
> 
> -Original Message-
> From: Ulf B. Simon-Weidner [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, April 06, 2006 12:41 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> 
> Might be - you know that you can delegate any eventlog by adjusting the
> CustomSD registry key underneath the specific eventlog in the registry?
> 
> Gruesse - Sincerely, 
> 
> Ulf B. Simon-Weidner 
> 
>   MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
>   Weblog: http://msmvps.org/UlfBSimonWeidner
>   Website: http://www.windowsserverfaq.org
>   Profile:
> http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
> 
>  
> 
> |-Original Message-
> |From: [EMAIL PROTECTED] 
> |[mailto:[EMAIL PROTECTED] On Behalf Of 
> |Thommes, Michael M.
> |Sent: Thursday, April 06, 2006 5:54 PM
> |To: ActiveDir@mail.activedir.org
> |Subject: [ActiveDir] Server 2003 "DNS Admins" group permissions
> |
> |The default "DNS Admins" group has permission to use the DNS GUI
> |(dnsmgmt.msc) and to make changes in it but does not have 
> |permission to view the DNS event log (DnsEvent.Evt).  Would 
> |this just be an oversight on Microsoft's part?
> |
> |TIA,
> |Mike Thommes


RE: [ActiveDir] Server 2003 "DNS Admins" group permissions

2006-04-06 Thread Daniel Gilbert
Yeah Sergio,

You could even use that information to say...allow OU Admins the
ability to view the logs of the domain controllers local to them.

Dan
>  Original Message 
> Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> From: "Olivarez, Sergio J Mr CTNOSC/GD-NS"
> <[EMAIL PROTECTED]>
> Date: Thu, April 06, 2006 12:49 pm
> To: ActiveDir@mail.activedir.org
> 
> Here is a link of what Ulf is talking about:
> 
> http://support.microsoft.com/default.aspx?scid=kb;en-us;323076
> 
> 
> Thanks,
> Sergio 
> 
> -Original Message-
> From: Ulf B. Simon-Weidner [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, April 06, 2006 12:41 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> 
> Might be - you know that you can delegate any eventlog by adjusting the
> CustomSD registry key underneath the specific eventlog in the registry?
> 
> Gruesse - Sincerely, 
> 
> Ulf B. Simon-Weidner 
> 
>   MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
>   Weblog: http://msmvps.org/UlfBSimonWeidner
>   Website: http://www.windowsserverfaq.org
>   Profile:
> http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
> 
>  
> 
> |-Original Message-
> |From: [EMAIL PROTECTED] 
> |[mailto:[EMAIL PROTECTED] On Behalf Of 
> |Thommes, Michael M.
> |Sent: Thursday, April 06, 2006 5:54 PM
> |To: ActiveDir@mail.activedir.org
> |Subject: [ActiveDir] Server 2003 "DNS Admins" group permissions
> |
> |The default "DNS Admins" group has permission to use the DNS GUI
> |(dnsmgmt.msc) and to make changes in it but does not have 
> |permission to view the DNS event log (DnsEvent.Evt).  Would 
> |this just be an oversight on Microsoft's part?
> |
> |TIA,
> |Mike Thommes


RE: [ActiveDir] 2003 DFS/open files

2006-04-06 Thread Bernard, Aric
There is no distributed locking mechanism built into DFS/R.  If a file is
open, typically it will not get replicated.  If the same file is open in
two different locations the last write will win, although DFSR by
default will store any of these "conflicts" in a folder just in case.
DFS/R is great if you are distributing read-only content or content that
is modified in one place (or more if coordinated) and requires alternate
locations for reading/writing/backup.

If you need to distribute files for read and write to multiple locations
then you need to leverage a central file store or a wide area file
system (WAFS) that provides a distributed locking mechanism.  Most true
WAN Accelerators (Riverbed) *do not* do this.  I have had some limited
experience with Tacit and Brocade who both provide viable WAFS solutions
that integrate well with W2K3R2.


Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steven Comeau
Sent: Thursday, April 06, 2006 12:16 PM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 2003 DFS/open files

This is a good question and I hope it gets answered.  We have 20 sites and
want to put servers out there and possibly do DFS w/replication to keep
main copies at the HQ for backup purposes, but I am afraid of changes to a
single file that is opened at several sites.  I was considering WAN
Accelerators/WAN Cache devices that negotiate the file locks, etc., that
make the file appear as if it is only open at the HQ file server.  Anyone
have experience with these types of devices?

Steven Comeau
Sr. Director of IT
Community Options
16 Farber Road
Princeton, NJ  08540
EMail: [EMAIL PROTECTED]
Phone: 609-951-9900  x114
FAX: (609)  919-3889
www.comop.org



Re: [ActiveDir] Documentation regarding ADLB

2006-04-06 Thread Mark Parris
Bois, is this not a garden or something similar in French?
-Original Message-
From: <[EMAIL PROTECTED]>
Date: Thu, 6 Apr 2006 13:25:59 
To:
Subject: RE: [ActiveDir] Documentation regarding ADLB

The 2 docs I referenced are in the original. I don't believe that the R2 one
has adlb materials.
 

Sincerely, 
_
  (, /  |  /)   /) /)   
/---| (/__//_   //_ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 4/6/2006 1:18 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Documentation regarding ADLB



There are two BOIS docs, the original and the new one for R2.
-Original Message-
From: <[EMAIL PROTECTED]>
Date: Thu, 6 Apr 2006 13:04:43
To:
Subject: RE: [ActiveDir] Documentation regarding ADLB

Neil, I don't know which doc you are looking at, but the BOIS docs do a good
job on this topic IMO. If we are looking at the same docs, are you saying
04_Deploy_BuildBranch.doc and 06_Plan_Monitoring.doc are not enough to get
you started?


Sincerely,
_   
  (, /  |  /)   /) /)  
/---| (/__//_   //_
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /) 
   (/  
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon




From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 4/6/2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documentation regarding ADLB


I haven't seen much docos on ADLB. I was one of the guys who was "beta"
testing it back in W2K days though and found my share of bugs. The bugs I ran
into were all around the connections it wanted to delete and then where it
wanted to recreate them to. Basically there were some very bad decisions
because it didn't really differentiate between GC and writeable NCs and it
would try to connect a DC from DOM2 to a GC from DOM1 for the DOM2 NC to
replicate down to the DOM2 DC... Ah yeah that isn't right. :)  I was quite
vocal on that problem and it got resolved fairly quickly and the last rev I
ended up playing with (from maybe 2-3 years ago) worked perfectly from what I
saw in a very large unnamed organization.

Use was pretty simple, just follow the adlb /? info. What I would do is dump
the info to LDIF files and NOT commit to the directory so that I could see
what it wanted to do. If you do that for a while and are confident in what it
wants to do, go ahead and have it commit the changes. Or if you prefer, just
run the LDIF files.

Note this isn't something you should have to do very often, just when you see
that your connections are getting stacked up on a couple of DCs and you don't
like it. Some people will run it every time they add in a new DC, others will
only do it if they don't like the specific loading. If your replication
latency is fine and you aren't burning a hub bridgehead to the ground then it
is your call if you want to do it or not. My main thought in using it was to
lessen the impact of a bad WAN site DC from backing up a bridgehead's inbound
replication. This was a lot larger problem in 2K than it is in K3 since the
timeouts have been reduced for dropping a bad repl partner (or one across bad
WAN links). I used to see occasional issues where a bad network connection or
bad DC could tie up replication for over an hour. This is why I liked
monitoring pending repl queue so much and also why I initially wrote adqueue
(not publicly available) and adqueueloop (on joeware site).

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, April 06, 2006 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Documentation regarding ADLB



My last question was long-winded so this one will be much shorter :)

Are there any good resources which discuss ADLB (AD load balancer), how it
works? Its issues? How to use it? Etc etc

The branch office guide does not appear to cover this in detail.

Thanks,
neil


RE: [ActiveDir] Documentation regarding ADLB

2006-04-06 Thread joe
;o)


   
   ( )  ___  ___   ___  __  ___
  / / //   ) ) //___) ) //  / /  / / //   ) ) //  ) ) //___) ) 
 / / //   / / //   //  / /  / / //   / / //  //
((  / / ((___/ / ((   ((__( (__/ / ((___( ( //  ((  


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, April 06, 2006 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documentation regarding ADLB

The 2 docs I referenced are in the original. I don't believe that the R2 one
has adlb materials.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 4/6/2006 1:18 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Documentation regarding ADLB



There are two BOIS docs, the original and the new one for R2.
-Original Message-
From: <[EMAIL PROTECTED]>
Date: Thu, 6 Apr 2006 13:04:43
To:
Subject: RE: [ActiveDir] Documentation regarding ADLB

Neil, I don't know which doc you are looking at, but the BOIS docs do a good
job on this topic IMO. If we are looking at the same docs, are you saying
04_Deploy_BuildBranch.doc and 06_Plan_Monitoring.doc are not enough to get
you started?


Sincerely,
_   
  (, /  |  /)   /) /)  
/---| (/__//_   //_
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /) 
   (/  
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon




From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 4/6/2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documentation regarding ADLB


I haven't seen much docos on ADLB. I was one of the guys who was "beta"
testing it back in W2K days though and found my share of bugs. The bugs I ran
into were all around the connections it wanted to delete and then where it
wanted to recreate them to. Basically there were some very bad decisions
because it didn't really differentiate between GC and writeable NCs and it
would try to connect a DC from DOM2 to a GC from DOM1 for the DOM2 NC to
replicate down to the DOM2 DC... Ah yeah that isn't right. :)  I was quite
vocal on that problem and it got resolved fairly quickly and the last rev I
ended up playing with (from maybe 2-3 years ago) worked perfectly from what I
saw in a very large unnamed organization.

Use was pretty simple, just follow the adlb /? info. What I would do is dump
the info to LDIF files and NOT commit to the directory so that I could see
what it wanted to do. If you do that for a while and are confident in what it
wants to do, go ahead and have it commit the changes. Or if you prefer, just
run the LDIF files.

Note this isn't something you should have to do very often, just when you see
that your connections are getting stacked up on a couple of DCs and you don't
like it. Some people will run it every time they add in a new DC, others will
only do it if they don't like the specific loading. If your replication
latency is fine and you aren't burning a hub bridgehead to the ground then it
is your call if you want to do it or not. My main thought in using it was to
lessen the impact of a bad WAN site DC from backing up a bridgehead's inbound
replication. This was a lot larger problem in 2K than it is in K3 since the
timeouts have been reduced for dropping a bad repl partner (or one across bad
WAN links). I used to see occasional issues where a bad network connection or
bad DC could tie up replication for over an hour. This is why I liked
monitoring pending repl queue so much and also why I initially wrote adqueue
(not publicly available) and adqueueloop (on joeware site).

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, April 06, 2006 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Documentation regarding ADLB



My last question was long-winded so this one will be much shorter :)

Are there any good resources which

RE: [ActiveDir] Documentation regarding ADLB

2006-04-06 Thread King, William

There are also some additional references in 03_Plan_Physical.doc

I was interested in the replication schedule staggering provided by ADLB - are 
there any enhancements over using REPADMIN siteoptions 
+IS_SCHEDULE_HASHING_ENABLED ?





William


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 06 April 2006 21:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documentation regarding ADLB

The 2 docs I referenced are in the original. I don't believe that the R2 one
has adlb materials.


Sincerely,
   _   
  (, /  |  /)   /) /)  
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /) 
   (/  
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon




From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 4/6/2006 1:18 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Documentation regarding ADLB



There are two BOIS docs, the original and the new one for R2.
-Original Message-
From: <[EMAIL PROTECTED]>
Date: Thu, 6 Apr 2006 13:04:43
To:
Subject: RE: [ActiveDir] Documentation regarding ADLB

Neil, I don't know which doc you are looking at, but the BOIS docs do a good
job on this topic IMO. If we are looking at the same docs, are you saying
04_Deploy_BuildBranch.doc and 06_Plan_Monitoring.doc are not enough to get
you started?


Sincerely,
_  
  (, /  |  /)   /) /) 
/---| (/__//_   //_
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/ 
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon




From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 4/6/2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documentation regarding ADLB


I haven't seen much docos on ADLB. I was one of the guys who was "beta"
testing it back in W2K days though and found my share of bugs. The bugs I ran
into were all around the connections it wanted to delete and then where it
wanted to recreate them to. Basically there were some very bad decisions
because it didn't really differentiate between GC and writeable NCs and it
would try to connect a DC from DOM2 to a GC from DOM1 for the DOM2 NC to
replicate down to the DOM2 DC... Ah yeah that isn't right. :)  I was quite
vocal on that problem and it got resolved fairly quickly and the last rev I
ended up playing with (from maybe 2-3 years ago) worked perfectly from what I
saw in a very large unnamed organization.

Use was pretty simple, just follow the adlb /? info. What I would do is dump
the info to LDIF files and NOT commit to the directory so that I could see
what it wanted to do. If you do that for a while and are confident in what it
wants to do, go ahead and have it commit the changes. Or if you prefer, just
run the LDIF files.

Note this isn't something you should have to do very often, just when you see
that your connections are getting stacked up on a couple of DCs and you don't
like it. Some people will run it every time they add in a new DC, others will
only do it if they don't like the specific loading. If your replication
latency is fine and you aren't burning a hub bridgehead to the ground then it
is your call if you want to do it or not. My main thought in using it was to
lessen the impact of a bad WAN site DC from backing up a bridgehead's inbound
replication. This was a lot larger problem in 2K than it is in K3 since the
timeouts have been reduced for dropping a bad repl partner (or one across bad
WAN links). I used to see occasional issues where a bad network connection or
bad DC could tie up replication for over an hour. This is why I liked
monitoring pending repl queue so much and also why I initially wrote adqueue
(not publicly available) and adqueueloop (on joeware site).

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, April 06, 2006 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Documentation regarding ADLB



My last question was long-winded so this one will be much shorter :)

Are there any good resources which discuss ADLB (AD load balancer), how it
works? Its issues? How to use it? Etc etc

The branch office guide does not appear to cover this in detail.

Thanks,
neil


RE: [ActiveDir] Documentation regarding ADLB

2006-04-06 Thread deji
The 2 docs I referenced are in the original. I don't believe that the R2 one
has adlb materials.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 4/6/2006 1:18 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Documentation regarding ADLB



There are two BOIS docs, the original and the new one for R2.
-Original Message-
From: <[EMAIL PROTECTED]>
Date: Thu, 6 Apr 2006 13:04:43
To:
Subject: RE: [ActiveDir] Documentation regarding ADLB

Neil, I don't know which doc you are looking at, but the BOIS docs do a good
job on this topic IMO. If we are looking at the same docs, are you saying
04_Deploy_BuildBranch.doc and 06_Plan_Monitoring.doc are not enough to get
you started?


Sincerely,
_   
  (, /  |  /)   /) /)  
/---| (/__//_   //_
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /) 
   (/  
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon




From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 4/6/2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documentation regarding ADLB


I haven't seen much docos on ADLB. I was one of the guys who was "beta"
testing it back in W2K days though and found my share of bugs. The bugs I ran
into were all around the connections it wanted to delete and then where it
wanted to recreate them to. Basically there were some very bad decisions
because it didn't really differentiate between GC and writeable NCs and it
would try to connect a DC from DOM2 to a GC from DOM1 for the DOM2 NC to
replicate down to the DOM2 DC... Ah yeah that isn't right. :)  I was quite
vocal on that problem and it got resolved fairly quickly and the last rev I
ended up playing with (from maybe 2-3 years ago) worked perfectly from what I
saw in a very large unnamed organization.

Use was pretty simple, just follow the adlb /? info. What I would do is dump
the info to LDIF files and NOT commit to the directory so that I could see
what it wanted to do. If you do that for a while and are confident in what it
wants to do, go ahead and have it commit the changes. Or if you prefer, just
run the LDIF files.

Note this isn't something you should have to do very often, just when you see
that your connections are getting stacked up on a couple of DCs and you don't
like it. Some people will run it every time they add in a new DC, others will
only do it if they don't like the specific loading. If your replication
latency is fine and you aren't burning a hub bridgehead to the ground then it
is your call if you want to do it or not. My main thought in using it was to
lessen the impact of a bad WAN site DC from backing up a bridgehead's inbound
replication. This was a lot larger problem in 2K than it is in K3 since the
timeouts have been reduced for dropping a bad repl partner (or one across bad
WAN links). I used to see occasional issues where a bad network connection or
bad DC could tie up replication for over an hour. This is why I liked
monitoring pending repl queue so much and also why I initially wrote adqueue
(not publicly available) and adqueueloop (on joeware site).

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, April 06, 2006 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Documentation regarding ADLB



My last question was long-winded so this one will be much shorter :)

Are there any good resources which discuss ADLB (AD load balancer), how it
works? Its issues? How to use it? Etc etc

The branch office guide does not appear to cover this in detail.

Thanks,
neil


RE: [ActiveDir] Server 2003 "DNS Admins" group permissions

2006-04-06 Thread Thommes, Michael M.
Thanks, Ulf and Sergio!  I also came across this one:
http://www.mcse.ms/archive45-2004-10-1149114.html

-mike

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Olivarez,
Sergio J Mr CTNOSC/GD-NS
Sent: Thursday, April 06, 2006 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions

Here is a link of what Ulf is talking about:

http://support.microsoft.com/default.aspx?scid=kb;en-us;323076


Thanks,
Sergio 

-Original Message-
From: Ulf B. Simon-Weidner [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 06, 2006 12:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions

Might be - you know that you can delegate any eventlog by adjusting the
CustomSD registry key underneath the specific eventlog in the registry?

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Thommes, Michael M.
|Sent: Thursday, April 06, 2006 5:54 PM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Server 2003 "DNS Admins" group permissions
|
|The default "DNS Admins" group has permission to use the DNS GUI
|(dnsmgmt.msc) and to make changes in it but does not have 
|permission to view the DNS event log (DnsEvent.Evt).  Would 
|this just be an oversight on Microsoft's part?
|
|TIA,
|Mike Thommes

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
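
The CustomSD delegation mentioned in this thread, as an added example that is not code from any of the posters: it appends a read-only ACE for one group to an event log's CustomSD SDDL string and refuses to write if the result does not parse as intended. Assumptions: the registry path and the access bits (0x1 read, 0x2 write, 0x4 clear) are those documented for Windows Server 2003; the key name 'DNS Server', the sample SDDL and the group SID are constructed or hypothetical, and the function names are chosen here.

```powershell
# Added example: append a read-only ACE to an event log's CustomSD value.
# Event-log access bits (assumed per the Server 2003 documentation):
#   0x1 = read, 0x2 = write, 0x4 = clear.
$EventLogRead = 0x1

function Add-EventLogReadAce {
    param(
        [Parameter(Mandatory = $true)][string]$Sddl,  # current CustomSD string
        [Parameter(Mandatory = $true)][string]$Sid    # trustee SID, S-1-... form
    )
    # Parse first so a malformed descriptor or SID is rejected before any change.
    $sd      = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $trustee = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    if ($null -eq $sd.DiscretionaryAcl) {
        throw 'Descriptor has no DACL; refusing to invent one.'
    }

    # Idempotence: return unchanged if an allow ACE for this SID already grants read.
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed -and
            $ace.SecurityIdentifier.Equals($trustee) -and
            ($ace.AccessMask -band $EventLogRead)) {
            return $Sddl
        }
    }

    # Splice the ACE in at the end of the DACL (before "S:" when a SACL exists),
    # leaving every other character of the original string as it was.
    $newAce = '(A;;0x{0:x};;;{1})' -f $EventLogRead, $trustee.Value
    $cut = if ($null -ne $sd.SystemAcl) { $Sddl.LastIndexOf('S:') } else { $Sddl.Length }
    $updated = $Sddl.Insert($cut, $newAce)

    # Re-parse and confirm exactly one ACE was added to the DACL and that it is
    # the read-only ACE for the intended trustee; otherwise do not hand it back.
    $check = New-Object System.Security.AccessControl.RawSecurityDescriptor($updated)
    $last  = $check.DiscretionaryAcl[$check.DiscretionaryAcl.Count - 1]
    if ($check.DiscretionaryAcl.Count -ne ($sd.DiscretionaryAcl.Count + 1) -or
        -not $last.SecurityIdentifier.Equals($trustee) -or
        $last.AccessMask -ne $EventLogRead) {
        throw 'Spliced descriptor did not parse as expected; CustomSD left untouched.'
    }
    return $updated
}

function Grant-EventLogRead {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$LogKeyName,  # e.g. 'DNS Server' (assumed key name)
        [Parameter(Mandatory = $true)][string]$Sid
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogKeyName"
    # Fails (by design) if the log has no CustomSD value to extend.
    $current = (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction Stop).CustomSD
    $updated = Add-EventLogReadAce -Sddl $current -Sid $Sid
    if ($updated -eq $current) {
        Write-Verbose 'Read ACE already present; nothing to change.'
        return
    }
    if ($PSCmdlet.ShouldProcess($key, "Set CustomSD to $updated")) {
        Set-ItemProperty -Path $key -Name CustomSD -Value $updated
    }
}

# Constructed sample input: an SDDL string in the style of the Server 2003
# defaults and a made-up domain group SID. Nothing here touches the registry.
$sampleSddl = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;SU)'
$sampleSid  = 'S-1-5-21-1111111111-2222222222-3333333333-1101'
Add-EventLogReadAce -Sddl $sampleSddl -Sid $sampleSid

# On a domain controller, preview the change before committing it:
#   Grant-EventLogRead -LogKeyName 'DNS Server' -Sid <SID of the group> -WhatIf
```

An explicit deny ACE earlier in the DACL (the sample denies Anonymous and Guests) still overrides the added allow ACE for members of those groups.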


Re: [ActiveDir] Documentation regarding ADLB

2006-04-06 Thread Mark Parris
There are two BOIS docs, the original and the new one for R2.
-Original Message-
From: <[EMAIL PROTECTED]>
Date: Thu, 6 Apr 2006 13:04:43 
To:
Subject: RE: [ActiveDir] Documentation regarding ADLB

Neil, I don't know which doc you are looking at, but the BOIS docs do a good
job on this topic IMO. If we are looking at the same docs, are you saying
04_Deploy_BuildBranch.doc and 06_Plan_Monitoring.doc are not enough to get
you started?
 

Sincerely, 
_
  (, /  |  /)   /) /)   
/---| (/__//_   //_ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 4/6/2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documentation regarding ADLB


I haven't seen much docos on ADLB. I was one of the guys who was "beta"
testing it back in W2K days though and found my share of bugs. The bugs I ran
into were all around the connections it wanted to delete and then where it
wanted to recreate them to. Basically there were some very bad decisions
because it didn't really differentiate between GC and writeable NCs and it
would try to connect a DC from DOM2 to a GC from DOM1 for the DOM2 NC to
replicate down to the DOM2 DC... Ah yeah that isn't right. :)  I was quite
vocal on that problem and it got resolved fairly quickly and the last rev I
ended up playing with (from maybe 2-3 years ago) worked perfectly from what I
saw in a very large unnamed organization. 
 
Use was pretty simple, just follow the adlb /? info. What I would do is dump
the info to LDIF files and NOT commit to the directory so that I could see
what it wanted to do. If you do that for a while and are confident in what it
wants to do, go ahead and have it commit the changes. Or if you prefer, just
run the LDIF files. 
 
Note this isn't something you should have to do very often, just when you see
that your connections are getting stacked up on a couple of DCs and you don't
like it. Some people will run it every time they add in a new DC, others will
only do it if they don't like the specific loading. If your replication
latency is fine and you aren't burning a hub bridgehead to the ground then it
is your call if you want to do it or not. My main thoughts in using it was to
lessen the impact of a bad WAN site DC from backing up a bridgehead's inbound
replication. This was a lot larger problem in 2K than it is in K3 since the
timeouts have been reduced for dropping a bad repl partner (or one across bad
WAN links). I used to see occasional issues where a bad network connection or
bad DC could tie up replication for over an hour. This is why I liked
monitoring pending repl queue so much and also why I initially wrote adqueue
(not publicly available) and adqueueloop (on joeware site). 
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

 
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, April 06, 2006 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Documentation regarding ADLB



My last question was long winded so this one will be much shorter :) 

Are there any good resources which discuss ADLB (AD load balancer), how it
works? Its issues? How to use it? Etc etc

The branch office guide does not appear to cover this in detail. 

Thanks, 
neil 


RE: [ActiveDir] Documentation regarding ADLB

2006-04-06 Thread deji
Neil, I don't know which doc you are looking at, but the BOIS docs do a good
job on this topic IMO. If we are looking at the same docs, are you saying
04_Deploy_BuildBranch.doc and 06_Plan_Monitoring.doc are not enough to get
you started?
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 4/6/2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documentation regarding ADLB


I haven't seen much docos on ADLB. I was one of the guys who was "beta"
testing it back in W2K days though and found my share of bugs. The bugs I ran
into were all around the connections it wanted to delete and then where it
wanted to recreate them to. Basically there were some very bad decisions
because it didn't really differentiate between GC and writeable NCs and it
would try to connect a DC from DOM2 to a GC from DOM1 for the DOM2 NC to
replicate down to the DOM2 DC... Ah yeah that isn't right. :)  I was quite
vocal on that problem and it got resolved fairly quickly and the last rev I
ended up playing with (from maybe 2-3 years ago) worked perfectly from what I
saw in a very large unnamed organization. 
 
Use was pretty simple, just follow the adlb /? info. What I would do is dump
the info to LDIF files and NOT commit to the directory so that I could see
what it wanted to do. If you do that for a while and are confident in what it
wants to do, go ahead and have it commit the changes. Or if you prefer, just
run the LDIF files. 
 
Note this isn't something you should have to do very often, just when you see
that your connections are getting stacked up on a couple of DCs and you don't
like it. Some people will run it every time they add in a new DC, others will
only do it if they don't like the specific loading. If your replication
latency is fine and you aren't burning a hub bridgehead to the ground then it
is your call if you want to do it or not. My main thoughts in using it was to
lessen the impact of a bad WAN site DC from backing up a bridgehead's inbound
replication. This was a lot larger problem in 2K than it is in K3 since the
timeouts have been reduced for dropping a bad repl partner (or one across bad
WAN links). I used to see occasional issues where a bad network connection or
bad DC could tie up replication for over an hour. This is why I liked
monitoring pending repl queue so much and also why I initially wrote adqueue
(not publicly available) and adqueueloop (on joeware site). 
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

 
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, April 06, 2006 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Documentation regarding ADLB



My last question was long winded so this one will be much shorter :) 

Are there any good resources which discuss ADLB (AD load balancer), how it
works? Its issues? How to use it? Etc etc

The branch office guide does not appear to cover this in detail. 

Thanks, 
neil 


RE: [ActiveDir] Server 2003 "DNS Admins" group permissions

2006-04-06 Thread Olivarez, Sergio J Mr CTNOSC/GD-NS
Here is a link of what Ulf is talking about:

http://support.microsoft.com/default.aspx?scid=kb;en-us;323076


Thanks,
Sergio 

-Original Message-
From: Ulf B. Simon-Weidner [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 06, 2006 12:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions

Might be - you know that you can delegate any eventlog by adjusting the
CustomSD Registrykey underneath the specific eventlog in the registry?

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Thommes, Michael M.
|Sent: Thursday, April 06, 2006 5:54 PM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Server 2003 "DNS Admins" group permissions
|
|The default "DNS Admins" group has permission to use the DNS GUI
|(dnsmgmt.msc) and to make changes in it but does not have 
|permission to view the DNS event log (DnsEvent.Evt).  Would 
|this just be an oversight on Microsoft's part?
|
|TIA,
|Mike Thommes

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Documentation regarding ADLB

2006-04-06 Thread joe
I haven't seen much docos on ADLB. I was one of the guys 
who was "beta" testing it back in W2K days though and found my share of bugs. 
The bugs I ran into were all around the connections it wanted to delete and then 
where it wanted to recreate them to. Basically there were some very bad 
decisions because it didn't really differentiate between GC and writeable NCs 
and it would try to connect a DC from DOM2 to a GC from DOM1 for the DOM2 NC to 
replicate down to the DOM2 DC... Ah yeah that isn't right. :)  I was quite 
vocal on that problem and it got resolved fairly quickly and the last rev I 
ended up playing with (from maybe 2-3 years ago) worked perfectly from what 
I saw in a very large unnamed organization. 
 
Use was pretty simple, just follow the adlb /? info. What I 
would do is dump the info to LDIF files and NOT commit to the directory so that 
I could see what it wanted to do. If you do that for a while and are confident 
in what it wants to do, go ahead and have it commit the changes. Or if you 
prefer, just run the LDIF files. 
 
Note this isn't something you should have to do very often, 
just when you see that your connections are getting stacked up on a couple of 
DCs and you don't like it. Some people will run it every time they add in a new 
DC, others will only do it if they don't like the specific loading. If your 
replication latency is fine and you aren't burning a hub bridgehead to the 
ground then it is your call if you want to do it or not. My main thoughts in 
using it was to lessen the impact of a bad WAN site DC from backing up a 
bridgehead's inbound replication. This was a lot larger problem in 2K than it is 
in K3 since the timeouts have been reduced for dropping a bad repl partner (or 
one across bad WAN links). I used to see occasional issues where a bad network 
connection or bad DC could tie up replication for over an hour. This is why I 
liked monitoring pending repl queue so much and also why I initially wrote 
adqueue (not publicly available) and adqueueloop (on joeware site). 

 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, April 06, 2006 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Documentation regarding ADLB

My last question was long winded so this one will be much shorter :)

Are there any good resources which discuss ADLB (AD load balancer), how it
works? Its issues? How to use it? Etc etc

The branch office guide does not appear to cover this in detail.

Thanks,
neil


RE: [ActiveDir] Server 2003 "DNS Admins" group permissions

2006-04-06 Thread Ulf B. Simon-Weidner
Might be - you know that you can delegate any eventlog by adjusting the
CustomSD Registrykey underneath the specific eventlog in the registry?

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Thommes, Michael M.
|Sent: Thursday, April 06, 2006 5:54 PM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Server 2003 "DNS Admins" group permissions
|
|The default "DNS Admins" group has permission to use the DNS GUI
|(dnsmgmt.msc) and to make changes in it but does not have 
|permission to view the DNS event log (DnsEvent.Evt).  Would 
|this just be an oversight on Microsoft's part?
|
|TIA,
|Mike Thommes

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
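
An added illustration of the CustomSD delegation mentioned in the message above (not code from the poster or from Microsoft): a Python sketch that parses an event log CustomSD SDDL string and evaluates, in DACL order, whether a given set of SIDs gets read access. The two SDDL strings, the DnsAdmins SID and the member token are constructed for the example; the mask bits are the event log read (0x1), write (0x2) and clear (0x4) rights.

```python
import re

# Event log access rights carried in a CustomSD ACE mask.
ELF_READ, ELF_WRITE, ELF_CLEAR = 0x1, 0x2, 0x4

# Constructed values for the example (not taken from any real system).
DNSADMINS_SID = "S-1-5-21-1111111111-2222222222-3333333333-1101"
BEFORE_SD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)"
             "(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)")
# Delegation adds a read-only allow ACE for the group, nothing more.
AFTER_SD = BEFORE_SD + f"(A;;0x1;;;{DNSADMINS_SID})"
# SIDs a DnsAdmins member's token is assumed to carry, written as they
# would appear in the SDDL (alias or full SID).
MEMBER_TOKEN = {DNSADMINS_SID, "AU"}


def parse_dacl(sddl):
    """Return [(ace_type, mask, trustee), ...] in DACL order."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"unexpected ACE layout: ({body})")
        ace_type, _flags, rights, _obj, _inherit_obj, trustee = fields
        if ace_type not in ("A", "D"):
            raise ValueError(f"ACE type not handled: {ace_type}")
        if not rights.lower().startswith("0x"):
            raise ValueError(f"symbolic rights not handled: {rights}")
        aces.append((ace_type, int(rights, 16), trustee))
    return aces


def access_check(sddl, token_sids, desired):
    """Simplified DACL walk: ACEs are evaluated in order, a deny ACE that
    covers a still-ungranted requested bit ends the check, and access is
    granted only once every requested bit has been allowed."""
    granted = 0
    for ace_type, mask, trustee in parse_dacl(sddl):
        if trustee not in token_sids:
            continue
        if ace_type == "D" and mask & desired & ~granted:
            return False
        if ace_type == "A":
            granted |= mask & desired
            if granted == desired:
                return True
    return False


def trustees_with(sddl, right):
    """Trustees named in an allow ACE that includes `right` (denies ignored)."""
    return [t for kind, mask, t in parse_dacl(sddl)
            if kind == "A" and mask & right]


if __name__ == "__main__":
    for label, sd in (("before", BEFORE_SD), ("after", AFTER_SD)):
        print(label, "read:", access_check(sd, MEMBER_TOKEN, ELF_READ),
              "clear:", access_check(sd, MEMBER_TOKEN, ELF_CLEAR))
    print("allow-read trustees:", trustees_with(AFTER_SD, ELF_READ))
```

Running the same check against the value exported from a server before and after a change shows exactly which trustees gained which rights, which is useful when reviewing a delegation for anything broader than read.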


Re: [ActiveDir] 2003 DFS/open files

2006-04-06 Thread Steven Comeau
This is a good question and I hope it gets answered.  We have 20 sites and
want to put servers out there and possibly do DFS w/replication to keep
main copies at the HQ for backup purposes, but I am afraid of changes to a
single file that is opened at several sites.  I was considering WAN
Accelerators/WAN Cache devices that negotiate the file locks, etc., that
makes the file appear it is only open at the HQ file server.  Anyone have
experience with these type of devices?

Steven Comeau
Sr. Director of IT
Community Options
16 Farber Road
Princeton, NJ  08540
EMail: [EMAIL PROTECTED]
Phone: 609-951-9900  x114
FAX: (609)  919-3889
www.comop.org



RE: [ActiveDir] 2003 DFS/open files

2006-04-06 Thread Thommes, Michael M.
Maybe I need to describe my environment a little more…we have 3 file servers
that have a common file structure with one server holding a master directory
structure that is copied to both itself (with xcopy) and to the other two
servers with robocopy.  To ensure that a file actually does get copied, via a
daily scheduled job we need to stop the server service and kick off each of
the current user connections (net session \\computer_name_here /delete) to
make sure no one has a file open before the xcopy/robocopy process starts.
Note each of these users will only have a particular file(s) open for read
access.

With the latest DFS process using dynamic file replication (yes, I know we can
schedule the replication times), I wonder what would happen when a file is
updated and a user still has it open.  Hope this explanation makes things a
little clearer.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ion Gott
Sent: Wednesday, April 05, 2006 2:01 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 DFS/open files

The client will continue to have the file open but depends on what action they
take next...if they close the file..nothing.

If they save the file, the last write is going to win and possibly replace the
changes that were made on the file saved previously that the user may not be
aware of.

The work around for this issue really depends on the structure of your DFS
environment, I tend to use DFS-R to just replicate data and disable referrals
to that backup server so that doesn't happen.

Depends on exactly how you're using it I guess...

Ion V. Gott

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Wed 4/5/2006 7:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 DFS/open files

Can someone tell me what happens with DFS/replication when a file is updated
on one DFS server and a client has that same file open on another DFS server?

TIA!
Mike Thommes

RE: [ActiveDir] Disable site link bridging and DFS site costing

2006-04-06 Thread Dean Wells
... sorry, got carried away and forgot to address your more direct questions -

>> Is this a forest wide or site wide change?

I believe it prevents the affected ISTG from creating connection objects on
its bridgeheads sourced from DCs in non-transitive sites, i.e. it's mostly a
site-wide change (to be clear though, I'm inferring this definition since I
don't have any other docs. that neatly package a full feature description)

>> What attribute is changed in AD as a result of the above repadmin command?

NTDS Site Settings --> Options : bit 12 I believe (4096)

>> Is the change effective immediately or after a reboot?

To the ISTG, it's immediate.  DFS requires a bounce.

>> Does this actually disable site link bridging as per my requirement?

I haven't had reason to try it myself as yet ... that said, theory would
indicate that it does so but only for the site in question and only from an
inbound perspective.  I'd have to try it out myself to be sure though (let me
know your findings ;o)

>> Is my requirement not met at all? [or is it partially met? :) ]

Since you haven't defined your requirement, I don't know :o)

>> Is there further info which describes how this functions 'under the
>> covers'?

Public?  No, not that I know of.

>> i.e. what is happening behind the scenes such that bridging is disabled
>> but DFS costing is not affected?

Unlike AD (necessary func. levels assumed), DFS costing does not use the
ISTG's newer algorithms employed on 2K3 DCs (the Dijkstra and Kruskal combo.),
it continues to use the legacy ISM.  The legacy ISM remains active even on 2K3
DCs regardless of forest functional level for precisely this purpose.  In line
with legacy behaviors, "Bridge all site links" disables the ISM subsequently
and effectively disabling the newer DFS site-costing mechanisms.

--
Dean Wells
MSEtechnology
Email: dwells@msetechnology.com
http://msetechnology.com
 

  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
  Sent: Thursday, April 06, 2006 1:32 PM
  To: Send - AD mailing list
  Subject: RE: [ActiveDir] Disable site link bridging and DFS site costing

  This switch is used to permit automatic site link bridging to be disabled
  without affecting DFS's ability to use the legacy ISM to calculate the cost
  matrix.  The change is maintained on the NTDS Site Settings object and is
  effective only against 2K3 SP1 ISTGs (you can originate the change anywhere
  you like but it won't become effective until it replicates to the active
  ISTG within the site whose NTDS Site Settings object you just altered).
  When used to disable automagic site link bridging (as opposed to disabling
  it for the entire repl. transport), the site-costing calculation continues
  to occur and can subsequently be used by DFS.  Note that this ISTG behavior
  requires a minimum of forest func. level 1 and (again) a 2K3 SP1 DC.

  Hope that helps.

  --
  Dean Wells
  MSEtechnology
  Email: dwells@msetechnology.com
  http://msetechnology.com
   
  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, April 06, 2006 12:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disable site link bridging and DFS site costing

Background:

  Designing a new global AD
  Designing a new global DFS hierarchy
  Org is very federated with firewalls etc etc
  For various reasons, I suspect we may need to disable transitive bridging
  of site links (due to firewall rules)

According to this article:
http://technet2.microsoft.com/WindowsServer/en/Library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx
disabling site link bridging can have a detrimental effect upon DFS.

As a result, the article explains how repadmin may be used to disable bridging
without affecting DFS, using "repadmin /siteoptions w2k3_bridges_required"
[supported by w2k3 sp1 ISTG DCs only]

This looks like a good fit for our requirements but I need a little more info
on this new feature:

  Is this a forest wide or site wide change?
  What attribute is changed in AD as a result of the above repadmin command?
  Is the change effective immediately or after a reboot?
  Does this actually disable site link bridging as per my requirement? Is my
  requirement not met at all? [or is it partially met? :) ]
  Is there further info which describes how this functions 'under the
  covers'? i.e. what is happening behind the scenes such that bridging is
  disabled but DFS costing is not affected?

Hopefully I understood the article correctly and haven't asked redundant
questions :)

Thanks in advance,
neil

___
Neil Ruston
Global Technology Infrastructure
Nomura
Inter
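
An added example for the attribute named in the reply above (not from the thread): the options value on each site's NTDS Site Settings object can be decoded offline from an LDIF export to see which sites carry the bridging flag. The LDIF text, domain and site names are constructed; the flag table uses the NTDSSETTINGS_OPT_* bit values from Microsoft's ntdsapi.h, of which the message itself mentions only bit 12 (4096).

```python
# NTDSSETTINGS_OPT_* bits of the nTDSSiteSettings "options" attribute.
SITE_OPTION_FLAGS = {
    0x0001: "IS_AUTO_TOPOLOGY_DISABLED",
    0x0002: "IS_TOPL_CLEANUP_DISABLED",
    0x0004: "IS_TOPL_MIN_HOPS_DISABLED",
    0x0008: "IS_TOPL_DETECT_STALE_DISABLED",
    0x0010: "IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED",
    0x0020: "IS_GROUP_CACHING_ENABLED",
    0x0040: "FORCE_KCC_WHISTLER_BEHAVIOR",
    0x0080: "FORCE_KCC_W2K_ELECTION",
    0x0100: "IS_RAND_BH_SELECTION_DISABLED",
    0x0200: "IS_SCHEDULE_HASHING_ENABLED",
    0x0400: "IS_REDUNDANT_SERVER_TOPOLOGY_ENABLED",
    0x0800: "W2K3_IGNORE_SCHEDULES",
    0x1000: "W2K3_BRIDGES_REQUIRED",   # bit 12 = 4096, as in the reply
}

# Constructed LDIF export. The first DN is folded onto a second line and
# the third object has no options attribute at all (treated as 0).
SAMPLE_LDIF = """\
dn: CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=example,
 DC=com
objectClass: top
objectClass: nTDSSiteSettings
options: 4096

dn: CN=NTDS Site Settings,CN=Tokyo,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: nTDSSiteSettings
options: 4112

dn: CN=NTDS Site Settings,CN=Branch01,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: nTDSSiteSettings
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of {attr: [values]} records.
    Handles folded lines (leading single space) and '#' comments; base64
    ('::') values are stored undecoded because they are not needed here."""
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_key:
            current[last_key][-1] += raw[1:]      # folded continuation
            continue
        if not raw.strip():                       # blank line ends a record
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith("#"):
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        last_key = key.lower()
        current.setdefault(last_key, []).append(value.strip())
    if current:
        records.append(current)
    return records


def decode_options(value):
    """Return (flag names in bit order, bits not in the table)."""
    names = [name for bit, name in sorted(SITE_OPTION_FLAGS.items())
             if value & bit]
    unknown = value & ~sum(SITE_OPTION_FLAGS)
    return names, unknown


def audit_sites(ldif_text):
    """Map site name -> decoded options for every nTDSSiteSettings object.
    Assumes site names contain no escaped commas."""
    report = {}
    for rec in parse_ldif(ldif_text):
        classes = [c.lower() for c in rec.get("objectclass", [])]
        if "ntdssitesettings" not in classes:
            continue
        site = rec["dn"][0].split(",")[1].partition("=")[2]
        value = int(rec.get("options", ["0"])[0])
        names, unknown = decode_options(value)
        report[site] = {"options": value, "flags": names,
                        "unknown_bits": unknown}
    return report


if __name__ == "__main__":
    for site, info in audit_sites(SAMPLE_LDIF).items():
        print(site, info["options"], info["flags"])
```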

RE: [ActiveDir] Disable site link bridging and DFS site costing

2006-04-06 Thread Dean Wells
This switch is used to permit automatic site link bridging to be disabled
without affecting DFS's ability to use the legacy ISM to calculate the cost
matrix.  The change is maintained on the NTDS Site Settings object and is
effective only against 2K3 SP1 ISTGs (you can originate the change anywhere
you like but it won't become effective until it replicates to the active ISTG
within the site whose NTDS Site Settings object you just altered).  When used
to disable automagic site link bridging (as opposed to disabling it for the
entire repl. transport), the site-costing calculation continues to occur and
can subsequently be used by DFS.  Note that this ISTG behavior requires a
minimum of forest func. level 1 and (again) a 2K3 SP1 DC.

Hope that helps.

--
Dean Wells
MSEtechnology
Email: dwells@msetechnology.com
http://msetechnology.com
 

  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Thursday, April 06, 2006 12:15 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Disable site link bridging and DFS site costing

  Background:

    Designing a new global AD
    Designing a new global DFS hierarchy
    Org is very federated with firewalls etc etc
    For various reasons, I suspect we may need to disable transitive bridging
    of site links (due to firewall rules)

  According to this article:
  http://technet2.microsoft.com/WindowsServer/en/Library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx
  disabling site link bridging can have a detrimental effect upon DFS.

  As a result, the article explains how repadmin may be used to disable
  bridging without affecting DFS, using "repadmin /siteoptions
  w2k3_bridges_required" [supported by w2k3 sp1 ISTG DCs only]

  This looks like a good fit for our requirements but I need a little more
  info on this new feature:

    Is this a forest wide or site wide change?
    What attribute is changed in AD as a result of the above repadmin command?
    Is the change effective immediately or after a reboot?
    Does this actually disable site link bridging as per my requirement? Is my
    requirement not met at all? [or is it partially met? :) ]
    Is there further info which describes how this functions 'under the
    covers'? i.e. what is happening behind the scenes such that bridging is
    disabled but DFS costing is not affected?

  Hopefully I understood the article correctly and haven't asked redundant
  questions :)

  Thanks in advance,
  neil

  ___
  Neil Ruston
  Global Technology Infrastructure
  Nomura International plc
  Telephone: ჸ (0) 20 7521 3481


[ActiveDir] Documentation regarding ADLB

2006-04-06 Thread neil.ruston
My last question was long winded so this one will be much shorter :)


Are there any good resources which discuss ADLB (AD load balancer), how it works? Its issues? How to use it? Etc etc


The branch office guide does not appear to cover this in detail.


Thanks,

neil



[ActiveDir] Disable site link bridging and DFS site costing

2006-04-06 Thread neil.ruston
Background:



Designing a new global AD

Designing a new global DFS hierarchy

Org is very federated with firewalls etc etc

For various reasons, I suspect we may need to disable transitive bridging of site links (due to firewall rules)


According to this article: http://technet2.microsoft.com/WindowsServer/en/Library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx disabling site link bridging can have a detrimental effect upon DFS.

As a result, the article explains how repadmin may be used to disable bridging without affecting DFS, using "repadmin /siteoptions w2k3_bridges_required" [supported by w2k3 sp1 ISTG DCs only]

This looks like a good fit for our requirements but I need a little more info on this new feature:


Is this a forest wide or site wide change?

What attribute is changed in AD as a result of the above repadmin command?

Is the change effective immediately or after a reboot?

Does this actually disable site link bridging as per my requirement? Is my requirement not met at all? [or is it partially met? :) ]

Is there further info which describes how this functions 'under the covers'? i.e. what is happening behind the scenes such that bridging is disabled but DFS costing is not affected?


Hopefully I understood the article correctly and haven't asked redundant questions :)


Thanks in advance,

neil




___
Neil Ruston
Global Technology Infrastructure
Nomura International plc
Telephone: ჸ (0) 20 7521 3481 








[ActiveDir] Server 2003 "DNS Admins" group permissions

2006-04-06 Thread Thommes, Michael M.
The default "DNS Admins" group has permission to use the DNS GUI
(dnsmgmt.msc) and to make changes in it but does not have permission to
view the DNS event log (DnsEvent.Evt).  Would this just be an oversight
on Microsoft's part?

TIA,
Mike Thommes
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Robocopy(OT)

2006-04-06 Thread Bruyere, Michel








Hi,

I got something similar but with a PDF file. The solution was to reboot the server…

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, April 06, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

No one has this folder open.

I've run Process Explorer and Filemon and nothing is accessing this folder.

I can't delete it or share it out and it's missing the security tab.

Anything else I should look for?

Thanks

On 4/5/06, Mark Parris <[EMAIL PROTECTED]> wrote:

I have seen this if another PC has explorer open on that folder and you
try and delete from another.

Mark
-Original Message-
From: "Steve Rochford" <[EMAIL PROTECTED]>
Date: Wed, 5 Apr 2006 16:37:03
To: <ActiveDir@mail.activedir.org>
Subject: RE: [ActiveDir] Robocopy(OT)

This seems to happen when the folder is in the process of being deleted but
hasn't quite gone. Sometimes, just waiting a while will clear the problem - I
suspect that a process is holding open the folder (or, possibly, a file in the
folder). More than once I've hit this and gone to use Sysinternals process
explorer to find out which process is guilty. By the time I've run up the
program and searched for the folder name there's nothing there. Going back to
the folder finds that it's either gone or can now be deleted.

In your case, I'd guess that robocopy had started creating folders and when it
got interrupted, something took a while for things to get tidied up - if the
helpdesk guy hasn't yet unmapped the drives he was using then I think that this
might help. 

Steve



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: 05 April 2006 15:45
To: activedirectory
Subject: [ActiveDir] Robocopy(OT)



I have a strange issue.
I had a help desk admin robocopy a dir from one server to another.
During the copy, for whatever reason, he canceled the robocopy job.
When he went to the target server an empty dir was created which now cannot be
deleted.
I can't delete it through explorer or the command console at the server and get
an error of "cannot delete file:cannot read from the source file or
disk".

If I do a RD /s, I get "The system cannot find the file specified."

However the dir shows up in a dir listing or explorer.
The weird thing is also, the dir has no "security" tab (and it's on an
ntfs file system).

Some background on the robocopy job:
the admin mapped 2 drives from his local box (win2k).
One drive to the root of the volume on the source server and another to the
root on the target.
He then CD'ed to the source and ran robocopy with the "/E" and
"/V" switches.
After some time, he killed the job and now I'm stuck with this undeletable DIR.

Any insight would be great.
Thanks

Re: [ActiveDir] Robocopy(OT)

2006-04-06 Thread Tom Kern
No one has this folder open.
I've run Process Explorer and Filemon and nothing is accessing this folder.

I can't delete it or share it out and it's missing the security tab.

Anything else I should look for?

Thanks

On 4/5/06, Mark Parris <[EMAIL PROTECTED]> wrote:
I have seen this if another PC has explorer open on that folder and you try and delete from another.

Mark

-Original Message-
From: "Steve Rochford" <[EMAIL PROTECTED]>
Date: Wed, 5 Apr 2006 16:37:03
To: <ActiveDir@mail.activedir.org>
Subject: RE: [ActiveDir] Robocopy(OT)

This seems to happen when the folder is in the process of being deleted but hasn't quite gone. Sometimes, just waiting a while will clear the problem - I suspect that a process is holding open the folder (or, possibly, a file in the folder). More than once I've hit this and gone to use Sysinternals process explorer to find out which process is guilty. By the time I've run up the program and searched for the folder name there's nothing there. Going back to the folder finds that it's either gone or can now be deleted.

In your case, I'd guess that robocopy had started creating folders and when it got interrupted, something took a while for things to get tidied up - if the helpdesk guy hasn't yet unmapped the drives he was using then I think that this might help.

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: 05 April 2006 15:45
To: activedirectory
Subject: [ActiveDir] Robocopy(OT)

I have a strange issue.
I had a help desk admin robocopy a dir from one server to another.
During the copy, for whatever reason, he canceled the robocopy job.
When he went to the target server an empty dir was created which now cannot be deleted.
I can't delete it through explorer or the command console at the server and get an error of "cannot delete file:cannot read from the source file or disk".

If I do a RD /s, I get "The system cannot find the file specified."
However the dir shows up in a dir listing or explorer.
The weird thing is also, the dir has no "security" tab (and it's on an ntfs file system).

Some background on the robocopy job:
the admin mapped 2 drives from his local box (win2k).
One drive to the root of the volume on the source server and another to the root on the target.
He then CD'ed to the source and ran robocopy with the "/E" and "/V" switches.
After some time, he killed the job and now I'm stuck with this undeletable DIR.

Any insight would be great.
Thanks


RE: [ActiveDir] repadmin info oddity

2006-04-06 Thread joe
If asking about the BLOB structure definition, absolutely. I actually needed
no special access into MS to figure this one out. The hardest part was
recognizing a new data structure was defined and realizing that the format
of the data coming from AD by default wouldn't work with it.

Seeing that definition made me realize that there HAD to be a way to get
that info out. It wasn't necessarily documented but it had to exist. So when
I went back to the RFCs I found a modifier (officially termed an attribute
option) that you can append to an attribute to get it to return in an
alternate format. You are probably already familiar with a modifier/option,
it is ;range=x-y which is used to return a range of members of a multivalue
attribute. This other modifier I found for this is ;binary. 

I had previously seen this years ago but it made no sense to me because the
example that was given was around a user certificate which is already
returned in an octet string, specifying ;binary does nothing to the output
format. However with the replication metadata info it normally comes back as
an XML stream such as 

C:\WINDOWS\ADAM>adfind -rootdse msDS-ReplQueueStatistics

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc01.joe.com:389
Directory: Windows Server 2003

dn:
>msDS-ReplQueueStatistics: 
1601-01-01T00:00:00Z
0
1601-01-01T00:00:00Z
1601-01-01T00:00:00Z
1601-01-01T00:00:00Z
1601-01-01T00:00:00Z
1601-01-01T00:00:00Z



1 Objects returned


Appending the ;binary forces it to come back instead in a BLOB

C:\WINDOWS\ADAM>adfind -rootdse msDS-ReplQueueStatistics;binary

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc01.joe.com:389
Directory: Windows Server 2003

dn:
>msDS-ReplQueueStatistics;binary:        
              
  


1 Objects returned


Which can be cast into the BLOB data structure
ds_repl_queue_statisticsw_blob and then the info can be directly pulled out
of data structure with code like

dwCurrentPendingOps=blob.cNumPendingOps;

Instead of having to parse the XML string. 

What are the benefits here? First off, less processing at the DC to return
the info. If you are doing this a lot, you could get a decent savings in DC
side processing as it doesn't have to generate the XML. 

That savings is further increased because you have far less data coming
across the wire, it is only half the data at the most. In the example above
the binary is 26*2 or 52 bytes in size. For the XML 52 bytes only gets you
the string "  " which
doesn't even have any real data... It takes 445 bytes to send the XML
stream  

Finally you don't have to parse up the XML at the client. XML is not usable
as it is. Some people may feel it is usable directly because the language or
framework they use hides the details but it isn't, you have to process the
strings and break them up into the various fields to do anything with it.
For one off items you don't have to worry much about that processing because
it is negligible and I wouldn't think twice about it, in those cases you go
for easy over fast or efficient - that is what .NET and VB are all about. If
you are pulling this info a lot, it becomes considerable load very quickly.
String processing is and I expect always will be expensive in relation to
any straight integer processing. The longer you can avoid string processing
the better off you are in terms of speed. 


Now you could possibly handle this in vbscript, I don't think I would
probably want to. Perl shouldn't be too difficult though I have never tried
it. For c/c++ this is trivial. 


At some point I will look into switching adqueueloop over to using this
mechanism as it side steps the RPC connectivity requirement and will help
with ADAM as I have been having trouble with using DsBindByInstance which is
required to make the RPC connection to ADAM. I didn't have time to do the
switching prior to DEC as I worked this all while working on the DEC slides.
This info is actually all in the DEC slides too btw. The brief initial
mention of it was in the LDAP portion of the talk and I figured best to dust
over it versus talk about how cool it was as not everyone seemed to be
extremely interested in the minutia of LDAP. There is also a slide in the
appendix with a little info. 

  joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, April 06, 2006 4:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] repadmin info oddity

That's very cool (and frustrating?), considering the effort you (joe) have
made to write something which can collate repl stats.

Is this something you take advantage of in adqueueloop or some other
utility?


neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:
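
The decoding joe describes above, as an added example that is not part of the original post or of any joeware tool: a portable C parser for the 52-byte value returned for msDS-ReplQueueStatistics;binary, with a length check in place of a blind cast. The field order is assumed from the public DS_REPL_QUEUE_STATISTICSW_BLOB definition (six FILETIMEs and one DWORD, which matches the 52 bytes quoted in the post), little-endian layout is assumed, and the function names and the sample blob are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout, from the public DS_REPL_QUEUE_STATISTICSW_BLOB definition:
 * FILETIME ftimeCurrentOpStarted; DWORD cNumPendingOps; FILETIME ftimeOldest
 * {Sync,Add,Mod,Del,UpdRefs}. 6*8 + 4 = 52 bytes, little-endian, unpadded. */
#define REPL_QUEUE_BLOB_SIZE 52u
#define FILETIME_UNIX_OFFSET 11644473600LL /* seconds, 1601-01-01 to 1970 */

typedef struct {
    uint64_t current_op_started; /* times are 100 ns ticks since 1601 */
    uint32_t pending_ops;        /* cNumPendingOps */
    uint64_t oldest[5];          /* sync, add, mod, del, updrefs */
} repl_queue_stats;

/* Read an n-byte little-endian integer without casting the buffer. */
static uint64_t rd_le(const uint8_t *p, size_t n)
{
    uint64_t v = 0;
    while (n--)
        v = v << 8 | p[n];
    return v;
}

/* Decode one ;binary value; returns -1 unless len is exactly the blob size. */
int parse_repl_queue_blob(const uint8_t *buf, size_t len, repl_queue_stats *out)
{
    if (buf == NULL || out == NULL || len != REPL_QUEUE_BLOB_SIZE)
        return -1;
    out->current_op_started = rd_le(buf, 8);
    out->pending_ops = (uint32_t)rd_le(buf + 8, 4);
    for (int i = 0; i < 5; i++)
        out->oldest[i] = rd_le(buf + 12 + 8 * i, 8);
    return 0;
}

/* FILETIME ticks to Unix seconds; 0 ticks is 1601-01-01, i.e. "not set". */
int64_t filetime_to_unix(uint64_t ft)
{
    return (int64_t)(ft / 10000000u) - FILETIME_UNIX_OFFSET;
}

/* Constructed sample: 3 pending ops, oldest sync 2006-04-06T00:00:00Z. */
void make_sample_blob(uint8_t blob[REPL_QUEUE_BLOB_SIZE])
{
    uint64_t ft = 127887552000000000ULL;
    memset(blob, 0, REPL_QUEUE_BLOB_SIZE);
    blob[8] = 3;                       /* cNumPendingOps at offset 8 */
    for (int i = 0; i < 8; i++)        /* ftimeOldestSync at offset 12 */
        blob[12 + i] = (uint8_t)(ft >> (8 * i));
}

int main(void)
{
    uint8_t blob[REPL_QUEUE_BLOB_SIZE];
    repl_queue_stats s;
    make_sample_blob(blob);
    if (parse_repl_queue_blob(blob, sizeof blob, &s) != 0)
        return 1;
    printf("pending=%u oldest_sync_unix=%lld\n", (unsigned)s.pending_ops,
           (long long)filetime_to_unix(s.oldest[0]));
    return 0;
}
```

An all-zero blob decodes to 0 pending operations and 1601-01-01 timestamps, which corresponds to the idle queue shown in the XML output in the post.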

RE: [ActiveDir] Renaming DCs via netdom - a no no or painless?

2006-04-06 Thread Freddy HARTONO

Hi


Any downside of renaming dc via netdom below instead of demoting one by one (ouch!)
http://technet2.microsoft.com/WindowsServer/en/Library/aad1169a-f0d2-47d5-b0ea-989081ce62be1033.mspx


Any side effects to those remote slow link sites when I'm doing this or will be transparent to them... comments please.


Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
 





[ActiveDir] Repadmin error message

2006-04-06 Thread adriaoramos

My friends, I'm having a problem when I try to run repadmin /rehost.
I receive an error message.
I receive the message in Portuguese, because my domain is PT, but I'll try to translate it (if someone from Portugal or Brazil can help me, I will thank you).

IN PORTUGUESE:
failed with status 8450 (0x2102)
O contexto de nomes não pode ser removido porque é duplicado para outro servidor.
New DC Options: IS_GC

IN ENGLISH:
failed with status 8450 (0x2102)
the naming context could not be removed because it is replicated to another server

Thanks


Adrião Ferreira Ramos
Superintendência de Tecnologia da Informação
Depto. de Operações e Infra-estrutura - CII
*
 [EMAIL PROTECTED]
(  11 - 3388-8193

 


RE: [ActiveDir] repadmin info oddity

2006-04-06 Thread neil.ruston
That's very cool (and frustrating?), considering the effort you (joe)
have made to write something which can collate repl stats.

Is this something you take advantage of in adqueueloop or some other
utility?


neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 05 April 2006 23:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] repadmin info oddity

> I think they need to rethink the choices they've made and just call it
> The Dean and Joe Show.

Ah we are just the outside pieces of the whole show. There are a ton of
some amazing people back in the shadows of the halls of MS that are the
real heroes. I am sure there are many from those areas that would like to
come out and play and post but I have to say that it is a touchy thing
to post publicly when you have information that may or may not be
publicly available yet. 

There are often times where I will not respond to some question that I
absolutely know the answer to because I am not quite sure if I can write
something without disclosing information that I shouldn't and I (and
Dean) have just tip of the iceberg access for the most part to that
info; if I had full access like the folks "on the inside" it would be
VERY difficult for me to post anything I imagine because I would be
constantly worrying if what I "know" and wrote was not supposed to be
known to anyone else yet. 

To be more specific, the smallest little slip could give away quite a
lot of info if the right people see it. I recently saw a data structure
definition in MSDN that I had never heard of / seen before and it kicked
in my mind that there must be something else that goes with it just
based on how I know things work. I ended up chasing it in the RFCs and
found functionality in AD that I had no clue existed and I can't find
any public documentation for it related to AD though it is mentioned in
the LDAP RFCs. If I listed the data structure definition most people
(>99% probably) would just look at it and go "uh yeah, and what about it
you dork?".

The web page that had me scrambling?

http://windowssdk.msdn.microsoft.com/library/default.asp?url=/library/en-us/AD/ad/ds_repl_queue_statisticsw_blob.asp



All that being said, renaming ADAM was a horrible decision. So horrible
in fact that I refuse to accept it. Who's with me?



   joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Klassen
Sent: Wednesday, February 22, 2006 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] repadmin info oddity

Very handy and helpful.  Thank you so much for the time you've put into
this Dean.  If I ever get to meet you, it's worth a few at the bar.  If
you didn't see a couple of days ago, MS announced that it was changing
the names for parts of AD.  I think they need to rethink the choices
they've made and just call it The Dean and Joe Show.  Has a bit of a
ring to it.  :)

Scott Klassen

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, February 22, 2006 8:17 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] repadmin info oddity

As I'd hoped, joe does indeed have another way ... one that does the
encoding for you.  There's a prefix that can be supplied within the
filter that extends to any attribute of your choosing (this instructs
ADfind to manipulate the byte ordering and related structure);
{{GUID=}}.  The query below exploits that feature permitting repadmin's 
string>GUID
format to be supplied directly.

C:\>adfind -config -binenc -f "(retiredReplDSASignatures=*{{GUID:6cc4a8e0-2019-4e4f-81cd-f35926de38a3}}*)" -dn

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, February 21, 2006 7:09 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] repadmin info oddity

Hmmm, I would guess he's probably adding a new switch to deal with this
particular thread.

Anyway, since he's not responded, I'll take a stab at what ADfind can or
cannot do here (not really ADfind's problem if my lazy research is
accurate).  The attribute in question's syntax is a single-valued "octet
string" which can typically be filtered against assuming the correct
notation is supplied.  This particular attribute, however, will often
contain multiple GUIDs within the flat value (a pack of them) making it
difficult to successfully construct a reliable and/or optimal filter
(remember, medial queries are painful without the necessary index). 

To further complicate the issue, the byte ordering is maintained
differently internally to the way it's displayed.  Since ADfind AFAIK
cannot yet decode "retiredReplDSASignatures", in order to query against
it we have to reorder it ourselves.  Here's an example of ho