RE: [ActiveDir] Deleting default-first-site-name site
Woozzah.. stupid laggy exchange server.

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 13, 2006 11:26 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Deleting "default-first-site-name" site

I think you must have missed the answer in the follow-up reply ... that response contained -

paste
No, IIRC it defaults to the site of the DC from which the directory was sourced.
/paste

... let me know if that doesn't cover your question. Hope it's helpful!

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Wednesday, April 12, 2006 10:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Deleting "default-first-site-name" site

just curious, if this is deleted - where would a new dc with no subnet mapping be dropped to

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: Steve Rochford [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Wednesday, April 12, 2006 10:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Deleting "default-first-site-name" site

Thanks; that's what I expected but I wanted to check before I deleted something crucial :-)

Steve

From: [EMAIL PROTECTED] on behalf of Dean Wells
Sent: Wed 12/04/2006 14:27
To: Send - AD mailing list
Subject: RE: [ActiveDir] Deleting "default-first-site-name" site

Since replication takes place between DCs which logically exist in logical sites, no, ... not at all -- there's nothing to replicate with.

Regarding the deletion question; I've deleted it more times than I can count, sometimes I rename it if I need a new site ... there's nothing "special" about that object outside of its name (and that _should_ also prove a moot point. This of course depends upon the developer, good coding vs. bad coding ... deleting it may break some joeware tools though -- haha, just teasing :0)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Rochford
Sent: Wednesday, April 12, 2006 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Deleting "default-first-site-name" site

We no longer have any servers in the "default-first-site-name" site; should I delete that site?

I hadn't really thought it mattered until I was looking at the latency figures with repadmin (shown below for one server). Does it matter that no replication has taken place to a site without servers?

Steve

Replication Latency for site willesden (wstud3.student.cnwl.ac.uk):

    Originating Site         Ver    Time Local Update    Time Orig. Update    Latency      Since Last
    -----------------------  -----  -------------------  -------------------  -----------  -----------
    Default-First-Site-Name  50     2004-04-07 08:25:58  2001-07-26 15:39:10  23656:46:48  17644:21:27
    wembley                  58498  2006-04-12 12:25:57  2006-04-12 12:25:55  00:00:02     00:21:28
    kilburn                  5      2006-04-12 12:10:56  2006-04-12 12:06:52  00:04:04     00:36:29
    willesden                59228  2006-04-12 12:09:50  2006-04-12 12:09:50  00:00:00     00:37:35
    Madhouse                 13173  2006-04-12 12:25:57  2006-04-12 12:22:40  00:03:17     00:21:28

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
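
Added example, not written by any poster in this thread: a Python parser for the latency rows quoted above that separates a stale entry for a site holding no DCs (which the replies treat as harmless) from a stale entry for a site that still hosts DCs. The function names, the 24-hour threshold and the set of sites assumed to contain DCs are assumptions; the sample rows are copied from the post.

```python
import re
from datetime import timedelta

# Rows copied from the repadmin latency output quoted in the thread.
THREAD_ROWS = """\
Originating Site         Ver    Time Local Update    Time Orig. Update    Latency      Since Last
Default-First-Site-Name  50     2004-04-07 08:25:58  2001-07-26 15:39:10  23656:46:48  17644:21:27
wembley                  58498  2006-04-12 12:25:57  2006-04-12 12:25:55  00:00:02     00:21:28
kilburn                  5      2006-04-12 12:10:56  2006-04-12 12:06:52  00:04:04     00:36:29
willesden                59228  2006-04-12 12:09:50  2006-04-12 12:09:50  00:00:00     00:37:35
Madhouse                 13173  2006-04-12 12:25:57  2006-04-12 12:22:40  00:03:17     00:21:28
"""

# Assumption: every site other than Default-First-Site-Name still holds DCs.
# The original post only states that Default-First-Site-Name has no servers.
POPULATED = {"wembley", "kilburn", "willesden", "Madhouse"}

STAMP = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
ROW = re.compile(
    r"^(?P<site>\S+)\s+(?P<ver>\d+)\s+"
    rf"(?P<local>{STAMP})\s+(?P<orig>{STAMP})\s+"
    r"(?P<latency>\d+:\d\d:\d\d)\s+(?P<since>\d+:\d\d:\d\d)$"
)


def parse_hms(text):
    """Convert an H:MM:SS value (hours may exceed 24) to a timedelta."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def parse_latency(report):
    """Return one dict per data row; header and separator lines are skipped."""
    rows = []
    for line in report.splitlines():
        match = ROW.match(line.strip())
        if match:
            rows.append({
                "site": match["site"],
                "version": int(match["ver"]),
                "latency": parse_hms(match["latency"]),
                "since_last": parse_hms(match["since"]),
            })
    return rows


def classify(rows, sites_with_dcs, max_age=timedelta(hours=24)):
    """Label each originating site by the age of its last received update.

    current    - an update arrived within max_age
    stale      - no recent update although the site is expected to hold DCs
    empty-site - no recent update and no DCs expected there, the case the
                 replies describe as having nothing to replicate with
    """
    populated = {name.lower() for name in sites_with_dcs}  # site names: case-insensitive
    verdicts = {}
    for row in rows:
        if row["since_last"] <= max_age:
            verdicts[row["site"]] = "current"
        elif row["site"].lower() in populated:
            verdicts[row["site"]] = "stale"
        else:
            verdicts[row["site"]] = "empty-site"
    return verdicts


if __name__ == "__main__":
    for site, verdict in classify(parse_latency(THREAD_ROWS), POPULATED).items():
        print(f"{site:25} {verdict}")
```

Only a "stale" verdict points at a replication problem worth chasing; "empty-site" is the condition Steve asked about.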
[ActiveDir] No Terminal License Server available
Hi,

Single Windows 2003 domain

I demoted our DC to a member server and now we have an issue whereby when I open Terminal Server Licensing manager, I get a message "No Terminal Server License Server is available in the current domain or workgroup"

Anyone know why I receive this from demoting a DC and how to fix this!?
RE: [ActiveDir] No Terminal License Server available
Let me guess because the DC you demoted is your Terminal Service License server in the domain?

It's been a while since I last baby-sat a TS issue, but I believe that if the Site license service is not installed on a DC, then you will have to manually tell EACH TS in your environment how to locate the site license server. You do this through the registry. I don't have a TS server/environment handy to tell you exactly where the key is located. You can, however, search the registry for DomainLicenseServer (I think) and this should be where you specify the name of the TS License server.

HTH

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of James Carter
Sent: Wed 4/12/2006 11:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] No Terminal License Server available

Hi,

Single Windows 2003 domain

I demoted our DC to a member server and now we have an issue whereby when I open Terminal Server Licensing manager, I get a message No Terminal Server License Server is available in the current domain or workgroup

Anyone know why I receive this from demoting a DC and how to fix this!?
Re: [ActiveDir] OU's Structure
Joe,

The problem is that, as someone else mentioned, your OU structure serves two purposes:-

1) To delegate authority
2) To apply rights and restrictions via GPOs

Now if you are going to delegate authority, as far as I can see, the only way to do that is via OUs. You could apply specific rights to individual users, but that's messy to manage and impractical.

On the other hand users get many rights already because of group membership, so it's (more?) natural to apply GPOs based on group membership rather than having rights or restrictions "drop on you from above" because of where you are in AD. Mind you of course NTFS rights may also descend from above.

Dave.

As a general rule, I am much more a fan of setting up my GPO structure on an OU basis versus a group filtering basis. If anything applying a bunch of GPOs to an OU a user is in and then filtering out which ones they really have access to with groups would be slower than having multiple OU levels because there are more GPOs to loop through and check. I doubt it would add very much overhead but there would certainly be more than a deployment based on the hierarchical structure would have.
RE: [ActiveDir] No Terminal License Server available
FYI: The landscape changed somewhat with w2k3 TS.

Excerpt from
http://download.microsoft.com/download/2/f/2/2f2dc861-d567-4492-ae88-81afafa2d08d/Terminal%20Server%20Licensing.doc

"Although it is possible for non-domain controllers to be license servers in Windows Server 2003, it is important to note that domain license servers are not automatically discovered. You must configure a preferred license server on all terminal servers that need to communicate with non-Domain controller license servers configured as domain license servers. Enterprise domain license servers deployed on non-domain controllers are automatically discovered."

Hth,
neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 13 April 2006 07:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] No Terminal License Server available

Let me guess because the DC you demoted is your Terminal Service License server in the domain?

It's been a while since I last baby-sat a TS issue, but I believe that if the Site license service is not installed on a DC, then you will have to manually tell EACH TS in your environment how to locate the site license server. You do this through the registry. I don't have a TS server/environment handy to tell you exactly where the key is located. You can, however, search the registry for DomainLicenseServer (I think) and this should be where you specify the name of the TS License server.

HTH

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
RE: [ActiveDir] OU's Structure
Yes - prio 1 is delegation, prio 2 GPOs since you have multiple ways to influence GPOs.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, April 13, 2006 9:22 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OU's Structure

Joe,

The problem is that, as someone else mentioned, your OU structure serves two purposes:-

1) To delegate authority
2) To apply rights and restrictions via GPOs

Now if you are going to delegate authority, as far as I can see, the only way to do that is via OUs. You could apply specific rights to individual users, but that's messy to manage and impractical.

On the other hand users get many rights already because of group membership, so it's (more?) natural to apply GPOs based on group membership rather than having rights or restrictions "drop on you from above" because of where you are in AD. Mind you of course NTFS rights may also descend from above.

Dave.

As a general rule, I am much more a fan of setting up my GPO structure on an OU basis versus a group filtering basis. If anything applying a bunch of GPOs to an OU a user is in and then filtering out which ones they really have access to with groups would be slower than having multiple OU levels because there are more GPOs to loop through and check. I doubt it would add very much overhead but there would certainly be more than a deployment based on the hierarchical structure would have.
RE: [ActiveDir] No Terminal License Server available
Thanks for your response,

I think if I keep the old DC as a member server, it will be a pain to have to manually configure every workstation server to discover the existing license server. Having the TS licensing server on a DC appears to make the discovery a lot more automated.

So if I want to move the TS licensing server to a new domain controller, does anyone know what the procedure is for this?

I was thinking about backing up the LServer folder on the old DC and then restoring it onto the new DC.

Sorry, this appears to be going off topic,
RE: [ActiveDir] No Terminal License Server available
Hi James

If I remember correctly you'd have to set up a new one, reactivate server (call clearinghouse) - reactivate CALs, then deactivate the other ones.

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Thursday, April 13, 2006 4:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] "No Terminal License Server available"

Thanks for your response,

I think if I keep the old DC as a member server, it will be a pain to have to manually configure every workstation server to discover the existing license server. Having the TS licensing server on a DC appears to make the discovery a lot more automated.

So if I want to move the TS licensing server to a new domain controller, does anyone know what the procedure is for this?

I was thinking about backing up the LServer folder on the old DC and then restoring it onto the new DC.

Sorry, this appears to be going off topic,
[ActiveDir] GPO console version 1/2003 Admin tools.
Hi,

We have a 2000 AD environment. We have just started rolling out xp workstations and now I cannot use 2000 admin tools on the xp box. I have downloaded the 2003 admin tools which run fine on xp, however, my gpo templates don't match what's on the 2000 domain controllers. Same thing is happening for the GPO console (which is totally sweet!).

Has anyone else had this issue? Do I need to update gpo templates or something?

-Christine

Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02116
617-748-6034
617-293-4407
[EMAIL PROTECTED]
RE: [ActiveDir] No Terminal License Server available
This is a guide to terminal services licensing that I've found to be the most helpful:

http://www.brianmadden.com/content/content.asp?id=154

Cheers,
Randy
Re: [ActiveDir] OU's Structure
I get the sense that everyone is really getting deep into the theory and highlighting the differences in how the art of design is practiced ;)

OUs are grouping mechanisms in a directory world. Microsoft makes it easy to work with because you can change them easily and often if you like. As easily as changing groups. That's not the case with LDAP directories...

As for OU design, as mentioned it's not a performance impact, but rather an administrative impact[2]. Was it me, I'd continue to use the same OU structure you had before (based on the information you've presented and the experience you've mentioned) since it works for you and the way you manage your directory/users/etc.

Rule #1 of design - the design should work for the company it's being built for based on their requirements and not the application vendor's requirements[1].

Rule #2 of design - when in doubt, be sure to reference rule # 1

[1] within the confines of reality of course. The consultant's job is to act as a transmission - marry the power of the application with the path of business to move the company towards its goals as seamlessly as possible.

[2] Think about it: if you have too many OUs you won't be able to effectively administer the system. If you didn't set recommendations like ...keep it 5-7 deep. then people would deploy 105.2 OUs deep every chance they got. Then they'd wonder why they had unexpected results. By unexpected, I mean they didn't expect it, but the system will do what it does regardless. PITA to troubleshoot as well.

Al

On 4/13/06, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

Yes - prio 1 is delegation, prio 2 GPOs since you have multiple ways to influence GPOs.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=
RE: [ActiveDir] OU's Structure
Thanks! I am pretty confident I understand why you configure OUs. :)

I didn't say I wouldn't use group filtering but instead that I am against that being a going in view, someone has to prove that that is the way to go because it is more prone to confusion and failures. This is what I mean by being a fan of setting up by hierarchy than filtering.

The fact is, I am against having many GPOs at all, I like a very simple GPO structure preferably without having multiple GPOs impacting users as the more you have the slower auth processing is and the more complex troubleshooting is for issues. How many times have you been sitting there looking at gpresult output trying to figure out why a machine got configured a certain way, for me, the first 2-3 times was too many, I have better things to do with my time and I dread anytime I hear someone saying, we have this GPO and... and they start looking at me. I know I am not alone in this as I have had decent conversations with several people who are big into GPOs and really know that stuff backwards and forwards and in fact they can point out way more inconsistencies and issues and problems than I could even start to. Anyone truly being honest with themselves and understands the technology knows that GPOs can be quite flakey or maybe I should call them "odd" and difficult to deal with. They can be a great boon but they can also be a great detriment.

I am against having ad hoc GPOs any time someone gets a bug up their bum thinking there is some new great thing they can do with it such as deliver software or make minor tweaks. For instance I feel there are better solutions for software delivery. Plus I have yet to have encountered any company that manages GPOs well when they have a large number of them. Usually there are a bunch of unlinked GPOs or GPOs that are linked but missing sysvol files, etc.
There is of course the folks who worry about logon speed due to hierarchy which I hope has been sufficiently extinguished now, but if someone truly has a concern, if they are sitting in an environment with a thousand GPOs that are being filtered by group membership, having traced that code path, I would expect a perf hit. If you have say 14 GPOs as a round number, that is much more manageable and will be speedy whether handled through filtering or hierarchy (barring some stupidly complex GPO with scripts or tons of settings, etc). Finally there are the fun issues you can encounter that are completely an issue due to exposure gained bygroup filtering, say like someoneadds the everyone secprinto a group that has the kiosk settings either on purpose because today is their last day or accidently because some admin screwed up and gave them rights they didn't full comprehend, etc. Possibly something resets the ACLs on the GPCs. I have seen these occur both in person and through the grapevine and they can be quite fun to extract yourself from. The hierarchy mechanism has built in protections against this kind of wholesale nasty issue across an entire domain. All in all GPOs aresort of like Domain Admins. You should have very few (say two is a nice round number)buteveryone has an excuse why at least one more is neededfor whatever they are doing. This is an area you don't want to really get crazy in and you want to have it sufficiently locked down and controlled because it can be an area of immense pain for you when something goes pear shaped. Possibly I am jaded in that I deal primarily with Fortune 25 or bigger companies and large military and government customers primarily and it is the normal scaling issues MS has with tech and tech management. A smaller company is almost surely going to have a smaller (and possiblyless complex) number of GPOs just from the fact that they are smaller. On to delegation... 
I am slowly getting more and more of the opinion that almost all people based[1] delegation should be pulled out of ADand put into provisioning systems. People are getting more and morecomplex with their delegation models and then asking questions like, "hey what can people do and where can they do it" and the current native toolsets do not answer those questions well. Plus the complete lack and no desire by Microsoft to have the ability to have built in triggers and business rules and the fact that we currently havepoor auditing at best means a provisioning system makes even more sense because you can easily add all of those items at that layer. Also applications like Exchange/LCS are completely screwing up thedelegation model anyway. It is causing so much complexity and confusion in the ACL structure that most companies are either granting too many rights or duping up on permissions which causes bloat in older ADs and perf issues in all ADs. The issues with how poorlyproperty sets were implemented add to the confusion and pain here. I won't even get into the point about the first time some smart person
RE: [ActiveDir] No Terminal License Server available
I don't see the change. What you quoted is describing what I said.

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 4/13/2006 1:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] No Terminal License Server available

FYI: The landscape changed somewhat with w2k3 TS.

Excerpt from http://download.microsoft.com/download/2/f/2/2f2dc861-d567-4492-ae88-81afafa2d08d/Terminal%20Server%20Licensing.doc

Although it is possible for non-domain controllers to be license servers in Windows Server 2003, it is important to note that domain license servers are not automatically discovered. You must configure a preferred license server on all terminal servers that need to communicate with non-Domain controller license servers configured as domain license servers. Enterprise domain license servers deployed on non-domain controllers are automatically discovered.

Hth,
neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: 13 April 2006 07:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] No Terminal License Server available

Let me guess because the DC you demoted is your Terminal Service License server in the domain?

It's been a while since I last baby-sat a TS issue, but I believe that if the Site license service is not installed on a DC, then you will have to manually tell EACH TS in your environment how to locate the site license server. You do this through the registry. I don't have a TS server/environment handy to tell you exactly where the key is located. You can, however search the registry for DomainLicenseServer (I think) and this should be where you specify the name of the TS License server.

HTH

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of James Carter
Sent: Wed 4/12/2006 11:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] No Terminal License Server available

Hi,

Single Windows 2003 domain

I demoted our DC to a member server and now we have an issue whereby when I open Terminal Server Licensing manager, I get a message

No Terminal Server License Server is available in the current domain or workgroup

Anyone know why I receive this from demoting a DC and how to fix this!?

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] GPO console version 1/2003 Admin tools.
Check out this KB article it might clear some things up for you - http://support.microsoft.com/?id=842933

-Sergio

From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 13, 2006 7:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO console version 1/2003 Admin tools.

Christine-

Default behavior whenever you edit a GPO is that GP Editor will check the version of the ADM files that exist in c:\windows\inf on the workstations where you're editing the GPO, and, if newer, they will be copied up to the SYSVOL portion of that GPO, thus updating it, and allowing you to see the new templates in the GPO. What you should find is that the XP, SP2 ADMs are a superset of those found on Win2K. So, if you make a conscious decision to update all of your GPOs to the XP, SP2 templates, then you will be consistent across the board and won't lose anything in terms of still managing those Win2K boxes. What I would recommend, however, is that from now on you only edit your GPOs from XP.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Christine Allen
Sent: Thursday, April 13, 2006 5:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO console version 1/2003 Admin tools.

Hi,

We have a 2000 AD environment. We have just started rolling out XP workstations and now I cannot use 2000 admin tools on the XP box. I have downloaded the 2003 admin tools which run fine on XP, however, my GPO templates don't match what's on the 2000 domain controllers. Same thing is happening for the GPO console (which is totally sweet!). Has anyone else had this issue? Do I need to update GPO templates or something?

-Christine

Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02116
617-748-6034
617-293-4407
[EMAIL PROTECTED]
Re: [ActiveDir] Store only function
Works excellent. Thank you all!

ActiveDir@mail.activedir.org on Wednesday, April 12, 2006 at 7:17 PM -0500 wrote:

You could do what Bryan mentioned by adjusting the ACL of the required folder under the security tab.

-Shariff

On 4/11/06 4:12 PM, Brian Desmond [EMAIL PROTECTED] wrote:

Yes. Give them the right to Create Files/Write Data but not modify or delete.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Steven Comeau
Sent: Tuesday, April 11, 2006 3:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Store only function

Is there a way for setting up rights to a folder so that someone can place a file in a folder but not be able to modify or overwrite that file once placed into a folder?

Thankie...

Steven Comeau
Sr. Director of IT
Community Options
16 Farber Road
Princeton, NJ 08540
EMail: [EMAIL PROTECTED]
Phone: 609-951-9900 x114
FAX: (609) 919-3889
www.comop.org
RE: [ActiveDir] Replication issues on one of our DCs
If you turn up internal processing, do you get any more data about this condition?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, April 12, 2006 6:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication issues on one of our DCs

I would certainly be a trifle concerned about disk...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Wednesday, April 12, 2006 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication issues on one of our DCs

Any ideas? NTFS compression isn't turned on. Maybe an impending drive failure?

Internal event: Active Directory could not update the following object with changes received from the following source domain controller. This is because an error occurred during the application of the changes to Active Directory on the domain controller.

Object:
CN=FFF-LEE-Six-Sigma,OU=LEE,OU=EH,OU=CAM,DC=FFF,DC=ourdomain,DC=com
Object GUID:
0a7ba036-b9be-4c9f-b978-1d1ce99c8e40
Source domain controller:
190d7fdf-0c3f-4c5d-ad78-0df06208c3be._msdcs.ourdomain.com

Synchronization of the local domain controller with the source domain controller is blocked until this update problem is corrected.

This operation will be tried again at the next scheduled replication.

User Action
Restart the local domain controller if this condition appears to be related to low system resources (for example, low physical or virtual memory).

Additional Data
Error value:
1127 While accessing the hard disk, a disk operation failed even after retries.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
RE: [ActiveDir] issue with R2 upgrade; SFU confusion?
Hi Brian,

It appears that a schema attribute rename is what's needed. We haven't had a chance to try this yet in our testbed where the problem occurred. Here's the info we got back (we did not open an official case with MS but I am guessing someone else did) as a workaround until an official patch is released. HTH,

Mike Thommes

Case Problem:

Adprep for R2 runs into problems.

Attributes in conflict:

CN=uidNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=gidNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=gecos,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=loginShell,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=shadowLastChange,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=shadowMin,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=shadowMax,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=shadowWarning,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=shadowInactive,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=shadowExpire,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=shadowFlag,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=memberUid,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=memberNisNetgroup,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=ipServicePort,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=ipServiceProtocol,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=ipProtocolNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=oncRpcNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=ipHostNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=ipNetworkNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=ipNetmaskNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=macAddress,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=bootParameter,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=bootFile,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=nisMapName,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=nisMapEntry,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=nisMap,CN=Schema,CN=Configuration,DC=anl,DC=gov

Resolution:

First of all, we followed the guidelines in http://support.microsoft.com/?kbid=285172

Step 1 - Connect to the Schema Master using LDP, Login with Enterprise Admin Credentials or Schema Admin Privileges.

Step 2 - What we have to change is the conflicting Schema Attributes to a bogus or a dummy name. Like for Example: Change uidnumber to Old-uidNumber.

Step 3 - Choose Modify, and type in the name of the attribute and value you want

Step 4 - We have to change the below attributes of the conflicting one:
a. adminDisplayName
b. LDAPDisplayName
c. DN (This will have to be done after the two upper ones.) There is a modify DN option just for it.

We have to do this with all the conflicting attributes.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Thursday, April 13, 2006 12:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Mike-

Did you ever get any resolution on this or more info?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, February 20, 2006 7:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Ask him/her what the article number is if this is a known issue. If he/she says there isn't one then say it sure isn't known very well then.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Friday, February 17, 2006 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Our MS TAM has indicated this is a known bug! I will keep the group posted as I learn more details.

Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Friday, February 17, 2006 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

As an update to this thread, we transferred the Schema Master role back to the other DC that has the SFU tools installed originally thinking this might get the R2 schema update to work. Wrong! It fails with the same error. I can only imagine we do not have that unique an environment in our testbed and expect others to have the same experience. Luckily, we never put SFU 3.5 on our production systems. We are going to open up a trouble ticket with Microsoft regarding this issue. I would like to hear of others' experiences (success or failure) when trying to install R2 in an environment where SFU 3.5 had been installed. Thanks!

Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Thursday, February 16, 2006 9:07
[ActiveDir] Problems with remote acess
I am trying to access a computer running Windows 2003 via Remote Access.

Remote connection is enabled in remote access.

It worked till some days ago. Now when I try to access I receive this message:

The client could not connect to the remote computer. Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection.

I tried to disable and enable remote access again with no success.

What may be wrong?

Adrião Ferreira Ramos
Superintendência de Tecnologia da Informação
Depto. de Operações e Infra-estrutura - CII
[EMAIL PROTECTED]
11 - 3388-8193
[ActiveDir] how to display DC services on a single line?
Brain freeze active

There is a command that shows on a single line what services are running on a DC. The output is something like DS::GC::Time::LDAP:: Can someone help this poor, tired brain out? Thanks!

Mike Thommes
Re: [ActiveDir] Problems with remote acess
Uninstall Terminal Service and enable Remote Desktop.

[EMAIL PROTECTED] wrote:

I am trying to access a computer running Windows 2003 via Remote Access.

Remote connection is enabled in remote access.

It worked till some days ago. Now when I try to access I receive this message:

"The client could not connect to the remote computer. Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection."

I tried to disable and enable remote access again with no success.

What may be wrong?

Adrião Ferreira Ramos
Superintendência de Tecnologia da Informação
Depto. de Operações e Infra-estrutura - CII
[EMAIL PROTECTED]
11 - 3388-8193
RE: [ActiveDir] Problems with remote acess
Adrião,

Check the firewall settings of the remote box. If you have it enabled, make sure the port 3389, the remote desktop port, is in the exclusionary list.

You can also change the RDP port by following the instructions below.

1. Start Registry Editor.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
3. On the Edit menu, click Modify, and then click Decimal.
4. Type the new port number, and then click OK.
5. Quit Registry Editor.

Note: When you try to connect to this computer by using the Remote Desktop connection, you must type the new port (i.e., hostname:portnumber).

Hope this helps.

-Shariff

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, April 13, 2006 2:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problems with remote acess

I am trying to access a computer running Windows 2003 via Remote Access.

Remote connection is enabled in remote access.

It worked till some days ago. Now when I try to access I receive this message:

"The client could not connect to the remote computer. Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection."

I tried to disable and enable remote access again with no success.

What may be wrong?

Adrião Ferreira Ramos
Superintendência de Tecnologia da Informação
Depto. de Operações e Infra-estrutura - CII
[EMAIL PROTECTED]
11 - 3388-8193
RE: [ActiveDir] how to display DC services on a single line?
Nltest perhaps?

C:\Documents and Settings\Administrator.SRDC2>nltest /dsgetdc:north
           DC: \\DCN1
      Address: \\192.168.5.2
     Dom Guid: 3efc188a-c7bb-4c72-9129-262d4a4b8fba
     Dom Name: NORTH
  Forest Name: north.com
 Dc Site Name: NORTH
Our Site Name: NORTH
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_S
ITE
The command completed successfully

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Friday, 14 April 2006 7:28 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] how to display DC services on a single line?

Brain freeze active

There is a command that shows on a single line what services are running on a DC. The output is something like DS::GC::Time::LDAP:: Can someone help this poor, tired brain out? Thanks!

Mike Thommes
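An added example, not part of the original posts: a small Python parser for the nltest /dsgetdc output quoted in the reply above. It rejoins the flag that the 80-column console split across two lines, puts the DC's advertised roles on one line, and reports whether the locator returned a DC outside the client's own site. The sample text is constructed from the values in the post, and the function names are this example's own.

```python
import re

CONSOLE_WIDTH = 80  # assumption: default cmd.exe width, where the quoted output wrapped

# Field labels exactly as they appear in the nltest output quoted in the post.
FIELD = re.compile(
    r"^\s*(DC|Address|Dom Guid|Dom Name|Forest Name|Dc Site Name|Our Site Name|Flags):\s*(.*)$"
)


def console_wrap(text, width=CONSOLE_WIDTH):
    """Hard-wrap each line at a fixed column, as a console does (builds the sample)."""
    out = []
    for line in text.splitlines():
        out.extend([line[i:i + width] for i in range(0, len(line), width)] or [""])
    return "\n".join(out)


# Constructed sample: the values from the post, labels right-aligned to 13 columns,
# then wrapped at 80 columns so the last flag splits into "CLOSE_S" / "ITE".
_FIELDS = [
    ("DC", r"\\DCN1"),
    ("Address", r"\\192.168.5.2"),
    ("Dom Guid", "3efc188a-c7bb-4c72-9129-262d4a4b8fba"),
    ("Dom Name", "NORTH"),
    ("Forest Name", "north.com"),
    ("Dc Site Name", "NORTH"),
    ("Our Site Name", "NORTH"),
    ("Flags", "PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_SITE"),
]
SAMPLE = console_wrap(
    "\n".join(f"{label:>13}: {value}" for label, value in _FIELDS)
    + "\nThe command completed successfully"
)


def parse_dsgetdc(output, width=CONSOLE_WIDTH):
    """Return the DC locator result as a dict, undoing fixed-width console wraps."""
    raw_fields, last_key, last_full = {}, None, False
    for raw in output.splitlines():
        match = FIELD.match(raw)
        if match:
            last_key = match.group(1)
            raw_fields[last_key] = match.group(2)
        elif last_key and last_full and not raw.startswith("The command"):
            # The previous physical line filled the console, so this line is the
            # rest of the same value: concatenate without inserting a space.
            raw_fields[last_key] += raw
        else:
            last_key = None
        last_full = len(raw) >= width

    dc_site = raw_fields.get("Dc Site Name", "").strip()
    client_site = raw_fields.get("Our Site Name", "").strip()
    return {
        "dc": raw_fields.get("DC", "").strip().lstrip("\\"),
        "address": raw_fields.get("Address", "").strip().lstrip("\\"),
        "domain": raw_fields.get("Dom Name", "").strip(),
        "forest": raw_fields.get("Forest Name", "").strip(),
        "dc_site": dc_site,
        "client_site": client_site,
        "flags": raw_fields.get("Flags", "").split(),
        # A DC from another site often points at missing subnet-to-site mappings.
        "in_client_site": bool(dc_site) and dc_site.lower() == client_site.lower(),
    }


def one_line(info):
    """Render the result in the DS::GC::LDAP style the question asked for."""
    where = "in-site" if info["in_client_site"] else "OUT-OF-SITE"
    return f"{info['dc']} ({info['dc_site']}, {where}) " + "::".join(info["flags"])


if __name__ == "__main__":
    print(one_line(parse_dsgetdc(SAMPLE)))
```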
[ActiveDir] How to verify which DC authenticated a user account?
Greetings,

We seem to be getting intermittent authentication errors on several servers that are pulling reports from our SQL Oracle database clusters and the site that I am located in at an imaginary company. I remember using a command in NT 3.51 that told you the PDC or BDC that processed your logon or authenticated you, but forgot it, I tried srvinfo and it only shows you the PDC emulator in the domain, is there a recommended tool for active directory? We don't have USRSTAT, is that it? Is it NETDOM or NLTEST?

Also when I run NETDIAG the following errors appear:

Kerberos test. . . . . . . . . . . : Failed
    [FATAL] Kerberos does not have a ticket for Oracle server name .
LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] Failed to query SPN registration on DC ' **
    [WARNING] Failed to query SPN registration on DC ' ' **
    [WARNING] Failed to query SPN registration on DC ' ' **
    [WARNING] Failed to query SPN registration on DC ' ' **
    [WARNING] Failed to query SPN registration on DC ' ' **
Trust relationship test. . . . . . : Failed
    Secure channel for domain ' USA' is to '\\usa.server.com'.
    [FATAL] Cannot test secure channel for domain 'USA to DC ' server06'. [ERRO
R_NO_LOGON_SERVERS]

--
Sincerely,
Jose Medeiros
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell
RE: [ActiveDir] How to verify which DC authenticated a user account?
Echo %logonserver%

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose
Sent: Thursday, April 13, 2006 7:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to verify which DC authenticated a user account?

Greetings,

We seem to be getting intermittent authentication errors on several servers that are pulling reports from our SQL Oracle database clusters and the site that I am located in at an imaginary company. I remember using a command in NT 3.51 that told you the PDC or BDC that processed your logon or authenticated you, but forgot it, I tried srvinfo and it only shows you the PDC emulator in the domain, is there a recommended tool for active directory? We don't have USRSTAT, is that it? Is it NETDOM or NLTEST?

Also when I run NETDIAG the following errors appear:

Kerberos test. . . . . . . . . . . : Failed
    [FATAL] Kerberos does not have a ticket for Oracle server name .
LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] Failed to query SPN registration on DC ' **
    [WARNING] Failed to query SPN registration on DC ' ' **
    [WARNING] Failed to query SPN registration on DC ' ' **
    [WARNING] Failed to query SPN registration on DC ' ' **
    [WARNING] Failed to query SPN registration on DC ' ' **
Trust relationship test. . . . . . : Failed
    Secure channel for domain ' USA' is to '\\usa.server.com'.
    [FATAL] Cannot test secure channel for domain 'USA to DC ' server06'. [ERRO
R_NO_LOGON_SERVERS]

--
Sincerely,
Jose Medeiros
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell
RE: [ActiveDir] How to verify which DC authenticated a user account?
Jose,

I think you want NLTEST which (I think) is part of the XP RK.

-- nme

-----Original Message-----
From: Brian Desmond [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 13, 2006 5:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to verify which DC authenticated a user account?

Echo %logonserver%

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose
Sent: Thursday, April 13, 2006 7:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to verify which DC authenticated a user account?

Greetings,

We seem to be getting intermittent authentication errors on several servers that are pulling reports from our SQL Oracle database clusters and the site that I am located in at an imaginary company. I remember using a command in NT 3.51 that told you the PDC or BDC that processed your logon or authenticated you, but forgot it, I tried srvinfo and it only shows you the PDC emulator in the domain, is there a recommended tool for active directory? We don't have USRSTAT, is that it? Is it NETDOM or NLTEST?

Also when I run NETDIAG the following errors appear:

Kerberos test. . . . . . . . . . . : Failed
    [FATAL] Kerberos does not have a ticket for Oracle server name .
LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] Failed to query SPN registration on DC ' **
    [WARNING] Failed to query SPN registration on DC ' ' **
    [WARNING] Failed to query SPN registration on DC ' ' **
    [WARNING] Failed to query SPN registration on DC ' ' **
    [WARNING] Failed to query SPN registration on DC ' ' **
Trust relationship test. . . . . . : Failed
    Secure channel for domain ' USA' is to '\\usa.server.com'.
    [FATAL] Cannot test secure channel for domain 'USA to DC ' server06'. [ERRO
R_NO_LOGON_SERVERS]

--
Sincerely,
Jose Medeiros
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell
RE: [ActiveDir] How to verify which DC authenticated a user account?
You work for an imaginary company? :-)

You can check the secure channel using nltest, as follows:

Nltest /sc_query:domain /server:server_name

e.g.

Nltest /sc_query:MYDOM /server:MYSRV

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, 14 April 2006 11:53 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to verify which DC authenticated a user account?

Greetings,

We seem to be getting intermittent authentication errors on several servers that are pulling reports from our SQL Oracle database clusters and the site that I am located in at an imaginary company. I remember using a command in NT 3.51 that told you the PDC or BDC that processed your logon or authenticated you, but forgot it. I tried srvinfo and it only shows you the PDC emulator in the domain. Is there a recommended tool for Active Directory? We don't have USRSTAT, is that it? Is it NETDOM or NLTEST?

Also when I run NETDIAG the following errors appear:

Kerberos test. . . . . . . . . . . : Failed
    [FATAL] Kerberos does not have a ticket for Oracle server name .

LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] Failed to query SPN registration on DC ' **
    [WARNING] Failed to query SPN registration on DC ' ' **
    [WARNING] Failed to query SPN registration on DC ' ' **
    [WARNING] Failed to query SPN registration on DC ' ' **
    [WARNING] Failed to query SPN registration on DC ' ' **

Trust relationship test. . . . . . : Failed
    Secure channel for domain ' USA' is to '\\usa.server.com'.
    [FATAL] Cannot test secure channel for domain 'USA to DC ' server06'.
    [ERROR_NO_LOGON_SERVERS]

--
Sincerely,
Jose Medeiros
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell
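The secure channel check suggested above, applied to several servers at once, as an added example that is not part of the original thread: the PowerShell below parses nltest /sc_query output and flags servers whose secure channel is broken or points at a DC outside an expected list. The captured output, the server and DC names and the $expectedDcs list are constructed for illustration, and ConvertFrom-ScQuery is a hypothetical helper name.

```powershell
# Constructed sample: `nltest /sc_query:MYDOM /server:<name>` output as it might be
# captured from two member servers (server, domain and DC names are made up).
$captured = @{
    'MYSRV'  = @'
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\dc01.mydom.example
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
'@
    'MYSRV2' = @'
Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully
'@
}

# Assumption: the DCs these servers are expected to use (for example, the DCs in their own site).
$expectedDcs = @('dc01.mydom.example')

function ConvertFrom-ScQuery {
    param([string]$Server, [string]$Text, [string[]]$Expected)
    $dc = $null; $code = $null; $name = $null
    foreach ($line in $Text -split "`r?`n") {
        # "Trusted DC Name \\dc" names the DC holding this machine's secure channel.
        if ($line -match '^\s*Trusted DC Name\s+\\\\(\S+)') { $dc = $Matches[1] }
        # "Status = <decimal> <hex> <symbolic name>" carries the Win32 result code.
        elseif ($line -match 'Status\s*=\s*(\d+)\s+0x[0-9a-fA-F]+\s+(\S+)') {
            $code = [int]$Matches[1]; $name = $Matches[2]
        }
    }
    [pscustomobject]@{
        Server     = $Server
        TrustedDC  = $dc
        StatusCode = $code
        StatusName = $name
        Healthy    = ($code -eq 0)
        ExpectedDC = ($null -ne $dc -and $Expected -contains $dc.ToLower())
    }
}

$captured.GetEnumerator() | Sort-Object Key |
    ForEach-Object { ConvertFrom-ScQuery -Server $_.Key -Text $_.Value -Expected $expectedDcs } |
    Format-Table -AutoSize

# Against live servers, pass the real command output instead of the sample:
#   ConvertFrom-ScQuery -Server 'MYSRV' -Expected $expectedDcs `
#       -Text ((nltest /sc_query:MYDOM /server:MYSRV) -join "`n")
```

The secure channel DC is the one the server's Netlogon service uses for pass-through (NTLM) authentication; it does not show which DC issued a Kerberos ticket.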
RE: [ActiveDir] How to verify which DC authenticated a user account?
Well.. I am not really supposed to list any server names, or mention our OU structure on the list. But, if you're savvy, you can verify my email domain name and figure out where I am having the problem at. :-)

I am thinking this may be a cost issue for our site, and the Oracle servers are going to the wrong DC for authentication!

Thank you so much for the help!

Jose

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, April 13, 2006 5:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to verify which DC authenticated a user account?

You work for an imaginary company? :-)

You can check the secure channel using nltest, as follows:

Nltest /sc_query:domain /server:server_name

e.g.

Nltest /sc_query:MYDOM /server:MYSRV

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, 14 April 2006 11:53 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to verify which DC authenticated a user account?

Greetings,

We seem to be having intermittent authentication errors on several servers that are pulling reports from our SQL Oracle database clusters and the site that I am located in at an imaginary company. I remember using a command in NT 3.51 that told you the PDC or BDC that processed your logon or authenticated you, but forgot it. I tried srvinfo and it only shows you the PDC emulator in the domain. Is there a recommended tool for Active Directory? We don't have USRSTAT, is that it? Is it NETDOM or NLTEST?

Also when I run NETDIAG the following errors appear:

Kerberos test. . . . . . . . . . . : Failed
    [FATAL] Kerberos does not have a ticket for Oracle server name .

LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] Failed to query SPN registration on DC ' **
    [WARNING] Failed to query SPN registration on DC ' ' **
    [WARNING] Failed to query SPN registration on DC ' ' **
    [WARNING] Failed to query SPN registration on DC ' ' **
    [WARNING] Failed to query SPN registration on DC ' ' **

Trust relationship test. . . . . . : Failed
    Secure channel for domain ' USA' is to '\\usa.server.com'.
    [FATAL] Cannot test secure channel for domain 'USA to DC ' server06'.
    [ERROR_NO_LOGON_SERVERS]

--
Sincerely,
Jose Medeiros
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell