RE: [ActiveDir] Kerberos MaxTokenSize and too many groups issues

2006-07-12 Thread Freddy HARTONO



Thanks guys, really helpful, didn't know how bad things can be with those huge groups... like paged pool memory issues.

Thank you and have a splendid day!


Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Wednesday, July 12, 2006 4:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos MaxTokenSize and too many groups issues
Just noticed that we both referred to the same token limitation 
article. It's easy to find when you know what to look for. If you do 
a search in Google for "Token limitation" it's the first item that pops up. 
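The check a directory admin would want after this exchange, as an added example that is not from the thread: estimate each user's Kerberos token size from its transitive group memberships and flag accounts that approach the MaxTokenSize limit. It uses the sizing estimate from Microsoft KB 327825 (1200 + 40d + 8s) and the RSAT ActiveDirectory module; the account names and the 12000-byte limit are assumptions, not values from the original messages.

```powershell
# Added example, not from the list thread: estimate Kerberos token size per user and
# flag accounts that approach MaxTokenSize.
# Estimate taken from Microsoft KB 327825: TokenSize = 1200 + 40*d + 8*s, where
#   d = domain local groups + universal groups from other domains + SID history entries
#   s = global groups + universal groups from the user's own domain
# Assumes the RSAT ActiveDirectory module and a reachable DC; account names are constructed.
param(
    [string[]]$SamAccountName = @('alice', 'svc-backup'),   # constructed sample accounts
    [int]$MaxTokenSize = 12000,                             # assumed configured limit (Windows 2000/2003 default)
    [double]$WarnAt = 0.8                                   # warn when the estimate exceeds 80% of the limit
)
Import-Module ActiveDirectory

function Get-KerberosTokenEstimate {
    param([string]$Sam)
    # tokenGroups is a constructed attribute holding the SIDs of every transitive security group.
    $user = Get-ADUser -Identity $Sam -Properties tokenGroups, sIDHistory
    $homeDomain = $user.SID.AccountDomainSid
    $d = ($user.sIDHistory | Measure-Object).Count   # each SID history entry costs the 40-byte weight
    $s = 0
    foreach ($sid in $user.tokenGroups) {
        $grp = Get-ADGroup -Identity $sid.Value -Properties GroupScope -ErrorAction SilentlyContinue
        if (-not $grp) { $d++; continue }            # unresolvable SID: count it at the larger weight
        switch ($grp.GroupScope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($grp.SID.AccountDomainSid -eq $homeDomain) { $s++ } else { $d++ } }
        }
    }
    $bytes = 1200 + 40 * $d + 8 * $s
    [pscustomobject]@{
        User            = $Sam
        DomainLocalLike = $d
        GlobalLike      = $s
        EstimatedBytes  = $bytes
        PercentOfLimit  = [math]::Round(100 * $bytes / $MaxTokenSize, 1)
        AtRisk          = ($bytes -ge $WarnAt * $MaxTokenSize)
    }
}

$report = foreach ($sam in $SamAccountName) { Get-KerberosTokenEstimate -Sam $sam }
$report | Sort-Object EstimatedBytes -Descending | Format-Table -AutoSize
$report | Where-Object AtRisk | ForEach-Object {
    Write-Warning ("{0}: ~{1} bytes, {2}% of MaxTokenSize ({3}). Trim group nesting or raise " +
                   "MaxTokenSize on clients and servers before logons start failing.") -f
                   $_.User, $_.EstimatedBytes, $_.PercentOfLimit, $MaxTokenSize
}
```

Run it against the accounts that log on to the servers showing the symptoms; the figure is an estimate (it does not model the rest of the PAC), so treat anything over the warning threshold as worth acting on rather than waiting for the exact limit.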



RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

2006-07-12 Thread neil.ruston



So we can defend our security infras using either of 2 
vapourware solutions now :) cool!

Mr Tandon was there before you tho, joe :-^


neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 July 2006 03:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Gotta love that signature Tony... I promise not to disclose 
this information to anyone. 


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, July 11, 2006 9:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [List Owner] OOFs from Steven Comeau


Hi all

I have temporarily suspended Steven Comeau's subscription, which should stop the out of office replies hitting the list.

Tony
This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.

PLEASE READ: The information contained in this email is confidential and

intended for the named recipient(s) only. If you are not an intended

recipient of this email please notify the sender immediately and delete your

copy from your system. You must not copy, distribute or take any further

action in reliance on it. Email is not a secure method of communication and

Nomura International plc ('NIplc') will not, to the extent permitted by law,

accept responsibility or liability for (a) the accuracy or completeness of,

or (b) the presence of any virus, worm or similar malicious or disabling

code in, this message or any attachment(s) to it. If verification of this

email is sought then please request a hard copy. Unless otherwise stated

this email: (1) is not, and should not be treated or relied upon as,

investment research; (2) contains views or opinions that are solely those of

the author and do not necessarily represent those of NIplc; (3) is intended

for informational purposes only and is not a recommendation, solicitation or

offer to buy or sell securities or related financial instruments.  NIplc

does not provide investment services to private customers.  Authorised and

regulated by the Financial Services Authority.  Registered in England

no. 1550505 VAT No. 447 2492 35.  Registered Office: 1 St Martin's-le-Grand,

London, EC1A 4NP.  A member of the Nomura group of companies.





[ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Jeff Green






Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD).

Would this cause replication problems, etc?

Any other gotchas?

Many Thanks,


---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228 f: +44 (0)1895 463098

"I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"



Confidentiality Note: The information contained in this email and document(s) attached are for the exclusive use of the addressee and may contain confidential, privileged and non-disclosable information. If the recipient of this email is not the addressee, such recipient is strictly prohibited from reading, photocopying, distribution or otherwise using this email or its contents in any way.Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail immediately at [EMAIL PROTECTED], if you have received this email in error.Disclaimer: The views, opinions and guidelines contained in this confidential e-mail are those of the originating author and may not be representative of Sapiens (UK) Ltd.


RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Robert Rutherford



No issues, if you...

Go to the TCP/IP settings of the backup network card, click Advanced, go to the DNS tab and untick "register the connection in DNS".

Cheers,

Rob





  
  



Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com













From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers




Re: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread ChuckGaff


There were known issues with NT 4.0 with WINS resolution when WINS packets were lost trying to return through the 2nd NIC using multi-homed DCs. But I've heard that this isn't the case in Windows 2000/2003. Otherwise you are probably OK, but double-check DNS as well per the other email.

Regards,

Chuck


RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread neil.ruston



I'd search around and do some research and testing. A quick Google search uncovered this within seconds...

http://support.microsoft.com/?id=832478

The browser service is notoriously flaky in multi-homed environments, too.


neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers






RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Peter Johnson








You might want to then create entries in
the host file on the backup server so that you guarantee that the backup server
always uses the right network connection.











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: 12 July 2006 12:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers





 








Re: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread ChuckGaff


Looks like SP1 fixes the DNS issue by replacing a few DNS files -- at this point Windows 2003 SP1 should be a minimum. Good find -

Chuck




Re: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Mark Parris
You may want to configure one default gateway on your primary network interface and then configure the other NIC's routing (leave the default gateway blank) in the local routing table, else you can have loads of fun based on metrics and LAN speeds.

Mark
-Original Message-
From: [EMAIL PROTECTED]
Date: Wed, 12 Jul 2006 07:28:01 
To:ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers


RE: [ActiveDir] Moving a Certificate Authority

2006-07-12 Thread Myrick, Todd (NIH/CC/DCRI) [E]








How about a P to V process to move the physical server to a virtual server, then perform the upgrade. When I hear "slow", I assume you are concerned about the hardware. The idea is to keep the original server and just turn it off once you P to V it. Of course you need a virtualization solution and a P2V solution.

Personally I am a fan of rebuilding from scratch and keeping the same name. I haven't done a CA upgrade to 2003, but most Microsoft network services run JET. In my experience with JET services, you can install the new service, stop it, delete the new database, then just copy the older formatted database to the same location, then start the database. When the service initially runs, it will convert the old database to the new format.

From what I read below, I am not sure what the impact would be with the templates and registry settings though.

If this makes no sense it is because I haven't had my coffee.

Todd









From: Kevin Brunson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 12, 2006 12:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority





The other advantage to doing it this way,
now that I think about it, is a little clearer recovery path if everything
blows up. A system state restore on your old ca and an authoritative
restore on AD should (please everyone check me on this) get you back where you
were without having to reload the original un-upgraded OS on your original CA.



Kevin Brunson











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, July 11, 2006 8:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority





Have you thought about putting a new server (or an older one with good hardware) in the mix as 2000, moving the CA to it, and then upgrading it to 2k3? That way you don't have to worry about the hardware not supporting 2003 or something terrible like that. Then if you want you could move it from that 2003 server to another 2003 server, or you could just leave it where it is.

Kevin Brunson











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, July 11, 2006 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority





And will it ever be a slooow 2k3 machine indeed. After continuing to do some reading and researching, it does appear that my only option is to

1) Upgrade the old DC to 2k3
2) Backup the CA and the registry key as stated in the KB298138 article.
3) Remove the CA services, demote server and rename it.
4) Promote a 2k3 server with the same name as the old DC and install the CA services.
5) Restore the CA data and registry key
6) Cross my fingers and hope that I have a CA once again

I'll give this a shot tomorrow. I just wonder what would be my backup plan should the CA restoration fail on the new server? The old server will have been demoted and removed from Active Directory along with the CA services removed, not to mention a new server now has its name.

Thanks for your .02 Steve, it seems to be spot on.

~Ben











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority







You cannot move from
2000 to 2003 as the database has changed. You could upgrade to 2k3 ( this would
be temporary ) and then move to another 2k3 server. I know that you said that
the HW was old - but perhaps a temporary sloow 2k3 machine?











You should keep the hostname the same - if you took the defaults for install (90% of CAs out there) then you have paths in all of your issued certs which hardcode to this server, not to mention the name is also in AD as well as the CA web pages. Unless you have a very good reason - it'd be best to keep it the same. I think that the article doesn't mention moving to a new name, because it would vary from customer to customer and cause more trouble than it's worth.











my .02











steve







----- Original Message -----
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 11, 2006 3:08 PM
Subject: [ActiveDir] Moving a Certificate Authority









As part of my on-going journey into upgrading a 2000 domain to 2003, I've run into the issue of moving the Certificate Authority on one of the original domain controllers to a new Windows 2003 domain controller.

I have found a couple KB articles that seem to put me down a good path, but then don't pan out. Here is the situation

I am at the point in the domain upgrade process where I need to eliminate the Windows 2000 Servers from the domain so I can raise the functional level to 2003 native. However, the CA is currently on such old hardware that an OS upgrade to Windows 2003 from Windows 2000 is simply not possible so it will need to be
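The backup in step 2 of Ben's plan, and the reason behind steve's point about the hostname, worked through as an added PowerShell example that is not part of the thread or of KB298138. It assumes an elevated Windows PowerShell session on the CA host itself; the destination directory is a constructed placeholder, and the CertSvc registry path is the standard one the CA service keeps its configuration under.

```powershell
# Added example, not the thread's or KB298138's own procedure: back up the CA database,
# its key and the CertSvc registry configuration before the old CA is removed, verify the
# backup can be read back, and list which CDP/AIA URLs are bound to this host name.
# Assumes an elevated Windows PowerShell session on the CA host; the destination path is
# a constructed placeholder.
param(
    [string]$BackupDir = 'D:\CABackup'   # assumed destination; choose a volume that survives the demotion
)
$CertSvcKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Backup-CaState {
    param([string]$Dir, [string]$RegKey)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    # certutil -backup writes <CAName>.p12 (CA cert + private key, password protected)
    # and DataBase\<CAName>.edb plus its log files.
    $pw = Read-Host -AsSecureString 'Password to protect the exported CA key'
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
                 [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw))
    & certutil.exe -p $plain -backup $Dir | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed (exit code $LASTEXITCODE)" }
    # The registry configuration (CA name, publication URLs, policy/exit module settings)
    # is the other half of the restore; certutil does not export it.
    & reg.exe export $RegKey (Join-Path $Dir 'CertSvc-Configuration.reg') /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "registry export failed (exit code $LASTEXITCODE)" }
}

function Test-CaBackup {
    # Reports whether every artefact the restore needs is present.
    param([string]$Dir)
    $key = @(Get-ChildItem -Path $Dir -Filter '*.p12' -ErrorAction SilentlyContinue).Count -gt 0
    $db  = @(Get-ChildItem -Path (Join-Path $Dir 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue).Count -gt 0
    $reg = Test-Path (Join-Path $Dir 'CertSvc-Configuration.reg')
    [pscustomobject]@{ KeyAndCert = $key; Database = $db; Registry = $reg; Complete = ($key -and $db -and $reg) }
}

function Get-CaPublicationUrls {
    # Lists the CRL (CDP) and CA certificate (AIA) URLs the CA stamps into every certificate it
    # issues. %1 expands to the CA server's DNS name, so any entry using it is why the host name
    # has to stay the same after the move.
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base).Active
    $ca     = Get-ItemProperty -Path (Join-Path $base $caName)
    $hostPattern = "(%1|$([regex]::Escape($env:COMPUTERNAME)))"
    $entries = @($ca.CRLPublicationURLs) + @($ca.CACertPublicationURLs) | Where-Object { $_ }
    foreach ($entry in @($entries)) {
        $url = $entry -replace '^\d+:', ''      # entries are stored as "<flags>:<url>"
        [pscustomobject]@{ Url = $url; BoundToHostname = [bool]($url -match $hostPattern) }
    }
}

Backup-CaState -Dir $BackupDir -RegKey $CertSvcKey
$check = Test-CaBackup -Dir $BackupDir
$check | Format-List
if (-not $check.Complete) { throw 'Backup incomplete; do not remove the CA role or demote the server yet.' }
Get-CaPublicationUrls | Format-Table -AutoSize
```

Copy the backup directory off the box before step 3; a restore on the new server with the same name is `certutil -restore` plus importing the exported .reg file, and the URL listing tells you exactly which published paths would break if the name changed.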

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Jeff Green



Hi Guys,

Many thanks to all that have responded (and so quickly!)

Points / clarifications / additional Qs

a) DNS multihomed issues

Yes, found that in the MS KB about not "registering this connection in DNS" on the second NIC.

Also leave the gateway / DNS TCP/IP settings blank on the second NIC.

b) Browser issues

Several things in MS KB about this and fixes (including hacking a registry if I remember correctly)

But would Browser issues affect AD operations - I'm talking about replication issues here?

c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3.

Sorry, should have stated this.

d) Backup

Using BackupExec, which allows binding of remote agents to specific NICs

Have I got everything covered - I can't believe this is an unusual configuration?

Many Thanks
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers



RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Robert Rutherford



I've used the same configuration in a number of relatively sizeable sites (2000+ user base) with no issues, as the guys state... just trial it.

Cheers

Rob





  
  



Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 13:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers




Re: [ActiveDir] Kerberos MaxTokenSize and too many groups issues

2006-07-12 Thread Matt Hargraves
Good news is, if you look around on the Exchange team blog site, you'll find articles about Exchange 2007 on 64-bit Windows (it's not going to support a 32-bit OS) and basically the paged pool memory issue goes away completely (lots more room for that stuff when we're talking about 64-bit addressing). Only problem with that is that you have to make sure that your spam filtering and antivirus software will support it. Once you have your antivirus and spam support for Exchange 2007, I honestly can't think of a good reason to stick with Exchange 2000 or 2003 any more.
On 7/12/06, Freddy HARTONO [EMAIL PROTECTED] wrote:









RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

2006-07-12 Thread joe



Neal, you totally misunderstood. I said DO NOT READ 
that worthless blog entry on Defending Security Infrastructures located at http://blog.joeware.net/2006/07/11/445/. 

And then if you read the blog on Defending Security Infrastructures, I asked for you to 
comment to the blog your thoughts on Defending Security 
Infrastructures

This is neither the time 
to discuss Defending Security Infrastructures nor the place to discuss Defending 
Security Infrastructures.

I 
personally haven't fully stepped into the Defending Security Infrastructures 
space yet, though if I did I would probably look to the fine folks at NetPro and 
Quest first to see their ideas on Defending Security Infrastructures, and of 
course I would be obligated to look at Microsoft's Defending Security 
Infrastructures solutions and also as mentioned in one of the blog comments, a 
key portion of the Defending Security Infrastructures solution would be GPOs so 
I would look to GPOGuy for Defending Security Infrastructures products as 
well.

 
joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 12, 2006 3:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau





Re: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Al Mulnick
Personally, I've never used that configuration for a DC. Since being bit in the nt4.0 days (before that really, but hate to show the age :) I've had architectural reasons to not do that. Since AD is made up of a multi-master fabric, I have had no reason at all to require an isolated network dedicated to backups. I get the feeling in your case it's just a nice to have vs. a requirement since you have the hardware and figure why not put it to use. You'd be a rare exception if the size of the dit is large enough to require such a configuration. Saying that, is it possible? Most likely. Will it be difficult when/if you call for support for some other issue to explain to the engineer that you have a multi-homed DC? Most likely. Does it break the "keep it as simple as possible while meeting the requirements?" rule? Most likely.


When you test this, as the others have mentioned, be sure to test the recoverability and the gotchas that come along with bringing up a recovered DC on a multi-homed machine. You'll want to have that documented and thoroughly tested so as not to have to deal with that when under pressure. You may also want to consider an alternative backup method that doesn't require a dedicated network to the DC's.


Just some random thoughts and my $.04 (USD) worth. 

Al
On 7/12/06, Jeff Green [EMAIL PROTECTED] wrote:

Hi Guys,

Many thanks to all that have responded (and so quickly !)

Points / clarifications / additional Qs

a) DNS multihomed issues

Yes, found that in the MS KB about not "registering this connection in DNS" on the second NIC.

Also leave the gateway / DNS TCP/IP settings blank on the second NIC.

b) Browser Issues

Several things in MS KB about this and fixes (including hacking a registry if I remember correctly)

But would Browser issues affect AD operations - I'm talking about replication issues here ?

c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3.

Sorry should have stated this.

d) Backup

Using BackupExec, which allows binding of remote agents to specific NICs

Have I got everything covered - I can't believe this is an unusual configuration ?

Many Thanks



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers



Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD).

Would this cause replication problems, etc ?

Any other "gotchas" ?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228 f: +44 (0)1895 463098
"I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"




RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Robert Rutherford



I guess that is very true... on reflection I was using the separate connection situation on satellite sites, where the DC did have backup exec loaded.. I hear you *gasp*

Cheers





  
  



Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com












Re: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Susan Bradley
Depends on your support engineers... multihomed DCs are quite typical to the SBS CSS engineer :-) The KB in the 2000 era that we had tattooed to our foreheads due to our two nic DCs was this one: http://support.microsoft.com/default.aspx?scid=kb;en-us;292822

RE: [ActiveDir] Rights for Authorizing DHCP Server

2006-07-12 Thread Clay, Justin (ITS)

Thanks for all the responses on this guys!











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, July 11, 2006 2:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Rights for Authorizing DHCP Server





You will need EA rights. The admin needs write access in the Config partition so child domain DA rights will *not* suffice.

It is also possible to delegate the right - grant FC access in:

CN=NetServices,CN=Services,CN=Configuration,DC=xxx,DC=yyy

using adsiedit or similar.

hth,

neil







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: 10 July 2006 19:20
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Rights for Authorizing DHCP Server

I seem to be finding conflicting posts and articles on this subject. Are Enterprise Admin rights required to authorize a DHCP server in a child domain? Can a Domain Admin authorize a DHCP server in his own child domain?



Thanks all!





Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573




 
  
  
  
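The delegation neil describes in this thread (write access under CN=NetServices in the Configuration partition, granted with ADSI Edit instead of handing out Enterprise Admin membership), as an added PowerShell example that is not code from the thread or from Microsoft. It first lists every principal that can write under CN=NetServices, which is worth reviewing periodically because anyone on that list can authorize or deauthorize DHCP servers in every domain of the forest; it then optionally grants Full Control there to a group. It assumes the RSAT ActiveDirectory module is installed; the group name DHCP-Authorizers is a placeholder, and the naming context is read from the forest rather than hard-coded.

```powershell
# Added example (not from the thread): audit and delegate the right to
# authorize DHCP servers. Authorized DHCP servers are recorded as dHCPClass
# objects under CN=NetServices in the Configuration partition, so write access
# there is a forest-wide right regardless of which domain the admin lives in.
# Assumes the RSAT ActiveDirectory module; "DHCP-Authorizers" is a placeholder.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$netServices = "CN=NetServices,CN=Services,$configNC"

# 1. Who can currently write under CN=NetServices? Anything beyond the
#    default Enterprise Admins / SYSTEM entries deserves a second look.
function Get-DhcpAuthorizers {
    param([string]$Path = $netServices)
    $acl = Get-Acl -Path "AD:\$Path"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty|CreateChild')
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
}

# 2. Delegate Full Control on CN=NetServices and everything below it to a
#    group (what neil describes doing with adsiedit), so the group can
#    authorize DHCP servers without being Enterprise Admins.
function Grant-DhcpAuthorizerRights {
    param(
        [Parameter(Mandatory)][string]$GroupName,   # placeholder: 'DHCP-Authorizers'
        [string]$Path = $netServices
    )
    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $acl  = Get-Acl -Path "AD:\$Path"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$Path" -AclObject $acl
}

# 3. The objects the right controls: one dHCPClass object per authorized
#    server, plus DhcpRoot whose dhcpServers attribute lists them all.
function Get-AuthorizedDhcpServers {
    Get-ADObject -SearchBase $netServices -LDAPFilter '(objectClass=dHCPClass)' -Properties dhcpServers |
        Select-Object Name, dhcpServers
}

# Usage: audit first, delegate only if the group is really needed.
Get-DhcpAuthorizers | Format-Table -AutoSize
# Grant-DhcpAuthorizerRights -GroupName 'DHCP-Authorizers'
Get-AuthorizedDhcpServers | Format-Table -AutoSize
```

Run the audit from a forest with at least one authorized DHCP server to see the DhcpRoot entry populated. Because the grant is inherited (`ActiveDirectorySecurityInheritance::All`), the group can also delete existing dHCPClass objects, i.e. deauthorize servers; if you only want to allow new authorizations, scope the rule to CreateChild instead of GenericAll.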


RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Kevin Brunson








The one gotcha I have seen (only once though), was that somehow multihoming a 2000 DC corrupted a couple of registry keys. I think KB 888048 appeared a few days after the 8 hour phone call with MS. Basically the dc no longer had a DNS name. Needless to say that caused problems. But as long as you know which registry keys to change if it goes bad, you should be fine. I have seen a multitude of multihomed domain controllers since with no issues.

Kevin Brunson




















Re: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Al Mulnick
Did you hear me giggle? Are you watching me?

Like I mentioned, keeping any solution as simple as possible will pay dividends later. If the solution requires two networks and a dual-homed DC, I have no qualms about doing that and I understand the amount of complexity that entails. I also accept that complexity by default if I have to go down that road.


Satellite links? Permanent ones? Or mobile? ;-)


Re: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

2006-07-12 Thread Mark Parris

I see there is an opening for a CEO too!

-Original Message-
From: joe [EMAIL PROTECTED]
Date: Wed, 12 Jul 2006 09:26:39 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Neal, you totally misunderstood. I said DO NOT READ that worthless blog entry on Defending Security Infrastructures located at http://blog.joeware.net/2006/07/11/445/.

And then if you read the blog on Defending Security Infrastructures, I asked for you to comment to the blog your thoughts on Defending Security Infrastructures.

This is neither the time to discuss Defending Security Infrastructures nor the place to discuss Defending Security Infrastructures.

I personally haven't fully stepped into the Defending Security Infrastructures space yet, though if I did I would probably look to the fine folks at NetPro and Quest first to see their ideas on Defending Security Infrastructures, and of course I would be obligated to look at Microsoft's Defending Security Infrastructures solutions and also as mentioned in one of the blog comments, a key portion of the Defending Security Infrastructures solution would be GPOs so I would look to GPOGuy for Defending Security Infrastructures products as well.

  joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.
 
 
 


Re: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Paul Williams



Couple of points. Most have probably been covered, or read by you:

- Clearly label the NICs, e.g. LAN00 and BACKUP00.
- Adjust the binding order so that LAN00 is above BACKUP00.
- If you don't require NetBT, disable it on BACKUP00 (BackupExec will most likely not like you if you disable this).
- Forget about the Advanced TCP/IP DNS option "Don't register in DNS". There is a hotfix, and it's supposed to be in SP1, but I'm still seeing A records registered in DNS in my lab when I don't want them in there, so use the necessary registry key DisableDynamicUpdate on the NIC BACKUP00.
- Only have a gateway on LAN00.
- Bind the BackupExec agent to BACKUP00 only.
- If the backup LAN is routed, define persistent routes in the routing table.
- Browser operations won't affect AD. If you have bad entries in DNS, that will cause issues so check DNS.
- OS shouldn't matter. I've implemented multi-homed systems many times in the past, and have been messing around with NLB and LDAP on DCs (in Unicast mode - requires a second NIC) over the last couple of days without any issues. DNS is the main issue. There can be some issues with NetBT/WINS, but I personally wouldn't use LMHOSTS or WINS on the BACKUP00 NIC.

That's a few points based on what I'm doing in the lab. Main thing is to test your configuration. In the last place I worked we used a dedicated backup LAN. No issues worth noting (in other words it worked and I don't remember any issues), and that was a mixed NT 4, 2k and k3 environment.

Dedicated systems management LANs are also a good idea, e.g. iLO, etc.


--Paul


  - Original Message -
  From: Jeff Green
  To: ActiveDir@mail.activedir.org
  Sent: Wednesday, July 12, 2006 1:03 PM
  Subject: RE: [ActiveDir] Multihomed Domain Controllers
  
  Hi Guys,

  Many thanks to all that have responded (and so quickly!)

  Points / clarifications / additional Qs

  a) DNS multihomed issues

  Yes, found that in the MS KB about not "registering this connection in DNS" on the second NIC.

  Also leave the gateway / DNS TCP/IP settings blank on the second NIC.

  b) Browser issues

  Several things in MS KB about this and fixes (including hacking a registry if I remember correctly)

  But would Browser issues affect AD operations - I'm talking about replication issues here?

  c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3.

  Sorry, should have stated this.

  d) Backup

  Using BackupExec, which allows binding of remote agents to specific NICs

  Have I got everything covered - I can't believe this is an unusual configuration?

  Many Thanks

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
  Sent: 12 July 2006 11:43
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Multihomed Domain Controllers
  
  Hi,

  First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

  My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD).

  Would this cause replication problems, etc?

  Any other "gotchas"?

  Many Thanks,
  ---
  Jeff Green
  Network Support Manager
  SAPIENS (UK) Ltd
  t: +44 (0)1895 464228 f: +44 (0)1895 463098
  "I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"

  Confidentiality Note: The information contained in this email and document(s) attached are for the exclusive use of the addressee and may contain confidential, privileged and non-disclosable information. If the recipient of this email is not the addressee, such recipient is strictly prohibited from reading, photocopying, distribution or otherwise using this email or its contents in any way. Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail immediately at [EMAIL PROTECTED], if you have received this email in error. Disclaimer: The views, opinions and guidelines contained in this confidential e-mail are those of the originating author and may not be representative of Sapiens (UK) Ltd.
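As an added example that is not part of the thread: a PowerShell audit that checks a server against Paul's checklist above. It assumes a current Windows release (not the 2000/2003 boxes under discussion), adapter names LAN00 and BACKUP00 following his convention, and the per-interface DisableDynamicUpdate value he refers to; run it elevated.

```powershell
# Added example, not from the original thread. Audits a multihomed server
# against Paul's list: NIC order, single gateway, no DNS registration on the
# backup NIC (GUI setting and DisableDynamicUpdate), NetBT/WINS off on it,
# no backup-LAN address in the host's A records, persistent routes present.
function Test-MultihomedServer {
    param(
        [string]$ProductionNic = 'LAN00',     # assumed names (Paul's convention)
        [string]$BackupNic     = 'BACKUP00'
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    foreach ($name in $ProductionNic, $BackupNic) {
        if (-not (Get-NetAdapter -Name $name -ErrorAction SilentlyContinue)) {
            $findings.Add("Adapter '$name' not found; label the NICs clearly first.")
        }
    }
    if ($findings.Count) { return $findings }

    # 1. Interface order: modern Windows uses the IPv4 interface metric where
    #    the old binding order used to sit; the production NIC should win.
    $prodMetric   = (Get-NetIPInterface -InterfaceAlias $ProductionNic -AddressFamily IPv4).InterfaceMetric
    $backupMetric = (Get-NetIPInterface -InterfaceAlias $BackupNic -AddressFamily IPv4).InterfaceMetric
    if ($prodMetric -ge $backupMetric) {
        $findings.Add("Interface metric: $ProductionNic ($prodMetric) should be lower than $BackupNic ($backupMetric).")
    }

    # 2. Only the production NIC carries a default gateway.
    if ((Get-NetIPConfiguration -InterfaceAlias $BackupNic).IPv4DefaultGateway) {
        $findings.Add("$BackupNic has a default gateway; only $ProductionNic should.")
    }

    # 3. Backup NIC must not register in DNS: check both the client setting
    #    and the per-interface DisableDynamicUpdate registry value.
    if ((Get-DnsClient -InterfaceAlias $BackupNic).RegisterThisConnectionsAddress) {
        $findings.Add("$BackupNic still has 'Register this connection's addresses in DNS' enabled.")
    }
    $guid  = (Get-NetAdapter -Name $BackupNic).InterfaceGuid
    $ifKey = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$guid"
    $disable = (Get-ItemProperty -Path $ifKey -ErrorAction SilentlyContinue).DisableDynamicUpdate
    if ($disable -ne 1) {
        $findings.Add("DisableDynamicUpdate is not set to 1 under $ifKey.")
    }

    # 4. NetBT and WINS off on the backup NIC (TcpipNetbiosOptions 2 = disabled).
    $wmiCfg = Get-CimInstance Win32_NetworkAdapterConfiguration |
        Where-Object { $_.SettingID -eq $guid }
    if ($wmiCfg.TcpipNetbiosOptions -ne 2) {
        $findings.Add("NetBIOS over TCP/IP is not disabled on $BackupNic (TcpipNetbiosOptions=$($wmiCfg.TcpipNetbiosOptions)).")
    }
    if ($wmiCfg.WINSPrimaryServer) {
        $findings.Add("$BackupNic has a WINS server configured ($($wmiCfg.WINSPrimaryServer)).")
    }

    # 5. What DNS actually holds: a backup-LAN address in the host's A records
    #    is the symptom Paul saw in his lab even with the GUI box unticked.
    $backupAddrs = (Get-NetIPAddress -InterfaceAlias $BackupNic -AddressFamily IPv4).IPAddress
    $fqdn = "$env:COMPUTERNAME.$((Get-CimInstance Win32_ComputerSystem).Domain)"
    $aRecords = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'A' } | Select-Object -ExpandProperty IPAddress
    foreach ($ip in $aRecords) {
        if ($backupAddrs -contains $ip) {
            $findings.Add("DNS A record $fqdn -> $ip points at the backup LAN; remove it and stop the registration.")
        }
    }

    # 6. Routed backup LAN: with no gateway on the backup NIC, the far-side
    #    subnets need persistent routes; report when there are none.
    $routes = Get-NetRoute -InterfaceAlias $BackupNic -AddressFamily IPv4 -PolicyStore PersistentStore -ErrorAction SilentlyContinue |
        Where-Object { $_.DestinationPrefix -ne '0.0.0.0/0' }
    if (-not $routes) {
        $findings.Add("No persistent routes on $BackupNic; fine for a flat backup LAN, a gap if it is routed.")
    }

    return $findings
}

$result = Test-MultihomedServer
if ($result.Count -eq 0) { 'No findings: configuration matches the checklist.' }
else { $result | ForEach-Object { "FINDING: $_" } }
```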

Re: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Matt Hargraves
I've never seen a problem with doing this stuff before and there are actually some backup solution providers that recommend using a parallel network for backup data to transmit across. That being said, I think the most important thing for you to make sure that you're *not* doing is testing it out on your FSMO role holder. Do it with a non-GC domain controller first, then move up to a GC and after all of your DCs are working on the parallel network for backups, I'd probably move FSMO roles over to one of them that is working and move the last GC over (then move back the FSMO roles, if you have some old software that's hardcoded to the 'PDC').
On 7/12/06, Kevin Brunson [EMAIL PROTECTED] wrote:
The one gotcha I have seen (only once
though), was that somehow multihoming a 2000 DC corrupted a couple of registry
keys. I think KB 888048 appeared a few days after the 8 hour phone call with
MS. Basically the dc no longer had a DNS name. Needless to say that caused
problems. But as long as you know which registry keys to change if it goes
bad, you should be fine. I have seen a multitude of multihomed domain
controllers since with no issues.

Kevin Brunson
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Green
Sent: Wednesday, July 12, 2006 5:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD).

Would this cause replication problems, etc?

Any other gotchas?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228 f: +44 (0)1895 463098

I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows

RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

2006-07-12 Thread joe
Oh F^%. I apologize in front of everyone for misspelling your name AGAIN, neil. I was so worked up over the topic of Defending Security Infrastructures that everything other than the topic of Defending Security Infrastructures completely slipped through my mind. Of course this would be much easier if you simply changed your first name to Neal then I would be right when I was wrong so when discussing topics such as Defending Security Infrastructures I would not mess up the spelling on your name. Again, I humbly ask your forgiveness[1] and apologize profusely and blame it all on the lack of definition of the term Defending Security Infrastructures[2].


So before I go on too much more about Defending Security Infrastructures and the webpage at http://blog.joeware.net/2006/07/11/445/ which tells you absolutely nothing about Defending Security Infrastructures, I will now close this note on Defending Security Infrastructures.

 
joe


[1] That is serious. No excuse neil, I am quite sorry.
[2] Err so is that, but not as serious as [1] above.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, July 12, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Neal, you totally misunderstood. I said DO NOT READ that worthless blog entry on Defending Security Infrastructures located at http://blog.joeware.net/2006/07/11/445/.

And then if you read the blog on Defending Security Infrastructures, I asked for you to comment to the blog your thoughts on Defending Security Infrastructures.

This is neither the time 
to discuss Defending Security Infrastructures nor the place to discuss Defending 
Security Infrastructures.

I 
personally haven't fully stepped into the Defending Security Infrastructures 
space yet, though if I did I would probably look to the fine folks at NetPro and 
Quest first to see their ideas on Defending Security Infrastructures, and of 
course I would be obligated to look at Microsoft's Defending Security 
Infrastructures solutions and also as mentioned in one of the blog comments, a 
key portion of the Defending Security Infrastructures solution would be GPOs so 
I would look to GPOGuy for Defending Security Infrastructures products as 
well.

 
joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 12, 2006 3:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

So we can defend our security infras using either of 2 
vapourware solutions now :) cool!

Mr Tandon was there before you tho, joe 
:-^


neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 July 2006 03:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Gotta love that signature Tony... I promise not to disclose 
this information to anyone. 


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, July 11, 2006 9:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [List Owner] OOFs from Steven Comeau


Hi all

I have temporarily suspended Steven Comeaus subscription, 
which should stop the out of office replies hitting the list.

Tony
This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.

[ActiveDir] OT: Free Virtual PC

2006-07-12 Thread Mark Parris
If anyone cares,

http://www.microsoft.com/windows/virtualpc/default.mspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
In the year 2006.. I hope we are still not making host file entries on 
servers and workstations  :-)


Peter Johnson wrote:

You might want to then create entries in the host file on the backup 
server so that you guarantee that the backup server always uses the 
right network connection.

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Robert Rutherford
*Sent:* 12 July 2006 12:57
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Multihomed Domain Controllers

No issues, if you...

Go to the TCP/IP settings of the backup network card, click advanced, go to the DNS tab and untick register the connection in DNS.

Cheers,

Rob

*Robert Rutherford*
*QuoStar Solutions Limited*
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
*T:* +44 (0) 8456 440 331
*F:* +44 (0) 8456 440 332
*M:* +44 (0) 7974 249 494
*E: * [EMAIL PROTECTED]
*W: * www.quostar.com

**From:** [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Jeff Green

*Sent:* 12 July 2006 11:43
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD).

Would this cause replication problems, etc?

Any other gotchas?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228 f: +44 (0)1895 463098

I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] Moving a Certificate Authority

2006-07-12 Thread WATSON, BEN
Ah, good point. I haven't dealt with CAs in this regard in the past, and just assumed that CAs had to involve a DC since I couldn't demote the DC until the CA was removed.

I'll certainly make it a point to move the CA to a server that is not a DC when this domain upgrade is complete. Thanks for the heads up.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 7:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

One more point - you don't have to have the CA on a DC - just wanted to make sure you knew this. So, in the future, you don't have to worry about removing\moving the CA in order to upgrade DC's

steve

- Original Message -
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 11, 2006 4:05 PM
Subject: RE: [ActiveDir] Moving a Certificate Authority

And will it ever be a slooow 2k3 machine indeed. After continuing to do some reading and researching, it does appear that my only option is to

1) Upgrade the old DC to 2k3

2) Backup the CA and the registry key as stated in the KB298138 article.

3) Remove the CA services, demote server and rename it.

4) Promote a 2k3 server with the same name as the old DC and install the CA services.

5) Restore the CA data and registry key

6) Cross my fingers and hope that I have a CA once again

I'll give this a shot tomorrow. I just wonder what would be my backup plan should the CA restoration fail on the new server? The old server will have been demoted and removed from Active Directory along with the CA services removed, not to mention a new server now has its name.

Thanks for your .02 Steve, it seems to be spot on.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

You cannot move
from 2000 to 2003 as the database has changed. You could upgrade to 2k3 ( this
would be temporary ) and then move to another 2k3 server. I know that you said
that the HW was old - but perhaps a temporary sloow 2k3 machine?

You should keep the hostname the same - if you took the defaults for install ( 90% of CA's out there ) then you have paths in all of your issued certs which hardcode to this server, not to mention the name is also in AD as well as the CA web pages. Unless you have a very good reason - it'd be best to keep it the same. I think that the article doesn't mention moving to a new name, because it would vary from customer to customer and cause more trouble than it's worth.

my .02

steve

- Original Message -
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 11, 2006 3:08 PM
Subject: [ActiveDir] Moving a Certificate Authority

As part of my on-going journey into upgrading a 2000 domain to 2003, I've run into the issue of moving the Certificate Authority on one of the original domain controllers to a new Windows 2003 domain controller.

I have found a couple KB articles that seem to put me down a good path, but then don't pan out. Here is the situation

I am at the point in the domain upgrade process where I need to eliminate the Windows 2000 Servers from the domain so I can raise the functional level to 2003 native. However, the CA is currently on such old hardware that an OS upgrade to Windows 2003 from Windows 2000 is simply not possible so it will need to be demoted. It was originally a Windows NT 4.0 domain controller back in the day. So I am in a situation where I need to take a Certificate Authority from a Windows 2000 Server, and transfer that over to a Windows 2003 Server.

As stated before, one KB article seemed to be the most promising KB298138. However the instructions seem to be focused on moving a CA from a 2000 server to a 2000 server, or a 2003 server to a 2003 server.

Is anyone familiar with the process of moving a CA from a 2000 DC to a 2003 DC? Also, is there a possibility of moving the CA to a server with a different hostname than the original CA?

Thanks,

~Ben
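As an added example that is not from the thread or from KB298138: a PowerShell version of step 2 of Ben's plan (back up the CA database and key plus the CertSvc\Configuration registry key), together with a check that lists the CDP/AIA URLs in issued certificates that embed the CA host name, which is the reason Steve gives for keeping the name. It assumes a current Windows CA rather than Ben's 2000 box; the backup path, the host name and the certificate store scanned are assumptions.

```powershell
# Added example, not from the original thread. certutil, reg.exe and the
# CertSvc\Configuration key are real; paths and host name are placeholders.
function Backup-CaForMigration {
    param(
        [Parameter(Mandatory)][string]$BackupRoot,          # assumed, e.g. D:\CABackup
        [Parameter(Mandatory)][securestring]$KeyPassword   # protects the exported key
    )
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

    # certutil -backup writes the CA database and log plus the CA certificate
    # and private key (PKCS#12, protected with -p) into the directory.
    $plain = [System.Net.NetworkCredential]::new('', $KeyPassword).Password
    certutil.exe -p $plain -backup $BackupRoot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

    # The registry half of the procedure: CA configuration (templates, CDP/AIA
    # lists, validity periods) lives under CertSvc\Configuration.
    $regFile = Join-Path $BackupRoot 'CertSvc-Configuration.reg'
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

    Get-ChildItem -Path $BackupRoot -Recurse -File
}

function Get-CaHostNameReferences {
    # Lists CRL Distribution Point (2.5.29.31) and Authority Information Access
    # (1.3.6.1.5.5.7.1.1) URLs that name the CA host: every one of these breaks
    # for revocation checking if the server is renamed.
    param(
        [Parameter(Mandatory)][string]$CaHostName,
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumed scope; widen as needed
    )
    $oids = '2.5.29.31', '1.3.6.1.5.5.7.1.1'
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        foreach ($ext in $cert.Extensions | Where-Object { $oids -contains $_.Oid.Value }) {
            # Format($true) renders the extension as text with "URL=..." entries
            # for both HTTP and LDAP publication points.
            $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
                ForEach-Object { $_.Groups[1].Value }
            foreach ($url in $urls) {
                if ($url -match [regex]::Escape($CaHostName)) {
                    [pscustomobject]@{
                        Subject    = $cert.Subject
                        Thumbprint = $cert.Thumbprint
                        Extension  = $ext.Oid.FriendlyName
                        Url        = $url
                    }
                }
            }
        }
    }
}

# Usage with placeholder values:
# $pw = Read-Host -AsSecureString 'Backup password'
# Backup-CaForMigration -BackupRoot 'D:\CABackup' -KeyPassword $pw
# Get-CaHostNameReferences -CaHostName 'oldca' | Format-Table -AutoSize
```

If the second function returns rows, the new server must keep the old host name (or the same URLs must be served from it) or those certificates lose their CRL and issuer paths.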


RE: [ActiveDir] Moving a Certificate Authority

2006-07-12 Thread WATSON, BEN
Excellent idea. I have a couple Vmware GSX servers in our test environment so I think I'll follow your suggestion and create a new 2000 server, try and transfer the CA services to the new 2000 server and then upgrade the box to 2003 if successful.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, July 11, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

The other advantage to doing it this way, now that I think about it, is a little clearer recovery path if everything blows up. A system state restore on your old CA and an authoritative restore on AD should (please everyone check me on this) get you back where you were without having to reload the original un-upgraded OS on your original CA.

Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, July 11, 2006 8:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

Have you thought about putting a new server (or an older one with good hardware) in the mix as 2000, moving the CA to it, and then upgrading it to 2k3? That way you don't have to worry about the hardware not supporting 2003 or something terrible like that. Then if you want you could move it from that 2003 server to another 2003 server, or you could just leave it where it is.

Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, July 11, 2006 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

And will it ever be a slooow 2k3 machine indeed. After continuing to do some reading and researching, it does appear that my only option is to

1) Upgrade the old DC to 2k3

2) Backup the CA and the registry key as stated in the KB298138 article.

3) Remove the CA services, demote server and rename it.

4) Promote a 2k3 server with the same name as the old DC and install the CA services.

5) Restore the CA data and registry key

6) Cross my fingers and hope that I have a CA once again

I'll give this a shot tomorrow. I just wonder what would be my backup plan should the CA restoration fail on the new server? The old server will have been demoted and removed from Active Directory along with the CA services removed, not to mention a new server now has its name.

Thanks for your .02 Steve, it seems to be spot on.

~Ben


RE: [ActiveDir] OT: Free Virtual PC

2006-07-12 Thread WATSON, BEN
Thanks for the heads up on this.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, July 12, 2006 8:22 AM
To: ActiveDir.org
Subject: [ActiveDir] OT: Free Virtual PC

If anyone cares,

http://www.microsoft.com/windows/virtualpc/default.mspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

2006-07-12 Thread Mark Parris
I can see a TV Show emerging here, DSI (Las Vegas). If he was still alive Herve Villechaize could have played the lead; he used to be on Fantasy Island (Tattoo) and the man with the Golden Gun (Nick Nack).

From: "joe" [EMAIL PROTECTED]
Sent: 12 July 2006 16:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Kurt Falde
So how many DCs do you have? What is your DIT size like to warrant going through all this trouble? Are there other applications that you need to back up on the DCs that are requiring full backups of all your DCs? With most environments, getting the system state from a DC/GC in each domain should be enough to allow you to do whatever authoritative restores you need. Now if you have other apps that you need to do large data backups of then this may be required. Yes, you can do multiple NICs on DCs and quite a few organizations do, however it definitely would not fall under best practices for Domain Controllers.

Kurt Falde
Premier Field Engineer
Northeast Region
Microsoft Corporation

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on 
servers and workstations  :-)

Peter Johnson wrote:

 You might want to then create entries in the host file on the backup 
 server so that you guarantee that the backup server always uses the 
 right network connection.

 *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Robert Rutherford
 *Sent:* 12 July 2006 12:57
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Multihomed Domain Controllers

 No issues, if you...

 Go to the TCP/IP settings of the backup network card, click advanced, go to the DNS tab and untick register the connection in DNS.

 Cheers,

 Rob

 *Robert Rutherford*
 *QuoStar Solutions Limited*
 The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
 *T:* +44 (0) 8456 440 331
 *F:* +44 (0) 8456 440 332
 *M:* +44 (0) 7974 249 494
 *E: * [EMAIL PROTECTED]
 *W: * www.quostar.com

 **From:** [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Jeff Green
 *Sent:* 12 July 2006 11:43
 *To:* ActiveDir@mail.activedir.org
 *Subject:* [ActiveDir] Multihomed Domain Controllers

 Hi,

 First posting to this list but I've lurked quite a while and I've 
 been very impressed by the quality of replies by the gurus.

 My question is regarding the advisability of having multihomed DCs. 
 Basically I want to run backups over a separate GbE and as my servers 
 have dual inbuilt NICs this seems an obvious route to take. I know 
 there are some issues with DNS (I have a DNS integrated AD).

 Would this cause replication problems, etc ?

 Any other gotchas ?

 Many Thanks,

 ---
 Jeff Green
 Network Support Manager
 SAPIENS (UK) Ltd
 t: +44 (0)1895 464228 f: +44 (0)1895 463098

 "I dream of hover cars and old transistor radios ... She dreams of 
 flowers in a field of sunny bungalows"

 Confidentiality Note: The information contained in this email and 
 document(s) attached are for the exclusive use of the addressee and 
 may contain confidential, privileged and non-disclosable information. 
 If the recipient of this email is not the addressee, such recipient is 
 strictly prohibited from reading, photocopying, distribution or 
 otherwise using this email or its contents in any way.

 Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail 
 immediately at [EMAIL PROTECTED], if you have received this 
 email in error.

 Disclaimer: The views, opinions and guidelines contained in this 
 confidential e-mail are those of the originating author and may not be 
 representative of Sapiens (UK) Ltd.


-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
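Rob Rutherford's advice quoted above (untick DNS registration on the backup NIC) and Jeff's DNS worry both come down to one question: which addresses has the DC actually published in DNS? The following PowerShell is an added example, not from anyone in the thread, and it targets a current Windows Server (2012 or later, with the DnsClient, NetTCPIP and DnsServer modules) rather than the 2003-era boxes being discussed. It assumes it runs elevated on the DC itself and that the backup-network adapter's alias is 'Backup' (an assumed name; check Get-NetAdapter). The RegisterDnsARecords value it reads is the Netlogon setting that controls registration of the domain's own A record.

```powershell
# Added example (not from the thread): audit which addresses a multihomed DC publishes in DNS,
# then stop the backup NIC from registering. Assumes Windows Server 2012 or later, run elevated
# on the DC, and a backup-network adapter whose alias is 'Backup' (assumed; adjust to match
# Get-NetAdapter output).
$BackupAlias = 'Backup'
$Domain      = (Get-CimInstance Win32_ComputerSystem).Domain
$DcFqdn      = "$env:COMPUTERNAME.$Domain"

# 1. Adapters that will register their addresses with dynamic DNS.
foreach ($c in Get-DnsClient | Where-Object RegisterThisConnectionsAddress) {
    $ips = (Get-NetIPAddress -InterfaceIndex $c.InterfaceIndex -AddressFamily IPv4).IPAddress
    '{0,-20} registers {1}' -f $c.InterfaceAlias, ($ips -join ', ')
}

# 2. Netlogon registers the domain's own A record from every local address, independently of the
#    per-adapter checkbox, unless RegisterDnsARecords is 0. Report the setting, do not change it here.
$nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
'Netlogon RegisterDnsARecords = {0}' -f $(if ($null -eq $nl.RegisterDnsARecords) { '1 (default)' } else { $nl.RegisterDnsARecords })

# 3. Compare what DNS actually holds (host record and domain apex record) against the backup NIC.
$backupIps = @((Get-NetIPAddress -InterfaceAlias $BackupAlias -AddressFamily IPv4).IPAddress)
$published = @(Resolve-DnsName -Name $DcFqdn -Type A -ErrorAction Stop | Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress) +
             @(Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop | Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress)
$leaked = @($published | Where-Object { $backupIps -contains $_ } | Sort-Object -Unique)
if ($leaked.Count) { Write-Warning "Backup-network addresses are published in DNS: $($leaked -join ', ')" }

# 4. Remediate: stop the backup NIC from registering, purge the stale records from the AD-integrated
#    zone (this DC is assumed to also be a DNS server), and re-register the remaining adapters
#    (same effect as ipconfig /registerdns).
Set-DnsClient -InterfaceAlias $BackupAlias -RegisterThisConnectionsAddress $false
foreach ($ip in $leaked) {
    Remove-DnsServerResourceRecord -ZoneName $Domain -RRType A -Name $env:COMPUTERNAME -RecordData $ip -Force -ErrorAction SilentlyContinue
    Remove-DnsServerResourceRecord -ZoneName $Domain -RRType A -Name '@' -RecordData $ip -Force -ErrorAction SilentlyContinue
}
Register-DnsClient
```

Step 4 is only durable for the host record; if step 2 reports RegisterDnsARecords as 1, Netlogon re-adds the domain apex record from every local address on its next refresh, which is exactly the gotcha that makes a multihomed DC more than a checkbox exercise.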


RE: [ActiveDir] Moving a Certificate Authority

2006-07-12 Thread Kurt Falde

http://technet2.microsoft.com/WindowsServer/en/Library/c3f67fb4-a1ae-43ed-b30e-fe1b183a553d1033.mspx

Important: For security reasons, a CA should always run on a separate computer. Do not install an online CA on a domain controller, even if it is technically possible.

Just a little extra backup on the installations of CAs on DCs from the PKI Best Practices whitepaper.

Kurt Falde
Premier Field Engineer
Northeast Region
Microsoft Corporation

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, July 12, 2006 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

Ah, good point. I haven't dealt with CAs in this regard in the past, and just assumed that CAs had to involve a DC since I couldn't demote the DC until the CA was removed.

I'll certainly make it a point to move the CA to a server that is not a DC when this domain upgrade is complete. Thanks for the heads up.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 7:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

One more point - you don't have to have the CA on a DC, just wanted to make sure you knew this. So, in the future, you don't have to worry about removing\moving the CA in order to upgrade DC's.

steve

- Original Message - 
From: WATSON, BEN 
To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 11, 2006 4:05 PM
Subject: RE: [ActiveDir] Moving a Certificate Authority

And will it ever be a slooow 2k3 machine indeed. After continuing to do some reading and researching, it does appear that my only option is to

1) Upgrade the old DC to 2k3

2) Backup the CA and the registry key as stated in the KB298138 article.

3) Remove the CA services, demote server and rename it.

4) Promote a 2k3 server with the same name as the old DC and install the CA services.

5) Restore the CA data and registry key

6) Cross my fingers and hope that I have a CA once again

I'll give this a shot tomorrow. I just wonder what would be my backup plan should the CA restoration fail on the new server? The old server will have been demoted and removed from Active Directory along with the CA services removed, not to mention a new server now has its name.

Thanks for your .02 Steve, it seems to be spot on.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

You cannot move from 2000 to 2003 as the database has changed. You could upgrade to 2k3 ( this would be temporary ) and then move to another 2k3 server. I know that you said that the HW was old - but perhaps a temporary sloow 2k3 machine?

You should keep the hostname the same - if you took the defaults for install ( 90% of CA's out there ) then you have paths in all of your issued certs which hardcode to this server, not to mention the name is also in AD as well as the CA web pages. Unless you have a very good reason - it'd be best to keep it the same. I think that the article doesn't mention moving to a new name, because it would vary from customer to customer and cause more trouble than it's worth.

my .02

steve

- Original Message - 
From: WATSON, BEN 
To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 11, 2006 3:08 PM
Subject: [ActiveDir] Moving a Certificate Authority

As part of my on-going journey into upgrading a 2000 domain to 2003, I've run into the issue of moving the Certificate Authority on one of the original domain controllers to a new Windows 2003 domain controller.

I have found a couple KB articles that seem to put me down a good path, but then don't pan out. Here is the situation

I am at the point in the domain upgrade process where I need to eliminate the Windows 2000 Servers from the domain so I can raise the functional level to 2003 native. However, the CA is currently on such old hardware that an OS upgrade to Windows 2003 from Windows 2000 is simply not possible so it will need to be demoted. It was originally a Windows NT 4.0 domain controller back in the day. So I am in a situation where I need to take a Certificate Authority from a Windows 2000 Server, and transfer that over to a Windows 2003 Server.

As stated before, one KB article seemed to be the most promising KB298138. However the instructions seem to be focused on moving a CA from a 2000 server to a 2000 server, or a 2003 server to a 2003 server.

Is anyone familiar with the process of moving a CA from a 2000 DC to a 2003 DC? Also, is there a possibility of moving the CA to a server with a different hostname than the 

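Two points in the thread above deserve a check before anyone runs Ben's six steps: steve's remark that the default install bakes the CA's hostname into the CRL and AIA paths of every issued certificate, and step 2's backup of the CA plus the registry key from KB298138. The PowerShell below is an added example, not from the thread or from the KB article. It assumes it runs elevated on the existing CA, that $BackupDir and $IssuedCertDir are constructed paths (the latter holding issued certificates exported as .cer files), and that the CA's hostname is the local computer name.

```powershell
# Added example (not from the thread or KB298138): pre-flight for moving a CA to a new machine of
# the same name. Assumes an elevated session on the existing CA; $BackupDir and $IssuedCertDir are
# constructed paths, and the CA hostname is assumed to be the local computer name.
$BackupDir     = 'D:\CA-Move\backup'   # assumed; use a fresh directory per run
$IssuedCertDir = 'D:\CA-Move\issued'   # assumed; issued certs exported as .cer files
$CaHost        = $env:COMPUTERNAME.ToLower()
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Back up the CA database and key (certutil prompts for a password to protect the key) and export
#    the CertSvc\Configuration registry key that KB298138 restores alongside the database.
certutil -backup $BackupDir
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration (Join-Path $BackupDir 'CertSvc-Configuration.reg') /y

# 2. Record the configured CRL (CDP) and CA certificate (AIA) publication URLs. Any entry naming the
#    host is copied into every certificate this CA issues, which is why the hostname should not change.
certutil -getreg CA\CRLPublicationURLs    | Out-File (Join-Path $BackupDir 'CRLPublicationURLs.txt')
certutil -getreg CA\CACertPublicationURLs | Out-File (Join-Path $BackupDir 'CACertPublicationURLs.txt')

# 3. Read the hostnames that certificates actually send clients to, from their CDP (2.5.29.31) and
#    AIA (1.3.6.1.5.5.7.1.1) extensions. ldap:/// URLs have no host and are skipped on purpose.
function Get-CertUrlHosts([string]$Path) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
            foreach ($m in [regex]::Matches($ext.Format($true), '(?i)\b(?:https?|ldap)://([^/:\s]+)')) {
                $m.Groups[1].Value.ToLower()
            }
        }
    }
}

# 4. Run it over the CA's own certificate and every exported issued certificate, flagging the ones
#    whose revocation or chain-building URLs depend on the old name.
$caCert = Join-Path $BackupDir 'ca.cer'
certutil -ca.cert $caCert | Out-Null
$files = @(Get-Item $caCert) + @(Get-ChildItem -Path $IssuedCertDir -Filter *.cer -ErrorAction SilentlyContinue)
foreach ($f in $files) {
    $hosts = @(Get-CertUrlHosts $f.FullName | Sort-Object -Unique)
    $dependsOnHost = @($hosts | Where-Object { $_ -eq $CaHost -or $_ -like "$CaHost.*" })
    '{0,-40} {1,-16} {2}' -f $f.Name, $(if ($dependsOnHost.Count) { 'NAMES THIS HOST' } else { 'ok' }), ($hosts -join ' ')
}
```

certutil -backup refuses a directory that already holds a backup, so start each run with a fresh $BackupDir. A certificate marked NAMES THIS HOST stops validating (revocation checks fail, chains may not build) the moment that name no longer answers, which is the concrete reason behind keeping the hostname and behind Ben's worry about a failed restore on the renamed server.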
RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread joe
But I hope we still have the option of doing so...  I use the hosts file on
a regular basis to redirect the localhost name to the machine's IP instead
of to 127.blah and then stick in route statements so all locally directed
traffic bounces out to a router and back so I can look at the network traces
of the traffic. 

  joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
Do not read this worthless blog entry on Defending Security Infrastructures
- http://blog.joeware.net/2006/07/11/445/ ---  I'm serious, you will learn
absolutely nothing about Defending Security Infrastructures. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on 
servers and workstations  :-)



RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

2006-07-12 Thread neil.ruston



LOL. It's a refreshing change to see my (simple?) first 
name spelt wrongly, rather than my last name.

:)
I sense some angst against a certain Mr Tandon... 
???

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 July 2006 15:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Oh F^%. I apologize in front of everyone for 
misspelling your name AGAIN, neil. I was so worked up over the topic of Defending 
Security Infrastructures that everything other than the topic of Defending 
Security Infrastructures completely slipped through my mind. Of course this 
would be much easier if you simply changed your first name to Neal then I would 
be right when I was wrong so when discussing topics such as Defending Security 
Infrastructures I would not mess up the spelling on your name. Again, I humbly 
ask your forgiveness[1] and apologize profusely and blame it all on the lack of 
definition of the term Defending Security Infrastructures[2]. 


So before I go on too much more about Defending Security 
Infrastructures and the webpage at http://blog.joeware.net/2006/07/11/445/ which tells you absolutely nothing about Defending 
Security Infrastructures, I will now close this note on Defending Security 
Infrastructures.

 
joe


[1] 
That is serious. No excuse neil, I am quite sorry.
[2] 
Err so is that, but not as serious as [1] above.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely 
nothing about Defending Security Infrastructures. 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, July 12, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Neal, you totally misunderstood. I said DO NOT READ 
that worthless blog entry on Defending Security Infrastructures located at http://blog.joeware.net/2006/07/11/445/. 

And then if you read the blog on Defending Security Infrastructures, I asked for you to 
comment to the blog your thoughts on Defending Security 
Infrastructures

This is neither the time 
to discuss Defending Security Infrastructures nor the place to discuss Defending 
Security Infrastructures.

I 
personally haven't fully stepped into the Defending Security Infrastructures 
space yet, though if I did I would probably look to the fine folks at NetPro and 
Quest first to see their ideas on Defending Security Infrastructures, and of 
course I would be obligated to look at Microsoft's Defending Security 
Infrastructures solutions and also as mentioned in one of the blog comments, a 
key portion of the Defending Security Infrastructures solution would be GPOs so 
I would look to GPOGuy for Defending Security Infrastructures products as 
well.

 
joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely 
nothing about Defending Security Infrastructures. 




RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Deji Akomolafe



Susan,

there are still valid reasons for using hosts file even in an enterprise. I believe that we went through this a couple of months ago.

NB: Not to encourage joe or anything like that. I just need to point out that my statement above may be interpreted to imply that hosts files have a role to play in the whole big "Defending Security Infrastructure" realm; for example, if your "Defending Security Infrastructure" service delivery plans do NOT include a robust "split-brain" DNS infrastructure. Of course, a "Defending Security Infrastructure" plan that does not include that is not worth the name "Defending Security Infrastructure plan" at all and does not belong in the "Defending Security Infrastructure" big black ops book.

Now I crawl back into my heavily-defended "Defending Security Infrastructure" bunker - or castle - or cave.

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wed 7/12/2006 8:40 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers
In the year 2006.. I hope we are still not making host file entries on 
servers and workstations  :-)




[ActiveDir] Rights needed to Rename Computer Object

2006-07-12 Thread Clay, Justin \(ITS\)








What rights are needed to delegate authority for people to rename computers that are joined to a domain? I know if I give Full Control of computer objects they of course can, but I'd like to limit the authority they have. I've so far tried:

From running a comparison of before and after a rename, it looks like it needs the following:

Write Computer name (pre-Windows 2000)
Write displayName
Write distinguishedName
Write dNSHostName
Write Name
Write pwdLastSet
Create/Delete servicePrincipalName

Does that sound correct? I want to make sure I delegate enough authority for them to rename computers, but not enough to do anything else.

Thanks,

Justin Clay
ITS Enterprise Services 
Metropolitan Government of Nashville and Davidson County 
Howard School Building 
Phone: (615) 880-2573

ITS ENTERPRISE SERVICES EMAIL NOTICE

The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
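The attribute list in the question is a hypothesis from a before/after diff, and the least-privilege way to settle it is to grant exactly those writes to a test group on a test OU and try a rename as a member. The PowerShell below is an added example, not from the thread; it assumes the RSAT ActiveDirectory module and an account allowed to edit the OU's ACL, and the OU distinguished name and group name are constructed. It maps "Computer name (pre-Windows 2000)" to sAMAccountName and "Create/Delete servicePrincipalName" to a write of servicePrincipalName, both assumptions about the posted list; whether the list is sufficient is what the test shows.

```powershell
# Added example (not from the thread): grant a test group WriteProperty on only the attributes the
# question lists, inherited by computer objects below one OU, so the delegation can be tried with a
# rename before it is rolled out. Assumes the RSAT ActiveDirectory module; the OU DN and group name
# are constructed. sAMAccountName stands in for "Computer name (pre-Windows 2000)" and a write of
# servicePrincipalName for "Create/Delete servicePrincipalName" (both assumptions).
Import-Module ActiveDirectory
$TargetOu = 'OU=Workstations,DC=example,DC=com'   # assumed test OU
$Group    = 'Computer-Renamers'                     # assumed test group
$Attrs    = 'sAMAccountName', 'displayName', 'distinguishedName', 'dNSHostName',
            'name', 'pwdLastSet', 'servicePrincipalName'

$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    # schemaIDGUID is what an object-specific ACE uses to name an attribute or a class
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "No schema object named $LdapDisplayName" }
    [guid]$obj.schemaIDGUID
}
$computerClass = Get-SchemaGuid 'computer'
$sid = (Get-ADGroup $Group).SID
$acl = Get-Acl -Path "AD:\$TargetOu"
foreach ($a in $Attrs) {
    # One ACE per attribute: Allow WriteProperty on that attribute only, applied to descendant
    # computer objects only (not to users, groups or the OU itself).
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $a),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerClass)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$TargetOu" -AclObject $acl

# Verify what was granted: one WriteProperty ACE per attribute, each limited to computer objects.
(Get-Acl -Path "AD:\$TargetOu").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$Group" -and -not $_.IsInherited } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

If the rename fails with the group's membership, add one attribute at a time and re-test; if it succeeds, remove attributes one at a time to find the minimal set. pwdLastSet is the one to watch on a computer object, since writing it affects the machine account's password state rather than its name.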


RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Kevin Brunson
I have definitely found the hosts file to be useful on servers to keep
them from EVER getting to spyware sites.  This guy has a great list :
http://pgl.yoyo.org/adservers/serverlist.php?showintro=0&hostformat=hosts

Just cut and paste into the hosts file and you are good to go.  I
scripted it for all of the servers I deal with.  But I guess this is
getting pretty far OT: :)
Kevin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on 
servers and workstations  :-)

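Kevin's approach above is a hosts-format blocklist pushed to every server by script. The one thing a script should add to "cut and paste" is validation: a list fetched from a third party is written straight into the server's name resolution, so a malformed or tampered line could just as easily redirect a real name to an attacker's address as sink-hole an ad server. The PowerShell below is an added example, not Kevin's script; it assumes the list has already been downloaded to $ListFile (a constructed path), runs elevated, and keeps its entries between marker lines so that re-running it replaces rather than duplicates them.

```powershell
# Added example (not Kevin's script): merge a downloaded hosts-format blocklist into the hosts file
# idempotently, accepting only sink-hole entries. Assumes an elevated session and that the list is
# already saved at $ListFile (constructed path), one "127.0.0.1 name" or "0.0.0.0 name" per line.
$ListFile  = 'C:\Temp\blocklist.txt'    # assumed location of the downloaded list
$HostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Begin = '# BEGIN managed-blocklist'
$End   = '# END managed-blocklist'

# Accept only loopback/unspecified targets and syntactically valid multi-label hostnames; everything
# else (real addresses, odd characters, single-label names such as localhost) is rejected and reported.
$allowedIps = '127.0.0.1', '0.0.0.0'
$hostRe = '^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$'
$good = New-Object System.Collections.Generic.List[string]
$bad  = New-Object System.Collections.Generic.List[string]
foreach ($line in Get-Content $ListFile) {
    $t = ($line -replace '#.*$').Trim()          # strip comments and surrounding whitespace
    if (-not $t) { continue }
    $parts = $t -split '\s+'
    if ($parts.Count -eq 2 -and $allowedIps -contains $parts[0] -and $parts[1].ToLower() -match $hostRe) {
        $good.Add("$($parts[0]) $($parts[1].ToLower())")
    } else {
        $bad.Add($line)
    }
}
$good = @($good | Sort-Object -Unique)
if ($bad.Count) { Write-Warning "Rejected $($bad.Count) line(s), for example: $($bad[0])" }

# Rebuild the file: keep everything outside the managed section, then write the fresh section.
$current = if (Test-Path $HostsFile) { @(Get-Content $HostsFile) } else { @() }
$keep = New-Object System.Collections.Generic.List[string]
$inside = $false
foreach ($l in $current) {
    if ($l -eq $Begin) { $inside = $true;  continue }
    if ($l -eq $End)   { $inside = $false; continue }
    if (-not $inside)  { $keep.Add($l) }
}
$out = @($keep) + @($Begin) + @($good) + @($End)
Set-Content -Path $HostsFile -Value $out -Encoding ASCII
"$($good.Count) blocklist entries written to $HostsFile"
```

Because the managed section is bounded by markers, hand-added entries above or below it survive every run, and the rejected-line count is the signal that the upstream list changed shape or picked up something it should not contain.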


[ActiveDir] Acquisition of 2003 Forest - options experiences

2006-07-12 Thread Danny

A company with an independent 2003 Forest has been acquired.  They
have Exchange 2003 and a Citrix server.  We have a similar
configuration minus Citrix.  The goal is obviously to migrate key AD
objects, mailboxes, and servers into our 2003 forest.

I understand that ADMT is often the right tool for the job, but I
would greatly appreciate hearing your personal experiences and any
caveats that you may have run into.  And is it the only tool you need?

I am off to read some MS docs on the topic and specifically ADMT.
Hopefully I am able to contribute back to the list.

Thanks,

...D


[ActiveDir] Planning for the future

2006-07-12 Thread Larry Wahlers
Esteemed colleagues,

We have a radio station that is currently part of our denomination that
we want to finally put on our network. They are located about 20 miles
from our headquarters. However, there has been talk for many, many years
about selling off this radio station, but that hasn't come to pass yet.

My question is, if we put them in their own domain in our existing
forest, would that make it easier to get them into their own forest if
they should some day no longer be a part of us? If not, what's the best
way to plan for a possible future in which these 30 people might no
longer be working for us?

Many thanks in advance.

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876


RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Rocky Habeeb



Could someone please tell me 
what all this "Defending Security Infrastructure" stuff is about? Even 
though joe said "Do not read about "Defending Security Infrastructure"" on his 
blog, I went there and read all about what he wrote about "Defending Security 
Infrastructure" because I literally hang off every word joe writes, and he wrote 
about "Defending Security Infrastructure" and I wanted to know what his thoughts 
were on "Defending Security Infrastructure". But interestingly enough, joe 
didn't have much to say about "Defending Security Infrastructure" so I queried 
other avenues on "Defending Security Infrastructure" and there sure is a lot on 
the subject of "Defending Security Infrastructure" but I couldn't really distill 
it. So now I'm going to have to keep watching the joedog blog on "Defending 
Security Infrastructure", because if joe talks about "Defending Security 
Infrastructure", then "Defending Security Infrastructure" is probably pretty 
important.

_

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: 12 July, 2006 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers
  

RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

2006-07-12 Thread joe



No angst here. I think Sanjay is fine. I think he 
has ideas that are a bit off though. From the recent influx of notes in my 
inbox I don't appear to be completely isolated in these thoughts. I intend to 
blog something on the topic in the next week or so as I properly put into words 
my thoughts and comments on the topic of updating one of my blog posts from one 
year ago. In the meanwhile, anyone who has received a visit to their corporation 
from said individual, I would be interested to hear what the value of the 
visit was and the thoughts on what was discussed. Any humourous stories I would 
also love to hear as I have already heard some doozies already in addition to my 
own that I experienced personally.

In the meanwhile, I want to become the undisputed 
search engine lead on the markitecture of Defending Security Infrastructures 
because Defending Security Infrastructures is extremely important, I think, 
and having the top hits on the topic of Defending Security Infrastructures 
certainly says something about Defending Security Infrastructures. Whatever that 
is, I am not entirely sure, but it does comprise what we know about Defending 
Security Infrastructures. Thanks to all who have posted their comments on the 
topic of Defending Security Infrastructures at my worthless blog entry on the 
topic of Defending Security Infrastructures at http://blog.joeware.net/2006/07/11/445/.

:o)

 joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

Do not read this worthless blog entry on Defending Security Infrastructures - 
http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely 
nothing about Defending Security Infrastructures. 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 12, 2006 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

LOL. It's a refreshing change to see my (simple?) first 
name spelt wrongly, rather than my last name.

:)
I sense some angst against a certain Mr Tandon... 
???



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 July 2006 15:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Oh F^%. I apologize in front of everyone for 
misspelling your name AGAIN, neil. I was so worked up over the topic of Defending 
Security Infrastructures that everything other than the topic of Defending 
Security Infrastructures completely slipped through my mind. Of course this 
would be much easier if you simply changed your first name to Neal then I would 
be right when I was wrong so when discussing topics such as Defending Security 
Infrastructures I would not mess up the spelling on your name. Again, I humbly 
ask your forgiveness[1] and apologize profusely and blame it all on the lack of 
definition of the term Defending Security Infrastructures[2]. 


So before I go on too much more about Defending Security 
Infrastructures and the webpage at http://blog.joeware.net/2006/07/11/445/ which tells you absolutely nothing about Defending 
Security Infrastructures, I will now close this note on Defending Security 
Infrastructures.

 
joe


[1] 
That is serious. No excuse neil, I am quite sorry.
[2] 
Err so is that, but not as serious as [1] above.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

Do not read this worthless blog entry on Defending Security Infrastructures - 
http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely 
nothing about Defending Security Infrastructures. 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, July 12, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Neal, you totally misunderstood. I said DO NOT READ 
that worthless blog entry on Defending Security Infrastructures located at http://blog.joeware.net/2006/07/11/445/. 

And then if you read the blog on Defending Security Infrastructures, I asked for you to 
comment to the blog your thoughts on Defending Security 
Infrastructures.

This is neither the time 
to discuss Defending Security Infrastructures nor the place to discuss Defending 
Security Infrastructures.

I 
personally haven't fully stepped into the Defending Security Infrastructures 
space yet, though if I did I would probably look to the fine folks at NetPro and 
Quest first to see their ideas on Defending Security Infrastructures, and of 
course I would be obligated to look at Microsoft's Defending Security 
Infrastructures solutions and also as mentioned in one of the blog comments, a 
key portion of the Defending Security Infrastructures solution would be GPOs so 
I would look to GPOGuy for Defending Security Infrastructures products as 
well.

 
joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

Do 

Re: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

You surf on your servers?

My servers go to WU/MU...and maybe to Joe's blog for information on 
Defending Security Infrastructure.. in fact they regularly hang out on 
Joe's blog for all the information I need to know on Defending 
Security Infrastructure.. in fact 
http://blog.joeware.net/2006/07/11/445/ that link is the home page so 
that I'm constantly reminded about Defending Security Infrastructure 
..but other than that... they don't have antispyware because they don't 
go anywhere to get spyware and the Enhanced IE is still on there.




Kevin Brunson wrote:


I have definitely found the hosts file to be useful on servers to keep
them from EVER getting to spyware sites.  This guy has a great list :
http://pgl.yoyo.org/adservers/serverlist.php?showintro=0&hostformat=hosts

Just cut and paste into the hosts file and you are good to go.  I
scripted it for all of the servers I deal with.  But I guess this is
getting pretty far OT: :)
Kevin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on 
servers and workstations  :-)


Peter Johnson wrote:

You might want to then create entries in the host file on the backup 
server so that you guarantee that the backup server always uses the 
right network connection.


*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Robert 
Rutherford
*Sent:* 12 July 2006 12:57
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Multihomed Domain Controllers

No issues, if you...

Go to the TCP/IP settings of the backup network card, click advanced, 
go to the DNS tab and untick register the connection in DNS.

Cheers,

Rob

*Robert Rutherford*
*QuoStar Solutions Limited*
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
*T:* +44 (0) 8456 440 331
*F:* +44 (0) 8456 440 332
*M:* +44 (0) 7974 249 494
*E:* [EMAIL PROTECTED]
*W:* www.quostar.com

**From:** [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Jeff Green

*Sent:* 12 July 2006 11:43
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've
been very impressed by
the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. 
Basically I want
to run backups over a separate GbE and as my servers have dual inbuilt
NICs this
seems an obvious route to take. I know there are some issues with DNS 
(I have
a DNS integrated AD).

Would this cause replication problems, etc ?

Any other gotchas ?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228 f: +44 (0)1895 463098

I dream of hover cars and old transistor radios ... She dreams of 
flowers in a field of sunny bungalows

Confidentiality Note: The information contained in this email and 
document(s) attached are for the exclusive use of the addressee and 
may contain confidential, privileged and non-disclosable information. 
If the recipient of this email is not the addressee, such recipient is
strictly prohibited from reading, photocopying, distribution or 
otherwise using this email or its contents in any way.

Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail 
immediately at [EMAIL PROTECTED], if you have received this
email in error.

Disclaimer: The views, opinions and guidelines contained in this 
confidential e-mail are those of the originating author and may not be
representative of Sapiens (UK) Ltd.

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
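Kevin's approach above (a hosts-format blocklist pasted into every server's hosts file, scripted) is worth doing carefully, because a hosts entry overrides DNS for everything on the box. The following is an added example, not Kevin's script and not the yoyo.org list; the blocklist text and hosts file in it are constructed. It accepts only entries that point at a sinkhole address (a list entry pointing at a real IP is the same trick spyware plays on a hosts file), refuses names under suffixes the server must keep resolving (its own AD domain, WSUS), and rewrites a marked section of the hosts file so repeated runs are idempotent and leave the administrator's own entries alone.

```python
"""Safe merge of a hosts-format blocklist into a server's hosts file.
Added example, not Kevin's script or the yoyo.org list; the sample list and
hosts file below are constructed."""
import re
from typing import List, Tuple

# A blocklist entry may only point at a sinkhole address.  Anything else would
# redirect the name to a real host, which is exactly the hosts-file hijack
# that spyware itself performs.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
LABEL = r"[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?"
HOSTNAME_RE = re.compile(rf"^(?:{LABEL}\.)+[a-z0-9-]{{2,63}}$", re.I)
BEGIN, END = "# BEGIN managed blocklist", "# END managed blocklist"


def parse_blocklist(text: str, protected_suffixes=()) -> Tuple[List[str], List[Tuple[int, str]]]:
    """Return (accepted hostnames in order, [(line number, reason)] rejected).
    protected_suffixes: names the server must keep resolving normally (its own
    AD domain, the WSUS server, update sites); a blocklist must never shadow them."""
    protected = tuple(s.lower().strip(".") for s in protected_suffixes)
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        addr, *names = line.split()
        if addr not in SINK_ADDRESSES:
            rejected.append((lineno, f"non-sinkhole address {addr}"))
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if len(name) > 253 or not HOSTNAME_RE.match(name):
                rejected.append((lineno, f"invalid hostname {name!r}"))
            elif any(name == p or name.endswith("." + p) for p in protected):
                rejected.append((lineno, f"protected name {name}"))
            elif name not in seen:
                seen.add(name)
                accepted.append(name)
    return accepted, rejected


def render_hosts(existing: str, blocked: List[str]) -> str:
    """Rewrite the managed section between BEGIN/END markers, leaving the
    administrator's own entries untouched; idempotent on repeated runs."""
    lines = existing.splitlines()
    if BEGIN in lines and END in lines:
        start, stop = lines.index(BEGIN), lines.index(END)
        lines = lines[:start] + lines[stop + 1:]
    while lines and not lines[-1].strip():
        lines.pop()
    managed = [BEGIN] + [f"0.0.0.0 {name}" for name in blocked] + [END]
    return "\n".join(lines + [""] + managed) + "\n"


# Constructed sample blocklist in hosts format (not the real yoyo.org output).
SAMPLE_BLOCKLIST = """\
# sample list
127.0.0.1  ads.example-tracker.net
0.0.0.0    telemetry.example-spyware.com  www.example-spyware.com
127.0.0.1  ads.example-tracker.net        # duplicate, silently collapsed
192.0.2.10 update.microsoft.com           # redirects to a real host: refuse
127.0.0.1  wsus.corp.example              # our own infrastructure: refuse
127.0.0.1  bad_host!.example.com
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n10.0.0.5 backupsrv\n"


def merge(existing: str = SAMPLE_HOSTS, blocklist: str = SAMPLE_BLOCKLIST,
          protected_suffixes=("corp.example",)) -> Tuple[str, List[Tuple[int, str]]]:
    """Parse the list and return (new hosts file content, rejected entries)."""
    accepted, rejected = parse_blocklist(blocklist, protected_suffixes)
    return render_hosts(existing, accepted), rejected


if __name__ == "__main__":
    new_hosts, rejected = merge()
    print(new_hosts)
    for lineno, reason in rejected:
        print(f"rejected line {lineno}: {reason}")
```

On a real server the `protected_suffixes` list should at least carry the AD domain name and the patching infrastructure, since a stray blocklist entry for either silently breaks DC location and updates rather than failing loudly; reviewing the `rejected` list on every run is the check that catches a poisoned or sloppy upstream list before it reaches the servers.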


[ActiveDir] SFTP with AD Auth

2006-07-12 Thread Paul Glenn
I just thought I'd poll everyone to see what is being used as a
SFTP server. Because of the politics of the arena here, the server
will have to be on a member server and not on a DC itself - which I can't think would make much of a difference. The users will be accessing their home dirs only. I've found a couple of packages just by doing some google searches: 
FreeSTP doesn't look like it works unless it's actually on a DC. Although I haven't confirmed that yet.
SSH Secure Shell (which is now SSH TecTIA) at first glance looks like you need their client to connect to the server. I'd really like to stay with something that works with most free SFTP clients (Filezilla, WinSCP, Etc).
I've found a few more, but I thought (like I said) I would get a poll just to see what others used.

Thanks,
Paul

-- 
***
I've got a fever and the only prescription is more cowbell. --Christopher Walken
***



RE: [ActiveDir] LDAP Referrals - just curious

2006-07-12 Thread David Cliffe



Thanks joe, I almost forgot about this 
post. I found a draft of what I was originally going to submit 
which has more specifics in it, but I'm finding that your description below 
is actually right on in terms of the base specified (root) and scope 
(subtree). Only difference was that the query was for the name of user in 
a second child domain.

Yes, in the trace I could see the referrals for 
all the other NCs, and I guess I wondered why the one for the child domain 
wasn't followed. I suppose that would mean all of the other ones would 
have to be followed as well, and as you mentioned, perhaps it is by 
design because it's probably not what the calling user intended - 
and possibly the calling user has just learned a little bit more about the 
referral logic in the process!

-DaveC

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Tuesday, July 11, 2006 11:15 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] LDAP Referrals - just curious
  
  Could you give specifics on what exactly you did, i.e. 
  the exact query?
  
  The code for adfind by default follows the Windows LDAP 
  lib's default for following referrals which is on. However I think that 
  is limited capability and I specifically chose not to add manual 
  referral chasing code because you will find that many queries that involve the 
  root domain as the base return referrals if you look at the traces. In most 
  cases those referrals are worthless to chase and would simply slow the 
  application down. 
  
  For instance, let's say you have a directory laid out 
  like
  
  domain.com
  child.domain.com
  
  then you query a DC of child.domain.com 
  with
  
  Base: domain.com
  Scope: subtree
  Query: name=someuser (which is a user object in 
  domain.com)
  
  So adfind will go to the DC you specify and issue the 
  query, that DC will throw back a referral to go to a DC of domain.com, the 
  LDAP client software will automatically chase this referral (adfind didn't do 
  anything but let wldap32.dll do what it wanted to do). It will find the object 
  and return it but also it will return referrals for 
  dc=ForestDnsZones,dc=domain,dc=com, dc=DomainDnsZones,dc=domain,dc=com, 
  dc=child,dc=domain,dc=com, and cn=configuration,dc=domain,dc=com which really 
  aren't what the person wanted here most likely. 
  
  
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

  Do not read this worthless blog entry on Defending Security Infrastructures - 
  http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely 
  nothing about Defending Security Infrastructures. 
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
  Sent: Thursday, June 29, 2006 5:43 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] LDAP Referrals - just curious
  
  Hi,
  
  I was curious to watch some LDAP referral 
  traces (OK, so it's been a quiet day) and am seeing some results I don't 
  understand among different tools. The queries are issued from within a 
  child domain to a DC in that same domain, searching for an object in 
  another child domain (root + two child domains total). Not using the 
  GC.

  LDP chases a referral (if I turn that 
  option on) and returns an object from the other child domain in 
  the forest. Search call type tested was ASYNC.

  DSQuery, after getting an initial 
  referral to the other domain, reissues the query to a root DC 
  but includes the LDAP_SERVER_DOMAIN_SCOPE_OID control in that search, so 
  then it gets no more referrals to the other child domain. Not sure why 
  it does that?

  ADFind starts off looking good but unbinds and ends 
  the session after getting referral references for the other NCs. 
  Not sure why it doesn't continue to chase.

  I realize I should be providing more info 
  and/or traces. I will be glad to, but just wanted to save some 
  space first and make sure I wasn't missing something 
  obvious?
  
  -DaveC

To find out more about Reuters visit www.about.reuters.com

Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
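The referral behaviour joe walks through above (a child DC answering a root-based query with a referral, the root DC then returning the object plus continuation references for every subordinate NC, and the Windows LDAP library chasing only the first kind) can be modelled in a few dozen lines. The following is an added example, not adfind or any Microsoft code, and its forest, objects and rules are a constructed model of what the two posts describe: it supports only base and subtree scope and a single equality filter, and it treats Dave's LDAP_SERVER_DOMAIN_SCOPE_OID control simply as "do not generate continuation references", which is the effect he observed with DSQuery.

```python
"""Model of AD LDAP referral behaviour for joe's two-domain example.
Constructed data only: the forest, objects and rules below model what the
thread describes (superior referrals, subordinate continuation references,
wldap32-style automatic chasing); this is not a real LDAP implementation."""
from dataclasses import dataclass, field
from typing import List, Optional

# Naming context heads -> domain whose DCs own them (lower-cased for matching).
NAMING_CONTEXTS = {
    "dc=domain,dc=com": "domain.com",
    "cn=configuration,dc=domain,dc=com": "domain.com",
    "dc=forestdnszones,dc=domain,dc=com": "domain.com",
    "dc=domaindnszones,dc=domain,dc=com": "domain.com",
    "dc=child,dc=domain,dc=com": "child.domain.com",
}

# NCs a DC of each domain actually holds.  Configuration and ForestDnsZones
# replicate forest-wide; a domain NC and its DomainDnsZones stay in the domain.
DC_HOLDS = {
    "domain.com": {"dc=domain,dc=com", "cn=configuration,dc=domain,dc=com",
                   "dc=forestdnszones,dc=domain,dc=com", "dc=domaindnszones,dc=domain,dc=com"},
    "child.domain.com": {"dc=child,dc=domain,dc=com", "cn=configuration,dc=domain,dc=com",
                         "dc=forestdnszones,dc=domain,dc=com"},
}

# Sample objects (constructed): DN -> attributes.
OBJECTS = {
    "cn=someuser,cn=users,dc=domain,dc=com": {"name": "someuser"},
    "cn=otheruser,cn=users,dc=child,dc=domain,dc=com": {"name": "otheruser"},
}


def nc_for(dn: str) -> Optional[str]:
    """Head DN of the naming context containing dn (longest matching suffix)."""
    dn = dn.lower()
    heads = [h for h in NAMING_CONTEXTS if dn == h or dn.endswith("," + h)]
    return max(heads, key=len) if heads else None


@dataclass
class SearchResult:
    entries: List[str] = field(default_factory=list)
    referral: Optional[str] = None          # superior referral: domain to ask instead
    continuation: List[str] = field(default_factory=list)  # subordinate NC heads


def search(dc_domain: str, base: str, scope: str, attr: str, value: str,
           domain_scope: bool = False) -> SearchResult:
    """One LDAP search against a DC of dc_domain.  scope is 'base' or 'subtree'.
    domain_scope models LDAP_SERVER_DOMAIN_SCOPE_OID: no continuation references."""
    base = base.lower()
    nc = nc_for(base)
    if nc is None:
        raise ValueError("base is outside the forest namespace")
    if nc not in DC_HOLDS[dc_domain]:
        # The DC has no copy of that NC: LDAP result 10 (referral) to its owner.
        return SearchResult(referral=NAMING_CONTEXTS[nc])
    result = SearchResult()
    for dn, attrs in OBJECTS.items():
        if nc_for(dn) != nc:
            continue  # a search never crosses out of the base's NC
        in_scope = dn == base if scope == "base" else (dn == base or dn.endswith("," + base))
        if in_scope and attrs.get(attr, "").lower() == value.lower():
            result.entries.append(dn)
    if scope == "subtree" and not domain_scope:
        # Every NC head below the base comes back as a continuation reference,
        # whether or not this DC happens to hold a copy of that NC.
        result.continuation = sorted(h for h in NAMING_CONTEXTS
                                     if h != nc and h.endswith("," + base))
    return result


def chase(dc_domain: str, base: str, scope: str, attr: str, value: str,
          domain_scope: bool = False, hops: int = 5) -> SearchResult:
    """Client side: follow superior referrals the way the Windows LDAP library
    does by default.  Continuation references are handed back, not followed."""
    for _ in range(hops):
        result = search(dc_domain, base, scope, attr, value, domain_scope)
        if result.referral is None:
            return result
        dc_domain = result.referral
    raise RuntimeError("referral loop")


if __name__ == "__main__":
    first = search("child.domain.com", "dc=domain,dc=com", "subtree", "name", "someuser")
    print("child DC answered with a referral to:", first.referral)
    final = chase("child.domain.com", "dc=domain,dc=com", "subtree", "name", "someuser")
    print("entries:", final.entries)
    print("continuation references:", final.continuation)
```

Running it reproduces joe's trace: the child DC answers with a referral to domain.com, the root DC returns the user plus four continuation references (Configuration, child, DomainDnsZones, ForestDnsZones), and none of those four is followed. Passing `domain_scope=True` shows why DSQuery's trace was quieter.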




RE: [ActiveDir] Account Password Expiration Tool

2006-07-12 Thread David Cliffe
re:Anyone who has TAMs... Start screaming now...

Done from here.

-DaveC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 11, 2006 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Password Expiration Tool

A comprehensive list of attributes and values doesn't exist; I have
thought about setting up a dynamic webpage backending into a MySQL DB on
my website for a long time but just haven't done it. 

However for userAccountControl you can look at this enumeration:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_user_flag_enum.asp

If you go up one level from that you will find several enumerations for
some of the attributes. Keep in mind that there are some flags that
actually are valid for ADSI in general but not for LDAP, for instance,
ADS_UF_LOCKOUT works for the WinNT provider but not the LDAP provider.
Again, no comprehensive docs exist for that, it is all one offs that
people run into.
Actually that is pretty pathetic in my opinion but hey, at least we get
some info.


Now for your other specific questions... 

All user accounts that must change password at next logon, that is
handled by a combination of the pwdLastSet attribute and the domain
policy for password aging which is in the maxPwdAge attribute and the
current time/date and the userAccountControl. If the account is set to
not expire, it won't ever force a password change, if that isn't set
then there is a combination of the password age and the maxpwdage and
the current time. The easiest way to deal with this is findexpacc. If
you just want all accounts that have never set a password or have been
forced to change password at next logon that is a little easier, you
look for pwdLastSet=0.

All computers running Win2K pro would be handled by looking at the
operatingsystem attribute. I don't recall the actual string for Windows
2000 Professional but I expect that is the string, Windows Server 2003
is Windows Server 2003, Windows XP Pro is Windows XP Professional. MSFT,
again, in their infinite wisdom currently has Vista set as Windows Vista
(copyright
symbol) Ultimate. The copyright symbol is completely moronic in there as
it blows out people trying to look for the machines with command line
tools with really efficient queries. They have no choice but to wildcard
the strings. I bugged it, it was rejected, Eric jumped into the fray and
got it going again but just the same it seems we may end up losing and
it getting out into the OEM launch. Anyone who has TAMs... Start
screaming now, that is going to be a pain if it gets out there. I refuse
to figure out a way around it and will just say that MSFT was stupid and
didn't listen when I pitched it as a bug back in Beta 1. 

For excldn, it probably didn't work due to misunderstanding or mistake,
my code is perfect. ;o)  No seriously, if you have spaces in strings
that are passed as command line parameters, you need to use quotes.
Special characters need to be escaped, this isn't an issue with oldcmp,
it is the command line interpreter interpreting things in the way you
type them instead of how you intend them and passing that to my tools.
Also if you pass multiple DNs the proper delimiter needs to be supplied
(by default I think it is ; but would have to look to be sure) or else
adfind doesn't know what you mean. I am also not good at divining intent
versus what was typed.

  joe



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Tuesday, July 11, 2006 5:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Password Expiration Tool

Pardon my ignorance, but I have one more question: where do I get a list
of all of user or computer object attributes and values as it was used
in (useraccountcontrol:AND:=65536)? 
For instance if I want to enumerate all the user accounts with User Must
Change Password at Next Logon or computers that are running WIN2K PRO.

Also I noticed the OU exclusion switch (-excldn) did not work in the
case of multiple OUs. Is it perhaps because they had space in their
names? 

TIA

Alex

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 11, 2006 3:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Password Expiration Tool

This should do it

oldcmp -report -users -bit -af (useraccountcontrol:AND:=65536) -sh 

If you want a listing of all accounts with that set you would add -age 0

You could also use adfind to get the info. 


  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Tuesday, July 11, 2006 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 
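Two things in joe's replies above are easy to get wrong in a script: what the `(useraccountcontrol:AND:=65536)` shorthand in the oldcmp command actually tests, and how pwdLastSet, maxPwdAge and the "password never expires" bit combine to decide whether a password is due. The following is an added example (not oldcmp, adfind or findexpacc) that works both out on constructed sample accounts. The flag values are the ADS_UF_* constants from the enumeration joe links to; the `:AND:`/`:OR:` shorthand is evaluated as the LDAP bitwise matching rules 1.2.840.113556.1.4.803 and .804; the order in which the checks are applied (pwdLastSet=0 first, then the never-expire bit) is this example's own choice.

```python
"""Worked example of the attributes joe describes: userAccountControl bits,
pwdLastSet and the domain maxPwdAge.  Added example with constructed sample
accounts; flag values are from the ADS_USER_FLAG enumeration joe links to."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# ADS_USER_FLAG_ENUM values; 0x10000 is the 65536 in joe's oldcmp filter.
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

# AD stores pwdLastSet as a FILETIME: 100-ns ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRE_MAXPWDAGE = {0, -(2 ** 63)}  # both encodings mean "no maximum age"


def filetime_to_datetime(ticks: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


BIT_FILTER = re.compile(r"^\((\w+):(AND|OR):=(\d+)\)$", re.I)


def bit_filter_matches(filter_str: str, entry: Dict[str, int]) -> bool:
    """Evaluate the adfind/oldcmp shorthand (attr:AND:=mask) or (attr:OR:=mask).
    :AND: is LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803): all mask bits set.
    :OR: is LDAP_MATCHING_RULE_BIT_OR (1.2.840.113556.1.4.804): any mask bit set."""
    m = BIT_FILTER.match(filter_str)
    if not m:
        raise ValueError(f"not a bitwise filter: {filter_str}")
    attr, rule, mask = m.group(1).lower(), m.group(2).upper(), int(m.group(3))
    value = entry.get(attr, 0)
    return (value & mask) == mask if rule == "AND" else (value & mask) != 0


def password_state(uac: int, pwd_last_set: int, max_pwd_age: int, now: datetime) -> str:
    """Classify an account the way joe lays it out: pwdLastSet=0 means the user
    must change at next logon; DONT_EXPIRE_PASSWD means the password never ages;
    otherwise expiry = pwdLastSet + |maxPwdAge| (maxPwdAge is stored negative).
    Checked in that order here; ADUC keeps the first two mutually exclusive."""
    if pwd_last_set == 0:
        return "must-change"
    if bit_filter_matches("(useraccountcontrol:AND:=65536)", {"useraccountcontrol": uac}):
        return "never-expires"
    if max_pwd_age in NEVER_EXPIRE_MAXPWDAGE:
        return "never-expires"  # domain policy has no maximum password age
    expires_at = filetime_to_datetime(pwd_last_set) + timedelta(microseconds=(-max_pwd_age) // 10)
    return "expired" if now >= expires_at else "valid"


def report(accounts: List[Dict], max_pwd_age: int, now: datetime) -> Dict[str, str]:
    """sAMAccountName -> state for a list of attribute dicts."""
    return {a["samaccountname"]: password_state(a["useraccountcontrol"], a["pwdlastset"],
                                                 max_pwd_age, now) for a in accounts}


# Constructed sample data.  NOW is the date of this thread; MAX_PWD_AGE_42_DAYS is
# a 42-day domain policy in AD's native representation (negative 100-ns ticks).
NOW = datetime(2006, 7, 12, tzinfo=timezone.utc)
MAX_PWD_AGE_42_DAYS = -42 * 24 * 3600 * 10_000_000
SAMPLE_ACCOUNTS = [
    {"samaccountname": "alice", "useraccountcontrol": ADS_UF_NORMAL_ACCOUNT,
     "pwdlastset": datetime_to_filetime(NOW - timedelta(days=10))},
    {"samaccountname": "bob", "useraccountcontrol": ADS_UF_NORMAL_ACCOUNT,
     "pwdlastset": datetime_to_filetime(NOW - timedelta(days=60))},
    {"samaccountname": "svc-backup",
     "useraccountcontrol": ADS_UF_NORMAL_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD,
     "pwdlastset": datetime_to_filetime(NOW - timedelta(days=400))},
    {"samaccountname": "newhire", "useraccountcontrol": ADS_UF_NORMAL_ACCOUNT, "pwdlastset": 0},
]

if __name__ == "__main__":
    for name, state in report(SAMPLE_ACCOUNTS, MAX_PWD_AGE_42_DAYS, NOW).items():
        print(f"{name:12} {state}")
```

The `svc-backup` account is the case joe's oldcmp filter is written to find: a 400-day-old password that the domain policy never forces to rotate, which is exactly the population worth reviewing. Note that the never-expire bit is only meaningful against the live `useraccountcontrol` value; `pwdLastSet` alone says nothing about it.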

Re: [ActiveDir] Acqusition of 2003 Forest - options experiences

2006-07-12 Thread AFidel

I think you'd be doing yourself a favor
to at least look into Quest Software's tools including Migration Manager
for Active Directory. While I haven't used that particular tool I have
used several of their other tools including their Domain Migration Wizard
to move from NT4 to 2000/2003 with much success. They really reduce the
workload in my experience and they have so much experience that they are
less likely to miss something than if you try to do it manually =)

Andrew Fidel



Danny [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/12/2006 01:18 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] Acqusition of 2003 Forest - options & experiences

A company with an independent 2003 Forest has been acquired. They
have Exchange 2003 and a Citrix server. We have a similar
configuration minus Citrix. The goal is obviously to migrate key AD
objects, mailboxes, and servers into our 2003 forest.

I understand that ADMT is often the right tool for the job, but I
would greatly appreciate hearing your personal experiences and any
caveats that you may have run into. And is it the only tool you need?

I am off to read some MS docs on the topic and specifically ADMT.
Hopefully I am able to contribute back to the list.

Thanks,

...D
List info  : http://www.activedir.org/List.aspx
List FAQ  : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Kevin Brunson
I only surf on the big ones.  The small ones just don't catch the waves
right.  

I don't even let them go to Windows Update.  WSUS connections configured
through Group Policy are about as far as I want them to go to the
internet.  The problem is users, and in many cases admins.  I get a
server just right, go back to my office, and by the time I get back
they've already installed 15 programs ending in zilla.

And of course no self-respecting admin can get a $15 Citrix
infrastructure without immediately giving every STINKING user a desktop.
Forget published apps.  Forget everything that made it worth investing
any money whatsoever, let's just give them a STINKING desktop.  Sorry, I
guess I must have let all of my thinking about Defending Security
Infrastructure get to my head.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

You surf on your servers?

My servers go to WU/MU...and maybe to Joe's blog for information on 
Defending Security Infrastructure.. in fact they regularly hang out on 
Joe's blog for all the information I need to know on Defending 
Security Infrastructure.. in fact 
http://blog.joeware.net/2006/07/11/445/ that link is the home page so 
that I'm constantly reminded about Defending Security Infrastructure 
..but other than that... they don't have antispyware because they don't 
go anywhere to get spyware and the Enhanced IE is still on there.



Kevin Brunson wrote:

I have definitely found the hosts file to be useful on servers to keep
them from EVER getting to spyware sites.  This guy has a great list :
http://pgl.yoyo.org/adservers/serverlist.php?showintro=0&hostformat=hosts

Just cut and paste into the hosts file and you are good to go.  I
scripted it for all of the servers I deal with.  But I guess this is
getting pretty far OT: :)
Kevin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on 
servers and workstations  :-)

Peter Johnson wrote:

You might want to then create entries in the host file on the backup 
server so that you guarantee that the backup server always uses the 
right network connection.

*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Robert 
Rutherford
*Sent:* 12 July 2006 12:57
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Multihomed Domain Controllers

No issues, if you...

Go to the TCP/IP settings of the backup network card, click advanced, 
go to the DNS tab and untick register the connection in DNS.

Cheers,

Rob

*Robert Rutherford*
*QuoStar Solutions Limited*
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
*T:* +44 (0) 8456 440 331
*F:* +44 (0) 8456 440 332
*M:* +44 (0) 7974 249 494
*E:* [EMAIL PROTECTED]
*W:* www.quostar.com

**From:** [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Jeff Green
*Sent:* 12 July 2006 11:43
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've
been very impressed by
the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. 
Basically I want
to run backups over a separate GbE and as my servers have dual inbuilt
NICs this
seems an obvious route to take. I know there are some issues with DNS 
(I have
a DNS integrated AD).

Would this cause replication problems, etc ?

Any other gotchas ?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228 f: +44 (0)1895 463098

I dream of hover cars and old transistor radios ... She dreams of 
flowers in a field of sunny bungalows

Confidentiality Note: The information contained in this email and 
document(s) attached are for the exclusive use of the addressee and 
may contain confidential, privileged and non-disclosable information. 
If the recipient of this email is not the addressee, such recipient is
strictly prohibited from reading, photocopying, distribution or 
otherwise using this email or its contents in 

RE: [ActiveDir] SFTP with AD Auth

2006-07-12 Thread Lucas, Bryan

We're just now rolling into
production with Globalscape's product. Mixed feelings about it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Glenn
Sent: Wednesday, July 12, 2006 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SFTP with AD Auth

I just thought I'd poll
everyone to see what is being used as a SFTP server. Because of the
politics of the arena here, the server will have to be on a member server and
not on a DC itself - which I can't think would make much of a difference.

The users will be accessing their home dirs only. I've found a couple of
packages just by doing some google searches: 

FreeSTP
doesn't look like it works unless it's actually on a DC. Although I
haven't confirmed that yet. 

SSH Secure Shell
(which is now SSH TecTIA) at first glance looks like you need their client to
connect to the server. I'd really like to stay with something that works
with most free SFTP clients (Filezilla, WinSCP, Etc). 

I've found a few more, but I thought (like I said) I would get a poll
just to see what others used.

Thanks,
Paul

-- 
***
I've got a fever and the only prescription is more
cowbell. --Christopher Walken
*** 


Re: [ActiveDir] Acqusition of 2003 Forest - options experiences

2006-07-12 Thread Phil Renouf
ADMT does a pretty good job of domain migrations, although the exchange migration tools from Microsoft do leave a few tasks to be done manually (DL migration being one of them). There is a lot of benefit in some of the 3rd party Exchange migration utilities, but for many small AD migrations ADMT has enough functionality to manage it. For larger more complex migrations the 3rd party tools offer a lot of value.

I've not tried to migrate Citrix servers in the past so I don't know if there are any specific pitfalls to watch out for with them.

Phil
On 7/12/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

I think you'd be doing yourself a favor to at least look into Quest Software's tools including Migration Manager for Active Directory. While I haven't used that particular tool I have used several of their other tools including their Domain Migration Wizard to move from NT4 to 2000/2003 with much success. They really reduce the workload in my experience and they have so much experience that they are less likely to miss something than if you try to do it manually =)
 Andrew Fidel 

Danny [EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED] 
07/12/2006 01:18 PM 
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org 
cc:
Subject: [ActiveDir] Acqusition of 2003 Forest - options & experiences

A company with an independent 2003 Forest has been acquired. They have Exchange 2003 and a Citrix server. We have a similar configuration minus Citrix. The goal is obviously to migrate key AD objects, mailboxes, and servers into our 2003 forest.

I understand that ADMT is often the right tool for the job, but I would greatly appreciate hearing your personal experiences and any caveats that you may have run into. And is it the only tool you need?

I am off to read some MS docs on the topic and specifically ADMT. Hopefully I am able to contribute back to the list.

Thanks,

...D

List info  : http://www.activedir.org/List.aspx
List FAQ  : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Matt Hargraves
Not so sure I agree with that. Thin clients work just fine, require less maintenance and can be replaced in 5 minutes, vs. the 3 hour argument that you'll get if you try replacing someone's desktop because they saved 19 items that have nothing to do with their job on the local hard drive.
Then again, desktops are about as expensive nowadays as thin clients, so the justification for thin clients isn't what it used to be.


Re: [ActiveDir] SFTP with AD Auth

2006-07-12 Thread Paul Glenn
On 7/12/06, Bernier, Brandon (.) [EMAIL PROTECTED] wrote:

It's too bad IIS6 doesn't support TLS for FTP or that 
would be a great solution.

Agreed! It's amazing to me that after all these years they haven't decided to make some sort of SFTP native service. Too bad really.
paul

However, since it doesn't I would recommend a product 
called Serv-U by Rhinosoft.

-Brandon



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Lucas, 
BryanSent: Wednesday, July 12, 2006 3:32 PMTo: 
ActiveDir@mail.activedir.orgSubject:
 RE: [ActiveDir] SFTP with AD 
Auth


We're just now rolling 
into production with Globalscape's product. Mixed feelings about 
it.





From: 
[EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] 
On Behalf Of Paul 
GlennSent: Wednesday, July 12, 
2006 12:47 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] SFTP with AD 
Auth


I just thought I'd poll everyone to see 
what is being used as a SFTP server. Because of the politics of the arena 
here, the server will have to be on a member server and not on an DC itself - 
which I can't think would make much of a difference.The users will be 
accessing their home dirs only. I've found a couple of packages just by 
doing some google searches: 

FreeSTP doesn't look like 
it works unless it's actually on a DC. Although I haven't confirmed that 
yet. 

SSH Secure Shell (which 
is now SSH TecTIA) at first glance looks like you need their client to connect 
to the server. I'd really like to stay with something that works with most 
free SFTP clients (Filezilla, WinSCP, Etc). 
I've found a few more, but I thought (like I said) I 
would get a poll just to see what others used.Thanks,Paul
-- 
***I've 
got a fever and the only prescription is 
morecowbell.--Christopher 
Walken*** 




RE: [ActiveDir] Planning for the future

2006-07-12 Thread Almeida Pinto, Jorge de
An OU with the objects needed for those people (users, groups, computers) would be enough. Imagine a domain with at least 2 DCs for just 30 people with no special requirements while other domain(s) exist.

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Larry Wahlers
Sent: Wed 2006-07-12 19:18
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Planning for the future

Esteemed colleagues,

We have a radio station that is currently part of our denomination that
we want to finally put on our network. They are located about 20 miles
from our headquarters. However, there has been talk for many, many years
about selling off this radio station, but that hasn't come to pass yet.

My question is, if we put them in their own domain in our existing
forest, would that make it easier to get them into their own forest if
they should some day no longer be a part of us? If not, what's the best
way to plan for a possible future in which these 30 people might no
longer be working for us?

Many thanks in advance.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876




This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.

[OT]Re: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Al Mulnick
I know we're drifting off-topic, but I read this and started thinking: laptops. Why bother with desktops? 

On 7/12/06, Matt Hargraves [EMAIL PROTECTED] wrote:

Not so sure I agree with that. Thin clients work just fine, require less maintenance and can be replaced in 5 minutes, vs. the 3 hour argument that you'll get if you try replacing someone's desktop because they saved 19 items that have nothing to do with their job on the local hard drive. 
Then again, desktops are about as expensive nowadays as thin clients, so the justification for thin clients isn't what it used to be.


RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Kevin Brunson
Sorry, forgive me for my lack of clarity. I was on the phone with Microsoft when I wrote that, so my head was shrinking. But don't worry, they refunded my case.

I agree with you 100%.

My rant was purely referring to the desktop published app, not a physical workstation. I was ranting about admins who can't seem to understand that Citrix costs more than RDP, but that is about the only difference if every user is connecting to the Citrix desktop instead of published apps. Especially since they don't want to lock the users down on the Citrix servers.

Wow, it's a long way from multihomed domain controllers to Citrix and desktops vs. thin clients.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Wednesday, July 12, 2006 3:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

Not so sure I agree with that. Thin clients work just fine, require less maintenance and can be replaced in 5 minutes, vs. the 3 hour argument that you'll get if you try replacing someone's desktop because they saved 19 items that have nothing to do with their job on the local hard drive.

Then again, desktops are about as expensive nowadays as thin clients, so the justification for thin clients isn't what it used to be.


RE: [OT]Re: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Kurt Falde
Great so we can have even more people taking confidential data home with them and getting their laptops stolen from their cars :) Until we get Vista BitLocker and laptops that utilize it across the board I would be extremely paranoid about laptops all over.

Kurt Falde

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, July 12, 2006 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: [OT]Re: [ActiveDir] Multihomed Domain Controllers

I know we're drifting off-topic, but I read this and started thinking: laptops. Why bother with desktops?


Re: [ActiveDir] Planning for the future

2006-07-12 Thread Al Mulnick
I agree with Jorge but I think it pertinent to add that you would likely want to gain some perspective:

You are asking about a configuration for something that might happen in the distant future or not too distant future. You're trying to future-proof your design/deployment centered around 30 sec prins, possibly 60 if they bring computing hardware with them.

Using an OU, you can satisfy today's needs, and you can adjust to whatever their future demands become. If they decide in the future to go with Linux as their standard, then you'll not have wasted a moment's time or a penny of hardware to satisfy what might have been. If they decide to go with Active Directory, what exactly do you want them to take with them? If you give them their own forest, you *could* just cut the ties and no worries. But the administrative headache that goes with that is formidable. It must be dealt with and it will always be different and require special handling, additional resources, and a different skill set than an OU would require. Separate forests offer few benefits from what I can see of this situation, but weigh that carefully.

If they decide to split company and go their own way to a new AD forest, you can use migration utilities to give them the sec prins (if they want them; it would be easier to just create new ones IMHO) and give them their mail data and be done. 30 users is too small a number in my opinion to want to worry about separate forests etc.

On 7/12/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

An OU with the objects needed for those people (users, groups, computers) would be enough. Imagine a domain with at least 2 DCs for just 30 people with no special requirements while other domain(s) exist.

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



Re: [OT]Re: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Al Mulnick
Confidential data? Can you, in three minutes or less, recite your company's confidential data policies if you were asked? Can you explain them to the users in your company (fair enough, I know you're a tech company; I've heard of you)? Or are your company's classified docs going home on USB sticks and CDs or DVDs or in email and web uploads?

I wonder though, desktop machines guarded by the cleaning crew are better? What about smart phones? Those keep you up late at night as well? :)

We're easily years away from widespread use and adoption of things like BitLocker. With cross-platform usage, not sure of the value outside of the sphere of Windows desktops that have been upgraded (that's a what? 5 year cycle at many companies?) either, but leave that for another time.

My preference is to embrace the new technology and find ways to mitigate the risks. Laptops are here to stay and although they go missing, that to me is not enough of a reason to not want to use them. I've seen instances of desktops that grow legs and go missing as well. Some might argue that VPN usage to non-company assets (those not owned AND managed by the company) is enough to give you the heebie jeebies.

I don't see BitLocker solving those issues. Know something different?


On 7/12/06, Kurt Falde [EMAIL PROTECTED] wrote:

Great so we can have even more people taking confidential data home with them and getting their laptops stolen from their cars :) Until we get Vista BitLocker and laptops that utilize it across the board I would be extremely paranoid about laptops all over.

Kurt Falde



[ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-12 Thread Victor W.



Today a conversation at my job came up about setting the preferred DNS server on the NIC of a DC with DNS installed.

As far as I know it's best to point the DC (with DNS installed) to itself for DNS by specifying the internal IP address of the DC as the preferred DNS server on the NIC.

Then I was told that this is not always necessary and this puzzled me a bit.

Not everybody was convinced of the above and this got me thinking. Some people are claiming that it doesn't really matter if you set that DC to be the preferred or the alternate DNS server.

I was then shown an environment where all DCs in a child domain (all had DNS installed) had the same DNS server set as preferred DNS server.

Perhaps an example will make it more clear:

A forest root domain with 4 child domains: child domain A, B, C, and D.

Names of the Domain Controllers:
root domain: DC-A & DC-B & DC-C & DC-D
for child domain A: DC-A1 & DC-A2
for child domain B: DC-B1 & DC-B2
for child domain C: DC-C1 & DC-C2
for child domain D: DC-D1 & DC-D2

DC-A1 has specified DC-A2 as preferred DNS server and has specified DC-A1 (itself) as alternate DNS server.
DC-A2 has specified DC-A2 (itself) as preferred DNS server and has specified DC-A1 as alternate DNS server.

DC-B1 has specified DC-B2 as preferred DNS server and has specified DC-B1 (itself) as alternate DNS server.
DC-B2 has specified DC-B2 (itself) as preferred DNS server and has specified DC-B1 as alternate DNS server.

And so on for the other child domains.

I was told that this was done because this AD environment was not optimal and that by pointing all the DCs in a child domain to the same DNS server, other issues were prevented from occurring. This didn't sound all that good to me, to be honest :-)

I am now wondering if there are scenarios thinkable when it would be better not to point a DC with DNS installed as the preferred server on its NIC.

Does the term Island DNS also play a role in this?
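The layout described in this post can be checked mechanically. The following is an added example, not code from the thread: it encodes the poster's child domain A as constructed data (plus a made-up domain E with two deliberately bad configurations) and flags a DC that resolves only via itself, a DC that does not list itself, a DC pointing outside its own domain, and a domain where every DC shares one preferred server. Which of these to treat as a real problem is the example's own assumption, not a vendor recommendation.

```python
"""Sanity-check DNS client settings on domain controllers.

Added example, not code from the original thread. Hostnames only, no
real IPs; the rules below are this example's assumptions about what a
practitioner would want flagged, not published vendor guidance.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DcDnsClient:
    name: str                 # DC hostname, e.g. "DC-A1"
    domain: str               # AD domain the DC belongs to, e.g. "A"
    preferred: str            # preferred DNS server (hostname)
    alternate: Optional[str]  # alternate DNS server, or None if unset


def servers_of(dc: DcDnsClient) -> List[str]:
    """Configured DNS servers in order, skipping an unset alternate."""
    return [s for s in (dc.preferred, dc.alternate) if s]


def find_issues(dcs: List[DcDnsClient]) -> List[Tuple[str, str]]:
    """Return (subject, problem) pairs for every rule that fires."""
    by_name = {dc.name: dc for dc in dcs}
    issues: List[Tuple[str, str]] = []

    for dc in dcs:
        servers = servers_of(dc)
        if servers == [dc.name]:
            # The "island" case the post asks about: no other DC to fall back on.
            issues.append((dc.name, "resolves only via itself (island DNS risk)"))
        elif dc.name not in servers:
            issues.append((dc.name, "does not list itself as preferred or alternate"))
        for s in servers:
            peer = by_name.get(s)
            if peer is None:
                issues.append((dc.name, f"{s} is not a known DNS-hosting DC"))
            elif peer.domain != dc.domain:
                issues.append((dc.name, f"{s} belongs to domain {peer.domain}, not {dc.domain}"))

    # Per-domain view: one shared preferred server is a single point of
    # failure for first-try resolution in that domain.
    preferred_by_domain = defaultdict(set)
    for dc in dcs:
        preferred_by_domain[dc.domain].add(dc.preferred)
    for domain, prefs in sorted(preferred_by_domain.items()):
        members = [dc for dc in dcs if dc.domain == domain]
        if len(members) > 1 and len(prefs) == 1:
            only = next(iter(prefs))
            issues.append((f"domain {domain}",
                           f"all {len(members)} DCs use {only} as preferred DNS server"))
    return issues


# Constructed data: the poster's child domain A exactly as described, plus a
# made-up child domain E whose two DCs are misconfigured on purpose.
SAMPLE_DCS = [
    DcDnsClient("DC-A1", "A", preferred="DC-A2", alternate="DC-A1"),
    DcDnsClient("DC-A2", "A", preferred="DC-A2", alternate="DC-A1"),
    DcDnsClient("DC-E1", "E", preferred="DC-E1", alternate=None),     # island
    DcDnsClient("DC-E2", "E", preferred="DC-A1", alternate="DC-E2"),  # wrong domain
]

if __name__ == "__main__":
    for subject, problem in find_issues(SAMPLE_DCS):
        print(f"{subject}: {problem}")
```

On the poster's domain A the only finding is that both DCs share DC-A2 as preferred server; swapping DC-A2's entries so that each DC prefers its partner and lists itself as alternate clears it.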



Re: [ActiveDir] RDP Over SSL (No Security tab in Client)

2006-07-12 Thread Bart Van den Wyngaert

Hi Al,

Just came across this link... Didn't test it myself as I am going to
do a real upgrade of the stuff (I still don't understand why there is
no real upgrade package, I really don't see any difference except the
added feature and I want to have both mstsc.exe and the MMC with the
feature)...

http://www.petri.co.il/download_rdp_5_2.htm

Regards,
Bart

On 7/4/06, Al Mulnick [EMAIL PROTECTED] wrote:

Sounds suspiciously like a bug of omission that ought to be reported. The newer version should be laid down with the applications that it comes with IMHO. If it's in the code tree that far ahead, then I can't see a reason that it isn't laid down.

Al


On 7/4/06, Bart Van den Wyngaert [EMAIL PROTECTED] wrote:

What I have found today is that I actually don't have to register the .DLL file; only having both files present in the same directory already does the trick. Although when you do a 'Start > Run > mstsc' it will start the one in your Windows folder of course.

Old version: 5.1.2600.2180
New version: 5.2.3790.1830

And when registering the new .DLL in another location than the current one (ex. D:\MSTSC\MSTSCAX.DLL), I receive the message "*.DLL was loaded, but the DllInstall entry point was not found. *.DLL does not appear to be a .DLL or .OCX file".

For tsmmc.msc I have found that I needed to install the MMC 3.0 update, register the .DLL (although I had a warning) and then it was available...

I've installed W2K3 SP1 Administration Tools, but that didn't actually do the upgrade. If I look into the source of the Support Tools, I don't see the .DLL files or the .EXE files located there.

So actually we should fine-tune this to have the ideal 'upgrade' ;-)

Regards,
Bart

On 6/21/06, Al Mulnick [EMAIL PROTECTED] wrote:

I would have expected the support tools from W2K3 SP1 Server to upgrade the version. Can you send the file version and time stamp information for those files?

Al

On 6/20/06, Ravi Dogra [EMAIL PROTECTED] wrote:

HI,

Al Mulnick::
I have tried updating the version but that didn't help me. Did you see the snapshot without the security tab? It was the same after installing the updated version.

Can you send me a link from where I can find the updated version to modify the built-in MSTSC.

Thanks for all your help.

Bart Van den Wyngaert::
You are right, I tried the same but it wasn't giving me the option to select Require Authentication.

It looks like there is a dll which is used by both mstsc and tsmmc.msc because when I registered this dll both things worked fine for me.

Let me know if I am missing something?

Thanks and Regards
Ravi Dogra


RE: [ActiveDir] Moving a Certificate Authority

2006-07-12 Thread WATSON, BEN
I am mostly complete with the domain upgrade and the subsequent certificate authority move. I've run into what should be the final problem before I can say everything is now successful.

I have moved the Certificate Authority from one Windows 2000 Server to another Windows 2000 Server. Everything appears happy on the new server running as a new certificate authority; however domain clients are unable to request a certificate at this point. For instance, when attempting to request a user certificate from a Windows 2000 member server, I get the pretty standard error message stating, "Windows cannot find a certification authority that will process the request."

I have followed the instructions from KB298138 in the Windows 2000 section and while the certificate authority itself seems happy, all the clients don't seem to know where it is located. The new certificate authority has the exact same name as the old certificate authority, and I backed up the old CA certs and keys along with a registry key and restored these on the new CA as directed in the KB article.

Any advice on where to look to resolve this? I did find KB271861 which talked about the same error I was getting, and I did not have the Enroll right given to Domain Users; however even after giving Domain Users that right it still has not changed anything.

Thanks,

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, July 11, 2006 6:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

Have you thought about putting a new server (or an older one with good hardware) in the mix as 2000, moving the CA to it, and then upgrading it to 2k3? That way you don't have to worry about the hardware not supporting 2003 or something terrible like that. Then if you want you could move it from that 2003 server to another 2003 server, or you could just leave it where it is.

Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, July 11, 2006 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

And will it ever be a slooow 2k3 machine indeed. After continuing to do some reading and researching, it does appear that my only option is to:

1) Upgrade the old DC to 2k3
2) Backup the CA and the registry key as stated in the KB298138 article.
3) Remove the CA services, demote server and rename it.
4) Promote a 2k3 server with the same name as the old DC and install the CA services.
5) Restore the CA data and registry key
6) Cross my fingers and hope that I have a CA once again

I'll give this a shot tomorrow. I just wonder what would be my backup plan should the CA restoration fail on the new server? The old server will have been demoted and removed from Active Directory along with the CA services removed, not to mention a new server now has its name.

Thanks for your .02 Steve, it seems to be spot on.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

You cannot move from 2000 to 2003 as the database has changed. You could upgrade to 2k3 (this would be temporary) and then move to another 2k3 server. I know that you said that the HW was old - but perhaps a temporary sloow 2k3 machine?

You should keep the hostname the same - if you took the defaults for install (90% of CAs out there) then you have paths in all of your issued certs which hardcode to this server, not to mention the name is also in AD as well as the CA web pages. Unless you have a very good reason - it'd be best to keep it the same. I think that the article doesn't mention moving to a new name, because it would vary from customer to customer and cause more trouble than it's worth.

my .02

steve

- Original Message -
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 11, 2006 3:08 PM
Subject: [ActiveDir] Moving a Certificate Authority

As part of my on-going journey into upgrading a 2000 domain to 2003, I've run into the issue of moving the Certificate Authority on one of the original domain controllers to a new Windows 2003 domain controller.

I have found a couple KB articles that seem to put me down a good path, but then don't pan out. Here is the situation:

I am at the point in the domain upgrade process where I need to eliminate the Windows 2000 Servers from the domain so I can raise the functional level to 2003 native. However, the CA is currently on such old hardware that an OS upgrade to Windows 2003 from Windows 2000 is simply not possible, so it will need to be demoted. It was originally a Windows NT 4.0 domain controller back in the day. So I am in a situation where I need to take a Certificate Authority

Re: [ActiveDir] Planning for the future

2006-07-12 Thread Matt Hargraves
I guess it really comes down to one thing: What does your employer want? If they want to be able to sell off the asset quickly and smoothly, a trusted peer forest is the way to go. If they want to save money now, then just build some OUs and go that direction.

Make sure that they know the differences though: Moving 10-30 computers into a new domain isn't just a 2 minute move, unless you really don't care about the users' former profiles. 'Give them their e-mail' might sound really nice if you don't care about them either. Severing the users from their domain severs them from other things that are behind the scenes, their SID and the Exchange infrastructure (if you are using Exchange). Going with an OU to handle the computers and users is easy now, but it's not pretty or simple. Going with a separate peer domain/forest allows you to sever them very smoothly (break trust) and the users actually continue to work exactly as they did before, except that they can't access any resources on your existing domain.

I'll be honest... a lot of people are more concerned with saving money than they are in making sure that an asset has the capability to be completely independent of the parent organization. My recommendation is based upon what several companies that I've worked for do when they start up divisions that might be spun off later or even with assets which they acquire.
On 7/12/06, Al Mulnick [EMAIL PROTECTED] wrote:
I agree with Jorge but I think it pertinent to add that you would likely want to gain some perspective:

You are asking about a configuration for something that might happen in the distant future or not too distant future. You're trying to future-proof your design/deployment centered around 30 sec prins, possibly 60 if they bring computing hardware with them.

Using an OU, you can satisfy today's needs, and you can adjust to whatever their future demands become. If they decide in the future to go with Linux as their standard, then you'll not have wasted a moment's time or a penny of hardware to satisfy what might have been. If they decide to go with Active Directory, what exactly do you want them to take with them? If you give them their own forest, you *could* just cut the ties and no worries. But the administrative headache that goes with that is formidable. It must be dealt with and it will always be different and require special handling, additional resources, and a different skill set than an OU would require. Separate forests offer few benefits from what I can see of this situation, but weigh that carefully.

If they decide to split company and go their own way to a new AD forest, you can use migration utilities to give them the sec prins (if they want them; it would be easier to just create new ones IMHO) and give them their mail data and be done. 30 users is too small a number in my opinion to want to worry about separate forests etc.




Re: [OT]Re: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Matt Hargraves
Fortunately, unless you know who has the data that you want to steal, the chances of any actual confidential data being stolen to the thieves' benefit are pretty slim. Even if you do find data that a competitor would want, most companies today are pretty hesitant about taking confidential information. Didn't you hear about Pepsi turning in that guy who was going to sell them confidential information from Coca Cola?

The information that people are really worried about is controlled by the people who are usually more paranoid than we are: the accountants ;)

On 7/12/06, Al Mulnick [EMAIL PROTECTED] wrote:
Confidential data? Can you, in three minutes or less, recite your company's confidential data policies if you were asked? Can you explain them to the users in your company (fair enough, I know you're a tech company; I've heard of you)? Or are your company's classified docs going home on USB sticks and CDs or DVDs or in email and web uploads?

I wonder though, desktop machines guarded by the cleaning crew are better? What about smart phones? Those keep you up late at night as well? :)

We're easily years away from widespread use and adoption of things like BitLocker. With cross-platform usage, not sure of the value outside of the sphere of Windows desktops that have been upgraded (that's a what? 5 year cycle at many companies?) either, but leave that for another time.

My preference is to embrace the new technology and find ways to mitigate the risks. Laptops are here to stay and although they go missing, that to me is not enough of a reason to not want to use them. I've seen instances of desktops that grow legs and go missing as well. Some might argue that VPN usage to non-company assets (those not owned AND managed by the company) is enough to give you the heebie jeebies.

I don't see BitLocker solving those issues. Know something different?




RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Freddy HARTONO
Don't mean to hijack this thread but on a similar note - what's the
downside of installing DCs with Adapter Teaming?

All I know is that when adapter teaming is enabled, setting up the WINS
service will pop an error message (which can be ignored)... but
anything else? I've always been a firm believer in one NIC and no
teaming...

Any comments? 


Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on
servers and workstations  :-)

Peter Johnson wrote:

 You might want to then create entries in the host file on the backup 
 server so that you guarantee that the backup server always uses the 
 right network connection.

 --
 *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Robert Rutherford
 *Sent:* 12 July 2006 12:57
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Multihomed Domain Controllers

 No issues, if you...

 Go to the TCP/IP settings of the backup network card, click Advanced, go to the DNS tab and untick "register the connection in DNS".

 Cheers,

 Rob

 *Robert Rutherford*
 *QuoStar Solutions Limited*
 The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
 *T:* +44 (0) 8456 440 331
 *F:* +44 (0) 8456 440 332
 *M:* +44 (0) 7974 249 494
 *E:* [EMAIL PROTECTED]
 *W:* www.quostar.com

 --

 **From:** [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Jeff Green
 *Sent:* 12 July 2006 11:43
 *To:* ActiveDir@mail.activedir.org
 *Subject:* [ActiveDir] Multihomed Domain Controllers

 Hi,

 First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

 My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD).

 Would this cause replication problems, etc?

 Any other gotchas?

  

 Many Thanks,

 ---
 Jeff Green
 Network Support Manager
 SAPIENS (UK) Ltd
 t: +44 (0)1895 464228 f: +44 (0)1895 463098

 I dream of hover cars and old transistor radios ... She dreams of 
 flowers in a field of sunny bungalows


 --
 Confidentiality Note: The information contained in this email and document(s) attached are for the exclusive use of the addressee and may contain confidential, privileged and non-disclosable information. If the recipient of this email is not the addressee, such recipient is strictly prohibited from reading, photocopying, distribution or otherwise using this email or its contents in any way.

 Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail immediately at [EMAIL PROTECTED], if you have received this email in error.

 Disclaimer: The views, opinions and guidelines contained in this confidential e-mail are those of the originating author and may not be representative of Sapiens (UK) Ltd.
 --


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Kevin Brunson
Hijack this thread?  I didn't know it could be hijacked any more than I
already had.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Wednesday, July 12, 2006 8:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Don't mean to hijack this thread but on a similar note - whats the
downside for installing DCs with Adapter Teaming?

All I know is that when adapter teaming is enabled, setting up WINS
service will pops and error message (which can be ignored)...but
anything else? I've always been a firm believer of one nic and no
teaming...

Any comments? 




Re: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Al Mulnick
I've not had good luck with teaming and I've yet to see much benefit. Saying that, I can see where teaming in a failover method might have some benefits for other types of servers. Due to the way AD is deployed (fabric vs. cluster or single instance) I see no point in making anything complex when it comes to a domain controller. I view teaming as one more piece of software to configure (and potentially mess up) and one more thing in my troubleshooting list if something goes amiss. 



On 7/12/06, Freddy HARTONO [EMAIL PROTECTED] wrote:
Don't mean to hijack this thread but on a similar note - what's the downside for installing DCs with Adapter Teaming?
All I know is that when adapter teaming is enabled, setting up WINS service will pop an error message (which can be ignored)...but anything else? I've always been a firm believer of one NIC and no teaming...
Any comments?


Re: [ActiveDir] Planning for the future

2006-07-12 Thread Al Mulnick
I can respect that. And I agree with some of that logic to an extent. I don't find migrations to be terribly complex, but I have to question what you're really migrating with 30 users. Email? Nope, that was held by the parent company. I need to get a PST (easily done with tools readily available that drops them into PST files nice and neat). Security principals? For what? What exactly are you going to access when you sever the ties? Do you have a file server? Hmm... again, a migration is pretty easy and well documented and for thirty users is a few hours work. Not much more or less than you'd likely spend unhooking the data and systems for the cast off if you went with multiple forests. In the meantime you have integration issues (Exchange would be particularly difficult to deal with in that environment leading me to my thoughts of migration later vs. separate forests now) and you likely have given access to other shared resources to the users while they were part of the company. Otherwise, why bother with the trusts at all? DNS is a PITA and the worst part is that nobody ever pays as much attention to the other forest or the DNS after you've moved on and been promoted or reassigned to some other project. 

In my experience, the times I've seen this approach it was worse operationally than I believe it should be. They were still the red-headed step children and received very little benefit from being joined in the first place. This was after walking into sites that had gone this route and then seeing it years after the decisions. Similar thinking was used to get there, but the people that made the decisions were long long gone. 

For all of that, I think it best to keep them part of the organization and not worry about three years down the road for what the business *might* do. If that time comes, deal with it as a migration/divestiture vs. a separate forest that you've been running for them. I think that results in lowered cost, better service and not much more difficulty divesting later than if you had given them a separate forest.




On 7/12/06, Matt Hargraves [EMAIL PROTECTED] wrote:

I guess it really comes down to one thing: What does your employer want? If they want to be able to sell off the asset quickly and smoothly, a trusted peer forest is the way to go. If they want to save money now, then just build some OUs and go that direction.
Make sure that they know the differences though: Moving 10-30 computers into a new domain isn't just a 2 minute move, unless you really don't care about the users' former profiles. 'Give them their e-mail' might sound really nice if you don't care about them either. Severing the users from their domain severs them from other things that are behind the scenes, their SID and the Exchange infrastructure (if you are using Exchange). Going with an OU to handle the computers and users is easy now, but it's not pretty or simple. Going with a separate peer domain/forest allows you to sever them very smoothly (break trust) and the users actually continue to work exactly as they did before, except that they can't access any resources on your existing domain.
I'll be honest... a lot of people are more concerned with saving money than they are in making sure that an asset has the capability to be completely independent of the parent organization. My recommendation is based upon what several companies that I've worked for do when they start up divisions that might be spun off later or even with assets which they acquire.


On 7/12/06, Al Mulnick [EMAIL PROTECTED] wrote:


I agree with Jorge but I think it pertinent to add that you would likely want to gain some perspective: 

You are asking about a configuration for something that might happen in the distant future or not too distant future. You're trying to future proof your design/deployment centered around 30 sec prins, possibly 60 if they bring computing hardware with them.


Using an OU, you can satisfy today's needs, and you can adjust to whatever their future demands become. If they decide in the future to go with Linux as their standard, then you'll not have wasted a moment's time or a penny of hardware to satisfy what might have been. If they decide to go with Active Directory, what exactly do you want them to take with them? If you give them their own forest, you *could* just cut the ties and no worries. But the administrative headache that goes with that is formidable. It must be dealt with and it will always be different and require special handling, additional resources, and a different skill set than an OU would require. Separate forests offer few benefits from what I can see of this situation, but weigh that carefully.


If they decide to split company and go their own way to a new AD forest, you can use migration utilities to give them the sec prins (if they want them; it would be easier to just create new ones IMHO) and give them their mail data and be done. 30 users is too small a number in my opinion to

Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-12 Thread Al Mulnick
You don't work at the post office do you? ;)


There are many many many ways to properly configure DNS. One thing that helps is to think of the terms client and server vs. preferred and alternate only. You are configuring a preferred server and an alternate server that you want this DC to be a client of.

DNS is a standard. Windows 2003 DNS follows those standards (comments really, but let's not pick, right?). Microsoft has done some enhancements above and beyond that make DNS play very well in the Microsoft sphere[1]. You can however have DNS that is a third party DNS system, such as BIND. Active Directory plays very well with such third party DNS systems. You could have your domain controllers not have any DNS hosted on them at all. You could have it hosted, but as a secondary zone. You could also have it AD integrated, meaning that you have a listener for DNS but the data(base) is stored in the Active Directory.

Something to clarify: what you're talking about is making the DC a *client* to another DNS server that hosts the zones. You're also talking about making dc1 a client of dc2 and vice versa. That's silly, but I'll get to that.

If you have your DNS hosted on a third party system such as BIND, you'll have one server as the primary (not best practice, but you get the idea; in practice you'd have multiple for failure tolerance and WAN traffic optimization) and your DC would be a client of that system.

If you have a traditional DNS hierarchy that has primary and secondary transfers, you would be mimicking BIND topology and again could configure your DCs to be clients of the BIND or Microsoft DNS servers.

If you have the DNS AD-integrated, then after initial replication you should have the client configured to use itself as the DNS server. That'd be the best practice. Before 2003 you could have an island effect where, because you didn't have a full picture of the directory, you might not have all the records needed to fully *see* the entire DNS names list, effectively creating an island of a DC. In 2003 some additional code was put in to make sure that doesn't happen. You need to be a client of a working DNS to join the domain and to find the other DCs when you get promoted. After replication completes, you have a full list and there's no need to continue as a client of a server that has the same information you do.

So, what's silly about having your server configured to be a client of a DNS server that has the same information? I find it amusing that if the server wants to find something he'll ask his neighbor if he has the information when he could just ask himself. It's brain dead in my opinion and very difficult to troubleshoot. In addition, and more importantly, it breaks the idea of a fabric design because now dc1 and dc2 are reliant on each other to be operational. If either is down, both are down and that's ridiculous considering how easy it is to prevent that situation. But wait! you say? He should try the partner first and if that fails use himself, right? Yes, but. :) He'll try the neighbor first, because that's the preferred. He'll also register there etc. The worst part is that if he tries the partner and the partner is not completely dead, he'll not try himself even if he has the right information.

Now, will it work? Yes. Is it a good idea? Absolutely not, and it shows a lack of understanding on the part of the folks that deployed it. From the sounds of it, an unwillingness to fix the underlying issues that led them there as well. On the other hand, they're spot on if it's W2K vs. K3 :)

Does that help?

[1] unless you like granular audit logging. But that's neither here nor there.
On 7/12/06, Victor W. [EMAIL PROTECTED] wrote: 



Today a conversation at my job came up about setting the preferred DNS server on the NIC of a DC with DNS installed.
For as far as I know it's best to point the DC (with DNS installed) to itself for DNS by specifying the internal IP address of the DC as the preferred DNS server on the NIC.

Then I was told that this is not always necessary and this puzzled me a bit.

Not everybody was convinced of the above and this got me thinking. Some people are claiming that it doesn't really matter if you set that DC to be the preferred or the alternate DNS server.

I was then shown an environment where all DCs in a child domain (all had DNS installed) had the same DNS server set as preferred DNS server.

Perhaps an example will make it more clear:

A forest root domain with 4 child domains.

child domain A, B, C, and D.

Names of the Domain Controllers:
root domain: DC-A  DC-B  DC-C  DC-D
for child domain A: DC-A1  DC-A2
for child domain B: DC-B1  DC-B2
for child domain C: DC-C1  DC-C2
for child domain D: DC-D1  DC-D2


DC-A1 has specified DC-A2 as preferred DNS server and has specified DC-A1 (itself) as alternate DNS server.
DC-A2 has specified DC-A2 (itself) as preferred DNS server and has specified DC-A1 as alternate DNS server

DC-B1 has specified DC-B2 as 

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Brian Desmond
That's fine. You need to do two things:

1. This needs to be a backup subnet (so no gateway).

2. In the Network Connections explorer window under Tools > Advanced Settings, prioritize your connections with this one being last (this is only necessary if you need a gateway for the backup subnet for whatever reason).


Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Jeff Green
Sent: Wednesday, July 12, 2006 5:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD).

Would this cause replication problems, etc?

Any other gotchas?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228 f: +44 (0)1895 463098

I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows



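The settings the thread converges on for a multihomed DC (backup NIC with no gateway and no DNS registration or DNS servers, per Rob, Jeff and Brian; production NIC pointing at the DC's own address as preferred DNS on Windows Server 2003 and later, per Al's post on preferred DNS servers) can be audited with a script like the one below. This is an added example, not code from anyone on the list: Test-DcNetworkConfig is a constructed name, the sample adapter objects are constructed, and on a real DC the function reads the standard Win32_NetworkAdapterConfiguration WMI class when called with no arguments.

```powershell
# Added audit script (not from the thread). Checks a DC's IP-enabled adapters
# against the recommendations above:
#   - exactly one adapter carries a default gateway (the backup subnet has none),
#   - the backup adapter has no DNS servers and does not register in DNS
#     ("Register this connection's addresses in DNS" unticked),
#   - the production adapter lists one of the DC's own addresses as preferred DNS
#     (advice for AD-integrated DNS on Windows Server 2003 and later; the script
#     cannot tell whether initial replication has completed, which Al's post
#     makes the precondition for pointing a DC at itself).
# Win32_NetworkAdapterConfiguration exists on every Windows version discussed
# in the thread; -Adapters lets you pass constructed objects for testing.
function Test-DcNetworkConfig {
    param(
        [object[]]$Adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration |
                                Where-Object { $_.IPEnabled })
    )
    $findings = @()
    if ($Adapters.Count -gt 1) {
        $findings += "INFO: $($Adapters.Count) IP-enabled adapters - this DC is multihomed."
    }
    $withGateway = @($Adapters | Where-Object { $_.DefaultIPGateway })
    if ($withGateway.Count -ne 1) {
        $findings += "WARN: expected exactly one adapter with a default gateway, found $($withGateway.Count)."
    }
    foreach ($a in $Adapters) {
        $name = $a.Description
        if ($a.DefaultIPGateway) {
            # Production adapter: it should register in DNS and prefer itself.
            $preferred = @($a.DNSServerSearchOrder)[0]
            if (-not $preferred) {
                $findings += "WARN: [$name] has no DNS servers configured."
            } elseif (@($a.IPAddress) -notcontains $preferred) {
                $findings += "WARN: [$name] preferred DNS server $preferred is not one of this DC's own addresses."
            }
            if (-not $a.FullDNSRegistrationEnabled) {
                $findings += "WARN: [$name] production adapter does not register in DNS."
            }
        } else {
            # Backup adapter: no gateway (true by construction here), no DNS servers,
            # and no DNS registration, otherwise clients may resolve the DC to the
            # backup subnet they cannot reach.
            if ($a.DNSServerSearchOrder) {
                $findings += "WARN: [$name] backup adapter has DNS servers set; leave them blank."
            }
            if ($a.FullDNSRegistrationEnabled) {
                $findings += "WARN: [$name] backup adapter registers in DNS; untick 'Register this connection's addresses in DNS'."
            }
        }
    }
    if ($findings.Count -eq 0) { $findings += 'OK: adapter configuration matches the recommendations.' }
    return $findings
}

# Constructed sample (not a real host): a two-NIC DC whose backup NIC still
# registers in DNS, the misconfiguration Rob's reply tells Jeff to fix.
$sampleAdapters = @(
    (New-Object PSObject -Property @{
        Description                = 'Production NIC'
        IPEnabled                  = $true
        IPAddress                  = @('10.0.1.10')
        DefaultIPGateway           = @('10.0.1.1')
        DNSServerSearchOrder       = @('10.0.1.10', '10.0.1.11')   # itself first
        FullDNSRegistrationEnabled = $true
    }),
    (New-Object PSObject -Property @{
        Description                = 'Backup NIC'
        IPEnabled                  = $true
        IPAddress                  = @('192.168.50.10')
        DefaultIPGateway           = $null
        DNSServerSearchOrder       = $null
        FullDNSRegistrationEnabled = $true                          # should be $false
    })
)

Test-DcNetworkConfig -Adapters $sampleAdapters
```

Running it on a real DC with no -Adapters argument audits the live configuration; the sample above produces one INFO line and one WARN about the backup NIC's DNS registration.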
RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Brian Desmond

I’ve got hundreds of sites/forests with multihomed DCs. It works
fine save for the browsing situation, but who uses that anyway? 



Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Al Mulnick
Sent: Wednesday, July 12, 2006 8:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

Personally, I've never used that configuration for a DC. Since being bitten in the NT 4.0 days (before that really, but hate to show the age :) I've had architectural reasons to not do that. Since AD is made up of a multi-master fabric, I have had no reason at all to require an isolated network dedicated to backups. I get the feeling in your case it's just a nice to have vs. a requirement since you have the hardware and figure why not put it to use. You'd be a rare exception if the size of the dit is large enough to require such a configuration. Saying that, is it possible? Most likely. Will it be difficult when/if you call for support for some other issue to explain to the engineer that you have a multi-homed DC? Most likely. Does it break the "keep it as simple as possible while meeting the requirements" rule? Most likely.

When you test this, as the others have mentioned, be sure to test the recoverability and the gotchas that come along with bringing up a recovered DC on a multi-homed machine. You'll want to have that documented and thoroughly tested so as not to have to deal with that when under pressure. You may also want to consider an alternative backup method that doesn't require a dedicated network to the DCs.

Just some random thoughts and my $.04 (USD) worth.

Al

On 7/12/06, Jeff Green [EMAIL PROTECTED] wrote:

Hi Guys,

Many thanks to all that have responded (and so quickly!)

Points / clarifications / additional Qs

a) DNS multihomed issues

Yes, found that in the MS KB about not registering this connection in DNS on the second NIC.

Also leave the gateway / DNS TCP/IP settings blank on the second NIC.

b) Browser Issues

Several things in MS KB about this and fixes (including hacking a registry if I remember correctly)

But would Browser issues affect AD operations - I'm talking about replication issues here?

c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3.

Sorry, should have stated this.

d) Backup

Using BackupExec, which allows binding of remote agents to specific NICs

Have I got everything covered - I can't believe this is an unusual configuration?

Many Thanks


RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

2006-07-12 Thread Brian Desmond

I think you meant Defending Security Infrastructures (DSI):
Las Vegas. 



Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Mark Parris
Sent: Wednesday, July 12, 2006 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

I can see a TV Show emerging here

DSI (Las Vegas)

If he was still alive Herve Villechaize could have played the lead, he used to be on Fantasy Island (Tattoo) and The Man with the Golden Gun (Nick Nack).

From:
joe [EMAIL PROTECTED]
Sent: 12 July 2006 16:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Oh F^%. I apologize in front of everyone for misspelling your name AGAIN, neil. I was so worked up over the topic of Defending Security Infrastructures that everything other than the topic of Defending Security Infrastructures completely slipped through my mind. Of course this would be much easier if you simply changed your first name to Neal then I would be right when I was wrong so when discussing topics such as Defending Security Infrastructures I would not mess up the spelling on your name. Again, I humbly ask your forgiveness[1] and apologize profusely and blame it all on the lack of definition of the term Defending Security Infrastructures[2].

So before I go on too much more about Defending Security Infrastructures and the webpage at http://blog.joeware.net/2006/07/11/445/ which tells you absolutely nothing about Defending Security Infrastructures, I will now close this note on Defending Security Infrastructures.

 joe

[1] That is serious. No excuse neil, I am quite sorry.

[2] Err so is that, but not as serious as [1] above.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, July 12, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Neal, you totally misunderstood. I said DO NOT READ that worthless
blog entry on Defending Security Infrastructures located at http://blog.joeware.net/2006/07/11/445/.

And then if you read the blog on Defending Security Infrastructures, I asked
for you to comment to the blog your thoughts on Defending Security Infrastructures.

This is neither the time to discuss Defending Security
Infrastructures nor the place to discuss Defending Security Infrastructures.

I personally haven't fully stepped into the Defending Security
Infrastructures space yet, though if I did I would probably look to the fine
folks at NetPro and Quest first to see their ideas on Defending Security
Infrastructures, and of course I would be obligated to look at Microsoft's
Defending Security Infrastructures solutions and also, as mentioned in one of
the blog comments, a key portion of the Defending Security Infrastructures
solution would be GPOs so I would look to GPOGuy for Defending Security
Infrastructures products as well.

 joe

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 12, 2006 3:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

So we can defend our security infras using either of 2 vapourware
solutions now :) cool!

Mr Tandon was there before you tho, joe :-^

neil

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 July 2006 03:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Gotta love that signature Tony... I promise not to disclose this
information to anyone. 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, July 11, 2006 9:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [List Owner] OOFs from Steven Comeau

Hi all

I have temporarily suspended Steven Comeau's subscription,
which should stop the out of office replies 

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Brian Desmond
I had a production environment which required hosts files to deal with
the confusing mechanism behind Cisco's Layer 4 load balancer blades
(CSMs). That was one of those if you didn't know about it (it being the
CSM and the hosts file solution we came up with) you'd probably never
figure it out type things.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of joe
 Sent: Wednesday, July 12, 2006 11:12 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Multihomed Domain Controllers
 
 But I hope we still have the option of doing so...  I use the hosts
 file on a regular basis to redirect the localhost name to the
 machine's IP instead of to 127.blah and then stick in route statements
 so all locally directed traffic bounces out to a router and back so I
 can look at the network traces of the traffic.
 
   joe
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
 CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Wednesday, July 12, 2006 11:41 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Multihomed Domain Controllers
 
 In the year 2006.. I hope we are still not making host file entries on
 servers and workstations  :-)
 
 Peter Johnson wrote:
 
  You might want to then create entries in the host file on the backup
  server so that you guarantee that the backup server always uses the
  right network connection.
 
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
  Sent: 12 July 2006 12:57
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Multihomed Domain Controllers
 
  No issues, if you...
 
  Go to the TCP/IP settings of the backup network card, click Advanced,
  go to the DNS tab and untick 'register the connection in DNS'.
 
  Cheers,
 
  Rob
 
  Robert Rutherford
  QuoStar Solutions Limited
  The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
  T: +44 (0) 8456 440 331  F: +44 (0) 8456 440 332  M: +44 (0) 7974 249 494
  E: [EMAIL PROTECTED]  W: www.quostar.com
 
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
  Sent: 12 July 2006 11:43
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Multihomed Domain Controllers
 
  Hi,
 
   First posting to this list but I've lurked quite a while and I've
   been very impressed by the quality of replies by the gurus.
 
   My question is regarding the advisability of having multihomed DCs.
   Basically I want to run backups over a separate GbE and as my servers
   have dual inbuilt NICs this seems an obvious route to take. I know
   there are some issues with DNS (I have a DNS integrated AD).
 
  Would this cause replication problems, etc ?
 
  Any other gotchas ?
 
 
 
  Many Thanks,
 
  ---
  Jeff Green
  Network Support Manager
  SAPIENS (UK) Ltd
  t: +44 (0)1895 464228 f: +44 (0)1895 463098
 
  I dream of hover cars and old transistor radios ... She dreams of
  flowers in a field of sunny bungalows
 
  Confidentiality Note: The information contained in this email and
  document(s) attached are for the exclusive use of the addressee and
  may contain confidential, privileged and non-disclosable information.
  If the recipient of this email is not the addressee, such recipient is
  strictly prohibited from reading, photocopying, distribution or
  otherwise using this email or its contents in any way.
 
  Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail
  immediately at [EMAIL PROTECTED], if you have received this
  email in error.
 
  Disclaimer: The views, opinions and guidelines contained in this
  confidential e-mail are those of the originating author and may not be
  representative of Sapiens (UK) Ltd.
 
 --
 Letting your vendors set your risk analysis these days?
 http://www.threatcode.com
 
 If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
 will hunt you down...
 http://blogs.technet.com/sbs
 

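Rob's fix above (untick DNS registration on the backup NIC) is the usual first step for a multihomed DC, but it only governs the DC's own host record; Netlogon publishes the domain-level records (the "same as parent folder" A records for the domain and for gc._msdcs) on its own. The PowerShell below is an added example, not code from anyone in this thread: it applies Rob's setting from the command line, then queries DNS for the three names clients actually use and reports any that still carry a backup-network address. Only if the domain-level names leak does it tell Netlogon to stop registering them from this DC. The adapter aliases 'Production' and 'Backup' and the domain corp.example.com are assumptions; the DnsClient cmdlets need Windows Server 2012 or later (on the 2003-era systems in the thread the equivalent is the adapter's Advanced TCP/IP DNS tab plus netsh).

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Assumed names: adapter aliases 'Production' and
# 'Backup', domain corp.example.com. Needs the DnsClient and NetTCPIP modules (Server 2012+).

$ProdAdapter   = 'Production'
$BackupAdapter = 'Backup'
$Domain        = 'corp.example.com'

function Set-BackupNicDnsRegistration {
    # Step 1: the checkbox Rob describes, per adapter. Only the production NIC may register
    # the DC's own host (A) and reverse (PTR) records.
    Set-DnsClient -InterfaceAlias $BackupAdapter -RegisterThisConnectionsAddress $false
    Set-DnsClient -InterfaceAlias $ProdAdapter   -RegisterThisConnectionsAddress $true
    Register-DnsClient   # same effect as ipconfig /registerdns
}

function Get-BackupAddresses {
    @((Get-NetIPAddress -InterfaceAlias $BackupAdapter -AddressFamily IPv4).IPAddress)
}

function Test-DcDnsLeak {
    # Step 2: ask DNS directly (-DnsOnly skips the hosts file and the local cache) which
    # addresses are published for each name. Returns the names that still carry a
    # backup-network address.
    param([string[]]$Names, [string[]]$BackupIPs)
    $leaks = @()
    foreach ($name in $Names) {
        $answers = Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction SilentlyContinue |
                   Where-Object { $_.QueryType -eq 'A' } |
                   Select-Object -ExpandProperty IPAddress
        $bad = @($answers | Where-Object { $BackupIPs -contains $_ })
        if ($bad.Count -gt 0) {
            $leaks += [pscustomobject]@{ Name = $name; BackupAddresses = ($bad -join ', ') }
        }
    }
    return $leaks
}

Set-BackupNicDnsRegistration
$backupIPs = Get-BackupAddresses
$dcFqdn    = ('{0}.{1}' -f $env:COMPUTERNAME, $Domain).ToLower()

# The adapter checkbox covers $dcFqdn only. Netlogon registers the domain-level
# records itself, so the domain name and gc._msdcs must be checked separately.
$domainLevel = @($Domain, "gc._msdcs.$Domain")
$leaks = Test-DcDnsLeak -Names (@($dcFqdn) + $domainLevel) -BackupIPs $backupIPs

if ($leaks.Count -eq 0) {
    Write-Host "No backup-network addresses published for $dcFqdn, $($domainLevel -join ', ')"
} else {
    $leaks | Format-Table -AutoSize
    if ($leaks.Name -contains $dcFqdn) {
        # A stale host record left by the backup adapter; the DNS client will not always
        # withdraw it. Remove it on the zone's DNS server, e.g.
        # Remove-DnsServerResourceRecord -ZoneName $Domain -RRType A -Name $env:COMPUTERNAME -RecordData <ip>
        Write-Warning "Stale host record for $dcFqdn; remove it from the zone or wait for scavenging."
    }
    if ($leaks.Name | Where-Object { $domainLevel -contains $_ }) {
        # Step 3: Netlogon's documented DnsAvoidRegisterRecords list. LdapIpAddress and
        # GcIpAddress are the mnemonics for the domain and gc._msdcs A records; with them
        # listed this DC stops publishing those records and the other DCs carry them.
        $nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Set-ItemProperty -Path $nl -Name DnsAvoidRegisterRecords -Type MultiString `
            -Value @('LdapIpAddress', 'GcIpAddress')
        Restart-Service Netlogon   # Netlogon deregisters its records on stop and re-registers on start
        Write-Warning 'Netlogon restarted; re-run Test-DcDnsLeak after a minute to confirm.'
    }
}
```

Two points worth keeping in mind when using this: the DnsAvoidRegisterRecords change is per DC and removes this DC from the domain-level records entirely, which is what you want only when there are other DCs on the production network to carry them; and if the DC also runs the DNS Server role, its listening addresses are a separate setting (dnscmd /ResetListenAddresses or the server's Interfaces tab) that this script does not touch.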
RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Brian Desmond
Hmm, this whole no surfing the web on DCs is potentially problematic if
you're Defending Security Infrastructures in your datacenter. You would
need to order the pizza whilst in the presence of your security
infrastructures which might be collocated with the domain controllers.
If you were to abandon your security infrastructures to order pizza, you
would no longer be defending security infrastructures in your
datacenter.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Kevin Brunson
 Sent: Wednesday, July 12, 2006 1:35 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Multihomed Domain Controllers
 
 I only surf on the big ones.  The small ones just don't catch the
 waves right.
 
 I don't even let them go to Windows Update.  WSUS connections
 configured through Group Policy are about as far as I want them to go
 to the internet.  The problem is users, and in many cases admins.  I
 get a server just right, go back to my office, and by the time I get
 back they've already installed 15 programs ending in zilla.
 
 And of course no self-respecting admin can get a $15 Citrix
 infrastructure without immediately giving every STINKING user a
 desktop.
 Forget published apps.  Forget everything that made it worth investing
 any money whatsoever, let's just give them a STINKING desktop.  Sorry,
 I guess I must have let all of my thinking about Defending Security
 Infrastructure get to my head.
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
 CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Wednesday, July 12, 2006 12:45 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Multihomed Domain Controllers
 
 You surf on your servers?
 
 My servers go to WU/MU...and maybe to Joe's blog for information on
 Defending Security Infrastructure..in fact they regularly hang out on
 Joe's blog for all the information I need to know on Defending Security
 Infrastructure.. in fact http://blog.joeware.net/2006/07/11/445/ that
 link is the home page so that I'm constantly reminded about Defending
 Security Infrastructure ..but other than that... they don't have
 antispyware because they don't go anywhere to get spyware and the
 Enhanced IE is still on there.
 
 Kevin Brunson wrote:
 
 I have definitely found the hosts file to be useful on servers to keep
 them from EVER getting to spyware sites.  This guy has a great list:
 http://pgl.yoyo.org/adservers/serverlist.php?showintro=0&hostformat=hosts
 
 Just cut and paste into the hosts file and you are good to go.  I
 scripted it for all of the servers I deal with.  But I guess this is
 getting pretty far OT: :) Kevin
 

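Kevin mentions scripting the blocklist into the hosts file on every server, and Peter earlier suggested hosts entries to pin the backup server to the right network. The PowerShell below is an added example, not Kevin's script or anything else from the thread, showing how to do both without clobbering whatever else is in the file: it owns one marked section of the hosts file and regenerates only that section on each run. The blocklist text is a constructed sample in the same format the yoyo.org list emits (in practice it would come from a vetted copy of that list), and the pinned name dc01.corp.example.com with address 10.10.99.11 is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not Kevin's script. Maintains one delimited, regenerable section of the
# hosts file: pinned names (Peter's backup-network case) plus a hosts-format blocklist
# (Kevin's case). Everything outside the markers is left exactly as found.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$BeginMark = '# BEGIN managed section (regenerated by script, do not edit by hand)'
$EndMark   = '# END managed section'

# Constructed sample in the format the yoyo.org list emits. Includes a case-only duplicate
# and a junk line so the normalisation below has something to do.
$BlocklistText = @'
# sample blocklist (constructed)
127.0.0.1  ads.example.net
127.0.0.1  tracker.example.org
127.0.0.1  Ads.Example.Net
not a valid hosts line
'@

# Names pinned to the backup network. Hypothetical DC name and address.
$Pinned = @{ 'dc01.corp.example.com' = '10.10.99.11' }

function ConvertTo-HostsEntries {
    # Normalises "<ip> <name>" pairs: strips comments, validates the address, lower-cases
    # the name, drops junk and duplicates. Pinned names are processed first so they win over
    # any blocklist entry for the same name. Returns the lines that go between the markers.
    param([string]$Blocklist, [hashtable]$PinnedNames)
    $candidates = @()
    foreach ($kv in $PinnedNames.GetEnumerator()) { $candidates += ,@($kv.Value, $kv.Key) }
    foreach ($line in $Blocklist -split "`r?`n") {
        $clean = ($line -replace '#.*$', '').Trim()
        if ($clean -match '^(\S+)\s+(\S+)$') { $candidates += ,@($matches[1], $matches[2]) }
    }
    $seen = @{}
    $out  = New-Object System.Collections.Generic.List[string]
    foreach ($c in $candidates) {
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($c[0], [ref]$ip)) { continue }
        $name = $c[1].ToLowerInvariant()
        if ($seen.ContainsKey($name)) { continue }
        $seen[$name] = $true
        $out.Add(('{0,-16}{1}' -f $ip.IPAddressToString, $name))
    }
    return $out
}

function Update-HostsFile {
    # Rewrites the file as: everything outside the old managed section, then the new section.
    param([string]$Path, [string[]]$Entries)
    $existing = if (Test-Path $Path) { @(Get-Content -Path $Path) } else { @() }
    $kept = New-Object System.Collections.Generic.List[string]
    $inside = $false
    foreach ($l in $existing) {
        if ($l -eq $BeginMark) { $inside = $true; continue }
        if ($l -eq $EndMark)   { $inside = $false; continue }
        if (-not $inside) { $kept.Add($l) }
    }
    $content = @($kept) + @($BeginMark) + @($Entries) + @($EndMark)
    # The resolver wants plain ANSI/ASCII with no BOM; -Encoding Ascii guarantees that.
    Set-Content -Path $Path -Value $content -Encoding Ascii
    Clear-DnsClientCache   # so the new mappings take effect without waiting for cached answers to age out
}

$entries = ConvertTo-HostsEntries -Blocklist $BlocklistText -PinnedNames $Pinned
Update-HostsFile -Path $HostsPath -Entries $entries
Write-Host ("Wrote {0} managed entries to {1}" -f $entries.Count, $HostsPath)
```

Two caveats a practitioner would add: a hosts entry bypasses DNS completely, so a pinned DC address that later changes breaks backups silently until someone remembers the file (record the pin in the change log, and consider 0.0.0.0 rather than 127.0.0.1 for blocklist entries so blocked names fail fast instead of hitting a local web server); and on older Windows releases the DNS Client service loads the whole hosts file into its cache, so a list of tens of thousands of entries noticeably slows name resolution on the box.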
RE: [ActiveDir] SFTP with AD Auth

2006-07-12 Thread Brian Desmond

VShell's product works well.

I got Kerberos cooking on RHEL4 with lib_krb5.so as the PAM.
Works like a charm. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Lucas, Bryan
Sent: Wednesday, July 12, 2006 2:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SFTP with AD Auth

We're just now rolling into production with Globalscape's
product. Mixed feelings about it.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Paul Glenn
Sent: Wednesday, July 12, 2006 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SFTP with AD Auth

I just thought I'd poll everyone to see what is being used as an SFTP
server. Because of the politics of the arena here, the server will have
to be on a member server and not on a DC itself - which I can't think
would make much of a difference.

The users will be accessing their home dirs only. I've found a couple of
packages just by doing some google searches: 

FreeSTP doesn't look like it works unless it's actually on a DC.
Although I haven't confirmed that yet. 

SSH Secure Shell (which is now SSH TecTIA) at first glance looks like
you need their client to connect to the server. I'd really like to stay
with something that works with most free SFTP clients (Filezilla, WinSCP,
Etc). 

I've found a few more, but I thought (like I said) I would
get a poll just to see what others used.

Thanks,
Paul

-- 
***
I've got a fever and the only prescription is more
cowbell. -- Christopher Walken
***