RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Brian Desmond

I don’t deploy any servers which are connected to a monitoring
system that calls me at night or calls my manager without fault-tolerant NIC
teaming. Inevitably it will be my fault when the network team crashes a
supervisor in a 6509 or a line card dies. I have no second thoughts about using
a $250 switchport as a failover port. Some shops I’ve found the network guys
expect this from my part so it’s not their problem when a NIC dies or a cable
gets screwed up or whatever. Conversely I’ve dealt with network teams and
systems people who haven’t the faintest clue how teaming works and go ballistic
when they hear it. It won’t cause spanning tree issues (most popular network
team myth I’ve heard), it doesn’t require setting up an etherchannel (you can’t
have an etherchannel span switches), and it doesn’t require four IOS commands
and three TAC calls to make it work. It also doesn’t crash switches, create
broadcast loops, flood segments, etc.

I’ve deployed thousands of network connections with HPQ,
Broadcom, and Intel teaming software and have not had issues yet. On clusters I
always team across the onboard and PCI NIC for the redundancy. DCs and other
stuff without a PCI NIC I just team the two ports for switch fault tolerance.
This is also an easy way to see if your network people didn’t follow directions
on the cross connects – if the team negotiates a 200 Mbps or 2 Gbps connection,
they’re on the same switch, and quite likely the same line card.

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, July 12, 2006 8:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

I've not had good luck with teaming and I've yet to see much
benefit. Saying that, I can see where teaming in a failover method might
have some benefits for other types of servers. Due to the way AD is
deployed (fabric vs. cluster or single instance) I see no point in making
anything complex when it comes to a domain controller. I view teaming as
one more piece of software to configure (and potentially mess up) and one more
thing in my troubleshooting list if something goes amiss.

On 7/12/06, Freddy HARTONO [EMAIL PROTECTED] wrote:

Don't mean to hijack this thread but on a similar note -
what's the downside for installing DCs with Adapter Teaming?

All I know is that when adapter teaming is enabled, setting up the WINS
service pops up an error message (which can be ignored)... but
anything else? I've always been a firm believer of one NIC and no
teaming...

Any comments?

Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on
servers and workstations :-)

Peter Johnson wrote:

 You might want to then create entries in the host file on the backup
 server so that you guarantee that the backup server always uses the
 right network connection.

 --

 *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of *Robert Rutherford
 *Sent:* 12 July 2006 12:57
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Multihomed Domain Controllers

 No issues, if you...

 Go to the TCP/IP settings of the backup network card, click Advanced,
 go to the DNS tab and untick "Register the connection in DNS".

 Cheers,

 Rob

 *Robert Rutherford*
 *QuoStar Solutions Limited*
 The Enterprise Pavilion
 Fern Barrow
 Wallisdown
 Poole
 Dorset
 BH12 5HH
 *T:* +44 (0) 8456 440 331
 *F:* +44 (0) 8456 440 332
 *M:* +44 (0) 7974 249 494
 *E:* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
 *W:* www.quostar.com http://www.quostar.com

 --

 **From:** [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of *Jeff Green
 *Sent:* 12 July 2006 11:43
 *To:* ActiveDir@mail.activedir.org
 *Subject:* [ActiveDir] Multihomed Domain Controllers

 Hi,

 First posting to this list but I've lurked quite a while and I've
 been very impressed by the quality of replies by the gurus.

 My question is regarding the advisability of having multihomed
Re: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

2006-07-13 Thread Mark Parris
I did indeed, but I was trying to introduce another acronym to the IT almanac, 
Defending Security Infrastructures DSI it is then.

Boss, Boss, the DSI boss.



-Original Message-
From: Brian Desmond [EMAIL PROTECTED]
Date: Thu, 13 Jul 2006 11:01:49 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

I think you meant Defending Security Infrastructures (“DSI”): Las Vegas.

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, July 12, 2006 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

I can see a TV Show emerging here

DSI (Las Vegas)

If he was still alive Herve Villechaiz could have played the lead, he used to
be on Fantasy Island (Tattoo) and the man with the Golden Gun (Nick Nack).

From: joe [EMAIL PROTECTED]
Sent: 12 July 2006 16:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Oh F^%. I apologize in front of everyone for misspelling your name AGAIN, neil.
I was so worked up over the topic of Defending Security Infrastructures that
everything other than the topic of Defending Security Infrastructures
completely slipped through my mind. Of course this would be much easier if you
simply changed your first name to Neal then I would be right when I was wrong
so when discussing topics such as Defending Security Infrastructures I would not
mess up the spelling on your name. Again, I humbly ask your forgiveness[1] and
apologize profusely and blame it all on the lack of definition of the
term Defending Security Infrastructures[2].

So before I go on too much more about Defending Security Infrastructures and
the webpage at http://blog.joeware.net/2006/07/11/445/ which tells you
absolutely nothing about Defending Security Infrastructures, I will now close
this note on Defending Security Infrastructures.

joe

[1] That is serious. No excuse neil, I am quite sorry.

[2] Err so is that, but not as serious as [1] above.

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

Do not read this worthless blog entry on Defending Security Infrastructures -
http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn
absolutely nothing about Defending Security Infrastructures.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, July 12, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Neal, you totally misunderstood. I said DO NOT READ that worthless blog entry
on Defending Security Infrastructures located at
http://blog.joeware.net/2006/07/11/445/.

And then if you read the blog on Defending Security Infrastructures, I asked
for you to comment to the blog your thoughts on Defending Security
Infrastructures.

This is neither the time to discuss Defending Security Infrastructures nor the
place to discuss Defending Security Infrastructures.

I personally haven't fully stepped into the Defending Security Infrastructures
space yet, though if I did I would probably look to the fine folks at NetPro
and Quest first to see their ideas on Defending Security Infrastructures, and
of course I would be obligated to look at Microsoft's Defending Security
Infrastructures solutions and also as mentioned in one of the blog comments, a
key portion of the Defending Security Infrastructures solution would be GPOs so
I would look to GPOGuy for Defending Security Infrastructures products as well.

joe

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

Do not read this worthless blog entry on Defending Security Infrastructures -
http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn
absolutely nothing about Defending Security Infrastructures.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 12, 2006 3:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

So we can defend our security infras using either of 2 vapourware solutions now
:) cool!

Mr Tandon was there before you tho, joe :-^

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 July 2006 03:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Gotta love that signature Tony... I promise not to disclose this information to
anyone.

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

Do not read

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Ken Schaefer
Can't your spyware just change/delete the host entries again? Or use an IP
address (or do you configure static routes for the subnets that the IP
addresses reside in that those host entries point to?)

Has this tactic ever helped anyone in a spyware-on-the-server situation?
(except possibly in a SOHO situation where the server's been treated like a
desktop?)

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Sydney: learn all about IIS 7.0 - See you there!


: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Kevin Brunson
: Sent: Thursday, 13 July 2006 3:00 AM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Multihomed Domain Controllers
: 
: I have definitely found the hosts file to be useful on servers to keep
: them from EVER getting to spyware sites.  This guy has a great list:
: http://pgl.yoyo.org/adservers/serverlist.php?showintro=0&hostformat=hosts
: 
: Just cut and paste into the hosts file and you are good to go.  I
: scripted it for all of the servers I deal with.  But I guess this is
: getting pretty far OT: :)
: Kevin
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
: CPA aka Ebitz - SBS Rocks [MVP]
: Sent: Wednesday, July 12, 2006 10:41 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Multihomed Domain Controllers
: 
: In the year 2006.. I hope we are still not making host file entries on
: servers and workstations  :-)
: 
: Peter Johnson wrote:
: 
:  You might want to then create entries in the host file on the backup
:  server so that you guarantee that the backup server always uses the
:  right network connection.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
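Kevin's cut-and-paste deployment and Ken's objection are two halves of one point: a hosts-file blocklist on a server is only worth something if you can tell when it has been altered, because anything running as SYSTEM can rewrite the file as easily as your script did. The script below is an added example for this page, not Kevin's script. It writes the list into a marked section of the hosts file so that repeated runs stay idempotent (and a shortened upstream list actually shortens yours), returns a SHA-256 fingerprint of the deployed file to store somewhere the server cannot touch, and later reports whether the file still matches. The two entries are constructed sample lines; the real list (the pgl.yoyo.org hosts format is one "127.0.0.1 host" per line) is fed in the same way. Needs PowerShell 4 or later for Get-FileHash and an elevated prompt.

```powershell
# Added example, not Kevin's script. The two entries are constructed sample
# lines; the downloaded list would be passed as $Entries in the same shape.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Begin     = '# BEGIN managed-blocklist'
$End       = '# END managed-blocklist'
$Entries   = @('127.0.0.1 ads.example', '127.0.0.1 tracker.example')  # constructed

function Set-ManagedBlocklist {
    param([string]$Path, [string[]]$Lines)
    $current = if (Test-Path $Path) { @(Get-Content $Path) } else { @() }
    # Drop any earlier managed section so re-running never duplicates entries.
    $keep    = New-Object System.Collections.Generic.List[string]
    $inBlock = $false
    foreach ($line in $current) {
        if ($line -eq $Begin) { $inBlock = $true;  continue }
        if ($line -eq $End)   { $inBlock = $false; continue }
        if (-not $inBlock)    { $keep.Add($line) }
    }
    $out = @($keep) + @($Begin) + $Lines + @($End)
    Set-Content -Path $Path -Value $out -Encoding Ascii
    # Fingerprint of the file as deployed; keep it off the box, e.g. in the
    # monitoring system, so a compromised server cannot "fix" the baseline too.
    (Get-FileHash -Path $Path -Algorithm SHA256).Hash
}

function Test-ManagedBlocklist {
    param([string]$Path, [string]$ExpectedHash)
    if (-not (Test-Path $Path)) { Write-Warning "$Path is missing"; return $false }
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedHash) {
        Write-Warning "$Path differs from the deployed baseline (expected $ExpectedHash, got $actual)"
        return $false
    }
    return $true
}

$baseline = Set-ManagedBlocklist -Path $HostsPath -Lines $Entries
# Later, from a scheduled task or your monitoring agent, with $baseline
# retrieved from wherever you stored it:
Test-ManagedBlocklist -Path $HostsPath -ExpectedHash $baseline
```

The fingerprint check does not stop the rewrite Ken describes; it turns a silent loss of the control into an alert, which is the most a hosts file can give you. Malware that carries IP addresses instead of names never consults the file at all, and on a server that should not be browsing in the first place an egress proxy or firewall rule is the stronger control; the hosts list is belt-and-braces.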


Re: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

2006-07-13 Thread Mark Parris
I quite like the oxymoron - 

Attacking Defending Security Infrastructures

Perhaps we could call it - ADSI for short? 
-Original Message-
From: Mark Parris [EMAIL PROTECTED]
Date: Thu, 13 Jul 2006 06:17:04 
To:ActiveDir.org ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

I did indeed, but I was trying to introduce another acronym to the IT almanac, 
Defending Security Infrastructures DSI it is then.

Boss, Boss, the DSI boss.




RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread neil.ruston

One point that is nearly always overlooked is the following, if a DC points to
itself for DNS name res:

The DNS server service starts *after* NETLOGON, at startup.
The DNS server service stops *before* NETLOGON, at shutdown.

i.e.

at startup netlogon cannot register DNS records on the local machine until the
DNS server starts (record reg may fail or be stalled / time out).

at shutdown or during a demotion netlogon cannot un-register DNS records on the
local machine since DNS server has stopped (demotion will leave DC records
intact).

For these reasons alone - I always recommend that a DC points to another (local)
DNS server (not necessarily a DC) and then itself as secondary (or maybe even
tertiary).

my 2 penneth,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 13 July 2006 02:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

You don't work at the post office do you? ;)


There are many many many ways to properly configure DNS. One
thing that helps is to think of the terms client and server vs. preferred and
alternate only. You are configuring a preferred server and an alternate server
that you want this DC to be a client of.

DNS is a standard.Windows 2003 DNS follows those standards 
(comments really, but let's not pick right?) Microsoft has done some 
enhancements above and beyond that make DNS play very well in the Microsoft 
sphere[1]. You can however have DNS that is a third party DNS system, such 
as BIND. Active Directory plays very well with such third party DNS 
systems. You could have your domain controllers not have any DNS hosted on 
them at all. You could have it hosted, but as a secondary zone. You 
could also have it AD integrated meaning that you have a listener for DNS but 
the data(base) is stored in the active directory. 

Something to clarify: what you're talking about is making the DC a *client* 
to another DNS server that hosts the zones. You're also talking about 
making dc1 a client of dc2 and vice versa. That's silly, but I'll get to 
that. 

If you have your dns hosted on a third party system such as BIND, you'll 
have one server as the primary (not best practice, but you get the idea; in 
practice you'd have multiple for failure tolerance wan traffic optimization) and 
your DC would be a client of that system. 

If you have a traditional DNS hierarchy that has primary and secondary 
transfers, you would be mimicking BIND topology and again could configure your 
DC's to be clients of the BIND or Microsoft DNS servers. 

If you have the DNS AD-Integrated, then after initial replication you
should have the client configured to use itself as the DNS server. That'd
be the best practice. Before 2003 you could have an "island effect" where 
because you didn't have a full picture of the directory, you might not have all 
the records needed to fully *see* the entire DNS names list effectively creating 
an island of a DC. In 2003 some additional code was put in to make sure 
that doesn't happen. You need to be a client of a working DNS to join the 
domain and to find the other DC's when you get promoted. After replication 
completes, you have a full list and there's no need to continue as a client of a 
server that has the same information you do. 

So, what's silly about having your server configured to be a client of a 
dns server that has the same information? I find it amusing that if the 
server wants to find something he'll ask his neighbor if he has the information 
when he could just ask himself. It's brain dead in my opinion and very 
difficult to troubleshoot. In addition, and more importantly it breaks the idea 
of a fabric design because now dc1 and dc2 are reliant on each other to be 
operational. If either is down, both are down and that's ridiculous considering 
how easy it is to prevent that situation. But wait! you say? He should try the 
partner first and if that fails use himself right? Yes but. :) He'll 
try the neighbor first, because that's the preferred. He'll also register
there etc. The worst part is that if he tries the partner and the partner 
is not completely dead, he'll not try himself even if he has the right 
information. 

Now, will it work? Yes. Is it a good idea? Absolutely not and shows a 
lack of understanding on the part of the folks that deployed it. From the sounds 
of it, an unwillingness to fix the underlying issues that led them there as 
well. On the other hand, they're spot on if it's W2K vs. K3 :) 

Does that help? 


[1] unless you like a granular audit logging. But that's neither
here nor there.

On 7/12/06, Victor W. [EMAIL PROTECTED] wrote:

  Today a conversation at my job came up
  about setting the preferred DNS server on the NIC of a DC with DNS
  installed.
  For as far as I know it's best
  to point the DC (with DNS installed) to itself for DNS by specifying
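Neil's ordering (a peer first, itself second) and Al's (itself first, once AD-integrated replication has completed) are both just a two-element DNS server list; what decides whether either is safe is whether the Netlogon locator records actually exist on every server the DC will query, including its own. The script below is an added example for this page and is not from either poster. It sets Neil's order, forces Netlogon to re-register, and then asks each configured server for the _ldap._tcp.dc._msdcs SRV record that names this DC. The interface alias, the peer address and the domain name are assumptions; it needs the DnsClient cmdlets (Windows Server 2012 or later) and an elevated prompt.

```powershell
# Added example, not from the thread. Interface alias, peer address and
# domain name are assumptions; run elevated on the DC.
$Nic    = 'Ethernet'
$PeerDc = '10.0.0.11'         # another DNS server in the same site (assumed)
$Domain = 'corp.example'
$SelfIP = (Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4).IPAddress |
          Select-Object -First 1

# Neil's order: a peer first, this DC second. Al's order for a 2003+ DC with
# AD-integrated zones would be @($SelfIP, $PeerDc); everything else is the same.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses @($PeerDc, $SelfIP)
Get-DnsClientServerAddress -InterfaceAlias $Nic -AddressFamily IPv4

# Netlogon registers the locator records at startup, possibly before the local
# DNS server is listening (Neil's point). Force a registration now, then ask
# every server on the list whether the SRV record naming this DC is there.
nltest /dsregdns | Out-Null
$me = "$env:COMPUTERNAME.$Domain".ToLower()
foreach ($server in @($PeerDc, $SelfIP)) {
    $srv  = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                            -Server $server -DnsOnly -ErrorAction SilentlyContinue
    $mine = $srv | Where-Object { $_.NameTarget -and $_.NameTarget.TrimEnd('.').ToLower() -eq $me }
    if ($mine) { "$server : locator SRV record for this DC present" }
    else       { "$server : locator SRV record for this DC MISSING" }
}
```

A DC that points only at itself and boots before its DNS server is listening typically logs Netlogon event 5774 (dynamic registration failed) and then retries on its own; the loop above is the quick way to confirm the retry succeeded rather than assuming it. If the peer reports the record and the DC itself does not, replication of the AD-integrated zone, not registration, is the thing to chase next.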

Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread victor-w
Al,

This sure helped, we are by the way indeed talking about W2K DC's.

Victor

- Original Message -
From: Al Mulnick [EMAIL PROTECTED]
Date: Thursday, July 13, 2006 3:58 am
Subject: Re: [ActiveDir] Always point a DC with DNS installed to
itself as the preferred DNS server...always?

 You don't work at the post office do you? ;)

 There are many many many ways to properly configure DNS.  One thing that
 helps is to think of the terms client and server vs. preferred and
 alternate only. You are configuring a preferred server and an alternate
 server that you want this DC to be a client of.

 DNS is a standard.  Windows 2003 DNS follows those standards (comments
 really, but let's not pick right?)  Microsoft has done some enhancements
 above and beyond that make DNS play very well in the Microsoft sphere[1].
 You can however have DNS that is a third party DNS system, such as BIND.
 Active Directory plays very well with such third party DNS systems.  You
 could have your domain controllers not have any DNS hosted on them at all.
 You could have it hosted, but as a secondary zone.  You could also have it
 AD integrated meaning that you have a listener for DNS but the data(base) is
 stored in the active directory.

 Something to clarify: what you're talking about is making the DC a
 *client* to another DNS server that hosts the zones.  You're also talking
 about making dc1 a client of dc2 and vice versa.  That's silly, but I'll
 get to that.

 If you have your dns hosted on a third party system such as BIND, you'll
 have one server as the primary (not best practice, but you get the idea; in
 practice you'd have multiple for failure tolerance wan traffic optimization)
 and your DC would be a client of that system.

 If you have a traditional DNS hierarchy that has primary and secondary
 transfers, you would be mimicking BIND topology and again could configure
 your DC's to be clients of the BIND or Microsoft DNS servers.

 If you have the DNS AD-Integrated, then after initial replication you
 should have the client configured to use itself as the DNS server.  That'd be
 the best practice.  Before 2003 you could have an island effect where
 because you didn't have a full picture of the directory, you might not have
 all the records needed to fully *see* the entire DNS names list effectively
 creating an island of a DC.  In 2003 some additional code was put in to make
 sure that doesn't happen.  You need to be a client of a working DNS to join
 the domain and to find the other DC's when you get promoted.  After
 replication completes, you have a full list and there's no need to continue
 as a client of a server that has the same information you do.

 So, what's silly about having your server configured to be a client of a dns
 server that has the same information?  I find it amusing that if the server
 wants to find something he'll ask his neighbor if he has the information
 when he could just ask himself.  It's brain dead in my opinion and very
 difficult to troubleshoot. In addition, and more importantly it breaks the
 idea of a fabric design because now dc1 and dc2 are reliant on each other to
 be operational. If either is down, both are down and that's ridiculous
 considering how easy it is to prevent that situation. But wait! you say? He
 should try the partner first and if that fails use himself right?  Yes but.
 :)  He'll try the neighbor first, because that's the preferred.  He'll also
 register there etc.  The worst part is that if he tries the partner and the
 partner is not completely dead, he'll not try himself even if he has the
 right information.

 Now, will it work? Yes.  Is it a good idea? Absolutely not and shows a lack
 of understanding on the part of the folks that deployed it. From the sounds
 of it, an unwillingness to fix the underlying issues that led them there as
 well. On the other hand, they're spot on if it's W2K vs. K3 :)

 Does that help?

 [1] unless you like a granular audit logging.  But that's neither here nor
 there.
 
 On 7/12/06, Victor W. [EMAIL PROTECTED] wrote:
 
   Today a conversation at my job came up about setting the 
 preferred DNS
  server on the NIC of a DC with DNS installed.
  For as far as I know it's best to point the DC (with DNS 
 installed) to
  itself for DNS by specifying the internal IP address of the DC 
 as the
  preferred DNS
  server on the NIC.
 
  Then I was told that this is not always necessary and this 
 puzzled me a
  bit.
 
  Not everybody was convinced of the above and this got me 
 thinking. Some
  people are claiming that it doesnt really matter if you set that 
 DC to
  be the *preferred* or the *alternate* DNS server.
 
  I was then showed an environment where all DC's in a child 
 domain (all had
  DNS installed), had the same DNS server set as preferred DNS server.
 
  Perhaps an example will make it more clear:
 
  a forest root domain with 4 

[ActiveDir] AD Sites Rename

2006-07-13 Thread James Carter

Hi,

I need to rename some of my AD Sites, is this likely to cause any issues I am
unaware of? I use DFS if that's any help. Windows 2003 Single Domain/Forest FFL.

thanks James

RE: [ActiveDir] Acqusition of 2003 Forest - options & experiences

2006-07-13 Thread Myrick, Todd \(NIH/CC/DCRI\) [E]

I can vouch for the Aelita/Quest Migration
tools and say they are pretty good for NT to AD migrations, and AD to AD
migrations. There was a lot of innovation in the space a couple years ago,
but I think most of the solutions today are pretty stable and offer comparable
features. The value of third-party tools is that with some you can get around
certain group limitations, password migration issues, and workstation
provisioning.

Here is a tip, when evaluating, ask what
APIs they use for achieving their migration functions. Some vendors
just write Project Management Code around the MS APIs, others take a
more unique approach and develop their own APIs to give
you more flexibility.

One more thing, several of the vendors
only offer professional services instead of access to their software, due to
the fact a lot of time you pretty much needed their expertise on site anyway.
I encourage you to have an open mind about that, but also not just assume
everything is magic.

Good luck,

Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 12, 2006 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Acqusition of 2003 Forest - options & experiences

I think you'd be doing yourself a favor to at least
look into Quest Software's tools including Migration Manager for Active
Directory. While I haven't used that particular tool I have used several of
their other tools including their Domain Migration Wizard to move from NT4 to
2000/2003 with much success. They really reduce the workload in my experience
and they have so much experience that they are less likely to miss something
than if you try to do it manually =)

Andrew Fidel

Danny [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/12/2006 01:18 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] Acqusition of 2003 Forest - options & experiences

A company with an independent 2003 Forest has been acquired. They
have Exchange 2003 and a Citrix server. We have a similar
configuration minus Citrix. The goal is obviously to migrate key AD
objects, mailboxes, and servers into our 2003 forest.

I understand that ADMT is often the right tool for the job, but I
would greatly appreciate hearing your personal experiences and any
caveats that you may have run into. And is it the only tool you need?

I am off to read some MS docs on the topic and specifically ADMT.
Hopefully I am able to contribute back to the list.

Thanks,

...D

Re: [ActiveDir] Planning for the future

2006-07-13 Thread Paul Williams
If you create a new domain in your forest for this requirement, and in the 
future they are bought by another company, then your only supported option 
is to migrate to the new or existing forest on the other side.


It is probably easier, and safer, to create a new forest with an external 
trust.  When they are then sold, you simply agree a date and time when the 
trust is severed and the comms equipment decomissioned.



--Paul

- Original Message - 
From: Larry Wahlers [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Wednesday, July 12, 2006 6:18 PM
Subject: [ActiveDir] Planning for the future



Esteemed colleagues,

We have a radio station that is currently part of our denomination that
we want to finally put on our network. They are located about 20 miles
from our headquarters. However, there has been talk for many, many years
about selling off this radio station, but that hasn't come to pass yet.

My question is, if we put them in their own domain in our existing
forest, would that make it easier to get them into their own forest if
they should some day no longer be a part of us? If not, what's the best
way to plan for a possible future in which these 30 people might no
longer be working for us?

Many thanks in advance.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
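Paul's design (a separate forest for the station, an external trust to ours, and a trust severed on an agreed date if the station is sold) reduces on the day to a handful of netdom operations, shown below as an added example for this page; it is not Paul's own procedure. The domain names and the administrator accounts are assumptions. SID filtering is already on by default for external trusts created on Windows Server 2003 and later; the /quarantine line re-asserts it, since a trusted domain you may one day hand to strangers is exactly the one whose SID history you do not want honoured in your forest.

```powershell
# Added example, not from the thread. Domain and account names are assumptions;
# run from a DC or admin workstation in our forest with the RSAT tools installed.
$Ours   = 'synod.example'    # our existing forest root (assumed)
$Theirs = 'radio.example'    # the station's own, separate forest (assumed)
$UserD  = "$Theirs\Administrator"   # account in the trusted (their) domain
$UserO  = "$Ours\Administrator"     # account in the trusting (our) domain

# Day 1: two-way external trust between the two forest roots. The '*' makes
# netdom prompt for each password instead of leaving it in shell history.
netdom trust $Ours "/d:$Theirs" /add /twoway "/UserD:$UserD" /PasswordD:* "/UserO:$UserO" /PasswordO:*

# Keep SID filtering (quarantine) on, so SIDs carried in their accounts'
# sIDHistory are ignored when their users authenticate to our resources.
netdom trust $Ours "/d:$Theirs" /quarantine:yes "/UserD:$UserD" /PasswordD:* "/UserO:$UserO" /PasswordO:*

# Whenever you need to know the trust still works, and before the sale:
netdom trust $Ours "/d:$Theirs" /verify "/UserD:$UserD" /PasswordD:* "/UserO:$UserO" /PasswordO:*

# Sale day: remove the trust on both sides, then decommission the link.
netdom trust $Ours "/d:$Theirs" /remove /twoway "/UserD:$UserD" /PasswordD:* "/UserO:$UserO" /PasswordO:*
```

Because the station's objects never lived in our forest, nothing has to be migrated out on sale day: removing the trust and pulling the circuit is the whole decommissioning, which is the point Paul is making. Any resource on our side that was granted to their groups should be reviewed beforehand, since those ACL entries turn into orphaned SIDs once the trust is gone.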


Re: [ActiveDir] SFTP with AD Auth

2006-07-13 Thread Paul Williams



The last place I worked, we used WinSSH for this purpose. Trivial to set up 
and cheap (about $100 / £65). This allows you to tunnel FTP and use Windows 
auth. There are also additional options to allow some additional access 
control, e.g. only specific groups can use the tunnel, etc.

If I remember correctly, this is the product:
-- http://www.bitvise.com/winsshd.html?gclid=CKWM-InFjoYCFQx2QgodciAEsA


--Paul

  - Original Message - 
  From: Paul Glenn
  To: ActiveDir@mail.activedir.org
  Sent: Wednesday, July 12, 2006 6:46 PM
  Subject: [ActiveDir] SFTP with AD Auth

  I just thought I'd poll everyone to see what is being used as a SFTP 
  server. Because of the politics of the arena here, the server will have 
  to be on a member server and not on a DC itself - which I can't think would 
  make much of a difference. The users will be accessing their home dirs 
  only. I've found a couple of packages just by doing some google 
  searches: 

  FreeSTP doesn't look like it works unless it's actually on a DC. Although 
  I haven't confirmed that yet. 

  SSH Secure Shell (which is now SSH TecTIA) at first glance looks like you 
  need their client to connect to the server. I'd really like to stay with 
  something that works with most free SFTP clients (Filezilla, WinSCP, Etc). 

  I've found a few more, but I thought (like I said) I would get a 
  poll just to see what others used.

  Thanks,
  Paul
  -- 
  *** "I've got a fever and the only prescription is more cowbell." 
  -- Christopher Walken ***
  


RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Jeff Green
 
Well, I don't think the driving factor is the size of the IT operation
in terms of # DC's necessarily.

In my small environment (3 x DC, 1 x Exchange, 2 x Fileserver, 1 x
Sharepoint), the factors are

My client facing network is 100 Mbs Ethernet
Major vendor's servers have come with inbuilt dual GbE NICs for
the last 3+ years
GbE switches are now ridiculously cheap
Backup software supports this configuration (some vendors
recommend this config, as noted by other replies)
Uniform configuration, I backup Exchange, file servers, etc
using this configuration.

So I guess you could look at it as a poor man's SAN.

From my perspective it seems a reasonable thing to do.
 
---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228 f: +44 (0)1895 463098

I dream of hover cars and old transistor radios ... she dreams of
flowers in a field of sunny bungalows


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kurt Falde
Sent: 12 July 2006 16:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

So how many DC's do you have? What is your DIT size like to warrant
going through all this trouble? Are there other applications that you
need to backup on the DC's that are requiring full backups of all your
DC's.  With most environments getting the system state from a DC/GC in
each domain should be enough to allow you to do whatever authoritative
restores that you need. Now if you have other apps that you need to do a
large data backups of then this may be required.  Yes you can do
multiple nic's on DC's and quite a few organizations do however it
definitely would not fall under best practices for Domain Controllers.

Kurt Falde
Premier Field Engineer
Northeast Region
Microsoft Corporation

[deleted]

Confidentiality Note: The information contained in this email and document(s) 
attached are for the exclusive use of the addressee and may contain 
confidential, privileged and non-disclosable information. If the recipient of 
this email is not the addressee, such recipient is strictly prohibited from 
reading, photocopying, distribution or otherwise using this email or its 
contents in any way.

Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail 
immediately at [EMAIL PROTECTED], if you have received this email in error.

Disclaimer: The views, opinions and guidelines contained in this confidential 
e-mail are those of the originating author and may not be representative of 
Sapiens (UK) Ltd.



RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Robert Rutherford
Jeff,

If you back them up over the client-facing LAN conn or over your Gb
back-end I wouldn't have any concerns. If you want to just standardise
your setup then just go for it.

Cheers.

Rob

Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:   +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com  



Re: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Paul Williams
We team everything.  It seems stupid not to.  Use fault tolerance only (as 
opposed to load balancing) and you've got additional resiliency.  FT works 
fine with different paths, e.g. different switches.



--Paul

- Original Message - 
From: Freddy HARTONO [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, July 13, 2006 2:02 AM
Subject: RE: [ActiveDir] Multihomed Domain Controllers



Don't mean to hijack this thread but on a similar note - what's the
downside for installing DCs with Adapter Teaming?

All I know is that when adapter teaming is enabled, setting up the WINS
service will pop an error message (which can be ignored)...but
anything else? I've always been a firm believer of one nic and no
teaming...

Any comments?


Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on
servers and workstations  :-)

Peter Johnson wrote:


You might want to then create entries in the host file on the backup
server so that you guarantee that the backup server always uses the
right network connection.



--

*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Robert Rutherford
*Sent:* 12 July 2006 12:57
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Multihomed Domain Controllers

No issues, if you...

Go to the TCP/IP settings of the backup network card, click advanced,
go to the DNS tab and untick register the connection in DNS.

Cheers,

Rob

*Robert Rutherford*
*QuoStar Solutions Limited*
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
*T:* +44 (0) 8456 440 331
*F:* +44 (0) 8456 440 332
*M:* +44 (0) 7974 249 494
*E:* [EMAIL PROTECTED]
*W:* www.quostar.com

--





*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Jeff Green
*Sent:* 12 July 2006 11:43
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've
been very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs.
Basically I want to run backups over a separate GbE and as my servers
have dual inbuilt NICs this seems an obvious route to take. I know there
are some issues with DNS (I have a DNS integrated AD).

Would this cause replication problems, etc ?

Any other gotchas ?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228 f: +44 (0)1895 463098

I dream of hover cars and old transistor radios ... She dreams of
flowers in a field of sunny bungalows




--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread neil.ruston
FWIW - I too have teamed NICs in FT mode on DCs on many occasions and
have never experienced any issues. 

The NIC driver only presents one NIC to the OS so I don't see why that
should cause an issue. The FT aspects are transparent to the OS.

neil 



Re: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread AFidel

Yeah except the fact that thin clients
have about twice the useful life, are less prone to failure by virtue of
having no moving parts, and use a fraction of the power. There's still
a TCO argument to be made, but the initial outlay argument is gone.

Andrew Fidel






Matt Hargraves [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/12/2006 04:46 PM

Please respond to ActiveDir@mail.activedir.org

To: ActiveDir@mail.activedir.org
cc:
Subject: Re: [ActiveDir] Multihomed Domain Controllers

Not so sure I agree with that. Thin clients work
just fine, require less maintenance and can be replaced in 5 minutes, vs.
the 3 hour argument that you'll get if you try replacing someone's desktop
because they saved 19 items that have nothing to do with their job
on the local hard drive. 

Then again, desktops are about as expensive nowadays as thin clients, so
the justification for thin clients isn't what it used to be.


RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Rocky Habeeb



Brian,

Could you please explain to me 
what you mean by "save for the browsing situation, but who uses that 
anyway?" Are you saying that your networks don't have browse 
masters? How do people find resources then?

Thanks.

RH
___

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
  Sent: 13 July, 2006 1:29 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Multihomed Domain Controllers
  
  I've got hundreds of sites/forests with multihomed DCs. It works fine save for the 
  browsing situation, but who uses that anyway? 
  
  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]
  
  c - 312.731.3132
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: Wednesday, July 12, 2006 8:36 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Multihomed Domain Controllers
  
  
  Personally, I've never used that configuration for a 
  DC. Since being bit in the nt4.0 days (before that really, but hate to 
  show the age :) I've had architectural reasons to not do that. Since AD 
  is made up of a multi-master fabric, I have had no reason at all to require an 
  isolated network dedicated to backups. I get the feeling in your case 
  it's just a nice to have vs. a requirement since you have the hardware and 
  figure why not put it to use. You'd be a rare exception if the size of 
  the dit is large enough to require such a configuration. Saying that, is 
  it possible? Most likely. Will it be difficult when/if you call for 
  support for some other issue to explain to the engineer that you have a 
  multi-homed DC? Most likely. Does it break the "keep it as simple as 
  possible while meeting the requirements?" rule? Most likely. 
  
  When you test this, as the others have mentioned, be sure 
  to test the recoverability and the gotchas that come along with bringing up a 
  recovered DC on a multi-homed machine. You'll want to have that 
  documented and thoroughly tested so as not to have to deal with that when 
  under pressure. You may also want to consider an alternative backup 
  method that doesn't require a dedicated network to the DC's. 
  
  
  
  
  Just some random thoughts and my $.04 (USD) worth. 
  
  
  
  
  Al
  
  On 7/12/06, Jeff Green [EMAIL PROTECTED] wrote: 
  
  Hi Guys,
  
  Many thanks to all that have responded (and so quickly !)
  
  Points / clarifications / additional Qs
  
  a) DNS multihomed issues
  
  Yes, found that in the MS KB about not "registering this connection in DNS" on the 
  second NIC.
  
  Also leave the gateway / DNS TCP/IP settings blank on the second NIC.
  
  b) Browser Issues
  
  Several things in MS KB about this and fixes (including hacking a registry if I 
  remember correctly)
  
  But would Browser issues affect AD operations - I'm talking about replication 
  issues here ?
  
  c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3.
  
  Sorry should have stated this.
  
  d) Backup
  
  Using BackupExec, which allows binding of remote agents to specific NICs
  
  Have I got everything covered - I can't believe this is an unusual configuration ?
  
  Many Thanks
  
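The two backup-NIC settings Jeff lists above (no DNS registration, no gateway or DNS servers) and Robert's "untick register the connection in DNS" advice can be audited on a DC with the following PowerShell check, added here and not part of the thread. It assumes Windows Server 2012 or later (NetTCPIP and DnsClient modules), that it runs locally on the DC, and that the AD-facing adapter is the one carrying the IPv4 default gateway; the function name Get-DcAdapterAudit is my own.

```powershell
# Added example, not from the thread. Audits the adapters of a multihomed
# domain controller: every Up adapter without a default gateway is treated as a
# backup NIC and must not register in DNS, must have no DNS servers set, and
# must not appear among the A records DNS publishes for this host.
# Assumptions: run locally on the DC; Windows Server 2012 or later; exactly one
# adapter (the AD-facing one) carries the IPv4 default gateway.

function Get-DcAdapterAudit {
    [CmdletBinding()]
    param(
        # FQDN whose A records are compared with the backup adapter addresses.
        [string]$HostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )

    $adapters = foreach ($nic in (Get-NetAdapter | Where-Object Status -eq 'Up')) {
        $idx = $nic.InterfaceIndex
        # PrefixOrigin 'WellKnown' covers APIPA (169.254.x.x) style addresses; skip them.
        $ips = @(Get-NetIPAddress -InterfaceIndex $idx -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                 Where-Object { $_.PrefixOrigin -ne 'WellKnown' } |
                 Select-Object -ExpandProperty IPAddress)
        if ($ips.Count -eq 0) { continue }

        $ipCfg  = Get-NetIPConfiguration -InterfaceIndex $idx
        $dnsCli = Get-DnsClient -InterfaceIndex $idx
        $dnsSrv = @((Get-DnsClientServerAddress -InterfaceIndex $idx -AddressFamily IPv4).ServerAddresses)

        [pscustomobject]@{
            Name       = $nic.Name
            IPv4       = $ips
            HasGateway = [bool]$ipCfg.IPv4DefaultGateway
            Registers  = [bool]$dnsCli.RegisterThisConnectionsAddress   # the "register in DNS" tick box
            DnsServers = $dnsSrv
        }
    }

    $adapters = @($adapters)
    $findings = New-Object System.Collections.Generic.List[string]

    if ($adapters.Count -lt 2) {
        $findings.Add('Single-homed: only one adapter carries an IPv4 address.')
        return [pscustomobject]@{ Adapters = $adapters; Findings = $findings }
    }

    $frontEnd = @($adapters | Where-Object HasGateway)
    if ($frontEnd.Count -ne 1) {
        $findings.Add("Expected exactly one adapter with a default gateway, found $($frontEnd.Count).")
    }

    $backup = @($adapters | Where-Object { -not $_.HasGateway })
    foreach ($nic in $backup) {
        if ($nic.Registers) {
            $findings.Add("Backup NIC '$($nic.Name)' still registers its addresses in DNS.")
        }
        if ($nic.DnsServers.Count -gt 0) {
            $findings.Add("Backup NIC '$($nic.Name)' has DNS servers set ($($nic.DnsServers -join ', ')); leave them blank.")
        }
    }

    # What DNS actually hands out for this host: a backup address published here
    # is what clients and replication partners may try to reach the DC on.
    $published = @(Resolve-DnsName -Name $HostFqdn -Type A -DnsOnly -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'A' } |
                   Select-Object -ExpandProperty IPAddress)
    foreach ($nic in $backup) {
        foreach ($ip in $nic.IPv4) {
            if ($published -contains $ip) {
                $findings.Add("Backup address $ip of '$($nic.Name)' is published as an A record for $HostFqdn.")
            }
        }
    }

    [pscustomobject]@{ Adapters = $adapters; Findings = $findings }
}

$audit = Get-DcAdapterAudit
$audit.Adapters | Format-Table Name, @{n='IPv4'; e={ $_.IPv4 -join ', ' }}, HasGateway, Registers,
                               @{n='DnsServers'; e={ $_.DnsServers -join ', ' }} -AutoSize
if ($audit.Findings.Count -eq 0) { 'No findings.' } else { $audit.Findings }
```

A stale A record for the backup address can survive after registration is turned off, which is why the published-record check is kept separate from the adapter settings.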

Re: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Al Mulnick
Yeah, I figured you'd have a different experience with nic teaming. :)
On 7/13/06, Brian Desmond [EMAIL PROTECTED] wrote:




I don't deploy any servers which are connected to a monitoring system that calls me at night or calls my manager without fault-tolerant NIC teaming. Inevitably it will be my fault when the network team crashes a supervisor in a 6509 or a line card dies. I have no second thoughts about using a $250 switchport as a failover port. Some shops I've found the network guys expect this from my part so it's not their problem when a NIC dies or a cable gets screwed up or whatever. Conversely I've dealt with network teams and systems people who haven't the faintest clue how teaming works and go ballistic when they hear it. It won't cause spanning tree issues (most popular network team myth I've heard), it doesn't require setting up an etherchannel (you can't have an etherchannel span switches), and it doesn't require four IOS commands and three TAC calls to make it work. It also doesn't crash switches, create broadcast loops, flood segments, etc. 


I've deployed thousands of network connections with HPQ, Broadcom, and Intel teaming software and have not had issues yet. On clusters I always team across the onboard and PCI NIC for the redundancy. DCs and other stuff without a PCI NIC I just team the two ports for switch fault tolerance. This is also an easy way to see if your network people didn't follow directions on the cross connects – if the team negotiates a 200mbps or 2gbps connection, they're on the same switch, and quite likely the same line card





Thanks,
Brian Desmond
[EMAIL PROTECTED]


c - 312.731.3132





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, July 12, 2006 8:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers





I've not had good luck with teaming and I've yet to see much benefit. Saying that, I can see where teaming in a failover method might have some benefits for other types of servers. Due to the way AD is deployed (fabric vs. cluster or single instance) I see no point in making anything complex when it comes to a domain controller. I view teaming as one more piece of software to configure (and potentially mess up) and one more thing in my troubleshooting list if something goes amiss. 







Re: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Al Mulnick
I think the term is BAN in this case. ;-)




Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread Al Mulnick
In that case, then you won't want to make the host a client of itself. Then you would/could run into the island effect. 

When you get to R2, you'll want to weigh Neil's comments and see how that plays in your environment. 

Al
On 7/13/06, [EMAIL PROTECTED] wrote:
Al,

This sure helped, we are by the way indeed talking about W2K DC's.

Victor

- Original message -
From: Al Mulnick [EMAIL PROTECTED]
Date: Thursday, July 13, 2006 3:58 am
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

 You don't work at the post office do you? ;)

 There are many many many ways to properly configure DNS. One thing that helps is to think of the terms client and server vs. preferred and alternate only. You are configuring a preferred server and an alternate server that you want this DC to be a client of.

 DNS is a standard. Windows 2003 DNS follows those standards (comments really, but let's not pick right?) Microsoft has done some enhancements above and beyond that make DNS play very well in the Microsoft sphere[1]. You can however have DNS that is a third party DNS system, such as BIND. Active Directory plays very well with such third party DNS systems. You could have your domain controllers not have any DNS hosted on them at all. You could have it hosted, but as a secondary zone. You could also have it AD integrated meaning that you have a listener for DNS but the data(base) is stored in the active directory.

 Something to clarify: what you're talking about is making the DC a *client* to another DNS server that hosts the zones. You're also talking about making dc1 a client of dc2 and vice versa. That's silly, but I'll get to that.

 If you have your dns hosted on a third party system such as BIND, you'll have one server as the primary (not best practice, but you get the idea; in practice you'd have multiple for failure tolerance wan traffic optimization) and your DC would be a client of that system.

 If you have a traditional DNS hierarchy that has primary and secondary transfers, you would be mimicking BIND topology and again could configure your DC's to be clients of the BIND or Microsoft DNS servers.

 If you have the DNS AD-Integrated, then after initial replication you should have the client configured to use itself as the DNS server. That'd be the best practice. Before 2003 you could have an "island effect" where because you didn't have a full picture of the directory, you might not have all the records needed to fully *see* the entire DNS names list effectively creating an island of a DC. In 2003 some additional code was put in to make sure that doesn't happen. You need to be a client of a working DNS to join the domain and to find the other DC's when you get promoted. After replication completes, you have a full list and there's no need to continue as a client of a server that has the same information you do.

 So, what's silly about having your server configured to be a client of a dns server that has the same information? I find it amusing that if the server wants to find something he'll ask his neighbor if he has the information when he could just ask himself. It's brain dead in my opinion and very difficult to troubleshoot. In addition, and more importantly it breaks the idea of a fabric design because now dc1 and dc2 are reliant on each other to be operational. If either is down, both are down and that's ridiculous considering how easy it is to prevent that situation. But wait! you say? He should try the partner first and if that fails use himself right? Yes but. :) He'll try the neighbor first, because that's the preferred. He'll also register there etc. The worst part is that if he tries the partner and the partner is not completely dead, he'll not try himself even if he has the right information.

 Now, will it work? Yes. Is it a good idea? Absolutely not and shows a lack of understanding on the part of the folks that deployed it. From the sounds of it, an unwillingness to fix the underlying issues that led them there as well. On the other hand, they're spot on if it's W2K vs. K3 :)

 Does that help?

 [1] unless you like a granular audit logging. But that's neither here nor there.

 On 7/12/06, Victor W. [EMAIL PROTECTED] wrote:

  Today a conversation at my job came up about setting the preferred DNS server on the NIC of a DC with DNS installed.

  For as far as I know it's best to point the DC (with DNS installed) to itself for DNS by specifying the internal IP address of the DC as the preferred DNS server on the NIC.

  Then I was told that this is not always necessary and this puzzled me a bit.

  Not everybody was convinced of the above and this got me thinking. Some people are claiming that it doesn't really matter if you set that DC to be the *preferred* or the *alternate* DNS server.

  I was then showed an environment where all DC's in a child domain (all had DNS installed), had the same DNS server set as preferred DNS server.

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Almeida Pinto, Jorge de
In the Windows Server System Reference Architecture (WSSRA) Microsoft
states:

At this time, Microsoft does not support load balanced network teams on
domain controllers due to potential data corruption issues (Taken from
the Directory Services Blueprint - page 29)
 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
Paul Williams
Sent: Thursday, July 13, 2006 13:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

We team everything.  It seems stupid not to.  Use fault 
tolerance only (as opposed to load balancing) and you've got 
additional resiliency.  FT works fine with different paths, 
e.g. different switches.


--Paul

- Original Message -
From: Freddy HARTONO [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, July 13, 2006 2:02 AM
Subject: RE: [ActiveDir] Multihomed Domain Controllers


 Don't mean to hijack this thread but on a similar note - what's the
 downside for installing DCs with Adapter Teaming?

 All I know is that when adapter teaming is enabled, setting up WINS
 service will pop an error message (which can be ignored)...but
 anything else? I've always been a firm believer of one nic and no
 teaming...

 Any comments?


 Thank you and have a splendid day!

 Kind Regards,

 Freddy Hartono
 Group Support Engineer
 InternationalSOS Pte Ltd
 mail: [EMAIL PROTECTED]
 phone: (+65) 6330-9785


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
Susan Bradley,
 CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Wednesday, July 12, 2006 11:41 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Multihomed Domain Controllers

 In the year 2006.. I hope we are still not making host file entries on
 servers and workstations  :-)

 Peter Johnson wrote:

 You might want to then create entries in the host file on the backup
 server so that you guarantee that the backup server always uses the
 right network connection.



 

 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Robert
 Rutherford
 *Sent:* 12 July 2006 12:57
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Multihomed Domain Controllers



 No issues, if you...



 Go to the TCP/IP settings of the backup network card, click advanced,
 go to the DNS tab and untick register the connection in DNS.



 Cheers,



 Rob

 Robert Rutherford
 QuoStar Solutions Limited
 The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
 T: +44 (0) 8456 440 331  F: +44 (0) 8456 440 332  M: +44 (0) 7974 249 494
 E: [EMAIL PROTECTED]  W: www.quostar.com






 **From:** [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Jeff Green
 *Sent:* 12 July 2006 11:43
 *To:* ActiveDir@mail.activedir.org
 *Subject:* [ActiveDir] Multihomed Domain Controllers

 Hi,

 First posting to this list but I've lurked quite a while and I've
 been very impressed by the quality of replies by the gurus.

 My question is regarding the advisability of having multihomed DCs.
 Basically I want to run backups over a separate GbE and as my servers have
 dual inbuilt NICs this seems an obvious route to take. I know there
 are some issues with DNS (I have a DNS integrated AD).

 Would this cause replication problems, etc ?

 Any other gotchas ?



 Many Thanks,

 ---
 Jeff Green
 Network Support Manager
 SAPIENS (UK) Ltd
 t: +44 (0)1895 464228 f: +44 (0)1895 463098

 I dream of hover cars and old transistor radios ... She dreams of
 flowers in a field of sunny bungalows


 


 --
 Letting your vendors set your risk analysis these days?
 http://www.threatcode.com

 If you are a SBSer and you don't subscribe to the SBS 
Blog... man ... I
 will hunt you down...
 http://blogs.technet.com/sbs
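Rob's step (untick DNS registration on the backup adapter) and Jeff's replication worry both come down to which addresses end up in DNS for the DC. The script below is an added example, not code from the thread or from Microsoft: it applies that setting with the current DnsClient cmdlets and then audits the zone for records that still carry the backup address. The adapter aliases Production and Backup and the zone corp.example.com are assumptions.

```powershell
# Added example (not from the thread): keep a multihomed DC's backup NIC out of
# DNS and verify that nothing in the zone still advertises the backup address.
# Adapter aliases and the zone name are assumptions for illustration. Needs the
# DnsClient/NetTCPIP cmdlets (Windows Server 2012+) and the DnsServer module on
# the DC; run elevated.
param(
    [string]$ProdNic   = 'Production',       # assumed alias of the LAN adapter
    [string]$BackupNic = 'Backup',           # assumed alias of the backup-LAN adapter
    [string]$Zone      = 'corp.example.com'  # assumed AD domain / DNS zone
)

# 1. Backup adapter: the "Register this connection's addresses in DNS" tick box.
#    Windows Server 2003 equivalent:
#      netsh interface ip set dns name="Backup" source=static addr=none register=none
Set-DnsClient -InterfaceAlias $BackupNic -RegisterThisConnectionsAddress $false

# 2. Production adapter keeps registering; refresh its records now.
Set-DnsClient -InterfaceAlias $ProdNic -RegisterThisConnectionsAddress $true
Register-DnsClient

# 3. Audit. Clients and replication partners reach the DC through its host A
#    record (the _msdcs GUID CNAME points at it) and through the "same as parent"
#    A records at the zone apex, so check both names.
function Get-BackupAddressLeaks {
    param([string]$BackupNic, [string]$Zone)
    $backupIPs = @((Get-NetIPAddress -InterfaceAlias $BackupNic -AddressFamily IPv4).IPAddress)
    $fqdn  = "$env:COMPUTERNAME.$Zone"
    $leaks = @()
    foreach ($name in @($fqdn, $Zone)) {
        $answers = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress -in $backupIPs }
        # foreach statement, not ForEach-Object: += inside a script block would
        # create a new local $leaks and silently lose the result.
        foreach ($a in $answers) {
            $leaks += [pscustomobject]@{ Name = $name; Address = $a.IPAddress }
        }
    }
    $leaks
}

$leaks = Get-BackupAddressLeaks -BackupNic $BackupNic -Zone $Zone
if (-not $leaks) {
    Write-Host 'No DC records point at the backup network.'
} else {
    # Records registered before step 1 stay until scavenged; delete them on the server.
    $leaks | Format-Table -AutoSize
    foreach ($leak in $leaks) {
        Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
            Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $leak.Address } |
            Remove-DnsServerResourceRecord -ZoneName $Zone -Force
    }
}
```

Run the audit again after the next Netlogon restart. If the zone-apex record keeps coming back, Netlogon rather than the DNS client is registering it, and the knob for that is the DC Locator policy "DC Locator DNS records not registered by the DCs" (the DnsAvoidRegisterRecords value under Netlogon\Parameters, mnemonic LdapIpAddress). A leaked backup address in the host A record is exactly what would make a replication partner try the wrong segment, which is the failure Jeff is asking about.
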

 List info 

RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread Deji Akomolafe



Not unless you make Netlogon dependent on DNS in the startup order. That should be a standard practice.



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: [EMAIL PROTECTED]
Sent: Thu 7/13/2006 1:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

One point that is nearly always overlooked is the following, if a DC points to itself for DNS name res:

The DNS server service starts *after* NETLOGON, at startup
The DNS server service stops *before* NETLOGON, at shutdown

i.e. 
at startup netlogon cannot register DNS records on the local machine until the DNS server starts (record registration may fail or be stalled / time out). 
at shutdown or during a demotion netlogon cannot un-register DNS records on the local machine since DNS server has stopped (demotion will leave DC records intact).

For these reasons alone - I always recommend that a DC points to another (local) DNS server (not necessarily a DC) and then itself as secondary (or maybe even tertiary).

my 2 penneth,
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 13 July 2006 02:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

You don't work at the post office do you? ;)


There are many many many ways to properly configure DNS. One thing that helps is to think of the terms client and server vs. preferred and alternate only. You are configuring a preferred server and an alternate server that you want this DC to be a client of. 

DNS is a standard. Windows 2003 DNS follows those standards (comments really, but let's not pick right?) Microsoft has done some enhancements above and beyond that make DNS play very well in the Microsoft sphere[1]. You can however have DNS that is a third party DNS system, such as BIND. Active Directory plays very well with such third party DNS systems. You could have your domain controllers not have any DNS hosted on them at all. You could have it hosted, but as a secondary zone. You could also have it AD integrated meaning that you have a listener for DNS but the data(base) is stored in the active directory. 

Something to clarify: what you're talking about is making the DC a *client* to another DNS server that hosts the zones. You're also talking about making dc1 a client of dc2 and vice versa. That's silly, but I'll get to that. 

If you have your dns hosted on a third party system such as BIND, you'll have one server as the primary (not best practice, but you get the idea; in practice you'd have multiple for failure tolerance wan traffic optimization) and your DC would be a client of that system. 

If you have a traditional DNS hierarchy that has primary and secondary transfers, you would be mimicking BIND topology and again could configure your DC's to be clients of the BIND or Microsoft DNS servers. 

If you have the DNS AD-Integrated, then after initial replication you should have the client configured to use itself as the DNS server. That'd be the best practice. Before 2003 you could have an "island effect" where because you didn't have a full picture of the directory, you might not have all the records needed to fully *see* the entire DNS names list effectively creating an island of a DC. In 2003 some additional code was put in to make sure that doesn't happen. You need to be a client of a working DNS to join the domain and to find the other DC's when you get promoted. After replication completes, you have a full list and there's no need to continue as a client of a server that has the same information you do. 

So, what's silly about having your server configured to be a client of a dns server that has the same information? I find it amusing that if the server wants to find something he'll ask his neighbor if he has the information when he could just ask himself. It's brain dead in my opinion and very difficult to troubleshoot. In addition, and more importantly it breaks the idea of a fabric design because now dc1 and dc2 are reliant on each other to be operational. If either is down, both are down and that's ridiculous considering how easy it is to prevent that situation. But wait! you say? He should try the partner first and if that fails use himself right? Yes but. :) He'll try the neighbor first, because that's the preferred. He'll also register there etc. The worst part is that if he tries the partner and the partner is not completely dead, he'll not try himself even if he has the right information. 

Now, will it work? Yes. Is it a good idea? Absolutely not and shows a lack of understanding on the part of the folks that deployed it. From the 
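To make Neil's startup-order point and Deji's fix concrete, the PowerShell below is an added example, not code from either of them. It adds the DNS Server service to Netlogon's dependency list without clobbering the existing entries (sc config depend= replaces the whole list, which is the usual mistake), and prints each adapter's preferred and alternate DNS servers so you can see whether the DC points to itself first, to a partner first, or lists itself nowhere. Service and registry names are the standard Windows ones; the -Apply switch is an illustration aid so the script changes nothing unless asked.

```powershell
# Added example (not from the thread). Implements Deji's suggestion (Netlogon
# depends on the DNS Server service) so a DC that points to itself can register
# its records at startup, and reports each adapter's DNS client order.
# Standard service/registry names only; -Apply is an illustration aid.
# Run elevated on the DC.
param([switch]$Apply)

function Get-NetlogonDependencies {
    # DependOnService is REG_MULTI_SZ and comes back as a string array.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon'
    $v = Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue
    @($v.DependOnService | Where-Object { $_ })
}

function Add-NetlogonDnsDependency {
    param([switch]$Apply)
    $deps = Get-NetlogonDependencies
    if ($deps -contains 'DNS') {
        Write-Host 'Netlogon already depends on DNS.'
        return $deps
    }
    # "sc config depend=" REPLACES the list, so carry the existing dependencies
    # (normally LanmanWorkstation and LanmanServer) across; entries are '/'-separated.
    $newDeps = $deps + 'DNS'
    $arg = $newDeps -join '/'
    if ($Apply) {
        # 'sc' on its own is the Set-Content alias in PowerShell, hence sc.exe.
        sc.exe config Netlogon depend= $arg | Out-Null
    } else {
        Write-Host "Would run: sc.exe config Netlogon depend= $arg"
    }
    $newDeps
}

function Get-DcDnsClientOrder {
    # Windows Server 2012+ cmdlets; on 2003 read "ipconfig /all" instead.
    $self = @((Get-NetIPAddress -AddressFamily IPv4).IPAddress) + '127.0.0.1'
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object {
            [pscustomobject]@{
                Interface       = $_.InterfaceAlias
                Preferred       = $_.ServerAddresses[0]
                Alternates      = ($_.ServerAddresses | Select-Object -Skip 1) -join ', '
                PreferredIsSelf = $_.ServerAddresses[0] -in $self
                SelfListed      = [bool]($_.ServerAddresses | Where-Object { $_ -in $self })
            }
        }
}

Add-NetlogonDnsDependency -Apply:$Apply | Out-Null
Get-DcDnsClientOrder | Format-Table -AutoSize

# Once DNS is up, force the DC locator records to (re)register instead of
# waiting for Netlogon's next cycle:
#   nltest /dsregdns
```

As Neil says, this is a service-ordering change, so test it. After applying, sc.exe qc Netlogon should list DNS under DEPENDENCIES, and neither DNS nor anything it depends on (sc.exe qc DNS, sc.exe qc NTDS) may depend on Netlogon, or the Service Control Manager rejects the start with error 1059 (circular dependency). With Neil's alternative layout (partner first, self second) the table above shows PreferredIsSelf false and SelfListed true, which is a quick way to confirm every DC in a site was built the same way.
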

[ActiveDir] ADSIEdit, Exchange and Assistants

2006-07-13 Thread AdamT

Dear font of all knowledge,

I remember reading a thread a while back about changing the value of
the 'assistant' field, using ADSIEdit.

Somebody's asked me to do this today, so I've given it a go, and
copied/pasted the DN from one user to the other's 'assistant' field -
but the change doesn't appear to be showing in people's Outlook
clients.  I've checked on a freshly installed Outlook client, just to
be sure there's no cached data, and looking at the user's GAL
properties still shows the assistant field as blank.

Am I missing something here?  Is that not the same assistant field
that Exchange 2K/2K3 would be looking at?  Is there something else I
need to do to enable usage of this field?

Thanks in advance,

--
AdamT
If it truly were the thought that counted, more women would be pregnant - anon


RE: [ActiveDir] Planning for the future

2006-07-13 Thread Deji Akomolafe



A separate forest for a 30-user environment that may (or may not) be sold at some point in the future? What would that give you -except unneeded complications, over-engineering and heart burns? Just dump the objects into an OU and be done with it. If you end up selling that entity later, you've only got 30 (or maybe 50 now) users to migrate.





From: Paul Williams
Sent: Thu 7/13/2006 3:47 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Planning for the future
If you create a new domain in your forest for this requirement, and in the 
future they are bought by another company, then your only supported option 
is to migrate to the new or existing forest on the other side.

It is probably easier, and safer, to create a new forest with an external 
trust.  When they are then sold, you simply agree a date and time when the 
trust is severed and the comms equipment decommissioned.


--Paul

- Original Message - 
From: "Larry Wahlers" [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, July 12, 2006 6:18 PM
Subject: [ActiveDir] Planning for the future


 Esteemed colleagues,

 We have a radio station that is currently part of our denomination that
 we want to finally put on our network. They are located about 20 miles
 from our headquarters. However, there has been talk for many, many years
 about selling off this radio station, but that hasn't come to pass yet.

 My question is, if we put them in their own domain in our existing
 forest, would that make it easier to get them into their own forest if
 they should some day no longer be a part of us? If not, what's the best
 way to plan for a possible future in which these 30 people might no
 longer be working for us?

 Many thanks in advance.

 -- 
 Larry Wahlers
 Concordia Technologies
 The Lutheran Church - Missouri Synod
 mailto:[EMAIL PROTECTED]
 direct office line: (314) 996-1876



RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Kevin Brunson
Really the advantage is that the server can not easily get to the
spyware to begin with.  The list is basically a list of spyware and
adware servers on the internet, but the addresses are all pointed at
127.0.0.1.

Here's a few lines : 
127.0.0.1 007arcadegames.com
127.0.0.1 101com.com
127.0.0.1 101order.com
127.0.0.1 123banners.com
127.0.0.1 123found.com

If you hit a site that wants to go to one of these servers (with a
pop-up for example) the server tries to talk back to itself.  If it
is running on a web server, it is especially funny.  I had a client once
who thought his web site had been hacked.  He was surfing the web from
one of his web servers, and every time he went to cnn.com it popped up a
copy of HIS site on the screen.  It took me a while to explain to him
through the laughter what was happening.  I think I finally convinced
him to stop surfing from his server farm.  

Once the spyware is on the server, it is way too late for this kind of
defense.  At that point you are going to have to go to some active
process to get rid of it.  

Kevin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Thursday, July 13, 2006 1:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Can't your spyware just change/delete the host entries again? Or use an IP
address (or do you configure static routes for the subnets that the IP
addresses reside in that those host entries point to?)

Has this tactic ever helped anyone in a spyware-on-the-server situation?
(except possibly in a SOHO situation where the server's been treated like a
desktop?)

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Sydney: learn all about IIS 7.0 - See you there!


: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Kevin Brunson
: Sent: Thursday, 13 July 2006 3:00 AM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Multihomed Domain Controllers
: 
: I have definitely found the hosts file to be useful on servers to keep
: them from EVER getting to spyware sites.  This guy has a great list :
:
: http://pgl.yoyo.org/adservers/serverlist.php?showintro=0&hostformat=hosts
: 
: Just cut and paste into the hosts file and you are good to go.  I
: scripted it for all of the servers I deal with.  But I guess this is
: getting pretty far OT: :)
: Kevin
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Susan
Bradley,
: CPA aka Ebitz - SBS Rocks [MVP]
: Sent: Wednesday, July 12, 2006 10:41 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Multihomed Domain Controllers
: 
: In the year 2006.. I hope we are still not making host file entries on
: servers and workstations  :-)
: 
: Peter Johnson wrote:
: 
:  You might want to then create entries in the host file on the backup
:  server so that you guarantee that the backup server always uses the
:  right network connection.



Re: [ActiveDir] ADSIEdit, Exchange and Assistants

2006-07-13 Thread AdamT

Nevermind - figured it out myself after finding an account with N/A
in the field- the correct field is called 'telephoneAssistant', and is
a freetext input, rather than a DN.



[ActiveDir] OT: A Picture is worth a 1000 words... Computer Security Related

2006-07-13 Thread Myrick, Todd (NIH/CC/DCRI) [E]

http://www.ranum.com/security/computer_security/calendar/



Sorry to spam all your inboxes with this,
but It is pretty amusing and given the number of security discussions we get in
here, I figured it was worth passing on. I wonder if we as a group could come
up with ones for AD security.



Enjoy



Todd

RE: [ActiveDir] Planning for the future

2006-07-13 Thread Larry Wahlers
Many thanks, everybody. The big meeting is today at 1:30 CDT. The
determining factor, I believe, will probably be cost right now. So, we
will probably follow the advice of some folks here and just make them an
OU. If they get sold, we'll get the buyers to pay for the migration :)
But, of course, I don't decide those things. The players at the meeting
do.

Thanks again for your assistance, folks.

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876


Re: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Paul Williams
Yes, I can imagine MSFT using that as a get out of jail card as that is 
specifying NLB teaming and not FT teaming.  FT teaming is fine as you're 
only using one NIC at any given time.



--Paul

- Original Message - 
From: Almeida Pinto, Jorge de [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, July 13, 2006 2:54 PM
Subject: RE: [ActiveDir] Multihomed Domain Controllers



In the Windows Server System Reference Architecture (WSSRA) Microsoft
states:

At this time, Microsoft does not support load balanced network teams on
domain controllers due to potential data corruption issues (Taken from
the Directory Services Blueprint - page 29)





RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Deji Akomolafe



You prolly have the outdated one, Jorge :)

I've written and read materials that speak to MS actively supporting NIC Teaming on DCs. I believe that the latest WSSRA DC Build Guide has NIC Teaming in it.

Generally, though, my designs tend to preach simplicity and NIC Team on DC and I fail to see the necessity of doing this on DCs unless you only manage single-DC infrastructures.





From: Almeida Pinto, Jorge de
Sent: Thu 7/13/2006 6:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers
In the "Windows Server System Reference Architecture" (WSSRA) Microsoft
states:

"At this time, Microsoft does not support load balanced network teams on
domain controllers due to potential data corruption issues" (Taken from
the Directory Services Blueprint - page 29)
 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
Paul Williams
Sent: Thursday, July 13, 2006 13:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

We team everything.  It seems stupid not too.  Use fault 
tolerance only (as opposed to load balancing) and you've got 
additional resilliency.  FT works fine with different paths, 
e.g. different switches.


--Paul

- Original Message -
From: "Freddy HARTONO" [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, July 13, 2006 2:02 AM
Subject: RE: [ActiveDir] Multihomed Domain Controllers


 Don't mean to hijack this thread but on a similar note - whats the
 downside for installing DCs with Adapter Teaming?

 All I know is that when adapter teaming is enabled, setting up WINS
 service will pops and error message (which can be ignored)...but
 anything else? I've always been a firm believer of one nic and no
 teaming...

 Any comments?


 Thank you and have a splendid day!

 Kind Regards,

 Freddy Hartono
 Group Support Engineer
 InternationalSOS Pte Ltd
 mail: [EMAIL PROTECTED]
 phone: (+65) 6330-9785


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
Susan Bradley,
 CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Wednesday, July 12, 2006 11:41 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Multihomed Domain Controllers

 In the year 2006.. I hope we are still not making host 
file entries on
 servers and workstations  :-)

 Peter Johnson wrote:

 You might want to then create entries in the host file on 
the backup
 server so that you guarantee that the backup server 
always uses the
 right network connection.



 
-
-
 --

 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Robert
 Rutherford
 *Sent:* 12 July 2006 12:57
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Multihomed Domain Controllers



 No issues, if you...



 Go to the TCP/IP settings of the backup network card, 
click advanced,
 goto the DNS tab and untick register the connection in DNS.



 Cheers,



 Rob









 *Robert Rutherford*
 *QuoStar Solutions Limited*


 The Enterprise Pavilion
 Fern Barrow
 Wallisdown
 Poole
 Dorset
 BH12 5HH








 *T:*



 +44 (0) 8456 440 331

 *F:*



 +44 (0) 8456 440 332

 *M:*



 +44 (0) 7974 249 494

 *E: *



 [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]

 *W: *



 www.quostar.com http://www.quostar.com























 
-
-
 --





 **From:** [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of 
*Jeff Green
 *Sent:* 12 July 2006 11:43
 *To:* ActiveDir@mail.activedir.org
 *Subject:* [ActiveDir] Multihomed Domain Controllers

 Hi,

 First posting to this list but I've lurked quite a while and I've
 been very impressed by the quality of replies by the gurus.

 My question is regarding the advisability of having multihomed DCs.
 Basically I want to run backups over a separate GbE and as my servers
 have dual inbuilt NICs this seems an obvious route to take. I know
 there are some issues with DNS (I have a DNS integrated AD).

 Would this cause replication problems, etc?

 Any other "gotchas"?



 Many Thanks,

 ---
 Jeff Green
 Network Support Manager
 SAPIENS (UK) Ltd
 t: +44 (0)1895 464228 f: +44 (0)1895 463098

 "I dream of hover cars and old transistor radios ... She dreams of
 flowers in a field of sunny bungalows"


 
 ----------------------------------------
 Confidentiality Note: The information contained in
this email and
 document(s) attached are for the exclusive use of the 
addressee and
 may contain confidential, privileged and non-disclosable 

Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferr...

2006-07-13 Thread ChuckGaff


Absolutely - you will want the DC to do a DNS query for itself first and then the second DNS entry to the next nearest DNS server. Hopefully you are using AD-integrated zones where possible.

Chuck


RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread neil.ruston



I'd rather not make fundamental changes like that - I'd 
need to spend time testing, which I can better allocate to other tasks 
:)

It's also not a "visible" change and one which may be 
overlooked and falls into my 'over engineering' bucket.

:)


neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: 13 July 2006 15:11
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?


Not unless you make Netlogon dependent on DNS in the startup order. That should be a standard practice.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: [EMAIL PROTECTED]
Sent: Thu 7/13/2006 1:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

One point that is nearly always overlooked is the following, if a DC points to itself for DNS name res:

The DNS server service starts *after* NETLOGON, at startup.
The DNS server service stops *before* NETLOGON, at shutdown.

i.e.

At startup netlogon cannot register DNS records on the local machine until the DNS server starts (record reg may fail or be stalled / time out).

At shutdown or during a demotion netlogon cannot un-register DNS records on the local machine since DNS server has stopped (demotion will leave DC records intact).

For these reasons alone - I always recommend that a DC points to another (local) DNS server (not necessarily a DC) and then itself as secondary (or maybe even tertiary).

my 2 penneth,
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 13 July 2006 02:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

You don't work at the post office do you? ;)


There are many many many ways to properly configure DNS. One 
thing that helps is to think of the terms client and server vs. preferred and 
alternate only. You are configuring a preferred server and an alternate server 
that you want this DC to be a client of. 

DNS is a standard. Windows 2003 DNS follows those standards 
(comments really, but let's not pick right?) Microsoft has done some 
enhancements above and beyond that make DNS play very well in the Microsoft 
sphere[1]. You can however have DNS that is a third party DNS system, such 
as BIND. Active Directory plays very well with such third party DNS 
systems. You could have your domain controllers not have any DNS hosted on 
them at all. You could have it hosted, but as a secondary zone. You 
could also have it AD integrated meaning that you have a listener for DNS but 
the data(base) is stored in the active directory. 

Something to clarify: what you're talking about is making the DC a *client* 
to another DNS server that hosts the zones. You're also talking about 
making dc1 a client of dc2 and vice versa. That's silly, but I'll get to 
that. 

If you have your dns hosted on a third party system such as BIND, you'll 
have one server as the primary (not best practice, but you get the idea; in 
practice you'd have multiple for failure tolerance wan traffic optimization) and 
your DC would be a client of that system. 

If you have a traditional DNS hierarchy that has primary and secondary 
transfers, you would be mimicking BIND topology and again could configure your 
DC's to be clients of the BIND or Microsoft DNS servers. 

If you have the DNS AD-Integrated, then after initial replication you 
should have the client configured to use itself as the DNS server. That'd 
be the best practice. Before 2003 you could have an "island effect" where 
because you didn't have a full picture of the directory, you might not have all 
the records needed to fully *see* the entire DNS names list effectively creating 
an island of a DC. In 2003 some additional code was put in to make sure 
that doesn't happen. You need to be a client of a working DNS to join the 
domain and to find the other DC's when you get promoted. After replication 
completes, you have a full list and there's no need to continue as a client of a 
server that has the same information you do. 

So, what's silly about having your server configured to be a client of a 
dns server that has the same information? I find it amusing that if the 
server wants to find something he'll ask his neighbor if he has the information 
when he could just ask himself. It's brain dead in my opinion and very 
difficult to troubleshoot. In addition, and more importantly it breaks the idea 
of a fabric design because now dc1 and dc2 are reliant on each other to be 
operational. If either is 

Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread James_Day
Hi Al

I did want to throw in a personal experience I had with W2K3 that validates
the Point your DNS server to a replication partner theory.  I did see in
one environment where every DC had DNS and the msdcs partition was a forest
partition.  An unfortunate DNS scavenge was done deleting some of the GUID
records in the MSDCS partition.  Replication started to fail shortly after
that and the missing GUIDs were discovered.  The netlogon service was
restarted to make the DCs re-register but of course they re-registered the
GUID on themselves.  They could find themselves but not their replication
partners.  The replication partners could find them but not themselves.
When the DCs were set to point to a hub replication partner for primary and
themselves as secondary the problem went away - the netlogon service was
restarted, the GUIDs registered on the central DNS server, the spokes did
the lookup for replication partners on the hub site DC and eventually
things started working again.

This was pre-SP1 so this may not be a problem anymore, but after that
experience I have seen value in doing the DNS configuration so that the DCs
all point to the hub first and themselves second.  I have not seen any
problems for the DC itself when the WAN link dropped for a length of time
and the primary DNS server was not reachable.

Of course, if there are never any changes to DC IPs or names and the MSDCS
is never scavenged (or the interval is long enough not to recreate the
above problem) then the above argument is moot.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-230-2983
[EMAIL PROTECTED]



 
From: Al Mulnick [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?
Date: 07/12/2006 09:58 PM AST
Please respond to ActiveDir

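An added check for the scenario James describes above (scavenging removed DSA GUID records from _msdcs and replication broke). This is not code from the thread or from any poster; it assumes a Windows Server 2012 or later management host with the ActiveDirectory, DnsClient and DnsServer RSAT modules, and the DNS server name 'dc1.corp.example' is a placeholder. It resolves every DC's DSA GUID CNAME through a chosen DNS server and reports the aging settings of the _msdcs zone, so a bad scavenge shows up before replication partners stop finding each other.

```powershell
# Added example, not from the list thread. Assumes RSAT modules ActiveDirectory,
# DnsClient and DnsServer on Windows Server 2012+ / Windows 8+.
# 'dc1.corp.example' below is a placeholder for a DNS server hosting _msdcs.<forest>.

function Test-DcGuidCnameRecords {
    param([string]$DnsServer = 'dc1.corp.example')   # placeholder
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            # The DSA GUID is the objectGUID of the DC's NTDS Settings object (in the
            # Configuration partition), not of its computer account.
            $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Server $domain -Properties objectGUID
            $name = '{0}._msdcs.{1}' -f $ntds.ObjectGUID, $forest.RootDomain
            # Replication partners look this CNAME up to reach the DC; it is what the scavenge deleted.
            $answer = Resolve-DnsName -Name $name -Type CNAME -Server $DnsServer -ErrorAction SilentlyContinue |
                      Where-Object QueryType -eq 'CNAME' | Select-Object -First 1
            [pscustomobject]@{
                DC       = $dc.HostName
                Record   = $name
                Resolves = [bool]$answer
                Target   = $answer.NameHost
            }
        }
    }
}

function Get-MsdcsAgingSettings {
    param([string]$DnsServer = 'dc1.corp.example')   # placeholder
    $root = (Get-ADForest).RootDomain
    # Since Windows 2003, _msdcs.<forest> is normally its own zone; in an upgraded
    # forest it may still live inside the forest root zone, in which case this returns nothing.
    Get-DnsServerZoneAging -Name "_msdcs.$root" -ComputerName $DnsServer -ErrorAction SilentlyContinue |
        Select-Object ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval, ScavengeServers
}

$results = Test-DcGuidCnameRecords
$results | Format-Table -AutoSize
$missing = @($results | Where-Object { -not $_.Resolves })
if ($missing) {
    Write-Warning ("DSA GUID CNAME missing for: " + ($missing.DC -join ', ') +
        ". Re-register with 'nltest /dsregdns' on those DCs and check which DNS server they register against.")
}
Get-MsdcsAgingSettings
```

The re-registration step corresponds to the Netlogon restart James mentions; `nltest /dsregdns` triggers it without restarting the service. Whether the re-registered record lands somewhere the partners can see it still depends on which DNS server each DC has as its preferred server, which is the point of his hub-first configuration. A short NoRefreshInterval plus RefreshInterval on _msdcs, with aging enabled, is the setting combination that makes a repeat of the incident likely.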

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Freddy HARTONO
Hi Jorge

Aha, does that happen to be a link somewhere on the net that I can
reference to?

Personally for DC I never find a need for adapter teaming, if the nic
dies and I get an alert from the monitoring server that's all good for
me - clients should failover elsewhere anyway...

So any bullets against teaming would be excellent! 


Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Thursday, July 13, 2006 9:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

In the Windows Server System Reference Architecture (WSSRA) Microsoft
states:

At this time, Microsoft does not support load balanced network teams on
domain controllers due to potential data corruption issues (Taken from
the Directory Services Blueprint - page 29)
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul 
Williams
Sent: Thursday, July 13, 2006 13:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

We team everything.  It seems stupid not to.  Use fault tolerance 
only (as opposed to load balancing) and you've got additional 
resiliency.  FT works fine with different paths, e.g. different 
switches.


--Paul

- Original Message -
From: Freddy HARTONO [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, July 13, 2006 2:02 AM
Subject: RE: [ActiveDir] Multihomed Domain Controllers


 Don't mean to hijack this thread but on a similar note - whats the 
 downside for installing DCs with Adapter Teaming?

 All I know is that when adapter teaming is enabled, setting up WINS
 service will pop an error message (which can be ignored)...but 
 anything else? I've always been a firm believer of one nic and no 
 teaming...

 Any comments?


 Thank you and have a splendid day!

 Kind Regards,

 Freddy Hartono
 Group Support Engineer
 InternationalSOS Pte Ltd
 mail: [EMAIL PROTECTED]
 phone: (+65) 6330-9785


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
Susan Bradley,
 CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Wednesday, July 12, 2006 11:41 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Multihomed Domain Controllers

 In the year 2006.. I hope we are still not making host
file entries on
 servers and workstations  :-)

 Peter Johnson wrote:

 You might want to then create entries in the host file on
the backup
 server so that you guarantee that the backup server
always uses the
 right network connection.



 
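An added example for the multihomed-DC question in this thread, built around Rob Rutherford's advice to untick "register this connection in DNS" on the backup NIC. It is not code from the thread or from any poster; it assumes a Windows Server 2012 or later DC with the DnsClient and NetTCPIP cmdlets (which did not exist in 2006), and the interface alias 'Backup' is a placeholder. It lists which interfaces on the DC still register their addresses, warns when more than one does, and shows the cmdlet form of Rob's GUI change.

```powershell
# Added example, not from the list thread. Assumes Windows Server 2012+ cmdlets;
# the interface alias 'Backup' is a placeholder for the backup-LAN NIC.

function Get-DnsRegisteringInterface {
    # One row per interface that carries a real IPv4 address, with its registration flag.
    $ips = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }
    foreach ($client in Get-DnsClient) {
        $ifIps = @($ips | Where-Object { $_.InterfaceIndex -eq $client.InterfaceIndex })
        if (-not $ifIps) { continue }
        [pscustomobject]@{
            InterfaceAlias = $client.InterfaceAlias
            IPv4           = ($ifIps.IPAddress -join ', ')
            Registers      = $client.RegisterThisConnectionsAddress   # the checkbox Rob refers to
        }
    }
}

function Disable-BackupNicDnsRegistration {
    param([Parameter(Mandatory)][string]$InterfaceAlias)
    # Equivalent of unticking "Register this connection's addresses in DNS" on that NIC.
    Set-DnsClient -InterfaceAlias $InterfaceAlias -RegisterThisConnectionsAddress $false
    # Re-run dynamic registration so the DC's host records are republished without
    # the backup address. Records the backup NIC already registered are not removed
    # by this; they age out or are deleted on the DNS server.
    Register-DnsClient
}

$registering = Get-DnsRegisteringInterface
$registering | Format-Table -AutoSize
if (@($registering | Where-Object { $_.Registers }).Count -gt 1) {
    Write-Warning 'More than one interface registers in DNS: clients and replication partners may be handed the backup-LAN address of this DC.'
}
# Disable-BackupNicDnsRegistration -InterfaceAlias 'Backup'
```

The warning condition is the DNS side of Jeff's original "gotcha": with both NICs registering, a client on the production LAN can receive the backup-subnet address for the DC and fail to reach it. On a DC that also runs the DNS Server service, the server's own listen addresses should be restricted to the production NIC as well, since that service publishes its interface addresses independently of the client-side checkbox.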

Re: [ActiveDir] Acquisition of 2003 Forest - options & experiences

2006-07-13 Thread Danny
Thanks everyone for your feedback - much appreciated. I received a quote from Quest, and we are looking at minimum commitment of $40,000 CDN. Still working out the budget, but I think a business decision will be made by management to go the ADMT route. :)
Please keep the opinions and experiences coming. I look forward to posting my experience as we move forward. :)

...D

On 7/13/06, Myrick, Todd (NIH/CC/DCRI) [E] [EMAIL PROTECTED] wrote:

I can vouch for the Aelta/Quest Migration
tools and say they are pretty good for NT to AD migrations, and AD to AD
migrations. There was a lot of innovation in the space a couple years ago,
but I think most of the solutions today are pretty stable and offer comparable
features. The value of third-party tools is that with some you can get around
certain group limitations, password migration issues, and workstation
provisioning.



Here is a tip, when evaluating, ask what
API's they use for achieving their migration functions. Some vendors
just write Project Management Code around the MS API's, others take a
more "unique" approach and develop their own API's to give
you more flexibility.



One more thing, several of the vendors
only offer professional services instead of access to their software, due to
the fact a lot of time you pretty much needed their expertise on site anyway.
I encourage you to have an open mind about that, but also not just assume
everything is magic.



Good luck,



Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 12, 2006 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Acquisition of 2003 Forest - options & experiences

I think you'd be doing yourself a favor to at least
look into Quest Software's tools including Migration Manager for Active
Directory. While I haven't used that particular tool I have used several of
their other tools including their Domain Migration Wizard to move from NT4 to
2000/2003 with much success. They really reduce the workload in my experience
and they have so much experience that they are less likely to miss something
then if you try to do it manually =) 

Andrew Fidel

From: Danny [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 07/12/2006 01:18 PM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] Acquisition of 2003 Forest - options & experiences

A company with an independent 2003 Forest has been acquired. They have Exchange 2003 and a Citrix server. We have a similar configuration minus Citrix. The goal is obviously to migrate key AD objects, mailboxes, and servers into our 2003 forest.

I understand that ADMT is often the right tool for the job, but I would greatly appreciate hearing your personal experiences and any caveats that you may have run into. And is it the only tool you need?

I am off to read some MS docs on the topic and specifically ADMT. Hopefully I am able to contribute back to the list.

Thanks,

...D
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread Kevin Brunson
Don't domain controllers register their SRV records with both primary
and secondary DNS?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, July 13, 2006 10:02 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself
as the preferred DNS server...always?


[ActiveDir] Loopback Processing Problem

2006-07-13 Thread Piper, Pat








I am hoping someone can help us out with a loopback processing issue we are having.

We are trying to add our lab computers to our Active Directory and are going to have our students login using their child domain credentials. All the computers are added as objects to the child domain that the students belong to. We want to manage group policy by applying it to the computers and not to the users; this enables us to do things like locking down the background image for all computers regardless of the logged on user.

No matter what we try our policies are not being applied and we can't get what we want: user policies applying to computer objects. When local security policies are applied they work, when user policies are applied they work, which means that the computer is communicating with the domain properly.

We've read through the following article from Microsoft but are not having any luck finding good troubleshooting steps for this. Does anyone know of any gotchas for loopback processing or of a good troubleshooting guide?

Loopback processing of Group Policy
http://support.microsoft.com/?id=231287

Pat
-
Desktop & Server Services
Keene State College
Keene, NH 03435-2615
603 358-2172

"Beware the lollipop of mediocrity; lick it once and you'll suck forever." - Brian Wilson.










Re: [ActiveDir] Acquisition of 2003 Forest - options & experiences

2006-07-13 Thread ChuckGaff


The tools are great from Quest - use either the Consolidator tool or the Domain Migration Wizard (DMW) depending on your scenario. The tools are a must for medium to large-scale customers.

Chuck



RE: [ActiveDir] Loopback Processing Problem

2006-07-13 Thread Darren Mar-Elia



Pat-
Have you tried using GPMC's GP Results wizard to ensure 
that the loopback policy is actually applying to the computers? Also, are you 
using merge or replace loopback?

Darren




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Piper, Pat
Sent: Thursday, July 13, 2006 9:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Loopback Processing Problem


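An added pair of checks for Pat's loopback problem, following the two questions Darren asks (is loopback actually reaching the computers, and is it merge or replace). This is not code from the thread or from either poster; it assumes the GroupPolicy RSAT module on a Windows Server 2012 or later management host, PowerShell remoting to the lab machine, and the names 'lab-pc01' and 'CHILD\student01' are placeholders.

```powershell
# Added example, not from the list thread. Assumes the GroupPolicy module (RSAT)
# and PowerShell remoting to the lab computer. Names below are placeholders.

function Get-LoopbackMode {
    param([string]$Computer = 'lab-pc01')   # placeholder
    # When a GPO with loopback processing applies to the computer, the setting is
    # written to the machine's policy hive as UserPolicyMode: 1 = merge, 2 = replace.
    # If the value is absent, no GPO linked to the computer's OU (or site/domain)
    # delivered the loopback setting, which is the first thing to rule out.
    $mode = Invoke-Command -ComputerName $Computer -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
            -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    }
    switch ($mode) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'NotApplied' }
    }
}

function Export-LoopbackRsop {
    param(
        [string]$Computer = 'lab-pc01',                 # placeholder
        [string]$User     = 'CHILD\student01',          # placeholder: a student account from the child domain
        [string]$Path     = "$env:TEMP\rsop-$Computer.html"
    )
    # Same data as the GPMC Group Policy Results wizard Darren mentions: the GPOs
    # the target machine actually applied for this computer/user pair, including
    # the user-side settings pulled in by loopback. Path must be absolute.
    Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Html -Path $Path
    $Path
}

Get-LoopbackMode -Computer 'lab-pc01'
Export-LoopbackRsop -Computer 'lab-pc01' -User 'CHILD\student01'
```

Read the two results together: 'NotApplied' means the loopback GPO itself is not reaching the computer object (link, security filtering or WMI filter on the computer's OU), so the user-side settings in it will never be evaluated; 'Replace' means the student's own user GPOs are discarded entirely and only the user-side settings of GPOs linked to the computer's location apply, which is usually what a lab wants but surprises people who expect their existing user policies to keep working; 'Merge' applies both, with the computer-location GPOs winning on conflict. The RSoP report then shows which GPOs were actually applied and which were denied, and why.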



RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread Grillenmeier, Guido
note that DNS startup behaviour changes with SP1, which is another
reason not to choose the DC itself as the preferred DNS server: with
SP1, AD will not allow the DNS service to read any records, until it has
successfully replicated with one of its replication partners.  This is
to avoid false or duplicate registration of records (or even duplicate
creation of the application partitions). 

As such, with SP1 it's better to point your DCs to a replication partner
as a primary DNS and to self as a secondary.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, 13 July 2006 17:02
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself
as the preferred DNS server...always?

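An added audit for the point neil made earlier in this thread and Guido adds here for SP1 (a DC should ask a replication partner first and itself second), plus Deji's suggestion of making Netlogon depend on the DNS Server service. This is not code from the thread or from any poster; it assumes a Windows Server 2012 or later DC with the DnsClient and NetTCPIP cmdlets (which did not exist in 2006) and only reads configuration.

```powershell
# Added example, not from the list thread. Assumes Windows Server 2012+ cmdlets on a
# DC that also runs the DNS Server service (service name 'DNS'). Read-only.

function Get-DcDnsClientAudit {
    # Per IPv4 interface: does this DC ask itself first (the pattern neil and Guido
    # argue against) or a partner first with itself as fallback (their recommendation)?
    $selfAddresses = @('127.0.0.1') + @(
        Get-NetIPAddress -AddressFamily IPv4 |
            Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
            Select-Object -ExpandProperty IPAddress)

    foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
        if (-not $cfg.ServerAddresses) { continue }   # no DNS servers set (e.g. a backup-only NIC)
        $preferred = $cfg.ServerAddresses[0]
        $rest      = @($cfg.ServerAddresses | Select-Object -Skip 1)
        $selfFirst = $selfAddresses -contains $preferred
        [pscustomobject]@{
            InterfaceAlias  = $cfg.InterfaceAlias
            ServerAddresses = ($cfg.ServerAddresses -join ', ')
            PreferredIsSelf = $selfFirst
            SelfIsFallback  = [bool]($rest | Where-Object { $selfAddresses -contains $_ })
            PartnerFirst    = (-not $selfFirst) -and ($rest.Count -gt 0)
        }
    }
}

function Test-NetlogonDependsOnDns {
    # Deji's suggestion: make Netlogon depend on the DNS Server service so DNS is
    # running before Netlogon registers records and still running when it
    # un-registers them at shutdown. Reads the SCM dependency list only.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon'
    $deps = @((Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue).DependOnService)
    [pscustomobject]@{
        DependOnService = ($deps -join ', ')
        DependsOnDns    = ($deps -contains 'DNS')
    }
}

Get-DcDnsClientAudit | Format-Table -AutoSize
Test-NetlogonDependsOnDns
```

To move an interface to the recommended shape, `Set-DnsClientServerAddress -InterfaceAlias <alias> -ServerAddresses <partner>,<self>` with the partner listed first. If you adopt Deji's dependency instead (or as well), note that `sc.exe config Netlogon depend=` replaces the whole dependency list rather than appending, so pass the existing entries shown by the audit plus `DNS`. Guido's SP1 behaviour is the reason the client-side order matters even more than neil's startup-order point: a freshly started DC whose own DNS service is still waiting for its first replication cannot answer the DC's own locator queries.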

RE: [ActiveDir] AD Sites Rename

2006-07-13 Thread Grillenmeier, Guido



not a problem for AD or most apps that use it - potentially 
an issue with scripts that use hardcoded names. 

Clients will fail to find their DC that they've last used 
and will need to do a generic DNS query prior to finding the renamed site 
again. Usually no big deal. 

If your DFS root servers are Win2000, you'd need to refresh 
the site data (using dfsutil I believe) - if they're Win2003, they look up site 
information dynamically and don't care about a rename.

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Thursday, 13 July 2006 12:32
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Sites Rename

Hi,

I need to rename some of my AD Sites, is this likely to cause any issues I am unaware of?

I use DFS if that's any help.

Windows 2003 Single Domain/Forest FFL.

thanks James


Do you Yahoo!? Next-gen email? Have it all with the all-new Yahoo! Mail Beta.


RE: [ActiveDir] AD Sites Rename

2006-07-13 Thread Brian Desmond

Will be fine unless you have some app hardcoded to them, and well, it should break so you can demand to have it fixed.

Thanks,

Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Thursday, July 13, 2006 5:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Sites Rename

Hi,

I need to rename some of my AD Sites, is this likely to cause any issues I am unaware of?

I use DFS if that's any help.

Windows 2003 Single Domain/Forest FFL.

thanks James

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Brian Desmond

I don't know anyone who goes in network neighborhood. My last AD gig had 90K Wintel devices and 500K users at almost 800 WAN locations - going in nethood was a pretty silly idea...

Thanks,

Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, July 13, 2006 7:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Brian,

Could you please explain to me what you mean by "save for the browsing situation, but who uses that anyway?" Are you saying that your networks don't have browse masters? How do people find resources then?

Thanks.

RH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: 13 July, 2006 1:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

I've got hundreds of sites/forests with multihomed DCs. It works fine save for the browsing situation, but who uses that anyway?

Thanks,

Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, July 12, 2006 8:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

Personally, I've never used that configuration for a DC. Since being bit in the NT 4.0 days (before that really, but hate to show the age :) I've had architectural reasons to not do that. Since AD is made up of a multi-master fabric, I have had no reason at all to require an isolated network dedicated to backups. I get the feeling in your case it's just a nice to have vs. a requirement since you have the hardware and figure why not put it to use. You'd be a rare exception if the size of the dit is large enough to require such a configuration. Saying that, is it possible? Most likely. Will it be difficult when/if you call for support for some other issue to explain to the engineer that you have a multi-homed DC? Most likely. Does it break the "keep it as simple as possible while meeting the requirements" rule? Most likely.

When you test this, as the others have mentioned, be sure to test the recoverability and the gotchas that come along with bringing up a recovered DC on a multi-homed machine. You'll want to have that documented and thoroughly tested so as not to have to deal with that when under pressure. You may also want to consider an alternative backup method that doesn't require a dedicated network to the DCs.

Just some random thoughts and my $.04 (USD) worth.

Al

On 7/12/06, Jeff Green [EMAIL PROTECTED] wrote:

Hi Guys,

Many thanks to all that have responded (and so quickly!)

Points / clarifications / additional Qs

a) DNS multihomed issues

Yes, found that in the MS KB about not registering this connection in DNS on the second NIC.

Also leave the gateway / DNS TCP/IP settings blank on the second NIC.

b) Browser Issues

Several things in MS KB about this and fixes (including hacking a registry if I remember correctly)

But would Browser issues affect AD operations - I'm talking about replication issues here?

c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3.

Sorry, should have stated this.

d) Backup

Using BackupExec, which allows binding of remote agents to specific NICs

Have I got everything covered - I can't believe this is an unusual configuration?

Many Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD).

Would this cause replication problems, etc?

Any other gotchas?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228 f: +44 (0)1895 463098

I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows

RE: [ActiveDir] Loopback Processing Problem

2006-07-13 Thread Kevin Brunson

Make sure that the permissions are set to Apply Group Policy for both the computers AND the student accounts. Otherwise it will not apply the User Settings.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Piper, Pat
Sent: Thursday, July 13, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Loopback Processing Problem

I am hoping someone can help us out with a loopback processing issue we are having.

We are trying to add our lab computers to our Active Directory and are going to have our students login using their child domain credentials. All the computers are added as objects to the child domain that the students belong to. We want to manage group policy by applying it to the computers and not to the users; this enables us to do things like locking down the background image for all computers regardless of the logged on user.

No matter what we try our policies are not being applied and we can't get what we want: user policies to apply to computer objects. When local security policies are applied they work, when user policies are applied they work, which means that the computer is communicating with the domain properly.

We've read through the following article from Microsoft but are not having any luck finding good troubleshooting steps for this. Does anyone know of any "gotchas" for loopback processing or of a good troubleshooting guide?

Loopback processing of Group Policy
http://support.microsoft.com/?id=231287

Pat
-
Desktop & Server Services
Keene State College
Keene, NH 03435-2615
603 358-2172

Beware the lollipop of mediocrity; lick it once and you'll suck forever. - Brian Wilson.

[ActiveDir] Object Auditing

2006-07-13 Thread Clay, Justin (ITS)

Is it possible to audit the creation/deletion and more importantly, the movement of OUs? One of our admins dragged and dropped an entire OU into another OU that had a desktop lockdown GPO linked to it, thereby locking down the PCs of a bunch of important people, and making them very upset.

I have Account Management and Object Access auditing on, but I don't see anything on any of our DCs that show anything about the OU or any of its objects moving. Is there something else I need to enable to audit these types of events? Is it even possible?

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573

ITS ENTERPRISE SERVICES EMAIL NOTICE

The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.


Re: [ActiveDir] Loopback Processing Problem

2006-07-13 Thread Matt Hargraves

I usually don't like loopback. It's just kinda messy in most situations.

But for reference to Darren's question, you might want to look at: http://support.microsoft.com/?id=231287

On 7/13/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:

Pat-
Have you tried using GPMC's GP Results wizard to ensure that the loopback policy is actually applying to the computers? Also, are you using merge or replace loopback?

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Piper, Pat
Sent: Thursday, July 13, 2006 9:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Loopback Processing Problem

I am hoping someone can help us out with a loopback processing issue we are having.

We are trying to add our lab computers to our Active Directory and are going to have our students login using their child domain credentials. All the computers are added as objects to the child domain that the students belong to. We want to manage group policy by applying it to the computers and not to the users; this enables us to do things like locking down the background image for all computers regardless of the logged on user.

No matter what we try our policies are not being applied and we can't get what we want: user policies to apply to computer objects. When local security policies are applied they work, when user policies are applied they work, which means that the computer is communicating with the domain properly.

We've read through the following article from Microsoft but are not having any luck finding good troubleshooting steps for this. Does anyone know of any "gotchas" for loopback processing or of a good troubleshooting guide?

Loopback processing of Group Policy
http://support.microsoft.com/?id=231287

Pat
-
Desktop & Server Services
Keene State College
Keene, NH 03435-2615
603 358-2172

Beware the lollipop of mediocrity; lick it once and you'll suck forever. - Brian Wilson.

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Almeida Pinto, Jorge de

Hi,

I'm not saying that teaming should not be used...

I'm saying that teaming in load balancing mode should not be used as MS does not support it. Teaming in fault tolerance mode can be used for this.

More info can be found here:
http://www.microsoft.com/technet/itsolutions/wssra/raguide/DirectoryServices/igdrbp_2.mspx
search for "load balancing"

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Freddy HARTONO
Sent: Thu 2006-07-13 17:09
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Hi Jorge

Aha, does that happen to be a link somewhere on the net that I can reference to?

Personally for DC I never find a need for adapter teaming, if the NIC dies and I get an alert from the monitoring server that's all good for me - clients should failover elsewhere anyway...

So any bullets against teaming would be excellent!

Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, July 13, 2006 9:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

In the Windows Server System Reference Architecture (WSSRA) Microsoft states:

"At this time, Microsoft does not support load balanced network teams on domain controllers due to potential data corruption issues" (taken from the Directory Services Blueprint - page 29)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, July 13, 2006 13:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

We team everything.  It seems stupid not to.  Use fault tolerance only (as opposed to load balancing) and you've got additional resiliency.  FT works fine with different paths, e.g. different switches.

--Paul

- Original Message -
From: Freddy HARTONO [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, July 13, 2006 2:02 AM
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Don't mean to hijack this thread but on a similar note - what's the downside for installing DCs with Adapter Teaming?

All I know is that when adapter teaming is enabled, setting up the WINS service will pop an error message (which can be ignored)...but anything else? I've always been a firm believer of one NIC and no teaming...

Any comments?

Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on servers and workstations  :-)

Peter Johnson wrote:

You might want to then create entries in the host file on the backup server so that you guarantee that the backup server always uses the right network connection.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: 12 July 2006 12:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

No issues, if you...

Go to the TCP/IP settings of the backup network card, click advanced, go to the DNS tab and untick "register the connection in DNS".

Cheers,

Rob

Robert Rutherford
QuoStar Solutions Limited

The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers 

RE: [ActiveDir] Object Auditing

2006-07-13 Thread Grillenmeier, Guido

I'd have to check out myself if an OU move is possible to audit with the built-in auditing events - I'm pretty sure though it is possible with AD specific auditing software such as NetPro's ChangeAuditor AD and Quest's Intrust for AD.

You may also want to disable drag & drop in your forest, simply by configuring the following (works for Win2003 SP1 - a pre-SP1 fix should be available as well):

- use ADSIEDIT, LDP or equivalent tool
- locate the "flags" attribute of the DisplaySpecifiers container in the config. NC
- set bit 0 to 1
- drag and drop now disabled

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Thursday, 13 July 2006 20:25
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Object Auditing


Is it possible to audit the creation/deletion and more importantly, the movement of OUs? One of our admins dragged and dropped an entire OU into another OU that had a desktop lockdown GPO linked to it, thereby locking down the PCs of a bunch of important people, and making them very upset.

I have Account Management and Object Access auditing on, but I don't see anything on any of our DCs that show anything about the OU or any of its objects moving. Is there something else I need to enable to audit these types of events? Is it even possible?

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573
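Guido's drag & drop procedure above, as a script (an added example, not code from the thread): it binds to the DisplaySpecifiers container in the configuration NC, shows the current "flags" value and sets or clears bit 0, leaving any other bits alone. The function name Set-AducDragDrop and its -Server parameter are this example's own; it needs an account with write access to the Configuration NC.

```powershell
# Added example (not from the list thread): toggle bit 0 of the "flags"
# attribute on CN=DisplaySpecifiers in the configuration naming context,
# which is the change Guido describes for disabling drag & drop in ADUC
# (Win2003 SP1 and later; pre-SP1 needs the separate fix he mentions).
# Uses only the built-in [ADSI] accelerator (System.DirectoryServices),
# so it runs without the ActiveDirectory module. Function and parameter
# names are this example's own.

function Set-AducDragDrop {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Disable', 'Enable')]
        [string]$State,

        # Optional DC to bind to, so the write lands on one known server
        # (handy when you want to watch the change replicate afterwards).
        [string]$Server
    )

    $prefix = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }

    # RootDSE exposes the DN of the configuration NC for this forest.
    $rootDse  = [ADSI]"${prefix}RootDSE"
    $configNC = [string]$rootDse.configurationNamingContext.Value
    $ds       = [ADSI]"${prefix}CN=DisplaySpecifiers,$configNC"

    # 'flags' may not be set at all; treat an absent value as 0.
    $current = 0
    if ($ds.Properties['flags'].Count -gt 0) {
        $current = [int]$ds.Properties['flags'][0]
    }

    # Only bit 0 is touched; every other bit keeps its current value.
    $desired = if ($State -eq 'Disable') {
        $current -bor 1
    } else {
        $current -band (-bnot 1)
    }

    # -WhatIf reports the write without performing it.
    if ($desired -ne $current -and
        $PSCmdlet.ShouldProcess($ds.distinguishedName.Value, "set flags=$desired")) {
        $ds.Put('flags', $desired)
        $ds.SetInfo()
    }

    [pscustomobject]@{
        Container        = [string]$ds.distinguishedName.Value
        FlagsBefore      = $current
        FlagsAfter       = $desired
        DragDropDisabled = (($desired -band 1) -eq 1)
    }
}

# Preview the change on the current forest, then apply it:
#   Set-AducDragDrop -State Disable -WhatIf
#   Set-AducDragDrop -State Disable
```

Running it with -State Enable clears the bit again, which is the rollback.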


  
  


Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread Al Mulnick
See how quickly thinking changes? :)

I almost think this is a better reason not to have AD-integrated DNS. Shall have to ponder a bit more, but I detest the idea of a DNS server being a client to a peer name res server. I'm still inclined to continue to use the self-as-primary deployment. I understand that silliness (thanks for pointing out that situation James) can impact availability and that would normally indicate a bad design. I'm curious though, why in the situation described that the server couldn't replicate and begin serving records. I haven't looked lately, but how many replication partners does it have to talk to before it will serve DNS? 


I'm looking for server x. Do you have it? Hello? Are you there? No? Let me check myself then. It also goes against the idea that each name res server should have as much of a complete picture of the environment as possible else there's no reason to have multiples. 


Hmm...
On 7/13/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

Note that DNS startup behaviour changes with SP1, which is another reason not to choose the DC itself as the preferred DNS server: with SP1, AD will not allow the DNS service to read any records until it has successfully replicated with one of its replication partners. This is to avoid false or duplicate registration of records (or even duplicate creation of the application partitions). As such, with SP1 it's better to point your DCs to a replication partner as a primary DNS and to self as a secondary.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, 13 July 2006 17:02
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

Hi Al

I did want to throw in a personal experience I had with W2K3 that validates the "Point your DNS server to a replication partner" theory. I did see in one environment where every DC had DNS and the msdcs partition was a forest partition. An unfortunate DNS scavenge was done deleting some of the GUID records in the MSDCS partition. Replication started to fail shortly after that and the missing GUIDs were discovered. The netlogon service was restarted to make the DCs re-register but of course they re-registered the GUID on themselves. They could find themselves but not their replication partners. The replication partners could find them but not themselves.

When the DCs were set to point to a hub replication partner for primary and themselves as secondary the problem went away - the netlogon service was restarted, the GUIDs registered on the central DNS server, the spokes did the lookup for replication partners on the hub site DC and eventually things started working again.

This was pre-SP1 so this may not be a problem anymore, but after that experience I have seen value in doing the DNS configuration so that the DCs all point to the hub first and themselves second. I have not seen any problems for the DC itself when the WAN link dropped for a length of time and the primary DNS server was not reachable.

Of course, if there are never any changes to DC IPs or names and the MSDCS is never scavenged (or the interval is long enough not to recreate the above problem) then the above argument is moot.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-230-2983
[EMAIL PROTECTED]

From: "Al Mulnick" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Date: 07/12/2006 09:58 PM AST
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?
Please respond to ActiveDir

You don't work at the post office do you? ;)

There are many many many ways to properly configure DNS. One thing that helps is to think of the terms client and server vs. preferred and alternate only. You are configuring a preferred server and an alternate server that you want this DC to be a client of.

DNS is a standard. Windows 2003 DNS follows those standards (comments really, but let's not pick right?) Microsoft has done some enhancements above and beyond that make DNS play very well in the Microsoft sphere[1].

You can however have DNS that is a third party DNS system, such as BIND. Active Directory plays very well with such third party DNS systems. You could have your domain controllers not have any DNS hosted on them at all. You could have it hosted, but as a secondary zone. You could also have it AD integrated meaning that you have a listener for DNS but the data(base) is stored in the active directory.

Something to clarify: what you're talking about is making the DC a *client* to another DNS server that hosts the zones. You're also talking about making dc1 a client of dc2 and vice versa. That's silly, but I'll get to that.

If you have your dns hosted on a third party system such as BIND, you'll have one server as the primary (not best 

[ActiveDir] Log On To...

2006-07-13 Thread Timothy Foster

On the Account tab of the User Properties window in ADUC there is a 'Log On To...' button which - I thought - limited the user's ability to logon to only the workstations specified.

I applied restrictions to an account in our domain and they did not work. In other words, the restricted account was able to logon to a workstation not specified in the list.

What did I miss? Is there a group policy setting that may be over-riding the setting? How do I go about troubleshooting this?

Thanks in advance.

Tim





RE: [ActiveDir] Object Auditing

2006-07-13 Thread Myrick, Todd (NIH/CC/DCRI) [E]

Your best bet to learn how to audit changes is to stand up a virtual AD, turn on Directory auditing, and make the changes you would like to track to see what event IDs and messages are generated. Then you can use Microsoft's EventCombMT tool to search your DCs for the information.

We use the Quest Intrust product here for Monitoring and Auditing. At the parent level they used NetPro for AD monitoring and Intrust for auditing; I think they want to switch to using the NetPro product for auditing though. Both companies offer very good solutions. It is pretty hard to make a bad decision here. There are some advantages with regards to cross platform support with Intrust, but that has nothing to do with AD. The shop I am in now uses several platforms, so that is what drove our decision.

Todd

From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 13, 2006 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Object Auditing

I'd have to check out myself if an OU move is possible to audit with the built-in auditing events - I'm pretty sure though it is possible with AD specific auditing software such as NetPro's ChangeAuditor AD and Quest's Intrust for AD.

You may also want to disable drag & drop in your forest, simply by configuring the following (works for Win2003 SP1 - a pre-SP1 fix should be available as well):

o use ADSIEDIT, LDP or equivalent tool
o locate the "flags" attribute of the DisplaySpecifiers container in the config. NC
o set bit 0 to 1
o drag and drop now disabled

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Thursday, 13 July 2006 20:25
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Object Auditing

Is it possible to audit the creation/deletion and more importantly, the movement of OUs? One of our admins dragged and dropped an entire OU into another OU that had a desktop lockdown GPO linked to it, thereby locking down the PCs of a bunch of important people, and making them very upset.

I have Account Management and Object Access auditing on, but I don't see anything on any of our DCs that show anything about the OU or any of its objects moving. Is there something else I need to enable to audit these types of events? Is it even possible?

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573




 
  
  
  
  
 











RE: [ActiveDir] Log On To...

2006-07-13 Thread Lucas, Bryan

We use this setting heavily for certain classes of users and it works great. We do exactly what you're saying, only put the workstations they should use in the list and it does restrict them from logging in elsewhere. Maybe replication is your culprit?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Timothy Foster
Sent: Thursday, July 13, 2006 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Log On To...

On the Account tab of the User Properties window in ADUC there is a 'Log On To...' button which - I thought - limited the user's ability to logon to only the workstations specified.

I applied restrictions to an account in our domain and they did not work. In other words, the restricted account was able to logon to a workstation not specified in the list.

What did I miss? Is there a group policy setting that may be over-riding the setting? How do I go about troubleshooting this?

Thanks in advance.

Tim

RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread Victor W.

Great input, it's really getting more and more interesting, I'm glad I raised the question.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday 13 July 2006 21:32
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

See how quickly thinking changes? :)

I almost think this is a better reason not to have AD-integrated DNS. Shall have to ponder a bit more, but I detest the idea of a DNS server being a client to a peer name res server. I'm still inclined to continue to use the self-as-primary deployment. I understand that silliness (thanks for pointing out that situation James) can impact availability and that would normally indicate a bad design. I'm curious though, why in the situation described that the server couldn't replicate and begin serving records. I haven't looked lately, but how many replication partners does it have to talk to before it will serve DNS?

"I'm looking for server x. Do you have it? Hello? Are you there? No? Let me check myself then." It also goes against the idea that each name res server should have as much of a complete picture of the environment as possible else there's no reason to have multiples.

Hmm...

RE: [ActiveDir] Log On To...

2006-07-13 Thread WATSON, BEN








I can't think of a group policy that would override this. Is it possible that when you checked the user account after you had made the changes that you hadn't waited for the replication to take place? You may have made the changes on DC1, and when the user account attempted to log in, it may have authenticated against a DC other than DC1.

~Ben
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Timothy Foster
Sent: Thursday, July 13, 2006 1:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Log On To...

On the Account tab of the User Properties window in ADUC there is a 'Log On To...' button which - I thought - limited the user's ability to logon to only workstations specified.

I applied restrictions to an account in our domain and they did not work. In other words, the restricted account was able to logon to a workstation not specified in the list.

What did I miss? Is there a group policy setting that may be over-riding the setting? How do I go about troubleshooting this?

Thanks in advance.

Tim
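Ben's replication-lag explanation can be checked directly: the "Log On To..." list is stored in the account's userWorkstations attribute, and reading it from each DC individually shows whether the change has converged. This is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module (Get-ADReplicationAttributeMetadata needs Windows Server 2012 or later) and takes $SamAccountName as a placeholder parameter.

```powershell
# Added example, not from the thread. Reads the "Log On To..." list (the userWorkstations
# attribute) of one account from every DC in the domain, so replication lag is visible,
# then shows which DC originated the last write. $SamAccountName is a placeholder.
param([Parameter(Mandatory)][string]$SamAccountName)
Import-Module ActiveDirectory

$dcs = @(Get-ADDomainController -Filter *)

# Query each DC directly; a DC that still shows the old list will also still enforce it.
$perDc = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties userWorkstations
        [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; userWorkstations = $u.userWorkstations }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; userWorkstations = "ERROR: $($_.Exception.Message)" }
    }
}
$perDc | Format-Table -AutoSize

$distinct = @($perDc | ForEach-Object { [string]$_.userWorkstations } | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning 'userWorkstations differs between DCs: the restriction is enforced only by a DC that already holds the new value.'
}

# Replication metadata: which DC originated the last change to this attribute, and when.
$dn = (Get-ADUser -Identity $SamAccountName -Server $dcs[0].HostName).DistinguishedName
Get-ADReplicationAttributeMetadata -Object $dn -Server $dcs[0].HostName |
    Where-Object AttributeName -eq 'userWorkstations' |
    Select-Object LastOriginatingChangeDirectoryServerIdentity, LastOriginatingChangeTime, Version
```

If the per-DC table disagrees, the workstation that was "wrongly" allowed most likely authenticated against a DC still holding the old list; the metadata line shows which DC took the write and when, which is what you need to compare against the logon time.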
RE: [ActiveDir] Moving a Certificate Authority

2006-07-13 Thread WATSON, BEN
I am at a complete loss here as to what to do to resolve this issue.

Domain has been upgraded from 2000 to 2003 and the stand-alone CA has been moved from a very old Windows 2000 server to a new Windows 2000 server with the same name. It was at this point that clients became unable to request new certificates from the new CA. I then upgraded the new Windows 2000 CA Server to Windows 2003 in the hopes that would help. It did in fact eliminate one of two errors in the event logs I was seeing, but I'm still left with one recurring event log entry and a still unusable CA.

Here is the one relevant entry in the event log that appears on the new CA server.

Source: CertSvc
Event ID: 44
Type: Error
The "Windows default" Policy Module "Initialize" method returned an error. Element not found. The returned status code is 0x80070490 (1168). Certificate Services could not find required Active Directory information.

Any thoughts?
~Ben

From: WATSON, BEN
Sent: Wed 7/12/2006 3:27 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Moving a Certificate Authority

I am mostly complete with the domain upgrade and the subsequent certificate authority move. I've run into what "should" be the final problem before I can say everything is now successful.

I have moved the Certificate Authority from one Windows 2000 Server to another Windows 2000 Server. Everything appears happy on the new server running as a new certificate authority; however domain clients are unable to request a certificate at this point. For instance, when attempting to request a user certificate from a Windows 2000 member server, I get the pretty standard error message stating, "Windows cannot find a certification authority that will process the request".

I have followed the instructions from KB298138 in the Windows 2000 section and while the certificate authority itself seems happy, all the clients don't seem to know where it is located. The new certificate authority has the exact same name as the old certificate authority, and I backed up the old CA certs and keys along with a registry key and restored these on the new CA as directed in the KB article.

Any advice on where to look to resolve this? I did find KB271861 which talked about the same error I was getting, and I did not have the Enroll right given to Domain Users, however even after giving Domain Users that right it still has not changed anything.

Thanks,
~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, July 11, 2006 6:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

Have you thought about putting a new server (or an older one with good hardware) in the mix as 2000, moving the CA to it, and then upgrading it to 2k3? That way you don't have to worry about the hardware not supporting 2003 or something terrible like that. Then if you want you could move it from that 2003 server to another 2003 server, or you could just leave it where it is.

Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, July 11, 2006 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

And will it ever be a slooow 2k3 machine indeed. After continuing to do some reading and researching, it does appear that my only option is to...

1) Upgrade the old DC to 2k3
2) Backup the CA and the registry key as stated in the KB298138 article.
3) Remove the CA services, demote server and rename it.
4) Promote a 2k3 server with the same name as the old DC and install the CA services.
5) Restore the CA data and registry key
6) Cross my fingers and hope that I have a CA once again

I'll give this a shot tomorrow. I just wonder what would be my backup plan should the CA restoration fail on the new server? The old server will have been demoted and removed from Active Directory along with the CA services removed, not to mention a new server now has its name.

Thanks for your .02 Steve, it seems to be spot on.
~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

You cannot move from 2000 to 2003 as the database has changed. You could upgrade to 2k3 (this would be temporary) and then move to another 2k3 server. I know that you said that the HW was old - but perhaps a temporary sloow 2k3 machine?

You should keep the hostname the same - if you took the defaults for install (90% of CA's out there) then you have paths in all of your issued certs which hardcode to this server, not to mention the name is also in AD as well as the CA web pages. Unless you have a very good reason - it'd be best to keep it the same. I think that the article doesn't mention moving to a new name, because it would vary
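Event ID 44's "could not find required Active Directory information" points at the objects a CA expects under CN=Public Key Services in the configuration partition. The following is an added example, not code from the thread and not a fix: it lists those objects so that a missing or renamed entry for a moved CA stands out, and shows what is currently in NTAuthCertificates. It assumes the ActiveDirectory PowerShell module and uses $CaName as a placeholder for the CA's common name.

```powershell
# Added example, not from the thread. Lists the objects Certificate Services expects to find
# under CN=Public Key Services in the configuration partition, so a missing or stale entry
# for a moved CA stands out. $CaName is a placeholder for the CA's common name.
param([string]$CaName = 'REPLACE-WITH-CA-NAME')
Import-Module ActiveDirectory

$configNc = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# Enrollment Services holds one entry per enterprise CA (clients use it to locate a CA);
# Certification Authorities and AIA hold the CA certificates published to the forest.
foreach ($container in 'Enrollment Services', 'Certification Authorities', 'AIA') {
    $objs = @(Get-ADObject -SearchBase "CN=$container,$pkiBase" -SearchScope OneLevel -Filter * `
                 -Properties dNSHostName, cACertificate)
    [pscustomobject]@{
        Container = $container
        Entries   = ($objs | ForEach-Object Name) -join ', '
        HasCA     = [bool]($objs | Where-Object Name -eq $CaName)
        Hosts     = ($objs | ForEach-Object dNSHostName | Where-Object { $_ }) -join ', '
    }
}

# NTAuthCertificates must carry the CA certificate for domain members to accept certificates
# it issues for authentication; anything stale in here deserves a look for the same reason.
$ntauth = Get-ADObject -Identity "CN=NTAuthCertificates,$pkiBase" -Properties cACertificate
"NTAuthCertificates holds $(@($ntauth.cACertificate).Count) certificate(s):"
foreach ($raw in $ntauth.cACertificate) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
    "  {0}  thumbprint {1}  expires {2:d}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
}
```

Compare the Hosts column with the new server's DNS name and the thumbprints with the certificate the restored CA actually presents; a container entry that still describes the old machine, or a CA certificate that is not in NTAuthCertificates, is the kind of gap the event text is describing.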

Re: [ActiveDir] Object Auditing

2006-07-13 Thread Matt Hargraves
Well, you could always ACL your AD better and make it where only a small number (2 or 3 accounts) of users can make AD organizational changes. Moving, creating and deleting OUs isn't necessary that often to where it's really all that necessary of a right for most admins. I think that in our environment (with a very large number of OUs), I have only had maybe 1 or 2 occasions to ever move an OU, if that.
That being said... mistakes happen and these things are going to occur. Hopefully very, very infrequently. There are tools out there to monitor AD for changes like this, I guess the question is whether it's worth the money or not. It's possible that you might want to get them just so you can start monitoring and auditing your environment (which many organizations don't do).
On 7/13/06, Myrick, Todd (NIH/CC/DCRI) [E] [EMAIL PROTECTED] wrote:
Your best bet to learn how to audit changes is to stand up a virtual AD, turn on Directory auditing, and make the changes you would like to track to see what event ID and messages are generated. Then you can use Microsoft's EventCombMT tool to search your DC's for the information.

We use the Quest Intrust product here for Monitoring and Auditing… At the parent level they used Netpro for AD monitoring and Intrust for auditing, I think they want to switch to using the NETPRO product for auditing though. Both companies offer very good solutions. It is pretty hard to make a bad decision here. There are some advantages with regards to cross platform support with Intrust, but that has nothing to do with AD. The shop I am in now uses several platforms, so that is what drove our decision.

Todd
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 13, 2006 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Object Auditing

I'd have to check out myself if an OU move is possible to audit with the built-in auditing events - I'm pretty sure though it is possible with AD specific auditing software such as NetPro's ChangeAuditor AD and Quest's Intrust for AD.

You may also want to disable drag & drop in your forest, simply by configuring the following (works for Win2003 SP1 - a pre-SP1 fix should be available as well):

- use ADSIEDIT, LDP or equivalent tool
- locate flags attribute of DisplaySpecifiers container in config. NC
- set bit 0 to 1
- drag and drop now disabled

/Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
Sent: Thursday, 13 July 2006 20:25
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Object Auditing

Is it possible to audit the creation/deletion and more importantly, the movement of OUs? One of our admins dragged and dropped an entire OU into another OU that had a desktop lockdown GPO linked to it, thereby locking down the PCs of a bunch of important people, and making them very upset.

I have Account Management and Object Access auditing on, but I don't see anything on any of our DCs that show anything about the OU or any of its objects moving. Is there something else I need to enable to audit these types of events? Is it even possible?

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573
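The drag-and-drop lockdown Guido lists above (flags attribute of the DisplaySpecifiers container, bit 0), as an added example that is not part of the thread. It assumes the ActiveDirectory PowerShell module and write access to the configuration partition, and sets the bit with a bitwise OR so that any other flag bits already present are preserved rather than overwritten.

```powershell
# Added example, not from the thread. Sets bit 0 of the flags attribute on the
# DisplaySpecifiers container (configuration partition), which the Windows Server 2003 SP1
# and later ADUC console honours by refusing drag-and-drop moves. Other bits are preserved.
Import-Module ActiveDirectory

$configNc = (Get-ADRootDSE).configurationNamingContext
$dn       = "CN=DisplaySpecifiers,$configNc"

$obj     = Get-ADObject -Identity $dn -Properties flags
$current = [int]$obj.flags          # attribute absent -> $null -> 0
$wanted  = $current -bor 1          # set bit 0, leave everything else as it is

if ($current -eq $wanted) {
    "flags already $current on $dn; drag-and-drop is disabled"
} else {
    Set-ADObject -Identity $dn -Replace @{ flags = $wanted }
    "flags changed $current -> $wanted on $dn; consoles pick it up on next start"
}

# To revert later, clear only bit 0:
#   Set-ADObject -Identity $dn -Replace @{ flags = ($wanted -band -bnot 1) }
```

The object lives in the configuration partition, so the change replicates to every DC and affects every ADUC console in the forest. It is a console-side safeguard against accidental moves, not a permission: who may move OUs is still decided by the ACLs Matt mentions, and a deliberate move still needs Directory Service auditing or one of the products named in the thread to be recorded.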




 
  
  
  
Re: [ActiveDir] Moving a Certificate Authority

2006-07-13 Thread steve patrick



Please run "certutil -ds > cert-ds.txt" and send us (or me) the text file.

steve

- Original Message -
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Thursday, July 13, 2006 1:42 PM
Subject: RE: [ActiveDir] Moving a Certificate Authority
  
  

Re: [ActiveDir] Acquisition of 2003 Forest - options & experiences

2006-07-13 Thread Al Mulnick
IIRC, the migration from citrix to your forest should be quite interesting. Better bet might be to create a new deployment of citrix in your target (if that's the way you intend to go) and as the new users get migrated you put them into the new environment. That gives the advantage of having a known state as a target.

Al

On 7/13/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

The tools are great from Quest - use either the Consolidator tool or the Domain Migration Wizard (DMW) depending on your scenario. The tools are a must for medium to large-scale customers.

Chuck


[ActiveDir] Replication Problem After DC Demotion

2006-07-13 Thread Riley, Devin
We just demoted a W2K DC in our primary site. The demotion was successful and the NTDS object associated with the DC was removed from AD Sites & Services.

In our only other site, the one domain controller is reporting replication problems. Replmon is reporting the following: The DSA Operation is unable to proceed because of a DNS lookup failure.

The error code from replmon is 8524

Over an hour has passed. The replication topology is automatic and we have all default settings in regards to replication schedules etc.

Any suggestions?

Devin





RE: [ActiveDir] Replication Problem After DC Demotion

2006-07-13 Thread Steve Linehan
From that machine can you run and post the output of repadmin /showreps /v ? Is the affected server Windows 2000 or Windows Server 2003 and what SP levels? I assume you also did not set any preferred bridgehead settings? You could also use ADLB.exe in report only mode to see the topology. I am guessing that if you let it bake a little more it will correct itself. Also what is the replication interval set on that site link, the minimum 15 minutes?

Thanks,

-Steve







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Riley, Devin
Sent: Thursday, July 13, 2006 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Problem After DC Demotion

RE: [ActiveDir] Replication Problem After DC Demotion

2006-07-13 Thread Tony Murray
Are the DNS client settings on the DC in the remaining site maybe pointing to the old DC?







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Riley, Devin
Sent: Friday, 14 July 2006 12:35 p.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Problem After DC Demotion

RE: [ActiveDir] Replication Problem After DC Demotion

2006-07-13 Thread Riley, Devin
The DNS settings are pointing to active DNS servers.

A coworker has researched the issue and found that the KCC could take two hours to fix the replication link. We have about a half hour to go to see if this is the case.

Thanks for the reply.

Devin Riley
Sr. Systems Engineer
City of Pasadena, Department of Finance
Information Technology Services Division
Phone: 626-744-7072 Fax: 626-396-7300




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, July 13, 2006 6:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problem After DC Demotion

RE: [ActiveDir] Replication Problem After DC Demotion

2006-07-13 Thread Riley, Devin
A coworker has researched the issue and found that the KCC could take two hours to fix the replication link. We have about a half hour to go to see if this is the case. So I think your idea of letting it bake a little while longer may do the trick

I will post more information if the problem continues.

Devin Riley
Sr. Systems Engineer
City of Pasadena, Department of Finance
Information Technology Services Division
Phone: 626-744-7072 Fax: 626-396-7300




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, July 13, 2006 5:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problem After DC Demotion

RE: [ActiveDir] Replication Problem After DC Demotion

2006-07-13 Thread Brian Desmond
You can run repadmin /kcc to force the KCC

Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132
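For the 8524 "DNS lookup failure" in this thread, an added example that is not from the thread: it lists each inbound replication partner of the affected DC and checks whether the partner's GUID-based CNAME under _msdcs still resolves, which is the lookup the replication engine performs before contacting a partner. It assumes the ActiveDirectory and DnsClient PowerShell modules (Windows Server 2012 or later) and uses $Dc as a placeholder for the affected DC.

```powershell
# Added example, not from the thread. For a DC that logs 8524 (DNS lookup failure), list each
# inbound replication partner and check that the partner's GUID-based CNAME under _msdcs
# still resolves. $Dc is a placeholder for the affected DC.
param([string]$Dc = $env:COMPUTERNAME)
Import-Module ActiveDirectory

$partners = Get-ADReplicationPartnerMetadata -Target $Dc -PartnerType Inbound -Partition *

foreach ($p in $partners) {
    # PartnerAddress is the <DSA-GUID>._msdcs.<forest> name the replication engine resolves.
    $target = $null
    try {
        $target = (Resolve-DnsName -Name $p.PartnerAddress -Type CNAME -ErrorAction Stop |
                   Where-Object QueryType -eq 'CNAME' | Select-Object -First 1).NameHost
    } catch { }
    $resolvesTo = if ($target) { $target } else { 'UNRESOLVED' }

    [pscustomobject]@{
        Partition      = $p.Partition
        Partner        = ($p.Partner -split ',')[1] -replace '^CN='   # server CN from the NTDS Settings DN
        PartnerAddress = $p.PartnerAddress
        ResolvesTo     = $resolvesTo
        LastResult     = $p.LastReplicationResult   # 0 = success, 8524 = DNS lookup failure
        LastSuccess    = $p.LastReplicationSuccess
    }
}
```

An UNRESOLVED partner that is the demoted DC means the link still exists on this side, which is the case Steve and Brian address (let the KCC re-run, or force it with repadmin /kcc); an UNRESOLVED partner that is still a live DC points at the DNS side, the CNAME missing or the DC's DNS client pointing somewhere that does not carry the _msdcs zone, as Tony asks.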











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Riley, Devin
Sent: Thursday, July 13, 2006 8:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problem After DC Demotion

[ActiveDir] Forest trust - domain drop down list

2006-07-13 Thread Tony Murray
Here's the scenario

Forest trust between ForestA and ForestB.
ForestA has two domains DomA1 (placeholder root) and DomA2
ForestB has one domain DomB

Users from DomA2 sometimes log into DomB member machines.  DomA2 is
not shown in the drop-down list of domain names in the login dialog.
DomA1 is shown.

Users from DomB sometimes log into DomA2 member machines.  DomB is
not shown in the drop-down list of domain names in the login dialog.

Is it normal behaviour for the drop-down list not to show all the
domains with trusts (including those that are transitive via the
forest trust)?  If so, is there any way to change the behaviour?

The users can obviously login using UPN, but they are not used to
doing this and there is talk of putting in an explicit domain trust
between DomA2 and DomB simply to get around this.  Ugh.

Tony



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

cough

Since ...uh.. you know ..me.. and uh... well...

I hang in the 'hood at times..what can I say?

Honestly in the 2k3/XP era I can't say I have browse master issues anyway...

Brian Desmond wrote:

I don't know anyone who goes in network neighborhood. My last AD gig had 90K windtel devices and 500K users at almost 800 WAN locations – going in nethood was a pretty silly idea...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, July 13, 2006 7:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Brian,

Could you please explain to me what you mean by "save for the browsing situation, but who uses that anyway?" Are you saying that your networks don't have browse masters? How do people find resources then?

Thanks.

RH

___

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: 13 July, 2006 1:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

I've got hundreds of sites/forests with multihomed DCs. It works fine save for the browsing situation, but who uses that anyway?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, July 12, 2006 8:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

Personally, I've never used that configuration for a DC. Since being bit in the nt4.0 days (before that really, but hate to show the age :) I've had architectural reasons to not do that. Since AD is made up of a multi-master fabric, I have had no reason at all to require an isolated network dedicated to backups. I get the feeling in your case it's just a nice to have vs. a requirement since you have the hardware and figure why not put it to use. You'd be a rare exception if the size of the dit is large enough to require such a configuration. Saying that, is it possible? Most likely. Will it be difficult when/if you call for support for some other issue to explain to the engineer that you have a multi-homed DC? Most likely. Does it break the "keep it as simple as possible while meeting the requirements" rule? Most likely.

When you test this, as the others have mentioned, be sure to test the recoverability and the gotchas that come along with bringing up a recovered DC on a multi-homed machine. You'll want to have that documented and thoroughly tested so as not to have to deal with that when under pressure. You may also want to consider an alternative backup method that doesn't require a dedicated network to the DC's.

Just some random thoughts and my $.04 (USD) worth.

Al

On 7/12/06, Jeff Green [EMAIL PROTECTED] wrote:

Hi Guys,

Many thanks to all that have responded (and so quickly !)

Points / clarifications / additional Qs

a) DNS multihomed issues

Yes, found that in the MS KB about not registering this connection in DNS on the second NIC.

Also leave the gateway / DNS TCP/IP settings blank on the second NIC.

b) Browser Issues

Several things in MS KB about this and fixes (including hacking a registry if I remember correctly)

But would Browser issues affect AD operations - I'm talking about replication issues here ?

c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3.

Sorry should have stated this.

d) Backup

Using BackupExec, which allows binding of remote agents to specific NICs

Have I got everything covered - I can't believe this is an unusual configuration ?

Many Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while
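Jeff's point (a) above, as an added example that is not from the thread: it reports, for each active adapter on a multihomed DC, whether the adapter registers its address in DNS and which DNS servers (in preferred-then-alternate order) and default gateway it carries, so a second NIC that still registers itself or still has a gateway or DNS servers configured is easy to spot; with -Enforce it switches registration off on every adapter except the one named by $PrimaryAlias (a placeholder). It assumes the NetAdapter, NetTCPIP and DnsClient PowerShell modules of Windows Server 2012 or later, which are not what a 2006 W2K box had.

```powershell
# Added example, not from the thread. Audits DNS registration, DNS server list and default
# gateway per active adapter on a multihomed DC; -Enforce disables DNS registration on every
# adapter other than $PrimaryAlias (a placeholder for the adapter that should be in DNS).
param([string]$PrimaryAlias = 'Ethernet', [switch]$Enforce)

$adapters = @(Get-NetAdapter | Where-Object Status -eq 'Up')

foreach ($a in $adapters) {
    $client  = Get-DnsClient -InterfaceIndex $a.ifIndex
    $servers = @((Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4).ServerAddresses)
    $gateway = @((Get-NetRoute -InterfaceIndex $a.ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue).NextHop)

    # A secondary (backup-network) NIC should neither register in DNS nor carry a gateway or DNS servers.
    $concern = ''
    if ($a.Name -ne $PrimaryAlias -and ($client.RegisterThisConnectionsAddress -or $servers.Count -or $gateway.Count)) {
        $concern = 'secondary NIC registers, resolves or routes'
    }

    [pscustomobject]@{
        Alias      = $a.Name
        Registers  = $client.RegisterThisConnectionsAddress
        DnsServers = $servers -join ', '     # order matters: preferred first, alternate second
        Gateway    = $gateway -join ', '
        Concern    = $concern
    }
}

if ($Enforce) {
    foreach ($a in $adapters | Where-Object Name -ne $PrimaryAlias) {
        Set-DnsClient -InterfaceIndex $a.ifIndex -RegisterThisConnectionsAddress $false
    }
    # Refresh the host (A) records now; the DC's SRV records are re-registered by Netlogon.
    ipconfig /registerdns
}
```

Run it without -Enforce first and read the Concern column: a backup-network address that has found its way into DNS is exactly what hands replication partners and clients an address they cannot reach, which is the failure mode the thread is circling around.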