[ActiveDir] AD Replication

2004-04-06 Thread Charles Carerros
Dear Group,

This might seem like a dull question but I have not been able to find a 
good answer for it, so here goes.

I was wondering if it is possible to use the delegate administration 
feature to give a non-admin the ability to force replication of an AD?

Thus far, we have been unable to do this.  The user has the ability to 
see everything in the Sites and Services plug-in; however, they still get 
an access error when they attempt to force the replication.

The error reads:

"The following error occurred during the attempt to synchronize naming 
context domain.ad.local from domain control domaincontroler to domain 
controller domaincontroler2:  Replication access was denied.

This operation will not continue."

Any suggestions?

Thanks,

Chuck
--
Charles D. Carerros
Systems Administrator
Information Technology Office
College of Letters and Science
University of Wisconsin -- Milwaukee
[EMAIL PROTECTED]
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
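The "Replication access was denied" error in the message above is the access check behind Replicate Now (DsReplicaSync underneath): it requires the Replication Synchronization control access right (DS-Replication-Synchronize) on the head of the naming context being synchronized, i.e. the domain, configuration or schema partition object itself, which is why a delegation on an OU does not help and why read access to Sites and Services shows everything but lets you force nothing. The script below is an added example, not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module (for the AD: drive), uses the thread's placeholder domain 'domain.ad.local' as the domain naming context, and the group 'DOMAIN\Replication Operators' is hypothetical. It lists every principal holding a replication-related extended right on a naming context head first, because the neighbouring rights Replicating Directory Changes and Replicating Directory Changes All together let a principal pull password hashes the way a domain controller does (the DCSync technique), and only then grants the one synchronize right.

```powershell
# Added example, not from the thread. Lists who holds replication-related
# control access rights on a naming context head and, on request, grants the
# one right that Replicate Now / DsReplicaSync checks. Assumes the RSAT
# ActiveDirectory module (AD: drive); the NC and group names are placeholders.
Import-Module ActiveDirectory

# Well-known control access right GUIDs (CN=Extended-Rights in the configuration NC).
$ReplRights = @{
    'DS-Replication-Synchronize'                 = [guid]'1131f6ab-9c07-11d1-f79f-00c04fc2dcd2'  # "Replication Synchronization"
    'DS-Replication-Manage-Topology'             = [guid]'1131f6ac-9c07-11d1-f79f-00c04fc2dcd2'
    'DS-Replication-Get-Changes'                 = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # these two together allow
    'DS-Replication-Get-Changes-All'             = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DCSync-style secret extraction
    'DS-Replication-Get-Changes-In-Filtered-Set' = [guid]'89e95b76-444d-4c62-991a-0facbeda640c'
}
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$AnyRight      = [guid]'00000000-0000-0000-0000-000000000000'   # ObjectType of an ACE covering all extended rights

function Get-ReplicationRightHolders {
    param([Parameter(Mandatory)][string]$NamingContext)   # e.g. 'DC=domain,DC=ad,DC=local'

    $acl = Get-Acl -Path "AD:\$NamingContext"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # GenericAll contains the ExtendedRight bit, so full-control ACEs are caught here too.
        if (($ace.ActiveDirectoryRights -band $ExtendedRight) -eq 0) { continue }

        if ($ace.ObjectType -eq $AnyRight) {
            $right = '(all extended rights)'
        } else {
            $right = ($ReplRights.GetEnumerator() | Where-Object { $_.Value -eq $ace.ObjectType }).Name
            if (-not $right) { continue }   # an unrelated extended right, e.g. Change Password
        }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Right     = $right
            Inherited = $ace.IsInherited
        }
    }
}

function Grant-ReplicationSynchronize {
    param([Parameter(Mandatory)][string]$NamingContext,
          [Parameter(Mandatory)][string]$Group)   # e.g. 'DOMAIN\Replication Operators' (placeholder)

    $sid  = (New-Object System.Security.Principal.NTAccount($Group)).Translate([System.Security.Principal.SecurityIdentifier])
    # One object-specific ACE: ExtendedRight limited to the Synchronize GUID, nothing else.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, $ExtendedRight,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $ReplRights['DS-Replication-Synchronize'])
    $acl = Get-Acl -Path "AD:\$NamingContext"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$NamingContext" -AclObject $acl
}

# Audit first: any principal outside the built-in default holders that shows
# Get-Changes together with Get-Changes-All needs an explanation.
Get-ReplicationRightHolders -NamingContext 'DC=domain,DC=ad,DC=local' | Format-Table -AutoSize

# Then delegate only the synchronize right, on each NC head the group must be able to sync.
# Grant-ReplicationSynchronize -NamingContext 'DC=domain,DC=ad,DC=local' -Group 'DOMAIN\Replication Operators'
```

Run the audit against all three partition heads (Get-ADRootDSE exposes their DNs as defaultNamingContext, configurationNamingContext and schemaNamingContext); the grant is per naming context, so a group that only needs to push the domain partition gets the right on the domain NC head only. Check Replication Topology in the same console needs Manage Replication Topology in addition, which this script deliberately does not grant.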


[ActiveDir] Importing IPSEC Policies into an OU

2004-04-15 Thread Charles Carerros
Hey all,

This might seem kinda odd and maybe I'm just doing something wrong.

But I tried to import an IPSEC policy (that basically just does port 
blocking) into an AD but I keep getting rejected due to permissions 
(apparently).

Now I don't have Domain Admin rights to the domain, however I have been 
delegated complete authority to the OU that I'm working in.  Does anyone 
know if there are additional issues dealing with the importing of IPSec 
policies at OU levels that I might be missing?

Thanks,

Chuck

--
Charles D. Carerros
Systems Administrator
Information Technology Office
College of Letters and Science
University of Wisconsin -- Milwaukee
[EMAIL PROTECTED]


Re: [ActiveDir] Importing IPSEC Policies into an OU

2004-04-15 Thread Charles Carerros
What I have is an exported .ipsec file (that was created on a local 
workstation). It contains the tested and fully functional IPSEC policy 
that I was advised to implement so my plan was to export the policy from 
the local machine and then import it into the GPO.

I am the GPO administrator and I can change the IPSEC stuff, I'm just 
not able to import the .ipsec file in the security area.  I was just 
trying to figure out if you were able to conduct that type of import on 
a GPO or if that only works on local workstations (which doesn't make 
sense) or the guy who set up my permissions may have just made a mistake 
when he granted me the admin rights to the GPO.

I guess I can ask the admin to recheck my privileges on the GPO to 
ensure that he has me set with the IPSEC part, but that doesn't seem 
that plausible of an option considering he said that he granted my 
privileges using the delegate administration feature.

Is there a big difference between using the .ipsec file instead of the 
.inf file?

Thanks,

chuck

Darren Mar-Elia wrote:

Charles-
When you say you're importing IPSEC, I assume this means you have an
.inf file that you've created that you importing into an OU-linked GPO?
The ability to make changes to a GPO are governed by the permissions on
the GPO object itself, which is not stored in the OU but rather under
the System\Policies container in your domain (and also in SYSVOL). If
you view the permissions on the GPO object itself, you should be able to
see if you have modify rights on that GPO. If you don't, you'll need to
get the owner of that GPO to grant you those rights explicitly for that
GPO.
Darren

--
Charles D. Carerros
Systems Administrator
Information Technology Office
College of Letters and Science
University of Wisconsin -- Milwaukee
[EMAIL PROTECTED]


Re: [ActiveDir] Importing IPSEC Policies into an OU

2004-04-15 Thread Charles Carerros
The problem is with permission.  GPOs are considered domain policies for 
permissions although they can be linked at lower levels.  So my problem 
is that I don't have access to import domain level policies.  I'm going 
to have to have someone else do that for me.

Thanks for the help,

chuck

Darren Mar-Elia wrote:

Chuck-
Sorry, it's been a while since I've touched IPSec. So IPSec is not
supported through .inf security templates--you're using the right
approach. I confirmed that it is possible to import an IPSec policy
created on a local workstation GPO into a domain-based GPO. I did it and
it worked just fine. Of course, I was logged on as Administrator on the
domain. You should have your administrator who set up your permissions
confirm that you have sufficient permissions on that GPO. I have found
that the clearest tool to use for this kind of delegation is GPMC. It
presents delegation through the Delegation tab on the GPO and provides a
clear set of rights for the different levels of GPO access. If you try
to do this using the Delegation of Control Wizard, it's not nearly as
clear, nor is it geared towards delegating GPO rights, since when you
permission a GPO, you have to permission both the part of it held in AD
and the part held in SYSVOL.
Darren




--
Charles D. Carerros
Systems Administrator
Information Technology Office
College of Letters and Science
University of Wisconsin -- Milwaukee
[EMAIL PROTECTED]
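Darren's point that a GPO is two objects with two ACLs (the groupPolicyContainer under CN=Policies,CN=System in the directory and the folder under SYSVOL) is easier to check with a script than by eye, and for IPsec there is a third object in play: domain IPsec policies are not stored in the GPO at all but as ipsecPolicy objects under CN=IP Security,CN=System in the domain, and the GPO only assigns one of them. Importing a policy into a domain-linked GPO therefore also needs create rights on that container, which is the domain-level permission Chuck ends up describing. The script below is an added example, not code from the thread; it assumes the RSAT GroupPolicy and ActiveDirectory modules, and the GPO name 'IPsec port blocking' at the bottom is a placeholder.

```powershell
# Added example, not from the thread. For one GPO, lists who can write to each
# of its three relevant places: the groupPolicyContainer in AD, the folder in
# SYSVOL, and the domain's IP Security container where IPsec policies live.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules; the GPO name is a placeholder.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoWriteAccess {
    param([Parameter(Mandatory)][string]$Name)

    $gpo    = Get-GPO -Name $Name
    $domain = $gpo.DomainName
    $guid   = '{' + $gpo.Id.ToString().ToUpper() + '}'
    $adWriteRights = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner'

    # AD half: any of these rights lets the holder change the GPO object's
    # attributes (gPCFileSysPath, version, WMI filter link) or re-ACL it.
    $adWriters = (Get-Acl -Path "AD:\$($gpo.Path)").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -match $adWriteRights } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    # SYSVOL half: the Machine\ and User\ settings files (registry.pol,
    # GptTmpl.inf, scripts, GPT.ini) live here, so write here is write to the
    # policy regardless of what the AD object's ACL says.
    $sysvol = "\\$domain\SYSVOL\$domain\Policies\$guid"
    $fsWriters = (Get-Acl -Path $sysvol).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'FullControl|Modify|Write' } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    # IPsec container: importing a .ipsec file into a domain GPO creates
    # ipsecPolicy objects here, not in the GPO, so CreateChild is needed too.
    $ipsecDn = 'CN=IP Security,CN=System,' + (Get-ADDomain -Identity $domain).DistinguishedName
    $ipsecWriters = (Get-Acl -Path "AD:\$ipsecDn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -match "CreateChild|$adWriteRights" } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Gpo            = $Name
        AdWriters      = $adWriters
        SysvolWriters  = $fsWriters
        IpsecCreators  = $ipsecWriters
        OnlyInAd       = @($adWriters | Where-Object { $_ -notin $fsWriters })
        OnlyInSysvol   = @($fsWriters | Where-Object { $_ -notin $adWriters })
    }
}

Get-GpoWriteAccess -Name 'IPsec port blocking' | Format-List
```

GPMC's Delegation tab (and Set-GPPermission in the GroupPolicy module) write the AD and SYSVOL halves together; a Delegation of Control grant on the container alone, or an NTFS change on SYSVOL alone, is what produces the OnlyInAd and OnlyInSysvol lists above. Those mismatches matter beyond troubleshooting: write access to either half is enough to change what the policy does on every computer it applies to, so anyone outside the expected editors in any of the three lists deserves a look.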

[ActiveDir] GPO Question

2003-07-30 Thread Charles Carerros
Hey all,

For the past few years I have been doing my GPOs primarily based upon
the user settings.  (We don't have a firewall on my campus so by
disabling a lot of stuff using the security portion of the user GPO I
can help reduce the security risk.)  However, I have just been asked to
only use computer based GPOs (a migration scheme will leave me no access
to user accounts).  

1)  I was wondering if anyone has any suggestion (pro or con) to doing
only computer based policies?

2)  Are there any really good documents that might help clarify the
process by which loopback (and troubleshooting loopback) is utilized?  I
will probably need to implement this in order to have a good policy.

3) Does anyone here only do computer based policies?  What is your
experience with them?

I am going to re-read the Microsoft Group Policy white paper tonight,
but if anyone knows of any additional documentation that is related to
this and might discuss the issues (negative or positive) about this type
of organization scheme, it would be tremendously helpful.

Just for a little more background, if I end up implementing the scheme
that was suggested to me today it would consist of a five level OU
structure with 1 OU at 1 tier, 1 OU at 2 tier, 35 OUs at 3 tier, 4 OUs
at 4 tier and 2 OUs at 5 tier (not all of the 4th tier OUs will have a
fifth, only about 40% of them.)

Does anyone have any feedback of having a five level nested OU
structure.  I would like to maintain my current 3 tier OU structure, but
I need some technical ammo to defend my structure with.

Thanks,

Chuck


RE: [ActiveDir] Group Policy Folder Redirection Question

2002-06-25 Thread Charles Carerros

Before you do that registry wipe, it might be easier to just wipe out
the user profile and then log in again.  I haven't tried it but it should
work correctly.

And it is easier than messing with the registry.

-Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED]] 
Sent: Monday, June 24, 2002 4:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy Folder Redirection Question


Know where I can fix that in the registry?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Narkinsky,
Brian
Sent: Monday, June 24, 2002 1:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy Folder Redirection Question


I believe in this case it "tattoos" the registry.  That is it makes the
changes permanent to the local registry.  Once it is done the only way
to undo is manually edit the registry.

Brian

-Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 24, 2002 3:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy Folder Redirection Question


Ok so I did the secedit /refreshpolicy user_policy and for
machine_policy but whenever I log in with the Admin account or the test
account they're still pointed to the old location. Is there something else
I need to do?

-Chris

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Darren Sykes
Sent: Saturday, June 22, 2002 12:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy Folder Redirection Question


Chris,

It should work pretty much instantly.
To refresh the policy you can use secedit /refreshpolicy or more
recently gpupdate (XP).

Darren.




-Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED]] 
Sent: 21 June 2002 23:20
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy Folder Redirection Question

Anyone?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Christopher
Hummert
Sent: Friday, June 21, 2002 11:12 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Group Policy Folder Redirection Question


Ok so I have a new server and a new domain that I'm setting up. I was
editing the default domain policy and I was setting up folder
redirection. I set up the application data to redirect to
\\server\share\%username%\ and the same place with the My Documents and
the Desktop folder. I realised my mistake of not adding the \My
Documents\, \Application Data\ and \Desktop\ after the string when I
logged out and logged back in. I currently have 2 users on this machine, one
is the administrator and one is the test account. I've corrected the
mistake in the default domain policy but the users on the machine don't
seem to have had the change affect them yet. Is there any way to get
these changes to update to the current users?


Thanks
Chris Hummert


Network Administrator - Albany Agency of Insurance
Webmaster for Noghri.net
http://www.noghri.net
MS Beta tester ID #: 388366

"Sometimes I think the surest sign that intelligent life exists elsewhere
in the universe is that none of it has tried to contact us."

- from Calvin and Hobbes






RE: [ActiveDir] XP and RIS

2002-07-08 Thread Charles Carerros

To end the PID what you need to do is edit the RIPREP.SIF file.  It
should be located in the
\RemoteInstall\Setup\applicable_language\Images\applicable_image_name\I386\Templates\RIPREP.SIF 

(change the applicable stuff as needed).

You need to type 
ProductID = "----" 

Include the dashes and the quotation marks, where the  is the PID of
the retail version of the OS, into the [UserData] section of the
RIPREP.SIF file.  

However, if you leave the PID out it should just ask for it during the
installation process.  Of course that means that the user knows what the
PID is.

chuck

-Original Message-
From: Morgan, Joshua [mailto:[EMAIL PROTECTED]] 
Sent: Monday, July 08, 2002 12:35 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] XP and RIS


Question:
If I'm required to activate Windows XP as well as use and Unique
product, how do I do this automatically with RIS?

What are you guys doing to solve this problem?


Joshua






Joshua Morgan
PROFITLAB
Senior Network Engineer
PH: (864) 250-1350 Ext 133
Fax: (413) 581-4936
[EMAIL PROTECTED]
http://www.profit-lab.com
http://ncontrol.info

The greatest glory is not in never failing, but in rising up every time
we fall.
-- Confucius 




RE: [ActiveDir] XP and RIS

2002-07-08 Thread Charles Carerros

Hey,

Sorry, I can't help you there I have a site license for all MS products
I only use one PID for all my installations (in fact besides XP I don't
use PIDs at all).  

Maybe I could suggest a workaround though.  When you instruct your users
how to do the network boot you could give them a PID to use and set the
RIS to request that during installation, then you could put a runonce
script on the RISPREP that could do the activation, if you know what the
activation numbers are.  

I don't know, maybe what I am suggesting is more work than it is worth,
but you never know.

chuck

-Original Message-
From: Morgan, Joshua [mailto:[EMAIL PROTECTED]] 
Sent: Monday, July 08, 2002 1:54 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] XP and RIS


What about Activation and the Fact that you would have 1 PID for All
your machines?







Joshua Morgan
PH: (864) 250-1350 Ext 133
[EMAIL PROTECTED]
http://www.profit-lab.com
http://ncontrol.info





[ActiveDir] OT: Unable to browse across the subnets/gateways

2002-10-03 Thread Charles Carerros
Okay,

Situation:
I have two subnets (subnet A and subnet B) with gateways between them.  All my DCs (and the rest of my server farm) are on subnet A.  There are clients on both subnets.  All the clients are either Windows XP or Windows 2000 Prof patched to current standards.  The servers are all Windows 2000 fully patched.

Problem:
For some reason I am unable to browse the network from any client on subnet B.  On subnet A I can only browse those computers and servers that are located on subnet A.

Attempted Fixes:
I have reviewed my current services.  I checked my WINS servers.  I can locate all machines if I search Active Directory using the Find Computers option.  The IPC$ is mapped.

Any suggestions would be helpful.

Thanks,

Chuck


RE: [ActiveDir] OT: Unable to browse across the subnets/gateways

2002-10-04 Thread Charles Carerros
Thanks for the suggestions Kevin, but unfortunately the solution isn't so nice.  My IPC$ admin share is messed up and that is what is causing my problems.  Now all I have to do is figure out how to fix that part.

Thanks for the input,

Chuck

-Original Message-
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 03, 2002 4:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Unable to browse across the subnets/gateways

What are the subnets?  And what is the gateway config?

Also, when you say browse do you mean Network Neighborhood?  If so, play with the LMHosts file to see if you can force resolution; if you can, it is probably a WINS issue.  Are the servers WINS clients?  Do the registrations look OK?

Can the XP/2k systems log on?  Can they ping via FQDN and IP?

Make sure you separate the hostname function and the NetBIOS function when you troubleshoot this one.  If it is Net Neighborhood :( then it is probably a WINS issue or browser service issue.  Are there errors in the System event log?

Kevin



RE: [ActiveDir] Domain Controllers per users...

2002-11-08 Thread Charles Carerros
You will want to check out the Executive summary on

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/plan/bpaddsgn.asp

Thanks,

Chuck

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 07, 2002 5:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Domain Controllers per users...

I can't imagine how one could make such a recommendation without at least taking into account the DC h/w characteristics and the network characteristics.

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 07, 2002 11:11 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Domain Controllers per users...

Greetings all,

Quick question, has anyone seen a KB or White paper that outlines the guideline of how many DC's you need per number of users.  The old rule for NT4 was 1 BDC for every 2000 active users.  I have read all the AD sizing papers etc, but just wanted to know if anyone remembered coming across this little tidbit.

Thanks,

Todd Myrick


RE: [ActiveDir] Domain Controllers per users...

2002-11-08 Thread Charles Carerros
To be a little more specific:

Deploy => Research Product Specs => Sizing Guidelines for Windows 2000 Domain Controllers and Global Catalog Server

Then the Executive Summary.

Sorry for the second e-mail.

Chuck



RE: [ActiveDir] Domain Controllers per users...

2002-11-08 Thread Charles Carerros
Well,  If you read the real text then it will go into more detail.  I
was just pointing out the beginning of the document.  After all there
are no page and paragraph numbers on those documents.  

-Original Message-
From: Craig Cerino [mailto:Craig_Cerino@;Tiel.com] 
Sent: Friday, November 08, 2002 8:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controllers per users...


HAHAHAHA - now THAT was funny! :) 

-Original Message-
From: Roger Seielstad [mailto:roger.seielstad@;inovis.com] 
Sent: Friday, November 08, 2002 9:19 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Domain Controllers per users...

Yeah - I base all technical recommendations on Executive Summaries.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA





RE: [ActiveDir] AD upgrade DNS namespace questions.

2002-12-05 Thread Charles Carerros
I would like to see where this best practice rule came from.  My
university is using the .local structure because when we begin putting
up AD domains this was the best practice.  Right now we are considering
a proposal to put up another AD domain and I would like it to be as
up-to date as it can be.  So, can you point me in the direction of your
source.

Thanks,

Chuck

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, December 05, 2002 2:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD upgrade DNS namespace questions.


While there's no requirement to use *the* organizations DNS domain, it
is strongly suggested to use a valid, registered DNS domain, and NOT to
use .local

Specifically, it guarantees uniqueness of domain names, in case there
is ever a time in which 2 organizations decide to enter a trust
relationship, etc.

We chose to register 2 generic DNS names for our forest root and
production domains. The .local suggestion was done, IIRC, as part of the
JDP program, and after the deployments began, it became apparent that
there are some pretty big potential conflicts out there, and that using
valid, registered domains is really the best practice.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 05, 2002 3:16 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD upgrade DNS namespace questions.
> 
> 
> I have done 5 enterprise sized production
> installations/implementations
> of AD and have always used the .local dns suffix.  AD's DNS does not
> need to be globally routable.
> 
> Example:
> NetBIOS domain name of  ThanksBill
> DNS domain name of  ThanksBill.local
> 
> Internal DNS (unregistered DNS) and External DNS (your registered DNS
> name) are then maintained in separate zones (Internal never to be 
> replicated outside your network).  My internal clients are assigned 
> the internal zone as the primary DNS suffix through DHCP (done
> manually for
> static IPs) and I add the external DNS zone as an alternate search
> suffix.  Intranet sites are registered in the non registered zone
> intranet.thanksbill.local and internet sites are registered in the
> registered DNS zone  www.thanksbill.com 
> 
> If you were hosting your own registered DNS zone and maintained it on 
> your internal network letting TCP and UDP port 53 pass through your PIX,
> this setup would keep the AD DNS and Registered DNS zones 
> separate... a good thing indeed.  I would never recommend allowing 
> any traffic to pass
> into your internal network, this was just an example.  I would host my
> registered DNS in a perimeter zone (DMZ for those of us not in Korea)
> and maintain my MX and Internet records separate from my internal DNS
> servers.
> 
> I am sure others have a more articulate explanation, but I
> think you are
> on the right track.
> 
> 
> 
> -Original Message-
> From: Jim Busick [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 05, 2002 2:32 PM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] AD upgrade DNS namespace questions.
> 
> 
> We are planning to upgrade our single NT domain to AD and I
> want to make
> sure I understand about how we will name the domain. Currently our NT
> domain name is SSD_DOMAIN0 (yeah, I know. I was handed it) and our
> registered domain name is santee.k12.ca.us. We are NAT'd behind a PIX
> and using 10. private address and only need our website and Exchange
> (5.5) visible to the internet. As I understand it, when I run 
> the Win2k
> upgrade I will be asked for the FQDN, I assume that I should use
> santee.k12.ca.us, right? If I do, how will this affect our 
> downlevel (we
> still have W9x) clients. I've read that I shouldn't use your 
> registered
> DNS name for the AD, something like ssd.santee.k12.ca.us. Any 
> advice on
> this subject would be appreciated.
> 
> TIA
> Jim Busick
> Database Network Analyst MCSE
> Santee School District
> Santee, CA 92071
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
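The thread above argues two things: a forest or domain name placed under a DNS domain the organisation has registered is globally unique, so a later trust or merger cannot collide, while .local is not; and reusing the public zone name itself (santee.k12.ca.us) forces split-brain DNS. The following checker is an added example, not code from the thread or from any of its posters. It encodes those rules offline: the list of registered domains is an assumption supplied by the caller, nothing is resolved on the network, and ad.santee.k12.ca.us in the demo is a hypothetical subdomain, not one the poster proposed.

```python
"""Sanity-check proposed Active Directory DNS namespaces (added example)."""
import re
from collections import Counter

# Special-use top-level labels (RFC 2606, RFC 6761, RFC 6762). .local is
# claimed by multicast DNS, so an AD forest named under it fights mDNS.
RESERVED_TLDS = {"local", "localhost", "test", "example", "invalid"}
# Labels ICANN withheld from delegation because internal networks squat on them.
COLLISION_TLDS = {"corp", "home", "mail"}

# One DNS label: letters, digits, hyphen, 1-63 chars, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalise(name):
    """Canonical form for comparison: trimmed, no trailing dot, lower-case."""
    return name.strip().rstrip(".").lower()


def assess(name, registered):
    """Return a list of findings for one proposed AD DNS name; empty means fine.

    `registered` is the caller's assumption about which public zones the
    organisation actually owns (e.g. ["santee.k12.ca.us"]).
    """
    name = normalise(name)
    owned = [normalise(r) for r in registered]
    labels = name.split(".")
    findings = []

    bad = [lbl for lbl in labels if not LABEL_RE.match(lbl)]
    if bad:
        findings.append("invalid DNS label(s): " + ", ".join(bad))

    if len(labels) == 1:
        # A NetBIOS-style single label is not a workable AD DNS name.
        findings.append("single-label name: strongly discouraged for AD")
        return findings

    tld = labels[-1]
    if tld in RESERVED_TLDS:
        findings.append("." + tld + " is a special-use name (RFC 6761/6762)")
    elif tld in COLLISION_TLDS:
        findings.append("." + tld + " is withheld by ICANN for collision risk")

    if name in owned:
        # Internal zone shadows the public one: every public record (www, MX
        # targets) must be duplicated inside or internal clients cannot reach it.
        findings.append("same as the public zone: requires split-brain DNS")
    elif any(name.endswith("." + o) for o in owned):
        pass  # subdomain of a registered zone: unique and no split-brain
    else:
        findings.append("not under a registered domain: uniqueness not guaranteed")
    return findings


def trust_collisions(forest_names):
    """Names used by more than one forest in a set that is to be trusted together."""
    counts = Counter(normalise(n) for n in forest_names)
    return sorted(n for n, c in counts.items() if c > 1)


if __name__ == "__main__":
    owned = ["santee.k12.ca.us"]  # assumption: the district's registered zone
    for candidate in ("SSD_DOMAIN0", "thanksbill.local",
                      "santee.k12.ca.us", "ad.santee.k12.ca.us"):
        print(candidate, "->", assess(candidate, owned) or "ok")
    # Two organisations that both picked corp.local cannot trust each other.
    print("collisions:", trust_collisions(["corp.local", "CORP.local.", "ad.example.org"]))
```

Running the demo shows the poster's registered name flagged for split-brain, the .local name flagged both as special-use and as unregistered, the NT-style single label rejected outright, and only the hypothetical subdomain passing clean.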



RE: [ActiveDir] Back to Basics - Design Pros and Cons

2002-12-11 Thread Charles Carerros
I agree with Craig, however I would still stick with one domain and use
the OU structure to the max.  Maybe creating an OU for each campus and
then dividing them down by departments or students and staff or whatever
you find to work best.

That is what I have found to work best because then you can have the
departments do their own administration at their level.  And one of the
most difficult things that I have found on my campus is the politics and
this kind of concept helps.

But do what you must,

chuck

Thank you,
 
Charles Carerros
IS Network Specialist
Center for International Education
University of Wisconsin -- Milwaukee
Garland Hall RM 117
[EMAIL PROTECTED]
P:  (414) 229-3604
F:  (414) 229-3626


-Original Message-
From: Craig Cerino [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, December 11, 2002 8:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons


Max, 

While I think there are a LOT of issues that should be addressed
(probably too many for you to get enough quality feedback through an
email forum) there are a few basic things I would recommend considering.

1. Who needs to do what or get where (appliance wise)
2. What needs to be accessible to these people (as a whole)
3. Who needs to be able to access what?

Again, these are just "tip of the Iceberg things" but that is where I'd
start. I'm guessing by what you said and the mere fact that it is a
multi campus university, that you have a healthy reliable backbone in
place already.

While multiple FORESTS are doable (some people may even lead you down
that path - your decision) I always consider them to have a TON of
administrative and maintenance related overhead. (Not sure how large
your team is that will support this architecture) 

If it were me (because I never tell someone "THIS IS WHAT YOU SHOULD
DO") I would forget about the domain for each campus etc. I would stick
with two domains FACULTY and STUDENTS (naming convention to be decided
later) and move on from there.

Just my 2 cents Max.

Good luck with this project - sounds exciting to me. 

Craig  


Craig P. Cerino
MCSE, MCP+I
Systems Administrator
TIE SOLUTIONS, Inc




> -Original Message-
> From: Wohlgehagen, Max W
> [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, December 10, 2002 8:20 PM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] Back to Basics - Design Pros and Cons
> 
> 
> There is so much material out there on AD now it is almost
> scary [in many ways it is not too dissimilar to NDS 'cepting 
> the DNS component] My problem is design for a new network, 
> being in a school we have the luxury of starting from scratch 
> without business fallout problems. We are multi-campus and 
> have a fairly substantial network with an 11MB "Spread 
> Spectrum" Microwave link between campuses. I am a big fan of 
> the KISS principle but am stuck in deciding between multiple 
> trees or a single tree with many sites, both concepts have 
> advantages. We do not need to implement a Forest structure 
> as our DNS is set in concrete. We have the following 
> elements: Campus1, Campus2, Students1, Students2, Staff1, 
> Staff2 ... or OrganisationAll, StaffAll, StudentsAll. 
> Obviously there are sub components of these elements as well. 
> The main concern is to have the most useful GPO structure 
> without too much complexity. Does anyone have any experience 
> in setting up this type of AD. Any ideas on multiple domains 
> versus single domain many sites?? Help, opinions, comments, 
> ideas all welcome. Thanks.
> 
> Max Wohlgehagen
> TSI - Rowville 
> "Of all the things I've lost, it's my mind I miss the most." 
> 
> 
> 
> ***************************************************************
> Important - This email and any attachments may be 
> confidential. If received in error, please contact us and 
> delete all copies. Before opening or using attachments check 
> them for viruses and defects. Regardless of any loss, damage 
> or consequence, whether caused by the negligence of the 
> sender or not, resulting directly or indirectly from the use 
> of any attached files our liability is limited to resupplying 
> any affected attachments. Any representations or opinions 
> expressed are those of the individual sender, and not 
> necessarily those of the Department of Education & Training.
> 
> 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] OT- Terminal Services/Remote Desktop Issue

2002-12-11 Thread Charles Carerros
Might have something to do with the "generic network problems message".

Or it might have something to do with the network configuration.  Or with any
firewalls that might be present.  Is the Server configured to allow
terminal services?  Does the Server have a static IP address and is it
listed in the DNS server?  Does the laptop have the correct DNS server
listed?  Are you trying to cross subnets; if so, do you have WINS servers
up?  When you use the RDC do you enter IP addresses or computer
names?  Is the server name mistyped?

The connection probably isn't the issue.  Maybe a little more information might
help.

chuck

-Original Message-
From: Kevin Felker [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, December 11, 2002 10:24 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT- Terminal Services/Remote Desktop Issue


All,

One of my coworkers has a laptop with Windows XP and wants to Remote Desktop into
one of our servers.  He upgraded the laptop from WIN 2k to WIN XP.  We also put
the Server on the domain.  It seems as though his laptop is the only machine
that cannot Terminal Service into the server.  It doesn't even give it a chance,
just gives the generic network problems message.  He can Remote Desktop into our
other Win 2k Servers on the domain.  Does anyone have any ideas as to what is
going on?

I told him to just Remote Desktop into his PC and then from there Remote Desktop
to the server, but he doesn't like that idea. :)

What is wrong with the connection?

RE: [ActiveDir] Policy on password

2003-02-18 Thread Charles Carerros
Do you have a minimum password age set?  Or do you have the "User
cannot change password" box checked?  

-Original Message-
From: John Balos [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, February 18, 2003 12:42 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Policy on password


I have a policy set for passwords; the passwords are set to expire every
90 days. When the passwords are about to expire, users are told that
"Your password will expire in 5 days. Do you want to change your
password now?" (The number changes, it does a countdown). However, if
the user says yes to try and change the password, they get a message
that tells them, "you do not have permission to change your password".
Does anyone have any idea what could be causing this? 


Thank you,

John
 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/