Re: [ActiveDir] Separate AD forest in a DMZ

2006-02-15 Thread FDiskThePC
For simplicity's sake, let's just say that I need to use
my production AD account to access a Windows file
share in the DMZ.  Thanks.

-FDiskThePC

--- Al Mulnick <[EMAIL PROTECTED]> wrote:

> What kind of resources specifically?  Web based
> only?  Or other? If other,
> what kinds?
> 
> Trusts might be the least of your concerns depending
> on traffic types.
> 
> Also, what are the security requirements? Is this
> something that has to be
> monitored via IDS systems?  What other security
> requirements?
> 
> I understand if you can't answer some of this in a
> public forum.  You're
> welcome to drop a note directly or not answer at
> all. But these types of
> answers are critical to making any suggestions as
> they frame up the
> boundaries.
> 
> Al
> 
> 
> 
> 
> On 2/13/06, FDiskThePC <[EMAIL PROTECTED]> wrote:
> >
> > Good point.  The requirements are that the DMZ forest
> > needs to have a one way trust to the production forest
> > so that user accounts in the production forest can
> > access DMZ resources.
> >
> > --- Al Mulnick <[EMAIL PROTECTED]> wrote:
> >
> > > It's not clear what the requirements are nor what
> > > you expect to break.  You
> > > aren't thinking of putting a MSCS across a firewall
> > > anyway, now are  you?
> > > Better yet, if so, which type of cluster?
> > >
> > >
> >
> >
> 


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] Separate AD forest in a DMZ

2006-02-13 Thread FDiskThePC
Good point.  The requirements are that the DMZ forest
needs to have a one way trust to the production forest
so that user accounts in the production forest can
access DMZ resources.

--- Al Mulnick <[EMAIL PROTECTED]> wrote:

> It's not clear what the requirements are nor what
> you expect to break.  You
> aren't thinking of putting a MSCS across a firewall
> anyway, now are  you?
> Better yet, if so, which type of cluster?
> 
> 




[ActiveDir] Separate AD forest in a DMZ

2006-02-13 Thread FDiskThePC
Hey Guys,

I need to setup a separate AD forest in our DMZ to
accommodate the need for a domain (SQL log shipping,
Windows clustering, etc).  The issue is that we're
using NAT and a Cisco PIX between our production
network and the DMZ network.  So even though our
production network is 172.16.x.x, for example, the DMZ
sees these resources as 10.10.x.x.

From everything I've read, NAT breaks a lot of things,
but unfortunately we must use NAT.  Anyone have any
real world experience with this?  Any suggestions
would be appreciated.

-FDiskThePC



RE: [ActiveDir] Inter-site Urgent replication

2003-11-20 Thread FDiskThePC
I have modified all 108 of our Windows 2000 DC's to
use the Windows 2003 intrasite defaults of 15/3
seconds with no problems.

-Rick

--- Joe <[EMAIL PROTECTED]> wrote:
> We actually have the holdback and pause cranked down
> to 30 seconds and 15
> seconds on my DC's in my data center sites (all
> 100Mbs switched with Gig
> backbone) and it works fine. Had to crank it up to
> keep Exchange 2000
> happy... Heh.
>  
> As for the bridgeheads, once you get to W2K3 you
> will get load balancing on
> your bridgeheads - not dynamic but better than what
> you have now. You can
> also look at a tool now called ADLB which will
> stagger your bridgeheads for
> a given site. If you have DC's that could
> potentially be really slow or bad
> network to them this could be a good thing because
> one bridgehead can become
> an anchor if its ONE SINGLE INBOUND REPLICATION
> thread gets tied up with a
> bad DC or bad network to a DC until it can finally
> time it out and dump it
> which can vary depending on when it went bad... I
> think the max is something
> like 40 minutes but it has been a while since I have
> looked at it. Now if I
> get something backing me up I run a little perl
> script that smokes the DNS
> records and keeps them smoked until I know that DC
> is back talking properly.
> 
>  
> But again... each DC has (by default) 25 outbound
> threads for listening for
> replication pulls... they all only have ONE inbound
> thread. If that inbound
> ties up, that DC is bottlenecked. PSS and I have
> agreed to disagree that
> that is a good design. :o)  
>  
>   joe
> 
> 
>   _  
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Ayers, Diane
> Sent: Tuesday, November 18, 2003 10:58 AM
> To: [EMAIL PROTECTED]
> 
> 
> All:
>  
> Thanks for the tips and hints.  It seems that urgent
> replication is working
> better this AM.  I tracked a locked account from the
> source DC to the
> replication partners and it seems to be bypassing
> the replication schedule.
> Too cool...
>  
> I'm still seeing some delay between the DCs that are
> "second hop" from the
> source via the replication topology but it seems to
> be a result of the new
> replication topology as opposed to anything else. 
> As Joe mentioned, the
> bridgehead server issue between sites comes into
> play.  
>  
> I was curious if anyone has tweaked the holdback
> timing and pause rates.
> I'm inclined to tweak those settings to see better
> replication times as it
> seems that it has been tweaked already in 2003. 
> We're planning to go to
> 2003 after the holidays but want to see if anyone
> has taken the plunge in
> Win2K.
>  
> Diane
> 
>   _  
> 
> From: GRILLENMEIER,GUIDO (HP-Germany,ex1)
> [mailto:[EMAIL PROTECTED]
> 
> Sent: Tuesday, November 18, 2003 1:14 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Inter-site Urgent
> replication
> 
> 
> 
> this is not only useful in the scenario described in
> this thread - if you
> generally want to speed up intra-site replication
> between DCs, you'd also
> want to work on these settings (not in 2k3, where
> it's as quick as it can
> get anyways and where the registry key is removed by
> default):
> 
> Registry Key to change Windows 2000 Replication behavior
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
> - Replicator notify pause between DSAs (secs)  => pause between notifications
> - Replicator notify pause after modify (secs) => pause to send first notification after a change
> 
> Default values: pause after modify / pause between DSAs
> 
> * Windows 2000: registry values
>   * 5 minutes / 30 seconds
> * Windows 2003: new default values if registry keys are not set
>   * 15 seconds / 3 seconds
> 
> 
> 
> _ 
> From:   Rick Kingslan [ 
> mailto:[EMAIL PROTECTED] 
> Sent:   Tuesday, 18 November 2003 05:34 
> To: [EMAIL PROTECTED] 
> Subject:RE: [ActiveDir] Inter-site Urgent
> replication 
> 
> So, you're thinking with ATM between DCs I can crank
> up the holdback timing
> and pause rates?  Neat. 
> 
> ;op 
> 
> Rick Kingslan  MCSE, MCSA, MCT 
> Microsoft MVP - Active Directory 
> Associate Expert 
> Expert Zone - www.microsoft.com/windowsxp/expertzone
> 
> WebLog - www.msmvps.com/willhack4food 
>   
> 
> 
> _ 
> From:   [EMAIL PROTECTED] [
> 
> mailto:[EMAIL PROTECTED]  On
> Behalf Of Joe 
> Sent:   Monday, November 17, 2003 10:23 PM 
> To: [EMAIL PROTECTED] 
> Subject:RE: [ActiveDir] Inter-site Urgent
> replication 
> 
> Cool in that case I would do the same... Also if it
> is W2K and your
> bandwidth can truly handle it I would turn down the
> timing for holdback and
> pause between dsa's. 
> 
>   joe 
> 
> 
> _ 
> From:  [EMAIL PROTECTED] [
> 
> mailto:[EMAIL PROTE

Re: [ActiveDir] Backup Topology Suggestions

2003-11-20 Thread FDiskThePC
We only do tape backup of our FSMO role DC's.  We also
use a scheduled script to backup the System State to
disk on all the DC's at Corporate just so that our
backup is only ever two hours old.  Worst case is that
we have to go to tape.

Not many folks talk about this, but restoring group
memberships is tricky if you haven't hit this already.
 We run a csvde dump of the entire AD every night so
that we have something to manipulate in case of
disaster.

I will elaborate since I don't contribute that much to
the list... forgive me if I digress.  If someone
deletes an OU, and you authoritatively restore it,
people's group memberships to groups outside of this
OU will not be restored.  It's sort of by design,
because you didn't restore the groups.  But how do you
know what groups to restore since those memberships
are now lost?  To make matters worse, group
memberships to groups inside the OU may also be lost! 
This is because of the nature of AD replication - see
KB 280079.  It's a real mess.

-Rick

--- "Donovan, Michael" <[EMAIL PROTECTED]> wrote:
> Hi-
> 
> I'm hoping someone can offer suggestions: we are
> moving over to an AD
> infrastructure next month and I am trying to come up
> with a good backup
> topology, not a plan, that would allow us to capture
> a complete backup
> of the AD in a domain with 4 sites: LA, Phila, and
> London and Spain.
> 
> My connection to LA and Phila is good, London to LA
> and Phila is
> marginal, and Spain is below marginal. Each site
> will be responsible for
> their own backup.
> 
> My question:
> Is it a practice to re-define, or just define,
> replication partners,
> times and costs so that the Admin can schedule a
> backup after a known
> replication process finishes?
> 
> Michael Donovan
> [EMAIL PROTECTED]
> 


RE: [ActiveDir] Forcing Replication from a Source DC

2003-11-04 Thread FDiskThePC
he undocumented command you
> mention. That is
> interesting, I will dig into it when I get time as
> the implications are
> rather large as it would have to force replications
> though the entire domain
> and possibly forest if it was a GC.
> 
> Hope this helps.
> 
> 
> May I ask why you need to force replication like
> this? It is so ungodly rare
> that we have to force replication that I am not even
> sure if my team other
> than myself even knows how to do it through repadmin
> like this. 
> 
> 
>joe
> 
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of FDiskThePC
> Sent: Tuesday, November 04, 2003 12:36 PM
> To: [EMAIL PROTECTED]
> 
> Okay, guys, I've done quite a bit of research here,
> but I need some help.  I
> don't know about you guys, but I find it frustrating
> that AD has been out
> for over three years and so much of this stuff is
> still undocumented!  Argh!
> 
> First problem was delegating the right for remote
> admins to synchronize the
> domain.  For those out there that may still be
> searching, you need to
> delegate the "Replication Synchronization" right to
> your Domain Naming
> Context (NC) and any other NC's (Schema, Config,
> etc.) that you may have.
> Note that if you do not delegate this right to every
> NC, AD Sites & Services
> will still fail because a "Replicate Now"
> tries to sync every NC behind the scenes - there is
> no way with this tool to
> sync a particular NC.  Note that ADSIEdit will
> probably be needed to make
> the delegation.
> 
> Okay, second problem that I still need an answer to.
> 
> I need a way to force replication from one source DC
> to all my other DC's.
> Ah!  Use replmon you say choosing "Push Mode" and
> "Cross Site Boundaries". 
> That works great, actually, but not for my remote
> admins.  Come to find out,
> replmon doesn't work unless the remote admin is also
> given the "Replicating
> Directory Changes" and "Manage Replication Topology"
> permission.  And I am not about to do that.
> 
> I've also looked at repadmin.  It appears that some
> changes have been made
> to this command in W2K3, but I'd like to do this in
> a W2K setting.
> Unfortunately, the W2K tool requires that you use
> actual GUIDS, but the more
> important thing is that I can't figure out how to
> push changes rather than
> pull!  I did come across one undocumented switch
> with repadmin.  Using
> repadmin /p /e /d server1.company.com forces server1
> to pull any and all
> 
=== message truncated ===




[ActiveDir] Forcing Replication from a Source DC

2003-11-04 Thread FDiskThePC
Okay, guys, I've done quite a bit of research here,
but I need some help.  I don't know about you guys,
but I find it frustrating that AD has been out for
over three years and so much of this stuff is still
undocumented!  Argh!

First problem was delegating the right for remote
admins to synchronize the domain.  For those out there
that may still be searching, you need to delegate the
"Replication Synchronization" right to your Domain
Naming Context (NC) and any other NC's (Schema,
Config, etc.) that you may have.  Note that if you do
not delegate this right to every NC, AD Sites &
Services will still fail because a "Replicate Now"
tries to sync every NC behind the scenes - there is no
way with this tool to sync a particular NC.  Note that
ADSIEdit will probably be needed to make the
delegation.

Okay, second problem that I still need an answer to. 
I need a way to force replication from one source DC
to all my other DC's.  Ah!  Use replmon you say
choosing "Push Mode" and "Cross Site Boundaries". 
That works great, actually, but not for my remote
admins.  Come to find out, replmon doesn't work unless
the remote admin is also given the "Replicating
Directory Changes" and "Manage Replication Topology"
permission.  And I am not about to do that.

I've also looked at repadmin.  It appears that some
changes have been made to this command in W2K3, but
I'd like to do this in a W2K setting.  Unfortunately,
the W2K tool requires that you use actual GUIDS, but
the more important thing is that I can't figure out
how to push changes rather than pull!  I did come
across one undocumented switch with repadmin.  Using
repadmin /p /e /d server1.company.com forces server1
to pull any and all changes from every other server
(transitively).

Any advice on how to best take one DC's changes and
push them out to all other DC's would be GREATLY
appreciated.  Sounds like a script to me.  Thanks.

-Rick Dayton
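
The delegation described in this post, as an added example that is not part of the original message or of any tool it mentions: it grants only "Replication Synchronization" on every naming context with dsacls, then lists who holds any replication-related extended right so a broader grant stands out. The group name `CORP\RemoteSiteAdmins` and the `-Grant` switch are assumptions for illustration, and PowerShell postdates the Windows 2000 tooling discussed in the thread.

```powershell
# Added example (not from the original post). Run from a domain-joined host
# with rights to edit the ACL on each naming context (NC) head.
param(
    [string]$Group = 'CORP\RemoteSiteAdmins',  # hypothetical delegate group
    [switch]$Grant                              # without -Grant the script only audits
)

# rightsGuid values of the replication control access rights.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
    '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2' = 'Manage Replication Topology'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}
$needed = 'Replication Synchronization'

# RootDSE lists every NC hosted by the DC: domain, configuration, schema, etc.
$rootDse = [ADSI]'LDAP://RootDSE'

$report = foreach ($nc in $rootDse.namingContexts) {
    if ($Grant) {
        # CA = control access right, named by its display name.
        & dsacls.exe $nc /G "${Group}:CA;$needed" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "dsacls failed on $nc" }
    }

    $entry = [ADSI]"LDAP://$nc"
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])

    foreach ($ace in $rules) {
        $extendedBit = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        $isExtended  = ($ace.ActiveDirectoryRights -band $extendedBit) -ne 0
        # An empty ObjectType GUID means the ACE covers every extended right.
        $right = $replRights[$ace.ObjectType.ToString()]

        if ($ace.AccessControlType -eq 'Allow' -and $isExtended -and $right) {
            [pscustomobject]@{
                NamingContext = $nc
                Trustee       = $ace.IdentityReference.Value
                Right         = $right
                Inherited     = $ace.IsInherited
                BeyondSync    = ($right -ne $needed)
            }
        }
    }
}

# Full listing of replication-related grants per NC.
$report | Sort-Object NamingContext, Trustee

# The delegate group should appear only with "Replication Synchronization".
$report | Where-Object { $_.Trustee -eq $Group -and $_.BeyondSync } |
    ForEach-Object {
        Write-Warning "$($_.Trustee) holds '$($_.Right)' on $($_.NamingContext)"
    }
```

A naming context missing from the listing for the delegate group is one where "Replicate Now" in AD Sites & Services would still fail, as the post describes.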



[ActiveDir] NTDSUTIL and Metadata Cleanup

2003-10-28 Thread FDiskThePC
We had a dirty shutdown on a DC a few days ago, and it
would not boot back up successfully.  We called MS PSS
before we took any recovery measures since this was
our first dead DC.

After some initial troubleshooting, MS recommended
that we manually remove the server from AD with
ntdsutil and rebuild.  One thing they mentioned is
that all DC's need to fully replicate to learn of the
DC removal before rebuilding it with the same name and
IP.  Otherwise, they said we would have an identity
crisis on our hands.  Since we have our last seven
DC's that we built at corporate en route to remote
locations... I guess we'll have to wait.

My question is have any of you guys had to do this? 
And have you used the same name and IP for the server?
 Did you in fact wait for all DC's to be online and
fully replicate?  And for you real AD guru's out
there, what are the details behind the possible
"identity crisis"?

Thanks, guys.

-Rick Dayton



RE: [ActiveDir] DHCP/Netsh - Other ways of working with DHCP

2003-10-22 Thread FDiskThePC
We are getting ready to do this as well for 50+
servers and just finished doing some of the same
testing in our lab.  

Netsh was great but very slow when done remotely
(netsh -r).  We plan to install the Remote Command
Service (RCS) on all of our AD DC's which will let us
run netsh "locally".  The speed difference is like
night and day, and we will get a lot of additional
functionality from the RCS.

-Rick Dayton

--- "Burns, Clyde" <[EMAIL PROTECTED]>
wrote:
> I've used netsh to move the scopes from one server to
> another. There were
> some minor issues (documented in technet) but it
> works fairly well. 
> Other things to try:
>  
> From the 2000 Server Resource Kit:
> - Microsoft DHCP Database Export Import Tool - DHCPEXIM.EXE
>   Just like the title says. An import/export tool. I preferred netsh as
>   I could edit the script between servers.
> - DHCP Objects 1.0 - DHCPOBJS.EXE
>   dll to program against a dhcp server. It has issues with scopes that
>   have more than 255 reservations.
>  
> If anyone knows of any other type of automation tool
> to use against a
> dhcp server I would really like to hear about it.
>  
> Clyde Burns
> Norton Healthcare.
> Louisville Ky.
> 
> 
>   _  
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Steve Rochford
> Sent: Tuesday, October 21, 2003 7:52 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DHCP/Netsh
> 
> 
> You can't have 2 identical servers running at the
> same time (you'd get
> some exciting conflicts!) but you could dump your
> working server and
> keep the file safe. When your working server fails
> you then just reload
> the data into a "spare" server and your DHCP server
> is back and running.
> I'd guess it would make sense to do a scheduled dump
> of this data at
> regular intervals so that the file is always
> reasonably up to date.
>  
> Steve
> 
>   -Original Message-
>   From: Jerry Johnson [mailto:[EMAIL PROTECTED] 
>   Sent: 16 October 2003 17:13
>   To: [EMAIL PROTECTED]
>   Subject: [ActiveDir] DHCP/Netsh
>   
>   
> 
>   Everyone,
> 
>
> 
>   Has anyone ever used Netsh to move DHCP to another
> server?
> 
>   In Mark Minasi's book he talks about using it to
> add another
> DHCP server to your network by dumping it with Netsh
> from one machine
> and Exec it to another machine.
> 
>   He did not go into much detail but I did not think
> you could
> have identically configured DHCP server's on a
> network.
> 
>
> 
>   Thanks
> 
>   Jerry
> 
>
> 
>   Scicom Data Services
> 
>   Minnetonka,Mn
> 
>
> 
>
> 
> 
> 
> 
> 




RE: [ActiveDir] Intrasite Replication Schedule

2003-10-17 Thread FDiskThePC
Thanks for the replies.  I have tested the 15/3
settings in our lab and will implement in a pilot site
over the next couple of days.  Our DC's are way
overpowered.  If it does become a performance issue,
I'll drop it back to 30/15 and analyze the results. 
Thanks again, guys.

-Rick Dayton

--- Joe <[EMAIL PROTECTED]> wrote:
> I have modified our production and lab environments
> to 30 seconds pause
> after modify and 15 second pause between DSA's and
> have been running in that
> configuration for months with no perceived issues. 
> 
>   joe 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of FDiskThePC
> Sent: Wednesday, October 15, 2003 7:46 PM
> To: [EMAIL PROTECTED]
> 
> As most of you know, the default intrasite
> replication schedule in Windows
> 2000 is 5 minutes yet 15 seconds in Windows Server
> 2003.  Has anyone changed
> the setting in a Windows 2000 domain (Q214678) to
> match the settings that
> are now the default in Windows Server 2003?
> 
> The five minute replication is frustrating, because
> it can actually be up to
> 15 minutes with lots of DC's in a site.  Any advice
> would be appreciated.
> Thanks.
> 
> -Rick Dayton
> 




[ActiveDir] Intrasite Replication Schedule

2003-10-15 Thread FDiskThePC
As most of you know, the default intrasite replication
schedule in Windows 2000 is 5 minutes yet 15 seconds
in Windows Server 2003.  Has anyone changed the
setting in a Windows 2000 domain (Q214678) to match
the settings that are now the default in Windows
Server 2003?

The five minute replication is frustrating, because it
can actually be up to 15 minutes with lots of DC's in
a site.  Any advice would be appreciated.  Thanks.

-Rick Dayton



[ActiveDir] Computer Account in its Primary Domain is Missing

2003-10-11 Thread FDiskThePC
At least once a week, an admin in our company will
successfully join a computer (NT 4.0, Win2K, WinXP) to
our AD domain, and upon reboot receives "the computer
account in its primary domain is missing" error
message.  We assume this happens because we have two
DC's in every site, the five minute intrasite
replication hasn't happened, and the newly added
computer is simply authenticating with the other DC. 
But even when we wait fifteen minutes and then reboot
again, we still get the error message.  Our techs have
been using the take to workgroup, re-add to domain
method until it's successful.

One time I actually verified the existence of the
computer account on both local DC's at a particular
site, and yet the computer could still not login to
the domain.  Using replmon, I forced a sync of the
domain partition from one of the local DC's out to
every other DC in our environment.  Immediately the
workstation could login.

What gives?  Does every DC or a particular DC (PDC
Emulator?) need to know about newly added computer
accounts before they can be used?  Do I need to train
our techs to pre-populate computer accounts with ADUC
and sync the domain before using them?  A similar
complaint is that sometimes the computer account
simply disappears, but I haven't seen that yet
personally.

Any advice would be much appreciated.  Thanks.

-Rick Dayton
