[ActiveDir] DNS question for a Parent/Child domain
I have a customer that has been experiencing name resolution issues. They have a Windows 2000 Active Directory with parent.com and child.parent.com domains. I made some changes that have fixed the problems for now by removing orphaned secondary DNS zones with no Primary and ensuring there are only AD-Integrated DNS zones. Also removed WINS from the environment. Just not comfortable with how DNS is still set up, so have a few questions:

1. Presently, the DHCP scopes point clients to the parent.com DNS servers. Since all users and computers are in the child.parent.com domain, wouldn't the best practice be to point all DHCP clients to the child.parent.com domain DNS servers? Does it make a difference that these clients use the DNS servers in the root (parent) domain?

2. Presently, the child.parent.com forward lookup zone is housed in the root of the DNS - i.e. - there is a DNS Forward Lookup Zone set up just for this child domain. There is also a separate lookup zone for the parent.com domain. Shouldn't the child domain zone be listed under the parent.com domain zone? Does it make a difference?

3. There are a number of websites hosted in the DMZ, so there are a number of Forward Lookup Zones. If I move the DHCP scope to point to the child DNS servers, should I then move these website zones to the child DNS servers to ensure the best possible performance?

Thanks for any help with this long-winded question!

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Forest Migration and consolidation
Ran into a customer today who wants to consolidate 8 Windows 2000 Forests into 1 new Forest w/8 domains. The Resource kit explicitly says that you cannot move a domain between forests. The ADMT seems to be more of an Intra-Forest Domain tool also. Anyone with any experience or suggestions? Thanks!
RE: [ActiveDir] Possibly OT - DFS vs 3rd party DR
Rick -

Did PSS give you any documentation about what files could and could not be copied using DFS? Was there a size limitation on the actual file (not the DFS database which is documented as 5MB)?

Thanks!
Jeff

-Original Message-
From: Jeffrey Dubyn [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 12, 2003 6:28 AM
To: '[EMAIL PROTECTED]'
Cc: 'Rick Kingslan'
Subject: RE: [ActiveDir] Possibly OT - DFS vs 3rd party DR

Rick -

Thanks for the info. I've found VSS to be quite useful in our lab, but don't think it will work well for Disaster Recovery. What bad experience did you have with DFS?

Jeff

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 8:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Possibly OT - DFS vs 3rd party DR

Jeffrey,

I personally am not a big fan of Dfs - mainly due to a very bad experience in the early days of Windows 2000 (April 2000). It has gotten better, but is not really a great solution to bank your DR process on. IMHO, depending on what your bandwidth is like, the move with Windows Server 2003 might justify itself with Volume Shadow Services. I've been working closely with VSS and primarily, Volume Shadow Copy, and IMHO, it Rocks!

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Dubyn
Sent: Wednesday, June 11, 2003 6:31 PM
To: [EMAIL PROTECTED]

I have a customer looking for a disaster recovery solution for their Active Directory domain. They have one site on each coast and want to replicate the data. A VPN is available to each location. I was looking at either DoubleTake or a Veritas solution (Volume Replicator or Storage Replicator) but am having a hard time justifying using this over the built-in DFS. Anyone with any thoughts on this?
RE: [ActiveDir] Possibly OT - DFS vs 3rd party DR
Rick -

Thanks for the info. I've found VSS to be quite useful in our lab, but don't think it will work well for Disaster Recovery. What bad experience did you have with DFS?

Jeff

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 8:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Possibly OT - DFS vs 3rd party DR

Jeffrey,

I personally am not a big fan of Dfs - mainly due to a very bad experience in the early days of Windows 2000 (April 2000). It has gotten better, but is not really a great solution to bank your DR process on. IMHO, depending on what your bandwidth is like, the move with Windows Server 2003 might justify itself with Volume Shadow Services. I've been working closely with VSS and primarily, Volume Shadow Copy, and IMHO, it Rocks!

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Dubyn
Sent: Wednesday, June 11, 2003 6:31 PM
To: [EMAIL PROTECTED]

I have a customer looking for a disaster recovery solution for their Active Directory domain. They have one site on each coast and want to replicate the data. A VPN is available to each location. I was looking at either DoubleTake or a Veritas solution (Volume Replicator or Storage Replicator) but am having a hard time justifying using this over the built-in DFS. Anyone with any thoughts on this?
[ActiveDir] Possibly OT - DFS vs 3rd party DR
I have a customer looking for a disaster recovery solution for their Active Directory domain. They have one site on each coast and want to replicate the data. A VPN is available to each location. I was looking at either DoubleTake or a Veritas solution (Volume Replicator or Storage Replicator) but am having a hard time justifying using this over the built-in DFS. Anyone with any thoughts on this?
RE: [ActiveDir] Error message when attempting to modify the AD Schema
Went through the Q article and was already doing everything as prescribed - still couldn't get the schema updated. Turned out that in the test environment there was a child domain that was never DCPROMO'd out - the server was just rebuilt. Hence, the schema update was trying to update that AD also, yet could not contact the domain controller for the child domain (as it didn't exist). After using ADSIEdit and NTDSUtil to get rid of the child domain, the update worked perfectly.

Thanks to all for their input!

Jeff

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Sunday, June 08, 2003 4:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Error message when attempting to modify the AD Schema

Sounds like you're on the right track. To enable writes to the schema, have a look at the following article.

http://support.microsoft.com/?kbid=285172

BTW, it is good practice to keep the membership of the Schema Admins group empty and only populate it when you need to. This prevents any unintentional updates from, for example, 3rd party applications.

Have you considered using VMWare for testing your schema updates? The snapshot feature in version 4 is great as it allows you to revert to a saved version if something goes awry with your update.

Tony

------ Original Message ------
From: Jeffrey Dubyn <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Sat, 07 Jun 2003 19:42:27 -0400

These are very good points - it is being done on a workstation, not the server that is the Schema Master. The user is part of the Enterprise Admin group, but I don't think the script changes the schema to read-write first. I'll let you know how I make out on Monday.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, June 07, 2003 2:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Error message when attempting to modify the AD Schema

Is the schema addition / expansion being done on the schema master, and - more importantly - have you enabled writes to the schema? By default, Enterprise Admin and members of that group are the only SP's that have permissions to the schema. Secondly by default, the schema is read-only. It must be changed to a read-write status. It's not absolutely necessary to do your schema work on the master, but it does prevent potential conflicts and errors that you would otherwise not see. And - many applications DO REQUIRE the expansion be done on the master.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Dubyn
Sent: Saturday, June 07, 2003 11:01 AM
To: [EMAIL PROTECTED]

Working in a test Windows 2000 Active Directory environment. In order to utilize a 3rd party application, I have to modify the Active Directory schema. Anyone have any idea what this error means?

"ldap_add: DSA is busy
ldap_add: additional info: 20AE: SvcErr: DSID-030A05EC, problem 5001 (BUSY), data 0"

The entire environment is only being used for this test, so there is no load on any of the systems, hence I can't see what is causing it to be busy. Unfortunately, I can't seem to find any documentation on the error.

Thanks!
RE: [ActiveDir] Error message when attempting to modify the AD Schema
These are very good points - it is being done on a workstation, not the server that is the Schema Master. The user is part of the Enterprise Admin group, but I don't think the script changes the schema to read-write first. I'll let you know how I make out on Monday.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, June 07, 2003 2:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Error message when attempting to modify the AD Schema

Is the schema addition / expansion being done on the schema master, and - more importantly - have you enabled writes to the schema? By default, Enterprise Admin and members of that group are the only SP's that have permissions to the schema. Secondly by default, the schema is read-only. It must be changed to a read-write status. It's not absolutely necessary to do your schema work on the master, but it does prevent potential conflicts and errors that you would otherwise not see. And - many applications DO REQUIRE the expansion be done on the master.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Dubyn
Sent: Saturday, June 07, 2003 11:01 AM
To: [EMAIL PROTECTED]

Working in a test Windows 2000 Active Directory environment. In order to utilize a 3rd party application, I have to modify the Active Directory schema. Anyone have any idea what this error means?

"ldap_add: DSA is busy
ldap_add: additional info: 20AE: SvcErr: DSID-030A05EC, problem 5001 (BUSY), data 0"

The entire environment is only being used for this test, so there is no load on any of the systems, hence I can't see what is causing it to be busy. Unfortunately, I can't seem to find any documentation on the error.

Thanks!
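The two replies above (Rick's and, in the earlier message, Tony's) make three points about schema changes: do the work on the schema master, keep Schema Admins empty until you need it, and on Windows 2000 explicitly enable schema writes (KB 285172). The following PowerShell script is an added example, not code from the thread or from Microsoft, that checks all three read-only before an extension is run. It uses only ADSI (no RSAT) and assumes it is run as a domain user on a domain-joined machine; the registry value name is the Windows 2000 mechanism the Schema snap-in toggles, and later versions ignore it.

```powershell
# Added example, not from the thread: read-only pre-flight check before a
# schema extension. ADSI only, so it needs no RSAT; run as a user who can
# read the directory.

function Get-SchemaMasterInfo {
    # RootDSE tells us where the schema and the forest root domain live
    $rootDse      = [ADSI]'LDAP://RootDSE'
    $schemaNc     = $rootDse.schemaNamingContext.Value
    $rootDomainNc = $rootDse.rootDomainNamingContext.Value

    # fSMORoleOwner on the Schema container is the DN of the role holder's
    # NTDS Settings object; its parent server object carries the FQDN.
    $schema   = [ADSI]"LDAP://$schemaNc"
    $ntdsDn   = [string]$schema.fSMORoleOwner.Value
    $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
    $server   = [ADSI]"LDAP://$serverDn"

    # Schema Admins always lives in the forest root domain's Users container
    $schemaAdmins = [ADSI]"LDAP://CN=Schema Admins,CN=Users,$rootDomainNc"
    $members      = @($schemaAdmins.member)

    [pscustomobject]@{
        SchemaMaster        = [string]$server.dNSHostName.Value
        SchemaAdminsMembers = $members
        SchemaAdminsEmpty   = ($members.Count -eq 0)
    }
}

function Test-SchemaUpdateAllowed {
    # Windows 2000 only: the Schema snap-in's "The Schema may be modified on
    # this Domain Controller" checkbox sets this DWORD to 1 (see KB 285172).
    # Windows Server 2003 and later ignore it, so a missing value is fine there.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $item = Get-ItemProperty -Path $key -Name 'Schema Update Allowed' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.'Schema Update Allowed' -eq 1)
}

$info     = Get-SchemaMasterInfo
$isMaster = $info.SchemaMaster -like "$env:COMPUTERNAME.*"

"Schema master       : $($info.SchemaMaster)"
"Running on master   : $isMaster"
"Schema Admins       : $(if ($info.SchemaAdminsEmpty) { '(empty)' } else { $info.SchemaAdminsMembers -join '; ' })"
"Schema writes (W2K) : $(Test-SchemaUpdateAllowed)"

if (-not $isMaster) {
    Write-Warning 'Not running on the schema master; run the extension there to avoid the conflicts Rick describes.'
}
if (-not $info.SchemaAdminsEmpty) {
    Write-Warning 'Schema Admins is populated; add members only for the duration of the change and remove them afterwards.'
}
```

The script deliberately reads rather than changes anything: the point of Tony's advice is that membership of Schema Admins and the write flag are both things you turn on for one change window and turn off again, and a check like this run before and after the window shows whether that actually happened. It also catches the situation in Jeff's final message from the other direction: if `fSMORoleOwner` points at an NTDS Settings object whose server no longer exists, the `[ADSI]` bind in `Get-SchemaMasterInfo` fails, which is a strong hint that metadata cleanup is still outstanding.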
RE: [ActiveDir] Error message when attempting to modify the AD Schema
Good thought, but there is no other activity going on at the same time.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marcus Oh
Sent: Saturday, June 07, 2003 1:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Error message when attempting to modify the AD Schema

Is there by chance any other schema modifications occurring at the same time?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Dubyn
Sent: Saturday, June 07, 2003 12:01 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Error message when attempting to modify the AD Schema

Working in a test Windows 2000 Active Directory environment. In order to utilize a 3rd party application, I have to modify the Active Directory schema. Anyone have any idea what this error means?

"ldap_add: DSA is busy
ldap_add: additional info: 20AE: SvcErr: DSID-030A05EC, problem 5001 (BUSY), data 0"

The entire environment is only being used for this test, so there is no load on any of the systems, hence I can't see what is causing it to be busy. Unfortunately, I can't seem to find any documentation on the error.

Thanks!
[ActiveDir] Error message when attempting to modify the AD Schema
Working in a test Windows 2000 Active Directory environment. In order to utilize a 3rd party application, I have to modify the Active Directory schema. Anyone have any idea what this error means?

"ldap_add: DSA is busy
ldap_add: additional info: 20AE: SvcErr: DSID-030A05EC, problem 5001 (BUSY), data 0"

The entire environment is only being used for this test, so there is no load on any of the systems, hence I can't see what is causing it to be busy. Unfortunately, I can't seem to find any documentation on the error.

Thanks!
RE: [ActiveDir] DC Problem
Richard -

You'll need to have DNS set up on the network for this to work - it is a basic building block for Active Directory to function. Once this is set up, change the TCP/IP settings of all servers and workstations on your network to use the DNS server(s) you set up for name resolution. Here are some links to assist you:

http://support.microsoft.com/?kbid=261321
http://support.microsoft.com/?kbid=237675
http://support.microsoft.com/?kbid=301191 (see the To Configure Forwarders section to give Internet name resolution to the network)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Sumilang
Sent: Sunday, April 06, 2003 10:40 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] DC Problem

How or where would I do that in?

On Sunday, April 6, 2003, at 06:58 PM, Kevin Miller wrote:

> Point all the servers to the same DDNS ad integrated DNS server and all will be well.
>
> You can use netdiag or restart the net logon service to make the server refresh its dns entries.
>
> -- Kevinm WLKMMAS, Exchange MVP
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Sumilang
> Sent: Sunday, April 06, 2003 6:45 PM
> To: [EMAIL PROTECTED]
>
> The DNS problem is as follows, I set up a Windows 2000 Server with Active Directory and the works and now I'm trying to set up another Domain Controller for the network to help load balance the main server. So when I try to set it up as another Domain Controller using dcpromo, it gets to the part where it tries to copy on over all the Directory information but errors out because it can't find my_company.net??? So do I actually have to purchase a domain and point it to my server or??? I thought that it could just use the NetBIOS name to find the computer but it tries to find it through the DNS name. I didn't set up anything on the DNS information under Administrative tools because I'm not too familiar with it yet and not sure if that's the problem. Any suggestions on this are greatly appreciated.
>
> Thanks,
> Richard S.
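Both answers above come down to one check: can the DNS server that each machine is configured to use return the DC locator SRV records for the domain? dcpromo fails exactly as Richard describes when it cannot. The script below is an added example, not from the thread, that runs that check from a client. It assumes a modern Windows host with the DnsClient module (Resolve-DnsName, Get-DnsClientServerAddress); the domain name my_company.net is taken from Richard's message and the server address is a constructed placeholder.

```powershell
# Added example, not from the thread: confirm that the DNS servers a machine is
# pointed at can resolve the Active Directory DC locator (SRV) records that
# dcpromo and Netlogon depend on.
param(
    [string]$DomainName   = 'my_company.net',    # from the thread
    [string[]]$DnsServers = @('192.0.2.10')      # placeholder: your AD-integrated DNS server(s)
)

# The records a joining DC or client looks up first
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$DomainName",
    "_kerberos._tcp.dc._msdcs.$DomainName",
    "_ldap._tcp.pdc._msdcs.$DomainName"
)

function Test-DcLocatorRecords {
    param([string[]]$Names, [string[]]$Servers)
    foreach ($server in $Servers) {
        foreach ($name in $Names) {
            try {
                # -DnsOnly skips LLMNR/NetBIOS so we only test the DNS server itself
                $answers = Resolve-DnsName -Name $name -Type SRV -Server $server -DnsOnly -ErrorAction Stop |
                           Where-Object { $_.Type -eq 'SRV' }
                [pscustomobject]@{
                    Server  = $server
                    Record  = $name
                    Found   = [bool]$answers
                    Targets = ($answers | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
                }
            } catch {
                [pscustomobject]@{ Server = $server; Record = $name; Found = $false; Targets = $_.Exception.Message }
            }
        }
    }
}

$report = Test-DcLocatorRecords -Names $srvNames -Servers $DnsServers
$report | Format-Table -AutoSize

# Kevin's and Jeff's fix is to point every adapter at that DNS server, so show
# what the local adapters are actually configured with.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses |
    Format-Table -AutoSize

if ($report | Where-Object { -not $_.Found }) {
    Write-Warning "DC locator records for $DomainName are missing on at least one server; dcpromo will not find a DC until DNS is fixed."
}
```

On a Windows 2000-era box without PowerShell the same query is `nslookup -type=SRV _ldap._tcp.dc._msdcs.my_company.net`. If the records are absent on an otherwise working DNS server, Kevin's suggestion of restarting Netlogon (or `netdiag /fix`) makes the existing DC re-register them, provided the DC's own TCP/IP settings point at that DNS server.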
RE: [ActiveDir] Can't access Default Domain Controller Security policy
Rick -

Thanks for the detailed info! I do have a backup of the environment, but since this is a test environment, I'll be more comfortable building it from scratch (4 servers - 2 in 2 different sites). The only thing I can see that caused this was installing Doubletake software being used for DR. When the AD was originally loaded in the remote site, the database files were not on the same drive as on the server it was being replicated with in the original site. This was required for Doubletake, so the files were moved successfully as per http://support.microsoft.com/?kbid=257420 . I say successfully as the database integrity was verified. About a day later, this issue came to light.

As for the GUID, I didn't realize it was a standard string - hence my lame attempt to recreate it. I'm still puzzled as to why I can't delete the existing one from the Properties page if the GUID does not exist.

Thanks again for the details!

Regards,
Jeff

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, April 05, 2003 8:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can't access Default Domain Controller Security policy

Jeffrey,

This is not exactly easy to resolve - but it can be done. Firstly, some background as to why your valiant efforts met with no success. The Default Domain Controllers Policy has a unique GUID that is the same on all systems. In fact, everything is coded to look for this GUID. So, if it's not in SYSVOL, simply creating another GPO and naming it the same won't work - because it has a different GUID. The GUID for the Default DC Pol will be: {6AC1786C-016F-11D2-945F-00C04fB984F9}.

Now, knowing this - you have a problem. You can't just 'make' a new one. At least in Windows 2000 you can't. Knowing that you are a good Administrator who backs up frequently (right?? ;-) ), you CAN restore this object from one of your backup tapes.

Doing the procedure of an Authoritative Restore on the DC that holds the PDC Emulator role in your domain that the Default DC Policy has gone missing would be best. You will need:

1. Ability to get into DS Restore Mode (F8 during the Starting Windows status bar)
2. Backup tape WITH SYSTEM STATE (less than the tombstone time - typically 60 days)
3. NTDSUTIL
4. Knowledge of the Distinguished Name of the Default DC Policy

Number 4 can be answered by a trip to ADSIEdit. Turns out that the Default DC Policy lives in the Policies CN under System CN under the DC. So, the full path to be stipulated to NTDSUTIL might be:

CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=Corp,DC=Com

To get the other pieces in place, I suggest reviewing this Q article: http://support.microsoft.com/default.aspx?scid=kb;EN-US;248132

Using method 2:

1. Restart the domain controller.
2. When the Windows 2000 Startup menu is displayed, select Directory Services Restore Mode, and then press ENTER.
3. At a command prompt, type ntdsutil, and then press ENTER.
4. Restore the System State from a backup set that was created prior to the computer account deletion.
5. Type authoritative restore, and then press ENTER.
6. Type restore subtree "CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=Corp,DC=Com", and then press ENTER, where Corp is the domain name the domain controller resides in, and Com is the top level domain name of the domain controller, such as com, org, or net.
7. Type quit, press ENTER, type quit, and then press ENTER.
8. Type exit, and then press ENTER.
9. Restart the domain controller.

One other method that I have used in tests is to use the 'not quite yet released' Group Policy Management Console. To do it with GPMC, you can connect to a foreign forest and backup an existing GP - in this case the Default DC Policy. GPMC has a restore function which will allow you to restore to another DC - in this case, your DC with the PDC-E role missing the GP. See the GPMC help, if you can get your hands on the tool. It should be available at the same time that Win2k3 is released, but works just fine on Windows 2000.

Hope this all helps.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Dubyn
Sent: Saturday, April 05, 2003 4:51 PM
To: [EMAIL PROTECTED]

Problem started with a new DC in a new site not being able to access the Windows Update site giving the "Administrators Only" error. That was odd as we were logged in with the administrator username. We can access the Windows Update site on the DC in the original site with the same user name. The exact problem is described in this Q article "Cannot Access Group Policy Objects--Event ID 1000 and Event ID 1001 Logged http://su
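Rick's explanation rests on the Default Domain Controllers Policy having a fixed, well-known GUID that must exist in three places at once: as the GPO container object under CN=Policies,CN=System, as the matching folder in SYSVOL (the part Jeff found missing), and as a link on the Domain Controllers OU. The PowerShell below is an added example, not from the thread, that checks all three so the damage can be confirmed before deciding between the ntdsutil authoritative restore and the GPMC backup/restore route. It uses ADSI only (no RSAT or GroupPolicy module), takes the domain DN from RootDSE rather than the DC=Corp,DC=Com placeholder, and assumes it is run on a domain-joined machine that can reach SYSVOL.

```powershell
# Added example, not from the thread: verify the Default Domain Controllers
# Policy is intact in AD, in SYSVOL, and on the Domain Controllers OU link.
# ADSI only, no RSAT required.

$DefaultDcPolicyGuid = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'   # well-known GUID, as quoted in the thread

function Test-DefaultDcPolicy {
    param(
        # Domain DN discovered from RootDSE; override to check another domain
        [string]$DomainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
    )

    # 1. The GPO container object, at the DN Rick gives for the restore
    $gpoDn          = "CN=$DefaultDcPolicyGuid,CN=Policies,CN=System,$DomainDn"
    $adObjectExists = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$gpoDn")

    # 2. The SYSVOL folder the object points at (gPCFileSysPath); this is the
    #    piece Jeff could not find under SYSVOL.
    $sysvolPath   = $null
    $sysvolExists = $false
    if ($adObjectExists) {
        $gpo          = [ADSI]"LDAP://$gpoDn"
        $sysvolPath   = [string]$gpo.gPCFileSysPath.Value
        $sysvolExists = ($sysvolPath -and (Test-Path -LiteralPath $sysvolPath))
    }

    # 3. The link: gPLink on the Domain Controllers OU holds
    #    "[LDAP://<gpo dn>;<options>]" entries, so look for the GUID in it.
    $dcOu   = [ADSI]"LDAP://OU=Domain Controllers,$DomainDn"
    $gpLink = [string]$dcOu.gPLink.Value
    $linked = $gpLink -match [regex]::Escape($DefaultDcPolicyGuid)

    [pscustomobject]@{
        GpoDn          = $gpoDn
        AdObjectExists = $adObjectExists
        SysvolPath     = $sysvolPath
        SysvolExists   = $sysvolExists
        LinkedToDcOu   = $linked
        Healthy        = ($adObjectExists -and $sysvolExists -and $linked)
    }
}

$result = Test-DefaultDcPolicy
$result | Format-List

if (-not $result.Healthy) {
    Write-Warning 'Default Domain Controllers Policy is incomplete. Recreating a GPO with the same name does not help (new GUID); restore the object and its SYSVOL folder as described in KB 248132, or restore a GPMC backup of it.'
}
```

Reading the three flags together explains the symptoms in the thread. `AdObjectExists` true with `SysvolExists` false is exactly the state Jeff saw: the Group Policy editor binds to the AD object, then fails with "The system cannot find the path specified" because `gPCFileSysPath` points at a folder that is no longer there. A renamed or newly created policy never changes `GpoDn`, which is why the rename-and-recreate attempt could not work. Running the check on each DC, as a scheduled task or after any DR tooling touches the database or SYSVOL, gives an early warning before logons start failing Windows Update's administrator check.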
[ActiveDir] Can't access Default Domain Controller Security policy
Problem started with a new DC in a new site not being able to access the Windows Update site giving the "Administrators Only" error. That was odd as we were logged in with the administrator username. We can access the Windows Update site on the DC in the original site with the same user name. The exact problem is described in this Q article "Cannot Access Group Policy Objects--Event ID 1000 and Event ID 1001 Logged" http://support.microsoft.com/?kbid=258296 . Unfortunately, the fix was already in place so was not relevant.

Looking at the GUID of the GPO in the Event Log, I cannot see it in the SYSVOL folder - it's just not there. After some troubleshooting, found that on both DCs, I cannot open the Default Domain Controllers Policy object with an error of:

"Failed to open the Group Policy Object. You may not have appropriate rights. Details The system cannot find the path specified."

To attempt to rectify this, I renamed the Default Domain Controllers Policy object and then created a new Default Domain Controller Policy and disabled the renamed one. After using secedit /refreshpolicy for both machine and user, I forced replication and could see the new policy and the old, renamed disabled policy in the other DC in the new site. I logged out and back in as the administrator but unfortunately, this did not fix the problem - I could not access the Default Domain Controller Policy with the same error, and received the same issue with Windows Update. I tried deleting the renamed object, yet I could not. The system did not give any errors, but when I confirmed YES to delete it, it was still there.

Any suggestions on how to proceed?
RE: [ActiveDir]
Are you using a FQDN path (\\server\share\software.msi) to the software, not a local drive (C:\directory\software.msi)?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Pietrewicz
Sent: Thursday, March 13, 2003 2:04 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir]

Hello everyone,

I am trying to distribute an application through group policy. I am able to set up applications through GP but every time I try to attach an .MST file to the MSI package I get this error message: "An error occurred accessing the software data in the active directory. See event log." The event log has no useful information. I checked the event ID on the eventid web site and it is not found. Has anyone seen this before or have any recommendations?

Thanks,
Brian