RE: [ActiveDir] OT: Exchange daylight savings patch

[John Strongosky]

Try this link, but its not available yet...

http://office.microsoft.com/en-us/outlook/HA102086071033.aspx 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ziots, Edward
Sent: Wednesday, January 17, 2007 4:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange daylight savings patch

 
Has anyone seen the Microsoft Exchange Calendar Update tool yet, the
link off the Exchange 2003 SP2 patch page is bad, and a search of the MS
downloads site, Google, and others doesn't find anything of the such. 

EZ

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:[EMAIL PROTECTED]
cell:401-639-3505

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, January 16, 2007 9:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange daylight savings patch

http://www.microsoft.com/downloads/details.aspx?familyid=c16aea4a-ed33-4
cd9-a7c3-8b5df5471b7a&displaylang=en&tm


Update for Daylight Saving Time changes in 2007 for Exchange Server 2003
Service Pack 2 (SP2).

Ensure servers+Exchange+Sharepoint are patch (now to go figure out how
my phones will handle this)

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx

RE: [ActiveDir] OT-Help with PFINFO fro Exchange 5.5

[John Strongosky]

Found it, had to use my home pc to get to the ftp link from Microsoft...

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: Wednesday, November 22, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT-Help with PFINFO fro Exchange 5.5

 

 Hi,

 

 Could someone please, please, please help me find the PFINFO.exe tool
for Exchange 5.5. 

I've found the ftp link for it on the Google group's message board but when
I try it, it says I don't have permissions. I also don't have access to the
Resource Kit for Win2k.

 

Reasons that someone out there should help me...

 

1.  I've asked nicesee my mom did raise me to be polite...
2.  You'll save the remaining hair I have on my head.
3.  Keep me from cursing
4.  I won't have to drink some Pepto-Bismol for my ulcer
5.  My wife will appreciate it, as it gives me gas when I drink
Pepto-Bismol.
6.  I'll be a hero to my co-workers, since we won't have to go thru all
our PF to look for Zombie users by hand
7.  It's the season

 

 

john

 

[ActiveDir] OT-Help with PFINFO fro Exchange 5.5

[John Strongosky]

 Hi,

 

 Could someone please, please, please help me find the PFINFO.exe tool
for Exchange 5.5. 

I've found the ftp link for it on the Google group's message board but when
I try it, it says I don't have permissions. I also don't have access to the
Resource Kit for Win2k.

 

Reasons that someone out there should help me...

 

1.  I've asked nicesee my mom did raise me to be polite...
2.  You'll save the remaining hair I have on my head.
3.  Keep me from cursing
4.  I won't have to drink some Pepto-Bismol for my ulcer
5.  My wife will appreciate it, as it gives me gas when I drink
Pepto-Bismol.
6.  I'll be a hero to my co-workers, since we won't have to go thru all
our PF to look for Zombie users by hand
7.  It's the season

 

 

john

 

RE: [ActiveDir]event log monitoring.

[John Strongosky]

Mom (Microsoft Operations Manager)is pretty
good at this…

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Thursday, November 09, 2006
10:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]event log
monitoring.



 



Hi,





 





I want to implement a system that will
send me an email whenever there is an error in any of the event logs in my
servers.





 





I could do this with an script or similar,
but I don't have the time to do it that way and many other reasons.





 





I was wondering if any of you has used GFI
EventsManager, my main concern is to know if monitoring the events will put to
much work on the servers that I am monitoring, I don't want to crash my server
because I am monitoring it.





 





Any suggestion?





 





Thanks





 





Rezuma

RE: [ActiveDir] Migration from Exchange Server to an SMTP Server?

[John Strongosky]

What 
client are they going to use? Exmerge to a pst...


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Corbett, 
TonySent: Wednesday, November 08, 2006 2:11 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Migration from 
Exchange Server to an SMTP Server?


Hi all,
Has anyone migrated OFF MS-Exchange 
to an SMTP email server?
Any tips on how to move the mail so 
the users don’t lose all their historical email?
 
I’m trying to write up a detailed 
project plan to move the users’ email from our Exchange server to a regular ol’ 
SMTP server.   The only requirement is: “Don’t lose my 
emails”.
 
I appreciate any help you have to 
offer.
 
TIA
 
Tony Corbett
[EMAIL PROTECTED]
770-870-2820 (desk)
 
DISCLAIMER: The information in this message is 
confidential and may be legally privileged. It is intended solely for the 
addressee. Access to this message by anyone else is unauthorized. If you are not 
the intended recipient, any disclosure, copying, or distribution of the message, 
or any action or omission taken by you in reliance on it, is prohibited and may 
be unlawful. Please immediately contact the sender if you have received this 
message in error. Thank you.

RE: [ActiveDir] [OT] Restore left Info store in an inconsistant s tate.

[John Strongosky]

Title: Message



Diane, thanks for the response tried to convince my manages that 
this is the way to go but since this is the first server in the site and has all 
the roles assigned to it, and I submitted a plan using Ed's move server method 
(thanks Ed ) my mangers are reluctant to do this because some might break when 
we set up PF replication and move free/busy info as we use the calendar 
sharing function of  outlook 
allot 
here
 
My biggest concern is 
the backups...why did this happen. I'm up the preverbal puddle without a 
paddle...
 
john



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Ayers, 
DianeSent: Monday, September 11, 2006 2:07 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] [OT] Restore 
left Info store in an inconsistant state.

Your better course of action (besides upgrading from a 
dead version but that is another thread) is build the new server as a 
second server in your organization and moving the mailboxes.  You get a 
clean db and a fresh start.   Forget trying to migrate the DB 
like you would an application database.
 
Diane


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of John 
StrongoskySent: Monday, September 11, 2006 1:07 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Restore left Info 
store in an inconsistant state.

Tried moving my dying ex 5.5 server to new hardware 
this weekend and it failed because the restore did not bring over a log 
file and left the dbase in an inconsistent state. 
Lucky for me I has a recovery plan and was able to bring the old server back 
online. Has any 
one had this happen to them or heard of this happening. Using VERITAS backup 
Exec 10.d, I remember reading during my haste to find out what was wrong that 
anti-virus and some backup software will hold on to the edb log file, tried 
searching for the article that I read but cant find it The error I 
received when I tried to start the dbase after the restore 
was:
 
EVENT ID 5000, could not 
start the information store,  0x8004010f in the app log, and in the 
system log was the info store service terminated with service specific error, 
2147746063.
 
Another question, since my dbase is 26gb and I 
can't copy it across the wan, can do I a save with the services shutdown and 
restore the dbase and work dbase to the new server?
 
thanks,john

RE: [ActiveDir] Restore left Info store in an inconsistant state.

[John Strongosky]

Title: Message



Sorry 
posted this in the wrong group not a good week for me...


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of John 
StrongoskySent: Monday, September 11, 2006 1:49 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Restore left 
Info store in an inconsistant state.

Hey 
Brian, thanks for the response, we in the process of moving to ex 2003 but in 
the AD migration part and this server external disk array is dying and sorry Ed, 
they don't trust the move server method as we have to move roles so 
since I've done a restore to a new server with win2k 3 years ago 
with Microsoft's help and was using the same process. (i.e. rename all dbdata 
and mdbdata directories and rename server to same name, same EX services, 
restore dbase etc etc) and this error did not happen with that restore but the 
info store would not start because of an index problem which Microsoft said 
would happen so I did a defrag on that server and every thing worked on that 
server, but when I restored this dbase for the second time after renaming the 
directories etc, to check to see if I was doing everything ok, and did an 
eseutil /mh on the priv dbase before I tried and start the info store 
it said it was in an inconsistent state, which blew me away...as I just did 
a restore of this dbase to my recovery server to recover some email the 2 weeks 
before and now my boss's are questioning the savesSo I'm trying to come up 
with another plan and I was thinking of doing an offline save of this server as 
we cant copy a 26gb file across the wan, restore the logs/dbase/working 
dbase to same directory's on the new server and then try and bring up the 
dbase...any thoughts..
 
john



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Brian 
DesmondSent: Monday, September 11, 2006 1:19 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Restore left 
Info store in an inconsistant state.


Hi 
John,
 
You 
can get it to start with eseutil and roll forward to the last log available. 
What you’re going to need to do with your method is restore the backup and then 
copy the logs over (which shouldn’t be many).
 
You 
can just copy the database and logs over the wire and mount them at the other 
end, I don’t rmember how to do this on 5.5 though. Why aren’t you moving to 
2003? 5.5 and 2000 are end of life products. 
 

Thanks,
Brian 
Desmond
[EMAIL PROTECTED]
 
c 
- 312.731.3132
 



From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of John StrongoskySent: Monday, September 11, 2006 
4:07 PMTo: ActiveDir@mail.activedir.orgSubject: 
[ActiveDir] Restore left Info store in an inconsistant 
state.
 

Tried moving my dying ex 5.5 server 
to new hardware this weekend and it failed because the restore did not 
bring over a log file and left the dbase in an inconsistent state. Lucky for me 
I has a recovery plan and was able to bring the old server back online. Has any 
one had this happen to them or heard of this happening. Using VERITAS backup 
Exec 10.d, I remember reading during my haste to find out what was wrong that 
anti-virus and some backup software will hold on to the edb log file, tried 
searching for the article that I read but cant find it The error I 
received when I tried to start the dbase after the restore 
was:

 

EVENT ID 5000, could not start the 
information store,  0x8004010f in the app log, and in the system log 
was the info store service terminated with service specific error, 
2147746063.

 

Another question, since my 
dbase is 26gb and I can't copy it across the wan, can do I a save with the 
services shutdown and restore the dbase and work dbase to the new 
server?

 

thanks,john

RE: [ActiveDir] Restore left Info store in an inconsistant state.

[John Strongosky]

Title: Message



Hey 
Brian, thanks for the response, we in the process of moving to ex 2003 but in 
the AD migration part and this server external disk array is dying and sorry Ed, 
they don't trust the move server method as we have to move roles so 
since I've done a restore to a new server with win2k 3 years ago 
with Microsoft's help and was using the same process. (i.e. rename all dbdata 
and mdbdata directories and rename server to same name, same EX services, 
restore dbase etc etc) and this error did not happen with that restore but the 
info store would not start because of an index problem which Microsoft said 
would happen so I did a defrag on that server and every thing worked on that 
server, but when I restored this dbase for the second time after renaming the 
directories etc, to check to see if I was doing everything ok, and did an 
eseutil /mh on the priv dbase before I tried and start the info store 
it said it was in an inconsistent state, which blew me away...as I just did 
a restore of this dbase to my recovery server to recover some email the 2 weeks 
before and now my boss's are questioning the savesSo I'm trying to come up 
with another plan and I was thinking of doing an offline save of this server as 
we cant copy a 26gb file across the wan, restore the logs/dbase/working 
dbase to same directory's on the new server and then try and bring up the 
dbase...any thoughts..
 
john



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Brian 
DesmondSent: Monday, September 11, 2006 1:19 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Restore left 
Info store in an inconsistant state.


Hi 
John,
 
You 
can get it to start with eseutil and roll forward to the last log available. 
What you’re going to need to do with your method is restore the backup and then 
copy the logs over (which shouldn’t be many).
 
You 
can just copy the database and logs over the wire and mount them at the other 
end, I don’t rmember how to do this on 5.5 though. Why aren’t you moving to 
2003? 5.5 and 2000 are end of life products. 
 

Thanks,
Brian 
Desmond
[EMAIL PROTECTED]
 
c 
- 312.731.3132
 



From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of John StrongoskySent: Monday, September 11, 2006 
4:07 PMTo: ActiveDir@mail.activedir.orgSubject: 
[ActiveDir] Restore left Info store in an inconsistant 
state.
 

Tried moving my dying ex 5.5 server 
to new hardware this weekend and it failed because the restore did not 
bring over a log file and left the dbase in an inconsistent state. Lucky for me 
I has a recovery plan and was able to bring the old server back online. Has any 
one had this happen to them or heard of this happening. Using VERITAS backup 
Exec 10.d, I remember reading during my haste to find out what was wrong that 
anti-virus and some backup software will hold on to the edb log file, tried 
searching for the article that I read but cant find it The error I 
received when I tried to start the dbase after the restore 
was:

 

EVENT ID 5000, could not start the 
information store,  0x8004010f in the app log, and in the system log 
was the info store service terminated with service specific error, 
2147746063.

 

Another question, since my 
dbase is 26gb and I can't copy it across the wan, can do I a save with the 
services shutdown and restore the dbase and work dbase to the new 
server?

 

thanks,john

[ActiveDir] Restore left Info store in an inconsistant state.

[John Strongosky]

Title: Message



Tried moving my dying ex 5.5 server to new hardware 
this weekend and it failed because the restore did not bring over a log 
file and left the dbase in an inconsistent state. 
Lucky for me I has a recovery plan and was able to bring the old server back 
online. Has any 
one had this happen to them or heard of this happening. Using VERITAS backup 
Exec 10.d, I remember reading during my haste to find out what was wrong that 
anti-virus and some backup software will hold on to the edb log file, tried 
searching for the article that I read but cant find it The error I 
received when I tried to start the dbase after the restore 
was:
 
EVENT ID 5000, could not 
start the information store,  0x8004010f in the app log, and in the 
system log was the info store service terminated with service specific error, 
2147746063.
 
Another question, since my dbase is 26gb and I 
can't copy it across the wan, can do I a save with the services shutdown and 
restore the dbase and work dbase to the new server?
 
thanks,john

RE: [ActiveDir] Moms Alert Question.

[John Strongosky]

Robert, it looks like it, like I said I couldn't see the trees For me
I've got to read these things more than a few times...my old brain is not
what it once wasto many beers probablynah maybe to many
rumsnah...

Thanks again,

john

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
Sent: Wednesday, September 06, 2006 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moms Alert Question.

John,

I'm not 100% sure if this is what you're seeing, but check out the Active
Directory Management Pack Guide located here:
http://www.microsoft.com/downloads/details.aspx?familyid=2B9D3613-5516-4
F44-8550-B21E054F5047&displaylang=en

Around page 14, you'll see where you can set this value.  Please be sure to
read through the whole document as it contains lots of useful information
about configuring the ADMP.

Here's a snippet from the above:

The maximum intersite replication latency threshold value is the maximum
amount of time it takes for a change to replicate across the entire forest.
By default, this value is set to 15 minutes. If it takes longer than 15
minutes for replication to occur, you will receive a warning.
Consult your system architect to review what the expected maximum threshold
value is for your environment. Usually, this value is monitored closely to
ensure that any applicable SLAs for your organization are being met. After
you have determined an appropriate value for your environment, modify the
setting accordingly. The most common scenario involves ensuring that basic
help desk procedures, such as resetting passwords, replicate from corporate
headquarters to a branch office within a reasonable amount of time as
determined by the SLA.


The document tells you where to change this value.

Another good read for the ADMP is the Active Directory Management Pack
Technical Reference:
http://www.microsoft.com/downloads/details.aspx?familyid=2F0237D8-FDA1-4
925-87D6-7D609E5D0807&displaylang=en

I hope that helps...the thing with the Management Packs is to read the
guides (a few times).

Have a great day!

Robert Williams


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: Wednesday, September 06, 2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Moms Alert Question.


Hey everyone, below is a MOM's Alert I'm getting, and I'm new to Active
Directory and MOM's and for the life of me cant find where this "(Intersite,
expected replication time is 15 minutes)" is set I have looked at the repl
mon program and cant see it.. I know I'm looking at some trees when I should
be looking at the forest, but I really need a second pair of eyes
here...could anyone direct me where to look for the "intersite replication"
parameter.

v/r
john



Description:
The following DCs took more than three times the expected replication time
to replicate.

Format: DC, Naming Context, Calculated Replication Time (in minutes)


Site name: City-CenterCity
(Intersite, expected replication time is 15 minutes) CIUTIL01A,
Domain:SDCCD, 55

Site name: DistrictOffice
(Intersite, expected replication time is 15 minutes) DOUTIL01A,
Domain:SDCCD, 55 Name: AD Replication is occurring slowly
Severity: Warning
Resolution State: New
Domain: SDCCD
Computer: CDUTIL01A
Time of First Event: 9/1/2006 3:01:00 PM Time of Last Event: 9/1/2006
5:01:00 PM Alert latency: -7 min, -26 sec Problem State: Active Repeat
Count: 2
Age:  
Source: AD Replication Monitoring
Alert Id: 4d23ee51-3b8e-4360-b0b4-6ca850d6f49f
Rule (enabled): Microsoft Windows Active Directory\Active Directory Windows
2000 and Windows Server 2003 \Active Directory Availability\AD Replication
is occurring slowly 
 



John M. Strongosky
Network Support Group, Messaging Administrator, San Diego Community College
District SunGard Higher Education Managed Services
9315 Hillery Drive,
San Diego California 92126
Tel 619-388-1129
Fax 619-388-1195
Help Desk 619-388-7000
[EMAIL PROTECTED]

CONFIDENTIALITY: This email (including any attachments) may contain
confidential, proprietary and privileged information, and unauthorized
disclosure or use is prohibited. If you received this email in error, please
notify the sender and delete this email from your system. Thank you. 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

2006-09-06, 12:31:21
The information contained in this e-mail message and any attachments may be
privileged and confidential.  If the reader of this message is not the
intended recipient or an agent responsible for delivering it to the intended
recipient, you are hereby notified that any review, dissemination,
distribution or copying of this communication is strictly prohibited.  If
you have received this communication in error, please 

RE: [ActiveDir] Moms Alert Question.

[John Strongosky]

Answered my own question,,, 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: Wednesday, September 06, 2006 8:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Moms Alert Question.


Hey everyone, below is a MOM's Alert I'm getting, and I'm new to Active
Directory and MOM's and for the life of me cant find where this "(Intersite,
expected replication time is 15 minutes)" is set I have looked at the repl
mon program and cant see it.. I know I'm looking at some trees when I should
be looking at the forest, but I really need a second pair of eyes
here...could anyone direct me where to look for the "intersite replication"
parameter.

v/r
john



Description:
The following DCs took more than three times the expected replication time
to replicate.

Format: DC, Naming Context, Calculated Replication Time (in minutes)


Site name: City-CenterCity
(Intersite, expected replication time is 15 minutes) CIUTIL01A,
Domain:SDCCD, 55

Site name: DistrictOffice
(Intersite, expected replication time is 15 minutes) DOUTIL01A,
Domain:SDCCD, 55 Name: AD Replication is occurring slowly
Severity: Warning
Resolution State: New
Domain: SDCCD
Computer: CDUTIL01A
Time of First Event: 9/1/2006 3:01:00 PM Time of Last Event: 9/1/2006
5:01:00 PM Alert latency: -7 min, -26 sec Problem State: Active Repeat
Count: 2
Age:  
Source: AD Replication Monitoring
Alert Id: 4d23ee51-3b8e-4360-b0b4-6ca850d6f49f
Rule (enabled): Microsoft Windows Active Directory\Active Directory Windows
2000 and Windows Server 2003 \Active Directory Availability\AD Replication
is occurring slowly 
 



John M. Strongosky
Network Support Group, Messaging Administrator, San Diego Community College
District SunGard Higher Education Managed Services
9315 Hillery Drive,
San Diego California 92126
Tel 619-388-1129
Fax 619-388-1195
Help Desk 619-388-7000
[EMAIL PROTECTED]

CONFIDENTIALITY: This email (including any attachments) may contain
confidential, proprietary and privileged information, and unauthorized
disclosure or use is prohibited. If you received this email in error, please
notify the sender and delete this email from your system. Thank you. 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

[ActiveDir] Moms Alert Question.

[John Strongosky]

Hey everyone, below is a MOM's Alert I'm getting, and I'm new to Active
Directory and MOM's and for the life of me cant find where this "(Intersite,
expected replication time is 15 minutes)" is set I have looked at the repl
mon program and cant see it.. I know I'm looking at some trees when I should
be looking at the forest, but I really need a second pair of eyes
here...could anyone direct me where to look for the "intersite replication"
parameter.

v/r
john



Description:
The following DCs took more than three times the expected replication time
to replicate.

Format: DC, Naming Context, Calculated Replication Time (in minutes)


Site name: City-CenterCity
(Intersite, expected replication time is 15 minutes)
CIUTIL01A, Domain:SDCCD, 55

Site name: DistrictOffice
(Intersite, expected replication time is 15 minutes)
DOUTIL01A, Domain:SDCCD, 55 Name: AD Replication is occurring slowly 
Severity: Warning 
Resolution State: New 
Domain: SDCCD 
Computer: CDUTIL01A 
Time of First Event: 9/1/2006 3:01:00 PM 
Time of Last Event: 9/1/2006 5:01:00 PM 
Alert latency: -7 min, -26 sec 
Problem State: Active 
Repeat Count: 2 
Age:  
Source: AD Replication Monitoring 
Alert Id: 4d23ee51-3b8e-4360-b0b4-6ca850d6f49f 
Rule (enabled): Microsoft Windows Active Directory\Active Directory Windows
2000 and Windows Server 2003 \Active Directory Availability\AD Replication
is occurring slowly 
 



John M. Strongosky
Network Support Group, Messaging Administrator,
San Diego Community College District
SunGard Higher Education Managed Services
9315 Hillery Drive,
San Diego California 92126
Tel 619-388-1129
Fax 619-388-1195
Help Desk 619-388-7000
[EMAIL PROTECTED]

CONFIDENTIALITY: This email (including any attachments) may contain
confidential, proprietary and privileged information, and unauthorized
disclosure or use is prohibited. If you received this email in error, please
notify the sender and delete this email from your system. Thank you. 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] FMSO roles split, patch question.

[John Strongosky]

Whets the time interval on moving these before you patch the DC's that the
roles were on.

john

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, August 17, 2006 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

I completely concur with Jorge on his process. 

It takes a lot less hassle and a lot less feeling of concern to move a FSMO
prior to an update of a machine than to have to seize the role later
regardless of the reason of it going down. Especially when you have a script
that applies the NTSUTIL commands to move the roles. A move of all roles in
a properly scripted environment is a procedure that takes all of about 10-15
seconds. A seize on the other hand isn't something you should just quickly
think about doing, you need to work out the consequences and make a
determination in most cases whether or not you will ever bring that DC back
up as it stands now. It is, IMO, a no-brainer if you have multiple DCs as it
is isn't any real workload or concern to do it.

When I am doing production ops I *always* move roles prior to making machine
specific updates. I never assume a server is going to come back up after I
say restart or in fact even go down properly without hanging. 

Now I understand the SBS thoughts behind it though... In the SBS world if
you lost the DC, you have far greater issues than you lost a FSMO role for
the moment. In the world outside of SBS, most people look at DCs as
expendable. You set up 10 of them in front of you and 5 fell down you would
be like, crap, I will have to fix those at some point. You set up an SBS DC
and it falls over there are skid marks where you were previously standing. 

 joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, August 17, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FMSO roles split, patch question.

As a person who tests/patches a bunch of single DCs I've never seen a
"patch" kill a server.

Driver update may and has, yes.
Impair functionality of the server, yes.

But kill it completely?  Microsoft tests patches ahead of time and they
would find ahead of time if basic functionality of a DC would be nailed.

But if the server dies... it was probably on the emergency list prior to
patching.  Rebooting the box first ensures that you find these 'hospital
bound' servers.

Almeida Pinto, Jorge de wrote:
> the reason is that is a DC dies during the patching you do not have to
seize the rolesIMHO, I prefer transfering over seizing
>  
> Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto 
> Senior Infrastructure Consultant MVP Windows Server - Directory 
> Services
>  
> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
> (   Tel : +31-(0)40-29.57.777
> (   Mobile : +31-(0)6-26.26.62.80
> *   E-mail : 
>
> 
>
> From: [EMAIL PROTECTED] on behalf of John Strongosky
> Sent: Thu 2006-08-17 16:55
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] FMSO roles split, patch question.
>
>
> I cornfused is this a standard practice as I thought you did not want 
> to
move the FMSO roles back and forth. 
>  
> john
>
> 
>
> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
> Sent: Thursday, August 17, 2006 4:33 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] FMSO roles split, patch question.
>
>
> in addition to that
> DC1 having FSMOset1 and DC2 having FSMOset2 transfer FSMOset1 from DC1 
> to DC2 apply patches to DC1 and reboot and check everything (event 
> logs DCdiag,
etc)
> if everything OK!
> transfer FSMOset1 and FSMOset2 from DC2 to DC1 apply patches to DC2 
> and reboot and check everything (event logs DCdiag,
etc)
> if everything OK!
> transfer FSMOset2 from DC1 to DC2
> voila (that's french)...done! ;-)
>  
> jorge
>
>  
>
> 
>
>   From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
>   Sent: Wednesday, August 09, 2006 01:52
>   To: ActiveDir@mail.activedir.org
>   Subject: RE: [ActiveDir] FMSO roles split, patch question.
>   
>   
>   It doesn't matter.
>
>   
>
>   Sincerely, 
>  _
> (, /  |  /)   /) /)   
>   /---| (/_  __   ___// _   //  _ 
>) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
>   (_/ /)  

RE: [ActiveDir] FMSO roles split, patch question.

[John Strongosky]

Makes 
sensehow many dc's do you have in you 
infrastructure...


From: Almeida Pinto, Jorge de 
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge deSent: Thursday, August 17, 2006 8:02 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] FMSO roles 
split, patch question.


the reason is that is a DC 
dies during the patching you do not have to seize the rolesIMHO, I prefer 
transfering over seizing
 


Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 

LogicaCMG 
Nederland B.V. (BU RTINC Eindhoven)
(   Tel 
: +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : 


From: [EMAIL PROTECTED] on 
behalf of John StrongoskySent: Thu 2006-08-17 16:55To: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] FMSO roles 
split, patch question.

I 
cornfused is this a standard practice as I thought you did not want to move the 
FMSO roles back and forth. 
 
john


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge deSent: Thursday, August 17, 2006 4:33 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] FMSO roles 
split, patch question.

in addition to that
DC1 having FSMOset1 and DC2 having 
FSMOset2
transfer FSMOset1 from DC1 to DC2
apply patches to DC1 and reboot and check everything (event 
logs DCdiag, etc)
if everything OK!
transfer FSMOset1 and FSMOset2 from DC2 to 
DC1
apply patches 
to DC2 and reboot and check everything (event logs DCdiag, 
etc)
if everything OK!
transfer FSMOset2 from DC1 to 
DC2
voila (that's 
french)...done! ;-)
 
jorge
 

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Deji 
  AkomolafeSent: Wednesday, August 09, 2006 01:52To: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] FMSO roles 
  split, patch question.
  
  
  It doesn't 
  matter.
   
  
  
  Sincerely,    
  _    
    (, /  |  
  /)   
  /) /)       /---| 
  (/_  __   ___// _   //  _  ) 
  /    |_/(__(_) // 
  (_(_)(/_(_(_/(__(/_(_/ 
  /)  
     
  (/   Microsoft MVP - Directory 
  Serviceswww.akomolafe.com - we know 
  IT-5.75, -3.23Do 
  you now realize that Today is the Tomorrow you were worried about Yesterday? 
  -anon
  
  
  From: John StrongoskySent: Tue 
  8/8/2006 4:49 PMTo: ActiveDir@mail.activedir.orgSubject: 
  [ActiveDir] FMSO roles split, patch question.
  
  We 
  have our FMSO roles split between 2 dc's. They are Schema Master/Domain Tree 
  Operator on 1 and on 2,  the roles PDC Emulator/Rid Pool/Intrastate on 
  the other. After I apply the patches from Microsoft what is the beat 
  practices for the boot order...or does it matter?
   
  1. 
  Remote DC/GC's first
  2. 
  no. 1
  3. 
  then no 2.
   
   
  thanks
   
   
   
This e-mail and any 
attachment is for authorised use by the intended recipient(s) only. It may 
contain proprietary material, confidential information and/or be subject to 
legal privilege. It should not be copied, disclosed to, retained or used by, any 
other party. If you are not an intended recipient then please promptly delete 
this e-mail and any attachment and all copies and inform the sender. Thank 
you.

RE: [ActiveDir] FMSO roles split, patch question.

[John Strongosky]

I 
cornfused is this a standard practice as I thought you did not want to move the 
FMSO roles back and forth. 
 
john


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge deSent: Thursday, August 17, 2006 4:33 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] FMSO roles 
split, patch question.

in addition to that
DC1 having FSMOset1 and DC2 having 
FSMOset2
transfer FSMOset1 from DC1 to DC2
apply patches to DC1 and reboot and check everything (event 
logs DCdiag, etc)
if everything OK!
transfer FSMOset1 and FSMOset2 from DC2 to 
DC1
apply patches 
to DC2 and reboot and check everything (event logs DCdiag, 
etc)
if everything OK!
transfer FSMOset2 from DC1 to 
DC2
voila (that's 
french)...done! ;-)
 
jorge
 

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Deji 
  AkomolafeSent: Wednesday, August 09, 2006 01:52To: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] FMSO roles 
  split, patch question.
  
  
  It doesn't 
  matter.
   
  
  
  Sincerely,    
  _    
    (, /  |  
  /)   
  /) /)       /---| 
  (/_  __   ___// _   //  _  ) 
  /    |_/(__(_) // 
  (_(_)(/_(_(_/(__(/_(_/ 
  /)  
     
  (/   Microsoft MVP - Directory 
  Serviceswww.akomolafe.com - we know IT-5.75, -3.23Do you now realize that Today is the Tomorrow you 
  were worried about Yesterday? 
  -anon
  
  
  From: John StrongoskySent: Tue 
  8/8/2006 4:49 PMTo: ActiveDir@mail.activedir.orgSubject: 
  [ActiveDir] FMSO roles split, patch question.
  
  We 
  have our FMSO roles split between 2 dc's. They are Schema Master/Domain Tree 
  Operator on 1 and on 2,  the roles PDC Emulator/Rid Pool/Intrastate on 
  the other. After I apply the patches from Microsoft what is the beat 
  practices for the boot order...or does it matter?
   
  1. 
  Remote DC/GC's first
  2. 
  no. 1
  3. 
  then no 2.
   
   
  thanks
   
   
   
This e-mail and any 
attachment is for authorised use by the intended recipient(s) only. It may 
contain proprietary material, confidential information and/or be subject to 
legal privilege. It should not be copied, disclosed to, retained or used by, any 
other party. If you are not an intended recipient then please promptly delete 
this e-mail and any attachment and all copies and inform the sender. Thank 
you.

RE: [ActiveDir] FMSO roles split, patch question.

[John Strongosky]

06-040?? What is this?
 
john


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
CPA aka Ebitz - SBS Rocks [MVP]Sent: Tuesday, August 08, 2006 5:17 
PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] 
FMSO roles split, patch question.
The main thing it to test and approve 06-040 and get that one on the 
fast track IMHO.Deji Akomolafe wrote: 

  
  It doesn't 
  matter.
   
  
  
  Sincerely,    
  _    
    (, /  |  
  /)   
  /) /)       /---| 
  (/_  __   ___// _   //  _  ) 
  /    |_/(__(_) // 
  (_(_)(/_(_(_/(__(/_(_/ 
  /)  
     
  (/   Microsoft MVP - Directory 
  Serviceswww.akomolafe.com - we know IT-5.75, -3.23Do you now realize that Today is the Tomorrow you 
  were worried about Yesterday? 
  -anon
  
  
  From: John StrongoskySent: Tue 
  8/8/2006 4:49 PMTo: ActiveDir@mail.activedir.orgSubject: 
  [ActiveDir] FMSO roles split, patch question.
  
  We 
  have our FMSO roles split between 2 dc's. They are Schema Master/Domain Tree 
  Operator on 1 and on 2,  the roles PDC Emulator/Rid Pool/Intrastate on 
  the other. After I apply the patches from Microsoft what is the beat 
  practices for the boot order...or does it matter?
   
  1. 
  Remote DC/GC's first
  2. 
  no. 1
  3. 
  then no 2.
   
   
  thanks
   
   
   -- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbsList 
info : http://www.activedir.org/List.aspx List FAQ : 
http://www.activedir.org/ListFAQ.aspx List archive: 
http://www.activedir.org/ml/threads.aspx

[ActiveDir] FMSO roles split, patch question.

[John Strongosky]

We 
have our FMSO roles split between 2 dc's. They are Schema Master/Domain Tree 
Operator on 1 and on 2,  the roles PDC Emulator/Rid Pool/Intrastate on the 
other. After I apply the patches from Microsoft what is the beat practices 
for the boot order...or does it matter?
 
1. 
Remote DC/GC's first
2. 
no. 1
3. 
then no 2.
 
 
thanks
 
 
 

RE: [ActiveDir] Admt Migration question.

[John Strongosky]

Fixed...nic driver...uninstalled and reinstalled and it workedgo
figure... 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: Thursday, August 03, 2006 2:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Admt Migration question.

 
Hey everyone I'm going nuts here and I need some help

   Am trying to do a security translation on a pc using ADMT v3.0 and it
gives me this error "Unable to access server service on the machine
'MISMCGOWAN'. Make sure netlogon and workstation services are running and
you can authenticate yourself to the machine. hr=0x800706ba. The RPC server
is unavailable",

 We have completed about 30 pc's and this is the first one that is giving us
fits... We rename the pc before the migration to confirm to our new naming
standards. ( I think this is where the problem lies)

This is what we have done so far to troubleshoot this.

1. Made sure services it has mentioned are running.
2. Made sure the Remote registry service is running.
3. Added the Preferred DNS entry of the AD Dns Server and Wins entries to
the Ip properties of the nic.
4. Deleted the old wins entries and new ones as well, did a nbtstat -RR at
workstation to register the names in wins.
5. Disabled the firewall service and uninstalled another firewall program
that was on this pc.
6. Went thru and uninstalled programs that we thought might impact this
problem.
7. When we try and do a start, run  \\MISMCGOWAN\c$ it won't list the
contents' of the C drive from the AD domain Controller that we are migrating
this pc from. We are logged in to this DC as a source domain Admin that is a
member of the local admin group on the pc. We get this error " No network
Provider accepted the accepted the given network path"
8. Can login to machine as the source domain admin account.
9. Changed the Administrator's name to fit our new naming standard.
10. Changed the password to match the account that is doing the migration.
It's a source domain admin account.


Thanks in advance for any input..

john



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

[ActiveDir] Admt Migration question.

[John Strongosky]

 
Hey everyone I'm going nuts here and I need some help

   Am trying to do a security translation on a pc using ADMT v3.0 and it
gives me this error "Unable to access server service on the machine
'MISMCGOWAN'. Make sure netlogon and workstation services are running and
you can authenticate yourself to the machine. hr=0x800706ba. The RPC server
is unavailable",

 We have completed about 30 pc's and this is the first one that is giving us
fits... We rename the pc before the migration to confirm to our new naming
standards. ( I think this is where the problem lies)

This is what we have done so far to troubleshoot this.

1. Made sure services it has mentioned are running.
2. Made sure the Remote registry service is running.
3. Added the Preferred DNS entry of the AD Dns Server and Wins entries to
the Ip properties of the nic.
4. Deleted the old wins entries and new ones as well, did a nbtstat -RR at
workstation to register the names in wins.
5. Disabled the firewall service and uninstalled another firewall program
that was on this pc.
6. Went thru and uninstalled programs that we thought might impact this
problem.
7. When we try and do a start, run  \\MISMCGOWAN\c$ it won't list the
contents' of the C drive from the AD domain Controller that we are migrating
this pc from. We are logged in to this DC as a source domain Admin that is a
member of the local admin group on the pc. We get this error " No network
Provider accepted the accepted the given network path"
8. Can login to machine as the source domain admin account.
9. Changed the Administrator's name to fit our new naming standard.
10. Changed the password to match the account that is doing the migration.
It's a source domain admin account.


Thanks in advance for any input..

john



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] Question on "restricted group" policy.

[John Strongosky]

Laura, yes the restricted group gpo that I 
created.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. 
RobinsonSent: Wednesday, July 26, 2006 4:13 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Question on 
"restricted group" policy.

If you 
delete what? The GPO?
 
Laura

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of John 
  StrongoskySent: Wednesday, July 26, 2006 7:08 PMTo: 
  ActiveDir@mail.activedir.orgSubject: [ActiveDir] Question on 
  "restricted group" policy.
  
  Hey,
   
     Created a restricted group policy for my domain 
  that's adds some groups to the local administrators group of the workstations. 
  My question is now management wants me to delete it. If I understand the way 
  this works is that if I delete it then it will delete the groups that were 
  associated with this policy thus leaving nobody in the local admin group. Am I 
  correct...
   
  v/r
  john
   

[ActiveDir] Question on "restricted group" policy.

[John Strongosky]

Hey,
 
   Created a restricted group policy for my domain 
that's adds some groups to the local administrators group of the workstations. 
My question is now management wants me to delete it. If I understand the way 
this works is that if I delete it then it will delete the groups that were 
associated with this policy thus leaving nobody in the local admin group. Am I 
correct...
 
v/r
john
 

RE: [ActiveDir] Servers or Workstations

[John Strongosky]

Guido, thanks for the info. Yes you are correct we are not using our windows
all (188) of them as file servers  I'm an old fart, have a bad heart and  I
hate surprises so could tell me what surprises I have in store for me. (i.e.
SIDhistory has some nice surprises here)

john

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, June 21, 2006 3:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Servers or Workstations

yes, this approach would work fine. Important is to finish step 1+2 before
you do 3+4. As your AD domain has trusts to both source domains and it
doesn't look like you're leveraging windows file-servers, you could also do
step 5 early on (would be different if you are leveraging a lot of Windows
File Servers - SIDhistory has some nice surprises here).  BTW, step 3+4 can
be done at once (but I also preferr to keep them apart)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: Mittwoch, 21. Juni 2006 17:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Servers or Workstations

Guido, thanks, for the feed backhere is the info about our domain. 2
nt4
domains, 1 an account and 1 a resource with a 2 way trust between them.
No
roaming profiles. Servers have shares on them for web development.
Novell is
our file server's. We do direct ip printing. Have 1 Citrix Server. Have
migrated groups first then users with sid history using ADMT v3.0 and now am
starting on workstation's/servers but I used my self as a test dummy and
screwed up my workstation (this worked in our lab) by not having access to
an Helpdesk application that uses a share and logging on to the AD domain
before I had migrated my profile.

So if I'm doing this correctly the scenario for this AD migration using ADMT
v 3.0 should be:

1. Migrate Groups from both Domains with sid history.
2. Migrate Users with Sid history and fix group membership.
3. Migrate User Profiles using the Security Translation Wizard selecting to
do only the profile/User rights and adding security references selecting the
source domain workstations.
4. Migrate the workstation using the Computer Migration Wizard but leave the
Users Profiles and User rights unchecked 5. Migrate Servers using the
Security Translation Wizard and then the Computer Migration Wizard.


john

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, June 20, 2006 11:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Servers or Workstations

servers first? workstations first?
first what?

I assume you're talking about migrating your servers and workstations from
an NT4 domain to an AD domain - correct?  If so, the order strongly depends
on various aspects, such as the status of your user and group migration and
how you handle permissions on your servers.  There's too much detail here to
know, which doesn't make sense to add without knowing more about your
environment. 

But more often than not it is more advisable to 1. migrate your users
accounts and groups to AD 2. take care of the user profiles on the
workstations and ensure that the users are actually using the AD account
(often combined with the computer migration) 3. migrate the servers and any
other workstations to AD 

Usually the order of workstation or servers is not important - this changes
if you have a lot of trusts in your environment and need to ensure
availability of specific trusted resources from other domains that have not
been migrated yet. Suddenly the order can become important again.

So maybe you want to enlighten us a little about your environment, such as
trusts between your domains, usage of SidHistory for account/group
migration, usage of local profiles/roaming profiles on workstations,
terminal servers, tools you're using for the migration etc.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: Mittwoch, 21. Juni 2006 00:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Servers or Workstations

Thanks Rob, thought so... 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Tuesday, June 20, 2006 3:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Servers or Workstations

Hi John,

I would 'generally' opt for servers first as you can then take advantage of
the 2K, 2K3 goodies, i.e. AD straight away when you migrate the
workstations. 

Rob

Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:   +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com  

-Original Message-
Fr

RE: [ActiveDir] Servers or Workstations

[John Strongosky]

Guido, thanks, for the feed backhere is the info about our domain. 2 nt4
domains, 1 an account and 1 a resource with a 2 way trust between them. No
roaming profiles. Servers have shares on them for web development. Novell is
our file server's. We do direct ip printing. Have 1 Citrix Server. Have
migrated groups first then users with sid history using ADMT v3.0 and now am
starting on workstation's/servers but I used my self as a test dummy and
screwed up my workstation (this worked in our lab) by not having access to
an Helpdesk application that uses a share and logging on to the AD domain
before I had migrated my profile.

So if I'm doing this correctly the scenario for this AD migration using ADMT
v 3.0 should be:

1. Migrate Groups from both Domains with sid history.
2. Migrate Users with Sid history and fix group membership.
3. Migrate User Profiles using the Security Translation Wizard selecting to
do only the profile/User rights and adding security references selecting the
source domain workstations.
4. Migrate the workstation using the Computer Migration Wizard but leave the
Users Profiles and User rights unchecked
5. Migrate Servers using the Security Translation Wizard and then the
Computer Migration Wizard.


john

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, June 20, 2006 11:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Servers or Workstations

servers first? workstations first?
first what?

I assume you're talking about migrating your servers and workstations from
an NT4 domain to an AD domain - correct?  If so, the order strongly depends
on various aspects, such as the status of your user and group migration and
how you handle permissions on your servers.  There's too much detail here to
know, which doesn't make sense to add without knowing more about your
environment. 

But more often than not it is more advisable to 1. migrate your users
accounts and groups to AD 2. take care of the user profiles on the
workstations and ensure that the users are actually using the AD account
(often combined with the computer migration) 3. migrate the servers and any
other workstations to AD 

Usually the order of workstation or servers is not important - this changes
if you have a lot of trusts in your environment and need to ensure
availability of specific trusted resources from other domains that have not
been migrated yet. Suddenly the order can become important again.

So maybe you want to enlighten us a little about your environment, such as
trusts between your domains, usage of SidHistory for account/group
migration, usage of local profiles/roaming profiles on workstations,
terminal servers, tools you're using for the migration etc.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: Mittwoch, 21. Juni 2006 00:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Servers or Workstations

Thanks Rob, thought so... 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Tuesday, June 20, 2006 3:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Servers or Workstations

Hi John,

I would 'generally' opt for servers first as you can then take advantage of
the 2K, 2K3 goodies, i.e. AD straight away when you migrate the
workstations. 

Rob

Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:   +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: 20 June 2006 18:37
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Servers or Workstations

 
Hey all,

  I thought I had our Ad Migration plan as we were going to do workstations
first but I'm having second thoughts. I think we should do servers first
then workstation's. Could I have your thoughts on this.

Thanks

john
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] Servers or Workstations

[John Strongosky]

Thanks Rob, thought so... 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Tuesday, June 20, 2006 3:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Servers or Workstations

Hi John,

I would 'generally' opt for servers first as you can then take advantage of
the 2K, 2K3 goodies, i.e. AD straight away when you migrate the
workstations. 

Rob

Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:   +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: 20 June 2006 18:37
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Servers or Workstations

 
Hey all,

  I thought I had our Ad Migration plan as we were going to do workstations
first but I'm having second thoughts. I think we should do servers first
then workstation's. Could I have your thoughts on this.

Thanks

john
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

[ActiveDir] Servers or Workstations

[John Strongosky]

 
Hey all,

  I thought I had our Ad Migration plan as we were going to do workstations
first but I'm having second thoughts. I think we should do servers first
then workstation's. Could I have your thoughts on this.

Thanks

john
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

[ActiveDir] Failed Computer account migration

[John Strongosky]

 In my lab I had a computer account that would not completely migrate. It
was in AD but the ADMT did not change its domain affiliation and thus when I
logged on it created a whole new profile. This has me worried as I can just
see us do this to the head honcho here and all his programs go missingI
did some research about the move user utility I noticed that there are
problems moving from one domain account to another (said its was most likely
permissions) Has anyone used this tool when you computer account migration
failed? If so what how did you get it to work. Or did you use another tool.
I look at the User Migration Tool from Microsoft but from what I read that's
for a reimage or a new load of XP


Thanks,

john
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Forest prep/domain prep in a MT root Domain

[John Strongosky]

Title: RE: [MVP-Directory Services] October MVP Awards



Thanks for the reply's
Nothing in place yet, I'm talking both Win2k3 and Exchange 
2003.
 
john

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, 
  HunterSent: Tuesday, October 11, 2005 10:24 AMTo: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Forest 
  prep/domain prep in a MT root Domain
  
  John-
   
  Some more details please...
   
  What do you have in place now, in terms of Active 
  Directory and Exchange (versions, layout, etc)? Or is this a brand new install 
  of everything?
   
  Are you talking about Exchange forestprep/domainprep, or 
  Win 2003 adprep forestprep/domainprep?
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of ZAD Forum for 
  Active DirectorySent: Tuesday, October 11, 2005 9:55 
  AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] 
  Forest prep/domain prep in a MT root Domain
  
  Hey 
  everyone, long time reading hereI'm confused as I'm new to AD and doing my 
  research for our conversion..so here is my question we are gong to have an 
  MT root domain and a sub ( if that the correct term) domain where we are going 
  to put exchange, let call the root domain "AD.sdccd" and the sub domain 
  admin.
   
  What is the proper procedure for running Forest prep and Domain 
  Prep? From all my reading I don't think I run forest prep on the sub domain 
  but do run domain prep on the MT root and on the sub domain. Am I 
  correct
   
   
  john
  
 

[ActiveDir] Forest prep/domain prep in a MT root Domain

[John Strongosky]

Title: RE: [MVP-Directory Services] October MVP Awards



Hey 
everyone, long time reading hereI'm confused as I'm new to AD and doing my 
research for our conversion..so here is my question we are gong to have an 
MT root domain and a sub ( if that the correct term) domain where we are going 
to put exchange, let call the root domain "AD.sdccd" and the sub domain 
admin.
 
What 
is the proper procedure for running Forest prep and Domain Prep? From all my 
reading I don't think I run forest prep on the sub domain but do run domain prep 
on the MT root and on the sub domain. Am I correct
 
 
john

   

RE: [ActiveDir] ADMT Group SID History

[John Strongosky]

Does the sid filtering apply to nt40 to w2k3 Native AD migration? 

john

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, July 12, 2005 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADMT Group SID History

yep, sound just like the source-domain's SIDs are being filtered when the
resource is still in the source domain (external.dev).  Realize, that you
only need to disable SID filtering on the trust in the source domain - you
should leave it enabled on the target domain.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Dienstag, 12. Juli 2005 21:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADMT Group SID History

Have your turned off SID filtering on the Trust?

NETDOM trust DomainX /domain:DomainY /quarantine:No
/usero:DomainX\AdministratorX /passwordo:*

The * will cause a prompt for the password.

Mark

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 12 July 2005 19:53
To: activedir@mail.activedir.org
Subject: [ActiveDir] ADMT Group SID History





All,
  I've been following the Sybex book, Mastering Windows 2003, to test an
inter-forest migration from external.dev to development.dev using the ADMT.
I have not received any errors during the migration and everything appears
to be setup correctly, however, I do not think the SID History is
functioning properly.

  I have a 200 domain named External.dev and a 2003 domain named
development.dev. I have a group on External.dev called "Accounting" and a
member of that group named "Pete". I have a member server in external.dev,
N060MSADDEV4, with a share named "Accounting". The Everyone group has been
removed from the ACL and the External\Accounting group has been given full
control.

  I migrate Accounting from external.dev to development.dev with the box
checked to migrate SID histories and I receive no errors. The new Accounting
group in development.dev should have a SID matching the one on the
Accounting group in external.dev and since that group has access to
N060MSADDEV4\Accounting any new member of Develppment\Accounting should be
able to access N060MSADDEV4\Accounting. I create a user named "Tom" in
development.dev and place him in the new Accounting group and attempt to
connect to the share and access is denied. If I then migrate
N060MSADDEV4
to development.dev and Add the equivalent security references for the target
object and leave the source references in tact I can then access the share
with Tom, but according to the book I should not have to do that.
Am
I not doing something correctly in this test?

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Question about NT 4.0 Account/Resource Domain Mig ration.

[John Strongosky]

Guido, thanks for the answer...helps a lot
No I understand it that I can do the accounts/server/computer/desktop
migration from the accounts domainand that once everything is migrated I
use AD to do any new additions such a accounts etcI know that the last
question was a no brainer but I had to be sure I understood the migration
steps

john 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, February 23, 2005 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question about NT 4.0 Account/Resource Domain
Migration.

no,yes,yes

no, don't have to do two migrations... yes, you can migrate servers from the
resource domain directly, but you need to setup a trust from the resource
domain to the AD domain... yes, after migration, add new users machines to
AD

/Guido

gee, I find my own answer hard to read ;-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: Wednesday, February 23, 2005 10:18 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Question about NT 4.0 Account/Resource Domain
Migration.

We have 2 nt40 domains, 1 an accounts domain and the other a resource domain
with a one way trust from the accounts domain to the resource domain, and we
are planning on have 1 AD domain, to migrate all user accounts,
servers/computers, desktops etc... before we do our exchange migration do I
need to do 2 migrations using the ADMT  tool or can I use the ADMT  and
migrate servers that are in the resource domain from the accounts domain
since I have a trust between the domains. The reason I ask is I'm in the
middle of my test migration of exchange and it would save me a lot of time
and money if I could get this answered.I'd have to go ask the boss for
another server so I can add more VPC's and I don't think he would be too
happy since I had to beg for this test server I have nowI'm running 5
VPC's now on this server and its almost maxed out of memory
 
 
Also once I have all of the user accounts/servers/desktops/computers
migrated I should not be using the NT40 side to add users accounts
etc...correct?
 
v/r
John
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] Question about NT 4.0 Account/Resource Domain Migration.

[John Strongosky]

We have 2 nt40 domains, 1 an accounts domain and the other a resource domain
with a one way trust from the accounts domain to the resource domain, and we
are planning on have 1 AD domain, to migrate all user accounts,
servers/computers, desktops etc... before we do our exchange migration do I
need to do 2 migrations using the ADMT  tool or can I use the ADMT  and
migrate servers that are in the resource domain from the accounts domain
since I have a trust between the domains. The reason I ask is I'm in the
middle of my test migration of exchange and it would save me a lot of time
and money if I could get this answered.I'd have to go ask the boss for
another server so I can add more VPC's and I don't think he would be too
happy since I had to beg for this test server I have nowI'm running 5
VPC's now on this server and its almost maxed out of memory
 
 
Also once I have all of the user accounts/servers/desktops/computers
migrated I should not be using the NT40 side to add users accounts
etc...correct?
 
v/r
John
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] OT:exchange frontend

[John Strongosky]

I found this in the book Microsoft Exchange Server 2003 24seven by Jim
McBee(with Barry Gerber)on page 794:

Frontend VersionBackend Version Result interface
Ex 5.5 owa  ex2003  ex5.5 owa
Ex2003 owa  Ex 5.5  not functional
Ex2000  ex2003  not allowed
Ex2003  ex2000  ex2000owa
Ex2003  ex2003  ex2003owa

Hope this helps
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Friday, January 28, 2005 7:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:exchange frontend

I agree with Al that the same risk is taken, however the impact of a hack is
not necessarily the same. I'd much rather lose a frontend OWA/SMTP box than
a mailbox server; at least I'd keep internal messaging functional.

Either way, having a proxy server between Exchange and the internet is a
good idea if you can swing it.

As far as I know, you can't run E2K frontend to E2K3 backend.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, January 28, 2005 8:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:exchange frontend

IMHO, same risk is taken in regards to being hacked.  

As for operational availability risk, a FE server serves two purposes in my
opinion: it allows you to hide the mail store for the user thereby allowing
higher scalability and it also buffers the mail flow if deployed for the
SMTP as well.  That allows you some room to work if the mail gets backed up
for some reason yet the mailboxes are still functional internally.

Outside of that, it wouldn't be much of a difference in most cases. 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, January 28, 2005 10:17 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:exchange frontend

I remeber this being spoken of before but I can't seem to find the thread,
so my apologies in advance.


my question is- are there any security issues with allowing outlook web
access directly to your exchange server as opposed to using a front end
server?

we currently use a exchange2k front end with ssl cert, however we are
migrating to exchange 2k3 and my dept doesn't want to spend the $$ on 2
copies of exchange2k3 and new hardware for the front-end server(our current
frontend cannot support win2k3/exchange2k3).

also, can my existing exchange2k frontend server perform this same role for
a exchange2k3 server running on win2k3?

thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Moving NT4.0 Dns to Win2k3 DNS

[John Strongosky]

Title: Message



I 
think the reason we only use one forwarder is because of bandwidth issues in the 
past, but now that we are on an ATM I don't think that an issue it just has not 
be revisited and yes all other dns server point to this one as the forwarder for 
the district. All servers have the entries for the dns server on 
their segment and as a secondary entree they use the nt4.0 dns server which 
is also the forwarder (ntdns1) and for those segments that do not have a dns 
server they use the forwarder(ntdns1)  the first entry and (ntdns2) as the 
second entry in the tcp/ip properties of the nic card.

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, 
  AlSent: Monday, October 18, 2004 9:22 AMTo: 
  '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Moving NT4.0 
  Dns to Win2k3 DNS
  
  Let's make sure we're talking the same thing: For 
  forwarders, you can specify several forwarders per DNS host.  You may be 
  talking about making this particular host the only forwarder in the 
  organization e.g. the other servers refer to this one for forward requests 
  possibly for ease of input or for legacy reasons.  Can you 
  clarify?
   
  The servers: Can you get a list of the servers and 
  see which servers they use for they for their name resolution?  If none 
  of them are using the existing servers, but rather the W2K hosts, then you may 
  not need to worry about it.  Either way, it's worth it to get them to 
  change over and just take longer to do so, vs. replacing the IP address.  
  I'm basing that on opinion, because you could do it by replacing the 
  machine.  It's just that based on the conversation so far, I'd say the 
  risk is much higher that way.
   
  I think it's a good idea to make this suggestion: If 
  you're designing AD, changing out DNS could very well result in your having to 
  revisit the DNS design in the near future.  AD is so heavily dependent on 
  DNS that it would be worthwhile for you to plan both at the same time. Anyone 
  who's had to troubleshoot AD in the past will likely tell you the same. 
  
   
   
  Al
   
   
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of John 
  StrongoskySent: Monday, October 18, 2004 11:37 AMTo: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] Moving NT4.0 
  Dns to Win2k3 DNS
  
  Al, 
  thanks for the response. answer to your questions below.
  1. 
  Didn't know we could have more than 1 forwarder.
  2. 
  yes our client workstations are using dhcp. but our server are not and we have 
  about 100+ that are hard coded with the dns entries.
  3. 
  no we are not using AD but are in the design process of migrating to 
  AD.
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, 
AlSent: Monday, October 18, 2004 6:35 AMTo: 
'[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Moving 
NT4.0 Dns to Win2k3 DNS

Couple of questions:
 
Why do you have only one forwarder?  Does it 
matter to you that you have only one?  That seems like a single point 
of failure to me.
 
Are you setting DNS hosts via DHCP?  If so, why 
not use that as a way to work in the new DNS servers vs. changing IP 
addresses?  Much better to work them in in a parallel method vs. cut 
over and take your chances. ;)  DHCP would be harder to change over as 
the routers often have to be adjusted to forward the bootp packets. 

 
 
 
Do you use Active Directory?  Or are these 
intended to be standalone for ever?
 
 
Ajm



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of John 
StrongoskySent: Friday, October 15, 2004 11:23 AMTo: 
[EMAIL PROTECTED]Subject: [ActiveDir] Moving NT4.0 Dns 
to Win2k3 DNS

I've currently been 
tasked with moving our nt4.0 dns to win2k3 and I think I have an 
understanding how I want to do but I'm not sure,  so i thought I would 
run it by the this group and see if my logic will pass 
muster.
 
1. we have 2 nt4.0 
sp6a dns servers called ntdns1 and ntdns2, plus 5 other win2k dns servers as 
secondary dns servers on other campus's.
2. ntdns1 is our 
forwarder and the primary dns server for 70+ domains and its also 
running dhcp for about 30 scopes and wins.
3. ntdns2 is our 
secondary for these zones and also has wins on it.
4. wins 
servers are not in a push/pull scenario. They act on there 
own.
 
How I was thinking 
about migrating these dns servers is to do ntdns2 first.
 
1. after I 
 load win2k3 on let's say  "ntdns3", then  load dns and then 
 add the zone files as a secondary zones and reverse lookup zones and 
let them propagate, then add wins and do a 
scavenge.
2. turn off ntdns2 
and then change the ip address of "ntdns3" to the ip address of 
ntdns2.
 
Then do ntdns1 in 
the same way but with

RE: [ActiveDir] Moving NT4.0 Dns to Win2k3 DNS

[John Strongosky]

Title: Message



Al, 
thanks for the response. answer to your questions below.
1. 
Didn't know we could have more than 1 forwarder.
2. 
yes our client workstations are using dhcp. but our server are not and we have 
about 100+ that are hard coded with the dns entries.
3. no 
we are not using AD but are in the design process of migrating to 
AD.

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, 
  AlSent: Monday, October 18, 2004 6:35 AMTo: 
  '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Moving NT4.0 
  Dns to Win2k3 DNS
  
  Couple of questions:
   
  Why do you have only one forwarder?  Does it matter 
  to you that you have only one?  That seems like a single point of failure 
  to me.
   
  Are you setting DNS hosts via DHCP?  If so, why not 
  use that as a way to work in the new DNS servers vs. changing IP 
  addresses?  Much better to work them in in a parallel method vs. cut over 
  and take your chances. ;)  DHCP would be harder to change over as the 
  routers often have to be adjusted to forward the bootp packets. 
  
   
   
   
  Do you use Active Directory?  Or are these intended 
  to be standalone for ever?
   
   
  Ajm
  
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of John 
  StrongoskySent: Friday, October 15, 2004 11:23 AMTo: 
  [EMAIL PROTECTED]Subject: [ActiveDir] Moving NT4.0 Dns 
  to Win2k3 DNS
  
  I've currently been 
  tasked with moving our nt4.0 dns to win2k3 and I think I have an 
  understanding how I want to do but I'm not sure,  so i thought I would 
  run it by the this group and see if my logic will pass 
  muster.
   
  1. we have 2 nt4.0 
  sp6a dns servers called ntdns1 and ntdns2, plus 5 other win2k dns servers as 
  secondary dns servers on other campus's.
  2. ntdns1 is our 
  forwarder and the primary dns server for 70+ domains and its also running 
  dhcp for about 30 scopes and wins.
  3. ntdns2 is our 
  secondary for these zones and also has wins on it.
  4. wins 
  servers are not in a push/pull scenario. They act on there 
  own.
   
  How I was thinking 
  about migrating these dns servers is to do ntdns2 first.
   
  1. after I 
   load win2k3 on let's say  "ntdns3", then  load dns and then 
   add the zone files as a secondary zones and reverse lookup zones and let 
  them propagate, then add wins and do a scavenge.
  2. turn off ntdns2 and 
  then change the ip address of "ntdns3" to the ip address of 
  ntdns2.
   
  Then do ntdns1 in the 
  same way but with another server and after the zones and wins have been done, 
  change the ip to the same on that ntdns1 was, change the zones from secondary 
  to primary and add it as the forwarder
   
   
  The thing that I'm 
  worried about is browsing and netbios shares won't work and that we will 
  have to reboot all the workstation and serversfor the entire district 
  which would cause me probably to be fired
   
  any thoughts would be 
  appreciated.
   
  john.
   
   
   

[ActiveDir] Moving NT4.0 Dns to Win2k3 DNS

[John Strongosky]

Title: Message



I've currently been 
tasked with moving our nt4.0 dns to win2k3 and I think I have an 
understanding how I want to do but I'm not sure,  so i thought I would run 
it by the this group and see if my logic will pass muster.
 
1. we have 2 nt4.0 sp6a 
dns servers called ntdns1 and ntdns2, plus 5 other win2k dns servers as 
secondary dns servers on other campus's.
2. ntdns1 is our 
forwarder and the primary dns server for 70+ domains and its also running 
dhcp for about 30 scopes and wins.
3. ntdns2 is our 
secondary for these zones and also has wins on it.
4. wins servers are 
not in a push/pull scenario. They act on there own.
 
How I was thinking about 
migrating these dns servers is to do ntdns2 first.
 
1. after I 
 load win2k3 on let's say  "ntdns3", then  load dns and then 
 add the zone files as a secondary zones and reverse lookup zones and let 
them propagate, then add wins and do a scavenge.
2. turn off ntdns2 and 
then change the ip address of "ntdns3" to the ip address of 
ntdns2.
 
Then do ntdns1 in the 
same way but with another server and after the zones and wins have been done, 
change the ip to the same on that ntdns1 was, change the zones from secondary to 
primary and add it as the forwarder
 
 
The thing that I'm 
worried about is browsing and netbios shares won't work and that we will 
have to reboot all the workstation and serversfor the entire district which 
would cause me probably to be fired
 
any thoughts would be 
appreciated.
 
john.
 
 
 

RE: [ActiveDir] What Services/Server's can be combined with Active Directory.

[John Strongosky]

Glenn, thank you.

   ___
   \\  - -  //
([EMAIL PROTECTED]@--)
+-oOOo-(_)-oOOo--+
|\\_|_// 
|
|John M. Strongosky,
|San Diego Community College
|District Email Administrator
|Phone: 619.388.6725
|"8bits down a wire, spoken words fly away, 
|while written word's stay on"
   
+--Oooo--+
  oooO (   )
 (   )  ) /
  \ (  (_/
   \_)
Remember 9/11, In an Atom Bomb, Chemical, and Biological Detonation
we are all Downwinder's...


-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 22, 2003 2:34 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] What Services/Server's can be combined with
Active Directory.


John,

The reason why you havent really been able to find a source, is that the
answer is "it depends".

Depending on the size of your sites, the amount of data, number of clients,
other applications using DC services etc, you can really have a single
server that does DC, GC, DNS, WINS, DHCP, FP.  I really wouldn't worry about
putting DHCP on a server by itself, the load is so small. Out of all of the
infrastructure services, DCHP is probably the smallest load.  Client
machines get a dhcp address when they start, and IIRC there are two requests
during the lifetime of the IP address (one halfway though, and one at the
end of the lease).  So for a 2 week lease timeout, you have essentially 3
requests to a DHCP server which is nothing to really worry about.

I recently did some AD design work where small sites (up to about 30 uers)
had a single server (Dual PIII 2+Ghz) ran all the functions listed
previously, plus Exchange with no real trouble.  For larger sites, my
suggestion would be one "infrastructure server" (DC, GC, WINS, DHCP, DNS),
and "application server(s)" (File Print, Exchange etc).

As long as you design your AD site topology correctly (so that replication
is optimised, and GC placement is relevant for your clients), AD can pretty
much co-exist with most things, its a question of network bandwidth and load
on the server.  Other Databases (like Exchange, SQL, Oracle) are really the
main applications you need to be careful with when putting on the same
server as AD, because they can cramp each others style (Exchange and SQL on
the same box for example is very touchy).

If you are thinking or layering other applications onto an AD DC, just have
a read of the requirements.  In a lot of cases MS "force" you down a
particular path. For example, SUS (System Update Services), and MOM
(Microsoft Ops Manager) wont run on DC's, so you are forced to put in an
additional server to run these.

so, as for your original question *grin*, I would have one server that does
the "infrastructure" stuff, and another server for FP.

Glenn


- Original Message -
From: "John Strongosky" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, March 22, 2003 11:27 AM
Subject: [ActiveDir] What Services/Server's can be combined with Active
Directory.


> In our planning group we are having a discussion on what server's/services
> do we need to combine or can combine for our AD deployment. I have looked
> thru allot of Technote's there is not one definitive answer. Can anyone
> point me to a source or answer this for me.
>
> We are thinking of combing: DC,dns and gc's on a server, file and print
and
> dhcp on another in our sites or DC, dns, gc on a server, file and print on
a
> server and dhcp by itself.
>
>
> john
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] What Services/Server's can be combined with Active Directory.

[John Strongosky]

In our planning group we are having a discussion on what server's/services
do we need to combine or can combine for our AD deployment. I have looked
thru allot of Technote's there is not one definitive answer. Can anyone
point me to a source or answer this for me.

We are thinking of combing: DC,dns and gc's on a server, file and print and
dhcp on another in our sites or DC, dns, gc on a server, file and print on a
server and dhcp by itself.


john

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/