RE: [ActiveDir] adminsdholder
You'll also need to re-enable inheritance on the affected account.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
Sent: Tuesday, January 16, 2007 6:37 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] adminsdholder

Dear all,

I think we are experiencing issues re not being able to reset permissions on an object that was previously a member of protected groups.

I have read that the issue is around the reset of the value of the 'admincount' attribute. As I learn, this gets set to 1 when it becomes a member of protected groups, but ju

I wanted to confirm that it is a 'supported' operation to merely reset this data to 0 to undo the effect of adminsdholder, or whether there are other changes that need to be considered?

G

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
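One way to audit the state this thread describes, as an added example that is not from any poster: it lists users that still carry adminCount=1 without belonging to a protected group, shows whether ACL inheritance is still disabled on them, and offers an opt-in repair that performs the two changes mentioned in the thread. The function names are hypothetical, and the script assumes the RSAT ActiveDirectory module and that protected groups are exactly the groups flagged adminCount=1.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module and rights to read (and, for the repair, write) the objects concerned.
Import-Module ActiveDirectory

function Get-StaleAdminCountUser {
    # Collect every account that is still a (nested) member of a protected group.
    # Assumption: protected groups are the groups carrying adminCount=1 and
    # none of those groups has a stale flag of its own.
    $protected = @{}
    foreach ($g in (Get-ADGroup -LDAPFilter '(adminCount=1)')) {
        Get-ADGroupMember -Identity $g -Recursive |
            ForEach-Object { $protected[$_.DistinguishedName] = $true }
    }

    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
        Where-Object {
            # krbtgt (RID 502) is protected in its own right, not through a group.
            -not $protected.ContainsKey($_.DistinguishedName) -and
            $_.SID.Value -notmatch '-502$'
        } |
        ForEach-Object {
            $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
            [pscustomobject]@{
                SamAccountName      = $_.SamAccountName
                DistinguishedName   = $_.DistinguishedName
                AdminCount          = $_.adminCount
                # True means the DACL is protected, i.e. inheritance is off.
                InheritanceDisabled = $acl.AreAccessRulesProtected
            }
        }
}

function Repair-StaleAdminCountUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]$DistinguishedName
    )
    process {
        $action = 'Reset adminCount to 0 and re-enable ACL inheritance'
        if (-not $PSCmdlet.ShouldProcess($DistinguishedName, $action)) { return }

        # Step 1: the attribute reset asked about in the original question.
        Set-ADUser -Identity $DistinguishedName -Replace @{ adminCount = 0 }

        # Step 2: the inheritance change from the reply.
        # SetAccessRuleProtection($false, ...) turns inheritance back on; the
        # explicit ACEs already on the object stay in place and should be
        # reviewed separately.
        $path = "AD:\" + $DistinguishedName
        $acl  = Get-Acl -Path $path
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }
}

# Report only. Nothing is changed by this call.
Get-StaleAdminCountUser | Format-Table -AutoSize

# Dry run of the repair; drop -WhatIf only after reviewing the report.
# Get-StaleAdminCountUser | Repair-StaleAdminCountUser -WhatIf
```

An account that is still in a protected group will have both settings put back the next time the AdminSDHolder propagation task runs, which is why the report filters those accounts out first.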
RE: [ActiveDir] Rights Required to Rename Computer Objects
That's what Microsoft recommends... from the whitepaper Best Practices for Delegating Active Directory Administration, Appendix A:

Rename a computer account
WP [Write Property] on the computer object to modify all attributes
NOTE: User performing operation must be a Local Administrator on the computer being renamed

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
Sent: Wednesday, July 19, 2006 7:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Rights Required to Rename Computer Objects

I posted about this a week or so ago and I didn't see a response, but can anyone tell me what specific rights are needed to allow someone to rename a computer attached to an AD domain? Read and Write all Properties works but that's a bit excessive I think.

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573
[ActiveDir] Site link costs
Sorry for the basic question...

Our company just upgraded our NT4 domains in-place as child W2K3 domains under an empty W2K3 forest root domain. 22 sites and their associated subnets were established, with one subsidiary leaving all their objects in the default first site because they feel their bandwidth will support it.

However, we're currently having heated discussions regarding AD and site topology. Some IT members are saying that there is no need to manually create site links or assign properties such as cost and replication interval. They say that if we don't do this, then AD does it automatically and it will do a better job than we would anyway. I thought that the KCC needed the site topology info to be provided (whether manually or programmatically) so that it could automatically create the connection objects (provided you're not manually creating them).

So who is confused here, me or them? This should be basic stuff, and I want to understand it correctly :-).

TIA,
Cathy
RE: [ActiveDir] Site link costs
Thanks, Rick.

Re: the subsidiary that left their objects in the Default-First-Site-Name site, that's been a whole other argument. They have several locations around the US and Canada and they're not currently that well connected. They claim as long as they have at least 64K they'll be okay. I think their tolerance for slow connections must be much better than ours... when we were first testing and had just a single default site for locations spread out globally (Corporate mandate at that point), we and another subsidiary quickly decided that it was worth a fight to get sites defined, even if it was just for our own locations.

Now the argument has moved on because our subsidiary went in and defined site links (and costs) connecting all our sites, and our replication performance hasn't given us any problems. A second subsidiary did define their sites/subnets but did not create site links, and they're seeing replication traffic being routed through a slow VPN link when there's a faster route available. They'd like to go back and create site links now but they no longer have rights to do so (we were quick and did it while we had rights for our PDC upgrade), so they're trying to justify the change at this point. Corporate claims it's unnecessary.

Within the next several months our network will be upgraded to full mesh, at least within the US (we don't have all the details yet). So perhaps some of this will be moot at that point, but things tend to happen slowly here so we'd like to have a good design for our current network situation.

It's undoubtedly apparent that there's some of the tail wagging the dog here... management needed to be able to say we were using active directory, so the initial upgrades were done before we had a complete design. Now we're going back to finish up designing and cleaning up after the fact. We're also having to rework all our processes to support a global IT environment. Up until now we had 6 separate IT groups that operated more or less autonomously except that Corporate controlled the WAN infrastructure. It's a slow painful process :-).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Thursday, July 21, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site link costs

Cathy,

My approach to sites, site link objects, and topology overall has been to look at the physical/logical layout of the network as it pertains to the Layer 2/Layer 3 communication. Remember what we're telling AD with Sites, Subnet objects, site links, etc.: "This is what the network looks like, or how I want you to THINK the network looks like."

So, when you create a site (a site is a collection of subnet objects that are local to each other) you are telling AD that this site and another site will communicate Inter-Site, while the subnets inside the site will be deemed Intra-site.

To that, I would question the subsidiary that left their objects in the Default-First-Site-Name site. Are they all local to all other objects in that site? Does it make sense from a local vs. remote perspective? I managed the AD of a company that used ATM practically to all of our ~50 remote sites. (Telecomm heavy company, we had lots of carrier agreements with b-width to spare.) I STILL treated remote sites not in the campus with the Data Center as a remote site. They might have appeared as well connected, but that could have changed at any time.

As to costing for site links, you can do that, but if there is only one site link from A to B, the cost isn't going to have much impact. There still is only one way to get there. Now, if you want redundancy for site links, you CAN add links from C to B, and cost that one higher than A to B.

You will also want to take into account site link bridging and determine if you want that on or off. (Site link bridging transitively connects one site through another site with a virtual link: the site link bridge.) Typically, I have turned off site link bridging to accomplish what I need to have done, not leaving those decisions up to the mechanisms that might not have a clear idea of what my topology was really like.

The key here is much more in the realm of Network considerations than OS. The KCC is still going to connect things, but not optimally until you set up a site topology that emulates efficiencies that you can only hope are in your network design.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of O'Brien, Cathy
Sent: Thursday, July 21, 2005 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site link costs

Sorry for the basic question...

Our company just upgraded our NT4 domains in-place as child W2K3 domains under an empty W2K3 forest root domain. 22 sites and their associated subnets were established, with one subsidiary leaving all their objects in the default first site because they feel their bandwidth
RE: [ActiveDir] Site link costs
Thanks to all of you who responded. I think part of my problem is with semantics. As Aric says, it's important to differentiate between sites, site links, and connection objects. People here at work are saying that AD will create its own site links, but actually, AD just uses the DefaultSiteLink to create connection objects if we don't explicitly create site links, right? AD doesn't actually create any new site link objects on its own? I certainly don't see any in our environment that we didn't explicitly create.

I guess what these others mean is just that we don't HAVE to create any site links. While I think our experience is showing that we probably should, they're correct that we don't absolutely have to. I just wanted to be sure though that I was understanding the concepts underneath correctly.

Homework for the weekend: read through the AD Replication Topology Technical Reference :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bernard, Aric
Sent: Thursday, July 21, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site link costs

While I know absolutely nothing about your environment aside from what you mention below, I would have to make an assumption that if your AD site topology were configured properly you could have accomplished what you want without deactivat[ing] the ability for AD to create its own links. Your approach is certainly not a best practice for most environments.

Furthermore, it is important to differentiate between sites, site links and connection objects. In every forest, sites and associated site links must be implemented manually/programmatically [1] as the KCC/ISTG only handles the creation of connection objects between DCs based on the site topology explicitly defined in the AD. If you were seeing connection objects being created automatically between servers that you disapproved of then an error existed in the site topology you defined. Keep in mind that your site topology consists of many things including sites, site links, site link bridges, costs, schedules, preferred bridgehead servers (optionally), and more.

[1] The exception to this is the DefaultFirstSite and DefaultSiteLink.

Regards,
Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carerros, Charles
Sent: Thursday, July 21, 2005 11:36 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Site link costs

Great question, we just had this at our place. We just finished deploying a W2K3 AD structure across the globule with each division using their own sub domain.

We are creating our site links manually. And by saying "We" I mean one of the five Enterprise admins across the globe. We have deactivated the ability for AD to create its own links so we don't have to worry about oddities. The reason for this is so we can control how often and WITH WHO each site replicates. Right now we have the site that hosts the first DC for each domain replicating back to sites with root domain controllers but all other domain sites only replicate with each other and their first DC. This means that if the link between our root domain controllers and that primary domain controller site was to go away we wouldn't have replication with them.

The links that were being created by AD weren't what we wanted. We had sites in Italy replicating with New Jersey and sites in Mexico replicating with Ireland. I think this had something to do with our routing tables, firewall placements and frame relay clouds that we are using across the globe.

So, I guess it all depends on your topology that you have.

Charlie

-----Original Message-----
From: O'Brien, Cathy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 21, 2005 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site link costs

Sorry for the basic question...

Our company just upgraded our NT4 domains in-place as child W2K3 domains under an empty W2K3 forest root domain. 22 sites and their associated subnets were established, with one subsidiary leaving all their objects in the default first site because they feel their bandwidth will support it.

However, we're currently having heated discussions regarding AD and site topology. Some IT members are saying that there is no need to manually create site links or assign properties such as cost and replication interval. They say that if we don't do this, then AD does it automatically and it will do a better job than we would anyway. I thought that the KCC needed the site topology info to be provided (whether manually or programmatically) so that it could automatically create the connection objects (provided you're not manually creating them).

So who is confused here, me or them? This should be basic stuff, and I want to understand it correctly :-).

TIA,
Cathy
RE: [ActiveDir] OT: Exchange 5.5 to 2003 Migration Plan
There's one supplied with the Exchange 2000 Resource Kit; I couldn't find an E2K3 version. There was also one supplied with a TechRepublic article by Rick Vanover but I don't know if you would still find it on their site. Contact me offline if you'd like me to send either or both to you.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carerros, Charles
Sent: Wednesday, April 06, 2005 7:02 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] OT: Exchange 5.5 to 2003 Migration Plan

I look through those and they are great information. My problem is that I need to turn that into a project document to give to my boss, review group and risk management. I was hoping someone else already did this so I could save some time in duplicating everything myself.

Thanks.

-----Original Message-----
From: Stelley, Douglas [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 06, 2005 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 5.5 to 2003 Migration Plan

I get a lot of nice info from msexchange.org. A quick search in there brought up this one...
http://msexchange.org/tutorials/Exchange-Migration-Wizard.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carerros, Charles
Sent: Wednesday, April 06, 2005 9:51 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] OT: Exchange 5.5 to 2003 Migration Plan

Group,

Off topic. My organization is about to start an Exchange migration and I was wondering if anyone knows where I can get a migration plan that I can use as a shell for planning this upgrade. I know I can download all of the whitepapers and instructions for different methods, but I was wondering if there is a place I can grab a project plan from so I can save some time in drafting one from scratch. I think I have seen about three different ways of going about this and I believe I'm going to take the path of using the ADC but I have not seen this written up in any form other than white papers or notes on message boards.

A bit of background, we will be conducting our migration in a parallel domain structure (we are just about done moving all of our other resources, machines and users out of our 5.5 domain). When we are done with this migration our 5.5 domain will go away.

Thanks.

Charlie
[ActiveDir] domain naming
Our organization is planning an in-place upgrade from NT4 to W2K3. Our current NT domain name is no longer applicable (due to a corporate name change), unwieldy, and just plain ugly, and so we'd like to select a different name during the upgrade realizing of course that our NetBIOS name would remain the same. We know that a domain rename is now a possibility, but from the stories we've heard we're not in a rush to go that route.

We're just wondering how much confusion may be caused for users by having our NetBIOS and our domain DNS name not match. Off the tops of our heads it seems like not much of an issue, particularly since although we'll be a child domain we're planning to use just the forest root suffix for our UPNs. Our current DNS suffix doesn't contain our NT domain name at all, so whatever gets placed there will be a change for users.

Does anyone have any issues to point out that we're not thinking of, or opinion in general on the pros and cons of having the domain DNS and NetBIOS names match?

TIA,
Cathy O'Brien
Cubic Transportation Systems
RE: [ActiveDir] Inbound mail NDR
Postini (at least in our case) allows us to select whether all recipients for our mail domain need to be registered with a Postini client account in order to have e-mail forwarded to our site. If you have checked this option in your Postini settings and haven't created Postini accounts for these new users then replies to these people will bounce.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 12, 2005 8:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Inbound mail NDR

Manjeet,

Have you called Postini? What did they say?

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Manjeet
Sent: Wed 1/12/2005 7:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Inbound mail NDR

Deji,

The newly created user has no problem in sending mail to internal accounts, and also can send mail to internet (yahoo). But if I reply the same message from the yahoo account I got the error.

Manjeet

[EMAIL PROTECTED] wrote:

Are these new accounts receiving emails internally? If you use an internal account to send a test email to the accounts, does it bounce? If it does, try doing message tracking and see which server is bouncing it. Then look on that server's event log and see if anything looks out of whack.

Since you indicated originally that the problem is with inbound mails, you need to call Postini. They are responsible for your inbound mails, as far as I can see.

Sincerely,
Dèjì Akómöláfé

From: [EMAIL PROTECTED] on behalf of Manjeet
Sent: Wed 1/12/2005 7:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Inbound mail NDR

Hi Deji,

Thanks for your prompt reply. More update on this is that problem is with all the newly created accounts. The other old accounts continue to work fine.

Manjeet

[EMAIL PROTECTED] wrote:

It looks like you are going through Postini. I think it's time to call their support.

Sincerely,
Dèjì Akómöláfé

From: [EMAIL PROTECTED] on behalf of Manjeet
Sent: Wed 1/12/2005 6:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Inbound mail NDR

We have an account and we can send internal email to this account, but inbound internet mail keeps getting bounced, with an NDR like this:

r=downsort=datepos=0view=ahead=b :
64.18.6.10 does not like recipient.
Remote host said: 550 No such user - psmtp
Giving up on 64.18.6.10.

Accounts are set up identically to our other user accounts. I've been through everything that looks relevant on Microsoft's support site. I don't think we have an SMTP issue because I can send the mail to my yahoo account and if I reply back I got the NDR. I have tried to add one more SMTP address but the problem is the same. I've tried removing the account and setting it up again - no luck.

Any idea?

Manjeet
RE: [ActiveDir] IPNATHLP Event ID 32004
Suggestion from eventid.net: Change the logon settings for the Windows Firewall/Internet Connection Sharing (ICS) service from Network Service to Local System.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 23, 2004 10:23 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] IPNATHLP Event ID 32004
Sensitivity: Private

Hi List.

I have the above error in the System Event Log but can't find any information what this means or how to resolve it. Has anyone had this Event ID 32004? It happens when I try to start the ICF Service.

The description of the event is: The Network Address Translator (NAT) was unable to load the kernel-mode translation module. The data is the error code. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp

I have Windows 2003 Server Enterprise Edition, Exchange Server 2003 and ISA Server 2004.

Could anyone help me? Thanks in advance.

Martin
RE: [ActiveDir] Definately OT for Collabrative Calendar
If you have someone who can modify some code you might want to look at Tom Howes' Enterprise Calendar sample application. There's a link to it at http://www.slipstick.com/calendar/scheduleall.htm under the Live Group Calendar Tools.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Cothern Jeff D. Team EITC
Sent: Monday, October 04, 2004 3:30 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Definately OT for Collabrative Calendar

I am trying to find some good software to ease some issues we are having. Currently we have a system in place that thru macros mainly I believe. A section leaders exchange calendar is updated with a meeting. That is then created on a Collaborative calendar that shows when that person will be unavailable etc. Basically we need to have one calendar that people can look at to see when all the important people are available or not without the important peoples secretaries having to open up multiple calendars to do it.

Does any one know of some software that does this and will work with exchange?

Sorry bout the OT. But you guys seem to know so much useful information I can find other places.

Jeff
RE: [ActiveDir] Password Complexity
picking thru cluttered brain

It seems like Roger Seielstad has given warnings about this issue. Roger?

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 30, 2003 3:32 AM
To: [EMAIL PROTECTED]

I've not heard of an issue like this. In fact I've seen situations where user accounts have been migrated along with weak passwords from Windows NT 4.0 domains to an AD domain with password complexity enabled. When the users subsequently change the password in the AD domain there is no issue.

It could be an over simplification, but I think this has to do with the password itself not being stored - just the hash. From the hash information the system is unable to determine whether old password meets the password complexity (or indeed other password policies) or not. Because of this there should never be a problem with the old password not meeting the new password policy requirements.

There were some fixes for certain password issues included in SP3, so it would be good to make sure you are not running SP2 or earlier.

Tony

Sent: Friday, 27 June 2003 19:32
To: [EMAIL PROTECTED]

In July we are going to enable password complexity. I know I've seen issues with this on the list but am unable to connect to the archives. I believe the issue was that if your old pw didn't meet the requirements then you were unable to change your pw. Is this correct and has anyone experienced this issue? I have also searched for a KB on this issue but don't seem to be able to find one. (If a KB is there it won't be the first time I couldn't find one...)

TIA

Paul Simpsen
Windows Server Administrator
Enterprise Systems, IT
University of Oklahoma HSC
405.271.2262 ext 50230
Fax: 405.271.2126