RE: [ActiveDir] E2k3 before upgrading to W2k3

2003-11-11 Thread W2K List



There are features of Exchange 2003 that are not available 
unless you are running W2K3.  For example the ability to use snapshot 
backups.
 
Dennis


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Tuesday, November 11, 2003 10:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] E2k3 before upgrading to W2k3


I heard that it is a best practice to move to Exchange 2003 before moving
to Windows Server 2003 AD…  Anyone know what the reasoning is behind this?

Joe Pelle
Systems Analyst
Information Technology
Valassis / IT
19975 Victor Parkway
Livonia, MI 48152
Tel 734.591.7324
Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/
 
 


RE: [ActiveDir] Group Policy for static and mobile users

2003-11-28 Thread W2K List
One possibility is to enable loopback processing on the laptop.  With
Loopback processing you can have a user setting tied to a machine
account instead of a user account.

Denny

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Friday, November 28, 2003 9:02 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Group Policy for static and mobile users

Please can anyone confirm or deny that the following scenario is
possible:

A user has both a desktop and a laptop.

GPO settings define proxy settings used by IE. They also prevent the
user from changing proxy settings in IE (the connection tab is hidden).

When the user logs on to the desktop there is a single network access
point (the NIC) and they receive proxy settings which are accessible via
this NIC.

When the user logs on to the laptop (connected via NIC to the corporate
LAN) the GPO settings are also valid. And they can happily surf away.

HOWEVER, when working remotely and they want access to the internet, the
local security prevents them from changing Proxy settings and when
starting the dial up connection the settings are not valid. Cannot change
these settings as they are prevented from accessing the required tab.

So is it possible to set up a GPO/OU structure that would allow a user
to have settings follow them depending on the machine they log on to,
desktop or laptop?

The problem seems to be that proxy settings are user based and not
machine based.

So any ideas? Is it possible to have policy applied to a user at logon
dependent on the machine they are logging on to?

Many thanks

Mark
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Delegation of control for WINS

2003-12-03 Thread W2K List
To manage a WINS server, the user has to be a local administrator on the
WINS box.  As long as your WINS servers are not domain controllers, this
is not a problem.  If your domain controllers are performing double duty
as WINS servers well

You might consider standing up one member server as a WINS server.  Any
local admins on this machine will be able to manage WINS from this
server.

Dennis

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gregoire Maux
Posted At: Wednesday, December 03, 2003 7:57 AM
Posted To: W2K List
Conversation: [ActiveDir] Delegation of control for WINS
Subject: [ActiveDir] Delegation of control for WINS

Dennis and members,

- I saw in ActiveDir archives that you asked (see below mail) if it is
possible to have account dedicated to do WINS administration. At that
time, you did not receive any clear answer on that.
- Could you please tell what you did in fact? What access rights did you
give to people in charge of WINS service?

- One more question, I am wondering if you still have many WINS Server in
your architecture or if you reduce its number as some other
administrators strongly suggest you to do?

- Many thanks in advance for your help.

> > > > > -Original Message-
> > > > > From: Dennis Meyer [mailto:[EMAIL PROTECTED]
> > > > > Sent: Friday, October 11, 2002 12:43 PM
> > > > > To: '[EMAIL PROTECTED]'
> > > > > Subject: [ActiveDir] WINS administration
> > > > >
> > > > >
> > > > > Anyone:
> > > > > We would like to control who has the ability to make
> > > > > modifications to WINS, like adding static entries, tombstoning
> > > > > bad records, etc.  We have deployed Active Directory DC's to
> > > > > several nationwide offices and want to be able to delegate this
> > > > > control to local administrators without making them a domain
> > > > > admin.  There is a built in group called DNS Admins that allows
> > > > > this kind of functionality and you can set permissions on DNS
> > > > > zones so that only certain accounts can add/delete zone
> > > > > entries...etc. but there is no corresponding WINS admin group.
> > > > > Does anyone know of a way to accomplish this kind of delegation
> > > > > of control for WINS?
> > > > >
> > > > > Thanks for any help you can provide,

Thanks & Regards


Gregoire MAUX
Network & Security Consultant

Schlumberger Network Solutions
Mail:   [EMAIL PROTECTED]
Phone:  + 33 (0)1 46 00 47 80
Fax:+ 33 (0)1 46 00 44 83





RE: [ActiveDir]

2003-12-04 Thread W2K List
You can also use a startup script to add the user to the local admins
group.  Assuming you are running W2k or better.
 
Denny


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruce Clingaman
Sent: Thursday, December 04, 2003 11:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]


You could add him to the local administrators group using the
computer management tool | connect to another computer. The addusers.exe
can add users to local groups using the cmd or batch file.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jerry Johnson
Sent: Thursday, December 04, 2003 9:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 



I guess it is kinda funny now that I think about it.

I would not mind if the domain user in question was a
member of all the clients local admin group but I do not know of a way
to accomplish this without visiting each desktop.

 

Jerry

 

Scicom Data Services

Minnetonka,Mn

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, December 04, 2003 9:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 

 

I hope that last comment was a joke...as I wouldn't want
a "user" to have domain admin rights. If you find a good solution for
this, I would be surprised, as I have looked for a better solution than
just adding the user's domain account to the local admin group and can't
find anything. I have been living with all "domain users" being members
of their local machine admin group, and just hoping that they don't
change the local admin user password. If all you are worried about is
keeping the admin password so that you can get into the machine if you
need...don't worry, there are always local machine administrator reset
programs.

 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jerry Johnson
Sent: Thursday, December 04, 2003 9:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 

Hi

I have a user that needs to be able to install
software on 2k and xp clients by visiting each desktop.

All of our clients are setup with the same local
admin password and do not want him to know that password.

Is this possible?

He is currently just a domain user.

Thank you

Jerry

 

Scicom Data Services

Minnetonka,Mn

 

 



RE: [ActiveDir] [OT] Win2k List recommendation

2003-12-05 Thread W2K List
sunbelt-software runs a list.  You can find it at 

http://www.sunbelt-software.com/community.cfm

 

Dennis


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Friday, December 05, 2003 5:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [OT] Win2k List recommendation


Can anyone recommend a decent Windows 2000/XP list ? I'm after
something to help with general windows problems, and networking issues
outside of AD.
 
Any ideas ?



RE: [ActiveDir] Virus software on DC

2003-12-10 Thread W2K List
No!  I am more concerned about scanning the directory database than a
slow down of the server.  Since only admins should be accessing the
server and should never use the DC as a file point, I don't consider
them to be particularly vulnerable.
 
Denny


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, December 10, 2003 11:17 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Virus software on DC


This may be a dumb question, but do you guys have virus scanning
software on your DCs? I have been confused if the virus scanner slows
the machine down or not. Thanks



RE: [ActiveDir] Delegation of control for WINS

2003-12-12 Thread W2K List
Rocky,

I run WINS on my DCs with no problem.  My reasoning was to eliminate two
machines from our infrastructure.  We have one site with 3 domain
controllers and about 4000 users.

Dennis 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, December 12, 2003 10:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delegation of control for WINS

This message is for Joe.
Dear Joe,

I was surprised to not see you mention, in this thread, anything about
whether or not you should run WINS on a DC.  Could you please just tell
me if you are doing it?  I am trying to troubleshoot why turning WINS on
on a FSMO in a small Forest (2 DCs, 3 member servers, 5 Users) takes the
DC offline.  It worked fine for two months, then I went home one Friday
night and came in Monday and it stopped working.

I hope the Chicken Shack Broasted Chicken was good.  I need you to keep
your strength up ;-D

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
www.jws.com





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Gregoire Maux
Sent: Thursday, December 04, 2003 8:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delegation of control for WINS


Dennis,

- If we are in the case that the WINS Server is also a DC, what could be
the solution?

Thanks & Regards


Gregoire MAUX
Network & Security Consultant

Schlumberger Network Solutions
Mail:   [EMAIL PROTECTED]
Phone:  + 33 (0)1 46 00 47 80
Fax:+ 33 (0)1 46 00 44 83




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of W2K List
Sent: Thursday, December 04, 2003 2:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delegation of control for WINS


To manage a WINS server, the user has to be a local administrator on the
WINS box.  As long as your WINS servers are not domain controllers, this
is not a problem.  If your domain controllers are performing double duty
as WINS servers well

You might consider standing up one member server as a WINS server.  Any
local admins on this machine will be able to manage WINS from this
server.

Dennis

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gregoire Maux
Posted At: Wednesday, December 03, 2003 7:57 AM
Posted To: W2K List
Conversation: [ActiveDir] Delegation of control for WINS
Subject: [ActiveDir] Delegation of control for WINS

Dennis and members,

- I saw in ActiveDir archives that you asked (see below mail) if it is
possible to have account dedicated to do WINS administration. At that
time, you did not receive any clear answer on that.
- Could you please tell what you did in fact? What access rights did you
give to people in charge of WINS service?

- One more question, I am wondering if you still have many WINS Server in
your architecture or if you reduce its number as some other
administrators strongly suggest you to do?

- Many thanks in advance for your help.

> > > > > -Original Message-
> > > > > From: Dennis Meyer [mailto:[EMAIL PROTECTED]
> > > > > Sent: Friday, October 11, 2002 12:43 PM
> > > > > To: '[EMAIL PROTECTED]'
> > > > > Subject: [ActiveDir] WINS administration
> > > > >
> > > > >
> > > > > Anyone:
> > > > > We would like to control who has the ability to make
> > > > > modifications to WINS, like adding static entries, tombstoning
> > > > > bad records, etc.  We have deployed Active Directory DC's to
> > > > > several nationwide offices and want to be able to delegate this
> > > > > control to local administrators without making them a domain
> > > > > admin.  There is a built in group called DNS Admins that allows
> > > > > this kind of functionality and you can set permissions on DNS
> > > > > zones so that only certain accounts can add/delete zone
> > > > > entries...etc. but there is no corresponding WINS admin group.
> > > > > Does anyone know of a way to accomplish this kind of delegation
> > > > > of control for WINS?
> > > > >
> > > > > Thanks for any help you can provide,

Thanks & Regards


Gregoire MAUX
Network & Security Consultant

Schlumberger Network Solutions
Mail:   [EMAIL PROTECTED]
Phone:  + 33 (0)1 46 00 47 80
Fax:+ 33 (0)1 46 00 44 83




RE: [ActiveDir] After upgrading to Windows 2003

2003-12-22 Thread W2K List
NLB is loaded by default in Windows 2003. 

Have you ensured NLB is not checked under network properties?

Dennis 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, December 22, 2003 9:54 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] After upgrading to Windows 2003

You didn't say why you have NLB loaded.  What's its purpose?

-Original Message-
From: Irwan Hadi [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 22, 2003 2:38 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] After upgrading to Windows 2003

I just upgraded my active directory infrastructure from Windows 2000 to
Windows 2003. For a background, we have two servers working as domain
controller and file server, and one server working as Exchange Server
2000 for about 70 users.

The upgrade from Windows 2000 to Windows 2003 went pretty smoothly, and
here is how I did that. First, I moved all FSMO roles from the first
server to the second server, moved all the data from the first server to
the second server, demoted the first server, rebuilt it with Windows 2003
Standard edition so that I have clean install.
After that I promoted the first server, transferred the FSMO roles that
the first one originally had, transferred back the data to the first
server, and recreated the shared drives.

Both of the domain controllers have the same specs, where basically both
of them have two network cards, one is Intel 100/S, and the other Intel
1000/XT. I needed to put both network cards on originally, because we
have two different subnets in the same network. By having the server
listen on the two subnets, besides getting better throughput, I can make
the local traffic stay within the local network, instead of going to the
router and coming back again.

After I upgraded the system to Windows 2003, I disabled the second
network card on the domain controller that handles the RID, PDC,
Infrastructure roles, because when they were running Windows 2000, I
always get warning on the event log which after I checked at Microsoft
site I found that Domain Controller that handles PDC should not be
multi-homed.

Moreover, I noticed after I promoted the servers back as domain
controller, every time I restart both servers, I got a popup message
saying that a service could not be started, and I should check the event
log. After I checked the event log, I noticed this popup is caused by the
following:
---
EventId: 7000
Source: Service Control Manager
The Network Load Balancing service failed to start due to the following
error: 
The service cannot be started, either because it is disabled or because
it
has no enabled devices associated with it. 

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
--

So I went to Microsoft site, and found the following:
http://support.microsoft.com/?kbid=268437
But the problem is the KB above only applies for Windows 2000 Advanced
server.
Furthermore, I also noticed that the registry key that this KB tells I
should delete also exists on my other Windows 2003 box that only has one
network card.

My question is have any of you ever got the same problem like I'm having
above, why it seems only after I promote the server as a domain
controller, I'm starting to have the popup above. Is there any way to fix
the popup above? I know that it is not harmful, but I just don't like the
DC to give popup like that every time I restart it.

Thanks


RE: [ActiveDir] How large are your security logs on your DC's?

2003-12-26 Thread W2K List
There are several commercial products out there that will do this.  Some
have an agent on the machine which sends the information to a central
database.  Others rely on the ability to read the log files remotely.
There are some syslog clients available that will send the logs to a
syslog server.  Some of these are free and some are for a small  charge.
Also there are some free utilities available that will dump the event
logs to a CSV file.  This file can then be used to upload the data into
a database.

Dennis 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, December 26, 2003 10:22 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] How large are your security logs on your DC's?


Central logging server?  How do you go about redirecting all your event
logs to a single server?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rick Reynolds
Sent: Friday, December 26, 2003 2:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How large are your security logs on your DC's?


I have managed very large environments for a few years now,
You need a central logging server to gather all the logs and
copy into a database, then write reports to flag the items
where you are at risk.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rimmerman, Russ
Sent: Thursday, December 25, 2003 6:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] How large are your security logs on your DC's?



I take it ya'll don't view your event logs remotely across the LAN
(especially not the WAN)?  We set all our logs to 8MB on DC's, member
servers, etc.  We have a default domain level policy setting it that way
for the domain.  I guess this isn't a good idea since we recently went
through an audit and they required us to turn on auditing?  Is there a
recommendation MS KB article anywhere to show to the team here?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Joe
Sent: Thursday, December 25, 2003 3:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How large are your security logs on your DC's?


We currently have our security logs set to 100MB. Depending on the
domain controller the logs can take anywhere from 12 hours to a couple of
weeks to "roll". Our data center servers tend to roll over every 20 hours
during normal every day operation but when we are getting pounded by
authenticating worms and such it goes to about every 12 hours.


Our auditing is

Account logon events    failure
Account management      success/failure
Logons                  failure
Object access           none
Policy changes          success/failure
Privilege use           Success/failure
Process tracking        none
System events           success/failure

   joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, December 24, 2003 10:25 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] How large are your security logs on your DC's?

We have auditing enabled on all our servers, with the Security log set
to 5MB on member servers.  We upped that number to 25MB on DC's because
the log was filling so fast, then again to 50MB, but it's still only
maintaining about 3-4 days worth of logs (we have it configured to prune
as needed).  We have plenty of disk space, but I know the more we track,
the harder it is to even open the log, especially remotely.  I'm curious
how others have their logs setup.

We need to be able to track when users have logged on or off and when
changes are made to policies and accounts.

The audit settings are (I'm doing this from memory; I'm not at work):

Account logon events    success/failure
Account management      success/failure
Logons                  success/failure
Object access           none
Policy changes          success/failure
Privilege use           failure
Process tracking        none
System events           success/failure
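
The approach Dennis and Rick describe in this thread (dump each server's event log to CSV, load the dumps into one central database, write reports that flag risk), sketched as an added example that is not code from any poster. The CSV column layout and the sample rows are constructed for illustration and are not the output format of a particular dump utility; the event IDs are the Windows 2000/2003 security event numbers.

```python
import csv
import io
import sqlite3

# Windows 2000/2003 security event IDs used by the reports below.
LOGON_FAILURE = 529  # logon failure: unknown user name or bad password
WATCHED_CHANGES = {
    517: "audit log cleared",
    612: "audit policy changed",
    624: "user account created",
    636: "member added to local group",
    644: "account locked out",
}

# Constructed sample: rows as they might arrive from several servers' dumps.
# The column names are an assumption made for this example.
SAMPLE_CSV = """\
date,time,computer,event_id,type,user
2003-12-26,08:01:12,DC1,529,Failure,jsmith
2003-12-26,08:01:15,DC1,529,Failure,jsmith
2003-12-26,08:01:19,DC2,529,Failure,JSmith
2003-12-26,08:01:25,DC1,644,Success,jsmith
2003-12-26,08:14:02,DC2,529,Failure,mbrown
2003-12-26,09:30:44,DC1,624,Success,admin1
2003-12-26,09:31:10,FS1,636,Success,admin1
2003-12-26,11:05:00,DC2,612,Success,admin2
2003-12-26,11:05:07,DC2,517,Success,admin2
2003-12-26,11:20:31,DC1,528,Success,mbrown
"""


def open_db():
    """Create the central store (in memory here; a file or server in practice)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (ts TEXT, computer TEXT, event_id INTEGER, "
        "type TEXT, user TEXT)"
    )
    return conn


def load_events(conn, csv_text):
    """Insert every row of one CSV dump and return the number of rows loaded."""
    rows = [
        # Account names are lower-cased so the same account groups together
        # even when servers log it with different capitalisation.
        (f"{r['date']} {r['time']}", r["computer"], int(r["event_id"]),
         r["type"], r["user"].lower())
        for r in csv.DictReader(io.StringIO(csv_text))
    ]
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def failed_logon_report(conn, threshold=3):
    """Accounts with at least `threshold` logon failures across all servers.

    Returns (user, failures, distinct_servers). Counting across servers is
    what a per-DC log cannot do: failures spread over several DCs only add
    up once the logs sit in one place.
    """
    return conn.execute(
        "SELECT user, COUNT(*) AS failures, COUNT(DISTINCT computer) "
        "FROM events WHERE event_id = ? GROUP BY user "
        "HAVING COUNT(*) >= ? ORDER BY failures DESC, user",
        (LOGON_FAILURE, threshold),
    ).fetchall()


def change_report(conn):
    """Account, policy and log-clearing events from every server, oldest first."""
    marks = ",".join("?" * len(WATCHED_CHANGES))
    cur = conn.execute(
        f"SELECT ts, computer, event_id, user FROM events "
        f"WHERE event_id IN ({marks}) ORDER BY ts",
        tuple(WATCHED_CHANGES),
    )
    return [(ts, comp, WATCHED_CHANGES[eid], user) for ts, comp, eid, user in cur]


if __name__ == "__main__":
    db = open_db()
    print(load_events(db, SAMPLE_CSV), "events loaded")
    for row in failed_logon_report(db):
        print("repeated logon failures:", row)
    for row in change_report(db):
        print("change:", row)
```
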


RE: [ActiveDir] GPO and the Outlook Dumpster

2004-01-14 Thread W2K List
Shift+Del will still send an item to the dumpster.  Shift+Del will bypass the deleted 
items folder.  Each folder has a dumpster, not just the deleted items.  If you use 
Shift+Del to delete an item, it will go into the dumpster where you deleted the item.  
To recover this item, you have to use the DumpsterAlwaysOn registry key.  This allows 
you to see the deleted items for any folder.  I have found this key to be very helpful 
when troubleshooting users who have "lost" their mail because they have POPed it off 
to another machine.
 
Denny


  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Wednesday, January 14, 2004 1:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster


your protection against this "CYA" type of deletion is backup. If you maintain 
a diligent backup of your Exchange Server, you can always do a restore to your offline 
server whenever you need to "prove" something. Disabling access to the "Recover 
Deleted Items" folder will not buy you much with a determined user who wants to cover 
his/her track. Shift-Del will not send deleted items to that folder, you know?
 

 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about 
Yesterday?  -anon

  _  

From: Oliver Marshall
Sent: Tue 1/13/2004 12:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster


Because while the Recover Deleted Items addin allows you...err...recover
deleted items a user can also delete things permanently. We have had
people 'covering their tracks' by deleting emails.

I don't want to disable the feature altogether as it's a useful IT
tool for managers etc, but not for users.

Olly 

-Original Message-
From: David, Andy [mailto:[EMAIL PROTECTED] 
Sent: 13 January 2004 19:15
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

I'm just wondering why you would want to implement such a thing. 
 

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 12:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

It strikes me that it might be part of the Office Administration
Templates, which can be distributed via GPOs, but aren't actually part
of the GPO settings.

http://www.microsoft.com/office/ork/2003/five/ch18/MntA04.htm

There are similar templates for Office XP and Office 2000 that might do
the trick.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Oliver Marshall [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 13, 2004 11:19 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] GPO and the Outlook Dumpster
> 
> 
> Does anyone know a GPO setting that will allow me to prevent users 
> from accessing the Recover Deleted Items addin in Outlook ? Someone on
> an exchange mailing list said that there is a GP setting to prevent 
> this addin being loaded.
> 
> Olly
> 


RE: [ActiveDir] A number of NT4.0 to AD upgrade questions

2003-06-19 Thread W2K List
You can have NT 4 servers and still switch to Native mode.  However, the
servers cannot be Domain Controllers.

Denny

> 
> -Original Message-
> From: Sullivan, Kevin [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, June 19, 2003 9:45 AM
> To: [EMAIL PROTECTED]
> 
> Correct about servers but clients are really irrelevant with regards to
> Native vs. Mixed mode.
> 
> -Original Message-
> From: rick reynolds [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, June 19, 2003 9:29 AM
> To: [EMAIL PROTECTED]
> 
> You need to run in mixed mode until the last nt4 server or client leaves
> the network,
> also, if you run mixed mode, you can still roll-back,
> 
> - Original Message - 
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, June 19, 2003 4:21 AM
> Subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions
> 
> 
> > I have completed a rollback with Windows 2000 AD back to NT4 and had
> > no problems with the W2K clients authenticating back to NT4.  Maybe
> > this was just look and something to do with the reasonings behind the
> > rollback but thought it was worth a mention.
> >
> > J
> >
> > >  from:Ken Cornetet <[EMAIL PROTECTED]>
> > >  date:Wed, 18 Jun 2003 21:42:27
> > >  to:  [EMAIL PROTECTED]
> > >  subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions
> > >
> > > Comments inline
> > >
> > > -Original Message-
> > > From: Mike Baudino [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, June 18, 2003 2:47 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] A number of NT4.0 to AD upgrade questions
> > >
> > >
> > >
> > >
> > >
> > >
> > > All,
> > >
> > > I'm not convinced, after reading the Microsoft documentation, that
> > > we've all got our answers nailed down on an in-place upgrade.  So,
> > > I'd like to submit these questions to you to get the "real world"
> > > answer.
> > >
> > > Since we lack sufficient budget to perform a proper migration we'll
> > > need to do in-place upgrades to our domains and then consolidate
> > > some of the rogue domains into our structure (as well as cleaning
> > > things up after upgrade). All domains will remain mixed mode until
> > > we're able to complete application testing.  One of our main drivers
> > > is the need to consolidate domains as well as eventually eliminate
> > > our dependence on the SAM.
> > >
> > >
> > > 1. One of my concerns is following the upgrade of the PDC it will
> > > be the only AD domain controller in the domain.  Our current DNS
> > > settings for servers and workstations are to our enterprise DNS
> > > servers, which are not AD-compatible.  We anticipate creating a new
> > > DNS structure for AD and then using forwarders to the other DNS
> > > servers for non-AD-related address resolution.  It's my expectation
> > > that NT4.0 clients w/o the AD client will not be impacted by this in
> > > any way.  Is this correct?
> > >
> > > That's OK. Just make your AD DNS a subdomain of your existing DNS
> > > domain. For example, if your main DNS domain is "acme.com" and your
> > > NT domain is "ACME", then create your AD forest as "acme.acme.com".
> > > Put nameserver records in your existing DNS zone that delegates
> > > acme.acme.com to the DNS server running on your DC. Have your AD DNS
> > > server forward to your existing DNS to resolve anything not in your
> > > AD DNS domain.
> > >
> > > The only thing that will break is windows 95, which doesn't do "DNS
> > > devolution" (trying acme.acme.com, then acme.com). I don't know if
> > > the AD client fixes this or not.
> > >
> > > 2. It's also my expectation that the Win2k clients will be impacted
> > > depending on their configuration.  For example, Win2k client that
> > > does not have the DNS domain for AD listed in the suffix for the
> > > client nor in the DNS search order would not realize that there was
> > > an AD domain controller in their midst and would continue to
> > > authenticate to the domain as they had prior to the upgrade.  And
> > > Win2k clients that have the DNS domain for AD in their suffix or
> > > search order would preferentially authenticate against the new AD DC
> > > to the extent that they would begin to ignore their local BDC. This
> > > is one area of significant concern as we don't want to overload any
> > > of the domain controllers.  I thought there was a client reg entry
> > > that would eliminate this.
> > >
> > > If you put the nameserver records in your existing DNS zone, your
> > > win2k/XP clients WILL switch to AD authentication. When you convert
> > > your NT4 domain ("ACME" in my examples) to AD (acme.acme.com), your
> > > 2k/xp workstations will change their primary DNS domain to your AD
> > > DNS domain (acme.acme.com) regardless of what's in the interface
> > > specific DNS. They will then use your existing DNS (acme.com) to
> > > find nameservers for the AD DNS. From the

RE: [ActiveDir] Settign password Expiration date

2003-08-14 Thread W2K List
Password policies can only be set at the domain level.
 
Dennis Depp


  _  

From: Erick Christian [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 13, 2003 1:17 PM
To: [EMAIL PROTECTED]


We are rolling our W2k network out, and have successfully migrated from
NT4.0. Previously we had set our user accounts' passwords to expire at
the end of the year. However, going through and enabling each individual
account is not an option, as of yet I have not found a way in AD to set
the PW expiration date for an entire group. If anyone could shed light
on this topic I would greatly appreciate it.
 

Erick Christian
Chesapeake Board of Education


 