RE: [ActiveDir] Change a password over PPTP Windows Domain

2006-10-26 Thread Williams, Robert

After they change their password but
before disconnecting from the PPTP VPN, ask them to lock and unlock their
computer using the new password. This should update the cached credentials
with the new password.



Let us know if it works; have a great day!



Robert Williams

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Mike Hogenauer
Sent: Thursday, October 26, 2006
12:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a
password over PPTP Windows Domain

Yes - sorry.



Our remote users use Windows XP Pro and
connect to the Corp network via PPTP once online. Yes, they can use
Ctrl+Alt+Del
to change password but since they are logged in to their laptops locally using
a cached account once they change their passwords they cannot get back into the
laptop.



I'm trying to find a way that users can
change their passwords over PPTP and not get locked out of their laptops.



Thanks!

Mike

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, October 26, 2006
10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a
password over PPTP Windows Domain



I'm very confused (haven't had a lot of
coffee today)...

Is the laptop a member of the domain? How
are you changing the password? What exactly isn't working? You should be able
to simply press CTRL + ALT + DEL
and change the password just as you would if you were connected to the network
via any other connection. Can you provide more information about what you mean
by cache problems and dialup option?

thanks,

Laura

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, October 26, 2006
1:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a
password over PPTP Windows Domain

Yes, only on Windows XP -



It looks like I need to edit the GINA.dll
and enable fast user switching but that doesn't sound right to me... 

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Onsomu
Sent: Thursday, October 26, 2006
9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a
password over PPTP Windows Domain

Only on Windows xp.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, October 26, 2006
9:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Change a
password over PPTP Windows Domain

All, 

Does anyone know a way I can change my Active Directory
password on a laptop remotely while connected to the domain via PPTP?

I keep running into cache problems with the local computer
and I've tried using the dialup option but it still won't work after I change
the password.

Any help is greatly appreciated

Thanks,

Mike 

2006-10-26, 14:42:08
The information contained in this e-mail message and any attachments may be privileged and confidential.  If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.

RE: [ActiveDir] Configuring SNMP via GPO

2006-09-26 Thread Williams, Robert


Jeff,



I didn't see a very easy way to do
what you're asking out of the box. You could check
out RegToADM which will take an exported reg file and make an ADM file for
you. It could help you with configuring your custom ADM file. I
tried it with some sample settings and it seems like it could work for
you. I'd probably change the ADM file it creates a bit to clean up
the format and make it more readable once you add it to the GPO. Of
course, test it thoroughly.



Remember you have to enable the GPO Editor
to see these keys as they are preferences rather than policies which also means
that once the server gets the settings, it won't automatically undo
itself if you remove the GPO.



http://yizhar.mvps.org/



Have a great day!

Robert Williams 
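Because these SNMP settings are pushed as preferences (they are not undone when the GPO is removed), it is worth auditing what actually landed on each server. The following script is an added example, not from the thread or from RegToADM; the community name and trap destinations are placeholders, and it reads the SNMP service's own registry layout (ValidCommunities, TrapConfiguration, PermittedManagers):

```powershell
# Added example: audit a server's SNMP service settings against what the GPO/ADM
# should have delivered. Placeholders: $Community and $ExpectedTrapDestinations.
param(
    [string]$Community = 'OurCustomCommunity',          # placeholder community name
    [string[]]$ExpectedTrapDestinations = @('10.0.0.5') # placeholder trap receivers
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
$findings = @()

# ValidCommunities: value name = community, DWORD data = rights
# (1 none, 2 notify, 4 read only, 8 read write, 16 read create)
$valid = Get-ItemProperty -Path "$base\ValidCommunities" -ErrorAction SilentlyContinue
$validNames = @($valid.PSObject.Properties.Name)
if ($validNames -contains 'public') {
    $findings += "'public' is still an accepted community"
}
if ($validNames -notcontains $Community) {
    $findings += "community '$Community' is not present in ValidCommunities"
}

# TrapConfiguration\<community>: values named "1","2",... each hold one trap destination host
$trapKey = "$base\TrapConfiguration\$Community"
if (Test-Path $trapKey) {
    $dests = @((Get-ItemProperty -Path $trapKey).PSObject.Properties |
               Where-Object { $_.Name -match '^\d+$' } |
               ForEach-Object { $_.Value })
    foreach ($d in $ExpectedTrapDestinations) {
        if ($dests -notcontains $d) { $findings += "trap destination $d missing for '$Community'" }
    }
    foreach ($d in $dests) {
        if ($ExpectedTrapDestinations -notcontains $d) { $findings += "unexpected trap destination $d for '$Community'" }
    }
} else {
    $findings += "no TrapConfiguration key for '$Community'"
}

# PermittedManagers: values named "1","2",... list hosts allowed to query the agent.
# An empty key corresponds to "Accept SNMP packets from any host" on the Security tab.
$mgrKey = "$base\PermittedManagers"
$mgrs = @()
if (Test-Path $mgrKey) {
    $mgrs = @((Get-ItemProperty -Path $mgrKey).PSObject.Properties |
              Where-Object { $_.Name -match '^\d+$' } |
              ForEach-Object { $_.Value })
}
if ($mgrs.Count -eq 0) {
    $findings += 'PermittedManagers is empty: SNMP packets are accepted from any host'
}

if ($findings.Count -eq 0) {
    "SNMP configuration on $env:COMPUTERNAME matches expectations"
} else {
    $findings
}
```

Run it on each server (or via Invoke-Command) after the GPO has applied; any line it prints is a setting that still differs from the intended baseline.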

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern, Jeffrey D Mr CTR
USSOCOM HQ
Sent: Tuesday, September 26, 2006
12:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Configuring
SNMP via GPO

I have been looking at a way to ensure
that SNMP is configured on all of our servers the same way. Looking at
the GPO's there is a shortfall.

We have a custom community name that we
set with the allowed managers that you can look at on the security tab of SNMP
service. 

We need a Custom Community name under
TRAPS tab of the SNMP service with the allowed destinations. The only
current GPO setting I can find just adds destinations for the
Public community which we are not allowed to use here. 

Anyone know of a custom ADM template that
would allow the creation/setup of Traps for a custom community?

Jeff

2006-09-26, 15:20:31

RE: [ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Williams, Robert


Maybe AdminSDHolder is biting you?



Here's an article that talks about
the Send-As specifically, but it's more than just that:

http://support.microsoft.com/kb/907434/



If the user in question is a member of any
of the following groups, then you could be seeing this:



The following list describes the protected groups in
Windows 2000:

- Enterprise Admins
- Schema Admins
- Domain Admins
- Administrators


The following list describes the protected groups in Windows Server 2003 and in
Windows 2000 after you apply the 327825 hotfix or you install Windows 2000
Service Pack 4:

- Administrators
- Account Operators
- Server Operators
- Print Operators
- Backup Operators
- Domain Admins
- Schema Admins
- Enterprise Admins
- Cert Publishers


Additionally, the following users are also considered
protected:

- Administrator
- Krbtgt


The above was taken from: http://support.microsoft.com/kb/817433/



Robert Williams 
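To confirm whether SDProp/AdminSDHolder is the thing removing the ACE, list the accounts it has stamped (adminCount=1), which protected group explains each one, and whether the BES account's Send-As ACE is still there. This script is an added example, not from the thread; it needs the ActiveDirectory module (RSAT) and $BesAccount is a placeholder for your BES service account:

```powershell
# Added example: report accounts protected by AdminSDHolder and check the Send-As ACE.
# Placeholder: $BesAccount (the identity that should hold Send-As on the mailbox owners).
param(
    [string]$BesAccount = 'CORP\besadmin'   # placeholder identity expected in the Send-As ACE
)
Import-Module ActiveDirectory

# Windows Server 2003 protected groups as listed in KB 817433 (quoted above). Membership in any
# of them makes SDProp reapply AdminSDHolder's ACL on every run (every 60 minutes by default).
$protectedGroups = @('Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
                     'Backup Operators', 'Domain Admins', 'Schema Admins', 'Enterprise Admins',
                     'Cert Publishers')

# Send-As is an extended right on the user object, identified by this well-known rights GUID
$sendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

function Get-ProtectedUserReport {
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, memberOf, nTSecurityDescriptor |
      ForEach-Object {
        $user = $_
        $acl  = $user.nTSecurityDescriptor

        # Any Allow ACE for the BES account that grants the Send-As extended right
        $sendAs = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ObjectType -eq $sendAsGuid -and
            $_.IdentityReference.Value -eq $BesAccount
        })

        # Direct memberships only: a nested membership also triggers SDProp but will not show here.
        # The DN's first RDN is taken as the group name (DNs with escaped commas are not handled).
        $why = @($user.memberOf |
                 ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' } |
                 Where-Object { $protectedGroups -contains $_ })

        [pscustomobject]@{
            User               = $user.SamAccountName
            InheritanceBlocked = $acl.AreAccessRulesProtected   # SDProp blocks inheritance on protected objects
            ProtectedGroups    = ($why -join ', ')
            BesSendAsPresent   = ($sendAs.Count -gt 0)
        }
      }
}

Get-ProtectedUserReport | Sort-Object User | Format-Table -AutoSize
```

A user showing InheritanceBlocked = True and BesSendAsPresent = False is the AdminSDHolder case: re-granting the ACE on the user will be undone again within the hour unless the ACE is added to the AdminSDHolder object itself or the user is taken out of the protected group.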
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Thursday, September 07, 2006
10:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD object
(User accounts) Permissions dissappearing

Environment: Windows Server 2003 R2 and 2000 mixed AD forest with
Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES
user. Out of the blue the user is unable to send from their BlackBerry.
Permissions are checked in ADUC, and the required SendAs permission granted to
the BES account have disappeared. This has happened to new and existing users. 

I do not know where to start. I am reviewing a dcdiag /e /v to see if there are
any potentially related problems.

Thanks,

...D

2006-09-07, 13:03:30

RE: [ActiveDir] Strange password issue

2006-09-06 Thread Williams, Robert


Tom,



This is just a stab in the dark but is it
possible that this user's password was set prior to the Default Domain
Policy being in effect?



Robert Williams

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06,
2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange
password issue

I'm having this weird issue where I have a user account who is
able to log in with a blank password.

The Default Domain Policy is set to a min password length of 6
characters.

The userAccountControl on the user is set to 512.

The Domain is at win2k3 DFL and FFL.

Is there any other way besides a migration tool like Quest that could
circumvent this policy and allow blank passwords?

Thanks

2006-09-06, 11:32:05

RE: [ActiveDir] Moms Alert Question.

2006-09-06 Thread Williams, Robert
John,

I'm not 100% sure if this is what you're seeing, but check out the
Active Directory Management Pack Guide located here:
http://www.microsoft.com/downloads/details.aspx?familyid=2B9D3613-5516-4F44-8550-B21E054F5047&displaylang=en

Around page 14, you'll see where you can set this value.  Please be sure
to read through the whole document as it contains lots of useful
information about configuring the ADMP.

Here's a snippet from the above:
SNIP
The maximum intersite replication latency threshold value is the maximum
amount of time it takes for a change to replicate across the entire
forest. By default, this value is set to 15 minutes. If it takes longer
than 15 minutes for replication to occur, you will receive a warning.
Consult your system architect to review what the expected maximum
threshold value is for your environment. Usually, this value is
monitored closely to ensure that any applicable SLAs for your
organization are being met. After you have determined an appropriate
value for your environment, modify the setting accordingly. The most
common scenario involves ensuring that basic help desk procedures, such
as resetting passwords, replicate from corporate headquarters to a
branch office within a reasonable amount of time as determined by the
SLA.
/SNIP

The document tells you where to change this value.

Another good read for the ADMP is the Active Directory Management Pack
Technical Reference:
http://www.microsoft.com/downloads/details.aspx?familyid=2F0237D8-FDA1-4925-87D6-7D609E5D0807&displaylang=en

I hope that helps...the thing with the Management Packs is to read the
guides (a few times).

Have a great day!

Robert Williams


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: Wednesday, September 06, 2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Moms Alert Question.


Hey everyone, below is a MOM's Alert I'm getting, and I'm new to Active
Directory and MOM's and for the life of me can't find where this
(Intersite, expected replication time is 15 minutes) is set. I have looked at the
replmon program and can't see it. I know I'm looking at some trees when I
should be looking at the forest, but I really need a second pair of eyes
here...could anyone direct me where to look for the intersite replication
parameter.

v/r
john



Description:
The following DCs took more than three times the expected replication time
to replicate.

Format: DC, Naming Context, Calculated Replication Time (in minutes)

Site name: City-CenterCity
(Intersite, expected replication time is 15 minutes)
CIUTIL01A, Domain:SDCCD, 55

Site name: DistrictOffice
(Intersite, expected replication time is 15 minutes)
DOUTIL01A, Domain:SDCCD, 55

Name: AD Replication is occurring slowly
Severity: Warning
Resolution State: New
Domain: SDCCD
Computer: CDUTIL01A
Time of First Event: 9/1/2006 3:01:00 PM
Time of Last Event: 9/1/2006 5:01:00 PM
Alert latency: -7 min, -26 sec
Problem State: Active
Repeat Count: 2
Age:
Source: AD Replication Monitoring
Alert Id: 4d23ee51-3b8e-4360-b0b4-6ca850d6f49f
Rule (enabled): Microsoft Windows Active Directory\Active Directory Windows 2000 and Windows Server 2003\Active Directory Availability\AD Replication is occurring slowly

John M. Strongosky
Network Support Group, Messaging Administrator,
San Diego Community College District
SunGard Higher Education Managed Services
9315 Hillery Drive,
San Diego California 92126
Tel 619-388-1129
Fax 619-388-1195
Help Desk 619-388-7000
[EMAIL PROTECTED]

CONFIDENTIALITY: This email (including any attachments) may contain
confidential, proprietary and privileged information, and unauthorized
disclosure or use is prohibited. If you received this email in error,
please
notify the sender and delete this email from your system. Thank you. 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

2006-09-06, 12:31:21


RE: [ActiveDir] Secure LDAP queries from the outside

2006-08-22 Thread Williams, Robert

Hey Mike,



When you say "It works fine behind
our firewall", are you meaning that the *exact same* command line works and you get the object
returned?



I tried using adfind to connect to my test
DC using port 636 and got the exact same error...but I don't have a
cert installed on my DC so I'd expect mine not to work.



Robert Williams 

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006
6:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure LDAP
queries from the outside

Hi,

 We are trying to set up secure LDAP queries
from the outside to AD for pulling email addresses but are running into an
issue. Port 636 has been opened up to our DCs but we get a 0x51 error
like the one shown below in this example of using adfind:



adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up *
-default -nodn -f sn=thommes extensionAttribute2



AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February
2005



LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down

Terminating program.



(extensionAttribute2 is used for email address)



Portqry shows that the DC is listening on port 636.
Using ldp, the bind operation seems to want to default to
port 389 (which is not open).



It works fine behind our firewall. Is there some other
port that needs to be open (besides 389)? Or maybe some security feature
(we are running w2k3/sp1 on our DCs) that is getting in the way? Any help
is appreciated!



TIA,

Mike Thommes

2006-08-22, 10:35:32

RE: [ActiveDir] Secure LDAP queries from the outside

2006-08-22 Thread Williams, Robert

Mike,



I've been thinking of this answer
for a bit but had to research more to get the info I needed. I wish my
knowledge of Certificates was better, but it would seem there is a way to have
the client log something somewhere saying it can't get to the CRL...maybe
one of the smart folks will speak up :)



If your external client can't get to
the CRL, you could possibly bring the CRL to the external client...Maybe
you could publish the CRL to an alternate location which the client can get to?



If that's not possible which makes
sense, maybe you can set up your CA to publish the CRL to another location and
then take that CRL and copy it to the location on the client where the CRL is cached.
This is the information I've been hunting for the past 20 minutes or so...I
think you can read about it here:



http://www.microsoft.com/technet/prodtechnol/winxppro/support/tshtcrl.mspx



SNIP

Certificates are cached when CryptoAPI
retrieves them from a certificate store or a URL. The cache location varies
depending on the source where a certificate or a CRL was retrieved. A
certificate or a CRL can exist in one or several of the following locations.

- Memory: All valid certificates and CRLs that have been touched by the
chain-building engine since the last reboot are cached in memory.

- Certificate Store: All certificates that are not treated as root CA
certificates and that have been retrieved from an HTTP, LDAP or FILE URL
reference via the AIA certificate extension are cached in the certificate store
if the certificates are found to be part of a valid chain by the CryptoAPI. Root
CA certificates are not automatically cached and must be added explicitly by the
interactive user to the corresponding certificate store.

- Local File System: When a certificate or CRL is retrieved via LDAP or HTTP by
a Windows 2000 client with MS04-11, Windows XP SP2 client, or Windows Server
2003 client, it is cached by CAPI in the Application Data folder. The per-user
cache location is C:\Documents and Settings\{user name}\Application
Data\Microsoft\CryptnetUrlCache and the per-machine cache location is
%WINDIR%\System32\config\SystemProfile\Application Data\Microsoft\CryptnetUrlCache.

Windows 2000 with MS04-11, Windows XP, and Windows Server 2003 handle caching
for HTTP, LDAP, or FILE URL references exclusively with CAPI. Earlier versions
of CryptoAPI used WinInet instead of CAPI for this purpose.

Note: On computers where the Windows Server 2003 version of certutil is
available, cached CRLs can be listed by typing "Certutil -urlcache CRL" at a
command-line prompt. This command is also available on Windows XP computers that
have the Windows Server 2003 Administration Pack installed.

/SNIP



The following link may help too. It
talks about an offline CA...which for all apparent purposes, from the
perspective of your client, the CA would seem to be offline:



http://technet2.microsoft.com/WindowsServer/en/library/45c28bf8-9952-4ca1-b124-7d86afb83f691033.mspx?mfr=true



Thanks for the question...I like the learning!

Have a great day!

Robert Williams 
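An LDAP bind failure of 0x51 "Server Down" on port 636 hides the real reason, which is usually that the client rejected the DC's certificate chain. The script below is an added example (not from the thread) that opens a TLS session to the LDAPS port from the client's side and reports the chain status, including whether the CRL in the certificate's CRL Distribution Point could be fetched; the DC name is a placeholder and the client must be able to reach TCP 636:

```powershell
# Added example: show *why* an LDAPS handshake fails from this client, e.g. an unreachable CRL.
# Placeholder: $DcHost (taken from the adfind example in the thread; replace with your DC).
param(
    [string]$DcHost = 'dc1.abc.com',
    [int]$Port = 636
)

$tcp = New-Object System.Net.Sockets.TcpClient
$tcp.Connect($DcHost, $Port)

# Accept whatever the server presents during the handshake; the chain is validated explicitly
# below so the failure reason is visible instead of a bare LDAP_BIND 0x51.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)

try {
    $ssl.AuthenticateAsClient($DcHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Subject : $($cert.Subject)"
    "Issuer  : $($cert.Issuer)"
    "Valid   : $($cert.NotBefore) to $($cert.NotAfter)"

    # CRL Distribution Points extension (OID 2.5.29.31): the URL(s) this client must be able to reach
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) { "CRL distribution points:`n" + $cdp.Format($true) }

    # Build the chain the way an LDAPS client does, with revocation checked over the network
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    if ($chain.Build($cert)) {
        'Chain builds and revocation status was verified from this client.'
    } else {
        # RevocationStatusUnknown / OfflineRevocation here means the CRL could not be fetched,
        # which is the internal-only CRL location Mike suspects.
        foreach ($s in $chain.ChainStatus) {
            "Chain problem: $($s.Status) - $($s.StatusInformation.Trim())"
        }
    }
}
finally {
    $ssl.Dispose()
    $tcp.Close()
}
```

Run it from a host outside the firewall; a chain that builds internally but reports RevocationStatusUnknown or OfflineRevocation externally confirms the CRL-reachability theory before any CRL publishing changes are made.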

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006
9:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure
LDAP queries from the outside

Hi Robert,

 Yes, the command is *exactly* the same. We are thinking
that our CRL location is not available outside of the firewall. We
generate our own certificates; we don't use a well known
provider.



Mike Thommes

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams,
 Robert
Sent: Tuesday, August 22, 2006
9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure
LDAP queries from the outside

Hey Mike,



When you say "It works fine behind
our firewall", are you meaning that the *exact same* command line works and you get the object
returned?



I tried using adfind to connect to my test
DC using port 636 and got the exact same error...but I don't have a
cert installed on my DC so I'd expect mine not to work.



Robert
Williams 

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
 Michael M.
Sent: Tuesday, August 22, 2006
6:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure LDAP
queries from the outside

Hi,

 We are trying to set up secure LDAP queries
from the outside to AD for pulling email addresses but are running into an
issue. Port 636 has been opened up to our DCs but we get a 0x51 error
like the one shown below in this example of using adfind:



adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up *
-default -nodn -f sn=thommes extensionAttribute2



AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February
2005



LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down

Terminating program.



(extensionAttribute2 is used for email address)



Portqry shows that the DC is listening on port 636.
Using ldp, the bind operation seems to want to default to
port 389

RE: [ActiveDir]

2006-08-14 Thread Williams, Robert
Hey Graham,

This may not be what you're experiencing, but it could be worth it to
check to see how many members you have in the group(s) in question.  By
default, if the group has over 500 members in it, the user icons inside
the group will turn grey.  Check out this article for more information:
http://support.microsoft.com/kb/q281923/

Let us know if that turned out to be the cause.

Have a great day!

Robert Williams


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Monday, August 14, 2006 9:01 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] 

Dear all, am experiencing issues that I think attributable to the
concept of Active Directory phantoms

the symptom is that when we open certain global groups the membership
list comes out with grey icons

this is not all groups - affected ones being - Domain Users / Domain
Computers

must confess to not a full understanding of the issue here - but it seems
this relates in some way to GC lookup ??

I can for sure confirm that the GC port 3268 is open on the GC's

not sure why as the group / user members are in the same domain ?

after the understanding of what is going on here is, of course 'HOW DO
WE FIX' ??

technet seems to reference a concept of 'phantom clean up task' - a
process that runs on the server running 'INFRASTRUCTURE MASTER' fsmo role on a
scheduled basis to resolve the directory issue.

would seem not in this case ?

as a point to note, neither netdiag nor dcdiag are coming up with anything
conclusive in this respect.

help as always gladly received

GT




RE: [ActiveDir]

2006-08-14 Thread Williams, Robert
Hey Robert,

In the article you posted, the registry key is incorrect in the KB
content.  It lists the registry key as:
HKCU\Software\Policies\Microsoft\Windows\Directory

However, the correct registry key is:
HKCU\Software\Policies\Microsoft\Windows\Directory UI

I've sent a comment to my former employer to ask for them to fix the
article...next time, test it *before* you post!

Your Alter Ego,
Robert Williams

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Williams,
Robert
Sent: Monday, August 14, 2006 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 

Hey Graham,

This may not be what you're experiencing, but it could be worth it to
check to see how many members you have in the group(s) in question.  By
default, if the group has over 500 members in it, the user icons inside
the group will turn grey.  Check out this article for more information:
http://support.microsoft.com/kb/q281923/

Let us know if that turned out to be the cause.

Have a great day!

Robert Williams


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Monday, August 14, 2006 9:01 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] 

Dear all, am experiencing issues that I think attributable to the
concept of Active Directory phantoms

the symptom is that when we open certain global groups the membership
list comes out with grey icons

this is not all groups - affected ones being - Domain Users / Domain
Computers

must confess to not a full understanding of the issue here - but it seems
this relates in some way to GC lookup ??

I can for sure confirm that the GC port 3268 is open on the GC's

not sure why as the group / user members are in the same domain ?

after the understanding of what is going on here is, of course 'HOW DO
WE FIX' ??

technet seems to reference a concept of 'phantom clean up task' - a
process that runs on the server running 'INFRASTRUCTURE MASTER' fsmo role on a
scheduled basis to resolve the directory issue.

would seem not in this case ?

as a point to note, neither netdiag nor dcdiag are coming up with anything
conclusive in this respect.

help as always gladly received

GT




RE: [ActiveDir] 2003 domain 2000,

2006-08-04 Thread Williams, Robert

Hey Kevin, I dunno if you're already
aware of this or if it even applies in your environment...but if you have
more than one site then the new DC will automatically become the ISTG of the
site you put it into. Whenever a 2003 DC is added to a site, it will
assume ISTG ownership if there are no other 2003 DCs in that site.
Might not even matter for your situation, but the following is a really good
read anyway to understand all the cool replication stuff.



Here's a snippet from the following
URL:

http://technet2.microsoft.com/WindowsServer/en/library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx?mfr=true



SNIP

ISTG Role Ownership and Viability

The owner of the ISTG role is communicated through normal
Active Directory replication. Initially, the first domain controller in the
site is the ISTG role owner. It communicates its role ownership to other domain
controllers in the site by writing the distinguished name of its child NTDS
Settings object to the interSiteTopologyGenerator attribute of the NTDS Site
Settings object for the site. As a change to the configuration directory
partition, this value is replicated to all domain controllers in the forest. 

The ISTG role owner is selected automatically. The role
ownership does not change unless:

- The current ISTG role owner becomes unavailable.

- All domain controllers in the site are running
Windows 2000 and one of them is upgraded to Windows Server 2003.

If at least one domain controller in a site is running
Windows Server 2003, the ISTG role is assumed by a domain controller that is
running Windows Server 2003.
/SNIP

Have a great day!

Robert Williams 

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Friday, August 04, 2006 9:32
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003
domain  2000,

They will be able to coexist with no
problems, assuming you take all of the appropriate steps before you
upgrade. You will need to run adprep to prepare the forest and domain for
the 2003 schema. Run adprep /forestprep on the schema master, and adprep
/domainprep on the infrastructure master. If you haven't moved
these roles, they will be installed on the first domain controller that was put
into place.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
Sent: Friday, August 04, 2006 8:21
AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 domain
 2000,

We have 5 domain controllers all 2000, one forest, now we want to add
one more domain controller, and the server is 2003, if we add 2003 domain
controller is there going to be any issues with the 2000? compatibility issues,
replication issues, errors that will show? any thing I should be worried about
when the 2 domain controllers (2000 and 2003) coexist?

thank you

RE: [ActiveDir] 2003 domain 2000,

2006-08-04 Thread Williams, Robert

We didn't...I was just
mentioning that with regard to having 2000 DCs co-existing with 2003 DCs...I
didn't know that it would matter to you that much I replied to your
message instead of someone else's reply.

Have a great day!

Rob

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Friday, August 04, 2006
11:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003
domain  2000,

Sorry, how did we get to the
topology generator from adprep?

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams,
 Robert
Sent: Friday, August 04, 2006
11:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003
domain  2000,

Hey Kevin, I dunno if you're already
aware of this or if it even applies in your environment...but if you have
more than one site then the new DC will automatically become the ISTG of the
site you put it into. Whenever a 2003 DC is added to a site, it will
assume ISTG ownership if there are no other 2003 DCs in that site.
Might not even matter for your situation, but the following is a really good
read anyway to understand all the cool replication stuff.



Here's a snippet from the following
URL:

http://technet2.microsoft.com/WindowsServer/en/library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx?mfr=true



SNIP

ISTG Role Ownership and Viability

The owner of the ISTG role is communicated through normal
Active Directory replication. Initially, the first domain controller in the
site is the ISTG role owner. It communicates its role ownership to other domain
controllers in the site by writing the distinguished name of its child NTDS
Settings object to the interSiteTopologyGenerator attribute of the NTDS Site
Settings object for the site. As a change to the configuration directory
partition, this value is replicated to all domain controllers in the forest. 

The ISTG role owner is selected automatically. The role
ownership does not change unless:

- The current ISTG role owner becomes unavailable.

- All domain controllers in the site are running
Windows 2000 and one of them is upgraded to Windows Server 2003.

If at least one domain controller in a site is running
Windows Server 2003, the ISTG role is assumed by a domain controller that is
running Windows Server 2003.
/SNIP

Have a great day!

Robert Williams 

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
 Brunson
Sent: Friday, August 04, 2006 9:32
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003
domain  2000,

They will be able to coexist with no
problems, assuming you take all of the appropriate steps before you
upgrade. You will need to run adprep to prepare the forest and domain for
the 2003 schema. Run adprep /forestprep on the schema master, and adprep
/domainprep on the infrastructure master. If you haven't moved
these roles, they will be installed on the first domain controller that was put
into place.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
Sent: Friday, August 04, 2006 8:21
AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 domain
 2000,

We have 5 domain controllers all 2000, one forest, now we want to add
one more domain controller, and the server is 2003, if we add 2003 domain
controller is there going to be any issues with the 2000? compatibility issues,
replication issues, errors that will show? any thing I should be worried about
when the 2 domain controllers (2000 and 2003) coexist?

thank you