Re: New job: AD is a mess
Seems like you are putting too much emphasis on the NetBIOS name which is still supported in 2003 FFL/DFL. Upgrading your FFL won't get rid of the NetBIOS name, so any apps that still rely on this will still work. You will not need to do step # 2 Christopher Bodnar Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture and Engineering Services Tel 610-807-6459 3900 Burgess Place, Bethlehem, PA 18017 christopher_bod...@glic.com The Guardian Life Insurance Company of America www.guardianlife.com From: Tom Miller tmil...@sfgtrust.com To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com Date: 11/05/2012 11:21 AM Subject:New job: AD is a mess Hi Folks, I started a new job a week ago and I'm auditing the various systems for which I am responsible. Active Directory is a mess. It is still at Windows 2000 functional level. I need to address this before a planned migration to Exchange 2010. There are a few Windows 2000 domain controllers that I need to decommission, and my memory is foggy on Windows 2000. The name for the AD domain is like ABCdomain.com. The pre- Windows 2000 name is just ABC. Oddly, a number of systems seem to want to use ABC and not ABCdomain - these are 2003 servers and PCs mostly. Are there any tools anyone knows of that can tell me which systems refer to that. Since I'm new and the previous person left no documentation, I'm hunting alot now. All of the user IDs have the ABD domain name listed in the Account tab of their accounts, and the field is user logon name (Pre-Windows 2000). Here's the plan to at least remove the 2000 domain controllers (there are 2003/2008 DCs): 1. create new GPOs to address printer and drive mappings. Currently done via mix of batch and kixtart files. 2. Update the account information for users accounts from ABC to ABCdomain (necessary?? ). 3. Demote Windows 2000 domain controllers. 4. Change domain/functional levels to 2003 (minimum required for Exchange 2010). I'm sure I'm missing something. Comments/recommendations appreciated. Tom ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin - This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadminimage/jpeg
RE: New job: AD is a mess
Learn ADFIND and OLDCOMP.exe for AD cleanup. Also LDIFDE and CSVDE if you need to make bulk changes (like changing UPN from @ABD to ABCDomain.com and the like) From: Tom Miller [mailto:tmil...@sfgtrust.com] Sent: Monday, November 05, 2012 8:21 AM To: NT System Admin Issues Subject: New job: AD is a mess Hi Folks, I started a new job a week ago and I'm auditing the various systems for which I am responsible. Active Directory is a mess. It is still at Windows 2000 functional level. I need to address this before a planned migration to Exchange 2010. There are a few Windows 2000 domain controllers that I need to decommission, and my memory is foggy on Windows 2000. The name for the AD domain is like ABCdomain.com. The pre- Windows 2000 name is just ABC. Oddly, a number of systems seem to want to use ABC and not ABCdomain - these are 2003 servers and PCs mostly. Are there any tools anyone knows of that can tell me which systems refer to that. Since I'm new and the previous person left no documentation, I'm hunting alot now. All of the user IDs have the ABD domain name listed in the Account tab of their accounts, and the field is user logon name (Pre-Windows 2000). Here's the plan to at least remove the 2000 domain controllers (there are 2003/2008 DCs): 1. create new GPOs to address printer and drive mappings. Currently done via mix of batch and kixtart files. 2. Update the account information for users accounts from ABC to ABCdomain (necessary?? ). 3. Demote Windows 2000 domain controllers. 4. Change domain/functional levels to 2003 (minimum required for Exchange 2010). I'm sure I'm missing something. Comments/recommendations appreciated. Tom ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
RE: New job: AD is a mess
MBS Or you could do it in PowerShell... /MBS DAMIEN SOLODOW Systems Engineer 317.447.6033 (office) 317.447.6014 (fax) HARRISON COLLEGE From: David Lum [mailto:david@nwea.org] Sent: Monday, November 05, 2012 12:20 PM To: NT System Admin Issues Subject: RE: New job: AD is a mess Learn ADFIND and OLDCOMP.exe for AD cleanup. Also LDIFDE and CSVDE if you need to make bulk changes (like changing UPN from @ABD to ABCDomain.com and the like) From: Tom Miller [mailto:tmil...@sfgtrust.com] Sent: Monday, November 05, 2012 8:21 AM To: NT System Admin Issues Subject: New job: AD is a mess Hi Folks, I started a new job a week ago and I'm auditing the various systems for which I am responsible. Active Directory is a mess. It is still at Windows 2000 functional level. I need to address this before a planned migration to Exchange 2010. There are a few Windows 2000 domain controllers that I need to decommission, and my memory is foggy on Windows 2000. The name for the AD domain is like ABCdomain.com. The pre- Windows 2000 name is just ABC. Oddly, a number of systems seem to want to use ABC and not ABCdomain - these are 2003 servers and PCs mostly. Are there any tools anyone knows of that can tell me which systems refer to that. Since I'm new and the previous person left no documentation, I'm hunting alot now. All of the user IDs have the ABD domain name listed in the Account tab of their accounts, and the field is user logon name (Pre-Windows 2000). Here's the plan to at least remove the 2000 domain controllers (there are 2003/2008 DCs): 1. create new GPOs to address printer and drive mappings. Currently done via mix of batch and kixtart files. 2. Update the account information for users accounts from ABC to ABCdomain (necessary?? ). 3. Demote Windows 2000 domain controllers. 4. Change domain/functional levels to 2003 (minimum required for Exchange 2010). I'm sure I'm missing something. Comments/recommendations appreciated. Tom ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
Re: New job: AD is a mess
Might come in handy. AD Replication Status Tool http://blogs.technet.com/b/askds/archive/2012/08/23/ad-replication-status-tool-is-live.aspx On Mon, Nov 5, 2012 at 9:20 AM, David Lum david@nwea.org wrote: Learn ADFIND and OLDCOMP.exe for AD cleanup. Also LDIFDE and CSVDE if you need to make bulk changes (like changing UPN from @ABD to ABCDomain.com and the like) ** ** *From:* Tom Miller [mailto:tmil...@sfgtrust.com] *Sent:* Monday, November 05, 2012 8:21 AM *To:* NT System Admin Issues *Subject:* New job: AD is a mess ** ** Hi Folks, ** ** I started a new job a week ago and I'm auditing the various systems for which I am responsible. ** ** Active Directory is a mess. It is still at Windows 2000 functional level. I need to address this before a planned migration to Exchange 2010. There are a few Windows 2000 domain controllers that I need to decommission, and my memory is foggy on Windows 2000. ** ** The name for the AD domain is like ABCdomain.com. The pre- Windows 2000 name is just ABC. Oddly, a number of systems seem to want to use ABC and not ABCdomain - these are 2003 servers and PCs mostly. Are there any tools anyone knows of that can tell me which systems refer to that. Since I'm new and the previous person left no documentation, I'm hunting alot now. All of the user IDs have the ABD domain name listed in the Account tab of their accounts, and the field is user logon name (Pre-Windows 2000). ** ** Here's the plan to at least remove the 2000 domain controllers (there are 2003/2008 DCs): 1. create new GPOs to address printer and drive mappings. Currently done via mix of batch and kixtart files. 2. Update the account information for users accounts from ABC to ABCdomain (necessary?? ). 3. Demote Windows 2000 domain controllers. 4. Change domain/functional levels to 2003 (minimum required for Exchange 2010). ** ** I'm sure I'm missing something. Comments/recommendations appreciated. ** ** Tom ** ** ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
Re: New job: AD is a mess
There are still plenty of cases where it is normal/expected to enter the domain short name rather than the domain FQDN... would need to see a bit more detail to suggest whether what you're seeing is a problem or not. There is *probably* nothing mandatory to change on the user accounts in this regard. As a general rule you can use ABC\User or u...@abcdomain.com syntax but not ABCDomain naming by itself. The list of things to review on a neglected AD environment is a long one, including (but not limited to) such topics as: replication and site/subnet topology and health, SYSVOL/NTFRS health, security policies, AD permissions and privileged users, membership of built-in groups, trusts, actual GPO settings, Enterprise CA status, etc. The implementation of printer and drive mappings would be great to clean up with GPP, but definitely would not make it onto my list of high-priority fix the domain tasks. --Steve On Mon, Nov 5, 2012 at 11:20 AM, Tom Miller tmil...@sfgtrust.com wrote: Hi Folks, ** ** I started a new job a week ago and I'm auditing the various systems for which I am responsible. ** ** Active Directory is a mess. It is still at Windows 2000 functional level. I need to address this before a planned migration to Exchange 2010. There are a few Windows 2000 domain controllers that I need to decommission, and my memory is foggy on Windows 2000. ** ** The name for the AD domain is like ABCdomain.com. The pre- Windows 2000 name is just ABC. Oddly, a number of systems seem to want to use ABC and not ABCdomain - these are 2003 servers and PCs mostly. Are there any tools anyone knows of that can tell me which systems refer to that. Since I'm new and the previous person left no documentation, I'm hunting alot now. All of the user IDs have the ABD domain name listed in the Account tab of their accounts, and the field is user logon name (Pre-Windows 2000). ** ** Here's the plan to at least remove the 2000 domain controllers (there are 2003/2008 DCs): 1. create new GPOs to address printer and drive mappings. Currently done via mix of batch and kixtart files. 2. Update the account information for users accounts from ABC to ABCdomain (necessary?? ). 3. Demote Windows 2000 domain controllers. 4. Change domain/functional levels to 2003 (minimum required for Exchange 2010). ** ** I'm sure I'm missing something. Comments/recommendations appreciated. ** ** Tom ** ** ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
RE: New job: AD is a mess
+1 From: Damien Solodow [mailto:damien.solo...@harrison.edu] Sent: Monday, November 5, 2012 12:21 PM To: NT System Admin Issues Subject: RE: New job: AD is a mess MBS Or you could do it in PowerShell... /MBS DAMIEN SOLODOW Systems Engineer 317.447.6033 (office) 317.447.6014 (fax) HARRISON COLLEGE From: David Lum [mailto:david@nwea.org] Sent: Monday, November 05, 2012 12:20 PM To: NT System Admin Issues Subject: RE: New job: AD is a mess Learn ADFIND and OLDCOMP.exe for AD cleanup. Also LDIFDE and CSVDE if you need to make bulk changes (like changing UPN from @ABD to ABCDomain.com and the like) From: Tom Miller [mailto:tmil...@sfgtrust.com] Sent: Monday, November 05, 2012 8:21 AM To: NT System Admin Issues Subject: New job: AD is a mess Hi Folks, I started a new job a week ago and I'm auditing the various systems for which I am responsible. Active Directory is a mess. It is still at Windows 2000 functional level. I need to address this before a planned migration to Exchange 2010. There are a few Windows 2000 domain controllers that I need to decommission, and my memory is foggy on Windows 2000. The name for the AD domain is like ABCdomain.com. The pre- Windows 2000 name is just ABC. Oddly, a number of systems seem to want to use ABC and not ABCdomain - these are 2003 servers and PCs mostly. Are there any tools anyone knows of that can tell me which systems refer to that. Since I'm new and the previous person left no documentation, I'm hunting alot now. All of the user IDs have the ABD domain name listed in the Account tab of their accounts, and the field is user logon name (Pre-Windows 2000). Here's the plan to at least remove the 2000 domain controllers (there are 2003/2008 DCs): 1. create new GPOs to address printer and drive mappings. Currently done via mix of batch and kixtart files. 2. Update the account information for users accounts from ABC to ABCdomain (necessary?? ). 3. Demote Windows 2000 domain controllers. 4. Change domain/functional levels to 2003 (minimum required for Exchange 2010). I'm sure I'm missing something. Comments/recommendations appreciated. Tom ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin