RE: [ActiveDir] Error message when attempting to modify the AD Schema

2003-06-10 Thread Jeffrey Dubyn
Went through the Q article and was already doing everything as prescribed - still couldn't get the schema updated. Turned out that in the test environment there was a child domain that was never DCPROMO'd out - the server was just rebuilt. Hence, the schema update was trying to update that AD

Re: [ActiveDir] OU and GPO Design Comments

2003-06-10 Thread Tony Murray
If you use group filtering in this way, it is recommended not to use Deny. Instead use positive filtering. To do this, remove the Authenticated Users group from the ACL and then add the groups you want it to apply to using Apply Group Policy. Another approach would be to create an OU layer

[ActiveDir] Difficulty joining domain

2003-06-10 Thread Ian Moran
I have built many W2K networks using SonicWall VPN to connect branch offices (BO) to a central site. This has always worked very well. One site continues to trouble me though. This site has a W2K+SP3 server that refuses to join the main AD domain. DNS and WINS on this server point across the VPN to

RE: [ActiveDir] OU and GPO Design Comments

2003-06-10 Thread Roger Seielstad
DO you have links to any articles that show how to do WMI filtering in GPO's? I've not run across that idea, although it sounds slick. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original

RE: [ActiveDir] OU and GPO Design Comments

2003-06-10 Thread Tony Murray
For you Roger...of course :-) The Group Policy Infrastructure White Paper is a good read if you have a spare couple of days. http://www.microsoft.com/downloads/details.aspx?FamilyID=d26e88bc-d445-4e8f-aa4e-b9c27061f7caDisplayLang=en Appendix C covers WMI filtering quite comprehensively. Tony

Re: [ActiveDir] Difficulty joining domain

2003-06-10 Thread Tony Murray
It probably is a port issue. Have a look at the following article, which lists the domain controller default ports. Probably the most obvious is the ldap port (389). http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q289/2/41.ASPNoWebContent=1

Re: [ActiveDir] Difficulty joining domain

2003-06-10 Thread rick reynolds
have the new server look to the main site ad server running dns for dns. - Original Message - From: Ian Moran [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, June 10, 2003 2:45 AM Subject: [ActiveDir] Difficulty joining domain I have built many W2K networks using SonicWall VPN

RE: [ActiveDir] OU and GPO Design Comments

2003-06-10 Thread Gil Kirkpatrick
Hey Tony, What's the thinking behind the recommendation not to use Deny for group filtering? -gil -Original Message- From: Tony Murray [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 10, 2003 12:17 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] OU and GPO Design Comments If you use

[ActiveDir] Extending the Active Directory Schema

2003-06-10 Thread Pennell, Ronald B.
Has anyone extended the active directory to include the employee number as a displayed field? I understand that this field exists, but no attributes have been set. I want to add the employee number in the displayed items when setting up the user account. Running W2K SP3... Ron Pennell

RE: [ActiveDir] OU and GPO Design Comments

2003-06-10 Thread Tony Murray
The short answer: Because BJ Whalen (Group Policy Program Manager) told me not to at TechEd last week. :-) The longer answer: I think it has to do with the fact that Deny permissions always beat Allow in the ACE. So for someone who is a member of two groups, one allowing the policy to be
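The two pieces of advice in Tony's posts above (drop Authenticated Users' Apply and grant it positively, and avoid Deny because a Deny ACE beats every Allow for a user who sits in both groups) as an added PowerShell example; this is not code from the list or from Microsoft. It assumes the GroupPolicy and ActiveDirectory RSAT modules, and the GPO name 'Branch Lockdown' and group 'GP-BranchLockdown-Apply' are illustrative:

```powershell
# Added example, not from the original thread. Assumed names: 'Branch Lockdown',
# 'GP-BranchLockdown-Apply'. Requires the GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Positive filtering: Authenticated Users loses 'Apply Group Policy' but keeps Read,
# and only the listed groups get Apply. No Deny ACE is written, so a user who is in
# one applying group and one non-applying group still receives the policy.
function Set-PositiveGpoFilter {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string[]]$ApplyToGroup
    )
    # -Replace swaps the default GpoApply for GpoRead instead of removing the trustee.
    # Keeping Read matters on domains patched with MS16-072: user policy is fetched in
    # the computer's security context, and with no Read ACE the GPO is not retrieved.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    foreach ($group in $ApplyToGroup) {
        Set-GPPermission -Name $GpoName -TargetName $group -TargetType Group `
            -PermissionLevel GpoApply | Out-Null
    }
    # Return the resulting delegation so the caller can eyeball it
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

# Audit: list every GPO whose DACL carries a Deny that blocks 'Apply Group Policy'
# (extended right edacfd8f-ffb3-11d1-b41d-00a0c968f939). These ACEs are the ones
# that override an Allow for a user in overlapping groups.
function Find-GpoDenyApply {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $applyRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # $gpo.Path is the DN of the groupPolicyContainer object in AD
        $acl = Get-Acl -Path ("AD:\" + $gpo.Path)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Deny') { continue }
            # Explicit Deny on the Apply right, a Deny of all extended rights, or a
            # blanket Deny of everything: each of them stops the GPO applying.
            $blocksApply = ($ace.ObjectType -eq $applyRight) -or
                ($ace.ObjectType -eq [guid]::Empty -and
                    (($ace.ActiveDirectoryRights -band $rights::ExtendedRight) -ne 0 -or
                     ($ace.ActiveDirectoryRights -band $rights::GenericAll) -ne 0))
            if (-not $blocksApply) { continue }
            [pscustomobject]@{
                Gpo       = $gpo.DisplayName
                Trustee   = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (assumed names):
# Set-PositiveGpoFilter -GpoName 'Branch Lockdown' -ApplyToGroup 'GP-BranchLockdown-Apply'
# Find-GpoDenyApply | Format-Table -AutoSize
```

Get-GPPermission only reports Allow levels, which is why the audit reads the GPO container's DACL directly; run it before a migration to find the Deny ACEs that the GPMC Delegation tab hides under "Advanced".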

RE: [ActiveDir] OU and GPO Design Comments

2003-06-10 Thread Gil Kirkpatrick
Thanks... -g -Original Message- From: Tony Murray [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 10, 2003 9:24 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OU and GPO Design Comments The short answer: Because BJ Whalen (Group Policy Program Manager) told me not to at TechEd last

RE: [ActiveDir] OU and GPO Design Comments

2003-06-10 Thread deji
Looks intelligent to me :) Mine is more like:
|--Branches
|--Enterprise
   |--Users
   |--Computers
   |--Groups
|--HR
   |--Users
   |--Computers
   |--Groups
|--Engineering
   |--Users
   |--Computers

RE: [ActiveDir] Difficulty joining domain

2003-06-10 Thread Ian Moran
It's doing that already. TCP/IP properties on the BO server reference DNS and WINS servers in the central site. Ian -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rick reynolds Sent: 10 June 2003 14:03 To: [EMAIL PROTECTED] have the new

Re: [ActiveDir] Difficulty joining domain

2003-06-10 Thread jim . katoe
Run a port scanner from the side having troubles joining the domain. Look at the list of ports necessary in the previous post. Dynamic RPC operations are part of normal AD functions so access to random high-numbered ports is needed. If the port scanner tells you that some of these needed ports

RE: [ActiveDir] Difficulty joining domain

2003-06-10 Thread Ian Moran
It does seem like that but there's a VPN tunnel between the two networks and my understanding has always been that these are protocol transparent - everything can pass. IOW, no need to open ports on either firewall. Ian -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] OU and GPO Design Comments

2003-06-10 Thread Dave Kinnamon
Do you still store groups that are created by default (such as Exchange groups or built-in groups) in the Users container? ... 'Cause I had big problems when I tried to move an Exchange Admins group during initial deployment. Dave -Original Message- From: deji [mailto:[EMAIL

Re: [ActiveDir] Difficulty joining domain

2003-06-10 Thread Rick Reynolds
the vpn settings are all the same??? - Original Message - From: Ian Moran [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, June 10, 2003 11:24 AM Subject: RE: [ActiveDir] Difficulty joining domain I think I tried that already, I'll have another go. I should say though that I've

Re: [ActiveDir] Difficulty joining domain

2003-06-10 Thread Rick Reynolds
correct, I do remember some hardware vpn's having a check mark to allow icmp?? and are you sure tcpip traffic does route thru the vpn to the other end?? - Original Message - From: Ian Moran [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, June 10, 2003 11:09 AM Subject: RE:

RE: [ActiveDir] Difficulty joining domain

2003-06-10 Thread Ian Moran
Error message is The specified network name is no longer available -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: 10 June 2003 12:08 To: [EMAIL PROTECTED] It probably is a port issue. Have a look at the following article,

RE: [ActiveDir] Difficulty joining domain

2003-06-10 Thread Ian Moran
Sorry, don't follow what you're asking. I have 4 w2k client Forests out there all bolted together using Sonic VPN. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Reynolds Sent: 10 June 2003 19:28 To: [EMAIL PROTECTED] the vpn settings

RE: [ActiveDir] OU and GPO Design Comments

2003-06-10 Thread Free, Bob
Because BJ Whalen (Group Policy Program Manager) told me not to at TechEd last week. :-) He told me the same thing at DEC last month so it must be true :-] (It was also prominently featured on one of his slides) As far as your longer answer, that is also clearly noted in the GP white paper.

[ActiveDir] OT: RFP for Wireless LAN's

2003-06-10 Thread Salandra, Justin A.
Does anyone know where I can find a copy of an existing RFP for Wireless LANs. We may be asking for bids on vendors to implement a Wireless LAN. Any help is appreciated. Justin A. Salandra, MCSE Senior Network Engineer Catholic Healthcare System 212.752.7300 primary office 917.455.0110 cell

RE: [ActiveDir] OU and GPO Design Comments

2003-06-10 Thread deji
No. THOSE guys I leave alone. I have not had any reason to-date to apply unique policies to any default account. Dèjì Akómöláfé, MCSE MCSA MCP+I www.akomolafe.com www.iyaburo.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon -Original Message-

RE: [ActiveDir] Extending the Active Directory Schema

2003-06-10 Thread Sharma, Shshank
I am thinking about something similar, such as adding attributes like allowAccessToApplicationX, allowAccessToApplicationY and so on, for users. How easy is doing something like this, anyone? ./Shshank -Original Message- From: Pennell, Ronald B. [mailto:[EMAIL PROTECTED] Sent:

RE: [ActiveDir] Difficulty joining domain

2003-06-10 Thread Free, Bob
SWAG but sometimes overlooked, is the server's time within 5 minutes of the domain? -Original Message- From: Ian Moran [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 10, 2003 11:24 AM To: [EMAIL PROTECTED] I think I tried that already, I'll have another go. I should say though that
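The checks proposed across this thread (Tony's DC port list, Jim's suggestion to scan from the branch side, Bob's clock-skew question) as one added PowerShell script run on the branch server; this is not code from the list. It assumes a DC named DC01.corp.example reachable over the tunnel and Windows 8 / Server 2012 or later on the branch box for Test-NetConnection:

```powershell
# Added example, not from the original thread. Assumed DC name: DC01.corp.example.
# Port list follows the DC defaults (KB 289241) plus Kerberos password change (464).
$DcPorts = @(
    @{ Port = 53;   Service = 'DNS (TCP)' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 139;  Service = 'NetBIOS session (only if SMB is not using 445)' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB (Netlogon, SAMR, SYSVOL)' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAP over SSL' },
    @{ Port = 3268; Service = 'Global Catalog' },
    @{ Port = 3269; Service = 'Global Catalog over SSL' }
)

# TCP connect test per port from the branch side, which is where the join fails.
function Test-DcPorts {
    param([Parameter(Mandatory)][string]$Dc)
    foreach ($p in $DcPorts) {
        $open = Test-NetConnection -ComputerName $Dc -Port $p.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p.Port; Service = $p.Service; Open = $open }
    }
    # Not coverable by a fixed list: the RPC dynamic range the endpoint mapper hands
    # out (1024-65535 on W2K/2003, 49152-65535 from Vista/2008). If a firewall or
    # tunnel policy pins ports, restrict the range server-side instead (KB 154596,
    # HKLM\SOFTWARE\Microsoft\Rpc\Internet) so a rule can be written for it.
}

# Kerberos rejects tickets once clocks differ by more than MaxClockSkew (5 minutes).
# w32tm /stripchart /dataonly prints one "hh:mm:ss, +00.1234567s" line per sample.
function Get-DcClockOffset {
    param([Parameter(Mandatory)][string]$Dc, [int]$Samples = 3)
    $lines = & w32tm.exe /stripchart /computer:$Dc /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($l in $lines) {
        if ("$l" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) {
        # No samples means NTP (UDP 123) did not get through; report the raw text
        return [pscustomobject]@{ Dc = $Dc; OffsetSeconds = $null; WithinSkew = $false; Raw = ($lines -join ' ') }
    }
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    [pscustomobject]@{ Dc = $Dc; OffsetSeconds = $worst; WithinSkew = ($worst -lt 300); Raw = $null }
}

# A port that connects but a session that later dies with "The specified network
# name is no longer available" is a classic MTU symptom across a tunnel: full-size
# SMB frames are dropped rather than fragmented. Probe with do-not-fragment pings.
function Test-PathMtu {
    param([Parameter(Mandatory)][string]$Dc, [int[]]$PayloadSizes = @(1472, 1400, 1300, 1200))
    foreach ($size in $PayloadSizes) {
        $out = & ping.exe -n 1 -f -l $size $Dc 2>&1 | Out-String
        $state = if ($out -match 'needs to be fragmented') { 'TooBig' }
                 elseif ($out -match 'TTL=') { 'OK' }
                 else { 'NoReply' }     # ICMP blocked or host down: inconclusive
        # IP packet size = payload + 8 (ICMP header) + 20 (IPv4 header)
        [pscustomobject]@{ PayloadBytes = $size; IpPacketBytes = $size + 28; Result = $state }
    }
}

# Usage (assumed DC name):
# Test-DcPorts -Dc 'DC01.corp.example' | Format-Table -AutoSize
# Get-DcClockOffset -Dc 'DC01.corp.example'
# Test-PathMtu -Dc 'DC01.corp.example' | Format-Table -AutoSize
```

If every port reports Open and the clock is within skew but the largest pings come back TooBig, the tunnel is passing TCP but not full-size frames, and clamping the MSS or lowering the MTU on the VPN interfaces is the fix rather than any firewall rule.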

RE: [ActiveDir] Extending the Active Directory Schema

2003-06-10 Thread Gil Kirkpatrick
A better (read: more extensible) scheme would be create a single application object for each application you wish to secure, and use the ACLs on the objects to control access to the application. For instance, if the application is domain specific, you might put the application object in the
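Gil's object-per-application design, contrasted with Shshank's attribute-per-application idea above, as an added PowerShell example; this is not code from the list. It assumes the ActiveDirectory module (Server 2008 R2 or later), an OU named Applications under the domain root, a group 'AppX-Users' and a DC 'DC01', all of which are illustrative:

```powershell
# Added example, not from the original thread. Assumed names: OU 'Applications',
# group 'AppX-Users', DC 'DC01'. Requires the ActiveDirectory module and its AD: drive.
Import-Module ActiveDirectory

# One container object per application; its DACL is the access decision, so adding
# an application means adding an object, not extending the schema.
function New-ApplicationAccessObject {
    param(
        [Parameter(Mandatory)][string]$AppName,
        [Parameter(Mandatory)][string]$AllowedGroup,
        [string]$ParentDn = "OU=Applications,$((Get-ADDomain).DistinguishedName)"
    )
    $obj = New-ADObject -Type container -Name $AppName -Path $ParentDn `
        -Description "Access marker for $AppName" -PassThru
    $path = "AD:\$($obj.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # 1. Block inheritance and purge the explicit Read that the container class
    #    default security descriptor grants Authenticated Users; without this step
    #    every user could read the object and the check below would always pass.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($wellKnown in 'S-1-5-11', 'S-1-1-0') {          # Authenticated Users, Everyone
        $acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]::new($wellKnown))
    }

    # 2. Admins keep full control explicitly (protection dropped any inherited grant).
    $da = (Get-ADGroup -Identity 'Domain Admins').SID
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $da,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow))

    # 3. The single grant: the application's group may read the object.
    $sid = (Get-ADGroup -Identity $AllowedGroup).SID
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow))

    Set-Acl -Path $path -AclObject $acl
    $obj.DistinguishedName
}

# The application's check: bind as the user and try to read the object's description.
# AD hides what the caller cannot read, so a non-member gets nothing back (or an
# error), a member gets the attribute. No group-name logic lives in the application.
function Test-ApplicationAccess {
    param(
        [Parameter(Mandatory)][string]$AppDn,
        [Parameter(Mandatory)][pscredential]$UserCredential,
        [string]$Server = 'DC01'
    )
    try {
        $r = Get-ADObject -SearchBase $AppDn -SearchScope Base -LDAPFilter '(objectClass=*)' `
            -Properties description -Credential $UserCredential -Server $Server -ErrorAction Stop
        return ($null -ne $r -and -not [string]::IsNullOrEmpty($r.description))
    } catch {
        return $false
    }
}

# Usage (assumed names):
# $dn = New-ApplicationAccessObject -AppName 'ApplicationX' -AllowedGroup 'AppX-Users'
# Test-ApplicationAccess -AppDn $dn -UserCredential (Get-Credential 'CORP\jdoe')
```

Revoking access is then a group-membership change or an ACE change on one object, auditable with Get-Acl, whereas a per-user boolean attribute has to be found and flipped on every user object and nothing in the directory says who is allowed to set it.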

RE: [ActiveDir] Trying to run DCPromo and getting error 5171

2003-06-10 Thread steve
Still having DNS problems! I was able to run NLTEST and it passed. Went through both SERVERS and verified that it had 172.16.0.30 for DNS setting. S2.fanmats.com. NSLOOKUP fails on both servers with errors. Please refer to NSLOOKUP.txt. DCDIAG.EXE FAILS. Please

RE: [ActiveDir] Trying to run DCPromo and getting error 5171

2003-06-10 Thread Diane Ayers
Can't find server name for address 172.16.0.30 If NSlookup can't connect to that IP address, something is fubar with the DNS service on 172.16.0.30. Can you telnet to port 53 (DNS) on that box? "telnet 172.16.0.30 53" Diane From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] Difficulty joining domain

2003-06-10 Thread Ian Moran
Bob - time is accurate. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: 10 June 2003 21:46 To: [EMAIL PROTECTED] SWAG but sometimes overlooked, is the server's time within 5 minutes of the domain? -Original

Re: [ActiveDir] OU and GPO Design Comments

2003-06-10 Thread Jan Wilson
The short answer: Because BJ Whalen (Group Policy Program Manager) told me not to at TechEd last week. :-) and since it was 3:45PM on Friday the fact not the logic registered... better than me .. I stop hearing after he said never redirect application data folders List info :

RE: [ActiveDir] Trying to run DCPromo and getting error 5171

2003-06-10 Thread Rick Kingslan
Steve, Diane - I agree that there is clearly something wrong with the DNS. But, I'm not so sure that this is the indication. This can also be caused (most likely) by a missing Reverse Lookup. This was mentioned once before - have you looked into this yet, Steve? I'm much

RE: [ActiveDir] Difficulty joining domain

2003-06-10 Thread Ian Moran
Yes they are. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Reynolds Sent: 10 June 2003 21:16 To: [EMAIL PROTECTED] What I meant was are all the vpn tunnels setup the same, It sounds like they are. - Original Message -

RE: [ActiveDir] Trying to run DCPromo and getting error 5171

2003-06-10 Thread Diane Ayers
Not being there, it's hard to guess the problem via an email thread _but_ if NSlookup won't connect to a name server by IP address, that gives me a clear indication that something is up with DNS. A missing PTR record(s) should have no impact with connecting to the name server
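Diane and Rick are each describing a different nslookup failure: a missing PTR only produces the cosmetic "Can't find server name for address" line, while a server that never answers produces a timeout and "Default servers are not available". The added script below separates the two and also checks the record DCPROMO actually needs; it is not code from the list. It assumes the DNS server 172.16.0.30 and the domain fanmats.com from Steve's post, and Windows 8 / Server 2012 or later for Resolve-DnsName and Test-NetConnection:

```powershell
# Added example, not from the original thread. Assumed inputs: DNS server
# 172.16.0.30 and AD domain fanmats.com. Requires the DnsClient and NetTCPIP modules.
function Test-AdDns {
    param(
        [Parameter(Mandatory)][string]$DnsServer,
        [Parameter(Mandatory)][string]$Domain
    )
    $out = @()

    # 1. Is anything listening on TCP 53? (the telnet test from this thread)
    $tcp = Test-NetConnection -ComputerName $DnsServer -Port 53 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    $out += [pscustomobject]@{ Check = 'TCP 53 reachable'; Ok = $tcp; Detail = $DnsServer }

    # 2. Does the server answer a real query for the zone? (UDP path; this is what
    #    nslookup's "timed out" means it could not do). -DnsOnly skips LLMNR/NetBIOS.
    try {
        $soa = Resolve-DnsName -Name $Domain -Type SOA -Server $DnsServer -DnsOnly -ErrorAction Stop
        $primary = ($soa | Where-Object Type -eq 'SOA' | Select-Object -First 1).PrimaryServer
        $out += [pscustomobject]@{ Check = 'SOA query answered'; Ok = $true; Detail = "primary=$primary" }
    } catch {
        $out += [pscustomobject]@{ Check = 'SOA query answered'; Ok = $false; Detail = $_.Exception.Message }
    }

    # 3. The DC locator record that DCPROMO and domain joins look up first.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
            -Server $DnsServer -DnsOnly -ErrorAction Stop
        $targets = ($srv | Where-Object Type -eq 'SRV' |
            ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        $out += [pscustomobject]@{ Check = 'DC SRV record'; Ok = ($targets -ne ''); Detail = $targets }
    } catch {
        $out += [pscustomobject]@{ Check = 'DC SRV record'; Ok = $false; Detail = $_.Exception.Message }
    }

    # 4. Reverse lookup of the server's own address. Failure here is cosmetic for
    #    nslookup (it prints "Can't find server name for address") but harmless.
    try {
        $ptr = Resolve-DnsName -Name $DnsServer -Type PTR -Server $DnsServer -DnsOnly -ErrorAction Stop
        $host = ($ptr | Where-Object Type -eq 'PTR' | Select-Object -First 1).NameHost
        $out += [pscustomobject]@{ Check = 'PTR for server IP'; Ok = $true; Detail = $host }
    } catch {
        $out += [pscustomobject]@{ Check = 'PTR for server IP'; Ok = $false; Detail = 'no PTR: cosmetic only' }
    }
    $out
}

# Usage (assumed values):
# Test-AdDns -DnsServer '172.16.0.30' -Domain 'fanmats.com' | Format-Table -AutoSize
```

Read the table top down: if check 2 fails, the server is not serving DNS and the PTR is irrelevant; if 2 passes but 3 fails, the DC never registered its locator records (check Netlogon and dynamic updates on the zone); if only 4 fails, add the reverse zone and move on.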

RE: [ActiveDir] Trying to run DCPromo and getting error 5171

2003-06-10 Thread Rick Kingslan
Replying off-line, as this whole thing is a bit out of control. By all means, Diane - you're right. It 1) shouldn't be this flippin' hard and 2) shouldn't be this flippin' hard. As I'm sure that you've followed, I've suggested the same thing at least twice, and Steve never

RE: [ActiveDir] Trying to run DCPromo and getting error 5171

2003-06-10 Thread Rick Kingslan
ooops. :/ -rtk From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Tuesday, June 10, 2003 10:42 PM To: [EMAIL PROTECTED] Replying off-line, as this whole thing is a bit out of control. By all means, Diane - you're right. It 1) shouldn't