Full Armor's GPO Repository would be a good choice.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Darren Mar-Elia
Sent: Wednesday, July 07, 2004 12:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Question on Auditing GPO Changes
David-
It depends
Hi
I have an issue when using DCPROMO /forceremove to remove a DC from a domain. I get so far with Metadata Cleanup (following the MS article 216498 that 99% of people probably use!) and get the error listed below when I try to remove the select server.
DsRemoveDsServerW error 0x2098(Insufficient
Hi,
I'm planning to upgrade my NT4.0 domains to Windows
2000. I have NT domains that have two-way trusts to each other.
The first domain is where all my users, printers, file
server and mail servers are and the second domain is just for my SAP
applications run. My SAP servers are
I would start fresh with a new forest then migrate
over users services using MS migration tools which work well. I have
previously done an in place upgrade of NT4 although it
worked well there is more flexibility with a new domain.
Obviously the additional hardware requirements can
sorry, new kit is out of the question, I should have
mentioned that.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Henderson Richard
Sent: 08 July 2004 11:47
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest
I would start fresh with a new forest
Would someone please be able to verify if defragmenting a
disk is safe on a domain controller?
I want to install and use Diskkeeper but would like to get
some assurance of its use before its implementation.
Thank you in advance for your replies.
Edwin
It's safe.. I'd just recommend doing it in a quiet period.
BR
Rob
-Original Message-
From: Edwin [mailto:[EMAIL PROTECTED]
Sent: 08 July 2004 13:51
To: Active Directory
Subject: [ActiveDir] Disk Defragmenting
Would someone please be able to
verify if
Not knowing all of the details to your current situation, those you provided lead me
to recommend having one forest, but 2 domains. You can upgrade your user
domain and have that as your forest root, then upgrade the SAP domain as a new
domain in the forest. With that
OK. Thanks.
I have it scheduled for 2:00am - 4:00
am every day. There are only 2 people here at that time and they would
have already logged into the domain hours before.
Thank you!
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford,
Return Receipt
Your document:
RE: [ActiveDir] 2 NT4.0 domains to a Forrest
was received by:
Justin Leney/US/DCI
at:
07/08/2004 09:48:33 AM
Almost right (as I understand your interpretation). Your SAP domain will be a
parallel domain to your user domain, but in the same forest. For example,
let's say your current user domain is called 'tuv' with a DNS entry of 'tuv.com'
and your SAP domain is called 'wxy' with a
We have a domain controller/adi dns
server that has not been behaving lately (blue screened a couple of times).
I am going to rebuild the system.
Here is my question: Should I uninstall
DNS before running dcpromo, or run dcpromo first and then remove DNS?
I'm sure there are other parameters
I recommend running dcpromo, then uninstall DNS. I also recommend checking
with the hardware manufacturer first to determine if any updated hardware
drivers are available for the system. Most BSODs are caused by bad
hardware drivers, then by bad hardware.
Kenneth W. (Ken)
shameless product plug
NetPro's Change Auditor for AD also tracks GPO changes, along with _all_
other aspects of AD configuration, and provides who, what, when, where, and
why something was changed, as well as before and after values for each
changed configuration items. See
Free enterprise licenses to all members of this list? ;
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil
Kirkpatrick
Sent: Thursday, July 08, 2004 11:32
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Question on Auditing GPO Changes
All,
We are in the process of upgrading our AD domain from Win2k SP4 to Win 2003.
We have a single forest with 2 domains with an empty mgmt root domain. We
have been swapping out the Win2k DCs with freshly built Win2k3 DCs
one at a time. We completed the empty root domain without any
Graham,
We just went through this about two weeks ago. When we did our
testing we found that the repadmin /disable_outbound_repl command only
stops inter-site replication, it does NOT disable intra-site
replication. After running that command run /showreps and you will see
that all of
Just out of curiosity, any particular reason that led
wanting to defrag the drives? I can understand defragging the db's, but
the drives is something I haven't seen done a tremendous amount of the
time.
Al
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
It sounds like you need to change the policy to send unencrypted passwords to
down-level / SMB devices.
Kenneth W. (Ken) Adams, MCSA, MCSE
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wright, T. MR NSSB
Sent: Thursday, July 08,
*Sounds* like something to do with the pre-authentication
settings. Have you already captured a network trace? If not, you may
want that and may want to check the websites of those products for your versions
to see if any issues have been logged there.
Al
From: [EMAIL PROTECTED]
I had the same concerns... But I did install Diskeeper and have had no problems. I
would recommend that you give it more time than what you had already scheduled.
I tried it with that schedule and found out that I wasn't giving Diskeeper
enough time to get things done. My
This was along the lines of what I was
thinking, but then when I look at the default domain controllers policy it
seems to have kept all of the settings from the Win2k domain controllers policy.
I think the new 2003 DC policy would have taken effect only if I had built a
We're not expecting DHCP to manage addresses outside of DHCP scopes. Our network
group is looking for a product to ease their management of addresses outside of the
DHCP scopes. For example, they need to doc the router management addresses or servers
that have static addresses that are
Gil,
Thanks. Yep, that's one of the products they're investigating now. They dropped QIP
but added Men and Mice to MetaIP as candidate products. I'm hoping, though, that we
can accomplish this without spending that kind of money.
Thanks,
Mike
Mike,
Check out
Title: Account name as Common Name
Hi all,
Just a quick question I don't find on google at first sight..
We are implementing AD on W2K3 and we want that the common name of the user object = the account name and not the first + last name..
Currently we create a user and then have to
Title: Account name as Common Name
http://support.microsoft.com/?kbid=250455
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bart Vandyck
Sent: Thursday, July 08, 2004 12:46 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account name as Common Name
Hi all,
Just a quick
First off, you may want to look into what you can do with
that SAP app in the future, your hands are bound in a bad way and at some point
you will find yourself between a rock and hard place for something due to it. If
you guys wrote the SAP app, work on making it more flexible, if someone
Were your problems with upgraded machines or the upgraded
domain? I would say that there are far more upgraded domains than brand new
domains with everything moved into them. The second option tends to be pretty
much unfeasible for any large company.
joe
From: [EMAIL PROTECTED]
Ok, so after doing some network traces from the CF App Server, I have derived the following: The CF developers hard coded a specific domain controller into their code, the CF page submit the username and password to that DC and when the DC replies it answers with a referral to
I've seen where the password expiry warning (number of days) can be changed on a
workstation - is that for domain password, local accounts, or both? I
thought that setting would be on the domain controller side, as part of the
domain default group policy, but I don't see it there. So to
Mark,
Check out KB 135403. In Windows 2003, the group policy setting is
"Interactive Logon: Prompt user to change password before expiration" - in there
you can enter the number of days that you'd like set.
HTH,
Katherine
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Hey Todd.
If you do an OS Upgrade from 2K to K3 on a Domain Controller I believe it
will pull the PDC functionality to it. If you DCPROMO in a fresh K3 it will
not pull the role from what I have seen with the domains I have been
involved with. Personally though, I am not into upgrades of OSes,
Title: Account name as Common Name
Wow, never seen that article, it is like 14 steps too long.
It should just say, run this script and supply the script. I am going to see if
I can get that changed.
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent:
You should possibly consider setting up some provisioning
system that is specific to you guys. It asks the questions of the things you
specifically need to know and then configures the proper settings. That way you
have consistency in how your users are configured. It can save tremendous
Correct.
If you are in native mode and can't find a GC and don't have the
ignoregcfailures switch set I would say you would have issues anyway. But
then I am a proponent of setting the ignoregcfailures switch and not using
universal groups for security principals and definitely never using them
The page I know about at MS is
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/characteristics_of_attributes.asp
It tells you what the search flags are but doesn't talk about how to update
the schema, but there are lots of other papers on doing that. It isn't
rocket
I am thinking this wouldn't be a good technique for feeling safe about deleting user
accounts. Either disable them or disable them and throw them into an OU that no one
except say ent admins have access to; ditto for computer accounts. As for security
groups, convert them to DLs. If you need
Hey Ulf -can you just script it?
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Wednesday, July 07, 2004 6:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Delegation of Callback-Number
Hi there, I have a customer
who where we implemented
Throw the DC you are using to do the update into a site with a long
replication frequency but not over a week. Do your update, then when you are
ready, do a repadmin /sync on one or more of the connections.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Unless you are doing file sharing on the DCs I am not
thinking you need to defrag that much. You should be able to go months without a
defrag without issue as defragging the disks won't help the most heavily changed
portion of the storage, the DIT. That is cleaned up with DB
Is there a reason you are configuring any servers
specifically to be bridgeheads or are you doing it because someone said you
should?
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Saturday, June 26, 2004 9:17 AM
To: Active Directory Mailing
Let's just hope the chicken littles aren't capable of reading this list or
it could get worse. :o)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Monday, June 28, 2004 2:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]
Definitely agree with Guido's parting remarks:
At last, every Domain Admin is basically an Enterprise Admin (or could
become one, no matter which domain in the forest - should be clear what I
mean). So whatever you do, keep the members in DA restricted to the same
bare-minimum possible as your
Microsoft has stated that their direction is to move toward LDIF formats
rather than CSV formats.
Anything you can point at to substantiate this comment?
For this reason, LDIFDE has more functionality than CSVDE.
What specifically?
I agree that people should be familiar with the LDIF
I know the party is over on this but this is one good
reason for using a password expiration policy. Note that if you do use that
policy, you can actually use my oldcmp on the user objects just as easily as you
can on computers.
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Greetings,
I have made two exchange forest in my test lab environment. Now I want that a user from organization one should be able to send mail to another organization. So which connector (I think I have to create SMTP connector) should I need to create so that a user from one organization
Manjeet -
This sounds like a setup question for SimpleSync - but nonetheless I am compelled to
reply :)
You can use SimpleSync from CPS Systems to share (synchronize) the GALs between your
Forests. Over 200 companies worldwide have selected SimpleSync to
accomplish this goal. 4MB download,
47 matches