RE: [ActiveDir] Disabling Distributed Link Tracking Server on domain Controllers

2005-11-29 Thread Almeida Pinto, Jorge de
Forgot to mention earlier... Yes, it is also correct the article mentions to disable the DLT server service while it still will do the cleanup. That is not correct. My apologies for not bringing that up earlier Jorge From: [EMAIL PROTECTED] on behalf of

RE: [ActiveDir] When is a domain Admin not a domain Admin?

2005-11-29 Thread TIROA YANN
understood :) Yann From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, November 28, 2005 23:29 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] When is a domain Admin not a domain Admin? Base assumption that I took and I expect Hunter took is that FC was

RE: [ActiveDir] Trusts.....

2005-11-29 Thread Smith, Brad
Yep, that was one of the 1st things I tried. It works, as does changing focus of AD tools and eventvwr to point to the other domain. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric Sent: 28 November 2005 17:56 To:

RE: [ActiveDir] Trusts.....

2005-11-29 Thread Smith, Brad
Got it. I dumbed down all the signing, encrypting and NTLM prerequisites (ie, LM and NTLM, not NTLM2) and it worked. Now I need to slowly beef it up again and see what I can get away with before things start to fail. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

RE: [ActiveDir] Trusts.....

2005-11-29 Thread Smith, Brad
.and it only seems to work with a net use connection to C$ in place at the same time. I have to apologise if this thread is useless for others, this is probably related more to our Server build than anything else. Thanks for all the pointers though. -Original Message- From:

RE: [ActiveDir] authentication problem

2005-11-29 Thread Ken Schaefer
Hi, Do not change any more values without an understanding of the root cause of the issue. Do not uncheck that checkbox, and do not change the security zone that the site is in. a) What do your IIS logfiles say for the requests in question? b) What do your event logs say as far as failed logon

RE: [ActiveDir] authentication problem

2005-11-29 Thread Katrin Wilhelm
Hi Ken, Thanks heaps for your response. Currently I can give the following answers: A) the IIS log files say nothing in particular they all look the same as before the incident B) I get no log entry in the security that authentication is failing - seems to not get through at all so it keeps

RE: [ActiveDir] AD Schema Attribute

2005-11-29 Thread joe
Yep I think that has been discussed here before. Maybe not. Even more fun is that it isn't configured by default to be available on any objects. There are quite a few items like that, I think you will find Sakari pointed out a few in his book as well. joe -Original Message- From:

RE: [ActiveDir] Disabling Distributed Link Tracking Server on domain Controllers

2005-11-29 Thread ActiveDirectory
Thanks! I'm not as bad off as I thought. I do most of that. Just need to look further into the filelinks, lost and found and a couple of others. Bob From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Posted At: Monday, November 28, 2005 4:45 PM Posted To:

RE: [ActiveDir] Your Trust creation process

2005-11-29 Thread Smith, Brad
No Prob. On both the domains, I turned off all digital signing and encrypting that can be found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. I also set LAN Manager Authentication level to LM NTLM only I also set restrict anonymous access to

RE: [ActiveDir] Outlook installed on a DC

2005-11-29 Thread Frank Abagnale
Unfortunately the service manager used to be a former techie who did my role and therefore is quite difficult to reason with as he sees it as the 'only way' We have a project board, so I aim to put forward the reasons against his idea and let the business decide. thanks for everyone's

[ActiveDir] FSMO role transfer

2005-11-29 Thread Amy Hunter
Hi guys, We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles. I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained. Initially, I was planning on

RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread Almeida Pinto, Jorge de
First, look at each role and see what it does... Forest FSMOs * Schema Master -- needed when updating the schema * Domain Naming master -- needed when adding or removing domains within the forest Domain FSMOs * PDC Emulator -- needed for legacy clients (NT4, W9x) when changing passwords,

RE: [ActiveDir] Outlook installed on a DC

2005-11-29 Thread Almeida Pinto, Jorge de
Well, if he was a techie.. he should understand why outlook should not be installed on the DC Jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale Sent: Tuesday, November 29, 2005 16:38 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Outlook

Re: [ActiveDir] Quest Migration manager(OT)

2005-11-29 Thread Tom Kern
Just curious, not i'm i want to implement this solution but for my own knowledge, how does expiring accounts get around an audit? If i expire and then unexpire an account, does the password age go back to 1? is that it? thanks On 11/23/05, joe [EMAIL PROTECTED] wrote: Yeah this is firmly outside

RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread neil.ruston
Sorry, but for peace of mind, I *would* transfer the roles. If there is opportunity to do so, then why not transfer? It's a trivial task and will take no time to replicate (assuming the other DC is in the same site). More worrying perhaps, is the fact that if clients point to one (or both)

Re[2]: [ActiveDir] FSMO role transfer

2005-11-29 Thread gollum123
Tuesday, November 29, 2005, 5:08:52 PM, you wrote: First, look at each role and see what it does... Forest FSMOs * Schema Master -- needed when updating the schema * Domain Naming master -- needed when adding or removing domains within the forest Domain FSMOs * PDC Emulator -- needed for

RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread Douglas M. Long
It probably depends on what you're doing during those 2 hours. If I were installing SP1 on a DC that had problems rebooting/booting in the past, or has known HW issues, or for some odd reason the machine is not on a UPS when installing a Service Pack, I think it would be easier to move the

RE: [ActiveDir] Quest Migration manager(OT)

2005-11-29 Thread Rich Milburn
Yes, but I believe it is set to 0, not 1. --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS

RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread Craig Cerino
Going by the If it ain't broke don't fix it adage or the idea of Don't mess with the production environment while IN production I would still say leave the FSMO roles where they are. If you want to try or tinker with or test transferring or (actually) seizing FSMO roles set up a test

RE: [ActiveDir] Outlook installed on a DC

2005-11-29 Thread Craig Cerino
. . . . . . .and THAT my friend is why he's management now :) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale Sent: Tuesday, November 29, 2005 11:49 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Outlook installed on a DC Yes, he

Re: [ActiveDir] FSMO role transfer

2005-11-29 Thread ChuckGaff
You can have the servers down for 2 hours with the Forest FSMO roles and/or the Domain FSMO roles for cleanup without concern. It would become more of an issue if for a day or more. Also bear in mind what each FSMO roles does since each is unique to a domain or the entire forest so that you

Re: [ActiveDir] FSMO role transfer

2005-11-29 Thread ChuckGaff
If something went wrong you could still seize the FSMO roles as an option rather than doing a transfer. Of course the procedures for all of these for the 5 FSMOs should be documented just in case needed.. Chuck

RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread Rocky Habeeb
OK, I've been waiting for this one. If we have yet to move our 2K3 FFL DCs (Both Root Domain and Child Domain) to SP1 because of small concerns like "No one being able to log on", would you move the roles first (ie: Off the Forest Root FSMO and the Child Domain FSMO)? Is that prudent? A

RE: [ActiveDir] Outlook installed on a DC

2005-11-29 Thread Douglas M. Long
Well we knew he wasn't a good techie. How do you think he became your boss. You can't get rid of him, so promote him. :) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale Sent: Tuesday, November 29, 2005 11:49 AM To: ActiveDir@mail.activedir.org Subject:

RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread Ed Crowley [MVP]
I'm not a heavyweight by any stretch of the imagination (at least not in the context of this thread) but I would move the roles prior to maintenance, since it takes about two minutes to do, there's a credible up-side and no real down-side. I'm rather surprised that there's all this

RE: [ActiveDir] Outlook installed on a DC

2005-11-29 Thread Rich Milburn
There's a difference between techie and tech - a techie is what non-technical people call geeky people who know just enough to be dangerous, and they spend all their time at home (running Windows Me) surfing for shell replacements, utilities, and warez; and shmooze with managers telling them

RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread AD
Amy, You will not be able to do that. Creating a new machine with the same name and same ip will not automatically add your new server to the domain. You will have two choices: 1. install base os and do a full system restore from the tapes of the old server. or 2. install base os and run

RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread Almeida Pinto, Jorge de
If you want 100% insurance then yes transfering the FSMO roles prior to the maintenance task could prevent an eventual seize if the particular DC dies for some reason. Maybe dependent on the maintenance task that is performed a decision should be made if the FSMO roles should be transfered or

RE: [ActiveDir] AD Schema Attribute

2005-11-29 Thread Tony Murray
Yeah, I think a lot of it is carry-over from the legacy X.500 schema. I remember the attribute being present in a number of early X.500 implementations as part of the Paradise project (an attempt in the early 90s to pilot a global directory using X.500). The UK English spelling for favourite

Re: [ActiveDir] FSMO role transfer

2005-11-29 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller: http://support.microsoft.com/kb/255504 And XPs and Outlook 2003 will use cached credentials and cached storage of Outlook so even if the DC is down, Exchange is horked, even in a single DC setting your end users aren't

RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread joe
In production I always move the domain roles prior to working on a DC or even rebooting a DC. As you mention, the role move is trivial and if something does dork up you have less to think about and aren't wondering at what point you should be seizing. I am not so worried about the forest

RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread joe
Since you specifically mentioned me. I always move the roles for reboots and maintenance. Brett don't much care about roles, ESE doesn't care about them. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Tuesday, November 29, 2005 1:02 PM To:

RE: [ActiveDir] Quest Migration manager(OT)

2005-11-29 Thread joe
Yep it acts like the password was just changed because it sets the pwdLastSet value to the current date/time. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Tuesday, November 29, 2005 11:48 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quest

[ActiveDir] GC list

2005-11-29 Thread Harding, Devon
What's the easiest way to get a list of ALL my DCs and GCs in my forest along with IP address? Devon Harding Windows Systems Engineer Southern Wine Spirits - BSG 954-602-2469 __This message and any

RE: [ActiveDir] Outlook installed on a DC

2005-11-29 Thread joe
I generalize horribly but management tends to fail upward until they get to the point that they get their golden parachute and then leave the company when it is stumbling, only to later come back as a very overpaid consultant when the company has finally corrected itself from the previous

RE: [ActiveDir] Outlook installed on a DC

2005-11-29 Thread Mike
Simple is good. The only place Outlook belongs is on a workstation. Regards, Mike Burns From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, November 29, 2005 4:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Outlook installed on a DC I

RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread Rich Milburn
Amy the easiest path for your new hardware comment is Ys #2 below new server, dcpromo, AND MOVE FSMOs, and then decom the old one. Note that if there is DNS involved, and DHCP, and WINS, there's a bit more to it computer names etc you can get around those issues by demoting the old box,

RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread Rich Milburn
Yeah but having seize the FSMOs instead of moving them as your fallback plan is like making sure you have a current backup in case yanking the power cord instead of Start Shutdown Restart causes file system corruption :)

RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread David Adner
If the insurance is guarding against apps/services/etc that may need the FSMO holders while they're offline, then I can agree with this. If it's out of fear that something unexpected will happen that takes out the FSMO holders completely, then I don't think it's worth the effort. If the

RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread Thommes, Michael M.
Hi David, I'm with you on this one! Mike Thommes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Tuesday, November 29, 2005 4:27 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer If the

RE: [ActiveDir] GC list

2005-11-29 Thread Almeida Pinto, Jorge de
to view all DCs in the forest * repadmin /viewlist * to view all DCs in the domain * run nslookup and configure set type=srv and query for _ldap._tcp.dc._msdcs.yourdomain.tld (per domain) * NLTEST /DCLIST:DomainName * netdom query dc * run replmon and ask for show domain controllers in domain

RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread Gil Kirkpatrick
By definition, the impact of a maintenance task is expected to be low. But the behavior of a server isn't always predictable after you change the software and/or configuration and reboot it. Sometimes just the power or temperature fluctuation is enough to kick a marginal component over the edge.

Re: [ActiveDir] FSMO role transfer

2005-11-29 Thread ChuckGaff
I've not worried about transferring the FSMO roles for general maintenance such as defragmentation or updating SPs, etc. It's up to how flaky or solid the DCs are -- if they are that flaky then maybe it's time to buy some newer hardware ... Chuck

Re: [ActiveDir] GC list

2005-11-29 Thread Tomasz Onyszko
Harding, Devon wrote: What’s the easiest way to get a list of ALL my DC’s and GC’s in my forest along with IP address? Quickest way will be to use nslookup: nslookup -q=SRV _ldap._tcp.dc._msdcs.domain - for DCs nslookup -q=SRV _ldap._tcp.gc._msdcs.domain - for GCs -- Tomasz Onyszko

RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread David Adner
I would only agree if you told me your DC's regularly fail to come back after a reboot. And if you did tell me that I'd have to say you're doing something wrong. I suppose I don't consider rebooting a DC to be quite the dangerous act as others do. To what degree is this taken? If it holds

RE: [ActiveDir] GC list

2005-11-29 Thread Brett Shirley
Note instead of repadmin /options *, look for GC flag, you can run repadmin /viewlist gc: Gives only all GCs in your forest ... something I thought would probably be useless when I implemented it. Cheers, -BrettSh [msft - ESE - SDE] On Tue, 29 Nov 2005, Almeida Pinto, Jorge de wrote: to view

RE: [ActiveDir] GC list

2005-11-29 Thread David Adner
How about making /options work with /csv...? :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Tuesday, November 29, 2005 7:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC list Note instead of repadmin

RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread joe
Actually I make all DCs that have a possibility of being the forest root PDC synchronize from an external source. I haven't ever run DNS on DCs so I can't say anything to that, however if I did, I might consider it. There really is nothing to moving FSMO roles. Have you had a FSMO role

RE: [ActiveDir] AD Schema Attribute

2005-11-29 Thread Dean Wells
Note that it's multi-valued ... what can I say, we're British and there's [EMAIL PROTECTED] all else to do :o) -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,

RE: [ActiveDir] authentication problem

2005-11-29 Thread Ken Schaefer
Hi, A) IIS logfiles must have something. The browser pops-up the credentials dialogue when it receives a 401 HTTP status (Access Denied) back from the server. Can you look in your IIS logfiles please, and post the corresponding logfile entries please? If there is nothing in the IIS logfiles, then

RE: [ActiveDir] AD Schema Attribute

2005-11-29 Thread Brian Desmond
Right, but the good admins have all got it added to the user class and populated appropriately for their accounts. Of course they've also got a tool for whoever handles these things to look up the data. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message-

RE: [ActiveDir] Quest Migration manager(OT)

2005-11-29 Thread Brian Desmond
Yes. Expired password is just pwdlastset = 0 or -1 I forget which. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Tuesday, November 29, 2005 11:10 AM To:

RE: [ActiveDir] AD Schema Attribute

2005-11-29 Thread Almeida Pinto, Jorge de
Talking about the British... In the UK pub opening hours are around the clock since a week or so...I think a pub owner could introduce his own AD and use this very interesting attribute for his customers.. ;-) I also looked if it had a cigar(s) attribute, but no luck! ;-) Jorge