[ActiveDir] Trouble adding a new server to an AD domain

2006-03-03 Thread Gene Sibbs
"I'm having trouble adding a new server to an AD domain. There are 20 servers on the network, all are Windows 2003. Three were domain controllers. One DC housing Infrastructure FSMO Role crashed. A new server was built. When trying to add it as a DC using dcpromo wizard we see: The Wizard is

RE: [ActiveDir] Trouble adding a new server to an AD domain

2006-03-03 Thread Ulf B. Simon-Weidner
Hi Gene, the Infrastructure Master is not the most critical role. However, if you have a backup of that system I'd recommend a restore of the Systemstate. If not, I'd seize the Infrastructure Master to another server, clean up the Active Directory from the remainders of the old server

Re: [ActiveDir] Trouble adding a new server to an AD domain

2006-03-03 Thread mike kline
Gene, When the DC crashed I assume you were never able to gracefully use dcpromo on it. What you need to do is follow the steps in this article http://support.microsoft.com/?kbid=216498 How to remove data in Active Directory after an unsuccessful domain controller demotion The new version of

RE: [ActiveDir] Trouble adding a new server to an AD domain

2006-03-03 Thread Gene Sibbs
Thank you for your response. Before I action your pointers. Could I please ask you to look at the dcdiag results below? C:\Program Files\Support Tools>dcdiag Domain Controller Diagnosis Performing initial setup: Done gathering initial info. Doing initial required tests

Re: [ActiveDir] Trouble adding a new server to an AD domain

2006-03-03 Thread mike kline
You need to seize the IM role because of what happened to your DC. Metadata cleanup (2k3 sp1) will do it or you can use these steps. http://support.microsoft.com/?id=255504 Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller Thanks Mike On 3/3/06, Gene Sibbs [EMAIL

Re: [ActiveDir] Trouble adding a new server to an AD domain

2006-03-03 Thread Gene Sibbs
Many thanks All. The seizure did the trick. Kindest Regards, Gene mike kline [EMAIL PROTECTED] wrote: You need to seize the IM role because of what happened to your DC. Metadata cleanup (2k3 sp1) will do it or you can use these steps. http://support.microsoft.com/?id=255504 Using

Re: [ActiveDir] Phantom Account Locks

2006-03-03 Thread AdamT
Thanks all for the help with this. Turned out he was logging on to his laptop locally, with the same username as his domain account, but with a different password. All sorted now. -- AdamT 'Thank-you for not requesting read receipts' List info : http://www.activedir.org/List.aspx List FAQ

RE: [ActiveDir] AD printer Auditing and logging

2006-03-03 Thread Navroz Shariff
You could always select the 'Keep printed documents' using the printer properties Window under the Advanced tab. Just be sure to give only authorized users to manage the printers under the security tab. Hope this helps. -Nav From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf

[ActiveDir] NTLM Authentication Security Principal

2006-03-03 Thread Rachui, Scott
I have an interest in finding out how many of the users in our primary forest are authenticating via NTLM instead of Kerberos. I know that in Windows 2003 there is a new well-known security principal called NTLM Authentication which dynamically contains the list of people who authenticated via

Re: [ActiveDir] NTLM Authentication Security Principal

2006-03-03 Thread Ryan A. Conrad
In the NTDS performance object there are two counters: NTLM Authentications and Kerberos Authentications. They wouldn't be able to tell you who is authenticating using those methods, but they would be able to provide a better idea. Both counters are in number of requests per second. Ryan On 3/3/06,

RE: [ActiveDir] NTLM Authentication Security Principal

2006-03-03 Thread John Roberts
If you are auditing logon events you can query the domain controller security logs for NTLM logon events. You'll need to use eventcombmt or some other utility to query all DCs for these events. Win2000 DCs record successful NTLM logons in event 680 and failed logons in event 681. Win2003 DCs

RE: [ActiveDir] NTLM Authentication Security Principal

2006-03-03 Thread Rachui, Scott
That would be helpful, but I was also thinking how useful it would be if I could somehow use that information to correlate back to which users were using NTLM so I could see if these were users that were running NT, XP, etc. Also, I could find out if certain lines of business were using

[ActiveDir] AD Lag Sites

2006-03-03 Thread Frank Abagnale
Single Forest, Single Domain, W2K3 FFL I am thinking about setting up a lag site for DR purposes. Just for clarification purposes, would I need a separate IP subnet i.e. IP subnet that isn't assigned to any other site in AD to create this? All my existing IP Subnets are assigned to existing

RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Almeida Pinto, Jorge de
well yes OR create subnet definitions of the IP addresses of the DCs... Let's say you have 2 DCs in the lag site and 4 in the "normal" site: DC01: 10.1.1.1/24 DC02: 10.1.1.2/24 DC03: 10.1.1.3/24 DC04: 10.1.1.4/24 DC05: 10.1.1.5/24 DC06: 10.1.1.6/24 For the DCs in the normal site you

RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread John Roberts
Here's a good explanation of the setup. http://www.windowsitpro.com/Windows/Articles/ArticleID/42932/pg/1/1.html You are required to somehow isolate the delayed servers in a unique site to control the replication window. The subnet scope can be as narrow as the IP address of the DC. The last

RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Ulf B. Simon-Weidner
As Jorge mentioned you do not have to follow your physical subnets for Lag-Sites. Usually you would use that as a guideline, but for lag-sites you can do a sub-subnetting. AD replication does not care about the physical structure or TCP/IP-Settings (Subnetmask, Def-Gateway) - it just cares

RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread neil.ruston
Ideally, you would place the DR DCs in a separate DR location (for obvious reasons) which would have its own set of subnets assigned. This approach caters for true DR as well as object recovery from a lag site. If not possible, then Jorge's approach will work (although true DR is not

RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Almeida Pinto, Jorge de
7 lag sites? holy sh*t! would it be much cheaper to use a solution that can undelete the deleted objects and restore (push back) the attributes? jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner Sent: Friday, March 03, 2006 16:59 To:

RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Brian Desmond
Pizza boxes are available from Dell for like under 2 grand rack rate most days, so that's probably questionable. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent:

RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Brian Desmond
You can also just define /32 aka host subnets. So you create Lag Site 1, and subnet 10.1.2.3 255.255.255.255 (the IP of your lag dc). Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.

RE: [ActiveDir] Windows Server mailing lists

2006-03-03 Thread Kennedy, Jim
I like this one: http://www.sunbelt-software.com/Community.cfm Couple down on the list, NTSYSADMIN. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana Sent: Thursday, March 02, 2006 9:46 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Windows

[ActiveDir] ADMT v3 Test Migration possible?

2006-03-03 Thread Joe Lagreca
I have just finished installing and configuring ADMT v3, and can't seem to find the option to do a Test Migration, just to see if the operation will work properly. This was possible with ADMT v2, but appears to be missing from v3. Can anyone verify this, or inform me how to do a test the

RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Tony Murray
I think Rick Kingslan did something like this with virtual machines. I'll ping him to see if he has any comment. Tony From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Saturday, 4 March 2006 5:17 a.m. To: ActiveDir@mail.activedir.org Subject: RE:

RE: [ActiveDir] ADMT v3 Test Migration possible?

2006-03-03 Thread Tony Murray
BTW, if anyone is interested, I have prepared a detailed how to for ADMT v3 installation. I can email it to anyone interested. I'm sure there would be a lot of interest in this. Why not put it up as an article on ActiveDir.org? All you need to do is register, log-in and you're ready to go.

RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Almeida Pinto, Jorge de
When talking about a software solution to restore deleted objects I know about: Netpro's RestoreADmin Quest's Recovery Manager for AD I don't know the price of both products (I guess per managed object or something like that) but I would be interested in knowing where the break even point is

[ActiveDir] external trust between NT4 domain and windows 2003 fails

2006-03-03 Thread raynus-ky_choo
Hi, Need help desperately to setup trust between NT4 and win2k3. I've error 'domain controller not found'. I'm pretty sure the name resolution for each other is fine (by lhmost), the trust was working before, however after it's broke, I can't re-establish again. Seen someone has the same

RE: [ActiveDir] external trust between NT4 domain and windows 2003 fails

2006-03-03 Thread Tony Murray
You might get more information if you run a network trace (e.g. using NetMon). Tony -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Saturday, 4 March 2006 8:21 a.m. To: ActiveDir@mail.activedir.org Subject: [ActiveDir] external

RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread David Adner
I think you're trying to compare apples and oranges. Yes, both solutions can help reduce the time it takes to perform a restore (give a specific scenario), but that's basically it. Lag sites are single snapshots based on the number of lag sites you deploy. The products you mention below are

RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Ulf B. Simon-Weidner
Think virtualisation - where I've implemented lag-sites they are running on VMs. The software-solutions I was looking at at this point were way more expensive than running 4 DCs virtualized on the same machine (1 root-dc and one account-dc per lag-site). I do not agree that lag-sites need

RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Myrick, Todd \(NIH/CC/DNA\) [E]
Agreed. Not a big fan of the Lag-Site, I think it potentially has the ability to create more problems. At least MS added some limited functionality in 2003, now if they would just finish the job in Vista this topic might go to rest. (Are you there Stewart?) I do see value in Creative

RE: [ActiveDir] external trust between NT4 domain and windows 2003 fails

2006-03-03 Thread Olivarez, Sergio J Mr ANOSC/FCBS
It's been a while, but I created a bunch of these a while back. First off, remove the trusts from both sides. Then reboot both the NT PDC and the 2003 PDCE. When they come back up try to establish the trust again. If it still fails then look at the tips below. Make sure that the

RE: [ActiveDir] Windows Server mailing lists

2006-03-03 Thread Alborzfard, Alex
Can you get me a free copy of VMware??!! :) I like the sunbelt site too. Alex Alborzfard From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana Sent: Thursday, March 02, 2006 9:46 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Windows Server

RE: [ActiveDir] external trust between NT4 domain and windows 2003 fails

2006-03-03 Thread Mark Parris
Is the w2k3 forest SP1? If so then the security settings in the default DC policy may have to be altered. I had this issue which caused me to roll back SP1 upgrades until I could resolve the trust issues between SP1 and NT4.0 the settings that had to change were not the ones detailed in the

Re: [ActiveDir] ADMT v3 Test Migration possible?

2006-03-03 Thread Joe Lagreca
Great idea. Unfortunately I don't have time to post them right now because I need to finish writing a few other documents. But will post them ASAP and send a message to the list letting everyone know. Have a good weekend. Joe On 3/3/06, Tony Murray [EMAIL PROTECTED] wrote: BTW, if anyone

Re: [ActiveDir] Windows Server mailing lists

2006-03-03 Thread Tom Kern
VMware has a free server product- http://www.vmware.com/products/server/ On 3/3/06, Alborzfard, Alex [EMAIL PROTECTED] wrote: Can you get me a free copy of VMware??!! :) I like the sunbelt site too. Alex Alborzfard From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alex

[ActiveDir] Disabled Accounts/Mail accepted

2006-03-03 Thread Cariglia, Daniel
Hello, A few years back we had changed the way we disabled AD user accounts from disabling the account to restricting logon hours (restricted 24x7) and hiding from GAL. We did this because mail sent to disabled accounts was getting rejected and the sender was getting a NDR. Also,

RE: [ActiveDir] Disabled Accounts/Mail accepted

2006-03-03 Thread Ion Gott
I believe this issue really depended on the permissions on the mailbox and the synchronization of the security attributes. I can't recall but I believe it did behave a bit different in Exchange 2000. I use NOMAS.exe to fix and sync the permissions when I enable/disable accounts. All my

RE: [ActiveDir] external trust between NT4 domain and windows 2003 fails

2006-03-03 Thread Ion Gott
Are any of these domain controllers on VMWARE? Ion From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED] Sent: Fri 3/3/2006 11:20 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] external trust

RE: [ActiveDir] Windows Server mailing lists

2006-03-03 Thread Brian Desmond
www.vmware.com under the VMWare Server section Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex Sent: Friday, March 03, 2006 3:49 PM To: ActiveDir@mail.activedir.org Subject:

RE: [ActiveDir] ADMT v3 Test Migration possible?

2006-03-03 Thread Grillenmeier, Guido
this feature was removed from ADMTv3 - the problem with the Test Migration feature has always been, that the test usually worked fine, but when you'd perform the same task productively, you'd run into various issues. no reason, to keep a feature that doesn't work. So MSFT decided to remove it.

[ActiveDir] Active Directory Backup

2006-03-03 Thread marwahashem
Dear All, We were having a Server As Domain Controller called DC1.Mydomain.com this server had several OU and each OU inside it, and it has a group Policy applied to it. we used to take the Backup of This server as :- 1- System State . 2- SYSVOL Folder. for some reasons, this server has

RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Grillenmeier, Guido
an important factor is missing in this discussion - the opportunity and costs for leveraging lagsites highly depends on your forest structure. Even though you can use virtualization to reduce the number of physical boxes required to host a DC in a lagsite, you still need to host at least one