Hello,
I do not understand your scenario correctly. If you had multiple DCs, and
you deleted one of them, the GPO will still be on the other DCs.
If you had a single DC, and you reinstalled it but forgot to export your
GPO, you can do that as you describe with the following modifications:
1.
Yea, all of the dc is SP1 installed long time back. There is few other NT4
trust in win2k3 domain, by not taking the risk, so we decided not to re-apply
again. Further, we've only a single domain, no child; policy settings are
identical among them.
Thanks for the info. However, the nt4 domain
Title: [ActiveDir] external trust between NT4 domain and windows 2003 fails
Nope, not virtualized, but HP proliant
and netserver machine. Read Joe's blog about the AD issue with vmware. But
it is not the scenario I have.
Best Regards,
Raynus Ky CHOO
Windows Administrator (ADSM/NT
the GPOs are part of your systemstate + sysvol backup. Assuming you only have
one DC, otherwise you'd still have everything on its replication partner DC.
when you restore the DC on another Win2003 installation, you don't have to make
this a DC prior to running your restore - just run a normal
both NTLM Authentication and This Organization are so called
well-known-security principals. They are added dynamically to the token of a
user when the users authenticate in their domain or across a trust.
However, they're not groups that you can read any memberships from like you can
with
most secure way is simply to remove any write-permissions
for SELF on user objects. This is best done prior to user creation by changing
the default security descriptor of the user-class object in the schema -
otherwise you're going to have to script the removal from all users since the
I am trying to design a full DR solution, but as I have never done one, I am sort of trying to compile a list of things which occur or I need to deal with on a daily basis and documenting a procedure for them. So far I have looked at processes for schema modification, I am now working on recovery
Todd, You mentioned 'potentially has the ability to create more problems' Could you outline the problems that are on your mind? I see Lag Sites as a solution to save the business money from purchasing a solution, but I still need to think about business risk if such a solution was to be
Guido, this is really useful information. I have a single domain forest so I feel comfortable with the Lag Site idea. With multi domain forest, I would assume the additional cost in maintaining this environment would justify the cost of purchasing a recovery solution. Your point about Forced
Frank - I'd also be interested to hear how others protect
themselves from forced replication in a lagsite - I'm sure most aren't aware
it's a potential risk in the first place. As mentioned below, an option
would be to automatically enable and disable the NIC of the respective lagsite
DC
I'm going to ask what may be a dumb question, but I can't find anything
on it in the literature. I am trying to get a better understanding of
how SYSVOL functions, and I think I've got a pretty decent idea. But
when it comes to Junction Points, I'm a bit mystified.
I have read the literature,
The problem with using NoMAS is that you are always chasing your tails. You
have to remember to run it often, and in the meantime, your exchange server
is being crippled by eventid 9548. The fix for this issue is more
process than technical.
You need to work out a termination process with your
On 3/3/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
When talking about a software solution to restore deleted objects I know
about:
Netpro's RestoreADmin
Quest's Recovery Manager for AD
I don't know the price of both products (I guess per managed object or
something like that) but
I meant the number of users in the AD.
Sorry for the confusion.
On 3/4/06, Irwan Hadi [EMAIL PROTECTED] wrote:
On 3/3/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
When talking about a software solution to restore deleted objects I know
about:
Netpro's RestoreADmin
Quest's
How Secure is a Domain Controller that is fully patched on a
default install of Windows 2003? When promoted the domain controller has
the two default policies, both of which are recommended not to be
modified. But there are things that could be done better for added
security. For example,
Boy that's an open question isn't it?
Books and white papers have been written on this issue alone.
I'd recommend that you grab the Threats and Countermeasures guide and
look at the Security Configuration Wizard.
See:
http://www.cisecurity.org/tools2/win2000/CIS_Win2003_DC_Benchmark_v1.2.pdf
Happy reading.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried
Also have a look at the Windows Server 2003 Security Guide, which contains
information and sample Group Policy templates for DCs.
http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en
Tony
-Original Message-
From: [EMAIL PROTECTED]