Ask the PSS security guys and they want success and failure. Only
having half the story... is only half the story
Buy bigger hard drives and archive.
Sitton Glen E wrote:
I don't know that there is a 'general consensus' because everyone's
business needs differ. My environment has around 1
Your DIT will grow (size of photo) * (# of users). It’s
certainly doable and if you have some sort of business reason, consider doing
it, but, you could just as well store a path to a jpeg or something…
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
From:
[
The option chosen for my environment is:
c) Invest in a fancy log management system that will collect, index, and
retain all of your logs.
The product we employ is EventSentry
(http://www.eventsentry.com/features.php?FEATURE=EVENTLOG) Though not
that fancy but good enough to do what is needed.
Th
I don't know that there is a 'general consensus' because everyone's
business needs differ. My environment has around 100K users and you're
right, there's a ridiculously high volume of logon events. We set the
security log size very high on the domain controllers, and collect and
clear the securit
Have they actually captured a sniff of
this traffic while it’s going on? Is this actually AD replication
traffic? Or maybe something like the printer thing that was discussed
recently? Have you examined Sites & Services for other servers that are supposedly
talking with this server to see
Can anyone else get to the archives? Specifically, I was
looking for a thread from, I think, a couple of years ago where there was
discussion about storing (not storing?) employee pictures in AD. I am concerned
about how that attribute will grow our DIT. I seem to recall that maybe just
Depends on how much info you need but doing it through the native event
log in an environment of that size is nearly futile unless you have SAN
space and CPU cycles to burn, ours is 1/4 that size and I tried it and
did the calcs and its storage reqs were unbelievable. IIRC I was also
seeing more
--- Begin Message ---
We made every domain controller (80+) in our forest a GC. We did this because
if a link went down, we wanted each DC to be able to hold its own. Maybe this
wasn't such a good plan?
From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Se
That may work, but it sort of falls under option b. The logs will grow
so large that they will become unmanageable. I did some calculations
and it works out to be about 1TB a year.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Wednes
One more thing to add. If you want to see why we are
building the topology the way we are you can use ADLB in verbose reporting mode
and it will help you determine why the selections were made. You can of
course download ADLB from microsoft.com.
Thanks,
-Steve
From:
The following documentation describes this in detail: http://technet2.microsoft.com/WindowsServer/en/library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx
Read-only and Writable Replicas
When computing the replication topology, the KCC must consider
whether a replica is writable or re
No.
GCs can replicate partitions that they don't own to other GCs. They can't
replicate them to DCs for the domains in question, but they *can* replicate
their read-only partitions to other GCs.
Laura
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David
Cliffe
I have a pretty small site, and this probably won't scale very well, but
I have a script scheduled to run every day at midnight that backs up the
security log to a compressed folder & clears it. I have the log size set
ridiculously high, so it doesn't rollover unexpectedly.
dtmThisDay = Day(Date)
That should be "GCs cannot replicate
partitions they don't own" right?
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Laura A. Robinson
Sent: Wednesday, August 30, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/cost
Hi Rezuma,
You would want to perform a metadata cleanup through NTDSUTIL to remove
the child domain.
~Ben
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Wednesday, August 30, 2006 1:57 PM
To: ActiveDir@mail.activedir.org
Subject: [Acti
Is it
a GC? If so, then yes, that's to be expected. You may have *thought* that you
gave it only one replication partner, but if you're seeing additional connection
objects, then it has more than one replication partner. When planning
replication, you must be aware of every partition that th
What is the general consensus on logging successful logon events?
For example if you have a domain with 100K users or so and you use AD as
your primary authentication service for: application, file, email, and
web access then it is plausible that you will end up with up to 100 log
entries per seco
Hello Victor,
yes, the on resume allows displaying no error message if the folder exists
already, it will exit in error, saying nothing...
It's dirty, I know, but it does the job we pay for !!
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
Wednesday, August 30, 2006, 10:44:57 PM, you w
He said that it *isn't* enabled...
_
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, August 30, 2006 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs
You have site link bridging enabled so
Hi,
We had a DC that was taken out of AD without being demoted. That DC was
also the only domain controller for that child domain, child.domain.com
I want to remove entirely that domain from the AD, any ideas on the steps
I should follow?
I don't have access to that DC, so I can't do a clean remov
In order to move an object in DS, you need the following three permissions:
1) DELETE_CHILD on the source container or DELETE on the object being moved
2) WRITE_PROP on the object being moved for two properties: RDN (name) and CN
(or whatever happens to be the rdn attribute for this class, i.e.
Hello Victor,
sorry.
Here is the working for the Root folder:
On Error Resume Next
set olApp = CreateObject("Outlook.Application")
set inbox = olApp.GetNamespace("MAPI").getDefaultFolder(6).Parent
set temp5 = inbox.folders.add("Added by vbscript",6)
Regards,
Mathieu CHATEAU
http://lordofthepin
http://blog.joeware.net/2005/07/17/48/
M@
On 8/30/06, David Cliffe <[EMAIL PROTECTED]> wrote:
Hi Jim,
Yes, I have found this to be
true...there is no "move object" delegation. We have to use the
create and delete. I wonder if that will change in future (I have a
feeling it's been me
Hi Jim,
Yes, I have found this to be
true...there is no "move object" delegation. We have to use the
create and delete. I wonder if that will change in future (I have a
feeling it's been mentioned here several times before, but can't
remember).
-DaveC
From: [EMAIL PROTECTE
Yep, you need to manually create site
links between sites to control what replication connections get created. For example
create a site link between the HUB site and the site with slow bandwidth. This
will only allow replication connections to be created with DCs in those two
sites.
Am I correct that to delegate moving user accounts from
OU to OU I will have to allow them the ability to delete accounts? It appears
accounts work similar to documents, a move is really a copy then delete.
You have site link bridging enabled so this is quite plausible...
From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ
Sent: Wed 8/30/2006 1:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs
It's a Windows 2000 na
Are these manual or automatically generated connection
objects? If automatic, were they created back when bridge all site links
was enabled? If so, if you delete them, do they come back? Do the
site links only have 2 sites, the remote and its designated hub, or do they have
multiple sites
It's a Windows 2000 native domain, we're about 4 upgrades
from having all Win2k3 DCs and from what I've read, that should help a lot with
replication.
Automatic site link bridging isn't enabled, and we have 0
site link bridges.
We're a worldwide company with 3 main hubs, but it is a
mes
Thanks for this Mathieu, the script which creates the folder under the inbox
works well.
To create it in the root must be a little more complex because this doesn't
work yet.
When I fire up the script it prompts me with the following error:
Error: Object doesnt support this property or method:
'ol
Is this a hub and spoke or are there multiple levels of hub & spoke...costs
don't always make much if any difference.
Intervals vary by business requirements, link speeds & saturations, etc. I've
run everything from 15 minutes to certain days of the week...
--brian
__
Intervals vary by company, domain structure, network topology and latency
tolerances. That said, there is nothing inherently wrong with the replication
parameters you list below. Are they the best parameters for your environment?
That depends. Is this a Windows 2000 environment? Is automatic
We
have about 80 AD sites with DCs. All sites are set for a cost of 100 on
the site to site replication, and a replication interval of 15 minutes.
I'm presuming this is probably not a good thing.
One
slow bandwidth site is complaining that their DC is talking to every DC in the
domain
Yes, but you can exclude machines which don't have printers attached.
Don't know what your network is like but most of our machines don't have
a local printer - they're networked from servers - so the standard
browse list has loads of machines which don't have printers.
Steve
-Original Messag