RE: [ActiveDir] GPO wierdness during forest migration

2006-05-17 Thread Nicolas Blank
or new. Not sure why ADMT would be any different however. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank Sent: Monday, May 15, 2006 11:26 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] GPO wierdness during forest migration

[ActiveDir] GPO wierdness during forest migration

2006-05-15 Thread Nicolas Blank
Hi all Migrating from one forest into another, one way trust treating the source as a resource forest. Migrating using Quest Migration Manager with Sidhistory. Weird thing is that on the users machine, gpresult gives me source and target GPO's as applied, however target GPO's are applying

RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003

2006-04-02 Thread Nicolas Blank
Haven't lurked on the list for a while, so apologies if I'm asking the answered, however: Bearing in mind the non-goals of the paper, i.e. Finding a precise database size at which the 64-bit version becomes more advantageous than the 32-bit version. Finding a precise amount of RAM to

RE: [ActiveDir] Exchange - ESM - All Address Lists and All Global Address Lists disappeared

2006-02-06 Thread Nicolas Blank
If objects disappear inside ESM, often the right to read the object or the right to read the permission of the object has been lost, mangled, whatever. You CAN expose this object using ADSIEDIT, by browsing to the config partition,services,exchange,orgname, which then exposes the top level

RE: [ActiveDir] ISA 2004 and Microsoft Cluster Server

2005-09-13 Thread Nicolas Blank
Don't bother going the clustering route. ISA has a very decent version of NLB that's built in, and will work in a highly available configuration for a single route. Adding clustering to this will obscure and complicate things. Suggest you stick with the built in NLB, since adjacent Proxy

RE: [ActiveDir] Finding user's with certain attributes

2005-09-01 Thread Nicolas Blank
Peter, Not trying to oversimplify things but a really easy way to find most attributes, is to put a really obvious value in the attrib for a specific user, and examine the object with LDP or ADSI edit afterwards and see what got populated. As such, there is no expiry date attrib that

RE: [ActiveDir] Native Mode Switch

2005-04-22 Thread Nicolas Blank
] On Behalf Of Jorge de Almeida Pinto Sent: 21 April 2005 01:17 PM To: 'Nicolas Blank '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org ' Subject: RE: [ActiveDir] Native Mode Switch As you know, changing the mode or FL switch to an upper level introduces new features. One of the consequences

RE: [ActiveDir] Native Mode Switch

2005-04-21 Thread Nicolas Blank
:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: 20 April 2005 09:07 PM To: 'Nicolas Blank '; Jorge de Almeida Pinto; 'ActiveDir@mail.activedir.org ' Subject: RE: [ActiveDir] Native Mode Switch Manually re-writing the attribute will not work. Also see: http://support.microsoft.com/kb/322692

RE: [ActiveDir] GC's

2005-04-20 Thread Nicolas Blank
Eric,Joe,Al,Carlos,Guido Question for you guys and the wider audience. What happens EXACTLY in Win2k on a DC(s) when the native mode switch is pushed, and what are the ramifications of changing the attribute back to reflect mixed mode once this has happened? I have a customer with a nervous

[ActiveDir] Native Mode Switch

2005-04-20 Thread Nicolas Blank
Sorry, hijacked the topic by mistake. Apologies. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank Sent: 20 April 2005 07:21 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC's Eric,Joe,Al,Carlos,Guido Question for you guys

RE: [ActiveDir] Native Mode Switch

2005-04-20 Thread Nicolas Blank
[mailto:[EMAIL PROTECTED] Sent: 20 April 2005 08:17 PM To: 'Nicolas Blank '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org ' Subject: RE: [ActiveDir] Native Mode Switch When you convert the domain to native mode the attribute nTMixedDomain on the domain NC head of the replica where the change

[ActiveDir] GPO's not getting there

2005-04-15 Thread Nicolas Blank
I have a customer with small links and 1200+ wan sites. Problem I'm having is that without local DC's GPO's aren't applied properly on the workstations on logon, and the workstations are not locked down. The customer is not willing to buy an extra 1200 dc's. Since WAN costs are a bit silly the

RE: [ActiveDir] Recover exchange database file

2005-04-15 Thread Nicolas Blank
Daniel, have to agree with Al. Depending on the state of these DB's you may have absolute garbage. If the DB shutdown in a dirty state and you don't have logs to replay - problem, means a hard recovery. If a hard recovery works you may only lose a little data. If a hard recover fails you have

RE: [ActiveDir] Double Email Messages

2005-03-16 Thread Nicolas Blank
Are you the only person experiencing this problem? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina Sent: 16 March 2005 11:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Double Email Messages No, no rules were reconfigured. From:

RE: [ActiveDir] LDAP dir syncproduct to AD

2005-03-08 Thread Nicolas Blank
help to differentiate. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Murray Wall Sent: Tuesday, March 08, 2005 6:45 AM To: ActiveDir@mail.activedir.org; Nicolas Blank Subject: RE: [ActiveDir] LDAP dir syncproduct to AD Nic, we have implemented

[ActiveDir] LDAP dir syncproduct to AD

2005-03-07 Thread Nicolas Blank
Hi all Anyone ever have to choose between Simple Sync and Imanami Directory Transformation Manager ? I'm talking to a mainframe via LDAP going to AD and on paper Imanami looks the better choice. Anyone have any recommendations either way? I've seen simple sync mentioned at least once on this list

RE: [ActiveDir] OT: Exchange mailbox diff tool

2005-01-26 Thread Nicolas Blank
What you should look for are corrupted messages. These will typically be exemplified either by messages that cannot be moved/opened or deleted. You might see event log entries either from the Exchange store or even from your backup software, complaining about messages that can't be opened or be

RE: [ActiveDir] Ladies and Gentleman, A complex AD/Exchange issue.

2004-11-08 Thread Nicolas Blank
Title: Ladies and Gentleman, A complex AD/Exchange issue. Sounds like a process winning over technology issue here: An inter-forest migration tool that will support a migration with Sid-history and offer an ACL cleanup should do the job. What you're looking for is a) Transparency for

RE: [ActiveDir] Delegation of group membership changes to add users and not to add other groups

2004-10-28 Thread Nicolas Blank
Title: Delegation of group membership changes to add users and not to add other groups a) third party provisioning tools, Quest/Aelita/Similar b) run a scheduled script to strip out groups within groups every fifteen minutes c) publicly beat a helpdesk employee to make an example of them

RE: [ActiveDir] What attribute determines the Schema Master Role?

2004-10-27 Thread Nicolas Blank
Further roles can be found on the fSMORoleOwner attribute on the following partitions: Primary Domain Controller (PDC) FSMO: LDAP://DC=MICROSOFT,DC=COM RID Master FSMO: LDAP://CN=Rid Manager$,CN=System,DC=Domain,DC=COM Schema Master FSMO: LDAP://CN=Schema,CN=Configuration,DC= Domain,DC=Com

RE: [ActiveDir] Maybe I'm just confused...

2004-09-29 Thread Nicolas Blank
Note the header below, Cyrus didn't specify a valid domain suffix for his email address, and as a result your mail clients/mail routing software are appending a domain. Received: from mail.activedir.org ([64.245.160.7]) Received: from ams004.ftl.affinity.com [216.219.253.138] by

RE: [ActiveDir] Exchange and AD E-mails

2004-08-03 Thread Nicolas Blank
You'll notice that those permissions on the store object aren't explicit, but inherited and to use Joe's exchange as an example are defined here: CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=rendition networks,DC=com As Allow DOMAIN\Exchange Domain Servers List Children, Read

RE: [ActiveDir] Deleted Objects container

2004-08-02 Thread Nicolas Blank
Do you want to view the container, or what's in it? The container can't be exposed to something like aduc, but can be viewed with LDP, etc, where an ACL edit of sorts can be done. If you're looking to display deleted objects, that's quite easy, look at this to start off with:

RE: [ActiveDir] AD and printer admins

2004-07-28 Thread Nicolas Blank
The easiest way of figuring out what rights you need to do anything on a member server, AD, service right delegation etc, etc, is to turn on auditing on success/failure and try what you're doing again. Read the security event log, and the rights that are missing are exposed in the failure log.

RE: [ActiveDir] Another question

2004-07-26 Thread Nicolas Blank
Neither one of them is more efficient but one is more compliant than the other to the X500 user definition. If you are interoperating with other directories or products with Directory Connectors, then of the InterOrgPerson is the preferred class of object to use for the sync job. This precludes

RE: [ActiveDir] Display specifier dsa.msc

2004-07-22 Thread Nicolas Blank
Cannot do this with Display specifier, you will have to create your own DLL to do this and register on every machine you want the extension to be visible. Have a look in the archive for this list for some detailed posts on this. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] HELP URGENT how to recover exch2000 admin account deleted

2004-06-01 Thread Nicolas Blank
Technology Tel.: +966-1-461-0077 x.209 Moble.: +966-509774015 Email: [EMAIL PROTECTED] Save Internet, Keep all the systems patched Web: http://alfaisaliah.com -Original Message- From: Nicolas Blank [mailto:[EMAIL PROTECTED]] Sent: Monday, 31 May 2004 8:17 PM To: [EMAIL PROTECTED

RE: [ActiveDir] exchange 5.5, active directory and ADC

2004-06-01 Thread Nicolas Blank
PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank Sent: 01 June 2004 10:39 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] exchange 5.5, active directory and ADC Yip, the AD container/OU is selectable whilst creating the recipient agreement connection. Suggest the first thing you

RE: [ActiveDir] Looking for a tool that displays SID

2004-05-31 Thread Nicolas Blank
Title: Looking for a tool that displays SID Bind to the object using the LDAP:// or the WINNT:// provider and output to screen as below, pipe it or write it where needed. Can't claim this as my own; source is Richard Mueller,

RE: [ActiveDir] HELP URGENT how to recover exch2000 admin account deleted

2004-05-31 Thread Nicolas Blank
Authoritative restore or if you can't recover this puppy, re-run forest prep and nominate another account. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clist Sent: 31 May 2004 06:20 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] HELP URGENT how to recover

RE: [ActiveDir] Users file permission display on intranet page or to file

2004-05-27 Thread Nicolas Blank
Title: RE: [ActiveDir] win98 Lots of third party tools to do this I did exactly this for a client the other day using Quest Reporter published to HTML, excel, whatever automatically collected into a DB for auditing was an auditing requirement for a health provider. File/folder mods

RE: [ActiveDir] Extending ADUC

2004-04-23 Thread Nicolas Blank
If you want to have something show up on the users property pages, then you need to register a handler to do so, see the MSDN link. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/extending_the_user_interface_for_directory_objects.asp for another view on this, see this

RE: [ActiveDir] User to InetOrgPerson Class

2004-04-21 Thread Nicolas Blank
I have chased MS on this for an official KB article without success. I have done this in production without any hassles though on exactly the same scenario you described: third party kit that likes inetorgPerson better than the user class. -Original Message- From: [EMAIL PROTECTED]

RE: [ActiveDir] Migration Dilemma

2004-04-16 Thread Nicolas Blank
SAMACCOUNTNAME - if old and new match then they can be considered the same. ADC does similar matching, although it can be extended to do matches on EX5.5 primary nt account to an AD accounts sidhistory. Since you've done script population, you need to match on a similar attribute. If nothing

RE: [ActiveDir] Migration Dilemma

2004-04-15 Thread Nicolas Blank
I have used Quest's migratory product in similar situations where the user base was populated, but all we wanted was symbolic linkage for groups, reacling and sidhistory, without disturbing what was there already, and nothing broke, including mail. I've also done a non ADC migrations using

RE: [ActiveDir] Making a test Network, 3 w2k srvs

2004-03-23 Thread Nicolas Blank
Exchange won't just not install. Have you got an error message? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jon Holstrom Sent: 23 March 2004 11:30 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Making a test Network, 3 w2k srvs Hello, I have 3 W2K Srv,

RE: [ActiveDir] [MailServer Notification]To Recipient file blocking settings matched and action taken.

2004-03-22 Thread Nicolas Blank
Calling Greg.. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Administrator Sent: 22 March 2004 07:38 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] [MailServer Notification]To Recipient file blocking settings matched and action taken. ScanMail for

RE: [ActiveDir] Gateway Serive For Netware (GSNW) in Windows 2003

2004-03-11 Thread Nicolas Blank
Hang on, in order to migrate groupwise accounts, you require visibility of groupwise, which may be achieved using the client, without resorting to installing gateway services. Why do you need the gateway ? Connecting Exchange to groupwise is achieved using the mail connector and not the gateway.

RE: [ActiveDir] AD Groups

2004-03-10 Thread Nicolas Blank
Another might be to check where the groups are being used. If they're used to secure file/print type resources and/or AD resources then they may be discovered using a decent reporting tool, i.e check if group X is used in AD anywhere, or is present on THAT server. You could explore this via

RE: [ActiveDir] OT: Exchange 2003 Hardening Guide

2004-03-09 Thread Nicolas Blank
Then there's the little gripe of. Publishing an Exchange attribute in MSDN and then UN-publishing it in oops style, after you find out you really really WANT to address this multi value attribute in a script, and not a one line GUI... *SIGH* -Original Message- From: [EMAIL

RE: [ActiveDir] Removing inherited mailbox persmissions on AD accounts

2004-02-25 Thread Nicolas Blank
SELF should DEFINITELY stay there ! IF an ACL shows inherited permissions then they generally come from the database object or the store object above it. Enable the showpermission regkey you saw posted earlier, and examine the database permissions and the store permissions. Also sidHistory won't

RE: [ActiveDir] Exchange 2003 Migration Question

2004-02-24 Thread Nicolas Blank
with the PST(s) but also migrate all the email in the PST back to Exchange. Thank you! Kent -Original Message- From: Nicolas Blank [mailto:[EMAIL PROTECTED] Sent: Friday, February 20, 2004 3:19 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Exchange 2003 Migration

RE: [ActiveDir] Extended Rights

2004-02-24 Thread Nicolas Blank
Title: Extended Rights You can do this in two places - you can edit dssec.dat as mentioned to expose extra rights or you can use ADSIEDIT which has no limitations. Drawback to editing dssec.dat is that you need to do it on all the machines you want to delegate from, and you need to know

RE: [ActiveDir] NT Member Server Migration to AD 2003

2004-02-23 Thread Nicolas Blank
Debbie, unless you want to take advantage of the features which the directory client provides, there's very little that needs doing to member server. I find that depending on what the servers are hosting, that re/acl-ing and moving them to the target domain is all that needs doing. Is there