[ActiveDir] GPO wierdness during forest migration

2006-05-15 Thread Nicolas Blank
Hi all Migrating from one forest into another, one way trust treating the source as a resource forest. Migrating using Quest Migration Manager with Sidhistory. Weird thing is that on the users machine, gpresult gives me source and target GPO's as applied, however target GPO's are applying inconsi

RE: [ActiveDir] GPO wierdness during forest migration

2006-05-17 Thread Nicolas Blank
is old or new. Not sure why ADMT would be any different however. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank Sent: Monday, May 15, 2006 11:26 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] GPO wierdness during forest

RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists" disappeared

2006-02-06 Thread Nicolas Blank
If objects "disappear" inside ESM, often the right to read the object or the right to read the permission of the object has been lost, mangled, whatever. You CAN expose this object using ADSIEDIT, by browsing to the config partition,services,exchange,orgname, which then exposes the top level objec

RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003

2006-04-02 Thread Nicolas Blank
Haven’t “lurked” on the list for a while, so apologies if I’m asking the answered, however: Bearing in mind the non-goals of the paper, i.e. ·  Finding a precise database size at which the 64-bit version becomes more advantageous than the 32-bit version. ·  Finding a precise am

RE: [ActiveDir] Maximum message size for Default SMTP Virtual Server !!

2005-06-21 Thread Nicolas Blank
yes. The max message size in KB is 400, however there are session size limits to take into account as well. The session size is the next field underneath the size field limits the size of the message sent per session, and therefore needs to be greater than the largest message size. You

RE: [ActiveDir] User with LDAP userPassword permissions

2005-07-19 Thread Nicolas Blank
Do this with ADSIEDIT – more permissions, no fiddling ;)   From: Dan Holme [mailto:[EMAIL PROTECTED] Sent: 19 July 2005 09:07 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] User with LDAP userPassword permissions   I didn’t see any responses to this… don’t know

RE: [ActiveDir] Hiding an OU

2005-07-22 Thread Nicolas Blank
Simplest solution is the one you mentioned. Otherwise you can set the third byte in the DSHEURISTICS attribute to 1, i.e. xx1 – leave the other two values alone, as they influence your ANR set and how search results get returned. This enables the list permission in AD. With this permissio

RE: [ActiveDir] Finding user's with certain attributes

2005-09-01 Thread Nicolas Blank
Peter, Not trying to oversimplify things – but a really easy way to find most attributes, is to put a really obvious value in the attrib for a specific user, and examine the object with LDP or ADSI edit afterwards and see what got populated.   As such, there is no expiry date attrib that

RE: [ActiveDir] ISA 2004 and Microsoft Cluster Server

2005-09-13 Thread Nicolas Blank
Don’t bother going the clustering route. ISA has a very decent version of NLB that’s built in, and will work in a highly available configuration for a single route. Adding clustering to this will obscure and complicate things. Suggest you stick with the built in NLB, since adjacent Proxy s

RE: [ActiveDir] Exchange 2003 Migration Question

2004-02-20 Thread Nicolas Blank
Title: Exchange 2003 Migration Question Kent There’s a number of factors you need to consider here, and three of the biggest ones that come to mind are co-existence, user profile re-pointing, and freezing the admin environment for the duration on one or both sides. You didn’t mention how

RE: [ActiveDir] NT Member Server Migration to AD 2003

2004-02-23 Thread Nicolas Blank
Debbie, unless you want to take advantage of the features which the directory client provides, there’s very little that needs doing to member server. I find that depending on what the servers are hosting, that re/acl-ing and moving them to the target domain is all that needs doing. Is there

RE: [ActiveDir] Exchange 2003 Migration Question

2004-02-24 Thread Nicolas Blank
profile connected with the PST(s) but also migrate all the email in the PST back to Exchange.   Thank you!   Kent -Original Message- From: Nicolas Blank [mailto:[EMAIL PROTECTED] Sent: Friday, February 20, 2004 3:19 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir

RE: [ActiveDir] Extended Rights

2004-02-24 Thread Nicolas Blank
Title: Extended Rights You can do this in two places  - you can edit dssec.dat as mentioned to expose extra rights or you can use ADSIEDIT which has no limitations. Drawback to editing dssec.dat is that you need to do it on all the machines you want to delegate from, and you need to know wh

RE: [ActiveDir] Removing inherited mailbox persmissions on AD ac counts

2004-02-25 Thread Nicolas Blank
SELF should DEFINITELY stay there ! IF an ACL shows inherited permissions then they generally come from the database object or the store object above it. Enable the showpermission regkey you saw posted earlier, and examine the database permissions and the store permissions. Also sidHistory won't b

RE: [ActiveDir] OT: Exchange 2003 Hardening Guide

2004-03-09 Thread Nicolas Blank
Then there's the little gripe of. Publishing an Exchange attribute in MSDN and then UN-publishing it in "oops" style, after you find out you really really WANT to address this multi value attribute in a script, and not a one line GUI... *SIGH* -Original Message- From: [EMAIL PROTEC

RE: [ActiveDir] AD Groups

2004-03-10 Thread Nicolas Blank
Another might be to check where the groups are being used. If they’re used to secure file/print type resources and/or AD resources then they may be discovered using a decent reporting tool, i.e check if group X is used in AD anywhere, or is present on THAT server. You could explore this via

RE: [ActiveDir] Gateway Serive For Netware (GSNW) in Windows 2003

2004-03-11 Thread Nicolas Blank
Hang on, in order to migrate groupwise accounts, you require visibility of groupwise, which may be achieved using the client, without resorting to installing gateway services. Why do you need the gateway ? Connecting Exchange to groupwise is achieved using the mail connector and not the gateway. A

RE: [ActiveDir] [MailServer Notification]To Recipient file blocking settings matched and action taken.

2004-03-22 Thread Nicolas Blank
Calling Greg.. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Administrator Sent: 22 March 2004 07:38 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] [MailServer Notification]To Recipient file blocking settings matched and action taken. ScanMail for Mi

RE: [ActiveDir] Making a test Network, 3 w2k srvs

2004-03-23 Thread Nicolas Blank
Exchange won’t just “not install”. Have you got an error message?   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jon Holstrom Sent: 23 March 2004 11:30 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Making a test Network, 3 w2k srvs   Hello, I have 3 W2K Srv,

RE: [ActiveDir] Migration Dilemma

2004-04-15 Thread Nicolas Blank
I have used Quest’s migratory product in similar situations where the user base was populated, but all we wanted was symbolic linkage for groups, reacling and sidhistory, without disturbing what was there already, and nothing “broke”, including mail. I’ve also done a non ADC migration’s usi

RE: [ActiveDir] Migration Dilemma

2004-04-16 Thread Nicolas Blank
SAMACCOUNTNAME - if old and new match then they can be considered the "same". ADC does similar matching, although it can be extended to do matches on EX5.5 primary nt account to an AD accounts sidhistory. Since you've done script population, you need to match on a similar attribute. If nothing mat

RE: [ActiveDir] User to InetOrgPerson Class

2004-04-21 Thread Nicolas Blank
I have chased Ms on this for an official KB article without success. I have done this in production without any hassles though on exactly the same scenario you described: third party kit that like inetorgPerson better than the user class. -Original Message- From: [EMAIL PROTECTED] [mailto:

RE: [ActiveDir] Extending ADUC

2004-04-23 Thread Nicolas Blank
If you want to have something show up on the users property pages, then you need to register a handler to do so, see the MSDN link. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/extending_the_user_interface_for_directory_objects.asp for another view on this, see this l

RE: [ActiveDir] dc print server security

2004-05-12 Thread Nicolas Blank
Services may be ACL'd directly, just like files, AD objects, etc. You can use subinacl.exe from win2k3 & win2k res kit http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en to achieve this. You can delegate the following rights on a service:

RE: [ActiveDir] Users file permission display on intranet page or to file

2004-05-27 Thread Nicolas Blank
Title: RE: [ActiveDir] win98 Lots of third party tools to do this – I did exactly this for a client the other day using Quest Reporter – published to HTML, excel, whatever automatically & collected into a DB for auditing – was an auditing requirement for a health provider. File/folder mod

RE: [ActiveDir] Looking for a tool that displays SID

2004-05-31 Thread Nicolas Blank
Title: Looking for a tool that displays SID Bind to the object using the LDAP:// or the WINNT:// provider and output to screen as below, pipe it or write it where needed.   Can’t claim this as my own –  source is Richard Mueller, http://groups.google.co.uk/groups?q=Function+HexStrToSidS

RE: [ActiveDir] HELP URGENT how to recover exch2000 admin account deleted

2004-05-31 Thread Nicolas Blank
Authoritative restore or if you can't recover this puppy, re-run forest prep and nominate another account. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clist Sent: 31 May 2004 06:20 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] HELP URGENT how to recover

RE: [ActiveDir] exchange 5.5, active directory and ADC

2004-06-01 Thread Nicolas Blank
Amit, Depending on how the accounts were created, it is possible to use the ADC to match accounts already existing in AD. If no match is found for a 5.5 mailbox, a duplicate account will be created in AD.  The default matching rule will match the 5.5 associated-NT-Account field to the AD a

RE: [ActiveDir] HELP URGENT how to recover exch2000 admin account d eleted

2004-06-01 Thread Nicolas Blank
Group Information Technology Tel.: +966-1-461-0077 x.209 Moble.: +966-509774015 Email: [EMAIL PROTECTED] "Save Internet, Keep all the systems patched" Web: http://alfaisaliah.com   -Original Message----- From: Nicolas Blank [mailto:[EMAIL PROTECTED]] Sent: Monday, 31 May 20

RE: [ActiveDir] exchange 5.5, active directory and ADC

2004-06-01 Thread Nicolas Blank
:[EMAIL PROTECTED] On Behalf Of Nicolas Blank Sent: 01 June 2004 10:04 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] exchange 5.5, active directory and ADC   Amit, Depending on how the accounts were created, it is possible to use the ADC to match accounts already existing in AD. If no match is

RE: [ActiveDir] exchange 5.5, active directory and ADC

2004-06-01 Thread Nicolas Blank
: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank Sent: 01 June 2004 10:39 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] exchange 5.5, active directory and ADC   Yip, the AD container/OU is selectable whilst creating the recipient agreement connection. Suggest the first

RE: [ActiveDir] Display specifier dsa.msc

2004-07-22 Thread Nicolas Blank
Cannot do this with Display specifier, you will have to create your own DLL to do this and register on every machine you want the extension to be visible. Have a look in the archive for this list for some detailed posts on this. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PR

RE: [ActiveDir] Another question

2004-07-26 Thread Nicolas Blank
Neither one of them is more "efficient" but one is "more compliant" than the other to the X500 "user" definition. If you are interoperating with other directories or products with Directory Connectors, then the InterOrgPerson is the preferred class of object to use for the sync job. This precl

RE: [ActiveDir] AD and printer admins

2004-07-28 Thread Nicolas Blank
The easiest way of figuring out what rights you need to do anything on a member server, AD, service right delegation etc, etc, is to turn on auditing on success/failure and try what you're doing again. Read the security event log, and the rights that are missing are exposed in the failure log. This

RE: [ActiveDir] Deleted Objects container

2004-08-02 Thread Nicolas Blank
Do you want to view the container, or what's in it? The container can't be exposed to something like aduc, but can be viewed with LDP, etc, where an ACL edit of sorts can be done. If you're looking to display deleted objects, that's quite easy, look at this to start off with: http://support.micros

RE: [ActiveDir] Exchange and AD E-mails

2004-08-03 Thread Nicolas Blank
You’ll notice that those permissions on the store object aren’t explicit, but inherited and to use Joe’s exchange as an example are defined here: CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=rendition networks,DC=com As     Allow    DOMAIN\Exchange Domain Servers   

[ActiveDir] LDAP dir syncproduct to AD

2005-03-07 Thread Nicolas Blank
Hi all Anyone ever have to choose between Simple Sync and Imanami Directory Transformation Manager ? I'm talking to a mainframe via LDAP going to AD and on "paper" Imanami looks the better choice. Anyone have any recommendations either way? I've seen simple sync mentioned at least once on this lis

RE: [ActiveDir] LDAP dir syncproduct to AD

2005-03-08 Thread Nicolas Blank
to sync? Passwords? Accounts? Questions like that should help to differentiate. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Murray Wall Sent: Tuesday, March 08, 2005 6:45 AM To: ActiveDir@mail.activedir.org; Nicolas Blank Subject: RE: [Acti

RE: [ActiveDir] Double Email Messages

2005-03-16 Thread Nicolas Blank
Are you the only person experiencing this problem? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina Sent: 16 March 2005 11:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Double Email Messages No, no rules were reconfigured.     From: [

[ActiveDir] GPO's not getting there

2005-04-15 Thread Nicolas Blank
I have a customer with small links and 1200+ wan sites. Problem I'm having is that without local DC's GPO's aren't applied properly on the workstations on logon, and the workstations are not locked down. The customer is not willing to buy an extra 1200 dc's. Since WAN costs are a bit silly the size

RE: [ActiveDir] Recover exchange database file

2005-04-15 Thread Nicolas Blank
Daniel, have to agree with Al. Depending on the state of these DB's you may have absolute garbage. If the DB shutdown in a dirty state and you don't have logs to replay - problem, means a hard recovery. If a hard recovery works you may only lose a little data. If a hard recover fails you have zero

RE: [ActiveDir] GC's

2005-04-20 Thread Nicolas Blank
Eric,Joe,Al,Carlos,Guido Question for you guys and the wider audience. What happens EXACTLY in Win2k on a DC(s) when the native mode switch is pushed, and what are the ramifications of changing the attribute back to reflect mixed mode once this has happened? I have a customer with a nervous disposi

[ActiveDir] Native Mode Switch

2005-04-20 Thread Nicolas Blank
Sorry, hijacked the topic by mistake. Apologies. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank Sent: 20 April 2005 07:21 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC's Eric,Joe,Al,Carlos,Guido Question for you guy

RE: [ActiveDir] Native Mode Switch

2005-04-20 Thread Nicolas Blank
[mailto:[EMAIL PROTECTED] Sent: 20 April 2005 08:17 PM To: 'Nicolas Blank '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org ' Subject: RE: [ActiveDir] Native Mode Switch When you convert the domain to native mode the attribute nTMixedDomain on the domain NC head o

RE: [ActiveDir] Native Mode Switch

2005-04-21 Thread Nicolas Blank
:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: 20 April 2005 09:07 PM To: 'Nicolas Blank '; Jorge de Almeida Pinto; 'ActiveDir@mail.activedir.org ' Subject: RE: [ActiveDir] Native Mode Switch Manually re-writing the attribute will not work. Also see: http://support.mic

RE: [ActiveDir] Native Mode Switch

2005-04-22 Thread Nicolas Blank
L PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: 21 April 2005 01:17 PM To: 'Nicolas Blank '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org ' Subject: RE: [ActiveDir] Native Mode Switch As you know, changing the mode or FL switch to an upper level introd

RE: [ActiveDir] Maybe I'm just confused...

2004-09-28 Thread Nicolas Blank
Note the header below, Cyrus didn't specify a valid domain suffix for his email address, and as a result your mail clients/mail routing software are appending a domain. Received: from mail.activedir.org ([64.245.160.7]) Received: from ams004.ftl.affinity.com [216.219.253.138] by mail.activedir.org

RE: [ActiveDir] What attribute determines the Schema Master Role?

2004-10-27 Thread Nicolas Blank
Further roles can be found on the fSMORoleOwner attribute on the following partitions: Primary Domain Controller (PDC) FSMO: LDAP://DC=MICROSOFT,DC=COM RID Master FSMO: LDAP://CN=Rid Manager$,CN=System,DC=Domain,DC=COM Schema Master FSMO: LDAP://CN=Schema,CN=Configuration,DC= Domain,DC=Com

RE: [ActiveDir] Delegation of group membership changes to add users and not to ad d other groups

2004-10-28 Thread Nicolas Blank
Title: Delegation of group membership changes to add users and not to add other groups a)   third party provisioning tools, Quest/Aelita/Similar b)   run a scheduled script to strip out groups within groups every fifteen minutes c)   publicly beat a helpdesk employee to make a

RE: [ActiveDir] Ladies and Gentleman, A complex AD/Exchange issue.

2004-11-08 Thread Nicolas Blank
Title: Ladies and Gentleman, A complex AD/Exchange issue. Sounds like a process winning over technology issue here: An inter-forest migration tool that will support a migration with Sid-history and offer an ACL cleanup should do the job. What you’re looking for is a)   Transparency f

RE: [ActiveDir] OT: Exchange mailbox diff tool

2005-01-26 Thread Nicolas Blank
What you should look for are corrupted messages. These will typically be exemplified either by messages that cannot be moved/opened or deleted. You might see event log entries either from the Exchange store or even from your backup software, complaining about messages that can't be opened or be bac