Title: Setting FFL=2 automatically when building first DC in forest
"Am hwyl, dwi am ymateb drwy beidio a dweud dim
byd mwy nag adlewyrchu dy bwynt!"
=
"Just for fun, I'll respond with an answer that
says nothing but simply illustrates your point."
- Original Message -
You simply need to install the Exchange Admin
tools on the system that you want these tabs. Therefore, in your case, you
should install them on your computer and possibly on a DC or two too (depending
on how you work).
--Paul
- Original Message -
From: HBooGz
To:
Check out Ryan's take on it...
-- http://dunnry.com/blog/msDsUserAccountControlComputedNotSoSpiffy.aspx
--Paul
- Original Message -
From: David Aragon [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 01, 2006 11:49 PM
Subject: [ActiveDir] Different (open)LDAP
Yeah, I'm in the same boat now. Got a requirement for fully autonomous DC
deployment with a largish DIT. Single domain forest so everything is GC. I
was frustrated to find out that one of the scripting guys told me that that
option didn't work. I plan on working round this by promoting the
Agree. Due to the number of servers some of
our guys have to look at virtualisation. I've said a flat no to the DCs
though. We're standardising on x64 with 32 GB RAM for our DCs.
There's no way we're going to take a perf hit because someone much further up
the chain wants fewer boxes.
I
The problem with this is delegating the ability
to support the remote systems. Possible of course -web based admin of the
VM, and all that, but usually a pain. And if done wrong...
--Paul
- Original Message -
From: Matt Hargraves
To: ActiveDir@mail.activedir.org
Are you talking about having Options minimised by default and educating
users to logon with UPN or domain\samaccountname syntax or are you talking
about actually modifying the list built by Winlogon?
There's probably a number of options. As Tony says you can modify the list
of domains
Write all properties is overkill! Joe'll go
wild when he sees that that is written in the MSFT delegation
guide... :P
I believe you require:
WRITE_PROP for name and
cn
Summarised, you're modifying the RDN.
--Paul
- Original Message -
From: O'Brien, Cathy
To:
Nice answer Steve. Thanks for the info. and
the KB.
- Original Message -
From: Steve Linehan
To: ActiveDir@mail.activedir.org
Sent: Friday, July 14, 2006 7:41 PM
Subject: RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS
I can't see how you can get a duplicate NDNC as the creation of such objects
is targeted at the DN master. The DN master will check the existing
crossRefs and stop this happening, as we can't rely on the DS stopping it as
the RDN is different for each NDNC (unless they've used well-known GUIDs
If you create a new domain in your forest for this requirement, and in the
future they are bought by another company, then your only supported option
is to migrate to the new or existing forest on the other side.
It is probably easier, and safer, to create a new forest with an external
trust.
The last place I worked, we used WinSSH for this
purpose. Trivial to set up and cheap (about $100/ £65). This allows
you to tunnel FTP and use Windows auth. There's also additional options to
allow some additional access control, e.g. only specific groups can use the
tunnel, etc.
If I
We team everything. It seems stupid not to. Use fault tolerance only (as
opposed to load balancing) and you've got additional resiliency. FT works
fine with different paths, e.g. different switches.
--Paul
- Original Message -
From: Freddy HARTONO [EMAIL PROTECTED]
To:
corruption issues (Taken from
the Directory Services Blueprint - page 29)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, July 13, 2006 13:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain
Title: Multihomed Domain Controllers
Couple of points. Most have probably been
covered, or read by you:
Clearly label the NICs, e.g. LAN00 and
BACKUP00.
Adjust the binding order so that LAN00 is above
BACKUP00.
If you don't require NetBT, disable it on
BACKUP00 (BackupExec will
You don't even need full control (an error in
Microsoft's documentation if you ask me). You just need create and delete
dHCPClass objects in that container.
You need to do this via ADSIEDIT, DSACLS, LDP or
code.
Note. If I remember correctly, some of the
behaviour changed between 2k and
Title: Kerberos MaxTokenSize and too many groups issues
You might also want to review this interesting
white paper:
-- http://www.microsoft.com/downloads/details.aspx?FamilyID=22dd9251-0781-42e6-9346-89d577a3e74a&DisplayLang=en
(that took me ages to find so please read it
;-)
--Paul
If you're running 2003 then I don't believe you
need to run /DOMAINPREP. That's only to do what it does for 2k
domains.
So it's just /FORESTPREP.
- Original Message -
From: Brian Desmond
To: ActiveDir@mail.activedir.org
Sent: Monday, April 03, 2006 4:01 PM
What are the options in the Winlogon box? You should only have the choice
of the NetBIOS domain name or the local box (and any trusted domains).
To use the DNS name you need to use a UPN.
--Paul
- Original Message -
From: Douglas M. Long [EMAIL PROTECTED]
To:
Morning all,
If we delete the NETLOGON.DNS file and restart NETLOGON it is recreated.
Where is it (NETLOGON) getting those values from?
Tell me it's not hard-coded and I can modify it somehow.
Thanks,
--Paul
List info : http://www.activedir.org/List.aspx
List FAQ:
file?
I hope I make sense??
Regards
David
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 26 Jan 2006 9:24
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NETLOGON.DNS
Morning all,
If we delete the NETLOGON.DNS file and restart
WP on the user object's userAccountControl
attribute.
is there any way to have these log files save things not by size, but by
day to ensure that tracking between the logs can be done? [I'm pretty sure
the answer is no, and the only thing we can do is bump the size of those
logs but I thought I'd
ask the blonde question anyway]
Yes. There are a
Only when it was last modified. Groups don't have passwords or the like.
Objects that have a group as an ACE in their ACL don't need to speak to
the group about it at all.
So you'd have to search for old groups by modified date. Or you could dump
all groups, their locations and modified
It's a good way of preparing management for what you want at the Christmas
party.
We also put quantity in there!
- Original Message -
From: Dean Wells [EMAIL PROTECTED]
To: Send - AD mailing list [EMAIL PROTECTED]
Sent: Wednesday, November 30, 2005 2:29 AM
Subject: RE: [ActiveDir]
Title: RE: [ActiveDir] AD Schema Attribute
Uhh..hmmm!
You're British, not American! Don't forget
about Wales! Cardiff has been on the news quite a bit - there's been that
much drunken violence...
- Original Message -
From: [EMAIL PROTECTED]
To:
I believe Joe's memberOf tool is what you are looking for:
-- http://joeware.net/win/free/tools/memberof.htm
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
They're being rebranded anyway. I believe
the DS guys at the summit said IIFP will become Active Directory Meta Directory
Services. Not sure if MIIS' name will change. Certificates and AD as
we know it are all going to be rebranded, in what would appear to be a much more
meaningful set of
Title: Message
I always do it this way:
-- Global group in source contains user
objects.
-- Domain Local in target is assigned
permissions to resource.
-- Global group is a member of the domain
local.
Throwing universal groups into this
mix is just silly.
Also, bear in mind there will
Logon as an administrator and take ownership of the drive. Then grant
adequate permissions again.
Reinstalling Windows will obviously fix it, but is a drastic measure.
- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sunday, October 16, 2005 5:43
Yep. Me too.
- Original Message -
From: Al Mulnick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sunday, October 16, 2005 6:38 PM
Subject: RE: [ActiveDir] Knowing when users were deleted.
I'd be interested to see that argument as well, Brett.
-Original
Title: Adding users to local Admin group
Doesn't matter. Computer policy is computer
policy. You can also simply link the GPO to the domain and filter it based
on another security group - one that simply holds the computer accounts in
question.
Here's an article on what you want to
do:
--
I believe the _msdcs sub domain is Microsoft/ Windows only. Non-Windows
clients will use _ldap._tcp.domain-name or _ldap._tcp.site
name._sites.domain-name.
- Original Message -
From: Almeida Pinto, Jorge de [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org;