Active Directory 0702

Re: I cant put a Group in a Group ??

Re: ifmember.exe bat script fails due to perms...

RE: listing windows 2000 domains

Re: Login restriction

Re: LSASS.exe consuming 100% of CPU on Windows 2003 DC/GC

Re: migration planning, need suggestions/advice

Re: Netlogon Errors

Re: NT Domain to AD migration

Re: Planning to Deploy SP2 on Windows Server 2003 with AD (GC)

Re: Possible GPO Setting Failure

Re: Printer not publishing in Directory?

Re: R2 Schema Extension

RE: redirection My Documents

Re: Remote Desktop connection


From: Phillip Drummond <w@s.com>

To: none

Subject: Re: I cant put a Group in a Group ??

Date: 09/27/2007 12:06:50

Google and learn the differences between global groups and domain local groups.

"steve" <stevesemple@lycos.com> wrote in message

news:1190910758.608600.58960@50g2000hsm.googlegroups.com...

> Through some advice on this group I'm trying to stop all but administrators and specific users and groups from being able to log on to a couple of computers.

> This means that I go to

> Start / Programs / Administrative Tools / Local Security Policy

> Then /Security Settings / Local Policies / User Rights Assignments and remove Users from the Logon Locally Profile and then add the groups and/or users I specifically want to access this computer.

> I have tested this by removing users and then specifically adding user joe1 and it works great.

> In our small school, for our purposes we have two groups, staff and students.

> We want staff to be able to access this computer and just a few students.

> I thought it would make sense to create a group in AD called Library and then add to that group all the groups and users that I want to have access to that computer.

> However I can't seem to add the group Staff to the Library group. When I search for groups it only finds the built-in groups, not any of the groups that we created.

> I don't understand this.

> Can't I add a security group that I created to another group? This would mean that whenever I put the Library group into permissions properties it would include staff and other individuals that I explicitly put in it?

> Thanks

>

 


From: steve <stevesemple@lycos.com>

To: none

Subject: Re: I cant put a Group in a Group ??

Date: 09/27/2007 14:26:59

OK, I pulled out my book and did some reading. I have never quite understood this, but I think what you are saying is:

I would appreciate some feedback on whether I'm right. A Global Group can have users added and I suppose Universal Groups added, but it can't have other Global groups added. I need to create a Local Group and then add the Global groups to it. Am I right on that?

 

I have read several articles on it but still have not got my head

around it.

 

Thanks.

 

From: steve <stevesemple@lycos.com>

To: none

Subject: Re: I cant put a Group in a Group ??

Date: 09/27/2007 15:01:34

Actually I misspoke.

 

Global Groups Cannot be added to Local Groups

 

Local Groups CAN be added to Global Groups

 

 

From: Richard Mueller [MVP] <rlmueller-nospam@ameritech.nospam.net>

To: none

Subject: Re: I cant put a Group in a Group ??

Date: 09/27/2007 20:25:29

"steve" <stevesemple@lycos.com> wrote in message

news:1190923294.629122.29670@50g2000hsm.googlegroups.com...

> Actually I misspoke.

>

> Global Groups Cannot be added to Local Groups

>

> Local Groups CAN be added to Global Groups

 

Assuming the domain is not in Windows 2000 Mixed Mode:

Global groups can:

1. Have user accounts and global groups (in the same domain) as members.

2. Be members of universal and domain local groups in any domain, and global groups in the same domain.

Domain Local groups can:

1. Have users, global groups, and universal groups from any domain as members, and domain local groups from the same domain.

2. Be members of domain local groups in the same domain.

Universal groups can:

1. Have users, global groups, and universal groups from any domain as members.

2. Be members of domain local and universal groups in any domain.

If you are in Windows 2000 Mixed Mode the only group nesting allowed is: global groups can be members of domain local groups.

 

--

Richard Mueller

Microsoft MVP Scripting and ADSI

Hilltop Lab - http://www.rlmueller.net

--
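The nesting rules in Richard Mueller's reply, written out as a small checker so a proposed membership can be validated before it is tried in ADUC. This is an added example, not code from the thread or from its posters; the SCHOOL/OTHER domain names and the Staff/Library groups are constructed to mirror the original question.

```python
"""Group-nesting validator built from the rules in the reply above.

Added example, not code from the original thread. Group names, domains and
the proposed memberships below are constructed for illustration.
"""
from dataclasses import dataclass

GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "global", "domain local", "universal"


@dataclass(frozen=True)
class Group:
    name: str
    domain: str
    scope: str


def can_nest(member: Group, container: Group, mixed_mode: bool = False) -> bool:
    """Return True if `member` may be made a member of `container`.

    Encodes the "can be members of" half of the rules; the "can have as
    members" half is the same relation seen from the container's side.
    """
    same_domain = member.domain == container.domain
    if mixed_mode:
        # Windows 2000 Mixed Mode: only global -> domain local nesting.
        return member.scope == GLOBAL and container.scope == DOMAIN_LOCAL
    if member.scope == GLOBAL:
        # Global: into universal/domain local anywhere, global only in-domain.
        if container.scope in (UNIVERSAL, DOMAIN_LOCAL):
            return True
        return container.scope == GLOBAL and same_domain
    if member.scope == DOMAIN_LOCAL:
        # Domain local: only into domain local groups of the same domain.
        return container.scope == DOMAIN_LOCAL and same_domain
    if member.scope == UNIVERSAL:
        # Universal: into domain local and universal groups in any domain.
        return container.scope in (DOMAIN_LOCAL, UNIVERSAL)
    raise ValueError(f"unknown scope {member.scope!r}")


def explain(member: Group, container: Group, mixed_mode: bool = False) -> str:
    """Human-readable verdict for one proposed nesting."""
    verdict = "allowed" if can_nest(member, container, mixed_mode) else "NOT allowed"
    mode = "mixed mode" if mixed_mode else "native mode"
    return (f"{member.scope} {member.domain}\\{member.name} -> "
            f"{container.scope} {container.domain}\\{container.name}: {verdict} ({mode})")


# Constructed scenario modelled on the original question: a Staff global
# group nested into a Library group that will later be granted a logon right.
STAFF = Group("Staff", "SCHOOL", GLOBAL)
LIBRARY_GLOBAL = Group("Library", "SCHOOL", GLOBAL)
LIBRARY_DL = Group("Library", "SCHOOL", DOMAIN_LOCAL)
OTHER_DL = Group("Library", "OTHER", DOMAIN_LOCAL)

if __name__ == "__main__":
    for container in (LIBRARY_GLOBAL, LIBRARY_DL, OTHER_DL):
        print(explain(STAFF, container))
        print(explain(STAFF, container, mixed_mode=True))
```

Running it shows that Staff (global) can go into a global Library group in the same domain in native mode but not in mixed mode, where a domain local Library group is the only container that works.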

 

 

From: alazarevich@gmail.com <alazarevich@gmail.com>

To: none

Subject: Re: ifmember.exe bat script fails due to perms...

Date: 09/26/2007 10:45:41

Never mind, it was some other problem; stupid on my part. ifmember.exe works fine.

 

On Sep 25, 8:22 pm, "alazarev...@gmail.com" <alazarev...@gmail.com>

wrote:

> Hi,

>

> On an NT4 PDC (server1), the following NETLOGON batch script runs

> fine:

>

> \\server1\NETLOGON\ifmember.exe "DOMAIN\Projects"

> if errorlevel 1 (

>    net use /delete p:

>    net use p: \\samba-server\projects

> )

>

> That same batch script on a 2003 AD domain controller fails with:

>

> System error 1314 has occurred.

> A required privilege is not held by the client.

>

> Other parts of the script run fine, so it's not an issue with the script running. What is the actual privilege that I need to give? ifmember.exe already has R+X, so I'm guessing 2003 AD has some restrictions on the group policy objects that I need to allow access to by a regular domain user. What is that policy object, and what are the perms I need to give?

>

> I really prefer not to use VB or anything complicated. All I need are simple batch scripts to do a couple of simple group checks and mount shares if needed.

>

> Thanks in advance!

>

> Alex

 

 

From: Thylo <Thylo@discussions.microsoft.com>

To: none

Subject: RE: listing windows 2000 domains

Date: 09/27/2007 22:25:01

Hi TDR,

 

Do you have multiple domains and domain controllers? Or is it a single

domain with only one domain controller or only 2003 domain controllers?

 

If it is a single domain with only 2003 domain controllers, then the 2003 domain will be an "upgraded" version of the 2000 domain. If you still have a 2000 domain controller it will still need to be running in mixed mode, rather than "Windows Server 2003" functionality mode. If it is still in mixed mode and you only have Windows 2003 domain controllers, it can be safely changed to native mode.

 

To check, go to AD Users and Computers, right-click on your domain and click

on "Properties." You should get your answer on the "General" tab.

 

Hope that helps,

--

Leigh

MCSE (NT4, 2000)

"TDR" wrote:

 

> Hi, I'm wondering if it is possible to list the Windows 2000 domains that exist on a Windows 2003 server. Would they show in Active Directory if the upgrade (which was done by an external IT person 2 years ago, who was managing our network and who is now not available) was completed properly?

>

> How do I determine what steps were not completed during the upgrade?

>

> Thanks,

 

 

From: Chris M <nobody@nowhere.special>

To: none

Subject: Re: Login restriction

Date: 09/26/2007 10:28:23

NH wrote:

> Is it possible to restrict login on a computer for 1 username ?

> if yes, how can I do that ?

> Thanks.

 

You can change the computer's local security policy and add the username

to the 'Deny logon locally' policy setting.

 

Make sure that the changes won't get overwritten by a group policy from

the domain. Alternatively you could put the computer into its own OU and

apply a domain GPO to that.

 

Cheers,

 

Chris.

 

 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Login restriction

Date: 09/26/2007 12:17:37

Hi

You want to allow only one person to log on to a given computer?

As Chris said, you can achieve this by using a GPO, but what about the admins? They should be allowed to log on to all computers for troubleshooting, workstation maintenance, etc. (administrative tasks).

or

You want a given user account to be allowed to log on to only one computer in the domain?

If this is your objective, then you can use the user account property "Allow log on to..." in AD to restrict the machine(s) where the user is allowed to log in.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services
 

 

From: NH <nh@noreply.com>

To: none

Subject: Re: Login restriction

Date: 09/26/2007 13:55:56

I want to allow only 1 user (and members of the domain administrator group) to log on to 12 different computers. If another user tries to log on to one of these computers, access must be denied.

 

 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Login restriction

Date: 09/26/2007 14:48:33

In that case you can use the GPO option provided by me and Chris.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

 

 

From: NH <nh@noreply.com>

To: none

Subject: Re: Login restriction

Date: 09/27/2007 06:26:36

And what options should I choose in the GPO to be able to do what I want?

Thanks for your support.

 

 

From: Chris M <nobody@nowhere.special>

To: none

Subject: Re: Login restriction

Date: 09/27/2007 08:18:13

NH wrote:

> And what options should I choose in GPO to be able to do what I want ?

> Thanks for your support.

 

Put the 12 computers into their own OU in Active Directory and create a

new GPO linked to that OU.

 

In the GPO, go to Computer Configuration -> Windows Settings -> Security

Settings -> Local Policies -> User Rights Assignment

 

Define the 'Log on locally' setting to only include the Domain Admins

group and the user that you wish to allow access.

 

When your computers refresh their policy (doing gpupdate /force on each

machine will do it immediately), the settings will be in place.

 

Hope this helps.

 

--

Chris.
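After the GPO in Chris's steps has applied, the resulting "Log on locally" assignment can be verified on each machine rather than assumed. The following audit is an added example, not code from the thread: it parses the INF written by `secedit /export /cfg <file>` and compares `SeInteractiveLogonRight` (the "Allow log on locally" right) with the intended allow-list, flagging the lockout risk Jorge raised when no administrators group holds the right. The INF text and all SIDs below are constructed placeholders.

```python
"""Audit an exported local security policy for the 'Log on locally' right.

Added example, not code from the original thread. The sample INF mimics the
[Privilege Rights] section of a `secedit /export` file; the domain SID and
RIDs are constructed placeholders, not values from any real domain.
"""
import re

# Constructed sample export. Real exports list each account as *SID.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-32-545
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

BUILTIN_ADMINISTRATORS = "S-1-5-32-544"   # well-known BUILTIN\Administrators
BUILTIN_USERS = "S-1-5-32-545"            # well-known BUILTIN\Users
DOMAIN_ADMINS_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-512")  # Domain Admins RID 512


def parse_privilege_rights(inf_text: str) -> dict[str, list[str]]:
    """Return {privilege: [SID, ...]} from the [Privilege Rights] section."""
    rights: dict[str, list[str]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Entries look like *S-1-5-32-544; strip the leading asterisk.
        sids = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
        rights[name.strip()] = sids
    return rights


def audit_logon_locally(inf_text: str, allowed: set[str]) -> dict[str, list[str]]:
    """Compare SeInteractiveLogonRight with an allow-list of SIDs.

    'unexpected': granted but not in the allow-list (policy drift or
    an overwrite by another GPO); 'missing': allowed but not granted;
    'warnings': conditions worth a second look before the policy is trusted.
    """
    granted = set(parse_privilege_rights(inf_text).get("SeInteractiveLogonRight", []))
    result: dict[str, list[str]] = {
        "unexpected": sorted(granted - allowed),
        "missing": sorted(allowed - granted),
        "warnings": [],
    }
    has_admins = BUILTIN_ADMINISTRATORS in granted or any(
        DOMAIN_ADMINS_RE.fullmatch(s) for s in granted
    )
    if not has_admins:
        result["warnings"].append("no Administrators/Domain Admins group holds the right")
    if BUILTIN_USERS in granted:
        result["warnings"].append("BUILTIN\\Users still holds the right")
    return result


# Constructed allow-list: Domain Admins plus the single permitted user.
ALLOWED = {
    "S-1-5-21-1111111111-2222222222-3333333333-512",   # Domain Admins
    "S-1-5-21-1111111111-2222222222-3333333333-1105",  # the one allowed user
}

if __name__ == "__main__":
    for key, items in audit_logon_locally(SAMPLE_INF, ALLOWED).items():
        print(f"{key}: {items}")
```

On the sample, BUILTIN\Users is still present, which is exactly the state the thread describes before Users is removed from the right; the script reports it both as unexpected and as a warning.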

 

 

From: NH <nh@noreply.com>

To: none

Subject: Re: Login restriction

Date: 09/27/2007 12:37:28

Thank you very much.

 

 

From: Jeff Flack <jeffflack@hotmail.com>

To: none

Subject: Re: LSASS.exe consuming 100% of CPU on Windows 2003 DC/GC

Date: 09/26/2007 10:47:08

Download some diagnostic tools, Handle in particular. Get the PID and then run Handle on it from the command line. It should give you a little more info. For instance, I was able to see that Windows Update (SUS, rather) was killing me by running Handle.

 

Cheers

flack-

 

"David" <david.fike@gmail.com> wrote in message

news:1190816388.906574.55550@g4g2000hsf.googlegroups.com...

> Hello all,

>

>     This issue of mine has already been resolved for the time being,

> but I was hoping someone might be able to identify what caused the

> issue to begin with. What I've got here is:

>

> A Windows 2003 SP1 Domain Controller that is also a Global Catalog. It

> is not holding any of the FSMO roles in our domain/forest. Early

> yesterday, I discovered that the LSASS.exe process was spiking with

> 85%-100% usage of the CPU. It maintained this level all throughout the

> day and into the evening. I disconnected the NIC and the LSASS process

> immediately dropped to its normal usage (2%-4%) and I left the NIC

> disconnected for 30 minutes. After reconnecting the NIC, the process

> immediately resumed its spike. I decided to install SP2 on this

> server, and after the installation and reboot LSASS had dropped a

> little bit to about 70%-80% sustained CPU usage. However, when I came

> in this morning I saw that LSASS has dropped back down to its normal

> levels sometime in the middle of the night and it appears to be

> remaining at normal levels. There are no unusual events in the Event

> Log, and the other GC in this domain was not experiencing any issues.

> I was hoping someone might be able to tell me what the cause of this

> may have been and why it seemed to work itself out. Thanks!

>

 

 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: migration planning, need suggestions/advice

Date: 09/26/2007 12:29:34

Hi

Check inline:

> getting down to the wire now so i need to make final decisions...

> currently have 3 forests, each with 1 domain. 1 domain has an exchange

> org.

> need to consolidate all of this into a new forest with a new exchange org.

Ok.

 

> the new forest will be a simple one with only a secure root domain, and an

> HQ child domain.

Secure root domain? What is that?

 

> so the users and machines from the current 3 domains will be moved into

> the HQ domain.

It doesn't sound like a good option to have a child domain with that description.

 

> does everyone recommend ADMT?

ADMT is good and easy to implement.

 

> if so what gotchas can i expect?

The best thing is to test it, but in most situations everything goes well.

 

> can ADMT handle this job easily?

Yes.

 

> how will existing mailboxes be handled?

You didn't mention anything about Exchange in the second forest, but you can use the Exchange migration tool to migrate the mailboxes to the other forest and then connect the mailboxes to the user accounts. You can get more detail about this on the MS web site or in the Exchange newsgroups.

 

> is there true domain synchronization?

No. It is an object migration.

 

> when its over is the new domain a mess that needs tons of cleanup?

You only migrate what you want to, so you shouldn't need to clean anything up after migration.

 

> i have done several very large migrations but have always used Quest

> tools. i am not familiar with ADMT.

Download the ADMT white paper and test it in a lab.

 

> if someone with experience could give me a VERY high level step by step as

> to what order i should do things in,

> based on your experience, i would greatly appreciate it.

Everything is on the MS web site, including how to use that tool.

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

 

 

From: Phillip Drummond <w@s.com>

To: none

Subject: Re: migration planning, need suggestions/advice

Date: 09/26/2007 12:46:50

Thank you. Yes, the root domain will exist solely to hold child domains. There will be no users or computers in the root domain.

Does ADMT include the Exchange migration piece, or is this a separate tool? The new forest will have a new Exchange org.

 

 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: migration planning, need suggestions/advice

Date: 09/26/2007 12:56:33

> thank you. yes, the root domain will exist solely to hold child domains.

> there will be no users or computers in the root domain.

In my opinion this is a bad design, and all it does, "according to your needs", is waste resources, hardware and people.

 

> does ADMT include the exchange migration piece or is this a separate tool?

> the new forest will have a new exchange org

It is a separate tool; it comes with Exchange.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

 

 

From: Phillip Drummond <w@s.com>

To: none

Subject: Re: migration planning, need suggestions/advice

Date: 09/26/2007 13:06:20

the root/child design allows for growth and delagation of rights at the

domain level. its actually a microsoft recommended design for the type of

growth we expect

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

news:uRdJOaGAIHA.5868@TK2MSFTNGP05.phx.gbl...

>> thank you. yes, the root domain will exist solely to hold child domains.

>> there will be no users or computers in the root domain.

> In my opinion this is a bad design, and all it does "according with your

> needs" is a waste of resources, hardware and people.

>

>> does ADMT include the exchange migration piece or is this a separate

>> tool?

>> the new forest will have a new exchange org

> Is a separate tool, comes with exchange.

>

> --

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services


 


From: Phillip Drummond <w@s.com>

To: none

Subject: Re: migration planning, need suggestions/advice

Date: 09/26/2007 13:53:11

With ADMT in my configuration, will I have to migrate one domain at a

time to the target domain, or can I do multiple? If only one, how do you

recommend I go about this so that there are no permission problems while one

domain is migrated and others are not?

"Phillip Drummond" <w@s.com> wrote in message

news:edyXGgGAIHA.3400@TK2MSFTNGP03.phx.gbl...

> The root/child design allows for growth and delegation of rights at the

> domain level. It's actually a Microsoft-recommended design for the type of

> growth we expect.


 


From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: migration planning, need suggestions/advice

Date: 09/26/2007 15:01:47

Inline:

> The root/child design allows for growth and delegation of rights at the

> domain level. It's actually a Microsoft-recommended design for the type of

> growth we expect.

I don't see the need. You can do delegation at the top root domain; you

don't gain anything by having child domains to do that. Remember, domains are

not security boundaries; only forests are.

 

> With ADMT in my configuration, will I have to migrate one domain at a

> time to the target domain, or can I do multiple? If only one, how do you

> recommend I go about this so that there are no permission problems while

> one domain is migrated and others are not?

http://www.microsoft.com/downloads/details.aspx?FamilyId=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en

http://www.microsoft.com/downloads/details.aspx?familyid=D99EF770-3BBB-4B9E-A8BC-01E9F7EF7342&displaylang=en

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"Phillip Drummond" <w@s.com> wrote in message

news:edyXGgGAIHA.3400@TK2MSFTNGP03.phx.gbl...

> The root/child design allows for growth and delegation of rights at the

> domain level. It's actually a Microsoft-recommended design for the type of

> growth we expect.


 


From: Phillip Drummond <w@s.com>

To: none

Subject: Re: migration planning, need suggestions/advice

Date: 09/27/2007 08:16:02

The design allows for true separation during mergers and acquisitions...

most companies, when bought out, don't want to become an OU in someone else's

domain. So this allows us to create child domains for them, and allow them

to simply control their own domain without having to granularly delegate

rights at the OU level... make sense?

 

How does ADMT handle mailboxes? Or doesn't it? In other words, when I migrate

a user, will their mailbox be created in the new domain, or will I have to

either manually create a mailbox for every user, or use Exchange migration

tools after the user is migrated?

 

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

news:%23KsjMgHAIHA.5752@TK2MSFTNGP02.phx.gbl...

> Inline:

>> The root/child design allows for growth and delegation of rights at the

>> domain level. It's actually a Microsoft-recommended design for the type of

>> growth we expect.

> I don't see the need. You can do delegation at the top root domain; you

> don't gain anything by having child domains to do that. Remember, domains

> are not security boundaries; only forests are.

>

>> With ADMT in my configuration, will I have to migrate one domain at a

>> time to the target domain, or can I do multiple? If only one, how do you

>> recommend I go about this so that there are no permission problems while

>> one domain is migrated and others are not?

> http://www.microsoft.com/downloads/details.aspx?FamilyId=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en

> http://www.microsoft.com/downloads/details.aspx?familyid=D99EF770-3BBB-4B9E-A8BC-01E9F7EF7342&displaylang=en

> --

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services


 


From: kj [SBS MVP] <KevinJ.SBS@SPAMFREE.gmail.com>

To: none

Subject: Re: migration planning, need suggestions/advice

Date: 09/27/2007 13:39:17

Phillip Drummond wrote:

> The design allows for true separation during mergers and

> acquisitions... most companies, when bought out, don't want to become

> an OU in someone else's domain. So this allows us to create child

> domains for them, and allow them to simply control their own domain

> without having to granularly delegate rights at the OU level... make

> sense?

 

The forest empty root domain faded from popularity when the true AD security

boundary (forest) was understood. Many "recommendations" remain in MS KBs

that are really obsolete. If you have a TAM, you could be eligible for a

free MCS AD design review, which would be well worth your while. You have

alternative choices for your design objectives.

 

>

> How does ADMT handle mailboxes? Or doesn't it? In other words, when I

> migrate a user, will their mailbox be created in the new domain, or

> will I have to either manually create a mailbox for every user, or

> use Exchange migration tools after the user is migrated?

 

ADMT doesn't migrate anything Exchange. You will need to use Exchange

migration tools, Exchange version dependent.

 


 

--

/kj

 


From: Technical <Technical@discussions.microsoft.com>

To: none

Subject: RE: Netlogon Errors

Date: 09/27/2007 12:43:06

Looks like a connectivity problem. Check the important services and the DNS entry.

 

"Jeff" wrote:

 

> On several servers this morning I was unable to login and received the

> following message:

>

> Event Type: Error

> Event Source: NETLOGON

> Event Category: None

> Event ID: 5719

> Date:  9/27/2007

> Time:  8:16:32 AM

> User:  N/A

> Computer: Server

> Description:

> This computer was not able to set up a secure session with a domain

> controller in domain <mydomain> due to the following:

> Not enough storage is available to process this command.

> This may lead to authentication problems. Make sure that this computer is

> connected to the network. If the problem persists, please contact your

> domain administrator.

>

> ADDITIONAL INFO

> If this computer is a domain controller for the specified domain, it sets up

> the secure session to the primary domain controller emulator in the

> specified domain. Otherwise, this computer sets up the secure session to any

> domain controller in the specified domain.

>

> For more information, see Help and Support Center at

> http://go.microsoft.com/fwlink/events.asp.

> Data:

> 0000: 17 00 00 c0               ...À

>

>

> There were also corresponding events related to the browser service:

>

> Event Type: Warning

> Event Source: BROWSER

> Event Category: None

> Event ID: 8021

> Date:  9/27/2007

> Time:  4:58:47 AM

> User:  N/A

> Computer: Server

> Description:

> The browser service was unable to retrieve a list of servers from the

> browser master \\browsemaster on the network

> \Device\NetBT_Tcpip_{ACFFABF0-6F47-49AC-A2F4-74B69CA04954}.

>

>  Browser master: \\browsemaster Network:

> \Device\NetBT_Tcpip_{ACFFABF0-6F47-49AC-A2F4-74B69CA04954}

>

>  This event may be caused by a temporary loss of network connectivity. If

> this message appears again, verify that the server is still connected to the

> network. The return code is in the Data text box.

>

> For more information, see Help and Support Center at

> http://go.microsoft.com/fwlink/events.asp.

> Data:

> 0000: 34 00 00 00               4...

>

>

> How do I troubleshoot this?

>

> Thanks,

>

> Jeff
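Added example, not code posted in the thread: a PowerShell triage script for the two events Jeff quotes, covering the service and DNS checks this reply suggests and the non-paged pool check Al Mulnick suggests in the next reply. It assumes PowerShell 2.0 or later on the affected server, run elevated; the service, counter and process property names are standard Windows names, while `mydomain.example` is a placeholder for the domain named in the 5719 event.

```powershell
# Added triage script; not code from the thread. Assumes PowerShell 2.0 or later,
# run elevated on the member server that logged the events. $Domain is a
# placeholder for the DNS name of the domain shown as <mydomain> in the event.
param([string]$Domain = 'mydomain.example')

# --- 1. Decode the "Data:" bytes the event log shows -----------------------
# The four bytes are a little-endian 32-bit status code, so "17 00 00 c0"
# is 0xC0000017 = STATUS_NO_MEMORY, the NTSTATUS behind the text
# "Not enough storage is available to process this command".
function ConvertFrom-EventDataHex {
    param([string]$HexBytes)   # e.g. '17 00 00 c0' exactly as printed in the event
    $bytes = [byte[]]($HexBytes.Trim() -split '\s+' | ForEach-Object { [Convert]::ToByte($_, 16) })
    '0x{0:X8}' -f [BitConverter]::ToUInt32($bytes, 0)
}
ConvertFrom-EventDataHex '17 00 00 c0'   # NETLOGON 5719 -> 0xC0000017
ConvertFrom-EventDataHex '34 00 00 00'   # BROWSER 8021  -> 0x00000034 (Win32 error 52)
# Win32 codes such as the browser one can be resolved to text locally:
(New-Object ComponentModel.Win32Exception(52)).Message

# --- 2. How often, and on which hosts, is this happening? ------------------
# Get-EventLog reads the classic System log, so it works on 2003-era hosts.
$since = (Get-Date).AddHours(-24)
Get-EventLog -LogName System -Source NETLOGON, BROWSER -After $since |
    Where-Object { $_.EventID -eq 5719 -or $_.EventID -eq 8021 } |
    Select-Object TimeGenerated, Source, EventID, MachineName |
    Format-Table -AutoSize

# --- 3. Services a secure channel depends on --------------------------------
# Netlogon, the Workstation service (SMB client), DNS Client, and the Computer
# Browser that raised 8021. Any of these stopped explains the symptom.
Get-Service Netlogon, LanmanWorkstation, Dnscache, Browser -ErrorAction SilentlyContinue |
    Format-Table Name, Status -AutoSize

# --- 4. DNS: can this host locate a domain controller? ---------------------
# Netlogon finds a DC through the _ldap SRV record under _msdcs; if that
# lookup fails, no secure channel can be set up regardless of memory.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain"
nltest "/dsgetdc:$Domain"
# State of the secure channel itself:
Test-ComputerSecureChannel -Verbose

# --- 5. Kernel pool usage (what Performance Monitor would show) ------------
# "Not enough storage" with plenty of free disk often means non-paged pool
# exhaustion; list the current pool sizes and the processes holding the most.
$mem = Get-WmiObject Win32_PerfFormattedData_PerfOS_Memory
'Pool Nonpaged: {0:N1} MB   Pool Paged: {1:N1} MB' -f ($mem.PoolNonpagedBytes / 1MB), ($mem.PoolPagedBytes / 1MB)
Get-Process |
    Sort-Object NonpagedSystemMemorySize64 -Descending |
    Select-Object -First 10 Name, Id, @{ n = 'NonPagedKB'; e = { [int]($_.NonpagedSystemMemorySize64 / 1KB) } } |
    Format-Table -AutoSize
```

The decode step is the part most people skip: the 5719 data word is an NTSTATUS, which `Win32Exception` cannot resolve, so it is mapped by hand in the comment, while the 8021 data word is a plain Win32 error code that the local system can translate. If step 5 shows non-paged pool climbing between runs and one process dominating the list, the leak Al describes is the likelier cause than the network; if steps 3 and 4 fail, start with connectivity and DNS as this reply suggests.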

 


From: Al Mulnick <amulnick_No_SPAM@ncDOTrr.com>

To: none

Subject: Re: Netlogon Errors

Date: 09/27/2007 12:52:52

Did you get any patches lately? New applications?

Have any LAN issues lately? Any other changes?

 

You may be able to get past it just with a simple reboot to allow whatever

changed to fully install.  If the error persists, you may want to have a

closer look.  Performance monitor might be a good place to start looking for

resource leaks, especially in non-paged memory.

 

Al

 

"Jeff" <jeffpoling@yahoo.com> wrote in message

news:uM70%23DSAIHA.4844@TK2MSFTNGP02.phx.gbl...

> On several servers this morning I was unable to log in and received the

> following message:

>

> Event Type: Error

> Event Source: NETLOGON

> Event Category: None

> Event ID: 5719

> Date:  9/27/2007

> Time:  8:16:32 AM

> User:  N/A

> Computer: Server

> Description:

> This computer was not able to set up a secure session with a domain

> controller in domain <mydomain> due to the following:

> Not enough storage is available to process this command.

> This may lead to authentication problems. Make sure that this computer is

> connected to the network. If the problem persists, please contact your

> domain administrator.

>

> ADDITIONAL INFO

> If this computer is a domain controller for the specified domain, it sets

> up the secure session to the primary domain controller emulator in the

> specified domain. Otherwise, this computer sets up the secure session to

> any domain controller in the specified domain.

>

> For more information, see Help and Support Center at

> http://go.microsoft.com/fwlink/events.asp.

> Data:

> 0000: 17 00 00 c0               ...À

> There were also corresponding events related to the browser service:

>

> Event Type: Warning

> Event Source: BROWSER

> Event Category: None

> Event ID: 8021

> Date:  9/27/2007

> Time:  4:58:47 AM

> User:  N/A

> Computer: Server

> Description:

> The browser service was unable to retrieve a list of servers from the

> browser master \\browsemaster on the network

> \Device\NetBT_Tcpip_{ACFFABF0-6F47-49AC-A2F4-74B69CA04954}.

>

> Browser master: \\browsemaster Network:

> \Device\NetBT_Tcpip_{ACFFABF0-6F47-49AC-A2F4-74B69CA04954}

>

> This event may be caused by a temporary loss of network connectivity. If

> this message appears again, verify that the server is still connected to

> the network. The return code is in the Data text box.

>

> For more information, see Help and Support Center at

> http://go.microsoft.com/fwlink/events.asp.

> Data:

> 0000: 34 00 00 00               4...

> How do I troubleshoot this?

>

> Thanks,

>

> Jeff
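Both events quoted above end with "The return code is in the Data text box", and that box holds the code as a little-endian DWORD: the NETLOGON bytes `17 00 00 c0` are the NTSTATUS value 0xC0000017, which matches the "Not enough storage" text and is the memory-exhaustion condition Al suggests chasing with Performance Monitor. The following is an added example for this thread (not code from Jeff, Al or Microsoft) that parses pasted event text, rebuilds the DWORD and classifies it; the lookup tables are a small constructed subset of the public NTSTATUS and Win32 error lists, and the sample events are constructed to mirror the ones quoted here.

```python
"""Decode the raw status word in a Windows event's "Data" box.

Added example for this thread (not code from Jeff, Al or Microsoft).
The event text says the return code is in the Data box; that box holds
the code as a little-endian DWORD, so the bytes "17 00 00 c0" are the
value 0xC0000017. The lookup tables below are a small constructed subset
of the public NTSTATUS and Win32 error lists.
"""
import re

# Constructed lookup: only the codes this example needs to explain.
KNOWN_NTSTATUS = {
    0xC0000017: "STATUS_NO_MEMORY: not enough storage is available to process this command",
}
KNOWN_WIN32 = {
    52: "ERROR_DUP_NAME: a duplicate name exists on the network",
    53: "ERROR_BAD_NETPATH: the network path was not found",
}

# A hex-dump line looks like "0000: 17 00 00 c0        ...À": a 4-digit
# offset, single-space-separated byte pairs, a wide gap, then the ASCII column.
DUMP_LINE = re.compile(r"^([0-9a-fA-F]{4}):\s+(.*)$")
HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_event_data(event_text):
    """Return the bytes listed under 'Data:' in a pasted event body.

    Leading '>' quote markers (as in a newsgroup reply) are ignored.
    """
    raw = bytearray()
    for line in event_text.splitlines():
        line = line.lstrip("> ").rstrip()
        m = DUMP_LINE.match(line)
        if not m:
            continue
        # The ASCII rendering is separated from the bytes by two or more spaces.
        hex_part = re.split(r"\s{2,}", m.group(2).strip())[0]
        tokens = hex_part.split()
        if tokens and all(HEX_BYTE.match(t) for t in tokens):
            raw.extend(int(t, 16) for t in tokens)
    return bytes(raw)


def decode_status(data):
    """Interpret the first four Data bytes as a little-endian status DWORD.

    Values with the two top bits set (0xC...) are NTSTATUS error codes;
    small values are plain Win32 error codes, which is how the Browser
    service reports its return code.
    """
    if len(data) < 4:
        raise ValueError("need at least 4 bytes of event data")
    code = int.from_bytes(data[:4], "little")
    if code & 0xC0000000 == 0xC0000000:
        return {"code": code, "kind": "NTSTATUS",
                "name": KNOWN_NTSTATUS.get(code, "unknown NTSTATUS")}
    return {"code": code, "kind": "Win32",
            "name": KNOWN_WIN32.get(code, "unknown Win32 error")}


def decode_event(event_text):
    """Parse and decode in one step; returns the decode_status() dict."""
    return decode_status(parse_event_data(event_text))


# Constructed samples that mirror the two events quoted in the thread.
NETLOGON_5719 = """> Event ID: 5719
> Description:
> This computer was not able to set up a secure session with a domain
> controller in domain <mydomain> due to the following:
> Not enough storage is available to process this command.
> Data:
> 0000: 17 00 00 c0               ...À
"""

BROWSER_8021 = """Event ID: 8021
Description:
The browser service was unable to retrieve a list of servers from the
browser master \\\\browsemaster on the network
Data:
0000: 34 00 00 00               4...
"""

if __name__ == "__main__":
    for label, text in (("NETLOGON 5719", NETLOGON_5719), ("BROWSER 8021", BROWSER_8021)):
        r = decode_event(text)
        print(f"{label}: 0x{r['code']:08X} ({r['kind']}) {r['name']}")
```

Paste the whole event body (quote markers and all) into `decode_event`; a code whose name is unknown to the table still comes back with its numeric value and kind, which is what you need to search the error-code reference.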

 



 

From: Charles Woolever <info@existingstations.com>

To: none

Subject: Re: NT Domain to AD migration

Date: 09/25/2007 16:20:18

Right now we're upgrading to W2K. You mention 2003. Is the process the

same?

 

Charles

 

In article <#KkHFqw$HHA.5360@TK2MSFTNGP03.phx.gbl>,

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote:

 

> Hi

> * Backup the Servers.

>

> * Take at least one BDC Offline (In case of UPGRADE FAILURE you always can

> promote it to a PDC). The only drawback to this method is that all changes

> that were made while the safe BDC was offline are lost. To minimize this

> loss, you could periodically turn the safe BDC on and off (when the domain

> is in a stable state) during the upgrade process, to update its safe copy of

> the directory.

>

> To convert the BDC to a PDC: Start -> Programs -> Administrative Tools ->

> Server Manager -> Select the BDC, then go to the Computer Menu -> choose

> Promote to primary Domain Controller.

>

> * Make sure that the Hardware and apps meet the requirements.

>

> * Make sure that all Apps installed are compatible with W2K3 and don't cause

> problems with the upgrade process or post-upgrade process.

>

> * Run from command prompt:

>

> Cdsource\I386\winnt32.exe /checkupgradeonly

>

> - Before Upgrade:

>

> * You can install a new computer (more powerful), make it a BDC, SYNCHRONIZE

> and promote it to PDC and then perform the upgrade on the new PDC.

>

> * Windows 2000/XP always prefer Kerberos authentication, so if the newly

> upgraded NT4 to Windows 2003 goes down (Offline), the client machines won't

> be able to authenticate in the domain.

>

> * If this is the case, before upgrading the NT4 PDC, make the necessary

> changes on the registry (NT4Emulator). If the NT4Emulator is configured on

> the new PDC, and you want to upgrade the existing BDCs, you also need to

> create a registry entry on the BDCs (NeutralizeNT4Emulator) before the

> upgrade.

>

> Check:

>

> Windows 2000-based clients connect only to the domain controller that was

> upgraded from Windows NT 4.0 in a mixed-mode domain

>

> http://support.microsoft.com/?kbid=284937

>

> How to prevent overloading on the first domain controller during domain

> upgrade

>

> http://support.microsoft.com/kb/298713/

>

> Once all domain controllers are upgraded, remove the registry settings

> created in the previous steps.

>

> Note: This sometimes may not be needed, e.g. if all existing BDCs will be soon

> upgraded to Windows 2003.

>

> - Dns Planning:

>

> Prior to beginning the upgrade from Windows NT Server 4.0 to the Windows

> Server 2003 Active Directory service, ensure that you have designed a DNS

> and Active Directory namespace and have either configured DNS servers or are

> planning to have the Active Directory Installation Wizard automatically

> install the DNS service on the domain controller.

>

> Active Directory is integrated with DNS in the following ways:

>

> Active Directory and DNS have the same hierarchical structure. Although

> separate and implemented differently for different purposes, an

> organization's namespace for DNS and Active Directory have an identical

> structure. For example, microsoft.com is both a DNS domain and an Active

> Directory domain.

>

> DNS zones can be stored in Active Directory. If you are using the Windows

> Server DNS service, primary zone files can be stored in Active Directory for

> replication to other Active Directory domain controllers.

>

> Active Directory uses DNS as a locator service, resolving Active Directory

> domain, site, and service names to an IP address. To log on to an Active

> Directory domain, an Active Directory client queries its configured DNS

> server for the IP address of the Lightweight Directory Access Protocol

> (LDAP) service running on a domain controller for a specified domain.

>

> While Active Directory is integrated with DNS and they share the same

> namespace structure, it is important to distinguish the basic difference

> between them:

>

> DNS is a name resolution service. DNS clients send DNS name queries to their

> configured DNS server. The DNS server receives the name query and either

> resolves the name query through locally stored files or consults another DNS

> server for resolution. DNS does not require Active Directory to function.

> Active Directory is a directory service. Active Directory provides an

> information repository and services to make information available to users

> and applications. Active Directory clients send queries to Active Directory

> servers using LDAP. In order to locate an Active Directory server, an Active

> Directory client queries DNS. Active Directory requires DNS to function.

>

> If you use BIND DNS servers, make sure that you have BIND 8.1.2

>

> - Supports: Srv records, Dynamic Updates, Doesn't Support Secure Dynamic

> Updates (this is one disadvantage over the MS DNS servers, and

> represents security issues).

>

> - Create Primary Zone

>

> If Use 2003 DNS

>

> * Create Primary Zone

>

> * You can use a pre-existing DNS or you can create it during the upgrade

> process.

>

> * Convert to AD-Integrated.

>

> * NetDiag /fix (This is an extra measure, to register the necessary dns

> records).

>

> Check:

>

> Troubleshooting DNS

>

> http://technet2.microsoft.com/windowsserver/en/library/e42d510a-443d-4c31-96da-f66a67a89d861033.mspx?mfr=true

>

> How to Verify the Creation of SRV Records for a Domain Controller

>

> http://support.microsoft.com/?id=241515

>

> Verify DNS server responsiveness using the nslookup command

>

> http://technet2.microsoft.com/windowsserver/en/library/f8761f04-d665-4507-9509-ebb92bbb66ef1033.mspx?mfr=true

>

> - The Upgrade.

>

> * Check if you're on the PDC -> Start -> Programs -> Administrative Tools ->

> Server Manager. Right click on Network Neighborhood -> check the name.

>

> Run from command prompt:

>

> Cdsource\I386\winnt32

>

> * The first server running Windows NT Server 4.0 that you must upgrade is

> the primary domain controller (PDC), then you upgrade all remaining BDCs. To

> check if you're on the PDC: Start -> Programs -> Administrative Tools ->

> Server Manager.

>

> Check:

>

> How To Upgrade a Windows NT 4.0-Based PDC to a Windows Server 2003-Based

> Domain Controller

> http://support.microsoft.com/?id=326209

>

> If you don't have windows 2000 (Only NT4 and Windows 2003) in the domain

> choose the FFL (Forest Functional Level) Windows 2003 interim.

>

> * Make sure that your DCs' DNS properties point to the right DNS server (usually

> the DC is also a DNS server, so it must point to itself).

>

> * Once you have upgraded the Windows NT Server 4.0 and earlier PDC, you can

> proceed to upgrade all remaining BDCs.

>

> * Make sure that you have 1 GC per site (GCs are needed unless: you only

> have one domain, or the DFL is prior to Windows 2000 or Windows 2003).

>

> * Make sure that network clients point to the Network DNS server only

> (Usually the DC).

>

> * If everything is OK, and if all DCs are already Windows 2003, now

> it's time to remove the registry entries (NT4Emulator,

> NeutralizeNT4Emulator), and make the DFL and FFL Windows 2003.

>

> Verifying Active Directory Installation

>

> http://technet2.microsoft.com/WindowsServer/en/Library/3d157c1a-5c80-...

>

>

> Migrating from Windows NT Server 4.0 to Windows Server 2003

>

> http://www.microsoft.com/downloads/details.aspx?FamilyID=e92cf6a0-76f...

> Upgrading from Windows NT Server 4.0

> http://www.microsoft.com/windowsserver2003/upgrading/nt4/default.mspx

>

>

> --

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services

> "Charles Woolever" <info@existingstations.com> wrote in message

> news:info-386A50.20013724092007@news-server.rochester.rr.com...

> > I'm helping a small company move from an NT Domain to active directory.

> > I've prepped a few things. Some added details:

> >

> > 1) 1 PDC and 3 BDCs. All 4 have NT4. PDC and 1 BDC are too old to

> > upgrade to W2K Server. One BDC on a "newer" machine will get promoted to

> > a PDC (old PDC demoted). Old PDC will be left running as a member. Old

> > BDC will get turned off. This leaves "newer" PDC and "newer" BDC.

> >

> > 2) Two "newer" machines will be upgraded to W2K Server. The PDC will

> > have AD enabled.

> >

> > 3) My understanding is that the wizard for AD will see that it was a PDC

> > and "convert" things over.

> >

> > 4) The current domain for NT is..."NT_DOMAIN". I assume that AD will

> > want the domain that is used in Internal DNS and what externally is

> > used, abcde.com. How will the wizard convert users from "NT_DOMAIN" to

> > abcde.com? The suffix used all over already is abcde.com. I was using

> > BIND on a Linux box and I'm converting over to MS DDNS for AD and

> > dynamic support.

> >

> > 5) Domain is a simple domain, no tree or forests. No branch offices. It

> > actually serves them fine but they want to upgrade to a better Exchange

> > and SQL version. All other servers are already W2K. Desktops are W2K and

> > XP Pro.

> >

> > This is a small company with minimal use of servers. There is a file

> > server with permissions set via groups for that. There is no print

> > server; printers are accessed via TCP/IP. They have Exchange 5.5 SP4.

> > Once they move to AD, then they are going to upgrade to Exchange 2003. I

> > know I need the AD connector from the W2K server CD for Exchange. There

> > is also WINS and DHCP on W2K server.

> >

> > One other possible issue is a MS SQL 6.5 server that handles a financial

> > package. My understanding is they have talked to the company who made

> > the software and they are stuck with 6.5. They are looking at purchasing

> > a new package ($10K+) but are stuck right now with SQL6.5.

> >

> > I'd love to hear some tips and suggestions for getting migrated over.

> > What to do first, etc.?

> >

> > Thanks,

> >

> > Charles

 



 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: NT Domain to AD migration

Date: 09/25/2007 16:34:50

Windows 2000? Remember that 2000 is under MS extended support, and soon there will

be no support for 2000.

The steps are basically the same.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"Charles Woolever" <info@existingstations.com> wrote in message

news:info-C59B1D.17201825092007@news-server.rochester.rr.com...

> Right now we're upgrading to W2K. You mention 2003. Is the process the

> same?

>

> Charles

>

> In article <#KkHFqw$HHA.5360@TK2MSFTNGP03.phx.gbl>,

> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote:

>

>> Hi

>> * Backup the Servers.

>>

>> * Take at least one BDC Offline (In case of UPGRADE FAILURE you always

>> can

>> promote it to a PDC). The only drawback to this method is that all

>> changes

>> that were made while the safe BDC was offline are lost. To minimize this

>> loss, you could periodically turn the safe BDC on and off (when the

>> domain

>> is in a stable state) during the upgrade process, to update its safe copy

>> of

>> the directory.

>>

>> To convert the BDC to a PDC: Start -> Programs -> Administrative Tools ->

>> Server Manager -> Select the BDC, then go to the Computer Menu -> choose

>> Promote to primary Domain Controller.

>>

>> * Make sure that the Hardware and apps meet the requirements.

>>

>> * Make sure that all Apps installed are compatible with W2K3 and don't

>> cause

>> problems with the upgrade process or post-upgrade process.

>>

>> * Run from command prompt:

>>

>> Cdsource\I386\winnt32.exe /checkupgradeonly

>>

>> - Before Upgrade:

>>

>> * You can install a new computer (more powerful), make it a BDC,

>> SYNCHRONIZE

>> and promote it to PDC and then perform the upgrade on the new PDC.

>>

>> * Windows 2000/XP always prefer Kerberos authentication, so if the newly

>> upgraded NT4 to Windows 2003 goes down (Offline), the client machines

>> won't

>> be able to authenticate in the domain.

>>

>> * If this is the case, before upgrading the NT4 PDC, make the necessary

>> changes on the registry (NT4Emulator). If the NT4Emulator is configured

>> on

>> the new PDC, and you want to upgrade the existing BDCs, you also need to

>> create a registry entry on the BDCs (NeutralizeNT4Emulator) before the

>> upgrade.

>>

>> Check:

>>

>> Windows 2000-based clients connect only to the domain controller that was

>> upgraded from Windows NT 4.0 in a mixed-mode domain

>>

>> http://support.microsoft.com/?kbid=284937

>>

>> How to prevent overloading on the first domain controller during domain

>> upgrade

>>

>> http://support.microsoft.com/kb/298713/

>>

>> Once all domain controllers are upgraded, remove the registry

>> settings

>> created in the previous steps.

>>

>> Note: This sometimes may not be needed, e.g. if all existing BDCs will be soon

>> upgraded to Windows 2003.

>>

>> - Dns Planning:

>>

>> Prior to beginning the upgrade from Windows NT Server 4.0 to the Windows

>> Server 2003 Active Directory service, ensure that you have designed a DNS

>> and Active Directory namespace and have either configured DNS servers or

>> are

>> planning to have the Active Directory Installation Wizard automatically

>> install the DNS service on the domain controller.

>>

>> Active Directory is integrated with DNS in the following ways:

>>

>> Active Directory and DNS have the same hierarchical structure. Although

>> separate and implemented differently for different purposes, an

>> organization's namespace for DNS and Active Directory have an identical

>> structure. For example, microsoft.com is both a DNS domain and an Active

>> Directory domain.

>>

>> DNS zones can be stored in Active Directory. If you are using the Windows

>> Server DNS service, primary zone files can be stored in Active Directory

>> for

>> replication to other Active Directory domain controllers.

>>

>> Active Directory uses DNS as a locator service, resolving Active

>> Directory

>> domain, site, and service names to an IP address. To log on to an Active

>> Directory domain, an Active Directory client queries its configured DNS

>> server for the IP address of the Lightweight Directory Access Protocol

>> (LDAP) service running on a domain controller for a specified domain.

>>

>> While Active Directory is integrated with DNS and they share the same

>> namespace structure, it is important to distinguish the basic difference

>> between them:

>>

>> DNS is a name resolution service. DNS clients send DNS name queries to

>> their

>> configured DNS server. The DNS server receives the name query and either

>> resolves the name query through locally stored files or consults another

>> DNS

>> server for resolution. DNS does not require Active Directory to function.

>> Active Directory is a directory service. Active Directory provides an

>> information repository and services to make information available to

>> users

>> and applications. Active Directory clients send queries to Active

>> Directory

>> servers using LDAP. In order to locate an Active Directory server, an

>> Active

>> Directory client queries DNS. Active Directory requires DNS to function.

>>

>> If you use BIND DNS servers, make sure that you have BIND 8.1.2

>>

>> - Supports: Srv records, Dynamic Updates, Doesn't Support Secure Dynamic

>> Updates (this is one disadvantage over the MS DNS servers, and

>> represents security issues).

>>

>> - Create Primary Zone

>>

>> If Use 2003 DNS

>>

>> * Create Primary Zone

>>

>> * You can use a pre-existing DNS or you can create it during the upgrade

>> process.

>>

>> * Convert to AD-Integrated.

>>

>> * NetDiag /fix (This is an extra measure, to register the necessary dns

>> records).

>>

>> Check:

>>

>> Troubleshooting DNS

>>

>> http://technet2.microsoft.com/windowsserver/en/library/e42d510a-443d-4c31-96da-f66a67a89d861033.mspx?mfr=true

>>

>> How to Verify the Creation of SRV Records for a Domain Controller

>>

>> http://support.microsoft.com/?id=241515

>>

>> Verify DNS server responsiveness using the nslookup command

>>

>> http://technet2.microsoft.com/windowsserver/en/library/f8761f04-d665-4507-9509-ebb92bbb66ef1033.mspx?mfr=true

>>

>> - The Upgrade.

>>

>> * Check if you're on the PDC -> Start -> Programs -> Administrative

>> Tools ->

>> Server Manager. Right click on Network Neighborhood -> check the name.

>>

>> Run from command prompt:

>>

>> Cdsource\I386\winnt32

>>

>> * The first server running Windows NT Server 4.0 that you must upgrade is

>> the primary domain controller (PDC), then you upgrade all remaining BDCs.

>> To

>> check if you're on the PDC: Start -> Programs -> Administrative Tools ->

>> Server Manager.

>>

>> Check:

>>

>> How To Upgrade a Windows NT 4.0-Based PDC to a Windows Server 2003-Based

>> Domain Controller

>> http://support.microsoft.com/?id=326209

>>

>> If you don't have windows 2000 (Only NT4 and Windows 2003) in the domain

>> choose the FFL (Forest Functional Level) Windows 2003 interim.

>>

>> * Make sure that your DCs' DNS properties point to the right DNS server

>> (usually

>> the DC is also a DNS server, so it must point to itself).

>>

>> * Once you have upgraded the Windows NT Server 4.0 and earlier PDC, you

>> can

>> proceed to upgrade all remaining BDCs.

>>

>> * Make sure that you have 1 GC per site (GCs are needed unless: you only

>> have one domain, or the DFL is prior to Windows 2000 or Windows 2003).

>>

>> * Make sure that network clients point to the Network DNS server only

>> (Usually the DC).

>>

>> * If everything is OK, and if all DCs are already Windows 2003, now

>> it's time to remove the registry entries (NT4Emulator,

>> NeutralizeNT4Emulator), and make the DFL and FFL Windows 2003.

>>

>> Verifying Active Directory Installation

>>

>> http://technet2.microsoft.com/WindowsServer/en/Library/3d157c1a-5c80-...

>> Migrating from Windows NT Server 4.0 to Windows Server 2003

>>

>> http://www.microsoft.com/downloads/details.aspx?FamilyID=e92cf6a0-76f...

>> Upgrading from Windows NT Server 4.0

>> http://www.microsoft.com/windowsserver2003/upgrading/nt4/default.mspx

>> --

>> I hope that the information above helps you.

>> Have a Nice day.

>>

>> Jorge Silva

>> MCSE, MVP Directory Services

>> "Charles Woolever" <info@existingstations.com> wrote in message

>> news:info-386A50.20013724092007@news-server.rochester.rr.com...

>> > I'm helping a small company move from an NT Domain to active directory.

>> > I've prepped a few things. Some added details:

>> >

>> > 1) 1 PDC and 3 BDCs. All 4 have NT4. PDC and 1 BDC are too old to

>> > upgrade to W2K Server. One BDC on a "newer" machine will get promoted

>> > to

>> > a PDC (old PDC demoted). Old PDC will be left running as a member. Old

>> > BDC will get turned off. This leaves "newer" PDC and "newer" BDC.

>> >

>> > 2) Two "newer" machines will be upgraded to W2K Server. The PDC will

>> > have AD enabled.

>> >

>> > 3) My understanding is that the wizard for AD will see that it was a

>> > PDC

>> > and "convert" things over.

>> >

>> > 4) The current domain for NT is..."NT_DOMAIN". I assume that AD will

>> > want the domain that is used in Internal DNS and what externally is

>> > used, abcde.com. How will the wizard convert users from "NT_DOMAIN" to

>> > abcde.com? The suffix used all over already is abcde.com. I was using

>> > BIND on a Linux box and I'm converting over to MS DDNS for AD and

>> > dynamic support.

>> >

>> > 5) Domain is a simple domain, no tree or forests. No branch offices. It

>> > actually serves them fine but they want to upgrade to a better Exchange

>> > and SQL version. All other servers are already W2K. Desktops are W2K

>> > and

>> > XP Pro.

>> >

>> > This is a small company with minimal use of servers. There is a file

>> > server with permissions set via groups for that. There is no print

>> > server; printers are accessed via TCP/IP. They have Exchange 5.5 SP4.

>> > Once they move to AD, then they are going to upgrade to Exchange 2003.

>> > I

>> > know I need the AD connector from the W2K server CD for Exchange. There

>> > is also WINS and DHCP on W2K server.

>> >

>> > One other possible issue is a MS SQL 6.5 server that handles a

>> > financial

>> > package. My understanding is they have talked to the company who made

>> > the software and they are stuck with 6.5. They are looking at

>> > purchasing

>> > a new package ($10K+) but are stuck right now with SQL6.5.

>> >

>> > I'd love to hear some tips and suggestions for getting migrated over.

>> > What to do first, etc.?

>> >

>> > Thanks,

>> >

>> > Charles

 



 

From: Charles Woolever <info@existingstations.com>

To: none

Subject: Re: NT Domain to AD migration

Date: 09/25/2007 17:05:07

Yes, I knew that. The first step is to 2000 and then to 2003. Thanks.

 

Charles

 

In article <u5ncjv7$HHA.4476@TK2MSFTNGP06.phx.gbl>,

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote:

 

> Windows 2000? Remember that 2000 is under MS extended support, and soon there will

> be no support for 2000.

> The steps are basically the same.

>

> --

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services

 



 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: NT Domain to AD migration

Date: 09/25/2007 18:09:10

Good luck.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"Charles Woolever" <info@existingstations.com> wrote in message

news:info-040D89.18050625092007@news-server.rochester.rr.com...

> Yes, I knew that. The first step is to 2000 and then to 2003. Thanks.

>

> Charles

>

> In article <u5ncjv7$HHA.4476@TK2MSFTNGP06.phx.gbl>,

> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote:

>

>> Windows 2000? Remember that 2000 is under MS extended support, and soon

>> there will

>> be no support for 2000.

>> The steps are basically the same.

>>

>> --

>> I hope that the information above helps you.

>> Have a Nice day.

>>

>> Jorge Silva

>> MCSE, MVP Directory Services

 



 

From: Meinolf Weber <meiweb(nospam)@gmx.de>

To: none

Subject: Re: Planning to Deploy SP2 on Windows Server 2003 with AD (GC)

Date: 09/26/2007 02:02:19

Hello saqib,

 

Please post the complete error message. Also check the event viewer for errors

and post them here.

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

 

> Dear,

>

> I am trying to update my server to SP2 on Windows Server 2003 with AD; it's

> our Global Catalog server, but it's not able to be deployed, giving the

> msg Access denied even though I am using an admin ID. Please tell which steps to

> be taken before deployment so that I can deploy it without any network

> disturbance.

>

> saqib ahmad

>

 



 

From: saqib ahmad <saqibahmad@discussions.microsoft.com>

To: none

Subject: Re: Planning to Deploy SP2 on Windows Server 2003 with AD (GC)

Date: 09/27/2007 04:18:00

Dear ,

 

It just gives the msg "Access denied" and rolls back everything.

 

"Meinolf Weber" wrote:

 

> Hello saqib,

>

> Please post the complete error message. Also check the event viewer for errors

> and post them here.

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> no rights.

>

> > Dear,

> >

> > I am trying to update my server to SP2 on Windows Server 2003 with AD; it's

> > our Global Catalog server, but it's not able to be deployed, giving the

> > msg Access denied even though I am using an admin ID. Please tell which steps to

> > be taken before deployment so that I can deploy it without any network

> > disturbance.

> >

> > saqib ahmad

> >

>

 



 

From: Meinolf Weber <meiweb(nospam)@gmx.de>

To: none

Subject: Re: Planning to Deploy SP2 on Windows Server 2003 with AD (GC)

Date: 09/27/2007 04:27:01

Hello saqib,

 

Do you work at the server, or how will you install it? GPO or RDP?

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

 

> Dear ,

>

> It just gives the msg "Access denied" and rolls back everything.

>

> "Meinolf Weber" wrote:

>

>> Hello saqib,

>>

>> Please post the complete error message. Also check the event viewer

>> for errors and post them here.

>>

>> Best regards

>>

>> Meinolf Weber

>> Disclaimer: This posting is provided "AS IS" with no warranties, and

>> confers

>> no rights.

>>> Dear,

>>>

>>> I am trying to update my server to SP2 on Windows Server 2003 with AD;

>>> it's our Global Catalog server, but it's not able to be deployed, giving

>>> the msg Access denied even though I am using an admin ID. Please tell which

>>> steps to be taken before deployment so that I can deploy it without

>>> any network disturbance.

>>>

>>> saqib ahmad

>>>

 



 

From: saqib ahmad <saqibahmad@discussions.microsoft.com>

To: none

Subject: Re: Planning to Deploy SP2 on Windows Server 2003 with AD (GC)

Date: 09/27/2007 23:27:00

Dear

 

I am directly deploying on the server by administrator ID.

 

saqib ahmad

"Meinolf Weber" wrote:

 

> Hello saqib,

>

> Do you work at the server, or how will you install it? GPO or RDP?

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> no rights.

>

> > Dear ,

> >

> > It just gives the msg "Access denied" and rolls back everything.

> >

> > "Meinolf Weber" wrote:

> >

> >> Hello saqib,

> >>

> >> Please post the complete error message. Also check the event viewer

> >> for errors and post them here.

> >>

> >> Best regards

> >>

> >> Meinolf Weber

> >> Disclaimer: This posting is provided "AS IS" with no warranties, and

> >> confers

> >> no rights.

> >>> Dear,

> >>>

> >>> I am trying to update my server to SP2 on Windows Server 2003 with AD;

> >>> it's our Global Catalog server, but it's not able to be deployed, giving

> >>> the msg Access denied even though I am using an admin ID. Please tell which

> >>> steps to be taken before deployment so that I can deploy it without

> >>> any network disturbance.

> >>>

> >>> saqib ahmad

> >>>

>

 



 

From: Meinolf Weber <meiweb(nospam)@gmx.de>

To: none

Subject: Re: Planning to Deploy SP2 on Windows Server 2003 with AD (GC)

Date: 09/28/2007 01:45:47

Hello saqib,

 

Check out this one, even though it is for SP1:

http://support.microsoft.com/kb/873148

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

 

> Dear

>

> I am directly deploying on the server by administrator ID.

>

> saqib ahmad

>

> "Meinolf Weber" wrote:

>

>> Hello saqib,

>>

>> Do you work at the server, or how will you install it? GPO or RDP?

>>

>> Best regards

>>

>> Meinolf Weber

>> Disclaimer: This posting is provided "AS IS" with no warranties, and

>> confers

>> no rights.

>>> Dear ,

>>>

>>> It just gives the msg "Access denied" and rolls back everything.

>>>

>>> "Meinolf Weber" wrote:

>>>

>>>> Hello saqib,

>>>>

>>>> Please post the complete error message. Also check the event viewer

>>>> for errors and post them here.

>>>>

>>>> Best regards

>>>>

>>>> Meinolf Weber

>>>> Disclaimer: This posting is provided "AS IS" with no warranties,

>>>> and

>>>> confers

>>>> no rights.

>>>>> Dear,

>>>>>

>>>>> I am trying to update my server to SP2 on Windows Server 2003 with AD;

>>>>> it's our Global Catalog server, but it's not able to be deployed,

>>>>> giving the msg Access denied even though I am using an admin ID. Please tell

>>>>> which steps to be taken before deployment so that I can deploy it

>>>>> without any network disturbance.

>>>>>

>>>>> saqib ahmad

>>>>>

 



 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Possible GPO Setting Failure

Date: 09/26/2007 12:31:25

Hi

Never saw something like that; however, you can check in the GPO ngs to get more

detailed information about that behavior.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"myoman" <myoman@discussions.microsoft.com> wrote in message

news:A1734124-2F9B-448B-9664-5892A6AF7159@microsoft.com...

> Environment:

> 2 - 2003 R2 SP2 Domain Controllers on the same subnet and connected via

> gig

> Ethernet.

> Servers are new hardware with updated FW.

> Client computers are from XP sp2 image with Sysprep.

>

> I'm helping a peer migrate to AD and we have hit a small, annoying

> problem:

> The GPO setting "Add the Administrators security group to the roaming user

> profile share" seems to be working only about 80 percent of the time. This

> is

> totally random in nature. A user profile that is created at 10:00 will

> have

> the NTFS permissions properly applied but one that is created at 11:30

> will

> not. Everything else is working great. Event Logs on both DCs show

> nothing

> out of the ordinary. In fact, no errors are reported at all for AD, DNS

> and

> FRS. Client EventLogs show nothing either. We are about to enable the

> verbose

> Winlogon/UserEnv logging option for the clients.

>

> We have several GPOs in use and the GPO in question is applied to the OU

> that contains the client machines and RSOP shows that the GPO is indeed

> applied. No errors at all.

>

> Does anyone have any advice for what should we be looking for on the

> servers? Clients? I'd be happy to provide any additional info.

>

> Thanks for the help,

>

> Craig

>

 



 

From: GeoffD <GeoffD@discussions.microsoft.com>

To: none

Subject: Re: Printer not publishing in Directory?

Date: 09/25/2007 15:10:06

I'm experiencing the same behavior. I have one site, two DCs, and a single

server dedicated to printer sharing. Recently, newly created printers stopped

appearing in AD.

 

I've confirmed that the server has the SELF create/delete child objects right.

 

I haven't tried the "Check published state" solution, yet, but I will.

Still, I'd like to know why the printers aren't getting published at creation

time the way they used to. I haven't seen any error events from the spooler

relating to this issue.

 

What else could I do to troubleshoot?

 

"Chris Lukowski" wrote:

 

> W00t!!! That did it. Here's the solution for all to see:

>

> The spooler checks if the printers are in the AD only at init time or if

> defined by policy.  Unpublish and publish should do the trick but since it

> is not set the policy to verify and publish periodically.

>

> gpedit.msc

>

>

> Computer Configuration

> Administrative Templates

> Printers

> Check Published state

>

>

> The spooler will verify the printers are published and if not "should"

> publish them.

>

>

> --All I had to do was enable that GP setting, restart the spooler, and bang!

> My missing printers appeared in the Directory!

>

> "Jorge Silva" wrote:

>

> > Hi

> > check

> > http://groups.google.com/group/microsoft.public.win2000.printing/browse_thread/thread/613aea40906f5b74/74a865bf8ad5d27b?lnk=st&q=Printers+don%27t+show+in+Active+Directory&rnum=2&hl=en#74a865bf8ad5d27b

> >

> >

> > --

> > I hope that the information above helps you.

> > Have a Nice day.

> >

> > Jorge Silva

> > MCSE, MVP Directory Services

> > "Chris Lukowski" <ChrisLukowski@discussions.microsoft.com> wrote in message

> > news:4E3EEC9A-3FA7-4D8F-B7BE-6E69D3E97008@microsoft.com...

> > >I just added a new printer to our file and print server running Server 2003

> > > R2. For some reason it's days later and it's still not listed in the

> > > Directory. I even tried unchecking, applying, and rechecking and applying

> > > the

> > > "List in Directory" box but that did nothing. The printer's share name is

> > > KyoceraPreticketing. Is there an unmentioned cap on name lengths that

> > > could

> > > be a problem here? This isn't the first time this has happened either.

> > > We're

> > > a small shop with only 2 or 3 DCs so I doubt replication is an issue. Can

> > > you

> > > help me out because I'm stumped?

> >

> >

> >

 

Top


 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Printer not publishing in Directory?

Date: 09/25/2007 15:29:31

Restart the print spooler and check the GPO option stated before.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"GeoffD" <GeoffD@discussions.microsoft.com> wrote in message

news:27D6FCB4-FE64-4E75-9429-7BA8A986678E@microsoft.com...

> I'm experiencing the same behavior. I have one site, two DCs, and a single

> server dedicated to printer sharing. Recently, newly created printers

> stopped

> appearing in AD.

>

> I've confirmed that the server has the SELF create/delete child objects

> right.

>

> I haven't tried the "Check published state" solution, yet, but I will.

> Still, I'd like to know why the printers aren't getting published at

> creation

> time the way they used to. I haven't seen any error events from the

> spooler

> relating to this issue.

>

> What else could I do to troubleshoot?

>

> "Chris Lukowski" wrote:

>

>> W00t!!! That did it. Here's the solution for all to see:

>>

>> The spooler checks if the printers are in the AD only at init time or if

>> defined by policy.  Unpublish and publish should do the trick but since

>> it

>> is not set the policy to verify and publish periodically.

>>

>> gpedit.msc

>> Computer Configuration

>> Administrative Templates

>> Printers

>> Check Published state

>> The spooler will verify the printers are published and if not "should"

>> publish them.

>> --All I had to do was enable that GP setting, restart the spooler, and

>> bang!

>> My missing printers appeared in the Directory!

>>

>> "Jorge Silva" wrote:

>>

>> > Hi

>> > check

>> > http://groups.google.com/group/microsoft.public.win2000.printing/browse_thread/thread/613aea40906f5b74/74a865bf8ad5d27b?lnk=st&q=Printers+don%27t+show+in+Active+Directory&rnum=2&hl=en#74a865bf8ad5d27b

>> >

>> >

>> > --

>> > I hope that the information above helps you.

>> > Have a Nice day.

>> >

>> > Jorge Silva

>> > MCSE, MVP Directory Services

>> > "Chris Lukowski" <ChrisLukowski@discussions.microsoft.com> wrote in

>> > message

>> > news:4E3EEC9A-3FA7-4D8F-B7BE-6E69D3E97008@microsoft.com...

>> > >I just added a new printer to our file and print server running Server

>> > >2003

>> > > R2. For some reason it's days later and it's still not listed in the

>> > > Directory. I even tried unchecking, applying, and rechecking and

>> > > applying

>> > > the

>> > > "List in Directory" box but that did nothing. The printer's share

>> > > name is

>> > > KyoceraPreticketing. Is there an unmentioned cap on name lengths that

>> > > could

>> > > be a problem here? This isn't the first time this has happened

>> > > either.

>> > > We're

>> > > a small shop with only 2 or 3 DCs so I doubt replication is an issue.

>> > > Can

>> > > you

>> > > help me out because I'm stumped?

>> >

>> >

>> >
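Both GeoffD's question ("what else could I do to troubleshoot?") and the quoted fix (enable "Check Published state", restart the spooler) turn on the same gap: the spooler's own idea of which queues are listed in the directory versus the printQueue objects actually present in AD. The script below is an added example, not code from anyone in the thread: it reads the printQueue objects from the domain with an LDAP search, reads the shared queues on the print server with Get-Printer, and reports the queues whose "List in the directory" flag is set but which have no object in AD. It assumes a box with the PrintManagement module (Windows 8 / Server 2012 or later) and a user who can read the directory; the server name defaults to the local machine.

```powershell
# Added example, not from the thread: reconcile the shared printers on a print
# server with the printQueue objects actually present in Active Directory, so the
# queues the spooler has failed to publish are visible before (and after)
# enabling "Check Published state" and restarting the spooler. Read-only.
# ASSUMPTIONS: PrintManagement module available (Windows 8 / Server 2012 or
# later); the caller can read the directory; server defaults to this machine.
param(
    [string]$PrintServer = $env:COMPUTERNAME
)

function Get-PublishedPrintQueues {
    # Search the caller's domain for printQueue objects; the spooler writes
    # serverName and printShareName when it publishes a queue.
    $searcher = [adsisearcher]'(objectClass=printQueue)'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('serverName', 'printShareName', 'printerName'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            ServerName  = [string]$r.Properties['servername'][0]
            ShareName   = [string]$r.Properties['printsharename'][0]
            PrinterName = [string]$r.Properties['printername'][0]
        }
    }
}

function Compare-PrinterPublication {
    param([string]$Server)
    $short = ($Server -split '\.')[0].ToLowerInvariant()
    # Index published queues for this server by share name; serverName may be
    # stored as a NetBIOS name or an FQDN, so match on the first label only.
    $inAd = @{}
    foreach ($q in Get-PublishedPrintQueues) {
        if ($q.ShareName -and ($q.ServerName -split '\.')[0].ToLowerInvariant() -eq $short) {
            $inAd[$q.ShareName.ToLowerInvariant()] = $q
        }
    }
    # Only shared queues can be listed in the directory
    Get-Printer -ComputerName $Server | Where-Object { $_.Shared } | ForEach-Object {
        [pscustomobject]@{
            Printer     = $_.Name
            ShareName   = $_.ShareName
            ListFlagSet = $_.Published      # the "List in the directory" checkbox
            FoundInAD   = $inAd.ContainsKey($_.ShareName.ToLowerInvariant())
        }
    }
}

$report = Compare-PrinterPublication -Server $PrintServer
$report | Format-Table -AutoSize
'Queues flagged for publishing that the directory does not contain:'
$report | Where-Object { $_.ListFlagSet -and -not $_.FoundInAD } | Select-Object Printer, ShareName
```

Run it once before and once after the spooler restart: the second run should show the "flagged but missing" list empty. If a queue stays missing, the SELF create/delete-child-objects right on the server's computer object (which GeoffD already verified) and the spooler's event log are the next places to look.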

 

Top


 

From: Will <westes-usc@noemail.nospam>

To: none

Subject: Re: Problems With Kerberos Authentication

Date: 09/25/2007 17:50:39

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

news:e7q9Uw6$HHA.3716@TK2MSFTNGP03.phx.gbl...

> Network browsing is NetBIOS resolution dependent, that's by design, in

> different subnets you need WINS.

 

We are not using Network Browsing, if by that you mean the use of Network

Neighborhood.    When you turn off NetBIOS over TCP you lose that capability

entirely.

 

We were issuing command line net view \\DC4 which is a specific command

directed at specific hostname, resolvable through DNS.

 

--

Will

 

> "Will" <westes-usc@noemail.nospam> wrote in message

> news:_pudnZIIsf7b_GTbnZ2dnUVZ_r6rnZ2d@giganews.com...

>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

>> news:uhyCru2$HHA.4880@TK2MSFTNGP03.phx.gbl...

>>> Do you point your dc to a WINS server on its NIC configuration?  It

>>> needs

>> to

>>> be on the same subnet as where you are attempting this test or be

>> registered

>>> with a WINS server.

>>

>> We haven't used WINs in seven years, and nearly every machine we have is

>> on

>> a different subnet.    We turn off NetBIOS over TCP, and ports 137, 138,

>> and

>> 139 are dirty words in our office. :)

>>

>> In any case, I don't see any attempt by client to locate the server by

>> any

>> method other than DNS.   The problem is the client is sending out a

>> Kerberos

>> request just for this one DC using some malformed Kerberos request and

>> getting back a rejection.   All of that activity takes place between

>> client

>> and another DC on port 88 (from memory).

>>

>> Note that from my example, DC1, DC2, DC3, and DC4 are all on different

>> subnets than the client.   Net View works to all DCs except DC4.   So

>> subnetting is not the unique variable associated with the failure case.

>>

>> --

>> Will

 

Top


 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Problems With Kerberos Authentication

Date: 09/25/2007 18:12:00

That's correct, I was just re-stating previous posts regarding that

resolution mechanism.

 

Regarding the Access is DENIED error, did you try the KB that I

provided you?

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"Will" <westes-usc@noemail.nospam> wrote in message

news:q72dnW-4l7pdDWTbnZ2dnUVZ_hudnZ2d@giganews.com...

> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

> news:e7q9Uw6$HHA.3716@TK2MSFTNGP03.phx.gbl...

>> Network browsing is NetBIOS resolution dependent, that's by design, in

>> different subnets you need WINS.

>

> We are not using Network Browsing, if by that you mean the use of Network

> Neighborhood.    When you turn off NetBIOS over TCP you lose that

> capability entirely.

>

> We were issuing command line net view \\DC4 which is a specific command

> directed at specific hostname, resolvable through DNS.

>

> --

> Will

>

>> "Will" <westes-usc@noemail.nospam> wrote in message

>> news:_pudnZIIsf7b_GTbnZ2dnUVZ_r6rnZ2d@giganews.com...

>>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

>>> news:uhyCru2$HHA.4880@TK2MSFTNGP03.phx.gbl...

>>>> Do you point your dc to a WINS server on its NIC configuration?  It

>>>> needs

>>> to

>>>> be on the same subnet as where you are attempting this test or be

>>> registered

>>>> with a WINS server.

>>>

>>> We haven't used WINs in seven years, and nearly every machine we have is

>>> on

>>> a different subnet.    We turn off NetBIOS over TCP, and ports 137, 138,

>>> and

>>> 139 are dirty words in our office. :)

>>>

>>> In any case, I don't see any attempt by client to locate the server by

>>> any

>>> method other than DNS.   The problem is the client is sending out a

>>> Kerberos

>>> request just for this one DC using some malformed Kerberos request and

>>> getting back a rejection.   All of that activity takes place between

>>> client

>>> and another DC on port 88 (from memory).

>>>

>>> Note that from my example, DC1, DC2, DC3, and DC4 are all on different

>>> subnets than the client.   Net View works to all DCs except DC4.   So

>>> subnetting is not the unique variable associated with the failure case.

>>>

>>> --

>>> Will

 

Top


 

From: Will <westes-usc@noemail.nospam>

To: none

Subject: Re: Problems With Kerberos Authentication

Date: 09/25/2007 18:41:00

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

news:OM1A2l8$HHA.3916@TK2MSFTNGP02.phx.gbl...

> That's correct, I was just re-stating previous posts regardind to that

> resolution mechanism.

>

> Regarding to the Access is DENIED error, did you tried the KB that I

> provided you?

 

Maybe I'm thinking of the wrong one, but the KB you sent was for resetting

the password of a domain controller?

 

That sounds like a serious thing to do, potentially destabilizing, and why

would it be an appropriate step to take when it is the client that is

malforming a Kerberos request to use the DC?   I'm willing to try it if

there is a reason to try it, but it seemed a bit random.

 

--

Will

> "Will" <westes-usc@noemail.nospam> wrote in message

> news:q72dnW-4l7pdDWTbnZ2dnUVZ_hudnZ2d@giganews.com...

>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>> news:e7q9Uw6$HHA.3716@TK2MSFTNGP03.phx.gbl...

>>> Network browsing is NetBIOS resolution dependent, that's by design, in

>>> different subnets you need WINS.

>>

>> We are not using Network Browsing, if by that you mean the use of Network

>> Neighborhood.    When you turn off NetBIOS over TCP you lose that

>> capability entirely.

>>

>> We were issuing command line net view \\DC4 which is a specific command

>> directed at specific hostname, resolvable through DNS.

>>

>> --

>> Will

>>

>>> "Will" <westes-usc@noemail.nospam> wrote in message

>>> news:_pudnZIIsf7b_GTbnZ2dnUVZ_r6rnZ2d@giganews.com...

>>>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

>>>> news:uhyCru2$HHA.4880@TK2MSFTNGP03.phx.gbl...

>>>>> Do you point your dc to a WINS server on its NIC configuration?  It

>>>>> needs

>>>> to

>>>>> be on the same subnet as where you are attempting this test or be

>>>> registered

>>>>> with a WINS server.

>>>>

>>>> We haven't used WINs in seven years, and nearly every machine we have

>>>> is on

>>>> a different subnet.    We turn off NetBIOS over TCP, and ports 137,

>>>> 138, and

>>>> 139 are dirty words in our office. :)

>>>>

>>>> In any case, I don't see any attempt by client to locate the server by

>>>> any

>>>> method other than DNS.   The problem is the client is sending out a

>>>> Kerberos

>>>> request just for this one DC using some malformed Kerberos request and

>>>> getting back a rejection.   All of that activity takes place between

>>>> client

>>>> and another DC on port 88 (from memory).

>>>>

>>>> Note that from my example, DC1, DC2, DC3, and DC4 are all on different

>>>> subnets than the client.   Net View works to all DCs except DC4.   So

>>>> subnetting is not the unique variable associated with the failure case.

>>>>

>>>> --

>>>> Will

 

Top


 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Problems With Kerberos Authentication

Date: 09/25/2007 18:50:41

I thought that the error was from the server.

If you type the \\ipaddress of the server can you get access to it?

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"Will" <westes-usc@noemail.nospam> wrote in message

news:5aOdnRCYR4oQAWTbnZ2dnUVZ_v2unZ2d@giganews.com...

> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

> news:OM1A2l8$HHA.3916@TK2MSFTNGP02.phx.gbl...

>> That's correct, I was just re-stating previous posts regardind to that

>> resolution mechanism.

>>

>> Regarding to the Access is DENIED error, did you tried the KB that I

>> provided you?

>

> Maybe I'm thinking of the wrong one, but the KB you sent was for resetting

> the password of a domain controller?

>

> That sounds like a serious thing to do, potentially destabilizing, and why

> would it be an appropriate step to take when it is the client that is

> malforming a Kerberos request to use the DC?   I'm willing to try it if

> there is a reason to try it, but it seemed a bit random.

>

> --

> Will

>> "Will" <westes-usc@noemail.nospam> wrote in message

>> news:q72dnW-4l7pdDWTbnZ2dnUVZ_hudnZ2d@giganews.com...

>>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>>> news:e7q9Uw6$HHA.3716@TK2MSFTNGP03.phx.gbl...

>>>> Network browsing is NetBIOS resolution dependent, that's by design, in

>>>> different subnets you need WINS.

>>>

>>> We are not using Network Browsing, if by that you mean the use of

>>> Network Neighborhood.    When you turn off NetBIOS over TCP you lose

>>> that capability entirely.

>>>

>>> We were issuing command line net view \\DC4 which is a specific command

>>> directed at specific hostname, resolvable through DNS.

>>>

>>> --

>>> Will

>>>

>>>> "Will" <westes-usc@noemail.nospam> wrote in message

>>>> news:_pudnZIIsf7b_GTbnZ2dnUVZ_r6rnZ2d@giganews.com...

>>>>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

>>>>> news:uhyCru2$HHA.4880@TK2MSFTNGP03.phx.gbl...

>>>>>> Do you point your dc to a WINS server on its NIC configuration?  It

>>>>>> needs

>>>>> to

>>>>>> be on the same subnet as where you are attempting this test or be

>>>>> registered

>>>>>> with a WINS server.

>>>>>

>>>>> We haven't used WINs in seven years, and nearly every machine we have

>>>>> is on

>>>>> a different subnet.    We turn off NetBIOS over TCP, and ports 137,

>>>>> 138, and

>>>>> 139 are dirty words in our office. :)

>>>>>

>>>>> In any case, I don't see any attempt by client to locate the server by

>>>>> any

>>>>> method other than DNS.   The problem is the client is sending out a

>>>>> Kerberos

>>>>> request just for this one DC using some malformed Kerberos request and

>>>>> getting back a rejection.   All of that activity takes place between

>>>>> client

>>>>> and another DC on port 88 (from memory).

>>>>>

>>>>> Note that from my example, DC1, DC2, DC3, and DC4 are all on different

>>>>> subnets than the client.   Net View works to all DCs except DC4.   So

>>>>> subnetting is not the unique variable associated with the failure

>>>>> case.

>>>>>

>>>>> --

>>>>> Will

 

Top


 

From: Andy C <acracchiolo@fluidmaster.com>

To: none

Subject: Re: Problems With Kerberos Authentication

Date: 09/25/2007 19:09:58

I cannot get into the 'network'; it says access denied.  So I can't get a

computer name or anything to do that to.  I was wondering how I could find

the computer that is generating that network name on my network

neighborhood.

 

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

news:uRuSd78$HHA.5164@TK2MSFTNGP05.phx.gbl...

>I though that the error was from server.

> If you type the \\ipaddress of the server can you get access to it?

>

> --

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services

> "Will" <westes-usc@noemail.nospam> wrote in message

> news:5aOdnRCYR4oQAWTbnZ2dnUVZ_v2unZ2d@giganews.com...

>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>> news:OM1A2l8$HHA.3916@TK2MSFTNGP02.phx.gbl...

>>> That's correct, I was just re-stating previous posts regardind to that

>>> resolution mechanism.

>>>

>>> Regarding to the Access is DENIED error, did you tried the KB that I

>>> provided you?

>>

>> Maybe I'm thinking of the wrong one, but the KB you sent was for

>> resetting the password of a domain controller?

>>

>> That sounds like a serious thing to do, potentially destabilizing, and

>> why would it be an appropriate step to take when it is the client that is

>> malforming a Kerberos request to use the DC?   I'm willing to try it if

>> there is a reason to try it, but it seemed a bit random.

>>

>> --

>> Will

>>> "Will" <westes-usc@noemail.nospam> wrote in message

>>> news:q72dnW-4l7pdDWTbnZ2dnUVZ_hudnZ2d@giganews.com...

>>>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>>>> news:e7q9Uw6$HHA.3716@TK2MSFTNGP03.phx.gbl...

>>>>> Network browsing is NetBIOS resolution dependent, that's by design, in

>>>>> different subnets you need WINS.

>>>>

>>>> We are not using Network Browsing, if by that you mean the use of

>>>> Network Neighborhood.    When you turn off NetBIOS over TCP you lose

>>>> that capability entirely.

>>>>

>>>> We were issuing command line net view \\DC4 which is a specific command

>>>> directed at specific hostname, resolvable through DNS.

>>>>

>>>> --

>>>> Will

>>>>

>>>>> "Will" <westes-usc@noemail.nospam> wrote in message

>>>>> news:_pudnZIIsf7b_GTbnZ2dnUVZ_r6rnZ2d@giganews.com...

>>>>>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

>>>>>> news:uhyCru2$HHA.4880@TK2MSFTNGP03.phx.gbl...

>>>>>>> Do you point your dc to a WINS server on its NIC configuration?  It

>>>>>>> needs

>>>>>> to

>>>>>>> be on the same subnet as where you are attempting this test or be

>>>>>> registered

>>>>>>> with a WINS server.

>>>>>>

>>>>>> We haven't used WINs in seven years, and nearly every machine we have

>>>>>> is on

>>>>>> a different subnet.    We turn off NetBIOS over TCP, and ports 137,

>>>>>> 138, and

>>>>>> 139 are dirty words in our office. :)

>>>>>>

>>>>>> In any case, I don't see any attempt by client to locate the server

>>>>>> by any

>>>>>> method other than DNS.   The problem is the client is sending out a

>>>>>> Kerberos

>>>>>> request just for this one DC using some malformed Kerberos request

>>>>>> and

>>>>>> getting back a rejection.   All of that activity takes place between

>>>>>> client

>>>>>> and another DC on port 88 (from memory).

>>>>>>

>>>>>> Note that from my example, DC1, DC2, DC3, and DC4 are all on

>>>>>> different

>>>>>> subnets than the client.   Net View works to all DCs except DC4.   So

>>>>>> subnetting is not the unique variable associated with the failure

>>>>>> case.

>>>>>>

>>>>>> --

>>>>>> Will

>>>>

>>>>

 

Top


 

From: Andy C <acracchiolo@fluidmaster.com>

To: none

Subject: Re: Problems With Kerberos Authentication

Date: 09/25/2007 19:20:01

SORRY WRONG POST

"Andy C" <acracchiolo@fluidmaster.com> wrote in message

news:Ox6NWG9$HHA.5184@TK2MSFTNGP02.phx.gbl...

>I cannot get into the 'network' it says access denied.  So I cant get a

>computer name or anything to do that to.  I was wondering how I could find

>the computer that is generating that network name on my network

>neighborhood.

>

> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

> news:uRuSd78$HHA.5164@TK2MSFTNGP05.phx.gbl...

>>I though that the error was from server.

>> If you type the \\ipaddress of the server can you get access to it?

>>

>> --

>> I hope that the information above helps you.

>> Have a Nice day.

>>

>> Jorge Silva

>> MCSE, MVP Directory Services

>> "Will" <westes-usc@noemail.nospam> wrote in message

>> news:5aOdnRCYR4oQAWTbnZ2dnUVZ_v2unZ2d@giganews.com...

>>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>>> news:OM1A2l8$HHA.3916@TK2MSFTNGP02.phx.gbl...

>>>> That's correct, I was just re-stating previous posts regardind to that

>>>> resolution mechanism.

>>>>

>>>> Regarding to the Access is DENIED error, did you tried the KB that I

>>>> provided you?

>>>

>>> Maybe I'm thinking of the wrong one, but the KB you sent was for

>>> resetting the password of a domain controller?

>>>

>>> That sounds like a serious thing to do, potentially destabilizing, and

>>> why would it be an appropriate step to take when it is the client that

>>> is malforming a Kerberos request to use the DC?   I'm willing to try it

>>> if there is a reason to try it, but it seemed a bit random.

>>>

>>> --

>>> Will

>>>> "Will" <westes-usc@noemail.nospam> wrote in message

>>>> news:q72dnW-4l7pdDWTbnZ2dnUVZ_hudnZ2d@giganews.com...

>>>>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>>>>> news:e7q9Uw6$HHA.3716@TK2MSFTNGP03.phx.gbl...

>>>>>> Network browsing is NetBIOS resolution dependent, that's by design,

>>>>>> in different subnets you need WINS.

>>>>>

>>>>> We are not using Network Browsing, if by that you mean the use of

>>>>> Network Neighborhood.    When you turn off NetBIOS over TCP you lose

>>>>> that capability entirely.

>>>>>

>>>>> We were issuing command line net view \\DC4 which is a specific

>>>>> command directed at specific hostname, resolvable through DNS.

>>>>>

>>>>> --

>>>>> Will

>>>>>

>>>>>> "Will" <westes-usc@noemail.nospam> wrote in message

>>>>>> news:_pudnZIIsf7b_GTbnZ2dnUVZ_r6rnZ2d@giganews.com...

>>>>>>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in

>>>>>>> message

>>>>>>> news:uhyCru2$HHA.4880@TK2MSFTNGP03.phx.gbl...

>>>>>>>> Do you point your dc to a WINS server on its NIC configuration?  It

>>>>>>>> needs

>>>>>>> to

>>>>>>>> be on the same subnet as where you are attempting this test or be

>>>>>>> registered

>>>>>>>> with a WINS server.

>>>>>>>

>>>>>>> We haven't used WINs in seven years, and nearly every machine we

>>>>>>> have is on

>>>>>>> a different subnet.    We turn off NetBIOS over TCP, and ports 137,

>>>>>>> 138, and

>>>>>>> 139 are dirty words in our office. :)

>>>>>>>

>>>>>>> In any case, I don't see any attempt by client to locate the server

>>>>>>> by any

>>>>>>> method other than DNS.   The problem is the client is sending out a

>>>>>>> Kerberos

>>>>>>> request just for this one DC using some malformed Kerberos request

>>>>>>> and

>>>>>>> getting back a rejection.   All of that activity takes place between

>>>>>>> client

>>>>>>> and another DC on port 88 (from memory).

>>>>>>>

>>>>>>> Note that from my example, DC1, DC2, DC3, and DC4 are all on

>>>>>>> different

>>>>>>> subnets than the client.   Net View works to all DCs except DC4.

>>>>>>> So

>>>>>>> subnetting is not the unique variable associated with the failure

>>>>>>> case.

>>>>>>>

>>>>>>> --

>>>>>>> Will

>>>>>

>>>>>

>>>>

>>>>

 

Top


 

From: Will <westes-usc@noemail.nospam>

To: none

Subject: Re: Problems With Kerberos Authentication

Date: 09/25/2007 20:23:59

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

news:uRuSd78$HHA.5164@TK2MSFTNGP05.phx.gbl...

>I though that the error was from server.

> If you type the \\ipaddress of the server can you get access to it?

 

Yes, as stated in original message, either of these variants works:

 

net view \\dc4.my.domain.com        // the FQDN

net view \\<ip-of-dc4>

 

Only the simple NetBIOS name version fails:

 

net view \\dc4

 

What's truly bizarre to me is that the client generates *NO* kerberos

traffic for the two variants that work, but seems to feel a need to generate

Kerberos traffic (ill formed request) for the case that fails.

 

The whole algorithm for how authentication is done appears totally different

for the two cases of FQDN versus simple NetBIOS name.

 

--

Will

> "Will" <westes-usc@noemail.nospam> wrote in message

> news:5aOdnRCYR4oQAWTbnZ2dnUVZ_v2unZ2d@giganews.com...

>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>> news:OM1A2l8$HHA.3916@TK2MSFTNGP02.phx.gbl...

>>> That's correct, I was just re-stating previous posts regardind to that

>>> resolution mechanism.

>>>

>>> Regarding to the Access is DENIED error, did you tried the KB that I

>>> provided you?

>>

>> Maybe I'm thinking of the wrong one, but the KB you sent was for

>> resetting the password of a domain controller?

>>

>> That sounds like a serious thing to do, potentially destabilizing, and

>> why would it be an appropriate step to take when it is the client that is

>> malforming a Kerberos request to use the DC?   I'm willing to try it if

>> there is a reason to try it, but it seemed a bit random.

>>

>> --

>> Will

>>> "Will" <westes-usc@noemail.nospam> wrote in message

>>> news:q72dnW-4l7pdDWTbnZ2dnUVZ_hudnZ2d@giganews.com...

>>>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>>>> news:e7q9Uw6$HHA.3716@TK2MSFTNGP03.phx.gbl...

>>>>> Network browsing is NetBIOS resolution dependent, that's by design, in

>>>>> different subnets you need WINS.

>>>>

>>>> We are not using Network Browsing, if by that you mean the use of

>>>> Network Neighborhood.    When you turn off NetBIOS over TCP you lose

>>>> that capability entirely.

>>>>

>>>> We were issuing command line net view \\DC4 which is a specific command

>>>> directed at specific hostname, resolvable through DNS.

>>>>

>>>> --

>>>> Will

>>>>

>>>>> "Will" <westes-usc@noemail.nospam> wrote in message

>>>>> news:_pudnZIIsf7b_GTbnZ2dnUVZ_r6rnZ2d@giganews.com...

>>>>>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

>>>>>> news:uhyCru2$HHA.4880@TK2MSFTNGP03.phx.gbl...

>>>>>>> Do you point your dc to a WINS server on its NIC configuration?  It

>>>>>>> needs

>>>>>> to

>>>>>>> be on the same subnet as where you are attempting this test or be

>>>>>> registered

>>>>>>> with a WINS server.

>>>>>>

>>>>>> We haven't used WINs in seven years, and nearly every machine we have

>>>>>> is on

>>>>>> a different subnet.    We turn off NetBIOS over TCP, and ports 137,

>>>>>> 138, and

>>>>>> 139 are dirty words in our office. :)

>>>>>>

>>>>>> In any case, I don't see any attempt by client to locate the server

>>>>>> by any

>>>>>> method other than DNS.   The problem is the client is sending out a

>>>>>> Kerberos

>>>>>> request just for this one DC using some malformed Kerberos request

>>>>>> and

>>>>>> getting back a rejection.   All of that activity takes place between

>>>>>> client

>>>>>> and another DC on port 88 (from memory).

>>>>>>

>>>>>> Note that from my example, DC1, DC2, DC3, and DC4 are all on

>>>>>> different

>>>>>> subnets than the client.   Net View works to all DCs except DC4.   So

>>>>>> subnetting is not the unique variable associated with the failure

>>>>>> case.

>>>>>>

>>>>>> --

>>>>>> Will

>>>>

>>>>
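Will's observation is that net view against the FQDN or the IP address works with no Kerberos traffic, while the short name fails after a Kerberos exchange on port 88, so the client is clearly choosing a different authentication path per name form. The script below is an added example, not code from anyone in the thread: from a client with NetBIOS over TCP/IP disabled it checks the three things that decide how that SMB session gets authenticated: whether DNS alone (the suffix search list, no WINS) resolves the short name; whether the DC's computer account carries both the HOST/<short> and HOST/<fqdn> SPNs that a cifs/<name> ticket request is satisfied by; and whether this client can actually obtain a service ticket for each name form, which reproduces the failure without a packet capture. The names DC4 and dc4.my.domain.com are the thread's own placeholders; setspn.exe and klist.exe are assumed to be on the path (both ship with current Windows), and the exit-code and "failed" checks on klist output are an assumption about its behaviour rather than documented contract.

```powershell
# Added example, not from the thread: compare how a DC name is resolved and
# whether Kerberos service tickets can be obtained for its short name vs FQDN.
# Read-only apart from the service-ticket requests klist makes.
# ASSUMPTIONS: DC4 / dc4.my.domain.com are the thread's placeholders; setspn.exe
# and klist.exe are on the path; "failed" in klist output marks a failed request.
param(
    [string]$ShortName = 'DC4',
    [string]$Fqdn      = 'dc4.my.domain.com'
)

function Resolve-ShortNameViaDns {
    param([string]$Name)
    try {
        # GetHostEntry applies the client's DNS suffix search list; no NetBIOS/WINS involved
        $e = [System.Net.Dns]::GetHostEntry($Name)
        [pscustomobject]@{ Query = $Name; Canonical = $e.HostName; Addresses = ($e.AddressList -join ', ') }
    } catch {
        [pscustomobject]@{ Query = $Name; Canonical = $null; Addresses = "unresolved: $($_.Exception.Message)" }
    }
}

function Get-RegisteredSpns {
    param([string]$ComputerName)
    # setspn -L prints one header line, then one indented SPN per line
    $lines = & setspn.exe -L $ComputerName 2>&1
    $lines | Select-Object -Skip 1 | ForEach-Object { $_.ToString().Trim() } | Where-Object { $_ }
}

function Test-ServiceTicket {
    param([string]$Spn)
    # "klist get" asks the KDC for a ticket for exactly this SPN and caches it
    $out  = & klist.exe get $Spn 2>&1 | Out-String
    $line = ($out -split "`r?`n" | Where-Object { $_ -match 'failed|Server:' } | Select-Object -First 1)
    [pscustomobject]@{
        Spn    = $Spn
        Ok     = ($LASTEXITCODE -eq 0 -and $out -notmatch 'failed')   # assumption about klist's reporting
        Detail = $line.Trim()
    }
}

'--- DNS-only resolution of the short name ---'
Resolve-ShortNameViaDns -Name $ShortName | Format-List

'--- HOST SPNs on the DC computer account ---'
$spns = Get-RegisteredSpns -ComputerName $ShortName
foreach ($want in "HOST/$ShortName", "HOST/$Fqdn") {
    $present = $spns | Where-Object { $_ -ieq $want }
    '{0,-40} {1}' -f $want, $(if ($present) { 'registered' } else { 'MISSING on computer account' })
}

'--- service ticket per name form (what net view \\<name> asks for) ---'
foreach ($spn in "cifs/$ShortName", "cifs/$Fqdn") { Test-ServiceTicket -Spn $spn }
```

Read the three sections together. If the short name does not resolve through DNS, the SMB client is falling back to whatever is left once NetBIOS is off, which is nothing useful. If HOST/DC4 is missing from the account while HOST/dc4.my.domain.com is present, a ticket for cifs/DC4 cannot be issued even though the FQDN form works. And a ticket request that fails only for the short form, shown in the last section, is the same asymmetry Will saw on the wire, with the KDC's error text attached.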

 

Top


 

From: Andy C <acracchiolo@fluidmaster.com>

To: none

Subject: Re: R2 Schema Extension

Date: 09/27/2007 19:40:07

Do you have any more information on this error?

"Toby1Kinobe" <tw@tw.com> wrote in message

news:fdhbse$ls7$1@news-01.bur.connect.com.au...

> Hi,

>

> I am trying to upgrade server 2003 (sp2) to R2 and am getting errors

> whilst extending the Schema (from 30 to 31). In the debug log I have an

> ldif.err.31 which reads:

>

> Entry DN:

> CN=PosixAccount,CN=Schema,CN=Configuration,DC=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx

> Add error on line 1519: Unwilling To Perform

>

> The server side error is "Schema update failed: Rdn-Att-Id has wrong

> syntax."

>

> An error has occurred in the program

>

> I believe that some 3rd party application (not sure what, maybe the 1 mac

> pc on our domain) may have incorrectly extended the schema at some stage.

> This appears to be a Unix type error (we don't have, nor have we ever had, unix

> services on the network).

> Has anyone seen this before/resolved the issue?

> I have seen one post that suggests I need to defunct the offending UID

> attribute, any thoughts?

>

> We are getting very frustrated with this as it's holding up many other

> projects, any help would be gratefully received,

>

> Thanks

>

 

Top


 

From: Toby1Kinobe <toby1kinobe@gmail.com>

To: none

Subject: Re: R2 Schema Extension

Date: 09/27/2007 20:17:39

Sorry, what other information do you need? The error from the debug log is

posted below. The R2 schema extension fails.

Thanks

 

"Andy C" <acracchiolo@fluidmaster.com> wrote in message

news:%23QZsfgWAIHA.4836@TK2MSFTNGP06.phx.gbl...

> Do you have any more information on this error?

> "Toby1Kinobe" <tw@tw.com> wrote in message

> news:fdhbse$ls7$1@news-01.bur.connect.com.au...

>> Hi,

>>

>> I am trying to upgrade server 2003 (sp2) to R2 and am getting errors

>> whilst extending the Schema (from 30 to 31). In the debug log I have an

>> ldif.err.31 which reads:

>>

>> Entry DN:

>> CN=PosixAccount,CN=Schema,CN=Configuration,DC=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx

>> Add error on line 1519: Unwilling To Perform

>>

>> The server side error is "Schema update failed: Rdn-Att-Id has wrong

>> syntax."

>>

>> An error has occurred in the program

>>

>> I believe that some 3rd party application (not sure what, maybe the 1 mac

>> pc on our domain) may have incorrectly extended the schema at some stage.

>> This appears to be a Unix type error (we dont have nor ever have had unix

>> services on the network).

>> Has anyone seen this before/resolved the issue?

>> I have see 1 post that suggests I need to defunct the offending UID

>> attribute, any thoughts?

>>

>> We are getting very frustrated with this as its holding up many other

>> projects, any help would be gratefully received,

>>

>> Thanks

>>

 

Top


 

From: Ryan Hanisco <RyanHanisco@discussions.microsoft.com>

To: none

Subject: Re: R2 Schema Extension

Date: 09/27/2007 22:29:01

Hi Toby,

 

Is this a 64-bit machine? There are occasionally some issues with that and

a few workarounds.

--

Ryan Hanisco

MCSE, MCTS: SQL 2005, Project+

www.techsterity.com

Chicago, IL

 

Remember: Marking helpful answers helps everyone find the info they need

quickly.

"Toby1Kinobe" wrote:

 

> Sorry what other information do you need?, the error from the debug log is

> posted below. The R2 schema extension fails,

> Thanks

>

> "Andy C" <acracchiolo@fluidmaster.com> wrote in message

> news:%23QZsfgWAIHA.4836@TK2MSFTNGP06.phx.gbl...

> > Do you have any more information on this error?

> >

> >

> > "Toby1Kinobe" <tw@tw.com> wrote in message

> > news:fdhbse$ls7$1@news-01.bur.connect.com.au...

> >> Hi,

> >>

> >> I am trying to upgrade server 2003 (sp2) to R2 and am getting errors

> >> whilst extending the Schema (from 30 to 31). In the debug log I have an

> >> ldif.err.31 which reads:

> >>

> >> Entry DN:

> >> CN=PosixAccount,CN=Schema,CN=Configuration,DC=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx

> >> Add error on line 1519: Unwilling To Perform

> >>

> >> The server side error is "Schema update failed: Rdn-Att-Id has wrong

> >> syntax."

> >>

> >> An error has occurred in the program

> >>

> >> I believe that some 3rd party application (not sure what, maybe the 1 Mac

> >> PC on our domain) may have incorrectly extended the schema at some stage.

> >> This appears to be a Unix type error (we don't have nor ever have had Unix

> >> services on the network).

> >> Has anyone seen this before/resolved the issue?

> >> I have seen 1 post that suggests I need to defunct the offending UID

> >> attribute, any thoughts?

> >>

> >> We are getting very frustrated with this as its holding up many other

> >> projects, any help would be gratefully received,

> >>

> >> Thanks

> >>

> >

> >

>

 

Top


 

From: Toby1Kinobe <toby1kinobe@gmail.com>

To: none

Subject: Re: R2 Schema Extension

Date: 09/27/2007 23:22:39

Hi Ryan,

No, unfortunately it is a 32-bit machine. We have tried seizing the FSMO role

on different DCs in the domain and attempted the upgrade again (at

Microsoft's request) and still no joy (we are essentially just passing the

broken schema around!). I feel that we need to find the entry in the schema

that is conflicting with the R2 base schema (possibly POSIX, as per the

dump) and either delete it or rectify the conflict. Not sure how we go about

this though, and MS don't seem to have any answers; this has been with them for

a number of weeks.

 

Cheers,

Toby


 

Top
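As an added example (not from the thread, and not Microsoft's R2 schema files), the following Python script does the search Toby describes: it reads an export of the existing schema and the extension LDIF, then reports (a) any lDAPDisplayName or OID the extension wants that an earlier extension already bound to something else, and (b) any new class whose rDNAttID does not resolve to an attribute of String(Unicode) syntax (attributeSyntax 2.5.5.12, oMSyntax 64), which is the condition a DC refuses with "Rdn-Att-Id has wrong syntax". Both LDIF fragments are constructed: the third-party `uid` and `posixAccount` definitions, their OIDs, and the `rDNAttID: uid` on the new class are assumptions for illustration, not the contents of sch31.ldf or of any real forest. On a real forest the first input would come from `ldifde -f schema.ldf -d CN=Schema,CN=Configuration,DC=example,DC=com` run against the schema master.

```python
"""Preflight an AD schema-extension LDIF against an export of the existing
schema. Added, constructed example: neither input is a real schema file."""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]
# attributeSyntax / oMSyntax of String(Unicode), the only syntax AD accepts
# for the attribute a class's rDNAttID points at.
UNICODE_STRING = ("2.5.5.12", "64")


def parse_ldif(text: str) -> List[Entry]:
    """Unfold continuation lines, decode '::' base64 values, skip comments;
    attribute names are lower-cased because LDAP names are case-insensitive."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    cur: Entry = {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        cur.setdefault(key.strip().lower(), []).append(value.strip())
    return entries + ([cur] if cur else [])


def first(e: Entry, attr: str) -> str:
    return e.get(attr.lower(), [""])[0]


def schema_oid(e: Entry) -> str:  # attributeID for attributes, governsID for classes
    return first(e, "attributeID") or first(e, "governsID")


def index_schema(entries: List[Entry]):
    by_name = {first(e, "lDAPDisplayName").lower(): e
               for e in entries if first(e, "lDAPDisplayName")}
    by_oid = {schema_oid(e): e for e in entries if schema_oid(e)}
    return by_name, by_oid


def preflight(existing_ldif: str, extension_ldif: str) -> List[str]:
    """One finding per add the DC would refuse; an empty list means no conflict."""
    old_name, old_oid = index_schema(parse_ldif(existing_ldif))
    adds = [e for e in parse_ldif(extension_ldif)
            if first(e, "changetype").lower() in ("ntdsschemaadd", "add")]
    new_name, new_oid = index_schema(adds)
    findings: List[str] = []
    for e in adds:
        name, oid = first(e, "lDAPDisplayName"), schema_oid(e)
        # 1. Name already bound to another OID, or OID to another name: an
        #    earlier (possibly third-party) extension owns it.
        clash = old_name.get(name.lower())
        if clash and schema_oid(clash) != oid:
            findings.append(f"{name}: lDAPDisplayName already used by OID {schema_oid(clash)}")
        clash = old_oid.get(oid)
        if clash and first(clash, "lDAPDisplayName").lower() != name.lower():
            findings.append(f"{name}: OID {oid} already used by {first(clash, 'lDAPDisplayName')}")
        # 2. A new class's rDNAttID must resolve to an existing or co-added
        #    attribute of String(Unicode) syntax; otherwise the DC answers
        #    Unwilling To Perform / "Rdn-Att-Id has wrong syntax".
        rdn = first(e, "rDNAttID")
        if rdn and "classschema" in [v.lower() for v in e.get("objectclass", [])]:
            target = (new_name.get(rdn.lower()) or old_name.get(rdn.lower())
                      or new_oid.get(rdn) or old_oid.get(rdn))
            if target is None:
                findings.append(f"{name}: rDNAttID {rdn} does not resolve to any attribute")
                continue
            syntax = (first(target, "attributeSyntax"), first(target, "oMSyntax"))
            if syntax != UNICODE_STRING:
                findings.append(f"{name}: rDNAttID {rdn} has syntax {syntax[0]}/{syntax[1]}, "
                                f"AD requires {UNICODE_STRING[0]}/{UNICODE_STRING[1]}")
    return findings


# Constructed slice of an existing-schema export (what `ldifde -f schema.ldf
# -d CN=Schema,CN=Configuration,DC=example,DC=com` produces), standing in for
# a hypothetical earlier third-party extension. The governsID is made up.
EXISTING_SCHEMA = """\
dn: CN=uid,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: uid
attributeID: 0.9.2342.19200300.100.1.1
attributeSyntax: 2.5.5.5
oMSyntax: 22

dn: CN=posixAccount,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
lDAPDisplayName: posixAccount
governsID: 1.3.6.1.4.1.99999.1.1
"""

# Constructed add in the style of the R2 schema files (illustrative only, not
# the contents of sch31.ldf; rDNAttID: uid is an assumption).
EXTENSION = """\
dn: CN=PosixAccount,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: ntdsSchemaAdd
objectClass: classSchema
lDAPDisplayName: posixAccount
governsID: 1.3.6.1.1.1.2.0
rDNAttID: uid
"""

if __name__ == "__main__":
    print("\n".join(preflight(EXISTING_SCHEMA, EXTENSION)))
```

A finding that names an attribute already in the forest points at that attribute, not at the Microsoft LDIF: schema objects cannot be deleted, so the existing definition has to be reconciled (the thread's suggestion is to defunct it) before the extension can be re-run, and because the schema is forest-wide, seizing the schema master onto another DC, as Toby notes, only moves the same conflict.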


 

From: kj [SBS MVP] <KevinJ.SBS@SPAMFREE.gmail.com>

To: none

Subject: Re: R2 Schema Extension

Date: 09/27/2007 23:36:00

Toby1Kinobe wrote:

> Hi,

>

> I am trying to upgrade server 2003 (sp2) to R2 and am getting errors

> whilst extending the Schema (from 30 to 31). In the debug log I have

> an ldif.err.31 which reads:

>

> Entry DN:

> CN=PosixAccount,CN=Schema,CN=Configuration,DC=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx

> Add error on line 1519: Unwilling To Perform

>

> The server side error is "Schema update failed: Rdn-Att-Id has wrong

> syntax."

>

> An error has occurred in the program

>

> I believe that some 3rd party application (not sure what, maybe the 1

> Mac PC on our domain) may have incorrectly extended the schema at

> some stage. This appears to be a Unix type error (we don't have nor

> ever have had Unix services on the network).

> Has anyone seen this before/resolved the issue?

> I have seen 1 post that suggests I need to defunct the offending UID

> attribute, any thoughts?

>

> We are getting very frustrated with this as its holding up many other

> projects, any help would be gratefully received,

>

> Thanks

 

You might find googling;

 

wrong syntax schema r2 Rdn-Att-Id

 

some help in progressing with your problem.

 

--

/kj

 

Top


 

From: Toby1Kinobe <toby1kinobe@gmail.com>

To: none

Subject: Re: R2 Schema Extension

Date: 09/28/2007 00:29:37

This is a serious problem, so sensible responses or none at all please, KJ.

 


 

Top


 

From: kj [SBS MVP] <KevinJ.SBS@SPAMFREE.gmail.com>

To: none

Subject: Re: R2 Schema Extension

Date: 09/28/2007 00:43:21

Toby1Kinobe wrote:

> This is a serious problem so sensible responses/or none at all please

> KJ

 

I agree, but the first such hit should direct you here, which has a potential

resolution. Have you already seen it?

 

http://www.activedir.org/ma/default.aspx?msg=11874

 


 

--

/kj

 

Top


 

From: Toby1Kinobe <toby1kinobe@gmail.com>

To: none

Subject: Re: R2 Schema Extension

Date: 09/28/2007 01:20:28

kj, yes I have seen this article. Unfortunately it seems to be the only

article on the net that I can find that resembles our issue. Unfortunately

the post does not contain a workaround for us. This case has been raised

with MS, who seem to be struggling to resolve it. I was just hoping someone

out there may have seen this error before or could offer any fix

suggestions.

Cheers for your efforts

 


 

Top


 

From: kj [SBS MVP] <KevinJ.SBS@SPAMFREE.gmail.com>

To: none

Subject: Re: R2 Schema Extension

Date: 09/28/2007 01:29:15

Toby1Kinobe wrote:

> kj, yes I have seen this article. Unfortunately it seems to be the

> only article on the net that I can find that resembles our issue.

> Unfortunately the post does not contain a workaround for us. This

> case has been raised with MS, who seem to be struggling to resolve

> it. I was just hoping someone out there may have seen this error

> before or could offer any fix suggestions.

> Cheers for your efforts

 

Sorry, not much else to add. Any idea on what vendor did the extension?

 

Good luck with the problem/resolution.

 


 

--

/kj

 

Top


 

From: MattMJF <MattMJF@discussions.microsoft.com>

To: none

Subject: RE: redirection My Documents

Date: 09/27/2007 13:47:01

One solution is, on the servers that users RDC/TS into, to disable any folder

redirection and/or force a mandatory profile for any Terminal Services

sessions. You can do this via a GPO applied to the OU where the servers are

located, or you can do this via the local GPO on the server(s) itself and then

use the "enable loopback" setting. Also, on the user account properties, Terminal

Services tab, you can remove the U:\ drive path and configure a mandatory profile

just for TS sessions.

 

These are a variety of ideas. Pick the one to research that works best for

your environment.

 

~ Matt ~

"rocker40" wrote:

 

> I have a policy for redirection for My Documents. I had an issue with my

> domain controller and had to rebuild it. I reinstalled the policy and it

> works. The issue is that some users and I log into servers through TS

> sometimes to do different things. When we do that, My Documents are moved over

> too. I do not want them to pull their My Documents when they log into a

> server, but I need them to on their local machines. Does that make sense? I

> thought I had it that way before, but if I did, I'm not sure what I did to make

> that happen.

> Thanks

> Dave

 

Top


 

From: Richard Mueller [MVP] <rlmueller-nospam@ameritech.nospam.net>

To: none

Subject: Re: Remote Desktop connection

Date: 09/27/2007 22:11:59

Dave_R wrote:

 

> I want a user who is out of state, when logging in remotely, to start an app.

>

> I have Windows 2003 Server configured as a DC running DNS, DHCP and File

> Server.

>

> I created "USer1" in AD and added it to the Builtin Remote Desktop Users group.

>

> When "USer1" logs in remotely, it gets an error: "To logon you must be granted

> the Allow logon thru Terminal Services right..."

>

> Can somebody please help me step by step to log on "USer1"

> successfully?

 

In addition, check "Allow Access" on the "Dial-in" tab of the user

properties in Active Directory Users & Computers.

 

--

Richard Mueller

Microsoft MVP Scripting and ADSI

Hilltop Lab - http://www.rlmueller.net

--

 

Top


 

From: pooradmin <jskiba99@gmail.com>

To: none

Subject: Re: Remote Desktop connection

Date: 09/27/2007 22:37:59

On Sep 27, 11:11 pm, "Richard Mueller [MVP]" <rlmueller-

nos...@ameritech.nospam.net> wrote:

> Dave_R wrote:

> >I want a user who is out of state when login remotely to start an app.

>

> > I have Windows 2003 Server configured as DC running DNS, DHCP and File

> > Server.

>

> > I created "USer1" in AD and added to Builtin Remote Desktop Users group.

>

> > When "USer1" logs in remotely gets an error " To logon you must be granted

> > Allow logon thru Terminal Services right.."

>

> > Can somebody please help me step ny step how to logon "USer1"

> > successfully?

>

> In addition, check "Allow Access" on the "Dial-in" tab of the user

> properties in Active Directory Users & Computers.

>

> --

> Richard Mueller

> Microsoft MVP Scripting and ADSI

> Hilltop Lab - http://www.rlmueller.net

> --

 

Think that's just for the RAS connections, VPN, dial-in. There's a

checkbox on the Terminal Services tab, "Deny this user permission to log

on to any terminal server", that should be unchecked. There are also 2

policies in Group Policy for the machine that need to be checked. Since it's

a domain controller that the user is going to log on to, they need to be

either an administrator on that machine or added to the one policy

below to log on locally.

 

Computer Configuration

  Windows Settings

    Security Settings

      Local Policies

        User Rights Assignment

         Allow log on through Terminal Services

         Allow log on locally

 

Hope that helps

 

-J

www.pooradmin.com

 

Top
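The replies above describe three separate gates for an RDP logon: the account's own Terminal Services deny setting, the user rights held by the SIDs in the logon token, and the fact that on a domain controller the Default Domain Controllers Policy grants "Allow log on through Terminal Services" to Administrators only, so Remote Desktop Users membership alone is not enough there. The Python below is an added example (not from the thread) that evaluates those gates from an exported local security policy, which on a real host would come from `secedit /export /cfg C:\secpol.inf`; the policy excerpts, domain SIDs and accounts are constructed for illustration. It also encodes the rule that a deny right overrides an allow right.

```python
"""Evaluate whether a principal can log on through Terminal Services / RDP
from an exported local security policy. Added, constructed example: the
policy excerpts, SIDs and accounts below are not from any real host."""
from typing import Dict, Iterable, Set, Tuple

ADMINISTRATORS = "S-1-5-32-544"
REMOTE_DESKTOP_USERS = "S-1-5-32-555"
ALLOW = "SeRemoteInteractiveLogonRight"     # "Allow log on through Terminal Services"
DENY = "SeDenyRemoteInteractiveLogonRight"  # "Deny log on through Terminal Services"


def parse_privilege_rights(inf_text: str) -> Dict[str, Set[str]]:
    """Read the [Privilege Rights] section of a `secedit /export /cfg` file:
    one right per line, holders comma-separated, SIDs prefixed with '*'."""
    rights: Dict[str, Set[str]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            right, _, holders = line.partition("=")
            rights[right.strip()] = {h.strip().lstrip("*")
                                     for h in holders.split(",") if h.strip()}
    return rights


def can_logon_via_ts(inf_text: str, token_sids: Iterable[str],
                     ts_logon_denied: bool = False) -> Tuple[bool, str]:
    """token_sids: the user's SID plus every group SID in its token.
    ts_logon_denied: the account's own "Deny this user permission to log on
    to any terminal server" setting on the Terminal Services tab."""
    if ts_logon_denied:
        return False, "account is denied TS logon on its Terminal Services tab"
    rights = parse_privilege_rights(inf_text)
    sids = set(token_sids)
    denied = sids & rights.get(DENY, set())
    if denied:                          # a deny right always beats an allow
        return False, f"{DENY} applies via {sorted(denied)}"
    allowed = sids & rights.get(ALLOW, set())
    if allowed:
        return True, f"{ALLOW} granted via {sorted(allowed)}"
    return False, f"no SID in the token holds {ALLOW}"


# Constructed excerpts of `secedit /export /cfg` output. The DC excerpt shows
# the Default Domain Controllers Policy grant of the right (Administrators
# only); the member server also lists Remote Desktop Users and denies one
# account outright. Domain SIDs are made up.
DC_POLICY = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""
MEMBER_POLICY = """\
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1104
"""
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
USER1 = [f"{DOMAIN}-1103", REMOTE_DESKTOP_USERS]   # like the thread's USer1
SVC_ACCOUNT = [f"{DOMAIN}-1104", REMOTE_DESKTOP_USERS]

if __name__ == "__main__":
    for host, policy in (("DC", DC_POLICY), ("member server", MEMBER_POLICY)):
        print(host, *can_logon_via_ts(policy, USER1))
    print("member server", *can_logon_via_ts(MEMBER_POLICY, SVC_ACCOUNT))
```

Run against the DC export, USer1 fails for exactly the reason in Dave_R's error text even though it is in Remote Desktop Users; the fix that keeps least privilege is to add Remote Desktop Users (or a narrower group) to that right in the Default Domain Controllers Policy rather than make the user an administrator, and the per-user Dial-in tab plays no part in the decision.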

