From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>
To: none
Subject: Re: Library not registered when trying to open AD
Date: 09/27/2007 06:49:21

Run diagnostics against your Active Directory domain.

If you don't have the support tools installed, install them from your server install disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> dnslint /ad /s "ip address of your dc"

**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's in the forest. If you have significant numbers of DC's this test could generate significant detail and take a long time. You also want to take into account that slow links to dc's will also add to the testing time.

If you download a gui script I wrote it should be simple to set and run (DCDiag and NetDiag). It also has the option to run individual tests without having to learn all the switch options. The details will be output in notepad text files that pop up automagically.

The script is located on my website at http://www.pbbergs.com/windows/downloads.htm

Just select both dcdiag and netdiag, make sure verbose is set. (Leave the default settings for dcdiag as set when selected)

When complete, search for fail, error and warning messages.

Description and download for dnslint: http://support.microsoft.com/kb/321045

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"abaratin" <abaratin@gmail.com> wrote in message news:1190888183.547668.193160@w3g2000hsg.googlegroups.com...
> Hi all,
>
> Yesterday I had a problem with WSUS3. I tried to reinstall it but it fails... Few minutes after I tried to go to the GPO settings... I receive an error "The domain controller can not be contacted Error was: Library not Registered"
> I have this "Library not registered" error anytime I try to open something dealing with GPO's or AD.
> I don't know what to do...
>
> So if you have ideas, suggestions or links with documentation it will be great...
> I don't know Active Directory enough to solve this kind of problem...
>
> Thanks in advance
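The diagnostics Paul lists, as one script that runs the three log-producing tools with the same switches and then does the "search for fail, error and warning" step for you. This is an added example, not Paul's GUI script from pbbergs.com; it assumes the Support Tools / RSAT binaries (dcdiag, netdiag, repadmin) are on the path of a machine with domain-admin rights, and $DcName and $LogDir are placeholders you set for your environment (dnslint is left out because it writes its own HTML report rather than a text log):

```powershell
# Added example, not Paul's script: run dcdiag, netdiag and repadmin with the switches
# from the post, write one log per tool, then scan the logs for fail/error/warning.
# Assumes the Support Tools / RSAT binaries are on the path; values below are placeholders.
param(
    [string]$DcName = $env:COMPUTERNAME,   # placeholder: the DC named in dcdiag /s:
    [string]$LogDir = 'C:\addiag'          # placeholder: where the logs are written
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Same switches as the post. /e runs against every DC in the forest, so in a large
# forest or over slow links expect a long run and a big dcdiag.log (the post's note).
$tests = [ordered]@{
    'dcdiag.log'  = @('dcdiag', '/v', '/c', '/d', '/e', "/s:$DcName")
    'netdiag.log' = @('netdiag', '/v')    # Windows 2003 Support Tools only; absent on 2008+
    'repl.txt'    = @('repadmin', '/showrepl', 'dc*', '/verbose', '/all', '/intersite')
}

foreach ($t in $tests.GetEnumerator()) {
    $exe  = $t.Value[0]
    $argv = $t.Value[1..($t.Value.Count - 1)]
    # 2>&1 merges the tool's stderr into the same log so nothing is lost.
    & $exe @argv 2>&1 | Out-File -FilePath (Join-Path -Path $LogDir -ChildPath $t.Key)
}

function Find-DiagProblems {
    # Case-insensitive scan for the three words the post says to search for,
    # returning file, line number and text so every hit can be traced back.
    param([Parameter(Mandatory=$true)][string]$Path)
    Select-String -Path $Path -Pattern 'fail', 'error', 'warning' -SimpleMatch |
        ForEach-Object {
            [pscustomobject]@{
                File = Split-Path -Path $_.Path -Leaf
                Line = $_.LineNumber
                Text = $_.Line.Trim()
            }
        }
}

$hits = Get-ChildItem -Path $LogDir -File | ForEach-Object { Find-DiagProblems -Path $_.FullName }

# Summary first (hits per log), then the detail.
$hits | Group-Object -Property File | Select-Object -Property Name, Count
$hits | Format-Table -AutoSize -Wrap

# dcdiag's own verdict lines read "... failed test <Name>" / "... passed test <Name>",
# so this narrower filter gives just the list of tests that actually failed.
Select-String -Path (Join-Path -Path $LogDir -ChildPath 'dcdiag.log') -Pattern 'failed test' -SimpleMatch |
    ForEach-Object { $_.Line.Trim() }
```

Run it as `.\addiag.ps1 -DcName DC01 -LogDir C:\addiag` from an elevated PowerShell on a DC. The broad keyword scan is noisy on a verbose dcdiag log (the word "error" appears in informational lines too), which is why the last command narrows to dcdiag's "failed test" verdicts; treat the wide scan as the place to look for context once you know which test failed.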
From: abaratin <abaratin@gmail.com>
To: none
Subject: Re: Library not registered when trying to open AD
Date: 09/27/2007 07:46:03

Well everything seems to be ok... It was what I felt because this morning every user was able to connect to the domain...
My feeling now is rather that mmc 3.0 is in cause... But I don't know how to install/reinstall it and what can be the consequences for users...

On 27 sep, 11:49, "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote:
> Run diagnostics against your Active Directory domain.
>
> If you don't have the support tools installed, install them from your server install disk.
> d:\support\tools\setup.exe
>
> Run dcdiag, netdiag and repadmin in verbose mode.
> -> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
> -> netdiag.exe /v > c:\netdiag.log (On each dc)
> -> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
> -> dnslint /ad /s "ip address of your dc"
>
> **Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's in the forest. If you have significant numbers of DC's this test could generate significant detail and take a long time. You also want to take into account that slow links to dc's will also add to the testing time.
>
> If you download a gui script I wrote it should be simple to set and run (DCDiag and NetDiag). It also has the option to run individual tests without having to learn all the switch options. The details will be output in notepad text files that pop up automagically.
>
> The script is located on my website at http://www.pbbergs.com/windows/downloads.htm
>
> Just select both dcdiag and netdiag, make sure verbose is set. (Leave the default settings for dcdiag as set when selected)
>
> When complete, search for fail, error and warning messages.
>
> Description and download for dnslint: http://support.microsoft.com/kb/321045
>
> --
> Paul Bergson
> MVP - Directory Services
> MCT, MCSE, MCSA, Security+, BS CSci
> 2003, 2000 (Early Achiever), NT
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "abaratin" <abara...@gmail.com> wrote in message news:1190888183.547668.193160@w3g2000hsg.googlegroups.com...
>
>> Hi all,
>>
>> Yesterday I had a problem with WSUS3. I tried to reinstall it but it fails... Few minutes after I tried to go to the GPO settings... I receive an error "The domain controller can not be contacted Error was: Library not Registered"
>> I have this "Library not registered" error anytime I try to open something dealing with GPO's or AD.
>> I don't know what to do...
>>
>> So if you have ideas, suggestions or links with documentation it will be great...
>> I don't know Active Directory enough to solve this kind of problem...
>>
>> Thanks in advance
From: abaratin <abaratin@gmail.com>
To: none
Subject: Re: Library not registered when trying to open AD
Date: 09/27/2007 12:28:45

Thanks for your help Paul, I've finally found the solution, AD was not at fault, it was MMC!
The solution was here:
http://support.microsoft.com/?scid=kb%3Ben-us%3B887438&x=7&y=9
Thank you very much and have a nice day!
--
Alex

On 27 sep, 12:46, abaratin <abara...@gmail.com> wrote:
> Well everything seems to be ok... It was what I felt because this morning every user was able to connect to the domain...
> My feeling now is rather that mmc 3.0 is in cause... But I don't know how to install/reinstall it and what can be the consequences for users...
>
> On 27 sep, 11:49, "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote:
>> Run diagnostics against your Active Directory domain.
>>
>> If you don't have the support tools installed, install them from your server install disk.
>> d:\support\tools\setup.exe
>>
>> Run dcdiag, netdiag and repadmin in verbose mode.
>> -> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
>> -> netdiag.exe /v > c:\netdiag.log (On each dc)
>> -> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
>> -> dnslint /ad /s "ip address of your dc"
>>
>> **Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's in the forest. If you have significant numbers of DC's this test could generate significant detail and take a long time. You also want to take into account that slow links to dc's will also add to the testing time.
>>
>> If you download a gui script I wrote it should be simple to set and run (DCDiag and NetDiag). It also has the option to run individual tests without having to learn all the switch options. The details will be output in notepad text files that pop up automagically.
>>
>> The script is located on my website at http://www.pbbergs.com/windows/downloads.htm
>>
>> Just select both dcdiag and netdiag, make sure verbose is set. (Leave the default settings for dcdiag as set when selected)
>>
>> When complete, search for fail, error and warning messages.
>>
>> Description and download for dnslint: http://support.microsoft.com/kb/321045
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCT, MCSE, MCSA, Security+, BS CSci
>> 2003, 2000 (Early Achiever), NT
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "abaratin" <abara...@gmail.com> wrote in message news:1190888183.547668.193160@w3g2000hsg.googlegroups.com...
>>
>>> Hi all,
>>>
>>> Yesterday I had a problem with WSUS3. I tried to reinstall it but it fails... Few minutes after I tried to go to the GPO settings... I receive an error "The domain controller can not be contacted Error was: Library not Registered"
>>> I have this "Library not registered" error anytime I try to open something dealing with GPO's or AD.
>>> I don't know what to do...
>>>
>>> So if you have ideas, suggestions or links with documentation it will be great...
>>> I don't know Active Directory enough to solve this kind of problem...
>>>
>>> Thanks in advance
From: Al Mulnick <amulnick_No_SPAM@ncDOTrr.com>
To: none
Subject: Re: Remote Windows 2003 BDC
Date: 09/27/2007 12:47:38

Generally speaking, you could, but you would likely want to use sites to control replication and authentication traffic. You can read more about the site concept and how to configure site links, costing, etc. here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/adsrv.mspx

"MATT" <MATT@discussions.microsoft.com> wrote in message news:33B1F58B-B95A-4417-A978-6897B0E48348@microsoft.com...
> We have a Primary Domain Controller and Backup Domain Controller at our main office. We have a second office connected by a Frame Relay. We would like to add a second Backup Domain Controller at this site, and have it replicate with the DC's at the main site. The two sites are on different subnets. Can I simply add the domain controller at the remote site, and it will replicate the Active Directory?
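The site, subnet and site-link configuration Al is pointing at, as an added example that is not part of the thread or of the linked Microsoft article. It uses the ActiveDirectory PowerShell module (RSAT, Windows Server 2012 or later; in 2003 the same objects are created in Active Directory Sites and Services), and the site names, the subnet, the cost and the interval are placeholders for Matt's two-office layout:

```powershell
# Added example, not from the thread: make the remote office an AD site so replication
# to the new DC is scheduled and compressed over the site link, and so remote clients
# authenticate against their local DC instead of crossing the Frame Relay circuit.
# Needs the ActiveDirectory module; all names and addresses below are placeholders.
Import-Module ActiveDirectory

$hqSite     = 'Default-First-Site-Name'   # placeholder: the existing main-office site
$branchSite = 'Branch'                    # placeholder: the new remote-office site
$branchNet  = '10.2.0.0/24'               # placeholder: the remote office's subnet

# Site plus subnet: the subnet-to-site mapping is what the DC locator uses to send a
# client with a 10.2.0.x address to the Branch DC rather than to the main office.
New-ADReplicationSite -Name $branchSite
New-ADReplicationSubnet -Name $branchNet -Site $branchSite

# Site link over the slow circuit: a cost above the default 100 and a longer interval
# than the 15-minute default keep replication traffic on that link bounded.
New-ADReplicationSiteLink -Name "$hqSite-$branchSite" `
    -SitesIncluded $hqSite, $branchSite `
    -Cost 200 -ReplicationFrequencyInMinutes 60 `
    -InterSiteTransportProtocol IP

# Checks: every subnet should map to a site, and the new link should list both sites.
Get-ADReplicationSubnet -Filter * | Select-Object -Property Name, Site
Get-ADReplicationSiteLink -Filter * |
    Select-Object -Property Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

Do this before promoting the remote DC: a DC promoted from an address inside 10.2.0.0/24 is placed in Branch automatically, and one promoted earlier can be moved with `Move-ADDirectoryServer -Identity <DCName> -Site Branch`. From a remote client, `nltest /dsgetsite` should then print Branch, which confirms that authentication and GPO traffic stay local and only the scheduled replication crosses the link.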
From: Technical <Technical@discussions.microsoft.com>
To: none
Subject: RE: Remote Windows 2003 BDC
Date: 09/27/2007 12:57:05

Hello Matt

It will work, no extra configuration required; the only thing that you must check is the connectivity between the two sites. Also make sure that you make this BDC a GC, as you have a frame relay connection between the two sites which is normally slow.
Also make sure that the required ports are not blocked in the firewall.
If you have a Windows 2003 native environment then you can choose Install DC from media.
For more information follow this link:
http://www.petri.co.il/install_dc_from_media_in_windows_server_2003.htm
I hope the above information is helpful to you.

"MATT" wrote:
> We have a Primary Domain Controller and Backup Domain Controller at our main office. We have a second office connected by a Frame Relay. We would like to add a second Backup Domain Controller at this site, and have it replicate with the DC's at the main site. The two sites are on different subnets. Can I simply add the domain controller at the remote site, and it will replicate the Active Directory?
From: Meinolf Weber <meiweb(nospam)@gmx.de>
To: none
Subject: Re: About of Event ID : 3224
Date: 09/27/2007 09:06:16

Hello MutluOzel,

Is that DC restored, because of a failure?

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.

> Hi All,
>
> I have a problem, when I restart the domain controller I found an error.
>
> I checked these links, the problem hasn't been solved:
>
> http://support.microsoft.com/kb/q259736/
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/w2000Msgs/161.mspx?mfr=true
> http://www.eventid.net/display.asp?eventid=3224&eventno=744&source=NETLOGON&phase=1
>
> Source : Netlogon
> Category : None
> Event ID: 3224
> Changing machine account password for account havas.local. failed with the following error: The specified user already exists.
>
> For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
>
From: MutluOzel <MutluOzel@discussions.microsoft.com>
To: none
Subject: Re: About of Event ID : 3224
Date: 09/27/2007 09:32:03

Hi Weber,

We are working on the system, one primary DC and two additional DCs running, but I found the error on the primary DC (error info below).

"Meinolf Weber" wrote:
> Hello MutluOzel,
>
> Is that DC restored, because of a failure?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
>
>> Hi All,
>>
>> I have a problem, when I restart the domain controller I found an error.
>>
>> I checked these links, the problem hasn't been solved:
>>
>> http://support.microsoft.com/kb/q259736/
>> http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/w2000Msgs/161.mspx?mfr=true
>> http://www.eventid.net/display.asp?eventid=3224&eventno=744&source=NETLOGON&phase=1
>>
>> Source : Netlogon
>> Category : None
>> Event ID: 3224
>> Changing machine account password for account havas.local. failed with the following error: The specified user already exists.
>>
>> For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
>>
From: Toby1Kinobe <toby1kinobe@gmail.com>
To: none
Subject: Re: Account unknown[s-1-5-21-xxxxxxxxxxxxxxxxxxxxxx]
Date: 09/27/2007 18:44:15

It's the remnant of an account that has been removed from the domain.

"Sofi" <Sofi@discussions.microsoft.com> wrote in message news:6D22D879-5CC8-4752-BCA1-F9E3296AA6F8@microsoft.com...
> I am seeing these "ghost accounts" in the properties.
> Account Unknown[s-1-5-21-xxxxxxxxxxxxxxxx]
>
> Anyone knows what this is?
> Thanks!
> Sofia
From: Ryan Hanisco <RyanHanisco@discussions.microsoft.com>
To: none
Subject: RE: Account unknown[s-1-5-21-xxxxxxxxxxxxxxxxxxxxxx]
Date: 09/27/2007 22:36:00

Hi Sofi,

When you see the SID displayed instead of the User Name, this means that the machine displaying the account cannot resolve the name -- for whatever reason. As Toby points out, this could be a foreign security principal that is still in your domain, but the trust is gone and the name can no longer be resolved. This can also happen in cases where a trust is broken, SIDHistory filtering has been turned on for a trust, GCs and the PDCe are unavailable, or DNS problems are showing up in your domain.

The prefix is domain specific, so if this doesn't match your domain, you will know that this is a foreign account arriving across a trust. (You can look at your accounts with ADSIEdit or LDP -- make sure you are looking at a created account, not a builtin one.)

If it is inside your domain, you will want to start doing domain diagnostics to see if you can locate a problem. I've posted directions to a basic domain health check at:
http://techsterity.com/blogs/bestpractices/archive/2007/09/13/AD-Health-Check.aspx

Hope this helps.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need quickly.

"Sofi" wrote:
> I am seeing these "ghost accounts" in the properties.
> Account Unknown[s-1-5-21-xxxxxxxxxxxxxxxx]
>
> Anyone knows what this is?
> Thanks!
> Sofia
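Ryan's prefix check, done in code: an added example that is not part of his reply. It takes the SID strings you copied out of the ACL editor, extracts the domain part of each S-1-5-21 SID, compares it with your own domain SID, and separately asks the local machine whether it can translate the SID at all (the failure behind "Account Unknown"). Everything is string handling plus one .NET call, so it runs on any domain member; the domain SID and the three sample SIDs are constructed placeholders, and the Get-ADDomain call mentioned below is the real way to obtain your own value:

```powershell
# Added example, not from Ryan's post: classify unresolved SIDs by their domain prefix.
# All SIDs in this file are constructed placeholders, not real accounts.

function Get-SidDomainPrefix {
    # A domain-issued SID is S-1-5-21-<a>-<b>-<c>-<RID>; everything before the final
    # RID identifies the issuing domain. Returns $null for anything else.
    param([Parameter(Mandatory=$true)][string]$Sid)
    if ($Sid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { return $null }
    return $Sid.Substring(0, $Sid.LastIndexOf('-'))
}

function Resolve-SidOrigin {
    param(
        [Parameter(Mandatory=$true)][string]$Sid,
        [Parameter(Mandatory=$true)][string]$DomainSid   # e.g. (Get-ADDomain).DomainSID.Value
    )
    $prefix = Get-SidDomainPrefix -Sid $Sid
    if ($null -eq $prefix) {
        # S-1-5-32-* is BUILTIN, S-1-5-18/19/20 are service identities, S-1-1-0 is Everyone.
        # None of these is a "created account", which is Ryan's caveat about what to compare.
        return 'WellKnownOrBuiltin'
    }
    if ($prefix -eq $DomainSid) { return 'LocalDomain' }   # resolution failed inside your own domain
    return 'ForeignDomain'                                  # issued by another domain, i.e. across a trust
}

function Test-UnresolvedSid {
    # Ask the local security subsystem to translate the SID to DOMAIN\name.
    # An IdentityNotMappedException is exactly the state the GUI shows as "Account Unknown".
    param([Parameter(Mandatory=$true)][string]$Sid)
    try {
        $null = ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
                    [System.Security.Principal.NTAccount])
        return $false
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $true
    }
}

# Constructed sample values (placeholders, not a real domain).
$myDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
$seen = @(
    'S-1-5-21-1111111111-2222222222-3333333333-1105',  # prefix matches: one of ours
    'S-1-5-21-4444444444-5555555555-6666666666-1001',  # different prefix: foreign domain
    'S-1-5-32-544'                                      # BUILTIN\Administrators
)

foreach ($s in $seen) {
    '{0,-48} {1,-20} unresolved={2}' -f $s,
        (Resolve-SidOrigin -Sid $s -DomainSid $myDomainSid),
        (Test-UnresolvedSid -Sid $s)
}
```

On a real domain member replace $myDomainSid with `(Get-ADDomain).DomainSID.Value` (ActiveDirectory module) and feed in the SIDs from the ACL. A LocalDomain result that is also unresolved is the case Ryan says to follow up with domain diagnostics (GC, PDC emulator, DNS); a ForeignDomain result that is unresolved points at the trust, SID filtering, or a principal whose source domain no longer exists, and the foreignSecurityPrincipal object under CN=ForeignSecurityPrincipals is where to look with ADSIEdit or LDP.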
From: pcnetnet <pcnetnet@yahoo.com.hk>
To: none
Subject: Re: active directory (sub-domain)
Date: 09/27/2007 11:23:39

Hi All,
I setup the secondary DNS on my side. If the sub-domain server is down, or between root domain and sub-domain the VPN line is down, when a UK user connects via internet to our server (root domain) to logon, he must find the name server (sub-domain), so cannot logon?? Right? How to do when a sub-domain user logs on to the root domain server, is access to the root domain logon or cache the name!
Do you have any document or internet link for doing this? Thanks,

Thanks,
Patrick

"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message news:euyiBw2$HHA.5652@TK2MSFTNGP05.phx.gbl...
> I agree with Anthony. If you have an unreliable network, then you should consider placing dc's at remote sites for higher reliability.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCT, MCSE, MCSA, Security+, BS CSci
> 2003, 2000 (Early Achiever), NT
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Anthony" <anthony.spam@spammedout.com> wrote in message news:OfBcHO1$HHA.1168@TK2MSFTNGP02.phx.gbl...
>> Patrick,
>> You can solve the DNS problem by making secondaries of all sub-domain zones on your central DNS servers.
>> For something as important as your international ERP, you could also keep a replicated DC for each sub-domain at the centre.
>> Anthony, http://www.airdesk.co.uk
>>
>> "Pcnetnet" <pcnetnet@yahoo.com.hk> wrote in message news:OIXye5y$HHA.4612@TK2MSFTNGP03.phx.gbl...
>>> Hi All,
>>> I have a big problem on active directory, because our company (abc.com) has sub-domains installed at other locations (uk, us, cn...), but we have the ERP system installed at the HK office (root domain) with a citrix server, so all users connect to the ERP at the HK office and then the user logs on to windows using the subdomain name (e.g. uk.abc.com, us.abc.com). My problem is, when a UK user logs on to citrix (terminal server) using the uk.abc.com domain, then this domain name server is the UK office server connected through VPN; if this VPN line is normal, UK users have no problem on logon, but when the VPN line has a problem (e.g. disconnect) all UK users, if they connect to ERP, cannot logon to windows, because the UK user cannot find the domain name server. This is case 1; case 2 is the UK office name server has a server down, the user cannot logon to ERP, but the ERP application has no error. Do we have any method to successfully logon to ERP (citrix server) using uk.abc.com when the UK domain server is down or the VPN line is down! Thanks ALL
>>>
>>> Thanks,
>>> Patrick
>>>
>>
>
From: Anthony <anthony.spam@spammedout.com>
To: none
Subject: Re: active directory (sub-domain)
Date: 09/27/2007 11:32:24

This sounds like a big enterprise-level system. You probably should have a DC for each sub-domain at your central site.
Or get a more reliable network. The VPN should not be down that often, so presumably we are talking about something that happens once or twice a year,
Anthony, http://www.airdesk.co.uk

"pcnetnet" <pcnetnet@yahoo.com.hk> wrote in message news:%23$9NJLSAIHA.5960@TK2MSFTNGP05.phx.gbl...
> Hi All,
> I setup the secondary DNS on my side. If the sub-domain server is down, or between root domain and sub-domain the VPN line is down, when a UK user connects via internet to our server (root domain) to logon, he must find the name server (sub-domain), so cannot logon?? Right? How to do when a sub-domain user logs on to the root domain server, is access to the root domain logon or cache the name!
> Do you have any document or internet link for doing this? Thanks,
>
> Thanks,
> Patrick
>
> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message news:euyiBw2$HHA.5652@TK2MSFTNGP05.phx.gbl...
>> I agree with Anthony. If you have an unreliable network, then you should consider placing dc's at remote sites for higher reliability.
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCT, MCSE, MCSA, Security+, BS CSci
>> 2003, 2000 (Early Achiever), NT
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "Anthony" <anthony.spam@spammedout.com> wrote in message news:OfBcHO1$HHA.1168@TK2MSFTNGP02.phx.gbl...
>>> Patrick,
>>> You can solve the DNS problem by making secondaries of all sub-domain zones on your central DNS servers.
>>> For something as important as your international ERP, you could also keep a replicated DC for each sub-domain at the centre.
>>> Anthony, http://www.airdesk.co.uk
>>>
>>> "Pcnetnet" <pcnetnet@yahoo.com.hk> wrote in message news:OIXye5y$HHA.4612@TK2MSFTNGP03.phx.gbl...
>>>> Hi All,
>>>> I have a big problem on active directory, because our company (abc.com) has sub-domains installed at other locations (uk, us, cn...), but we have the ERP system installed at the HK office (root domain) with a citrix server, so all users connect to the ERP at the HK office and then the user logs on to windows using the subdomain name (e.g. uk.abc.com, us.abc.com). My problem is, when a UK user logs on to citrix (terminal server) using the uk.abc.com domain, then this domain name server is the UK office server connected through VPN; if this VPN line is normal, UK users have no problem on logon, but when the VPN line has a problem (e.g. disconnect) all UK users, if they connect to ERP, cannot logon to windows, because the UK user cannot find the domain name server. This is case 1; case 2 is the UK office name server has a server down, the user cannot logon to ERP, but the ERP application has no error. Do we have any method to successfully logon to ERP (citrix server) using uk.abc.com when the UK domain server is down or the VPN line is down! Thanks ALL
>>>>
>>>> Thanks,
>>>> Patrick
>>>>
>>>
>>
>
From: pcnetnet <pcnetnet@yahoo.com.hk>
To: none
Subject: Re: active directory (sub-domain)
Date: 09/27/2007 12:33:31

But we have about 10 sub-domains in our company, then is there no other way, I must install each sub-domain DC in the root domain, then in the root domain have up to 10 servers; and the network problem, I am afraid the VPN line is down about 3 hours, then UK users cannot logon to ERP. This problem is a network problem, but the user can connect to the ERP server using the internet, but cannot logon; it is no domain problem, it is a network problem. My boss doesn't hope to do this, how can I do????
Thanks,
Patrick

"Anthony" <anthony.spam@spammedout.com> wrote in message news:OTDnHQSAIHA.1168@TK2MSFTNGP02.phx.gbl...
> This sounds like a big enterprise-level system. You probably should have a DC for each sub-domain at your central site.
> Or get a more reliable network. The VPN should not be down that often, so presumably we are talking about something that happens once or twice a year,
> Anthony, http://www.airdesk.co.uk
>
> "pcnetnet" <pcnetnet@yahoo.com.hk> wrote in message news:%23$9NJLSAIHA.5960@TK2MSFTNGP05.phx.gbl...
>> Hi All,
>> I setup the secondary DNS on my side. If the sub-domain server is down, or between root domain and sub-domain the VPN line is down, when a UK user connects via internet to our server (root domain) to logon, he must find the name server (sub-domain), so cannot logon?? Right? How to do when a sub-domain user logs on to the root domain server, is access to the root domain logon or cache the name!
>> Do you have any document or internet link for doing this? Thanks,
>>
>> Thanks,
>> Patrick
>>
>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message news:euyiBw2$HHA.5652@TK2MSFTNGP05.phx.gbl...
>>> I agree with Anthony. If you have an unreliable network, then you should consider placing dc's at remote sites for higher reliability.
>>>
>>> --
>>> Paul Bergson
>>> MVP - Directory Services
>>> MCT, MCSE, MCSA, Security+, BS CSci
>>> 2003, 2000 (Early Achiever), NT
>>>
>>> http://www.pbbergs.com
>>>
>>> Please no e-mails, any questions should be posted in the NewsGroup
>>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>>
>>> "Anthony" <anthony.spam@spammedout.com> wrote in message news:OfBcHO1$HHA.1168@TK2MSFTNGP02.phx.gbl...
>>>> Patrick,
>>>> You can solve the DNS problem by making secondaries of all sub-domain zones on your central DNS servers.
>>>> For something as important as your international ERP, you could also keep a replicated DC for each sub-domain at the centre.
>>>> Anthony, http://www.airdesk.co.uk
>>>>
>>>> "Pcnetnet" <pcnetnet@yahoo.com.hk> wrote in message news:OIXye5y$HHA.4612@TK2MSFTNGP03.phx.gbl...
>>>>> Hi All,
>>>>> I have a big problem on active directory, because our company (abc.com) has sub-domains installed at other locations (uk, us, cn...), but we have the ERP system installed at the HK office (root domain) with a citrix server, so all users connect to the ERP at the HK office and then the user logs on to windows using the subdomain name (e.g. uk.abc.com, us.abc.com). My problem is, when a UK user logs on to citrix (terminal server) using the uk.abc.com domain, then this domain name server is the UK office server connected through VPN; if this VPN line is normal, UK users have no problem on logon, but when the VPN line has a problem (e.g. disconnect) all UK users, if they connect to ERP, cannot logon to windows, because the UK user cannot find the domain name server. This is case 1; case 2 is the UK office name server has a server down, the user cannot logon to ERP, but the ERP application has no error. Do we have any method to successfully logon to ERP (citrix server) using uk.abc.com when the UK domain server is down or the VPN line is down! Thanks ALL
>>>>>
>>>>> Thanks,
>>>>> Patrick
>>>>>
>>>>
>>>
>>
>
From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>
To: none
Subject: Re: active directory (sub-domain)
Date: 09/28/2007 07:25:14

I'm really struggling with the language barrier, so I may not have understood your problem.

1) You should have your child domain users all use the dns services at the location of their site. From what I can figure out, it sounds like they are using the dns services at the root location. If this is the case, then each child should have the root zone on their dns server and the root zone should have all the child zones on that dns server. No additional hardware would be required.

2) If the name server is down but the child dc server is available, then the child client will need to point to the root dns server as a secondary in the client's network dns configuration. The root dns server will again need to have all child zones on the root dns server.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"pcnetnet" <pcnetnet@yahoo.com.hk> wrote in message news:Oy7SKySAIHA.4444@TK2MSFTNGP03.phx.gbl...
> But we have about 10 sub-domains in our company, then is there no other way, I must install each sub-domain DC in the root domain, then in the root domain have up to 10 servers; and the network problem, I am afraid the VPN line is down about 3 hours, then UK users cannot logon to ERP. This problem is a network problem, but the user can connect to the ERP server using the internet, but cannot logon; it is no domain problem, it is a network problem. My boss doesn't hope to do this, how can I do????
> Thanks,
> Patrick
>
> "Anthony" <anthony.spam@spammedout.com> wrote in message news:OTDnHQSAIHA.1168@TK2MSFTNGP02.phx.gbl...
>> This sounds like a big enterprise-level system. You probably should have a DC for each sub-domain at your central site.
>> Or get a more reliable network. The VPN should not be down that often, so presumably we are talking about something that happens once or twice a year,
>> Anthony, http://www.airdesk.co.uk
>>
>> "pcnetnet" <pcnetnet@yahoo.com.hk> wrote in message news:%23$9NJLSAIHA.5960@TK2MSFTNGP05.phx.gbl...
>>> Hi All,
>>> I setup the secondary DNS on my side. If the sub-domain server is down, or between root domain and sub-domain the VPN line is down, when a UK user connects via internet to our server (root domain) to logon, he must find the name server (sub-domain), so cannot logon?? Right? How to do when a sub-domain user logs on to the root domain server, is access to the root domain logon or cache the name!
>>> Do you have any document or internet link for doing this? Thanks,
>>>
>>> Thanks,
>>> Patrick
>>>
>>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message news:euyiBw2$HHA.5652@TK2MSFTNGP05.phx.gbl...
>>>> I agree with Anthony. If you have an unreliable network, then you should consider placing dc's at remote sites for higher reliability.
>>>>
>>>> --
>>>> Paul Bergson
>>>> MVP - Directory Services
>>>> MCT, MCSE, MCSA, Security+, BS CSci
>>>> 2003, 2000 (Early Achiever), NT
>>>>
>>>> http://www.pbbergs.com
>>>>
>>>> Please no e-mails, any questions should be posted in the NewsGroup
>>>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>>>
>>>> "Anthony" <anthony.spam@spammedout.com> wrote in message news:OfBcHO1$HHA.1168@TK2MSFTNGP02.phx.gbl...
>>>>> Patrick,
>>>>> You can solve the DNS problem by making secondaries of all sub-domain zones on your central DNS servers.
>>>>> For something as important as your international ERP, you could also keep a replicated DC for each sub-domain at the centre.
>>>>> Anthony, http://www.airdesk.co.uk
>>>>>
>>>>> "Pcnetnet" <pcnetnet@yahoo.com.hk> wrote in message news:OIXye5y$HHA.4612@TK2MSFTNGP03.phx.gbl...
>>>>>> Hi All,
>>>>>> I have a big problem on active directory, because our company (abc.com) has sub-domains installed at other locations (uk, us, cn...), but we have the ERP system installed at the HK office (root domain) with a citrix server, so all users connect to the ERP at the HK office and then the user logs on to windows using the subdomain name (e.g. uk.abc.com, us.abc.com). My problem is, when a UK user logs on to citrix (terminal server) using the uk.abc.com domain, then this domain name server is the UK office server connected through VPN; if this VPN line is normal, UK users have no problem on logon, but when the VPN line has a problem (e.g. disconnect) all UK users, if they connect to ERP, cannot logon to windows, because the UK user cannot find the domain name server. This is case 1; case 2 is the UK office name server has a server down, the user cannot logon to ERP, but the ERP application has no error. Do we have any method to successfully logon to ERP (citrix server) using uk.abc.com when the UK domain server is down or the VPN line is down! Thanks ALL
>>>>>>
>>>>>> Thanks,
>>>>>> Patrick
>>>>>>
>>>>>
>>>>
>>>
>>
>
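Paul's two points, as configuration: an added example that is not part of his reply or of Anthony's. It uses the DnsServer and DnsClient PowerShell modules (Windows Server 2012 / Windows 8 and later; on Windows 2003 the same steps are `dnscmd /ZoneAdd <zone> /Secondary <masterIP>` and the TCP/IP properties dialog), and every server name and address is a placeholder laid out for the thread's abc.com / uk.abc.com example:

```powershell
# Added example, not from the thread: give the root DNS server a secondary copy of each
# child zone and the child DNS server a secondary copy of the root zone, then put the
# root server second in the child clients' DNS list. All names/IPs are placeholders.
$rootDns  = 'dc1.abc.com'        # placeholder: DNS server in the root domain (HK)
$childDns = 'ukdc1.uk.abc.com'   # placeholder: DNS server in the child domain (UK)
$rootIp   = '10.0.0.10'          # placeholder
$childIp  = '10.1.0.10'          # placeholder

# 1) Root DNS hosts uk.abc.com as a secondary. The child is the master, and only the
#    root server's address is allowed to pull a transfer of that zone.
Set-DnsServerPrimaryZone   -ComputerName $childDns -Name 'uk.abc.com' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $rootIp
Add-DnsServerSecondaryZone -ComputerName $rootDns  -Name 'uk.abc.com' `
    -ZoneFile 'uk.abc.com.dns' -MasterServers $childIp
# Repeat the two lines above for each of the other child zones (us.abc.com, cn.abc.com, ...).

# 2) Child DNS hosts abc.com as a secondary, the same thing the other way round, so a
#    child client that only reaches its site-local server can still resolve the root.
Set-DnsServerPrimaryZone   -ComputerName $rootDns  -Name 'abc.com' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $childIp
Add-DnsServerSecondaryZone -ComputerName $childDns -Name 'abc.com' `
    -ZoneFile 'abc.com.dns' -MasterServers $rootIp

# 3) On each child client: site-local DNS first, root DNS as the secondary entry
#    (Paul's point 2). 'Ethernet' is a placeholder interface alias; run this locally.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $childIp, $rootIp

# Check: logon needs the DC locator record for the child domain. If the root server
# answers this query, a UK user whose VPN is down can still be pointed at a UK DC.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.uk.abc.com' -Type SRV -Server $rootDns
```

The secondary copy only tells the client where the UK domain controllers are; if the VPN is down the UK DC itself is still unreachable from HK, which is why Anthony's suggestion of a DC per child domain at the centre is the part that actually keeps logon working. Where the zones are AD-integrated, storing them in the ForestDnsZones application partition replicates them to every DNS-hosting DC in the forest and makes the explicit secondaries unnecessary, at the cost of the zone data travelling with AD replication instead of zone transfers.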
From: JayDee <dopamine@mail.com>
To: none
Subject: Re: Active Directory and Reverse DNS Zones
Date: 09/25/2007 20:11:11

On Sep 25, 10:15 am, "Jorge Silva" <jorgesilva...@hotmail.com> wrote:
> -Ok, you should be fine with creating the subnet B class, the reverse lookup zone will automatically create one "folder zone" for each subnet automatically.
> - As for the error/warning your servers/workstations are trying to reach somewhere where they shouldn't and that action can represent a security issue, especially if they're trying to register in some public location.
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
> "JayDee" <dopam...@mail.com> wrote in message
>

Ok so in my example, the DNS server contains:
5.15.26
5.15.27
5.15.18

I created a reverse lookup zone called [5.15.x.x] in my test environment.
Now the following shows up:
5.15.26.x
5.15.27.x
5.15.18.x
5.15.x.x

Does this mean that the first three will continue working the way they were and any Class C addresses that start with 5.15.x.x will drop into the one I added? In other words, does the one I'm adding (5.15.x.x) work as a "catch all" for all the class C's that aren't explicitly defined?

Can creating the class B as in the example above (when there are several class C's already created) cause any foreseeable problems as far as you are aware?

Thanks.
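What JayDee is asking is a question about zone selection: a DNS server that hosts both 15.5.in-addr.arpa (the zone the console shows as "5.15.x.x") and 26.15.5.in-addr.arpa ("5.15.26.x") files a PTR record under the zone whose name is the longest suffix of the record's name, so the existing class C zones keep their records and the class B zone only catches addresses in /24s that have no zone of their own. The function below reproduces that rule so you can check any address against the zones you host. It is an added example, not part of the thread; it needs no DNS server and the zone list mirrors JayDee's test environment:

```powershell
# Added example, not from the thread: which hosted reverse zone owns the PTR for an address?
# Pure string handling; the zone list below is JayDee's layout expressed as zone names.

function ConvertTo-PtrName {
    # 5.15.26.10 -> 10.26.15.5.in-addr.arpa (octets reversed, reverse-lookup suffix added)
    param([Parameter(Mandatory=$true)][string]$IPv4)
    $octets = $IPv4.Split('.')
    if ($octets.Count -ne 4) { throw "not an IPv4 address: $IPv4" }
    [array]::Reverse($octets)
    return ($octets -join '.') + '.in-addr.arpa'
}

function Find-ReverseZone {
    param(
        [Parameter(Mandatory=$true)][string]$IPv4,
        [Parameter(Mandatory=$true)][string[]]$Zones   # reverse zones the server hosts
    )
    $ptr = ConvertTo-PtrName -IPv4 $IPv4
    # The zone whose name is the longest suffix of the PTR name owns the record, so
    # sorting longest-first makes the first hit the most specific (smallest) zone.
    $match = $Zones | Sort-Object -Property Length -Descending |
             Where-Object { $ptr -eq $_ -or $ptr.EndsWith('.' + $_) } |
             Select-Object -First 1
    if (-not $match) { return $null }
    return [pscustomobject]@{
        Address    = $IPv4
        Zone       = $match
        RecordName = $ptr.Substring(0, $ptr.Length - $match.Length - 1)  # name relative to the zone
    }
}

# JayDee's test server: three class C zones plus the new class B zone.
$hosted = @(
    '26.15.5.in-addr.arpa',   # shown as 5.15.26.x
    '27.15.5.in-addr.arpa',   # shown as 5.15.27.x
    '18.15.5.in-addr.arpa',   # shown as 5.15.18.x
    '15.5.in-addr.arpa'       # shown as 5.15.x.x
)

foreach ($ip in '5.15.26.10', '5.15.40.7', '10.0.0.1') {
    $r = Find-ReverseZone -IPv4 $ip -Zones $hosted
    if ($r) { '{0,-12} -> zone {1,-22} record {2}' -f $r.Address, $r.Zone, $r.RecordName }
    else    { '{0,-12} -> no hosted reverse zone (registration would go to a forwarder or fail)' -f $ip }
}
```

5.15.26.10 lands in 26.15.5.in-addr.arpa as record `10`, 5.15.40.7 lands in the class B zone as record `7.40`, and 10.0.0.1 matches nothing, which is the "trying to reach somewhere they shouldn't" case Jorge mentions: a client with an address outside every hosted reverse zone will send its PTR registration wherever the server forwards. The two caveats Anthony adds in the next reply map onto this directly: the client still needs the right to update the zone it lands in, and every DNS server the clients use must host (or be able to transfer) the same set of zones, or the answer differs per server.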
From: Anthony <anthony.spam@spammedout.com>
To: none
Subject: Re: Active Directory and Reverse DNS Zones
Date: 09/26/2007 03:29:43

The only things to bear in mind when you do this are:
the rights to register in DNS, if subnets are used by different domains;
the distribution of the zones, if they are not AD integrated and/or not shared by all sites.
Anthony, http://www.airdesk.co.uk

"JayDee" <dopamine@mail.com> wrote in message news:1190769071.365646.63630@19g2000hsx.googlegroups.com...
> On Sep 25, 10:15 am, "Jorge Silva" <jorgesilva...@hotmail.com> wrote:
>> -Ok, you should be fine with creating the subnet B class, the reverse lookup zone will automatically create one "folder zone" for each subnet automatically.
>> - As for the error/warning your servers/workstations are trying to reach somewhere where they shouldn't and that action can represent a security issue, especially if they're trying to register in some public location.
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MCSE, MVP Directory Services
>> "JayDee" <dopam...@mail.com> wrote in message
>>
>
> Ok so in my example, the DNS server contains:
>
> 5.15.26
> 5.15.27
> 5.15.18
>
> I created a reverse lookup zone called [5.15.x.x] in my test environment.
>
> Now the following shows up:
>
> 5.15.26.x
> 5.15.27.x
> 5.15.18.x
> 5.15.x.x
>
> Does this mean that the first three will continue working the way they were and any Class C addresses that start with 5.15.x.x will drop into the one I added? In other words, does the one I'm adding (5.15.x.x) work as a "catch all" for all the class C's that aren't explicitly defined?
>
> Can creating the class B as in the example above (when there are several class C's already created) cause any foreseeable problems as far as you are aware?
>
> Thanks.
>
Top
From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Active Directory and Reverse DNS Zones
Date: 09/26/2007 07:08:31
I'm not aware of any problems with that configuration, as long as the
workstations can register the records in the appropriate DNS.
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"JayDee" <dopamine@mail.com> wrote in message
news:1190769071.365646.63630@19g2000hsx.googlegroups.com...
> On Sep 25, 10:15 am, "Jorge Silva" <jorgesilva...@hotmail.com> wrote:
>> - Ok, you should be fine with creating the class B subnet; the reverse
>> lookup zone will automatically create one "folder zone" for each subnet.
>> - As for the error/warning, your servers/workstations are trying to reach
>> somewhere they shouldn't, and that action can represent a security
>> issue, especially if they're trying to register in some public location.
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MCSE, MVP Directory Services
>>
>> "JayDee" <dopam...@mail.com> wrote in message
>
> Ok so in my example, the DNS server contains:
>
> 5.15.26
> 5.15.27
> 5.15.18
>
> I created a reverse lookup zone called [5.15.x.x] in my test
> environment.
>
> Now the following shows up:
>
> 5.15.26.x
> 5.15.27.x
> 5.15.18.x
> 5.15.x.x
>
> Does this mean that the first three will continue working the way they
> were and any class C addresses that start with 5.15.x.x will drop into
> the one I added? In other words, does the one I'm adding (5.15.x.x)
> work as a "catch all" for all the class C's that aren't explicitly
> defined?
>
> Can creating the class B as in the example above (when there are
> several class C's already created) cause any foreseeable problems as
> far as you are aware?
>
> Thanks.
Top
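Added example for the reverse-zone thread above (this is editorial code, not from JayDee, Anthony or Jorge). It expresses the zone layout JayDee describes, and the two cautions in Anthony's and Jorge's replies, with the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT; the 2003-era equivalent is dnscmd.exe). The server name is an assumption; 5.15.0.0/16 and the existing /24 zones are the thread's own values. The check a practitioner wants is the DynamicUpdate setting: a reverse zone that still accepts nonsecure updates lets any host on the wire rewrite PTR records, which is the registration risk Jorge points at.

```powershell
# Added example, not code from the thread. Requires the DnsServer module.
# $DnsServer is an assumed name; 5.15.0.0/16 and the /24s are the thread's values.
$DnsServer = 'dc1.corp.example'

# 1. Inventory existing reverse zones and how they accept registrations.
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.IsReverseLookupZone } |
    Select-Object ZoneName, DynamicUpdate, IsDsIntegrated, ReplicationScope

# 2. Add the class B (/16) zone: AD-integrated, secure dynamic updates only.
Add-DnsServerPrimaryZone -ComputerName $DnsServer -NetworkId '5.15.0.0/16' `
    -ReplicationScope Domain -DynamicUpdate Secure

# 3. Which zone owns the PTR for a host? The most specific zone wins, so the
#    existing /24 zones keep their records and only unlisted /24s fall through
#    to 15.5.in-addr.arpa, which is the "catch all" behaviour JayDee asked about.
function Get-OwningReverseZone {
    param([Parameter(Mandatory)][string]$IPv4Address)
    $o = $IPv4Address.Split('.')
    $zoneNames = (Get-DnsServerZone -ComputerName $DnsServer |
        Where-Object { $_.IsReverseLookupZone }).ZoneName
    foreach ($candidate in @("$($o[2]).$($o[1]).$($o[0]).in-addr.arpa",
                             "$($o[1]).$($o[0]).in-addr.arpa",
                             "$($o[0]).in-addr.arpa")) {
        if ($zoneNames -contains $candidate) { return $candidate }
    }
    return $null   # no reverse zone covers this address
}
Get-OwningReverseZone '5.15.26.10'   # 26.15.5.in-addr.arpa (existing /24)
Get-OwningReverseZone '5.15.40.10'   # 15.5.in-addr.arpa (the new /16)

# 4. Hardening check: any AD-integrated reverse zone still on NonsecureAndSecure
#    lets an unauthenticated host overwrite PTR records. Switch those to Secure.
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.IsReverseLookupZone -and $_.IsDsIntegrated -and $_.DynamicUpdate -ne 'Secure' } |
    ForEach-Object {
        Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $_.ZoneName -DynamicUpdate Secure
    }
```

With Secure updates, a machine can only register a PTR if it is a member of a domain trusted by the zone's domain and has write access to the record, which is Anthony's first caveat; a zone that is not AD-integrated, or replicated to only some DCs, needs its transfer or replication scope planned so every site's clients can reach a writable copy, which is his second.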
From: Ryan Hanisco <RyanHanisco@discussions.microsoft.com>
To: none
Subject: RE: AD printers - server-centric, am i missing something?
Date: 09/27/2007 22:44:01
jzabrams,

Publishing printers in the directory allows printers to be searched out and
classified in the directory. They are, however, still server resources.

You can take advantage of clustering or even round-robin DNS to share them
between servers (printmig to copy printers) and use a CNAME record to refer
to them as a virtual server, \\print perhaps.

If you are using Server 2003 R2, there is a complete revamp of printing
services that will allow you to assign printers based on policy or group
membership. It is definitely worth looking into. Of course, you can use
simple VB scripts to accomplish the same things on logon.

I hope this helps. The power of AD is in the multi-master nature of its
object management, not really in its printer handling.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
www.techsterity.com
Chicago, IL
Remember: Marking helpful answers helps everyone find the info they need
quickly.

"jzabrams" wrote:
> We just finished upgrading an NT4 domain to AD. Now, I thought the
> whole point of AD was to make network resources directory-centric
> rather than server-centric. My printers are all published in AD,
> however nowhere do I see how to refer to them without reference to
> the server they're shared from. I.e., I was under the impression I
> should now be able to refer to the printer similar to \\domainname
> \printer, rather than \\server\printer? I think I'm missing
> something?
>
> Thanks,
Top
From: Thylo <Thylo@discussions.microsoft.com>
To: none
Subject: RE: AD printers - server-centric, am i missing something?
Date: 09/27/2007 22:51:00
Hi,

AD allows you to search for printers without having to know which server
they're located on first, as you had to in NT.

To add a printer to a workstation, choose network printer and then use the
"Find printer in the directory" option; it will bring up a search window. If
you click "Find Now" without filling in any details, it will find all of the
printers in the directory, or you can refine it by filling in some of the
details.

If you know the server that they're on, you can just type the direct path in
as you would with NT. The directory search can make it easier for end users
to install printers, if you want them to be able to do that!

Hope that helps,
--
Leigh
MCSE (NT4, 2000)

"jzabrams" wrote:
> We just finished upgrading an NT4 domain to AD. Now, I thought the
> whole point of AD was to make network resources directory-centric
> rather than server-centric. My printers are all published in AD,
> however nowhere do I see how to refer to them without reference to
> the server they're shared from. I.e., I was under the impression I
> should now be able to refer to the printer similar to \\domainname
> \printer, rather than \\server\printer? I think I'm missing
> something?
>
> Thanks,
Top
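Added example for the printer thread above (editorial code, not from Ryan, Leigh or jzabrams). It does in PowerShell what Leigh's "Find printer in the directory" dialog does: query the printQueue objects that publishing creates, then connect using the uNCName the directory hands back, which is still \\server\share, as Ryan says. Requires the ActiveDirectory and PrintManagement modules; the printer names are assumptions.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory and
# PrintManagement modules. The printer names used below are assumptions.
function Get-PublishedPrinter {
    # Published printers are printQueue objects stored under the print
    # server's computer object; searching the directory finds them without
    # knowing the server first. The uNCName still points at \\server\share.
    param([string]$NameFilter = '*')
    Get-ADObject -LDAPFilter "(&(objectCategory=printQueue)(printerName=$NameFilter))" `
        -Properties printerName, serverName, uNCName, location, driverName |
        Select-Object printerName, serverName, uNCName, location, driverName
}

# Search the directory the way the "Find printer in the directory" dialog does.
Get-PublishedPrinter -NameFilter 'HR-*'

# Connect a workstation to the first match; the connection is still server-based,
# so the server name (or a CNAME such as \\print) is what the client talks to.
$queue = Get-PublishedPrinter -NameFilter 'HR-Laser' | Select-Object -First 1
if ($queue) { Add-Printer -ConnectionName $queue.uNCName }

# On the print server: share and publish a queue so the directory lists it.
Set-Printer -Name 'HR-Laser' -Shared $true -ShareName 'HR-Laser' -Published $true
```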
From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: AD, DNS, Wins, IP question
Date: 09/26/2007 15:05:01
Hi
Each WINS server should only point to itself in the WINS configuration, the
clients should point to both WINS servers, and both WINS servers should
have each other as replication partners.
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"James" <acidflea@hotmail.com> wrote in message
news:%23txmouGAIHA.484@TK2MSFTNGP06.phx.gbl...
> Here is what I have. We are replacing one of our domain controllers with a
> new server. I have promoted the new server and moved the roles from the
> old server to the new server. The old server was also running DNS and
> WINS so I installed DNS and WINS on the new server. The old server IP is
> say 192.168.1.131 and new is 192.168.1.120. I do not want to change the
> clients' DNS and WINS addresses to point to 192.168.1.120 so after I
> demoted the old server and turned it off I added the old server IP of .131
> to the new server as a second IP on the same network card as the current
> .120 IP. So I now have the new server with both IP addresses on the same
> network card (which I have done before and seems to work fine). My only
> issue is the WINS server: I am not seeing any clients registering. I do see
> that on the WINS server it is showing that it is running on the .120
> address and the clients are pointing to the .131 address even though they
> are on the same network card.
>
> Is there a setting that I can change to make the WINS server work on both
> network addresses like I can within the DNS server?
>
> If not what would be the easiest way to fix this?
>
> Should I change the main IP of the server to be .131 and use the .120 as
> the secondary IP?
>
> Should I just change the IP address of the new server to .131 and remove
> the .120 and if so what issues will I have by changing the IP address of a
> domain controller?
>
> Thanks,
> James
Top
From: James <acidflea@hotmail.com>
To: none
Subject: Re: AD, DNS, Wins, IP question
Date: 09/26/2007 15:19:44
Jorge,
I only have one WINS server.

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
news:OOlRAiHAIHA.4732@TK2MSFTNGP04.phx.gbl...
> Hi
> Each WINS server should only point to itself in the WINS configuration, the
> clients should point to both WINS servers, and both WINS servers should
> have each other as replication partners.
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
>
> "James" <acidflea@hotmail.com> wrote in message
> news:%23txmouGAIHA.484@TK2MSFTNGP06.phx.gbl...
>> Here is what I have. We are replacing one of our domain controllers with
>> a new server. I have promoted the new server and moved the roles from
>> the old server to the new server. The old server was also running DNS
>> and WINS so I installed DNS and WINS on the new server. The old server
>> IP is say 192.168.1.131 and new is 192.168.1.120. I do not want to change
>> the clients' DNS and WINS addresses to point to 192.168.1.120 so after I
>> demoted the old server and turned it off I added the old server IP of
>> .131 to the new server as a second IP on the same network card as the
>> current .120 IP. So I now have the new server with both IP addresses on the
>> same network card (which I have done before and seems to work fine). My
>> only issue is the WINS server: I am not seeing any clients registering. I
>> do see that on the WINS server it is showing that it is running on the
>> .120 address and the clients are pointing to the .131 address even though
>> they are on the same network card.
>>
>> Is there a setting that I can change to make the WINS server work on both
>> network addresses like I can within the DNS server?
>>
>> If not what would be the easiest way to fix this?
>>
>> Should I change the main IP of the server to be .131 and use the .120 as
>> the secondary IP?
>>
>> Should I just change the IP address of the new server to .131 and remove
>> the .120 and if so what issues will I have by changing the IP address of
>> a domain controller?
>>
>> Thanks,
>> James
>
Top
From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: AD, DNS, Wins, IP question
Date: 09/26/2007 16:09:21
Using the WINS console, can you connect to the additional IP?
If you uninstall the WINS server and re-install it again (now that you have 2 IP
addresses), does it solve the problem?
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"James" <acidflea@hotmail.com> wrote in message
news:Oi6l0qHAIHA.1168@TK2MSFTNGP02.phx.gbl...
> Jorge,
> I only have one WINS server.
>
> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
> news:OOlRAiHAIHA.4732@TK2MSFTNGP04.phx.gbl...
>> Hi
>> Each WINS server should only point to itself in the WINS configuration, the
>> clients should point to both WINS servers, and both WINS servers should
>> have each other as replication partners.
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MCSE, MVP Directory Services
>>
>> "James" <acidflea@hotmail.com> wrote in message
>> news:%23txmouGAIHA.484@TK2MSFTNGP06.phx.gbl...
>>> Here is what I have. We are replacing one of our domain controllers with
>>> a new server. I have promoted the new server and moved the roles from
>>> the old server to the new server. The old server was also running DNS
>>> and WINS so I installed DNS and WINS on the new server. The old server
>>> IP is say 192.168.1.131 and new is 192.168.1.120. I do not want to
>>> change the clients' DNS and WINS addresses to point to 192.168.1.120 so
>>> after I demoted the old server and turned it off I added the old server
>>> IP of .131 to the new server as a second IP on the same network card as
>>> the current .120 IP. So I now have the new server with both IP addresses
>>> on the same network card (which I have done before and seems to work
>>> fine). My only issue is the WINS server: I am not seeing any clients
>>> registering. I do see that on the WINS server it is showing that it is
>>> running on the .120 address and the clients are pointing to the .131
>>> address even though they are on the same network card.
>>>
>>> Is there a setting that I can change to make the WINS server work on
>>> both network addresses like I can within the DNS server?
>>>
>>> If not what would be the easiest way to fix this?
>>>
>>> Should I change the main IP of the server to be .131 and use the .120 as
>>> the secondary IP?
>>>
>>> Should I just change the IP address of the new server to .131 and remove
>>> the .120 and if so what issues will I have by changing the IP address of
>>> a domain controller?
>>>
>>> Thanks,
>>> James
>>
>
Top
From: Lee Flight <lef@le.ac.uk-nospam>
To: none
Subject: Re: ADAM - dsacls - Proper Create Child permissions on subobjects
Date: 09/27/2007 05:04:45
Hi
I do not think you need the deny for delete.
Just grant GR with inheritance on the naming context and then GWCC with
inheritance on the cn=profiles subtree for the role you created. Delete should
not be possible unless you have granted it directly or it is granted
indirectly (nested role).

Lee Flight

"Noremac" <Noremac@newsgroups.nospam> wrote in message
news:5C05CD9F-AC94-400F-89C2-EEAC6B88DF49@microsoft.com...
> Like a few other posters out there I am a veteran developer using ADAM and
> LDAP for the first time. Right now I am trying to get this to work on my
> developer machine XP SP2. ADAM is installed locally.
>
> I am trying to set up least-privileged access to the data in our ADAM for a
> WebSSO solution we are building. I have a group under Roles called
> MembershipProvider to which I've added ASPNET, as the code doing the work
> is a .NET Web Service.
>
> It has been working flawlessly except for this scenario: I cannot add a
> child object to an object I just created at runtime; it totally crashes
> the ADAM service with a COM security exception. I have to start the service
> manually.
>
> I have a container for our Profile objects. These are successfully created
> by the ASPNET identity at runtime. However, ASPNET cannot add Message
> objects to those Profiles. If I run this code from my test harness that
> uses me (a local administrator) as the identity, the Messages get added to
> the Profiles.
>
> Here are my dsacls:
>
> rem Grant the role read access to ADAM instance
> %SYSTEMROOT%\ADAM\dsacls.exe \\%1\CN=WebSSO /I:T /G CN=MembershipProvider,CN=Roles,CN=WebSSO:GR
>
> rem Grant the role create and update Profiles and children of Profiles like Messages
> %SYSTEMROOT%\ADAM\dsacls.exe \\%1\CN=Profiles,CN=WebSSO /I:T /G CN=MembershipProvider,CN=Roles,CN=WebSSO:GW
> %SYSTEMROOT%\ADAM\dsacls.exe \\%1\CN=Profiles,CN=WebSSO /I:T /G CN=MembershipProvider,CN=Roles,CN=WebSSO:CC
>
> rem DENY the role the ability to delete Profiles
> %SYSTEMROOT%\ADAM\dsacls.exe \\%1\CN=Profiles,CN=WebSSO /I:S /D CN=MembershipProvider,CN=Roles,CN=WebSSO:DT;;coc-WebSSO-Profile
>
> Thanks!
Top
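Added example for the ADAM thread above (editorial code, not Lee's or Noremac's). It applies Lee's suggestion as a PowerShell wrapper around the same dsacls.exe that Noremac used: GR inherited from the naming context, GWCC inherited on the CN=Profiles subtree, and no explicit deny, then lists the resulting ACEs so you can confirm the role holds no DT right. The instance address localhost:389 is an assumption (ADAM instances are addressed as host:port); the role DN and container names are from the post. Run it as an account that owns the naming context.

```powershell
# Added example, not code from the thread. Wraps the ADAM copy of dsacls.exe.
# localhost:389 is an assumed instance address; the DNs are from the post.
$Dsacls   = Join-Path $env:SystemRoot 'ADAM\dsacls.exe'
$Instance = 'localhost:389'
$Role     = 'CN=MembershipProvider,CN=Roles,CN=WebSSO'

function Invoke-Dsacls {
    # Runs dsacls with the given arguments and fails loudly on a non-zero exit,
    # so a typo in a DN does not silently leave the ACL unchanged.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $out = & $Dsacls @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed: $($Arguments -join ' ')`n$out" }
    $out
}

# 1. Read everything in the naming context (inherited to all objects: /I:T).
Invoke-Dsacls @("\\$Instance\CN=WebSSO", '/I:T', '/G', "${Role}:GR") | Out-Null

# 2. Generic write plus create child on CN=Profiles and everything beneath it.
#    This is what the ASPNET identity needs to add Message objects under the
#    Profile objects it created itself at run time.
Invoke-Dsacls @("\\$Instance\CN=Profiles,CN=WebSSO", '/I:T', '/G', "${Role}:GWCC") | Out-Null

# 3. Verify. Only ACEs for the role are shown; expect GR on CN=WebSSO and GWCC on
#    CN=Profiles, and no DT. Delete stays impossible unless something grants it
#    directly or through a nested role, so no deny ACE is needed.
foreach ($dn in 'CN=WebSSO', 'CN=Profiles,CN=WebSSO') {
    "--- $dn"
    Invoke-Dsacls @("\\$Instance\$dn") | Where-Object { $_ -match 'MembershipProvider' }
}
```

The verification step is the part worth keeping in a deployment script: an explicit deny is easy to reason about but also easy to forget when the role is later nested into another, whereas a listing that shows exactly which rights the role holds catches both cases.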
From: Lee Flight <lef@le.ac.uk-nospam>
To: none
Subject: Re: ADAMsync not syncing all items
Date: 09/26/2007 03:37:01
Hi
What access does the account (steves) have to objects in
the source AD? Are you getting any errors in the log files?

Lee Flight

"stevestites" <stevestites.2xhlrg@DoNotSpam.com> wrote in message
news:stevestites.2xhlrg@DoNotSpam.com...
>
> I'm new to ADAM and have set up an instance per the ADAM step-by-step
> guide. I can get some of the objects to sync but not all. Here's my
> xml config:
>
> <description>Federal->ADAM Sync</description>
> <security-mode>object</security-mode>
> <source-ad-name>feddc01</source-ad-name>
> <source-ad-partition>dc=federal,dc=com</source-ad-partition>
> <source-ad-account>steves</source-ad-account>
> <account-domain>federal.com</account-domain>
> <target-dn>o=Netpro,c=US</target-dn>
> <query>
>   <base-dn>ou=Federal Employees,dc=federal,dc=com</base-dn>
>   <object-filter>(objectClass=*)</object-filter>
>   <attributes>
>     <include></include>
>     <exclude>extensionName</exclude>
>     <exclude>displayNamePrintable</exclude>
>     <exclude>flags</exclude>
>     <exclude>isPrivelegeHolder</exclude>
>     <exclude>msCom-UserLink</exclude>
>     <exclude>msCom-PartitionSetLink</exclude>
>     <exclude>reports</exclude>
>     <exclude>serviceprincipalname</exclude>
>     <exclude>accountExpires</exclude>
>     <exclude>adminCount</exclude>
>     <exclude>primarygroupid</exclude>
>     <exclude>userAccountControl</exclude>
>     <exclude>codePage</exclude>
>     <exclude>countryCode</exclude>
>     <exclude>logonhours</exclude>
>     <exclude>lockoutTime</exclude>
>   </attributes>
> </query>
>
> When syncing I get the top level OU (Federal Employees) and then 3 of
> the 2nd level OUs. I also get several of these in the log file:
>
> Processing Entry: Page 3, Frame 1, Entry 19, Count 1, USN 0
> Processing source entry <guid=7da2bf0f051bbc4c91439f93e8b1238b>
> Previous entry took 0 seconds (0, 0) to process
>
> Processing Entry: Page 3, Frame 1, Entry 20, Count 1, USN 0
> Processing source entry <guid=96b6cad705e15243be7df99a523e1848>
> Previous entry took 0 seconds (0, 0) to process
>
> Processing Entry: Page 3, Frame 1, Entry 21, Count 1, USN 0
> Processing source entry <guid=95becf0f278f4f48b9eb9cde06a523c5>
> Previous entry took 0 seconds (0, 0) to process
>
> Processing Entry: Page 3, Frame 1, Entry 22, Count 1, USN 0
> Processing source entry <guid=1bd50fdb00c73743a25a4301453d7c97>
> Processing in-scope entry 1bd50fdb00c73743a25a4301453d7c97.
> Adding target object CN=Magaret
> Bannister,OU=Texas,OU=Manufacturing,OU=Federal Employees,o=Netpro,c=US.
> Deferring synchronization of attribute showinaddressbook to end of run.
> Deleting attribute.
> Adding attributes: sourceobjectguid, objectCla-
>
> The last entry shows a user that is getting synced but the object never
> shows up in ldp or adsiedit. I'm stumped. Any ideas?
>
> Steve
>
> --
> stevestites
> ------------------------------------------------------------------------
> stevestites's Profile: http://forums.techarena.in/member.php?userid=31744
> View this thread: http://forums.techarena.in/showthread.php?t=824003
>
> http://forums.techarena.in
>
Top
From: Ranjan <Ranjan@discussions.microsoft.com>
To: none
Subject: RE: Adding Custom Attribute
Date: 09/27/2007 10:30:06
Can somebody help me out?

"Ranjan" wrote:
> Hi
> I just want to add a custom attribute, Date of birth, and how can I make it
> visible to ADUC? I know the creation process of the attribute but I don't
> know how to make it visible.
Top
From: jwd <jwd@discussions.microsoft.com>
To: none
Subject: RE: Adding Custom Attribute
Date: 09/27/2007 11:04:03
If you add new attributes to the schema you need to have a custom front end
to view them.

Are you sure you know how to create a new attribute? Modifying the schema
is something you should fully understand before even thinking about making
changes.

Best Regards
Joe Dunn MCSE

"Ranjan" wrote:
> Can somebody help me out?
>
> "Ranjan" wrote:
>> Hi
>> I just want to add a custom attribute, Date of birth, and how can I make
>> it visible to ADUC? I know the creation process of the attribute but I
>> don't know how to make it visible.
Top
From: Ranjan <Ranjan@discussions.microsoft.com>
To: none
Subject: RE: Adding Custom Attribute
Date: 09/27/2007 11:18:03
Yes, I know how to create a new attribute and I have some overview of the AD
schema. I have gone through the process of adding employeeID and making it
visible in the admin-context-menu, but I want to make it visible in
admin-property-pages.

"jwd" wrote:
> If you add new attributes to the schema you need to have a custom front end
> to view them.
>
> Are you sure you know how to create a new attribute? Modifying the schema
> is something you should fully understand before even thinking about making
> changes.
>
> Best Regards
> Joe Dunn MCSE
>
> "Ranjan" wrote:
>> Can somebody help me out?
>>
>> "Ranjan" wrote:
>>> Hi
>>> I just want to add a custom attribute, Date of birth, and how can I
>>> make it visible to ADUC? I know the creation process of the attribute
>>> but I don't know how to make it visible.
Top
From: Ranjan <Ranjan@discussions.microsoft.com>
To: none
Subject: RE: Adding Custom Attribute
Date: 09/27/2007 11:23:02
Similar to the employeeID example, I have created one for date of birth. As a
Unicode string it is working fine, but using that we can add any value. I
want it in a proper date time format. I have tried it as UTC coded time but
it is not accepting the value, giving an error.

"Ranjan" wrote:
> Yes, I know how to create a new attribute and I have some overview of the
> AD schema. I have gone through the process of adding employeeID and making
> it visible in the admin-context-menu, but I want to make it visible in
> admin-property-pages.
>
> "jwd" wrote:
>> If you add new attributes to the schema you need to have a custom front
>> end to view them.
>>
>> Are you sure you know how to create a new attribute? Modifying the schema
>> is something you should fully understand before even thinking about
>> making changes.
>>
>> Best Regards
>> Joe Dunn MCSE
>>
>> "Ranjan" wrote:
>>> Can somebody help me out?
>>>
>>> "Ranjan" wrote:
>>>> Hi
>>>> I just want to add a custom attribute, Date of birth, and how can I
>>>> make it visible to ADUC? I know the creation process of the attribute
>>>> but I don't know how to make it visible.
Top
From: Joe Kaplan <joseph.e.kaplan@removethis.accenture.com>
To: none
Subject: Re: Adding Custom Attribute
Date: 09/27/2007 12:23:37
The MSDN documentation for extending the ADUC UI is right here:
http://msdn2.microsoft.com/en-us/library/ms676902.aspx

You basically need to implement the correct COM interfaces in C++ to create
a new property page and integrate it with ADUC. Then, you have to figure
out how to get your custom extension deployed to all of the machines that
will need to use it.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Ranjan" <Ranjan@discussions.microsoft.com> wrote in message
news:9550468D-63BB-4FDD-AAB2-5536D833B8F7@microsoft.com...
> Similar to the employeeID example, I have created one for date of birth. As
> a Unicode string it is working fine, but using that we can add any value. I
> want it in a proper date time format. I have tried it as UTC coded time but
> it is not accepting the value, giving an error.
>
> "Ranjan" wrote:
>> Yes, I know how to create a new attribute and I have some overview of the
>> AD schema. I have gone through the process of adding employeeID and
>> making it visible in the admin-context-menu, but I want to make it
>> visible in admin-property-pages.
>>
>> "jwd" wrote:
>>> If you add new attributes to the schema you need to have a custom front
>>> end to view them.
>>>
>>> Are you sure you know how to create a new attribute? Modifying the
>>> schema is something you should fully understand before even thinking
>>> about making changes.
>>>
>>> Best Regards
>>> Joe Dunn MCSE
>>>
>>> "Ranjan" wrote:
>>>> Can somebody help me out?
>>>>
>>>> "Ranjan" wrote:
>>>>> Hi
>>>>> I just want to add a custom attribute, Date of birth, and how can I
>>>>> make it visible to ADUC? I know the creation process of the
>>>>> attribute but I don't know how to make it visible.
Top
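Added example for the custom-attribute thread above (editorial code, not Ranjan's, Joe Dunn's or Joe Kaplan's). Ranjan's remaining problem is that the UTC Coded Time attribute rejects the value he writes. The syntax does not take a .NET DateTime; over LDAP a Generalized Time value (the same oMSyntax that whenCreated uses) is the string yyyyMMddHHmmss.0Z in UTC. The attribute name dateOfBirth and the user account are assumptions, and the example requires the ActiveDirectory module.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory module.
# Assumes a custom attribute named dateOfBirth created with the UTC Coded Time
# syntax in its Generalized Time form (oMSyntax 24, as used by whenCreated).
function ConvertTo-GeneralizedTime {
    # LDAP wants the literal string form, in UTC, not a DateTime object.
    param([Parameter(Mandatory)][datetime]$Date)
    $Date.ToUniversalTime().ToString('yyyyMMddHHmmss') + '.0Z'
}

function ConvertFrom-GeneralizedTime {
    # Validate the shape before parsing so a value written as a Unicode
    # string by some other tool is rejected rather than misread.
    param([Parameter(Mandatory)][string]$Value)
    if ($Value -notmatch '^\d{14}\.0Z$') { throw "Not a GeneralizedTime string: $Value" }
    [datetime]::ParseExact($Value.Substring(0, 14), 'yyyyMMddHHmmss',
        [System.Globalization.CultureInfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::AssumeUniversal)
}

$user = 'jdoe'                                        # assumed sAMAccountName
$dob  = ConvertTo-GeneralizedTime (Get-Date '1980-05-17')   # -> 19800517hhmmss.0Z (UTC)

# Write the value in the form the syntax accepts.
Set-ADUser -Identity $user -Replace @{ dateOfBirth = $dob }

# Read it back; for a custom attribute the module returns the raw string,
# so convert it to a DateTime for display or validation.
$raw = (Get-ADUser -Identity $user -Properties dateOfBirth).dateOfBirth
ConvertFrom-GeneralizedTime $raw
```

Unlike the Unicode string workaround Ranjan mentions, a value that is not a well-formed Generalized Time is refused by the directory itself, which is the validation he was after; the ADUC property page that Joe Kaplan describes is only needed to make the value visible and editable in the console.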
From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: adding workstation to domain - access is denied
Date: 09/26/2007 11:37:47
Hello,

Take care about ms-DS-MachineAccountQuota. By default, they lose the
delegation every 10 computers.

http://lordoftheping.blogspot.com/2007/09/default-limit-to-number-of-workstations.html

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"Tina" <tina@nospam.postalias> wrote in message
news:2952A708-4776-4CDA-B313-2B2C6EEDC966@microsoft.com...
> When IT staff add XP workstations to our Server 2003 Active Directory
> domain, they get "Access is denied" errors. I have given the "ITGroup"
> security group "create computer account" and "delete computer account"
> on the computer OU and the workstation OU (I changed the default
> container workstations go in when they are added to the domain). When a
> workstation is added to the domain, they go into the Workstation OU. I
> also checked the Domain Controller Security Policy under administrative
> tools, and the Add workstation to domain has authenticated user, and
> ITGroup. No matter what I change, I still get the error. Please help.
> Tina
Top
From: Tina <tina@nospam.postalias>
To: none
Subject: Re: adding workstation to domain - access is denied
Date: 09/26/2007 11:48:03
I know they are only allowed to add 10. How do I give them the right to add
unlimited?

"Mathieu CHATEAU" wrote:
> Hello,
>
> Take care about ms-DS-MachineAccountQuota. By default, they lose the
> delegation every 10 computers.
>
> http://lordoftheping.blogspot.com/2007/09/default-limit-to-number-of-workstations.html
>
> --
> Cordialement,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
> "Tina" <tina@nospam.postalias> wrote in message
> news:2952A708-4776-4CDA-B313-2B2C6EEDC966@microsoft.com...
>> When IT staff add XP workstations to our Server 2003 Active Directory
>> domain, they get "Access is denied" errors. I have given the "ITGroup"
>> security group "create computer account" and "delete computer account"
>> on the computer OU and the workstation OU (I changed the default
>> container workstations go in when they are added to the domain). When a
>> workstation is added to the domain, they go into the Workstation OU. I
>> also checked the Domain Controller Security Policy under administrative
>> tools, and the Add workstation to domain has authenticated user, and
>> ITGroup. No matter what I change, I still get the error. Please help.
>> Tina
>
Top
From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: adding workstation to domain - access is denied
Date: 09/26/2007 11:51:21
Follow the KB on my blog!
http://support.microsoft.com/kb/243327/en-us

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"Tina" <tina@nospam.postalias> wrote in message
news:6452B83B-78CE-4ECF-8861-535F57764B05@microsoft.com...
> I know they are only allowed to add 10. How do I give them the right to add
> unlimited?
>
> "Mathieu CHATEAU" wrote:
>> Hello,
>>
>> Take care about ms-DS-MachineAccountQuota. By default, they lose the
>> delegation every 10 computers.
>>
>> http://lordoftheping.blogspot.com/2007/09/default-limit-to-number-of-workstations.html
>>
>> --
>> Cordialement,
>> Mathieu CHATEAU
>> http://lordoftheping.blogspot.com
>>
>> "Tina" <tina@nospam.postalias> wrote in message
>> news:2952A708-4776-4CDA-B313-2B2C6EEDC966@microsoft.com...
>>> When IT staff add XP workstations to our Server 2003 Active Directory
>>> domain, they get "Access is denied" errors. I have given the "ITGroup"
>>> security group "create computer account" and "delete computer account"
>>> on the computer OU and the workstation OU (I changed the default
>>> container workstations go in when they are added to the domain). When a
>>> workstation is added to the domain, they go into the Workstation OU. I
>>> also checked the Domain Controller Security Policy under administrative
>>> tools, and the Add workstation to domain has authenticated user, and
>>> ITGroup. No matter what I change, I still get the error. Please help.
>>> Tina
>>
Top
From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: adding workstation to domain - access is denied
Date: 09/26/2007 12:07:18
Hi
Please check the following:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"Mathieu CHATEAU" <gollum123@free.fr> wrote in message
news:%23sT%2341FAIHA.1164@TK2MSFTNGP02.phx.gbl...
> Follow the KB on my blog!
> http://support.microsoft.com/kb/243327/en-us
>
> --
> Cordialement,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
> "Tina" <tina@nospam.postalias> wrote in message
> news:6452B83B-78CE-4ECF-8861-535F57764B05@microsoft.com...
>> I know they are only allowed to add 10. How do I give them the right to
>> add unlimited?
>>
>> "Mathieu CHATEAU" wrote:
>>> Hello,
>>>
>>> Take care about ms-DS-MachineAccountQuota. By default, they lose the
>>> delegation every 10 computers.
>>>
>>> http://lordoftheping.blogspot.com/2007/09/default-limit-to-number-of-workstations.html
>>>
>>> --
>>> Cordialement,
>>> Mathieu CHATEAU
>>> http://lordoftheping.blogspot.com
>>>
>>> "Tina" <tina@nospam.postalias> wrote in message
>>> news:2952A708-4776-4CDA-B313-2B2C6EEDC966@microsoft.com...
>>>> When IT staff add XP workstations to our Server 2003 Active Directory
>>>> domain, they get "Access is denied" errors. I have given the "ITGroup"
>>>> security group "create computer account" and "delete computer account"
>>>> on the computer OU and the workstation OU (I changed the default
>>>> container workstations go in when they are added to the domain). When
>>>> a workstation is added to the domain, they go into the Workstation OU.
>>>> I also checked the Domain Controller Security Policy under
>>>> administrative tools, and the Add workstation to domain has
>>>> authenticated user, and ITGroup. No matter what I change, I still get
>>>> the error. Please help.
>>>> Tina
>>>
>
Top
From: Technical <Technical@discussions.microsoft.com>
To: none
Subject: RE: adding workstation to domain - access is denied
Date: 09/26/2007 12:30:02
Hello Tina,

Can you please paste the netsetup.log from the client/workstation where you
are getting this error message? You can find netsetup.log in the
c:\windows\debug folder.

"Tina" wrote:
> When IT staff add XP workstations to our Server 2003 Active Directory
> domain, they get "Access is denied" errors. I have given the "ITGroup"
> security group "create computer account" and "delete computer account"
> on the computer OU and the workstation OU (I changed the default
> container workstations go in when they are added to the domain). When a
> workstation is added to the domain, they go into the Workstation OU. I
> also checked the Domain Controller Security Policy under administrative
> tools, and the Add workstation to domain has authenticated user, and
> ITGroup. No matter what I change, I still get the error. Please help.
> Tina
Top
From: v-kzhao@online.microsoft.com (Ken Zhao [MSFT])
To: none
Subject: RE: adding workstation to domain - access is denied
Date: 09/26/2007 22:24:59
Thanks for all the guys' great information and experience sharing.

From your post,

Thanks & Regards,

Ken Zhao
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
<http://www.microsoft.com/security>
====================================================
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
--------------------
| Thread-Topic: adding workstation to domain - access is denied
| thread-index: AcgAWnzVkGPXIxpAS1+z+JD3mmRd4g==
| X-WBNR-Posting-Host: 207.46.192.207
| From: Tina <tina@nospam.postalias>
| Subject: adding workstation to domain - access is denied
| Date: Wed, 26 Sep 2007 09:30:02 -0700
| Lines: 10
| Message-ID: <2952A708-4776-4CDA-B313-2B2C6EEDC966@microsoft.com>
| MIME-Version: 1.0
| Content-Type: text/plain; charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2929
| Newsgroups: microsoft.public.windows.server.active_directory
| Path: TK2MSFTNGHUB02.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.active_directory:26512
| NNTP-Posting-Host: tk2msftsbfm01.phx.gbl 10.40.244.148
| X-Tomcat-NG: microsoft.public.windows.server.active_directory
|
| When IT staff add XP workstations to our Server 2003 Active Directory
| domain, they get "Access is denied" errors. I have given the "ITGroup"
| security group "create computer account" and "delete computer account"
| on the computer OU and the workstation OU (I changed the default
| container workstations go in when they are added to the domain). When a
| workstation is added to the domain, they go into the Workstation OU. I
| also checked the Domain Controller Security Policy under administrative
| tools, and the Add workstation to domain has authenticated user, and
| ITGroup. No matter what I change, I still get the error. Please help.
| Tina
|
Top
From: Thylo <Thylo@discussions.microsoft.com>
To: none
Subject: RE: Administrative rights
Date: 09/26/2007 22:13:00

Joey,

Was this server connected to an existing domain or was it a fresh setup? Are
there any errors showing in the event log from the dcpromo process?

Cheers,
--
Leigh
MCSE (NT4, 2000)

"joeylongcox" wrote:
> I have a Dell SC1420 PowerEdge server running Windows 2003 Server. I ran the
> install, I thought, flawlessly. Now that I am trying to really exploit all
> the possibilities of the server, I cannot do work with Active Directory or
> manage groups and users. I log in as "Administrator," but when I go to the
> Active Directory utility, I am told I need to log on as a user with
> administrative rights. I am lost. I thought that was what I was doing.
> Anybody have any idea how I can fix this?
>
Top
From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>
To: none
Subject: Re: Administrative rights
Date: 09/27/2007 07:02:51

Run diagnostics against your Active Directory domain.

If you don't have the support tools installed, install them from your server
install disk.

d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.

-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> dnslint /ad /s "ip address of your dc"

**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's in
the forest. If you have significant numbers of DC's this test could generate
significant detail and take a long time. You also want to take into account
slow links to dc's will also add to the testing time.

If you download a gui script I wrote it should be simple to set and run (DCDiag
and NetDiag). It also has the option to run individual tests without having to
learn all the switch options. The details will be output in notepad text files
that pop up automagically.

The script is located on my website at
http://www.pbbergs.com/windows/downloads.htm

Just select both dcdiag and netdiag, make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages.

Description and download for dnslint
http://support.microsoft.com/kb/321045

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"joeylongcox" <cobra270@excite.com> wrote in message
news:1190860716.318350.121080@g4g2000hsf.googlegroups.com...
> I have a Dell SC1420 PowerEdge server running Windows 2003 Server. I ran the
> install, I thought, flawlessly. Now that I am trying to really exploit all
> the possibilities of the server, I cannot do work with Active Directory or
> manage groups and users. I log in as "Administrator," but when I go to the
> Active Directory utility, I am told I need to log on as a user with
> administrative rights. I am lost. I thought that was what I was doing.
> Anybody have any idea how I can fix this?
>
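Paul's procedure ends with a manual step, searching the verbose logs for fail, error and warning messages, and his later Dcdiag reply in this thread gives the same advice. The following is an added example (not Paul's pbbergs.com script and not from the thread) that performs that triage over dcdiag /v output: it records each DC's per-test verdict and collects the lines mentioning failures, errors or warnings, grouped by DC, which is what you want after a /E run across many DCs. The sample log is constructed in the style of dcdiag output, not a real capture.

```python
"""Triage of a verbose dcdiag log: per-DC test verdicts plus every line that
mentions a failure, error or warning.  Added example, not the pbbergs.com
script; the sample log below is constructed, not captured."""
import re
from collections import defaultdict

# dcdiag's per-test verdict line looks like
#   "......................... DC1 passed test Connectivity"
RESULT_RE = re.compile(r"\.{3,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)")
# Anything else worth a human look, per Paul's "fail, error and warning" advice.
ALERT_RE = re.compile(r"\b(fail\w*|error\w*|warning\w*)\b", re.IGNORECASE)
# "Testing server: <site>\<dc>" headers tell us which DC later lines belong to.
SERVER_RE = re.compile(r"Testing server:\s+\S+\\(\S+)")


def triage(log_text: str) -> dict:
    """Return {"results": {dc: {test: verdict}}, "alerts": {dc: [lines]}}."""
    results = defaultdict(dict)
    alerts = defaultdict(list)
    current_dc = "(global)"          # lines seen before any "Testing server:"
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVER_RE.search(line)
        if m:
            current_dc = m.group(1)
            continue
        m = RESULT_RE.search(line)
        if m:
            dc, verdict, test = m.groups()
            results[dc][test] = verdict
            if verdict == "failed":
                alerts[dc].append(line)
            continue
        # Verdict lines never reach here, so "passed test" cannot trip ALERT_RE.
        if ALERT_RE.search(line):
            alerts[current_dc].append(line)
    return {"results": dict(results), "alerts": dict(alerts)}


def failed_tests(report: dict) -> dict:
    """{dc: sorted failed test names}, only for DCs that failed something."""
    return {dc: sorted(t for t, v in tests.items() if v == "failed")
            for dc, tests in report["results"].items()
            if any(v == "failed" for v in tests.values())}


# Constructed sample in the style of dcdiag /v output (not a real capture).
SAMPLE_LOG = """\
Performing initial setup:
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\\DC1
      Starting test: Advertising
         Warning: DC1 is not advertising as a time server.
         ......................... DC1 failed test Advertising
      Starting test: Replications
         ......................... DC1 passed test Replications
   Testing server: Branch-Site\\DC2
      Starting test: Advertising
         ......................... DC2 passed test Advertising
      Starting test: SystemLog
         An Error Event occurred.  EventID: 0x00000457
         ......................... DC2 failed test SystemLog
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for dc, tests in failed_tests(report).items():
        print(f"{dc}: failed {', '.join(tests)}")
    for dc, lines in report["alerts"].items():
        for line in lines:
            print(f"  [{dc}] {line}")
```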
Top
From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: ADUC yields no search results for anything
Date: 09/26/2007 12:09:49

Hi

Something is wrong in the filter options, can you explain exactly all steps
taken. Are the Admins able to see objects in ADUC without doing the search?

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

<rockemhard@gmail.com> wrote in message
news:1190819239.458739.117810@22g2000hsm.googlegroups.com...
> OK... this is on top of my list of annoyances.
>
> I have a new admin in my department. I give him domain admin privs. He logs
> onto a server to run ADUC and gets no results for any search he does.
>
> It doesn't matter:
>
> 1) What server he uses ADUC on
> 2) What object he searches for
> 3) That the Filter Options says show all types of objects
> 4) Or that he even tries ADUC on the DC itself
>
> My account works just fine every time and we don't use roaming profiles.
> I'm stumped. How hard can this be...
>
> Thanks for any help.
>
Top
From: Chris <nospam@email.com>
To: none
Subject: Re: Basic AD question, proper use of OU's
Date: 09/26/2007 15:46:21

Computers is just a container, the default for new computer objects.

OU's are there to organise your network. It makes sense to organise your
network and split it into users, computers, shares etc. dependent on any
geographical layout you may have. Group policies are distributed via OU's,
which you should use to set the environment for your clients as well as roll
out new software and apply logon and logoff scripts.

It would be very beneficial to investigate how group policy could help on
your network.

Chris

"Adam N." <AdamN@discussions.microsoft.com> wrote in message
news:86C9AC22-E7E5-4D5D-98C0-B111DF444945@microsoft.com...
> please see picture first then read question...
>
> http://baumshelter.net/img/clip.JPG
>
> Ok, so we have an OU that the arrow is pointing to in the picture.
>
> Is the "Computers" an OU also or just a directory?
>
> Isn't an OU "basically" only needed if you are going to delegate some admin
> stuff to a group or user?
>
> I don't have any need on this network for delegation so shouldn't my objects
> (PC's) within that OU be moved to the computer folder?
Top
From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: Basic AD question, proper use of OU's
Date: 09/26/2007 15:49:51

Hello,

the "computers" container is a bit special. It's the default container when
joining computers, and you can't link GPO to it. The same for the "Users"
container.

More story here:
http://technet2.microsoft.com/windowsserver/en/library/26c53b04-f955-4d81-b468-5c7a982693f31033.mspx?mfr=true

As you can't apply GPO to them, it's best practice to create your own OU for
them, and move all your created users and joined computers to these custom
OUs.

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"Adam N." <AdamN@discussions.microsoft.com> wrote in message
news:86C9AC22-E7E5-4D5D-98C0-B111DF444945@microsoft.com...
> please see picture first then read question...
>
> http://baumshelter.net/img/clip.JPG
>
> Ok, so we have an OU that the arrow is pointing to in the picture.
>
> Is the "Computers" an OU also or just a directory?
>
> Isn't an OU "basically" only needed if you are going to delegate some admin
> stuff to a group or user?
>
> I don't have any need on this network for delegation so shouldn't my objects
> (PC's) within that OU be moved to the computer folder?
Top
From: Meinolf Weber
To: none
Subject: Re: Basic AD question, proper use of OU's
Date: 09/26/2007 15:50:16

Hello Adam N.,

Computers is a so-called container. Here you can not do the things you can do
in OU's. By default, if you add computers to the domain they will be placed in
this container.

It doesn't matter if the OU is not used where you place them, but the question
is for what will you use AD when not configuring the domain, users, groups and
computers from one central point?

Maybe you give some more info on what you would like to achieve.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

> please see picture first then read question...
>
> http://baumshelter.net/img/clip.JPG
>
> Ok, so we have an OU that the arrow is pointing to in the picture.
>
> Is the "Computers" an OU also or just a directory?
>
> Isn't an OU "basically" only needed if you are going to delegate some
> admin stuff to a group or user?
>
> I don't have any need on this network for delegation so shouldn't my
> objects (PC's) within that OU be moved to the computer folder?
>
Top
From: Richard Mueller [MVP] <rlmueller-nospam@ameritech.nospam.net>
To: none
Subject: Re: Character limit
Date: 09/26/2007 12:53:41

"Sergio Minniti" wrote
> I'd like to know what the difference is between the Windows 2003 - Windows
> 2000 and the pre-Windows 2000 name for an Active Directory object. Is there
> a "best practice" or Microsoft Knowledge Base article that speaks about it?
> I haven't found anything about it. I'd like to read an article that speaks
> about group name and account name limits, special characters, etc.
> Can you help me? I await your reply.

This link discusses what I have learned about the characters that are allowed
in Distinguished Names and sAMAccountNames (pre-Windows 2000 logon names),
plus the characters that need to be escaped:

http://www.rlmueller.net/CharactersEscaped.htm

I have not found any differences between W2k and W2k3, except that when you
create groups and don't specify the "pre-Windows 2000 logon name" a long
random string is assigned that is very scary.

This link discusses the various "names" used in AD, and with the WinNT and
LDAP providers:

http://www.rlmueller.net/Name_Attributes.htm

sAMAccountName is limited to 20 characters. I forget the max length for Common
Names, but I think it's about 127. The value for Common Name (the cn attribute,
which is part of the Distinguished Name) must be unique in the container or OU.
Several objects in AD can have the same cn as long as they are in different
OU's or containers. sAMAccountName must be unique in the domain. Distinguished
Name is unique in the forest.

The rules are the same for all classes of objects (user, group, computer,
etc.), except that the sAMAccountNames of computer objects have a trailing "$".
The sAMAccountName of a computer object is the NetBIOS name of the computer
with "$" appended to the end. The NetBIOS name of computers seems to be limited
to 15 characters, so the sAMAccountName is limited to 16.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
Top
From: Sergio Minniti <SergioMinniti@discussions.microsoft.com>
To: none
Subject: Re: Character limit
Date: 09/26/2007 15:56:00

Thank you very much indeed Richard! I have read your articles but inside them I
haven't found any reference to the group name limit (64 char.?). I tried to
type more than 64 char. and it's possible in the pre-Windows 2000 name. Is it
true? I think that the system accepts a string longer than 64 char. but it uses
only 64 char. Is that right?
I await your reply, thanks a lot.

Sergio

P.S. Any Microsoft KB??

"Richard Mueller [MVP]" wrote:
> This link discusses what I have learned about the characters that are
> allowed in Distinguished Names and sAMAccountNames (pre-Windows 2000 logon
> names), plus the characters that need to be escaped:
>
> http://www.rlmueller.net/CharactersEscaped.htm
>
> I have not found any differences between W2k and W2k3, except that when you
> create groups and don't specify the "pre-Windows 2000 logon name" a long
> random string is assigned that is very scary.
>
> This link discusses the various "names" used in AD, and with the WinNT and
> LDAP providers:
>
> http://www.rlmueller.net/Name_Attributes.htm
>
> sAMAccountName is limited to 20 characters. I forget the max length for
> Common Names, but I think it's about 127. The value for Common Name (the cn
> attribute, which is part of the Distinguished Name) must be unique in the
> container or OU. Several objects in AD can have the same cn as long as they
> are in different OU's or containers. sAMAccountName must be unique in the
> domain. Distinguished Name is unique in the forest.
>
> The rules are the same for all classes of objects (user, group, computer,
> etc.), except that the sAMAccountNames of computer objects have a trailing
> "$". The sAMAccountName of a computer object is the NetBIOS name of the
> computer with "$" appended to the end. The NetBIOS name of computers seems
> to be limited to 15 characters, so the sAMAccountName is limited to 16.
>
> --
> Richard Mueller
> Microsoft MVP Scripting and ADSI
> Hilltop Lab - http://www.rlmueller.net
> --
>
Top
From: Richard Mueller [MVP] <rlmueller-nospam@ameritech.nospam.net>
To: none
Subject: Re: Character limit
Date: 09/26/2007 20:13:10

By testing I find that the cn attribute (Common Name) of groups is limited to
64 characters. However, I have a group with a sAMAccountName that is 94
characters.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

"Sergio Minniti" <SergioMinniti@discussions.microsoft.com> wrote in message
news:0936A2DB-DFAD-47E5-86CD-E6D7F0941BB6@microsoft.com...
> Thank you very much indeed Richard! I have read your articles but inside
> them I haven't found any reference to the group name limit (64 char.?). I
> tried to type more than 64 char. and it's possible in the pre-Windows 2000
> name. Is it true? I think that the system accepts a string longer than 64
> char. but it uses only 64 char. Is that right?
> I await your reply, thanks a lot.
>
> Sergio
>
> P.S. Any Microsoft KB??
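The naming rules Richard states in his first reply (20-character sAMAccountName, the computer account's "$" suffix on a 15-character NetBIOS name, cn unique within its container, DN unique in the forest) together with the 64-character group cn limit he reports here, gathered into a pre-creation checker. This is an added example, not code from the thread or from rlmueller.net; two things in it are not from the thread and are marked as such: the set of characters Microsoft documents as illegal in sAMAccountName, and the RFC 4514 rules for escaping a cn inside a DN. The Inventory class is a constructed in-memory stand-in for a directory lookup.

```python
"""Pre-creation name checks for AD objects, following Richard Mueller's rules
in this thread.  Added example; the SAM_FORBIDDEN and DN_ESCAPE sets are not
from the thread (Microsoft's documented sAMAccountName restriction; RFC 4514)."""
from dataclasses import dataclass, field

SAM_MAX = 20          # sAMAccountName limit for users (thread)
NETBIOS_MAX = 15      # computer name without the "$" (thread), so sAM <= 16
GROUP_CN_MAX = 64     # group cn limit Richard measured (thread)
CN_MAX = 127          # "about 127" for other classes (thread)
# Not from the thread: characters Microsoft documents as illegal in sAMAccountName.
SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')
# Not from the thread: RFC 4514 characters that must be escaped inside an RDN value.
DN_ESCAPE = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape a cn so it can be embedded in a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs = (ch in DN_ESCAPE
                 or (ch == ' ' and i in (0, last))   # leading/trailing space
                 or (ch == '#' and i == 0))           # leading '#'
        out.append('\\' + ch if needs else ch)
    return ''.join(out)


@dataclass
class Proposed:
    kind: str        # "user", "group" or "computer"
    cn: str
    sam: str         # for a computer: the NetBIOS name WITHOUT the "$"
    parent_dn: str   # container/OU the object would be created in


@dataclass
class Inventory:
    """In-memory stand-in for the directory (constructed; not an LDAP query)."""
    sams: set = field(default_factory=set)   # lower-cased sAMAccountNames, domain-wide
    dns: set = field(default_factory=set)    # lower-cased DNs, forest-wide


def effective_sam(p: Proposed) -> str:
    """Computers get the trailing '$' the thread describes."""
    return p.sam + '$' if p.kind == 'computer' else p.sam


def distinguished_name(p: Proposed) -> str:
    return f"CN={escape_rdn_value(p.cn)},{p.parent_dn}"


def check(p: Proposed, inv: Inventory) -> list:
    """Return the list of rule violations; an empty list means the names are usable."""
    problems = []
    if not p.cn:
        problems.append("cn is empty")
    bad = sorted(SAM_FORBIDDEN & set(p.sam))
    if bad:
        problems.append(f"sAMAccountName contains illegal characters {bad}")
    if p.kind == 'computer':
        if len(p.sam) > NETBIOS_MAX:
            problems.append(f"NetBIOS name exceeds {NETBIOS_MAX} characters")
    elif p.kind == 'user' and len(p.sam) > SAM_MAX:
        # Richard reports a group with a 94-character sAMAccountName, so the
        # 20-character rule is enforced only for users here.
        problems.append(f"sAMAccountName exceeds {SAM_MAX} characters")
    cn_cap = GROUP_CN_MAX if p.kind == 'group' else CN_MAX
    if len(p.cn) > cn_cap:
        problems.append(f"cn exceeds {cn_cap} characters for a {p.kind}")
    if effective_sam(p).lower() in inv.sams:
        problems.append("sAMAccountName already exists in the domain")
    # cn unique within its container and DN unique in the forest both reduce
    # to "this exact DN must not exist yet"; the same cn in another OU is fine.
    if distinguished_name(p).lower() in inv.dns:
        problems.append("an object with this cn already exists in that container")
    return problems


if __name__ == "__main__":
    inv = Inventory(sams={"jsmith", "ws-finance-07$"},
                    dns={"cn=john smith,ou=staff,dc=corp,dc=example"})
    for obj in (Proposed("user", "John Smith", "jsmith", "OU=Staff,DC=corp,DC=example"),
                Proposed("user", "John Smith", "jsmith2", "OU=Contractors,DC=corp,DC=example"),
                Proposed("computer", "WS-ACCOUNTING-01", "WS-ACCOUNTING-01",
                         "OU=Workstations,DC=corp,DC=example")):
        print(distinguished_name(obj), effective_sam(obj), check(obj, inv) or "OK")
```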
Top
From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Customizing Delegwiz.inf syntax question
Date: 09/26/2007 12:20:18

Hi

Check http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message
news:9D5B8B9A-F045-492B-ADFA-855AE9401EE9@microsoft.com...
> I would like to add a few custom templates to my delegwiz.inf, however I am
> new to the syntax. Well, syntax may not be as important an issue, but where
> do I find the list of the "SCOPE" identifiers?
>
> In Q308404 is the example:
>
> [template10]
> AppliesToClasses=domainDns,organizationalUnit,container
>
> Description = "Create, delete, and manage inetorgperson accounts"
>
> ObjectTypes = SCOPE, inetorgperson
>
> [template10.SCOPE]
> inetorgperson=CC,DC
>
> [template10.inetorgperson]
> @=GA
>
> I want to find the correct identifiers for the .SCOPE object types for user
> and computer account management. Like Disable this user, Unlock this user,
> Force user to change password, etc.
>
> Where are those listed? Is there one place I can find all the proper terms?
> What are these called?
>
> The Q308404 information is very minimal so I keep thinking there is more
> information on this somewhere!
Top
From: SecAdmin <SecAdmin@discussions.microsoft.com>
To: none
Subject: Re: Customizing Delegwiz.inf syntax question
Date: 09/26/2007 12:34:03

Jorge,

I have been to this site already and I do not see answers to my questions.
Where can I find the exact wording for all the SCOPE required or object types?

"Jorge Silva" wrote:
> Hi
> Check
> http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
Top
From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Customizing Delegwiz.inf syntax question
Date: 09/26/2007 12:41:03

Wrong link, I meant this one:
http://technet2.microsoft.com/windowsserver/en/library/1d05f294-bb1e-4a55-aec3-2ee80f0db2791033.mspx?mfr=true

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message
news:5332BAF9-9678-4BFE-914C-447D19C454EF@microsoft.com...
> Jorge,
>
> I have been to this site already and I do not see answers to my questions.
> Where can I find the exact wording for all the SCOPE required or object
> types?
>
Top
From: SecAdmin <SecAdmin@discussions.microsoft.com>
To: none
Subject: Re: Customizing Delegwiz.inf syntax question
Date: 09/26/2007 12:54:19

That is nothing more than a sample Delegwiz.inf.

Let's try this another way. What would an entry look like if I wanted to
delegate the following permissions on a user account....

Create user account
Delete this user account
Unlock user account
Reset Password
Force user to change password at next logon

Where do I find the exact object types or Scope identifiers in order to modify
my Delegwiz.inf?

"Jorge Silva" wrote:
> Wrong link, I meant this one:
> http://technet2.microsoft.com/windowsserver/en/library/1d05f294-bb1e-4a55-aec3-2ee80f0db2791033.mspx?mfr=true
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
Top
From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Customizing Delegwiz.inf syntax question
Date: 09/26/2007 14:47:48

I'm sorry, I misunderstood you. I'll need to check my documentation, I can't
confirm at the moment, I'll send you a response when I have a chance. In the
meantime check at the GPO NGs, let me know the results.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message
news:FC01D948-C477-422E-857D-001AF2BDDF89@microsoft.com...
> That is nothing more than a sample Delegwiz.inf.
>
> Let's try this another way. What would an entry look like if I wanted to
> delegate the following permissions on a user account....
>
> Create user account
> Delete this user account
> Unlock user account
> Reset Password
> Force user to change password at next logon
>
> Where do I find the exact object types or Scope identifiers in order to
> modify my Delegwiz.inf?
>
Top
From: Dmitri Gavrilov [MSFT] <dmitrig@online.microsoft.com>
To: none
Subject: Re: Dcdiag
Date: 09/26/2007 21:40:16

Try running it in verbose mode: dcdiag /v
It should print more data, which might give a clue as to where it breaks.

--
Dmitri Gavrilov
SDE, Active Directory team

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"gdilullo" <gdilullo.2xjavc@DoNotSpam.com> wrote in message
news:gdilullo.2xjavc@DoNotSpam.com...
>
> This is the result from DCDIAG on a Domain Controller:
>
> Performaing Initial Setup:
>
> And then it returns to the command prompt.
>
> Any one seen this before?
>
> Thanks
>
> Gabe
>
> --
> gdilullo
Top
From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>
To: none
Subject: Re: Dcdiag
Date: 09/27/2007 07:16:01

When I run dcdiag I set the following flags:

DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log

You have to watch out for the /E in a large environment, it will query ALL dc's
in the domain and if you have a lot of remote sites this could take a very long
time. I pipe the output of this diagnostic to c:\dcdiag.log.
|