
Active Directory 0703

Re: Library not registered when trying to open AD

Re: Remote Windows 2003 BDC

Re: About of Event ID : 3224

RE: Account unknown[s-1-5-21-xxxxxxxxxxxxxxxxxxxxxx]

Re: Active Directory and Reverse DNS Zones

RE: AD printers - server-centric, am i missing something?

Re: Adding Custom Attribute

Re: adding workstation to domain - access is denied

Re: Administrative rights

Re: ADUC yields no search results for anything

Re: Basic AD question, proper use of OU's

Re: Character limit

Re: Customizing Delegwiz.inf  syntax question

Re: Dcdiag

Re: Delete duplicate computer accounts in AD

Re: Delete duplicate computer accounts in AD

Re: Does AD have a Default Backup User account?

Re: Domain controller crashed

Re: Domain Controller down

Re: Domain Controller File Permissions on SYSVOL

Re: Domain Login Failed

Re: Domain Rename

 

 

 

From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>

To: none

Subject: Re: Library not registered when trying to open AD

Date: 09/27/2007 06:49:21

 

 

Run diagnostics against your Active Directory domain.

 

If you don't have the support tools installed, install them from your server

install disk.

d:\support\tools\setup.exe

 

Run dcdiag, netdiag and repadmin in verbose mode.

->  DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log

->  netdiag.exe /v > c:\netdiag.log     (On each dc)

->  repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

->  dnslint /ad /s  "ip address of your dc"

 

**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's

in the forest.  If you have significant numbers of DC's this test could

generate significant detail and take a long time.  You also want to take

into account slow links to dc's will also add to the testing time.

 

If you download a gui script I wrote it should be simple to set and run

(DCDiag and NetDiag).  It also has the option to run individual tests

without having to learn all the switch options.  The details will be output

in notepad text files that pop up automagically.

 

The script is located on my website at

http://www.pbbergs.com/windows/downloads.htm

 

Just select both dcdiag and netdiag and make sure verbose is set.  (Leave the

default settings for dcdiag as set when selected)

 

When complete, search for fail, error and warning messages.

 

Description and download for dnslint

http://support.microsoft.com/kb/321045

 

 

--

Paul Bergson

MVP - Directory Services

MCT, MCSE, MCSA, Security+, BS CSci

2003, 2000 (Early Achiever), NT

 

http://www.pbbergs.com

 

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

 

"abaratin" <abaratin@gmail.com> wrote in message

news:1190888183.547668.193160@w3g2000hsg.googlegroups.com...

> Hi all,

>

> Yesterday I had a problem with WSUS3. I tried to reinstall it but it

> fails... Few minutes after I tried to go to the GPO settings... I

> receive an error "The domain controller can not be contacted Error

> was: Library not Registered"

> I have this "Library not registered" error anytime I try to open

> something dealing with GPO's or AD.

> I don't know what to do...

>

> So if you have ideas, suggestions or links with documentation it will

> be great...

> I don't know Active Directory enough to solve this kind of problem...

>

> Thanks in advance

>
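The read-through Paul describes (run the tools verbosely, then search the logs for fail, error and warning) can be scripted. The following is an added example, not code from this thread or from Paul's download: a Python triage of a dcdiag log that pulls out the per-test "passed/failed test" summary lines and every line mentioning one of the three keywords. The log text is a constructed sample in dcdiag's output format, not output captured from any server mentioned here.

```python
import re
from collections import Counter

# Constructed sample of "dcdiag /v" output (not from any server in this
# thread); the dotted "... DC passed/failed test X" lines are the per-test
# summary lines dcdiag prints, the rest is typical verbose detail.
SAMPLE_DCDIAG_LOG = """\
Doing initial required tests
   Testing server: Default-First-Site-Name\\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\\DC1
      Starting test: Replications
         [Replications Check,DC1] A recent replication attempt failed:
            From DC2 to DC1
            Naming Context: DC=example,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
         ......................... DC1 failed test Replications
      Starting test: Advertising
         Warning: DC1 is not advertising as a time server.
         ......................... DC1 passed test Advertising
      Starting test: SystemLog
         An Error Event occurred.  EventID: 0x40000004
         ......................... DC1 failed test SystemLog
"""

# Per-test summary line: "......... <dc> passed|failed test <name>"
SUMMARY_RE = re.compile(
    r"^\s*\.{3,}\s+(?P<dc>\S+)\s+(?P<status>passed|failed)\s+test\s+(?P<test>\S+)\s*$"
)
# The keywords Paul suggests searching for, matched as word prefixes so
# "failed", "errors" and "warnings" all count.
KEYWORD_RE = re.compile(r"\b(?P<kw>fail|error|warning)\w*", re.IGNORECASE)


def parse_test_results(log_text):
    """Return [{'dc': ..., 'status': 'passed'|'failed', 'test': ...}, ...]."""
    results = []
    for line in log_text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            results.append(m.groupdict())
    return results


def find_keyword_hits(log_text):
    """Return (line_number, keyword, line) for every line mentioning fail/error/warning."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        m = KEYWORD_RE.search(line)
        if m:
            hits.append((number, m.group("kw").lower(), line.strip()))
    return hits


def triage(log_text):
    """Summarise a log the way a first read-through would: which tests failed,
    and how many fail/error/warning lines there are to go through."""
    results = parse_test_results(log_text)
    hits = find_keyword_hits(log_text)
    return {
        "tests_run": len(results),
        "failed_tests": [(r["dc"], r["test"]) for r in results if r["status"] == "failed"],
        "keyword_counts": dict(Counter(kw for _, kw, _ in hits)),
        "hits": hits,
    }


if __name__ == "__main__":
    # In practice: triage(open(r"c:\dcdiag.log", encoding="utf-16").read())
    # (dcdiag redirected output on 2003 is commonly UTF-16; check your file).
    summary = triage(SAMPLE_DCDIAG_LOG)
    print(f"{summary['tests_run']} tests, failed: {summary['failed_tests']}")
    for number, kw, line in summary["hits"]:
        print(f"line {number:>3} [{kw}] {line}")
```

The summary lines give the pass/fail verdict per test; the keyword hits point at the detail lines above each failure (here the RPC 1722 replication error and the system-log event), which is where the actual diagnosis starts. The same keyword scan works unchanged on netdiag and repadmin output, which have no per-test summary lines.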

 

 

 


From: abaratin <abaratin@gmail.com>

To: none

Subject: Re: Library not registered when trying to open AD

Date: 09/27/2007 07:46:03

 

 

Well, everything seems to be OK... It was what I felt, because this

morning every user was able to connect to the domain...

My feeling now is rather that MMC 3.0 is at fault... But I don't know

how to install/reinstall it and what the consequences for

users could be...

 

On 27 sep, 11:49, "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com>

wrote:

> run diagnostics against your Active Directory domain.

>

> If you don't have the support tools installed, install them from your server

> install disk.

> d:\support\tools\setup.exe

>

> Run dcdiag, netdiag and repadmin in verbose mode.

> ->  DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log

> ->  netdiag.exe /v > c:\netdiag.log     (On each dc)

> ->  repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

> ->  dnslint /ad /s  "ip address of your dc"

>

> **Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's

> in the forest.  If you have significant numbers of DC's this test could

> generate significant detail and take a long time.  You also want to take

> into account slow links to dc's will also add to the testing time.

>

> If you download a gui script I wrote it should be simple to set and run

> (DCDiag and NetDiag).  It also has the option to run individual tests

> without having to learn all the switch options.  The details will be output

> in notepad text files that pop up automagically.

>

> The script is located on my website at http://www.pbbergs.com/windows/downloads.htm

>

> Just select both dcdiag and netdiag make sure verbose is set.  (Leave the

> default settings for dcdiag as set when selected)

>

> When complete search for fail, error and warning messages.

>

> Description and download for dnslint http://support.microsoft.com/kb/321045

>

> --

> Paul Bergson

> MVP - Directory Services

> MCT, MCSE, MCSA, Security+, BS CSci

> 2003, 2000 (Early Achiever), NT

>

> http://www.pbbergs.com

>

> Please no e-mails, any questions should be posted in the NewsGroup

> This posting is provided "AS IS" with no warranties, and confers no rights.

>

> "abaratin" <abara...@gmail.com> wrote in message

>

> news:1190888183.547668.193160@w3g2000hsg.googlegroups.com...

>

> > Hi all,

>

> > Yesterday I had a problem with WSUS3. I tried to reinstall it but it

> > fails... Few minutes after I tried to go to the GPO settings... I

> > receive an error "The domain controller can not be contacted Error

> > was: Library not Registered"

> > I have this "Library not registered" error anytime I try to open

> > something dealing with GPO's or AD.

> > I don't know what to do...

>

> > So if you have ideas, suggestions or links with documentation it will

> > be great...

> > I don't know Active Directory enough to solve this kind of problem...

>

> > Thanks in advance

 

 

 


From: abaratin <abaratin@gmail.com>

To: none

Subject: Re: Library not registered when trying to open AD

Date: 09/27/2007 12:28:45

 

 

Thanks for your help Paul, I've finally found the solution. AD was not

at fault, it was MMC!

The solution was here: http://support.microsoft.com/?scid=kb%3Ben-us%3B887438&x=7&y=9

 

Thank you very much and have a nice day!

--

Alex

 

On 27 sep, 12:46, abaratin <abara...@gmail.com> wrote:

> Well everything seems to be ok... It was what I felt because this

> morning every users were able to connect to the domain...

> My feeling now is rather that mmc 3.0 is in cause... But  i don't know

> how to install/reinstall it and what can be the consequences for

> users...

>

> On 27 sep, 11:49, "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com>

> wrote:

>

> > run diagnostics against your Active Directory domain.

>

> > If you don't have the support tools installed, install them from your server

> > install disk.

> > d:\support\tools\setup.exe

>

> > Run dcdiag, netdiag and repadmin in verbose mode.

> > ->  DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log

> > ->  netdiag.exe /v > c:\netdiag.log     (On each dc)

> > ->  repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

> > ->  dnslint /ad /s  "ip address of your dc"

>

> > **Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's

> > in the forest.  If you have significant numbers of DC's this test could

> > generate significant detail and take a long time.  You also want to take

> > into account slow links to dc's will also add to the testing time.

>

> > If you download a gui script I wrote it should be simple to set and run

> > (DCDiag and NetDiag).  It also has the option to run individual tests

> > without having to learn all the switch options.  The details will be output

> > in notepad text files that pop up automagically.

>

> > The script is located on my website at http://www.pbbergs.com/windows/downloads.htm

>

> > Just select both dcdiag and netdiag make sure verbose is set.  (Leave the

> > default settings for dcdiag as set when selected)

>

> > When complete search for fail, error and warning messages.

>

> > Description and download for dnslint http://support.microsoft.com/kb/321045

>

> > --

> > Paul Bergson

> > MVP - Directory Services

> > MCT, MCSE, MCSA, Security+, BS CSci

> > 2003, 2000 (Early Achiever), NT

>

> > http://www.pbbergs.com

>

> > Please no e-mails, any questions should be posted in the NewsGroup

> > This posting is provided "AS IS" with no warranties, and confers no rights.

>

> > "abaratin" <abara...@gmail.com> wrote in message

>

> >news:1190888183.547668.193160@w3g2000hsg.googlegroups.com...

>

> > > Hi all,

>

> > > Yesterday I had a problem with WSUS3. I tried to reinstall it but it

> > > fails... Few minutes after I tried to go to the GPO settings... I

> > > receive an error "The domain controller can not be contacted Error

> > > was: Library not Registered"

> > > I have this "Library not registered" error anytime I try to open

> > > something dealing with GPO's or AD.

> > > I don't know what to do...

>

> > > So if you have ideas, suggestions or links with documentation it will

> > > be great...

> > > I don't know Active Directory enough to solve this kind of problem...

>

> > > Thanks in advance

 

 

 


From: Al Mulnick <amulnick_No_SPAM@ncDOTrr.com>

To: none

Subject: Re: Remote Windows 2003 BDC

Date: 09/27/2007 12:47:38

 

 

Generally speaking, you could, but you would likely want to use sites to

control replication and authentication traffic.  You can read more about the

site concept and how to configure site links, costing, etc. here:

 

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/adsrv.mspx

 

 

"MATT" <MATT@discussions.microsoft.com> wrote in message

news:33B1F58B-B95A-4417-A978-6897B0E48348@microsoft.com...

> We have a Primary Domain Controller and Backup Domain Controller at our

> main

> office.  We have a second office connected by a Frame Relay.  We would

> like

> to add a second Backup Domain Controller at this site, and have it

> replicate

> with the DC's at the main site.  The two sites are on different subnets.

> Can

> I simply add the domain controller at the remote site, and it will

> replicate

> the Active Directory?

 

 

 


From: Technical <Technical@discussions.microsoft.com>

To: none

Subject: RE: Remote Windows 2003 BDC

Date: 09/27/2007 12:57:05

 

 

Hello Matt

 

It will work, no extra configuration required. The only thing that you must

check is the connectivity between the two sites; also make sure that you make

this BDC a GC, as you have a frame relay connection between the two sites, which is

normally slow.

Also make sure that the required ports are not blocked in the firewall.

If you have a Windows 2003 native environment then you can choose Install DC

from Media.

For more information follow this link

http://www.petri.co.il/install_dc_from_media_in_windows_server_2003.htm

 

I hope the above information is helpful to you.

 

"MATT" wrote:

 

> We have a Primary Domain Controller and Backup Domain Controller at our main

> office.  We have a second office connected by a Frame Relay.  We would like

> to add a second Backup Domain Controller at this site, and have it replicate

> with the DC's at the main site.  The two sites are on different subnets.  Can

> I simply add the domain controller at the remote site, and it will replicate

> the Active Directory?

 

 

 


From: Meinolf Weber <meiweb(nospam)@gmx.de>

To: none

Subject: Re: About of Event ID : 3224

Date: 09/27/2007 09:06:16

 

 

Hello MutluOzel,

 

Is that DC restored, because of a failure?

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

 

> Hi All,

>

> I have a problem: when I restart the domain controller I find an error.

>

> I checked these links; the problem hasn't been solved:

>

> http://support.microsoft.com/kb/q259736/

> http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/w2000Msgs/161.mspx?mfr=true

> http://www.eventid.net/display.asp?eventid=3224&eventno=744&source=NETLOGON&phase=1

>

> Source : Netlogon

> Category : None

> Event ID: 3224

> Changing machine account password for account havas.local. failed with

> the following error: The specified user already exists.

>

> For more information, see Help and Support Center at

> http://go.microsoft.com/fwlink/events.asp.

>

 

 

 


From: MutluOzel <MutluOzel@discussions.microsoft.com>

To: none

Subject: Re: About of Event ID : 3224

Date: 09/27/2007 09:32:03

 

 

Hi Weber,

 

We are working on the system: one primary DC and two additional DCs running.

 

But I found an error on the primary DC (error info below).

 

 

"Meinolf Weber" wrote:

 

> Hello MutluOzel,

>

> Is that DC restored, because of a failure?

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> no rights.

>

> > Hi All,

> >

> > I have a problem: when I restart the domain controller I find an error.

> >

> > I checked these links; the problem hasn't been solved:

> >

> > http://support.microsoft.com/kb/q259736/

> > http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/w2000Msgs/161.mspx?mfr=true

> > http://www.eventid.net/display.asp?eventid=3224&eventno=744&source=NETLOGON&phase=1

> >

> > Source : Netlogon

> > Category : None

> > Event ID: 3224

> > Changing machine account password for account havas.local. failed with

> > the following error: The specified user already exists.

> >

> > For more information, see Help and Support Center at

> > http://go.microsoft.com/fwlink/events.asp.

> >

>

>

>

 

 

 


From: Toby1Kinobe <toby1kinobe@gmail.com>

To: none

Subject: Re: Account unknown[s-1-5-21-xxxxxxxxxxxxxxxxxxxxxx]

Date: 09/27/2007 18:44:15

 

 

It's the remnant of an account that has been removed from the domain.

 

"Sofi" <Sofi@discussions.microsoft.com> wrote in message

news:6D22D879-5CC8-4752-BCA1-F9E3296AA6F8@microsoft.com...

>I am seeing these "ghost accounts" in the properties.

> Account Unknown[s-1-5-21-xxxxxxxxxxxxxxxx]

>

> Anyone knows what this is?

> THanks!

> Sofia

 

 

 


From: Ryan Hanisco <RyanHanisco@discussions.microsoft.com>

To: none

Subject: RE: Account unknown[s-1-5-21-xxxxxxxxxxxxxxxxxxxxxx]

Date: 09/27/2007 22:36:00

 

 

Hi Sofi,

 

When you see the SID displayed instead of the User Name, this means that the

machine displaying the account cannot resolve the name -- for whatever reason.

 

As Toby points out, this could be a foreign security principal that is still

in your domain, but that the trust is gone and the name can no longer be

resolved.  This can also happen in cases where a trust is broken, SIDHistory

filtering has been turned on for a trust, GCs and the PDCe are unavailable,

or DNS problems are showing up in your domain.

 

The prefix is domain specific, so if this doesn't match your domain, you

will know that this is a foreign account arriving across a trust.  (You can

look at your accounts with ADSIEdit or LDP -- make sure you are looking as a

created account, not a builtin one.)

 

If it is inside your domain, you will want to start doing domain diagnostics

to see if you can locate a problem.  I've posted directions to a basic domain

health check at:

http://techsterity.com/blogs/bestpractices/archive/2007/09/13/AD-Health-Check.aspx

 

Hope this helps.

--

Ryan Hanisco

MCSE, MCTS: SQL 2005, Project+

www.techsterity.com

Chicago, IL

 

Remember: Marking helpful answers helps everyone find the info they need

quickly.

 

 

"Sofi" wrote:

 

> I am seeing these "ghost accounts" in the properties.

> Account Unknown[s-1-5-21-xxxxxxxxxxxxxxxx]

>

> Anyone knows what this is?

> THanks!

> Sofia
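Ryan's point that the SID prefix is domain-specific can be checked mechanically rather than by eye. The following is an added example, not code from this thread: it parses a SID string, splits it into the domain identifier (S-1-5-21-A-B-C) and the RID, and classifies the principal as local, local well-known (RID below 1000, i.e. a built-in rather than a created account), foreign (a different domain prefix, so it arrived across a trust) or a well-known non-domain SID such as BUILTIN\Administrators. The domain SIDs are constructed values; OWN_DOMAIN_SID stands in for your own domain's SID, which is the SID shown by `whoami /user` on a domain member with the trailing RID removed.

```python
from dataclasses import dataclass

MAX_SUBAUTHORITY = 2**32 - 1   # each sub-authority is a 32-bit value
WELL_KNOWN_RID_LIMIT = 1000    # RIDs below 1000 are reserved for built-in principals

# Constructed stand-in for your own domain's SID (not a real domain).
OWN_DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple

    @classmethod
    def parse(cls, text):
        """Parse 'S-1-5-21-...'; the lower-case 's-' form shown in the ACL UI is accepted."""
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0].upper() != "S":
            raise ValueError(f"not a SID string: {text!r}")
        try:
            numbers = [int(p) for p in parts[1:]]
        except ValueError:
            raise ValueError(f"non-numeric component in SID: {text!r}") from None
        revision, authority, *subs = numbers
        if revision != 1 or any(not 0 <= s <= MAX_SUBAUTHORITY for s in subs):
            raise ValueError(f"malformed SID: {text!r}")
        return cls(revision, authority, tuple(subs))

    def __str__(self):
        return "-".join(["S", str(self.revision), str(self.authority),
                         *map(str, self.subauthorities)])

    @property
    def is_domain_form(self):
        """S-1-5-21-A-B-C[-RID]: NT authority 5, 'non-unique' sub-authority 21,
        three 32-bit domain identifier words, optional RID."""
        return (self.authority == 5 and self.subauthorities[:1] == (21,)
                and len(self.subauthorities) in (4, 5))

    @property
    def domain(self):
        """The domain identifier prefix (S-1-5-21-A-B-C), or None for non-domain SIDs."""
        if not self.is_domain_form:
            return None
        return Sid(self.revision, self.authority, self.subauthorities[:4])

    @property
    def rid(self):
        if self.is_domain_form and len(self.subauthorities) == 5:
            return self.subauthorities[4]
        return None


def classify(account_sid_text, own_domain_sid_text):
    """Where does an unresolved SID come from, relative to our own domain?"""
    own = Sid.parse(own_domain_sid_text).domain
    if own is None:
        raise ValueError("own domain SID must be of the form S-1-5-21-A-B-C")
    sid = Sid.parse(account_sid_text)
    if not sid.is_domain_form:
        return "well-known"          # e.g. S-1-5-32-544 BUILTIN\Administrators, S-1-1-0 Everyone
    if sid.domain != own:
        return "foreign"             # a different domain's prefix: came across a trust
    if sid.rid is not None and sid.rid < WELL_KNOWN_RID_LIMIT:
        return "local-well-known"    # built-in principal of our domain (500, 512, 513, ...)
    return "local"                   # a created account or group of our domain


if __name__ == "__main__":
    for text in ("S-1-5-21-1004336348-1177238915-682003330-1105",
                 "s-1-5-21-1004336348-1177238915-682003330-512",
                 "S-1-5-21-3623811015-3361044348-30300820-1013",
                 "S-1-5-32-544"):
        print(text, "->", classify(text, OWN_DOMAIN_SID))
```

A "local" result on an unresolved SID is the case Ryan says deserves the domain health check, since a name inside your own domain should always resolve; a "foreign" result points you at the trust (or the ForeignSecurityPrincipals container) instead. The page's placeholder form `s-1-5-21-xxxx` is rejected by the parser, so paste the real value from the ACL dialog.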

 

 

 


From: pcnetnet <pcnetnet@yahoo.com.hk>

To: none

Subject: Re: active directory (sub-domain)

Date: 09/27/2007 11:23:39

 

 

Hi All,

I set up the secondary DNS on my side. If the sub-domain server is down,

or the VPN line between the root domain and the sub-domain is down, when a UK user

connects over the Internet to our server (root domain) to log on, he must find the

name server (sub-domain), so he cannot log on?? Right? How can a

sub-domain user logging on to the root domain server be given access to the root domain logon,

or cache the name?

Do you have any document or Internet link for doing this? Thanks,

 

Thanks,

Patrick

 

 

"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

news:euyiBw2$HHA.5652@TK2MSFTNGP05.phx.gbl...

>I agree with Anthony.  If you have an unreliable network, then you should

>consider placing dc's at remote sites for higher reliability.

>

> --

> Paul Bergson

> MVP - Directory Services

> MCT, MCSE, MCSA, Security+, BS CSci

> 2003, 2000 (Early Achiever), NT

>

> http://www.pbbergs.com

>

> Please no e-mails, any questions should be posted in the NewsGroup

> This posting is provided "AS IS" with no warranties, and confers no

> rights.

>

> "Anthony" <anthony.spam@spammedout.com> wrote in message

> news:OfBcHO1$HHA.1168@TK2MSFTNGP02.phx.gbl...

>> Patrick,

>> You can solve the DNS problem by making secondaries of all sub-domain

>> zones on your central DNS servers.

>> For something as important as your international ERP, you could also keep

>> a replicated DC for each sub-domain at the centre.

>> Anthony, http://www.airdesk.co.uk

>>

>> "Pcnetnet" <pcnetnet@yahoo.com.hk> wrote in message

>> news:OIXye5y$HHA.4612@TK2MSFTNGP03.phx.gbl...

>>> Hi All,

>>>    I have a big problem with Active Directory, because our company (abc.com)

>>> has sub-domains installed at other locations (uk, us, cn...), but we have an ERP

>>> system installed at the HK office (root domain) with a Citrix server, so all

>>> users connect to ERP at the HK office and then log on to Windows using the

>>> subdomain name (e.g. uk.abc.com, us.abc.com). My problem is, when a UK

>>> user logs on to Citrix (terminal server) using the uk.abc.com domain, then this

>>> domain's name server is the UK office server, reached through a VPN connection. If this VPN

>>> line is normal, UK users have no problem logging on, but when the VPN line

>>> has a problem (e.g. disconnect), all UK users connecting to ERP cannot

>>> log on to Windows, because the UK user cannot find the domain name server.

>>> This is case 1; case 2 is the UK office name server being down: users

>>> cannot log on to ERP, but the ERP application itself has no error. Do we

>>> have any method to successfully log on to ERP (Citrix server) using uk.abc.com

>>> when the UK domain server is down or the VPN line is down? Thanks ALL

>>>

>>>

>>> Thanks,

>>> Patrick

>>>

>>

>>

>

>

 

 

 


From: Anthony <anthony.spam@spammedout.com>

To: none

Subject: Re: active directory (sub-domain)

Date: 09/27/2007 11:32:24

 

 

This sounds like a big enterprise-level system. You probably should have a

DC for each sub-domain at your central site.

Or get a more reliable network. The VPN should not be down that often, so

presumably we are talking about something that happens once or twice a year.

Anthony, http://www.airdesk.co.uk

 

 

"pcnetnet" <pcnetnet@yahoo.com.hk> wrote in message

news:%23$9NJLSAIHA.5960@TK2MSFTNGP05.phx.gbl...

> Hi All,

>     i setup the secondary dns on my side, if the sub-domain server is down

> or between root domain and sub-domain the vpn line is down , when uk user

> connect internet to our server(root domain) logon , him must be find the

> name server ( sub-domain) , so cannot logon ?? right ? how to do when

> sub-domain user logon to root domain server is access to root domain logon

> or cache the name !

> do you have any document or internet link for do this , Thanks ,

>

> Thanks,

> Patrick

>

>

> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

> news:euyiBw2$HHA.5652@TK2MSFTNGP05.phx.gbl...

>>I agree with Anthony.  If you have an unreliable network, then you should

>>consider placing dc's at remote sites for higher reliability.

>>

>> --

>> Paul Bergson

>> MVP - Directory Services

>> MCT, MCSE, MCSA, Security+, BS CSci

>> 2003, 2000 (Early Achiever), NT

>>

>> http://www.pbbergs.com

>>

>> Please no e-mails, any questions should be posted in the NewsGroup

>> This posting is provided "AS IS" with no warranties, and confers no

>> rights.

>>

>> "Anthony" <anthony.spam@spammedout.com> wrote in message

>> news:OfBcHO1$HHA.1168@TK2MSFTNGP02.phx.gbl...

>>> Patrick,

>>> You can solve the DNS problem by making secondaries of all sub-domain

>>> zones on your central DNS servers.

>>> For something as important as your international ERP, you could also

>>> keep a replicated DC for each sub-domain at the centre.

>>> Anthony, http://www.airdesk.co.uk

>>>

>>> "Pcnetnet" <pcnetnet@yahoo.com.hk> wrote in message

>>> news:OIXye5y$HHA.4612@TK2MSFTNGP03.phx.gbl...

>>>> Hi All,

>>>>    I have big problem on active directory, becuase our company

>>>> (abc.com) have sub-domain install to other location(uk,us,cn...) , but

>>>> we have ERP system install to HK office (root domain ) with citrix

>>>> server , so all user connect to ERP HK office and then user logon to

>>>> windows use subdomain name (e.g. uk.abc.com, us.abc.com) . i problem is

>>>> ,when uk user logon to citrix (terminal server) use uk.abc.com domain ,

>>>> then this domain name server is uk office server through VPN connect ,

>>>> if this VPN line is normal , uk user is no problem on logon , but when

>>>> the vpn line have probelm ( e.g. disconnect) all uk user if connect to

>>>> ERP cannot logon to windows, because uk user cannot find the domain

>>>> name server . this is case 1 , case 2 is uk office name server have

>>>> server down , user cannot logon to erp , but we have ERP application

>>>> have no any error. we have any method success logon to ERP (citrix

>>>> server) use uk.abc.com , when the uk domain server is down or vpn line

>>>> is down ! Thanks ALL

>>>>

>>>>

>>>> Thanks,

>>>> Patrick

>>>>

>>>

>>>

>>

>>

>

>

 

 

 


From: pcnetnet <pcnetnet@yahoo.com.hk>

To: none

Subject: Re: active directory (sub-domain)

Date: 09/27/2007 12:33:31

 

 

But we have about 10 sub-domains in our company, so there is no other way, I must

install each sub-domain's DC in the root domain? Then the root domain would have up to 10

servers. And for the network problem: I'm afraid the VPN line is down for about 3 hours,

then UK users cannot log on to ERP. This problem is a network problem; users

can connect to the ERP server over the Internet but cannot log on. It is not a domain problem,

it is a network problem. My boss doesn't want to do this. What can I do????

Thanks,

Patrick

 

"Anthony" <anthony.spam@spammedout.com> wrote in message

news:OTDnHQSAIHA.1168@TK2MSFTNGP02.phx.gbl...

> This sounds like a big enterprise-level system. You probably should have a

> DC for each sub-domain at your central site.

> Or get a more reliable network. The VPN should not be down that often, so

> presumably we are talking about something that happens once or twice a

> year,

> Anthony, http://www.airdesk.co.uk

>

>

> "pcnetnet" <pcnetnet@yahoo.com.hk> wrote in message

> news:%23$9NJLSAIHA.5960@TK2MSFTNGP05.phx.gbl...

>> Hi All,

>>     i setup the secondary dns on my side, if the sub-domain server is

>> down or between root domain and sub-domain the vpn line is down , when uk

>> user connect internet to our server(root domain) logon , him must be find

>> the name server ( sub-domain) , so cannot logon ?? right ? how to do when

>> sub-domain user logon to root domain server is access to root domain

>> logon or cache the name !

>> do you have any document or internet link for do this , Thanks ,

>>

>> Thanks,

>> Patrick

>>

>>

>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

>> news:euyiBw2$HHA.5652@TK2MSFTNGP05.phx.gbl...

>>>I agree with Anthony.  If you have an unreliable network, then you should

>>>consider placing dc's at remote sites for higher reliability.

>>>

>>> --

>>> Paul Bergson

>>> MVP - Directory Services

>>> MCT, MCSE, MCSA, Security+, BS CSci

>>> 2003, 2000 (Early Achiever), NT

>>>

>>> http://www.pbbergs.com

>>>

>>> Please no e-mails, any questions should be posted in the NewsGroup

>>> This posting is provided "AS IS" with no warranties, and confers no

>>> rights.

>>>

>>> "Anthony" <anthony.spam@spammedout.com> wrote in message

>>> news:OfBcHO1$HHA.1168@TK2MSFTNGP02.phx.gbl...

>>>> Patrick,

>>>> You can solve the DNS problem by making secondaries of all sub-domain

>>>> zones on your central DNS servers.

>>>> For something as important as your international ERP, you could also

>>>> keep a replicated DC for each sub-domain at the centre.

>>>> Anthony, http://www.airdesk.co.uk

>>>>

>>>> "Pcnetnet" <pcnetnet@yahoo.com.hk> wrote in message

>>>> news:OIXye5y$HHA.4612@TK2MSFTNGP03.phx.gbl...

>>>>> Hi All,

>>>>>    I have big problem on active directory, becuase our company

>>>>> (abc.com) have sub-domain install to other location(uk,us,cn...) , but

>>>>> we have ERP system install to HK office (root domain ) with citrix

>>>>> server , so all user connect to ERP HK office and then user logon to

>>>>> windows use subdomain name (e.g. uk.abc.com, us.abc.com) . i problem

>>>>> is ,when uk user logon to citrix (terminal server) use uk.abc.com

>>>>> domain , then this domain name server is uk office server through VPN

>>>>> connect , if this VPN line is normal , uk user is no problem on logon

>>>>> , but when the vpn line have probelm ( e.g. disconnect) all uk user if

>>>>> connect to ERP cannot logon to windows, because uk user cannot find

>>>>> the domain name server . this is case 1 , case 2 is uk office name

>>>>> server have server down , user cannot logon to erp , but we have ERP

>>>>> application have no any error. we have any method success logon to ERP

>>>>> (citrix server) use uk.abc.com , when the uk domain server is down or

>>>>> vpn line is down ! Thanks ALL

>>>>>

>>>>>

>>>>> Thanks,

>>>>> Patrick

>>>>>

>>>>

>>>>

>>>

>>>

>>

>>

>

>

 

 

 


From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>

To: none

Subject: Re: active directory (sub-domain)

Date: 09/28/2007 07:25:14

 

 

I'm really struggling with the language barrier, so I may not have understood

your problem.

 

1)    You should have your child domain users all use their dns services at

the location of their site.  From what I can figure out, it sounds like they

are using the dns services at the root location.  If this is the case, then

each child should have the root zone on their dns server and the root zone

should have all the child zones on that dns server.  No additional hardware

would be required.

 

2)    If the name server is down but the child dc server is available, then

the child client will need to point to the root dns server as a secondary on

the clients network dns configuration.  The root dns server will again need

to have all child zones on the root dns server.

 

 

 

--

Paul Bergson

MVP - Directory Services

MCT, MCSE, MCSA, Security+, BS CSci

2003, 2000 (Early Achiever), NT

 

http://www.pbbergs.com

 

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

 

"pcnetnet" <pcnetnet@yahoo.com.hk> wrote in message

news:Oy7SKySAIHA.4444@TK2MSFTNGP03.phx.gbl...

> but we have about 10 sub-domain of of our company , then no other i must

> install each sub-domain DC in root domain, then in root domain have up to

> 10 server , and network problem , i afraid the VPN line is down about 3

> hour , then uk user cannot logon to erp this problem is network problem ,

> but user can connect to erp server use internet , but cannot logon ,no

> domain problem is network problem , my boss don't hope do this , how can i

> do ????

> Thanks,

> Patrick

>

> "Anthony" <anthony.spam@spammedout.com> wrote in message

> news:OTDnHQSAIHA.1168@TK2MSFTNGP02.phx.gbl...

>> This sounds like a big enterprise-level system. You probably should have

>> a DC for each sub-domain at your central site.

>> Or get a more reliable network. The VPN should not be down that often, so

>> presumably we are talking about something that happens once or twice a

>> year,

>> Anthony, http://www.airdesk.co.uk

>>

>>

>> "pcnetnet" <pcnetnet@yahoo.com.hk> wrote in message

>> news:%23$9NJLSAIHA.5960@TK2MSFTNGP05.phx.gbl...

>>> Hi All,

>>>     i setup the secondary dns on my side, if the sub-domain server is

>>> down or between root domain and sub-domain the vpn line is down , when

>>> uk user connect internet to our server(root domain) logon , him must be

>>> find the name server ( sub-domain) , so cannot logon ?? right ? how to

>>> do when sub-domain user logon to root domain server is access to root

>>> domain logon or cache the name !

>>> do you have any document or internet link for do this , Thanks ,

>>>

>>> Thanks,

>>> Patrick

>>>

>>>

>>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

>>> news:euyiBw2$HHA.5652@TK2MSFTNGP05.phx.gbl...

>>>>I agree with Anthony.  If you have an unreliable network, then you

>>>>should consider placing dc's at remote sites for higher reliability.

>>>>

>>>> --

>>>> Paul Bergson

>>>> MVP - Directory Services

>>>> MCT, MCSE, MCSA, Security+, BS CSci

>>>> 2003, 2000 (Early Achiever), NT

>>>>

>>>> http://www.pbbergs.com

>>>>

>>>> Please no e-mails, any questions should be posted in the NewsGroup

>>>> This posting is provided "AS IS" with no warranties, and confers no

>>>> rights.

>>>>

>>>> "Anthony" <anthony.spam@spammedout.com> wrote in message

>>>> news:OfBcHO1$HHA.1168@TK2MSFTNGP02.phx.gbl...

>>>>> Patrick,

>>>>> You can solve the DNS problem by making secondaries of all sub-domain

>>>>> zones on your central DNS servers.

>>>>> For something as important as your international ERP, you could also

>>>>> keep a replicated DC for each sub-domain at the centre.

>>>>> Anthony, http://www.airdesk.co.uk

>>>>>

>>>>> "Pcnetnet" <pcnetnet@yahoo.com.hk> wrote in message

>>>>> news:OIXye5y$HHA.4612@TK2MSFTNGP03.phx.gbl...

>>>>>> Hi All,

>>>>>>    I have big problem on active directory, becuase our company

>>>>>> (abc.com) have sub-domain install to other location(uk,us,cn...) ,

>>>>>> but we have ERP system install to HK office (root domain ) with

>>>>>> citrix server , so all user connect to ERP HK office and then user

>>>>>> logon to windows use subdomain name (e.g. uk.abc.com, us.abc.com) . i

>>>>>> problem is ,when uk user logon to citrix (terminal server) use

>>>>>> uk.abc.com domain , then this domain name server is uk office server

>>>>>> through VPN connect , if this VPN line is normal , uk user is no

>>>>>> problem on logon , but when the vpn line have probelm ( e.g.

>>>>>> disconnect) all uk user if connect to ERP cannot logon to windows,

>>>>>> because uk user cannot find the domain name server . this is case 1 ,

>>>>>> case 2 is uk office name server have server down , user cannot logon

>>>>>> to erp , but we have ERP application have no any error. we have any

>>>>>> method success logon to ERP (citrix server) use uk.abc.com , when the

>>>>>> uk domain server is down or vpn line is down ! Thanks ALL

>>>>>>

>>>>>>

>>>>>> Thanks,

>>>>>> Patrick

>>>>>>

>>>>>

>>>>>

>>>>

>>>>

>>>

>>>

>>

>>

>

>

 

 

 

From: JayDee <dopamine@mail.com>

To: none

Subject: Re: Active Directory and Reverse DNS Zones

Date: 09/25/2007 20:11:11

 

 

On Sep 25, 10:15 am, "Jorge Silva" <jorgesilva...@hotmail.com> wrote:

> -Ok, you should be fine with creating the class B subnet; the reverse lookup

> zone will automatically create one "folder zone" for each subnet.

> - As for the error/warning your servers/workstations are trying to reach

> somewhere where they shouldn't and that action can represent a security

> issue, especially if they're trying to register in some public location.

>

> --

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services

>

> "JayDee" <dopam...@mail.com> wrote in message

>

 

Ok so in my example, the DNS server contains:

 

5.15.26

5.15.27

5.15.18

 

I created a reverse lookup zone called [5.15.x.x] in my test

environment.

 

Now the following shows up:

 

5.15.26.x

5.15.27.x

5.15.18.x

5.15.x.x

 

Does this mean that the first three will continue working the way they

were and any Class C addresses that start with 5.15.x.x will drop into

the one I added? In other words, does the one I'm adding (5.15.x.x)

work as a "catch all" for all the class C's that aren't explicitly

defined?

 

Can creating the class B as in the example above (when there are

several class C's already created) cause any foreseeable problems as

far as you are aware?

 

Thanks.

 

 

 

From: Anthony <anthony.spam@spammedout.com>

To: none

Subject: Re: Active Directory and Reverse DNS Zones

Date: 09/26/2007 03:29:43

 

 

The only things to bear in mind when you do this are:

the rights to register in DNS, if subnets are used by different domains;

the distribution of the zones, if they are not AD integrated and/or not shared by all sites.

Anthony, http://www.airdesk.co.uk

 

 

 

"JayDee" <dopamine@mail.com> wrote in message

news:1190769071.365646.63630@19g2000hsx.googlegroups.com...

> On Sep 25, 10:15 am, "Jorge Silva" <jorgesilva...@hotmail.com> wrote:

>> -Ok, you should be fine with creating the class B subnet; the reverse

>> lookup

>> zone will automatically create one "folder zone" for each subnet.

>> - As for the error/warning your servers/workstations are trying to reach

>> somewhere where they shouldn't and that action can represent a security

>> issue, especially if they're trying to register in some public location.

>>

>> --

>> I hope that the information above helps you.

>> Have a Nice day.

>>

>> Jorge Silva

>> MCSE, MVP Directory Services

>>

>> "JayDee" <dopam...@mail.com> wrote in message

>>

>

> Ok so in my example, the DNS server contains:

>

> 5.15.26

> 5.15.27

> 5.15.18

>

> I created a reverse lookup zone called [5.15.x.x] in my test

> environment.

>

> Now the following shows up:

>

> 5.15.26.x

> 5.15.27.x

> 5.15.18.x

> 5.15.x.x

>

> Does this mean that the first three will continue working the way they

> were and any Class C addresses that start with 5.15.x.x will drop into

> the one I added? In other words, does the one I'm adding (5.15.x.x)

> work as a "catch all" for all the class C's that aren't explicitly

> defined?

>

> Can creating the class B as in the example above (when there are

> several class C's already created) cause any foreseeable problems as

> far as you are aware?

>

> Thanks.

>

 

 

 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Active Directory and Reverse DNS Zones

Date: 09/26/2007 07:08:31

 

 

I'm not aware of any problems with that configuration, as long as the

workstations can register the records in the appropriate DNS.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"JayDee" <dopamine@mail.com> wrote in message

news:1190769071.365646.63630@19g2000hsx.googlegroups.com...

> On Sep 25, 10:15 am, "Jorge Silva" <jorgesilva...@hotmail.com> wrote:

>> -Ok, you should be fine with creating the class B subnet; the reverse

>> lookup

>> zone will automatically create one "folder zone" for each subnet.

>> - As for the error/warning your servers/workstations are trying to reach

>> somewhere where they shouldn't and that action can represent a security

>> issue, especially if they're trying to register in some public location.

>>

>> --

>> I hope that the information above helps you.

>> Have a Nice day.

>>

>> Jorge Silva

>> MCSE, MVP Directory Services

>>

>> "JayDee" <dopam...@mail.com> wrote in message

>>

>

> Ok so in my example, the DNS server contains:

>

> 5.15.26

> 5.15.27

> 5.15.18

>

> I created a reverse lookup zone called [5.15.x.x] in my test

> environment.

>

> Now the following shows up:

>

> 5.15.26.x

> 5.15.27.x

> 5.15.18.x

> 5.15.x.x

>

> Does this mean that the first three will continue working the way they

> were and any Class C addresses that start with 5.15.x.x will drop into

> the one I added? In other words, does the one I'm adding (5.15.x.x)

> work as a "catch all" for all the class C's that aren't explicitly

> defined?

>

> Can creating the class B as in the example above (when there are

> several class C's already created) cause any foreseeable problems as

> far as you are aware?

>

> Thanks.

>
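
The "catch all" behaviour JayDee asks about, as an added example that is not part of any post in the thread. The helper function reproduces the rule the DNS server applies: a PTR query is answered from the most specific hosted zone whose name is a suffix of the query name, so the three existing /24 zones keep answering for their subnets and only addresses from other 5.15.x.0/24 subnets land in the new /16 zone. The cmdlet calls assume a DC running the DNS server role with the DnsServer module; the addresses used in the lookup are made up.

```powershell
# Added example, not from the thread. Assumed: run on a DC that hosts the DNS role, with the
# DnsServer module (RSAT); zones are AD-integrated and accept only secure dynamic updates.
Import-Module DnsServer

function Get-EnclosingReverseZone {
    # The zone a server answers a PTR query from is the most specific zone it hosts whose name
    # is a suffix of the query name. With 15.5.in-addr.arpa and 26.15.5.in-addr.arpa both
    # present, 5.15.26.x is answered from the /24 zone; only /24s with no zone of their own
    # fall through to the /16.
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][string[]]$ZoneNames
    )
    $octets = $IPAddress.Split('.')
    [array]::Reverse($octets)
    $ptrName = ($octets -join '.') + '.in-addr.arpa'
    $ZoneNames |
        Where-Object { $ptrName -eq $_ -or $ptrName.EndsWith('.' + $_) } |
        Sort-Object -Property Length -Descending |
        Select-Object -First 1
}

# 1. Add the class B (/16) reverse zone next to the existing /24 zones.
Add-DnsServerPrimaryZone -NetworkId '5.15.0.0/16' -ReplicationScope Domain -DynamicUpdate Secure

# 2. List every reverse zone the server now hosts, minus the auto-created 0/127/255 zones.
$zones = Get-DnsServerZone |
    Where-Object { $_.IsReverseLookupZone -and -not $_.IsAutoCreated } |
    Select-Object -ExpandProperty ZoneName
$zones

# 3. Show which zone will hold the PTR record for a few (made-up) addresses.
'5.15.26.10', '5.15.18.200', '5.15.40.5' | ForEach-Object {
    [pscustomobject]@{
        Address       = $_
        AnsweringZone = Get-EnclosingReverseZone -IPAddress $_ -ZoneNames $zones
    }
}

# 4. Confirm against the live server (Resolve-DnsName reverses the address itself).
Resolve-DnsName -Name '5.15.26.10' -Type PTR -Server 127.0.0.1
```

Two things to check afterwards, matching Anthony's and Jorge's caveats. If the /24 zones are hosted somewhere the /16 zone is not (or the other way round), add NS delegation records for each /24 inside the /16; otherwise a server holding only the /16 is authoritative for the whole range and answers NXDOMAIN for those subnets instead of referring. And keep -DynamicUpdate Secure on the new zone: a /16 that accepts unsecured updates lets any client register or overwrite PTR records for subnets it does not belong to.
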

 

 

 

From: Ryan Hanisco <RyanHanisco@discussions.microsoft.com>

To: none

Subject: RE: AD printers - server-centric, am i missing something?

Date: 09/27/2007 22:44:01

 

 

jzabrams,

 

Publishing printers in the directory allows printers to be searched out and

classified in the directory.  They are, however, still server resources.   

You can take advantage of clustering or even round-robin DNS to share them

between servers (printmig to copy printers) and use a cname record to refer

to them as a virtual server, \\print perhaps.

 

If you are using Server 2003 R2, there is a complete revamp of printing

services that will allow you to assign printers based on policy or group

membership.  It is definitely worth looking into.  Of course, you can use

simple VB scripts to accomplish the same things on logon.

 

I hope this helps.  The power of AD is in the multi-master nature of its

object management, not really in its printer handling.

--

Ryan Hanisco

MCSE, MCTS: SQL 2005, Project+

www.techsterity.com

Chicago, IL

 

Remember: Marking helpful answers helps everyone find the info they need

quickly.

 

 

"jzabrams" wrote:

 

> We just finished upgrading an NT4 domain to AD.  Now, i thought the

> whole point of AD was to make network resources directory-centric

> rather than server centric.  My printers are all published in AD,

> however nowhere do i see how to refer to them without reference to

> the server they're shared from.  I.e., i was under the impression i

> should now be able to refer to the printer similar to \\domainname

> \printer, rather than \\server\printer?  I think i'm missing

> something?

>

> Thanks,

>

>

 

 

 

From: Thylo <Thylo@discussions.microsoft.com>

To: none

Subject: RE: AD printers - server-centric, am i missing something?

Date: 09/27/2007 22:51:00

 

 

Hi,

 

AD allows you to search for printers without having to know which server

they're located on first, as you had to in NT.

 

To add a printer to a workstation, choose network printer and then use the

"Find printer in the directory" option, it will bring up a search window. If

you click "Find Now" without filling in any details, it will find all of the

printers in the directory, or you can refine it by filling in some of the

details.

 

If you know the server that they're on, you can just type the direct path in

as you would with NT. The directory search can make it easier for end users

to install printers, if you want them to be able to do that!

 

Hope that helps,

 

--

Leigh

MCSE (NT4, 2000)

 

 

"jzabrams" wrote:

 

> We just finished upgrading an NT4 domain to AD.  Now, i thought the

> whole point of AD was to make network resources directory-centric

> rather than server centric.  My printers are all published in AD,

> however nowhere do i see how to refer to them without reference to

> the server they're shared from.  I.e., i was under the impression i

> should now be able to refer to the printer similar to \\domainname

> \printer, rather than \\server\printer?  I think i'm missing

> something?

>

> Thanks,

>

>

 

 

 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: AD, DNS, Wins, IP question

Date: 09/26/2007 15:05:01

 

 

Hi

Each WINS server should only point to itself in its WINS configuration, the

clients should point to both WINS servers, and both WINS servers should

have each other as replication partners.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"James" <acidflea@hotmail.com> wrote in message

news:%23txmouGAIHA.484@TK2MSFTNGP06.phx.gbl...

> Here is what I have. We are replacing one of our domain controllers with a

> new server.  I have promoted the new server and moved the roles from the

> old server to the new server.  The old server was also running DNS and

> WINS so I installed DNS and WINS on the new server.  The old server IP is

> say 192.168.1.131 and new is 192.168.1.120. I do not want to change the

> clients DNS and wins addresses to point to 192.168.1.120 so after I

> demoted the old server and turned it off I added the old server IP of .131

> to the new server as a second IP on the same network card as the current

> .120 IP. So I now have the new server with both IP address on the same

> network card (which I have done before and seems to work fine).  My only

> issue is the WINS server I am not seeing any clients registering. I do see

> that on the WINS server it is showing that it is running on the .120

> address and the clients are pointing to the .131 address even though they

> are on the same network card.

>

> Is there a setting that I can change to make the WINS server work on both

> network address like I can within the DNS server?

>

> If not what would be the easiest way to fix this?

>

> Should I change the Main ip of the server to be .131 and use the .120 as

> the secondary ip?

>

> Should I just change the IP address of the new server to .131 and remove

> the .120 and if so what issues will I have by changing the IP address of a

> domain controller?

>

>

>

> Thanks,

>                James

 

 

 

From: James <acidflea@hotmail.com>

To: none

Subject: Re: AD, DNS, Wins, IP question

Date: 09/26/2007 15:19:44

 

 

Jorge,

            I only have one wins server.

 

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

news:OOlRAiHAIHA.4732@TK2MSFTNGP04.phx.gbl...

> Hi

> Each WINS server should only point to itself in its WINS configuration, the

> clients should point to both WINS servers, and both WINS servers should

> have each other as replication partners.

>

> --

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services

> "James" <acidflea@hotmail.com> wrote in message

> news:%23txmouGAIHA.484@TK2MSFTNGP06.phx.gbl...

>> Here is what I have. We are replacing one of our domain controllers with

>> a new server.  I have promoted the new server and moved the roles from

>> the old server to the new server.  The old server was also running DNS

>> and WINS so I installed DNS and WINS on the new server.  The old server

>> IP is say 192.168.1.131 and new is 192.168.1.120. I do not want to change

>> the clients DNS and wins addresses to point to 192.168.1.120 so after I

>> demoted the old server and turned it off I added the old server IP of

>> .131 to the new server as a second IP on the same network card as the

>> current .120 IP. So I now have the new server with both IP address on the

>> same network card (which I have done before and seems to work fine).  My

>> only issue is the WINS server I am not seeing any clients registering. I

>> do see that on the WINS server it is showing that it is running on the

>> .120 address and the clients are pointing to the .131 address even though

>> they are on the same network card.

>>

>> Is there a setting that I can change to make the WINS server work on both

>> network address like I can within the DNS server?

>>

>> If not what would be the easiest way to fix this?

>>

>> Should I change the Main ip of the server to be .131 and use the .120 as

>> the secondary ip?

>>

>> Should I just change the IP address of the new server to .131 and remove

>> the .120 and if so what issues will I have by changing the IP address of

>> a domain controller?

>>

>>

>>

>> Thanks,

>>                James

>

>

 

 

 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: AD, DNS, Wins, IP question

Date: 09/26/2007 16:09:21

 

 

Using the WINS console, can you connect to the additional IP?

If you uninstall the WINS server and re-install it again (now that you have 2 IP

addresses), does it solve the problem?

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"James" <acidflea@hotmail.com> wrote in message

news:Oi6l0qHAIHA.1168@TK2MSFTNGP02.phx.gbl...

> Jorge,

>            I only have one wins server.

>

> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

> news:OOlRAiHAIHA.4732@TK2MSFTNGP04.phx.gbl...

>> Hi

>> Each WINS server should only point to itself in its WINS configuration, the

>> clients should point to both WINS servers, and both WINS servers should

>> have each other as replication partners.

>>

>> --

>> I hope that the information above helps you.

>> Have a Nice day.

>>

>> Jorge Silva

>> MCSE, MVP Directory Services

>> "James" <acidflea@hotmail.com> wrote in message

>> news:%23txmouGAIHA.484@TK2MSFTNGP06.phx.gbl...

>>> Here is what I have. We are replacing one of our domain controllers with

>>> a new server.  I have promoted the new server and moved the roles from

>>> the old server to the new server.  The old server was also running DNS

>>> and WINS so I installed DNS and WINS on the new server.  The old server

>>> IP is say 192.168.1.131 and new is 192.168.1.120. I do not want to

>>> change the clients DNS and wins addresses to point to 192.168.1.120 so

>>> after I demoted the old server and turned it off I added the old server

>>> IP of .131 to the new server as a second IP on the same network card as

>>> the current .120 IP. So I now have the new server with both IP address

>>> on the same network card (which I have done before and seems to work

>>> fine).  My only issue is the WINS server I am not seeing any clients

>>> registering. I do see that on the WINS server it is showing that it is

>>> running on the .120 address and the clients are pointing to the .131

>>> address even though they are on the same network card.

>>>

>>> Is there a setting that I can change to make the WINS server work on

>>> both network address like I can within the DNS server?

>>>

>>> If not what would be the easiest way to fix this?

>>>

>>> Should I change the Main ip of the server to be .131 and use the .120 as

>>> the secondary ip?

>>>

>>> Should I just change the IP address of the new server to .131 and remove

>>> the .120 and if so what issues will I have by changing the IP address of

>>> a domain controller?

>>>

>>>

>>>

>>> Thanks,

>>>                James

>>

>>

 

 

 

From: Lee Flight <lef@le.ac.uk-nospam>

To: none

Subject: Re: ADAM - dsacls - Proper Create Child permissions on subobjects

Date: 09/27/2007 05:04:45

 

 

Hi

 

I do not think you need the deny for delete.

Just grant GR with inheritance on the naming context and then GWCC with inheritance

on the cn=profiles subtree for the role you created. Delete should not be

possible unless you have granted it directly or it is granted indirectly (nested

role).

 

Lee Flight

 

 

"Noremac" <Noremac@newsgroups.nospam> wrote in message

news:5C05CD9F-AC94-400F-89C2-EEAC6B88DF49@microsoft.com...

> Like a few other posters out there I am a veteran developer using ADAM and

> LDAP for the first time. Right now I am trying to get this to work on my

> developer machine XP SP2. ADAM is installed locally.

>

> I am trying to set up least-privileged access to the data in our ADAM for a

> WebSSO solution we are building. I have a group under Roles called

> MembershipProvider to which I've added ASPNET, as the code doing the work

> is a .NET Web Service.

>

> It has been working flawlessly except for this scenario: I cannot add a

> child object to an object I just created at runtime; it totally crashes

> the ADAM service with a COM security exception. I have to start the service

> manually.

>

> I have a container for our Profile objects. These are successfully created

> by the ASPNET identity at runtime. However, ASPNET cannot add Message

> objects to those Profiles. If I run this code from my test harness that uses

> me (a local administrator) as the identity, the Messages get added to the

> Profiles.

>

> Here are my dsacls:

>

> rem Grant the role read access to ADAM instance

> %SYSTEMROOT%\ADAM\dsacls.exe \\%1\CN=WebSSO /I:T /G CN=MembershipProvider,CN=Roles,CN=WebSSO:GR

>

> rem Grant the role create and update Profiles and children of Profiles like Messages

> %SYSTEMROOT%\ADAM\dsacls.exe \\%1\CN=Profiles,CN=WebSSO /I:T /G CN=MembershipProvider,CN=Roles,CN=WebSSO:GW

> %SYSTEMROOT%\ADAM\dsacls.exe \\%1\CN=Profiles,CN=WebSSO /I:T /G CN=MembershipProvider,CN=Roles,CN=WebSSO:CC

>

> rem DENY the role the ability to delete Profiles

> %SYSTEMROOT%\ADAM\dsacls.exe \\%1\CN=Profiles,CN=WebSSO /I:S /D CN=MembershipProvider,CN=Roles,CN=WebSSO:DT;;coc-WebSSO-Profile

>

>

>

> Thanks!
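
Lee Flight's grant set as a runnable script, added here as an example and not taken from any post in the thread. It assumes the ADAM instance listens on localhost:389 (the %1 of Noremac's batch file), the partition and role names from his post, and dsacls.exe from the ADAM install directory; the verification step only reads the ACL.

```powershell
# Added example, not from the thread. Assumed: ADAM instance reachable as localhost:389,
# partition CN=WebSSO, role CN=MembershipProvider,CN=Roles,CN=WebSSO, and dsacls.exe
# under %SYSTEMROOT%\ADAM. Run as an administrator of that ADAM partition.
$dsacls = Join-Path $env:SystemRoot 'ADAM\dsacls.exe'
$server = 'localhost:389'
$role   = 'CN=MembershipProvider,CN=Roles,CN=WebSSO'

# 1. Read on the whole naming context, inherited by every object below it (/I:T).
& $dsacls "\\$server\CN=WebSSO" /I:T /G "${role}:GR"

# 2. Write + Create Child on the Profiles subtree only. Because the ACE is inheritable it is
#    copied onto each Profile that ASPNET creates at runtime, so Message objects can then be
#    created beneath it. No Delete right (SD/DT) is granted, so no explicit deny is needed.
& $dsacls "\\$server\CN=Profiles,CN=WebSSO" /I:T /G "${role}:GWCC"

# 3. Verify: dump the Profiles ACL and print each ACE that names the role together with the
#    permission lines that follow it. Any DELETE entry here comes from a direct grant or a
#    nested role, not from steps 1 and 2.
(& $dsacls "\\$server\CN=Profiles,CN=WebSSO") |
    Select-String -Pattern 'MembershipProvider' -Context 0, 4 |
    ForEach-Object { $_.Line; $_.Context.PostContext }
```

GW is Generic Write, that is, write to every attribute of the objects it lands on (plus Self), which is broader than a membership provider normally needs; once the scenario works, tighten it to WP on the attributes the service actually sets (dsacls ... /G "role:WP;attributeName"). Likewise GR on the whole naming context lets the service account read everything in CN=WebSSO, including the Roles container; scope it to the subtrees the web service reads once those are known.
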

 

 

 

From: Lee Flight <lef@le.ac.uk-nospam>

To: none

Subject: Re: ADAMsync not syncing all items

Date: 09/26/2007 03:37:01

 

 

Hi

 

what access does the account (steves) have to objects in

the source AD? Are you getting any errors in the log files?

 

Lee Flight

 

 

"stevestites" <stevestites.2xhlrg@DoNotSpam.com> wrote in message

news:stevestites.2xhlrg@DoNotSpam.com...

>

> I'm new to ADAM and have setup an instance per the ADAM step-by-step

> guide.  I can get some of the objects to sync but not all.  Here's my

> xml config:

>

> <description>Federal->ADAM Sync</description>

> <security-mode>object</security-mode>

> <source-ad-name>feddc01</source-ad-name>

> <source-ad-partition>dc=federal,dc=com</source-ad-partition>

> <source-ad-account>steves</source-ad-account>

> <account-domain>federal.com</account-domain>

> <target-dn>o=Netpro,c=US</target-dn>

> <query>

> <base-dn>ou=Federal Employees,dc=federal,dc=com</base-dn>

> <object-filter>(objectClass=*)</object-filter>

> <attributes>

> <include></include>

> <exclude>extensionName</exclude>

> <exclude>displayNamePrintable</exclude>

> <exclude>flags</exclude>

> <exclude>isPrivilegeHolder</exclude>

> <exclude>msCom-UserLink</exclude>

> <exclude>msCom-PartitionSetLink</exclude>

> <exclude>reports</exclude>

> <exclude>serviceprincipalname</exclude>

> <exclude>accountExpires</exclude>

> <exclude>adminCount</exclude>

> <exclude>primarygroupid</exclude>

> <exclude>userAccountControl</exclude>

> <exclude>codePage</exclude>

> <exclude>countryCode</exclude>

> <exclude>logonhours</exclude>

> <exclude>lockoutTime</exclude>

> </attributes>

> </query>

>

> when syncing I get the top level OU (Federal Employees) and then 3 of

> the 2nd level OUs.  I also get several of these in the log file:

>

>

> Processing Entry: Page 3, Frame 1, Entry 19, Count 1, USN 0

>

> Processing source entry <guid=7da2bf0f051bbc4c91439f93e8b1238b>

>

> Previous entry took 0 seconds (0, 0) to process

>

>

>

> Processing Entry: Page 3, Frame 1, Entry 20, Count 1, USN 0

>

> Processing source entry <guid=96b6cad705e15243be7df99a523e1848>

>

> Previous entry took 0 seconds (0, 0) to process

>

>

>

> Processing Entry: Page 3, Frame 1, Entry 21, Count 1, USN 0

>

> Processing source entry <guid=95becf0f278f4f48b9eb9cde06a523c5>

>

> Previous entry took 0 seconds (0, 0) to process

>

>

>

> Processing Entry: Page 3, Frame 1, Entry 22, Count 1, USN 0

>

> Processing source entry <guid=1bd50fdb00c73743a25a4301453d7c97>

>

> Processing in-scope entry 1bd50fdb00c73743a25a4301453d7c97.

>

> Adding target object CN=Magaret

> Bannister,OU=Texas,OU=Manufacturing,OU=Federal

> Employees,o=Netpro,c=US.

>

> Deferring synchronization of attribute showinaddressbook to end of run.

> Deleting attribute.

>

> Adding attributes: sourceobjectguid, objectCla-

>

> The last entry shows a user that is getting synced but the object never

> shows up in ldp or adsiedit.  I'm stumped.  Any ideas?

>

> Steve

>

>

> --

> stevestites

> ------------------------------------------------------------------------

> stevestites's Profile: http://forums.techarena.in/member.php?userid=31744

> View this thread: http://forums.techarena.in/showthread.php?t=824003

>

> http://forums.techarena.in

>

 

 

 

From: Ranjan <Ranjan@discussions.microsoft.com>

To: none

Subject: RE: Adding Custom Attribute

Date: 09/27/2007 10:30:06

 

 

Can somebody help me out?

 

"Ranjan" wrote:

 

> Hi

> I just want to add a custom attribute, Date of birth; how can I make it

> visible in ADUC? I know the creation process of the attribute but I don't know how

> to make it visible.

 

 

 

From: jwd <jwd@discussions.microsoft.com>

To: none

Subject: RE: Adding Custom Attribute

Date: 09/27/2007 11:04:03

 

 

If you add new attributes to the schema you need to have a custom front end

to view them.

 

Are you sure you know how to create a new attribute?  Modifying the schema

is something you should fully understand before even thinking about making

changes.

 

Best Regards

Joe Dunn MCSE

 

 

 

"Ranjan" wrote:

 

> Can somebody help me out?

>

> "Ranjan" wrote:

>

> > Hi

> > I just want to add a custom attribute, Date of birth; how can I make it

> > visible in ADUC? I know the creation process of the attribute but I don't know how

> > to make it visible.

 

 

 

From: Ranjan <Ranjan@discussions.microsoft.com>

To: none

Subject: RE: Adding Custom Attribute

Date: 09/27/2007 11:18:03

 

 

Yes, I know how to create a new attribute and I have some overview of the AD schema. I

have gone through the process of adding employeeid and making it visible in the

admin-context-menu, but I want to make it visible in admin-property-pages.

 

"jwd" wrote:

 

>

> If you add new attributes to the schema you need to have a custom front end

> to view them.

>

> Are you sure you know how to create a new attribute?  Modifying the schema

> is something you should fully understand before even thinking about making

> changes.

>

> Best Regards

> Joe Dunn MCSE

>

>

>

> "Ranjan" wrote:

>

> > Can somebody help me out?

> >

> > "Ranjan" wrote:

> >

> > > Hi

> > > I just want to add a custom attribute, Date of birth; how can I make it

> > > visible in ADUC? I know the creation process of the attribute but I don't know how

> > > to make it visible.

 

 

 

From: Ranjan <Ranjan@discussions.microsoft.com>

To: none

Subject: RE: Adding Custom Attribute

Date: 09/27/2007 11:23:02

 

 

Similar to the employeeid example, I have created one for date of birth. As a Unicode

string it is working fine, but using that we can add any value. I want it in a

proper date/time format. I have tried it as UTC coded time but it is not

accepting the value, giving an error.

 

"Ranjan" wrote:

 

> Yes, I know how to create a new attribute and I have some overview of the AD schema. I

> have gone through the process of adding employeeid and making it visible in the

> admin-context-menu, but I want to make it visible in admin-property-pages.

>

> "jwd" wrote:

>

> >

> > If you add new attributes to the schema you need to have a custom front end

> > to view them.

> >

> > Are you sure you know how to create a new attribute?  Modifying the schema

> > is something you should fully understand before even thinking about making

> > changes.

> >

> > Best Regards

> > Joe Dunn MCSE

> >

> >

> >

> > "Ranjan" wrote:

> >

> > > Can somebody help me out?

> > >

> > > "Ranjan" wrote:

> > >

> > > > Hi

> > > > I just want to add a custom attribute, Date of birth; how can I make it

> > > > visible in ADUC? I know the creation process of the attribute but I don't know how

> > > > to make it visible.

 

 

 

From: Joe Kaplan <joseph.e.kaplan@removethis.accenture.com>

To: none

Subject: Re: Adding Custom Attribute

Date: 09/27/2007 12:23:37

 

 

The MSDN documentation for extending the ADUC UI is right here:

 

http://msdn2.microsoft.com/en-us/library/ms676902.aspx

 

You basically need to implement the correct COM interfaces in C++ to create

a new property page and integrate it with ADUC.  Then, you have to figure

out how to get your custom extension deployed to all of the machines that

will need to use it.

 

Joe K.

 

--

Joe Kaplan-MS MVP Directory Services Programming

Co-author of "The .NET Developer's Guide to Directory Services Programming"

http://www.directoryprogramming.net

--

"Ranjan" <Ranjan@discussions.microsoft.com> wrote in message

news:9550468D-63BB-4FDD-AAB2-5536D833B8F7@microsoft.com...

> Similar to the employeeid example, I have created one for date of birth. As a Unicode

> string it is working fine, but using that we can add any value. I want it

> in

> a proper date/time format. I have tried it as UTC coded time but it is not

> accepting the value, giving an error.

>

> "Ranjan" wrote:

>

>> Yes, I know how to create a new attribute and I have some overview of the AD

>> schema. I

>> have gone through the process of adding employeeid and making it visible in

>> the

>> admin-context-menu, but I want to make it visible in admin-property-pages.

>>

>> "jwd" wrote:

>>

>> >

>> > If you add new attributes to the schema you need to have a custom front

>> > end

>> > to view them.

>> >

>> > Are you sure you know how to create a new attribute?  Modifying the

>> > schema

>> > is something you should fully understand before even thinking about

>> > making

>> > changes.

>> >

>> > Best Regards

>> > Joe Dunn MCSE

>> >

>> >

>> >

>> > "Ranjan" wrote:

>> >

>> > > Can somebody help me out?

>> > >

>> > > "Ranjan" wrote:

>> > >

>> > > > Hi

>> > > > I just want to add a custom attribute, Date of birth; how can I

>> > > > make it

>> > > > visible in ADUC? I know the creation process of the attribute but I don't

>> > > > know how

>> > > > to make it visible.
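
An added example (not from any post in the thread) of the schema side of what Ranjan is after: an attribute with a real date/time syntax rather than a Unicode string, and the exact string form a Generalized-Time value has to take when it is written. The attribute name, the user name and the OID are placeholders. The ADUC property page itself still has to be built the way Joe Kaplan describes; this script does nothing about the UI.

```powershell
# Added example, not from the thread. Run as a member of Schema Admins against the schema
# master. Assumed: the attribute name abc-DateOfBirth, the user 'jdoe', and the OID below,
# which is a PLACEHOLDER; use an OID from an arc your organisation owns. Schema additions are
# forest-wide and cannot be deleted afterwards (only made defunct), so rehearse in a lab forest.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrName = 'abc-DateOfBirth'

function Update-SchemaCache {
    # Makes the DC reload its schema cache so a just-created object can be referenced at once.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()
}

# 1. Create the attribute. Attribute-syntax 2.5.5.11 is shared by "UTC Coded Time"
#    (oMSyntax 23, two-digit year, 'YYMMDDHHMMSSZ') and "Generalized Time" (oMSyntax 24,
#    'YYYYMMDDHHMMSS.0Z'). Generalized Time is what whenCreated uses; pick it for a birth date.
New-ADObject -Name $attrName -Type attributeSchema -Path $schemaNC -OtherAttributes @{
    lDAPDisplayName  = $attrName
    adminDescription = 'Date of birth, stored as Generalized Time'
    attributeID      = '1.2.840.113556.1.8000.2554.99999.1'   # PLACEHOLDER OID, replace it
    attributeSyntax  = '2.5.5.11'
    oMSyntax         = 24
    isSingleValued   = $true
    searchFlags      = 128    # 0x80 = confidential: readable only with Control Access on the user
}
Update-SchemaCache

# 2. Let user objects carry the attribute, then reload the cache again.
Set-ADObject -Identity "CN=User,$schemaNC" -Add @{ mayContain = $attrName }
Update-SchemaCache

# 3. Values must be in the exact Generalized Time string form; anything else is rejected.
function ConvertTo-GeneralizedTime([datetime]$Date) {
    $Date.ToUniversalTime().ToString('yyyyMMddHHmmss') + '.0Z'
}
function ConvertFrom-GeneralizedTime($Value) {
    if ($Value -is [datetime]) { return $Value }   # the AD module may already have converted it
    [datetime]::ParseExact(([string]$Value).Substring(0, 14), 'yyyyMMddHHmmss', $null,
        [System.Globalization.DateTimeStyles]::AssumeUniversal)
}

Set-ADUser -Identity 'jdoe' -Replace @{ $attrName = ConvertTo-GeneralizedTime (Get-Date '1985-04-17') }

# 4. Read it back as a DateTime.
$stored = (Get-ADUser -Identity 'jdoe' -Properties $attrName).$attrName
ConvertFrom-GeneralizedTime $stored
```

Two schema details worth knowing before running this: searchFlags 128 (the confidential bit) needs Windows Server 2003 SP1 or later DCs and only works on attributes you add yourself, not on base-schema ones; and the read-back function accepts either a string or a DateTime because the ActiveDirectory module converts some Generalized-Time attributes to DateTime on the way out.
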

 

 

 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: adding workstation to domain - access is denied

Date: 09/26/2007 11:37:47

 

 

Hello,

 

Take care about ms-DS-MachineAccountQuota. By default, they lose the

delegation every 10 computers.

 

http://lordoftheping.blogspot.com/2007/09/default-limit-to-number-of-workstations.html

 

--

Cordialement,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

 

 

"Tina" <tina@nospam.postalias> wrote in message

news:2952A708-4776-4CDA-B313-2B2C6EEDC966@microsoft.com...

> When IT staff add xp workstation to our server 2003 active directory

> domain,

> they get "Access is denied" errors. I have given "ITGroup" security group

> "create computer account" and "delete computer account" on the computer OU

> and the workwstation OU (I changed the default container workstations go

> in

> when they are added to the domain). When a workstation is added to the

> domain,

> they go into the Workstation OU. I also checked the Domain Controller

> Security Policy under administrative tools, and the Add workstation to

> domain

> has authenticated user, and ITGroup. No matter what I change, I still get

> the

> error. Please help.

> Tina

 

 

 

From: Tina <tina@nospam.postalias>

To: none

Subject: Re: adding workstation to domain - access is denied

Date: 09/26/2007 11:48:03

 

 

I know they are only allowed to add 10. How do I give them the right to add

unlimited?

 

"Mathieu CHATEAU" wrote:

 

> Hello,

>

> Take care about ms-DS-MachineAccountQuota. By default, they lose the

> delegation every 10 computers.

>

> http://lordoftheping.blogspot.com/2007/09/default-limit-to-number-of-workstations.html

>

> --

> Cordialement,

> Mathieu CHATEAU

> http://lordoftheping.blogspot.com

>

>

> "Tina" <tina@nospam.postalias> wrote in message

> news:2952A708-4776-4CDA-B313-2B2C6EEDC966@microsoft.com...

> > When IT staff add xp workstation to our server 2003 active directory

> > domain,

> > they get "Access is denied" errors. I have given "ITGroup" security group

> > "create computer account" and "delete computer account" on the computer OU

> > and the workstation OU (I changed the default container workstations go

> > in

> > when they are added to the domain). When a workstation is added to the

> > domain,

> > they go into the Workstation OU. I also checked the Domain Controller

> > Security Policy under administrative tools, and the Add workstation to

> > domain

> > has authenticated user, and ITGroup. No matter what I change, I still get

> > the

> > error. Please help.

> > Tina

>

>

 

 

 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: adding workstation to domain - access is denied

Date: 09/26/2007 11:51:21

 

 

follow the KB on my blog !

http://support.microsoft.com/kb/243327/en-us

 

 

--

Cordialement,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

 

 

"Tina" <tina@nospam.postalias> wrote in message

news:6452B83B-78CE-4ECF-8861-535F57764B05@microsoft.com...

>I know they are only allowed to add 10. How do I give them the right to add

> unlimited?

>

> "Mathieu CHATEAU" wrote:

>

>> Hello,

>>

>> Take care about ms-DS-MachineAccountQuota. By default, they lose the

>> delegation every 10 computers.

>>

>> http://lordoftheping.blogspot.com/2007/09/default-limit-to-number-of-workstations.html

>>

>> --

>> Cordialement,

>> Mathieu CHATEAU

>> http://lordoftheping.blogspot.com

>>

>>

>> "Tina" <tina@nospam.postalias> wrote in message

>> news:2952A708-4776-4CDA-B313-2B2C6EEDC966@microsoft.com...

>> > When IT staff add xp workstation to our server 2003 active directory

>> > domain,

>> > they get "Access is denied" errors. I have given "ITGroup" security

>> > group

>> > "create computer account" and "delete computer account" on the computer

>> > OU

>> > and the workstation OU (I changed the default container workstations

>> > go

>> > in

>> > when they are added to the domain). When a workstation is added to the

>> > domain,

>> > they go into the Workstation OU. I also checked the Domain Controller

>> > Security Policy under administrative tools, and the Add workstation to

>> > domain

>> > has authenticated user, and ITGroup. No matter what I change, I still

>> > get

>> > the

>> > error. Please help.

>> > Tina

>>

>>

 

 

 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: adding workstation to domain - access is denied

Date: 09/26/2007 12:07:18

 

 

Hi

Please check the following:

http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"Mathieu CHATEAU" <gollum123@free.fr> wrote in message

news:%23sT%2341FAIHA.1164@TK2MSFTNGP02.phx.gbl...

> follow the KB on my blog !

> http://support.microsoft.com/kb/243327/en-us

>

>

> --

> Cordialement,

> Mathieu CHATEAU

> http://lordoftheping.blogspot.com

>

>

> "Tina" <tina@nospam.postalias> wrote in message

> news:6452B83B-78CE-4ECF-8861-535F57764B05@microsoft.com...

>>I know they are only allowed to add 10. How do I give them the right to

>>add

>> unlimited?

>>

>> "Mathieu CHATEAU" wrote:

>>

>>> Hello,

>>>

>>> take care about ms-DS-MachineAccountQuota. By default, they lose the

>>> delegation every 10 computers

>>>

>>> http://lordoftheping.blogspot.com/2007/09/default-limit-to-number-of-workstations.html

>>>

>>> --

>>> Cordialement,

>>> Mathieu CHATEAU

>>> http://lordoftheping.blogspot.com

>>>

>>>

>>> "Tina" <tina@nospam.postalias> wrote in message

>>> news:2952A708-4776-4CDA-B313-2B2C6EEDC966@microsoft.com...

>>> > When IT staff add xp workstation to our server 2003 active directory

>>> > domain,

>>> > they get "Access is denied" errors. I have given "ITGroup" security

>>> > group

>>> > "create computer account" and "delete computer account" on the

>>> > computer OU

>>> > and the workstation OU (I changed the default container workstations

>>> > go

>>> > in

>>> > when they are added to the domain. When a workstation is added to the

>>> > domain,

>>> > they go into the Workstation OU. I also checked the Domain Controller

>>> > Security Policy under administrative tools, and the Add workstation to

>>> > domain

>>> > has authenticated user, and ITGroup. No matter what I change, I still

>>> > get

>>> > the

>>> > error. Please help.

>>> > Tina

>>>

>>>

>

 

 

 

From: Technical <Technical@discussions.microsoft.com>

To: none

Subject: RE: adding workstation to domain - access is denied

Date: 09/26/2007 12:30:02

 

 

Hello Tina ,

 

Can you please paste the netsetup.log from the client/workstation where you are

getting this error message. You can find netsetup.log in the c:\windows\debug

folder.

 

"Tina" wrote:

 

> When IT staff add xp workstation to our server 2003 active directory domain,

> they get "Access is denied" errors. I have given "ITGroup" security group

> "create computer account" and "delete computer account" on the computer OU

> and the workstation OU (I changed the default container workstations go in

> when they are added to the domain. When a workstation is added to the domain,

> they go into the Workstation OU. I also checked the Domain Controller

> Security Policy under administrative tools, and the Add workstation to domain

> has authenticated user, and ITGroup. No matter what I change, I still get the

> error. Please help.

> Tina

 

 

 

From: v-kzhao@online.microsoft.com (Ken Zhao [MSFT])

To: none

Subject: RE: adding workstation to domain - access is denied

Date: 09/26/2007 22:24:59

 

 

Thanks for all guys' great information and experience sharing.

 

From your post,

 

Thanks & Regards,

 

Ken Zhao

 

Microsoft Online Support

Microsoft Global Technical Support Center

 

Get Secure! - www.microsoft.com/security <http://www.microsoft.com/security>

====================================================

When responding to posts, please "Reply to Group" via your newsreader so

that others may learn and benefit from your issue.

====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

 

 

 

 

 

--------------------

| Thread-Topic: adding workstation to domain - access is denied

| thread-index: AcgAWnzVkGPXIxpAS1+z+JD3mmRd4g==

| X-WBNR-Posting-Host: 207.46.192.207

| From: =?Utf-8?B?VGluYQ==?= <tina@nospam.postalias>

| Subject: adding workstation to domain - access is denied

| Date: Wed, 26 Sep 2007 09:30:02 -0700

| Lines: 10

| Message-ID: <2952A708-4776-4CDA-B313-2B2C6EEDC966@microsoft.com>

| MIME-Version: 1.0

| Content-Type: text/plain;

|        charset="Utf-8"

| Content-Transfer-Encoding: 7bit

| X-Newsreader: Microsoft CDO for Windows 2000

| Content-Class: urn:content-classes:message

| Importance: normal

| Priority: normal

| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2929

| Newsgroups: microsoft.public.windows.server.active_directory

| Path: TK2MSFTNGHUB02.phx.gbl

| Xref: TK2MSFTNGHUB02.phx.gbl

microsoft.public.windows.server.active_directory:26512

| NNTP-Posting-Host: tk2msftsbfm01.phx.gbl 10.40.244.148

| X-Tomcat-NG: microsoft.public.windows.server.active_directory

|

| When IT staff add xp workstation to our server 2003 active directory

domain,

| they get "Access is denied" errors. I have given "ITGroup" security group

| "create computer account" and "delete computer account" on the computer

OU

| and the workstation OU (I changed the default container workstations go

in

| when they are added to the domain. When a workstation is added to the

domain,

| they go into the Workstation OU. I also checked the Domain Controller

| Security Policy under administrative tools, and the Add workstation to

domain

| has authenticated user, and ITGroup. No matter what I change, I still get

the

| error. Please help.

| Tina

|

 

 

 

From: Thylo <Thylo@discussions.microsoft.com>

To: none

Subject: RE: Administrative rights

Date: 09/26/2007 22:13:00

 

 

Joey,

 

Was this server connected to an existing domain or was it a fresh setup? Are

there any errors showing in the event log from the dcpromo process?

 

Cheers,

--

Leigh

MCSE (NT4, 2000)

 

 

"joeylongcox" wrote:

 

> I have a Dell SC1420 PowerEdge server running Windows 2003 Server.  I

> ran the install, I thought, flawlessly.  Now that I am trying to

> really exploit all the possibilities of the server, I cannot do work

> with Active Directory or manage groups and users.  I log in as

> "Administrator," but when I go to the Active Directory utility, I am

> told I need to log on as a user with administrative rights.  I am

> lost.  I thought that was what I was doing.  Anybody have any idea how

> I can fix this?

>

>

 

 

 

From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>

To: none

Subject: Re: Administrative rights

Date: 09/27/2007 07:02:51

 

 

run diagnostics against your Active Directory domain.

 

If you don't have the support tools installed, install them from your server

install disk.

d:\support\tools\setup.exe

 

Run dcdiag, netdiag and repadmin in verbose mode.

->  DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log

->  netdiag.exe /v > c:\netdiag.log     (On each dc)

->  repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

->  dnslint /ad /s  "ip address of your dc"

 

**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's

in the forest.  If you have significant numbers of DC's this test could

generate significant detail and take a long time.  You also want to take

into account slow links to dc's will also add to the testing time.

 

If you download a gui script I wrote it should be simple to set and run

(DCDiag and NetDiag).  It also has the option to run individual tests

without having to learn all the switch options.  The details will be output

in notepad text files that pop up automagically.

 

The script is located on my website at

http://www.pbbergs.com/windows/downloads.htm

 

Just select both dcdiag and netdiag make sure verbose is set.  (Leave the

default settings for dcdiag as set when selected)

 

When complete search for fail, error and warning messages.

 

Description and download for dnslint

http://support.microsoft.com/kb/321045

 

 

--

Paul Bergson

MVP - Directory Services

MCT, MCSE, MCSA, Security+, BS CSci

2003, 2000 (Early Achiever), NT

 

http://www.pbbergs.com

 

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

 

"joeylongcox" <cobra270@excite.com> wrote in message

news:1190860716.318350.121080@g4g2000hsf.googlegroups.com...

>I have a Dell SC1420 PowerEdge server running Windows 2003 Server.  I

> ran the install, I thought, flawlessly.  Now that I am trying to

> really exploit all the possibilities of the server, I cannot do work

> with Active Directory or manage groups and users.  I log in as

> "Administrator," but when I go to the Active Directory utility, I am

> told I need to log on as a user with administrative rights.  I am

> lost.  I thought that was what I was doing.  Anybody have any idea how

> I can fix this?

>

 

 

 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: ADUC yields no search results for anything

Date: 09/26/2007 12:09:49

 

 

Hi

Something is wrong in the filter options; can you explain exactly all the steps

taken?

Is the admin able to see objects in ADUC without doing the search?

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

<rockemhard@gmail.com> wrote in message

news:1190819239.458739.117810@22g2000hsm.googlegroups.com...

> OK... this is on top on my list of annoyances.

>

> I have a new admin in my department.  I give him domain admin privs.  He

> logs onto a server to run ADUC and no results for any search he does.

>

> It doesn't matter:

>

> 1) What server he uses ADUC on

> 2) What object he searches for

> 3) That the Filter Options says show all types of objects

> 4) Or that he even tries ADUC on the DC itself

>

> My account works just fine every time and we don't use roaming

> profiles.  I'm stumped.  How hard can this be...

>

> Thanks for any help.

>

 

 

 

From: Chris <nospam@email.com>

To: none

Subject: Re: Basic AD question, proper use of OU's

Date: 09/26/2007 15:46:21

 

 

Computers is just a container. The default for new computer objects.

 

OU's are there to organise your network. It makes sense to organise your

network and split it into users, computers, shares etc dependent on any

geographical layout you may have. Group policies are distributed via OU's

which you should use to set the environment for your clients as well as roll

out new software, apply logon, logoff scripts.

 

It would be very beneficial to investigate how group policy could help on

your network

 

Chris

 

"Adam N." <AdamN@discussions.microsoft.com> wrote in message

news:86C9AC22-E7E5-4D5D-98C0-B111DF444945@microsoft.com...

> please see picture first then read question...

>

> http://baumshelter.net/img/clip.JPG

>

> Ok, so we have an OU that the arrow is pointing to in the picture.

>

> Is the "Computers" an OU also or just a directory?

>

> Isn't an OU "basically" only needed if you are going to delegate some admin

> stuff to a group or user?

>

> I don't have any need on this network for delegation so shouldn't my objects

> (PC's) within that OU be moved to the computer folder?

 

 

 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: Basic AD question, proper use of OU's

Date: 09/26/2007 15:49:51

 

 

Hello,

 

the "computers" container is a bit special. It's the default container when

joining computers, and you can't link GPO to it.

The same for the "Users" Containers.

 

More story here:

http://technet2.microsoft.com/windowsserver/en/library/26c53b04-f955-4d81-b468-5c7a982693f31033.mspx?mfr=true

 

As you can't apply GPO to them, it's best practice to create your own OU for

them, and move all your created users and joined computers to these custom

OU

 

--

Cordialement,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

 

 

"Adam N." <AdamN@discussions.microsoft.com> wrote in message

news:86C9AC22-E7E5-4D5D-98C0-B111DF444945@microsoft.com...

> please see picture first then read question...

>

> http://baumshelter.net/img/clip.JPG

>

> Ok, so we have an OU that the arrow is pointing to in the picture.

>

> Is the "Computers" an OU also or just a directory?

>

> Isn't an OU "basically" only needed if you are going to delegate some admin

> stuff to a group or user?

>

> I don't have any need on this network for delegation so shouldn't my objects

> (PC's) within that OU be moved to the computer folder?

 

 

 

From: Meinolf Weber

To: none

Subject: Re: Basic AD question, proper use of OU's

Date: 09/26/2007 15:50:16

 

 

Hello Adam N.,

 

Computers is a so-called container. Here you cannot do the things you can

do in OU's. By default if you add computers to the domain they will be placed

in this container.

 

It doesn't matter if the OU is not used where you place them, but the question

is what you will use AD for when not configuring the domain, users, groups

and computers from one central point?

 

Maybe you can give some more info on what you would like to achieve.

 

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

 

> please see picture first then read question...

>

> http://baumshelter.net/img/clip.JPG

>

> Ok, so we have an OU that the arrow is pointing to in the picture.

>

> Is the "Computers" an OU also or just a directory?

>

> Isn't an OU "basically" only needed if you are going to delegate some

> admin stuff to a group or user?

>

> I don't have any need on this network for delegation so shouldn't my

> objects (PC's) within that OU be moved to the computer folder?

>

 

 

 

From: Richard Mueller [MVP] <rlmueller-nospam@ameritech.nospam.net>

To: none

Subject: Re: Character limit

Date: 09/26/2007 12:53:41

 

 

"Sergio Minniti" wrote:

 

> I'd like to know what the difference is between the Windows 2003 - Windows
> 2000 and the pre-Windows 2000 name for an Active Directory object. Is there a
> "best
> practice" or Microsoft Knowledge Base article that speaks about it?
> I haven't found anything about it. I'd like to read an article that speaks
> about group name and account name limits, special characters, etc.
> May you help me? I await your reply

 

This link discusses what I have learned about the characters that are

allowed in Distinguished Names and sAMAccountNames (pre-Windows 2000 logon

names), plus the characters that need to be escaped:

 

http://www.rlmueller.net/CharactersEscaped.htm

 

I have not found any differences between W2k and W2k3, except that when you

create groups and don't specify the "pre-Windows 2000 logon name" a long

random string is assigned that is very scary.

 

This link discusses the various "names" used in AD, and with the WinNT and

LDAP providers:

 

http://www.rlmueller.net/Name_Attributes.htm

 

sAMAccountName is limited to 20 characters. I forget the max length for

Common Names, but I think it's about 127. The value for Common Name (the cn

attribute, which is part of the Distinguished Name) must be unique in the

container or OU. Several objects in AD can have the same cn as long as they

are in different OU's or containers. sAMAccountName must be unique in the

domain. Distinguished Name is unique in the forest.

 

The rules are the same for all classes of objects (user, group, computer,

etc.), except that the sAMAccountNames of computer objects have a trailing

"$". The sAMAccountName of a computer object is the NetBIOS name of the

computer with "$" appended to the end. The NetBIOS name of computers seems

to be limited to 15 characters, so the sAMAccountName is limited to 16.

 

--

Richard Mueller

Microsoft MVP Scripting and ADSI

Hilltop Lab - http://www.rlmueller.net

--

 

 

 

From: Sergio Minniti <SergioMinniti@discussions.microsoft.com>

To: none

Subject: Re: Character limit

Date: 09/26/2007 15:56:00

 

 

Thank you very much indeed Richard! I have read your articles but inside them I

haven't found any reference about the group name limit (64 char.?). I tried to

type more than 64 char. and it's possible in the pre-Windows 2000 name. Is it

true? I think that the system accepts a string longer than 64 char. but it

uses only 64 char. Don't you agree?

I await your reply, thanks a lot.

 

Sergio

 

P.S. Any Microsoft KB??

"Richard Mueller [MVP]" wrote:

 

>

> "Sergio Minniti" wrote:

>

> > I'd like to know what the difference is between the Windows 2003 - Windows
> > 2000 and the pre-Windows 2000 name for an Active Directory object. Is there a
> > "best
> > practice" or Microsoft Knowledge Base article that speaks about it?
> > I haven't found anything about it. I'd like to read an article that speaks
> > about group name and account name limits, special characters, etc.
> > May you help me? I await your reply

>

> This link discusses what I have learned about the characters that are

> allowed in Distinguished Names and sAMAccountNames (pre-Windows 2000 logon

> names), plus the characters that need to be escaped:

>

> http://www.rlmueller.net/CharactersEscaped.htm

>

> I have not found any differences between W2k and W2k3, except that when you

> create groups and don't specify the "pre-Windows 2000 logon name" a long

> random string is assigned that is very scary.

>

> This link discusses the various "names" used in AD, and with the WinNT and

> LDAP providers:

>

> http://www.rlmueller.net/Name_Attributes.htm

>

> sAMAccountName is limited to 20 characters. I forget the max length for

> Common Names, but I think it's about 127. The value for Common Name (the cn

> attribute, which is part of the Distinguished Name) must be unique in the

> container or OU. Several objects in AD can have the same cn as long as they

> are in different OU's or containers. sAMAccountName must be unique in the

> domain. Distinguished Name is unique in the forest.

>

> The rules are the same for all classes of objects (user, group, computer,

> etc.), except that the sAMAccountNames of computer objects have a trailing

> "$". The sAMAccountName of a computer object is the NetBIOS name of the

> computer with "$" appended to the end. The NetBIOS name of computers seems

> to be limited to 15 characters, so the sAMAccountName is limited to 16.

>

> --

> Richard Mueller

> Microsoft MVP Scripting and ADSI

> Hilltop Lab - http://www.rlmueller.net

> --

>

>

>

 

 

 

From: Richard Mueller [MVP] <rlmueller-nospam@ameritech.nospam.net>

To: none

Subject: Re: Character limit

Date: 09/26/2007 20:13:10

 

 

By testing I find that the cn attribute (Common Name) of groups is limited

to 64 characters. However, I have a group with a sAMAccountName that is 94

characters.

 

--

Richard Mueller

Microsoft MVP Scripting and ADSI

Hilltop Lab - http://www.rlmueller.net

--

 

"Sergio Minniti" <SergioMinniti@discussions.microsoft.com> wrote in message

news:0936A2DB-DFAD-47E5-86CD-E6D7F0941BB6@microsoft.com...

> Thank you very much indeed Richard! I have read your articles but inside

> them I

> haven't found any reference about the group name limit (64 char.?). I tried to

> type more than 64 char. and it's possible in the pre-Windows 2000 name. Is

> it

> true? I think that the system accepts a string longer than 64 char. but it

> uses only 64 char. Don't you agree?

> I await your reply, thanks a lot.

>

> Sergio

>

> P.S. Any Microsoft KB??

> "Richard Mueller [MVP]" wrote:

>

>>

>> "Sergio Minniti" wrote:

>>

>> > I'd like to know what the difference is between the Windows

>> > 2003 - Windows

>> > 2000 and the pre-Windows 2000 name for an Active Directory object. Is there a

>> > "best

>> > practice" or Microsoft Knowledge Base article that speaks about it?

>> > I haven't found anything about it. I'd like to read an article that

>> > speaks

>> > about group name and account name limits, special characters, etc.

>> > May you help me? I await your reply

>>

>> This link discusses what I have learned about the characters that are

>> allowed in Distinguished Names and sAMAccountNames (pre-Windows 2000

>> logon

>> names), plus the characters that need to be escaped:

>>

>> http://www.rlmueller.net/CharactersEscaped.htm

>>

>> I have not found any differences between W2k and W2k3, except that when

>> you

>> create groups and don't specify the "pre-Windows 2000 logon name" a long

>> random string is assigned that is very scary.

>>

>> This link discusses the various "names" used in AD, and with the WinNT and

>> LDAP providers:

>>

>> http://www.rlmueller.net/Name_Attributes.htm

>>

>> sAMAccountName is limited to 20 characters. I forget the max length for

>> Common Names, but I think it's about 127. The value for Common Name (the

>> cn

>> attribute, which is part of the Distinguished Name) must be unique in the

>> container or OU. Several objects in AD can have the same cn as long as

>> they

>> are in different OU's or containers. sAMAccountName must be unique in the

>> domain. Distinguished Name is unique in the forest.

>>

>> The rules are the same for all classes of objects (user, group, computer,

>> etc.), except that the sAMAccountNames of computer objects have a

>> trailing

>> "$". The sAMAccountName of a computer object is the NetBIOS name of the

>> computer with "$" appended to the end. The NetBIOS name of computers

>> seems

>> to be limited to 15 characters, so the sAMAccountName is limited to 16.

>>

>> --

>> Richard Mueller

>> Microsoft MVP Scripting and ADSI

>> Hilltop Lab - http://www.rlmueller.net

>> --

>>

>>

>>
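As an added example (not from this thread or from Richard Mueller's site): the naming limits reported in this thread, the 20-character user sAMAccountName, the 15-character NetBIOS name plus a trailing "$" for computers and the 64-character cn measured for groups, written as checks you can run on a proposed name before creating the object, plus RFC 4514 escaping of the value that goes into the Distinguished Name. The invalid-character set for sAMAccountName is the one Microsoft documents and is not from the thread. It is pure string logic with no directory access; the uniqueness rules (cn per container, sAMAccountName per domain) still have to be checked against the directory and are not covered.

```powershell
# Added example, not from the thread: the naming limits Richard Mueller reports
# above (20-character user sAMAccountName, 15-character NetBIOS name plus "$"
# for computers, 64-character cn for groups) as checks you can run on a
# proposed name before creating the object, plus RFC 4514 escaping of the value
# that goes into the Distinguished Name. Pure string logic, no directory access.

# Characters Microsoft documents as not allowed in a sAMAccountName (not from the thread).
$script:SamInvalidChars = [char[]]'"/\[]:;|=,+*?<>'

function Test-SamAccountName {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [ValidateSet('user', 'group', 'computer')][string]$ObjectClass = 'user'
    )
    $problems = @()
    if ($Name.Trim().Length -eq 0) {
        $problems += 'name is blank'
    }
    if ($Name.IndexOfAny($script:SamInvalidChars) -ge 0) {
        $problems += 'contains a character not allowed in sAMAccountName'
    }
    switch ($ObjectClass) {
        'user' {
            if ($Name.Length -gt 20) { $problems += 'user sAMAccountName exceeds 20 characters' }   # per thread
        }
        'computer' {
            if (-not $Name.EndsWith('$')) { $problems += 'computer sAMAccountName must end with "$"' }   # per thread
            if ($Name.Length -gt 16) { $problems += 'NetBIOS name exceeds 15 characters' }              # per thread
        }
        'group' {
            # per thread: group sAMAccountNames well past 20 characters are accepted, so no length check
        }
    }
    [pscustomobject]@{
        Name        = $Name
        ObjectClass = $ObjectClass
        Valid       = ($problems.Count -eq 0)
        Problems    = ($problems -join '; ')
    }
}

function ConvertTo-EscapedRdnValue {
    # RFC 4514: inside a DN value, backslash-escape , + " \ < > ; = anywhere,
    # a leading "#" or space, and a trailing space.
    param([Parameter(Mandatory = $true)][string]$Value)
    $special = ',+"\<>;='
    $sb = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $Value.Length; $i++) {
        $c = $Value[$i]
        $escape = ($special.IndexOf($c) -ge 0) -or
                  ($i -eq 0 -and ($c -eq '#' -or $c -eq ' ')) -or
                  ($i -eq $Value.Length - 1 -and $c -eq ' ')
        if ($escape) { [void]$sb.Append('\') }
        [void]$sb.Append($c)
    }
    return $sb.ToString()
}

function Test-CommonName {
    param(
        [Parameter(Mandatory = $true)][string]$Cn,
        [ValidateSet('user', 'group', 'computer')][string]$ObjectClass = 'user'
    )
    $problems = @()
    if ($ObjectClass -eq 'group' -and $Cn.Length -gt 64) {
        $problems += 'group cn exceeds 64 characters'   # per thread (measured); other classes were not measured there
    }
    [pscustomobject]@{
        Cn          = $Cn
        ObjectClass = $ObjectClass
        Rdn         = 'CN=' + (ConvertTo-EscapedRdnValue -Value $Cn)
        Valid       = ($problems.Count -eq 0)
        Problems    = ($problems -join '; ')
    }
}

# --- constructed sample input ---
@(
    Test-SamAccountName -Name 'j.smith'               -ObjectClass user       # valid
    Test-SamAccountName -Name 'finance-operator-lead' -ObjectClass user       # 21 chars: too long
    Test-SamAccountName -Name 'j/smith'               -ObjectClass user       # "/" not allowed
    Test-SamAccountName -Name 'WKS-FINANCE-001$'      -ObjectClass computer   # 15 + "$": valid
    Test-SamAccountName -Name 'WKS-FINANCE-0001$'     -ObjectClass computer   # 16 + "$": too long
    Test-SamAccountName -Name 'WKS-FINANCE-001'       -ObjectClass computer   # missing "$"
) | Format-Table -AutoSize

@(
    Test-CommonName -Cn 'Smith, John'  -ObjectClass user    # RDN becomes CN=Smith\, John
    Test-CommonName -Cn ' #lead'       -ObjectClass user    # leading space escaped; "#" here is not leading
    Test-CommonName -Cn ('G' * 65)     -ObjectClass group   # over the 64-character group cn limit
) | Format-Table -AutoSize
```

The escaping function matters for provisioning scripts that build a DN from a display name: a cn such as "Smith, John" is legal as an attribute value but breaks the DN unless the comma is escaped, which is the kind of failure that shows up as a confusing "name already exists" or "object not found" rather than a clear error.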

 

 

 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Customizing Delegwiz.inf  syntax question

Date: 09/26/2007 12:20:18

 

 

Hi

Check

http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message

news:9D5B8B9A-F045-492B-ADFA-855AE9401EE9@microsoft.com...

>I would like to add a few custom templates to my delegwiz.inf, however I am

> new to the syntax.  Well syntax may not be as important issue, but where

> do I

> find the list of the "SCOPE" identifiers?

>

> In Q308404 is the example:

>

> [template10]

> AppliesToClasses=domainDns,organizationalUnit,container

>

> Description = "Create, delete, and manage inetorgperson accounts"

>

> ObjectTypes = SCOPE, inetorgperson

>

> [template10.SCOPE]

> inetorgperson=CC,DC

>

> [template10.inetorgperson]

> @=GA

>

> I want to find the correct identifiers for the .SCOPE object types for

> user

> and computer account management.  Like Disable this user, Unlock this

> user,

> Force user to change password, etc.

>

> Where are those listed?  Is there one place I can find all the proper

> terms?

> What are these called?

>

> The Q308404 information is very minimal so I keep thinking there is more

> information on this somewhere!

 

 

 

From: SecAdmin <SecAdmin@discussions.microsoft.com>

To: none

Subject: Re: Customizing Delegwiz.inf  syntax question

Date: 09/26/2007 12:34:03

 

 

Jorge,

 

I have been to this site already and I do not see answers to my questions. 

Where can I find the exact wording for all the SCOPE required or object types?

 

 

 

"Jorge Silva" wrote:

 

> Hi

> Check

> http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

>

> --

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services

> "SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message

> news:9D5B8B9A-F045-492B-ADFA-855AE9401EE9@microsoft.com...

> >I would like to add a few custom templates to my delegwiz.inf, however I am

> > new to the syntax.  Well syntax may not be as important issue, but where

> > do I

> > find the list of the "SCOPE" identifiers?

> >

> > In Q308404 is the example:

> >

> > [template10]

> > AppliesToClasses=domainDns,organizationalUnit,container

> >

> > Description = "Create, delete, and manage inetorgperson accounts"

> >

> > ObjectTypes = SCOPE, inetorgperson

> >

> > [template10.SCOPE]

> > inetorgperson=CC,DC

> >

> > [template10.inetorgperson]

> > @=GA

> >

> > I want to find the correct identifiers for the .SCOPE object types for

> > user

> > and computer account management.  Like Disable this user, Unlock this

> > user,

> > Force user to change password, etc.

> >

> > Where are those listed?  Is there one place I can find all the proper

> > terms?

> > What are these called?

> >

> > The Q308404 information is very minimal so I keep thinking there is more

> > information on this somewhere!

>

>

>

 

 

 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Customizing Delegwiz.inf  syntax question

Date: 09/26/2007 12:41:03

 

 

wrong link, I meant this one:

http://technet2.microsoft.com/windowsserver/en/library/1d05f294-bb1e-4a55-aec3-2ee80f0db2791033.mspx?mfr=true

 

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message

news:5332BAF9-9678-4BFE-914C-447D19C454EF@microsoft.com...

> Jorge,

>

> I have been to this site already and I do not see answers to my questions.

> Where can I find the exact wording for all the SCOPE required or object

> types?

>

>

>

> "Jorge Silva" wrote:

>

>> Hi

>> Check

>> http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

>>

>> --

>> I hope that the information above helps you.

>> Have a Nice day.

>>

>> Jorge Silva

>> MCSE, MVP Directory Services

>> "SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message

>> news:9D5B8B9A-F045-492B-ADFA-855AE9401EE9@microsoft.com...

>> >I would like to add a few custom templates to my delegwiz.inf, however I

>> >am

>> > new to the syntax.  Well syntax may not be as important issue, but

>> > where

>> > do I

>> > find the list of the "SCOPE" identifiers?

>> >

>> > In Q308404 is the example:

>> >

>> > [template10]

>> > AppliesToClasses=domainDns,organizationalUnit,container

>> >

>> > Description = "Create, delete, and manage inetorgperson accounts"

>> >

>> > ObjectTypes = SCOPE, inetorgperson

>> >

>> > [template10.SCOPE]

>> > inetorgperson=CC,DC

>> >

>> > [template10.inetorgperson]

>> > @=GA

>> >

>> > I want to find the correct identifiers for the .SCOPE object types for

>> > user

>> > and computer account management.  Like Disable this user, Unlock this

>> > user,

>> > Force user to change password, etc.

>> >

>> > Where are those listed?  Is there one place I can find all the proper

>> > terms?

>> > What are these called?

>> >

>> > The Q308404 information is very minimal so I keep thinking there is

>> > more

>> > information on this somewhere!

>>

>>

>>

 

 

 

From: SecAdmin <SecAdmin@discussions.microsoft.com>

To: none

Subject: Re: Customizing Delegwiz.inf  syntax question

Date: 09/26/2007 12:54:19

 

 

That is nothing more than a sample Delegwiz.inf

 

Let's try this another way.  What would an entry look like if I wanted to

delegate the following permissions on a user account....

 

Create user account

Delete this user account

Unlock user account

Reset Password

Force user to change password at next logon

 

Where do I find the exact object types or Scope identifiers in order to

modify my Delegwiz.inf?

 

"Jorge Silva" wrote:

 

> wrong link, I meant this one:

> http://technet2.microsoft.com/windowsserver/en/library/1d05f294-bb1e-4a55-aec3-2ee80f0db2791033.mspx?mfr=true

>

>

> --

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services

> "SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message

> news:5332BAF9-9678-4BFE-914C-447D19C454EF@microsoft.com...

> > Jorge,

> >

> > I have been to this site already and I do not see answers to my questions.

> > Where can I find the exact wording for all the SCOPE required or object

> > types?

> >

> >

> >

> > "Jorge Silva" wrote:

> >

> >> Hi

> >> Check

> >> http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

> >>

> >> --

> >> I hope that the information above helps you.

> >> Have a Nice day.

> >>

> >> Jorge Silva

> >> MCSE, MVP Directory Services

> >> "SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message

> >> news:9D5B8B9A-F045-492B-ADFA-855AE9401EE9@microsoft.com...

> >> >I would like to add a few custom templates to my delegwiz.inf, however I

> >> >am

> >> > new to the syntax.  Well syntax may not be as important issue, but

> >> > where

> >> > do I

> >> > find the list of the "SCOPE" identifiers?

> >> >

> >> > In Q308404 is the example:

> >> >

> >> > [template10]

> >> > AppliesToClasses=domainDns,organizationalUnit,container

> >> >

> >> > Description = "Create, delete, and manage inetorgperson accounts"

> >> >

> >> > ObjectTypes = SCOPE, inetorgperson

> >> >

> >> > [template10.SCOPE]

> >> > inetorgperson=CC,DC

> >> >

> >> > [template10.inetorgperson]

> >> > @=GA

> >> >

> >> > I want to find the correct identifiers for the .SCOPE object types for

> >> > user

> >> > and computer account management.  Like Disable this user, Unlock this

> >> > user,

> >> > Force user to change password, etc.

> >> >

> >> > Where are those listed?  Is there one place I can find all the proper

> >> > terms?

> >> > What are these called?

> >> >

> >> > The Q308404 information is very minimal so I keep thinking there is

> >> > more

> >> > information on this somewhere!

> >>

> >>

> >>

>

>

>

 

 

 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Customizing Delegwiz.inf  syntax question

Date: 09/26/2007 14:47:48

 

 

I'm sorry, I misunderstood you. I'll need to check my documentation, I

can't confirm at the moment. I'll send you a response when I have a chance;

in the meantime check at the GPO ngs, let me know the results.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message

news:FC01D948-C477-422E-857D-001AF2BDDF89@microsoft.com...

> That is nothing more than a sample Delegwiz.inf

>

> Let's try this another way.  What would an entry look like if I wanted to

> delegate the following permissions on a user account....

>

> Create user account

> Delete this user account

> Unlock user account

> Reset Password

> Force user to change password at next logon

>

> Where do I find the exact object types or Scope identifiers in order to

> modify my Delegwiz.inf?

>

> "Jorge Silva" wrote:

>

>> wrong link, I meant this one:

>> http://technet2.microsoft.com/windowsserver/en/library/1d05f294-bb1e-4a55-aec3-2ee80f0db2791033.mspx?mfr=true

>>

>>

>> --

>> I hope that the information above helps you.

>> Have a Nice day.

>>

>> Jorge Silva

>> MCSE, MVP Directory Services

>> "SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message

>> news:5332BAF9-9678-4BFE-914C-447D19C454EF@microsoft.com...

>> > Jorge,

>> >

>> > I have been to this site already and I do not see answers to my

>> > questions.

>> > Where can I find the exact wording for all the SCOPE required or object

>> > types?

>> >

>> >

>> >

>> > "Jorge Silva" wrote:

>> >

>> >> Hi

>> >> Check

>> >> http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

>> >>

>> >> --

>> >> I hope that the information above helps you.

>> >> Have a Nice day.

>> >>

>> >> Jorge Silva

>> >> MCSE, MVP Directory Services

>> >> "SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message

>> >> news:9D5B8B9A-F045-492B-ADFA-855AE9401EE9@microsoft.com...

>> >> >I would like to add a few custom templates to my delegwiz.inf,

>> >> >however I

>> >> >am

>> >> > new to the syntax.  Well syntax may not be as important issue, but

>> >> > where

>> >> > do I

>> >> > find the list of the "SCOPE" identifiers?

>> >> >

>> >> > In Q308404 is the example:

>> >> >

>> >> > [template10]

>> >> > AppliesToClasses=domainDns,organizationalUnit,container

>> >> >

>> >> > Description = "Create, delete, and manage inetorgperson accounts"

>> >> >

>> >> > ObjectTypes = SCOPE, inetorgperson

>> >> >

>> >> > [template10.SCOPE]

>> >> > inetorgperson=CC,DC

>> >> >

>> >> > [template10.inetorgperson]

>> >> > @=GA

>> >> >

>> >> > I want to find the correct identifiers for the .SCOPE object types

>> >> > for

>> >> > user

>> >> > and computer account management.  Like Disable this user, Unlock

>> >> > this

>> >> > user,

>> >> > Force user to change password, etc.

>> >> >

>> >> > Where are those listed?  Is there one place I can find all the

>> >> > proper

>> >> > terms?

>> >> > What are these called?

>> >> >

>> >> > The Q308404 information is very minimal so I keep thinking there is

>> >> > more

>> >> > information on this somewhere!

>> >>

>> >>

>> >>

>>

>>

>>
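For the user-account tasks SecAdmin lists above, a set of custom delegwiz.inf templates, added here as an example (not from the thread and not Microsoft's shipped file). They follow the Q308404 layout quoted above (permission codes CC, DC, RP, WP, GA), assume the template numbers are free in your file, and assume the attribute and control-right names that ADUC itself writes for these tasks (lockoutTime for unlock, pwdLastSet for forcing a change, the "Reset Password" control access right).

```ini
; Added example, not part of the thread. Number the templates after the
; ones already in %SystemRoot%\Inf\delegwiz.inf (20-22 assumed free).
; AppliesToClasses = where the task may be delegated (domain, OU, container)
; ObjectTypes      = classes the ACEs are written on; SCOPE = the container
; Codes (Q308404): CC create child, DC delete child, RP/WP read/write property,
;                  GA generic all (full control)

; Create, delete and manage user accounts: the same shape as the
; inetorgperson sample in Q308404, with the user class substituted.
[template20]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create, delete, and manage user accounts"
ObjectTypes = SCOPE,user

[template20.SCOPE]
user=CC,DC

[template20.user]
@=GA

; Unlock user accounts: ADUC unlocks by writing lockoutTime=0, so write
; access to that one attribute is enough (least privilege; assumed mapping).
[template21]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Unlock locked-out user accounts"
ObjectTypes = user

[template21.user]
lockoutTime=RP,WP

; Reset password and force change at next logon: "Reset Password" is an
; extended (control access) right; the force-change flag is pwdLastSet=0.
[template22]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Reset user passwords and force password change at next logon"
ObjectTypes = user

[template22.user]
CONTROLRIGHT="Reset Password"
pwdLastSet=RP,WP
```

Keep the separate templates rather than one full-control entry: the delegation wizard then grants only the attribute or right each task needs, and a later ACL review can tell the tasks apart.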

 

 

 


From: Dmitri Gavrilov [MSFT] <dmitrig@online.microsoft.com>

To: none

Subject: Re: Dcdiag

Date: 09/26/2007 21:40:16

 

 

Try running it in verbose mode: dcdiag /v

It should print more data, which might give a clue as to where it breaks.

 

--

Dmitri Gavrilov

SDE, Active Directory team

 

This posting is provided "AS IS" with no warranties, and confers no rights.

Use of included script samples are subject to the terms specified at

http://www.microsoft.com/info/cpyright.htm

 

"gdilullo" <gdilullo.2xjavc@DoNotSpam.com> wrote in message

news:gdilullo.2xjavc@DoNotSpam.com...

>

> This is the result from DCDIAG on a Domain Controller:

>

> Performaing Initial Setup:

>

> And then it returns to the command prompt.

>

> Any one seen this before?

>

> Thanks

>

> Gabe

>

>

> --

> gdilullo

> ------------------------------------------------------------------------

> gdilullo's Profile: http://forums.techarena.in/member.php?userid=31815

> View this thread: http://forums.techarena.in/showthread.php?t=824579

>

> http://forums.techarena.in

>

 

 

 


From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>

To: none

Subject: Re: Dcdiag

Date: 09/27/2007 07:16:01

 

 

When I run dcdiag I set the following flags:

 

DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log

 

You have to watch out for the /E in a large environment, it will query ALL

dc's in the domain and if you have a lot of remote sites this could take a

very long time.  I pipe the output of this diagnostic to c:\dcdiag.log.

 

--

Paul Bergson

MVP - Directory Services

MCT, MCSE, MCSA, Security+, BS CSci

2003, 2000 (Early Achiever), NT

 

http://www.pbbergs.com

 

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

 

"gdilullo" <gdilullo.2xjavc@DoNotSpam.com> wrote in message

news:gdilullo.2xjavc@DoNotSpam.com...

>

> This is the result from DCDIAG on a Domain Controller:

>

> Performaing Initial Setup:

>

> And then it returns to the command prompt.

>

> Any one seen this before?

>

> Thanks

>

> Gabe

>

>

> --

> gdilullo

> ------------------------------------------------------------------------

> gdilullo's Profile: http://forums.techarena.in/member.php?userid=31815

> View this thread: http://forums.techarena.in/showthread.php?t=824579

>

> http://forums.techarena.in

>

 

 

 


From: gdilullo <gdilullo.2xkrnd@DoNotSpam.com>

To: none

Subject: Re: Dcdiag

Date: 09/27/2007 09:34:29

 

 

Thanks Paul,  the last line from results of DCDIAG /V /C /D /E is:

dcdiag: a dcdiag exception raised, handling error 2

 

Any suggestions?

 

Thanks

 

Gabe

 

 

--

gdilullo

------------------------------------------------------------------------

gdilullo's Profile: http://forums.techarena.in/member.php?userid=31815

View this thread: http://forums.techarena.in/showthread.php?t=824579

 

http://forums.techarena.in

 

 

 


From: Dmitri Gavrilov [MSFT] <dmitrig@online.microsoft.com>

To: none

Subject: Re: Dcdiag

Date: 09/27/2007 11:37:05

 

 

We need context. What do you see before this line? Could you post the

complete output? Feel free to obscure DC and domain names, if you want.

 

--

Dmitri Gavrilov

SDE, Active Directory team

 

This posting is provided "AS IS" with no warranties, and confers no rights.

Use of included script samples are subject to the terms specified at

http://www.microsoft.com/info/cpyright.htm

 

"gdilullo" <gdilullo.2xkrnd@DoNotSpam.com> wrote in message

news:gdilullo.2xkrnd@DoNotSpam.com...

>

> Thanks Paul,  the last line from results of DCDIAG /V /C /D /E is:

> dcdiag: a dcdiag exception raised, handling error 2

>

> Any suggestions?

>

> Thanks

>

> Gabe

>

>

> --

> gdilullo

> ------------------------------------------------------------------------

> gdilullo's Profile: http://forums.techarena.in/member.php?userid=31815

> View this thread: http://forums.techarena.in/showthread.php?t=824579

>

> http://forums.techarena.in

>

 

 

 


From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>

To: none

Subject: Re: Dcdiag

Date: 09/27/2007 12:51:40

 

 

Dmitri, I wonder if he is using an old version of dcdiag?  I have seen

similar issues with an old version running against a new o/s.

 

Gabe, try the link below and see if that helps.

 

http://www.microsoft.com/downloads/details.aspx?FamilyID=96a35011-fd83-419d-939b-9a772ea2df90&DisplayLang=en

 

--

Paul Bergson

MVP - Directory Services

MCT, MCSE, MCSA, Security+, BS CSci

2003, 2000 (Early Achiever), NT

 

http://www.pbbergs.com

 

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

 

"Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message

news:Ob3ykSSAIHA.5312@TK2MSFTNGP02.phx.gbl...

> We need context. What do you see before this line? Could you post the

> complete output? Feel free to obscure DC and domain names, if you want.

>

> --

> Dmitri Gavrilov

> SDE, Active Directory team

>

> This posting is provided "AS IS" with no warranties, and confers no

> rights.

> Use of included script samples are subject to the terms specified at

> http://www.microsoft.com/info/cpyright.htm

>

> "gdilullo" <gdilullo.2xkrnd@DoNotSpam.com> wrote in message

> news:gdilullo.2xkrnd@DoNotSpam.com...

>>

>> Thanks Paul,  the last line from results of DCDIAG /V /C /D /E is:

>> dcdiag: a dcdiag exception raised, handling error 2

>>

>> Any suggestions?

>>

>> Thanks

>>

>> Gabe

>>

>>

>> --

>> gdilullo

>> ------------------------------------------------------------------------

>> gdilullo's Profile: http://forums.techarena.in/member.php?userid=31815

>> View this thread: http://forums.techarena.in/showthread.php?t=824579

>>

>> http://forums.techarena.in

>>

>

>

 

 

 


From: gdilullo <gdilullo.2xl2rf@DoNotSpam.com>

To: none

Subject: Re: Dcdiag

Date: 09/27/2007 13:34:24

 

 

Hi guys, I downloaded the version of support tools from your link just

to be sure and I am still receiving the following output.

 

* Verifying that the local machine srv-msbl, is a DC.

* Connecting to directory service on server srv-msbl.

srv-msbl.currentTime = 20070927182057.0Z

srv-msbl.highestCommittedUSN = 55738

srv-msbl.isSynchronized = 1

srv-msbl.isGlobalCatalogReady = 0

* Collecting site info.

DcDiag: a dcdiag exception raised, handling error 2

 

We have 17 domain controllers.  From this DC the NTDS settings are

populated with its settings in the site container,  but the remaining

16 DCs don't recognize this one.

 

Thanks

 

Gabe

 

 

--

gdilullo

------------------------------------------------------------------------

gdilullo's Profile: http://forums.techarena.in/member.php?userid=31815

View this thread: http://forums.techarena.in/showthread.php?t=824579

 

http://forums.techarena.in

 

 

 


From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>

To: none

Subject: Re: Dcdiag

Date: 09/28/2007 06:51:22

 

 

Has anything out of the ordinary happened to this dc?  Have you lost and had

to recover it or any other dc?  Have you run dcdiag on a dc besides the

failing one?  If not try that and post the output. Also post the ipconfig

/all of the troubled dc and of the troubled dc's dns server.

 

--

Paul Bergson

MVP - Directory Services

MCT, MCSE, MCSA, Security+, BS CSci

2003, 2000 (Early Achiever), NT

 

http://www.pbbergs.com

 

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

 

"gdilullo" <gdilullo.2xl2rf@DoNotSpam.com> wrote in message

news:gdilullo.2xl2rf@DoNotSpam.com...

>

> Hi guys, I downloaded the version of support tools from your link just

> to be sure and I am still receiving the following output.

>

> * Verifying that the local machine srv-msbl, is a DC.

> * Connecting to directory service on server srv-msbl.

> srv-msbl.currentTime = 20070927182057.0Z

> srv-msbl.highestCommittedUSN = 55738

> srv-msbl.isSynchronized = 1

> srv-msbl.isGlobalCatalogReady = 0

> * Collecting site info.

> DcDiag: a dcdiag exception raised, handling error 2

>

> We have 17 domain controllers.  From this DC the NTDS settings are

> populated with its settings in the site container,  but the remaining

> 16 DCs don't recognize this one.

>

> Thanks

>

> Gabe

>

>

> --

> gdilullo

> ------------------------------------------------------------------------

> gdilullo's Profile: http://forums.techarena.in/member.php?userid=31815

> View this thread: http://forums.techarena.in/showthread.php?t=824579

>

> http://forums.techarena.in

>
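Gabe's symptom (this DC sees its own NTDS Settings object in the site container, the other 16 DCs do not, and dcdiag dies at "Collecting site info") can be checked directly, without dcdiag, by asking every DC for the NTDS Settings objects in its own copy of the Configuration partition. The PowerShell below is an added example, not code from the thread; it assumes a domain-joined machine with read access to the Configuration NC, and the DC name is a constructed placeholder.

```powershell
# Added example (not from the thread). Query every DC in the forest for the
# NTDS Settings (nTDSDSA) objects in ITS replica of the Configuration
# partition, which is the site data dcdiag reads under "Collecting site info".
# A DC present only in its own replica is the "the other 16 don't recognize
# this one" state; one placed in different sites by different DCs is as bad.
# Assumptions: domain-joined machine, account that can read the Configuration
# NC; $Suspect is a constructed placeholder host name.
param([string]$Suspect = 'SRV-MSBL')

Add-Type -AssemblyName System.DirectoryServices
$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext

# One record per NTDS Settings object that $DcHost's replica contains.
function Get-KnownDcs([string]$DcHost) {
    $root = [ADSI]"LDAP://$DcHost/CN=Sites,$configNc"
    $s = New-Object System.DirectoryServices.DirectorySearcher($root)
    $s.Filter      = '(objectClass=nTDSDSA)'
    $s.SearchScope = 'Subtree'
    $s.PageSize    = 500
    [void]$s.PropertiesToLoad.Add('distinguishedName')
    foreach ($r in $s.FindAll()) {
        # DN shape: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
        $rdn = $r.Properties['distinguishedname'][0] -split ','
        [pscustomobject]@{
            Dc   = $rdn[1] -replace '^CN=', ''
            Site = $rdn[3] -replace '^CN=', ''
        }
    }
}

$allDcs = foreach ($d in $forest.Domains) { $d.DomainControllers }

$report = foreach ($dc in $allDcs) {
    try {
        $known = @(Get-KnownDcs $dc.Name)
        $hit   = @($known | Where-Object { $_.Dc -ieq $Suspect })
        $site  = '-'
        if ($hit.Count -gt 0) { $site = $hit[0].Site }
        [pscustomobject]@{
            QueriedDc    = $dc.Name
            KnownDcCount = $known.Count
            SeesSuspect  = ($hit.Count -gt 0)
            SuspectSite  = $site
        }
    } catch {
        # Unreachable DC: report it rather than silently skipping it.
        [pscustomobject]@{
            QueriedDc    = $dc.Name
            KnownDcCount = 0
            SeesSuspect  = $null
            SuspectSite  = "error: $($_.Exception.Message)"
        }
    }
}

$report | Sort-Object SeesSuspect, QueriedDc | Format-Table -AutoSize

# SeesSuspect = False on every DC except the suspect itself means its server
# and NTDS Settings objects never replicated out (or a metadata cleanup
# removed them); a single False is replication lag or a dead link to that DC.
```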

 

 

 


From: Richard Mueller [MVP] <rlmueller-nospam@ameritech.nospam.net>

To: none

Subject: Re: Delete duplicate computer accounts in AD

Date: 09/27/2007 09:05:26

 

 

Ronnie wrote:

 

> The help desk in our company have created duplicate computer accounts

> for some computer objects in AD, and now I need to delete the accounts

> that are not being used. Is there any way to determine which account

> is actually in use, so that I don't delete the wrong ones?

>

> I can see that one of the accounts has several odd characters at the

> end of the name, but I'm not sure that's any guarantee that this is

> the account not being used. Is it possible to see when the accounts

> were last logged on or something like that?

>

> We run a Windows 2000 Server environment.

 

You can use Joe Richards' free oldcmp utility:

 

http://www.joeware.net/win/free/tools/oldcmp.htm

 

--

Richard Mueller

Microsoft MVP Scripting and ADSI

Hilltop Lab - http://www.rlmueller.net

--

 

 

 


From: rondo <newsnospam@mail.sonofon.dk>

To: none

Subject: Re: Delete duplicate computer accounts in AD

Date: 09/28/2007 04:41:21

 

 

On Sep 27, 4:05 pm, "Richard Mueller [MVP]" <rlmueller-

nos...@ameritech.nospam.net> wrote:

> Ronnie wrote:

> > The help desk in our company have created duplicate computer accounts

> > for some computer objects in AD, and now I need to delete the accounts

> > that are not being used. Is there any way to determine which account

> > is actually in use, so that I don't delete the wrong ones?

>

> > I can see that one of the accounts has several odd characters at the

> > end of the name, but I'm not sure that's any guarantee that this is

> > the account not being used. Is it possible to see when the accounts

> > were last logged on or something like that?

>

> > We run a Windows 2000 Server environment.

>

> You can use Joe Richards' free oldcmp utility:

>

> http://www.joeware.net/win/free/tools/oldcmp.htm

>

> --

> Richard Mueller

> Microsoft MVP Scripting and ADSI

> Hilltop Lab - http://www.rlmueller.net

> --

 

Thank you for that however I was hoping that this would be possible

without using any 3rd party software.

 

Anyway I've now downloaded the software but I must admit I can't

figure out how to use this tool to solve my problem. Can anybody

please help me here with the correct command I need to run?

 

Thanks,

Ronnie
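Ronnie's question (which of two duplicate computer accounts is the live one, and when each last logged on) can be answered with the directory's own attributes and no third-party tool. The PowerShell below is an added example, not from the thread and not the oldcmp utility; it assumes a domain-joined machine, an account that can read computer objects on every DC, and a constructed placeholder name prefix.

```powershell
# Added example (not from the thread, not oldcmp). For every computer object
# whose name starts with $NamePrefix it reports
#   pwdLastSet - when the machine last rotated its secure-channel password
#                (replicated; a live member changes it about every 30 days)
#   lastLogon  - the newest value found on ANY DC, because on Windows 2000
#                this attribute is not replicated between DCs.
# The object with recent values is the one the machine really uses; the
# other one (often the name with trailing junk) is the deletion candidate.
# Assumption: $NamePrefix is a constructed placeholder.
param([string]$NamePrefix = 'WKS-042')

Add-Type -AssemblyName System.DirectoryServices
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs    = @($domain.DomainControllers | ForEach-Object { $_.Name })

function Find-Candidates {
    # Escape LDAP filter metacharacters (backslash first) so odd names cannot
    # turn the prefix into a filter injection.
    $esc = $NamePrefix -replace '\\', '\5c' -replace '\*', '\2a' `
                       -replace '\(', '\28' -replace '\)', '\29'
    $root = [ADSI]"LDAP://$($domain.Name)"
    $s = New-Object System.DirectoryServices.DirectorySearcher($root)
    $s.Filter = "(&(objectCategory=computer)(sAMAccountName=$esc*))"
    foreach ($p in 'distinguishedName', 'sAMAccountName', 'pwdLastSet') {
        [void]$s.PropertiesToLoad.Add($p)
    }
    $s.FindAll()
}

function ConvertFrom-FileTime($v) {
    # Both attributes are 100 ns ticks since 1601; 0 or absent means never.
    if ($null -eq $v -or [int64]$v -eq 0) { return $null }
    [DateTime]::FromFileTimeUtc([int64]$v)
}

function Get-NewestLastLogon([string]$Dn) {
    $newest = $null
    foreach ($dc in $dcs) {
        try {
            # Base-scope search on each DC; the searcher hands back Int64.
            $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$dc/$Dn")
            $s.SearchScope = 'Base'
            $s.Filter = '(objectClass=*)'
            [void]$s.PropertiesToLoad.Add('lastLogon')
            $r = $s.FindOne()
            if ($r -and $r.Properties['lastlogon'].Count -gt 0) {
                $t = ConvertFrom-FileTime $r.Properties['lastlogon'][0]
                if ($t -and (-not $newest -or $t -gt $newest)) { $newest = $t }
            }
        } catch {
            Write-Warning "$dc not queried: $($_.Exception.Message)"
        }
    }
    $newest
}

$report = foreach ($r in Find-Candidates) {
    $dn = $r.Properties['distinguishedname'][0]
    [pscustomobject]@{
        Account    = $r.Properties['samaccountname'][0]
        PwdLastSet = ConvertFrom-FileTime ($r.Properties['pwdlastset'] | Select-Object -First 1)
        LastLogon  = Get-NewestLastLogon $dn
        DN         = $dn
    }
}

# Keep this output with the change record before deleting anything.
$report | Sort-Object PwdLastSet -Descending | Format-Table -AutoSize
```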

 

 

 


From: Meinolf Weber <meiweb(nospam)@gmx.de>

To: none

Subject: Re: Does AD have a Default Backup User account?

Date: 09/27/2007 16:02:57

 

 

Hello Adam N.,

 

See your other post.

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

 

> Is there a Default Backup User account already created in W2K3?

>

> I am wanting to use a NAS to backup some directories on a W2K3 server,

> the utility wants an account to access the server with, so if there

> was a default account already created I would like to just use that.

>

> If not should I just create a user account specifically for this

> function?

>

> Thanks in advance,

>

 

 

 


From: Aime <oaime@hotmail.com>

To: none

Subject: Re: Domain controller crached

Date: 09/26/2007 02:53:21

 

 

Dear Jorge,

 

Thank you for your reply,

I finished all the steps as advised but did not yet install the DNS.

Is it necessary to install the DNS on the DC that is holding Exchange, or to

reinstall the DNS on the new DC and re-introduce it in the domain?

Can you please give me the steps to re-introduce the new DC in the

domain.

What about the GC, do I need to install it as well on the Exchange server or

??

 

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

news:uxsK8a5$HHA.4324@TK2MSFTNGP02.phx.gbl...

> Hi

> In AD there isn't a BDC concept all DCs are peers and equal in most of

> configurations. - Disconnect the Dc from network.

> - Then remove all references to that Dc on AD database (Metadata cleanup).

> - Remove any Dns references to the Dc.

> - If necessary seize any left Op Master roles that were hosted by that Dc.

> - If the domain controller that you are demoting is a DNS server or global

> catalog server, you must create a new GC or DNS server to satisfy load

> balancing, fault tolerance, and configuration settings in the forest.

> - When you use the remove selected server command in NTDSUTIL, the NTDSDSA

> object, the parent object for incoming connections to the domain

> controller that you forcibly demoted is removed. The command does not

> remove the parent server objects that appear in the Sites and Services

> snap-in. Use the Active Directory Sites and Services MMC snap-in to remove

> the server object if the domain controller will not be promoted into the

> forest with the same computer name

> Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

> http://support.microsoft.com/kb/255504/

> How to remove data in Active Directory after an unsuccessful domain

> controller demotion

> http://support.microsoft.com/?kbid=216498

>

>

>

> --

> I hope that the information above helps you.

> Have a Nice day.

>

>

> Jorge Silva

> MCSE, MVP Directory Services

> "Aime" <oaime@hotmail.com> wrote in message

> news:OlbV8R4$HHA.5980@TK2MSFTNGP04.phx.gbl...

>> Dear,

>>

>> I had the primary domain controller crash, i don't have any backup.

>> But the backup domain controller still working,

>> Can you please guide me how i can bring back the primary DC again in the

>> AD after reinstalling a fresh windows 2003 on it.

>> The primary DC was in charge of DNS and DHCP and the backup DC is holding

>> the exchange server 2003

>>

>> Regards

>> AIME

>>

>>

>

>

 

 

 


From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Domain controller crached

Date: 09/26/2007 07:08:35

 

 

-First of all, you shouldn't run Exchange on DCs; it is a bad practice in my

opinion (not all share the same opinion).

-You must have at least 1 DNS server in your domain, so if you don't have

any you must urgently configure one; you also need to have at least 1 GC.

-Run dcdiag and netdiag and make sure that there are no errors in the output.

-To create Additional domain controllers check:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/addomcon.mspx

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"Aime" <oaime@hotmail.com> wrote in message

news:%23E3qNMBAIHA.4324@TK2MSFTNGP02.phx.gbl...

> Dear Jorge,

>

> Thank you for your reply,

> I finished all the steps as advised but did not yet install the DNS.

> Is it necessary to install the DNS on the DC that is holding Exchange, or to

> reinstall the DNS on the new DC and re-introduce it in the domain?

> Can you please give me the steps to re-introduce the new DC in the

> domain.

> What about the GC, do I need to install it as well on the Exchange server

> or ??

>

> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

> news:uxsK8a5$HHA.4324@TK2MSFTNGP02.phx.gbl...

>> Hi

>> In AD there isn't a BDC concept all DCs are peers and equal in most of

>> configurations. - Disconnect the Dc from network.

>> - Then remove all references to that Dc on AD database (Metadata

>> cleanup).

>> - Remove any Dns references to the Dc.

>> - If necessary seize any left Op Master roles that were hosted by that

>> Dc.

>> - If the domain controller that you are demoting is a DNS server or

>> global catalog server, you must create a new GC or DNS server to satisfy

>> load balancing, fault tolerance, and configuration settings in the

>> forest.

>> - When you use the remove selected server command in NTDSUTIL, the

>> NTDSDSA object, the parent object for incoming connections to the domain

>> controller that you forcibly demoted is removed. The command does not

>> remove the parent server objects that appear in the Sites and Services

>> snap-in. Use the Active Directory Sites and Services MMC snap-in to

>> remove the server object if the domain controller will not be promoted

>> into the forest with the same computer name

>> Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

>> http://support.microsoft.com/kb/255504/

>> How to remove data in Active Directory after an unsuccessful domain

>> controller demotion

>> http://support.microsoft.com/?kbid=216498

>>

>>

>>

>> --

>> I hope that the information above helps you.

>> Have a Nice day.

>>

>>

>> Jorge Silva

>> MCSE, MVP Directory Services

>> "Aime" <oaime@hotmail.com> wrote in message

>> news:OlbV8R4$HHA.5980@TK2MSFTNGP04.phx.gbl...

>>> Dear,

>>>

>>> I had the primary domain controller crash, i don't have any backup.

>>> But the backup domain controller still working,

>>> Can you please guide me how i can bring back the primary DC again in the

>>> AD after reinstalling a fresh windows 2003 on it.

>>> The primary DC was in charge of DNS and DHCP and the backup DC is

>>> holding the exchange server 2003

>>>

>>> Regards

>>> AIME

>>>

>>>

>>

>>

>

>

 

 

 


From: Aime <oaime@hotmail.com>

To: none

Subject: Re: Domain controller crached

Date: 09/27/2007 02:57:18

 

 

Can you please clarify if I should not install the DNS on the DC that runs

Exchange server 2003.

If not, then I should first install DNS on the new server, then DCPROMO and

join the existing domain!

Is this correct?

 

Thanks

 

 

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

news:OIVEyXDAIHA.3400@TK2MSFTNGP03.phx.gbl...

> -First of all, you shouldn't run Exchange on DCs; it is a bad practice in my

> opinion (not all share the same opinion).

> -You must have at least 1 DNS server in your domain, so if you don't have

> any you must urgently configure one; you also need to have at least 1 GC.

> -Run dcdiag and netdiag and make sure that there are no errors in the output.

> -To create Additional domain controllers check:

> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/addomcon.mspx

>

> --

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services

> "Aime" <oaime@hotmail.com> wrote in message

> news:%23E3qNMBAIHA.4324@TK2MSFTNGP02.phx.gbl...

>> Dear Jorge,

>>

>> Thank you for your reply,

>> I finished all the steps as advised but did not yet install the DNS.

>> Is it necessary to install the DNS on the DC that is holding Exchange, or to

>> reinstall the DNS on the new DC and re-introduce it in the domain?

>> Can you please give me the steps to re-introduce the new DC in the

>> domain.

>> What about the GC, do I need to install it as well on the Exchange server

>> or ??

>>

>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>> news:uxsK8a5$HHA.4324@TK2MSFTNGP02.phx.gbl...

>>> Hi

>>> In AD there isn't a BDC concept all DCs are peers and equal in most of

>>> configurations. - Disconnect the Dc from network.

>>> - Then remove all references to that Dc on AD database (Metadata

>>> cleanup).

>>> - Remove any Dns references to the Dc.

>>> - If necessary seize any left Op Master roles that were hosted by that

>>> Dc.

>>> - If the domain controller that you are demoting is a DNS server or

>>> global catalog server, you must create a new GC or DNS server to satisfy

>>> load balancing, fault tolerance, and configuration settings in the

>>> forest.

>>> - When you use the remove selected server command in NTDSUTIL, the

>>> NTDSDSA object, the parent object for incoming connections to the domain

>>> controller that you forcibly demoted is removed. The command does not

>>> remove the parent server objects that appear in the Sites and Services

>>> snap-in. Use the Active Directory Sites and Services MMC snap-in to

>>> remove the server object if the domain controller will not be promoted

>>> into the forest with the same computer name

>>> Using Ntdsutil.exe to transfer or seize FSMO roles to a domain

>>> controller

>>> http://support.microsoft.com/kb/255504/

>>> How to remove data in Active Directory after an unsuccessful domain

>>> controller demotion

>>> http://support.microsoft.com/?kbid=216498

>>>

>>>

>>>

>>> --

>>> I hope that the information above helps you.

>>> Have a Nice day.

>>>

>>>

>>> Jorge Silva

>>> MCSE, MVP Directory Services

>>> "Aime" <oaime@hotmail.com> wrote in message

>>> news:OlbV8R4$HHA.5980@TK2MSFTNGP04.phx.gbl...

>>>> Dear,

>>>>

>>>> I had the primary domain controller crash, i don't have any backup.

>>>> But the backup domain controller still working,

>>>> Can you please guide me how i can bring back the primary DC again in

>>>> the AD after reinstalling a fresh windows 2003 on it.

>>>> The primary DC was in charge of DNS and DHCP and the backup DC is

>>>> holding the exchange server 2003

>>>>

>>>> Regards

>>>> AIME

>>>>

>>>>

>>>

>>>

>>

>>

>

>

 

 

 


From: Aime <oaime@hotmail.com>

To: none

Subject: Re: Domain controller crached

Date: 09/27/2007 04:02:24

 

 

Can you please clarify if I should not install the DNS on the DC that runs

Exchange server 2003.

If not, then I should first install DNS on the new server, then DCPROMO and

join the existing domain!

Is this correct?

 

Thanks

 

 

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

news:OIVEyXDAIHA.3400@TK2MSFTNGP03.phx.gbl...

> -First of all, you shouldn't run Exchange on DCs; it is a bad practice in my

> opinion (not all share the same opinion).

> -You must have at least 1 DNS server in your domain, so if you don't have

> any you must urgently configure one; you also need to have at least 1 GC.

> -Run dcdiag and netdiag and make sure that there are no errors in the output.

> -To create Additional domain controllers check:

> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/addomcon.mspx

>

> --

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services

> "Aime" <oaime@hotmail.com> wrote in message

> news:%23E3qNMBAIHA.4324@TK2MSFTNGP02.phx.gbl...

>> Dear Jorge,

>>

>> Thank you for your reply,

>> I finished all the steps as advised but did not yet install the DNS.

>> Is it necessary to install the DNS on the DC that is holding Exchange, or to

>> reinstall the DNS on the new DC and re-introduce it in the domain?

>> Can you please give me the steps to re-introduce the new DC in the

>> domain.

>> What about the GC, do I need to install it as well on the Exchange server

>> or ??

>>

>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>> news:uxsK8a5$HHA.4324@TK2MSFTNGP02.phx.gbl...

>>> Hi

>>> In AD there isn't a BDC concept all DCs are peers and equal in most of

>>> configurations. - Disconnect the Dc from network.

>>> - Then remove all references to that Dc on AD database (Metadata

>>> cleanup).

>>> - Remove any Dns references to the Dc.

>>> - If necessary seize any left Op Master roles that were hosted by that

>>> Dc.

>>> - If the domain controller that you are demoting is a DNS server or

>>> global catalog server, you must create a new GC or DNS server to satisfy

>>> load balancing, fault tolerance, and configuration settings in the

>>> forest.

>>> - When you use the remove selected server command in NTDSUTIL, the

>>> NTDSDSA object, the parent object for incoming connections to the domain

>>> controller that you forcibly demoted is removed. The command does not

>>> remove the parent server objects that appear in the Sites and Services

>>> snap-in. Use the Active Directory Sites and Services MMC snap-in to

>>> remove the server object if the domain controller will not be promoted

>>> into the forest with the same computer name

>>> Using Ntdsutil.exe to transfer or seize FSMO roles to a domain

>>> controller

>>> http://support.microsoft.com/kb/255504/

>>> How to remove data in Active Directory after an unsuccessful domain

>>> controller demotion

>>> http://support.microsoft.com/?kbid=216498

>>>

>>>

>>>

>>> --

>>> I hope that the information above helps you.

>>> Have a Nice day.

>>>

>>>

>>> Jorge Silva

>>> MCSE, MVP Directory Services

>>> "Aime" <oaime@hotmail.com> wrote in message

>>> news:OlbV8R4$HHA.5980@TK2MSFTNGP04.phx.gbl...

>>>> Dear,

>>>>

>>>> I had the primary domain controller crash, i don't have any backup.

>>>> But the backup domain controller still working,

>>>> Can you please guide me how i can bring back the primary DC again in

>>>> the AD after reinstalling a fresh windows 2003 on it.

>>>> The primary DC was in charge of DNS and DHCP and the backup DC is

>>>> holding the exchange server 2003

>>>>

>>>> Regards

>>>> AIME

>>>>

>>>>

>>>

>>>

>>

>>

>

>

 

 

 


From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Domain controller crached

Date: 09/27/2007 15:24:54

 

 

The problem isn't having DNS on Exchange but rather having Exchange on a DC.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

 

"Aime" <oaime@hotmail.com> wrote in message

news:u4KheXOAIHA.1208@TK2MSFTNGP05.phx.gbl...

> Can you please clarify if I should not install the DNS on the DC that runs

> Exchange server 2003.

> If not, then I should first install DNS on the new server, then DCPROMO and

> join the existing domain!

> Is this correct?

>

> Thanks

>

>

> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

> news:OIVEyXDAIHA.3400@TK2MSFTNGP03.phx.gbl...

>> -First of all, you shouldn't run Exchange on DCs; it is a bad practice in my

>> opinion (not all share the same opinion).

>> -You must have at least 1 DNS server in your domain, so if you don't have

>> any you must urgently configure one; you also need to have at least 1 GC.

>> -Run dcdiag and netdiag and make sure that there are no errors in the output.

>> -To create Additional domain controllers check:

>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/addomcon.mspx

>>

>> --

>> I hope that the information above helps you.

>> Have a Nice day.

>>

>> Jorge Silva

>> MCSE, MVP Directory Services

>> "Aime" <oaime@hotmail.com> wrote in message

>> news:%23E3qNMBAIHA.4324@TK2MSFTNGP02.phx.gbl...

>>> Dear Jorge,

>>>

>>> Thank you for your reply,

>>> I finished all the steps as advised but did not yet install the DNS.

>>> Is it necessary to install the DNS on the DC that is holding Exchange,

>>> or to reinstall the DNS on the new DC and re-introduce it in the domain?

>>> Can you please give me the steps to re-introduce the new DC in the

>>> domain.

>>> What about the GC, do I need to install it as well on the Exchange

>>> server or ??

>>>

>>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>>> news:uxsK8a5$HHA.4324@TK2MSFTNGP02.phx.gbl...

>>>> Hi

>>>> In AD there isn't a BDC concept all DCs are peers and equal in most of

>>>> configurations. - Disconnect the Dc from network.

>>>> - Then remove all references to that Dc on AD database (Metadata

>>>> cleanup).

>>>> - Remove any Dns references to the Dc.

>>>> - If necessary seize any left Op Master roles that were hosted by that

>>>> Dc.

>>>> - If the domain controller that you are demoting is a DNS server or

>>>> global catalog server, you must create a new GC or DNS server to

>>>> satisfy load balancing, fault tolerance, and configuration settings in

>>>> the forest.

>>>> - When you use the remove selected server command in NTDSUTIL, the

>>>> NTDSDSA object, the parent object for incoming connections to the

>>>> domain controller that you forcibly demoted is removed. The command

>>>> does not remove the parent server objects that appear in the Sites and

>>>> Services snap-in. Use the Active Directory Sites and Services MMC

>>>> snap-in to remove the server object if the domain controller will not

>>>> be promoted into the forest with the same computer name

>>>> Using Ntdsutil.exe to transfer or seize FSMO roles to a domain

>>>> controller

>>>> http://support.microsoft.com/kb/255504/

>>>> How to remove data in Active Directory after an unsuccessful domain

>>>> controller demotion

>>>> http://support.microsoft.com/?kbid=216498

>>>>

>>>>

>>>>

>>>> --

>>>> I hope that the information above helps you.

>>>> Have a Nice day.

>>>>

>>>>

>>>> Jorge Silva

>>>> MCSE, MVP Directory Services

>>>> "Aime" <oaime@hotmail.com> wrote in message

>>>> news:OlbV8R4$HHA.5980@TK2MSFTNGP04.phx.gbl...

>>>>> Dear,

>>>>>

>>>>> I had the primary domain controller crash, i don't have any backup.

>>>>> But the backup domain controller still working,

>>>>> Can you please guide me how i can bring back the primary DC again in

>>>>> the AD after reinstalling a fresh windows 2003 on it.

>>>>> The primary DC was in charge of DNS and DHCP and the backup DC is

>>>>> holding the exchange server 2003

>>>>>

>>>>> Regards

>>>>> AIME

>>>>>

>>>>>

>>>>

>>>>

>>>

>>>

>>

>>

>

>

 

 

 


From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Domain Controller down

Date: 09/26/2007 12:59:09

 

 

Hi

It shouldn't be; check in the DFS newsgroups.

One of the problems may be related to your Active Directory Sites and

Subnets configuration/design; you may have people trying to reach the servers

in the wrong site. Once again, check in the DFS newsgroups.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"BBW" <tkarpowski@bennettcompany.com> wrote in message

news:OjN3oZGAIHA.320@TK2MSFTNGP04.phx.gbl...

> I have a domain controller, win2K3 SP1, that is down due to hardware

> failure.  It is the Infrastructure Master and was a DFS Root Link.

>

> Now, when people access the Y: drive, which is a DFS Link, we are

> experiencing intermittent slowdowns, like 15-30 seconds.

>

> I have removed it as a DFS Root links on the production server, as I have

> others.

>

> Is this because the Infrastructure Master is down...?

>

> Any other thoughts...

 

 

 



 

 

 

From: BBW <tkarpowski@bennettcompany.com>

To: none

Subject: Re: Domain Controller down

Date: 09/26/2007 13:24:41

 

 

This slowness happens for accessing the local server using the DFS mapped

drive.

 

The down server is also the Schema Master...?

 

Would that cause intermittent DFS slowdowns?

 

There isn't anything in the logs except that it can't see the down server...

 

 

 

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

news:%23QbRrbGAIHA.4880@TK2MSFTNGP03.phx.gbl...

> Hi

> It shouldn't be; check at the DFS ngs.

> One of the problems may be related to your Active Directory Sites and

> Subnets configuration/design; you may have people trying to get the

> servers in the wrong site. Once again, check at the DFS ngs.

>

> --

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services

> "BBW" <tkarpowski@bennettcompany.com> wrote in message

> news:OjN3oZGAIHA.320@TK2MSFTNGP04.phx.gbl...

>>I have a domain controller, win2K3 SP1, that is down due to hardware

>>failure.  It is the Infrastructure Master and was a DFS Root Link.

>>

>> Now, when people access the Y: drive, which is a DFS Link, we are

>> experiencing intermittent slowdowns, like 15-30 seconds.

>>

>> I have removed it as a DFS Root link on the production server, as I have

>> others.

>>

>> Is this because the Infrastructure Master is down...?

>>

>> Any other thoughts...

>

>

 

 

 



 

 

 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Domain Controller down

Date: 09/26/2007 14:55:40

 

 

> This slowness happens for accessing the local server using the DFS mapped

> drive.

Only in mapped drives? What about the UNC path?

Do you have DFS servers on different sites?

Do you have additional servers for DFS Root Namespace?

 

> The down server is also the Schema Master also...?

Shouldn't interfere.

 

> Would that cause intermittent DFS slowdowns.

-Bad site configuration (Assuming multiple sites and DFS servers at different

locations).

-Name resolution.

-Switching, cabling...

 

> There isn't anything in the logs except that it can't see the down

> server...

Check other related known issues:

http://support.microsoft.com/kb/873407

http://support.microsoft.com/kb/915377

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsdb_dfs_stdz.mspx?mfr=true

 

Once again, post this at the DFS ngs and let us know the results.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"BBW" <tkarpowski@bennettcompany.com> wrote in message

news:eAWtCqGAIHA.5360@TK2MSFTNGP03.phx.gbl...

> This slowness happens for accessing the local server using the DFS mapped

> drive.

>

> The down server is also the Schema Master...?

>

> Would that cause intermittent DFS slowdowns?

>

> There isn't anything in the logs except that it can't see the down

> server...

>

>

>

> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

> news:%23QbRrbGAIHA.4880@TK2MSFTNGP03.phx.gbl...

>> Hi

>> It shouldn't be; check at the DFS ngs.

>> One of the problems may be related to your Active Directory Sites and

>> Subnets configuration/design; you may have people trying to get the

>> servers in the wrong site. Once again, check at the DFS ngs.

>>

>> --

>> I hope that the information above helps you.

>> Have a Nice day.

>>

>> Jorge Silva

>> MCSE, MVP Directory Services

>> "BBW" <tkarpowski@bennettcompany.com> wrote in message

>> news:OjN3oZGAIHA.320@TK2MSFTNGP04.phx.gbl...

>>>I have a domain controller, win2K3 SP1, that is down due to hardware

>>>failure.  It is the Infrastructure Master and was a DFS Root Link.

>>>

>>> Now, when people access the Y: drive, which is a DFS Link, we are

>>> experiencing intermittent slowdowns, like 15-30 seconds.

>>>

>>> I have removed it as a DFS Root link on the production server, as I

>>> have others.

>>>

>>> Is this because the Infrastructure Master is down...?

>>>

>>> Any other thoughts...

>>

>>

>

 

 

 



 

 

 

From: Will <westes-usc@noemail.nospam>

To: none

Subject: Re: Domain Controller File Permissions on SYSVOL

Date: 09/25/2007 17:52:01

 

 

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

news:%23ySF3u6$HHA.5868@TK2MSFTNGP05.phx.gbl...

>> 1) READ permissions against the SYSVOLs on other DCs

> There are 2 SYSVOL (1 is shared).

> What permissions are you talking about (NTFS or Share permissions)?

>

> IIRC: By default NTFS PERMISSIONS ARE: Administrators and System have full

> control, Authenticated Users and Server Operators have read permissions.

> SHARE PERMISSIONS: Administrators Full control, Everyone has read perm.

> (Note: I'm talking about the Sysvol share folder)

 

I'm referring to just the NTFS permissions. Inferring from the above:

domain controllers should only have read access to the SYSVOLs of other

domain controllers.

 

--

Will

 

> "Will" <westes-usc@noemail.nospam> wrote in message

> news:EO-dndb-JZdBwmTbnZ2dnUVZ_rOpnZ2d@giganews.com...

>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>> news:OzsKX91$HHA.3716@TK2MSFTNGP03.phx.gbl...

>>> Hi

>>> DCs share the same permissions among all existing DCs.

>>

>> That doesn't answer the original question.   I'm asking do DCs need

>>

>> 1) READ permissions against the SYSVOLs on other DCs

>>

>> 2) MODIFY permissions against the SYSVOLs on other DCs

>>

>> It's not a question about the sameness of permissions.

>>

>> --

>> Will

>>

>>

>>> "Will" <westes-usc@noemail.nospam> wrote in message

>>> news:OrqdnTlH3LuqSWXbnZ2dnUVZ_qqgnZ2d@giganews.com...

>>> > Do Domain Controllers only require read-only file system permissions

>>> > to

>>> > the

>>> > SYSVOL on other Domain Controllers?

>>> >

>>> > --

>>> > Will

>>

>>

>

>

 

 

 



 

 

 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Domain Controller File Permissions on SYSVOL

Date: 09/25/2007 18:18:45

 

 

They could have, but it isn't defined by default. By default the "Domain

Controllers" security group doesn't have permissions on that folder.

The defaults should do the job just fine.

And as I said before these permissions should be set equal among all DCs.

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"Will" <westes-usc@noemail.nospam> wrote in message

news:dYCdnfY3z7aPDGTbnZ2dnUVZ_v2unZ2d@giganews.com...

> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

> news:%23ySF3u6$HHA.5868@TK2MSFTNGP05.phx.gbl...

>>> 1) READ permissions against the SYSVOLs on other DCs

>> There are 2 SYSVOL (1 is shared).

>> What permissions are you talking about (NTFS or Share permissions)?

>>

>> IIRC: By default NTFS PERMISSIONS ARE: Administrators and System have

>> full control, Authenticated Users and Server Operators have read

>> permissions. SHARE PERMISSIONS: Administrators Full control, Everyone

>> has read perm. (Note: I'm talking about the Sysvol share folder)

>

> I'm referring to just the NTFS permissions. Inferring from the above:

> domain controllers should only have read access to the SYSVOLs of other

> domain controllers.

>

> --

> Will

>

>> "Will" <westes-usc@noemail.nospam> wrote in message

>> news:EO-dndb-JZdBwmTbnZ2dnUVZ_rOpnZ2d@giganews.com...

>>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>>> news:OzsKX91$HHA.3716@TK2MSFTNGP03.phx.gbl...

>>>> Hi

>>>> DCs share the same permissions among all existing DCs.

>>>

>>> That doesn't answer the original question.   I'm asking do DCs need

>>>

>>> 1) READ permissions against the SYSVOLs on other DCs

>>>

>>> 2) MODIFY permissions against the SYSVOLs on other DCs

>>>

>>> It's not a question about the sameness of permissions.

>>>

>>> --

>>> Will

>>>

>>>

>>>> "Will" <westes-usc@noemail.nospam> wrote in message

>>>> news:OrqdnTlH3LuqSWXbnZ2dnUVZ_qqgnZ2d@giganews.com...

>>>> > Do Domain Controllers only require read-only file system permissions

>>>> > to

>>>> > the

>>>> > SYSVOL on other Domain Controllers?

>>>> >

>>>> > --

>>>> > Will

>>>

>>>

>>

>>

>

>
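Added example, not code from the thread: a PowerShell check that compares a DC's SYSVOL NTFS ACL with the defaults Jorge lists (Administrators and SYSTEM full control, Authenticated Users and Server Operators read) and reports every deviation, so permissions that have drifted on one DC stand out when the script is run on each of them. Assumed: the default SYSVOL location (override with -SysvolPath), and that the UI's "Read" corresponds to ReadAndExecute plus Synchronize.

```powershell
param([string]$SysvolPath = "$env:SystemRoot\SYSVOL\sysvol")   # assumption: default location

# Baseline taken from the thread (Jorge's "IIRC" defaults), keyed by the account
# name exactly as Get-Acl reports it. "Read" in the UI is ReadAndExecute + Synchronize.
$FC = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$RD = [int]([System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize')
$baseline = @{
    'BUILTIN\Administrators'           = $FC
    'NT AUTHORITY\SYSTEM'              = $FC
    'NT AUTHORITY\Authenticated Users' = $RD
    'BUILTIN\Server Operators'         = $RD
}

$acl      = Get-Acl -Path $SysvolPath
$findings = @()
foreach ($ace in $acl.Access) {
    # Inherit-only ACEs carry generic rights bits and do not apply to the folder itself.
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
    $who = $ace.IdentityReference.Value
    if ($ace.AccessControlType -eq 'Deny') {
        $findings += "Deny ACE for '$who' ($($ace.FileSystemRights))"
        continue
    }
    if (-not $baseline.ContainsKey($who)) {
        $findings += "Unexpected principal '$who' with '$($ace.FileSystemRights)'"
        continue
    }
    # Any right bit set beyond the baseline means this ACE grants more than the default.
    $extra = ([int]$ace.FileSystemRights) -band (-bnot $baseline[$who])
    if ($extra -ne 0) {
        $extraName = [System.Security.AccessControl.FileSystemRights]$extra
        $findings += "'$who' exceeds baseline: $($ace.FileSystemRights) (extra: $extraName)"
    }
}
# A baseline principal that is absent is also a deviation (e.g. Authenticated Users removed).
foreach ($who in $baseline.Keys) {
    if (-not ($acl.Access | Where-Object { $_.IdentityReference.Value -eq $who })) {
        $findings += "Baseline principal '$who' is missing from the ACL"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "REVIEW: $_" } }
else { Write-Output "SYSVOL ACL on $SysvolPath matches the default baseline." }
```

Run it on every DC and diff the output; identical, empty finding lists are what "set equal among all DCs" looks like in practice.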

 

 

 



 

 

 

From: Dkp <deep275@gmail.com>

To: none

Subject: Re: Domain Login Failed

Date: 09/26/2007 08:12:55

 

 

Try to create the trust relationship between these domains and proceed

further.

 

On Sep 10, 12:22 am, Shan <S...@discussions.microsoft.com> wrote:

> Hi Meinolf,

> I checked in there and I do not see any entries.

>

> Thanks

>

> "Meinolf Weber" wrote:

> > Hello Shan,

>

> > No, that trust I do not mean. Open Active Directory Domains and Trusts and

> > check if there is an entry.

>

> > Best regards

>

> > Meinolf Weber

> > Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> > no rights.

>

> > > Hi Meinolf,

>

> > > OK, I have changed the DNS entry to its own IP.  This is a stand-alone

> > > domain. How can I use trust for this domain?  Should I use "Trust

> > > computer for delegation" check box in the Computer properties?

>

> > > Thanks

>

> > > "Meinolf Weber" wrote:

>

> > >> Hello Shan,

>

> > >> The configuration is OK, but I would change the DNS entry from

> > >> 127.0.0.1 to the real IP address of the server. If you have more

> > >> than one DNS server you run into trouble with the loopback IP

> > >> configuration.

>

> > >> For the event id check this one:

> > >> http://www.eventid.net/display.asp?eventid=5513&eventno=484&source=NETLOGON&phase=1

> > >> Do you use a trust to another domain or have you used it?

>

> > >> Best regards

>

> > >> Meinolf Weber

> > >> Disclaimer: This posting is provided "AS IS" with no warranties, and

> > >> confers

> > >> no rights.

> > >>> OK.. Here is the ipconfig /all

> > >>> C:\Documents and Settings\Administrator>ipconfig /all

> > >>> Windows IP Configuration

> > >>> Host Name . . . . . . . . . . . . : apdc01

> > >>> Primary Dns Suffix  . . . . . . . : alsplumbing.lcl

> > >>> Node Type . . . . . . . . . . . . : Hybrid

> > >>> IP Routing Enabled. . . . . . . . : No

> > >>> WINS Proxy Enabled. . . . . . . . : No

> > >>> DNS Suffix Search List. . . . . . : alsplumbing.lcl

> > >>> Ethernet adapter Local Area Connection:

> > >>> Connection-specific DNS Suffix  . :

> > >>> Description . . . . . . . . . . . : Broadcom NetXtreme 5721 Gigabit

> > >>> Controller

> > >>> Physical Address. . . . . . . . . : 00-12-3F-24-45-AC

> > >>> DHCP Enabled. . . . . . . . . . . : No

> > >>> IP Address. . . . . . . . . . . . : 10.1.0.2

> > >>> Subnet Mask . . . . . . . . . . . : 255.255.255.0

> > >>> Default Gateway . . . . . . . . . : 10.1.0.254

> > >>> DNS Servers . . . . . . . . . . . : 127.0.0.1

> > >>> After I renamed one of the computers it apparently disconnected

> > >>> computer AP021.

> > >>> EVENT Viewer shows

> > >>> Event Type:   Error

> > >>> Event Source: NETLOGON

> > >>> Event Category:       None

> > >>> Event ID:     5513

> > >>> Date:         9/8/2007

> > >>> Time:         1:36:50 PM

> > >>> User:         N/A

> > >>> Computer:     APDC01

> > >>> Description:

> > >>> The computer AP021 tried to connect to the server \\APDC01 using the

> > >>> trust

> > >>> relationship established by the ALSPLUMBING domain. However, the

> > >>> computer

> > >>> lost the correct security identifier (SID) when the domain was

> > >>> reconfigured.

> > >>> Reestablish the trust relationship.

> > >>> For more information, see Help and Support Center at

> > >>>http://go.microsoft.com/fwlink/events.asp.

> > >>> "Meinolf Weber" wrote:

>

> > >>>> Hello Shan,

>

> > >>>> Logon problems often have to do with bad DNS configuration. Please

> > >>>> post an ipconfig /all from the server and one client. Also check on

> > >>>> the domain controller for errors in the event viewer and post them

> > >>>> also here.

>

> > >>>> Best regards

>

> > >>>> Meinolf Weber

> > >>>> Disclaimer: This posting is provided "AS IS" with no warranties,

> > >>>> and

> > >>>> confers

> > >>>> no rights.

> > >>>>> I'm using W2K3 Standard edition with Active Directory.  Every time

> > >>>>> I add a new machine to this server, the next day one of the domain users

> > >>>>> complains that they can no longer log in to the server.  I

> > >>>>> try everything, but the only way that user can log in is if I change

> > >>>>> the machine name to something else.  And as soon as I do that,

> > >>>>> another machine fails to log in. Any help in this matter is greatly

> > >>>>> appreciated.

>

> > >>>>> Thanks
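Added example, not code from the thread: a PowerShell triage script for the two things Meinolf's replies point at, a DC whose DNS client list is only 127.0.0.1, and NETLOGON event 5513 ("lost the correct security identifier"), so the affected computer accounts can be listed with counts and last-seen times before any trust is reset. Assumed: Windows PowerShell 3.0 or later on the DC, and that the event text matches the wording quoted above, which the regex relies on.

```powershell
param([int]$Days = 7)   # how far back to look for 5513 events

# --- (1) DNS client configuration: flag IP-enabled adapters whose only DNS server is the loopback.
$dnsFindings = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $servers = @($_.DNSServerSearchOrder | Where-Object { $_ })
        if ($servers.Count -gt 0 -and -not ($servers | Where-Object { $_ -ne '127.0.0.1' })) {
            "Adapter '$($_.Description)' uses only 127.0.0.1 for DNS (IP: $($_.IPAddress -join ', '))"
        }
    }

# --- (2) NETLOGON 5513 events: one row per affected computer with count and last occurrence.
$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5513; StartTime = $since
    } -ErrorAction SilentlyContinue   # no matching events is an error for Get-WinEvent; treat as empty

$byComputer = $events | ForEach-Object {
        # Quoted event text: "The computer AP021 tried to connect to the server \\APDC01 using the trust ..."
        # Assumption: the live message keeps this wording; the computer name follows "The computer".
        if ($_.Message -match 'The computer (\S+) tried to connect to the server') {
            [pscustomobject]@{ Computer = $Matches[1]; Time = $_.TimeCreated }
        }
    } | Group-Object Computer | ForEach-Object {
        [pscustomobject]@{
            Computer = $_.Name
            Events   = $_.Count
            LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        }
    }

if ($dnsFindings) { $dnsFindings | ForEach-Object { Write-Output "REVIEW: $_" } }
else { Write-Output 'DNS client lists do not rely solely on 127.0.0.1.' }

if ($byComputer) { $byComputer | Sort-Object LastSeen -Descending | Format-Table -AutoSize }
else { Write-Output "No NETLOGON 5513 events in the last $Days day(s)." }
```

A computer that keeps reappearing in the 5513 list after its trust is re-established is the one to look at more closely; the list also shows whether the failures track the machines that were most recently joined or renamed, as the original post describes.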

 

 

 



 

 

 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: Domain Rename

Date: 09/28/2007 01:12:38

 

 

Hello,

 

The problems are not in Active Directory itself, but in everything around it

that uses it!

 

Our domain rename experience:

http://lordoftheping.blogspot.com/2006/07/domain-rename-done.html

http://lordoftheping.blogspot.com/2006/08/post-domain-rename-sms-iis-wsus-down.html

 

Jorge's posts:

http://blogs.dirteam.com/blogs/jorge/archive/2005/11/24/154.aspx

http://blogs.dirteam.com/blogs/jorge/archive/2006/05/24/1037.aspx

 

 

--

Regards,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

 

 

"Trev" <trevor.dodds@gmail.com> wrote in message

news:1190959206.331758.102020@g4g2000hsf.googlegroups.com...

> Hi,

>

> We are running a Windows 2003 Native Domain in both our Root level

> domain and Child level; we have over 12 DCs countrywide with 8

> Exchange 2003 SP2 servers and roughly 3000 workstations.  How

> successful is the rendom tool? Of course this will be tested in a test

> environment, but I would like to hear from anyone else that has done a

> domain rename.

>

> Thanks

> Trevor

>

 

 

 



 
