From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>
To: none
Subject: Re: Library not registered when trying to open AD
Date: 09/27/2007 06:49:21

Run diagnostics against your Active Directory domain.

If you don't have the support tools installed, install them from your server install disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> dnslint /ad /s "ip address of your dc"

**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's in the forest. If you have significant numbers of DC's this test could generate significant detail and take a long time. You also want to take into account slow links to dc's will also add to the testing time.

If you download a gui script I wrote it should be simple to set and run (DCDiag and NetDiag). It also has the option to run individual tests without having to learn all the switch options. The details will be output in notepad text files that pop up automagically.

The script is located on my website at http://www.pbbergs.com/windows/downloads.htm

Just select both dcdiag and netdiag make sure verbose is set. (Leave the default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages.

Description and download for dnslint
http://support.microsoft.com/kb/321045

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"abaratin" <abaratin@gmail.com> wrote in message
news:1190888183.547668.193160@w3g2000hsg.googlegroups.com...
> Hi all,
>
> Yesterday I had a problem with WSUS3. I tried to reinstall it but it
> fails... Few minutes after I tried to go to the GPO settings... I
> receive an error "The domain controller can not be contacted Error
> was: Library not Registered"
> I have this "Library not registered" error anytime I try to open
> something dealing with GPO's or AD.
> I don't know what to do...
>
> So if you have ideas, suggestions or links with documentation It will
> be great...
> I don't know Active Directory enough to solve this kind of problem...
>
> Thanks in advance
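
An added example (not part of the original post and not the author's GUI script) of the last step in the reply above, searching the collected output for fail, error and warning lines. The function name `Get-DiagFinding` and the sample log text are constructed for illustration; the `passed test` / `failed test` summary lines follow dcdiag's usual output.

```powershell
# Added example: triage of dcdiag/netdiag/repadmin output.
# Get-DiagFinding is a hypothetical helper name, not a built-in cmdlet.
function Get-DiagFinding {
    param(
        [Parameter(Mandatory)][string[]]$Line,
        [string]$Source = 'dcdiag.log'
    )
    $n = 0
    foreach ($text in $Line) {
        $n++
        # dcdiag ends each test with "...... <target> passed|failed test <name>"
        if ($text -match '\.{5,}\s+(?<target>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)') {
            if ($Matches['result'] -eq 'failed') {
                [pscustomobject]@{
                    Source = $Source; LineNo = $n; Kind = 'FailedTest'
                    Target = $Matches['target']; Detail = $Matches['test']
                }
            }
            continue   # a "passed" summary line needs no further checks
        }
        # Everything else: plain keyword search (-match is case-insensitive)
        if ($text -match '\b(fail\w*|error\w*|warning\w*)\b') {
            [pscustomobject]@{
                Source = $Source; LineNo = $n; Kind = 'Keyword'
                Target = $null; Detail = $text.Trim()
            }
        }
    }
}

# Constructed sample in the shape of "dcdiag /v" output
$sample = @'
   Testing server: Default-First-Site-Name\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity
      Starting test: Replications
         [Replications Check,DC01] A recent replication attempt failed:
         ......................... DC01 failed test Replications
      Starting test: frssysvol
         There are warning or error events within the last 24 hours.
         ......................... DC01 passed test frssysvol
'@ -split "`r?`n"

Get-DiagFinding -Line $sample | Format-Table -AutoSize

# Against the files written by the commands in the post:
# Get-DiagFinding -Line (Get-Content c:\dcdiag.log)  -Source 'c:\dcdiag.log'
# Get-DiagFinding -Line (Get-Content c:\netdiag.log) -Source 'c:\netdiag.log'
# Get-DiagFinding -Line (Get-Content c:\repl.txt)    -Source 'c:\repl.txt'
```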

From: abaratin <abaratin@gmail.com>
To: none
Subject: Re: Library not registered when trying to open AD
Date: 09/27/2007 07:46:03

Well everything seems to be ok... It was what I felt because this morning every users were able to connect to the domain...

My feeling now is rather that mmc 3.0 is in cause... But I don't know how to install/reinstall it and what can be the consequences for users...

From: abaratin <abaratin@gmail.com>
To: none
Subject: Re: Library not registered when trying to open AD
Date: 09/27/2007 12:28:45

Thanks for your help Paul, I've finally found the solution, AD was not in fault, it was MMC!

The solution was here:
http://support.microsoft.com/?scid=kb%3Ben-us%3B887438&x=7&y=9

Thank you very much and have a nice day!

--
Alex

From: Al Mulnick <amulnick_No_SPAM@ncDOTrr.com>
To: none
Subject: Re: Remote Windows 2003 BDC
Date: 09/27/2007 12:47:38

Generally speaking, you could, but you would want to likely use sites to control replication and authentication traffic. You can read more about the site concept and how to configure site links, costing, etc here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/adsrv.mspx

"MATT" <MATT@discussions.microsoft.com> wrote in message
news:33B1F58B-B95A-4417-A978-6897B0E48348@microsoft.com...
> We have a Primary Domain Controller and Backup Domain Controller at our main
> office. We have a second office connected by a Frame Relay. We would like
> to add a second Backup Domain Controller at this site, and have it replicate
> with the DC's at the main site. The two sites are on different subnets. Can
> I simply add the domain controller at the remote site, and it will replicate
> the Active Directory?

From: Technical <Technical@discussions.microsoft.com>
To: none
Subject: RE: Remote Windows 2003 BDC
Date: 09/27/2007 12:57:05

Hello Matt

It will work, no extra configuration required, the only thing that you must check is the connectivity between two sites, also make sure that you make this BDC as GC as you have frame relay connection between two sites which is normally slow.

Also make sure that the required ports are not blocked in firewall.

If you have windows 2003 native environment then you can choose Install Dc from media.

For more information follow this link
http://www.petri.co.il/install_dc_from_media_in_windows_server_2003.htm

I hope the above information is helpful to you.

From: Meinolf Weber <meiweb(nospam)@gmx.de>
To: none
Subject: Re: About of Event ID : 3224
Date: 09/27/2007 09:06:16

Hello MutluOzel,

Is that DC restored, because of a failure?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.

> Hi All,
>
> I have a problem, when I restart domain controller and I found error
>
> I checked these are links, problem it hasn't been solved
>
> http://support.microsoft.com/kb/q259736/
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/w2000Msgs/161.mspx?mfr=true
> http://www.eventid.net/display.asp?eventid=3224&eventno=744&source=NETLOGON&phase=1
>
> Source : Netlogon
> Category : None
> Event ID: 3224
> Changing machine account password for account havas.local. failed with
> the following error: The specified user already exists.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.

From: MutluOzel <MutluOzel@discussions.microsoft.com>
To: none
Subject: Re: About of Event ID : 3224
Date: 09/27/2007 09:32:03

Hi Weber,

We are working on the system, one primary dc and two additional dc running. but I found error primary dc (error info below)

"Meinolf Weber" wrote:
> Hello MutluOzel,
>
> Is that DC restored, because of a failure?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
>
> > Hi All,
> >
> > I have a problem, when I restart domain controller and I found error
> >
> > I checked these are links, problem it hasn't been solved
> >
> > http://support.microsoft.com/kb/q259736/
> > http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/w2000Msgs/161.mspx?mfr=true
> > http://www.eventid.net/display.asp?eventid=3224&eventno=744&source=NETLOGON&phase=1
> >
> > Source : Netlogon
> > Category : None
> > Event ID: 3224
> > Changing machine account password for account havas.local. failed with
> > the following error: The specified user already exists.
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.

From: Toby1Kinobe <toby1kinobe@gmail.com>
To: none
Subject: Re: Account unknown[s-1-5-21-xxxxxxxxxxxxxxxxxxxxxx]
Date: 09/27/2007 18:44:15

It's the remnant of an account that has been removed from the domain

"Sofi" <Sofi@discussions.microsoft.com> wrote in message
news:6D22D879-5CC8-4752-BCA1-F9E3296AA6F8@microsoft.com...
> I am seeing these "ghost accounts" in the properties.
> Account Unknown[s-1-5-21-xxxxxxxxxxxxxxxx]
>
> Anyone knows what this is?
> Thanks!
> Sofia

From: Ryan Hanisco <RyanHanisco@discussions.microsoft.com>
To: none
Subject: RE: Account unknown[s-1-5-21-xxxxxxxxxxxxxxxxxxxxxx]
Date: 09/27/2007 22:36:00

Hi Sofi,

When you see the SID displayed instead of the User Name, this means that the machine displaying the account cannot resolve the name -- for whatever reason.

As Toby points out, this could be a foreign security principal that is still in your domain, but that the trust is gone and the name can no longer be resolved. This can also happen in cases where a trust is broken, SIDHistory filtering has been turned on for a trust, GCs and the PDCe are unavailable, or DNS problems are showing up in your domain.

The prefix is domain specific, so if this doesn't match your domain, you will know that this is a foreign account arriving across a trust. (You can look at your accounts with ADSIEdit or LDP -- make sure you are looking at a created account, not a builtin one.)

If it is inside your domain, you will want to start doing domain diagnostics to see if you can locate a problem. I've posted directions to a basic domain health check at:
http://techsterity.com/blogs/bestpractices/archive/2007/09/13/AD-Health-Check.aspx

Hope this helps.

--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need quickly.
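
The prefix comparison described in the reply above, as an added PowerShell example that is not part of the original posts. The function name `Get-SidOrigin`, the folder path in the comment and every SID value are constructed for illustration; substitute your own domain SID.

```powershell
# Added example. All SID values below are constructed, not taken from the thread.
# Get-SidOrigin is a hypothetical helper name.
function Get-SidOrigin {
    param(
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][string]$DomainSid   # your own domain's SID
    )
    $id  = New-Object System.Security.Principal.SecurityIdentifier $Sid
    $own = New-Object System.Security.Principal.SecurityIdentifier $DomainSid

    # AccountDomainSid is the S-1-5-21-x-y-z prefix. It is $null for builtin
    # and well-known SIDs such as S-1-5-32-544.
    $prefix = $id.AccountDomainSid
    if ($null -eq $prefix)        { $origin = 'Builtin or well-known' }
    elseif ($prefix.Equals($own)) { $origin = 'Own domain' }
    else                          { $origin = 'Foreign domain' }

    # Attempt the SID-to-name lookup. When it fails, the raw SID is all that
    # can be displayed, which is the "Account Unknown" case.
    $name = $null
    try { $name = $id.Translate([System.Security.Principal.NTAccount]).Value } catch { }

    [pscustomobject]@{
        Sid          = $Sid
        Origin       = $origin
        DomainPrefix = "$prefix"
        ResolvedName = $name
    }
}

$ownDomain = 'S-1-5-21-1111111111-2222222222-3333333333'   # constructed

@(
    'S-1-5-21-1111111111-2222222222-3333333333-1105',   # prefix matches own domain
    'S-1-5-21-4000000001-4000000002-4000000003-1132',   # different prefix
    'S-1-5-32-544'                                      # builtin Administrators
) | ForEach-Object { Get-SidOrigin -Sid $_ -DomainSid $ownDomain } |
    Format-Table -AutoSize

# To collect the SIDs from a real ACL (hypothetical path):
# (Get-Acl 'D:\Share').Access | ForEach-Object { $_.IdentityReference.Value }
```

An entry with `Origin` of `Own domain` and an empty `ResolvedName` points at a deleted account or a resolution problem inside the domain; `Foreign domain` points at a trust.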

From: pcnetnet <pcnetnet@yahoo.com.hk>
To: none
Subject: Re: active directory (sub-domain)
Date: 09/27/2007 11:23:39

Hi All,
i setup the secondary dns on my side, if the sub-domain server is down or between root domain and sub-domain the vpn line is down , when uk user connect internet to our server(root domain) logon , him must be find the name server ( sub-domain) , so cannot logon ?? right ? how to do when sub-domain user logon to root domain server is access to root domain logon or cache the name !
do you have any document or internet link for do this , Thanks ,

Thanks,
Patrick

"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
news:euyiBw2$HHA.5652@TK2MSFTNGP05.phx.gbl...
> I agree with Anthony. If you have an unreliable network, then you should
> consider placing dc's at remote sites for higher reliability.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCT, MCSE, MCSA, Security+, BS CSci
> 2003, 2000 (Early Achiever), NT
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "Anthony" <anthony.spam@spammedout.com> wrote in message
> news:OfBcHO1$HHA.1168@TK2MSFTNGP02.phx.gbl...
>> Patrick,
>> You can solve the DNS problem by making secondaries of all sub-domain
>> zones on your central DNS servers.
>> For something as important as your international ERP, you could also keep
>> a replicated DC for each sub-domain at the centre.
>> Anthony, http://www.airdesk.co.uk
>>
>> "Pcnetnet" <pcnetnet@yahoo.com.hk> wrote in message
>> news:OIXye5y$HHA.4612@TK2MSFTNGP03.phx.gbl...
>>> Hi All,
>>> I have big problem on active directory, because our company (abc.com)
>>> have sub-domain install to other location(uk,us,cn...) , but we have ERP
>>> system install to HK office (root domain ) with citrix server , so all
>>> user connect to ERP HK office and then user logon to windows use
>>> subdomain name (e.g. uk.abc.com, us.abc.com) . i problem is ,when uk
>>> user logon to citrix (terminal server) use uk.abc.com domain , then this
>>> domain name server is uk office server through VPN connect , if this VPN
>>> line is normal , uk user is no problem on logon , but when the vpn line
>>> have problem ( e.g. disconnect) all uk user if connect to ERP cannot
>>> logon to windows, because uk user cannot find the domain name server .
>>> this is case 1 , case 2 is uk office name server have server down , user
>>> cannot logon to erp , but we have ERP application have no any error. we
>>> have any method success logon to ERP (citrix server) use uk.abc.com ,
>>> when the uk domain server is down or vpn line is down ! Thanks ALL
>>>
>>> Thanks,
>>> Patrick

From: Anthony <anthony.spam@spammedout.com>
To: none
Subject: Re: active directory (sub-domain)
Date: 09/27/2007 11:32:24

This sounds like a big enterprise-level system. You probably should have a DC for each sub-domain at your central site.
Or get a more reliable network. The VPN should not be down that often, so presumably we are talking about something that happens once or twice a year,
Anthony, http://www.airdesk.co.uk

From: pcnetnet <pcnetnet@yahoo.com.hk>
To: none
Subject: Re: active directory (sub-domain)
Date: 09/27/2007 12:33:31

but we have about 10 sub-domain of our company , then no other i must install each sub-domain DC in root domain, then in root domain have up to 10 server , and network problem , i afraid the VPN line is down about 3 hour , then uk user cannot logon to erp this problem is network problem , but user can connect to erp server use internet , but cannot logon ,no domain problem is network problem , my boss don't hope do this , how can i do ????

Thanks,
Patrick

From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>
To: none
Subject: Re: active directory (sub-domain)
Date: 09/28/2007 07:25:14

I'm really struggling with the language barrier, so I may not have understood your problem.

1) You should have your child domain users all use their dns services at the location of their site. From what I can figure out, it sounds like they are using the dns services at the root location. If this is the case, then each child should have the root zone on their dns server and the root zone should have all the child zones on that dns server. No additional hardware would be required.

2) If the name server is down but the child dc server is available, then the child client will need to point to the root dns server as a secondary on the client's network dns configuration. The root dns server will again need to have all child zones on the root dns server.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

From: JayDee <dopamine@mail.com>
To: none
Subject: Re: Active Directory and Reverse DNS Zones
Date: 09/25/2007 20:11:11

On Sep 25, 10:15 am, "Jorge Silva" <jorgesilva...@hotmail.com> wrote:
> - Ok, you should be fine with creating the subnet B class, the reverse lookup
> zone will automatically create one "folder zone" for each subnet
> automatically.
> - As for the error/warning your servers/workstations are trying to reach
> somewhere where they shouldn't and that action can represent a security
> issue, especially if they're trying to register in some public location.
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
>
> "JayDee" <dopam...@mail.com> wrote in message

Ok so in my example, the DNS server contains:

5.15.26
5.15.27
5.15.18

I created a reverse lookup zone called [5.15.x.x] in my test environment.

Now the following shows up:

5.15.26.x
5.15.27.x
5.15.18.x
5.15.x.x

Does this mean that the first three will continue working the way they were and any Class C addresses that start with 5.15.x.x will drop into the one I added? In other words, does the one I'm adding (5.15.x.x) work as a "catch all" for all the class C's that aren't explicitly defined?

Can creating the class B as in the example above (when there are several class C's already created) cause any foreseeable problems as far as you are aware?

Thanks.
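
How an address is matched to one of several overlapping reverse zones, as an added example that is not part of the original posts: DNS places a name in the most specific (longest-matching) zone the server hosts. The zone names are the in-addr.arpa form of the subnets listed in the post above; the sample addresses and the function names are constructed.

```powershell
# Added example. ConvertTo-PtrName and Get-ReverseZoneFor are hypothetical
# helper names; the sample addresses are constructed.

function ConvertTo-PtrName {
    param([Parameter(Mandatory)][string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 addresses only: $Ip" }
    [array]::Reverse($bytes)                 # 5.15.26.10 -> 10.26.15.5
    ($bytes -join '.') + '.in-addr.arpa'
}

function Get-ReverseZoneFor {
    param(
        [Parameter(Mandatory)][string]$Ip,
        [Parameter(Mandatory)][string[]]$Zone
    )
    $ptr = ConvertTo-PtrName -Ip $Ip
    # Candidate zones are those whose name is a suffix of the PTR name on a
    # label boundary; the one with the most labels is the closest match.
    $Zone |
        Where-Object { $ptr -eq $_ -or $ptr.EndsWith(".$_") } |
        Sort-Object { $_.Split('.').Count } -Descending |
        Select-Object -First 1
}

# The three existing /24 zones plus the newly created /16 zone from the post
$zones = '26.15.5.in-addr.arpa',
         '27.15.5.in-addr.arpa',
         '18.15.5.in-addr.arpa',
         '15.5.in-addr.arpa'

# Constructed addresses: two inside existing /24 zones, one only covered by
# the /16 zone, one outside 5.15.x.x altogether
'5.15.26.10', '5.15.18.200', '5.15.40.7', '5.16.1.1' | ForEach-Object {
    [pscustomobject]@{
        Address = $_
        PtrName = ConvertTo-PtrName -Ip $_
        Zone    = Get-ReverseZoneFor -Ip $_ -Zone $zones
    }
} | Format-Table -AutoSize
```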

From: Anthony <anthony.spam@spammedout.com>
To: none
Subject: Re: Active Directory and Reverse DNS Zones
Date: 09/26/2007 03:29:43

The only things to bear in mind when you do this are:
the rights to register in DNS, if subnets are used by different domains
the distribution of the zones, if they are not AD integrated and/or not shared by all sites,
Anthony, http://www.airdesk.co.uk
Top
From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Active Directory and Reverse DNS Zones
Date: 09/26/2007 07:08:31

I'm not aware of any problems with that configuration, as long as the
workstations can register the records in the appropriate DNS.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"JayDee" <dopamine@mail.com> wrote in message
news:1190769071.365646.63630@19g2000hsx.googlegroups.com...
> On Sep 25, 10:15 am, "Jorge Silva" <jorgesilva...@hotmail.com> wrote:
>> - Ok, you should be fine with creating the subnet B class, the reverse
>> lookup zone will automatically create one "folder zone" for each subnet
>> automatically.
>> - As for the error/warning your servers/workstations are trying to reach
>> somewhere where they shouldn't and that action can represent a security
>> issue, especially if they're trying to register in some public location.
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MCSE, MVP Directory Services
>> "JayDee" <dopam...@mail.com> wrote in message
>
> Ok so in my example, the DNS server contains:
>
> 5.15.26
> 5.15.27
> 5.15.18
>
> I created a reverse lookup zone called [5.15.x.x] in my test
> environment.
>
> Now the following shows up:
>
> 5.15.26.x
> 5.15.27.x
> 5.15.18.x
> 5.15.x.x
>
> Does this mean that the first three will continue working the way they
> were and any Class C addresses that start with 5.15.x.x will drop into
> the one I added? In other words, does the one I'm adding (5.15.x.x)
> work as a "catch all" for all the class C's that aren't explicitly
> defined?
>
> Can creating the class B as in the example above (when there are
> several class C's already created) cause any foreseeable problems as
> far as you are aware?
>
> Thanks.

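The "catch all" question in this thread, worked through as an added example (not code from any poster): a DNS server answers from the hosted zone that is the nearest ancestor of the query name, so each PTR name lands in the most specific reverse zone that covers it. The function names and sample addresses are assumptions made for illustration; the zone prefixes are the ones JayDee lists.

```python
import ipaddress


def reverse_zone_name(prefix: str) -> str:
    """Turn leading octets such as '5.15.26' into '26.15.5.in-addr.arpa'."""
    octets = prefix.split(".")
    if not 1 <= len(octets) <= 3:
        raise ValueError("a reverse zone covers 1 to 3 leading octets")
    for octet in octets:
        if not octet.isdigit() or not 0 <= int(octet) <= 255:
            raise ValueError(f"bad octet in prefix: {octet!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner_name(ip: str) -> str:
    """Name under which the PTR record for this IPv4 address is stored."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def authoritative_zone(ip: str, zones):
    """Return the hosted zone that is the nearest ancestor of the PTR name.

    Labels are stripped from the left, so the longest (most specific)
    candidate is tried first. None means no hosted zone covers the address
    and this server is not authoritative for its PTR record.
    """
    hosted = {z.lower().rstrip(".") for z in zones}
    labels = ptr_owner_name(ip).split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in hosted:
            return candidate
    return None


def place_records(ips, zones):
    """Group addresses by the zone that would hold their PTR record."""
    placement = {}
    for ip in ips:
        placement.setdefault(authoritative_zone(ip, zones), []).append(ip)
    return placement


# Zones from the thread: three existing /24 zones plus the new 5.15.x.x zone.
HOSTED = [reverse_zone_name(p) for p in ("5.15.26", "5.15.27", "5.15.18", "5.15")]

# Constructed sample addresses (not from the thread).
SAMPLE_IPS = ["5.15.26.10", "5.15.27.200", "5.15.18.1", "5.15.99.5", "5.16.1.1"]

if __name__ == "__main__":
    for zone, ips in place_records(SAMPLE_IPS, HOSTED).items():
        print(f"{zone or 'no hosted zone'}: {', '.join(ips)}")
```

An address that maps to no hosted zone is the case to watch for in Jorge's earlier warning: its registration attempts have nowhere local to go.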
From: Ryan Hanisco <RyanHanisco@discussions.microsoft.com>
To: none
Subject: RE: AD printers - server-centric, am i missing something?
Date: 09/27/2007 22:44:01

jzabrams,

Publishing printers in the directory allows printers to be searched out and
classified in the directory. They are, however, still server resources.

You can take advantage of clustering or even round-robin DNS to share them
between servers (printmig to copy printers) and use a cname record to refer
to them as a virtual server, \\print perhaps.

If you are using Server 2003 R2, there is a complete revamp of printing
services that will allow you to assign printers based on policy or group
membership. It is definitely worth looking into. Of course, you can use
simple VB scripts to accomplish the same things on logon.

I hope this helps. The power of AD is in the multi-master nature of its
object management, not really in its printer handling.

--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.

"jzabrams" wrote:

> We just finished upgrading an NT4 domain to AD. Now, i thought the
> whole point of AD was to make network resources directory-centric
> rather than server centric. My printers are all published in AD,
> however nowhere do i see how to refer to them without reference to
> the server they're shared from. I.e., i was under the impression i
> should now be able to refer to the printer similar to
> \\domainname\printer, rather than \\server\printer? I think i'm missing
> something?
>
> Thanks,

From: Thylo <Thylo@discussions.microsoft.com>
To: none
Subject: RE: AD printers - server-centric, am i missing something?
Date: 09/27/2007 22:51:00

Hi,

AD allows you to search for printers without having to know which server
they're located on first, as you had to in NT.

To add a printer to a workstation, choose network printer and then use the
"Find printer in the directory" option, it will bring up a search window. If
you click "Find Now" without filling in any details, it will find all of the
printers in the directory, or you can refine it by filling in some of the
details.

If you know the server that they're on, you can just type the direct path in
as you would with NT. The directory search can make it easier for end users
to install printers, if you want them to be able to do that!

Hope that helps,
--
Leigh
MCSE (NT4, 2000)

"jzabrams" wrote:

> We just finished upgrading an NT4 domain to AD. Now, i thought the
> whole point of AD was to make network resources directory-centric
> rather than server centric. My printers are all published in AD,
> however nowhere do i see how to refer to them without reference to
> the server they're shared from. I.e., i was under the impression i
> should now be able to refer to the printer similar to
> \\domainname\printer, rather than \\server\printer? I think i'm missing
> something?
>
> Thanks,

From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: AD, DNS, Wins, IP question
Date: 09/26/2007 15:05:01

Hi
Each WINS server should only point to itself in WINS configuration, the
clients should point to both WINS servers, and both WINS Servers should
have each other as replication partners.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"James" <acidflea@hotmail.com> wrote in message
news:%23txmouGAIHA.484@TK2MSFTNGP06.phx.gbl...
> Here is what I have. We are replacing one of our domain controllers with a
> new server. I have promoted the new server and moved the roles from the
> old server to the new server. The old server was also running DNS and
> WINS so I installed DNS and WINS on the new server. The old server IP is
> say 192.168.1.131 and new is 192.168.1.120. I do not want to change the
> clients DNS and wins addresses to point to 192.168.1.120 so after I
> demoted the old server and turned it off I added the old server IP of .131
> to the new server as a second IP on the same network card as the current
> .120 IP. So I now have the new server with both IP address on the same
> network card (which I have done before and seems to work fine). My only
> issue is the WINS server I am not seeing any clients registering. I do see
> that on the WINS server it is showing that it is running on the .120
> address and the clients are pointing to the .131 address even though they
> are on the same network card.
>
> Is there a setting that I can change to make the WINS server work on both
> network address like I can within the DNS server?
>
> If not what would be the easiest way to fix this?
>
> Should I change the Main ip of the server to be .131 and use the .120 as
> the secondary ip?
>
> Should I just change the IP address of the new server to .131 and remove
> the .120 and if so what issues will I have by changing the IP address of a
> domain controller?
>
> Thanks,
> James

From: James <acidflea@hotmail.com>
To: none
Subject: Re: AD, DNS, Wins, IP question
Date: 09/26/2007 15:19:44

Jorge,
I only have one wins server.

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
news:OOlRAiHAIHA.4732@TK2MSFTNGP04.phx.gbl...
> Hi
> Each WINS server should only point to itself in WINS configuration, the
> clients should point to both WINS servers, and both WINS Servers should
> have each other as replication partners.
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
> "James" <acidflea@hotmail.com> wrote in message
> news:%23txmouGAIHA.484@TK2MSFTNGP06.phx.gbl...
>> Here is what I have. We are replacing one of our domain controllers with
>> a new server. I have promoted the new server and moved the roles from
>> the old server to the new server. The old server was also running DNS
>> and WINS so I installed DNS and WINS on the new server. The old server
>> IP is say 192.168.1.131 and new is 192.168.1.120. I do not want to change
>> the clients DNS and wins addresses to point to 192.168.1.120 so after I
>> demoted the old server and turned it off I added the old server IP of
>> .131 to the new server as a second IP on the same network card as the
>> current .120 IP. So I now have the new server with both IP address on the
>> same network card (which I have done before and seems to work fine). My
>> only issue is the WINS server I am not seeing any clients registering. I
>> do see that on the WINS server it is showing that it is running on the
>> .120 address and the clients are pointing to the .131 address even though
>> they are on the same network card.
>>
>> Is there a setting that I can change to make the WINS server work on both
>> network address like I can within the DNS server?
>>
>> If not what would be the easiest way to fix this?
>>
>> Should I change the Main ip of the server to be .131 and use the .120 as
>> the secondary ip?
>>
>> Should I just change the IP address of the new server to .131 and remove
>> the .120 and if so what issues will I have by changing the IP address of
>> a domain controller?
>>
>> Thanks,
>> James

From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: AD, DNS, Wins, IP question
Date: 09/26/2007 16:09:21

Using the WINS console can you connect to the additional IP?
If you uninstall the WINS server and re-install it again (now that you have
2 IP Addresses) does it solve the problem?

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"James" <acidflea@hotmail.com> wrote in message
news:Oi6l0qHAIHA.1168@TK2MSFTNGP02.phx.gbl...
> Jorge,
> I only have one wins server.
>
> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
> news:OOlRAiHAIHA.4732@TK2MSFTNGP04.phx.gbl...
>> Hi
>> Each WINS server should only point to itself in WINS configuration, the
>> clients should point to both WINS servers, and both WINS Servers should
>> have each other as replication partners.
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MCSE, MVP Directory Services
>> "James" <acidflea@hotmail.com> wrote in message
>> news:%23txmouGAIHA.484@TK2MSFTNGP06.phx.gbl...
>>> Here is what I have. We are replacing one of our domain controllers with
>>> a new server. I have promoted the new server and moved the roles from
>>> the old server to the new server. The old server was also running DNS
>>> and WINS so I installed DNS and WINS on the new server. The old server
>>> IP is say 192.168.1.131 and new is 192.168.1.120. I do not want to
>>> change the clients DNS and wins addresses to point to 192.168.1.120 so
>>> after I demoted the old server and turned it off I added the old server
>>> IP of .131 to the new server as a second IP on the same network card as
>>> the current .120 IP. So I now have the new server with both IP address
>>> on the same network card (which I have done before and seems to work
>>> fine). My only issue is the WINS server I am not seeing any clients
>>> registering. I do see that on the WINS server it is showing that it is
>>> running on the .120 address and the clients are pointing to the .131
>>> address even though they are on the same network card.
>>>
>>> Is there a setting that I can change to make the WINS server work on
>>> both network address like I can within the DNS server?
>>>
>>> If not what would be the easiest way to fix this?
>>>
>>> Should I change the Main ip of the server to be .131 and use the .120 as
>>> the secondary ip?
>>>
>>> Should I just change the IP address of the new server to .131 and remove
>>> the .120 and if so what issues will I have by changing the IP address of
>>> a domain controller?
>>>
>>> Thanks,
>>> James

From: Lee Flight <lef@le.ac.uk-nospam>
To: none
Subject: Re: ADAM - dsacls - Proper Create Child permissions on subobjects
Date: 09/27/2007 05:04:45

Hi

I do not think you need the deny for delete.
Just grant GR inheritance on the naming context and then GWCC with
inheritance on the cn=profiles subtree for the role you created. Delete
should not be possible unless you have granted it directly or it is granted
indirectly (nested role).

Lee Flight

"Noremac" <Noremac@newsgroups.nospam> wrote in message
news:5C05CD9F-AC94-400F-89C2-EEAC6B88DF49@microsoft.com...
> Like a few other posters out there I am a veteran developer using ADAM and
> LDAP for the first time. Right now I am trying to get this to work on my
> developer machine XP SP2. ADAM is installed locally.
>
> I am trying to setup least-privileged access to the data in our ADAM for a
> WebSSO solution we are building. I have a group under Roles called
> MembershipProvider of which I've added ASPNET as the code doing the work
> is a .NET Web Service.
>
> It has been working flawlessly except for this scenario: I cannot add a
> child object to an object I just created at runtime, it totally crashes
> the ADAM service with a COM security exception. I have to start the service
> manually.
>
> I have a container for our Profile objects. These are successfully created
> by the ASPNET identity at runtime. However, ASPNET cannot add Message
> objects to those Profiles. If I run this code from my test harness that
> uses me (a local administrator) as the identity, the Messages get added to
> the Profiles.
>
> Here are my dsacls:
>
> rem Grant the role read access to ADAM instance
> %SYSTEMROOT%\ADAM\dsacls.exe \\%1\CN=WebSSO /I:T /G CN=MembershipProvider,CN=Roles,CN=WebSSO:GR
>
> rem Grant the role create and update Profiles and children of Profiles like Messages
> %SYSTEMROOT%\ADAM\dsacls.exe \\%1\CN=Profiles,CN=WebSSO /I:T /G CN=MembershipProvider,CN=Roles,CN=WebSSO:GW
> %SYSTEMROOT%\ADAM\dsacls.exe \\%1\CN=Profiles,CN=WebSSO /I:T /G CN=MembershipProvider,CN=Roles,CN=WebSSO:CC
>
> rem DENY the role the ability to delete Profiles
> %SYSTEMROOT%\ADAM\dsacls.exe \\%1\CN=Profiles,CN=WebSSO /I:S /D CN=MembershipProvider,CN=Roles,CN=WebSSO:DT;;coc-WebSSO-Profile
>
> Thanks!

From: Lee Flight <lef@le.ac.uk-nospam>
To: none
Subject: Re: ADAMsync not syncing all items
Date: 09/26/2007 03:37:01

Hi

what access does the account (steves) have to objects in
the source AD? Are you getting any errors in the log files?

Lee Flight

"stevestites" <stevestites.2xhlrg@DoNotSpam.com> wrote in message
news:stevestites.2xhlrg@DoNotSpam.com...
>
> I'm new to ADAM and have setup an instance per the ADAM step-by-step
> guide. I can get some of the objects to sync but not all. Here's my
> xml config:
>
> -<description>Federal->ADAM Sync</description>
> <security-mode>object</security-mode>
> <source-ad-name>feddc01</source-ad-name>
> <source-ad-partition>dc=federal,dc=com</source-ad-partition>
> <source-ad-account>steves</source-ad-account>
> <account-domain>federal.com</account-domain>
> <target-dn>o=Netpro,c=US</target-dn>
> <query>
>   <base-dn>ou=Federal Employees,dc=federal,dc=com</base-dn>
>   <object-filter>(objectClass=*)</object-filter>
>   <attributes>
>     <include></include>
>     <exclude>extensionName</exclude>
>     <exclude>displayNamePrintable</exclude>
>     <exclude>flags</exclude>
>     <exclude>isPrivelegeHolder</exclude>
>     <exclude>msCom-UserLink</exclude>
>     <exclude>msCom-PartitionSetLink</exclude>
>     <exclude>reports</exclude>
>     <exclude>serviceprincipalname</exclude>
>     <exclude>accountExpires</exclude>
>     <exclude>adminCount</exclude>
>     <exclude>primarygroupid</exclude>
>     <exclude>userAccountControl</exclude>
>     <exclude>codePage</exclude>
>     <exclude>countryCode</exclude>
>     <exclude>logonhours</exclude>
>     <exclude>lockoutTime</exclude>
>   </attributes>
> </query>-
>
> when syncing I get the top level OU (Federal Employees) and then 3 of
> the 2nd level OUs. I also get several of these in the log file:
>
> -Processing Entry: Page 3, Frame 1, Entry 19, Count 1, USN 0
> Processing source entry <guid=7da2bf0f051bbc4c91439f93e8b1238b>
> Previous entry took 0 seconds (0, 0) to process
>
> Processing Entry: Page 3, Frame 1, Entry 20, Count 1, USN 0
> Processing source entry <guid=96b6cad705e15243be7df99a523e1848>
> Previous entry took 0 seconds (0, 0) to process
>
> Processing Entry: Page 3, Frame 1, Entry 21, Count 1, USN 0
> Processing source entry <guid=95becf0f278f4f48b9eb9cde06a523c5>
> Previous entry took 0 seconds (0, 0) to process
>
> Processing Entry: Page 3, Frame 1, Entry 22, Count 1, USN 0
> Processing source entry <guid=1bd50fdb00c73743a25a4301453d7c97>
> Processing in-scope entry 1bd50fdb00c73743a25a4301453d7c97.
> Adding target object CN=Magaret Bannister,OU=Texas,OU=Manufacturing,OU=Federal Employees,o=Netpro,c=US.
> Deferring synchronization of attribute showinaddressbook to end of run.
> Deleting attribute.
> Adding attributes: sourceobjectguid, objectCla-
>
> The last entry shows a user that is getting synced but the object never
> shows up in ldp or adsiedit. I'm stumped. Any ideas?
>
> Steve
>
> --
> stevestites
> ------------------------------------------------------------------------
> stevestites's Profile: http://forums.techarena.in/member.php?userid=31744
> View this thread: http://forums.techarena.in/showthread.php?t=824003
>
> http://forums.techarena.in

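A quick way to triage a log like the one quoted above, as an added example (not part of the original posts): it pairs each "Processing source entry" line with any "Processing in-scope entry" and "Adding target object" lines that follow it, so entries that were read but never marked in-scope stand out. It assumes only the three line formats visible in the excerpt; the function names, sample log, GUIDs and DN are constructed for illustration.

```python
import re

SOURCE_RE = re.compile(r"Processing source entry <guid=([0-9a-fA-F]{32})>")
IN_SCOPE_RE = re.compile(r"Processing in-scope entry ([0-9a-fA-F]{32})\.")
ADD_RE = re.compile(r"Adding target object (.+?)\.?$")


def parse_entries(log_text: str):
    """Return one dict per source entry, in log order."""
    entries = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        match = SOURCE_RE.search(line)
        if match:
            current = {"guid": match.group(1).lower(),
                       "in_scope": False,
                       "target_dn": None}
            entries.append(current)
            continue
        if current is None:
            continue  # nothing to attach this line to yet
        match = IN_SCOPE_RE.search(line)
        if match and match.group(1).lower() == current["guid"]:
            current["in_scope"] = True
            continue
        match = ADD_RE.search(line)
        if match:
            current["target_dn"] = match.group(1)
    return entries


def skipped_guids(entries):
    """GUIDs that were read from the source but never marked in-scope."""
    return [e["guid"] for e in entries if not e["in_scope"]]


def added_dns(entries):
    """Target DNs the log says were added."""
    return [e["target_dn"] for e in entries if e["target_dn"]]


# Constructed sample in the same line formats as the quoted excerpt.
GUIDS = [f"{n:032x}" for n in (1, 2, 3)]
SAMPLE_LOG = f"""\
Processing Entry: Page 1, Frame 1, Entry 1, Count 1, USN 0
Processing source entry <guid={GUIDS[0]}>
Previous entry took 0 seconds (0, 0) to process
Processing Entry: Page 1, Frame 1, Entry 2, Count 1, USN 0
Processing source entry <guid={GUIDS[1]}>
Processing in-scope entry {GUIDS[1]}.
Adding target object CN=Example User,OU=Texas,OU=Federal Employees,o=Netpro,c=US.
Previous entry took 0 seconds (0, 0) to process
Processing Entry: Page 1, Frame 1, Entry 3, Count 1, USN 0
Processing source entry <guid={GUIDS[2]}>
"""

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    print("never marked in-scope:", skipped_guids(parsed))
    print("added:", added_dns(parsed))
```

The skipped GUIDs can then be looked up in the source directory to compare their location and the sync account's access against the configured base-dn.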
From: Ranjan <Ranjan@discussions.microsoft.com>
To: none
Subject: RE: Adding Custom Attribute
Date: 09/27/2007 10:30:06

Can Somebody help me out

"Ranjan" wrote:

> Hi
> I Just want to add a custom attribute Date of birth and how can i make it
> visible to ADUC. I know the creation process of attribute but i don't know
> how to make it visible.

From: jwd <jwd@discussions.microsoft.com>
To: none
Subject: RE: Adding Custom Attribute
Date: 09/27/2007 11:04:03

If you add new attributes to the schema you need to have a custom front end
to view them.

Are you sure you know how to create a new attribute? Modifying the schema
is something you should fully understand before even thinking about making
changes.

Best Regards
Joe Dunn MCSE

"Ranjan" wrote:

> Can Somebody help me out
>
> "Ranjan" wrote:
>
> > Hi
> > I Just want to add a custom attribute Date of birth and how can i make it
> > visible to ADUC. I know the creation process of attribute but i don't
> > know how to make it visible.

From: Ranjan <Ranjan@discussions.microsoft.com>
To: none
Subject: RE: Adding Custom Attribute
Date: 09/27/2007 11:18:03

Yes i know to create new attribute and i have some overview of AD schema. I
have gone through the process of adding employeeid and make it visible in the
admin-context-menu but i want to make it visible in admin-property-pages.

"jwd" wrote:

> If you add new attributes to the schema you need to have a custom front end
> to view them.
>
> Are you sure you know how to create a new attribute? Modifying the schema
> is something you should fully understand before even thinking about making
> changes.
>
> Best Regards
> Joe Dunn MCSE
>
> "Ranjan" wrote:
>
> > Can Somebody help me out
> >
> > "Ranjan" wrote:
> >
> > > Hi
> > > I Just want to add a custom attribute Date of birth and how can i
> > > make it visible to ADUC. I know the creation process of attribute but
> > > i don't know how to make it visible.

From: Ranjan <Ranjan@discussions.microsoft.com>
To: none
Subject: RE: Adding Custom Attribute
Date: 09/27/2007 11:23:02

Similar to employeeid example i have created for date of birth. As unicode
string it is working fine but using that we can add any value. I want it in
proper date time format. I have tried it as UTC coded time but it is not
accepting the value giving error.

"Ranjan" wrote:

> Yes i know to create new attribute and i have some overview of AD schema. I
> have gone through the process of adding employeeid and make it visible in
> the admin-context-menu but i want to make it visible in admin-property-pages.
>
> "jwd" wrote:
>
> > If you add new attributes to the schema you need to have a custom
> > front end to view them.
> >
> > Are you sure you know how to create a new attribute? Modifying
> > the schema is something you should fully understand before even
> > thinking about making changes.
> >
> > Best Regards
> > Joe Dunn MCSE
> >
> > "Ranjan" wrote:
> >
> > > Can Somebody help me out
> > >
> > > "Ranjan" wrote:
> > >
> > > > Hi
> > > > I Just want to add a custom attribute Date of birth and how
> > > > can i make it visible to ADUC. I know the creation process of
> > > > attribute but i don't know how to make it visible.

From: Joe Kaplan <joseph.e.kaplan@removethis.accenture.com>
To: none
Subject: Re: Adding Custom Attribute
Date: 09/27/2007 12:23:37

The MSDN documentation for extending the ADUC UI is right here:

http://msdn2.microsoft.com/en-us/library/ms676902.aspx

You basically need to implement the correct COM interfaces in C++ to create
a new property page and integrate it with ADUC. Then, you have to figure
out how to get your custom extension deployed to all of the machines that
will need to use it.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Ranjan" <Ranjan@discussions.microsoft.com> wrote in message
news:9550468D-63BB-4FDD-AAB2-5536D833B8F7@microsoft.com...
> Similar to employeeid example i have created for date of birth. As unicode
> string it is working fine but using that we can add any value. I want it
> in proper date time format. I have tried it as UTC coded time but it is not
> accepting the value giving error.
>
> "Ranjan" wrote:
>
>> Yes i know to create new attribute and i have some overview of AD
>> schema. I have gone through the process of adding employeeid and make it
>> visible in the admin-context-menu but i want to make it visible in
>> admin-property-pages.
>>
>> "jwd" wrote:
>>
>> > If you add new attributes to the schema you need to have a custom
>> > front end to view them.
>> >
>> > Are you sure you know how to create a new attribute? Modifying the
>> > schema is something you should fully understand before even thinking
>> > about making changes.
>> >
>> > Best Regards
>> > Joe Dunn MCSE
>> >
>> > "Ranjan" wrote:
>> >
>> > > Can Somebody help me out
>> > >
>> > > "Ranjan" wrote:
>> > >
>> > > > Hi
>> > > > I Just want to add a custom attribute Date of birth and how can i
>> > > > make it visible to ADUC. I know the creation process of attribute
>> > > > but i don't know how to make it visible.

From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: adding workstation to domain - access is denied
Date: 09/26/2007 11:37:47

Hello,

take care about ms-DS-MachineAccountQuota. By default, they lose the
delegation every 10 computers

http://lordoftheping.blogspot.com/2007/09/default-limit-to-number-of-workstations.html

--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"Tina" <tina@nospam.postalias> wrote in message
news:2952A708-4776-4CDA-B313-2B2C6EEDC966@microsoft.com...
> When IT staff add xp workstation to our server 2003 active directory
> domain, they get "Access is denied" errors. I have given "ITGroup"
> security group "create computer account" and "delete computer account" on
> the computer OU and the workstation OU (I changed the default container
> workstations go in when they are added to the domain. When a workstation
> is added to the domain, they go into the Workstation OU. I also checked
> the Domain Controller Security Policy under administrative tools, and the
> Add workstation to domain has authenticated user, and ITGroup. No matter
> what I change, I still get the error. Please help.
> Tina

From: Tina <tina@nospam.postalias>
To: none
Subject: Re: adding workstation to domain - access is denied
Date: 09/26/2007 11:48:03

I know they are only allowed to add 10. How do I give them the right to add
unlimited?

"Mathieu CHATEAU" wrote:

> Hello,
>
> take care about ms-DS-MachineAccountQuota. By default, they lose the
> delegation every 10 computers
>
> http://lordoftheping.blogspot.com/2007/09/default-limit-to-number-of-workstations.html
>
> --
> Regards,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
> "Tina" <tina@nospam.postalias> wrote in message
> news:2952A708-4776-4CDA-B313-2B2C6EEDC966@microsoft.com...
> > When IT staff add xp workstation to our server 2003 active directory
> > domain, they get "Access is denied" errors. I have given "ITGroup"
> > security group "create computer account" and "delete computer account"
> > on the computer OU and the workstation OU (I changed the default
> > container workstations go in when they are added to the domain. When a
> > workstation is added to the domain, they go into the Workstation OU. I
> > also checked the Domain Controller Security Policy under administrative
> > tools, and the Add workstation to domain has authenticated user, and
> > ITGroup. No matter what I change, I still get the error. Please help.
> > Tina

From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: adding workstation to domain - access is denied
Date: 09/26/2007 11:51:21

follow the KB on my blog !
http://support.microsoft.com/kb/243327/en-us

--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"Tina" <tina@nospam.postalias> wrote in message
news:6452B83B-78CE-4ECF-8861-535F57764B05@microsoft.com...
> I know they are only allowed to add 10. How do I give them the right to add
> unlimited?
>
> "Mathieu CHATEAU" wrote:
>
>> Hello,
>>
>> take care about ms-DS-MachineAccountQuota. By default, they lose the
>> delegation every 10 computers
>>
>> http://lordoftheping.blogspot.com/2007/09/default-limit-to-number-of-workstations.html
>>
>> --
>> Regards,
>> Mathieu CHATEAU
>> http://lordoftheping.blogspot.com
>>
>> "Tina" <tina@nospam.postalias> wrote in message
>> news:2952A708-4776-4CDA-B313-2B2C6EEDC966@microsoft.com...
>> > When IT staff add xp workstation to our server 2003 active directory
>> > domain, they get "Access is denied" errors. I have given "ITGroup"
>> > security group "create computer account" and "delete computer account"
>> > on the computer OU and the workstation OU (I changed the default
>> > container workstations go in when they are added to the domain. When a
>> > workstation is added to the domain, they go into the Workstation OU. I
>> > also checked the Domain Controller Security Policy under administrative
>> > tools, and the Add workstation to domain has authenticated user, and
>> > ITGroup. No matter what I change, I still get the error. Please help.
>> > Tina

From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: adding workstation to domain - access is denied
Date: 09/26/2007 12:07:18

Hi
Please check the following:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"Mathieu CHATEAU" <gollum123@free.fr> wrote in message
news:%23sT%2341FAIHA.1164@TK2MSFTNGP02.phx.gbl...
> follow the KB on my blog !
> http://support.microsoft.com/kb/243327/en-us
>
> --
> Regards,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
> "Tina" <tina@nospam.postalias> wrote in message
> news:6452B83B-78CE-4ECF-8861-535F57764B05@microsoft.com...
>> I know they are only allowed to add 10. How do I give them the right to
>> add unlimited?
>>
>> "Mathieu CHATEAU" wrote:
>>
>>> Hello,
>>>
>>> take care about ms-DS-MachineAccountQuota. By default, they lose the
>>> delegation every 10 computers
>>>
>>> http://lordoftheping.blogspot.com/2007/09/default-limit-to-number-of-workstations.html
>>>
>>> --
>>> Regards,
>>> Mathieu CHATEAU
>>> http://lordoftheping.blogspot.com
>>>
>>> "Tina" <tina@nospam.postalias> wrote in message
>>> news:2952A708-4776-4CDA-B313-2B2C6EEDC966@microsoft.com...
>>> > When IT staff add xp workstation to our server 2003 active directory
>>> > domain, they get "Access is denied" errors. I have given "ITGroup"
>>> > security group "create computer account" and "delete computer
>>> > account" on the computer OU and the workstation OU (I changed the
>>> > default container workstations go in when they are added to the
>>> > domain. When a workstation is added to the domain, they go into the
>>> > Workstation OU. I also checked the Domain Controller Security Policy
>>> > under administrative tools, and the Add workstation to domain has
>>> > authenticated user, and ITGroup. No matter what I change, I still get
>>> > the error. Please help.
>>> > Tina

From: Technical <Technical@discussions.microsoft.com>
To: none
Subject: RE: adding workstation to domain - access is denied
Date: 09/26/2007 12:30:02

Hello Tina,

can u pls paste the netsetup.log from the client/workstation where you are
getting this error message. You can find netsetup.log in c:\windows\debug
folder

"Tina" wrote:

> When IT staff add xp workstation to our server 2003 active directory domain,
> they get "Access is denied" errors. I have given "ITGroup" security group
> "create computer account" and "delete computer account" on the computer OU
> and the workstation OU (I changed the default container workstations go in
> when they are added to the domain. When a workstation is added to the domain,
> they go into the Workstation OU. I also checked the Domain Controller
> Security Policy under administrative tools, and the Add workstation to domain
> has authenticated user, and ITGroup. No matter what I change, I still get the
> error. Please help.
> Tina

From: v-kzhao@online.microsoft.com (Ken
Zhao [MSFT])
To:
none
Subject:
RE: adding workstation to domain - access is denied
Date:
09/26/2007 22:24:59
Thank
for all guys' great information and experience sharing.
From
your post,
Thanks
& Regards,
Ken
Zhao
Microsoft
Online Support
Microsoft
Global Technical Support Center
Get
Secure! - www.microsoft.com/security
<http://www.microsoft.com/security>
====================================================
When
responding to posts, please "Reply to Group" via your newsreader
so
that
others may learn and benefit from your issue.
====================================================
This
posting is provided "AS IS" with no warranties, and confers no
rights.
--------------------
| When IT staff add xp workstation to our server 2003 active directory domain,
| they get "Access is denied" errors. I have given "ITGroup" security group
| "create computer account" and "delete computer account" on the computer OU
| and the workstation OU (I changed the default container workstations go in
| when they are added to the domain. When a workstation is added to the domain,
| they go into the Workstation OU. I also checked the Domain Controller
| Security Policy under administrative tools, and the Add workstation to domain
| has authenticated user, and ITGroup. No matter what I change, I still get the
| error. Please help.
|
| Tina
|

From: Thylo <Thylo@discussions.microsoft.com>
To: none
Subject: RE: Administrative rights
Date: 09/26/2007 22:13:00

Joey,

Was this server connected to an existing domain or was it a fresh setup? Are
there any errors showing in the event log from the dcpromo process?

Cheers,
--
Leigh
MCSE (NT4, 2000)

"joeylongcox" wrote:
> I have a Dell SC1420 PowerEdge server running Windows 2003 Server. I
> ran the install, I thought, flawlessly. Now that I am trying to
> really exploit all the possibilities of the server, I cannot do work
> with Active Directory or manage groups and users. I log in as
> "Administrator," but when I go to the Active Directory utility, I am
> told I need to log on as a user with administrative rights. I am
> lost. I thought that was what I was doing. Anybody have any idea how
> I can fix this?
>

From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>
To: none
Subject: Re: Administrative rights
Date: 09/27/2007 07:02:51

Run diagnostics against your Active Directory domain.

If you don't have the support tools installed, install them from your server
install disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> dnslint /ad /s "ip address of your dc"

**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's in
the forest. If you have significant numbers of DC's this test could generate
significant detail and take a long time. You also want to take into
account slow links to dc's will also add to the testing time.

If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests without
having to learn all the switch options. The details will be output in
notepad text files that pop up automagically.

The script is located on my website at
http://www.pbbergs.com/windows/downloads.htm

Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages.

Description and download for dnslint
http://support.microsoft.com/kb/321045

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"joeylongcox" <cobra270@excite.com> wrote in message
news:1190860716.318350.121080@g4g2000hsf.googlegroups.com...
> I have a Dell SC1420 PowerEdge server running Windows 2003 Server. I
> ran the install, I thought, flawlessly. Now that I am trying to
> really exploit all the possibilities of the server, I cannot do work
> with Active Directory or manage groups and users. I log in as
> "Administrator," but when I go to the Active Directory utility, I am
> told I need to log on as a user with administrative rights. I am
> lost. I thought that was what I was doing. Anybody have any idea how
> I can fix this?
>

From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: ADUC yields no search results for anything
Date: 09/26/2007 12:09:49

Hi

Something is wrong in the filter options, can you explain exactly all steps
taken.
Are the Admin able to see objects in ADUC without doing the search?

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

<rockemhard@gmail.com> wrote in message
news:1190819239.458739.117810@22g2000hsm.googlegroups.com...
> OK... this is on top on my list of annoyances.
>
> I have a new admin my department. I give him domain admin privs. He
> logs onto a server to run ADUC and no results for any search he does.
>
> It doesn't matter:
>
> 1) What server he uses ADUC on
> 2) What object he searches for
> 3) That the Filter Options says show all types of objects
> 4) Or that he even tries ADUC on the DC itself
>
> My account works just fine every time and we don't use roaming
> profiles. I'm stumped. How hard can this be...
>
> Thanks for any help.
>

From: Chris <nospam@email.com>
To: none
Subject: Re: Basic AD question, proper use of OU's
Date: 09/26/2007 15:46:21

Computers is just a container. The default for new computer objects.

OU's are there to organise your network. It makes sense to organise your
network and split it into users, computers, shares etc dependent on any
geographical layout you may have. Group policies are distributed via OU's
which you should use to set the environment for your clients as well as roll
out new software, apply logon, logoff scripts.

It would be very beneficial to investigate how group policy could help on
your network

Chris

"Adam N." <AdamN@discussions.microsoft.com> wrote in message
news:86C9AC22-E7E5-4D5D-98C0-B111DF444945@microsoft.com...
> please see picture first then read question...
>
> http://baumshelter.net/img/clip.JPG
>
> Ok, so we have an OU that the arrow is pointing to in the picture.
>
> Is the "Computers" an OU also or just a directory?
>
> Isnt an OU "basically" only needed if you are going to delegate some admin
> stuff to a group or user?
>
> I dont have any need on this network for delegation so shouldnt my objects
> (PC's) within that OU be moved to the computer folder?

From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: Basic AD question, proper use of OU's
Date: 09/26/2007 15:49:51

Hello,

the "computers" container is a bit special. It's the default container when
joining computers, and you can't link GPO to it.
The same for the "Users" Containers.

More story here:
http://technet2.microsoft.com/windowsserver/en/library/26c53b04-f955-4d81-b468-5c7a982693f31033.mspx?mfr=true

As you can't apply GPO to them, it's best practice to create your own OU for
them, and move all your created users and joined computers to these custom
OU

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"Adam N." <AdamN@discussions.microsoft.com> wrote in message
news:86C9AC22-E7E5-4D5D-98C0-B111DF444945@microsoft.com...
> please see picture first then read question...
>
> http://baumshelter.net/img/clip.JPG
>
> Ok, so we have an OU that the arrow is pointing to in the picture.
>
> Is the "Computers" an OU also or just a directory?
>
> Isnt an OU "basically" only needed if you are going to delegate some admin
> stuff to a group or user?
>
> I dont have any need on this network for delegation so shouldnt my objects
> (PC's) within that OU be moved to the computer folder?

From: Meinolf Weber
To: none
Subject: Re: Basic AD question, proper use of OU's
Date: 09/26/2007 15:50:16

Hello Adam N.,

Computers is a so called container. Here you can not do the things you can
do in OU's. By default if you add computers to the domain they will be placed
in this container.

It doesn't matter if the OU is not used where you place them, but the question
is for what will you use AD when not configure the domain, users, groups
and computers from one central point?

Maybe you give some more infos what you like to achieve.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

> please see picture first then read question...
>
> http://baumshelter.net/img/clip.JPG
>
> Ok, so we have an OU that the arrow is pointing to in the picture.
>
> Is the "Computers" an OU also or just a directory?
>
> Isnt an OU "basically" only needed if you are going to delegate some
> admin stuff to a group or user?
>
> I dont have any need on this network for delegation so shouldnt my
> objects (PC's) within that OU be moved to the computer folder?
>

From: Richard Mueller [MVP] <rlmueller-nospam@ameritech.nospam.net>
To: none
Subject: Re: Character limit
Date: 09/26/2007 12:53:41

"Sergio Minniti wrote
> I'd like to know what is it the difference between Windows 2003 -Windows
> 2000 and pre-Windows 2000 name for Active Directory object. Is there a
> "best
> practice" or Microsoft Knowledge Base article that to speak about it?
> I haven't found nothing about it. I'd like read an article that to speak
> about group name and account name limit, special character, etc..
> May you help me? I wait a your reply

This link discusses what I have learned about the characters that are
allowed in Distinguished Names and sAMAccountNames (pre-Windows 2000 logon
names), plus the characters that need to be escaped:

http://www.rlmueller.net/CharactersEscaped.htm

I have not found any differences between W2k and W2k3, except that when you
create groups and don't specify the "pre-Windows 2000 logon name" a long
random string is assigned that is very scary.

This link discusses the various "names" used in AD, and with the WinNT and
LDAP providers:

http://www.rlmueller.net/Name_Attributes.htm

sAMAccountName is limited to 20 characters. I forget the max length for
Common Names, but I think it's about 127. The value for Common Name (the cn
attribute, which is part of the Distinguished Name) must be unique in the
container or OU. Several objects in AD can have the same cn as long as they
are in different OU's or containers. sAMAccountName must be unique in the
domain. Distinguished Name is unique in the forest.

The rules are the same for all classes of objects (user, group, computer,
etc.), except that the sAMAccountNames of computer objects have a trailing
"$". The sAMAccountName of a computer object is the NetBIOS name of the
computer with "$" appended to the end. The NetBIOS name of computers seems
to be limited to 15 characters, so the sAMAccountName is limited to 16.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

From: Sergio Minniti <SergioMinniti@discussions.microsoft.com>
To: none
Subject: Re: Character limit
Date: 09/26/2007 15:56:00

Thank you very much indeed Richard! I have read your articles but inside it I
haven't found any reference about groups name limit (64 char.?). I try to
type more than 64 char. and it's possible in the pre-windows 2000 name. Is it
true? I think that the system accepts a string longer than 64 char. but it
uses only 64 char. Aren't you?
I wait a your reply, thank a lot.

Sergio

P.S. Any Microsoft KB??

"Richard Mueller [MVP]" wrote:
>
> "Sergio Minniti wrote
>
> > I'd like to know what is it the difference between Windows 2003 -Windows
> > 2000 and pre-Windows 2000 name for Active Directory object. Is there a
> > "best
> > practice" or Microsoft Knowledge Base article that to speak about it?
> > I haven't found nothing about it. I'd like read an article that to speak
> > about group name and account name limit, special character, etc..
> > May you help me? I wait a your reply
>
> This link discusses what I have learned about the characters that are
> allowed in Distinguished Names and sAMAccountNames (pre-Windows 2000 logon
> names), plus the characters that need to be escaped:
>
> http://www.rlmueller.net/CharactersEscaped.htm
>
> I have not found any differences between W2k and W2k3, except that when you
> create groups and don't specify the "pre-Windows 2000 logon name" a long
> random string is assigned that is very scary.
>
> This link discusses the various "names" used in AD, and with the WinNT and
> LDAP providers:
>
> http://www.rlmueller.net/Name_Attributes.htm
>
> sAMAccountName is limited to 20 characters. I forget the max length for
> Common Names, but I think it's about 127. The value for Common Name (the cn
> attribute, which is part of the Distinguished Name) must be unique in the
> container or OU. Several objects in AD can have the same cn as long as they
> are in different OU's or containers. sAMAccountName must be unique in the
> domain. Distinguished Name is unique in the forest.
>
> The rules are the same for all classes of objects (user, group, computer,
> etc.), except that the sAMAccountNames of computer objects have a trailing
> "$". The sAMAccountName of a computer object is the NetBIOS name of the
> computer with "$" appended to the end. The NetBIOS name of computers seems
> to be limited to 15 characters, so the sAMAccountName is limited to 16.
>
> --
> Richard Mueller
> Microsoft MVP Scripting and ADSI
> Hilltop Lab - http://www.rlmueller.net
> --
>

From: Richard Mueller [MVP] <rlmueller-nospam@ameritech.nospam.net>
To: none
Subject: Re: Character limit
Date: 09/26/2007 20:13:10

By testing I find that the cn attribute (Common Name) of groups is limited
to 64 characters. However, I have a group with a sAMAccountName that is 94
characters.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

"Sergio Minniti" <SergioMinniti@discussions.microsoft.com> wrote in message
news:0936A2DB-DFAD-47E5-86CD-E6D7F0941BB6@microsoft.com...
> Thank you very much indeed Richard! I have read your articles but inside
> it I
> haven't found any reference about groups name limit (64 char.?). I try to
> type more than 64 char. and it's possible in the pre-windows 2000 name. Is
> it
> true? I think that the system accepts a string longer than 64 char. but it
> uses only 64 char. Aren't you?
> I wait a your reply, thank a lot.
>
> Sergio
>
> P.S. Any Microsoft KB??
>
> "Richard Mueller [MVP]" wrote:
>
>>
>> "Sergio Minniti wrote
>>
>> > I'd like to know what is it the difference between Windows
>> > 2003 -Windows
>> > 2000 and pre-Windows 2000 name for Active Directory object. Is there a
>> > "best
>> > practice" or Microsoft Knowledge Base article that to speak about it?
>> > I haven't found nothing about it. I'd like read an article that to
>> > speak
>> > about group name and account name limit, special character, etc..
>> > May you help me? I wait a your reply
>>
>> This link discusses what I have learned about the characters that are
>> allowed in Distinguished Names and sAMAccountNames (pre-Windows 2000
>> logon
>> names), plus the characters that need to be escaped:
>>
>> http://www.rlmueller.net/CharactersEscaped.htm
>>
>> I have not found any differences between W2k and W2k3, except that when
>> you
>> create groups and don't specify the "pre-Windows 2000 logon name" a long
>> random string is assigned that is very scary.
>>
>> This link discusses the various "names" used in AD, and with the WinNT and
>> LDAP providers:
>>
>> http://www.rlmueller.net/Name_Attributes.htm
>>
>> sAMAccountName is limited to 20 characters. I forget the max length for
>> Common Names, but I think it's about 127. The value for Common Name (the
>> cn
>> attribute, which is part of the Distinguished Name) must be unique in the
>> container or OU. Several objects in AD can have the same cn as long as
>> they
>> are in different OU's or containers. sAMAccountName must be unique in the
>> domain. Distinguished Name is unique in the forest.
>>
>> The rules are the same for all classes of objects (user, group, computer,
>> etc.), except that the sAMAccountNames of computer objects have a
>> trailing
>> "$". The sAMAccountName of a computer object is the NetBIOS name of the
>> computer with "$" appended to the end. The NetBIOS name of computers
>> seems
>> to be limited to 15 characters, so the sAMAccountName is limited to 16.
>>
>> --
>> Richard Mueller
>> Microsoft MVP Scripting and ADSI
>> Hilltop Lab - http://www.rlmueller.net
>> --
>>

From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Customizing Delegwiz.inf syntax question
Date: 09/26/2007 12:20:18

Hi
Check
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message
news:9D5B8B9A-F045-492B-ADFA-855AE9401EE9@microsoft.com...
> I would like to add a few custom templates to my delegwiz.inf, however I am
> new to the syntax. Well syntax may not be as important issue, but where
> do I
> find the list of the "SCOPE" identifiers?
>
> In Q308404 is the example:
>
> [template10]
> AppliesToClasses=domainDns,organizationalUnit,container
>
> Description = "Create, delete, and manage inetorgperson accounts"
>
> ObjectTypes = SCOPE, inetorgperson
>
> [template10.SCOPE]
> inetorgperson=CC,DC
>
> [template10.inetorgperson]
> @=GA
>
> I want to find the correct identifiers for the .SCOPE object types for
> user
> and computer account management. Like Disable this user, Unlock this
> user,
> Force user to change password, etc.
>
> Where are those listed? Is there one place I can find all the proper
> terms?
> What are these called?
>
> The Q308404 information is very minimal so I keep thinking there is more
> information on this somewhere!

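
To make the structure of the Q308404 template quoted above easier to read, here is an added example (not code from any poster in this thread) that parses a delegwiz.inf-style template and spells out what each entry grants. The function names are hypothetical, the expansions in `RIGHTS` are the standard Active Directory access-right abbreviations, and the reading of the `SCOPE` and `@` entries follows the quoted example only.

```python
import configparser

# Standard AD access-right abbreviations that appear in permission lists.
RIGHTS = {
    "CC": "create child", "DC": "delete child",
    "RP": "read property", "WP": "write property",
    "GR": "generic read", "GW": "generic write", "GA": "full control",
}

# The Q308404 template exactly as quoted in the thread.
SAMPLE_INF = """
[template10]
AppliesToClasses=domainDns,organizationalUnit,container
Description = "Create, delete, and manage inetorgperson accounts"
ObjectTypes = SCOPE, inetorgperson

[template10.SCOPE]
inetorgperson=CC,DC

[template10.inetorgperson]
@=GA
"""


def parse_templates(text):
    """Return {template name: description, target classes and grants}."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key names exactly as written in the file
    cp.read_string(text)
    templates = {}
    for section in cp.sections():
        if "." in section:  # sub-sections are read through their parent
            continue
        head = cp[section]
        entry = {
            "description": head.get("Description", "").strip('"'),
            "applies_to": [c.strip() for c in
                           head.get("AppliesToClasses", "").split(",")
                           if c.strip()],
            "grants": [],
        }
        # Each name in ObjectTypes points at a [template.<name>] section.
        for obj_type in (o.strip() for o in
                         head.get("ObjectTypes", "").split(",")):
            sub = f"{section}.{obj_type}"
            if not obj_type or not cp.has_section(sub):
                continue
            for target, perms in cp[sub].items():
                codes = [p.strip() for p in perms.split(",") if p.strip()]
                entry["grants"].append((obj_type, target, codes))
        templates[section] = entry
    return templates


def describe(grant):
    """Turn one (object type, target, codes) grant into a readable line."""
    obj_type, target, codes = grant
    rights = ", ".join(RIGHTS.get(c, c) for c in codes)  # unknown codes pass through
    if obj_type == "SCOPE":
        return f"on the delegated container: {rights} for {target} objects"
    where = "the whole object" if target == "@" else f"attribute {target}"
    return f"on {obj_type} objects: {rights} over {where}"


def broad_grants(templates):
    """List (template, object type) pairs that hand out full control (GA)."""
    return [(name, obj_type)
            for name, tpl in templates.items()
            for obj_type, target, codes in tpl["grants"]
            if target == "@" and "GA" in codes]


if __name__ == "__main__":
    parsed = parse_templates(SAMPLE_INF)
    for name, tpl in parsed.items():
        print(f"{name}: {tpl['description']}")
        for grant in tpl["grants"]:
            print("  -", describe(grant))
    print("full-control grants:", broad_grants(parsed))
```

Running it over a customized delegwiz.inf before handing the wizard to other administrators shows which templates grant full control over an object class rather than a narrow set of attributes.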
From: SecAdmin <SecAdmin@discussions.microsoft.com>
To: none
Subject: Re: Customizing Delegwiz.inf syntax question
Date: 09/26/2007 12:34:03

Jorge,

I have been to this site already and I do not see answers to my questions.
Where can I find the exact wording for all the SCOPE required or object types?

"Jorge Silva" wrote:
> Hi
> Check
> http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
> "SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message
> news:9D5B8B9A-F045-492B-ADFA-855AE9401EE9@microsoft.com...
> > I would like to add a few custom templates to my delegwiz.inf, however I am
> > new to the syntax. Well syntax may not be as important issue, but where
> > do I
> > find the list of the "SCOPE" identifiers?
> >
> > In Q308404 is the example:
> >
> > [template10]
> > AppliesToClasses=domainDns,organizationalUnit,container
> >
> > Description = "Create, delete, and manage inetorgperson accounts"
> >
> > ObjectTypes = SCOPE, inetorgperson
> >
> > [template10.SCOPE]
> > inetorgperson=CC,DC
> >
> > [template10.inetorgperson]
> > @=GA
> >
> > I want to find the correct identifiers for the .SCOPE object types for
> > user
> > and computer account management. Like Disable this user, Unlock this
> > user,
> > Force user to change password, etc.
> >
> > Where are those listed? Is there one place I can find all the proper
> > terms?
> > What are these called?
> >
> > The Q308404 information is very minimal so I keep thinking there is more
> > information on this somewhere!
>

From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Customizing Delegwiz.inf syntax question
Date: 09/26/2007 12:41:03

wrong link, I meant this one:
http://technet2.microsoft.com/windowsserver/en/library/1d05f294-bb1e-4a55-aec3-2ee80f0db2791033.mspx?mfr=true

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message
news:5332BAF9-9678-4BFE-914C-447D19C454EF@microsoft.com...
> Jorge,
>
> I have been to this site already and I do not see answers to my questions.
> Where can I find the exact wording for all the SCOPE required or object
> types?
>
> "Jorge Silva" wrote:
>
>> Hi
>> Check
>> http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MCSE, MVP Directory Services
>> "SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message
>> news:9D5B8B9A-F045-492B-ADFA-855AE9401EE9@microsoft.com...
>> > I would like to add a few custom templates to my delegwiz.inf, however I
>> > am
>> > new to the syntax. Well syntax may not be as important issue, but
>> > where
>> > do I
>> > find the list of the "SCOPE" identifiers?
>> >
>> > In Q308404 is the example:
>> >
>> > [template10]
>> > AppliesToClasses=domainDns,organizationalUnit,container
>> >
>> > Description = "Create, delete, and manage inetorgperson accounts"
>> >
>> > ObjectTypes = SCOPE, inetorgperson
>> >
>> > [template10.SCOPE]
>> > inetorgperson=CC,DC
>> >
>> > [template10.inetorgperson]
>> > @=GA
>> >
>> > I want to find the correct identifiers for the .SCOPE object types for
>> > user
>> > and computer account management. Like Disable this user, Unlock this
>> > user,
>> > Force user to change password, etc.
>> >
>> > Where are those listed? Is there one place I can find all the proper
>> > terms?
>> > What are these called?
>> >
>> > The Q308404 information is very minimal so I keep thinking there is
>> > more
>> > information on this somewhere!
>>

From: SecAdmin <SecAdmin@discussions.microsoft.com>
To: none
Subject: Re: Customizing Delegwiz.inf syntax question
Date: 09/26/2007 12:54:19

That is nothing more than a sample Delegwiz.inf

Let's try this another way. What would an entry look like if I wanted to
delegate the following permissions on a user account....

Create user account
Delete this user account
Unlock user account
Reset Password
Force user to change password at next logon

Where do I find the exact object types or Scope identifiers in order to
modify my Delegwiz.inf?

"Jorge Silva" wrote:
> wrong link, I meant this one:
> http://technet2.microsoft.com/windowsserver/en/library/1d05f294-bb1e-4a55-aec3-2ee80f0db2791033.mspx?mfr=true
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
> "SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message
> news:5332BAF9-9678-4BFE-914C-447D19C454EF@microsoft.com...
> > Jorge,
> >
> > I have been to this site already and I do not see answers to my questions.
> > Where can I find the exact wording for all the SCOPE required or object
> > types?
> >
> > "Jorge Silva" wrote:
> >
> >> Hi
> >> Check
> >> http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
> >>
> >> --
> >> I hope that the information above helps you.
> >> Have a Nice day.
> >>
> >> Jorge Silva
> >> MCSE, MVP Directory Services
> >> "SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message
> >> news:9D5B8B9A-F045-492B-ADFA-855AE9401EE9@microsoft.com...
> >> > I would like to add a few custom templates to my delegwiz.inf, however I
> >> > am
> >> > new to the syntax. Well syntax may not be as important issue, but
> >> > where
> >> > do I
> >> > find the list of the "SCOPE" identifiers?
> >> >
> >> > In Q308404 is the example:
> >> >
> >> > [template10]
> >> > AppliesToClasses=domainDns,organizationalUnit,container
> >> >
> >> > Description = "Create, delete, and manage inetorgperson accounts"
> >> >
> >> > ObjectTypes = SCOPE, inetorgperson
> >> >
> >> > [template10.SCOPE]
> >> > inetorgperson=CC,DC
> >> >
> >> > [template10.inetorgperson]
> >> > @=GA
> >> >
> >> > I want to find the correct identifiers for the .SCOPE object types for
> >> > user
> >> > and computer account management. Like Disable this user, Unlock this
> >> > user,
> >> > Force user to change password, etc.
> >> >
> >> > Where are those listed? Is there one place I can find all the proper
> >> > terms?
> >> > What are these called?
> >> >
> >> > The Q308404 information is very minimal so I keep thinking there is
> >> > more
> >> > information on this somewhere!
> >>
>

From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Customizing Delegwiz.inf syntax question
Date: 09/26/2007 14:47:48

I'm sorry, I misunderstood you, I'll need to check my documentation, I
can't confirm at the moment, I'll send you a response when I have a chance,
in mean time check at GPO ngs, let me know the results.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message
news:FC01D948-C477-422E-857D-001AF2BDDF89@microsoft.com...
> That is nothing more than a sample Delegwiz.inf
>
> Let's try this another way. What would an entry look like if I wanted to
> delegate the following permissions on a user account....
>
> Create user account
> Delete this user account
> Unlock user account
> Reset Password
> Force user to change password at next logon
>
> Where do I find the exact object types or Scope identifiers in order to
> modify my Delegwiz.inf?
>
> "Jorge Silva" wrote:
>
>> wrong link, I meant this one:
>> http://technet2.microsoft.com/windowsserver/en/library/1d05f294-bb1e-4a55-aec3-2ee80f0db2791033.mspx?mfr=true
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MCSE, MVP Directory Services
>> "SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message
>> news:5332BAF9-9678-4BFE-914C-447D19C454EF@microsoft.com...
>> > Jorge,
>> >
>> > I have been to this site already and I do not see answers to my
>> > questions.
>> > Where can I find the exact wording for all the SCOPE required or object
>> > types?
>> >
>> > "Jorge Silva" wrote:
>> >
>> >> Hi
>> >> Check
>> >> http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
>> >>
>> >> --
>> >> I hope that the information above helps you.
>> >> Have a Nice day.
>> >>
>> >> Jorge Silva
>> >> MCSE, MVP Directory Services
>> >> "SecAdmin" <SecAdmin@discussions.microsoft.com> wrote in message
>> >> news:9D5B8B9A-F045-492B-ADFA-855AE9401EE9@microsoft.com...
>> >> > I would like to add a few custom templates to my delegwiz.inf,
>> >> > however I
>> >> > am
>> >> > new to the syntax. Well syntax may not be as important issue, but
>> >> > where
>> >> > do I
>> >> > find the list of the "SCOPE" identifiers?
>> >> >
>> >> > In Q308404 is the example:
>> >> >
>> >> > [template10]
>> >> > AppliesToClasses=domainDns,organizationalUnit,container
>> >> >
>> >> > Description = "Create, delete, and manage inetorgperson accounts"
>> >> >
>> >> > ObjectTypes = SCOPE, inetorgperson
>> >> >
>> >> > [template10.SCOPE]
>> >> > inetorgperson=CC,DC
>> >> >
>> >> > [template10.inetorgperson]
>> >> > @=GA
>> >> >
>> >> > I want to find the correct identifiers for the .SCOPE object types
>> >> > for
>> >> > user
>> >> > and computer account management. Like Disable this user, Unlock
>> >> > this
>> >> > user,
>> >> > Force user to change password, etc.
>> >> >
>> >> > Where are those listed? Is there one place I can find all the
>> >> > proper
>> >> > terms?
>> >> > What are these called?
>> >> >
>> >> > The Q308404 information is very minimal so I keep thinking there is
>> >> > more
>> >> > information on this somewhere!
>> >>
>>

From: Dmitri Gavrilov [MSFT] <dmitrig@online.microsoft.com>
To: none
Subject: Re: Dcdiag
Date: 09/26/2007 21:40:16

Try running it in verbose mode: dcdiag /v
It should print more data, which might give a clue as to where it breaks.

--
Dmitri Gavrilov
SDE, Active Directory team

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"gdilullo" <gdilullo.2xjavc@DoNotSpam.com> wrote in message
news:gdilullo.2xjavc@DoNotSpam.com...
>
> This is the result from DCDIAG on a Domain Controller:
>
> Performaing Initial Setup:
>
> And then it returns to the command prompt.
>
> Any one seen this before?
>
> Thanks
>
> Gabe
>
> --
> gdilullo
> ------------------------------------------------------------------------
> gdilullo's Profile: http://forums.techarena.in/member.php?userid=31815
> View this thread: http://forums.techarena.in/showthread.php?t=824579
>
> http://forums.techarena.in
>

From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>
To: none
Subject: Re: Dcdiag
Date: 09/27/2007 07:16:01

When I run dcdiag I set the following flags:
DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log

You have to watch out for the /E in a large environment, it will query ALL
dc's in the domain and if you have a lot of remote sites this could take a
very long time. I pipe the output of this diagnostic to c:\dcdiag.log.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"gdilullo" <gdilullo.2xjavc@DoNotSpam.com> wrote in message
news:gdilullo.2xjavc@DoNotSpam.com...
>
> This is the result from DCDIAG on a Domain Controller:
>
> Performaing Initial Setup:
>
> And then it returns to the command prompt.
>
> Any one seen this before?
>
> Thanks
>
> Gabe
>
> --
> gdilullo
> ------------------------------------------------------------------------
> gdilullo's Profile: http://forums.techarena.in/member.php?userid=31815
> View this thread: http://forums.techarena.in/showthread.php?t=824579
>
> http://forums.techarena.in
>

From: gdilullo <gdilullo.2xkrnd@DoNotSpam.com>
To: none
Subject: Re: Dcdiag
Date: 09/27/2007 09:34:29

Thanks Paul, the last line from results of DCDIAG /V /C /D /E is:
dcdiag: a dcdiag exception raised, handling error 2

Any suggestions?

Thanks

Gabe

--
gdilullo
------------------------------------------------------------------------
gdilullo's Profile: http://forums.techarena.in/member.php?userid=31815
View this thread: http://forums.techarena.in/showthread.php?t=824579

http://forums.techarena.in

From: Dmitri Gavrilov [MSFT] <dmitrig@online.microsoft.com>
To: none
Subject: Re: Dcdiag
Date: 09/27/2007 11:37:05

We need context. What do you see before this line? Could you post the
complete output? Feel free to obscure DC and domain names, if you want.

--
Dmitri Gavrilov
SDE, Active Directory team

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"gdilullo" <gdilullo.2xkrnd@DoNotSpam.com> wrote in message
news:gdilullo.2xkrnd@DoNotSpam.com...
>
> Thanks Paul, the last line from results of DCDIAG /V /C /D /E is:
> dcdiag: a dcdiag exception raised, handling error 2
>
> Any suggestions?
>
> Thanks
>
> Gabe
>
> --
> gdilullo
> ------------------------------------------------------------------------
> gdilullo's Profile: http://forums.techarena.in/member.php?userid=31815
> View this thread: http://forums.techarena.in/showthread.php?t=824579
>
> http://forums.techarena.in
>

From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>
To: none
Subject: Re: Dcdiag
Date: 09/27/2007 12:51:40

Dmitri I wonder if he is using an old version of dcdiag? I have seen
similar issues with an old version running against a new o/s.

Gabe, try the link below and see if that helps.
http://www.microsoft.com/downloads/details.aspx?FamilyID=96a35011-fd83-419d-939b-9a772ea2df90&DisplayLang=en

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
news:Ob3ykSSAIHA.5312@TK2MSFTNGP02.phx.gbl...
> We need context. What do you see before this line? Could you post the
> complete output? Feel free to obscure DC and domain names, if you want.
>
> --
> Dmitri Gavrilov
> SDE, Active Directory team
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
> "gdilullo" <gdilullo.2xkrnd@DoNotSpam.com> wrote in message
> news:gdilullo.2xkrnd@DoNotSpam.com...
>>
>> Thanks Paul, the last line from results of DCDIAG /V /C /D /E is:
>> dcdiag: a dcdiag exception raised, handling error 2
>>
>> Any suggestions?
>>
>> Thanks
>>
>> Gabe
>>
>> --
>> gdilullo
>> ------------------------------------------------------------------------
>> gdilullo's Profile: http://forums.techarena.in/member.php?userid=31815
>> View this thread: http://forums.techarena.in/showthread.php?t=824579
>>
>> http://forums.techarena.in
>>
>


From: gdilullo <gdilullo.2xl2rf@DoNotSpam.com>
To: none
Subject: Re: Dcdiag
Date: 09/27/2007 13:34:24

Hi guys, I downloaded the version of support tools from your link just to
be sure and I am still receiving the following output.

* Verifying that the local machine srv-msbl, is a DC.
* Connecting to directory service on server srv-msbl.
srv-msbl.currentTime = 20070927182057.0Z
srv-msbl.highestCommittedUSN = 55738
srv-msbl.isSynchronized = 1
srv-msbl.isGlobalCatalogReady = 0
* Collecting site info.
DcDiag: a dcdiag exception raised, handling error 2

We have 17 domain controllers. From this DC the NTDS settings are
populated with its settings in the site container, but the remaining
16 DCs don't recognize this one.

Thanks
Gabe

--
gdilullo
------------------------------------------------------------------------
gdilullo's Profile: http://forums.techarena.in/member.php?userid=31815
View this thread: http://forums.techarena.in/showthread.php?t=824579
http://forums.techarena.in

From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>
To: none
Subject: Re: Dcdiag
Date: 09/28/2007 06:51:22

Has anything out of the ordinary happened to this dc? Have you lost and had
to recover it or any other dc? Have you run dcdiag on a dc besides the
failing one? If not try that and post the output. Also post the ipconfig
/all of the troubled dc, the troubled dc's dns server.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"gdilullo" <gdilullo.2xl2rf@DoNotSpam.com> wrote in message
news:gdilullo.2xl2rf@DoNotSpam.com...
>
> Hi guys, I downloaded the version of support tools from your link just
> to be sure and I am still receiving the following output.
>
> * Verifying that the local machine srv-msbl, is a DC.
> * Connecting to directory service on server srv-msbl.
> srv-msbl.currentTime = 20070927182057.0Z
> srv-msbl.highestCommittedUSN = 55738
> srv-msbl.isSynchronized = 1
> srv-msbl.isGlobalCatalogReady = 0
> * Collecting site info.
> DcDiag: a dcdiag exception raised, handling error 2
>
> We have 17 domain controllers. From this DC the NTDS settings are
> populated with its settings in the site container, but the remaining
> 16 DCs don't recognize this one.
>
> Thanks
>
> Gabe
>
> --
> gdilullo
> ------------------------------------------------------------------------
> gdilullo's Profile: http://forums.techarena.in/member.php?userid=31815
> View this thread: http://forums.techarena.in/showthread.php?t=824579
>
> http://forums.techarena.in

From: Richard Mueller [MVP] <rlmueller-nospam@ameritech.nospam.net>
To: none
Subject: Re: Delete duplicate computer accounts in AD
Date: 09/27/2007 09:05:26

Ronnie wrote:
> The help desk in our company have created duplicate computer accounts
> for some computer objects in AD, and now I need to delete the accounts
> that are not being used. Is there any way to determine which account
> is actually in use, so that I don't delete the wrong ones?
>
> I can see that one of the accounts have several odd characters in the
> end of the name, but I'm not sure that's any guarantee that this is
> the account not being used. Is it possible to see when the accounts
> were last logged on or something like that?
>
> We run a Windows 2000 Server environment.

You can use Joe Richards' free oldcmp utility:
http://www.joeware.net/win/free/tools/oldcmp.htm

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

From: rondo <newsnospam@mail.sonofon.dk>
To: none
Subject: Re: Delete duplicate computer accounts in AD
Date: 09/28/2007 04:41:21

On Sep 27, 4:05 pm, "Richard Mueller [MVP]"
<rlmueller-nos...@ameritech.nospam.net> wrote:
> Ronnie wrote:
> > The help desk in our company have created duplicate computer accounts
> > for some computer objects in AD, and now I need to delete the accounts
> > that are not being used. Is there any way to determine which account
> > is actually in use, so that I don't delete the wrong ones?
> >
> > I can see that one of the accounts have several odd characters in the
> > end of the name, but I'm not sure that's any guarantee that this is
> > the account not being used. Is it possible to see when the accounts
> > were last logged on or something like that?
> >
> > We run a Windows 2000 Server environment.
>
> You can use Joe Richards' free oldcmp utility:
>
> http://www.joeware.net/win/free/tools/oldcmp.htm
>
> --
> Richard Mueller
> Microsoft MVP Scripting and ADSI
> Hilltop Lab -http://www.rlmueller.net
> --

Thank you for that however I was hoping that this would be possible
without using any 3rd party software.

Anyway I've now downloaded the software but I must admit I can't
figure out how to use this tool to solve my problem. Can anybody
please help me here with the correct command I need to run?

Thanks,
Ronnie
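
Added example, not part of the thread and not oldcmp's syntax: one read-only way to approach the question above without third-party software is to compare pwdLastSet across the computer accounts that share a name. A joined machine changes its account password periodically (every 30 days by default) and pwdLastSet replicates to every DC, whereas lastLogon is not replicated and lastLogonTimestamp needs a Windows Server 2003 functional level. Assumptions: WKS-0042 is a hypothetical base name, and the script runs from a domain-joined machine with PowerShell 3.0 or later.

```powershell
# Added example: read-only report, nothing is modified or deleted.
# ASSUMPTION: 'WKS-0042' is a hypothetical base name shared by the duplicates.
# A name containing LDAP filter metacharacters ( ) * \ would need escaping.
$baseName = 'WKS-0042'

# Computer objects whose cn starts with the base name. The trailing wildcard
# also returns copies that carry extra characters after the name.
$searcher = [adsisearcher]"(&(objectCategory=computer)(cn=$baseName*))"
$searcher.PageSize = 500
foreach ($attr in 'cn', 'sAMAccountName', 'pwdLastSet', 'whenCreated', 'distinguishedName') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$results = $searcher.FindAll()
$report = foreach ($result in $results) {
    $props = $result.Properties   # property names are returned in lower case

    # pwdLastSet is a FILETIME: 100-ns intervals since 1601-01-01 UTC.
    # A missing value or 0 means no password change has been recorded.
    $pwdSetUtc = $null
    if ($props.Contains('pwdlastset') -and [int64]$props['pwdlastset'][0] -gt 0) {
        $pwdSetUtc = [DateTime]::FromFileTimeUtc([int64]$props['pwdlastset'][0])
    }
    $ageDays = $null
    if ($pwdSetUtc) { $ageDays = [int]([DateTime]::UtcNow - $pwdSetUtc).TotalDays }

    [pscustomobject]@{
        Name           = [string]$props['cn'][0]
        SamAccountName = [string]$props['samaccountname'][0]
        Created        = $props['whencreated'][0]
        PwdLastSetUtc  = $pwdSetUtc
        PwdAgeDays     = $ageDays
        DN             = [string]$props['distinguishedname'][0]
    }
}
$results.Dispose()

# Newest password change first. Heuristic: the account with a recent
# PwdLastSetUtc is the one a machine is using; an empty value, or one that has
# not moved since Created, marks a candidate to disable first and delete later.
$report | Sort-Object PwdLastSetUtc -Descending | Format-List
```

A machine that has been powered off for months, or has automatic password changes disabled, will also show an old value, so disable a candidate account and wait before deleting it.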

From: Meinolf Weber <meiweb(nospam)@gmx.de>
To: none
Subject: Re: Does AD have a Default Backup User account?
Date: 09/27/2007 16:02:57

Hello Adam N.,

See your other post.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

> Is there a Default Backup User account already created in W2K3?
>
> I am wanting to use a NAS to backup some directories on a W2K3 server,
> the utility wants an account to access the server with, so if there
> was a default account already created I would like to just use that.
>
> If not should I just create a user account specifically for this
> function?
>
> Thanks in advance,

From: Aime <oaime@hotmail.com>
To: none
Subject: Re: Domain controller crached
Date: 09/26/2007 02:53:21

Dear Jorge,

Thank you for your reply,
i finish all the steps as advice but did not yet install the DNS,
Is it necessary to install the DNS in the DC that holding the exchange or
reinstall the DNS in the new DC and re-introduce it in the domain.
Can you please give me the steps how to re-introduce the new DC in the
domain.
What about the GC, do i need to install it as well in the exchange server or
??

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
news:uxsK8a5$HHA.4324@TK2MSFTNGP02.phx.gbl...
> Hi
> In AD there isn't a BDC concept all DCs are peers and equal in most of
> configurations.
> - Disconnect the Dc from network.
> - Then remove all references to that Dc on AD database (Metadata cleanup).
> - Remove any Dns references to the Dc.
> - If necessary seize any left Op Master roles that were hosted by that Dc.
> - If the domain controller that you are demoting is a DNS server or global
> catalog server, you must create a new GC or DNS server to satisfy load
> balancing, fault tolerance, and configuration settings in the forest.
> - When you use the remove selected server command in NTDSUTIL, the NTDSDSA
> object, the parent object for incoming connections to the domain
> controller that you forcibly demoted is removed. The command does not
> remove the parent server objects that appear in the Sites and Services
> snap-in. Use the Active Directory Sites and Services MMC snap-in to remove
> the server object if the domain controller will not be promoted into the
> forest with the same computer name
>
> Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
> http://support.microsoft.com/kb/255504/
> How to remove data in Active Directory after an unsuccessful domain
> controller demotion
> http://support.microsoft.com/?kbid=216498
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
>
> "Aime" <oaime@hotmail.com> wrote in message
> news:OlbV8R4$HHA.5980@TK2MSFTNGP04.phx.gbl...
>> Dear,
>>
>> I had the primary domain controller crash, i don't have any backup.
>> But the backup domain controller still working,
>> Can you please guide me how i can bring back the primary DC again in the
>> AD after reinstalling a fresh windows 2003 on it.
>> The primary DC was in charge of DNS and DHCP and the backup DC is holding
>> the exchange server 2003
>>
>> Regards
>> AIME

From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Domain controller crached
Date: 09/26/2007 07:08:35

-First of all you shouldn't Exchange on DCs, is a bad practice in my opinion
(Not all share the same opinion).
-You must have at least 1 DNS server in your domain, so if you don't have
any you must urgently configure 1, you also need to have at least 1 GC.
-Run dcdiag and netdiag and make sure that no errors in output windows.
-To create Additional domain controllers check:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/addomcon.mspx

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"Aime" <oaime@hotmail.com> wrote in message
news:%23E3qNMBAIHA.4324@TK2MSFTNGP02.phx.gbl...
> Dear Jorge,
>
> Thank you for your reply,
> i finish all the steps as advice but did not yet install the DNS,
> Is it necessary to install the DNS in the DC that holding the exchange or
> reinstall the DNS in the new DC and re-introduce it in the domain.
> Can you please give me the steps how to re-introduce the new DC in the
> domain.
> What about the GC, do i need to install it as well in the exchange server
> or ??
>
> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
> news:uxsK8a5$HHA.4324@TK2MSFTNGP02.phx.gbl...
>> Hi
>> In AD there isn't a BDC concept all DCs are peers and equal in most of
>> configurations.
>> - Disconnect the Dc from network.
>> - Then remove all references to that Dc on AD database (Metadata cleanup).
>> - Remove any Dns references to the Dc.
>> - If necessary seize any left Op Master roles that were hosted by that Dc.
>> - If the domain controller that you are demoting is a DNS server or
>> global catalog server, you must create a new GC or DNS server to satisfy
>> load balancing, fault tolerance, and configuration settings in the forest.
>> - When you use the remove selected server command in NTDSUTIL, the
>> NTDSDSA object, the parent object for incoming connections to the domain
>> controller that you forcibly demoted is removed. The command does not
>> remove the parent server objects that appear in the Sites and Services
>> snap-in. Use the Active Directory Sites and Services MMC snap-in to
>> remove the server object if the domain controller will not be promoted
>> into the forest with the same computer name
>>
>> Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
>> http://support.microsoft.com/kb/255504/
>> How to remove data in Active Directory after an unsuccessful domain
>> controller demotion
>> http://support.microsoft.com/?kbid=216498
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MCSE, MVP Directory Services
>>
>> "Aime" <oaime@hotmail.com> wrote in message
>> news:OlbV8R4$HHA.5980@TK2MSFTNGP04.phx.gbl...
>>> Dear,
>>>
>>> I had the primary domain controller crash, i don't have any backup.
>>> But the backup domain controller still working,
>>> Can you please guide me how i can bring back the primary DC again in the
>>> AD after reinstalling a fresh windows 2003 on it.
>>> The primary DC was in charge of DNS and DHCP and the backup DC is
>>> holding the exchange server 2003
>>>
>>> Regards
>>> AIME

From: Aime <oaime@hotmail.com>
To: none
Subject: Re: Domain controller crached
Date: 09/27/2007 02:57:18

Can you please clarify if i should not install the DNS on the DC that runs
Exchange server 2003.
If not, then i should install first DNS in the new server then DCPROMO and
join the existing domain!
Is this correct?

Thanks

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
news:OIVEyXDAIHA.3400@TK2MSFTNGP03.phx.gbl...
> -First of all you shouldn't Exchange on DCs, is a bad practice in my
> opinion (Not all share the same opinion).
> -You must have at least 1 DNS server in your domain, so if you don't have
> any you must urgently configure 1, you also need to have at least 1 GC.
> -Run dcdiag and netdiag and make sure that no errors in output windows.
> -To create Additional domain controllers check:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/addomcon.mspx
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
>
> "Aime" <oaime@hotmail.com> wrote in message
> news:%23E3qNMBAIHA.4324@TK2MSFTNGP02.phx.gbl...
>> Dear Jorge,
>>
>> Thank you for your reply,
>> i finish all the steps as advice but did not yet install the DNS,
>> Is it necessary to install the DNS in the DC that holding the exchange or
>> reinstall the DNS in the new DC and re-introduce it in the domain.
>> Can you please give me the steps how to re-introduce the new DC in the
>> domain.
>> What about the GC, do i need to install it as well in the exchange server
>> or ??
>>
>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
>> news:uxsK8a5$HHA.4324@TK2MSFTNGP02.phx.gbl...
>>> Hi
>>> In AD there isn't a BDC concept all DCs are peers and equal in most of
>>> configurations.
>>> - Disconnect the Dc from network.
>>> - Then remove all references to that Dc on AD database (Metadata cleanup).
>>> - Remove any Dns references to the Dc.
>>> - If necessary seize any left Op Master roles that were hosted by that Dc.
>>> - If the domain controller that you are demoting is a DNS server or
>>> global catalog server, you must create a new GC or DNS server to satisfy
>>> load balancing, fault tolerance, and configuration settings in the forest.
>>> - When you use the remove selected server command in NTDSUTIL, the
>>> NTDSDSA object, the parent object for incoming connections to the domain
>>> controller that you forcibly demoted is removed. The command does not
>>> remove the parent server objects that appear in the Sites and Services
>>> snap-in. Use the Active Directory Sites and Services MMC snap-in to
>>> remove the server object if the domain controller will not be promoted
>>> into the forest with the same computer name
>>>
>>> Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
>>> http://support.microsoft.com/kb/255504/
>>> How to remove data in Active Directory after an unsuccessful domain
>>> controller demotion
>>> http://support.microsoft.com/?kbid=216498
>>>
>>> --
>>> I hope that the information above helps you.
>>> Have a Nice day.
>>>
>>> Jorge Silva
>>> MCSE, MVP Directory Services
>>>
>>> "Aime" <oaime@hotmail.com> wrote in message
>>> news:OlbV8R4$HHA.5980@TK2MSFTNGP04.phx.gbl...
>>>> Dear,
>>>>
>>>> I had the primary domain controller crash, i don't have any backup.
>>>> But the backup domain controller still working,
>>>> Can you please guide me how i can bring back the primary DC again in
>>>> the AD after reinstalling a fresh windows 2003 on it.
>>>> The primary DC was in charge of DNS and DHCP and the backup DC is
>>>> holding the exchange server 2003
>>>>
>>>> Regards
>>>> AIME

From: Aime <oaime@hotmail.com>
To: none
Subject: Re: Domain controller crached
Date: 09/27/2007 04:02:24

Can you please clarify if i should not install the DNS on the DC that runs
Exchange server 2003.
If not, then i should install first DNS in the new server then DCPROMO and
join the existing domain!
Is this correct?

Thanks

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
news:OIVEyXDAIHA.3400@TK2MSFTNGP03.phx.gbl...
> -First of all you shouldn't Exchange on DCs, is a bad practice in my
> opinion (Not all share the same opinion).
> -You must have at least 1 DNS server in your domain, so if you don't have
> any you must urgently configure 1, you also need to have at least 1 GC.
> -Run dcdiag and netdiag and make sure that no errors in output windows.
> -To create Additional domain controllers check:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/addomcon.mspx
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
>
> "Aime" <oaime@hotmail.com> wrote in message
> news:%23E3qNMBAIHA.4324@TK2MSFTNGP02.phx.gbl...
>> Dear Jorge,
>>
>> Thank you for your reply,
>> i finish all the steps as advice but did not yet install the DNS,
>> Is it necessary to install the DNS in the DC that holding the exchange or
>> reinstall the DNS in the new DC and re-introduce it in the domain.
>> Can you please give me the steps how to re-introduce the new DC in the
>> domain.
>> What about the GC, do i need to install it as well in the exchange server
>> or ??
>>
>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
>> news:uxsK8a5$HHA.4324@TK2MSFTNGP02.phx.gbl...
>>> Hi
>>> In AD there isn't a BDC concept all DCs are peers and equal in most of
>>> configurations.
>>> - Disconnect the Dc from network.
>>> - Then remove all references to that Dc on AD database (Metadata cleanup).
>>> - Remove any Dns references to the Dc.
>>> - If necessary seize any left Op Master roles that were hosted by that Dc.
>>> - If the domain controller that you are demoting is a DNS server or
>>> global catalog server, you must create a new GC or DNS server to satisfy
>>> load balancing, fault tolerance, and configuration settings in the forest.
>>> - When you use the remove selected server command in NTDSUTIL, the
>>> NTDSDSA object, the parent object for incoming connections to the domain
>>> controller that you forcibly demoted is removed. The command does not
>>> remove the parent server objects that appear in the Sites and Services
>>> snap-in. Use the Active Directory Sites and Services MMC snap-in to
>>> remove the server object if the domain controller will not be promoted
>>> into the forest with the same computer name
>>>
>>> Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
>>> http://support.microsoft.com/kb/255504/
>>> How to remove data in Active Directory after an unsuccessful domain
>>> controller demotion
>>> http://support.microsoft.com/?kbid=216498
>>>
>>> --
>>> I hope that the information above helps you.
>>> Have a Nice day.
>>>
>>> Jorge Silva
>>> MCSE, MVP Directory Services
>>>
>>> "Aime" <oaime@hotmail.com> wrote in message
>>> news:OlbV8R4$HHA.5980@TK2MSFTNGP04.phx.gbl...
>>>> Dear,
>>>>
>>>> I had the primary domain controller crash, i don't have any backup.
>>>> But the backup domain controller still working,
>>>> Can you please guide me how i can bring back the primary DC again in
>>>> the AD after reinstalling a fresh windows 2003 on it.
>>>> The primary DC was in charge of DNS and DHCP and the backup DC is
>>>> holding the exchange server 2003
>>>>
>>>> Regards
>>>> AIME

From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Domain controller crached
Date: 09/27/2007 15:24:54

The problem isn't having DNS on Exchange but rather having Exchange on a DC.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"Aime" <oaime@hotmail.com> wrote in message
news:u4KheXOAIHA.1208@TK2MSFTNGP05.phx.gbl...
> Can you please clarify if i should not install the DNS on the DC that runs
> Exchange server 2003.
> If not, then i should install first DNS in the new server then DCPROMO and
> join the existing domain!
> Is this correct?
>
> Thanks
>
> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
> news:OIVEyXDAIHA.3400@TK2MSFTNGP03.phx.gbl...
>> -First of all you shouldn't Exchange on DCs, is a bad practice in my
>> opinion (Not all share the same opinion).
>> -You must have at least 1 DNS server in your domain, so if you don't have
>> any you must urgently configure 1, you also need to have at least 1 GC.
>> -Run dcdiag and netdiag and make sure that no errors in output windows.
>> -To create Additional domain controllers check:
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/addomcon.mspx
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MCSE, MVP Directory Services
>>
>> "Aime" <oaime@hotmail.com> wrote in message
>> news:%23E3qNMBAIHA.4324@TK2MSFTNGP02.phx.gbl...
>>> Dear Jorge,
>>>
>>> Thank you for your reply,
>>> i finish all the steps as advice but did not yet install the DNS,
>>> Is it necessary to install the DNS in the DC that holding the exchange
>>> or reinstall the DNS in the new DC and re-introduce it in the domain.
>>> Can you please give me the steps how to re-introduce the new DC in the
>>> domain.
>>> What about the GC, do i need to install it as well in the exchange
>>> server or ??
>>>
>>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
>>> news:uxsK8a5$HHA.4324@TK2MSFTNGP02.phx.gbl...
>>>> Hi
>>>> In AD there isn't a BDC concept all DCs are peers and equal in most of
>>>> configurations.
>>>> - Disconnect the Dc from network.
>>>> - Then remove all references to that Dc on AD database (Metadata cleanup).
>>>> - Remove any Dns references to the Dc.
>>>> - If necessary seize any left Op Master roles that were hosted by that Dc.
>>>> - If the domain controller that you are demoting is a DNS server or
>>>> global catalog server, you must create a new GC or DNS server to
>>>> satisfy load balancing, fault tolerance, and configuration settings in
>>>> the forest.
>>>> - When you use the remove selected server command in NTDSUTIL, the
>>>> NTDSDSA object, the parent object for incoming connections to the
>>>> domain controller that you forcibly demoted is removed. The command
>>>> does not remove the parent server objects that appear in the Sites and
>>>> Services snap-in. Use the Active Directory Sites and Services MMC
>>>> snap-in to remove the server object if the domain controller will not
>>>> be promoted into the forest with the same computer name
>>>>
>>>> Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
>>>> http://support.microsoft.com/kb/255504/
>>>> How to remove data in Active Directory after an unsuccessful domain
>>>> controller demotion
>>>> http://support.microsoft.com/?kbid=216498
>>>>
>>>> --
>>>> I hope that the information above helps you.
>>>> Have a Nice day.
>>>>
>>>> Jorge Silva
>>>> MCSE, MVP Directory Services
>>>>
>>>> "Aime" <oaime@hotmail.com> wrote in message
>>>> news:OlbV8R4$HHA.5980@TK2MSFTNGP04.phx.gbl...
>>>>> Dear,
>>>>>
>>>>> I had the primary domain controller crash, i don't have any backup.
>>>>> But the backup domain controller still working,
>>>>> Can you please guide me how i can bring back the primary DC again in
>>>>> the AD after reinstalling a fresh windows 2003 on it.
>>>>> The primary DC was in charge of DNS and DHCP and the backup DC is
>>>>> holding the exchange server 2003
>>>>>
>>>>> Regards
>>>>> AIME

From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Domain Controller down
Date: 09/26/2007 12:59:09

Hi
IT shouldn't be, check at DFS ngs.
One of the problems may be related with your Active Directory Sites and
Subnets configuration/design, you may have people trying to get the servers
in the wrong site. Once again check in DFS ngs.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"BBW" <tkarpowski@bennettcompany.com> wrote in message
news:OjN3oZGAIHA.320@TK2MSFTNGP04.phx.gbl...
> I have a domain controller, win2K3 SP1, that is down due to hardware
> failure. It is the Infrastructure Master and was a DFS Root Link.
>
> Now, when people now access the Y:, this is a DFS Link, we are
> experiencing intermittent slowdowns, like 15-30 seconds.
>
> I have removed it as a DFS Root links on the production server, as I have
> others.
>
> Is this because the Infrastructure Master is down...?
>
> Any other thoughts...

From: BBW <tkarpowski@bennettcompany.com>
To: none
Subject: Re: Domain Controller down
Date: 09/26/2007 13:24:41

This slowness happens for accessing the local server using the DFS mapped
drive.

The down server is also the Schema Master also...?

Would that cause intermittent DFS slowdowns.

There isn't anything in the logs except that it can't see the down server...

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
news:%23QbRrbGAIHA.4880@TK2MSFTNGP03.phx.gbl...
> Hi
> IT shouldn't be, check at DFS ngs.
> One of the problems may be related with your Active Directory Sites and
> Subnets configuration/design, you may have people trying to get the
> servers in the wrong site. Once again check in DFS ngs.
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
>
> "BBW" <tkarpowski@bennettcompany.com> wrote in message
> news:OjN3oZGAIHA.320@TK2MSFTNGP04.phx.gbl...
>> I have a domain controller, win2K3 SP1, that is down due to hardware
>> failure. It is the Infrastructure Master and was a DFS Root Link.
>>
>> Now, when people now access the Y:, this is a DFS Link, we are
>> experiencing intermittent slowdowns, like 15-30 seconds.
>>
>> I have removed it as a DFS Root links on the production server, as I have
>> others.
>>
>> Is this because the Infrastructure Master is down...?
>>
>> Any other thoughts...

From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Domain Controller down
Date: 09/26/2007 14:55:40

> This slowness happens for accessing the local server using the DFS mapped
> drive.
Only in mapped drivers what about UNC path?
Do you have DFS servers on different sites?
Do you have additional servers for DFS Root Namespace?

> The down server is also the Schema Master also...?
Shouldn't interfere

> Would that cause intermittent DFS slowdowns.
-Bad site configuration (Assuming multiple sites and DFS servers at different
locations).
-Name resolution.
-Switching, cabling...

> There isn't anything in the logs except that it can't see the down
> server...
check other related known issues:
http://support.microsoft.com/kb/873407
http://support.microsoft.com/kb/915377
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsdb_dfs_stdz.mspx?mfr=true

Once again post this at DFS ngs, let's know the results.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"BBW" <tkarpowski@bennettcompany.com> wrote in message
news:eAWtCqGAIHA.5360@TK2MSFTNGP03.phx.gbl...
> This slowness happens for accessing the local server using the DFS mapped
> drive.
>
> The down server is also the Schema Master also...?
>
> Would that cause intermittent DFS slowdowns.
>
> There isn't anything in the logs except that it can't see the down
> server...
>
> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
> news:%23QbRrbGAIHA.4880@TK2MSFTNGP03.phx.gbl...
>> Hi
>> IT shouldn't be, check at DFS ngs.
>> One of the problems may be related with your Active Directory Sites and
>> Subnets configuration/design, you may have people trying to get the
>> servers in the wrong site. Once again check in DFS ngs.
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MCSE, MVP Directory Services
>>
>> "BBW" <tkarpowski@bennettcompany.com> wrote in message
>> news:OjN3oZGAIHA.320@TK2MSFTNGP04.phx.gbl...
>>> I have a domain controller, win2K3 SP1, that is down due to hardware
>>> failure. It is the Infrastructure Master and was a DFS Root Link.
>>>
>>> Now, when people now access the Y:, this is a DFS Link, we are
>>> experiencing intermittent slowdowns, like 15-30 seconds.
>>>
>>> I have removed it as a DFS Root links on the production server, as I
>>> have others.
>>>
>>> Is this because the Infrastructure Master is down...?
>>>
>>> Any other thoughts...

From: Will <westes-usc@noemail.nospam>
To: none
Subject: Re: Domain Controller File Permissions on SYSVOL
Date: 09/25/2007 17:52:01

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
news:%23ySF3u6$HHA.5868@TK2MSFTNGP05.phx.gbl...
>> 1) READ permissions against the SYSVOLs on other DCs
> There are 2 SYSVOL (1 is shared).
> What permissions are you talking about (NTFS or Share permissions).
>
> IIRC: By default NTFS PERMISSIONS ARE: Administrators and System have full
> control, Authenticated users and server operators have read permissions,
> SHARE PERMISSIONS: Administrators Full control, everyone have read perm.
> (Note: i'm talking about the Sysvol share folder)

I'm referring to just the NTFS permissions. Inferring from the above:
domain controllers should only have read access to the SYSVOLs of other
domain controllers.

--
Will

> "Will" <westes-usc@noemail.nospam> wrote in message
> news:EO-dndb-JZdBwmTbnZ2dnUVZ_rOpnZ2d@giganews.com...
>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
>> news:OzsKX91$HHA.3716@TK2MSFTNGP03.phx.gbl...
>>> Hi
>>> DCs share the same permissions among all existing DCs.
>>
>> That doesn't answer the original question. I'm asking do DCs need
>>
>> 1) READ permissions against the SYSVOLs on other DCs
>>
>> 2) MODIFY permissions against the SYSVOLs on other DCs
>>
>> It's not a question about the sameness of permissions.
>>
>> --
>> Will
>>
>>> "Will" <westes-usc@noemail.nospam> wrote in message
>>> news:OrqdnTlH3LuqSWXbnZ2dnUVZ_qqgnZ2d@giganews.com...
>>> > Do Domain Controllers only require read-only file system permissions
>>> > to the SYSVOL on other Domain Controllers?
>>> >
>>> > --
>>> > Will
Top
From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Domain Controller File Permissions on SYSVOL
Date: 09/25/2007 18:18:45

They could have, but it isn't defined by default. By default the "Domain
Controllers" security group doesn't have permissions on that folder.
The defaults should do the job just fine.
And as I said before these permissions should be set equal among all DCs.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services

"Will" <westes-usc@noemail.nospam> wrote in message
news:dYCdnfY3z7aPDGTbnZ2dnUVZ_v2unZ2d@giganews.com...
> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
> news:%23ySF3u6$HHA.5868@TK2MSFTNGP05.phx.gbl...
>>> 1) READ permissions against the SYSVOLs on other DCs
>> There are 2 SYSVOL (1 is shared).
>> What permissions are you talking about (NTFS or Share permissions).
>>
>> IIRC: By default NTFS PERMISSIONS ARE: Administrators and System have
>> full control, Authenticated users and server operators have read
>> permissions, SHARE PERMISSIONS: Administrators Full control, everyone
>> have read perm. (Note: I'm talking about the Sysvol share folder)
>
> I'm referring to just the NTFS permissions. Inferring from the above:
> domain controllers should only have read access to the SYSVOLs of other
> domain controllers.
>
> --
> Will
>
>> "Will" <westes-usc@noemail.nospam> wrote in message
>> news:EO-dndb-JZdBwmTbnZ2dnUVZ_rOpnZ2d@giganews.com...
>>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
>>> news:OzsKX91$HHA.3716@TK2MSFTNGP03.phx.gbl...
>>>> Hi
>>>> DCs share the same permissions among all existing DCs.
>>>
>>> That doesn't answer the original question. I'm asking do DCs need
>>>
>>> 1) READ permissions against the SYSVOLs on other DCs
>>>
>>> 2) MODIFY permissions against the SYSVOLs on other DCs
>>>
>>> It's not a question about the sameness of permissions.
>>>
>>> --
>>> Will
>>>
>>>
>>>> "Will" <westes-usc@noemail.nospam> wrote in message
>>>> news:OrqdnTlH3LuqSWXbnZ2dnUVZ_qqgnZ2d@giganews.com...
>>>> > Do Domain Controllers only require read-only file system permissions
>>>> > to the SYSVOL on other Domain Controllers?
>>>> >
>>>> > --
>>>> > Will
>>>
>>>
>>
>>
>
>
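
The thread above says the SYSVOL NTFS permissions should be set equal among all DCs; the following is an added example, not part of any post, that checks this over ACE lines collected per DC in the style `icacls` prints (path prefix removed). The baseline is the set of defaults as recalled ("IIRC") in the thread, and the DC names, the `EXAMPLE` domain and the listings are constructed.

```python
import re

# Baseline = the NTFS defaults as recalled ("IIRC") in the thread above.
# Assumption: confirm against a known-good DC before relying on it.
BASELINE = {
    r"BUILTIN\Administrators": "full",
    r"NT AUTHORITY\SYSTEM": "full",
    r"NT AUTHORITY\Authenticated Users": "read",
    r"BUILTIN\Server Operators": "read",
}
LEVEL = {"F": "full", "M": "modify", "W": "write", "RX": "read", "R": "read"}
ACE = re.compile(r"^\s*(?P<who>[^:]+):(?P<tokens>(?:\([A-Z,]+\))+)\s*$")


def parse_acl(text):
    """Map principal -> access level from ACE lines in icacls style."""
    acl = {}
    for line in text.splitlines():
        m = ACE.match(line)
        if m:
            # Inheritance flags such as (OI)(CI) come first; the right is last.
            right = re.findall(r"\(([A-Z,]+)\)", m.group("tokens"))[-1]
            acl[m.group("who").strip()] = LEVEL.get(right, "other:" + right)
    return acl


def audit(listings):
    """Return {dc: [findings]} for each DC whose ACL differs from BASELINE."""
    report = {}
    for dc, text in sorted(listings.items()):
        acl, findings = parse_acl(text), []
        for who in sorted(set(acl) | set(BASELINE)):
            have, want = acl.get(who), BASELINE.get(who)
            if have != want:
                findings.append(f"{who}: expected {want}, found {have}")
        if findings:
            report[dc] = findings
    return report


# Constructed listings; DC01/DC02 and the EXAMPLE domain are hypothetical.
DEFAULT_ACES = r"""BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
BUILTIN\Server Operators:(OI)(CI)(RX)"""
SAMPLE = {
    "DC01": DEFAULT_ACES,
    "DC02": DEFAULT_ACES + "\n" + r"EXAMPLE\Domain Controllers:(OI)(CI)(M)",
}

if __name__ == "__main__":
    for dc, findings in audit(SAMPLE).items():
        print(dc, findings)
```
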
From: Dkp <deep275@gmail.com>
To: none
Subject: Re: Domain Login Failed
Date: 09/26/2007 08:12:55

Try to create the trust relationship between these domains and proceed
further

On Sep 10, 12:22 am, Shan <S...@discussions.microsoft.com> wrote:
> Hi Meinolf,
> I checked in there and I do not see any entries.
>
> Thanks
>
> "Meinolf Weber" wrote:
> > Hello Shan,
>
> > No that trust I do not mean. Open Active directory Domains and trusts and
> > check if there is an entry.
>
> > Best regards
>
> > Meinolf Weber
> > Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> > no rights.
>
> > > Hi Meinolf,
>
> > > Ok I have changed the DNS entry to its own IP. This is a stand alone
> > > domain. How can I use trust for this domain? Should I use "Trust
> > > computer for delegation" check box in the Computer properties?
>
> > > Thanks
>
> > > "Meinolf Weber" wrote:
>
> > >> Hello Shan,
>
> > >> The configuration is ok, but I would change the DNS entry from
> > >> 127.0.0.1 to the real ipaddress of the server. If you will have more
> > >> than one DNS server you run in trouble with the Loopback ip
> > >> configuration.
>
> > >> For the event id check this one:
>
> > >> http://www.eventid.net/display.asp?eventid=5513&eventno=484&source=NETLOGON&phase=1
> > >> Do you use a trust to another domain or have you used it?
>
> > >> Best regards
>
> > >> Meinolf Weber
> > >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> > >> confers
> > >> no rights.
> > >>> OK.. Here is the ipconfig /all
> > >>> C:\Documents and Settings\Administrator>ipconfig /all
> > >>> Windows IP Configuration
> > >>> Host Name . . . . . . . . . . . . : apdc01
> > >>> Primary Dns Suffix . . . . . . . : alsplumbing.lcl
> > >>> Node Type . . . . . . . . . . . . : Hybrid
> > >>> IP Routing Enabled. . . . . . . . : No
> > >>> WINS Proxy Enabled. . . . . . . . : No
> > >>> DNS Suffix Search List. . . . . . : alsplumbing.lcl
> > >>> Ethernet adapter Local Area Connection:
> > >>> Connection-specific DNS Suffix . :
> > >>> Description . . . . . . . . . . . : Broadcom NetXtreme 5721 Gigabit
> > >>> Controller
> > >>> Physical Address. . . . . . . . . : 00-12-3F-24-45-AC
> > >>> DHCP Enabled. . . . . . . . . . . : No
> > >>> IP Address. . . . . . . . . . . . : 10.1.0.2
> > >>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> > >>> Default Gateway . . . . . . . . . : 10.1.0.254
> > >>> DNS Servers . . . . . . . . . . . : 127.0.0.1
> > >>> After I renamed one of the computers it apparently disconnected
> > >>> computer AP021.
> > >>> EVENT Viewer shows
> > >>> Event Type: Error
> > >>> Event Source: NETLOGON
> > >>> Event Category: None
> > >>> Event ID: 5513
> > >>> Date: 9/8/2007
> > >>> Time: 1:36:50 PM
> > >>> User: N/A
> > >>> Computer: APDC01
> > >>> Description:
> > >>> The computer AP021 tried to connect to the server \\APDC01 using the
> > >>> trust
> > >>> relationship established by the ALSPLUMBING domain. However, the
> > >>> computer
> > >>> lost the correct security identifier (SID) when the domain was
> > >>> reconfigured.
> > >>> Reestablish the trust relationship.
> > >>> For more information, see Help and Support Center at
> > >>> http://go.microsoft.com/fwlink/events.asp.
> > >>> "Meinolf Weber" wrote:
>
> > >>>> Hello Shan,
>
> > >>>> Logon problems often have to do with bad DNS configuration. Please
> > >>>> post an ipconfig /all from the server and one client. Also check on
> > >>>> the domain controller for errors in the event viewer and post them
> > >>>> also here.
>
> > >>>> Best regards
>
> > >>>> Meinolf Weber
> > >>>> Disclaimer: This posting is provided "AS IS" with no warranties,
> > >>>> and
> > >>>> confers
> > >>>> no rights.
> > >>>>> I'm using W2K3 Standard edition with Active directory. Every time
> > >>>>> I add a new machine on this server next day one of the domain user
> > >>>>> complains about that they can no longer login to the server. I
> > >>>>> try everything but the only way that user can login is if I change
> > >>>>> the machine name to something else. And as soon as I do that
> > >>>>> another machine fails to login. Any help in this matter is greatly
> > >>>>> appreciated.
>
> > >>>>> Thanks
From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: Domain Rename
Date: 09/28/2007 01:12:38

Hello,
Problems are not directly on Active Directory, but everything around that
uses it!
Our domain rename experience:
http://lordoftheping.blogspot.com/2006/07/domain-rename-done.html
http://lordoftheping.blogspot.com/2006/08/post-domain-rename-sms-iis-wsus-down.html
Jorge's posts:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/24/154.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/24/1037.aspx
--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"Trev" <trevor.dodds@gmail.com> wrote in message
news:1190959206.331758.102020@g4g2000hsf.googlegroups.com...
> Hi,
>
> we are running a Windows 2003 Native Domain in both our Root level
> domain and Child Level, we have over 12 DC's country wide with 8
> Exchange 2003 SP2 servers and roughly 3000 workstations. How
> successful is the rendom tool? Of course this will be tested in a test
> environment but I would like to hear from anyone else that has done a
> domain rename.
>
> Thanks
> Trevor
>