Member Server in DMZ

Tutorials Win: Microsoft Windows Forum

- Previous
  - 1
    - Folder Redirection Error with Documents folder Hello, We operate under Windows Server 2003 R2 with 15 Windows XPsp2 and 1 Vista laptop. All XP laptops are redirecting just fine with the GPO; however, the solo Vista machine (which is mine) is having problems with redirecting one folder. Pictures, Music, and Videos have redirected to the server (NOLDC1) fine. The Documents folder is the one that is having problems. I receive the below error in the event log. Failed to apply policy and redirect folder "Documents" to "\\noldc1\users$\kbullock". Redirection options=9021. The following error occurred: "Folder can not move because there is non redirectable folder at the same path". Error details: "Access is denied.". I've also noticed an exact duplicate of kbullock folder inside of my profile. I don't know what's going on here. Can anyone shed some light and help me out here? Thanks. Kenny Tag: Member Server in DMZ Tag: 134577
  - 2
    - Authoritative Restore Question on the proper way to had this particular authoritative restore using the ntdsutil restore subtree. In the past with authoritative restores of an OU I haven't had any issues restoring an OU and all objects within. Recently I had a situation where an OU was deleted along with sub-OUs. One of the sub-OUs needed to be restored without restoring the other sub-OUs. I trying to do an authoritative restore twice without success as I would expect it. First attempt, I recreated the parent OU then performed the authoritative restore of the child OU. Second attempt, I deleted the parent OU and attempted to restore the child OU. In both cases immediate after the restore and reboot I could see the restored OUs and objects. But once replication occurred they disappeared. If I did a find on the user objects in the child OU I could find them through ADUC, but the OU could not be seen through expanding the OU structure. This is because in both cases the parent OU was still a deleted object in the deleted objects container (isDeleted=true). However the child OU was not deleted (isDeleted = NULL). How would I go about doing an authoritative restore of a child OU and a parent OU with out bring back all the other child OUs of that parent? Tag: Member Server in DMZ Tag: 134575
  - 3
    - Change notification using AD Hi There, lI am using AZman with authorization store stored in xml file. And I was creating a file system watcher on this xml file and when an administrator modifies the store using Azman mmc, the event was raised and I would notify all the interested parties. But now I want my azman store to be in ADAM. Do we have any mechanism/apis to know when the azman store is modified? What is the best practice in these scenarios? i found this http://msdn.microsoft.com/en-us/library/ms676877(VS.85).aspx which is in managed C++ , since most of the ldap apis are wrapped in System.directoryservices , i was thinking if it is possible to use .net libraries to achieve the above mentioned(getting the notification) behavior. Thanks for your time. Dee Tag: Member Server in DMZ Tag: 134572
  - 4
    - How do I disable Drag N Drop i AD Users & Computers? How do I disable Drag N Drop i AD Users & Computers? Tag: Member Server in DMZ Tag: 134564
  - 5
    - Migration from 2003 DC to 2008 DC Dear, i have windows 2003 domain controller and also 2 additional domain controllers, now i want to migrate it to 2008 domain controller. how it is possible? Rgds, Nasir karim -- Message posted via WinServerKB.com http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-ad/200808/1 Tag: Member Server in DMZ Tag: 134555
  - 6
    - Adding a Windows 2003 R2 DC into a 2000 Domain Morning all, This is my current setup, I have 2 DC in my enviroment, one is a 200 server and the second is a 2k3 server, now what i want to do i introduce a wk3 r2 server into the enviroment, and make it the primar DC. If i run a "netdom query fsmo", this is the result, i have removed th domain in the results C:\Program Files\Support Tools>netdom query fsmo Schema owner server1 Domain role owner server2 PDC role server2 RID pool manager server2 Infrastructure owner server2 The command completed successfully. When i run a "schupgr" this is the result. C:\Program Files\Support Tools>Schupgr.exe Opened Connection to SERVER1 SSPI Bind succeeded Current Schema Version is 30 Upgrading schema to version 30 Schema has already been changed in another DC in this are made to this DC. Rerun setup to upgrade this DC Now i want the new Wk3 R2 server to have all the responsiblity, Roles DNS, DHCP etc... Oh yeah, i also have Exchange 2000 running on SERVER1, will thi upgrade impact Exchange at all? Whats the next step. Thank -- Wazz ----------------------------------------------------------------------- Wazza's Profile: http://forums.techarena.in/members/wazza.ht View this thread: http://forums.techarena.in/active-directory/1023028.ht http://forums.techarena.i Tag: Member Server in DMZ Tag: 134553
  - 7
    - Share Point Error #50070 I had an erlier post regarding a Share Point Error in the Event Log which is writing itself in every 5 seconds. I had a reply to apply a registry line KB840685, which I did. However, the error still occurs. The error is as follows: #50070: Unable to connect to the database STS_Config on xxxSERVER\SharePoint. Check the database connection information and make sure that the database server is running. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Any other suggestion? It is driving me mad about this error every 5 seconds. Thanks Tag: Member Server in DMZ Tag: 134552
  - 8
    - New location Hello, I currently have 1 local lan with AD (2003), some servers. Now, we have a new location linked to the central site via a mpls. I want to install a server (and users) on this new location. The users for the new site do the same job than for the central site. They connect to the central site for exchange and TSE and use the local site for files, ... What is the best to do that ? Create new AD and link it, create new site, ... ?? Thx Tag: Member Server in DMZ Tag: 134548
  - 9
    - redirecting My Documents and permissions hey I've playing around with Group Policy on my Windows Server 2003. For the purpose of learning. This is not a prodcution environment. The win2k3 machine is domain controller in my network Now I've created a Group Policy which redirect users My Documets over the a directory on the domain controller. On the domain controller I created a folder which I shared. Giving users read permissions. I wonder if only read permission is not enough. Maybe I should add write permissions to? But in the Group Policy I specified users having exclusive rights to these folders, so maybe that automatically gives it write permissons? any thoughts? Tag: Member Server in DMZ Tag: 134547
  - 10
    - determine the users have certificate installed I need to know who has certificates installed in personel certificate store and who don't.. I have 250 clients in my environment. How can i do this easily? Also i want to know if users have configured signing certificates in their outlook. I searched Google and found a registry key "AutoSign" has to be enabled in registry. But there is no autosign registry key enablen in my computer but autosign option is enabled in outlook. Tag: Member Server in DMZ Tag: 134533
  - 11
    - Join a Remote Computer? I have a corporate domain on a customer office, and, from my home, i want to have a virtual machine that is member of that domain. I have VPN access to the corporate domain already, and i have the admin login of the domain among a user account that i want to use, can i have windows XP client to join that domain over VPN and act as it was locally? I had tryied many different scenarios but any is working so far, any one can help with a guide on this? Tag: Member Server in DMZ Tag: 134525
  - 12
    - fun with indian sex moves downloadfree fun with indian sex moves downloadfree http://kumaripud.blogspot.com/ Tag: Member Server in DMZ Tag: 134522
  - 13
    - Using Active Directory (without any admin account) for checking if Hello, I'm programming in VS2003-ASP.NET 1.1. My web app is running on a Windows Server 2003. The user has to login into the web app using its account and password of the Active Directory (AD). I have this problem: How can I check if a domain account, that tries to login, has been disabled or password has expired? I use the System.DirectoryServices.DirectoryEntry class, but for security reasons we don't want to user any admin user account to get information of the account trying to login. Say that account "jdoe" has been disabled, or its password has expired in AD. If user tries to login, the web app should show some message about acount disabled or password expired. My code: Dim Domain As String = "DOMAINXXX" Dim sUserName="jdoe": Dim sPassword="jdoe_password" Dim myEntry As System.DirectoryServices.DirectoryEntry = New System.DirectoryServices.DirectoryEntry("LDAP://" & Domain, sUserName, sPassword, System.DirectoryServices.AuthenticationTypes.Secure) myEntry.Username = sUserName myEntry.Password = sPassword Dim mySearcher As System.DirectoryServices.DirectorySearcher = New System.DirectoryServices.DirectorySearcher(myEntry) Dim myResult As System.DirectoryServices.SearchResult mySearcher.Filter = "(&(objectCategory=person) (objectClass=user)(userPrincipalName=" & UserName & "*))" myResult = mySearcher.FindOne Dim x as String = myResult.Properties("sAMAccountName")(0) ''<-- it gets 'jdoe' Dim y as String = myResult.Properties("userAccountControl")(0) ''<-- it gets Nothing If I'd get 514 or 512 from myResult.Properties("userAccountControl") (0), then it would be able to determine if account has expired or not. But it gets Nothing However, if myEntry.Username = "any_admin_account" then it works ! I had put this question on the ASP.NET zone, but I've been told that the reasons I get Nothing from myResult.Properties("userAccountControl")(0), could be because of settings on the domain or the AD. Sorry if I have put my question in the wrong area, but maybe you guys could help me with some advices. Many Thanks Tag: Member Server in DMZ Tag: 134508
  - 14
    - Any effect on Windows 2003 envir.? Hi all, I want to introduce one windows 2008 member server to windows 2003 envir. with Windows 2003 DCs. Will it affect my schema or windows 2003 DCs? thank you. Tag: Member Server in DMZ Tag: 134464
  - 15
    - workstations & server times Hi all, Is it possible to configure all member workstations & servers in our domain to sync their date/time with a central server? We have 2 DCs and either one would be OK We also have an ISA server on our network. So would we have to open up any firewall permissions? Any articles on how to do this would be greatly appreciated. TIA! Tag: Member Server in DMZ Tag: 134457
  - 16
    - Group Policy - Maximum Password Age OK, this is weird.... In Group Policy we have the Default Domain set to Disabled. However, even though it is set to Disabled it does have settings in it from when it use to be Enabled. One of the settings is that the Maximum Password Age is set to 90 Days. Ok, now in the Group Policy we have set and enabled on the OU for where my user's and computers reside we have the Maximum Password Age set to 45 Days. Now this is where it gets weird... even though everything I look at (GP Modeling, GP Results, etc) says that the Maximum Password Age is set to 45 Days, it appears that the passwords do not expire until they reach 90 Days? Any Ideas on this? Tag: Member Server in DMZ Tag: 134436
  - 17
    - Create a site over WAN link I'm working on diagraming out a new AD site design for our single domain network. We have 3 physical locations. 1. Data center facility with all servers (file, app, web, AD and Exchange) 2. Main campus (about 1000 users), currently no servers 3. Satellite office (about 100 users), currently no servers WAN connection between Data Center and Main campus is 100Mbit. Should AD sites represent physical locations, or if there is a high speed highly available WAN link, can a site encompass more than one physical location. I'm looking for best practice design geared toward high availability in the event of connectivity disruption. Currently I have two sites defined. One for the Data Center and main campus and one for the satellite office. I've placed one ADDC at the Data center and one at the main campus. Both are GC's with AD integrated DNS. Exchange will be hosted at the data center. I also have a ADDC that is a GC with integrated DNS at the satellite office. This office will also have a high bandwidth highly available WAN link, but not as fast as the one between the DC and the main campus. Any suggestions on this approach would be greatly appreciated. Thank you. Tag: Member Server in DMZ Tag: 134435
  - 18
    - Query Based Distribution Group We are looking at implementing QDQ in our environment. We have about 13,000 users. We first one we want to create is for everyone that has an Exchange mailbox. I have done some research to find out what the requirements and recommendations are and found out that our DCs will be able to handle the load. They have enough processing and memory capacity. What I am curious about that I have not been able to find, but think I remember from something is the results size of each QDG. Is there a recommended limit on the number of results that a single QDG should return. For our example of creating a goup to list everyone with a mailbox, we initially thought we would create a univeral group and nest the QDG in that. We would create one QDG for each mailbox server. Each Mailbox server has about 3000 mailboxes. I do not know if that is too large for one QDG. Should we break each server down to the database level where it would only return ~200 results and nest those into a server based group? Any advice, hints, articles and knowledge would be wonderful. Thank you. Pete Tag: Member Server in DMZ Tag: 134377
  - 19
    - What backups for DC and DNS etc? Hi, I'm in the process of reviewing our backup procedures for our Active Directory and DNS (and DHCP). (My setup is as follows): Domain A - root forest - 4 domain controllers over 3 sites. (2 at the main and these hold most roles). The main server in each site is a GC, DHCP and DNS. I was thinking i would back up the system state of one main DC in each site? IS this enough or should i backup ALL? Is System State enough to be backing up? Does this include everything? If a DC goes down we do not mind so long as we have others - i am confortble with seizing roles and demoting and promoting and tidying up AD etc. However i want to protect against worse case scenario. It is important for AD to be backed up, DHCP and DNS. I believe we use some corperate Symantec product so imagine it able to do most things so long as i know what to back up.... Thanks. Tag: Member Server in DMZ Tag: 134343
  - 20
    - Servers in Sites & Services We have a 2003 AD. In Sites & Services, under Default First Site Name we have 4 servers. 2 of them are the DCs with DNS. The other 2 are just member servers. These 2 might have been DCs at one time. Should these be removed? -- Thanks! Tag: Member Server in DMZ Tag: 134342
  - 21
    - Forest functional upgrade not possible Iâ??m having trouble upgrading the forest functional level in a test environment, and am wondering if any light can be on the issue. (Sorry, for the length of this initial post, but I thought it best to include as much as possible). When attempting to raise the forest functionality to Windows 2003 (logged in to holder of all root FSMOs with Enterprise admin account) I receive the followign error; â??The forest functional level could not be be raised. This may be due to replication latency. Please wait about 30 minutes and try again.â?? I first got this error two weeks ago, so replication latency can be ruled out (replication health checked numerous times during this period). More specifically if I raise the NTDS service logging level to 5 for 9 (Internal Processing), 8 (Directory access) and 16 (LDAP interface events) I get three events logged when I try to raise forest functional level; 1535, 1175 and 1481. The detail of these events are; Source: NTDS General Category: Internal Processing Event ID: 1481 Description: Internal error: The operation on the object failed. Additional data: Error value: 5 00002179: SvcErr: DSID-030F12D4, problem 5003 (WILL_NOT_PERFORM), data 0 Source: NTDS General Category: Directory Access Event ID: 1175 Description: Internal event: A privileged operation (rights required = 0x) on object CN=Partitions,CN=Configuration,<FOREST ROOT> failed because a non-security related error occurred. Source: NTDS LDAP Catoegry: LDAP Interface Event ID: 1535 Internal event: The LDAP server returned an error 00002179: SvcErr: DSID, 030F12D4, problem 5003 (WILL_NOT_PERFORM), data 0 Error 2179 is ERROR_DS_NO_BEHAVIOR_VERSION_IN_MIXEDDOMAIN, which indicates that one or more domains are still in mixed mode. However this is not the case. The test domain has a placeholder root domain (single DC) and a production domain (three DCs), both of which are at Windows 2003 level, and this value (domainFunctionality=2) is consistent across all DCs). This test environment Iâ??ve been asked to use, has unfortunately not been maintained properly. When I got to it I found that it even had a â??deadâ?? domain referenced (another one below the placeholder root). I tidied this up using NTDSUTIL, including removign the domain and the domainDNSzones partition, and can no longer find any reference to it in the configuration container, or as a trust in other domains, but I canâ??t help feeling that some residue of this domain is causing the issue. The following steps have been taken as troubleshooting steps; â?¢ Replication confirmed as healthy. (repadmin /replsum) â?¢ Domain controllers confirmed as healthy (dcdiag /c/v/d, /test:verifyenterprisereferences) â?¢ Netdiag /v on all DCs â?¢ Only expected partitions in cn=partitions,cn=configuration,<FOREST ROOT> â?¢ No references to failed domain in Configuration partition (dumped using ldif and scanned) â?¢ All DCs are now at sp2 (were at sp1 before) â?¢ 2 * DomainDNSZones deleted and recreated â?¢ No obsolete computer objects in Sites and Services â?¢ No obsolete _msdcs references, or reference to â??deadâ?? domain â?¢ Schema and Enterprise admins are universal groups â?¢ Forest prep logs (for 2K3 update) are still available and donâ??t report any error â?¢ No unexpected computers think theyâ??re DCs (userAccountControl 8192) â?¢ Lost and found objects deleted â?¢ CNF objects deleted â?¢ Lingering objects cleared down (there were a lot of these on the root DC in the child partition) â?¢ FSMO roles are reporting correctly (netdom query fsmo) when checked from each DC. These are as per appropriate fsmoRoleOwner attributes. â?¢ Enterprise Admins and Enterprise Domain Controllers seem to have appropriate rights (compared with other environments) to the partitions (at root of partitions, and in CN=Partitions container), and the Partitions container in Configuration partition. â?¢ Thirteen attributes are added to the global catalog as part of the forest functional update. To rule this out I manually added the attributes to the PAS with the Schema GUI. â?¢ ntmixedDomain value on all DCs=0. â?¢ No obsolete security descriptors on CN=Partitions or itâ??s content partitions â?¢ INITSYNC has been set to be skipped (Repl Perform Initial Synchronizations = 0) â?¢ â??Everyoneâ?? has Access this computer from the network right â?¢ userAccountcontrol for all DCs is 532480 Two other errors have also been received, but havenâ??t helped me so far. Whenever a DC is rebooted the following error is received; Source: NTDS Category: Internal Processing Event ID: 1481 Description: Internal error: The operation on object failed. Additional data Error value 2 000020EF: NameErr: DSID-032500F4, problem 2001 (NO_OBJECT), data -1603, best match of: â??â?? 20EF = ERROR_DS_UNKNOWN_ERROR ====== I tried using ADMOD to â??manuallyâ?? update the msDS-Behaviour-Version value (recommended in a post elsewhere by Joe Richards), and got the following error; DN Count: 1 Using server: <ROOTDC>.<FOREST ROOT>:389 Directory: Windows Server 2003 Modifying specified objects... DN: CN=Partitions,CN=Configuration,<FOREST ROOT>... Extended Error: 00000057: LdapErr: DSID-0C090A85, comment: Error in attribute conversion operation, data 0, vece ERROR: Too many errors encountered, terminating... The command did not complete successfully x57= LDAP_FILTER_ERROR I couldnâ??t get any further with these errors. Thanks in advance for any help. Regards Gordon Tag: Member Server in DMZ Tag: 134338
  - 22
    - RENDOM or ADMT Hi I have inheritted a poorly named single level domain and am looking to either rename it or to migrate the business to a new domain and suitable domain name. Currently the domain is named in the format domain.domain.company.com and really only needs to be company.com We have around 150 users but they only use AD for authentication as we have linux based DNS (to be replaced by A integrated shortly) and linux file&print servers. 1> I am after opinion as to whether to rename the domain or migrate to a new AD domain on a new box. 2> I understand by doing this I can also migrate local profiles so end users won't see the change, is this correct? 3> Do I install AD integrated DNS before i start either process? I can answer any questions if I am not clear enough Cheers Andy Tag: Member Server in DMZ Tag: 134336
  - 23
    - Security analysis We have one-place branch office and we'd like to create security analysis of our services, checking procedures and make new procedures and rules. As first step we'll run Microsoft Best Practices Analyzers (for Exchange, GPO, SharePoint, SystemStateAnalyzer, ...) and follow Microsoft Instrastructure Optimization to identify our currently position in IT software and hardware world. Can you please advice any other SW / procedure to follow formal procedure...? p.s. sorry for crosspoting Thnx. Tag: Member Server in DMZ Tag: 134334
  - 24
    - admin pack vista & terminal profile tab Installed Windows Server 2003 SP1 Administration Tools Pack on Windows Vista. In Active Directory Users and Computers when you pull up the properties of a user account the Terminal Services Profile tab is missing. This is not just the case on my installation. The Terminal Services Extension in MMC is missing. How do we make this available? Tag: Member Server in DMZ Tag: 134325
  - 25
    - DCDIAG Error Sometimes Exchange 2007 had problem connecting to the DC (cannot find DC) I then started to run a dcdiag and got some DNS errors which I think I fixed. Now when I run a DCdiag it passes all the test without one of which I have attached the log from DCDIAG below. I have no idea what that could be. Could anyone please point me to the right direction. I really would appreciate. Thanks in advance. Starting test: frsevent ......................... SCTDC passed test frsevent Starting test: kccevent An Error Event occured. EventID: 0x0000025C Time Generated: 08/18/2008 11:03:20 Event String: NTDS (476) NTDSA: Locale ID 0x0000041e (Thai ......................... SCTDC failed test kccevent Starting test: systemlog An Error Event occured. EventID: 0x00000457 Time Generated: 08/18/2008 11:02:39 (Event String could not be retrieved) An Error Event occured. EventID: 0x00000457 Time Generated: 08/18/2008 11:02:39 (Event String could not be retrieved) An Error Event occured. EventID: 0x00000457 Time Generated: 08/18/2008 11:02:39 (Event String could not be retrieved) ......................... SCTDC failed test systemlog Tag: Member Server in DMZ Tag: 134317
- Next
  - 1
    - Minimum security settings of computer accounts for allowing domain user account to join domain Hi ALL, I'd like to configure the security settings for the computer accounts that only allow domain user to join domain (nothing else, including changing computer account name,etc.). I tried to create a dummy computer account using (Active Directory Users and Computers -> New Computer Wizard) and specified a domain user account in the "The following user or group can join this computer to a domain". The domain account can join domain but also can modify the computer name (Simply change the computer name in the Windows client, the computer account will be modified after reboot). Do anyone know what is the minimum security settings of the computer account object so that the domain account can only have join domain privilege, no others, especially change the computer account name? TIA M C Tag: Member Server in DMZ Tag: 134315
  - 2
    - Problem After Creating Home Folder with vbs script Hello, I have a script that creates users, assigns them to security groups and creates and sets a home folder. Here is an excerpt: 'Create home folder Set objFSO = CreateObject("Scripting.FileSystemObject") Set objFolder = objFSO.CreateFolder("\\terra\home\2010\" & strSAMAccountName) 'Set permissions Set oShell = wscript.CreateObject("Wscript.Shell") oShell.Run "%COMSPEC% /c Echo Y| cacls \\terra\home\2010\"& strSAMAccountName & " /t /e /g Administrators:F "& strSAMAccountName & ":C /R Students", 2, True 'Set home directory and home drive objNewUser.Put "homeDirectory", "\\terra\home\2010\" & strSAMAccountName objNewUser.SetInfo objNewUser.Put "homeDrive", "H" objNewUser.SetInfo At the end of the script, everything looks good. Permissions are set properly. However, on first logon, the folder does not map in the login script. When the user tries to get to their home folder manually, xp throws a message about access to the resource being disallowed. I can fix it by going into AD Users and Computers, setting the home folder to local, applying it and then setting the home folder back to where it is supposed to be. (I'd rather not do this for the 100 plus students and users that we get at the beginning of each year. Thanks for your ideas. Steve Ediger Any ideas? Tag: Member Server in DMZ Tag: 134311
  - 3
    - Useracc dissapeared resulted in a disconneted mailbox Hi all Environment: Windows 2003 SP2 AD (No SBS2003), Exchange 2003 SP2, Win XP Clients w SP2 Problem: An AD useraccount dissapeared, no information about HOW, resulted in a lost account and a disconnected mailbox. Solution: Recover the exchange db to e RSG and recover the mailbox, accociated It to a new created user and reconnected it. Q: (I need to now what may have resulted in a deleted account when no admin with rights and knowledges has been logged on to the one Exchange server with Exchange tools, and not ot a server with ADUC tool.) 1.) Has anyone any knowledge of bugs, issues, faulty third party apps that might cause this scenario of the deleted usser account? 2.) Most important, How can I, afterwards, search how this might have happened with the deleted/removed user account (where, how, what tools etc.)? I need to find out if the account was deleted by a user and If so, who. Secondly, If not a user, what and why. Pls, any help would be highly appreciated. In this thread, suggestions of improvements are not wanted at the moment (I know that my enviroment Is poorly set up and not properly configured, will create other threads for that). TIA Henrik (Hear), MCP-SBS Tag: Member Server in DMZ Tag: 134308
  - 4
    - 2003 Server Internet DNS configuration I have 26 web sites hosted on my own web server that are public to the internet. I have 2 servers, NS1 and NS2. NS2 runs Apache web server. I would like to know if it is necessary for the domain DNS (ns2.company.net) entry to be Active Directory-Integrated. All the rest are simply primary and secondary. Tag: Member Server in DMZ Tag: 134297
  - 5
    - Folder redirection - client's profiles on multiple pcs We're looking at implementing folder redirection in an already well-established client estate. The implementation guidelines are always drawn up with the assumption of a greenfield site, or a relatively uncomplicated one-machine-per-user setup. The issue we have is where the same user might log on to several machines, and may have files scattered across these. Certainly we may have the case where exchange has invited the user to autoarchive their email onto the local hard disk, and so they will have two or more machines where a user has an "archive.pst" sitting. How does folder redirection work for a user, where their folder has already been redirected from one machine? Does it look for and use the redirected folder if it exists, regardless of the local profiles? Can they get to any files on the local machine? Thanks for your help! Tag: Member Server in DMZ Tag: 134295
  - 6
    - email address as login name I want to grant external users access to resources in our domain. Is it possible to register these users with their usernames being their own custom email addresses? How is Microsoft doing it with their passport authentication? Tag: Member Server in DMZ Tag: 134293
  - 7
    - KCC error This is a multi-part message in MIME format. ------=_NextPart_000_0015_01C90079.ECDE3C40 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable I'm configuring a additional Domain Controller, however some error = appear. The environment: UK Network and have a VPN connection to HK The dcpromo process is complete without any error and the DC is appear = at the "Active Directoty Users and Computers" Snap-ins. The erro appear = at the Event Viewer The attempt to establish a replication link for the following writable = directory partition failed.=20 =20 Directory partition:=20 CN=3DConfiguration,DC=3Dkcacad,DC=3Dco,DC=3Duk=20 Source domain controller:=20 CN=3DNTDS = Settings,CN=3DLONDONFILE,CN=3DServers,CN=3DKCALONDON,CN=3DSites,CN=3DConf= iguration,DC=3Dkcacad,DC=3Dco,DC=3Duk=20 Source domain controller address:=20 43126dc7-4083-4e14-9a77-eade6892a697._msdcs.kcacad.co.uk=20 Intersite transport (if any):=20 CN=3DIP,CN=3DInter-Site = Transports,CN=3DSites,CN=3DConfiguration,DC=3Dkcacad,DC=3Dco,DC=3Duk=20 =20 This domain controller will be unable to replicate with the source = domain controller until this problem is corrected. =20 =20 User Action=20 Verify if the source domain controller is accessible or network=20 and Event Type: Information Event Source: NTDS Replication Event Category: Replication=20 Event ID: 1557 Date: 8/17/2008 Time: 2:43:02 PM User: NT AUTHORITY\ANONYMOUS LOGON Computer: KCAHKFS Description: The local domain controller has not completed a full synchronization of = the following directory partition. The local domain controller will not = be advertised to clients by the domain controller locator service until = this task is completed.=20 =20 Directory partition: DC=3Dkcacad,DC=3Dco,DC=3Duk=20 =20 An attempt to complete a full synchronization of this directory = partition will be tried again later. For more information, see Help and Support Center at = http://go.microsoft.com/fwlink/events.asp. It seems something wrong to synchronize the domain informations. Is any = one have ideas about this? ------=_NextPart_000_0015_01C90079.ECDE3C40 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=3DContent-Type content=3D"text/html; = charset=3Diso-8859-1"> <META content=3D"MSHTML 6.00.6000.16705" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY> <DIV><FONT face=3DArial size=3D2>I'm configuring a additional Domain = Controller,=20 however some error appear.</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>The environment:</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>UK Network and have a VPN connection to = HK</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>The dcpromo process is complete without = any error=20 and the DC is appear at the "Active Directoty Users and Computers" = Snap-ins. The=20 erro appear at the Event Viewer</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2><STRONG><FONT color=3D#ff0000>The = attempt to=20 establish a replication link for the following writable directory = partition=20 failed. <BR> <BR>Directory partition:=20 <BR>CN=3DConfiguration,DC=3Dkcacad,DC=3Dco,DC=3Duk <BR>Source domain = controller:=20 <BR>CN=3DNTDS=20 Settings,CN=3DLONDONFILE,CN=3DServers,CN=3DKCALONDON,CN=3DSites,CN=3DConf= iguration,DC=3Dkcacad,DC=3Dco,DC=3Duk=20 <BR>Source domain controller address:=20 <BR>43126dc7-4083-4e14-9a77-eade6892a697._msdcs.kcacad.co.uk = <BR>Intersite=20 transport (if any): <BR>CN=3DIP,CN=3DInter-Site=20 Transports,CN=3DSites,CN=3DConfiguration,DC=3Dkcacad,DC=3Dco,DC=3Duk = <BR> <BR>This=20 domain controller will be unable to replicate with the source domain = controller=20 until this problem is corrected.  <BR> <BR>User Action = <BR>Verify if=20 the source domain controller is accessible or network</FONT></STRONG>=20 </FONT></DIV> <DIV><STRONG><FONT face=3DArial color=3D#ff0000 = size=3D2></FONT></STRONG> </DIV> <DIV><STRONG><FONT face=3DArial size=3D2>and</FONT></STRONG></DIV> <DIV><STRONG><FONT face=3DArial color=3D#ff0000 = size=3D2></FONT></STRONG> </DIV> <DIV><FONT face=3DArial color=3D#ff0000 size=3D2><STRONG>Event=20 Type: Information<BR>Event Source: NTDS Replication<BR>Event=20 Category: Replication <BR>Event=20 ID: 1557<BR>Date:  8/17/2008<BR>Time:  2:43:02=20 PM<BR>User:  NT AUTHORITY\ANONYMOUS=20 LOGON<BR>Computer: KCAHKFS<BR>Description:<BR>The local domain = controller=20 has not completed a full synchronization of the following directory = partition.=20 The local domain controller will not be advertised to clients by the = domain=20 controller locator service until this task is completed. = <BR> <BR>Directory=20 partition:<BR>DC=3Dkcacad,DC=3Dco,DC=3Duk <BR> <BR>An attempt to = complete a full=20 synchronization of this directory partition will be tried again=20 later.</STRONG></FONT></DIV> <DIV><FONT color=3D#ff0000><STRONG></STRONG></FONT> </DIV> <DIV><FONT face=3DArial size=3D2><FONT color=3D#ff0000><STRONG>For more = information,=20 see Help and Support Center at </STRONG></FONT><A=20 href=3D"http://go.microsoft.com/fwlink/events.asp"><FONT=20 color=3D#ff0000><STRONG>http://go.microsoft.com/fwlink/events.asp</STRONG= ></FONT></A><FONT=20 color=3D#ff0000><STRONG>.<BR></STRONG></FONT></FONT></DIV> <DIV><FONT face=3DArial size=3D2><FONT color=3D#ff0000><FONT = color=3D#000000>It seems=20 something wrong to synchronize the domain informations. Is any one have = ideas=20 about this?</FONT></FONT></FONT></DIV> <DIV><FONT face=3DArial size=3D2><FONT color=3D#ff0000><FONT=20 color=3D#000000></FONT></FONT></FONT> </DIV> <DIV><FONT face=3DArial size=3D2><FONT=20 color=3D#ff0000> </DIV></FONT></FONT></BODY></HTML> ------=_NextPart_000_0015_01C90079.ECDE3C40-- Tag: Member Server in DMZ Tag: 134292
  - 8
    - Suddenly DHCP server service can't start I'm getting the following errors: Event ID 1008 The DHCP service failed to start as a RPC server. The following error occurred : Not enough resources are available to complete this operation. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Event ID 1008 The DHCP service is shutting down due to the following error: Not enough resources are available to complete this operation. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Anyone has a clue??? Thanks Tag: Member Server in DMZ Tag: 134289
  - 9
    - GPO for MS office? I need a GPO for MS office 03/07 where can I download it from? Tag: Member Server in DMZ Tag: 134276
  - 10
    - promot 2003 sp2 to dc We have a 2003 DC and we want to promote a 2003 sp2 server to a dc. A message came up that we need to run adprep. would we take the adprep.exe from the sp2 server and run that on the 2003 dc? If we upgrade the 2003 dc to sp2 does it negate the need to run adprep? many thanks Ali Tag: Member Server in DMZ Tag: 134275
  - 11
    - adprep Hi I need to run adprep to allow a DC promotion. When can I find a whitepaper detailing what adprep does and available options etc... Regards Craig Tag: Member Server in DMZ Tag: 134271
  - 12
    - ADAMSync Problem with userProxy and SID? Dear all, I want to setup AD to ADAM sync and everything works fine so far. But during /sync command I get following error: Processing Entry: Page 1, Frame 1, Entry 10, Count 1, USN 0 Processing source entry <guid=bfbd971e58030f43abcabf91bfa284c9> Processing in-scope entry bfbd971e58030f43abcabf91bfa284c9. Adding target object CN=XXXXXXXXX,OU=USERS,OU=XXXXXXXXXXX,DC=XXXX,DC=XXXX,DC=XXXXX,DC=com. Adding attributes: sourceobjectguid, sn, c, l, title, description, postalCode, postOfficeBox, physicalDeliveryOfficeName, telephoneNumber, givenName, instanceType, displayName, co, department, company, streetAddress, userAccountControl, codePage, countryCode, primaryGroupID, objectSid, accountExpires, sAMAccountName, userPrincipalName, mail, mobile, lastagedchange, objectclass, Ldap error occured. ldap_add_sW: Unwilling To Perform. Extended Info: 000020E7: SvcErr: DSID-03152AA9, problem 5003 (WILL_NOT_PERFORM), data 1317 With option /force -1 all OUs and so on are created successfully. Only user objects will not be created and result in same error above. It could be something with the objectSID as stated in this link http://microsoft-programming.hostweb.com/TopicMessages/microsoft.public.metadirectory/2055221/1/Default.aspx But I've no idea how to resolve this! As background: The server which is running ADAM is not in the source domain of this snyc process. It's not in a domain at all. Thanks for any help in advance! Marc Tag: Member Server in DMZ Tag: 134262
  - 13
    - DNS change changes back by itself I changed a DNS entry on a test domain, and when I ping the machine name from that server, I get the proper (new) ip address back. When I ping it from anywhere else, I get the old value (the one I changed it from) back. It never seem to replicate properly, so I never get the new value when I ping it from anywhere except the DNS server on which I made the change. After a while, it changes back to the old entry on the DNS server where I made the change. Tag: Member Server in DMZ Tag: 134258
  - 14
    - Limit on AD fields? Is there a limit on the amount of characters that can be entered in physicalDeliveryOfficeName ('Office' field)?? We use qwests active roles and I receive an error when entering more than 128 characters. I do not see any policies in Active Roles to limit this. Thanks! Tag: Member Server in DMZ Tag: 134250
  - 15
    - Security for Active Directory LDAP Utilities Any articles I can read on how to be able to tighten the ability for "any" users to query Active Directory and modify it with the command line utilities and LDAP? How to create groups that only access using this service? Tina Tag: Member Server in DMZ Tag: 134243
  - 16
    - Additional Domain Controller requirement. I have Win2k3 Ent. Edition with SP1 running as Domain Controller holding all five roles.I have other member server with Win2k3 Standard SP2 running SQL Server 2005 with CRM server.I want to make this machine ADC of root domain controller alongwith making it a global catalogue server. suppose after making this changes successfully, will my exchange server 2003 running on separate machine able to function correctly in case my root domain controller cease to function correctly. Furthermore, making a server ADC running SQL Server 2005 and CRM is recommended or not since i have only this machine to make it ADC? THis machine is located within same LAN not across another SITE. regards Tag: Member Server in DMZ Tag: 134239
  - 17
    - Move users between DL's? Is it possible, preferably using some tool, to move users from one distribution list to another? Tag: Member Server in DMZ Tag: 134237
  - 18
    - GUI for ADAM Hi, Is there a GUI available for ADAM? Tag: Member Server in DMZ Tag: 134235
  - 19
    - replication and smtp address problem Hi, When i want to replicate with a dc in my forest i get the error below. That domain can replicate from my domain, but i cannot replicate from that domain. I couldn't solve this problem, has anyone got an idea? --------------------------- Replicate Now --------------------------- The following error occurred during the attempt to synchronize naming context ForestDnsZones.xxx.root from domain controller XXXXXSERVER1 to domain controller XXXDC1: The naming context is in the process of being removed or is not replicated from the specified server. This operation will not continue. --------------------------- OK Tag: Member Server in DMZ Tag: 134229
  - 20
    - Cannot login to domain controller The problem: "Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance." For the most part everything is working fine. Occasionally Iâ??ll get the above message and I can fix it by leaving the domain and joining it again. Sometimes the problem will come back in a few days, sometimes weeks later. On other workstations after correcting it once the problem never returns. I donâ??t see any errors generated in the workstation or domain controller event logs. The workstation has the correct DNS for the domain controller. It can ping the DNS controller. It can leave and join the domain with no problems at all. The problem seems to happen mostly to laptop users that take their PC away from the domain for a few days, but itâ??s not isolated to these users. It has happened to desktop users too. The server is running Windows Server 2003 R2. Itâ??s connected to another domain controller via a VPN using Logmein Hamachi. I have another location with the same configuration with but it does not experience the same problems. Any ideas on what can be causing the problem? Tag: Member Server in DMZ Tag: 134228
  - 21
    - Allowing users to update their own AD user information displayed in GAL? What is the most recommended tool/solution for allowing users to effectively update their own Active Directory user information (all informational fields) that is displayed in the GAL? Thank you. *note: All 2003 environment (AD, Exchange and Outlook). Tag: Member Server in DMZ Tag: 134224
  - 22
    - Restrict Administrators and Users from Joining Computers to the Do We would like to restrict all users and administrators from joining computers to the domain unless a computer account has already been created or "staged" in the Active Directory Users and Computers tool. We have a Windows 2003 domain. Does anyone know how to do this? Thank you for any and all comments clues...! Tag: Member Server in DMZ Tag: 134217
  - 23
    - Local administration and Group Policy Is there a was to add a new user as a Local Administrators on a PC thru Group Policy...without removing any current users (also Local Administrators) that are already on that PC. I know I can manually add directly on that PC, but curious if there is a way thru GPO. Thanks. Tag: Member Server in DMZ Tag: 134214
  - 24
    - Is there a way to get all the policy configurations for AD I am trying to find a way to pull all the Active Directory group policy configurations off a domain controller into some readable/ downloadable format. Anyone have any ideas? Thanks. Tag: Member Server in DMZ Tag: 134210
  - 25
    - Security Account Manager Initialization failed. This is what I'm trying to fix. My win2k3 DC server, keep getting the error "Security Account Manager Initialization failed because of the following error: Directory Service cannot start: error status 0xc00002e1. Please..... Reboot into Directory service restore mode...." I know to the fix this error I must use safe mode, but When I try to get to safe mode, I get the error "c:\window\system\Services.exe terminated unexpectedly and Status Code -1073741819 click ok to reboot" after taking a long time. Sorry if I post this before. -- Rich Tag: Member Server in DMZ Tag: 134201

I have done some research and know this is generally a bad idea, but... how
would one go about running a Member server joined to a domain (i.e.
domain.local) but reside in the DMZ?

I've looked at ADAM and using IPSec and such things. I'm basically looking
for the best approach to this. There are some internet applications that my
organization would like to authenticate to AD.

Thank you.

Top

Re: Member Server in DMZ by Jorge

Jorge
Tue Aug 19 09:40:48 PDT 2008

Hi
To secure a member server in DMZ, allow only what needs to be allowed in the
firewall, use certificates for communications and Apps. Depending of your
needs and apps, there're multiple designs that can be followed. You can also
search at security ngs.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Top