Would Active directory application mode work in this scenario?

Tutorials Win: Microsoft Windows Forum

- Previous
  - 1
    - 802.1x, Computers, Wired Security Howdy, I am trying to setup 802.1x using HP's IDM and W2K3 IAS. I am able to get the user to authenticate to IAS once they have logged on to Windows. The problem is I cannot get the computer to authenticate which is an issue because none of the GPO's will be refreshed at boot up. I've exported my CA's root certificate and have imported it into a GPO so that I can see it listed under Trusted Root Certification Authorities on the client so I'm not sure what I am missing. Does the client computer need to have a cert? Here is my setup and the error from the IAS server is below... DC1 - AD/DNS/DHCP/IAS Primary/IDM Agent DC2 - AD/DNS/DHCP/IAS Secondary/IDM Agent/Enterprise Root CA Event Type: Warning Event Source: IAS Event Category: None Event ID: 2 Date: 7/11/2008 Time: 9:13:50 AM User: N/A Computer: DC1 Description: User host/stations20dcnb.domain.com was denied access. Fully-Qualified-User-Name = DOMAIN\STATIONS20DCNB$ NAS-IP-Address = 192.168.73.2 NAS-Identifier = CORE2 Called-Station-Identifier = 00-17-08-cc-2f-00 Calling-Station-Identifier = 00-17-a4-d7-6b-45 Client-Friendly-Name = CORE2 Client-IP-Address = 192.168.73.2 NAS-Port-Type = Ethernet NAS-Port = 93 Proxy-Policy-Name = Use Windows authentication for all users Authentication-Provider = Windows Authentication-Server = <undetermined> Policy-Name = <undetermined> Authentication-Type = Extension EAP-Type = <undetermined> Reason-Code = 21 Reason = The request was rejected by a third-party extension DLL file. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Data: 0000: 00 00 00 00 .... Thanks ! Tag: Would Active directory application mode work in this scenario? Tag: 132250
  - 2
    - Merging active directory + NT4 domain I am part of of a large government organisation which has recentl merged with another much smaller organisation. Our organisation is stil running an NT4 domain with Exchange 5.5 - however the smalle organisation already has an active directory installed, but n centralised email system. We are planning to set up a new Active Directory for the entire ne organisation, however there is a very strong push to give the smalle organisation access to Exchange before this takes place. Managements current idea is to set-up a separate Exchange server in the Exchange 5. site and then grant access to the smaller orgs AD via a domain trust. I feel that they are going about this the wrong way and that we shoul migrate/merge as follows: 1) upgrade the NT4 domain to AD (still running Ex5.5) 2) install an Ex2003 into the new AD 3) do an AD migration of the smaller org into the new AD and give thes users accounts on the Ex2003 server 4) migrate the Ex5.5 users to Ex2003 Does anyone have any ideas/recommendations? Thanks Rya -- Rhynova ----------------------------------------------------------------------- Rhynovan's Profile: http://forums.techarena.in/member.php?u=5290 View this thread: http://forums.techarena.in/showthread.php?t=99949 http://forums.techarena.i Tag: Would Active directory application mode work in this scenario? Tag: 132245
  - 3
    - AD user account Security modified automatically? OK, I have a good one for all AD guru's... Domain Windows 2003 (SP2), SINGLE DC I have an account (I admit, MINE, the network admin) wich for some reason, when I add an account (a Blackberry related, so SEND AS is enabled) to the security tab, it keeps disapearing away at interval (have not look at exactly, so I suspect it is a default AD review time), even if that Blackberry account is also propagated to all the other users in the same OU I am a member. I tried auditing, I am uncertain exactly WHAT I should auti to find the reason behind this. I can't think of any kind of exceptions or Group policies that could cause that Blackbery account to be removed from my security Anyone with an idea or troubleshooting steps? Or more so, how to force whatever event is removing the account so I can more easily find it in the security event log? Thank you in advance! Tag: Would Active directory application mode work in this scenario? Tag: 132243
  - 4
    - watch actress profile and photo watch actress priyamani photo watch actress profile and photo watch actress priyamani photo http://priyamaniforyou.blogspot.com/ Tag: Would Active directory application mode work in this scenario? Tag: 132241
  - 5
    - A HOT NEWS FOR MICROSOFT USERS............ It's really a hot news for everyone http://polticsinfs.blogspot.com/ Tag: Would Active directory application mode work in this scenario? Tag: 132239
  - 6
    - watch actress profile and photo watch actress priyamani photo watch actress profile and photo watch actress priyamani photo http://priyamaniforyou.blogspot.com/ Tag: Would Active directory application mode work in this scenario? Tag: 132234
  - 7
    - DC failure Hi What will be the impact to the member servers if my DC is down. Let' say all my DC are down. We are trying to find out how the member server will be affected if the DCs are down. We have cluster servers and membe servers. Can someone advise us on this? Thank -- Domo ----------------------------------------------------------------------- Domon's Profile: http://forums.techarena.in/member.php?u=4809 View this thread: http://forums.techarena.in/showthread.php?t=99940 http://forums.techarena.i Tag: Would Active directory application mode work in this scenario? Tag: 132229
  - 8
    - Prestage computer account and Windows Deployment Hi I would like to know how I can prestage a computer account in our AD so I can use it with our Windows Deployment server? /Lasse Tag: Would Active directory application mode work in this scenario? Tag: 132228
  - 9
    - rendom, ADSIEdit, and GPUpdate issues I appear to have the problem indicated in: http://support.microsoft.com/kb/896983/en-us 1. The "link below" to "rendom.exe" doesn't exist in that link. 2. Using ADSIEdit a) I don't see the rootTrust or trustParent attributes and b) I don't see how you would add or remove an attribute even if I found it. 3. The only cross-ref object I'm seeing is under Schema. Am I even close? Tag: Would Active directory application mode work in this scenario? Tag: 132219
  - 10
    - Where is Admin account being used? Hello, I am working with a domain where the main Administrator account has been (stupidly) used as a service account somewhere on the nework. The password has been changed for this, and now i am seeing many many events where the administrator account has attempted to logon, but cannot as the password is wrong. As this is the main admin account, it is not locked out, but i would like to know how to find out where the account is being used from. This would be handy to audit other accounts floating on the network also. Cheers. Tag: Would Active directory application mode work in this scenario? Tag: 132218
  - 11
    - AD Administrator account - where is it being used? Hello, I am working with a domain where the main Administrator account has been (stupidly) used as a service account somewhere on the nework. The password has been changed for this, and now i am seeing many many events where the administrator account has attempted to logon, but cannot as the password is wrong. As this is the main admin account, it is not locked out, but i would like to know how to find out where the account is being used from. This would be handy to audit other accounts floating on the network also. Cheers. Tag: Would Active directory application mode work in this scenario? Tag: 132217
  - 12
    - We, www.chinadvdwholesaler.com, located in China, are specialized in Dear Sir or Madam. 1.What we are: We, www.chinadvdwholesaler.com, located in China, are specialized in the wholesaling and distributing of varies of DVD, VCD, MOVIE, TV SHOW, etc with high quality and competitive price. 4. Our Products: Nearly all the popular titles are available in our store, recently we have Sopranos, Stargate, Star trek, Star War, CSI,Baby Einstein, La Femme Nikita,007,West Wing, Friends, Sex and the City, Desperated Housewives etc on sell. All DVDs are Chinese original release, region free and NTSC/PAL format compatible, will play on all region code DVD players with original English audio. Please feel free contact us for the details 5. Contact : E-mail : sales@chinadvdwholesaler.com Website : www.chinadvdwholesaler.com Tag: Would Active directory application mode work in this scenario? Tag: 132216
  - 13
    - Creating Subdomains and routing emails Hello, We have Windows 2003 domain called abc.com. I want to create a subdomain caled marketing.abc.com. We need to create users with address name@marketing.abc.com under AD. What is the best way of approaching this? We also run Exchange 2003 at this primary site. What needs to be configured for routing mails addressed to this subdomain? Also, will this cause issues to current root domain, meaning user@abc.com? Thanks much Tag: Would Active directory application mode work in this scenario? Tag: 132215
  - 14
    - 2008 DCPromo OS Compatibility Warning "Some operations on clients running versions of Windows earlier than Vista with Service Pack 1 are also impacted, including domain join operations performed by the Active Directory Migration Tool..." We actually want to use ADMT to take a bunch of XP SP2 boxes and migrate them to the 2008 domain. Are we sunk? Will SP3 take care of this? What other 2008 AD compatibility issues could we face? Tag: Would Active directory application mode work in this scenario? Tag: 132211
  - 15
    - Date format on server and client Hi, We are deploying active directory on windows server 2003 R2 SP2 and windows XP Pro SP2 and SP3 clients. It seems on rare occasions, the date format used on the client computer changes to the one that is used on the server. We are in Canada so the date format should be dd/mm/aaaa but on the server it was set to aaaa/mm/dd. The client computer has the right settings localy, but sometimes it picks up this odd date format. I was wondering if there is a way for me to change this. I tried changing the date format on the server, but it didnt change anything on the client, after the gpupdate or a new session. If i open a session locally on the client, the date format is ok, but connected to the domain, it's wrong. It seems also i dont see this happening on every station. Any hint ? If you need more info, let me know. Thanks for your time. Bertrand Tag: Would Active directory application mode work in this scenario? Tag: 132209
  - 16
    - Group Policy Hi We want to setup a policy in our domain where screensavers will come on and lockout after a certain amount of time. The problem is we don't want all workstations/servers to have the screensaver policy. We would like to have two different groups. One with the policy of screen savers and one without. I thought creating another GPO would be key but I'm not sure how to proceed. I am kinda new but I do have GPMC installed and I can edit my default domain policy and it works fine. Thanks for anyone who can help me out. Tag: Would Active directory application mode work in this scenario? Tag: 132206
  - 17
    - "List in the Directory" permission How can I only assign a certain custom security group that I have created "Printer Publishers" the "list in the directory" right/permission? Right now it seems any user can clikc "List In The Directory" for any shared printer and it show up in my list of printers in active directory... don't want that, only want the group to be able to publish printers. Tag: Would Active directory application mode work in this scenario? Tag: 132197
  - 18
    - Docs Redirect and Administrator permissions Hi all, I want to make sure I've done this right. I am working on a server in which redirects were applied for My Documents. The option in Group Policy to make access Exclusive was checked. I needed to setup a robocopy script to move files nightly to another folder for backup redundancy. (It's a temporary measure.) I followed the instructions here: http://support.microsoft.com/kb/q288991/ I allowed a particular account in and given them full control. (In my case, the parent folder I applied the permissions to is D:\Redirects) In order to reapply permissions on all objects, I had to take ownership of the files and folders. Subfolders (the user folders) are not inheriting permissions from D:\Redirects) Here's where I'm confused: Creator Owner is set to Full Control on D:\Redirects, but even though I've reapplied ownership for each user on those objects in their folders, Effective Permissions doesn't show them to have full control on the objects. My goal: Allow Administrators FC to ALL user's redirected folders and their contacts and to allow each uesr FC access to their own folder and objects. Cheers, Mike.... Tag: Would Active directory application mode work in this scenario? Tag: 132194
  - 19
    - Merge / consolidate GPO's Hi, I need to consolidate multiple group policies into one. However I would like to avoid having to do this manually and was wondering if a tool existed which could merge policy settings. The import functionality within GPMC doesn't do it, it just overwrites any existing settings. I've looked into powershell scripts and 3rd party tools and cannot fins anything. Any help would be greatly appreciated. Regards, Dunc. Tag: Would Active directory application mode work in this scenario? Tag: 132186
  - 20
    - watch actress profile and photo watch actress priyamani photo watch actress profile and photo watch actress priyamani photo http://priyamaniforyou.blogspot.com/ Tag: Would Active directory application mode work in this scenario? Tag: 132183
  - 21
    - Outlook office 2003 + Group policy I need my users to use the same signature fomart. I have been able to disable the the signatures but now to link the required signature to the GP is the problem -- Any job can always be better done, when pple share ideas Tag: Would Active directory application mode work in this scenario? Tag: 132181
  - 22
    - A SHOCKING NEWS from Microsoft....... It's really a hot news for everyone http://polticsinfs.blogspot.com/ Tag: Would Active directory application mode work in this scenario? Tag: 132180
  - 23
    - watch actress sexy photo from movie clips and watch actress profile watch actress sexy photo from movie clips and watch actress profile http://priyamaniforyou.blogspot.com/ Tag: Would Active directory application mode work in this scenario? Tag: 132173
  - 24
    - finding out client name for a user logging in to a remote server I have a requirement to display last successful logon for an account and the location from which that logon occurred. When a user logs on to a workstation the location would of course be the hostname of that workstation. I'm using Visual Basic Scripting to do this. It was working fine until today while I was of course showing it to our security person. Even though I took into account when the user logs on to a workstation and the %CLIENTNAME% environment variable is not set, it seems that for some reason when logging onto a server %CLIENTNAME% can be set to "console" sometimes. This is strange considering I'm not asking for the Session Name which can be "console". I'm asking for the Client Name. When %CLIENTNAME% equals "console" when running my script or when running the 'set' command, if I look at the Users tab in Task Manager the Client Name is still the hostname of the maching I'm using to remote into the server. Strangely, I thought that on the Users tab the Session Name would be listed as "console" when I use Remote Desktop to logon to the console of the server. I'm using Win2k3 R2. The Session name is always a RDP session # whether I connect to the console or not. But that's not something I'm worrying about at the moment. Can anyone explain to me the circumstances that cause %CLIENTNAME% to be set to "console" as opposed to the user's workstation? I could test for it in my script if I knew the conditions under which it occurs. I'm currently using the following to grab the variable: strFromHost = objShell.ExpandEnvironmentStrings("%CLIENTNAME%") Thanks Brandon Tag: Would Active directory application mode work in this scenario? Tag: 132167
  - 25
    - Windows XP Mini-Setup not joining computers to existing account in We have a Win XP SP2 standard image we deploy onto a lot of our computers. The image has been sysprep'd and when booted, it goes through XP's Mini Setup using sysprep.inf to answer all questions except Computer Name. What we've tried doing is creating machine accounts in Active Directory (2003 Mixed Mode) in the OUs that we want the computers to end up in, and then (days later) booted the machines and allowed them to join the domain during Mini Setup. However, instead of joining the existing accounts, Mini Setup is creating a NEW account in the Computers OU in the root of AD. So now I have two machine accounts in AD with the same name. I have to track down the other account, delete it, and move the computer into that container a few minutes later after replication has finished. As far as I'm aware, this isn't the way its meant to work, is it? In Windows XP, if you join a computer to the domain by hand (outside of Mini Setup), it joins the existing account. Shouldn't the same happen in Mini Setup, or is there something I'm missing? TIA Tag: Would Active directory application mode work in this scenario? Tag: 132166
- Next
  - 1
    - Loggin on in determinate DC Hi, I have 3 Domain Controllers. Two in Site A and one in Site B. Is ther possible set a numeber of users to log on in a DC of Site A, being that users from Site B? Thanks. Luiz Tag: Would Active directory application mode work in this scenario? Tag: 132158
  - 2
    - Setting File -- Open Dialog box to a default location All, How can I through GP setting the default location for the File -- Open Dialog box to My Computer? We restricted C drive, it it defaults to that, so everytime they go to file -- Open, it gives them an error saying that its restricted. Thanks! Tag: Would Active directory application mode work in this scenario? Tag: 132152
  - 3
    - Certificate Help Hello, I've just installed our first Enterprise Root CA on one of our DC's running W2K3 Standard SP2. On another DC I'm trying to request a computer certificate, but am having trouble. When I go to the web page to request an advanced cert I am given the option of Administrator/Basic EFS/EFS Recovery Agent/User/Subordinate CA/Web Server. Am I missing something? I need a computer certificate becuase this DC is also my RADIUS server and I need a cert inorder to setup PEAP. Thanks! Tag: Would Active directory application mode work in this scenario? Tag: 132150
  - 4
    - AD Replication Monitor I ran the AD Replication Monitor. Under Current Transitive Replication Partner Status I am showing 7 "Partner Name: **DELETED SERVER #7". What exactly is this telling me? Is this a previous dc that didn't get deleted properly? I am fairly new to this organization so I don't have a lot of history on this domain. Thanks! Tag: Would Active directory application mode work in this scenario? Tag: 132149
  - 5
    - Adding Domain Controller Hi. I'm adding an additional domain controller (2k3) to an existing domain, which has only one DC that is also a 2k3 server. I ran dc promo on the new server and chose to copy active directory from an an existing DC. I received an error stating the forest was not ready, and to run adprep against the existing DC. I checked the functional level of the domain and forest in the existing DC and found it was set to 2000 level. I raised it to 2003 and thought that would help. It didn't. I also got an errors when trying to run adprep against the existing DC. I didn't think adprep was necessary when there weren't any 2000 servers on the domain. Any ideas? thanks Tag: Would Active directory application mode work in this scenario? Tag: 132134
  - 6
    - Moving FSMO roles I plan to install a new DC w/gc on new hardware and transfer all the FSMO roles from the existing DC. What are the best practices for moving them? Is there a certain order, waiting period between moving roles, etc.? Very simple environment - 2 dc's, default site config, 1 domain. The old and new servers will be in the same vlan, same physical location. The other dc (not a gc) will be in a different office (25mi.) - GigE 100Mb WAN connection. Thank you! Tag: Would Active directory application mode work in this scenario? Tag: 132133
  - 7
    - Event ID 1030's I'm seeing a number of 1030's on the clients, and this in GPMC: Group Policy Infrastructure failed due to the error listed below. Overlapped I/O operation is in progress. Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available I've verified the admin name and passowrd in DHCP manager, and checked for cached passwords to the server on the clients, and still no luck. Any other ideas? Tag: Would Active directory application mode work in this scenario? Tag: 132128
  - 8
    - repadmin /removelingeringobjects Hi, i'm getting an error message on a mailserver. event id 2042 "it has been too long since this machine last replicated with the named source machine etc etc. looking at the dates mention further down the message, the tally up to a date when a previous DC failed and was removed from the domain. hardware failed from within the DC and dcpromo was never run to remove it from the domain, and as a result a lot of messages have been appearing around the servers relating to the missing dc. The 2042 message gives 3 options, and the only relvant one refers to using repadmin to clear up any residue following the servers demise. my question is that reading up on repadmin, I'm being told that 2003 server needs to be running on "both" servers....the problem is that only one server is running and i want to clear up the mess following the server dying in the first place. Or is it just a case of repadmin actually being able to determine what and where the issue is and clearing it automatically? cheers Tag: Would Active directory application mode work in this scenario? Tag: 132127
  - 9
    - Setting the home page for all users Hi, I have the IE7 AD template installed on our DC's and am trying to set the home page, but the users IE7 is having none of it! I have gone to User Configuration > Administrative Templates > Windows Explorer > Disable changing home page settings > enable http://intranet DC - gpupdate /force User - gpupdate /force No http://intranet page any ideas? Tag: Would Active directory application mode work in this scenario? Tag: 132126
  - 10
    - Policy (GPO) Order Hi, one question about Policy (GPO) Order applying: - I have 3 policies: one enabled, the second disabled and the third disabled. The disabled policy will predominate, ok? Thanks. Luiz Tag: Would Active directory application mode work in this scenario? Tag: 132120
  - 11
    - Creating New Domain Tree in Existing Forest We just bought a company that I have to integrate into our active directory. They currently have Windows 2000 AD and I have Windows 2003 AD. How do I bring their Windows 2000 AD into my AD as a domain tree without losing their users? If you could point me to instructions on how to make this possible I would appreciate it. thanks -- dee Tag: Would Active directory application mode work in this scenario? Tag: 132117
  - 12
    - problems with single level dns name (domain) Hi a new customer has a w2k3 server on location vienna with a single level domain "intern" and no "intern.local" as normally used. we have to install a second AD-Controller an location linz (connected with vienna via a 2 MBit VPN-Tunnel). after using KB 300684 we could move the second server in the domain as member. then we installed AD on the sec. server, tested dns with nslookup, all works fine. Our problem: the user locally in linz cann't access to the local shares on the sec. AD-Controller, they get the message access denied. when i remove the AD on the second server and chance the dns entry to the vienna dns-server all works fine. workstation systemlog: source: BROWSER, err: 8021, no list from Browser, source: BROWSER, err: 8032, read fails, applicationlog: source: userenv, err: 1058, gpt.ini access denied can you help me ? Tag: Would Active directory application mode work in this scenario? Tag: 132111
  - 13
    - problem with steadystate and restricting rights from administrator I have a domain Active directory on a windows 2000 Server and I moved the rights I made on a pc with steadystate to the server with the active directory with SCTSettings.adm. Then I did some changes in the group policy at the All Windows Steadystate restrictions hopping that this will affect only to users that also have Steadystate restricting the right click on desktop, the access on C:\, and in all windows programs but this affected on the privilages of the administrator rights too!!! Now I can't have access to c:\, not to administrative programs not even right click to the workspace!!! Is there other way to have access to the gpedit (group policy editor) to change the policy again ? cause even the administrator doesn't have any rights now and... I think... this is a HUGE bug!!!! nomater what administrator shouldn't affect on any change of GROUP policy... Pls I need help imidiatly not to setup the server again cause I have 200 users to put again in active directory one by one... Tag: Would Active directory application mode work in this scenario? Tag: 132110
  - 14
    - Re: Site link configuration question.. again my bad... this should be: adfind -config -rb "CN=IP,CN=Inter-Site Transports,CN=Sites" -f "objectCategory=siteLink" siteList have not had coffee yet ;-( -- Cheers, (HOPEFULLY THIS INFORMATION HELPS YOU!) # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services # BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx ------------------------------------------------------------------------------------------ * How to ask a question --> http://support.microsoft.com/?id=555375 ------------------------------------------------------------------------------------------ * This posting is provided "AS IS" with no warranties and confers no rights! * Always test ANY suggestion in a test environment before implementing! ------------------------------------------------------------------------------------------ ################################################# ################################################# ------------------------------------------------------------------------------------------ "Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@gmail.com> wrote in message news:... > my bad... > > this should be: > adfind -config -rb "CN=IP,CN=Inter-Site Transports,CN=Sites" -f > "objectCategory=siteLink" siteObjectBL > > -- > > Cheers, > (HOPEFULLY THIS INFORMATION HELPS YOU!) > > # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services # > > BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx > BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx > ------------------------------------------------------------------------------------------ > * How to ask a question --> http://support.microsoft.com/?id=555375 > ------------------------------------------------------------------------------------------ > * This posting is provided "AS IS" with no warranties and confers no > rights! > * Always test ANY suggestion in a test environment before implementing! > ------------------------------------------------------------------------------------------ > ################################################# > ################################################# > ------------------------------------------------------------------------------------------ > "Kent" <Kent@discussions.microsoft.com> wrote in message > news:7278BC24-A71C-4CFF-8533-48BF0FC49AD3@microsoft.com... >> post the IP of the client you used >> ---------------------------------- >> 192.168.1.22 >> >> >> post NLTEST /DSGETSITE >> ---------------------- >> C:\Documents and Settings\administrator>nltest /dsgetsite >> Client >> The command completed successfully >> >> >> post NLTEST /DSGETDC:<DOMAIN> >> ----------------------------- >> C:\Documents and Settings\administrator>nltest /dsgetdc:contoso.com >> DC: \\hq-con-dc-03.contoso.com >> Address: \\192.100.0.2 >> Dom Guid: 6de92f82-4b65-4711-9abc-2e86c0ade8ed >> Dom Name: contoso.com >> Forest Name: contoso.com >> Dc Site Name: AsiaPacific >> Our Site Name: Client >> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN >> DNS_FOREST >> CLO >> SE_SITE >> The command completed successfully >> >> >> post NLTEST /DSGETSITECOV >> ------------------------- >> C:\AdFind>nltest /dsgetsitecov >> DsGetDcSiteCoverage failed: Status = 50 0x32 ERROR_NOT_SUPPORTED >> >> >> adfind -config -rb "CN=Sites" -f "objectCategory=Site" siteObjectBL >> ------------------------------------------------------------------- >> C:\AdFind>adfind -config -rb "CN=Sites" -f "objectCategory=Site" >> siteobjectBL >> >> AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007 >> >> Using server: hq-con-dc-01.contoso.com:389 >> Directory: Windows Server 2003 >> Base DN: CN=Sites,CN=Configuration,DC=contoso,DC=com >> >> dn:CN=Europe,CN=Sites,CN=Configuration,DC=contoso,DC=com >>>siteObjectBL: >>>CN=10.0.0.0/8,CN=Subnets,CN=Sites,CN=Configuration,DC=contoso,DC= >> com >> >> dn:CN=AsiaPacific,CN=Sites,CN=Configuration,DC=contoso,DC=com >>>siteObjectBL: >>>CN=192.100.0.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=contoso >> ,DC=com >> >> dn:CN=America,CN=Sites,CN=Configuration,DC=contoso,DC=com >>>siteObjectBL: >>>CN=138.169.0.0/16,CN=Subnets,CN=Sites,CN=Configuration,DC=contoso >> ,DC=com >> >> dn:CN=Client,CN=Sites,CN=Configuration,DC=contoso,DC=com >>>siteObjectBL: >>>CN=192.168.1.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=contoso >> ,DC=com >> >> 4 Objects returned >> >> >> adfind -config -rb "CN=IP,CN=Inter-Site Transports,CN=Sites" -f >> "objectCategory=Site" siteObjectBL >> -------------------------------------------------------------------------------------------------- >> C:\AdFind>adfind -config -rb "CN=IP,CN=Inter-Site Transports,CN=Sites" -f >> "objec >> tCategory=Site" siteobjectBL >> >> AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007 >> >> Using server: hq-con-dc-01.contoso.com:389 >> Directory: Windows Server 2003 >> Base DN: CN=IP,CN=Inter-Site >> Transports,CN=Sites,CN=Configuration,DC=contoso,DC= >> com >> >> 0 Objects returned >> >> "Jorge de Almeida Pinto [MVP - DS]" wrote: >> >>> >>> >>> * post the IP of the client you used >>> * post NLTEST /DSGETSITE >>> * post NLTEST /DSGETDC:<DOMAIN> >>> * post NLTEST /DSGETSITECOV >>> * adfind -config -rb "CN=Sites" -f "objectCategory=Site" siteObjectBL >>> * adfind -config -rb "CN=IP,CN=Inter-Site Transports,CN=Sites" -f >>> "objectCategory=Site" siteObjectBL >>> >>> ADFIND can be downloaded from joeware.net >>> >>> -- >>> >>> Cheers, >>> (HOPEFULLY THIS INFORMATION HELPS YOU!) >>> >>> # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services # >>> >>> BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx >>> BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx >>> ------------------------------------------------------------------------------------------ >>> * How to ask a question --> http://support.microsoft.com/?id=555375 >>> ------------------------------------------------------------------------------------------ >>> * This posting is provided "AS IS" with no warranties and confers no >>> rights! >>> * Always test ANY suggestion in a test environment before implementing! >>> ------------------------------------------------------------------------------------------ >>> ################################################# >>> ################################################# >>> ------------------------------------------------------------------------------------------ >>> "Kent" <Kent@discussions.microsoft.com> wrote in message >>> news:7A167365-80B5-4300-8246-D8326440E443@microsoft.com... >>> > Yes, there are currently 2 site links configured. >>> > >>> > First Site Link with the cost of 50 are configured to contain 2 HUB >>> > sites >>> > (SITEA & SITEB). >>> > Second Site Link with the cost of 80 is configured to contain 1 BO >>> > (SITEC) >>> > & >>> > 1 nearest HUB site (SITEB). >>> > >>> > I've tried with nltest and set command, the logon server for a client >>> > at >>> > SITEC is going to DC at SITEA & SITEC randomly. By right, it should >>> > only >>> > goes >>> > to DC at SITEB right as there is already a Site Link configured? >>> > >>> > Thanks. >>> > >>> > >>> > "Jorge de Almeida Pinto [MVP - DS]" wrote: >>> > >>> >> it should not matter what the costs is because the site link between >>> >> the >>> >> BO >>> >> and the HUB is always the cheapest!. Do you have other site links >>> >> configured? >>> >> use can also use NLTEST on both the client and the DC to test >>> >> configurations >>> >> >>> >> -- >>> >> >>> >> Cheers, >>> >> (HOPEFULLY THIS INFORMATION HELPS YOU!) >>> >> >>> >> # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services >>> >> # >>> >> >>> >> BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx >>> >> BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx >>> >> ------------------------------------------------------------------------------------------ >>> >> * How to ask a question --> http://support.microsoft.com/?id=555375 >>> >> ------------------------------------------------------------------------------------------ >>> >> * This posting is provided "AS IS" with no warranties and confers no >>> >> rights! >>> >> * Always test ANY suggestion in a test environment before >>> >> implementing! >>> >> ------------------------------------------------------------------------------------------ >>> >> ################################################# >>> >> ################################################# >>> >> ------------------------------------------------------------------------------------------ >>> >> "Kent" <Kent@discussions.microsoft.com> wrote in message >>> >> news:B7DFA04D-45B2-4E35-9FB6-D6C3574E2DE6@microsoft.com... >>> >> > Hi Jorge, >>> >> > Thanks for your advice below. >>> >> > >>> >> > I've tested out the 1st solution in virtual environment (without >>> >> > site >>> >> > aware >>> >> > apps), and it's working perfectly. >>> >> > >>> >> > However, when i test out the 2nd solution it seems that the >>> >> > authentication >>> >> > is not consistent. Let me brief you on my virtual setup. >>> >> > >>> >> > - 3 sites = SiteA (with 1 domain controller), SiteB (with 1 domain >>> >> > controller), SiteC (clients without domain controller) >>> >> > - SiteA & SiteB is in the same Site Link with a cost of 20 >>> >> > - SiteB & SiteC is in the same Site Link with a cost of 50 >>> >> > >>> >> > When a XP machine from SiteC is logging on to the domain, it should >>> >> > be >>> >> > authenticating to domain controller at SiteB but sometimes it's >>> >> > going >>> >> > to >>> >> > domain controller at SiteA. >>> >> > >>> >> > But when changing the Site Link cost of 50 to 15 (SiteB & SiteC), >>> >> > authentication is constantly going to domain controller at SiteB >>> >> > (which >>> >> > is >>> >> > what i want). So, my question is whether is it correct to have >>> >> > lower >>> >> > cost >>> >> > between Branch and HUB than HUB to HUB? >>> >> > >>> >> > Appreciate your advice on this. >>> >> > Thanks again. >>> >> > >>> >> > >>> >> > "Jorge de Almeida Pinto [MVP - DS]" wrote: >>> >> > >>> >> >> in that case I would: >>> >> >> * create an AD site for each HUB >>> >> >> * create an AD site link and put the HUBs in it >>> >> >> * create an AD subnet for each subnet at one HUB and link it to >>> >> >> the AD >>> >> >> site >>> >> >> of the corresponding HUB >>> >> >> * create an AD subnet for each subnet at the branch offices and >>> >> >> link >>> >> >> it >>> >> >> to >>> >> >> the AD site of the nearest HUB >>> >> >> >>> >> >> this way client at a branch office will use the nearest HUB >>> >> >> >>> >> >> if you were to have site aware apps in the branch office site I >>> >> >> would: >>> >> >> * create an AD site for each HUB >>> >> >> * create an AD site for each branch office (BO) >>> >> >> * create an AD subnet for each subnet at one HUB and link it to >>> >> >> the AD >>> >> >> site >>> >> >> of the corresponding HUB >>> >> >> * create an AD subnet for each subnet at one BO and link it to the >>> >> >> AD >>> >> >> site >>> >> >> of the corresponding BO >>> >> >> * create an AD site link for each BO and its nearest HUB >>> >> >> in this last scenario the DCs in the HUB will register SRV records >>> >> >> in >>> >> >> the >>> >> >> linked BOs and therefore service those BOs as you want >>> >> >> >>> >> >> -- >>> >> >> >>> >> >> Cheers, >>> >> >> (HOPEFULLY THIS INFORMATION HELPS YOU!) >>> >> >> >>> >> >> # Jorge de Almeida Pinto # MVP Identity & Access - Directory >>> >> >> Services >>> >> >> # >>> >> >> >>> >> >> BLOG (WEB-BASED)--> >>> >> >> http://blogs.dirteam.com/blogs/jorge/default.aspx >>> >> >> BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx >>> >> >> ------------------------------------------------------------------------------------------ >>> >> >> * How to ask a question --> >>> >> >> http://support.microsoft.com/?id=555375 >>> >> >> ------------------------------------------------------------------------------------------ >>> >> >> * This posting is provided "AS IS" with no warranties and confers >>> >> >> no >>> >> >> rights! >>> >> >> * Always test ANY suggestion in a test environment before >>> >> >> implementing! >>> >> >> ------------------------------------------------------------------------------------------ >>> >> >> ################################################# >>> >> >> ################################################# >>> >> >> ------------------------------------------------------------------------------------------ >>> >> >> "Kent" <Kent@discussions.microsoft.com> wrote in message >>> >> >> news:4CC9443D-62AC-4307-AF6B-B71ADBEB8539@microsoft.com... >>> >> >> > Hello, >>> >> >> > Yes, subnets are defined correctly and linked to the correct >>> >> >> > sites. >>> >> >> > Branch sites does not have any DC and no apps like DFS, MSMQ, >>> >> >> > etc is >>> >> >> > installed. >>> >> >> > >>> >> >> > So are there any good ideas for me get the logon authentication >>> >> >> > to >>> >> >> > work >>> >> >> > correctly? >>> >> >> > Thanks >>> >> >> > >>> >> >> > >>> >> >> > "dave m" wrote: >>> >> >> > >>> >> >> >> I assume, and hate to, that there is only a single domain >>> >> >> >> involved >>> >> >> >> here. >>> >> >> >> >>> >> >> >> dave Admin >>> >> >> >> >>> >> >> >> >>> >> >> >> "Kent" <Kent@discussions.microsoft.com> wrote in message >>> >> >> >> news:1CCC2FC3-6F2E-4F58-92B3-7A858F054CFC@microsoft.com... >>> >> >> >> > Hi All, >>> >> >> >> > I would like to seek some opinions from AD experts regarding >>> >> >> >> > my >>> >> >> >> > scenario >>> >> >> >> > below: >>> >> >> >> > >>> >> >> >> > Scenario: >>> >> >> >> > --------- >>> >> >> >> > 1. Active Directory contains 8 domain controllers (all >>> >> >> >> > configured >>> >> >> >> > as >>> >> >> >> > GC), >>> >> >> >> > 4 >>> >> >> >> > located at UK data centre and 4 more located at Singpapore >>> >> >> >> > data >>> >> >> >> > centre. >>> >> >> >> > 2. There are around 20 sites created on AD which are located >>> >> >> >> > at >>> >> >> >> > Asia >>> >> >> >> > Pacific >>> >> >> >> > region and around 40 sites created on AD which are located at >>> >> >> >> > Europe >>> >> >> >> > & >>> >> >> >> > America region. >>> >> >> >> > 3. I want to ensure computers at sites located at Asia >>> >> >> >> > Pacific >>> >> >> >> > will >>> >> >> >> > authenticate to domain controllers at Singapore data centre >>> >> >> >> > and >>> >> >> >> > computers >>> >> >> >> > at >>> >> >> >> > sites located at Europe/America to authenticate to domain >>> >> >> >> > controllers >>> >> >> >> > at >>> >> >> >> > UK >>> >> >> >> > data centre. >>> >> >> >> > >>> >> >> >> > >>> >> >> >> > Current setup: >>> >> >> >> > -------------- >>> >> >> >> > 1. Site link between Singapore DC and UK DC is having a cost >>> >> >> >> > of >>> >> >> >> > 10. >>> >> >> >> > 2. A site link is configured to contain multiple sites from >>> >> >> >> > Asia >>> >> >> >> > Pacific >>> >> >> >> > to >>> >> >> >> > Singapore DC with a cost of 50. This is the same to >>> >> >> >> > Europe/America >>> >> >> >> > site >>> >> >> >> > link >>> >> >> >> > but it's configured to UK DC instead of Singapore one (with a >>> >> >> >> > cost >>> >> >> >> > of >>> >> >> >> > 50 >>> >> >> >> > as >>> >> >> >> > well). >>> >> >> >> > 3. The problem with this setup is users are authenticating to >>> >> >> >> > different >>> >> >> >> > domain controllers, sometime to Singapore then UK. >>> >> >> >> > >>> >> >> >> > >>> >> >> >> > My suggestion is to: >>> >> >> >> > -------------------- >>> >> >> >> > 1. Configure 2 site links for 1 site with different costing. >>> >> >> >> > Example: >>> >> >> >> > Site >>> >> >> >> > A >>> >> >> >> > is located at Asia Pacific, computers at Site A must >>> >> >> >> > authenticate >>> >> >> >> > to >>> >> >> >> > domain >>> >> >> >> > controllers at Singapore data centre so i will create a Site >>> >> >> >> > Link >>> >> >> >> > to >>> >> >> >> > Singapore DC site with cost of 40 and another Site Link to UK >>> >> >> >> > site >>> >> >> >> > with >>> >> >> >> > cost >>> >> >> >> > of 80. This would ensure the logon authentication will go to >>> >> >> >> > the >>> >> >> >> > correct >>> >> >> >> > domain controllers. >>> >> >> >> > 2. Site Link betwenn Singapore DC and UK DC will have a cost >>> >> >> >> > of >>> >> >> >> > 10. >>> >> >> >> > >>> >> >> >> > >>> >> >> >> > But i'm not sure whether is this solution practical because >>> >> >> >> > it'll >>> >> >> >> > create >>> >> >> >> > alot of Site Links on Active Directory. >>> >> >> >> > Anyone can give some suggestions? >>> >> >> >> > >>> >> >> >> > Thanks in advance. >>> >> >> >> > >>> >> >> >> > >>> >> >> >> >>> >> >> >> >>> >> >> >> >>> >> >> >> >>> >> >> >>> >> >> >>> >> >>> >> >>> >>> > Tag: Would Active directory application mode work in this scenario? Tag: 132108
  - 15
    - watch actress sexy photo from movie clips and watch actress profile watch actress sexy photo from movie clips and watch actress profile http://priyamaniforyou.blogspot.com/ Tag: Would Active directory application mode work in this scenario? Tag: 132100
  - 16
    - How to remove\add workstation from\to domain remotely? How to remove\add workstation from\to domain remotely? Tag: Would Active directory application mode work in this scenario? Tag: 132098
  - 17
    - Unable to create Domain on Server 2008 When running 'dcpromo' I receive the following error: 'The new domain cannot be created because the local Administrator account password does not meet requirements.' I have tried multiple passwords using 6 or more Upper case, Lower case, & Special characters. This is a new server setup with no existing domains. Tag: Would Active directory application mode work in this scenario? Tag: 132094
  - 18
    - Restricting Trusted Domain user login hour Hi there, I was wondering if there is anyway to limit user's logon hour by configuring AD Domain A while the user account is in a trusted Domain B please? What I have got is a computer lab with all computers and network resources belonging to Domain A. Domain A trusted Domain B (with the same forest), hence users from Domain B can log onto computers in the lab. Now we want to limit users from using the lab after hour. I know I can set the logon hours for the users in AD User and Computer in Domain B but I only want to limit their access to computers in Domain A, not the entire organization/AD forest. Is there a way to control that within Domain A please? Thanks, Edmond. Tag: Would Active directory application mode work in this scenario? Tag: 132093
  - 19
    - Password policy We have Windows 2003 domain and we are in the process of implementing password policy across the domain. What will be the suggested/ recommended pathway to exclude administrator/ special purpose admin related accouts from this password policy? Thanks Tag: Would Active directory application mode work in this scenario? Tag: 132078
  - 20
    - Automate home directory for a new user All, How can I automate the creation of a users home directory, when the user is created in AD? I am not wanting to use the my documents folder redirection, but rather still with standard drive mappings. Thanks! Tag: Would Active directory application mode work in this scenario? Tag: 132077
  - 21
    - LDAP Bind Is it possible to remove anonymous bind in Active Directory? Tag: Would Active directory application mode work in this scenario? Tag: 132073
  - 22
    - LDAP Bind Can you disallow Anonymous Bind in AD? Tag: Would Active directory application mode work in this scenario? Tag: 132072
  - 23
    - idlist error I am thinking this is a possible account error. I have a user who gets the following error no matter what computer she logs onto on our domain : Cannot find/ idlist,:216:4800,//dc01/netlogon/ If other users log onto her computers they dont get this error but this error seems to follow the user. Any ideas ? Cant see anything obvious wrong with the account in AD. Thanks Tag: Would Active directory application mode work in this scenario? Tag: 132067
  - 24
    - Best method for moving 2003 sp2 Domain controller to new hardware. Hi, I need to move a domain controller to faster better hardware. The new hardware will have different drive controllers and most likely a different storage layout. What are best practices to ensure minimum disruption to the network? Max Tag: Would Active directory application mode work in this scenario? Tag: 132066
  - 25
    - Role based administration for password resets Hello, We have a Windows 2003 domain.We are in the process of implementing password policy on the domain. Currently we add helpdesk staff to server operators group for AD administration. Is there a role based administration model in Windows 2003 so that I can add some helpdesk staff to just reset password and not server operators? Thanks Tag: Would Active directory application mode work in this scenario? Tag: 132061

We have a situation where our organization is represented as an OU in
the overall corporate directory.
We have our own admins for the OU, however the Enterprise Admins for
the corporate AD reside elsewhere( in a diff country).
For some reason we are not comfortable with the EA's and do not want
them to be messing around with the users and groups within our OU.
However I understand that in AD, forest is a security boundary and
there is no way one can prevent EA's within that forest. Moving out of
the corporate forest and creating one AD forest for ourselves is not
an option with us due to the expense involved.

The issue is that we have a certain application which we want to guard
and donot want any other to launch it except one of those within our
OU. At present AD users would simply launch this app, it would check
whether that user belongs to one of the groups in our OU , if yes it
will run under the context of the user and perfrom its work. Here is
the EA's can create a user and add it to one of our groups and gain
access to our application.
Also this application unfortunatley needs windows tokens to work i.e.
an ADAM logon token wont work.

We are thinking of using ADAM ( inexpensive to maintain ) and
exporting all our users and groups from our OU in AD to within ADAM.
The user name and passwords of ADAM users will be known to our ppl
only and being a diff boundary the corporate directory EA's wont be
able to get in.
We can then require the users to launch an application x whcih would
authenticate against ADAM , if successful that application would lauch
our application but it does so in a manner that the second application
gets launched under the context of a AD user. That is the first
application x verifies the user name and password against the ldap
store in ADAM , if successful some kind of programming converts this
to the AD logon token of a respective user in our OU in the AD and
then launches the hidden application under the creds of AD user.

I dont know whether the above made any sence but any help is
appreciated.

Top