Forum Replies Created
October 27, 2006 at 12:59 am in reply to: Duplicating whole AD structure to another server with Export/Import utility #236387
Re: Duplicating whole AD structure to another server with Export/Import utility
guyt wrote: Have you considered using GPMC scripts?
Wow… some of them are really useful.
I also found some interesting methods to catch information from AD by just taking a look at source code on those scripts :-)
Thanks so much!!! :-D
October 27, 2006 at 12:56 am in reply to: Duplicating whole AD structure to another server with Export/Import utility #236386
Re: Duplicating whole AD structure to another server with Export/Import utility
I think I found the easiest way to export with no admin rights :-)
Usually, the easiest solution is the best one ehhe
Code:
csvde -f outusers.csv -d "dc=projectsr2,dc=net" -l "DN,objectClass,ou,description,distinguishedName,cn,department,title,mail,telephonenumber,mobile,physicalDeliveryOfficeName" -r "(objectClass=user)"
csvde -f outou.csv -d "dc=projectsr2,dc=net" -l "DN,objectClass,ou,description,distinguishedName,cn,department,title,mail,telephonenumber,mobile,physicalDeliveryOfficeName" -r "(objectClass=organizationalUnit)"
csvde -f outgroups.csv -d "dc=projectsr2,dc=net" -l "DN,objectClass,ou,description,distinguishedName,cn,department,title,mail,telephonenumber,mobile,physicalDeliveryOfficeName" -r "(objectClass=group)"
csvde -f outcomputers.csv -d "dc=projectsr2,dc=net" -l "DN,objectClass,ou,description,distinguishedName,cn,department,title,mail,telephonenumber,mobile,physicalDeliveryOfficeName" -r "(objectClass=computer)"
and then reimport them in the new domain.
You don’t need admin rights to export those fields from AD :-) This is the best thing.
Also, Exchange fields are not exported, so I don’t have to install E2K3 on the destination domain.
October 26, 2006 at 8:28 am in reply to: Duplicating whole AD structure to another server with Export/Import utility #236385
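An added example, not from the original post, of preparing the csvde output above for import into the destination domain: rewrite the domain suffix, drop the system-maintained distinguishedName column (csvde -i derives it from the DN column), and order rows parent-first so the OU import never hits a missing parent. The destination suffix and the CSV rows are constructed placeholders.

```python
import csv
import io

# Constructed sample in the shape "csvde -f" writes for the -l attribute list
# used in the post: a header row, then one row per object. Not real directory data.
SAMPLE_CSVDE = """DN,objectClass,ou,description,distinguishedName,cn,department,title,mail,telephonenumber,mobile,physicalDeliveryOfficeName
"CN=Example User,OU=Staff,OU=Rome,DC=projectsr2,DC=net",user,,,"CN=Example User,OU=Staff,OU=Rome,DC=projectsr2,DC=net",Example User,IT,Engineer,user@projectsr2.net,,,
"OU=Staff,OU=Rome,DC=projectsr2,DC=net",organizationalUnit,Staff,Staff accounts,"OU=Staff,OU=Rome,DC=projectsr2,DC=net",,,,,,,
"OU=Rome,DC=projectsr2,DC=net",organizationalUnit,Rome,Rome site,"OU=Rome,DC=projectsr2,DC=net",,,,,,,
"""

OLD_SUFFIX = "DC=projectsr2,DC=net"    # source domain named in the post
NEW_SUFFIX = "DC=newdomain,DC=local"   # assumed destination domain (placeholder)
DROP_ATTRS = {"distinguishedName"}     # system-only attribute; import sets it from DN


def dn_depth(dn):
    # Number of RDNs. A plain split is enough for this sample; DNs containing
    # escaped commas (e.g. "CN=Doe\, John") would need a real RDN parser.
    return len([part for part in dn.split(",") if part.strip()])


def prepare_for_import(text, old_suffix, new_suffix):
    rows = list(csv.DictReader(io.StringIO(text)))
    prepared = []
    for row in rows:
        if not row["DN"].lower().endswith(old_suffix.lower()):
            continue  # ignore anything outside the source domain
        new_row = {k: v for k, v in row.items() if k not in DROP_ATTRS}
        new_row["DN"] = row["DN"][:-len(old_suffix)] + new_suffix
        prepared.append(new_row)
    # csvde -i creates objects in file order, so parents must come first.
    prepared.sort(key=lambda r: dn_depth(r["DN"]))
    return prepared


def to_csv(rows):
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

csvde cannot carry passwords, so user objects created this way land disabled until a password is set.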
Re: Duplicating whole AD structure to another server with Export/Import utility
Thanks for your help
but you probably missed a “little” particular I wrote in my post
quote: “I don’t have admin rights in domain”
so No admin rights, No DCpromo :-)
Re: Doubt regarding restore of Enterprise CA
jasonboche wrote: You should build your CA with redundancy, meaning subordinate CA servers to handle the load and authentication if and when a CA server fails.
Rebuild DC2 and restore the system state there.
My question was slightly different.
Don’t consider redundancy with SubCA.
My question is: what if, for any reason, I cannot restore DC2 and restore its SystemState and I want to install CA to another server?
Is the only possibility deleting all objects from the Configuration Partition and reinstalling the CA on the new server?
Re: Round Robin priority vs. MX preference.
guyt wrote: It is not Exchange only. To my understanding this is a normal DNS behavior, as the priority is the DATA part of the RR returned, while all the RRs are round-robined.
I believe that it is actually up to the SMTP to look at the query results and select the destination based on Priority and not the order in which the records were returned.
Yes, this is what Exchange is expected to do, I’m sorry to realize that it doesn’t!
It seems that Exchange’s SMTP is not RFC compliant.
Quote: Are you looking at the SMTP logs on the sending or receiving server? Any mail-relays in transparent-bridge mode on the way?
SMTP logs on the sender.
Sending multiple messages to different @repubblica.it recipients (in some cases also sending multiple mails to the same recipient) results in every single mail being sent to a different MX record, regardless of MX preference.
BTW, follow-up to http://forums.dnsstuff.com/tool/post/dnsstuff/vpost?id=1156796 where I started the same thread (I was using a different nickname but it’s always me :-) )
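The ordering the post expects from a compliant sender, as an added example that is not part of the original thread: sort MX records by preference, randomize only among equal preferences, and move to the next preference only when a host cannot be reached. The last function is the log check for the symptom described above: with every MX reachable, deliveries to anything but the lowest-preference hosts mean the sender is ignoring preference. Hostnames and the answer set are constructed.

```python
import random

# Constructed MX answer set in the rotated order a round-robin resolver may
# return it (lowest preference deliberately not first). Not a real zone.
MX_ANSWER = [
    (20, "mx2.example.invalid"),
    (10, "mx1.example.invalid"),
    (30, "mx3.example.invalid"),
    (10, "mx1b.example.invalid"),
]


def order_mx(records, rng=random):
    """Ascending preference; ties broken randomly, never by answer order."""
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        ordered.extend((pref, h) for h in hosts)
    return ordered


def pick_delivery_host(records, reachable, rng=random):
    """Return the first host, in preference order, that accepts a connection.
    `reachable` stands in for the SMTP connection attempt."""
    for _pref, host in order_mx(records, rng):
        if reachable(host):
            return host
    return None  # every MX failed: queue and retry later


def unexpected_deliveries(records, observed_hosts):
    """Hosts seen in the sending server's SMTP log that a compliant sender
    would not have used while the lowest-preference hosts were reachable."""
    lowest = min(pref for pref, _ in records)
    preferred = {host.lower() for pref, host in records if pref == lowest}
    return [h for h in observed_hosts if h.lower() not in preferred]
```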
Re: Forcing deletion of folder with ReadOnly files.
ahinson wrote: If you look at the MS documentation for the VBScript FileSystemObject you’ll see that what I submitted is the correct syntax to delete a folder with files that have the read-only file attribute set to true.
If it’s not working the file may be in use or something else.
I know, and that’s the reason why I told you I already tried.
So now the interesting fact is: how the hell do I know which process is locking a file inside one user’s TEMP folder during computer startup???????? :-(
Maybe I have to try another solution….. for example renaming the TEMP folder during startup, so at user logon TEMP is created empty once again. Meanwhile I can run some executable in the background which tries to delete the renamed temp….
If you have any idea, you’re welcome to suggest !! :-)
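An added example, not from the thread, of the read-only case discussed above: clear the read-only attribute before each delete (on Windows, os.chmod with S_IWRITE clears FILE_ATTRIBUTE_READONLY; on POSIX it restores the owner write bit) and report, rather than abort on, paths that are still locked by another process. The sample tree stands in for a user's TEMP folder and is constructed in a temporary directory.

```python
import os
import stat
import tempfile


def clear_readonly(path):
    # Windows honours only the read-only bit here; S_IWRITE clears it.
    os.chmod(path, stat.S_IWRITE | stat.S_IREAD)


def force_delete_tree(root):
    """Delete `root` and everything under it, read-only entries included.
    Returns (deleted_count, still_locked): entries that still fail (e.g. a file
    held open by another process) are listed so they can be investigated."""
    deleted, locked = 0, []
    # topdown=False: children are removed before their parent directory.
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                clear_readonly(path)
                os.unlink(path)
                deleted += 1
            except OSError:
                locked.append(path)
        for name in dirnames:
            path = os.path.join(dirpath, name)
            try:
                clear_readonly(path)
                os.rmdir(path)
                deleted += 1
            except OSError:
                locked.append(path)
    try:
        clear_readonly(root)
        os.rmdir(root)
        deleted += 1
    except OSError:
        locked.append(root)
    return deleted, locked


def make_sample_temp_tree():
    """Constructed stand-in for a TEMP folder holding one read-only file."""
    root = tempfile.mkdtemp(prefix="temp_ro_")
    sub = os.path.join(root, "cache")
    os.mkdir(sub)
    stale = os.path.join(sub, "stale.tmp")
    with open(stale, "w") as fh:
        fh.write("x")
    os.chmod(stale, stat.S_IREAD)  # read-only attribute / no write bits
    return root


def run_demo():
    root = make_sample_temp_tree()
    deleted, locked = force_delete_tree(root)
    return deleted, locked, os.path.exists(root)
```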
Re: Forcing deletion of folder with ReadOnly files.
jasonboche wrote: UPHClean does not strictly apply to the deletion of an entire user profile and I did not suggest you were deleting or should delete the entire user profile.
One of the items that UPHClean addresses is the proper closing of hung open file handles (which in your case may be open file handles on the temp directory which is why I suggested the UPHClean utility).
Sorry, probably I used the wrong words. I meant: my need is to delete that folder during STARTUP. I suppose during startup there are no files locked inside one user’s account TEMP folder… just because that user has not logged on yet.
My doubt was: is there a way to force deletion of read-only files (talking about the read-only flag attribute, not NTFS permissions)? I asked also about deleting locked files because, if I cannot find a way to delete RO files, I have to find an alternate way during user logon which may imply deleting locked files.
Hope to be clear now :-)
Re: Forcing deletion of folder with ReadOnly files.
jasonboche wrote: In that case, Microsoft UPHClean may also be needed. Improperly unloaded User Profile Registry Hives will leave open files which cannot be deleted.
You missed the point
I’m trying to delete only the TEMP folder during computer startup (not the entire profile, not during logon)
February 23, 2006 at 6:27 am in reply to: Single Print server printers limits and IPP over NLB #236378
Re: Single Print server printers limits and IPP over NLB
>Usually Win 2003 support up to 50 printers without a problem
Is there any official document from Microsoft that confirms this value of 50 printers?
Thanks :-)
February 3, 2006 at 3:20 am in reply to: Disabling KCC for Large Enterprises: a phylosophical view [Long post] #236377
Re: Disabling KCC for Large Enterprises: a phylosophical view [Long post]
>You can do better than just this default config; see my previous post,
>and more in particular: the branch office deployment guide for
I think you refer to this: “I referred to the possibility to not publish certain SRV records anywhere but in its own site. So what you do is to have the hub site publish generally, so that ALL clients can find the hub, but publish branch DCs only locally”
I do not think it is a good practice, you lose fault tolerance features :-)
BTW, if link bridges are on, and obviously routing is on, why should I prevent one branch from contacting another branch’s DC in case needed?
If KCC is correctly configured, and costs are correctly set, whenever one branch’s client needs to find a DC and it cannot find its site’s DC, it will ask for the central HUB DC; then if the central hub DC is down, it will try to contact another branch DC. What’s wrong with this?
February 1, 2006 at 9:31 am in reply to: Disabling KCC for Large Enterprises: a phylosophical view [Long post] #236376
Re: Disabling KCC for Large Enterprises: a phylosophical view [Long post]
wkasdo wrote: > Not so. The hub-spoke topology (just one hub?)
Yes, just one Hub
wkasdo wrote: make sure that all branches will create connection objects to the hub, and vice versa. The bridge-all-site-links setting makes it possible to create co’s between branches IF the hub is down.
Sorry to tell you’re wrong :-)
Or, at least, what I see now is that KCC is creating connectors between one branch and another branch, not only between branch and central hub. This is quite unexplainable.
wkasdo wrote: I admit I would have disabled that setting with such a simple topology to exclude accidents.
And that’s what we usually do.
wkasdo wrote: If you put all sites in a single sitelink, the resulting topology is unpredictable (at least, undocumented). The chances of it generating the correct hub-spoke topology is basically zero, of course.
Yes, but the fact I am remarking is that currently, in this configuration, KCC is NOT creating hub-n-spoke connectors! It is creating a mesh topology. So that’s where my doubts come from.
wkasdo wrote: You can increase KCC logging to see how much time a KCC cycle takes. You probably can also see it in the taskmanager.
That’s a good point.
wkasdo wrote: With W2003, yes. Push it to the limits.
So we are not so crazy at the end :-D
wkasdo wrote: Another interesting question: did they optimize DNS to make sure that branch offices will never log on to each other?
Well, this is an easy question, as you can imagine the only work you have to do to grant correct DC auth is ensuring that sites, subnets and SRV records are correctly registered. You just need at least 1 DC+DNS at each site (and that’s the current configuration) and subnets correctly mapped in AD Sites.
Quote: I think we need to separate this to sub-topics:
Of course, in fact, the LSASS problem came suddenly out while we were doing something completely apart from it! Indeed 99.9% of bugs are discovered this way
Quote: 1) To my understanding the crash of LSASS has nothing to do with Exchange (as outlined in the KB wkasdo has pointed to). The cause is the conflict between the user right of helpdesk to do anything with the object (as they are the owners of the object) and the Deny ACE in the DACL.
Of COURSE it hasn’t!!! It’s related to AD ACLs
Quote: a. Proxy the creation of user accounts via an external process that does not make the helpdesk staff the owners of the user objects
Yes, this may be a good and reasonable fact, but as we wrote, this way delegation becomes a more complex process and the Microsoft Delegation Wizard becomes useless (please, avoid comments like “as 90% of microsoft tools” ehehe)
Quote: c. Not allow deletion of user objects to Helpdesk (I would let them only disable the accounts) and proxy the deletion via the same external process (can be easily done via web). This will give you the level of control that prevents most of accidental deletions and f#$k ups…
Mmhhh. this may be a real problem. A great enterprise has a great turnover with users, so every week there may be the need to create and/or delete hundreds of user accounts!…. I think you know what I’m talking about ;-)
Quote: The point? as long as someone can pull your plug, you do not really own the show
I completely agree with this!!!
Just another point about delegating. In the test we did we used the default “Create, delete and manage user accounts” in the Delegation Wizard.. This setting enables the delegated user/group to create users inside the OU but also grants FC on all user objects..
This could be OK if your organization doesn’t use Exchange, since the delegated user/group has the Send AS permission on all user objects.
Users need to trust their administrators but there are many organizations where this could not be applied.. Moreover, users have no way to protect themselves against a bad administrator.. So next time we talk about security, we should say “administrator is God, can do whatever he/she wants and no one can block him/her”: the real owner of any company is the IT Admin!
Have a nice day
Luke suggests, if it is possible, to rename the topic to “A good reason to upgrade your servers to SP1”, in order to avoid some stupid people damaging their DCs….. well… I think it may be a good idea…
Of course our post was not intended for stupid admins who means to make damages, I think you understand :-)
Is it possible?
Let’s start with some comments :-)
1) Guyt is right, it’s a good practice delegating only write properties but this way, the delegation work becomes tedious, and you lose all AD potential.
2) Guyt, ASAP we’re gonna PM you, as you can see we changed our nick; the last topics were written only by one of us, now we are writing together, so we use a common account (if you want you can write us, our email address is public)…we’re very curious!!!! :-)
3) We noticed that SP1 resolved this, we just have not tested this on w2000
4) The real problem stands still. FC delegated to HD dept is too dangerous if Exchange is present on the Enterprise!