|
Coredump posted:Is there a way to keep AD from allowing computer objects with the same name from joining the AD? For instance, when we join a computer to the domain, it goes into the ".edu/Net/Computers/New" OU. We then can move the object into the Classroom or staff OU as necessary. Your computer joins are not behaving right. A computer joining the domain with the same name as an existing computer should kill the trust relationship of the existing pc and take over as the computer linked to that object in ad, regardless of location. You've either got replication issues or an image that wasn't sysprepped and assigning the same SID to every computer built with it.
|
# ? Feb 20, 2015 18:27 |
|
I was just thinking myself, sounds like a sysprep gone wrong and you have both computers with the same SID.
|
# ? Feb 20, 2015 18:31 |
|
Coredump posted:Is there a way to keep AD from allowing computer objects with the same name from joining the AD? For instance, when we join a computer to the domain, it goes into the ".edu/Net/Computers/New" OU. We then can move the object into the Classroom or staff OU as necessary. This is not default Active Directory behavior.
|
# ? Feb 20, 2015 19:04 |
|
enjoy your weekend coredump
|
# ? Feb 22, 2015 03:00 |
|
hihifellow posted:Your computer joins are not behaving right. A computer joining the domain with the same name as an existing computer should kill the trust relationship of the existing pc and take over as the computer linked to that object in ad, regardless of location. You've either got replication issues or an image that wasn't sysprepped and assigning the same SID to every computer built with it. Just double checked everything this morning. The SIDs are different, so the machines have been sysprepped correctly. The new machine does kill the trust relationship of the existing pc and take over as the computer linked to the object in AD. My question is, can this be stopped? Is there a way to have the AD check to see if there is a computer object in AD and stop the new one from joining? We have people who are not checking names properly and will add a new computer to the AD and kill the trust relationship of a computer in a classroom, causing all sorts of issues.
|
# ? Feb 23, 2015 17:48 |
|
You have a people problem, not a technical problem. I guess you could write a script to create a new computer account and have that check whether the object already exists, and tell people to use that (hell, configure a service account for creating computer accounts then revoke access from others).
|
# ? Feb 23, 2015 21:31 |
|
Coredump posted:Just double checked everything this morning. The SIDs are different, so the machines have been sysprepped correctly. The new machine does kill the trust relationship of the existing pc and take over as the computer linked to the object in AD. My question is, can this be stopped? Is there a way to have the AD check to see if there is a computer object in AD and stop the new one from joining? We have people who are not checking names properly and will add a new computer to the AD and kill the trust relationship of a computer in a classroom, causing all sorts of issues. Automate the process so people aren't manually doing this? I just wrote a vbscript (don't ask, I wanted powershell, they said no for now, in 6 months when our backend is refreshed I'll be allowed to do the powershell version). It takes a csv of objects I'm creating, checks if that object exists; if it does, it logs the information and moves to the next object; if it doesn't already see the object in AD it will create it and do all sorts of other fun stuff. The nice thing is that this whole process is automated, the CSV is a feed from one of our other systems, so now that it's set up and tested I don't do shiiiiit.
|
# ? Feb 24, 2015 22:29 |
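The check-before-create workflow the two replies above describe (script the account creation, refuse to touch a name that already exists, log the collision, move on), written here as an added PowerShell example. This is not the poster's VBScript, which is not on the page. It assumes the RSAT ActiveDirectory module, a constructed CSV with the columns `Name` and `OU`, and the function names `Test-ComputerNameInUse` and `Write-Log`, which are this example's own.

```powershell
# Added example: pre-create AD computer accounts from a CSV and skip any name
# that is already taken anywhere in the domain, so a careless join cannot
# silently reset the password on a classroom machine's existing account.
# Assumes the RSAT ActiveDirectory module is installed.
# Assumed CSV layout (constructed for this example):
#   Name,OU
#   LAB-101-05,"OU=New,OU=Computers,OU=Net,DC=example,DC=edu"
param(
    [string]$CsvPath = '.\new-computers.csv',
    [string]$LogPath = '.\precreate.log'
)
Import-Module ActiveDirectory

function Test-ComputerNameInUse {
    param([Parameter(Mandatory)][string]$Name)
    # A computer's sAMAccountName is NAME$; searching on it finds the object
    # wherever it lives in the domain, not only in the "New" OU.
    $result = Get-ADComputer -LDAPFilter "(sAMAccountName=$Name`$)" -ErrorAction SilentlyContinue
    return [bool]$result
}

function Write-Log {
    param([Parameter(Mandatory)][string]$Message)
    $line = "$(Get-Date -Format s) $Message"
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

foreach ($row in (Import-Csv -Path $CsvPath)) {
    $name = $row.Name.Trim()

    # NetBIOS computer names are limited to 15 characters.
    if ($name.Length -eq 0 -or $name.Length -gt 15) {
        Write-Log "SKIP '$name': empty or longer than 15 characters"
        continue
    }

    if (Test-ComputerNameInUse -Name $name) {
        # Log where the existing object is so the operator can see what
        # would have been clobbered, then leave it alone.
        $existing = Get-ADComputer -LDAPFilter "(sAMAccountName=$name`$)" -Properties whenCreated
        Write-Log "DUP  '$name' already exists at $($existing.DistinguishedName) (created $($existing.whenCreated)); not created"
        continue
    }

    try {
        New-ADComputer -Name $name -SamAccountName "$name`$" -Path $row.OU -Enabled $true
        Write-Log "OK   '$name' created in $($row.OU)"
    } catch {
        Write-Log "ERR  '$name': $($_.Exception.Message)"
    }
}
```

Pre-creating the account only helps if the join itself cannot bypass it. Pairing the script with the earlier suggestion of a dedicated service account for computer-account creation means also removing the default right of ordinary users to join machines: set the domain's ms-DS-MachineAccountQuota to 0, so a join succeeds only against an account that was created (and named correctly) through this path.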
|
Anyone use Cisco ScanSafe? We're moving to it from Sophos Web Appliance. Any opinions?
|
# ? Feb 25, 2015 02:29 |
|
Does anyone have any prefab web-based forms that are reasonably secure for internet-facing password changes for Active Directory? We are moving from Exchange 2010 to Google Apps and I'm trying to get away from relying on OWA for remote password changes. I suppose I could have an RDS server just for password stuff but it seems like a waste. After some searching on the web it seems like this is typically an $800 software package (nonprofit). I know it's for pretty good reasons...security is important with internet-facing things. Just wanted to know if there's a cheapo option that people are familiar with.
|
# ? Feb 25, 2015 19:27 |
|
Cheap, secure, or end-user friendly. Pick one! I've used ManageEngine ADSelfService Plus in the past, that might be something along the lines of what you're looking for.
|
# ? Feb 25, 2015 19:37 |
|
If I rename a pc in AD, will this rename the local pc too and leave everything else as-is?
|
# ? Feb 25, 2015 20:24 |
|
Tab8715 posted:If I rename a pc in AD, will this rename the local pc too and leave everything else as-is? No. To rename, you need to manually log it off the domain, rename, and re-connect to domain.
|
# ? Feb 25, 2015 20:32 |
|
Tab8715 posted:If I rename a pc in AD, will this rename the local pc too and leave everything else as-is? No. If you want to rename a pc in ad you have to do the leave-rename-rejoin dance. AD won't let you rename a pc through like ADUC
|
# ? Feb 25, 2015 20:34 |
|
If a domain user has data stored on that PC locally, does it remain if I leave the domain, rename and re-join the domain?
|
# ? Feb 25, 2015 20:38 |
|
hihifellow posted:No. If you want to rename a pc in ad you have to do the leave-rename-rejoin dance. AD won't let you rename a pc through like ADUC What? No. You can rename a PC without leaving the domain - you have to do it on the PC in question though and definitely not through ADUC. It's done through the same control panel that you join the domain with - just rename the computer. No need to switch it back to a workgroup then rename it then rejoin the domain at all.
|
# ? Feb 25, 2015 20:41 |
|
Thalagyrt posted:What? No. You can rename a PC without leaving the domain - you have to do it on the PC in question though and definitely not through ADUC. It's done through the same control panel that you join the domain with - just rename the computer. No need to switch it back to a workgroup then rename it then rejoin the domain at all. Just because you can doesn't mean you should. I've seen that cause a lot of trust issues with the domain controllers.
|
# ? Feb 25, 2015 20:45 |
|
mayodreams posted:Just because you can doesn't mean you should. I've seen that cause a lot of trust issues with the domain controllers. This. Yes it's a few extra minutes but not leaving the domain is asking for trouble.
|
# ? Feb 25, 2015 20:53 |
|
Tab8715 posted:If a domain user has data stored on that PC locally, does it remain if I leave the domain, rename and re-join the domain? Bleh, phone posting makes multi quoting hard. Yes the data will stay, the folders themselves are linked to the user SID (I think, I've never found documentation on just how Windows marries user to folder, but it's definitely not by folder name).
|
# ? Feb 25, 2015 20:56 |
|
mayodreams posted:Just because you can doesn't mean you should. I've seen that cause a lot of trust issues with the domain controllers. Suppose I've just been lucky then. I'll avoid it in the future, can't hurt and a few extra minutes isn't that bad.
|
# ? Feb 25, 2015 22:33 |
|
mayodreams posted:Just because you can doesn't mean you should. I've seen that cause a lot of trust issues with the domain controllers. This sounds like you have a multitude of replication issues then. Tab8715 posted:If I rename a pc in AD, will this rename the local pc too and leave everything else as-is? You can do it from powershell on anything relatively current and it saves time over the GUI's multi-screen process. code:
|
# ? Feb 25, 2015 23:26 |
|
Eh, I just took it off the domain and renamed. I don't want any trust issues coming up.
|
# ? Feb 25, 2015 23:40 |
|
Nebulis01 posted:This sounds like you have a multitude of replication issues then. This lines up with my experience on it. I've done hundreds of renames and never once had a trust issue.
|
# ? Feb 25, 2015 23:55 |
|
We've encountered what I'm sure is a bit of an odd problem. We have a small sub-department where the former head (User A) created a shared calendar in Outlook 2010 for booking events. User A left and we logged in as her to make her successor (User B) the calendar's owner so she could work with it rather than just view it. Yesterday we tried to delete User A's Exchange mailbox. Upon this, User B could no longer access the folder. We recovered User A's mailbox and this fixed the problem for user B. However, we don't want to keep User A's zombie account around indefinitely. It seems that Exchange tied the calendar to its creator rather than its owner, deleting the calendar upon her mailbox's deletion rather than just leaving it for its current owner. Have any of you encountered this, and if so how did you fix it?
|
# ? Feb 26, 2015 00:03 |
|
Would a room mailbox not work? Doesn't tie up an exchange cal either (I may be wrong I'm no licensing guru)
|
# ? Feb 26, 2015 01:52 |
|
Rooms and equipment don't use a CAL. Only mailboxes tied to users.
|
# ? Feb 26, 2015 01:52 |
|
mayodreams posted:Just because you can doesn't mean you should. I've seen that cause a lot of trust issues with the domain controllers. This sounds like one of those things where "this happened in Windows 2000 Server so it's still always a problem forever". The TechNet page about Rename-Computer says nothing about having to remove from the domain.
|
# ? Feb 26, 2015 03:18 |
|
Maybe it's because it's only ok to do in Powershell?
|
# ? Feb 26, 2015 03:21 |
|
I have been renaming AD joined computers for years and have yet to have a trust issue occur. SCCM sometimes does strange things though...
|
# ? Feb 26, 2015 03:36 |
|
Hold up, when you say renaming how are you renaming them?
|
# ? Feb 26, 2015 03:37 |
|
Tab8715 posted:Hold up, when you say renaming how are you renaming them? I've always done it with the system properties control panel, just rename the computer like you normally would. Never once had a problem, not even back in the Windows 2000 days.
|
# ? Feb 26, 2015 04:02 |
|
I'm starting to wonder if all the times I was told "don't rename a computer without leaving the domain first" were all from people who had that one bad experience in an NT/2000 era domain... Gonna try that powershell cmdlet, we almost never have to rename computers but it's nice to know about.
|
# ? Feb 26, 2015 04:10 |
|
Thalagyrt posted:I've always done it with the system properties control panel, just rename the computer like you normally would. Never once had a problem, not even back in the Windows 2000 days. This is what I'm doing and it has never caused a problem.
|
# ? Feb 26, 2015 04:14 |
|
NevergirlsOFFICIAL posted:This sounds like one of those things where "this happened in windows 2000 server so it's still always a problem forever". The technet about rename-computer says nothing about having to remove from domain. I stand corrected then. My experiences with AD have always been dealing with years of awful before I got there, so I guess my experiences may not be universal.
|
# ? Feb 26, 2015 04:34 |
|
Speaking of years of awful with an AD environment, I just inherited one. No GPOs other than default domain policy, 2003 domain controllers, passwords not set to expire, no password complexity, DHCP isn't centralized for proper DNS registration, literally everything in the Computers and Users OUs, everyone local admin, the one admin at the site runs his normal account as domain admin, etc etc etc. I'm working on fixing all that; the good news is that it's pretty much a blank slate I can turn into something better. Since I'm a lazy admin and don't want to go through all of the options in group policy, is there a list somewhere of "enable/disable/modify this in group policy no matter what" to get me started? I'm thinking more security related; things like disabling LMHASH. Obviously group policy is situation-specific for the most part, but there's gotta be some general "hey do this" items that get applied when the recommendation comes out and forgotten about.
|
# ? Feb 26, 2015 12:47 |
|
devmd01 posted:Speaking of years of awful with an AD environment, I just inherited one. No GPOs other than default domain policy, 2003 domain controllers, passwords not set to expire, no password complexity, dhcp isn't centralized for proper dns registration, literally everything in Computers and Users OUs, everyone local admin, the one admin at the site runs his normal account as domain admin, etc etc etc. This sounds very much like the environment I am in the process of fixing now. We had a few 2003 DCs alongside some 2008 R2s but a 2000 functional level as of the middle of last year. When we bumped the functional level to 2008 R2 so we could start doing the O365 migration, all hell broke loose. In what we termed a 'policy bomb', years and years of built-up GPOs were somehow unleashed once a bound machine was rebooted. Our guess was that the 2000 functional level was prohibiting these changes from actually working, but once the level was raised and the machine rebooted and updated its policy, bad things happened. Stuff like:
|
# ? Feb 26, 2015 14:51 |
|
devmd01 posted:Would a room mailbox not work? Doesn't tie up an exchange cal either (I may be wrong I'm no licensing guru) It's not just a specific room, though. Technically it is, but it's one of those rooms you can logistically divide up into multiple rooms with air walls. The ultimate point is, though, that the departed user created the calendar and we'd rather not have the current user manually recreate the calendar. Much of that's because this place tends to have a bit of a revolving-door nature in terms of personnel, so we'd just have the same problem crop up again if the incumbent leaves. Is there a way to divorce a calendar from its creator and then assign it to someone else, or is it forever tied to the person who made it? It's just a regular calendar that the user shared with people.
|
# ? Feb 26, 2015 18:07 |
|
Ok AD WAN question here. We have 35 branch sites all with their own domains/forests and we have headquarters with its own domain/forest. We are connecting everything with a dedicated 100Mb WAN and want to offload the backup domain controllers at each site to the headquarters. Right now each site has two physical servers, both running as domain controllers, both running DNS, and one running DHCP. We would like to virtualize a single domain controller for each site (no FSMO roles) back at the headquarters, and retire the second physical server from each office. Anyone see an issue with this? I know it's the opposite of what most people do, which is having one large domain and keeping RODCs at each branch, but this is the situation we are stuck in. Should I expect any issues with 35 different backup RODCs for 35 different domains living on the same subnet/broadcast domain? The only reason they are here is so that we can have more than one GC in each site and also so we have a copy of the AD if we have a physical server failure at the branch.
|
# ? Feb 26, 2015 18:32 |
|
syg posted:Ok AD WAN question here. Without seeing your network and AD topology, this sounds really hosed. Especially the bolded part. I'd recommend trying one or two as tests (or just deploying a new VM at headquarters instead of retiring/P2V existing stuff) and seeing how that works first.
|
# ? Feb 26, 2015 18:47 |
|
Gyshall posted:Without seeing your network and AD topology, this sounds really hosed. Especially the bolded part. Oh yeah it would happen very gradually, we aren't insane. We wouldn't P2V anything, just build a fresh 2k8 server on a vm at HQ and then join and dcpromo it to the appropriate branch domain.
|
# ? Feb 26, 2015 19:56 |
|
Anyone here work in an environment where the traditional file server environment was replaced with something like Box, Dropbox, Google Drive etc? What does it look like if you have like a 500GB shared drive that is moved to Dropbox - do all your users keep that entire 500GB folder locally and sync back and forth (like how my personal Dropbox does)? Do they just go via the web interface and download on demand?
|
# ? Feb 27, 2015 18:57 |