Subject: [ActiveDir] Restricting machine to specific DC for domain join
kamleshap (Posts: 27)
09/10/2005 4:25 AM
Message body was not found.
ZJORZ (Posts: 133)
09/10/2005 10:50 AM
________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Kamlesh Parmar
Sent: Sat 9/10/2005 6:24 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Restricting machine to specific DC for domain join
Dear All,

At one of the locations, the firewall restricts ports 139 and 445 towards other locations.

And we are mass migrating computers from this location to our domain.

And we know that a normal 2k/XP machine, when asked to join a domain, will run the LDAP query _ldap._tcp.dc._msdcs.domainname,
go to the first DC returned in the result, and try to create its account there.
And if the first DC in the result is a remote DC, this attempt is thwarted by the firewall, as the client can't make the initial connection to the remote DC's IPC$.

Can we do something about this,

like making sure that for the DC join process, clients go to a specific DC only?

Regards,
Kamlesh
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Fortune and Love befriend the bold"
~~~~~~~~~~~~~~~~~~~~~~~~~~~

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
dwells (Posts: 39)
09/11/2005 1:52 AM
This seems a little obvious so I may have misunderstood your scenario, nonetheless -

http://support.microsoft.com/kb/266651/EN-US/
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

ZJORZ (Posts: 133)
09/11/2005 2:45 AM
________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Dean Wells
Sent: Sun 9/11/2005 3:50 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Restricting machine to specific DC for domain join
This seems a little obvious so I may have misunderstood your scenario, nonetheless -

http://support.microsoft.com/kb/266651/EN-US/
--
Dean Wells
MSEtechnology
* Email: dwells@xxxxxxxxxxxxxxxxx
http://msetechnology.com



kamleshap (Posts: 27)
09/11/2005 4:16 AM
No, you haven't misunderstood the scenario; it's just that I didn't mention the whole information.

We are using ADMTv2 to migrate computers (a fairly large number),
and on a big scale we received an error: Domain affiliation didn't change,
and investigating DNS, netsetup.log etc., we found that ports are blocked.

And you have to admit, as the KB says, this DC option is a hidden gem. And glad to discover it with your help.

I will whip up a small script, using netdom.exe for that DC.
And join those machines using this script.
Regards,
Kamlesh

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Fortune and Love befriend the bold"
~~~~~~~~~~~~~~~~~~~~~~~~~~~
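The "small script using netdom.exe for that DC" that Kamlesh mentions, written out as an added example (this is not code from the thread). It assumes the domain corp.example.com, the target DC dc01.corp.example.com and a computers.txt list, and first checks TCP 445 to that DC, since a blocked 445 is exactly the failure the thread describes.

```powershell
# Added example, not from the thread: join each computer in a list to the domain
# through one named DC with netdom, instead of whichever DC the locator returns first.
# Assumed names: domain corp.example.com, target DC dc01.corp.example.com, list file computers.txt.
param(
    [string]$Domain   = 'corp.example.com',
    [string]$TargetDC = 'dc01.corp.example.com',
    [string]$ListFile = '.\computers.txt'
)

# Fail fast if the chosen DC is itself unreachable on SMB; every join below would fail the same way.
if (-not (Test-NetConnection -ComputerName $TargetDC -Port 445 -InformationLevel Quiet)) {
    throw "TCP 445 to $TargetDC is blocked from here; choose a DC the firewall allows."
}

# Account allowed to create computer objects. The password ends up on the netdom command
# line of this admin host, so run this from an interactive admin session, not a scheduled job.
$cred = Get-Credential -Message "Account that may join computers to $Domain"
$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password

$failed = @()
foreach ($computer in (Get-Content $ListFile | Where-Object { $_.Trim() })) {
    # domain\dc after /Domain: pins the join to that DC (the KB option discussed above).
    & netdom.exe join $computer "/Domain:$Domain\$TargetDC" "/UserD:$user" "/PasswordD:$pass" /Reboot:30
    if ($LASTEXITCODE -eq 0) {
        Write-Host "$computer joined via $TargetDC"
    } else {
        # netsetup.log on the client records which DC was contacted and why the join failed.
        Write-Warning "$computer failed (netdom exit $LASTEXITCODE); see %windir%\debug\netsetup.log on $computer"
        $failed += $computer
    }
}
$failed | Set-Content '.\failed-joins.txt'
```

On current Windows the same pinning is available without netdom through Add-Computer -Server 'domain\dc'.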
deji (Posts: 150)
09/11/2005 4:48 AM
If you are using ADMT, then you won't really be doing a netdom. So, you won't
have the dc switch available for use. If you are using ADMT, you need to get
the V3 version. This lets you target a specific DC for the migration process.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
kamleshap (Posts: 27)
09/11/2005 10:39 AM
Also, the problem is every DC was left in the default config, so everybody is
at priority 0, so even if I want to use this solution, I have to lower
the priority of the other 49 DCs to a nonzero value.

If I want to implement this, is there a better way to lower the priority of the other DCs, using a script or dnscmd?

Because I can convince my engineers to work at night, and while I
change the priorities and before users return, I can revert them back.

On 9/11/05, Almeida Pinto, Jorge de wrote:

you could try to tweak the DNS priority of that particular DC (by lowering it) so that it will be the first DC to be used... However, other processes will also go to that DC and that may not be desired!
can't think of something else right now..
cheers
Jorge

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Fortune and Love befriend the bold"
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright 2008 ActiveDir.org