Astatine

I'm pretty sure I read about a ~130gig limit in some BIOSs in regards to hard drive size. Maybe that's coming into play here.

And now the fun begins.... When I try to make a new email a box appears saying "Not implemented". Clicking on Tools>Email Accounts causes "The operation failed due to a registry or installation problem". This is a fresh installation of .NET RC2, Exchange 2003 and Office 11 under vmware. Anyone else run into it?

I got confirmation of the kit I ordered being delivered. Should be good to see what changes there are. Did you install it on a bare PC or under something like vmware?

Protocols? If TCP/IP, are you using static or dynamic? Which addresses? Can you ping? etc.

Where to begin....the main network has an IP range of 192.168.101.* and has been working fine with a number of DCs. The outgoing IT manager has setup a child domain called "training" for the training rooms for security purposes. These rooms use an IP range of 192.168.200.* and have two DCs. There is supposedly a trust relationship in place between the domains to allow the training staff to authenticate against the parent domain and yet, still get access to resources on the child domain. The trust is apparently one way to pretent students "hacking back up the tree". For a start, there is...endless Warning entries in the Directory event log, with event ID of 1265, "Knowledge Consistancy". The description is below: Quote: The attempt to establish a replication link with parameters Partition: CN=Configuration,DC=domain,DC=com,DC=au Source DSA DN: CN=NTDS Settings,CN=114-IT14378,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com,DC=au Source DSA Address: ea1dc668-433f-47dc-9419-373ba2af0998._msdcs.domain.com.au Inter-site Transport (if any): failed with the following status: The RPC server is unavailable. The record data is the status code. This operation will be retried. These will occur in blocks of about three in about 90 seconds, slightly different and then it will try again in about 15 minutes. So obviously something is amiss there. In AD Domains and Trusts, Properties>Trusts lists the child domain in both boxes, as type Child with transitive set to Yes. If I select one, click Edit and then Verify, an error will appear "Windows cannot find a primary domain controller for the training.domain.com.au domain. Verify that the PDC is functioning and then try again." When viewing properties for the child domain, the General tab says "The Active Directory object could not be displayed. A referral was returned from the server." The Trusts tab returns no data. Pinging training.domain.com.au on machines connecting to the parent domain returns an address in the 192.168.101.* range that times out. Also, pinging dc.training.domain.com.au (where DC is the name of either training room DCs). The IPs returned are in the 192.168.200.* range and are correct for the starting IP of each room's subnet. Using NET VIEW \\servername where servername is a DC in the training domain gives "Access is denied", even when logged in as an administrator on the parent domain. When attempting to manually map a drive letter to the server, the following error is returned: Quote: System error 1311 has occurred. There are currently no logon servers available to service the logon request. I think it's pretty obvious there's some sort of issues here but I literally don't know where to start. Any suggestions, help, etc? Thanks.

Quote: I just spent an hour replying to your post and the session timed out when I hit submit and I lost it all. Can't get it back...... ;( Yeah, it happened to me before. Quote: In the mean time, check your sites and services for correct subnetting. Make sure that the subnets are actually assigned to correct sites. In ADSS, there are two sites - Default-First-Site-Name and Conferencing. *All* the DCs are allocated there in the Default one. To me, this seems just a tad fishy and I had asked about creating extra sites in a previous topic. Under Subnets, there are a few - 192.168.101.0/24 (the head office range), 192.168.200.0/24 (training), 192.168.200.32/27 (training), 192.168.200.64/27 (training again) and 192.168.200.96/27 (training). When you go into Properties for each, the site it set to Default-First-Site-Name. There are missing subnets for the other offices (which use ranges such as 192.168.102, 103, etc but I think they use VPN so that might be why they're not there). Quote: Check that your child domain DC was actually promoted to a DC. Look for it in the AD MMC. When looking at AD Users and Computers for the parent domain, no child domain DCs are listed.

Forgot to mention - all DCs and servers are running Windows 2000 server. Clients are a mix of 95, 98 and 2000. The domain is set to mixed mode. Is there any real reason not to switch to native mode?

Quote: Generally speaking, I would suggest that start with general troubleshooting procedures for AD. First, verify that DNS is setup properly. Make sure it allows for dynamic updates and since your running an AD, integrate all critical zones into it. Just because you have a child domain entry in your DNS does not mean that you have performed a DCPROMO of your child domain. Was this actually ever done? Not sure if that was done as I didn't setup the network. Quote: If so, you should have an entry in your DNS forward zone, in the _msdcs section off the root of your primary zone. You should also have a DC entry in the _msdcs section of your child domain. There should also be a full compliment of global catalog, sites and services etc entries on EACH domain. So in other words you should see child domain entries in the DNS at both domain.com and child.domain.com. Under that section, there are Alias entries for each DC, with weird names like 8d987675-9043-421b-8482-904d145a3eb8. Under the child domain, there is only the dc and pdc folders in the _msdcs folder. There's no gc folder. Also, the gc folders are just that, "gc", not with the underscore at the start like in your example. Quote: It really sounds to me like whoever set the domain up may not really understand the concept of a "child domain" from every aspect. I could be totally wrong here, but it will cost you for me to be sure. Since this is what I do for a living, I dont mind sharing and helping, but firm analysis on site would incur fees. Hope this helps. deg Understandable. The guy who set it up is insisting there shouldn't be any problems with it. I'll keep plugging away.

Thanks for the starting points, guys. There's some weird things on how the child domain systems are setup (like the DCs having multiple IPs) and I'll have to get more details about it when I'm at work. If I can find out anymore, I'll post about it.

Quote: Though I havent played with SUS recently, I believe it can be applied to machines as well as users. I should read their ADM file. Try it out on a test machine Just a followup on this - I created an organisational unit last night and assigned a policy to do the SUS up[censored] and moved a test machine into the unit. The user reported it downloaded 80megs of stuff and then asked to reboot. All done. Logs on the SUS server confirmed the up[censored] and when visiting the Windows Update site manually, there was no critical updates that needed installing.

At the moment, the network I work on is divided between the head office and several remote sites. All of these sites connect to the head office via VPN over ADSL. Most of these sites have their own 2000 servers on site as well. At the moment, the entire organisation is allocated inside the one site if I go into AD Sites and Services under admin tools. In addition to this, there is just a general "Staff" organisational unit with some sub units in the AD Users and Computers. The only thing in the way of actual group policies is one I've made for IT staff to test out automatic up[censored] of Windows 2000 off a Software Update Services (SUS) server I've setup. What I'd like is any suggestions about the best way to make use of Active Directory on this setup. In another topic, DS3Circuit has kindly provided feedback on using AD group policies for Office and SP3 installations. Under the current setup "odd" things happen, like head office PCs will run the login script off a remote server. Would it be better to create Sites under AD Sites and Services for each physical site? Any benefits/suggestions? Any other suggestions or comments on how to make the most of AD in this setup? Thanks.

Okay, so I guess a summary is in order here. Based upon what the organisation has, I'd be best off doing the following: 1. Creating AD Sites for each office that has a Domain Controller, along with a Global Catalog 2. Create organisational units for the storage of all the Windows 2000 systems and apply group policies to them to allow easy rollout of things such as Office 2000, Service packs, etc. 3. To facilitate #2, each office DC would have a local mirror of the required files. 4. The only site with more than one DC is the head office. (Not too sure what you mean by bridgehead though, DS, you might have to explain that term for me) 5. Set Exchange 2000 to native mode and fix OWA Anything missing?

Quote: Quote: As for using OWA and all that, yeah that's an option I'd like so people could check their email from home and offsite without going through the Terminal Server (ick). I think it's been half setup and is currently not working. Never worked at a business that used Outlook in terminal services, congrats for being daring Well at the moment, only the IT staff use Outlook through Terminal Services, because this gives us roaming capabilities for email and other bits and pieces throughout the organisation, as a lot of the PCs here are...not good. Also, the current setup means that if you don't use TS, your email is tied to the PCs where it's configured (I don't know if this is the "natural" way things are done). Having OWA working fully would be great for allowing full roaming Outlook functionality for all staff. As for Exchange 2003, I've ordered the beta and will be having a lot of playing around with it to see what's there, although I doubt they'd shell out for it unless there was a very compelling case for it.

So, just checking if I have this right....The mixed mode/native mode situation depends *only* on the versions of Exchange Server and as such, I could quite easily move to native mode for Exchange. (Note: the client OS and Outlook versions vary. OSes are 95, 98 and 2000, while Office versions are 97 and 2000) As for using OWA and all that, yeah that's an option I'd like so people could check their email from home and offsite without going through the Terminal Server (ick). I think it's been half setup and is currently not working.

At the moment, there's only one Exchange server, which is at head office. As for the mode, if I go into Exchange System Manager and check the properties for the top most item in the tree, it lists the mode as "Mixed Mode"

One thing that just sprung to mind - would creating extra sites break and/or effect any software functionality, such as Exchange 2000 Server (which they run), etc.

The IT manager has made a big deal about having servers at any site with 3/4 or more PCs, so there should be a DC at most of the sites. The Global Catalog thing I can see being very useful as sometimes the DSL links for some of the sites do actually go down. And what's Microsoft PSS? Thanks for the help so far too, DS3Circuit.

Since I have the actual ADSS screen in front of me now, I can fill in some details. There are two sites - "Default-First-Site-Name" and "Conferencing". The Conferencing site is empty and is probably a result of the IT Manager playing around with some video conferencing stuff he's been looking at. In the Default-First-Site-Name, there is all the DCs in the entire organisation, including those in the head office and remote offices. Under NTDS Site settings, one of the head office DCs is set as the server for Inter-Site Topology Generator (whatever that means....). Licensing Site Settings is also set to the same DC. Under Servers, all the DCs are listed. All are set to use IP and SMTP as inter-site data transfer transports. If I expand each server out and view their NTDS settings, they list between 3 and 8 items that just say "automatically generated". In Properties for NTDS settings, only one server has the Global Catalog checked on, and it's a different one from that specified as the Inter-Site Topology Generator. Viewing properties for each automatically generated connection shows that it seems to be a randomly assigned group of other servers to replicate off. In all instances, the transport is set to RPC. Replication schedules are set to once an hour. Under Subnets, there are 5 items. The first, 1.1.1.1/32, has its site set to Conferencing. The others are private LAN address ranges that are set for Default-First-Site-Name. Nothing comes up in the right window pane when I click on them. In AD Users and Computers, there's an organisational unit called "Staff" and then sub-units under that for each division in the company. There is a Domain Controllers OU (can't remember if this is a default or not) with most of the DCs in it. Only the Default Domain Controllers Policy is applied to this OU. The Computers Folder has all the other workstations allocated in it. Can't seem to see any Policy tab for properties here. The Printers OU is empty. I don't know if there's any benefit or not in having them in there. Lastly, do you recommend any particular books on this subject matter? Thanks.

Quote: SUS doesnt work with Service Pack Deployment Only Hotfixes No, I mean, at the moment, I have a group policy setup to do automatic updates from the SUS server. The policy is applied on users. What I was trying to ask was, could I apply the policy directly to the machines (in a similar fashion to how the policy on the machines is used to install SP3/Office 2000, etc) and still have it work?

Would Software Update Services (SUS) work in a similar configuration? I've currently got a test group policy applied to just the IT staff logins, but of course, we need local administrator access to use it (which we do have). Obviously, if the updates are applied regardless of the login name, that'd be great.

Just got a couple more questions about this, DS3Circuit... 1. Can the PCs be allocated to the same organizational unit as people? (ie. you have a unit called "headoffice" with all the people and PCs there) 2. Have you used this approach for any other type of installations such as Office? Is it effective?

Do the users login under the regular account? And does their account need local admin rights?

Did you run Netmeeting recently? I was getting the same error message too and managed to track it down to Netmeeting causing the problem. If you run and then close Netmeeting, the problem should go away.