
Everything posted by mmthomas
-
File Services Print Services
-
Last couple days spent upgrading a domain from Exchange 2003 on Windows 2000 to Exch 2010 and 2008 domain. Ugh. Save me.
-
You should have an Active Directory Users and Computers MMC under administrative tools on your 2008 server, just like you had in 2003 for adding users. If you cannot find it in your start menu, try typing dsa.msc from the Run line. You may also be able to use LDIFDE or CSVDE to export users from your 2003 domain and into your 2008 domain. Here is some information to get you started there. If you want to continue with dsadd, here is some more information which might help you.
-
It sounds like you successfully have it listening for vpn connections. Did you set the user account to allow network access in the Dial-in tab of ADUC? Here is a very brief forum post on setting up vpn. Here is a longer article on setting up ssl vpn.
-
Is the Win7 machine configured to get a DHCP address and DNS IPs from the domain? If so, is the machine actually pointing to the correct DNS server? If the Win7 machine is not pointing to one of the domain DNS servers, adding it to the domain will fail. You can manually configure the DNS server if you need to.
-
I have seen this article for repairing ownership problems when members of the administrators group need to be made the owner of their files rather than the administrator. I don't know that it would apply to you unless your users have accidentally been added to the local administrators group of the server. The default behavior of Server 2008 should be for non-administrative users to be the owner of objects which they create.
-
Are the users which are having this problem members of the administrators group? Or are they just regular user accounts?
-
Can't Write To Shared Folder Even With Full Write Access
mmthomas replied to cevo's topic in Servers / Domains / Hosting
You've told us one of the permissions: (Everyone - full control). Is that the Share permission or the NTFS permission on the folder? If that was the Share permission, what are the NTFS permissions? If that is the NTFS permission, what is the Share permission?
-
Nap, Dhcp And Non-Domain Laptops
mmthomas replied to jnavarro's topic in Servers / Domains / Hosting
You could probably accomplish this with NAP and a good deal of work. See this step by step guide. However, most decent wireless access points these days have the option for multiple SSIDs and can configure a dhcp scope for the individual SSID. It would probably be more cost effective to purchase one of these if yours doesn't already support it, unless you work someplace where your man-hours are not counted for project expense. Then you can hide or configure different security on the SSID for your domain users and have different security on the public SSID. For extra credit, configure VLANing to further segment public traffic.
-
I don't have a problem with users writing their password on a piece of paper and putting it in their wallet or purse, as long as they don't write down their username with it. Obviously it's better to keep it in something locked, but if you try to enforce that, you'll end up with people sticking it to their monitors or under their keyboards anyway because it is "too inconvenient" to open something locked. Additionally, your important administrative passwords should absolutely BE written down and stored (and kept updated) in your company vault or safe deposit box as security against the loss or untimely deaths of the IT people who know those passwords. It's part of our jobs as IT people to protect the security of business continuity and not only security against unauthorized entry. Thanks for taking the time to write all of these tips.
-
Do you mean which OSes can join a 2008R2 domain? XP and up should work fine. Older OSes may work if you install DSClient on them, just as with 2003. If you are talking about full support of group policies, there are a number of new policies in 2008 that require Vista or 7.
-
Microsoft has a step-by-step guide to upgrading your cluster to 2008 R2. Hope that helps.
-
According to Microsoft, "You cannot convert Server Core installations of Windows Server 2008 to non-Server Core installations of Windows Server 2008."
-
Client Dns Connection Times Out
mmthomas replied to ChrisWanamaker's topic in Servers / Domains / Hosting
When the ns queries fail, is it failing on just the clients, or both the clients and dns server? Does just the query time out or is it failing to connect to the ns server, too? Are you able to resolve names within the domain and only failing on external names? Are there any performance issues on the DNS server at the time of these problems (low memory, high disk usage, high proc, etc). Some possibilities: DNS server NIC is intermittently failing and then coming back online (would result in failures to resolve local names as well as external names), firewall (or router or internet connection) is intermittently failing to forward DNS traffic (local resolution would work and external would fail), intermittent failure of the ns server which you have set for forwarding (local resolution would work and external would fail; could be resolved by using root hints and not a forwarder). Check your server logs, too, for any DNS failures or hardware failures occurring at the same time.
-
You don't say anything about the rest of your network. Are the NS lookups slow from client machines or from the servers? Are you allowing all traffic outbound through your firewall or are you restricting DNS traffic to only your server? When you remove DNS from the FF server, can you do resolution from the DC and not from clients, or does it fail from all machines? Your friend is correct that you shouldn't need DNS on both the DC and FF server. I'm assuming that the FF server is your gateway to the internet, in which case my guess is that you need to configure FF to allow the DNS traffic from your DC out to the internet. That would also explain some slowness -- your clients would try the primary DNS server which was available but blocked from querying external servers. Eventually it would time out and your clients would move to the secondary NS. But I could be wrong without knowing more about your setup.
-
Do you have a hiberfil.sys file in the root of your system drive? If you do, your system can still sleep and hibernate. There is a tool here for removing it. If that doesn't help, check your BIOS settings and make sure the ACPI power settings are correct. You might have Suspend to RAM or something set that is causing the sleeps.
-
Workstations "kicked Off" Domain
mmthomas replied to genistas's topic in Servers / Domains / Hosting
This sounds like a problem with the secure channel not working properly. Things to check are system time synchronization between the affected machines and the DCs, DNS, and AD replication.
-
Do external sessions connect to the server at all or from the outside does it look like the server isn't on at all? If they are connecting, what kind of error messages or bounces are you getting when you try to send email from external? If they are not connecting, first check your firewall and make sure it is still allowing mail traffic through. It is possible that your power failure may have caused a problem there, too. Even if it looks right, go ahead and restart it just in case. I've seen firewalls stop forwarding one particular type of traffic even when everything else looked like it was working correctly.
-
Braidy, I split your question out as it didn't really relate to the other thread. The administrator on a system has access to any and all files on a system unless you encrypt them. Beyond that, the admin has the permissions to install any other type of software to keep track of other things you might do -- internet browsing history, log your instant messages, and so on. Even if you are encrypting files, if the admin has installed key stroke loggers (assuming they really want to keep track of what you are doing) they can capture your passwords. It may not be as much of an issue if this is a home machine, but if another user has admin privileges you should assume that you have no privacy.
-
Connect Computers To Domain, Securitygroup?
mmthomas replied to micael's topic in Servers / Domains / Hosting
The Account Operators group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Another option, if you want to grant even fewer permissions, is to create a new group and delegate control for your computers OU to that group only for the "Create, delete, and manage user accounts" permissions. So the first option grants permissions in all of the OUs and the second option only grants for specific OUs.
-
The System Doesn't Recognize Existing Disks
mmthomas replied to danielk9's topic in Servers / Domains / Hosting
How is your RAID set up? Are all eight disks in one RAID 5 array or some other configuration?
-
This KB lists all the ports that need to be forwarded/accessible from the public IP to the domain controller. There are a lot. If your firewall is capable, you will want to lock down access to these ports to only the other domain's public IP address. If it's not capable, then I would not recommend setting it up this way. I would normally say that if you have firewalls capable of forming a VPN, that would probably be safer. Or even a Microsoft VPN directly from one domain controller to the other would have fewer open ports. Setting up a VPN would also mean that you wouldn't need to resolve the private domain names from the internet as it could resolve directly across the VPN to the other domain's dns (with an appropriate conditional forwarder set up). However, since you would have the same IP pools on either side of the VPN (192.168.0.0/24) your connection wouldn't work. So that option is out, unless you change one of the networks to say 192.168.1.0/24. So, you'll need to use some host entries in DNS or in your hosts file to resolve the other domain to its public IP address.
-
Try going into the Properties to the Ports tab and unchecking "Enable printer pooling".
-
What Atlas said. There is a point as the Windows installer loads where it says something like press F6 to install extra drivers from disk. This is where you would insert your controller drivers.