Active Directory mistake: Moving domain controller objects into a child OU of the domain controller is unsupported
Learn about this and other classic Active Directory mistakes
Hello there. First of all
Hello there. First of all, thanks for your article; it is very good and clear. I, however, have a good reason for putting the domain controllers inside child OUs, and I have done so and run into problems, so I had to move them back to the default Domain Controllers OU.
My reason is that I have 5 domain controllers in 3 different and distant sites, and each site has its own WSUS server, so I would like to have the domain controllers getting their updates from their local WSUS server, but to do that I need to apply different group policies to the servers in different locations, therefore they need to be in different OUs.
So, I couldn't find any solution to that because I can't move my domain controllers, and I believe Microsoft should have thought of that... Anyway, would you have any ideas to solve my problem without moving the domain controllers to different OUs?
Thank you again!
Hey Felipe, your solution:
Hey Felipe, your solution: make 3 different GPOs that have 3 different WSUS paths. Configure the ACL of every GPO so that only the right DCs have permission to read and apply their corresponding policy. Then link EACH of the GPOs to the Domain Controllers OU. That's all...
GPOs using WMI Filters
This is a common issue to solve in large global deployments of domains, and the biggest issue people face is not updating the GPOs if they explicitly assign the DC computer object in the security filter and then decommission the DC and add a new one. The easiest way around this does of course depend on your global naming standard.
Using WMI filters in GPMC you can create a WMI filter that will only ensure that the GPO you assign will only apply to computers that start with a specific WMI filter.
i.e. root\CIMv2: Select * from Win32_ComputerSystem WHERE Name like 'SITE-A%'
Assign this to the GPO on the Domain Controllers OU that specifies Site A's WSUS server. Hence you keep them all in one OU.
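An added example (not from the article or from any commenter): a PowerShell check that every domain controller name matches exactly one of the per-site WMI filter patterns described above, so a newly promoted DC that falls outside the naming standard is noticed before it goes without a WSUS policy. The DC names, GPO names and patterns are constructed for illustration, and the function names are hypothetical.

```powershell
# Constructed sample data. In a real domain the names could come from:
#   (Get-ADDomainController -Filter *).Name   (ActiveDirectory module)
$dcNames = 'SITE-A-DC01', 'SITE-A-DC02', 'SITE-B-DC01', 'SITE-C-DC01', 'HQ-DC09'

# GPO name -> pattern used in that GPO's WMI filter query:
#   SELECT * FROM Win32_ComputerSystem WHERE Name LIKE '<pattern>'
$wsusFilters = [ordered]@{
    'WSUS - Site A' = 'SITE-A%'
    'WSUS - Site B' = 'SITE-B%'
    'WSUS - Site C' = 'SITE-C%'
}

function ConvertTo-LikeRegex {
    # Translate the WQL LIKE wildcards % (any string) and _ (any one character)
    # into an anchored regex. Bracket sets such as [a-f] are not translated.
    param([Parameter(Mandatory)][string]$Pattern)
    $escaped = [regex]::Escape($Pattern)   # leaves % and _ untouched
    '^' + $escaped.Replace('%', '.*').Replace('_', '.') + '$'
}

function Get-WsusGpoCoverage {
    # For each computer name, list the GPOs whose WMI filter would select it.
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Filter
    )
    foreach ($name in $ComputerName) {
        # -match is case-insensitive, as WQL string comparison is.
        $hits = @($Filter.Keys | Where-Object {
            $name -match (ConvertTo-LikeRegex -Pattern $Filter[$_])
        })
        [pscustomobject]@{
            Name   = $name
            Gpos   = $hits -join ', '
            Status = switch ($hits.Count) {
                0       { 'NO WSUS GPO' }
                1       { 'ok' }
                default { 'MULTIPLE GPOs' }
            }
        }
    }
}

Get-WsusGpoCoverage -ComputerName $dcNames -Filter $wsusFilters |
    Format-Table -AutoSize
```

With the sample data, HQ-DC09 is reported as NO WSUS GPO because its name matches none of the three site prefixes.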
Huh?
If Microsoft does not support or recommend moving DCs into child OUs of the DC OU, then they should not allow it with their tools. I have done so in one domain in the past and did not encounter problems. I simply did not KNOW of this recommendation.
Felipe
Felipe, apply the GPO at the site level.