Enterprise Administrators communicate
enterprise-wide changes to domain and OU administrators via the CalNetAD
Change Management System (CCMS). The CCMS serves as the primary vehicle
for the notification, coordination, authorization, and archiving of
notable changes to the CalNetAD forest.
| Date |
Who |
Change |
| 11/18/08 |
Curtis Salinas |
ACTDIR08 virtualized and promoted at UCLA |
| 11/18/08 |
Forrest Smalley |
ACTDIR09 virtualized and promoted at UCLA |
| 10/29/08 |
Forrest Smalley |
ACTDIR09 demoted at UCLA for maintenance |
| 10/23/08 |
Forrest Smalley |
ACTDIR07 rebuilt on new hardware at RSSP |
| 7/24/08 |
Michael Leefers |
Extended Schema in preparation of OCS |
| 6/30/08 |
John Weber |
Installed latest hotfixes on ACTDIR08 and ACTDIR09 |
| 6/25/08 |
John Weber |
Upgraded ACTDIR03 to Server 2008 |
| 5/16/08 |
John Weber |
Re-registered DNS records for ACTDIR03 |
| 5/14/08 |
John Weber |
Installed KB932755 to mitigate any system lockup issues on ACTDIR03 |
| 4/21/08 |
John Weber |
Extended Schema for SCCM 2007 |
| 4/16/08 |
John Weber |
Upgraded Cisco Security Agent on ACTDIR03 |
| 4/9/08 |
John Weber |
Changed ACTDIR07's IP address to 128.32.70.195 |
| 3/13/08 |
Michael Leefers |
Extended Schema in UC and Campus for Exchange 2007 |
| 2/29/08 |
John Weber |
Reverted ACTDIR03 to Server 2003 to mitigate NetApp NAS appliance issues. |
| 2/27/08 |
John Weber |
Upgraded ACTDIR04, ACTDIR07 to Server 2008. |
| 2/26/08 |
John Weber |
Upgraded ACTDIR05 to Server 2008. |
| 2/25/08 |
John Weber |
Upgraded ACTDIR08 to Server 2008. |
| 2/21/08 |
John Weber |
Upgraded ACTDIR02 and ACTDIR09 to Server 2008. |
| 2/20/08 |
John Weber |
Upgraded ACTDIR03 to Server 2008. |
| 2/19/08 |
John Weber |
Upgraded ACTDIR01 to Server 2008 RTM. |
| 1/25/08 |
John Weber |
Rebooted ACTDIR04 after console was hung. |
| 1/18/08 |
John Weber |
Powered down ACTDIR03 due to service issues. |
| 1/16/08 |
Michael Leefers |
Upgraded Actdir03 to Server 2008. |
| 1/16/08 |
Michael Leefers |
Extended Campus Domain Schema for Server 2008. |
| 1/14/08 |
Michael Leefers |
Upgraded Actdir01 to Server 2008. |
| 1/14/08 |
Michael Leefers |
Extended Forest and UC Domain Schema for Server 2008. |
| 1/7/08 |
John Weber |
Removed Kerberos Realm trust with BERKELEY.EDU (MIT KDC). |
| 12/7/07 |
John Weber |
Added 10.254.0.0/16 and 10.32.137.128/26 to site BerkeleyCampus. |
| 12/5/07 |
John Weber |
Updated Cisco Security agent on ACTDIR03. |
| 11/5/07 |
John Weber |
Updated Cisco Security agent and installed OS patches on ACTDIR03, 04, and 07. |
| 11/1/07 |
John Weber |
Updated Cisco Security agent and installed OS patches on ACTDIR05, and 06. |
| 10/31/07 |
John Weber |
Updated Cisco Security agent and installed OS patches on ACTDIR01, 02, 08, and 09. |
| 10/5/07 |
John Weber |
Removed trust with PUBLIC_Health. |
| 7/11/07 |
John Weber |
Installed MS07-039 on all DCs and rebooted. |
| 6/11/07 |
John Weber |
Removed LDAP Signing requirement because of Mac compatibility. |
| 6/5/07 |
John Weber |
Required LDAP Signing for UC and CAMPUS domains. |
| 5/18/07 |
John Weber |
Virtualized ACTDIR02 |
| 4/24/07 |
John Weber |
Virtualized ACTDIR01 |
| 3/28/07 |
John Weber |
Moved HDC-AD-C to site "Haas" |
| 3/26/07 |
John Weber |
Moved HDC-AD-A to site "Haas" |
| 3/19/07 |
John Weber |
Added "Authenticated Users" to "Users" group per KB924035. |
| 3/6/07 |
John Weber |
Created site "Haas", assigned subnet 128.32.64.0/24 to it, and moved HCS-AD-D domain controller to it. |
| 3/6/07 |
John Weber |
Created 2-way trust with PUBLIC_HEALTH in preparation for migration to CAMPUS. |
| 2/28/07 |
John Weber |
Removed trust relationship with RECSPORTS. |
| 2/5/07 |
John Weber |
Removed trust relationship with IAS. |
| 12/4/06 |
John Weber |
Enabled GPO preventing the use of "CTRL-ALT-DEL" to change passphrase. |
| 12/4/06 |
John Weber |
Blocked all communication from "off-campus" hosts to domain controllers. |
| 11/13/06 |
John Weber |
Removed 2-way trust between CCS-SDA and CAMPUS. |
| 11/1/06 |
John Weber |
Removed 2-way trust between OHR and CAMPUS. OHR migration complete. |
| 10/3/06 |
John Weber |
Established 2-way trust between RECSPORTS and CAMPUS in preparation for migration to CAMPUS. |
| 9/18/06 |
John Weber |
Modified Default Domain Controller GPO to disable spooler service per KB246906. |
| 8/24/06 |
John Weber |
Modified Default Domain Controller GPO to increase maximum log size. |
| 8/18/06 |
John Weber |
Finished promotion of ACTDIR08 (CAMPUS) and ACTDIR09 (UC) located at UCLA. |
| 8/11/06 |
John Weber |
All domain controllers - Patched and rebooted. |
| 6/30/06 |
John Weber |
Extended Schema to support Windows 2003 R2. |
| 6/28/06 |
Michael Leefers |
Modified Default Domain Controller GPO. Gave Exchange
Enterprise Servers Manage auditing and security log rights. |
| 6/28/06 |
Michael Leefers |
Extended Schema in Forest Root and Campus for future support of
Exchange Server. |
| 1/6/06 |
John Weber |
actdir03 - restored to service on new hardware. IM FSMO moved back to actdir03. |
| 1/2/06 |
Michael Leefers |
actdir03 - Hardware failure. Infrastructure Master moved to actdir05. |
| 12/7/05 |
John Weber |
Extended Schema for SMS 2003. |
| 11/22/05 |
John Weber |
Promoted new ACTDIR05 DC located in Haas School of Business. |
| 11/18/05 |
John Weber |
Installed hotfixes on ACTDIR01, ACTDIR04, ACTDIR06. Rebooted DCs. |
| 11/17/05 |
John Weber |
Installed hotfixes on ACTDIR02, ACTDIR03, ACTDIR07. Rebooted DCs. |
| 11/3/05 |
John Weber |
Established 1-way trust between IAS and CAMPUS in preparation for migration to CAMPUS. |
| 10/7/05 |
John Weber |
Demoted ACTDIR05 to member server role, retired hardware. |
| 9/22/05 |
John Weber |
Configured Symantec Anti-Virus for highest performance on all DCs. |
| 8/29/05 |
John Weber |
Removed 2-way trust between OUARS and CAMPUS. OUA migration complete. |
| 8/19/05 |
John Weber |
Removed 2-way trust between CGSS and CAMPUS. Career Center migration complete. |
| 8/2/05 |
John Weber |
actdir04 - Replace failed power supply. |
| 7/14/05 |
Michael Leefers |
Established 2-way trust between OHR and CAMPUS in preparation for migration to CAMPUS. |
| 6/22/05 |
John Weber |
actdir01-07 - Installed Symantec symevent v11.6.2 to solve event id 2019 problem. |
| 6/22/05 |
John Weber |
actdir07 - Upgraded Dell OpenManage, RAID firmware, upgraded to Server 2003 SP1. Hotfixes also current. |
| 6/21/05 |
John Weber |
actdir06 - Upgraded Dell OpenManage, RAID firmware, upgraded to Server 2003 SP1. Hotfixes also current. |
| 6/20/05 |
John Weber |
actdir05 - Upgraded Dell OpenManage, RAID firmware, upgraded to Server 2003 SP1. Hotfixes also current. |
| 6/16/05 |
John Weber |
actdir04 - Upgraded Dell OpenManage, RAID firmware, upgraded to Server 2003 SP1. Hotfixes also current. |
| 6/15/05 |
John Weber |
actdir03 - Upgraded Dell OpenManage, RAID firmware, upgraded to Server 2003 SP1. Hotfixes also current. |
| 6/15/05 |
John Weber |
actdir02 - Upgraded Dell OpenManage, RAID firmware, upgraded to Server 2003 SP1. Hotfixes also current. |
| 6/13/05 |
John Weber |
actdir01 - Upgraded Dell OpenManage, RAID firmware, upgraded to Server 2003 SP1. Hotfixes also current. |
| 3/23/05 |
John Weber |
actdir04 - Replaced RAID controller, rejoined to domain, assumed RID and PDC FSMOs. |
| 3/8/05 |
John Weber |
Established 2-way trust between CGSS and CAMPUS in preparation for CGSS migration to CAMPUS. |
| 2/28/05 |
John Weber |
actdir04 - Hardware failure. RID and PDC FSMOs moved to actdir05 |
| 2/11/05 |
John Weber |
Installed hotfixes (including MS05-011) on actdir01,02,03,04,05,06,07. Rebooted all DCs. |
| 12/22/04 |
John Weber |
Raised UC forest level to 2003 |
| 11/16/04 |
John Weber |
Raised UC.BERKELEY.EDU domain level to 2003 |
| 11/15/04 |
John Weber |
Raised CAMPUS.BERKELEY.EDU domain level to 2003 |
| 11/10/04 |
John Weber |
Removed trust relationship with OR_SS_IMAGING |
| 11/8/04 |
John Weber |
actdir06 - Upgraded to Windows Server 2003 |
| 11/5/04 |
John Weber |
actdir07 - Upgraded to Windows Server 2003 |
| 11/3/04 |
John Weber |
actdir05 - Upgraded to Windows Server 2003 |
| 11/1/04 |
John Weber |
actdir03 - Upgraded to Windows Server 2003 |
| 10/29/04 |
John Weber |
actdir04 - Upgraded to Windows Server 2003 |
| 10/27/04 |
John Weber |
actdir02 - Upgraded to Windows Server 2003 |
| 10/25/04 |
John Weber |
actdir01 - Upgraded to Windows Server 2003 |
| 10/1/04 |
John Weber |
Removed trust relationship with ASD. ASD migration complete. |
| 8/20/04 |
John Weber |
Established 2-way trust between OUARS and CAMPUS in preparation for OUA migration to CAMPUS. |
| 8/10/04 |
John Weber |
CAMPUS - Updated Campus - Domain GPO to allow cross-forest user policies |
| 8/9/04 |
John Weber |
actdir01, actdir05 - Installed hotfixes, rebooted |
| 8/4/04 |
John Weber |
actdir07 - updated lmhosts configuration |
| 7/7/04 |
John Weber |
actdir03 - Replaced faulty memory and rebooted. |
| 7/1/04 |
Eric Chamberlain |
CAMPUS - disable EFS encryption; see Security
Subcommittee minutes for more information |
| 6/30/04 |
Eric Chamberlain |
CAMPUS - migrate PDC emulator role to actdir04 |
| 06/28/04 |
Eric Chamberlain |
CAMPUS - migrate FSMO roles from actdir05 to actdir03 |
| 06/28/04 |
Eric Chamberlain |
UC - migrate FSMO roles from actdir06 to actdir01 |
| 06/28/04 |
Eric Chamberlain |
actdir07 - update lmhosts configuration |
| 06/25/04 |
Eric Chamberlain |
actdir01, actdir03 - Powered down and moved to new data center |
| 06/18/04 |
Eric Chamberlain |
actdir02, actdir04 - Powered down and moved to new data center |
| 06/16/04 |
Eric Chamberlain |
CAMPUS - Migrate FSMO roles to actdir05 in preparation for the
data center move. |
| 06/16/04 |
Eric Chamberlain |
UC - Migrate FSMO roles to actdir06 in preparation for the data
center move. |
| 06/02/04 |
John Weber |
actdir05 - Updated BIOS, firmware, and rebooted. |
| 05/27/04 |
Eric Chamberlain |
Actdir07 - added to the campus.berkeley.edu domain. |
| 05/24/04 |
Eric Chamberlain |
CAMPUS - Updated Campus - Domain GPO to require NTLMv2 |
| 04/28/04 |
Arden Pineda |
Removed trust relationship with FBS. FBS migration complete. |
| 04/19/04 |
Arden Pineda |
Removed trust relationship with IIR. IIR migration complete. |
| 04/12/04 |
Arden Pineda |
Set up 2-way trust between PHIL and CAMPUS domains |
| 03/30/04 |
Arden Pineda |
Set up 2-way trust between OR_SS_IMAGING and CAMPUS domains |
| 03/15/04 |
Eric Chamberlain |
CAMPUS - Updated Campus - Domain and Campus - Domain Controller GPOs
to set NTLMv2 at domain level. |
| 03/12/04 |
Arden Pineda |
Set up 2-way trust between ASD and CAMPUS domains. ASD migration
start. |
| 03/02/04 |
Arden Pineda |
Added CHAMACOS-135 to the RAS and IAS Servers group to authorize
it as a VPN server. |
| 01/22/04 |
Arden Pineda |
set up 2-way trust between IIR and CAMPUS domains. IIR domain
migration starts. |
| 01/21/04 |
Arden Pineda |
removed trust relationship with BOALT domain. LAW migration complete. |
| 12/05/03 |
Arden Pineda |
setup 2-way trust between FBS and CAMPUS domains. FBS domain to
be migrated by COIS to CAMPUS domain. |
| 12/02/03 |
Eric Chamberlain |
actdir01,actdir02,actdir03,actdir04,actdir05,actdir06 - Upgraded
Cisco Security Agent |
| 11/21/03 |
Arden Pineda |
removed 2-way trust with LSNT domain. LS Deans Office migration
complete. |
| 10/31/03 |
Eric Chamberlain |
actdir01,actdir02,actdir03,actdir04,actdir05,actdir06 - Installed
hotfixes, uninstalled RoboMon agent, and updated Cisco Secure Agent |
| 10/31/03 |
Eric Chamberlain |
actdir03,actdir04,actdir05 - Modified DC GPO to use a fixed AD
RPC replication port and a limited range of RPC dynamic ports |
| 09/01/03 |
Arden Pineda |
Established 2-way trust between LSNT and CAMPUS in preparation
for LSNT migration to CAMPUS. |
| 08/13/03 |
Eric Chamberlain |
actdir04 - Install SP4. |
| 08/12/03 |
Eric Chamberlain |
actdir03, actdir05, actdir06 - Install SP4. |
| 08/07/03 |
Eric Chamberlain |
actdir02 - NIC lost link light. Reset switch port. |
| 08/06/03 |
Eric Chamberlain |
actdir01,actdir02 - Install SP4 |
| 07/28/03 |
Eric Chamberlain |
actdir01,actdir02,actdir06 - Okena blocking in effect. |
| 07/28/03 |
Eric Chamberlain |
actdir01,actdir02,actdir03,actdir04,actdir05,actdir06 - Modified
DC GPO to use IPSEC when communicating between DCs. |
| 07/17/03 |
Eric Chamberlain |
actdir01,actdir02,actdir06 - Modified DC GPO to use a fixed AD
RPC replication port and a limited range of RPC dynamic ports |
| 07/16/03 |
Eric Chamberlain |
actdir01,actdir02,actdir03,actdir04 - Enabled Schlumberger GINA
for smart card authentication, rebooted machines. |
| 07/02/03 |
Eric Chamberlain |
actdir01,actdir02,actdir03,actdir04 - Evans basement flood, machines
powered down from 6pm to 10pm. actdir05 and actdir06 were unaffected. |
| 06/30/03 |
Eric Chamberlain |
actdir06 - rebooted machine and network connection was restored.
Disabled NetBIOS on ERA PPP network connection; see "The
Remote Access Controller (RAC) Service Slows Local Network Browsing
in the Microsoft® Windows® 2000 Operating System" in
the Dell Knowledge Base for more information. |
| 06/27/03 |
Eric Chamberlain |
actdir06 - Network connection lost on reboot, machine unavailable |
| 06/17/03 |
Eric Chamberlain |
actdir03,actdir04,actdir05 - updated lmhosts file to fix trust
with ccs-sda domain. |
| 06/16/03 |
Eric Chamberlain |
actdir03 - Updated hotfixes and rebooted. |
| 06/09/03 |
Eric Chamberlain |
actdir05 - Upgraded Okena agent |
| 06/09/03 |
Eric Chamberlain |
actdir05,actdir06 - Installed Schlumberger Smart Card User Kit
(installs drivers for smart cards and tokens) and rebooted servers |
| 06/09/03 |
Arden Pineda |
Imported lmhosts_0.5 to ACTDIR03, ACTDIR04 and ACTDIR05. Established
2-way trust between CAMPUS and BOALT domain in preparation for the
LAW migration. |
| 06/06/03 |
Eric Chamberlain |
actdir04 - Uninstalled old Okena agent. Tried to install new network
driver, but agent would disable network interface. Had to uninstall
new agent. |
| 06/06/03 |
Eric Chamberlain |
actdir01,actdir02,actdir03,actdir04 - Installed Schlumberger Smart
Card User Kit (installs drivers for smart cards and tokens) and
rebooted servers |
| 06/02/03 |
Arden Pineda |
Added BCC-VPN01 to the "RAS and IAS Servers" group in
the campus domain. This authorizes the Windows 2000 VPN server for
COIS. |
| 05/16/03 |
Eric Chamberlain |
actdir01, actdir03 - reboot
actdir05 - update OS patches and hotfixes |
| 05/15/03 |
Eric Chamberlain |
actdir02 - Install Okena Agent and updated OS patches and hotfixes |
| 05/11/03 |
Eric Chamberlain |
Rejoin actdir06 to UC domain |
| 04/08/03 |
Eric Chamberlain |
Schema change to support Server 2003 with adprep /forestprep
UC domain updated with adprep /domainprep
UCB Root Certificate Authority 01 certificate published in Enterprise
Root Certificate Store |
| 04/04/03 |
Eric Chamberlain |
actdir06 - hardware failure. DC unavailable |
| 03/13/03 |
Eric Chamberlain |
actdir03, actdir04, actdir05 - Remove unneeded domains from lmhosts
file |
| 03/08/03 |
Eric Chamberlain |
actdir01 - updated Okena agent and updated OS patches and hotfixes.
actdir03 - updated Okena agent |
| 03/06/03 |
Arden Pineda |
Re-authorized aardvark.coe.berkeley.edu as a DHCP server. There
are 5 authorized DHCP servers in CalnetAD: 64-198-91-67.cprc.net,
aardvark.coe.berkeley.edu, hcs-ad-b, hcs-ad-c and ls.haas.berkeley.edu. |
| 03/06/03 |
Eric Chamberlain |
actdir06 has been added to the uc.berkeley.edu domain. This is
the third domain controller for the UC domain and is located out of
Evans Hall at HAAS. CalNetAD would like to thank HAAS and CNS for the
use of the space. |
| 03/06/03 |
Eric Chamberlain |
Allow campus-test.berkeley.edu to trust campus.berkeley.edu domain. |
| 03/03/03 |
Arden Pineda |
Removed trust entries for CHANCE domain in campus.berkeley.edu. |
| 10/21/02 |
Arden Pineda |
Removed trust relationship between campus.berkeley.edu and COEDEAN.
COEDEAN migration project completed. |
| 10/20/02 |
Arden Pineda |
actdir01,actdir02, actdir03, actdir04, actdir05 - Installed SP3 |
| 10/3/02 |
Eric Chamberlain |
actdir01,actdir02 - installed Okena Agent v3.1 |
| 10/3/02 |
Eric Chamberlain |
actdir01,actdir02,actdir03,actdir04 - uninstalled Okena Agent
for upgrade |
| 9/11/02 |
Eric Chamberlain |
actdir03 - installed Open Manage OMSA update and rebooted machine. |
| 9/5/02 |
Eric Chamberlain |
actdir05 - installed Okena agent |
| 9/4/02 |
Eric Chamberlain |
actdir02, actdir04 - installed Okena agent |
| 8/30/02 |
Eric Chamberlain |
actdir01, actdir03 - installed Okena agent |
| 8/29/02 |
Eric Chamberlain |
actdir03 - implemented hotfix Q326830
to address MS02-045:
Unchecked Buffer in Network Share Provider May Lead to Denial-of-Service |
| 8/28/02 |
Eric Chamberlain |
actdir02, actdir04 - implemented hotfix Q326830
to address MS02-045:
Unchecked Buffer in Network Share Provider May Lead to Denial-of-Service |
| 8/27/02 |
Eric Chamberlain |
actdir01, actdir05 - implemented hotfix Q326830
to address MS02-045:
Unchecked Buffer in Network Share Provider May Lead to Denial-of-Service |
| 8/27/02 |
Eric Chamberlain |
actdir01, actdir02 - remove Administration share, eliminated excessive
replication traffic problem. |
| 7/22/02 |
Eric Chamberlain |
UC and CAMPUS domains - Domain Controller and Domain GPO Change-
Implemented Q239869
Domain controllers refuse LM and NTLM responses (accept only
NTLM 2). Clients use NTLM 2 authentication, use NTLM 2 session
security if the server supports it; domain controllers refuse
NTLM and LM authentication (they accept only NTLM 2).
If a client/server program uses the NTLM SSP (or uses secure
Remote Procedure Call [RPC], which uses the NTLM SSP) to provide
session security for a connection, the type of session security
to use is determined as follows:
- The client requests all the following items: message integrity,
message confidentiality, NTLM 2 session security, and 128-bit
encryption.
- The connection does not succeed if message integrity is
not negotiated.
- The connection does not succeed if message confidentiality
is not negotiated.
- The connection does not succeed if NTLM 2 session security
is not negotiated.
- The connection does not succeed if message confidentiality
is in use but 128-bit encryption is not negotiated.
|
| 7/19/02 |
Arden Pineda |
Added external 1-way trust between campus.berkeley.edu and COEDEAN
domains where campus.berkeley.edu trusts the COEDEAN domain. This
is a temporary solution until the COEDEAN domain migration is
completed. |
| 7/15/02 |
Eric Chamberlain |
All DCs - Implemented InetOrgPerson schema change. |
| 7/12/02 |
Eric Chamberlain |
actdir03,actdir04,actdir05 - imported lmhosts_0.3 for COEDEAN
domain migration. |
| 6/24/02 |
Mike Blasingame |
actdir04 - rebooted machine. (CalNetAD trouble ticket #00024152) |
| 5/13/02 |
Eric Chamberlain |
actdir05 - Installed machine at Boalt.
Made a Global Catalog. |
| 5/7/02 |
Eric Chamberlain |
actdir03 - Installed Terminal Services Licensing service.
Removed registry entry that was preventing service from starting.
Rebooted machine. |
| 4/30/02 |
Eric Chamberlain |
actdir02 - Installed NIC with IPSEC off-load capabilities.
Disabled NetBIOS support.
Rebooted machine. |
| 4/30/02 |
Eric Chamberlain |
actdir04 - Installed NIC with IPSEC off-load capabilities.
Rebooted machine. |
| 4/30/02 |
Eric Chamberlain |
actdir03 - Remote Registry service set to disable and not running.
Started service. Modified Domain Controller GPO to force automatic
setting for Remote Registry. |
| 4/28/02 |
Karl Grose |
actdir03, actdir04 - Archived Eventlogs, reset crashonauditfail
registry key, rebooted machines. Disabled CrashOnAuditFail key in
GPO, until the following changes can be made: http://www.microsoft.com/windows2000/techinfo/reskit/en/regentry/46685.htm |
| 4/1/02 |
Eric Chamberlain |
actdir03, actdir04 - Archived Eventlog files. Removed Site GPO
and replaced with modifications to domain GPO. Modified domain GPOs
to disable IIS services by default. Set UC Domain to use LM, NTLM,
after trying to negotiate NTLMv2. |
| 4/1/02 |
Eric Chamberlain |
actdir01, actdir02 - Archived Eventlog files. Removed Site GPO
and replaced with modifications to domain GPO. Modified domain GPOs
to disable IIS services by default. Set UC Domain to only use NTLMv2
or better. |
| 3/20/02 |
Eric Chamberlain |
actdir04 - Archive Eventlog files and reboot. |
| 3/20/02 |
Eric Chamberlain |
actdir04, actdir03 - Change Domain Controller Policy to refuse
LM authentication. |
| 3/8/02 |
Eric Chamberlain |
actdir01, actdir02, actdir03, actdir04 - Power up servers. |
| 3/7/02 |
Eric Chamberlain |
actdir01, actdir02, actdir03, actdir04 - Power outage, power down
servers. |
| 3/4/02 |
Eric Chamberlain |
actdir03 - Reset crashonauditfail key and reboot. Change Domain
Controller GPO to 100MB Security log file max size and overwrite
when needed. |
| 2/26/02 |
Eric Chamberlain |
Actdir01, Actdir02 - Reset crashonauditfail key and reboot. Change
Domain Controller GPO to 100MB Security log file max size and overwrite
when needed. |
| 2/20/02 |
Eric Chamberlain |
Actdir02, Actdir04 - Turn on Change Journal for Legato Backup.
Testing showed no problems on other DCs. |
| 2/20/02 |
Eric Chamberlain |
Actdir03 - Remove FRS shares from DC. |
| 2/19/02 |
Eric Chamberlain |
Actdir04 - FRS filled up F: drive. Rebooted machine to restart
netlogon. |
| 2/14/02 |
Eric Chamberlain |
Campus domain established two way trust with CCS-SDA NT4 domain. |
| 2/14/02 |
Eric Chamberlain |
Actdir04 - frs corrupted. Restarted service. |
| 2/14/02 |
Eric Chamberlain |
Actdir03, Actdir04 - Change Security log file size to 180MB, and
overwrite as needed to prevent log write lockout. |
| 2/14/02 |
Eric Chamberlain |
Actdir03, Actdir04 - Clear crashonauditfail and reboot. |
| 2/12/02 |
Eric Chamberlain |
Actdir01 - Remove Dell OpenManage ITassist server and SQL database.
Migrate monitoring to fish.berkeley.edu with other SDA servers. |
| 2/11/02 |
Eric Chamberlain |
Actdir04 - Reset crashonauditfail key. Cleared security log file.
Rebooted machine. |
| 2/11/02 |
Eric Chamberlain |
Actdir01, Actdir03 - Turn on use of Change Journal in Legato
backup. |
| 2/8/02 |
Farhad Milani |
Actdir01 - Replace bad DIMM. |
| 1/28/02 |
Eric Chamberlain |
Modified UPS shutdown procedure to wait for low battery condition.
Setup notification to notify users, ntdoctors, and ADdoctors of
UPS events.
Changed antivirus to scan weekly and disabled realtime monitoring.
Removed registry key for detailed Kerberos logging
Re-enabled halt on security log full or unwriteable.
Reboot all DC's. |
| 1/23/01 |
Eric Chamberlain |
Create OE OU and sub-items. |
| 1/18/01 |
Eric Chamberlain |
Disable halt on security log full or unwriteable to troubleshoot
DC reboot and lockout problem. |
| 1/15/01 |
Eric Chamberlain |
Enable Global Catalog on all DC's in UC and CAMPUS domains. |
| 12/3/01 |
Eric Chamberlain |
Setup Domain and DC GPO's on Campus Domain. Removed Authorized
Users and Pre-2000 Users from Builtin, Computers, Domain Controllers,
ForeignSecurityPrincipals, and Users security lists. Those containers
are now not viewable in AD as an ordinary user. |
| 11/28/01 |
Eric Chamberlain |
Removed renamed administrator account from Domain Admins
and Enterprise Admins. Added Eric Chamberlain's account to Enterprise
Admins. |
| 11/28/01 |
Eric Chamberlain |
Set Restricted Groups on UC Domain GPO |
| 11/28/01 |
Eric Chamberlain |
Modified ddns_sc.adm to include ddns.adm. |
| 11/28/01 |
Eric Chamberlain |
Added Dfs.adm to UC DC GPO and enable Dfs FQDN referral. |
| 11/26/01 |
Eric Chamberlain |
Changed user workstation quota on UC Domain from 10 to 0. See
http://www.jsiinc.com/subi/tip4300/rh4321.htm, now users can only
add machines if they are granted the right to add workstations. |
| 11/21/01 |
Eric Chamberlain |
Updated version of Norton Antivirus. Scheduled nightly scan and
weekly LiveUpdate. |
| 11/21/01 |
Eric Chamberlain |
Replaced realflags.adm template with a RealmFlags entry in Security
Configuration tool. |
| 11/21/01 |
Eric Chamberlain |
Added Schema Admins and Enterprise Admins UC Domain Group Policies.
Set restricted groups setting Schema Admins has no entries. Enterprise
Admins has Krishna for member. Set Policies for no override. Setup
separate policies so that we could turn off the GPO without affecting
anything else when making Enterprise Admin or Schema Changes. |
| 11/21/01 |
Eric Chamberlain |
Changed permissions on uc.berkeley.edu domain in Users and Computers.
Removed Authenticated users and Pre-2000 permissions. Added Domain
Users with same permissions Authenticated users had before. This
will prevent users in other domains from browsing for items in the
UC domain. |
| 11/21/01 |
Eric Chamberlain |
Renamed Administrator in UC domain to something else. Removed
ad-ent-admin account. |
| 11/19/01 |
Eric Chamberlain |
Changed Site GPO to use Kerberos.berkeley.edu and Kerberos-1.berkeley.edu
for Kerberos. |
| 11/16/01 |
Eric Chamberlain |
Added calnetdfs Dfs roots to actdir03 and actdir04. |
| 11/16/01 |
Eric Chamberlain |
Added Administration Dfs roots on actdir01 and actdir02. Added
image shares on both machines. Now save/access administration files
at \\uc.berkeley.edu\Administration. |
| 11/16/01 |
Eric Chamberlain |
Site GPO to use ks2.berkeley.edu for Kerberos. |
| 11/13/01 |
Eric Chamberlain |
Started Remote Registry Service on ACTDIR01, ACTDIR02, ACTDIR03,
and ACTDIR04. http://support.microsoft.com/support/kb/articles/q284/9/14.asp?id=Q284914.
Fixed Object picker error message. |
| 11/13/01 |
Eric Chamberlain |
Modified UC DC GPO. Removed disable from Remote Registry Service
and Intersite Messaging. Started Intersite Messaging Service on
ACTDIR01 and ACTDIR02. |
| 11/9/01 |
Eric Chamberlain |
Created Global OU-Admin groups and removed Local OU-Admin groups.
Removed unused GPOs from OUs. Admins can create the GPOs as needed,
removal will reduce network traffic and delay for GPO to be processed
on client. |
| 11/9/01 |
Eric Chamberlain |
Established our side of two way trust with CHANCE NT4 domain.
See http://support.microsoft.com/support/kb/articles/Q306/7/33.ASP
for procedure followed. |
| 11/9/01 |
Eric Chamberlain |
Created lmhosts file for NT trusts. See http://support.microsoft.com/support/kb/articles/Q180/0/94.ASP
for procedure. File is located in \\actdir01\images. Go to each
DC and import the file under TCP/IP Advanced settings on Network
control when changes are made. Verify changes with nbtstat -c at
command prompt. |
| 11/9/01 |
Eric Chamberlain |
COIS-OU-Admins could not create group policy. Needed to be added
to the Group Policy Creators Owners. I have created the OU-Admin
Global group in the Users folder and added it to the Group Policy
Creators Owners group. OU-Admin groups are Domain Local and cannot
be added to the Global groups. Need to create Global groups for
each OU-Admin group. |
| 11/5/01 |
Eric Chamberlain |
Created Domain Controller group policy to extend DDNS refresh
to 1 hour and 1 day for TTL, per Mike's recommendation. Created
ddns_dc.adm template in \\actdir01\images\policy and added UC Domain
Controller DDNS Policy. Added that policy to Campus Domain Controller
OU. |
| 11/5/01 |
Eric Chamberlain |
DDNS updates are too frequent. Need to change update interval
to the following:
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DnsRefreshInterval
0x15180 1 Day.
http://www.microsoft.com/windows2000/techinfo/reskit/en/regentry/55952.htm
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DnsTtl
0xE10 1 Hour
http://www.microsoft.com/windows2000/techinfo/reskit/en/regentry/55950.htm
Will want to add to Domain Controller Policy.
|
| 11/2/01 |
Eric Chamberlain |
Turned on DHCP client on DCs. Client is required to send DDNS
updates to DNS server. |
| 10/29/01 |
Eric Chamberlain |
Eric Chamberlain joins AD project. |
| |
|
All 4 servers have a backup to file on e:\backup.bkf which has
the system state. This backup was done when the servers were done
in a virgin state when they first joined the domains.
Terminal services should be switched to 128 bit secure mode.
Right now the custom policies are applied to the OU "Custom
Policy Test." Once I will move them out Friday but wanted
to make sure not to affect too many machines until I was sure
it was safe.
Right now the NIC cards on the servers are running the Microsoft
driver. This should get changed to the updated Intel one, since
I believe the card is really a Pro/100 S Server
adapter (according to Dell web page), which does IPSEC on the
card (this update has to be run from the console since the Terminal
session will die if you update NIC drivers).
Right now both domains have the same administrator account name
and password. This should get changed shortly. |
| |
|
Enterprise level - Go to Active Directory Domains & Trusts,
Right click and choose properties. Add the UPN name BERKELEY.EDU.
Images for RTK, Support tools & policy are located on actdir01
in the e:\images directory.
I talked to Alex (the backup guy) and supposedly they have not
run a test as of yet. The Legato Networker clients are installed
on all 4 servers so they should do this shortly.
IPSEC on all 4 servers is kicking off errors every two hours.
I do not believe this is a config error on our end. IPSEC is working
properly, so it may be a timeout, although I specified key renewal
every hour from our end. I sent an email to Mike S. about this
to see if he could come to any conclusions.
Norton AV Corporate is installed on all the servers. Right now
it's set to update once weekly - you should change that to daily
late in the evening. |
| |
|
A Custom MMC for Administrators
Providing custom MMC consoles to administrators could be a means
to limit the range of Administrative utilities available to groups
of administrators. A custom MMC console is created as follows:
Start /Run/MMC
- Add desired snap-ins and extensions from the Add/Remove
Snap-ins dialog
- Open the Option dialog and click the Console tab
- Select User (or Author) mode
- Configure the allowable view
- Save the MMC console
Author and User modes determine how easily the target administrator
can change the console. Author mode freely allows any changes
to the console. In User mode the console is not changeable by
default. Regardless of whether the custom MMC console was saved
in Author or User mode, a user can always modify the console by
right clicking the console, clicking Author, and then changing
the console. The only way to prevent this is to not assign NTFS
Write permission to the .msc file. Also, the only way to prevent
a user from creating their own MMC console and including restricted
utilities is to remove the utilities or deny file permissions
on the target computer. There are several ways to distribute a
custom MMC console, including the following:
- File (through email or on a removable media)
- Group Policy
- Shared Folder
Only the shared folder distribution method allows NTFS file permissions
to prevent the recipient from changing the file after receiving
it. |
| |
|
Running dcpromo for the 3rd, offsite root server:
1) Your DNS servers should be ns1.Berkeley.edu and ns2.Berkeley.edu.
2) Apply SP2 and apply post sp2 patches (use the hotfix auditing
tool from MS).
3) Establish ipsec rule with reznor.Berkeley.edu under local security
policies snap-in in the MMC or Administrative tools. Run ipsecmon
and send a couple pings to reznor to make sure ipsec is working
properly. Make sure Mike Sinatra sends you a key for your server.
4) Run dcpromo - choose additional domain controller when asked
what the server should be used for - (i.e. root, forest or child)
and place it in the UC domain.
5) Choose where logs, database & sysvol will be located according
to the chart on the previous page (if the server is identical)
6) Upon completion of the dcpromo process, reboot the server.
You are now finished. |
| |
|
Reverse Dynamic Registrations (PTR Records) are turned off on
all 4 servers. See Article ID: Q246804 in MS Knowledgebase. |
| |
|
All 4 Domain controllers were backed up to a file called "E:\1018backup.bkf"
including the system state. Restore process is as follows:
During the start up, press F8.
On the Windows Advanced Options menu, select Directory Services
Restore Mode and press Enter. This makes sure the domain controller
is offline and not connected to the network.
At the "Select operating system to start" prompt, select Windows 2000.
Log on as administrator.
On the desktop message that says Windows is running in safe mode,
click OK.
Point to Start, point to Programs, point to System Tools, point to Backup.
On the Welcome to Windows Backup screen, select Restore Wizard.
In Restore Wizard, expand the media type that contains the data
you want to restore or click Import File (type or file media).
Expand the appropriate media set until the data that you want
to restore is visible. You can restore a backup set or specific
files and folders.
Click Finish to start the restore process. The restore wizard
requests verification for the source of the restore media and
then performs the restore. During the restore the wizard displays
status information about the restore. |
| |
|
IPSEC to reznor.Berkeley.edu is installed and functioning.
IPSEC must be set as a local security policy on the intended
domain controller before you attempt a promotion. The IPSEC policy
points to reznor.Berkeley.edu. Once promotion is successful, this
policy can be disabled since I have made a domain controller IPSEC
policy that makes it unnecessary in both domains.
The OS2 & POSIX subsystems are removed from all servers.
The Forest Time server actdir01 is synched with ntp2-1 &
ntp2-2.
Domain Controller Security Policy was tightened up. I left Domain
security policy (I did add the Kerberos Policy for the registry
- nt style) as is which will have to be determined by further
discussions.
|
| |
|
- Server Configuration:
Dell 2550
933 SMP 1GB
UC Domain
actdir01 169.229.131.10
actdir02 169.229.131.11
CAMPUS Domain
actdir03 169.229.131.12
actdir04 169.229.131.13
Drive Configurations
1 RAID 5 Drive
1 RAID 1 Drive
C:\ System RAID 1
E:\ DB RAID 5
F:\ LOGS RAID 1
E:\ SYSVOL RAID 5
|