Windows Server 2008 R2 thread: Brand new Active Directory - From scratch (in Technical)
  1. #16

    If you are going to be using Macs then it is also worth bearing in mind that .local domains cause a few issues too.

  2. #17

    Dos_Box
    Moving to correct forum.

  3. #18

    With our rebuild we did the following which we found helped us....

    1) We tried to create individual policies for different settings. Only the Student and Staff Default policies have multiple settings ..

    2) Label each GP clearly. All computer policies begin with (C) computer, (U) user or (L) for loopback. Then the general area and then description of the GP, e.g....

    "(C) - SW INSTALL - Install Flash player"

    If they call a script add (Script) on the end.

    3) Not sure if this helps with performance but disable the USER section on all COMPUTER policies and vice versa.

    Good luck

  4. 2 Thanks to burgemaster:

    jbailey (1st March 2014), karlr (6th February 2014)
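
An audit of the convention described in post #18, as an added example that is not part of the thread: it checks every GPO name for the (C)/(U)/(L) prefix and flags GPOs whose unused half is still enabled. The name regex and the expectation that (L) loopback GPOs keep both halves enabled are assumptions; the syntax is kept compatible with the PowerShell 2.0 that ships with Server 2008 R2.

```powershell
# Added example: audit GPOs against the naming/status convention from post #18.
# Requires the GroupPolicy module (GPMC / RSAT) and read access to the domain.
Import-Module GroupPolicy

# Assumed reading of the convention: "(C) - AREA - description"
$namePattern = '^\((?<Scope>[CUL])\)\s*-\s*(?<Area>[^-]+?)\s*-\s*(?<Desc>.+)$'

# GpoStatus expected for each prefix when the unused half is disabled.
# (L) loopback GPOs carry user settings on computer OUs, so both halves
# are expected to stay enabled (assumption, adjust to local practice).
$expectedStatus = @{
    'C' = 'UserSettingsDisabled'
    'U' = 'ComputerSettingsDisabled'
    'L' = 'AllSettingsEnabled'
}

function Test-GpoConvention {
    param(
        [Parameter(Mandatory=$true)] [string] $DisplayName,
        [Parameter(Mandatory=$true)] [string] $GpoStatus
    )
    $issues = @()
    if ($DisplayName -cmatch $namePattern) {
        $want = $expectedStatus[$Matches.Scope]
        if ($GpoStatus -ne $want) {
            $issues += "status is $GpoStatus, expected $want"
        }
    } else {
        $issues += 'name does not follow "(C|U|L) - AREA - description"'
    }
    New-Object psobject -Property @{
        Name   = $DisplayName
        Status = $GpoStatus
        Issues = ($issues -join '; ')
    } | Select-Object Name, Status, Issues
}

# Report only the GPOs that break the convention.
Get-GPO -All |
    ForEach-Object { Test-GpoConvention -DisplayName $_.DisplayName -GpoStatus $_.GpoStatus } |
    Where-Object { $_.Issues } |
    Sort-Object Name |
    Format-Table -AutoSize -Wrap
```

A GPO that legitimately mixes both halves, such as the Student and Staff Default policies mentioned in the post, will be reported and can be excluded by name.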

  5. #19

    @localzuk thanks.

    While looking for an answer to my own question I found the successor to the information I read when first doing this...
    http://go.microsoft.com/fwlink/?LinkId=157704

    and the grand daddy of AD design documents:

    Best Practice Active Directory Design for Managing Windows Networks

  6. Thanks to psydii from:

    karlr (6th February 2014)

  7. #20

    I've got a document I will share from the new build of one I did last year if I can find an electronic copy of it.

  8. #21

    seawolf
    Originally posted by computer_expert:
    > If you are going to be using Macs then it is also worth bearing in mind that .local domains cause a few issues too.
    Cause a "few" problems - that's an understatement! I would rather have my fingernails pulled out one by one than try to use Macs on a .local network. It can also cause problems for other systems as well.

  9. #22
    MordyT
    Originally posted by seawolf:
    > Cause a "few" problems - that's an understatement! I would rather have my fingernails pulled out one by one than try to use Macs on a .local network. It can also cause problems for other systems as well.
    We have a Mac... On a .local domain. No issues with it 99% of time.

  10. #23

    seawolf
    Originally posted by MordyT:
    > We have a Mac... On a .local domain. No issues with it 99% of time.
    One Mac is one thing - 300+ on a .local network is another altogether.

  11. #24
    MordyT
    Originally posted by seawolf:
    > One Mac is one thing - 300+ on a .local network is another all together.
    Can you explain/expound on said issues. It's info I would need to know if more people get a Mac...

    That being said, the Mac user has had such a miserable time with the Mac and lack of our support I think we scared everyone back into Windows.

    (Old captive portal used old Java which Apple blocked... He had no internet access for months... Fortunately for him we were in the middle of replacing the whole system anyways and now it does SSO if a domain user)

  12. #25

    seawolf
    Originally posted by MordyT:
    > Can you explain/expound on said issues. It's info I would need to know if more people get a Mac...
    I'm not surprised your sole user has had issues. Here are some things you are likely to come across at one time or another:

    1. Inability to bind to AD domain or losing the AD domain bind. This seems to occur periodically with various releases on both the Mac and Windows server side.
    2. VERY, VERY, VERY slow network account logins, sometimes exceeding 5 minutes on the LAN, and taking over 20 minutes for logging onto mobile (network) accounts off the LAN due to the number of timeouts that occur.
    3. VERY slow mounting of network drives, slow copying to said drives.
    4. VERY slow printing to network printers
    5. Major Bonjour issues, including for AirPrint and AirPlay on iOS devices.

    Some links with discussions about these sorts of issues commonly faced in .local domains. As I said, .local domains were a cruel joke played on the world by being in Microsoft's "Best Practice" documentation that was then espoused by MS technicians the world over.

    https://discussions.apple.com/message/15834652#15834652

    OS X 10.7, Lion, and ".local" domains | Thursby Software

    http://www.centrify.com/downloads/pu...workaround.pdf

    Dmitry Dulepov: OS X Lion and local DNS issues

    active directory - Painfully slow login to AD bound Mac OS X Leopard machine when off home network - Server Fault

    https://jamfnation.jamfsoftware.com/...n.html?id=8872

    https://jamfnation.jamfsoftware.com/...n.html?id=6581

    https://discussions.apple.com/thread...t=105&tstart=0

    https://discussions.apple.com/message/12346886#12346886

  13. Thanks to seawolf from:

    MordyT (6th February 2014)

  14. #26
    Out_of_Sync
    Hi,

    why do you feel .local for a domain is not acceptable? I see mention of .internal and I don't understand what the difference would be. Anyone care to explain?

    thanks

  15. #27

    localzuk
    Originally posted by Out_of_Sync:
    > Hi,
    >
    > why do you feel .local for a domain is not acceptable? I see mention of .internal and I don't understand what the difference would be. Anyone care to explain?
    >
    > thanks
    The post above explains why .local is a bad idea. It is a reserved name used by mDNS.

  16. #28

    @Out_of_Sync see .local - Wikipedia, the free encyclopedia

    @burgemaster Our current GPOs are set up similar to this. Each individual software package has its own GPO object, and even individual settings like "always wait for network" seem to have their own dedicated GPO. I can certainly see some of the appeal to doing this, but I believe it goes against Microsoft best practice. IIRC you should avoid having more than 9 GPOs active on a single scope. In a previous school I created GPOs containing all of our general settings, and then assigned them to the root of the Computers/Users OU. Then each layer down would contain a GPO containing the more specialized settings (e.g. "Student Computer Policy"), and so on.

    Software installation can be done from a single or maybe a few high level GPOs, and then computers added into security groups to enable that software for them (another big thing we want to do is have all file server permissions controlled by groups, e.g. "Student Share RW" or "Student Share RO" rather than granting permissions to groups like "Students" or even directly to users).

    @psydii hm, that doc does seem to suggest that two DCs are the recommendation for a single domain/site.

  17. #29
    Out_of_Sync
    thanks for the info.

  18. #30

    Another big concern is user profiles; we currently use roaming profiles for staff and this leads to an awful lot of problems. No doubt Win 7+ will handle this better, with increased support for redirection etc, but it's still a worry. I'm also not able to find any proper, clear guidance from Microsoft on this.

    Edit: Actually I did bookmark and plan to read through http://www.grouppolicy.biz/2010/08/b...irtualization/ - but what are you guys doing in terms of profiles?
    Last edited by karlr; 6th February 2014 at 05:02 PM.
