Windows Server 2008 R2 Thread, Brand new Active Directory - From scratch in Technical
  1. #16

    If you are going to be using Macs then it is also worth bearing in mind that .local domains cause a few issues too.

  2. #17

    Dos_Box's Avatar
    Moving to correct forum.

  3. #18

    With our rebuild we did the following which we found helped us....

    1) We tried to create individual policies for different settings. Only the Student and Staff Default policies have multiple settings.

    2) Label each GP clearly. All computer policies begin with (C) computer, (U) user or (L) for loopback. Then the general area and then description of the GP, e.g....

    "(C) - SW INSTALL - Install Flash player"

    If they call a script add (Script) on the end.

    3) Not sure if this helps with performance but disable the USER section on all COMPUTER policies and vice versa.

    Good luck

  4. 2 Thanks to burgemaster:

    jbailey (1st March 2014), karlr (6th February 2014)
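
The naming and status convention from post #18, checked mechanically (an added example, not part of the original post): the function flags GPOs whose name does not follow the prefix pattern or whose unused half is still enabled. The exact separator format, the treatment of (L) loopback GPOs and the sample objects are assumptions; on a domain-joined machine the input would come from `Get-GPO -All`.

```powershell
# Added example, not from the thread. Assumed format: "(C|U|L) - AREA - description",
# with an optional trailing "(Script)" marker as the post describes.
function Test-GpoConvention {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Gpo   # needs DisplayName and GpoStatus, as returned by Get-GPO -All
    )
    process {
        $name   = [string]$Gpo.DisplayName
        $status = [string]$Gpo.GpoStatus   # enum name, e.g. UserSettingsDisabled
        $issue  = $null

        if ($name -cmatch '^\((?<scope>[CUL])\) - (?<area>.+?) - (?<desc>.+)$') {
            # Point 3 of the post: disable the half of the GPO that is not used.
            $expected = switch ($Matches['scope']) {
                'C' { 'UserSettingsDisabled' }
                'U' { 'ComputerSettingsDisabled' }
                default { $null }   # assumption: loopback GPOs may use both halves
            }
            if ($expected -and $status -ne $expected) {
                $issue = "status is $status, expected $expected"
            }
        }
        else {
            $issue = 'name does not match "(C|U|L) - AREA - description"'
        }

        if ($issue) {
            [pscustomobject]@{ Name = $name; Issue = $issue }
        }
    }
}

# Constructed sample objects; only the first name is taken from the post.
$sample = @(
    [pscustomobject]@{ DisplayName = '(C) - SW INSTALL - Install Flash player'; GpoStatus = 'UserSettingsDisabled' }
    [pscustomobject]@{ DisplayName = '(U) - DESKTOP - Set wallpaper';           GpoStatus = 'AllSettingsEnabled' }
    [pscustomobject]@{ DisplayName = '(L) - LOGON - Map drives (Script)';       GpoStatus = 'AllSettingsEnabled' }
    [pscustomobject]@{ DisplayName = 'Printers';                                GpoStatus = 'AllSettingsEnabled' }
)
$sample | Test-GpoConvention | Format-Table -AutoSize
```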

  5. #19

    @localzuk thanks.

    While looking for an answer to my own question I found the successor to the information I read when first doing this...
    http://go.microsoft.com/fwlink/?LinkId=157704

    and the granddaddy of AD design documents:

    Best Practice Active Directory Design for Managing Windows Networks

  6. Thanks to psydii from:

    karlr (6th February 2014)

  7. #20

    I've got a document I will share from the new build of one I did last year if I can find an electronic copy of it.

  8. #21

    seawolf's Avatar
    Quote originally posted by computer_expert:
    > If you are going to be using Macs then it is also worth bearing in mind that .local domains cause a few issues too.

    Cause a "few" problems - that's an understatement! I would rather have my fingernails pulled out one by one than try to use Macs on a .local network. It can also cause problems for other systems as well.

  9. #22
    MordyT's Avatar
    Quote originally posted by seawolf:
    > Cause a "few" problems - that's an understatement! I would rather have my fingernails pulled out one by one than try to use Macs on a .local network. It can also cause problems for other systems as well.

    We have a Mac... On a .local domain. No issues with it 99% of time.

  10. #23

    seawolf's Avatar
    Quote originally posted by MordyT:
    > We have a Mac... On a .local domain. No issues with it 99% of time.

    One Mac is one thing - 300+ on a .local network is another altogether.

  11. #24
    MordyT's Avatar
    Quote originally posted by seawolf:
    > One Mac is one thing - 300+ on a .local network is another altogether.

    Can you explain/expound on said issues? It's info I would need to know if more people get a Mac...

    That being said, the Mac user has had such a miserable time with the Mac and lack of our support I think we scared everyone back into Windows.

    (Old captive portal used old Java which Apple blocked... He had no internet access for months... Fortunately for him we were in the middle of replacing the whole system anyways and now it does SSO if a domain user)

  12. #25

    seawolf's Avatar
    Quote originally posted by MordyT:
    > Can you explain/expound on said issues? It's info I would need to know if more people get a Mac...

    I'm not surprised your sole user has had issues. Here are some things you are likely to come across at one time or another:

    1. Inability to bind to AD domain or losing the AD domain bind. This seems to occur periodically with various releases on both the Mac and Windows server side.
    2. VERY, VERY, VERY slow network account logins, sometimes exceeding 5 minutes on the LAN, and taking over 20 minutes for logging onto mobile (network) accounts off the LAN due to the number of timeouts that occur.
    3. VERY slow mounting of network drives, slow copying to said drives.
    4. VERY slow printing to network printers.
    5. Major Bonjour issues, including for AirPrint and AirPlay on iOS devices.

    Some links with discussions about these sorts of issues commonly faced in .local domains. As I said, .local domains were a cruel joke played on the world by being in Microsoft's "Best Practice" documentation that was then espoused by MS technicians the world over.

    https://discussions.apple.com/message/15834652#15834652

    OS X 10.7, Lion, and ".local" domains | Thursby Software

    http://www.centrify.com/downloads/pu...workaround.pdf

    Dmitry Dulepov: OS X Lion and local DNS issues

    active directory - Painfully slow login to AD bound Mac OS X Leopard machine when off home network - Server Fault

    https://jamfnation.jamfsoftware.com/...n.html?id=8872

    https://jamfnation.jamfsoftware.com/...n.html?id=6581

    https://discussions.apple.com/thread...t=105&tstart=0

    https://discussions.apple.com/message/12346886#12346886

  13. Thanks to seawolf from:

    MordyT (6th February 2014)

  14. #26
    Out_of_Sync's Avatar
    Hi,

    Why do you feel .local for a domain is not acceptable? I see mention of .internal and I don't understand what the difference would be. Anyone care to explain?

    Thanks

  15. #27

    localzuk's Avatar
    Quote originally posted by Out_of_Sync:
    > Hi,
    >
    > Why do you feel .local for a domain is not acceptable? I see mention of .internal and I don't understand what the difference would be. Anyone care to explain?
    >
    > Thanks

    The post above explains why .local is a bad idea. It is a reserved name used by mDNS.

  16. #28

    @Out_of_Sync see .local - Wikipedia, the free encyclopedia

    @burgemaster Our current GPOs are set up similar to this. Each individual software package has its own GPO object, and even individual settings like "always wait for network" seem to have their own dedicated GPO. I can certainly see some of the appeal to doing this, but I believe it goes against Microsoft best practise. IIRC you should avoid having more than 9 GPOs active on a single scope. In a previous school I created GPOs containing all of our general settings, and then assigned them to the root of the Computers/Users OU. Then each layer down would contain a GPO containing the more specialized settings (e.g. "Student Computer Policy"), and so on.

    Software installation can be done from a single or maybe a few high level GPOs, and then computers added into security groups to enable that software for them (another big thing we want to do is have all file server permissions controlled by groups, e.g. "Student Share RW" or "Student Share RO" rather than granting permissions to groups like "Students" or even directly to users).

    @psydii hm, that doc does seem to suggest that two DCs are the recommendation for a single domain/site.
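
The group-based share permission model described in post #28, as an added example that is not part of the original post: the function reviews the access entries of a share folder and reports grants made to users or broad groups, and read-only groups that hold write-type rights. The "<Share> RW" / "<Share> RO" suffix check, the allow-list of built-in principals, the SCHOOL domain and the sample entries are assumptions; real input would come from `(Get-Acl $path).Access`.

```powershell
# Added example, not from the thread. Assumption: share groups end in " RW" or " RO".
function Test-ShareAce {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Ace,   # needs IdentityReference and FileSystemRights, as in (Get-Acl $path).Access
        [string[]]$Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    begin {
        # Rights that a read-only group should never hold.
        $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    }
    process {
        $id      = [string]$Ace.IdentityReference
        $rights  = [System.Security.AccessControl.FileSystemRights]$Ace.FileSystemRights
        $finding = $null

        if ($Allowed -contains $id) { return }   # expected built-in entry, skip it

        if ($id -match ' RO$') {
            if (($rights -band $writeMask) -ne 0) {
                $finding = 'RO group holds write-type rights'
            }
        }
        elseif ($id -notmatch ' RW$') {
            $finding = 'granted to a user or broad group instead of an RW/RO share group'
        }

        if ($finding) {
            [pscustomobject]@{ Identity = $id; Rights = $rights; Finding = $finding }
        }
    }
}

# Constructed sample entries (hypothetical SCHOOL domain and account names).
$aces = @(
    [pscustomobject]@{ IdentityReference = 'SCHOOL\Student Share RW'; FileSystemRights = 'Modify, Synchronize' }
    [pscustomobject]@{ IdentityReference = 'SCHOOL\Student Share RO'; FileSystemRights = 'Modify, Synchronize' }
    [pscustomobject]@{ IdentityReference = 'SCHOOL\Students';         FileSystemRights = 'ReadAndExecute, Synchronize' }
    [pscustomobject]@{ IdentityReference = 'SCHOOL\jsmith';           FileSystemRights = 'FullControl' }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SYSTEM';     FileSystemRights = 'FullControl' }
)
$aces | Test-ShareAce | Format-Table -AutoSize
```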

  17. #29
    Out_of_Sync's Avatar
    Thanks for the info.

  18. #30

    Another big concern is user profiles; we currently use roaming profiles for staff and this leads to an awful lot of problems. No doubt Win 7+ will handle this better, with increased support for redirection etc, but it's still a worry. I'm also not able to find any proper, clear guidance from Microsoft on this.

    Edit: Actually I did bookmark and plan to read through http://www.grouppolicy.biz/2010/08/b...irtualization/ - but what are you guys doing in terms of profiles?
    Last edited by karlr; 6th February 2014 at 05:02 PM.
