Channel: Directory Services forum

Why can't I install a new domain in a new forest?

I am trying to install Active Directory & DNS on Windows 2003 in silent mode.
I want a new domain in a new forest. The Win2k3 machine will be the DC; it is the root node.
My answer file is:

-----------------------------------------------------------------------------------------
[DCInstall]
NewDomain = Forest
AutoConfigDNS = Yes
SiteName = mydomain
ReplicaOrNewDomain = NewDomain
InstallDNS = Yes
SetForestVersion = Yes
SafeModeAdminPassword = xxxxxx
ReplicaDomainDNSName = mydomain.com
ReplicateFromMedia = Yes
NewDomainDNSName = mydomain.com
DomainNetBiosName = mydomain
AllowAnonymousAccess = No
CriticalReplicationOnly = No
DisableCancelForDnsInstall = No
DNSOnNetwork = No
IsLastDCInDomain = Yes
RebootOnSuccess = Yes
RemoveApplicationPartitions = Yes
ReplicaOrMember = Replica
-----------------------------------------------------------------------------------------

But when I execute dcpromo /answer:"c:\myfile.txt", it always pops up a dialog and asks me to enter User/Password/Domain. Why? This would happen only if NewDomain=Tree or Child.
Can anybody help me out?
Thank you.



How do I find "delegated rights" assigned to groups and users?


Hello,

I have been asked to manage a customer domain and document the rights/permissions assigned to users and groups. I could gather the information that is pretty straightforward, such as users in built-in AD groups, group policy delegation, etc.

AD is in good shape; however, the earlier admin left the organisation without doing a knowledge transfer. Lately I realised he had delegated rights to users and groups on some OUs and services, which has not been documented anywhere.

Now my concern is: how do I identify what rights have been delegated to users and groups in AD? I could not find anything upfront in ADUC.

Any help here would be really helpful.

Thanks


~ Knowledge Seeker

Multiple A records for Domain Controller on AD integrated DNS Zone


Hi All,

We have two domains in a single forest for our clients. Both the forest and domain functional levels are 2008 R2. Both the parent and child domains have AD-integrated DNS zones. More than one network adapter is configured on some of our DCs; backup and management IPs are configured on them. During our regular DC health check reports we found that the replication test to these DCs (those that have multiple NICs) failed. We came to know that all the domain controllers register their static A records in their DNS zones. I understand that this is part of the Netlogon process of a DC; however, the affected DCs have registered 2 or 3 IPs for the same hostname in the DNS zones. When I delete the other unwanted A records, they are created again automatically after some time. I am not sure what the cause is and how we can avoid the creation of multiple host A records for the same domain controllers.
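An added PowerShell example (not from the post above) for the check a defender would run first: which DCs have more than one host A record in the zone, and which adapters on such a DC are still set to register in DNS. It assumes the DnsServer and DnsClient modules (Windows Server 2012 or later, or RSAT) are available; the zone name, adapter alias and addresses in the comments are placeholders.

```powershell
Import-Module DnsServer          # DnsServer module (Windows Server 2012+/RSAT), assumed available
Import-Module ActiveDirectory

# List every DC whose host A record in the AD-integrated zone has more than one
# address, so multi-homed DCs stand out before replication checks start failing.
function Get-MultiHomedDcRecords {
    param([Parameter(Mandatory)][string]$ZoneName, [string]$DnsServer = 'localhost')

    $dcNames = @{}
    Get-ADDomainController -Filter * | ForEach-Object { $dcNames[$_.Name.ToLower()] = $_.IPv4Address }

    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -ComputerName $DnsServer |
        Where-Object { $dcNames.ContainsKey($_.HostName.ToLower()) } |
        Group-Object HostName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                DC            = $_.Name
                ExpectedIP    = $dcNames[$_.Name.ToLower()]
                RegisteredIPs = @($_.Group | ForEach-Object { $_.RecordData.IPv4Address.ToString() })
            }
        }
}

# Show which adapters on a DC still register their addresses in DNS. Deleting the
# extra A records is pointless while a backup/management NIC re-registers them
# on the next DNS client refresh.
function Get-DcRegisteringAdapters {
    param([Parameter(Mandatory)][string]$DcName)
    Invoke-Command -ComputerName $DcName -ScriptBlock {
        Get-DnsClient | Where-Object { $_.RegisterThisConnectionsAddress } |
            Select-Object InterfaceAlias, RegisterThisConnectionsAddress
    }
}

# Remediation for one adapter (run on the DC): stop it registering, then remove
# the stale record so only the production address remains. Values are placeholders.
# Set-DnsClient -InterfaceAlias 'Backup' -RegisterThisConnectionsAddress $false
# Remove-DnsServerResourceRecord -ZoneName 'child.contoso.com' -RRType A -Name 'DC01' -RecordData '10.0.99.5' -Force

# Usage: Get-MultiHomedDcRecords -ZoneName 'child.contoso.com' | Format-Table -AutoSize
```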

View delegate report & revoke back?


Greetings all,

I'd like to check the delegation permissions for a user/group in AD.

1. Let's say the previous admin has assigned delegated permission to the security group HelpDesk to reset user passwords.

I would like to know what other permissions are delegated to this group, and/or other groups. Is this possible to achieve?

2. And also, once the delegation permission is granted, is it possible to revoke it?

Thanks in advance for kind advice.

regards,


---Packie
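This question and the earlier one ("how do I find delegated rights") ask the same thing, so one added PowerShell example (not from either post) serves both: list the explicit ACEs on every OU with the default principals filtered out, translate object GUIDs such as the "Reset Password" extended right into names, and revoke a principal's entries on one OU. It assumes the ActiveDirectory module and its AD: drive; the exclusion list of default principals is an assumption to adjust per domain.

```powershell
Import-Module ActiveDirectory

# Map schema and extended-right GUIDs to names so an ACE scoped to e.g. the
# "Reset Password" control-access right prints readably instead of as a GUID.
function Get-AdGuidMap {
    $root = Get-ADRootDSE
    $map  = @{}
    Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGUID |
        ForEach-Object { $map[([string]$_.rightsGUID).ToLower()] = $_.displayName }
    $map
}

# Report explicit (non-inherited) ACEs on every OU, skipping principals that AD
# places there by default, so what remains is what an admin delegated by hand.
# The exclusion list is a starting point; extend it to match your own defaults.
function Get-OuDelegation {
    param([string[]]$Exclude = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
                                 'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
                                 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'NT AUTHORITY\Authenticated Users'))
    $guidMap = Get-AdGuidMap
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.IsInherited -or $Exclude -contains $who -or $who -like '*\Domain Admins' -or $who -like '*\Enterprise Admins') { continue }
            $objType = $ace.ObjectType.ToString()
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $who
                Type      = $ace.AccessControlType
                Rights    = $ace.ActiveDirectoryRights
                AppliesTo = if ($objType -eq [guid]::Empty.ToString()) { 'All' } elseif ($guidMap.ContainsKey($objType)) { $guidMap[$objType] } else { $objType }
                Inherit   = $ace.InheritanceType
            }
        }
    }
}

# Revoke: drop every explicit ACE a principal holds on one OU and write the ACL
# back. Run Get-OuDelegation first so you know exactly which entries disappear.
function Remove-OuDelegation {
    param([Parameter(Mandatory)][string]$OuDn, [Parameter(Mandatory)][string]$Principal)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Principal } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}
```

For the HelpDesk case, `Get-OuDelegation | Where-Object Principal -like '*\HelpDesk' | Format-Table -AutoSize` shows each OU and right the group holds, and an entry scoped to the "Reset Password" right appears with that name in the AppliesTo column.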

Logon Scripts and AD 2008r2


I just migrated an old 2000 AD to 2008 R2 and it turns out there was a logon script which mapped a bunch of drives and loaded Explorer automatically pointing to the company intranet. Users authenticating on the new 2008 DC are not getting drives mapped. Eventually I will handle this using GPO, but for the time being I would simply like to re-enable the logon script. I notice each user has logon.bat associated with their account; where is this on the 2000 DC and where do I put it on the 2008 DC?

Thanks!

Active Directory Web was unable to determine if the computer is a global catalog server.


In my domain, only the Win2008 R2 server is a DC. It now has the problem mentioned in the title.

In the event log I can see Event ID: 1206, Source: ADWS.

How can I fix it?

Thanks,


yxh

Admins sporadically getting "You do not have sufficient privileges to delete" but they have sufficient permissions to delete the object


We've been getting a handful of calls lately from our Network Admins complaining that they can't delete computer accounts.

They get an Active Directory dialog box that states that they are a loser... "You do not have sufficient privileges to delete XXXXXX".

When it occurs, it affects all of the Admins for the particular problem object in question.

As a domain admin and enterprise admin, I am able to delete the object without a problem.

The Admins are able to delete other computer accounts as well as create new computer accounts within the same OU. The security and ownership are identical for both problem objects and non-problem objects.

I'm stumped and I couldn't get any relevant hits on TechNet or the web.

David W. King

Technical Architect - Systems, Information Technology
(919) 784-3889
david.king@rexhealth.com

REX Healthcare, 4420 Lake Boone Trail, Raleigh, NC 27607





LDAP search capability attribute error


Hello,

I have the following problem. We are using a Server 2008 R2; this server has the following roles/features installed:

Directory services
DNS
Exchange server

The server's IP is 172.20.x.x; in the past we added a 192.168.1.x IP address for moving mailboxes to this Exchange 2010 server. But it seems the whole AD is registered on this IP address. When I start DCDIAG /test:dns with both IP addresses the test passes, but when I remove the 192.168.1.x IP address the test fails with this error:

Ldap search capabality attribute search failed on server mailserver, return
value = 81

We want to remove that 192.168.1.x address because many people have random problems opening their mailbox; if they cannot open their mailbox the computer is looking for the 192.168.1.x IP address. With ipconfig /flushdns they can reconnect.

I hope anyone can help me!

Best regards, Willem

Some additional information: when I run the DCDIAG tool, in the DNS event log event IDs 404, 407 and 408 are listed, and also event ID 1054 for group policy is listed.


Active Directory changes back overnight


I have this problem: I change the user's password, but the next day it has changed back to the old password.

I remember that I had this problem earlier on some other systems, but can't seem to find the Microsoft KB about this.

On this system there is only one Domain Controller, so it is not some synchronisation that has gone wrong overnight.

Could someone help me out here?

Regards Kenneth Dalbjerg



Running adprep32.exe /forestprep never finishes, never displays any output


Hi everyone, I read a lot of articles about the same problem and they could correct all their problems, but I can't.

I execute schupgr and I got this:

C:\WINNT\Profiles\mlopez>schupgr
Opened Connection to NTDAPSA30
SSPI Bind succeeded
Current Schema Version is 47
Upgrading schema to version 47
The schema has already been upgraded. Rerun setup to upgrade this DC.

When I run dcpromo in an elevated command prompt on the W2K8 R2 and try to join it to the existing forest, it displays that I have to run adprep /forestprep.

Can anyone help me?

thanks!

Is an Event ID for a completed Domain Controller promotion logged on the PDC?


Hello,

Does an Event ID for the successful promotion of any Domain Controller into the Forest/Domain get logged in the Security/System/Application event log on the PDC FSMO role server? If so, what is the Event ID? I've researched this and can't find any info.

SCOM monitors our AD infrastructure and we want to generate an alert when a new Domain Controller gets promoted into the domain, so if an event log entry is generated to one of these logs on the PDC, SCOM could 'see' it and generate an alert.  Thanks in advance.


Thanks for your help! SdeDot

AD snapshot or Backup?


Hi All

With regard to protecting my AD settings, I'm wondering what the most efficient & easiest way is.

I'm concerned that if AD goes spastic for some weird reason, or if another user does something dumb, is there a way to revert back in time to when things were working correctly? With 2 DCs the mishap can replicate and then every DC could have the wrong configuration.

I was musing over

* having, e.g., an extra DC that only receives replication traffic periodically and lags behind the others and serves as a potential means to recover and re-replicate. Perhaps having this on a virtual machine that can be pulled out for AD disaster recovery, but I am worried about replication errors in the meantime as it would be a DC that just disappears without being gracefully removed from the network.

* taking an AD snapshot, though I'm not sure how thorough this is and if it's dependable

Is there a good way to recover a bad AD without resorting to backup tapes?

Thanks for reading

Confuseis



Custom ADUC MMC


Hi, I have created a custom MMC so users can add or remove users from groups.

The problem is that when they open the AD group, they can also double-click on the user and see all his settings (not change them).

Is there a way I can just allow users to add/remove users to a group and nothing else?

Like clicking on a user and seeing all his groups, etc.

Thanks

Forest Trust / External Trust - Which one to choose?


Hello,

I have two individual forest-level domains named "Domain A" and "Domain B". I deployed SCOM 2012 in "Domain B". I created stub zones in both domains. Both forest domains are in two different subnets.

However, the SCOM agent is unable to contact "Domain B". Then I came to know that I need to create a trust.

But I'm confused about selecting the right trust level.

Can anyone let me know the best way to choose the right trust in this scenario? Any further help would be greatly appreciated. Thank you!


Is it safe to move Active Directory objects when there is no GPO linked to the source OU or to the destination OU?


Hi!

I have a real mess in one Active Directory. I have distribution groups, security groups (domain local, global, universal), security groups with an email address associated with them, users, users for mailboxes, users for conference rooms and service accounts in different OUs.

I want to sort all the objects and put them in separate OUs.

Can I move the objects without causing a lot of trouble, if there is no GPO linked to the source OU and the destination OU except the default domain GPO?

There is only one domain in the Active Directory.

The domain functional level is 2008 R2.

With kind regards


Multiple Active Directory issues.


I have 4 sites in my domain.

Out of 4, 2 sites are ghost sites which don't have any DCs. But in the other 2 sites I have 9 domain controllers.

My concerns are below:

1: What is a ghost site and what is the use of this?

2: I have about 30,000 users in one site, so how many DCs & GCs am I required to place in that site as per Microsoft best practice to manage the authentication?

Also I have Windows 2008 R2 Enterprise edition with 4 Xeon X7550 2.00GHz CPUs and 10 GB RAM.

3: On the 3rd site I have lots of application authentication, so what should be the best practice for placing the DCs and GCs?

4: Is there any tool or script I can run in my domain to find out about all my forest/domain structure issues, design issues, replication issues and authentication issues, and how can I correct them?

My infrastructure details are below:

Root domain, e.g. contoso.com -----> this is the only parent domain and is used for nothing.

Child domain: child.contoso.com ----> all the users and applications authenticate in the child.contoso.com domain.

Is it possible to SAML-enable SharePoint 2010 without ADFS or custom code?


I would like to integrate my IdP with SharePoint 2010 using SP's native support for WS-Fed. When I look at the SSO from ADFS to SP it seems like it's just a SAML assertion wrapped in a WS-Trust wrapper; is there any reason I cannot simply mimic that behaviour in my IdP? While it seems like I could, I cannot help but notice that no one seems to be doing this. The two approaches seem to be a) use ADFS or b) use forms-based auth and write some custom code.


nested group membership design question


I have several divisional file shares. Within each of those file shares is a folder for every department. I want to make a security group for accessing each department folder. I also have a divisional admin security group. I want to have my divisional admin security group be a member of every departmental security group. That way, I can give the division admin user permissions to every department folder with a single group membership for that user.

To further complicate things, within some departments there are units. I want to do the same thing where I have security groups for the units, of which the divisional admin security group is also a member. The following directory path illustrates the layout. There is some obvious inheriting stuff going on, but we don't need to discuss that here :). The example shows 1 division with 3 departments. Department 1 has 1 unit, department 2 has 2 units, and department 3 has 3 units. If I were to nest everything like I want and add my admin user to the divisional admin security group, that user would be a direct member of 1 group and an indirect member of 9 groups via the nesting. This example is small for what we're doing. We have one case where a division has 50 departments with an average of 3 units. Adding my admin user as a member to the divisional admin security group would give that user 1 direct group membership and 200 indirect group memberships. I've read up on token bloat and we do have a lot of users that work remotely over a VPN connection via their home cable or DSL connection, so that's a concern. Another thought is that all of these groups will be universal groups; we're in the midst of our file servers and users being in different domains. That said, there's also the concern of added GAL replication among our DCs. Is there anything else I'm missing?

Thanks for the help!

\\server\Division Share #1\Department Folder #1\Unit #1
\\server\Division Share #1\Department Folder #2\Unit #1
\\server\Division Share #1\Department Folder #2\Unit #2
\\server\Division Share #1\Department Folder #3\Unit #1
\\server\Division Share #1\Department Folder #3\Unit #2
\\server\Division Share #1\Department Folder #3\Unit #3
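An added PowerShell example (not from the post above) that puts a number on the token-bloat concern: it walks a user's nested memberships the way the post's "1 direct, 200 indirect" count is derived, then applies Microsoft's token-size estimate (1200 + 40d + 8s, where d counts domain-local groups and universal groups from other domains, and s global groups and universal groups from the user's own domain). It assumes the ActiveDirectory module; the user name in the usage line is a placeholder.

```powershell
Import-Module ActiveDirectory

# Walk memberOf recursively from a user and return every group reached, with the
# nesting depth (1 = direct membership). The primary group (Domain Users) is not
# in memberOf and is left out; SID history is also ignored.
function Get-NestedGroupMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $user  = Get-ADUser -Identity $SamAccountName -Properties memberOf
    foreach ($dn in $user.memberOf) { $queue.Enqueue(@{ DN = $dn; Depth = 1 }) }

    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        if ($seen.ContainsKey($item.DN)) { continue }
        # Groups homed in another domain may need a GC or a -Server; report, don't abort.
        try { $g = Get-ADGroup -Identity $item.DN -Properties memberOf, groupScope }
        catch { Write-Warning "Could not read $($item.DN): $_"; continue }
        $seen[$item.DN] = [pscustomobject]@{
            Name = $g.Name; Scope = [string]$g.GroupScope; Depth = $item.Depth; DN = $g.DistinguishedName
        }
        foreach ($parent in $g.memberOf) { $queue.Enqueue(@{ DN = $parent; Depth = $item.Depth + 1 }) }
    }
    $seen.Values
}

# Estimate the Kerberos token size with Microsoft's formula 1200 + 40*d + 8*s:
# d = domain-local groups plus universal groups from other domains, s = global
# groups plus universal groups from the user's own domain.
function Get-EstimatedTokenSize {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $groups   = @(Get-NestedGroupMembership -SamAccountName $SamAccountName)
    $domainDn = (Get-ADDomain).DistinguishedName
    $d = 0; $s = 0
    foreach ($g in $groups) {
        $sameDomain = $g.DN.EndsWith($domainDn, [StringComparison]::OrdinalIgnoreCase)
        if ($g.Scope -eq 'DomainLocal' -or ($g.Scope -eq 'Universal' -and -not $sameDomain)) { $d++ } else { $s++ }
    }
    [pscustomobject]@{
        User           = $SamAccountName
        Direct         = @($groups | Where-Object { $_.Depth -eq 1 }).Count
        Indirect       = @($groups | Where-Object { $_.Depth -gt 1 }).Count
        EstimatedBytes = 1200 + 40 * $d + 8 * $s
    }
}

# Usage: Get-EstimatedTokenSize -SamAccountName 'divadmin1'   # 'divadmin1' is a placeholder
```

The default MaxTokenSize is 12000 bytes on Windows versions before Windows 8/Server 2012 (48000 from then on), so an estimate approaching that figure is where the VPN and web logon failures the post worries about begin.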

Accessing shares across non-trusted domains


Workstation 1 is in domain A.
Server is in domain B.

There is full network connectivity between both, just no domain trust. UserA has the exact same username and password in domains A and B and can access shares just fine. Shouldn't there still be an auth prompt without a trust?

Use adaminstall and install from a dsdbutil backup file


I am using adaminstall.exe with the advanced switch ('adaminstall.exe /adv') to install an AD LDS replica from a backup.

The backup is a dsdbutil backup (ifw create new backupfile).

I want to verify that the dit file created by this backup is the correct one to use as the dit file (on the panel for dit and recovery files) and that I do not have (or need) a recovery log file.

I need to verify that I do not need to process the backup file before setting up the replica with the backup file.

I have to ask because the original dit files (in the AD LDS instance) and the backup dit file are totally different: the original dit file is 4MB and the backup dit file is 18MB.

Note, this does seem to work, but I want to make sure that this process is OK.

Thank you in advance.
