Channel: Directory Services forum

Unknown Sign In AD Through Bulk Modifications


Hello All,

I did a bulk modification "through .csv file" for all AD users and I did add a description "description field" for each user "in Arabic language", but it is showing the description as " ♥ ". If I type it manually then it works fine. Is there any way to add the description "Arabic language" through bulk modification?

Best Regards,


External NTP server usage


Hi,

I am working in a mid-level enterprise with 12 DCs and 3 AD sites, 590 and clients.

I don't have external time server. All servers and clients use PDC for time sync.

Is there any advantage if I use an external time server for time sync?

Why do we need an external time server? Please assist.

msds-generationid is not set for windows 2012

msds-generationid is not set for a Windows 2012 virtual domain controller on VMware. Could it be because it was upgraded from an earlier version of the OS, or is there another reason, and what would be the implications of msds-generationid not being set?

SchemaMaster Role and LAPS


Hello everyone:

I have to install LAPS in my AD and I was thinking of doing it this way, in case there is a failure when making the schema update:


- Block replication on the DC that has the schema role (it only has that role; the other roles are on another DC):

REPADMIN /OPTIONS SERVERNAME +DISABLE_INBOUND_REPL

REPADMIN /OPTIONS SERVERNAME +DISABLE_OUTBOUND_REPL

- Make the change and check that the execution was correct. If it was correct, enable replication again:

REPADMIN /OPTIONS SERVERNAME -DISABLE_INBOUND_REPL

REPADMIN /OPTIONS SERVERNAME -DISABLE_OUTBOUND_REPL

- In case of failure, disconnect the DC from the network, seize the schema role from another DC, install a new DC and clean up the remains of the old DC (ntdsutil).

Is it a good idea?

What do you think? Thanks!

How to configure Primary group for AD user?


Hi AD Expert,

We are integrating our AD with VPN access; we have some AD users who are in multiple AD groups. When AD passes those users with multiple AD groups it causes issues; users with a single AD group do not have such issues.

We noticed that the VPN only accepts users with a single AD group; it returns an error for users with multiple AD groups.

Our concern is: how do we set those users with multiple groups to have a primary group in AD, so that the AD server can pass the primary group to the VPN? How do we achieve this on the AD server? We did some research on TechNet, but it seems not very straightforward.

Any comments, do feel free to give feedback. Thanks!

Regards,

Shiro

Lost DNS/AD

I have my Windows Server 2012 R2 running on ESXi. I tried to move the VM to an SSD and everything crashed. I cannot boot this VM anymore. If I re-install the server, can I take control of the domain that was running on the old server? If so, can someone point me in the correct direction to do this?

How Replication works in AD and how to troubleshoot

Please describe how replication works in AD and how to troubleshoot it.

1 Domain Controller with replication in progress


I recently installed a new DC and made it the PDC. The old PDC was demoted and removed from the domain.

On the new PDC, in GP Management, I have this "error": 1 Domain Controller with replication in progress.

I have all IP addresses on the DC's. DCDIAG passes except replication. All member servers can ping both DC's. Net share shows sysvol on both DC's. I can browse both servers with \\<servernames>\sysvol
On both DC's I periodically see first Event ID 5014 and then Event ID 5002.

I have googled and read many articles, but none of them gave me a fix for my issue.


Schema changes caused AD services to stop working


We added an attribute which caused AD services to stop working. The issue got resolved by rebooting the server.

What precautions do we need to take to prevent such an issue when adding attributes to the schema?

Time Service configuration with Virtual DCs - Power Outage Concerns


Hi,

I have two physical servers. Each server hosts a DC. The PDC gets its time from an external source, us.pool.ntp.org. The host servers are members of the domain controlled by the virtual DCs.

When there is a power outage the virtual DCs are paused and the host is shut down. The problem is that when the DCs are restarted their clocks are set to the moment the VM was paused. Client computers on the network have CMOS batteries that keep their clocks going, so those clocks are set to the correct time, but the DC clocks can be hours off. Because of the time difference the clients can't log in to the network. Eventually the DCs update their clocks from the Internet and all starts working again.

I'm just wondering if there is a better way to sync time across the network?

Thanks. 


Paul Raflik

Why is "token size" with domain local group bigger than global group?


Hi,

Does anybody know why a domain local group needs/occupies 40 bytes in a token, and a global group only needs 8 bytes?

The attributes on these two groups are all the same.

https://support.microsoft.com/en-sg/help/327825/problems-with-kerberos-authentication-when-a-user-belongs-to-many-grou

Thank you for answers :-)
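As an added worked illustration of the size difference asked about above (not code from the post or from Microsoft), this implements the estimate from the linked KB 327825, TokenSize = 1200 + 40d + 8s, over a constructed membership list: groups from the user's own account domain are carried as a RID plus attributes (8 bytes), while domain local groups, universal groups from other domains and SID-history entries need a full SID (40 bytes in the KB's estimate). The domain and group names are constructed.

```python
# Added illustration of the KB 327825 token-size estimate; not code from the post.
# The sample group memberships below are constructed.
from dataclasses import dataclass

BASE_OVERHEAD = 1200           # fixed part of the estimate in KB 327825
FULL_SID_BYTES = 40            # entry carried as a complete SID
RID_BYTES = 8                  # entry carried as RID + attributes only
MAX_TOKEN_SIZE_DEFAULT = 12000 # default before Windows 8 / Server 2012 (48000 since)

@dataclass(frozen=True)
class Group:
    name: str
    scope: str    # "global", "domain_local" or "universal"
    domain: str   # DNS name of the domain the group lives in

def classify(groups, account_domain, sid_history=0):
    """Split memberships into the KB's d and s counts.
    d: stored as a full SID (domain local groups, universal groups from other
       domains, SID-history entries), 40 bytes each.
    s: groups in the user's own account domain (global, and universal in that
       domain); the domain SID is implied, so only RID + attributes, 8 bytes each.
    """
    d, s = sid_history, 0
    for g in groups:
        foreign = g.domain.lower() != account_domain.lower()
        if g.scope == "domain_local" or (g.scope == "universal" and foreign):
            d += 1
        elif g.scope in ("global", "universal"):
            s += 1
        else:
            raise ValueError(f"unknown scope {g.scope!r} for group {g.name}")
    return d, s

def estimate_token_size(groups, account_domain, sid_history=0):
    """TokenSize = 1200 + 40d + 8s, as given in KB 327825."""
    d, s = classify(groups, account_domain, sid_history)
    return BASE_OVERHEAD + FULL_SID_BYTES * d + RID_BYTES * s

def exceeds_limit(groups, account_domain, sid_history=0, limit=MAX_TOKEN_SIZE_DEFAULT):
    """True when the estimate is over the effective MaxTokenSize."""
    return estimate_token_size(groups, account_domain, sid_history) > limit

# Constructed sample: one group of each kind for a user whose account is in corp.example.
SAMPLE = [
    Group("FileShare-RW", "domain_local", "corp.example"),   # counts in d
    Group("Staff", "global", "corp.example"),                # counts in s
    Group("AllHands", "universal", "corp.example"),          # same domain: s
    Group("Partners", "universal", "partner.example"),       # other domain: d
]
```

The KB numbers are an estimate for capacity planning; the real token also varies with SID lengths, so treat the result as a guide for when to raise MaxTokenSize or trim memberships, not an exact size.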

AD LDAP best way to do this

We need a few people to have the admin rights/capability to enable/disable users in a specific OU (they should not be able to view any other users). Is there any existing LDAP/AD tool that can be customized to meet our requirement? I know we can write custom code to do this. I am looking for something existing that can be modified or configured. I could not find any other forum, so I am putting this in the Azure forum. We are on premise, not Azure. Thanks

Give user right to backup DC


Hi

I encountered this question online. I am unsure which is the correct answer.

You have a Group Policy object (GPO) named DomainPolicy that is linked to the domain and a GPO named DCPolicy that is linked to the Domain Controllers organizational unit (OU).
You need to ensure that the members of the Backup Operators group can back up domain controllers. What should you do?

A. From the Computer Configuration node of DCPolicy, modify Security Settings.
B. From the Computer Configuration node of DomainPolicy, modify Security Settings.
C. From the Computer Configuration node of DomainPolicy, modify Administrative Templates.
D. From the User Configuration node of DCPolicy, modify Security Settings.
E. From the User Configuration node of DomainPolicy, modify Folder Redirection.
F. From the User Configuration node of DomainPolicy, modify Administrative Templates.
G. From Preferences in the User Configuration node of DomainPolicy, modify Windows Settings.
H. From Preferences in the Computer Configuration node of DomainPolicy, modify Windows Settings.

Thanks in advance

Help with delegation - Usergroup should be able to delete computers but do not create them


Hi everyone,

I'm searching for the setting to allow users to delete computers but not create any. All tutorials are about creating AND deleting, so I think I'm missing a right here.

Currently I've given the group:

Path | Identity | Access | Inherited | Applies to | Rights | Note
OU=Clients_W10,OU=DOM_Computers,DC=domain,DC=local | Domain\ACL_IT-ClientMgmt | Allow | False | Child Objects Only | ReadProperty, GenericExecute | Info
OU=Clients_W10,OU=DOM_Computers,DC=domain,DC=local | Domain\ACL_IT-ClientMgmt | Allow | False | This object and all child objects | Delete computer | Warning

What else do I need to accomplish this task? At the moment it states:



And no, it is not protected.


Regards Stephan

How Active Directory Smart Card Authentication with an external certificate works


Hi,

We are planning to have AD authentication for users with smart cards, and the certificate for the smart card comes from a third-party issuer. How do we do this?

How does smart card authentication work?

Thanks,

Sai Siva Kumar


Active Directory and external openldap


Hello,
Now I have all the users and passwords stored in OpenLDAP (no domain) and I want to introduce Active Directory on the network.

Is it possible to configure AD to use OpenLDAP as a password manager? AD would store 'account name', permissions and groups, and OpenLDAP would store 'account name' and password (the same 'account name' in both).

Or is the best solution to force all users to change their password (populate AD), join the domain and switch off OpenLDAP?

Domain Controller taking a long time to log in via Remote Session while another server in the same subnet logs in fast


Dear All,

We are facing an issue with our domain controller (Windows 2012 R2): when I access the server via remote session it takes a long time to log in after giving the credentials, and sometimes it gets disconnected; when I take the remote session again it works fine. We have one domain controller and one ADC (additional domain controller). Earlier the same issue was found on the ADC and still persists, but now we are facing it on the DC also.

Note: the DC uptime is 440 days now. I guessed that it was happening due to the long uptime, so I rebooted the ADC server, but we are getting the same issue.

Please suggest how to rectify the issue.

User locked out -- no indication in event viewer


Hi,

A user is locked out per the lockoutstatus.msi tool.

There are no entries in the event viewer security log for event id 4740 on either of my two domain controllers.  Also no 4771, 4776, or 529 event ids.  My security log goes back years -- it is not the case that the data is archived/overwritten.

I have "Audit Account Management" enabled for success and failure domain-wide via GPO.

How do I determine the source of the lockout?

Thank you,

Chris

Newer Version of LockoutStatus.exe than 1.0.0.60?


Not sure if this is the appropriate category/forum, but I'm posting here as this is where I've found a few related issues/queries.

Is there a version of LockoutStatus.exe newer than 1.0.0.60?  Several posts from ~5 years ago that described issues similar to what I'm experiencing (being unable to set a password using the tool when required minimum length is greater than 1) mention an internal version (.62?) that was in development at the time but had no timetable for release.

In the last 5 years, has there been any change?  Or has everyone switched to a different tool or created their own?

DR Testing in Sandbox environment.


In previous years we would perform a DR test consisting of bringing up a handful of our Windows Server VMs (on VMware) at our disaster recovery location. The DR location has its own SAN array that is replicated to regularly throughout the day. When we do the test we connect the VMs to a standalone "sandbox" network that has no connectivity to the other 6 sites, each of which has domain controllers.

Previously we've had no problems spinning up the Windows 2008 DC (FSMO role holder) first, then Exchange, then the file and SQL servers. Earlier this year we installed a new 2012 DC as the FSMO role holder and demoted and removed the old 2008 DC (role holder). So I go to kick off the test, start up the new 2012 DC and find that AD is not functioning on it. DNS appears to be running and not giving any errors. Running "netdom query fsmo" returns "the specified domain either does not exist or could not be contacted". I'm also getting event ID 2092, "This server is the owner of the following FSMO role but does not consider it valid....", which appears to give a course of action in option 3:

    3. In the rare event that all replication partners being down is an expected occurance,
    perhaps because of maintenance or a disaster recovery, you can force the role to be validated.
    This can be done by using NTDSUTIL.EXE to seize the role to the same server.
    This may be done using the steps provided in KB articles 255504 and 324801
    on http://support.microsoft.com.

However, when I try to seize the roles, following that process with a reboot, I'm still in the same position I was in earlier. So I'm left to wonder what I should try next. The production version of this VM appears healthy and runs like a top. Any suggestions?
