Channel: Directory Services forum

LAPS password database and recovering previous local admin passwords


We have deployed LAPS throughout the organisation to secure and centralise local administration account passwords. However, as we have set LAPS to reset the passwords every 30 days, we have a problem when we practice disaster recovery tests, as we cannot log on to recovered DCs prior to Active Directory being restored. We absolutely need to be able to log on to these servers with the local administration account. Is there any way to recover the historical LAPS passwords? As it is, the only way this will work is if the DR is performed within the 30 days of the setting by group policy of the current active local administrator password. Thanks


External NTP server usage


Hi,

I am working on mid-level enterprise with 12 DC and 3 AD sites, 590 and  clients.

I don't have an external time server. All servers and clients use the PDC for time sync.

Is there any advantage if I use an external time server for time sync?

Why do we need an external time server? Please assist.

One domain , 3 sites


Guys,

Got the following upcoming situation:

1 domain with 3 sites. Each site is going to have 2 DCs. I am thinking about how to create this. I will start with the first DC for my domain, adding the second DC for redundancy. But what is next? How should I install the 4 other DCs for the 2 other sites and how should I create DNS? Every tutorial I am reading is about setting up Sites and Services, and that isn't difficult. One of the tutorials is about setting up the other DCs and DNS.

Hope someone can advise me

User Profile Can't be loaded

Recently we started to get an issue with our internal network workstations (not accessible from the internet physically and logically).
The error message started to appear on Windows 7 workstations. During the first days the error was reported from about 1 or 2 workstations daily, but now the issue is happening on Windows 10 and Windows 7 and the calls are becoming about 5 to 8 calls per day.
The error message is “The User Profile Service service failed the login. User profile can’t be loaded”
We fix the problem by overwriting the default profile folder for the workstation from another working one, but we don't have an explanation why the problem is happening and why it's spreading everywhere.
 
Notes :-
1- The problem is happening on Windows 10 and Windows 7 workstations with different build versions and different PC hardware models.
2- We are using McAfee antivirus with the latest daily update (downloaded and pushed offline) and the path for the default profile has been excluded from scanning for troubleshooting reasons.
3- When we check an infected workstation we find errors regarding network disconnects, followed by GPs not being applied on those workstations.
4- We are using a local profile kindly for our domain users.
5- When we check an infected workstation we find errors regarding network disconnects, followed by GPs not being applied on those workstations.
 
Last changes before the problem started happening:
1-     Applied a password policy (group policy) at the domain level. (Working currently)
2-     Pushed Internet Explorer 11 (upgrade) for Windows 7 only through SCCM 2012R2SP1
3-     Configured an antivirus policy to block the Temp folder
 
We did the following steps to troubleshoot the issue:
1-     Stopped pushing the IE11 deployment.
2-     Removed the antivirus policy to block the Temp folder.
3-     Stopped scanning the Users folder through antivirus (McAfee)
 
But the issue still exists and keeps increasing. Recently Windows 10 has that issue as well. Event IDs are as follows:
1-     1509   (source: user profile general)

2-     1534   (source: user profile general)

On infected computers, we followed one Microsoft article, but the path of the mentioned folder did not exist on most of those computers (Windows 7 only), so the user profile issue is not occurring because of updating IE:


What else can we do to find out the cause of this issue?

Best Regards,


Hi why global catalog and infrastructure master not placed in same dc?


Hi folks,

 Pls clarify this why GC and Infrastructure master not placed in same DC?


Thanks& Regards, SelPri | India | +91-9986655633 Future Looks Bright...

Windows AD server all computer list with Samaccount?


Hello Team,

We have AD win2k 12 R2 server with ADFS server O365. We have multiple locations all over country.

We need to identify all workstation with inventory + operating system + samaccount+ 60 days last logon+o365 license used in csv output.

How can we find out all these details with a PowerShell command or script?

Please help me out with how to get all the results in one for audit purposes.

Please suggest any freeware tool or PS scripts.

Thanks,

WS

Replication Issue


Hi

Our infrastructure consists of two domains in one forest:

Domain-A: contains 2 DCs, all Windows Server 2012R2 with the latest updates and patches installed

Domain-B: contains 2 DCs, all Windows Server 2012R2 with the latest updates and patches installed

When I run

repadmin /showrepl /errorsonly

it shows ...

Repadmin: running command /showrepl against full DC localhost

Domain-A\Domain-A-DC01

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: 4077a8e8-e3ee-4339-85e3-a016a01cca4e

DSA invocationID: 2faef392-74fa-42fd-bf63-6ca9ed8cb0bf



==== INBOUND NEIGHBORS ======================================



CN=Configuration,DC=Domain-A,DC=local

    Domain-A\Domain-B-DC02 via RPC

        DSA object GUID: 8cc3f6b0-6e03-4493-8185-11c9c3134eb3

        Last attempt @ 2018-09-02 16:47:51 failed, result 1908 (0x774):

            Could not find the domain controller for this domain.

        1596 consecutive failure(s).

        Last success @ 2018-07-02 08:58:03.

    Domain-A\Domain-B-DC01 via RPC

        DSA object GUID: ddb11ce5-fb4a-4fd4-8b6d-af9e30e81ff3

        Last attempt @ 2018-09-02 16:47:51 failed, result 1908 (0x774):

            Could not find the domain controller for this domain.

        1627 consecutive failure(s).

        Last success @ 2018-07-01 04:58:01.



CN=Schema,CN=Configuration,DC=Domain-A,DC=local

    Domain-A\Domain-B-DC01 via RPC

        DSA object GUID: ddb11ce5-fb4a-4fd4-8b6d-af9e30e81ff3

        Last attempt @ 2018-09-02 16:47:51 failed, result 1908 (0x774):

            Could not find the domain controller for this domain.

        1525 consecutive failure(s).

        Last success @ 2018-07-01 04:58:01.

    Domain-A\Domain-B-DC02 via RPC

        DSA object GUID: 8cc3f6b0-6e03-4493-8185-11c9c3134eb3

        Last attempt @ 2018-09-02 16:47:51 failed, result 1908 (0x774):

            Could not find the domain controller for this domain.

        1497 consecutive failure(s).

        Last success @ 2018-07-02 08:58:03.



DC=ForestDnsZones,DC=Domain-A,DC=local

    Domain-A\Domain-B-DC02 via RPC

        DSA object GUID: 8cc3f6b0-6e03-4493-8185-11c9c3134eb3

        Last attempt @ 2018-09-02 16:47:51 failed, result 1256 (0x4e8):

            The remote system is not available. For information about network troubleshooting, see Windows Help.

        1594 consecutive failure(s).

        Last success @ 2018-07-02 08:58:03.

    Domain-A\Domain-B-DC01 via RPC

        DSA object GUID: ddb11ce5-fb4a-4fd4-8b6d-af9e30e81ff3

        Last attempt @ 2018-09-02 16:47:51 failed, result 1256 (0x4e8):

            The remote system is not available. For information about network troubleshooting, see Windows Help.

        1626 consecutive failure(s).

        Last success @ 2018-07-01 04:58:01.



DC=Domain-B,DC=local

    Domain-A\Domain-B-DC02 via RPC

        DSA object GUID: 8cc3f6b0-6e03-4493-8185-11c9c3134eb3

        Last attempt @ 2018-09-02 17:27:44 failed, result 1908 (0x774):

            Could not find the domain controller for this domain.

        67316 consecutive failure(s).

        Last success @ 2018-07-02 09:45:55.

    Domain-A\Domain-B-DC01 via RPC

        DSA object GUID: ddb11ce5-fb4a-4fd4-8b6d-af9e30e81ff3

        Last attempt @ 2018-09-02 17:27:56 failed, result 1908 (0x774):

            Could not find the domain controller for this domain.

        114805 consecutive failure(s).

        Last success @ 2018-07-01 05:05:51.



Source: Domain-A\Domain-B-DC01

******* 114800 CONSECUTIVE FAILURES since 2018-07-01 05:05:51

Last error: 1256 (0x4e8):

            The remote system is not available. For information about network troubleshooting, see Windows Help.



Source: Domain-A\Domain-B-DC02

******* 67315 CONSECUTIVE FAILURES since 2018-07-02 09:45:55

Last error: 1256 (0x4e8):

            The remote system is not available. For information about network troubleshooting, see Windows Help.

Can somebody help me?

Spar


delegation permission


I need to give a help desk the ability to create an account, but I don't want him to enable or disable it or delete it.

What should I do?


Disabled AD user


Hi experts

From Windows PowerShell, how can I check on which date an AD account has been disabled?

Question on the cosmetic/functionality of active directory computer objects.


Hello,

I was messing around in Active Directory and noticed that when I clicked on some computers they had a right-pointing arrow pointing towards them in Active Directory. After I clicked on the computers the arrow disappeared and did not come back. Later on I lost a connection with one of my computers. I was wondering why the blue right arrow pointing at the computer vanished and if it could be related to my PC falling off the domain?

Thanks.

msds-generationid is not set for windows 2012

msds-generationid is not set for windows 2012 virtual domain controller on vmware. Could it be because it was upgraded from earlier versions of the OS or any other reason and what would be the implications of the msds-generationid not being set?

Workstation shows GUID in search results


Hi experts, 

I have been asked by the end user on why the search results of a machine came out with the server GUID as attached. Pls advise


Authentication with around 30 seconds delay

Hello, I get a 30-second delay. I have two forests in Microsoft and we have established a trust between them; the user authentication process is delayed by around 30 seconds.
 I guess, for example, User-A in Forest-A for authentication and identification first refers to Forest-B, and if authentication fails, after 30 seconds the authentication process will be referred to Forest-A (its own forest).
 Is this guess correct?
 How can I change this 30-second interval timer?

Restrict the Admin account to unlock a single user account not more than two times in a day.


Dear Team,

We need to restrict the Admin account to unlock a single user account not more than two times in a day.

Is there any option or script available to achieve the same?

Thanks

Jijo Antony. K

Deleting Child Domain


I was able to successfully delete the child domain, but I see that the entry has not been removed and the child domain entry shows again.

I wanted to delete the child domain

hadeed.com.pk


Unable to import objects using ldifde


Getting the below error when importing objects using: ldifde

Add error on entry starting on line 1: Unwilling To Perform
The server side error is: 0x209a Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM).
The extended server error is:
0000209A: SvcErr: DSID-031A1081, problem 5003 (WILL_NOT_PERFORM), data 0

Admins sporadically getting "You do not have sufficient privileges to delete " but they have sufficient permissions to delete the object


We've been getting a handful of calls lately from our Network Admins complaining that they can't delete computer accounts.

They get an Active Directory dialog box that states that they are a loser..."You do not have sufficient privileges to delete XXXXXX".

When it occurs, it affects all of the Admins for the particular problem object in question.

As a domain admin and enterprise admin, I am able to delete the object without a problem.

The Admins are able to delete other computer accounts as well as create new computer accounts within the same OU.  The security and ownership is identical for both problem objects and non-problem objects.

I'm stumped and I couldn't get any relevant hits on TechNet or the web.

David W. King

Technical Architect - Systems, Information Technology
(919) 784-3889
david.king@rexhealth.com

REX Healthcare, 4420 Lake Boone Trail, Raleigh, NC 27607


David W King



Nltest /dsregdns shows ERROR_NO_LOGON_SERVERS


Hi,

3 domain controllers, 2 in site A, 1 in site B

We have replaced our domain controller in site B, so it is now running Windows Server 2016. All replication seems fine, and we cannot see any specific error in dcdiag or repadmin.

But when we run the command "Nltest /dsregdns" we are getting this error

********************

C:\Windows\system32>Nltest /dsregdns
Flags: 0
Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully

C:\Windows\system32>

********************

I read another question on the forum where the problem had solved itself after a couple of days, but now our domain controller has not been rebooted for 4 days, so I guess it will not self-heal :)

The domain controller is pointing to itself for DNS, it is a global catalog (all servers in the domain are).
The DNS service is running and will permit me to ping other domain controllers.

The other 2 domain controllers are reporting ok on the command

********************

PS C:\Windows\system32> Nltest /dsregdns
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully
PS C:\Windows\system32>
********************

Suggestions ?


/Regards Andreas

ADFS claims rule to issue a list array


Hi,

I need to issue multiple values against a claim - EXACTLY like a list of groups would be. I have tried this with 2 rules, both issuing against the same claim, and it works: i.e. in the array/list JWT format.

"myClaim" : ["value1", "value2", "etc"],

What I need is the rule syntax to do this in one rule (as I need to issue a lot of values for the ONE claim), i.e. myClaim= ' [ "Value1", "Value", "etc" ]' (this does not work - obviously, I get "unexpected input")

Any ideas????

>>> This is issuing a claim with a list of values in one rule, NOT multiple claims in one rule <<<

Regards

Eadmund

RSOP takes ages to show the results

When I run rsop.msc on the servers, it takes forever and no results are seen. Has anyone experienced the same issue?
