RODC Configuration in DMZ with LDAPS and external certificate
Primary domain controller and Global Catalog
How do I view the bad password count stored on the primary domain controller? I know it maintains the counts between domain controllers, but how do I view the value?
How do I view the attributes stored on the global catalog server? Through the port 3628 using the lightweight access protocol browser?
Domain Controller
Hi there,
I have a question regarding putting domain controllers in place. I just started working for a company with 40 employees. I do have some experience with DCs, however I have never architected one. We don't have any servers in the environment yet, so we want to start with having a domain controller in place. We are thinking about putting it in AWS. I read a few articles and also did an installation of forest, domain and child domain controllers at home in my test environment. I want to move forward with putting a domain controller system in place. In an environment like ours, which may double in the next 5 years, I am wondering if I need to put 2 forest servers in place as well, or can I simply start with putting two domain controllers in place and not worry about the forest? Please let me know! Thanks! KS
Windows cannot query for the list of Group Policy objects
I have my session on a DC 2003 with account locked status, and some error events are being generated as 1030/1058.
Error:1030
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
Error:1058
Windows cannot access the file gpt.ini for GPO cn={1342C4-E50B-4708-AC94-0F2Cfd2CC8},cn=policies,cn=system,DC=xx,DC=xx,DC=com. The file must be present at the location <\\xx.xx.com\SysVol\xx.xx.com\Policies\{1342C4-E50B-4708-AC94-0F2Cfd2CC8}\gpt.ini>.
(The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you. ). Group Policy processing aborted.
I suspect it is a result of account authentication of my existing session on the DC, and due to its locked status my profile is not allowed to look up the list of GPOs and apply them on the next group policy refresh cycle. Kindly correct me if I am wrong.
We still have a 2k3 DC structure :)
Regards, pwnkmr www.ITtechPoint.com
Network DC Topologies
Hello,
Site A (country A): has a DC with 5 FSMO roles
Site B (Country B): has a DC GC; A and B are on an MPLS network
New Site C (Country B): we are planning an MPLS network between Site B and Site C
My question: in these conditions, could I deploy a new DC GC in Site C?
Regards
Cannot Manage a User Computer from a Recent Promoted DC
Hello,
I have 3 DCs in my company. The original and first one was 2008 R2; I promoted 2 additional DCs, both on 2012 R2, and transferred the FSMO roles to one of the 2012 servers.
But I noticed that when I try to manage a user computer from the Active Directory Users and Computers tool on the DC that has the roles, it gives an error, asks me to verify the network path and gives me the option to enable a firewall rule.
But the strange thing is that I can manage the PC from the 2008 R2 DC and from the third DC, which is 2012 R2 too.
NOTE: the 2008 R2 DC is a physical server, and the 2 additional DCs on 2012 R2 are on a VMware server.
Any suggestions? I already restarted the DC with the error, with no luck.
Tagging AD user ID with machine details
Hello All,
We are looking for an opportunity where we can see the computer name (HostName) in user attributes.
I have gone through all the attributes to check if we can use one or possibly update it.
Thanks HA
Isolating an existing AD environment
I have a question on isolating a DC. I have some servers in a virtual environment that are currently connected to our production AD environment, and we are supposed to take them off the live network and use the servers and the application they provide for historical purposes only. I would like to create a DC in the virtual environment for the said servers and then isolate it, the servers and a couple of desktops and create a kiosk type of setup. Is it possible to take a DC and isolate it from the other production DCs and still use it to authenticate the users who will use the kiosk setup in the isolated environment? I hope this makes sense; let me know if it doesn't. I am wondering if there will be issues, since the FSMO roles on the current production DCs may cause an issue for the DC that will be isolated and authenticating the kiosk users. Any suggestions and help are much appreciated.
Thanks!
Chad Guiney
Sync an LDAP group with more than 1500
Hello,
I want to synchronize a group with more than 1500 users.
I tested the parameter member;range=1500-2999, but I always get the first 1500 users.
Here is my filter: UserFilter="(memberOf:1.2.840.113556.1.4.1941:=cn=Groupname,OU=Name,OU=APP,OU=USER,OU=XXX,OU=XXX,OU=Groups,DC=XXX,DC=XXX,DC=com)(member;range=1500-2999)"
I have a Windows Server 2008 R2 running.
Thanks for your help.
Regards,
Lucas
Clean up objects which are no longer available
Hi everyone,
I want to know how to clean up objects (user or computer) which are no longer available.
e.g.
Some people left or some computers were decommissioned, but we didn't do anything in our AD. So there are lots of invalid users and computers in our Active Directory.
Is there some way to clean up those objects?
For example, query objects that have not been "online" for over 60 days, and delete them? BTW, we have SCCM; can this be done by SCCM?
Thanks a lot
Jerry
One way domain trust between two domains in same forest
Hi Guys,
I want to create a one-way domain trust between two domains (blue.local and red.local) that are located in the same forest (blue).
When I create the second tree domain (red.local), by default AD creates a two-way trust with the first domain (blue.local).
I am unable to change from two-way domain trust to one-way domain trust under Active Directory Domains and Trusts settings.
Is there any way to set up the one-way domain trust at first, while creating the new tree domain within the same forest?
Any suggestions?
Jegen
DNS Manager: Time, Address sorting is useless
How do I go about reporting the following bugs in the DNS Manager of Windows Server 2016... and actually getting them fixed via Windows Update?
1. Sorting DNS reservations by timestamp is useless. It sorts the dates by alphanumeric value, rather than in chronological order.
2. Sorting DNS reservations by name or IP address is useless. It sorts addresses by alphanumeric value, not numerical order.
Though it's not like these problems are anything new. If I try using the DNS Manager on a nearly decade-old Server 2008 R2, the same display problems exist there too.
Keyboard and region settings different when the system is added to domain.
A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.
Getting the below error on my Windows Server 2012 domain controller, and it restarts automatically.
I can find a hotfix only for Server 2012 R2, not for Server 2012.
A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.
Please advise.
Crash dump
Will a crash dump be created if the page file is set on a different drive than the boot partition and is set to the same initial and maximum value? The OS is a virtual Windows Server 2012.
Is it advisable to have the same value for the initial size and maximum size for the page file on domain controllers?
Workstation shows GUID in search results
Hi experts,
I have been asked by the end user why the search results for a machine came out with the server GUID, as attached. Please advise.
Set Outlook app as default for all the clients.
Dear Team,
Please help us set the Outlook app as default for all the clients using GPO.
We are referring to an MS article; unfortunately it's not working as expected.
Please assist.
Thanks
Jijo Antony. K
Globally unique identifiers
removing and adding AD forest trust
Our existing forest trust has issues.
If the forest trust is recreated, what happens to the old user permission mapping across the forest? For instance, a domain A user mapped to the admin group on a server in domain B.
Change notification
In total there are 3 AD sites which map to their 3 physical locations.
In AD Sites and Services, they have a primary site with 2 other sites, with a site link for each of the other 2 sites going back to the primary site.
There are 2 DCs at each site.
From a networking perspective, all the locations can talk to each other and the speed of the links between the locations is fast and no issue.
They were considering consolidating the 3 AD sites into 1 site, but I don't think that is a good idea. They have been having issues where changes made in AD haven't replicated to all the DCs in the other sites, so they were thinking that just making everything 1 site will fix that problem, which I don't think it will.
What I wanted to ask about is the 'change notification' option. It looks like someone has enabled it in ADSIEdit, but the interval for intersite replication is still 15 minutes, which I think is where the lag might be.
Name          SiteCount Cost ReplInterval Schedule Options
----          --------- ---- ------------ -------- -------
HO - Branch01 2         100  15           24x7     1
HO - Branch02 2         100  15           24x7     1
I stumbled onto this blog post which, in addition to the ADSIEdit change, also had 2 registry key additions. I have checked all the DCs and none of them have that key.
Should these reg keys exist and if so will they make intersite replication faster?
https://optionkey.blogspot.com/2018/07/fast-active-directory-replication-and.html
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Replicator notify pause after modify (secs)
Replicator notify pause between DSAs (secs)