Hi,
Currently we have a few custom attributes in Windows Server 2016 AD. Now we are trying to extend the AD schema to install MS Exchange 2016. Will it affect the current custom attributes in the AD when extending the AD schema?
Regards
Irfan
Hi,
I tried the sample Reset Password code given by Microsoft to reset the password of a test user account with a service account which has limited privilege to set passwords.
https://docs.microsoft.com/en-us/windows/desktop/api/iads/nf-iads-iadsuser-setpassword
But it shows access denied from a machine which is not joined to the domain (DMZ machine). It works fine without error with domain Admin privilege. I can log in with the service account in AD and can reset the password using ADUC and PowerShell too. It resets the password without any error.
The net user username password /domain command shows the same error on a domain-joined machine, but worked on the DC directly. I hope the service account has sufficient privilege to reset passwords since it resets passwords with ADUC but not from outside the network. A Microsoft technician says some privilege is required to perform the operation from outside but did not give a specific one. I am not sure what privilege is needed for a password reset from outside the domain.
I can confirm all the required ports are opened from DMZ to domain controller. List of some ports are 389,636,445,464,88.
Vignesh
I have a fairly small environment, about 100 PCs, Exchange, SQL. One of my domain controllers has had unusually high CPU usage lately. In the past it would idle between 1-5% CPU, which I feel is pretty normal for a VM that is nothing but a domain controller.
I've tracked the issue down to the security log. If I clear the security log out it will be happy at 1-5% CPU for a few hours, then go right back to constant 20-50% CPU usage. The larger I make the security log, the more CPU usage there is. I made the log file size 20MB and it will stay around 10% CPU usage, but I can only get about half a day's log entries in there if I'm lucky. Usually about 1 hour will fill the 20MB log. I also tried a 2GB log and that just absolutely kills the CPU. I'm at 150MB in the log and the CPU is a constant 50%+.
The only thing that I have changed since this happened is a few CU updates in Exchange, and I ran a script to fix some errors in the exchange event viewer:
# Load the Exchange setup snap-in that provides New-PerfCounters
add-pssnapin Microsoft.Exchange.Management.PowerShell.Setup
$path = "C:\Program Files\Microsoft\Exchange Server\V15\Setup\Perf"
# Collect every perfmon counter definition (*.xml) under the Perf folder
$items = Get-ChildItem -Recurse $path
$files = $items | ?{$_.extension -eq ".xml"}
Write-Host "Registering all perfmon counters in $path"
Write-Host
$count = 0;
foreach ($i in $files)
{
    $count++
    $f = $i.directory, "\", $i.name -join ""
    Write-Host $count $f -BackgroundColor red
    # Re-register the counters described by this definition file
    New-PerfCounters -DefinitionFileName $f
}
Any help would be very appreciated.
I have a 2008 Active Directory service and I'm trying to duplicate every user using a text file, which contains one row for every user.
Columns could be:
1st column: original user account
2nd column: new user account
3rd column: new user
4th column: new surname
5th column: new user password
Does a script exist to create new users using the 1st column as the user reference, so that groups and other fields are copied?
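One way to do this with the RSAT ActiveDirectory module, added here as an example and not part of the original thread: each line of a tab-separated file is read with the five columns the post lists, the source account is used as a template via New-ADUser -Instance, and its group memberships are copied. The file path, the column names and the tab delimiter are assumptions.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module and a
# tab-separated file with five columns in the order the post describes (assumed names).
Import-Module ActiveDirectory

$inputFile = 'C:\temp\users.txt'   # assumed path
$header    = 'SourceSam', 'NewSam', 'NewGivenName', 'NewSurname', 'NewPassword'
$rows      = Import-Csv -Path $inputFile -Delimiter "`t" -Header $header
$upnSuffix = (Get-ADDomain).DNSRoot

foreach ($row in $rows) {
    # Load the template account with the attributes worth copying (not identity attributes).
    try {
        $src = Get-ADUser -Identity $row.SourceSam -Properties MemberOf, Description, Department, Title, Office, Company, ScriptPath
    } catch {
        Write-Warning "Template account '$($row.SourceSam)' not found, skipping"
        continue
    }

    # Place the new account in the same container as the template.
    $parentOu = ($src.DistinguishedName -split ',', 2)[1]

    $params = @{
        SamAccountName        = $row.NewSam
        Name                  = "$($row.NewGivenName) $($row.NewSurname)"
        GivenName             = $row.NewGivenName
        Surname               = $row.NewSurname
        UserPrincipalName     = "$($row.NewSam)@$upnSuffix"
        Path                  = $parentOu
        Instance              = $src      # copies the template's other populated attributes
        AccountPassword       = (ConvertTo-SecureString $row.NewPassword -AsPlainText -Force)
        Enabled               = $true
        ChangePasswordAtLogon = $true     # the password in the file is treated as an initial one
    }
    New-ADUser @params

    # Copy group memberships; the primary group (Domain Users) is assigned automatically.
    foreach ($groupDn in $src.MemberOf) {
        Add-ADGroupMember -Identity $groupDn -Members $row.NewSam
    }
    Write-Output "Created $($row.NewSam) from template $($row.SourceSam) with $($src.MemberOf.Count) group(s)"
}
```

Because the input file contains clear-text passwords, it should be protected and removed once the run is done; ChangePasswordAtLogon forces the real user to pick their own password at first logon.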
Hi Guys,
I have a problem where all our domain admin accounts' passwords have expired at the same time, and when we try to log in to the server we get the error 'Your password has expired, please contact your administrator', but we are not asked to enter a new password. Can you please let me know how to enable that option?
In short, when our password has expired, the system should tell us the password has expired and ask us to enter a new password.
Regards,
Vishwas.P
All
I have an application which retrieves folder information from a Win2012 server. One of the retrieved attributes is the owner of the folder. Windows sends it back in the format CN=User X,OU=Users,OU=City,OU=Sitename,DC=Company,DC=com
I now need to look up information about that folder owner in Active Directory, so I tried
' ADO SQL dialect: the LDAP base must be enclosed in single quotes
strLDAP = "'LDAP://Company.com'"
strUser= "CN=User X,OU=Users,OU=City,OU=Sitename,DC=Company,DC=com"
Set rs = cn.Execute("select adspath, sAMAccountName from " & _
strLDAP & " WHERE objectClass = 'user'" & _
" And adspath = '*" & strUser & "*'")
However, this does not return any row although the object exists. If I replace the last line with e.g. " And sAMAccountName = 'userx'" it does retrieve a record.
So is there a solution for filtering on adsPath?
Regards
Ino
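A way to resolve the owner DN that avoids wildcards on adsPath, added here as an example rather than code from the post: distinguishedName is a DN-syntax attribute, so it only supports an exact-match filter, and any value that is spliced into an LDAP filter needs RFC 4515 escaping. The escape function and the fallback message are the editor's; the DN is the one from the post.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside an LDAP filter value, so a
    # DN or user-supplied string cannot change the meaning of the filter.
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            '\'     { [void]$sb.Append('\5c') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Resolve-FolderOwner {
    # Return the sAMAccountName for the owner DN the file server reported.
    param([Parameter(Mandatory)][string]$OwnerDn)

    # Exact match only: wildcards are not valid on DN-syntax attributes such as
    # distinguishedName, which is why the '*...*' adsPath query returns nothing.
    $filter = "(distinguishedName=$(ConvertTo-LdapFilterValue $OwnerDn))"
    $user = Get-ADUser -LDAPFilter $filter -Properties sAMAccountName
    if ($user) { $user.sAMAccountName } else { $null }
}

$ownerDn = 'CN=User X,OU=Users,OU=City,OU=Sitename,DC=Company,DC=com'   # value from the post
$sam = Resolve-FolderOwner -OwnerDn $ownerDn
if ($sam) { "$ownerDn -> $sam" } else { "no user object found for $ownerDn" }
```

When the DN is already known, Get-ADUser -Identity $ownerDn binds to the object directly and needs no filter at all; the filter form is shown because it is the equivalent of the ADO query in the post.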
I'm able to generate an LDIF export of my active directory like this
ldifde -f test-data.ldif
ldifde -f test-data2.ldif -d "CN=Configuration,DC=domain,DC=com"
I then combine these two files and I have a pretty useful LDAP export.
But when I look into the exported data, the SID data is not there.
Why is that missing? What can I do to get it included in the export?
So anything such as tokenGroups or anything involving a SID does not work from the exported data.
So we had to power down everything for Hurricane Florence. Luckily, we didn't get hit. However, I'm running into an issue now with one of my domain controllers. We have a small, standalone training network that does not connect to the internet. We have two domain controllers (one primary (DC1), one secondary (DC2)) that are running Windows Server 2012.
After booting up all the domain controllers/servers in order (primary first), I noticed on DC2 it was logging me and others in as a temporary profile. It turns out all of our profiles were removed on DC2. Even the default Domain Administrator account was logging in as a temporary profile.
To resolve the temporary profile issue, I deleted the associated profile entries for HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PROFILELIST. This resolved the temporary profile issue for user accounts. However, now when I log in using the default domain administrator account, there are no pinned icons on the task bar, on the start screen, and when I click on apps under "all apps" on the start screen, nothing happens and nothing opens.
I don't have this same issue with other domain administrator accounts that I created. Everything works fine. And I'm able to login and use the default domain administrator account on DC1 without any problems.
Any assistance would be greatly appreciated. Thanks in advance!
Hussain Arif(Senior System Administrator)
Evening,
When a computer is created it appears in the default computer container in AD.
What I need to happen is for computer accounts to remain in the default container for 48 hours, then to automatically move to another particular OU.
Does anyone know of a script that would move objects between OUs? Perhaps set a scheduled task to run the script every 48 hours?
Thanks,
Andrew
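An implementation of the move described above, added here as an example and not part of the original thread: it lists the direct children of the default Computers container whose whenCreated is older than 48 hours and moves them to a target OU. The target OU name is an assumption; the function supports -WhatIf so a scheduled task can be rehearsed first.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module; the
# target OU is an assumed name that must exist in the domain.
Import-Module ActiveDirectory

function Move-AgedComputerAccounts {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$TargetOu  = "OU=Workstations,$((Get-ADDomain).DistinguishedName)",  # assumed
        [int]   $MinAgeHours = 48
    )

    $domain   = Get-ADDomain
    $sourceDn = $domain.ComputersContainer          # default CN=Computers,<domain>
    $cutoff   = (Get-Date).AddHours(-$MinAgeHours)

    # Fail early rather than moving objects into a container that does not exist.
    $null = Get-ADOrganizationalUnit -Identity $TargetOu -ErrorAction Stop

    # OneLevel: only objects sitting directly in the default container, not in sub-OUs.
    $aged = Get-ADComputer -SearchBase $sourceDn -SearchScope OneLevel `
                           -Filter { whenCreated -lt $cutoff } -Properties whenCreated

    foreach ($c in $aged) {
        $desc = "{0} (created {1:yyyy-MM-dd HH:mm})" -f $c.Name, $c.whenCreated
        if ($PSCmdlet.ShouldProcess($desc, "Move to $TargetOu")) {
            Move-ADObject -Identity $c.DistinguishedName -TargetPath $TargetOu
            Write-Output "Moved $desc"
        }
    }
    return @($aged).Count
}

# Dry run first; remove -WhatIf (or call from a scheduled task) to apply the moves.
Move-AgedComputerAccounts -WhatIf
```

Running this daily rather than every 48 hours keeps the delay close to the 48-hour target, since each run only picks up accounts that have already passed the threshold.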
Dear Support
We have a client that is having issues with their child domain not replicating to the top domain. Replication is giving an "access denied" error, and the Schema and Domain Naming master roles are showing an old deleted server.
Users in the child domain are getting authentication pop-ups when trying to access the parent domain.
Please help
Need urgent assistance!
Business can't work
Hussain Arif(Senior System Administrator)
Hey MS Experts,
I have implemented RDweb server on 2012R2 OS and Domain Controller is running on Server2008R2 in PCI zone,
https://localhost/RDWeb/Pages/en-US/password.aspx
Above is the URL for IOT users to access over SSL from the user VLAN.
The issue is that the localhost website takes 30-34 seconds to load.
Configuration - IIS 8.5, ASP.NET 4.5, 2012R2 OS with the September patch, 8 GB RAM, 2 CPUs, VM, primary and secondary DNS IPs set to our AD server. I have followed the MS article below to configure the web servers:
https://social.technet.microsoft.com/wiki/contents/articles/10755.windows-server-2012-rds-enabling-the-rd-webaccess-expired-password-reset-option.aspx
Please suggest.
Dharmendra
Hi all,
I need to know if there's a way to force migrated groups between Domains to retain their friendly group name after their source domain is no longer available.
We have 2 domains, Domain A and Domain B. Users in Domain B (also migrated from Domain A) access resources based on permissions assigned to groups from Domain A via SIDHistory.
When Domain A is decommissioned, I suspect the group names given the permissions will revert back to their SID names when looking at permissions.
Going forward all permissions will be granted to new groups on Domain B, but there are hundreds of groups being granted permissions to millions of files which have the legacy Domain groups being applied.
Is there a way to force Domain B to retain the friendly group name as a one off process once the trust with Domain A is removed?
Thank you in advance.
Martin
A long time ago, we had a specific DC removed by an inexperienced admin, so we had to remove all related objects manually, using the Sites and Services tool, and make sure that all old objects were also removed, like deleting DNS records and also checking the ntdsutil/metadata cleanup procedure.
So, now, I'm migrating from FRS to DFS-R and the migration tool is showing references to the old (and previously removed) AD/DC:
dfsrmig /getMigrationState
The following Domain Controllers are not in sync with Global state ('Redirected'):
Domain Controller (Local Migration State) - DC Type
===================================================
OLD_SERVER_NAME ('Start') - Writable DC
OTHER1 ('Start') - Writable DC
OTHER2 ('Start') - Writable DC
Where the heck is this reference coming from?
As far as I know, this old server never had a DFS Namespace, and maybe it had DFS replication for file services purposes, but anyway, why are these old references there if we got rid of this old DC/AD a long time ago? (Now we have Win2008R2, Win2012R2 and Win2016, but at the time of the removal of this old DC there were only Win2008R2.)
Also NETDOM QUERY DC shows the name of this old server too...
Can someone please help me with the following question,
I know there is a 'Default Domain' group policy linked to the domain root, and also a 'Default Domain Controllers' policy linked to the Domain Controllers OU. I also believe settings applied at the domain level will also apply to the domain controllers if not overridden by a policy with higher precedence, e.g. the Default Domain Controllers policy.
Assuming the above is correct thus far (please correct if wrong),
I then read the following post
https://support.microsoft.com/en-gb/help/259576/group-policy-application-rules-for-domain-controllers
last updated the 6 July 2018
I am not 100% clear on its meaning (and this is where I need help). I believe it is saying that certain GPO settings will only apply if attached to the domain controller itself and not the OU (as the DC could be moved out of the Domain Controllers OU); it talks about several such GPO settings, including 'Force logoff when logon hours expire'.
The first thing I do not understand is: apart from Local Group Policy for the computer itself (which has the lowest precedence), the only ways you can link a GPO are to the Site, Domain or OU?
So I do not understand when they say the policies it refers to only take effect if linked to the domain controller itself; do they mean a Local Policy setting as in gpedit?
In other words, if I set 'Force logoff when logon hours expire' either at the domain level or the Domain Controllers OU level, it would 'not' take effect as it is not linked directly to the domain controller.
Please advise, thanks very much in advance
CXMelga
Hi,
We are having a problem with the second domain controller. BPA results show 3 errors.
Here is an output from repadmin /replsum
C:\Windows\system32>repadmin /replsum
hi all
to safely remove a domain controller I read the following:
temporary AD site and move the Domain Controller which you want to remove, make sure the temporary AD site only has the DC Subnet,
Also check the DC SRV records are pointing to new temporary AD site and delete if any record pointing from old user site, this should be dynamic and no manual action required, just make sure SRV records in-place as excepted
question 1
"make sure that the temporary AD site only has the DC subnet": does that mean that this site has the same subnet as the DC, for example if the IP of the domain controller is 192.168.1.2 then the subnet assigned to the site must be 192.168.1.0/24?
question 2
"also check the DC SRV records are pointing to new temporary AD site"
Records like what? Does he mean another folder with the name of the site that has the SRV records of the moved domain controller, as shown below?
I made a test environment with 2 domain controllers one is primary and the other is additional
and client with windows 7 and a router
I create another site and moved the second domain controller to it
from the client side I made the following lookup:
***************************************************************
_ldap._tcp.gc._msdcs.compu.local SRV service location:
priority = 0
weight = 100
port = 3268
svr hostname = dc2.compu.local
_ldap._tcp.gc._msdcs.compu.local SRV service location:
priority = 0
weight = 100
port = 3268
svr hostname = dc1.compu.local
dc2.compu.local internet address = 172.15.1.2
dc2.compu.local AAAA IPv6 address = 2002:ac0f:102::ac0f:102
dc1.compu.local internet address = 192.168.2.1
**************************************
> _kerberos._tcp.dc._msdcs.avitdc.local
Server: UnKnown
Address: 192.168.2.1
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
> _ldap._tcp.dc._msdcs.avitdc.local
Server: UnKnown
Address: 192.168.2.1
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
>
also checking the dns as shown below :
Hello,
Is there a way to find AD users whose password has been reset with the same password?
We have policies to prevent this from the user's point of view, but of course no such limitation from the admin's point of view. For example, I am an administrator and I am able to reset my account every time with one and the same password from the AD Users & Computers console. I will uncheck "change password at next logon" and this way will use the same password for years, for example, which is not OK from a security point of view.
So, the question is, is it possible to find users whose passwords have been changed to the same/current password?
Thank you!
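Active Directory does not expose the password value, so a script cannot tell whether a reset reused the previous password; what a defender can audit is the pattern the post describes, an administrative reset (Security event 4724) with "change password at next logon" left unchecked (pwdLastSet not zero). The report below is added here as an example and not part of the original thread; the lookback period is an assumption, and 4724 is only logged on the DC that performed the reset, so every DC is queried.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module and
# read access to the Security log on each domain controller. Lookback is assumed.
Import-Module ActiveDirectory

function Get-AdminPasswordResetReport {
    param([int]$LookbackDays = 30)

    $since  = (Get-Date).AddDays(-$LookbackDays)
    $filter = @{ LogName = 'Security'; Id = 4724; StartTime = $since }   # 4724 = admin reset

    $events = foreach ($dc in Get-ADDomainController -Filter *) {
        # Each DC only logs the resets it handled itself.
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue
    }

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $target = $data['TargetUserName']
        $user = Get-ADUser -Filter "sAMAccountName -eq '$target'" -Properties pwdLastSet, PasswordLastSet
        if (-not $user) { continue }   # e.g. a computer or deleted account

        [pscustomobject]@{
            When              = $e.TimeCreated
            DomainController  = $e.MachineName
            Target            = "$($data['TargetDomainName'])\$target"
            ResetBy           = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            # pwdLastSet = 0 means "user must change password at next logon" is still set.
            MustChangeAtLogon = ($user.pwdLastSet -eq 0)
            PasswordLastSet   = $user.PasswordLastSet
        }
    }
}

# Resets where the admin left the account on a password the admin chose.
Get-AdminPasswordResetReport |
    Where-Object { -not $_.MustChangeAtLogon } |
    Sort-Object When |
    Format-Table When, Target, ResetBy, PasswordLastSet -AutoSize
```

If the same account appears repeatedly with the same ResetBy value and no forced change, that is the behaviour the post is worried about; enforcing the "must change at next logon" flag on administrative resets, or Fine-Grained Password Policy history on the privileged accounts, addresses the reuse that the log alone cannot prove.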