Channel: Directory Services forum

Correct way of blocking and archiving users in AD+Azure hybrid environments


Hello,

I would like to ask for opinions about the correct or "best practice" way of disabling users in hybrid AD/Azure/Exchange Online environments.

Below are the steps that we would like to apply for "leavers" in order to preserve their local and Exchange data, as well as to block the user and remove Exchange licenses (90% of our users have Exchange Lite/Plan 1, which does not include the "Office archive license").

Steps:

  1. Go to Azure Security/eDiscovery and create a new case for the user
  2. Wait until the case is finished
  3. In the local AD, block the user, change the password, remove all groups, and remove the user certificate from Published Certificates
  4. Archive the user data and home directory
  5. Move the user in the local AD to a "blocked" OU which is not synced to Azure
  6. Sync the local AD with Azure and wait until done
  7. Go to the Azure Portal to check that the user has disappeared and the license is back
  8. Go to the EAC to check that the mailbox is gone as well
  9. Verify that the ED case is available

This is our idea of how this should be done, but I'm open to any thoughts, comments or advice on how this process should be done correctly.

Thanks in advance!
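The local-AD part of the leaver procedure above (steps 3, 5 and 6), written out as an added PowerShell example that is not from the original post. It assumes the ActiveDirectory and ADSync modules, that the script runs on the Azure AD Connect server, and a "blocked" OU excluded from synchronization; the OU distinguished name and the account name are placeholders.

```powershell
# Added example: local-AD steps of the leaver process (not the poster's own script).
# Assumptions: ActiveDirectory + ADSync modules present, run on the AD Connect server,
# and $BlockedOU is an OU that Azure AD Connect is configured NOT to sync (placeholder DN).
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [string] $BlockedOU = 'OU=Blocked,OU=Leavers,DC=example,DC=com'   # placeholder
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, userCertificate

# Step 3a: disable the account and reset the password to a random value,
# so neither the user nor anyone holding the old password can authenticate.
Disable-ADAccount -Identity $user
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword

# Step 3b: record the group list in the "info" (Notes) attribute before removing
# memberships, so access can be audited or reconstructed later. The primary
# group (Domain Users) is not in MemberOf and is left in place.
$groupNames = $user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }
Set-ADUser -Identity $user -Replace @{ info = "Groups before block: $($groupNames -join ';')" }
foreach ($groupDn in $user.MemberOf) {
    Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
}

# Step 3c: clear the published certificates (userCertificate attribute).
if ($user.userCertificate) {
    Set-ADUser -Identity $user -Clear userCertificate
}

# Step 5: move the object out of the synced scope. Azure AD Connect will then
# treat it as deleted in the cloud on the next sync cycle.
Move-ADObject -Identity $user.DistinguishedName -TargetPath $BlockedOU

# Step 6: trigger a delta sync instead of waiting for the scheduler.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```

Check the result afterwards with Get-ADUser against the new OU and with Get-ADSyncScheduler / the Azure Portal (steps 7 and 8), since the cloud-side deletion only happens once the sync cycle completes.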


Schema Upgrade for Active Directory


Can I upgrade the schema version from Active Directory 2003 to 2016 directly?


Dharmendra

Error ID 12294 Directory-Services-SAM


Hi,

We have two Windows 2008 R2 domain controllers. I changed the password for the built-in domain Administrator two days ago and now I am getting errors on both controllers.

Error ID 12294 Directory-Services-SAM

The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

How could I solve this?

Enable Kerberos AES encryption on an existing one-way trust


I'm trying to get Kerberos to work between an internal and a DMZ forest with a one-way trust between them, and have narrowed the issue down to the encryption type between the client and the DC.

After some research the issue appears to be the option "The other domain supports Kerberos AES encryption" under the forest trust settings on the incoming side.

This option is currently disabled and the checkbox is greyed out so I can't select it; after plenty of searching I haven't found another way to enable this option on an existing trust. Is removing and re-creating the trust the only way to correct this?

The internal forest and domain are both at the Server 2008 R2 functional level, and the DMZ forest and domain are both at the Server 2016 functional level.


forest is incompatible with the complete behavior of this optional feature - Current functional level: 4294967295


An optional feature is enabled on this DC. However, the functional level of the forest is incompatible with the complete behavior of this optional feature.

This condition could be due to a delay in replication to this Active Directory Domain Controller of a change to the functional level of the forest, and may correct itself automatically. If this condition persists, manual intervention may be necessary.

User Action
Raise the functional level of the forest to at least the minimum required functional level.

Optional feature: Recycle Bin Feature
Minimum required functional level: 4
Current functional level: 4294967295

The full story:

1) Between May 2009 and January 2016, all DCs were Win2008R2

2) In January 2016, we introduced the first Win2012R2-based DC

3) 3 days ago, we introduced the first Win2016 DC

AD replication is fine; users are being created and deleted, no problem.

But during the install/dcpromo and even several hours after the Win2016 install, the error was there: Current functional level: 4294967295


PS C:\Windows\system32> Get-ADDomain | fl Name,DomainMode


Name       : qgog
DomainMode : Windows2008R2Domain

PS C:\Windows\system32> Get-ADForest | fl Name,ForestMode


Name       : qgog.ad
ForestMode : Windows2008R2Forest

My recycle bin is working well, no problem; I tested restoring a deleted object.

Is it a BUG?

I'm trying to figure out why the number is so bizarre and whether it could be a replication latency issue (18 DCs, spread around the world, including very-low-latency (satellite) networks).


The specified account already exists.


HELP.

I am in a twist here as to what is going on and am unable to resolve.

History.

Two of our domain controllers tombstoned due to network card issues.

I attempted to demote the controllers but had some access issues. I believe at least one of them is now OK and has demoted successfully (I believe). I tried to re-join the domain but kept getting "the specified account already exists" and it would not re-join. I checked DNS objects etc. and there were no remnants of the server anywhere. Other domain controllers cannot see this computer either.

I eventually deleted the server completely and built another VM using the same credentials as the original. However, when I attempt to join the domain I get the same issue, "the specified account already exists".

I really don't know what to do next and need to get this resolved soonest, as we are due to migrate objects in AD to a different domain.

Please could someone offer any advice.

Thanks in Advance.

Regards.

FSMO scenario


Dear Tech,

I have three domain controllers in a single forest and single domain, but they are located in two different locations. In location "x" there are two domain controllers and the forest-wide FSMO roles are configured there. In location "y" there is one domain controller with the domain-wide FSMO roles configured. In location "y" I have a requirement to add a number of users, but I came to know that in location "x" the schema master is down. Is it possible to create users in location "y"?

What are the possibilities, and can you explain any drawbacks?

Please help me in this regard...

AmarPKST 

Replication Error : SyncAll exited with fatal Win32 error.


Hello,

Our domain consists of three domain controllers, all on Server 2008. Everything was working fine until we restarted our primary domain controller. After the restart, when I initiate the command "repadmin /syncall" it returns the error below:

CALLBACK MESSAGE: Error contacting server 20547b77-7bc2-486a-2cfb-9638a89d99dbd._
msdcs.xxx.com (network error): 5 (0x5):
    Access is denied.

SyncAll exited with fatal Win32 error: 8440 (0x20f8):
The naming context specified for this replication operation is invalid.

But on the additional domain controllers the same command works fine and replication is happening successfully. Please help me out.

Regards,

Tony


Account Lockout


Hi Experts,

I have an AD account with which I have to perform my daily tasks, such as logging into remote desktop, the scheduler and other tasks.

For the past 10 days, my account has been getting locked daily in the evening around 5:45 to 6:00 PM, and daily I have to unlock it, which is a painful activity.

For troubleshooting purposes I have referred to https://activedirectorypro.com/account-lockout-tool/ and performed some R&D, but I am unable to understand the real issue.

First I checked that the Orig Lock (using the Lockout Status tool) is one of my domain controllers, so I checked that domain controller for event ID 4740, and the caller computer name is "CSAPL-NMS". Next I logged on to the caller computer and filtered for event 4625, but I was unable to find any relevant event giving more description of the service that the caller computer performed.

During review of the log on the caller computer "CSAPL-NMS", I found event ID 4648 and found that a Windows Server 2003 named "cs-new-hrms" is the target server.

All the relevant screenshots and logs:

https://crescentpk-my.sharepoint.com/:f:/g/personal/osama_mansoor_crescent_com_pk/EtZfe2oWyF9BqRxgQGzAXfIB_qs5IT83i98u26SZ3eyzzQ?e=c9sc03


Network name after Domain Name Change - Workgroup PC


Hi,

I recently inherited an Active Directory network to look after, a fairly small network with around 50 PCs. They have two servers, one acting as the DNS and DHCP server and one acting as a file and print server.

Both servers are 2012 R2. The majority of clients are Windows 10 on DHCP and are domain computers.

The first error they wanted me to correct was that their Active Directory domain name was the same as their website domain, so internally they had no access to their website. I tried the usual easy fixes of entering a DNS record and manually altering the hosts table.

This hasn't worked, so I followed a guide for renaming a domain, as I have never had to do this before (this one to be precise: http://www.rebeladmin.com/2015/05/step-by-step-guide-to-rename-active-directory-domain-name/).

Everything seems to have gone correctly with this, bar one PC that occasionally throws an error about a failed trust relationship; my plan is to remove it and re-join it to the domain. All others are fine; they can access their shares, printers etc. no problem.

However, there are a couple of workgroup PCs. When these PCs connect to the network and Windows identifies the network, it sees it as the old domain.co.uk name, not the new local.domain.co.uk.

How is this happening and what needs to be done to fix this?

This even happened today with two brand new PCs: as soon as they booted up after a fresh install of Windows they 'found' the network domain.co.uk and asked if I wanted to share across the network. Once they are joined to the domain it is displayed correctly as local.domain.co.uk.

Under ipconfig, 'connection-specific DNS suffix' is listed as domain.co.uk, not local.domain.co.uk.

The issue seems to be causing very slow web browsing for the workgroup PCs, presumably whilst the suffixes are appended and then time out?

How are these workgroup PCs getting the old network name?

Once the domain name was changed, I deleted the old DNS zone.

I have seen some suggestions about GPOs, but these are workgroup PCs so they are not affected by that. And some suggestions to release and renew the IP, but that shouldn't be the case if new PCs are also getting this network name; they have never connected before.

Any help would be great, thank you.

Reinstall AD Connect on Windows Server 2012

Dear All,

The current AD Connect server is on Server 2012; it works fine without any issues (delta sync every 30 minutes). It is installed on the D drive, and the storage team wants to take it back :)

I would like to uninstall it and reinstall it on the C drive; would there be any issues?

1. Should I export and import the settings, or just do a fresh installation?

2. When it syncs back, will it affect the existing users in the cloud?

3. Would there be any impact on the end users after the installation, like password resets, login issues, etc.?

4. Are any other precautionary steps needed?

Thank you so much in advance.



Regards,

Kottees

Kottees: My Blog. Please mark it as an answer if it really helps you.

User's address is automatically getting changed - AD 2012

One of my users moved from location A to location B, so I changed the "Address" field of the user in my Active Directory accordingly. But the next day, when I look at his address again, it has reverted to A. Every day I change the user's address to B, but the next day it automatically changes back to A. Please assist.

Arif

Clients slow down if connectivity to a Domain Controller is lost temporarily


I have configured a logon script on the Profile tab of the user. The purpose is to make sure that all clients run our company application.

The problem is triggered by losing connectivity to the domain controller that served the logon. A typical scenario would be rebooting a DC for maintenance.

The problem being witnessed leads to various incidents; the major impact is that clients are sluggish until the domain is available again.

I have a question:

- Does the logon script on the Profile tab only run when the user logs on to Windows, or is the logon script checked constantly between the client and the domain?

- On the DC there is a network location named "NETLOGON"; what is the relationship between the client and the domain for this folder?

What is the purpose of the NETLOGON share?

Regards,

Hoang

Switching PDC Emulator/time source in existing domain


We are transferring the PDC Emulator role (currently on a 2008 R2 OS) to a Windows 2016 DC. Is there anything special we have to do in order to switch the time source of the domain? Will this automatically switch over during the transfer of the FSMO role, or do we need to perform any steps afterwards to ensure the time source gets switched over?

Thanks in advance.

The permissions on NETLOGON (server) are incorrectly ordered, which may cause some entries to be ineffective.


Hi Support,

How can I troubleshoot this problem?

If I select reorder, will it fix the existing permissions issue?

Is it recommended to apply the reorder fix on NETLOGON?

What are the default permissions on the NETLOGON folder?

How can I find what caused the permissions problem?

Thank you



DFSR error ID 5008/4612 towards demoted/removed DC


I am having an issue where I see the following errors:

The DFS Replication service failed to communicate with partner OLDSERVER for replication group Domain System Volume. This error can occur if the host is unreachable, or if the DFS Replication service is not running on the server.

Partner DNS Address: OLDSERVER.Domain.local

Optional data if available:
Partner WINS Address: OLDSERVER
Partner IP Address: x.x.x.x

The service will retry the connection periodically.

Additional Information:
Error: 1722 (The RPC server is unavailable.)

The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner OLDSERVER.domain.local. If the server was in the process of being promoted to a domain controller, the domain controller will not advertise and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the sync partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.
 
Additional Information:
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: 4846FCD2-7777-4EDF-BC6B-13E8E16C4446
Replication Group Name: Domain System Volume
Replication Group ID: CB5BCAE8-C44F-40A8-80DD-A88DC4FDAF74
Member ID: FA911E0C-253C-426A-8EC7-71D85B49C0EB
Read-Only: 0


The server was not removed from the domain correctly, so I am doing a lot of cleaning up. The issue I face is that the other solutions I have found for this are to use metadata cleanup, but OLDSERVER is not present there.

Or to use ADSI Edit to locate CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=local and delete the record of OLDSERVER, but the record is not there.

I have 4 domain controllers at the moment: 2 of them are 2016 (newly installed) and 2 are 2012 R2.

The error is only active on 1 of the 2012 R2 servers; the rest see no DFSR errors. OLDSERVER's old DNS records have all been removed.

Any pointers or ideas will be greatly appreciated.

LDAP last authenticated users report

I am using the AD LDAP server for authenticating users for the Cisco Meeting Server (CMS) application. I want to get a list of all users with their last successful authentication. I also need a list of users who have never used the CMS application. Thanks for your help in advance. I am OK with a PowerShell script. Thanks a ton in advance.

Domain Controllers OU

Using Active Directory, I am looking into creating a new computer object and adding it to the Domain Controllers OU. I am not building a server and adding it to the domain, only going into Active Directory and creating the computer object. The reasoning behind this is to help carry out the setup of a honeypot. Are there any known issues with doing this?

Group Policy Object

Can anyone please describe the guidelines a sysadmin would use to set up a GPO for an organization? A brief overview would do: the basic settings, etc.

Active Directory - Automating object movement between OUs


Evening,

When a computer is created, it appears in the default Computers container in AD.

What I need to happen is for computer accounts to remain in the default container for 48 hours, then automatically move to another particular OU.

Does anyone know of a script that would move objects between OUs? Perhaps set a scheduled task to run the script every 48 hours?

Thanks,

Andrew
