Channel: Directory Services forum

Correct sequence for adding new DCs, Sites and Subnets


I'm interested to learn the correct sequence for adding new DCs, Sites and Subnets, so that I can avoid creation of unnecessary/unwanted DNS entries and/or AD objects.

Current Environment:

2 x DCs in site HeadOffice-LAN (2 x subnets)

1 x RODC in site HeadOffice-DMZ (1 x subnet)

What I'm Adding:

2 x DCs in a new site NewSiteName-LAN (1 x subnet)

1 x RODC in a new site NewSiteName-DMZ (1 x subnet)

I've prepared some new VMs but have not yet installed the AD-related roles.  What is the optimal way to deploy this new infrastructure?

e.g. do I create the new Site(s) first, then deploy the AD roles on the new VMs and point them to the new Site in the Wizard?

e.g. do I deploy the AD roles on the new VMs connected in the existing HeadOffice-LAN first, then create the new Site, then move the DCs to the new Site?

Thanks for any recommendations.  I've looked around for some clear MS guidance on this, but haven't been able to find what I need as yet; if you know of such guidance, just point me in that direction.


ADMT v3.2 Interforest user migration fails


Hello, I'm having a hard time migrating a user from one forest to another. I'm using 2 different domain controllers in different forests and I've already established a forest trust. The source DC is also the RID Master, just saying. When I try to migrate the user it fails and gives me this log:

[Settings Section]
Task: User Migration (13)
ADMT Console
    User:       A06\administrator
    Computer:   A06-MEM-F99.A06.NID (A06-MEM-F99)
        Domain:     A06.NID (A06)
        OS:         Windows Server 2008 R2 Enterprise 6.1 (7601) Service Pack 1
Source Domaina
    Name:   A06.NID (A06)
    DC:     A06-DC-F4.A06.NID (A06-DC-F4)
        OS:     Windows Server 2008 R2 Enterprise 6.1 (7601) Service Pack 1
    OU:     
Target Domain
    Name:   A99.NID (A99)
    DC:     A99-DC-F1.A99.NID (A99-DC-F1)
        OS:     Windows Server 2008 R2 Enterprise 6.1 (7601) Service Pack 1
    OU:     LDAP://A99.NID/OU=Migratie,DC=A99,DC=NID
Intra-Forest: No
Password Option: Generate passwords, only for new objects = No
Password File:   'C:\Windows\ADMT\Logs\passwords.txt'
Migrate Security Identifiers: Yes
Update Rights: No
Translate Roaming Profiles: No
Fix group membership: Yes
Conflict Option: Ignore
Source Disable Option: Leave source account
Source Expiration: Do not expire source account
Target Disable Option: Set target same as source
Migrate groups: No
Migrate service accounts: Yes

[Object Migration Section]
2012-04-25 00:02:17 Starting Account Replicator.
2012-04-25 00:02:17 ERR2:7301 Failed to migrate source object 'CN=Mig-a06.nid' to domain 'A99.NID'. The target object could not be created. hr=0x80070005  Access is denied.
2012-04-25 00:02:17 Operation completed.

For the past couple of hours I tried to work my way around this but I've failed... big time, and it has left me with a bit of a headache to say the least.

Could anyone please tell me what I'm doing wrong here?

Unable to join a windows 10 device to test domain


Hi,

I have built a test lab in VMware Workstation to test various upgrade options.

I have used Windows Server 2012 R2 as the server and have installed all the necessary options and promoted it to a DC.

I have 2 laptops and a small hub connected to the server.

1 laptop is Windows 7 and I have managed to get that to join the domain and it works fine.

1 laptop is Windows 10 and I am having problems with it.

If I use the applet to join the domain it "can't find the domain". If I try via PowerShell it says "Access Denied".

I have checked many times that the settings (IP address, etc.) are correct and everything seems fine.

Any ideas what I have missed?

ldp says forestFunctionality: 0 = ( WIN2000 ); but it is W2008


Hello,
I'm trying to add a new W2016 DC to my domain (2 W2008 R2 DCs already present), but I can't proceed to promote the W2016 server to a DC because it says that the forest level is W2000.

On both W2008 DCs, the "Active Directory Domains and Trusts" MMC GUI says "Current forest functional level: Windows Server 2008"

In ldp.exe, in DC1: forestFunctionality: 0 = (WIN2000 );

but in DC2: forestFunctionality: 3 = (WIN2008 ); 

How can I solve this issue?

Thank you in advance.

LastLogonTimestamp Shows Future Date - showobjmeta shows f191c38d-bdea-4cb4-862d-24ed6f996ed1 instead of DC Name


I have several machines that show a last logon in the future.

I ran repadmin /showobjmeta DC "OU Paths" >temp.txt and the output for the DC looks like a GUID.

Loc.USN                          Originating DSA                       Org.USN  Org.Time/Date            Ver Attribute

38623490      f191c38d-bdea-4cb4-862d-24ed6f996ed1   3555424 2032-04-21 08:22:12   78 lastLogonTimestamp

Should be something like

38623490                             City\DCNAME                      3555424 2018-10-03 08:22:12   78 lastLogonTimestamp


Is there a way to get AD to report this correctly?



- LZ


Can't log in to local computer after created active directory

Hello, so I have some problems... I'm a computer systems student and now I'm studying system administration. I'm using Windows Server 2008 R2 on VMware software. I had a task to try to create an Active Directory, so after I made it using tutorials I had to restart my virtual machine. After doing that I can't see the users I created before. I named my Active Directory randomly: ACTIVE. Now when I turn on my virtual machine I see a login to ACTIVE/Administrator and I can log in to it. When I try to change user I see that if I want to log back in to my local computer I need to write SERVER\local user name (SERVER is the name I gave my computer when I installed Windows Server). Whenever I type SERVER\Administrator it shows that it will connect to SERVER, but whenever I type the password it just says that I can't log in because the user name or password is incorrect. I know that everything is correct; I even tried to log in to the other users I created before but none of them worked. I can't edit anything in my Active Directory; I can't even disable it. I'm a beginner at this, so please can anyone help me with how I can log back in to my local computer? Also sorry for my English language skills not being the best.

Protected user group in 2012 R2

Hi,

I have a few privileged user accounts in my domain and am planning to implement the "Protected Users" group authentication mechanism.

All my NetApp shares can be connected using IP address.

Technically, if a user is part of the Protected Users group, NTLM authentication does not work.

In this case, if I add a privileged account to the storage shares, will I be able to connect to the shares without issues?



User Account Issues

I purchased my laptop from my previous company when I was leaving and I kept all of the info on the laptop. I had a username with admin rights on the company domain. Since the company removed me from the domain, I cannot download or run any programs on the machine as it is saying that I need admin rights. I tried all the tricks found online but none seem to work. My IT knowledge is little to none, so please advise in an easy manner how to go about fixing this. It shows my name as an admin under username but it is not allowing me to remove my profile or make any changes. It seems like the machine is stuck with no workaround.

What is the recommendation for DNS when using multi-domain forest


Hello, can someone please help me with the following question.

If I have a forest with a 'tree' under the forest root domain as follows:

Forest-Root.Local  # forest root domain

Tree01.Local  # which is a direct child (child tree) of the above forest root domain

then I have one more domain which is a child of the above e.g.

Sales.Tree01.Local

With the above configuration, how should the DNS be configured?

For example, should Tree01.local have a 'stub' zone to refer to Forest-Root.local (and vice versa)?

How should the DNS tab in the TCP/IP settings of the network card look (e.g. how should the IP addresses of the DNS servers be listed, and in which order, for each of the above)?

I would be very grateful if someone could help me with this please

Thanks

Charlie

Adding a UPN Suffix that is already synced to O365


Hello,

We have 2 forests: one.org and two.ca; both are synced with Office 365 in a single tenant.

We would like to add a UPN suffix called two.ca to the one.org forest - will this cause any issues since that UPN suffix is already synced to Office365 and assigned to another forest? Is there any other way to achieve this?

Thanks!


Installation of Certificate Authority Role


Where should I install the Certificate Authority role? Do I need to have a dedicated machine in the domain, or can I install it on the domain controller where Active Directory is installed?


Thanks, Ram Ch

Forest level before migration to o365


Hello All, 

We're in the middle of a migration to O365 and we're currently in hybrid mode. My question is: does our domain/forest level need to be at a certain level for the migration? Does it matter if we move from the 2008 R2 level to 2012 or 2016?

Thanks,

How to set up deny interactive logon with limited hours for service account


Hi,

I am looking for a solution to set up "deny interactive logon" with limited hours for a service account.

Since it is a service account, the service has to run all the time, but I would like to configure the logon hours. I know I can change the logon hours setting for that account from the object properties. However, when I change the logon hours setting, the service is also stopped - that is the problem. We just want to limit the logon hours while the service keeps running all the time.

Thank you,

Syslog daemon and Auditing daemon

What is a SYSLOG daemon? What is an auditing daemon?




What does error code 8007203c mean?

While performing modification actions in Active Directory, error 8007203c occurs.

(apparently) random AD accounts keep being locked due to wrong logins


Hello there,

We have had an issue since the beginning of August where Active Directory accounts are being locked - not always the same accounts. It really seems to happen randomly. So far these accounts have nothing special in common: no specific attribute or group or whatever. I mean nothing that separates them from the accounts not being locked.

Google provided me with a script which gives me the time, username, hostname and IP of the machine where the lock happened (it gathers the DCs' event logs and searches for EventID 4771, Kerberos pre-authentication failed). But it does not get me any further. I find nothing helpful in the event logs of the machines where the locks happen.

I activated a GPO so that the attribute msDS-FailedInteractiveLogonCount is counted, and I monitor it with Netwrix. On "special days", e.g. yesterday, several accounts went one higher; on other days nothing happens.

I researched the process which is responsible: svchost.exe -k netsvcs -p. But does it help me find the program which leads to this behaviour? It could be several things according to Google, e.g. Task Scheduler. We don't push scheduled tasks to the machines with a possibly outdated password, and on the machines I researched no suspicious task could be found.

I have started performance monitor according to this link (we did not have any domain migration but I gave this link a try to monitor kerberos activities)

https://blogs.technet.microsoft.com/askpfeplat/2013/12/15/domain-and-dc-migrations-how-to-monitor-ldap-kerberos-and-ntlm-traffic-to-your-domain-controllers/

In this report two locks actually happened. But it is a really large file. Although it seemed to work, I did not find anything helpful again. No question: maybe I have been searching wrongly - that's why I am writing... surprise.

I hope I have summarized everything I did. Maybe someone can help me get a new trace which leads us to the mole?

Everything in general I find on Google is more like some service using an old password to log in... but on the machines of so many users? And even if so, and we pushed it out via GPO, why not all users then? So I am lost...

We have a Windows 2012 R2 domain and DCs. Clients are Win10 Enterprise 1803.

If you need more information, please ask. I tried to make it as short as possible with all the "helpful" information I have.

Thanks for your help.
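As an added example, not part of the original post: a PowerShell script that correlates each account lockout (Event ID 4740, always recorded on the PDC emulator) with the Kerberos pre-authentication failures (Event ID 4771) collected from every DC in the preceding minutes, grouped by client IP, so the machine sending the stale credentials can be identified. It assumes RSAT ActiveDirectory is installed, the account running it can read the Security log on all DCs, and a 24-hour look-back window.

```powershell
# Added example (not from the original post): correlate lockouts (4740) with
# Kerberos pre-auth failures (4771) across all DCs to find the source machine.
# Assumptions: ActiveDirectory module present, Security-log read rights on each DC.
Import-Module ActiveDirectory

$hours = 24                                   # look-back window (assumed)
$since = (Get-Date).AddHours(-$hours)
$pdc   = (Get-ADDomain).PDCEmulator
$dcs   = (Get-ADDomainController -Filter *).HostName

# Turn an event's <EventData> block into a hashtable keyed by field name.
function ConvertTo-EventData($event) {
    $d = @{}
    ([xml]$event.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    return $d
}

# 4740: in this event TargetUserName is the locked account and
# TargetDomainName carries the "Caller Computer Name".
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $d.TargetUserName; Caller = $d.TargetDomainName }
    }

# 4771: logged on whichever DC answered the AS-REQ, so query every DC.
$failures = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4771; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            [pscustomobject]@{
                Time     = $_.TimeCreated; DC = $dc; Account = $d.TargetUserName
                ClientIP = ($d.IpAddress -replace '^::ffff:', '')   # strip IPv4-mapped prefix
                Status   = $d.Status                                   # 0x18 = bad password
            }
        }
}

# For each lockout, list the client IPs that sent bad passwords in the 30 minutes before it.
foreach ($l in $lockouts) {
    "`n{0:u}  LOCKOUT {1}  (caller: {2})" -f $l.Time, $l.Account, $l.Caller
    $failures |
        Where-Object { $_.Account -eq $l.Account -and $_.Status -eq '0x18' -and
                       $_.Time -le $l.Time -and $_.Time -ge $l.Time.AddMinutes(-30) } |
        Group-Object ClientIP | Sort-Object Count -Descending |
        ForEach-Object { "   {0,4} bad-password attempts from {1}" -f $_.Count, $_.Name }
}
```

An IP that appears under several different locked accounts points at a shared machine or service (a scheduled task, mapped drive or cached credential on that host) rather than at the individual users.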

Mapping Network Drive via GP for Security Groups - Win Server 2016


Hello,

I would like some help with mapping network drives via group policy for multiple users that are all in pre-organised security groups.

I have seen a few posts/videos/documents on how to map via group policy, but how do we apply it to specific security groups?

For example we have two security groups with:

HR - 10 users

MARKETING - 20+ users

I want it to apply only to those groups, with the specific users inside those groups.

Thank you - *I have looked at several posts and other resources before posting.

Direct LDAPS connectivity into internal Active Directory


Hi all,

I am looking at a solution which includes 3rd party access into the internal AD environment directly via LDAPS. The connection is external and via the internet. The purpose of the connection is AD authentication, to allow a piece of software to extract data from it.

I'm not too happy with having direct connectivity into our AD from the outside like this and was wondering if this is something which is common elsewhere and has a valid technical justification, i.e. just port 636 used, encrypted, etc.

Alternatively, what other options are reasonably available? I'd rather not have an RODC on the perimeter as this exposes the whole AD externally, even if it is read only, for what is essentially a small data extraction requirement. I am considering ADFS but I'm not yet too conversant with it and was hoping for a little advice.

Does anyone have any pros and cons they can think of between authenticating directly via LDAPS as opposed to the other available options?

Thank you all in advance.

Regards,
Martin



W2008R2: replication error 8418


Hi, I have two servers. When running repadmin /syncall /e /d

I get the following message:

CALLBACK MESSAGE: The following replication is in progress:
    From: CN=NTDS Settings,CN=DC01UKIP,CN=Servers,CN=UK-ipswich,CN=Sites,CN=Configuration,DC=group,DC=local
    To  : CN=NTDS Settings,CN=DCHW02,CN=Servers,CN=Napoli,CN=Sites,CN=Configuration,DC=group,DC=local
CALLBACK MESSAGE: Error issuing replication: 8418 (0x20e2):
    The replication operation failed because of a schema mismatch between the servers involved.
    From: CN=NTDS Settings,CN=DC01UKIP,CN=Servers,CN=UK-ipswich,CN=Sites,CN=Configuration,DC=group,DC=local
    To  : CN=NTDS Settings,CN=DCHW02,CN=Servers,CN=Napoli,CN=Sites,CN=Configuration,DC=group,DC=local
CALLBACK MESSAGE: SyncAll Finished.

SyncAll reported the following errors:
Error issuing replication: 8418 (0x20e2):
    The replication operation failed because of a schema mismatch between the servers involved.
    From: CN=NTDS Settings,CN=DC01UKIP,CN=Servers,CN=UK-ipswich,CN=Sites,CN=Configuration,DC=group,DC=local
    To  : CN=NTDS Settings,CN=DCHW02,CN=Servers,CN=Napoli,CN=Sites,CN=Configuration,DC=group,DC=local

In "ADSS" (Active Directory Sites and Services), I see different information on each server; in particular, server DC01UKIP still has an old site visible.

Any suggestion?

Thank you in advance

secure channel


I need to get some understanding of the secure channel. What makes it intermittent? I was under the impression that if the secure channel was broken then a user would not be able to log in to a device. What I have is a \\server\share where, at random, users will get access denied. I run Test-ComputerSecureChannel on the server and false is returned. But minutes later users are able to access the share and Test-ComputerSecureChannel is true. How can it be false and then true?

https://support.microsoft.com/en-us/help/2753702/secure-channel-problems-detected  

"These symptoms may be intermittent or consistent.  They may also be tied to a specific network location or locations.  This condition is known as a “broken secure channel”."
