Channel: Directory Services forum

I need to pull the DisplayName from the domain properties


I am using Get-ADDomain -Identity my.domain.local (it's a domain in a forest) | Select-Object -Property *

However, the results are limited and I cannot see all the attributes.

Or, if that is not possible: I can see the name in the properties, but I don't know if changing the name would have any effect at all on the domain and its children.

Thank you for your assistance 


Changing the NAME attribute on the root domain properties


This is an example of one of our forest domains. What are the consequences of changing the name attribute on a domain itself, if any? Are there any services or anything that is tied to the Name attribute?

I want to be able to change this attribute so that I can pull the name that is easy for the techs to understand.

regional.mydomain.com

Thank you!

Paul

Time sync when PDCE is offline


We have four DC's over two sites. The PDC Emulator is configured to use NTP and get its time from our internal NTP source.  All other DC's use NT5DS, so they get their time from the PDCE.  The Announce Flags setting is 5 on the PDCE and 10 on all the other DC's.

We recently had the PDCE down for a short time.  One of the non-PDCE's had a much different time from the others until the PDCE was back up.  I think it may have been related to a BIOS flaw on the server hardware that would cause the system to use Universal Time as local time on the CMOS clock, but I don't know that for sure.  While I have now updated the BIOS with a new version that corrects that flaw, I am still unsure about what will happen with time if the PDCE goes down again.

What happens with time on the non-PDCE's when the PDC goes offline?  Do they then revert to their internal CMOS time clock?  If so, is that internal CMOS clock continuously reset from NT5DS while the PDCE is up?

Can all the DC's be set to use NTP, getting their time from the same source?

Thank you for your help with this.


Unable to start CA-Services after migration (Current log file missing 0xc8000210 (ESE: -528 JET_errMissingLogFile))


Hello everybody!

I'm currently trying to migrate our Root Certification Authority (CA) from Windows Server 2008 (x86) to Windows Server 2016 (x64). I followed the migration guide under https://blogs.technet.microsoft.com/canitpro/2014/11/11/step-by-step-migrating-the-active-directory-certificate-service-from-windows-server-2003-to-2012-r2/ for the main steps.
Both old and new CA-Server will be standalone CA-Servers in our domain and will have different hostnames (the CA-Name will stay the same of course).

The migration process works without any error messages. The CA-Service starts without any problems before restoring the CA-Backup.
But as soon as I restore the CA-Backup and try to start the CA-Services again, I receive the following error message:

"Current log file missing 0xc8000210 (ESE: -528 JET_errMissingLogFile)"

The service won't start anymore. The eventlog shows similar error messages.

I made a procmon-trace to analyse which files the certsrv.exe is looking for and found out that it's looking for "edb.chk", "edb.jcp" and "edbtmp.log" in the CA-data-folder. Those files are not there (and I don't know why, as I only restored the previously created CA-backup).

Any hints? :)

Thank you!!

Channel Binding


Hello,

Does anyone know how to troubleshoot this? It started last week with our ADFS server not accepting Windows Authentication on some Windows 10 PC's. This weekend I turned off the extra protection feature in ADFS as a test and magically the computers began to work. After reading up this seems to point the finger at channel binding.

The PC's in question are domain joined and on the internal network. They are fully up-to-date with Windows Updates. There is no internal proxy only a transparent one if you were to go to the internet. Communication between the PC and ADFS should be direct. ADFS to domain controllers would either be direct or via IPSEC or to an Edge RODC depending on which DC ADFS talked to.

Any ideas on how to troubleshoot the root cause would be much appreciated.

Thanks,

Robbie

Shutdown dc results in offline hosts


Hi,


We have a customer with 2 DCs running Windows Server 2012 R2.

They said that if they shutdown DC1 then no one is able to login.

Then I tried it, but I seem to be able to login, one client did take some time, but was able to login at the end.

Since the customer is running VMware, I had a look into vCenter while the DC1 was shut down, and there something strange happens. Several ESXi hosts suddenly appear as "Not responding", and then of course the VMs running on these ESXi hosts get disconnected. I was able to boot up the DC1 again, and the ESXi hosts were OK again.


To me this seems like a DNS issue or something else related to AD and not the configuration of the ESXi host?

I have looked into DNS on both servers, and could not find anything wrong except the subdomain called _msdcs; within this directory only DC1 is recorded on both DCs. My question then is: should I add DC2 here also on both servers? What happens if this record is not there? Could this be related?

I have also checked repadmin and dcdiag and both seem fine.

Thanks for reply


/Regards Andreas


RD Web services on windows 2012R2 server to Manage IOT Users to their password through Web URL


Hey MS Experts,

I have implemented RDweb server on 2012R2 OS and Domain Controller is running on Server2008R2 in PCI zone, 

https://localhost/RDWeb/Pages/en-US/password.aspx

Above is the URL for IOT Users to access over the SSL from User VLAN.

The issue is the Localhost website taking 30-34 seconds

Configuration - IIS8.5, ASP.Net 4.5, 2012R2 OS with Sept Month Patch, 8 GB RAM, 2 CPU, VM, Pri & Sec DNS IP's our AD server ID. and I have followed below MS article to configure the Web servers

https://social.technet.microsoft.com/wiki/contents/articles/10755.windows-server-2012-rds-enabling-the-rd-webaccess-expired-password-reset-option.aspx

Please suggest. 


Dharmendra

Old Domain Controller reappears in DNS


I needed to virtualize the only domain controller (2008 R2) to solve the problem of dying hardware. I temporarily promoted a 2016 server to a DC, and transferred the FSMO roles, and let everything propagate, just in case. After the P2V migration succeeded, I transferred the FSMO roles back, and demoted the 2016 server back to a member server. That's when the trouble started. The demotion did not go perfectly, as per usual, so I cleaned the metadata in ntdsutil, I removed the 2016 server from Sites and Services, and checked it was not in ADUC. Then I removed references to the 2016 server from the DNS. I have done this whole process literally dozens of times, but lo and behold, going back and looking, I still see SOME of the DNS records, and this is causing me to be unable to add a new DC, leaving me still stuck with a single DC for the domain. Yes, the 2016 server is still in the domain, as a member server and serves as the main file storage for the company. No telling how many shortcuts there are on people's desktops pointing to it, so renaming it is not a good option. Incidentally, I can't promote it back to a DC either, because the object still exists SOMEWHERE in AD.

Here is what I experience(d) with DNS:

  • Removed the CNAME in _msdcs.domain.local, and everywhere in that sub-tree.
  • Removed the CNAME in company.domain.local, and everywhere in that sub-tree.
  • Removed all references to it in the Reverse Lookup Zone.

As soon as you refresh the DNS, the references come back in company.domain.local, but not in _msdcs.domain.local or in the reverse lookup zone.

I may be wrong, but I'm guessing there is someplace in ADSIedit where I can find and delete this, but I don't even know where to start to look.  


Create WMI User with non admin privilege


Dears,

Can anyone help to create a WMI user with non-admin privilege? The user will be able to scan all Windows computers and can read all information from domain computers.

If you can provide me steps or a PowerShell script!

Domain Controller windows 2012 R2

Thanks,

local account with same name as domain account locking out domain account


I have an issue where if I have a local account that has the same username as the AD account, and the passwords do not match, it will lock out the domain account. This is a recent occurrence. The only thing that has changed lately is the deployment of Exchange 2010 CAS server. Does anyone know why Windows 7 would try to pass local credentials to the domain as if they were domain credentials? Perhaps a new feature of Exchange 2010 that tries to do some authentication in the background? This is happening to accounts that have had local accounts on their machines for a couple of years without any issues, but suddenly these local accounts are locking out the domain account. I am hopeful there is something I can change on the server side to prevent this.

Thanks,

Rich

RODC and Service Accounts


Hello,

We have active directory 2016 across the board.

I have a new RODC in the DMZ and the firewall allows full access of the RODC to all internal network, which took a lot to get it working and so far so good with the exception of service accounts that are used by servers in the DMZ. I am able to use service accounts to login interactively, but applications that use those service accounts are failing with the following error:

RPC error: Access is denied. Code: 5

I have added the service account to "Allowed RODC Password Replication Group" group but that does not seem to help.

This started only after deploying the RODC.

Any ideas?

Thanks


HelpNeed


When attempting to install the Active Directory Management Gateway service, the installation fails with the error "the update does not apply to your system".


To whom it may concern,

I'm trying to get the Active Directory Web Services installed in my Windows Server 2008 box. The update is Windows6.0-KB968934-x64, and I keep getting the error message stated in the title. After researching, it seems that a next rollup is needed, but I can't find it. It seems that maybe I need to ask the Microsoft people directly. Any help would greatly be appreciated. I know updating to a newer version of Windows will probably solve this problem, but I'm not ready to do so yet.

Regards,

Some DNS requests timed out on the client, but worked on DC


I have a weird problem. When I do an nslookup on this particular domain name, it shows timed out on my Windows 10 client and I can't access this website, but if I log onto the DC/name server, DC02, it works just fine.

All other websites work just fine.

Any suggestion as to why this is happening and how to resolve this?

On the client: 

C:\Users\JSMITH>nslookup p2energysolutions-my.sharepoint.com
Server:  dc02.company.com
Address:  172.16.9.212

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to  dc02.company.com timed-out

On the DC02

C:\Users\JSMITH_da>nslookup p2energysolutions-my.sharepoint.com
Server:  UnKnown
Address:  ::1

Non-authoritative answer:
Name:    spo-0004.spo-msedge.net
Address:  13.107.136.9
Aliases:  p2energysolutions-my.sharepoint.com
          p2energysolutions.sharepoint.com
          prodnet10511-10480edgea0000.sharepointonline.com.akadns.net
          prodnet10511-10480a0000.sharepointonline.com.akadns.net.spo-0004.spo-msedge.net




DOMAIN

Need help to find my domain password. It is always asking me for domain passwords if I try to download games. I know the user name but not the password. Please answer if you can help. THANK YOU

A question about _msdcs.MyDomain.local domain


Hello, can someone please help me with the following question, thanks in advance

I have a LAB setup with a forest root domain  Forest-Root.pri

I then have a new Tree (rather than a direct child domain) under this forest root called

MyDomain.pri

The fact the forest has a 'tree' (with a different domain name than the forest, which is a supported design) may or may not be relevant to my question, but I thought I would point it out in case it was

I wanted to recreate the top level _msdcs DNS zone, e.g. the one that lives directly under the 'Forest lookup zones' folder (just under the DNS Server name in the console), so I followed the article at the following URL

http://itcalls.blogspot.com/2011/11/active-directory-integrated-dns-zone.html

Once I deleted the zone, I recreated it and then restarted the DNS and NetLogon services

After I restarted these two services, 'two' SRV records were automatically created under the _msdcs zone, namely the following two records

Start of Authority (SOA)
Name Server (NS)

Question 1:

I thought/think there should be more than just these two SRV records under this zone?

(unfortunately I forgot to check which records were there before deleting, as it is only a LAB and I was troubleshooting a sync issue)

The reason I think there should be more records under this zone is because under the forward lookup zone for the domain itself e.g.

_msdcs.Forest-Root.pri

There are lots of SRV records e.g.   dc, domains, gc, pdc

Can anyone help me with the above question please.

Thank you very much

CXMelga



Domain name and email server name both are same


Hi

We deployed a server, and the domain name is the same as the email server name (email is hosted in the cloud).

Now users are not able to access email via web access. Outlook is working only with the POP3 and SMTP IP address.

If we mention the server name in Outlook, that is also not working.

e.g   our domain name is abc.com and email also abc.com:8880 

pop3 - mail.abc.com

smtp - mail.abc.com

Now, where do we need to update any record or anything?

kindly guide 


Arvind

Remote Desktop Services has taken too long to load the user configuration from server \\DC for user administrator


Remote Desktop Services has taken too long to load the user configuration from server \\DC for user administrator

Event Id 20499


Ram Prakash Sharma

Create A bulk users without login permission on domain

Please help me. We want to create approx. 250 users without login permission on our domain. We are using Windows Server 2016 Active Directory.

Software install and group policy


No previous experience in Windows AD other than last few days so please bear with me. 

I have installed some software on a VM which is part of an AD and I loaded Adobe as a domain admin onto the VM.  When the domain admin logs in to the VM there is an Adobe icon on the desktop and they can use Adobe. 

The issue is when a normal user logs in to the VM they do not have access to Adobe, i.e. no desktop icon, and the rest of the desktop is locked down because of a group policy being applied.

I managed to track down the setting in Group policy that stops the user getting the Adobe desktop icon - 

User Configuration -> Policies -> Administrative Templates -> Start Menu and Taskbar -> Remove common programs from Start Menu

if I turn this off then the user can use Adobe. Unfortunately it has to be enabled so a couple of questions - 

1) Is this problem at all related to loading software as domain admin ? Is there another account I should be using, note that I cannot give any of the users permissions to load software

2) How do I solve this. From my reading I have an idea it is something to do with copying files from the domain admin profile to the user profile(s) and modifying permissions but I may be completely off base here. 

Any pointers, help would be much appreciated. 


Mapping Network Drive via GP for Security Groups - Win Server 2016


Hello,

I would like some help with mapping network drives for multiple users via group policy that are all in pre-organised security groups. 

I have seen a few posts/videos, documents on how to map via group policy but how do we apply it to specific security groups?

For example we have two security groups with:

HR - 10 users

MARKETING - 20+ users

I want it to apply to those groups alone, with those specific users inside those groups.

Thank you - *I have looked at several posts and other resources before posting.
