Channel: Directory Services forum

Permission that access modify groups members in custom OU


Hi,

What is wrong :) I delegated permissions for the admins group, giving more permissions than needed, and it still can't manage the members of the groups. If I delegate full permission, it works :)

What's wrong?


The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.


Hello all,

We have one forest multi child domain environment at different sites.

Domain function level is 2008

I am getting these events on one of my domain controllers in one of my child domains.

Just for information, I am only having an issue during new group policy creation: when I try to click on the policy "Settings" on the domain controller at the remote site, a "The system cannot find the file specified" popup occurs. Not sure if the event below is relevant to this. Need support on this...

The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.
 
 Replica set name is    : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
 Replica root path is   : "c:\windows\sysvol\domain"
 Replica root volume is : "\\.\C:"
 A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found.  This can occur because of one of the following reasons.
 
 [1] Volume "\\.\C:" has been formatted.
 [2] The NTFS USN journal on volume "\\.\C:" has been deleted.
 [3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.
 [4] File Replication Service was not running on this computer for a long time.
 [5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:".
 Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.
 [1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service.
 [2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.
 
WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again.
 
To change this registry parameter, run regedit.
 
Click on Start, Run and type regedit.
 
Expand HKEY_LOCAL_MACHINE.
Click down the key path:
   "System\CurrentControlSet\Services\NtFrs\Parameters"
Double click on the value name
   "Enable Journal Wrap Automatic Restore"
and update the value.
 
If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.


Regards, Sarfraz Aslam
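The recovery that the event text describes (set the "Enable Journal Wrap Automatic Restore" DWORD to 1, restart the service, then set it back to 0 once replication has recovered), scripted in PowerShell. This is an added example, not code from the post or from Microsoft; it assumes it is run elevated on the affected domain controller, uses the registry path and value name quoted in the event, and relies on the standard FRS event IDs 13568 (journal wrap detected) and 13516 (FRS back in service), which the post itself does not mention.

```powershell
# Added example (not from the original post): automates the JRNL_WRAP_ERROR recovery
# described in the event text. Run as an elevated administrator on the affected DC.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'   # path quoted in the event
$name = 'Enable Journal Wrap Automatic Restore'                        # value name quoted in the event
$log  = 'File Replication Service'                                     # FRS event log

function Test-JournalWrap {
    # FRS event 13568 is the JRNL_WRAP_ERROR notification shown in the post
    $ev = Get-WinEvent -FilterHashtable @{LogName=$log; Id=13568} -MaxEvents 1 -ErrorAction SilentlyContinue
    return ($null -ne $ev)
}

function Set-JournalWrapAutoRestore([int]$Value) {
    # The event says to add the value as a DWORD if it is not present; New-ItemProperty creates
    # it, Set-ItemProperty only updates an existing one.
    $existing = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $key -Name $name -Value $Value
    }
}

if (-not (Test-JournalWrap)) {
    Write-Host 'No JRNL_WRAP_ERROR (event 13568) found in the FRS log; nothing to do.'
    return
}

$start = Get-Date
Set-JournalWrapAutoRestore 1
# Same effect as the "net stop ntfrs" / "net start ntfrs" the event suggests, so the
# removal from and re-addition to the replica set happen at the next polls
Restart-Service -Name ntfrs -Force

# Wait for FRS to report it is serving again (event 13516 logged after our restart).
# The event text says each poll is 5 minutes and two polls are needed, so allow a margin.
$deadline = $start.AddMinutes(30)
do {
    Start-Sleep -Seconds 60
    $done = Get-WinEvent -FilterHashtable @{LogName=$log; Id=13516; StartTime=$start} `
                -MaxEvents 1 -ErrorAction SilentlyContinue
} until ($done -or (Get-Date) -gt $deadline)

if ($done) {
    # The event warns to reset the parameter to 0 so a future wrap does not silently
    # take SYSVOL offline again for an automatic full re-sync
    Set-JournalWrapAutoRestore 0
    Write-Host 'FRS recovered (event 13516); auto-restore reset to 0.'
} else {
    Write-Warning "No event 13516 within 30 minutes; '$name' is still 1. Check the FRS log, then reset it to 0 manually."
}
```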

Log on to computers.


Hi all,

My environment consists of 2 domain controllers (DC1 and DC2)

and Exchange 2010 that consists of 4 servers:

2 HUB/CAS servers (srvhc01, srvhc02)

2 mailbox servers (MBX01, MBX02). All of these servers reside in the same site.

One of the admins in Active Directory decided to set the "log on to computers" for each user to contain the user's computer

only, but that makes users unable to access Outlook Web Access mail, so besides adding the users' computers to "log on to computers", he added (srvhc01, srvhc02).

But I noticed that the Outlook client keeps prompting for user name and password for a shorter period of time,

so I added DC1 and DC2 to "log on to computers" for each user; the solution is still under test.

So the question is: what servers shall I add in the "log on to computers" so that I do not disturb logging on to Exchange services?

Is my conclusion right: "the reason Outlook keeps prompting for user name and password is that the user logs on to Active Directory through the HUB/CAS server"?

Please help me because my manager insists on applying this.

W7: Locked user account - "Road warrior" - how to get them back "online"


Hi everyone,

I locked a user yesterday because of problematic traffic and kicked him out of the VPN.

Today I inspected his notebook after re-enabling the user and everything was fine. So I thought...

After lunch he called and said he cannot log in because his account is disabled. In AD his account was enabled in the morning.

So we are stuck at the login screen. He has no possibility to go to an office. We have a dummy user that can log in and start a VPN session. So I thought: runas user, and then the client would save the unlocked state of this user.

Well, it did not. How do I re-enable a remote worker after he got disabled?

My next approach is "Switch user"; I hope this will work. But what is best practice here?


Regards Stephan

Trust between 2008 and 2012R2 domain controllers


Hi,

I have a forest with 1 domain which has 3x domain controllers running on 2008 forest\domain functional levels.

I need to have a two way trust with another forest with 1 domain which has 1x domain controller running on 2012R2 forest\domain functional levels.

I have set up all the DNS, everything is pingable.

When I try to set up the two way forest trust I get the following error at the end of the wizard:

Cannot Continue

The trust relationship cannot be created because the following error occurred:

The operation failed. The error is: The request is not support.

Any ideas what could be wrong?

Thanks

How to backup Active Directory when D:\Windows\NTDS folders are not on C: volume (no longer part of System State)?


Our architect specified servers for new AD forest and domain. ADDS is to be installed to D:\Windows\NTDS (not the default C:\Windows\NTDS). These are VMs and a cloud provider will be backing up the VMs by snapshot. I suspect the backups of the VMs will be trustworthy (but "suspect" is not good enough in my estimation), so I always like to have my own Microsoft-specified and Microsoft-supported backup in my back pocket for when the complete disaster arrives - so I'm still covered, even if the cloud provider fails.

In the past I've used the usual Windows Server Backup, ran a scripted backup that performs a System State Backup of C: (which would have contained C:\Windows\NTDS, the registry, and all of Active Directory's components on the DC). But now I have to also back up D:\Windows\NTDS and System State Backup will not be backing up D:.

What is the recommendation?

Here is the essential working section from the scripted backup:

WBADMIN Delete SystemStateBackup -KeepVersions:1 -Quiet >> %MyLogFile% 
WBADMIN Start Backup -BackupTarget:E: -SystemState -Quiet >> %MyLogFile% 

Notice that my script cleans up the destination backup volume E: to minimize the size of the backup and to ensure there is free space prior to starting the backup. WBADMIN does not have an equivalent "Delete" option for non-SystemStateBackup backups. The E: volume is then picked up as a file system backup and archived, so I always have multiple generations of backup history.

So what does Microsoft's Active Directory team recommend for a good solid backup of the DC?

P.S. I had already asked this question in the Windows Server > Backup - Windows and Windows Server forum, but that moderator recommended I ask here.


George Perkins

EventAggregator for WAP messages received by SMS Router.


Hi,

On our domain controller I can see the following error several times a day. I have tried searching the internet, but have not found any suggestion as to what it is...

Comments?


/Regards Andreas

How to keep the same both Active Directory servers in isolated network?


We operate two AD servers. I want to add one server to operate the same domain as necessary. However, unlike the two existing servers, the network of the one that will be added must be secure and isolated.

Assuming that the ports needed for synchronizing AD between the two networks should be blocked for security reasons, I would like to get your experience or technical knowledge of which method is best to use. Also, it would be better if you let me know the ports that should be open at a minimum when using that method.

If possible, please tell me the way to do it with a well-known tool or PowerShell.

Thanks a lot!


GPO for disabling client administrator accounts on my Domain.

Hi, I am attempting to disable the built-in local Administrator accounts for all of my client PCs on the domain using group policy preferences. My domain runs Server 2012 and the computers I am trying to disable the local admin account on are Win 7 and 10 Pro.

I have created the GPO through 'Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - Security Options', then selected the option 'Accounts: Administrator account status' and set it to Disabled (assuming Disabled means to disable all admin accounts on the client computers within the domain). I have linked the GPO to an OU with the PCs of my choice and enabled the link. In the scope I have added the machine group called Brandall that I am targeting. Under delegation I applied the policy to 'Domain Admins' and the machine group 'Brandall'. Authenticated Users is not added. I then raised the precedence of the GPO to '1' on the OU.

I then went to the client computer, ran 'gpupdate /force' and rebooted. Once rebooted I ran 'gpresult /r' and it shows that the GPO has not been applied. However, when I run 'gpresult /r /scope computer' it shows that the policy has been applied. Sadly, when I check to see if the local Administrator account on the client machine is disabled, it is not. I have tried multiple methods and nothing seems to work. What am I doing wrong?

Support analyst

Event ID 36886


I have 4 domain controllers – all of them are windows server 2008 R2 with function levels to match.
I am constantly getting this warning in system logs :

 

Event ID 36886 , Schannel

No suitable default server credential exists on this system.
This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections.
An example of such an application is the directory server.
Applications that manage their own credentials, such as the internet information server, are not affected by this.

 

- I would like to know how I can track down what is trying to authenticate with SSL and failing... but I am stuck. Can somebody please point me in the right direction?
- I also know I can disable the logs for this, and I can safely ignore this, but I would like to properly clean this up before migrating over to 2016.

 

Thank you,

Failed DCPROMO - First Domain Controller of a new Child Domain


Hi

I'm trying to create a new child domain (F) in a mixed 2012R2 / 2016 DC environment best pictured as follows

     Root
    /    \
   A      B
 /  |    |  \
C   D    E   F

Summary of domains

Root     - 2012 R2 DCs / Domain and Forest Function Levels 2012R2
A, C, D  - 2012 R2 DCs / Domain Function Level 2012R2
B          - 2016 DCs / Domain Function Level 2016
E          - 2016 DCs / Domain Function Level 2012R2
F          - Failing to create first DC

All replication and firewall rules appear to be fine; however, on trying to create the first domain controller for domain F (basically the same setup as domain E) I get the following error in the GUI:

The operation failed because

Active Directory Domain Services could not replicate the directory partition CN=Schema,CN=Configuration,DC=…… from the remote Active Directory Domain Controller ….

"The replication operation encountered a database error"

DCPROMO.LOG on the server shows the following, and I'm struggling to find any relevant information for a fix:

-----------------------------------------

10/09/2018 10:17:20 [INFO] Replicating the schema directory partition
10/09/2018 10:17:20 [INFO] EVENTLOG (Error): NTDS Replication / Replication : 2140
While processing of an Active Directory Domain Services replication request, the Active Directory Domain Services attempted to modify the list of enabled optional features for the forest.  The Active Directory Domain Services is currently enabling or disabling one or more optional features.  Therefore, modifications to the list of enabled optional features for the forest are not being accepted at this time, so the replication request failed.  The Active Directory Domain Services will temporarily discontinue this replication request.  The replication request will be attempted again later.
Request Details:
Object being modified: CN=BootMachine,O=Boot
Attribute being modified: msDS-EnabledFeature
Value being modified: 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
Optional feature: Recycle Bin Feature
10/09/2018 10:17:20 [INFO] EVENTLOG (Warning): NTDS General / Internal Processing : 1173
Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
Exception:
e0010002
Parameter:
20d9
Additional Data
Error value:
8451
Internal ID:
11d0700
10/09/2018 10:17:20 [INFO] Error - Active Directory Domain Services could not replicate the directory partition CN=Schema,CN=Configuration,DC=X,DC=Y from the remote Active Directory Domain Controller DC1.W.X.Y. (8451)
10/09/2018 10:17:20 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
Internal error: An Active Directory Domain Services error has occurred.
Additional Data
Error value (decimal):
-1073741823
Error value (hex):
c0000001
Internal ID:
30017ac
10/09/2018 10:17:20 [INFO] EVENTLOG (Informational): NTDS General / Service Control : 1004
Active Directory Domain Services was shut down successfully.

------------------------------------------

All sensible suggestions gratefully received

Thanks

Erroneous Results from Get-ADUser

The below AD query gives me thousands of results, including four named: 7-Jan, 7-Mar, 1-Apr, 8-May.

Get-ADUser -Filter * -SearchBase "OU=Departments,DC=dom,DC=for" | Select-Object samaccountname | export-csv -Path c:\users\me\desktop\wtf.csv -NoTypeInformation
However, when I use PowerShell to ask AD to show me users with the samaccountname of any from the above list, I get nothing:

Get-ADUser -Filter * -SearchBase "OU=Departments,DC=dom,DC=for" | Select-Object samaccountname | Where-Object {$_.samaccountname -eq "7-Jan"}

Does anyone have any idea or explanation for this?

ping reply from local domain


Hi,

We have 2 sites.

Site a = DC1 and DC2

Site b = DC3

Within Sites and Services on the domain controllers we have configured Sites>Subnets and associated 10.0.0.0/24 with Site A.

Today, when I logged into a server located in the 10.0.0.0 network, I did a ping of local.domain and DC3 answered. Why is that? After a couple of minutes I pinged again, and then DC1 answered. I know that there have not been any network issues, and all the DCs are online.

Thanks for reply.


/Regards Andreas

Problems after upgraded domain


Hi,

We have 3 domain controllers

Site a = DC1 and DC2

Site b = DC3

We upgraded DC2 and DC3 a couple of weeks ago, and that went well. Yesterday we upgraded the last domain controller, DC1, and this domain controller is the preferred DNS server on all clients. Everything seems fine; I cannot see anything special in the logs on the domain controllers. But we have noticed the following error in the logs on some clients (see images). These messages appear right after we have rebooted the clients.

I also noticed a warning from the Time Service that it could not locate the time source, but after a couple of minutes it was able to sync with the domain controller. I am able to ping the domain, ping the DC, resolve the correct IPs / names and so on... so to me this is strange; it looks like either there is some caching going on or some services start faster than other services...

Thanks for reply.




/Regards Andreas


Active Directory - forget to demote the old AD server


Hi 

I have set up a second AD server; with NetDOM /query FSMO

the new server has all the roles.

I forgot to demote the old server before I re-installed it.

Is it possible to repair that?

The new server cannot run AD etc.

Please assist.


----- S-O-K-O-B-A-N -----



Unable to join Windows 10 clients in domain


Hi 

I have been unable to join Windows 10 client PCs to the domain for a few days, but I can still add Windows 7 PCs. While joining the domain it says "Network path not found". I have tried so many resolutions but still nothing works.

Please help me with this

Thanks

Cannot open advanced audit policy configuration


Hi Microsoft Team,

I am facing an issue with advanced audit policy configuration: I cannot create an advanced audit policy to audit object access and account management. Can anyone help me?

Cannot read the uSNChanged attribute for some users - why?


I have an application that syncs AD users and uses the uSNChanged attribute to detect changes. At two customer sites I have an identical issue: for a number of users the uSNChanged attribute isn't being returned. In fact, when I use LDP to dump all the attributes from these users, they are all missing the same attributes, e.g.

accountExpires        
adminCount            
badPasswordTime       
badPwdCount           
deletedItemFlags      
dSCorePropagationData 
extensionAttribute1   
homeDirectory         
homeDrive             
instanceType          
lastLogoff            
lastLogon             
lastLogonTimestamp    
memberOf (8)          
msExchDelegateListLink
msExchSafeSendersHash 
msNPAllowDialin       
publicDelegates       
pwdLastSet            
userAccountControl    
userParameters        
uSNChanged            
uSNCreated            
whenChanged           
whenCreated           

What setting is causing these attributes to be hidden for a domain user (domain admins can read) or, conversely,  what permissions do I need to give my account in order to read them?


When attempting to install the Active Directory Management Gateway service, the installation fails with the error "the update does not apply to your system".


To whom it may concern,

I'm trying to get the Active Directory Web Services installed on my Windows Server 2008 box. The update is Windows6.0-KB968934-x64, and I keep getting the error message stated in the title. After researching, it seems that a later rollup is needed, but I can't find it. It seems that maybe I need to ask the Microsoft people directly. Any help would be greatly appreciated. I know updating to a newer version of Windows will probably solve this problem, but I'm not ready to do so yet.

Regards,

A question about _msdsc.MyDomain.local domain


Hello, can someone please help me with the following question? Thanks in advance.

I have a LAB setup with a forest root domain  Forest-Root.pri

I then have a new Tree (rather than a direct child domain) under this forest root called

MyDomain.pri

The fact that the forest has a 'tree' (with a different domain name than the forest, which is a supported design) may or may not be relevant to my question, but I thought I would point it out in case it was.

I wanted to recreate the top-level _msdsc DNS zone, e.g. the one that lives directly under the 'Forward Lookup Zones' folder (just under the DNS server name in the console), so I followed the article at the following URL:

http://itcalls.blogspot.com/2011/11/active-directory-integrated-dns-zone.html

Once I deleted the zone, I recreated it and then restarted the DNS and Netlogon services.

After I restarted these two services, 'two' records were automatically created under the _msdsc zone, namely the following two records:

Start of Authority (SOA)
Name Server (NS)

Question 1:

I thought/think there should be more than just these two records under this zone?

(Unfortunately I forgot to check which records were there before deleting, as it is only a LAB and I was troubleshooting a sync issue.)

The reason I think there should be more records under this zone is because under the forward lookup zone for the domain itself, e.g.

_msdsc.Forest-Root.pri

there are lots of SRV records, e.g. dc, domains, gc, pdc.

Can anyone help me with the above question please?

Thanks very much

CXMelga

