Channel: Directory Services forum

renaming custom attribute


We're installing a new fax system, and while attempting to tie it to Active Directory I had to create some new attributes. However, I didn't realize until too late that when I pasted the names in the Common Name field (name had a "-") it removed the "-" in the LDAP Display name. Is there any way I can correct this?

thanks


secure channel


I need to get some understanding of the secure channel. What makes it intermittent? I was under the impression that if the secure channel was broken then a user would not be able to log in to a device. What I have is a \\server\share where at random users will get access denied. I run test-computersecurechannel on the server and false is returned. But minutes later users are able to access the share and test-computersecurechannel is true. How can it be false and then true?

https://support.microsoft.com/en-us/help/2753702/secure-channel-problems-detected  

"These symptoms may be intermittent or consistent.  They may also be tied to a specific network location or locations.  This condition is known as a “broken secure channel”."

Services and Alerting


Hi All,

I wondered if there was any Microsoft Service Native Tool that allows administration of Active Directory?

Basically what I am after is a check on System Services, Domain Services, DFS Namespace, Replication, DNS, KKDC etc. I would also like to know about monitoring account management, logon/logoff, policy changes etc.

What do other IT engineers usually monitor in Active Directory, and what is generally used?

Any help would be greatly appreciated.

Regards.

 

Password history check (N-2)


Hello everybody!

How can I disable the feature "Password history check (N-2)"?

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780271(v=ws.10)

This causes me many problems, the account should be blocked after using any wrong password.

Thanks in advance.

Backed Up Server 2012r2 Domain Controller VM - Keeps loading on Please Wait after network setup (IP address/Subnet Mask/DNS)


Hi IT Experts,

I need help. Here's the background:

Half-yearly I boot up a backup image of a Server 2012r2 Domain Controller (with DNS, DHCP, Print Server, File Server, Folder Redirection) to test whether it is working perfectly. If you need to know, I am using ShadowProtect to back up incrementally every day, and when I restore the image, the RPO will be the night before. As usual, I boot up the virtual server with the network disabled. No problem logging in.

After enabling the network, configuring the IP address, subnet mask, gateway and DNS (127.0.0.1), and rebooting the server, it keeps loading on "Please Wait". I have waited for 1 hour, but it remains the same. So I turned it off and disabled the network. When I turned it on again, I was able to log in again.

Can anyone guide me on what I can do to resolve this?

Thanks in advance.

W2008R2: replication error 8418


Hi, I have two servers, running repadmin /syncall /e /d

I obtain the following message:

CALLBACK MESSAGE: The following replication is in progress:
    From: CN=NTDS Settings,CN=DC01UKIP,CN=Servers,CN=UK-ipswich,CN=Sites,CN=Configuration,DC=group,DC=local
    To  : CN=NTDS Settings,CN=DCHW02,CN=Servers,CN=Napoli,CN=Sites,CN=Configuration,DC=group,DC=local
CALLBACK MESSAGE: Error issuing replication: 8418 (0x20e2):
    The replication operation failed because of a schema mismatch between the servers involved.
    From: CN=NTDS Settings,CN=DC01UKIP,CN=Servers,CN=UK-ipswich,CN=Sites,CN=Configuration,DC=group,DC=local
    To  : CN=NTDS Settings,CN=DCHW02,CN=Servers,CN=Napoli,CN=Sites,CN=Configuration,DC=group,DC=local
CALLBACK MESSAGE: SyncAll Finished.

SyncAll reported the following errors:
Error issuing replication: 8418 (0x20e2):
    The replication operation failed because of a schema mismatch between the servers involved.
    From: CN=NTDS Settings,CN=DC01UKIP,CN=Servers,CN=UK-ipswich,CN=Sites,CN=Configuration,DC=group,DC=local
    To  : CN=NTDS Settings,CN=DCHW02,CN=Servers,CN=Napoli,CN=Sites,CN=Configuration,DC=group,DC=local

In "ADSS", I read different info between servers; in particular, server DC01UKIP has an old site still visible.

Any suggestion?

Thank You in advance

Password Expired


Dear Team,

We have a Windows Server 2003 R2 with SP2 DC. All the users' passwords were set to never expire. Yesterday I applied the Default Domain Policy with complex password enabled, Minimum Password age: 8 character, 3 Password history, Maximum password age: 60 days, Minimum Password age: 59 days.

I have removed "password never expires" on a few users, but they are still not able to change their password, nor is it prompting with the password expired message.

Kindly advise.

 

DOMAIN

Need help to find my domain password. It is always asking me for domain passwords if I try to download games. I know the user name but not the password. Please answer if you can help. THANK YOU

W7: Locked user account - "Road warrior" - how to get them back "online"


Hi everyone,

I locked a user yesterday because of problematic traffic and kicked him out of the VPN.

Today I inspected his notebook after re-enabling the user and everything was fine. So I thought...

After lunch he called and said he cannot log in because his account is disabled. In AD his account was enabled in the morning.

So we are stuck at the login screen. He has no possibility to go to an office. We have a dummy user that can log in and start a VPN session. So I thought: runas user, and then the client would save the unlocked state of this user.

Well, it did not. How to re-enable a remote worker after he got disabled?

My next approach is "Switch user"; I hope this will work. But what is best practice here?


Regards Stephan

Unable to join a windows 10 device to test domain


Hi,

I have built a test lab win VM Workstation to test various upgrade options.

I have used Windows2012 R2 as the server and have installed all the necessary options and promoted it to a DC. 

I have 2 laptops and a small hub connected to the server.

1 laptop is Windows7 and I have managed to get that to join the domain and it works fine.

1 laptop is Windows10 and I am having problems with it.....

If I use the applet to join the domain it "can't find the domain". If I try via PowerShell it says "Access Denied"

I have checked the settings (IP address, etc.) many times and everything seems correct.

Any ideas what I have missed?

User to SID & SID to user


Hi,

I have parent domain (domain1) and two child domains(childdomain1 and childdomain2). I was trying to find the SID details of a user with the following cmdlets.

$objuser = new-object system.security.principal.ntaccount "childdomain1\testacc1"

$objuser.translate([system.security.principal.securityidentifier])

The above works perfectly in child domains; I can resolve the account and get the SID.

But it does not work on the parent domain and not on any servers joined to the parent domain. I can resolve the account but not translate the account to SID.

The Global Catalog seems to be updated and has the user information. Not sure where I am going wrong. Looks like it must be something simple that I am missing...

Could anyone shed some light on where I am going wrong, please...


-Dhayanandh


Microsoft Edge GPO


Hi Guys,

We have a slight issue with Microsoft Edge which cannot be resolved with our current build, and we need to revert to I.E. as our default browser.

Can anyone let me know if there is a GPO that can disable Microsoft Edge and ENABLE Internet Explorer. Any information would be greatly received.

Regards.

Activation Infrastructure


Currently we use KMS to activate our Win 7, Server 2012 R2 and lower, and Office 2013 Pro Plus x86.

We are now going to introduce Windows Server 2016, o365 client and Windows 10 in our environment.

Looking at the need for activation, what is recommended for these products?

I checked and there is something called ADBA available as well. Is that a better option than updating our KMS?

Can both methods co-exist? How does a new client determine the activation source, KMS or ADBA?

What would we do for the non-domain-joined machines (use MAK)?

Please suggest.


We are facing a cached credentials issue on one system (Windows Server 2012 R2), not domain joined

Dear All,

Please help me resolve the issue in the scenario below.

The Windows Server 2012 system attempts, and fails, to log on with domain credentials using cached credentials. We have checked the server, and it shows no connections in file shares or in Credential Manager. As per our understanding, cached credentials can be set to zero via the registry or secpol.msc. Can you advise whether this would affect other processes, as this system is critical and a system restart is not an option?

 

Need assistance; feedback on this will be highly appreciated.

Get-ADPrincipalGroupMembership - Global Catalog Issues???


So I'm trying to understand if we have an issue here or not…

 

We have a PowerShell script that uses the Get-ADPrincipalGroupMembership cmdlet. 

 

One of our domain controllers was offline temporarily and the script suddenly started to fail with an error stating, "The server is not operational." When the domain controller came back online the script suddenly worked again.

 

From what I can tell, the Get-ADPrincipalGroupMembership cmdlet requires a global catalog to perform the group search, so I presume the domain controller in question was somehow the global catalog server of choice for the server running the script. However, I'm confused as to why the server would not simply try to locate another global catalog server in the site (of which there are two).

 

If I run Get-ADForest, I can see all the global catalog servers listed correctly. The DC in question has held FSMO roles in the past, but does not any longer.

 

So the question is, does the above behavior indicate some kind of issue? I wouldn't expect the loss of a single domain controller in a site with multiple domain controllers to cause this issue.




Question on "Restrictions for Unauthenticated RPC Clients: The group policy that punches your domain in the face"


The link below talks about RPC settings for clients in a GPO. My question is: if this setting is enabled, but only on desktops, can it still cause issues?

https://blogs.technet.microsoft.com/askds/2011/04/08/restrictions-for-unauthenticated-rpc-clients-the-group-policy-that-punches-your-domain-in-the-face/

LAPS - Extended Rights


We are looking to implement LAPS in our environment. However, during testing we noticed something when using PowerShell to check for extended right holders on an OU: Find-AdmPwdExtendedRights -identity:"OU=Test,DC=Test,DC=COM" | format-table extendedRightHolders

The extended right holders displayed include users/groups which are not present on the same OU via ADSIEDIT. For example, if I:

1. Launch ADSIEDIT

2. Right click on TEST OU

3. Go to properties

4. Go to security 

5. Go to Advanced

I don't see the users/groups listed which PowerShell listed. We want to make sure only Domain Admins have access to view the LAPS password. Any idea what I'm missing? Could it be that the users/groups are present in child objects under the TEST OU?

Unable to join Windows 10 clients in domain


Hi 

I have been unable to join Windows 10 client PCs to the domain for a few days, but I can still add Windows 7 PCs. While joining the domain it says "Network path not found". I have tried many resolutions, but still nothing works.

Please help me with this

Thanks

Allow an Account Operator to open ADUC


Hi,

I have given Account Operator access to a domain user, but when he opens ADUC, it asks for a username and password. How can I allow him to open ADUC in a Windows 2012 domain?

Thanks.

How do you correct a DFS error?


I had to replace a failed server. It was running Server 2016. I replaced it with another 2016 server but gave the new server a different name and the same IP address. Now I am getting several different messages in the Server Manager. The old server name was HFES and my secondary DC is named HFES2. My new DC is named TRON. I cannot find where to make the change for the DFS server name. I have run this command to force the server to the PDC, and other things, but still come up with the following errors.

(Command Ran)

Move-ADDirectoryServerOperationMasterRole –Identity TRON –OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -force

(Errors Still Seen)

This is the replication status for the following directory partition on this directory server.
 
Directory partition:
DC=ForestDnsZones,DC=HFE,DC=COM
 
This directory server has not recently received replication information from a number of directory servers.  The count of directory servers is shown, divided into the following intervals.
 
More than 24 hours:
1
More than a week:
1
More than one month:
1
More than two months:
1
More than a tombstone lifetime:
0
Tombstone lifetime (days):
180
 
Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
 
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".

and

The DFS Replication service failed to communicate with partner HFES for replication group Domain System Volume. This error can occur if the host is unreachable, or if the DFS Replication service is not running on the server.
 
Partner DNS Address: HFES.HFE.COM
 
Optional data if available:
Partner WINS Address: HFES
Partner IP Address:  
 
The service will retry the connection periodically.
 
Additional Information:
Error: 1722 (The RPC server is unavailable.)
Connection ID: 0C274A8D-B4C2-4F8A-BC12-CF65064DEF56
Replication Group ID: A01B8E8A-4F0D-4FF2-915B-F5A8C1008D91

Thanks for any help.
