Channel: Directory Services forum

Rebuild DC with same name/IP


I'm trying to weigh up the options (least risk) for building a new DC (DNS) server on new hardware but retaining the server name and IP.

My environment is:

DC1 (Site 1) - rebuild but retain name and IP.
DC2 (Site 2)
DC3 (Site 3)

I have figured there are two options (demote DC1 first and build new with DC1 details, or build a temp DC first, demote, then rename/re-IP).

Option 1:

  • Demote DC1
  • Rename DC1 to Server1 (re-IP)
  • DC2 and DC3 will ensure no service impact for AD/DNS (even in different sites)
  • Build new DC - DC1 (re-IP with original DC1 IP)

Option 2:

  • Build new DC - TEMPDC
  • Demote DC1
  • Rename DC1 to Server1 (re-IP)
  • Rename TEMPDC to DC1 (re-IP with original DC1 IP)

Best practice? Risks?



New DC's in an old broken environment


I've had a look at other topics on this but none seem to answer my query completely.

We have two DCs that have multiple profile problems, so after a lot of thought and planning we've decided to build two new ones.

The current DCs are on Server 2012 R2 but have the 2008 configuration as they were moved over in an "as is" state. They are VMs sitting on the local Hyper-V hosts. The site has a cluster environment complete with several VMs including a 2016 Exchange server.

The new DCs will be Server 2016 Standard VMs also sitting on the 2 HV hosts.

I need a little guidance on what is the best way to introduce the two new servers - add a new domain or bring the new ones into the broken domain?

Adding the new DCs to the existing domain will just copy all the problems across with it, won't it?

A tidy up will be completed but I can't see doing it like this would be beneficial. AD will be cleaned up after this removing old users etc and new profile (Roaming) locations on the new file server will be created. User data will then be moved to the new File server.

The other way is to create a new domain, enable a trust between them and build AD from scratch. However, this is a cluster environment so I'm not sure how this would work when it comes to demoting the old DCs. What if we lose connection completely? We'll obviously need to manually add PCs to the new domain, but it's the cluster and current setup I'm concerned about.

Having said that I think having a new domain is a better option so it doesn't pull the rubbish over but I don't know enough about it to make a decision.

The time line is to complete before the end of this year, so any help here would be gratefully received.

Many thanks

Delegation permissions: access denied after one move!


Hello

I delegated permissions to a group to move users from one OU to another OU. After moving them once, if they want to move them another time, they get access denied.

They also have the permission to create and delete users.

Does someone understand what is happening?

thanks

Group Managed Service Accounts in Business Essentials 2016 Sites and Services


The Group Key Distribution Service does not show up in Active Directory Sites and Services under my domain. Frankly, Services does not show up under my Sites and Services at all. A week ago, I created a KDS root key:

"Add-KdsRootKey -EffectiveImmediately"

I was hoping it might create the hive in Sites and Services that is called Services. Nothing shows after a week. Does the Business Essentials server need prodding to get Services to show?


R, J

Delegate specific field (Profile)


Hi

Is it possible to delegate permission only for the field on this tab?

thanks

Who will be announced as the next Directory Services Guru? Read more about the December 2018 competition!



What is TechNet Guru Competition?

Each month the TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and the community as a whole. Winners will be announced in a dedicated blog post that will be published on the Microsoft Wiki Ninjas blog, a tweet from the Wiki Ninjas Twitter account, links will be published in the Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in December 2018 and must be in English. However, the original blog or forum content can be from before December 2018.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!


Who can join the Competition?

Anyone who has basic knowledge and the desire to share that knowledge is welcome. Articles can appeal to beginners or discuss advanced topics. All you have to do is add your article to TechNet Wiki in your own specialty category.


How can you win?

  1. Please copy/write your Microsoft technical solutions and revelations over to TechNet Wiki.
  2. Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed).
  3. (Optional but recommended) Add a link to your article in the TechNet Wiki group on Facebook. The group is very active and people love to help; you can get feedback and even direct improvements to the article before the contest starts.

Do you have any question or want more information?

Feel free to ask any questions below, or join us at the official Microsoft TechNet Wiki groups on Facebook. Read more about the TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.


PS: The top banner above came from Vimal Kalathil.

AD to AD replication not working


Dear Support,

We have recently installed a PDC in our network and moved the roles to it, and it is working properly.

But our AD to AD replication is not working, which was previously working fine.

So please give us a solution for the same.

Regards,

Itsupport

DCPromo as RODC fails - Server 2016


I've been working on a DCPromo issue for about 6 months that I can't seem to get around. Some of my specific details are a little fuzzy at this point since it's been so long, but I tried the process 3 times in the last 24 hours & I still get a failure.

The 2016 servers were RWDCs & I demoted them & then tried to DCPromo as RODC. I continuously get these results:

The operation failed because:

While promoting Read-only Domain Controller, failed to replicate the secrets from the helper AD DC.

"The replication operation failed because the target object referred by a link value is recycled."

I have tried deleting any related AD recycle bin records, short of just deleting everything, which I'm not doing. I'm searching by date, by server name & by "KRBTGT_" & deleting anything I find, but the issue persists:

Get-ADObject -IncludeDeletedObjects -Filter {(IsDeleted -eq $true)} -Properties * -Server domaincontroller.domain.com | Where-Object {$_.DistinguishedName -like "*krbtgt_*"} | Select-Object Name,DistinguishedName,WhenChanged | sort whenchanged

Get-ADObject -IncludeDeletedObjects -Filter {(IsDeleted -eq $true)} -Properties * -Server myDC.mydomain.com | Where-Object {$_.DistinguishedName -like "*xxxxxx*"} | Select-Object Name,DistinguishedName,WhenChanged | sort whenchanged

Get-ADObject -IncludeDeletedObjects -Filter {(IsDeleted -eq $true)} -Properties * -Server myDC.mydomain.com | Where-Object {$_.WhenChanged -gt "7/17/2018 4:00:00 PM"} | Select-Object Name,DistinguishedName,WhenChanged | sort whenchanged

I've also waited over 30 days between attempts (after deleting the recycle bin items) - no good!

The only way around it is to promote as an RWDC again.

Any suggestions would be appreciated.

-Dave



Prefix of email addresses appears in CAPS. How do I make it lower case?


I have a client who has this strange problem, which is not causing any issues with services yet. All the users' email addresses have the prefix in capital letters, for instance USER@contosso.com, and they need it to be user@contosso.com. I am well aware that email addresses are not case sensitive, but they still need it in lowercase.

I've checked in AD, the OWA mailbox policy and the Email address policy in Office 365, but I couldn't find anything helpful.

Everything appears to be in place, but still the prefix of the SMTP address appears in CAPS.

Any help is appreciated.

Migrating Active Directory Services from 2012 R2 to 2016 server for our Organization Domain


Scenario:

Platform: Windows 2012 R2 single forest, single domain having 20 Domain Controllers, with trusts in place to a couple of different organizations' domains and forests. The root DC and the other DCs are Windows 2012 R2 only for our domain. All DCs run AD-integrated DNS.

Requirement: Plan to provision 4 Windows 2016 DCs and decommission all other existing 2012 R2 DCs. What are the steps to follow to complete this entire activity?

Our Plan: Add all 4 servers with OS 2016 one by one within the current domain and promote them as DCs individually. Transfer the FSMO roles to the identified newly promoted 2016 DC. Check DC replication after validating site replication. Then keep this hybrid mode for 4-5 days and check for any issues, then decommission the 2012 R2 DCs one by one. The old root DC will be decommissioned last.

As this is a very critical activity, we need some expert suggestions, and thus any suggestions would be highly appreciated.

Regards,

SoumenG



DNS Issue (DNS could not be contacted, access was denied)


The DNS services have an issue and are not synchronized with the primary DC.

    The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

Error code 4000

Any suggestions would be appreciated

Thanks,

Yahmedi

Cannot Install ADWS on server 2003 Standard SP2

From log file:

FileVersion of C:\WINDOWS\system32\netlogon.dll is Less Than 5.2.3790.4482


The following has been installed: KB969166

Unfortunately DLLHelp is no longer available as this was usually the fastest way to find a resolution.

Jim Vierra

GPO to append safe sender list suddenly stopped working for Outlook


I opened a similar post with the Exchange team as per the link below, and they advised me to open a new one with the directory services team.

http://partnersupport.microsoft.com/thread/d3df7c0c-92f5-40fd-8961-276c8debbd41

We have a GPO to append safe sender list that suddenly is not working for Outlook 2010 and 2013.

When you start Outlook and examine the Safe Senders list in the Junk E-mail Options dialog box, you see that the Safe Senders list has not been updated after you configured the GPO to append the safe sender list correctly. This used to work until last week. From an Exchange and AD point of view, nothing has changed lately.

They noticed the key "JunkMailImportLists" is under "HKEY_CURRENT_USER\Software\Microsoft\Office\1x.0\Outlook\Options\Mail" and it keeps being set back to "0", so the Exchange team suspect there is another key at a higher level, such as "HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1x.0\Outlook\Options\Mail", that will change the value. Their recommendation is to add the key in "HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1x.0\Outlook\Options\Mail" and test this issue.

I will paste the thread from the other post in case you cannot open the link above.


Franki

Cannot access Windows NT folder within default group policies


Greetings,

I am trying to run DCGPOFIX. I get an error saying it is unable to delete the folder 'WINDOWS NT' which is under the default domain policy. When I look at that folder in the file system and open the security tab, it says I don't have read permission. If I click the continue button to 'attempt the operation with administrative privileges', it says I do not have permission. I am doing this on a DC with domain admin privileges. How can I successfully change the permissions on the 'Windows NT' folder in the group policy to grant permission so that DCGPOFIX will work, please?

Thanks

David Z



I configured the schedule to sync between domain controllers but it's not working


Well, the idea is to make one domain controller sync only after 5 days, so that if anything goes wrong with the main ones, like a virus or corruption, we would still have one domain controller active that did not sync for 5 days.

I went to trust and sites and edited the schedule to sync for 6 hours on one day, but whenever I change anything in Active Directory it changes on all other servers, including the delayed one.

Did I get the schedule idea wrong? Is it for something else? Is there a missing step to make the idea work as expected?


User rights report


Can anyone tell me how to obtain a system-generated list of privileged user rights in Active Directory (e.g., users with full system access or access to security administration functionality), or how to provide a system-generated report of all privileged users in the system? Privileged users would be those users who have access above and beyond what a typical end user would have.

Support analyst
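One way to produce such a report with the ActiveDirectory PowerShell module, as an added example that is not part of the original post or any answer to it: it recursively lists the user members of the built-in privileged groups of the current domain and also flags accounts still carrying adminCount=1 that sit outside those groups. The group list, the property set and the output path are assumptions to adapt to the environment.

```powershell
# Added example (not from the original post): report privileged users in the
# current domain. Assumes RSAT's ActiveDirectory module and read rights to AD.
Import-Module ActiveDirectory

# Groups that confer broad administrative rights; extend to suit the domain.
# Assumed list: not every environment has all of them (e.g. DnsAdmins).
$privilegedGroups = @(
    'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators',
    'Print Operators', 'DnsAdmins', 'Group Policy Creator Owners'
)

$report = foreach ($groupName in $privilegedGroups) {
    # Enterprise/Schema Admins exist only in the forest root domain and
    # DnsAdmins only when DNS is installed, so skip groups that are not found.
    $group = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $group) { continue }

    # -Recursive expands nested groups so indirect members are reported too.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties Enabled, LastLogonDate, adminCount |
        ForEach-Object {
            [pscustomobject]@{
                PrivilegedGroup = $groupName
                SamAccountName  = $_.SamAccountName
                Enabled         = $_.Enabled
                LastLogonDate   = $_.LastLogonDate
                AdminCount      = $_.adminCount
            }
        }
}

# Accounts still marked adminCount=1 but no longer in any listed group usually
# indicate stale privilege: SDProp does not clear the flag when a user is
# removed from a protected group, so review these separately.
$inGroups = @($report | ForEach-Object { $_.SamAccountName }) | Sort-Object -Unique
$stale = Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
    Where-Object { $inGroups -notcontains $_.SamAccountName } |
    Select-Object SamAccountName, DistinguishedName

$report | Sort-Object PrivilegedGroup, SamAccountName |
    Export-Csv -Path .\PrivilegedUsers.csv -NoTypeInformation   # assumed path
$report | Format-Table -AutoSize
$stale  | Format-Table -AutoSize
```

Get-ADGroupMember cannot expand groups larger than the server-side limit or members from trusted forests (foreign security principals), so very large or cross-forest groups need the group's member attribute read directly instead.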

new RODC in other site: LDAP Error 81(0x51): Server Down


Hi,

I installed a new RODC in another site, and when I now try to do the replication from one of my existing DCs in my site:

Repadmin /showrepl DC

    LDAP Error 81(0x51): Server Down
    Server Win32 Error 0(0x0):
    Extended Information:

Repadmin /bind

    LDAP Error 81(0x51): Server Down
    Server Win32 Error 0(0x0):
    Extended Information:

I'm able to start the replication from the RODC through Sites and Services, but not from my local DC.

I get the error "RPC server not available".

DNS Forwarders disappear on Server 2012 R2 PDC emulator


As the subject line suggests, when I enter the list of Forwarders under the domain controller "properties", the list stays there for about 20 minutes and then disappears. The list of Forwarders on my secondary DNS server (secondary as that is how it is assigned to domain PCs via DHCP) remains intact.

This is causing lookup requests that run through the PDC emulator to time out. I'm looking for hints on whether this is a common issue and there's a handy blog post about it, or if there's a way to troubleshoot what's going on.

Active Directory Web Services

Hello.

Recently I noticed a problem.

There are 4 DCs:

DC1 \ DC2 on OS 2016

DC3 \ DC4 on OS 2012R2

The problem is associated with Active Directory Web Services, when requested in PS:

Get-ADGroupMember -Identity "Domain Users" - after 5 minutes the timeout kicks in:

The timeout limit was exceeded

This problem is only on 2 hosts, DC3 and DC2. ADWS configs are identical, and the limits were raised for the test - no change. There are more than enough resources; when full logging is enabled, there are no errors, it is just clear that the request on the 2 problem DCs takes more than 5 minutes and runs very slowly (on DC1 \ DC4 the result takes about 15-20 seconds). (So no, already rolled up the most recent.)

Has anyone come across this? Or could you point me in the right direction?

Thank you in advance!

AD LDS able to accept wholeSubtree queries to RootDSE?


Hello All,

I have multiple Outlook clients which are already configured to do contact lookups to a special Unix box via LDAP.
The LDAP query configured on these clients does not specify any base DN, and is querying the RootDSE directly for contacts, which this special box is somehow able to respond to.

But when I do this query to an AD LDS instance, it gives me a Result <32>, problem 2001 error.

Is there a way to configure AD LDS to accept wholeSubtree queries without specifying the base DN?

Thanks!
