Channel: Directory Services forum

Domain Controller change - how to tell


Hi,

Is there a way to find out when a domain controller was changed to host a global catalog?

Thank you

Regards

Peter


Duplicate UPN Suffixes shows in Windows 2012 AD Domain and Trust.


Hi,

I have an AD 2012 environment where, for a couple of my trusted domains, I could find duplicate UPN suffixes. I am not aware whether those are legitimate or can be removed safely.

Deleted/Recreated ADUC User, Drive Mapping Fails


I recently deleted my user account from ADUC and recreated it (with the same user name). The Group Policy should automatically map the drives, and it did, for one of them. When I look at a GP result it tells me that all of the drive mappings were a success. I tried manually mapping the drives but I get an error, "The network folder specified is currently mapped to a different user name and password...first disconnect any existing mappings to this network share."  I have a hunch it's my old account that's blocking me.

A few things to note:

- All 3 folders I'm attempting to connect to (including the one that is successful) are on the exact same file server.

- Running the net use command I only see a connection to the one share that's currently visible

- I went to the "C:...AppData/Roaming/Microsoft/Windows/Network Shortcuts" folder on my old account to make sure there wasn't anything listed.

- WMIC useraccount get name,sid verifies that the old SID isn't lingering around on the domain

- The old account wasn't deleted from the computer prior to making the new one so under users I now show as [username.domain] rather than just username.

Do I need to completely delete the user account from the C: of the local machine or is there some way to view/manage mappings from the File Server itself?

-Edit: Turns out it really was the most simple problem. In short I took a look at my permissions and realized I had them for one domain but not the other. Once I added that it was fixed.

Script to reset pwdlastset for all user in the OU


Hi,

I am looking for a script to reset pwdlastset to the current date for all users in an OU. I know how to set it manually by setting it to 0 and after that to -1, but I need to do this for 120+ users.

Searched a lot for a script but haven't found a working one so far.

Lock Down OU for Disabled Objects


Good day,

I have an OU that I need only disabled objects in. The problem is that once my teammates re-enable accounts, they do not move them to their relative containers (they just leave them there in the disabled objects OU). I would like to lock everyone from enabling an object in the disabled objects container, so that they are only able to move an object in or out to another container. Once the object is in another container it can then be enabled.

Looking forward to an exciting exercise.

Many Thanks

Anele L.P. Takane

Delegation tab is missing for user account in AD


Hi All,

I have a service account for which the Delegation tab is missing. I've checked and found that an SPN needs to be enabled for that account to get delegation features, but this account is not associated with a SQL service. Is it possible to create an SPN for this account without specifying any service in it?

Thanks in advance.


vicky

Active Directory Web Services has resumed checking if the computer is a global catalog error


Hi,

I have two Server 2016 domain controllers, the second of which is an additional DC. I'm getting the following error on the additional DC:

Active Directory Web Services has resumed checking if the computer is a global catalog server.

Note that I'm not getting this error on primary domain controller and replication is occurring between domain controllers.  Any help would be appreciated. Thanks

remove read-only domain controller from active directory


Dear forum,

My company has many brands, and currently we have a domain controller installed at head office and an RODC at the brand site.

We want to centralize our Active Directory and remove the RODC.

Please help me remove the RODC role without affecting the server production environment. Is there a way to perform it?

I am using Windows Server 2012 R2. The RODC is in a forest environment.

Thanks !


System Volume Information increase Daily Increase


Hello Brothers, 

System Volume Information increases daily; looking for a way to delete these files.

This is a Windows 2012 server which is a domain controller and has the Veritas NetBackup client installed.

We tried some commands:

PS C:\Windows\system32> vssadmin delete shadows /all
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Error: Snapshots were found, but they were outside of your allowed context.  Try removing them with the
backup application which created them.

PS C:\Windows\system32> vssadmin delete shadows /for=D: /all
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.

PS C:\Windows\system32>

Thanks, 

Windows Server 2008 R2 unable to sync to domain


I have a Windows Server 2008 R2 server which is unable to communicate with AD after every 1 week, due to which we're unable to log in via domain credentials. I tried to rejoin the server to the domain but the error came again.

Is it because of trust relationship error from DC?

DNS Tomb-stoning


We currently have a setup where we have two DCs that are replicated. Somehow two of the static round robin A records turned into a folder, and we are unable to get it to be normal. Is this a result of tomb-stoning? And would deleting the entries until the time limit expires enable us to create them as normal again?

They create a folder if we make it an A record or an alias.

Active Directory services error


Dear Team,

This is Sateesh here. Whenever we try to make changes to group policy on Windows Server 2008 R2, we get the below error message popup on screen.

Error Popup : Unhandled exception has occurred in a component in your application if you click continue. the application will ignore this error and attempt to continue. 

the process cannot access the file because it is being used by another process (Exception from HRESULT :0X80070020).

Note: even after clicking Continue, the policy is not getting applied. Please help me to resolve this.




How do I change the Domain Admin Password complexity requirement

I'm looking for the GPO that controls the Domain Admin Password complexity in Windows Server 2008 R2. Can anyone help me locate this setting?

We have Windows XP SP3 System approx 30 and we are using windows 2016 domain controller


Hello Team,

We are using a Windows 2016 domain controller and there are 30 Windows XP systems. Our domain users log in on the XP systems; these systems lock out users of the domain which is login

Home Folder - User Move to Another Server


Greetings. For our AD users, we have the home folder path set to the data server user share (ex. \\dataserver\username$). As a school district, each school has its own data server. Users (teachers/students) often move locations, which moves them to a new data server, but everything is routed together as a WAN.

The issue is when a user moves to a new school, often they log in there before their data share is moved to the new server and then the local profile is still looking to the old server. The only way we've found to fix this is to remove the local profile, which will then pull the new account location. We are not doing roaming profiles and are using folder redirection that points to the home folder drive (H:).

Is there a way to have this home directory information renewed at each login?

Thank you for your help.

Ryan


Orphaned dc entry in REPADMIN /SHOWVECTOR /LATENCY


Hi everyone, 

Scenario: 4 domain controllers in total, one of these an RODC. The three writeable DCs are on the main site (default-first-site) and the RODC is located on a remote site. One year ago there was a DC crash and one DC was uninstalled and installed again. Before, metadata cleanup was done (after crash). The DC's name is the same as before the crash. No replication issues after the installation.

Here is my question: after integrating the "new dc" I detected after executing this command

repadmin /showvector /latency "CN=schema,dc=domain,dc=de"

that DSA is set to "deleted DSA"

I found these links, so everything was fine.

https://www.mcseboard.de/topic/143789-alte-repadmin-einträge-entfernen/

https://community.spiceworks.com/topic/505590-server-2012-tombstoned-objects-cleanup

Event ID 1864 occurred several times and half a year later it disappeared. Great!

After executing the same command again I see 3 DCs alive and one orphaned.

If I use PowerShell, see the output:

Get-ADReplicationUpToDatenessVectorTable -Target dc01 | fl


LastReplicationSuccess : 29.10.2018 16:42:46
Partition              : DC=domain,DC=de
PartitionGuid          : 527f8e23-92f1-4cb3-8064-df93389127af
Partner                : CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-S
                         ite-Name,CN=Sites,CN=Configuration,DC=domain,DC=de
PartnerInvocationId    : db5d40d3-95f4-4b47-99bf-c6133424188
Server                 : dc01.domain.de
UsnFilter              : 10698889

LastReplicationSuccess : 24.11.2017 18:04:15
Partition              : DC=domain,DC=de
PartitionGuid          : 527f8e23-92f1-4cb3-8064-df93389127af
Partner                :
PartnerInvocationId    : 8c568a69-233b-454d-8294-01d33be3d02f
Server                 : dc01.domain.de
UsnFilter              : 23959668

LastReplicationSuccess : 29.10.2018 16:41:12
Partition              : DC=domain,DC=de
PartitionGuid          : 527f8e23-92f1-4cb3-8064-df9cd89127af
Partner                : CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-S
                         ite-Name,CN=Sites,CN=Configuration,DC=domain,DC=de
PartnerInvocationId    : 71171eab-c620-49ff-b1c4-9e331fe034da
Server                 : dc01.domain.de
UsnFilter              : 34571773

LastReplicationSuccess : 29.10.2018 16:42:10
Partition              : DC=domain,DC=de
PartitionGuid          : 527f8e23-92f1-4cb3-8064-df9c339127af
Partner                : CN=NTDS Settings,CN=DC03,CN=Servers,CN=Default-First-S
                         ite-Name,CN=Sites,CN=Configuration,DC=domain,DC=de
PartnerInvocationId    : 57f842e8-9b08-427a-b194-db919e333529
Server                 : dc01.domain.de
UsnFilter              : 35223142

Is it possible to remove the cursive entry (no PartnerInvocationID)? If it is possible how and where can I remove it? I searched in ADSI but found nothing. Sites and Services also no match. 

Thanks for your advice. 


Best wishes, Alexander (blog.it-koehler.com)

Issues with GPO


Hi all,

I have a question related to weird Domain Controller behaviour.
We have two DCs; they are both in different OUs with different group policies. (I know this is not right, but this was set up badly initially and we are still suffering from changed policies etc.)

Now our PRTG software users (using AD authentication) can only (force) authenticate to one domain, and with the second domain only domain administrators can log in. I believe this issue is related to group policies. Can anyone help as to why this is happening and what setting in group policy is creating this behaviour?

I have described my scenario with details.

userxyz (normal domain user) and adminxyz(domain administrator). Both users are domain users and authorized users for prtg
PRTG is using domain administrator account as a service account.

DC1: Authorised users can authenticate by forcing through DC1. Both users can authenticate.
DC2: Only authenticated domain administrator can authenticate from PRTG.
userxyz Cannot authenticate using DC2.


Regards

O365 Integration


Hi,

Please find the below scenario,

Client A - AD Domain name is A.COM and Email domain is A1.com

Client B - AD Domain Name is A.COM and Email domain is B1.com

In this situation, can both clients utilize O365 as an email solution? If so, what is the complexity?

Thanks in advance. 

new RODC in other site: LDAP Error 81(0x51): Server Down


Hi,

I installed a new RODC in another site, and when I now try to do the replication from one of my existing DCs in my site:

Repadmin /showrepl DC

    LDAP Error 81(0x51): Server Down
    Server Win32 Error 0(0x0):
    Extended Information:

Repadmin /bind

LDAP Error 81(0x51): Server Down
Server Win32 Error 0(0x0):
Extended Information:

I'm able to start the replication from the RODC through Sites and Services, but not from my local DC.

I got the error: RPC server not available.

ADFS 2016 change service account to gMSA


I've been running ADFS for a while now on Server 2016. I used a domain account for the service account but was recently asked to change this to a gMSA account. All the articles I see keep referencing this link:

https://gallery.technet.microsoft.com/scriptcenter/Active-Directory-ddb67df0

But that doesn't apply to Server 2016. I tried. 

Does anyone know of any scripts that do exactly what the script in the link does but for Server 2016, or does anyone know of the manual process?

I would hate to rebuild my ADFS servers for a service account change.
