finding the attribute changes
Shutting down/Reboot active directory child servers
Hi, I just want to ask whether it is safe to shut down/reboot all AD servers at the same time in the production and DR environments. The root domain will be retained; all the child domains will be shut down. Or should at least 1 child DC be powered up?
2016 AD-LDS in a 2012 AD-DS environment
Hello,
I've been asked to deploy AD-LDS in our environment which is 2012 R2 AD DS.
Is it ok to deploy AD-LDS on Windows 2016 in a Windows 2012 R2 AD-DS environment?
Where can I get detailed information about this?
Thanks
Reset Account event logging
Hi,
2 Questions here:
1. On the Windows Active Directory server, where can I get any event log of a "Reset Account" action performed on a computer/system account listed in the AD server directory, if audit logging is not enabled?
2. When we do a "Reset Account" on a computer account, say "comp1", we need to connect back to the AD server from comp1. Can we have a policy or a rule on the AD server to do this? If yes, then where can I find whether such a rule/policy is enabled? Is there any other way the connection between comp1 and the AD server can break?
More info: comp1 is a Linux machine using Samba Winbind to connect to the Windows AD server.
ldap bind issues
ADMT migration for a user which has been configured for a scheduled task
CA migration: SHA1 to SHA2 in Windows 2016 OS
Hi,
We currently have a single Root CA (AD integrated) in our organization and it uses SHA-1. We have issued some certificates internally by using this CA. So now we need to migrate the certificate from SHA-1 to SHA-2.
We have tested the migration in our test environment by using the command below:
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Once we ran this command, we observed that the thumbprint algorithm was still SHA1 after the upgrade of the CA from SHA1 to SHA2, although the signature and signature hash algorithms are SHA256.
The other thing is that we need to migrate the certificates which were issued using SHA1 to SHA2. What are the steps recommended for it?
AD Attributes -Object class posixaccount and posixgroup
Hi,
I was trying to integrate an application for which the object classes posixaccount and posixgroup are required.
1 - I was not able to trace these attributes to users or groups (I searched in the "Attribute Editor" tab for users and groups). Where can I find these attributes other than the schema editor (they already exist)?
2 - We have also configured a custom user attribute which I do not find in the user's Attribute Editor. How do I add it (options without using ADSI Edit)?
Rgs,
Sntsh.
change ip in active directory after creating active directory
Hello,
I have a Windows Server 2016 Standard machine with 1 physical network card with 2 Ethernet ports.
I'll create an Active Directory on that server and a remote desktop environment so that PC clients can connect to their published applications using Remote Desktop Services.
If, after creating that Active Directory, I change the IP of one Ethernet port (changing IP, gateway and netmask), will there be some kind of problem on my server? Will Active Directory work OK after that change? Will remote desktop work as expected after that change?
Right now the two Ethernet ports are using DHCP to obtain an IP address, with only one port connected.
Before creating the Active Directory I'll change the connected port to a static IP, gateway and netmask. Next, after creating the domain directory, I'll create a "remote desktop environment" for accessing remote desktops on that server from remote PC clients. They will use the web to access Remote Desktop Web Access and then access their published applications using Remote Desktop Services.
Regards,
David.
Windows Server 2012 R2 RID Manager
Starting test: RidManager
* Available RID Pool for the Domain is 1074741823 to 1073741823
* xxxxxxxx is the RID Master
* DsBind with RID Master was successful
The DS has corrupt data: rIDPreviousAllocationPool value is not valid
* rIDAllocationPool is 1073741823 to 1073741823
The DS has corrupt data: rIDPreviousAllocationPool value is not valid
* rIDPreviousAllocationPool is 1073741823 to 1073741823
* rIDNextRID: 1073741823
No rids allocated -- please check eventlog.
......................... xxxxxxx failed test RidManager
How can I resolve this issue?
Moving single-label domain to new non-single-label domain
Hi there.
Unfortunately, a single-label domain scenario with Exchange, web and SQL servers (domain joined) and TMG (domain joined).
The idea is to move it to "fresh" non-single-label-domain.
Technically could it be done?
One basic question: Will SQL servers need to be reinstalled or can they just be disjoined from domain and added to new domain?
I know that exchange will need to be reinstalled on new domain but don't know how SQL servers are impacted with moving them to different domain.
There is also a TMG joined to the single-label domain. Can it simply be transferred to the other domain? Has anyone gone down that path? Or will TMG need to be reinstalled? I know that it's deprecated, but still, can it be easily moved between domains?
with best regards
bostjanc
Is NETLOGON folder necessary for domain controller?
Hi,
I know that the NETLOGON folder is used for backward compatibility for the domain controllers. My question is: is that folder necessary for proper functioning of the domain controller?
Thanks
Windows 2008 R2 Directory Services. Upgrade Server 2008 R2 to Server 2016
Hi Team,
One of our customers is running AD services on Windows 2008 R2. We are looking to migrate Directory Services to Server 2016.
What should be the right approach?
- Does 2008 R2 support an in-place upgrade directly to Server 2016?
- Shall we go with a side-by-side approach, installing Server 2016 as an additional DC and then transferring the FSMO roles from 2008 to 2016?
Regards,
Need to know which windows services are running in Skype for Business frontend server.
If our DC is down, users are not able to access file folders, network printers or network resources
Hello Team,
We have a DC server and an ADC server; the domain and forest functional level is 2000 Native. The DC and ADC sync successfully. If our DC (which holds all FSMO roles) is down, users are not able to access file folders and network resources. When our DC is online again, users are able to access the file folders and network resources.
AD CS - Restricted enrollment agents issue
Currently I'm struggling to implement something according to these docs.
For simplicity's sake, my test setup is configured with a single enrollment agents group and a single certificate template. My goal is to prevent enrollment agents from issuing certificates to some privileged users. To make that happen I have configured the following two permission entries for restricted enrollment agents:
DOMAIN\Domain Users - Allow
BUILTIN\Administrators - Deny
And what if a particular user is a member (direct or indirect) of BOTH of the above groups? What is the effect of the above restrictions? Will the certificate request be allowed or denied? Common sense suggests that the request should be denied. But in my test environment it is not, which is very confusing. I tried many different combinations of denied/allowed groups and got contradictory results.
The ultimate question is: what is the definitive way to allow an enrollment agent to request a certificate on behalf of ANY user, EXCEPT members of particular domain security groups (local, global, universal, in this domain, in the whole forest, and including members of BUILTIN\ groups)?
I haven't found any particular guidance in Microsoft documentation or otherwise. It would be great if you could shed some light on this matter.
Thanks in advance.
Upgrading from Windows Server 2008 r2 to Windows Server 2016
Hi,
I know you can't do a direct upgrade from 2008 to 2016, so it will be a step upgrade via 2012. However, do I need to purchase a full version of 2012 for the sake of a couple of hours, or can I use the trial version of 2012 to get me to that step and then upgrade to 2016 with my "retail" version and key?
It needs to be an in-place upgrade as we don't have any other hardware to migrate back and forward from.
Many Thanks for any advice
Issue in GP
I am facing an issue in Group Policy.
I have five sites, and group policy is successfully applied on only two sites, while on three sites I am facing an issue.
Please see below screen shots of affected sites.
Site 02
Site 03
And the site in which policies are successfully applied.
Move a Computer to an Active Directory with different credentials
Hi,
I want to move a computer/device from one OU to another OU using VB code.
The code below works great when the service account is logged in to the target PC.
But is there any way to execute the code below with different credentials? I did google and tried, but was not able to make it work.
If you guys have worked on this scenario, please share some thoughts.
' *****************************************************************************
strLDAPofOU="OU=Desktops,OU=Computers,DC=domain,DC=locale"
' *****************************************************************************
On Error Resume Next

'Get MachineObjectOU Value
Set wshNetwork = CreateObject("WScript.Network")
Set oFso = CreateObject("Scripting.FileSystemObject")
Set objSysInfo = CreateObject( "ADSystemInfo" )
Set ArgObj = WScript.Arguments

'Use first argument as target OU
strMachineObjectOU = strLDAPofOU
strComputerDN = objSysInfo.ComputerName
'msgbox(strMachineObjectOU)

nComma = InStr(strComputerDN,",")
strCurrentOU = Mid(strComputerDN,nComma+1)
strComputerName = Left(strComputerDN,nComma - 1)
'msgbox(strCurrentOU)

'If current ou is different than target OU. Move object
If UCase(strCurrentOU) <> UCase(strMachineObjectOU) Then
    Set objNewOU = GetObject("LDAP://" & strMachineObjectOU)
    Set objMoveComputer = objNewOU.MoveHere("LDAP://" & strComputerDN, strComputerName)
    'msgbox("LDAP://" & strComputerDN & strComputerName)
End If

'//----------------------------------------------------------------------------
'// End Script
'//----------------------------------------------------------------------------
Regards
Er Reddy
Script to Add User Account in Attribute Field in Active Directory
Dears,
I plan to add the user's manager account to the division field in the attribute field in Active Directory 2012. I'm looking for a script to run in PowerShell to set all user account managers in the division field at one time. I have prepared an Excel sheet that has two fields: one for the user account and the other for the manager.
Best Regards,