I need a script where I can find the "whenChanged" date/time for user accounts and if within 24hrs to write to a file in csv format.
Need the sAMaccount, email field written to the file.
Any help would be great.
Thanks
Hello,
Is there a cheatsheet for correlating what is seen in the AD Users and Computers when applying Restrictions to control Delegation? For instance the general aspects like name, address, description are obvious on the General, Address, Account, Profile, Telephone, and Organization tabs but want to restrict all the other tabs.
It would be great to know how to turn on or off each of the properties as how it relates to it being seen in.
Start delegating control, Create Custom task to delegate, Only the following objects in the folder, now we have a ton of objects to choose from and how do you find the right one to restrict the Member Of tab for instance?
Is there a cheat sheet? Otherwise it has been taking up a lot of time trying to determine which Object\sub objects are the right ones to restrict. Is there a 3rd party application that allows better Delegation control and managing who has what restrictions?
Thank you!
Hi,
I was sent here from the Exchange forums.
The original thread is: http://social.technet.microsoft.com/Forums/en-US/exchangesvrclients/thread/ea798a34-d009-4158-a50d-05b494e8c718/
It would be great if someone could take a look at this very weird issue and point me into the right direction or suggest some way to debug that.
Thanks for reading!
I have 2 fresh installs of windows server 2012. One has the DC role, the other one is domain member + exchange.
The active directory was just setup in order to be able to install exchange, so nothing was configured manually apart from the installation process.
All user accounts in active directory have been created by exchange in the process of adding new mailboxes.
The weird thing is that local user accounts have no problems setting up an Outlook profile for Exchange, while domain accounts are struggling.
Even more weird is that the very first domain user account logging in per workstation is able to complete setup outlook -> exchange.
Once this is done and the user logged out, no one else logging in on that workstation is able to set up an (the first) Outlook profile for Exchange anymore.
After the autodiscover process (the second checkmark) succeeds, when Outlook uses the username (=primary smtp address) + password for the first time to complete the setup of the profile an error appears: "The connection to the Microsoft Exchange Server is unavailable. Outlook must be online or connected to complete this action."
I've tried that with 3 different, freshly installed Windows XP SP3 Clients.
I used a different user account when logging in for the first time after domain join on either of them. All of these accounts were able to complete the Outlook setup wizard. While the next account on the same workstations wasn't able to.
It's like that: 3 accounts: user1,user2,user3 and workstation1,2,3
User1 -> workstation 1 --> success (first user account to login on that workstation)
User2 -> workstation 1 --> fail (second user account to login on that workstation)
User2 -> workstation 2 --> success (first user account to login on that workstation)
User1 -> workstation 2 --> fail
User3 -> workstation 3 --> success
User3 -> workstation 2 & workstation 1 --> fail
etc, etc.
When user 2 on workstation 1 failed, I logged out and back again with User1 to check whether it still worked and yes, everything was fine.
Then I noticed that only Windows XP was affected by that issue. Windows 7 clients have no problems.
I would have thought about a certificate common/alternative name problem, but as mentioned earlier local user accounts don't have those problems. Also user accounts in an old nt4 domain don't have those problems.
After 1 week of trial and error I discovered that sometimes there was an exception and another user account was able to setup an outlook profile. This is however hard to reproduce and definitely not linked to certain accounts. It's kinda random. Could this be a problem with some kind of time out/session/machine&user?
Does anyone have any idea what could be the cause of that or where to start looking?
Thank you very much for any help! This really is driving me crazy ;)
I'm wondering if it is necessary to use SQL cluster mirroring for ADFS site resiliency and failover.
Is this possible? Thanks for any feedback.
I'm getting this error:
"Verification of replica failed. The forest functional level is Windows 2000. To install Windows Server 2012 domain or domain controller, the forest functional level must be Windows Server 2003."
My forest level is set at 2008R2, per AD Domains and Trusts (on both the 08 servers and 2012). The forest was set at 2003 before, so I demoted the old 2003 server and raised it to 2008 with no luck, then went ahead and went to 2008R2.
The 2012 server (clean install, no upgrades) is already a member of the domain.
adprep /forestprep reports "forest wide information has already been updated"
Connectivity seems to be fine (ping, no firewalls) between the 2 08R2 DCs and the new 2012 server. Weird thing is all the AD tools are installed in 2012, and I can even create new domain users from it.
Attempting 100 users profile folder migration from one domain to another (different forest, two way external trust setup) and getting error when attempt to log in with a test account that I have migrated and copied user profile folder over.
Error : The group policy client service failed the logon error; access is denied.
Old environment:
Users connect only via RDS. User profiles are roaming. Profiles are stored on a share on the old domain RDS servers are on old domain.
New environment:
Users connect only via RDS. User profiles are roaming. Profiles are stored on a share on the new domain RDS servers are on new domain.
Used AD migration tool to copy over user ids and groups.
Did not use SID migration as don't have auditing set up in the old domain.
User roaming profiles load / work ok in both the old and new domain when using new accounts in both domains. Thus permissions and GPO are set ok.
roaming profiles are working fine in the old domain.
Only issues is after trying to copy the profiles to the new domain.
Copied over user folders to new share on new server in new domain.
Used
xcopy /d /e /v /c /i /h /r /k /x /y \\old_share\Shares\Profiles \\new_share\Shares\Profiles
changed the permission to the folders with subinacl /noverbose /subdirec "\\new_share\Shares\*.*" /changedomain=old=new
renamed the user folders in the new location so that userid.olddomain.v2 is now correct ; userid.NEWdomain.v2
user profile location is set via AD GPO .
Checked all permissions to \\new_share\Shares\Profiles and they appear correct.
No errors in event logs.
If I delete the \\new_share\Shares\Profiles\userid folder I can log in ok and get roaming profile created ok with userid.
Thus I suspect a permissions issue after the folder copy.
not sure where to go here.
all servers are 2008 r2.
domain controllers in old domain are running at functional level of windows 2000
in new domain running at functional level of windows 2008
I renamed the ntuser.pol and ntuser.dat .
No help. They got recreated ok but couldn't connect still.
We have an environment like 1 root domain with 1 additional domain controller in windows server 2008 r2 and 1 child domain controller with 3 additional domain controller of which 2 domain controller run in Windows server 2003, 1 domain controller run in Windows server 2008 and 1 run in Windows Server 2008 R2. In client end we use the Windows Server 2008 and Windows Server 2008 R2 additional child domain controllers address as DNS address.
The issue is when any policy change in Windows Server 2008 additional child domain controller group policy it is not replicated to others. But if any group policy change in Windows Server 2008 R2 additional child domain controller it replicate all child domain controllers except Windows Server 2008 additional child domain controller. And there is no error in event log.
Mithun Dey Web: http://cloudmithun.wordpress.com
Hi,
Our domain controller running on Windows Server 2008. Before this we are using single IP Address to access active directory server.
Now our organization already change the network structure and using multiple VLAN. Our client using Windows 7 Pro cannot join to domain. Error: "The following error occurred attempting to join the domain "XXX.Local": The specified network name is no longer available."
Below is my test:-
1. Test ping server AD = Successful
2. Test nslookup = Successful
C:\>nslookup
Default Server: biru.itnmb.local
Address: 192.168.42.4
> itnmb.local
Server: biru.itnmb.local
Address: 192.168.42.4
Name: itnmb.local
Address: 192.168.42.4
> 192.168.42.4
Server: biru.itnmb.local
Address: 192.168.42.4
Name: biru.itnmb.local
Address: 192.168.42.4
3. Test running dcdiag = successful and passed test
4. Telnet from client (all port required joining to domain) = Successful
What can I do?
Thanks,
Ezzy
I have domain controller installed on Windows 2008 32 bit SP2, now I want to add additional domain controller on Windows 2008 R2 SP1.
Is it possible? If yes, is there any negative impact? Do I need to run adprep /forestprep again on the existing domain (Windows 2008 32 bit) or on Windows 2008 R2?
What all do I need to care about before or after installation?
Thanks
Hi all,
I have two domains, one old 2003 domain and new one 2008 domain. Two way trust working fine.
Migrated groups and users with SID history to 2008 domain.
I have successfully migrated file server to new domain with ADMT and chose to ADD permissions, so there should be both permissions.
After migration i can see "doubled" permissions like this:
newdomain\DL_M
newdomain\DL_M
If I assign the server to old domain, I can see correct both permissions like this
olddomain\DL_M
newdomain\DL_M
That's fine, but only when the server is in old domain.
If the server is in new 2008 domain and I'm searching (want to add permission) for Domain Local group placed in old domain, I can't find it, only Security groups are visible, I don't have any universal, so I don't know...
Is there any chance to get this working?
Hi all,
On a Server 2008R2 SP1 with IIS installed, in a Netmon trace I see that a new TGT for the IIS WEB Pool account is requested about every 60 seconds. Sometimes also in the range of 100 ms. The WEB application is working fine.
Usually the flow is as follows:
The first AS-REQ fails due to missing time stamp in the request. In the AS-REP I can see in padata that PA-ENC-TIMESTAMP, PA-DAS and PA-PK-AS-REP are missing. In second AS-REQ PA-ENC-TIMESTAMP is inserted in padata.
Client name in the AS-REQ is the name of the account the WEB service is running. Kerberos request Server (service) name is krbtgt/domain-name.
I wonder why TGT is requested at least every minute, as Kerberos ticket TTL is 10 hours per default in domain and can't even be set even below one hour.
Probably as a side effect we notice "RPC Server unavailable" in the event log with clients failing to connect to IIS twice a week.
Around the time of "RPC failure" I see a TGS-REP "KRB5KDC_ERR_BADOPTION" for a TGS-REQ with kerberos server (service) name: "server-name$@domain-name" and KDC option "constrained-delegation".
Questions are:
Can the "KRB5KDC_ERR_BADOPTION" invalid the server's TGT and shut down the RPC service for ever (until reboot)?
Where to start troubleshooting this (I know the IIS server should be configured for delegation). But for days the server and WEB service runs without problems, and I wonder whether just a "KRB5KDC_ERR_BADOPTION" can shut down the RPC Service and the server at all?
(Also is it possible to start kerbtray in the context of IIS and server?)
Thank You
Jochen
Hi All,
We want to disable the remote access for our domain administrator account; by default it is enabled. Can anyone please tell me how to do this?
Our Domain Controller is on Windows 2008 Server
Thanks
Agha
I have problems on my Windows 2012 server.
My setup is with 2 sites:
site 1:
srv01 and srv09 are DC's
site 2:
srv06 and srv10 are DC's
On srv01 I am unable to get netlogon and sysvol share, I reinstalled the server many times without result.
I put the output of ipconfig /all and dcdiag /q on my gdrive:
https://drive.google.com/folderview?id=0B2HFwIHoNbnfU2M4RmtjeDgzdVk&usp=sharing
Any suggestions?
With kind regards, Bas van den Dikkenberg
I already have Windows Server 2008 R2 as domain controller with all services installed on it. For safe side I want to install an additional Server 2008 R2 domain controller in existing forest. My questions are below...
Your help on this regard will be appreciated. Thanks
I'm working on a two-node, multi-site Failover Cluster running Windows Server 2008 R2 with Service Pack 1. Each site has a domain controller running Windows Server 2008 R2 with Service Pack 1. Forest and domain both run Windows Server 2008 R2 native mode. The zone containing the host records for the cluster resources is replicated to all domain controllers in the domain.
I'd like to trigger immediate replication of DNS entries that are changed when the cluster resources are failed between sites. I have enabled Auditing for the DomainDnsZones partition and have created an event triggered scheduled task for Event 4662 to run repadmin.exe /replicate destinationdc sourcedc DC=DomainDnsZones,DC=contoso,DC=local.
This works pretty well. When the resource group is moved from site A to site B, the DNS record for the resource is changed on the domain controller in site B and generates the 4662 event. The scheduled task replicates the change to domain controller in site A and ADSIEdit shows the object has been updated on the site A domain controller. But in my testing, it takes 2-3 minutes for the change to be reflected in the DNS table on the site A domain controller.
Questions:
1. How long should it take for the replicated DNS record to reflect in the DNS table on the site A domain controller?
2. Is there any way to accelerate the refresh of the table after the change has been replicated?
Thanks in advance for your help.
Hi all,
Can I promote a Windows Server 2008 R2 to a domain controller while all my domain controllers are 2012 servers? Both domain functional and forest functional levels are set to Windows Server 2008 R2. My concern is about sequence: is it applicable to raise a Windows Server 2008 after you have Windows Server 2012 domain controllers (but my forest and domain functional levels are still 2008 R2)?
I've got a little problem, not a show stopper but one that I can't seem to figure out. We have several unix systems that use AD for user authentication. When setting up the users in AD everything works fine except auto generation of the Unix UID. Whenever the system creates a UID I always get the error Duplicate UID, Assign a uniqueUID.
To get things to work I typically have to increment the UID by 2 numbers. Then I can apply.
The next user I create I end up having to do the same thing. Where can I look to fix this?
Server: 2008 R2 64bit
Servers are used for: AD, DNS, DHCP
thanks!
Robert
I have a small test network with 2 DC's. My original DC was Windows Server 2008 R2 Core. I joined a Windows Server 2012 Core DC to replace the old one; then once the 2008 was removed, I raised the functional level to Server 2012.
The Server 2012 Core server is functioning correctly and works as a DC\GC, but when I join a second DC (Server 2012 Full UI), I can't get the SYSVOL and Netlogon shares to appear, and the new server won't authorize logons.
It looks like the original 2012 Core is trying to use FRS to replicate, while the new one appears to be trying to use DFS. Only the second DC shows up in the DFS manager, and I can't see a way to add the first one to the set.
The second DC appears to throw an error that says that it's "Waiting on initial synchronization" from the first DC. Is there a way to add this other original DC to the DFS replication?