Channel: Directory Services forum

_msdcs delegation folder security tab error


Hello,

I keep seeing that the security tab for the _msdcs delegation folder will not show security items. Instead it shows a red 'X' with the message "The requested security information is either unavailable or can't be displayed".

This is a brand new domain controller in a new forest, and the only thing that has been done is to set up secondary zones on servers in another forest and make an outgoing trust from this forest to the other.

Anyone else see this, is this normal?

Thanks


Robert


Windows 2012 to 2016 Migration


I am trying to migrate Active Directory from a Windows 2012 server (TSSERVER) to a Windows 2016 server (2016SERVER). I have already migrated the roles as per netdom fsmo query:

Schema master               2016SERVER.ABCCORP.local
Domain naming master        2016SERVER.ABCCORP.local
PDC                         2016SERVER.ABCCORP.local
RID pool manager            2016SERVER.ABCCORP.local
Infrastructure master       2016SERVER.ABCCORP.local

So far so good, however when I run dcdiag, I am getting a bunch of error messages. Dcdiag completed with no errors when TSSERVER was the only domain controller. I have heard some of these could be DNS related. One other thing I have noticed is that if I try to ping 2016server from itself, I keep getting replies from ::1 even though I have done everything I can to disable IPv6.

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = 2016SERVER
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\2016SERVER
      Starting test: Connectivity
         ......................... 2016SERVER passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\2016SERVER
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\TSSERVER.ABCCORP.local, when we were trying to reach 2016SERVER.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... 2016SERVER failed test Advertising
      Starting test: FrsEvent
         ......................... 2016SERVER passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... 2016SERVER failed test DFSREvent
      Starting test: SysVolCheck
         ......................... 2016SERVER passed test SysVolCheck
      Starting test: KccEvent
         ......................... 2016SERVER passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... 2016SERVER passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... 2016SERVER passed test MachineAccount
      Starting test: NCSecDesc
         ......................... 2016SERVER passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\2016SERVER\netlogon)
         [2016SERVER] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... 2016SERVER failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... 2016SERVER passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,2016SERVER] A recent replication attempt failed:
            From TSSERVER to 2016SERVER
            Naming Context: CN=Schema,CN=Configuration,DC=ABCCORP,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2019-03-07 09:00:39.
            The last success occurred at 2019-03-06 19:56:54.
            13 failures have occurred since the last success.
            The source TSSERVER is responding now.
         [Replications Check,2016SERVER] A recent replication attempt failed:
            From TSSERVER to 2016SERVER
            Naming Context: CN=Configuration,DC=ABCCORP,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2019-03-07 08:59:57.
            The last success occurred at 2019-03-06 19:56:54.
            13 failures have occurred since the last success.
            The source TSSERVER is responding now.
         ......................... 2016SERVER failed test Replications
      Starting test: RidManager
         ......................... 2016SERVER passed test RidManager
      Starting test: Services
         ......................... 2016SERVER passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   08:38:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   08:43:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   08:48:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   08:53:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   08:58:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   09:03:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   09:08:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   09:13:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   09:18:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   09:23:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0xC0001B77
            Time Generated: 03/07/2019   09:28:46
            Event String:
            The Server Infrastructure License Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 16 milliseconds: Restart the service.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   09:28:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 03/07/2019   09:29:30
            Event String:
            The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 03/07/2019   09:33:52
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         ......................... 2016SERVER failed test SystemLog
      Starting test: VerifyReferences
         ......................... 2016SERVER passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ABCCORP
      Starting test: CheckSDRefDom
         ......................... ABCCORP passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ABCCORP passed test CrossRefValidation

   Running enterprise tests on : ABCCORP.local
      Starting test: LocatorCheck
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         ......................... ABCCORP.local failed test LocatorCheck
      Starting test: Intersite
         ......................... ABCCORP.local passed test Intersite

What can I do to troubleshoot?

Thanks,

drdx
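As an added example (not from the post above), the PowerShell below, run elevated on the new DC, checks the things the failed dcdiag tests point at: the DC's own DNS client settings, the _msdcs SRV registrations, the SYSVOL/NETLOGON shares, RPC to TSSERVER, the replication failures AD has recorded, and PDC location. Server and domain names default to the post's; the ActiveDirectory and DnsClient modules are assumed to be present, as they are on a 2016 DC.

```powershell
#Requires -Modules ActiveDirectory, DnsClient
# Added example, not from the original post: triage the failures dcdiag reported above.
# Run elevated on the new DC. Defaults are the post's names; the ActiveDirectory module
# (RSAT-AD-PowerShell) is assumed to be installed, as it is on any 2016 DC.
param(
    [string]$NewDc  = '2016SERVER',
    [string]$OldDc  = 'TSSERVER',
    [string]$Domain = 'ABCCORP.local'
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail })
}

# 1. DNS client: the DC must point at a DNS server that hosts the ABCCORP.local zone.
#    An adapter pointed only at an ISP resolver (or at nothing) is the usual cause of the
#    repeated Group Policy event 0x41E (1054), "could not obtain the name of a domain controller".
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4, IPv6 |
    Where-Object { $_.ServerAddresses }).ServerAddresses
Add-Finding 'DNS client servers configured' ($dnsServers.Count -gt 0) ($dnsServers -join ', ')

# 2. Locator records: the new DC must be registered under _msdcs for DsGetDcName to return it
#    instead of TSSERVER (the Advertising failure), and as PDC for the LocatorCheck test.
foreach ($rec in "_ldap._tcp.dc._msdcs.$Domain", "_ldap._tcp.pdc._msdcs.$Domain") {
    try {
        $targets = @(Resolve-DnsName -Name $rec -Type SRV -ErrorAction Stop |
            Where-Object Type -eq 'SRV' | ForEach-Object NameTarget)
        Add-Finding "SRV $rec lists $NewDc" ([bool]($targets -match "^$NewDc\.")) ($targets -join ', ')
    } catch { Add-Finding "SRV $rec" $false $_.Exception.Message }
}

# 3. SYSVOL/NETLOGON: error 67 ("network name cannot be found") means the shares do not exist yet;
#    Netlogon only creates them once initial SYSVOL replication completes and sets SysvolReady=1.
$sysvolReady = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
Add-Finding 'SysvolReady flag' ($sysvolReady -eq 1) "SysvolReady=$sysvolReady"
foreach ($share in 'NETLOGON', 'SYSVOL') {
    Add-Finding "\\$NewDc\$share reachable" (Test-Path "\\$NewDc\$share") ''
}

# 4. RPC to the replication source: error 1722 is a transport failure (firewall, name resolution,
#    endpoint mapper) and has to be fixed before AD replication can succeed.
$rpc = Test-NetConnection -ComputerName $OldDc -Port 135 -WarningAction SilentlyContinue
Add-Finding "TCP 135 to $OldDc" $rpc.TcpTestSucceeded "resolved to $($rpc.RemoteAddress)"

# 5. Replication failures as AD itself records them (the data behind the Replications test).
$fail = @(Get-ADReplicationFailure -Target $NewDc -ErrorAction SilentlyContinue)
Add-Finding 'No inbound replication failures' ($fail.Count -eq 0) (($fail | ForEach-Object {
    "$($_.Partner) $($_.FailureType) error=$($_.LastError) count=$($_.FailureCount)" }) -join '; ')

# 6. Locator: can a PDC be found now that the role has moved to the new DC?
$pdc = & nltest.exe /dsgetdc:$Domain /pdc 2>&1
Add-Finding 'PDC locatable via nltest' ($LASTEXITCODE -eq 0) (($pdc | Select-Object -First 1) -as [string])

$findings | Format-Table -AutoSize
```

The replies from ::1 are expected: pinging a host's own name resolves to the IPv6 loopback address and is unrelated to the locator failures. The first finding is the one to fix first, since a DC whose DNS client cannot reach the zone that holds its own SRV records will keep logging 0x41E and never finish initial SYSVOL replication.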


Reset Account event logging


Hi,

2 questions here:

1. On the Windows Active Directory server, where can I find any event log of a "Reset Account" action performed on a computer/system account listed in the AD server directory, if audit logging is not enabled?

2. When we do a "Reset Account" on a computer account, say "comp1", we need to connect back to the AD server from comp1. Can we have a policy or a rule on the AD server to do this? If yes, then where can I find such a rule/policy enabled? Is there any other way the connection between comp1 and the AD server can break?

More info: Comp1 is a Linux machine using Samba Winbind to connect to the Windows AD server.

Once I migrate users from one domain to another, how are the application servers going to be authenticated by the source users migrated to the target?


I have a scenario where we have migrated the users from one AD tenant to the other, and the plan is that the application servers will stay in the source. How are users from the target domain going to authenticate to the application servers?

Please explain in detail.

We have established the trust between both companies.

View deleted object using ldp.exe


Hello,


I want to view deleted objects in AD using ldp.exe on the primary DC, but when I expand CN=Deleted Objects it says "No children". I tried it again on another DC but there are no deleted objects in the tree. Do I need Domain Admin to view this?

Upgrade AD


Hi,

We have one domain, which has 10 DCs with a mix of Windows 2008 R2, Windows 2012 and Windows 2016. The current domain functional level is Windows 2008 R2. All FSMO roles are on a Windows 2008 R2 server. Now we want to upgrade the domain functional level to Windows 2016. How can we do this? Currently "Raise domain functional level" offers no option to upgrade. All our DCs are working fine without any issues. Please guide me with a tutorial if possible. We have ADFS and ADFS proxy servers with the Windows 2008 R2 OS.

Thanks.

AD lookup not using domain in 1809


Most of my users upgraded to 1809 in the last week or two and now they are having issues with network resources. The symptom is an active directory user (Scanner) can no longer access their shared folder (\\machinename\Scans), even though that user has full read/write permissions. When I sit at the client computer and bring up properties for the folder, Security correctly shows the users with correct permissions. If I try to add a user to the list however, under Locations I am only shown the local computer, not the AD.  My guess is when the Scanner user attempts to connect to write a file the client machine looks for them in the local user store instead of the AD store and fails when it can't find them. Am I looking in the right direction, or am I totally off base?

I ran into the issue presenting in a different way as well today. When I'm logged into the computer and do a software install, registry edits fail. This is because you need admin rights to write to the registry and the user credentials are domain credentials. I now have a dozen or so machines with the issue, all upgraded to 1809.

Rename a Domain Joined Computer


I've created an OU hierarchy and delegated access to a group with full control over all objects and descendant objects. Why can't a member of the group with delegated access rename a domain-joined computer in the OU? I've verified the group is local admin on the server and even created a second delegation for "write all properties" of descendant computer objects in the OU. I can see in the security settings on the server object that all of the settings are as expected. There are no denies in any of the settings on the OU. Could there be a GPO I'm not thinking of that is restricting this?

I've gone through multiple pages on TechNet looking for an answer that isn't local admin / write all properties on the computer object.

thanks,

jason


Windows 2008 R2 Directory Services. Upgrade Server 2008 R2 to Server 2016


Hi Team, 

One of our customers is running AD services on Windows 2008 R2. We are looking to migrate Directory Services to Server 2016.

What should be the right approach?

- Does 2008 R2 support an in-place upgrade directly to Server 2016?

- Shall we go with a side-by-side approach: installing Server 2016 as an additional DC and then transferring the FSMO roles from 2008 to 2016?

Regards,

Move ISTG to another DC


Hi,

We have to demote the current ISTG and replace it with a new domain controller.

What's the best practice to perform this migration without any issue in the replication topology?

Forest / Domain split into 2 separate entities


A part of our current company is split off and will start operating on its own. It has been agreed upon to split the current forest into 2 separate entities that will continue operating independently.

There will be no network connectivity between the 2 companies anymore.

I know this is not supported by MS, but it has been decided nonetheless for various reasons.

Does anyone have experience with this scenario? What would be the high-level steps to accomplish this? Any critical steps we definitely should not overlook?

domain controller certificate expiring but CA gone


I have a domain with two domain controllers with certificates that will expire soon, but the issuing certificate authority has been demoted and the member server will be retired soon.
Certificate services have been removed and we don't plan on reinstalling if we can avoid it.

What happens to the domain controllers and active directory when the certificates expire? Do we need to do something manually before that happens?

Thank you.


Issue in GP


I am facing an issue in Group Policy.

I have five sites, and only on two sites is Group Policy successfully applied, while on three sites I am facing the issue.

Please see the screenshots below of the affected sites.

Site 02

Site 03

And the site in which policies are successfully applied.

AD Replication issue - the destination server is rejecting replication


Hello, I have 3 DC servers, 2 in the prod environment and 1 in DR, and I just found out that the DNS server is not replicating to the DR server. I changed a DNS entry on 1 prod DC last Mar 9. It replicated to the other prod DC but not to DR. So I just manually edited the entry in DR. Is there a command to force replication of DNS changes from 1 DC to another? What other ways can I verify if there is an issue on my DR server? Is there also a log to check whether maybe someone has edited it?


FSMO Transfer Roles automatic


Hi All,

I have 3 domain controllers under ABC.COM. All five roles are on DC1; DC2 and DC3 are additional domain controllers.

My requirement and query is: when DC1 is down due to some failure, all FSMO roles need to move automatically to another DC, either DC2 or DC3. Is it possible? I have seen some articles from Microsoft suggesting that option is possible.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780487(v=ws.10)

  • becomeRidMaster
  • becomeSchemaMaster
  • becomeDomainMaster
  • becomePDC
  • becomeInfrastructureMaster
  • GiveAwayAllFsmoRoles

Please share the steps on how to do it, or a blog or link.
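FSMO roles never move on their own: the rootDSE attributes listed in the post are what a transfer writes, and something has to write them. As an added example (not from the post or the linked article), the PowerShell below reports the five holders, checks whether each still answers on LDAP, and transfers roles to a standby DC, or seizes them only when no current holder is reachable; the ActiveDirectory module is assumed and the DC names are the post's hypothetical DC1/DC2.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post: report who holds the five FSMO roles,
# check whether each holder answers on LDAP, and move roles to a standby DC.
# DC names in the usage lines are hypothetical (DC1/DC2 from the post).
function Get-FsmoStatus {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($r in $roles.GetEnumerator()) {
        $ldap = Test-NetConnection -ComputerName $r.Value -Port 389 -WarningAction SilentlyContinue
        [pscustomobject]@{ Role = $r.Key; Holder = $r.Value; HolderAnswersLdap = $ldap.TcpTestSucceeded }
    }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)][string]$Target,   # standby DC, e.g. DC2
        [switch]$Seize                           # only when the old holder is gone for good
    )
    $status = Get-FsmoStatus
    $toMove = @($status | Where-Object { $_.Holder -notlike "$Target.*" -and $_.Holder -ne $Target })
    if ($toMove.Count -eq 0) { Write-Host "All roles already on $Target"; return }
    if ($Seize -and ($toMove | Where-Object HolderAnswersLdap)) {
        throw "A current holder still answers on LDAP; transfer instead of seizing, or shut it down first."
    }
    # Without -Force this is a graceful transfer (the becomeXxx rootDSE writes listed in the post,
    # which require the old holder to be online). With -Force the role is seized by rewriting
    # fSMORoleOwner; a seized-from DC must never be brought back online afterwards.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target `
        -OperationMasterRole $toMove.Role -Force:$Seize -Confirm:$true
}

# Usage (hypothetical DC names):
# Get-FsmoStatus | Format-Table
# Move-FsmoRoles -Target DC2            # DC1 reachable: graceful transfer
# Move-FsmoRoles -Target DC2 -Seize     # DC1 dead: seize after confirming it will not return
```

Running this from a scheduled task on DC2 would give the "automatic" behaviour asked for, but a PDC/RID seizure triggered by a transient outage is worse than a few hours without the role, so the reachability check is the minimum guard and a human confirmation is the norm.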



Upgrading from Windows Server 2008 r2 to Windows Server 2016


Hi,

I know you can't do a direct upgrade from 2008 to 2016, so it will be a step upgrade via 2012. However, do I need to purchase a full version of 2012 for the sake of a couple of hours, or can I use the trial version of 2012 to get me to that step and then upgrade to 2016 with my "retail" version and key?

It needs to be an in-place upgrade as we don't have any other hardware to migrate back and forward from.

Many Thanks for any advice

Why CA refreshes templates from DC


The list of Certificate Templates seems to be refreshed periodically. If ADCS is inactive (no certificate is issued) for approx. 15-20 minutes, it takes a long time (20-25s) to refresh the list of Certificate Templates from the DC. (It is equivalent to the process of displaying certificate templates in: mmc console –> Certification Authority snap-in –> folder Certificate Templates.)
- Until the Certificate Template list is downloaded it is not possible to issue a certificate, so this behavior adds an unacceptable delay to the whole certificate issuance process.
- The error was observed in both Windows Server 2012 R2 and 2016 versions.
- Any repeated request (which is sent after the Certificate Templates are refreshed) is processed immediately (overall delay <1s).
- After 15-20 minutes of ADCS inactivity (no certificate is issued) the situation with the 20s delay repeats.

Is this by design ?

Can we control the behavior and delay time?

Move a Computer to an Active Directory with different credentials


Hi,

I want to move computer/device from one OU to another OU using VB Code.

The code below works great when logged in to the target PC with the service account.

But is there any way to execute the code below with different credentials? I googled and tried, but was not able to make it work.

If you guys have worked on this scenario, please share some thoughts.


' *****************************************************************************
' Target OU for this machine's computer object
strLDAPofOU = "OU=Desktops,OU=Computers,DC=domain,DC=locale"
' *****************************************************************************
On Error Resume Next

' ADSystemInfo returns the distinguished name of the computer running the script
Set objSysInfo = CreateObject("ADSystemInfo")
strMachineObjectOU = strLDAPofOU
strComputerDN = objSysInfo.ComputerName    ' e.g. CN=PC01,OU=Staging,DC=domain,DC=locale

' Split the DN at the first comma into the RDN (CN=PC01) and the current parent OU
nComma = InStr(strComputerDN, ",")
strCurrentOU = Mid(strComputerDN, nComma + 1)
strComputerName = Left(strComputerDN, nComma - 1)

' If the current OU differs from the target OU, move the object.
' GetObject binds as the logged-on user, so that user needs Delete Child on the
' current OU and Create Child on the target OU.
If UCase(strCurrentOU) <> UCase(strMachineObjectOU) Then
    Set objNewOU = GetObject("LDAP://" & strMachineObjectOU)
    Set objMoveComputer = objNewOU.MoveHere("LDAP://" & strComputerDN, strComputerName)
    If Err.Number <> 0 Then
        WScript.Echo "Move failed: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If
End If
'//----------------------------------------------------------------------------
'//  End Script
'//----------------------------------------------------------------------------

Regards

Er Reddy
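The same OU move with explicit credentials, as an added example (not the poster's code): PowerShell using the System.DirectoryServices DirectoryEntry constructor that takes a user name and password, so the script can bind as a delegated account rather than the logged-on user. The OU DN is the post's, the service account name is hypothetical, and no RSAT/ActiveDirectory module is needed on the client.

```powershell
# Added example, not from the original post: move this computer's AD object to a target OU
# while binding with credentials other than the logged-on user's. Uses only .NET
# System.DirectoryServices, so it works on any domain-joined client without RSAT.
function Move-ComputerToOU {
    param(
        [Parameter(Mandatory)][string]$TargetOuDn,          # e.g. OU=Desktops,OU=Computers,DC=domain,DC=locale
        [Parameter(Mandatory)][pscredential]$Credential,    # account delegated Delete Child / Create Child on both OUs
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Server = ''                                # optional DC name to pin every bind to one server
    )
    # Secure = Kerberos/NTLM rather than a clear-text simple bind; Sealing encrypts the traffic.
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
            [System.DirectoryServices.AuthenticationTypes]::Sealing
    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password
    $prefix = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }

    # Find the computer object by sAMAccountName (COMPUTERNAME$) under the default naming context.
    $root = New-Object System.DirectoryServices.DirectoryEntry("${prefix}RootDSE", $user, $pass, $auth)
    $base = New-Object System.DirectoryServices.DirectoryEntry(
        "$prefix$($root.Properties['defaultNamingContext'].Value)", $user, $pass, $auth)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer '$ComputerName' not found under $($base.Properties['distinguishedName'].Value)" }

    # GetDirectoryEntry() reuses the search root's credentials for the object itself.
    $computer  = $result.GetDirectoryEntry()
    $dn        = $computer.Properties['distinguishedName'].Value
    $currentOu = ($dn -split ',', 2)[1]          # everything after the RDN, same split as the VBScript
    if ($currentOu -ieq $TargetOuDn) {
        Write-Verbose "$ComputerName is already in $TargetOuDn"
        return $false
    }
    $targetOu = New-Object System.DirectoryServices.DirectoryEntry("$prefix$TargetOuDn", $user, $pass, $auth)
    $computer.MoveTo($targetOu)                  # equivalent of objNewOU.MoveHere(...) in the VBScript
    Write-Verbose "Moved $dn to $TargetOuDn"
    return $true
}

# Usage (hypothetical delegated account; Get-Credential prompts for its password):
# $cred = Get-Credential 'DOMAIN\svc-oumove'
# Move-ComputerToOU -TargetOuDn 'OU=Desktops,OU=Computers,DC=domain,DC=locale' -Credential $cred -Verbose
```

Keep the delegated account's rights to exactly the two OUs involved and avoid hard-coding its password in the script: a script that runs on every desktop and carries OU-move rights is an attractive target if the credentials sit in it in clear text.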

Disable non secure LDAP 389


Hi,

Do you know if there is a way to force using LDAPS on 636 and disable LDAP access on the non-secure port 389 without affecting AD features?

Regards
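Before tightening LDAP on the DCs it pays to know which clients still bind on 389 without signing or with a clear-text simple bind. As an added example (not from the post), the PowerShell below enables the LDAP interface event logging that makes each such bind raise event 2889 in the Directory Service log, summarises those events by client and identity, and has a function to require signing once the list is empty; run it elevated on each DC.

```powershell
# Added example, not from the original post: inventory insecure LDAP binds on a DC, then
# require signing. Event 2889 is logged once "16 LDAP Interface Events" diagnostics is >= 2.
$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Enable-LdapBindAudit {
    # 2 = basic logging of LDAP interface events (one 2889 per insecure bind); set 0 to stop
    Set-ItemProperty -Path $diagKey -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-InsecureLdapBinds {
    param([int]$Days = 7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The 2889 message carries the client address:port, the identity used and the binding type
        # (0 = SASL bind without signing, 1 = simple bind over clear text).
        $ip   = [regex]::Match($e.Message, 'Client IP address:\s*(\S+)').Groups[1].Value
        $id   = [regex]::Match($e.Message, 'authenticate as:\s*(.+?)\s*(?:Binding Type|$)').Groups[1].Value
        $type = [regex]::Match($e.Message, 'Binding Type:\s*(\d+)').Groups[1].Value
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Client   = $ip -replace ':\d+$', ''        # drop the ephemeral source port
            Identity = $id.Trim()
            Bind     = if ($type -eq '0') { 'SASL without signing' } else { 'Simple bind, clear text' }
        }
    }
}

function Get-InsecureLdapBindSummary {
    param([int]$Days = 7)
    Get-InsecureLdapBinds -Days $Days |
        Group-Object Client, Identity, Bind |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Client';   e = { $_.Group[0].Client } },
            @{ n = 'Identity'; e = { $_.Group[0].Identity } },
            @{ n = 'Bind';     e = { $_.Group[0].Bind } }
}

function Set-LdapSigningRequired {
    # Same setting as the GPO "Domain controller: LDAP server signing requirements" = Require signing.
    # Signed binds on 389 keep working; unsigned SASL and clear-text simple binds are rejected.
    Set-ItemProperty -Path $ntdsKey -Name LDAPServerIntegrity -Value 2 -Type DWord
}

# Usage:
# Enable-LdapBindAudit                       # then let a full business cycle of traffic accrue
# Get-InsecureLdapBindSummary -Days 7 | Format-Table -AutoSize
# Set-LdapSigningRequired                    # once every client on the list has been fixed
```

Requiring signing does not close port 389, and it should not: domain members, the DC locator and Kerberos-authenticated LDAP keep using 389 with signing and sealing, so blocking the port breaks AD, while LDAPS on 636 is an additional listener rather than a replacement. The matching client-side policy is "Network security: LDAP client signing requirements".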


Cross-Forest AD Token Size

We have two forests with a one-way trust between them. I want to know, if I add a user from Forest A to groups in Forest B, will this affect the AD token size of the user in Forest A? Based on the whoami /groups command I run from Forest A, I don't think that the user's local Kerberos token knows anything about the Forest B groups. Does this mean that if I add user A to 1000 groups in Forest B then it will *not* break the Forest A account? Only the FSP in Forest B would be affected?

Alan Burchill (MVP)
http://www.grouppolicy.biz

@alanburchill
