Channel: Directory Services forum
Viewing all 31638 articles

Repadmin - syncall vs replicate switch?


Hi there,

I've been doing some maintenance work on an environment (basically uplifting it to 2008 R2 from 2003) that has involved the removal and addition of some DCs.

Post removal I've occasionally noticed that some DCs in remote sites take a little while to update to reflect the change (and I'll see an error when I run repadmin /replsum * for example).

It usually sorts itself out in time, but if I want to nudge things along I'll normally use repadmin /syncall /APed

However, I've noticed that repadmin also has the replicate switch. I was wondering what the difference between the two is? Reading the TechNet documentation they seem to do much the same thing (albeit the replicate switch seems to be more targeted than syncall).

Thanks

Chris


How could I grant security right of user to specific user by command ?


I would like to grant the sender right (in English?; the security tab of the user in ADUC on a Windows 2003 DC) of a user to a specific user by command (AD command or PowerShell).

How could I do that?

I expect: command userid XXXXX

or

cmdlet userid XXXXX, something like that.

Active Directory: Cannot create new user on operations master, but can on other DCs in domain.


We have a domain for the school I work for that has our main operations master (HS-DC2), and 4 global catalog DCs all on the same domain. On our operations master, we cannot create / copy a new user because it gives the following error:

Windows cannot set the password for (user) because:
The specified directory object is not bound to a remote resource

You click OK, then it pops up with:

Windows cannot remove the newly created object automatically.
Remove it manually or contact your system administrator.

The object is not created, it's not there... I'm lost. THEN, I can connect to another domain controller in our network and create the account / copy another account and it works perfectly. NO problems whatsoever, and then it replicates back to the operations master just fine.

I'm at a loss and need some help. 

Thoughts?

Thanks in advance!

Active Directory Users and Computers won't start on a DC, "the server is not operational"


In our environment, we have 3 DCs:

two which run Server 2008 (they work perfectly)

and one never-off branch DC that runs Server 2008 R2.

We have been having some problems where we feel the replication isn't up to speed (stuff could take up to 24 hours to replicate), and now when I tried opening Active Directory Users and Computers I am met with this error window:

We have a third party DNS solution.

How do I troubleshoot this issue?

Logon Caching old password


Hi,

I have created a domain user user1 in my domain.

I have logged into the domain using user1's credentials from my Windows 7 and Windows XP systems.

Then from Windows 7 I changed the user's domain password; still using the old password I can log in to the domain from the Windows XP machine, even after restarting the XP machine.

How can we stop the old credentials being cached so that the user can't log in using the old password?



regards, Faisal

Server 2003 to Server 2012 migration


I am a student finishing my last semester and we have been contracted out to a local college to look at the possibilities of migrating Server 2003 to Server 2012.

They want to migrate AD (which is very simple, just users and a few printers), DNS and WINS while keeping the same names and IP addresses from the old Server 2003 DCs to the new 2012 DCs. I was just wondering if you could migrate these things to Server 2012, because I've been unclear whether you could or not.

So far our plan is to migrate the FSMO roles to the new 2012s and then demote the old servers and then give the new servers the same name and IP as the old servers. I was wondering if our methodology was correct, or if AD, DNS and WINS replication will take care of the new Server 2012 name/AD resolution.

I am new to these forums and any help is appreciated!! Thanks! :)

Password of AD-user with local admin rights is not pushed to all clients?


Hey guys,

I created a GPO that sets a "restricted group" as member of the local administrators on every client.

That worked fine so far.

Now, in order to raise the security level a little, I changed the password of the domain/localAdmin user. Most of the clients can't use the old password anymore to do "local admin stuff", but some still can, even though they restarted their computer 2-3 times while being connected to the company's LAN.

Is there any possibility to push the new password to all computers to guarantee that no one has access to the local "restricted group" admin anymore?

Encryption method used to store passwords of Active Directory users in the Active Directory database


Hi,

What is the method used to store passwords in Active Directory? Also, please help me to understand: is there any possibility to decrypt the password?

Thanks & regards,

Masud Hussain


netdom join fails for Window 8 machines with access denied


Hi,

I am getting an "access denied" when joining Windows 8 machines remotely into an AD domain with the following command:

netdom join /domain:<fqdn>\<pdc><machine name> /ud:<dn>\Administrator /pd:<domain admin pw> /uo:<machine name>\Administrator /po:<local admin pw> /pm:<machine pw> /ro /reb /verbose

Establishing a session with <machine>
Joining domain <fqdn>\<pdc>
Deleting the session with <machine name>
Access is denied.
The command failed to complete successfully.

I am running the command on the PDC. I am rather sure that the passwords are correct; furthermore, I know that the error message is different if the local admin password is wrong. On the remote machine (to be joined), I do not see any failed login attempts in the log. Actually, I am running out of ideas, because we have used the very same command for years and it worked up to (and including) Windows 7. Any ideas?

Thanks in advance,
Christoph

Setting up a limited rights domain admin type account or group for allowing local software installs on domain workstations.


I'd like to lock down software installs on workstations in a domain. My plan is to remove users as local admins and give them standard user rights to workstations. Then set up a limited-rights admin account or group that can be used for installing software on workstations, instead of using the domain admin account. Something that I could give the local managers access to, either through a group assignment or a specialized admin-type account.

Thanks.

RODC with NETLOGON 5723 & 5805 EventIDs | Machines in Domain


About 6 months ago, I travelled to a remote office where we had issues with machines falling out of the domain more regularly than at our headquarters. I decided to deploy an RODC at this site, hoping to alleviate the issue. Since this deployment, every machine on that site now generates EventIDs for NETLOGON 5805/5723, but these machines are still in the domain. I can remote to them, I see them as authenticated machines, and they act as if they are joined. This error is only reported on the RODC.

Perhaps I've done something wrong in setting up the RODC, such as the PRP is incorrect or the accounts that joined the machines to the domain are not set up properly for an RODC. On the RODC, I hit Properties and went to Password Replication Policy -> Advanced, and I do see all the machines in "Accounts that have been authenticated to this Read-only Domain Controller". The "Accounts whose passwords are stored on this Read-only Domain Controller" are only the krbtgt_xxxxx and the RODC itself. On the PRP tab of the RODC Properties, I see the Allowed RODC Password Replication group as the only "allowed" group.

I am not sure what is occurring here, but these are Windows 2008 R2 servers reporting to this Windows 2008 R2 RODC, so the compatibility pack does not apply (I believe). Is there some sort of delegation responsibility I need to assign to the RODC?

Thanks all,

Windows 2008 Domain Controller does not Authenticate


Hello,

I have recently added a new Domain Controller to my environment. Having one Windows Server 2003 R2 Domain Controller already in place, I have successfully updated the schema on the W2K3 DC (adprep: forestprep, domainprep, gpprep, and rodcprep). Schema version is 47 for Windows Server 2008 R2 Standard. Forest/Domain functional levels are both Windows Server 2003 too.

I promoted the W2K8 server to a Domain Controller. Here is the problem. I have a small environment, so I was able to UNPLUG the W2K3 Domain Controller to see if authentication would occur on the new W2K8 DC. It doesn't. In fact, when I reboot the new DC with the previous DC unplugged, it doesn't come back up as a real Domain Controller. I cannot open Active Directory. The User Profile Service starts at logon, and the user that is loaded is not a user in Active Directory. No logon scripts appear. Even the network connection is severed for a while. What is going on??? Is this an RODC thing? I don't want a Read Only DC.

I want to eventually decommission the W2K3 Domain Controller, so having a fully functional DC is a must! Please assist. Everything seems to work when I have the W2K3 DC plugged back in.

NTDSUTIL IFM file-can this be taken from a production environment then placed into a test environment which is another domain??



I am trying to take the IFM file created using ntdsutil IFM full (includes SYSVOL) from the production AD domain and then import it into a test domain (a different domain than the production domain).

Assuming that I have already created a test domain with one DC, can I copy this IFM (installation media folder) from the production DC to a test DC?


dsk

Linux Servers in AD DNS - Linux servers are getting an age in AD DNS


My environment is: 2003 Functional level Domain and Forest

Domain controllers are a mix of 2008 R2 and 2003 (Mostly 2008 R2)

Client servers are a mix of 2003, 2008 R2, and a mix of Linux flavors.

Zone is AD Integrated with Non-secure and Secure dynamic updates enabled.

In an attempt to clean up a zone that has not been scavenged for over five years I did the following:

  1. Enabled aging at the zone level for a month to allow the records to update their time-stamps
  2. After a month, scavenging was turned on at the server level (the single server that was SOA for the zone)

The problem occurred when Linux boxes with out-of-date time-stamps started to get scavenged. In total there were only about 12 active A records for Linux servers that got scavenged inappropriately, out of 1300 that were scavenged.

So my issue:

First off, these servers are static, so why are they getting timestamps? The answer is not that someone set them to age with the scavengeall command; that is not the case here. We have tested, and even new Linux servers added to the domain with a static record, regardless of the many ways to add Linux servers to the domain, ALWAYS get a timestamp added to them when they show up in AD DNS.

Even if they have a timestamp despite being static records, shouldn't they have gotten timestamp updates (dynamic updating is on, after all)?


More info:

Adding static A records manually for the Linux servers works fine.

These are often using Samba as the OS

Every Windows server was updating perfectly and none of them were scavenged inappropriately. So DNS is working fine in general; it's just the way it handles these Linux boxes.

I've had to turn scavenging back off and would like to turn it back on, but I need to figure this beast out. Essentially, how can I get Linux to show up in DNS as a static record?

Forest LDAP Query seeing all sub domains



Hi there,
Does anyone know if the following scenario is possible?
I have a forest, Forest A, which has two sub-domains, say domain x and y (two-way trust), and they are replicated.
root:    dc=domain,dc=com
child 1: dc=x,dc=domain,dc=com
child 2: dc=y,dc=domain,dc=com

I want to be able to do an LDAP query from the root domain with scope set to subtree, but I only need results from the root domain. When I try to search, it gives me all records from the forest.

e.g. searching for user1 under root
result should be:  cn=user1,ou=people,dc=domain,dc=com

should not be:     cn=user1,ou=people,dc=domain,dc=com
                   cn=user1,ou=people,dc=x,dc=domain,dc=com
                   cn=user1,ou=people,dc=y,dc=domain,dc=com

Thanks
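As an added illustration of the DN structure in the post above (this is example code, not something from the post or from Microsoft), the following Python filters a list of search results down to the entries that live in the root domain's naming context. The subtle point it demonstrates is that a naive suffix check is wrong: "cn=user1,ou=people,dc=x,dc=domain,dc=com" also ends with "dc=domain,dc=com", so the filter has to compare the DN's whole trailing run of dc= components against the naming context. The sample DNs are constructed to mirror the three in the post; the naming-context value "dc=domain,dc=com" is taken from the post.

```python
# Added example (not from the forum post): keep only the entries of a
# subtree search result that belong to the root domain's naming context.
# A naive dn.endswith("dc=domain,dc=com") is wrong because child-domain
# DNs such as "dc=x,dc=domain,dc=com" also end with that suffix; the check
# must look at the DN's trailing domain components as a whole.

ROOT_NC = "dc=domain,dc=com"   # root naming context from the post


def _rdns(dn):
    """Split a DN into its RDN strings, lower-cased and stripped.
    A comma escaped with a backslash (e.g. 'cn=Smith\\, John') does not split."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip().lower())
    return parts


def naming_context_of(dn):
    """Return the naming context a DN belongs to: the trailing run of RDNs
    whose attribute type is 'dc' (e.g. 'dc=x,dc=domain,dc=com')."""
    rdns = _rdns(dn)
    i = len(rdns)
    while i > 0 and rdns[i - 1].startswith("dc="):
        i -= 1
    return ",".join(rdns[i:])


def in_naming_context(dn, nc=ROOT_NC):
    """True only if dn lives directly in naming context nc, not in a child NC."""
    return naming_context_of(dn) == ",".join(_rdns(nc))


def naive_suffix_match(dn, nc=ROOT_NC):
    """The incorrect check, kept here to show why it over-matches."""
    return dn.lower().endswith(nc.lower())


def filter_to_root(dns, nc=ROOT_NC):
    """Return the subset of dns that belong to naming context nc."""
    return [dn for dn in dns if in_naming_context(dn, nc)]


# Constructed sample results, mirroring the three DNs in the post plus a
# differently-cased duplicate of the root entry.
SAMPLE_RESULTS = [
    "cn=user1,ou=people,dc=domain,dc=com",
    "cn=user1,ou=people,dc=x,dc=domain,dc=com",
    "cn=user1,ou=people,dc=y,dc=domain,dc=com",
    "CN=User1,OU=People,DC=Domain,DC=com",
]

if __name__ == "__main__":
    for dn in SAMPLE_RESULTS:
        print(f"{dn:45s} naive={naive_suffix_match(dn)} correct={in_naming_context(dn)}")
```

Running the block prints one line per sample DN showing that the naive suffix check accepts all four entries while the naming-context check accepts only the two root-domain ones. As a general AD note (not stated in the post): a query that returns objects from every domain in the forest is the behaviour of the global catalog port (3268), while a domain controller's own LDAP port (389) only holds that DC's domain naming context, so which port the search is sent to matters as much as the filter.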

Active Directory error 1168 on W2K8R2


Hi all,

I have 3 domain controllers in a single domain in a single forest: 2 x W2K8R2 and 1 x W2K3R2. Forest functional level is Windows 2003. All FSMO roles are held by one of the W2K8R2 domain controllers, which displays this error in a period of 2-4 days:

Internal error: An Active Directory Domain Services error has occurred.

Additional Data
Error value (decimal):
6
Error value (hex):
6
Internal ID:
1240101

I tried to diagnose the problem, but the "dcdiag /q" command displays no errors, and the "repadmin /replsum" command also does not display errors or replication failures.

Any ideas?


Server not accessible, but still running fine


Hi all,

We have had this same issue now with two of our Hyper-V host servers. The symptoms are that when RDPing to the machine it asks for credentials, but then throws the error:
Remote Desktop Connection
---------------------------
Remote Desktop cannot verify the identity of the remote computer because there is a time or date difference between your computer and the remote computer. Make sure your computer's clock is set to the correct time, and then try connecting again. If the problem occurs again, contact your network administrator or the owner of the remote computer.
---------------------------
When you try connecting via the Hyper-V manager, you get the error "RPC Server unavailable. Unable to establish communications between ..."

I can connect all of the other remote tools to it (event viewer, server manager, services) and can see the following:

In the event viewer there are a multitude of errors, I'm guessing all with the same root cause:

GPO

The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one or more of the following:

a) Name Resolution failure on the current domain controller.

b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

DCOM

DCOM was unable to communicate with the computer <DPM Backup server> using any of the configured protocols.

NETLOGON - Looks like the worst and maybe root cause?

This computer was not able to set up a secure session with a domain controller in domain D01 due to the following:
The RPC server is unavailable.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. 

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

I can see that the service "Remote Procedure Call (RPC)" is started. Restarting it makes no difference. The RPC Locator service isn't started, but I don't think this is an issue.

The DNS servers that are configured are the DCs, and these are certainly fine for all our other servers and clients. The time is indeed out of sync, but I think this is more because it cannot establish a session with the DCs, which are the NTP servers. All of the guest machines are fine and running perfectly.

Like I said at the start, this has happened to another of our servers, suggesting that this is maybe a wider AD issue. In the case of the first server, a restart solved the symptoms. However, this second server is a bit more of a pain to restart and I want to sort out the root cause.

Thanks in advance.

Two Forest 2003. Upgrade DC on one Forest to Server 2012


We have two forests (A,B). Forest trust exists. Forest Level Windows 2003 on both. Forest B is a resource forest.

We're going to upgrade Forest A DC servers to Server 2012 (not the domain and forest level):

1) Add new x64 servers with the Server 2012 OS.

2) Promote these servers to DCs. So, I need to run: "adprep /forestprep" + "adprep /domainprep" + "adprep /domainprep /gpprep"

3) Move AD roles. Remove the old DC Servers 2003.

At this moment....

A) I suppose that I can add 2008 DC servers, no? (I need to test DC Server 2012. If it fails, I'll install DC Server 2008.)

B) Any issue with forest B?

strange error from AD when using powershell


Hey guys, I'm trying to add UPN suffixes to the AD forest, and I'm using the below command for that.

Import-Module activedirectory
Set-ADForest -Identity domain.com -UPNSuffixes @{Add="demo23.com"}

Now the problem: sometimes I'm getting the below error.

Set-ADForest : Insufficient access rights to perform the operation
At line:1 char:13
+ Set-ADForest <<<<  -Identity "domain.com" -UPNSuffixes @{Add="demo23.com"}
    + CategoryInfo          : NotSpecified: (Microsoft.Activ...gement.ADForest:ADForest) [Set-ADForest], ADException
    + FullyQualifiedErrorId : Insufficient access rights to perform the operation,Microsoft.ActiveDirectory.Management.Commands.SetADForest

Now, the above error comes occasionally..

I was able to actually execute the PowerShell cmdlets peacefully, then all of a sudden it throws the above error for the same user on the same machine, and on the same PowerShell console..

I'm totally blank here. Can anyone help me with this strange error?

Edit:

Just now I have been able to reproduce the error. What I did was to log off from the domain controller, and then after logging back in and running the same command, I'm getting the same error.



Global Catalog Server


Hello,

We run a 2008 R2 Active Directory environment with Exchange 2010 SP1. Every DC is a global catalog server. Currently we have a new ticketing system that queries the global catalog for AD authentication. My manager would like to configure this to use SSL. What are the Global Catalog's default port and SSL port? If I configure SSL in this scenario, do I risk breaking anything else...?

Thank you,
