Channel: Directory Services forum
Viewing all 31638 articles

Machine Cert Deleted After Auto Enrollment

Once a machine has used auto enrollment to get a machine cert for client auth what happens if someone deletes the certificate? In my testing it looks like the machine will not auto enroll a new cert. Is that expected? If so how can I force the machine to get another certificate?

BI For SCCM https://www.fatstacks.tech/home/bi | Register for a Free Demo


Active directory replication stopped to RODC sites


Hello,

The Active Directory replication between our RODC sites has suddenly stopped with the error codes below.

Error Code: 1256
Message: Replication error 1256 The remote system is not available

Error Code: 1396
Message: Replication error 1396 Logon Failure The target account name is incorrect

But in AD configurations we have not done any changes recently. The writable DCs are replicating without any issues. Please help me to fix this issue.

And below is the error thrown when viewing the properties of the server in AD Sites and Services.

Thanks,

Prabu

Server 2012 Users cannot delete files that they have full access to


We have users that RDP into our server that is running Windows Server 2012 R2. Users have full access to files within their user folder, but are prompted for administrative privileges when they attempt to delete a file from their desktop.

I am not certain the problems are related, but I also noticed that I am unable to set up OneDrive within my user folder. When I attempt to do so I get the following error:



The drives are NTFS.

Folder Redirection in DFS Namespace


I'm having a hard time figuring this out.

I deployed a DFS Replication environment. I also want to deploy folder redirection using GPO.

I want users' Desktop, Documents and Downloads redirected to the DFS.

My configuration:

1. I created a security group named sgUserProfile. Then added users to the group

2. Under the shared folder ( target folder of DFS ) I created folder named User Profile. In that folder's security I added sgUserProfile with:

  1. Traverse Folder
  2. List Folder
  3. Read Attributes
  4. Read Extended Attributes
  5. Create folders

   (Folder Structure is : Network_Share > User Profile)

3. I created a GPO for folder redirection.

When I log in to the client PC, the user's username is created in the User Profile folder, but the Desktop, Download and Documents were not redirected.

In which part of the configuration did I make mistakes?

Thanks in Advance.

DFS namespace problem on disc mounted to NTFS folder


Hello

We do not map the disc as a letter (D:\ etc.), but mount it to an NTFS folder. When I create a DFS namespace on this disc (for example c:\storage\DISC1\test_DFS) and restart the DFS service (or restart the server), we observe a new folder with a strange symbol in its name (겱Test01).

New folders appear on every subsequent service restart. We are sure it is a bug in DFS namespace.

Preview of this issue below.

Is there a chance to resolve this problem?

Zdenek


Zdenek Mozis

What does Delete Computer Accounts permission do?


Greetings,

   We have an OU with computer accounts in it.

   I gave someone the following permissions on that OU:

Permission: Delete Computer Accounts

Applies To: This object and descendant computer objects

  With these permissions they CANNOT delete computer accounts within that OU.

So I gave them the following permissions:

Permission: Delete

Applies To: Descendant computer objects

This works!

Which begs the question - what does the Delete Computer Accounts permission allow you to do exactly? 'Cause it certainly doesn't allow you to delete computer accounts!

Thanks

David Z

question about ad lds authentication in workgroup and replicated from active directory


Hello,

I have an application which is designed to use directory services for authentication, and its network is not controlled by our organization.

I would like to know if I can deploy an AD LDS instance which contains only a small part of the user accounts, those allowed to use this application, and which should be synced periodically with the actual Active Directory database.

I would like to know if it is possible and if there are any online manuals for that.

Thank you

Errors with Windows 10 joining our domain


Hello, 

I have been getting an error when joining new Windows 10 computers to our domain (for this post let's call it "company.local"): "Changing the primary domain dns name of this computer to "" failed. The name will remain "company.local". The error was: The specified domain either does not exist or could not be contacted."

It was addressed in a blog post

https://blogs.technet.microsoft.com/instan/2012/01/14/changing-the-primary-domain-dns-name-of-this-computer-to-failed/

saying that this used to be a bug with a hotfix for Windows 7.

Is the bug back in Windows 10?

Thanks for your time!


LDAPS and Server Name Indication (SNI) support


Hi,

When searching topics about Windows Server and SNI support, the results often lead to articles related to SNI support in IIS.  I have questions about SNI in Windows Server as relates specifically to LDAPS.  For example:

  1. In which server version was SNI first supported for LDAPS?
  2. For whichever version is the answer to question #1 - from that point forward - is it REQUIRED that a client use SNI extension during SSL handshake for LDAPS?
  3. If YES to question #2, is it possible to selectively turn that requirement ON/OFF?

Thank you,

DaveC

The Policy engine did not attempt to configure the setting. For more information, see %Windir%\security\logs\winlogon.log on the target machine


Hello All,

We have one domain with the default domain controller policy and another custom GPO. Both have certain common settings. The custom GPO is above the DDC policy in link order.

For any common settings between the DDC policy and the custom GPO, the custom GPO should take precedence as per the link order.

Currently it is applying the settings as per the link order precedence. However, we are getting a red mark in RSOP with the below error details.

The Policy engine did not attempt to configure the settings. For more information, see %Windir%\security\logs\winlogon.log on the target machine

Kindly Suggest 


Disable the option of User Must Change Password at Next Login only for a group of users while resetting the password of users in an OU


Grayed out the option of User Must Change Password at Next Login only for a group of users like HelpDesk while resetting the password of users in an OU but by default should be enabled

Windows 2008 R2 Active Directory Domain

Using pwdLastSet we have made the option grayed out while resetting the password of users in an OU, but we need to enable the option and then gray it out for a selected group while resetting the password of users in an OU.

Any ideas on how we shall achieve the above?



Event ID 5014 ( Error: 9033 - Error: 9036 )


Dear All, 

We did migrate our domain controller from 2012 R2 to 2016, and we did migrate from FRS to DFSR. All sys folders "policies and scripts" are replicated fine, but there is a warning message in Event Viewer:

5014 (  The DFS Replication service is stopping communication with partner DC3 replication group Domain System Volume due to an error. The service will retry the connection periodically) , Additional Information: Error: 9033 (The request was cancelled by a shutdown) , Additional Information: Error: 9036 (Paused for backup or restore) . 

Our DCs design:

Site1: DC1 - DC2

Site2: DC3 - DC4

DC1 has the warning ID 5014, DC3 doesn't have it. I did run a health check from DFS Management and there is no error. I did back up AD manually with "NTDSUTIL". I did check the sysvol folder for all policies and scripts and they are updated, and I even created a .txt file inside the policies folder and it replicated to the other DC "from DC1 to DC3". We are not running any backup at this time. Currently DFS Management contains all DCs with their sysvol folders only; no other shared folders are created yet. I found the following link to disable TCP offloading, but I didn't find that key and I'm not sure if I have to create a new key:

https://social.technet.microsoft.com/Forums/ie/en-US/01dc55f1-ff54-4c25-aca4-6122f0f654c5/dfs-event-id-5014?forum=winserverDS

Any advice?

Thank you

User profile migration on new domain server - same domain name


Hi, 

Due to a recent ransomware attack, my ADDS domain server has been compromised recently. So I am recreating a new ADDS server with domain controller and DNS role. On the new server, the domain/forest/netbios name all are same as the old one. Then I created the user with exactly same full name and same password assigned. 

Now, when I try to login to the domain user on another computer, it creates a new user profile instead of going to the existing profile. Example is the previous user profile was like manjurul.NPOLY, but instead of going to the existing profile on the existing desktop machine (I had to rejoin on the new domain by leaving out of domain to workgroup then again joining the new domain, because it was giving a trust relationship failure issue). So a profile was created named manjurul.NPOLY.000 with completely new desktop, new browser profile everything new. 

So what I did was, I used the ForensiT ProfWiz tool to merge both the old and new profile, then I got back to the required old profile on the Windows 10 desktop. There was no data loss, however I had to sign in again on all the services and all the websites on Edge/Chrome, like Gmail, Facebook, etc.

For one to a few machines it looks okay, ProfWiz does the trick, however I have several 100 of machines which I need to bring to the new domain server, and recreating or merging the profile on each of them looks like a tedious task. Is there any option to migrate automatically, or any option so that a new profile does not get created and it instead goes directly to the old existing profile?

Note that, the server is a Windows Server 2008 R2, all users are using Windows 10 pro, and no roaming profile is configured. 

Regards, 

Abdullah

Extract AD permissions


How to extract AD permissions from current AD environment? Is there any script/command available to extract the report?

Thanks in advance.

Trouble With Active Directory Replication, Netlogon and Sysvol creation


Hi

I have 1 Windows 2008 Enterprise Server (Not R2) let's call it (Server A), and 1 Windows 2008 Server R2, let's call it (Server B).

I have added Active Directory to Server B, and everything seems to have gone well, however the Netlogon and Sysvol folders that are usually created, are not there. Replication errors are occurring.

We see errors on DNS, but that seems to be configured fine. We have removed and added Active Directory twice.

Any help would be appreciated




need to install a package through GPO

Need to install a package through GPO. Can you please guide me?

Verification of Directory Paths Failed - Does Not Point To Physical Drive


Hello,

I have installed Windows Server 2012 R2 on a temporary server because we are retiring old servers and have to have a Temporary Domain Controller. The server has an SSD installed. When installing AD DS on the server, I cannot install because an error appears: "Verification of directory paths failed. The path does not point to a valid hard disk." I know many companies can run Windows Server on an SSD but I do not have a hard disk drive installed on the server. I have even tried plugging in an external HDD and pointing to it to store the directory files, but it will not accept that. Any ideas on why the server is being so stubborn?

Thanks,

Connor

AD Disabled Computers


Hi Guys,

Looking for some DSquery commands that I am able to use inside of Active Directory. Basically, a query that shows computers that have not been logged into the domain for a certain period of time or are disabled.

Can anyone help please?

Regards.

AD Attributes -Object class posixaccount and posixgroup


Hi,

Was trying to integrate an application for which object class posixaccount and posixgroup is required.

1-Was not able to trace these attributes to user or groups (searched in "attribute editor" tab for user and groups). Where to find these attributes other than the schema editor (already exist)?

2-We have also configured a user custom attribute which I do not find in the user's attribute editor. How do I add it (options without using ADSI editor)?

Rgs,

Sntsh.


during DC promotion, will DNS attempt to respond to clients with an empty database?


Hello Everyone!

I am in the process of progressively life-cycling my domain controllers that are also DNS servers with active integrated zones. 

During the life-cycle process we demote the original DC and DNS, and then promote a new DC and DNS with the same name and IP. This for the most part avoids many changes like firewall rules, configuration changes to DHCP scopes and other stuff.

However, as my workstations and servers are currently configured with the DNS of the original domain controllers I will be life-cycling, I want to know if during the DC promotion process (we install DNS at the same time), will DNS start responding to clients (before full replication is completed) with an empty database or incomplete zone replication? If so, this could cause some downtime issues!

Does anyone know if this is an issue?

Best regards

Ernie Prescott

