Channel: Directory Services forum
Viewing all 31638 articles
Browse latest View live

managed by

Hi

We have a scenario where every user logs in to only one PC:

user1 - computer1

user2 - computer2

1- When we set "Log On To" for a user, they can log in, but they are unable to log in to the mail server (OWA), and we have to add our Exchange server for the user.

2- When we set "Managed By" for a computer, that never works.

How can I do this?

Thank you in advance


Block websites on windows server 2012 for active directory users

I am new to Windows Server 2012.

I previously used TMG on Windows Server 2012 R2 for blocking websites for Active Directory users. Now the new server is on Windows Server 2012. I want to block websites for Active Directory users. I have two adapters on my server machine. Please guide me or point me to any tutorial for this.

Thanks in advance

Cannot access to SYSVOL folder from domain controllers and some client computers

Hi,

I have two domain controllers that are Windows Server 2019. The first one is the primary DC and the second one is the secondary (additional) DC. The problem is that I can't access the SYSVOL share folder of the domain controllers from either domain controller: I'm prompted for credentials, and when I enter the username/password I get an "Access denied" error. Please note, some of the clients can successfully connect to the SYSVOL share folder. I did a non-authoritative SYSVOL restore based on DFSR and I saw the following error:

Log Name:      DFS Replication
Source:        DFSR
Date:          4/26/2019 7:02:35 PM
Event ID:      4614
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      AD-DC01.rsz.local
Description:
The DFS Replication service initialized SYSVOL at local path C:\WINDOWS\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner SRV-additional.rsz.local. If the server was in the process of being promoted to a domain controller, the domain controller will not advertize and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.
Additional Information: 
Replicated Folder Name: SYSVOL Share 
Replicated Folder ID: 30DDCF9A-51E4-4610-A05A-E3C1A530A85D 
Replication Group Name: Domain System Volume 
Replication Group ID: 355A21AE-E72E-40F5-83B8-8FC9E05468B2 
Member ID: 0B7EE151-3FF3-438F-BA71-4262143017F1 
Read-Only: 0
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="DFSR" /><EventID Qualifiers="32768">4614</EventID><Level>3</Level><Task>0</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2019-04-26T14:32:35.612433700Z" /><EventRecordID>171</EventRecordID><Channel>DFS Replication</Channel><Computer>AD-DC01.rsz.local</Computer><Security /></System><EventData><Data>30DDCF9A-51E4-4610-A05A-E3C1A530A85D</Data><Data>C:\WINDOWS\SYSVOL\domain</Data><Data>SYSVOL Share</Data><Data>Domain System Volume</Data><Data>355A21AE-E72E-40F5-83B8-8FC9E05468B2</Data><Data>0B7EE151-3FF3-438F-BA71-4262143017F1</Data><Data>SRV-additional.rsz.local</Data><Data>0</Data></EventData></Event>

Hint: SYSVOL folder on both DCs is empty.

Any help would be appreciated.

Thanks for your efforts and time.

Best Regards

w32tm - the rpc server is unavailable

Hello

I have a 2008R2 DC running as a VM on Hyper-V 2012R2.  The DC has all FSMO roles and is the PDC in my domain, there are two other DCs in the domain.

The DC will not synchronize with an NTP service and is currently 1m03s out vs. the correct time.  When I attempt to manually update the time (W32tm /resync /computer:time.windows.com /nowait), I get the error message "The following error has occurred: The RPC server is unavailable. <0x800706BA>"

The DC is about 4 years old; it has never had a problem with time in the past.  Looking back over log files, I think this may have started to happen on October 29th (when Daylight Saving ends in the UK), but I've only just noticed some computers on the domain are inaccurate (others remain accurate though, despite time-syncing to the DC).

So far my troubleshooting checks have been:

> Ensuring that it is not syncing with the HV hosts (this integration has been turned off for a long time)

> Watching the firewall logs to ensure the NTP traffic leaves the building (it does)

> Trying a different Internet connection with no outbound restrictions

> Trying different NTP servers

> Restarting the server

> Restarting W32Time service

> Turning the local firewall off

> Running "w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update" and restarting W32Time

I've run out of ideas!  Does anyone have any further suggestions?

Many thanks

Paul

visualizing user hierarchy in an OU

Hello, I have been trying to visualize a specific OU structure, without exporting the information from Exchange, by using Visio.

Is there a tool or a script that can pull the information into a CSV file or a text file that can be imported into Visio?

I want to pull personal information and who the manager of that person is.

Sites and services Issue

Greetings,

I am working as an Infrastructure Engineer for a Microsoft partner and am currently working on a project for one of our customers to build AD, DFS and Exchange in a DR site.

I am facing some issues for communication between main site and DR site for DFS and Exchange.

I need to be sure that no issue is related to AD sites and services setup.

Sites and services setup

Site1 (Azure Site): 1 DC (turned off)

Site2 (Main site): 2 DCs

Site3 (DR site): 1 DC

All domain controllers running Windows Server 2012 R2

How can I check that the AD Sites and Services setup is valid?

Regards,

Migrating Directory Service Servers to a New Server

Hi all,

I'm planning to migrate one of my client's directory servers to Windows Server 2016. At the moment there is a mix of Server 2008 R2 and Server 2012. The customer has 3 sites. 2 sites have separate VMs for root domain controllers, and the other, small site is replicating AD from one of the big sites I mentioned earlier. Forest and domain functional levels are Server 2003.

I want to know what the best approach is to upgrading these servers. I want to migrate all these servers to newly installed servers; I'm familiar with that. The confusion is with the complication added by site replication and separate servers for root and local domains. This customer doesn't have local Exchange. File servers are already updated to 2016 and depend heavily on authentication.

Any ideas ? 


Janindu Nanayakkara

LDAPS certificate installation

Hi

If I install an LDAPS certificate from DigiCert to implement LDAPS, would that affect any existing infrastructure? We have Exchange 2016, SharePoint, a file server etc. I appreciate your inputs.

Thanks


domain users unable to change their password by alt+ctrl+del from client computer

I have an issue with some domain users.

These users are not able to change their domain account password by Alt+Ctrl+Del.

They receive the error "Security database on server does not have computer account for this workstation trust relationship".

I have checked the secure connection with the domain controller on the particular client, but the connection is healthy.

Please help me to find out other reasons for this issue.

I have 5 domain controllers spread across 3 AD sites. All my FSMO role holder DCs are in a single AD site.

DFS access problem

Hi,

I have a problem with access to DFS using the namespace \\domainname\dfs\share from Excel, Word or other Office applications. The shared drive is mapped using group policy and I can navigate through the shared drive using Explorer without any problems.

I can access the share directly from the server \\dfs-01\shared without any problems. We have 280 users but not all of them have this problem (it's around 20-20 of them).

If I use my DA account the problem doesn't exist and I can open Excel or Word files without any problems. Can you please help?

Regards,

Jan

AD Migration Issue

Team,

In our environment the primary AD was running on 2008 SP2 and we have introduced a 2012 server as a secondary AD server. After adding the server, we moved all the FSMO roles to the new server (Win2012), but the SYSVOL is not showing on the new server. Kindly help with this.

Segregation - Administrators

There was a recent divestiture and we are in the process of amalgamating systems under a single domain

Based on the requirement from the Department of Energy listed below:

"Ensure individuals will have access to the controlled information governed by
Part 810 only as needed for their responsibilities and that they will not have access to classified information, or
information deemed to be sensitive nuclear technology, while employed by company"

Is there a way to grant a system administrator access through ADUC so that they can do everything they need in a specific region (Canada / US) without allowing them access to commercially sensitive data or classified information? ACLs and security groups should suffice, correct?

Some of the "Administrators" duties would include:

ADUC administration (limited capacity, group management, adding servers, login scripts, powershell), Troubleshooting, Backup and Restores, SCCM administration, Networking, Software Installations, VMware, configuration management, Server deployment, among a few others.

Could the forest be setup the following way to enable this based on the model below?

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/using-the-organizational-domain-forest-model

Also, a rough unbiased opinion: this is a smaller company of 1000 employees; how long would this take to configure and set up?


Can't log in to UI if DC is connected to network

Ok here is a strange one.  This is happening on both virtual and physical DCs.  Demoting to member server eliminates the problem. DCDiag shows everything is good. 

After a reboot, the DCs in our child domain won't always allow you to log in to the console (the master domain doesn't have any users).

If the network is not present, you can log in using cached creds. 

It started a long time ago before I started working here, I thought I had fixed it with patching, but it impacts 2012r2 and 2016 (our domain is at 2008r2 currently, I just retired our old 2008r2 DC) 

It was working fine until I had to force remove the last 2008r2 server from the DC pool, well at least it appeared it was. 

Symptoms: Once rebooted, RAM spikes to max, the VM reboots a bunch, and eventually stabilizes. RAM is still at 100%.

If I reboot with network disconnected, everything starts up fine.  

I've run dcdiag until I'm blue in the face looking for anything,  

new windows 2016 cert auth server

We moved the cert auth service and role to a new Windows 2016 server from a 2008 server.  In PKIView.msc, it shows the old server in the left pane.  In the right pane, the CDP location #1 is expiring and the Delta CRL Location is Expired.  The locations for all four entries are still showing the OLD server.

I don't know what steps to take to rectify this and make the cert auth reflect the new server name in all aspects.  I also want to confirm that the new cert server is working properly.

unknown users in domain admin group

Hi,

I have noticed these two accounts and the OU. I have never created them, so what program created them?

The ServerAdmin is also part of Domain Admins group.

This is a Windows 2016 domain containing Windows Standard servers, but I know one guy installed an Essentials version once (removed now), and I am wondering if this could have been created then....

I want to delete these accounts, but need to be sure.

Any suggestions ?


/Regards Andreas

Replication problems

Hello,

While investigating the cause of event 13508 (The File Replication Service is having trouble enabling replication from DC to DC2 for c:\windows...) I got confused by the following facts:

1)

Q1: How is it possible to display the replication from DC to DC2 as working from DC2's point of view and as in the error state from DC's point of view? How can DC show that there's an error replicating from DC to DC2 if this successful replication can be seen on DC2, especially when NO errors can be seen on either server after running repadmin /showrepl?

2)

Q2: Although DC is the owner of all roles, it believes some partitions have never been replicated. How does that correlate with no errors in the repadmin /showrepl output above?

3) Furthermore, the almost non-functioning DC2 (the missing SYSVOL and NETLOGON shares don't allow it to be "a real DC") believes it holds one of the roles (I tried to remove DC2 and got this error):

Q3: How can these two screenshots exist simultaneously???

Thank you in advance,
Michael


trust relationship and sites and services

Guys,

In a lab, when having a trust relationship between 2 DCs, do I need to add the second DC in the Sites and Services part of AD?

Also, when I would like to replace the second DC with its own domain name (the other company) through an RODC in the domain of DC1, but I want the Active Directory structure, shared folders, ... available at the second DC migrated, how should I do that?

many thanks in advance

Can't enumerate group membership of groups with FSP members after running netdom /EnableTGTDelegation:No

We're trying to follow the guidance provided here. On 5/14/2019 this change will be the default for new trusts and on 7/9/2019 this will be the enforced behavior and the EnableTGTDelegation setting will be ignored. We operate out of a primary domain and manage several other forests from there. After running the command below where "ourdomain.local" is our domain and "otherdomain.local" is the domain that trusts our domain we started seeing errors with Get-ADGroupMembership for groups in "otherdomain.local" when run from "ourdomain.local". Running the dsget variant of this PowerShell command works. This seems to only occur if the group contains a Foreign Security Principal (FSP). These commands are run from the same location and with the same ID. PowerShell fails and dsget works. "Authenticated Users" is a member of the "Builtin\Users" group in both domains.

netdom.exe trust ourdomain.local /domain:otherdomain.local /EnableTGTDelegation:No

PowerShell command that fails:

Get-ADGroupMember "account operators" -Server otherdomain.local

dsget variant of it that works:

dsget group "CN=account operators,CN=builtin,DC=otherdomain,DC=local" -members

Error:

Get-ADGroupMember : The server was unable to process the request due to an internal error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.
At line:1 char:1
+ Get-ADGroupMember "account operators" -Server otherdomain.local
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (account operators:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember


Full error:

Microsoft.ActiveDirectory.Management.ADException: The server was unable to process the request due to an internal error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs. ---> System.ServiceModel.FaultException: The server was unable to process the request due to an internal error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.

Server stack trace:
   at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)
   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManagement.GetADGroupMember(GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)
   --- End of inner exception stack trace ---
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(FaultException faultException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADAccountManagement.GetADGroupMember(ADSessionHandle handle, GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetGroupMembers(String partitionDN, String groupDN, Boolean recursive)
   at Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember.GetADGroupMemberProcessCSRoutine()
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()



Merge three domains into single domain

Hi,

Looking for some guidelines to merge three domains into a single domain in the same forest.

If anyone has experience with this, please share your experience.

Thanks in advance.

Removing Tombstone Server 2016 Domain Controller, re-add to domain and promote to DC

Hi,

Currently I have three domain controllers (DC1, DC2, DC3), with the FSMO roles spread across DC1 & DC2. DC1 & DC2 are located in site A and DC3 is located in site B. Due to a misconfiguration of the network, DC3 wasn't able to communicate with DC1 or DC2 for quite some time, resulting in the tombstone lifetime being reached, i.e. 180 days. As far as I understand, DC3 is essentially unrecoverable now because of this. What are my options here to get DC3 removed from the domain completely, added back to the domain and promoted to a DC?

1. Restore network communication, demote DC3 so it's just a member server, then re-add it to the domain and promote it to a DC?

2. Force removal of DC3 from the domain and perform metadata cleanup, then re-add it to the domain and promote it to a DC?

What makes things worse is that DC3 is also a print server, which I would like to remain intact. By performing these actions, I presume that any computers that established a connection with DC3 will be broken and will need to be rejoined to the domain?

Looking for some input for a clean resolution to my problem.

Cheers

