Channel: Directory Services forum
Viewing all 31638 articles

1. FRS replication and 2 DFS replication

Hi all,

FRS:

How to check FRS replication?

How to monitor FRS replication?

How to find the error logs?

FRS advantages and disadvantages?

DFS:

1. DFS advantages and disadvantages

2. DFS error logs path?



Active Directory Domain Services Configuration Wizard Script

Hello,

When installing AD, almost at the end one gets a script, the so-called Active Directory DSC script. One can even view the script. Is it somehow possible to see this script after closing the ADDS configuration GUI?

Many thanks.

Event ID - 4015 : The DNS server has encountered a critical error from the Active Directory.

Hi,

My RODC is showing the following event.

"The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error."

But the DNS service is OK and AD is functioning properly. So why is this type of event created, and how can I solve the error?

Or is this error avoidable?

Thank You,

Mosharrof

Replication access denied

Hi Support,

We have two Windows 2012 Standard DCs.

We did not make any recent changes.

When we checked replication today we saw the below error:

Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\AD1

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: 653b6bb0-39bc-4610-a4a7-b08248b940d6

DSA invocationID: 86a9e6b9-5f25-47f9-9147-3d8a13a108f1



DsBindWithCred to localhost failed with status 5 (0x5):

    Access is denied.

The other DC, AD2, is fine. That DC has inbound replication from the problematic DC. AD2 is the primary DC.

Please let me know how I should troubleshoot this.

Active Directory Migration

About AD domain migration: the source environment is 2008 R2 and the target environment is 2016. Can I use ADMT to migrate between both versions?

question about SYSVOL Replication from FRS to DFSR

I only have 2 DCs with Win Server 2008, and the rest are 2016.

I need to migrate SYSVOL replication from FRS to DFSR, and I wonder if I can postpone this migration until I demote all the DCs with Win Server 2008.

dcdiag does not show any specific issue, only the following:

        Base Object:

            Base Object Description: "DC Account Object"

             Value Object Attribute Name: msDFSR-ComputerReferenceBL

             Value Object Description: "SYSVOL FRS Member Object"

             Recommended Action: See Knowledge Base Article: Q312862

which can be fixed by migrating to DFSR as explained here, right?

https://support.microsoft.com/en-us/help/2512643/dcdiag-exe-e-or-a-or-c-expected-errors

I'm not sure what type of issue might happen while migrating SYSVOL?

domain from 2008 to 2012

When I transfer the domain I transfer all of the 5 roles:

C:\Users\administrator.bbb>netdom query fsmo
Schema master               pdc2012.bbb.AC
Domain naming master        pdc2012.bbb.AC
PDC                         pdc2012.bbb.AC
RID pool manager            pdc2012.bbb.AC
Infrastructure master       pdc2012.bbb.AC
The command completed successfully.

but dcdiag shows:

  Running enterprise tests on : bbb.AC
    Test omitted by user request: DNS
    Test omitted by user request: DNS
    Starting test: LocatorCheck
       GC Name: \\2008-ADD.bbb.AC
       Locator Flags: 0xe00031fc
       PDC Name: \\pdc2012.bbb.AC
       Locator Flags: 0xe000f1fd
       Time Server Name: \\2008-ADD.bbb.AC
       Locator Flags: 0xe00031fc
       Preferred Time Server Name: \\2008-ADD.bbb.AC
       Locator Flags: 0xe00031fc
       KDC Name: \\2008-ADD.bbb.AC
       Locator Flags: 0xe00031fc
       ......................... bbb.AC passed test LocatorCheck
    Starting test: Intersite
       Skipping site Default-First-Site-Name, this site is outside the scope
       provided by the command line arguments provided.
       ......................... bbb.AC passed test Intersite


Why are the GC and time server on the 2008 domain controller? I can't delete 2008; when I disable the network card on 2008 my domain goes down.

Microsoft AD - SQL server integration for desktop login

Hi Microsoft Team,

We are facing an issue which is as follows:

1.	We have a SQL-based user management system.
2.	Now, we are planning to get AD enabled for our production.
3.	The challenge is to see if, for a desktop login, we can have Active Directory (AD) talk to a non-AD source like SQL for user authentication / authorization. We will need your help here in checking the technical feasibility of this.

Please let me remind you that this is a non-cloud based infrastructure.

Also, I wanted to check if this is possible with a RADIUS configuration with AD (for desktop login).



move the users/groups/service account along with permission from one forest (domain xyz.com) to another forest (Domain abc.com)

We are looking to move the users/groups/service accounts along with permissions from one forest (domain xyz.com) to another forest (domain abc.com).

We have a one-way trust between the abc.com and xyz.com domains. Users/groups and service accounts exist in xyz.com and access the resources of abc.com (like file server (shared folder), Citrix profile (roaming, terminal and folder redirection)).

All users' data exists in the abc.com domain. Hence we are looking to move the users/groups/service accounts and computer accounts into the abc.com domain without losing access to existing resources.

As of now users access the resources in abc.com as below.

1-     Workstation is joined to xyz.com (which needs to be moved into abc.com).

2-     Users log in to the xyz.com domain (users exist in xyz.com and the profile path (roaming, terminal, and redirected folder) is configured via group policy as \\abc.com\dfs\...........).

3-     Users log in to the Citrix server (all Citrix servers/file server/storage are in abc.com) and access their resources.

Looking for some guidance here for a seamless move.

Azure AD Connect - Which Is The Authoritative Side?

We recently activated SSO using the Azure AD Connect tool and it appears that only the local AD is authoritative. In other words, if I change a password in the O365 Admin, it does NOT sync with the local AD, so there's no longer any SSO. However, if I change it in the local AD, it does sync to the cloud. Have I got something misconfigured, or is the sync only one way by design: from local > O365?

Art Cabot Director, Information Technology Sizemore, Inc.

Windows Server 2012 R2 SYSVOL folder replication

Hi All, 

Recently I've come across something I have never seen before. To be more precise, on two Windows Server 2012 R2 domain controllers I found the C:\Windows\SYSVOL\domain folder replicating between them by means of DFS Replication.

1) Should replication between domain controllers be performed by means of DFSR?

2) What if replication is disabled, as in the screenshot?

Thank you.

Should Hybrid joined computers allow login with UPN first

Hi, I'm looking to understand whether hybrid domain joined computers should be able to log on with the user's UPN in the first instance when there is no direct line of sight to an on-premises domain controller.

We have examples at our organisation where a user is permanently based offsite and we wish to send them a brand new computer that they have not logged onto before. Currently we either ask them to come and collect the computer and log onto it before taking it away, or we set them up with a local account (we really want to move away from this option).

We have implemented hybrid domain joined computers as we cannot move away from group policy at this stage, but none of our hybrid domain joined computers allow UPN login when there is no line of sight to a domain controller. Is this normal behaviour?

Note: UPN logon does work if there is line of sight to a domain controller and with a locally cached username.

Getting 4776 Events Saying Account does not exist on IIS server

Hi Guys,

We have been getting 4776 events (status 0xc0000064) on our IIS server stating that the account does not exist, for multiple users.

But the AD accounts actually exist and there are no issues with the AD accounts either.

On the same server I can see successful logon events for the same users; I don't understand why this is happening.

Please help me with this...

Successful logon event 4624 for the same user account on the same server:

An account was successfully logged on.

Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

New Logon:
    Security ID: xxxxxxxxxxx
    Account Name: xxxxxxxxxxx
    Account Domain: xxxxxxxxxxx
    Logon ID: 0x2d7af6a6e
    Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID: 0x0
    Process Name: -

Network Information:
    Workstation Name: xxxxxxxxxxxx
    Source Network Address: xx.xx.xx.xx
    Source Port: 58480

Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): NTLM V2
    Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
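
Added example (not code from the original post): the 4776 "status 0xC0000064" the post describes is NTSTATUS STATUS_NO_SUCH_USER, meaning the authority found no account matching the exact name string the client sent, while the 4624 for the same person shows the name form that did work. The PowerShell below pairs the two event types by workstation and lists, for every failing name, the names that succeeded from the same machine, so the string difference can be compared directly. The sample events at the bottom are constructed stand-ins (the names jsmith, CORP and WKS01 are invented); Get-SecurityEventData shows how to feed the real Security log instead, using the EventData field names 4776 and 4624 actually carry.

```powershell
# NTSTATUS 0xC0000064 = STATUS_NO_SUCH_USER: no account with the name the client sent.
$NoSuchUser = '0xC0000064'

function ConvertFrom-EventData {
    # Flatten one Security-log EventRecord into a hashtable keyed by its EventData field names
    # (4776 carries PackageName, TargetUserName, Workstation, Status;
    #  4624 carries TargetUserName, TargetDomainName, WorkstationName, IpAddress, LogonType, ...).
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{ Id = $Event.Id; TimeCreated = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Get-SecurityEventData {
    # Live variant: the last $Hours of 4776/4624 from the local Security log.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = @(4776, 4624); StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-EventData $_ }
}

function Get-NoSuchUserReport {
    param([hashtable[]]$Events)
    # -eq on strings is case-insensitive, so '0xc0000064' in the XML matches $NoSuchUser.
    $failures  = @($Events | Where-Object { $_.Id -eq 4776 -and $_.Status -eq $NoSuchUser })
    $successes = @($Events | Where-Object { $_.Id -eq 4624 })

    # One row per (failed name, workstation) pair, with the names that DID succeed from that workstation.
    $failures | Group-Object -Property { "$($_.TargetUserName)|$($_.Workstation)" } | ForEach-Object {
        $first = $_.Group[0]
        $okNames = $successes |
            Where-Object { $_.WorkstationName -eq $first.Workstation } |
            ForEach-Object { "$($_.TargetDomainName)\$($_.TargetUserName)" } |
            Sort-Object -Unique
        [pscustomobject]@{
            FailedName      = $first.TargetUserName
            Workstation     = $first.Workstation
            Failures        = $_.Count
            SuccessfulNames = ($okNames -join ', ')
        }
    }
}

# Constructed sample events, not real log data. The same workstation fails twice as
# 'jsmith@corp.example' and succeeds as 'CORP\jsmith'; that kind of mismatch is what to look for.
$Sample = @(
    @{ Id = 4776; PackageName = 'MICROSOFT_AUTHENTICATION_PACKAGE_V1_0'; TargetUserName = 'jsmith@corp.example'; Workstation = 'WKS01'; Status = '0xc0000064' },
    @{ Id = 4776; PackageName = 'MICROSOFT_AUTHENTICATION_PACKAGE_V1_0'; TargetUserName = 'jsmith@corp.example'; Workstation = 'WKS01'; Status = '0xc0000064' },
    @{ Id = 4776; PackageName = 'MICROSOFT_AUTHENTICATION_PACKAGE_V1_0'; TargetUserName = 'jsmith'; Workstation = 'WKS01'; Status = '0x0' },
    @{ Id = 4624; TargetUserName = 'jsmith'; TargetDomainName = 'CORP'; WorkstationName = 'WKS01'; IpAddress = '10.0.0.5'; LogonType = '3'; AuthenticationPackageName = 'NTLM' }
)

Get-NoSuchUserReport -Events $Sample | Format-Table -AutoSize
# Against the real log instead:  Get-NoSuchUserReport -Events (Get-SecurityEventData -Hours 24)
```

The report deliberately keys on the raw TargetUserName string rather than on a resolved account, because 0xC0000064 is about the string the client presented; a row whose FailedName differs from every entry in SuccessfulNames (different domain prefix, UPN versus sAMAccountName, trailing whitespace) points at the client or application sending that form, not at the account itself.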


VM DC restore

Hi,

I am writing a disaster recovery document for our DCs.

We have 2 Server 2019 Hyper-V hosts and each has 1 VM DC. We back up each DC with Backup Exec and the Hyper-V agent.

My question is: how do I recover the VM DC that has the 5 FSMO roles?

I understand that because we are using Hyper-V higher than 2012 and the VM DC is also 2012 R2, we can just restore the VM DC with no issue with the Generation-ID. Is this correct? Or do we still have to do a non-authoritative restore of the DC with the FSMO roles?



Shahin

LDAP connection on Domain Controller

Hi,

Is there any tool/method to find the incoming LDAP connections for a specific Domain Controller? Also, please confirm whether it is possible to extract this data from logs rather than in real time.

Thanks in advance.


VM DC Restore question

Hi Guys,

The host server of my VM DC won't start up after installing the Server 2019 updates!!

The good news is that I have moved all of the VMs from the crashed host to a different host, and because we have 2 other physical DCs I could get them all back online.

Question:

What are the correct steps to bring the VM DC online again? Please note that this VM DC has all of the FSMO roles.

I also copied the VM DC to the new Hyper-V host (like the other VMs). Since last night we have not had any changes on the other 2 DCs, maybe resetting 2 passwords only.

Can I start the VM DC on the new host, log in, give it the same IP and bring it back online? I have not yet started the VM DC on the new host.

Thanks


Shahin

How to add Windows 2012 R2 as new domain controller in the existing Windows 2008 R2 domain.

In our environment we had three domain controllers in a single forest, all on Windows 2008 R2: one is located at a branch office in a different region, and two at the head office, one of which is the PDC. The additional DC crashed today (hardware failure), and now I am planning to have a Windows 2012 R2 DC on new hardware. Kindly suggest the best practice to achieve this. Kindly note that I also had WINS and a Certification Authority on the crashed server.

Domain controller Implementation

I'm thinking about domain controller implementation for 100 users.

Azure or on-premises: which is the best place to put domain controllers?

Please give me your advice on the pros and cons.

Object Delete notification is not coming when LDAP_SCOPE_SUBTREE is used

Hi,

I am using LDAP change notification control to receive notifications of changes in Active Directory using the guidelines indicated in the following link:

https://docs.microsoft.com/en-us/windows/desktop/ad/example-code-for-receiving-change-notifications.

Change notifications for Insert and Update are coming fine, but the Delete notification behaviour is not consistent between using LDAP_SCOPE_ONELEVEL and LDAP_SCOPE_SUBTREE.

If I set the base object to be the root of the naming context then, no matter whether LDAP_SCOPE_ONELEVEL or LDAP_SCOPE_SUBTREE is specified, I always get all three types of notifications (Insert, Update and Delete).

However, if I use any other container (such as Users) or Organizational Unit (OU) as the base object, then using LDAP_SCOPE_ONELEVEL always returns all three types of notifications (Insert, Update and Delete), but using LDAP_SCOPE_SUBTREE ONLY returns Insert and Update notifications and does not send Delete notifications.

The above tests were run against both Active Directory and AD LDS separately and the behaviour is consistent.

Just wondering if this is expected behaviour or if I am missing anything. Any help would be greatly appreciated.

Thanks,

Nasir

Changing Local account passwords in bulk across multiple machines in Domain

We have a local admin account on all of our workstations that we use with our remote software to log in. The problem is that that same account on all of the workstations has had the same password for years, and some of the users now have it and could possibly log in locally. How can I change the password for this local user account so that it resets on all of the machines in bulk, rather than me going to each machine individually and resetting it? If it cannot be done through a GPO, what would the PowerShell command be to reset the password for the same local account in bulk on over 200 machines?


Support analyst
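
Added example, not code from the original post: one way to do the bulk reset the question asks for is PowerShell remoting with Set-LocalUser, run from a management host, with a report of which machines were not reached so the run can be repeated for them. Everything environment-specific here is an assumption: WinRM enabled on the workstations, the caller holding local administrator rights on them, the local account name 'LocalAdmin' (placeholder), and the AD filter used to select targets.

```powershell
# Requires the ActiveDirectory module (RSAT) on the machine you run this from.
#Requires -Modules ActiveDirectory

function Reset-LocalAccountPassword {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$Password
    )

    # Fan out in parallel; an unreachable host becomes an error record instead of stopping the run.
    # The SecureString is serialized under the remoting session's encryption, not sent as plaintext.
    $changed = @(Invoke-Command -ComputerName $ComputerName -ThrottleLimit 32 `
        -ErrorAction SilentlyContinue -ErrorVariable remoteErrors -ScriptBlock {
            param($n, $p)
            # Set-LocalUser ships with Windows 10 / Server 2016 and later (Microsoft.PowerShell.LocalAccounts).
            Set-LocalUser -Name $n -Password $p -ErrorAction Stop
            $env:COMPUTERNAME   # echoed back only when the change succeeded
        } -ArgumentList $Name, $Password)

    # Anything not echoed back was offline, refused WinRM, or failed inside the script block.
    $missed = @($ComputerName | Where-Object { $changed -notcontains $_ })

    [pscustomobject]@{
        Changed = $changed
        Missed  = $missed
        Errors  = @($remoteErrors | ForEach-Object { $_.Exception.Message })
    }
}

$AccountName = 'LocalAdmin'   # placeholder: the real local account name
$NewPassword = Read-Host -AsSecureString -Prompt "New password for local account $AccountName"

# Workstations from AD; adjust the filter to your OS naming, or scope with -SearchBase to an OU.
$Targets = Get-ADComputer -Filter 'OperatingSystem -like "Windows 10*"' -Properties OperatingSystem |
           Select-Object -ExpandProperty Name

$result = Reset-LocalAccountPassword -ComputerName $Targets -Name $AccountName -Password $NewPassword
"Changed on {0} machines, missed {1}" -f $result.Changed.Count, $result.Missed.Count
$result.Missed | Out-File -FilePath .\missed-hosts.txt   # feed this list to a later run
$result.Errors
```

The missed list is the important output: a machine that was powered off during the run still has the old password that users know, so the job is not done until that list is empty. Note also that after the run the account is still one shared secret on 200 machines; giving each machine its own random, automatically rotated local administrator password (what Microsoft LAPS does) removes the shared-password problem the post describes rather than resetting it.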
