Channel: Directory Services forum
Viewing all 31638 articles
Browse latest View live

Forest Trust Relationships


Hello

In our organization we have configured a 2-way forest trust relationship between 2 forest domains (ForestA and ForestB) with Transitive mode "Yes"; Name Suffix Routing is properly set.

When checking the trust validation, the following window appears:

Checking with nltest /dclist:DomainB also gives a list of DCs in DomainB.

ForestA contains two child domains, child1.ForestA and child2.ForestA. ForestB doesn't have a child domain.

Adding an account from ForestB to a Domain Local group in ForestA succeeds. But when we try to add an account from ForestB to a Domain Local group in child1.ForestA, it gives the error window below:

 

P.S. Conditional Forwarders are configured properly; all FQDNs of DomainB resolve successfully.



AD Delegation


Dear All,

I delegated a user to reset domain user passwords and modify their properties. He can do his tasks on the majority of domain users but not on others. I checked those users and they're members of a security group "technical support", which has the privileges to do remote desktop on domain computers and is also a member of Domain Computers. All members of that group have adminCount 1, and as I understand it, even if I remove this value it will be added back after an hour. I added that user to the same group "technical support" and he has adminCount 1, but he still can't reset any member of that group. Inheritance is disabled for those users as well; I enabled it but it got disabled again. Is there any way to let that user reset all members of that group?

Thank You

Remove parent domain from NTDS


Hi,

I have an orphaned subdomain with 4 DCs (sub.root.local) (two of them as GCs), where I can't contact anything in the parent domain (root.local). Previously, we had to delete all settings that pointed to sub.root.local in root.local, because they could not promote a new server to be a Global Catalog. Now I'm having the same problem, but on my end. I successfully promoted two new DCs, but I'm receiving the following warning after running repadmin /showrepl:

DSA Options: IS_GC
    WARNING:  Not advertising as a global catalog.
Site Options: IS_GROUP_CACHING_ENABLED

I was directed to use Microsoft Tool named AD Replication Status Tool and almost every test passed, except for this:

Synchronization attempt failed because the destination DC is currently waiting to synchronize new partial 
attributes from source. This condition is normal if a recent schema change modified the partial attribute set.
The destination partial attribute set is not a subset of source partial attribute set.

The above test is a synchronization with DC=root,DC=local and it appears only on the older DCs, which are Global Catalogs.

I'm thinking of using ntdsutil to remove the references to root.local, but I'm not sure if this would break my environment, since I didn't find any information about using ntdsutil to remove a parent domain.

Please, if you need more information I will be pleased to answer.


ADLDS query


First let me say that I have almost no experience with PowerShell. I know how to dump some code into a .ps1 file to be run like a batch file. Here is what I'm trying to figure out.

We're going to be using an AD LDS attribute, "Description", to add data about which type of application someone uses on our site, and separate those applications with semicolons.

Example: app1;app2;app3;app4

I need a script that will read this attribute and parse those apps into variables, then execute something based on the variable.

Example: I need to see if a user has app2 in the user account description field, see if their account is enabled, and if it is, pull them into a CSV file, then email that file to a distribution list.

So I end up with a csv file listing how many users have app1 or app2.

Any help is greatly appreciated.

Here is a script that seems to work to pull some of that data from ADAM.

# pwdLastSet is requested explicitly: without it the converted value is blank (1601-01-01).
Get-ADObject -Server 'localhost:389' -SearchBase 'CN=Users,CN=WAP,DC=domain,DC=COM' -Filter 'description -like "*"' `
    -Properties DisplayName, lastLogonTimestamp, pwdLastSet, description |
    Select-Object Name, description, `
        @{Name="LastLogonTimeStamp";Expression={[datetime]::FromFileTime($_.lastLogonTimestamp)}}, `
        @{Name="pwdLastSet";Expression={[datetime]::FromFileTime($_.pwdLastSet)}} |
    Export-Csv c:\temp\userauditlast4.csv -NoTypeInformation

This also pulls the last logon timestamp and the last time the password was reset, which I really don't need.
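An added PowerShell script (not from the post) that does the parse-and-filter described above: it splits Description on semicolons, keeps enabled accounts that list the requested app, writes them to CSV and mails the file. It generalizes the ask slightly by taking the app name as a parameter. Server, search base, SMTP host, addresses and output path are assumptions.

```powershell
# Added example, not from the original post. Values below are placeholders.
param(
    [string]$App        = 'app2',
    [string]$Server     = 'localhost:389',
    [string]$SearchBase = 'CN=Users,CN=WAP,DC=domain,DC=COM',
    [string]$CsvPath    = "C:\temp\$App-enabled-users.csv",
    [string]$SmtpServer = 'smtp.domain.com',            # assumption
    [string]$From       = 'adlds-report@domain.com',    # assumption
    [string]$To         = 'app-owners@domain.com'       # assumption: distribution list
)
Import-Module ActiveDirectory

# Every object with a Description, plus the AD LDS "disabled" flag
# (AD LDS uses msDS-UserAccountDisabled, not userAccountControl).
$objects = Get-ADObject -Server $Server -SearchBase $SearchBase `
    -Filter 'description -like "*"' `
    -Properties description, 'msDS-UserAccountDisabled'

$report = foreach ($o in $objects) {
    # "app1;app2;app3" -> 'app1','app2','app3'; trim spaces, drop empty entries
    $apps = ($o.description -split ';') | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    # Exact, case-insensitive match so 'app2' does not match 'app22'
    if ($apps -notcontains $App) { continue }

    # Enabled unless the flag is explicitly TRUE ($null counts as enabled)
    if ([bool]$o.'msDS-UserAccountDisabled') { continue }

    [pscustomobject]@{
        Name              = $o.Name
        DistinguishedName = $o.DistinguishedName
        Applications      = ($apps -join ';')
    }
}

$count = @($report).Count
$report | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
"$count enabled account(s) list $App; report written to $CsvPath"

if ($count -gt 0) {
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "Enabled AD LDS users with $App ($count)" `
        -Body "See the attached CSV." -Attachments $CsvPath
}
```

Run it once per app (e.g. `.\report.ps1 -App app1`) to get the separate counts for app1 and app2 mentioned in the post.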

Unable to Remove Child Domains (Windows 2008 R2 Functional Level)


Hi All,

I'm running into an issue when deleting (3) child domains in a Windows 2008 R2 functional level domain. The child domains have been severed for several years and the child domain DCs have been removed from the domain using NTDSUTIL. When attempting to use ntdsutil: metadata cleanup > remove selected domain, I receive the error: DsRemoveDsDomainW error 0x2015 (The directory service can perform the requested operation only on a leaf object.)

Output:

metadata cleanup: select operation target
select operation target: list sites
Found 4 site(s)
0 - CN=site1,CN=Sites,CN=Configuration,DC=domain1,DC=com
1 - CN=site2,CN=Sites,CN=Configuration,DC=domain1,DC=com
2 - CN=site3,CN=Sites,CN=Configuration,DC=domain1,DC=com
3 - CN=site4,CN=Sites,CN=Configuration,DC=domain1,DC=com
select operation target: list domains
Found 4 domain(s)
0 - DC=domain1,DC=com
1 - DC=child1,DC=domain1,DC=com
2 - DC=child2,DC=domain1,DC=com
3 - DC=child3,DC=domain1,DC=com
select operation target: select domain 1
No current site
Domain - DC=child1,DC=domain1,DC=com
No current server
No current Naming Context
select operation target: quit
metadata cleanup: remove selected domain
DsRemoveDsDomainW error 0x2015(The directory service can perform the requested operation only on a leaf object.)

After looking up the error, it appears to be due to the DomainDnsZones partitions still being present. So I ran NTDSUTIL: partition management > list and have (10) naming contexts available, but I'm not sure which ones to remove.

C:\Windows\system32\ntdsutil.exe: partition management
partition management: list
Note: Directory partition names with International/Unicode characters will only display correctly if appropriate fonts and language support are loaded
Found 10 Naming Context(s)
0 - CN=Configuration,DC=domain1,DC=com
1 - CN=Schema,CN=Configuration,DC=domain1,DC=com
2 - DC=domain1,DC=com
3 - DC=child1,DC=domain1,DC=com
4 - DC=child2,DC=domain1,DC=com
5 - DC=child3,DC=domain1,DC=com
6 - DC=DomainDnsZones,DC=child1,DC=domain1,DC=com
7 - DC=DomainDnsZones,DC=domain1,DC=com
8 - DC=DomainDnsZones,DC=child2,DC=domain1,DC=com
9 - DC=ForestDnsZones,DC=domain1,DC=com
partition management:

Do I remove the DomainDnsZones entries for the child domains I'm attempting to remove, or do I remove all the child domain records above?

Domain Controllers losing their SRV Records


When this issue was first discovered several months ago, nearly all domain controllers in the environment were “losing” their SRV records. 

 

After extensive internal troubleshooting and research failed to present a remedy, a ticket with Microsoft Support was created (SR# 111071153777276). After a couple of weeks of troubleshooting and information gathering, it was determined that a combination of inconsistent DC configuration, frequent DNS scavenging, Server 2003’s 24-hour refresh interval of SRV records, and a poorly designed site topology converged to cause the SRV records to disappear.

 

Microsoft Support Engineers recommended a group policy setting be implemented on all domain controllers to force the registration of SRV records every 60 minutes as opposed to Server 2003’s default of 24 hours, and to standardize the DC configuration across the domain.

 

Their recommendations, along with replication topology improvements, significantly reduced the number of domain controllers that “lose” their SRV records. However, there are still approximately 10 domain controllers (20%) that continue to lose SRV records without intervention (dcdiag, netdiag, restarting netlogon service, etc….). Note that it has since been discovered that these DC’s also lose their own Reverse Lookup PTR records.

 

The DC will create the SRV records on itself, however they get deleted with the next replication cycle.  No replication errors are showing, and the DNS debug log leaves evidence of them being deleted at the same time replication occurs but doesn't give a reason. 

 

All domain controllers are running Windows Server 2003 R2 SP2 Enterprise Edition, with a mix of 32 and 64 bit editions, and are relatively current with patches. Each DC/DNS server points to itself for primary DNS, and secondary DNS points to a remote AD DC/DNS server. The domain functional level is Server 2000 Native and the forest functional level is 2000. The FSMO roles are split between two domain controllers at the datacenter. There's a DC at each site with 30 or more users. All DC’s are global catalogs with the exception of the Infrastructure Master DC.

 

The WAN is a managed MPLS network, with connections ranging from 1.5M T1 up to 100M fiber for the datacenter, and Cisco routers. All LAN hardware is “modern” Cisco 3750/2960/6513. Servers are connected to the LAN at 1 Gb/s. We rarely have WAN or LAN issues.

 

“Domain.ad” is the only forward lookup zone, and is AD integrated with dynamic updates allowed. Aging is set to 1 day no-refresh and 3 days refresh. There are AD integrated reverse lookup zones for all subnets with aging set to 1 day no-refresh and 2 days refresh. Scavenging runs on a 3-day cycle on only 1 DC/DNS server in the enterprise.

 

There isn’t anything that stands out as different with these 10 domain controllers, other than they lose their SRV and Reverse PTR records.

 

On any one of these 10 DC’s, if I change the primary DNS server to any other DC/DNS than itself, it starts working just fine. The SRV records get created automatically by the 60 minute SRV record refresh interval, the reverse lookup pointer for the DC’s IP address gets created, and it survives replication for at least 48 hours. The problem only seems to be when the DC is pointing to itself for DNS.

 

I’m at the point of rebuilding one of them from scratch to see if it fixes the problem, but I’d rather avoid that if possible. Any ideas would be appreciated.    If more information is needed/desired, just let me know. 

 

Thanks

 

Bulk change users' UPN, sAMAccountName and proxy address


Hi Experts,

I really need your help:

We have many users in AD whose sAMAccountName and UPN don't match their email address. How can I bulk edit their sAMAccountName and UPN based on their email address?

Thanks

Sky

last interactively sign-in timings

Can somebody explain the timings about the last login here? According to this, I checked the event log, but there is no login event related to 7:08:20 AM for this particular user. The user logged in to the PC at 8:10 AM; I can see that event in the event log, but no events related to 7:08 AM. What could be the reason for this?

restrict domain joining for particular windows 10 OS version


Hi Team,

How can I restrict domain joining for a particular Windows 10 OS version, like Windows 10 Education?

Apart from Windows 10 Enterprise edition, I need to deny the other Windows 10 OS versions.

Regards,

Yogesh

Problem with AD replication


I have a 1-DC environment (no $ for a 2nd one).

It's on the fritz. Possible memory issue and/or possible Windows corruption.

Anyway, I have a temporary box set up, joined it to the domain, promoted it to a DC, and forced replication via AD Sites and Services. It said it completed successfully.

New DC is a global catalog.

However, when the original DC goes offline, the new DC can no longer access AD users and computers, etc.

The new DC cannot access Netlogon either. I can connect using the original DC as the source but can't use the new DC as the source.

\\newdc\netlogon while on new DC doesn't work

\\olddc\netlogon while on new DC does work

Both DCs are 2012 R2 Standard.

Thanks!



Logon Server


Hi All,

I have noticed recently, after running the SET command in CMD, that my laptop's LOGONSERVER is a Domain Controller not in the same location as the laptop. For example, my laptop is located in HQ but the logon server is a Domain Controller in a different office some miles away.

Sites and Services are all set up as per Microsoft recommendations, e.g. most of the satellite sites' DCs connect and replicate to DCs in HQ. I would have thought that the machines would pick up their closest DC, but that does not seem to be the case here.

Can someone explain how a client machine gets a LOGONSERVER when logging on to a domain?

Any information would be gratefully received.

Regards.

Event ID - 4015 : The DNS server has encountered a critical error from the Active Directory.


Hi,

My RODC is showing the following event.

"The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error."

But the DNS service is OK and AD is functioning properly. So why is this type of event created, and how can I solve the error?

Or is this error avoidable?

Thank You,

Mosharrof

Enable Remote Desktop access for Domain user


On a newly set up Windows Server 2019 Essentials domain, a user needs to RDP into their workstation.

I have added the user to the Builtin Remote Desktop Users group but they are still unable to RDP into either the server or their workstation.

If I add them to the Builtin Administrators group they can RDP into the server, but not their workstation.

Any suggestions please?

update samaccountname and upn based on email


Hi Expert,

I really need your help.

We are using Windows Server 2016, and our AD users' sAMAccountName and UPN are not the same as their email address. Now we'd like to bulk edit users' sAMAccountName and UPN based on users' email address using the following CSV file.

This table describes the current situation:

sAMAccountName   UserPrincipalName   Emailaddress
LMing            LM@domain.com       Li.Ming@domain.com
WYi              WY@domain.com       Wang.Yi@domain.com
HJiu             HJ@domain.com       He.Jiu@domain.com

The following is what I want to achieve:

sAMAccountName   UserPrincipalName    Emailaddress
Li.Ming          Li.Ming@domain.com   Li.Ming@domain.com
Wang.Yi          Wang.Yi@domain.com   Wang.Yi@domain.com
He.Jiu           He.Jiu@domain.com    He.Jiu@domain.com

I am very new to PowerShell and scripting, so any suggestions are highly appreciated.

Regards,

jianggai
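An added PowerShell script (not from this post or the earlier "Bulk change users' UPN, sAMAccountName and proxy address" post, which asks the same thing) that derives the new sAMAccountName from the local part of the mail address and sets the UPN to the full address, as in the table above. Before renaming it checks the sAMAccountName length and character rules, that the UPN suffix is registered in the forest, and that no other account already owns the new identity; run it with -WhatIf first. The CSV path is an assumption; the column names follow the post.

```powershell
# Added example, not from either post. CSV columns: sAMAccountName,UserPrincipalName,Emailaddress
[CmdletBinding(SupportsShouldProcess)]
param([string]$CsvPath = 'C:\temp\upn-fix.csv')   # assumption
Import-Module ActiveDirectory

# A UPN suffix that is not registered in the forest cannot be used to sign in.
$forest        = Get-ADForest
$validSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)

foreach ($row in Import-Csv -Path $CsvPath) {
    $oldSam = "$($row.sAMAccountName)".Trim()
    $mail   = "$($row.Emailaddress)".Trim()
    if ($mail -notmatch '^([^@\s]+)@([^@\s]+)$') {
        Write-Warning "${oldSam}: '$mail' is not a valid address, skipped"; continue
    }
    $newSam = $Matches[1]; $suffix = $Matches[2]; $newUpn = $mail

    # sAMAccountName: at most 20 chars, none of " / \ [ ] : ; | = , + * ? < >, no trailing dot
    if ($newSam.Length -gt 20 -or $newSam -match '["/\\\[\]:;|=,+*?<>]|\.$') {
        Write-Warning "${oldSam}: '$newSam' is not a legal sAMAccountName, skipped"; continue
    }
    if ($validSuffixes -notcontains $suffix) {
        Write-Warning "${oldSam}: UPN suffix '$suffix' is not registered in the forest, skipped"; continue
    }

    $user = Get-ADUser -Filter "sAMAccountName -eq '$($oldSam -replace "'", "''")'"
    if (-not $user) { Write-Warning "${oldSam}: account not found, skipped"; continue }

    # Never rename onto an identity that another account already owns.
    $q = "(sAMAccountName -eq '$($newSam -replace "'", "''")') -or (userPrincipalName -eq '$($newUpn -replace "'", "''")')"
    $clash = Get-ADUser -Filter $q | Where-Object { $_.ObjectGUID -ne $user.ObjectGUID }
    if ($clash) {
        Write-Warning "${oldSam}: '$newSam' / '$newUpn' already used by $($clash.DistinguishedName), skipped"; continue
    }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "rename to $newSam / $newUpn")) {
        Set-ADUser -Identity $user -SamAccountName $newSam -UserPrincipalName $newUpn
        [pscustomobject]@{ OldSam = $oldSam; NewSam = $newSam; NewUpn = $newUpn }
    }
}
```

Users sign in with the new name immediately after the change, so announce the rename and update any service or script that references the old sAMAccountName before running without -WhatIf.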

How to add Windows 2012 R2 as new domain controller in the existing Windows 2008 R2 domain.


In our environment we had three domain controllers in a single forest, all servers on Windows 2008 R2: one located at a branch office in a different region, two at Head Office, one of which is the PDC. The additional DC crashed today (hardware failure), and now I am planning to have a Windows 2012 R2 DC on new hardware. Kindly suggest the best practice to achieve this. Kindly note I also had WINS and a Certification Authority on the crashed server.


Azure AD Connect - Which Is The Authoritative Side?

We recently activated SSO using the Azure AD Connect tool and it appears that only the local AD is authoritative. In other words, if I change a password in the O365 Admin, it does NOT sync with the local AD, so there's no longer any SSO. However, if I change it in the local AD, it does sync to the cloud. Have I got something misconfigured or is the sync only one way by design: from Local > O365?

Art Cabot Director, Information Technology Sizemore, Inc.

Revert dfsrmig state from Eliminated to Start. Please tell me how to revert the state.

Restoring Deleted Active Directory Object


Dear Support,

Can we restore a deleted Active Directory object without restarting the Domain Controller? If yes, please share the details to perform the same.

OS : Windows Server 2008


R!t@$#

How to restrict access to certain attribute in Active Directory for Global Address List ( Outlook)


He would like to add some personal employee information in Active Directory which should be accessible by only a few users in the Outlook GAL on their phones. At present all telephone numbers and mobile phone numbers are available to everyone when you search for a user via the contact list on an iPhone. Once we add employees' home addresses, we want only a few people to have access to that info when they search for the same person(s) via the GAL in their mobile or desktop Outlook contact list.


Richard Ojel...

Object Delete notification is not coming when LDAP_SCOPE_SUBTREE is used


Hi,

I am using LDAP change notification control to receive notifications of changes in Active Directory using the guidelines indicated in the following link:

https://docs.microsoft.com/en-us/windows/desktop/ad/example-code-for-receiving-change-notifications.

Change notifications for inserts and updates come through fine, but the delete notification behavior is not consistent between LDAP_SCOPE_ONELEVEL and LDAP_SCOPE_SUBTREE.

If I set the base object to be the root of the naming context, then no matter whether LDAP_SCOPE_ONELEVEL or LDAP_SCOPE_SUBTREE is specified, I always get all three types of notifications (Insert, Update and Delete).

However, if I use any other container (such as Users) or Organizational Unit (OU) as the base object, then using LDAP_SCOPE_ONELEVEL always returns all three types of notifications (Insert, Update and Delete), but using LDAP_SCOPE_SUBTREE ONLY returns Insert and Update notifications and does not send Delete notifications.

The above tests were run against both Active Directory and AD LDS separately, and the behavior is consistent.

Just wondering if this is expected behavior or if I am missing anything. Any help would be greatly appreciated.

Thanks,

Nasir




