Channel: Directory Services forum

1. FRS replication and 2 DFS replication


Hi all,

FRS:

How to check FRS replication?

How to monitor FRS replication?

How to find the error logs?

FRS advantage and disadvantage?

DFS:

1. DFS advantage and disadvantage

2. DFS error logs path?



last interactively sign-in timings

Can somebody explain the timings of the last login here? According to this, I checked in the event log, but there is no login event related to 7:08:20 AM for this particular user. The user logged in to the PC at 8.10am. I can see that event in the event log, but there are no events related to 7.08am. What could be the reason for this?

restrict domain joining for particular windows 10 OS version


Hi Team,

How can we restrict domain joining for a particular Windows 10 OS version, like Windows 10 Education?

Apart from Windows 10 Enterprise edition, we need to deny other Windows 10 OS versions.

Regards,

Yogesh

Problem with AD replication


I have a 1 DC environment (no $ for a 2nd one).

It's on the fritz. Possible memory issue and/or possible windows corruption.

Anyway, I have a temporary box set up, joined to the domain, promoted to DC, and forced replication via AD Sites and Services. It said it completed successfully.

New DC is a global catalog.

However, when the original DC goes offline, the new DC can no longer access AD users and computers, etc.

The new DC cannot access Netlogon either. I can connect using the original DC as the source but can't use the new DC as the source.

\\newdc\netlogon while on new DC doesn't work

\\olddc\netlogon while on new DC does work

Both DCs are 2012 R2 Standard.

Thanks!



Unicode character - complex password policy in AD


I have complexity enabled for user passwords in AD ("Password must meet complexity requirements" is Enabled).

Per the Microsoft article, the allowed password characters are:

http://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx 

Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.

I have been asked to provide a hint to users about what characters are allowed under the line above (Unicode characters: which Unicode characters are allowed to be part of a user password?).

Thanks


Inderjit

Windows Server 2012 R2 SYSVOL folder replication


Hi All, 

Recently I've come across something I have never seen before. To be more precise, on two Windows Server 2012 R2 domain controllers I found the C:\Windows\SYSVOL\domain folder replicating between them by means of DFS Replication.

 

1) Should replication between domain controllers be performed by means of DFSR?

2) What if replication is disabled like on the screenshot? 

Thank you.

VM DC restore


Hi,

I am writing a document for disaster recovery for our DCs.

We have 2 Server 2019 Hyper-V hosts and each has 1 VM DC. We back up each DC with Backup Exec and the Hyper-V agent.

My question is, how do we recover the VM DC that has the 5 FSMO roles?

I understand that because we are using Hyper-V higher than 2012 and the VM DC is also 2012 R2, we can just restore the VM DC with no issue with Generation-ID. Is this correct? Or do we still have to do a non-authoritative restore of the DC with FSMO roles?

 


Shahin

Issue with LinkID on Linked Custom Attribute Pair in AD


Hi All,

I have a weird issue when creating a linked custom attribute pair in AD.

The process I am following is firstly create the forward attribute with the LinkID of 1.2.840.113556.1.2.50. This apparently auto generates the LinkID. Reload schema and create the back-link attribute using the OID of the forward attribute. This goes all OK apart from when I look at the attribute details, the link ID is a negative number. For example..

The forward attribute is 

The BackLink attribute is

From all the information I have read, the forward attribute link ID should be positive even number and the back-link should be positive odd number. 

I'm using PowerShell to create the attributes. The forward attribute script is:

$RootDSE = [System.DirectoryServices.DirectoryEntry]([ADSI]"LDAP://RootDSE")
# Retrieve the Schema naming context, the distinguished name of the Schema container in AD.
$SchemaNC = $RootDSE.schemaNamingContext
# Bind to the Schema object.
$Schema = [ADSI]"LDAP://$SchemaNC"

# Create object of class "attributeSchema" with common name "Test-SoftwareDeliveryPrimaryUser".
$NewAttr = $Schema.Create("attributeSchema", "cn=Test-SoftwareDeliveryPrimaryUser")


$NewAttr.Put("attributeID", "1.2.840.113556.1.8000.2554.1.1")
# Distinguished name syntax (attributeSyntax 2.5.5.1 with oMSyntax 127), as used by linked attributes such as member.
$NewAttr.Put("oMSyntax", 127)
$NewAttr.Put("attributeSyntax", "2.5.5.1")
$NewAttr.Put("isSingleValued", $False)
$NewAttr.Put("isMemberOfPartialAttributeSet", $False)
$NewAttr.Put("searchFlags", 1)
$NewAttr.Put("lDAPDisplayName", "Test-SoftwareDeliveryPrimaryUser")
$newAttr.Put("LinkID", "1.2.840.113556.1.2.50")
# Create the new attribute.
$NewAttr.CommitChanges()

# Assign optional attributes.
$NewAttr.Put("description", "Test AD attribute -Forward")
#$NewAttr.Put("rangeLower", 1)
#$NewAttr.Put("rangeUpper", 128)
# Update the new attribute.
$NewAttr.CommitChanges()

For the Back link, I am using...

$RootDSE = [System.DirectoryServices.DirectoryEntry]([ADSI]"LDAP://RootDSE")
# Retrieve the Schema naming context, the distinguished name of the Schema container in AD.
$SchemaNC = $RootDSE.schemaNamingContext
# Bind to the Schema object.
$Schema = [ADSI]"LDAP://$SchemaNC"

# Create object of class "attributeSchema" with common name "Test-SoftwareDeliveryPrimaryUser-BL".
$NewAttr = $Schema.Create("attributeSchema", "cn=Test-SoftwareDeliveryPrimaryUser-BL")


$NewAttr.Put("attributeID", "1.2.840.113556.1.8000.2554.1.2")
# Distinguished name syntax (attributeSyntax 2.5.5.1 with oMSyntax 127), as used by linked attributes such as memberOf.
$NewAttr.Put("oMSyntax", 127)
$NewAttr.Put("attributeSyntax", "2.5.5.1")
$NewAttr.Put("isSingleValued", $False)
$NewAttr.Put("isMemberOfPartialAttributeSet", $False)
$NewAttr.Put("searchFlags", 1)
$NewAttr.Put("lDAPDisplayName", "Test-SoftwareDeliveryPrimaryUser-BL")
$newAttr.Put("LinkID", "1.2.840.113556.1.8000.2554.1.1")
# Create the new attribute.
$NewAttr.CommitChanges()

# Assign optional attributes.
$NewAttr.Put("description", "Test AD attribute -Backlink")
#$NewAttr.Put("rangeLower", 1)
#$NewAttr.Put("rangeUpper", 128)
# Update the new attribute.
$NewAttr.CommitChanges()


Environment is a test environment consisting of a single Windows Server 2012 R2 Domain Controller

I could manually declare the LinkID, but I was trying to keep user error out of the equation and thus wanted to use the auto-generated method. Does anyone know why I am getting a negative number as a LinkID?

Thanks for taking the time to read this

Steve


How to Create a Domain Controller Accessible Without VPN


Hi All,

I am a newbie. Below is my query----

I need to create a domain controller running on Azure. I want my client PC to be able to ping it and get domain joined. I am not looking for a scenario that uses a VPN. I am simply looking for a scenario in which the DC has a public IP and I can domain join my PC to that domain.

I am using Windows Server 2012 R2 in Azure. I am using my Windows 8.1 PC as a client computer. I am not testing this for organizational purposes as I understand this is not a secure configuration as per company standards.

What all do I need? Multiple NICs? Public IP? Specific Port Numbers?

I need to start from scratch. I am a newbie. Please help.

Change of Active Directory Password Policy - impact current users


Hi,

We have a single-domain AD using 2003 and 2012 R2 DCs. We'd like to change our AD password policy from its current state:

6 characters

90 days max age

No complexity

To:

8 characters

180 days

complexity

The question I have is will the settings kick in immediately or only upon password change or expiry? I just want to make sure I've assessed the user impact correctly. Any official statements from Microsoft would greatly help.

Thanks

Domain controller virtualization

Can we virtualize the Windows 2003 domain controller? Is there a TechNet article available from Microsoft which can be referred to?

Domain Adding issue


When I am adding a computer to our domain it shows an error like this: "Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed in this domain"

Can you resolve this?



How to assign Admin Rights Only for their own Computers in Active Directory?


Dear Team,

I need help from everyone with 2 things:

1> How can we assign a computer to a particular owner for configuring admin rights?

Example: PC-1 should be assigned to John

2> How do we configure admin rights only for their particular computer by using Active Directory Group Policy?

Example: PC-1 is used by John, so John should have admin rights on his PC. If John tries to log in to PC-2 he should not have admin rights on that PC.

Waiting for your response.

Regards,

Aghil


Find last login machine details for user


Hi,

Is there any command available to get the user's last login machine details? I have the user's details and I can get the last login details from one script, but I am unable to find the last login machine details for that user.

Thanks in advance.

Schema Mismatch


I was migrating my 2 DCs from Windows Server 2008 R2 to Windows Server 2016, and I have promoted the first Windows Server 2016 domain controller.

When I run repadmin /showrepl it gives me an error "The replication operation failed because of a schema mismatch between the servers involved 8418"0x20e2" .

I have tried to follow this article "https://support.microsoft.com/en-us/help/2734946/troubleshooting-ad-replication-error-8418-the-replication-operation-fa" but it did not help, so are there any suggestions?



Domain Controller Failed Test Advertising


Hi Guys,

I have created a secondary (backup) domain controller and successfully managed to promote it. However, it doesn't contain netlogon directories. On running the DCDIAG command, I get the following output.

Notes:

The current primary DC is running Windows Server 2003 with Server 2003 forest functional level. (Name - pdc, pdc.domain1.com)

My new server with errors is on Windows Server 2012 R2 (DC01, DC01.domain1.com)

-----------------------------------------------------------------------------------------

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\Administrator.domain1>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC01
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\pdc.domain1.com, when we were trying to reach DC01.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... DC01 failed test Advertising
      Starting test: FrsEvent
         ......................... DC01 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DC01 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\DC01\netlogon)
         [DC01] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... DC01 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC01 passed test Replications
      Starting test: RidManager
         ......................... DC01 passed test RidManager
      Starting test: Services
         ......................... DC01 passed test Services
      Starting test: SystemLog
         ......................... DC01 passed test SystemLog
      Starting test: VerifyReferences
         ......................... DC01 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domain1
      Starting test: CheckSDRefDom
         ......................... domain1 passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain1 passed test CrossRefValidation

   Running enterprise tests on : domain1.com
      Starting test: LocatorCheck
         ......................... domain1.com passed test LocatorCheck
      Starting test: Intersite
         ......................... domain1.com passed test Intersite

Please assist.

Promote and Demote Domain Controllers Bulk Way


Hello All,

I'm in the process of migrating Windows Server 2008 to 2016 domain controllers. I have about 30 servers to migrate, and I want to know if it is possible to promote and demote domain controllers remotely and in bulk.

Thanks!


Alejandro

DNS Forwarders


Hi, I'm hoping someone can help with this question regarding DNS Forwarding:

I have an AD domain with 8 DNS servers across the country (a mix of Win 2k8 R2/2012 R2/2016 servers).

  • 3 x Read Only (Secondary) DNS servers
  • 4 x Master DNS servers

The 4 x Master DNS servers are:

  • AD integrated zones
  • Dynamic Updates = Secure Only
  • Aging and scavenging is setup and working

I want to reduce internet traffic so that only 1 or 2 DNS servers are configured with my ISP DNS servers as forwarders or root hints. Do I need to configure all the other DNS servers in the domain with the IPs of the 2 DNS servers I configure for external ISP DNS or root hints as forwarders in order for them to resolve external sites?

DNS1 - configured for ISP DNS or root hints

DNS2 - configured for ISP DNS or root hints

DNS3 - Set DNS1 & DNS2 on the forwarders tab?

DNS4 - Set DNS1 & DNS2 on the forwarders tab?

DNS5 - Set DNS1 & DNS2 on the forwarders tab?

DNS6 - Set DNS1 & DNS2 on the forwarders tab?

DNS7 - Set DNS1 & DNS2 on the forwarders tab?

Any help would be appreciated.

Best Practices for AD Site configuration

I have been trying to find a document from Microsoft on the Best Practices for AD Site configuration. We have about 20 sites and multiple DCs at most of them. A coworker wants to set up each DC in each site to replicate back to the DataCenter DCs. In each site there is one DC set to replicate to the DataCenter, then the other DCs in the site replicate from that. From what I understand, this is the correct configuration as it cuts down on replication traffic since only 1 DC in each site is doing intersite replication.

AD LDS - Create new application partition


Hello!

I have 2 AD LDS instances in one configuration set and I am trying to create a new application partition. I am following an MSDN article (unfortunately I cannot provide the link here, I do not have enough karma) which describes this process for Active Directory. For the instance that was the first in the set all works perfectly, but when I try to create another application partition on the second server (create a domainDNS object) it gives me an "Unwilling to perform" error.

My guess is that it has something to do with the first server being Naming Master. In case of Active Directory the document says that we need to bind to the server where we would like to create a partition with the delegation option to "allow the domain controller to contact the Domain-Naming FSMO role holder". The problem is that I could not find such an option for the ldap_connect function which I am using to connect to AD LDS servers.

Any help would be great, thank you.
