Channel: Directory Services forum

Backup AD and what have you done


We have multiple domain controllers. I wanted to ask how you guys have prepared for these scenarios.

DR: I guess you can have multiple domain controllers spread across geo-locations, in Azure or other datacenters.

Ransomware, viruses, accidental DNS deletion and so on: what have you done to protect against these? Let's say one of them accidentally affects your AD. Can you restore AD via a VM checkpoint (might not be supported), or restore the VM? Do you have to take system state backups, or something else? Do you have a DC in a remote location that only communicates with HQ every so often?

I want to make sure we are protected, and to see what you guys have done for your AD infrastructure.

Please suggest.


John
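One concrete answer to the "system state backups or so on" part of the question, as an added example that is not part of the original post: a scheduled system state backup of a DC with Windows Server Backup, written to a dedicated volume rather than a share. The drive letter, schedule and task name are constructed values; it assumes the Windows Server Backup feature is installed on the DC and is run there as an administrator.

```powershell
# Added example, not from the original post. Nightly system state backup of a DC
# to a dedicated volume. Constructed values: E: and the task name.
$Target   = 'E:'                      # dedicated backup volume; not a share that a
                                      # ransomware-infected workstation can write to
$TaskName = 'DC System State Backup'

# Windows Server Backup provides wbadmin; harmless if already installed
Install-WindowsFeature Windows-Server-Backup | Out-Null

# Run one backup now so there is something to test a restore from
wbadmin start systemstatebackup -backupTarget:$Target -quiet

# Schedule the same command nightly as SYSTEM with highest privileges
$action    = New-ScheduledTaskAction -Execute 'wbadmin.exe' `
               -Argument "start systemstatebackup -backupTarget:$Target -quiet"
$trigger   = New-ScheduledTaskTrigger -Daily -At '01:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null

# Verify: list the backup versions present on the target
wbadmin get versions -backupTarget:$Target
```

Two caveats a practitioner would add: a system state backup older than the forest's tombstone lifetime (180 days by default on forests created with Windows Server 2003 SP1 or later) cannot be used for a restore, so old backups are not a fallback; and the backup target should be on storage that the DC's own domain accounts cannot delete from, otherwise the same ransomware that hits AD can destroy the backups. Regularly restoring one backup into an isolated lab is the only way to know the procedure works.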


LDAP VIP name configuration


Hi,

I have 3 sites (UK, US, Germany); each AD site contains 3 domain controllers, so 9 domain controllers in total.

I want to create an LDAP virtual name using the 3 domain controllers of each geo region.

Three LDAP VIP names are required, e.g. LDAPUK.domain.com etc.

So the application team can hard-code the nearest LDAP VIP name, for authentication and redundancy purposes.

If one LDAP server goes offline, another LDAP server will respond to the query. Please help me create the VIP name in DNS.

Please assist with your answer.
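What a DNS "VIP" for LDAP amounts to is a round-robin A record: one name with one address per DC. The following is an added example, not code from the original post, that creates LDAPUK.domain.com pointing at three UK DCs and checks the result. The zone name, the DNS host and the three addresses are constructed values; it assumes an AD-integrated zone and the DnsServer RSAT module.

```powershell
# Added example, not from the original post. Constructed values: zone, DNS host, DC IPs.
$Zone    = 'domain.com'
$DnsHost = 'UKDC01.domain.com'
$Alias   = 'LDAPUK'
$UkDcIps = @('10.10.1.11', '10.10.1.12', '10.10.1.13')

# Idempotent: skip addresses already registered under the alias name
$existing = Get-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $Zone `
                -Name $Alias -RRType A -ErrorAction SilentlyContinue |
            ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }

foreach ($ip in $UkDcIps) {
    if ($existing -contains $ip) { continue }
    # Short TTL so clients re-resolve soon after a record is pulled for maintenance
    Add-DnsServerResourceRecordA -ComputerName $DnsHost -ZoneName $Zone -Name $Alias `
        -IPv4Address $ip -TimeToLive (New-TimeSpan -Minutes 5)
}

# Verify: one name, three addresses (the order rotates from query to query)
Resolve-DnsName -Name "$Alias.$Zone" -Type A -Server $DnsHost |
    Where-Object Type -eq 'A' | Select-Object Name, IPAddress

# Check each address actually answers LDAP before handing the name to applications
foreach ($ip in $UkDcIps) {
    $ok = (Test-NetConnection -ComputerName $ip -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0}: LDAP/389 {1}' -f $ip, $(if ($ok) { 'open' } else { 'CLOSED' })
}
```

Three things the application team needs to know before hard-coding such a name. DNS round robin does no health checking: a dead DC stays in the answer set until someone removes its record, so the application must retry the next address on connection failure (or a real load balancer must sit in front). Kerberos binds to the alias will fail: the client asks for a ticket for ldap/LDAPUK.domain.com, and that SPN can be registered on only one account in the forest, so clients either fall back to NTLM or error out. And if the application uses LDAPS, the DCs' certificates must carry the alias in their subject alternative names. Using the domain name itself (domain.com resolves to all DCs, and SRV records give site-aware DC location) avoids all three problems.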

Internet restriction on DC


I want to restrict internet browsing on the domain controllers. I am already following the Microsoft recommendation:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack

Is it possible to restrict internet access for the DCs alone? We have a firewall in the perimeter network.

We have configured a strict firewall policy for our enterprise. I have read a few articles saying we can block internet access via Windows Firewall; however, Windows Firewall is disabled on the DCs. Normally, in enterprises, nobody uses Windows Firewall on DCs.

Please assist with your answer as to whether blocking internet access is possible on a DC.
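It is possible on the DC itself, and the usual way is an outbound Windows Defender Firewall rule scoped to public address ranges, deployed by GPO to the Domain Controllers OU so it is enforced on every DC. The block below is an added example, not from the original post or the linked Microsoft article; the public ranges are simply the complement of the RFC 1918 private ranges, and the WSUS host name used for verification is a constructed value.

```powershell
# Added example, not from the original post. Blocks outbound web traffic from the DC
# to public address ranges while leaving internal WSUS/proxy/CRL hosts reachable.
# The ranges are the complement of RFC 1918 space; 'wsus.domain.local' is constructed.
$PublicRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

# The profile a DC lives in must actually be on for any rule to apply
Set-NetFirewallProfile -Profile Domain -Enabled True -DefaultOutboundAction Allow

# Block rules beat allow rules in Windows Firewall regardless of specificity, so the
# block is scoped by remote address rather than paired with a more specific allow rule
$ruleName = 'DC - Block outbound web to public ranges'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Profile Domain -Protocol TCP -RemotePort 80, 443 -RemoteAddress $PublicRanges |
        Out-Null
}

# Verify from the DC: internal WSUS still reachable, public HTTPS not
Test-NetConnection -ComputerName 'wsus.domain.local' -Port 8530 |
    Select-Object ComputerName, TcpTestSucceeded
Test-NetConnection -ComputerName 'www.microsoft.com' -Port 443 |
    Select-Object ComputerName, TcpTestSucceeded
```

Stage this on one DC first and watch for anything that legitimately needed the internet (Windows Update without WSUS, CRL or OCSP fetches for public certificates, Azure AD Connect if it is wrongly installed on a DC). Blocking only TCP 80/443 stops browsing but not other outbound paths; the stricter configuration is a default outbound block with explicit allows, which requires enumerating replication RPC, DNS forwarders, NTP and Kerberos traffic between DCs and is better built from the firewall log than guessed. Microsoft's guidance is to leave the Windows Defender Firewall service running on DCs and manage its rules rather than disable it.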

 

Active Directory Group Member Created by User

How can I determine who added a member to an AD group?
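The "who" is only recorded if group management auditing is on: the DC that processes the change writes a Security event (4728 for global groups, 4732 for domain local groups, 4756 for universal groups) naming the group, the member added and the account that did it. The following is an added example, not from the original post, that collects those events from every DC and filters to one group; the group name is a constructed value and it assumes the Audit Security Group Management subcategory is enabled and the Security log still covers the period in question.

```powershell
# Added example, not from the original post. Assumes 'Audit Security Group Management'
# (success) is enabled on the DCs. The group name is a constructed value.
$GroupName = 'Domain Admins'

# The event exists only on the DC that processed the change, so ask every DC.
# 4728 = global, 4732 = domain local, 4756 = universal group: member added
$dcs    = (Get-ADDomainController -Filter *).HostName
$filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756 }

$results = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                DC     = $dc
                Id     = $_.Id
                Group  = $data['TargetUserName']
                Member = $data['MemberName']     # DN of the account that was added
                By     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            }
        }
}

$results | Where-Object Group -eq $GroupName | Sort-Object Time | Format-Table -AutoSize
```

If the subcategory is not enabled, turn it on through Advanced Audit Policy in a GPO on the Domain Controllers OU (locally: `auditpol /set /subcategory:"Security Group Management" /success:enable`) and forward the events to a SIEM, because the local Security log rolls over. For a change that predates the log, `repadmin /showobjmeta <DC> "<group DN>"` still shows on which DC and when each member link value was written, but not which account wrote it.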

OperatingSystemVersion Attribute Update


I have laptops whose OS has been upgraded from 10.0 (14393) to 10.0 (16299). The computer object still shows the OperatingSystemVersion attribute as 10.0 (14393); it hasn't been updated.

How do computers update their Active Directory computer attributes, such as OperatingSystemVersion? Also, how often does a computer interact with its AD attributes?

Thanks
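The operatingSystem, operatingSystemVersion and dNSHostName attributes are written by the computer's own Netlogon service when it starts (normally at boot), using the computer account's self-write permission; they are not refreshed on a timer. The block below is an added example, not from the original post: it compares what AD records for each laptop with the build the machine actually runs, lists the stale ones, and restarts Netlogon on them to trigger a re-registration. The OU is a constructed value and remote CIM/WinRM access to the laptops is assumed.

```powershell
# Added example, not from the original post. Constructed value: the laptop OU.
Import-Module ActiveDirectory
$laptops = Get-ADComputer -SearchBase 'OU=Laptops,DC=domain,DC=local' `
               -Filter { Enabled -eq $true } -Properties OperatingSystemVersion, whenChanged

$report = foreach ($c in $laptops) {
    $actual = try {
        (Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $c.DNSHostName -ErrorAction Stop).Version
    } catch { $null }   # offline or WinRM blocked
    # AD stores '10.0 (16299)'; CIM returns '10.0.16299'
    $adNormalised = $c.OperatingSystemVersion -replace ' \((\d+)\)$', '.$1'
    [pscustomobject]@{
        Name      = $c.Name
        InAD      = $c.OperatingSystemVersion
        AdChanged = $c.whenChanged          # last write of any attribute, not just this one
        Actual    = $actual
        Stale     = [bool]($actual -and $actual -ne $adNormalised)
    }
}
$report | Format-Table -AutoSize

# Restarting Netlogon makes the machine rewrite its OS attributes without a reboot
$report | Where-Object Stale | ForEach-Object {
    Invoke-Command -ComputerName $_.Name -ScriptBlock { Restart-Service Netlogon }
}
```

A laptop that has been upgraded but not rebooted since (fast startup and hibernation keep the old Netlogon session alive) is the common reason the attribute lags; it catches up at the next real start.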

AD Replication issue - not creating replication partner with WS2016 DCs

  1. We have WS2008R2/2012R2 DCs and are in the process of upgrading to WS2016 DCs (13 WS2016 DCs upgraded so far).
  2. Our older-version DCs have inter-site replication partners in other AD sites; we have 11 AD sites.
  3. Now, the issue is that our new WS2016 DCs can't create replication partnerships with DCs in other AD sites.

We are using the Infoblox DNS service. We checked, and no replication issues were found.

Any suggestions? In the coming days we are going to demote the older-version DCs.


    Rajneesh Kumar MCSE - Server Infra, MCITP - SA, CNA
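Inter-site replication partners do not find each other by host name: a partner resolves the CNAME `<DSA GUID>._msdcs.<forest root>` for the DC, which the DC's Netlogon registers dynamically. When DNS is hosted outside AD (Infoblox here), a new DC whose dynamic updates are refused has no such record, and the KCC on the remote site's ISTG cannot build a connection to it. The following is an added example, not from the original post, that checks that CNAME for each Windows Server 2016 DC and lists its current inbound partners with their sites; it uses live forest data and assumes the ActiveDirectory module.

```powershell
# Added example, not from the original post. Checks the DSA GUID CNAME that replication
# partners resolve, and lists inbound partners per 2016 DC.
Import-Module ActiveDirectory
$forest = (Get-ADForest).RootDomain

foreach ($dc in Get-ADDomainController -Filter { OperatingSystem -like '*2016*' }) {
    # The GUID of the NTDS Settings object, not of the computer object
    $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).ObjectGUID
    $cname   = "$dsaGuid._msdcs.$forest"

    $answer = Resolve-DnsName -Name $cname -Type CNAME -ErrorAction SilentlyContinue |
              Where-Object Type -eq 'CNAME'
    $target = if ($answer) { $answer.NameHost } else { 'MISSING' }

    $inbound = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound `
                   -ErrorAction SilentlyContinue |
               ForEach-Object {
                   # Partner DN: CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<Site>,CN=Sites,...
                   $p = $_.Partner -split ','
                   '{0} ({1})' -f $p[1].Substring(3), $p[3].Substring(3)
               } | Sort-Object -Unique

    [pscustomobject]@{
        DC          = $dc.HostName
        Site        = $dc.Site
        DsaCname    = $cname
        ResolvesTo  = $target
        Inbound     = $inbound -join '; '
        HasInterSite = [bool]($inbound | Where-Object { $_ -notmatch "\($($dc.Site)\)$" })
    }
}
```

If ResolvesTo is MISSING, fix the dynamic update permission on the Infoblox zone (or add the CNAME statically) and run `nltest /dsregdns` on the DC; the SRV records under `_msdcs` need the same treatment. Once the record resolves, `repadmin /kcc <ISTG of the remote site>` (find it with `repadmin /istg`) rebuilds the inter-site connections without waiting for the next KCC pass, and `repadmin /replsummary` should then show the new DCs as sources. Site links that omit the new DCs' sites, or an ISTG that is itself an old DC about to be demoted, are the other two things to check before demotion.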

    FSMO roles and DC decommissioning


    We have WS2008R2/2012R2 DCs and have upgraded to WS2016 DCs. Now we are planning to move the FSMO roles to the new DCs in our root and child domain. The forest root is empty, and the child domain has all users/groups/app data.

    As we are planning to move all the FSMO roles in both domains (forest root and child domain), I already made a plan to first move all the FSMO roles in both environments and then start decommissioning the older DCs, first in the root and then in the child domain. But my manager said to first move all the FSMO roles in the forest root and decommission the older DCs from the root, then move all the FSMO roles in the child domain and do its decommissioning. I said that their steps are neither advisable nor the recommended way to do this, but they keep insisting on it. If we go by my manager's way, it will impact our whole AD infrastructure.

    Is there any article on FSMO role movement and decommissioning in this type of environment?

    Just wanted to confirm: is the way my manager suggested possible? I don't think so.

    Any thoughts on this?


    Rajneesh Kumar MCSE - Server Infra, MCITP - SA, CNA
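For reference, the role transfer itself, as an added example that is not from the original post: the two forest-wide roles (Schema Master, Domain Naming Master) are held in the forest root domain, and the three domain roles (PDC Emulator, RID Master, Infrastructure Master) exist separately in each domain. The DC and domain names are constructed values; the script transfers (not seizes) the roles and shows the holders before and after, which is the verification that should precede any demotion.

```powershell
# Added example, not from the original post. Constructed values: DC and domain names.
Import-Module ActiveDirectory

$rootDc  = 'ROOTDC2016-01.corp.example'         # new DC in the empty forest root
$childDc = 'CHILDDC2016-01.child.corp.example'  # new DC in the child domain

function Show-FsmoHolders {
    # One row for the forest roles, then one row per domain for the domain roles
    $f = Get-ADForest
    [pscustomobject]@{ Scope = 'Forest'; SchemaMaster = $f.SchemaMaster; DomainNamingMaster = $f.DomainNamingMaster }
    foreach ($name in $f.Domains) {
        $d = Get-ADDomain -Identity $name
        [pscustomobject]@{ Scope = $name; PDCEmulator = $d.PDCEmulator; RIDMaster = $d.RIDMaster; InfrastructureMaster = $d.InfrastructureMaster }
    }
}

'--- before ---'; Show-FsmoHolders | Format-List

# Forest-wide roles: transfer to the new root-domain DC
Move-ADDirectoryServerOperationMasterRole -Identity $rootDc -Server $rootDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false

# Root domain's own three domain roles
Move-ADDirectoryServerOperationMasterRole -Identity $rootDc -Server $rootDc `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

# Child domain's three domain roles: connect to a child-domain DC explicitly
Move-ADDirectoryServerOperationMasterRole -Identity $childDc -Server $childDc `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

'--- after ---'; Show-FsmoHolders | Format-List

# Confirm the role changes have replicated to every DC before demoting any old one
repadmin /replsummary
```

The constraint that actually matters for sequencing is per DC: transfer every role a DC holds, confirm via `Get-ADForest`/`Get-ADDomain` (or `netdom query fsmo`) from another DC that the change has replicated, and only then demote it. The forest root's roles and the child domain's roles are independent of each other, apart from the Infrastructure Master's dependence on the global catalog placement within its own domain, so both the poster's order and the manager's order can be executed without loss provided that per-DC rule is followed in each domain.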

    2016 AD schema in mixed Win2008R2\Win2012R2 domain


    Is having Windows 2016 AD schema in mixed Win2008R2\Win2012R2 domain supported?

    I am trying to find some official confirmation or a Microsoft document.


    User profile Service


    Hi Team,

    In my environment we are facing the issue below; out of 100 systems, 15 systems get the error below. Please suggest what changes I should make. I am using Server 2019.

    Thanks in advance

    Bhaskar G R

    VM DC Restore question


    Hi Guys,

    The host server of my VM DC won't start up after installing the Server 2019 updates!

    The good news is that I have moved all of the VMs from the crashed host to a different host, and because we have 2 other physical DCs I could get them all back online.

    Question:

    What are the correct steps to bring the VM DC online again? Please note that this VM DC holds all of the FSMO roles.

    I also copied the VM DC to the new Hyper-V host (like the other VMs). Since last night we have not had any changes on the other 2 DCs, maybe resetting 2 passwords only.

    Can I start the VM DC on the new host, log in, give it the same IP and bring it back online? I have not yet started the VM DC on the new host.

    Thanks


    Shahin
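The risk when a DC's disk files are copied to another host is USN rollback: if the copy is imported as a new VM, Hyper-V assigns a new VM Generation ID, and a Windows Server 2012 or later DC treats its next start as a restore (it resets its invocation ID, discards its RID pool and re-synchronises SYSVOL); if instead the copy is registered in place with the same Generation ID, it simply continues, which is only safe because the original never ran again in parallel. The block below is an added example, not from the original post, of the checks to run on the DC after its first start on the new host; the DC name is a constructed value and it assumes it is run on that DC.

```powershell
# Added example, not from the original post. Post-start checks for a DC VM that was
# copied to another host. Constructed value: the DC name. Run on the DC itself.
$Dc = 'VMDC01'

# Invocation ID changes when the DC went through the generation-ID restore path.
# Compare with the value another DC recorded for this DC before the move.
Get-ADDomainController -Identity $Dc |
    Select-Object HostName, InvocationId, IsGlobalCatalog, OperationMasterRoles

# 'Dsa Not Writable' = 4 under NTDS\Parameters means NTDS detected a USN rollback
# and has quarantined itself (replication disabled, Netlogon paused).
$ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if ($ntds.PSObject.Properties.Name -contains 'Dsa Not Writable') {
    "USN rollback detected: Dsa Not Writable = $($ntds.'Dsa Not Writable')"
} else {
    'No USN rollback flag set'
}

# Replication health in both directions; 8456/8457 in LastReplicationResult means a
# partner has refused to replicate with this DC.
Get-ADReplicationPartnerMetadata -Target $Dc -PartnerType Both |
    Select-Object Partner, PartnerType, LastReplicationAttempt, LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize

# Directory Service log: 2095 = USN rollback detected, 2103 = database restored with an
# unsupported procedure; generation-ID events are matched on their message text.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; StartTime = (Get-Date).AddDays(-1) } |
    Where-Object { $_.Id -in 2095, 2103 -or $_.Message -match 'Generation ID' } |
    Select-Object TimeCreated, Id, Message | Format-List
```

Before the first start, make sure the crashed host cannot bring the original VM back online later: two instances of the same DC (same name, same SID, same IP) on the network is the one scenario that neither the Generation ID nor these checks protect against. If the rollback flag is set, the documented remedy is to demote the DC (forcibly if necessary), clean its metadata and promote it again rather than clear the registry value.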

    Domain controller Implementation


    I'm thinking about a domain controller implementation for 100 users.

    Azure or on-premises: which is the best place to put the domain controllers?

    Please give me your advice, with pros and cons.

    The security database on the server does not have a computer account for this workstation trust relationship


    Hello there,

    Earlier this morning I changed the name of my server. It used to have one of those default WIN-....... computer names, and I changed it to DC1. I restarted the server as I was prompted to, and now I can no longer sign in to the local domain controller at all. There is nothing I am able to do to access the user interface. Users on workstations are able to connect to the domain as normal; only the server is having this problem. While trying to log in, I am faced with this error message: "The security database on the server does not have a computer account for this workstation trust relationship." I have read online that this is normally fixed by rejoining the computer to the domain; however, this isn't something I am able to do, as I can't access the machine at all.

    Can't PING domain AD DC


    Hi Friends,

    I have a DC with 2 network adapters (2 IPs) on different networks, and 2 IPs on the respective networks on a client PC. I am able to ping both IPs of the DC from the client PC, but if I ping the domain name, it is resolved to only 1 IP, although both IPs appear in the DNS zone on the DC. I tried disabling the adapter whose IP the domain name was resolving to; after that, I started getting RTO.

    Why is the domain not resolving to the other IP?
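Background for the symptom: the "same as parent" A record for the domain name is written by the DC's Netlogon service, one record per DC address it is allowed to register, and a client takes the first address the resolver returns; a DC with two NICs therefore produces inconsistent answers, which is why multi-homed DCs are discouraged. The usual fix is to make the DC single-homed for DNS and Netlogon purposes. The block below is an added example, not from the original post: it stops the second adapter registering itself, limits the DNS service to the kept address and removes the stray domain record. The zone, addresses and adapter alias are constructed values; run it on the DC.

```powershell
# Added example, not from the original post. Constructed values: zone, addresses, alias.
$Zone        = 'domain.local'
$KeepIp      = '10.0.1.10'      # address on the network clients should use
$SecondAlias = 'Ethernet 2'     # the other adapter

# 1. Stop the second adapter registering its address (host and same-as-parent records)
Set-DnsClient -InterfaceAlias $SecondAlias -RegisterThisConnectionsAddress $false

# 2. Make the DNS service answer only on the kept address so responses are consistent
dnscmd /ResetListenAddresses $KeepIp

# 3. Remove stale same-as-parent (domain) A records for any other address
Get-DnsServerResourceRecord -ZoneName $Zone -Name '@' -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -ne $KeepIp } |
    ForEach-Object {
        Remove-DnsServerResourceRecord -ZoneName $Zone -Name '@' -RRType A `
            -RecordData $_.RecordData.IPv4Address.IPAddressToString -Force
    }

# 4. Re-register: Netlogon rewrites the domain A record and the _ldap/_kerberos SRV records
ipconfig /registerdns | Out-Null
Restart-Service Netlogon

# Verify: the domain name now resolves to the kept address only
Resolve-DnsName -Name $Zone -Type A | Select-Object Name, IPAddress
```

If the second network genuinely needs to reach the DC (management VLAN, backup network), route it through the kept address rather than giving the DC a second identity there; a second NIC that clients can reach is also a second path for Kerberos and LDAP traffic that the firewall policy written for the first one does not cover.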

    No Computer in Directory Users and Computers list


    Hello,

    I am trying to add an organizational unit to the Active Directory I created on my VirtualBox Windows Server 2016. However, I realize that there is no computer in the Active Directory Computers list on my DNS domain (Server Manager > Tools > AD Users and Computers > domain > Computers). I did set up AD DS, DNS and DHCP through Server Manager, changed the network settings, and changed the system name. Every possible thing has been tried, but I fail to understand why there is no computer in the Active Directory Computers list on my DNS domain. The domain name and the full computer name (Name.DomainName.com) do show up in the system properties. Please help me out.

    Thank you


    Domain controller virtualization

    Can we virtualize a Windows 2003 domain controller? Is there a TechNet article available from Microsoft which can be referred to?

    Unable to create user accounts until DC is restarted

    We have experienced 3 times lately where we have been unable to create user objects in Active Directory.  The first two had the same errors.  I'm not sure if the third one is related or not.

    I have 4 DCs, two in each of two sites. One of the domain controllers, DC1, has all the FSMO roles. They are all Windows 2012 R2, but the domain and forest functional level is at Windows 2008 R2 until later this week. We have a single-domain forest. We have about 650-700 actual users, so even with shared and special user IDs, we probably have less than 2000 user objects. Not a large Active Directory structure.

    While I first noticed the problem when working in Exchange, this is an AD problem.  Almost 6 weeks ago, I suddenly was unable to create a user account when trying to create an Exchange mailbox.  The error in Exchange was "Exchange couldn't find any usable connections to the Active Directory server DC1.domain."

    In the System log on DC1, there were numerous Event ID 16642 error events from Directory-Services-SAM:
    “The account-identifier allocator was unable to assign a new identifier. The identifier pool for this domain controller may have been depleted. If this problem persists, restart the domain controller and view the initialization status of the allocator in the event log.”  After finding very little about troubleshooting this error, I restarted DC1.  Once DC1 came back up, I was able to create user objects again.

    Early last week, I experienced the same thing with the same errors.  I restarted DC1 again, and again I was able to create objects normally.

    I was off last Friday, but received an email from a colleague that we were again unable to create user objects.  They restarted DC1 and were able to create users again.

    I looked through the Event logs on DC1 and did NOT find the Event ID 16642 from Directory-Services-SAM.  I did not find anything in the Application or System log that looked like an explanation for this inability to create users on Friday morning. This time, I looked at the Directory Service log and saw error Event ID 1519 repeated many times: 
    "Internal Error: Active Directory Domain Services could not perform an operation because the database has run out of version storage." 

    I saw a Microsoft blog about version storage at "https://blogs.technet.microsoft.com/askds/2016/06/14/the-version-store-called-and-theyre-all-out-of-buckets/".  This blog discussed increasing the maximum size of the version store, but it related the need for this with information that would be found in error Event ID 623.  DC1's log does not contain Event 623.

    Unfortunately, the Directory Service log went back only a few days, so I could not look for what might have been in there during the time frame of the first two instances of being unable to create users.

    Can anyone offer me any help with what I need to do to prevent this situation from recurring?

    Thank you very much for your help with this.
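Event 16642 is about RIDs: every new user, group or computer needs a relative identifier from the block the DC has been allocated by the RID Master (DC1 itself here), and the error means the DC could not hand one out. Before treating the version store as the only cause, it is worth seeing whether the domain pool or the DC's block is genuinely near exhaustion or whether the DC merely failed to record a fresh allocation. The block below is an added example, not from the original post, that decodes the domain's rIDAvailablePool and each DC's RID set; it reads live domain data and assumes the ActiveDirectory module. Both attributes pack two 32-bit values into one 64-bit integer.

```powershell
# Added example, not from the original post. Decodes the domain RID pool and each DC's
# RID set. Uses live domain data; no constructed values.
Import-Module ActiveDirectory
$domain = Get-ADDomain

function Split-RidPool {
    # High 32 bits = end of the range, low 32 bits = start (or next block start)
    param([Int64]$Packed)
    [pscustomobject]@{
        Low  = $Packed -band [Int64][UInt32]::MaxValue
        High = $Packed -shr 32
    }
}

# Domain-wide pool held by the RID Master
$ridMgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
              -Properties rIDAvailablePool
$pool = Split-RidPool $ridMgr.rIDAvailablePool
[pscustomobject]@{
    RidMaster      = $domain.RIDMaster
    NextBlockStart = $pool.Low
    MaxRid         = $pool.High          # 1073741823 unless the RID limit was raised
    RemainingRids  = $pool.High - $pool.Low
} | Format-List

# Per-DC RID set: rIDPreviousAllocationPool is the block in use, rIDAllocationPool the
# next one reserved (identical until a new block has been requested), rIDNextRID the
# position within the block in use.
foreach ($dc in Get-ADDomainController -Filter *) {
    $computer = Get-ADObject -Identity $dc.ComputerObjectDN -Properties rIDSetReferences
    $ridSet   = Get-ADObject -Identity $computer.rIDSetReferences[0] `
                    -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
    $inUse = Split-RidPool $ridSet.rIDPreviousAllocationPool
    $next  = Split-RidPool $ridSet.rIDAllocationPool
    [pscustomobject]@{
        DC          = $dc.HostName
        BlockInUse  = '{0}-{1}' -f $inUse.Low, $inUse.High
        NextBlock   = '{0}-{1}' -f $next.Low, $next.High
        NextRid     = $ridSet.rIDNextRID
        LeftInBlock = $inUse.High - $ridSet.rIDNextRID
    }
}
```

`dcdiag /test:ridmanager /v` reports the same figures in its own format. A DC whose block in use is nearly consumed while the domain pool has plenty left points at the RID Master transaction failing locally, which is consistent with the 1519 version store exhaustion the poster later found; the linked blog's fix is a registry value under NTDS\Parameters and needs the 623 event's figures to size it, so increasing the Directory Service log size until a 623 is captured is the sensible next step. A depleted domain pool is a different problem (RID issuance is irreversible) and is handled by the RID limit raise described in Microsoft's RID Master documentation.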

    Directory Server for Windows Domain


    I connected to the Synology AD via the RSAT tools for Windows 10 (www.youtube.com/watch?v=7EIO-nEIAY4), but I have a problem with the message "A processing error occurs with the use of this domain controller. ... the base domain controller and try again." (support.microsoft.com/en-us/help/2979923/processing-error-occurred-when-you-detect-status-of-active-directory-i). I do not understand what to enter in "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Hostname".


    Home Folders does NOT map on Initial Logon Using ADUC Settings


    I do have Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon (enabled).

    All switches have PortFast enabled.

    All GPOs are processed fine.

    For a few users (the same user on ANY different device), the home drive that is set in the profile will not map.

    It simply is not there. But "set" shows:

    HOMEDRIVE=U:
    HOMEPATH=\
    HOMESHARE=\\server.domain.local\Stafffile\Users\UserInQuestion

    So it should be there. But no matter what, it does not happen.

    The only way I can do it is with a loopback GPO with GPP, but there I can even specify %HOMESHARE% and it maps perfectly fine.

    I've been all over the Internet trying to figure that one out, but simply cannot.

    Maybe somebody has any idea?

    Seb

    AD - Onsite Replicate users to a Trusted secondary domain


    I am trying to replicate users from our primary domain to an external trusted domain. The application we are installing does not work with a trust and will only authenticate if it is attached directly to the OU the users are in. We would like to avoid managing 2 user sets, but we do need separate domains.

    Thanks 

     

    Read Only Domain Controller: Delegation of AD tasks vs hardware management


    Hello,

    If I understand correctly, when we talk about RODCs there is a clear distinction between delegating AD tasks and delegating somebody to manage the hardware of the RODC?

    So if, for example, I wanted to delegate the creation of accounts to a person, I'd go and use the delegation wizard:

    But on the other hand, when it comes to server management (hardware), I'd need to delegate it from the Managed By tab? Am I on target or missing something?
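The distinction the post describes is Administrator Role Separation: the principal named in the RODC computer object's managedBy attribute becomes a local Administrator on that RODC only and gains no rights in the directory, whereas creating accounts is an ACE on an OU and has nothing to do with the RODC. The following is an added example, not from the original post, that performs both delegations and shows the verification; the RODC, group and OU names are constructed values and it assumes the ActiveDirectory module and dsacls.

```powershell
# Added example, not from the original post. Constructed values: RODC, groups, OU.
Import-Module ActiveDirectory
$Rodc       = 'BR-RODC01'
$RodcAdmins = 'BR-RODC-LocalAdmins'   # local admin on the RODC, no directory rights
$AccountOps = 'BR-AccountCreators'    # may create/delete user objects in the branch OU
$BranchOu   = 'OU=Branch,DC=corp,DC=example'

# 1. Hardware/OS management: managedBy on the RODC computer object. Members of this
#    group can log on to and administer the RODC locally; nothing else changes.
Set-ADComputer -Identity $Rodc -ManagedBy (Get-ADGroup -Identity $RodcAdmins).DistinguishedName

# 2. Directory task: create child (CC) and delete child (DC) of class user on the OU
#    and its sub-OUs (/I:T). This is the core of the Delegation of Control wizard's
#    "Create, delete and manage user accounts" task, without the full-control ACE
#    on existing user objects that the wizard also adds.
$domainNb = (Get-ADDomain).NetBIOSName
dsacls $BranchOu /I:T /G "${domainNb}\${AccountOps}:CCDC;user"

# Verify both delegations
Get-ADComputer -Identity $Rodc -Properties ManagedBy | Select-Object Name, ManagedBy
dsacls $BranchOu | Select-String -Pattern $AccountOps
```

Keep the two groups separate: an account that is a local Administrator on the RODC can read the cached secrets of every account in the RODC's Password Replication Policy, so the hardware delegation should go to as small a group as the branch can tolerate, and the accounts in that group should themselves be denied caching on the RODC.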
