Channel: Directory Services forum

Server 2008 CertLog EDB log files have never been deleted - taking a lot of space


This is a Windows Small Business Server 2008 installation with all updates, whose maintenance I've recently taken over. I found the C: drive had almost no space available. I took immediate steps to move / clear things and it seems to be mostly working well.

However, there is a lot of space taken up by log files in C:\Windows\System32\CertLog - 4.4 GB in 4227 files.  

The first of these files is edb00001.log last modified on 27th Jan 2010 - that's when the server was new.  It goes on edb00002.log, and so on.

I've had little luck Googling this. I've heard that these are related to Active Directory, but I don't know. I'm able to add/ change users in AD without issue.

I've heard they should be automatically purged, but obviously they haven't been. Clearly this issue was present when the computer was new, preceding when disk space was low.

I've looked into System logs and seen no major issues. 

I've looked in Event Viewer at the Application and Services Logs - Directory Service - I see: 1) Warning 508 that it was slow to write updates. 2) Error 1168 Internal processing. 3) Also Error 482 - No space on disk.

Clearly, the space issue is resolved. Now, how do I deal with 4.5 GB of logs and give AD a clean bill of health?
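C:\Windows\System32\CertLog is the database directory of Active Directory Certificate Services (SBS 2008 installs a CA), not of AD DS, whose ESE database lives under C:\Windows\NTDS. AD CS does not use circular logging: its edb*.log files are released only after a full backup of the CA database. The following is an added example, not code from the original post; it assumes PowerShell 3 or later on the SBS box and a backup location of D:\CABackup, and it ends with the AD health check the question asks for.

```powershell
# Added example, not from the original post. Backs up the CA database so AD CS can
# truncate its edb*.log files, then checks AD DS health separately.
# Assumes: PowerShell 3+, a local AD CS CA, and an existing D:\CABackup folder.

$caKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $caKey).Active
$cfg    = Get-ItemProperty -Path (Join-Path $caKey $caName)
"CA '$caName'  database: $($cfg.DBDirectory)  logs: $($cfg.DBLogDirectory)"

function Get-EseLogUsage {
    param([string]$Path)
    $files = @(Get-ChildItem -Path $Path -Filter 'edb*.log' -File)
    [pscustomobject]@{
        Files  = $files.Count
        SizeGB = [math]::Round((($files | Measure-Object -Property Length -Sum).Sum) / 1GB, 2)
        Oldest = ($files | Sort-Object LastWriteTime | Select-Object -First 1).Name
    }
}

'Before backup:'; Get-EseLogUsage -Path $cfg.DBLogDirectory

# Full backup of the CA database. Without the KeepLog option, certutil lets the CA
# delete the committed log files once the backup succeeds. Keep this backup: it is
# now the only copy of those logs.
$backupDir = Join-Path 'D:\CABackup' (Get-Date -Format 'yyyyMMdd-HHmm')   # assumed location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
certutil -backupdb $backupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backupdb failed with exit code $LASTEXITCODE" }

'After backup:'; Get-EseLogUsage -Path $cfg.DBLogDirectory

# The CA should still answer and report its name.
certutil -ping
certutil -CAInfo name

# AD DS is a separate database; the Directory Service events in the post (508, 1168,
# 482) come from it. dcdiag /q prints only failures, so empty output is the clean bill.
dcdiag /q
```

The events 508, 1168 and 482 were logged by the NTDS database while the disk was full; once space is back, dcdiag with no failures and a clean `repadmin /replsummary` (if there is a second DC) is the confirmation to look for. The CA backup should become a scheduled job, otherwise the logs will fill the disk again.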


How to make LDAP SSL call using DsBrowseForContainerW API


Hi, 

I am using DsBrowseForContainerW() to load all containers (OUs) from a given domain.

Internally it uses a non-SSL LDAP call to read data from the domain controller. But I want to use LDAP over SSL to read data from the domain controllers.

How can I achieve this?

case-1 : ADsPath  = "LDAP://Domain100.Lab/DC=Domain100,DC=Lab"   working fine, LDAP non-SSL calls

case-2 : ADsPath  = "LDAP://dc12.Domain100.Lab:389/DC=Domain100,DC=Lab"   working fine, LDAP non-SSL calls

case-3 : ADsPath  = "LDAP://dc12.Domain100.Lab:636/DC=Domain100,DC=Lab"   NOT working

LDAP Non SSL port = 389

LDAP SSL Port = 636

Code :

// DSBrowseInfo is the managed mirror of the native DSBROWSEINFOW structure; the
// DllImport of DsBrowseForContainerW (dsuiext.dll) is declared elsewhere.
// pszPath must marshal as a caller-allocated buffer of cchPath characters.
DSBrowseInfo dsbi = new DSBrowseInfo();
dsbi.cbStruct = System.Runtime.InteropServices.Marshal.SizeOf(dsbi);
dsbi.pszCaption = caption;
dsbi.pszTitle = title;
dsbi.pszRoot = ldapPath;     // ADsPath of the container to start browsing from
dsbi.pszPath = sResult;      // receives the ADsPath the user selected
dsbi.cchPath = 1024;         // size of the pszPath buffer, in characters
dsbi.hwndOwner = hwnd;

if (!string.IsNullOrEmpty(user))
{
    // Explicit credentials for the bind; without DSBI_HASCREDENTIALS the
    // credentials of the calling thread are used.
    dsbi.pUserName = user;
    dsbi.pPassword = password;
    dsbi.dwFlags |= DSBI_HASCREDENTIALS;
}

int ret = DsBrowseForContainerW(ref dsbi);   // IDOK, IDCANCEL, or -1 on error

In case-3, it gives the error "unable to connect to domain with given user name and password".

Please help me solve this. How can I achieve LDAP SSL communication using the DsBrowseForContainerW() API?

Thanks & Regards

Prasad
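The "unable to connect" result on port 636 looks the same whether the credentials are wrong, the DC has no usable LDAPS certificate, or the client does not trust it, so the first step is to take the browse dialog out of the picture and bind over LDAPS directly. The following is an added example, not code from the original post; it uses System.DirectoryServices.Protocols from PowerShell, and the host name, base DN and account are assumed from the post.

```powershell
# Added example, not from the original post: LDAPS bind plus OU search against the DC,
# reporting the server certificate and whether the local machine trusts it.
# Assumes the host, base DN and credential below; adjust to your lab.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsBind {
    param(
        [string]$Server = 'dc12.Domain100.Lab',
        [int]$Port = 636,
        [string]$BaseDn = 'DC=Domain100,DC=Lab',
        [pscredential]$Credential
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $Server, $Port
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $id
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.Timeout = [TimeSpan]::FromSeconds(15)

    # Record the server certificate and the chain result for the report. Returning
    # $true unconditionally here would disable validation; do not do that outside a lab.
    $script:ldapsCert    = $null
    $script:ldapsTrusted = $false
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $script:ldapsCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $script:ldapsTrusted = $chain.Build($script:ldapsCert)
        return $script:ldapsTrusted
    }
    if ($Credential) {
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Credential = $Credential.GetNetworkCredential()
    }
    try {
        $conn.Bind()
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList @(
            $BaseDn, '(objectClass=organizationalUnit)',
            [System.DirectoryServices.Protocols.SearchScope]::Subtree, [string[]]@('name'))
        $resp = $conn.SendRequest($req)
        [pscustomobject]@{
            Bound = $true; OUs = $resp.Entries.Count; Error = $null
            CertSubject = $script:ldapsCert.Subject; CertTrusted = $script:ldapsTrusted
        }
    } catch {
        [pscustomobject]@{
            Bound = $false; OUs = 0; Error = $_.Exception.Message
            CertSubject = $script:ldapsCert.Subject; CertTrusted = $script:ldapsTrusted
        }
    } finally {
        $conn.Dispose()
    }
}

Test-LdapsBind -Credential (Get-Credential -Message 'Domain100\user for the LDAPS bind')
```

If `CertSubject` is empty the DC never offered a certificate (no server-authentication certificate in its machine store, or the service was not restarted after one was installed); if `CertTrusted` is false the client does not chain the DC certificate to a trusted root, and the subject or SAN must match the host name you pass (dc12.Domain100.Lab, not an alias). Only once this bind succeeds is it worth looking at how the browse dialog itself connects.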

Sysvol FRS to DFS-R Migration issues 2008 R2


Looking for some advice on the best way forward. 

I am in the process of completing a domain upgrade from Server 2008 R2 to Server 2016.
We currently have 4 DCs running 2008 R2 with a domain and forest functional level of Windows Server 2008 R2.

In the pre-upgrade stage, I am currently doing the SYSVOL FRS to DFS-R migration.

Initially, running [dfsrmig /getmigrationstate] showed [All Domain Controllers have migrated successfully to Global state ('Start'). Migration has reached a consistent state on all Domain Controllers. Succeeded.]
I then set this to Prepared: [All Domain Controllers have migrated successfully to Global state ('Prepared'). Migration has reached a consistent state on all Domain Controllers. Succeeded.]

Upon running the DFS Replication Health Report, it shows 2 errors with event ID 6804 for 2 of the 4 DCs.
I have checked this further manually and found that the new SYSVOL_DFSR folder on the 2 errored DCs is smaller in size and number of files and folders than on the other 2. I have also created a new test GPO and this is not replicated to any of the DCs in the SYSVOL_DFSR folder. It is, however, replicating fine in the SYSVOL folder on all 4 DCs.


Any advice on the best way forward or back on this to ensure the SYSVOL is replicating to SYSVOL_DFSR prior to the next steps of the migration and then domain upgrade?
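Before moving to Redirected, every DC must report the Prepared local state and must have DFSR member and connection objects under the Domain System Volume replication group; 6804 on a freshly created SYSVOL_DFSR is typically a DC for which that topology is missing. The following is an added example, not code from the original post; it reads each DC's local migration state from the registry value dfsrmig uses (that value name is assumed), counts the DFSR connection objects per DC, and compares SYSVOL with SYSVOL_DFSR. It assumes C:\Windows as the system root on every DC, Remote Registry running on them, and the AD module on the machine running it.

```powershell
# Added example, not from the original post: per-DC view of the FRS-to-DFSR migration.
# Assumptions: %SystemRoot% = C:\Windows on every DC, Remote Registry reachable,
# AD PowerShell module present, run as a domain admin.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter * | Sort-Object HostName

# dfsrmig builds the DFSR topology for the 'Domain System Volume' replication group here.
$topologyDn  = "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$($domain.DistinguishedName)"
$members     = @(Get-ADObject -SearchBase $topologyDn -LDAPFilter '(objectClass=msDFSR-Member)' -Properties 'msDFSR-ComputerReference')
$connections = @(Get-ADObject -SearchBase $topologyDn -LDAPFilter '(objectClass=msDFSR-Connection)')

$stateNames = @{ 0 = 'Start'; 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }   # 4-9 are transitions

foreach ($dc in $dcs) {
    $name = $dc.HostName
    # Local migration state as dfsrmig records it on each DC (registry value name assumed).
    $state = $null
    try {
        $reg   = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $name)
        $state = $reg.OpenSubKey('SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols').GetValue('Local State')
    } catch { $state = "unreadable: $($_.Exception.Message)" }

    $computerDn = (Get-ADComputer -Identity $dc.Name).DistinguishedName
    $member     = $members | Where-Object { $_.'msDFSR-ComputerReference' -eq $computerDn }
    $inbound    = if ($member) { @($connections | Where-Object { $_.DistinguishedName -like "*,$($member.DistinguishedName)" }).Count } else { 0 }

    $ev6804 = @(Get-WinEvent -ComputerName $name -FilterHashtable @{ LogName = 'DFS Replication'; Id = 6804; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue).Count
    $frs    = @(Get-ChildItem -Path "\\$name\C$\Windows\SYSVOL\domain"      -Recurse -File -ErrorAction SilentlyContinue).Count
    $dfsr   = @(Get-ChildItem -Path "\\$name\C$\Windows\SYSVOL_DFSR\domain" -Recurse -File -ErrorAction SilentlyContinue).Count

    [pscustomobject]@{
        DC                 = $name
        LocalState         = if ($state -is [int] -and $stateNames.ContainsKey($state)) { $stateNames[$state] } else { $state }
        DfsrMember         = [bool]$member
        InboundConnections = $inbound
        Events6804Last24h  = $ev6804
        SysvolFiles        = $frs
        SysvolDfsrFiles    = $dfsr
    }
}
```

A DC with `DfsrMember` false or `InboundConnections` 0 is the one raising 6804; `dfsrmig /createglobalobjects` recreates the missing global settings, after which `dfsrdiag pollad` on that DC and `repadmin /syncall /AdeP` make it pick them up. Do not read the missing test GPO as a failure by itself: during the Prepared state DFSR replicates the one-time copy of SYSVOL, and changes made to SYSVOL afterwards are copied into SYSVOL_DFSR again on the PDC emulator when you move to Redirected. Only move on when every row shows Prepared, at least one inbound connection, and no fresh 6804 events.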


2016 AD schema in mixed Win2008R2\Win2012R2 domain


Is having Windows 2016 AD schema in mixed Win2008R2\Win2012R2 domain supported?

I am trying to find some official confirmation or a Microsoft document.

Need to create user account with user's password reset permission only


I need to create a user account (or service account), and this user should be permitted to change users' passwords. Only that option needs to be enabled. So is there any option to enable this? What GPO should be assigned to the user? I'm looking for support on this.

Thank You
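This is not a Group Policy setting but an ACL on the OU that holds the users: the "Reset Password" extended right on user objects, plus write access to pwdLastSet if the helper should be able to force a change at next logon. The following is an added example, not code from the original post; it grants exactly those two ACEs to a group and verifies them. The OU and the group name are assumed, and the GUIDs are read from the schema rather than hard-coded.

```powershell
# Added example, not from the original post: delegate only password reset on one OU.
# Assumes the OU DN and group below exist; run as a domain admin with the AD module.
Import-Module ActiveDirectory
$ouDn  = 'OU=Staff,DC=corp,DC=example'                       # assumed OU
$group = Get-ADGroup -Identity 'Helpdesk-PasswordReset'     # assumed group, created beforehand
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Look up the object-type GUIDs from the schema and the extended-rights container.
$rootDse        = Get-ADRootDSE
$userClassGuid  = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$pwdLastSetGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID).schemaIDGUID
$resetPwdRight  = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(name=User-Force-Change-Password)' -Properties rightsGuid).rightsGuid

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# 1) The "Reset Password" extended right, applied to user objects below the OU only.
$resetRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $resetPwdRight, $descendants, $userClassGuid)

# 2) Read/write pwdLastSet so "user must change password at next logon" can be ticked.
$rwProperty  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$pwdLastRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid, $rwProperty, $allow, $pwdLastSetGuid, $descendants, $userClassGuid)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($resetRule)
$acl.AddAccessRule($pwdLastRule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: only these two ACEs should name the group.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$($group.SamAccountName)" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Put the service account in the group rather than granting the ACEs to the account itself, and keep the group out of Account Operators, which would give far more than password reset. This delegation does not reach accounts with adminCount=1 (members of protected groups such as Domain Admins); their ACL is rewritten from AdminSDHolder every hour, which is intended.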

how to prevent reuse of account names


The goal here is to prevent accounts from being created with the UPN of an account that existed in the past.  So if employee A leaves in 2015, that account ID should never be used again.  Is there a secure way of creating an empty, permanent account with no license that would successfully block new users from using the same name when they create their accounts?

Ronald Proschan


Ron Proschan

AD Delegation


Dear All,

I delegated a user to reset domain user passwords and modify their properties. He can do his tasks on the majority of domain users but not on others. I checked those users and they're members of a security group "technical support" which has the privilege to do remote desktop on domain computers and is also a member of domain computers. All members of that group have adminCount 1, and as I understand it, even if I remove this value it will be added back after an hour. I added that user to the same group "technical support" and he has adminCount 1, but still he can't reset any member of that group. Inheritance is also disabled for those users; I enabled it but it was disabled again. Is there any way to let that user reset all members of that group?

Thank You
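The symptoms described (adminCount=1 that comes back, inheritance that re-disables itself within the hour) are the AdminSDHolder/SDProp mechanism: the "technical support" group is, directly or through nesting, a member of a protected group, so its members' ACLs are copied from CN=AdminSDHolder and any OU delegation is discarded. The following is an added example, not code from the original post; it shows, for each adminCount=1 user, which protected group is the cause, what the delegated account is allowed on AdminSDHolder, and how to clean up accounts whose flag is merely left over. Names are assumed.

```powershell
# Added example, not from the original post: explain and clean up adminCount=1 accounts.
# Assumes the AD module and a domain admin session; $delegatedUser is assumed.
Import-Module ActiveDirectory
$domain        = Get-ADDomain
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$delegatedUser = 'helpdesk1'          # assumed: the account you delegated to

# Protected groups of a default domain (the set varies by OS version and dSHeuristics;
# Enterprise Admins and Schema Admins exist only in the forest root).
$protectedNames = 'Administrators','Account Operators','Server Operators','Print Operators',
                  'Backup Operators','Replicator','Domain Admins','Domain Controllers',
                  'Read-only Domain Controllers','Enterprise Admins','Schema Admins'
$protectedBy = @{}
foreach ($g in $protectedNames) {
    $grp = Get-ADGroup -Filter "name -eq '$g'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    foreach ($m in @(Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue)) {
        if (-not $protectedBy.ContainsKey($m.distinguishedName)) { $protectedBy[$m.distinguishedName] = @() }
        $protectedBy[$m.distinguishedName] += $g
    }
}

Get-ADUser -LDAPFilter '(adminCount=1)' -Properties nTSecurityDescriptor | ForEach-Object {
    [pscustomobject]@{
        User               = $_.SamAccountName
        ProtectedVia       = ($protectedBy[$_.DistinguishedName] -join ', ')
        InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
        Orphaned           = -not $protectedBy.ContainsKey($_.DistinguishedName)   # flag left over from an old membership
    }
} | Format-Table -AutoSize

# On protected users the delegated account can do exactly what AdminSDHolder grants it:
(Get-Acl -Path "AD:\$adminSdHolder").Access | Where-Object { $_.IdentityReference -like "*\$delegatedUser" }

# Users that are truly orphaned (empty ProtectedVia column) can have the flag and the
# blocked inheritance cleared; SDProp will not put them back.
function Repair-OrphanedAdminCount {
    param([string]$SamAccountName)
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    if ($protectedBy.ContainsKey($dn)) { throw "$SamAccountName is still in: $($protectedBy[$dn] -join ', ')" }
    Set-ADUser -Identity $SamAccountName -Clear adminCount
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.SetAccessRuleProtection($false, $true)   # re-enable inheritance, keep explicit ACEs
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}
```

If the report shows "technical support" members protected through, say, Account Operators or Server Operators, the sound fix is to take that group out of the protected group and give it the RDP right another way (a "Allow log on through Remote Desktop Services" GPO or local Remote Desktop Users membership), then run the repair on the orphaned accounts. Adding the reset ACE to AdminSDHolder instead would let the helper reset every protected account, Domain Admins included, so treat that as the last resort.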

Updating root certificate


Hi all,

I have a private certificate authority installed on a domain controller running Windows Server 2008 R2.

This certificate authority is used to issue certificates for Exchange 2010.

The root certificate is about to expire on 7/18/2019.

My concern is what will happen to the issued Exchange certificates when updating the root certificate.

Keep in mind the Exchange certificate will expire on 18 July 2019 too.

If I update the root certificate now, what will happen to the issued certificate of Exchange 2010?

In other words:

What is the appropriate sequence for updating the CA root certificate, taking into account that the Exchange 2010 certificates have to stay valid and running?
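The Exchange certificate expiring on the same day as the CA certificate is no coincidence: a Windows CA will not issue a certificate that outlives its own certificate. Renewing the CA certificate with the existing key pair does not touch anything already issued; those certificates keep chaining, because the signing key is unchanged, and they expire on their own dates. The order is therefore: renew the CA (same key), publish the renewed root so clients trust it, then request a new Exchange certificate, which can now be issued for a full term. The following is an added example, not code from the original post; it assumes the CA runs on the 2008 R2 DC, a scratch path of C:\temp, and PowerShell for the few wrapper lines.

```powershell
# Added example, not from the original post: inventory, renew the root CA certificate
# with the existing key, and publish it. Assumes: run on the CA as Enterprise Admin,
# C:\temp exists. Steps 2 and 3 are the interactive certutil commands themselves.
$caName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$config = "$env:COMPUTERNAME\$caName"

# 1. What currently depends on this CA certificate: every issued certificate that
#    ends on or after the CA's own NotAfter (they were all clipped to that date).
certutil -config $config -CAInfo cert
certutil -config $config -view -restrict "NotAfter>=07/17/2019,Disposition=20" -out "RequestID,RequesterName,CertificateTemplate,NotAfter"

# 2. Renew the CA certificate and reuse the key pair. With the same key the certificates
#    already issued continue to verify; a new key would make them chain only to the old
#    (expiring) CA certificate. This prompts and then restarts the CA service.
certutil -renewCert ReuseKeys
Restart-Service -Name CertSvc

# 3. Export the renewed CA certificate and publish it to the forest trust stores so domain
#    members pick it up at the next Group Policy refresh (certutil -pulse / gpupdate forces it).
$cerPath = "C:\temp\$caName-renewed.cer"               # assumed path
certutil -config $config -ca.cert $cerPath
certutil -dspublish -f $cerPath RootCA
certutil -dspublish -f $cerPath NTAuthCA

# 4. Only after clients (and the Exchange server) trust the renewed root, generate a new
#    request on Exchange (New-ExchangeCertificate -GenerateRequest ...) and submit it here:
# certreq -submit -config $config C:\temp\exchange.req C:\temp\exchange.cer
```

Disposition 20 in the `-restrict` clause limits the view to issued certificates. The one thing that must not happen is letting the CA certificate lapse before renewal: a CA whose certificate has expired can neither issue nor publish CRLs, and the Exchange certificate would then be unrenewable until the CA is fixed.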


LDAP VIP name configuration


Hi,

I have 3 sites (UK, US, Germany); each AD site contains 3 domain controllers, so 9 domain controllers in total.

I want to create an LDAP virtual name using 3 domain controllers; this should be done according to geo region.

Three LDAP VIP names are required, e.g. LDAPUK.domain.com etc.

So the application team can hardcode the nearest LDAP VIP name for authentication and redundancy purposes.

If one LDAP server goes offline another LDAP server will respond to the query. Help me to create the VIP name in DNS.

Please assist with your answer.
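The DNS-only version of this is a round-robin record set: one A record per regional DC under one name. The following is an added example, not code from the original post; it creates the three names in the AD-integrated zone and then probes every address behind a name, because DNS itself never checks whether a DC is up. The zone name, record names and addresses are assumed.

```powershell
# Added example, not from the original post: per-region round-robin LDAP aliases in
# AD-integrated DNS plus a probe of each address behind them. Zone and IPs are assumed.
Import-Module DnsServer
$zone = 'domain.com'
$vips = @{
    LDAPUK = '10.10.0.11','10.10.0.12','10.10.0.13'
    LDAPUS = '10.20.0.11','10.20.0.12','10.20.0.13'
    LDAPDE = '10.30.0.11','10.30.0.12','10.30.0.13'
}
foreach ($name in $vips.Keys) {
    foreach ($ip in $vips[$name]) {
        # Short TTL so a record you remove stops being handed out quickly.
        Add-DnsServerResourceRecordA -ZoneName $zone -Name $name -IPv4Address $ip -TimeToLive ([TimeSpan]::FromMinutes(5))
    }
}
# Round robin must be on, or every client receives the addresses in the same order.
(Get-DnsServerSetting -All).RoundRobin

# DNS does not know whether a DC answers; this is the check the alias cannot do by itself.
function Test-LdapAlias {
    param([string]$Fqdn, [int]$Port = 389)
    foreach ($addr in (Resolve-DnsName -Name $Fqdn -Type A).IPAddress) {
        $ok = $false; $dc = $null
        try {
            $rootDse = [adsi]"LDAP://$($addr):$Port/RootDSE"
            $dc = [string]$rootDse.dnsHostName
            $ok = $dc.Length -gt 0
        } catch { }
        [pscustomobject]@{ Alias = $Fqdn; Address = $addr; Answering = $ok; DC = $dc }
    }
}
Test-LdapAlias -Fqdn "LDAPUK.$zone"
```

Three caveats for the application team before they hard-code these names. Round robin gives no failover, only spreading: a dead DC's address is still returned until someone removes the record, and the client's own retry logic decides whether the next address is tried. Kerberos to an alias cannot work, because the SPN ldap/LDAPUK.domain.com can be registered on only one account, so Negotiate binds fall back to NTLM and simple binds must go over LDAPS. For LDAPS the DC certificates must carry the alias as a SAN, otherwise clients that validate names will reject the connection. If the applications can use the domain name instead, the DC locator (SRV records, `nltest /dsgetdc:domain.com`) already returns a live DC in the client's own site, which is the redundancy being asked for; a real load balancer with LDAP health checks is the next step up.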

Domain controller virtualization

Can we virtualize the Windows 2003 domain controller? Is there a TechNet article available from Microsoft which can be referred to?

CA not updating revocation list of superseded CA certificates


Hello,

I have an Enterprise Sub-CA running on Server 2012 R2. The root is an offline CA. I have a history of 6 CA certificates (0-5), of which 4 & 5 are revoked. There are still many valid certificates issued by certificate no. 3 in the field. The problem is that the CA is not issuing revocation lists for certificate no. 3 anymore and therefore I'm getting certificate errors. The CA is issuing revocation lists for CA certificates no. 0, 2 and 5, though. I don't mind no. 1, as there were no certificates issued by this certificate, but I have to have revocation lists for CA certificate no. 3. The revocation lists are not issued automatically, nor when triggered by hand.

Any idea?

Thanx

__Leo

How to assign admin rights only for their own computers in Active Directory?


Dear Team,

I need help with two things:

1> How can we assign a computer to a particular owner for configuring admin rights?

Example: PC-1 should be assigned to John.

2> How can we configure admin rights only for their particular computer by using Active Directory Group Policy?

Example: PC-1 is used by John, so John should have admin rights on his PC; if John tries to log in to PC-2 he should not have admin rights on that PC.

Waiting for the response 

Regards,

Aghil
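Both halves can be done with what AD already has: the computer object's managedBy attribute records the owner, and a computer startup script delivered by Group Policy reads it on each PC and makes that user the only domain user in the local Administrators group. The following is an added example, not code from the original post; the admin-side line sets the owner, and the computer-side script runs as SYSTEM without RSAT, so it uses ADSI rather than the AD module. Computer and user names are assumed.

```powershell
# Added example, not from the original post. Admin side: record the owner once.
#   Set-ADComputer -Identity 'PC-1' -ManagedBy (Get-ADUser -Identity 'john')
# Computer side: GPO computer startup script (runs as SYSTEM on each domain PC).
# Assumes Windows 10 / Server 2016 or later for the LocalAccounts cmdlets.

function Get-ManagedByAccount {
    $rootDse  = [adsi]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    [void]$searcher.PropertiesToLoad.Add('managedBy')
    $result = $searcher.FindOne()
    if (-not $result -or $result.Properties['managedBy'].Count -eq 0) { return $null }
    $owner    = [adsi]"LDAP://$($result.Properties['managedBy'][0])"
    $sidBytes = $owner.Properties['objectSid'].Value
    [pscustomobject]@{
        Sam = [string]$owner.Properties['sAMAccountName'].Value
        Sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidBytes, 0
    }
}

$owner = Get-ManagedByAccount
if (-not $owner) {
    Write-Warning "No managedBy on $env:COMPUTERNAME; leaving Administrators unchanged"
    return
}

# Domain Admins (RID 512 of the owner's domain) stays; any other domain principal that is
# not the owner is removed. Local accounts are left alone.
$domainAdminsSid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList "$($owner.Sid.AccountDomainSid.Value)-512"
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    if ($m.PrincipalSource -ne 'ActiveDirectory') { continue }
    if ($m.SID -eq $domainAdminsSid -or $m.SID -eq $owner.Sid) { continue }
    Remove-LocalGroupMember -Group 'Administrators' -Member $m.SID
}
if (-not (Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.SID -eq $owner.Sid })) {
    Add-LocalGroupMember -Group 'Administrators' -Member $owner.Sid
}
"Administrators on $env:COMPUTERNAME now: $((Get-LocalGroupMember -Group 'Administrators').Name -join ', ')"
```

Because the script enforces the group on every boot, John's rights follow the managedBy attribute rather than any per-PC GPO, and logging on to PC-2 gives him nothing since PC-2's managedBy names someone else. The same outcome without a script is Group Policy Preferences, Local Users and Groups, with one item per PC using item-level targeting on the computer name; that becomes unmanageable past a handful of machines, which is why the attribute-driven version is shown. Whichever you use, pair it with LAPS so the built-in local Administrator password is not shared across PCs.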


FSMO roles and DC decommissioning


We have WS2008R2/2012R2 DCs and have added WS2016 DCs. Now we are planning to move the FSMO roles to the new DCs in our root and child domain. The forest root domain is empty, and the child domain has all users/groups/app data.

As we are planning to move all the FSMO roles in both domains (forest root & child domain), I made a plan to first move all the FSMO roles in both environments and then start decommissioning the older DCs, first root and then child domain. But my manager said to first move all the FSMO roles in the forest root and decommission the older DCs from the root, then move all FSMO roles in the child domain and do the decommissioning there. I said that their steps are neither advisable nor the recommended way to do so, but they keep insisting on it. If we go the manager's way, it will impact our whole AD infra.

Is there any article on FSMO role movement and decommissioning in this type of environment?

I just wanted to confirm whether the way the manager suggested is possible. I don't think so.

Any thoughts on this?


Rajneesh Kumar MCSE - Server Infra, MCITP - SA, CNA
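The invariant that matters for either sequence is that no DC is demoted while it still holds a role, and that the role it gives up lands on a DC that will stay; the forest roles (Schema, Domain Naming) live in the root and the three domain roles exist once per domain, so moving the root's roles and the child's roles are independent operations. The following is an added example, not code from the original post; it reports every holder in the forest with its OS, moves the roles, and gates each demotion on a check. DC and domain names are assumed.

```powershell
# Added example, not from the original post: FSMO report, transfer, and pre-demotion gate.
# Assumes the AD module, Enterprise Admin rights, and the DC names below.
Import-Module ActiveDirectory

function Get-FsmoReport {
    $forest = Get-ADForest
    $rows = New-Object System.Collections.Generic.List[object]
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        $holder = $forest.$role
        $rows.Add([pscustomobject]@{
            Scope = $forest.RootDomain; Role = $role; Holder = $holder
            OS = (Get-ADDomainController -Identity $holder -Server $holder).OperatingSystem })
    }
    foreach ($d in $forest.Domains) {
        $dom = Get-ADDomain -Identity $d
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            $holder = $dom.$role
            $rows.Add([pscustomobject]@{
                Scope = $d; Role = $role; Holder = $holder
                OS = (Get-ADDomainController -Identity $holder -Server $holder).OperatingSystem })
        }
    }
    $rows
}

function Assert-NoFsmo {
    param([string]$DcFqdn)
    $held = Get-FsmoReport | Where-Object { $_.Holder -eq $DcFqdn }
    if ($held) { throw "$DcFqdn still holds: $($held.Role -join ', ')" }
    "$DcFqdn holds no FSMO roles"
}

Get-FsmoReport | Format-Table -AutoSize

# Root domain: forest roles and the root's own domain roles go to a 2016 DC in the root.
Move-ADDirectoryServerOperationMasterRole -Identity 'rootdc16.corp.example' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false
# Child domain: its three domain roles go to a 2016 DC in the child.
Move-ADDirectoryServerOperationMasterRole -Identity 'childdc16.child.corp.example' `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

# Before each demotion: fails loudly if anything is still on the DC being removed.
Assert-NoFsmo -DcFqdn 'rootdc08.corp.example'
```

Run the report again after replication has converged (`repadmin /replsummary` clean) and before each `Uninstall-ADDSDomainController`; the gate above is what protects the forest, not the order in which the two domains are handled. Two related checks belong in the same window: leave at least one global catalog reachable from the child while root DCs go away, and if the child's Infrastructure Master sits on a GC, make sure every DC in that domain is a GC, otherwise phantom cleanup stops.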

Internet restriction on DC


I want to restrict internet browsing on the domain controller. I'm already following the Microsoft recommendation:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack

Is it possible to restrict internet access for the DC alone? We have a firewall in the perimeter network.

We have configured a strict firewall policy for our enterprise. I have read a few articles saying that via Windows Firewall we can block internet access; however, Windows Firewall is disabled on the DC. Normally, in enterprises, nobody uses Windows Firewall on a DC.

Please assist with your answer on whether blocking internet access is possible on a DC.
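It is possible, and it can be done on the DC itself with Windows Firewall with Advanced Security: keep the inbound rules the AD DS role registered, add outbound allow rules for what a DC must reach (other DCs and clients on internal ranges, its DNS forwarders, the time source for the PDC emulator, WSUS), and then set the domain profile's default outbound action to block. The following is an added example, not code from the original post; addresses and host names are assumed, and in practice the same settings are pushed as a GPO linked to the Domain Controllers OU rather than typed on each DC.

```powershell
# Added example, not from the original post: outbound deny-by-default on a DC.
# Assumes the corporate ranges, time source and WSUS host below; run elevated on the DC.
$internal   = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'          # assumed corporate ranges
$forwarders = (Get-DnsServerForwarder).IPAddress.IPAddressToString     # resolvers this DC's DNS forwards to
$ntpSource  = '203.0.113.10'                                            # assumed external time source (PDCe only)
$wsus       = '10.0.5.20'                                               # assumed WSUS server

# Allow rules first, so replication and client traffic never break during the change.
New-NetFirewallRule -DisplayName 'DC out - internal networks' -Direction Outbound -Action Allow -Profile Domain -RemoteAddress $internal
if ($forwarders) {
    New-NetFirewallRule -DisplayName 'DC out - DNS forwarders UDP' -Direction Outbound -Action Allow -Profile Domain -RemoteAddress $forwarders -Protocol UDP -RemotePort 53
    New-NetFirewallRule -DisplayName 'DC out - DNS forwarders TCP' -Direction Outbound -Action Allow -Profile Domain -RemoteAddress $forwarders -Protocol TCP -RemotePort 53
}
New-NetFirewallRule -DisplayName 'DC out - NTP source' -Direction Outbound -Action Allow -Profile Domain -RemoteAddress $ntpSource -Protocol UDP -RemotePort 123
New-NetFirewallRule -DisplayName 'DC out - WSUS' -Direction Outbound -Action Allow -Profile Domain -RemoteAddress $wsus -Protocol TCP -RemotePort 8530, 8531

# Now enable the profile with outbound blocked by default. Inbound keeps the existing
# rule set; do not set DefaultInboundAction to Allow to "make it work".
Set-NetFirewallProfile -Profile Domain -Enabled True -DefaultOutboundAction Block

# Verify: the partner DC is reachable on LDAP, a public web host is not.
Test-NetConnection -ComputerName 'dc02.corp.example' -Port 389 | Select-Object ComputerName, TcpTestSucceeded   # assumed partner DC
Test-NetConnection -ComputerName 'www.microsoft.com' -Port 443 | Select-Object ComputerName, TcpTestSucceeded
```

If the DC's DNS server uses root hints instead of forwarders, outbound 53 to any address has to stay open (which is one reason to use forwarders). Expect the block to also stop CRL and OCSP fetches from public CAs and the Windows Update client if it is not pointed at WSUS, so keep the Windows Firewall log (`Set-NetFirewallProfile -LogBlocked True`) on for the first weeks and add narrow allow rules from what it shows. The perimeter firewall is still the second layer: a deny for the DC addresses there catches anything that disables the host firewall.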

Active Directory Group Member Created by User

How can I determine who has added a member to an AD group?
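Group membership changes are recorded on the DC that processed them as Security events 4728, 4732 and 4756 (member added to a global, domain-local or universal security group), each carrying the group, the added member and the account that made the change; without auditing, replication metadata still tells you when and on which DC the member value changed, but not who. The following is an added example, not code from the original post; it collects those events from every DC and falls back to the metadata. The group name is assumed, and the Success setting for "Audit Security Group Management" must already be in the Default Domain Controllers Policy.

```powershell
# Added example, not from the original post: who added members to a group, from the
# Security log of every DC. Assumes the AD module and read access to the DCs' logs.
Import-Module ActiveDirectory
$groupName = 'Domain Admins'          # assumed
$since     = (Get-Date).AddDays(-30)
$ids       = 4728, 4732, 4756         # member added to global / domain-local / universal security group

function Get-GroupMemberAddEvents {
    param([string]$Group, [datetime]$Since)
    foreach ($dc in Get-ADDomainController -Filter *) {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $Since } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.TargetUserName -ne $Group) { continue }
            [pscustomobject]@{
                Time   = $e.TimeCreated
                DC     = $dc.HostName
                Group  = $data.TargetUserName
                Member = $data.MemberName                                   # DN of the added account
                By     = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            }
        }
    }
}

Get-GroupMemberAddEvents -Group $groupName -Since $since | Sort-Object Time | Format-Table -AutoSize

# Fallback when auditing was off: when each member value last changed and where,
# from the linked-value replication metadata (no actor recorded).
$groupDn = (Get-ADGroup -Identity $groupName).DistinguishedName
Get-ADReplicationAttributeMetadata -Object $groupDn -Server (Get-ADDomain).PDCEmulator -ShowAllLinkedValues |
    Where-Object { $_.AttributeName -eq 'member' } |
    Select-Object AttributeValue, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity
```

Security logs on DCs roll over quickly, so if the answer has to be available months later the events need to be forwarded to a collector or SIEM; the metadata survives as long as the membership does and at least points you at the right DC and time window.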

AD LDS - Create new application partition


Hello!

I have two AD LDS instances in one configuration set and I am trying to create a new application partition. I am following an MSDN article (unfortunately I cannot provide the link here, I do not have enough karma) which describes this process for Active Directory. For the instance that was the first in the set all works perfectly, but when I try to create another application partition on the second server (create a domainDNS object) it gives me an "Unwilling to perform" error.

My guess is that it has something to do with the first server being the Naming Master. In the case of Active Directory, the document says that we need to bind to the server where we would like to create the partition with the delegation option to "allow the domain controller to contact the Domain-Naming FSMO role holder". The problem is that I could not find such an option for the ldap_connect function which I am using to connect to the AD LDS servers.

Any help would be great, thank you.

Best Practices for AD Site configuration

I have been trying to find a document from Microsoft on best practices for AD site configuration. We have about 20 sites, with multiple DCs at most of them. A coworker wants to set up each DC in each site to replicate back to the data-center DCs. Currently, in each site there is one DC set to replicate to the data center, and the other DCs in the site replicate from that. From what I understand, this is the correct configuration, as it cuts down on replication traffic since only one DC in each site is doing intersite replication.

Replication access denied


Hi Support,

We have two Windows 2012 Standard DCs.

We did not make any recent changes.

When we checked replication today we saw the error below:

Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\AD1

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: 653b6bb0-39bc-4610-a4a7-b08248b940d6

DSA invocationID: 86a9e6b9-5f25-47f9-9147-3d8a13a108f1

DsBindWithCred to localhost failed with status 5 (0x5):

    Access is denied.

The other DC, AD2, is fine. That DC has inbound replication from the problematic DC. AD2 is the primary DC.

Please let me know how to troubleshoot this.
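A status 5 from DsBindWithCred against localhost, while the partner still pulls from this DC, usually means the bind itself is being refused rather than replication: a non-elevated prompt (repadmin needs an elevated session even for a Domain Admin), a clock skew past the Kerberos limit, or a broken secure channel or Kerberos ticket between the two DCs. The following is an added example, not code from the original post; it runs those checks in order on AD1 and pulls the relevant events. The partner name AD2 is taken from the post.

```powershell
# Added example, not from the original post: first-pass checks for
# "DsBindWithCred to localhost failed with status 5". Run in an elevated PowerShell on AD1.
$partner = 'AD2'

# 1. Elevation: repadmin against localhost returns access denied from a non-elevated prompt.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Elevated: $elevated"

# 2. Time: more than 5 minutes of skew breaks Kerberos, which surfaces as access denied.
w32tm /stripchart /computer:$partner /samples:3 /dataonly

# 3. Secure channel and Kerberos between the DCs; stale tickets are purged first.
nltest /sc_verify:$env:USERDNSDOMAIN
klist purge | Out-Null
repadmin /showrepl $partner /errorsonly
repadmin /replsummary
dcdiag /test:replications /test:kccevent /test:advertising

# 4. What the DC logged: replication link failures (1925), tombstone-lifetime lapses (2042),
#    KCC problems (1311, 1865), and Kerberos / Netlogon errors in the System log.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 1925, 2042, 1311, 1865 } |
    Format-Table TimeCreated, Id, Message -Wrap
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos', 'NETLOGON'; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, ProviderName, Message -Wrap
```

If step 1 is the only failure, the error was cosmetic; if the stripchart shows a large offset, fix time (the PDC emulator should be the only DC with an external source) before anything else; if a 2042 appears, replication has been down longer than the tombstone lifetime and the DC must not simply be forced back in. Run the same checks on AD2 pointing at AD1 so both directions are covered.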

Does Windows Server 2008 Directory Services fail over transparently?

Hi experts,
  I need to patch a Windows Server 2008 for CVE-2019-0708 (Remote Desktop Services Remote Code Execution Vulnerability).

Here is my problem. Does Windows Server 2008 Directory Services run like DNS services, that is to say,
if I shut down one server, the active session/connection/transaction/application will automatically connect to another active server, so that no planned downtime is required?

Or is it like SQL Server AlwaysOn, that is to say, it runs in Active/Passive mode: if I shut down the primary replica, all active sessions are terminated and reconnect to the secondary replica after a few seconds, and I HAVE TO schedule planned downtime to install hotfixes?

Sorry, I thought about using Google but I just could not figure out what keywords I should use.
Also, maybe this is more of a client-side/application-side question? Does it depend on the client-side application, like SAP application servers or Visual Studio/.NET custom application code?

If possible, please show me Microsoft official documents/links, thanks a lot.
PS: I tried it before and it seems to fail over transparently, but I need to double-check because our SAP runs 24/7 and minimizing unexpected downtime is vital.

2008 to 2019

I am getting ready to install a new server with WS2019 Standard to replace an older WS2008 Standard. It's our AD DC and standard file server, running DNS and DHCP.

What am I getting myself into? There is not much information out there; almost everything I have found is for 2008 R2, not what I have.

Anywhere to start would be highly appreciated!
