Channel: Directory Services forum

w32tm - Stratum Level


Hi, I am using the Windows Time service to serve time internally to Moxa switches and firewalls in my system. Externally, my PDC is synchronised to a time server. Currently, tapping the messages between my PDC and the time server, I notice that the stratum level of my PDC is '0'. May I know how the stratum level can be customised or configured?


gpupdate/auto-enroll for Logon Type 5



I need an auto-enrolled (i.e. auto-renewed) certificate for a domain account that is running as a service account. Because the user only logs on as a service (logon type 5), no group policy processing is done. Because no group policy processing is done, auto-enrollment is not effective.

Does anyone have a workaround to auto-renew certificates for a domain user that is only logging on as a service?

Thank you!

why do we have msds-cloudextensionattribute1 Attribute on windows 2008r2 domain level


Hi All,

We are assessing the move to Office 365 and we were just wondering why we have msds-cloudextensionattribute1 available in our 2008r2 environment, as it states that this attribute was not available before Server 2012. Could it be that Exchange 2010 SP3 added this attribute to our AD schema? Any ideas? Thank you very much.

AD Design and Recommendation


Hi,

We have several DCs (WS 2016 with AD DS and DNS installed) running on several different sites and I have to prepare a rationalization document.

Any suggestions on how I can rationalize? I also have the AD site topology diagram.

Please help me prepare and compare accordingly so that I can give the recommendation.

Thanks,

Roshan Kumar

Please help

I have tried everything. I can't find the Hyper-V nor the RSAT settings. I have even tried to download the RSAT. I know I have hyper drive because it pops up, but it has no settings in the tab. I have been to features and everything. Please help.

OU control delegation VS full control of a machine inside such OU

Hi guys,

a newcomer trying AD here.

I am trying to figure out how, if possible at all, one can make a user who is not a Domain Admin nor any type of Power User, but has delegated control over an OU, an Administrator of a computer which is located inside that OU.

I thought that it would just boil down to the delegation, but although the user who has been given the delegated control can create a machine account (here is another thing which surprises me: that machine account was created outside of the OU, inside the default "Computers" container, during the join operation on the client machine - is that normal?), they do not seem to have admin control over the machine itself.

Is making a user a member of "Domain Admins" the only way of having that user able to fully manage a machine in an AD OU?

many thanks, L.

Need PowerShell script to delete multiple users from Active Directory


Hi,

I am looking for a PowerShell script to delete multiple users from AD. Basically, the users are located in different OUs, and I have a list of user samaccount names. I want to put them in a CSV file and delete them using PowerShell.

The domain name should be mentioned in the script, so that it will be clear to me which domain I am running the script against.

Please don't give me read-and-learn reference links. I am purely looking for a PowerShell script.

Appreciate your help.

Forest Trust between 2016 and 2003 functional level


Hi all,

We are doing a takeover of a customer's platform that currently has an AD on 2003 FFL/DFL.

However all the DCs are on 2008R2 OS.

Now, we're building a new platform for them, where we are going to deploy a new Forest on 2016 OS and 2016 FFL/DFL.

Obviously, they want us to create a Forest Trust between both ADs, until we can de-provision the old one.

Does anybody know about limitations/issues in this scenario? I mean, I've been searching the official MSFT documentation regarding functional levels and I can only find DC OS compatibility, but nothing regarding trust compatibilities or issues.

Furthermore, does anybody know about issues between these OS versions? Maybe something related to the SMB protocol?

Thanks a lot in advance.


Create certificate for Chrome


Dear all,

Does anyone know how to create a self-signed certificate with a Windows Server 2008 R2 AD CA that meets the requirements for Chrome? It kept reporting that the Subject Alternative Name is missing.

Active Directory User Attribute - businessRoles


Dear,

In Active Directory, I went through the user attributes and found two interesting attributes I had never used before:
"businessRoles" and "businessCategory".

For businessCategory I found documentation, but I can't find anything for the businessRoles attribute. As far as I know, I never did a schema extension with that attribute, so it has to be a native attribute.

Can anyone help me use this attribute?

Sincerely,

Yehudi Bosmans



Confusion about CALS


Hello,

First off, I apologize if this is in the wrong thread. In my opinion, this forum does not provide enough options in its drop-down list for topics. Licensing doesn't even exist.

I would like a clearer definition of the Microsoft RDS CAL. I see this referring to licensing a User or a Device for the right to access a remote apps server (formerly Terminal Services). This has also led to some confusion about whether or not a User or Device CAL is required simply to access any Windows Server remotely, such as a system admin would. Clearly, these are not the same acts, but most posts do not differentiate.

Also, if you know, what are the general requirements for CALs in an enterprise environment? For example, if you have a CAL for every device accessing the domain controller(s), is that sufficient for each device on the domain, or do we require additional CALs for the same devices accessing, say, print services, etc.? I know RDS would be the exception.

Thanks for the info.

Changing DHCP settings in a fail-over cluster


Hello,

We have followed this guide and have two DHCP servers in load sharing mode, not split scope.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831385(v=ws.11)

Now, when we go and manage scope items in DHCP, are the changes supposed to replicate between the two servers?

Import DNS records from a .csv or .txt file


Hi All,

Is there any way we can import DNS records into an existing zone? I know there is a way to import them while creating the zone from the .dns file, but I want to know whether there is any way after the zone has been created.

Cannot fetch memberOf attribute information with ldp.exe


Hi there,

On a directory service, some users' "memberOf" information cannot be fetched with ldp.exe. The steps are below:

1. Add a new user with "Active Directory Users and Computers"
2. Assign some groups to the user
3. Fetch the user information with ldp.exe

At step 3, I cannot fetch the "memberOf" attribute, as shown below.

Dn: CN=Test User,OU=staff,DC=example,DC=com
cn: Test User; 
codePage: 0; 
countryCode: 0; 
displayName: Test User; 
distinguishedName: CN=Test User,OU=staff,DC=example,DC=com; 
givenName: Test; 
name: Test User; 
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com; 
objectClass (4): top; person; organizationalPerson; user; 
objectGUID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx; 
objectSid: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx; 
primaryGroupID: 513 = ( GROUP_RID_USERS ); 
sAMAccountName: test.user; 
sAMAccountType: 805306368 = ( NORMAL_USER_ACCOUNT ); 
sn: User; 
userPrincipalName: test.user@example.com; 

I can modify existing users' attributes. However, for a new one I cannot.

How can I find the cause of the problem and fix it?

Regards,

Authentication (Login or challenge) has failed


Dear All,

Recently we have started facing issues while logging on to the server:

Authentication (Login or challenge) has failed

We have 3 DCs. All are replicating fine, so far I have seen any replication errors.

On one of the affected servers we are getting:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server rjopsvpwflmap01$. The target name used was RJOPSVPWFLMAP01$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (ROYALJETGROUP.COM) is different from the client domain (ROYALJETGROUP.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

I have also reset the SPN from the DC.

Replicated the DC, still the same issue.

Just to update, we have PAM software installed on the servers (Centrify).

Please help me to get this sorted out.


how to protect administrator password from reset in active directory??

how to protect administrator password from reset in active directory??

Verification of replica failed.


Hello,

How are you? When I'm trying to add a new domain controller, I received the following error:

Verification of replica failed. The specified domain [DomainName] is still using the File Replication Service (FRS) to replicate the SYSVOL share. FRS is deprecated.

Any ideas? 

What kind of impact will I have?

Thanks in advance

Mass Edit in Active Directory


Hello Everyone, 

I have been researching how to mass edit the Home field in the Telephones tab but couldn't find anything, only editing in the General tab. I want to be able to change all users to one specific number and also add another number in the other tab.

I eventually will want to change the IP phone field as well as the other field. 

For the Home number all users will be identical. IP phone, each person will have their own phone number and extension in the other field. 

NTFRS & DFSR sysvol issue.


Hi, I hope someone can help me out here. I have a client with a rather tired old Windows Small Business Server 2008 box, and I am trying to migrate the FSMO roles over to a newer piece of hardware running Server 2016. The secondary DC has been DCPROMO'd and brought online, but the SYSVOL never sync'd properly and I have been unable to complete the migration.

I'm going to include the dcdiag outputs of both in the hope someone can get me pointed in the right direction.

Old DC


Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = SERVER01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests
  
   Testing server: Default-First-Site-Name\SERVER01
      Starting test: Connectivity
         ......................... SERVER01 passed test Connectivity
Doing primary tests
  
   Testing server: Default-First-Site-Name\SERVER01
      Starting test: Advertising
         ......................... SERVER01 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER01 failed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... SERVER01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... SERVER01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SERVER01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SERVER01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... SERVER01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... SERVER01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SERVER01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... SERVER01 passed test Replications
      Starting test: RidManager
         ......................... SERVER01 passed test RidManager
      Starting test: Services
         ......................... SERVER01 passed test Services
      Starting test: SystemLog
         ......................... SERVER01 passed test SystemLog
      Starting test: VerifyReferences
         ......................... SERVER01 passed test VerifyReferences
  
  
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
  
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
  
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
  
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
  
   Running partition tests on : dwdomain
      Starting test: CheckSDRefDom
         ......................... dwdomain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... dwdomain passed test CrossRefValidation
  
   Running enterprise tests on : dwdomain.local
      Starting test: LocatorCheck
         ......................... dwdomain.local passed test LocatorCheck
      Starting test: Intersite
         ......................... dwdomain.local passed test Intersite

New DC


Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DW-DC-01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests
  
   Testing server: Default-First-Site-Name\DW-DC-01
      Starting test: Connectivity
         ......................... DW-DC-01 passed test Connectivity
Doing primary tests
  
   Testing server: Default-First-Site-Name\DW-DC-01
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\SERVER01.dwdomain.local, when we were trying to reach DW-DC-01.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... DW-DC-01 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DW-DC-01 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DW-DC-01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DW-DC-01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DW-DC-01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DW-DC-01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DW-DC-01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DW-DC-01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DW-DC-01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DW-DC-01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DW-DC-01 passed test Replications
      Starting test: RidManager
         ......................... DW-DC-01 passed test RidManager
      Starting test: Services
         ......................... DW-DC-01 passed test Services
      Starting test: SystemLog
         ......................... DW-DC-01 passed test SystemLog
      Starting test: VerifyReferences
         ......................... DW-DC-01 passed test VerifyReferences
  
  
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
  
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
  
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
  
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
  
   Running partition tests on : dwdomain
      Starting test: CheckSDRefDom
         ......................... dwdomain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... dwdomain passed test CrossRefValidation
  
   Running enterprise tests on : dwdomain.local
      Starting test: LocatorCheck
         ......................... dwdomain.local passed test LocatorCheck
      Starting test: Intersite
         ......................... dwdomain.local passed test Intersite

dcdiag /test:verifyenterprisereferences

Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   Home Server = DW-DC-01
   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\DW-DC-01
      Starting test: Connectivity
         ......................... DW-DC-01 passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\DW-DC-01
      Starting test: VerifyEnterpriseReferences
         The following problems were found while verifying various important DN references.  Note, that  these problems can be reported because of latency in replication.  So follow up to resolve the
         following problems, only if the same problem is reported on all DCs for a given domain or if  the problem persists after replication has had reasonable time to replicate changes.
            [1] Problem: Missing Expected Value
             Base Object: CN=DW-DC-01,OU=Domain Controllers,DC=dwdomain,DC=local
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: msDFSR-ComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862
         ......................... DW-DC-01 failed test VerifyEnterpriseReferences

Same result on both servers.

I have some more errors I can post up should you guys need more context.

Thanks in advance. 
