Hi all
Theres's an problem when a tried to add a any user to a new Specific Group (Member Of). In this case this group controls the user Web Access in my company. In my AD exists FilterWeb_Level1, FilterWeb_Level2..
etc
If I Add I a User to new group in "Member Of". For exemple Addinng in "FilterWeb_Level2" and Removing from "FilterWeb_Level1" it is always rolling back to "FilterWeb_Level1" same state.
Any suggestion to solve this ?
Thanks
Claudio Ferreira
Dear all,
I have the following topology:
Two domain controllers (windows server 2008 r2 ) and one cas/hub server and one mailbox server
We have to shut down the primary domain controllers for physical maintenance but before doing this I transferred the masters roles to the additional one ,then shutdown the domain controller but due to a failure in the hard disk of the domain controller I made a bare metal recovery then made a dcdiag and I found the following errors
please advuce
WIN-I1H2NPJ9ASV failed test DFSREventGents,
I'm trying to find a way to have a comprehensive list of objects related to a AD computer (or possibly its SID) in order that, before deleting that Computer Account, there will be no orphaned object with link to this Computer
For example, let's say i have a GPO with a security based filter pointing to a computer (the question here is not about whether or not is it a best practice). If i deleted the computer, i will be left with the SID when i look at this GPO
The same applies for a Security Group which this computer could be a member of. If i delete the computer account, the security group will have an SID instead
To prevent this, i would like to have command lines or a script which would search amongst all AD objects and find which one has a relationship with the computer account (or its SID) so that i can make some cleaning BEFORE deleting the computer account
Does that make sense to you ? Anyone has already found something to reach that goal ?
Thanks very much for your feedback
Hello there
So for a while now we have been using the "managed by" tab in Active Directory to keep track of who owns what computer.
Now the problem is that if we know which pc we want to find the user for its easy, but the other way around(User->pc) we have been using powershell to find, this is a bit of a hurdle and would be nice to just integrate in AD. So my question is: is there a way to add a tab on a user that has a list of pc's owned by that user (some have multiple pc's). In the same way the "member of" tab works.
Thanks in advance
Albert
I am looking to open port between 2 server that are behind firewall. I got the following link from the Microsoft site.
http://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
However, if you check one of the section says
UDP Dynamic | Group Policy | DCOM, RPC, EPM |
I have a problem that is sort of opposite of what most people experience.
We have network with two AD sites, and a lot of subnets but all the subnets are assigned properly. we have 3 DCs in Site1 and 2 DCs in Site2. All DCs are Server 2016, Forrest and Domain Functional levels are also 2016.
Authentication works as expected, users are authenticated against the closest DC.
Replication is DFS-r and it works as expected. GPOs, scripts etc. are replicated within site(s) and between sites fast.
Problem is this:
when I login to client in Site1 and run dfsutil /pktinfo to check referrals for \\domain.name\SYSVOL i see only one DC from Site1 even though that site has 3 DCs and I see no referrals from Site2.
if i login to client in Site2 and run dfsutil /pkinfo i see only one referral for SYSVOL, which is DC from Site2, and no referral from Site1. Referrals are random and always from matching site.
we also use DFSn a lot and those referrals are as expected. when i check properties of the folder there are always names from the home site and two from the remote site no matter where i am looking at the shares. Only SYSVOL and NETLOGON show that behavior where clients get one and only one referral.
Another issue, which is probably related, if i am logged into Site1 and try \\DCfromSite2\SYSVOL i get "access denied" and vice-versa, if i am logged in in Site2 and try \\DCFromSite1\SYSVOL i get "Access denied". But i can access them vie \\...\C$\windows\SYSVOL so it is not permission issues.
i've spent days browsing internet but couldn't figure out solution.
Any help is greatly appreciated.
Hi,
I am having two different forest running in our infra. Forest A and Forest B. One of the application is part of Forest A. The users available under forest B wants to access the application with their domain credentials. We do not want to create any trust between them because the requirement is to access LDAP only.
How do i create a LDAP referrals between those forest to access LDAP?
Any help is highly appreciate.
hi all,
today tI found that replication was not occuring because of one of the objects can not be updates
as follow
ctive Directory Domain Services could not update the following object with changes received from the following source directory service. This is because an error occurred during the application of the changes to Active Directory Domain Services on the directory
service.
Object:
CN=M M,OU=Users,OU=HD,OU=Technical Support,OU=Users,DC=mydoamin,DC=local
Synchronization of the directory service with the source directory service is blocked until this update problem is corrected.
This operation will be tried again at the next scheduled replication.
so I fix this solution making a defragment of the ntds database .but after that i run dcdiag and found
this warning in KCC what should I do about it
Event String:
The security of this directory server can be significantly enhanced
by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest)
LDAP binds that do not request signing (integrity verification) and LDAP simple
binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. E
ven if no clients are using such binds, configuring the server to reject them wi
ll improve the security of this server.
Hello,
Our company has 4 Domain Controllers, 2 in each Datacenter. They've failed over to the secondary cutting off the 2 DC's in the primary site, one of which had all the FSMO Roles.
So my question is,
With this excercise lasting for a few days, should we have the DC's in the second site seize the FSMO Roles?
And if seized, when the primary comes online will it automatically be moved back to the original Primary server?
Thanks
Hi to All
First of all
I have Active Directory and aditional Active Directory 2016
I have a Problem when I Join Any Client Computer to active Directory No Problem
But when I Tried to ping on its name , the DNS Not Know that computer
do I open DNS Manager==> there is no record
Tried it several Time
the computer added to active directory user and computer but there is no record in the DNS For that computer
why please Help
Regards
Hi team,
We are facing one user Locke out issue since long time.
As we observed, that user is login his account in multiple PC in our offices and and I want to find out the list of that PC hostname. is there any possibilities to take /generate this details from servers.
Thank you with anticipation.
Regards,
Khaleelur Rahman
when I use NSLOOKUP for a AD Domain (example:Domain1,example.com). I noticed some IP addresses listed are DCs that were decommissioned. any idea where these IPs come from, I checked the zone and I don't see these IPs listed.
Example:
Nslookup
Domain1,example.com
Some IP listed are DCs that were decommissioned.
If I lookup the SRV for the zone:
Set type=all
_ldap._tcp.dc._msdcs.Domain1,example.com
the correct DCs list returned.
Thanks,
Hi,
So this is our setup. We have 10 AD/DNS, 2 of which have their DNS Forwarders pointing to the other department's DNS server facing the internet. Now our security team called our attention because of DNS traffic from the two AD/DNS servers to public IPs, there are about 700 IPs that they want us to check. Now I have checked some of these IPs and they are legit coming from cloudflare, amazon, Microsoft, etc... My question is How do I respond to them and affirm the validity of these DNS traffic and I want also to know how the workflow of DNS query is.
Hi,
I want to create two domain controller DC1 and DC2 in same domain ADDC.com , DC1 is primary DC and DC2 is secondary.
I want to create them in 2 different networks. All machines are Hyper-V VMs.
I want that the DC1 is connected to internal_switch1 and DC2 is connected to internal-switch2, but both are in same domain .
and the client machines will be connected to both the DCs.
please help me on that.
Hi All,
I am trying to add a user with special security rights to the root node in active directory and receiving "Unable to save permission changes in <addomain>. An operations error occurred. I am logged in as Domain Administrator and tried it with a secondary domain administrator account. I am applying permissions via right clicking on the A.D Domain Name in ADUC, selecting properties, clicking on the security tab, adding the user, selecting the necessary permissions and click Apply.
Cheers
Website: http://gkm2solutions.com Blog: http://sharepointgeorge.com Twitter: http://twitter.com/georgekhalilWeb Site | Blog | Twitter
Hi,
we recently renewed and published our Root CA CRL's. All is fine in adsiedit , we see the right next update date on LDAP and web location for Root CA CRL's. But when we try to open PKIVIEW.MSC it hangs indefinitely with an hour glass on expanding. Please provide what and where to check to troubleshoot the issue.
Trying to enable the AD DS Recycle bin, and it is failing with an error message (at end of post)
Going through the check list for enabling this feature, as well as numerous other posts from technet / Microsoft.
Forest Functional Level - ((get-adforest)) ForestMode:Windows2008R2Forest . Verified.
Credentials: My user is an Enterprise / Schema admin. I added it to Domain Admins specifically when this command failed as a test.
Running PowerShell as an Administrator (Elevated Privileges) :: or without, and it is the same result.
To double check the module load, import-module activedirectory has been run.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target xyz.priv ((where xyz.priv is my actual domain)) there are no sub-domains. Also, entering the Distinguished name for the recycle bin feature has the same results.
WARNING: Enabling 'Recycle Bin Feature' on 'CN=Partitions,CN=Configuration,DC=xyz,DC=priv' is an irreversible action! You will not be able to disable 'Recycle Bin Feature' on 'CN=Partitions,CN=Configuration,DC=xyz,DC=priv' if you proceed.
Enable-ADOptionalFeature : A referral was returned from the server at Line:1 char:25
+
Enable-AdoptionalFeature <<<< -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target xyz.priv
+
CategoryInfo : NotSpecified: (Recycle Bin Feature:ADOptionalFeature) [Enable-ADOptionalFeature], ADException
+
FullyQualifiedErrorID : A Referral was returned from the server,Microsoft.ActiveDirectory.Management.Commands.EnableADOptionalFeature
Also - If I run just Enable-ADOptionalFeature it prompts me for -Identity, -Scope, -Target, and when supplied comes back with the same error.
I've tried this short hand, or with the full DN going as far as copying it from the atrribute set from Sites and Services. I even verified effective security permissions on the Recycle Bin Feature msDS object, and the configuration partition lists the object 'CN=xyz' crossRef properly when looking at it through ADSI edit.
Do I really have a typo somewhere, or process error?