Channel: Directory Services forum

Locking Laptops to 1 login


Hi, is it possible to lock a computer to one specific login through AD?

Example, we have around 170 staff members and hundreds of different devices. Some of these devices are used for testing and we only want them accessible by the Testing user account. 

Sorry if my question is too simple for here, but I am only just starting to learn how to use AD.

Thanks in advance. 


Delete Local User by Bulk using Commandline / Script


Hi Team,

I've got a domain user that has been added as a local user on a workstation, e.g. mydomain\fivesoul. But when I need to delete it using the command line, it shows this...

net user "mydomain\fivesoul" /DELETE
The syntax of this command is:

NET USER
[username [password | *] [options]] [/DOMAIN]
         username {password | *} /ADD [options] [/DOMAIN]
         username [/DELETE] [/DOMAIN]
         username [/TIMES:{times | ALL}]

So how can I delete it? And if possible, I need to be able to delete many users in one command line.

Windows 2008 R2 AD.

Hi, our current environment is Windows 2008 R2 Active Directory. If I add a Windows 2019 Server and install Active Directory Domain Services on this server do I need to move the FSMO roles to it or can I leave them on the 2008 R2 servers, until I add an additional 2019 server to the group, or does it matter?

Vic Abrahamian

Password change issue


Hi All,

We are facing a strange issue with our Active Directory built on Windows Server 2016.

Users are not able to change their password when it is expired.

However, if we reset it from the AD console and force a change at next logon, users are able to change their passwords.

But they are not able to change it using CTRL+ALT+DEL.

Our Password complexity settings are as per the standards.

 

Enforce Password history = 12

Maximum Password age = 60 Days

Minimum Password age = 5 days (I have also changed it to 1 and 0)

Minimum Password length = 8 

Password must meet complexity requirements = Enabled

Store password using reversible encryption= Disabled

Any help will be appreciated.

Thanks 

ADMT migration

Hello everyone, the 2003 environment of the source domain, the domain server of 2003 and the domain server of 2008R2, the target domain is 2016, does ADMT support direct migration from 2003 to 2016?

The following Domain Controllers are not in sync with Global state ('Prepared'):


Just removed our last 2003 DC from the domain and thought it would be a good time to upgrade FRS to DFSR prior to joining my first 209 Server into the domain. I was following the steps here which I've used many times in the past but never had an error.

https://www.mowasay.com/2017/06/guide-to-migrate-frs-to-dfsr/

The Domain Functional level is set to 2008R2 and OST08R2 is the only DC at the moment. After running "dfsrmig /setglobalstate 1" I get the error below, whereas in the past it happened quickly without an error. What do I do next?

C:\Windows\system32>Dfsrmig /getmigrationstate

The following Domain Controllers are not in sync with Global state ('Prepared'):


Domain Controller (Local Migration State) - DC Type
===================================================

OST08R2 ('Start') - Primary DC

Migration has not yet reached a consistent state on all Domain Controllers.
State information might be stale due to AD latency.

Creation of 2 DCs in same Domain but different network.


Hi,

I want to create two domain controllers, DC1 and DC2, in the same domain ADDC.com. DC1 is the primary DC and DC2 is the secondary.

I want to create them in 2 different networks. All machines are Hyper-V VMs.

I want DC1 to be connected to internal_switch1 and DC2 to be connected to internal-switch2, but both are in the same domain.

And the client machines will be connected to both the DCs.

Please help me with that.


Would like to add Windows 2019 AD in 2008 R2 AD environment


Hi everyone, I would like to add a Windows 2019 AD server to our Windows 2008 R2 AD DS environment. I have a question about FSMO roles.

1) Once I install Windows 2019 AD, do I need to transfer the FSMO roles or can I keep them on 2008 R2 for now.  I would rather have a second 2019 AD in the environment before I transfer the FSMO. Any thoughts on this?

2) If anyone knows best practice or a recommended way of accomplishing this goal please advise.

Thank you


Vic Abrahamian


I have a question about adding a security group to all computers on the domain...


The process in which we create new computers on our domain is:

Go to our policy-free OU, create a new pc name and then, on the same initial screen, we click Change... and add a group under User or Group. This, for us, allows anyone in that group to manage that pc within AD.

Rather than manually add a pc and add the group, I am currently using MDT to join to our domain, but I want to auto-create the pc names as well, on the fly. I can do this, but I don't know how to add a GPO to automatically apply that specific group to the security properties of the pc.

For every single pc on our domain, if you look at the properties and choose Security, there is the group (because we've been manually adding it). I'd like, from the very top down, for that group to be part of the standard Security Group on every pc we have. I don't work in AD so I don't know how to apply this, but I'm hoping for a reply that will work.

disable smbv3 multichannel on domain controller


Hi,

We have a Windows Server 2016 domain controller with 1 NIC connected.

I would like to know what would happen if SMB multichannel is disabled on the domain controller? I understand that its purpose is to choose NICs to transfer data to.

Secondly, what would happen if SMBv3 is disabled on the domain controller? I have read that SMBv2 and SMBv3 are on the same stack and that disabling one will also disable the other.

Thanks in Advance!

new domain tree in existing forest DNS q's...


Very simple setup.  One domain controller (dc1) in abc.com.  I'm curious what I need to do in regards to DNS that will allow me to add a new domain tree.  I have followed the method for creating a domain tree here: http://technet.microsoft.com/en-us/library/cc770662(WS.10).aspx. Every time I follow those instructions I continually get errors about DNS and the new domain tree (xyz.com) doesn't create DomainDNSZones in DNS.

I have also tried to create an AD-integrated FLZ on dc1.abc.com and then manually configure a zone delegation for the new domain xyz.com.  I add the server-to-be name and IP address in the delegation wizard.  I get similar problems, complaints about DNS and the DomainDNSZones isn't shown in DNS on the new DC in xyz.com.

I've read around that maybe I'm supposed to create a stub zone on the root DC and point it to the new DC before running dcpromo on the new DC.  Is this correct?  If so, should it be AD-integrated?  Should it be replicated through the forest or just the domain?

TIA.

What is the reason for creating a .local suffix domain?


Hi, 

I've seen some people create domains with a .local suffix and I was wondering why? 

I know that the domain is non routable, so it's probably as the name suggests local only. Therefore to my understanding it can't be looked up externally and it is private from the internet. But, I tend to create my forest with a routable tld like .com so that it matches with my public registered DNS name. 

The problem with .local is that what happens if you want to use directory sync, or have your users use a .com suffix later on? 

Is it not prudent these days to just use a public .tld suffix when creating your forest? I even think that this is recommended in the ADDS Wizard.  

Thanks 

Moving FSMO roles to another Datacenter during planned outage


Hi

In our infra we have 4 x Windows 2016 Domain Controllers, with 2 DCs in the main datacenter and the other 2 in the remote DC. The Main DC will be down for 10 hours. We plan to move all the FSMO roles to one of the Domain Controllers in the remote site, and once we complete the activity, we will move all FSMO roles back to the same Domain Controller. Is there anything that should be taken care of during this FSMO migration?

Thanks in advance


LMS

RDP certificate template verification problem


A new Active Directory domain is being configured. There is a stand-alone, offline root CA. There are multiple subordinate enterprise CA's.  All CDP's are configured appropriately.  The Web Enrollment feature has been configured on each subordinate CA with an HTTPS binding using a domain certificate issued by that subordinate CA.  A certificate template has been configured for remote desktop connections and a GPO has been created for domain computers to use it.

On an off-domain workstation, the root CA has been installed to Trusted Root Certification Authorities in both the Current User and Local Computer stores.  The subordinate CA's have not been installed to any store.

When navigating in Internet Explorer to the CertSrv application of a subordinate CA, there is no certificate error.  Viewing the web server certificate shows a healthy chain; the root, subordinate, and web server certificates are all displayed in the certification path.

Remote desktop connections to computers on the domain prompt a certificate issue about being unable to perform a revocation check.  Viewing the RDP certificate indicates "Windows does not have enough information to verify this certificate."  It shows that it was issued by the subordinate CA.  The certification path only shows the RDP certificate with a status of "The issuer of this certificate could not be found."

Why is the subordinate CA not found for the RDP certificate? Was something missed during configuration of the certificate template that exposes more information about the chain?


Change on-premises domain name from .net to .com


Hello,

I am reading some articles where you can change the AD DNS suffix to all the users, but not finding what I am looking for: Changing the domain name, hence also changing the DNS suffix if I am not mistaken.

I would need to change my domain name from .net to .com

Is that possible? All I am finding is how to change the DNS suffix to all the users or to a specific set.

Thanks in advance.


Luis Olías.


User cannot change expired password


I recently upgraded my site Domain Controller to Server 2008 R2.  I now have experienced several instances where users are notified that their passwords have expired, but when they attempt to change them they receive a pop-up that says access is denied.  This was not the case when the DC was Server 2008 and I can't find a solid answer why this has started happening.  I've searched all over TechNet and other resources on the web and either haven't been able to refine my queries adequately or have no idea what to search for.  Are there policy changes in 2008 R2 that I missed that might be causing this?  Is there something I can set for user accounts that allows them to change their password after expiry?

Monitoring LDAP queries to Active Directory


I am looking for a solution for monitoring LDAP queries. I need to find a solution that monitors LDAP queries.

I was reading this blog "Domain and DC Migrations: How To Monitor LDAP, Kerberos and NTLM Traffic To Your Domain Controllers" that will not work for the solution I am looking for.

I need something that I can get a report from, and I need it in real time or something in semi-real time with a report. I was reading an article about being able to monitor using (SPA) Server Performance Analyzer. I was hoping someone could tell me if I can configure a good solution using SPA or if there was something else I can use. 

So, so everyone understands, I do not want to use a third-party solution. It needs to be native and preferably able to use SQL Server. I can write a report out to gather the information from a report server.

Any thoughts, ideas... suggestions... would be appreciated.

I want to create one delegate permission with custom role


Hi Support,

I want to create one delegated permission, where the user has the permission to manage one OU, join client PCs to the domain, and change the client PC network adapter settings.

I don't want to give admin roles to any of the users. Please help by sharing the permission.

Local Session Manager and Domain Logins

Bought two new laptops (Lenovo Yogas); both came preinstalled with Windows 10 Pro. I have two users who can log in to their domain accounts while on our network; however, when they go anywhere else it states that they cannot find our domain. Our AD is configured to allow domain login using stored credentials; however, they receive an error that the domain is not available. Here's where it gets really odd: if I have them log in locally and shut off the wifi, then reboot, it allows them to connect using their domain credentials and then turn their wifi back on to VPN and connect to our network again. Any ideas??

DC replication issue


Hi All,

When I run the below command against the schema database, I can see a few deleted DSA entries; these DCs were removed some time back but still exist in this result. Is this normal, or do they need to be cleaned up from somewhere?

repadmin /showvector /latency

I can also see two GUID entries as well. I hope these GUID entries belong to old DCs.
