Channel: Directory Services forum

Server 2012 R2 Start menu


Hi, we have noticed an issue with Server 2012's Start menu: if you click Start it opens the tiles, and if you click an app it opens; however, if you want to open another copy of the app and do the same thing, it doesn't open the app again. It works fine from the desktop or other locations, just not the Start menu. I cannot find any articles or people with the same query as me. Is this expected behavior or is it a known bug?

I have built a brand new vanilla build server as well as an existing company server, and I can replicate it on all of them.


Need help renew domain controller authentication certificate.

Need help renew domain controller authentication certificate. 

AD admin center not opening


Hello All,

We are using Win2012 R2 and DFL 2012R2. When trying to open the AD admin center on the DC, it gives the error "cannot find available server in xXXXX domain that is running ADWS"

However, the ADWS services are running and I have restarted it.

I have checked on 3 DCs and all 3 say the same.

can you please advise.

regards

Aamir Masthan


NA

Lost of namespace server DFS


Hi,

I had 2 DCs (2008R2) which were DFS namespace servers.

These 2 DCs have been replaced by new 2016 DCs, but the DFS namespace server role has not been installed.

Now my DFS namespaces are not reachable. I tried to install the DFS namespace role on my new DCs; I can see my namespaces, but when I add them to the DFS Management snap-in I can't browse.

I can see my namespace in ADSIedit




2019 Domain Controllers on same subnet


I have a small office setup.

2 x Windows Server 2019 Domain Controllers:

  • HQDC01 10.0.0.1
  • HQDC02 10.0.0.2

Both are in AD Site: HQSite

Subnets assigned to this AD Site are:

  • 10.0.0.0/24 (all member servers inc. DCs)
  • 192.168.0.0/24 (all client PCs)

I have deployed a new 3rd Domain Controller:

  • HQDC03 10.0.0.3

I am creating a new second AD Site, ClientHQSite, and assigning the client subnet to this site with the intention of forcing client PCs to prefer this Domain Controller.

The DC Locator returns a list of DCs and uses a subnet lookup to identify the AD site the client is in and the preferred DC. 

Will this cause an issue in this setup as my 3rd DC is in the same subnet as the other DCs? I can re-IP my new DC to same subnet as client PCs if needed but my preference is not to.

Can Domain Controllers be on the same subnet but assigned to different AD sites?


Can AdminCount be set to 1 on any accounts in Active Directory

Can AdminCount be set to 1 on any accounts to protect them even if they are not members of any privileged groups?

Guru

How to manually remove a duplicate TRUST_ACCOUNT from active directory?


Hi,

I have a user account in my AD which is a TRUST_ACCOUNT and is also a duplicate; I mean it has a DN in the form of:

CN={DomainName}$\0ACNF:{GUID},CN=Users,DC=XXXXXX,DC=com

how can I remove this object?

I tried to generate a fake trust and remove the trust (described here: https://www.privalnetworx.de/active-directory-interdomain-trust-account-phantom) but that could not delete the object.

I get Error:

ldap_delete_s(ld, "CN={DomainName},CN=Users,DC=XXXXXX,DC=com");
Error: Delete: Insufficient Rights. <50>
Server error: 00000005: SecErr: DSID-031A1190, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Error 0x5 Access is denied.

Do I need Server CAL? (Not using RDP, AD, domain group etc.)


We have licenses for our client Windows 8 desktops and 1 windows server 2012.

We have hosted a .NET application on the Windows server with IIS. We are planning on using C# WinForms for a quick client-side application. We are using a MySQL database. About 12 users will be connecting to IIS. Do we need to buy 12 CALs?

If yes, then we can change the client code to connect to a Linux server instead. Then even though we are using WinForms we won't be using any Windows Server resources. Then we won't need to buy CALs, will we?


This server is the owner of the following FSMO role, but does not consider it valid


Hi,

What is this error I am getting on the server? I did domote the server; all FSMO roles are currently mapped to this server only, but why am I still getting this error?

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

Operations which require contacting a FSMO operation master will fail until this condition is corrected.

FSMO Role: DC=ad,DC=Contoso,DC=com

User Action:

1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners are expected to be offline (for example, because of maintenance or disaster recovery), you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.

The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

     

Thanks & Regards, D.Nithyananthan.

Check empty attribute Active Directory


Hello,

I met a problem in my script which, at first view, is simple, but I don't understand the result. I need to check some attributes for all enabled users, and if those attributes are empty then my script has to return them to me.

Here it is :

Import-Module ActiveDirectory

Get-aduser -filter {info -notlike "*" -and Enabled -eq $true} -properties info, name | Select name | foreach {

Write-Host "$($_.name) n'a aucune valeur dans le champ info "

}

Get-ADUser -LDAPFilter "(&(!manager=*)(userAccountControl=512))" -Properties * | Select name | foreach {

Write-Host "$($_.name) n'a aucune valeur dans le champ manager "

}

Get-ADUser -LDAPFilter "(&(!matriculeRH=*)(userAccountControl=512))" -Properties * | Select name | foreach {

Write-Host "$($_.name) n'a aucune valeur dans le champ matriculeRH "

}

For the first one, the INFO attribute, it works just fine, but for the others it returns only one user while there are a lot more with empty attributes.

Thank you very much ! 
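
Added example, not part of the original post: one way to list enabled users whose attribute is unset, using a well-formed LDAP NOT clause and a bitwise test on userAccountControl instead of an exact match on 512. It assumes the ActiveDirectory module and a reachable domain; the attribute names come from the post, and the function name Get-EnabledUserMissingAttribute is hypothetical.

```powershell
Import-Module ActiveDirectory

# Attributes named in the post; matriculeRH is that directory's custom attribute.
$attributes = 'info', 'manager', 'matriculeRH'

# Hypothetical helper (not from the post): returns enabled users for whom
# the given attribute has no value.
function Get-EnabledUserMissingAttribute {
    param(
        [Parameter(Mandatory)]
        # Accept only a plain LDAP attribute name so the filter stays well-formed.
        [ValidatePattern('^[A-Za-z][A-Za-z0-9-]*$')]
        [string]$Attribute
    )

    # userAccountControl is a bit field. "(userAccountControl=512)" matches only
    # accounts whose value is exactly NORMAL_ACCOUNT (512); an enabled account
    # that also has DONT_EXPIRE_PASSWORD (65536) holds 66048 and is skipped.
    # Matching rule 1.2.840.113556.1.4.803 (bitwise AND) tests only the
    # ACCOUNTDISABLE bit (2); the outer "!" keeps accounts that lack it.
    $enabled = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'

    # A NOT clause wraps a complete parenthesised filter: (!(attr=*)).
    $unset = "(!($Attribute=*))"

    $filter = "(&(objectCategory=person)(objectClass=user)$enabled$unset)"

    # Request only the attribute being checked rather than -Properties *.
    Get-ADUser -LDAPFilter $filter -Properties $Attribute
}

foreach ($attr in $attributes) {
    $users = @(Get-EnabledUserMissingAttribute -Attribute $attr)
    Write-Host "$($users.Count) enabled user(s) with no value in '$attr':"
    $users | Sort-Object Name | ForEach-Object {
        Write-Host "  $($_.Name) ($($_.SamAccountName))"
    }
}
```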

My user account is getting lockout frequently from mac device

I am looking for the steps we can perform if a user account is getting locked out from a Mac device.

Issue with workstations domain membership


I posted a similar question a few weeks ago but eventually closed that question.  I had the issue come up again so I decided to post another question.  I hope I can determine what is going on this time.

I have a problem that is occurring randomly to my Windows workstations (Windows 10 is all we have).  Every so often a workstation will seem to lose its connection to the domain.  I know that sounds odd because it is.  I first notice it if a user complains about their network drives going missing.  When I look at the machine I also notice that when going to Computer Management, Local Users and Groups, the domain accounts show up as not recognizable.

This is a Windows domain with 3 Windows 2008r2 DC's and one Windows 2016 DC.

Symptoms: 
1- network drives don't show up in File Explorer
2- when going to Computer Management, Local users and groups, Groups, any group with a domain account....the account is not recognizable.  Looks like this... S-1-5-21-1392988177-2029604534-620655208-512

The computer user is able to login and access resources.  For the most part everything works ok. 

It is like the workstation has partially lost its connection to the domain.

Resolution:  to resolve the problem I have been unjoining the computer from domain and then join it back again.  This corrects the problem for the time being.  However, it is happening randomly to my workstations and has happened more than once on a few of them.  I need to determine what is causing this.  Thanks for any help.

One more thing.  It has happened to my system at least twice.  My system is a laptop and I take it offsite to other company offices.  It seems like it has happened to me after I return to the main office and boot up here.  Not sure this matters.



Adding a New DC to an Environment with one good and one failed DC


I am adding a new domain controller (2019) DC-03 to an environment with a working 2019 DC-02 and a failed 2016 DC-01.

When Promoting the new DC the prerequisites shows a warning: 

The replication partner: DC-02 shows replication errors. You should use repadmin.exe to identify replication error on the replication partner and resolve them before continuing the installation.

This error is due to DC-02 not replicating to DC-01. I wanted to get DC-03 online before removing DC-01 forcibly just in case trouble came up. DC-01 runs but it was hacked, so I'm scared to run it long enough to demote it the normal way.

Question 1 Would it be safe to proceed with Promoting DC-03 with the replication errors? The errors are only because it did not replicate in a few days because DC-01 has been off. The last time DC-01 was up, the replication check showed no errors.

Question 2 If it is not safe, how can I remove DC-01 from the replication process without turning it on and without fully demoting it?

Question 3 If the previous questions are wrong, how should I proceed with one working DC (DC-02), a DC (DC-01) that has been hacked and turned off for days and a NEW DC (DC-03) that needs to be added? 

Suppressed SRV Record


Hi, we have suppressed an SRV record so that client machines won't go to that DC for authentication. Now, what I want to know is: after the SRV record is suppressed, what are the parameters and how much time does it take to actually start doing that?

Thanks!


Active Directory replication error -2146893022


My Windows 2k8 AD Master server was recently hit with Ransomware. I restored an image of the server I had created using Windows Backup. Once the image was restored I used ntdsutil to seize the FSMO roles. Now I am getting a replication error when I try to sync the 2 DCs.

Dave


question about modifying grouptype via ldif commands


Hi. I had a question about changing the grouptype attribute via ldif commands/ldifde. I get this error:

Add error on entry starting on line 1: Unwilling To Perform
The server side error is: 0x32 The request is not supported.
The extended server error is:
00000032: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0

when I have this as my file data:

dn:CN=Marketingtest1,OU=Marketing,DC=wallracs,DC=com
changeType:modify
replace:groupType
groupType:-2147483646
-

Is one not able to change the grouptype via ldif commands? Please help. Thank you.

Certutil script


Hi folks,

Running Server 2016 R2 VMs hosting a three tier CA and need help putting together the certutil commands to:

 - Query the CA database

 - Locate all user cert objects associated with provided email address (A list of emails indicating owners of certificates to be revoked is provided daily.)

 - Revoke all certificates associated with a listed email address

 - Publish a base CRL for corresponding CA

 - Copy Base CRL to all CDP locations

Please let me know if more info is needed.

Thanks!

AD Custom field - View >> Advanced Features - Attribute Editor


Hi,

I created custom fields in AD and added them to the user class.

Now I'm able to set and get these new attributes' values in the "Attribute Editor" tab ("View >> Advanced Features" enabled).

This only works for users I have in the "users" OU. With users I have created in other OUs the "Attribute Editor" tab is never displayed.

How can I resolve this issue? I really need to be able to read and write these new attributes.

Help is really appreciated.

Thank you,

JD

Domain Controller demotion PDC roles transferred cannot demote


I have migrated all the roles from the PDC on a 2012 datacenter to a 2019 datacenter server successfully.

However I tried to demote the server by powershell and using server manager and it seems... toasted. 

PowerShell - I tried to force this too... same issue.

Uninstall-ADDSDomainController : Verification of prerequisites for Domain Controller promotion failed. Failed to
detect component binaries.
At line:1 char:1
+ Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPart ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Uninstall-ADDSDomainController], TestFailedException
    + FullyQualifiedErrorId : Test.VerifyDcPromoCore.DCPromo.General.64,Microsoft.DirectoryServices.Deployment.PowerSh
   ell.Commands.UninstallADDSDomainCommand

dcpromoui.log 

cpromoui C80.F5C 086A 20:23:15.039         Enter RegistryKey::GetValue-DWORD GCByDefault
dcpromoui C80.F5C 086B 20:23:15.039         HRESULT = 0x80070002
dcpromoui C80.F5C 086C 20:23:15.039         result = true
dcpromoui C80.F5C 086D 20:23:15.039       result = true
dcpromoui C80.F5C 086E 20:23:15.039     Enter ReadAllowIscsiFlag
dcpromoui C80.F5C 086F 20:23:15.039       Enter GetConfigFlag AllowIscsi
dcpromoui C80.F5C 0870 20:23:15.039         Enter RegistryKey::Open Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui
dcpromoui C80.F5C 0871 20:23:15.039         Enter RegistryKey::GetValue-DWORD AllowIscsi
dcpromoui C80.F5C 0872 20:23:15.039         HRESULT = 0x80070002
dcpromoui C80.F5C 0873 20:23:15.039         result = true
dcpromoui C80.F5C 0874 20:23:15.039       result = false
dcpromoui C80.F5C 0875 20:23:15.039     Enter SetEncryptedAnswerFileOption AdministratorPassword
dcpromoui C80.F5C 0876 20:23:15.039       Enter AnswerFile::SetEncryptedOption AdministratorPassword
dcpromoui C80.F5C 0877 20:23:15.039     Enter ValidateAnswerFile
dcpromoui C80.F5C 0878 20:23:15.039       Enter AnswerFile::Validate
dcpromoui C80.F5C 0879 20:23:15.039     Enter State::GetUnclearedAnswerFilePasswords
dcpromoui C80.F5C 087A 20:23:15.039     Enter State::GetUnclearedAnswerFilePasswordReaons
dcpromoui C80.F5C 087B 20:23:15.039     Enter State::GetValidationWarnings
dcpromoui C80.F5C 087C 20:23:15.039     Info: Active Directory Domain Services Setup

dcpromoui C80.F5C 087D 20:23:15.039     Enter Start
dcpromoui C80.F5C 087E 20:23:15.039       Info: Validating environment and parameters...
dcpromoui C80.F5C 087F 20:23:15.039       Enter InitFunct
dcpromoui C80.F5C 0880 20:23:15.039         Enter State::GetMode NORMAL
dcpromoui C80.F5C 0881 20:23:15.039         Enter CbsGetUpdateInstallState
dcpromoui C80.F5C 0882 20:23:15.039           The category is 0
dcpromoui C80.F5C 0883 20:23:15.039           Enter FindRoleInfo
dcpromoui C80.F5C 0884 20:23:15.039             Enter CheckIsServerCore
dcpromoui C80.F5C 0885 20:23:15.039               It is not on server foundation
dcpromoui C80.F5C 0886 20:23:15.039               HRESULT = 0x00000000
dcpromoui C80.F5C 0887 20:23:15.039           Enter GetUpdateName
dcpromoui C80.F5C 0888 20:23:15.039           Enter GetPackageName
dcpromoui C80.F5C 0889 20:23:15.054             Unable to find identity string for package name Microsoft-Windows-ServerCore-Package
dcpromoui C80.F5C 088A 20:23:15.054           Failed to retrieve the parent package name
dcpromoui C80.F5C 088B 20:23:15.054           HRESULT = 0x80070002
dcpromoui C80.F5C 088C 20:23:15.054           HRESULT = 0x80070002
dcpromoui C80.F5C 088D 20:23:15.054       performed state 1, next state 37
dcpromoui C80.F5C 088E 20:23:15.054       Error: Failed to detect component binaries.
dcpromoui C80.F5C 088F 20:23:15.054       Enter State::GetHadNonCriticalFailures
dcpromoui C80.F5C 0890 20:23:15.054         bHadNonCriticalFailures = false
dcpromoui C80.F5C 0891 20:23:15.054     Enter State::UnbindFromReplicationPartnetDC
dcpromoui C80.F5C 0892 20:23:15.054     Exit code is 64
dcpromoui C80.F5C 0893 20:23:15.054   Exit code is 64
dcpromoui 974.13C 044E 20:46:25.201 closing log

64=install ad services????

I tried via the gui... 

I cannot get past the server selection window as I cannot select the server (that I am logged into)

Error message.......

The request to list features available on the specified server failed.
Unable to obtain the feature list.
The specified package is not valid Windows package. Error: 0x800f0805

Welcome to my world!!!!!!!!!!!!


darren hitchen


I have a question about adding a security group to all computers on the domain...


The process in which we create new computers on our domain is:

Go to our policy-free OU, create a new pc name and then, on the same initial screen, we click Change... and add a group under User or Group. This, for us, allows anyone in that group to manage that pc within AD.

Rather than manually add a pc and add the group, I am currently using MDT to join to our domain, but I want to auto-create the pc names as well, on the fly. I can do this, but I don't know how to add a GPO to automatically apply that specific group to the security properties of the pc.

For every single pc on our domain, if you look at the properties and choose Security, there is the group (because we've been manually adding it). I'd like, from the very top down, for that group to be part of the standard Security Group on every pc we have. I don't work in AD so I don't know how to apply this, but I'm hoping for a reply that will work.
