Channel: Directory Services forum
Viewing all 31638 articles

Windows server 2008 active directory issue


On an Active Directory Windows Server 2008 machine, is it possible to create another profile on the same machine with no other permissions? It gives me an error when I create such a profile, showing that there is no log on on this machine.

My server needs to shut down properly, but I don't want to give access to my admin account. So I want to create a profile for users, so they can access it and be able to shut down the server. So on a machine which has an Active Directory domain controller, is it possible to create another profile?

Thanks


Delegating the ability to trust a computer for delegation


I'm currently attempting to allow an administrator of a delegated OU (so, full-control in test and as-good-as in production to a specific OU, but not a domain admin), to trust computers for delegation to specific services on other computers. This particular case is in relation to exchange.

When he attempts to add a server on the 'Delegation' tab, he can click the 'Trust this computer for delegation to specified services only' and 'Use any authentication protocol' radio buttons, and add the relevant service and computer, but receives an 'access is denied' when he attempts to apply.

As a domain admin I can do it just fine. According to these technet articles:

http://technet.microsoft.com/en-us/library/cc739764(v=ws.10).aspx

'or you must have been delegated the appropriate authority'

http://technet.microsoft.com/en-us/library/cc780217(v=ws.10).aspx

'To delegate this right, assign the Enable computer and user accounts to be trusted for delegation user right to the selected individuals'

In detail here:

http://technet.microsoft.com/en-us/library/cc960177.aspx

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation

Suggests it may be possible to delegate this access without making him a domain admin? However when I tested a user with:

- full control to the server object

- full control to the destination/trusting server object

- and the specified computer group policy setting applying to the selfsame user

- after a gpupdate,

the same access denied message is returned.

The reason I want to avoid needing domain admin credentials for this is that we have several delegated server and application teams in a single domain. Ideally they should be able to configure their own servers to the fullest extent, including settings like this, while being unable to touch other teams' servers.

The closest related question involves setting delegation to any service, for kerberos only, which is a modification to user account control via vbscript:

http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/6bca3845-4587-4949-84e7-b0ad099f079d

This is probably less granular than required, and ironically, even though my test user can read and write the userAccountControl attribute for the object in question according to 'Effective Permissions' from advanced security, the access still cannot be configured through the AD delegation tab radio button 'Trust this computer for delegation to any service (Kerberos only)'. Trying to modify via ldifde returns:

Add error on entry starting on line 1: Insufficient Rights
The server side error is: 0x522 A required privilege is not held by the client.
The extended server error is:
00000522: SecErr: DSID-031A1190, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Please don't hesitate to let me know if I can clarify.

Cheers, Bruno


The security database on the server does not have a computer account for this workstation trust relationship

The issue is that the client gets an error when a user attempts to log in. The error message is "The security database on the server does not have a computer account for this workstation trust relationship". When this happens, I look at the computer object attributes, and look at the SPN (servicePrincipalName) attribute, and there are two values in there that should not be: "RestrictedKrbHost/computername" and "RestrictedKrbHost/computername.domainname". I remove these from the SPN attribute, reboot the client machine, and they can authenticate and log in. The issue keeps happening over and over again. There is both a 2008 R2 RODC and a 2003 R2 SP2 writeable DC at these sites. Disjoining the computer and rejoining didn't work, even after changing the computer name.

NTDS Settings at Site Level vs Server Level


Hi,

What is the difference between the replication settings on Site Level and Server Level?

I have two RWDCs at the main site (one of the DCs is on a Hyper-V VM), and the rest of the 7 sites each have an RODC on a Hyper-V VM.

If I need to change the replication interval for all of these sites, where should I modify the schedule: at the site level or the server level?

Regards,

Maqsood


Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified



Active Directory on Server 2008 R2 Roaming Profiles


I have looked up and down for the answer to this problem.

I was assigned the task of implementing an Active Directory environment for my Office workers. Server 2008 R2 and Windows 7 Pro.

I have Active Directory setup and functioning as it should. My goal for roaming profiles is to have each user's profile stored on the server (I assume that using Profile path when creating their account) and their profile Mapped to H: (On the same dialog). I also would like their profile directories redirected to the mapped location, which is under group policy editor. So far I feel I have done what I need to. Except I have this issue when a user logs on for the first time, .v2 is appended to the end of each profile directory, thus the profiles aren't being mapped as they need to be. 

What am I missing?

Note: I have seen this especially being an issue for those with legacy servers and clients (older than Windows 7 and 2008). I am building a clean, new system from scratch using 7 and Server 2008 R2.

The following error occured attempting to join the domain "mydomainname.com". The network path was not found.


Hi,

I have a hyper-V machine which has been set up the following way -

Hyper-V Host Machine
Machine Name - Computer1
IP - 192.168.1.2
Subnet Mask - 255.255.255.0
Default Gateway - none because this machine has no need to connect to the internet
Preferred DNS Server - 192.168.1.3
Roles Installed - Hyper-V

Hyper-V Guest Machine 1
Machine Name - Computer2
IP - 192.168.1.3
Subnet Mask - 255.255.255.0
Default Gateway - none because this machine has no need to connect to the internet
Preferred DNS Server - 127.0.0.1
Roles Installed - AD DS (and the dcpromo tool installed the DNS Server role alongside, and configured it)
Domain Name - mydomainname.com

Hyper-V Guest Machine 2
Machine Name - Computer3
IP - 192.168.1.4
Subnet Mask - 255.255.255.0
Default Gateway - (none for now, because there is no router or internet connection yet, but will be set to 192.168.1.1 after we buy the router and the connection)
Preferred DNS Server - 192.168.1.3
Roles Installed - (yet to install and configure the VPN role)

Hyper-V Guest Machine 3
Machine Name - Computer4
IP - 192.168.1.5
Subnet Mask - 255.255.255.0
Default Gateway - (none for now, because there is no router or internet connection yet, but will be set to 192.168.1.1 after we buy the router and the connection)
Preferred DNS Server - 192.168.1.3
Roles Installed - (yet to install and configure IIS)

All machines are running Windows Server 2008 R2.

After reading up on this problem online, I temporarily disabled the Windows Firewall on all machines.
The following protocols have been enabled on all network adapters - IP V4, File and Printer Sharing, Client for Microsoft Networks
All machines are able to ping one another - both by IPs, and by Machine Names.
However, Computer2 is unable to ping Computer4 by name. It can ping it by IP though.
All other machines can ping Computer2 both by machine name, and by the FQDN, along with being able to ping it by IP.


I have configured the domain controller on the AD DS role, but still whenever I try to add any machine to the domain, I get the error message in the thread title.
I've been through several threads on the same issue found on Google, enabled/disabled a few things based on findings and recommendations, and then posted back my machine's current stats. And yet I still get the same error message, and am unable to join any machine to the domain. If I try joining a machine to the domain through a client computer, I get the above error message. If I try adding a computer through Server Manager on the DC, it just adds a blank entry with the supplied computer name.

What gives?

P.S. (I know the first response will be to ask me to post the results of ipconfig /all, but my question is - does it give out any sensitive information? Because I have hidden my actual computer names and domain name for security reasons. This network is to soon become our live production network for our business.)


Is there any way to make sure that specified domain service account is used or not used in domain ?


I am thinking of resetting one domain user service account which is used for the MIIS service.

I would like to make sure it is not used by any service and that there is no negative impact.

If the service account is used anywhere, is it possible to detect this via the event log, or in some other way?

maximum latency before log-on fails/ you should put in a domain controller


Hello

I'm scoping a new site for my company. It has a latency to its nearest domain controller of 100-150ms. Cost is a big issue, so I don't want to put in a domain controller unless I have to.

I'm wondering what people think is a reasonable latency. I've experienced 50ms before and it wasn't great but reasonable, but I'm wondering if 100-150 is a bit much.

thanks for any advice on this.


AD LDS 2008 and AD DS 2012

Can AD LDS running on Windows Server 2008 "talk" to a Windows Server 2012 AD?  I am considering deploying AD 2012 (Domain functional level 2012) for a client to leverage DAC, but they have a 3rd party platform that does not support 2012 AD yet.  So, in order to offer LDAP auth access in a supported configuration, we will add AD LDS on a 2008 server, and point the 3rd party platform at it.  Will this work, in theory and practice?

Favorites issue

Hi

I implemented one GPO to add a URL to all Windows 7 users' Favorites. I had added it two times, and that was reflected after implementing the GPO. So to delete the one URL from the GPO, I checked the setting (Delete existing favorites and links, if present), selected the URL and clicked apply.

But after checking this setting in the GPO, all the local favorites have been deleted from all users' profiles, and we are getting lots of end user calls that favorites are missing.

Is there any way to recover or restore favorites which have been deleted by Group Policy settings?


Cannot create child domain


Hi everyone,

I am very new to Active Directory, so please bear with me.

I have configured 2 domain controllers as a root domain "x".local with IPs 192.168.132.2 and 192.168.132.3, with DNS set up as well.

I want to add an existing network on another subnet as a child domain directed from the root domain. The child domain controller I am configuring has an IP of 192.168.10.102, which is also the subnet of the network I want to add.

There is a firewall between the two domain controllers and I have allowed access through, and both controllers can see each other.

I have directed the DNS from the child domain to the root domain.

When I try to run dcpromo on the child domain controller to complete the AD setup and I try to connect to the root domain, I get an error: "The wizard cannot access the list of domains in the forest. The error is: The network path was not found."

Let me know if you need any more detail.

Thanks,


IT Is life...


Fix: Active directory corrupted (NTDS ISAM Database Corruption errors in eventlog)


It worked for me!

Frank Keunen

IT-Pro Evangelist :: Microsoft IT Infrastructure Engineer

Follow the procedure below to fix Microsoft Active Directory database problems (corrupted Active Directory due to e.g. memory issues/disk problems):

1. Reboot the server and press F8. Choose Directory Services Restore Mode from the menu.

2. Check the physical location of the Winnt\NTDS\ folder.

3. Check the permissions on the \Winnt\NTDS folder. The default permissions are:

- Administrators – Full Control
- System – Full Control

4. Check the Winnt\Sysvol\Sysvol folder to make sure it is shared.

5. Check the permissions on the Winnt\Sysvol\Sysvol share. The default permissions are:

Share permissions:

- Administrators – Full Control
- Authenticated Users – Full Control
- Everyone – Read

NTFS permissions:

- Administrators – Full Control
- Authenticated Users – Read & Execute, List Folder Contents, Read
- Creator Owner – none
- Server Operators – Read & Execute, List Folder Contents, Read
- System – Full Control

Note: You may not be able to change the permissions on these folders if the Active Directory database is unavailable because it is damaged; however, it is best to know if the permissions are set correctly before you start the recovery process, as it may not be the database that is the problem.

6. Make sure there is a folder in the Sysvol share labeled with the correct name for their domain.

7. Open a command prompt and run NTDSUTIL to verify the paths for the NTDS.dit file. These should match the physical structure from step 2. To check the file paths, start a command prompt and type the following commands:

    NTDSUTIL
    Files
    Info

The output should look similar to:

    Drive Information:
    C:\ NTFS (Fixed Drive) free (2.9 Gb) total (3.9 Gb)
    D:\ NTFS (Fixed Drive) free (3.6 Gb) total (3.9 Gb)
    DS Path Information:
    Database : C:\WINNT\NTDS\ntds.dit – 10.1 Mb
    Backup dir: C:\WINNT\NTDS\dsadata.bak
    Working dir: C:\WINNT\NTDS
    Log dir : C:\WINNT\NTDS – 30.0 Mb total
    res2.log – 10.0 Mb
    res1.log – 10.0 Mb
    edb.log – 10.0 Mb

This information is pulled directly from the registry, and mismatched paths will cause Active Directory not to start. Type Quit to end the NTDSUTIL session.

8. Rename the edb.chk file and try to boot to Normal mode. If that fails, proceed with the next steps.

9. Reboot into Directory Services Restore Mode again. At the command prompt, use ESENTUTL to check the integrity of the database. NOTE: You can use NTDSUTIL to check the integrity; however, esentutl is usually more reliable. Type the following command:

    ESENTUTL /g “\NTDS.dit” /!10240 /8 /v /x /o

(Note: Type the path without the quotes.) Note: The default path would be C:\Winnt\NTDS\ntds.dit; however, it may be different in some cases. The output will tell you if the database is inconsistent, and may produce a jet_error 1206 stating that the database is corrupt. If the database is inconsistent or corrupt, it will need to be recovered or repaired. To recover the database, type the following at the command prompt:

    NTDSUTIL
    Files
    Recover

If this fails with an error, type quit until back at the command prompt and repair the database using ESENTUTL by typing the following:

    ESENTUTL /p “\NTDS.dit” /!10240 /8 /v /x /o

(Note: Type the path without the quotes.) Note: If you do not put the switches at the end of the command, you will most likely get a Jet_error 1213 “Page size mismatch” error.

10. Delete the log files in the NTDS directory, but do not delete or move the ntds.dit file.

11. The NTDSUTIL tool needs to be run again to check the integrity of the database and to perform a Semantic Database Analysis. To check the integrity, at the command prompt type:

    NTDSUTIL
    Files
    Integrity

The output should tell you that the integrity check completed successfully and prompt that you should perform a Semantic Database Analysis. Type quit. To perform the Semantic Database Analysis, type the following at the NTDSUTIL prompt:

    Semantic Database Analysis
    Go

The output will tell you that the analysis completed successfully. Type quit and close the command prompt. NOTE: If you get errors running the analysis, then type the following at the semantic checker prompt:

    semantic checker: go fix

This puts the checker in Fixup mode, which should fix whatever errors there were.

12. Reboot the server to Normal Mode.

If any of these steps fail to recover the database, the only alternative is to perform an Authoritative System State restore from backup in Directory Services Restore Mode.

For more information, please refer to the following articles:

- 315136 HOW TO: Complete a Semantic Database Analysis for the Active Directory http://support.microsoft.com/?id=315136
- 265706 DCDiag and NetDiag in Windows 2000 Facilitate Domain Join and DC Creation http://support.microsoft.com/?id=265706
- 258007 Error Message: Lsass.exe – System Error : Security Accounts Manager http://support.microsoft.com/?id=258007
- 265089 Event 1168: Windows 2000 DCs Unable to Boot into Active Directory http://support.microsoft.com/?id=265089
- 315131 HOW TO: Use Ntdsutil to Manage Active Directory Files from the Command http://support.microsoft.com/?id=315131

BR – Frank
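As an added pre-flight check (this is example code, not part of Frank's post), the PowerShell below reads the same NTDS paths that "ntdsutil: files info" reports from the registry, confirms each exists on disk, and dumps the NTDS folder and SYSVOL share permissions so steps 2, 3, 4, 5 and 7 can be reviewed before any repair is attempted. It assumes it is run elevated on the affected DC, that the value names under the NTDS Parameters key are the standard ones, and that the Get-SmbShare cmdlets are available (Windows Server 2012 or later).

```powershell
# Added example, not from the original post: read-only review of the NTDS
# paths and permissions that the repair procedure says to verify first.
# Run elevated on the domain controller (works in DSRM as well).
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$params  = Get-ItemProperty -Path $ntdsKey

# Value names assumed to be the standard NTDS Parameters entries; these are
# the source of the paths "ntdsutil: files info" prints (step 7).
$paths = [ordered]@{
    'Database'    = $params.'DSA Database file'
    'Backup dir'  = $params.'Database backup path'
    'Working dir' = $params.'DSA Working Directory'
    'Log dir'     = $params.'Database log files path'
}

Write-Output 'DS Path Information (from registry):'
foreach ($entry in $paths.GetEnumerator()) {
    if ([string]::IsNullOrEmpty($entry.Value)) {
        $state = '(not set)'
    } elseif (Test-Path -LiteralPath $entry.Value) {
        $state = 'present'
    } else {
        $state = 'MISSING - mismatched path will stop AD from starting'
    }
    Write-Output ('{0,-12}: {1}  [{2}]' -f $entry.Key, $entry.Value, $state)
}

# Step 10 deletes the ESE log files but never ntds.dit; list what is in the
# log directory first so nothing is removed blind.
if ($paths['Log dir'] -and (Test-Path -LiteralPath $paths['Log dir'])) {
    Write-Output "`nESE log files in $($paths['Log dir']):"
    Get-ChildItem -LiteralPath $paths['Log dir'] -Filter '*.log' |
        Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
}

# Step 3: NTFS permissions on the NTDS folder
# (defaults in the post: Administrators and System, Full Control).
if ($paths['Working dir'] -and (Test-Path -LiteralPath $paths['Working dir'])) {
    Write-Output "`nACL on $($paths['Working dir']):"
    (Get-Acl -LiteralPath $paths['Working dir']).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}

# Steps 4-5: SYSVOL must be shared; show share permissions and the NTFS ACL
# of the folder behind it so they can be compared with the defaults listed.
$sysvol = Get-SmbShare -Name 'SYSVOL' -ErrorAction SilentlyContinue
if (-not $sysvol) {
    Write-Warning 'SYSVOL share not found (step 4 fails)'
} else {
    Write-Output "`nSYSVOL share permissions:"
    Get-SmbShareAccess -Name 'SYSVOL' |
        Select-Object AccountName, AccessRight, AccessControlType | Format-Table -AutoSize
    Write-Output "NTFS ACL on $($sysvol.Path):"
    (Get-Acl -LiteralPath $sysvol.Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}
```

On Windows Server 2008 and earlier, replace the Get-SmbShare calls with "net share SYSVOL" and read the share path from its output.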

remove dfs from RODC windows server 2008 R2


Hi

How can I remove DFS from an RODC server?

Without touching Active Directory settings.

Any comment will be appreciated.


Arvind

NetLogon service registering wrong IP address


We are facing a problem for which we haven't found a remedy. The problem is that on two of four domain controllers, the Netlogon service is registering the IP address from the backup NIC, even though dynamic updates are disabled on the network interface, and also HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{Interface_ID}\ "DisableDynamicUpdate"=dword:00000001.

Tested with nltest.exe /server:DC1 /dsgetdc:company.com, and the only situation when the backup IP address isn't registered is when the backup NIC is disabled.


ADPrep execution failed - Error(8224) while running "LDIFDE -o "ObjectGuid" -d


In a network environment with a Windows SBS 2003 domain controller, rather than completely replacing the domain, I am trying to set up a backup domain controller with Windows Server 2012 Standard.

Here's the error I am getting:

"ADPrep execution failed --> System.ComponentModel.Win32Exception (0x80004005): A device attached to the system is not functioning"

Below is the abstract from the ADPrep log file:

Adprep was unable to complete because the call back function failed. 
[Status/Consequence]
Error message: Error(8224) while running "LDIFDE -o "ObjectGuid" -d "CN=printQueue-Display,CN=405,CN=DisplaySpecifiers,CN=Configuration,DC=MyDomainName,DC=local" -u -f "C:\Users\EXECUT~1\AppData\Local\Temp\TMP805A.tmp" -s"MyServerName.MyDomainName.local" -h".   (0x80004005).

[User Action]

Check the log file ADPrep.log, in the C:\Windows\debug\adprep\logs\20130419101228 directory for more information.

DSID Info:
DSID: 0x1811132a
winerror = 0x1f
NT BUILD: 9200
NT BUILD: 16384

[2013/04/19:10:20:52.482]
Adprep was unable to update forest information. 

[Status/Consequence]

Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.

[User Action]

Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20130419101228 directory for more information. 

I am scratching my head...Where shall I start with solving this problem?

Authenticate user in AD LDS without access to AD DS?


Hello,

I would like a server in the DMZ to allow users to authenticate with their AD accounts.

This server does not need access to AD DS (internal VLAN) :

- AD DS => DMZ OK
- DMZ => AD DS NOK

After discussion, I opted for AD LDS with a sync by ldifde (RODC must communicate with AD DS).


I created multiple instances (for testing) following different howto (Microsoft website and other). Ex : http://technet.microsoft.com/en-us/library/cc753447%28v=ws.10%29.aspx


Therefore, I want to export my AD users into AD LDS.

I make the export with ldifde: ldifde -f MyFile.ldf -s MyAD:389 -m -b AdminDomain Domain Password

Or simply : ldifde -f MyFile2.ldf


No problem! Export is ok. But import... no...


With ldifde -i -f MyFile1.ldf -s localhost -m -b AdminDomain Domain Password it says SAM Logic can't be activated for import.

So I removed the -m option: ldifde -i -f MyFile1.ldf -s localhost -b AdminDomain Domain Password

Whether it's with this command or with: ldifde -i -f MyFile2.ldf -s localhost or ldifde -i -f MyFile1.ldf -s localhost:PortNumber or ldifde -i -f MyFile1.ldf -s ServerName


The error is always the same (in French):

Connexion à « localhost » en cours
Connexion en cours en tant que « AdminDomain» dans le domaine « Domaine en utilisant
 SSPI
Importation de l'annuaire à partir du fichier « MyFile1.ldf »
Chargement des entrées.
Erreur d'ajout sur l'entrée commençant à la ligne 1 : Attribut inexistant
L'erreur du côté serveur est 0x57 Paramètre incorrect.
L'erreur serveur étendue est :
00000057: LdapErr: DSID-0C090C3E, comment: Error in attribute conversion operati
on, data 0, v1db1
0 entrées modifiées.
Une erreur s'est produite dans le programme
Aucun fichier journal n'a été écrit. Afin de générer un fichier journal,
spécifiez le chemin d'accès au fichier journal à l'aide de l'option -j.


My file :

dn:DC=contoso,DC=com
changetype:add
objectClass:top
objectClass:domain
objectClass:domainDNS
distinguishedName:DC=contoso,DC=com
instanceType:5
whenCreated:20130705085059.0Z
whenChanged:20130410143950.0Z
subRefs:DC=DomainDnsZones,DC=contoso,DC=com
subRefs:DC=ForestDnsZones,DC=contoso,DC=com
subRefs:CN=Configuration,DC=contoso,DC=com
uSNCreated:8745
dSASignature::xxxxxxxxxxxx==
uSNChanged:11100000
name:contoso
.....


If I follow this howto : http://technet.microsoft.com/en-us/library/cc731759%28v=ws.10%29.aspx#BKMK_4

I have a similar error :

***Calling Add...
ldap_add_s(ld, "cn=testproxy,o=MonDomaine,c=fr", [2] attrs)
Error: Add: Attribut inexistant. <16>
Server error: 00000057: LdapErr: DSID-0C090C3E, comment: Error in attribute conversion operation, data 0, v1db1
Error 0x57 Paramètre incorrect.


PS : sorry for my English!


DNS problem - after Forest Trust


Hello all,

I have 2 forests (F1 & F2) and I have created 2-way trusts between them.

- Forest-wide authentication

- Ability to access shared folders between the two forests.

I want name resolution between the two forests. So I want to create a secondary zone on F1 for F2 and a secondary zone on F2 for F1.

- I have already added forwarders on each forest (F1, F2)

- I have set zone transfer for each corresponding zone.

Issue:

- When creating the secondary zone and while specifying the master server, I'm getting the below error (same error on the DNS servers in each forest):

"The server with this IP address is not authoritative for the required zone."

I have tried lots of things to resolve this error but end up with the same error.

Your inputs will be highly appreciated.

Windows NT 4.0 Server, Enterprise Edition Download Link


Hi Guys,

Please let me know if there is any way I can get a Windows NT 4.0 Server, Enterprise Edition download link.

Thanks and regards

Apu Pavithran

Server 2012 DC Promotion Bug


Hi Technet,

Last night I followed Microsoft Documentation to install the Directory Services role and then promoted a Server 2012 (Data Center) server to a Domain Controller in my environment.  The role installation completed normally, and I was able to complete the promotion and reboot.  Following a reboot, everything seems to be working 100% normally - but when opening Server Manager I noticed something strange:

Server Manager still says that I need to Promote the server to a Domain Controller.  Even after additional reboots it still says this.

Meanwhile, Directory Services seems to be working perfectly on the server, and it's replicating correctly to all other DCs in my environment.  No errors in event log on this server, or on other DCs in my environment related to this server.  I am able to connect to AD Users and Computers on the new DC as well as other directory services snap-ins and they seem to be working properly as well - changes made using the snap ins on this server replicate to my other DCs and vice versa.  

Specifics:
New DC:  Server 2012 Data Center Edition, current Windows Updates.
All other DCs:  Server 2008R2 SP1
DFL:  2008
FFL:  2003
All FSMO roles still on one of my 2008R2 DCs

At this point I'm not sure what to do except ignore this and chalk it up to a bug, but would love to hear from anyone else who has seen and perhaps resolved this, or from MS themselves for suggestions.  I haven't been able to find any accounts from other people with this issue.  I suppose I could run the promotion from server manager again and see what happens, but I'm hesitant to do this as everything appears to be working, and don't want that to result in damage / corruption / other issues in my existing AD Structure.

Any assistance with this would be greatly appreciated.

Keith Kelly
Systems Administrator
Easter Seals UCP NC
keith.kelly@eastersealsucp.com
