Channel: Directory Services forum

Options for populating security group from a file


We are implementing a mobile device management product called Airwatch. The product will require pre-approval to use and will be a prerequisite to being allowed to connect a mobile device to ActiveSync. Soon we will need to regularly disable ActiveSync for everyone who isn't on the 'approved' list, which will change over time. Currently this list is split up on multiple sheets within a single Excel workbook. Some sheets have a header and others do not, and the names are always in column A at this time. I would assume we somehow need to add information to this source document which can be cross-referenced to the domain account, and it needs to be able to be found by a non-admin.

I'm looking for the most efficient way to have a non-admin easily manage the approved list but also have it available in a format which we can use to regularly update a security group. Then we would have a scheduled task on the database server to disable ActiveSync for all and re-enable it for only those in the security group. I'm concerned about the gap between what is easy to maintain and readable for the non-admin and what they would need to do to generate the conversion for the security group file. We have a custom schema extension for all employees named EmployeeID which is unique per person but I don't know if we could reference that in the source file to build the membership.

I found this PowerShell code, but the friendly parameters are DN and sAMAccountName, which might be difficult for the non-admin to determine:

Import-CSV $file | % {$myGroup | Add-ADGroupMember -Members $_.Alias}

Keep all the names in one Excel sheet, and export to a CSV regularly? Other ideas?

Thanks!
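One way to turn a non-admin-maintained list into group membership is to key the list on the EmployeeID attribute the post mentions and let a scheduled script resolve and reconcile the group. The script below is an added example, not code from the post or from Airwatch; the CSV path, the "EmployeeID" header name and the group name are assumptions, and it requires the RSAT ActiveDirectory module.

```powershell
# Added example: reconcile an AD security group with a CSV of EmployeeIDs.
# Assumptions (not from the post): CSV path, a header column named "EmployeeID",
# a group named "ActiveSync-Approved", and the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$CsvPath   = '\\fileserver\share\approved-activesync.csv'   # assumed path
$GroupName = 'ActiveSync-Approved'                         # assumed group name
$LogPath   = Join-Path $env:TEMP 'activesync-group-sync.log'
$log       = @()

# 1. Read the list; trim and drop blank cells so casual editing does not break the run.
$wanted = Import-Csv -Path $CsvPath |
    ForEach-Object { "$($_.EmployeeID)".Trim() } |
    Where-Object { $_ } |
    Sort-Object -Unique

# 2. Resolve each EmployeeID to exactly one enabled user.
#    Only plain alphanumeric IDs are placed into the LDAP filter; anything else is logged
#    and skipped, so a stray cell cannot alter the query.
$resolved = @{}
foreach ($id in $wanted) {
    if ($id -notmatch '^[A-Za-z0-9-]+$') {
        $log += "SKIPPED malformed EmployeeID value: $id"
        continue
    }
    $users = @(Get-ADUser -LDAPFilter "(employeeID=$id)" -Properties employeeID)
    if ($users.Count -eq 1 -and $users[0].Enabled) {
        $resolved[$users[0].SamAccountName] = $users[0]
    } else {
        $log += "UNRESOLVED EmployeeID=$id matches=$($users.Count)"
    }
}

# 3. Refuse to act on an empty result: a missing or mangled file must not empty the group.
if ($resolved.Count -eq 0) {
    $log += "ABORTED: no approved users resolved from $CsvPath"
    $log | Out-File -FilePath $LogPath -Append
    throw "No approved users resolved; group left unchanged."
}

# 4. Compare with current membership and apply only the difference.
$current = @{}
Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $current[$_.SamAccountName] = $_ }

$toAdd    = @($resolved.Keys | Where-Object { -not $current.ContainsKey($_) })
$toRemove = @($current.Keys  | Where-Object { -not $resolved.ContainsKey($_) })

if ($toAdd.Count)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd    -Confirm:$false }
if ($toRemove.Count) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }

$log += "ADDED: $($toAdd -join ',')"
$log += "REMOVED: $($toRemove -join ',')"
$log | Out-File -FilePath $LogPath -Append
```

Because the script removes members that are no longer on the list as well as adding new ones, the group always mirrors the file, which is what a separate "disable ActiveSync for everyone, re-enable for group members" task needs. The unresolved entries in the log are worth reviewing after each run: they are the names that would silently lose access if left unfixed.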


NETLOGON and IIS issue


Hey folks,

I had a weird issue in my environment. My environment is W2K8 R2 and IIS 7.5.

We have a single forest and multiple domain controllers, and we have a SharePoint web application running on IIS. The web application uses IIS to locate a domain controller through Netlogon to query users in AD.

Problem

When there is an issue with the particular DC1, it is stuck on that DC1 until we do an IIS reset; then it goes to another domain controller, DC2.

My question is: what does an IIS reset have to do with the web application moving to a different DC? Theoretically it should only do that when the Netlogon service is restarted.

Does an IIS reset also restart the Netlogon service? Because by default Netlogon keeps information about the DC in its cache for 12 hours before it purges it. Let me know if more explanation is needed.


Unable to access Netlogon on a Domain Controller


Hi

I have a setup with 2 domain controllers running Windows Server 2012

When accessing \\MyDomain\Netlogon from a workstation

Server1: I can access the share

Server2: I can NOT access the share

If I change the active DFS server in the properties of the share to Server1, I can successfully access the share.

If I access \\MyDomain\Netlogon locally on Server2, I can access the share; when looking at the properties of the share I can only see the local server in the referral list. This is also the case in my other domains, so I think this is by design!

Any input is appreciated


Lars Laursen System Consultant

DNS question, different IP for same FQDN


I have an FQDN that I would like users to access via an internal IP address, 192.168.1.2. BUT if that user is connected to a public network, I would like them to use the public IP for the FQDN. I am looking to do this change with my internal MS DNS server (Windows 2003 AD). Do I need to create a new forward lookup zone to do this, OR is there an easier way? There are a bunch of public A records for the domain that are managed by an external DNS server, and I wasn't sure whether, if I add a lookup zone for it, the public A records wouldn't work until I added them to the newly created zone. And would any future changes that are added to the external DNS have to be added to the forward lookup zone as well? Seems like a basic question; I just wanted to be sure of the easiest way to implement it.

Thanks in advance

Can't resolve user in child domain


Hi,

I have a parent domain and 2 child domains. In my parent domain, I've installed TFS 2012 (although this is not about the software itself, but rather a resolution issue with AD). When I attempt to add a user on the child domain, which can be chosen from the location box, no entered user (e.g. Administrator) resolves to an AD object (i.e. get the message saying could not be found).

If I am trying to find a user in a child domain, is there any special AD or DNS setup that needs to be done?

Thanks

Authentications in error counter values and FileReplicaConn object values are very high in System Monitor for windows server 2003


I am running a domain controller on Windows Server 2003 with SP2. I am getting very high FileReplicaConn object values and Authentications in Error counter values, whereas there is no error in the replication events. As per KB article 820326 there is some bug with the OS and a hotfix is available, but this applies to Windows 2000 only. Is there any tweak or hotfix available to resolve the issue on Windows Server 2003 as well?


remove send as from delegation permissions


Hi,

It seems the "Send As" check box is delegated to users when you give them manage account permission on an OU,

but this is not good and I do not want them to be able to use this and send email on behalf of that OU's users in an Exchange 2010 organization,

but there is not a single check box for removing this entry (people with delegation should not be able to enable or disable this).

Any way?

I should add that I have used the .inf file to increase these rights to 70, but no separate setting for removing this is available:

http://technet.microsoft.com/en-us/library/cc772784(v=ws.10).aspx (Appendix O: Active Directory Delegation Wizard File)

User password changes from Windows 7 on a 2008 r2 domain takes approximately 5 minutes


Hi,

We have 3 domains in a forest, and users of one of those domains have been complaining that it's taking too long to change their passwords (5 minutes per change). This is amplified by the fact that we have a GPO for complex passwords, and if they make a password change which doesn't abide by the rules set in our password policy, it takes 5 minutes to come back saying to try again. Some users have therefore been taking 30 minutes to change their password! I have set up a test account on a spare workstation and confirmed this for myself.

They have a single domain controller at that office, and there's a secondary domain controller for that domain in another site. The DC in their office has the PDC emulator role and the other 2 domain roles. The forest root DC is in another office, but I don't think that makes any difference.

Things I've tried:

Reboot the DC

Reboot the workstation

SFC /scannow

DCDIAG

Forced replication using repadmin to ensure it was working ok - it was quite fast

Pinged the DC from the workstation <1ms

Browsed fileshares on the DC - all working correctly and fast

Checked the event logs; none are found which suggest anything is working incorrectly, and the security logs say Kerberos is working correctly, so we shouldn't be falling back to NTLM

DNS settings on client machines are good, same for the DC

DNS SRV records point to the correct local DC server in that site

nslookup reports DNS is working correctly too

I am stumped. Oh, I've also done the usual and searched Google for any answers but couldn't find any.

Please help!

Thanks

Jodey



Oh, I should also say that this server is pretty fast, and there are only 8 people in that office, so it's not overloaded.

AD/DNS Issues


Hello,

This will probably be a little long, so I am sorry in advance, but I have been working on this for hours now and cannot come up with a solution.

First I will start by saying we had some power outages happen back to back today. We have 2 DNS servers, both of which are normally on a battery backup and generator. One of these was moved to another location for maintenance and never moved back, so it was not on a battery backup. I did not know that this morning.

The first sign of an issue was that a couple of staff were not able to connect to the internet, and when they restarted their computers they were not able to log onto their end client computers; when I went to one of them I was not able to log on either. It was showing up as a problem with the domain on that end client machine, so I tried to reconnect it to the domain, and it told me that it could not locate an AD DC server to authenticate my credentials. At first I thought a switch did not come back up, because not all of our buildings have backup power. After checking all of them (took me about 2 hours) I found that I was wrong. I went back to the computer and had the same problem. Evidently what happened is that while the power blinked off on one domain controller, the other was in the middle of a scheduled restart, so neither one of them would come back up.

I have searched for a solution for the majority of the day, and now night, and am still at a loss. First I tried to redirect all of the NTDSUTIL options to point back at the initial domain server (DC3). Then, when that did not work, I tried a couple of other things in that area of the forum to try to get one of them back up and running, because I felt as though that would get the other back up and running if I set them back up to look at each other. When I tried to log on to the other DC (DC4), it would not even see the network, because it is on a Hyper-V machine, and the machine that it is on cannot locate DC3. The DHCP is on the same Hyper-V machine, on another server. The last thing I tried was to disable the registry setting to make DC3 start up without trying to sync with the other server. I am at a loss now, and I am leaving it up to anyone who thinks they can help me.

Thanks in advance for your time, Cory R. Platt

Domain and DNS setup problem


Hi.

I want to set up Active Directory on my server. First I tried to do it in a local network with one .local domain.
It worked very well. But I need it on the Internet so I can join from other computers and networks.

One note: I'm a little new, and I use it for learning purposes and to try something.
So, can I use a .tk domain (because I don't want to pay for one now) or any other domain like that?
That would help me very much and I want to try that.

There is a problem: when I want to set it up, it asks me for DNS delegation.
When I tried, I used "install DNS" because I must (there isn't an option to deselect it), and I don't know
how to set up delegation. The problem is that I set up everything (I tried many times) with delegation, without delegation and many other things,
but I can't join the domain from an XP VM. Please help me! What do I need to change in the domain panel and/or
in DCPromo?

Sorry, I'm confused; I worked the whole day yesterday and got confused.

First: is it possible, and what do I need to change on the domain for it to work?

Thank you very very much.

Certificate Requests Are Being Automatically Created, Without Issuing A Request


Hi,

I have a situation in which certificates are being automatically created without anyone actually issuing a request for them. I have a single root CA server in a domain environment, and it is configured for administrator approval of the certificates. It looks like this:

What are all these requests?? How can I stop them from being created?

Thank you very much!

Lena.

Domain Controller's /RODC's questions


Hi,

Disclaimer: bit of an AD noob, so forgive me if I am using the incorrect terminology!

In our domain there are currently 3 DCs: two in our default site, and another one in an additional site. All of these are read/write DCs. Is this a good idea, or will it lead to issues? From my limited knowledge and what I have read on the net, I thought it would be best practice to have 1 R/W DC and the rest as RODCs.

We are currently experiencing issues with domain members losing their trust relationship with the domain and some other random authentication issues. Rejoining computers to the domain fixes it, only to have the same computer lose its membership again.

Am I barking up the wrong tree, or is our configuration potentially going to cause issues?

Thanks,
Gary

Edit: grammar


Domain is trying to replicate with sibling child domain and root domain


I have a root domain (call it a) and two child domains (call them dev.a and services.a) (the FQDN is a.s.local, but I'm abbreviating).

dev.a is a single domain with 2 DCs. However, if I go to Active Directory Sites and Services, it has all the domains in the entire forest from the root domain and including all child domains. Is this correct?

In addition, if I do repadmin /replsum, the domain is trying to replicate with services.a and a (the root domain). It should only be replicating within itself.

I've read that the way to remove additional domain controllers that are not needed from Sites and Services is to do a metadata cleanup, or to expand these DCs in Sites and Services, right-click NTDS Settings and then delete (which basically brings up the warning about deleting metadata). However, these DCs are still functional and must not be decommissioned completely (if this is what happens). I just need to remove them from the topology. How can I do this?

Thanks

AD upgrade 2003 - 2008R2


I am in the process of moving an Active Directory 2003 to Active Directory 2008 R2.

Only one DC; adding a new Server 2008 R2, then using that for the upgrades.

Going to do this overnight

My question is, will this affect users at all?

Thanks

Dave


Dave Kozlowski

system restore is not working

May we never experience such a thing: when we do not work, the system restore files cannot be found again, or maybe we need them and they cannot be found again.
The thing I've experienced:
after trying and observing a few times, I finally found an answer, which is that it has the TuneUp Disk Cleaner feature enabled, which is contained in the software TuneUp Utilities 2013, and the impact is the vanishing of the backups of all files that have been saved.
I hope this experience does not happen to all colleagues.

DCPROMO and Distinguished name (DN) values


Hi,

We're in the process of moving from 2003 R2 AD to 2008 R2, so we have been dcpromo'ing 2008 R2 machines to DCs. We've noticed that while the dcpromo is replicating data to the new DC we're given a count of Distinguished Name (DN) values that may be a cause for concern, and it's going up quite fast. Quoting the Active Directory Domain Services Wizard for the last DC we promoted:

The wizard is configuring Active Directory Domain Services. This process can take from a few minutes to several hours, depending on your environment and the options selected.

Replicating data DC=our,DC=domain,DC=com: Received 91107 out of approximately 110823 objects and 24515 out of approximately 3107427 Distinguished Name (DN) values...

When we promoted the DC before it (a couple of weeks before this one) it was "approximately 2759185 Distinguished Name (DN) values", so it's gained just over a third of a million Distinguished Name (DN) values in a couple of weeks (approximately), with no significant gain in objects.

So, I guess my questions are:

  1. What exactly is the Active Directory Domain Services Wizard counting as "Distinguished Name (DN) values"?
  2. Does 3.1 million Distinguished Name (DN) values sound disproportionately high in a directory of 110823 objects?
  3. ...if it does sound disproportionately high, where should I look or what steps can I try to track down "extra" Distinguished Name (DN) values the directory may have?

I tend to think of objects having DN's, but what else has them?

dsquery exclude OU "DisabledUsers"


Hello

I use a lot

 dsquery user -inactive 4 -limit 500

The problem is that the output gives me OU="DisabledUsers", so I need to exclude it.

Is it possible?

thx


loza
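The same inactive-account review can be done with the ActiveDirectory module, which returns objects that can be filtered on their distinguished name before the result is shown. The snippet below is an added example, not code from the post; it assumes the RSAT ActiveDirectory module and that the OU to skip is literally named DisabledUsers, as in the post. The dsquery equivalent is given in a comment.

```powershell
# Added example: users inactive for 4 weeks (the post's "-inactive 4"), excluding
# anything under an OU named DisabledUsers. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$ExcludeOu = 'OU=DisabledUsers'   # OU name taken from the post

# Filter after the query so the exclusion applies to every result, not only to the first 500.
# -ResultSetSize is applied by the server before our Where-Object, so set it generously
# and trim afterwards with Select-Object -First.
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 28) -UsersOnly -ResultSetSize 5000 |
    Where-Object { $_.DistinguishedName -notmatch (',' + [regex]::Escape($ExcludeOu) + ',') } |
    Select-Object -First 500 SamAccountName, Enabled, LastLogonDate, DistinguishedName |
    Sort-Object LastLogonDate

# Plain dsquery equivalent (cmd.exe): drop lines whose DN contains the OU.
#   dsquery user -inactive 4 -limit 500 | findstr /i /v /c:"OU=DisabledUsers"
```

Keeping the Enabled column in the output is deliberate: an account that is still enabled, not yet moved to the DisabledUsers OU, and unused for four weeks is exactly the one that should be acted on, while an account that is already disabled but sitting elsewhere only needs to be moved.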

Raise FFL or DFL first


We had two W2K3 DCs in production on a Class C network, installed two new physical servers, W2K8 R2, on a Class B network, and each has its own Class C. We kept the DC_OLD01/02 servers online for a few weeks to make sure that while we re-IP'd static network devices to the new IP range, they'd still be accessible via VLANs on the Cisco switches. Then we physically removed them from production.

Production servers (reported from DC_PRODUCTION01, AD Domains and Trusts):

Name: DC_PRODUCTION01, Site: Default-First-Site-Name, DC: GC, DC Version: W2K8 R2, Status: Unavailable

Name: DC_PRODUCTION02, Site: Default-First-Site-Name, DC: GC, DC Version: W2K8 R2, Status: Online

Name: DC_OLD01, Site: Default-First-Site-Name, DC: GC, DC Version: W2K3, Status: Unavailable

Name: DC_OLD02, Site: Default-First-Site-Name, DC: GC, DC Version: W2K3, Status: Unavailable

Operations master: DC_PRODUCTION01 Current FFL: Windows 2000 Current DFL: Windows Server 2003

AD Sites and Services:

Subnets:  DC_PRODUCTION01's IP (x.x.x.x/17), DC_PRODUCTION02's IP (x.x.x.x/17), DC_OLD01's IP (x.x.x.x/24), DC_OLD02's IP (x.x.x.x/24)

I'd like to remove the /24 IPs from the ADSS system (the two physical servers are no longer even on the network) and upgrade the FFL and DFL to W2K8 R2 on DC_PRODUCTION01.

There are no plans to go backwards (W2K3), as there are no physical W2K3 DCs in the network.

The DC_PRODUCTION servers are already in production, have had dcpromo and adprep (I believe), and have been online for 3 months now.

Which gets raised first? FFL or DFL? Or does it matter? I know I need to remove DC_OLD from Change Active Directory Domain Controller...

The only other servers in this production environment are two DFS servers (connected to iSCSI SANs) and a SQL server (All running W2K8 R2 OS).  No Exchange or Lync servers in production (those are hosted offsite).

DHCP/DNS is configured correctly as well and production client PCs are all pointing to the DC_PRODUCTION01.

Any other best practices before raising the FFL and DFL?  It should be a fairly smooth upgrade, correct?  FFL first/second?


Dialog box missing "reset password"

The permissions entry dialog box is missing the "reset password" permission on my install of Server 2008 R2. When I try to add this permission, it is totally missing. I am a student and have a copy from the DreamSpark site.

LDAP failures Server '08 R2


Hey anyone,

My place of work has been having some trouble authenticating users for an off-site program that uses our domain credentials. We have a single Active Directory domain consisting of just two DCs. One DC is a physical box and the other is a virtual machine running on VMware (both Windows Server 2008 R2).

When credentials are put in for this program, they are passed from the workstation to a server that hosts the program. The server then runs a check against our domain controllers to authenticate the users. This is the point where everything stops. Through some testing we have found that if we take our virtual DC offline, our physical DC will go ahead and answer the queries and therefore authenticate the user. When we turn the virtual DC back on, we find that BOTH reply to the query simultaneously with an LDAP failure.

We have tried to think about what the real issue is, whether it be a misconfiguration or a networking error, but cannot seem to come up with a real solution. If anyone can shed some light on the situation or give me some more ideas it would be deeply appreciated. We are tired of putting bandages over bandages to make things work.
