Channel: Directory Services forum

HOW CAN I LOCATE ALL GC'S


Hi, I wish to know what the correct path is that I should type to allow the below to work?

1.  First I typed - 'repadmin.exe /options * IS_GC' - for current domain options - it states 'repadmin running command /options against server pdc01.cognitive.local - unknown option "IS_GC"'

2.  And second I typed - 'nltest /dsgetdc:corp /GC', so I typed - 'nltest /dsgetdc:cognitive GC' - which worked


Thanks! Mikey

Active Directory Sites and Services - single Site, value of adding subnets


Hello,

We have a single AD site, which is, in effect, 2 data centres in 2 different geographic areas connected by a stretched VLAN (i.e. layer 2 connectivity). All of our DCs and major infrastructure are located within these 2 data centres. We have a number of smaller offices and locations spread out throughout the country (around 100+ locations). In these smaller offices, we have a small amount of infrastructure (i.e. the odd SCCM Distribution Point). My question is, given we have a single AD site, is there any value in adding the subnets for each one of the 100 locations into AD Sites and Services?

If I did add the IP subnet, would there be any impact? We use SCCM, Azure and Exchange.

Thanks


GPO Access


Hi All,

I have only just noticed that I don't have access to the Edit option on some of the GPOs I am responsible for in my domain. For example, I am a Domain Admin in the domain, and on some of the GPOs I have noticed that the Edit option is greyed out. I can't remember this happening before.

Does anyone have any idea why this could be happening?

Active directory configuration between Private and public network


We have set up Active Directory in the public network and configured an additional domain controller in our private network. Everything was successful. When we create any user in the public AD, it is not getting updated in the private ADC, but it works in reverse.

When we tried to run sync commands, it says that there is a DNS issue. Please let us know if we are doing anything wrong, and also let us know if we need to create any DNS records.

Our public domain name is xxxxx.com and this domain is mapped to a public IP.

Different Passwords


Hello,

I'm looking for a solution with respect to 3 different domains that are there in our environment. Users across the domains have the same usernames. Our security team suspects that the passwords are also the same. They have asked us (AD Team) to explore our options where we can enforce different passwords for the domains. Is this a possibility? If so, then what is the solution?

I'm open to feedback and solutions for this.


AnnasAhmedUmair, Mohammed

Disabled Account Gets Locked Out


We have an AD account that is disabled and has been for weeks.  We also have an account lockout policy.    Today there were bad password attempts logged and then the account was locked out.    My question is how does a disabled account get locked out?  We have tried to recreate this scenario by logging into the same disabled account with bad passwords to trigger the account lockout but all we see in the event log are logon failures because the account is disabled.   Under what circumstances would bad password attempts on a disabled account trigger an account lockout then?

AD replication failing


Hi,

I have two locations connected through an IPsec VPN. I installed one main DC in HO and another in BO, then I added a 3rd DC in BO and demoted the 2nd DC in BO. Now the replication between HO DC and BO DC is not working.

The below results are from BO DC.

C:\>repadmin /replsum
Replication Summary Start Time: 2019-09-07 22:21:05

Beginning data collection for replication summary, this may take awhile:
  .....


Source DSA          largest delta    fails/total %%   error
 HO-DC            04d.19h:23m:51s    5 /   5  100  (1726) The remote procedure
call failed.


Destination DSA     largest delta    fails/total %%   error
 BO-DC2           04d.19h:24m:11s    5 /   5  100  (1726) The remote procedure
call failed.


Experienced the following operational errors trying to retrieve replication info
rmation:
          58 - ho-dc.domain.local

GC replication from FSMO Server


Hello Team,

I need urgent help on AD replication. The current environment has 5 GC servers, where one of the servers, "server1", has all the FSMO roles installed. I have to add one more GC server, "Server6", which is not in direct communication with the FSMO server. I can enable communication with Server1, which has the FSMO roles installed, for promoting Server6 to AD, but it will not be permanent. I want to understand if the communication from Server6 to Server1 is required only to promote AD, or if it is required in future as well. What will happen if Server6 is not in direct connection with Server1? Server6 will communicate with Server5, which is also a GC server, for replication.

Kindly suggest.



Linux machines facing problems authenticating to Active Directory


Hi

Linux machines (running Docker) are facing a problem in completing the authentication to Active Directory.

It gets authenticated and the connection is established after a brief period.

Any troubleshooting for the two technologies, MS Windows and Linux (which are not collaborating to work together)?

Could there be any filter on the Active Directory?


Are there any C++/C# API's available to perform actions that can be done through DCDIAG?

Active Directory Domain Controller Issues:


Hi Experts: 

Can someone help us determine the exact causes of these kinds of issues? And what are the best practices to resolve them? Please advise on the best method for this.

Exact Issue encountered : 

Six (6) domain controllers experiencing replication issues

Client computers unable to authenticate because of “trust relationship” issue

Client computers unable to access servers due to DNS resolution issue

The session setup from the computer KDTW414 failed to authenticate. The name(s) of the account(s) referenced in the security database is KDTW414$.  The following error occurred: Access is denied.
Remote Desktop Services has taken too long to load the user configuration from server \\KDTB008..***.*** for user administrator
Remote Desktop Services has taken too long to load the user configuration from server \\KDTB008..***.*** for user administrator
The session setup from the computer KDTW321 failed to authenticate. The name(s) of the account(s) referenced in the security database is KDTW321$.  The following error occurred: Access is denied.
The session setup from the computer KDTW416 failed to authenticate. The name(s) of the account(s) referenced in the security database is KDTW416$.  The following error occurred: Access is denied.
Access to drivers on Windows Update was blocked by policy
Access to drivers on Windows Update was blocked by policy
Access to drivers on Windows Update was blocked by policy

The session setup from the computer KDTW412 failed to authenticate. The name(s) of the account(s) referenced in the security database is KDTW412$.  The following error occurred: Access is denied.

1162   Internal Processing   Internal event: The Address Book hierarchy table has been rebuilt.
1863   Replication   This is the replication status for the following directory partition on this directory server.   Directory partition: DC=ForestDnsZones,DC=******,DC=******   This directory server has not received replication information from a number of directory servers within the configured latency interval.   Latency Interval (Hours): 24 Number of directory servers in all sites: 1 Number of directory servers in this site: 1   The latency interval can be modified with the following registry key.   Registry Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours)   To identify the directory servers by name, use the dcdiag.exe tool. You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".



Homer Sibayan

Last Logon Date is showing future Date on few AD Computer object


Last Logon Date is showing a future date on a few AD computer objects. The current month is October, but the last logon date and the last logon timestamp are both showing a November date on a few server objects. I checked on all the DCs; all the DCs' timing is looking good. Time replication using repadmin was also checked across all DCs; the time difference is less than 30ms.

Any input will be highly helpful


vrnaveekr

Changed the SOA record for a zone to a different Server, but it keeps changing itself back again


Can someone please help me with the following, as it is driving me nuts?

I am using the DNS GUI in a Windows Server 2012 R2 AD domain with integrated DNS (standard setup).

I open the properties of the SOA record for a zone (there is more than one DC in the domain but only one SOA record pointing to one of the DCs). There is a browse button next to the 'primary server' field. If I click on this, browse to another server in DNS via the GUI, choose this as the new Primary Server, and then apply the change (no errors), it looks good until I close and reopen the DNS GUI (and/or reboot the server), whereby when I look at the SOA record again it has gone back to the original server, i.e. my change does not stick. I have also added a trailing . to the end of the FQDN of the server (as it was there in the original field); however, this made no difference.

Does anyone know why the change is not sticking? (I am logged in as enterprise admin.)

The reason I want to change the SOA record is because I want to retire the server that holds the record at the moment.

Thanks all

CXMelga

Name of computer doesn't match name in Active Directory

Hi,

I've renamed a computer and it seems there is a problem with this. Everything is OK apart from the name in Active Directory Users and Computers. The name there is still the old one; however, when I open properties it seems to be in order, as both Computer name (pre-Windows 2000) and DNS name are correct. This is a strange issue and I never had something like this before. Can somebody advise me what to do with this, please?

I don't want to remove the computer from the domain and add it again, as this is not a solution for me in this case; I want to find the reason why something like that happens.

Kind Regards
Piotr

Best Practice in Setting up Active Directory in a shipping company


Hi Guys,

Would anybody know what is the best way to set up Active Directory in a shipping company? The scenario is that each ship must have its own domain controller.

What would be the best approach for this?

Thanks,

Lawrence




ADMT - SQL DataBase Upgrade


I am using ADMT version 3.2, and SQL is 2008, hosted remotely.

Our SQL Team is retiring SQL 2008 entirely and has asked me to use SQL 2014.

What are the prerequisites that I need to take to give the go-ahead for this database upgrade? Is ADMT 3.2 compatible with SQL 2014?

AD Replication Status Tool


Good Afternoon, 

Is there any way for me to see what objects were replicated during the last cycle using ADRST 1.0, or would anyone know of an app that will do that?

lastlogondate has a recent value; lastlogon attribute is unset or 0; how?


Hello,

I'm trying to find out - precisely - when a user authenticated.

I know "lastlogondate" | lastlogontimestamp is replicated but can be up to 14 days out of date; hence I need to query "lastlogon" on every domain controller.

I can and have done this; so far, so good.

Some users have the "lastlogondate" attribute, but "lastlogon" attribute is not set, or is 0.

How can this be?

If the user account is old, and it was authenticated [only] by a domain controller that has since been retired, then only that domain controller would have had that "lastlogon" attribute populated; all other domain controllers would only have lastlogondate.  I can accept this.

HOWEVER, I am seeing the "lastlogon" attribute unset, or "0", but the "lastlogondate" is recent (within a few days), but domain controllers have not been withdrawn in that period.

I can't explain this.  Any ideas?  I'm talking about a significant number - hundreds of users.

Thanks in advance.

Kind regards,

Anwar

The file system structure on the disk is corrupt


Dear all,

I run 2 domain controllers on Windows Server 2008 R2 and I have 4 Exchange servers (all are virtual machines).

One of the domain controllers, which has all the master roles, has this error.

I noticed this error:

"The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume system"

It's happening while backing up through Windows Backup at 5:00 and through 3:00 pm while backing up with Veeam. Could you advise me, please?

Should I transfer the master roles to the other domain controller and then run chkdsk, or what should I do?

How to query inactive users with multiple conditions


Hi All,

I am in the process of querying the inactive users with multiple conditions using PowerShell.

Can someone suggest what the best method is: using PowerShell cmdlets or the PowerShell ADSI adapter?

Please advise.
