Hi I wish to know what the correct path I should type to allow the below to work: ?
1. First I typed - 'repadmin.exe /options * IS_GC' - for current domain options - states 'repadmin running command /options against server pdc01.cognitive.local - unknown option "IS_GC"
2. And second I typed - 'nltest /dsgetdc:corp /GC', so I typed - nltest /dsgetdc:cognitive GC' - which worked
Hello,
We have a single AD site, which is in effect, 2 data centres in 2 different geographic areas connected by a stretched VLAN (i.e. layer 2 connectivity). All of our DCs and major infrastructure is located within these 2 data centres. We have a number of smaller offices and locations spread out throughout the country (around 100+ locations). In these smaller offices, we have a small amount of infrastructure (i.e. the odd SCCM Distribution Point). My question is, given we have a single AD site, is there any value in adding the subnets for each one of the 100 locations into AD sites and services?
If I did add the IP subnet, would there be any impact? We use SCCM, Azure and Exchange.
Thanks
Hi All,
I have only just noticed that I don't have access to the Edit option on some of the GPO I am responsible for in my Domain. For example I am a Domain Admins in the Domain and some of the GPOs I have noticed that the Edit option is greyed out. Cant remember this happening before.
Does anyone have any idea why this could be happening?
We have setup Active directory in public network and configured additional domain controller in our private network.. every thing is successful. When we create any user in the public AD it is not getting updated in the private ADC, but working in reversal.
When we tried to run sync commands it is saying that there is a dns issue..please let us know if we are doing any thing wrong and also let us know if we need to create any dns records..
our public domain name is xxxxx.com and this domain is mapped to public ip..
Hello,
I'm looking for a solution with respect to 3 different domains that are there in our environment. Users across the domains have same usernames. Our security team suspects that the passwords are also same. They have asked us (AD Team) to explore out options where we can enforce different passwords for the domains. Is this a possibility? If so then what is the solution?
I'm open to feedback and solutions for this.
AnnasAhmedUmair, Mohammed
We have an AD account that is disabled and has been for weeks. We also have an account lockout policy. Today there were bad password attempts logged and then the account was locked out. My question is how does a disabled account get locked out? We have tried to recreate this scenario by logging into the same disabled account with bad passwords to trigger the account lockout but all we see in the event log are logon failures because the account is disabled. Under what circumstances would bad password attempts on a disabled account trigger an account lockout then?
Hi,
I have two locations connected through ipsec vpn. I installed one main DC in HO and another in BO, then i added a 3rd DC in BO and demoted the 2nd DC in BO. Now the replication between HO DC and BO DC is not working.
The below results are from BO DC.
C:\>repadmin /replsum
Replication Summary Start Time: 2019-09-07 22:21:05
Beginning data collection for replication summary, this may take awhile:
.....
Source DSA largest delta fails/total %% error
HO-DC 04d.19h:23m:51s 5 / 5 100 (1726) The remote procedure
call failed.
Destination DSA largest delta fails/total %% error
BO-DC2 04d.19h:24m:11s 5 / 5 100 (1726) The remote procedure
call failed.
Experienced the following operational errors trying to retrieve replication info
rmation:
58 - ho-dc.domain.local
Hello Team,
I need urgent help on AD replication. Current environment has 5 GC servers where one of the server "server1" has all the FSMO roles installed. I have to configure add one more GC server "Server6" which is not in direct communication with FSMO server. I can enable communication with Server1 which has FSMO roles installed for promoting server6 to AD but it will not be permanent. I want to understand if the communication is required from Server6 to Server1 only to promote AD or it requires in future as well? What will happen if Server6 is not in direct connection with server1? Server6 will communicate with server5 which is also a GC server for replication.
Kindly suggest.
Hi
Linux Machines ( running docker ) are facing problem in completing the authentication to the Active Directory.
It gets authenticated and <g class="gr_ gr_15 gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar only-ins replaceWithoutSep" data-gr-id="15" id="15">connection</g> is established after a brief period
Any troubleshooting for the two technologies - Ms windows and Linux ( which are not collaborating to work together )
Could there any filter on the active directory
Are there any C++/C# functions that are provided by Microsoft? Microsoft has provided several API's for Directory Service functions, I'm looking for something like that.
https://docs.microsoft.com/en-us/windows/win32/ad/directory-service-functions
Hi Experts:
Can someone help us to determine what's the exact causes of this kind of issues? And what is the best practices to resolved it ? Please advise what's the best method for this
Exact Issue encountered :
Six (6) domain controllers experiencing replication issues
Client computers unable to authenticate because of “trust relationship” issue
Client computers unable to access servers due to DNS resolution issue
| The session setup from the computer KDTW414 failed to authenticate. The name(s) of the account(s) referenced in the security database is KDTW414$. The following error occurred: Access is denied. | ||||||
| Remote Desktop Services has taken too long to load the user configuration from server \\KDTB008..***.*** for user administrator | ||||||
| Remote Desktop Services has taken too long to load the user configuration from server \\KDTB008..***.*** for user administrator | ||||||
| The session setup from the computer KDTW321 failed to authenticate. The name(s) of the account(s) referenced in the security database is KDTW321$. The following error occurred: Access is denied. | ||||||
| The session setup from the computer KDTW416 failed to authenticate. The name(s) of the account(s) referenced in the security database is KDTW416$. The following error occurred: Access is denied. | ||||||
| Access to drivers on Windows Update was blocked by policy | ||||||
| Access to drivers on Windows Update was blocked by policy | ||||||
| Access to drivers on Windows Update was blocked by policy | ||||||
The session setup from the computer KDTW412 failed to authenticate. The name(s) of the account(s) referenced in the security database is KDTW412$. The following error occurred: Access is denied.
| ||||||
| This is the replication status for the following directory partition on this directory server. Directory partition: DC=ForestDnsZones,DC=******,DC=****** This directory server has not received replication information from a number of directory servers within the configured latency interval. Latency Interval (Hours): 24 Number of directory servers in all sites: 1 Number of directory servers in this site: 1 The latency interval can be modified with the following registry key. Registry Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours) To identify the directory servers by name, use the dcdiag.exe tool. You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>". |
Homer Sibayan
Last Logon Date is showing future Date on few AD Computer object. The current month is October but the last long date and the last logon timestamp both are showing november date on few servers object. I checked on all the DC's all the DC's Timing are looking good time replication using repadmin also checked across all DC's time diffr is less than 30ms.
Any input will be highly helpful
vrnaveekr
can someone please help me with the following as it is driving me nuts
Using the DNS GUI in Windows Server 2012 R2 AD Domain with integrated DNS (standard setup)
When I open the properties of the SOA record for a zone (there is more than one DC in the domain but only one SOA record pointing to one of the DCs). There is a browse button next to the 'primary server' field. If I click on this and then browse to another server in DNS via the GUI and chose this as the new Primary Server, then apply the change (not errors) looks good until I close and reopen the DNS GUI (and or reboot the server) whereby when I look at the SOA record again it has gone back to the original server e.g. my change does not stick. I have also added a trailing . to the end of the FQDN name of the server (as it was there on the original field) however this made no difference
Does anyone know why the change is not sticking (I am logged in as enterprise admin)
The reason I want to change the SOA record is because I want to retire the server that holds the record at the moment.
Thanks all
CXMelga
Hi Guys,
Would anybody know what is the best way to setup Active Directory in a shipping company. The scenario is that each ship must have its own domain controller.
What would be the best approach for this?
Thanks,
Lawrence
Lawrence
I am using ADMT 3.2 version and SQL is 2008 remotely.
Our SQL Team is retiring entire SQL 2008 and asked me to use SQL 2014.
What are the prerequisite that i need to take to give go ahead for this Database upgrade?? is ADMT 3.2 is compatible with SQL 2014??
Good Afternoon,
Is there anyway for me to see what objects were replicated during the last cycle using ADRST 1.0 or would anyone know of an app that will do that?
Hello,
I'm trying to find out - precisely - when a user authenticated.
I know "lastlogondate" | lastlogontimestamp is replicated but can be up to 14 days out of date; hence I need to query "lastlogon" on every domain controller.
I can and have done this; so far, so good.
Some users have the "lastlogondate" attribute, but "lastlogon" attribute is not set, or is 0.
How can this be?
If the user account is old, and it was authenticated [only] by a domain controller that has since been retired, then only that domain controller would have had that "lastlogon" attribute populated; all other domain controllers would only have lastlogondate. I can accept this.
HOWEVER, I am seeing the "lastlogon" attribute unset, or "0", but the "lastlogondate" is recent (within a few days), but domain controllers have not been withdrawn in that period.
I can't explain this. Any ideas? I'm talking about a significant number - hundreds of users.
Thanks in advance.
Kind regards,
Anwar
Dear all,
I run 2 domain controlers in windows server 2008 r2 and I have 4 exchange servers .(all are virtual machines)
one of the domain controllers which has all the master role has this error
I noticed this error
"The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume system"
it's happening while backing up through windows backup at 5:00 and through 3:00 pm while backing up with veam could you advice me please
should I transfer master roles to the other domain controller , then run check desk or what should I do
Hi All,
I am in the process of querying the inactive users with multiple conditions using power-shell.
can some one suggest what is the best method.Using powershell cmdlets or Powershell ADSI adapter?
Please advice.