Channel: Directory Services forum
Viewing all 31638 articles

Logon script doesn't run using GPO

My DC is a Windows 2016 Server and the workstation is Windows 10. I am not able to get my logon script to work with GPO. The VBScript (for logon input) works fine when I manually click the button to "activate" the script. However, when I create a new GPO, it doesn't appear. The script is located on the DC on one of the local drives and in the SYSVOL folder. Because I want the script to only work when an administrator is logging in, I decided to place the file:

Option 1: User Configuration > Policies > Windows Settings > Scripts > Logon. Then I clicked Browse in the "Add a Script" box, clicked on the VBScript under "Scripts" and left the parameter option blank. I've also created a batch file which points to the VBScript and does the same thing.

Option 2: I tried to create a scheduled task: User Configuration > Policies > Control Panel Settings > Scheduled Tasks. I chose New > Scheduled Task. Then in the pop-up Properties, I named the task. Under Run, I browsed to either the .vbs or the .bat file, unchecked "Enabled (scheduled task runs at a specified time)" and left all other fields blank. Under the "Schedule" tab, I clicked on the drop-down box and selected "At Logon". Then I clicked "Apply" and "OK".

I currently have my admin account and Authenticated Users listed as the accounts to apply the GPO to, and it is being applied to an OU with one test machine.

So after I tried both options, separately, I right-clicked on the GPO to run "Group Policy Update". It says success. I run gpupdate /force, log off and then log back in to see if it works. After 5 minutes it still hasn't popped up, so I reboot, but I get the same results. NOTHING.

I thought initially it was related to permissions, but it's not, because I was able to create a GPO to create a folder if it didn't exist. This worked fine when I tested it with my account and machine. I don't think it's a firewall issue, because I was able to create the folder using the same machine and accounts and it worked fine. I also ran a script to test port 3389 to validate.

I've run out of ideas and am not sure what it could be. Any assistance would be appreciated.
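Added here as an example, not from the post above: a check, run in the test user's own session on the Windows 10 workstation, of whether the user-side GPO reached the Scripts client-side extension at all and whether the script path it carries is reachable from the workstation. A user logon script runs as the logging-on user and is fetched over the network, so it has to be a UNC path readable by that user (normally the GPO's own Scripts\Logon folder in SYSVOL); a path on a local drive of the DC is not resolvable from another machine. The GPO name is a placeholder, and the registry layout read in step 2 is an assumption about where the extension records the scripts it has processed.

```powershell
# Added example (not from the original post). Run in the test user's own
# session on the Windows 10 workstation after 'gpupdate /force' and a logoff/logon.
$GpoName = 'Admin Logon Script'                      # hypothetical GPO display name
$log     = 'Microsoft-Windows-GroupPolicy/Operational'

# 1. Latest lists of GPOs applied (event 5312) and filtered out (event 5317)
#    by policy processing. A GPO in neither list is not linked anywhere in
#    this user's scope; one in 5317 was denied by security/WMI filtering.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5312, 5317 } -MaxEvents 4 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $kind = if ($_.Id -eq 5312) { 'APPLIED' } else { 'FILTERED OUT' }
        "[{0}] {1}`n{2}`n" -f $_.TimeCreated, $kind, $_.Message
    }

# 2. Scripts the Scripts client-side extension registered for this user.
#    Assumption: the CSE stores the parsed scripts.ini entries under this key,
#    one subkey per GPO (DisplayName, FileSysPath) with one subkey per script
#    (Script, Parameters).
$root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon'
if (-not (Test-Path $root)) {
    Write-Warning 'No user logon scripts registered; the Scripts CSE has not processed any GPO for this user.'
} else {
    foreach ($gpoKey in Get-ChildItem $root) {
        $gpo = Get-ItemProperty $gpoKey.PSPath
        foreach ($scriptKey in Get-ChildItem $gpoKey.PSPath) {
            $s = Get-ItemProperty $scriptKey.PSPath
            # A relative name is resolved against the GPO's SYSVOL folder; an
            # absolute local path (D:\scripts\x.vbs) points at a drive that
            # exists on the DC, not on this workstation.
            $path = if ([IO.Path]::IsPathRooted($s.Script)) { $s.Script } else { Join-Path $gpo.FileSysPath $s.Script }
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Script     = $s.Script
                Parameters = $s.Parameters
                ResolvedTo = $path
                Reachable  = Test-Path -LiteralPath $path
            }
        }
    }
}

# 3. Resultant Set of Policy for the user: confirm $GpoName is listed under
#    'Applied Group Policy Objects' and not under the filtered-out section.
gpresult /r /scope:user | Select-String -Pattern $GpoName, 'Applied Group Policy Objects', 'filtered out'
```

If the GPO shows up in event 5317, the reason text in that event (security filtering, WMI filter, disabled link) is the answer; if it is applied but step 2 shows no reachable script, the path in the GPO is the problem, not policy delivery.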

two sites on the same subnet

Hi, We are running one domain, contoso, on two separate sites. Each site has its own DC.
Both sites have stretched VLANs and hold the same subnet. Is there a reason to create 2 different sites? Is this best practice?
Please advise.

Upgrade Step for Windows AD Server to Windows Server 2019


Hi all,

I need your help with my situation below:

Primary server:
Windows 2008 R2 Standard (Master)
AD CS
AD DS
DNS

Secondary Server:
Windows 2012 R2 Standard
AD CS
AD DS
DNS

AD replication only from the primary to the secondary server.

We have bought two Windows Server 2019 Standard licenses and we plan to upgrade both servers.

I have found lots of steps for an easy way to upgrade an AD server by mounting the bootable Windows ISO media and running adprep /forestprep.
But I am worried that something else might mess up the configuration and AD itself.

My Plan,

1: Upgrade Windows 2012 R2 to Windows 2019
2: After that is done, I will start upgrading Windows 2008 R2 to Windows 2012 R2
3: And then start to upgrade to Windows 2019

Question: Any step or prerequisite before I start upgrading? (For example, AD might not work during installation, etc.)

Thanks

Ashraf
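Added as an example, not from the post: pre-flight checks to run against the existing DCs before any adprep or in-place upgrade. Two constraints matter for the plan above: Windows Server 2019 is not an in-place upgrade target for 2008 R2 (2008 R2 goes to 2012 R2 first, as planned), and adprep /forestprep has to reach the schema master, which in this setup is the 2008 R2 box. An AD CS role on the same server is out of scope here; the CA has its own backup and migration procedure and should be dealt with before the DC is touched. Domain names and the backup drive letter are placeholders.

```powershell
# Added example (not from the original post). Run on the 2012 R2 DC with the
# ActiveDirectory module; names and the backup drive are placeholders.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Functional levels and FSMO holders. adprep /forestprep must reach the schema
# master, /domainprep the infrastructure master; a 2019 DC needs a forest
# functional level of 2008 or higher.
[pscustomobject]@{
    ForestMode           = $forest.ForestMode
    DomainMode           = $domain.DomainMode
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Every DC with its OS. 2008 R2 cannot be upgraded in place to 2019; 2012 R2 can.
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, IsGlobalCatalog, IsReadOnly, Site

# Current schema version. adprep raises it (2008 R2 = 47, 2012 R2 = 69,
# 2019 = 88) and the change must replicate to every DC.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
(Get-ADObject -Identity $schemaNc -Properties objectVersion).objectVersion

# Replication and DC health must be clean before the schema changes.
repadmin /replsummary
repadmin /showrepl /errorsonly
dcdiag /q

# SYSVOL replication engine: Server 2019 cannot be promoted into a domain
# whose SYSVOL is still replicated by FRS (dfsrmig state 3 = Eliminated).
dfsrmig /getglobalstate

# System state backup (AD database, SYSVOL, registry) before any change.
wbadmin start systemstatebackup -backupTarget:E: -quiet
```

Keep the backup until the last DC is on 2019 and replication has been verified with the same two repadmin commands.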

Server promoting problem

An error occurred while trying to configure this machine as a domain controller.

Rename computer name of member server in RODC


I would like to rename a member server which resides in an RODC site and cannot contact an RWDC, because the RODC and the member server are in a branch office site.

I am able to change the password of a user on the member server but unable to change the computer name.

Error:

The following error occurred attempting to rename computer to "xxxx":

The specified domain either does not exist or could not be contacted.

Profile takes several minutes to load using Remote Desktop


Hi to All,

I am doing Remote Desktop to a Windows 2016 server. After I successfully log on in the credentials window, my profile takes a while to load.

What troubleshooting do you recommend?


Warm regards, MeVs


AD replication problems


Good day,

There are 3 domain controllers: PDC, SGLO-AD02 and SZA-AD04. SGLO-AD02 holds the FSMO roles.

All three domain controllers are in different locations; the locations with PDC and SZA-AD04 are connected by VPN tunnels to the location of SGLO-AD02.

Replication between PDC and SGLO-AD02 works, replication between PDC and SZA-AD04 works.

Replication between SGLO-AD02 and SZA-AD04 works for a while after rebooting SZA-AD04. Sometimes it stops working after 5 minutes, sometimes it fails after a couple of days.

I used PortQry to find the problem. Judging by the PortQry reports, all ports and connections between the servers work well, except for the LDAP request from SGLO-AD02 to SZA-AD04.

When replication does not work, the command

PortQry.exe -n SGLO-AD02 -e 389 -p tcp

executed on SZA-AD04 returns the expected data.

But

PortQry.exe -n SZA-AD04 -e 389 -p tcp

executed on SGLO-AD02 simply hangs and does not return anything.

If I restart SZA-AD04, the same command returns the expected data and everything works for a couple of hours.

When replication between SZA-AD04 and SGLO-AD02 does not work, then all changes are still replicated to the PDC and then to the third domain controller.

Please help me deal with this strange situation.



RPC 1722 error


Hi Experts,

We have the following network topology.

We have a single forest and a single domain with multiple sites named NRA, JRN, HO, DC and CHL. All sites have their own local domain controller (Windows Server 2012 R2).

When I run the command below I get the following error.

Command:

repadmin /replsummary

Error:

Replication Summary Start Time: 2019-11-26 12:53:10

Beginning data collection for replication summary, this may take awhile:
  ............

Destination DSA     largest delta    fails/total %%   error
 ADC-CO-DOMAIN             04m:44s    0 /  10    0
 CSJRN-ADC                 29m:26s    0 /  10    0
 HO-ADC                    04m:14s    0 /  15    0
 HO-DC                     02m:04s    0 /  20    0
 JRN-DC                    57m:23s    0 /  10    0
 NRA-DC           >60 days           10 /  20   50  (1722) The RPC server is unavailable.

Experienced the following operational errors trying to retrieve replication information:
          58 - NRA-ADC.csaplho.pk
          58 - chl-dc.csaplho.pk
          58 - NRA-DC2.csaplho.pk

Our servers NRA-ADC and NRA-DC2 are not operational and I will demote them in the future; however, NRA-DC is operational, but as mentioned above we are facing the 1722 RPC network error.

Please guide us on how we can resolve this error.
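Added as an example serving both this post and the SGLO-AD02/SZA-AD04 replication post above, not from either: a PowerShell pass from one DC that tests the fixed ports replication needs toward a partner, shows the dynamic RPC range in use on both sides, and then binds to the partner's DRS interface the way the replication engine does. A 1722 while port 135 answers usually means the dynamic range (49152-65535 by default on Server 2008 and later) is blocked on the VPN or firewall, or the two sides were configured with different ranges, or the partner's DSA GUID CNAME in _msdcs does not resolve. Host and domain names are placeholders taken from the posts.

```powershell
# Added example (not from either post). Run on the DC that reports the error
# toward the partner it cannot reach; names are placeholders.
$Partner = 'NRA-DC.csaplho.pk'

# Fixed ports replication and authentication depend on.
$ports = [ordered]@{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB/SYSVOL'; 636 = 'LDAPS' }
foreach ($p in $ports.Keys) {
    $r = Test-NetConnection -ComputerName $Partner -Port $p -WarningAction SilentlyContinue
    '{0,-30} tcp/{1,-4} {2,-22} {3}' -f $Partner, $p, $ports[$p], $(if ($r.TcpTestSucceeded) { 'open' } else { 'NO ANSWER' })
}

# The DRS interface lives on a port from the dynamic range that the endpoint
# mapper hands out (49152-65535 by default since Server 2008). Both sides'
# ranges, and the firewall/VPN ACL between them, have to agree.
netsh int ipv4 show dynamicport tcp
Invoke-Command -ComputerName $Partner -ScriptBlock { netsh int ipv4 show dynamicport tcp } -ErrorAction SilentlyContinue

# Replication locates the partner through its DSA GUID CNAME in _msdcs, not
# through the host name; a stale or missing CNAME also yields 1722.
$ntds    = (Get-ADDomainController -Identity $Partner).NTDSSettingsObjectDN
$dsaGuid = (Get-ADObject -Identity $ntds -Properties objectGUID).objectGUID
Resolve-DnsName -Type CNAME -Name ('{0}._msdcs.{1}' -f $dsaGuid, (Get-ADDomain).DNSRoot)

# Same path the replication engine uses: endpoint mapper, then DRS bind.
# Success here while /replsummary still shows 1722 points at the partner
# side (its own firewall, its dynamic range, or its ability to reach this DC).
repadmin /bind $Partner
repadmin /showrepl $Partner /errorsonly
```

A PortQry to 389 that hangs rather than failing, as in the earlier post, is the same class of problem seen from the other side: the TCP handshake or the reply is being dropped on the path, so test from both directions and compare the two dynamic-range outputs before looking at the DCs themselves.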


DC 2019 - ERROR_NO_LOGON_SERVERS


Hi,

I have a problem with a new Server 2019 domain controller. I have added it to an existing 2008 R2 domain consisting of 2x Server 2008 R2 and 1x Server 2016.

I noticed that the computers in the same (test) site do not authenticate to this controller, but use one of the other (prod) sites. When I try to run "nltest /query", the error "1311 0x51f ERROR_NO_LOGON_SERVERS" appears. For the other production domain controllers, this command is successful.

Even when I execute "nltest /sc_query:<DOMAIN>" it says "0 0x0 NERR_Success". But only after I do a "nltest /sc_reset:<DOMAIN>" is the "nltest /query" command successful, until the next restart.

The DNS points to the other domain controllers. All tests in "dcdiag" show that they were successful.

Thanks
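Added as an example, not from the post: the DC locator checks for a DC that clients in its own site bypass. Clients first query the site-specific SRV records, so a DC that does not appear under _sites.<site> is never chosen for that site, and a DC that is not yet advertising (Netlogon's SysvolReady still 0 because SYSVOL has not finished its initial replication) registers no SRV records at all. Domain, site and host names are placeholders.

```powershell
# Added example (not from the original post). Run from any domain member with
# the DNS client and RSAT tools; names are placeholders.
$Domain = 'contoso.local'
$Site   = 'TestSite'
$NewDc  = 'DC2019.contoso.local'

# 1. Site-specific SRV records are what clients in $Site query first. If the
#    new DC is missing here, the locator falls back to the domain-wide record
#    and the production DCs win.
foreach ($svc in '_ldap', '_kerberos') {
    "== $svc in site $Site"
    Resolve-DnsName -Type SRV -Name "$svc._tcp.$Site._sites.dc._msdcs.$Domain" -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port, Priority, Weight
}

# 2. What the locator returns for that site right now, bypassing the cache.
nltest /dsgetdc:$Domain /site:$Site /force

# 3. On the new DC itself: is it advertising? Netlogon registers SRV records
#    only once SysvolReady is 1 (initial SYSVOL replication finished) and
#    NTDS/DFSR are up; until then DsGetDcName never returns it.
Invoke-Command -ComputerName $NewDc -ScriptBlock {
    Get-Service NTDS, DFSR, Netlogon, DNS | Select-Object Name, Status
    Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name SysvolReady
    dcdiag /test:advertising /test:sysvolcheck /test:netlogons
    nltest /dsregdns          # re-register the DC's own SRV/A records
    nltest /dsgetsite         # site the DC believes it is in (from its subnet)
}
```

If step 3 shows the DC in a different site than expected, the fix is an AD Sites and Services subnet object for the test site, not anything on the DC; if SysvolReady is 0, wait for DFSR event 4604 on the new DC before testing again.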

Outlook Encrypt Error (CA change?)


So there is a lot here. Let me start with my direct current issue: my user is in Outlook 2016 using O365 in the cloud (mixed mode), and when he selects Options > Encrypt and then Send he receives the following error:

Error: "Microsoft Outlook had problems encrypting this message because the following recipients had missing or invalid certificates, or conflicting or unsupported encryption capabilities."

Before this, he got a different error, that was solved by going to the certificate manager on his local computer, and requesting a 'user' cert. 

The REAL issue is that I am almost certain this is affecting all 200+ users I have, and I DO NOT want to go around to each and every one and have them all request a new certificate.

Additional notes;

  • This used to work with no user actions required. I suspect the problem began when the old root CA was migrated and then turned off.
  • I had to "push" the new root CA through a GPO.
  • The new root CA appears to be working: if I request a cert, I get it, and it works.

BlankMonkey
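Added as an example, not from the post: Outlook resolves a recipient's encryption certificate from the address list, which in an AD-integrated deployment is the user's userCertificate attribute, and reports "missing or invalid certificates" when nothing it finds chains to a root the sender trusts or everything it finds has expired. The script reads those published certificates for every mail-enabled user in an OU and counts how many are still usable, which answers whether the problem really is all 200+ users without visiting each one. The fix for the whole population is certificate auto-enrollment via GPO against a template that publishes to AD, rather than manual requests. The OU is a placeholder; run it on a machine that already trusts the new root, since chain building uses the local trust store.

```powershell
# Added example (not from the original post). Run with the ActiveDirectory
# module on a machine that trusts the new root CA; the OU is a placeholder.
Import-Module ActiveDirectory
$SearchBase = 'OU=Users,DC=contoso,DC=local'

function Get-SmimeCertStatus {
    param([string]$SearchBase)
    # Outlook reads the recipient's userCertificate values from the GAL/AD and
    # needs at least one that is unexpired and chains to a trusted root.
    Get-ADUser -Filter { mail -like '*' } -SearchBase $SearchBase -Properties mail, userCertificate |
        ForEach-Object {
            $user  = $_
            $certs = @($user.userCertificate | ForEach-Object {
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$_)
            })
            $usable = @($certs | Where-Object { $_.NotAfter -gt (Get-Date) -and $_.Verify() })
            [pscustomobject]@{
                User      = $user.mail
                Published = $certs.Count
                Usable    = $usable.Count       # 0 here reproduces the Outlook error for this recipient
                Expired   = @($certs | Where-Object { $_.NotAfter -le (Get-Date) }).Count
                Untrusted = @($certs | Where-Object { -not $_.Verify() }).Count   # e.g. issued by the retired root
                Issuers   = ($certs | ForEach-Object -MemberName Issuer | Sort-Object -Unique) -join '; '
            }
        }
}

$status = Get-SmimeCertStatus -SearchBase $SearchBase
$status | Where-Object Usable -eq 0 | Format-Table -AutoSize
'{0} of {1} users have no usable S/MIME certificate' -f @($status | Where-Object Usable -eq 0).Count, @($status).Count

# The fix for all of them at once is auto-enrollment, not per-user requests:
# User Configuration > Policies > Windows Settings > Security Settings >
# Public Key Policies > Certificate Services Client - Auto-Enrollment, with a
# v2+ User template that has "Publish certificate in Active Directory" set
# and Autoenroll permission granted to the users' group.
```

X509Certificate2.Verify() performs a full chain build including revocation checking, so expect the run to take a while on 200+ users; an Untrusted count that equals Published for most users is the signature of certificates issued by the old root.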

Migrating a Certification Authority to a new server with a jailbroken Certificate and Private Key.

I need to upgrade our domain controllers to Windows 2012 R2 and move the root CA. The Certification Authority is running on a Windows 2008 R2 domain controller. The root CA key is not exportable, so running a backup on the Certification Authority is not possible. I read that a jailbreak will allow me to export the CA certificate with the private key. The 2008 R2 DC/CA is a physical machine, which I've made into a virtual machine. This VM I've kept offline. I was able to use the jailbreak on the CA and exported the cert/private key. I then deleted the cert and imported it back with the jailbroken cert and key. This then allowed me to successfully run a backup on the CA. I then made a backup of the registry keys. On another test machine I was able to successfully restore the CA. So it seems to have worked.

My question is: can I trust my backup and restore?

I'm hoping that from here I will remove the CA role and demote the domain controller. I will then bring up a new 2012 R2 domain controller using the same name. After installing the Certification Authority role, I will run the restore. Does anyone see a problem with this? In the future I want to move to a standalone / subordinate. However, we have lots of Remote Direct Access clients that use the existing certificate. They will need to be updated. I do not want to break anything before the holidays. My immediate need is to get rid of the 2008 R2 DC. This might cause me extra work in the future, but that's OK. Any suggestions?
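Added as an example, not from the post: the checks worth running on the test restore before trusting the backup, plus one caveat. The key was obtained by defeating its non-exportable flag, so anyone with local administrator rights on that 2008 R2 DC could do the same; treat the exported PFX and every copy of it (including the offline VM) as the root CA's key material and protect or destroy them accordingly. Names and paths are placeholders, and test.inf is a hypothetical request template.

```powershell
# Added example (not from the original post). Run on the machine where the CA
# was restored; names and paths are placeholders.
$CaName   = 'Contoso Root CA'
$Original = 'C:\backup\ca-original.cer'   # CA certificate saved from the 2008 R2 CA before the move

# 1. Same certificate? Clients pin trust to this exact cert; a restore that
#    produced a new key pair would silently break every existing chain.
$orig     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Original
$restored = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $orig.Subject -and $_.HasPrivateKey }
'Original : {0}' -f $orig.Thumbprint
'Restored : {0}' -f ($restored.Thumbprint -join ', ')
if ($restored.Thumbprint -notcontains $orig.Thumbprint) { throw 'Restored CA cert differs from the original' }

# 2. Does the private key the CA service holds match the CA certificate?
certutil -verifykeys

# 3. Can the restored CA still issue and publish? Publish a fresh CRL, issue a
#    test request, then verify the chain and fetch AIA/CDP as a client would.
certutil -CRL
certreq -new .\test.inf .\test.req              # test.inf: hypothetical plain RSA 2048 request
certreq -submit -config "$env:COMPUTERNAME\$CaName" .\test.req .\test.cer
certutil -verify -urlfetch .\test.cer

# 4. Registry configuration restored with the database (publication URLs,
#    validity periods, audit filter) must match what the old server used.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
certutil -getreg CA\AuditFilter
```

Step 3 is the one that catches a restore whose CRL distribution points still name the old server; clients that cannot fetch a current CRL will treat every certificate the CA issued, including the DirectAccess ones, as unverifiable once the old CRL expires.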

How to open a case with Microsoft for a DFSR issue?

I am trying to select the right category for the DFSR issue, but it seems there is no category for DFSR.

LDIFDE - export users and their memberOf attribute


Hi All

I am new to LDIFDE. I can now export/import users from my AD DS server to a standalone AD LDS server. I have so far only exported/imported DN, objectClass, CN and givenName.

However, now I am stuck. I added memberOf to my -l switch but the export file did not show anything. If I open ADSIEDIT, go to my user and change the filter to "backlinks" (after googling!), I can see the memberOf attribute and the DNs of the groups. Does the fact that memberOf is a backlink have anything to do with why the memberOf attribute is not exporting?

I then intend to import it, but will worry about how to do that when I come to it.

Much appreciated.

P
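Added as an example, not from the post: memberOf is a back-link, a value the directory computes from the member attribute of each group. It is member that stores the relationship, and it is the only one of the two that an import can write. So the portable form of group membership is the groups with their member lists, with every DN suffix rewritten for the AD LDS partition, after which memberOf appears on the users in AD LDS by itself. Hosts, OUs, the LDS port and the partition name are placeholders.

```powershell
# Added example (not from the original post). Hosts, OUs, port and partition
# DNs are placeholders; run with ldifde (RSAT) and the ActiveDirectory module.
$SourceDc = 'dc01.contoso.local'
$LdsHost  = 'lds01.contoso.local'
$LdsPort  = 50000
$SrcRoot  = 'DC=contoso,DC=local'
$LdsRoot  = 'O=contoso,C=US'                 # application partition in AD LDS

# 1. Users, as already done, then groups with their 'member' forward link.
#    memberOf is never requested: the directory computes it from these values.
ldifde -s $SourceDc -f users.ldf  -d "OU=Users,$SrcRoot"  -r "(objectClass=user)"  -l "objectClass,cn,givenName,sn"
ldifde -s $SourceDc -f groups.ldf -d "OU=Groups,$SrcRoot" -r "(objectClass=group)" -l "objectClass,cn,member"

# 2. Import with -c to rewrite every DN suffix (object DNs and the DNs inside
#    'member' alike) to the LDS partition, and -k to keep going past
#    'object already exists' for users imported earlier. The users must exist
#    in LDS before the groups, or each member value fails as a reference to a
#    non-existent object.
ldifde -i -s $LdsHost -t $LdsPort -f users.ldf  -c $SrcRoot $LdsRoot -k
ldifde -i -s $LdsHost -t $LdsPort -f groups.ldf -c $SrcRoot $LdsRoot -k

# 3. In LDS the back-link is now populated as a side effect of the import.
Get-ADUser -Server "${LdsHost}:$LdsPort" -SearchBase $LdsRoot -Filter { cn -eq 'jdoe' } -Properties memberOf |
    Select-Object DistinguishedName, memberOf
```

The same ordering rule applies on the AD DS side for any future round trip: objects first, then the attributes that reference them.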

Skype 2015: may not have a private key that is capable of key exchange or the process may not have access rights for the private key


Version Skype 2015 Server version 6.0.9319.562 (CU10) / Windows Server 2012 Standard Edition

Today, when I tried to renew a Skype certificate on the Persistent Chat server, I got this error message.

Skype for Business Server 2015, Persistent Chat could not start due to the following exception:

 at System.ArgumentException: It is likely that certificate 'CN=EUPGDSGCP021.xxx, O=xxx, L=xxx, S=xx, C=xx' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail. ---> System.Security.Cryptography.CryptographicException: Invalid provider type specified.

No way to start this service. A certificate or SSL issue, but where?

All the information is here:

https://unifiedit.wordpress.com/2019/11/18/skype-2015-may-not-have-a-private-key-that-is-capable-of-key-exchange-or-the-process-may-not-have-access-rights-for-the-private-key/


lteruin@hotmail.com http://unifiedit.wordpress.com/
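Added as an example, not from the post or the linked article: "Invalid provider type specified" is the error the legacy CAPI property X509Certificate2.PrivateKey raises when the certificate's private key is held by a CNG Key Storage Provider (KSP) rather than a CSP, which is what happens when the certificate was requested through a CNG-based template or its PFX was imported into a KSP. The script lists every certificate in the machine store with the provider that holds its key and whether the legacy path can open it. The subject comes from the error text in the post.

```powershell
# Added example (not from the original post or the linked article). Run as
# an administrator on the Persistent Chat server.
$Subject = 'CN=EUPGDSGCP021.xxx'     # from the error text in the post

function Get-PrivateKeyProvider {
    # Returns, for each cert with a private key in LocalMachine\My, the
    # provider holding the key and whether the legacy CAPI path can open it.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey | ForEach-Object {
        $cert = $_
        $capiError = $null
        try   { $null = $cert.PrivateKey }            # X509Certificate2.PrivateKey: CAPI only
        catch { $capiError = $_.Exception.Message }
        # CNG-aware accessor (.NET 4.6+): RSACng for a KSP key,
        # RSACryptoServiceProvider for a CSP key.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $provider = $rsa.Key.Provider.Provider; $keyType = 'CNG (KSP)'
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $provider = $rsa.CspKeyContainerInfo.ProviderName; $keyType = 'CAPI (CSP)'
        } else {
            $provider = 'unknown / no access'; $keyType = 'n/a'
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $provider
            KeyType    = $keyType
            CapiError  = $capiError
        }
    }
}

Get-PrivateKeyProvider | Where-Object Subject -like "$Subject*" | Format-List

# A key in 'Microsoft Software Key Storage Provider' with CapiError
# 'Invalid provider type specified' reproduces the exception. Remedy: request
# the certificate again from a template whose provider is a legacy CSP
# (e.g. 'Microsoft RSA SChannel Cryptographic Provider'), or, if the key is
# exportable, re-import the PFX into that CSP:
#   certutil -csp "Microsoft RSA SChannel Cryptographic Provider" -p <pfx-password> -importPFX .\cert.pfx
# then assign it again with the Deployment Wizard or Set-CsCertificate.
```

certutil -store My <thumbprint> shows the same "Provider =" line without PowerShell; a KeyType of CAPI (CSP) with a CapiError set instead points at the service account lacking Read permission on the key (Manage Private Keys in the certificate MMC), which is the other half of the error message.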

ADFS 2.0 support in Windows Server 2012


We are planning to upgrade Active Directory from 2008 to 2012. One of our applications is running with ADFS 2.0 on Server 2008.

Will there be any impact from raising the forest level from 2008 to 2012?

AD Migration Strategy


One of my customers has recently bought another company and plans to migrate their domains into their own AD. Both the source and the target have a single-forest, multi-domain AD structure. We want to take this opportunity to simplify the AD structure by reducing the number of domains as much as possible without impacting the end-user experience, and of course with zero downtime.

I am proposing to them a flat structure: a single forest/single domain for ease of management, creating OUs to accommodate the child domains and applying password policies etc. at the OU level (it is Windows Server 2008 R2).

I am reaching out to the larger community here in case there is any best-practice document/blog available which can help me in this scenario by listing all the benefits of a single forest/domain structure, or maybe any best-practice document for the mergers and acquisitions scenario I have mentioned above.

Thanks
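Added as an example, not from the post, on the password-policy part of the proposal: in a single domain, password and lockout settings cannot be scoped to an OU. The Default Domain Policy applies to the whole domain; per-population differences are expressed as Password Settings Objects (fine-grained password policies) applied to users or global security groups, which are available at domain functional level 2008 or higher. Group, OU and user names are placeholders.

```powershell
# Added example (not from the original post). Run with the ActiveDirectory
# module; group, OU and user names are placeholders.
Import-Module ActiveDirectory

# One global security group per former child domain, populated with the
# migrated users; a PSO cannot target an OU, only users and global groups.
$group = New-ADGroup -Name 'PW-FormerSubsidiary' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Subsidiary,DC=contoso,DC=local' -PassThru

# A policy stricter than the domain default for that population. Lower
# Precedence wins when a user falls under several PSOs.
New-ADFineGrainedPasswordPolicy -Name 'PSO-FormerSubsidiary' -Precedence 10 `
    -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 180) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-FormerSubsidiary' -Subjects $group

# Which policy actually applies to a given user after the group assignment.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
```

If a migrated population needs settings the rest of the domain must not get, this is the mechanism that replaces the separate domain; everything else in the proposal (OUs, delegation, GPO links) does work at OU level.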

How to create a new user in LDAP Active Directory


I am new to Active Directory. I am using Windows Server 2012 and I want to create new users in LDAP Active Directory.

So, how do I create a new user in LDAP Active Directory? Please help.
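Added as an example, not from the post: creating a domain user with the ActiveDirectory PowerShell module on Windows Server 2012, then reading the same object back as LDAP attributes. OU, names and the UPN suffix are placeholders.

```powershell
# Added example (not from the original post). OU, names and UPN suffix are
# placeholders; run as a user allowed to create objects in that OU.
Import-Module ActiveDirectory

$ou       = 'OU=Staff,DC=contoso,DC=local'
$upn      = 'jdoe@contoso.local'
$password = Read-Host -AsSecureString -Prompt 'Initial password'   # never hard-code it in a script

New-ADUser -Name 'John Doe' -GivenName 'John' -Surname 'Doe' `
    -SamAccountName 'jdoe' -UserPrincipalName $upn -Path $ou `
    -AccountPassword $password -ChangePasswordAtLogon $true `
    -Enabled $true -PassThru

# The LDAP view of the result: DN, objectClass and the logon attributes.
Get-ADUser -Identity 'jdoe' -Properties objectClass, sAMAccountName, userPrincipalName |
    Select-Object DistinguishedName, objectClass, sAMAccountName, userPrincipalName
```

Without -AccountPassword and -Enabled the account is created disabled, which is the safe default; an application that binds over LDAP as this user needs it enabled and the initial password changed first.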

Time difference of 1 minute between 2 DCs


When I ran DCDIAG /TEST:DNS /V /E /F:dns.log it showed the following:

Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         [DC1]DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         RPC Extended Error Info not available. Use group policy on the local machine at "Computer
         Configuration/Administrative Templates/System/Remote Procedure Call" to enable it.
         Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
         The clock difference between the home server <other DC> and target server [DC1] is greater than one
         minute. This may cause Kerberos authentication failures. Please check that the time service is working
         properly. You may need to resynchonize the time between these servers.
         ......................... [DC1] failed test Connectivity

I tried to sync the time on [DC1] by using w32tm /config /syncfromflags:domhier /update and restarted the time service, but I still get the same error.

Is it an issue if the time difference is greater than a minute? (We have a total of 8 DCs.)

Please help

Time synchronization issue


Hi,

We have many servers that don't have the same time.

How can we fix this issue?
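Added as an example serving both this post and the DC1 clock-difference post above, not from either: a check and fix of the domain time hierarchy. Only the PDC emulator should take time from an external source; every other DC and every member should follow the domain hierarchy. A DC that still carries an old manual peer, or a virtual DC whose hypervisor pushes host time into it, is where offsets like the one DCDIAG flagged come from, and once the offset passes the Kerberos default of 5 minutes authentication (and with it RPC to that DC) fails. DC names and the NTP pool are placeholders.

```powershell
# Added example (not from either post). Run with the ActiveDirectory module
# from a DC; the NTP pool is a placeholder for whatever upstream you use.
Import-Module ActiveDirectory
$dnsRoot = (Get-ADDomain).DNSRoot
$pdc     = (Get-ADDomain).PDCEmulator
$dcs     = (Get-ADDomainController -Filter *).HostName

# Offset of every DC against the PDC emulator in one table. Kerberos tolerates
# 5 minutes by default; DCDIAG warns at 1 minute.
w32tm /monitor /domain:$dnsRoot

# What each DC actually uses as its source; 'Local CMOS Clock' or a stale
# manual peer on a non-PDC is the usual finding.
foreach ($dc in $dcs) {
    "== $dc"
    w32tm /query /computer:$dc /source
    w32tm /query /computer:$dc /status
}

# PDC emulator: external NTP, marked reliable so the hierarchy can pick it.
Invoke-Command -ComputerName $pdc -ScriptBlock {
    w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync
}

# Every other DC: domain hierarchy only, explicitly not reliable, rediscover.
foreach ($dc in ($dcs | Where-Object { $_ -ne $pdc })) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        w32tm /config /syncfromflags:domhier /reliable:no /update
        Restart-Service w32time
        w32tm /resync /rediscover
    }
}

# Confirm the result against the PDC emulator after a few minutes.
w32tm /stripchart /computer:$pdc /samples:3 /dataonly
```

On a virtual DC, also make sure the hypervisor's time-synchronization integration service is not setting the clock as well, otherwise the offset comes back after every host correction; a DC that still reports 'Local CMOS Clock' as its source after /resync /rediscover cannot reach a time source over UDP 123 and that is the next thing to test.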

Protected Users group function over an AD Trust


Hi everybody,

I am curious whether the Protected Users group works across an AD trust. Suppose we have two domains, A and B. A trusts B, and users from B sign in to machines of domain A. Since the Protected Users group is a global group, users from B cannot be members of the Protected Users group in domain A. But they can be members of that group in their own domain B. However, does this have any impact on the logon in domain A? I.e., are the restrictions that the Protected Users group enforces also in effect if users from B log on to machines in A?

Best regards

Jan
