After running ADRAP tools, it show one of domain controller is orphane. I would like to know how to remove it without any impact ?

Hi, eversince I've handled server editions of Windows, I just want to have a better understanding of Sysvol vs Netlogon. When I was still a lvl1 IT staff, a lot of our Systems Administrators always refer both Sysvol and Netlogon a place where you can place a script or batch file to run as soon as a domain user logs in.

I tried it myself by creating a virtual machine (Windows Server 2008 Enterprise) placed a batch or script file on netlogon and it did run. Place it on Sysvol, it did run as well.

Question is, what is the best practice for this? place it on Netlogon? or Sysvol? Does it run all valid scripts or batch files at the same time?

How do you validate if the script or batch file "did run" because in a split second, you wont be able to verify if the script or batch file did execute unless you check it out manually. i.e mapping of printers

Regards,

Hello.  I am trying to use the Active Directory Module for PowerShell on Windows Server 2008R2.  I want to create an AD account (without a mailbox) by using New-ADUser.  If I run the command when logged in as the built-in "Administrator" account it works.  But if I log in using another account that is a member of Domain Admins or even the local Administrators group, it fails with an "Access Denied" error.  I have verified that I can create an account manually using AD Users & Computers.  I did find a blog post on EggHeadCafe (http://www.eggheadcafe.com/software/aspnet/35260878/permission-problem-with-powershell-v2-active-directory-commands.aspx) that exactly describes my situation.  My problems are 1) I can't understand why this doesn't work, and 2) I wouldn't mind using the solution provided in the above post except that I don't know what permissions to give to new security group the author references. 

Can someone please help?

Stephane Poirier

I have newly deployed Windows 2012 Active Directory and my org. required to display "E-Mail address(others)"  in domain users general tab.

I go to mmc --> open Schema Mangement --> Select Attributes and found there "othermailbox" but how it will activate and will display on users General Tab. please help.....

I am a beginner and I try to implement client in Java for Active Directory. I would like to create and add a new user to AD. So far, I have written the following code:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class NewUser {

    public static void main(String[] args) {
        NewUser user = new NewUser("aaa", "bbb", "ccc", "mypass", "orgunit");
        try {
            System.out.print(user.addUser());
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }

    private static final String DOMAIN_NAME = "xyz.xyz";
    private static final String DOMAIN_ROOT = "abc.xyz.xyz"; // ?
    private static final String ADMIN_NAME = "CN=Administrator,CN=Users,DC=xyz,DC=xyz";
    private static final String ADMIN_PASS = "xxxxxxx";
    private static final String DOMAIN_URL = "ldap://xxx.xxx.xx.xx:389";


    private String userName, firstName, lastName, password, organisationUnit;
    private LdapContext context;

    public NewUser(String userName, String firstName, String lastName,
                   String password, String organisationUnit) {

        this.userName = userName;
        this.firstName = firstName;
        this.lastName = lastName;
        this.password = password;
        this.organisationUnit = organisationUnit;

        Hashtable<String, String> env = new Hashtable<String, String>();

        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");

        // set security credentials, note using simple cleartext authentication
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, ADMIN_NAME);
        env.put(Context.SECURITY_CREDENTIALS, ADMIN_PASS);

        // connect to my domain controller
        env.put(Context.PROVIDER_URL, DOMAIN_URL);
        try {
            this.context = new InitialLdapContext(env, null);
        } catch (NamingException e) {
            System.err.println("Problem creating object: ");
            e.printStackTrace();
        }
    }

    public boolean addUser() throws NamingException {

        // Create a container set of attributes
        Attributes container = new BasicAttributes();

        // Create the objectclass to add
        Attribute objClasses = new BasicAttribute("objectClass");
        objClasses.add("top");
        objClasses.add("person");
        objClasses.add("organizationalPerson");
        objClasses.add("user");

        // Assign the username, first name, and last name
        String cnValue = new StringBuffer(firstName).append(" ").append(lastName).toString();
        Attribute cn = new BasicAttribute("cn", cnValue);
        Attribute sAMAccountName = new BasicAttribute("sAMAccountName", userName);
        Attribute principalName = new BasicAttribute("userPrincipalName", userName+ "@" + DOMAIN_NAME);
        Attribute givenName = new BasicAttribute("givenName", firstName);
        Attribute sn = new BasicAttribute("sn", lastName);
        Attribute uid = new BasicAttribute("uid", userName);

        // Add password
        Attribute userPassword = new BasicAttribute("userpassword", password);

        // Add these to the container
        container.put(objClasses);
        container.put(sAMAccountName);
        container.put(principalName);
        container.put(cn);
        container.put(sn);
        container.put(givenName);
        container.put(uid);
        container.put(userPassword);

        // Create the entry
        try {
            context.createSubcontext(getUserDN(cnValue, organisationUnit), container);
            return true;
        } catch (Exception e) {
            e.printStackTrace();
            return false;
        }
    }

    private static String getUserDN(String aUsername, String aOU) {
        return "cn=" + aUsername + ",ou=" + aOU + "," + DOMAIN_ROOT;
    }
}

And there is the following error:

javax.naming.InvalidNameException: Invalid name: cn=bbb ccc,ou=orgunit,abc.xyz.xyz; remaining name 'cn=bbb ccc,ou=orgunit,abc.xyz.xyz' at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:86) at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:49) false at javax.naming.ldap.LdapName.parse(LdapName.java:772) at javax.naming.ldap.LdapName.(LdapName.java:108) at com.sun.jndi.ldap.LdapCtx.addRdnAttributes(LdapCtx.java:902) at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:783) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236) at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:178) at NewUser.addUser(NewUser.java:98) at NewUser.main(NewUser.java:17) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)

Anyone can help me? I have spent long time ti fix it but it still does not work.

Thank you in advance

when our RODC server Wan link down, users are not able to access shared resources and event id is below

Failed to cache a write referral list on Read Only DC. Error Value:
 1355 The specified domain either does not exist or could not be contacted.

Arvind

Hello,

I'm created a VPN between our UK and Spanish office and also created a 2 way trust and I can add users form both domains to folder permissions etc.  I now need to give users in the UK (IT admins) admin rights to the Spanish domain, but I just can't do it.  I've been looking a the AGDLP method and looked on google but I just can't seem to add the UK users to the Administrators group in Spain.  

Can anyone clear my cloudy brain and make this clear again?

Many thanks

Hi,

How to get to know who had changed the password of an AD User account on a specific time?

Thanks,

Noufal

Hey guys, 

I was trying to follow this tutorial:

youtube.com/watch?v=OG5K6B7hgRU

Everything was working fine up until the moment I joined the 2012 server to the domain of the 2003 server, and installed Active Directory on Server 2012 and promoted it. Everything seemed to go fine. Then starting from 18th minute of the video, going into Active Directory Users and Computers, following the steps to go into 'Operations Master' - as shown below [sorry can't post images yet]

Then when I went into Operations Master, It was supposed to show me that the current Operations Master was Server 2003 DC and ask me if I wanted to transfer to role to the 2012 server. However, It didn't and instead the option I got was transferring to the same server that also is the Operation Master, the 2003 server. 

I did manage to transfer the Domain Naming Operation Master on Active Directory Domains and Trusts to the 2012 server. However when I try to 'Change Active Directory Domain Controller', the server doesn't seem to list its own Domain Controller. I only see the 2003 server's domain controller listed.  As shown below [sorry appears I can't post links yet]:

(Please note: I am aware it does say Current Directory Server is the DC of the 2012 server. It does not list it. Also when I try to change Operations Master in Active Directory Users and Computers - it gives me error saying current operations master is offline.)

Thanks in advance.

About 5 weeks ago i built 5 Windwos server 2008 machines using SCCM. They are all added to my 2008 mixed mode domain.

one machien is ahving an issue where it drops connection to the domain. it has happened on two occasions and both times a reboot instantly fixes the issue. As this is now a productions server i would like to know root casue for the issue an how to stop it form happenenign again.

all serversa re patched to the latest level.

When the server drops comm to the domain the follwoing happens;

unable to browse to any networks hares

domain accounts in the local admins groups show as SIDS

GPO processing fails

unable to authenticate to any services the server is running

all WMI queries fail

following events are logged;

Log Name:      System
Source:        NETLOGON
Date:          01/05/2013 06:59:20
Event ID:      5719
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:     

Description:
This computer was not able to set up a secure session with a domain controller in domain XXXXX due to the following:
The RPC server is unavailable.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. 

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          01/05/2013 11:13:03
Event ID:      1053
Task Category: None
Level:         Error
Keywords:     
User:          XX

Computer:      XX

Description:
The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

I have done the following troubleshooting while in the dropped comm state;

checked date and time: all ok

check dns look ups. i can ping all domain controllers by name, i can ping external websites

there are no errors in the application log

only errors in system log are the above netlogon one (RPC server service , which is started in services.msc, but unable to bounce as it its greyed out) and GPO related errors

After i bounecd the servers and serviecs resumed, no errors in event log.

at this point i ran some secure channel tests

nltest /scquery:domainname - PASSES

nltest /query - PASSES

netdom verifiy computrname - PASSES

nest time the server drops comm to the domain i will run these tests againa dn post results.

are there any other tests i can run, or any suggestions as to why this happens.

Thanks

Hello!

We have an issue with resolving dns name or our domain, lets say, mycompany.com

In the domain there are around 100 sites, geographically spread. The DC\DNS servers are windows server 2003 r2, the clients are windows xp, DNS zones are active directory integrated, Round Robin, Netmask ordering are enabled.

The issue: when I ping mycompany.com from the XP clients the answer is everytime different DC\DNS server ip address. E.g.

H:\>ipconfig /flushdns

H:\>ping mydomain.com

Pinging mycompany.com [2.2.2.2] with 32 bytes of data:

and so on.

1.1.1.1, 2.2.2.2 servers may be quite far from the site of the client with huge latency

If I ping mycompany.com from the servers (W2K3 R2) the answer each time is the ip address of the DNS server which actually provides the answer(the "closest" DC\DNS to the server)

I assume that in the normal circumstances it should be like this:

1) DNS client sending a request to the closest DC\DNS server (the server in the same AD site) to resolve mycompany.com to ip address

2) The DNS server should answer with the ip of itself (and it actully does if I perform request from W2K3 servers)

Could you please advise the reason why DNS servers answer to clients with everytime different ip addresses? And how to fix it?

I have recently introduced 2 new WDCs into my internal site.  I have an edge network that has an RODC in it.

Since the introduction of the the WDCs I am getting the following error:

The Knowledge Consistency Checker located a replication connection for the local read-only directory service and attempted to update it remotely on the following directory service instance.  The operation failed.  It will be retried.
 
Additional Data
Connection:
CN=RODC Connection (FRS),CN=NTDS Settings,CN=RODC01,CN=Servers,CN=<edge site>,CN=Sites,CN=Configuration,DC=<domain>,DC=com
Remote Directory Service:
CN=NTDS Settings,CN=WDC02,CN=Servers,CN=<internal site>,CN=Sites,CN=Configuration,DC=<domain>,DC=com
 
Additional Data
Error value:
Insufficient access rights to perform the operation. 8344

If I open up ADSIEdit and check CN=RODC01,CN=Servers,CN=<edge site>,CN=Sites,CN=Configuration,DC=<domain>,DC=com, I see 1 nTDSConnection object.  The fromServer attribute on this object is set to WDC03.  If I do a repadmin /showrepl on RODC01, the replication partner comes back with WDC02 (which is the update the RODC is trying to make).  So the two values do not match, which is no good at all.  When I introduced the new WDCs the site topology/replications must have changed, as there are events about removing the existing replication link and creating a new one in Directory Services event log.

Shouldn't the RODC be able to update its own nTDSConnection object?  I'm pretty sure I can just update the fromServer attribute manually and the error will go away, but what happens when the replication topology changes again?  This error will come back I would imagine.  Any ideas?

Thanks SUBBU.T

Not sure if this falls under AD or Exchange, but I'm posting here first.

So, I've noticed in AD that we've got a handful of user accounts that are disabled but msExchUserAccountControl is still 0 eventhough userAccountControl is 2. Not every account we disable behaves that way, but some do with no apparent pattern. We use this attribute in searches via LDAP from a external application so we've been getting unexpected results.

So, I'm wondering:

1) What's the difference between the 2 attributes? I can change the LDAP search if they have the same meaning.

2) Is there any affect or issue that this may cause? In particular, from a security standpoint, does this mean that the mailbox is still somehow accessible eventhough the AD account is not?

3) Any way to fix / prevent it from happening?

I couldn't find anyone with the same problem so hoping someone here has some insight.

Thanks.

FYI, AD 2003 functional (mixed 2003 & 2008R2 DCs) + Exchange 2007

Hello,

As per Neo Yu suggestion I am posting this thread hear

We are using Office 365 exchange online (p1) plan from last 6-8 months.

Our setup is like one forest and in that 4 child domain with additional domain controllers

What we have observed is when primary DC from any child domain goes down because of any reason

Outlook/OWA is not get authenticated for that Child domain controller users only

Is there any way we can setup like if any primary/secondary domain controller goes down next available DC of same child domain should authenticate?

Generally in In-house SharePoint and other in-house applications are authenticating that way only if first goes down start authenticating from next available DC

 Please suggest if there is any configuration required, detail steps will be great help

Regards,

Swapnil

Regards, Swapnil Jain

Hi all,

I need to change the login page of ADFS by special login page in my web app, but I can't find out a solution for this. In my pages, both user domain and user database can access, so that If only use ADFS we can only access by user domain. I try to find login services of ADFS to call in my web app but there is no one.

If any one has resolved this problem, please help me.

Thanks you so much

I used to do meta data cleanup of dead DCs via ntdsutil, but read the newer ADUC has this integrated into it.

The problem is that I can only do it while consoled into a dc. When I connect to a DC via servermanager and try to delete a DC it tells me "the specified module cannot be found".

If I console into a DC and try to do the same thing (delete a DC in ADUC) it works without issues.

We have a small network of with a mix of about 10 workstations, desktops Ethernet and a few laptops wireless and one 2003R2 domain controller.  We want to demote the domain controller and just make it a file server.  A few questions......what is the proper way to do this and what are the ramifications?

After backing up all files:

1. Should I remove each workstation from the domain first?

2. Then demote the domain controller?

3. What effect will this have on the installed programs on server?

4. Should I just wipe the server and clean install the OS and all programs?

Thank you

I recently upgraded my workstation from XP SP3 to Win 7 x64 SP1.  I use MMC to connect to 3 different domains (2 are running 2008 and the third is running 2003) that I manage in the office.  After changing to Win 7, I can no longer connect to AD users and computers for one of the domains.  I am still able to connect to the 2K8 domains, but the one that I'm having an issue with is a server 2003 DC.  When attempting to connect to the 2003 DC using AD users and computers, I get an error message stating:

"The domain example.com could not be found because:
Logon failure: unknown user name or bad password."

This started happening after upgrading my OS from XP to Win 7 and I have not been able to connect to the 2003 domain since the upgrade.  I have been using RDP to connect to another XP box that I have and I am able to connect to AD users and computers without any issues on the XP machine.  I am trying to figure out what needs to be done in order for me to be able to connect to the 2003 domain from my Win 7 workstation.  I know my account is good since I am able to connect to all 3 domains when using XP, but I can only connect to the 2008 domains (using AD U&C) from my Win 7 workstation. 

I found a forum post on tomshardware.com to change a setting in the local security policy (www.tomshardware.com/forum/10828-63-cannot-access-domain-controller#9602624) but that did not resolve my issue.  I hope someone else has run into this issue and has a resolution because it is very inconvenient for me to have to remote into another workstation so I can connect to AD U&C instead of just using the Win 7 workstation to manage all 3.  Any help would be greatly appreciated. 

If you have any other questions or comments please let me know and I will answer them as best I can.

Thank you in advance for your assistance.