Channel: Directory Services forum
Viewing all 31638 articles

Morphed folders are being created repeatedly.


We were getting some morphed folders a couple of days back, and we renamed both files, but replication was not propagating the changes, so we set D4 on one of the servers so that the other servers take updates from this one only. After doing that, the folders below have been created and users are facing policy-related issues. Need your help on an urgent basis.
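An added example, not part of the original post: a script that finds the morphed copies FRS leaves behind and compares them with the originals. It assumes an FRS-replicated SYSVOL (the 2003-era setup the post implies) and the RSAT ActiveDirectory module; no DC or policy names from the post are used.

```powershell
# Added example, not from the original post. Assumes FRS-replicated SYSVOL (2003 era)
# and RSAT ActiveDirectory. FRS renames the losing copy of a name conflict to
# <name>_NTFRS_<8 hex digits>; this lists every such folder on every DC and, for
# policy folders, reads the GPT.INI version of both copies so you can tell which
# one carries the later edit before deciding which copy to keep.
Import-Module ActiveDirectory

function Get-GptVersion {
    param([string]$Folder)
    $ini = Join-Path $Folder 'GPT.INI'
    if (Test-Path $ini) {
        $line = Get-Content $ini | Where-Object { $_ -like 'Version=*' } | Select-Object -First 1
        if ($line -match '^Version=(\d+)') { [int]$Matches[1] }
    }
}

function Get-MorphedSysvolFolders {
    $domain = (Get-ADDomain).DNSRoot
    foreach ($dc in Get-ADDomainController -Filter *) {
        $root = "\\$($dc.HostName)\SYSVOL\$domain"
        Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '_NTFRS_[0-9a-fA-F]{8}$' } |
            ForEach-Object {
                # re-run the match here so $Matches is the one for this folder
                $null = $_.Name -match '^(.+)_NTFRS_[0-9a-fA-F]{8}$'
                $original = Join-Path $_.Parent.FullName $Matches[1]
                [pscustomobject]@{
                    DC              = $dc.HostName
                    Morphed         = $_.FullName
                    MorphedVersion  = Get-GptVersion $_.FullName
                    MorphedWritten  = $_.LastWriteTime
                    Original        = $original
                    OriginalExists  = Test-Path $original
                    OriginalVersion = Get-GptVersion $original
                }
            }
    }
}

Get-MorphedSysvolFolders | Format-Table -AutoSize
```

The BurFlags values are a pair: D4 on the one DC that is to be authoritative, and D2 on every other DC so that they re-initialise from it; a DC that keeps its own copy after the D4 restore will keep producing name conflicts, which is what repeated morphed folders look like.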


Time & Zone Synchronization


Hi Everyone,

I would like new machines joined to the domain to pick up the AD time and time zone. How do I enforce this?

I've also seen cases where some of the machines on the domain have a time that differs from the one on my PDC.


Meshack
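An added example, not from the original post: a script that measures every member's clock against the PDC emulator (the top of the domain time hierarchy) and checks its time zone and time source, with a repair function that points a member back at the hierarchy. It assumes the RSAT ActiveDirectory module, PowerShell 5.1 or later on the targets (for Get-TimeZone), WinRM access to them, and an expected zone name that is purely an assumption.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module,
# PowerShell 5.1+ (Get-TimeZone) and WinRM access to the computers. The zone name
# and the 5-minute limit (the Kerberos default clock-skew tolerance) are assumptions.
Import-Module ActiveDirectory

$pdc        = (Get-ADDomain).PDCEmulator      # top of the domain time hierarchy
$expectedTz = 'E. Africa Standard Time'       # assumption: the zone to enforce
$maxSkew    = [TimeSpan]::FromMinutes(5)

# Clock of a host relative to this admin machine; the local clock cancels out below.
function Get-RemoteClock {
    param([string]$Computer)
    $r = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
        [pscustomobject]@{
            Utc    = [DateTime]::UtcNow
            Zone   = (Get-TimeZone).Id
            Source = (w32tm /query /source)    # "Local CMOS Clock" means it syncs to nothing
        }
    }
    $r | Add-Member -NotePropertyName Offset -NotePropertyValue ($r.Utc - [DateTime]::UtcNow) -PassThru
}

function Test-DomainClocks {
    param([string[]]$Computers)
    $ref = Get-RemoteClock -Computer $pdc
    foreach ($c in $Computers) {
        try {
            $x    = Get-RemoteClock -Computer $c
            $skew = ($x.Offset - $ref.Offset).Duration()
            [pscustomobject]@{
                Computer   = $c
                SkewSec    = [Math]::Round($skew.TotalSeconds, 1)
                KerberosOK = $skew -le $maxSkew        # past this, tickets are rejected
                TimeSource = $x.Source
                TimeZone   = $x.Zone
                ZoneOK     = $x.Zone -eq $expectedTz
            }
        } catch { Write-Warning "$c unreachable: $_" }
    }
}

# Point a member at the domain hierarchy (what the NT5DS default does) and fix the zone.
function Repair-MemberClock {
    param([string]$Computer)
    Invoke-Command -ComputerName $Computer -ArgumentList $expectedTz -ScriptBlock {
        param($tz)
        w32tm /config /syncfromflags:domhier /update | Out-Null
        w32tm /resync /nowait | Out-Null
        Set-TimeZone -Id $tz
    }
}

# Constructed sample run: every enabled computer object outside the Domain Controllers OU
$members = Get-ADComputer -Filter { Enabled -eq $true } -Properties DNSHostName |
           Where-Object { $_.DistinguishedName -notlike '*OU=Domain Controllers,*' } |
           Select-Object -ExpandProperty DNSHostName
Test-DomainClocks -Computers $members | Format-Table -AutoSize
```

The enforced version of Repair-MemberClock is Group Policy: Computer Configuration, Administrative Templates, System, Windows Time Service, Time Providers, with the NTP client enabled and type NT5DS, which is also the default for a freshly joined machine. The PDC emulator itself is the only machine that should sync to an external source (w32tm /config /manualpeerlist:... /syncfromflags:manual /reliable:yes /update); everything else follows the hierarchy, and the 5-minute check matters because Kerberos rejects tickets outside that skew.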

Setting up user with local administrator privileges?

I'm running Windows Server 2003 and I am about to create 1012 users in my Active Directory domain. I need these users to have local Administrator rights on their computer but not be able to log in to the server. I thought about the builtin\Administrators group but when I tried that out on a test account they were able to log in to the server. Is there a group I can add them to in order to do this? If not, is it possible to create a group and give it the privileges I need? That way I could just create standard users and add them to that group.
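An added example, not from the original post: the group-nesting pattern that gives the answer the question is after. It creates one domain group, fills it with standard users, nests it into the local Administrators group of workstations only, and then proves it is absent from the servers. It assumes the RSAT ActiveDirectory module, WinRM and the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later, so not the 2003 tooling the post runs); the group and OU names are assumptions.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory, WinRM and
# the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+). Group and
# OU names are assumptions.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$groupName  = 'Workstation-LocalAdmins'
$memberName = "$($domain.NetBIOSName)\$groupName"
$staffOu    = "OU=Staff,$($domain.DistinguishedName)"   # assumption: where the 1012 users live

# 1. A plain global security group. By itself it grants nothing anywhere: rights come
#    only from where it is nested, which is what keeps it off the servers. (The
#    Builtin\Administrators group seen in AD is the domain controllers' own
#    Administrators group, which is why the test user could log on to the server.)
if (-not (Get-ADGroup -Filter { Name -eq $groupName })) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path $domain.UsersContainer -Description 'Local Administrators on workstations only'
}

# 2. Membership: standard users, created as such, then added here.
$users = Get-ADUser -Filter * -SearchBase $staffOu
Add-ADGroupMember -Identity $groupName -Members $users

# 3. Nest the domain group into each workstation's local Administrators group.
#    Restricted Groups / Group Policy Preferences is the enforced way; this does the
#    same thing ad hoc, so a machine missing from the loop is a machine without it.
$workstations = Get-ADComputer -Filter { OperatingSystem -notlike '*Server*' } -Properties OperatingSystem |
                Select-Object -ExpandProperty DNSHostName
Invoke-Command -ComputerName $workstations -ArgumentList $memberName -ScriptBlock {
    param($member)
    $present = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -eq $member }
    if (-not $present) { Add-LocalGroupMember -Group 'Administrators' -Member $member }
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{n='Computer';e={$env:COMPUTERNAME}}, Name
}

# 4. Prove the group is NOT in the servers' Administrators group.
$servers = Get-ADComputer -Filter { OperatingSystem -like '*Server*' } -Properties OperatingSystem |
           Select-Object -ExpandProperty DNSHostName
Invoke-Command -ComputerName $servers -ArgumentList $memberName -ScriptBlock {
    param($member)
    $hit = Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -eq $member }
    [pscustomobject]@{ Server = $env:COMPUTERNAME; WorkstationAdminsPresent = [bool]$hit }
}
```

To make "cannot log in to the server" a rule rather than an absence, add the same group to "Deny log on locally" and "Deny log on through Terminal Services" in a GPO linked to the servers' OU; a deny right wins over any allow the user might pick up later.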

User password changes from Windows 7 on a 2008 r2 domain takes approximately 5 minutes


Hi,

We have 3 domains in a forest, and users of one of those domains have been complaining that it's taking too long to change their passwords (5 minutes each change), and this is amplified by the fact we have a GPO for complex passwords and if they make a password change which doesn't abide by the rules set in our password policy it takes 5 minutes to come back saying to try again.  Some users have therefore been taking 30 minutes to change their password!  I have setup a test account on a spare workstation and confirmed this for myself.

They have a single domain controller at that office, and there's a secondary domain controller for that domain in another site.  The DC in their office has the PDC emulator role, and the other 2 domain roles.  The forest root DC is in another office, but don't think that makes any difference.

Things I've tried:

Reboot the DC

Reboot the workstation

SFC /scannow

DCDIAG

Forced replication using repadmin to ensure it was working ok - it was quite fast

Pinged the DC from the workstation <1ms

Browsed fileshares on the DC - all working correctly and fast

Checked the event logs, none are found which suggest anything is working incorrectly, and the security logs say kerberos is working correctly so we shouldn't be falling back to NTLM

DNS settings on client machines are good, same for the DC

DNS SRV records points to the correct local DC server in that site

nslookup reports DNS is working correctly too

I am stumped. Oh, I've also done the usual and searched Google for any answers but couldn't find any.

Please help!

Thanks

Jodey



Oh I should also say that this server is pretty fast, and there's only 8 people in that office, so it's not overloaded.
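An added example, not from the original post: a way to split "the DC is slow at changing passwords" from "the client is slow at finding a DC", which the post's checks do not separate. It assumes the RSAT ActiveDirectory module on a workstation in the affected domain, a throwaway test account whose current password you know, and a minimum password age of 0 for that account (otherwise only the first change succeeds); the account name and starting password are assumptions.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory, a
# throwaway test account whose current password you know, and that the minimum
# password age for that account is 0 (otherwise only the first change succeeds).
# Account name and the starting password are assumptions; each new password is
# generated so password history never blocks the test.
Import-Module ActiveDirectory

$testUser = 'pwtest01'
$current  = ConvertTo-SecureString 'Start-Passw0rd!' -AsPlainText -Force
$domain   = Get-ADDomain

function New-TestPassword {
    # 12 hex chars plus an upper-case letter, digit and symbol satisfy default complexity
    ConvertTo-SecureString ("Tmp-{0}!" -f [guid]::NewGuid().ToString('N').Substring(0, 12)) -AsPlainText -Force
}

# 1. What the client side is doing: the DC it picked, its site, and the secure
#    channel it will send the change over. A DC in the other site here is the
#    first thing to fix.
nltest /dsgetdc:$env:USERDNSDOMAIN /writable
nltest /dsgetsite
nltest /sc_query:$env:USERDNSDOMAIN

# 2. Time a real change against each DC directly, bypassing DC location. Slow on
#    every DC points at the DC side (PDC forwarding, password filter DLLs listed in
#    HKLM\SYSTEM\CurrentControlSet\Control\Lsa "Notification Packages"); fast here
#    but slow at Ctrl+Alt+Del means the client is waiting on a DC it cannot reach.
function Measure-PasswordChange {
    param([string]$Server, [securestring]$Old, [securestring]$New)
    $t = Measure-Command {
        Set-ADAccountPassword -Identity $testUser -Server $Server -OldPassword $Old -NewPassword $New
    }
    [Math]::Round($t.TotalSeconds, 2)
}

foreach ($dc in $domain.ReplicaDirectoryServers) {
    $next = New-TestPassword
    [pscustomobject]@{ DC = $dc; ChangeSeconds = Measure-PasswordChange -Server $dc -Old $current -New $next }
    $current = $next
}

# 3. The rejection path the question describes: a policy-violating password must
#    come back just as fast as an accepted one.
$bad = ConvertTo-SecureString 'short' -AsPlainText -Force
$t = Measure-Command {
    try   { Set-ADAccountPassword -Identity $testUser -Server $domain.PDCEmulator -OldPassword $current -NewPassword $bad }
    catch { Write-Host "Rejected as expected: $($_.Exception.Message)" }
}
"Policy rejection took $([Math]::Round($t.TotalSeconds, 2)) s"
```

Run step 2 from the slow workstation itself, not from a DC: if the numbers are small there but the GUI change is still five minutes, the delay is in DC location or in the secure channel (nltest /sc_reset resets it), not in the password operation.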

Orphaned domain controller after running ADRAP


After running the ADRAP tools, it shows that one of the domain controllers is orphaned. I would like to know how to remove it without any impact.

logon failure: the target account name is incorrect


Hi

I am getting the "logon failure: the target account name is incorrect" error when trying to add a computer to the domain.

The office network runs on Windows 2003 Server and we have two DCs, both 2003. Client computers are XP and Windows 7. This particular computer dropped out of the network and I removed it from the domain and am trying to add it back on to the domain.

I have noticed a few computers also getting random errors that they can't access a network share by name (\\servername\share) but they can access the share by its IP (\\192.168.19.2\share), but when I restart the computer they are working fine.

I have a feeling that this has got to do with Kerberos security. I have seen a few event log errors on the server; they are:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date:  26/04/2013
Time:  10:17:01 AM
User:  N/A
Computer: PERTHSRV2
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server perthadmin5$.  The target name used was cifs/PERTHADMIN5.entpubperth.entertainmentbook.com.au. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (ENTPUBPERTH.ENTERTAINMENTBOOK.COM.AU), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

---------------------------------

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5722
Date:  26/04/2013
Time:  8:24:47 AM
User:  N/A
Computer: PERTHSRV2
Description:
The session setup from the computer NBDMLAP failed to authenticate. The name(s) of the account(s) referenced in the security database is NBDMLAP$.  The following error occurred:
Access is denied.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 22 00 00 c0               "..À   

hope you can help me with this.

Thank You

Kris
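An added example, not from the original post: the checks a KRB_AP_ERR_MODIFIED points at, run against the names that appear in the posted events. A ticket for cifs/PERTHADMIN5 is encrypted with the key of whichever account holds that SPN on the issuing DC; if the two DCs disagree about that account (duplicate object, unreplicated password change) or a second object advertises the same SPN, the target cannot decrypt it. It assumes the RSAT ActiveDirectory module (2012-era cmdlets, so newer than the 2003 DCs in the post) on a machine that can bind to both DCs; the credential prompt is for a domain account allowed to reset computer accounts.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory on a
# machine that can bind to both DCs; host names are the ones in the posted events.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$target = 'PERTHADMIN5'                       # server named in the Kerberos event 4
$client = 'NBDMLAP'                            # workstation named in NETLOGON 5722
$dcs    = $domain.ReplicaDirectoryServers      # both DCs

# 1. The account as each DC sees it. Two objectGUIDs for one name means a duplicate
#    was created; different pwdLastSet means one DC has not yet replicated the new
#    machine password, and tickets it issues are encrypted with the old one.
function Get-ComputerAccountView {
    param([string]$Name)
    $filter = '(sAMAccountName=' + $Name + '$)'
    foreach ($dc in $dcs) {
        Get-ADComputer -Server $dc -LDAPFilter $filter -Properties pwdLastSet, objectGUID |
            Select-Object @{n='DC';e={$dc}}, Name, ObjectGUID,
                          @{n='PwdLastSet';e={[DateTime]::FromFileTimeUtc($_.pwdLastSet)}}
    }
}
Get-ComputerAccountView -Name $target | Format-Table -AutoSize
Get-ComputerAccountView -Name $client | Format-Table -AutoSize

# 2. SPN collisions: any other object advertising HOST/ or cifs/ for this name gets
#    the ticket built with its key instead. setspn -X is the forest-wide duplicate check.
setspn -X
Get-ADObject -LDAPFilter "(servicePrincipalName=*/$target*)" -Properties servicePrincipalName |
    Select-Object DistinguishedName, servicePrincipalName

# 3. Stale DNS: the name the client used must point at the host that owns the account,
#    which is also why share-by-IP works when share-by-name does not (IP access falls
#    back to NTLM, which never looks at the SPN).
Resolve-DnsName -Name "$target.$($domain.DNSRoot)" -Type A
Resolve-DnsName -Name "$client.$($domain.DNSRoot)" -Type A

# 4. Repair a member's secure channel in place (no remove/rejoin), against one DC,
#    then verify it with nltest.
$cred = Get-Credential -Message 'Domain account allowed to reset computer accounts'
Invoke-Command -ComputerName $client -ArgumentList $cred, $dcs[0], $domain.DNSRoot -ScriptBlock {
    param($cred, $dc, $dns)
    if (-not (Test-ComputerSecureChannel -Server $dc)) {
        Test-ComputerSecureChannel -Repair -Server $dc -Credential $cred
    }
    nltest /sc_verify:$dns
}
```

If step 1 shows the same name with two GUIDs, delete the stale object before rejoining; if it shows one object with different pwdLastSet on the two DCs, force replication (repadmin /syncall) and the error clears on its own once both DCs hold the same key.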

Cannot promote server to DC


Hello,

I am having a few issues promoting a brand new 2012 Std server to a domain controller.  The OS is freshly installed with (almost) nothing else installed or added.

I have installed AD DS from roles and features, and it installed successfully.  When I run the deployment configuration I am experiencing two issues.  The first is I get a warning that says "DNS cannot be installed on this domain controller because this domain does not host DNS."  There are two other domain controllers, both running AD integrated DNS.  After some searching, I found threads where people added the DNS zone afterwards and it worked fine.  Also of note, when I first started the wizard, it said it was not able to install DNS, so I manually added the role.  Hence the "almost" from above.

The second error I am experiencing is more critical.  I am getting the error message "Verification of prerequisites for Active Directory preparation failed.  The specified user does not have SeSecurityPrivilegeEnabled." It will not let me continue.

The account I am using is my domain account which is a member of Domain, Enterprise and Schema Admins.  Our domain and forest functional level is 2008 R2.

When I searched on this error, it said to ensure the account had Manage Auditing and Security Log privileges.  The account is a member of the local admin group which is listed in the local policy.  Of note, the policy was defined by a GPO with domain admins (and a service account) added in.  While my account still should have had permission, I moved the server to an OU that blocks policy inheritance, ran gpupdate, and restarted.  Still no luck.  I also created a new user, added to the enterprise and schema admins, and am still experiencing this problem.

I seem to have exhausted all efforts, short of scrapping this server and starting over.  I also did not try through PowerShell as I don't think it will produce a different result.

Really stuck on this, any help is much appreciated.

Thanks,

Chris
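An added example, not from the original post: a check of who actually holds SeSecurityPrivilege ("Manage auditing and security log") after Group Policy has been applied, and whether it is present in the token of the account running the wizard. It is assumed to be run elevated on the server being promoted; the privilege is read from the effective local policy, and a token is built at logon, so group changes made afterwards do not show up until the next logon.

```powershell
# Added example, not from the original post. Run elevated on the server being
# promoted. The wizard checks for SeSecurityPrivilege in the token of the account
# running it; that right comes from the effective local policy after GPO processing,
# and the token is built at logon, so group changes made afterwards are invisible
# to it until the next logon.
function Get-SecurityPrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # secedit writes unresolved principals as *SID; translate what it can
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $v = $_.Trim()
        if ($v.StartsWith('*')) {
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $v }
        } else { $v }
    }
}

function Test-TokenHasSecurityPrivilege {
    # whoami /priv lists only privileges present in the token (enabled or disabled)
    [bool](whoami /priv | Select-String -SimpleMatch 'SeSecurityPrivilege')
}

function Get-TokenGroups {
    whoami /groups /fo csv | ConvertFrom-Csv | Select-Object -ExpandProperty 'Group Name'
}

$holders = Get-SecurityPrivilegeHolders
"Effective holders of SeSecurityPrivilege:"
$holders
"Present in my token: $(Test-TokenHasSecurityPrivilege)"
"Groups in my token that grant it:"
Compare-Object -ReferenceObject @($holders) -DifferenceObject @(Get-TokenGroups) -IncludeEqual -ExcludeDifferent |
    Select-Object -ExpandProperty InputObject

# Which GPO won for this setting (the one the question says lists Domain Admins and
# a service account): the computer-scope RSoP names it.
gpresult /scope computer /r
```

If the holders list is empty or names only groups that are not in the token, the GPO that defines the right has replaced the local default (Administrators) rather than added to it; a defined user-rights setting is a complete list, not a merge. If the holders and token line up here and the wizard still fails, run the same export on the DC the wizard contacts, since that machine's effective policy is the other place the right has to hold.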


SETSPN FQDN User Account name length question


SetSPN -S is failing with an error 0X00000525 - Unable to locate account XXXX

This seems to happen ONLY with accounts longer than 20 characters. Is there a limitation on account name length and search with SetSPN that is documented someplace?  We are having to rename (trim the names of) a number of accounts to address issues with SetSPN and Kerberos due to these errors.
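An added example, not from the original post. setspn looks the account up by its sAMAccountName (the pre-Windows 2000 logon name), which for user accounts is capped at 20 characters, so a longer display name or UPN prefix passed to it yields 0x525 (no such user). Set-ADUser takes a DN, GUID, SID or UPN and writes the same servicePrincipalName attribute, so no renaming is needed. It assumes the RSAT ActiveDirectory module; the account and SPN are assumptions.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory.
# setspn resolves the account by sAMAccountName, which is limited to 20 characters
# for user accounts; Set-ADUser accepts any identity, so the long name is irrelevant.
Import-Module ActiveDirectory

$upn = 'svc-reporting-server-production@corp.example.com'   # assumption: the long service account
$spn = 'HTTP/reports.corp.example.com'                       # assumption: the SPN to register

function Add-ServiceSpn {
    param([string]$UserPrincipalName, [string]$Spn)
    $acct = Get-ADUser -Filter { UserPrincipalName -eq $UserPrincipalName } -Properties servicePrincipalName
    if (-not $acct) { throw "No account with UPN $UserPrincipalName" }

    # What setspn was actually searching for: the 20-character logon name, not the UPN
    "sAMAccountName is '{0}' ({1} chars); setspn needs exactly this value" -f $acct.SamAccountName, $acct.SamAccountName.Length

    # Refuse to create a duplicate: one SPN on two accounts breaks Kerberos for both
    $dup = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" |
           Where-Object { $_.DistinguishedName -ne $acct.DistinguishedName }
    if ($dup) { throw "SPN $Spn already registered on $($dup.DistinguishedName)" }

    if ($acct.servicePrincipalName -notcontains $Spn) {
        Set-ADUser -Identity $acct.DistinguishedName -ServicePrincipalNames @{Add = $Spn}
    }
    Get-ADUser -Identity $acct.DistinguishedName -Properties servicePrincipalName |
        Select-Object -ExpandProperty servicePrincipalName
}

Add-ServiceSpn -UserPrincipalName $upn -Spn $spn
```

setspn -S does the same duplicate check before writing; if you stay with setspn, pass DOMAIN\sAMAccountName rather than the display name and the lookup succeeds regardless of how long the other names are.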


Failure to join the domain with the error


Newly built Windows XP machines failed to join the domain belonging to a site. The site has a DC.

Getting the error: "Error occurred attempting to join the domain XXXX. The system cannot find the file specified."

During the course of troubleshooting we found that DCDiag says:

    Starting test: RidManager
       * Available RID Pool for the Domain is 1084604 to 1073741823
       * XXX.YYY.com is the RID Master
       * DsBind with RID Master was successful
       * rIDAllocationPool is 935104 to 935603
       * rIDPreviousAllocationPool is 935104 to 935603
       * rIDNextRID: 935247
       ......................... XXX passed test RidManager

That means 935603 - 935104 = 499, plus it says the next RID is 935247.

But the event log showed:

    Event 16642: The account-identifier allocator was unable to assign a new identifier. The identifier pool for this domain controller may have been depleted. If this problem persists, restart the domain controller and view the initialization status of the allocator in the event log.

There is no other event showing this DC requesting a new RID pool from the RID master.

Due to the severity of the situation, as the event said to reboot the DC, I did, and that fixed the issue.

I would like to know if someone knows what caused this DC behaviour?
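An added example, not from the original post: a script that reads the RID pool attributes dcdiag summarises and works out how many RIDs each DC still has, whether a standby pool has been fetched, and how much of the domain-wide RID space the RID master has left. The numbers from the post are also run through the same arithmetic. It assumes the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory. The RID
# pool attributes are 64-bit integers: low 32 bits = first RID of the block, high
# 32 bits = last RID. rIDNextRID is the last RID this DC handed out.
Import-Module ActiveDirectory

function ConvertFrom-RidPool {
    param([Int64]$Value)
    [pscustomobject]@{ Start = $Value -band 0xFFFFFFFF; End = $Value -shr 32 }
}

function Get-RidPoolStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot, [int]$WarnBelow = 100)
    $d = Get-ADDomain -Identity $Domain
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        # Each DC's RID Set object is pointed to by rIDSetReferences on its computer object
        $comp     = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties rIDSetReferences -Server $dc.HostName
        $ridSetDn = [string]($comp.rIDSetReferences | Select-Object -First 1)
        $set      = Get-ADObject -Identity $ridSetDn -Server $dc.HostName `
                        -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
        $current  = ConvertFrom-RidPool $set.rIDPreviousAllocationPool   # pool in use
        $next     = ConvertFrom-RidPool $set.rIDAllocationPool           # pool on standby
        $left     = $current.End - $set.rIDNextRID
        [pscustomobject]@{
            DC          = $dc.HostName
            PoolStart   = $current.Start
            PoolEnd     = $current.End
            NextRid     = $set.rIDNextRID
            Remaining   = $left
            StandbyPool = if ($next.Start -ne $current.Start) { "$($next.Start)-$($next.End)" } else { 'none' }
            Warn        = ($left -lt $WarnBelow) -and ($next.Start -eq $current.Start)
        }
    }
    # Domain-wide: how much of the 2^30 RID space the RID master can still hand out
    $mgr   = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($d.DistinguishedName)" `
                 -Properties rIDAvailablePool -Server $d.RIDMaster
    $avail = ConvertFrom-RidPool $mgr.rIDAvailablePool
    [pscustomobject]@{
        DC = "RID master ($($d.RIDMaster))"; PoolStart = $avail.Start; PoolEnd = $avail.End
        NextRid = $null; Remaining = $avail.End - $avail.Start; StandbyPool = $null; Warn = $false
    }
}

# The numbers from the posted dcdiag output, through the same arithmetic:
# 935104..935603 in use, next RID 935247, so 356 RIDs were still free when
# event 16642 fired, and no standby pool had been fetched yet.
$posted = [pscustomobject]@{ Start = 935104; End = 935603; NextRid = 935247 }
"Posted pool had {0} RIDs left" -f ($posted.End - $posted.NextRid)

Get-RidPoolStatus | Format-Table -AutoSize
```

A DC asks the RID master for a standby pool once roughly half of the current one is used, so the posted DC, at 143 of 500 RIDs consumed, was not yet due to request one; with 356 RIDs free, the pool itself was not exhausted, which leaves the event's other explanation, the allocator not being initialised, as the thing to look for in the Directory Service log after the restart.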

Migrating to Active Directory 2008


I have a Windows 2003 Server as my domain controller

Using the Windows 2008 Adprep folder I did all the prep for Active Directory 2008.  I then added a second domain controller on a Windows 2008 server. It joined the domain with no problem.  But when checking properties on both servers it still lists a 2003 functional level.

How do I get this to the 2008 AD functional level?

Thanks

Dave


Dave Kozlowski
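An added example, not from the original post: adding a 2008 DC does not raise the functional level; that is a separate, one-way operation that is refused while any DC still runs an older OS. The script checks the DC operating systems first, shows the current levels, and runs the raise with -WhatIf so nothing changes until it is removed. It assumes the RSAT ActiveDirectory module (2008 R2 or later).

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory (2008 R2 or
# later). Raising the level is separate from adding the 2008 DC, is refused while a
# DC running an older OS still exists, and cannot be undone, so it checks first.
Import-Module ActiveDirectory

function Get-DcOsLevels {
    Get-ADDomainController -Filter * |
        Select-Object HostName, OperatingSystem,
            @{n='Version';e={ [Version]($_.OperatingSystemVersion -replace '\s.*$', '') }}
}

function Test-CanRaiseToWindows2008 {
    # Windows Server 2008 reports 6.0; anything lower is 2003 (5.2) or 2000 (5.0)
    $old = Get-DcOsLevels | Where-Object { $_.Version -lt [Version]'6.0' }
    if ($old) {
        Write-Warning ("Demote or upgrade these first: " + ($old.HostName -join ', '))
        return $false
    }
    $true
}

function Show-Levels {
    [pscustomobject]@{
        Domain     = (Get-ADDomain).DNSRoot
        DomainMode = (Get-ADDomain).DomainMode
        ForestMode = (Get-ADForest).ForestMode
    }
}

Show-Levels
if (Test-CanRaiseToWindows2008) {
    # Domain first, then forest; each is one-way. Remove -WhatIf to apply.
    Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2008Domain -WhatIf
    Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2008Forest -WhatIf
}
Show-Levels
```

The raise touches no Group Policy: the password policy in the Default Domain Policy stays exactly as it was, and users keep logging on with their current passwords; what the 2008 level adds is the option of fine-grained password policies on top of it. Take a system state backup of a DC before raising, since the only way back is a forest recovery.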

[powershell] change homedirectory to local path


Until now we used a network path for the home directory. Now we want to use the default local path.

In the Active Directory console, you can change the option "Home Folder" from "Connect" (network path) to "Local Path" and then the client uses the default user path.

Is it possible to set this option with PowerShell for all users?

Greetings from Bremen

Pascal Peters
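An added example, not from the original post. In ADUC, "Connect <drive> to <UNC>" writes the homeDrive and homeDirectory attributes and "Local path" writes homeDirectory alone; the profile's default folder is used when both are empty, so the bulk change is a clear of those two attributes. It assumes the RSAT ActiveDirectory module; the OU is an assumption.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory and an OU
# name. In ADUC, "Connect <drive> to <UNC>" is homeDrive + homeDirectory and
# "Local path" is homeDirectory alone; with both empty the profile default applies.
Import-Module ActiveDirectory

function Get-NetworkHomeUsers {
    param([string]$SearchBase)
    # \5c is the LDAP escape for a backslash: matches homeDirectory values starting with \\
    Get-ADUser -LDAPFilter '(homeDirectory=\5c\5c*)' -SearchBase $SearchBase -Properties homeDirectory, homeDrive
}

function Set-LocalHomeFolder {
    param(
        [Parameter(ValueFromPipeline)] $User,
        [string]$LocalPath,           # e.g. 'C:\Users\%username%'; omit for the profile default
        [switch]$Apply                # without it only reports what would change
    )
    process {
        $params = @{ Identity = $User; WhatIf = (-not $Apply) }
        if ($LocalPath) {
            Set-ADUser @params -HomeDirectory $LocalPath -Clear homeDrive
        } else {
            Set-ADUser @params -Clear homeDirectory, homeDrive
        }
    }
}

$scope = 'OU=Users,DC=corp,DC=example,DC=com'      # assumption
$users = Get-NetworkHomeUsers -SearchBase $scope
$users | Select-Object SamAccountName, homeDrive, homeDirectory | Format-Table -AutoSize

# Dry run for everyone, then apply to a handful and verify a logon before doing all.
$users | Set-LocalHomeFolder
$users | Select-Object -First 5 | Set-LocalHomeFolder -Apply
```

Clearing the attributes changes only where new logons put the folder; anything already stored under the old network path has to be copied to the local profile separately, and the share permissions there should be tightened or removed once that is done.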

Demoting single domain controller in small network to file server


We have a small network with a mix of about 10 workstations (desktops on Ethernet and a few laptops on wireless) and one 2003 R2 domain controller.  We want to demote the domain controller and just make it a file server.  A few questions: what is the proper way to do this and what are the ramifications?

After backing up all files:

1. Should I remove each workstation from the domain first?

2. Then demote the domain controller?

3. What effect will this have on the installed programs on server?

4. Should I just wipe the server and clean install the OS and all programs?

Thank you

 

How to use login service from ADFS in local web app


Hi all,

I need to replace the ADFS login page with a special login page in my web app, but I can't find a solution for this. In my pages, both domain users and database users can get access, so if we only use ADFS we can only get access with domain users. I tried to find login services of ADFS to call from my web app, but there are none.

If anyone has resolved this problem, please help me.

Thank you so much

Cross Forest Domain & Mailbox Migration from 2003 forest to 2008 forest, Ex2007 to Ex2010; after migration, 2003 forest users want to log on to their old domain @xyz.in


Hi All,

We need some clarification about cross-forest migration as well as mailbox migration.

Forest 1:

 Domain Name : abc.com

Domain & Forest Functional Level : windows 2008

Exchange 2010 for Mailing solution

SMTP : lastname.firstname@abc.com

 

Forest 2:

 Domain Name : xyz.in

Domain & Forest Functional Level : windows 2003

Exchange 2007 for Mailing solution

SMTP : alias@xyz.in

My job is to migrate xyz.in domain user accounts and user mailboxes to the abc.com domain and Exchange 2010.

But the customer requirement is that after migration of users and mail from the 2003 domain forest, users want to log in to their computers using alias@xyz.in (logon domain).

For SMTP we will create a secondary mail address, but user login is our headache.

As per our experience we can create an additional UPN suffix for xyz.in users and inform users to log on to computers using the FQDN name alias@xyz.in.

Is there any other way to achieve this goal? Kindly help me.

I have searched many of them in Bing as well as Google but could not find any solution for that.

Thanks in advance.


Thanks & Regards, Kesa_Kara
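An added example, not from the original post: the alternative-UPN approach the post already names, as a script. It registers xyz.in as a UPN suffix in the abc.com forest, finds the migrated accounts by the SID they carried over, and sets alias@xyz.in as each one's UPN with a uniqueness check. It assumes the RSAT ActiveDirectory module run against abc.com, that the migration tool populated sIDHistory (ADMT does), and that the xyz.in forest is gone or no longer trusted when the suffix is added: while a forest trust to xyz.in still exists, the suffix conflicts with that forest's own name and name-suffix routing for it is disabled. The source domain SID and OU are assumptions.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory run against
# abc.com, sIDHistory populated by the migration (ADMT does this), and that the xyz.in
# forest is decommissioned or untrusted when the suffix is added. The source domain
# SID and OU are assumptions.
Import-Module ActiveDirectory

$suffix       = 'xyz.in'
$srcDomainSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1111111111-2222222222-3333333333'
$migratedOu   = 'OU=Migrated,DC=abc,DC=com'

# 1. Register the alternative suffix once, forest-wide
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $suffix}
}

# 2. Find the migrated users by the SID they carried over from xyz.in
$migrated = Get-ADUser -Filter * -SearchBase $migratedOu -Properties sIDHistory, userPrincipalName |
    Where-Object { $_.SIDHistory | Where-Object { $_.AccountDomainSid -eq $srcDomainSid } }

# 3. Give each one alias@xyz.in as UPN. UPNs must be unique in the forest, so check
#    before writing; leave -WhatIf on until the list looks right.
foreach ($u in $migrated) {
    $newUpn = "$($u.SamAccountName)@$suffix"
    $clash  = Get-ADUser -Filter { UserPrincipalName -eq $newUpn } |
              Where-Object { $_.DistinguishedName -ne $u.DistinguishedName }
    if ($clash) { Write-Warning "$newUpn already belongs to $($clash.DistinguishedName)"; continue }
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}
```

Users then type alias@xyz.in at the logon screen with no domain selected; the down-level form stays ABC\alias, and the domain drop-down will never show xyz.in, because that list is built from domains and trusts, not from UPN suffixes.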

Active Directory Migration 2003 to 2008 R2


I am migrating a 2003 Active Directory Schema to 2008 R2

One Domain controller - nothing fancy

Will this have any affect on present Password policy?

Want to make sure everyone can log in when this is done and won't have to change anything.

Want this to be seamless and painless.

Thanks


Dave Kozlowski


Hijacked DC Name


One of our (now ex) technicians mistakenly renamed a workstation the exact same name as our DC that holds the FSMO roles.  Then, realizing his mistake, he renamed the PC.  The result is our DC was renamed in AD Users and Computers but the DC still has the old name.  When we try to log into the DC we predictably get the message "The security database on the server does not have a computer account for this workstation trust relationship".  I read through many articles about the error but this exact situation seems unique to us.

So far, to remedy the situation we have taken these steps: changed the renamed DC's attributes in AD to the old name (GUIDs still won't match); logged on to another DC and seized the FSMO roles; powered down the renamed DC; removed all DNS entries; added the IP address to a spare NIC in the new FSMO role holder; altered the settings in DNS to allow DNS queries on the new FSMO holder (so machines looking for a DNS server would be routed to one able to handle the request).

My question is threefold: (1) did we shoot ourselves in the foot by having another DC seize the FSMO roles?; (2) is there any way to salvage the renamed DC without a complete rebuild? (3) If we do need to rebuild the server what steps, outside of deleting the orphaned DC attributes from AD, do we need to take?

Any insight will be appreciated.
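An added example, not from the original post; it serves this question and the "orphaned domain controller after running ADRAP" question further up the page. It verifies where the FSMO roles sit after a seizure, seizes any that still point at the dead DC, removes that DC's metadata, and lists the DNS and replication leftovers the cleanup does not touch. It assumes the RSAT ActiveDirectory and DnsServer modules on a 2008 R2 or later DC; the dead and surviving DC names are assumptions.

```powershell
# Added example, not from the original post; also covers the "orphaned DC after
# ADRAP" question. Assumes RSAT ActiveDirectory and DnsServer on a 2008 R2+ DC.
# The dead and surviving DC names are assumptions.
Import-Module ActiveDirectory, DnsServer

$dead     = 'DC1'      # assumption: the DC whose name/account was clobbered
$survivor = 'DC2'      # assumption: the DC that seized the roles

function Get-FsmoHolders {
    $d = Get-ADDomain; $f = Get-ADForest
    [pscustomobject]@{
        PDCEmulator = $d.PDCEmulator; RIDMaster = $d.RIDMaster; InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster = $f.SchemaMaster; DomainNamingMaster = $f.DomainNamingMaster
    }
}

# 1. A seizure only hurts if the old holder comes back online still believing it
#    owns a role. Check that every role now names a live DC, and seize any that do not.
$fsmo = Get-FsmoHolders
$fsmo
$stillOnDead = $fsmo.PSObject.Properties |
    Where-Object { $_.Value -like "$dead.*" -or $_.Value -eq $dead } |
    Select-Object -ExpandProperty Name
if ($stillOnDead) {
    Move-ADDirectoryServerOperationMasterRole -Identity $survivor -OperationMasterRole $stillOnDead -Force -Confirm:$false
}

# 2. While the dead DC's NTDS Settings object exists, the other DCs keep trying to
#    replicate with it and the KCC keeps it in the topology.
$config = (Get-ADRootDSE).configurationNamingContext
$server = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$dead))" -SearchBase "CN=Sites,$config"
$ntds   = if ($server) { Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase $server.DistinguishedName }

# 3. Metadata cleanup. On 2008 R2+ deleting the server object in AD Sites and
#    Services does all of this; ntdsutil is the scriptable equivalent. Run it with
#    the dead DC powered off, and leave it off: after a seizure it must be rebuilt.
if ($ntds) {
    ntdsutil 'metadata cleanup' "remove selected server $($server.DistinguishedName)" quit quit
}

# 4. Leftovers the cleanup does not touch: the DC's A and SRV records, and the
#    survivor's replication partner list.
$zone = (Get-ADDomain).DNSRoot
Get-DnsServerResourceRecord -ZoneName $zone -ComputerName $survivor |
    Where-Object { $_.HostName -eq $dead -or
                   ($_.RecordType -eq 'SRV' -and $_.RecordData.DomainName -like "$dead.*") }
repadmin /showrepl $survivor
```

To the first question: seizing was the right call once the old holder could not be trusted; the rule that follows from it is that the seized-from DC is rebuilt, never brought back as it was. Rebuilding it under the same name is fine after the metadata and DNS records above are gone, and after the computer account a non-DC technician was able to rename has been deleted rather than edited back.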

Restoring Access of a Domain Admin User


Hi,

We have a Domain Admin user in our AD whose security group access has changed lately. It's like someone has removed his access to certain groups. I'd like to know if there is a way to restore his previous access.

Regards,

Prraaddeep
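An added example, not from the original post: group membership is a linked value stored on the group, so each group's replication metadata still records a deleted member link, with the time of removal and the DC it went through. The script recovers the list of groups the user was removed from, looks up the matching member-removed events on that DC to see who did it, and re-adds the memberships with -WhatIf. It assumes the RSAT ActiveDirectory module from Windows 8 / Server 2012 or later (Get-ADReplicationAttributeMetadata) and that the tombstone lifetime has not passed since the change; the account name is an assumption.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory from
# Windows 8 / Server 2012 or later and that the tombstone lifetime has not expired
# since the change. Account name is an assumption.
Import-Module ActiveDirectory

$user  = Get-ADUser -Identity 'pradeep.admin'            # assumption
$dc    = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddDays(-30)

function Get-RemovedMemberships {
    param($User, [string]$Server, [DateTime]$Since)
    foreach ($g in Get-ADGroup -Filter { GroupCategory -eq 'Security' } -Server $Server) {
        Get-ADReplicationAttributeMetadata -Object $g.DistinguishedName -Server $Server -ShowAllLinkedValues |
            Where-Object {
                $_.AttributeName -eq 'member' -and
                $_.AttributeValue -eq $User.DistinguishedName -and
                $_.LastOriginatingDeleteTime -and $_.LastOriginatingDeleteTime -gt $Since
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Group      = $g.Name
                    RemovedAt  = $_.LastOriginatingDeleteTime
                    RemovedVia = $_.LastOriginatingChangeDirectoryServerIdentity
                    Version    = $_.Version     # how many times this link has been toggled
                }
            }
    }
}

function ConvertTo-DcName {
    param([string]$Identity)
    # NTDS Settings DN -> server name; a plain host name is returned unchanged
    if ($Identity -match '^CN=NTDS Settings,CN=([^,]+),') { $Matches[1] } else { $Identity }
}

$removed = Get-RemovedMemberships -User $user -Server $dc -Since $since
$removed | Format-Table -AutoSize

# Who did it: the originating DC logged a member-removed event (4729 global,
# 4733 domain local, 4757 universal) whose Subject fields name the actor.
foreach ($r in $removed) {
    Get-WinEvent -ComputerName (ConvertTo-DcName $r.RemovedVia) -FilterHashtable @{
        LogName = 'Security'; Id = 4729, 4733, 4757
        StartTime = $r.RemovedAt.AddMinutes(-5); EndTime = $r.RemovedAt.AddMinutes(5)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($user.DistinguishedName) } |
    Select-Object TimeCreated, Id, MachineName, @{n='Actor';e={ $_.Properties[6].Value }}
}

# Restore: confirm the list is what the role really requires before removing -WhatIf.
foreach ($r in $removed) { Add-ADGroupMember -Identity $r.Group -Members $user -WhatIf }
```

Before putting the memberships back, the actor from the event log is the more important answer: a change to a Domain Admin's groups that nobody owns up to is an incident to investigate (who holds rights over those groups, and whether the actor's account is compromised), not just a setting to restore.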

 


New Active Directory Site for remote office, or stick to just one site?


New Active Directory Site for remote office, or keep in same site/domain? Scenario:

  • Physical (main) Site 1 – West coast
    • Two AD servers (Windows 2008 R2 Standard)
      • Domain.com
      • 192.168.100.x/24
      • fiber internet connection
  • Physical (branch office) Site 2 – East coast
    • One AD server (Windows 2008 R2 Standard)
      • East.Domain.com
      • 192.168.200.x/24
      • comcast internet connection

*The following references to “sites” are not AD “Sites”, just referencing physical locations only.

Site 1’s DNS servers are replicating to each other. There is a persistent VPN tunnel (2 Cisco ASA 5510’s) connecting the West coast with the East coast. The East coast server was not joined to the Domain.com domain (for whatever reason). Instead a sub-domain was created (east.domain.com) and its FQDN is server.east.domain.com.

We are wondering if it would be better to demote the server on the East coast and simply join it to domain.com, because with the way it is set up now, there is no “domain.com” DNS zone on the East coast’s DNS server – only east.domain.com.

Also, what would be the correct IP addresses to have on each DNS server’s FORWARDER tab? In the past I have always put the ISP’s IP address (or any public DNS server like 4.2.2.2 or 8.8.8.8 – anything but another “internal” IP). At Site 1 both DNS servers are set up with OpenDNS, but on Site 2, its Forwarders are pointing to the two internal IP addresses of the AD servers at Site 1. I changed Site 2’s Forwarders to OpenDNS, and suddenly no one at Site 2 (the branch location) could access resources at Site 1 by DNS name (i.e. Http://servername). Does this mean “Active Directory Sites and Services” is set up incorrectly? Because there is no domain.com Forward Lookup Zone in DNS at Site 2 with Site 1’s DNS records, I was afraid this would happen. I am not too familiar with AD Sites and Services, but in DNS on Site 2, shouldn’t domain.com be a child node within east.domain.com?

All of the resources that this company uses are located at Site 1. Site 2 is simply a branch office with one server and a printer, with a bunch of users who constantly access resources at Site 1 via VPN. There may be a time however, that Site 2 will be just as large as Site 1, so I’m thinking it would be better to get “AD Sites and Services” running properly rather than demoting/dcpromo’ing Site 2’s AD server into domain.com.


How to Prioritize Logon Server Selection


Here's the Situation

I have 4 domain controllers in my domain, at 2 different sites, on two different subnets:

dc1 192.168.1.100/24
dc2 192.168.1.101/24
dc3 192.168.2.100/24
dc4 192.168.2.101/24

How do I set it up so that computers on my 192.168.1.0 network don't use the domain controllers on the 192.168.2.0 network?
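An added example, not from either post; it serves this question and the "new AD site for the remote office" question above. The DC locator matches the client's IP to a subnet, the subnet to a site, and hands back DCs from that site first; with no subnet defined, any DC in the domain is fair game, which is the complaint here. The script defines the two sites and subnets, moves the DCs into them, links the sites, and then sets the branch DNS server up with public forwarders plus a conditional forwarder for the parent zone that is hosted only at Site 1. It assumes the RSAT ActiveDirectory and DnsServer modules (2012 and later); site names, the branch DNS server name and the Site 1 DNS addresses are assumptions, the subnets and DC names come from this post.

```powershell
# Added example, not from either post. Assumes RSAT ActiveDirectory and DnsServer
# modules (2012+). Site names, DNS server name and the Site 1 DNS addresses are
# assumptions; subnets and DC names come from the logon-server post.
Import-Module ActiveDirectory, DnsServer

# --- Sites and subnets: the locator answers with DCs from the client's own site first.
$layout = @(
    @{ Site = 'HQ';     Subnet = '192.168.1.0/24'; DCs = 'dc1', 'dc2' }
    @{ Site = 'Branch'; Subnet = '192.168.2.0/24'; DCs = 'dc3', 'dc4' }
)
foreach ($l in $layout) {
    $siteName = $l.Site; $cidr = $l.Subnet
    if (-not (Get-ADReplicationSite -Filter { Name -eq $siteName })) {
        New-ADReplicationSite -Name $siteName
    }
    if (-not (Get-ADReplicationSubnet -Filter { Name -eq $cidr })) {
        New-ADReplicationSubnet -Name $cidr -Site $siteName
    }
    foreach ($dc in $l.DCs) { Move-ADDirectoryServer -Identity $dc -Site $siteName }
}
if (-not (Get-ADReplicationSiteLink -Filter { Name -eq 'HQ-Branch' })) {
    # cost and interval are assumptions; inter-site replication over the VPN follows them
    New-ADReplicationSiteLink -Name 'HQ-Branch' -SitesIncluded HQ, Branch -Cost 100 -ReplicationFrequencyInMinutes 15
}
# A client's view: the site it was placed in and the DC it is handed
nltest /dsgetsite
nltest /dsgetdc:$env:USERDNSDOMAIN /force

# --- DNS at the branch (the east.domain.com server): public forwarders for the
#     Internet, plus a conditional forwarder so domain.com, hosted only at Site 1,
#     still resolves. Pointing the general forwarders at Site 1 only "worked" because
#     every query the branch could not answer went there, domain.com included.
$branchDns = 'server.east.domain.com'                   # from the post
$site1Dns  = '192.168.100.10', '192.168.100.11'          # assumption: Site 1 DC addresses
Set-DnsServerForwarder -ComputerName $branchDns -IPAddress 208.67.222.222, 208.67.220.220   # OpenDNS
if (-not (Get-DnsServerZone -ComputerName $branchDns -Name 'domain.com' -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -ComputerName $branchDns -Name 'domain.com' `
        -MasterServers $site1Dns -ReplicationScope Domain
}
Resolve-DnsName -Server $branchDns -Name 'domain.com' -Type NS
```

On the child-domain question: domain.com is the parent of east.domain.com, not a child node inside it, so the branch server will never hold it automatically; a conditional forwarder (or a stub zone) is how a DNS server learns where another zone lives. Whether to keep east.domain.com at all is a separate decision; with sites and subnets defined, one domain with a DC per site gives the same locality without a second domain to administer.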

Simple Cloud app to test/demo with Active Directory Federation Services 2.0??


I recently inherited an ADFS 2.0 farm that was previously working with a cloud app as a test, but the vendor de-provisioned it.  I'm hoping to find a relatively simple app in the cloud I can test ADFS against.  I know I can test locally but I'm also looking for "demo" value and the ability to confirm functionality of the NetScalers that were leveraged instead of ADFS proxy roles.

I'm not a coder, more of an IDM person if that helps.

Thanks!
