Can I disable a GPO without the settings being reversed?
Windows Server 2012 inplace upgrade from Windows Server 2008 Standard R2
Create a security group in AD for 10 machines which should give the logged-on users local admin rights
Hello Folks,
I need to create a security group for 10 computers in AD. Whichever user logs on to those machines should have full logon rights.
Appreciate the feedback
Thanks !
My last and only DNS server crashed
Hi all,
As I said in the title, my last and only DNS server crashed. Now I have a server with Windows Server 2012 R2. It's the only Active Directory server in my domain. There's even a Microsoft Exchange installed on this server, but I can't find out what the version is because the Exchange Toolbox does not open. Actually, nothing works.
I installed the DNS role on this server and created the primary zone, but the checkbox "Store the zone in Active Directory" is grayed out. I tried the command "ipconfig /registerdns" but it didn't work.
My question is: Is it possible to add a new DNS server in my domain when there is no more DNS servers?
Thanks in advance. I really need help.
HYPER-V Replica Error 0x80090303
Hello,
I'm facing an error with HYPER-V Replica.
I have 2 clusters, Primary and DRS. All configurations are made and replica brokers are configured on both clusters! But when I need to start a machine replication from the Primary cluster to DRS I get an error like the one in the screenshot.
If I want to replicate from DRS to Primary it works OK!
exports users info
I have display names in CSV file in the below format.
Names
Tim A
Rob V
I want to import this CSV file, get their userprincipalname, samaccountname, email address and office location, and export them to a CSV file. Experts, please help with the syntax.
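One way to do what the post asks, as an added example that is not part of the original post: it assumes the ActiveDirectory module is available, uses a constructed copy of the CSV shape shown above, and looks accounts up by display name (which is not unique in AD, so matches of zero or several accounts are reported rather than silently dropped).

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and a CSV with a single "Names" column, as in the post.
Import-Module ActiveDirectory

# Constructed sample input: the CSV shape from the post, written to a temp file.
$inputCsv  = Join-Path $env:TEMP 'names.csv'
$outputCsv = Join-Path $env:TEMP 'users.csv'
@"
Names
Tim A
Rob V
"@ | Set-Content -Path $inputCsv -Encoding UTF8

$results = foreach ($row in Import-Csv -Path $inputCsv) {
    $name = $row.Names.Trim()
    if (-not $name) { continue }

    # Display names are not unique; the filter may return 0 or several accounts.
    # Single quotes in the name are doubled so they cannot break the filter string.
    $filter = "DisplayName -eq '$($name -replace "'", "''")'"
    $users  = @(Get-ADUser -Filter $filter -Properties DisplayName, EmailAddress, Office)

    if ($users.Count -eq 0) {
        Write-Warning "No AD user with display name '$name'"
        continue
    }
    if ($users.Count -gt 1) {
        Write-Warning "$($users.Count) accounts share display name '$name'; exporting all of them"
    }
    foreach ($u in $users) {
        [pscustomobject]@{
            DisplayName       = $u.DisplayName
            UserPrincipalName = $u.UserPrincipalName
            SamAccountName    = $u.SamAccountName
            EmailAddress      = $u.EmailAddress
            Office            = $u.Office
        }
    }
}

$results | Export-Csv -Path $outputCsv -NoTypeInformation -Encoding UTF8
```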
Client Workstations - Group Policy Objects not applying
We have already opened all these ports in our AD environment going to the 2nd AD domain, but we would also like to identify which ports should be opened going to the client workstations.
Both of our AD environments are in separate locations:
Current setup of domains & client workstations:
AD Domain 1: (Primary) Located at City 1
AD Domain 2: (Secondary) Located at City 2
Client Workstations: Located at City 3
Connections go via firewall policies to the primary domain in the other location.
Port Description                              Port Details
LDAP                                          TCP 389
LDAP SSL                                      TCP 636
Kerberos                                      TCP 88
DNS                                           TCP 53
LDAP                                          TCP 389
LDAP (Secure)                                 TCP 636
RPC / Replication                             TCP 135
DFSN, NetBIOS Session Service, Net Logon      TCP 139
Global Catalog                                TCP 3268
Global Catalog (Secure)                       TCP 3269
Authentication, Trusts and Group Policy
Kerberos Password Change                      TCP 464
DFSR, File Replication                        TCP 5722
Replication, User / Computer                  TCP 49152-65535 (is this whole port range required to be open, from 49152 up to 65535?)
What are the risks in opening all these ports? We need to justify to the audit team each port, and its risk, that is needed for the AD policies to work properly.
Appreciate if you can help me on this case.
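A check a practitioner would want before the audit discussion, as an added example that is not part of the original post: from a client workstation, test which of the TCP ports listed above are actually reachable on a domain controller, so the firewall rules can be verified against the list rather than assumed. The DC name is a placeholder; the port table is taken from the post.

```powershell
# Added example (not from the original post). Tests reachability of the listed
# ports from a workstation to one DC. $dc is an assumed placeholder value.
$dc = 'dc1.corp.example'   # placeholder: replace with a DC of AD Domain 1

# The fixed TCP ports from the post's table.
$ports = [ordered]@{
    'DNS'                         = 53
    'Kerberos'                    = 88
    'RPC endpoint mapper'         = 135
    'NetBIOS session / Net Logon' = 139
    'LDAP'                        = 389
    'Kerberos password change'    = 464
    'LDAP SSL'                    = 636
    'Global Catalog'              = 3268
    'Global Catalog (Secure)'     = 3269
    'DFSR (fixed port)'           = 5722
}

function Test-DcPorts {
    param([string] $ComputerName, [System.Collections.IDictionary] $PortMap)
    foreach ($entry in $PortMap.GetEnumerator()) {
        $t = Test-NetConnection -ComputerName $ComputerName -Port $entry.Value `
                                -WarningAction SilentlyContinue
        [pscustomobject]@{
            Service   = $entry.Key
            Port      = $entry.Value
            Reachable = $t.TcpTestSucceeded
        }
    }
}

$report = Test-DcPorts -ComputerName $dc -PortMap $ports
$report | Format-Table -AutoSize

# Anything in the list that is blocked shows Reachable = False; list those
# separately so each one can be matched to a firewall rule during the audit.
$report | Where-Object { -not $_.Reachable } | Format-Table Service, Port -AutoSize

# The 49152-65535 range cannot be verified with a single probe: RPC services
# get their port from the endpoint mapper on 135 at runtime. To see which
# high ports a DC really listens on, run this on the DC itself:
#   Get-NetTCPConnection -State Listen | Where-Object LocalPort -ge 49152
```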
GPO not applying to windows 7 clients
A GPO is not applying to Windows 7 clients, creating an issue where users without domain admin rights cannot administer the clients. We have mixed 2008 R2 and 2016 domain controllers, with functional level 2008. This issue may have been around a long time; we only noticed once we revoked domain admin from some users. The idea was that existing GPOs would give them local admin rights. Unfortunately, the GPO with local admin is not being applied.
The RSOP tool shows it is not being applied.
I also found this in the RSOP.
An error in the system log:
Log Name: Application
Source: Group Policy Scheduled Tasks
Date: 03/01/2020 13:29:52
Event ID: 8194
Task Category: (2)
Level: Error
Keywords: Classic
User: SYSTEM
Computer: TRN-ECO-013
Description:
The client-side extension could not apply computer policy settings for 'DSK Standard {B749D50F-EEA7-4BAD-8F3D-875EACAB6EC7}' because it failed with error code '0x80070003 The system cannot find the path specified.' See trace file for more details.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Group Policy Scheduled Tasks" />
<EventID Qualifiers="34305">8194</EventID>
<Level>2</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-01-03T13:29:52.000000000Z" />
<EventRecordID>177307</EventRecordID>
<Channel>Application</Channel>
<Computer>TRN-ECO-013 </Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data>apply</Data>
<Data>computer</Data>
<Data>DSK Standard {B749D50F-EEA7-4BAD-8F3D-875EACAB6EC7}</Data>
<Data>0x80070003 The system cannot find the path specified.</Data>
</EventData>
</Event>
Also found in
\\trn-eco-013\c$\Windows\security\logs\winlogon
Error 13: The data is invalid.
Error converting %SYSTEMROOT\SYSTEM32\COMMAND.COM.
cross forest dfs ?
I want to know if it is possible to deploy a DFS share across multiple forest domains.
I have three forest domains:
- ucda.com
- ucdb.com
- ucdc.com
They are all single forests. I found in the Microsoft docs that DFS cannot cross forest domains, so I really want to know for sure whether it is right that DFS cannot cross forest domains.
Thank you very much.
Please help.
Strange "reset password" behavior
Hi there,
We have a root domain (i.e. company.de) with some subdomains (i.e. lab.company.de & prod.company.de). Our admins (they are all created in prod.company.de) have the right to reset passwords in the subdomain (lab.company.de).
When the admins use the dsa.msc console search feature and select "Find [Users, Contacts, and Groups] in [Entire Directory]", they are not allowed to reset the password of users in the lab.company.de domain.
Error message: access denied
When the same admin uses "Find [Users, Contacts, and Groups] in [lab.company.de]", he is allowed to reset the password without any error message.
Works as designed or bug? I couldn't find further information about this strange behavior.
Cannot enable TLS for LDAP
I use the ldap_start_tls() function. I have added the root cert to C:\OpenLDAP\sysconf\certs.
ldap.conf:
TLS_REQCERT demand
TLS_CACERT C:\OpenLDAP\sysconf\certs\root.pem
ldap_start_tls() returns a warning:
Warning (2): ldap_start_tls(): Unable to start TLS: Connect error
What's wrong? Why does the function return a warning?
Thanks
Domain Controller 2016 priority not work
Hi Support,
We have some Windows 2008R2 DCs and are promoting Windows 2016 DCs. We configure "LdapSrvPriority" in the registry so that users will not contact the target DC. It works on the Windows 2008R2 DCs: users only contact the priority 0 (by default) DCs; they will not contact the DC with the higher value.
After we promoted a Windows 2016 DC and configured the same setting, we found that users still connect to the new 2016 DC. We checked that the values are already updated in DNS.
Is the priority setting not available on Windows 2016 DCs?
Thanks
Chong
Renew Code Signing Certificate same key?
Currently have an internally issued code signing certificate that expires next year 2021. We want to stay ahead of this and renew the certificate now, a year ahead, but aren't quite sure on some of the specifics here.
I don't see a real need to renew with a new key, but if we renew with the same key, will the old version of the certificate still continue to work? Or will everything need to be resigned immediately? We want to avoid this if possible and allow everything that was previously signed to still operate at least until the original expiration.
We would need to issue the certificate through GPO as well, but will this create two entries in the GPO for the same certificate, or will it simply update to the new expiration date? We don't want confusion to be created when looking at the certificate store as to which is the correct one.
Rename old 2008R2 DC and give new 2016 DC the old one's name & certificate
Hello,
I am planning to upgrade a domain that has DCs running 2008R2 to 2016 this weekend. One of the DCs has a TLS/SSL certificate, and I want to keep using this cert, which has the FQDN of the old DC, on one of the new 2016 DCs. My plan is to rename the old DC from DC1 to DC1_OLD (using netdom, as outlined in the link below), rename the 2016 machine to DC1 and promote it, and then install the certificate I exported. My question is whether, if I use this process, I will have problems with duplicate SPNs or anything else, because I am reusing the old name on a new machine. So in summary:
1.) export DC1 cert on 2008R2 machine
2.) rename the 2008R2 DC from DC1 to DC1_OLD
3.) rename new server to DC1 & Promote it to be a DC
4.) install exported cert on the new 2016 DC1
Active Directory synchronization
Hi Folks,
I have several DCs divided over two sites:
Site 1: DC1, DC2, DC3
Site 2: AZ-DC1, AZ-DC2
When I take a look in AD Sites & Services the replication between the sites and the DC's is configured like shown in the screenshot below....
Is this configured correctly, or do I have to configure this in a different (better) way?
Active Directory - Unnest AD groups from nested AD group
I have written code to unnest AD group members from AD groups:
# Count of direct child groups (the original line was missing the $ on the variable
# and counted every member, not only the nested groups)
$ChildGroupCount = (Get-ADGroupMember -Identity $group | Where-Object objectClass -eq 'group' | Measure-Object).Count
# Member details in the AD group; -Recursive returns the leaf (non-group) members,
# i.e. the membership already flattened through all nested groups
Get-ADGroupMember -Identity Grandparent -Recursive
I need help to find the cmdlet we use to unnest AD groups from AD group.
suresh arasu
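There is no single cmdlet that unnests a group; it is a walk of the nesting tree followed by membership changes. Below is an added example (not the poster's code) that flattens a group while recording through which nested chain each user arrives, stops on circular nesting, and then shows the actual unnesting with -WhatIf so nothing changes until the switch is removed. The group name Grandparent comes from the post; everything else is assumed.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module;
# 'Grandparent' is the group name from the post.
Import-Module ActiveDirectory

function Get-FlattenedGroupMembers {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [System.Collections.Generic.HashSet[string]] $Seen =
            [System.Collections.Generic.HashSet[string]]::new(),
        [string] $Path = ''
    )
    $group = Get-ADGroup -Identity $Identity
    # Stop on cycles (groups nested in each other) instead of recursing forever.
    if (-not $Seen.Add($group.DistinguishedName)) { return }
    $thisPath = if ($Path) { "$Path > $($group.Name)" } else { $group.Name }

    foreach ($m in Get-ADGroupMember -Identity $group) {
        if ($m.objectClass -eq 'group') {
            Get-FlattenedGroupMembers -Identity $m.DistinguishedName -Seen $Seen -Path $thisPath
        } elseif ($m.objectClass -eq 'user') {
            [pscustomobject]@{ SamAccountName = $m.SamAccountName; Via = $thisPath }
        }
    }
}

# Step 1: see which users the nested groups contribute and through which chain.
$flat = Get-FlattenedGroupMembers -Identity 'Grandparent'
$flat | Sort-Object SamAccountName, Via | Format-Table -AutoSize

# Step 2 (only when nesting really should go): add the users directly, then drop
# the child groups. Users already direct members are skipped so Add-ADGroupMember
# does not fail on them. -WhatIf previews the change; remove it to apply.
$direct   = (Get-ADGroupMember -Identity 'Grandparent' |
             Where-Object objectClass -eq 'user').SamAccountName
$children =  Get-ADGroupMember -Identity 'Grandparent' | Where-Object objectClass -eq 'group'
$toAdd    =  $flat.SamAccountName | Sort-Object -Unique | Where-Object { $_ -notin $direct }

if ($toAdd)    { Add-ADGroupMember    -Identity 'Grandparent' -Members $toAdd    -WhatIf }
if ($children) { Remove-ADGroupMember -Identity 'Grandparent' -Members $children -WhatIf }
```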
DFSR sysvol replication issue Event 5008
Hi ,
I have 4 DCs, all 2012 R2, located as below.
HQ - AD1
HQ - AD2 (FSMO all roles)
Site 1 = AD3
Site 2 - AD4
I am having an issue with AD4, which is in site 2, with the group policy SYSVOL folder sync. We have around 36 GPOs and all the folders (SYSVOL policies) are available on the other DCs, but not on AD4. There is no issue with AD object sync.
AD replication works fine without any issue.
I can see Event ID 5008 for DFSR, and the dcdiag output of AD4 follows below.
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = AD4
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\AD4
Starting test: Connectivity
......................... AD4 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\AD4
Starting test: Advertising
......................... AD4 passed test Advertising
Starting test: FrsEvent
......................... AD4 passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... AD4 failed test DFSREvent
Starting test: SysVolCheck
......................... AD4 passed test SysVolCheck
Starting test: KccEvent
......................... AD4 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... AD4 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... AD4 passed test MachineAccount
Starting test: NCSecDesc
......................... AD4 passed test NCSecDesc
Starting test: NetLogons
......................... AD4 passed test NetLogons
Starting test: ObjectsReplicated
......................... AD4 passed test ObjectsReplicated
Starting test: Replications
......................... AD4 passed test Replications
Starting test: RidManager
......................... AD4 passed test RidManager
Starting test: Services
......................... AD4 passed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x00002720
Time Generated: 01/10/2020 18:30:00
Event String:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
An error event occurred. EventID: 0xC0001B77
Time Generated: 01/10/2020 18:30:07
Event String:
The VMware Tools service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
A warning event occurred. EventID: 0x00001796
Time Generated: 01/10/2020 18:31:00
Event String:
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
An error event occurred. EventID: 0x00002720
Time Generated: 01/10/2020 18:35:03
Event String:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
An error event occurred. EventID: 0xC0001B5E
Time Generated: 01/10/2020 18:36:02
Event String:
The ScRegSetValueExW call failed for FailureActions with the following error:
......................... AD4 failed test SystemLog
Starting test: VerifyReferences
......................... AD4 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : HCL
Starting test: CheckSDRefDom
......................... HCL passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... HCL passed test CrossRefValidation
Running enterprise tests on : Test.com
Starting test: LocatorCheck
......................... Test.com passed test LocatorCheck
Starting test: Intersite
......................... Test.com passed test Intersite
Conversion of Domain Controller from Evaluation version to licensed
I have a domain controller running on 2016 Datacenter Evaluation and only a few days of the evaluation license are left now.
I want to make it licensed, since the DC is critical (a production DC in a multi-domain environment).
I have searched some forums and found the command "DISM /online /Set-Edition:ServerEdition /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula" to make it licensed. However, it says conversion is not possible on domain controllers.
My question is: if I run the command, will it throw an error message and abort, or will it corrupt the AD database?
What will be the impact? I don't want to test by running the command since it is in production.
Any other solution to this problem would also be highly appreciated.
DNS IP Naming
Hi Guys,
We have a split opinion regarding the IP addressing of our domain controllers. Basically, I have always been taught (rightly or wrongly) that when completing entries in the network card, the option "Use the following DNS server addresses:" should always be populated with the domain controller that you are on. The alternate DNS server entry should be the domain controller that it directly replicates to. Is this the proper way to configure domain controller DNS entries?
Some admins seem to think that any DC in the domain could be entered in any of the entries. I am not so sure and need some guidance.
Regards and thanks for any help in this matter.
AD Trust Selective or Forest Wide Authentication
Hi Everyone
I have a question regarding AD Trust
We have a single forest with multiple domains which has an incoming trust with another domain.
The trust is set up like this:
* Forest Trust
* Domain-Wide Authentication
But as we do not want users from one of our child domains to be able to access resources in the other domain, I was wondering how this can be resolved.
First I thought of using selective authentication, but I guess this requires too much administrative work. Is there any way to still use domain-wide authentication and prevent access from the child domain?