Channel: Directory Services forum

Active Directory Domain: Changing FQDN ending?


Hi!

We currently have our domain with the ending .local, for example: "mycompany.local"

I, however, would like to change it to .org to match our Google domain, so they're both the same and it's easier for users to log in if they need to specify the domain.

If I were to change this (if I can), what things could it break? Is there a process of doing this to ensure it's a smooth transition?

Thank you! :)


Domain Controller 2012 r2 somehow setup with DFSR - Our system is still FRS


I recently demoted a 2019 Server as a DC, after a month because I did not realize it was not compatible with the FRS replication in SYSVOL.

I knew I had a replication error I needed to track down and fix before migrating our SYSVOL file system to DFSR. Well, that replication error was due to the fact that last year (Jan 2019), apparently when I stood up a Server 2012 R2 DC, somehow it defaulted to DFSR during its setup.

So, essentially I've been living with a SYSVOL that has not been replicating properly between 3 DCs for about a year. What do I need to do to revert this one DC to FRS, so I can start out with all 3 DCs replicating properly before the migration?

The DFS Management tool is active in Server Manager for this DC. There are no created namespaces, but under replication it shows C:\Windows\SYSVOL\domain for each of the 3 DCs.

Advice appreciated.

UPDATE: I may not completely know what I'm talking about here. When I open PowerShell on all 3 existing DCs as admin and type:

dfsrmig /getGlobalState, they all return "eliminated" succeeded. Does this in fact mean that the replication system is already indeed DFSR, and the problem is something else?


Raising Domain functional level from 2008R2 to 2016


Hi,

We've just finished with DC migration to new servers. Currently we have 2 Domain Controllers on Windows 2019, but we still have to raise the Domain and Forest functional level, which is on 2008 R2. Additionally, our Exchange server is on version:

Exchange Server 2013 Cumulative Update 23 (CU23)
15.0.1497.2

-I would like to know if we could face any issues if we raise the domain/forest functional level to 2016?

-Since we still have some 2008 and 2008 R2 servers, could raising the domain level cause any issues on those servers?

-Is it possible to do a rollback of a functional level on this version?

-If AD health is clean, is there anything else to be checked before the raise?

thank you in advance for your answer!

Prompt Login


Dear Team,

If the user logs into another system, it should prompt: "User already logged in on another system, please log out and re-login."

Please help me out

Thanks in Advance

Bhaskar

[VULNERABILITY ADVISORY] Microsoft Security Advisory ADV190023 Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing


Hi,

This is with regards to Microsoft Advisory:

[VULNERABILITY ADVISORY] Microsoft Security Advisory ADV190023 Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing

Does this mean implementing either signing for Windows clients and servers, or implementing LDAPS?

Applications using LDAP are mixed: Windows, Linux and other appliances.

Thanks!

Windows Firewall on Domain Controller


Hello All,

We have Windows Server 2016 Domain Controllers in our environment. Most of the Domain Controllers host a DHCP server. Currently we have disabled the Windows Firewall service and we are not using the firewall.

But we want to enable the Windows Firewall, so I would like to know what kind of services/ports need to be configured in the firewall rules to allow the DHCP service.


Thanks HA

Cannot join domain (netsetup.log not helpful?)


Hi

I have a strange problem with a Windows 2016 Server (workgroup) which cannot join the domain.

DCs are Windows Server 2016 running in VNet A in Azure.

These are 2 additional DCs. The Main DCs are on-premise.

The server is also a Windows Server 2016 in VNet A in Azure.

IPv4 settings are a fixed IP, with DNS settings pointing to the DCs in Azure.

When I try to join the domain (with the FQDN name, not the netbios name), I get immediately an error: cannot validate the name.

Looking into the netsetup.log file, there are ONLY 3 lines (for every unsuccessful try):

01/29/2020 16:47:06:320 NetpValidateName: checking to see if 'ABCDEF' is valid as type 1 name
01/29/2020 16:47:06:420 NetpCheckNetBiosNameNotInUse: for 'ABCDEF' returned: 0x858
01/29/2020 16:47:06:420 NetpCheckNetBiosNameNotInUse for 'ABCDEF' [MACHINE]  returned 0x858

I have also checked with Telnet that all the TCP ports needed for the domain join are open (all ok).

Now I have NO idea where I can search further. Any helpful ideas?

Best regards,

Lutz


DC - refuses administrator log on


History: I migrated a 2003 domain to 2012 R2 (2 DCs), now native. All was ok until my 1st reboot of the 2nd DC. It lost its ability to communicate with the domain. I've demoted/removed it and am now on 1 DC until I can do some more testing. DNS is now clean and dcdiag gives a clean bill. This has been running without issues for several weeks.

This AM I get a call and users cannot log into the terminal server.  I reboot it, but the problem persists.  I then try to log onto the DC.  I get a login error, the DC doesn't recognize administrator or the regular domain admin account I typically use.  I'm forced to do a power button shutdown and restart.  After restart I can log in and everything appears to be good.

A review of the event logs shows that at 4:30 PM yesterday the scheduled backup (Windows Backup) occurred successfully. Then shortly after 5 PM the system logs event 5823 (NETLOGON: The system successfully changed its password on the domain controller. This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password.).

Then nothing until ~2 1/2 hours later, when I start getting a bunch of event 4 (Kerberos KRB_AP_ERR_MODIFIED) and 1006 (Group Policy processing failed) errors every couple of minutes until I reboot.

Can anyone shed some light on what possibly happened?  Did the automatic change of the system password break AD because I only have 1 DC?


Strange LDAP behavior


Preparing for the LDAPS transition, I noticed some strange behavior that I can't explain. I used the ldp.exe tool to test these connections. I have successfully configured LDAPS on port 636 as well as continuing to allow the standard non-SSL connections over 389. Here's the weirdness: one of our domains allows the tree to be browsed without performing a bind after connecting. It only works if the connection is made over 636 (SSL), not if made over 389.

So to sum up, if I connect over 389 without ssl, then attempt to browse the tree, I get the expected:

"Error comment: In order to perform this operation a successful bind must be completed on the connection"

If I connect over 636 with SSL, I am able to add the tree and browse all nodes.

This is only happening in one of our domains, and it doesn't make any sense. There are no anonymous permissions delegated, but I can't see why that would even matter, since it only lets me browse when I'm connected via 636. Keep in mind I am not attempting a bind in either scenario. Thoughts?



Stop Automatically Generated NTDS


I have tried to manually set up a hub and spoke topology, but Automatically Generated connections keep appearing.

We have 2 DCs across 3 main sites, and then 2 DCs in 2 remote sites each.

5 buildings. 2 DCs each.

Trying to make the baseline DC the hub and make sure everything is syncing from there, as I am looking to reduce, restructure and replace with all 2019 servers.

Account Lockout


We have had several users call support saying that when they unlock their Windows 10 computers and enter 3 bad passwords, they will receive an account lock message but they are able to log in right away with the correct password. Support was able to recreate this issue on the Windows 10 machine. This behavior only occurs if the computer was locked and the bad passwords were entered at the Ctrl-Alt-Del unlock screen. This behavior could not be recreated on the Windows 7 machine.

Our policy is lockout after 3 bad passwords and unlock after 30 minutes.  We have 4 DCs. One domain.

Any suggestions on how to troubleshoot this? Thank you for your help.

No SYSVOL_DFSR on newly added Domain Controller


Dear Everyone!!

Please let me ask some questions related to SYSVOL DFSR on my domain.

Currently my company has 3 DCs. DC1 and DC2 are at the head office and DC3 is located at the DR office. We have set up a new DC4 at the DR office,

and I noticed that DC4 has no SYSVOL_DFSR. So what is the issue on my DC4?

Noted: 

currently we have separated the roles:

Schema master          DC-1.domain.com.kh
Domain naming master   DC-1.domain.com.kh
PDC                    DC-2.domian.com.kh
RID pool manager       DC-2.domian.com.kh
Infrastructure master  DC-2.domian.com.kh

Running application from Network share fails


Several users are experiencing problems running applications on network shares in the past few weeks.

One of the users is getting an error pop up: "The application was unable to start correctly (0xc0000006)". The others just see nothing happen at all when clicking on the application shortcut.

In all cases, two errors appear in the Application event log:

Event ID 1005

Windows cannot access the file for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program WinReport because of this error.

Program: WinReport

Additional Data
Error value: C00000C4
Disk type: 0

or

Windows cannot access the file for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program Sage 100 because of this error.

Program: Sage 100

With the same additional data.

Event ID 1000 shows the faulting application path:

Faulting application path: \\er-mas\apps\Sage\Sage 100 Advanced 2017\MAS90\Home\Pvxwin32.exe
Faulting module path: \\er-mas\apps\Sage\Sage 100 Advanced 2017\MAS90\Home\Pvxwin32.exe

Faulting application path: \\newera\common\winreport\WinReport.exe
Faulting module path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll

This is affecting applications on several application servers: er-mas is Server 2008 R2, and newera, er-files and hf-dc are 2012 R2.

This is affecting one user directly on their Windows 10 PC, and several users running these applications from Remote Desktop servers that are running Server 2016.

Also, the mapped drives show the following message if you manually go to the UNC path and try to run the application: "This file is in a location outside your local network", even though it's a mapped drive on a server internal to our LAN.

Migration of FRS to DFSR


Hello all,

I was after a bit of final advice on the following.

We were in the process of moving from FRS to DFSR, which we wanted to do before adding in 2016 DCs.

We have 2x 2008 R2 servers and 2x 2012 R2; all the health checks etc. passed.

My question is after following various guides I cannot find a concrete answer to the following.

We moved to the 'prepared' state a couple of months back, but due to unconnected things we put a hold on the move. Now that we want to finish off, I wanted to confirm what the next stage does.

FRS and DFSR have different files now, since new scripts, policies etc. have been created, deleted and edited since the initial move to the prepared state.

If we run the command on the PDC to go to the redirected state, does it copy all the modifications done in FRS since then to the outdated DFSR folder?

Or do we need to perform one of the following (based on articles I have come across):

mainly robocopy SYSVOL to get the latest files, or revert back to the start state and redo the prepared state?

Thanks for the help!

Active Directory: Object Visibility between OU's


I'm currently an intern at a company which uses a single Windows Server 2012 R2 DC. They make use of an Active Directory structure which includes both the employees of the company and external partners/clients that need an AD account in the domain.

The current situation is that we want to hide the partners/clients OU objects, such as users, from the employees, because we don't want the names of our partners/clients to be visible to every employee in the company. This means that employees can't find the specific partners/clients when they use the "net user /domain" or "net group /domain" command or search in File Explorer for these specific AD objects.

I've tackled the problem that you can't find users with "net user /domain" by denying "List Contents" for all the employees on the partners/clients OU in the advanced security settings. But this does not fix the problem when an employee searches for a specific Global Group with "net group <groupname> /domain". The partners/clients will still show as "Members" of that specific group.

My question is: Is there a way in the Windows AD Users and Computers to hide the partners/clients objects totally from the employees? This includes the "net" command and every other way of searching for AD objects in Windows clients.



LdapEnforceChannelBinding logging


Hi All,

With March 2020 quickly approaching, we want to set LdapEnforceChannelBinding to 1 on our domain controllers - so that we can hopefully log when clients that don't support channel binding connect to our domain controllers.

Do the domain controllers log when clients that don't support channel binding try to connect? We want to be able to report back to service owners if their software won't work when we set LdapEnforceChannelBinding to 2.

Are there logs? Do I have to enable them? Where do I look to find these logs?

Hopefully my question makes sense. Thanks very much!


Group policy & Sysvol


Good Morning all,

I was after a bit of advice on the following.

We have been doing major housekeeping of Group Policy and cleared down over 400 GPOs to around 100.

I have noticed, however, that the folders of these policies in sysvol\policies still exist. Some are a policy unique ID with blank contents; some have subfolders within their policy folder which are then blank.

My question is: for these old policies, which were deleted from the Group Policy Objects section a couple of weeks ago now, do they automatically clean up / correct themselves, or is there some long laborious task that needs to be performed to remove each one, so that only valid policies remain in SYSVOL?

Thanks


Why can't a user inside a group change the password on an object even though the group has password reset on that object?


Hello all,

My question says it all, but I will still use an example to explain.

I have a group named 'Group1' which has password reset on a user named "user1". Inside that group there is a user I control, named "attacker1". Now when I tried to change the password of "user1" it shows access denied. What am I missing here? What should I try?

Thanks and regards

Short mS-DS-ConsistencyGuid


Hi,

We are about to switch our O365 federated backend from "other" to AD. As we are already federating the domain via another solution, all users already have unique ImmutableIds, and this causes problems when we try to enable AD sync.

Are there any concerns to re-use the existing ImmutableIds in AD? The existing ids are a simple numeric sequence starting from 1000 and then + 1 for each user.

The migration path would be easier for us, as it would allow us to test other features before we fully switch the federation over to our AD FS.


Domain Controllers on different OS versions


Currently we have 3 Domain Controllers running our Active Directory. One is running Windows Server 2016 and two are running Windows Server 2012 R2. Our domain functional level is at 2012 R2 and we need to keep it at that for a while longer. We also just purchased two new domain controllers that we are ready to set up and add into our environment.

We need to get the two new ones up and running before I can upgrade the two that are running 2012 R2. Can I install Windows Server 2019 on the two new ones? Will it work to have domain controllers running 2012 R2, 2016, and 2019?
