Channel: Directory Services forum

Printing takes too long after joining the domain

Hi everyone,

After we created Active Directory and joined computers to the domain over the internet (VPN connection), printing on those computers from the POS application takes a very long time (about 15 min).

It looks like this app browses for printers before printing.
If that is right, is there any way to prevent it from looking for printers in AD, and if not, what could be causing this delay?


Restore Domain or Forest using the Windows Server Backup Program


Hi, I have a couple of generic questions; maybe someone can answer them to help clarify things for me.

We have a single domain and a single forest with three DCs.

I have full system state backups of the DCs, and I think I understand the procedure for restoring AD from the command line using WBAdmin and NTDSUTIL.

My question is about using the Windows Server Backup program to do a System State Recovery of AD. Is my assumption correct that you would use the Windows backup program to restore the System State and then still use NTDSUTIL to restore the subtree in the case of a domain? For example, restore subtree "DC=Contoso,DC=com" in order to restore the entire Contoso.com domain? This is after you set it to be authoritative, of course. All the Windows backup program does in the recovery process is replace the portion you would otherwise have had to do using WBAdmin.

Am I correct in that assumption, or not?

Thanks for any help.


Domain Controller 2012 R2 somehow set up with DFSR - our system is still FRS


I recently demoted a 2019 Server as a DC after a month, because I did not realize it was not compatible with FRS replication of SYSVOL.

I knew I had a replication error I needed to track down and fix before migrating our SYSVOL file system to DFSR. Well, that replication error was due to the fact that last year (Jan 2019), when I stood up a Server 2012 R2 DC, it apparently defaulted to DFSR during its setup.

So, essentially I've been living with a SYSVOL that has not been replicating properly between 3 DCs for about a year. What do I need to do to revert this one DC to FRS, so I can start out with all 3 DCs replicating properly before the migration?

The DFS Management tool is active in Server Manager for this DC. There are no created namespaces, but under replication it shows C:\Windows\SYSVOL\domain for each of the 3 DCs.

Advice appreciated.

UPDATE: I may not completely know what I'm talking about here. When I open PowerShell as admin on all 3 existing DCs and type:

dfsrmig /getGlobalState, they all return "eliminated" succeeded. Does this in fact mean that the replication system is already indeed DFSR, and the problem is something else?


DCDiag SRV Record Errors


I have a new DC that is failing dcdiag /test:dns /DnsRecordRegistration /s:dcp11. Running nslookup on each record below returns correct data from any device. DCP11 is a new DC and is the first Windows server in a new colo. We are moving colos. I am not sure where to go from here, as the records exist, they resolve, and I can physically see them. A few things I have noticed: dcdiag /test:dns /DnsRecordRegistration /s:dcp11 does not fail if I run the command on any other DC. My sites were all correct at one time, but a network engineer re-IPed our network and now all DHCP hands out 10.x.x.x/22. We have 70 different sites, so 10.2.x.x, 10.3.x.x, etc. As everything is in the colo, could this be the problem?

Sites and Subnets
Colo: 10.0.0.0/8, 192.168.0.0/20, 192.168.0.0/24, 192.168.32.0/24 - 192.168.254.0/24
Default-First-Site-Name: blank
Deployment: 10.0.252.0/23
MModal: 10.0.251.0/24

Warning: 
Missing CNAME record at DNS server 10.2.1.3: 
08f909c1-35d6-49bf-b303-7a937a589acf._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]

Warning: 
Missing A record at DNS server 10.2.1.3:
dcp11.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]

Error: 
Missing SRV record at DNS server 10.2.1.3:
_ldap._tcp.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]

Error: 
Missing SRV record at DNS server 10.2.1.3:
_ldap._tcp.805c9604-0df6-466f-a0a1-95fb37b02b52.domains._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]

Error: 
Missing SRV record at DNS server 10.2.1.3:
_kerberos._tcp.dc._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]

Error: 
Missing SRV record at DNS server 10.2.1.3:
_ldap._tcp.dc._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]

Error: 
Missing SRV record at DNS server 10.2.1.3:
_kerberos._tcp.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]

Error: 
Missing SRV record at DNS server 10.2.1.3:
_kerberos._udp.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]

Error: 
Missing SRV record at DNS server 10.2.1.3:
_kpasswd._tcp.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]

Error: 
Missing SRV record at DNS server 10.2.1.3:
_ldap._tcp.Default-First-Site-Name._sites.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]

Error: 
Missing SRV record at DNS server 10.2.1.3:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]

Error: 
Missing SRV record at DNS server 10.2.1.3:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]

Error: 
Missing SRV record at DNS server 10.2.1.3:
_kerberos._tcp.Default-First-Site-Name._sites.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]

Error: 
Missing SRV record at DNS server 10.2.1.3:
_ldap._tcp.gc._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]

Warning: 
Missing A record at DNS server 10.2.1.3:
gc._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]

Error: 
Missing SRV record at DNS server 10.2.1.3:
_gc._tcp.Default-First-Site-Name._sites.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]

Error: 
Missing SRV record at DNS server 10.2.1.3:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]

Error: Record registrations cannot be found for all the network
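Added here as an example, not part of the original post: a small Python parser for the dcdiag /test:dns /DnsRecordRegistration output quoted above, which groups the missing records by type and DNS server and collects the Win32 error codes (every record in the post carries 10054, WSAECONNRESET, rather than a DNS "name not found" code). The sample text is constructed from a subset of the records in the post.

```python
import re
from collections import Counter

# Constructed sample in the 4-line block format dcdiag prints for
# /test:dns /DnsRecordRegistration (a subset of the records in the post).
SAMPLE = """\
Warning:
Missing A record at DNS server 10.2.1.3:
dcp11.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]

Error:
Missing SRV record at DNS server 10.2.1.3:
_ldap._tcp.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]

Error:
Missing SRV record at DNS server 10.2.1.3:
_kerberos._tcp.dc._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]

Error: Record registrations cannot be found for all the network
"""

HEADER = re.compile(r"^Missing (?P<rtype>\w+) record at DNS server (?P<server>\S+):$")
DETAIL = re.compile(r"^\[Error details: (?P<code>\d+) \(Type: (?P<etype>\S+) - Description: (?P<desc>.*)\)\]$")


def parse_dcdiag_dns(text):
    """Return one dict per 'Missing ... record' block; other lines are ignored."""
    lines = [line.strip() for line in text.splitlines()]
    entries, i = [], 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        level = lines[i - 1].rstrip(":") if i >= 1 else ""
        if m and level in ("Warning", "Error") and i + 2 < len(lines):
            d = DETAIL.match(lines[i + 2])  # may be absent on truncated output
            entries.append({
                "level": level, "rtype": m["rtype"], "server": m["server"],
                "name": lines[i + 1],
                "code": int(d["code"]) if d else None,
                "desc": d["desc"] if d else "",
            })
            i += 3
        else:
            i += 1
    return entries


def summarize(entries):
    """Counts by record type, the DNS servers involved, distinct error codes, and Error-level names."""
    return {
        "by_type": dict(Counter(e["rtype"] for e in entries)),
        "servers": sorted({e["server"] for e in entries}),
        "codes": sorted({e["code"] for e in entries if e["code"] is not None}),
        "errors": [e["name"] for e in entries if e["level"] == "Error"],
    }
```

A single shared code across every record type points the investigation at reachability of the named DNS server from the DC running the test rather than at the individual records.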


Query Regarding AD Security Best Practices


I have to submit a report for one of my customers regarding AD security best practices, design principles and best architecture design in relation to forests, domains, trusts and functional levels.

Can anyone provide some links or documentation related to this, and what things to keep in mind while designing an AD in keeping with security best practices?

Thanks


Pallab Chakraborty

Disabling WSH and its impact on logon scripts


Hi Everyone,

Sorry if this is the wrong forum, but I have a question regarding disabling WSH (Windows Script Host) via GPO and the impact it would have on users that use logon scripts (.CMD/.BATCH only).

Long story short, we want to secure our environments against malware/ransomware/etc., and one of the recommendations we have is disabling WSH. We use zero VBA scripts anywhere, and the only .BATCH/.CMD files that we use are logon scripts as well as a few robocopy scripts that we run; everything else is PowerShell.

Before anyone says it, yes, we know we should be using GPOs to push folder access; however, we are in the process of converting our clients to do so.

Thanks for the help!

Understanding DNS root domains vs Active Directory parent/root domain

Hello,

I'm currently learning about the Active Directory infrastructure and the Domain Name System. As I'm reading, I understood the root domain of an Active Directory to be almost the base level of a web address. For example, in www.google.com, the root domain would be google.com, and sub-domains would be things like finance.google.com or sports.google.com. That made sense to me when I was trying to differentiate between child domains and parent domains, but then when I'm reading about DNS I get confused again. DNS dissects an address such as www.example.com and says that 'www' is the hostname, the full address is the FQDN, and the root domain is the final period or '.'. That seems to contradict what Active Directory taught me about root domains.

I'm also confused as to why Active Directory domains seem to be related to web addresses. Does this imply that every single web address is linked to an Active Directory? And when I try to get deep into the weeds as far as understanding the large-scale infrastructure of microsoft.com's or facebook.com's Active Directory, I get too confused to even know where to start. I would really appreciate some explanation of the difference between domains as referenced in DNS and in AD, and also clarification as to whether or not a web address and a corresponding Active Directory domain are related.

Stop Automatically Generated NTDS


I have tried to manually set up a hub-and-spoke topology, but automatically generated connections keep appearing.

We have 2 DCs across 3 main sites, and then 2 DCs in 2 remote sites each.

5 buildings. 2 DCs each.

Trying to make the baseline DC the hub and make sure everything is syncing from there, as we are looking to reduce, restructure and replace with all 2019 servers.


DNS name resolution slow


Problem: a Windows 2012 Server Hyper-V VM slowly develops a delay in name resolution, both internal and external. Example: if I ping office.com or the local DC, there is a delay of about 12 seconds before it responds. If I ping the IP address directly, the response is immediate. I first thought it was a DNS problem; however, nslookup resolves any request instantly. I also tried making hosts table entries, which are also delayed. Rebooting tends to resolve the issue, but the delay time slowly builds up to a point where Outlook will time out when connecting. This results in RDS users not being able to connect to the Office 365 Exchange server, impacting business.

The environment is a VM running on a Windows 2016 hypervisor with 4 onboard gigabit network ports teamed to a single dynamic network card.

Reducing AD tombstoneLifetime


Hi, if I reduce the AD tombstoneLifetime value, do the tombstone objects immediately get cleaned up, or do they still wait the default 180 days to be removed? Also, what is the process that cleans up the tombstone objects after the lifetime has expired?

Thanks


Alan Burchill (MVP)
http://www.grouppolicy.biz

@alanburchill

DSRM Password change

Hi,

I have 2 DCs, let's say dc1 and dc2.

I have set different Directory Services Restore Mode passwords for my 2 DCs. For security reasons I don't want to set the same DSRM password for my DCs.

I created 2 domain user accounts named according to the DC names, like dsrmdc1 and dsrmdc2.

Whenever I change the password for the above 2 DSRM domain accounts, I want the same password to be synchronized automatically to the "administrator" account.

I did some research on my query but was not able to achieve the goal.

Lots of articles floating around the internet tell you to configure a GPO to sync the password from a domain account to the administrator account; that is suitable when we have a single DSRM account scenario.

However, I am using an independent account on each DC.

Let's say the dsrm1 account password should sync with the dc1 administrator account.

Let's say the dsrm2 account password should sync with the dc2 administrator account.

How do I create a scheduled task according to my requirement?

Do I need to create an independent task in Task Scheduler? Please assist.




Need to purchase Exchange Server CALs if AD CALs exist?


Hi

I have a Windows Server with 50 user CALs and now want to add an Exchange Server 2016 to the same domain.

Do I need also to buy 50 Exchange Server CALs?

Are the 50 CALs for the AD server not enough?


KDC Error Messages when Rebooting Domain Controller


I'm getting some messages on my DCs, but it only seems to happen right after a reboot. My environment has two domain controllers, both running Windows Server 2019 Core. When I reboot either of the two servers, I often see the error messages shown below, which appear moments after the server comes back up.

What is causing these error messages to appear after DC reboots?

Both DCs have no other roles. Both DCs have about 23 GB of free space. The servers are using between 75% and 85% of memory (3 GB allocated). Small environment, fewer than 100 users. Both servers passed all DCDIAG.exe tests, with the exception of the syslog test, which references the errors in this post, as well as a DCOM message and the WinRM service not listening for WS-Management requests.

----------------------------------------------------

Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          1/27/2020 8:39:12 AM
Event ID:      7
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DCNAME2.domain.local
Description:
The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was 懀�嚎䍉㳛䫪 and lookup type 0x100.

----------------------------------------------------

Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          1/27/2020 8:39:12 AM
Event ID:      7
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DCNAME2.domain.local
Description:
The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was san and lookup type 0x0.


Rename Active Directory


Hi,

Can we rename a domain controller?

Prompt Login


Dear Team,

If the user logs in to another system, it should prompt "User already logged in on another system, please log out and re-login".

Please help me out.

Thanks in Advance

Bhaskar


BuiltIn Administrators groups in Domain Controller feature?


Hello, 

I have noticed there are other members in the BuiltIn Domain Administrator group on our domain controller besides Domain Admins and Enterprise Admins. Possibly they were added by a previous AD administrator. I just wonder how powerful the members of this group are. As far as I know, we shouldn't touch this group.

I have read a few articles about the differences between the builtin Administrators group and Domain Admins, and I can say members of the builtin Administrators group can be admins for servers and computers that have already joined the domain.

But one thing I'm not sure of: can a member of this group (BuiltIn Domain Administrator group in the domain controller) manage Domain Controller features like creating users, managing GPOs and adding DNS?

Thanks

DFSR not working Event_ID 6104


So I'm setting up a new AD server to replace an existing one, but having problems getting it to sync so I can turn the old server off.

Event viewer has:

The DFS Replication service failed to register the WMI providers. Replication is disabled until the problem is resolved. 
 
Additional Information: 
Error: 2147749889 (1001)

Please note I have already tried to mofcomp and regsvr32 the things in system32\wbem and this has not helped in any way; same exact error in Event Viewer.

Verification of outbound replication failed: unable to locate replication source domain controller


Currently our environment has 3 DCs:

the 1st (PDC) is Windows Server 2012 Standard (not R2),

the 2nd DC is Windows Server 2012 Standard (not R2), and

the 3rd DC is Windows Server 2008 R2 Standard.

We are planning to upgrade to Windows Server 2016 DCs, and as the first step I was trying to promote one to a domain controller, but was not successful.

When I tried to run the prerequisite check in dcpromo, promoting it as a domain controller from the PDC, the error said it was not able to find the PDC.

>>> verification of outbound replication failed unable to locate replication source domain controller <<<

But when I tried the prerequisite check with my 3rd DC (Windows Server 2008), the prerequisite check passed,
but I was not able to promote it from there because the 3rd 2008 server was not the PDC.

Wake On Lan through GPO


Hi

Is there a possibility to create a GPO to enable WOL for clients in the domain? I have an SCCM server configured in the domain, and there is a possibility through SCCM to enable WOL, but I want to know if the same can be done through GPO. Can anyone give me an opinion on this?


Roy

Restricting Account operator from enabling and disabling the user id.
