Channel: Directory Services forum

Wake On Lan through GPO


Hi

Is there a possibility to create a GPO to enable WOL for clients in the domain? I have an SCCM server configured in the domain and there is a possibility to enable WOL through SCCM, but I want to know if the same can be done through GPO. Can anyone give me an opinion on this?


Roy


Cross Forest password hash sync - AD Connect


Hi All,

Been scratching my head for a while on the below issue. I have a previously working AD Connect setup syncing users and passwords into my Azure tenant. All working fine. I'm now adding a second forest to sync users from this domain. Added fine into AD Connect and the users are syncing OK, however password hash sync is not working - receiving the below error in the event log:

Password hash synchronization failed for domain: xxxx.local, domain controller hostname: xxxx.local, domain controller IP address: 10.x.x.x. Details: 
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 1726 : The remote procedure call failed. There was an error calling _IDL_DRSGetNCChanges.

I've updated AD Connect to the latest version, and have full connectivity between the AD Connect server and the above DC. I've also tried a service restart (AD Connect) and reconfiguring the setup, however all is still the same: users sync fine but not the passwords. Has anyone seen this issue or have any recommendations to try?

Thanks

Group membership to local admins


Hi,

I have put this in AD as I am not sure where to put this question.

I have a strange one happening right now. If I add a user to either a Domain Local or Global group and add the group to the local Administrators group of a Server 2019, I cannot remote onto the machine using PowerShell. I can RDP onto the machine just fine though.

If I explicitly add the user to the local Administrators group of the Server 2019, then I can remote onto the machine using PowerShell.

Any ideas why this may be happening?

Demote additional domain controller 2008 without losing shared folders permissions


Hi All,

We have one extra secondary domain controller (2008), which is still active but which we are not using, so we want to demote that additional domain controller 2008 without losing shared folder permissions, because we have some shared folders on the same server and we don't want to lose the shared folder permissions. Will all permissions be removed if we demote the DC and rejoin the domain?

Regards,

Agha


Group Policy update on Domain Controller


I am trying to control the "Domain Admins" group using Restricted Groups settings in Group Policy. The GPO is linked to the Domain Controllers OU. Any user or group added to the Domain Admins group unattended will be removed, and only the groups mentioned in the GPO will be added.

I am aware that the GPO update on domain controllers happens every 5 minutes, but when I was testing the above scenario things did not happen as expected. The unattended users/groups are getting removed, but the time taken ranges from 17 minutes to 3 hours 23 minutes. Why is the removal not happening when the GPO is updated every 5 minutes?

Can some one help me understand more on this.

Total DCs : 17 
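An added PowerShell example, not from the original post, that reads the direct Domain Admins membership as seen by each DC and compares it with an approved list, so that both unexpected members and DCs that have not yet converged on the enforced membership are visible per DC. It assumes the ActiveDirectory module; the approved member names are placeholders.

```powershell
# Added example (not from the original post): per-DC view of Domain Admins membership.
# Restricted Groups writes the membership on whichever DC processes the GPO, and the
# other DCs only see the change after replication, so querying every DC shows where
# the lag is. Assumes the ActiveDirectory module; member names are placeholders.
Import-Module ActiveDirectory

$Approved = @('Administrator', 'Tier0-Admins')   # placeholder sAMAccountNames

function Get-DomainAdminsDrift {
    param([string[]]$ApprovedMembers)

    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    foreach ($dc in $dcs) {
        try {
            # Direct members only: that is the level Restricted Groups enforces.
            $members = Get-ADGroupMember -Identity 'Domain Admins' -Server $dc |
                       Select-Object -ExpandProperty SamAccountName
            $extra   = @($members | Where-Object { $_ -notin $ApprovedMembers })
            $missing = @($ApprovedMembers | Where-Object { $_ -notin $members })
            [pscustomobject]@{
                DC         = $dc
                Unexpected = ($extra -join ',')
                Missing    = ($missing -join ',')
                Converged  = ($extra.Count -eq 0 -and $missing.Count -eq 0)
            }
        } catch {
            # A DC that cannot be queried is reported rather than silently skipped.
            [pscustomobject]@{
                DC         = $dc
                Unexpected = "query failed: $($_.Exception.Message)"
                Missing    = ''
                Converged  = $false
            }
        }
    }
}

Get-DomainAdminsDrift -ApprovedMembers $Approved | Format-Table -AutoSize
```

Running this a few times during the window in which a test member is being removed shows whether the delay is in GPO processing (no DC has removed it yet) or in replication (some DCs have, others have not).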

GPO to disconnect inactive RDP sessions not working


I am trying to apply the computer-based setting "Set time limit for disconnected sessions". I have it applied to an OU with a few servers. On the servers, in RSOP, I see it's applied. I RDP to them, disconnect and wait for the time (testing with 10 min), and 20 min later I check and the session is not disconnected. Am I missing something?


Jason

Restricted Groups vs GPP Local Groups


I have a scenario for one of my clients: to manage the local Administrators groups on all servers. We have a Servers OU and inside we have separate OUs per application. We have a GPO configured with Restricted Groups settings to remove all existing members and add only the members mentioned in the Restricted Groups settings (using the Members option). Everything works fine here.

Now there is a requirement to add a custom group to all servers under the Servers OU with the group name <ServerName>-LocalAdmins. So I thought of using the GPP Local Groups option, created a GPO, linked it to a child OU under the Servers OU and specified wildcard characters to refer to the group name as %DomainName%\%ComputerName%_LocalAdmins in GPP Local Users and Groups. This didn't work. I even tried to add the group with the actual group name ServerName01_LocalAdmins, with no luck again.

I could only see the groups specified in the GPO linked to the Servers OU with the Restricted Groups settings.

Can someone help with why the GPP is not getting applied?

Is it possible to make a Group policy apply to all computers in OU except ones in a group?


Is it possible to make a Group Policy apply to all computers in an OU except the ones in a group? I am trying this with the delegation settings: allowing Read and Apply Group Policy to "Domain Computers" and denying it to a security group with specific PCs in it. The problem is it's applying to all of them, even the ones in the deny group.

Is this possible?


Jason


Domain Controller 2012 r2 somehow setup with DFSR - Our system is still FRS


I recently demoted a 2019 Server as a DC after a month, because I did not realize it was not compatible with FRS replication of SYSVOL.

I knew I had a replication error I needed to track down and fix before migrating our SYSVOL file system to DFSR. Well, that replication error was due to the fact that last year (Jan 2019), apparently when I stood up a Server 2012 R2 DC, it somehow defaulted to DFSR during its setup.

So, essentially I've been living with a SYSVOL that has not been replicating properly between 3 DCs for about a year. What do I need to do to revert this one DC to FRS, so I can start out with all 3 DCs replicating properly before the migration?

The DFS Management tool is active in Server Manager for this DC. There are no created namespaces, but under replication it shows C:\Windows\SYSVOL\domain for each of the 3 DCs.

Advice appreciated.

UPDATE: I may not completely know what I'm talking about here. When I open PowerShell on all 3 existing DCs as admin and type:

dfsrmig /getGlobalState, they all return "eliminated" succeeded. Does this in fact mean that the replication system is already indeed DFSR, and the problem is something else?


Re-Promote DC taken down a month ago


I have a Windows Server 2019 I stood up a couple of months ago as the newest DC in our AD infrastructure. I took it down because I mistakenly thought we were still using FRS for file replication. Now that my research is done, and because we are in fact using DFSR, I want to re-promote it. When I demoted this server, I never took it out of service completely, so there should be no problem with duplicate AD computer objects, etc.

I noticed though that even though the demotion was successful, and as far as I can tell all metadata in AD is clean, there still exists a SYSVOL folder, and who knows what else.

Should I / can I remove the SYSVOL folder (and anything else) prior to re-promoting this DC?

Are there any known problems with re-promoting a DC that never left AD?

Should I just delete this VM and create a new one with a new Hostname?

Thanks in advance for the advice

Windows 7 Lockout -- All Accounts Are Locked Out!?


Hi all, 

I'm having a terribly difficult problem to solve, trying to understand lockout issues with Windows 7 Ultimate. I have done a vast amount of research on the topic, but to no avail; none of the suggestions seem to apply.

The environment is a private network in which the computer in question does not join the domain. One issue is that users must vary authentication between domain services and local computer services -- i.e. if they want to map a network drive or connect to MS Exchange Server through Outlook, then they must authenticate with their DOMAIN account. If they want to install software they must authenticate with the LOCAL ADMIN account. There are several local accounts on the computer, including administrator accounts. This computer is not connected to the internet. It is regularly updated though with Microsoft and other application security patches. It is also significantly locked down from a security perspective. 

Users that experience the issue all SEEM to have one common denominator in that they are using the "Switch User" function to switch between various user accounts. This could be a factor of locking out one account and switching to the next, or could actually be part of the root problem.

The users report that "ALL ACCOUNTS HAVE BEEN LOCKED OUT". I did not even know such a state was possible unless you single-handedly went through each account and failed the password three times.

Is there a known issue in Windows 7 Ultimate that will trigger an account to be locked out because of switching users? Or anything that could lock out ALL accounts?

Please help; this problem does not seem to go away. It is the single greatest failure in the system right now.

"Cannot complete this function" error while trying to join a 2012 R2 server to a 2008 R2 server domain in Hyper-V


Dear All,

I need to migrate Active Directory from 2008 R2 Standard to 2012 R2 Standard in Hyper-V on a 2012 R2 Standard server.

I have created two virtual machines in Hyper-V and one new private virtual switch, and connected both virtual machines to that switch.

VM1-2008R2-IP: 192.168.2.2

VM2-2012R2-IP: 192.168.2.1

                    dns: 192.168.2.2

Both machines are pinging each other and they are on the same network.

Previously the 2008 R2 domain server was on a different network and its IP was 192.168.1.206. It was migrated from a 2003 server.

The 2008 R2 server is still working on a dedicated physical machine on the subnet of 192.168.1..... . I created the VHDX file of the server and run it on Hyper-V.

I have also created a new zone for the 192.168.2... network and also created a new pointer to 192.168.2.2 in the reverse lookup zones.

When I tried to join the 2012 R2 server which is installed on a physical machine to the existing domain on the network of 192.168.1..... it joined, but on Hyper-V with the different network it shows the error: "cannot complete this function".

Please help and suggest to me what I should do to resolve this error.

Can anyone help me on this?

DFSR SYSVOL folder not replicating


Hello all,

I have inherited a Server 2012 Essentials environment at a customer's, and I am currently trying to migrate to Server 2019 Standard. From all I read it should be a normal procedure except for leaving the FSMO roles up to the last minute. I checked that sysvol replication was on DFSR and then introduced the new DC. Regular AD replication is fine (repadmin reports all DCs up to date). However, sysvol was not being replicated and I went to check deeper.

SYSVOL looks complete, junction points are good, state of DFSRMIG is "eliminated" so DFSR should be used. Now the new DC is waiting for initial sync, and the old DC shows no errors, but it seems the sysvol folder is simply not a known replicated folder on that system.

As sysvol is basically healthy, I did a backup of the files and tried the steps in this article: 

https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo

It goes well up to the point where I should see event 4602 in the DFSR event log of the authoritative DC after doing the dfsrdiag pollad. Checking with

wmic /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state

on the old DC (of course after reverting the ADSI changes) I get "No instance(s) available". I found that this problem can occur when the DFSR database is corrupt after disk problems, but neither have I found any indication of this (there should be a warning 2213 or such in the event logs, but there isn't) nor am I able to "ResumeReplication" on any of the GUIDs I found in the DFSR config (in System Volume Information). I tried the folder GUID, the replication group GUID as well as the volume GUID, but each attempt only reports "no instances available".

Further checking the DFSR config files, it seems as though the replication group is known; I can also see it in the DFSR console. Running a health report there, I get a message which basically says the same as "no instances available", namely that the folder is not in a replicated state on the original DC.

Now I am faced with a decision to either try to repair the state of the original DC or (without being sure this is possible) force the new DC to just skip initial sync and let me seed the sysvol manually. So I have two questions and I really hope anyone can help me out here.

1. Is there any obvious solution I am missing in my attempt to repair the DFSR on the old DC?

2. Can I force the new DC to skip initial sync by making it authoritative? Then just copy the sysvol contents where they belong? Has anyone tried this on a completely new DC? I am wondering about the implications here and how to go about sharing the SYSVOL and NETLOGON as those are not shared right now, of course.

Thanks everyone in advance!

Claudia

How to prevent domain administrators from accessing workstations?


Hi,

We want to prevent domain administrators from connecting to workstations for security reasons.

How can we prevent domain administrators from accessing workstations?

Failed to push down GPO policy to specific OU.


Hi,

I have moved that computer to a new OU which needs to show the legal message, and I have created a GPO and enforced it. When I push down the GPO update, I receive the error message below:

"error code 8007071a. the remote procedure call was cancelled"

According to the URL http://jaredheinrichs.com/how-to-fix-8007071a-the-remote-procedure-call-was-cancelled.html I have allowed the related RPC services through the firewall as well.

Are there any other reasons which could cause the policy to fail to apply to that specific OU?

Regards,

Shiro


Member Server Logon Without DC


Recently I encountered a situation where I was unable to log onto 2012 R2 and 2016 member servers while the DC was shut down. I had to use the local Admin account.

I have never noticed this before. I always thought the domain credentials were cached.

Is this normal?

Thanks >> Joe

Disable computers/users older than 90 days and move them to an OU


Dear All,

I want the CNOs (computer objects) of workstations to be disabled if there has been no logon for 90 days, moved into a disabled-CNO OU, and kept there for 90 days before being deleted.

Could anyone help me on this?
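An added PowerShell example, not from the original post, implementing the two-stage lifecycle the question asks for: computers with no logon in 90 days are disabled, stamped with the date and moved to a holding OU, and objects that have sat in that OU for a further 90 days are deleted. It assumes the ActiveDirectory module and a holding OU whose distinguished name is a placeholder; it runs in report-only mode until $ReportOnly is set to $false.

```powershell
# Added example (not from the original post): stale computer account lifecycle.
# Assumes the ActiveDirectory module; the holding OU DN is a placeholder.
Import-Module ActiveDirectory

$StaleDays  = 90
$DisabledOU = 'OU=DisabledComputers,DC=example,DC=com'   # placeholder
$Cutoff     = (Get-Date).AddDays(-$StaleDays)
$ReportOnly = $true   # set to $false to actually disable, move and delete

# Stage 1: enabled computers with no logon since the cutoff. lastLogonTimestamp
# is replicated (accurate to roughly 14 days), which is fine for a 90-day rule.
# Objects created after the cutoff are skipped so a freshly joined machine that
# has not logged on yet is not swept up.
$stale = Get-ADComputer -Filter { Enabled -eq $true -and LastLogonTimeStamp -lt $Cutoff } `
             -Properties LastLogonTimeStamp, whenCreated |
         Where-Object { $_.whenCreated -lt $Cutoff }

foreach ($c in $stale) {
    $lastSeen = [DateTime]::FromFileTime($c.LastLogonTimeStamp)
    Write-Output ("Stale: {0} (last logon {1:yyyy-MM-dd})" -f $c.Name, $lastSeen)
    if (-not $ReportOnly) {
        # Record when and why it was disabled so stage 2 can use the stamp and
        # an admin can see the history without looking at the audit log.
        Set-ADComputer -Identity $c -Description ("Disabled {0:yyyy-MM-dd}; last logon {1:yyyy-MM-dd}" -f (Get-Date), $lastSeen)
        Disable-ADAccount -Identity $c
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $DisabledOU
    }
}

# Stage 2: disabled objects in the holding OU whose "Disabled" stamp is older than the cutoff.
Get-ADComputer -SearchBase $DisabledOU -Filter { Enabled -eq $false } -Properties Description |
    ForEach-Object {
        $m = [regex]::Match([string]$_.Description, '^Disabled (\d{4}-\d{2}-\d{2})')
        if (-not $m.Success) { return }   # no stamp: leave it for a human to review
        $disabledOn = [DateTime]::ParseExact($m.Groups[1].Value, 'yyyy-MM-dd', $null)
        if ($disabledOn -lt $Cutoff) {
            Write-Output ("Delete: {0} (disabled on {1:yyyy-MM-dd})" -f $_.Name, $disabledOn)
            if (-not $ReportOnly) { Remove-ADComputer -Identity $_ -Confirm:$false }
        }
    }
```

Run it first in report-only mode and review the output, since a computer that is only powered on rarely (for example a spare or a kiosk) will show as stale even though it is still wanted.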

Certification authority to secure mail


Hi,

I've installed a local (Windows Server) certification authority (CA) in my Active Directory. I've used the CA to grant a personal certificate to my users to encrypt and sign mail within my organisation. A certificate request is issued by the user, and the CA accepts it and delivers a personal certificate to the user. Then the user can configure Outlook to use the certificate.

It usually works, but the problem I have is that when the PC of the user dies and is replaced, I can't export the already issued certificate to the user. The user is forced to request a new certificate, which works with new emails, but older ones cannot be read, because they are encrypted with the old one.

Is there a way to recuperate the old certificate from the CA and reinstall it on the client PC?

Thanks

Luc

Webservice or API that will allow us to unlock the AD Account


Can someone from the Active Directory team tell us if there is a web service call that can be used by the Cisco Contact Center System to unlock an AD account? The vision is to allow employees to call into an IVR using a phone, answer a few questions, use those details to authenticate the user and then call the web service to unlock the employee's AD account. This will make unlocking an AD account automated using an IVR over the phone.

We are looking to develop the application in house, but just need the web service or API that will allow us to unlock the AD account. Not looking for a solution made by someone else.

Domain Owner server not booting but will boot safe mode when selecting Directory Services Restore Mode


Hello. We have an issue where our primary domain owner server started booting to a blue screen. The code is 0xc00002e2.

If we select DSR mode, it will boot to safe mode, but dcdiag shows all kinds of problems. Not exactly sure of the next best steps. Do I try and fix the problem, which I am having trouble figuring out exactly? Should we do a "role" seizure? ... Which I have never done, and I am a little nervous about what might happen. Is there a rebuild routine that might find/fix issues with AD?

Any assistance would be greatly appreciated...

thx !
