Channel: Directory Services forum

Best practice for this scenario - Windows server 2008 R2 Standard


Hello,

We still have one DC running on Windows Server 2008 R2 Standard, version 6.1. Since we already own Windows Data Center 2016 with SA, we are planning to upgrade the DC and set up a second DC in a Hyper-V virtual environment. Could you please let me know what would be the optimal approach to upgrading the 2008 DC and running the new VM as an ADC?

Your hints are very welcome and appreciated.

regards,

MZK


Kerberos and MIM

Hi


I am trying to make everything authenticate with AES256 in our domain(s).
However, one service account (used with MIM) still authenticates with RC4. The traffic is between two domains. Other traffic between the domains is AES256.
I have run
ksetup /setenctypeattr <trustingdomain> RC4-HMAC-MD5 AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96
on both domains and verified OK in ADSI Edit. It also made almost everything use AES256 encryption.


Also checked the service account and ticked:
"This account supports Kerberos AES 128 bit encryption"
"This account supports Kerberos AES 256 bit encryption"
and restarted the service on the MIM server. But it still authenticates with RC4.


I checked the domain controllers and found in secpol.msc:
Network security: Configure encryption types allowed for Kerberos
I then removed RC4, but then the MIM server started complaining with this event:


An unexpected error has occurred during a password set operation. 
 "BAIL: MMS(7848): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
BAIL: MMS(7848): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
BAIL: MMS(7848): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
ERR_: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMADoNormalization', 0x2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveUserDelete', 0x2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveComputerDelete', 0x2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(7848): admaexport.cpp(4207): The Kerberos change operation failed: 0xc00002fd
ERR_: MMS(7848): ..\ma.cpp(8531): ExportPasswordSet failed with 0x80004005
Forefront Identity Manager 4.4.1302.0"




So I guess I can't force it that way.


The service account is from 2009 and has a service principal name made with the "setspn" command.
Microsoft Identity Manager Password Change Notification Service (PCNS) is installed on the domain controllers and PCNSCFG commands have been used with the account.


Domain Functional level/Forest functional level on both domains: above 2008
Forefront Identity Manager version: 4.4.1302.0
Microsoft Identity Manager Password Change Notification Service Version: 4.3.1935.0


Just thinking of stuff that might be related.


Any thoughts?
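An added example, not part of the forum post above, that models the encryption-type negotiation the post is wrestling with. It decodes the msDS-SupportedEncryptionTypes bitmask (the attribute the "This account supports Kerberos AES ..." check boxes and ksetup /setenctypeattr write) and picks the ticket encryption type the way a KDC does: the strongest type that the account advertises, that the account actually holds a long-term key for, and that KDC policy allows. The key-availability input is the part the check boxes do not cover: AES keys for an account exist only if its password was set while AES was supported, so an account whose password predates that keeps falling back to RC4, and removing RC4 from policy then leaves an empty intersection, which is the failure class behind the 0xc00002fd (STATUS_KDC_UNKNOWN_ETYPE) line in the MIM log. The bit values are the documented ones; the sample account and policy values are constructed.

```python
# Added example (not the forum poster's code): Kerberos encryption type
# negotiation as driven by msDS-SupportedEncryptionTypes.

# Documented bit values of the msDS-SupportedEncryptionTypes attribute.
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC-MD5",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}

# Strongest first; the KDC picks the strongest type common to all parties.
PREFERENCE = [
    "AES256-CTS-HMAC-SHA1-96",
    "AES128-CTS-HMAC-SHA1-96",
    "RC4-HMAC-MD5",
    "DES-CBC-MD5",
    "DES-CBC-CRC",
]


def decode_enctypes(value):
    """Return the set of type names enabled in an msDS-SupportedEncryptionTypes
    value. An absent attribute (None) is modelled here as RC4-only, the
    effective legacy behaviour for accounts created before AES was enabled
    (simplifying assumption for this example)."""
    if value is None:
        return {"RC4-HMAC-MD5"}
    return {name for bit, name in ENCTYPE_BITS.items() if value & bit}


def encode_enctypes(names):
    """Inverse of decode_enctypes: build the attribute value from type names."""
    value = 0
    for bit, name in ENCTYPE_BITS.items():
        if name in names:
            value |= bit
    return value


def negotiate(*advertised):
    """Strongest type present in every participant's set, or None when the
    sets do not overlap (the KDC then returns KDC_ERR_ETYPE_NOSUPP)."""
    common = set.intersection(*(set(s) for s in advertised))
    for name in PREFERENCE:
        if name in common:
            return name
    return None


def pick_service_ticket_etype(account_value, account_keys, kdc_policy):
    """Model of the KDC's choice for a service ticket.

    account_value: the account's msDS-SupportedEncryptionTypes (or None)
    account_keys:  types for which the account has a long-term key, i.e.
                   what was derived when its password was last set
    kdc_policy:    types allowed by 'Network security: Configure encryption
                   types allowed for Kerberos' on the DC
    """
    return negotiate(decode_enctypes(account_value), account_keys, kdc_policy)


def explain_rc4(account_value, account_keys, kdc_policy):
    """One-line diagnosis of why a service ticket ends up as RC4 or fails."""
    chosen = pick_service_ticket_etype(account_value, account_keys, kdc_policy)
    advertised = decode_enctypes(account_value)
    if chosen is None:
        return "no common encryption type: request would fail at the KDC"
    if chosen == "RC4-HMAC-MD5" and "AES256-CTS-HMAC-SHA1-96" in advertised:
        if "AES256-CTS-HMAC-SHA1-96" not in account_keys:
            return "RC4 chosen: AES advertised but no AES key on the account (password never reset after enabling AES)"
        return "RC4 chosen: AES advertised and keyed, but KDC policy excludes AES"
    return f"{chosen} chosen"


if __name__ == "__main__":
    # Constructed scenario: boxes ticked (0x1C), password still RC4-keyed.
    policy_all = {"RC4-HMAC-MD5", "AES128-CTS-HMAC-SHA1-96", "AES256-CTS-HMAC-SHA1-96"}
    policy_aes = {"AES128-CTS-HMAC-SHA1-96", "AES256-CTS-HMAC-SHA1-96"}
    print(explain_rc4(0x1C, {"RC4-HMAC-MD5"}, policy_all))
    print(explain_rc4(0x1C, {"RC4-HMAC-MD5"}, policy_aes))
    print(explain_rc4(0x1C, {"RC4-HMAC-MD5", "AES256-CTS-HMAC-SHA1-96"}, policy_aes))
```

The useful check for an account like the one in the post is the middle case: ticking the AES boxes only changes what the account advertises, and the model returns RC4 until AES keys exist, then fails outright once policy drops RC4. Resetting the account's password (after AES is advertised) is what populates the AES keys, and only then does dropping RC4 from policy leave a non-empty intersection.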

Lsass.exe crash during IADsUser->ChangePassword() (faulty module: msv1_0.DLL)


Hi,

When I try to change a network user's password using ADSI's IADsUser->ChangePassword(), the server machine where my application is running is getting rebooted.

  • Error code during IADsUser->ChangePassword(): ERROR_CODE=800706ba: The RPC server is unavailable.
  • RPC-related services are working properly on the domain controller. Also, I haven't made changes to the RPC service or ports.

A few event log entries related to the incident before the restart:

  • Event ID: 5000, Error, LSA(LsaSrv) - (system log) - The security package MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 generated an exception.
  • Event ID: 1074, Info, User32(source) - (system log) - The process winint.exe has initiated the restart of computer on behalf of user for the following reason. Reason code : 0x50006, Comment: The System process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code 255. 
  • Event ID: 1000, Error - (application log) - Faulty application name: lsass.exe(c:\Windows\system32\), version: 6.2.9200.20521; Faulty module name : msv1_0.DLL(c:\Windows\system32\), version: 6.2.9200.22978; Exception code: 0xc0000005

The log messages were obtained when trying this on a Windows Server 2012 machine.

Any help would be appreciated as it seems a critical issue due to the reboot of the server machine.

LDAP issue after hardening both Domain Controllers


Hi team,

Recently I was asked to apply some GPOs to both Domain Controllers in order to improve security. I applied them, and after restarting both Domain Controllers the LDAP protocol stopped working as we expected.

LDAP works if a Microsoft server sends the query, but if we try to use LDAP from Linux it doesn't work.

Running Wireshark on one of the DCs, I got the following messages:



LdapErr is the following:

LDAPMessage searchResDone(182) operationsError (000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580) [0 results]
    messageID: 182
    protocolOp: searchResDone (5)
    [Response To: 7]
    [Time: 0.000252000 seconds]

I already rolled back the following GPOs for the DCs, and this is how they are now:

Network security: LDAP client signing requirements - None
Domain controller: LDAP server signing requirements - None
Domain member: Digitally encrypt secure channel data (when possible) - Enabled
Domain member: Digitally sign secure channel data (when possible) - Enabled


What else can be causing this LDAP behaviour?

Thanks in advance,

Will

Unable to modify the wellKnownObjects attribute when changing default computer target OU


Hello, I'm preparing for the 70-640 exam. In attempting to redirect the default domain computer OU, I entered the command redircmp "CN=CLIENTS,DC=contoso,CD=com". I get the error "Unable to modify the wellKnownObjects attribute. Verify that the domain functional level of the domain is at least Windows Server 2003."

I have verified that the forest and domain functional level are 2008 R2.

I cannot find any suggestions in any threads other than clearing the "Protect object from accidental deletion" check box in the Object tab of the advanced-view properties of the target OU (this does not fix the error in my case). Any other suggestions?

Upgrade Domain Controller


Hi!

What is the simplest way to upgrade a Microsoft Domain Controller from 2008R2 to 2019 version?

Should I migrate from version to version (ex: from 2008 to 2012, then from 2012 to 2016 and so on) or can I upgrade directly to the latest version?

Are DNS and DHCP services running on the same DC server impacted during this upgrade procedure? Should they also undergo a specific procedure during this upgrade?

tks!

Bruno


Kerberos Pre-Authentication Failed ID 4771 (code: 0xE)


Hello,

I would like to seek assistance on how to track down the service or application that is causing this failed event. I am seeing a lot of this error from multiple machines, so I am expecting that all are coming from the same service, but I have no idea how to locate the exact service or application.

Failure Code is 0xE, Pre-Authentication Type: 0

Kerberos pre-authentication failed.

Account Information:
Security ID: Corporate\service_account

Service Information:
Service: krbtgt\Corporate

Network Information:
Client Address: ::ffff:10.125.**.**
Client Port: 64679

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0xE
Pre-Authentication Type: 0

Thank you in advance

Duplicate Computer objects created automatically


Hi team,

I created a computer object in the SQL OU of a particular domain, but after joining the Windows 2016 server to the domain, I am seeing 2 computer objects for the same server in the Computers OU and one in the SQL OU of that domain.

May I know the reason behind this? I don't have rights to delete the created objects; what is the procedure to delete the duplicate object found in the Computers OU without disturbing the domain-joined server?

Appreciate any help in this regard!


Thanks & regards, S. Swaminathan. Live & let others live!!!



The server with this IP address is not authoritative for the required zone?


Hi team,

I created two forests with 1 DC in each. I checked that the reverse lookup zone is created. The issue I'm facing is with conditional forwarders: on entering the IP address, I'm getting "The server with this IP address is not authoritative for the required zone". The other point is that once the forwarder is created and I open the conditional forwarder and edit the record, it works fine. So I'm confused why it's throwing this error; am I missing some configuration?

I am using ADFS 3.0 with WID database and i want to know backup and restore process on new hardware


Hi Support,

I am using ADFS 3.0 with a WID database, and now I want to plan to move ADFS to new hardware.

Can you share the best option and help me with the backup and restore process?

HA of DC


Good morning,

I have two machines that I plan to put in a Hyper-V cluster. Since it is a small lab environment, one of the machines hosts a virtualised domain controller (the only one). Is it feasible to make the domain controller highly available? If the one machine goes down (during an update or hardware change), the DC would automatically move to the other machine. I know that it is easier to install a second DC, but in the future I would like to implement it with other VMs.

20 Thousand Logon Audit Failures on a 6 User Network - All coming from Different Workstations


Yep. It is making me nuts. 

And no matter which anti-malware solution I try to use, I can find nothing. 

I have login audit failures for user A coming from workstation C and user C coming from workstation F and user B coming from workstation E - you get the idea. 

I have the Account Lockout Tool from Microsoft, as well as from ManageEngine and one from Netwrix too. And they all show the same things. 

If we shut down Workstation C, then the same things just move to Workstation B, A, E, and F and so on. I have firewalled off the authentication and SMB ports, shut down services, closed programs, removed old user accounts, removed Windows Credentials, and on and on and on for several days and I am at a total loss. I am ready to wipe the server and all of the machines. I have spent so much time trying to figure this one out it would have taken me less time to recreate the AD network anyway. 

Any thoughts or ideas would be greatly appreciated. 

Thanks


Christian Wentz President Network-iQ
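An added example, not code from either poster, covering the triage both the "Kerberos Pre-Authentication Failed ID 4771" post and the "20 Thousand Logon Audit Failures" post are asking for: given the message text of 4771 events (what the Message property of Get-WinEvent returns for the Security log), parse the key/value fields, decode the failure code and the ticket-options bitmask, and count failures per account and client address so that the workstation generating the noise for each account stands out. The failure codes and KDC option bits are the RFC 4120 values; the event bodies below are constructed, not taken from the posts.

```python
# Added example: triage of Kerberos 4771 (pre-authentication failed) events
# by account and source host. Sample events are constructed for this example.
import re
from collections import Counter, defaultdict

# RFC 4120 KDC error codes that appear as 4771 "Failure Code".
FAILURE_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",   # account does not exist
    0x0C: "KDC_ERR_POLICY",                # logon hours / workstation restriction
    0x0E: "KDC_ERR_ETYPE_NOSUPP",          # no mutually supported encryption type
    0x12: "KDC_ERR_CLIENT_REVOKED",        # disabled, expired or locked out
    0x17: "KDC_ERR_KEY_EXPIRED",           # password expired
    0x18: "KDC_ERR_PREAUTH_FAILED",        # wrong password
    0x25: "KRB_AP_ERR_SKEW",               # clock skew too great
}

# KDCOptions flag bits (bit n of a 32-bit big-endian bitstring).
KDC_OPTIONS = {
    0x40000000: "forwardable",
    0x10000000: "proxiable",
    0x00800000: "renewable",
    0x00010000: "canonicalize",
    0x00000010: "renewable-ok",
    0x00000002: "renew",
}

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z -]*):\s*(.*)$")

# Constructed 4771 message bodies separated by '---' (not real event data).
SAMPLE_EVENTS = """
Kerberos pre-authentication failed.
Security ID: CORP\\svc_backup
Service Name: krbtgt/CORP
Client Address: ::ffff:10.125.7.21
Client Port: 64679
Ticket Options: 0x40810010
Failure Code: 0xE
Pre-Authentication Type: 0
---
Kerberos pre-authentication failed.
Security ID: CORP\\svc_backup
Service Name: krbtgt/CORP
Client Address: ::ffff:10.125.7.21
Client Port: 64702
Ticket Options: 0x40810010
Failure Code: 0xE
Pre-Authentication Type: 0
---
Kerberos pre-authentication failed.
Security ID: CORP\\alice
Service Name: krbtgt/CORP
Client Address: ::ffff:10.125.9.5
Client Port: 51111
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
---
Kerberos pre-authentication failed.
Security ID: CORP\\svc_backup
Service Name: krbtgt/CORP
Client Address: ::ffff:10.125.7.30
Client Port: 60020
Ticket Options: 0x40810010
Failure Code: 0xE
Pre-Authentication Type: 0
"""


def decode_failure(code):
    return FAILURE_CODES.get(code, f"unknown(0x{code:X})")


def decode_ticket_options(value):
    """Names of the KDCOptions flags set, most significant bit first."""
    return [name for bit, name in sorted(KDC_OPTIONS.items(), reverse=True) if value & bit]


def strip_v4mapped(addr):
    """4771 reports IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    return addr[len("::ffff:"):] if addr.startswith("::ffff:") else addr


def parse_events(text):
    """Turn '---'-separated 4771 message bodies into dicts of typed fields."""
    records = []
    for chunk in text.split("---"):
        fields = {}
        for line in chunk.strip().splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Security ID" not in fields:
            continue  # not a parsable event body
        records.append({
            "account": fields["Security ID"],
            "client": strip_v4mapped(fields.get("Client Address", "")),
            "failure": int(fields.get("Failure Code", "0x0"), 16),
            "preauth_type": int(fields.get("Pre-Authentication Type", "0")),
            "options": int(fields.get("Ticket Options", "0x0"), 16),
        })
    return records


def summarize(records):
    """Failure counts per (account, client, failure name), noisiest first.
    The top client for each account is the host whose services, scheduled
    tasks, mapped drives and stored credentials should be reviewed."""
    counts = Counter((r["account"], r["client"], decode_failure(r["failure"])) for r in records)
    return counts.most_common()


def top_client_per_account(records):
    """Map each account to the client address producing most of its failures."""
    per_account = defaultdict(Counter)
    for r in records:
        per_account[r["account"]][r["client"]] += 1
    return {acct: clients.most_common(1)[0][0] for acct, clients in per_account.items()}


if __name__ == "__main__":
    recs = parse_events(SAMPLE_EVENTS)
    for (account, client, failure), n in summarize(recs):
        print(f"{n:4d}  {account:20s} {client:15s} {failure}")
    print(top_client_per_account(recs))
    print(decode_ticket_options(0x40810010))
```

Both symptoms in the posts map onto the output: a 0xE (KDC_ERR_ETYPE_NOSUPP) run from a service account with pre-authentication type 0 points at a client on the top host requesting an encryption type the account or KDC no longer supports, while 0x18 repeats from a user account point at a stored or cached credential on that host. The same aggregation applied to 4625 or 4776 events (with the workstation name field in place of the client address) gives the per-account source map the second post is missing.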

Unable to connect to domain

I just recently created an AD DS and I can't seem to join from another computer on my network. I believe it to be a DNS issue because I'm not able to ping the domain, but I can't seem to figure out what it is.

migrating sbs 2011 fsmo roles to new win2019 server


hello,

Little help. New Windows 2019 server, old SBS 2011. Joined the domain, started the process to complete domain setup, raised the level from 2003 to 2008. Both servers are now DCs, but the 2019 server lists the Domain Masters as ERROR.

Event log: Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

I traced one issue to an old/deleted account with inherited permissions; that's been removed. I'm unable to trace/find the others.

I've followed these steps. 

2. Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:
   a. Start -> Run -> RSoP.msc
   b. Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
   c. For each User Right or Restricted Group with a red X, the corresponding GPO that contains the problem policy is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

ac

Multiple CAs - Autoenrollment on network level


Hi,

We have multiple CAs in various sites. If a client or user requests a certificate, which CA will be addressed first? Which aspects does it depend on, or how can it be controlled which CA is used for autoenrollment?

We have some cases where the client/user of site A receives a certificate from a CA on site B, and not site A for example.


Event ID 1005 - ADWS on domain controller 2016.


Hi,

I am getting Event ID 1005 - ADWS on domain controller 2016.

Detail :

Active Directory Web Services could not change its advertising state. The Netlogon service might not be running. Restart Netlogon and then restart Active Directory Web Services.

Desired state: True

Please help me solve this problem.

Thanks and best regards.

NETDOM TRUST error


Hi,

I am working on an Active Directory Risk Assessment program; one of the recommendations is "Disable cross forest TGT delegation".

Here is the explanation provided by MS

Cross forest TGT delegation is currently allowed for one or more forest trusts. When full delegation is enabled for Kerberos on a server, the server can use the delegated ticket-granting ticket (TGT) to connect as the user to any server, including those across a one way trust. In Windows Server 2012, a trust across forests can be configured to enforce the security boundary by disallowing forwarding TGTs to enter other forests.

I entered the command below and received the error message. Please assist.

I logged in as domain Administrator.

netdom trust AD.COM /domain:ABC.net /enabletgtdelegation:no
Access is denied.

The command failed to complete successfully.

sysvol and netlogon report


Hi,

I have 10 DCs located in multiple geographical regions.

I want to generate a report on SYSVOL and NETLOGON that includes share and NTFS permissions.

This report should cover all domain controllers.

Could someone provide a script for me to generate it?

LastLogonTimeStamp and PingFederate SSO


There is so much information on Lastlogontimestamp but I still cannot find a definitive answer to this.

We have PingFederate SSO running to authenticate users. Ping is configured to authenticate with AD for SSO.

When a user authenticates with Ping (or any other LDAP or SSO application), does this update lastLogonTimestamp?

I know there is an algorithm for this attribute, but my real point is: when a user DOES NOT do an interactive login and is authenticated via an LDAP-enabled application like Ping SSO, would that trigger an update to lastLogon or lastLogonTimestamp?

Thanks

C


-C-

Prevent the laptop from connecting to non domain resources when off network


We have single forest/single domain environment. We identified an issue that a domain joined laptop can connect to a home printer. We are looking for a way to prevent the laptop from connecting to non domain resources when it is off network. What are our options?
