Channel: Directory Services forum

ADUC Error


Hi,

We are frequently having problems opening ADUC on our Windows 2012 Datacenter primary domain controller and getting the error below. The only way we can get it back is by restarting the server. The second DC, which is Windows 2012 Std R2, is working fine.

Any solution to this problem? We tried many things for troubleshooting but nothing worked.


Delegate permission to modify UPN


Hello all

Please let us know how to delegate permission for a user to modify the UPN of user objects in an OU.

regards

Aamir


NA

How to find out which users are going to be disabled and how to send out a request for approval to extend to manager?


I'm new to this, so bear with me please...

We have contractors that have access to, well, everything until their contract ends. What I need to do is a bullet list of things, and if I can find a way to do it, it would be greatly appreciated.

  1. Search for users that are going to lose access within two weeks.
  2. Send a request to the reporting manager asking if the user's contract is to be extended.
  3. Send the manager's response to an email address which will be checked by us.

Is this possible using the Active Directory Admin Center? 
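The three steps above as one PowerShell script, added here as an example (it is not code from the post): Search-ADAccount finds accounts whose expiry falls within 14 days, each user's AD manager is e-mailed, and Reply-To is set to a team mailbox so the manager's answer lands where the team checks it. The SMTP relay, sender and mailbox addresses are placeholders.

```powershell
# Added example, not code from the post. Assumes the ActiveDirectory module,
# an SMTP relay reachable from this host, and that each contractor's AD
# 'manager' attribute is populated. Addresses below are placeholders.
Import-Module ActiveDirectory

$SmtpServer       = 'smtp.example.internal'         # placeholder
$FromAddress      = 'iam-automation@example.com'    # placeholder
$ApprovalsMailbox = 'access-approvals@example.com'  # placeholder (step 3)
$WindowDays       = 14

# Step 1: accounts whose accountExpires falls within the next 14 days.
$expiring = Search-ADAccount -AccountExpiring -TimeSpan ([TimeSpan]::FromDays($WindowDays)) -UsersOnly |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties AccountExpirationDate, Manager, DisplayName }

foreach ($user in $expiring) {
    if (-not $user.Manager) {
        Write-Warning "$($user.SamAccountName): no manager set; needs manual routing to $ApprovalsMailbox"
        continue
    }
    $manager = Get-ADUser -Identity $user.Manager -Properties EmailAddress, DisplayName
    if (-not $manager.EmailAddress) {
        Write-Warning "$($user.SamAccountName): manager $($manager.SamAccountName) has no mail address"
        continue
    }

    # Step 2: ask the manager. Step 3: Reply-To is the approvals mailbox, so a plain
    # reply goes to the team rather than back to the automation sender.
    $expires = $user.AccountExpirationDate.ToString('yyyy-MM-dd')
    $msg = New-Object System.Net.Mail.MailMessage
    $msg.From = New-Object System.Net.Mail.MailAddress($FromAddress)
    $msg.To.Add($manager.EmailAddress)
    $msg.ReplyToList.Add($ApprovalsMailbox)
    $msg.Subject = "Contract extension needed? $($user.DisplayName) expires $expires"
    $msg.Body = @"
Hello $($manager.DisplayName),

The account $($user.SamAccountName) ($($user.DisplayName)) expires on $expires.
Reply to this message with EXTEND <new date> or DO NOT EXTEND.
Unanswered requests are not extended.
"@

    $smtp = New-Object System.Net.Mail.SmtpClient($SmtpServer)
    $smtp.Send($msg)
    $msg.Dispose()
    Write-Host "Sent extension request for $($user.SamAccountName) to $($manager.EmailAddress)"
}
```

Accounts without a manager or whose manager has no mail address are reported rather than silently skipped, since those are the ones that would otherwise slip through the review.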


Limit users who query AD ldap


Hi,

How do I prevent ordinary users from querying LDAP? We have an application for which we have one account used by the application to connect to AD LDAP. What we have noticed is that ordinary users can also run queries against LDAP. Can we apply delegation so that ordinary users cannot query? If so, what would the permissions be? If we apply these permissions, will it prevent them from logging in to the domain controller or using some other services?

Thanks,

Janus

Account Lockout Policy


Current settings :-

Account Lockout Duration - 0 minutes
Account Lockout Threshold - 5 invalid login attempts
Reset account lockout counter after - 60 minutes

I understand with above settings the user will never get unlocked automatically but admins will have to unlock the account.

I'm just confused with the below statement from Reset account lockout counter after settings:-

"If Account lockout threshold is set to a number greater than zero, this reset time must be less than or equal to the value of Account lockout duration"

As you see, the reset time (60 minutes) in my settings is not less than or equal to the value of account lockout duration (0 minutes). Is that wrong, or what will be the impact?

Thanks



migrate from 2008


hi guys,

Is it feasible to install Active Directory 2016 in an organization running Active Directory 2003 and 2008?

I am planning to migrate to 2016.

many thanks

Servers are not getting authenticated with their Gateway servers through Kerberos.


Hi ,

We recently faced an issue where some of the servers are not getting authenticated with their Gateway servers through Kerberos. So we received a few alerts for heartbeat failure. When we checked the status of the servers, they were pingable and we were able to RDP.

We tried restarting the Microsoft Monitoring Agent (MMA) service, but the alert is still not getting cleared from SCOM.

Here the environment is parent and child. For example: AAA.local is the parent domain and bbbb.AAA.local is the child domain.

Servers in the child domain have alerted as unable to authenticate to the Gateway server in the parent domain through Kerberos.

We are asked by the client to check Kerberos authentication between the parent and child domain.

Following are the troubleshooting steps we performed:

1> We checked the trust between the parent and child domain; it is getting validated. No errors.

2> We checked the PDC emulator of the child domain; it is showing no errors.

3> We checked a few servers which alerted and no event was found for the same at the time when the alert got generated.

Looking for some advice/suggestions in this case. Please assist.

Virtual smart card


Hi,

Is there any way of using a virtual smart card when logging in with RDP besides doing that with a TPM?

I have some flashback of some tool that could simulate a smart card when logging in with RDP.

Regards,


Delegate Permission to user in Specific organisational unit in Active Directory 2012


Hello Dears,

We have to delegate permission to a specific IT support account in a specific organizational unit, which belongs to all the IT support team, to enable and disable their accounts. I did all the steps for delegation of control in the IT support OU but it is not working, because all the IT members are members of another security account to have permission to join computers to the domain.

Kindly, any solution is appreciated.

Active Directory User Reports

I would like to generate reports for AD users on criteria like newly created, deleted and modified users, and enabled, disabled and inactive users. I want to generate these reports for the past 30 days only. Is there any script or reporting tool available for this purpose?
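An added PowerShell example (not from the post) that produces the six reports asked for above over a 30-day window and writes one CSV each. It assumes the ActiveDirectory module and a writable output folder (placeholder path); the deleted-user report reads tombstones through -IncludeDeletedObjects.

```powershell
# Added example, not code from the post. Assumes the ActiveDirectory module and
# write access to $OutDir (placeholder).
Import-Module ActiveDirectory

$Days   = 30
$Cutoff = (Get-Date).AddDays(-$Days)
$OutDir = 'C:\Reports\AD'   # placeholder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$props = 'whenCreated', 'whenChanged', 'Enabled', 'LastLogonDate'
$reports = [ordered]@{
    # Created inside the window.
    Created  = Get-ADUser -Filter { whenCreated -ge $Cutoff } -Properties $props
    # Changed inside the window but created before it (otherwise they are just new accounts).
    Modified = Get-ADUser -Filter { whenChanged -ge $Cutoff -and whenCreated -lt $Cutoff } -Properties $props
    # AD keeps no "disabled on" timestamp; a disabled account whose whenChanged falls
    # in the window is the closest approximation (same for recently enabled ones).
    Disabled = Get-ADUser -Filter { Enabled -eq $false -and whenChanged -ge $Cutoff } -Properties $props
    Enabled  = Get-ADUser -Filter { Enabled -eq $true  -and whenChanged -ge $Cutoff } -Properties $props
    # Inactive: no logon in the window by lastLogonTimestamp (replicated, coarse precision).
    Inactive = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($Days)) -UsersOnly |
               ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties $props }
    # Deleted: tombstoned user objects whose last change (the deletion) is in the window.
    Deleted  = Get-ADObject -IncludeDeletedObjects -Properties sAMAccountName, whenChanged -Filter {
                   isDeleted -eq $true -and objectClass -eq 'user' -and whenChanged -ge $Cutoff } |
               Select-Object @{n='SamAccountName';e={$_.sAMAccountName}}, Name, whenChanged
}

foreach ($name in $reports.Keys) {
    $path = Join-Path $OutDir "Users-$name-last$Days-days.csv"
    $reports[$name] |
        Select-Object SamAccountName, Name, Enabled, whenCreated, whenChanged, LastLogonDate |
        Export-Csv -Path $path -NoTypeInformation
    Write-Host ("{0,-9} {1,5} account(s) -> {2}" -f $name, @($reports[$name]).Count, $path)
}
```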

A user account was locked out.


Hello team,

We are using one AD FTP account for which we are getting "A user account was locked out" alerts every day. How do we fix it?

----------------------

A user account was locked out.

Subject:
  Security ID: SYSTEM
  Account Name: DC03$
  Account Domain: PRODUCT

Account That Was Locked Out:
  Security ID: PRODUCT\SSTEST
  Account Name: SSTEST

Additional Information:
  Caller Computer Name: CMF04

-----------------

Regards,

PR
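An added PowerShell example (not from the post) for tracing recurring lockouts like the one above: it pulls event 4740 for the account from the PDC emulator, which records every lockout in the domain, and groups them by caller computer. It assumes the ActiveDirectory module, read access to the PDC emulator's Security log, and the account name SSTEST from the event text.

```powershell
# Added example, not code from the post. Assumes the ActiveDirectory module and the
# right to read the Security log on the PDC emulator. Every DC reports lockouts to
# the PDC emulator, so one query there covers the whole domain.
Import-Module ActiveDirectory

$Account = 'SSTEST'   # account from the event in the post
$Days    = 7
$pdc     = (Get-ADDomain).PDCEmulator

$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue   # Get-WinEvent errors out when nothing matches

$rows = foreach ($e in $events) {
    # Read the EventData fields by name. In 4740 the field named TargetDomainName
    # carries the caller computer (the "Caller Computer Name" line in the message).
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -ne $Account) { continue }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        Account        = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']
        ReportingDC    = $e.MachineName
    }
}

if (-not $rows) { Write-Host "No 4740 events for $Account on $pdc in the last $Days days"; return }

# The caller computer is where the stale credential lives: a saved FTP client
# password, scheduled task, service or mapped drive still using an old password.
$rows | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object @{n='CallerComputer';e={$_.Name}}, Count,
                  @{n='LastLockout';e={($_.Group | Sort-Object Time -Descending)[0].Time}} |
    Format-Table -AutoSize
```

With the caller computer identified, its 4625/4776 failures (or the FTP service's own logs) show which process is presenting the old password.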

AD Initial Replication and SYSVOL and NETLOGON Folder not Created Error: 1753


Hello ,

We have a DC but its SYSVOL folder and NETLOGON folder are not getting created.

As per the event log: 1753.

I have checked as per the support article that the required ports are listening and all services are working.

https://support.microsoft.com/en-in/help/2089874/active-directory-replication-error-1753-there-are-no-more-endpoints-av

I have also tried to reset the SYSVOL registry value from 0 to 1 but the folder is still not replicated.

Any help would be greatly appreciated.

The DFS Replication service encountered an error communicating with partner MYDC for replication group Domain System Volume.

Partner DNS address: MYDC.MYDCOMAIn.com

Optional data if available:
Partner WINS Address: MYDC
Partner IP Address: 20.3.200.103

The service will retry the connection periodically.

Additional Information:
Error: 1753 (There are no more endpoints available from the endpoint mapper.)

Thanks



Thanks, Prakash. Please Note: My posts are provided “AS IS” without warranty of any kind, either expressed or implied.

Dcdiag failed test VerifyReferences (Windows 2008 R2 Enterprise)


Hi All,

I have gone through Knowledge Base Article Q312862 and it did not resolve the issue; any input or suggestions are welcome!

My goal here is to safely upgrade our domain controller to 2012 R2; if we can safely ignore this error then that's good enough for me.

TIA,

Ron

Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=ALPHA1,OU=NO_WSUS,OU=Domain Controllers,DC=rpmcsi,DC=com and
         backlink on
         CN=ALPHA1,CN=Servers,CN=SBC-Co-location,CN=Sites,CN=Configuration,DC=rpmcsi,DC=com
         are correct.
         The system object reference (serverReferenceBL)
         CN=ALPHA1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=rpmcsi,DC=com
         and backlink on
         CN=NTDS Settings,CN=ALPHA1,CN=Servers,CN=SBC-Co-location,CN=Sites,CN=Configuration,DC=rpmcsi,DC=com
         are correct.
         Some objects relating to the DC ALPHA1 have problems:
            [1] Problem: Missing Expected Value
             Base Object:
            CN=ALPHA1,OU=NO_WSUS,OU=Domain Controllers,DC=rpmcsi,DC=com
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: frsComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862

         ......................... ALPHA1 failed test VerifyReferences

Permissions for External Monitoring of Domain Controllers


We have eight domain controllers being hosted by an external data center. The data center administrators requested a domain administrator account for their monitoring tools and to apply monthly Windows Update patches.

Question: Is there a set of permissions I can assign their account which will allow their monitoring and update tools to work without the full domain administrator assignment?

Thanks for your thoughts.

Can't open word doc because path is too long in Windows 2012


Can't open a Word doc because the path is too long in Windows 2012.

Is it normal behaviour, or is there a fix for that?


ADUC, Right-Click, Context Menu

Is there a way to add a menu item with sub-menu items on the right-click context menu of a user object in Active Directory?
I want to add a few menu items to the context menu, but I'd rather not lengthen the menu with 4 additional menu items if I can create a single menu item with sub-menus.

AD Replication not Working: All DCs are in initial sync, DFS state = 2 = Initial Sync


Hello ,

We have 8 domain controllers and the SYSVOL folders of all DCs, including the PDC, are not replicating with each other, and

all DCs' DFS state is = 2 = Initial Sync instead of Normal = 4, and all DCs have logged events as waiting for initial sync.

Ref  : https://support.microsoft.com/en-in/help/2958414/dfs-replication-how-to-troubleshoot-missing-sysvol-and-netlogon-shares 

The "state" values can be any of the following:

0 = Uninitialized

1 = Initialized

2 = Initial Sync

3 = Auto Recovery

4 = Normal

5 = In Error


How can I make all of them go to state Normal?

Any help would be much appreciated.

Please see below screen shot.



Thanks, Prakash. Please Note: My posts are provided “AS IS” without warranty of any kind, either expressed or implied.

C:\Windows\System32\lsass.log


Hello Team,

C:\Windows\System32\lsass.log is 45 GB in size and the machine is not a domain controller; please let me know if I can delete the log.


Ashok

Event ID's Monitoring


Do we need to explicitly configure a GPO in order to make sure the events below are registered in Event Viewer whenever the respective action happens, or will these settings exist by default?

Event ID  Description
1100      The event log service has shut down
1102      The audit log was cleared
4704      A user right was assigned
4705      A user right was removed
4715      The audit policy (SACL) on an object was changed
4719      System audit policy was changed
4728      A member was added to a security-enabled global group
4729      A member was removed from a security-enabled global group
4771      Kerberos pre-authentication failed
4772      A Kerberos authentication ticket request failed
4773      A Kerberos service ticket request failed
4780      The ACL was set on accounts which are members of administrators groups
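An added PowerShell check (not from the post) for the table above: it maps each event ID to the Advanced Audit Policy subcategory that produces it, reads the effective policy with auditpol, and reports whether the Success or Failure setting that event needs is enabled on the machine it runs on. It assumes an elevated prompt and English subcategory names; 1100 and 1102 come from the event log service itself and need no audit setting, and the 477x Kerberos events are only produced on domain controllers.

```powershell
# Added example, not code from the post. Run elevated on the machine (for the
# Kerberos events, on a DC). Subcategory names assume an English locale.
$Required = @(
    [pscustomobject]@{ Id = 1100; Subcategory = $null;                                Needs = 'n/a' }
    [pscustomobject]@{ Id = 1102; Subcategory = $null;                                Needs = 'n/a' }
    [pscustomobject]@{ Id = 4704; Subcategory = 'Authorization Policy Change';        Needs = 'Success' }
    [pscustomobject]@{ Id = 4705; Subcategory = 'Authorization Policy Change';        Needs = 'Success' }
    [pscustomobject]@{ Id = 4715; Subcategory = 'Audit Policy Change';                Needs = 'Success' }
    [pscustomobject]@{ Id = 4719; Subcategory = 'Audit Policy Change';                Needs = 'Success' }
    [pscustomobject]@{ Id = 4728; Subcategory = 'Security Group Management';          Needs = 'Success' }
    [pscustomobject]@{ Id = 4729; Subcategory = 'Security Group Management';          Needs = 'Success' }
    [pscustomobject]@{ Id = 4771; Subcategory = 'Kerberos Authentication Service';    Needs = 'Failure' }
    [pscustomobject]@{ Id = 4772; Subcategory = 'Kerberos Authentication Service';    Needs = 'Failure' }
    [pscustomobject]@{ Id = 4773; Subcategory = 'Kerberos Service Ticket Operations'; Needs = 'Failure' }
    [pscustomobject]@{ Id = 4780; Subcategory = 'User Account Management';            Needs = 'Success' }
)

# auditpol /r emits CSV with columns "Machine Name","Policy Target","Subcategory",
# "Subcategory GUID","Inclusion Setting","Exclusion Setting". Inclusion Setting is
# one of "No Auditing", "Success", "Failure", "Success and Failure".
$effective = @{}
auditpol /get /category:* /r | ConvertFrom-Csv |
    ForEach-Object { $effective[$_.Subcategory] = $_.'Inclusion Setting' }

$Required | ForEach-Object {
    if ($_.Subcategory) {
        $setting = $effective[$_.Subcategory]
        $ok      = [bool]($setting -match $_.Needs)
        $source  = $_.Subcategory
    } else {
        # 1100/1102 are written by the event log service regardless of audit policy.
        $setting = 'n/a'; $ok = $true; $source = '(event log service)'
    }
    [pscustomobject]@{ EventId = $_.Id; Subcategory = $source; Needs = $_.Needs; Configured = $setting; Ok = $ok }
} | Format-Table -AutoSize
```

A row with Ok = False means the corresponding event will not be written on that host until the subcategory is turned on (locally with auditpol, or by GPO under Advanced Audit Policy Configuration).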

AD Group Migration vs Group Membership vs SID History


Hello,

Recently, I migrated groups from source to target domain including SID History. I'm planning to administer group membership in only the target domain. However, all resources are in the source domain. Source groups are applied on resource ACL in source domain.

If I add a non-migrated user (newly created in the target domain) into a migrated group in the target domain then

Question: Should the user be able to access the resource (based on permissions granted to the source group) in the source domain just via SID history, because the user's token will have the SID of the source group from the sidHistory attribute of the migrated group?

Kindly reply with explanation.

Thanks in advance

Alex Lee
