
Active Directory Replication Security?


Hello,

What replication encryption method is used in Active Directory 2008 & 2012?

And what protocol is used, is it RPC/TCP? Also in Windows Server 2012?

Please explain if you would.

Thanks


Daoud Ghannam



Active Directory Federation farm: primary server is 2008 R2 Standard and secondary is 2008 R2 Enterprise


Active Directory Federation farm: the primary server is 2008 R2 Standard and the secondary is 2008 R2 Enterprise. Now I have a problem with the secondary always giving me "503 service not available", so do I have to have the same version for both nodes, i.e. Standard?

NO_CLIENT_SITE messages


I was setting up subnets in AD Sites & Services in preparation for putting a DC in a remote location.  I was given a list of subnets by the network admin, and he left one out but also gave me a 206.x.x.x subnet.  I was under the impression that 206 addresses were external and wonder if that is why I am not able to add this to the subnets in Sites and Services?

In the event log, there are entries:

05/13 10:49:41 domain: NO_CLIENT_SITE: servername 206.#.#.# which I assume is because I don't have a site definition matching this information?

SYSVOL error


Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.


Ahmed Zidan Network Administrator

Certificate Revocation Check Failed


Hi,

We have an Enterprise CA in our environment with an offline Root CA and an online Sub-CA. Everything is working fine. The CRL expired yesterday and we published the CRL from the Root CA by bringing it online. When users try to RDP to servers which are configured to use a certificate for RDP, they get the error "A revocation check could not be performed for the certificate".

This only happens when taking RDP from Windows 7 and Windows 2008 PCs; from Windows XP there is no error.

Please suggest whether there is an issue with CA CRL publication or some other issue. How can we do a CRL health check for the CA? The CA servers are Windows 2003 Enterprise.
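Added example, not part of the original post: a way to run, on the server itself, the same revocation check an RDP client performs. It builds the chain for the certificate bound to RDP with online revocation checking, so a CRL that cannot be fetched or has lapsed shows up as RevocationStatusUnknown / OfflineRevocation, and lists the CDP URLs the client would need to reach. It assumes the RDP certificate is in Cert:\LocalMachine\My; the WMI lookup of the bound thumbprint is a convenience and any X509Certificate2 can be passed instead.

```powershell
# Added example (not from the original post): reproduce the client-side
# revocation check RDP performs. X509Chain with RevocationMode=Online fetches
# the CRL from the CDP URLs in each certificate of the chain.
function Get-RdpCertificate {
    # Thumbprint bound to the RDP-Tcp listener; empty when the self-signed default is in use
    $tcp = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                         -Filter "TerminalName='RDP-Tcp'"
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tcp.SSLCertificateSHA1Hash }
}

function Get-CdpUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.31 = CRL Distribution Points; pull the URLs out of the formatted extension text
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), '(?i)\b(https?|ldap)://\S+') | ForEach-Object { $_.Value }
}

function Test-CertificateRevocation {
    param([Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $built  = $chain.Build($Certificate)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    [pscustomobject]@{
        Subject          = $Certificate.Subject
        Issuer           = $Certificate.Issuer
        ChainBuilt       = $built
        # These two statuses are what the RDP client turns into "revocation check could not be performed"
        RevocationFailed = [bool]($status -match 'RevocationStatusUnknown|OfflineRevocation')
        Status           = ($status -join ',')
        Detail           = (@($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join ' | ')
        CdpUrls          = ((Get-CdpUrls $Certificate) -join ' ')
        # The issuing CA's own CDP matters too, since the whole chain is checked
        IssuerCdpUrls    = (@($chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { Get-CdpUrls $_.Certificate }) -join ' ')
    }
}

$cert = Get-RdpCertificate
if ($cert) { Test-CertificateRevocation -Certificate $cert | Format-List }
else       { Write-Warning 'No certificate bound to RDP-Tcp was found in LocalMachine\My' }
```

If RevocationFailed comes back True, the next step is to confirm from a client machine that each listed CDP URL resolves and downloads, and that the downloaded CRL's NextUpdate is still in the future; `certutil -verify -urlfetch <cert.cer>` on a client shows the fetch result per URL. Both the Root CA CRL and the Sub-CA CRL have to be current for the chain to pass.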

RPC Server Not available error while opening Active Directory console


Hi,

I have 2 domain controllers and around 5 RODCs, all running Windows 2008 R2.

On the remote site, whenever I try to open the Active Directory Users and Computers console I get the error below.

"Naming Information Cannot be located because RPC server is unavailable"

But if I keep trying 2 or 3 times it starts working, but after some time the same error comes back.

I have run the AD Best Practices Analyzer tool as well as other AD & DNS commands, but there is no error.

Has anyone faced this issue?


DCDiag Error: Enterprise Read-only Domain Controllers doesn't have Replicating Directory Changes access rights for the naming context


I'm trying to clean up our domain to eliminate errors and warnings when running DCDIAG and other tools.  Following is one problem I had and the associated resolution:

Running DCDIAG on any of our domain controllers (all are Windows Server 2008 R2) resulted in the following error:

Starting test: NCSecDesc
   Error OURDOMAIN\Enterprise Read-only Domain Controllers doesn't have
      Replicating Directory Changes
   access rights for the naming context:
   DC=ourdomain,DC=com

Verifying the Problem:

Using Active Directory Users and Computers (ADUC) and navigating to \Users, verify the existence of a Security Group called "Enterprise Read-only Domain Controllers".   In our case, that group already existed.  Exit ADUC.

Using ADSIEDIT, right-click on Naming Context "DC=ourdomain,DC=com", choose "Properties", click the "Security" tab and verify that "Enterprise Read-only Domain Controllers" shows in the "Group or user names" pane.  In our case, that group was missing.

Resolution:

In ADSIEDIT, click the "Add" button, type the group name "Enterprise Read-only Domain Controllers" and click "OK".  Next, highlight "Enterprise Read-only Domain Controllers" in the "Group or user names:" pane and then scroll down in the "Permissions:" pane to find "Replicating Directory Changes".  Enable (check) the box in the "Allow" column to the right of "Replicating Directory Changes" and Press "OK". 

Exit ADSIEDIT and re-run DCDIAG.  This solved the problem in our case.
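Added example, not part of the original post: the same ADSIEDIT steps done in PowerShell, together with the check that dcdiag's NCSecDesc test performs. "Replicating Directory Changes" is the DS-Replication-Get-Changes control access right (rightsGuid 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2), and Enterprise Read-only Domain Controllers is the well-known RID 498 group in the forest root domain, so the script resolves it by SID rather than by display name. Because this right allows a principal to pull directory data (it is one of the two rights DCSync-style tooling relies on), it should be granted only to the principals AD itself expects to hold it, as here. Assumes the ActiveDirectory module (RSAT) and rights to modify the naming context ACL.

```powershell
# Added example (not from the original post): grant and verify the
# "Replicating Directory Changes" right for Enterprise Read-only Domain
# Controllers on the domain naming context, as dcdiag /test:NCSecDesc expects.
Import-Module ActiveDirectory

# Control access right DS-Replication-Get-Changes ("Replicating Directory Changes")
$GetChangesGuid = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

# Enterprise Read-only Domain Controllers = <forest root domain SID>-498
$forestRoot = Get-ADDomain -Identity (Get-ADForest).RootDomain
$ErodcSid   = New-Object System.Security.Principal.SecurityIdentifier ("$($forestRoot.DomainSID.Value)-498")

function Test-ReplicatingDirectoryChanges {
    param([Parameter(Mandatory=$true)][string]$NamingContext,
          [Parameter(Mandatory=$true)][System.Security.Principal.SecurityIdentifier]$Sid)
    $acl   = Get-Acl -Path "AD:\$NamingContext"
    # Explicit ACEs only; the NC head is where dcdiag looks
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $hit = $rules | Where-Object {
        $_.IdentityReference -eq $Sid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $GetChangesGuid
    }
    [bool]$hit
}

function Grant-ReplicatingDirectoryChanges {
    param([Parameter(Mandatory=$true)][string]$NamingContext,
          [Parameter(Mandatory=$true)][System.Security.Principal.SecurityIdentifier]$Sid)
    $acl = Get-Acl -Path "AD:\$NamingContext"
    # Allow ExtendedRight limited to the Get-Changes GUID, on this object only (no inheritance)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule (
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $GetChangesGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$NamingContext" -AclObject $acl
}

$domainNc = (Get-ADDomain).DistinguishedName
if (-not (Test-ReplicatingDirectoryChanges -NamingContext $domainNc -Sid $ErodcSid)) {
    Grant-ReplicatingDirectoryChanges -NamingContext $domainNc -Sid $ErodcSid
}
Test-ReplicatingDirectoryChanges -NamingContext $domainNc -Sid $ErodcSid
```

The same two functions apply unchanged to the configuration and schema naming contexts if dcdiag reports them as well; after the change, `dcdiag /test:NCSecDesc` on any DC should pass once the ACL has replicated.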


URGENT - gpupdate /force FAILS on domain member running Windows 2008 R1 with domain controller on Windows 2008 R2


Hi All, 

I have a Windows 2008 R2 DOMAIN CONTROLLER. After modifying the GPO settings on the domain controller, I am trying to update the GPO settings by using the gpupdate /force command.

My domain member PC has OS Windows 2008 R1, where I am running gpupdate /force.

After running the command I get the error information below.

Updating Policy...

User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\[serverName]\SysVol\XXXXXXX\Policies\{B001ED39-4DA5-448E-BDFC-F33A8C33DC30}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or invoke gpmc.msc to access information about Group Policy results.

I have collected the DCDIAG command log, shown below.

 Starting test: DFSREvent
         The DFS Replication Event Log.
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         A warning event occurred.  EventID: 0x80001396
            Time Generated: 05/16/2013   17:20:03
            Event String:
            The DFS Replication service is stopping communication with partner AA1-PPP for replication group Domain System Volume due to an error. The service will retry the connection periodically.

            Additional Information:
            Error: 1726 (The remote procedure call failed.)
            Connection ID: 01F8AF14-216F-4ACF-B672-C74D3E6CC9EB
            Replication Group ID: 27813EB4-951D-4EEB-8EBC-DDC376415DD4
         An error event occurred.  EventID: 0xC0001390
            Time Generated: 05/16/2013   17:23:05
            Event String:
            The DFS Replication service failed to communicate with partner AAA2-PPP for replication group Domain System Volume. This error can occur if the host is unreachable, or if the DFS Replication service is not running on the server.

            Partner DNS Address:  AAA2-PPP

            Optional data if available:
            Partner WINS Address:  AAA2-PPP
            Partner IP Address: 372.66.22.11

            The service will retry the connection periodically.

            Additional Information:
            Error: 1722 (The RPC server is unavailable.)
            Connection ID: 01F8AF14-216F-4ACF-B672-C74D3E6CC9EB
            Replication Group ID: 27813EB4-951D-4EEB-8EBC-DDC376415DD4

-------------------------------------------------------------------------------------------------------------------

Request to suggest the reason for the issue and any solution quickly.  Waiting for a quick reply.

Vivek


Windows Server 2008 unable to receive promotion from Win2k12 or Win2k8 R2, only Win2k8


This was the error when I tried to join Win2k12 to a DC on Win2k8:

"ADPrep execution failed --> Microsoft.DirectoryServices.Deployment.ADPrepLdapException: No Such Object. Server extended error: 8333. Server extended message: 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
'CN=Schema,CN=Configuration,DC=domain,DC=com'.
ADPREP was unable to modify the default security descriptor on object CN=ms-DS-Managed-Service-Account,CN=Schema,CN=Configuration,DC=domain,DC=com.
[Status/Consequence]
Adprep attempts to merge the existing default security descriptors with the new access control entry (ACE). 
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20130505210218 directory for more information."

- repadmin /showrepl: all fine

- checked the object version: it's 56

Need help, thanks in advance



Administrators Active Directory Report


Good evening,

How can I generate a report of administrator users in Active Directory?

Thank you very much. 
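Added example, not part of the original post: one way to produce such a report with the ActiveDirectory module. It expands the built-in privileged groups recursively (so users that are admins only through a nested group are included), exports the result to CSV, and as a second view lists accounts that SDProp has flagged with adminCount=1 but that are no longer in any of those groups, which are worth reviewing because their protected ACLs are never reset automatically. Assumes the ActiveDirectory module (RSAT) and PowerShell 3.0 or later; the file names are arbitrary.

```powershell
# Added example (not from the original post): report the users holding
# administrative rights in the domain, resolving nested group membership.
Import-Module ActiveDirectory

function Get-AdminUserReport {
    param(
        # Built-in privileged groups; Enterprise/Schema Admins exist only in the forest root domain
        [string[]]$GroupNames = @('Administrators', 'Domain Admins', 'Enterprise Admins',
                                  'Schema Admins', 'Account Operators', 'Server Operators',
                                  'Backup Operators', 'Print Operators')
    )
    foreach ($name in $GroupNames) {
        $group = Get-ADGroup -Filter "Name -eq '$name'"
        if (-not $group) { continue }
        # -Recursive flattens nested groups; it fails on foreign security principals
        # (members from trusted domains), so fall back to the direct member list.
        try   { $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop }
        catch { Write-Warning "Could not expand '$name' recursively: $_"; $members = Get-ADGroupMember -Identity $group }
        $members | Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires, adminCount |
            ForEach-Object {
                [pscustomobject]@{
                    AdminGroup           = $name
                    SamAccountName       = $_.SamAccountName
                    Name                 = $_.Name
                    Enabled              = $_.Enabled
                    LastLogonDate        = $_.LastLogonDate
                    PasswordLastSet      = $_.PasswordLastSet
                    PasswordNeverExpires = $_.PasswordNeverExpires
                    AdminCount           = $_.adminCount
                }
            }
    }
}

$report = Get-AdminUserReport
$report | Sort-Object AdminGroup, SamAccountName | Export-Csv -Path .\AdminUsers.csv -NoTypeInformation

# One row per account with every admin group it belongs to, for a quick review
$report | Group-Object SamAccountName | ForEach-Object {
    [pscustomobject]@{
        SamAccountName = $_.Name
        Groups         = (($_.Group.AdminGroup | Sort-Object -Unique) -join ';')
        Enabled        = $_.Group[0].Enabled
    }
} | Format-Table -AutoSize

# Accounts still marked adminCount=1 by SDProp but no longer in any of the groups above
$adminSam = $report.SamAccountName | Sort-Object -Unique
Get-ADUser -LDAPFilter '(adminCount=1)' | Where-Object { $adminSam -notcontains $_.SamAccountName }
```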

Old Domain Showing up in "Domain and Trusts"


My domain environment is Windows Server 2008.
When I open "Domains and Trusts" and look at the properties for my domain, I see an old domain (long gone) listed there.

Attempting to "delete" it, results in an error:

"Windows cannot obtain the trust information for domain xx.xxx.xxx.  Either the domain is unavailable or its trust information no longer exists.  If the trust information does not exist, you should remove the trust.  Do you want to remove the trust?"

selecting yes presents another error:

"A trusted-domain object cannot be found for the trust to domain xx.xxx.xxx.  The trust may have been removed by another user."

I looked in ADSIEdit --> Default Naming Context --> my domain --> CN=System
I do not see any reference to the old domain there

I ran the following command:
netdom query trust

Here I see a reference to the old domain and a status of "not found"

If I connect to netdom and look for domains, I don't see the old domain referenced for me to remove.

Does anyone have some suggestions on how I could get this old trust removed?
When users log in to the domain, the old domain still shows up in the drop-down box, and I am having a hard time getting it to go away!  Thanks in advance for your suggestions!

How to set "msDS-MaximumPasswordAge" to "Password never expires" with PowerShell


I am trying to set the "msDS-MaximumPasswordAge" to "Password never expires" by PowerShell. Actually this is done with a command like this:

New-ADFineGrainedPasswordPolicy ... -MaxPasswordAge "365.00:00:00"

In this example the passwords would expire after 365 days, but I want it to never expire.

If I configure this policy with adsiedit.msc, I can use the term "(never)" successfully. The same is true for LDIF import, where the working value is "-9223372036854775808" (I8 format).

I cannot find any help file or other source where the wanted value is mentioned. If I analyse a configured PSO (with the desired value already set) with "Get-ADFineGrainedPasswordPolicy" the returned value is "00:00:00", but it's not possible to set this value. At least, I am not able to do it successfully.

Thanks in Advance, T.
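Added example, not part of the original post: the "(never)" setting is the Int64 minimum, -9223372036854775808, the same value the post's LDIF import uses, and the AD cmdlets cannot express it as a TimeSpan. The script below therefore creates the PSO with a placeholder age (msDS-MaximumPasswordAge is a mandatory attribute of the object) and then writes the raw attribute value with Set-ADObject, plus a reader that reports "(never)" instead of the 00:00:00 the module shows. Assumes the ActiveDirectory module; the PSO name 'NoExpiry-PSO' and its other settings are made up for the example.

```powershell
# Added example (not from the original post): set msDS-MaximumPasswordAge on a
# fine-grained password policy to "(never)" by writing the raw Int64 value.
Import-Module ActiveDirectory

$NeverExpires = [Int64]::MinValue    # -9223372036854775808, the value ADSI Edit shows as "(never)"

function Set-PsoMaxPasswordAgeNever {
    param([Parameter(Mandatory=$true)][string]$PsoName)
    $pso = Get-ADFineGrainedPasswordPolicy -Identity $PsoName
    Set-ADObject -Identity $pso.DistinguishedName -Replace @{ 'msDS-MaximumPasswordAge' = $NeverExpires }
}

function Get-PsoMaxPasswordAge {
    # Reads the raw attribute, because Get-ADFineGrainedPasswordPolicy renders "(never)" as 00:00:00
    param([Parameter(Mandatory=$true)][string]$PsoName)
    $pso = Get-ADFineGrainedPasswordPolicy -Identity $PsoName
    $raw = (Get-ADObject -Identity $pso.DistinguishedName -Properties 'msDS-MaximumPasswordAge').'msDS-MaximumPasswordAge'
    if ($raw -eq $NeverExpires) { return '(never)' }
    [TimeSpan]::FromTicks(-$raw)     # any other value is a negative count of 100-ns intervals
}

# Create the PSO with a placeholder maximum age, then switch it to "(never)".
New-ADFineGrainedPasswordPolicy -Name 'NoExpiry-PSO' -Precedence 50 -ComplexityEnabled $true `
    -MinPasswordLength 14 -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
    -PasswordHistoryCount 24 -LockoutThreshold 10 -LockoutDuration '00:30:00' `
    -LockoutObservationWindow '00:30:00' -ReversibleEncryptionEnabled $false
Set-PsoMaxPasswordAgeNever -PsoName 'NoExpiry-PSO'
Get-PsoMaxPasswordAge     -PsoName 'NoExpiry-PSO'
```

Once set, the PSO still has to be applied with Add-ADFineGrainedPasswordPolicySubject to the group or users it is meant for; a policy with no subjects has no effect.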

Copy group memberships from specific user to another user with powershell?


Hi All

I need to copy the group memberships of a specific user to another user with PowerShell, but we can't use Quest or any snap-ins. How can we do it?
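Added example, not part of the original post: this uses only the [ADSISearcher] and [ADSI] type accelerators built into PowerShell (System.DirectoryServices), so it needs neither the Quest snap-in nor the RSAT ActiveDirectory module. It reads the source user's memberOf, skips groups the target is already in, and adds the target to the rest through IADsGroup::Add. The sAMAccountNames 'jdoe' and 'asmith' are hypothetical. The primary group is not listed in memberOf and is left alone.

```powershell
# Added example (not from the original post): copy group memberships between
# two users with System.DirectoryServices only (no snap-ins, no modules).
function Get-UserEntry {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    # Searches the current domain's default naming context
    $searcher = [ADSISearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'memberOf'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found" }
    $result
}

function Copy-GroupMembership {
    param(
        [Parameter(Mandatory=$true)][string]$Source,
        [Parameter(Mandatory=$true)][string]$Target,
        [switch]$WhatIf
    )
    $src      = Get-UserEntry -SamAccountName $Source
    $tgt      = Get-UserEntry -SamAccountName $Target
    $targetDn = [string]$tgt.Properties['distinguishedname'][0]
    $already  = @($tgt.Properties['memberof'] | ForEach-Object { $_.ToLower() })

    foreach ($groupDn in @($src.Properties['memberof'])) {
        if ($already -contains $groupDn.ToLower()) {
            Write-Verbose "Already a member: $groupDn"
            continue
        }
        if ($WhatIf) { Write-Host "Would add $Target to $groupDn"; continue }
        # A "/" inside a DN must be escaped as "\/" in an ADsPath
        $group = [ADSI]("LDAP://" + ($groupDn -replace '/', '\/'))
        $group.Add("LDAP://" + ($targetDn -replace '/', '\/'))   # IADsGroup::Add
        Write-Host "Added $Target to $groupDn"
    }
}

# Dry run first, then apply
Copy-GroupMembership -Source 'jdoe' -Target 'asmith' -WhatIf
Copy-GroupMembership -Source 'jdoe' -Target 'asmith' -Verbose
```

Groups that live in another domain of the forest are written through their own DC, so the account running this needs write membership rights there too; the -WhatIf pass shows exactly which groups that would touch before anything is changed.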

fRSMemberReference attribute doesn't match CN name.


Hi,

Running an FRSDiag check I got the ERROR "This server's "Member Ref" property for the SYSVOL volume does NOT seem to be correct!!!" for one of the domain controllers within a W2K3 domain.

I don't get any error after running dcdiag /v; there are no FRS issues and no events (warnings nor errors) in the domain controllers' logs.

I saw that error by chance when running a routine AD health check.

These are the values that don't match:

CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions,CN=MyDC03,OU=Domain Controllers,DC=MyDomain,DC=com

fRSMemberReference: CN=MyDC04,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=tragsa,DC=es

I'm not aware of the existence of Domain Controller MyDC04 within the domain.

Let me ask you a few questions about this mismatch:

1. Why is the FRS service working without issues in spite of the wrong value for the fRSMemberReference attribute?

2. To sort this out, is it enough to change back the fRSMemberReference value?

3. Do I have to change back the value for the object CN=MyDC04,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MyDomain,DC=com?

4. Could I audit this change anywhere?

Thank you.

Trusts over 3 domains


Hello,

Question about a trust between 3 domains.  If I have domains A, B and C, and domain A has a trust with both B and C, will this give B and C access to each other, or do they need to set up a trust relationship as well?

Thanks,

Frank


DNS issue


Here is my question,

I would like to know why, when I perform an nslookup on server1.east.test.com, it uses my DC (DC1.east.test.com) to perform a name lookup of server1 (146.142.43.249), but tells me that server1.east.test.com is located in the east.test.com domain. But when I go to my DNS server inside east.test.com there is no host record for this name or IP address.

But when I go to test.com I find this host record on the DNS server inside test.com.   My question is why does it say that it's located inside east.test.com when I perform an nslookup, when it's not on my DNS server?

Note: Server1, I believe, is a NAS storage appliance.  Also, I am domain admin only for east.test.com and not test.com.

Policy to track Domain User idle time


Hi,

Can someone help me to log domain users' lock and unlock times? I want to export the results also. Please tell me how to do this.

Thank you,

Sathish
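Added example, not part of the original post: Windows records workstation lock and unlock as Security events 4800 and 4801, but only when the "Other Logon/Logoff Events" audit subcategory is enabled (by Group Policy under Advanced Audit Policy Configuration, or locally with `auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable`). The script below collects those events from a list of machines, exports them to CSV, and pairs each lock with the following unlock to produce the locked (idle) interval per user. The computer names WS01 and WS02 and the file names are made up; the account running it needs to read the remote Security logs (for example via the Event Log Readers group).

```powershell
# Added example (not from the original post): export lock (4800) / unlock (4801)
# events and derive locked intervals per user.
function Get-LockUnlockEvents {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    foreach ($pc in $ComputerName) {
        Get-WinEvent -ComputerName $pc -FilterHashtable @{
            LogName = 'Security'; Id = 4800, 4801; StartTime = $Since
        } -ErrorAction SilentlyContinue | ForEach-Object {
            # Named EventData fields (TargetUserName, TargetDomainName, TargetLogonId) come from the event XML
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $action = if ($_.Id -eq 4800) { 'Locked' } else { 'Unlocked' }
            [pscustomobject]@{
                Computer = $pc
                Time     = $_.TimeCreated
                Action   = $action
                User     = ('{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName'])
                LogonId  = $data['TargetLogonId']
            }
        }
    }
}

function Measure-LockedIntervals {
    param([object[]]$Events)
    $open = @{}   # key = computer|user|logonid, value = time of the pending lock
    foreach ($e in ($Events | Sort-Object Time)) {
        $key = '{0}|{1}|{2}' -f $e.Computer, $e.User, $e.LogonId
        if ($e.Action -eq 'Locked') { $open[$key] = $e.Time; continue }
        if ($open.ContainsKey($key)) {
            [pscustomobject]@{
                Computer   = $e.Computer
                User       = $e.User
                LockedAt   = $open[$key]
                UnlockedAt = $e.Time
                Minutes    = [math]::Round(($e.Time - $open[$key]).TotalMinutes, 1)
            }
            $open.Remove($key)
        }
    }
}

$events = Get-LockUnlockEvents -ComputerName 'WS01', 'WS02'
$events | Export-Csv -Path .\LockUnlockEvents.csv -NoTypeInformation
Measure-LockedIntervals -Events $events | Export-Csv -Path .\LockedIntervals.csv -NoTypeInformation
```

Because these events live on each workstation, collecting them at scale is easier with event forwarding to a collector and running the same query against the ForwardedEvents log there; a lock with no matching unlock (user shut down or a session ended) is simply left unpaired.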

w32tm /query /status Access is denied. (0x80070005) from elevated prompt


I am in the process of decommissioning the 2008 DC, so I have moved all FSMO roles to another DC. The old DC is getting time from the newly promoted PDC, as are the domain clients it seems.

I have gone through the below more times than I should have needed; the info is clear and it seems to work. However, I still get an error from an elevated cmd prompt.

C:\Windows\System32>w32tm /query /status

or

C:\Windows\System32>w32tm /query /configuration

The following error occurred: Access is denied. (0x80070005)

pushd %SystemRoot%\system32
.\net stop w32time
.\w32tm /unregister
.\w32tm /register
.\sc config w32time type= own
.\net start w32time
rem manualpeerlist is space-delimited; the ,0x8 (client mode) flag belongs on each peer
.\w32tm /config /update /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 3.pool.ntp.org,0x8" /syncfromflags:MANUAL /reliable:yes
.\w32tm /resync
popd

Why am I not able to run a query on the PDC with an elevated cmd prompt, when I do have domain rights in all the right areas? I have never had this problem before.


Thanks, Charlie


UPGRADED SERVER 2008SP2 to SERVER 2008R2 SP1: error Naming information cannot be located because: this operation returned timeout period expired


I upgraded the PDC from Server 2008 with SP2 to Server 2008 R2 with SP1.

Did the adprep commands for forest and domain prior to installing the upgrade.  After reboot it has the following symptoms:

1. Takes a long time after logon saying "please wait for Group Policy client", then "applying user settings" for 30 minutes.

2.  After that it shows the error: Active Directory Domain Services: Naming information cannot be located because: This operation returned because the timeout period expired. Contact your system administrator to verify that your domain is properly configured and is currently online.

What went wrong?

AD and standalone DNS


Hello, all

We are testing implementing AD in our environment. One of the requirements is to continue using the standalone DNS/DHCP servers (Server 2000). So we set up the Server 2012 AD role (without DNS). From online posts, we then set up the DNS service role and pointed its DNS setting to itself. On the standalone DNS server, we created an SRV record for our domain.

The client is set to look at the standalone DNS. When we tried joining the client, we received this error:

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "canby.k12.or.us":

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.OUR_DOMAIN

On the AD server, we don't see an entry for _msdcs. How do we create this entry manually? Or can we? Besides the SRV record on the standalone DNS, do we need any additional settings? Any settings on the AD DNS?

Thank you very much in advance for any advice
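Added example, not part of the original post: a domain controller writes every DNS record it needs into %SystemRoot%\System32\config\netlogon.dns, so on a DNS server that does not accept dynamic updates that file is the list of records to create by hand, including the _ldap._tcp.dc._msdcs.<domain> SRV record the join error asks for. The parser below turns the file into objects grouped by record type so they can be checked off against the standalone server. The sample lines are constructed in the file's format (dc1.example.com, 192.0.2.10 and the GUID are made up) so the block runs offline; on a real DC feed it the file itself.

```powershell
# Added example (not from the original post): parse netlogon.dns into the
# A / SRV / CNAME records a DC expects to find in DNS.
# Constructed sample in netlogon.dns format (not from a real server)
$sample = @'
example.com. 600 IN A 192.0.2.10
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_ldap._tcp.pdc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.gc._msdcs.example.com. 600 IN SRV 0 100 3268 dc1.example.com.
gc._msdcs.example.com. 600 IN A 192.0.2.10
e6f1f3d4-1111-2222-3333-444455556666._msdcs.example.com. 600 IN CNAME dc1.example.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
'@

function ConvertFrom-NetlogonDns {
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    foreach ($line in $Lines) {
        # <owner> <ttl> IN <type> <rdata>; anything else (blank lines, other types) is skipped
        if ($line -notmatch '^(?<name>\S+)\s+(?<ttl>\d+)\s+IN\s+(?<type>A|AAAA|SRV|CNAME)\s+(?<rdata>.+)$') { continue }
        $rec = [ordered]@{ Name = $Matches.name.TrimEnd('.'); TTL = [int]$Matches.ttl; Type = $Matches.type }
        if ($Matches.type -eq 'SRV') {
            $p = $Matches.rdata.Trim() -split '\s+'
            $rec.Priority = [int]$p[0]; $rec.Weight = [int]$p[1]; $rec.Port = [int]$p[2]
            $rec.Target   = $p[3].TrimEnd('.')
        } else {
            $rec.Target = $Matches.rdata.Trim().TrimEnd('.')
        }
        [pscustomobject]$rec
    }
}

$records = ConvertFrom-NetlogonDns -Lines ($sample -split "`r?`n")
# On a DC use the real file instead:
# $records = ConvertFrom-NetlogonDns -Lines (Get-Content "$env:SystemRoot\System32\config\netlogon.dns")

$records | Sort-Object Type, Name | Format-Table Name, Type, Port, Target -AutoSize

# The record the join error names must be among them
$records | Where-Object { $_.Name -like '_ldap._tcp.dc._msdcs.*' }
```

After the records are created on the standalone server, `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain> <standalone-dns-ip>` from the client should return the DC; the `_msdcs` names are ordinary subdomains of the zone, so they can be created as folders under it on any DNS server.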
