Power Shell script to get the manager for eah users and put them in a specific group

July 6, 2013, 9:37 am

≪ Previous: How to set Impersonation Permissions by using Active Directory Sites and Services or the Active Directory Users and Computers user interfaces

I created a power shell scrip to get users and for each user get the manager and put him in a specific group but when I am trying to run it I got an error

$username=$Manager|Select-Object*-ExpandPropertyManager is equal null ?

$Users=Get-ADUser-Filter {Enabled-eq$true-andgweVfOpcoId-ne"0" }-SearchScopeSubtree-SearchBase"OU=Opcos,OU=MOSSUsers,OU=MOSS,OU=Sharepoint,DC=sharepdev1,DC=local"

foreach($userin$Users)

{

$Manager=$user|Get-ADUser-Properties*|SelectManager

if($Manager.Manager-ne$null)

{

$username=$Manager|Select-Object*-ExpandPropertyManager

$userstatus=Get-ADUser-Identity$username-PropertiesEnabled

if($userstatus.enabled-eq$ture)

{

$User=Get-ADUser-Identity$username-PropertiesMemberOf

$Group= (Get-ADGroup"Managers").distinguishedName

If ($User.memberOf.Contains($Group))

{

Write-Host"User is already a member of one of the Job Roles"

}

Else

{

Write-Host"User is not a member of any of the Job Roles"

Add-ADGroupMember-IdentityManagers-Member$username

}

Import-ModuleActiveDirectory

↧

Error running adprep /rodcprep

December 3, 2009, 2:49 am

≫ Next: Cannot Shutdown Old Domain Controller - New Domain Controller Not Recognized

≪ Previous: Power Shell script to get the manager for eah users and put them in a specific group

Hi,

I'm having an issue performing adprep that I think has been caused by a failed DC.

The infrastructure master role had to be seized from a failed DC and the meta data was cleaned up.

When running adprep /rodcprep I get the following error:

Adprep found partition DC=DomainDnsZones,DC=####,DC=com, and is about to update the permissions.
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Infrastructure,DC=DomainDnsZones,DC=####,DC=com.
LDAP API ldap_search_s finished, return code is 0x0
Adprep could not contact a replica for partition DC=DomainDnsZones,DC=####,DC=com.
Adprep encountered an LDAP error.
Error code: 0x0. Server extended error code: 0x0, Server error message: (null).
Adprep failed the operation on partition DC=DomainDnsZones,DC=redingtonpartners,DC=com. Skipping to next partition.

I have run DCDiag and get the following error yet the permissions are set:

Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
      Replicating Directory Changes In Filtered Set
   access rights for the naming context:
   DC=ForestDnsZones,DC=####,DC=com

Finally I have run "ldifde -f Infra_DomainDNSZones.ldf -d "CN=Infrastructure,DC=DomainDnsZones,DC=####,DC=com" -l fSMORoleOwner"
which returns the infrastructure master role still seems to be assigned to the domain controller that failed and had the role seized from it, checking in Active Directory Users and Computers the Infrastructure master role is not assigned to the DC that the ldifde query returns.

How can I update or remove the erroneous entry so the adprep /rodcprep command will complete successfully?

↧

Cannot Shutdown Old Domain Controller - New Domain Controller Not Recognized

July 6, 2013, 11:10 am

≫ Next: server 2012 Domain Controller Logging event 2004, with error "crc check"...

≪ Previous: Error running adprep /rodcprep

I recently added a new domain controller (Windows 2008 R2) to a domain containing a single SBS 2003 server. I need to get rid of the original server (or at least any dependence on it) as it is quite old and no longer eligible for hardware support.

I moved all the the FSMO roles to the new server without issue. When the two servers are running there are no apparent issues with the domain functionality. When I shutdown the original server the domain still appears to funtion without issue. However, when I restart the new DC while the original DC is daown it does not come up correctly i.e. it doesn't recognize the domain, it has no DNS, and it is not seen by any of the Domain Computers as a DC. When I then start the original DC the problems go away. I'm thinking the problem is in DNS because I am seeing a couple of odd things in DNS.

Here's what I'm seeing in the DNS:

1) I noticed that when I open the DNS Manger on the new server and try and connect to the original DNS server the connection works fine. The reverse is not true. I can't connect to the new DNS server from DNS Manager on the original server.

2) When I ran dcdiag it gives me the dcbyguid error of the SRV not being registered but it look in DNS Manager the domain shows up. However, the guid differs from the domain guid I get when I open ADSIEDIT.

I'm a bit stumped.

Oh, I should also mention that I added a file server role to the new DC with DFS. Is that a potential problem?

↧

server 2012 Domain Controller Logging event 2004, with error "crc check"...

February 13, 2013, 1:59 am

≫ Next: Can I postpone or defer replication of objects during a Server 2012 Domain Controller promotion?

≪ Previous: Cannot Shutdown Old Domain Controller - New Domain Controller Not Recognized

Pretty new domain, and domain controller, running server 2012 as a Hyper-V VM.

Getting this error when it reboots. I have done a chkdsk, thinking maybe the vhdx file is corrupt in some way. Have also checked the system log for events talking about file corruption. Nothing.

The disk in question has 10+ GB free, so disk space is not an issue. I ran dcdiag /q /a & it told me that DFSR has logged events in the last 24 hours, but nothing else. AD seems to think everything is cool.

Not sure what to look at next... Thanks for any pointers/help.

The DFS Replication service stopped replication on volume C:. This failure can occur because the disk is full, the disk is failing, or a quota limit has been reached. This can also occur if the DFS Replication service encountered errors while attempting to stage files for a replicated folder on this volume.

Additional Information:
Error: 23 (Data error (cyclic redundancy check).)
Volume: 0F55C346-589F-11E2-93EB-806E6F6E6963

↧

Can I postpone or defer replication of objects during a Server 2012 Domain Controller promotion?

July 7, 2013, 4:49 am

≫ Next: What to do with a worker thread in the OnStop method in a basic Windows service?

≪ Previous: server 2012 Domain Controller Logging event 2004, with error "crc check"...

Hello,

In 2008 R2 and earlier, I was able to defer the replication of objects to a new Domain Controller I was promoting into a Forest/Domain. Can I still do that with a Server 2012 Domain Controller promotion? I dont see the option to do that on the promotion screens.

I have approx 4 million objects to replicate and I would like to promote 'some' to my new DC to ensure replication is working, but then would like to promote the rest after reboot during normal replication.

Thanks for your help! SdeDot

↧

What to do with a worker thread in the OnStop method in a basic Windows service?

July 7, 2013, 5:21 am

≫ Next: Create an user account when Primary Domain Controller is offline

≪ Previous: Can I postpone or defer replication of objects during a Server 2012 Domain Controller promotion?

Hi

I have a basic Windows service which performs some tasks, which are executed periodically in an endless loop: "ExecuteServiceWorkerMethods()".
I am starting the endless loop via a worker thread from the OnStart() method as below:

OnStart(string[] args)
{
workerThread = new Thread(ExecuteServiceWorkerMethods);
workerThread.Name = "ServiceWorkerThread";
workerThread.IsBackground = false;
workerThread.Start();
}

Now I am wondering what to do with the worker thread in the OnStop() method?

My endless loop looks like this:

private void ExecuteServiceWorkerMethods()
{
while (!serviceStopped)
{

DO WORK....

while (servicePaused)
{
Thread.Sleep(sleepTimeMillisecondsWhileServicePaused);
}
Thread.Sleep(sleepTimeMillisecondsWhileServiceNotStopped);
}
}

Remember this is all very basic. I just want to be able to start and stop my Windows service.

↧

Create an user account when Primary Domain Controller is offline

June 22, 2013, 10:01 am

≫ Next: How to migrate Exchange2003 to Exchange2012?

≪ Previous: What to do with a worker thread in the OnStop method in a basic Windows service?

Hi,

I have two Domain controllers in a domain, DC1 and DC2. DC1 hold all the FSMO roles.

I shut down DC1, and then create a user account using DC2.

However I notice that DC2 will use longer period (around 30 seconds to a minute) to create a user account.

May I know is this normal? Thanks.

↧

How to migrate Exchange2003 to Exchange2012?

July 7, 2013, 8:50 pm

≫ Next: How to migrate Windows2003 AD to Windows2012 AD?

≪ Previous: Create an user account when Primary Domain Controller is offline

Client using Office2003 and WindowsXP with SP3.

↧

How to migrate Windows2003 AD to Windows2012 AD?

July 7, 2013, 8:48 pm

≫ Next: KDC errors in event log

≪ Previous: How to migrate Exchange2003 to Exchange2012?

How to migration Windows2003 AD to Windows2012 AD?

Any concern after migration had done that all client still using WindowsXP with Office2007 version?

After that Exchange2003 also migrate to Exchange 2012, Any recommend.

↧

KDC errors in event log

July 7, 2013, 10:47 am

≫ Next: Can some body helps to understand AD migration from windows 2003 to Windows 2008?

≪ Previous: How to migrate Windows2003 AD to Windows2012 AD?

We are getting a bunch of errors below on our window server 2003 DC. We are not seing these on our window server 2008 R2 DC. What can we do to resolve it The account specified are 90% windows 7 computers generating this error.

Event ID 27, Source KDC

While processing a TGS request for the target server krbtgt/TT.belltel.com, the accountTT-6JJ9QN1$@TT.belltel.comdid not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 -140.

↧

Can some body helps to understand AD migration from windows 2003 to Windows 2008?

July 7, 2013, 11:38 pm

≫ Next: Adding Domain Controller fails with error "ADprep execution failed --> system.componetModel.Win32Exception (0x80004005):

≪ Previous: KDC errors in event log

Can some body helps to understand AD migration from windows 2003 to Windows 2008 using QUEST tool?

↧

Adding Domain Controller fails with error "ADprep execution failed --> system.componetModel.Win32Exception (0x80004005):

July 8, 2013, 12:03 am

≫ Next: can't set IRM configuration in Exchange 2010 .

≪ Previous: Can some body helps to understand AD migration from windows 2003 to Windows 2008?

i'm at a loss for this one. I just added a Server 2012 box to a network. The current environment is SBS 2003 and i'm looking to migrate away. However I have tried to raise the 2K12 box to a domain controller I am hit with this error:

Adding Domain Controller fails with error "ADprep execution failed --> system.componetModel.Win32Exception (0x80004005): A device attached to the system is not functioning

I have tried running adprep manually in the CLI and when I do I get this error:

Adprep encounted a win32 error. error code:0x5 error message: access is denied.

I am logged in as a user who is a enterprise admin and Schema Admin.The domain and forest functional levels are at windows 2003. DNS looks good. DCdiaq run on the server 2003 box reports no issues. A/V disabled on 2003 box. any thoughts ??

↧

can't set IRM configuration in Exchange 2010 .

July 7, 2013, 11:11 pm

≫ Next: Root CA Certificate expires & new renew on Windows 2008 R2 Server

≪ Previous: Adding Domain Controller fails with error "ADprep execution failed --> system.componetModel.Win32Exception (0x80004005):

Hello ,

I have an issue with Exchange Server 2010 sp1 dusring run the following cmdlet

Please advice ,

↧

Root CA Certificate expires & new renew on Windows 2008 R2 Server

July 8, 2013, 12:26 am

≫ Next: No SYSVOL_DFSR on newly added Domain Controller

≪ Previous: can't set IRM configuration in Exchange 2010 .

We are using windows 2008 R2 Server & configured our Primary DC as our Certificate Authority. we are using the Exchange 2010 & Lycn 2010 , Sharepoint 2010.

i had recently noticed that our Root CA Certiificate was expiring on october 2013. kindly help me to renew our ROOT CA .

Regards

Jagadeesan.S

Jags

↧

No SYSVOL_DFSR on newly added Domain Controller

January 4, 2013, 2:26 am

≫ Next: Windows 2012 AD - Reconnecting an Outdated Domain Controller

≪ Previous: Root CA Certificate expires & new renew on Windows 2008 R2 Server

Hi,

Have a W2012 Domain in which sysvol replication has been migrated to SYSVOL DFSR replication a long time ago (in W2008-R2) and worked well.

I now added a new domain controller (W2012) and there is no SYSVOL_DFSR folder but a SYSVOL folder on this new DC. The new DC tries to replicate using NTFRS and tried to access the SYSVOL folder on other DC's (which do not exist). DFSRMIG.exe reports correctly being in "eliminated (3)" state.

Every other AD partition replicate fine (AFAIK).

Is there something to do about this? Is this normal behavior?

Thanks.

Thomas.

↧

Windows 2012 AD - Reconnecting an Outdated Domain Controller

June 26, 2013, 4:23 am

≫ Next: How to delete a died server 2003 R2 Domain Controler?

≪ Previous: No SYSVOL_DFSR on newly added Domain Controller

My setup is as follows:

Site A has one Windows 2012 Domain Controller called AVHDCADC01

Site B has one Windows 2012 Domain Controller called AVHDCBDC01

AVHDCADC01 has all FSMO Roles, is a Domain Controller and is working correctly.

AVHDCBDC01 has been turned off for a significant period of time, and now it has been turned back on, AD is not working - the last successful replication occurred in February, so I'm imagining some kind of Tombstoning has occurred, but I'm really not sure about this so I was hoping someone could point me in the right direction.

I am confident the IP configurations are correct, running the command "repadmin /showrepl * /errorsonly" on AVHDCBDC01 gives the following results:

C:\Users\Administrator.AVH>repadmin /showrepl * /errorsonly

Repadmin: running command /showrepl against full DC AVHDCADC01.avh.local
LDAP error 82 (Local Error) Win32 Err 8341.

Repadmin: running command /showrepl against full DC AVHDCBDC01.avh.local
DCB\AVHDCBDC01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: c82a3f12-fc7f-4ef0-85ed-03874a7ed446
DSA invocationID: 97b14a6f-198a-4997-8b2c-de068fcf70f3

==== INBOUND NEIGHBORS ======================================

DC=avh,DC=local
DCA\AVHDCADC01 via RPC
DSA object GUID: 20653dd3-54ec-413d-8337-6c3c89a3414f
Last attempt @ 2013-06-26 10:59:47 failed, result -2146893022 (0x8009032
2):
The target principal name is incorrect.
56 consecutive failure(s).
Last success @ 2013-02-16 09:04:46.

CN=Configuration,DC=avh,DC=local
DCA\AVHDCADC01 via RPC
DSA object GUID: 20653dd3-54ec-413d-8337-6c3c89a3414f
Last attempt @ 2013-06-26 10:59:47 failed, result -2146893022 (0x8009032
2):
The target principal name is incorrect.
56 consecutive failure(s).
Last success @ 2013-02-16 09:04:46.

CN=Schema,CN=Configuration,DC=avh,DC=local
DCA\AVHDCADC01 via RPC
DSA object GUID: 20653dd3-54ec-413d-8337-6c3c89a3414f
Last attempt @ 2013-06-26 10:59:47 failed, result -2146893022 (0x8009032
2):
The target principal name is incorrect.
56 consecutive failure(s).
Last success @ 2013-02-16 09:04:46.

DC=DomainDnsZones,DC=avh,DC=local
DCA\AVHDCADC01 via RPC
DSA object GUID: 20653dd3-54ec-413d-8337-6c3c89a3414f
Last attempt @ 2013-06-26 10:59:47 failed, result -2146893022 (0x8009032
2):
The target principal name is incorrect.
56 consecutive failure(s).
Last success @ 2013-02-16 09:04:46.

DC=ForestDnsZones,DC=avh,DC=local
DCA\AVHDCADC01 via RPC
DSA object GUID: 20653dd3-54ec-413d-8337-6c3c89a3414f
Last attempt @ 2013-06-26 10:59:47 failed, result -2146893022 (0x8009032
2):
The target principal name is incorrect.
56 consecutive failure(s).
Last success @ 2013-02-16 09:04:46.

Source: DCA\AVHDCADC01
******* 56 CONSECUTIVE FAILURES since 2013-02-16 09:04:46
Last error: -2146893022 (0x80090322):
The target principal name is incorrect.

I have found the following post, http://technet.microsoft.com/en-us/library/replication-error-2146893022-the-target-principal-name-is-incorrect(v=ws.10).aspx

But I am unsure if this is relevant to what I'm trying to solve, and if it is, which commands I should actually run!

I really don't want to have to rebuild the domain controller so this is my last shot before I resort to that.

Would greatly appreciate any help.

↧

How to delete a died server 2003 R2 Domain Controler?

July 8, 2013, 1:30 am

≫ Next: Netlogon errors 5805/5723

≪ Previous: Windows 2012 AD - Reconnecting an Outdated Domain Controller

Hi all,

Today is a bad Monday for me.

I have three HP Server, they all install AD integration with DNS, and DFSN + DFSR.

They named this

fs01 (Win2K3 R2 Good, FSMO, AD integration DNS, DFSN, DFSR)
fs02 (Win2K3 R2 Server Hardware Died, AD integration DNS, DFSN, DFSR)
fs03 (Win2K8 R2 Good, AD integration DNS, DFSN, DFSR)

now the fs02 is hardware died, I can't boot to it anymore.

So, on the DFSN and DFSR side, how do I safe delete this fs02 server? And what is it step on this case (since it will can't access anymore)

On AD Integration DNS side, how do I safe delete this DC on the AD record and DNS?

On my case, delelete the died fs02 DC first or del the DFSN+DFSR service first on step?

Any experience user with detail KB or suggestion as welcome.

↧

Netlogon errors 5805/5723

July 8, 2013, 3:07 am

≫ Next: AD help.

≪ Previous: How to delete a died server 2003 R2 Domain Controler?

Hi all,

I am seeing lots of netlogon errors daily (event id: 5805,5723) on a few DCs for a particular computer account. The error message seem to indicate the machine has failed to establish a secure channel connection with one of the DCs and may need to be re-added to the domain. I've googled the issue and people mention to rejoin the computer to the domain, BUT I can't seem to find this machines in AD (on any DC).

I read somewhere this is the result of machines not being syspreped properly before imaging them, therefore they have duplicate SIDs (our software team used to make images without properly syspreping machines). So, my dilemma is that since the computer account of the offending computer is deleted, I can't even use a program like Sid2username to find out what the SID is to see if I can find any duplicates SIDs on the domain (that are causing these netlogon errors. Is there any way around this? Fed up of these netlogon errors on the DCs.

Thanks in advance for any help.

↧

AD help.

July 3, 2013, 9:34 am

≫ Next: While adding Windows 2008R2SP1 dc to existing Windows 2008 Active directory infra getting Schema mistmatch error.

≪ Previous: Netlogon errors 5805/5723

Hi all,

one forest which includes one empty root domain and one child domain (servers and users are located here)

there are multiple sites (site1-site8) and only corp site has root domain controllers. So, at corp site, child domain controllers are forwarded to root domain controllers in the DNS. at other sites, child domain controllers' DNS forarders are configured to use each site's internet provider's DNS servers.

Now, I need to promote one member server to child domain controller at site 8 and I use the site7's DNS server to promote and it seems hung. I do not know the reason why and could it be due to the DNS forwarder that is forwarded to external DNS server at site 7 since there is no root domain controller? Does promoting child domain controllers need DNS forwarder to root domain controller?

Thank you.

↧

While adding Windows 2008R2SP1 dc to existing Windows 2008 Active directory infra getting Schema mistmatch error.

July 8, 2013, 3:08 am

≫ Next: Metadata cleanup and Site & Service Replica remove

≪ Previous: AD help.

Replication of application directory partition DC=ABC,DC=com from source 5a44a547-1d71-471f-880f-c82c24f4bbba (DC01.ABC.COM) has been aborted. Replication requires consistent schema but last attempt to synchornize the schema had failed. It is crucial that schema replication functions properly. See previous errors for more diagnostics. Error 8418: The replication operation failed because of a schema mismatch between the servers involved..

↧