Hi,
I am setting up Symantec Mobile Management; for enrolling iOS devices I need to configure SCEP. Can anybody help me?
Hi,
I have changed the ms-DS-MachineAccountQuota to 0 using ADSIEdit
and, using Group Policy Editor, added the right "Add workstations to domain" to a user.
But when I try to add a workstation to the domain using that user's credentials I am getting a message
Regards, Faisal
Hi,
We are going to set up 2 branch offices at different locations from our Main office.
Our Main office has
1. Single Forest, Single Domain with Active directory, DNS and DHCP installed with around 600 Users. OS level is Windows Server 2008 R2.
2. Additional Domain controller is installed in a Virtual Machine
3. 1st Branch is located 40 Kms approx from our Main Office and the 2nd Branch is located 20 Kms approx from our 1st Branch Office.
4. We are going to use 8 MBPS leased line (WAN Link).
5. Most of the Users in our Company will be working in Main Office and in both the Branch offices.
6. We plan to have 1 engineer each at both the branch offices who should not be a domain admin.
Kindly suggest a design plan.
My question is:
Can I install an RODC at both the branches, or should I install two child domains at the branch offices, or should I create two sites and link them to our Main Office?
Any other design plans are also welcome.
Thanks in advance.
Hi All,
When I checked our topology, I got the warning for "Replication Latency Check". How can I delete old "retired invocations"? If there is a different way for delete operations, please help me.
Because when I started the process (dcdiag /e /v > c:\dcdiag.txt), it was shown again.
NOTE: I already know that normally we can't delete these records... Is there a different way?
Hello there,
Once we create a new user, they automatically get their own network share. This is to give them backed-up space on a network to save their work etc. The problem is that once the user leaves (the account is removed), the network share remains. There is no automated process to remove the share after the account in AD is deleted. How can I design this process? I thought about a scheduled script, which would compare the user names in AD against the user names on a disk, but I'm not sure if this would be the best way. Can you please let me know how to deal with this?
Thank you.
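The comparison proposed in the post above, as an added example that is not part of the original post: it only reports candidate folders and deletes nothing. It assumes one home folder per user named after the sAMAccountName; the function name Get-OrphanedHomeFolder, the share path in the comments and the sample data are hypothetical.

```powershell
# Added example (not from the original post). Report-only: nothing is deleted.
# Assumption: each home folder is named after the owner's sAMAccountName.
# Requires PowerShell 5.1 or later for the ::new() syntax.

function Get-OrphanedHomeFolder {
    [CmdletBinding()]
    param(
        # sAMAccountNames that still exist in AD (enabled or disabled)
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$AccountName,
        # Folder records: any objects with Name and LastWriteTime properties
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Folder,
        # Folder names that are never reported (shared or service folders)
        [string[]]$Exclude = @(),
        # Grace period: skip folders written to within this many days
        [int]$MinIdleDays = 30,
        [datetime]$Now = (Get-Date)
    )

    # Guard: an empty account list usually means the directory query failed.
    # Without this check every folder would be reported as orphaned.
    if ($AccountName.Count -eq 0) {
        throw 'Account list is empty; refusing to classify folders.'
    }

    # Account names are not case-sensitive, so compare case-insensitively.
    $keep = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($n in $AccountName) { [void]$keep.Add($n) }
    foreach ($n in $Exclude)     { [void]$keep.Add($n) }

    foreach ($f in $Folder) {
        if ($keep.Contains($f.Name)) { continue }       # owner still exists
        $idle = ($Now - $f.LastWriteTime).Days
        if ($idle -lt $MinIdleDays) { continue }        # still in grace period
        [pscustomobject]@{ Name = $f.Name; IdleDays = $idle }
    }
}

# --- Constructed sample data so the example runs without a domain ---
$now      = Get-Date '2013-07-15'
$accounts = 'asmith', 'bjones'
$folders  = @(
    [pscustomobject]@{ Name = 'ASmith'; LastWriteTime = $now.AddDays(-2)   }
    [pscustomobject]@{ Name = 'cdoe';   LastWriteTime = $now.AddDays(-200) }
    [pscustomobject]@{ Name = 'dlee';   LastWriteTime = $now.AddDays(-5)   }
    [pscustomobject]@{ Name = 'Public'; LastWriteTime = $now.AddDays(-400) }
)

# Reports only 'cdoe': ASmith matches an account, dlee is inside the grace
# period, Public is excluded.
Get-OrphanedHomeFolder -AccountName $accounts -Folder $folders `
    -Exclude 'Public' -Now $now

# In a scheduled task the inputs would come from the directory and the file
# server instead (the share path is a hypothetical placeholder):
#   $accounts = Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName
#   $folders  = Get-ChildItem -Directory '\\fileserver\home$'
```

Reviewing the report before moving or removing anything keeps a failed directory query or a renamed account from turning into data loss.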
OK, I have an odd problem. I have just created two fresh Server 2012 installs... no updates, nothing, just straight out of the box. They are called dc1 and dc2.
dc1 has the Active Directory role installed and is promoted to a DC; the wizard installs DNS etc... all the defaults. The domain name is test.local; it reboots and I can log in fine.
dc2 is then joined to the domain, has the Active Directory role installed, reboots, then I promote it to a second domain controller. DC1 holds the FSMO roles. I want to demote DC1 to ensure DC2 takes over, so I transfer the FSMO roles to DC2 and demote DC1. It gives me a warning about the domain and forest DNS zones partitions (I select remove to proceed with the wizard). I run the fixfsmo.vbs script on DC2 to check if the domain and forest DNS zones partitions are now being held by DC2, and the script reports back that they are... all looks smooth.
BUT... when I go to log into DC1, it now gives me the message "there are currently no logon servers available to service the logon request", yet the IP address of the DC1 network adapter is pointing to DC2 (and itself, but that's second in the list). If DC2 is now the role holder for everything, and has DNS installed (all by the wizard), why can't I log in?
Thanks
Steve
Hi everyone,
Here is the story. I have 2 domain controllers: 1. pv-dc01 and 2. pv-dc01rep (replica). The software that I have used for the servers is the Server 2012 evaluation. Now, as you may know, before activating this software I needed to disjoin the domain controllers. So I did that.
First I did it to pv-dc01rep. The procedure was good. Now, after I demoted pv-dc01, I couldn't rejoin it again! I've tried to add the domain controller to an existing domain and got the following message: Verification of replica failed. Failed to examine Active Directory forest. The error was: Expected value ridMasterDSA.parentDN not found.
Can anyone please help me with this? Thanks in advance!
Hello,
We're using the process outlined in the Migrating SYSVOL to DFS Replication whitepaper (http://go.microsoft.com/fwlink/?LinkId=150375) to migrate from FRS to DFS-R in our Windows 2008 domain. All our DCs (11 total) are Windows 2008 SP2 servers (not R2). We kicked off the command dfsrmig /SetGlobalState 1 on the PDC emulator. The process copied the SYSVOL correctly to all the DCs.
When it attempted to create the replication links, it never completed to the Prepared state. If I run the dfsrmig /getglobal state, this is what returns. It has been hung in this state for a few days.
The following Domain Controllers are not in sync with Global state ('Prepared')
Domain Controller (Local Migration State) - DC Type
===================================================
AD1 ('Start') - Writable DC
DC1 ('Preparing') - Primary DC
DC2 ('Preparing') - Writable DC
DC3 ('Preparing') - Writable DC
DC4 ('Preparing') - Writable DC
DC5 ('Preparing') - Writable DC
DC6 ('Preparing') - Writable DC
DC7 ('Preparing') - Writable DC
DC8 ('Preparing') - Writable DC
AD2 ('Waiting For Initial Sync') - Writable DC
DC9 ('Waiting For Initial Sync') - Writable DC
The server in question is AD1. AD1 is in the same site as DC1. Below is an entry from the DFSR log on AD1.
20130622 07:20:53.576 5768 SYSM 606 [ERROR] Migration::SysvolMigrationTask::Step [MIG] Failed Migration task. Error:
+ [Error:997(0x3e5) Migration::SysVolMigration::Migrate migrationserver.cpp:1220 5768 W Overlapped I/O operation is in progress.]
+ [Error:997(0x3e5) Migration::SysVolMigration::StepToNextStableState migrationserver.cpp:1291 5768 W Overlapped I/O operation is in progress.]
+ [Error:997(0x3e5) Migration::SysVolMigration::Prepare migrationserver.cpp:1451 5768 W Overlapped I/O operation is in progress.]
+ [Error:997(0x3e5) Migration::SysVolMigration::CreateJunctionPointsForDfsrSysvolFolder migrationserver.cpp:2716 5768 W Overlapped I/O operation is in progress.]
+ [Error:997(0x3e5) Migration::SysVolUtil::GetLsaDnsDomainName migrationserver.cpp:5448 5768 W Overlapped I/O operation is in progress.]
+ [Error:997(0x3e5) Migration::SysVolUtil::GetLsaDnsDomainName migrationserver.cpp:5421 5768 W Overlapped I/O operation is in progress.]
I also noticed this error in the log:
20130622 13:05:04.445 1600 CXML 2716 [ERROR] Config::XmlReader::ReadVolumeConfig Failed to Open() rKey:System\CurrentControlSet\Services\DFSR\Parameters\Volumes Error:[Error:2(0x2) BaseRegKey::Open regkey.cpp:165 1600 W The system cannot find the file specified.]
The registry container above does not exist, although it does on DC1.
On DC4 (a DC in another site), I see the following in the logs. This appears to be the "overlapping I/O operation in progress"
20130622 07:28:14.421 6996 SYSM 606 [ERROR] Migration::SysvolMigrationTask::Step [MIG] Failed Migration task. Error:
+ [Error:997(0x3e5) Migration::SysVolMigration::Migrate migrationserver.cpp:1220 6996 W Overlapped I/O operation is in progress.]
+ [Error:997(0x3e5) Migration::SysVolMigration::StepToNextStableState migrationserver.cpp:1291 6996 W Overlapped I/O operation is in progress.]
+ [Error:997(0x3e5) Migration::SysVolMigration::Prepare migrationserver.cpp:1451 6996 W Overlapped I/O operation is in progress.]
+ [Error:997(0x3e5) Migration::SysVolMigration::CreateJunctionPointsForDfsrSysvolFolder migrationserver.cpp:2716 6996 W Overlapped I/O operation is in progress.]
+ [Error:997(0x3e5) Migration::SysVolUtil::GetLsaDnsDomainName migrationserver.cpp:5448 6996 W Overlapped I/O operation is in progress.]
+ [Error:997(0x3e5) Migration::SysVolUtil::GetLsaDnsDomainName migrationserver.cpp:5421 6996 W Overlapped I/O operation is in progress.]
20130622 07:28:54.546 6996 DOWN 3991 [ERROR] DownstreamTransport::EstablishSession Failed on connId:{937D492E-1DDE-4D2B-84DA-C2CF6C0E79A4} csId:{B0B9BA3F-2BAC-4630-B8C5-F81324281F0D} rgName: Error:
+ [Error:9027(0x2343) DownstreamTransport::EstablishSession downstreamtransport.cpp:3984 6996 C A failure was reported by the remote partner]
+ [Error:9028(0x2344) DownstreamTransport::EstablishSession downstreamtransport.cpp:3984 6996 C The content set was not found]
20130622 07:28:54.546 6996 INCO 3722 InConnection::RestartSession Retrying establish contentset session. connId:{937D492E-1DDE-4D2B-84DA-C2CF6C0E79A4} csId:{B0B9BA3F-2BAC-4630-B8C5-F81324281F0D} csName:Source
20130622 07:28:54.546 6996 INCO 850 [WARN] SessionTask::Step (Ignored) Failed, should have already been processed. Error:
+ [Error:9027(0x2343) InConnection::EstablishSession inconnection.cpp:3813 6996 C A failure was reported by the remote partner]
+ [Error:9027(0x2343) DownstreamTransport::EstablishSession downstreamtransport.cpp:4005 6996 C A failure was reported by the remote partner]
+ [Error:9027(0x2343) DownstreamTransport::EstablishSession downstreamtransport.cpp:3984 6996 C A failure was reported by the remote partner]
+ [Error:9028(0x2344) DownstreamTransport::EstablishSession downstreamtransport.cpp:3984 6996 C The content set was not found]
20130622 07:29:40.271 6788 MEET 1294 Meet::Install Retries:11 updateName:server.ini uid:{9CCB9278-4DB8-47EC-87F6-4BFFE06F4BBC}-v330196 gvsn:{E718094C-BCD5-42FE-9947-644AB028EDC8}-v128559317 connId:{B45EA904-73B7-47EC-AE48-B8CFE7790AB7} csName:Source updateType:remote
20130622 07:29:40.271 6788 MEET 1314 Meet::Install Retry RDC download as Raw. updateName:server.ini uid:{9CCB9278-4DB8-47EC-87F6-4BFFE06F4BBC}-v330196 gvsn:{E718094C-BCD5-42FE-9947-644AB028EDC8}-v128559317 connId:{B45EA904-73B7-47EC-AE48-B8CFE7790AB7}
csName:Source
20130622 07:29:40.271 6788 MEET 5915 Meet::LocalDominates Conflicting gvsn:{9CCB9278-4DB8-47EC-87F6-4BFFE06F4BBC}-v784668 updateName:server.ini uid:{9CCB9278-4DB8-47EC-87F6-4BFFE06F4BBC}-v330196 gvsn:{E718094C-BCD5-42FE-9947-644AB028EDC8}-v128559317 connId:{B45EA904-73B7-47EC-AE48-B8CFE7790AB7}
csName:Source
20130622 07:29:40.271 6788 DOWN 4747 [ERROR] DownstreamTransport::RawGet Failed on connId:{B45EA904-73B7-47EC-AE48-B8CFE7790AB7} csId:{B0B9BA3F-2BAC-4630-B8C5-F81324281F0D} rgName:update:
Is it possible that another DFS-R problem is keeping our DFS-R migration from occurring?
Thank you.
I have an issue: I am in a computer lab and I created a sequence of names in the domain. I once created and assigned a user on all computers. After some days I, as administrator, couldn't install or log in to that computer; it showed wrong password. But the user can log in.
I don't know what the issue is. I thought it was because of duplicate names in the AD, and I changed the name; sometimes it works, sometimes not. And now more computers are having the same issue.
Hi everybody,
I have a general question about the SID-History / netlogon technologies in a cross-forest environment during a migration.
We have the following situation:
Now the following behaviour occurs:
Our expectation was that the newly created user should get access to the share in the source domain, because the ACL contains only groups whose SIDs should be in the access token of the user (via the SID-History), independent of the group scope.
Is this behaviour by design? Are we missing something?
Could someone explain the technical background of this behaviour?
This would be very appreciated. Many thanks in advance.
Best Regards
Manuel
Hello,
This is with respect to an RODC setup in a remote site.
I have installed an RODC in the remote site (without any credential caching); all the administration is done from the central site.
I also installed the RODC pack KB944043 v5 on all the clients and Windows 2003 servers. The situation is that whenever I do an nltest from any of the clients\servers in the remote site, it was still pointing to the Windows 2003 servers instead of the RODC. Later I set the registry value (AutoSiteCoverage to 0), which fixed the issue of the 2003 servers, but then with nltest the central 2008 server writable DCs were showing up.
Ideally, should nltest show the site \ DC that the client is a member of?
As there is no credential caching, when the RODC is forwarding the authentication requests to a writable DC, will there be any slow response in the logon process, provided the WAN is up?
-Shravan
Hi Guys
I have a Cisco ASA with a remote user VPN doing LDAP authentication against a Windows Server 2012 Domain Controller. I have set tonnes of these up without any problems when connecting to a Windows Server 2008 DC, and have not had to change much on the server - just ensure that there is an account that the ASA can use to run LDAP queries against the DC.
On my new 2012 server, it looks like the authentication from the ASA is being rejected because it's trying to use simple LDAP authentication. Is this not allowed in Server 2012? I can see that the correct credentials are coming through on my Wireshark capture, but the server rejects them stating that they are invalid.
I know that the account works as I can log on from a domain-joined machine with the same credentials that the ASA uses. I have also ensured that the ASA account has the correct permissions.
If simple LDAP binds are not allowed, and I cannot or should not enable them, should I use LDAP-over-SSL? This setup is for a small customer without a PKI infrastructure, so I'd have to install a root CA on the domain controller and use it to manage all of the certificates etc.
Otherwise, if anyone is able to point me in the right direction for setting up Kerberos (sasl-mechanism) with the ASA, then I will happily give that a go, but I haven't had much luck googling it so far.
Really appreciate any responses. Thanks for your time.
Jon
I have a script which I have edited, and I tried to run it from my machine (Windows 7), which has AD and permission for me to add and remove student users manually. I have a few questions: do I need to run the script on the domain controller server, or could I just do it from my PC? Secondly, do you have any clue why I'm having this error below? Next, how do I change the path where the CSV file is located (now it's in C:windows\system32)? Thanks
My PS script
Import-Module ActiveDirectory
$Users = Import-Csv -Delimiter ";" -Path ".\userslist1.csv"
foreach ($User in $Users)
{
    $OU = "OU=StudentOU,OU=UplandsSchool,DC=uplands,DC=com"
    $Password = $User.password
    $Detailedname = $User.firstname + " " + $User.name
    $UserFirstname = $User.Firstname
    $FirstLetterFirstname = $UserFirstname.substring(0,1)
    $SAM = $FirstLetterFirstname + $User.name
    New-ADUser -Name $Detailedname -SamAccountName $SAM -UserPrincipalName $SAM -DisplayName $Detailedname -GivenName $user.firstname -Surname $user.name -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) -Enabled $true -Path $OU
}
Error message
PS C:\Users\cdoss> C:\Users\cdoss\Desktop\ADProject\Source4\UserCreate.ps1
New-ADUser : The server is unwilling to process the request
At C:\Users\cdoss\Desktop\ADProject\Source4\UserCreate.ps1:11 char:15
+ New-ADUser <<<< -Name $Detailedname -SamAccountName $SAM -UserPrincipalName $SAM -DisplayName $Detailedname -GivenName $user.firstname -Surname $user.name -AccountPassword (Con
vertTo-SecureString $Password -AsPlainText -Force) -Enabled $true -Path $OU
+ CategoryInfo : NotSpecified: (CN=Carlson MILL...=uplands,DC=com:String) [New-ADUser], ADException
+ FullyQualifiedErrorId : The server is unwilling to process the request,Microsoft.ActiveDirectory.Management.Commands.NewADUser
Hi,
We got a new DC on 2012; we have 2 DFS namespaces hosted on two 2008 R2 DCs.
If I try to access these from Server 2012 I get wrong parameter on each folder... same via \\domain.fqdn and \\domain...
If I try to access the servers via IP I can access the namespace folder, but on every link I get network path not found.
Tracing via netmon shows that the SMB error status_path_uncovered occurred if I access via IP.
DNS is working correctly. What is also weird is that if I view the properties of the DFS namespace via \\domain, it looks like a normal share, also on the target links; no DFS tabs are shown. We have the same setup on other domains, and there the DFS tabs are shown if I browse from Server 2012 to the namespace...
I insert a netmon trace; the block below appears if I click a folder and get wrong parameter. Maybe someone knows what's wrong with this. I can access all DFS link targets using their real FQDN; all is accessible, but nothing via the DFS path.
Thanks, Harald
We are trying to create a standalone instance of AD LDS on a member server, and any help/advice you could give us would be appreciated.
I have followed the instructions as per the Microsoft Technet site and everything seems to work correctly up to the point of running the following command:-
Ldifde –I –f solutions4it.ldf –c –DC=X DC=******,DC=****,DC=****,DC=***,DC=uk –j c:\windows\adam
This returns the following error log file:-
Connecting to "****-***.****.****.****.uk"
Logging in as current user using SSPI
Importing directory from file "solutions4it.ldf"
Loading entries
1: cn=Account-Name-History,cn=Schema,cn=Configuration,DC=******,DC=****,DC=****,DC=***,DC=**
Entry DN: cn=Account-Name-History,cn=Schema,cn=Configuration,DC=******,DC=****,DC=****,DC=***,DC=**
changetype: add
Attribute 0) objectClass:attributeSchema
Attribute 1) attributeId:1.2.840.113556.1.4.1307
Attribute 2) ldapDisplayName:accountNameHistory
Attribute 3) attributeSyntax:2.5.5.12
Attribute 4) adminDescription:Account-Name-History
Attribute 5) adminDisplayName:Account-Name-History
Attribute 6) schemaIDGUID: UNPRINTABLE BINARY(16)
Attribute 7) oMSyntax:64
Attribute 8) systemFlags:16
Attribute 9) systemOnly:FALSE
Add error on entry starting on line 15: No Such Object
The server side error is: 0x208d Directory object not found.
The extended server error is:
0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=****,DC=****,DC=***,DC=**'
0 entries modified successfully.
An error has occurred in the program
Thanks
Hi,
We have 10 sites in our domain environment. All the subnets are mapped to the respective sites. But when I ping domain.local from Site 1, it's randomly resolving to other sites' domain controller IPs, which are only accessible through the domain controller. My IP subnet is mapped to Site 1, so why is it going to other sites? The same is happening for other sites as well.
Is there any way to resolve this? Please provide the solution for this.
Regards,
Vijeesh
We have an existing AD Integrated PKI running on Windows 2003. We are looking to migrate the Domain to Windows 2012 DCs but wanted to know if we need to migrate the PKI first or if it can be left in place on 2003. None of the current DCs have certificate services installed on them.
Thanks.
Thanks for any help given!
I have configured my Server 2008 R2 box with AD and DNS etc. to enable RD Web Access and RemoteApp running.
My users can log in to the RD Web Access screen through IE using the credentials I gave them in AD, but when they select the app and connect they get 'The remote computer could not be found. Please contact your helpdesk about this error.'
What I find really strange is I have 3 other boxes exactly the same that all offer different apps to users, but this one will not play ball. I also have ports 88, 135, 139, 389, 445, 464 and 593 disabled, to give a clearer picture.
Thanks again
Hi,
I have Windows Server 2008 Enterprise and have 2 Domain Controllers in my Company:
My (PDC) was down due to Hardware failure, but somehow I got a chance to get it up and transferred(5) FSMO Roles from (PDC) to (ADC).
Now my (PDC) is rectified and UP with same configurations and settings. (I did not install new OS or Domain Controller in existing PDC Server).
Finally I want it to move back the (FSMO Roles) from (ADC) to (PDC) to get UP and operational my (PDC) as Primary. (Before Disaster my PDC had 5 FSMO Roles).
Here I want to know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles both on (PDC) and (ADC)” ?
In case if Primary (DC) fails then automatically other Additional (DC) should take care without any problem in live environment.
Example like (FSMO Roles Distribution between both Servers) should be……. ???
Please let me know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles”.
I will be waiting for your valuable comments.
Regards,
Muhammad Daud
Hi
I've just performed a test, as I've suspected recently that users were able to log into laptops whose computer account had been deleted.
Basically, the test I performed was to create a new Windows 7 VM and join it to our domain. I then logged in as myself to create my profile and make sure domain users could log into it. I then turned the VM off and deleted its computer account. After that I turned the VM back on, and logged in using a test user domain account which hadn't logged in before and therefore wasn't logging into a cached profile.
I'm obviously finding it difficult to understand (as well as very worrisome) that users would be able to log into computers on our domain which don't have computer accounts. From my understanding, when a user logs into a computer, the computer first sends its username and password to a DC for authentication, and then only if those credentials are authenticated will it pass the user's credentials to the DC. So how can the computer be being authenticated when it doesn't have a computer account? Maybe I just misunderstood when I did my AD certification.
Also, all this work was done within the same AD site, so site-to-site replication times don't factor into it.
Approximately 3 years ago we brought our network management in-house, having had it previously managed by the now bankrupt 2e2. When we were being managed by them, without us knowing, they changed our user password policy so that users could have a password of 0 characters, no lock-out policy, etc. (basically setting a password policy where users didn't actually need a password). We have obviously fixed this and brought in a much stricter policy. I'm suspecting they may have done something with the computer policy but I don't know where to verify that.
Any help would be much appreciated.
David