Multihoming on a Windows Server 2008 R2 Domain Controller
Password change problem at site with RODC
Error message when I try to change the password of an account that is in the RODC site:
"There are currently no logon servers available to meet the logon request"
- The RODC server is a VM managed with SCVMM.
How can I find out whether a user has the right to change the password of another user?
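One way to answer the last question for a specific account, as an added example that is not part of the original post: read the security descriptor of the user object through the ActiveDirectory module's AD: drive and list every ACE that grants (or denies) the Reset Password or Change Password extended right, or full control. The two extended-right GUIDs are the well-known controlAccessRight values from the AD schema; the account name jdoe and the function name are assumptions. Group membership of the trustee is not expanded, so a row naming a group means "members of that group".

```powershell
Import-Module ActiveDirectory   # also mounts the AD: drive used by Get-Acl below

# Well-known controlAccessRight GUIDs from the AD schema
$ResetPasswordGuid  = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password ("Reset Password")
$ChangePasswordGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # User-Change-Password ("Change Password")
$AllExtendedGuid    = [guid]::Empty                                  # empty ObjectType = every extended right

function Get-PasswordRightHolders {
    # Lists who can reset or change one user's password, read from that user's own ACL.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

    foreach ($ace in $acl.Access) {
        $rights   = [int]$ace.ActiveDirectoryRights
        $extended = ($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        $fullCtl  = ($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0

        $right = $null
        if ($fullCtl) {
            $right = 'Full Control (includes Reset Password)'
        } elseif ($extended) {
            switch ($ace.ObjectType) {
                $ResetPasswordGuid  { $right = 'Reset Password' }
                $ChangePasswordGuid { $right = 'Change Password' }
                $AllExtendedGuid    { $right = 'All extended rights (includes Reset Password)' }
            }
        }
        if (-not $right) { continue }

        [pscustomobject]@{
            Trustee   = $ace.IdentityReference.Value
            Right     = $right
            Type      = $ace.AccessControlType      # Allow or Deny; a Deny overrides an Allow
            Inherited = $ace.IsInherited            # $false = set directly on this user object
        }
    }
}

# Usage: who can reset jdoe's password? (jdoe is an assumed account name)
Get-PasswordRightHolders -SamAccountName 'jdoe' | Sort-Object Type, Trustee | Format-Table -AutoSize
```

Reset Password is the right a help desk needs to set a new password without knowing the old one; Change Password is normally granted to Everyone and SELF and only lets you change your own password by supplying the current one. A Deny row for a trustee cancels any Allow row for the same trustee.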
Force FRS replication from a Windows 7 PC
Eventually we plan to migrate to DFSR SYSVOL replication, but for the time being we are still using FRS (we still have a bunch of 2000 DCs).
I already found out that you can't install ntfrsutl on a Windows 7 PC.
I restarted the ntfrs service on the DC holding all master roles, then restarted the service on the DC I wanted to replicate to, but SYSVOL replication did not take place (I verified this by confirming that a new GPO was not replicated to the SYSVOL folder on the other DC). I also completely rebooted the DC I wanted to replicate to (if that would even make a difference), which did not cause replication to take effect.
I want to be able to force SYSVOL replication on a whim without having to wait for our replication schedule to kick in.
How can I force ntfrs replication from my Windows 7 PC?
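ntfrsutl ships on every domain controller, so the usual way to drive it from a Windows 7 workstation is to run it on the DC over PowerShell remoting rather than installing it locally. The block below is an added example, not from the original post. It assumes PowerShell remoting is enabled on the DCs (Enable-PSRemoting on each DC, WinRM reachable from the workstation), that the caller is a Domain Admin, and that the workstation has RSAT with the GroupPolicy module. The host names dc1/dc2.corp.example.com, the domain corp.example.com and the GPO name are placeholders. That forcerepl makes the named computer replicate from the /p partner is treated here as an assumption; if the change still does not arrive, check the File Replication Service event log on the destination for 13508 (replication trouble) and 13509 (resolved) before trying again.

```powershell
# Drive ntfrsutl on a DC from a Windows 7 workstation over WinRM
Import-Module GroupPolicy

$SourceDc      = 'dc1.corp.example.com'     # DC where the new GPO was created (placeholder)
$DestinationDc = 'dc2.corp.example.com'     # DC that has not received it yet (placeholder)
$DomainDns     = 'corp.example.com'         # placeholder
$SysvolSet     = 'Domain System Volume (SYSVOL share)'   # FRS replica set name for SYSVOL

function Invoke-SysvolForceRepl {
    # Runs on the destination DC: asks its FRS service to replicate the SYSVOL replica set
    # with the named partner now instead of waiting for the schedule.
    param([string]$Destination, [string]$Source, [string]$SetName)
    Invoke-Command -ComputerName $Destination -ArgumentList $Source, $SetName -ScriptBlock {
        param($Partner, $Set)
        ntfrsutl forcerepl $env:COMPUTERNAME /r $Set /p $Partner
    }
}

function Test-GpoOnSysvol {
    # $true when the GPO's folder exists in a DC's SYSVOL share; the folder is named after the GPO GUID
    param([string]$GpoName, [string]$Dc, [string]$Domain)
    $id = (Get-GPO -Name $GpoName).Id
    Test-Path -LiteralPath ('\\{0}\SYSVOL\{1}\Policies\{{{2}}}' -f $Dc, $Domain, $id)
}

$Gpo = 'New Policy'   # placeholder GPO name
'Before: source={0} destination={1}' -f (Test-GpoOnSysvol $Gpo $SourceDc $DomainDns), (Test-GpoOnSysvol $Gpo $DestinationDc $DomainDns)
Invoke-SysvolForceRepl -Destination $DestinationDc -Source $SourceDc -SetName $SysvolSet
Start-Sleep -Seconds 30
'After:  source={0} destination={1}' -f (Test-GpoOnSysvol $Gpo $SourceDc $DomainDns), (Test-GpoOnSysvol $Gpo $DestinationDc $DomainDns)
```

The Test-GpoOnSysvol check is the same verification described in the post (does the new GPO's folder exist on the other DC), just done from the workstation against both SYSVOL shares before and after the forced replication.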
AD Notes Field - Please help with this script
Option Explicit
Dim strNotes, strFile, objFSO, objFile, strDN, objGroup
Const ForReading = 1
' Notes to be added to all groups.
strNotes = "This is a test," & vbCrLf & "This is only a test."
' Specify the file of group DNs (one distinguished name per line).
strFile = "c:\Scripts\Groups.txt"
' Open the file for reading.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strFile, ForReading)
' Read each line of the file.
Do Until objFile.AtEndOfStream
    strDN = Trim(objFile.ReadLine)
    ' Skip blank lines.
    If (strDN <> "") Then
        ' Bind to the group.
        Set objGroup = GetObject("LDAP://" & strDN)
        ' Assign the value to the info attribute (Notes).
        objGroup.info = strNotes
        ' Save the change in Active Directory.
        objGroup.SetInfo
    End If
Loop
' Clean up.
objFile.Close
This script gives an error: Error at Line 5
Character 17
Error: expected "="
Can somebody please check it and help out?
Revoke permissions from the ACL of all user objects within an OU
I need to revoke the explicit permissions assigned to Account Operators on all user objects under an OU, but I cannot seem to find a way to do this on multiple objects. DSACLS works fine if I specify an exact object, but I can't find a way to change all objects under an OU. I also tried to pipe the results of a dsquery to dsacls, but it doesn't recognise the input.
Any help would be much appreciated.
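One way to do this over every user in the OU, as an added example rather than anything from the original post: use the ActiveDirectory module's AD: drive with Get-Acl and Set-Acl, and remove only the non-inherited ACEs whose trustee is BUILTIN\Account Operators. The function is a dry run unless -Commit is given; the OU distinguished name is a placeholder. Two caveats a practitioner would want: these ACEs on user objects come from the defaultSecurityDescriptor of the user class in the schema, so users created later will get them again unless that default is also changed; and on accounts protected by AdminSDHolder (adminCount=1) the SDProp process rewrites the ACL from CN=AdminSDHolder roughly hourly, so edits there do not stick.

```powershell
Import-Module ActiveDirectory   # provides the AD: drive

function Remove-ExplicitAceFromUsers {
    # Removes explicit (non-inherited) ACEs for one trustee from every user object under an OU.
    param(
        [Parameter(Mandatory)][string]$SearchBase,               # OU distinguished name
        [string]$Trustee = 'BUILTIN\Account Operators',          # IdentityReference exactly as Get-Acl shows it
        [switch]$Commit                                          # without this, only report
    )
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope Subtree
    foreach ($u in $users) {
        $path = "AD:\$($u.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $hits = @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -eq $Trustee })
        if ($hits.Count -eq 0) { continue }

        foreach ($ace in $hits) {
            # RemoveAccessRuleSpecific matches the ACE exactly, so no other entry is touched
            [void]$acl.RemoveAccessRuleSpecific($ace)
        }
        if ($Commit) { Set-Acl -Path $path -AclObject $acl }

        [pscustomobject]@{
            User        = $u.SamAccountName
            AcesRemoved = $hits.Count
            Applied     = [bool]$Commit
        }
    }
}

# Dry run first, then commit (the OU DN is a placeholder)
$ou = 'OU=Staff,DC=corp,DC=example,DC=com'
Remove-ExplicitAceFromUsers -SearchBase $ou | Format-Table -AutoSize
# Remove-ExplicitAceFromUsers -SearchBase $ou -Commit | Format-Table -AutoSize
```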
LAN Issues when the WAN link is down - with RODC
Hi all,
I have a really strange issue. One of my customer sites has a domain controller and an additional domain controller in the head office. The branch offices have RODCs. There are 6 sites including the head office, and all the subnets are properly configured.
The head office and branch offices are connected through a VPN connection. The VPN doesn't provide internet access, so servers and clients are configured using "route add" for the VPN connection. The IPv4 properties window has the internet router as the default gateway.
Anyway, when the VPN connection is up and running everything is OK. But when the VPN connection is down, all the branch offices are unable even to get printouts from the shared printers and unable to access shared folders. This is really strange, because when a user browses the LAN by typing an IP address there is no need for DNS or a gateway.
If we take a look at one branch office, its RODC has its own IP address as the "Preferred DNS server" and the head office DNS server IPs as the second and third. Clients are configured to use the local RODC server IP address as the "Preferred DNS server", the head office DNS server IPs as the second and third, and the ISP DNS server IPs after those.
When the connection to the writable DC is down, the RODC is unable to log in itself. It says "There are no logon servers available to service the logon request". But we have added the domain administrator to the "Allowed RODC Password Replication Group".
Please advise me on this and instruct me how to resolve the above issues.
Thank you,
Thisaru.
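A check a practitioner would run in this situation, added here as an example and not part of the original post. An RODC can only authenticate an account whose secret it has already cached; a Deny entry in the Password Replication Policy wins over any Allow entry, and the Denied RODC Password Replication Group contains Domain Admins by default, so adding an administrator to the Allowed group does not let the RODC cache that account. For branch users to reach a file or print server through the RODC with the WAN down, the server's computer account must be cached as well, and a secret is only cached after a successful logon while the writable DC is reachable (or after prepopulation). The function below works out the resultant policy for one account against one RODC and whether its secret is already cached; the names BRANCH-RODC01, jdoe and BRANCH-FS01$ are placeholders.

```powershell
Import-Module ActiveDirectory

function Get-RodcResultantPolicy {
    # Resultant PRP for one account on one RODC, plus whether the RODC already holds its secret.
    param([Parameter(Mandatory)][string]$Rodc,            # RODC computer name
          [Parameter(Mandatory)][string]$SamAccountName)  # user, or computer account ending in $

    $acct = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties objectSid, primaryGroupID
    if (-not $acct) { throw "Account $SamAccountName not found" }

    # Every group the account is in, nested (LDAP_MATCHING_RULE_IN_CHAIN), plus its primary group,
    # which is not listed in 'member' and has to be built from the domain SID + primaryGroupID
    $groups    = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($acct.DistinguishedName))"
    $domainSid = (Get-ADDomain).DomainSID.Value
    $sids      = @($acct.objectSid.Value, "$domainSid-$($acct.primaryGroupID)") +
                 @($groups | ForEach-Object { $_.SID.Value })

    $denied   = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
    $allowed  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
    $denyHit  = @($denied  | Where-Object { $sids -contains $_.SID.Value })
    $allowHit = @($allowed | Where-Object { $sids -contains $_.SID.Value })

    # Deny beats Allow; an account in neither list is not cached either
    $resultant = if ($denyHit.Count)      { 'Denied (deny wins)' }
                 elseif ($allowHit.Count) { 'Allowed' }
                 else                     { 'Denied (not in any list)' }

    $cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
              Where-Object { $_.SID.Value -eq $acct.objectSid.Value }

    [pscustomobject]@{
        Account       = $SamAccountName
        Resultant     = $resultant
        MatchedDeny   = ($denyHit  | ForEach-Object { $_.Name }) -join ', '
        MatchedAllow  = ($allowHit | ForEach-Object { $_.Name }) -join ', '
        AlreadyCached = [bool]$cached
    }
}

# Usage: a branch user and the branch file/print server against the branch RODC (placeholder names)
'jdoe', 'BRANCH-FS01$' |
    ForEach-Object { Get-RodcResultantPolicy -Rodc 'BRANCH-RODC01' -SamAccountName $_ } |
    Format-Table -AutoSize
```

An account that shows Resultant = Allowed but AlreadyCached = False has simply never logged on through that RODC while the WAN was up; AlreadyCached = True with the WAN down still needs the resource server's own account cached for Kerberos service tickets to be issued locally.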
Very very basic question about global catalog replication
Hi, I have a question about replicating the global catalog...
We have an organization with one domain and 20 domain controllers connected over a WAN.
How does the global catalog work? I mean that the global catalog in a single-domain forest is only a view of the domain partition. It is not replicated, there is no replication of data, it is only a view of the replicated data. Is that true?
With a multi-domain forest, only the data from the other domains is replicated; the own domain's data is again only a view of the regularly replicated domain partition..... OK?
Thanks for your answer
Falcon
Cross forest authentication with local resources
Hi,
I'm working on a project and in our test environment we're running into some challenges, and I'm wondering whether what we're trying to do is at all possible.
In our scenario:
ForestA (Windows 2008 R2): we have a Remote Desktop farm (rdsfarm), a file server, and roaming profiles and home drives provisioned through GPO. When ForestA users connect to rdsfarm, they have a roaming profile and home drive on the ForestA file server.
ForestB (Windows 2008 R2): AD users.
* One-way trust between ForestA (trusting) and ForestB (trusted) *
* Set up routing name suffixes across the forest on the ForestA domains and trust with the ForestB domain (@forestB.com)
* ForestA user account: changed the logon name DNS suffix to @ForestB.com
Goal: we have users with two AD accounts, one in ForestA and one in ForestB. These users with multiple AD accounts would like to use their ForestB logon credentials to get to ForestA resources (roaming profile/home drive) through rdsfarm.
Issue: with the current one-way trust setup, when a ForestA user logs on to rdsfarm using ForestB credentials, they get a local profile instead of the ForestA profile (roaming profile/home drive).
Let me know if it's clear and whether what we're trying to do is even possible.
Thanks!
Active Directory Sites and Services choosing wrong site
We have had our AD set up using Sites and Services for 6 months without any problem, but now I am upgrading our VPN and that is causing Sites and Services to show the machines in the wrong office. We were running a VPN between the two Cisco routers we had in each office; the new VPN is using OpenVPN.
Basically, if I am on the Cisco VPN everything operates as expected. As soon as I switch to the OpenVPN connection, the machines all think they are in the other office. If I run nltest /dsgetsite it shows the other site, the logon server shows the correct local server, and when I do DNS lookups they go through the local server correctly. When I do a DNS lookup of the domain it resolves to the local server.
Now, if I just disconnect the VPN between the offices everything resolves to the correct site, but as soon as it is back up the machines all think they are in the other office again.
In Sites and Services I have the subnets of the OpenVPN connection and each local subnet pointing to the correct site.
At this point I am at a complete loss and can't figure out what to do, and I have not seen or heard of someone experiencing a similar issue. I am thinking it is some sort of routing issue, but I have not been able to find many details on how Sites and Services actually works to pick the correct site other than the machine's subnet.
Deny Read access to System OU at root of domain to a computer potential impact
Hello,
I have an application that does a sync with AD to import the OU structure. It uses the server's machine account (computername$) to do the sync. I need to prevent it from syncing certain OUs which are not needed in the application. The application does not have any method for exclusions in the sync. I have tested doing exclusions by denying read access to the computername$ account in a given OU's security settings in ADUC. That appears to work. One of the OUs I need to prevent from being synced is the System OU at the root of the domain. If I deny read access to the server's computername$ account on the domain System OU, what impacts would that have on the server? Would it not be able to read/apply group policies? Any other impacts?
Thanks,
Joe
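The caveat a practitioner would raise here: the GPO containers (groupPolicyContainer objects, with gPCFileSysPath, versionNumber and flags) live in CN=Policies under CN=System, and the computer reads them with its own account during Group Policy processing, so an inheritable Read deny on CN=System would break policy application. The block below is an added example, not from the original post; it applies the deny on CN=System and then an explicit Allow on CN=Policies, which wins because explicit ACEs are evaluated before inherited ones and, on the GPO containers underneath, an ACE inherited from the nearer parent is evaluated before one inherited from further up. It also lists everything else that lives directly under CN=System so the hidden containers are known before committing. The computer name APPSRV01 is a placeholder. After committing, run gpupdate /force and gpresult /r /scope:computer on the server to confirm policy still applies.

```powershell
Import-Module ActiveDirectory

function Set-SystemContainerReadDeny {
    # Deny a computer account Read on CN=System and everything under it, while keeping an explicit
    # Allow on CN=Policies (where the GPO containers live). Dry run unless -Commit is given.
    param([Parameter(Mandatory)][string]$ComputerName, [switch]$Commit)

    $domainDn = (Get-ADDomain).DistinguishedName
    $systemDn = "CN=System,$domainDn"
    $polDn    = "CN=Policies,$systemDn"
    $sid      = (Get-ADComputer -Identity $ComputerName).SID
    $read     = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

    # Inventory first: every container listed here becomes invisible to the computer
    $children = Get-ADObject -SearchBase $systemDn -SearchScope OneLevel -Filter * |
                Select-Object Name, ObjectClass

    $deny  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                 $sid, $read, [System.Security.AccessControl.AccessControlType]::Deny,  $inherit)
    $allow = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                 $sid, $read, [System.Security.AccessControl.AccessControlType]::Allow, $inherit)

    $sysAcl = Get-Acl -Path "AD:\$systemDn"; $sysAcl.AddAccessRule($deny)
    $polAcl = Get-Acl -Path "AD:\$polDn";    $polAcl.AddAccessRule($allow)

    if ($Commit) {
        Set-Acl -Path "AD:\$systemDn" -AclObject $sysAcl
        Set-Acl -Path "AD:\$polDn"    -AclObject $polAcl
    }

    [pscustomobject]@{
        Computer       = $ComputerName
        DenyOn         = $systemDn
        AllowOn        = $polDn
        HiddenChildren = ($children | ForEach-Object { $_.Name }) -join ', '
        Applied        = [bool]$Commit
    }
}

Set-SystemContainerReadDeny -ComputerName 'APPSRV01' | Format-List     # dry run; APPSRV01 is a placeholder
# Set-SystemContainerReadDeny -ComputerName 'APPSRV01' -Commit
```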
Is there any way I can find the number of client computers in an Active Directory site?
I need to know the number of client machines in a site (AD site). I do not have access to the DHCP servers. I can see the subnet and find out how many IPs have been assigned to the site. But I need real-time numbers of computers logging in at those sites.
Cross Forest authentication issue Event ID 4625 and Netlogon logs
I have three forests, Forest A Forest B and Forest C.
Forest C is new; users in Forest A have never been able to authenticate.
Forest C has a one way non transitive trust with a domain in Forest B
Forest C has a one way transitive forest trust with Forest A.
Time is synced between all forests, the trusts have been validated, and SIDs are enumerating properly on all objects, which can be seen in the domain local groups and the foreign security principals.
Users in Forest A have been given permissions on devices in Forest C.
Users in Forest B have been given permissions on devices in Forest C.
Users in Forest B can authenticate to resources in Forest C; users in Forest A generate the error below when attempting to access the same resources. In this case it is an RDP session that is being initialized.
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: Computer.In.Forest.C$
Account Domain: Domain.In.Forest.C
Logon ID: 0x3E7
Logon Type: 10
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: UserInForestA
Account Domain: Domain.In.Forest.A
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000018B
Sub Status: 0x0
Process Information:
Caller Process ID: 0xb0
Caller Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: ServerInForestCwhereResourcesArePermissioned
Source Network Address: 10.10.10.10
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Netlogon logging is turned up; the results from the log are below. I didn't see anything glaring in there.
07/17 13:16:50 [LOGON] [544] SamLogon: Network logon of DomainInForestA\UserInForestA from ComputerInForestA Entered
07/17 13:16:50 [LOGON] [544] SamLogon: Network logon of DomainInForestA\UserInForestA from ComputerInForestA Returns 0x0
07/17 13:16:52 [LOGON] [544] SamLogon: Network logon of DomainInForestA\UserInForestA from ComputerInForestA Entered
07/17 13:16:52 [LOGON] [544] SamLogon: Network logon of DomainInForestA\UserInForestA from ComputerInForestA Returns 0x0
07/17 13:16:54 [MISC] [544] DsGetDcName function called: client PID=1576, Dom:DomainInForestA Acct:(null) Flags: RET_DNS
07/17 13:16:54 [MISC] [544] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c03ffff1
07/17 13:16:54 [MISC] [544] NetpDcGetName: DomainInForestA using cached information ( NlDcCacheEntry = 0x000000AB4AA546F0 )
07/17 13:16:54 [MISC] [544] DsGetDcName: results as follows: DCName:\\DCinFOrestA.DomainInForestA DCAddress:\\IPV6AddressDCAddrType:0x1 DomainName:DomainInForestA DnsForestName:ForestA Flags:0xe00031fc DcSiteName:NameofDCsite ClientSiteName:NameOfClientSite
07/17 13:16:54 [MISC] [544] DsGetDcName function returns 0 (client PID=1576): Dom:DomainInForestA Acct:(null) Flags: RET_DNS
07/17 13:16:54 [MISC] [2556] DsGetDcName function called: client PID=4, Dom:DomainInForestC.Some.Domain.Path Acct:(null) Flags: IP KDC
07/17 13:16:54 [MISC] [2556] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c03ffff1
07/17 13:16:54 [MISC] [2556] NetpDcGetName: DomainInForestC.Some.Domain.Path cache is too old. 8224062
07/17 13:16:54 [MAILSLOT] [2556] NetpDcPingListIp: DomainInForestC.Some.Domain.Path: Sent UDP ping to IPV6Address
07/17 13:16:54 [MISC] [2556] NlPingDcNameWithContext: Sent 1/1 ldap pings to DCinForestC.DomainInForestC..Some.Domain.Path
07/17 13:16:54 [MISC] [2556] NetpDcAllocateCacheEntry: new entry 0x000000AB4AB36260 -> DC:DCinForestC DnsDomName:DomainInForestC..Some.Domain.Path Flags:0x73fd
07/17 13:16:54 [MISC] [2556] NlPingDcNameWithContext: DCinForestC.DomainInForestC..Some.Domain.Path responded over IP.
07/17 13:16:54 [MISC] [2556] NetpDcGetName: DomainInForestC..Some.Domain.Path using cached information ( NlDcCacheEntry = 0x000000AB4AB36260 )
07/17 13:16:54 [MISC] [2556] NetpDcDerefCacheEntry: destroying entry 0x000000AB4AB426A0
07/17 13:16:54 [MISC] [2556] DsGetDcName: results as follows: DCName:\\DCinForestC.DomainInForestC..Some.Domain.Path DCAddress:\\IPV6Address DCAddrType:0x1 DomainName:DomainInForestC.Some.Domain.Path DnsForestName:DomainInForestC.Some.Domain.Path Flags:0xe00073fd
DcSiteName:Default-First-Site-Name ClientSiteName:Default-First-Site-Name
07/17 13:16:54 [MISC] [2556] DsGetDcName function returns 0 (client PID=4): Dom:DomainInForestC.Some.Domain.Path Acct:(null) Flags: IP KDC
07/17 13:16:54 [SESSION] [1200] I_NetLogonGetAuthData called: (null) DomainInForestC (Flags 0x1)
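In a 4625 the Status and Sub Status fields are NTSTATUS codes and carry more information than the generic "An Error occurred during Logon" text; 0xC000018B is STATUS_NO_TRUST_SAM_ACCOUNT. The decoder below is an added example, not part of the original post: it parses an event pasted in the form shown above (the sample input is constructed from the post's event) and looks the codes up in a table of the common 4625 values, and the second function does the same for live events read with Get-WinEvent. The status descriptions follow the NTSTATUS definitions; the table is not exhaustive.

```powershell
# Decoder for 4625 "An account failed to log on": Status and Sub Status are NTSTATUS codes.
$NtStatus = @{
    '0xC000005E' = 'STATUS_NO_LOGON_SERVERS: no logon servers available to service the request'
    '0xC0000064' = 'STATUS_NO_SUCH_USER: user name does not exist'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD: user name correct, password wrong'
    '0xC000006D' = 'STATUS_LOGON_FAILURE: bad user name or password (Sub Status says which)'
    '0xC000006F' = 'STATUS_INVALID_LOGON_HOURS: outside permitted logon hours'
    '0xC0000070' = 'STATUS_INVALID_WORKSTATION: logon not allowed from this workstation'
    '0xC0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC0000133' = 'STATUS_TIME_DIFFERENCE_AT_DC: clock skew too large'
    '0xC000015B' = 'STATUS_LOGON_TYPE_NOT_GRANTED: account lacks the logon right for this logon type'
    '0xC000018B' = 'STATUS_NO_TRUST_SAM_ACCOUNT: the SAM database on this server has no computer or trust account for this workstation/trusted domain'
    '0xC000018C' = 'STATUS_TRUSTED_DOMAIN_FAILURE: trust relationship to the primary domain failed'
    '0xC000018D' = 'STATUS_TRUSTED_RELATIONSHIP_FAILURE: trust relationship with the trusted domain failed'
    '0xC0000193' = 'STATUS_ACCOUNT_EXPIRED'
    '0xC0000224' = 'STATUS_PASSWORD_MUST_CHANGE'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xC0000413' = 'STATUS_AUTHENTICATION_FIREWALL_FAILED: selective authentication denied the account'
}

function ConvertTo-NtStatusText([string]$Code) {
    # Normalise '0xc000018b', '0xC000018B' or '0x0' to 0xXXXXXXXX and look it up
    if (-not $Code) { return 'n/a' }
    $key = '0x{0:X8}' -f [Convert]::ToUInt32(($Code -replace '^0x'), 16)
    if ($key -eq '0x00000000') { return 'none' }
    if ($NtStatus.ContainsKey($key)) { "$key $($NtStatus[$key])" } else { "$key (not in table)" }
}

function Get-EventField([string]$Text, [string]$Name) {
    # Value of the first "Name: value" line in the event body
    if ($Text -match "(?m)^\s*$([regex]::Escape($Name)):\s*(\S.*?)\s*$") { $Matches[1] } else { $null }
}

function ConvertFrom-Event4625Text {
    # Parses the event as shown in Event Viewer's General tab (or pasted into a post)
    param([Parameter(Mandatory)][string]$Text)
    # "Account Name"/"Account Domain" occur twice; the target is the block after this heading
    $target = ($Text -split 'Account For Which Logon Failed')[-1]
    [pscustomobject]@{
        TargetUser  = '{0}\{1}' -f (Get-EventField $target 'Account Domain'), (Get-EventField $target 'Account Name')
        LogonType   = Get-EventField $Text 'Logon Type'
        Workstation = Get-EventField $Text 'Workstation Name'
        Source      = Get-EventField $Text 'Source Network Address'
        Status      = ConvertTo-NtStatusText (Get-EventField $Text 'Status')
        SubStatus   = ConvertTo-NtStatusText (Get-EventField $Text 'Sub Status')
    }
}

function Get-FailedLogon {
    # Same decode for live events from the Security log of the server that logged the 4625
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } |
      ForEach-Object {
        $d = @{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            TargetUser  = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
            LogonType   = $d.LogonType
            Workstation = $d.WorkstationName
            Source      = $d.IpAddress
            Status      = ConvertTo-NtStatusText $d.Status
            SubStatus   = ConvertTo-NtStatusText $d.SubStatus
        }
      }
}

# Sample input, constructed from the event quoted in the post above
$sample = @'
An account failed to log on.
Subject:
 Account Name: Computer.In.Forest.C$
 Account Domain: Domain.In.Forest.C
Logon Type: 10
Account For Which Logon Failed:
 Security ID: NULL SID
 Account Name: UserInForestA
 Account Domain: Domain.In.Forest.A
Failure Information:
 Status: 0xC000018B
 Sub Status: 0x0
Network Information:
 Workstation Name: ServerInForestCwhereResourcesArePermissioned
 Source Network Address: 10.10.10.10
'@
ConvertFrom-Event4625Text -Text $sample | Format-List
# Get-FailedLogon -Hours 4 | Format-Table -AutoSize
```

Run against the sample, the Status column reads 0xC000018B STATUS_NO_TRUST_SAM_ACCOUNT, which points at the trust or computer account lookup on the Forest C side rather than at the user's credentials; a bad password would have shown 0xC000006D with Sub Status 0xC000006A instead.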
AD authentication process
I have a query about the ideal timeout that is set before a user who is unable to communicate with the nearest available domain controller starts searching for an alternate DC for authentication.
Domain and Trust
Please.
When I open the Domains and Trusts console and try to set up a new trust relationship, the button is greyed out and disabled, and all the other options are greyed out too; I can't set a description, for example.
Why could that be?
How can I enable this option?
Maykoll
dynamically linked auxiliary class and ADUC issue
Hi,
I have just extended a 2008-based Active Directory schema in a lab environment with a single domain controller.
The goal was to add a new dynamically linked auxiliary class and assign it to specific users in the domain.
I did everything by the book, including allowing updates to the schema using the registry key, creating the new auxiliary class under the top level, and creating a new attribute and associating it with the newly created class.
All went fine without any errors (I restarted AD services as well as the DC itself). I then opened ADUC and added the new class to a specific AD user, again without any errors. However, when I closed ADUC and reopened it, displayed the properties for the user and clicked the Attribute Editor tab to see the new attribute, the table was empty (it was fully populated with all the default attributes before the change).
When I create a new user everything is in order, but I experience the same behaviour each time I add the class to the objectClass attribute.
Any ideas?
Thank you,
Gad
Sites and Services Subnet Overlap
Hi. During a domain migration I led here, I ended up hard-coding the site name of all workstations in the registry, because the automatic option was not working when a machine landed in the target domain, causing very slow authentication. Since then we've moved to a new office building and our network team has issued new IP subnets for all the floors. We recently discovered that there is subnet/site overlap with a sister company, and I'm not sure what kinds of problems we might experience.
The help desk isn't getting slammed with calls that might lead one to see an obvious issue, and apparently the subnets in question are RFC 1918 (whatever that means; I'm not a Cisco person). Re-IPing the floors here is a lot of work for the network team, so they are looking for a way out.
I do a lot with AD GPOs, but Sites and Services is not managed by us, so I'm wondering what kinds of problems to look out for.
Thanks,
MG
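The DC locator maps a client to a site by one rule: of all subnet objects in Sites and Services whose prefix contains the client's address, the most specific (longest prefix) wins, and an address covered by no subnet gets no site at all. The block below is an added example, not from any of the posts, that applies the same rule from the subnet objects in the directory; it serves the three threads above about the wrong site being chosen, counting computers per site, and subnet overlap. Resolve-ADSite shows which subnet won for an address and which other subnets also cover it, which is exactly the overlap case, and its result can be compared with what the client itself reports from nltest /dsgetsite. Get-ActiveComputersPerSite counts enabled computers whose current DNS address maps to each site; because lastLogonTimestamp is replicated with up to 14 days of slack this is "seen within the window" rather than real time, and a real-time figure needs the 4624 logon events on the DCs of the site. The address 10.20.30.40 is a placeholder.

```powershell
Import-Module ActiveDirectory

function ConvertTo-IPv4Number([string]$Address) {
    # Dotted quad to an integer so subnet masks can be applied with -band
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Get-ADSubnetTable {
    # Every IPv4 subnet object in Sites and Services with its site, numeric network and mask
    foreach ($s in Get-ADReplicationSubnet -Filter * -Properties Site) {
        if (-not ($s.Name -match '^(\d+\.\d+\.\d+\.\d+)/(\d+)$')) { continue }   # skips IPv6 subnets
        $prefix = [int]$Matches[2]
        $mask   = if ($prefix -eq 0) { 0L } else { (0xFFFFFFFFL -shl (32 - $prefix)) -band 0xFFFFFFFFL }
        [pscustomobject]@{
            Subnet  = $s.Name
            Site    = if ($s.Site) { ($s.Site -split ',')[0] -replace '^CN=' } else { '(no site)' }
            Prefix  = $prefix
            Network = (ConvertTo-IPv4Number $Matches[1]) -band $mask
            Mask    = $mask
        }
    }
}

function Resolve-ADSite {
    # The DC locator's rule: of all subnets containing the address, the longest prefix wins
    param([Parameter(Mandatory)][string]$Address, $Table = (Get-ADSubnetTable))
    $n    = ConvertTo-IPv4Number $Address
    $hits = @($Table | Where-Object { ($n -band $_.Mask) -eq $_.Network } | Sort-Object Prefix -Descending)
    [pscustomobject]@{
        Address       = $Address
        Site          = if ($hits.Count) { $hits[0].Site }   else { $null }   # $null: no subnet covers it
        WinningSubnet = if ($hits.Count) { $hits[0].Subnet } else { $null }
        Overlapping   = ($hits | Select-Object -Skip 1 | ForEach-Object { "$($_.Subnet) -> $($_.Site)" }) -join '; '
    }
}

function Get-ActiveComputersPerSite {
    # Enabled computers seen within the window, grouped by the site their DNS address maps to
    param([int]$Days = 14, $Table = (Get-ADSubnetTable))
    $since = (Get-Date).AddDays(-$Days)
    Get-ADComputer -Filter { Enabled -eq $true -and LastLogonTimeStamp -gt $since } -Properties IPv4Address |
        Where-Object { $_.IPv4Address } |
        ForEach-Object { (Resolve-ADSite -Address $_.IPv4Address -Table $Table).Site } |
        Group-Object |
        Select-Object @{ n = 'Site'; e = { if ($_.Name) { $_.Name } else { '(no matching subnet)' } } }, Count |
        Sort-Object Count -Descending
}

$table = Get-ADSubnetTable
# Where does a client on this address land, and does a second subnet also cover it? (placeholder address)
Resolve-ADSite -Address '10.20.30.40' -Table $table | Format-List
# Compare with what the client reports for itself: nltest /dsgetsite
Get-ActiveComputersPerSite -Days 14 -Table $table | Format-Table -AutoSize
```

For the OpenVPN case, the address worth resolving is the one the client actually presents to the DC (its VPN tunnel address if the tunnel is the route to the DC), since that is the address the locator matches against the subnet objects; for the overlap case, any address whose Overlapping column is non-empty is one where two subnet objects compete and only the longer prefix is ever used.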
How can I have a second domain controller on a different network?
Hello,
I have Exchange Server and SharePoint 2010 on a server located in the USA. This server is joined to the domain and authenticates against the domain controller through a VPN. The problem is that the DC is in Colombia, and when it goes down, Exchange and SharePoint stop authenticating users.
My question is:
Can I have a second domain controller in the USA that takes over when the one in Colombia goes down?
Thanks
Files transferred from other systems are marked as Hidden with the check box greyed out. How do I fix this?
We are working on switching all Hyper-V hosts from Windows Server 2008 R2 to Windows Server 2012. Unfortunately, all folders transferred from Server 2008 R2 to 2012 are getting marked as "Hidden" at the destination. The Hidden box is greyed out and I have not been able to change it via the command line.
Why is Server 2012 marking files as hidden?
How do I fix it?
How do I keep all future transferred folders from being marked Read-Only and Hidden?
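Explorer greys out the Hidden check box when the System attribute is set on the same item, which is the usual reason the box cannot be cleared through the GUI. The block below is an added example, not from the original post: it reports every item under a path that carries both Hidden and System and, with -Commit, clears Hidden, System and Read-Only from them while leaving genuine OS items alone. The path D:\VMs is a placeholder. The one-line command equivalent is attrib -s -h -r "D:\VMs\*" /s /d.

```powershell
function Get-HiddenSystemItem {
    # Every file or folder under $Path that carries both Hidden and System
    param([Parameter(Mandatory)][string]$Path)
    $both = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Where-Object { ([int]$_.Attributes -band $both) -eq $both }
}

function Clear-TransferredAttributes {
    # Clears Hidden, System and Read-Only from the items found above. Dry run unless -Commit.
    param([Parameter(Mandatory)][string]$Path, [switch]$Commit)
    $mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System -bor [IO.FileAttributes]::ReadOnly)
    $skip = 'System Volume Information', '$RECYCLE.BIN', 'desktop.ini'   # real OS items that should stay hidden+system
    foreach ($item in Get-HiddenSystemItem -Path $Path) {
        if ($skip -contains $item.Name) { continue }
        $before = $item.Attributes
        $new = [IO.FileAttributes]([int]$before -band (-bnot $mask))
        if ([int]$new -eq 0) { $new = [IO.FileAttributes]::Normal }   # a file with no attributes at all is "Normal"
        if ($Commit) { $item.Attributes = $new }
        [pscustomobject]@{ Item = $item.FullName; Before = $before; After = $new; Applied = [bool]$Commit }
    }
}

# Dry run, then commit (the path is a placeholder)
Clear-TransferredAttributes -Path 'D:\VMs' | Format-Table -AutoSize
# Clear-TransferredAttributes -Path 'D:\VMs' -Commit | Format-Table -AutoSize
```

Review the dry-run list before committing: the skip list only covers the obvious OS items, and clearing System from something Windows relies on being System (a customised folder with desktop.ini, for instance) changes how Explorer treats it.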
AD Recycle Bin, Recycle object lifetime
Can anyone explain how to recover an item that is "logically" located in the Recycled Object Lifetime?
What is the purpose of this lifetime if I cannot recover the object?
Also, most of the attributes of the object are mangled, but are these attributes link-valued attributes, non-link-valued attributes, or all of them?
Thanks
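A check a practitioner would want before trying a restore, added here as an example and not part of the original post. With the AD Recycle Bin enabled a deleted object stays restorable, with its attributes intact, for msDS-DeletedObjectLifetime days (when that attribute is unset AD falls back to tombstoneLifetime, and when that is unset too, to 60 days); after that it becomes a recycled object (isRecycled is TRUE), most of its attributes are stripped, and Restore-ADObject no longer works on it, which leaves only an authoritative restore from a backup. The functions below read the effective lifetime, list deleted objects with the days left before they are recycled, and restore one by its last known name. They use whenChanged as the deletion time, which the deletion itself stamps; the object name passed to the restore is a placeholder.

```powershell
Import-Module ActiveDirectory

function Get-DeletedObjectLifetimeDays {
    # msDS-DeletedObjectLifetime, falling back to tombstoneLifetime, then to the 60-day default
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Properties msDS-DeletedObjectLifetime, tombstoneLifetime
    if ($ds.'msDS-DeletedObjectLifetime') { return [int]$ds.'msDS-DeletedObjectLifetime' }
    if ($ds.tombstoneLifetime)            { return [int]$ds.tombstoneLifetime }
    return 60
}

function Get-DeletedObjectReport {
    # Deleted objects with the days left before they turn into recycled (non-restorable) objects
    $life = Get-DeletedObjectLifetimeDays
    Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
                 -Properties isRecycled, whenChanged, lastKnownParent, msDS-LastKnownRDN, objectClass |
      Where-Object { $_.DistinguishedName -notlike 'CN=Deleted Objects,*' } |   # the container itself is flagged too
      ForEach-Object {
        $age = (Get-Date) - $_.whenChanged
        [pscustomobject]@{
            Name       = $_.'msDS-LastKnownRDN'
            Class      = $_.objectClass
            LastParent = $_.lastKnownParent
            DaysLeft   = if ($_.isRecycled) { 0 } else { [math]::Max(0, $life - [int]$age.TotalDays) }
            Restorable = -not [bool]$_.isRecycled   # recycled = attributes stripped, Restore-ADObject refuses it
            ObjectGUID = $_.ObjectGUID
        }
      }
}

function Restore-DeletedObjectByName {
    # Restores the first restorable deleted object with this last-known RDN back under its old parent
    param([Parameter(Mandatory)][string]$LastKnownRDN)
    $obj = Get-DeletedObjectReport | Where-Object { $_.Name -eq $LastKnownRDN -and $_.Restorable } | Select-Object -First 1
    if (-not $obj) {
        throw "No restorable deleted object named '$LastKnownRDN'; if it is already recycled, only an authoritative restore from backup can bring it back"
    }
    Restore-ADObject -Identity $obj.ObjectGUID   # add -TargetPath if lastKnownParent is gone as well
}

Get-DeletedObjectReport | Sort-Object DaysLeft | Format-Table Name, Class, DaysLeft, Restorable, LastParent -AutoSize
# Restore-DeletedObjectByName -LastKnownRDN 'Jane Doe'   # placeholder name
```

Objects whose Restorable column shows False are the ones the post describes: still visible under the Deleted Objects container, but past the lifetime, with only the attributes needed to identify them left; they are finally removed once tombstoneLifetime has also passed.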