Channel: Directory Services forum

Join two different active directories in one


Hi,

I have two different domains and the CIO is thinking of joining both domains into one, with a different name from these.

I would like to know the advantages and disadvantages of this and how to do the integration.

Can anybody help me or give any link with this information?

Thanks in advance.

Regards.


SPN management of Managed Service Accounts


Hi,

Managed Service Accounts have two main benefits: first, simplified password management (so clear), and second, SPN management.

Exactly (an overview description will be enough), what are the main Service Principal Name management benefits of MSAs?


Thanks in advance

Update AD-User Group-Membership for "offline" Notebooks


The Environment: I have a notebook in Active Directory and a domain user. The connection to the DC is only available after the login process (when the WLAN connection is established). This gives us some elegant simplifications to fix a notebook to one user. We prepare the notebooks over LAN, log on the correct user and disconnect the LAN. After this it is not possible for another user to log in because there is no logon server available.

The Problem: When I change a group membership of the user in AD, this change is never committed to the (AD) user on the notebook.

gpupdate didn't work: The GPs are updated after the network change when the user is logged in - all settings are taken directly or at next logon, but the group membership is still the same.

Some tries with klist didn't work: Tickets are created, purged and recreated, but the group membership is still the same.

I read the group membership with a PS script around the statement:

[System.Security.Principal.WindowsIdentity]::getCurrent().Groups

Forest Wide DNS Zone


If I make a DNS zone forest wide, would all the DCs in the forest be able to edit the DNS zone?

Bitlocker - permission for deleting computer with bitlocker key

Hello,

I'm in the process of delegating permissions in our Active Directory. I found a problem when I try to delete a computer with a BitLocker key using a non-Domain Admin account. It's not possible; I get an error stating not enough permissions.

Of course I added the Create/Delete Computer permission, but it's not enough for such computers. A regular computer without any child object can be deleted successfully.

Do you have any idea what more I need to be able to delete a computer with a BitLocker key?


Thanks in advance.

Regards

Arek

adprep /domainprep error 0x208d


Hi,

I need to replace my current DC with a new one and I want to degrade the current DC to a backup (second DC).

My current DC is:
- Windows 2003 SP2 x86, language: PL
- Domain functional Level: 2003
- Forest functional level: 2003
- AD schema version: 47

My new DC is:
- Windows 2008 R2 SP1 x64, language: EN

My plan is: promote new DC as additional DC for an existing DC, transfer FSMO, DHCP, etc...

But during promotion I have an error:

On current DC I executed adprep32.exe (from install CD of Windows 2008 R2) with /domainprep option but I had errors:

Adprep was unable to modify the security descriptor on object CN=IP Security,CN=System,DC=main,DC=domain,DC=local.

[Status/Consequence] 
ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).


Adprep encountered an LDAP error. 

Error code: 0x20. Server extended error code: 0x208d, Server error message: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
	'CN=System,DC=main,DC=domain,DC=local'
.

Adprep was unable to update domain information. 

[Status/Consequence]
Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.


Could this be due to different language versions on the current DC and the new DC?


Moving from 2008DC to 2012DC


Hello, I have a few questions regarding moving from a 2008 DC to a 2012 DC. This is my first time adding/replacing DCs, so I'm trying to make sure I have taken care of everything.

What I've done so far:

  1. Built 2012 server and installed AD/DNS roles
  2. Transferred over Schema Master, Domain Naming Master, PDC, RID, Infrastructure Mgr ROLES
  3. DCpromo the old 2008DC

Is this the correct process and does it sound like there are any steps I've missed?

When doing the DCPromo on the 2008 DC, it gave me an error "failed because is not the last AD DC in the Domain", which I was able to get around by using the /forceremoval switch. Is that normal? I figured it would allow you to demote a DC once a new one was built, or did I do something wrong here?

Which brings me to the next part: there are a ton of references left pointing to the old DC, mainly in DNS, and I've gone and deleted them all following this guide:

http://awinish.wordpress.com/2011/05/08/metadata-cleanup-of-a-domain-controller/

Should I just go ahead and delete the object in ADUC?

Should I also delete the "DC08" object in AD Sites and Services?

Thanks for any help folks!

dcpromo remove domain controller 2008 R2 fails - could not transfer the remaining data in directory partition.


Most Domain Controllers are now Windows 2012
Forest and Domain functional level is Windows 2008 R2

---

Trying to dcpromo a Windows 2008 R2 domain controller down to member server and during dcpromo got a message:

The operation failed because:

Active Directory Domain Services could not transfer the remaining data in directory partition
DC=ForestDNSZones, DC=<domainname>,DC=org to
Active Directory Domain Controller \\DCNAME.domainname.org.

"The directory service is missing mandatory configuration
information, and is unable to determine the ownership of floating
single-master operation roles."

---

Running DCDIAG on the server - NCSecDesc fails
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=domain,DC=org
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=domain,DC=org

One of the TechNet articles says that adprep /rodcprep from Windows 2008 R2 needs to be run and would eliminate the NCSecDesc fail error.

Can I still run adprep /rodcprep even after Windows 2012 domain controllers have been added to the domain (which I understand changes the schema during insertion of Windows 2012 domain controller)?

What options do I have to resolve getting the Windows 2008 R2 domain controller dcpromo'ed down to member server?

Thanks,


F.Palacio
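An added check, not part of the post above, that reproduces what the NCSecDesc test quoted above is looking for: an Allow ACE for ENTERPRISE DOMAIN CONTROLLERS (SID S-1-5-9) carrying the "Replicating Directory Changes In Filtered Set" extended right on each DNS application partition. It assumes the ActiveDirectory module (the AD: drive) is available; the extended-right GUID is the schema GUID of DS-Replication-Get-Changes-In-Filtered-Set.

```powershell
# Added example (not from the original post): verify the ACE that dcdiag's
# NCSecDesc test checks for on the DomainDnsZones and ForestDnsZones partitions.
# Run from a machine with RSAT / the ActiveDirectory module, as a user that can
# read the partition security descriptors.
Import-Module ActiveDirectory

# Schema GUID of the DS-Replication-Get-Changes-In-Filtered-Set extended right
$FilteredSetRight = [guid]'89e95b76-444d-4c62-991a-0facbeda640c'
# Well-known SID of NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
$EnterpriseDcsSid = 'S-1-5-9'

function Test-FilteredSetAce {
    param([Parameter(Mandatory)][string]$PartitionDn)

    $acl = Get-Acl -Path ("AD:\" + $PartitionDn)

    # Keep only Allow ACEs for S-1-5-9 that grant this specific extended right.
    $matching = $acl.Access | Where-Object {
        $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $sid -eq $EnterpriseDcsSid -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        $_.ObjectType -eq $FilteredSetRight
    }

    [PSCustomObject]@{
        Partition         = $PartitionDn
        HasFilteredSetAce = [bool]$matching   # $false is what dcdiag reports as the NCSecDesc error
        AceCount          = @($matching).Count
    }
}

$domainDn = (Get-ADDomain).DistinguishedName
$forestDn = (Get-ADRootDSE).rootDomainNamingContext

# The two partitions named in the dcdiag output above.
Test-FilteredSetAce -PartitionDn "DC=DomainDnsZones,$domainDn"
Test-FilteredSetAce -PartitionDn "DC=ForestDnsZones,$forestDn"
```

Running it before and after any repair shows whether the ACE is actually present on each partition, independently of the dcdiag summary.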


sIDHistory for groups

The security database on the server does not have a computer account for this workstation trust relationship

This problem exists in the below environment:

ForestA has been around a while and has one domain called DomainQ.

ForestC is new and has one domain called DomainR.

ForestC has a one-way transitive trust to ForestA and shares a namespace. DNS connectivity is in place, NTP is working correctly (ForestC pulls its time from ForestA) and users in ForestA have been permissioned on devices in ForestC.

Below are the netlogon dump and log files that look relevant. It's odd because I get a successfully logged on message, but the user is prompted with "The security database on the server does not have a computer account for this workstation trust relationship" and when they click on it they are back at the logon prompt. Nothing related to that error message that I have tried has helped.

http://technet.microsoft.com/en-us/library/ee849847%28WS.10%29.aspx

The above was not any help, as this is a one-way transitive forest trust so the trust level is already 2. The other 5 suggested links were also not useful.

07/18 12:18:29 [LOGON] [556] SamLogon: Network logon of DomainQInForestA\UserInDomainQ from UsersDesktopInDomainQ Returns 0x0
07/18 12:18:33 [LOGON] [556] SamLogon: Network logon of DomainQInForestA\UserInDomainQ from UsersDesktopInDomainQ Entered
07/18 12:18:33 [LOGON] [556] SamLogon: Network logon of DomainQInForestA\UserInDomainQ from UsersDesktopInDomainQ Returns 0x0
07/18 12:18:33 [MISC] [556] DsGetDcName function called: client PID=1636, Dom:DomainQInForestA Acct:(null) Flags: RET_DNS
07/18 12:18:33 [MISC] [556] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c03ffff1
07/18 12:18:33 [MAILSLOT] [556] NetpDcPingListIp: DomainQInForestA.My.Forest.Name: Sent UDP ping to IPv6AddressUniquetoDCinDOmainQ
07/18 12:18:33 [MISC] [556] NetpDcAllocateCacheEntry: new entry 0x000000D29F24EB50 -> DC:DCinDomainQ DnsDomName:DomainQInForestA.My.Forest.Name Flags:0x71fc
07/18 12:18:33 [MISC] [556] NetpDcGetName: NetpDcGetNameIp returned 0
07/18 12:18:33 [MISC] [556] DsGetDcName: results as follows: DCName:\\DCinDomainQ.DomainQInForestA.My.Forest.Name DCAddress:\\IPv6AddressUniquetoDCinDOmainQ DCAddrType:0x1 DomainName:DomainQInForestA.My.Forest.Name DnsForestName:My.Forest.Name Flags:0xe00071fc DcSiteName:SiteInDomainQ ClientSiteName:SiteInDomainQOfClients
07/18 12:18:33 [MISC] [556] DsGetDcName function returns 0 (client PID=1636): Dom:DomainQInForestA Acct:(null) Flags: RET_DNS
07/18 12:18:33 [MISC] [2800] DsGetDcName function called: client PID=4, Dom:DomainRinForestC.SpecialProject.My.Forest.Name Acct:(null) Flags: IP KDC
07/18 12:18:33 [MISC] [2800] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c03ffff1
07/18 12:18:33 [MISC] [2800] NetpDcGetName: DomainRinForestC.SpecialProject.My.Forest.Name using cached information ( NlDcCacheEntry = 0x000000D29F269FC0 )
07/18 12:18:33 [MISC] [2800] DsGetDcName: results as follows: DCName:\\DCinDomainRinForestC.DomainRinForestC.SpecialProject.My.Forest.Name DCAddress:\\IPv4AddressofDCinDomainRinForestCDCAddrType:0x1 DomainName:DomainRinForestC.SpecialProject.My.Forest.Name DnsForestName:DomainRinForestC.SpecialProject.My.Forest.Name Flags:0xe00071fc DcSiteName:Default-First-Site-Name ClientSiteName:Default-First-Site-Name
07/18 12:18:33 [MISC] [2800] DsGetDcName function returns 0 (client PID=4): Dom:DomainRinForestC.SpecialProject.My.Forest.Name Acct:(null) Flags: IP KDC
07/18 12:18:34 [SESSION] [2912] I_NetLogonGetAuthData called: (null) DomainRinForestC (Flags 0x1)  
07/18 12:19:16 [SESSION] [1968] I_NetLogonGetAuthData called: (null) DomainRinForestC (Flags 0x1)  
07/18 12:19:29 [MISC] [2912] DsGetDcName function called: client PID=916, Dom:(null) Acct:(null) Flags: DS BACKGROUND
07/18 12:19:29 [MISC] [2912] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c03ffff1
07/18 12:19:29 [MISC] [2912] NetpDcGetName: DomainRinForestC.SpecialProject.My.Forest.Name. using cached information ( NlDcCacheEntry = 0x000000D29F269FC0 )
07/18 12:19:29 [MISC] [2912] DsGetDcName: results as follows: DCName:\\DCinDomainRinForestC.DomainRinForestC.SpecialProject.My.Forest.Name DCAddress:\\IPv4AddressofDCinDomainRinForestCDCAddrType:0x1 DomainName:DomainRinForestC.SpecialProject.My.Forest.Name DnsForestName:DomainRinForestC.SpecialProject.My.Forest.Name Flags:0xe00071fc DcSiteName:Default-First-Site-Name ClientSiteName:Default-First-Site-Name
07/18 12:19:29 [MISC] [2912] DsGetDcName function returns 0 (client PID=916): Dom:(null) Acct:(null) Flags: DS BACKGROUND
07/18 12:22:17 [SESSION] [1040] DomainRinForestC: NlTimeoutApiClientSession: Unbind from server \\DCinDomainRinForestC.DomainRinForestC.SpecialProject.My.Forest.Name (TCP) 1.

An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:        -
    Account Domain:        -
    Logon ID:        0x0

Logon Type:            3

Impersonation Level:        Impersonation

New Logon:
    Security ID:        DomainQInForestA\UserInDomainQ
    Account Name:        UserInDomainQ
    Account Domain:        REDMOND
    Logon ID:        0x81D94
    Logon GUID:        {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:        0x0
    Process Name:        -

Network Information:
    Workstation Name:    UsersDesktopInDomainQ
    Source Network Address:    -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:        NtLmSsp
    Authentication Package:    NTLM
    Transited Services:    -
    Package Name (NTLM only):    NTLM V2
    Key Length:        128

AD site to forest ws 2012


Hello,

I have one new forest and site up and running.

This single site has one DC (WS 2012) with AD, DHCP, DNS, file, AC CA. DirectAccess and VPN (wizard walkthrough and working) with subnet 10.10.0.0/16.
This site is the main office and has a fixed public IP, and is behind an ISP-managed router (the ports and protocols for VPN and DirectAccess are forwarded to the WS2012 server). I can connect from a public network with VPN to this site. This and the new site have no "hardware VPN tunneling hardware", so I want to use the RRAS in WS2012 to accomplish this.

In "Sites and Services" I have created for the moment 2 sites: one with the subnet 10.10.0.0/16 (main office), where I renamed "default site" to the appropriate name,
and one with 10.11.0.0/16 for the new site, which I gave a name.

Then I installed the new WS2012 in the main site and promoted it to also be a DC and DHCP and DNS,
so it would receive a computer certificate and domain policy from the first DC in the main office.

Now I want to take the new WS2012 out to the new site (with a public changing IP; I have DynDNS for that). This network is also behind an ISP-managed modem/router/NAT device. I will also look to forward the necessary ports and protocols and connect it to the main private subnet with the site-to-site VPN function of the WS2012 server. That's where I am stuck. I have looked over the internet and found numerous examples to connect site-to-Azure but not site-to-site with the native WS2012 software. I think I have to bring up the VPN tunnel before I can do all the other settings like AD replication, DFS file replication ...

I have been working with AD for the past 8 years but never used Sites and Services ...
If I open up the RRAS console I do not find where I can define the VPN tunnel with the endpoints and subnet; if I use the remote access wizard (which is for client connections, not for site-to-site) I do not find an option to configure site-to-site ...

Both servers have 1 NIC. This setup is for a non-profit social enterprise, and this way I can manage all the users and clients from one domain, and there is a possibility to share documents with each other instead of using Google Drive or Dropbox :( In the future there is one main office and 6 sub sites across town; now it is really hard to manage everything because all the clients are in different workgroups with one NAS device per location :-( Changing to Azure is no option here, there is no funding for that; I can get cheap licensing and hardware because they are registered as "social ware VZW".

Can anyone help me with setting up this forest with sites across town? For easy configuration one domain name is adequate for the forest, so I do not think I need sub domain names, unless this is necessary from a technical point of view (DirectAccess for the site clients, replication, ...). Or are there some partners that can teach me this on site? (Belgium - West-Flanders) I can pay a small amount if necessary.

I would appreciate phase by phase help.

If any info is still missing please give me a sign.

Thank you very, very much.

(Sorry for my grammatical errors, I am a native Dutch speaker.)

AD LDS windows principal fails to authenticate with ADSI Edit


I have created an LDS standalone instance (on a box not in a domain) and am able to authenticate LDS native users with a simple bind using ldp.exe 3.0 or my app. Now I have added a Windows principal (local user account) to the member attribute of the Readers role. I cannot bind with it using ldp.exe and have posted that on another thread. I also am not able to bind to the configuration partition using ADSI Edit (from another machine) as follows:

Start > ADSI Edit

right click ADSI Edit > connect to...

name: StandAlone

Select a well known: Configuration

servername:50000

Advanced

Specify credentials

I have tried both servername\username and just username here

pw

check simple bind (I have also tried unchecking)

OK

Then it keeps asking for creds.

I know the creds are correct because I can use the same creds to bind to the Schema partition using ADSI Edit and I can also rdp to the lds box using those creds.

I am running ADSI Edit Version: 6.1.7601.17514 on Windows Server 2008 R2 Enterprise.  The LDS box is running R2 Standard.

What is wrong?

Thanks.


leo


Netlogon and sysvol folder share error


Hi,

We have a domain and 3 domain controllers, and all DCs are Windows Server 2012.

DC01 and DC02 are in one site and DC03 is in another site.
DC02 is a role box.
On DC03 we are getting the below error message while running the dcdiag command:


Starting test: NetLogons        
 Unable to connect to the NETLOGON share! (\\DC03\netlogon)  
 [DC03] An net use or LsaPolicy operation failed with error
 67, The network name cannot be found..  
 ......................... DC03 failed test NetLogons     

and the net share result:

Share name   Resource                        Remark

-------------------------------------------------------------------------
C$           C:\                             Default share
D$           D:\                             Default share
E$           E:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
The command completed successfully.

Please suggest.

Thanks in Advance


Abhishek

DNS on 2008 r2


I have created a standalone server and added a couple of primary zones, but I can't get this to resolve anything but 'A' records. Nothing like MX records comes back. All that is returned is a list of root servers.

This server is not recursive; I'm just trying to resolve what is in the local zones.

Could it have anything to do with the Global Query Block List? I have disabled it.

Thanks


MJK

Child Domain vs Trust Relationship

So here is the scenario-

We are in the process of centralizing IT to a data center in a single location. I currently have 12 different operating companies that need shared security and Exchange functionality. As it stands they are all separate individual domains of varying levels. There is a company-wide accounting system that needs to be integrated with AD, currently running in a completely separate domain as well, that I would like to see people using their own AD logon info to use.

Here is my question-

Knowing that all the Active Directory domains need to be touched regardless to get them all up to a uniform functional level, and that there is significant work to be done no matter what, which configuration would be best? I know there are several points to each one, but I want to make sure I am covering my bases now before choosing a path. Do I go for a single forest\parent domain? Or separate domains using trusts between the corporate domain and the operating companies, like a hub and spoke config? What are the pros and cons of each?

Thanks-

Active Directory questions


What happens if an Active Directory server were to get turned off by accident for 6 months? After 6 months the DC gets turned back on and it is out of sync with the other DCs. Since it is past the default tombstone lifetime of AD, replication will occur or try to occur. Will the DC that was turned off for 6 months replicate the missing changes, or try to replicate the changes that the other DCs don't have but it has, causing stale records, or will the other DCs try to update it with all the new information?

The second question is related to AD replication. I ran the command repadmin /showpostmail /latency DC=va,DC=postmail,DC=com and it showed me the SIDs below instead of showing me the site link and DC name. The entries are expired, but I'm just trying to understand what they are doing there and if they will harm anything if I leave them, or whether they will eventually disappear automatically.

c992b4e5-4bb9-4183-a9d3-57c82c4a6e6f @ USN    135422 @ Time 2012-01-26 18:48:58

8cce4140-02d9-4c05-94y4-80235eeae424 @ USN    131209 @ Time 2012-02-17 19:59:56

Event ID 1168, ActiveDirectory_DomainService Any suggestions?


Internal error: An Active Directory Domain Service error has occurred.

Additional Data

Error value (decimal):

-1032

Error value (hex):

fffffbf8

Internal ID:

160207ce

Task Category: Internal Processing

The error message has appeared on the system the last 5 days. Any suggestions for solving it?

How to Enable the Check box "Allow inheritable permissions from parent to propagate to this object" on all Users


I have to enable the check box "Allow inheritable permissions from parent to propagate to this object" in Active Directory 2008 R2 on all users, about 300 of them.

We have about 50 OUs.

I tried to apply the scripts mentioned here:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/db378974-9cbf-4712-9978-f6a1a5234c16/allow-inheritable-permissions-from-parent-to-propagate-checkbox

It does not seem to work.

What is the exact way to apply these scripts in 2008 R2?

Is there a program to achieve this goal?


Problems creating a child domain - Verification of outbound replication failed


Hello,

I have seen other threads relating to this issue, but nothing has yet solved my problem.

All my servers are Windows Server 2012

So far, I have a DC for Domain.co.uk

I am trying to create the child domain int.Domain.co.uk

The main error that I receive when using ADDS config wizard, is:

Verification of outbound replication failed. Error reading the options property of the NTDS settings. Unknown error (0x8000500c)

Also, when on the 'Deployment Configuration' page of the wizard, when I click the Parent Domain Name 'Select...' button, and it prompts me to select a domain in the forest, the only thing that is available to select is a long string of numbers. Example - '01 363 747 838 292 28 298 363 363 767 35 536 367 67 678 687'.

So far I have attempted to turn off the firewall, have the child DC joined onto the domain, and re-enabled recursion on the parent DC ...

Any help appreciated :D

Thanks

Server 2012 restrict active directory dynamic ports


Hello,

Has anyone encountered issues with restricting the Active Directory dynamic ports for Netlogon and NTDS in Server 2012? I have added the typical registry entries as described below, but I still see my RDS gateway in the DMZ trying to communicate with my internal DC over other ephemeral ports (49158). I have rebooted the DC after the registry changes and still no effect. Are the reg entries the same in 2012? Any help would be appreciated. Thank you

Registry key 1 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters 
Registry value: TCP/IP Port 
Value type: REG_DWORD 
Value data: 49152 (This value needs to be specified in decimal format)

Registry key 2 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters 
Registry value: DCTcpipPort 
Value type: REG_DWORD 
Value data: 49153 (This value needs to be specified in decimal format)



Eddie Espino | Secure Data Solutions | Miami, Florida | Microsoft Partner
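An added audit script, not part of the post above, that reads the two registry values listed in the post, checks they are REG_DWORD values holding the expected decimal ports, and compares them with the ports lsass.exe (which hosts both NTDS and Netlogon on a DC) is actually listening on. The expected ports 49152/49153 are the post's values; the function name and its output shape are my own.

```powershell
# Added example (not from the original post): audit the static RPC port
# configuration for NTDS and Netlogon and reconcile it with what lsass.exe
# is bound to. Run in an elevated PowerShell session on the domain controller
# (Get-NetTCPConnection needs Server 2012 or later).
function Test-DcStaticPorts {
    param(
        [int]$NtdsPort     = 49152,   # value from the post, "TCP/IP Port"
        [int]$NetlogonPort = 49153    # value from the post, "DCTcpipPort"
    )

    $checks = @(
        @{ Service = 'NTDS';     Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'TCP/IP Port'; Expected = $NtdsPort },
        @{ Service = 'Netlogon'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'DCTcpipPort'; Expected = $NetlogonPort }
    )

    # Ports lsass.exe is listening on right now.
    $lsassPid   = (Get-Process -Name lsass).Id
    $lsassPorts = Get-NetTCPConnection -State Listen -OwningProcess $lsassPid |
                  Select-Object -ExpandProperty LocalPort -Unique

    foreach ($c in $checks) {
        $item    = Get-Item -Path $c.Key
        $present = $item.GetValueNames() -contains $c.Name
        # GetValueKind/GetValue throw on a missing value, so only call them when present.
        $kind    = if ($present) { $item.GetValueKind($c.Name) } else { $null }
        $value   = if ($present) { $item.GetValue($c.Name) }     else { $null }

        [PSCustomObject]@{
            Service         = $c.Service
            RegistryValue   = $c.Name
            Present         = $present
            IsDword         = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord)
            # A port typed as hex instead of decimal shows up here as a large wrong number.
            Configured      = $value
            MatchesExpected = ($value -eq $c.Expected)
            LsassListening  = ($lsassPorts -contains $c.Expected)
        }
    }

    # Other dynamic-range ports lsass is bound to. The two registry values only
    # pin NTDS and Netlogon; other RPC interfaces hosted in lsass may still take
    # dynamic ports, so this is the list to reconcile against firewall logs
    # (for example the 49158 mentioned in the post).
    $others = $lsassPorts | Where-Object { $_ -ge 49152 -and $_ -notin @($NtdsPort, $NetlogonPort) }
    [PSCustomObject]@{
        Service         = 'lsass (other dynamic ports)'
        RegistryValue   = '-'
        Present         = $null
        IsDword         = $null
        Configured      = ($others -join ',')
        MatchesExpected = $null
        LsassListening  = $null
    }
}

Test-DcStaticPorts | Format-Table -AutoSize
```

If MatchesExpected is true but LsassListening is false, the value was set but the service has not been restarted since (the post's reboot covers that); the last row explains traffic that the two values alone were never going to pin down.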
