Channel: Directory Services forum
Viewing all 31638 articles

Preventing Child to Child replication


Hi all,

We have a single forest consisting of about 30 child domains.

The design is to service Exchange and Lync for all child domain users.

We have 30 separate sites too.

But because of the network routing and firewall design, child sites do not have access to each other, so there is no route from Child 1 to the other children. The other children are the same.

In AD replication I see child contexts cannot be synced to other children. Is there any way to prevent child-to-child replication? Can I set it to replicate only from the root domain?

Can you guys please help me with this?

Kind regards


SPN management of Managed Service Accounts


Hi,

Managed Service Accounts have two main benefits: first, simplified password management (so clear), and second, SPN management.

Exactly (an overview description will be enough), what are the main Service Principal Name management benefits of MSA?


Thanks in advance

Password change problem at site with RODC


Error message when I try to change the password of an account that is in RODC site RODC

"There are currently no logon server available to meet the logon request "

- The RODC server is a VM managed with SCVMM

Suggestion on default AD Schema attribute for internal use


Hello,

Can anyone suggest the use of an attribute in the default AD Schema for 2003-2012 systems which isn't used much and is up to 22 'text' characters in length? Scrolling through the schema attribute list and trying to find this manually is tedious. Is there anywhere I can search for the answer to this question?


Thanks for your help! SdeDot

Administrator Password Change


Good Day,

I have a domain environment and I am using a built-in administrator account for all the administrative tasks across the domain. The password which I am using for this account is very old and is known to a lot of people.

I need guidelines to do an impact analysis and change the password without any issues coming up.

There are a lot of servers for which we are using the same administrator account.

Thank You

Regards

Abdul Wajid



I accidentally deleted a computer account from Active Directory. How can I recover those computer accounts without disjoining client computers from the server?


I went to Active Directory Users and Computers and accidentally deleted all the computer accounts from the computer folder.

Is it possible to recover all those computer accounts without manually going to each client computer to disjoin and re-join it to the domain controller in Windows Server 2003?

Intra Forest Migration Using ADMT

Asked by: maheshckl

Dear Team,

I'm in the process of migrating users and computers from a child domain (same forest, e.g. child.contoso.com) to the primary domain controller (e.g. contoso.com). I need to clarify the points mentioned below before I do the migration. The main target is to demote the child domain after the migration is done.

OS: Windows Server 2008 R2

For this scenario I'm going to use the ADMT tool to migrate user objects.

I would like to know whether the folder permissions are also applied to the same user after migrating the user to the new domain?

How can I transfer the SID history for a particular user, since I cannot see any SID tab in the ADMT tool?

How can I change the domain names of the client PCs which have been added to the child domain? There are about 500 PCs to add to the primary domain (newdomain).

Thank you
Partner


Cleaning up FRS Sysvol Morphed Folders without Rename

Hello All
I am Mahesh
Currently I am in the process of migrating FRS Sysvol to DFSR Sysvol. However, I have one problem.
I have so many morphed folders (some are empty) underneath Sysvol\Policies\GPO_Guid\_NTFRSxxxxxxxx
I got the MS article http://support.microsoft.com/kb/328492 to remove morphed folders.
Since my environment has more than 100 2008 R2 domain controllers, I don't want to follow the above article as it involves some downtime during clean-up.
Let me know if I can just delete those morphed folders from Sysvol, or
let me know if I can directly go for the SYSVOL FRS to DFSR migration and whether DFSR can take care of morphed folders.
Request your expert advice please.
Thanks in advance
Mahesh
mahesh1000@gmail.com

Repair or replace domain controller


Hi all

I had a problem migrating a DC from one server to another and now I have several Active Directory errors in the event log. The cause of the problem, I think, was that during the transfer, the old DC came back on and ran until the new one (an image of the old one) came up. At one point both DCs were online simultaneously.

We have two sites and each site has a single DC.

One of the errors is event id 2092:

This server is the owner of the following FSMO role, but does not consider it valid.......

"Operations which require contacting a FSMO operation master will fail until this condition is corrected."

The other errors are KCC replication problems.

I realize I haven't given much detail so feel free to ask for what you need, but here is the question I have: what is the best solution?

1) Would it be better to seize the FSMO roles to the other site's DC and demote the one that is bad and then bring it back up?

2) Or should I use DSRM to attempt to repair the broken DC?

3) Or build a second DC in the same site as the bad DC, seize the FSMOs, then demote the bad DC?

Thanks!

 


Todd MacQueen MCTS, CEH, CHFI, Security+

AD LDS Windows Principals - authenticating fails with ldp.exe


I am able to authenticate native AD LDS users in the Readers role successfully using ldp.exe and my app.  Now I want to test Windows Security Principals.  So on my LDS box I created a local Windows user under computer management.  Then I add the windows user to the member attribute of the Readers role. From another box I run ldp.exe and connect to my lds box.  When I try and do a simple bind using servername\username, I get:

Error <49>: ldap_simple_bind_s() failed: Invalid Credentials

Server error: 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 2030, v1db0

Error 0x8009030C The logon attempt failed

I am certain that the password is correct.  Also the LDS server is not on a domain.  What am I doing wrong?  As I said I can use the same method to authenticate my LDS users.

Thanks,


leo

DirSync


I'm looking for some help here. I need to test a Notes migration to Exchange 2010 on premise, and I am looking for a DirSync tool. Can I use Windows Azure DirSync (http://technet.microsoft.com/en-us/library/jj151800.aspx), or do I need to install FIM?


Bitlocker - permission for deleting computer with bitlocker key

Hello,

I'm in the process of delegating permissions in our Active Directory. I found a problem when I try to delete a computer with a BitLocker key using a non-Domain Admin account. It's not possible; I get an error stating not enough permission.

Of course I added the Create/Delete Computer permission but it's not enough for such computers. A regular computer without any child object can be deleted successfully.

Do you have any idea what more I need to be able to delete a computer with a BitLocker key?


Thanks in advance.

Regards

Arek

Server 2012 restrict active directory dynamic ports


Hello,

Has anyone encountered issues with restricting the Active Directory dynamic ports for Netlogon and NTDS in Server 2012? I have added the typical registry entries as described below but I still see my RDS gateway in the DMZ trying to communicate to my internal DC over other ephemeral ports (49158). I have rebooted the DC after the registry changes and still no effect. Are the reg entries the same in 2012? Any help would be appreciated. Thank you

Registry key 1 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters 
Registry value: TCP/IP Port 
Value type: REG_DWORD 
Value data: 49152 (This value needs to be specified in decimal format)

Registry key 2 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters 
Registry value: DCTcpipPort 
Value type: REG_DWORD 
Value data: 49153 (This value needs to be specified in decimal format)



Eddie Espino | Secure Data Solutions | Miami, Florida | Microsoft Partner

Windows 2012 Domain Controller Upgrade Question


Hello all,

Just doing some planning for our first 2012 DC for our forest/domain.

We've decided to achieve the upgrade by doing the following:

1. Demote and remove one DC in our Root Domain

2. Demote and remove one DC in our Child Domain

3. Rebuild both servers as Windows 2012

4. Promote one DC into the Forest Domain - Thereby performing the ADPrep /ForestPrep and /DomainPrep

5. Promote one DC into the Child Domain - Thereby performing the ADPrep /DomainPrep

6. Run ADPrep /DomainPrep /GPPrep manually in both the Root and Child Domains

Can anyone see anything fundamentally wrong with this procedure? I've been using http://msmvps.com/blogs/mweber/archive/2012/07/27/upgrading-an-active-directory-domain-from-windows-server-2008-or-windows-server-2008-r2-to-windows-server-2012.aspx as a guide to this. It suggests using an Enterprise Admin account to promote the DC in the Forest Domain, I presume the same account will be fine to promote into the Child Domain as well?

Any other "gotchas" I should be aware of?


Move Branch domain to Primary DC


Dear Sir,

There is a requirement for moving branch domains to the primary DC, and then an ADC will be deployed in the primary site. What are the limitations and considerations when moving? Also, if you can provide me the steps, that would be highly appreciated.

The server operating systems are Windows Server 2008 R2.

I have attached the diagram herewith.

http://social.technet.microsoft.com/Forums/getfile/303359

Thank you

Partner

How to set a password in AD LDS by code


Hi all,

I am new to AD LDS.

I have the following query:

  • How to set a password during creation of a user programmatically
  • How to authenticate that user programmatically

Last Logon and Password expires - difference


Hi

We have a main DC and a child DC. In this scenario we are pulling reports of "last Logon" and "PasswordExpires". We are finding that "last Logon" is greater than "PasswordExpires", so can you please suggest what may be the issue here and what the best practice is?

DC - Windows 2008 R2

Restoring AD LDS


Hi There,

I have been struggling to get AD LDS restored on a different server.

I follow the process as per the documentation, but receive a 0x8000500d error, "The directory property cannot be found in cache", in ADSI Edit when trying to connect to the instance on the new server.

I have gone through all the documentation and cannot find any help on this one.

Please assist.

Thanks

Marcile

Error while doing Domain Rename. Error : dsbindwithcred to dc failed with status 1722 The RPC Server is unavailable


Due to some reason I want to rename my domain. I have used the rendom.exe tool to do this. Please find below the steps which I followed.

Step 1. rendom.exe /list

I got the Domainlist.xml file and renamed the DNS-specific application directory partitions and the NetBIOS name.

Step 2. rendom.exe /showforest

I got the new forest description.

Step 3. rendom.exe /upload

Upload successful. 

Step 4.Repadmin.exe /syncall /d /e /P /q DC

Here I got the error: dsbindwithcred to dc failed with status 1722 The RPC Server is unavailable. I am unable to run rendom.exe prepare also.

Please help


Rajith.

 