Channel: Directory Services forum

which is the best option to remove inactive users in AD


Hi ,

We want to remove inactive users from our AD. We have Windows 2008 R2. Can you suggest the best and recommended methods from MS?
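The usual staged approach (find, report, disable and move, delete later) as an added PowerShell example; this is not from the post and not a Microsoft script. It assumes the ActiveDirectory module from RSAT, PowerShell 3.0 or later, and a staging OU whose path is a placeholder.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module (RSAT) and a staging OU whose path below is an assumption.
Import-Module ActiveDirectory

$inactiveDays = 90                                     # threshold; align with your policy
$stagingOu    = "OU=Disabled Users,DC=example,DC=com"  # assumption: staging OU
$report       = "C:\Temp\inactive-users.csv"

# Stage 1: enabled users with no logon inside the threshold.
# Search-ADAccount uses lastLogonTimestamp, which is replicated but only refreshed
# every 9-14 days, so the threshold must be comfortably above 14 days.
$candidates = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($inactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties lastLogonTimestamp, whenCreated, description }

# Accounts created recently have simply never logged on yet; leave them alone.
$candidates = @($candidates | Where-Object { $_.whenCreated -lt (Get-Date).AddDays(-$inactiveDays) })

# Stage 2: write down what will be touched before changing anything.
$candidates |
    Select-Object SamAccountName, DistinguishedName, whenCreated,
        @{ n = 'LastLogon'; e = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } } } |
    Export-Csv -Path $report -NoTypeInformation

# Stage 3: disable, stamp the description with the reason and origin, and stage.
# -WhatIf shows the actions without applying them; remove it after reviewing the CSV.
foreach ($u in $candidates) {
    $stamp = "Disabled as inactive on $(Get-Date -Format yyyy-MM-dd); was in $($u.DistinguishedName)"
    Set-ADUser -Identity $u -Description $stamp -WhatIf
    Disable-ADAccount -Identity $u -WhatIf
    Move-ADObject -Identity $u -TargetPath $stagingOu -WhatIf
}
# Deletion is a separate, later step once the retention period your policy requires has passed.
```

Disabling and staging first keeps the SID, group memberships and mailbox recoverable if an account turns out to be in use (service accounts and shared mailboxes are the usual false positives); the CSV is the record of what was changed and why.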


Cannot ping and/or lose connectivity to some 2008r2 servers


Hi,

We have a bunch of 2008 R2 servers that on occasion we cannot ping from certain domain PCs (Win7 Professional). DNS on the servers that we can't ping is set as expected and the firewall is off.

One thing we notice is that on some of the PCs that cannot ping the problem servers, the return address will time out and the hostname is resolved to IPv6.

If we reboot the problematic servers I can eventually ping again (say 10 mins) and the servers that were returning an IPv6 address will now return an IPv4 address and all works.

Some people say to turn off IPv6 on your servers, but not MS, according to the following article.

http://technet.microsoft.com/en-us/network/cc987595.aspx

Anyone know why this is, as we're losing connectivity to servers so it is a big issue!

Thanks

Custom Attributes monitoring that are no longer in use in Active Directory

We have several custom attributes in Active Directory that should no longer be in use.

We are looking for a native solution to detect any system which may still be reading from, or writing to, these attributes.

Could we detect any activity via a native solution on a given set of attributes (including reads), and produce a monthly report with reads/writes reported on a per-system basis including details such as host name, IP address and credentials used?

Not all Active Directory DNS Servers will resolve a new DNS record


Problem: Not all Active Directory DNS Servers will resolve a new DNS record. A new CNAME or A record is added to the DNS of one server and even after the replication time allotment the other DNS servers cannot resolve that new record. This seems to be intermittent, as sometimes a new DNS record resolves as expected from all DNS servers. These are new records and are not subject to tombstoning yet.

Environment: Many cross site Domain Controllers using Active Directory Integrated DNS (secure only), mostly 2008 R2 servers with a few 2003 R2 servers, Forest/Domain Function levels at 2003. This is the main forest DNS zone replicating to all DCs in the forest.

Troubleshooting:

At first it was suspected it was a replication issue, but after using ADSIEdit and connecting to dc=forestDNSZones,dc=********,dc=*** a dnsNode instance was found for each problematic DNS record on every domain controller. It just wasn’t getting published to the DNS service. Digging a little deeper, it was found that these new dnsNode instance security permissions only included permissions inherited from the Zone and did not include the “Default Security” permissions of the dnsNode class as defined by the Active Directory schema. 

Workaround:

Opening the Advanced Security settings for the problematic dnsNode instance in ADSIEdit and clicking "Restore defaults", which applies all the schema-defined default security permissions as well as the inherited permissions from the hosting zone, will allow that DNS record to be published to the DNS service. This 'fixes' the issue for that one broken DNS record, but has to be done each time these DNS records do not publish.

Root Cause: Not Found!!

What would cause the schema defined default security permissions to not apply to ‘some’ new dnsNode instances causing those DNS records to not publish to the same servers DNS service?

Orphaned printer queues


Hi

I have a problem that I have been trying to resolve, and am not having much luck so far - hopefully someone has an idea.

In my infrastructure I have a bunch of printer queues that are published in AD, but they are orphaned as the print server that they were associated with died unexpectedly, and we did not have a chance to remove these published queues in print manager.

If a user tries to add a new network printer via the directory, an error is thrown that the printer cannot be connected to (obviously).

Now I know that the printer pruner service that runs in AD should clean these queues as the print server is no longer available. But this is not happening.

I have been into the DC GPO, and enabled the pruning service (even though "not configured" is enabled)

I have reduced the time and number of retries before the printers are pruned

The print server is not in ADUC

I have looked through our ADUC with ADSIEdit, and the server is not listed anywhere, so I cannot remove the queues via ADSIEdit

The server is not in DNS or DHCP reservations

I cannot add the print server in print manager

Other fixes MS provide include making sure that the pruner has permissions to the printer queue - but I can't do this, as the properties don't open, as the object does not really exist.

It looks like the objects are in the AD database somewhere, but I have no idea where, or how to remove them.

Domain functional level: 2003

4 x AD DCs

1 x print server

1 x dead print server which has caused this issue

Thanks in advance if anyone has any ideas of where to go.

Warren

Certificate Authority


We currently have a 2008 R2 Standard enterprise root CA.  My goal is to convert this to a standalone CA so that I can take it offline, and install a subordinate enterprise CA.  Is this possible?  How can it be accomplished without negatively impacting existing certificates in the enterprise root CA?  

Windows 7 not recognize domain network


Dear All,

I have 2 Windows 2008 R2 DCs set up at the production site with Windows 2003 functional level. However, I found that when a Windows 7 client connects with a static IP, it cannot recognize the domain network, which causes domain services, DNS lookup and other services to fail. I have disabled the Windows 7 firewall and IPv6 and added the domain suffix to the DNS.

Please kindly advise what the possible issue could be?

Many Thanks

Best Regards,

Elroy

Get-Movestatus by users active directory attribute


Hi all,

for monitoring of Mailbox Migration I have to check an attribute called 'msExchMailboxMoveStatus' in Active Directory. I try to get a PowerShell script which can read the email addresses of users from a csv file. The script should write the results to a txt or csv file. How can I do that?

I've got a VB script here as an example for this job.

The powershell script will start like this:

Import-Module ActiveDirectory

# from a csv file
$USERS = Import-CSV C:\Temp\USER-LIST.csv
# XXXXX stands for the attribute to report (the post names msExchMailboxMoveStatus)
$USERS | Foreach { Get-ADUser $_.SAMAccountName -Properties * | Select SAMAccountName, mail, XXXXX } | Export-CSV -Path C:\Temp\USERS-ATTRIBUTES.csv

Thanks for any help,


Soheil
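A version that does what the post asks (look users up by e-mail address rather than sAMAccountName, and report addresses that match no account), as an added PowerShell example that is not from the post. It assumes the ActiveDirectory module, PowerShell 3.0 or later, and an input CSV with a `mail` column; the sample row is constructed.

```powershell
# Added example, not part of the original post. Input: a CSV with a 'mail' column (assumption).
Import-Module ActiveDirectory

$inputCsv  = "C:\Temp\USER-LIST.csv"
$outputCsv = "C:\Temp\USERS-MOVESTATUS.csv"
$attribute = "msExchMailboxMoveStatus"

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping, so an odd character in an address cannot alter the filter.
    # Backslash must be escaped first, otherwise the later escapes would be re-escaped.
    param([string]$Value)
    $v = $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    return $v.Replace([string][char]0, '\00')
}

# Constructed sample input standing in for Import-Csv $inputCsv
$rows = @([pscustomobject]@{ mail = "jane.doe@example.com" })
# $rows = Import-Csv $inputCsv

$results = foreach ($r in $rows) {
    $addr  = $r.mail.Trim()
    $safe  = ConvertTo-LdapFilterValue $addr
    # Look up by the mail attribute; more than one match (or none) is reported, not hidden.
    $users = @(Get-ADUser -LDAPFilter "(mail=$safe)" -Properties mail, $attribute)
    if ($users.Count -eq 0) {
        [pscustomobject]@{ Mail = $addr; SamAccountName = $null; MoveStatus = 'NOT FOUND' }
        continue
    }
    foreach ($u in $users) {
        [pscustomobject]@{
            Mail           = $addr
            SamAccountName = $u.SamAccountName
            MoveStatus     = if ($null -ne $u.$attribute) { $u.$attribute } else { 'attribute not set' }
        }
    }
}

$results | Export-Csv -Path $outputCsv -NoTypeInformation
$results | Format-Table -AutoSize
```

Requesting only the two attributes needed instead of `-Properties *` keeps the query cheap when the CSV is long, and the NOT FOUND rows are what makes the export usable as a migration checklist.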






DSADD user - How to add user when you have a comma in the DN?


Trying to do a mass import of users into AD using the DSADD command. Our company's Naming convention for the object's CN is "Lastname, Firstname". So the command looks like:

DSADD user "CN=Lastname, Firstname,OU=Users,OU=XXX,OU=Accounts.DC=...

So DSADD fails with: Value for 'Target object for this command' has incorrect format.

I've tried to use an escape sequence "\," hoping that it might work. I tried single quotes just around the CN value, but no success.

Any suggestions?
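Inside a distinguished name a comma that is part of an RDN value is written `\,` (RFC 4514), and the RDNs themselves are separated by commas only. The bulk-import loop below is an added PowerShell example, not from the post; the OU path, UPN domain and CSV columns (LastName, FirstName, SamAccountName) are assumptions, and the sample row is constructed.

```powershell
# Added example, not part of the original post. OU path, UPN suffix and CSV layout are assumptions.
Import-Module ActiveDirectory

$ou     = "OU=Users,OU=XXX,OU=Accounts,DC=example,DC=com"   # assumption; note every RDN is comma-separated
$upnDom = "example.com"                                      # assumption

function ConvertTo-RdnValue {
    # RFC 4514: , \ # + < > ; " = inside an RDN value are backslash-escaped, as are a
    # leading and a trailing space. 'Lastname, Firstname' becomes 'Lastname\, Firstname'.
    param([string]$Value)
    $v = $Value -replace '([,\\#+<>;"=])', '\$1'
    if ($v -match '^ ') { $v = '\' + $v }
    if ($v -match ' $') { $v = $v.Substring(0, $v.Length - 1) + '\ ' }
    return $v
}

# Constructed sample row standing in for Import-Csv C:\Temp\users.csv
$users = @([pscustomobject]@{ LastName = 'Doe'; FirstName = 'Jane'; SamAccountName = 'jdoe' })
# $users = Import-Csv C:\Temp\users.csv

foreach ($u in $users) {
    $display = "$($u.LastName), $($u.FirstName)"
    $dn      = "CN=$(ConvertTo-RdnValue $display),$ou"   # CN=Doe\, Jane,OU=Users,...

    # Option 1: dsadd with the escaped DN passed as one quoted argument
    dsadd user "$dn" -samid $u.SamAccountName -upn "$($u.SamAccountName)@$upnDom" `
        -fn $u.FirstName -ln $u.LastName -display $display

    # Option 2: New-ADUser takes the unescaped name and the parent OU separately and
    # builds the escaped DN itself, which sidesteps the quoting problem entirely:
    # New-ADUser -Name $display -Path $ou -SamAccountName $u.SamAccountName `
    #     -GivenName $u.FirstName -Surname $u.LastName -UserPrincipalName "$($u.SamAccountName)@$upnDom"
}
```

When the escaped form still fails, check the separators between RDNs: the "incorrect format" error is also what dsadd reports when two RDNs are joined by something other than a comma.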

Frequently the trust relationship between the member server and the primary domain failed?


Hello,

In my domain, one member server's trust has been broken two times in the last month. At the time of the trust failure, if I go into AD and check for the computer account I cannot find it! It is getting deleted.

After I disjoin and rejoin the domain, the account is created in AD and it authenticates without any issue.

The affected machine (member server) is a virtual machine.

Could anybody tell why this is happening again and again, and at the same time the account is getting deleted in AD?

Any fixes or known issues?

Regards,

DJ


Demoting Domain Controller


I have installed a new 2012 Server to take over from my existing 2003 server, I have added new server to the domain, moved all fsmo roles, everything has replicated fine to the new server. I have made sure all PC are using the new server as their DNS server. I have taken the tick out of the box to make sure the old server doesn't think it is a Global Catalog. I have made sure the old server isn't in the DNS as a NS.

I run netdom query fsmo in command prompt and everything is pointing at the new server.

When I try and demote the old server it says it can't, because it can't see any domain controllers on the network.

If I turn off the old server the new server loses everything in Active Directory Users and Computers because it can't find the domain controller, and some of the network shares stop working.

Confused.

Active Directory Services unable to start


Main Domain Controller DC1 is down; it was past its tombstone lifetime. The FSMO roles were not properly transferred to the existing domain controller DC2: the Schema Master and Domain Master roles are not transferred. At present DC2 is not accepting new users or computers, and other issues are raised.

repadmin report

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

l>repadmin /showreps
Default-First-Site-Name\IRDAGOV
DC Options: IS_GC
Site Options: (none)
DC object GUID: 84c7b6e0-3f37-4b78-8fbe-d642228bd9d6
DC invocationID: 4670e924-ced1-43f2-ba75-4257edf6824d

==== INBOUND NEIGHBORS ======================================

DC=IRDAONLINE,DC=ORG
    Default-First-Site-Name\IRDAHO via RPC
        DC object GUID: 9594f27c-9870-4b95-82e7-876220fe8134
        Last attempt @ 2013-08-07 10:23:20 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failu
re.
        26342 consecutive failure(s).
        Last success @ 2010-08-04 13:21:25.

CN=Configuration,DC=IRDAONLINE,DC=ORG
    Default-First-Site-Name\IRDAHO via RPC
        DC object GUID: 9594f27c-9870-4b95-82e7-876220fe8134
        Last attempt @ 2013-08-07 10:23:22 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failu
re.
        26329 consecutive failure(s).
        Last success @ 2010-08-04 13:21:25.

CN=Schema,CN=Configuration,DC=IRDAONLINE,DC=ORG
    Default-First-Site-Name\IRDAHO via RPC
        DC object GUID: 9594f27c-9870-4b95-82e7-876220fe8134
        Last attempt @ 2013-08-07 10:23:24 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failu
re.
        26324 consecutive failure(s).
        Last success @ 2010-08-04 13:21:25.

Source: Default-First-Site-Name\IRDAHO
******* 26342 CONSECUTIVE FAILURES since 2010-08-04 13:21:25
Last error: 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failu
re.
>netdom query fsmo
The specified domain either does not exist or could not be contacted.


Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine irdagov, is a DC. 
   * Connecting to directory service on server irdagov.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 2 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\IRDAHO
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         The host 9594f27c-9870-4b95-82e7-876220fe8134._msdcs.IRDAONLINE.ORG could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         ......................... IRDAHO failed test Connectivity
   
   Testing server: Default-First-Site-Name\IRDAGOV
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... IRDAGOV passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\IRDAHO
      Test omitted by user request: Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Test omitted by user request: NCSecDesc
      Test omitted by user request: NetLogons
      Test omitted by user request: Advertising
      Test omitted by user request: KnowsOfRoleHolders
      Test omitted by user request: RidManager
      Test omitted by user request: MachineAccount
      Test omitted by user request: Services
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: ObjectsReplicated
      Test omitted by user request: frssysvol
      Test omitted by user request: frsevent
      Test omitted by user request: kccevent
      Test omitted by user request: systemlog
      Test omitted by user request: VerifyReplicas
      Test omitted by user request: VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError
   
   Testing server: Default-First-Site-Name\IRDAGOV
      Test omitted by user request: Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Test omitted by user request: NCSecDesc
      Test omitted by user request: NetLogons
      Test omitted by user request: Advertising
      Test omitted by user request: KnowsOfRoleHolders
      Test omitted by user request: RidManager
      Test omitted by user request: MachineAccount
      Test omitted by user request: Services
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: ObjectsReplicated
      Test omitted by user request: frssysvol
      Test omitted by user request: frsevent
      Test omitted by user request: kccevent
      Test omitted by user request: systemlog
      Test omitted by user request: VerifyReplicas
      Test omitted by user request: VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError

DNS Tests are running and not hung. Please wait a few minutes...



Unable to set hidden home folder path


Hi guys,

maybe someone can help with the following problem we have. Right now we are still using some 2003 servers for user account administration. Now we have set up a new 2008 R2 server for the administration team and have the following issue.

Our user home folders are located on a hidden share. E.g.: \\server1\userhomes$\username

The home folder path within the AD account is set to: \\server1\username

If the admin team is moving any home folder for any reason, they have to adapt the home folder path within the AD account to e.g.: \\server2\username

On Server 2003 you will get an error message that the path could not be found, but the new home folder path will be taken over by the MMC (there is just an OK button). If you do the same procedure on the new 2008 server, you also get the same error message that the path could not be found. But after clicking OK, no changes are written to the AD object. :(

Which means: on 2008 I'm unable to set a hidden home folder path if I skip the hidden share name (userhomes$) in the home folder path.

Funny, this is still working on Server 2003.

Any ideas? :)

Thanks in advance. Niggoh


*********************** Having is better than needing ***********************



How to change Active Directory object owner?


  I have a problem where I need to change owner of the multiple AD objects. dsacls from the ADAM has /takeownership switch but it changes the owner to the account I have logged on. But I need to change owner to specific computer account. Of course I can manually change it from adsiedit but there is more than hundred of them and it's tedious. I searched for some utility but didn't have any luck finding any. Have anyone done same thing with some utility/script? 

Cannot modify or edit the objects in ADSIEdit


I am unable to delete or modify objects in the Configuration container though I am a schema admin. Any help will be highly appreciated. I have two failed child DCs which show up there and I am unable to modify or edit them to add fresh child DCs with the same domain name.

Thank you.

Regards,

Udayan


Intermittently unable to access the NETLOGON share


I have noticed that I get intermittent problems accessing the NETLOGON share via \\domain\NETLOGON.  This just happened one day and we haven't made any changes.

I first noticed the problem because we have a logon script stored in the NETLOGON share that stopped working intermittently.

Unusually the logon script (vbscript) still appears to start however during the script a csv file from the same share is opened for reading.  I have changed the location of the csv file to a share on a file server and the script is running fine now.  I still see the problem accessing the NETLOGON share though.

The error I get when trying to access is:

"\\domain\NETLOGON is not accessable.  You might not have permission to use this network resource.  Contact the administrator of this server to see if you have access permissions.

The format of the specified network name is invalid."

The script error from the logon script also had the error: "The format of the specified network name is invalid."

I have checked the permissions and the everyone group has read access.  Oddly I can still access the Sysvol share and have no problem using a domain controller name i.e. \\dc1\NETLOGON is fine.

The majority of support calls were received from users on Citrix Desktops (although a handful from desktop users in branches). The VDIs are members of an AD site; however, they are in a different subnet to the Domain Controllers in that site. This means that when resolving the domain name they get a random Domain Controller from any site (because DNS subnet ordering is used and there are none in the same subnet). To work out which Domain Controller was being used I created a share on each DC with the same name as the DC - this way when I browse to the domain i.e. \\domain I can see the name of the server by viewing the shares. Unfortunately the problem is not DC specific.

Also strange is that after some time this problem goes away almost at random.

I have attempted to verify the netlogon and sysvol shares are working correctly by running “net share” and “dcdiag /test:netlogons” on all our domain controllers but haven’t found anything unusual.

One other thing we have tried is to remove old DNS entries for domain controllers that no longer exist from decommissioned sites however the problem still persists.

I ran wireshark and could see the DNS query and then connections to and from a domain controller (ruling out connectivity.)

While I've worked around the logon script problem, I'm concerned about group policy or other problems that might result.

All our DCs are running Server 2008 R2 and our Domain and Forest Functional Level is 2008 R2.

Any thoughts on where to go next would be appreciated.

Upgrade Win 08 R2 DC to Win 2012


I have a virtualized DC running Win Server 2008 R2 Enterprise.  Can I upgrade it to Win 2012 Standard or Datacenter edition?

Shawn

How to grant a user "rights" "only" to create new users over a OU


Hi ppl,

I have a user "test" and an OU "TestOU". I would like to grant the user "test" permissions to create new users in "TestOU", but "test" should not be able to do other management activities like deleting user objects, creating a child OU or adding a new computer etc.

Anand
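A least-privilege grant of exactly that right with dsacls, plus the read-back that confirms nothing broader was granted, as an added example that is not from the post. The OU path and account name are assumptions.

```powershell
# Added example, not part of the original post. OU path and delegate account are assumptions.
$ou       = "OU=TestOU,DC=example,DC=com"   # assumption
$delegate = "EXAMPLE\test"                   # assumption: DOMAIN\user

# CC = Create Child. The trailing ';user' scopes the ACE to objects of class user,
# so the delegate cannot create OUs, groups or computers. /I:T applies the ACE to the
# OU and its sub-containers. No DC (Delete Child) or WP (Write Property) is granted.
dsacls $ou /I:T /G "${delegate}:CC;user"

function Get-DelegateAces {
    # Read the ACL back and return only the ACE lines for the delegate (plus detail lines),
    # so the result can be checked against the intended grant before the change is signed off.
    param([string]$ObjectDn, [string]$Trustee)
    dsacls $ObjectDn | Select-String -Pattern ([regex]::Escape($Trustee)) -Context 0, 3
}

Get-DelegateAces -ObjectDn $ou -Trustee $delegate
```

The account that creates an object becomes its owner, which is what lets the delegate fill in attributes on the users it just created; setting an initial password is a separate control-access right ("Reset Password" on user objects) and is not implied by Create Child.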

Domain Users unable to change their passwords.


Hi All,

I've done a lot of searching around for this but none of the answers I saw really seemed to fit or do the trick.

We have two domain controllers (Server 2008R2) that have not changed in years and suddenly I found out this morning that users couldn't change their passwords through the CTRL-ALT-DEL interface (Windows 7 machines).  I know this was working 7 days ago so I'm a little at a loss to explain what is going on.

Users can successfully change their passwords if I force them to do so at next login but on their own it's a no-go.  I get the message: "Unable to update the password.  The value provided for the new password does not meet the length, complexity, or history requirements of the domain."

Here's my GPO on my primary domain controller:

Enforce Password History: Not Defined

Maximum Password Age: Not Defined

Minimum Password Age: Not Defined

Maximum Password length: 7 characters

Password must meet complexity requirements : Disabled

Store Passwords using reversible encryption: Disabled

Any ideas?  I'm rather frustrated with this.
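The policy a domain actually enforces is read from the domain object (and from any fine-grained password policy that applies to the user), not from what a DC-level GPO shows; a user-initiated change is also subject to the minimum password age and history checks, which are not applied when the account is flagged to change at next logon. The diagnostic below is an added PowerShell example, not from the post; it assumes the ActiveDirectory module, PowerShell 3.0 or later, and a placeholder user name.

```powershell
# Added example, not part of the original post. User name is a placeholder.
Import-Module ActiveDirectory

function Test-PasswordChangeAllowed {
    # Resolve the policy that applies to one user and report whether the minimum
    # password age currently blocks a user-initiated change.
    param([string]$SamAccountName)

    $u   = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, PasswordLastSet
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u          # $null when no PSO applies
    $policy = if ($pso) { $pso } else { Get-ADDefaultDomainPasswordPolicy }

    # pwdLastSet = 0 means "must change at next logon": min age and history are not enforced then.
    $mustChange = ($u.pwdLastSet -eq 0)
    $earliest   = if ($mustChange) { Get-Date } else { $u.PasswordLastSet + $policy.MinPasswordAge }

    [pscustomobject]@{
        User               = $u.SamAccountName
        PolicySource       = if ($pso) { "PSO: $($pso.Name)" } else { 'Default domain policy' }
        MinPasswordLength  = $policy.MinPasswordLength
        ComplexityEnabled  = $policy.ComplexityEnabled
        HistoryCount       = $policy.PasswordHistoryCount
        MinPasswordAge     = $policy.MinPasswordAge
        PasswordLastSet    = $u.PasswordLastSet
        MustChangeAtLogon  = $mustChange
        ChangeAllowedFrom  = $earliest
        MinAgeBlocksChange = ($earliest -gt (Get-Date))
    }
}

# Effective domain-wide policy and any PSOs, for comparison with what the GPO editor shows
Get-ADDefaultDomainPasswordPolicy | Format-List MinPasswordLength, MinPasswordAge, PasswordHistoryCount, ComplexityEnabled
Get-ADFineGrainedPasswordPolicy -Filter * | Format-Table Name, Precedence, MinPasswordLength, MinPasswordAge, PasswordHistoryCount

Test-PasswordChangeAllowed -SamAccountName "jdoe"   # placeholder user
```

If `MinAgeBlocksChange` is true while the GPO shows the setting as not defined, the value is coming from the domain object or a PSO rather than the GPO being inspected, which matches the symptom of forced changes succeeding while voluntary ones are refused.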

Error: the RPC server is unavailable. 0x800706ba


I have a domain controller that is also a CA running Windows 2008 R2 Enterprise SP1.

Any attempt to enroll a certificate remotely fails, with; “Error: the RPC server is unavailable. 0x800706ba (WIN: 1722)”

The only thing I can think of that has changed is the firmware on the network and iLO, which are on the same port. The server is an HP DL320 G6. All other communication is working.

I checked the security settings in COM security; the settings are correct. The members of the group Users are correct.

Any other ideas?
