One way trust from 2012 domain to 2008
We have a 2008 native domain, non-R2.
For a project, in a remote data center, a 2008R2 DC was setup specifically to create a trust between a customer domain and ours.
We have VPN connectivity, wide open, to the colo (tested). Their server is 10.168.1.199 and their domain is ibts.int (2012)
The server they gave us is 10.168.1.200 and it's successfully been promoted as a full domain controller with GC. I've tested replication and replication seemed to work fine, but when I run dcdiag I get this. (2008)
Doing primary tests
Testing server: Lantel\IBTS-EXTDC
Starting test: Advertising
Warning: DsGetDcName returned information for \\IBTS-DC.IBTS.int, when
we were trying to reach IBTS-EXTDC.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... IBTS-EXTDC failed test Advertising
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... IBTS-EXTDC failed test DFSREvent
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\IBTS-EXTDC\netlogon)
[IBTS-EXTDC] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... IBTS-EXTDC failed test NetLogons
Obviously these failures are a concern, but I don't know why they would happen. I ran the same test on my primary DC with no errors. The first one concerns me the most: "\\IBTS-DC.IBTS.int" is their DC server name, so why would my server be returning information for that server with no trust up?
Anyway moving on..
The VPN only allows their DC to talk to our one DC in the colo, but not the rest of my DCs, but I don't think that matters?
For DNS on my colo machine's NIC I used 10.168.1.200 as primary, and I've tried a few different things as secondary, but currently it's one of my other DCs in my home office.
They created their half of the outgoing trust to us, with a shared password, with no problem. When I create my side External trust incoming, I get the following error.
"The operation failed. This operation cannot be performed on the current domain."
and in the system log
"The Security System could not establish a secured connection with the server LDAP/IBTS-DC.IBTS.int/IBTS.int@IBTS.INT. No authentication protocol was available."
I'm researching this error but not finding anything specific enough.
Any help is greatly appreciated.
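Before retrying the trust, the things the poster's description touches (DNS resolution of the partner domain, the VPN allowing only some ports, the DC not advertising) can be checked from the 2008 DC in one go. The following is an added example, not code from the post; it assumes the host names and addresses quoted above and uses only .NET and nltest, since Resolve-DnsName and Test-NetConnection do not exist on Windows Server 2008.

```powershell
# Added example (not from the post): pre-flight checks for an external trust, run on the
# 2008 DC in the colo. Assumptions: names/addresses are the ones quoted in the post; the
# port list is the standard set a trust needs between two DCs.
$PartnerDomain = 'ibts.int'
$PartnerDc     = 'IBTS-DC.ibts.int'
$PartnerDcIp   = '10.168.1.199'
$LocalDc       = 'IBTS-EXTDC'

# Fixed ports a trust setup needs between the two DCs. RPC additionally uses the dynamic
# range (49152-65535 on 2008 and later), which a VPN ACL that only opens these will block.
$Ports = @{ 'DNS' = 53; 'Kerberos' = 88; 'RPC endpoint mapper' = 135; 'LDAP' = 389; 'SMB' = 445 }

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. Name resolution: both the partner domain name and its DC must resolve from this DC.
foreach ($name in @($PartnerDomain, $PartnerDc)) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        '{0,-22} resolves to {1}' -f $name, ($ips -join ', ')
    } catch {
        '{0,-22} does not resolve: add a conditional forwarder for {1} -> {2} (and have the partner add one for your domain)' -f $name, $PartnerDomain, $PartnerDcIp
    }
}

# 2. Port reachability from this DC to theirs.
foreach ($entry in $Ports.GetEnumerator()) {
    $state = if (Test-TcpPort -ComputerName $PartnerDcIp -Port $entry.Value) { 'open' } else { 'BLOCKED' }
    '{0,-20} tcp/{1,-4} {2}' -f $entry.Key, $entry.Value, $state
}

# 3. Locator checks: this DC must advertise itself before it can be the trust endpoint
#    (the Advertising/NetLogons failures in the dcdiag output), and the partner domain's
#    DC must be locatable from here.
& nltest /dsgetdc:$env:USERDNSDOMAIN /server:$LocalDc
& nltest /dsgetdc:$PartnerDomain /force
```

Run it in an elevated prompt on IBTS-EXTDC. Anything reported as BLOCKED or not resolving has to be fixed before the trust wizard will get as far as a secured LDAP connection to the partner DC; the two nltest calls show which DC the locator actually hands back for each domain name.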
Update user
I have the above PowerShell script that does the attribute update every day; it works fine. Can you advise how I can have the Windows server send an alert to my Exchange email account showing which user attributes have been updated (e.g. the original attribute and the updated attribute)? Can you advise what I can do? Thanks.
# Quest AD cmdlets: build mail = sAMAccountName@abc.com for every user under the OU.
Get-QADUser -SearchRoot "OU=xxx,DC=yyy" | ForEach-Object {
    $username    = $_.SamAccountName   # $_ is the current user object in the pipeline
    $emaildomain = "@abc.com"
    $fullemail   = "$username$emaildomain"
    Set-QADUser -Identity $username -Email $fullemail
}
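One way to get the requested alert is to record the old and new value for every account the script actually changes and mail that list with Send-MailMessage. The following is an added example, not the poster's script; it keeps the Quest cmdlets the post uses and assumes the OU path, SMTP server and addresses shown are placeholders.

```powershell
# Added example (not the poster's script): same daily update, but it records every change
# and mails a summary. Assumptions: the Quest AD snap-in is installed; OU path, SMTP server
# and addresses are placeholders.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$SearchRoot  = 'OU=xxx,DC=yyy'
$EmailDomain = '@abc.com'
$SmtpServer  = 'mail.abc.com'         # assumed
$MailFrom    = 'ad-updates@abc.com'   # assumed
$MailTo      = 'admin@abc.com'        # assumed

$changes = @()
Get-QADUser -SearchRoot $SearchRoot -SizeLimit 0 | ForEach-Object {
    $user     = $_
    $newEmail = "$($user.SamAccountName)$EmailDomain"
    # Only write accounts whose value actually differs; an unconditional Set-QADUser
    # would touch every object every day and bury real changes in the audit log.
    if ($user.Email -ne $newEmail) {
        Set-QADUser -Identity $user.DN -Email $newEmail | Out-Null
        $changes += New-Object PSObject -Property @{
            When           = Get-Date
            SamAccountName = $user.SamAccountName
            Attribute      = 'mail'
            OldValue       = $user.Email
            NewValue       = $newEmail
        }
    }
}

if ($changes.Count -gt 0) {
    $body = $changes | Select-Object When, SamAccountName, Attribute, OldValue, NewValue |
        Format-Table -AutoSize | Out-String
    Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
        -Subject ('AD attribute update: {0} account(s) changed' -f $changes.Count) `
        -Body $body
    # Keep a local copy as well, so the history survives if mail delivery fails.
    $changes | Export-Csv -NoTypeInformation `
        -Path ('C:\Logs\ad-mail-updates-{0:yyyyMMdd}.csv' -f (Get-Date))
}
```

Because the script only mails when something changed, a day with no new users produces no message, which makes an unexpected alert worth reading.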
How to join AD with LDS
Hi,
We have kept our web server [Win 2012 OS] on a different subnet and we want to join it to our AD domain [installed on Win 2012 OS] using LDS.
Is it possible? If yes, please mention the steps for that...
The only purpose is single sign-on...
Thanks,
account lockout mechanism
Hi all,
I want to know the lockout mechanism for wrong password attempts. For example, under the Group Policy in our organization, a domain user account will be locked out after 3 wrong password attempts. I want to know how Windows knows it has been 3 times.
- The domain user account will be locked out after 3 wrong password attempts within how many minutes?
- If a domain user tries a wrong password 2 times on Computer A and then tries a wrong password again on Computer B immediately, will this user account be locked out? (A and B are in the same domain)
Thanks,
高麻雀
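The count the question asks about is stored per domain controller and aggregated on the PDC emulator, which is why attempts from different computers add up. The following added example (not from the post) reads the policy values that define "3 times" and "within how many minutes", then shows the bad-password counter on every DC for one account; it assumes the ActiveDirectory module (2008 R2 RSAT or later) and uses 'jdoe' as a placeholder account.

```powershell
# Added example (not from the post): shows where the "3 times" is kept. Each DC stores its own
# badPwdCount/badPasswordTime for an account (these attributes are not replicated) and forwards
# every failure to the PDC emulator, which therefore holds the domain-wide count that is compared
# with the threshold. Assumptions: ActiveDirectory module; 'jdoe' is a placeholder.
Import-Module ActiveDirectory
$User = 'jdoe'

function Get-LockoutPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    New-Object PSObject -Property @{
        LockoutThreshold         = $p.LockoutThreshold                       # the "3"
        ObservationWindowMinutes = $p.LockoutObservationWindow.TotalMinutes  # failures older than this are forgotten
        LockoutDurationMinutes   = $p.LockoutDuration.TotalMinutes           # 0 = stays locked until an admin unlocks
    }
}

function Get-BadPasswordCountPerDc {
    param([string]$SamAccountName)
    $pdc = (Get-ADDomain).PDCEmulator
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties badPwdCount, badPasswordTime, LockedOut
        New-Object PSObject -Property @{
            DC              = $dc.HostName
            IsPdcEmulator   = ($dc.HostName -eq $pdc)
            BadPwdCount     = $u.badPwdCount
            LastBadPassword = $(if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null })
            LockedOut       = $u.LockedOut
        }
    }
}

Get-LockoutPolicy | Format-List
# Attempts on computer A and computer B may be handled by different DCs; the PDC emulator's
# row is the total that is checked against the threshold.
Get-BadPasswordCountPerDc -SamAccountName $User | Sort-Object IsPdcEmulator -Descending |
    Format-Table DC, IsPdcEmulator, BadPwdCount, LastBadPassword, LockedOut -AutoSize
```

Two failures on computer A and one on computer B therefore lock the account if all three fall inside the observation window, because each DC reports the failure to the PDC emulator before replying; once badPasswordTime is older than the window, the counter is treated as zero again.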
Can't open Active Directory Users and Computers console and DNS error 4000
Hi, we have seen Error log in the eventlog regarding DNS server, below is the message:
************
The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
************
I have tried to open Active Directory Users and Computers console and I got the below error message:
************
Naming information cannot be located for the following reason:
The server is not operational.
If you are trying to connect to a domain controller running Windows 2000, verify that Windows 2000 Server Service Pack 3 or later is installed on the domain controller, or use the Windows 2000 administration tools. For more information about connecting to domain controllers running Windows 2000, see Help & Support.
************
So, can any one help us to solve the DNS error and the console error?
The server is Windows server 2003 R2 standard edition.
Thanks.
Create domain users without admin rights in powershell
Forgive me if this has been answered in a different thread. I am not sure what I should be searching for. In VBScript, it was possible to hard-code and pass the domain admin username and password in a script to create users in Active Directory. This is very handy when a non-administrator runs the script to create users. In VBScript it looked something like this:
Set ou_SES = DirectoryService.OpenDSObject ("LDAP://OU=Elementary,OU=Students,OU=Sidney Central School Network Users,DC=sidney,DC=k12,DC=ny,DC=us","administrator","password",ADS_SECURE_AUTHENTICATION)
In my case, human resources enters all the employee information into the HR system and then exports a text file that is read by my script. How do I do the same thing with PowerShell that I did with VBScript? I would like to have HR run the script, but they are not admins and it pukes.
Any suggestions would be greatly appreciated. Thank you
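The PowerShell equivalent of OpenDSObject with a username and password is `-Credential` on the AD cmdlets, but a script that carries a domain admin password is readable by everyone who can run it. The least-privilege version is to delegate only "create user objects" on the target OU to an HR group once, after which HR runs the import as themselves. The following is an added example, not the poster's script; it assumes the ActiveDirectory module, the OU quoted in the post, and placeholder names for the HR group, CSV path and CSV columns.

```powershell
# Added example (not the poster's script). Delegate creation rights on the students OU to an
# HR group once, then let HR run the CSV import under their own account.
# Assumptions: ActiveDirectory module; group name, CSV path and columns are placeholders.
Import-Module ActiveDirectory

$TargetOu = 'OU=Elementary,OU=Students,OU=Sidney Central School Network Users,DC=sidney,DC=k12,DC=ny,DC=us'
$HrGroup  = 'SIDNEY\HR-UserCreators'     # assumed group name
$CsvPath  = 'C:\HRExport\newhires.csv'   # assumed; columns: GivenName,Surname,SamAccountName

# --- One-time delegation, run once by a domain admin (dsacls ships with the AD DS tools) ---
# CC = create child, DC = delete child, limited to user objects, on this OU and below.
& dsacls $TargetOu /I:T /G "${HrGroup}:CCDC;user"
# Let the group set the initial password and enable the accounts it creates, nothing more.
& dsacls $TargetOu /I:S /G "${HrGroup}:CA;Reset Password;user" "${HrGroup}:WP;userAccountControl;user"

# --- Daily import, run by an HR user who is a member of $HrGroup (no -Credential needed) ---
function Import-HrUsers {
    param([string]$Path, [string]$OuPath)
    Add-Type -AssemblyName System.Web
    foreach ($row in Import-Csv -Path $Path) {
        $sam = $row.SamAccountName
        # Script-block filter: the value is passed as a variable, not spliced into an LDAP string.
        if (Get-ADUser -Filter { SamAccountName -eq $sam }) {
            Write-Warning "$sam already exists, skipping"
            continue
        }
        # Random initial password per account; never hard-code one in the script.
        $initial = [System.Web.Security.Membership]::GeneratePassword(16, 3)
        New-ADUser -Name "$($row.GivenName) $($row.Surname)" `
                   -GivenName $row.GivenName -Surname $row.Surname `
                   -SamAccountName $sam `
                   -UserPrincipalName "$sam@sidney.k12.ny.us" `
                   -Path $OuPath `
                   -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force) `
                   -ChangePasswordAtLogon $true -Enabled $true
        New-Object PSObject -Property @{ SamAccountName = $sam; InitialPassword = $initial }
    }
}

Import-HrUsers -Path $CsvPath -OuPath $TargetOu
```

If the script really must run under a different account, pass `-Credential (Get-Credential)` to New-ADUser rather than embedding a password; but with the delegation above the HR user's own token is sufficient, and a compromised workstation gains only the ability to create students, not domain admin.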
Is there any way to get Active directory Password in plain text format
Hi,
Is there any way to get Active Directory user password in plain text format. I am using windows 2008 Server R2.
Regards,
Mangesh Bhanage
Group Policy not working on some users
I have a domain-level policy that restricts users to 3 failed logon attempts before lockout. But some users get locked out on the first try. No enforced, no blocked inheritance and no overriding policy (as far as I see) is applied.
What could cause this?
Kerberos Token Size
Hello,
As per MS KB article http://support.microsoft.com/kb/938118, if you want to increase
Kerberos Token Size, you should set following registry value:
Entry: MaxTokenSize
Data type: REG_DWORD
Value: 48000
We have case opened with 1st line Microsoft support, and they are suggesting the following:
1. Right click the value “MaxTokenSize”, and rename it to MaxTokenSizeValue
2. Right click the value MaxTokenSizeValue, and choose Modify
3. Please choose Decimal, and type the value as 144000
I cannot find any references regarding MaxTokenSizeValue in the internet :-(
Does anybody have experience with whether “MaxTokenSize” is the correct value name?
I can provide MS case ID if necessary.
Thanks!
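The value name the KB linked in the post documents is MaxTokenSize under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters. Before changing it, it helps to know how large a given user's token actually is; KB 327825 gives the estimate TokenSize = 1200 + 40d + 8s, where d counts domain local groups, universal groups from other domains and SIDHistory entries, and s counts global groups and universal groups in the user's own domain. The following added example (not from the post) reads the value that is currently set and computes that estimate; it assumes the ActiveDirectory module and a placeholder user name.

```powershell
# Added example (not from the post): read the documented MaxTokenSize value and estimate a
# user's token with the KB 327825 formula TokenSize = 1200 + 40*d + 8*s.
# Assumptions: ActiveDirectory module; 'jdoe' is a placeholder.
Import-Module ActiveDirectory

function Get-MaxTokenSize {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $key  = 'SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $k    = $base.OpenSubKey($key)
    $v    = if ($k) { $k.GetValue('MaxTokenSize') } else { $null }
    # Absent value means the OS default applies: 12000 before Windows 8/2012, 48000 from 2012 on.
    New-Object PSObject -Property @{ Computer = $ComputerName; MaxTokenSize = $v }
}

function Get-EstimatedTokenSize {
    param([string]$SamAccountName)
    $accountDomainSid = (Get-ADDomain).DomainSID.Value
    # tokenGroups is the server-computed, fully nested list of group SIDs for the account.
    $u = Get-ADUser -Identity $SamAccountName -Properties tokenGroups, sIDHistory
    $d = @($u.sIDHistory).Count
    $s = 0
    foreach ($sid in $u.tokenGroups) {
        $inAccountDomain = ($sid.AccountDomainSid -ne $null -and $sid.AccountDomainSid.Value -eq $accountDomainSid)
        $scope = $null
        if ($inAccountDomain) { try { $scope = (Get-ADGroup -Identity $sid.Value).GroupScope } catch { } }
        if ($inAccountDomain -and $scope -ne 'DomainLocal') { $s++ }  # global/universal, own domain
        else { $d++ }   # domain local, BUILTIN, or a group from another domain
    }
    New-Object PSObject -Property @{
        SamAccountName = $SamAccountName
        d              = $d
        s              = $s
        EstimatedBytes = 1200 + 40 * $d + 8 * $s
    }
}

$max = Get-MaxTokenSize
$est = Get-EstimatedTokenSize -SamAccountName 'jdoe'
$max | Format-List
$est | Format-List
if ($max.MaxTokenSize -and $est.EstimatedBytes -gt $max.MaxTokenSize) {
    Write-Warning ('Estimated token ({0} bytes) exceeds MaxTokenSize ({1})' -f $est.EstimatedBytes, $max.MaxTokenSize)
}
```

The estimate is a lower bound (well-known SIDs and claims are not counted), so treat anything within a few thousand bytes of the limit as a problem. Raising the limit only moves the ceiling; removing stale group memberships and SIDHistory is what actually shrinks the token, and very large values also have to fit in the HTTP headers IIS and proxies accept for Kerberos over HTTP.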
One single user needs admin rights for all clients in domain
Is there anyway that I can give a single domain user administrator rights to the clients in our domain, but not the server? I got a superuser who could help his department with a lot of stuff and I'd trust him administrator-rights for their laptops, but I don't want him to have the possibilities to do anything else, like accessing the servers. It would however be nice if he could install software, printers and so on. It would also be nice if he could take clients in and out of the domain as well. Is this possible in any way?
Using Server 2012 and all laptops uses Windows 7 Pro 64-bit.
- Greetings from the Valleys of Norway
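The usual way to do this is a domain group that is made a member of the local Administrators group on the laptops only, delivered by a GPO (Restricted Groups or Group Policy Preferences Local Users and Groups) linked to the OU that holds the laptops, plus a delegation on that OU so the same group can create and delete computer objects there. The following added example (not from the post) builds the group, pushes the local membership to every computer in a laptop OU so it can be verified immediately, delegates the join rights with dsacls, and checks that no server picked up the group; it assumes the ActiveDirectory module on Server 2012 and placeholder OU, group and user names.

```powershell
# Added example (not from the post). Assumptions: ActiveDirectory module on 2012; laptops live in
# an OU of their own and servers in a separate OU (both placeholders); group/user names are placeholders.
Import-Module ActiveDirectory

$WorkstationOu = 'OU=Laptops,DC=corp,DC=example'   # assumed: holds only client machines
$ServerOu      = 'OU=Servers,DC=corp,DC=example'   # assumed: must not sit under $WorkstationOu
$AdminGroup    = 'Laptop-LocalAdmins'
$SuperUser     = 'superuser'
$Domain        = (Get-ADDomain).NetBIOSName
$GroupAccount  = "$Domain\$AdminGroup"

# 1. A dedicated domain group, so the rights can be revoked later by removing one membership.
if (-not (Get-ADGroup -Filter { Name -eq $AdminGroup })) {
    New-ADGroup -Name $AdminGroup -GroupScope Global -Path $WorkstationOu `
        -Description 'Members are local Administrators on laptops only'
}
Add-ADGroupMember -Identity $AdminGroup -Members $SuperUser

# 2. Local Administrators on every computer in the laptop OU and nowhere else. A GPO linked to
#    $WorkstationOu is the durable mechanism; this pushes the same membership now for verification.
$laptops = Get-ADComputer -Filter * -SearchBase $WorkstationOu
Invoke-Command -ComputerName $laptops.DNSHostName -ErrorAction Continue -ArgumentList $GroupAccount -ScriptBlock {
    param($grp)
    & net localgroup Administrators $grp /add 2>$null
    "$env:COMPUTERNAME : " + ((& net localgroup Administrators | Select-String -SimpleMatch $grp) -ne $null)
}

# 3. Join/unjoin rights: create and delete computer objects in the laptop OU only, plus the
#    standard per-object rights a domain join writes (password, account restrictions, DNS name, SPN).
& dsacls $WorkstationOu /I:T /G "${GroupAccount}:CCDC;computer"
& dsacls $WorkstationOu /I:S /G "${GroupAccount}:CA;Reset Password;computer" `
                              "${GroupAccount}:WP;Account Restrictions;computer" `
                              "${GroupAccount}:WS;Validated write to DNS host name;computer" `
                              "${GroupAccount}:WS;Validated write to service principal name;computer"

# 4. Verify the group has not leaked onto servers (expected: no output).
$servers = Get-ADComputer -Filter * -SearchBase $ServerOu
Invoke-Command -ComputerName $servers.DNSHostName -ErrorAction Continue -ArgumentList $GroupAccount -ScriptBlock {
    param($grp)
    & net localgroup Administrators | Select-String -SimpleMatch $grp | ForEach-Object { "$env:COMPUTERNAME has $grp" }
}
```

Because the group is only ever added to the laptops' local Administrators and only has rights on the laptop OU, the user can install software and printers and join machines without any server-side privilege; a "Deny log on locally / through Remote Desktop" entry for the group in the server GPO closes the remaining gap if the server and laptop OUs are ever reorganised.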
How To Move a User To a Different OU in Active Directory 2008 r2
Hello,
We are trying to automate the process of disabling a user in Active Directory. One part of this process is moving the user from whatever OU it is currently in to another OU called 'Accounts Disabled'. First we tried to do this over the LDAP protocol using a program my colleague uses called ADTOOL, but received the following errors:
Error in ldap_rename_s for ad_move_user: Other (e.g., implementation specific) error
I then tried to do this over the LDAP protocol via ldapmodrdn and ldapmodify commands in a linux environment. Here's that error:
ldap_rename: Naming violation (64)
additional info: 00000057: LdapErr: DSID-0C090A8E, comment: Error in attribute conversion operation, data 0, v1db1
Then I tried using a utility we use to browse the directory from our desktops called LDAPAdmin to move the user. Here's the error from that:
LDAP error! Unwilling To Perform: 0000209A: SvcErr: DSID-031A0FBB, problem 5003 (WILL_NOT_PERFORM), data 0
Here's some things that we tried that didn't have an effect:
- We made sure that the prevent accidental deletion from active directory option was not checked for the users (we also tried the OU briefly before re-checking it)
- We made sure that the user performing the action had read/write permissions on user objects and groups
- The problem still occurs when using an account with domain admin permissions
We also tried running a Move-ADObject command from PowerShell. And there, it actually worked. The only caveat being that we ran PowerShell 'as administrator'. This proved that the previous errors had nothing to do with the name of the user or OU. For us though, this is not a solution. We need a way to be able to do this over the LDAP protocol.
Anyone run into this before or have any suggestions on other things to try? Let me know if there is more info that is needed.
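An OU move over LDAP is a ModifyDN request with newrdn set to the object's existing RDN and newSuperior set to the destination OU; Move-ADObject sends exactly that. Two things AD is strict about in that request are that newrdn must be the full "CN=name" form (a bare name is a naming violation) and that deleteoldrdn must be 1 (AD does not support keeping the old RDN value). The following added example (not from the post) performs the same move with System.DirectoryServices so the request can be issued from any account that holds the delegated rights, and shows the equivalent LDIF; the server name and DNs are placeholders.

```powershell
# Added example (not from the post): move a user to another OU with a plain LDAP ModifyDN.
# Assumptions: server and DNs are placeholders; the caller has Delete on the source OU
# (or the object) and Create Child (user) on the destination OU.
$Server   = 'dc01.corp.example'
$UserDn   = 'CN=Jane Doe,OU=Staff,DC=corp,DC=example'
$TargetOu = 'OU=Accounts Disabled,DC=corp,DC=example'

function Move-LdapUser {
    param([string]$Server, [string]$UserDn, [string]$TargetOu)
    # Bind with the caller's own credentials; ADSI signs and seals the connection by default.
    $user   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$UserDn")
    $target = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$TargetOu")
    # MoveTo sends ModifyDN with newrdn = current RDN (CN=...) and newSuperior = $TargetOu.
    $user.MoveTo($target)
    $user.RefreshCache(@('distinguishedName'))
    $user.Properties['distinguishedName'].Value
}

# The same request as LDIF for ldapmodify on Linux. newrdn keeps the CN= prefix and
# deleteoldrdn is 1, the only value Active Directory accepts.
#   dn: CN=Jane Doe,OU=Staff,DC=corp,DC=example
#   changetype: modrdn
#   newrdn: CN=Jane Doe
#   deleteoldrdn: 1
#   newsuperior: OU=Accounts Disabled,DC=corp,DC=example

Move-LdapUser -Server $Server -UserDn $UserDn -TargetOu $TargetOu
```

Run it once as the delegated service account rather than a domain admin: if the move succeeds from PowerShell but the same ModifyDN fails from the other tools, compare the exact newrdn/newsuperior they send (an LDAP trace on the DC or a client-side packet capture shows it) against the LDIF above.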
w32tm /query /status Access is denied. (0x80070005) from elevated prompt
I am in the process of decommissioning the 2008 DC, so I have moved all FSMO roles to another DC. The old DC is getting time from the newly promoted PDC, as are the domain clients, it seems.
I have gone through this below more times than I should have needed, the info is clear and it seems to work. however I still get an error from an elevated cmd prompt.
C:\Windows\System32>w32tm /query /status
or
C:\Windows\System32>w32tm /query /configuration
The following error occurred: Access is denied. (0x80070005)
pushd %SystemRoot%\system32
.\net stop w32time
.\w32tm /unregister
.\w32tm /register
.\sc config w32time type= own
.\net start w32time
.\w32tm /config /update /manualpeerlist:"0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org",0x8 /syncfromflags:MANUAL /reliable:yes
.\w32tm /resync
popd
Why am I not able to run a query on the PDC with an elevated cmd prompt and I do have domain rights in all the right areas! I have never had this problem before.
Thanks, Charlie
AD User Attributes
Two questions
1. What are User attributes in the context of Active Directory?
2. How does Active Directory differ from NT 4.0 in terms of User attributes?
How to deal with replication when we replace a 2k3 DC in a remote AD site with a 2K8R2 RODC.
At one AD (remote) site is a Windows 2003 domain controller. We want to place a Windows 2008R2 RODC in that site and later demote the Windows 2003 DC. All other domain controllers in our domain/forest will be Windows 2008 R2 before we will replace this one.
Because a Windows 2008 R2 RODC can't replicate (the domain partition) with Windows 2003, the question is how to configure replication when we place the RODC in the same AD site as the last Windows 2003 DC. There are no other DCs in that site.
We would rather not create a new site in that location because of our complex environment.
Regards,
Jeroen Bleeker
domain admin account constantly locked out
My domain admin account is constantly getting locked out. I am seeing numerous 4771 IDs on the DC that shows the most lockouts. Any idea?
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 9/5/2013 10:35:47 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: domain\machine$
Account Name: machine$
Service Information:
Service Name: krbtgt/domain.COM
Network Information:
Client Address: ::ffff:10.190.1.6
Client Port: 51819
Additional Information:
Ticket Options: 0x40000000
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4771</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2013-09-05T17:35:47.449854500Z" />
<EventRecordID>4950613833</EventRecordID>
<Correlation />
<Execution ProcessID="604" ThreadID="9732" />
<Channel>Security</Channel>
<Computer>DC.domain.com</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">machine$</Data>
<Data Name="TargetSid">S-1-5-21-1702431690-1831029836-1105138716-117926</Data>
<Data Name="ServiceName">krbtgt/domain.COM</Data>
<Data Name="TicketOptions">0x40000000</Data>
<Data Name="Status">0x18</Data>
<Data Name="PreAuthType">2</Data>
<Data Name="IpAddress">::ffff:10.190.1.6</Data>
<Data Name="IpPort">51819</Data>
<Data Name="CertIssuerName">
</Data>
<Data Name="CertSerialNumber">
</Data>
<Data Name="CertThumbprint">
</Data>
</EventData>
</Event>
User Creation Event Logs
Hi,
I have a DC and an ADC. On the ADC my client's user account has access to create/delete user accounts. My doubt is how I find out whether he alone created that user account or not.
How do I check whether a particular user created or deleted any user accounts?
Thanks in advance
Regards, Hari Prasad.D
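Both this question and the locked-out domain admin two posts up are answered by the same Security log events, read with the same XML layout the 4771 event above shows: 4771 (Kerberos pre-authentication failed) and 4740 (account locked out) give the client address or caller computer behind each failure, and 4720/4726 (user account created/deleted) record the subject who did it. The following is an added example, not code from either post; it assumes Kerberos Authentication Service and User Account Management auditing are enabled on the DC, and the account and DC names are placeholders.

```powershell
# Added example (not from either post): summarise lockout sources for one account, and list
# who created or deleted user accounts. Assumptions: auditing enabled; names are placeholders.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flatten <EventData><Data Name="..."> pairs (the layout in the 4771 XML above) into properties.
    $xml = [xml]$Event.ToXml()
    $h = @{ TimeCreated = $Event.TimeCreated; Id = $Event.Id; Computer = $Event.MachineName }
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    New-Object PSObject -Property $h
}

function Get-LockoutSources {
    param([string]$Account, [string]$DC = $env:COMPUTERNAME, [int]$Hours = 24)
    $start = (Get-Date).AddHours(-$Hours)
    # 4771 Status 0x18 = wrong password at pre-auth; 4740 = the lockout itself.
    # Filtering on TargetUserName separates the admin's failures from a computer account's
    # (a 4771 with TargetUserName "machine$" is the machine, not the admin).
    Get-WinEvent -ComputerName $DC -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4740; StartTime = $start } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-EventFields $_ } |
        Where-Object { $_.TargetUserName -eq $Account } |
        ForEach-Object {
            # 4740 carries the caller computer name in the TargetDomainName field; 4771 carries an IP.
            $src = if ($_.Id -eq 4740) { $_.TargetDomainName } else { $_.IpAddress -replace '^::ffff:', '' }
            New-Object PSObject -Property @{ Event = $_.Id; Status = $_.Status; Source = $src }
        } |
        Group-Object Event, Status, Source | Sort-Object Count -Descending | Select-Object Count, Name
}

function Get-UserAccountChanges {
    param([string]$ByUser, [string]$DC = $env:COMPUTERNAME, [int]$Days = 7)
    $start = (Get-Date).AddDays(-$Days)
    # 4720 = user created, 4726 = user deleted. SubjectUserName is who did it, TargetUserName the account.
    Get-WinEvent -ComputerName $DC -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4726; StartTime = $start } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-EventFields $_ } |
        Where-Object { -not $ByUser -or $_.SubjectUserName -eq $ByUser } |
        Select-Object TimeCreated,
            @{ n = 'Action';  e = { if ($_.Id -eq 4720) { 'Created' } else { 'Deleted' } } },
            @{ n = 'By';      e = { "$($_.SubjectDomainName)\$($_.SubjectUserName)" } },
            @{ n = 'Account'; e = { $_.TargetUserName } },
            Computer
}

Get-LockoutSources -Account 'adminuser' -DC 'DC.domain.com'
Get-UserAccountChanges -ByUser 'hrclerk' -DC 'DC.domain.com'
```

Events are written on whichever DC handled the request, so run both functions against every DC (or loop over Get-ADDomainController) rather than only the one with the most lockouts; 4740 is additionally always written on the PDC emulator, which makes it the best single place to start for the lockout question.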