Channel: Directory Services forum

Directory Synchronization tool not initiating Bind Request


In our environment, we have 5 domains as follows

a.abc.com

1.a.abc.com

2.a.abc.com

3.a.abc.com

b.abc.com (Forest root domain)

All DCs are Windows Server 2008 R2.

We have installed the Directory Synchronization tool for FOPE on a Windows Server 2008 R2 machine. There is a firewall between the machine on which DST is installed and the DCs, which are in the 3.a.abc.com domain. LDAP port 389 is opened from the machine on which DST is installed.

When I initiate a DST sync, the DST fails when connecting to the DCs in the 3.a.abc.com domain.

I ran Netmon on the client machine on which DST is installed and found that DST is able to send and receive "Search Request" and "Search Response" packets, but it does not initiate a BIND REQUEST to the DCs in the 3.a.abc.com domain.

I also checked: when I open dsa.msc and try to change the domain to 3.a.abc.com, it throws the following error

"The domain 3.a.abc.com could not be found because: A local error has occurred."

Any help would be appreciated.

Thanks


User Password Change via LDAP Commands


Once a user's password has expired, or if they are set to force a password change on next logon, what's the appropriate way via LDAP to change their password?

I know that I can bind and replace unicodePwd using an account with elevated credentials, but it seems that when you do, it bypasses the password policy. Does that sound correct?
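
The two LDAP paths the question contrasts, as an added example that is not part of the original post: the user-style password change (Delete the old value and Add the new one in a single modify, which the DC validates against the full password policy) beside the administrative reset (a single Replace, which needs the Reset Password right and skips the password-history and minimum-age checks; length and complexity are still enforced). The change path is the one to use for an expired or must-change-at-next-logon account, since such an account cannot bind itself; the old password supplied in the Delete proves possession, and the Change Password control access right is granted to Everyone on user objects by default, so the bound identity does not need elevated rights. Both require an encrypted session, here LDAPS on 636. Server name, DN, credentials and passwords are placeholders.

```powershell
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ns = 'System.DirectoryServices.Protocols'

# AD accepts unicodePwd only as the password wrapped in double quotes, encoded UTF-16LE.
function ConvertTo-UnicodePwd {
    param([Parameter(Mandatory)][string]$Password)
    [System.Text.Encoding]::Unicode.GetBytes('"' + $Password + '"')
}

# LDAPS bind on 636. Writes to unicodePwd over a clear LDAP session are refused by the DC.
function Connect-Ldaps {
    param([Parameter(Mandatory)][string]$Server,          # placeholder, e.g. dc01.corp.example
          [Parameter(Mandatory)][pscredential]$Credential)
    $id   = New-Object "$ns.LdapDirectoryIdentifier" -ArgumentList $Server, 636
    $conn = New-Object "$ns.LdapConnection" -ArgumentList $id, $Credential.GetNetworkCredential(),
                ([System.DirectoryServices.Protocols.AuthType]::Negotiate)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.Bind()
    $conn
}

function New-PwdModification {
    param([System.DirectoryServices.Protocols.DirectoryAttributeOperation]$Operation, [string]$Password)
    $m = New-Object "$ns.DirectoryAttributeModification"
    $m.Name      = 'unicodePwd'
    $m.Operation = $Operation
    [void]$m.Add((ConvertTo-UnicodePwd $Password))
    $m
}

# Password CHANGE: Delete(old) + Add(new) in one ModifyRequest. The DC checks history,
# minimum age, length and complexity. Works for an expired password and needs only the
# Change Password right, which user objects grant to Everyone by default.
function Set-LdapPasswordChange {
    param([Parameter(Mandatory)]$Connection, [Parameter(Mandatory)][string]$UserDn,
          [Parameter(Mandatory)][string]$OldPassword, [Parameter(Mandatory)][string]$NewPassword)
    $mods = [System.DirectoryServices.Protocols.DirectoryAttributeModification[]]@(
        (New-PwdModification -Operation Delete -Password $OldPassword),
        (New-PwdModification -Operation Add    -Password $NewPassword))
    $req = New-Object "$ns.ModifyRequest" -ArgumentList $UserDn, $mods
    $Connection.SendRequest($req)
}

# Administrative RESET: a single Replace. Needs the Reset Password right on the object and
# bypasses password history and minimum age (length/complexity still apply).
function Set-LdapPasswordReset {
    param([Parameter(Mandatory)]$Connection, [Parameter(Mandatory)][string]$UserDn,
          [Parameter(Mandatory)][string]$NewPassword)
    $mods = [System.DirectoryServices.Protocols.DirectoryAttributeModification[]]@(
        (New-PwdModification -Operation Replace -Password $NewPassword))
    $req = New-Object "$ns.ModifyRequest" -ArgumentList $UserDn, $mods
    $Connection.SendRequest($req)
}

# Usage (all names are placeholders):
# $cred = Get-Credential                       # any domain account for a change; an admin/helpdesk account for a reset
# $c = Connect-Ldaps -Server 'dc01.corp.example' -Credential $cred
# try {
#     Set-LdapPasswordChange -Connection $c -UserDn 'CN=Jane Doe,OU=Staff,DC=corp,DC=example' `
#                            -OldPassword 'Old-P@ss1' -NewPassword 'New-P@ss2'
# } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
#     # ResultCode is generic (ConstraintViolation / UnwillingToPerform); the Win32 code at the
#     # start of ErrorMessage says why, e.g. 0000052D (ERROR_PASSWORD_RESTRICTION) for a policy violation.
#     "$($_.Exception.Response.ResultCode): $($_.Exception.Response.ErrorMessage)"
# } finally { $c.Dispose() }
```

The DC distinguishes the two cases purely by the shape of the modify operation, not by who is bound: a Replace from a non-privileged account simply fails for lack of the Reset Password right, and a Delete/Add from an administrator is still checked against history and minimum age.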

Domain Joining PC using RODC


Hi to all

I have problem with RODC and Perimeter Network.

Here is my situation

I've got a network, 192.168.1.0/24, that has two (2) writable domain controllers based on Windows 2008 R2.

I created a second routable network, 172.16.0.0/24, that has one read-only domain controller.

Between the networks there is a firewall configured only for DNS TCP/UDP traffic and UDP 500 (IKE). I created an IPsec tunnel between the WRDC and the RODC using Windows Firewall with Advanced Security.

All of the domains and servers in both networks are working fine (replication, SMB, network time, DNS etc.).

After that I wanted to create another perimeter network with only one server that will be connected to my corporate domain. So again, with Windows Firewall and UDP IPsec tunneling, I created a connection from my third network to my RODC. The third network is routable and its address space is 10.10.10.0/24.

Again: I can ping the RODC from the third network, and using offline domain join I added a Windows 2008 R2 server to the corporate domain (the pre-created account is replicated to the RODC).

When the server is rebooted it gets stuck at "Applying Computer Settings" forever. If I disconnect the LAN cable of the server at that stage, then it goes through.

After providing the username and password it again gets stuck at "Applying User Settings". After disconnecting the cable it goes ahead.

After logging into the server and connecting the LAN cable, I have checked nslookup and DNS name resolution. Everything is working fine. Only while starting and logging on does it get stuck.

I have checked and found that there are certain errors in the EventViewer like

Error 1: Name resolution for the name domain.com timed out.

Error 2: Group Policy Application failed.

I've created AD Site Links and Subnets to point RODC but again nothing is working. I have also created below entry in Registry of the server.

Navigate to: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters

String value: SiteName, set to the site name of the RODC server.

Any ideas ?

Adding Second Domain to Single Domain Forest


I have been asked to add another domain to our Forest (we are currently single-forest). Here are some of the requirements below:

1. Cannot be a child domain - They want it to have its own domain namespace so they can register it under the completely separate name (such as primary domain = a.org and the 2nd domain = b.org).

2. There can only be a one-way trust so first domain (let's stay with a.org) a.org trusts b.org so admins of a.org can manage b.org but b.org does not trust a.org so no administration can happen in reverse.

3. Enterprise admins of a.org need to be able to manage DNS and a.org should be able to resolve DNS of b.org but not b.org of a.org

4. Each remote location must have a local DC for a.org and b.org (NOT RODC) for local authentication. We already have DC's for a.org (our primary domain). We assume the best route would be to add another virtual DC as we have been doing as we have Hyper-V servers at each location.

There may be a few other concerns, but those are the main requirements so far. I've been hearing that leaving everything under a single domain is what is becoming the recommendation these days, but it has been made clear that this domain must be separate in name, functionality, and authentication. It is okay to leave it in the same forest as long as the trusts are correct; however, I am wondering if we will need a separate DC to hold the PDC role and other FSMO roles if we are to go this route. Any recommendations are welcome. I am just trying to get on the right path so I do it right the first time...! Thank you so much in advance for your time and I look forward to hearing responses! Please feel free to ask any questions.

NTDS ISAM 508 and 509


Hi All,

I have a single-domain forest with 3 DCs spread across 3 separate hypervisors (all DCs are hypervisors).

I am getting two errors, which I think are related. Error #1

NTDS ISAM 508 and 509

http://www.eventid.net/display-eventid-509-source-NTDS%20ISAM-eventno-7173-phase-1.htm

http://www.eventid.net/display-eventid-508-source-NTDS%20ISAM-eventno-4694-phase-1.htm

So each VM basically has one VHDX (or VMDK in the case of the vSphere environment). No RAID, no SAN/NAS devices, just JBOD.

The disks are running fine, no health errors there, so what's causing this?

Thanks

AD Account Management Audit and DS Access enabled security log doesn't log change in telephone attribute for a user.


Hello,

this is something I stumbled on and haven't been able to find the solution so far.

Followed

http://technet.microsoft.com/en-us/library/cc731607%28WS.10%29.aspx

and many other similar threads which practically describe the same.

My setup is:

DC with default domain controller policy in which under Advanced Audit Policy Configuration>Account Management>Audit User Account Management is enabled for success events.

Also under Advanced Audit Policy Configuration>DS Access>Audit Directory Service Access and Audit Directory Service Changes are enabled for success.

I also set a SACL on the OU where the user account I want to monitor resides, for Everyone, giving "Write all properties" to this and all descendant objects.

Then I went ahead and changed the telephone number or office attribute; the Security log did not log any event related to this. If I make another change, like changing the UPN suffix or adding a description, that gets logged.

This is baffling me, as I think the setup is correct and the link above specifically says

"For example, if there is no ACE in a SACL requiring Write Property access on the telephone number attribute of a user object to be audited, no auditing events are generated when the telephone number attribute is modified"

I've set the ACE, so the telephone number change should be logged.

I should also add that I tried with Local Policy>Audit Policy>Audit Account Management and Audit Directory Service Access instead of Advanced Audit Policy Configuration, using auditpol to enable the necessary subcategories, but that didn't make a difference. I also tried setting the SACL for different groups in advanced security, like Domain Users and Authenticated Users, to no avail.

Any help going in the right direction would be greatly appreciated.
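
Three checks a practitioner would run on this setup, as an added example that is not part of the original post: dump the audit ACEs actually present on the OU, confirm that the attribute is not excluded from value auditing by the NEVER_AUDIT_VALUE bit (0x100) in its schema searchFlags, and pull the 5136 Directory Service Changes events for that one attribute from a DC's Security log. The OU DN and DC name are placeholders.

```powershell
Import-Module ActiveDirectory

# Audit ACEs on the OU. A usable entry shows WriteProperty (or GenericWrite/GenericAll) in
# ActiveDirectoryRights, an ObjectType of all zeros (all properties) or the attribute's
# schemaIDGUID, and an InheritanceType that reaches the user objects below the OU.
function Get-OuAuditRules {
    param([Parameter(Mandatory)][string]$OuDn)      # placeholder, e.g. OU=Staff,DC=corp,DC=example
    (Get-Acl -Path "AD:\$OuDn" -Audit).Audit |
        Where-Object { $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll' } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, AuditFlags
}

# searchFlags bit 0x100 (NEVER_AUDIT_VALUE) suppresses 5136 events for the attribute's values
# no matter what the SACL says. Returns $true when the attribute can be value-audited.
function Test-AttributeValueAuditable {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schema = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schema -Properties searchFlags `
                -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $attr) { throw "attribute '$LdapDisplayName' not found in the schema" }
    return (($attr.searchFlags -band 0x100) -eq 0)
}

# 5136 events for one attribute within the last $Hours, read from one DC's Security log.
function Get-AttributeChangeEvents {
    param([Parameter(Mandatory)][string]$DomainController,   # placeholder, e.g. dc01
          [Parameter(Mandatory)][string]$LdapDisplayName,
          [int]$Hours = 24)
    $ms = $Hours * 3600000
    $xpath = "*[System[EventID=5136 and TimeCreated[timediff(@SystemTime) <= $ms]]] " +
             "and *[EventData[Data[@Name='AttributeLDAPDisplayName']='$LdapDisplayName']]"
    Get-WinEvent -ComputerName $DomainController -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # OperationType is a resource-string id: %%14674 = Value Added, %%14675 = Value Deleted
            $op = switch ($d['OperationType']) { '%%14674' { 'ValueAdded' } '%%14675' { 'ValueDeleted' } default { $_ } }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Subject   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object    = $d['ObjectDN']
                Attribute = $d['AttributeLDAPDisplayName']
                Operation = $op
                Value     = $d['AttributeValue']
            }
        }
}

# Usage (placeholders):
# Get-OuAuditRules -OuDn 'OU=Staff,DC=corp,DC=example' | Format-Table -AutoSize
# Test-AttributeValueAuditable -LdapDisplayName 'telephoneNumber'
# Get-AttributeChangeEvents -DomainController 'dc01' -LdapDisplayName 'telephoneNumber' -Hours 48
```

Run the event query against the DC that actually serviced the modification (the one ADUC was connected to), since 5136 is logged only there and the Security log is not replicated.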


Machine Authentication Script


Dear all,

We are using Cisco ISE to authenticate users on the network against Active Directory.

With this solution, ISE requires machine authentication and user authentication against Active Directory.

The issue is that when we unplug the network from a station, it needs to be restarted in order to perform the machine authentication again.

Is there a way or a script to run manually in order to force the machine authentication without restarting the station?


Active Directory Migration 2012 to 2012 due to Normal to RAID


Please provide me complete details for migrating Server 2012 AD to another server with different hardware and RAID on Server 2012.

thanks in advance.


Bridgehead Server Selection in 2008 R2


Hello

I am looking for a quick answer to the question on load balancing the Bridgehead role on DCs running 2008 R2 or greater.

In the scenario where you have 2 sites with 3 DCs in each site running 2008 R2, do I have to select all 3 DCs per site as preferred bridgehead servers for load balancing to work, or does the ISTG automatically enable load balancing with no user intervention?

I would like to ensure all 3 DCs are acting as load balanced bridgehead servers.

Thanks 

Change file security level for parent folder, without inheriting downwards


Do I have to manually remove "inherit from parent" on all files to avoid files and folders changing permissions when changing the parent?

The problem is that the parent folder has Everyone set to allow edit and write, which is inherited by all subfolders and files, but we need to change this to prevent users from accidentally moving folders around.

/regards A 
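
One way to do this without touching every file by hand, as an added example that is not part of the original post: first break inheritance on each immediate child of the parent while copying the inherited ACEs into explicit ones (the same thing `icacls <child> /inheritance:d` does), so the children keep exactly the permissions they have today; then replace the inheritable Everyone entry on the parent with a this-folder-only entry. Paths and the Everyone/Modify assumption are placeholders; run it elevated so Set-Acl can write back ACLs on objects you do not own.

```powershell
# Stop inheritance on the immediate children of $Parent, keeping their current effective
# ACEs as explicit entries, so a later change to $Parent no longer flows down into them.
function Protect-ChildAcl {
    param([Parameter(Mandatory)][string]$Parent, [switch]$WhatIf)
    foreach ($child in Get-ChildItem -LiteralPath $Parent -Force) {
        $acl = Get-Acl -LiteralPath $child.FullName
        if ($acl.AreAccessRulesProtected) { continue }          # already explicit, nothing to do
        # $true,$true = protect from inheritance AND copy the inherited ACEs as explicit ones
        $acl.SetAccessRuleProtection($true, $true)
        if ($WhatIf) { "would protect: $($child.FullName)"; continue }
        Set-Acl -LiteralPath $child.FullName -AclObject $acl
        $child.FullName
    }
}

# Replace $Identity's explicit (inheritable) entries on $Parent with one this-folder-only
# ACE: InheritanceFlags None and PropagationFlags None, so nothing below is affected.
function Set-ParentOnlyRule {
    param([Parameter(Mandatory)][string]$Parent,
          [string]$Identity = 'Everyone',
          [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadAndExecute')
    $acl = Get-Acl -LiteralPath $Parent
    $old = @($acl.Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity })
    foreach ($rule in $old) { [void]$acl.RemoveAccessRule($rule) }
    $new = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, 'None', 'None', 'Allow'
    $acl.AddAccessRule($new)
    Set-Acl -LiteralPath $Parent -AclObject $acl
    (Get-Acl -LiteralPath $Parent).Access | Where-Object { $_.IdentityReference.Value -eq $Identity }
}

# Usage, in this order (paths are placeholders). Protect the children FIRST: if the Everyone
# entry is removed from the parent while the children still inherit, it disappears from all of them.
# Protect-ChildAcl -Parent 'D:\Shares\Projects' -WhatIf
# Protect-ChildAcl -Parent 'D:\Shares\Projects'
# Set-ParentOnlyRule -Parent 'D:\Shares\Projects' -Identity 'Everyone' -Rights ReadAndExecute
```

Users then still have Modify inside each project folder but only ReadAndExecute on the parent itself, which is what blocks moving or renaming the top-level folders; anything created later directly under the parent inherits only the new this-folder-only entry's absence, so review the parent's remaining ACEs for whatever new folders should receive.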

AD Recycle Bin not listing the deleted object


Hi Team,

The Active Directory (Windows 2008 R2) Recycle Bin is not able to find deleted objects more than 60 days old. The current tombstone lifetime setting is 180 days. Please let me know what action needs to be taken to display the last 180 days of user accounts.
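
How long an object stays restorable is governed by msDS-DeletedObjectLifetime, not by tombstoneLifetime directly: when msDS-DeletedObjectLifetime is unset it takes the tombstoneLifetime value, and an unset tombstoneLifetime means 60 days. Added example, not part of the original post, that reads both values from the Directory Service object, lists deleted users that are still restorable with the days they have left, and sets the deleted-object lifetime explicitly:

```powershell
Import-Module ActiveDirectory

# Effective lifetimes as the DC computes them. Both live on the Directory Service object.
function Get-RecycleBinLifetimes {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    $tsl = if ($null -ne $ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }   # unset => 60 days
    $dol = if ($null -ne $ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tsl }
    [pscustomobject]@{
        TombstoneLifetimeDays      = $tsl
        DeletedObjectLifetimeDays  = $dol
        DeletedObjectLifetimeIsSet = ($null -ne $ds.'msDS-DeletedObjectLifetime')
    }
}

# Deleted users that are still in the Recycle Bin (isDeleted but not yet isRecycled), with days left.
# whenChanged on a deleted object is the deletion time; isRecycled objects have lost their attributes.
function Get-RecoverableUsers {
    param([int]$LifetimeDays = (Get-RecycleBinLifetimes).DeletedObjectLifetimeDays)
    Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user" -and isRecycled -ne $true' `
                 -IncludeDeletedObjects -Properties whenChanged, lastKnownParent |
        ForEach-Object {
            [pscustomobject]@{
                Name            = $_.Name
                DeletedOn       = $_.whenChanged
                LastKnownParent = $_.lastKnownParent
                DaysLeft        = [math]::Round($LifetimeDays - ((Get-Date) - $_.whenChanged).TotalDays, 1)
            }
        } | Sort-Object DaysLeft
}

# Set msDS-DeletedObjectLifetime explicitly (here to match a 180-day tombstone lifetime).
# Objects that have already been recycled are stripped of their attributes and cannot be
# brought back with Restore-ADObject, whatever the new value is.
function Set-DeletedObjectLifetime {
    param([Parameter(Mandatory)][ValidateRange(2, 3650)][int]$Days)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                 -Replace @{ 'msDS-DeletedObjectLifetime' = $Days }
    Get-RecycleBinLifetimes
}

# Usage:
# Get-RecycleBinLifetimes
# Get-RecoverableUsers | Format-Table -AutoSize
# Set-DeletedObjectLifetime -Days 180
```

Run Get-RecycleBinLifetimes first: a forest that shows 180 for tombstoneLifetime but 60 for the effective deleted-object lifetime has msDS-DeletedObjectLifetime set explicitly to 60, which Set-DeletedObjectLifetime overrides.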

is it possible to add a new AD Server 2008 R2 with a different domain name to existing Server 2000 AD on same IP address


I have an existing Domain1.com that has 1 Server 2000 AD, 1 Server 2000 Act! apps server and 1 Server 2008 R2 member server (also file/APPS server). This domain needs to be decommissioned, and all users and ONLY the Server 2008 R2 APPS server need to move off this domain.

I would like to add a new Server 2008 R2(AD/DNS Role) as new Domain2.com on the same IP subnet and only move the Server 2008 R2 member server APPS server and the 10 users from the old server.

Questions:

1) Can 2 different and distinct domains live on the same IP subnet? No trust or communications should be required.

2) Since the Server 2008 R2 APPS member server does not have AD on it (its only roles are DNS/Application/File Server), can I just change the domain name in System Properties and point to the new AD Server 2008 R2 server when ready? Same with clients?

Can anyone help with this? I would really appreciate it.

Thanks!

 

Change built-in group from domain local to universal


I have changed the built-in security group such as "DHCP users" from domain local to universal.

Will it affect anything, or can we change it back to its original status?

Please advise.

Minimum Rights in Active Directory for users who are administrators of Exchange 2007/2013 and SharePoint systems


What are the minimum AD rights required for an Exchange administrator and a SharePoint administrator to do their roles without them having Domain/Enterprise Administrator rights to Active Directory?

Removing old exchange AD object


The old IT staff at my workplace improperly demoted domain controllers and an old Exchange server. We were able to cleanup the remnants of the old DCs and promote new ones, however parts of the old Exchange server still linger. What's odd is using the AD tool, all I see is our current DCs in the Domain Controllers unit. However, when I open ADSI edit I see an OU with the CN of our old mail server.

If I attempt to delete it, I receive an error message informing me that I do not have permission to delete this object. I have the permissions set to full control under that account, however I still cannot remove it.

I've also tried using the ntdsutil to perform a metadata cleanup, but I can't seem to locate that object.

Is there any way I can remove that object and any other of the old Exchange remnants?

Thanks in advance for any suggestions!


How to force the FQDN name to appear at logon screen (vs NetBIOS name)


By default the NetBIOS domain name appears in the domain drop-down box at login. We would prefer, for branding reasons, that the FQDN appear instead.

Question: Can you force the FQDN to display instead at the login screen?


David W King

Windows 2003 AD DC going to transfer roles to 2008 R2 - Revision, ObjectVersion Questions


I am a new Admin for the network at my company.

We have a single DC currently running Windows 2003 R2 SP2.

The prior admin appears to have been messing around with Server 2012:

CN=ForestUpdates, CN=ActiveDirectoryUpdate Revision integer 11
CN=Schema,CN=Configuration objectVersion integer 56

CN=DomainUpdates, CN=ActiveDirectoryUpdate Revision 9

There IS no CN=ForestUpdates, CN=ActivedirectoryRodcUpdate anywhere in the view in the console.

I need to know the following.

Am I able to use DCPromo to make the 2008 R2 machine a DC and then transfer all roles to it as things stand, or do I need to do more prep?

Thanks



Uncheck "User must change password at next logon"


Hey guys,

How can I disable "User must change password at next logon" on testAccount1, testAccount2 and testAccount3 in AD? Which attribute can I modify to disable this in ADSI Edit?

Here are the Distinguished Names I have from ADSI Edit.

CN=testAccount1,CN=Domain,CN=Employees,CN=Users,CN=Application,CN=Program Data,DC=Domain,DC=NET
CN=testAccount2,CN=Domain,CN=Employees,CN=Users,CN=Application,CN=Program Data,DC=Domain,DC=NET
CN=testAccount3,CN=Domain,CN=Employees,CN=Users,CN=Application,CN=Program Data,DC=Domain,DC=NET

Any help very much appreciated.

Thanks!
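
The attribute behind that checkbox is pwdLastSet: ADUC writes 0 to set "User must change password at next logon", and the only other value a DC accepts on write is -1, which it stores as the current time and thereby clears the flag without changing the password. Added example, not part of the original post, that clears the flag on the three accounts by DN and verifies the result (the DNs are the ones from the post; `Set-ADUser -ChangePasswordAtLogon $false` is the cmdlet-level equivalent of the -1 write):

```powershell
Import-Module ActiveDirectory

# Returns one object per account: whether pwdLastSet was 0, what it is now, and the
# time it decodes to. pwdLastSet is a FILETIME large integer, hence FromFileTimeUtc.
function Clear-MustChangePassword {
    param([Parameter(Mandatory)][string[]]$DistinguishedName, [switch]$WhatIf)
    foreach ($dn in $DistinguishedName) {
        $before = (Get-ADUser -Identity $dn -Properties pwdLastSet).pwdLastSet
        if ($before -ne 0) {
            [pscustomobject]@{ DN = $dn; FlagWasSet = $false; Changed = $false
                               PwdLastSet = [DateTime]::FromFileTimeUtc($before).ToString('u') }
            continue
        }
        if ($WhatIf) {
            [pscustomobject]@{ DN = $dn; FlagWasSet = $true; Changed = $false; PwdLastSet = 'would write -1' }
            continue
        }
        # -1 is the only accepted non-zero write; the DC replaces it with its current time.
        Set-ADUser -Identity $dn -Replace @{ pwdLastSet = -1 }
        $after = (Get-ADUser -Identity $dn -Properties pwdLastSet).pwdLastSet
        $when  = if ($after -ne 0) { [DateTime]::FromFileTimeUtc($after).ToString('u') } else { 'still 0' }
        [pscustomobject]@{ DN = $dn; FlagWasSet = $true; Changed = ($after -ne 0); PwdLastSet = $when }
    }
}

$accounts = @(
    'CN=testAccount1,CN=Domain,CN=Employees,CN=Users,CN=Application,CN=Program Data,DC=Domain,DC=NET',
    'CN=testAccount2,CN=Domain,CN=Employees,CN=Users,CN=Application,CN=Program Data,DC=Domain,DC=NET',
    'CN=testAccount3,CN=Domain,CN=Employees,CN=Users,CN=Application,CN=Program Data,DC=Domain,DC=NET'
)

# Dry run first, then the real write:
# Clear-MustChangePassword -DistinguishedName $accounts -WhatIf | Format-Table -AutoSize
# Clear-MustChangePassword -DistinguishedName $accounts | Format-Table -AutoSize
```

Because the -1 write records "now" as the last password-set time, the maximum-password-age clock restarts for these accounts; if the intent is to keep the original expiry, reset the password instead of clearing the flag.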

Forest Trust verifies but ADUC does not find other forest


We have two forests.

Each side has DNS stub zones configured for the other DNS zone.  
nslookup -type=srv _ldap._tcp.dc._msdcs.otherdomain returns the expected entries.

Two-way forest trust is created and verifies in both directions.

Running the following command on a server or workstation works: net localgroup Administrators otherDomain\userid /add

After running this command, the otherDomain\userid account can log onto the server.  This tells me "everything" about the forest trust is working.

There is a firewall between the two forests, but I'm told all TCP and UDP traffic is allowed among all the subnets involved in the two environments.

PROBLEM
Active Directory Users and Computers cannot find objects from the other forest. When adding otherDomain\userid to a group, the drop-down Locations list does not include the other forest, and typing otherDomain\userid returns a not-found error. This behaviour happens on both sides.

I suspect a DNS problem, but everything looks like it is configured properly.

Any troubleshooting guidance would be most appreciated.  I have done trusts in the past, and this is the first time I have seen this behaviour. Everything seems clean from nltest, netdom, domain.msc, etc.

Thank you very much.

Need to create a trust but same NetBIOS names


I have 2 domains over an IPsec tunnel, the FQDN names are:

DogWater.local

DOG.local

Both have the "Domain name (pre-Windows 2000)" NetBIOS name of "DOG". I would like to change the NetBIOS names to DOG-SM and DOG-RM so I can tell by name which is where, and for consistency.

Both are running Server 2008 R2. We are the same company and want to create a two-way transitive trust so DNS works across both, as well as user group folder permissions (which neither currently has set up). The DNS portion is the critical part, though, since users in one domain need to talk to database software on the other, and that software's tech support says it will only work via DNS; IP only won't work.

Anyway, I obviously have an issue since both NetBIOS names are the same :( Renaming the NetBIOS name of a domain seems risky, and creating a new domain and migrating is not an option.

What is the safest way I can do this and be sure it will work without a hitch?

Thanks!
