Channel: Directory Services forum

Two Factor Authentication methods and products


Hi

I have recently had a massive influx of password reset requests from users at the company I work at, and with around 2000 or more users it has become very tedious to manage the password resets all the time.

Our infrastructure consists of 1 core server running Server 2008 R2

87 separate DCs at different branches running Server 2003

6 other separate DCs running Server 2003 but on different domains

Our core server and the 87 other servers are on the same domain

Is there a way to get the "forgot password" option to link to the users' cellphones? For example, if a user clicks on "forgot password" at the Windows login screen, it then sends an SMS with the new password to their cellphone.



Windows Server 2012 R2 ADFS configuration for oAuth2.0


Hi,

I have installed Windows Server 2012 R2 and Active Directory Federation Services from Add Roles and Features. My Active Directory is also installed on this machine. I want to configure ADFS for OAuth so that I can implement Single Sign-On functionality in my product suite. Please help me to configure ADFS for OAuth.

Many Thanks

new 2012 R2 domain - xp clients cannot join or print


I just migrated a 2003 domain to 2012 R2. Things were working ok & then XP clients became AD stupid.

Steps I took:

Added a VM 2012 R2 DC to the domain.  Server had DNS installed.  Ran dcdiag & bpa and resolved any issues. 

About a week later I moved all roles over to the VM DC.

Tore down one of the NT2003 DCs (not VM) and rebuilt it as a 2012 R2 DC w/DNS. Ran dcdiag & bpa and resolved any issues. Had problems with DNS scavenging removing some static records. Re-added records & made sure the "Delete record when it becomes stale" was unchecked on all static records (all fwd & rev zones).

Moved all roles from the VM DC to the hardware DC.

After a week I tore down the 2nd (& last) nt2003 DC (not VM) and rebuilt it as a 2012 R2 DC w/DNS.  Ran dcdiag/bpa and fixed any issues.  Also ran it on the other DCs.

Removed the VM 2012 R2 DC from the domain (demote, remove features, remove from domain, power off, delete VM).

Everything seems to be working fine.  dcdiags look clean, event logs seem good.

Bump forest/domain to 2012 R2 native.

Then, a few days later,  it goes bad.  I (after hours) install all accumulated updates on both DCs.  Reboot both.

Next AM a user calls. Her thin client cannot connect to the terminal services server. DNS has deleted its DNS record, even though "delete when stale" was unchecked. :| So I re-add the static record and turn off scavenging. Problem solved.

Next call is from an XP user (we have XP, Win 7, and thin clients). She cannot print. Printers show "cannot connect". Try various things to no avail. Check Win 7 boxes and they're working fine & printers are connected. Note that the XP & Win7 boxes all pull their DHCP address from the same DHCP server/scope.

Review error logs and run dcdiag. There are several somewhat esoteric errors. After several hours of tail chasing I decide to take a more scorched earth tack. I demote the 2nd DC and remove AD & DNS from it. After demotion and role removal I check AD and it still shows the DC. I remove the now-just-a-server from the domain. Clean up DNS & AD removing all traces. This takes a while as I have to run various scripts (thank you google) to ensure AD is clean.

Run dcdiag and resolve issues.  Even a detailed dcdiag comes out clean.  Replication tests show the old server is now forgotten.

Check XP boxes and they still show printers as "cannot connect".

Remove an XP PC from the domain. Try to rejoin and I get an error. Rename it and still get the error. I can ping, nslookup, etc. and they return the correct IP.

I've tried the simple "change the join a domain" in system properties. That gives a somewhat nondescript error. The network identification wizard seemed to find the domain but didn't work. As it was trying to find the PC in AD, I went ahead and added it via the AD Users & Computers console. Run the wizard and it tells me it found the record in AD. It then says "a domain controller for the domain [ourdomain] could not be contacted." !? Yet on the prior screen it told me it had found the record for the PC on the DC.

nslookup for ourdomain.local as well as dcname.ourdomain.local resolve correctly. Tried changing the PC to static - no change. Rename the old Win 2012 R2 DC (now just a server outside the domain), reboot, and then try to rejoin the domain. Works flawlessly.

BTW - We're running tcpip w/o netbios over tcpip.

So basically my XP boxes cannot use AD printers and cannot join the domain.  IDK if they're picking up gp updates (I'll check in the AM), but I suspect they're not.

Short of buying a truckload of Win 7 licenses and reloading OSs, what can I do to fix this?

Details on the XP box error (fyi - I did a record to record comparison to a Win 2008 domain's SRV records and they look identical (except, of course, the domain & server names)):

The domain name [ourdomain] might be a NetBIOS domain name.  If this is the case, verify that the domain name is properly registered with WINS.

If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain [ourdomain]:

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.[ourdomain]

Common causes of this error include the following:

- The DNS SRV record is not registered in DNS.

- One or more of the following zones do not include delegation to its child zone:

[ourdomain]
. (the root zone)

For information about correcting this problem, click Help.

dcdiag /test:dns results

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = Domctl1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DOMCTL1
      Starting test: Connectivity
         ......................... DOMCTL1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DOMCTL1

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... DOMCTL1 passed test DNS

   Running partition tests on : DomainDnsZones

   Running partition tests on : ForestDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : [ourdomain]

   Running enterprise tests on : [ourdomain].local
      Starting test: DNS
         Test results for domain controllers:

            DC: Domctl1.[ourdomain].local
            Domain: [ourdomain].local


               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record dcdiag-test-record in zone [ourdomain].local

               Domctl1                      PASS PASS PASS PASS WARN PASS n/a
         ......................... [ourdomain].local passed test DNS



Add-KdsRootKey failing with "The process cannot access the file..."


Hello community,

Environment
Mixed with one (1) domain controller running Windows Server 2008 and one (1) domain controller running Windows Server 2012.

Steps to Produce the Problem
These steps produce the problem both on the Windows Server 2012 domain controller and on another Windows Server 2012 server configured for centralized management. I log in with my account, which is in the Domain Admins group, and I start the Active Directory Module for Windows PowerShell with administrative privileges. I execute the Import-Module Kds command; then I execute the Add-KdsRootKey -EffectiveImmediately command and get the following error:

Other thoughts
Based on my understanding of the elements at work here, I believe there is a file located on the domain controller itself that is being locked by some other service. If anyone could provide clues as to which file and/or service could be at fault, I'd appreciate it. Alternative theories are more than welcome.

Thanks in advance,
Michael

Cannot add 2012 server as domain controller to 2003 standard 32-bit SP2


Trying to add windows 2012 server as domain controller to 2003 servers.

Get the error message - A previous schema extension has defined some attribute value differently than the schema extension needed for this version of Windows Server

I have run the 'hotfix' schema extension from microsoft but it did not work.

Server with FSMO roles in windows 2003 standard SP2

If I try to run 2008 adprep 32-bit I get this error from adprep /forestprep

ADPREP WARNING:

Before running adprep, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.

[User Action]
If ALL your existing Windows 2000 Active Directory Domain Controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.

C

==============================================================================
OID "1.3.6.1.1.1.1.0" defined for object CN=MSSFU2x-uidNumber,CN=Schema,CN=Configuration,DC=domain,DC=com conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.0" and resolve this inconsistency.  Then run adprep again.

==============================================================================
OID "1.3.6.1.1.1.1.1" defined for object CN=MSSFU2x-gidNumber,CN=Schema,CN=Configuration,DC=domain,DC=com conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.1" and resolve this inconsistency.  Then run adprep again.

==============================================================================
OID "1.3.6.1.1.1.1.4" defined for object CN=MSSFU2x-loginShell,CN=Schema,CN=Configuration,DC=domain,DC=com conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.4" and resolve this inconsistency.  Then run adprep again.

==============================================================================
OID "1.3.6.1.1.1.1.5" defined for object CN=MSSFU2x-shadowLastChange,CN=Schema,CN=Configuration,DC=domain,DC=com conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.5" and resolve this inconsistency.  Then run adprep again.

==============================================================================
OID "1.3.6.1.1.1.1.10" defined for object CN=MSSFU2x-shadowExpire,CN=Schema,CN=Configuration,DC=domain,DC=com conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.10" and resolve this inconsistency.  Then run adprep again.

==============================================================================
OID "1.3.6.1.1.1.1.12" defined for object CN=MSSFU2x-memberUid,CN=Schema,CN=Configuration,DC=domain,DC=com conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.12" and resolve this inconsistency.  Then run adprep again.

Any ideas?
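Before contacting a vendor it helps to see exactly which schema objects already own the OIDs adprep lists, and how they are defined. The script below is an added example, not from the original post or from Microsoft: it reads the forest schema over ADSI (so it runs from any domain member, including against a 2003 forest, without the ActiveDirectory module) and prints the existing attribute for each conflicting OID. The OID list is taken from the adprep output above; everything else is read-only.

```powershell
# Added example: find the attributeSchema objects that already carry the OIDs
# adprep reported as conflicting (the MSSFU2x-* objects in the output above)
# and show how they are defined. Read-only; no schema-admin rights needed.
$conflictingOids = @(
    '1.3.6.1.1.1.1.0', '1.3.6.1.1.1.1.1', '1.3.6.1.1.1.1.4',
    '1.3.6.1.1.1.1.5', '1.3.6.1.1.1.1.10', '1.3.6.1.1.1.1.12'
)

# Schema naming context of the forest you are logged on to, e.g.
# CN=Schema,CN=Configuration,DC=domain,DC=com
$rootDse  = [adsi]'LDAP://RootDSE'
$schemaNc = [string]$rootDse.schemaNamingContext

# Attributes worth comparing against what adprep wants to create.
$props = 'cn', 'lDAPDisplayName', 'attributeID', 'attributeSyntax',
         'oMSyntax', 'isSingleValued', 'searchFlags'

# Safe accessor: ResultPropertyCollection keys are lower-case and a missing
# property must not throw.
function Get-Prop($properties, [string]$name) {
    $key = $name.ToLower()
    if ($properties.Contains($key) -and $properties[$key].Count -gt 0) {
        return [string]$properties[$key][0]
    }
    return $null
}

foreach ($oid in $conflictingOids) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://$schemaNc"
    $searcher.Filter = "(&(objectClass=attributeSchema)(attributeID=$oid))"
    $props | ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }

    $hits = $searcher.FindAll()
    if ($hits.Count -eq 0) {
        Write-Output "$oid : no attributeSchema object carries this OID"
        $hits.Dispose()
        continue
    }
    foreach ($hit in $hits) {
        $p = $hit.Properties
        [pscustomobject]@{
            OID             = $oid
            CN              = Get-Prop $p 'cn'
            LdapDisplayName = Get-Prop $p 'lDAPDisplayName'
            AttributeSyntax = Get-Prop $p 'attributeSyntax'   # e.g. 2.5.5.9 = integer
            OMSyntax        = Get-Prop $p 'oMSyntax'
            SingleValued    = Get-Prop $p 'isSingleValued'
            SearchFlags     = Get-Prop $p 'searchFlags'
        }
    }
    $hits.Dispose()
}
```

The lDAPDisplayName and syntax columns are what to compare with the RFC 2307 attributes Windows Server 2008 R2 expects (uidNumber, gidNumber, loginShell, and so on); a differing name or syntax on the same OID is the inconsistency adprep refuses to overwrite.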

DsReplicaGetInfo() failed with status 8453 (0x2105)

Dear,

Sorry for my English...

I have two Windows Server 2003 domain controllers in my environment.
I tried to in-place upgrade the domain to Windows Server 2008. After I upgraded the first DC (FSMO role holder) to Windows Server 2008, I checked with repadmin /showreps and found the error below; other functions look fine (the two DCs can replicate normally).

---------------------------------------------------------------------------------------------

Default-First-Site-Name\TESTCMAD1

DC Options: IS_GC

Site Options: (none)

DC object GUID: 8182d2d1-bb2e-415e-96c4-c3e32cb32341

DC invocationID: 4c39039f-a7e5-494c-998f-3c1b8e2d887e



==== INBOUND NEIGHBORS ======================================



DC=TESTCM,DC=LOCAL

    Default-First-Site-Name\TESTCMAD2 via RPC

        DC object GUID: 58c4a24c-0da1-440b-8876-8262f5404ed1

        Last attempt @ 2009-02-21 15:26:19 was successful.



CN=Configuration,DC=TESTCM,DC=LOCAL

    Default-First-Site-Name\TESTCMAD2 via RPC

        DC object GUID: 58c4a24c-0da1-440b-8876-8262f5404ed1

        Last attempt @ 2009-02-21 15:14:00 was successful.



CN=Schema,CN=Configuration,DC=TESTCM,DC=LOCAL

    Default-First-Site-Name\TESTCMAD2 via RPC

        DC object GUID: 58c4a24c-0da1-440b-8876-8262f5404ed1

        Last attempt @ 2009-02-21 14:45:27 was successful.



DC=DomainDnsZones,DC=TESTCM,DC=LOCAL

    Default-First-Site-Name\TESTCMAD2 via RPC

        DC object GUID: 58c4a24c-0da1-440b-8876-8262f5404ed1

        Last attempt @ 2009-02-21 14:45:27 was successful.



DC=ForestDnsZones,DC=TESTCM,DC=LOCAL

    Default-First-Site-Name\TESTCMAD2 via RPC

        DC object GUID: 58c4a24c-0da1-440b-8876-8262f5404ed1

        Last attempt @ 2009-02-21 14:45:27 was successful.

DsReplicaGetInfo() failed with status 8453 (0x2105):

    Can't retrieve message string 8453 (0x2105), error 15100.

DsReplicaGetInfo() failed with status 8453 (0x2105):

    Can't retrieve message string 8453 (0x2105), error 15105.

----------------------------------------------------------------------------------
What should I do?
Please help me.

Thank you
Thanapha




Thana

Problem with Domain Trust


Hi,

we're running the following TFS 2012-Setup (Update 3) on Windows Server 2012:

Domain A (Productive)

Domain B (TFS-Services)

There is a one-way trust between the domains. When I want users to connect to the TFS, I create "Local Security Groups" in Domain B and add users from Domain A to those groups. This works fine when I add the users directly. But when I add groups from Domain A, the authentication fails.

Is there a known problem with nested groups?

Thanks for any hints on that issue!


2003-2012 - Forest trust - Problem adding 2003 users to 2012 groups


Hello all,

I established and validated a 2-way trust between 2 forests, one with 2003 (2003.local) and another with 2012r2 (2012r2.lan).
DNS uses conditional forwarders.

From 2012r2.lan, I can explore the 2003.local domain, add 2003 users to 2012's domain local groups, and everything seems to work fine.  (Users can log in, access resources, etc..)

From 2003.local however, I can only see the 2012r2.lan domain under Locations if I'm trying to add members to a 2003 global security group.
The problem is, if I open a 2003 user and want to add it to a 2012r2 group, the 2012r2.lan domain is not listed under Locations.

So the only way to add 2003 users to 2012r2 groups is doing it from the 2012r2.lan domain, and after adding them, the 2003 domain user's "Member of" tab doesn't show any group from the 2012r2.lan domain.

What can I do to be able to add 2012r2.lan domain local groups to 2003.local users from the 2003 domain controller Active Directory Users and Computers?

Thanks


Health check newly installed DC


Hi,

I've recently installed a new Windows Server 2012 server and promoted it to be a DC. There are 2003 and 2008 DCs currently running which will be decommed eventually. How can I check/ensure everything is working on the new DC other than just looking at the event logs? I'm new to AD and 2012.

Thanks for any help.
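A read-only health check that goes beyond the event logs, written here as an added example (not from the original post or from Microsoft's documentation). It also covers the DC locator SRV records that the XP domain-join error earlier on this page complains about (_ldap._tcp.dc._msdcs.<domain>), because a DC that is not registered there is invisible to clients. Assumes the RSAT ActiveDirectory module on the machine you run it from, Domain Admin rights, and the two placeholder names at the top replaced with your own.

```powershell
# Added example: sanity-check a newly promoted domain controller.
# Run as a domain admin from a machine with RSAT (2008 R2 or later).
$Domain = "ourdomain.local"   # placeholder: the AD DNS domain name
$NewDc  = "NEWDC01"           # placeholder: hostname of the newly promoted DC

Import-Module ActiveDirectory

# 1. The directory knows the new DC and it advertises the expected roles.
Get-ADDomainController -Identity $NewDc |
    Select-Object HostName, Site, IsGlobalCatalog, OperatingSystem, IPv4Address

# 2. DC locator SRV records: these are what clients query to find a DC.
#    A missing or stale entry here produces "DNS name does not exist"
#    (RCODE_NAME_ERROR) on domain join, as in the XP post above.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain"
)
foreach ($name in $srvNames) {
    $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue
    # Resolve-DnsName also returns the A records of the targets; keep SRV only.
    $targets = $records | Where-Object { $_.Type -eq 'SRV' } |
               Select-Object -ExpandProperty NameTarget
    if (-not $targets) {
        Write-Warning "No SRV record at all for $name"
    } elseif ($targets -notcontains "$NewDc.$Domain") {
        Write-Warning "$NewDc is not registered under $name"
    } else {
        Write-Output "OK   $name -> $($targets -join ', ')"
    }
}

# 3. Replication: every partner must show zero failures for the new DC.
repadmin /replsummary
repadmin /showrepl $NewDc

# 4. Locator from the client side, plus DNS registration, advertising,
#    SYSVOL and NETLOGON share tests on the new DC specifically.
nltest /dsgetdc:$Domain /force
dcdiag /s:$NewDc /test:DNS /DnsRecordRegistration
dcdiag /s:$NewDc /test:Advertising /test:SysVolCheck /test:NetLogons

# 5. Time: the new DC must take its time from the domain hierarchy
#    (ultimately the PDC emulator), not from a free-running local clock.
w32tm /query /computer:$NewDc /source
```

Any WARN or FAIL in steps 2 to 4 is worth resolving before the older 2003 and 2008 DCs are decommissioned, since clients will fall back to them silently until then.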

Full back-up and restore of Active Directory


Dear All,

We are about to raise the domain functional level of our domain. We have two DCs, both Windows Server 2008 R2, but the domain is still Windows Server 2003. From what I understand raising it to Windows Server 2008 or Windows Server 2008 R2 should not be a problem, but reversing that process to a level below Windows Server 2008 would be impossible "unless you are prepared to restore the entire domain from backups." I have looked for instructions on how this restoring of the domain from backups would work (just in case I break Samba compatibility), but I have only found resources on how to perform a full server restore (which is unnecessary as our servers would still be there), or how to perform an authoritative restore of deleted items (which is not enough as I would not just want to recover some lost items, but put it back to functional level Windows Server 2003).

Does anyone know of instructions specific to the "I need to reverse a domain functional level raise" question?

I am running daily "wbadmin start systemstatebackup" backups; would that be enough for this kind of restore?

Thank you for your help.

Yours,

FD

Domain Controller DNS Record Intermittently Missing


Hi All,

I have a number of 2008 R2 Domain Controllers spread across a number of sites within AD. Recently I've noticed that the A record for one of these DCs disappears from the zone file for a few hours at a time then re-appears. All the A records for the Domain Controllers are static, and the errant record continues to report its timestamp as static each time it reappears. No DCs or DNS servers have been added or removed in the 3 months prior to this starting to happen.

I had initially suspected that scavenging being set too short was the cause; however, while our scavenging on the domain has matching no-refresh and refresh intervals set, scavenging isn't enabled on the zone or on any of the DCs. I have tried adding the record back manually, however this only alleviates the immediate symptom as the issue continues to occur.

Grasping at straws I had re-promoted the DC, which did appear to stop the issue occurring for about a week; however, that could just be random chance as the issue doesn't appear to happen every day.

I'm hoping someone might be able to point me in the right direction to figure out what is removing the record. My only remaining thought is that one DNS server is replicating an older copy of the zone to the rest of the servers, which is then later getting updated with the correct one by a server working correctly; however, if this were the case I don't see how it would only impact one record.

Any ideas or suggestions would be gratefully received.

Thanks,

Marc

Move Computer Accounts from Computers container to OU


I created a global security group called "IT Support", and I'd like to grant this group the permission to:

1. Join computers to domain

2. Move newly created (or already existing) computer accounts from the Computer container to a specific OU and sub-OUs

3. Modify group memberships for computer accounts (new or existing)

I can't seem to get this right...can someone help me complete this task correctly?  

Windows Server 2008 R2 (domain and forest level).

Users will be using RSAT for Win7 (x86).

Thank you!

Change Word Template File Location with Group Policy


I'm trying to change the User Template File Location with Group Policy. I have the Word 2007 administrative template, but it appears the only option under Word Options > Advanced > File Locations is to change "Default File Location". I only want to change the template location. Is this possible?

Thanks,

Scott

Event 4004 DFSR


Hello,

I am having a problem with one of my servers replicating. The error I keep getting in the event logs is;

The DFS Replication service stopped replication on the replicated folder at local path E:\Data\Share
 
Additional Information: 
Error: 997 (Overlapped I/O operation is in progress.) 
Additional context of the error:   
Replicated Folder Name: Share 
Replicated Folder ID: E885F587-409F-45B0-9A1C-324AF396503F 
Replication Group Name: FSSHare 
Replication Group ID: 63631889-10DD-42BD-965C-B27B9C35A2CC 
Member ID: 7EBC01B3-E024-4271-8158-CC7205640EF4

I have stopped both the Anti-Virus and Backup Apps on the server and I still get the same error. I have 4 other servers running DFSR and none of them are having this problem. Does anyone have any suggestions?

Server 2008 SP2 (Primary) trying to replicate to Server 2012

Thanks,

Gavin



Removing the default "Protect object from accidental deletion" on new OUs


I'm going to be blunt, this is just an astoundingly bad feature.  I can't have people making OUs with this box checked as it breaks basic functionality in our environment.

I want the default to go away, after being beaten and tortured, but left alive to suffer.

To be clear:  When making an OU I want the "Protect object from accidental deletion" box to be unchecked by default. 

Please tell me how to make it so.


When will AD member computers sync after DC time correction?


Today I discovered that about 6 months ago, someone had reconfigured our PDC emulator to sync from non-existent time servers, causing it (and in effect everything else in AD) to be off by 37 seconds from the intended, reliable NTP server.  I corrected it on the PDC emulator and made sure the other DCs got in sync with it.  (We have one domain, forest and site so that part was easy.)

Since I did that, many member computers are off from the DCs by 37 seconds, which is expected.  Many of them show Event ID 50 in the System Log: "The time service detected a time difference of greater than 5000 milliseconds for 900 seconds.......When a valid time stamp is received from a time service provider, the time service will correct itself". 

I assume I don't have too much to worry about since it's well within the 5 minute difference allowed by Kerberos. However, it's now been 5 hours since the time correction on the DCs and when I spot check clients, many are still off by 37 seconds.

When will these member computers correct their clocks WITHOUT INTERVENTION?  I'm wondering how they will find a "valid time stamp".

Thanks.
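To see which members are still 37 seconds out rather than spot-checking them one by one, the script below (an added example, not from the original post) has each member computer sample the PDC emulator once with w32tm /stripchart and reports the offset between the client's clock and the PDC's. It assumes the ActiveDirectory module, PowerShell remoting enabled on the member computers, and UDP 123 open from them to the PDC emulator; the 5 second tolerance is an arbitrary reporting threshold, well inside the 5 minute Kerberos limit the post mentions.

```powershell
# Added example: report member computers whose clock still differs from the
# PDC emulator by more than a tolerance. Read-only; the resync at the end is
# a comment you run by hand on a client that refuses to catch up.
$ToleranceSec = 5    # reporting threshold only; Kerberos tolerates 300 s

Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator
$dcs = (Get-ADDomainController -Filter *).HostName

# Runs ON the client via remoting. w32tm /stripchart takes one NTP sample
# from the reference host and prints a line such as "15:04:32, +00.0366524s",
# the client's offset from that host. Returns $null if it could not sample.
$probe = {
    param($Reference)
    $lines = w32tm /stripchart /computer:$Reference /samples:1 /dataonly 2>&1
    $m = $lines | Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
    if ($m) { [double]$m.Matches[0].Groups[1].Value } else { $null }
}

# Enabled computer accounts that are not domain controllers.
$members = Get-ADComputer -Filter 'Enabled -eq $true' |
    Where-Object { $dcs -notcontains $_.DNSHostName }

$report = foreach ($c in $members) {
    $offset = $null
    try {
        $offset = Invoke-Command -ComputerName $c.DNSHostName -ScriptBlock $probe `
                                 -ArgumentList $pdc -ErrorAction Stop
    } catch {
        # unreachable, remoting disabled, or w32tm failed: leave $offset null
    }
    [pscustomobject]@{
        Computer  = $c.Name
        OffsetSec = $offset    # null = could not measure
    }
}

# Show only the ones that have not corrected themselves (or could not be asked).
$report |
    Where-Object { $null -eq $_.OffsetSec -or [math]::Abs($_.OffsetSec) -gt $ToleranceSec } |
    Sort-Object OffsetSec -Descending |
    Format-Table -AutoSize

# On a client that stays listed, a manual correction is:
#   w32tm /resync /rediscover
# and "w32tm /query /status" on it shows the source and last successful sync.
```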

Exchange 2013: when I create a new user in 2012 AD no mailbox is created.


Hi,

I have two VMs both running Windows server 2012 R2.

S1-DC.domain.local (GC)

S2-EMS.domain.local (Exchange 2013 CU2)

When I add a new user account from the Admin Center on S1-DC.domain.local, no Exchange 2013 mailbox is being created.

I can add the AD user to Exchange 2013 manually, but I assumed a mailbox would be created automatically when an account is created.

What would be the cause of this?

thanks,

Fultz.


Have a good day.

2008r2 - DNS with AD Integrated Zones on non-DC?


Hi guys

We have a 2008r2 forest and running AD-integrated zones on all of our Domain Controllers.  We now want to make a member server(non-DC) a DNS server.  Are there any issues having AD integrated zones and going to a non-DC?

Thanks,

Dan


Dan Heim

Dns Server

Many times the server is shut down, but DNS user login still works. Why? Please help me: how do I stop logins after the DNS server is shut down?

Thanks & Regards Amit Kumar | EDP Dept.| Indus Weir Industries Limited | FF-42 | 3rd Floor | Mangal Bazar Road | Near V3S Mall | Laxmi Nagar | Delhi-92 | M +91 8010477243 E-Mail singhamit1993@hotmail.com

Inexperienced Admin - Kerberos problem


Hi,

I have a small Windows domain with 2 Windows Server 2008 R2 servers running Active Directory in 2008 mode.

I have caused a problem with one of my domain controllers.

I had antivirus software that would not uninstall properly.  I could not resolve the problem and decided I need to restore the system to a backup dated before any uninstallation attempt.

Unfortunately I did not realize this would cause Kerberos problems for my network. If the DC restored from backup is turned on it is affecting the functioning of DFS and other services because its SPN does not resolve properly. I do not know what an SPN is and how it relates to Active Directory functioning.

I have a process that I believe will restore proper functioning to my DC:

  1. I have a 3rd Windows server (all 2008 R2 BTW). I will enable the Active Directory roles that the failed DC has.
  2. I would remove the Active Directory roles etc. from the failed DC.
  3. I would remove the system from the local domain and then add it back in.

Is this process an effective way to resolve the problem?

Hugh
