Channel: Directory Services forum

Parent/Child Domain


I have a parent/child domain structure. The parent domain consists of domain controllers in three different locations (HO1, HO2, HO3). I have set Sites and Services up so that each remote VPN site (Child domain) has a site link to HO1 and HO2 only. When I attempt to ping the parent domain name from a site server it sometimes resolves to HO3 and times out as there isn't an active VPN tunnel between the 2. My question is why would HO3 be replying when it doesn't have a site link to the remote site and in turn how can I stop that from being the domain controller that replies?

Thanks for any advice

Chris


Adding 2012 server to 2003 domain on same subnet

I have a 2003 forest and domain. I have added a 2012 server; it is not a domain member. It is a workgroup member. I want to set up a test environment for Remote Desktop Services and tsweb. I have to make the 2012 server a domain controller. I don't want the 2012 server joined to my 2003 domain, but I want to use internet on the same subnet as the 2003 server. Can I have 2 different forests and domains on the same subnet? I will not set up DHCP on the 2012 server.

Hyper-V V2P Windows 2012 DC


Hi All,

Currently my Primary DC and additional DC are running on Microsoft Hyper-V. Can I V2P the Windows 2012 additional DC from Microsoft Hyper-V to a physical server?

Any preparation or concern?


Outlook disconnectivity due to some ADFS issue for whole enterprise


How does this CPU utilisation in the ADFS secondary server impact Outlook connectivity?

· What is the maximum number of connections a single ADFS server can handle?

· Today at around 7:45 pm AEST (off business hours) we found around 76,000 connections at the ADFS HLB (Hardware Load Balancer), where 80% of the connections were between the ADFS server and the domain controller. Could you please confirm whether this behaviour is expected?

· Today during business hours (when the issue occurred) we found around 1,40,000 connections at the ADFS HLB, which includes Outlook authentication and a couple of other ADFS-dependent application authentications. In our project, we have around 4000 users and 6000 mailboxes. Is it possible to confirm whether this high connection count is legitimate or expected?

· What is the TTL value for the ADFS authentication token? That is, if a user authenticates once, how long does the same authentication session continue?

· Whenever we experience any issue on any of the ADFS servers, users start receiving password prompts or Outlook disconnect issues. Could you please confirm whether this behaviour is expected, or whether users who are already logged on to Outlook shouldn't receive any issue?

Phantom Object on a last non-GC DC?


Hi,

I'm wondering what happens to the phantom objects on the last non-GC domain controller in the domain/forest once it becomes a GC? Do they get destroyed immediately or will they stay hanging around in the database forever? Should I transfer Infrastructure Master to that DC before making it a GC to clean those up?

Thanks,

Ivan


Ivan Seriavin

how to install apps


I am not able to install or download any app or game, due to my family setup. Please help me to set up all accounts.

Using the whr parameter


Hi all,

I have a question about using the whr parameter to automate home realm discovery.
We have a trust with an RP for a specific application. That application is being used by multiple IdPs. Hence we get a screen to select the home realm we need to authenticate on.
Is there a step-by-step guide to set up the whr parameter? I searched the internet and found information like:

Another approach is to use the WHR parameter in the URL / queryString when accessing the relying party as shown below:
https://xxx.yyy.com/RPApp/?WHR=https://ppp.qqq.com/IdP/

Does this mean I have to set up my Relying Party Trust again and add the /?WHR=https://sts.mydomain.com/adfs/services/trust behind the URL of the application on the RP side?

Thanks.

ADAMSync migration sanity check !


Hello,

Just a quick sanity check to make sure I am not overlooking something serious here.

We are using ADAMSync to populate proxy user objects into AD LDS from production AD.

Currently we have 2 AD LDS servers in the configuration set, and a data centre move means adding a new one, retiring one of the old ones, and moving ADAMSync from the old instance to a new one.

We will be using the same ADAMSync configuration XML, and I am presuming that nothing nasty is going to happen to the data in AD LDS when it is moved to the new server and the full sync runs the first time?

I am pretty sure it will be fine, and the initial full sync on the new server just builds the state cookie for the dirsync LDAP control, and it will run delta syncs after that, but I want to be sure I haven't overlooked anything that may damage the data already in AD LDS.

Regards


DC Forest Level 2003 adfind shows 2000


In order to install a new 2012 DC in my AD environment, I upgraded my domain functional level and forest functional level to 2003. When I use Active Directory Domains and Trusts, it shows me the 2003 forest functional level. When I use adfind -sc modes, it returns forestFunctionality 0 Windows Server 2000 Forest Mode.

When I try to install my new 2012 DC, the following message is displayed in the dcpromoui.log:

Forestprep was not done
Schema mismatch: forest schema version 31, required 69
The forest functional level must be Windows Server 2003 or above.

Isn't version 31 enough? According to this list http://msdn.microsoft.com/en-us/library/cc223174.aspx it should be 2003 R2 and not 2000.

Windows Server 2003 R2 operating system: 31

What's wrong?

Thank you for your help


Daniel Meili


AD FS Windows 2012 R2: adfssrv hangs in starting mode


Does anyone have the same issue? I installed and configured ADFS with a service account. After a server reboot the service cannot start anymore and it always stays in the "starting" state.

Unfortunately nothing in a log and no Windows Updates for 2012 R2 yet... many holes like Swiss cheese.

Thanks!

change password error


When I am changing the password using ALT+CTRL+DEL on Win8 in a domain network, it is done on some machines, but some machines show the below error: "security database on server does not have a computer account for this workstation trust relationship."

Domain vs. Local machine network settings


I've been asked by a project manager to make changes on a large number of PCs because we have changed to a new IP subnet for the entire dept.

This is a domain environment, yet I am being asked to make the changes by logging on to the local machines with an admin account (as opposed to logging in under the domain with an admin account).

I don't understand why this should be done this way; after all, when the users plop down at their desks, they are going to log on to the domain.

FYI: the changes are Network Connection changes: Show Icon when connected; Select DHCP; Obtain IP address and DNS address automatically; Auto negotiate speed; and change the network printer IPs on the default printer (to the new net).

Are there certain settings that follow through between a local machine logon and a domain logon? If so, is there a simple way to understand which settings those are?

I am new to PC support and even newer to a domain environment, so please correct me if I have used the wrong language to describe my situation.

Thanks !

BB 

How to delete from Active Directory users who have the same characters in their user name.


Hello.

I have many users in my Active Directory whose user names contain the same word at the beginning.

for example:

testabc@mycompany.local

testdef@mycompany.local

testghi@mycompany.local

testjkl@mycompany.local

What I want to do is find and delete all the users in my Active Directory whose names start with the word "test".

What PowerShell command should I use?

Thanks in advance

DFSR Error - The Replication Group Cannot Be Found


In the DFS Management console when I view entries under the Replication node of the tree I am seeing three entries with red X's as icons.  When I click on one of these an error is displayed...'The replication group cannot be queried.  The replication group cannot be found'.  I would like to delete these bad entries.  How can this be accomplished?

Thanks in advance for your help,
Terry


twahl

do windows domain members cache domain controller names/records


Hi, we have an issue with our VPN clients.

We have 4 old DCs and 4 new DCs. We created subnets so all users have to log in to the 4 new DCs, and we shut down the 4 old ones. When we shut down the old DCs, users could log in through VPN but could not connect to Outlook, SharePoint, intranet, and never got their mapped drives.

What’s odd is that in Office Mode DNS, there are no A records for our domain, or any records in the AD subdirectories… So how do VPN connected machines know how to talk to the domain’s domain controllers? Do they cache domain controller information from when they’re connected internally, and then just look up those domain controllers instead of re-looking up our domain?

Our firewalls are set up to allow access to the 4 new domain controllers.



stop users from seeing other group folders


Hello all,

How do I prevent users that don't have access to particular folders from seeing all folders? For example: I have a Data shared folder, which is the root folder. Inside that folder I have a folder "Groups"; inside of "Groups" it houses all of the group folders such as Acct, HR, Technology etc. The users only have rights to their group folder; if they click on any other "group folder", access is denied. How can I prevent them from even seeing other group folders they don't have access to? We have Windows Server 2008R2 attached to a NETAPP fas 2020 storage array.

Thank you in Advance

The Active directory Newbie


Robert Blakey

ADFS cache


First of all thanks for taking the time to read, any response is greatly appreciated.

If I set up ADFS between my in-house operations and an off-site host and my in-house ADs go down, can users still use SSO to log into the off-site host?

I guess I'm curious to know if the off-site host can cache accounts.

Is it bad practice to have account credentials cached for a long time due to security reasons?

How can I get my users to log into the off-site location using SSO when my in-house ADs and ADFS servers are down?

Thanks in advance for your help,

John

remove AD with IIS installed

I inherited a Windows Server 2008 R2 box that has AD and IIS installed. I need to remove AD, and I was wondering what problems I will have when I remove AD.

Problem with renaming domain Server 2008


Hi,

We have only a single domain in our forest with a Windows Server 2008 R2 domain controller (only one domain controller)... no Exchange in our environment...

We did the domain rename process using the Windows Server 2008 R2 ADDS Domain Rename Operations Document.pdf found here

Everything went well until we proceeded with the repadmin.exe /syncall /d /e /P /q Moneta command (Moneta is the DC name). I get the error

SyncAll exited with fatal Win32 error: 8440 (0x20f8):
    The naming context specified for this replication operation is invalid.

Now the domain network on the server appears as monetaks.com, the name that we wanted it to be, but the computers joined before with the old name cannot work throughout this. Also, when we look in the properties of the computer, the domain appears as

Computer Name: Moneta

Full computer name: Moneta.testsrv.com 

Domain: monetaks.com (testsrv is the old name of domain, the one that we want to change)

but the document that we followed says that it should look like:

Computer Name: Moneta

Full computer name: Moneta.monetaks.com 

Domain: monetaks.com

Any idea about this?

Thanks in advance


How to find inactive and disabled users in AD


Hello Experts,

I want to export the inactive and disabled users and thus clean up the AD database.

I have tried dsquery with different syntaxes but am not getting the expected result. I want to export the output to an Excel sheet so it will ease my task.

Thanks in Advance.

 


Rahul