Channel: Directory Services forum

Can I have AD and NPS and CA server running on a single 2008R2


Hi,

This is a basic question.

Can I have AD, NPS and CA server running on a single 2008R2 machine?

If yes, then please outline NPS config steps when AD is installed.

Thanks in advance.


AD Server decommissioning


We have a site with some servers and users.

I need to decommission the only AD server on this site (other AD servers exist elsewhere along with FSMO roles).

Should I stop this server being a global catalog server first then dcpromo or just go for the straight DC promo?

Need to ensure that the other servers and clients continue to function fine as this site is almost in use 24 hours.

I would like to test the removal of this server first by downing the server for 12 - 24 hours, how would this affect users and servers onsite and can this be done safely in the day?

Looking forward to your comments :)

Allow non-admin to install software/printer


I have an issue now... Right now I'm running with this:

net.exe localgroup administrators interactive /Add 

But can I remove that so they still can install software?

The target machine is a Windows 7.

When that group is under local admin they can see the wireless key.

When I remove interactive from local administrator they cannot... which is good, but now they can't install software?

Can superuser install software???



Helpdesk Supporter

adprep32 /domainprep /gpprep fails with: adprep was unable to complete because the call back function failed gpprep


Running adprep32 to prep our Windows 2003 domain for new Windows Server 2008 R2 DCs.

adprep32 /forestprep ran without error after changing domain to native mode. However, running adprep32 /domainprep /gpprep fails with "adprep was unable to complete because the call back function failed". After running it a second time, it looks like /domainprep worked as it says that the domain-wide information was already updated. However the log shows this:

[Status/Consequence]

Adprep did not attempt to rerun this operation.
[2012/11/20:16:03:17.312]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=a3dac986-80e7-4e59-a059-54cb1ab43cb9,cn=Operations,cn=DomainUpdates,cn=System,DC=4Seasons,DC=net.
[2012/11/20:16:03:17.312]
LDAP API ldap_search_s() finished, return code is 0x20 
[2012/11/20:16:03:17.312]
Adprep verified the state of operation cn=a3dac986-80e7-4e59-a059-54cb1ab43cb9,cn=Operations,cn=DomainUpdates,cn=System,DC=4Seasons,DC=net. 

[Status/Consequence]

The operation has not run or is not currently running. It will be run next.
[2012/11/20:16:03:17.312]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=446f24ea-cfd5-4c52-8346-96e170bcb912,cn=Operations,cn=DomainUpdates,cn=System,DC=4Seasons,DC=net.
[2012/11/20:16:03:17.328]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/11/20:16:03:17.328]
Adprep checked to verify whether operation cn=446f24ea-cfd5-4c52-8346-96e170bcb912,cn=Operations,cn=DomainUpdates,cn=System,DC=4Seasons,DC=net has completed.

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.
[2012/11/20:16:03:17.328]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=51cba88b-99cf-4e16-bef2-c427b38d0767,cn=Operations,cn=DomainUpdates,cn=System,DC=4Seasons,DC=net.
[2012/11/20:16:03:17.390]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/11/20:16:03:17.390]
Adprep checked to verify whether operation cn=51cba88b-99cf-4e16-bef2-c427b38d0767,cn=Operations,cn=DomainUpdates,cn=System,DC=4Seasons,DC=net has completed.

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.
[2012/11/20:16:03:17.390]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=a3dac986-80e7-4e59-a059-54cb1ab43cb9,cn=Operations,cn=DomainUpdates,cn=System,DC=4Seasons,DC=net.
[2012/11/20:16:03:17.406]
LDAP API ldap_search_s() finished, return code is 0x20 
[2012/11/20:16:03:17.406]
Adprep verified the state of operation cn=a3dac986-80e7-4e59-a059-54cb1ab43cb9,cn=Operations,cn=DomainUpdates,cn=System,DC=4Seasons,DC=net. 

[Status/Consequence]

The operation has not run or is not currently running. It will be run next.
[2012/11/20:16:03:18.953]
Adprep was unable to complete because the call back function failed. 

[Status/Consequence]

Error message: (null)

[User Action] 

Check the log file ADPrep.log, in the C:\WINDOWS\debug\adprep\logs\20121120160315 directory for more information.
[2012/11/20:16:03:18.953]
Adprep was unable to update domain information. 

[Status/Consequence]

Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.

[User Action] 

Check the log file, ADPrep.log, in the C:\WINDOWS\debug\adprep\logs\20121120160315 directory for more information. 

I've checked other forum questions and not found an answer. I've checked all the symptoms mentioned by http://technet.microsoft.com/en-us/library/dd464018(WS.10).aspx and all of those check out.

What I have found is that if I look in ADUC (after going to view ->advanced features), under system -> domainupdates -> operations there is no a3dac986-80e7-4e59-a059-54cb1ab43cb9 listed.  This appears to be my issue, but I can't find a resolution.  Please Advise.

Thanks!

Some Important Question About Active Directory.


Hi,

I have two questions.

Q1 - If I have one domain controller, another is in a remote office like an RODC, but the first time we are unable to create replication between them, so what is the step to replicate them? How does the user log in?

Q2 - I have two domain controllers, one with Global Catalog, another is just additional without GC, and the primary domain controller fails. What are my steps to bring up the additional one?

Account Lockout in Active Directory 2008 R2


We've implemented Account Logout policies in our Windows 2008 R2 domain with these settings

Lockout duration: 30 minutes
Lockout threshold: 15 invalid login attempts
Reset account lockout counter after: 30 minutes

We've turned on NETLOGON.log logging and are watching for any user problems. On a few users, we see over 300 attempted logins from a machine (0xC000006A Transitive Login attempt) over a 4 hour period. We're watching the account but it's not locking out. Are these types of login exempt from the Account Lockout policy?


Orange County District Attorney


Active Directory Operations Master Isolated itself


So, Active Directory newbie here. Have enough experience/knowledge to be dangerous. We have some trouble in the office, and I have a good feeling what's going on, but I don't know how to professionally handle the problem.

We have 3 DCs. The DC with all the operations master roles seemed to flat out stop replicating with the other two. Those two are still communicating and replicating with each other just fine. Have troubles accessing network shares because of it. Can't pull down Group Policy because of it to desktops.

I'm interested in learning the quick and dirty way to get us back in good shape.

I was thinking demote the machine with all the operations master roles, configure one of the other DCs to have all the roles, and then re-promote it to DC. Switching the operations masters a second time isn't a requirement here.

I'm uncomfortable pulling the trigger with that method.

Could I bother anyone to share how they would approach this situation? I would prefer not to try to create any dump files or post error messages related to why the server became "isolated." I want to know how to fix this in the shortest amount of time, not a complex procedure of completely rebuilding my schema.

Please and Thank you.


"Knowledge changes life" "The quieter you are, the more you are able to hear" >Backtrack Linux FAN<

AD Administration


Hi,

We have an AD domain under which, for each branch of our company, we have created a separate OU.

Each location has a separate admin to manage users under it.

So how do we give administrators in each individual location admin power over only that particular OU?



Read Cache or Write Cache ?


Is there any terminology in MS regarding READ CACHE? Can I say my local system or my local DNS cache records are read cache?

LastLogonTimeStamp query result is 0?


Hi Guys,

Our client has a script that they are using to query the LastLogonTimeStamp of their users in their domains. Unfortunately, they have this domain that when they use this script to query for users LastLogonTimeStamp, the displayed result is 0? Do you think this could be a setting in the Domain Controller that needs to be enabled for the script to function properly? By the way, they are using Windows Server 2003. Please advise.

Thank You,

Arnel

Best way to migrate DNS, DHCP, WINS and DFS from Windows 2003 to Windows 2008 R2


Hi,

I'm looking to see what would be the best approach to migrate DNS, DHCP, WINS and DFS from Windows 2003 to Windows 2008 R2

Also, the best way to manually move these services to another server.

-TIA

- thestriver

How to Replicate ACL for the directories and files that are synced thru Robocopy


We have one server(main site) running with Windows 2003 and DR server running with 2008.

We have the robocopy to replicate the users folders and files from Main site to DR server.

And we cannot use the Robocopy options that replicate ACL.

And the data sync is successful but not the security settings.

Both the servers are running in a same domain.

We need to replicate and sync the Security and ACL from main site to DR.

DC promotion and adprep/forestprep


I've tried to dcpromo a new Windows 2008 server installation to be a Domain Controller, running in an existing domain. I am informed that, first, I must run adprep/forestprep ("To install a domain controller into this Active Directory forest, you must first prepare the forest using "adprep/forestprep". The Adprep utility is available on the Windows Server 2008 installation media in the Windows\sources\adprep folder").

 

Trouble is that adprep/forestprep says that:

 

Adprep cannot run on this platform because it is not an Active Directory Domain Controller.
[Status/Consequence]
Adprep stopped without making any changes.
[User Action]
Run Adprep on a Active Directory Domain Controller.

 

So, which needs to be installed first (they cannot really be dependent upon each other), and how do I go about completing this?!

 

Thanks

 

Stephen Simpson

Disable users to join computer to domain

Hello:

How can I restrict users to not join any computers to domain using group policy?
Thank you
Network is my LOVE

Preventing roaming profiles automatically migrating from XP to .V2 Windows 7 profile


We are currently running Windows XP SP3 clients with a Windows Server 2008 R2 domain. We are migrating our estate to Windows 7 and want to give the users a "clean slate" by giving them a brand new profile.

Our user's roaming profiles are located in a folder called XPProfile on their personal network drive, example \\server1\user1$

When they log onto a Windows 7 device, it creates a .V2 profile on both the client and their home drive (in our case, XPProfile.V2). This profile contains all the UI customisations, shortcuts, etc. from Windows XP which we don't want to bring across to the new OS.

Is there any way we can prevent these settings being migrated across whilst still creating the new profile when they first log on?

Our first obvious problem is that the user profile attribute on the users account will be set to use the old profile directory (\\server1\user1$\XPProfile). Does this require changing for all users or can we do it another way?

Thanks in advance


Secondary DNS not Authoritative


Hi everyone

I've been looking around the forums and Google for a while but haven't found a solution to my problem.

I have DNS configured on my DC right now and am looking to setup a backup DNS server on a member server as I do not have a second DC.  The current DNS is AD integrated so I am looking to do a secondary zone transfer for the backup DNS.

When I try to add the second server to the Name Servers list I am receiving the error: The server with this IP address is not authoritative for the required zone.  I thought adding the server to this list would resolve the problem, not show me the same error!

Secondary question, once this is resolved, do I have to add the backup server to every Name Servers list in each Forward and Reverse lookup zone?  Is there a way to put it one place for every one in DNS instead of each one individually?

Thanks for your help!

Ryan

ADFS 2.0 - RP Trusts always show as out of date due to monitoring errors, until I manually click on "Update"


I am running Win2008r2 and have a pair of ADFS servers and ADFS proxy servers behind load balancers, and Office365 is the only ADFS partner. Everything is working right now, but I have noticed that RP trusts for Office365 always had a red critical "X" on it, until I open it up and click on "Update from Federation Metadata/update". Then everything looks good. In the properties of the trust, I do have checks to monitor the relying party and to automatically update the relying party. Any ideas as to why I have to update this manually?

I know there is a PowerShell script out from Microsoft that will help to relay new token-signing certificates, etc. to Microsoft Office365 and am wondering if that would also fix these errors as well. If anyone has any ideas, let me know.

Thanks,

Dan


Dan Heim



promote server 2012 to dc - trust for delegation test fails

Hello,

I added a server 2012 to my domain (win 2003 native functionality level), I'm now trying to promote it to DC but it fails while verifying the requirements.
The test Test.VerifyAdminTrustedForDelegation.DCPromo.General.1006 does not pass. I'm logged in as an "Administrator" of the domain, which of course is/should be trusted for delegation.

I already have 3 DCs, a win 2008 and win 2008R2 at main site, one 2003 r2 in another AD site within the same domain.

Any hint?

thanks

KRB_AP_ERR_MODIFIED then migrate VM


Hello
When I create a domain account or move a virtual machine with Windows 2008R2, I get this error:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server mss_farm. The target name used was %servername%. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using.

This error appears only on machines with windows 2008R2 and will not appear on the 2003

I checked replication between 2 domains used in our network and replicate runs without errors.

Also, when you connect with RDP error is that the server can not be found.




Domain Trusts, break email communication


I need help. I have a domain I wish to migrate into another domain.

When I set up the 2-way forest trust, the trust part works great, but what happens is the ability to email them goes out the window.

Currently our China location has a domain, I will call it for now domainb.com. They have their email through an offsite provider (internet host, something like Gmail or Yahoo) but their email domain is also domainb.com. I set up the trust between my domain domainA.local and their domain domainb.com. Communication between the two ADs: AWESOME, but they can no longer email us and we can no longer email them... they do receive mail from external sources, we just can't email each other.

I need to know how I can temporarily fix this while I migrate all their users to domaina.local and to our internal Exchange server (which is Exchange 2007 btw).

Thanks in advance for any assistance you may be able to provide.
