how replication works between dcs?
Delete AD Computer Accounts that are inactive for 30 days
Greetings,
Could you please tell me how to disable AD computer accounts with more than 30 days of inactivity.
I have used the following command to locate unused computer objects over the last 4 weeks: dsquery computer -inactive 4. From this command, is there a way to delete the results?
Thanks a lot.
Redouane
Redouane SARRA
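An added example (not from the original post) of what a staged version of this looks like in PowerShell. The dsquery output can be piped straight into dsrm, but deleting in one step is hard to undo, so this script disables and moves anything inactive for 30 days into a holding OU and only deletes accounts that have then sat disabled there for a further 30 days. It runs in -WhatIf mode until the switches are removed. The OU paths and the description stamp format are assumptions.

```powershell
# Added example: stage inactive computer accounts (disable + move) and delete
# only after a grace period. All OU paths below are placeholders.
Import-Module ActiveDirectory

$InactiveDays = 30
$GraceDays    = 30
$SearchBase   = 'OU=Workstations,DC=example,DC=com'        # assumed
$HoldingOU    = 'OU=Disabled Computers,DC=example,DC=com'  # assumed
$Stamp        = Get-Date -Format 'yyyy-MM-dd'

# Equivalent one-liner with the tools the post uses (counts weeks, no staging):
#   dsquery computer -inactive 4 | dsrm -noprompt
# Search-ADAccount evaluates lastLogonTimestamp, which is replicated but only
# refreshed when it is more than ~14 days old, so "inactive 30 days" means
# "at least 30 days", possibly more.
$stale = Search-ADAccount -AccountInactive -ComputersOnly `
            -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -SearchBase $SearchBase |
         Where-Object { $_.Enabled }

foreach ($c in $stale) {
    Write-Host "Disabling $($c.Name) (last logon $($c.LastLogonDate))"
    # Record when and why it was disabled so the second pass can apply the grace period.
    Set-ADComputer   -Identity $c.DistinguishedName -Description "Disabled $Stamp for inactivity" -WhatIf
    Disable-ADAccount -Identity $c.DistinguishedName -WhatIf
    Move-ADObject    -Identity $c.DistinguishedName -TargetPath $HoldingOU -WhatIf
}

# Second pass: delete accounts whose description stamp is older than the grace period.
$cutoff = (Get-Date).AddDays(-$GraceDays)
Get-ADComputer -SearchBase $HoldingOU -Filter { Enabled -eq $false } -Properties Description |
    ForEach-Object {
        if ($_.Description -match '^Disabled (\d{4}-\d{2}-\d{2}) for inactivity' -and
            [DateTime]$Matches[1] -lt $cutoff) {
            Write-Host "Deleting $($_.Name) (disabled $($Matches[1]))"
            # -Recursive also removes child objects such as BitLocker recovery information,
            # which otherwise make Remove-ADComputer fail on a non-leaf object.
            Remove-ADObject -Identity $_.DistinguishedName -Recursive -Confirm:$false -WhatIf
        }
    }
```

Run it as-is to see what would change, then drop the -WhatIf switches. Keeping the disabled accounts for a grace period matters because a machine that has been powered off (or on the road) for a month can still be re-enabled, whereas a deleted computer object has to be rejoined to the domain.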
Reset Logoncount in AD
Hello,
Is it possible to set the "logoncount" parameter for the computers to 0? (PowerShell?)
I want to do this to have a "fresh" look at the use of our PCs.
Thanks,
Sven
ADFS Windows Authentication inserting ADFS server hostname as domain name in username field for some users
Hi All,
I just set up ADFS on 2012 for SAML2. Unfortunately this was shoved into production by the department we set this up for without enough testing. We are having an issue I was hoping that you could shed some light on. Some of our computers are configured to use restricted generic user accounts as a part of an SSO solution we use. These machines have had a Group Policy change pushed to turn off the Internet Explorer "automatically log in with current credentials" setting, to stop the generic user from logging in automatically through ADFS to our Learning Management System, where these users have no account. Suffice it to say the far end has SAML2 but only in a version 1 fashion, and the generic users can't sign in there. We need them to be prompted to enter credentials on these stations manually. This is working. However, some of these workstations are placing the hostname of the ADFS server in the username field, formatted as the domain. This presents a problem, as our users, for the most part, don't and won't pay attention to this and don't want to type the proper domain name into the logon box. If they clear it, authentication fails; they have to specify the domain name if it autofills with the wrong information. Additionally, we are seeing this occasionally for external machines not on the domain. I have spent many hours googling and looking at TechNet docs but can't find anything. Do you have any suggestions? Thanks in advance.
New domain new subnet problem
We were trying to add a new domain tree to our forest/domain with Windows 2012 R2, but the promotion of the new domain controller for the new domain tree failed. Everything goes well until the final setup window, but then the new domain controller for the new domain tree appears to be stuck at the "Replicating the schema directory partition" stage... It never ends the "Replicating the schema directory partition" stage!!!
So I went to the lab (in our Hyper-V) and tried to replicate the problem. I created a new forest/domain and added a new domain tree, and the process completed successfully. But then I replicated the same setup using a different IP subnet for each DC (like our production environment), and the SAME HAPPENS again: the setup goes until the final stage and stays forever at the "Replicating the schema directory partition" stage!!!
At this stage I don't know if the problem is the same one we have in our PRD environment, but the problem has the same behavior. I suspect that the problem has something to do with IPv6 (I see the primary DNS for the NIC listed with the IPv6 "::1" before the IPv4 address), but I don't know much about IPv6. I already tried several configurations: I disabled the firewalls in both lab DCs, I removed the IPv6 check option from the NIC properties on both DCs, I set BOTH DNS servers to respond only on their IPv4 address, I tried to pre-stage the new domain tree DNS zone in the DC, and so on... Nothing works...
So the current scenario is:
Hyper-V physical machine / 2 Private switches (one for each subnet)
3 VMs
1 DC - First Domain/Forest / Static IP / DNS IPV4 point to itself / and IPV6 DNS = ::1 / It has the First DNS/Domain Zone and a conditional Forwarder that points to the 2nd DC that is in the other subnet.
2 DC - This is the one to be added with new domain tree in the existing Forest. Static IP address / DNS point to itself / and IPV6 DNS = ::1 / also has a conditional Forwarder that points to the 1st DC DNS domain zone that is in the other subnet.
Between both subnets I have a server that has RAS role to provide routing between both subnets
From both DCs I can ping each end, I have access to the shares in both ends, DNS appears to be working ok...
(Note: In one of the tests I created a new primary zone in DC02 to pre-stage the new domain tree zone in DC02 before running the Active Directory setup in DC02. Then I went to DC01 and pinged DC02 by its FQDN, and DC02 replied; however, if I try to ping only the primary zone by its name "newdomaintree.com" it fails on both DCs, which is weird to me. I did the same test for the first Domain DNS zone in DC01 and it worked for both tests: I could ping DC01 by FQDN and ping the "Domain.com" DNS zone from both ends.)
Any thoughts on this one?!
Thank you.
IP config for the lab servers:
*******************************************************************
DC01
*******************************************************************
PS C:\> IPCONFIG /ALL
Windows IP Configuration
Host Name . . . . . . . . . . . . : f1d1-srv-01
Primary Dns Suffix . . . . . . . : f1d1.lc
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : f1d1.lc
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-01-47-17
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::3423:7d39:f13b:22e4%12(Preferred)
IPv4 Address. . . . . . . . . . . : 10.10.10.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.254
DHCPv6 IAID . . . . . . . . . . . : 201332061
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-91-77-A5-00-15-5D-01-47-17
DNS Servers . . . . . . . . . . . : ::1
10.10.10.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{FFDDBBEF-DD20-4ADD-98B1-B3C6D6BD66FE}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
PS C:\>
*******************************************************************
DC02
*******************************************************************
PS C:\> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : f1d2-srv-01
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-01-47-1A
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d562:7f42:6041:30f8%12(Preferred)
IPv4 Address. . . . . . . . . . . : 10.10.20.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.20.254
DHCPv6 IAID . . . . . . . . . . . : 201332061
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-92-44-F8-00-15-5D-01-47-1A
DNS Servers . . . . . . . . . . . : ::1
10.10.20.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{545D35C6-250D-41AB-87CD-6FE8FA85E175}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
PS C:\>
*******************************************************************
should I concern these old 13508 logs?
We have several different sites with mixed Windows 2003 and Windows 2008 DCs.
Some DCs got event 13508 but no event 13509 almost one month ago. Now there is no event 13508 in the current log (after 1/15/2014).
But when I ran FRS diag, it still shows failed with one error.
Should I be concerned about these 13508 events in the FRS logs (older than one month) on some domain controllers?
Thank you!
Migrating SID history WITHOUT migrating user
We have 2 single-domain forests with a 2-way forest trust. We have identical user accounts in both domains. Is it possible to migrate just the SID history from one domain to the identical username in the other domain?
TIA!
Infrastructure Master FSMO on a server which is also a GC
Hi All,
Recently, one of our admins created a new child domain. The domain is spread across 3 sites, there are 3 DCs on each site, and every DC is a GC server. I have now taken over the administration of that domain. As part of the prep work, I noticed that on one of the sites the DC holding the Infrastructure Master role of the domain coincidentally happens to be a GC as well. I then recommended adding an additional DC that is not a GC and transferring the Infrastructure Master FSMO role to that server. However, they opined to me strongly that this is not going to cause any issues as long as all DCs in that domain are GCs.
Can someone please enlighten me as to whether this is the way to go, as Active Directory design best practices recommend not placing the Infrastructure Master role and the GC on the same server irrespective of the size of the domain? Consider this question from a scalability perspective too.
BTW, we will soon be creating a two-way transitive trust with one of our external partner domains and I want to make sure I've got all my ammo cocked up...
Regards,
Ochen
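An added example (not from the original post) of the check I would run before arguing either side: it reports who holds the Infrastructure Master role in the domain and whether every DC in that domain is a GC. The documented rule is that the IM-on-a-GC placement only causes stale cross-domain references when at least one DC in the domain is not a GC; with every DC a GC the IM has nothing to update. The domain name is an assumed placeholder.

```powershell
# Added example: does the Infrastructure Master / GC placement caveat apply here?
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param([string]$Domain = 'child.example.com')   # assumed placeholder

    $d   = Get-ADDomain -Identity $Domain
    # -Server with a domain name targets a DC of that domain; -Filter * then
    # returns all DCs of that domain, including their IsGlobalCatalog flag.
    $dcs = Get-ADDomainController -Filter * -Server $Domain

    $im    = $dcs | Where-Object { $_.HostName -eq $d.InfrastructureMaster }
    $nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

    [pscustomobject]@{
        Domain               = $d.DNSRoot
        InfrastructureMaster = $d.InfrastructureMaster
        ImIsGlobalCatalog    = [bool]$im.IsGlobalCatalog
        DomainControllers    = $dcs.Count
        NonGcDCs             = $nonGc.HostName
        # Conflict only when the IM is a GC AND some DC in the domain is not a GC:
        # that is the case where phantom (cross-domain) references go stale.
        PlacementConflict    = ([bool]$im.IsGlobalCatalog) -and ($nonGc.Count -gt 0)
    }
}

Test-InfrastructureMasterPlacement -Domain 'child.example.com' | Format-List
```

Worth re-running whenever a DC is added to the domain: the moment someone promotes a DC without making it a GC, PlacementConflict flips to True and the role should be moved to that non-GC DC.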
Linux
Windows 2008 R2 Domain Controller with Certificate Authority
We have a Linux box on our domain that needs a PKCS#7 certificate.
Everything works great for all other certs on our Windows systems; I just don't know how to do it with Linux.
Local ADUC Security mismatch
Hoping someone may have a suggestion to point me at.
Our AD is 2008 R2:
Scenario: Go to the OU and open up properties on a user account. Select the Security tab, then click Advanced. Select the Effective Permissions tab and enter the user name you're checking.
If I do this on the domain controllers (any of them), it shows the permissions to be List Contents, Read All Properties, Read Permissions and so on, but only read. If I repeat this very same task on my workstation using ADUC, it shows the user with "everything" except Full Control and Delete Subtree. I have no clue why they would be different. I tried it from 3 desktops using the ADUC tools and all are the same. I have told it to use a different domain controller and it is still the same thing.
Any clue as to what is going on here?
Willis
Copy / Backup Users data file to another location / network location within Windows Server 2008 R2 enviroment
I have a network environment with Windows Server 2008 R2 and about 50 Windows XP clients. I want to schedule a copy/backup of specific users' (those working in my network, apart from those who have left but whose profile still exists on the server) data files/folders (typically their Desktop folder and My Documents folder).
How can I do it, whether with a batch file in a scheduled task or any other way? Please give me the content to accomplish this task.
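An added example (not from the original post) of one way to do this with robocopy driven from a PowerShell script and a scheduled task. It assumes the profiles live under one share on the server, one folder per user, and that only the users you name are copied, so departed users' profiles are skipped. The share names, user list, and service account are placeholders. It copies data, attributes and timestamps but deliberately not the source ACLs, so the backup share keeps its own (tighter) permissions instead of inheriting whatever each user set on their folders.

```powershell
# Added example: copy each named user's Desktop and My Documents to a backup share.
# Save as C:\Scripts\Backup-UserData.ps1 (path assumed) and register with schtasks.
$ProfileRoot = '\\FILESRV\Profiles$'    # assumed: one folder per user
$BackupRoot  = '\\BACKUPSRV\UserData$'  # assumed: restricted to admins + backup account
$LogDir      = 'C:\Logs\UserBackup'
$Users       = @('alice', 'bob')        # assumed: only current staff are listed here
# To back up every profile folder instead (PowerShell 2.0 compatible):
#   $Users = Get-ChildItem $ProfileRoot | Where-Object { $_.PSIsContainer } | ForEach-Object { $_.Name }

New-Item -ItemType Directory -Force -Path $LogDir | Out-Null
$failed = @()

foreach ($u in $Users) {
    foreach ($sub in 'Desktop', 'My Documents') {
        $src = Join-Path (Join-Path $ProfileRoot $u) $sub
        $dst = Join-Path (Join-Path $BackupRoot  $u) $sub
        if (-not (Test-Path $src)) { continue }

        # /E        copy subfolders including empty ones
        # /COPY:DAT data, attributes, timestamps (no ACLs/owner: backup keeps its own security)
        # /XJ       skip junction points (avoids loops on redirected folders)
        # /R:2 /W:5 bounded retries so a locked file cannot hang the job
        # /FFT      tolerate 2-second timestamp granularity on different file systems
        # /NP       no per-file progress in the log
        # /LOG+     append to a per-user log for later review
        robocopy $src $dst /E /COPY:DAT /XJ /R:2 /W:5 /FFT /NP /LOG+:"$LogDir\$u.log"

        # robocopy exit codes below 8 are success/partial-success; 8 and above mean failures.
        if ($LASTEXITCODE -ge 8) {
            Write-Warning "robocopy failed for $u\$sub (exit $LASTEXITCODE)"
            $failed += "$u\$sub"
        }
    }
}

if ($failed.Count -gt 0) { exit 1 } else { exit 0 }

# Register a nightly run as a dedicated account that has read on the profile share and
# write on the backup share (run once, as an administrator; names assumed):
#   schtasks /Create /TN "UserDataBackup" /SC DAILY /ST 22:00 /RU "DOMAIN\svc_backup" /RP * `
#     /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup-UserData.ps1"
```

The per-user logs are the place to look when a user reports a missing file, and the non-zero exit code lets Task Scheduler's "Last Run Result" show when a run had failures rather than silently succeeding.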
active directory subnets
hi,
We have multiple sites and subnets on different VLANs. Most Active Directory Sites and Services sites have two domain controllers.
We have had a few projects come up where we have had to create a couple of servers on different subnets, but creating AD controllers is not really needed.
My question is: should we really be creating AD controllers in each zone regardless, as best practice? At the moment we are just pointing the smaller zones to a larger zone for AD authentication and using the firewall to direct traffic to the AD controllers.
Is this method OK, or should we be doing this differently?
Thanks
phill
DCDIag Assistance
Hi, I'm getting a lot of Best Practices Analyzer errors and warnings, etc.
I had an old lab DC that I demoted and joined to a new 2012 DC as a secondary DC.
I have numerous errors and DNS just doesn't seem right. I deleted references to my old records in DNS and thought I'd cleaned things up, but I'm not sure I have.
Also, on the secondary DC there is no NETLOGON or SYSVOL, so I don't have replication between DCs.
dcdiag output below (this output is from the second DC). Any help appreciated.
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = MYDC
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\MYDC
Starting test: Connectivity
......................... MYDC passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\MYDC
Starting test: Advertising
Warning: DsGetDcName returned information for
\\SVR2012PDC.AlexCorpDom.Internal, when we were trying to reach
MYDC.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... MYDC failed test Advertising
Starting test: FrsEvent
......................... MYDC passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... MYDC failed test DFSREvent
Starting test: SysVolCheck
......................... MYDC passed test SysVolCheck
Starting test: KccEvent
......................... MYDC passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... MYDC passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... MYDC passed test MachineAccount
Starting test: NCSecDesc
......................... MYDC passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\MYDC\netlogon)
MYDC An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... MYDC failed test NetLogons
Starting test: ObjectsReplicated
......................... MYDC passed test ObjectsReplicated
Starting test: Replications
......................... MYDC passed test Replications
Starting test: RidManager
......................... MYDC passed test RidManager
Starting test: Services
......................... MYDC passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x0000008E
Time Generated: 02/14/2014 11:23:21
Event String:
The time service has stopped advertising as a time source because the local clock is not synchronized.
A warning event occurred. EventID: 0x00001695
Time Generated: 02/14/2014 11:35:11
Event String:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'oldDC.local.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
A warning event occurred. EventID: 0x00001695
Time Generated: 02/14/2014 11:35:11
Event String:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.OLDDC.local.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
A warning event occurred. EventID: 0x00001695
Time Generated: 02/14/2014 11:35:11
Event String:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.OLDDC.local' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
A warning event occurred. EventID: 0x0000008E
Time Generated: 02/14/2014 12:06:49
Event String:
The time service has stopped advertising as a time source because the local clock is not synchronized.
A warning event occurred. EventID: 0x00000032
Time Generated: 02/14/2014 12:06:49
Event String:
The time service detected a time difference of greater than 5000 milliseconds for 900 seconds. The time difference might be caused by synchronization with low-accuracy time sources or by suboptimal network conditions. The time service is no longer synchronized and cannot provide the time to other clients or update the system clock. When a valid time stamp is received from a time service provider, the time service will correct itself.
A warning event occurred. EventID: 0x0000008E
Time Generated: 02/14/2014 12:09:01
Event String:
The time service has stopped advertising as a time source because the local clock is not synchronized.
......................... MYDC passed test SystemLog
Starting test: VerifyReferences
......................... MYDC passed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : AlexCorpDom
Starting test: CheckSDRefDom
......................... AlexCorpDom passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... AlexCorpDom passed test CrossRefValidation
Running enterprise tests on : AlexCorpDom.Internal
Starting test: LocatorCheck
......................... AlexCorpDom.Internal passed test
LocatorCheck
Starting test: Intersite
......................... AlexCorpDom.Internal passed test Intersite
ADFS compatibility with SSL Offloading
Hi All
We are going to implement ADFS 3.0 in a farm with a hardware load balancer, and we have a query: does ADFS support SSL offloading?
Thanks in Advance
JP
Question on Active Directory Account Policy "Password Never Expires"
Hi everyone,
I have been asked by my lead to do an analysis on the user account attribute "Password Never Expires".
Here's the situation:
Our current domain account/password policy is set to 6 characters, and we will be increasing the password complexity and the account lockout threshold duration too; however, this is irrelevant to my question.
We have a few users on our corporate domain whose passwords are set to never expire (special VIP users). I have been tasked with increasing the password and account lockout policy. I will be setting the minimum password length to 8.
So if a user account currently has a password length of 6 and the password is set to never expire, what will happen to the user account once I edit the default domain policy? Will the user be asked to change the password to at least 8 characters, and will the "Password Never Expires" attribute stick, or will it go away or be reset?
Has anyone ever come across this? Thanks.
Regards,
Ochen
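An added example (not from the original post) of the inventory I would build for this analysis: every enabled account flagged "Password never expires", with the age of its current password next to the domain policy. A higher minimum length in the default domain policy is only enforced when a password is next changed, so this list is the set of passwords that will not be touched by the policy change on their own. The search base is an assumed placeholder.

```powershell
# Added example: report "Password never expires" accounts with password age
# against the domain password policy.
Import-Module ActiveDirectory

function Get-NeverExpiresReport {
    param([string]$SearchBase = 'DC=example,DC=com')   # assumed placeholder

    $policy = Get-ADDefaultDomainPasswordPolicy
    Write-Host ("Domain policy: MinPasswordLength={0}, MaxPasswordAge={1} days" -f
                $policy.MinPasswordLength, $policy.MaxPasswordAge.Days)

    Get-ADUser -SearchBase $SearchBase `
               -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
               -Properties PasswordLastSet, PasswordNeverExpires, whenCreated |
        ForEach-Object {
            # PasswordLastSet is empty when the account has never had a password set.
            $age = if ($_.PasswordLastSet) {
                (New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days
            } else { $null }

            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                PasswordLastSet = $_.PasswordLastSet
                PasswordAgeDays = $age
                # A never-expiring password can still be older than the policy would
                # allow for everyone else; these are the ones to review first.
                ExceedsMaxAge   = ($policy.MaxPasswordAge.Days -gt 0) -and
                                  ($age -gt $policy.MaxPasswordAge.Days)
            }
        }
}

Get-NeverExpiresReport | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```

The PasswordLastSet column is the useful bit: any password set before the day the new policy takes effect was validated against the old 6-character minimum, and nothing in the default domain policy will make those users change it. Exporting the result with Export-Csv gives the lead a list to act on.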
When does a DC advertise itself after promotion?
not replicate anymore?
Hi all,
Mixed Windows 2003 DCs and Windows 2008 DCs.
We have 7 different sites.
We have one DC that got a journal wrap error, and we used burflags to fix it.
Now, if I drop one txt file in the netlogon folder on one DC, it will not replicate to its partners. No errors, and repadmin all passed.
If I drop a folder in the sysvol\domain folder, it replicates with no issue.
Only if I drop a file into the netlogon folder, it seems that the file cannot replicate to all domain controllers.
How should I troubleshoot this replication error in the netlogon folder?
Thank you!
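An added example (not from either post) that automates the "drop a file in NETLOGON and see where it shows up" test from this post and also covers the missing NETLOGON/SYSVOL shares in the dcdiag post above. It checks that every DC in the domain exposes both shares, writes a small timestamped canary file into NETLOGON on a source DC (the PDC emulator by default), and polls the other DCs until the file appears or a timeout passes. It works the same whether SYSVOL is replicated by FRS or DFSR, because it only looks at the share contents. The domain name and timeout are assumptions, and it needs PowerShell 3.0 or later for the [pscustomobject] syntax.

```powershell
# Added example: SYSVOL/NETLOGON share check plus a replication canary file.
Import-Module ActiveDirectory

function Test-SysvolReplication {
    param(
        [string]$Domain = 'example.com',   # assumed placeholder
        [string]$SourceDC,                 # defaults to the PDC emulator
        [int]$TimeoutMinutes = 15
    )
    $dcs = Get-ADDomainController -Filter * -Server $Domain | ForEach-Object { $_.HostName }
    if (-not $SourceDC) { $SourceDC = (Get-ADDomain -Identity $Domain).PDCEmulator }

    # Step 1: share availability. dcdiag's NetLogons test fails with "network name
    # cannot be found" when a DC has not shared these yet (e.g. initial sync never finished).
    $shareState = foreach ($dc in $dcs) {
        [pscustomobject]@{
            DC       = $dc
            NETLOGON = Test-Path "\\$dc\NETLOGON"
            SYSVOL   = Test-Path "\\$dc\SYSVOL"
        }
    }
    $shareState | Format-Table -AutoSize | Out-String | Write-Host

    # Step 2: canary file. Write it once on the source DC, then wait for it everywhere else.
    $name = "repl-canary-$(Get-Date -Format 'yyyyMMdd-HHmmss').txt"
    $src  = "\\$SourceDC\NETLOGON\$name"
    Set-Content -Path $src -Value "written on $SourceDC at $(Get-Date -Format o)"

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $pending  = New-Object System.Collections.ArrayList
    foreach ($dc in $dcs) { if ($dc -ne $SourceDC) { [void]$pending.Add($dc) } }
    $arrived  = @{}

    while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
        foreach ($dc in @($pending)) {
            if (Test-Path "\\$dc\NETLOGON\$name") {
                $arrived[$dc] = Get-Date
                $pending.Remove($dc)
            }
        }
        if ($pending.Count -gt 0) { Start-Sleep -Seconds 30 }
    }

    # Clean up on the source; the deletion should replicate the same way the file did.
    Remove-Item -Path $src -ErrorAction SilentlyContinue

    foreach ($dc in $dcs) {
        [pscustomobject]@{
            DC       = $dc
            Received = if ($dc -eq $SourceDC)         { 'source' }
                       elseif ($arrived.ContainsKey($dc)) { $arrived[$dc] }
                       else { "NOT within $TimeoutMinutes min" }
        }
    }
}

Test-SysvolReplication -Domain 'example.com' | Format-Table -AutoSize
```

A DC that shows both shares but never receives the canary is the one to look at with the replication-specific tools (FRS event log and ntfrsutl on 2003/2008, or dfsrdiag on DFSR-migrated domains); a DC with no shares at all has not completed its initial SYSVOL sync, which matches the failed NetLogons and DFSREvent tests in the dcdiag output above.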
ADMT 3.2 - Can it migrate Server 2012 servers?
Stale host names still being reported from active directory
Protect password hash when delegating user management rights.
dsacls <TargetOU> /I:S /G <AdminGroup>:CC;user;
dsacls <TargetOU> /I:S /G <AdminGroup>:DC;user;
dsacls <TargetOU> /I:S /G <AdminGroup>:GRGW;;user
dsacls <TargetOU> /I:S /G <AdminGroup>:GA;;user
What we would like as an end result is that, within a specified OU, a designated group could modify any field, create and delete users, and reset passwords, but could not read or dump the password hash. When we just do GRGW, we notice most fields are not selected, and we don't really want to specify every individual field unless that is necessary to protect the password hash.
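An added example (not from the original post) of the delegation written out in full, plus the audit that actually answers the hash question. Two points it encodes: first, "Reset Password" is a control access right rather than an attribute write, so GRGW on user objects does not include it and it has to be granted separately; second, the password hash attributes are never readable through LDAP regardless of what the OU ACL says, and the only way data like that leaves a DC is through the directory replication control access rights on the domain partition, so the thing to verify is that the delegated group holds no such rights there. The OU, domain and group names are assumed placeholders, and /I:T is used instead of the post's /I:S so the group can create users directly in the target OU and not only in its sub-OUs.

```powershell
# Added example: delegate user administration on one OU with dsacls, then audit
# the domain partition for replication rights held by the delegated group.
Import-Module ActiveDirectory

$TargetOU   = 'OU=Helpdesk Managed,DC=example,DC=com'   # assumed
$DomainNC   = 'DC=example,DC=com'                       # assumed
$AdminGroup = 'EXAMPLE\UserAdmins'                      # assumed

# /I:T = this object and all sub-objects (/I:S would be sub-objects only).
# Create and delete user objects in the OU tree.
dsacls $TargetOU /I:T /G "${AdminGroup}:CC;user"
dsacls $TargetOU /I:T /G "${AdminGroup}:DC;user"
# Generic read + generic write on user objects: every attribute the group is
# allowed to see or set through LDAP (the password attributes are not among them).
dsacls $TargetOU /I:T /G "${AdminGroup}:GRGW;;user"
# Reset Password is a control access right (CA;<right name>), not an attribute.
dsacls $TargetOU /I:T /G "${AdminGroup}:CA;Reset Password;user"

# Audit: list any ACE the delegated group holds on the domain partition head and
# flag the ones that would allow replication-based reads of secret attributes.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
$acl = Get-Acl -Path "AD:\$DomainNC"
$findings = $acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $AdminGroup -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $guid = $_.ObjectType.ToString()
        [pscustomobject]@{
            Rights     = $_.ActiveDirectoryRights
            ObjectType = if ($replRights.ContainsKey($guid)) { $replRights[$guid] } else { $guid }
            # GenericAll on the partition head implies every control access right, including these.
            Dangerous  = $replRights.ContainsKey($guid) -or ($_.ActiveDirectoryRights -match 'GenericAll')
        }
    }

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Host "$AdminGroup holds no ACEs on $DomainNC" }
```

The expected result after the four dsacls lines is the "holds no ACEs" message, because everything was granted on the OU, not on the partition head. If the audit ever shows a Dangerous entry for the group, that ACE was added some other way and should be removed; the OU-level delegation above never needs it.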