Greetings,

Could you please tell me how to disable inactive AD Computer accounts more than 30 days of inactivity.

I have used the following command to locate unused computers objects in the last 4 weeks:dsquery computer -inactive 4 , from this command is there a way to delete the results of the command ?

Thanks a lot.

Redouane

Redouane SARRA

Hello,

Is it possible to set the "logoncount" parameter for the computers to 0 ?  (Powershell ?)

I want to do this to have a "fresh" look at the use of our PC's.

Thanks,

Sven

Hi All,

I just setup ADFS on 2012 for SAML2. Unfortunately this was shoved Production by the departmemt we set this up for without enough testing. We are having an issue I was hoping that you could shed some light on. Some of our computers are configured to use restricted generic user accounts as a part of an SSO solution we use. These machines have had a Group Policy change pushed to turn off the Internet Explorer automatically login with current credentials setting to stop the generic user from logging in automatically through ADFS to our Learning Management System, where these users have no account. Suffice it to say the far end has SAML2 but only in a version 1 fashion, and the generic users can't sign in there. We need them to be prompted to enter credentials on these stations manualy. This is working. However, some of these workstations are placing the hostname of the ADFS server in the username field formatted as the domain. This presents a problem as our users for the most part, don't and won't pay attention to this and don't want to type the proper domain name into the logon box. If they clear it, authentication fails, they have to specify the domain name if it autofills with the wrong information. Additionally, we are seeing this occasionally for external machines not on the domain. I have spent many hours googling and looking at technet docs but can't find anything. Do you have any suggestions? Thanks in advance.

We were trying to add a new domain tree to our forest/domain with windows 2012 r2 but the promotion of the new domain controller for the new domain tree failed. Everything goes well until the final setup window, but then the new domain controller for the new domain tree appears to stuck at "Replicating the schema directory partition" stage... It never ends the "Replicating the schema directory partition" stage!!!

So I went to the lab (in our Hyper-V) and try to replicate the problem. I created a new forest/domain and add a new domain tree, the process completed successfully. Bu then I replicated the same setup but using different IP subnet for each DC (like our production environment), and the the SAME HAPPENS again, the setup goes until the final stage and stays forever at the "Replicating the schema directory partition" stage!!!

At this stage I don`t know if the problem is the same that we have in our PRD environment, but the problem has the same behavior. I suspect that the problem has something to do with IPV6 (I see the primary DNS for the NIC primary DNS listed with the IPV6 "::1" before the IPV4 address), but i don`t know much about IPV6. I already tried several configurations, I disabled the firewalls in both lab DCs, I removed the IPV6 check option from the NIC  properties from both DCs, I set BOTH DNS to respond only from their IPV4, I tried to pre-stage the new domain tree DNS zone in the DC, and so on... Nothing works...



So the current scenario is:

Hyper-V physical machine / 2 Private switches (one for each subnet)

3 VMs

1 DC - First Domain/Forest / Static IP / DNS IPV4 point to itself / and IPV6 DNS = ::1 / It has the First DNS/Domain Zone and a conditional Forwarder that points to the 2nd DC that is in the other subnet.

2 DC - This is the one to be added with new domain tree in the existing Forest. Static IP address / DNS point to itself /  and IPV6 DNS = ::1 / also has a conditional Forwarder that points to the 1st DC DNS domain zone that is in the other subnet.

Between both subnets I have a server that has RAS role to provide routing between both subnets

From both DCs I can ping each end, I have access to the shares in both ends, DNS appears to be working ok...

(Note: In one of the tests I created a new primary zone in DC02 to pre-stage the new domain tree zone in DC02 before running the active directory setup in DC02, then I went to DC01 and ping the DC02 by its FQDN, and DC02 replied, however if I try to ping only the Primary Zone by its name "newdomaintree.com" it fails in both DCs witch is weird to me, I did the same test for the First/Domain DNS Zone in DC01 and worked ok for both tests, I could ping DC01 by FQDN and ping the "Domain.com" DNS zone in both ends ).

Any thoughts on this one?!

Thank you.

Ip Config for the Lab Servers:

*******************************************************************

DC01

*******************************************************************

PS C:\> IPCONFIG /ALL

Windows IP Configuration

   Host Name . . . . . . . . . . . . : f1d1-srv-01
   Primary Dns Suffix  . . . . . . . : f1d1.lc
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : f1d1.lc

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-01-47-17
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::3423:7d39:f13b:22e4%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.10.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.254
   DHCPv6 IAID . . . . . . . . . . . : 201332061
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-91-77-A5-00-15-5D-01-47-17
   DNS Servers . . . . . . . . . . . : ::1
                                       10.10.10.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{FFDDBBEF-DD20-4ADD-98B1-B3C6D6BD66FE}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
PS C:\>

*******************************************************************

DC02

*******************************************************************

PS C:\> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : f1d2-srv-01
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-01-47-1A
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::d562:7f42:6041:30f8%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.20.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.20.254
   DHCPv6 IAID . . . . . . . . . . . : 201332061
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-92-44-F8-00-15-5D-01-47-1A
   DNS Servers . . . . . . . . . . . : ::1
                                       10.10.20.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{545D35C6-250D-41AB-87CD-6FE8FA85E175}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
PS C:\>
*******************************************************************

We have several different sites with mixed windows 2003 & windows 2008 DCs.
Some DCs get event 13508 but no event 13509 almost one month ago.  Now,
no event 13508 on the current log (after 1/15/2014).

But, when I ran FRS diag, it still shows failed with one error.

Should I concern these 13508 in FRS logs
(older than one month) on some domain controllers?

Thank you!

We have 2 single-domain forests with a 2-way forest trust. We have identical user accounts in both domains. Is it possible to migrate just the SID history from one domain to the identical username in the other domain?

TIA!

Hi All,

Recently, one of our admins created a new child domain. The domain is spread across 3 sites, and there are 3 DCs' on each site and every DC is a GC server. I have now taken over the administration of that domain. As part of prep up work, i noticed that on one of the sites, the DC is holding the Infrastructure Master role of the domain and co-incidentally the server happens to be a GC as well. I then recommended adding an additional DC and transferring the Infrastructure Master FSMO role to that server and that server not to be a GC.   However, they opined to me strongly that this is not going to cause any issues as long as all DC in that domain is a GC.

Can someone please enlighten me as if this is the way to go as Active Directory design Best Practices recommends not to place the Infrastructure Master role and the GC on the same server irrespective of the size of the domain. Consider this question also from a scalability perspective too.

BTW, we will soon be creating a two-way transitive trust with one of our external partner domain and  I wanna make sure i got all my ammo cocked up...

Regards,

Ochen

Windows 2008 R2 Domain Controller with Certificate Authority

We have a linux box on our domain that needs a PKCS#7 certificate.

Everything works great for all other certs on our  Windows system I just don't know how to do it with Linux.

Hoping someone may have a suggestion to point me at.

Our AD is 2008 R2:

Scenario: Go to the OU and open up properties on a user account.  Select the Security tab - then click Advanced.  Select the Effective Permissions tab and enter in the user name your checking.

If I do this on the Domain Controllers (Any of them) it shows the permissions to be List contents Read all Properties, Read permissions and so on - but only read.  If I repeat this very same task on my workstation using ADUC it shows the user with "Everything" except for Full Control and Delete subtree.  I have no clue why they would be different.  I tried it from 3 desktops using ADUC tools and all are the same.  I have told it to use a different domain controller and still the same thing.

Any clue as to what is going on here?

Willis 

I have network envirenment with Window Server 2008 R2 with about 50 Windows XP clients. I want to schedule copy / backup of specific user (working in my network, apart of those have left but their profile exist on Server) data file / folder (typically their Desktop Folder, My Documents Folder).

How can do it. whether with a batch file put in schedule task ..... or any other way......... Pls give me the content accomplish this task...

hi,

we have multiple sites and subnets on different vlans.  most active directory sites and services have two domain controllers.

we have had a few projects come up where we have had to create a couple of servers on different subnets but creating ad controllers is not really needed.

my question is.... should we really be creating ad controllers in each zone regardless as best practice?  at the moment we are just pointing the smaller zones to a larger zone for ad authentication and using the firewall to direct traffic to the ad controllers.

Is this method ok or should we be doing this different?

Thanks

phill

Hi, im getting a lot of best practise analyser errors and warnings etc.

I had an old lab DC that I demoted and joined to a new 2012 DC as a secondary DC.

I have numerous errors and dns just doesn't seems right I deleted reference to my old records in dns and thought id cleaned things up but not sure I have.

also on the secondary DC there is no netlogon or sysvol so I don't have replication between dcs

d

Directory Server Diagnosis

Performing initial setup:

   Trying to find home server...

   Home Server = MYDC

   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

  
   Testing server: Default-First-Site-Name\MYDC

      Starting test: Connectivity

         ......................... MYDC  passed test Connectivity

Doing primary tests

  
   Testing server: Default-First-Site-Name\MYDC

      Starting test: Advertising

         Warning: DsGetDcName returned information for

         \\SVR2012PDC.AlexCorpDom.Internal, when we were trying to reach

         MYDC.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... MYDC failed test Advertising

      Starting test: FrsEvent

         ......................... MYDC passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... MYDC failed test DFSREvent

      Starting test: SysVolCheck

         ......................... MYDC passed test SysVolCheck

      Starting test: KccEvent

         ......................... MYDC passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... MYDC passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... MYDC passed test MachineAccount

      Starting test: NCSecDesc

         ......................... MYDC passed test NCSecDesc

      Starting test: NetLogons

         Unable to connect to the NETLOGON share! (\\MYDC\netlogon)

         MYDC An net use or LsaPolicy operation failed with error 67,

         The network name cannot be found..

         ......................... MYDC failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... MYDC passed test ObjectsReplicated

      Starting test: Replications

         ......................... MYDC passed test Replications

      Starting test: RidManager

         ......................... MYDC passed test RidManager

      Starting test: Services

         ......................... MYDC passed test Services

      Starting test: SystemLog

         A warning event occurred.  EventID: 0x0000008E

            Time Generated: 02/14/2014   11:23:21

            Event String:

            The time service has stopped advertising as a time source because the local clock is not synchronized.

         A warning event occurred.  EventID: 0x00001695

            Time Generated: 02/14/2014   11:35:11

            Event String:

            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'oldDC.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition). 

         A warning event occurred.  EventID: 0x00001695

            Time Generated: 02/14/2014   11:35:11

            Event String:

            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.OLDDC.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition). 

         A warning event occurred.  EventID: 0x00001695

            Time Generated: 02/14/2014   11:35:11

            Event String:

            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.OLDDC.local' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition). 

         A warning event occurred.  EventID: 0x0000008E

            Time Generated: 02/14/2014   12:06:49

            Event String:

            The time service has stopped advertising as a time source because the local clock is not synchronized.

         A warning event occurred.  EventID: 0x00000032

            Time Generated: 02/14/2014   12:06:49

            Event String:

            The time service detected a time difference of greater than 5000 milliseconds for 900 seconds. The time difference might be caused by synchronization with low-accuracy time sources or by suboptimal network conditions. The time service is no longer synchronized and cannot provide the time to other clients or update the system clock. When a valid time stamp is received from a time service provider, the time service will correct itself.

         A warning event occurred.  EventID: 0x0000008E

            Time Generated: 02/14/2014   12:09:01

            Event String:

            The time service has stopped advertising as a time source because the local clock is not synchronized.

         ......................... MYDC passed test SystemLog

      Starting test: VerifyReferences

         ......................... MYDC  passed test VerifyReferences

  
  
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

  
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

  
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

  
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

  
   Running partition tests on : AlexCorpDom

      Starting test: CheckSDRefDom

         ......................... AlexCorpDom passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... AlexCorpDom passed test CrossRefValidation

  
   Running enterprise tests on : AlexCorpDom.Internal

      Starting test: LocatorCheck

         ......................... AlexCorpDom.Internal passed test

         LocatorCheck

      Starting test: Intersite

         ......................... AlexCorpDom.Internal passed test Intersite

cdiag output below (this output is fro the second dc).  any help appreciated

Hi All

we are going to Implement the ADFS 3.0 in Farm with Hardware load balancer, we have query that is ADFS support the SSL Offloading.

Thanks in Advance

JP

Hi everyone,

I have been asked by my lead to do an analysis on the user account attribute "Password Never expires".

Here's the situation:

Our current domain account/password policy is set to 6 chars and we will be increasing the password complexity and the account lockout threshold duration too, however this is irrelevent to my question.

We have some few users on our corporate domain whose password are set to never expires (special VIP users). I have been tasked with increasing the password and the account lockout policy. I will be setting the min password to 8.

So if a user account currently has a password length of 6 and password set to never expire. What will happen to the user account once i edit the default domain policy? Will the user be asked to change the password to atleast 8 chars and will the "Password Never Expire" attribute stick or will it go away, reset ???

Anyone ever came across this? Thanks.

Regards,

Ochen

Hi all,

Mixed Windows 2003 DCs and Windows 2008 DCs
We have 7 different sites
We have one DC gets journal wrap error and use burflags to fix it
Now, if I drop one txt file in the netlogon folder on one DC,
it will not replicate to its partners.  No errors and repadmin all
passed.

If I dropped folder in sysvol\domain folder, it has no issue to replicate.

only if I drop file to netlogon folder, it seems that file can not replicate all domain controllers.

How should I troubleshoot this replication error in netlogon folder?

Thank you!