Channel: Directory Services forum

Active Directory L3 questions asked in one interview

What if your net-logon share is not shared? What can be the troubleshooting steps?
How does the secure channel work for clients, servers and the domain controllers themselves?

What if the SYSVOL folder is not shared, and how can you recover it?

What is a USN rollback of a domain controller, and what is the method to recover the DC?

What are the in Active Directory 2012R2 and 2008 r2 and 2003?

How does a user profile load, and what is the role of Active Directory in user profile loading?

How can you troubleshoot if you get errors in replication, and what can be the event ID for that?

What is the difference in Kerberos between 2003, 2008 and 2012 R2 Active Directory?

BDC sync data


A BDC was offline for nearly one month (powered off). I brought it online again. Are there any problems I should care about?

Will old data on the BDC overwrite the root AD, or will the BDC sync new data from AD?

Microsoft TechNet Wiki Windows Server Guru - Winners for January!!


The results for January's TechNet Guru competition were posted!

http://blogs.technet.com/b/wikininjas/archive/2014/02/16/technet-guru-awards-january-2014.aspx


Post your FEBRUARY contributions here:

http://social.technet.microsoft.com/wiki/contents/articles/22885.technet-guru-contributions-for-february.aspx


A great big thank you to EVERYONE who contributed an article to last month's competition.

Hopefully we will see you ALL again in this month's listings?

Unfortunately, forum restrictions have prevented me from posting the winners here.

You will find the complete post, comments and feedback on the main announcement post.

Please join the discussion, add a comment, or suggest future categories.

If you have not yet contributed an article for this month, and you think you can write a more useful, clever, or better produced wiki article than last month's winners, here's your chance! :D

Best regards,
Pete Laker

More about the TechNet Guru Awards:



#PEJL

Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to the one and only TechNet Wiki, for future generations to benefit from! You'll never get archived again!

If you are a member of any user groups, please make sure you list them in the Microsoft User Groups Portal. Microsoft are trying to help promote your groups, and collating them here is the first step.

ADSIEdit


Hello everyone

1. I have removed a Windows Server 2003 domain controller using DCPromo.
How do I remove any entries of it from ADSIEdit? I want to come up with the same host name
and install a Windows Server 2008 R2 domain controller.

2. Earlier, one of my domain controllers failed and I did a metadata cleanup.
How do I delete its entries if they are in ADSIEdit?

How can I remove all entries of domain controllers (removed either by metadata cleanup or by DCPromo)
from ADSIEdit?

Migrating SID history WITHOUT migrating user


We have 2 single-domain forests with a 2-way forest trust. We have identical user accounts in both domains. Is it possible to migrate just the SID history from one domain to the identical username in the other domain?

TIA!

Active Directory Dynamic Groups

I have a Microsoft Windows Server 2008 R2 environment. There are 3 groups created in AD. I want to add members to groups 1 and 2 manually. After that, all the members from groups 1 and 2 should be added to group 3 automatically. Is it possible to convert group 3 into some kind of dynamic group? Or is there any other method to do this? Thanks in advance.

AD RMS Setup failed because of invalid configuration setting


Hi,

When I configure AD RMS, it gives me the error "one or more AD RMS role services could not be configured: AD RMS setup failed because of invalid configuration setting". The user I am installing with is an administrator of the DC, and the service account is a member of the enterprise domain group. When I tried this in a test environment it worked perfectly, but in the production environment it didn't. Please help me with this.

Thanks......

I am using Windows 2012 Standard Server.

How do I copy the content of a Scheme Attribute to Notepad


Hi,

I need to send the properties of a scheme attribute to a colleague either in notepad or email. Does anyone know how I get the entire contents from this properties box into Notepad?


Thanks Andy


Adding email field to bulk users in AD Windows Server 2008


I need to add the email "lastname.givenname@domain.local" to every user in a specific OU.

I'm running a Windows Server 2008 machine with a couple thousand odd users. So adding an email field individually to them all will be a major pain.

PowerShell doesn't work because they added the Active Directory module in R2.

Open to scripts or third party tools.

Any ideas? 


How to pull up inventory of DC's


Hello Experts,

Is there any easy way to pull up the names of all DCs / inventory details?

Adding AD users from one forest into a different forest


Hello Community

Using a Windows 2008 Server domain controller, the UI and Active Directory, I have a domain in a forest.

There are Active Directory users that exist in a different forest that need to access resources in my forest.

I set up a one-way trust relationship, using Active Directory Domains and Trusts, to grant the Active Directory users in the other forest access to resources in my forest.

What are the necessary steps that I should follow to add users from the other forest into my forest so that they can access the resources in my forest?

Thank you
Shabeaut

Active directory functional level upgrade failed


Hi, I am trying to upgrade the forest and domain functional level from Windows 2003 to Windows 2008 R2, with all prerequisites completed. However, during the upgrade I am getting the error "The functional level could not be raised: The server is unwilling to process the request".

I tried from the DC which hosts the domain FSMO roles. I also checked the events but don't find anything relevant to this.

Any help is much appreciated.


Thanks, Karthikeyan R

Spread the Love! Be our Windows Server TechNet Guru, this Valentine's


TechNet loves you!

 

We love your contributions at TechNet Wiki sooo much that we give you more than just love in return...

We give you NOTORIETY, GLORY... and VIRTUAL MEDALS!

That's not all, this love we have, together, it flows both ways my friend.

You give us stuff, we give you stuff, like interviews, recognition points, Ninja Belt rankings, and of course front page love!

If the love is strong enough, who knows where it could end! We may even invite you into secret clubs and other initiatives.

So why not spread the love a little further this Valentine's, with more than just a cheap card from the high street...

Express your love for your favourite technology in a TechNet Wiki article!

Pour your heart out to us, capture our hearts and woo us with your prowess!

 

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker




New Domain account Users password must be changed before signing in


Hello

After I create a new domain user account in the AD, I define a temp password and check the flag "user must change password at next login". When I go to Windows 8.1, it accepts the temp password fine and asks to input a new password. After putting in a password allowed by the group policy requirements, it says: "The users password must be changed before signing in". It works fine with previous versions of Windows; this issue started when we started to add Windows 8 and Windows 8.1 clients for tests. The only workaround we could see is not to set the flag "users must change their password at next login"; they had to come to an admin's computer and add their password directly into AD.


Set-up of a Forest Trust - Unique situation


I am in need of advice on how to set up a forest trust between two separate, but similar forests.

My AD server is Server 2012R2, their AD server is Server 2008R2.

We are a small community college in the process of separating from our parent university. Currently the parent university has AD services for both domains (theirname.edu and ourname.edu). I have built a completely new and separate AD server on a different network using the same ourname.edu that the parent university is currently using.

Is it possible to set up a forest trust between the NEW ourname.edu and the old ourname.edu?

We are trying to get the NEW AD server up and running so that it can be fully functional for users. This trust is also so we can migrate our student and employee user data from the OLD AD to our NEW AD using the ADMT tool or something similar.


LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 534, v1db0^@]


Hello,

Could someone tell me what the error below indicates, please?

error code 534

LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 534, v1db0^@]

Many thanks.

Chissley,

Site Logon Issues


I have a strange issue that I'm having an issue figuring out...

I have a branch office that has two network subnets.

One is a public IP range that we are moving off of because it's a public range (128.1.8.x/23), and the other is a private range (172.16.20.x).

We are moving users and servers off of the public network to the private network. I have already done this for all of my 20 branch offices (all from the 128.1.x.x network) and this is the last one.

I have created a new DC and placed it on the 172 network in that site and have assigned all the necessary subnets to that site. The DC is a global catalog.  Currently I have a 2008 R2 DC on both the local site 172 network DC1 and the 128 network DC2.

So here's the issue.

In the migration process I point all the user PC's and servers to DC1 as their primary DNS server and DataCenter DC as the secondary with DC2 as a third.

Also, in our environment we have Desktop Authority as a script engine that we've had forever. I mention it because it generates a great log at login for the user, which I use for troubleshooting these types of issues.

So, when DC1 and DC2 are both on, the PCs have no issues logging onto the network. Typically it takes 15-20 seconds for a desktop to show up. The set command shows the login DC as DC1. If I look at the log file generated by the script engine, it also states it's using DC1 as its login server. The issue is when I turn DC2 off. If the PC reboots, just the booting process takes 15-20 minutes before it gets to a Ctrl-Alt-Del login. If a user logs on, local account OR domain account, it takes another 20-30 minutes. In looking at the same logs I see that it is logging onto DC1. I don't see any real issues in the Windows Event logs. This continues for all the PCs until DC2 is turned back on. Then logons go back to normal. I see no warnings or errors in the DCs' event logs. Replication tests show good. And when I look at the logs, the PCs are still using DC1 as the login server.

The PC is currently on the 128 network and my plan today is to move a PC over to the 172 network and test again but I'm really confused on what's going on here and what log I should look at to see what's going on during the delay.

Any ideas/help would be appreciated.

Thanks

RS

External Forest Trust Issue


This has got to be a bug in the GUI.  I have two new forests that are in different subnets which I have created a selective auth, 2-way, external trust between, the trust passes validation without issue.

I am unable to search users in the other domain with the GUI, but they can be added fine from the command line (dsacls, and also net localgroup). Using the CLI in Domain-Z, I set 'allowed to authenticate' on a computer object, and also added the user from Domain-A to the Remote Desktop Users local group on a machine, and was able to RDP to it and log in as a user from Domain-A.

I can't search users in the other domain (from either side), and if I click Advanced and then Find Now in the Select box then I get this error:
'The following error prevented the display of any items: Unspecified error'

What I did to configure the trust..

  1. Setup cond. forwarders on both ends and can resolve multiple records
  2. Created trust.  Have tried creating both sides at once as well as each side separately.
  3. Try to add users to computer objects, can't find anything except command-line.

Hardware Firewall ports allowed:  (Have also allowed all traffic and disabled Windows Firewall to troubleshoot and recreated trust with it disabled)
135-U
389-T/U
53-T/U
88-T/U
445-T
3268-T
464-T/U
5000-5001 for RPC/LSA/SAM/Netlogon (set to static in registry)

I am stumped here.  What should I look at besides rebuilding these machines from scratch?


AD not working on new DC


Hello TechNet forums,

We have come across an issue we have not seen before. On a network with a single 2003 Standard DC, we installed a 2008 Standard server, ran DCPromo, and made it a Global Catalog server. We transferred the FSMO roles to the new server and shut down the 2003 DC, and none of the AD snap-ins work correctly. Namely, when we open AD Users and Computers, the snap-in freezes and never comes up. When the 2003 computer is powered on and running, all works smoothly and correctly. This is meant to be an upgrade, but with this behavior, we cannot decommission the 2003 DC.

I am not sure what else to provide you in the way of information, and I know I probably did not provide enough. Right now, we do not want to seize the roles, as the 2003 DC is the only way we can continue normal business. We have asked around our company, and none of our techs have seen this before. If you have any suggestions as to what to try, we would appreciate it.

Oh, one thing we did do already was to DCPromo the 2008 server back to a member server and DCPromo it back up.  This did not change the behavior. 

Thank you in advance for all your wise wisdom. 

Protect password hash when delegating user management rights.

We want to implement a user management policy that protects the password hashes of Active Directory user accounts. As such, we want to grant our account administrators rights to those OUs that they should have access to. Is it necessary to grant each specific field in Active Directory specifically, or is it OK to use GA and GRGW to grant these users the rights they need? For example:

    dsacls <TargetOU> /I:S /T <AdminGroup>:CC;user;
    dsacls <TargetOU> /I:S /T <AdminGroup>:DC;user;
    dsacls <TargetOU> /I:S /G <AdminGroup>:GRGW;;user
    dsacls <TargetOU> /I:S /G <AdminGroup>:GA;;user

What we would like as an end result is that within a specified OU, a designated group could modify any field, create and delete users, reset passwords, but they cannot read or dump the password hash. When we just do GRGW, we notice most fields are not selected, and we don't really want to specify every individual field unless that is necessary to protect the password hash.