Channel: Directory Services forum
Viewing all 31638 articles

Administer untrusted domain


I'm trying to administer users in an untrusted domain from my PC.

I use the below CMD line and I'm able to get ADUC running. Doing some tasks in ADUC gives me the error "The specified domain either does not exist or could not be contacted."

C:\Windows\System32\runas.exe /netonly /user:UntrustedDomain\user "mmc dsa.msc /server=1.1.1.1"



DFS Health Report = inconsistent configuration detected (conflict)


Hello all and as always thanks for your time and expertise.

Scenario: I ran the DFS Health report today to check on replication and I received the following error message for two DCs:

Inconsistent configuration detected (conflict).

Affected replicated folders:

All replicated folders on this server.
Description: The DFS Replication service detected a conflict between two or more
nTDSConnection objects while polling Active Directory Domain Services for
configuration information. The conflict detected on
CN=b707b5f7-3c2c-491e-b7ee-537963299830,CN=NTDS
Settings,CN=blank,CN=Servers,CN=blank,CN=Sites,CN=Configuration,DC=blank,DC=net,
CN=1ea58ceb-8ed7-424f-b817-d215d449d45a,CN=NTDS
Settings,CN=blank,CN=Servers,CN=blank,CN=Sites,CN=Configuration,DC=blank,DC=net
was resolved by using CN=0f47025f-34fa-406a-a7f9-6630aadb4dd5,CN=NTDS
Settings,CN=blank,CN=Servers,CN=blank,CN=Sites,CN=Configuration,DC=blank,DC=net.
Event ID: 6004

Friday, February 21, 2014 at 2:19:05 AM (GMT-5:00)

I obviously blanked out the private information. That said, I checked ADSI Edit and I see the multiple entries for the affected DCs as well as the entries being resolved for these DCs. Should I just delete all of the duplicate entries in ADSI Edit except the entry being resolved, or is this fix more involved? Anyway, I would greatly appreciate your help and recommendations. Thanks.

Should I be concerned about these old 13508 logs?


We have several different sites with mixed Windows 2003 and Windows 2008 DCs.
Some DCs got event 13508 but no event 13509 almost one month ago. Now there is
no event 13508 in the current log (after 1/15/2014).

But when I ran FRS diag, it still shows failed with one error.

Should I be concerned about these 13508 events in the FRS logs
(older than one month) on some domain controllers?

Thank you!

What is the proper path syntax for the home folder for users?


I'm taking over for someone who has left the organization.

They have used two methods for setting up a home folder for each AD user. I think they did this because over time they learned some things and just changed the way they did things. I'm not sure, but I'm trying to understand which is best to use going forward.

We use a 2003 and 2008 R2 environment for AD.


We have a folder on our server called D:\userfiles

In this folder we have each department with a folder eg.

D:\userfiles\hr

D:\userfiles\accting

D:\userfiles\department1

etc.

When we set up a user in AD we click on the Profile tab and then select H: as the "Home Folder" and then in the To box enter one of two paths.

My question is which path is best. They both seem to work.

The one with the $ at the end I think creates a share in the shared folder when you look at shared folders in the computer management on the server for that user.

Anyway, I'm not really sure which to use or what the difference is. I would like to use one or the other.

We also have a script that is run when people log on, but I'm unclear if that is just a red herring in this discussion.

Thanks.

Enterprise PKI times out and stops


Hi,

After I renewed the root CA certificate and published the CRT and CRL to the AD containers, when I open the Enterprise PKI MMC on a domain computer (such as the issuing CA), Enterprise PKI spins for a while and then stops.

Application event ID 1000

Faulting application name: mmc.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc808
Faulting module name: pkiview.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c95f
Exception code: 0xc0000005
Fault offset: 0x00000000000356d9
Faulting process id: 0x850
Faulting application start time: 0x01cf2f2365d59908
Faulting application path: C:\Windows\system32\mmc.exe
Faulting module path: C:\Windows\system32\pkiview.dll
Report Id: c14df7c4-9b16-11e3-8648-00155d61630b

Could you indicate what the cause and solution are? Thanks.

Demote 2003 server in new 2012 R2 domain


We recently added a Windows 2012 R2 server as a DC in an existing 2003 domain. We have transferred all the FSMO roles to the new 2012 server. We are trying to demote the 2003 server with DCPROMO but get the error "A domain controller could not be contacted for the domain xxxxxxxxx that contained an account for this computer. The specified domain either does not exist or could not be contacted."

How do I demote and remove the old 2003 server/DC?

Need to decommission a Windows 2003 server....


I have a Windows 2003 DC with all the FSMO roles. It was the first DC of the domain.

I also have 3 other DCs that are Windows 2008 R2.

All of the DCs are global catalogs.

DHCP Server is running on the Windows 2003 DC.

All of the DCs run DNS Server but a majority of the PCs in the network point to the Windows 2003 DC for DNS resolution.

1) What do I need to do to get rid of the Windows 2003 DC cleanly and efficiently? Is there a certain order of steps?

2) How should I split the FSMO roles between the remaining 3 Windows 2008 R2 DCs?

3) I want to split the DHCP between the 3 DCs.  Should I copy the DHCP database from the Windows 2003 DC and import it?  Or should I recreate 3 non-overlapping scopes?

What are the downsides of a UPN named differently than the SamAccountName for a User object?


Hello, should the Username, or Logon Name, of a UPN be the same as the SamAccountName for any specific reasons? It seems that if the UserName/Logon Name is something other than the SamAccountName, when logging on, the SamAccountName is really the account which logs on. I'm just wondering what the pros/cons are of the Username/Logon Name being different than the SamAccountName in the domain.


Thanks for your help! SdeDot


ADUC last login date


Is there anywhere in AD Users and Computers to get an accurate last login date for all user accounts? My understanding was that the "last logon" from net user username /domain can be misleading, as it can represent the last login against a specific DC and not necessarily the domain. Not sure if ADUC correlates all DCs?
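The poster's understanding is right: lastLogon is stored per DC and never replicated, while lastLogonTimestamp is replicated but only refreshed when it is more than 14 days stale. As an added example (not code from the original post), this PowerShell script queries every DC for lastLogon and keeps the most recent value per user next to the replicated lastLogonTimestamp; it assumes the ActiveDirectory RSAT module and read access to all DCs.

```powershell
# Added example, not from the forum post. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$dcs    = Get-ADDomainController -Filter *   # every DC in the current domain
$latest = @{}                                # sAMAccountName -> newest lastLogon (FILETIME int64)

foreach ($dc in $dcs) {
    try {
        # lastLogon is local to each DC, so each DC must be asked directly (-Server).
        Get-ADUser -Filter * -Server $dc.HostName -Properties lastLogon |
            ForEach-Object {
                $ll  = [int64]$_.lastLogon
                $sam = $_.SamAccountName
                if (-not $latest.ContainsKey($sam) -or $ll -gt $latest[$sam]) {
                    $latest[$sam] = $ll
                }
            }
    } catch {
        # An unreachable DC only makes the result less complete; do not abort the whole run.
        Write-Warning "Could not query $($dc.HostName): $_"
    }
}

# Pair the per-user maximum with lastLogonTimestamp (replicated, but up to 14 days stale).
Get-ADUser -Filter * -Properties lastLogonTimestamp |
    Select-Object SamAccountName,
        @{ n = 'LastLogonAllDCs'
           e = { if ($latest[$_.SamAccountName]) { [DateTime]::FromFileTime($latest[$_.SamAccountName]) } } },
        @{ n = 'LastLogonTimestamp'
           e = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } } } |
    Sort-Object LastLogonAllDCs -Descending |
    Format-Table -AutoSize
```

A user with an empty LastLogonAllDCs column has never authenticated interactively against any reachable DC, which is the set of accounts worth reviewing for disablement.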

DNS servers configuration after AD/DC replication.


Good day all.

I understand that this issue might have been repeated several times in the previous posts/questions but nevertheless I feel the need to explain the situation I have thoroughly in order to have the right answer.

In our company, we have a W2k3 DC that has a DNS server installed with it. All clients (who happen to have a static IP, subnet, gateway and DNS) use this DC for internal DNS resolution. The hardware on this DC is getting old and we are planning to use it to run an application that acts as a middleware between the machines that we have and our information system.

In order to achieve this goal, I suggested that we buy new hardware and perform replication of AD. According to my understanding of such a procedure, I know that we have to "upgrade" the forest that the w2k3 holds to be compatible with w2k8 and after that we can perform DCPROMO, etc.

My question is: What happens to the DNS server on the old DC after I successfully perform the replication of AD on the new hardware and demote the old DC? It seems to me that I should keep the DNS server there running in order to prevent the action of manually changing the IP settings for all clients in the network.

My other question is: Should I create a replica for the DNS server as well?

I appreciate the efforts made on TechNet and thank you for your time.

Nadim.

Running ADPREP on Windows Server 2012


Dear All,

I'm a little confused about how adprep needs to be run. According to this article, http://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx#BKMK_WS2012, the adprep command needs to be run on the schema master of the forest before introducing a newer version of a domain controller to the forest. At the same time it also says that adprep is automatically invoked when you install and introduce a Windows Server 2012 domain controller into an existing forest. Since the new Windows Server 2012 server is not the schema master for the forest, how can it be possible to run?

Thanks,

Shashi.

AD server crashed and didn't demote but removed the AD role but it is still seen as the PDC


My domain controller crashed. I then removed the AD role without demoting it and built another server, with the hope that the backup domain controller would be automatically promoted to be the primary domain controller. The Active Directory schema still exists and it doesn't replicate with the other domain controllers.

If this server is not switched, there are other users who cannot log on, and when I run sekcheck it still sees the server as the DC and shows the policies on it and not on the server that I think is now the domain controller. What do I need to do?

Built-in domain level groups don't have the permissions on the domain they should on 2012


Hello,

First this is a brand new domain environment with everything running server 2012 datacenter edition.

Second, I've never seen anything like the following occur in a domain environment. What I have is what appears to be a bad 2012 AD structure; however, so far all AD tests come back good. The problem is the built-in domain level groups do NOT offer any level of access that they should. For example, if I add a user to the Administrators group, they don't have any permissions that group is supposed to have. The same with every other built-in group: Backup Operators, Server Operators, Account Operators and so on. The only way a user gets that level of access is if I add them to the Domain Admins group. As you can imagine this is crazy and not a solution for my help desk crew (having them all be domain admins, that is). So while I could very well use delegation, I need to find out why my built-in groups don't function as they should. Anyone have any ideas on what to check or where to look? I'm at the point of opening a case with Microsoft on this.

Thanks in advance

Active Directory error message "the following object is not from a domain listed in the Select location"


Hello Community,

"forestA" is my forest. It is a Windows 2008 Server Enterprise Edition domain controller using Active Directory and the UI.

In my forest ("forestA") trust relationship I created a "One-Way, Outgoing" forest trust with forest-wide authentication so that a different forest's user(s) or group(s), with a different admin, in a forest named "forestB" can access the resources in my "forestA".

But also forestB needs to create a "One-way, Incoming" forest trust so that I can either add the user(s) or group(s) from "forestB" into a "Global Security Group" in my "forestA", or I can add user(s) as "domain user(s)" from "forestB" into my "forestA".

The problem is that when I right click the global group in my forestA and then Properties, when I click "Members" and then the "Add" button, when I type "forestB\username" I get an error message from Active Directory stating:

"the following object is not from a domain listed in the Select location dialog box, and is therefore not valid: forestB\username".

Am I doing something wrong when creating the one-way trust in my "forestA", or is the one-way trust being created wrong by the other domain admin in the other "forestB"?

Or could I possibly need to select "Change Domain" or "Change Domain Controller" before adding the users or groups to my forestA from forestB?

That is why I am asking: how do you add an Active Directory user from one forest into another forest?

Thank you
Shabeaut

Trust between Old and New Domain and Password Reset


Our organization has two domains: Oceania and Global.

All the Users are getting migrated from the old Oceania to the new Global Domain.

Users use their Oceania account for Win XP and their Global account for Win 7. There are some applications which run only in the Win XP environment, and those apps require an Oceania domain ID and password, while users are logged into the new Win 7 Global domain.

A user has changed the password for the Global domain. The user can log in to Win 7, but is unable to log in to the apps which use the old Oceania domain. As usual it could take a while to replicate or synchronize.

Will the user ID lose the trust between these two domains if I reset the password for the old Oceania account, even if the user is migrated to the new Global domain?

Some said yes... But they don't have any explanation of why the trust is lost... I've reset the password for one user. If the user ID loses the trust, how can I recover?

Please help me... Thank You...


Check for manually created connection objects in Active Directory


Hi,

I need an SOP which depicts step by step how to check for manually created connection objects in Active Directory.

Thanks

Mukesh
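Both the DFSR event 6004 post above (conflicting nTDSConnection objects) and this SOP request come down to enumerating the connection objects in the Configuration partition. As an added example (not code from either poster), this PowerShell script lists every nTDSConnection object, flags the ones the KCC did not generate (the NTDSCONN_OPT_IS_GENERATED bit, 0x1, of the options attribute is clear) and flags duplicate connections between the same pair of DCs; it assumes the ActiveDirectory RSAT module and read access to the Configuration naming context.

```powershell
# Added example, not from the forum posts. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$configNC     = (Get-ADRootDSE).configurationNamingContext
$IS_GENERATED = 0x1   # NTDSCONN_OPT_IS_GENERATED: set on connections the KCC created

$connections = Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=nTDSConnection)' `
        -Properties options, fromServer, whenCreated |
    ForEach-Object {
        # The parent of a connection object is the "NTDS Settings" object of the destination DC;
        # fromServer holds the "NTDS Settings" DN of the source DC.
        $toServer = ($_.DistinguishedName -split ',', 2)[1]
        $opts     = [int]$_.options   # an unset options attribute counts as 0 (never KCC-generated)
        [PSCustomObject]@{
            Name        = $_.Name
            ToServer    = $toServer
            FromServer  = $_.fromServer
            Options     = $opts
            Manual      = (($opts -band $IS_GENERATED) -eq 0)
            WhenCreated = $_.whenCreated
        }
    }

Write-Host 'Manually created (non-KCC) connection objects:'
$connections | Where-Object Manual |
    Format-Table Name, ToServer, FromServer, WhenCreated -AutoSize

Write-Host 'Duplicate connections (same source and destination DC):'
$connections | Group-Object ToServer, FromServer | Where-Object Count -gt 1 |
    ForEach-Object { $_.Group } |
    Format-Table Name, ToServer, FromServer, Options, WhenCreated -AutoSize
```

The duplicate listing shows exactly which objects the 6004 event is reporting; which of them to keep is still a decision to make against the site topology, not something to automate.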

Can't authenticate against secondary domain controller


Hi,

I have 2 domain controllers which share operations. The secondary DC handles authentication; however, I can't authenticate against it unless the PDC is online, or has been online while the secondary DC is

I've transferred all the FSMOs to the secondary DC to make it operations master, which hasn't made a difference.

How do I authenticate against this second DC without the PDC being online?

Thanks

Windows Server 2008 R2 Service Pack 1 giving black screen after DCPROMO


Installed Windows Server 2008 R2 and updated with all updates and Service Pack 1.

Ran DCPROMO successfully and restarted.

The machine took a long time to load and finally gave a black screen with just a mouse cursor. Cannot boot in safe mode.

Tried the above process 3 times same issue.

Please help.

ADFS and 'unable to authenticate' errors


Hi All,

Is it possible to have the IdP return an error via a webpage to the end user in the event they cannot authenticate or have incorrect group memberships for accessing a service provider?

Case A

User is not allowed access to the resource, so is given an error saying "you cannot use the following service".

Case B

User is in group A, which has limited access to the resource, but not group B, which has enhanced access. Can it say "you are a member of group A" as a message?

The question comes because of setting this system up for global enterprises and it helps ticket logging for the global helpdesk for the different services (access issue rather than service issue).

Cheers,

-M

2012 Virtual Machine Black Screens Whenever Promoting to Domain Controller


I have a brand new 2012 cluster with 2 hyper-v host nodes running Server 2012 (not R2). I have successfully spun up several virtual machines from templates via VMM 2012R2. 

I added the AD DS role today to my DC01 server running Server 2012 (not R2). Then I promoted it to a domain controller. When it came back up I got the login screen as normal and logged in. Upon login I only see a black screen. I can press Ctrl-Alt-Del and get the typical menu, but only logout responds. Everything else, such as Task Manager, just goes back to the black screen. Connecting via remote eventvwr and checking logs and events shows the DCPROMO was successful; I can verify replication to other DCs etc. I don't see any problems with this server other than I can't see it after login. RDPing in provides the black screen as well. I am able to log in via safe mode and can see the desktop, but am not sure how to troubleshoot from there. I verified that integration services were the latest and greatest before I promo'd.

I de-promo'd it via server manager on another server 2012 server, then removed the roles and deleted it. I just created a new server and did the same process, only used a remote server manager for DCpromo this time. After reboot I have the identical issue with a black screen.

Can anyone help?

Peter
