Channel: Directory Services forum

Possible wrong config of RODC?


Hi all,

We have a remote location with 2 RODCs. There is a link which from time to time goes down, and then people cannot log on anymore.

I thought that putting a RODC there and adding the computers and users to the "Allowed RODC Password Replication Group" would be enough. However, this doesn't work.

The architecture is like this:

-- writable DCs in the headquarter

-- RODCs in the remote site

-- the remote site has its own Internet connection, without any proxy.

-- the name resolution for the Internet (www.google.com, etc.) and for internal resources is done via the RODCs, which pass the requests to the HQ-based DCs

-- because the Internet names are also resolved by the RODCs, when the link is down ==> no Internet access :-(

So, my questions are:

-- how could I modify the current environment to allow people to browse the Internet when the link is down and there is no name resolution?

-- what else shall I do to allow people to log on using AD credentials when the link is down?

Thanks for any suggestion,
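A check worth running before changing anything, added here as an example and not part of the original post: membership in the "Allowed RODC Password Replication Group" only permits caching. A secret is actually cached when the account authenticates through the RODC (or is pre-populated), and a logon at the remote site needs both the user's and the workstation's secrets cached. This PowerShell, which assumes the RSAT ActiveDirectory module and uses a placeholder RODC name, lists accounts that have authenticated through the RODC but whose secrets it does not hold; those are the ones that will fail when the link is down.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and an RODC name; 'RODC01' is a placeholder.
Import-Module ActiveDirectory

$rodc = 'RODC01'   # placeholder: the remote-site RODC

# Accounts whose secrets are currently cached on the RODC
$cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

# Accounts that have authenticated through the RODC (forwarded to a writable DC)
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts

# Authenticated but not cached: these users and computers will fail to log on
# when the WAN link is down, usually because the PRP does not allow them.
$notCached = $authenticated | Where-Object { $_.DistinguishedName -notin $cached.DistinguishedName }
$notCached | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# Pre-populate one account's secret instead of waiting for its next logon.
# The account must already be allowed by the PRP; the DN and hub DC are placeholders.
# Sync-ADObject -Object 'CN=Jane Doe,OU=RemoteSite,DC=example,DC=com' -Source 'DC01' -Destination $rodc -PasswordOnly
```

Run it from a machine with RSAT while the link is up; computer accounts appear in the output with ObjectClass "computer", and a workstation missing from the cached list blocks every logon at that workstation regardless of the user.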


GPO IE cannot remove automatically detect settings


I've created local group policies and also top-level group policies for two servers in a Terminal Server farm, with inheritance blocked so that only this GPO would apply.

Still, no matter what I do, including registry entries, it will not uncheck the box. I've got the option dimmed so that users can't change it, but they will still be able to browse to other sites because I cannot remove this check box.

This post which was similar also did not work...

User Configuration \ Policies \ Windows Settings \ Internet Explorer Maintenance \ Connection \ Automatic Browser Configuration \uncheck “Automatically detect configuration settings”

Any way to remove this check box? Perhaps I should only use the local machine GPO?

I've also tried some registry settings and nothing seems to remove it.

I have an attachment but Microsoft will not let me attach it unless they verify my account..

Monitor kerberos authentication request to AD (KDC)


Hi, I have a KDC (domain controller) through which many applications authenticate via Kerberos. I have a requirement to monitor the number of concurrent KDC connections to the DC.

The Security logs are huge and it's impossible to get data from them. Does anyone know any commands or tools to monitor the connections?

Thanks,

Karthik


Thanks, Karthikeyan R
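Kerberos is request/response over UDP or TCP, so the KDC keeps no per-client connections; what can be measured is the rate of ticket requests. An added example, not from the original post: the PowerShell below counts AS (4768) and TGS (4769) requests on one DC over a short window and groups them by client address. It needs the Kerberos Authentication Service and Kerberos Service Ticket Operations audit subcategories enabled; the DC name and window length are placeholders.

```powershell
# Added example (not from the original post). Counts Kerberos ticket requests
# on one DC; 'DC01' and the 5-minute window are placeholders.
$dc      = 'DC01'
$minutes = 5

# The filter is applied by the event log service, not client-side,
# so this is workable even on a very large Security log.
$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4768, 4769
    StartTime = (Get-Date).AddMinutes(-$minutes)
} -ErrorAction SilentlyContinue

# Client address, account and service live in the event's EventData block
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id                  # 4768 = TGT (AS), 4769 = service ticket (TGS)
        Client  = $data['IpAddress']
        Account = $data['TargetUserName']
        Service = $data['ServiceName']
    }
}

# Requests per client address in the window, busiest first
$rows | Group-Object Client | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Requests per service name: shows which application SPNs drive the TGS load
$rows | Where-Object Id -eq 4769 | Group-Object Service | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 | Format-Table -AutoSize

# Average request rate, a rough proxy for KDC load
"{0:N1} ticket requests/sec over the last {1} minutes" -f ($rows.Count / ($minutes * 60)), $minutes
```

For a continuous view without touching the Security log at all, the Security System-Wide Statistics performance object on the DC exposes the counters KDC AS Requests and KDC TGS Requests, which can be sampled with Get-Counter or Performance Monitor.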

Active Directory Logins

Hello All-

I need to track my daily logins in AD. I need to be able to print out the user logins for the day for security reasons. Can I use dsquery and direct it to a text file or something? Thanks for your help.

How to Display Last Login Date And Time

I am looking for information about how to display the last login date and time with ActiveDirectoryMembershipProvider. I know LastLoginDate or LastActivityDate is not supported by ActiveDirectoryMembershipProvider.

Any solution?

AD LDAP Connection


As of this morning all was fine, but after some time I could not open Active Directory Users and Computers; I get the following error. I have 4 domain controllers running Windows Server 2008 R2. One of the two servers at the main office is having this error; the other two, which are functional, are in two different remote offices.

"Naming information cannot be located because:
The network path was not found.
Contact your system administrator to verify that your domain is properly configured and is currently online."

On seeing this I ran a DcDiag command as below:

C:\>DcDiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = XXXXXXXX
   [XXXXXXX] LDAP connection failed with error 0,
   The operation completed successfully..
   [XXXXXXX] Unrecoverable LDAP Error 89:

thanks in advance


rokello

Giving mailbox rights - Server 2008 R2

We recently migrated AD from 2003 to 2008 R2. In 2003 ADU&C you could provide mailbox rights to another user via the Exchange Advanced tab. This tab no longer exists in 2008 R2; is there a way to do this?

Hank Vare

DCs over VPN


Hi:

We have two buildings that we are connecting over VPN (site-to-site) with Cisco ASA 5510s. Both sides have a Comcast Business connection and static IPs. Site A has our two DCs and Site B is where several users are moving, as well as some printers that previously existed in Site A.

Site A is on the 192.168.1.x/24 Subnet and Site B is on the 192.168.2.x/24 Subnet.

The few printers are currently addressed on the Site A subnet but reside in Site B, and several client machines are now located at Site B and will need to authenticate and access files from servers at Site A.

What do we need to do to allow authentication from clients in Site B to happen on DCs located in Site A? Or do we need to add a DC on the same domain at Site B and share the few printers there?

Please help me understand what all I need to do to make this happen.

Thank you,

Stangride


GPO setting changed but it won't show up in GPresults even after replication to DC's was forced


Hello,

I have a very odd situation. 

I have a Terminal Server policy that is in place and has been for years; well, some select users want to be able to change the screen font size while some don't need it. So I created a global security group with the 4 TS servers in the group and the users that needed the GPO setting changed. I added this security group to a GPO (font size DPI 150%, as seen below), checked the Apply setting with an Allow, unchecked the Authenticated Users group for the Apply setting and hit Apply.

Now under the scope of the GPO I added the 4 TS servers, i.e. (PCGTS1$), and the users that need the object on top of the security group that was delegated the permission in the paragraph above... -- see picture below...

Now my problem is this....

Our TS servers are in their own OU and our users (that need this are in the Executive OU, as seen below) are in an OU which is in the same parent OU as the TS servers, as shown in the picture. I'm pretty sure the users and computers need to be in the same OU for the GPO to work, so I'm adding the GPO to the top of the OU in the picture called 'President Container'.

Now my problem is this: I ran a GPresult on one of our TS servers after performing a gpupdate /force command on one of the executives added to the global security group, but even after forcing replication to the other 5 DCs the bloody GPO isn't even being processed. I've waited 3 hours but still nothing. Now it's only a user setting so I shouldn't have a need to restart the computer; also the computer config is disabled since it's only a user setting change. Anyone ever run into this issue?

AD Nested Groups not always receiving permissions

We have multiple domains in our forest. We use Universal Security Groups for our department names, and Universal Security Groups for job titles. Within the job titles group is where we list the individual users.

Every once in a while, we will have an instance where a user is a member of their job title Universal Security Group, which is a member of their departmental Universal Group, but cannot access a share, even though that departmental Universal Group has the correct permissions assigned on the share. Furthermore, another member in that same job title group can access the share.

The only fix that I have found thus far is to add the user directly to the share's permission.

Has anyone come across this before? Like I said, it only happens every so often, but I have yet to find an explanation for it.

Thanks

Domain Name


Hello Everyone,

I have a domain that is already in use, but the only challenge is that it's a one-name domain, i.e. Contoso. This forces me to run some registry entries on XP machines in order to join the one-name domain. From experience, if I had it as Contoso.com I would have no issues.

  1. Will it be OK to continue with this setup? What are some other challenges that I might face while working with this? I would like to deploy new systems like Configuration Manager 2012 and others in the System Center suite. My worry is whether I would have issues before the rename or after the rename.
  2. Help with some considerations to have in mind before the domain rename to Contoso.com. I don't have Exchange in my environment, which I understand could be a major issue.
  3. Help with some good material/documentation that will help me accomplish this without major impact to my users.

My DC is running Server 2008 R2 but the forest is still 2000


Meshack



Delete Trusted relationship between domains


Hi guys,

So I am creating a trusted relationship between a Windows 2003/2008 domain and a Windows 2012 domain as part of a migration process. When I clicked on Domains and Trusts I found a trusted relationship with a domainX.local which happens to be the name I called my new domain. It is believed that this trust is no longer in use; at least if I ping DomainX.local from the server it does not respond.

Can I just delete DomainX.local from the trusted relationships and create the new trusted relationship, or should I rebuild the new domain? (Not too hard, only 1 DC in that domain.)

Also, is there any problem with creating the trusted relationship between a Windows 2003 domain and a Windows 2012 domain?

Thanks for your advice.

Craig


Set Replication to Happen More Frequently Than Every 15 Minutes

In Active Directory Sites and Services, the UI limits synchronization between sites for site links to every 15 minutes at a minimum. We have it set that low, and we have determined that we could potentially handle replication over the site links occurring more frequently. Our topology is hub and spoke with close to 50 remote locations, and the replication over the site links is just between the remote locations and the main hub. We have plenty of bandwidth and resources to compensate if it is possible to replicate more frequently. Also, we are running 2008 R2 for our DCs (forest and domain functional level 2008 R2). Also, what are some other ideas to increase efficiency with replication? Isn't there at least an attribute option to set that makes it so replication partners are notified of changes as they occur, as opposed to notifying upon the replication schedule, so replication at least happens immediately when the interval occurs? Hopefully I'm not talking gibberish. Thank you in advance for your time!
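An added example, not from the original post, that assumes the RSAT ActiveDirectory module and uses a placeholder site link name. The attribute asked about is options on the siteLink object: bit 1 (USE_NOTIFY) turns on inter-site change notification, so the bridgehead partners are told when a change is committed instead of waiting for the next replInterval slot. The script reads the current interval and options of every IP site link and then enables notification on one link.

```powershell
# Added example (not from the original post). Reads site link replication
# settings and enables change notification on one link. 'HUB-SPOKE01' is a placeholder.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

# Current interval (minutes) and option bits for all IP site links.
# options: 1 = USE_NOTIFY, 2 = TWOWAY_SYNC, 4 = DISABLE_COMPRESSION
Get-ADObject -SearchBase $base -Filter 'objectClass -eq "siteLink"' -Properties replInterval, options |
    Select-Object Name, replInterval,
        @{ n = 'Options'; e = { if ($_.options) { $_.options } else { 0 } } },
        @{ n = 'Notify';  e = { ($_.options -band 1) -eq 1 } } |
    Format-Table -AutoSize

# Enable change notification on a single link without disturbing the other bits.
$linkName = 'HUB-SPOKE01'   # placeholder
$link     = Get-ADObject -SearchBase $base -Filter "name -eq '$linkName'" -Properties options
$current  = if ($link.options) { [int]$link.options } else { 0 }

if (($current -band 1) -eq 0) {
    Set-ADObject -Identity $link.DistinguishedName -Replace @{ options = ($current -bor 1) }
    "Change notification enabled on $linkName"
} else {
    "Change notification already enabled on $linkName"
}
```

Notification removes the interval wait for committed changes while the schedule stays in place as a fallback. With close to 50 spokes, the hub bridgehead then sends to each spoke on every change, so it is worth watching the hub's outbound replication counters and the DS RPC traffic after enabling it rather than assuming the spare bandwidth covers it.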

Event ID 1046 followed by event id 1049

I installed Windows Server 2008 R2 on this computer many times before with the same domain name. But lately, every time I try to reinstall the server and configure AD DS followed by DNS and DHCP, I get an error saying "The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain domain, has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this: This machine is part of a directory service enterprise and is not authorized in the same domain. (See help on the DHCP Service Management Tool for additional information).

This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized." which is event ID 1046, and my DHCP and Active Directory don't seem to be working with each other. I am new to working with the server. Could anyone help me find a step-by-step procedure for the following problem?

PKI 2012 R - How to Get Security Certificate via Autoenrollment from the CA in the Local Site?


Hello All,

  1. There are 2 Active Directory sites in 1 domain.
  2. Site1 contains DC1 (domain controller), RootCA (enterprise root CA), SubCA1 (enterprise subordinate CA - issuing) and W701, a Windows 7 laptop.
  3. Site2 contains SubCA2 (enterprise subordinate CA - issuing) and W702, a Windows 7 laptop.
  4. SubCA1 and SubCA2 have the identically configured template which should be issued to W701 and W702, respectively.

Question: how to configure the PKI and GPO infrastructure in order to enable certificate autoenrollment so that W701 would have SubCA1 (the CA in W701's local site) as the preferred source of the certificate and SubCA2 as a backup source of the certificate. W701 should be able to obtain the certificate from SubCA2 if SubCA1 is unavailable. And vice versa: W702 should have SubCA2 (the CA in W702's local site) as the preferred source of the certificate and SubCA1 as a backup source of the certificate. W702 should be able to obtain the certificate from SubCA1 if SubCA2 is unavailable.

Thank you very much in advance!


MetaData Cleanup - Remove Domain Implications


Morning All,

I am working on a customer's environment and after an AD health check, it is obvious they have tombstoned domain controllers from a sub-domain that shut down back in Jan (well over the 60 days). This is a single forest 'forest.local', with two subdomains, domain1.forest.local and domain2.forest.local.

Domain2.forest.local had two domain controllers that have been shut down (and VMs deleted), without performing a demotion. The forest & domains are at 2008 R2 functional level. My recommendation for this is to run a metadata clean-up to remove the domain and its corresponding domain controllers. I do have a few questions that I hope you guys can answer before we go ahead.

1) Will the ntdsutil remove domain function remove the domain controllers associated with the domain as well? Or will I need to remove the domain controllers first?

2) I will be performing a System State backup on all FSMO role holders within the environment. Will I need to back up all domain controllers?

3) What is the usual success rate of a metadata cleanup? And what kind of things can go wrong?

4) In the event of a failure, would this process make sense for a restore?
a) Restore forest.local domain controllers using Authoritative Restore from DSRM

b) Restore domain1.forest.local using Authoritative restore from DSRM

Thanks in advance,

Paul



Kind Regards, Paul Sanders | MCSE PC | MCITP EA, VA | MCTS SCCM/SCOM | My Blog: http://tameyourcloud.com

"The home folder could not be created because the network name cannot be found" error in AD users and computers


Our home folders are stored on a non-Windows NAS device, and with Windows XP and 2003 we have always got the above error when creating or modifying users' home folders, even when the shares were already created and being used.

However, this was never really a big issue as the error that popped up was really for information and finished with a "we've modified the user properties anyway, please create the share manually" type message.

Unfortunately, now we are moving to Windows 7 and 2008 R2, this last part of the message is missing and it won't accept the correct value.

This issue may be in the way that the NAS device shares the folder, as only the username that matches the folder name can access the share. This behaviour can't be modified.

Is there a way to get Windows 7/2008 R2 AD Users and Computers to behave the same way that Windows XP/2003 does, i.e. not try to create the share, just set the value in the user properties?

The AD is still at 2003 level and we can still use Windows XP/2003 clients to make the changes but this is a bit of a limitation.


Transitive trust between a Server 2003 forest and a Server 2012 R2 forest: is it possible at all?

Hi all,
Can anyone verify/tell me if it's possible to create a transitive trust between a Server 2003 forest and a Server 2012 R2 forest?
We're having some issues/problems and can only create a one-way external trust (from 2003 forest -> 2012 R2 forest). I have searched the Internet and I've read that it is possible between 2003 forest level and 2012 forest level. But nothing found on creating a transitive trust between 2003 and 2012 R2. Thanks.

warning "last DNS server for integrated zone" when demoting a physical DC


Hi,

We're demoting a physical domain controller, and receive an error stating that one of the zones (AD-integrated) will be removed.
This zone is, however, successfully replicating to other DCs.

the active directory domain controller seems to be the last DNS server for the following AD integrated zones ;

zonename

if you demote this DC you may be unable to resolve any DNS names in these zones.

Any idea what may be causing this? We have no issue for the other AD integrated zones.

Excessive 4624 and 4634 events



Windows Server 2012 AD DC, users on Windows 7 SP1 x64 are logging in (~800 or so users). A small percentage of them are generating 300-400 logon events in the Security log - *per second*. 

Most other users are not generating excessive logon events... this is filling our security log quite fast. 

P.S. I suspect this happened after Logon and Logoff event auditing was configured in the Advanced Audit Policy Configuration (Success and Failure). Still, most users do not generate that many logon events when logging in.

Some incompetent moderator is marking all similar questions as answered even though they are NOT. So I am reposting - yet again - and let's hope this time the mods will hold their horses until the reason and a solution is actually found. 
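An added example, not from either original post, that serves both the daily login report asked for in "Active Directory Logins" above and the noisy-account hunt in this post. It assumes a DC name and an output path as placeholders, pulls one day's 4624 (logon) and 4634 (logoff) events from that DC, writes the logon list to a text file, and then groups the events to show which accounts and logon types produce the volume. One caveat that applies to both uses: a DC's Security log holds only logons to that DC itself (mostly network logons, type 3), so a user's interactive logon at a workstation is recorded on the workstation, not on the DC; a domain-wide daily login list needs the Kerberos (4768) or NTLM (4776) authentication events collected from every DC.

```powershell
# Added example (not from the original posts). 'DC01' and the report path are placeholders.
$dc  = 'DC01'
$day = (Get-Date).Date          # midnight today; set to any date to report that day
$out = "C:\Reports\logons-$($day.ToString('yyyyMMdd')).txt"

# Server-side filter on ID and time window keeps this usable on a large log
$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4634
    StartTime = $day
    EndTime   = $day.AddDays(1)
} -ErrorAction SilentlyContinue

# Account, logon type and (for 4624) source address come from EventData
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id                 # 4624 = logon, 4634 = logoff
        Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType = $data['LogonType']    # 2 interactive, 3 network, 10 RDP, ...
        Source    = $data['IpAddress']    # 4624 only; empty on 4634
    }
}

# 1) Daily login list: one line per 4624, in time order, written to the report file
$rows | Where-Object Id -eq 4624 | Sort-Object Time |
    Format-Table Time, Account, LogonType, Source -AutoSize |
    Out-File -FilePath $out -Width 200
"Wrote $(($rows | Where-Object Id -eq 4624).Count) logon events to $out"

# 2) Noisy accounts: event count per account and logon type, highest first.
#    Bursts of type 3 from one account are usually an application, service or
#    mapped-drive reconnect loop rather than a person logging in.
$rows | Group-Object Account, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 | Format-Table -AutoSize

# 3) Peak per-second rate for any one account, to put a number on "hundreds per second"
$rows | Group-Object { $_.Account + ' @ ' + $_.Time.ToString('yyyy-MM-dd HH:mm:ss') } |
    Sort-Object Count -Descending | Select-Object Count, Name -First 5 | Format-Table -AutoSize
```

The Source column of the top groups in step 2 points at the machine generating the loop; checking that machine's own Security log and its services or scheduled tasks running under the noisy account is the next step.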
