Channel: Directory Services forum

Remove old child domain


Hello

I am an administrator of a single forest with many child domains (35 to be exact).

We had a child domain, W2K3 R2 (geri.sem.com). It crashed 7 years ago, and the guy before me removed it using ntdsutil.

Now, I am trying to upgrade Forest Function level and the old child domain is giving me a hard time removing it.

Using ntdsutil, in metadata I cannot remove the domain (no site available); I get the error:
DsRemoveDsDomainW error 0x2015(The directory service can perform the requested operation only on a leaf object.).

So, I tried to remove the DomainDNSZones, in Partition management: DC=DomainDnsZones,DC=geri\0ADEL:bb7cc7ce-96f6-4a98-888c-ed139937e2ed,DC=sem,DC=com

But when I try to delete it using "delete nc" I get:
ldap_delete_ext_sW error 0x20(32 (No Such Object).

In ADSIEDIT and LDP.exe I cannot find the DNS zone anywhere. I can see DC=geri\0ADEL:bb7cc7ce-96f6-4a98-888c-ed139937e2ed,DC=sem,DC=com under partitions, but I cannot delete it; I get the same error.

I followed these steps:
• Click Start, click Run, type adsiedit.msc, and then click OK.
• Expand the Domain NC container.
• Expand DC=<Your Domain>,DC=COM.
• Expand CN=System.
• Right-click the Trust Domain object, and then click Delete.


But under CN=System, the child domain is NOT there.

I also followed this step:

I opened the Configuration Naming Context (CN=Configuration,DC=domain-name,DC=com) and expanded CN=Partitions. You'll see the crossRef objects in there; delete it.


I can see the partition CN=GERI, and I tried to delete it and got this error:

ADSIEDIT
Operation failed: Error 0x2015
The directory service can perform the requested  operation only on a leaf object.
00002015: UpdErr: DSID-03100CB8, problem 6003
(CANT_ON_LEAF_), data 0

Please help.
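The ADSI Edit walk-through in the post (Configuration NC, CN=Partitions, crossRef objects) can be done read-only from PowerShell before any delete is attempted. The script below is an added example, not code from the post or from Microsoft; it assumes the ActiveDirectory module and an account that can read the Configuration partition, and the domain name geri.sem.com is the one from the post. For each crossRef it reports whether the partition head its nCName points to still exists (deleted objects included, since the DN in the post carries the \0ADEL suffix) and how many child objects the crossRef has, which is what error 0x2015 (CANT_ON_LEAF) is complaining about.

```powershell
# Added example: read-only inventory of crossRef objects in the forest's Partitions container.
# Assumes the ActiveDirectory PowerShell module and an account that can read the Configuration NC.
Import-Module ActiveDirectory

function Get-CrossRefReport {
    param(
        # Optional filter: only report crossRefs whose dnsRoot matches this name (e.g. 'geri.sem.com' from the post).
        [string]$DnsRoot
    )
    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $partitions = "CN=Partitions,$configNC"

    $crossRefs = Get-ADObject -SearchBase $partitions -SearchScope OneLevel `
        -LDAPFilter '(objectClass=crossRef)' `
        -Properties nCName, dnsRoot, nETBIOSName, systemFlags

    foreach ($cr in $crossRefs) {
        if ($DnsRoot -and $cr.dnsRoot -ne $DnsRoot) { continue }

        # Does the naming context head still exist? A deleted head carries the \0ADEL: suffix seen in the post,
        # so look it up with deleted objects included instead of treating "not found" as the answer.
        $head = $null
        try {
            $head = Get-ADObject -Identity $cr.nCName -IncludeDeletedObjects -Properties isDeleted -ErrorAction Stop
        } catch {
            $head = $null
        }

        # 0x2015 (CANT_ON_LEAF) means the object still has children; count them so the report shows why a delete fails.
        $children = @(Get-ADObject -SearchBase $cr.DistinguishedName -SearchScope OneLevel `
                        -LDAPFilter '(objectClass=*)' -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            CrossRef    = $cr.DistinguishedName
            DnsRoot     = $cr.dnsRoot
            NetBIOSName = $cr.nETBIOSName
            NCName      = $cr.nCName
            # systemFlags bit 0x2 marks a domain NC; bit 0x1 marks any NTDS-hosted NC (e.g. DomainDnsZones).
            IsDomainNC  = [bool]($cr.systemFlags -band 0x2)
            HeadExists  = [bool]$head
            HeadDeleted = [bool]($head -and $head.isDeleted)
            ChildCount  = $children.Count
        }
    }
}

# Usage: list everything, then narrow to the orphaned child domain named in the post.
Get-CrossRefReport | Format-Table -AutoSize
Get-CrossRefReport -DnsRoot 'geri.sem.com' | Format-List
```

Run the report before touching anything: a crossRef with a non-zero ChildCount cannot be deleted until those children are dealt with, and the column shows that directly instead of leaving it to the error code. Nothing in the script writes to the directory.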


One way trust WMI issues - only on domain controllers


Hi all, 

I'm having some interesting issues attempting to set up remote monitoring via WMI from a trusted-domain service account to some remote domains in our environment. There is a one-way trust set up, and the service account has no problems with any client machines, but gets rejected when attempting to query the domain controllers.

I've verified this is an issue both in our enterprise and production environment. I assumed it had something to do with the Domain Controller Security Policy and added the account in question to the following policies to no avail:

  • Act as part of the operating system
  • Log on as a batch job
  • Log on as a service
  • Replace a process level token

Now I'm beginning to suspect it has something to do with not being able to add the service account to the "Domain Admins" group; however, I'd much rather have a solution that didn't involve giving this account admin privileges at all.

I've given the account read permissions to /root/CIMv2 via the WMI control MMC snap-in, as well as DCOM remote enable and added it to the "Distributed COM Users" and "Performance Monitor Users" groups. 

I'm fully out of ideas and my google-fu is failing. Anyone hit this before? 

How to manage DNS for non domain remote computers with static natting


We have roughly 9000 computers that are remote, non-domain-joined PCs. These 9000 computers are installed at a little over 1200 sites connected via VPN tunnels. All these sites use the same internal addressing, and they are NATted by site number. I have listed below basically how it is laid out; granted, these are made-up addresses, but they follow the same principle. We would like to add these machines into DNS, as they all have unique names and it would make them compatible with more software solutions, but adding and maintaining 9000+ machines is no small task. Is there a way to poll, say, 10.0.0.0/8 for NetBIOS names and automatically update DNS host records for these machines?

Store 1 10.1.1.0/24

   computer 1 - 1.1.1.1 natted to 10.1.1.1 - name - store1-computer1

   computer 2 - 1.1.1.2 natted to 10.1.1.2 - name - store1-computer2

Store 2 10.2.2.0/24

   computer 1 - 1.1.1.1 natted to 10.2.2.1 - name - store2-computer1

   computer 2 - 1.1.1.2 natted to 10.2.2.2 - name - store2-computer2
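Rather than sweeping 10.0.0.0/8 for NetBIOS names (which takes whatever name a host answers with at face value), the registrations can be driven from an inventory that already knows the site number, host name and NATted address. The script below is an added example, not code from the post; it assumes the DnsServer module (Windows Server 2012 or later) and an account that can write to the zone. The zone name, DNS server name and the four inventory rows are constructed placeholders in the layout the post describes, where store N maps to 10.N.N.0/24.

```powershell
# Added example: register per-site NATted hosts in DNS from an authoritative inventory, not from a NetBIOS sweep.
# Assumes the DnsServer module (Windows Server 2012+ DNS server or RSAT) and a DNS admin account.
# Zone name, DNS server name and inventory rows below are constructed placeholders.
Import-Module DnsServer

# Constructed inventory in the post's layout: site number, host number, name, NATted address.
$inventoryCsv = @'
Store,Computer,Name,NattedIP
1,1,store1-computer1,10.1.1.1
1,2,store1-computer2,10.1.1.2
2,1,store2-computer1,10.2.2.1
2,2,store2-computer2,10.2.2.2
'@
$inventory = $inventoryCsv | ConvertFrom-Csv

function Sync-StoreDnsRecords {
    param(
        [Parameter(Mandatory)] [object[]]$Inventory,
        [Parameter(Mandatory)] [string]$ZoneName,       # placeholder zone, e.g. 'stores.example.internal'
        [string]$DnsServer = 'dns01.example.internal',  # placeholder DNS server name
        [switch]$DryRun                                 # report only, write nothing
    )
    # Pull the existing A records once instead of querying per host.
    $existing = @{}
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -ComputerName $DnsServer |
        ForEach-Object { $existing[$_.HostName.ToLower()] = $_.RecordData.IPv4Address.IPAddressToString }

    foreach ($row in $Inventory) {
        # Sanity check: in the post's layout the NATted address is derived from the site number
        # (store N -> 10.N.N.0/24); reject rows that do not fit instead of registering them.
        $expectedPrefix = "10.$($row.Store).$($row.Store)."
        if (-not $row.NattedIP.StartsWith($expectedPrefix)) {
            Write-Warning "Skipping $($row.Name): $($row.NattedIP) is not in the store $($row.Store) range"
            continue
        }

        $name = $row.Name.ToLower()
        if (-not $existing.ContainsKey($name)) {
            Write-Host "ADD   $name -> $($row.NattedIP)"
            if (-not $DryRun) {
                Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $name `
                    -IPv4Address $row.NattedIP -ComputerName $DnsServer
            }
        } elseif ($existing[$name] -ne $row.NattedIP) {
            # Report drift instead of silently overwriting; a changed address should be confirmed against the inventory.
            Write-Warning "DRIFT $name is $($existing[$name]) in DNS but $($row.NattedIP) in inventory"
        }
    }
}

# First pass: report only. Drop -DryRun once the ADD/DRIFT output looks right.
Sync-StoreDnsRecords -Inventory $inventory -ZoneName 'stores.example.internal' -DryRun
```

Keeping the inventory as the source of truth means a host that changes its own name, or a rogue device answering on a site's address range, cannot create or rewrite a record; it only shows up as a DRIFT warning for someone to check.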

Child OU`s in Domain Controllers OU


Hello

Single forest and domain; two Windows 2008 R2 DCs.

I have inherited a system where the previous administrator has created sub-OUs in the default Domain Controllers OU (for WSUS purposes, don't ask :-)).

This has resulted in SYSVOL not staying in sync; we have more objects in SYSVOL on DC1 than on DC2, and the PS script "Get-DFSRBacklog.ps1" shows this:

ReplicationGroupName : Domain System Volume
ReplicatedFolderName : SYSVOL Share
SendingMember        : DC2
ReceivingMember      : LOCALHOST$
BacklogCount         : 883
FolderEnabled        : True
ConnectionEnabled    : True
Inbound              : True
BacklogStatus        : Error

ReplicationGroupName : Domain System Volume
ReplicatedFolderName : SYSVOL Share
SendingMember        : LOCALHOST
ReceivingMember      : DC2$
BacklogCount         : 866
FolderEnabled        : True
ConnectionEnabled    : True
Inbound              : False
BacklogStatus        : Error

It has been like this for over a year.

Does anyone know the implications of moving the DCs back to the default Domain Controllers OU and then deleting the sub-OUs?

Best Regards

Maddas69


Maddas69, Norway

Changing FSMO roles remotely via RDP

Is there an issue with changing FSMO roles to a new server (2003 to 2008 R2) via RDP from a remote location?

Dave Santel

DCPromo Failing to Demote Domain Controller


Hi,

We are having difficulty demoting a DC. After running dcpromo unattended, we get the following error:

active directory domain services could not transfer the remaining data in directory partition DC=ForestDnsZones, DC=xxx, DC=com to Active Directory Domain Controller \\DC2.xx.xxx.com

"The directory service is missing mandatory configuration information and is unable to determine the ownership of floating single-master operation roles...

Our Forest is set up like this:

All Functional levels 2003

Forest Root 2x Domain Controllers 2003 & 2008R2 servercore

Child domain1 2x Domain Controllers 2003 & 2008R2 servercore

Child domain2 2x Domain Controllers 2003 & 2008R2 servercore

All AD integrated

We are currently trying to demote DC2 in child domain2 (2008 servercore); DC2 holds no FSMO roles.

These are the last 2 servers left in the domain before we decommission the domain.

Child domain1 has a similar setup: DC1 is 2003 with the FSMO roles, DC2 is 2008 servercore with no FSMO roles.

The error references DC2 in child domain1, '\\DC2.xx.xxx.com' (see error above). We cannot understand why this DC is being referenced, as it holds no FSMO roles within the forest.

I am using an account with Enterprise Admin rights.

I hope you can understand from my description. Any advice would be great.

Set Replication to Happen More Frequently Than Every 15 Minutes

In Active Directory Sites and Services, the UI limits Site Link replication between sites to a minimum interval of every 15 minutes. We have it set that low, and we have determined that we could potentially handle replication on the Site Links occurring more frequently. Our topology is hub and spoke with close to 50 remote locations, and the replication on the site links is just between the remote locations and the main hub. We have plenty of bandwidth and resources to compensate, if it is possible to replicate more frequently. Also, we are running 2008 R2 for our DCs (forest and domain functional level 2008 R2).

Also, what are some other ideas to increase efficiency with replication? Isn't there at least an attribute option to set that makes it so replication partners are notified of changes as they occur, as opposed to notifying upon the replication schedule, so replication at least happens immediately when the interval occurs? Hopefully I'm not talking gibberish. Thank you in advance for your time!
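The attribute the post is asking about is the options attribute on the siteLink object: setting bit 0x1 (USE_NOTIFY) makes DCs on that link send change notifications to their inter-site partners instead of waiting for the schedule. The script below is an added example, not code from the post or from Microsoft; it assumes the ActiveDirectory module and an account allowed to modify the Configuration partition, and uses DEFAULTIPSITELINK as a placeholder site link name. It reads the current option bits and replInterval, and sets USE_NOTIFY without disturbing the other bits.

```powershell
# Added example: report and enable inter-site change notification on a site link.
# Assumes the ActiveDirectory module and an Enterprise Admin account; the site link name is a placeholder.
Import-Module ActiveDirectory

# Option bits on the siteLink object's "options" attribute.
$USE_NOTIFY          = 0x1   # partners are notified of changes instead of waiting for the schedule
$TWOWAY_SYNC         = 0x2
$DISABLE_COMPRESSION = 0x4

function Get-SiteLinkDN {
    param([Parameter(Mandatory)] [string]$SiteLinkName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    "CN=$SiteLinkName,CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
}

function Get-SiteLinkOptions {
    param([Parameter(Mandatory)] [string]$SiteLinkName)
    $link = Get-ADObject -Identity (Get-SiteLinkDN $SiteLinkName) -Properties options, replInterval, siteList
    $opts = [int]($link.options)   # attribute is absent (null) until first set; [int]$null is 0
    [pscustomobject]@{
        SiteLink           = $link.Name
        ReplIntervalMin    = $link.replInterval
        ChangeNotification = [bool]($opts -band $USE_NOTIFY)
        TwoWaySync         = [bool]($opts -band $TWOWAY_SYNC)
        CompressionOff     = [bool]($opts -band $DISABLE_COMPRESSION)
        Sites              = $link.siteList
    }
}

function Enable-SiteLinkNotification {
    param([Parameter(Mandatory)] [string]$SiteLinkName)
    $dn   = Get-SiteLinkDN $SiteLinkName
    $link = Get-ADObject -Identity $dn -Properties options
    $opts = [int]($link.options)
    if ($opts -band $USE_NOTIFY) {
        Write-Host "$SiteLinkName already has change notification enabled"
        return
    }
    # OR the bit in so any other option bits already set are preserved.
    Set-ADObject -Identity $dn -Replace @{ options = ($opts -bor $USE_NOTIFY) }
}

# Usage: inspect, enable, inspect again. 'DEFAULTIPSITELINK' is a placeholder; use the hub-to-spoke link names.
Get-SiteLinkOptions -SiteLinkName 'DEFAULTIPSITELINK'
Enable-SiteLinkNotification -SiteLinkName 'DEFAULTIPSITELINK'
Get-SiteLinkOptions -SiteLinkName 'DEFAULTIPSITELINK'
```

Change notification does not alter replInterval; the schedule still decides when the link is open, and notification only stops partners from sitting idle until the next interval. Enable it per site link and confirm with the report afterwards, since every DC on that link starts notifying its partners, which is the extra load the post's bandwidth estimate needs to cover.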

Upgrading domain from 2008 R2 to 2012 R2


I am looking to upgrade my domain from Server 2008 R2 to 2012 R2. We have 10 remote sites, each with a single physical ESXi host hosting 2 VMs: one 2008 R2 VM with the ADDS/DHCP/DNS/File Services (user home drives) roles, and a second 2008 R2 VM that runs WDS/MDT and a couple of applications. At our main site we have a physical 2008 R2 DC which holds all the FSMO roles, a VM with the ADDS/DHCP/DNS/File Services roles, and another VM running WDS/MDT.

I've gathered from my research that Microsoft recommends clean installs when upgrading DCs, but since our DCs are also file servers that's not an ideal course of action for us; it'd be a lot of additional steps. My plan at this point is to bring up a new physical 2012 R2 server, make it a DC, transfer the FSMO roles to it, then demote and retire the current physical 2008 R2 server. For the virtual DCs, since they are also file servers, I'm leaning towards in-place upgrades on them, unless anyone would advise against it.

The other thing I'm considering is creating a 2012 R2 DC at each remote site, then demoting the current 2008 R2 DC, leaving some combination of DHCP/File Services on it, then running an in-place upgrade on it to 2012 R2. This would require another Windows license though, since our physical hosts are not on Hyper-V.

For the virtual servers running WDS/MDT, I personally prefer an in-place upgrade so I don't have to move the MDT deployment share, but I'm open to suggestions.

What are your recommendations? Which server should I upgrade first? How much time should I allow between each DC upgrade? I appreciate the help.



Is there a way to fix this?

I got this event 5723 and searched for computer1, and it does not show up in the AD Users and Computers MMC.
Why did we get this event even though the computer is not in the AD database? Is there a way to fix this error?

Log Name:      System
Source:        NETLOGON
Date:          3/26/2014 7:44:00 AM
Event ID:      5723
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      domain controller 1
Description:
The session setup from computer 'computer1' failed because the security database does not contain a trust account 'computer1$' referenced by the specified computer. 

USER ACTION 
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time.  If this is a Read-Only Domain Controller and 'computer1$' is a legitimate machine account for the computer 'computer1' then 'computer1' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller  capable of servicing the request (for example a writable domain controller).  Otherwise, the following steps may be taken to resolve this problem: 

If 'computer1$' is a legitimate machine account for the computer 'computer1', then 'computer1' should be rejoined to the domain. 

If 'computer1$' is a legitimate interdomain trust account, then the trust should be recreated. 

Otherwise, assuming that 'computer1$' is not a legitimate account, the following action should be taken on 'computer1': 

If 'computer1' is a Domain Controller, then the trust associated with 'computer1$' should be deleted. 

If 'computer1' is not a Domain Controller, it should be disjoined from the domain.

Operations Master DC unavailable


I'm not sure what's going on here.  Not even sure where to start looking.

The operations master DC is showing as unavailable, so traffic is going to one of our remote site domain controllers.  I discovered this by trying to check the FSMO roles on the domain.  Please see attached snapshot.

What is a good place to start? Thanks.

User Password Reset delay - After Domain Upgrade to 2012

I recently upgraded a Windows 2003 domain to 2012 and everything works fine. After this I could see a delay in password resets for users of around 15 to 20 minutes. How do I solve this issue?

Windows 2012 & R2 DCs on Windows 2003 Domains


Hello to all. As written in several MS articles, W2K12 R2 does not have the W2K3 domain functional level or forest functional level anymore; they are both deprecated.

I have 1 forest at W2K3 forest level, all its domains at W2K3 level, and just 1 W2K8 DC among all these domains (the rest are all W2K3 DCs).

I want to upgrade this forest to W2K12 R2. Considering that the W2K3 forest and domain levels are deprecated in W2K12 R2, can I insert W2K12 R2 DCs into this existing W2K3 forest or not?

Regards, EEOC.

Block drag-n-drop from PST to mailbox


Backstory: horrible PST implementation, 18+ PSTs for some users; we are cleaning it up.

I need to completely block the ability for users to move or copy (either by drag and drop or by import) items from a PST or IMAP/POP mailbox into their primary MAPI mailbox. I still want them to have the ability to create new folders and move items around within their PSTs and MAPI mailboxes respectively, just not between them.

Is this possible via GPO? If so how?

TIA!


LDAP vs X.500


Hello everybody,

What are the differences between LDAP and X.500? I know that LDAP is a directory access protocol, but what about X.500?

Changing Active Directory name


We presently have an AD name xxx.net with an external name x.x.com. We own x.x.com but not xxx.net.

This is causing big problems, especially with Exchange.

We are running Windows 2008 R2.

If we want to move from xxx.net to x.x.com internally, what would that actually take?

I was thinking of creating a new domain forest for x.x.com, with a trust to xxx.net, then moving objects over.

But if there is a better way, could someone let me know?

Thanks

Dave


Dave Kozlowski


Prevent changes on client PC inherited from AD Group membership change.


Hello everyone,

Membership of some AD users was suddenly changed last week (on Thursday). The impact of this change is huge: deleted profiles on client PCs. I caught this problem early, when just a few users had it. On Friday I removed the users from the "bad" AD group, but today the problem is continuing. I know that users must log off and log on again for an AD group membership change to take effect. So my idea is this: many of our users didn't shut down their computers last week and just put them to sleep. The computers "registered" the group membership change but are waiting for the first restart, regardless of the fact that the change is not valid anymore. Is this possible? I can't explain it any other way. Is there some way to find out whether there's another "sleeping problem" in the network and to prevent the application of the inherited changes from the AD group?

Thank you for any suggestion or idea. I want to "rescue" the remaining computers in the network.

Martin

Windows Server 2008 user logon problem

Hello,

I have an issue. I added my laptop to the domain, and in computer properties it shows that it is connected to the domain, but when I restart it, the start-up screen shows 'computer name\user name' instead of 'domain name\user name'. When I enter my password it gives a wrong-password error, and when I press Enter it logs in without a password.

Active directory issue in subdomain


Hello all

I have a domain root.corp with a subdomain 123.root.corp, which has another subdomain ABC.123.root.corp.

My problem is that in Sites and Services in root.corp and 123.root.corp I cannot see the domain controllers of ABC.123.root.corp, but in Sites and Services on a domain controller of that domain I can see all DCs and the replication connections.

W2008 R2 on all the DCs, all global catalogs, no issues in DNS.

Any idea?

Transfer of FSMO roles after installing 1st 2008 R2 DC into 2003 domain.

I am looking at upgrading my 2003 domain to 2008 R2, installing the 1st 2008 R2 DC at the forest level first and then in the other remaining child domains. My question is, when is it a good time to transfer the FSMO roles: right after I install the 1st 2008 R2 DC into each domain, or wait a week and then transfer the roles? Any gotchas in doing it right after installing the 1st 2008 R2 DC into the domain?

Server 2003 Event ID 7 KDC


People were suddenly having issues logging in to the domain over the weekend and I noticed I could not log in either.  I could only get to the terminal server via a local login, so I went in to the office and checked the Domain controllers, one of them let me log in fine as the domain admin, but the other did not.  It said my user name and password were incorrect.  I shut it down and then powered it back up and I was able to log in as the domain admin there or on any machine on the domain.

Today I'm looking at the logs from earlier in the day before this happened, or before anyone noticed that it had happened, and I see a lot of errors in the system log with Event ID 7 and KDC as the source. It looks like any time any machine on the domain tried to authenticate, it generated this error. Any ideas on what caused it or what can be done?

There is another domain that we have a trust with which is located in a different country, and there have been errors showing authentication problems to that domain; could that be related?

Thanks,

Brian


