Channel: Directory Services forum
Viewing all 31638 articles

Host Publicly Accessible DNS Servers


Currently we have our ISP hosting our public DNS records and our domain registrar is pointing to their DNS servers. We want to be able to control our DNS records ourselves so we are contemplating a few options.

1. Create the DNS records using our domain registrar's DNS servers.

2. Create our own, non domain Windows DNS servers in a DMZ without recursion, create NS records with domain registrar, and forward to those DNS servers.

In either case, what would be the best way to go about retrieving the DNS record information from our current DNS provider (our main ISP) to move it over to either of the 2 aforementioned options?

We really don't have that many records that need to be accessible from the public internet so I'm assuming that option 1 would be better but I was wondering if there were any opinions or recommendations flying around out there. Any advice helps. Thanks!


Configure Domain Controllers for NTP

Hello forum, I have a medium-size environment of 1000 physical and virtual servers. I plan to apply NTP settings on domain controllers to point to two NTP devices that I have in our infrastructure. What is the best practice around configuring NTP for domain controllers? What are the fail and watch-out points? Will simply running the following command work, given that I have 2008 R2 and 2003 domain controllers? C:\> w32tm /config /syncfromflags:manual /manualpeerlist: "1.Site1NTPServer, 2.Site2NTPServer"
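As an added example (editor's code, not from the post or from Microsoft): the usual layout is that only the PDC emulator takes a manual peer list, while every other DC stays on the domain hierarchy, so a mistyped peer list cannot fan out to all 1000 servers. w32tm takes the peers as a single space-separated, quoted argument with no space after the colon. The hostnames and the 0x8 (client-mode) flag are assumptions; Get-ADDomain needs the ActiveDirectory module (2008 R2 or later), so on a 2003 DC find the PDC emulator with netdom query fsmo instead.

```powershell
# Added example, not from the forum post. Peer names are placeholders.
# 0x8 = client mode (the DC polls the peer and never accepts symmetric-active traffic).
$Peers = "ntp1.corp.example,0x8 ntp2.corp.example,0x8"

Import-Module ActiveDirectory
$Pdc = (Get-ADDomain).PDCEmulator
$Me  = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName

if ($Me -ieq $Pdc) {
    # Only the PDC emulator syncs from the hardware NTP devices; it is marked
    # reliable so the rest of the forest chases it.
    w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC follows the domain hierarchy (its own PDC emulator).
    w32tm /config /syncfromflags:domhier /update
}

Restart-Service w32time
w32tm /resync /nowait

# Checks: on the PDCe the Source line should name one of the peers, elsewhere a DC.
w32tm /query /status
w32tm /query /peers
# Watch-out point: compare offsets of all DCs at once and look for one that drifts
# or reports a lower stratum than the PDCe (a second root source creating skew).
w32tm /monitor /domain:$env:USERDNSDOMAIN
```

Run the same script on each DC; the branch on the PDC emulator makes it safe to deploy unchanged. If the PDC emulator role ever moves, re-run it on the old and new holder so the manual peer list follows the role.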

Why does changing AD group "Managedby" in ADUC give strange error?


Hello all,

My question centers around the following error when setting the Managedby attribute in ADUC without checking the "Manager can update membership list" checkbox:

What I think is strange about this error is that the error occurs without the "Manager can update membership list" checkbox checked. Thus, to my knowledge, no changes to the ACL are being made to the group; the only thing that's happening is the "Managedby" attribute of the group is being changed.

Assuming no changes to the ACL are being made, here's the fun part. When a user with "Modify Permissions" rights on the group ACL changes the Managedby in ADUC (again, without the update membership checkbox being checked) there is no error. However, when a user who does not have "Modify Permissions" rights on the group ACL performs the Managedby change, it results in the above error but the changes still go through.

So my question is, even without the "Manager can update membership list" checkbox being checked, does updating the "Managedby" field in ADUC require an ACL change on the group somewhere? If not, why is the error being generated for a user without "Modify Permissions" rights? Am I missing something here?



After joining the domain, adding a shared printer to a system has problems?


I have a domain service.

I have configured Active Directory on the server.

After that, on the client systems I started the domain joining process.

The 1st client system I added to the domain.

The 2nd system has a printer and it was shared; it was not in the same domain, it was in a workgroup, but on the same network.

Now I want the printer for the 1st system. First I tried a ping; it was working. After that, \\128.128.24.7 for example.

I checked it and added the printer on the first day, and the very next day it was not working, not added to the system.

It has daily disturbances; please guide me.

Windows Live Mail having a problem after joining the domain: for example, incoming is good but sent or outgoing is not there, and also sent mails are not exported at Live Mail export time?

Windows Live Mail having a problem after joining the domain: for example, incoming is good but sent or outgoing is not there, and also sent mails are not exported at Live Mail export time?

Multiple Net Sessions Showing Up on Domain Computers

Whenever I manage or PsExec to another PC, I'm noticing several user sessions connected to the computer. These computers are not serving as file shares. What is causing this to happen?

Enabling SID History after User is Migrated using ADMT


We have a requirement to move a few users and resources from one forest to another forest.

We have configured a test environment for doing the testing. We have disabled the SID History in the external trust and migrated the user with the SID History information. Now the user is able to access the resources in the trusting forest (using the SID history information). We want to enable the SID history in the external trust after the users and resources are migrated to the trusted forest.

We would like to clarify whether the migrated users' access is maintained in the trusting forest after enabling the SID history.

Security considerations across AD trusts


Hi

What are the security considerations (for Forest/DomainA) when creating a one-way trust between DomainA (the trusting domain) and Forest/DomainB (the trusted domain),

so that resources in DomainA are exposed to users in DomainB?

I am trying to articulate the security considerations (i.e. that the concept of the forest security boundary has been broken) to the owners of DomainA.

This is because DomainA is also used to provide authentication services to DomainC, which has very strict security compliance policies.

Can DomainB enumerate users in DomainA? Can an admin in DomainB elevate his/her rights in DomainA?

Presumably a misconfiguration of permissioning in DomainA could see rights given to resources used by DomainC.

Thanks everyone


What event triggers an update in the LastLogonTimeStamp information?


What event triggers an update in the LastLogonTimeStamp information (not the LastLogon that is spread across all my 18 DCs; I'm talking about the centralized information, replicated to all DCs, stating the last time a logon was detected)?

I need to know in which circumstances the LastLogonTimeStamp info is updated in AD.

Of course a regular logon updates the LastLogonTimeStamp, like the morning logon that every user does at the beginning of the day.

But do other types of logon also update the LastLogonTimeStamp?

I have several examples of logons and I would like to know if they trigger an update also:

VPN Access, authenticated by AD+RADIUS, coming from domain-joined and non-domain-joined machines?

Web Applications, Forms, http IIS basic authentication, Sharepoint integrated authentication  coming from domain-joined and non-domain-joined machines?

TS Gateway/RDS Apps coming from domain-joined and non-domain-joined machines?

There are circumstances that I know of; for example, unlocking a machine does not trigger it, because I'm on the defaults where AD authentication is not required to unlock machines, so in that case the LastLogonTimeStamp will not be updated, am I right?
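As an added example (editor's code, not from the post): lastLogonTimestamp is the replicated attribute, and it is deliberately lazy. A DC rewrites it after a successful Kerberos TGT request or NTLM authentication only when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default, minus a random 0 to 5 percent so that 18 DCs do not all replicate the same day), so the replicated stamp can lag the real last logon by up to that interval. The script reads the interval from the domain head and lists enabled accounts whose replicated stamp is older than a cutoff; the 90-day cutoff is an assumed value.

```powershell
# Added example, not from the forum post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-LogonTimeSyncIntervalDays {
    # The attribute lives on the domain NC head; absent means the 14-day default.
    $dom = Get-ADDomain
    $v = (Get-ADObject -Identity $dom.DistinguishedName -Properties 'msDS-LogonTimeSyncInterval').'msDS-LogonTimeSyncInterval'
    if ($null -eq $v) { 14 } else { [int]$v }
}

function Get-StaleLogonReport {
    param([int]$OlderThanDays = 90)   # assumed threshold
    $cutoff = (Get-Date).AddDays(-$OlderThanDays).ToFileTimeUtc()
    # Filter on the replicated attribute so every DC returns the same answer;
    # the bitwise clause excludes disabled accounts (UAC bit 0x2).
    Get-ADUser -LDAPFilter "(&(lastLogonTimestamp<=$cutoff)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" `
               -Properties lastLogonTimestamp |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                LastLogonTimestamp = [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp)
            }
        } | Sort-Object LastLogonTimestamp
}

$interval = Get-LogonTimeSyncIntervalDays
"Replicated stamp may lag the true last logon by up to $interval days"
Get-StaleLogonReport -OlderThanDays 90 | Format-Table -AutoSize
```

Because of the lag, a stale-account review should treat "older than cutoff" as "older than cutoff plus the sync interval"; for an exact last-logon time you still have to query lastLogon on every DC.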

 

Active Directory Problem


Hello All;

Well I'm a new administrator to this company.  Come to find out the previous admin has completely blocked my schedule with work due to misconfigurations.  So here is the problem;

At our corporate office, we have our domain called Company.net. Within this environment, the old administrator 'tombstoned' an old domain called 'service.company.net'. I created a new virtual server and I'm creating a new AD server so my other domains (farm.company.net) will stop complaining trying to find the old AD. Hope I didn't lose you there.

Company.net <~ Complaining about not seeing 'Service'
    farm.company.net <~ Complaining about not seeing 'Service'
    service.company.net <~ Has ZERO servers within this domain. I need to rebuild AD so I can join other servers, etc.

So again, I have ZERO servers within the 'Service' domain. How he accomplished this is beyond me. So would I just DCPROMO and 'Create a New Domain In a New Forest'? When I try to DCPROMO to an existing forest, I get an error saying the domain could not be contacted. Or am I into huge other work?

Again, Hope I didn't lose you. Thanks for your help

Error Event ID 11 The KDC encountered duplicate names while processing a Kerberos authentication request.


I've been noticing the error with event ID 11 popping up a lot on our domain controllers:

The KDC encountered duplicate names while processing a Kerberos authentication request.

When running setspn -X it says that it found 111 groups of duplicate SPNs. However, when going through the list, it references domain service accounts that are used to run our SQL Server services. We have about 50 remote locations and each of them has 3 machines participating in a SQL mirror (principal, mirror, witness) and they all run the SQL Server service on the same account (1 account per location).

We haven't experienced any issues at all but I was wondering if this could cause problems or if we are straying from best practice. Any advice is welcome. Thanks!
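As an added example (editor's code, not from the post): an SPN is a set of distinct values per account, so one account carrying MSSQLSvc SPNs for three different hosts is not by itself a duplicate. What setspn -X reports, and what makes the KDC log event 11, is the same SPN string registered on two different objects, because the KDC then cannot decide which account's key to encrypt the service ticket with. This script enumerates every SPN in the domain NC and reports the strings with more than one owner; the search base defaults to the current domain.

```powershell
# Added example, not from the forum post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DuplicateSpn {
    param([string]$SearchBase = (Get-ADRootDSE).defaultNamingContext)
    $byName = @{}
    # Users, computers and MSAs can all carry SPNs, so query objects, not users.
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -SearchBase $SearchBase `
                 -Properties servicePrincipalName |
        ForEach-Object {
            $acct = $_
            foreach ($spn in $acct.servicePrincipalName) {
                $key = $spn.ToLowerInvariant()      # SPN matching is case-insensitive
                if (-not $byName.ContainsKey($key)) {
                    $byName[$key] = New-Object System.Collections.ArrayList
                }
                [void]$byName[$key].Add($acct.DistinguishedName)
            }
        }
    foreach ($k in $byName.Keys) {
        $owners = @($byName[$k] | Sort-Object -Unique)
        if ($owners.Count -gt 1) {
            [pscustomobject]@{ SPN = $k; Accounts = ($owners -join '; ') }
        }
    }
}

Get-DuplicateSpn | Sort-Object SPN | Format-Table -Wrap
```

The Accounts column tells you which two objects collide; a common pattern is a host-based SPN left on a computer object after the service was moved to a domain account. Resolve by removing the SPN from the object that no longer runs the service rather than from whichever one setspn lists first.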

Delete Lingering Objects from entire Domain.


Hi,

We have 150 DCs in our domain and are getting 1388 events for lingering objects frequently. I am using the Repadmin /removeLingeringObjects command to remove lingering objects by logging on to each DC.

How can we remove lingering objects from all the DCs using a script or command?


Regards, Triyambak
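As an added example (editor's code, not from the post): repadmin can be pointed at a remote DC, so one script can walk every DC in the domain against a single reference DC that you have verified is clean. The command needs the reference DC's DSA (NTDS Settings object) GUID, which is not the same as its invocation ID. Advisory mode changes nothing and only logs what would be deleted in the Directory Service log, so run that first. The reference DC name is a placeholder; the domain and configuration NCs are checked, and application partitions can be appended to the list.

```powershell
# Added example, not from the forum post. Requires the ActiveDirectory module
# and repadmin on the machine you run it from.
Import-Module ActiveDirectory

function Remove-LingeringObjectsDomainWide {
    param(
        [Parameter(Mandatory = $true)][string]$ReferenceDC,  # a DC verified clean
        [switch]$Advisory                                    # report only
    )
    $ref = Get-ADDomainController -Identity $ReferenceDC
    # DSA object GUID = objectGUID of the NTDS Settings object, not the invocation ID.
    $dsaGuid = (Get-ADObject -Identity $ref.NTDSSettingsObjectDN -Properties objectGUID).objectGUID.Guid

    $rootDse = Get-ADRootDSE
    $ncs = @($rootDse.defaultNamingContext, $rootDse.configurationNamingContext)

    $targets = Get-ADDomainController -Filter * | Where-Object { $_.HostName -ne $ref.HostName }
    foreach ($dc in $targets) {
        foreach ($nc in $ncs) {
            $cmdArgs = @('/removelingeringobjects', $dc.HostName, $dsaGuid, $nc)
            if ($Advisory) { $cmdArgs += '/advisory_mode' }
            Write-Host "repadmin $($cmdArgs -join ' ')"
            & repadmin @cmdArgs
        }
    }
}

# Pass 1: advisory only; read the Directory Service events on each DC before pass 2.
Remove-LingeringObjectsDomainWide -ReferenceDC 'dc01.corp.example' -Advisory
# Pass 2 (after review): Remove-LingeringObjectsDomainWide -ReferenceDC 'dc01.corp.example'
```

Keep the reference DC fixed for both passes. If the 1388 events keep returning after a clean pass, check that strict replication consistency is enabled on all 150 DCs, because a single lenient DC will reintroduce the objects.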

Operation Terminated with error -1101 (JET_errOutOfSessions, Out of sessions)


Hi team,

I am getting the below error message while doing an offline defragmentation of one of the domain controllers. How can I resolve this issue?

C:\>ntdsutil "activate instance ntds" "files" "integrity" q
ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: files
file maintenance: integrity
Doing Integrity Check for db: D:\Windows\NTDS\ntds.dit.

Checking database integrity.
Operation terminated with error -1101( JET_errOutOfSessions, Out of sessions ).


Regards, Triyambak

Implement an "Internet Cafe" in a working environment?

Hi All,

Stuck again,

We have recently had a change around with our inhouse canteen and decided to include pool tables etc. in it to provide more entertainment.

Another thing that we temporarily added was two desktop PCs with their own AD account logins for Internet access only, disabled disc drive, USB BIOS-protected, blah blah blah, until we realised this was a security risk.

Basically we have some users that are blocked from accessing the internet, what is stopping them from using that login on their desk computer to access the internet? Nothing.

Is there any way we can implement this "internet cafe" without compromising the security of our network etc.?

I'm not sure if it's possible, but is there a way to have two separate AD accounts, with Internet access only, no network drives or file access (they will be locked down, i.e. UAC controls, all other user accounts will be blocked from logging into these two PCs except for Domain Admins, BIOS locked, boot sequence locked etc.) that are only allowed to log into the desktop PC that they are assigned to? Meaning those two account details cannot be used anywhere else? Is there a way to stop an authenticated AD user from using one of these accounts to log in to the PC, then map a network drive using their credentials?

We also have a range of workers that would have access to these two desktops, including temp workers from a staff agency. One concern from my boss is that somebody could create/post something harmful and it would come back to our IP address and make this company building look bad, as the only detail we would have of the suspected user is that they used "Internetaccess1"; if they are a temp user and don't have an AD login etc., is there any possible way to tell who was on the PC at a certain time?

Regards, Max.
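As an added example (editor's code, not from the post): the userWorkstations attribute (the "Log On To" button in ADUC, exposed as LogonWorkstations in the AD module) pins an account to the listed computers for interactive logon, so the cafe accounts cannot be used at a desk PC. The complementary control for the "map a drive with my own credentials" concern is the "Deny access to this computer from the network" user right on the file servers, which is a GPO setting rather than something this script sets. The second function reads the kiosk's own Security log so a clock time can be tied to an account and logon type; it needs logon auditing enabled on the kiosk. Account and computer names are placeholders.

```powershell
# Added example, not from the forum post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Set-KioskAccount {
    param([string]$Account, [string]$Computer)
    # Interactive logon for this account is accepted only from the listed NetBIOS
    # name(s); a DC rejects attempts from any other workstation.
    Set-ADUser -Identity $Account -LogonWorkstations $Computer
    # Return what was written (comma-separated when several hosts are allowed).
    (Get-ADUser -Identity $Account -Properties LogonWorkstations).LogonWorkstations
}

Set-KioskAccount -Account 'Internetaccess1' -Computer 'CAFE-PC1'
Set-KioskAccount -Account 'Internetaccess2' -Computer 'CAFE-PC2'

function Get-KioskLogons {
    # Interactive (2), unlock (7) and RDP (10) logons on the kiosk in the last N hours.
    param([string]$Computer, [int]$Hours = 24)
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if (@(2, 7, 10) -contains $d.LogonType) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType = $d.LogonType
            }
        }
    }
}

Get-KioskLogons -Computer 'CAFE-PC1' -Hours 24 | Format-Table -AutoSize
```

The event query only tells you that "Internetaccess1" was active at a given time, which is the limit of a shared account; to attribute a session to a person you need a per-person record at the same timestamp, for example a sign-in sheet or a proxy log that captures the kiosk's address, since the account itself cannot carry that.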

How to create and add a logon/logoff script to populate last user into the computer field in AD

Hi All,

Bit stuck here,

Not sure what forum to put this is as it involves different subjects,

I work in a Server 2008 RT environment and have access to Active Directory etc.

I saw this a few weeks ago - http://ivan.dretvic.com/2012/10/automatically-generate-description-field-for-computers-in-active-directory/

Now, I'm not particularly sure what to do here, I don't know how to create a group policy etc. How to implement it in a test environment etc. Never done this before.

Can somebody give me a step by step guide on literally everything that would be involved in this?

Or any links that may be able to help?

I basically want the AD to show who was the last user that logged into a specific client when the client name is searched for in the Computers OU, and if possible being able to pull the make/model and serial number from the client as well.

If possible there should be a way of including this with the existing login script that we already have, how can I do this?

I've tried a few so far and got stuck; I have domain admin privileges also.

Thanks,
Regards, Max.
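As an added example (editor's code, not from the post or from the linked article): a logon script that writes the current user, make/model and serial number into the description of the computer's own AD object. It uses ADSI rather than the AD module so nothing needs installing on the clients. The one prerequisite is an ACL change, not a script change: the users (or a group they belong to) must be granted Write permission on the description attribute of the computer objects in the OU, otherwise SetInfo() fails with access denied and the script only logs that. The log path under TEMP is an assumption.

```powershell
# Added example, not from the forum post. Runs as the logging-on user from a
# GPO logon script or from an existing login script via
# powershell.exe -ExecutionPolicy Bypass -File <path>\Set-ComputerDescription.ps1

function Get-ComputerStamp {
    # Build the text that will be stored in the computer object's description.
    $cs   = Get-WmiObject Win32_ComputerSystem
    $bios = Get-WmiObject Win32_BIOS
    "{0} | {1} {2} | SN {3} | {4:yyyy-MM-dd HH:mm}" -f $env:USERNAME,
        $cs.Manufacturer.Trim(), $cs.Model.Trim(), $bios.SerialNumber.Trim(), (Get-Date)
}

function Set-ComputerDescriptionInAD {
    param([string]$Description)
    # Locate this machine's computer object by its sAMAccountName (NAME$).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "computer object for $env:COMPUTERNAME not found" }
    $obj = $result.GetDirectoryEntry()
    $obj.Put('description', $Description)
    $obj.SetInfo()      # needs Write Description on the object for the current user
}

try {
    Set-ComputerDescriptionInAD -Description (Get-ComputerStamp)
} catch {
    # Typical cause: the user lacks Write Description on the computer object.
    "$(Get-Date -Format s) $env:COMPUTERNAME $env:USERNAME : $_" |
        Out-File -Append -FilePath (Join-Path $env:TEMP 'ad-description.log')
}
```

Test it first on one OU with one test computer and one test user: run the script manually as that user, then refresh the Computers view in ADUC and check the description column. Only after that link the GPO to the production OU.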

Publishing External website name with the same name of Internal Active Directory name


Hello,

Our Active directory Domain name is ukhtg.com. We are planning to publish a site externally named 'rpg.ukhtg.com'.

Is it OK to expose the internal domain to the external world like this? Do you think it is best practice?


Mahi

Any change between 2003 & 2008 while using User Placeholder (%username%)


Hi Experts,

I just want to know if there is any change while using the placeholder (%username%) between 2003 and 2008 R2.

Vipin Tyagi

Need some Best Practices advice on remote site AD setup

I need to build a domain controller for a remote site.

I need it to replicate user/machine credentials when the VPN tunnel to corp HQ is up, so I would assume I want to build a backup domain controller, but I also don't want it to self-promote or try to take over when the VPN tunnel crashes... regularly.

It would also be great if I could continue to make user accounts on this DC when the VPN is down, and have those accounts push back to HQ when it comes up.

Is this where sub-domains, or trust relationships, or forests come into play, or am I overthinking it?

Why does my "Enable Disk Quota Management" option gray out?

I'm a student who is taking on a project of Windows Server 2008 R2. Anyways, I'm trying to enable the Disk Quota management for the network drives that I have created for the departments and users. Unfortunately, the option to enable is grayed out. Obviously, I am logged in as the admin. I've checked the GPO and have set the disk quota settings to not configured or to enabled, but I still cannot enable it.

Flat name space to Hierarchical Domain conversion

While doing some discovery on updating our 2003 AD environment to 2008 R2 we discovered issues with our domain name, which is still using the NT-style flat name. Let's call it contoso. Exchange 2010 apparently doesn't like this either. Is there a way to "convert" contoso to, say, contoso.com?

