Scenario

I've taken an online clone of one of my Virtual Window 2003 Enterprise Domain Contoller which doesn't hold any roles. Removed the Clone Domain Controller from Network & powered it on.

Now I want to log into that Domain Controller using my Domain Admin credentials but it's not working.Is there a way to log in to that Domain Controller which is taken out of network USING DOMAIN ADMIN ID ?

I can log in to Restore Mode but that's not what I'm looking for, I need to log in to that DC using my Domain Admin credentials while It's not in network.

This is for lab purpose.

I am running RSAT version of ADUC on Windows 7.  I have done the work-around to display the Dial-in tab, which is not displayed by default in that version of ADUC.  I have noticed some odd behavior and I am wondering if someone call tell me if the behavior is by design.

When I remove an IP address from the Dial-in tab, I don't just clear the "Assign a static IPv4 address" checkbox, I actually backspace out the numbers.  I have a PowerShell script that I can run to pull all the accounts in AD that are configured with IP addresses, and if I run that script the account does not show up in the results.  This is good.  However, if I go back into the AD account and check the "Assign Static IP Addresses" checkbox on the Dial-in tab, the Static IP Addresses dialog box appears and the IP that I just removed is back in there but grayed out.  If I run my script again, the account does appear in the results.  This is bad.  We have an established process for requesting VPN access, and this behavior makes it easy for people to add an IP address back onto an account without going through the proper process.

It's as if the tool remembers the last IP address that was entered on the account and automatically adds it back when you go back into that dialog box.  What I would like is for the IP address to remain blank so that people will need to manually enter a new IP address, which they would obtain during the VPN request process.

Is there a way to prevent the last IP address used on the account from being put back in automatically when the Static IP Addresses dialog box is opened?

Thanks for any help that you can offer!

--Tom

The results for May's TechNet Guru competition have been posted!

http://blogs.technet.com/b/wikininjas/archive/2014/01/16/technet-guru-awards-december-2013.aspx

Congratulations to all our new Gurus for May!

We will be interviewing some of the winners and highlighting their achievements, as the month unfolds.

Post your JUNE contributions here:

http://social.technet.microsoft.com/wiki/contents/articles/24692.technet-guru-contributions-for-june-2014.aspx

Read all about June's competition, hopefully in a stickied post, at the top of this forum.

Below is a summary of the medal winners for May. The last column being a few of the comments from the judges.

Unfortunately, runners up and their judge feedback comments had to be trimmed from THIS post, to fit into the forum's 60,000 character limit, however the full version is available on TechNet Wiki.

Some articles only just missed out, so we may be returning to discuss those too, in future blogs.
 

BizTalk Technical Guru - May 2014

Forefront Identity Manager Technical Guru - May 2014

Microsoft Azure Technical Guru - May 2014

Microsoft Visio Technical Guru - May 2014

SharePoint 2010 / 2013 Technical Guru - May 2014

Small Basic Technical Guru - May 2014

SQL BI and Power BI Technical Guru - May 2014

SQL Server General and Database Engine Technical Guru - May 2014

System Center Technical Guru - May 2014

Transact-SQL Technical Guru - May 2014

Wiki and Portals Technical Guru - May 2014

Windows Phone and Windows Store Apps Technical Guru - May 2014

Windows Presentation Foundation (WPF) Technical Guru - May 2014

Windows Server Technical Guru - May 2014

As mentioned above, runners up and their judge feedback were removed from this forum post, to fit into the forum's 60,000 character limit.

A great big thank you to EVERYONE who contributed an article to last month's competition.

Hopefully we will see you ALL again in this month's listings?

As mentioned above, runners up and comments were removed from this post, to fit into the forum's 60,000 character limit.

You will find the complete post, comments and feedback on the main post.

Please join the discussion, add a comment, or suggest future categories.

If you have not yet contributed an article for this month, and you think you can write a more useful, clever, or better produced wiki article than the winners above, here's your chance! :D

More about the TechNet Guru Awards:

• TechNet Guru Competitions

#PEJL

Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to the one and onlyTechNet Wiki, for future generations to benefit from! You'll never get archived again!

If you are a member of any user groups, please make sure you list them in the Microsoft User Groups Portal. Microsoft are trying to help promote your groups, and collating them here is the first step.

I am looking for the "Official" instructions for backing up and restoring an ADFS server which uses Full Remote SQL 2012. I know the database is backed up but what are the procedures for DR on the ADFS servers themselves?

The migration of ADFS 2.1 to 2012 R2 ADFS include an export of the ADFS metadata and Import into 2012R2 ADFS. Is this a possible solution to schedule for 2012 R2 ADFS in order to quickly restore in the event that the Farm dies?

Hoping someone can assist.

Have an environment with multiple AD LDS deployments replicating without issue between Windows 2008 Servers

Trying to add on a 4th AD LDS instance and have the role installed on the server, however when using the AD LDS Setup Wizard to add the instance, running through all the options, towards the end of the wizard get the following error :

----------------------------------------------------------------------------------------------------------------------------------------------------------------

Active Directory Lightweight Directory Service Setup Wizard

The selected service account cannot authenticate with the replica source <other AD LDS instance:50000> using Negotiate authentication. Either the service account is invalid or the computer's configuration does not support NTLM authentication with the replica source.

The authentication failed with error 0x6ec: The list of RPC servers available for the binding of auto handles has been exhausted.

----------------------------------------------------------------------------------------------------------------------------------------------------------------

The AD LDS service account is Using a domain account that has local administrator rights, log on as service rights on all servers, along with 'Access this computer from the network' policy settings for the account.

No software or hardware firewall in place.

also used 'nltest /sc_verify:domainnamehere' on all servers and returns results okay.

Any other suggestions to check please?

Thanks

in an attempt to transfer FSMO roles to the 2012r2 DC the first thing I ran was dcdiag /e /c /v and after correcting some minor errors, I came upon this one in the DNS portion where a SRV record is missing and I have no idea how to fix/remove this. there's only two DCs, 200.5 and 200.6 where the former is a Hyper-V VM running 2012r2 and the latter is a physical 2003r2 machine. I was able to successfully raise the levels to 2003 and join the 2012r2 DC. this missing SRV record does not look fatal and only warrants a warning from dcdiag, however I would like to fix this so there's no trouble down the road. I've tried ipconfig /registerdns, but no dice. here is the message I'm concerned about:

                    Error:
                    Missing SRV record at DNS server 192.168.200.5:
                    _ldap._tcp.9a5f3c17-e7ac-48f7-ab42-bf1ea621a6f5.domains._msdcs.cmedia.local
                    [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]

the bottom portion of the DNS section that contains this message is in the RReg section and is as follows:

06/22/2014 08:28:20:209 NetpDoDomainJoin
06/22/2014 08:28:20:209 NetpMachineValidToJoin: 'MDMSRV01'
06/22/2014 08:28:20:209 OS Version: 6.1
06/22/2014 08:28:20:209 Build number: 7601 (7601.win7sp1_gdr.140303-2144)
06/22/2014 08:28:20:209 ServicePack: Service Pack 1
06/22/2014 08:28:20:209 SKU: Windows Server 2008 R2 Enterprise
06/22/2014 08:28:20:209 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
06/22/2014 08:28:20:209 NetpGetLsaPrimaryDomain: status: 0x0
06/22/2014 08:28:20:209 NetpMachineValidToJoin: status: 0x0
06/22/2014 08:28:20:209 NetpJoinDomain
06/22/2014 08:28:20:209 Machine: MDMSRV01
06/22/2014 08:28:20:209 Domain: phamnet.int
06/22/2014 08:28:20:209 MachineAccountOU: (NULL)
06/22/2014 08:28:20:209 Account: phamnet.int\GlobalAdmin
06/22/2014 08:28:20:209 Options: 0x27
06/22/2014 08:28:20:209 NetpLoadParameters: loading registry parameters...
06/22/2014 08:28:20:209 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
06/22/2014 08:28:20:209 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
06/22/2014 08:28:20:209 NetpLoadParameters: status: 0x2
06/22/2014 08:28:20:209 NetpValidateName: checking to see if 'phamnet.int' is valid as type 3 name
06/22/2014 08:28:20:318 NetpCheckDomainNameIsValid [ Exists ] for 'phamnet.int' returned 0x0
06/22/2014 08:28:20:318 NetpValidateName: name 'phamnet.int' is valid for type 3
06/22/2014 08:28:20:318 NetpDsGetDcName: trying to find DC in domain 'phamnet.int', flags: 0x40001010
06/22/2014 08:28:20:427 NetpLoadParameters: loading registry parameters...
06/22/2014 08:28:20:427 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
06/22/2014 08:28:20:427 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
06/22/2014 08:28:20:427 NetpLoadParameters: status: 0x2
06/22/2014 08:28:20:427 NetpDsGetDcName: status of verifying DNS A record name resolution for 'DOMCON02.phamnet.int': 0x0
06/22/2014 08:28:20:427 NetpDsGetDcName: found DC '\\DOMCON02.phamnet.int' in the specified domain
06/22/2014 08:28:20:427 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
06/22/2014 08:29:08:707 [000002e0] NetpGetLsaPrimaryDomain: status: 0x0
06/22/2014 08:29:10:345 NetUseAdd to \\DOMCON02.phamnet.int\IPC$ returned 53
06/22/2014 08:29:10:345 NetpJoinDomain: status of connecting to dc '\\DOMCON02.phamnet.int': 0x35
06/22/2014 08:29:10:345 NetpJoinDomainOnDs: Function exits with status of: 0x35
06/22/2014 08:29:10:345 NetpDoDomainJoin: status: 0x35

So it looks like Windows Server 2012 is vry fussy with the DNS records. I had no issues joining machines to the domain until Server 2012 came along. Can someone help here? If triple checked the SRV records in the DNS and ive screwed around with DNS suffixes etc. 

I created a windows server 2008 r2 Active Directory Server.
But I see two error events:
>
    Active Directory Domain Services was unable to establish a connection with the global catalog.

    Additional Data
    Error value:
    8430 The directory service encountered an internal failure.
    Internal ID:
    3200db0

    User Action:
    Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.


>    
      LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate.

    Additional Data
    Error value:
    8009030e No credentials are available in the security package


When I try to join my linux box to this windows AD sever using msktutil I get below error:
    # msktutil --precreate --host DNS-SERVER.mydomain.com
    Error: ldap_sasl_interactive_bind_s failed (Local error)
    Error: ldap_connect failed
    --> Is your kerberos ticket expired? You might try re-"kinit"ing.

Why is this happening any idea?
Any way to resolve this issue?

TechNet Gurus... we salute you!

You're awesome, and we know it!

Your knowledge uploads and nifty info nuggets are our life blood at TechNet Wiki.

Every awesome article that gets an award is just the start. We are building up the most sensational collection of gifts of knowledge from eminent community heavy weights and young guns alike. And we plan to promote you and your work wherever we can.

Reputations are being forged.

History is being made.

Generations will know your name.

Your children, grandchildren and great-grandchildren will marvel at your technical prowess.

And now, my mighty code warriors, cool consultants and platform specialists, now your chance is here again.

A new month of possibilities. Another chance to prove YOU are the ONE!

The mighty TechNet Guru medal winner for June!

Take up your mouse and keyboard!

Unleash your mighty words of wisdom and bask in the glory that we bestow upon you!

GO GO Gurus! Give, give, give!

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations toTechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Submit now : http://social.technet.microsoft.com/wiki/contents/articles/24692.technet-guru-contributions-for-june-2014.aspx

Thanks in advance!
Pete Laker

#PEJL

Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to the one and onlyTechNet Wiki, for future generations to benefit from! You'll never get archived again!

If you are a member of any user groups, please make sure you list them in the Microsoft User Groups Portal. Microsoft are trying to help promote your groups, and collating them here is the first step.

Hello,

I'm able to find documentation on AD LDS but I can't confirm if it's what I want.

My client is setting up an ecommerce site through Volusion and they want to be able to authenticate using Active Directory for their customers.

I personally don't like the idea of opening up the network for customers. AD LDS seems to be the right solution on a tight budget but I can't confirm if it will work.

The Environment:
Server 2012 1: DC; AD; Hyper-V
VM Server 2012 2: File Server (Hosted on Server 1)
VM Server 2012 3: DirSync (Hosted on Server 1)

MS documentation suggests AD LDS not be setup on a DC as well as placing the server in a DMZ. Unfortunately I can't implement a DMZ at the moment. I would like to put AD LDS on the File Sever. There is a web developer working on the ecommerce side, I just have to provide the authentication. I'm going to try a trial version of OneLogin, but for a couple thousand users, it could get expensive.

Questions:
What resources are recommended for AD LDS? (RAM, HDD Space, etc.) I only need AD LDS right now for 5-10 users but if I decide to go with it, it would need to handle a couple thousand accounts.
Is there special process of creating a SSL Certificate for authentication? Or should one be purchased?
How secure is AD LDS?
Does anyone know of any good how-to guides for linking AD LDS to an external PHP site?

Thanks in advance!

-Jake

I have a migration scenario where I Plan to use ADMT for migration.

The source domain is windows 2003 r2 and the target domain (newly created) is windows 2008 r2. I have already created a two-way external trust between the two domains. However when I want to add the 'administrator' user from the target domain to the source domain built-in "administrators" group it does not allow me to do this. why??

can anyone help?

Team,

Help required. Setup 4 Servers & need ADFS-Resource forest Web server sample files. Include webconfig.

Can you pls provide a link where I can download those files? Thanks in advance.

Want to deploy Test ADFS Scenario.

Regards~Biswajit

Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights.

MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

Domain Controllers inventory-Quest Powershell

Generate Report for Bulk Servers-LastBootUpTime,SerialNumber,InstallDate

Generate a Report for installed Hotfix for Bulk Servers

Hi

I have created a Security Group, and delegate below rights to this Group.

Delegated can reset the password, but after resetting the users password, on account tab, user must change password at next logon got selected automatically.

And when delegated user try to uncheck this option or try to check another option it says access denied.

Even delegated user is not able change any option on account tab of users properties.

Same thing happening while delegated user created a new user with password never expire option

Below is Error Message.

Note:- delegated user can delete/Disable the user and can change the other properties

In my test environment these delegation rights working fine

Balwan Singh

Hi All,

Recently we have demoted some Directory servers from the Forest. it was demoted successfully. then we checked in sites, ADSIEdit, DNS to find any stale record for that. we couldn't find any but when runs the repadmin the DCs which removed comes to the result.

Replication Summary Start Time: 2014-06-22 21:37:15



Beginning data collection for replication summary, this may take awhile:

  ..............................





Source DSA          largest delta    fails/total %%   error

 DC01    >60 days            6 /   6  100  (1908) Could not find the domain controller for this domain.

 DCVM        >60 days           12 /  12  100  (1908) Could not find the domain controller for this domain.

 ADDC01              13m:42s    0 /  47    0  

 ADDC02              13m:42s    0 /  47    0  

 ADDC03              13m:42s    0 /  48    0  

 first 2 DCs we have removed 2 months back and still it comes to the repadmin summery.

appreciate everyone's ideas to remove this stale records,

many thanks

Regards, Dematri

Hello there

I am trying to write a C# code that search for a user which exist in Active Directory

when I run the code in virtual environment with AD 2012 server and windows 8, it works fine with no exceptions. But when I run it in production environment which contains AD 2008 R2 and windows 8, the exceptions starts to appear. I searched for the exceptions throw the internet but I couldn't find a solution that solve my problem.

I have two exceptions:

1-  an operations error occurred , the exception type is: DirectoryServicesCOMException

this exception appears when I run this code and it is thrown by the last line of the code because findOne() returns null:

DirectoryEntry entry = new DirectoryEntry(LDAP://10.10.60.32/DC=parts, DC=mars, DC=com,"user1","password",AuthenticationTypes.Secure);
DirectorySearcher search = new DirectorySearcher(entry);

search.ReferralChasing = ReferralChasingOption.All;
                
search.Filter = "(sAMAccountName=" + logonID+")";

search.PropertiesToLoad.Add("sn");
SearchResult result = search.FindOne();

                
String last_name=result.Properties["sn"][0].ToString();

2- object reference not set to an instance of an object, the exception type is: NullReferenceException

this exception appears when I run this code and it is thrown by the last line of the codebecause findOne() returns null:

DirectorySearcher search = new DirectorySearcher();

search.ReferralChasing = ReferralChasingOption.All;
                
search.Filter = "(sAMAccountName=" + logonID+")";

search.PropertiesToLoad.Add("sn");
SearchResult result = search.FindOne();

                
String last_name=result.Properties["sn"][0].ToString();

Please Help me. I am trying to solve this problem for three days and no result. The logon ID (sAMAccountName) is exist in AD and I am sure about it because I copied it directly from the AD but I don't know why findOne() returns null.

regards

Hello!!

I have couple of questions regarding the Time service on a AD domain.

1. It is the normal way that workstation>DC>PDC hierarchy is followed in a domain and runningw32tm /query /status on a client workstation returns my domain controllers.

HOwerever the following registry key;

hklm/system/controlset001/services/w32time/parameters/ntpserver is test totime.windows.com,0x9.

hklm/system/controlset001/services/w32time/parameters/type is set to NT5DS

is this normal?

2. why doesn't this registry value change to my domain controller?

3. what's the value after the comma stands for? (0x9 in this case)

Dear All,

I have the big problem with my ADDS Server running with Windows Server 2008 standard Edition as the following log :-

Error Event ID: 404

The DNS server could not bind a Transmission Control Protocol (TCP) socket to address 0.0.0.0.  The event data is the error code.  An IP address of 0.0.0.0 can indicate a valid "any address" configuration in which all configured IP addresses on the computer are available for use.
Restart the DNS server or reboot the computer.

Error Event ID: 408

The DNS server could not open socket for address 0.0.0.0.
Verify that this is a valid IP address for the server computer.  If it is NOT valid use the Interfaces dialog under Server Properties in the DNS Manager to remove it from the list of IP interfaces.  Then stop and restart the DNS server. (If this was the only IP interface on this machine and the DNS server may not have started as a result of this error.  In that case remove the DNS\Parameters\ ListenAddress value in the services section of the registry and restart.)
 
My solution is reboot the ADDS server. But do you have any better solution that reboot the system?

I'm looking to hearing from you.

Warmly

Khemarin