Certificate Services in Microsoft
Domain accounts locked out regularly
Hi,
I have quite a number of invalid log-ons daily, causing lockouts.
Action taken,
1. Unselected IPv6 from Windows 7 workstation
2. Follow PSS troubleshooting method http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
3. Using NetWrix Account Lockout Examiner - All results look fine except having a lot of invalid logons, ranging from 20 to 60.
4. Netstat output from Windows 7 workstation
Active Connections
Proto Local Address Foreign Address State Offload State
TCP 10.82.0.11:49182 austin801ai:52230 ESTABLISHED InHost
TCP 10.82.0.11:50231 sippoolbl20a02:https ESTABLISHED InHost
TCP 10.82.0.11:50253 autocache:8080 ESTABLISHED InHost
TCP 10.82.0.11:50254 autocache:8080 ESTABLISHED InHost
TCP 10.82.0.11:50278 autocache:8080 ESTABLISHED InHost
TCP 10.82.0.11:50279 autocache:8080 ESTABLISHED InHost
TCP 10.82.0.11:50280 autocache:8080 ESTABLISHED InHost
TCP 10.82.0.11:50281 autocache:8080 ESTABLISHED InHost
TCP 10.82.0.11:50298 autocache:8080 ESTABLISHED InHost
TCP 10.82.0.11:50301 autocache:8080 ESTABLISHED InHost
TCP 10.82.0.11:50306 autocache:8080 ESTABLISHED InHost
TCP 10.82.0.11:50307 autocache:8080 ESTABLISHED InHost
TCP 10.82.0.11:50315 autocache:8080 ESTABLISHED InHost
TCP 10.82.0.11:50316 autocache:8080 ESTABLISHED InHost
TCP 127.0.0.1:49155 2OPSLW7N048:49156 ESTABLISHED InHost
TCP 127.0.0.1:49156 2OPSLW7N048:49155 ESTABLISHED InHost
What is next? Running out of ideas. Please advise. Thanks.
Kelvin Teang
Set msDS-AllowedToDelegateTo to
I have been given the following task, can anyone tell me how can I do it ?
Set msDS-AllowedToDelegateTo to:
- MSSQLSvc/BLDEPP01.DOMAIN.COM\SQL2012:1450
Regards, h9ck3r.
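One way to carry out the task in the post above, as an added example that is not part of the original post: populate msDS-AllowedToDelegateTo on the account that will delegate, limiting it to the SQL Server SPN given. The account name is an assumed placeholder (the post does not say which principal delegates), the SPN is used exactly as written in the post, and the script assumes the ActiveDirectory PowerShell module.

```powershell
# Added example (not from the post): constrained delegation to one SPN.
# $account is a placeholder; the post does not name the delegating principal.
Import-Module ActiveDirectory

$account = 'svc-webapp'                                   # placeholder
$spn     = 'MSSQLSvc/BLDEPP01.DOMAIN.COM\SQL2012:1450'   # value exactly as given in the post

# Escape the characters that carry meaning in an LDAP filter (RFC 4515) so the
# backslash in the SPN is matched literally when we look it up.
function ConvertTo-LdapFilterValue([string]$s) {
    $s.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# Delegation can only succeed if some principal actually registers that SPN.
$target = Get-ADObject -LDAPFilter "(servicePrincipalName=$(ConvertTo-LdapFilterValue $spn))"
if (-not $target) {
    Write-Warning "No account registers SPN '$spn'; Kerberos delegation to it cannot succeed."
}

# -Add appends to the multi-valued attribute without disturbing entries already
# present. Use Set-ADComputer instead if the delegating principal is a computer.
Set-ADUser -Identity $account -Add @{ 'msDS-AllowedToDelegateTo' = $spn }

# Read the attribute back to confirm.
(Get-ADUser -Identity $account -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
```

Setting only msDS-AllowedToDelegateTo corresponds to the "Use Kerberos only" option in the account's Delegation tab; the userAccountControl flag for protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION) is left untouched. The SPN lookup is the check worth keeping: if it warns, the value as handed over does not match any registered SPN and should be confirmed with whoever owns the SQL Server before it is applied.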
Account Lockout repeatedly, even though lockout policy is disabled
I have a remote user whose domain account keeps getting locked out, and I'm completely stumped. Due to the lockout issues, we have disabled the domain lockout policy, and use the soft lockout function available in Forefront TMG. This is working for everyone but the 1 user.
On the DC that is locking the account, I see the event ID 4740 in the security logs. What makes ZERO sense is the Caller Computer shows as her workstation. Her workstation is a Surface Pro, which is not on a VPN. So it has no connection to the domain controller. When users that are connecting through TMG were getting locked out, the Caller Computer showed as the TMG machine.
I have gone through and cleared any saved credentials from the Credential Manager on the workstation, yet the account is still getting locked out.
So why is this account getting locked out even though the lockout policy is disabled? And how is it showing the user's workstation as the caller computer, when it has no direct connection to any domain controllers?
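An added example, not from either of the lockout posts above, that pulls the 4740 lockout events from the PDC emulator and the 4771/4776 bad-password events from every DC for one account, so the recorded source of the failures can be compared with the Caller Computer shown in 4740. It assumes the ActiveDirectory PowerShell module and event-log read rights on the DCs; the account name and look-back window are constructed sample values.

```powershell
# Added example (not from the posts): where are the bad passwords coming from?
# Assumes the ActiveDirectory module and Security-log read access on the DCs.
Import-Module ActiveDirectory

$User  = 'jdoe'                        # constructed sample account
$Since = (Get-Date).AddHours(-24)      # look-back window

# Every lockout in the domain is recorded as 4740 on the PDC emulator, so that is
# the one place to ask. Its "Caller Computer Name" lives in the TargetDomainName field.
$pdc = (Get-ADDomain).PDCEmulator
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time           = $_.TimeCreated
        Account        = ($d | Where-Object Name -eq 'TargetUserName').'#text'
        CallerComputer = ($d | Where-Object Name -eq 'TargetDomainName').'#text'
    }
} | Where-Object Account -eq $User

# The failed attempts themselves are logged on whichever DC handled them:
# 4771 (Kerberos pre-auth failed, Status 0x18 = bad password) carries the client IP,
# 4776 (NTLM validation, Status 0xC000006A = bad password) carries the workstation name.
$badPw = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4771, 4776; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d   = ([xml]$_.ToXml()).Event.EventData.Data
        $get = { param($n) ($d | Where-Object Name -eq $n).'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            DC      = $dc
            EventId = $_.Id
            Account = & $get 'TargetUserName'
            Source  = if ($_.Id -eq 4771) { & $get 'IpAddress' } else { & $get 'Workstation' }
            Status  = & $get 'Status'
        }
    }
}
$badPw = $badPw | Where-Object Account -eq $User

'--- Lockouts (4740) on the PDC emulator ---'
$lockouts | Sort-Object Time | Format-Table -AutoSize
'--- Bad-password events (4771/4776) on all DCs ---'
$badPw | Sort-Object Time | Format-Table Time, DC, EventId, Source, Status -AutoSize
```

The 4740 Caller Computer is the machine that submitted the failing credentials as the DC saw it, and the 4771/4776 rows show which DC received each failure and from which address or workstation name. Comparing the two lists, and their timestamps, against what the user was actually doing is the usual way to find the stale credential (a mapped drive, scheduled task, service or mobile device still holding an old password).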
Implementing AD LDS to Authenticate for External Users
Hello,
I'm able to find documentation on AD LDS but I can't confirm if it's what I want.
My client is setting up an ecommerce site through Volusion and they want to be able to authenticate using Active Directory for their customers.
I personally don't like the idea of opening up the network for customers. AD LDS seems to be the right solution on a tight budget but I can't confirm if it will work.
The Environment:
Server 2012 1: DC; AD; Hyper-V
VM Server 2012 2: File Server (Hosted on Server 1)
VM Server 2012 3: DirSync (Hosted on Server 1)
MS documentation suggests AD LDS not be set up on a DC as well as placing the server in a DMZ. Unfortunately I can't implement a DMZ at the moment. I would like to put AD LDS on the File Server. There is a web developer working on the ecommerce side, I just have to provide the authentication. I'm going to try a trial version of OneLogin, but for a couple thousand users, it could get expensive.
Questions:
What resources are recommended for AD LDS? (RAM, HDD Space, etc.) I only need AD LDS right now for 5-10 users but if I decide to go with it, it would need to handle a couple thousand accounts.
Is there a special process for creating an SSL Certificate for authentication? Or should one be purchased?
How secure is AD LDS?
Does anyone know of any good how-to guides for linking AD LDS to an external PHP site?
Thanks in advance!
-Jake
Multiple AD FS instances in single forest
Hi, thank you for reading this. I have a little design question about AD FS. The current situation is like this:
- One forest, root domain: domain.lan
- domain.lan contains all user objects
- Three child domains: 1.domain.lan, 2.domain.lan and 3.domain.lan
- AD FS 2.0 server is deployed in domain.lan
Customer wants an extra AD FS instance for testing purposes.
I do find some recommendations on the internet, but I still have a few questions:
- Is it true that only one AD FS server (or farm) per forest can be deployed?
- I read that I can have multiple AD FS instances, but not in the same domain. Should I move the current AD FS server to 1.domain.lan (Because the current AD FS server also automatically supports the child domains) and add an AD FS server for testing purposes to 2.domain.lan?
- Is the configuration as suggested in point 2 supported by Microsoft?
Thanks!
Regards,
Baksteen
Domain Controllers not replicating
Hi All
Domain name: abc.com
DC1 - Windows Server 2003 R2 (Physical Server) - 192.168.1.1
DC2 - Windows Server 2012 (Virtual Machine) - 192.168.1.2
Somehow DC1 doesn't replicate to DC2.
-------------------------------------------------------------
netdom query fsmo result:
Schema master DC1.abc.COM
Domain naming master DC1.abc.COM
PDC DC1.abc.COM
RID pool manager DC1.abc.COM
Infrastructure master DC1.abc.COM
The command completed successfully.
-------------------------------------------------------------
I ran dcdiag on DC1:
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site\DC1
Starting test: Connectivity
The host bd9e6e75-ec75-4c6b-be1b-ebef58146bbe._msdcs.abc.COM could not be resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name
(bd9e6e75-ec75-4c6b-be1b-ebef58146bbe._msdcs.abc.COM) couldn't be
resolved, the server name (DC1.abc.COM) resolved to the IP address
(192.168.1.1) and was pingable. Check that the IP address is
registered correctly with the DNS server.
......................... DC1 failed test Connectivity
Doing primary tests
Testing server: Default-First-Site\DC1
Skipping all tests, because server DC1 is
not responding to directory service requests
Running partition tests on : TAPI3Directory
Starting test: CrossRefValidation
......................... TAPI3Directory passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... TAPI3Directory passed test CheckSDRefDom
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : abc
Starting test: CrossRefValidation
......................... abc passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... abc passed test CheckSDRefDom
Running enterprise tests on : abc.COM
Starting test: Intersite
......................... abc.COM passed test Intersite
Starting test: FsmoCheck
......................... abc.COM passed test FsmoCheck
-------------------------------------------------------------------------
But the funny thing is I am able to ping DC1 by name from DC2 and workstations:
C:\Users\User>ping dc1
Pinging dc1.abc.com [192.168.1.1] with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
---------------------------------------------------------------------------
I also ran repadmin on DC1.
Result:
C:\>repadmin /showrepl /all /verbose
repadmin running command /showrepl against server localhost
Default-First-Site\DC1
DC Options: IS_GC
Site Options: (none)
DC object GUID: bd9e6e75-ec75-4c6b-be1b-ebef58146bbe
DC invocationID: bd9e6e75-ec75-4c6b-be1b-ebef58146bbe
==== INBOUND NEIGHBORS ======================================
DC=ABC,DC=COM
Default-First-Site\DC2 via RPC
DC object GUID: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c
Address: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c._msdcs.ABC.COM
DC invocationID: 7b99d5b5-1757-4533-9976-907907e99eff
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 2190434/OU, 2190434/PU
Last attempt @ 2014-05-21 15:14:40 failed, result 1753 (0x6d9):
There are no more endpoints available from the endpoint mapper.
1400 consecutive failure(s).
Last success @ 2014-05-20 15:38:26.
CN=Configuration,DC=ABC,DC=COM
Default-First-Site\DC2 via RPC
DC object GUID: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c
Address: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c._msdcs.ABC.COM
DC invocationID: 7b99d5b5-1757-4533-9976-907907e99eff
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 2180668/OU, 2180668/PU
Last attempt @ 2014-05-21 14:54:49 failed, result 1753 (0x6d9):
There are no more endpoints available from the endpoint mapper.
118 consecutive failure(s).
Last success @ 2014-05-17 00:54:43.
CN=Schema,CN=Configuration,DC=ABC,DC=COM
Default-First-Site\DC2 via RPC
DC object GUID: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c
Address: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c._msdcs.ABC.COM
DC invocationID: 7b99d5b5-1757-4533-9976-907907e99eff
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 2110088/OU, 2110088/PU
Last attempt @ 2014-05-21 14:55:15 failed, result 1753 (0x6d9):
There are no more endpoints available from the endpoint mapper.
110 consecutive failure(s).
Last success @ 2014-05-17 00:54:43.
DC=DomainDnsZones,DC=ABC,DC=COM
Default-First-Site\DC2 via RPC
DC object GUID: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c
Address: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c._msdcs.ABC.COM
DC invocationID: 7b99d5b5-1757-4533-9976-907907e99eff
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 2190524/OU, 2190524/PU
Last attempt @ 2014-05-21 14:54:24 failed, result 1256 (0x4e8):
The remote system is not available. For information about network troubleshooting, see Windows Help.
32 consecutive failure(s).
Last success @ 2014-05-20 15:38:27.
DC=ForestDnsZones,DC=ABC,DC=COM
Default-First-Site\DC2 via RPC
DC object GUID: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c
Address: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c._msdcs.ABC.COM
DC invocationID: 7b99d5b5-1757-4533-9976-907907e99eff
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 2106507/OU, 2106507/PU
Last attempt @ 2014-05-21 14:54:24 failed, result 1256 (0x4e8):
The remote system is not available. For information about network troubleshooting, see Windows Help.
507 consecutive failure(s).
Last success @ 2014-04-30 16:48:21.
==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============
CN=Configuration,DC=ABC,DC=COM
Default-First-Site\DC2 via RPC
DC object GUID: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c
Address: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c._msdcs.ABC.COM
WRITEABLE
Last attempt @ (never) was successful.
CN=Schema,CN=Configuration,DC=ABC,DC=COM
Default-First-Site\DC2 via RPC
DC object GUID: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c
Address: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c._msdcs.ABC.COM
WRITEABLE
Last attempt @ 2014-05-17 00:55:01 was successful.
DC=DomainDnsZones,DC=ABC,DC=COM
Default-First-Site\DC2 via RPC
DC object GUID: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c
Address: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c._msdcs.ABC.COM
WRITEABLE
Last attempt @ (never) was successful.
DC=ForestDnsZones,DC=ABC,DC=COM
Default-First-Site\DC2 via RPC
DC object GUID: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c
Address: 2bdd0be7-3dfa-4158-b8bd-c54124226e6c._msdcs.ABC.COM
WRITEABLE
Last attempt @ (never) was successful.
==== KCC CONNECTION OBJECTS ============================================
Connection --
Connection name : 2e2755c0-c2b1-484b-a0b2-489926271fd4
Server DNS name : DC1.ABC.COM
Server DN name : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=ABC,DC=COM
Source: Default-First-Site\DC2
******* 1382 CONSECUTIVE FAILURES since 2014-05-20 15:38:27
Last error: 1256 (0x4e8):
The remote system is not available. For information about network troubleshooting, see Windows Help.
TransportType: intrasite RPC
options: isGenerated
ReplicatesNC: DC=ABC,DC=COM
Reason: StaleServersTopology
Replica link has been added.
ReplicatesNC: DC=DomainDnsZones,DC=ABC,DC=COM
Reason: StaleServersTopology
Replica link has been added.
ReplicatesNC: CN=Schema,CN=Configuration,DC=ABC,DC=COM
Reason: StaleServersTopology
Replica link has been added.
ReplicatesNC: DC=ForestDnsZones,DC=ABC,DC=COM
Reason: StaleServersTopology
Replica link has been added.
ReplicatesNC: CN=Configuration,DC=ABC,DC=COM
Reason: StaleServersTopology
Replica link has been added.
enabledConnection: whenChanged: 20140520094554.0Z
whenCreated: 20131005064554.0Z
Schedule:
day: 0123456789ab0123456789ab
Sun: 111111111111111111111111
Mon: 111111111111111111111111
Tue: 111111111111111111111111
Wed: 111111111111111111111111
Thu: 111111111111111111111111
Fri: 111111111111111111111111
Sat: 111111111111111111111111
1 connections found.
Partition Replication Schedule Loading:
00 01 02 03 04 05 06
07 08 09
10 11
0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3
0 1 2 3 0 1 2 3
Sun: 0500000005000000050000000500000005000000050000000500000005000000050
00000050000000500000005000000
Sun: 0500000005000000050000000500000005000000050000000500000005000000050
00000050000000500000005000000
Mon: 0500000005000000050000000500000005000000050000000500000005000000050
00000050000000500000005000000
Mon: 0500000005000000050000000500000005000000050000000500000005000000050
00000050000000500000005000000
Tue: 0500000005000000050000000500000005000000050000000500000005000000050
00000050000000500000005000000
Tue: 0500000005000000050000000500000005000000050000000500000005000000050
00000050000000500000005000000
Wed: 0500000005000000050000000500000005000000050000000500000005000000050
00000050000000500000005000000
Wed: 0500000005000000050000000500000005000000050000000500000005000000050
00000050000000500000005000000
Thu: 0500000005000000050000000500000005000000050000000500000005000000050
00000050000000500000005000000
Thu: 0500000005000000050000000500000005000000050000000500000005000000050
00000050000000500000005000000
Fri: 0500000005000000050000000500000005000000050000000500000005000000050
00000050000000500000005000000
Fri: 0500000005000000050000000500000005000000050000000500000005000000050
00000050000000500000005000000
Sat: 0500000005000000050000000500000005000000050000000500000005000000050
00000050000000500000005000000
Sat: 0500000005000000050000000500000005000000050000000500000005000000050
00000050000000500000005000000
Any suggestion, thanks.
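An added example, not part of the post above, that checks the two dependencies the output points at: the dcdiag Connectivity test could not resolve DC1's GUID CNAME under _msdcs, and repadmin reports result 1753 (endpoint mapper) and 1256 (remote system not available) against DC2. For every DC it resolves the NTDS GUID record and tests TCP reachability of the replication ports. It assumes the ActiveDirectory PowerShell module and Resolve-DnsName (Windows 8 / Server 2012 or later, so it would run from DC2, not from the 2003 box).

```powershell
# Added example (not from the post): per-DC GUID CNAME and port reachability checks.
# Assumes the ActiveDirectory module and Resolve-DnsName (Windows 8/2012 or later).
Import-Module ActiveDirectory

$forestRoot = (Get-ADForest).RootDomain
$ports = @{ 'RPC-EPM' = 135; 'LDAP' = 389; 'SMB' = 445; 'Kerberos' = 88 }

# Plain TCP connect with a timeout; works on any Windows version with .NET 2.0+.
function Test-TcpPort([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

foreach ($dc in Get-ADDomainController -Filter *) {
    # Replication partners are addressed as <objectGUID of NTDS Settings>._msdcs.<forest root>,
    # exactly the name dcdiag could not resolve above.
    $guid  = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
    $cname = "$guid._msdcs.$forestRoot"
    try {
        $resolved = (Resolve-DnsName -Name $cname -Type CNAME -ErrorAction Stop).NameHost -join ','
    } catch { $resolved = '(unresolved)' }

    $portResults = foreach ($p in $ports.GetEnumerator()) {
        '{0}/{1}={2}' -f $p.Key, $p.Value, (Test-TcpPort $dc.HostName $p.Value)
    }
    [pscustomobject]@{
        DC         = $dc.HostName
        GuidCname  = $cname
        ResolvesTo = $resolved
        Ports      = $portResults -join '  '
    }
}
```

A pingable host name with an unresolved GUID CNAME means the A record is fine but the _msdcs zone is missing the CNAME for that DC (restarting the Netlogon service on the affected DC re-registers it). Port 135 answering is necessary but not sufficient for result 1753: the endpoint mapper hands out a dynamic port (49152-65535 on Windows Server 2008 and later, 1025-5000 on Windows Server 2003), and that range must also be open between the two DCs.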
Is there any way to provide only Install / Uninstall rights to domain users in AD 2008?
I need to provide just Install / Uninstall rights to domain users avoiding all other admin privileges.
I can't provide admin rights to them.
Is there any way I can provide them?
Schema Master down
unsuccessful domain controller demotion
Hi, I am getting the following error while demoting a Windows 2003 domain controller. Our environment consists of 2 Win2008R2 DCs, 2 Win2003R2 DCs and 1 Win2003 DC. All FSMO roles are on one of the Win2008R2 DCs. All are Global Catalogs. When I try to demote the Win2003 DC, the following error occurs:
The operation failed because: Active Directory could not configure the computer account xxxx02$ on the remote domain controller xxxx.xxxxx.local. "Access is denied."
Have followed the steps in the following MS article, with no luck: http://support.microsoft.com/kb/2000939
Please help.
regards,
kishore.ch
Kishore Chakka
Periodic NETLOGON & GroupPolicy errors results server hangs (Hard Hang)
Hi,
Our server hangs (hard hang) randomly once or twice a month. It's Server 2008 R2 SP1 with all the latest patches; it's a virtual machine on vSphere 5.5, virtual machine version 10.
I notice that around the time of the hang we have NETLOGON error 5719 and Group Policy error 1054.
Log Name: System
Source: NETLOGON
Date: 26.06.2014 09:49:54
Event ID: 5719
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: xxx.domain.no
Description:
This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following:
The RPC server is unavailable.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="NETLOGON" />
<EventID Qualifiers="0">5719</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-06-26T07:49:54.000000000Z" />
<EventRecordID>91928</EventRecordID>
<Channel>System</Channel>
<Computer>xxx.domain.no</Computer>
<Security />
</System>
<EventData>
<Data>DOMAIN</Data>
<Data>%%1722</Data>
<Binary>170002C0</Binary>
</EventData>
</Event>
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 26.06.2014 08:11:49
Event ID: 1054
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: xxx.domain.no
Description:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
<EventID>1054</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2014-06-26T06:11:49.361463400Z" />
<EventRecordID>91916</EventRecordID>
<Correlation ActivityID="{A79795FE-5CB2-4051-83F7-FA6F9BC566E1}" />
<Execution ProcessID="872" ThreadID="1148" />
<Channel>System</Channel>
<Computer>xxx.domain.no</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="SupportInfo1">1</Data>
<Data Name="SupportInfo2">1903</Data>
<Data Name="ProcessingMode">0</Data>
<Data Name="ProcessingTimeInMilliseconds">1139</Data>
<Data Name="ErrorCode">58</Data>
<Data Name="ErrorDescription">The specified server cannot perform the requested operation. </Data>
</EventData>
</Event>
I have checked all settings such as domain and DNS connectivity, Sysvol access, Ping check (NetBIOS\FQDN), deleted the computer account and rejoined the server to domain and all other basic steps but nothing has helped.
What shall be the next step to figure out the cause?
Regards
Prabhash
Certificate Services - Autoenrollment not occurring
I am having an issue getting autoenrollment to occur. I am not getting an error that I can see - it appears to be not initiating.
The forest is at Windows 2008 R2 domain functional. The root CA is an enterprise CA. The client machines are Windows 2008 R2.
I installed only the Certification Authority role service. This CA will only be used to issue server authentication certificates within its forest.
I've followed the tasks for Configuring AutoEnrollment in Group Policy.
I've verified the Default Action for a Certificate Request.
Along with the steps outlined in Set Up Automatic Certificate Enrollment, I duplicated the default Computer (Machine) template, set properties, and granted Read, Enroll, and Autoenroll to Domain Computers.
Results:
I see two information entries in the Application event log on the client with the following text:
- Certificate enrollment for Local system is successfully authenticated by policy server {9EC47EC2-7C6B-42EE-9722-3650C7E4EED1}
- Certificate enrollment for Local system successfully load policy from policy server
On the CA, I see no entries in Failed Requests, Pending Requests, or Revoked Certificates. I also see no new entries in Issued Certificates.
On the client, I can use certutil or the Certificates MMC snap-in to request a new certificate that automatically gets issued, but I'm looking for autoenrollment to kick in so I can avoid logging into every machine.
I appreciate any advice or direction in this matter.
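An added example, not from the post above, of the client-side checks worth running before looking at the CA again: whether the autoenrollment policy actually reached the machine, a forced autoenrollment pass, and which templates the machine's certificates were issued from. It assumes an elevated PowerShell session on one of the Windows 2008 R2 clients.

```powershell
# Added example (not from the post): client-side autoenrollment checks.
# Run elevated on a domain-joined client.

# 1. Did the "Certificate Services Client - Auto-Enrollment" policy apply?
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue
if (-not $ae) {
    Write-Warning 'No AEPolicy value: the autoenrollment GPO has not applied to this machine.'
} else {
    # Bit 1 = autoenrollment enabled, bit 2 = renew expired / update pending,
    # bit 4 = update certificates that use templates. "Enabled" with both boxes ticked = 7.
    $p = $ae.AEPolicy
    'AEPolicy={0}: enabled={1} renew/update={2} updateTemplates={3}' -f $p, [bool]($p -band 1), [bool]($p -band 2), [bool]($p -band 4)
}

# 2. Run the machine autoenrollment task now instead of waiting for the next
#    boot or the 8-hour timer.
certutil -pulse | Out-Null
Start-Sleep -Seconds 15

# 3. Which template did each machine certificate come from? v2 templates stamp the
#    "Certificate Template Information" extension (OID 1.3.6.1.4.1.311.21.7).
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    [pscustomobject]@{
        Subject  = $_.Subject
        Template = if ($ext) { $ext.Format($false) } else { '(none / v1 template)' }
        NotAfter = $_.NotAfter
    }
} | Format-Table -AutoSize
```

If the policy is present and the pulse still produces nothing, the remaining silent failure mode is on the CA side: a duplicated template only becomes issuable once it is added under the CA's Certificate Templates folder (certutil -CATemplates, run on the CA, lists what it will issue), and a machine template whose subject name is not built from Active Directory information is skipped by autoenrollment because it would need interactive input.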
Verify ForestPrep, Domainprep & Rodcprep result-Powershell
Verify ForestPrep, Domainprep & Rodcprep result
http://gallery.technet.microsoft.com/scriptcenter/Verify-ForestPrep-4df59cd5
Regards~Biswajit
within adfs I need to pass domainname\username as nameid.
Newb here. The IdP is ADFS and my SP needs the NameID to equal the Windows account name. When I edit the claims rule I don't see Windows account name as an option, and if I just type it in, it passes nothing on to the SP. What am I doing wrong?
thanks greatly
tr
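An added example, not from the post above, of a custom issuance transform rule that turns the incoming windowsaccountname claim (which carries the DOMAIN\username value) into the SAML NameID. It assumes the AD FS 2.0 PowerShell snap-in and a relying party trust whose display name is the placeholder "My SP".

```powershell
# Added example (not from the post): issue NameID from windowsaccountname.
# Assumes AD FS 2.0 and a relying party trust named 'My SP' (placeholder).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName = 'My SP'   # placeholder: display name of the relying party trust

# Claim rule language: match the Windows account name passed through from the
# Active Directory claims provider and re-issue its value as a NameID whose
# format property tells the SP how to interpret it.
$rule = @'
@RuleName = "Windows account name as NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
            = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Append to whatever issuance rules the trust already has rather than replacing them.
$existing = (Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceTransformRules
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($existing + "`n" + $rule)

# Show the resulting rule set.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

The rule only fires if windowsaccountname is present in the pipeline; the default Active Directory claims provider trust passes it through, but if those acceptance rules were edited it has to be added back there first. The format property is what many SPs check when deciding whether to accept the NameID, so match it to what the SP's metadata asks for (unspecified here; persistent or emailAddress are other common values).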
NTDS.DIT object deletion verification
How can I truly verify that the NTDS.DIT doesn't contain an object that I have deleted? I know, I could copy/system state backup the original, then delete an OU, then offline defrag, then restart NTDS and try to restore the OU.
My question is: is there an easier way? I need this in order to appease my infosec guys.
Thanks,
Dell
AD object security inheritance getting disabled
Hi,
I am observing a few users are having a security inheritance issue and AD administrators are losing their permissions on these user objects.
Inheritance is getting removed automatically after some time even after setting it manually as per below screenshot.
Please, if anyone can tell me how to find the cause of this issue. Also, if I check advanced security on the parent OU, I am not getting the option to apply the inheritance on all child objects. Is there any way or command via which I can re-enable inheritance or apply permissions on all child objects under an OU?
Thank you in advance.
Regards,
J R Dash
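An added example, not from the post above, that lists the user objects under an OU whose ACL has inheritance blocked, shows whether they carry the adminCount=1 stamp that the AdminSDHolder process (SDProp) leaves on members of protected groups, and can re-enable inheritance. It assumes the ActiveDirectory PowerShell module and the AD: drive it provides; the OU is a constructed placeholder.

```powershell
# Added example (not from the post): find and repair blocked inheritance on users.
# Assumes the ActiveDirectory module; $SearchBase is a constructed placeholder.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=example,DC=com'
$Fix = $false   # set to $true to actually change ACLs

$users = Get-ADUser -SearchBase $SearchBase -Filter * -Properties adminCount, nTSecurityDescriptor

# AreAccessRulesProtected is the "include inheritable permissions" box being unticked.
$blocked = $users | Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected }

$blocked | ForEach-Object {
    # adminCount = 1 is the stamp SDProp puts on current or former members of protected
    # groups (Domain Admins, Account Operators, ...). On those objects SDProp re-applies
    # the AdminSDHolder ACL and blocks inheritance again every 60 minutes.
    [pscustomobject]@{
        User         = $_.SamAccountName
        AdminCount   = $_.adminCount
        LikelySDProp = ($_.adminCount -eq 1)
    }
} | Format-Table -AutoSize

if ($Fix) {
    foreach ($u in $blocked) {
        if ($u.adminCount -eq 1) {
            # Only durable once the user is no longer in any protected group.
            Set-ADUser -Identity $u -Clear adminCount
        }
        $path = "AD:\$($u.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $acl.SetAccessRuleProtection($false, $true)   # inherit again, keep explicit ACEs
        Set-Acl -Path $path -AclObject $acl
    }
}
```

If the affected users all show adminCount=1, the "automatic removal after some time" matches SDProp's behaviour and the fix is group membership, not ACLs: take them out of the protected groups (or accept that they stay protected), then clear the stamp and restore inheritance. Users with inheritance blocked but no adminCount stamp were protected by something else, and the object's whenChanged together with directory service change auditing (event 5136) will show what.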
Unable to connect to Netlogon share in Windows 2008 R2
Hi,
Let me tell you about the initial setup. We had a Windows Server 2003 Standard edition 32-bit operating system, which was our Domain Controller. We installed a Windows Server 2008 R2 Standard edition, which is a virtual machine hosted in an ESXi Server. Adprep was run and DCPROMO was performed. The installation was successful.
But, after installation SYSVOL and Netlogon were missing. I had changed the registry value HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SysvolReady flag to 1, which was initially 0. After the change, the SYSVOL folder is showing as a shared folder when typing C:\>net share. If the registry value is reverted, the SYSVOL is missing.
The issue is still, I am not getting the NETLOGON share folder. Does anyone have any idea?
Also, when I try an nslookup, I get the Server: Unknown answer. Why is it so? I would really appreciate it if anyone can put any clue on this issue.
Thanks in advance.
Tom Jacob
Server 2012 Active Directory replication problems
Hi.
I've got a forest with 2 sites.
forest - domain.local
site a: - everything appears to work fine
srv-adc1 10.100.100.11 - domain controller - replicating with srv-adc2
srv-adc2 10.100.100.12 - domain controller - replicating with srv-adc1
site b: - was offline for more than 180 days
srv-bdc1 10.200.100.11 - domain controller - not replicating with srv-adc1
srv-bdc2 10.200.100.12 - demoted domain controller
each domain controller is also a dns server
all the servers are microsoft 2012
Site B was offline for more than 180 days, so it exceeded the tombstone lifetime.
I demoted srv-bdc2 and did a metadata cleanup on the rest of the servers.
I took srv-bdc2 out of the domain and brought it back in.
When I try to promote it again I get an access denied error.
When I try to browse to \\domain.local\ from any server in site B I get a network name error.
The same thing if I try \\srv-adc1\.
With IP it's working just fine.
I looked everywhere in the DNS but got nothing.
Anyone has an idea?
Need adext.zip to add users phot in AD
Hi,
I am having only Windows 2008 and 2012 servers on my network. Don't have Exchange and Communicator server in my environment. While surfing on the net I found that the adext.zip file will fulfill my requirement, and the link http://www.dewdney.co.uk/adext/adext.zip is not working now. Can you please guide me to get the file? Thanks.
Regards,
Ramasamy R S
User roaming profile error - Access denied with event ID 1521
Hi,
I got event error log with user roaming profile issue.
Event Log Details - http://social.technet.microsoft.com/Forums/getfile/483551
User profile Properities - http://social.technet.microsoft.com/Forums/getfile/483552
In the user properties I don't find any roaming profile configuration, nor in the logon script as pasted below. Still I am getting the roaming profile error.
Logon Script;
REM net use i: /d
REM net use l: /d
REM net use m: /d
REM net use s: /d
REM net use t: /d
REM net use z: /d
REM set Mdlogic export directory
REM net use i: \\new\trans /persistent:yes
REM set MedMaster directory
net use l: \\new1\med /yes
REM set drive for APPS share
net use m: \\new1\apps /yes
REM set COMMON SHARE
net use S: \\new1\share /yes
REM set directory for VASLAB ACCESS Database
net use T: \\new1\system /yes
REM set Mdlogic export directory
net use z: \\new\trans /persistent:yes
rem centps
rem \\new1\source\centps\KcsSetup.exe
Please guide me to proceed further.
Regards,
Ramasamy R S