How to check the tombstone lifetime for DNS servers - AD INtegrated
Appreciate the earliest response
SUBBURAJ T
Hi, I am getting the following error while demoting a Windows 2003 domain controller. Our environment consists of 2 Win2008R2 DCs, 2 Win2003R2 DCs and 1 Win2003 DC. All FSMO roles are on one of the Win2008R2 DCs. All are Global Catalogs. When I try to demote the Win2003 DC, the following error occurs:
The operation failed because: Active Directory could not configure the computer account xxxx02$ on the remote domain controller xxxx.xxxxx.local. "Access is denied."
I have followed the steps in the following MS article with no luck: http://support.microsoft.com/kb/2000939
Please help.
regards,
kishore.ch
Hello, gentlemen!
I have cloned, sysprepped and moved a Win2003 VM from the site1 datacenter to the site2 datacenter, where we don't have a domain controller for this domain yet. So we requested the standard set of AD ports to be opened from site2 to site1, as described in this thread:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/1c6a59de-c1fe-4946-bb4e-1fe36fd40b08/required-ports-to-communicate-with-domain-controller?forum=winserverDS
The VM is able to join/leave the domain without any issues. The issues start after joining the domain: "Applying computer settings" can last 15-20 minutes. In the Event Viewer I see errors 1053 and 1054:
1054:
Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.
1053:
Windows cannot determine the user or computer name. (The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you. ). Group Policy processing aborted.
The networking team says that they opened all possible port access to the domain controllers, but I still have the same issues.
Any suggestions?
Could someone please sanity check this task sequence? I need to upgrade a 2003 domain to 2012 R2 and would appreciate a second set of eyes. Thanks.
Goal:
1. standup two new 2012 R2 DCs
2. decomm three old DCs
3. raise DFL/FFL to 2012 R2
Current DFL/FFL = 2003 (one site, one domain, 3 DCs, 400 users)
3 Existing DCs (all to be decommed):
OldDC1 = Svr2003 Std Ed SP2 x64 (holds all FSMO roles, GC=yes)
OldDC2 = Svr2003 Ent Ed SP1 x86 (holds no FSMO roles, GC=yes)
OldDC3 = Svr2003 Std Ed SP2 x64 (holds no FSMO roles, GC=no)
New DCs to be added:
NewDC1 Svr2012 R2
NewDC2 Svr2012 R2
Proposed task sequence:
* build and patch OS, then add ADDS role to NewDC1 and NewDC2 (do not yet add servers to existing domain)
* in the network config of new DCs, set the DNS server IP to the IP of OldDC1
* when installing ADDS, I will be prompted to run Adprep.exe; it will be run as part of installing ADDS and will update the existing domain schema as needed
* add NewDC1 and NewDC2 to existing domain
* in the network config of the new DCs, set the DNS server IP to that of the local server
* make both GCs, make both DNS servers
* distribute FSMO roles thusly:
  * DC1 = PDCE, RID (more frequently used roles)
  * DC2 = SM, DNM, IM (rarely used roles)
* run dcdiag.exe commands to verify functionality
* power off OldDCs one at a time, waiting 24 hours between each shut down
* raise DFL/FFL to 2012 R2 after all old DCs are decommed
We use 3 DCs in one domain.
Has anyone had this issue?
Only one DC is getting this error; it is unique to this DC. Here are the errors:
X:\>gpupdate /force
Updating Policy...
User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
Component Name | Status | Last Process Time
---|---|---
Group Policy Infrastructure | Failed | 7/1/2014 7:03:00 AM
Registry | (N/A) | 6/20/2014 8:55:07 PM
Scripts | (N/A) | 6/20/2014 8:55:08 PM
Security | (N/A) | 6/20/2014 8:55:11 PM
Software Installation | (N/A) | 6/30/2014 8:48:48 AM
Dear members,
I want to reset a local admin account (not the built-in Administrator). Let's say I have a user adminlocal who is a member of the Administrators group. My question is how to reset this user via GPO in the domain, because I have more than 5000 workstations in my environment, and how to generate a summary of all workstations on which the password was reset.
I've tried the approach from this link,
http://community.spiceworks.com/how_to/show/1966-how-to-change-local-user-or-admin-passwords-on-remote-computers
using PSTools (Sysinternals) from Microsoft, but when I execute it against one PC on the domain as a sample using this script, it shows access denied.
Can anyone in this forum help me resolve this problem?
I have configured Restricted Groups in a GPO in mydomains.com.
So I added a group called 'ABC_Support' and in the second box ("This group is a member of") I put Administrators.
In the ABC_Support group there is one user called 'tech_admin'.
Result: the GPO was successfully pushed to the workstations, ABC_Support is a member of the local Administrators group and tech_admin is able to administer the workstations.
Problem: on the domain controller, you will see that ABC_Support is also a member of the built-in Administrators group. tech_admin is able to access the domain controller remotely and can create users, really just like a domain admin.
Is there any solution that prevents the problem? Is this behaviour normal? Are Restricted Groups designed like that? I know there is a GPO under User Configuration, "Local Users and Groups".
Hi Folks,
Today I have a domain "enterprise.intranet" and a SharePoint site named intranet.
Until a few weeks ago, we had a CNAME Intranet pointing to our SharePoint site and an SRV record pointing to our KMS server.
Yesterday I saw some changes in my DNS. The CNAME records don't appear in my forward lookup zone, and a subfolder was created in my zone.
This is an example:
SERVER
- Forward Lookup Zone
  - _msdcs.enterprise.intranet
  - enterprise.intranet
    - _sites
    - _tcp
    - _udp
    - DomainDNSZones
    - ForestDNSZones
    - KMS
    - Intranet
      - (same as parent folder) alias (CNAME) Site
I would like to know why these changes are happening,
because in my other zones these changes don't occur,
and all other records are created normally.
No errors appear in Event Viewer, SCOM or ADRAP.
Thanks.
Daniel Felipe
Hi,
I would like to upgrade our domain from the 2008 R2 functional level to the 2012 R2 functional level. We use DirSync and ADFS for O365 in our Exchange Hybrid environment.
Are there any implications to doing this? Will I need to upgrade my ADFS proxies and ADFS servers to 2012 R2 as well?
Best wishes
Michael
As you may know, built-in Administrator accounts in Active Directory should be disabled according to Microsoft's recommendation:
http://technet.microsoft.com/en-us/library/dn535492.aspx
The question is how to enable the built-in Administrator account from one of our DCs if we have lost all our domain admin passwords. Does Directory Services Restore Mode help us to enable it?
Hi
I have shared our on-premises directory with Office 365 via DirSync. Now what I am getting is that users' email IDs are being changed on Office 365 to @domain.onmicrosoft.com, where they were @domain.com.
When I checked the on-premises Active Directory, in the user's proxy addresses (user attribute) there is a value that appeared automatically, which is:
"x500:/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=ec1e3384d2934427b721563588def141-user@domain.com "
Whenever I remove this entry from the user's attribute, after syncing the user's email gets reverted back, i.e. user@domain.com.
It is happening with multiple users, seemingly at random.
Please suggest a resolution.
Thanks
Techsol
Thanks, Kk
Hi
We have a Windows 2003 forest with a single domain. We wish to upgrade it to Windows 2012 but also want the flexibility to be able to add Windows 2008/2008 R2 DCs if the need arises in future. My question is:
Do we first need to run the Windows 2008 R2 ADPrep.exe commands in the Windows 2003 forest and then run the Windows 2012 ADPrep.exe command, or will running Windows 2012 ADPrep directly in the Windows 2003 forest achieve the desired result?
Thanks
Taranjeet Singh
zamn
Hi,
We are planning to add an RODC in Amazon Web Services. This RODC will be used to authenticate Windows servers and some users on this platform.
AWS and our LAN are connected through a VPN (with filtered network access).
My questions are: is it secure to configure an RODC in the cloud like that? Is there a better solution?
What are the best practices ?
Thank you
I have run into a problem with Safari users not being able to log into Office 365 using ADFS. This only affects users that are members of a large number of groups and is due to Safari not being able to deal with cookies larger than 4k. I believe I have found a workaround by removing the "Pass through all Group SID claims" rule from the Acceptance Transform Rules on the Active Directory claims provider trust. This seems to work, as the group SIDs are no longer being added to claims and the Safari users are able to log in. I have validated this from both the client perspective (being able to authenticate) and the server perspective (the claims logged in the security event log no longer have groupsid entries). The odd thing is, when I test authenticating with Outlook or ActiveSync, I do see all the groupsid entries in the security event log.
Does modifying the Acceptance Transform Rules only affect clients authenticating with a browser?
BTW, I'm using ADFS 2.0.
We are looking at using Windows Azure to host an RODC for our institution. We have a couple of essential hosted applications that require LDAP lookup and would like to have some redundancy if our WAN connection drops. I have never set up an RODC, and after doing some reading it looks like credentials need to be cached in order for authentication to work if the WAN were to go down. Is it possible to cache credentials for all our users? It looks like most organizations have these at remote sites and only cache users for that location. Any help/guidance is appreciated.
Folks:
I am having an issue with a system, which is throwing a really odd error message. When the user tries to modify the AD group, they receive the following error message:
“You do not have permission to modify the group”, which is then followed by what appears to be Chinese or Japanese characters. In addition, the characters randomly change, which makes me believe the characters are ASCII values or equivalent, not specific values for any coherent words provided by installed language packages.
Has anyone seen this issue before? If so can you offer any advice?
Thank you.
Please help me
I am logging in on Server 2008 R2 via the administrator ID, but the server is not accepting the password and shows the error "The security database on the server does not have a computer account for this workstation trust relationship".
How do I log in to this server?
Please help me ASAP.
Hi,
Our company has two different domains in two different locations. Now I want to change to a single domain for both locations. How can I change it, and if I change the domain, will any problems come afterwards, like server down problems, folder access problems or user login problems? Please let me know.
Regards,
Illayaraja
Hello,
We have a Server 2008 R2 RODC in a DMZ. I need to upgrade to Server 2012 while retaining the computer account. I need to retain the computer account because there are a number of groups populated with user accounts in the 'Allowed RODC Password Replication Group', and by retaining the computer account I won't force the user accounts who authenticated on this RODC to reset their password, correct? If I deleted the computer account during the upgrade, I'd force the user accounts who authenticated on this RODC to reset their password, due to the fact that the computer account's metadata is gone, correct?
Thanks for your help! SdeDot
Some time ago one of my office DCs crashed; there is still one DC active, and I want to re-create a new DC as a backup. But before that I checked the condition of the active DC and found that the name of the crashed server is still there. What should I do to make my DC healthy?
Please Help
Dnia\NDNTS10 via RPC
DC object GUID: 76f671f0-d901-4975-b44c-479e3392564d
Last attempt @ 2014-06-19 13:49:17 failed, result 1722 (0x6ba):
The RPC server is unavailable.
4458 consecutive failure(s).
Last success @ 2013-12-14 15:17:07.