Channel: Directory Services forum
Viewing all 31638 articles

ODBC data source link to active directory


Dears:

We have a ready application that uses a Windows ODBC data source to link to Active Directory. How can we do that in Windows 7?


Cannot authenticate without one of two AD controllers


Hello, we are finally migrating our AD environment. Until the migration we had one AD 2003 SP2 domain controller (physical). We have decided to add a second controller (VM) based on Windows 2008 R2. Firstly, the new AD controller was fully patched with MS updates before joining the AD domain.

Specs of AD controllers:

1x physical 2003 SP2 (GC, all FSMO roles), dns role

1x virtual 2008 R2(reserved 4cores, 8gb ram, 2xhdd dedicated to AD in raid 1) - GC and dns as well

Both controllers work well and replicate data between themselves. Both are GCs, and the 2003 DC holds all FSMO roles.

DNSs on DC's are configured as follows: preferred DNS - itself, secondary- second DC. 

We wanted to configure them crosswise (preferred to the second DC and secondary to itself) but it gave the following strange situation:

When only the 2003 DC is online we cannot log in to it via RDP or locally. Workstation login takes quite long, so I assume it times out and finally logs in with cached credentials. The error message is "The specified domain either does not exist or could not be contacted".

When only the 2008 DC is online we can successfully log in to it via RDP, and workstation login takes quite long as well.

Unfortunately, configuring the preferred DNS server to itself (local IP, not loopback) gives the same error.

Steps that were performed:

fully patch 2003 DC

fully patch 2008 R2 

join 2008r2 to 2000 level domain served by 2003 DC

upgraded 2000 level domain to 2003

upgraded 2000 forest level to 2003

promoted 2008r2 as second GC DC

reconfigured DNS as stated above.

Above steps were performed in about one week time-span, so servers have had time to synchronize and replicate.

I would like to know what causes the above situation: without the new DC, the old one serves neither clients nor DNS requests, so clients don't have internet access.

The next step is to add a temporary third 2008 R2 DC, migrate the FSMO roles to it, demote the 2003 DC and upgrade the domain and forest to the 2008 level, but before that we wanted to test things, and the above situation occurred.

Additionally, when the old DC starts up without the new one it logs the following errors:

DNS: event 4015 - critical error, check if the DNS service works and is available,

then six DNS: event 4004 - error, the DNS server was unable to enumerate the following DNS zones <- this one repeats for every DNS zone, including _msdcs.domain_name.

I suspect the DNS service is failing, but what's the reason? That's why the server can't authenticate and serve DNS requests.

Any suggestions?



Active Directory Delegation of Control Wizard


Hi All,

I just want to ask if there is a security concern, or if it is not best practice, that after I delegated control of some common tasks to our help desk staff, I delegated it directly to our domain and not to the specific OUs. (Kindly see the attached screenshot.)

Delegated tasks were:

1. Create, delete and manage user accounts

2. Reset user passwords and force password change at next logon

3. Join a computer to the domain

4. Read all user information

Do I need to remove the delegated permission because it was made on the domain itself (please give me some instructions on how to do it) and do the delegation again on our specific OUs, or is it OK, and can I pretend that I did the right thing? Please advise.

Forest functional level: Windows Server 2008 R2

Domain controllers are a mix of Windows Server 2012 and Windows Server 2008 R2.

Appreciate any comments/ suggestions.
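The question above is really "what exactly does the help desk group hold, and at which scope?". An added example (not from the forum post, and not Microsoft's tooling) that answers it with the RSAT ActiveDirectory module: it lists the explicit, non-inherited ACEs a principal holds on a given object, with the schema and extended-right GUIDs resolved to names. 'CONTOSO\HelpDesk' and the OU distinguished name are placeholders.

```powershell
# Added example, not from the forum post. Lists the explicit (non-inherited) ACEs that a
# delegated principal holds on an AD object, so a delegation made at the domain root can be
# reviewed before it is re-done at the intended OU.
# Assumes the RSAT ActiveDirectory module (it provides the AD: drive used by Get-Acl).
Import-Module ActiveDirectory

# Build a lookup of schema attribute/class GUIDs and extended-right GUIDs to readable names,
# so ObjectType / InheritedObjectType show "user" or "Reset Password" instead of a GUID.
function Get-AdGuidMap {
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[([guid]$_.rightsGuid).ToString()] = $_.displayName }
    return $map
}

# Empty GUID means "all attributes / all object classes"; otherwise look the GUID up.
function Resolve-AdGuid {
    param([guid] $Guid, [hashtable] $Map)
    if ($Guid -eq [guid]::Empty) { return 'All' }
    $key = $Guid.ToString()
    if ($Map.ContainsKey($key)) { return $Map[$key] }
    return $key
}

function Get-DelegatedAces {
    param(
        [Parameter(Mandatory)] [string] $Principal,                      # e.g. 'CONTOSO\HelpDesk' (placeholder)
        [string] $DistinguishedName = (Get-ADDomain).DistinguishedName   # default: the domain root
    )
    $guidMap = Get-AdGuidMap
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Principal -and -not $_.IsInherited } |
        ForEach-Object {
            [pscustomobject]@{
                Rights      = $_.ActiveDirectoryRights
                Type        = $_.AccessControlType
                ObjectType  = Resolve-AdGuid $_.ObjectType $guidMap          # attribute or right granted
                AppliesTo   = Resolve-AdGuid $_.InheritedObjectType $guidMap # object class it flows down to
                Inheritance = $_.InheritanceType                             # at the root, 'Descendents' = every OU
            }
        }
}

# Compare what the help desk holds at the domain root with what it holds on the intended OU.
Get-DelegatedAces -Principal 'CONTOSO\HelpDesk' | Format-Table -AutoSize
Get-DelegatedAces -Principal 'CONTOSO\HelpDesk' `
    -DistinguishedName 'OU=HelpDeskManaged,DC=contoso,DC=com' | Format-Table -AutoSize
```

An ACE placed at the domain root with inheritance set to descendants applies to every OU beneath it, including the Domain Controllers OU and any OU created later; only accounts protected by AdminSDHolder (adminCount=1) are shielded from inherited ACEs. The Delegation of Control wizard has no undo: the entries are removed from the Security tab of the domain object (Advanced view), or with dsacls, where `dsacls "DC=contoso,DC=com" /R CONTOSO\HelpDesk` strips every explicit ACE for that principal from that object, after which the wizard can be re-run on the intended OU.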

Slow logon (online/offline) with users home folder enabled


Hi.

In my scenario I’m using Windows Server 2003 R2 X64 and Windows XP Pro SP3.

When I assign a Home Folder for a user, the logon process is slow (long time). When I remove the Home Folder from the user object the logon process is fast. Why is this?

For this troubleshoot I have created a new user, who is not affected with any GPO, Roaming Profile, logon script etc. DNS works great. I have also tried to remove the Home Folder from the user object and run a script to map the earlier used Home Folder share. This is to "manually" assign the user a Home Folder share. The logon process is fast this way.

What is it with the centrally assigned Home Folder on the user's object that is different from other shared and mapped folders (apart from the obvious)? A quick fix is of course to remove every user's Home Folder registration and manually assign these Home Folders/shares through logon scripts, but I do not like the thought of this.

The problem I experience is also described in this forum and thread: http://www.minasi.com/forum/topic.asp?TOPIC_ID=32051

Other, what I regard as not important, information:

I have an AD with several sites, and a domain controller in every site. I do not think this is part of the problem, because the client computer is authenticating with and connected to the right domain controller. This is also the server hosting the user's Home Folder.

Ktpass: failed getting target domain for specified user


Hi all,

I am trying to generate a keytab file by following the document

http://docs.oracle.com/cd/E17904_01/doc.1111/e15740/wna.htm#REGADWNA

relevant section 7.3.2.

Environment we are using as follows:

Microsoft windows server 2008

Command executed :

ktpass /princ NTDS@MSCAD.AE /mapuser syed@MSCAD.AE /pass Micro123 /out c:\poc.keytab

Here NTDS (AD windows service name)

MSCAD.AE (AD domain name)

syed@MSCAD.AE (AD user)

Micro123 (Password)

c:\poc.keytab (file location)

While executing it, the following error is displayed:

C:\>ktpass /princ NTDS@MSCAD.AE /mapuser syed@MSCAD.AE /pass Micro123 /out c:\poc.keytab
Cannot bind to default domain: 0x54b
ktpass:failed getting target domain for specified user.

Your assistance in this regard would be highly desirable.

Regards,

Syed Waqar

Migrate servers between domains


Hello

We need to plan an AD domain migration to an already existing domain - i.e. not a new domain - for dozens of servers hosting different roles and am looking for some general pointers for what we should be aware of.

We cannot use ADMT (for internal political reasons) and cannot use external tools, e.g. Quest (for cost reasons)

The roles on the servers include:

Domain controllers, IIS, SQL, CRM, VMWare Virtual Center - plus other bespoke applications.

I know there will NOT be a "one size fits all" process for every server (or even every application) but was hoping someone could provide general information for the apps mentioned above.

e.g. should we not even consider moving the server(s) between domains but rather build a new server and reinstall the application ?  If rebuilding a server is NOT an option for any reason, CAN we move the application server(s) to the other domain without issues ?

I realise this is a very complex set of tasks but, as I said, just looking for some general information to give us a starting point.

Thanks

 

Migrating to another AD


Hi All,

We have a main network with a few DCs at a few sites, Exchange in the datacenter on the same domain, etc. Some time ago we bought another company that had its own AD domain, so we just connected our networks via VPN, set up a trust, etc. domain1 has user accounts with the same names as in domain2 (plus its own), as we use a single Exchange, which is in domain1 (so domain1 has all the users already).

Now we want to migrate/merge the purchased company's domain (domain2) into our main domain (domain1), so the questions are:

1. Can we, and if we can, is it worth it, to move/merge all the PCs/DCs/member servers etc. from domain2 to domain1 (especially, what can we do with the domain controllers in domain2)?

2. What can we do with file/folder permissions on the file servers in domain2 if we want to move data from domain2 to domain1 (just to remind: we have user accounts with the same names in domain2 and domain1)?

Thanks

Error when pre staging RODC server 2012 R2


Hello,

I am having an issue pre-creating a Windows Server 2012 R2 RODC in my new domain tree.  I have a forest which runs with server 2012 servers and the FFL and DFL are 2003.  I needed to make a new security boundary so I created a new domain tree and used server 2012 R2 as the OS for the first DC. That works fine, but when trying to create the RODC I see the error at the very end of the wizard:

The operation cannot continue because a required object was not found in Active Directory Domain Services: CN=Partitions, CN=Configuration, DC=Contoso, DC=com;onelevel;(&(ncName=DC=DomainDnsZones,DC=adatum,DC=com)(msDS-NC-Replica-Locations=*))".

I do have 2012 RODCs in the child domain of the forest but not 2012 R2 RODCs.

any help is appreciated.

thanks!
Franz


the dfs replication service stopped replication on the replicated folder (ad domain controllers x 2)


Hi, I have 2 domain controllers. I had an issue where one of the DCs said that the SYSVOL was older than the default of 60 days.
I increased the number of days and then started replication again by using the following command

wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where "volumeGuid='VOLUME GUID'" call ResumeReplication

On my test environment this all worked and the issue is resolved, but on prod I get the following

The DFS Replication service stopped replication on the replicated folder at local path C:\Windows\SYSVOL\domain. 

Additional Information: 
Error: 9073 (Content set initialization is pending journal wrap task to resume journal read) 
Additional context of the error:   
Replicated Folder Name: SYSVOL Share 
Replicated Folder ID: 7AB1B551-0EBB-4405-8009-62EA3E692F71 
Replication Group Name: Domain System Volume 
Replication Group ID: 829F9485-564E-40A1-B4FC-2CE3E54D5CBE 
Member ID: 309FB688-2A1F-410A-B068-16ABC24EF698

Anyone got any suggestions on what I should try next?

Thanks


phill

DC ungracefully demoted but being used as a member server


Hi there,

I have a question regarding a set-up I have seen that I was hoping someone could advise with.

Essentially, the client had 3 domain controllers: DC1, DC2, and DC3. The servers are all 2003 SP3 Standard. The forest and domain functional levels are Windows 2000.

DC1 and 2 are still there, DC3 is running as a member server and has the DHCP role installed along with some apps. However, it is still present in AD Sites and services. It seems it has been ungracefully demoted but onsite IT aren't providing further info. The object for DC is tomb-stoned and this was probably done some months back. I have cleaned up DNS. However, on DCs 1 and 2, I am seeing Event ID 1925, Event Source NTDS KCC (the attempt to establish a replication link for the following writeable controller directory partition failed) The event data points to DC 3 and the error value is 1753. There are no more endpoints available from the endpoint mapper. 

In AD users and Computers, DC 3 is located in the Member Servers OU and is not in the Domain Controllers OU.

In AD Sites and services, when I go to Sites>Sitename>DC3>NTDS Settings and click delete, it gives me three options: 

-I want to demote this DC and continue using it as a computer

-I want to restart AD Replication for this DC

-This DC is permanently offline and can no longer be demoted using DCPROMO.

If I choose the first option (as they are using the server), I get a message that I need to use DCPromo to demote the DC. However, DC3 does not even have the Domain Controller Role Installed.

If I use ntdsutil and metadata cleanup, I can see DC3 listed as a Domain Controller.

What is the safest way to fix this issue (removing DC3 as a DC in AD sites and services, resolving event id 1925)?

I can

- Use metadata cleanup. Following this, will I have to remove the server from the domain and then rejoin it to the domain? Will Metadata cleanup remove the 'member' server as well or will I need to take further steps to ensure the server can still be used as a member server (be able to log on to it, etc.)?

-Rename the server to Member1 from DC3. Use metadata cleanup to remove DC3. Rename Member1 to DC3 again (some apps and pcs require the same name and IP address).

Any other suggestions welcome.


Thanks very much.

Kind Regards

HA

Workplace Join on Azure


Hello All,

Is the Workplace Join feature coming to the Azure platform?

Any reference link to understand what will be covered?


Regards, Dematri

protect object from accidental deletion domain controller server

Maybe I am missing something. We wanted to protect DC servers from accidental deletion using the "Protect object from accidental deletion" option. But after setting the checkbox on the server's object, after some time the checkbox is removed automatically. Why could this happen? On the OU we have the box checked and it stays on.

Find Computer name


Hi 

I have a computer object named weirdly (E29GDG87G9D) in active directory Users and Group. 

There is no description available of that Computer. 

I don't know how to find that computer. How do I find who uses it? Is there any way to do some reverse engineering to find who uses it?

Because other computers are named according to our naming convention. 

Thanks,

Adprep encountered a Win32 error. Error code: 0x6ba Error message: The RPC server is unavailable.


I managed to resolve this issue myself but I would like to put the knowledge out there

I got the above error when joining a 2012 R2 Standard server to a 2003 Domain.

I found the following article which pointed me in the right direction, but didn't resolve it for me

http://support.microsoft.com/kb/2737560

I verified that my Network Service was properly configured to LogonAsAService.

However, when I opened Windows Firewall it told me that IPNAT was using the network, so it couldn't be configured.

I removed the Routing and Remote Access configuration from my Domain Controller, and that allowed me to access the RPC server.

Renewing CS root certificate


I have a CS based on a Win2008R2 domain (now we have some Win2012 R2 DCs too).

It was installed in January 2010 and the certificate is valid through 2020.

I'm not worried about security; I'm worried about compatibility, impact on end users, not breaking applications, and general availability of the system.

My CA is used only for internal system certificates for some internal services, like RADIUS, DCs, TS Gateway, AP controller (not clients) and some minor applications; we do not sell certificates and we do not have any critical system using it.

Is the procedure to renew the CA root certificate using the same key really that easy? Just renew, and that's it?

Are there any caveats? Is there something I need to worry about?

It looks so easy to me; are there pitfalls?


DSQuery Question


I am trying to get a list of all users of a group by first name and last name (and all subgroups if possible)

When I type in the following I get the inline error about formatting.

C:\Windows>dsquery group -name [MyGroupNameHere] | dsget group -members -expand | dsget user -fn -ln
dsget failed:Value for 'Target object for this command' has incorrect format.
type dsget /? for help.
C:\Windows>

I have figured out that I am getting the error because the dsget user command is seeing the nested groups and trying to treat them as users and having problems in doing so.  Is there a way to filter out the groups and only look for users?  The command is nearly worthless if you can only run it on groups that have no nested groups within.

Lastly I would like to be able to 'in one command' pull the first name and last name of all users in the group including any nested groups.  Is this possible if I filter the groups out so I can run the command to get the first name and last name of the users listed?

You can see where below this command works on a group without nested users:


C:\Windows>dsquery group -name [MyGroupName] | dsget group -members -expand | dsget user -fn -ln
  fn       ln
  Betty    Xxxxxxxx
  Lori     Xxxxxxx
dsget succeeded

C:\Windows>

Thanks for any help.
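The failure above comes from nested group DNs reaching `dsget user`, which only accepts user objects. An added example (not from the forum post) that does the same job with the RSAT ActiveDirectory module, in two ways: expanding the membership client-side and keeping only user objects, and letting the DC flatten nested membership server-side with the LDAP_MATCHING_RULE_IN_CHAIN filter. 'MyGroupName' is a placeholder.

```powershell
# Added example, not from the forum post. Lists first and last name of every user in a group,
# including users of nested groups, without tripping over the nested group objects themselves.
# Assumes the RSAT ActiveDirectory module; 'MyGroupName' is a placeholder group name.
Import-Module ActiveDirectory

function Get-GroupUserNames {
    param([Parameter(Mandatory)] [string] $GroupName)
    # -Recursive flattens nested groups and returns the leaf members only; the Where-Object
    # drops computers, contacts and anything else that is not a user, so Get-ADUser never
    # receives a non-user DN (the cause of the dsget "incorrect format" error).
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties GivenName, Surname |
        Sort-Object Surname, GivenName -Unique |
        Select-Object GivenName, Surname, SamAccountName
}

function Get-GroupUserNamesViaChain {
    param([Parameter(Mandatory)] [string] $GroupName)
    $groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName
    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC walk nested
    # membership itself, and the objectCategory/objectClass pair restricts the result to users.
    # This avoids the per-call member limit that Get-ADGroupMember hits on very large groups.
    # Note: a DN containing '(', ')', '*' or '\' must be escaped before use in an LDAP filter.
    $filter = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
    Get-ADUser -LDAPFilter $filter -Properties GivenName, Surname |
        Sort-Object Surname, GivenName |
        Select-Object GivenName, Surname, SamAccountName
}

# Both calls produce the same "fn / ln" style listing the dsget pipeline was meant to give.
Get-GroupUserNames -GroupName 'MyGroupName' | Format-Table -AutoSize
Get-GroupUserNamesViaChain -GroupName 'MyGroupName' | Format-Table -AutoSize
```

The second form is the one to prefer for audit work on large or deeply nested groups, because the nesting is resolved on the domain controller in a single query and the result set is exactly the user objects, so there is no risk of a group, computer or foreign security principal slipping through into a report of "who is in this group".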

Can't login ADFS using IE


I created ADFS v2 on one of our Windows 2008 R2 servers. The AD sync works fine. However, I can't log in to the ADFS server using adfssvr.mydomain.com/adfs/ls/idpinitiatedsignon.aspx even though we have correct internal DNS settings.

Troubleshooting steps:
1. I read this article "A federated user is repeatedly prompted for credentials during sign-in to Office 365, Azure, or Windows Intune". If I modify the web.config, I can log in. But none of the resolutions fixes the problem.
2. If I use the Firefox browser, I can log in. Only IE doesn't work.
3. I have tried different IE versions, different computers, using compatibility view and adding the website to the IE security sites.

What could be the problem?


Bob Lin, MCSE & CNE Networking, Internet, Routing, VPN Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net How to Install and Configure Windows, VMware, Virtualization and Cisco on http://www.HowToNetworking.com

Getting reports out of Active directory


I may be asking in the wrong community, so sorry. It has been a very long time since I have worked with Active Directory, and I am sure it has come a long way since the 90s.

I am looking for a way to report out accounts and permissions, group membership, and shared directories and their permissions, for an entire domain. It's not that big: maybe 100 users and 25 shares.
Where do I start with this?

Are there tools made by Microsoft already to do such a thing (and why not, if there are not)? I am really hesitant to go third party because of the expense. I probably won't do this very often.


Lise Quinn

Disabling AD

I want to convert my server from Active Directory to just a file server, but all of the AD options are grayed out. Can I disable this option without starting over?

make users login to domain


Hi everyone

How do I force my domain users to log in to the domain? I have many computers which are not in the domain.

Can I block web traffic for users who are not logged in to the domain? Does a RADIUS server do this? Does it require a license,

and do I need different hardware? I have two DCs: one is Windows Server 2008 R2 x64 and the other Windows Server 2008 x64.
