Channel: Directory Services forum

Windows Server 2008 Standard Domain - Cross Continent


Working with a client that is potentially expanding into Germany in the next few months.

Current setup:

- 10 locations in US

- 5 in Canada

- 2 in Mexico

All sites have a domain controller and they are running Windows Server 2008. As it stands everything is running ok. I just wanted some opinions on adding another 2 sites/domain controllers and one Exchange Server 2010 into Germany. Any pitfalls going across the pond I should plan for?

Each site in Germany has 100MB/100MB fiber.

Thanks in advance.


DHCP scope settings from multiple DHCP Servers


Is there any way to check whether a particular option is configured in all scopes from multiple DHCP servers?

For example, we would like to check whether any scope on multiple DHCP servers has option 150 configured.

I guess there are lots of cmdlets available from Win2k12 DHCP servers.  


Regards, Nidhin.CK
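One way to answer this, as an added example that is not part of the post above: walk every scope on a list of DHCP servers with the DhcpServer module cmdlets (Windows Server 2012 and later / RSAT) and report where the option is set. Server names and the option ID are assumed values; the check also looks at the server-level option, because a scope inherits it unless the scope overrides it.

```powershell
# Added example, not from the original post. Requires the DhcpServer module
# (RSAT / Windows Server 2012+). Server names and the option ID are assumed values.
$servers  = @('dhcp01.example.local', 'dhcp02.example.local')   # placeholders
$optionId = 150                                                  # the option being audited

$report = foreach ($srv in $servers) {
    try {
        $scopes = Get-DhcpServerv4Scope -ComputerName $srv -ErrorAction Stop
    } catch {
        Write-Warning "Cannot query ${srv}: $($_.Exception.Message)"
        continue
    }
    # A server-level value is inherited by every scope that does not override it,
    # so a scope can hand out the option without defining it itself.
    $serverLevel = Get-DhcpServerv4OptionValue -ComputerName $srv -OptionId $optionId `
                       -ErrorAction SilentlyContinue
    foreach ($scope in $scopes) {
        # The cmdlet errors when the option is absent on the scope; treat that as "not set".
        $scopeLevel = Get-DhcpServerv4OptionValue -ComputerName $srv -ScopeId $scope.ScopeId `
                          -OptionId $optionId -ErrorAction SilentlyContinue
        $source    = if ($scopeLevel) { 'Scope' } elseif ($serverLevel) { 'Server' } else { 'None' }
        $effective = if ($scopeLevel) { $scopeLevel } else { $serverLevel }
        [pscustomobject]@{
            Server    = $srv
            ScopeId   = $scope.ScopeId
            ScopeName = $scope.Name
            Source    = $source
            Value     = if ($effective) { $effective.Value -join ',' } else { $null }
        }
    }
}

# Scopes that will actually deliver the option, whether set directly or inherited.
$report | Where-Object { $_.Source -ne 'None' } | Sort-Object Server, ScopeId | Format-Table -AutoSize
# Keep the full table as an audit trail of which scopes carry the option and from where.
$report | Export-Csv -NoTypeInformation -Path ".\dhcp-option-$optionId.csv"
```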

Delegate CONTROL_ACCESS


In order for one to have read access to a confidential attribute, both of the following conditions must be true: (1) permissions must be held that grant read access to that attribute and (2) CONTROL_ACCESS permission must be present against that attribute for the entity accessing it. A side note to the original article mentions that Full Control permissions will grant CONTROL_ACCESS as well.

Now I'm trying to delegate the right to read a specific confidential attribute using the "Delegate Control" wizard. I can easily adapt the delegwiz.inf so that it contains a new template with a "@=GA" for the attribute I'm after, in effect granting Full Control (which will in turn grant CONTROL_ACCESS). However I'd like not to grant change permissions to that attribute as well, only read (in terms of final, effective permissions). How is it possible to grant the CONTROL_ACCESS permission through a template in delegwiz.inf? I've found here that CA should be the "Control Access" I'm after, but when I use this, the template is invalidated and it's no longer visible in the "Delegate Control" wizard.

I've thought about the "Reset Password" right that appears throughout delegwiz.inf, and thought the CONTROL_ACCESS is a similar right, however it's nowhere to be found in the list of rights.

Windows 2012 R2 Domain Controller Permissions


We brought up two Windows 2012 R2 domain controllers in an outsourced data center. This company uses BladeLogic for patching and we installed the agent on both domain controllers. I was surprised that install created a new user in the Builtin Administrators account in the domain, giving that account excessive control over the domain. I immediately deleted the account and told them I will get back with a better solution.

My question is how can I create an account for them to use which will allow patching but not give them the 'keys to the kingdom'?

Your advice would be greatly appreciated.

Thanks

Slow login to Universe DB for users in diff domain


Hi All,

We have an ongoing issue with one of the apps. Basically the issue is during authentication of domain IDs which are present in the parent domain.

We have a few users set up in the parent domain: domain A.

The server with the Universe DB is located in the child domain, i.e. domain B. Most of the users are in domain B and are able to get through the application easily, but the issue occurs with users in domain A, for whom it takes 5 mins to login to the application. At the backend it seems it is taking time to authenticate against a DC, though I verified everything in DNS/DC sites and subnets; they have a DC specified.

It seems the application uses the following interface to interact. Does anyone have any idea about the authentication problem?

LogonUser((LPTSTR) username, (LPTSTR) domainname, (LPTSTR) password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &logon_tok)


ManeeshB


Distribution lists with external e-mail addresses.


Hello,

We have users in Active Directory, some with domain e-mail accounts through Exchange.  However, some of our users prefer to be contacted at a different account (e.g., one furnished by their employer or ISP).  Is there a way to set up distribution lists to utilize the e-mail address that's in the e-mail address field, or to otherwise allow for external e-mail addresses to be specified for some users?

Thanks!

FRS Replication / promoting DC not working


Migrating SBS 2008 to Windows Server 2012 R2 (no virtualization) I ran into problems.

(1) there is no SYSVOL/NETLOGON share

(2) NTFRS error 13508 w/o 13509

(3) NETLOGON error 5781

I do have FRSDiag logs.

Fulco

problem with sbs 2003


I have a station with Windows 7 Pro. When I try to connect to the domain controller (SBS 2003 Windows) I get a message

''lost the trust relationships that station to MAIN domain''. I can't access the server or the local PC.

If I remove the network cable I can access the local PC.


Computer account getting deleted automatically


Have a strange issue. Computer accounts are getting deleted automatically from AD (Win 2008R2, 2012 and 2012R2 DCs). I could see a few events 4724 and 4742 for reset and change. I could also see a 5141 event for the same computer account but it's for class dnsNode with security ID SYSTEM. Can anyone help me in understanding what this event is for? DN shows CN=MicrosoftDNS,DC=domain,DC=com. Is there anything wrong with the DNS server? If it is an issue with the DNS server, why doesn't it cause issues for all the host records?

Also, I don't see any 4743 or any other event for computer account deletion.

Need help and suggestion immediately please....

Appreciate the support provided!!

Authentication needed after doing trust between two different domains.


Hi There,

I have a problem after I created a trust relationship between two different domains in two different forests. In the trust relationship steps all is working: two-way trust, external trust, stub zone created on both domains, and they are validated on both sides. My problem is with the objects: they can't be retrieved from one side but they can be from the other side. For instance:

NY domain can get the users and computers of 2012DC1 

but 2012DC1 can't get the users and computers of NY

Date and time are the same, and I am always getting this error:

The session setup from computer '2012DC1' failed because the security database does not contain a trust account 'test.com.' referenced by the specified computer.  

USER ACTION  
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time.  If this is a Read-Only Domain Controller and 'test.com.' is a legitimate machine account for the computer '2012DC1' then '2012DC1' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller  capable of servicing the request (for example a writable domain controller).  Otherwise, the following steps may be taken to resolve this problem:  

If 'test.com.' is a legitimate machine account for the computer '2012DC1', then '2012DC1' should be rejoined to the domain.  

If 'test.com.' is a legitimate interdomain trust account, then the trust should be recreated.  

Otherwise, assuming that 'test.com.' is not a legitimate account, the following action should be taken on '2012DC1':  

If '2012DC1' is a Domain Controller, then the trust associated with 'test.com.' should be deleted.  

If '2012DC1' is not a Domain Controller, it should be disjoined from the domain.

Can you please help me with this error.

Thank You in advance.

Unable to login to the domain controller


Hi,

We recently decommissioned two of our 2003 DCs and introduced two 2012 R2 DCs(one physical server, and one VM residing on the same physical server). Due to applications binding to IP address and hostnames, we had to add the old Domain controller's IP address as the secondary ip on the new DC and we kept the hostname of the old DC pointing to the same IP.

Now after two months the server is throwing a bunch of Kerberos security errors, and I am unable to logon to either of the DCs.

I am unable to obtain the exact errors at the moment but the only thing I am able to access remotely are: Remote registry, Event viewer, ADUC, and ADSIEDIT. I can't access DNS manager.

Any way I can rescue these DCs?

Thanks in advance

Why must a WDS server be a member of an AD DS domain?

Why must a WDS server be a member of an AD DS domain?

What are the network bandwidth recommendations at remote sites for AD object migrations?

What are the network bandwidth recommendations at remote sites for AD object migrations?

domain controller sizing


I am making an AD controller for 15000 users and about 5000 workstations.

How many vCPUs do I need? Is it 1 per 5000 users? Is that total across all DCs?

I am looking at about 4 DCs to deploy based on 1 DC per 5K users

RAM: 10GB

Disk: 60GB for OS; 20GB for NTDS, logs, sysvol

vCPU: ?

2012R2 DC - AD LDS Service Principal Names - Duplicates


Hello

After installing the first domain controller with 2012R2, we see the following error in the directory service log on the new 2012R2 domain controller:

The attribute value provided is not unique in the forest or partition. Attribute: servicePrincipalName Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP12345:50000
CN=APP12345,OU=App1,OU=Servers,DC=DOMAIN12345,DC=LOCAL
Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP12345:50000
CN=APP12345,OU=App1,OU=Servers,DC=DOMAIN12345,DC=LOCAL
CN=APP12345,OU=App1,OU=Servers,DC=DOMAIN12345,DC=LOCAL
CN=APP12345,OU=App1,OU=Servers,DC=DOMAIN12345,DC=LOCAL Winerror: 8647 
 See http://go.microsoft.com/fwlink/?LinkID=279782 for more details on this policy.

it seems to be related to the SPN for: AD LDS

http://technet.microsoft.com/pt-br/subscriptions/cc816802

http://technet.microsoft.com/en-us/library/dn535779.aspx

The error only occurs for member servers where AD LDS is installed (application dependency).

Replication status is ok.

Any ideas on how this error should be handled/corrected?

Erlend




Error 2148074306 The encryption type requested is not supported by the KDC

Our domain is Windows 2008 Native. I ran repadmin /replsummary and noticed an odd error that I cannot get to the bottom of: Error 2148074306 The encryption type requested is not supported by the KDC. This appears between two DCs only. I cannot find any reference to what might be causing this.
Orange County District Attorney

LDP Query length


I was wondering if anybody knows if there are limitations on the size of an LDAP query.

I have an application that is enumerating AD via group membership. Using the query (&(objectclass=group)(CN=Groupname*)) with Attribute of Member only pulls back the DN of the users where the application requires SamAccountName.

So I have reversed the query and have searched for users that are memberOf:

(&(objectclass=user)(| (Memberof=CN=Administrators,CN=Builtin,DC=Domain,DC=nonprod)( MemberOf=CN=APP_TH_Admin_DEV,OU=Groups,OU=User Groups,DC=Domain,DC=nonprod)))

This works in pulling back all members of each group.

However, this statement does not...

(&(objectclass=user)(| (MemberOf=CN=APP_TH_ContentStudio_DEV,OU=Groups,OU=User Groups,DC=domain,DC=nonprod(MemberOf=CN=APP_TH_Admin_DEV,OU=Groups,OU=User Groups,DC=domain,DC=nonprod)))

The only thing I can think of is the size of the query?

Also, if anyone knows a way that you can pull back the SamAccountName from groups that would be even better :)

Cheers,

Sean
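As an added example that is not part of the post above: a parenthesis-balance check to run over an LDAP filter before it is sent. The second filter quoted in the post lacks a closing parenthesis after the first MemberOf value, and that is exactly what such a check reports; the function and the way it is called are my own, not from the original.

```powershell
# Added example, not from the original post: a parenthesis-balance check for an
# LDAP search filter. Per RFC 4515 a literal '(' or ')' inside a value must be
# escaped as \28 or \29, so every raw parenthesis is structural and can be counted.
function Test-LdapFilterBalance {
    param([Parameter(Mandatory)][string]$Filter)
    $depth = 0
    for ($i = 0; $i -lt $Filter.Length; $i++) {
        $c = [string]$Filter[$i]
        if ($c -eq '(') {
            $depth++
        } elseif ($c -eq ')') {
            $depth--
            if ($depth -lt 0) {
                # More closes than opens so far: the filter is broken at this offset.
                return [pscustomobject]@{ Balanced = $false; Offset = $i; Message = "unmatched ')' at offset $i" }
            }
        }
    }
    if ($depth -ne 0) {
        # Ran out of input with open groups still pending.
        return [pscustomobject]@{ Balanced = $false; Offset = $Filter.Length; Message = "$depth '(' never closed" }
    }
    [pscustomobject]@{ Balanced = $true; Offset = -1; Message = 'balanced' }
}

# The two filters quoted in the post above (DNs exactly as given there).
$working = '(&(objectclass=user)(| (Memberof=CN=Administrators,CN=Builtin,DC=Domain,DC=nonprod)( MemberOf=CN=APP_TH_Admin_DEV,OU=Groups,OU=User Groups,DC=Domain,DC=nonprod)))'
$failing = '(&(objectclass=user)(| (MemberOf=CN=APP_TH_ContentStudio_DEV,OU=Groups,OU=User Groups,DC=domain,DC=nonprod(MemberOf=CN=APP_TH_Admin_DEV,OU=Groups,OU=User Groups,DC=domain,DC=nonprod)))'

Test-LdapFilterBalance $working
Test-LdapFilterBalance $failing
```

For the last question in the post, Get-ADGroupMember from the ActiveDirectory module returns each member's SamAccountName directly, so no reverse memberOf filter is needed for that.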

CA monitoring on windows 2008


Hi All,

I would like to use the CA monitor.vbs script on my 2008 CA. However there appears to be some compatibility issue.

Has anyone got a CA monitor.vbs which works on 2008 which they can share, or if not can anyone please point me in the right direction to resolve the monitoring requirements we have?

Thanks in advance

WA

Replications errors


Topology

3 sites

Location 1: 1 DC

Location 2: 2 DC

Location 3: 3 DC

The location 1 DC is having replication issues.

The replication status tool shows the following errors:

1. The target principal name is incorrect

2. The remote system is not available

The issue started after the machine DC1 was off the network for 3 hours. Can anyone help me with this?




Amal RS
