Channel: Directory Services forum
Viewing all 31638 articles

Need to Restrict Domain Admin group


Hi All,

Can someone suggest how to restrict the "Domain Admins" group on the two criteria below?

1) Anonymous users shouldn't be able to see members of this group.

2) "Builtin/Administrators" shouldn't have privilege to edit this group.


Sai Krishna
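Added example, not from the original post: a read-only audit of the two settings that govern the poster's criteria. Anonymous enumeration of group membership depends on the dsHeuristics anonymous-LDAP switch together with the membership of "Pre-Windows 2000 Compatible Access"; the rights BUILTIN\Administrators hold over Domain Admins come from the ACL on CN=AdminSDHolder, which SDProp copies onto every protected group. The script assumes the ActiveDirectory module and a domain account that can read the configuration and domain partitions; it changes nothing.

```powershell
# Added example (not from the original post): read-only audit of the two settings that
# govern the poster's criteria. Assumes the ActiveDirectory module and a domain account
# with read access to the configuration and domain partitions.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$configNC = (Get-ADRootDSE).configurationNamingContext

# Criterion 1: anonymous enumeration. Unauthenticated LDAP binds can read group membership
# only when anonymous operations are enabled in dsHeuristics (7th character = 2) AND a
# principal such as ANONYMOUS LOGON (S-1-5-7) or Everyone (S-1-1-0) is a member of
# "Pre-Windows 2000 Compatible Access". Report both.
$dsPath = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$heur = (Get-ADObject -Identity $dsPath -Properties dSHeuristics).dSHeuristics
$anonLdap = [bool]($heur -and $heur.Length -ge 7 -and $heur[6] -eq '2')
"dsHeuristics = '$heur'  (anonymous LDAP operations enabled: $anonLdap)"

$preW2k = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
"Members of Pre-Windows 2000 Compatible Access:"
foreach ($dn in $preW2k.member) {
    # Well-known principals appear as foreignSecurityPrincipal objects named by their SID
    $obj  = Get-ADObject -Identity $dn -Properties objectSid
    $name = try {
        ([System.Security.Principal.SecurityIdentifier]$obj.objectSid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $dn }
    "  $name"
}

# Criterion 2: Domain Admins is a protected group. Every 60 minutes SDProp overwrites its
# ACL with the ACL of CN=AdminSDHolder,CN=System, so an ACE edited directly on the group
# does not stick. What BUILTIN\Administrators holds on AdminSDHolder is what applies.
$acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN"
"ACEs on AdminSDHolder granted to BUILTIN\Administrators:"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Administrators' } |
    Select-Object AccessControlType, ActiveDirectoryRights, ObjectType, InheritanceType |
    Format-Table -AutoSize
```

The practical consequence of the second check is that removing rights from the Domain Admins group itself is undone within the hour; any change has to be made on AdminSDHolder, and Microsoft's default there grants BUILTIN\Administrators full control, which is why that group is itself treated as a Tier 0 principal.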


NTDS single/Static port vs Fixed port range.



I'm well aware on how to setup a custom Fixed RPC port range (as per https://support.microsoft.com/kb/154596?wa=wsignin1.0).

I also know NTDS can be configured to use a single/Static TCP port (as per http://support.microsoft.com/kb/224196).

My question is:

  • What happens if you *only specify a Fixed RPC port range*
    AND
  • *Do not* specify a single/Static Port for NTDS

-> Will NTDS simply offer its services through the Fixed RPC port range?

Thanks.

Regards,

A.

What is the difference between incoming trust and outgoing trust?


Hi all,

What is the difference between incoming trust and outgoing trust?

Also, what is the difference between incoming trust and one-way trust? I think in both, we can just input.


Future is mine!

Retiring 2 domain Controllers


Hi, we are looking to retire 2 out of our five 2008 R2 domain controllers. There are no FSMO roles on these 2 controllers. The only other role is DNS. All devices and workstations are now pointing to other DNS servers besides these two.

My question is that I want to simply shut down these 2 servers for a week or so and see if anything screams. If it does I can simply bring the controllers back up and figure out what went wrong. If nothing screams I can then safely demote them from being a domain controller.

Is the act of shutting them down for a bit a valid way of testing? This will be done off hours but what can the end users or application servers expect if the DC they were using is no longer there, will they get error messages on the screen or will it silently go to another DC in the background?

Any thoughts would be appreciated.

Thanks

Domain / Forest functional levels


I've done some research but really need someone to tell me I've got this right in my head...

I've got 2 domains in the forest, the forest functional level is 2003. Here's the setup:

domain1.local

  • root domain
  • 2 DCs running W2K8R2
  • DFL - 2003

domain2.local

  • 1 DC running W2012R2
  • 1 DC running W2K3 (soon to be retired)
  • DFL - 2003

Can I upgrade the DFL of domain1 to 2008R2?
Can I upgrade the FFL to 2008R2 while maintaining trust?
Do the domain and forest functional levels have to match?

Thanks in advance for any answers!

AD Replication error



I'm getting the below error while running the repadmin /showrepl command in my Parent Domain.

  

  Default-First-Site-Name\(CHILDDomain) via RPC

        DSA object GUID: dc7844e2-0b94-4f30-9ef2-78b1b64a4aba

        Last attempt @ 2014-10-24 19:23:48 failed, result 8606 (0x219e):

            Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.

        452 consecutive failure(s).

I would appreciate any help in resolving this issue

Blocking Authenticated Users from a subset of unaffiliated users


Ok here's the problem....

We want to create AD accounts in our domain for unaffiliated users in order to provide access to our EMR application via a Citrix Published app. We don't want to host another AD just for this unaffiliated organization nor do we want to create a child domain...for many reasons that I won't delineate here. If we cloister them in a separate secure OU in our domain, and even remove them from the Domain Users group, they still will (upon authentication) get access to many things afforded to the Authenticated Users group that we don't want them to have access to.

What would be the best way to allow them to login to Citrix (giving them EMR access) but block them from accessing any other applications or services in the domain? 

We're going to check with our EMR vendor (we're not the only ones doing this) and possibly have an engagement with Microsoft but I wanted to get some ideas to see if there is an easy/quick solution that I have missed.

Thanks.


David W King

Display user password changeable date with PowerShell


Hi,

I wanted to list out "Password changeable" dates of all my AD users.

I used the command "$user = Get-ADUser -Identity username" in a DC to get an AD user's information.  I see that this object has the following properties:

DistinguishedName
Enabled
GivenName
Name
ObjectClass
ObjectGUID
PasswordChangeable
PSShowComputerName
SamAccountName
SID
Surname
UserPrincipalName
WriteErrorStream

OK, there's a property called PasswordChangeable whose definition is
Microsoft.ActiveDirectory.Management.ADPropertyValueCollection PasswordChangeable {get;set;}

Could someone tell me how to use this property?  How could I get the date?

Thanks in advance
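Added example, not from the original post. PasswordChangeable on the ADUser object is not a timestamp; the date on which a user is next allowed to change the password is PasswordLastSet plus the minimum password age of the policy that applies to that user (the default domain policy, or a fine-grained policy if one is assigned). The script below computes that date for every enabled user; it assumes the ActiveDirectory module on a machine that can reach a DC, and the function name Get-PasswordChangeableDate is my own.

```powershell
# Added example (not from the original post): derive the "password changeable" date as
# PasswordLastSet + minimum password age. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$defaultMinAge = (Get-ADDefaultDomainPasswordPolicy).MinPasswordAge   # a TimeSpan

function Get-PasswordChangeableDate {
    param([Parameter(Mandatory)][Microsoft.ActiveDirectory.Management.ADUser]$User)

    # A fine-grained password policy (PSO) overrides the domain policy when one applies;
    # the cmdlet returns nothing when no PSO applies to the user.
    $pso    = Get-ADUserResultantPasswordPolicy -Identity $User
    $minAge = if ($pso) { $pso.MinPasswordAge } else { $defaultMinAge }

    # pwdLastSet = 0 means "user must change password at next logon": changeable now.
    if ($User.pwdLastSet -eq 0 -or -not $User.PasswordLastSet) { return 'now' }
    return $User.PasswordLastSet.Add($minAge)
}

# pwdLastSet / PasswordLastSet are not in the default property set, so request them
Get-ADUser -Filter 'Enabled -eq $true' -Properties pwdLastSet, PasswordLastSet |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            PasswordLastSet    = $_.PasswordLastSet
            PasswordChangeable = Get-PasswordChangeableDate -User $_
        }
    } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

Get-ADUserResultantPasswordPolicy is called once per user, so on a large domain this takes a while; if no fine-grained policies exist in the domain, the call can be dropped and $defaultMinAge used throughout.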


ADMT 3.2 ServicePrincipalName duplicates – Users unable to logon


Hello everyone,

We are doing an intra-forest migration using ADMT 3.2 (Version with 2012R2 Support as the colleague who installed it told me). Domain Controllers are running at Windows Server 2012 R2 and Windows Server 2003. Clients are running at Windows 7. When migrating computer objects we experience the following:

When the migrated computer boots and joins the destination domain it throws NETLOGON events 5788 and 5789. Therefore, the destination computer object doesn't have a single SPN registered. Because the HOST and RestrictedKrbHost SPNs are missing, no user is able to log on to the machine.

After investigating the issue I think I found the cause of the problem. Please correct me if I'm wrong:

When ADMT migrates a computer account it does not clear the SPNs that are registered for the source computer account. Because of the new feature of Server 2012 R2 that prevents the registration of duplicate SPNs in the forest, described here http://technet.microsoft.com/en-us/library/dn535779.aspx, this prevents the migrated computer from registering its SPNs during the first boot in the new domain (leads to 5788 and 5789).

Let’s assume we have a client called client1.emea.contoso.com. This client has the following SPNs registered:

  • HOST/client1
  • HOST/client1.emea.contoso.com
  • RestrictedKrbHost/client1
  • RestrictedKrbHost/client1.emea.contoso.com

When the client is migrated to us.contoso.com it will try to register the following SPNs for its account:

  • HOST/client1
  • HOST/client1.us.contoso.com
  • RestrictedKrbHost/client1
  • RestrictedKrbHost/client1.us.contoso.com

Because the SPNs HOST/client1 and RestrictedKrbHost/client1 are not unique in the forest, their registration is blocked by the Server 2012 R2 DC. Also, the registration of HOST/client1.us.contoso.com and RestrictedKrbHost/client1.us.contoso.com is blocked as well, because the client tries to register the Service/Hostname and Service/FQDN records at the same time, and both fail in the process. This leads to Kerberos failure for interactive logon. Because of the security feature of Windows Vista and above which prevents fallback to NTLM for interactive logons, mentioned here http://support.microsoft.com/kb/2015518, no logon is possible under this condition.

Note:

Windows Server 2008 R2 DCs that do not have the above mentioned feature of "SPN uniqueness testing" just let the newly booted client register the duplicate SPN for HTTP/client1 and RestrictedKrbHost/client1.

What ought we to do now? Currently we work around this issue by manually deleting the SPNs at the computer object in the source domain. This does not seem to be the optimal solution to me. Am I missing something? Did I forget something?

Thanks and best regards,

Steven
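Added example, not from the original post: a pre-migration check that does the SPN-uniqueness test the 2012 R2 DC will do at first boot, so the collision is found before the computer is migrated rather than after users cannot log on. It builds an SPN-to-owner map from the global catalog (port 3268 carries servicePrincipalName for every object in the forest), lists SPNs already registered more than once, and then tests the four HOST/ and RestrictedKrbHost/ names a given computer will try to register in the target domain. The ActiveDirectory module is assumed; client1, emea.contoso.com and us.contoso.com are the poster's example names, and Test-MigrationSpnCollision is my own function name.

```powershell
# Added example (not from the original post): forest-wide duplicate SPN report plus a
# pre-migration collision test. Assumes the ActiveDirectory module and GC connectivity.
Import-Module ActiveDirectory

$gcHost = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0]
$gc     = "${gcHost}:3268"    # global catalog port

# Build an SPN -> owner-DN map over the whole forest (SPNs compare case-insensitively)
$spnOwners = @{}
Get-ADObject -Server $gc -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
    ForEach-Object {
        foreach ($spn in $_.servicePrincipalName) {
            $key = $spn.ToLowerInvariant()
            if (-not $spnOwners.ContainsKey($key)) { $spnOwners[$key] = @() }
            $spnOwners[$key] += $_.DistinguishedName
        }
    }

# 1) SPNs that are already duplicated: Kerberos for those services is already broken
"Duplicate SPNs in the forest:"
$spnOwners.GetEnumerator() |
    Where-Object { $_.Value.Count -gt 1 } |
    ForEach-Object { [pscustomobject]@{ SPN = $_.Key; Owners = ($_.Value -join ' ; ') } } |
    Format-Table -AutoSize -Wrap

# 2) The names a migrated client registers at first boot in the target domain, and who
#    owns them now. If the only owner is the source-domain computer object, that is the
#    case from the post: its SPNs must be cleared before the first boot in the new domain.
function Test-MigrationSpnCollision {
    param([string]$ShortName, [string]$TargetDnsDomain)
    $fqdn = "$ShortName.$TargetDnsDomain"
    foreach ($svc in 'HOST', 'RestrictedKrbHost') {
        foreach ($spn in "$svc/$ShortName", "$svc/$fqdn") {
            $owners = $spnOwners[$spn.ToLowerInvariant()]
            $owner  = if ($owners) { $owners -join ' ; ' } else { '(free)' }
            [pscustomobject]@{ SPN = $spn; CurrentlyOwnedBy = $owner }
        }
    }
}

Test-MigrationSpnCollision -ShortName 'client1' -TargetDnsDomain 'us.contoso.com' |
    Format-Table -AutoSize
```

Run as part of the per-batch checklist, the second function makes the "HOST/client1 is still owned by the emea.contoso.com object" condition visible before migration, and the first report catches any unrelated duplicates that the uniqueness check on 2012 R2 DCs will also start refusing.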

Where do deleted Static DNS records go?

Since we enabled the Active Directory recycle bin some time ago, we noticed that there is also a recycle bin for the ForestDNSRecords and DomainDNSRecords container. It appears that dynamic DNS entries are being treated like any other object and getting moved to CN=Deleted Objects,DC=<Domain|Forest>DNSZones,DC=<YourDomain>,DC=<Suffix>. When Static entries are deleted we do not see them in the Deleted Objects container. Is that a bug, by design, or are we missing something?

Replication issue from site


Hi All, have a strange issue that I'm trying to find a quick fix for while I continue to troubleshoot.

I recently converted a site with a single DC from MPLS to site-to-site VPN.  Since then, I am not replicating between that site (ATL and CM).  This is because I cannot ping from ATL-DC to CM-DC.  I know, the simple solution is to fix the communication issue between ATL-DC and CM-DC, but it's not a simple connectivity issue and the tombstone clock is ticking. While I continue to troubleshoot the underlying communication issue, is there a way to get replication working again?

Repadmin /replsum >

Source DSA          largest delta    fails/total %%   error
TMP-DC               11m:59s    0 /   5    0
ATL-DC               08m:25s    0 /  20    0
CM-DC              15d.18h:54m:56s    5 /   5  100  (1722) The RPC server is unavailable.
SHI-DC               11m:58s    0 /   5    0
LAS-DC               11m:58s    0 /  10    0


Destination DSA     largest delta    fails/total %%   error
TMP-DC               02m:58s    0 /   5    0
ATL-DC            15d.18h:55m:18s    5 /  20   25  (1722) The RPC server is unavailable.
SHI-DC               05m:52s    0 /   5    0
LAS-DC               03m:04s    0 /   5    0
LAS-DC               08m:47s    0 /  10    0

Experienced the following operational errors trying to retrieve replication information:
          58 - cm-dc.xxxxxxx.com



ADFS or DirSync w/ Password Write-back?

Hi all,

I've been doing some research on this and just wanted to clarify on my findings...

My company is trying to figure out which syncing solution would be the best fit for our special cases that we have.  
Environment:
O365 fully deployed, users have two passwords, one for their machines and one for O365.
PCs - All joined to the domain
Macs - Not connected to the domain - has local user account w/ full admin rights

Original Goal: Have both passwords synced so there's one less pw to remember and give users the ability to change pw on portal and have it sync to on-prem AD.

I had thought that DirSync would have been the perfect fit since it has low overhead and doesn't require more than one dedicated server, but the more I read about it, the more I realize that to fulfill the goal of having users change their own passwords on O365 portal and to have it sync, I would either need to pay for AzureAD Premium to get the Password-writeback function or deploy ADFS instead.

DirSync also mentions that once the users are synced, the cloud password is set to "NeverExpires" and that's definitely not what we want for the Mac users since they never log in to the domain aside from using the VPN. I know there's a way to set the "NeverExpires" flag to $false for certain users, but in doing that, there doesn't seem to be a way to specify it to expire at the same time as my on-prem AD. It's also not very easy/ideal for my Mac users to find a Windows PC to change their domain password every 6 months.

Ultimately, my question is given our situation and our end goal, would deploying ADFS or paying for AzureAD premium be our only options?

userCertificate attribute not set


When my user enrolled for their USER certificate from our CA, it was not set in their attribute in AD. 

Why is this? I'm using the default template for user certificates. The template has "Publish to AD" checked. 

This is for S/MIME. 

Transfer FSMO roles when main DC is offline

Is it possible to transfer or seize FSMO roles when my main DC is down? Say that I have two DCs, node 1 and node 2. Node 1 holds the main DC and node 2 holds another DC. I want to move the FSMO roles from node 1 to node 2, but my node 1 is shut down. So is it possible to transfer/seize all roles from the main DC?

Abp

User locks out without any log in Event Viewer


Hi,

In our Active Directory environment, domain users get locked out without any event saved in Event Viewer, so I am not able to see why these users get locked.

Any help?
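Added example, not from the original post. Lockouts are not logged on the DC the user happened to authenticate against: the account-lockout event (Security event 4740) is written on the PDC emulator, and only when the "Audit User Account Management" subcategory is enabled there. The script below locates the PDC emulator, shows its effective audit setting, and lists the lockouts of the last seven days with the computer the bad attempts came from. It assumes the ActiveDirectory module, WinRM to the PDC emulator and the right to read its Security log remotely.

```powershell
# Added example (not from the original post): find the PDC emulator, confirm the audit
# subcategory that produces 4740, and list recent lockouts with their source computer.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator
"PDC emulator: $pdc"

# auditpol reports the effective policy on the machine it runs on, so run it on the PDC
Invoke-Command -ComputerName $pdc -ScriptBlock {
    auditpol /get /subcategory:"User Account Management"
}

# 4740 = "A user account was locked out", last 7 days
$filter   = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-7) }
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named EventData fields rather than relying on Properties[] positions
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            User           = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']   # 4740 stores "Caller Computer Name" here
        }
    }

if (-not $lockouts) {
    "No 4740 events on $pdc in the last 7 days. If accounts are being locked out, the"
    "'Audit User Account Management' subcategory (Success) is not enabled on the PDC emulator;"
    "enable it through the GPO that applies to Domain Controllers."
} else {
    $lockouts | Sort-Object Time -Descending | Format-Table -AutoSize
}
```

Once the caller computer is known, the failed attempts themselves (4625 on that machine, or 4771 Kerberos pre-authentication failures on the DCs) show which process or service is replaying an old password.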



Access to shares


Hello,

I can access a share located on a domain controller using its IP address but not via UNC path or FQDN path. The issue started after applying Microsoft patches.

BTW there is another domain controller and if I shut it down then I can access shares on the first controller using UNC.

Please advise.

Windows 2012 R2 Active Directory Server Blank Screen


I have a Windows 2003 domain, and I added a Server 2012 R2 to the domain. The 2012 R2 server is a Hyper-V virtual machine. When promoting the server to a domain controller it hung on the process and I had to reboot the server. When I log into the server now with the same account I was using when I promoted the server I get a black screen. When I hit the (ctrl-alt-del) button on the Hyper-V console screen I see several options such as Task Manager, but clicking on it doesn't bring up anything. I can also sign out. If I log in using another admin account I have no issues. If I view the application log I see a 4006 Event Id:

The Windows logon process has failed to span a user application.  .... C:\Windows\system32\userinit.exe.

If I boot in safe mode I am able to log on with the problem account and see the normal safe mode screen. Also, BTW, the DC promotion process completed without issues.

Thanks,

DNS lookups timing out


Hello,

I am attempting to deactivate an old DNS server from our network and whenever I turn it off, DNS lookups fail for all clients and the other two DNS servers that I am keeping.

I have checked that the zones have properly replicated and that pointer records exist for both DNS servers. I have run nslookup on the name servers and the lookup times out twice and then provides the correct IP for the name. The primary DNS server is 2008 R2 and the secondary is 2012. The old server I am trying to deactivate is 2003 and was previously the primary. I can ping DNS names and IP addresses for both servers with no errors and even ping external names as well. Yet, in a browser, DNS lookups still fail. I am sure I am missing something obvious here, but any advice or suggestions on what to look at would be appreciated.

Thank you,

Josh

Change to FSMO roles not replicated to some servers.


Hi, we have a mixed set up of Windows 2003, Windows 2008 and Windows 2008R2 servers. Recently I installed a new server in London as a 2008R2 server, call it Ldn1, and used ADUC to transfer the FSMO roles from the older 2008 server (Ldn2). On the new server ADUC was definitely showing the new server as holding the roles so I ran dcpromo on Ldn2 and demoted it and then removed it from the domain. The server has been physically reconfigured now and so there is no chance of reconnecting it. This was a couple of weeks ago.

Following some other issues I have been doing some digging and have found that two servers had some replication issues and they both still think that the FSMO roles are held by Ldn2 rather than Ldn1.

My question really is what is the best way to proceed? Should I be concentrating on sorting out the replication problems and hope that that will update the FSMO information on the two affected DCs?

I know I can transfer the roles onto another server but the only other candidates are the two servers which think the current role holder is offline.

The other issue is that I recently installed a new Exchange 2007 SP3 server which made changes to the schema and that is on the same site as the correct FSMO role holder and so I would imagine that the schema changes have been made on Ldn1. If I seize the roles to one of the two affected sites I would be concerned that I would lose or mess up these schema changes.

Thanks for any assistance and I apologise in advance if I sound like a total numpty, AD & Replication has always been my weak point.

Regards, Eddie


Active Directory setup in a Hospital


Hi Guys,

Just wondering if anyone has done something like this before...

I have been asked to set up an infrastructure for a hospital, so in terms of Active Directory structure and best practice in relation to a hospital, if anyone has a document, Visio, PDF, anything useful, that will be great! Any suggestions as to what I could take into consideration would also be nice, specifically in terms of a hospital.

I will be happy to hear from you all no matter how little or so much your input might be .

Thanks Guys


Regards, MassonTech
