Channel: Directory Services forum
Viewing all 31638 articles

Unable to change the 2003 R2 Forest Functional Level (Missing)

I am currently about to completely retire a 2003 R2 DC Server with a Windows 2012 R2 Server; single server environment.  Right now, I am unable to raise the FOREST functional level from Windows 2000 to 2003, the option is actually missing.  The Domain functional level is already set to 2003.

Which method can I use to raise the 2003 R2 DC to the Forest Functional Level to 2003 so I can put the Windows 2012 R2 in the same Forest/Domain?

I did a netdom query fsmo, all the roles are currently pointed at DC name 'NS1'.

NS1 = 2003 R2



ADFS version 3.0

Hi,

Is it possible to install ADFS 3 on Windows 2012 or do you have to be running 2012R2 to use ADFS 3?

Thanks.

Asp.Net LDAP authentication

Hi,

We have Active Directory Infrastructure with Windows 2003, Windows 2008 and Windows 2012 Domain Controllers. We have got many Asp.Net applications which are doing LDAP Authentication with these Domain Controllers. Some of the applications are not able to authenticate users against Active Directory.
Most of the application servers are not added to Domain and are in workgroup. These servers are still using LDAP authentication against AD.

We were comparing the application which is working fine and the one which is not working. Both the servers are in workgroup and using same code.

I need to know whether we can have LDAP authentication without joining the server to the domain. As per my understanding we can connect, but one Domain user account is required for LDAP bind and authentication. As per the application team, they have not used any Domain user account for LDAP binding. I am not sure whether it is possible, because in Windows 2003 and above anonymous bind is disabled by default.

Is there a way to track whether any Domain user account is used for authentication?

Certificate Services won't start

Certificate Services won't start after importing registry settings from old certificate server.

I installed CA as a role and imported the certificate with the wizard, and everything seemed to be fine; the certificate services were able to run.

I opened the registry file and edited it so that winnt is replaced with windows, and then I imported it. Ever since then I receive the error:

The system cannot find the file specified. 0x2 (win32: 2)

The policy module for a CA is missing or incorrectly registered. To view or change policy module settings, right click on the CA, click on the CA, click Properties, and then click the policy Module tab.

Please help, I need to get cert services running again,

Thanks 

Failover to remote DC after disaster

I suspect this question has already been answered and apologize in advance for repetition.  Here is my current setup:

Site A:  Windows Server 2008 R2 running AD/DNS/DHCP.  Main domain controller resides here.

Site B:  Windows Server 2008 R2 running AD/DNS/DHCP.  Second domain controller at remote office.

The two sites are interconnected by a private, leased line running at around 10Mbps.  I have configured my sites, subnets, etc. and the two DCs are properly replicating.

What I am searching for is a document that will describe the actual procedures that I need to implement at Site B in the event Site A burns to the ground.  I am hunting for the actual procedure for failing-over to the DC at Site B in the event of complete disaster.


Thanks

Delegate MSA account creation

Hello,

I need to delegate the Managed Service Account creation and deletion task to a junior admin. What rights need to be assigned on the OU where the MSA accounts will reside? The MS TechNet article says to delegate modify rights to the OU, but I want to make sure that the junior admin cannot create normal user accounts but can only create MSA accounts.

thanks

How to clean up metadata of tree domain from root forest domain

Hi,

We have an environment like below:

name of Root Forest domain == Root.com

name of Tree domain in same forest (root.com) == treedom.com

The treedom.com domain has only one domain controller, and unfortunately that DC went offline due to hard disk failure. Now the DC of treedom.com is offline and we want to CLEAN the METADATA of the tree domain from our root forest domain, i.e. ROOT.COM.

Please suggest....

Let me know if more information is required .

subnet prioritizing different subnet DC / client

Hi all,

We have two sites (production and DR), and in the production environment the domain controllers are in the 132.147.161.0/16 series. The DR site has a different subnet. The client segment is in the 192.168.11.0/22 series.

From a client system we have tried to ping the domain or look up a DC, and the results appear in round-robin order.

We recently became aware of subnet prioritizing. But from some web forums we found that subnet prioritizing works only within the same subnet. Please confirm whether it is true.

Please suggest how subnet prioritizing is possible in our scenario.


Thanks, Mariappan Shanmugavel


Log DNS record Creation / deletion events on DC's security event viewer

Hi,

I have configured DNS record creation and deletion auditing, as per the Microsoft blog below, on one of my DCs:

http://blogs.technet.com/b/networking/archive/2011/08/17/tracking-dns-record-deletion.aspx

All settings are done correctly and events for DNS creation and deletion are generated in the security event logs. BUT THESE EVENTS ARE ONLY GENERATED ON ONE DC. We have 3 other DCs; I checked the security events on the other 2 DCs but there are no event logs. Only one DC has those events.

Is there any way so that whenever a DNS record is created / deleted the events ARE CREATED ON ALL DCs? This will save time, else I have to check the security events on all DCs.

Please suggest

Windows 2008 Domain Controller rename and re-promote.

Ok. So I became the IT Admin of a company that is still operating as a Workgroup (in terms of the company) and I am trying to get us all on a domain. Shouldn't be too difficult I think...only a few issues where I am not fully aware what it will affect.

Currently we HAVE a server already made a few years back that is a "domain controller" that is just sitting there operating as our DNS. The previous IT set all computers IP addresses to static along with the DNS connection of course. The problem I am running into when wanting to set up this as our domain controller is, well, it has the wrong domain name. This company got renamed and we use a different domain name now (albeit we still own the old one but I am not sure how long we should keep it so I prefer not to use it in our DC).

The problem I am worried about is this server is already operating as the DNS for all our computers, so I am worried about demoting/re-promoting the server in order to rename the DC, because I am not fully aware what this will affect for our users.

TL;DR

----------------------------------------------------

So I want to change our companyold.com connection to companynew.com connection in our domain controller as well as rename the server. Problem is Server runs as a DNS already. I would like step by step instructions of what I can do so I can rename the server/DC without breaking my current DNS setup and have it work like it has been.

We use Windows Server 2008 R2 Standard


What to note when removing a Domain controller from an Existing Domain!!!

Dear everybody,

My company has 3 Domain controllers at the moment.

All of them have some functions: DHCP, DNS.

Now, we plan to remove a DC.

So, what do we need to pay attention to when removing one of them?

Thanks for your help!!!

FRS upgrade to DFSR Root Domain or Child Domain first?

We are looking to upgrade SYSVOL replication from FRS to DFS-R. Can somebody tell me what order we should use to upgrade our Root Domain and Child Domain? Root first then Child Domain, or the other way around?

Thanks in advance!!

Replace 2008 R2 domain controller with 2012 R2 domain controller

Good afternoon. We currently have 3 older Dell floor unit servers running Windows Server 2008 R2. All of them have the exact same server roles (AD, File Server, DHCP and DNS). This year we bought 3 brand new Dell rack mount servers we would like to use to replace these older ones. The new servers are running Windows Server 2012 R2. I want the new servers to have the exact same name and IP address as the old servers when it's all said and done. I'm looking for an article or some pointers on how to approach this. Here is what I was thinking:

-Copy files for File Server role from 2008 server to 2012 server using something like robocopy (or any other utility someone may suggest)

-Demote current 2008 AD server and reboot

-Rename demoted 2008 AD server and change the IP address and then reboot

-Rename the new 2012 AD server and change the IP to match the old server and reboot

-Promote new 2012 AD server as new DC

Does anyone see anything wrong with this or have any input on what I should do?  Any help is appreciated.  Thanks

ADFS proxy error: An error occurred when attempting to create the proxy trust certificate

I have a Windows 2012 R2 Federation server and am trying to add an ADFS proxy server (WAP) which runs on a Windows 2012 R2 server. I keep getting the above error. I have researched and the certificate is right, yet I keep getting the same error. I used Netmon to monitor the traffic and I could not see any connection or attempt to communicate with the Federation server. The proxy server is not even in the DMZ; there is no firewall between them. Any help?


Alert from TechNet Posting

DCDIAG question

I have 4 2003 DCs that I am running dcdiag on in preparation for an upgrade to a 2012 forest. The forest and domain are at a 2003 level. So far everything is looking good but I do not know what this is. Can someone tell me what this information from DCDIAG means? Also, what do I need to do to make this come up properly?

Thanks for your help.

Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=domain,DC=com
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=DomainDnsZones,DC=Domain,DC=com
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Schema,CN=Configuration,DC=Domain,DC=com
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Configuration,DC=Domain,DC=com
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=Domain,DC=com
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 


Thanks for your help


Modify default value of LoginShell attribute

Hi,

We are configuring the "UNIX Attributes" tab here in our organization.

I've noticed that on the Login Shell option it has a default value: /bin/sh

So I had manually changed it to: /bin/bash

My question is: Is there a way to change the default value to /bin/bash?

Searched for it on ADSI edit and no joy.

PS: Found this website showing that using a special software we can change it. http://documents.software.dell.com/DOC123819

I just want to change it without that software =]


Perimeter Network Dynamic Site Assignment update

Good Morning,

I would like to understand if the behavior I am seeing is correct or incorrect.  If I have a machine that is created on an internal network that has access to a RWDC, but then is migrated to a perimeter network where it only has access to an RODC, should the DynamicSiteAssignment update automatically?  I have cached the computer account in the password replication policy for the RODC but the computer does not know who it should update its site assignment from. The computer which has moved from an internal network to a perimeter has updated its DNS to use the RODC.

The RODC is also a DNS server.

This also occurs on an offline domain join.


Any help would be appreciated!

Thank you,
Franz

User can't change password

Hi there,

I have a small two-site Active Directory. Windows Server 2008 R2 servers running at the 2008 functional level.

Recently, a user came back from maternity leave. I reset her password to our default and asked her to change it. She was unable to, her workstation telling her that the new password didn't meet the complexity requirements or was in her password history. After careful examination, we discovered neither was true: newly-formulated passwords which met the requirements were rejected. I assumed a problem with the domain, but her account is the only one having these issues. I can't even change her password on the DCs.

Any suggestions? 

Want to put ns1.any-domain-name.com & ns2.any-domain-name.com on server 2012. I have an IP address + main domain name + 5 other domain names (want to add these afterwards)

Want to put ns1.any-domain-name.com & ns2.any-domain-name.com on server 2012. I have an IP address + main domain name (we will use any-domain-name.com for an example) + 5 other domain names (want to add these afterwards).

I have added DNS and IIS to my server 2012. I believe I have correctly added my main domain name, being any-domain-name.com.

I am a bit lost where to put the ns1.any-domain-name.com & ns2.any-domain-name.com.

All my domain names at the registrar are set to ns1.any-domain-name.com & ns2.any-domain-name.com. I have also glued the record with the IP address to the main domain name any-domain-name.com.

I have put the 5 domain names on the server and now realise I need the ns1 ns2 zones, which means I might have to delete the 5 domain names.

Can someone give me some guidance please?


How to config a trusting domain so that domain admins in the trusted domain can only see users in a certain OU in the trusting domain?

I want the domain admins in the trusted domain to be only able to see users in certain OUs in the trusting domain. I don't want the domain admins in the trusted domain to be able to enumerate/see all users/OUs in the trusting domain.

