Channel: Directory Services forum

Need to upgrade from W2008 R2 to W2012 R2 for 2 VMware and 3 Hyper-V hosted domain controllers


Need to upgrade from W2008 R2 to W2012 R2.

We have 2 DCs on VMware ESXi hosts and 3 DCs on 3 standalone Hyper-V hosts.

Menino Fernandes




Issue accessing share from other forest. No logon servers available to serve your request.


Hello, gents!

We have two AD forests and an external two-way trust between them. About a month ago I was able to reach a share on a file server in remotedomai.com from localdomain.com without any issues. Now when I try to do it I get this error:

"\\servername\share is not available. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

There are currently no logon servers available to service the logon request."

I validated the trusts; everything validates fine.

In the event log of the remote server I am trying to access, I found this error, Event ID 4625 from Microsoft Windows security auditing:

An account failed to log on.

Subject:
    Security ID:            NULL SID
    Account Name:           -
    Account Domain:         -
    Logon ID:               0x0

Logon Type:                 3

Account For Which Logon Failed:
    Security ID:            NULL SID
    Account Name:           artem
    Account Domain:         localdomain

Failure Information:
    Failure Reason:         An error occurred during logon.
    Status:                 0xc000005e
    Sub Status:             0x0

Process Information:
    Caller Process ID:      0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:       ANOMDC1
    Source Network Address: 172.20.0.10
    Source Port:            53693

Detailed Authentication Information:
    Logon Process:          NtLmSsp
    Authentication Package: NTLM
    Transited Services:     -
    Package Name (NTLM only): -
    Key Length:             0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

- Transited services indicate which intermediate services have participated in this logon request.

- Package name indicates which sub-protocol was used among the NTLM protocols.

- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

What would be the proper steps to troubleshoot it?
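Status 0xC000005E in a 4625 event is STATUS_NO_LOGON_SERVERS: while validating this NTLM (NtLmSsp) pass-through logon, the file server or its own DC could not reach a domain controller for the account's domain, localdomain. That is the same condition the client-side message describes, so the checks are about DC location across the trust rather than about share permissions. The script below is an added example for this thread, not part of the original post; the two domain names are assumptions taken from the post's placeholders and it needs PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): run the locator and trust checks that explain a
# 4625 with Status 0xC000005E (STATUS_NO_LOGON_SERVERS) on a cross-forest NTLM logon.
# Needs PowerShell 3.0+; the two domain names are assumptions taken from the post's placeholders.
$trusted  = 'localdomain.com'   # forest of the failing account (artem)
$resource = 'remotedomai.com'   # forest of the file server

function Invoke-Native {
    param([Parameter(Mandatory)] [string] $Command)
    # Run a native tool through cmd so stderr and the exit code are captured with the output.
    $out = & cmd.exe /c "$Command 2>&1"
    [pscustomobject]@{ Command = $Command; ExitCode = $LASTEXITCODE; Output = ($out -join "`n") }
}

$checks = @(
    # 1. DNS: the resource side must resolve the trusted forest's DC locator records
    #    (conditional forwarder or stub zone). No SRV answer here means no DC is ever found.
    "nslookup -type=SRV _ldap._tcp.dc._msdcs.$trusted",
    # 2. DC locator: can this host discover a DC of the trusted domain at all?
    "nltest /dsgetdc:$trusted /force",
    # 3. Trusts as enumerated through this host's own DC.
    "nltest /domain_trusts /all_trusts",
    # 4. This host's own secure channel; a broken one also surfaces as 0xC000005E.
    "nltest /sc_query:$resource",
    # 5. On a DC of the resource domain only: DCs hold the trust secure channel, members do not.
    "nltest /sc_verify:$trusted",
    # 6. Trust object and trust password on both sides.
    "netdom trust $resource /domain:$trusted /verify"
)

$results = foreach ($c in $checks) { Invoke-Native $c }
$results | Format-List Command, ExitCode, Output

# nltest prints the Win32 status of the failing step, e.g. 'Status = 1311 0x51f ERROR_NO_LOGON_SERVERS'.
$results | Where-Object { $_.ExitCode -ne 0 -or $_.Output -match 'ERROR_|Status = [1-9]' }
```

Run checks 1 to 4 on the file server first, then 5 and 6 on a DC of remotedomai.com. The first check that fails is the one to fix: no SRV answer means the resource forest cannot resolve the trusted forest's DNS, a failing /dsgetdc with the SRV records present points at blocked ports or a dead trust secure channel, and /verify failing on one side only means the trust password no longer matches.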

DomainDnsZones & ForestDnsZones missing


Hello. Please excuse the lack of knowledge; I have been thrown into the deep end on this one.

I am setting up a very simple environment with 1 server as DC with AD DS & DNS, 1 file & print server and 1 app server, all running Windows 2012 R2 built from scratch.

Going through the steps to install AD DS & DNS, I noticed that no DomainDnsZones or ForestDnsZones were created when adding the AD DS role.

I am trying to figure out what would cause that, as I suspect I will need them when adding my other servers to the AD domain.

Any pointer would be appreciated.

K
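DomainDnsZones and ForestDnsZones are AD application partitions; the AD DS wizard creates them only when the DNS Server role is installed as part of the promotion, and a zone stored in the domain partition itself (the "legacy" scope) works but replicates to every DC rather than only DNS servers. The following is an added example, not part of the original post, for checking whether the partitions exist and creating them on a 2012 R2 DC; the domain name is an assumption.

```powershell
# Added example (not from the original post): verify the DNS application partitions exist and
# create them if they are missing. Run on the DC; needs the DnsServer and ActiveDirectory modules.
Import-Module DnsServer
Import-Module ActiveDirectory

$domain = 'corp.example'   # assumption

# 1. Partitions the forest knows about. Expect DC=DomainDnsZones,DC=corp,DC=example and DC=ForestDnsZones,...
$partitions = (Get-ADForest).ApplicationPartitions
$partitions

# 2. Partitions the DNS server is enlisted in (State should be Enlisted for both built-in ones).
Get-DnsServerDirectoryPartition | Select-Object DirectoryPartitionName, State, Flags

# 3. Create whichever built-in partition is absent. dnscmd /CreateBuiltinDirectoryPartitions /AllDomains
#    does the same on 2008 R2.
if (-not ($partitions -match '^DC=DomainDnsZones')) { Add-DnsServerDirectoryPartition -Type Domain }
if (-not ($partitions -match '^DC=ForestDnsZones')) { Add-DnsServerDirectoryPartition -Type Forest }

# 4. Move the domain zone into the new scope so only DNS servers in the domain replicate it.
Get-DnsServerZone -Name $domain | Select-Object ZoneName, IsDsIntegrated, ReplicationScope
Set-DnsServerPrimaryZone -Name $domain -ReplicationScope Domain
```

The `_msdcs.<forest>` zone normally lives in ForestDnsZones and the domain zone in DomainDnsZones; after the change, `Get-DnsServerZone` should report `ReplicationScope` as Forest and Domain respectively rather than Legacy.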



AD Site and Service


HI All,

Ok, here is our situation. We have 5 locations with domain controllers. All sites are connected via MPLS. (I have cut the real names.)

Ligo is the main site with the PDC, and I created a site link to it from each of the other site locations. But I kept the DEFAULTIPSITELINK?

Do I need that, or should I delete it?

I found that some users in one site authenticate against another site's DCs (echo %logonserver%).

I also found some slowness.
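A client whose IP is not covered by an AD subnet object has no site, so the DC locator cannot prefer a local DC and hands out any DC in the domain; that is what cross-site `%LOGONSERVER%` values normally mean. Every DC records such clients as `NO_CLIENT_SITE` entries in `%SystemRoot%\debug\netlogon.log`. The script below is an added example, not part of the original post: it lists the site and site-link configuration and collects the unmapped subnets from every DC's log. The site name and the admin$ share path are assumptions.

```powershell
# Added example (not from the original post): find client subnets that are not mapped to any AD site.
# Needs the ActiveDirectory module and admin rights on the DCs (reads \\dc\admin$\debug\netlogon.log).
Import-Module ActiveDirectory

# Current mapping: which subnet belongs to which site, and how sites are linked.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site | Sort-Object Site
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, @{ n = 'Sites'; e = { $_.SitesIncluded -join ';' } }

# Each DC logs 'NO_CLIENT_SITE: <client> <ip>' when a client with no site asks it for a DC.
$unmapped = foreach ($dc in Get-ADDomainController -Filter *) {
    $log = "\\$($dc.HostName)\admin$\debug\netlogon.log"
    if (Test-Path $log) {
        Select-String -Path $log -Pattern 'NO_CLIENT_SITE' | ForEach-Object {
            if ($_.Line -match 'NO_CLIENT_SITE:\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)') {
                [pscustomobject]@{ DC = $dc.Name; Client = $Matches[1]; IP = $Matches[2] }
            }
        }
    }
}

# Summarise by /24 so the missing subnet objects are obvious.
$unmapped | Group-Object { ($_.IP -split '\.')[0..2] -join '.' } |
    Select-Object Name, Count | Sort-Object Count -Descending

# Fix: one subnet object per missing range, attached to the site it physically belongs to (assumed name).
# New-ADReplicationSubnet -Name '10.20.30.0/24' -Site 'Ligo'
```

On a client, `nltest /dsgetsite` shows the site it resolved to and `nltest /dsgetdc:<domain>` the DC it picked. DEFAULTIPSITELINK is an ordinary site link; it can be deleted once every site is a member of another link, but a site that is in no link at all stops replicating, so check `SitesIncluded` first.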
 

How to use repadmin and replication the right way


Hi Guys,

When I change the password for a specific user, it sometimes takes a while before the change is updated.

I want to trigger this using replication.

I'm not sure of the right steps to do this. I think:

1. echo %LOGONSERVER% (to see on which domain controller I will make the change).

2. In the GUI I would use something like Active Directory Sites and Services, then choose the domain -> Replicate configuration from the selected DC.

Is this the right way to go? How would I do the same thing in repadmin (command prompt)?

Kind regards,

André
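Replicating whole partitions for one password change is more than needed; AD can push a single object from the DC that wrote it to each partner. The block below is an added example, not part of the original post or any product documentation: it finds the originating DC from `%LOGONSERVER%`, pushes only the password attributes of one account to every other DC with `Sync-ADObject`, then checks the replication metadata. The account name is an assumption; `Get-ADReplicationAttributeMetadata` needs the 2012 or later AD module.

```powershell
# Added example (not from the original post): push one changed object to every other DC,
# then the repadmin equivalents. Requires the ActiveDirectory module (RSAT, 2008 R2+).
Import-Module ActiveDirectory

$user     = 'jdoe'                              # assumption: the account whose password you just changed
$sourceDc = $env:LOGONSERVER.TrimStart('\')     # the DC that wrote the change, e.g. DC01
$dn       = (Get-ADUser -Identity $user -Server $sourceDc).DistinguishedName

# Every other DC in the domain becomes a destination for this one object.
$targets = Get-ADDomainController -Filter * | Where-Object { $_.Name -ne $sourceDc }

foreach ($dc in $targets) {
    # -PasswordOnly replicates just the password attributes, not the whole object or partition.
    Sync-ADObject -Object $dn -Source $sourceDc -Destination $dc.HostName -PasswordOnly
    Write-Host "Pushed $user from $sourceDc to $($dc.HostName)"
}

# Verify: each destination should now show the same version and originating time for unicodePwd.
foreach ($dc in $targets) {
    Get-ADReplicationAttributeMetadata -Object $dn -Server $dc.HostName -Properties unicodePwd |
        Select-Object @{ n = 'DC'; e = { $dc.HostName } }, AttributeName, Version, LastOriginatingChangeTime
}

# Command-prompt equivalents:
#   repadmin /replsingleobj <destinationDC> <sourceDC> "<object DN>"   one object, one hop
#   repadmin /syncall <sourceDC> /AdeP                                   all partitions, all partners, push, across sites
#   repadmin /showrepl <dc>  and  repadmin /replsummary                  confirm there are no failures afterwards
```

A password change is also forwarded immediately to the PDC emulator, and a DC that rejects a password retries it against the PDC emulator before failing the logon, so the usual delay is seen by applications that read the attribute rather than by users logging on.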

Preferred and secondary DNS setting on server 2012r2/2008r2

How do these settings work? I understand the basic concept of what they are for, but how do they interact in the real networking world? What is the myth vs. reality? At which point does the secondary take over if the preferred is not available: 5, 10, 15 minutes? Would a restart of the server be required for the change to occur?

Francisco Mercado Jr.

How to enable Chase Referral? After doing the same how to verify that part?


Hi,

Please guide me on enabling chase referral on my Active Directory server. Also, after enabling it, how do I verify it?

Setup info:

Forest1:

root.com(PDC)

child.root.com(Child)

Forest2:

test.com(PDC)

ind.test.com(child1)

us.test.com(child2)

Both these forests have a two-way transitive trust enabled.

We have a product where we can add LDAP settings so that AD users can be mapped to that server. I have added Forest1 -> PDC to those settings, where I am able to retrieve the objects during an LDAP search. A Chase Referral option is available; when I enable the option and try to search for a user present in Forest1 -> child domain, no object is returned.

Is there anything that needs to be done on the AD servers? Please help.
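Each domain is its own naming context, so a subtree search rooted at `DC=root,DC=com` does not contain child.root.com objects; the DC returns a subordinate referral to a child.root.com DC instead, and "chase referrals" means the client follows it. The function below is an added example, not from the original post or the product in question, that shows the difference using .NET's `System.DirectoryServices` so the behaviour can be verified outside the product. The LDAP paths and the account name are assumptions.

```powershell
# Added example (not from the original post): what "chase referrals" changes for an LDAP search
# rooted in the parent domain, and the Global Catalog alternative. Paths and names are assumptions.
Add-Type -AssemblyName System.DirectoryServices

function Find-AdUser {
    param(
        [Parameter(Mandatory)] [string] $LdapPath,          # 'LDAP://root.com/DC=root,DC=com' or 'GC://root.com'
        [Parameter(Mandatory)] [string] $SamAccountName,
        [System.DirectoryServices.ReferralChasingOption] $Referrals = 'None'
    )
    $base     = New-Object System.DirectoryServices.DirectoryEntry($LdapPath)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter          = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $searcher.SearchScope     = 'Subtree'
    $searcher.ReferralChasing = $Referrals        # None, Subordinate, External or All
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('distinguishedName', 'userPrincipalName'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            DN  = [string]$r.Properties['distinguishedname'][0]
            UPN = [string]$r.Properties['userprincipalname'][0]
        }
    }
}

$childUser = 'ckumar'   # assumption: an account that exists only in child.root.com

# 1. No chasing: the root.com DC answers with a subordinate referral for child.root.com, the client
#    ignores it, and the search returns nothing. This is the product's symptom.
Find-AdUser -LdapPath 'LDAP://root.com/DC=root,DC=com' -SamAccountName $childUser -Referrals None

# 2. Chasing on: the client binds to a child.root.com DC named in the referral and repeats the search.
#    Needs DNS for child.root.com and LDAP (389) reachable from the product's host; nothing on the DCs.
Find-AdUser -LdapPath 'LDAP://root.com/DC=root,DC=com' -SamAccountName $childUser -Referrals Subordinate

# 3. No chasing needed: the Global Catalog (port 3268) holds a partial replica of every domain in
#    Forest1, so a single GC query covers root.com and child.root.com.
Find-AdUser -LdapPath 'GC://root.com' -SamAccountName $childUser
```

If case 2 returns the user here but not in the product, the product host cannot resolve or reach the child domain's DCs, which is what referral chasing depends on. Neither referrals from root.com nor its GC ever return objects from Forest2 (test.com); users there need a second LDAP source pointed at test.com or its GC.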


Administrator in parent domain has no administrator rights when logging into child domain systems.


We have a simple layout: the parent domain in the office is foo.com, and I've added a child domain in the datacenter called prod.foo.com (we have machines with the same names in the office and production, not my doing :p). Prior to this all of our production machines were standalone and various users just had the local administrator account, which has led to some problems.

Anyway, on to my issue.

I have a security group in foo.com called Production Logins that I've added myself to, and on the test Windows 2003 server I've allowed FOO\Production Logins the ability to remote desktop, and I'm able to remote into the box web01.prod.foo.com just fine. However, when I log into web01.prod.foo.com under my admin account in the parent domain, I only have basic user rights on that machine, not administrator rights. Shouldn't administrator rights carry over to the child domain for my account? Is there something specific I need to do to allow that?


GPO for Users not applying


Hi,

I have a bit of an issue with a GPO: when I run gpresult /r it shows that the specific GPO is not applied because it was filtered out.

The Group Policy path is User Configuration\Policies\Administrative Templates\System\Removable Storage Access.

I am trying to stop users from accessing all removable media, but it seems I cannot apply it.

I read through the forums and found that it could be because the GPO is not linked to the correct OU.

My OUs are {ABC company} > {departments - users are in these OUs} and a separate OU for {Computers}. I have applied the mentioned GPO to the ABC company OU so that it will apply to all the sub-OUs, but it doesn't seem to be working. I have tried gpupdate /force, restarted, and also waited 12 hours and restarted again to see if it would apply, but to no avail.

Really appreciate all help.


Just a lowly techie..
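gpresult reports "Filtered out" for a GPO that is in scope through its link but is then excluded on the client: by security filtering (the user has no Apply Group Policy permission or is explicitly denied), by a WMI filter that evaluated false, or because the user half of the GPO is disabled. A link to the wrong OU shows up differently, as the GPO not being listed at all. The function below is an added example, not from the original post, that checks those conditions for one user using the GroupPolicy and ActiveDirectory RSAT modules; the GPO name, OU and user are assumptions, and it only expands the user's direct group memberships.

```powershell
# Added example (not from the original post): why gpresult reports a user GPO as 'Filtered out'.
# Needs the GroupPolicy and ActiveDirectory RSAT modules; names below are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GpoUserApply {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $OuDn,     # OU the GPO is linked to
        [Parameter(Mandatory)] [string] $UserSam
    )
    $gpo    = Get-GPO -Name $GpoName
    $issues = New-Object System.Collections.Generic.List[string]

    # 1. The user half of the GPO must be enabled.
    if ($gpo.GpoStatus -in 'UserSettingsDisabled', 'AllSettingsDisabled') {
        $issues.Add("GpoStatus is $($gpo.GpoStatus): user settings never apply")
    }
    # 2. A WMI filter that evaluates false on the client is reported as 'Filtered out' too.
    if ($gpo.WmiFilter) { $issues.Add("WMI filter '$($gpo.WmiFilter.Name)' is attached; evaluate it on the client") }

    # 3. The link must exist on that OU and be enabled.
    $link = (Get-GPInheritance -Target $OuDn).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $link)             { $issues.Add("GPO is not linked to $OuDn") }
    elseif (-not $link.Enabled) { $issues.Add("Link on $OuDn is disabled") }

    # 4. Security filtering: the user or one of its groups needs Apply Group Policy and must not be denied.
    #    The default grant is 'Authenticated Users: Apply'; it is often removed by mistake.
    $perms      = Get-GPPermission -Name $GpoName -All
    $userGroups = @('Authenticated Users', 'Everyone', $UserSam) +
                  (Get-ADPrincipalGroupMembership -Identity $UserSam | Select-Object -ExpandProperty Name)
    $apply  = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied -and $_.Trustee.Name -in $userGroups }
    $denied = $perms | Where-Object { $_.Denied -and $_.Trustee.Name -in $userGroups }
    if ($denied)     { $issues.Add("Explicit deny for: $(($denied | ForEach-Object { $_.Trustee.Name }) -join ', ')") }
    if (-not $apply) { $issues.Add("No 'Apply Group Policy' grant matches $UserSam or its direct groups (nested groups not expanded)") }

    # 5. The user object has to sit under the linked OU for the link to be in scope at all.
    $userDn = (Get-ADUser -Identity $UserSam).DistinguishedName
    if ($userDn -notlike "*,$OuDn") { $issues.Add("$userDn is not under $OuDn") }

    if ($issues.Count -eq 0) { "No filtering problem found; compare with: gpresult /user $UserSam /h report.html" }
    else { $issues }
}

Test-GpoUserApply -GpoName 'Block Removable Storage' -OuDn 'OU=ABC company,DC=corp,DC=local' -UserSam 'jdoe'
```

`gpresult /h report.html` names the reason next to each denied GPO (Security, WMI Filter, or Empty), which is the quickest way to confirm which of the five checks above is the one that fired.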

One of the DC can't connect to AD for Windows server 2003


Dear Sir,

We have 2 domain controllers in our domain, DC1 and DC3, which are running Windows Server 2003 SP2. I found that DC3 failed to connect to AD, and I found the following error messages logged in the system event log many times:

Source: MRxSmb
Type: Error

The master browser has received a server announcement from the computer DC1 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{C1D9AA59-2423-4059-A773. The master browser is stopping or an election is being forced.

Source: KDC
Type: Warning
The description for Event ID 20 (in Source KDC) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: The event log file is corrupt.

Source: Kerberos
Type: Error
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/dc1.domain.com. This indicates that the password used to encrypt the Kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (domain name) and the client realm. Please contact your system administrator.

I have searched on the internet and tried some of the suggestions, but still can't fix the issue. I also can't dcpromo DC3, and can't use Remote Desktop Connection to connect to DC3.

What can I do now? Can I just reinstall DC3 and run dcpromo again?



Windows 2012R2 ADFS - High Availability Geo Redundancy

Our customer has requested that we expand ADFS across multiple geographical locations to provide redundancy and to avoid a single point of failure. I know there is a TechNet blog for ADFS 2.0, but I need to know whether we follow the same method for ADFS 3.0 or whether there is a different approach.

Jimmy George

AD FS and Microsoft live-id


Hi guys, I was wondering whether it is possible to have an on-premises ADFS 2012 R2 server and configure/connect to the Microsoft STS as a claims provider, so that people with a Live ID can log on to our environment.

Upgrading and migrating child domain with missing parent domain


Hi all,

I've managed to inherit a bit of a mess at the company I'm at, where they have a child (I think, based on the naming) and a parent domain with 2003 and 2008 DCs, which they are looking to migrate to 2012 along with their Exchange, SQL and the rest of the environment. (They would like to consolidate into one domain name.)

I've migrated 2008 DCs in a single-domain environment to 2012 before, but in a working/clean environment.

Here's the info:

 - There used to be three sites, but it's now all in one site. Parent DCs in one site, child DCs at another site, the third site empty.

 - There is a parent domain, say, vzla.com.au. Both of the DCs for this have failed and have been offline for months; these still host the Schema and Domain Naming roles.

 - There is a child domain, say, merida.vzla.com.au. This has four DCs which are all active and hold the PDC, RID and Infrastructure roles.

I'm guessing I will have to build a new DC for the parent domain and seize the Schema and Domain Naming roles before I can do anything. Seizing the roles with the child domain DCs would probably make things even worse. Then I'd try to migrate the child domain PCs, users and groups to the new parent DC using ADMT. Probably, before I do the child account migration with ADMT, I'll have to try and move the Exchange server over to the parent domain.

This article had a bit of information which was partly relevant. Although I know that, out of the two, I would have to keep the parent vzla.com.au domain and merida.vzla.com.au would have to go, with the vzla DCs missing that would be a problem.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/9d3834a3-55c6-40f9-82e8-33f51aaabb56/how-to-tell-if-domain-is-a-child-domain
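Two facts decide the order of operations here. The Schema Master and Domain Naming Master are forest-wide roles that any DC in the forest may hold, so the live merida DCs can seize them without a parent-domain DC existing. And a new DC can only be promoted into a domain that still has a reachable DC to replicate from, so a domain whose DCs are all gone cannot receive a replacement DC short of restoring one of the failed DCs from backup. The block below is an added example, not from the original post: it seizes the forest roles onto a child DC and removes the dead DCs' metadata. DC names are assumptions; seizure is one-way and the old holders must never be powered back on.

```powershell
# Added example (not from the original post): seize the forest-wide FSMO roles onto a live child-domain
# DC and clean up the dead parent DCs. Needs the ActiveDirectory module on a 2008 R2+ DC; names are assumptions.
Import-Module ActiveDirectory

Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster   # still names the dead vzla DCs

# -Force seizes when the current holder cannot be contacted; a transfer is attempted first and fails.
Move-ADDirectoryServerOperationMasterRole -Identity 'MERIDA-DC1' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Force -Confirm:$false

# Metadata cleanup: remove the server/NTDS objects of every DC whose host name is in the parent domain
# (and not in the child), so replication, KCC and DNS stop referencing them.
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -Filter 'objectClass -eq "server"' -SearchBase "CN=Sites,$cfg" -Properties dNSHostName |
    Where-Object { $_.dNSHostName -like '*.vzla.com.au' -and $_.dNSHostName -notlike '*.merida.vzla.com.au' } |
    ForEach-Object {
        # ntdsutil removes the server object, its NTDS Settings, FRS/DFSR membership and DNS records in one go.
        ntdsutil "metadata cleanup" "remove selected server $($_.DistinguishedName)" quit quit
    }

netdom query fsmo       # all five roles must now answer from live DCs
repadmin /replsummary   # no lingering partners, no failures
```

After this the forest is healthy but vzla.com.au is an empty domain with no DCs, so the consolidation target that can actually host users and Exchange is the domain that still has DCs, merida.vzla.com.au, unless a system state backup of a vzla DC exists for a restore.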




Login error after changing UPN suffix - Solved by resetting passwords?


We have an Oracle IDM solution, and after a "human error" several users had their UPN suffixes changed.

My default domain name is "company.ad", and an LDAP application changed it to "company" (the option "company" cannot be selected in the user account properties drop-down for the UPN, right after the pre-Windows 2000 name).

After the mass change, the affected users could not log in anymore, and we noticed that changing the UPN suffix back to the original one was not enough; the users' passwords also had to be reset.

Why is that?

Why, even after changing back to the original suffix, was the password not being accepted?


Require Smartcard for interactive Logon and Outlook 2013


Hello,

I have a problem in an Office 365 federated domain (federation just for information; I don't think this is the problem).

We are using Office 365 for e-mail, so Outlook connects to Office 365.

When I enable "Smart card is required for interactive logon", Outlook stops working and asks for credentials all the time. But this is not working, as the smart card flag is set.

Is there any way to get Outlook working correctly when the flag is set?

Best regards, and thanks for your help.


AD accounts not getting locked out properly ID 4771


hi,

We are a customer facing a weird issue: one of the old accounts is getting locked every day. We tried to find where it is being locked from, but that didn't help.

Would you please help find out what is causing this lockout? Below is the log message content for the account lockout:

<EventRecordID>391793161</EventRecordID><Correlation/><Execution ProcessID='508' ThreadID='564'/><Channel>Security</Channel><Computer>abc.dc.corp</Computer><Security/></System>
<EventData>A user account was locked out.

Subject:
    Security ID:        NT AUTHORITY\SYSTEM
    Account Name:       abc$
    Account Domain:     dc
    Logon ID:           0x3e7

Account That Was Locked Out:
    Security ID:        ***\*********_******
    Account Name:       *********_******

Additional Information:
    Caller Computer Name:
</EventData></Event>

I don't understand what the role of the Subject is:

Subject:
    Security ID:        NT AUTHORITY\SYSTEM
    Account Name:       abc$
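In a 4740 the Subject (SYSTEM, account `abc$`) is only the domain controller that processed the lockout; it is never the culprit. The source is "Caller Computer Name", which in the event's XML is carried in the `TargetDomainName` field, and it is blank when the bad passwords arrived over a path that did not supply a workstation name. In that case the preceding 4771 (Kerberos pre-authentication failed, with the client IP) or 4776 (NTLM validation, with the workstation name) events for the same account on the same DC give the origin. The script below is an added example, not from the original post: a parser for those events run over a constructed sample, followed by the live hunt on the PDC emulator, which receives a copy of every lockout because bad-password counts are forwarded to it. Names in the sample are assumptions.

```powershell
# Added example (not from the original post): parse 4740 lockout events and, when 'Caller Computer Name'
# is blank, find the bad-password events for that account. The event XML below is a constructed sample.
Import-Module ActiveDirectory

function ConvertFrom-SecurityEvent {
    param([Parameter(Mandatory)] [string] $EventXml)
    $x = [xml]$EventXml
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    $id = [int]$x.Event.System.EventID
    # The field that names the origin of the bad password differs per event ID.
    $source = switch ($id) {
        4740 { $d['TargetDomainName'] }   # 4740 carries Caller Computer Name in TargetDomainName
        4771 { $d['IpAddress'] }          # Kerberos pre-auth failure: client IP
        4776 { $d['Workstation'] }        # NTLM validation: workstation name as sent by the client
        4625 { $d['WorkstationName'] }    # logon failure on the target host
        default { $null }
    }
    [pscustomobject]@{
        Id     = $id
        Time   = [datetime]$x.Event.System.TimeCreated.SystemTime
        DC     = $x.Event.System.Computer   # the DC that wrote it: the 'SYSTEM / abc$' Subject in a 4740
        Target = $d['TargetUserName']
        Source = $source
        Status = $d['Status']
    }
}

# Constructed sample 4740, in the shape Get-WinEvent's ToXml() returns.
$sample4740 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2015-06-01T08:02:11.000Z" />
    <Channel>Security</Channel>
    <Computer>abc.dc.corp</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">svc_legacy</Data>
    <Data Name="TargetDomainName">APP03</Data>
    <Data Name="TargetSid">S-1-5-21-1-2-3-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">abc$</Data>
    <Data Name="SubjectDomainName">dc</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@
ConvertFrom-SecurityEvent $sample4740    # Source = APP03, the host that sent the bad passwords

# Live hunt: start on the PDC emulator, which gets a copy of every lockout in the domain.
$pdc = (Get-ADDomain).PDCEmulator
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 50 |
    ForEach-Object { ConvertFrom-SecurityEvent $_.ToXml() }
$lockouts | Format-Table Time, Target, Source, DC

# Blank Source: look back 30 minutes on the same DC for 4771/4776 against the same account.
foreach ($l in ($lockouts | Where-Object { -not $_.Source })) {
    Get-WinEvent -ComputerName $l.DC -FilterHashtable @{
        LogName = 'Security'; Id = 4771, 4776; StartTime = $l.Time.AddMinutes(-30); EndTime = $l.Time
    } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SecurityEvent $_.ToXml() } |
        Where-Object { $_.Target -eq $l.Target } |
        Format-Table Id, Time, Source, Status
}
```

The 4771 `Status` 0x18 means a wrong password; a source IP that belongs to a server rather than a workstation usually points at a scheduled task, service or mapped drive still holding the account's old credentials, which matches an "old account" locking daily.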

Active Directory


Hi Team,

I have a few queries mentioned below. Kindly share your suggestions.

1) How can we make sure that time is synchronized properly in the AD infrastructure, and how do we monitor this?

2) Is there any way to find which attribute of an object was changed recently?

Regards

Sajin P S
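Both questions have a standard answer in the tools already on a DC: `w32tm` measures the offset between clocks (the PDC emulator is the domain's reference, and Kerberos rejects tickets once clocks differ by more than five minutes), and replication metadata records, per attribute, when the last originating write happened and on which DC. The block below is an added example, not from the original post, with one function for each question; the object DN and the warning threshold are assumptions, and the second function needs the 2012 or later AD module.

```powershell
# Added example (not from the original post): (1) clock offset of every DC against this machine,
# (2) the attributes of one object that changed most recently and where. Needs the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DcTimeOffset {
    param([double] $WarnSeconds = 5)   # assumption: alert long before the 5-minute Kerberos skew limit
    foreach ($dc in Get-ADDomainController -Filter *) {
        $target = $dc.HostName
        # Last line of /dataonly output looks like '08:02:11, +00.0123456s' (offset of the target vs. this host).
        $last   = w32tm /stripchart "/computer:$target" /samples:1 /dataonly 2>&1 | Select-Object -Last 1
        $offset = if ($last -match '([+-]\d+\.\d+)s') { [double]$Matches[1] } else { $null }
        [pscustomobject]@{
            DC     = $target
            Offset = $offset
            Status = if ($null -eq $offset) { 'unreachable' }
                     elseif ([math]::Abs($offset) -gt $WarnSeconds) { 'DRIFT' }
                     else { 'ok' }
        }
    }
}

function Get-RecentAttributeChanges {
    param(
        [Parameter(Mandatory)] [string] $ObjectDn,
        [int]    $Last   = 10,
        [string] $Server = (Get-ADDomain).PDCEmulator
    )
    # Metadata says which attribute changed, when, its version and the originating DC; not the old value.
    Get-ADReplicationAttributeMetadata -Object $ObjectDn -Server $Server |
        Sort-Object LastOriginatingChangeTime -Descending |
        Select-Object -First $Last AttributeName, LastOriginatingChangeTime, Version,
            @{ n = 'OriginatingDC'; e = { (($_.LastOriginatingChangeDirectoryServerIdentity -split ',')[1]) -replace '^CN=' } }
}

Get-DcTimeOffset | Format-Table
Get-RecentAttributeChanges -ObjectDn 'CN=J Doe,OU=Staff,DC=corp,DC=local'   # DN is an assumption

# Same information from the command prompt:
#   w32tm /monitor /domain:corp.local        offsets of all DCs at once
#   w32tm /query /source                     on the PDC emulator this must be an external NTP source,
#                                            on every other DC another DC (domain hierarchy)
#   repadmin /showobjmeta <dc> "<object DN>" per-attribute metadata
```

Metadata never shows the previous or new value; for that, enable "Audit Directory Service Changes" so that event 5136 records the attribute, old and new value and the account that made the change.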

DSGetDCName error in advertising test


Hello, I have this problem:

We have two servers:

  • DC - Windows 2012 - FSMO holder (main server)
  • V32 - Windows 2008 - trying to set up as a GC

I ran dcpromo and set V32 as a global catalog with DNS. But SYSVOL and NETLOGON aren't replicating. DCDIAG gives a DSGetDCName error:

SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE

All the other tests pass. The server has its IP and DNS set correctly (the first DNS is the server's own address). I can post ipconfig if you want.

I also tried D2/D4 restores, but the problem is still here. I must note that I don't really understand what D4/D2 do or how to perform them correctly; that could be one problem. I built a virtual PC with another Win2012 and have the same problem. Could this be caused by "downgrading" the forest and domain level to Windows 2008? There aren't any modifications in the schema or policies that use a higher level than Windows 2008.

DCDIAG on server DC passes fine. I also read and tried related topics, but the problem is still here...

Thanks for any help, and sorry for my English.
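A new DC is reported "not suitable" by DsGetDcName until it advertises, and Netlogon only advertises after SYSVOL has completed its initial sync and the SYSVOL and NETLOGON shares exist. The D2/D4 values mentioned in the post are FRS BurFlags: D2 is a non-authoritative restore (this DC re-pulls SYSVOL from a partner), D4 is authoritative (this DC's copy becomes the source for everyone else, which is the wrong choice on a fresh DC with an empty SYSVOL). A domain whose SYSVOL uses DFSR ignores BurFlags entirely. The block below is an added example, not from the original post, showing where to look on the new DC; the server name is an assumption standing in for V32.

```powershell
# Added example (not from the original post): why a freshly promoted DC stays 'not suitable' in dcdiag.
# Run on the new DC; the name is an assumption.
$newDc = 'V32'

dcdiag /s:$newDc /test:Advertising /test:SysVolCheck /test:NetLogons /test:Replications

# Netlogon advertises only once SysvolReady is 1; FRS or DFSR sets it when the initial sync completes.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name SysvolReady
net share | Select-String 'SYSVOL|NETLOGON'

# Which engine replicates SYSVOL decides which log matters ('Eliminated' = DFSR, 'Start' = still FRS).
dfsrmig /getglobalstate

# FRS: 13508 = waiting for a partner (check DNS/RPC to the source DC), 13516 = SYSVOL in sync, now advertising.
Get-WinEvent -LogName 'File Replication Service' -MaxEvents 30 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 13508, 13516, 13565 } | Format-Table TimeCreated, Id, Message -Wrap

# DFSR: the 'DFS Replication' log records the SYSVOL initial sync and the moment the share is published.
Get-WinEvent -LogName 'DFS Replication' -MaxEvents 30 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*SYSVOL*' } | Format-Table TimeCreated, Id, Message -Wrap
```

If the new DC is stuck waiting for its partner, the fix is on the source DC side (it must be reachable on RPC and, for FRS, advertising itself), not another D2/D4 cycle on the new one.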

Change password, unlock account only.


Hi Guys,

Hope this is in the right forum.

I am looking for a method to allow a helpdesk admin to only unlock accounts and change passwords for accounts, without logging on to the domain controllers. The best option would be a web console that only allows unlock and change password.

I can see a few options; just wondering if anyone has a better method.

1) RDP to a desktop with the AD management console installed.

2) Use a PowerShell script.

3) Use a web console to change the password, but cannot unlock using this.

4) Create a VBS script that runs PowerShell commands to unlock or change passwords.

Thanks for any help.

Craig
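Options 1, 2 and 4 all run the helpdesk's commands under the helpdesk member's own account, so the account itself has to carry the AD rights, and whatever else that account can reach is exposed with it. A constrained endpoint separates the two: Just Enough Administration (JEA) publishes only the cmdlets and parameters the role needs, runs them under a dedicated identity that has exactly the two rights delegated, and transcribes every session. The block below is an added example, not from the original post: it delegates "Reset Password" and write access to lockoutTime on one OU to a group managed service account, then registers a JEA endpoint that exposes only unlock and reset. The domain, OU, group, gMSA and host names are assumptions, and gMSA-backed JEA needs WMF 5.1 (Windows Server 2016 or later on the end point host).

```powershell
# Added example (not from the original post): least-privilege unlock/reset for the helpdesk via JEA.
# Prerequisites: gMSA CORP\gmsa-helpdesk exists and is installed on the JEA host (Install-ADServiceAccount),
# and the helpdesk staff are members of CORP\Helpdesk. All names are assumptions.

# 1. Delegate the two rights, and nothing else, to the gMSA on the OU holding staff accounts (run as a domain admin).
#    /I:S = inherit to child objects only; 'user' = user objects only.
$ou   = 'OU=Staff,DC=corp,DC=example'
$gmsa = 'CORP\gmsa-helpdesk$'
dsacls $ou /I:S /G "${gmsa}:CA;Reset Password;user"   # control access right used by Set-ADAccountPassword -Reset
dsacls $ou /I:S /G "${gmsa}:WP;lockoutTime;user"      # Unlock-ADAccount writes lockoutTime = 0

# 2. Role capability: visible cmdlets and parameters. Anything not listed does not exist inside the session.
$modDir = "$env:ProgramFiles\WindowsPowerShell\Modules\HelpdeskJea"
New-Item -ItemType Directory -Path "$modDir\RoleCapabilities" -Force | Out-Null
New-ModuleManifest -Path "$modDir\HelpdeskJea.psd1"
New-PSRoleCapabilityFile -Path "$modDir\RoleCapabilities\AccountReset.psrc" `
    -ModulesToImport 'ActiveDirectory' `
    -VisibleCmdlets @(
        @{ Name = 'Unlock-ADAccount';      Parameters = @{ Name = 'Identity' } },
        @{ Name = 'Set-ADAccountPassword'; Parameters = @{ Name = 'Identity' }, @{ Name = 'Reset' }, @{ Name = 'NewPassword' } },
        @{ Name = 'Get-ADUser';            Parameters = @{ Name = 'Identity' },
                                                        @{ Name = 'Properties'; ValidateSet = 'LockedOut', 'PasswordLastSet', 'BadLogonCount' } }
    )

# 3. Session configuration: no general-purpose shell (RestrictedRemoteServer), gMSA identity, a transcript of
#    every session, and only the Helpdesk group mapped to the role.
$pssc = "$modDir\Helpdesk.pssc"
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -GroupManagedServiceAccount 'CORP\gmsa-helpdesk' `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CORP\Helpdesk' = @{ RoleCapabilities = 'AccountReset' } }
Test-PSSessionConfigurationFile -Path $pssc                     # $true when the file is valid
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $pssc -Force | Out-Null

# 4. What a helpdesk member runs from their own workstation (jea01 is the endpoint host, an assumption):
#    $pw = Read-Host -AsSecureString 'New password'
#    Invoke-Command -ComputerName jea01 -ConfigurationName Helpdesk -ScriptBlock {
#        Unlock-ADAccount -Identity jdoe
#        Set-ADAccountPassword -Identity jdoe -Reset -NewPassword $using:pw
#        Get-ADUser -Identity jdoe -Properties LockedOut, PasswordLastSet | Select-Object LockedOut, PasswordLastSet
#    }
#    Get-ADGroupMember, Remove-ADUser, cmd.exe and every other command are simply absent in that session.
```

Because the rights live on the gMSA and the delegation is scoped to one OU, a helpdesk member's own credentials gain nothing, and a reset of an account outside that OU (for example anything under Domain Controllers or an admin OU) fails with access denied even though the cmdlet is visible. The transcript directory gives the audit trail the web-console option would otherwise have to provide.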

Hyper-V host fails with “RPC Server unavailable” error when I try to promote Windows Server in virtual machine to a domain controller

Host: Windows Server 2012 R2 with Hyper-V and RRAS (for Internet over NAT)
VM: Windows Server 2012 R2 with installed Active Directory Domain Services

When I open the AD DS configuration window ("Promote this server to a domain controller"), many services and programs on my host (including Hyper-V, RRAS and Server Manager) fail with an "RPC server unavailable" error.

