Channel: Directory Services forum
Viewing all 31638 articles

Active Directory Disable users.


I want to sort out those users who have not logged in to AD or to email within a 90-day period. But the problem is that we have a mixed environment: most of the users are not on the domain (workstation users, but they have an email ID).

Is there any script or process to sort out both kinds of users, domain and non-domain users?
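An added example, not part of the original post, showing the stale-account logic in Python over constructed data. In AD the attribute to use is lastLogonTimestamp (lastLogon is not replicated and differs per DC). It is a FILETIME integer that is rewritten only when the stored value is more than 14 days old (msDS-LogonTimeSyncInterval), so it is a lower bound on the real last logon and the code adds that lag before deciding. The mailbox-only users have no AD logon record at all, so the only way to cover them is to merge a last-login export from the mail system; the lastMailLogin field, the user dicts and the dates below are assumptions standing in for such an export.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch (1601-01-01 UTC); AD large-integer timestamps such as
# lastLogonTimestamp count 100-nanosecond ticks from here.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # sentinel AD uses for "never" (e.g. accountExpires)

# lastLogonTimestamp is only rewritten when the stored value is older than
# msDS-LogonTimeSyncInterval (default 14 days), so the real last logon can be
# up to that much later than the attribute says.
LOGON_TIMESTAMP_LAG = timedelta(days=14)


def filetime_to_datetime(ft):
    """UTC datetime for an AD FILETIME integer, or None if the attribute is unset."""
    if ft is None or ft <= 0 or ft == NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def last_activity(user):
    """Latest evidence of activity across AD and the mail system, or None.

    user is a dict with 'lastLogonTimestamp' (FILETIME int, 0 when there is no
    AD logon or no AD account at all) and 'lastMailLogin' (aware datetime or
    None), the shape an assumed merged AD + mail-system export would have.
    """
    candidates = []
    ad_logon = filetime_to_datetime(user.get("lastLogonTimestamp", 0))
    if ad_logon is not None:
        candidates.append(ad_logon + LOGON_TIMESTAMP_LAG)  # upper bound on the true logon
    if user.get("lastMailLogin") is not None:
        candidates.append(user["lastMailLogin"])
    return max(candidates) if candidates else None


def stale_users(users, now, max_idle_days=90):
    """Return [(name, idle_days)] for users idle longer than max_idle_days.
    idle_days is None when neither system has ever seen the user log on."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for user in users:
        last = last_activity(user)
        if last is None:
            stale.append((user["sam"], None))
        elif last < cutoff:
            stale.append((user["sam"], (now - last).days))
    return stale


# Constructed sample data (not a real export).
NOW = datetime(2014, 6, 1, tzinfo=timezone.utc)


def _ft(days_ago):
    return datetime_to_filetime(NOW - timedelta(days=days_ago))


SAMPLE_USERS = [
    {"sam": "alice", "lastLogonTimestamp": _ft(3),   "lastMailLogin": None},                        # active in AD
    {"sam": "bob",   "lastLogonTimestamp": _ft(120), "lastMailLogin": NOW - timedelta(days=2)},   # AD stale, mail active
    {"sam": "carol", "lastLogonTimestamp": _ft(200), "lastMailLogin": NOW - timedelta(days=150)}, # stale everywhere
    {"sam": "dave",  "lastLogonTimestamp": 0,        "lastMailLogin": NOW - timedelta(days=30)},  # mail-only user, active
    {"sam": "erin",  "lastLogonTimestamp": 0,        "lastMailLogin": None},                        # never seen anywhere
    {"sam": "frank", "lastLogonTimestamp": _ft(95),  "lastMailLogin": None},                        # 95-day stamp: true logon may be only 81 days old
]

if __name__ == "__main__":
    for name, idle in stale_users(SAMPLE_USERS, NOW):
        label = "no logon recorded" if idle is None else f"idle {idle} days"
        print(f"{name}: {label}")
```

Note that frank is not reported: a 95-day-old stamp only proves the last logon was between 81 and 95 days ago, so he is not provably past 90 days. Drop the lag adjustment if you would rather over-report and review by hand.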


Problems creating a child domain - Verification of outbound replication failed


Hello,

I have seen other threads relating to this issue, but nothing has yet solved my problem.

All my servers are Windows Server 2012

So far, I have a DC for Domain.co.uk

I am trying to create the child domain int.Domain.co.uk

The main error that I receive when using ADDS config wizard, is:

Verification of outbound replication failed. Error reading the options property of the NTDS settings. Unknown error (0x8000500c)

Also, when on the 'Deployment Configuration' page of the wizard, when I click the Parent Domain Name 'Select...' button, and it prompts me to select a domain in the forest, the only thing that is available to select is a long string of numbers. Example - '01 363 747 838 292 28 298 363 363 767 35 536 367 67 678 687'.

So far I have tried turning off the firewall, joining the child DC to the domain, and re-enabling recursion on the parent DC ...

Any help appreciated :D

Thanks

Verification of replica failed. An Active Directory domain controller could not be contacted


I have a Windows 2012 server, and recently I had Active Directory installed as company.local. I removed company.local from the server and tried to install it again with the same name "company.local".

Now I'm having issues saying "verification of replica failed. an active directory domain controller could not be contacted" when promoting it to a domain controller.

I tried to put in a different name, but it still gives me the same error.

I also removed the DNS server and installed it again, thinking it might resolve the problem. Now the DNS server doesn't have any configuration in the forward lookup zone.

Please advise on what to do.

Thanks


AD Site lookup with multiple IP


Hey all,

If I have the following setup:

  Servername   IP             Subnet           Gateway
  Server1      192.168.1.10   255.255.255.0    192.168.1.1
  Server2      192.168.1.20   255.255.255.0    192.168.1.1

AD site definitions:

  • 192.168.1.0/24: Site1
  • 192.168.1.20/32: Site2

This means that Server1 would report Site1 as the result of an nltest site lookup and Server2 would report Site2. Up to that point everything is OK.

However, when setting up a Windows cluster, the cluster IP would also be in the 192.168.1.0/24 range. If Server2 has the cluster IP address, what site would this server be in? Will Server2 base its site location on the 192.168.1.20 interface?

In general, if a server has two NICs and each NIC uses a subnet that is allocated to a different AD site, how is this site selection performed?

Thanks for the responses! And if you have pointers to technet, these are also welcome!
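An added example (not from the post or any reply) of the subnet-to-site matching, in Python over the two subnet definitions above. The DC that answers a client's site lookup matches the source IP of the client's Netlogon/LDAP ping against the subnet objects in the Configuration partition and picks the most specific prefix, so 192.168.1.20 lands in Site2 through the /32 while every other address in 192.168.1.0/24 lands in Site1. A multi-homed server therefore gets the site of whichever address the OS used as the source when it talked to the DC, and that is what nltest /dsgetsite reports from the cached DynamicSiteName afterwards; cluster IP address resources are typically added with SkipAsSource set, so they are not picked as a source address. The site_candidates and nested_subnets helpers and the extra addresses are my assumptions for illustration.

```python
import ipaddress

# The two subnet objects from the post (constructed copy of what would sit under
# CN=Subnets,CN=Sites,CN=Configuration,...; each subnet's siteObject names its site).
SITE_SUBNETS = {
    "192.168.1.0/24": "Site1",
    "192.168.1.20/32": "Site2",
}


def site_for_ip(ip, subnets=SITE_SUBNETS):
    """Site for one source address: the most specific (longest-prefix) matching
    subnet wins, which is how a DC resolves the client's site for a Netlogon ping.
    Returns None when no subnet object covers the address (the client then has
    no site and the DC locator cannot prefer a nearby DC for it)."""
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def site_candidates(addresses, subnets=SITE_SUBNETS):
    """Per-address view for a multi-homed host (assumed helper). Only the address
    the OS actually sources the DC lookup from decides the cached site; the other
    entries show what the host would get if it sourced from those instead."""
    return {ip: site_for_ip(ip, subnets) for ip in addresses}


def nested_subnets(subnets=SITE_SUBNETS):
    """(inner, outer) pairs where a more specific subnet sits inside a broader one
    that maps to a different site. Deliberate here, but worth listing because a
    host's site then flips depending on which of its addresses is the source."""
    nets = {ipaddress.ip_network(c, strict=False): s for c, s in subnets.items()}
    pairs = []
    for inner, inner_site in nets.items():
        for outer, outer_site in nets.items():
            if inner != outer and inner.subnet_of(outer) and inner_site != outer_site:
                pairs.append((str(inner), str(outer)))
    return sorted(pairs)


if __name__ == "__main__":
    # Server2's own address versus an assumed cluster IP on the same wire.
    for ip, site in site_candidates(["192.168.1.20", "192.168.1.30"]).items():
        print(f"{ip} -> {site}")
    print("nested subnets with different sites:", nested_subnets())
```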


Impersonate users


Hi,

Is it possible to delegate permissions for specific users (for example a helpdesk user group) to impersonate domain user accounts?

The main goal is to allow a helpdesk user to log on to a computer and start a program as a different user (for example the primary user of the computer) without knowing the password for the user.

Group permissions issue


I'm in the process of rolling out a WPA2 Enterprise wireless network and need to give certain users access to the wireless network but not the ability to log on to workstations. I added these users to a group called "wireless only users" and added the group to the list of allowed groups in NPS. Despite being only in the wireless only users group, and that group not being a member of any other group, they are able to log on to workstations.

How can I prevent this?

Apologies for the repeated use of the word group.

Any help is greatly appreciated

Thanks

Excessive Traffic on Port 445 between 2 Domain Controllers


Hi, my company has over 45 DCs across about 25 sites worldwide. We are noticing a lot of traffic, using Wireshark and Network Monitor, on Microsoft-DS port 445. I have been searching whether this is normal, and what I see is that it is used for SMB file and print sharing. Well, I don't have any file shares on these DCs other than the normal admin shares and the SYSVOL share. I don't believe this is replication traffic, since these 2 servers are not replication partners. I have checked Sites and Services to make sure the intersite and intrasite connections look good.

This traffic is constant over weeks and it is about 1 GB an hour between the 2 servers. This would not be a big deal if this was just on the local LAN, but it is over the WAN and that saturates the line. Should 2 DCs that are not even replication partners be talking that much? What type of traffic could it be? I am at a loss for troubleshooting this. I have done packet captures, but that really does not tell me much (that I can read, anyway). Oh, I have run AV scans also and found nothing.

Any help would be greatly appreciated.

Steve



Random Kerberos error KRB_AP_ERR_MODIFIED on boot up of Windows 7


Hello,

For a few weeks now we have been stuck on a problem with Kerberos errors randomly showing up on boot-up of our Windows 7 clients. We have concluded that these random errors show up far more often on wireless notebooks, and for some reason more often on some than on others.

I have done Wireshark captures of a notebook when it is working and when it is not working.

As you can see in the top image (you will have to zoom in on the page in your browser), when it is working it shows that it connects with no Kerberos error, and it connects to the DNS name of the server, in this case DC1.domain.ca, and downloads the policy.

When it is not working it will give the Kerberos error, then try to connect to the hostname of the server, \\dc1\ipc$, and it will fail to read the group policy.

I have done a lot of research and I know about resetting the domain controller computer account, checking the SPNs, verifying that the secure trust relationships between the servers are good, checking for duplicate DNS entries, etc.

The problem I have is why it is so random. All of the posts online talk about these problems and the solutions, but they never mention that it is completely random. I can reboot this laptop 5 times and it will work perfectly, but then it won't work 3 times in a row, then it goes back to working again.

Am I completely off track in trying to fix errors on the DCs, and should I be looking at a hardware issue or a driver problem on the client side?

One other note is that when you get a Kerberos error on boot-up, if you wait up to 30 seconds, the client will try the connection again and it will succeed with the connection just as in the working case. This is great, but most users have already tried logging in within 30 seconds and the GPOs have then already failed.

Thanks,

Dan.



Restore the system state backup


In my environment I have two domain controllers installed: one is the main DC, i.e. DC1, and the other is an additional DC (DC2). On DC2 I took a system state backup and kept this system state backup on DC1. What happened is that my ADC crashed and is totally down, so I created another fresh machine with Server 2008 R2 and am trying to install the ADC with this system state backup which I took from DC2...

My query is: is it possible to install the ADC from that system state backup?


Abp

Delegate control question

I need help delegating control in order to modify the e-mail field of a user's properties. When a user doesn't have access, the field is grayed out and they are unable to highlight it. I tried Read/Write, but that doesn't seem to do anything. I went to Advanced and didn't see anything specific that could trigger it. Anyone have any ideas?

New remote Domain controller options


Hi, I have been working with AD/DCs for a year in a small single-site environment with 2 DCs.

A remote office of ours has recently expanded and is now requesting a domain controller to be operational on site.

The users currently connect to our domain via a VPN that's permanently connected, so they can access domain shares and resources.

What are the benefits of setting up a domain controller on their site, and what would be the best configuration so I can ensure nothing is done that could affect the domain in our main site and potentially bring down the network?

I have found a few bits, but does anyone have any advice or good articles they could point me to?

Many thanks


Modify default value of LoginShell attribute


Hi,

We are configuring the "UNIX Attributes" tab here in our organization.

I've noticed that on the Login Shell option it has a default value: /bin/sh

So I had manually changed it to: /bin/bash

My question is: Is there a way to change the default value to /bin/bash?

Searched for it on ADSI edit and no joy.

PS: Found this website showing that using special software we can change it: http://documents.software.dell.com/DOC123819

I just want to change it without that software =]


AD user account and description field

Has anyone ever encountered login problems if there was verbiage entered in the AD description field that had carriage returns (line feeds)? I am hearing that somehow the description field is not just harmless text but can have an effect on login ability, whereas the comment field is benign?

Issue with cross-forest trust after it has been working for 6+ months


Hi all

Hoping to get some help on an issue that started today and so far has got me scratching my head. 

We started getting calls from our user base that they could not access mapped drives and desktop shortcuts that point to file servers residing in a different AD forest. They get presented with a login prompt, which never happened before.

We can ping domainB.local for the most part; they have some domain controllers around the world we can't connect to.

nslookup domainB.local also works fine. We get about 8-10 domain controllers, of which we can only get to 6 (UK and Germany).

Other troubleshooting info:
Using \\SERVERIP\share seems to work; users do not get asked for creds.
Opening AD Users and Computers on our main domain controller, we can't change domain to domainB.local; we get something about username and password. Doing this from the other side seems to work.

Hope someone has heard of this before and can offer some assistance.

Myself and the team I work for suspect something in DNS, but then again we can ping and resolve just fine. Users from domainB.local do not have issues accessing resources on our side.

Security questions about accounts lockouts


We are running 2008 R2. We had a problem where most of our domain admin accounts got locked by a brute force attack. We are actually seeing a 4740 event on our original domain Administrator account showing it locked, but I did not think that was possible? I looked at the Domain Admins AD group and Authenticated Users had read access on that group. A few questions:

1. What AD permissions should I have on the Domain Admins group in AD? Guessing that gets templated by AdminSDHolder.

3. I have one important high-security domain admin service account. No one really has access to it, but should I maybe create a fine-grained password policy for that account to make it have a super complex password, but not get locked out by invalid attempts as specified in the default domain policy?

Thanks,

Dave
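An added example, not part of Dave's post or any reply, of how I would triage the 4740 events he mentions. The PDC emulator logs a 4740 for every lockout in the domain, and its "Caller Computer Name" field says where the bad passwords came from, so grouping lockouts by caller separates one attacker host spraying many admin accounts from ordinary users mistyping their own password. The event bodies below are constructed to match the 4740 layout; the hostnames, SIDs and timestamps are invented. On the fine-grained policy question, note that exempting an account from lockout removes the throttle on guessing, so it only makes sense together with a long random password and monitoring of failed logons (4771/4776) against that account.

```python
import re
from collections import defaultdict

# "Account Name:" also appears in the Subject block, so anchor on the section header.
ACCOUNT_RE = re.compile(
    r"Account That Was Locked Out:.*?Account Name:[ \t]*([^\r\n]*)", re.S)
CALLER_RE = re.compile(r"Caller Computer Name:[ \t]*([^\r\n]*)")


def parse_4740(message):
    """Pull the locked account and the caller computer out of a 4740 message body.
    Caller Computer Name can be blank (lockouts arriving via some services, or
    from the PDC itself), so that case is kept and labelled rather than dropped."""
    acct = ACCOUNT_RE.search(message)
    if not acct:
        raise ValueError("not a 4740 message")
    caller = CALLER_RE.search(message)
    caller_name = caller.group(1).strip() if caller else ""
    return {"account": acct.group(1).strip(), "caller": caller_name or "<unknown>"}


def lockouts_by_caller(events):
    """caller computer -> sorted distinct accounts it locked out."""
    by_caller = defaultdict(set)
    for _stamp, message in events:
        parsed = parse_4740(message)
        by_caller[parsed["caller"]].add(parsed["account"])
    return {caller: sorted(accts) for caller, accts in by_caller.items()}


def suspicious_callers(events, min_accounts=2):
    """One source locking several distinct accounts is the brute-force /
    password-spray signature; a user mistyping locks only their own account."""
    return sorted(caller for caller, accts in lockouts_by_caller(events).items()
                  if len(accts) >= min_accounts)


def _event(stamp, sid, account, caller):
    """Constructed 4740 body in the layout the Security log uses (sample data only)."""
    body = (
        "A user account was locked out.\n\n"
        "Subject:\n\tSecurity ID:\t\tSYSTEM\n\tAccount Name:\t\tDC01$\n"
        "\tAccount Domain:\t\tCORP\n\tLogon ID:\t\t0x3E7\n\n"
        "Account That Was Locked Out:\n\tSecurity ID:\t\t%s\n\tAccount Name:\t\t%s\n\n"
        "Additional Information:\n\tCaller Computer Name:\t%s\n" % (sid, account, caller)
    )
    return (stamp, body)


DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # invented domain SID
SAMPLE_4740 = [
    _event("2014-03-10T08:01:12Z", DOMAIN_SID + "-500",  "Administrator", "WKS-042"),
    _event("2014-03-10T08:01:40Z", DOMAIN_SID + "-1105", "svc_backup",    "WKS-042"),
    _event("2014-03-10T08:02:05Z", DOMAIN_SID + "-1203", "jsmith_da",     "WKS-042"),
    _event("2014-03-10T09:15:33Z", DOMAIN_SID + "-1344", "bob",           "LAPTOP-7"),
    _event("2014-03-10T09:20:01Z", DOMAIN_SID + "-1407", "svc_sql",       ""),
]

if __name__ == "__main__":
    for caller, accounts in lockouts_by_caller(SAMPLE_4740).items():
        print(f"{caller}: {', '.join(accounts)}")
    print("investigate:", suspicious_callers(SAMPLE_4740))
```

Once the caller host is known, the 4771 (Kerberos pre-auth failure) and 4776 (NTLM) events on the DCs give the client address and the failure codes behind each lockout; the "<unknown>" bucket is where those become the only lead.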


AD 2003 Tombstone Lifetime error


Dears,

Site A (Main) : 2 DC (win 2003 R2 Sp2)

Site B : 1 DC ( win 2003 R2 Sp2)

One of my clients has a DC replication problem, and after investigating using replmon we discovered that the DC in Site B has run out of tombstone lifetime!

And when I checked the attribute "tombstoneLifetime" of the object cn=directory service,cn=windows,cn=services in the Configuration partition, I found the value <not set>, which from what I know means 60 days!

Now I need to know: if I changed the attribute "tombstoneLifetime" to 180 days, would I face any problem if I did that? Because I need to enable replication again between both sites!


mwahab

How to find the ADFS server name/IP from which a user got a token

In my environment there are 4 ADFS servers in NLB. I want to know the name or IP of the ADFS server from which a user obtained a token and got authenticated at a particular time.

Kashi

What encryption is used for passwords in Active Directory 2003, and how can we check and view it?


Hi All,

I want to know what encryption method is used to store passwords in Active Directory 2003 and how we can view this setting.

As I searched in different blogs, it is stored in two different formats, LM hash and NT hash. So I want to check which is the default encryption method in AD and how we can view this policy/setting somewhere on the AD server.

Thanks in Advance.

Mukesh


Mukesh Bisht

Replication between DC and ADC

We all know that if any change happens on the DC it will automatically replicate to the ADC, sometimes quickly and sometimes very late. I just have one query: how does the ADC know that there have been some changes on the DC?

Abp

Hyper-V host fails with “RPC Server unavailable” error when I try to promote Windows Server in virtual machine to a domain controller

Host: Windows Server 2012 R2 with Hyper-V and RRAS (for Internet over NAT)
VM: Windows Server 2012 R2 with installed Active Directory Domain Services

When I open the AD DS configuration window ("Promote this server to a domain controller"), many services and programs on my host (including Hyper-V, RRAS and Server Manager) fail with an RPC Server unavailable error.

