Channel: Directory Services forum

Parent/child domain - delegating control to users

Hi,

I have a Parent / Child - domain structure also two different Exchange organizations.

I manage the child domain, and if I want to assign a user from the parent domain to manage a universal distribution group, what would be the best way to do this? I've been trying to work around this, but I get errors saying "A referral was returned from the server" when I try to add the user as manager of the group.

Thanks in advance

Reset lastLogonTimestamp attribute currently in the future


Hi.

One of my clients has a few AD objects (users and computers) that have a lastLogonTimestamp that is in the future. For instance the Administrator account has the following value "132437449900141250", translated 2020-09-05 03:03:10.

How I believe it happened:

  • In the past a DC was way off, a few years.
  • The administrator logged on, and the DC updated the lastlogontimestamp.
  • The time was reset on the DC.

Now if I try to clear the lastLogonTimestamp I get the following reply:

***Call Modify...
ldap_modify_s(ld, 'CN=Administrator,CN=Users,DC=company,DC=local',[1] attrs);
Error: Modify: Unwilling To Perform. <53>
Server error: 0000209A: SvcErr: DSID-031A1021, problem 5003 (WILL_NOT_PERFORM), data 0

Error 0x209A Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM).
-----------

From the MSDN site about the error code:

ERROR_DS_ATTRIBUTE_OWNED_BY_SAM

8346 (0x209A)

Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM).


Oscar Virot

Delegate permission to manage Computer objects with ADUC


Hi,

I'm trying to give permission to "Helpdesk-Group" to manage Computer objects under the Workstations OU and subsequent OUs below that. I have delegated the rights with the Delegate Control wizard in ADUC (according to http://social.technet.microsoft.com/forums/en-us/winserversecurity/thread/F1D6D833-F3D1-4EF9-A717-1F685E99B1A2).

This works OK for a single OU, e.g. Workstations. I can move a Computer to and from the OU.

But if I create another OU under the Workstations OU, I lose the right. However I can move Computer object to and from the sub OU Laptops. It seems that, for some reason, AD changes the permissions to the parent OU (Workstations) when adding a sub OU: Everyone: Delete All Child Objects: Deny.

Am I missing something here? How can I delegate permissions to the Workstations OU and the whole OU subtree?

OU Structure:

|-Workstation
    |-Laptops
        |-Country

Regards

lakend

RODCs Trouble with Replication

Client is having some trouble with RODCs not replicating. The domain has 2003 and 2008 R2 DCs in addition to RODCs. The event logs on the RODC are 1925 errors and 1645 errors. I also see a 1396 Logon Failure: The target account name is incorrect. I have looked at the SPNs throughout the domain and they all appear to be registered correctly across the DCs. I have run DNS tests and DNSLint and they all come back clean. I have also used the new Port Query tool to check communication between these servers and that comes back clean too. Any ideas?

MCITP Exchange 2010 | MCTS Exchange 2007 | MCITP Lync Server 2010 | MCTS Windows 2008 | MCSE 2003

Is a trust required here?


Domain A is first.mylocation.com - 2003 domain with 2003 Functional level

Domain B is second.mylocation.com - 2008 domain with 2008 Functional level

Domain A has an Exchange 2003 server in it that both domains use. Currently we have DNS set up in both domains. If we use the Domain A DNS, all is well.  If we use the Domain B DNS, Outlook loses connection with Exchange shortly thereafter.  I am trying to determine if I just have a simple DNS set incorrect (the host mail.mylocation.com is added and Exchange is using SSL certificate with same name internal and external).  I know I am probably short on info here, but can supply responses to any questions.

DNS Conditional Forwarding between 2 Domains and Subnets


Have Domain A on subnet 10.x.x.x and Domain B on subnet 192.x.x.x. These are separated by a firewall. 1 DC in each (for the sake of my issue). All traffic is open between these 2 DCs. I want to set up Conditional Forwarding for each domain. My problem is I get a 'timeout validating' error from the DC in Domain B when trying to set this up. Any help would be greatly appreciated, troubleshooting tips, etc.

Thanks.

Understanding XP and Win7 client DNS updates


Hi,

I'm trying to understand how some of the DNS registration updates work between Domain member client PC and the AD infrastructure when not on the local LAN, but on a routed LAN.

I've a simple 3 DC (no RODCs) setup. On my LAN the DHCP server updates DNS entries for clients. The DNS servers are set up only for Secure Updates. I'm not aware of any GPO settings overriding default setups.

However we now have an off-shoot LAN that has its own Linux DHCP server. Clients on that LAN are pointed to our normal DNS servers directly. There are no firewalls involved, only IP routing.

What we see, is that if an existing record exists when a client PC moves from my LAN to the off-shoot LAN, then its DNS entry is not updated. However, if the client doesn't exist in DNS (because I delete it manually), then they can register in ok from that new LAN.

I don't see this in my local DHCP/DNS update mechanism. Only with the new LAN.

I know that DNS registrations are done by the DNS Client on the PC, but I'm not sure what else is taken into account when security checks are made.

Also, I'm seeing 'stale' entries in the DNS listing. Scavenging is set for 7 days, but yet I see timestamps for 30 Nov, 29 Nov, 28 Nov etc.

Any advice on how to proceed appreciated.  I've searched for basic DNS and read various articles, so I think my understanding is good, but can't see why the clients aren't updating:

http://technet.microsoft.com/en-us/library/cc784052(v=ws.10).aspx
http://social.technet.microsoft.com/Forums/lv/winserverNIS/thread/8f5310f6-3c8e-47c2-a95f-07c4f0ea19d0

External Trust RDP server issue


Hi 

I have an External Trust between another domain (corp.contoso.com) and my domain (my.domain.com).

corp.contoso.com's users can access the resources of my domain.

But when corp.contoso.com users try to RDP to my.domain.com servers, they get access denied.

How can they access RDP on "my.domain.com" servers from corp.contoso.com, even though I have opened the ports from my DC to the corp.contoso.com DCs?


2 Physical Sites - 1 Logical Site


I have a client with 2 physical offices, Office A and Office B. Office A has the main data center with 2 domain controllers; Office B is a branch office with only a site-to-site T1 back to the main office, no servers.

My question is, in Sites and Services currently all subnets for both offices are listed under the same AD site. Without there being a domain controller in Office B, should Office B have its own site in AD? I am thinking no, just wanted to have a second opinion on the matter.

Thank you.

AD Replication commands


Hi,

I am facing AD replication issues in my organization and want to know a few important commands to troubleshoot the issue.

Can anyone help with this?

Simple and useful.


Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Thanks Chandru CT-HCL

Thanks, Chandru CT. MCITP

Problems with Group Managed Service Accounts in Server 2012

Access is Denied when renaming a computer


I am attempting to rename several Windows XP workstations that are joined to a Windows 2008 R2 domain. I log in as a local administrator, go to System Properties, change the name and click OK. Windows asks for a username/password for an account that has permission to rename accounts on the domain. I enter a username/password that has Full Control of the computers OU and all descendant objects. Then I get this error message:

Computer Name Changes

The following error occurred attempting to rename the computer to "NEWCOMPUTERNAME":

Access is denied.

 

If I use the name/password of a domain admin, it works. Why doesn't it work for my OU administrator who has Full Control of the computer object and the OU?

Disallowing a user from being a memberOf groups in certain organizational units


Hi Xpertz,

Is it possible to disallow a user from being a memberOf groups in certain organizational units? This is to avoid a user being accidentally added to another customer's AD groups, as we are a hosting company and have divided the companies we host into their own organizational units.

I hope it's all clear.

Thank you very much.

/The Red Baron


How is my RODC replicating without connections?


Hello and thank you for all your help.

I have a hub site with 5 RWDCs and several remote sites with RODCs. The domain functional level is 2008 and all but one RWDC are 2008 R2. All RODCs are 2008 R2.

All of my RODCs had manual connections to each RWDC at the hub site. I thought this topology was a bit overkill, so I did some experimenting with one of my RODCs and deleted all the connections. I was going to create one connection and let the KCC handle the rest, but I noticed something strange...

With no connections (deleted all manual connections using ADSI Edit on the RODC and deleted all in Sites and Services on the RWDCs) the RODC is still replicating with one of my RWDCs at the hub site. All DNS zones, configuration, and schema are replicating. This was verified with repadmin /showreps and repadmin /replsummary. I tried rebooting and running repadmin /kcc to see if things changed, but the box has been replicating for several days.

I know I can recreate the connections and move on, but I feel like I don't have a true understanding of what is really happening, or something is just wrong.

How is this possible, or what am I missing?


Error 1864 in Active directory 2008 R2.


Hi experts,

For a few months now, on and off, I've been working on my lab to learn new stuff about Active Directory (and just for the record, the forums are the BEST way to know and to learn how to troubleshoot things).

My problem, as I mention in the title, is replication. It began a few months ago when my first DC started to cause weird issues; I decided to install a new one, and since then the replication issue began.

I found a great blog: http://www.joeware.net/freetools/tools/adfind/index.htm which finally helped me see the light, and maybe with your help I'll be able to solve this issue.

Just for the record, this is a test lab, 2 DCs with 2008 R2, and a few more servers... (the DCs are: viper-dc-02 and viper-dc-03).

After typing the command: adfind -h viper-dc-02 -config -s base msDS-NCReplCursors;binary -metasort lastsync -mvnotfiltersors=deleteddsa I'm getting this result:


dn:CN=Configuration,DC=viper,DC=local
>msDS-NCReplCursors;binary:     354130 2012/07/28-10:13:35      Default-First-Site-Name\VIPER-DC-01\0ADEL
4047-90A0-F2BC1BAEE3F9
>msDS-NCReplCursors;binary:     165589 2012/12/11-22:45:09      Default-First-Site-Name\VIPER-DC-03
>msDS-NCReplCursors;binary:     419294 2012/12/11-23:10:32      Default-First-Site-Name\VIPER-DC-02

1 Objects returned

And dear experts, now I need your help to remove this viper-dc-01. How do I do this?

- It's not hiding in the Sites and Services console.

- It's not hiding in the Lost and Found container.

- It's not hiding in the DNS console.

- It's not hiding in ntdsutil.

There's got to be a way to remove this orphan object.

P.S.

The result I gave you is shown exactly the same on viper-dc-03.

Please advise, I really want to solve this issue.

Best regards, and keep up the amazing work you are doing in this forum. I'm learning a lot.

Nahum,

Israel


Active Directory DNS Outside Advantages...


Hello,

I have a W2K8 DC set up with DNS on itself for testing purposes. In addition there are several workstations configured on that domain controller, but they still log on to their local accounts. The workstations are still looking at the DC as their primary DNS server. Does that DNS server improve peer-to-peer networking even though a person on a workstation is not logged into the domain?

ISA Server Authentication


I am looking for ways for users who are members of the domain to use ISA Server Proxy without giving the credentials again once they are logged in to their domain account. 

Currently, when the users open browser, a pop-up appears while accessing any website, asking for authentication for proxy servers. 

How can this be configured?

About Domain Controller and Domain Controller Authentication Certificate


I'm taking over a new domain, where all my domain controllers are above Windows 2003.

When I look at the auto-enrollment that my DCs get, I see that the template used for the certificate is Domain Controller. Is this normal? Should the certificate not be built based on the "Domain Controller Authentication" template instead?

If I'm correct, how do I fix it? Should I just delete the "Domain Controller" template?

When I look at the template properties, I see the "Domain Controller" template being published in AD, and all the options are greyed out and therefore cannot be modified.

The "Domain Controller Authentication" template is not Published in AD, and all options are accessible.

Thanks for your input

Life is short, Enjoy it now. Cyreli

replication does not work on one DC


Hi all,

Windows 2008 R2 SP1

We found out that replication fails on this DC; we have multiple DCs at multiple sites.

I checked the Directory Service log and found event ID 474:

Log Name:      Directory Service
Source:        NTDS ISAM
Date:          12/10/2012 9:08:28 AM
Event ID:      474
Task Category: Database Page Cache
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DC6
Description:
NTDS (496) NTDSA: The database page read from the file "C:\Windows\NTDS\ntds.dit" at offset 132931584 (0x0000000007ec6000) (database page 16226 (0x3F62)) for 8192 (0x00002000) bytes failed verification due to a page checksum mismatch.  The expected checksum was [92da6d25e0b99bbf] and the actual checksum was [90586fa7c17f4529].  The read operation will fail with error -1018 (0xfffffc06).  If this condition persists then please restore the database from a previous backup.  This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.

Then followed event ID 1084 and event ID 2108.

How should I troubleshoot this?

Thank you.

Migrate user but not mailbox.


Here's the situation.

I need to migrate user accounts to a new domain, but not the mailboxes.

How can the mailboxes be linked to the user accounts across the domains?

Thanks.
