Hi all.
Why do we non-authoritative restore? Much easier to promote new server and replicate it.
Windows Server 2012 R2 on ESXi 5.5 10GB RAM 200GB HD
Add Role AD DS fails
Using Server Manager to install AD DS fails with error 0x800f0831. I can add the DHCP role as a test; that worked fine, and removing it was also fine.
Have tried reboots etc. All fully patched apart from the Nov 2014 rollup package. No other roles or software running. The machine is on an existing domain with no errors.
I had a bad accident this morning. To make a long story short, I accidentally deleted a GPO. It was called "Employees". As you can guess, it contained a few groups, like Finance, QC, and Engineering, for instance. The domain has one 2008 R2 and one 2008 DC, both are GC. Domain functional level is 2008, Forest level is 2003.
To make matters worse, I don't have a good backup of the System State, or the GP. Also, the replication has occurred to the only other DC in the domain. As God is my witness, I will never be put in this position again.
I know that AD objects are tombstoned, and so I should be able to recover them. I'm looking for a way to recover these items, intact.
Any/All suggestions are welcome.
We are in the process of upgrading AD from Windows 2003 R2 to Windows 2012 R2. Are there any good articles on this?
Also, how should the forest trust be taken care of during the upgrade? We have applications that use NTLM; what is the recommended option if the application does not support NTLM v2?
Are there any good utilities that I can run on AD to let me know which applications are authenticating with AD?
Hi, I've recently set up a RODC for a branch office without the DNS server role; however, now I need to add the role. How should I set up DNS so it is able to retrieve from a RWDC with AD-integrated DNS?
Thanks for any info
Hi,
The primary admin account (the account used to create this forest) on the domain controller is showing as locked out. We have admin tools installed on a different computer and we can just see that the account is locked out. The password policy is configured for 5 attempts. Is it possible that the primary Admin account can also be locked out? As per my understanding it will be locked out and will be unlocked the moment we enter the correct password.
Regards
Saurabh
Hi,
Upon troubleshooting some group policy related issues I happened to see different logon servers and different servers from which GP was applied.
When I run nltest and SET L I get a different server.
When I run gpresult /r I get a different server under "Group Policy was applied from".
The interesting part is that both servers are in the same site.
Also, if I just run ping domainname I get a different server. Checked on a few machines, and on almost each machine it is going to a different server.
Hi All
I've been trying to trudge my way through an issue our client is having but I'm getting nowhere fast. This issue was discovered when searching for why users at our second site were experiencing slow logons every morning (5-10 minutes to log in).
Within our domain there are two domain controllers for the child domain we manage.
DC1 has a connection back to the parent DCs (managed by our client's parent company), and also replicates both ways with DC2. DC2 is at another site, on another subnet, and replicates to and from DC1 only.
DC2 appears to have no issues, it can resolve any address, nslookup either using itself or DC1 is fine and name servers resolve fine.
DC1 has massive issues with DC2 - using it for nslookup gives me the following:
I get this timeout error for internal and external names, but both DC's are able to ping and access internet with no issues.
When trying to resolve name servers from DC1, DC2 sits at 'validating' for a while and then comes back with 'a timeout occurred during validation'.
Restarting DNS Server, NETLOGON and registering in DNS from DC2 had DC1 talking to it fine for a few minutes, but then it went back how it is (and I haven't been able to replicate this fix since).
Reverse DNS zones are set up for all the subnets used; there are A records and PTRs for both DCs.
Performing 'ping -a dc2.ip.address' from DC1 comes back fine - it knows what it is in both directions (name and IP) but nslookup and nameserver resolution is still failing.
I just don't know where to go from here - from everything I've read they should be happy... Any ideas?
Hello guys,
The symptom is the same as the one in the "The server does not support the requested critical extension." Exception thread.
I got the error when calling IDirectorySearch::GetNextRow. As I observe, the error is triggered when retrieving another page of records. The LDAP path to connect is "GC://<FQDN_of_GC>". The search filter is (&(|(objectClass=group)(objectClass=msExchDynamicDistributionList))(mailnickname=*)). There are about 100 thousand group objects in the forest. So the answer in that thread does not help.
Any thoughts?
Thanks.
Msts.cn@Outlook.com
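An added example, not the poster's code, of running the same filter against a global catalog from PowerShell with System.DirectoryServices, which drives the paged-results control itself once PageSize is set; "gc.example.com" is a placeholder for a GC FQDN, and the two caveats in the comments (pin the search to one server, do not add a server-side sort) are the usual things to check when paging breaks on large result sets.

```powershell
# Added example: paged GC search for mail-enabled groups and dynamic DLs.
# Assumes: a domain-joined host with read access to the GC; 'gc.example.com'
# is a placeholder for the FQDN of one specific global catalog server.
$gc = 'gc.example.com'

# Pin the connection to a single GC. The paged-results cookie is only valid on
# the server that issued it, so a load-balanced alias that hands the next page
# to a different DC is one way to get "unavailable critical extension".
$root = New-Object System.DirectoryServices.DirectoryEntry("GC://$gc")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = '(&(|(objectClass=group)(objectClass=msExchDynamicDistributionList))(mailnickname=*))'
$searcher.SearchScope = 'Subtree'
$searcher.PageSize = 1000          # turns on paging; the cookie is handled for you
$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'mailnickname', 'objectClass'))
# Leave $searcher.Sort alone: combining a server-side sort with paging on a
# very large result set is another common trigger for the same error.

function Get-MailEnabledGroupCount {
    $count = 0
    $results = $null
    try {
        $results = $searcher.FindAll()   # enumerating walks every page
        foreach ($r in $results) {
            $count++
            if ($count -le 5) { $r.Properties['distinguishedname'][0] }   # show a few
        }
    } finally {
        if ($results) { $results.Dispose() }   # releases the native result handle
    }
    return $count
}

"$(Get-MailEnabledGroupCount) matching objects enumerated from GC://$gc"
```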
Dear Microsoft,
I am Using the Server 2012 with ADC, DHCP and DNS.
Whenever I open AD Users and Computers it loads very slowly, and after opening, every action is very slow and not responding.
I checked the events and it shows the message below:
"The program mmc.exe version 6.2.9200.16496 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel."
Domain Controller: Windows 2012 R2 - Unfortunately, I don't manage the DC, but my own OU (computers and users).
I have a user working the midnight shift reporting that he received the error message "The group policy client service failed the logon, access denied". He is using multiple PCs and he did not remember which PC gave him the error message. How do I find out which computers he logged on to? I have access to my domain OU. I can manage my own Computers and Users objects in my domain (no domain controller in my department).
I searched the internet but most of them are about finding out which computer a user is currently logged on to, not the history. Thanks.
Thang Mo
Hi Community,
OS: Windows server 2008 r2 (Do let me know if i have posted in a wrong area)
My experience is lacking in AD LDS; guidance will be greatly appreciated.
Has anyone imported successfully from this format?
Import .ldif file from (DSEE) to AD LDS along with user define schema
If we are doing this on DSEE:
Command to run is simply :
dsadm import instance-path LDIF-file dc=example,dc=com
I understand that under AD LDS import is via
ldifde -i -f filelocation.ldf -s localhost:389 -k -j -c "cn=dc=example,dc=com" #schemaNamingContext
I have also created an application directory partition dc=example,dc=com in AD LDS.
Hi folks.
Wondering if this is the right place to ask this question but you folks may have had the same challenge..
I need to explain at a high level (think in terms of explaining to a 10-year-old child) what Active Directory, GPOs, OUs, etc. are to a group of non-technical managers.
Do you know of any good resources that I can refer to that might have already addressed this challenge?
I have to present a slide show and I think it needs to be very visual, with nice diagrams etc.
Any links / references to existing resources and material are greatly appreciated!
Thanks a lot
Hi ,
In my environment two of the user accounts are having frequent account lockouts.
We have found, with the help of the event logs on the domain controllers, that the account lockouts are happening from their own machines.
Please tell us how we can find which application on their machines is causing the frequent account lockouts with the help of event logs, or whether we have some other options.
All of your suggestions are much appreciated.
Thanks & Regards S.Nithyanandham
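An added example, not from the thread, of the event-log approach the post asks about: read the 4740 lockout events for the account from the PDC emulator (the event's TargetDomainName field names the machine that sent the bad credentials), then pull the matching 4625 failures from that machine to see the logon type and process behind them. It assumes the ActiveDirectory module, remote read access to the Security logs, logon-failure auditing enabled, and 'jdoe' as a placeholder account name.

```powershell
# Added example: locate the machine and process behind repeated lockouts.
# Assumes: ActiveDirectory module, remote Security-log access, failure auditing on.
param(
    [string]$User = 'jdoe',                      # placeholder sAMAccountName
    [datetime]$Since = (Get-Date).AddDays(-1)
)
Import-Module ActiveDirectory

# Pull one named field out of an event's EventData by its schema name; this is
# safer than relying on positional Properties[] indexes that differ per event ID.
function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Every lockout is processed on the PDC emulator, so its Security log is the one
# authoritative place to look for 4740 ("A user account was locked out").
$pdc = (Get-ADDomain).PDCEmulator
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User }

foreach ($evt in $lockouts) {
    $caller = Get-EventField $evt 'TargetDomainName'   # caller computer name
    "$($evt.TimeCreated)  $User locked out; caller computer = $caller"

    # If the failing logon was attempted on that machine, its 4625 events
    # ("An account failed to log on") carry the logon type (2 interactive,
    # 3 network, 4 batch/scheduled task, 5 service, 7 unlock) and the process
    # that supplied the stale credential.
    Get-WinEvent -ComputerName $caller -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                LogonType   = Get-EventField $_ 'LogonType'
                Process     = Get-EventField $_ 'ProcessName'
                SourceIP    = Get-EventField $_ 'IpAddress'
                Workstation = Get-EventField $_ 'WorkstationName'
            }
        } | Format-Table -AutoSize
}
```

A 4740 with an empty caller name usually means the bad credentials arrived through a path that does not record it (for example some RADIUS or proxy setups), in which case the 4771/4776 events on the DCs in the same window, filtered the same way by name, are the next place to look.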
Hello,
I'm trying to set a new password for a user (using Java and binding via an account with create permission) and would like AD LDS to use the password policy that states history must be observed.
Even if I set the policy hints oid (as documented at http://msdn.microsoft.com/en-us/library/cc223320.aspx) with the value '0x1' (other developers are using the value { 48,(byte) 132, 0, 0, 0, 3, 2, 1, 1 } in Java with the ASN1OctetString class) it has no effect and previous passwords are ignored and the change occurs.
If I retrieve the rootDSE supported control OIDS or call supportsControl(1.2.840.113556.1.4.2066) or even same with 1.2.840.113556.1.4.2239 the server reports it supports it.
One thing that concerns me is that AD LDS or ADAM is not listed on http://msdn.microsoft.com/en-us/library/cc223320.aspx as supporting this, even though the server lists it on the rootDSE in ldp running on the server.
The O.S. here is Windows Server 2012 standard.
Can anyone confirm if this is indeed supported and if so provide any suggestions to enforce it?
Thanks,
Lumus
Hi
We are trying to introduce 2012 DCs into our root domain.
The schema has updated fine but the domain prep fails, both on the 2012 server we are trying to promote and when running it directly from the infrastructure server itself.
Replication is good and AD itself seems happy enough. The account has the necessary rights.
Any help gratefully received.
Thanks
The error log contains:
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=d262aae8-41f7-48ed-9f35-56bbb677573d,cn=Operations,cn=DomainUpdates,cn=System,DC=xxxx,DC=xx,DC=xx.
[2014/12/08:08:32:53.055]
LDAP API ldap_search_s() finished, return code is 0x20
[2014/12/08:08:32:53.055]
Adprep verified the state of operation cn=d262aae8-41f7-48ed-9f35-56bbb677573d,cn=Operations,cn=DomainUpdates,cn=System,DC=xxxx,DC=xx,DC=xx.
[Status/Consequence]
The operation has not run or is not currently running. It will be run next.
[2014/12/08:08:32:53.055]
Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=xxxx,DC=xx,DC=xx.
[2014/12/08:08:32:53.055]
LDAP API ldap_modify_s() finished, return code is 0x13
[2014/12/08:08:32:53.070]
Adprep was unable to modify some attributes on object DC=xxxx,DC=xx,DC=xx.
[2014/12/08:08:32:53.070]
Adprep encountered an LDAP error.
Error code: 0x13. Server extended error code: 0x20b5, Server error message: 000020B5: AtrErr: DSID-03152A9F, #1:
0: 000020B5: DSID-03152A9F, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9054f (otherWellKnownObjects)
DSID Info:
DSID: 0x181112dd
ldap error = 0x13
NT BUILD: 9600
NT BUILD: 16384
[2014/12/08:08:32:53.086]
Adprep was unable to update domain information.
[Status/Consequence]
Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.
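An added check, not from the post: the log shows ldap_modify_s() on the domain NC failing with 0x13 / 0x20b5 (CONSTRAINT_ATT_TYPE) on the otherWellKnownObjects attribute, so the first thing to look at is what that attribute already holds. This script, which assumes the ActiveDirectory module and read access to the domain NC, decodes each DN-Binary value and reports whether the referenced object still exists and whether any well-known GUID appears twice.

```powershell
# Added example: inspect otherWellKnownObjects on the domain naming context,
# the attribute adprep could not modify in the log above.
# Assumes: ActiveDirectory module and read access to the domain NC.
Import-Module ActiveDirectory

function Get-OtherWellKnownObjects {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    $nc = Get-ADObject -Identity $DomainDN -Properties otherWellKnownObjects
    foreach ($value in $nc.otherWellKnownObjects) {
        # DN-Binary syntax: B:<hex-length>:<well-known-GUID-as-hex>:<DN>
        # Split into at most 4 parts so a ':' inside the DN is not lost.
        $parts = $value -split ':', 4
        $dn = $parts[3]
        $exists = try { [bool](Get-ADObject -Identity $dn -ErrorAction Stop) } catch { $false }
        [pscustomobject]@{ GuidHex = $parts[2]; DN = $dn; Exists = $exists }
    }
}

# Compare this list against the well-known container adprep is trying to
# register: a stale DN or a GUID already present is what to look for.
$entries = Get-OtherWellKnownObjects
$entries | Format-Table -AutoSize
$entries | Where-Object { -not $_.Exists } |
    ForEach-Object { "Entry points at a missing object: $($_.DN)" }
$entries | Group-Object GuidHex | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "Well-known GUID recorded more than once: $($_.Name)" }
```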
Hi,
I have 2 DCs (2008 R2) and 2 TSs; one of them doesn't get the GPO. I did everything and found that my 2 DCs don't replicate well; I can see the difference in the SYSVOL folder.
After that, let me explain myself. My question is: if I remove the DC (it's not the FSMO DC, it's the second one), can I add this DC back after removing it?
Do I need to do some checks before?
After removing it, do I need to delete it from the DNS records?
After adding the same DC to the domain, do I need to check something?
Thanks
Zahi