Channel: Directory Services forum

FSMO Role transfer - VHD RDC


We have a Hyper-V host with the role of root DC in our setup. We also have a DR ADC.

Due to a storage issue I had to transfer all our FSMO roles to our DR ADC, and I tried to compact the root DC VHD. After compacting the VHD it is not booting; I think it is corrupted. We have a Hyper-V backup created before the role transfer.

I can restore the backup and get the RDC. If I restore the VM and power it on, will it cause an FSMO role issue?

Kindly help me to come out of this issue.

Best Regards


Jags


Include Inheritable Permissions keeps automatically checking itself


Hello,

Include Inheritable Permissions keeps automatically checking itself, so I am unable to reset the password with the delegated user.

Please help.

Unable to download Active Directory Migration Tool (ADMT) V3.2 and PES (for Server 2012)


Need help.


I was trying to download Active Directory Migration Tool (ADMT) V3.2 and PES from the following link;
http://connect.microsoft.com/site1164/content/content.aspx?ContentID=22983


I keep getting the error message below:

------------------------------------------------------

Page Not Found

The content that you requested cannot be found or you do not have permission to view it.

If you believe you have reached this page in error, click the Help link at the top of the page to report the issue and include this ID in your e-mail: 1587c406-a27e-436b-9a19-f165971afef4

------------------------------------------------------


Password Export Server (PES)- x64
https://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=53422


Active Directory Migration Tool (ADMT) QFE - x86
https://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=53423


Hope someone can advise me on where to download the 2 tools above.

Many thanks in advance.

ADMT Support for Server 2012/2012 R2 Now Available


The Directory Service Team has released the newest version of ADMT, which now supports Server 2012/2012 R2.

Guide
http://www.microsoft.com/en-us/download/details.aspx?id=19188

Download
http://connect.microsoft.com/site1164/content/content.aspx?ContentID=22983


Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security, BS CSci
2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup.
This posting is provided AS IS with no warranties, and confers no rights.



ADMT 3.2 download not working


Every time I attempt to download ADMT 3.2 from the connect.microsoft.com site I get the following message:

"Page Not Found

The content that you requested cannot be found or you do not have permission to view it.

If you believe you have reached this page in error, click the Help link at the top of the page to report the issue and include this ID in your e-mail: b7ca4403-66f3-40f6-bfde-54f26b08d6a8"

I've joined the program and unjoined multiple times. No luck.

Any ideas?

A New Year, a New Challenge! Become the FIRST Windows Server Guru of 2015!


Happy New Year!

"Guru 2014" is so 'last year'!

The real glory is to be the first Guru of 2015! :D

The birth of a new year, and a new hero?

Or the stamp of authority from long established Guru leaders?

The challenge is on, all eyes are watching, anyone could win this month.

The prize? Glory! Honor! Virtual medals! Unashamed love and worship from those within the community and those blogging about it (article spotlights, weekly awards). Published interviews and the chance to climb the TechNet social ladder. Become a true TNWiki Ninja and advance through to black belt... and beyond!

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker


#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to TechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!

Have you got what it takes to become this month's TechNet Technical Guru? Join a long list of well known community big hitters, show your knowledge and prowess in your favoured technologies!

Add AD DS Role to Server 2012R2 fails 0x800f0831


Windows Server 2012 R2 on ESXi 5.5 10GB RAM 200GB HD

Add Role AD DS fails

Using Server Manager to install AD DS fails with error 0x800f0831. I can add the DHCP role as a test; that worked fine, and removing it also worked fine.

I have tried reboots etc. All fully patched apart from the Nov 2014 rollup package. No other roles or software running. The machine is on an existing domain with no errors.


I have also installed Net Framework 3.5, as I suspected the error may be indicating that was needed. It installed fine but no change in adding the AD DS role still fails exactly the same (about 75% of the blue bar)

How to hide and then unhide AD objects?


Dear all,

I want to know how to hide and then unhide AD objects?

Thanks

Regards


Edit Contact Attributes from Powershell


Hi,

I want to edit the "primarysmtpaddresses" and target address attributes in a contact. Since I want to do it in bulk mode, I need a PowerShell command to do it. Please help.

Thank You.

domain joined clients can log on via domain user credentials even when DNS server address removed from NIC


Hi friends,

I have encountered a strange case.

In my test lab, I have deployed a Windows 2008 R2 domain controller and I joined a Windows 2008 R2 machine to my test domain.

After the first restart, I logged in as local administrator, removed the IP address of the DNS server (which is the same as the DC) and then logged off. Now I can log on with any domain user credentials, and that's unusual, isn't it? (Note that no domain client has logged on yet, so they are not logged on from cache. It's their first logon.)

Since the DNS server is not set on the NIC, where does it detect the domain controller from?

Where is this information saved on a domain-joined computer? Where can I remove this info from, so that when the DNS server is not set on the NIC, they are unable to log on to the domain?

Thanks in advance


Deleted AD sites return from the dead


Hey all, got a minor mystery here. I'm in the process of scripting a complete AD sites and services refresh. We're going from an Area-of-responsibility approach to a one-to-one site config. Since I've identified all of the sites, subnets, and links that will make up the new structure, I'm basically deleting everything and recreating.

In a nutshell (all via Powershell):

1. Create a temp AD site to hold all domain controllers.

2. Move all domain controllers to the temp site.

3. Delete all AD sites, then all site links, then all subnets.

4. Create all new AD sites, then all site links, then all subnets (assigned to the new sites).

5. Move each domain controller to its new site and delete the temp site.

Easy enough, right?  I've run this series of steps several times in a lab, and it works great.

Now, here's the snag. Every time I do this, about 30 mins later, the previously-deleted sites start showing back up in AD Sites and Services. Which sites return are different each time. My problem is I don't know why this is happening, and although my lab uses differently-named sites each time I run the script, I'm nervous about production, where some of the site names will be reused. I've enabled directory service auditing, and I can see where all my changes are being made, but there's no event logged when the old site suddenly reappears. Additionally, the creation timestamps of the zombie site objects are from before my script ran.

I'm thinking the sites are either being replicated back from a neighboring DC (which is odd since I'm doing this on the DC that holds all the FSMO roles in my lab), or they're being returned from the AD recycle bin by a process.

I'm at a dead end here.  Anyone have any suggestions?

Need KB969166


I'm trying to add a 2012 R2 DC to a very old domain (currently 2003 SP2). There's no ADWS on the old DC. When I try to install, it says I need an update to System.DirectoryServices.AccountManagement. All signs indicate that means I need the hotfix described by KB969166. When I try to download that from Microsoft, I can't seem to. Where can I get my hands on the update to the DLL so I can install ADWS and get my new DC up? Thanks

-- Logs from trying to install ADWS, indicating I need System.DirectoryServices.AccountManagement.dll updated:

0.063: ================================================================================
0.063: 2014/12/21 21:41:02.451 (local)
0.063: c:\a11cd3f5b3c77c315020\update\update.exe (version 6.3.19.0)
0.063: Hotfix started with following command line:
0.063: In Function GetReleaseSet, line 1193, RegQueryValueEx failed with error 0x2
0.110: SYSTEM\CurrentControlSet\Control\ProductOptions\ProductType is Equal To Specified Value
0.110: First Condition in Prereq.CheckIfAnyInstanceRunning.Section Succeeded
0.110: Condition succeeded for section Prereq.CheckIfAnyInstanceRunning.Section in Line 1 of PreRequisite
0.125:  SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5 is Present
0.125: SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5\SP is Greater or Equal To Specified Value
0.125: Condition succeeded for section Prereq.CheckCLR.Section in Line 2 of PreRequisite
0.125:  C:\WINDOWS\system32\netlogon.dll is Present
0.125: FileVersion of C:\WINDOWS\system32\netlogon.dll is Greater or Equal To 5.2.3790.4482
0.125: Condition succeeded for section Prereq.CheckDCLocatorQFEInstalled.Section in Line 3 of PreRequisite
0.125:  C:\WINDOWS\Assembly\GAC_MSIL\System.DirectoryServices.AccountManagement\3.5.0.0__b77a5c561934e089\System.DirectoryServices.AccountManagement.dll is Present
0.125: FileVersion of C:\WINDOWS\Assembly\GAC_MSIL\System.DirectoryServices.AccountManagement\3.5.0.0__b77a5c561934e089\System.DirectoryServices.AccountManagement.dll is Less Than 3.5.30729.4126
0.125: Second Condition in Prereq.CheckSDSAMQFEInstalled.Section Failed
0.125: Condition Check for Line 4 of PreRequisite returned FALSE
0.125: ReadStringFromInf: UpdSpGetLineText failed: 0xe0000102
0.125: KB968934 Setup encountered an error:  Setup cannot continue because one or more prerequisites required to install KB968934 failed. For More details check the Log File c:\windows\KB968934.log
0.141: ReadStringFromInf: UpdSpGetLineText failed: 0xe0000102
0.141: Setup cannot continue because one or more prerequisites required to install KB968934 failed. For More details check the Log File c:\windows\KB968934.log

Unable to demote a domain controller


Hi Everyone,

My primary DC is Windows Server 2012 R2 and the ADC is Windows Server 2008 x64.
I am trying to demote the Windows Server 2008 x64 machine and I am facing issues.

When I demote the 2008 server I get this error: A Domain Controller could not be contacted for the domain (mydomain.com) that contains an account for this computer. Make the computer a member of a workgroup then rejoin the domain before retrying the promotion. The specified domain either does not exist or could not be contacted

When I browse my \\windows2012dc I cannot see the sysvol and netlogon shared folders.
On window2012dc, C:\windows\sysvol\mydomain and the mydomain folder are empty. (No issues with replication in Sites and Services and no issues with connectivity or gateway.)
Please guide me, because I don't want a forceful demote.


AD CS Certificate WebEnrollment in Failover Cluster Environment - W2K8 R2


Hello,

I have my PKI in a failover cluster and everything works well except for Web Enrollment.

When I open my web browser and type https://cahostname/certsrv, the webpage opens, but when I want to request any certificate I receive an error: no certificate templates are available or you don't have rights to request - something like that.

I've read somewhere that certdat.inc under c$\Windows\System32\CertSrv must be modified.

I've tried many possibilities; even if certutil -ping is working, I'm still receiving that error. Of course the IIS server is restarted every time after I change the file.

Any ideas or advice are appreciated.

CD Writing issue


Dear Team,

We are facing a CD writing issue with domain user logins. We are using Windows XP in our organization, and domain users are able to write CDs using the CD drive but not using their application. The error in the application is "driver not found". How can we find which DLL requires permission to detect the drivers in the application? Please help me sort out this issue.


Integrating MS Active Directory with Pentaho


I have MS Active Directory set up on Windows 2008 R2. I created two groups 'Admins' and 'Devs' under the default group Users. I added two users in the 'Admins' group with Administrator rights and one user in the 'Devs' group. I am trying to log in with the administrator user 'kishank' but I am getting the following error:

[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]

I googled upon this error which says invalid user or password. Here's the link: It gives description about error code 49 DSID 0C0903A9. It says that the error only occurs on MS AD servers.

I also read somewhere that I should uncheck "Password never expires" checkbox for users but no luck.

My configuration files are as below:

applicationContext-security-ldap.properties

contextSource.providerUrl=ldap://host:port/cn=Users,dc=domain,dc=com
contextSource.userDn=domain\kishank
contextSource.password=pass

userSearch.searchBase=CN=Users,DC=domain,DC=com
userSearch.searchFilter=(sAMAccountName={0})

populator.convertToUpperCase=false
populator.groupRoleAttribute=cn
populator.groupSearchBase=cn=Devs,cn=Users,dc=domain,dc=com
populator.groupSearchFilter=(memberof:1.2.840.113556.1.4.1941:=({0}))
populator.rolePrefix=
populator.searchSubtree=true

allAuthoritiesSearch.roleAttribute=cn
allAuthoritiesSearch.searchBase=cn=Devs,cn=Users,dc=domain,dc=com
allAuthoritiesSearch.searchFilter=(objectClass=group)

allUsernamesSearch.usernameAttribute=sAMAccountName
allUsernamesSearch.searchBase=cn=Devs,cn=Users,dc=domain,dc=com
allUsernamesSearch.searchFilter=objectClass=person

adminRole=cn=Admins,cn=Users,dc=domain,dc=com
adminUser=sAMAccountName=kishank,cn=Users

repository.spring

singleTenantAdminDefaultUserName=kishank 
singleTenantAdminUserName=kishank 
singleTenantAdminDefaultAuthorityName=Administrator 
singleTenantAdminAuthorityName=Administrator 
repositoryAdminUsername=pentahoRepoAdmin 
singleTenantAuthenticatedAuthorityName=Devs 
singleTenantAnonymousAuthorityName=Anonymous 
superAdminAuthorityName=SysAdmin 
superAdminUserName=super 
systemTenantAdminUserName=system 
systemTenantAdminPassword=cGFzc3dvcmQ=

Can anyone please help me with this?

Create new AD-user and set Homefolder in Powershell


Hello,

I am trying to create a script for 1 specific user. This user is a standard domain user and added to the Account Operators group, and Account Operators have full control on the root folder of the home folders. This user is supposed to create user accounts for new students. All goes well until the creation of the home folder and its permissions. When this user creates the folder it also automatically becomes owner of that folder instead of local\admin or domain\admin. And I get the message "the security identifier is not allowed to be owner of this object". Is this fixable? So the creator of the folder isn't actually in the security tab of the created folder? Only local or domain admins and what is inherited and the actual user whom the folder is for.

Thanks


Event 4740 Not Logged for a Single Account Lockout


Domain Functional Level: 2003

PDC Emulator: 2008 R2

Lockout Origin DC (also the RADIUS server): 2003 R2

For quite a while now I have been relying on Event 4740 on the PDC Emulator to track account lockouts.  Usually when the RADIUS server causes an account lockout, the Caller Computer Name is blank in the Event 4740.  This usually tells me that our Cisco WLAN Controller caused the lockout.

Our Default Domain Policy is set to audit Account Logon Events for failure, Account Management for success/failure, and Logon Events for success/failure (plus numerous other things).

This time there is no Event 4740 for this account lockout and I can't figure out why. The events are there for other lockouts several minutes before or after this one. Windows just hates me so it decided to skip this one. The main reason this is a problem is because I just set up a Scheduled Task on the PDC Emulator, triggered by Event 4740, to run a PowerShell script that will provide the help desk with a report for each account lockout, even parsing the IIS logs on the Client Access Server to identify which ActiveSync device caused it. Of course the week after I announce that, Windows decides not to log one.

Using LockoutStatus.exe I determined that the Origin DC for the lockout was the RADIUS server.

NetLogon debug logging is enabled on the RADIUS server, however I took a nap today after being let out of work early for the holiday so by the time I checked the netlogon.bak file it had already been overwritten with newer data.

There was, however, an Event 644 logged on the RADIUS server (pasted below with domain/computer/user details edited for privacy). I don't even know where to start as far as trying to prevent this from happening again. Anyone have any suggestions? Within the next couple months I will spin up a 2012 RADIUS server and a separate 2008 R2 DC to replace the 2003 multipurpose server, but it's not high on my boss's priority list so it's a tough sell considering the WLAN is functional right now.

      

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 644
Date: 12/31/2014
Time: 10:00:35 AM
User: NT AUTHORITY\SYSTEM
Computer: DomainControllerAndRadiusServer
Description:
User Account Locked Out:
Target Account Name: LockedOutUser
Target Account ID: DOMAIN\LockedOutUser
Caller Machine Name: CISCO
Caller User Name: DomainControllerAndRadiusServer$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)



How to find inactive and disabled users in AD


Hello Experts,

I want to export the inactive and disabled users and thus clean up the AD database.

I have tried dsquery with different syntaxes but I am not getting the expected result. I want to export the output to an Excel sheet so it will ease my task.

Thanks in Advance.

 


Rahul

User account is removed from an Active Directory security group (Server 2008 R2) after a day


Hello!

I have added a user to an AD security group many times, but the user is removed automatically after a day. What I don't understand is that other users have been added to the same group but they are still in the group (there is no problem with their accounts).

To add this user that is always removed after a day (or a period), I use the Member Of tab in the account properties.

Right click on the user account -> Properties -> Member Of -> Add -> groupName -> OK

Thank you for your help !!
