Matching email,UPN and samaccountname

Hi,

Currently we are doing an AD clean-up activity to support a Virtual Directory solution in our environment. Does matching the UPN with the email address, and the samaccountname with the local part of the email address, have any implications?

Initial analysis shows that the UPN, samaccountname, SIP address and email address are not in sync with each other. We plan to make the email address the standard for the UPN. For the samaccountname we would like it to be the same as the local part of the email address. For some users the SIP address does not match their email address (this cannot be changed). Now, before we make these changes, we would like to know what the implications of making these changes in the environment could be.

First consider changing UPN to email. Will it affect:

1. User profiles
2. User Home drive
3. Citrix profiles
4. Roaming profiles
5. Exchange,Lync
6. Any Applications - I am not aware where UPN is being used in the environment by any apps at this moment.

The same question applies to the samaccountname change.

Thanks

Viv
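Added example, not from the post: a small Python audit over a constructed user export that shows what the proposed "UPN = mail, sAMAccountName = local part of mail" change would touch, which proposed names AD would reject (the 20-character limit and the illegal-character set for pre-Windows 2000 logon names), and which local parts would collide once the mail domain is stripped. The records and field names are constructed shorthand, not LDAP attribute names.

```python
from collections import Counter

# Characters Windows rejects in a pre-Windows 2000 logon name (sAMAccountName),
# and the length limit it enforces for user accounts.
SAM_ILLEGAL = set('"/\\[]:;|=,+*?<>')
SAM_MAX_LEN = 20

# Constructed sample export (not real accounts), shaped like the attributes the
# post wants to align: sAMAccountName, UPN, mail and SIP address.
USERS = [
    {"sam": "jsmith",      "upn": "jsmith@corp.example",      "mail": "john.smith@example.com",              "sip": "john.smith@example.com"},
    {"sam": "adoe",        "upn": "alice.doe@example.com",    "mail": "alice.doe@example.com",               "sip": "adoe@legacy.example"},
    {"sam": "bwilliamson", "upn": "bwilliamson@corp.example", "mail": "bartholomew.williamson@example.com",  "sip": ""},
    {"sam": "jsmith2",     "upn": "jsmith2@corp.example",     "mail": "john.smith@sub.example.com",          "sip": ""},
]

def local_part(mail):
    """Local part of an address, lower-cased (the proposed new sAMAccountName)."""
    return mail.split("@", 1)[0].lower()

def sam_problems(candidate):
    """Reasons AD would reject a proposed sAMAccountName."""
    problems = []
    if len(candidate) > SAM_MAX_LEN:
        problems.append(f"longer than {SAM_MAX_LEN} chars")
    bad = sorted(set(candidate) & SAM_ILLEGAL)
    if bad:
        problems.append("illegal chars " + "".join(bad))
    return problems

def audit(users):
    """Report which accounts the rename touches and where the proposed values fail."""
    report = {"upn_change": [], "sam_change": [], "sam_invalid": {},
              "sam_collisions": [], "sip_mismatch": []}
    proposed = Counter(local_part(u["mail"]) for u in users)
    for u in users:
        want_sam = local_part(u["mail"])
        if u["upn"].lower() != u["mail"].lower():
            report["upn_change"].append(u["sam"])
        if u["sam"].lower() != want_sam:
            report["sam_change"].append(u["sam"])
        probs = sam_problems(want_sam)
        if probs:
            report["sam_invalid"][u["sam"]] = probs
        if u["sip"] and u["sip"].lower() != u["mail"].lower():
            report["sip_mismatch"].append(u["sam"])
    # The same local part under two mail domains collapses to one sAMAccountName,
    # which must be unique within the domain.
    report["sam_collisions"] = sorted(lp for lp, n in proposed.items() if n > 1)
    return report

if __name__ == "__main__":
    for key, value in audit(USERS).items():
        print(f"{key}: {value}")
```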



Active Directory OU is not reflected on Client PC

Hi Everyone,

I am facing an issue adding a new user account for remote access. Afterwards I found that the OU on my client PC is different from the one in AD. Can you all tell me how to troubleshoot this issue?

AD: Windows Server 2008

Client : Windows 7

Reference Image:

1. AD OU:

2. Client OU:

Thank You.

Regards,

Sam

Add AD DS Role to Server 2012R2 fails 0x800f0831

Windows Server 2012 R2 on ESXi 5.5 10GB RAM 200GB HD

Add Role AD DS fails

Using Server Manager to install AD DS fails with error 0x800f0831. As a test I can add the DHCP role; that worked fine, and removing it was also fine.

Have tried reboots etc. All fully patched apart from the Nov 2014 rollup package. No other roles or software running. The machine is on an existing domain with no errors.

I have also installed .NET Framework 3.5, as I suspected the error may be indicating that it was needed. It installed fine, but no change: adding the AD DS role still fails exactly the same way (at about 75% of the blue bar).

Restoring Virtualized Domain Controllers

http://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=ws.10)#backup_and_restore_considerations_for_virtualized_domain_controllers

The article above has an illustration to determine the best way to restore a virtualized DC. I have several questions about this chart.

1. The step titled "Deploy the VHD against a new VM, and restart in normal mode" - Is it really necessary to create a new virtual machine? Why can't the existing virtual machine be used, just replacing the VHDX file?

2. The steps titled "Restore the Virtual machine instance that predates the failure" - Is it really necessary to start in DSRM mode and set this registry value if the backup is an application-consistent, image-based backup where what you are doing is restoring the VHDX file?

3. What will happen if you restart a Domain Controller that is in good condition, go into DSRM mode and set the "database restored from backup" value to 1?

Restoring a Virtualized Read Only Domain Controller

ADFS 2.0 / O365 Claim Rules

Hi all,

I went through the link http://blogs.technet.com/b/askds/archive/2012/06/26/an-adfs-claims-rules-adventure.aspx to test claim based access rules.

As far as I understand, using the rule below we can create a rule to deny "passive" claims (for instance OWA) that hit a specific ADFS Proxy server and come from members of a specific group.

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy", Value =~ "\badfsp[0-9][0-9]\b"]) 
&& exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-299502267-1364589140-1177238915-114465"]) 
&& exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"]) 
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

What I want to achieve is to create a rule to deny OWA access coming from external clients. I know this is not a scenario supported in this link (http://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx), but according to the logic, if I add all my users to one group and create the above rule, it should work.

I need your insights. Thanks!
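Added example, not from the post or the linked article: a Python model of how ADFS evaluates the three exists() conditions in the rule above (=~ is a regular-expression match, == an exact compare, and the deny claim is issued only when all three hold), run over constructed claim sets for an external request, an internal request and an external request from a user outside the group. The claim sets and proxy names are constructed; the claim types and the SID are the ones in the rule.

```python
import re

# Claim types used by the rule in the post.
PROXY    = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"
GROUPSID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
ENDPOINT = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path"
DENY     = "http://schemas.microsoft.com/authorization/claims/deny"

# The rule's three conditions with the operator each one uses.
# Note the SID pattern is an unanchored regex: it also matches a SID that
# merely begins with this value (e.g. RID 1144650), so exact compare (==)
# or a trailing \b is safer for SIDs.
CONDITIONS = [
    (PROXY,    "regex", r"\badfsp[0-9][0-9]\b"),
    (GROUPSID, "regex", r"S-1-5-21-299502267-1364589140-1177238915-114465"),
    (ENDPOINT, "exact", "/adfs/ls/"),
]

def exists(claims, ctype, op, pattern):
    """Mirror of exists([Type == ctype, Value OP pattern]): any matching claim."""
    for t, v in claims:
        if t != ctype:
            continue
        if op == "exact" and v == pattern:
            return True
        if op == "regex" and re.search(pattern, v):
            return True
    return False

def evaluate(claims):
    """Claims issued by the rule: the deny claim only when all conditions hold."""
    if all(exists(claims, *cond) for cond in CONDITIONS):
        return [(DENY, "true")]
    return []

# Constructed requests (not real tokens): lists of (type, value) claims.
EXTERNAL_OWA = [
    (PROXY, "adfsp01"), (ENDPOINT, "/adfs/ls/"),
    (GROUPSID, "S-1-5-21-299502267-1364589140-1177238915-513"),
    (GROUPSID, "S-1-5-21-299502267-1364589140-1177238915-114465"),
]
INTERNAL_OWA = [  # no x-ms-proxy claim: the request did not come via a proxy
    (ENDPOINT, "/adfs/ls/"),
    (GROUPSID, "S-1-5-21-299502267-1364589140-1177238915-114465"),
]
EXTERNAL_OTHER_GROUP = [
    (PROXY, "adfsp02"), (ENDPOINT, "/adfs/ls/"),
    (GROUPSID, "S-1-5-21-299502267-1364589140-1177238915-513"),
]

if __name__ == "__main__":
    for name, req in [("external OWA, in group", EXTERNAL_OWA),
                      ("internal OWA", INTERNAL_OWA),
                      ("external, other group", EXTERNAL_OTHER_GROUP)]:
        print(name, "->", evaluate(req) or "allowed")
```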

Users unable to change password

We currently have a very simple AD GPO setup for our domain as follows:

Enforce password history: Not Defined
Max password age: Not Defined
Min password age: Not Defined
Min password length: 5
Password must meet complexity req: Disabled
Store password using rev encryption: Disabled

When we set up users for the first time, we use a script that uses a random password generator. However, when a user goes to a Windows computer or Exchange OWA, they are unable to change their password and receive a message that the new password does not meet complexity requirements. We do not have any other GPOs linked to the users that would differ from the domain settings above. I realize that the settings above are not secure, but we just want the users to be able to change their password (with a minimum length) at first and then begin to enforce security rules (aging and complexity) after we get them the ability to set their own password.

Any light anyone can shed on this issue would be greatly appreciated.

Justin H.

error 1256 The remote system is not available - REPL summary

Hi all

For the past 3 days I have been getting the error below while checking AD replication. Our present setup is:

RDC and ADC are in the same site, and DR ADC is configured in a remote site. We have P2P link connectivity for our AD and Exchange 2010 DAG replication. Kindly help me to solve this issue.

C:\>repadmin /replsummary
Replication Summary Start Time: 2015-01-05 18:39:15

Beginning data collection for replication summary, this may take awhile:
  ......


Source DSA          largest delta    fails/total %%   error
 DRADC             02m:39s    0 /   5    0
 RDC      02d.02h:03m:27s    5 /  10   50  (1256) The remote system is
not available. For information about network troubleshooting, see Windows Help.
 ADC            17m:39s    0 /  10    0


Destination DSA     largest delta    fails/total %%   error
 DRADC     02d.02h:03m:18s    5 /  10   50  (1256) The remote system is
not available. For information about network troubleshooting, see Windows Help.
 RDC             17m:31s    0 /  10    0
 ADC             04m:49s    0 /   5    0

C:\>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\ADC
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 5ddb9663-7c5b-4f2e-97b9-82a29e2c5955
DSA invocationID: 8d939f8e-fe0a-4bce-b260-e546e41e86d4

==== INBOUND NEIGHBORS ======================================

DC=ifmr,DC=co,DC=in
    Default-First-Site-Name\RDC via RPC
        DSA object GUID: 4988b352-e60b-4425-aac2-dd903d85eb2a
        Last attempt @ 2015-01-05 18:34:30 was successful.

CN=Configuration,DC=ifmr,DC=co,DC=in
    Default-First-Site-Name\RDC via RPC
        DSA object GUID: 4988b352-e60b-4425-aac2-dd903d85eb2a
        Last attempt @ 2015-01-05 18:39:22 was successful.

CN=Schema,CN=Configuration,DC=ifmr,DC=co,DC=in
    Default-First-Site-Name\RDC via RPC
        DSA object GUID: 4988b352-e60b-4425-aac2-dd903d85eb2a
        Last attempt @ 2015-01-05 18:34:26 was successful.

DC=DomainDnsZones,DC=ifmr,DC=co,DC=in
    Default-First-Site-Name\RDC via RPC
        DSA object GUID: 4988b352-e60b-4425-aac2-dd903d85eb2a
        Last attempt @ 2015-01-05 18:54:39 was successful.

DC=ForestDnsZones,DC=ifmr,DC=co,DC=in
    Default-First-Site-Name\RDC via RPC
        DSA object GUID: 4988b352-e60b-4425-aac2-dd903d85eb2a
        Last attempt @ 2015-01-05 18:40:04 was successful.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.


Jags


An attempt to resolve the DNS name of a domain controller in the domain being joined has failed.

The following error occurred attempting to join the domain "GUTS"

An attempt to resolve the DNS name of a domain controller in the domain being joined has failed. Please verify this client is configured to reach a DNS server can resolve DNS names in the target domain.

I am running Windows Server 2008 and trying to connect with a Windows 7 Ultimate computer.

I have already set the DNS on my computer to the server running DNS Server (same as the DC server).

I can ping the server domain name and IP.

Can someone help me and tell me what I am doing wrong?

Microsoft Windows [Version 6.0.6002]
Copyright <c> 2006 Microsoft Corporation. All rights reserved.

D:\Users\Administrator>ipconfig /all

Windows IP Configuration

Host Name ...........: Office-PC
Primary Dns Suffix .......: it.guts.org
Node Type ............: Hybrid
IP Routing Enabled .........: No
WINS Proxy Enabled .........: No
DNS Suffix Search List ......: it.guts.org hsd1.wa.comcast.net.guts.org

Wireless LAN Adapter Wireless Network Connection:
 Connection-specific DNS Suffix .: hsd1.wa.comcast.net
 Description ...........: D-Link DWA-125 Wireless N 150 USB Adapter (rev.A2)
 Physical Address ......: 1C-BD-B9-32-B8-86
 DHCP Enabled ..........: Yes
 Autoconfiguration Enabled ....: Yes
 IPv4 Address ...........: 192.168.0.194(preferred)
 Subnet Mask ............: 255.255.255.0
 Default Gateway ..........: 192.168.0.1
 DHCP Server ..............: 192.168.0.1
 DNS Server ...........: 192.168.0.1
 NetBIOS over Tcpic .........: Enabled

Ethernet adapter Local Area Connection:
 Media State..............: Media disconnected
 Connection-specific DNS Suffix .:
 Description .................: SiS 900-Based PCI Fast Ethernet Adapter
 Physical Address ............: 00-11-5B-4A-98-43
 DHCP Enabled ................: Yes
 Autoconfiguration Enabled ....: Yes

Tunnel adapter Local Area Connection *8:
Media State..............: Media disconnected
 Connection-specific DNS Suffix .:
 Description .................: isatap.{4FA1F217-5A33-4F73-9997-8A0C643AB5FD}
 Physical Address ............: 00-00-00-00-00-E0
 DHCP Enabled ................: No
 Autoconfiguration Enabled ....: Yes

Tunnel adapter Local Area Connection *11:
Media State..............: Media disconnected
 Connection-specific DNS Suffix .:
 Description .................: Teredo Tuneling Pseudo-Interface
 Physical Address ............: 02-00-54-55-4E-01
 DHCP Enabled ................: No
 Autoconfiguration Enabled ....: Yes

Tunnel adapter Local Area Connection *12:
Media State..............: Media disconnected
 Connection-specific DNS Suffix .: hsd1.wa.comcast.net
 Description .................: isatap.hsd1.wa.comcast.net
 Physical Address ............: 00-00-00-00-00-00-00-E0
 DHCP Enabled ................: No
 Autoconfiguration Enabled ....: Yes

D:Users\Administrator>ping guts.org
Pinging guts.org [216.33.93.211] with 32 bytes of data:
Reply from 216.33.93.211: bytes=32 time=71ms TTL=245
Reply from 216.33.93.211: bytes=32 time=71ms TTL=245
Reply from 216.33.93.211: bytes=32 time=71ms TTL=245
Reply from 216.33.93.211: bytes=32 time=71ms TTL=245

Ping statistics for 216.33.93.211:
     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
     Minimum = 71ms, Maximum = 355ms, Average 168ms

D:Users\Administrator>ping 216.33.93.211
Ping statistics for 216.33.93.211:
     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
     Minimum = 70ms, Maximum = 75ms, Average 72ms

D:Users\Administrator>nslookup
DNS request timed out.
    timedout was 2 seconds.
Default Server: Unknown
Address: 192.168.0.1

Report with the installed printers

Hi,

Can anybody tell me whether it is possible to get a report with all the computers in a domain and the printers installed on each computer?

My two DNS are Windows Server 2012 Datacenter.

Thanks in advance.

Regards.

Renew enterprise CA certificate

Hi Guys,

I have two Windows 2012 R2 servers with an enterprise CA and a subordinate CA, and the certificates are about to expire, so I need to renew them before the expiration date.

Can I renew them now? What will happen to my other certificates?

Should I renew the subordinate immediately after?

Should I ask for a new or the same private key?

Many thanks

Regards

HO

Version number for GPO's not in sync with the version number for GPO's on the Baseline domain controller

Hi

I accidentally removed one of our domain controllers' Hyper-V images (DC-02) from Hyper-V Manager and, to bring it back online, launched a new virtual machine using the same virtual hard drive. This brought back the domain controller machine and I set the IP address back to the original, assuming that everything would just work fine.

Sadly, that wasn't the case: when I tried to open the Group Policy Manager on that machine I started getting an "Access is denied" error. I was then presented with an option to open the Group Policy Manager with the first available DC, which I did, and was able to open it, with the same machine shown as the baseline domain controller under the Status tab (DC-01 is actually the baseline DC). I then clicked Detect Now and noticed it was showing 1 DC under "replication in progress" with problems in the GPO version. I then did the same thing on the primary DC (DC-01) and even there it was showing this only (images attached).

So I started exploring on the internet, going through various articles, but couldn't find a solution which I could apply without worrying about corrupting something somewhere. I also went to the SYSVOL folder on both DCs to check the version numbers in the GPT.ini files, which are mentioned below:

\\CC-DC01\sysvol\cloudchowk.lab\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
[General]
Version=3

\\CC-DC01\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
[General]
Version=5439513

\\cc-dc02\SYSVOL\cloudchowk.lab\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
[General]
Version=3

\\cc-dc02\SYSVOL\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
[General]
Version=5308439

Could anyone please help me sort this out? I am no system admin, and whatever knowledge I have of setting up DCs, AD etc. is from following one article or another on the internet.

Regards

Sajat Jain
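Added example, not part of the post: Python that parses the four GPT.ini contents quoted above and splits each Version into the two counters it packs (user half in the high 16 bits, computer half in the low 16 bits, which is how GPMC displays GPO versions), then reports which GPO differs between the two DCs and by how much. The file contents are the ones quoted in the post; the dictionary keys (DC name, GPO GUID) are constructed here from the paths.

```python
import configparser

# Constructed copies of the GPT.ini contents quoted in the post, keyed by
# (DC, GPO GUID) taken from the SYSVOL paths.
GPT_FILES = {
    ("CC-DC01", "{6AC1786C-016F-11D2-945F-00C04fB984F9}"): "[General]\nVersion=3\n",
    ("CC-DC01", "{31B2F340-016D-11D2-945F-00C04FB984F9}"): "[General]\nVersion=5439513\n",
    ("CC-DC02", "{6AC1786C-016F-11D2-945F-00C04fB984F9}"): "[General]\nVersion=3\n",
    ("CC-DC02", "{31B2F340-016D-11D2-945F-00C04FB984F9}"): "[General]\nVersion=5308439\n",
}

def parse_version(gpt_ini_text):
    """Read Version= from GPT.ini text; GPT.ini is a plain INI file."""
    cp = configparser.ConfigParser()
    cp.read_string(gpt_ini_text)
    return cp.getint("General", "Version")

def split_version(version):
    """A GPO version packs two counters: user settings in the high 16 bits,
    computer settings in the low 16 bits."""
    return {"user": version >> 16, "computer": version & 0xFFFF}

def compare(gpt_files):
    """Group GPT.ini versions by GPO and return only the GPOs whose version
    differs between DCs, with the decoded halves per DC."""
    by_gpo = {}
    for (dc, guid), text in gpt_files.items():
        by_gpo.setdefault(guid, {})[dc] = split_version(parse_version(text))
    return {
        guid: per_dc
        for guid, per_dc in by_gpo.items()
        if len({(v["user"], v["computer"]) for v in per_dc.values()}) > 1
    }

if __name__ == "__main__":
    for guid, per_dc in compare(GPT_FILES).items():
        print(guid)
        for dc, halves in sorted(per_dc.items()):
            print(f"  {dc}: user={halves['user']} computer={halves['computer']}")
```

The run shows only the Default Domain Policy GUID differing: CC-DC01 is at user 83 / computer 25 while CC-DC02 is at user 81 / computer 23, so DC-02's SYSVOL copy is two edits behind on both halves.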


Migrate .local domain to .com from SBS 2003 to Windows Server 2012 Standard

Hello,

Would it be possible to migrate users, groups and permissions from a Small Business Server 2003 with a .local domain to a new Windows Server 2012 Standard with a new .com domain?

Could the Active Directory Migration Tool (ADMT) be used?

Could USMT 4.0 be used for the workstation migration? What happens with Windows 8 profiles?

Thanks in advance.


Script to archive File Server Data

Hi All,

I'm looking for a script to remove file server data while keeping the last 2 years.

As

 

Renaming a Windows Server 2012 R2 ADDS/DNS/GC server

Hello,

I was curious if anyone has any experience with renaming Active Directory servers.

In short, we want to apply a clean image of one server that has been built in Hyper-V specifically to a different physical server. Once the image has been successfully applied, we want to rename the physical server to its old name. The physical server is a DC with DNS and GC as its other critical functions; this server also houses user profiles, which is why we want to be able to name it back to its original name.

So how difficult, or even possible, is it to rename a DC that has DNS and GC on it?

Thanks for the help.

bjz 


LDIFDE import to specific OU (Destination) from Exported OUs (Source)

Hi Guys,

I hope that anyone can help me and also hoping that the issue can be resolved with Ldifde tool.

I need to import all 423 exported OU entries (from the source) into a specific OU in the destination; is this possible?

The syntax I have seen regarding import says to import to the root of the destination domain,

for example:

ldifde -i -f C:\filename.ldf -s servername (This imports to the root of the domain on the destination and not to a specific OU of your choice)

I need the syntax for importing into a specific OU in the destination domain.

Otherwise, is there any other tool to import OUs into the destination that is easier than Ldifde?

Different ADFS server for different application on single on premise domain.

Hi Team,

We are using ADFS 2.0 for SSO on office 365.

Current setup:
1) one ADFS Farm (2 servers)
2) One ADFS proxy Farm (2 servers)
3) Directory sync.
4) Single on-premises domain.

Now we have a requirement-

We have one non-Microsoft application hosted in the cloud and want to integrate it with AD. Can we use/configure a separate ADFS (new standalone) to achieve this? If yes, does it have any impact on the existing Office 365 SSO setup? We only have a single domain on premises, which is already federated to O365.

Regards

Pankaj Sharma

Microsoft use cases link?

Hi,

I am trying to find a site where Microsoft has shared any use cases for the products they offer, but can't find one. Is anyone aware of such a site?

Viv

ADAMSync issue on DN name

Hello,

We are planning to use Proxy AuthN for ADLDS from AD.

So I dug into the ADAMSync process and am stuck on two problems:

1. The DN in ADLDS is copied from AD.

AD DN: CN=ADUser1,OU=UsersAdministrative,OU=_GlobalResources,OU=NITM,DC=myDomain,DC=ad,

From ADAMSync DN on ADLDS: CN=ADUser1,OU=UsersAdministrative,OU=_GlobalResources,OU=NITM,O=adldsRoot

But we want the ADLDS DN to be: CN=ADUser1,ou=ProxyUsers,O=adldsRoot

2. Can we change the RDN of the DN from CN to uid? We want the sAMAccountName (AD) value in the uid (ADLDS) field.

If required I will modify the schema to support DNs starting with uid.

Here is the ADAMSync XML configuration file:

<?xml version="1.0"?>
<doc>
 <configuration>
  <description>sample Adamsync configuration file</description>
  <security-mode>object</security-mode>
  <source-ad-name>my AD Source Here</source-ad-name>
  <source-ad-partition>Source partition</source-ad-partition>
  <source-ad-account></source-ad-account>
  <account-domain></account-domain>
  <target-dn>O=adldsRoot</target-dn>
  <query>
   <base-dn>BaseDN for AD Query</base-dn>
   <object-filter>(Ldap Query)</object-filter>
   <attributes>
    <include>objectSID</include>
   </attributes>
  </query>
  <!-- user-proxy is a child of configuration, not a sibling of it -->
  <user-proxy>
   <source-object-class>user</source-object-class>
   <target-object-class>userProxy</target-object-class>
  </user-proxy>
 </configuration>
</doc>

Thanks,

Add Selected Users to Mulitple Groups in Active Directory

The users already exist in Active Directory and I need to add them to multiple groups in Active Directory. For example, I need to add my users to the Engineering Lab, MS Office, AutoCAD, etc. distribution groups. I don't want to add all users, but selected users. Is there a way to set up a script? Thanks.

Diane

