Channel: Directory Services forum

SBS 2003 Migration to 2012 R2 Standard


Hello, I'm sure this has been asked before but I'm not finding the details that I think I need before I proceed with my migration.

Question 1) I've built the 2012 server and I'm logged on as the administrator. Do I start by adding this server to the current domain, or do I just follow the articles I've seen that talk about adding the Active Directory and DNS roles on this server?

Question 2) If that's correct, can I start the data/shares migration effort once that's done, and what is the best tool to do that with? We've got a handful of shares and approx. 700 GB of data. I've done some reading on RoboCopy and some other methods, but I'm not sure which is the best way to go.

Question 3) Lastly, when the data migration is done, do I then decommission the old server and change the IP and computer name on the new 2012 box so all of the workstations see it as if they were still connecting to the old one?

Thanks for your help...Scott


Migration of domain 2003 as child domain to parent domain


Dear Microsoft Expert,

We need AD professional advice; we are planning to migrate our 2003 domain server to a new domain with 2012.

Currently our domain 2003 environment:

We have domain1.com, which is hosted at our office; basically we have DHCP, DNS and file servers joined to this domain1.com.

Our objective:

Migrate domain1.com as child domain (new domain = xxx.corp.domain2.com) into our existing parent domain (corp.domain2.com)

New parent domain 2012 (corp.domain2.com):

We have a parent domain controller (Windows 2012) hosted at the data center; there are 4 child domains at different business centers under this parent domain (corp.domain2.com).

My questions are as below:

1. If I want to migrate our domain1.com as a child domain to this parent domain (corp.domain2.com), what is the procedure or what are the steps to achieve this?

2. We are concerned about our file server. There are a lot of credentials/folder permissions; if we migrate domain1.com to the new server, all the credentials will be lost. All the users would have problems accessing the file server.

3. How about the DHCP server? What is the best practice? Do we need to build another new DHCP server and join it to xxx.corp.domain2.com?

4. We need tools to facilitate the migration. If you have any related experience, you are welcome to share.

Please comment if you have anything you want to share; I appreciate that!

Thank You!

Best Regards,

Shiro

disable change notification on site links


Everything I see on Google is how to enable it; I need to turn it off. Do I just clear the options field on the site link? Does anything on the DCs in the site link scope have to be recycled? Server 2012 DCs and 2012 FFL/DFL.

Thanks!

Group MSA Problems


I've set up a group managed service account with my AD under Windows Server 2012 R2. The account looks fine and I can query it from the 2012 R2 AD server via PowerShell using Get-AdServiceAccount. However, when I attempt to add this account to another server in the domain using the command "Install-ADServiceAccount gMSATest$", it dumps the following error:

Install-ADServiceAccount : Cannot find an object with identity: 'gMSATest$' under: 'DC=mydomain,DC=com'.
At line:1 char:1
+ Install-ADServiceAccount gMSATest$
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Install-ADServiceAccount], ADIdentityNotFoundException
    + FullyQualifiedErrorId : Cannot find an object with identity: 'gMSATest$' under: 'DC=mydomain,DC=com'.,Microsoft
   .ActiveDirectory.Management.Commands.InstallADServiceAccount

I've tried a number of different ways using -Identity but each time I get the same error.  I do have the AD-Domain-Services feature enabled, yet no joy.  The server I'm attempting to add the account on is Server 2008 R2.

Any reason why it can't find the Group MSA account I created?  


Monitor Blanks When It Didn't Blank Before Applying The Latest Updates

I like having the time/date on display at all times on the monitor that is hooked to my server that is running Windows Server 2012 R2.  Last week I downloaded and installed the latest ISO and, despite telling Windows not to power down or turn off anything ever, the screen goes blank.  My server is a domain controller.  Today is January 15, 2015.

MARK D ROCKMAN

Report with the installed printers


Hi,

Can anybody tell me whether it is possible to get a report with all the computers in a domain and the printers installed on each computer?

My two dns are Windows Server 2012 Datacenter.

Thanks in advance.

Regards.

What happens to the local (SAM) account database when we first promote a member server to a domain controller? (I need a list)


What happens to the local (SAM) account database when we first promote a member server to a domain controller?

Can you let me know what other changes occur, like shared folders, security, or any other services previously installed?

(Not the changes which can be seen during installation of AD, which I have done dozens of times on prod servers.)

Let me give you an analogy of all the differences (which we see on the server):

(Part A) if I see the member server ============== if I see it once it is a domain controller (Part B)

Example:

List of changes that occurred after promoting to DC, against prior properties while it was a member server.

Consider a 2008 R2 server.

Regards

Basavaraj Navalgund (Raj)

banavalg@yahoo.com


ADS/DNS/DHCP/RIS/GROUP POLICY/PowerShell/VMware/Esxi/Storage.

Need a script and CSV sample for AD User creation


I need a script and a sample CSV file to create users in Active Directory. It would be much appreciated if somebody could help me with this.

Thank You,


FGPP created but PSO seems like it is not applied


I am running a native 2012 R2 domain and forest, with the forest and domain level being that of 2012 R2. I have created a Fine-Grained Password Policy via the AD Admin Center and have it applied to a single test user. There is only one PSO applied to this user and this is the only PSO in the directory. When querying the user via "dsget user <User-DN> -effectivepso", the correct PSO is applied for that user. When looking at the user attribute msDS-ResultantPSO, it also shows the correct PSO is being applied. The PSO disables password complexity; however, whenever I try to reset the test user account via ADUC or the AD Admin Center tools, the operation fails stating "Failed to reset the password for test user. The password does not meet the length, complexity or history requirements of the domain". I have removed all other requirements in the PSO for length, history, etc. in a basic attempt to confirm that the PSO is being applied, but I am unable to reset the user password to anything less than what is specified in the default domain policy (which includes complexity). I have waited for replication (within this one site only) and also rebooted the domain controllers with no change to this behavior.

Is the PSO only read and applied when the user is actually logged in within their context and when changing a password? Is the failure of being able to administratively reset the account in question to a password that complies with the PSO attached to that user operating by design?

I will be logging in with that test user account to see if this interpretation is true, but I would appreciate any insight anyone with experience with this situation can give.

Thanks,

Brian


Adding secondary ADFS server to farm fails with Could Not Load Assembly error


Hi all,

I have two servers running Server 2012 R2.

There are two AD sites. In site 1, I have the primary ADFS server running on a member server. In site 2, I have a secondary ADFS server running on the only DC in the site. There will be WAP servers publishing these servers in either site.

I successfully set up the first ADFS server in site 1, and this is working ok.  However, when I set up the server in site 2 I get the following error during the prerequisite checker:

Could not load file or assembly 'System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. Access is denied.

Unable to retrieve configuration from the primary server. Could not load file or assembly 'System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. Access is denied.

I ran this as my domain admin account and also as domain\administrator which is seldom used.

When I run the resulting PowerShell script, I get errors relating to the gMSA, so I'm not sure if that is where my issue lies. Here is the script:

# Windows PowerShell script for AD FS Deployment
#

Import-Module ADFS

# Get the credential used for performing installation/configuration of ADFS
$installationCredential = Get-Credential -Message "Enter the credential for the account used to perform the configuration."

Add-AdfsFarmNode `
-CertificateThumbprint:"Thumbprint Here" `
-Credential:$installationCredential `
-GroupServiceAccountIdentifier:"DOMAIN\STSSvc`$" `
-PrimaryComputerName:"machine.domain.net"

I tried using the FQDN of the ADFS server as well as the common name of sts.domain.net, neither worked.

Any suggestions?


Andrew Hodgson

Removing an out of date domain controller


Hi all.

One of our domain controllers has been put into an isolated network for DR testing. Whilst in this isolated network, computer accounts, service accounts and user accounts were all changed during the DR testing. In the live environment these computer accounts have not been changed in any way.

Of course we can't now move the domain controller used for DR testing back to the live environment, as this will replicate the updated accounts out to all other DCs - this would be a really bad place for us to be.

The only solution I can think of at the moment is to demote the domain controller using dcpromo /forceremoval whilst still isolated and then manually clean up the metadata - this is of course a drastic fix for a simple mistake.

Has anyone got any thoughts on if this is in fact the best solution or if someone has any other way to stop this DC replicating and then being able to run a normal clean dcpromo on the production network?

Please advise.

Restoring Virtualized Domain Controllers


http://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=ws.10)#backup_and_restore_considerations_for_virtualized_domain_controllers

The article above has an illustration to determine the best way to restore a virtualized DC.  I have several questions about this chart.

1.  The step titled "Deploy the VHD against a new VM, and restart in normal mode" - Must a new VM be created in Hyper-V, or can the VHD just be replaced with a backup?

2.  The steps titled "Restore the Virtual machine instance that predates the failure" - Is it really necessary to start in DSRM mode and set this registry value if the backup is an application-consistent, image-based backup where what you are doing is restoring the VHDX file?

3.  What will happen if you restart a domain controller that is in good condition, go into DSRM mode and set the "database restored from backup" to 1?


Best Practices Granting Permissions Across Forest Trusts for Administrator

We're beginning to work on moving from a Windows 2008 R2 Domain to a brand spanking new Windows 2012 R2 domain.  We've created a 2-way forest trust between both domains. We want our Domain/Enterprise Admins to have the same access to the new 2012 R2 domain. What's the best practice in granting access to another forest just for Admins? Should we put the Domain/Enterprise Admins in the 2008 domain into the same groups on the 2012 R2 Domain?

Orange County District Attorney

AD user are updated with a common phone number automatically


Hi All,

Got a strange thing: some of the AD users are updated with a common phone number and later reverted back to their original. Could not understand how. Please help to find the RCA.


Regards, Prabhu

0x800700ea when Configuring Certificate Enrollment Web Service


We installed a CA on a member server running Server 2012 R2. The server is already running a website. It is not the default site, but its own.

We are trying to install the Web Enrollment Service. When we get to the configuration wizard, it crashes with error 0x800700ea More_Data_Available.

In Event Viewer, Event ID 103: Microsoft.CertificateServices.Deployment.Common.CES.EnrollmentServiceSetupException: (Win32/HTTP: 234 Error_More_Data)

We are installing with an enterprise admin account. UAC is off, but we still "Ran As Administrator". We uninstalled/reinstalled the role several times.

Any ideas? My feeling is some conflict with the other IIS website, but can't be sure.



Slow response in active directory connections from client machines


Good day

May you assist? I'm experiencing a slow response in connection to Active Directory. Whenever we open Active Directory, the response time takes 5-10 minutes to open, and even if we reset or unlock an account it takes longer. I have run the following commands from the command prompt on one of the AD servers (dcdiag /q and replsum); these are the results I get:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\daniel-a>dcdiag /q
         The host 49b66143-966c-421a-897f-91bc51134e94._msdcs.energy.gov.za
         could not be resolved to an IP address. Check the DNS server, DHCP,
         server name, etc.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... LIGHT failed test Connectivity

C:\Users\daniel-a>repadmin /replsum
Replication Summary Start Time: 2015-01-12 10:51:21

Beginning data collection for replication summary, this may take awhile:
  .........


Source DSA          largest delta    fails/total %%   error
 PARLIAMENT        22d.14h:02m:51s    5 /   5  100  (8524) The DSA operation is
unable to proceed because of a DNS lookup failure.
 REFINERY                  02m:47s    0 /   5    0
 RENEWABLE                 02m:47s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 LIGHT             22d.14h:03m:22s    5 /  15   33  (8524) The DSA operation is
unable to proceed because of a DNS lookup failure.


Experienced the following operational errors trying to retrieve replication info
rmation:
          58 - Renewable.energy.gov.za
          58 - Parliament.energy.gov.za
          58 - Magnetic.energy.gov.za
          58 - REFINERY.energy.gov.za
          58 - REACTOR.energy.gov.za

C:\Users\daniel-a>dcdiag /q
         The host 49b66143-966c-421a-897f-91bc51134e94._msdcs.energy.gov.za
         could not be resolved to an IP address. Check the DNS server, DHCP,
         server name, etc.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... LIGHT failed test Connectivity

PLEASE ASSIST URGENTLY

Regards

Dan

Computer Policy and User Policy with different setting - what's the precedence?


Hi!

I have an example of a GPO policy, identical for user and computer, with a DIFFERENT setting.

Eg. GPO Setting Prevent use of Offline Files folder - Computer: Disabled

GPO Setting Prevent use of Offline Files folder - User: Enabled

Which one will actually apply when the user logs on? Which setting, HKLM or HKCU, will win/take precedence?

thanks.

Add AD DS Role to Server 2012R2 fails 0x800f0831


Windows Server 2012 R2 on ESXi 5.5 10GB RAM 200GB HD

Add Role AD DS fails

Using the Server Manager to install AD DS fails with error: 0x800f0831. I can add the DHCP role as a test; that worked fine, and removing it was also fine.

Have tried reboots etc. All fully patched apart from the Nov 2014 Rollup package. No other roles or software running. Machine is on an existing domain with no errors.


I have also installed Net Framework 3.5, as I suspected the error may be indicating that was needed. It installed fine but no change in adding the AD DS role still fails exactly the same (about 75% of the blue bar)

Version number for GPO's not in sync with the version number for GPO's on the Baseline domain controller


Hi

I accidentally removed one of our domain controller's Hyper-V images (DC-02) from the Hyper-V manager and, to bring it back online, launched a new virtual machine using the same virtual hard drive. This brought back the domain controller machine, and I set the original IP address to the same, assuming that everything would just work fine.

Sadly, that wasn't the case, as when I tried to open the group policy manager on that machine I started getting an "Access is denied" error. I was then presented with an option to open the group policy manager with the first available DC, which I did, and was able to open it with it showing the same machine as the baseline domain controller under the status tab (DC-01 is actually the baseline DC). I then clicked Detect now and noticed it was showing 1 DC under replication in progress with problems in GPO version. I then did the same thing on the primary DC (DC-01) and even there it was showing this only (images attached).

So I started exploring over the internet, going through various articles, but couldn't find a solution which I could apply without worrying about corrupting something somewhere. I also went to the SYSVOL folder on both the DCs to check the version number in the GPT.ini files, which are mentioned below:

\\CC-DC01\sysvol\cloudchowk.lab\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
[General]
Version=3

\\CC-DC01\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
[General]
Version=5439513

\\cc-dc02\SYSVOL\cloudchowk.lab\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
[General]
Version=3

\\cc-dc02\SYSVOL\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
[General]
Version=5308439

Could anyone please help me sort this out? I am no system admin and whatever knowledge I have of setting up DC, AD etc is from following one article or the other over the internet.

Regards

Sajat Jain


how to connect to Active directory lds instance using LDAP connection


I want to connect to an AD LDS instance using an LDAP connection - http://msdn.microsoft.com/en-us/library/system.directoryservices.protocols.ldapconnection(v=vs.110).aspx

I tried the following ways:

LdapConnection(String) - http://msdn.microsoft.com/en-us/library/awac5k73(v=vs.110).aspx

 The string with value machineName:ADLDSPort number. Adds the network credential to the connection.

LdapConnection(LdapDirectoryIdentifier, NetworkCredential) - http://msdn.microsoft.com/en-us/library/d4xyhsxe(v=vs.110).aspx

  I have created an LDAP identifier with the machine name and AD LDS port. I have used this in creating the LDAP connection.

I am doing the following to get the search request:

     SearchRequest request = new SearchRequest(distinguishedName, Filter, SearchScope, null);

Search request details are available in the following link :

http://msdn.microsoft.com/en-us/library/system.directoryservices.protocols.searchrequest(v=vs.110).aspx

I am getting the following exception even when I am giving the right credential:

    The supplied credential is invalid.

How can we connect to an AD LDS instance using an LDAP connection?


 