Channel: Directory Services forum
Viewing all 31638 articles

LastLogonTimeStamp Attribute Not Updated for Computer Account Over SSL-VPN


We like to use LastLogonTimeStamp (LLTS) to find stale computer accounts, disable them, and eventually delete them.  What we have found is that domain member computers that connect to the domain exclusively by SSL-VPN (for instance in the case of employees who work from their home office) do not update LLTS.  Consequently these computers frequently appear on stale computer reports.

I suppose the required logon type is never used when connecting over SSL-VPN.  Therefore I would like to know if there is a way via a logon script or some other method that we can update this attribute.
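An added example, not code from the original post: a stale-computer report that does not rely on lastLogonTimestamp alone. lastLogonTimestamp is a replicated attribute that a DC only rewrites when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default, minus a random offset of up to 5 days), so it is coarse by design. A domain member's machine-account password (pwdLastSet) is rotated every 30 days by default whenever the secure channel is usable, which a VPN-connected laptop normally still does, so a machine with an old LLTS but a fresh pwdLastSet is a candidate for review, not for disabling. The 90-day threshold and the CSV path are assumptions.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# (RSAT) module and default msDS-LogonTimeSyncInterval / machine password age.
Import-Module ActiveDirectory

$StaleDays = 90                              # assumed policy threshold
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

# Read the raw replicated attributes rather than the LastLogonDate alias so the
# comparison logic below is explicit about what it tests.
$Computers = Get-ADComputer -Filter { Enabled -eq $true } `
    -Properties lastLogonTimestamp, pwdLastSet, operatingSystem

$Report = foreach ($c in $Computers) {
    $llts = if ($c.lastLogonTimestamp) { [DateTime]::FromFileTime($c.lastLogonTimestamp) } else { $null }
    $pwd  = if ($c.pwdLastSet)         { [DateTime]::FromFileTime($c.pwdLastSet) }         else { $null }

    # Stale only when BOTH signals are old. A VPN-only laptop that still rotates
    # its machine password shows a recent pwdLastSet even if LLTS never catches up.
    $lltsStale = (-not $llts) -or ($llts -lt $Cutoff)
    $pwdStale  = (-not $pwd)  -or ($pwd  -lt $Cutoff)

    [PSCustomObject]@{
        Name               = $c.Name
        OperatingSystem    = $c.operatingSystem
        LastLogonTimestamp = $llts
        PwdLastSet         = $pwd
        Verdict            = if ($lltsStale -and $pwdStale) { 'Stale' }
                             elseif ($lltsStale)            { 'LLTS old, pwd fresh (review: likely VPN-only)' }
                             else                           { 'Active' }
    }
}

$Report | Sort-Object Verdict, LastLogonTimestamp | Format-Table -AutoSize

# Only the set that is stale on both signals is a candidate for disabling.
$Report | Where-Object Verdict -eq 'Stale' |
    Export-Csv -Path '.\stale-computers.csv' -NoTypeInformation
```

Disabling rather than deleting on the first pass keeps the machine's SID and group memberships recoverable if a reviewer turns out to be wrong; deletion can follow after a second grace period.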


What if a DC fails that had all FSMO roles?


Hello,

We have two DCs DC1 and DC2.

I created DC2 in case of failure. DC1 holds all FSMO roles.

What happens if DC1 crashes? How do I get them?
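An added example, not from the original post: seizing the five FSMO roles onto the surviving DC and cleaning up the dead DC's metadata, assuming DC1 is permanently lost (if it can be repaired, transfer the roles gracefully instead). Because a seizure tells DC2 to take the roles without any handshake with DC1, DC1 must never be brought back onto the network afterwards; it should be rebuilt. The site name and domain DN in the ntdsutil line are placeholders.

```powershell
# Added example (not from the original post). Run on DC2 or an RSAT box that
# can reach DC2; DC1 is assumed to be down for good.
Import-Module ActiveDirectory

# 1. Show the current holders (still DC1 until seized). -Server avoids the
#    locator picking the dead DC.
Get-ADDomain -Server DC2 | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest -Server DC2 | Select-Object SchemaMaster, DomainNamingMaster

# 2. Seize all five roles onto DC2. -Force performs a seizure when the current
#    holder cannot be contacted; without it the cmdlet attempts a transfer.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# 3. Verify from DC2's point of view.
netdom query fsmo

# 4. Remove DC1's leftovers (NTDS settings, DNS records, FRS/DFSR membership)
#    so the KCC, DNS and Kerberos stop referring to it. Site name and domain DN
#    are assumptions; replace them with your own.
ntdsutil "metadata cleanup" "remove selected server CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local" q q

# 5. After cleanup, make sure DC2 is also a GC and that clients can find it.
Get-ADDomainController -Identity DC2 | Select-Object HostName, IsGlobalCatalog, OperationMasterRoles
nltest /dsgetdc:contoso.local /pdc /force
```

Until the seizure is done, the immediate user-visible effect of losing the PDC emulator is that password changes and account lockouts take longer to converge and time synchronisation has no authoritative source; RID master loss only bites once DC2 exhausts its current RID pool.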

Best practice: restarting a Hyper-V host with a WinSrv 2012 R2 virtualized DC


I would like to know if restarting a Hyper-V host with a virtual 2012 DC on it is supported with the standard Hyper-V VM settings:

Automatic Stop Action: "Save the virtual machine state"

Automatic Start Action: "Automatically start if it was running when the service stopped"

So basically the state of the virtual DC will be saved and written to disk, and it will start when the Hyper-V services are started after the restart of the host.

Is this way supported or wise, or should I shut down the virtual DC manually and start the DC manually whenever the host is up and running again?

Win 2003 Sites & services replication issue


Hi people,

New to the server environment and facing a challenge: AD Sites & Services are not replicating. After googling I found out it's an issue with DNS.

DCDiag /test:DNS result logs:

Angola\MMADC04
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: c7a090fb-f7d1-43fc-9704-f7daace51ed0
DSA invocationID: f03fbd56-0cbd-4e69-b73a-5d0009cee24c

==== INBOUND NEIGHBORS ======================================

DC=MM,DC=local
    Livonia\MMADC05 via RPC
        DSA object GUID: 032cca42-b6bd-4f59-9ead-cf2ce9b48417
        Last attempt @ 2015-01-30 01:45:43 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        85 consecutive failure(s).
        Last success @ 2015-01-19 10:53:14.
    SanLuisPotosi\MMADC06 via RPC
        DSA object GUID: e92ef3f5-c9a0-4007-910a-6abdbf6b0272
        Last attempt @ 2015-01-30 01:46:30 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        52 consecutive failure(s).
        Last success @ 2015-01-23 13:53:57.
    Russellville\MMADC01 via RPC
        DSA object GUID: f8eee78b-1250-4411-8931-a8f6d6972c5d
        Last attempt @ 2015-01-30 02:41:16 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        53 consecutive failure(s).
        Last success @ 2015-01-23 13:53:56.

CN=Configuration,DC=MM,DC=local
    Livonia\MMADC05 via RPC
        DSA object GUID: 032cca42-b6bd-4f59-9ead-cf2ce9b48417
        Last attempt @ 2015-01-30 01:45:49 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        60 consecutive failure(s).
        Last success @ 2015-01-22 13:53:24.
    SanLuisPotosi\MMADC06 via RPC
        DSA object GUID: e92ef3f5-c9a0-4007-910a-6abdbf6b0272
        Last attempt @ 2015-01-30 01:46:01 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        60 consecutive failure(s).
        Last success @ 2015-01-22 13:53:27.
    Russellville\MMADC01 via RPC
        DSA object GUID: f8eee78b-1250-4411-8931-a8f6d6972c5d
        Last attempt @ 2015-01-30 02:41:22 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        61 consecutive failure(s).
        Last success @ 2015-01-22 13:53:25.

CN=Schema,CN=Configuration,DC=MM,DC=local
    Livonia\MMADC05 via RPC
        DSA object GUID: 032cca42-b6bd-4f59-9ead-cf2ce9b48417
        Last attempt @ 2015-01-30 01:46:07 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        60 consecutive failure(s).
        Last success @ 2015-01-22 13:53:28.
    SanLuisPotosi\MMADC06 via RPC
        DSA object GUID: e92ef3f5-c9a0-4007-910a-6abdbf6b0272
        Last attempt @ 2015-01-30 01:46:18 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        52 consecutive failure(s).
        Last success @ 2015-01-23 13:53:56.
    Russellville\MMADC01 via RPC
        DSA object GUID: f8eee78b-1250-4411-8931-a8f6d6972c5d
        Last attempt @ 2015-01-30 02:41:28 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        53 consecutive failure(s).
        Last success @ 2015-01-23 13:53:54.

DC=DomainDnsZones,DC=MM,DC=local
    Livonia\MMADC05 via RPC
        DSA object GUID: 032cca42-b6bd-4f59-9ead-cf2ce9b48417
        Last attempt @ 2015-01-30 01:45:43 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        85 consecutive failure(s).
        Last success @ 2015-01-19 10:53:18.


Source: Livonia\MMADC05
******* 85 CONSECUTIVE FAILURES since 2015-01-22 13:53:28
Last error: 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.

Source: SanLuisPotosi\MMADC06
******* 60 CONSECUTIVE FAILURES since 2015-01-23 13:53:57
Last error: 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.

Source: Russellville\MMADC01
******* 61 CONSECUTIVE FAILURES since 2015-01-23 13:53:56
Last error: 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.

I checked the DNS records; everything is set and name resolution is working perfectly.

nltest /dsgetdc:/pdc /force command result:

Getting DC name failed: Status = 1212 0x4bc ERROR_INVALID_DOMAINNAME

Please let me know how to fix this, folks.
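An added example, not from the original post: checks that test the specific DNS lookups replication depends on, rather than plain host-name resolution. Error 8524 is raised when the replication engine cannot resolve the partner's DSA GUID CNAME record (<DSA object GUID>._msdcs.<forest root>), so those are the records to test; the GUIDs and the MM.local forest name are taken from the posted output. It also shows the nltest syntax that takes a domain name (the posted form passes "/pdc" where the domain name belongs, which is a plausible source of ERROR_INVALID_DOMAINNAME). Resolve-DnsName needs Windows 8 / Server 2012 or later, so run this from a newer management host; repadmin and nltest are also available on 2003 with the support tools.

```powershell
# Added example (not from the original post). Forest root and partner DSA GUIDs
# are copied from the posted repadmin-style output.
$ForestRoot = 'MM.local'
$Partners = @{
    'Livonia\MMADC05'       = '032cca42-b6bd-4f59-9ead-cf2ce9b48417'
    'SanLuisPotosi\MMADC06' = 'e92ef3f5-c9a0-4007-910a-6abdbf6b0272'
    'Russellville\MMADC01'  = 'f8eee78b-1250-4411-8931-a8f6d6972c5d'
}

# Test the GUID CNAME each partner is located by, then the host it points to.
foreach ($entry in $Partners.GetEnumerator()) {
    $cname = "$($entry.Value)._msdcs.$ForestRoot"
    try {
        $rec    = Resolve-DnsName -Name $cname -Type CNAME -ErrorAction Stop
        $target = ($rec | Where-Object Type -eq 'CNAME').NameHost
        $addr   = (Resolve-DnsName -Name $target -Type A -ErrorAction Stop |
                   Where-Object Type -eq 'A').IPAddress -join ','
        '{0,-24} OK     {1} -> {2} -> {3}' -f $entry.Key, $cname, $target, $addr
    }
    catch {
        '{0,-24} FAILED {1}: {2}' -f $entry.Key, $cname, $_.Exception.Message
    }
}

# SRV records DCs and clients use to find the PDC and a DC in the forest root.
Resolve-DnsName "_ldap._tcp.pdc._msdcs.$ForestRoot" -Type SRV
Resolve-DnsName "_ldap._tcp.dc._msdcs.$ForestRoot"  -Type SRV

# Which DNS servers MMADC04 itself is using; a DC whose NIC points at an
# external resolver cannot find the _msdcs records even if the zone is fine.
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses

# nltest wants the domain name after /dsgetdc:, with /pdc as a separate switch.
nltest /dsgetdc:$ForestRoot /pdc /force

# Replication view from the affected DC, for a before/after comparison.
repadmin /showrepl MMADC04 /verbose
repadmin /replsummary
```

If the CNAME lookups fail only for some partners, compare the _msdcs zone contents on each DC (dnscmd <dc> /enumrecords _msdcs.MM.local @) before touching replication itself; if they succeed everywhere, the 1256 errors point at RPC reachability (port 135 plus the dynamic RPC range) between the sites rather than DNS.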

Active Directory Users and Computers


Hello All,

    Please can anyone suggest something for the trouble I am facing: "I am unable to create new users, computers, groups, etc. in Active Directory Users and Computers. My DC is in domain A, and I want to create a distribution group in domain B (another domain). The option to create new users, computers and groups is disabled in Active Directory Users and Computers when I connect to domain B!"

Thanks in advance,

User access denied logging in, password reset allows access until next log in.


I have several users that intermittently have issues logging in to their AD accounts. They attempt to log in at the beginning of the day and receive "Access Denied: Incorrect username or password".

User account is not locked and does not lock after several attempts (Domain policy is 3 attempts). Resetting the password grants access until they log off again. User accounts are configured to log on to all computers with no "Logon Hours..." restrictions. 

This is not a User error as I have sat at their computer and entered the password for them to be denied. I can log in with my standard user account or my admin account with no problems. 

Our domain is at a functional level of 2003 but I have DCs that are 2003, 2008, 2008 R2, and 2012 R2. I am not showing any replication errors and AD health is good.

I am at a loss for what to check next and internet searches have not turned up anything. Any help would be appreciated.

Thanks in advance,

Paul Norman

Domain controller upgrade in Exchange Environment

We have an existing 2003 Server environment with Exchange Server 2003 coexisting with Exchange Server 2010 in a DAG setup. We have recently decided to move to a Windows Server 2012 Standard environment. How do I promote the new Windows Server 2012 Standard server to a DC and remove the 2003 server from the environment? My users are currently using the old 2003 DC to log on.

In brief:

We have a Windows 2003 Enterprise + SP2 domain controller (holding DNS as well) and Exchange Server 2003 Enterprise + Exchange Server 2010 running in coexistence with a DAG.

We have decided to remove the 2003 server from the environment and go with the Windows 2012 Standard OS. I would like to know what the impact on the Exchange Server environment will be, if any.

Please suggest the right path with the least downtime. Mail service should not be affected.

TheAtulA

Automatically generated site connectors in Active Directory all default to the same site


Greetings,

I have a single forest/single domain configured with 17 sites. We are currently in 2003 native mode, but are upgrading to 2012 R2. The schema has been upgraded and 3 sites have been moved to 2012 R2 domain controllers.

Each site has one domain controller, most are 2003 but the FSMO roles are on a Windows 2008R2 domain controller in Site1.

Our network is a mesh, but many sites have different bandwidth speeds. In this case, Site3 has a 6 Mb connection to the network.

When I upgraded Site3, I couldn't add the renamed replacement server to the domain. The demotion proceeded properly and the objects were removed from Sites and Services. I found I had problems with duplicate SPNs, which were solved by removing the old and new servers from AD. I still had problems with the new server and found that replication was now broken. We traced it down to corrupt automatically generated site connectors that all still pointed to the now missing Site3 domain controller. I was able to set up manual replication connectors and then regenerate the automatic connectors, which now pointed to the (in my opinion) proper servers. I only have one manually created site connector, to a minor site that is not part of the mesh.

This behavior was noticed back in late 2012 when another replication problem occurred during maintenance and was fixed.

This morning I was working on Site4 when I noticed that all the automatically generated site connectors switched back to the new Site3 domain controller.

Can anyone help me determine why the system seems to prefer site3 as a hub. Is there some setting stuck or configured that would make site3 preferential? I want to avoid more down time if site3 has a problem.

Thanks

Derek



Installing SQL 2008 / SQL 2012 in a DMZ covered by RODCs


Hello guys,

I'm trying to install SQL 2008 (tried also SQL 2012) in a W2008R2 server that lives in a DMZ site covered by a couple of RODCs.

The RODCs have full access to the RWDCs, but the traffic is blocked from the rest of computers in the DMZ to the RWDCs.

Every time I run the wizard to install SQL Server, it fails when trying to set up a domain user to run the SQL services ("Server Configuration >> Service Account" step). When I temporarily allow communication from that SQL Server to one of the RWDCs, it works.

I have, obviously, cached and pre-populated passwords in the RODCs, and I am using both Domain Admin and non-Domain Admin accounts.

We have more than 30 windows member servers authenticating against those RODCs in the DMZ and everything works fine.

Any ideas why the SQL installation wizard cannot authenticate against an RODC? I have been googling and I didn't find anything!

By the way, I have already posted a similar thread in the SQL forum. They suggested to "install SQL Server with a local Windows account and then change the SQL Server service account to the domain account". That actually works, but I'd like to find out what is wrong with my RODC setup, or whether this is just expected behavior for SQL installations covered by RODCs.

Thanks.

NTDS Settings - replicate to/from


My understanding is that the replicate to/from links are created based on the site links that have been defined.

What could be wrong/have happened when the replicate to/from links don't match the site links?

Simplified example:

I have sites SITE_A, SITE_B and SITE_C.  I have a DC in SITE_A that is replicating to/from SITE_B and SITE_C, but SITE_C doesn't have a link specified, so it is not a connection I'm expecting to see (or want).  I'm having known communication issues between SITE_A and SITE_C currently.

How can I force the replication to stop attempting connections between SITE_A and SITE_C?  Is it possible?

rename security group effect


hi,

I need to rename a security group from abc to xyz (just for info: DCs 2008 FL2003).

I am sure that it will not have any impact on GPO processing or currently logged in users and new log in but want to ask...

Am I correct?

thanks.


--- When you hit a wrong note it's the next note that makes it good or bad. --- Miles Davis

DC services not working anymore after restart


Hi all,

I have DC1 (Win 2003, holding the FSMO roles) and DC2 (2008 R2), at the Win 2003 functional level.


Whenever my DC2 is restarted without my DC1 running, DC2 has no services available anymore. The following errors occur on DC2:


   - AD domain service ( naming information cannot be located because: the specified domain either does not exist or could not be contacted )

   - DNS ( the server DC2 could not be contacted.  The error was: the server is unavailable. )

   - DFS not available

   - the network is shown as an unidentified network and Public network (but the firewall allows AD, DNS, DFS)



=> Is this expected behavior when an additional DC doesn't find the DC holding the FSMO roles?

=> Or should I still have my services, including DNS, available on DC2?

=> Is the only way to resolve this to seize all roles on DC2?

Thank you

Permissions to create Reverse Lookup Zones in DNS

What Active Directory permissions are needed to create Reverse Lookup Zones in DNS?  My co-worker is getting an access denied error when completing the wizard for this and the zone is NOT created.  He is a member of the "DnsAdmins" group and he can create Forward Lookup Zones.  We are running Server 2008 R2 SP1 on our Domain Controllers where DNS is running.  Any ideas?

Domain Administrator Problem


I created a new domain admin account that is part of AD Administrators, Domain Admins and Enterprise Admins.   I have been using this account for a couple of years with no issue. However after promoting the domain to W2k3 and adding 2012 R2 domain controllers I keep running into issues with the account. 

The most recent was using the command 'appcmd list backup' in preparing for an IIS migration. I received an "Access is denied" error.  I tried this with another account that should have domain admin privileges and got the same error.  When using the original Administrator account there is no issue.

Does anyone have any thoughts on this? Is there a way to check rights and permissions for a Domain Admin, Enterprise Admin and Administrator account?  So far all I have found is stuff related to the SID, but I don't believe this is a true check of rights.

Thanks
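An added example, not from the original post, of how to check what an account's logon token actually carries versus what AD says it is a member of. On Windows 2008 and later, UAC Admin Approval Mode strips administrative groups from the token of a non-elevated console (they appear as "Group used for deny only") and runs it at Medium integrity; by default the built-in Administrator account (RID 500) is exempt from this filtering, which is worth ruling in or out before looking at directory permissions. The checks below are read-only.

```powershell
# Added example (not from the original post). Run in the same console in which
# appcmd fails, then again in a console started with "Run as administrator".

# 1. What the process token contains. Look for the integrity label and whether
#    BUILTIN\Administrators (S-1-5-32-544) is present or "used for deny only".
whoami /user
whoami /groups /fo list | findstr /i /c:"Mandatory Level" /c:"Domain Admins" /c:"S-1-5-32-544" /c:"deny only"

# 2. Privileges on the token; SeBackupPrivilege, SeRestorePrivilege and
#    SeTakeOwnershipPrivilege are absent from a UAC-filtered token.
whoami /priv

# 3. What the directory says: the fully expanded (nested) group list, from the
#    constructed tokenGroups attribute, resolved to names.
Import-Module ActiveDirectory
$user = Get-ADUser -Identity $env:USERNAME -Properties tokenGroups
$user.tokenGroups | ForEach-Object {
    try   { $_.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $_.Value }   # unresolvable SID (deleted group or foreign domain)
} | Sort-Object

# 4. Whether this machine exempts RID-500 from Admin Approval Mode (the default).
#    0 = built-in Administrator gets an unfiltered token; other admins do not.
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' |
    Select-Object EnableLUA, FilterAdministratorToken, ConsentPromptBehaviorAdmin
```

If step 1 shows "Medium Mandatory Level" and Administrators as deny-only while step 3 lists Domain Admins, the account is fine and the console is not elevated; if the elevated console still fails, move on to the object's own ACL (for IIS, the backup directory under %windir%\system32\inetsrv) rather than the account.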

The following domains are not available.


I've run into this problem a few times. We have two separate forests with a two-way trust. We have a clustered file server that both forests access.

Randomly I will notice the file server has some issues resolving the names (showing the SID instead) and I can't modify permissions because it prompts this message:

The domain resolves fine from both sides (I have DNS forwarders in each location in place). When I go to domains & trusts on both domain controllers and "VALIDATE" it says everything is fine.

How do I troubleshoot this?


Newly promoted Domain Controller consuming constantly high CPU in lsass


Hi

We newly promoted a VMware server running Windows 2008 R2 to domain controller, fully patched up to date with Microsoft patches and with Symantec Endpoint Protection 11.

Can anybody point me to which component to check to find out why lsass is consuming more CPU? We recently promoted many DCs on physical servers which are functioning properly.


Thanks & Regards S.Swaminathan Live & let others live!!!

Recover bitlocker recovery package from AD


I am trying to recover data from a drive using repair-bde. The first attempt using just the recovery password didn't work and the tool recommended trying the keypackage method.

We are backing up the BitLocker information to AD. Is there a way to recover the recovery key package from AD so that I can try to restore this drive?

The client was Windows 8.1 the Active Directory version is 2010.
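An added example, not from the original post: pulling the BitLocker key package out of AD with PowerShell. When recovery information is backed up to AD, each protector is stored as an msFVE-RecoveryInformation object beneath the computer object, and the msFVE-KeyPackage attribute holds the binary key package that repair-bde -KeyPackage consumes. The script needs the ActiveDirectory module and an account that has been granted read access to the recovery objects (by default only Domain Admins have it). The computer name, output path and the .KPG file name (which mirrors what the BitLocker Recovery Password Viewer exports) are assumptions.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module,
# a 2008-or-later schema (msFVE-RecoveryInformation class) and read rights on
# the recovery objects.
Import-Module ActiveDirectory

$ComputerName = 'LAPTOP01'          # hypothetical: the client whose drive failed
$OutDir       = 'C:\BDE-Recovery'   # hypothetical output location
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$computer = Get-ADComputer -Identity $ComputerName

# One recovery object exists per protector ever backed up, so list them all
# and match on the recovery ID shown by repair-bde or the pre-boot prompt.
$recovery = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
    -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, msFVE-VolumeGuid, msFVE-KeyPackage, whenCreated

if (-not $recovery) { throw "No BitLocker recovery objects found under $($computer.DistinguishedName)" }

foreach ($r in $recovery) {
    # The GUID attributes are stored as octet strings, hence the byte[] constructor.
    $recGuid = New-Object Guid (,[byte[]]$r.'msFVE-RecoveryGuid')
    $volGuid = New-Object Guid (,[byte[]]$r.'msFVE-VolumeGuid')
    $pkg     = [byte[]]$r.'msFVE-KeyPackage'

    '{0:u}  recovery-id {1}  volume {2}  key package {3} bytes' -f $r.whenCreated, $recGuid, $volGuid, $pkg.Length

    # repair-bde -KeyPackage takes a folder; put each package in its own folder
    # named by recovery ID so the right one is easy to pick.
    $pkgDir = Join-Path $OutDir $recGuid
    New-Item -ItemType Directory -Path $pkgDir -Force | Out-Null
    [IO.File]::WriteAllBytes((Join-Path $pkgDir "BitLocker Key Package {$recGuid}.KPG"), $pkg)
    Set-Content -Path (Join-Path $pkgDir 'recovery-password.txt') -Value $r.'msFVE-RecoveryPassword'
}

# Then, from an elevated prompt, with the matching recovery ID and password:
#   repair-bde D: E: -KeyPackage "C:\BDE-Recovery\<recovery-id>" -RecoveryPassword <48-digit password> -Force
# (D: is the damaged volume, E: an empty volume at least as large.)
```

Treat the exported folder as you would the plaintext of the drive: the key package plus the recovery password unlock the volume without the original machine, so put it on an encrypted, access-controlled location and delete it once the recovery is complete.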

Active Directory 2008- Change Password From WEB

Hey, how are you?

Currently I have a Server 2008 Active Directory and another server with Exchange Server 2010.


I authenticate remote users via VPN.

My goal is to give users the ability to change their password via the web.

Is there some proprietary tool from Microsoft that allows me to reach my goal?

What tool do you recommend?

I read about changing passwords through OWA, but it is very complicated for the end user; I would evaluate other methods from the web!

How to identify the manager of a department (not the user) in AD via PowerShell, using the department as parameter?

How to identify the manager of a department (not the user) in AD via PowerShell, using the department as parameter?

Torres
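An added example, not from the original post. AD has no "department manager" attribute: department is a free-text string on each user and manager is a per-user DN. So a department's manager has to be derived, and the script below uses the assumption that it is the person most of the department's members have in their manager attribute; if that person's own department is the same one, they are probably a team lead and the script walks one level up. The ActiveDirectory module is required; the 'Finance' value is a placeholder.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and that the "manager" attribute is populated on most users.
Import-Module ActiveDirectory

function Get-DepartmentManager {
    param(
        [Parameter(Mandatory)] [string] $Department
    )

    # -Filter with a script block lets PowerShell bind $Department safely instead
    # of splicing the value into an LDAP string.
    $members = @(Get-ADUser -Filter { department -eq $Department } -Properties manager, department)
    if ($members.Count -eq 0) { throw "No users found with department '$Department'." }

    $tally = $members |
        Where-Object { $_.manager } |
        Group-Object -Property manager |
        Sort-Object Count -Descending
    if (-not $tally) { throw "No user in '$Department' has a manager set." }

    $mgr = Get-ADUser -Identity $tally[0].Name -Properties department, title, manager
    $escalated = $false

    # Same department as the reports: treat as team lead and step up one level.
    if ($mgr.department -eq $Department -and $mgr.manager) {
        $mgr = Get-ADUser -Identity $mgr.manager -Properties department, title, manager
        $escalated = $true
    }

    [PSCustomObject]@{
        Department     = $Department
        Headcount      = $members.Count
        Manager        = $mgr.SamAccountName
        ManagerName    = $mgr.Name
        ManagerTitle   = $mgr.title
        ManagerDept    = $mgr.department
        DirectReports  = $tally[0].Count
        WalkedUpLevel  = $escalated
        # Second-largest manager group, to flag departments split across two bosses.
        RunnerUp       = if ($tally.Count -gt 1) { (Get-ADUser $tally[1].Name).SamAccountName } else { $null }
    }
}

Get-DepartmentManager -Department 'Finance'
```

If the organisation keeps a cleaner source (an HR feed, or an extensionAttribute populated on a per-department basis), prefer that over this heuristic; the counting approach is for directories where manager is the only structured hierarchy.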

Adding a second server to a Windows 2012 server domain


I have a small site with one server running Windows server 2012 Standard edition. This server is the PDC.

We have purchased a new accounting system and the vendor wants their own server, also running Server 2012.

I have the server and it is on the network and currently configured as a workgroup server.

I have some questions.

1) How do I add this server to the existing domain?

2) Once it is added to the domain, I need to make sure that some of the current users can use the server. Do I have to give them rights to the server in AD, or do I just map a drive to it.

3) The accounting software will be installed and maintained by an outside company. I need to prohibit them from accessing anything on the current server, but enable them to install SQL and other programs on the new server.

Sorry if my questions are amateurish; this is my first multi-server environment, although I have been building servers for a long time.

Thank You
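An added example, not from the original post, covering the three questions as one procedure: join the server, give existing users access through a group rather than per-user rights, and scope the vendor to the new box only. The design point is that local Administrators on the new server is granted to a dedicated domain group, so the vendor account is an ordinary domain user everywhere else (a domain user needs no special rights to log on to or install SQL on a machine where it is a local admin). All names (contoso.local, ACCT01, OUs, accounts, share path) are placeholders.

```powershell
# Added example (not from the original post). Step 1 runs on the new server as a
# local administrator; step 2 on a DC or RSAT box as a domain admin; step 3 on
# the new server again after the reboot. Names are placeholders.

# --- Step 1 (new server, still in a workgroup): join and reboot ---------------
Add-Computer -DomainName 'contoso.local' `
    -Credential (Get-Credential -Message 'Account allowed to join computers') -Restart

# --- Step 2 (domain side): groups first, then membership --------------------
Import-Module ActiveDirectory
$groupOU = 'OU=Groups,DC=contoso,DC=local'
New-ADGroup -Name 'ACCT01-Users'  -GroupScope Global -GroupCategory Security -Path $groupOU
New-ADGroup -Name 'ACCT01-Admins' -GroupScope Global -GroupCategory Security -Path $groupOU

# Vendor account: plain domain user, expires, and belongs only to ACCT01-Admins.
New-ADUser -Name 'vendor.acct' -SamAccountName 'vendor.acct' `
    -Path 'OU=Vendors,DC=contoso,DC=local' -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString 'Initial vendor password') -ChangePasswordAtLogon $true `
    -AccountExpirationDate (Get-Date).AddMonths(6)
Add-ADGroupMember -Identity 'ACCT01-Admins' -Members 'vendor.acct'
Add-ADGroupMember -Identity 'ACCT01-Users'  -Members 'alice', 'bob'   # existing staff who need the app

# --- Step 3 (new server ACCT01, after joining): local rights and the share ----
# Local admin on this machine only. (Add-LocalGroupMember exists from Server
# 2016 / WMF 5.1; net localgroup works on 2012 as well.)
net localgroup Administrators 'CONTOSO\ACCT01-Admins' /add

# Users reach the server through a share; NTFS and share ACLs use the groups.
New-Item -ItemType Directory -Path 'D:\AcctData' -Force | Out-Null
New-SmbShare -Name 'AcctData' -Path 'D:\AcctData' `
    -FullAccess 'CONTOSO\ACCT01-Admins' -ChangeAccess 'CONTOSO\ACCT01-Users'
$acl = Get-Acl 'D:\AcctData'
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting the drive root's ACL
foreach ($rule in @(
    New-Object System.Security.AccessControl.FileSystemAccessRule('CONTOSO\ACCT01-Admins','FullControl','ContainerInherit,ObjectInherit','None','Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('CONTOSO\ACCT01-Users','Modify','ContainerInherit,ObjectInherit','None','Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators','FullControl','ContainerInherit,ObjectInherit','None','Allow')
)) { $acl.AddAccessRule($rule) }
Set-Acl -Path 'D:\AcctData' -AclObject $acl

# Nothing on the original server references ACCT01-Admins, so the vendor has
# only default domain-user access there. Check that is really the case:
Get-ADPrincipalGroupMembership -Identity 'vendor.acct' | Select-Object Name
```

For question 2, mapping a drive is enough once the user is in ACCT01-Users; no per-user rights on the computer object are needed. If the vendor needs remote access, give it over the VPN or RDP to ACCT01 specifically (the "Allow log on through Remote Desktop Services" right on that host), not a domain-wide right.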
