Hi
Can advise how to diagnostic the secondary DNS is working well when the primary DNS is offline?
I have DC2 which is secondary DNS server but client pc failed to call nslookup when the primary DNS server DC1 is rebooting.
Thanks a lot
Chan
↧
Alternative Secondary DNS Server Requirement
↧
Account Lock
Hi,
Is there a proactive way to know that an account will be lockout after say x attempts. For e.g. we have a lockout policy of 10 bad password attempt, can i write a script know when the BadPassword count reaches say 6 and then we proactive check the cause of the lockouts even before the user gets effected?
Can we write a powershell script to that? if yes, please provide pointers on how we can achieve that.
Regards
↧
↧
Does an AD Schema Extension wipe out Custom AD Attributes
Hi,
I am just about to create a custom attribute in Active Directory using the method below.
http://social.technet.microsoft.com/wiki/contents/articles/20319.how-to-create-a-custom-attribute-in-active-directory.aspx
I have tested this in a lab and it all looks good!
However, I have been asked to confirm that future Schema Extensions will not wipe this new attribute out. My understanding is that Schema Extensions only add attributes...
Is there a Microsoft position on this one? Not sure what the answer is.
Thanks in advance!
Paul
↧
Permission issues for directory services & file services
Hi All,
Basically we have created a test environment; we have created two way trusted for domain1.com and domain2.com. We plan to migrate all the user from domain1.com to domain2.com. We are using ADMT 3.2 to migrate the ad users. We have follow the instruction given by ADMT Doc to migrate users. We found that after migrate the users to domain2.com the user are not able to access file services. Just want to clarify we have migrate the group of users, SID history to new domain2.com.
We wonder is there any step we have missed out? Or anyone have face similar issues like us?
Please comments, if you have any experience can share with us.
Thank You!
↧
Error on users changing passwords "mutual authentication failed . the server's password is out of date at the domain controller".
my apologies if this question has already been raised in this forum before :i have migrated users to domain setup . The DC is running on 2008 server.Everything looked good until the end user passwords started expiring . ALL end users are not able to change the passwords (especially when they have expired ). They are getting an error with the message : " mutual authentication failed . the server's password is out of date at the domain controller".
i am forced to change the users' passwords at the domain controller . To say this has been a real challenge will be an understatement. How do i sort out this problem?
↧
↧
Force Forest Trust to establish between Core DCs
Hi,
The scenario is as follows; 2 forests which require a trust. Network comms only allow Domain Controllers residing in respective data centres to talk yet there are multiple remote sites in each forest.
I am finding that the verification and trust secure channel works intermittently and external network monitoring indicates DCs trying to talk to remote site DCs (which indeed fails).
_msdcs nslookup returns all DCs in 'other' domain and all with same priority and weight (0,100). There is conditional forwarding configured (also tried Stub and Primary Zones with same result). I am suspecting that a round robin / pseudorandom effect is happening that results in timeouts.
How does one establish consistent trust communication between 'bridgehead' domain controllers while ignoring those DCs that are not reachable?
Appropriate ports are open and tested. These are Windows 2008 DCs in Windows 2003 functional level. I have researched DCLocator and AD Site configuration without luck. If we need to change SRV records for ONLY those trust domain requests, how would that be achieved?
Thanks in Advance,
Al
↧
ad user only in one ad group
I have the following question about Active Directory. (Domain and Forest level: Windows Server 2008 R2)
I have created in Active Directory three security groups.
Now I want to add a Active Directory user to only one of these three groups.
The user may only be a member in one of three groups.
It´s not allowed to be a member in two or three groups that a have create.
How can I create this.
↧
Windows 2003 AD upgrade to 2012 R2 AD
Dear all
I would like to ask if I have Windows 2003 SP2 server with domain controller function, want to add a new 2012 R2 domain controller into domain.
Forest level is 2000, domain level is 2000 mix.
What I should prepare?
Do I need to upgrade existing 2003 SP2 to SP4 before upgrade to 2012?
Do I need to upgrade forest level to 2003 before upgrade to 2012?
Do I need to upgrade domain level to 2003 before upgrade to 2012?
thx
Q K
↧
WDC\RODC DFSr Event 5008
Hi all,
I have the following environment:
NetworkA: WDC01 (2012 R2)
NetworkB: RODC01 (2012 R2)
NetworkC: RODC02 (2012 R2)
These three networks are connected by a router. In order to allow communication from RODC01\RODC02 to WDC01 I opened on the firewall the following ports:
- TCP 135
- TCP\UDP 389
- TCP 3268
- TCP 445
- TCP\UDP 53
- TCP 88
- UDP 123
- TCP 5722
- TCP\UDP 464
- TCP 59998-59999 (following this guide to restrict RPC dynamic range (http://support.microsoft.com/kb/224196)
From WDC01 to RODC01\RODC02 the following ports are opened:
- TCP 59998-59999
- TCP 135
- TCP 389
Now, I have fully operational RODCs. I'm able to make login, directory browse and policy update. In any case I have on eventviewer of RODCs the following error:
The DFS Replication service failed to communicate with partner TEST-DC01 for replication group Domain System Volume. This error can occur if the host is unreachable, or if the DFS Replication service is not running on the server. Partner DNS Address: TEST-DC01.xxx.local Optional data if available: Partner WINS Address: TEST-DC01 Partner IP Address: 10.12.0.12 The service will retry the connection periodically. Additional Information: Error: 1722 (The RPC server is unavailable.) Connection ID: 0CC41287-FF36-4D29-AE35-F2595929AA4E Replication Group ID: 8295F003-E783-4BC0-914E-72BC899DA4E8
This event is raised suddenly after 5-30 minutes after restart of the server.
Even though this event, I still able to make replication from WDC to RODC using ActiveDirectory Sites and Services and use other services.
I have the following questions:
- How can I solve this RPC-related error? Dcdiag and repadmin tests went ok.
- It's correct to make the Restrict RPC port tasks on WDC and also on RODC?
- ICMP is necessary between DC and RODC? I missed some ports to open? I followed this guide (https://technet.microsoft.com/en-us/library/dd728028(v=ws.10).aspx)
If you need any additional info on this environment, let me know.
↧
↧
Group Management (IGLDA)
i have a short question about group management in AD. i've read a lot about IGLDA/IGUDLA and while most of it is quite clear, i still wonder whether to use the domain local groups for each and every object i apply permissions to. i understand that i use
the DL groups when assigning permissions to file shares, printers, ... but what about delegating permissions to AD objects like group policies and OUs? do i also use DL groups in that case? or what about groups that i assign specific rights to like local admin
permissions on my workstations or RDP access to specific servers?
all the examples in the various blogs/books/articles only speak about file/printer permission and don't elaborate about permissions in AD itself - so maybe someone can shed some light into this?
all the examples in the various blogs/books/articles only speak about file/printer permission and don't elaborate about permissions in AD itself - so maybe someone can shed some light into this?
↧
User access denied logging in, password reset allows access until next log in.
I have several users that intermittently have issues logging in to their AD accounts. The attempt to log in at the beginning of the day and receive "Access Denied Incorrect username or password"
User account is not locked and does not lock after several attempts (Domain policy is 3 attempts). Resetting the password grants access until they log off again. User accounts are configured to log on to all computers with no "Logon Hours..." restrictions.
This is not a User error as I have sat at their computer and entered the password for them to be denied. I can log in with my standard user account or my admin account with no problems.
Our domain is a functional level of 2003 but I have DCs that are 2003, 2008, 2008 r2, and 2012 r2. I am not showing any replication errors and AD health is good.
I am at a loss for what to check next and internet searches have not turned up anything. Any help would be appreciated.
Thanks in advance,
Paul Norman
↧
Multiple Domain active directory authentication
I have an active domain environment that looks like this.
Domain A Domain A controller in Site 1 Domain B Domain B controller in Site 2
If a user in Site 1 is a member of Domain B. Can the Domain A Domain controller handle the authentication or does the user's request go out to find a domain controller in Domain B? trying to understand how it works.
I guess the question is if we have 2 domains do we need both domain controllers (one for each) at each site?
They are all both global catalog servers and a trust is set up.
I don't know if a user from one domain can authenticate to a different DC.
Thanks
↧
Client Certificate Authentication
Hi guys
I am not sure if this is the right place to ask but here I go. We are trying to find the best option to push client certificates to our user's Mobile Devices so they just log into a website, type their credentials and the user certificated get pushed.
We have implemented Workplace Join, this allows us to use the certificate pushed by ADFS to log into a webapp with the only once, then for some reason (still under investigation) doesn't work anymore.
I have also read about Client Certificate Mapping Authentication with IIS and AD but obviously the Client Certificate has to be in the mobile device in order to accomplish the authentication.
Windows Intune ultimately will do the trick but the idea of this research is to find out what's available in Microsoft platform.
any help would be truly appreciated
Jesus
↧
↧
Active Directory Schema Extension for Directory Synchronization - ADFS 3.0, Office 365
Hi Team,
We are in a situation with extending the schema for one customer so that these additional exchange attributes may be utilized. They have a single data center where the Primary Domain Controller resides and have multiple remote sites each of which have Additional Domain Controllers installed.
As recommended by Microsoft, I am going to extend the Active Directory Schema with Exchange Setup so that I can leverage targetaddress attribute from Local AD to set primary email address when directory synchronization happens.
My Query: Do I have to extend the AD Schema with Exchange from each of these ADC's? Or the changes I make on any of them will replicate over the others also?
Note: The customer will be using ADFS 3.0 'Single Sign On' with Office 365 and does NOT have any On-Premise Exchange deployment.
↧
Query for remote users
Im doing an audit and one part they want to know a list of users who are granted remote access? Is there in Query in AD that I can run if so let me know asap.
thanks,
↧
Sysvol replication between DC Windows Server 2008 R2 and Windows Server 2012 R2.
Hello friends, I am experiencing a problem with Active Directory that can not solve, I've tried everything, or almost everything, researched enough but I found answer.
next:
On the network have a Windows Server 2008 R2 domain controller, installed a Windows Server 2012 R2 virtualized on VMware ESXi (so far nothing too), then installed the Active Directory services, electing this server the additional domain controller.
But, the Sysvol folder and the Netlogon folder, are not replicated and shared on the server running the Active Directory Replication tool Status Tools, is no error found in the Event Viewer also has no replication errors, at least nothing that justifies this behavior, found this article http://support.microsoft.com/kb/3002288 that even makes some sense, but even applying the appropriate updates on both servers, not solved.
Replication of Sysvol and Netlogon no longer use the NTFRS service but the DFS, the Domains System volume replication group is active in the DFS console both servers.
So friends, someone here has gone through this case? How to solve?
Thank U!
next:
On the network have a Windows Server 2008 R2 domain controller, installed a Windows Server 2012 R2 virtualized on VMware ESXi (so far nothing too), then installed the Active Directory services, electing this server the additional domain controller.
But, the Sysvol folder and the Netlogon folder, are not replicated and shared on the server running the Active Directory Replication tool Status Tools, is no error found in the Event Viewer also has no replication errors, at least nothing that justifies this behavior, found this article http://support.microsoft.com/kb/3002288 that even makes some sense, but even applying the appropriate updates on both servers, not solved.
Replication of Sysvol and Netlogon no longer use the NTFRS service but the DFS, the Domains System volume replication group is active in the DFS console both servers.
So friends, someone here has gone through this case? How to solve?
Thank U!
Ivanildo Teixeira Galvão
↧
Restore Domain Controller Server with Snapshot in HyperV
Dear Team,
I have a Domain Controller (Windows Server 2008R2) hosted in my HyperV, and Accidentally its got corrupted and i have a snapshot backup which took 20 days back. when i restore that snapshot, i am unable to establish communication with al other computers those were already added to the domain.
We will highly appreciate if you could let us know how we can resume our AD Server’s communication with other servers.
↧
↧
Active Directory - Users and Computers - Reset Account
In Active Directory Users and Computers, if you right-click a computer object there is an option to "Reset Account". Resetting the computer's account essentially breaks the secure channel connection between the computer and the server. The computer must be rejoined to the domain before it can be allowed to provide access to the domain. Domain users will not even be allowed to log into the computer unless they also have a local account on the machine.
My question: In what scenario would the "Reset Account" option be used on a computer object? I am not asking how to do it. I’m asking why you would do it.
I am inquiring for research purposes only. There are plenty of articles on different ways to reset a computer account but they do not state why or when to do it.
↧
Error durring connect to ADAM with Ldap within a Java Application
Hello Guys,
my name is Chris and i´m new on this board. I searched a while for developing ADAM with java and i found a few tutorials. I made a connection to an Active Directory and it works. For my current project i need a connection to an ADAM.
- I installed an ADAM instance on my local machine (Win 2008 Server SP2)
- I used the same connection code, which i used for the connection on the Active Directory. ( This code works with AD)
LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 2030, v1772
So my questions are:
What ist the correct username and pw for the instance and where can i find it.
How can I change the authentification methods on ADAM Instance.
Is it possible to connect to an ADAM Instance though the server is not in a domain.
I look forward to get some responses :-)
Thanks Chris
my name is Chris and i´m new on this board. I searched a while for developing ADAM with java and i found a few tutorials. I made a connection to an Active Directory and it works. For my current project i need a connection to an ADAM.
- I installed an ADAM instance on my local machine (Win 2008 Server SP2)
- I used the same connection code, which i used for the connection on the Active Directory. ( This code works with AD)
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
public class ActiveDirecoryConnectionMain {
public static void main(String[] args) {
try {
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL,"LDAP://localhost:389"); //replace with your server URL/IP
env.put(Context.SECURITY_AUTHENTICATION,"simple");
env.put(Context.SECURITY_PRINCIPAL,"Administrator@"domainname""); // specify the username env.put(Context.SECURITY_CREDENTIALS, "pwString"); //the password
DirContext ctx = new InitialDirContext(env);
ctx.close();
} catch(NamingException ne) {
System.out.println("Error authenticating user:");
System.out.println(ne.getMessage());
return;
}
//if no exception, the user is already authenticated.
System.out.println("OK, successfully authenticating user");
}
}
Now i tried the code with my ADAM Instance and i get the following error.LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 2030, v1772
So my questions are:
What ist the correct username and pw for the instance and where can i find it.
How can I change the authentification methods on ADAM Instance.
Is it possible to connect to an ADAM Instance though the server is not in a domain.
I look forward to get some responses :-)
Thanks Chris
↧
Newly promoted Domain Controller consuming constantly high CPU in lsass
Hi
We newly promoted a VMware Server........ Windows 2008 R2 to Domain controller fully patched upto date with Microsoft patches and Symantec Endpoint protection 11
Can anybody point me to check which component to find it why lsass is consuming more cpu because we recently promoted many DC's of physical servers which are functioning properly....
Thanks & Regards S.Swaminathan Live & let others live!!!
↧