Channel: Directory Services forum

"This operation has been cancelled due to restrictions in effect on this computer". Two forests and one transitive trust


Hello. I manage one Windows 2003 domain with a trust to a Windows 2008 domain.

The users with the 2008 domain accounts are supposed to (and they do) authenticate when using my workstations. The problem is that the 2008 domain has very restrictive policies, such as no writing on "C:", no access to "CMD", Windows Explorer, etc. This also causes the error "This operation has been cancelled due to restrictions in effect on this computer" when opening some programs on my workstations when using the 2008 domain accounts. I need to override the incoming policy, but since these are two completely different forests, I think "Block Policy inheritance" at my domain policy won't do much.

Any ideas on how to accomplish this?

Thanks and regards

Dave



Repadmin and Outbound Neighbours for Change Notification


Hello.

I have a question regarding repadmin command and the Outbound Neighbors for Change Notification.  In the command "dc1" represents the DC I'm running repadmin against.  If I run the following command

repadmin /showreps dc1 /repsto

I receive the following result

DC=foo,DC=local

site1\dc2 via RPC DSA object GUID: aaaaaaa-aaaaa-aaaaa-aaaaa-aaaaaa Address: aaaaaaa-aaaa-aaaaa-aaaaaa-aaaaaa._msdcs.foo.local WRITEABLE Last attempt @ 2015-02-19 10:37:58 was successful.

My confusion is around the Last attempt field.  This connection object is for the domain partition and I know that changes are occurring on it constantly on the DC dc1, however the Last Attempt field shows a time from several hours ago.  If I go look at the Inbound connection on the partner DC (dc2) that is receiving the change notifications I can see that it is replicating from this DC (dc1) constantly.  I know this because the Last Attempt field for the inbound connection on dc2 is never more than a few seconds old and the OU/PU fields are incrementing constantly.

DC1 and DC2 are in the same site, so replication between them is driven by change notification, not a schedule. 

Shouldn't the Last Attempt field on the Outbound Neighbors for Change Notification be the same or very close to the Last Attempt field on the Inbound Neighbors on the partner DC?

I can understand why the Last Attempt field on Outbound Neighbors for Change Notification would be extremely old if the partition was the config or schema partition. Changes occur on those partitions extremely rarely, and the only replication that occurs would be the scheduled intersite or intrasite replication, which isn't driven by change notification.

Any insight would be appreciated.
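The output quoted above is the kind of thing that is worth parsing rather than eyeballing. The following is an added example, not code from the post or from Microsoft: it turns the partner blocks that `repadmin /showreps <dc> /repsto` prints into objects and flags partners whose last attempt is older than a threshold or did not succeed, using a looser bound for the schema and configuration partitions, which the post already notes rarely change. The sample text is constructed to mirror the layout of the quoted output; the GUIDs, host names and timestamps are made up.

```powershell
function ConvertFrom-RepadminRepsTo {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [string[]] $Text)
    begin   { $lines = @(); $partition = $null; $partner = $null }
    process { $lines += ($Text -split "`r?`n") }
    end {
        foreach ($line in $lines) {
            if ($line -match '^(?:DC|CN)=') {
                # a naming-context header starts a new group of partners
                $partition = $line.Trim()
            }
            elseif ($line -match '^\s*(?<site>[^\\\s]+)\\(?<dc>\S+) via (?<transport>\S+)') {
                if ($partner) { $partner }          # emit the previous partner
                $partner = [pscustomobject]@{
                    Partition   = $partition
                    Site        = $Matches.site
                    Partner     = $Matches.dc
                    Transport   = $Matches.transport
                    LastAttempt = $null
                    Result      = $null
                }
            }
            elseif ($partner -and $line -match 'Last attempt @ (?<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) was (?<result>\w+)') {
                $partner.LastAttempt = [datetime]::ParseExact($Matches.when, 'yyyy-MM-dd HH:mm:ss', $null)
                $partner.Result      = $Matches.result
            }
        }
        if ($partner) { $partner }
    }
}

function Select-StalePartner {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Neighbor,
        [timespan] $MaxAge = (New-TimeSpan -Hours 1),
        [datetime] $Now    = (Get-Date)
    )
    process {
        # schema/config legitimately go days without a change; the domain NC should not
        $limit = if ($Neighbor.Partition -match '^CN=(Schema|Configuration)') { New-TimeSpan -Days 7 } else { $MaxAge }
        if ($Neighbor.Result -ne 'successful' -or -not $Neighbor.LastAttempt -or ($Now - $Neighbor.LastAttempt) -gt $limit) {
            $Neighbor
        }
    }
}

# Constructed sample in the same layout as the post's output (GUIDs, names, times made up)
$sample = @'
==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

DC=foo,DC=local
    site1\dc2 via RPC
        DSA object GUID: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
        Address: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa._msdcs.foo.local
        WRITEABLE
        Last attempt @ 2015-02-19 10:37:58 was successful.

CN=Configuration,DC=foo,DC=local
    site1\dc2 via RPC
        DSA object GUID: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
        Address: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa._msdcs.foo.local
        WRITEABLE
        Last attempt @ 2015-02-16 08:12:40 was successful.
'@

# With the clock pinned to 15:00 on the 19th, only the domain-partition partner is reported
$sample | ConvertFrom-RepadminRepsTo | Select-StalePartner -Now ([datetime]'2015-02-19 15:00:00') | Format-Table

# Live use on a DC:
#   repadmin /showreps dc1 /repsto | ConvertFrom-RepadminRepsTo | Select-StalePartner
```

The parser keys on the `site\dc via transport` line and the `Last attempt @` line and ignores the GUID and address lines, so it works equally on the inbound (`repadmin /showreps` without `/repsto`) listing, which is what you would compare against on the partner DC.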

Seizing FSMO from offline 2008 server to 2003 server


Hi All,

Please help me to resolve the below issue in my environment!

We have two domain controllers in my environment: the 2008 server is the PDC and the 2003 server is an ADC, but unfortunately the 2008 server had some issue and went offline. If I try to bring it online, all client systems drop off the domain, so kindly help me to solve the issue.

Shall I seize the roles from the offline server to the online 2003 server?

Note:

All roles reside on the 2008 server.

Thanks,

Ranjith Kumar M


ranjith
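For reference, the mechanics of a seizure onto a 2003 DC, as an added example that is not part of the post or of Microsoft's documentation. The host names are assumptions. Seizure is one-way: once the roles are seized, the old holder must never be connected to the network again; it has to be rebuilt from scratch and its metadata cleaned out of the directory.

```powershell
# Run on the surviving, online DC as a Domain/Enterprise Admin.
$survivor = 'DC2003'   # assumed name of the online 2003 DC

# ntdsutil takes its interactive commands as separate quoted arguments.
# Each "seize" first attempts a normal transfer and only seizes when the
# current holder cannot be reached; each one pops a Yes/No confirmation.
# (ntdsutil on 2008 and later spells the second command "seize naming master".)
ntdsutil 'roles' 'connections' "connect to server $survivor" 'quit' `
    'seize schema master' `
    'seize domain naming master' `
    'seize infrastructure master' `
    'seize RID master' `
    'seize PDC' `
    'quit' 'quit'

# Verify: every query must return the survivor's DN (dsquery ships on 2003 DCs).
foreach ($role in 'schema', 'name', 'infr', 'rid', 'pdc') {
    "$role : " + (dsquery server -hasfsmo $role)
}
```

Afterwards, remove the dead DC's NTDS Settings object with ntdsutil's `metadata cleanup` (`remove selected server <server DN>`), delete its DNS records, and, because the PDC emulator is the domain's time source, point w32tm on the survivor at a reliable external source.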

Old, no longer used IUSR_oldserver


Can these be deleted from AD?

IUSR_oldservername

Thx !


Steven J Einhorn

Domain setup for 2012


I am working in Microsoft Windows Server 2012. I have made a Domain Controller for my first forest, "mysite.com", using the "ADDS Configuration Wizard".

Now I want to create a new domain in mysite.com as domain1.mysite.com using the same wizard, using the second option.

I run through (see bottom for PS) and make it all the way to "Prerequisites Check" and I get this error:

"Verification of prerequisites for Domain Controller promotion failed. The specified argument 'ChildName' was not recognized."

Here is my PS code:

#
# Windows PowerShell script for AD DS Deployment
#
# Promotes this server to the first DC of the new child domain
# domain1.mysite.com under the existing forest root mysite.com.
# The account running it must be an Enterprise Admin of mysite.com,
# or such an account must be supplied with -Credential (Get-Credential);
# the DSRM password (-SafeModeAdministratorPassword) is prompted for
# when it is not given.
#

Import-Module ADDSDeployment
Install-ADDSDomain `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$true `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2012" `
-DomainType "ChildDomain" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NewDomainName "domain1" `
-NewDomainNetbiosName "DOMAIN1" `
-ParentDomainName "mysite.com" `
-NoRebootOnCompletion:$false `
-SiteName "Default-First-Site-Name" `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true

Best Practices - Active Directory and Domain Controllers for Public / Internet Facing


Hi All,

I am looking for some ideas and steps to make my AD domain public / Internet facing. I appreciate your help in advance.


Regards, Prabhu

Naming information cannot be located


Hi All,

I have two domain controllers in my environment: server 1 holds the Schema and Domain Naming master roles, and server 2 holds the PDC, RID and Infrastructure master roles. Suddenly I got the following error on server 2 when I tried to open Active Directory Users and Computers.

Note:

Both servers are Windows Server 2008 R2.

Please find the error below and help me to solve the issue ASAP:

Naming information cannot be located for the following reason: The server is not operational.

If you are trying to connect to a domain controller running Windows 2000, verify that Windows 2000 Service Pack 3 or later is installed on the DC, or use the Windows 2000 administrator tools.

Thanks


ranjith

Group Policy


Why would our engineer who is managing our Group Policy not want to add a Group Policy to remove computers that have not been connected to the network after 60 days? Why leave computers on the domain, active, that are not being used?
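There is no Group Policy setting that removes stale computer accounts; the usual way is a scheduled script against the directory. The following is an added example, not code from the post: it reports computer accounts that have not authenticated for a given number of days and disables and quarantines them rather than deleting them, so a mistaken hit can be reversed. It needs the ActiveDirectory module (RSAT); the quarantine OU and the 60-day figure are assumptions.

```powershell
Import-Module ActiveDirectory

function Get-InactiveComputer {
    param(
        [int]    $Days       = 60,
        [string] $SearchBase = (Get-ADDomain).DistinguishedName
    )
    # lastLogonTimestamp replicates, but a DC only rewrites it when the stored
    # value is older than msDS-LogonTimeSyncInterval (14 days by default), so it
    # can lag real activity by up to two weeks: fine for 60 days, too coarse for 7.
    $cutoff = (Get-Date).AddDays(-$Days).ToFileTime()
    # primaryGroupID 516 is "Domain Controllers"; never sweep DCs up with workstations
    Get-ADComputer -SearchBase $SearchBase `
        -Properties LastLogonTimeStamp, OperatingSystem, whenCreated `
        -Filter { Enabled -eq $true -and LastLogonTimeStamp -lt $cutoff -and PrimaryGroupID -ne 516 } |
        ForEach-Object {
            [pscustomobject]@{
                Name              = $_.Name
                OperatingSystem   = $_.OperatingSystem
                LastLogon         = [datetime]::FromFileTime($_.LastLogonTimeStamp)
                Created           = $_.whenCreated
                DistinguishedName = $_.DistinguishedName
            }
        }
}

function Disable-InactiveComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [string] $QuarantineOU = 'OU=Quarantine,OU=Computers,DC=example,DC=com'   # assumed
    )
    process {
        # -WhatIf on this function flows down to the three AD cmdlets below
        if ($PSCmdlet.ShouldProcess($Computer.Name, "disable and move to $QuarantineOU")) {
            $note = "Disabled $(Get-Date -Format yyyy-MM-dd) by stale-computer cleanup; last logon $($Computer.LastLogon.ToString('yyyy-MM-dd'))"
            Set-ADComputer    -Identity $Computer.DistinguishedName -Description $note
            Disable-ADAccount -Identity $Computer.DistinguishedName
            Move-ADObject     -Identity $Computer.DistinguishedName -TargetPath $QuarantineOU
        }
    }
}

# Report first; the -WhatIf pass shows what would be touched without changing anything.
Get-InactiveComputer -Days 60 | Format-Table Name, OperatingSystem, LastLogon -AutoSize
Get-InactiveComputer -Days 60 | Disable-InactiveComputer -WhatIf
```

Disabling first and deleting from the quarantine OU after a further grace period keeps the account's SID and group memberships recoverable; deleting outright means a machine that was merely powered off for two months has to be re-joined.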


SYSvol folders duplicating after issue with FRS (xxxx_NTFRS_yyyy)


Server 2008 R2

History

On Jan 5, we experienced an issue with a domain controller. It was not hosting the NETLOGON share. Only after confirming NETLOGON was working on another DC, we set BurFlags to D2 to pull NETLOGON from the other DC. That appeared to resolve the issue.

Issue

Now we are seeing the sysvol\domain\ folder filling up (9000+ folders, currently at 20GB and growing), from 1/5/15 to 2/14/15.
Folders are named such as "scripts_NTFRS_a5785e07_NTFRS_407f3555", "Policies_NTFRS_abcf63bd" and "ClientAgent_NTFRS_938ff2e2_NTFRS_4065f336". The latest of these folders are timestamped 2/14/15 5:18am.

It DOES have the expected folders "Policies" and "ClientAgent"; these are timestamped 2/14/15 5:19am.

These repeat and appear to have the same information.

This has replicated to all (2) domain controllers in the environment.

Is it safe to delete these xxxx_NTFRS_yyyy folders? Or what is the best way to resolve this? We need assistance quickly, as we are approaching 15% free space on the system volume.

Thanks,

John Woodall
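The `_NTFRS_<hex>` names are FRS "morphed" folders, which FRS creates when the same folder name is created independently on two replicas and it has to keep both. Before anything is deleted it is worth knowing how much space they take and whether a given morphed folder really is a byte-for-byte copy of its original. The following is an added example, not code from the post, written for PowerShell 2.0 so it runs on an unmodified 2008 R2 DC; the SYSVOL path is the default and an assumption.

```powershell
function Get-MorphedFolder {
    param([string] $Root = "$env:SystemRoot\SYSVOL\domain")
    Get-ChildItem -Path $Root -Recurse -Force |
        Where-Object { $_.PSIsContainer -and $_.Name -match '_NTFRS_' } |
        ForEach-Object {
            $dir = $_
            # strip one or more "_NTFRS_xxxxxxxx" suffixes to recover the original name
            $origName = $dir.Name -replace '(_NTFRS_[0-9a-fA-F]{8})+$', ''
            $original = Join-Path $dir.Parent.FullName $origName
            $bytes = (Get-ChildItem -LiteralPath $dir.FullName -Recurse -Force -ErrorAction SilentlyContinue |
                      Where-Object { -not $_.PSIsContainer } | Measure-Object Length -Sum).Sum
            New-Object PSObject -Property @{
                Morphed        = $dir.FullName
                Original       = $original
                OriginalExists = (Test-Path -LiteralPath $original)
                SizeMB         = [math]::Round(([double]$bytes / 1MB), 1)
                LastWrite      = $dir.LastWriteTime
            }
        }
}

function Get-FolderHashes {
    # relative path -> SHA-256 of every file under $Path
    param([string] $Path)
    $root  = (Get-Item -LiteralPath $Path).FullName.TrimEnd('\')
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $table = @{}
    Get-ChildItem -LiteralPath $root -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $rel    = $_.FullName.Substring($root.Length + 1)
            $stream = [System.IO.File]::OpenRead($_.FullName)
            try     { $table[$rel] = [BitConverter]::ToString($sha.ComputeHash($stream)) }
            finally { $stream.Close() }
        }
    $table
}

function Test-SameContent {
    # $true only when both trees hold exactly the same files with the same content
    param([string] $Original, [string] $Morphed)
    $a = Get-FolderHashes $Original
    $b = Get-FolderHashes $Morphed
    if ($a.Count -ne $b.Count) { return $false }
    foreach ($rel in $a.Keys) { if ($b[$rel] -ne $a[$rel]) { return $false } }
    return $true
}

# Inventory, largest first
$morphed = Get-MorphedFolder
$morphed | Sort-Object SizeMB -Descending | Format-Table Morphed, OriginalExists, SizeMB, LastWrite -AutoSize

# Spot-check one pair before deciding anything about the rest
$pair = $morphed | Where-Object { $_.OriginalExists } | Select-Object -First 1
if ($pair) { "{0} duplicates {1}: {2}" -f $pair.Morphed, $pair.Original, (Test-SameContent $pair.Original $pair.Morphed) }
```

A morphed folder that itself contains further `_NTFRS_` children will not compare equal to its original even if every GPO file inside matches, which is exactly the case the inventory's nesting shows; compare the Policies subtrees individually if that happens.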

Block OWA and OWA App for 365 Users via ADFS 2012 R2


We are currently in the process of migrating to Office 365 alongside our Exchange 2010 environment in Hybrid mode. We have DirSync in place as well as Single Sign-On via ADFS 2012 R2 with Proxy. This all works as expected, but we need to lock down external access to OWA and the OWA App for iPhone/iPad/Android while leaving ActiveSync working, as well as Outlook Anywhere, for all 365 mailbox users.

I found this article:

https://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx#build

This is almost what we need, but there is no mention of Outlook Anywhere, so I'm sure that unless your machine falls into the IP range you create for internal users it will block your access.

Is there any way around this?

If not, is there any other way to block OWA and the OWA App for iPhone/iPad/Android for external 365 users?

Thanks,

Alastair.

_msdcs delegation name servers


Hi all,

We have a single forest with a single domain. I've found a strange thing in our DNS at the _msdcs delegation (Windows Server 2008 R2 domain controllers). When I look at the Name Servers tab, I can see that the DCs are listed with their NetBIOS name, not with the FQDN. Will it cause any problems? The IPs are resolved fine in the properties of _msdcs.

Thank you,

Dvijne

Replicating AD


Is it possible, when replicating AD, to pull certain groups or users instead of the whole directory at once?

How to run gpupdate /force on a remote computer?


How to run gpupdate /force on a remote computer?

(Without PsExec)


Thanks Biswajit
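Two ways to do this from a management workstation, as an added example that is not part of the post. The computer names are assumptions.

```powershell
$computers = 'PC01', 'PC02'   # assumed

# 1) Invoke-GPUpdate (GroupPolicy module: Server 2012 / RSAT for Windows 8 and later).
#    It schedules gpupdate on the target through the Task Scheduler, so the target's
#    firewall must allow the Remote Scheduled Tasks Management and RPC rules, the
#    same ones the GPMC "Group Policy Update..." right-click depends on.
Import-Module GroupPolicy
foreach ($c in $computers) {
    Invoke-GPUpdate -Computer $c -Force -RandomDelayInMinutes 0 -ErrorAction Continue
}

# 2) PowerShell remoting (WinRM). gpupdate runs inside the remote session, so its
#    user half would apply to the remoting account, not to whoever is logged on at
#    the console; restrict it to the computer half and bring the result back.
$results = Invoke-Command -ComputerName $computers -ErrorAction Continue -ScriptBlock {
    $out = & gpupdate.exe /force /target:computer 2>&1
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Success  = ($LASTEXITCODE -eq 0)
        Output   = ($out | Out-String).Trim()
    }
}
$results | Format-Table Computer, Success -AutoSize
```

Invoke-GPUpdate is the one to use when the point is refreshing the logged-on users' policy as well; the remoting form is the one to use when you need the exit status back in a script.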

Computer not recognizing membership in group


Hello,

In my active directory, I have a group called "TestComputers". I have a domain computer called "Computer1" that is a member of this group.

On that computer, when I run GPUpdate and then GPResult, under "The computer is part of the following security groups" it does not show this group. However, it DOES show this group under "The user is part of the following security groups".

Why is it associating the user with the group instead of the computer with the group? The computer recognizes that it is part of other built-in computer groups such as "Domain Computers".
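The check a practitioner would run here, as an added example that is not part of the post: ask the directory which object of that name is actually in the group (and of which objectClass), whether the computer account's own memberOf lists it, and then refresh the machine's token, since the group SIDs GPResult lists for the computer come from the machine account's Kerberos ticket obtained at boot. It needs the ActiveDirectory module; the names are the ones from the post.

```powershell
Import-Module ActiveDirectory

function Test-ComputerGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    # The computer account's sAMAccountName is "Computer1$"; a user or group called
    # "Computer1" is a different object, and Get-ADComputer only resolves the former.
    $computer = Get-ADComputer -Identity $ComputerName -Properties memberOf
    $group    = Get-ADGroup    -Identity $GroupName
    $members  = Get-ADGroupMember -Identity $group |
                Select-Object Name, objectClass, SamAccountName, distinguishedName

    [pscustomobject]@{
        ComputerDN       = $computer.DistinguishedName
        ComputerSam      = $computer.SamAccountName
        GroupScope       = $group.GroupScope
        ComputerIsMember = [bool]($computer.memberOf -contains $group.DistinguishedName)
        # whatever in the group carries that name, with its objectClass, so a user
        # account that happens to be called Computer1 stands out
        SameNameInGroup  = @($members | Where-Object { $_.Name -eq $ComputerName })
        MemberCount      = @($members).Count
    }
}

Test-ComputerGroupMembership -ComputerName 'Computer1' -GroupName 'TestComputers' | Format-List

# On Computer1 itself, after the membership is confirmed in AD: either reboot, or
# purge the SYSTEM logon session's tickets (LUID 0x3e7) so the machine gets a new
# TGT with the new group SID, then refresh and re-check the computer scope.
#   klist -li 0x3e7 purge
#   gpupdate /force /target:computer
#   gpresult /scope computer /r
```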

Raise the Forest functional level


I am running one Domain Controller on Windows Server 2012 R2 Datacenter. Right now both the forest functional level and the domain functional level are at Server 2003. I want to raise both the forest functional level and the domain functional level to Server 2008 R2.

Question: Do I need to update the Schema before I try to raise the forest functional level or before I try to raise the domain functional level?

Question: Once I raise both the forest and domain functional levels to Server 2008 R2, is it best not to move past that point to Server 2012 R2? I only have one Domain Controller in the domain.


Van R. Johnson


Network Drives Mapping Issue


Hello Everyone,

For 10 days we have been facing a very unusual issue. A user in my company is not able to map shared drives on his Windows 7 laptop.

There are 6 Windows 7 workstations, each having a share on its C drive: C:\ABC\xxx_share. These folders have "Everyone" on both the share and the security permissions.

\machine1\xxx_share (using a single slash instead of a double slash here because it's not letting me post links here)
\machine2\xxx_share
\machine3\xxx_share
\machine4\xxx_share
\machine5\xxx_share
\machine6\xxx_share

When we try accessing \machine1\c$, nothing comes up.

We have tried mapping through the IP address.
We have tried forcing the mapping through CMD.
We checked the firewall; everything is off.
I have directly added the user to all 6 folders, but the user is still not able to map them.

We are not able to diagnose what the issue can be here.

The machine is pingable and we were able to RDP to it a couple of days back, but now even the machines are not accessible.

I would request your help.

Thanks
Metal Musician

Migrating Active Directory

Is it possible to migrate AD from Windows Server 2003 to Windows Server 2012 R2?

User Folders in a Parent / Child Domain Structure


Hi, I have a forest set up with a parent and 3 child domains. We have a DFS share set up for home folders. I used Group Policy to create the users' share folders, map the drive, and set up folder redirection.

Each user has a separate ID for each domain. The desire is for each user to be able to use the same \\parent.com\home\%logonuser% share path from each domain in order to access files from any domain, and have privacy from other users doing so.

The problem I have is, after "child1\JohnD" signs into a workstation on domain CHILD1.com, his folder is created at "\\parent.com\home\JohnD" and mapped. But if child2\JohnD then signs into domain CHILD2.com, he does not have permissions to map the drive.

I realize why, but I'm wondering if anyone can think of a way to change this setup so that parent\JohnD and child1\2\3\JohnD all have rights to map and use the same home folder.

Having domain-specific home folders has been shot down.

Giving all shares EVERYONE access has been shot down.

Open to other suggestions. Thanks! -Matt There's no place like 127.0.0.1




Safe range to limit dynamic ports for AD


What is the safe range for limiting dynamic ports for AD? The minimum is 255, but what is the safest range, say 500-1000, if we have to give a number?
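What is usually done in practice, as an added example that is not part of the post: pin the two AD services that would otherwise take a random port (the NTDS RPC endpoint and Netlogon) to fixed ports, and shrink the ephemeral range everything else draws from, so the firewall rules in front of the DCs can be enumerated. The port numbers are assumptions; keep the fixed ports outside the dynamic range so the endpoint mapper cannot hand them to another service. Run elevated on each DC; the two registry values take effect after NTDS and Netlogon restart, in practice a reboot.

```powershell
$ntdsPort     = 38901   # assumed: directory replication / NTDS RPC endpoint
$netlogonPort = 38902   # assumed: Netlogon RPC endpoint (secure channel, trusts)
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
    -Name 'TCP/IP Port' -Value $ntdsPort -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -Name 'DCTcpipPort' -Value $netlogonPort -Type DWord

# Dynamic range for every other RPC endpoint. netsh refuses num < 255; size it for
# the busiest DC (DFSR, WMI, remote administration and the rest all allocate from
# it) rather than for the minimum, and set all four stack/protocol combinations.
$start = 49152; $count = 1024   # assumed: 49152-50175
foreach ($stack in 'ipv4', 'ipv6') {
    foreach ($proto in 'tcp', 'udp') {
        netsh int $stack set dynamicport $proto "start=$start" "num=$count"
    }
}

# Verify what is now configured.
netsh int ipv4 show dynamicport tcp
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'     -Name 'TCP/IP Port'
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name 'DCTcpipPort'
```

The resulting firewall rule set for a DC is then the well-known ports (53, 88, 135, 389, 445, 464, 636, 3268/3269) plus the two fixed ports and the one contiguous dynamic range, instead of the whole 49152-65535 default.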

W32tm / query /source issue


Hi

I'm trying to use "w32tm" to check on our servers here and I'm seeing the following problem with some (not all) of our servers and can't seem to find out why. Here are the commands:

w32tm /query /verbose /computer:server1 /status

w32tm /query /computer:server1 /source
The following error occurred: The procedure number is out of range.
(0x800706D1)

but other machines are fine. Any ideas what I should check here?

Also, this issue is occurring only for Windows 2003 Server DCs.
