Channel: Directory Services forum

One Forest or Forest Trusts


Hi, hoping for some answers from some Microsoft gurus.

Scenario: 8 sites dispersed across the country, currently no AD/domain/forest. Phase 1 will be to build an AD environment for each site; phase 2 will be to centralise administration, potentially 48 months down the line, using WAN links.

I need the best solution.

I have come up with the following options, correct me if I’m wrong.

Option 1 (preferred): create 8 disparate sites, each made up of a single forest, a single domain and dual domain controllers (PDC and BDC). Phase 2 will be to establish two-way transitive forest trust links between all forests once WAN links have been established.

Option 2: create 8 sites as members of one forest, then disperse them to the 8 different sites; when WAN links are established, centralised administration will be possible.

- My concern with this option is the constant generation of comms errors etc. with other members of the forest whilst no WAN links are in place. I'm also concerned that a lot could change in 48 months and forest links may not establish correctly with the WAN links being re-established.

Option 3: have I got an option 3?

Thanks in advance!

Regards,

Rhys


Delegate unlocking accounts on server 2003


I need to delegate unlocking a specific account which I have allocated to its own group. I've created a group containing the users that will have this ability.

I think I need to create a custom task when actually creating the delegation, but I can't seem to find the correct object to include. Server 2000 instructions mention lockoutTime, which I cannot find on the Server 2003 AD delegation window.

Thanks.

BitLocker Schema Update Windows 2003 R2 SP2


Hi All,

We are having a problem with implementing BitLocker to store the recovery information in AD.

We are following this MS paper (http://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx)

We did the following steps:

  • We extended our schema for the support of BitLocker.
  • We verified that the BitLocker objects exist in the schema after the update:

CN=ms-FVE-RecoveryGuid

CN=ms-FVE-RecoveryInformation

CN=ms-FVE-RecoveryPassword

CN=ms-FVE-VolumeGuid

CN=ms-TPM-OwnerInformation

  • We ran the ACE script (Add-TPMSelfWriteACE.vbs) to give the computer object (Self) rights to write info to the ms-TPM-OwnerInformation attribute.
  • We verified that the ACEs were set correctly.
  • Created a GPO to store the recovery information in AD.
  • Verified that the GPO was pushed to the clients.

Still we are not able to get BitLocker to write the recovery info into AD.

One strange thing we see is that after the schema update all computers have the "ms-TPM-OwnerInformation" attribute, but we don't see the other attributes on a computer object, like:

CN=ms-FVE-RecoveryGuid

CN=ms-FVE-RecoveryInformation

CN=ms-FVE-RecoveryPassword

CN=ms-FVE-VolumeGuid

But when we look into the schema itself we see the objects are there.

Does anyone have an idea?


Should I create a new GPO for a domain password policy


Hello guys and thanks for your time and expertise.

My domain/forest functional level is Server 2003; hoping to go to 2008 but I never seem to have the time.

I've been tasked with creating a domain password policy that should apply to all users in the domain. My first question is: should I configure this in the Default Domain Policy? Is that considered best practice, or should I create another dedicated password policy GPO, link that to the domain node and make it #1 in the link order so it applies after the Default Domain Policy?

My second question is: will this domain policy affect local accounts such as a local administrator account on a server? If that's the case, I guess I should block inheritance on my server OUs.

Anyway - your recommendations and advice are greatly appreciated.

Unable to create child domain


I've an existing W2008R2 domain, and I'm trying to create a new child domain using W2012 Std. The new server is on a remote subnet, connected via WAN, without any firewall or security filter. It can connect to the existing domain controllers (ping, network shares and so on; all work).

I start the wizard, and it confirms that the environment is OK. Then it stalls when working on "Active Directory synchronizing". It reports a series of 1963/1961/2839/1962/1125 event ID errors, then after a while it starts reporting the same series again (it loops to check if the problems are solved, I think).

I cannot find any way to understand why it cannot complete the dcpromo.

Any idea?

Thanks

Computers not getting AD site configuration


Site A: writable DCs. Working fine.

Site B: two RODCs. Computers in this site are not recognizing their site.

I have applied some site-level group policies but they are not getting applied. In my troubleshooting I have found site computers are not getting any AD site information. The two RODCs show correct site information, but the other computers in the same subnet are not receiving that information. I have double-checked the IP subnet-to-site association in AD-SS.

I am getting the below error when I run nltest /dsgetsite:

Getting DC name failed: Status = 1919 0x77F ERROR_NO_SITENAME

Despite adding both Site B user and computer AD accounts into the "Allow RODC Replication Group", they are getting authenticated to writable DCs in Site A. All DNS zones contain proper RODC records for gc, kerberos and ldap. I do not have any authentication problems. Replication is fine.

Any suggestions on where else to look?


how could I search AD object by ldap query using CN

How could I search for an AD object by LDAP query using the CN value?

Win2003 x32 and 2008 R2 x64 with AD synced is not providing redundancy--instead doubling downtime.


My goal is to provide redundancy. I did not set up the network this way: the last company was in the process of eliminating DC1 and moving to DC2 the year before I was hired (they had been with us a year and were changing things from the way the original IT guy configured them). The two issues preventing me from eliminating DC1 are some old databases on DC1, and the fact that I want redundancy (in worst-case scenarios, such as tombstone, I can replicate with DC1). DC1 is Windows Server 2003 32-bit and is the Schema Master. DC2 is Windows Server 2008 R2 64-bit and fulfills all other FSMO roles. Right now, these servers are not providing redundancy, even though AD is replicating fine.

When DC2 is down, no one can log on (including thin clients; there is a separate terminal server, but DC2 has all of the licenses), even though AD replicates fine between DC1 and DC2.

When DC1 is down, no one can access Webmail & possibly other things, but can log in, even though that is on an Exchange server. The user gets this error page in their browser:

Outlook Web App didn't initialize. If the problem continues, please contact your helpdesk.
The Microsoft Exchange Active Directory Topology service on server localhost did not return any suitable domain controllers.


Request
Url: https://mail.my-fca.com:443/owa/auth/error.aspx?url=https://mail.my-fca.com/owa/&reason=0
User host address: 72.78.200.24
OWA version: 14.0.722.0

Exception
Exception type: Microsoft.Exchange.Clients.Owa.Core.OwaInvalidConfigurationException
Exception message: The Microsoft Exchange Active Directory Topology service on server localhost did not return any suitable domain controllers.

Call stack
Microsoft.Exchange.Clients.Owa.Core.OwaConfigurationManager.CreateAndLoadConfigurationManager()
Microsoft.Exchange.Clients.Owa.Core.Globals.InitializeApplication()
Microsoft.Exchange.Clients.Owa.Core.Global.ExecuteApplicationStart(Object sender, EventArgs e)

Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.NoSuitableServerFoundException
Exception message: The Microsoft Exchange Active Directory Topology service on server localhost did not return any suitable domain controllers.

Call stack
Microsoft.Exchange.Data.Directory.DSAccessTopologyProvider.GetConfigDCInfo(Boolean throwOnFailure)
Microsoft.Exchange.Data.Directory.TopologyProvider.PopulateConfigNamingContexts()
Microsoft.Exchange.Data.Directory.ADSession.GetConfigurationNamingContext()
Microsoft.Exchange.Data.Directory.SystemConfiguration.ADSystemConfigurationSession.GetRootOrgContainerId(String fqdn, NetworkCredential credential)
Microsoft.Exchange.Clients.Owa.Core.Utilities.CreateADSystemConfigurationSessionScopedToFirstOrg(Boolean readOnly, ConsistencyMode consistencyMode)
Microsoft.Exchange.Clients.Owa.Core.OwaConfigurationManager.InitializeConfigurationManager()
Microsoft.Exchange.Clients.Owa.Core.OwaConfigurationManager.CreateAndLoadConfigurationManager()

unable to access server after upgrade to Server2008 R2


I upgraded a 2003 R2 Enterprise server, a single domain controller in its own forest (in a nutshell, one machine in the whole forest). Before the upgrade I could ping it and remote desktop to it. Everything worked fine.

After I upgraded to Windows 2008 R2 Server, I cannot see or ping it. Timeout is all I get.

Firewall is OFF, service = disabled.

DNS Client, Function Discovery Resource Publication, SSDP Discovery, and UPnP Device Host services are running.

NIC driver up to date. From the server I can go out and ping anything successfully. From the LAN I cannot do anything.


David

Issues with members of account operators group in Active Directory inability to reset their own password


All:

There is a subset of users that belong to a security group that cannot reset their own password. This security group is a member of Account Operators. They can reset passwords for other users, but not their own. The accounts exist in the Users container, in which they can reset other users' passwords through ADUC. When they log on to a workstation and try to reset their password they receive "Windows Cannot Change Password because Access is Denied". Any help is greatly appreciated.

Browse groups over trusts.


I'm trying to have a trust between domain A and B, but only using an RODC in Domain B.

Domain B trusts A.
The RODC for Domain A has full firewall port access to RW DCs in Domain A.

In domain A, there's a site containing all subnets in Domain B. The RODC belonging to Domain A is placed on a subnet in Domain B.

When logging on to a server in Domain B with a Domain A account, it works well.
Running NLTEST /DSGETDC:DomainA, the answer points me to the RODC.

All well, but:

When trying on the member server to add groups from Domain A to local groups, it tries to communicate with the RW DCs in Domain A.
That will fail because it is blocked in the firewall.

Is this by design?
Is there an article describing this?

Regards

Anders

How Password Sync


Hi there,

We have 2 domains and want to push the passwords from the first domain to the second domain,

so that the users have the same username and password on the second domain.

How can we do that?
Can we arrange it with a domain trust?

Also, if the password is changed in the first domain, it will also be changed in the second.

Thanks

LDAP Client Sessions


Hi

I have several DCs with "LDAP Client Sessions" above 100 and I'd like to know:

1) How can I know where those sessions come from?

2) How can I reset or log off those sessions?

Thank you very much!

Alberto

LDAP Modify DN, ERROR: Access is denied insufficient rights


I need to modify the DN of an OU I have created on my PDC. Using LDP.exe, I connect and bind using current logon credentials. When I attempt to modify the DN of the OU, I receive the following error:

0x32 = ldap_rename_ext_s(ld, OU=Emerald Inc.,DC=********,DC=com, O=Emerald Inc., L=Ottawa,S=Ontario,C=Canada, TRUE, svrCtrls, ClntCtrls)
Server error: 00000005: SecErr: DSID-0315203B, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Error 0x5 Access is denied.
Error: ModifyRDN: Insufficient Rights. <50>
Server error: 00000005: SecErr: DSID-0315203B, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Error 0x5 Access is denied.

I have gone into Active Directory Users and Computers, and delegated control (temporarily) to allow everyone full and complete access, but still receive this error.

What do I have to do?

Logon information of service accounts



Hi,

An account cleanup process is going on in our system, so we are disabling those accounts that haven't logged in for the last 395 days. We are fetching logon information from lastLogonTimestamp in AD.

We are facing a problem with service accounts, because a service account can't log in to the system; a service account can only start or stop the service, so lastLogonTimestamp can't be updated for these accounts. Can anyone guide me on how I can filter the unused service accounts in AD?

Thanks in Advance

Abhishek


What the Directory Services Group is for

This Directory Services group is intended for questions and discussions on the identity features contained within Windows Server, including Active Directory, ADAM, Infocard, etc.

Posts widely off topic may be moved to a better location to ensure answers to questions or to better direct the conversation.

Create Account for Select Users to Install Programs


We are outsourcing some of our IT to a local company and I'd like to allow a few select users to have the ability to install plug-ins or software on end-users machines without having to contact an expensive helpdesk.

What kind of account can I create that will allow users to install software on Domain Computers but not be a full admin account?

Thanks,
Joe K.

Need DNS server to respond to queries from a workstation in a different subnet with the correct IP of the multi-homed DC


Hello,

Here is my environment:

- Multi-homed DC/DNS server (I know this is not recommended, but there is no way around it to meet the requirements of the system). There is what I will call the "normal" connection over which the server serves clients (192.168.1.100), and the "management" connection for remote management and logging (192.168.10.100).

- Round robin is turned off on the DC/DNS server, so that clients on the 192.168.1.0/24 subnet receive the 192.168.1.100 address for the server when they query the DNS.

- I have a workstation outside a routed firewall; its address is 192.168.50.10. There is no NAT on the firewall (the NAT screws up the DNS records, and the workstation could not join the domain unless NAT was off). Since it is not on the 192.168.1.0/24 subnet, turning off round robin doesn't seem to help make sure that this workstation receives the 192.168.1.100 address for the server when querying the DNS. My firewall logs show the machine attempting to communicate with the 192.168.10.100 address, which is not allowed by the ACLs. Nslookup on the workstation returns both entries, but their order is random (not consistent).

- This is a disconnected system without a distributed AD hierarchy (everything is in the lab.local domain).

How can I set up the DNS server such that it will respond to DNS queries from the workstation with the correct IP of the multi-homed DC?

Is there a way to configure the DNS server such that it sees the 192.168.50.0/24 subnet as being "closest" to the 192.168.1.0/24 subnet, so that subnet prioritization will take care of this?


Running domain controller in virtualization on Windows Server 2012


Hi All,

As per the Running Domain Controllers in Hyper-V document (downloadable Word document), there are some limitations with virtualized domain controllers. It is recommended to have a physical domain controller in a domain up to Windows Server 2008. Does this behaviour remain the same with Windows Server 2012 or not? Is it required to keep a physical server dedicated to the domain controller role?

Regards,

Monika

Migration of critical infrastructure applications to a new domain


We just recently stood up a new domain for our company. We consolidated from 7 domains to 1, but prior to that we had just stood up some recent core infrastructure apps. My question is: which of the below environments can I unjoin from the old domain and join to the new domain, and which environments will have to be built again? Below are the apps we just stood up in the old domain that need to be migrated:

Exchange 2013

Systems Center Service Manager 2012

Systems Center Config. Manager 2012

SQL Ent. 2012 Clustered

SharePoint 2012 Clustered
