Channel: Directory Services forum

Group Policy.. Block USB


Hi ,

 

I don't know if this is the right place to email you; if it's not, then please guide me.

 

Anyway, I want to block USB mass storage devices (pen drives) for all users. Can I block them for all users from Group Policy, and in future, if someone asks me to enable it, make the change for a group or for a single user?

 

Or can I block them manually on all computers?

 

I am trying to block it, but after restarting a PC, when I plug in another one it becomes enabled again...

 

 

 

Regards,

Sami 


Event Source is LsaSrv and Event ID is 40960


Hi Team,

I'm getting the event below on my DC, which runs Windows Server 2008 R2.

The Security System detected an authentication error for the server ldap/*******. The failure code from authentication protocol Kerberos was "The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested. (0xc0000234)".

Event Source is LsaSrv and Event ID is 40960.

Kindly let me know the steps to fix the issue.


Thanks, SUBBU.T

powershell error "A constraint violation occurred" on setinfo


I am trying to update the managedBy attribute of a list of groups read from Excel. Below is my script, which worked fine a month ago, but now I am getting the error "Exception calling "SetInfo" with "0" argument(s): "A constraint violation occurred."":
At Update_group managedby.ps1:38 char:26
+         $objgroup.Setinfo <<<< ()
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI

Script:

$Datafile = New-Object -Com Excel.Application
$Datafile.Visible = $True
[threading.thread]::CurrentThread.CurrentCulture = 'en-US'
$Excel = $Datafile.Workbooks.Open("C:\GroupsOwner.xlsx")
$Sheet = $Excel.Worksheets.Item(1)
$intRow = 2                                  # group names start on row 2 (row 1 is the header)
$Class = "group"
# managedBy is a DN-syntax attribute: the value written below must be the owner's distinguishedName
$OwnerName = 'Richard Brown 000031984'
Do {
    $GroupName = $Sheet.Cells.Item($intRow,1).Value()
    $objDomain = New-Object System.DirectoryServices.DirectoryEntry
    $Search = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://DC=abc,DC=xyz,DC=com")
    $Search.Filter = "(&(objectCategory=group)(sAMAccountName=$GroupName))"
    $Search.SearchRoot = $objDomain
    $Search.SearchScope = "Subtree"
    $Search.PageSize = 1000
    $group = $Search.FindOne()
    if ($group -ne $null) {
        # bind to the group by DN and write the new owner
        $dn = $group.Properties.Item('distinguishedname')
        $objgroup = [ADSI]"LDAP://$dn"
        $objgroup.Put("managedBy", "$OwnerName")
        $objgroup.SetInfo()
    }
    $intRow = $intRow + 1
} While ($Sheet.Cells.Item($intRow,1).Value() -ne $null)   # stop at the first empty cell in column A
$Datafile.Quit()

Note: I am running this script using a Domain Admin account. Also, I have tried another method, i.e. $objgroup.managedBy = $OwnerName followed by $objgroup.CommitChanges(), but both ways it throws the same error.

Could you please help me on this?

Active Directory Federation Services


I have recently configured ADFS 2 according to the MS guides and have encountered an issue; I just want someone to confirm my suspicions.

I have configured FS1 and FS2 as DCs with NLB and a separate FS proxy. The issue I am having is related to DNS resolution, in as much as each of the FS machines has an IP address, say 192.168.1.1 and 192.168.1.2, with the FS NLB cluster set up as 192.168.1.3, and they are entered in DNS as such. However, FS1 and FS2 also have separate entries for 192.168.1.3, so that the DNS table looks like this:

fsHost   (A)  192.168.1.3
fs1Host  (A)  192.168.1.1
fs1Host  (A)  192.168.1.3
fs2Host  (A)  192.168.1.2
fs2Host  (A)  192.168.1.3

This is causing FRS errors, as when AD replication occurs to FS2 or FS1 it resolves to 192.168.1.3 instead of the individual machine IP and as such can't replicate due to machine name inconsistencies. The question is: am I safe to remove the entries for FS1 and FS2 pointing to 192.168.1.3 (the FS cluster IP), or would it be safe to enter the correct IPs into the Hosts file?

Regards

Drac

 

How to seize a dead Domain Controller


Dear friend,

 

We have 2 servers in our company with Win2k3: a DC and an ADC.

Unfortunately the DC is down and will not come back online again, but the ADC is still working.

Now I want to seize all roles of the DC and transfer the roles to the ADC.

So how do I fix this problem?

 

Please help me.

Regards,

RahulJ

 

 

Browse groups over trusts.


I'm trying to set up a trust between domain A and domain B, but using only an RODC in domain B.

Domain B trusts A.
The RODC for domain A has full firewall port access to the RW DCs in domain A.

In domain A, there's a site containing all subnets of domain B. The RODC belonging to domain A is placed on a subnet in domain B.

When logging on to a server in domain B with a domain A account, it works well.
Running NLTEST /DSGETDC:DomainA, the answer points me to the RODC.

All well, but:

When trying on the member server to add groups from domain A to local groups, it tries to communicate with the RW DCs in domain A.
That will fail because it is blocked in the firewall.

Is this by design?
Is there an article describing this?

Regards

Anders

Consequences of restarting active directory domain services in production


If I have a branch office that is hosted by a single DC and I restart AD DS on that server, will it disrupt the users in that branch office?

I would assume that it shouldn't, because users have already received their Kerberos tickets from that DC.

I was thinking there would only be a possible issue for a user that needs to request a new ticket from a TGT while the AD services were stopped, but considering how long it takes to restart the services (seconds), this scenario is unlikely.

Are my assumptions correct?

Files are not showing for a few minutes after being copied


This issue has been annoying my users for several months now, and I have tried everything I can think of to resolve it or even reproduce it, so I'm posting here to see if anyone has any thoughts. Here's the situation. We just installed new Windows 2008 R2 servers. Our users are running Windows 7. In a nutshell: once in a while, when a user copies files to a folder, another user will not be able to see the files that were just copied. If I look in the folder from the computer that copied the files, they are there. I can go to another computer and see them, but this one user doesn't. It isn't just a single user; this happens to just about all of our users. If the person that is having trouble seeing the files waits 5 to 10 minutes, most times they will show up, or if they reboot their computer they will then see them. Here is what I've tried without success in getting the files to show:

  1. I've tried pressing F5 in Explorer.
  2. I've tried accessing the folder via a mapped drive.
  3. I've tried accessing the folder via a UNC path.
  4. I've tried disconnecting the drive and remapping it.
  5. I've tried accessing a specific file that isn't showing. For example: if I can see from another computer that there should be a file abc.pdf, I enter \\server\share\abc.pdf and it tells me the file isn't there.
  6. I've tried re-running our logon script (which mostly just un-maps all drives and re-maps them based on AD).

I don't know what else to do. 98% of the time the files will be there. Once or twice a week this will happen to a user, and in most cases after 5 to 10 minutes the files will just show up on their own. I have seen cases where after more than an hour they didn't show up and could only be found after a reboot.

Any thoughts or suggestions I can try?


Can I safely delete and recreate Reverse Lookup Zone in AD?


Hi,

As you can see in the screenshot, I have a server name (icb22) appearing in the Reverse Lookup zone which was removed 2 years ago and no longer exists physically. Obviously I need to fix that; I tried, but got stuck on the last screen. Which one do I choose to continue and fix that?




Schema FSMO holder could not be found.


Ok, first a brief synopsis of this network.

1. We have the Enterprise DC in the U.S. and it is the Schema master and the Domain Naming Master. We can never seize the Schema from it.

2. I work in the Middle East and we have one root DC here and 3 other Domain Controllers. We have 2 DC's in remote sites.

3. We had to remove a DC the other day and when we ran dcpromo we got the following error.

The Operation failed because:

Active Directory Domain Service could not transfer the remaining data in directory partition DC=DomainDnsZones,DC=example, to Active Directory Domain Controller \\exampleDC1\...............

"The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."

So because of that, we had to run dcpromo /forceremove.

Afterwards I followed the article here http://support.microsoft.com/?id=216498 to remove the metadata.

Now when I open the Schema snap-in on DC2, it shows the current Schema master. When I right-click and change to another server I get this.

"The schema FSMO holder could not be found. Schema modifications can only be made on the schema FSMO holder"

I try to change to any of our other 4 DC's and I get the same error.

When I open Schema on those DC's I get this.

Current Schema Master (Offline)
Error

That is not true, because that server resides in the States, as I mentioned above, and it never goes offline.

What is possibly related is when I try to do a replicate with our root DC that fails with the error below.

"The following error occurred during the attempt to synchronize naming context conus.cano.com from Domain Controller RDC3 to Domain Controller DC1: The naming context is in the process of being removed or is not replicated from the specified server. This operation will not continue."

I think somehow this might be pointing at the Root DC. Our DC3 has all of the other 3 roles and is our primary DNS server.

So to sum it up

DC1 - Current Schema Master (Offline): Error

DC2 - Can see the Schema Master fine

DC3 - Current Schema Master (Offline): Error

DC4 - Current Schema Master (Offline): Error

DC5 - Current Schema Master (Offline): Error

Also when I go to AD and search for one of our larger Groups, all of the members in that group show as SIDs only.

Any help would be appreciated. Thanks

I can't logon to my new domain controller using Remote Desktop


Hi

5 hours ago I installed a new 2008 R2 domain controller in my forest (GC/DNS).

After the successful installation process, I rebooted the server. From that moment, I can't connect to the server using Remote Desktop as domain administrator.

I am receiving the following error message: "The security database on the server does not have a computer account for this workstation trust relationship."

All domain controller's services are ok (all tests are passed on dcdiag)  and the replication diagnostics are also ok.

Any ideas?

Upgrade from Active Directory 2003 SP2 to Active Directory 2008 R2


Hi everyone

I have Windows Server 2003 Enterprise Edition SP2 32-bit running Active Directory. I just want to upgrade it to Active Directory 2008 R2. What are the simple methods to do that? And also please tell me, if I upgrade from Active Directory 2003 to 2008 R2, will I need to re-join all clients to the domain or not?

Event ID: 1864 ActiveDirectory_DomainService Replication Error


Hi,

I am getting the error below under "Directory Service" events on every one of my domain controllers...

Please help me sort this out.

-------

This is the replication status for the following directory partition on this directory server. Directory partition: CN=Configuration,DC=Domain,DC=com. This directory server has not recently received replication information from a number of directory servers. The count of directory servers is shown, divided into the following intervals.

More than 24 hours:
1
More than a week:
1
More than one month:
1
More than two months:
0

---------------------

repadmin /showvector /latency DC=domain,DC=Com shows the following:

2851c3ac-1108-4aac-9608-a07d32c879e7 @ USN     41591 @ Time (unknown)
1223c1fc-1402-4b30-833f-c24ba17841b8 @ USN    185138 @ Time (unknown)
1e5c730d-eddc-4492-b909-b4a27fae2db7 @ USN      6619 @ Time 2005-10-31 12:58:30
7a922154-dc44-4efd-b4c4-6ca7d5644371 @ USN     22134 @ Time 2007-01-05 11:05:20
90ef3ee7-54ec-4696-881b-368368ea4f47 @ USN     16591 @ Time 2007-02-20 17:25:02
fa3c588b-6865-45e6-92d1-854767942944 @ USN   3621800 @ Time 2007-08-29 15:26:18
e66046a1-4a70-4538-9cc2-b50d50396825 @ USN    973525 @ Time 2007-11-23 10:52:12
308b9a54-bb7f-4f08-90b6-105365974da9 @ USN     51581 @ Time 2008-03-05 11:05:58
7e12d19d-6407-4546-920a-97346d2fe4a5 @ USN   1453417 @ Time 2008-05-12 18:26:23
0044325e-eb34-4067-9ddb-d76d8e926be2 @ USN  10195260 @ Time 2008-05-12 19:07:57
948c7c7d-c535-42dc-8f03-bd17548242c8 @ USN   1432178 @ Time 2008-05-26 18:20:24
e3b0b895-9ebe-438b-a95a-af917286995b @ USN  10580025 @ Time 2008-05-27 17:22:15
d2b7e144-e1f8-4983-85d2-509227bca11d @ USN  10752012 @ Time 2008-06-02 22:22:15
283f3bea-a49f-4e23-b293-edbb4e801afc @ USN     41031 @ Time 2008-07-04 07:00:12
ee9a214a-7cb7-4493-9962-2e12032768d7 @ USN     53589 @ Time 2008-07-04 12:50:09
f998f4f5-5088-47ac-b425-8437550076a4 @ USN  10842471 @ Time 2008-07-08 15:15:13
7240d8dd-5230-4825-b2ac-f62505d5e678 @ USN   1630669 @ Time 2008-09-26 15:50:38
fd29e05f-d068-48e7-b391-512e5f91feb3 @ USN  20359052 @ Time 2009-06-15 09:04:42
626aed3b-6ab6-47c2-bbe1-6948d543a439 @ USN   6675257 @ Time 2009-06-15 09:06:02
aecb0b51-b38f-4e8d-a1d4-3c8409b3c2a6 @ USN   2669438 @ Time 2009-08-31 07:31:35
d47a4101-688f-4467-91ef-dca4ffacdf34 @ USN   3333066 @ Time 2009-12-11 09:20:25
25a579f2-e9db-4a65-9c87-4b9ef0c33538 @ USN   1776084 @ Time 2010-03-19 18:43:38
13caf359-e384-4f10-85bb-18a9645545b9 @ USN  12084560 @ Time 2010-03-24 17:41:13
15d09514-1108-44d0-85a5-8c8f05442d7d @ USN   1724423 @ Time 2010-04-07 15:52:43
9aac8154-4bd7-4942-9eee-cdada4ee13b9 @ USN     57349 @ Time 2010-10-28 10:29:44
c1638603-067d-4b56-99db-8c951dee801d @ USN  19403280 @ Time 2011-01-06 18:58:50
a1b069a1-355d-4018-97e0-72cfdb69e6c7 @ USN  11165974 @ Time 2011-01-12 15:39:08
7a7ce435-2f93-4dd1-95d9-67d623f9a666 @ USN    823756 @ Time 2011-01-27 15:15:27
b0214bbd-503a-4771-9736-ff436f4fd5dc @ USN     90285 @ Time 2011-01-31 16:13:29
558a28f3-e4b8-455c-a9d2-dda8ea32a77a @ USN   5220516 @ Time 2012-08-21 11:07:09
LofacBranch\TECHMAIN                 @ USN   1457345 @ Time 2012-12-21 11:58:20
Cotta-Road\LCRMAIN                   @ USN   1724284 @ Time 2012-12-21 11:58:23
CLC-Head-Office\CLCMAIN              @ USN   8042487 @ Time 2012-12-21 11:58:23
XXXX-Head-Office\ROOTDC          @ USN  57482205 @ Time 2012-12-21 11:59:54
XXXX-Head-Office\ADC             @ USN  41784326 @ Time 2012-12-21 11:59:58
XXXX-Head-Office\PDC             @ USN  49975130 @ Time 2012-12-21 12:00:02

-------------------------------

Event Details:

System
-Provider
[ Name] Microsoft-Windows-ActiveDirectory_DomainService
[ Guid] {0e8478c5-3605-4e8c-8497-1e730c959516}
[ EventSourceName] NTDS Replication
-EventID1864
[ Qualifiers] 49152
Version0
Level2
Task5
Opcode0
Keywords0x8080000000000000
-TimeCreated
[ SystemTime] 2012-12-06T12:56:56.807264900Z
EventRecordID10314
Correlation
-Execution
[ ProcessID] 520
[ ThreadID] 648
ChannelDirectory Service
ComputerPDC.Domain.COM
-Security
[ UserID] S-1-5-7
-EventData
DC=ForestDnsZones,DC=Domain,DC=com
1
1
0
0
0
60

----------------------------
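Event 1864 reports how many replication partners the local DC has not heard from within each cumulative interval (more than 24 hours, a week, a month, two months). As an added example that is not part of the original post or any Microsoft tool, the Python below parses lines in the format printed by repadmin /showvector /latency and computes the same buckets, so the event's counts can be traced back to the individual partners. Six of the sample lines are copied from the output above; the partner SiteX\DCX, the reference time REFERENCE_TIME, the 30- and 60-day lengths used for "one month" and "two months", and all function names are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: six lines copied from the repadmin output in the post,
# plus one made-up partner (SiteX\DCX) that is between one day and one week stale.
SAMPLE_VECTOR = r"""
2851c3ac-1108-4aac-9608-a07d32c879e7 @ USN     41591 @ Time (unknown)
1e5c730d-eddc-4492-b909-b4a27fae2db7 @ USN      6619 @ Time 2005-10-31 12:58:30
9aac8154-4bd7-4942-9eee-cdada4ee13b9 @ USN     57349 @ Time 2010-10-28 10:29:44
558a28f3-e4b8-455c-a9d2-dda8ea32a77a @ USN   5220516 @ Time 2012-08-21 11:07:09
SiteX\DCX                            @ USN       100 @ Time 2012-12-19 09:00:00
LofacBranch\TECHMAIN                 @ USN   1457345 @ Time 2012-12-21 11:58:20
XXXX-Head-Office\PDC             @ USN  49975130 @ Time 2012-12-21 12:00:02
"""

# Assumed "now": the timestamp of the last line of the sample output.
REFERENCE_TIME = datetime(2012, 12, 21, 12, 0, 2)

LINE_RE = re.compile(
    r"^(?P<partner>\S+)\s+@\s+USN\s+(?P<usn>\d+)\s+@\s+Time\s+(?P<time>.+?)\s*$"
)
# A partner printed as a bare GUID is an invocation ID repadmin could not map to a DC name.
GUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# Cumulative intervals, in the order event 1864 reports them. The event says
# "one month" / "two months"; 30 and 60 days are assumptions for this example.
THRESHOLDS = [
    ("more_than_24h", timedelta(hours=24)),
    ("more_than_week", timedelta(days=7)),
    ("more_than_month", timedelta(days=30)),
    ("more_than_two_months", timedelta(days=60)),
]


def parse_vector(text):
    """Turn repadmin /showvector /latency lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp = m.group("time")
        when = None if stamp == "(unknown)" else datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        entries.append({
            "partner": m.group("partner"),
            "usn": int(m.group("usn")),
            "time": when,
            "unresolved": bool(GUID_RE.match(m.group("partner"))),
        })
    return entries


def staleness_buckets(entries, now):
    """Count partners per interval the way event 1864 does: a partner older than two months
    is counted in every bucket, so the numbers are cumulative."""
    counts = {name: 0 for name, _ in THRESHOLDS}
    counts["unknown"] = 0
    for e in entries:
        if e["time"] is None:
            counts["unknown"] += 1
            continue
        age = now - e["time"]
        for name, limit in THRESHOLDS:
            if age > limit:
                counts[name] += 1
    return counts


def stale_partners(entries, now, limit=timedelta(hours=24)):
    """Partners (names or bare invocation-ID GUIDs) not heard from within `limit`, or with no timestamp."""
    return [e["partner"] for e in entries if e["time"] is None or now - e["time"] > limit]


def report(text=SAMPLE_VECTOR, now=REFERENCE_TIME):
    """Everything an operator would want in one place: the 1864-style buckets plus the names behind them."""
    entries = parse_vector(text)
    return {
        "buckets": staleness_buckets(entries, now),
        "stale": stale_partners(entries, now),
        "unresolved": [e["partner"] for e in entries if e["unresolved"]],
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

The partners that matter for troubleshooting are the ones in the stale list: for each of them, compare against repadmin /showrepl and the NTDS Settings objects in the Configuration partition to decide whether it is a live DC that has stopped replicating or an invocation ID left behind by a DC that was removed without metadata cleanup.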

 

Domain admin account getting locked out... Please help


Dear Team,

Greetings for the day,

Here we are facing an issue in our organisation: the domain administrator account is getting locked out very frequently.

This issue has become very major.

Looking for your kind support, please.

Regards

Raghuraj Sharma

Mail ID:- raghuraj.sharma@infotelconnect.com

Phone:-+919653018111



Demoted DC often can't find new DC's


I'm posting here because the issue is with a demoted server that can't find the new domain controllers on the network. It could also be a DNS issue; feel free to move it if it doesn't belong here. Thanks.

I have this Server 2008 SP1 box that was a playground for the operations manager for quite some years before I came here.

It had AD DS with all FSMO roles, DNS server, DHCP server, TS server, file server, IIS, our ERP, Exchange for some time, every single utility he could find to test, 20 users logged on full-time using Office RemoteApps and surfing the web (with admin privileges) on it, and then some. The only thing it didn't have was updates. All of this on a single RAID 5 volume with no HS. It was a mess.

I've been working my way to kill it and managed to remove almost every essential service from it, the most recent (October) being AD DS. I created a new server, promoted it and moved all FSMO roles to it, and finally I demoted the old server. dcdiag reported all OK.

Since then, I've been having connectivity issues all the time on that server.

I'm having 3 different errors popping up all the time:

Level: Error
Source: NETLOGON
Event ID: 5719
Description: This computer was not able to set up a secure session with a
domain controller in domain <DOMAIN> due to the following: There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is
connected to the network. If the problem persists, please contact your domain
administrator.

 

Level: Error
Source: GroupPolicy
Event ID: 1054
Description: The processing of Group Policy failed. Windows could not obtain
the name of a domain controller. This could be caused by a name resolution
failure. Verify your Domain Name System (DNS) is configured and working correctly.


Level: Error
Source: GroupPolicy
Event ID: 1030
Description: The processing of Group Policy failed. Windows attempted to retrieve
new Group Policy settings for this user or computer. Look in the details tab for
error code and description. Windows will automatically retry this operation at
the next refresh cycle. Computers joined to the domain must have proper name
resolution and network connectivity to a domain controller for discovery of new
Group Policy objects and settings. An event will be logged when Group Policy is
successful.
ErrorCode: 58
ErrorDescription: The specified server cannot perform the requested operation.

 

As a result it sometimes takes 3 or 4 tries to RDP successfully to it; other times it just won't let you in until later. It says "Access denied" on the dialog.

The errors basically tell me there are DNS/network issues with the server. I couldn't find any network issue: it flawlessly serves files, keeps RDP sessions open and responds to ping with <1 ms latency all day, so it must be DNS or something else.

The thing is, I can't scrap the server just yet, not until we buy the new file server, and that may still take some months and up to a year.

So my only option is to fix these problems.

Further info:

  1. The remaining roles on the server are: file services, NPAS, TS and IIS.
  2. Any other server/service in the network works fine; it's only this server with issues.
  3. It doesn't have authentication issues on shares (most shares are for Authenticated Users).
  4. nslookup finds the DC with no issue. I can't check whether it does when it starts throwing "Access denied", since that happens when I'm trying to log on to it; hence, I'm locked out of it.

I'd appreciate any help you could provide.

Cheers.


"When something is not working as it is supposed to, then it is working as expected" -R









The security descriptor propagation task could not calculate a new security descriptor for the following object.-EventID:1450


I am getting event ID 1450 logs on my DC servers (8 DCs), more than 20 logs/sec.

Source:NTDS SDPROP

Category:Internal Processing

Event ID:1450

User: NT AUTHORITY\ANONYMOUS LOGON

The security descriptor propagation task could not calculate a new security descriptor for the following object.
Object:
CN=AAA,OU=BBB,OU=CCC,OU=DDD,DC=EEE,DC=FFF,DC=GGG
This operation will be tried again later.
User Action
If this condition continues, attempt to view the status of this object and manually change the security descriptor.
Additional Data
Error value:
1340 The inherited access control list (ACL) or access control entry (ACE) could not be built.

Has anyone come across this error log? What could be the solution for these error logs? Need help with this event ID.


Regards, VBP


Aside from GPOs, what changes occur when joining a Domain?

We have a client using banking software that appears to be affected by domain user profiles, but not local user profiles. I've blocked GPO inheritance for the user and PC, but the issue persists. Ideas are welcome. Is there a list of the changes that alter the behavior of a domain user/PC account?

DNS Auditing is not working in Windows 2008 R2


We have Windows 2008 DCs in the domain, and I have configured DNS auditing for a zone stored in the DomainDNSZones partition.

As the first step, I configured the "Default Domain Controllers Policy" to define "Audit directory service access" for success and failure.

Then I enabled auditing on the DNS zone stored in the DomainDNSZones partition, using the DN "DC=DomainDNSZones,DC=<domain name>".

Under CN=MicrosoftDNS you will find DC=<zone name>. Right-click on that and select Properties.

Select the Auditing tab, click Add, then under User or Group type "Everyone" and click the Check Names button. Click OK.

On the Auditing Entry window that pops up, under the Object tab, select Success and Failure for the access types Write All Properties, Delete, and Delete Subtree, and click OK.

But it's still not working for me. Is there any other configuration apart from this that I need to configure?

I also went through the article http://blogs.technet.com/b/networking/archive/2011/08/17/tracking-dns-record-deletion.aspx

ADFS and SSO between two domains


Hi,
One question: one company has a separate AD environment and they want to publish their cloud applications. Another company has its own AD environment and they want to use the public cloud applications from the first company, but they want to use SSO to the other environment. Is it possible to configure that with ADFS 2.0, or do they need to establish a domain trust between the AD domains?

Thnx!

LDIFDE errors "last token starts with 'C'", "change-modify entry missing '-'"


Greetings,

I execute this:

C:\Users\Administrator\Downloads\ldif_files>ldifde -i -k -f test.ldf -v -j "C:\Users\Administrator\Downloads\ldif_files"
Connecting to "dc1.company.local"
Logging in as current user using SSPI
Importing directory from file "test.ldf"
Loading entries

There is a syntax error in the input file
Failed on line 6.  The last token starts with 'C'.
The change-modify entry is missing the terminator '-'.
0 entries modified successfully.
An error has occurred in the program

C:\Users\Administrator\Downloads\ldif_files>

test.ldf is this:

dn: CN=PrinterAdmins,OU=GL,OU=Groups,OU=CMPNY,DC=company,DC=local
changetype: modify
add: member
objectClass: top
objectClass: group
member: CN=John Doe,OU=Track-It!,OU=Admins,OU=CMPNY,DC=company,DC=local

I have painstakingly troubleshot this for a couple of hours now without success. I have tried...

  • Adding a single line '-' at the end
  • Adding a line '-' followed by a blank line (two lines total) at the end
  • Several other things; I have spent lots of time Googling for solutions and trying everything without success

The OUs, security group, and user exist. For the life of me, I can't figure it out. I have successfully imported an OU structure from the 'oldcompany.com' domain, used Notepad++ to remove a particular space/enter character and also to replace 'dc=oldcompany,dc=com' with 'dc=company,dc=local', imported the users, imported the security groups -- everything successfully. All that is left is to import the memberships for every group (tying users to their groups).

Please help. :(
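The two ldifde messages above ("The last token starts with 'C'" and "The change-modify entry is missing the terminator '-'") both describe the LDIF change-modify grammar: after "changetype: modify", each change spec is an "add: <attr>", "delete: <attr>" or "replace: <attr>" line, followed only by "<attr>: value" lines for that same attribute, and closed by a line containing just "-". As an added example that is not part of the original post and not Microsoft's ldifde code, the Python below validates that grammar before a file is imported. BROKEN_LDIF is a constructed copy of the test.ldf in the post; FIXED_LDIF, the function names and the per-record line numbering are assumptions made for this example. The checker handles only plain "attr: value" lines (base64 "::" values and URL ":<" values are not decoded).

```python
# Constructed copy of the post's test.ldf (the file ldifde rejects).
BROKEN_LDIF = """\
dn: CN=PrinterAdmins,OU=GL,OU=Groups,OU=CMPNY,DC=company,DC=local
changetype: modify
add: member
objectClass: top
objectClass: group
member: CN=John Doe,OU=Track-It!,OU=Admins,OU=CMPNY,DC=company,DC=local
"""

# The same change as a valid change-modify record (constructed): one spec,
# only values of the attribute named in the spec, closed by "-".
FIXED_LDIF = """\
dn: CN=PrinterAdmins,OU=GL,OU=Groups,OU=CMPNY,DC=company,DC=local
changetype: modify
add: member
member: CN=John Doe,OU=Track-It!,OU=Admins,OU=CMPNY,DC=company,DC=local
-
"""

MOD_OPS = ("add", "delete", "replace")


def records(text):
    """Split LDIF into records (separated by blank lines), unfolding continuation
    lines that start with a space and dropping '#' comment lines."""
    recs, cur = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and cur:
            cur[-1] += raw[1:]
        elif raw.strip() == "":
            if cur:
                recs.append(cur)
                cur = []
        else:
            cur.append(raw)
    if cur:
        recs.append(cur)
    return recs


def split_attr(line):
    """'Name: value' -> ('name', 'value'); attribute names are case-insensitive in LDIF."""
    name, _, value = line.partition(":")
    return name.strip().lower(), value.strip()


def validate_modify(rec):
    """Check one record's change-modify syntax.
    Returns a list of (line_number_within_record, message); empty means the record is well formed."""
    problems = []
    if not rec or split_attr(rec[0])[0] != "dn":
        return [(1, "record must start with 'dn:'")]
    if len(rec) < 2 or split_attr(rec[1]) != ("changetype", "modify"):
        return []  # not a change-modify record; out of scope for this checker
    i = 2
    while i < len(rec):
        op, attr = split_attr(rec[i])
        attr = attr.lower()
        if op not in MOD_OPS or not attr:
            problems.append((i + 1, "expected 'add|delete|replace: <attribute>', got %r" % rec[i]))
            return problems
        i += 1
        terminated = False
        while i < len(rec):
            if rec[i].strip() == "-":
                terminated = True
                i += 1
                break
            name, _ = split_attr(rec[i])
            if name != attr:
                # This is what trips the "last token" message: a foreign attribute inside the spec.
                problems.append((i + 1, "'%s' inside the '%s: %s' spec; only %s values may appear before '-'"
                                 % (name, op, attr, attr)))
            i += 1
        if not terminated:
            problems.append((len(rec) + 1, "'%s: %s' spec is missing its terminator '-'" % (op, attr)))
    return problems


def check_ldif(text):
    """Validate every record in an LDIF text; returns [(record_number, line_in_record, message), ...]."""
    out = []
    for n, rec in enumerate(records(text), start=1):
        out.extend((n, line, msg) for line, msg in validate_modify(rec))
    return out


if __name__ == "__main__":
    for label, text in (("test.ldf", BROKEN_LDIF), ("fixed", FIXED_LDIF)):
        print(label, check_ldif(text) or "OK")
```

Run against the constructed copy of test.ldf, the checker reports the two objectClass lines as foreign to the "add: member" spec and the missing "-" at the end of the record; the corrected record produces no findings. Running a check like this over a generated membership file before ldifde -i avoids a partial import, which matters because ldifde -k continues past some errors and can leave group membership half-applied.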

