Channel: Directory Services forum

AD 2008 Login Scripts not running



I have a simple script that we run on each user's account in AD on the Profile tab. The script just runs a .bat file that executes a script to manage users' Outlook signatures. Everything was working great on this script until we added a Windows Server 2008 R2 Domain Controller into the existing network, which is running Server 2003 AD.

To verify the logon script is not working, I tried just having the script map a drive on the user's machine.

I can verify the .bat file is good because currently we are just running it manually.

Not sure where to go from here on resolving this issue. Here is a list of things I have tried.

1. Checked event viewer for any replication errors. Found none.

2. Confirmed that the NETLOGON and SYSVOL folders are on all 3 domain controllers. Also checked and made sure the same permissions were listed on both folders.

3. Tried manually adding the .bat file to the NETLOGON and SYSVOL folders and no change.

I have noticed in the SYSVOL folder, under my domain, there is the file listed that I need to run. However, it is not in the scripts folder.

Not sure where to go from here on trying to resolve this. Any ideas are appreciated.
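The post above has already compared NETLOGON/SYSVOL permissions by hand; the following is an added example (not code from the original post) that does the comparison the other way round: it checks that the .bat file is present in the NETLOGON share of every DC and that all copies are byte-identical, which is the first thing to establish when a new DC has been added to a SYSVOL replica set. The file name signature.bat is an assumption, and Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example, not from the original post. Verify that a logon script is
# present in \\<DC>\NETLOGON on every domain controller and that all copies
# match; differences point at SYSVOL replication, not at the script itself.
# Assumptions: RSAT ActiveDirectory module available; 'signature.bat' is a
# placeholder for the .bat named on the user's Profile tab; PowerShell 4.0+.
Import-Module ActiveDirectory

$ScriptName = 'signature.bat'   # assumed file name; replace with the real one

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    $path = "\\$dc\NETLOGON\$ScriptName"
    $hash = $null
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
    [pscustomobject]@{
        DC      = $dc
        Path    = $path
        Present = [bool]$hash
        SHA256  = $hash
    }
}

$results | Format-Table DC, Present, SHA256 -AutoSize

# Consistent only when every DC has the file and all hashes agree.
$missing  = @($results | Where-Object { -not $_.Present })
$distinct = @($results | Where-Object { $_.Present } |
              Select-Object -ExpandProperty SHA256 | Sort-Object -Unique)
if ($missing.Count -gt 0 -or $distinct.Count -ne 1) {
    Write-Warning "$ScriptName is missing or differs between DCs; fix SYSVOL replication (FRS on a 2003-level domain) before changing the script."
}

# What is actually configured on the accounts: the Profile-tab value must be a
# path relative to NETLOGON (e.g. 'signature.bat'), not a local or SYSVOL path.
Get-ADUser -Filter 'scriptPath -like "*"' -Properties scriptPath |
    Select-Object SamAccountName, scriptPath
```

Run it from any domain-joined admin workstation; a DC that reports Present = False while the others report True is the replica that has not received the file, and the scriptPath listing shows whether the Profile tab points at the right relative name.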


ADMT Group Migration - Confused by Copy Group Members


So I'm testing with Group Account Migration in the ADMT 3.2. 

When you get to the screen that has "Copy group members" on it, what exactly does that mean?
Does it mean, migrate the group to the destination domain/OU, as well as all of its members to the same destination? 

In the Help/Description, it says "If you do not select this option, ADMT creates the group in the target domain, but the group does not contain members". 
I'm confused as to what that means. Does it mean the Group will no longer contain members so after the migration, you have to re-add all its members?

What's strange is I migrated a Security Group between two domains. It was a test group, and it had 3 test account members.
I didn't check this box, and after the migration, the Security Group was indeed in the new domain, but it still contained the same members that exist in the parent domain.
According to my understanding of the description, since the checkbox isn't checked, the test Security Group I migrated should have had no members in it after the migration.

Share Drive

I have a share drive on a server.  From my desktop, I can access that share drive, \\servername\sharedfolder, no problem, but on the server itself, if I try to go to \\servername\sharedfolder I get "network path cannot be found".  If I go to just \\servername, I can see the share folder listed, but when I double click it I get the network error.  This leads me to believe it's permissions based, but I have Authenticated Users set to Full.  I'm curious if there might be a policy setting that would be causing this.  Any info is appreciated.

Web Enrollment - No certificate templates could be found


I migrated a Windows 2008 R2 root enterprise CA to Windows 2012 R2.  All looks like it’s working well except that I can’t get Web Enrollment to work.  Upon selecting to submit a certificate request, I get the message:

No certificate templates could be found.  You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory.

Certificate enrollment does work through the Certificates MMC, in fact I was able to create a certificate to secure the CA’s Default Web Site.

I have done everything I can find on the Internet to fix this, including:

Any of you seen anything like this and maybe have an idea how to remedy it?

Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

Old Domain Controller (W2K3) Decommission process in active directory


It’s a single domain environment with 3 DCs; 2 DCs are running Windows Server 2008 R2 and one is running Windows Server 2003.

Planning to decommission Win 2003 Domain controller.

Below is the plan. Please have a look and correct any steps that are going in the wrong direction.

  1.       Changing the DNS IP of the domain controller planned for decommission on all systems to the remaining available DNS servers.
  2.       Changing the DNS IPs hard coded in applications and correcting the DHCP scope DNS settings.
  3.       Transferring FSMO roles from this old server.
  4.       Checking the health status of domain replication, and continuing only if it is good.
  5.       Stopping replication on the Windows 2003 DC (inbound and outbound).
  6.       Disabling the NIC card.
  7.       Shutting it down for 1 week and monitoring. ==> Does this cause any issues other than replication? The tombstone period is 1 month for this domain.
  8.       If no issues are found:
  9.       Demote the server from the domain and clean the metadata using the ntdsutil tool.

___________ Ravi Ch
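Steps 3, 4 and 9 of the plan above, as an added example (not code from the original post) run from one of the remaining 2008 R2 DCs: it reads the current FSMO owners and the forest tombstone lifetime, checks replication for failures, transfers the roles, and shows the metadata-cleanup command for the case where the 2003 DC can no longer be demoted cleanly. The names OLDDC and DC01 and the site name are assumptions.

```powershell
# Added example, not part of the original post. Pre-checks and role transfer
# for retiring a Windows Server 2003 DC, run on a surviving 2008 R2 DC.
# Assumptions: OLDDC (leaving) and DC01 (staying) are placeholder names;
# RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$OldDc = 'OLDDC'
$NewDc = 'DC01'

# Step 3 (before): which roles does the old DC hold today?
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# Step 7 context: the tombstone lifetime is the window in which an offline DC may
# still come back. The attribute is blank on forests created before 2003 SP1,
# which means the 60-day default.
$cfg = (Get-ADRootDSE).configurationNamingContext
$tsl = (Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime).tombstoneLifetime
"Tombstone lifetime: $(if ($tsl) { $tsl } else { '60 (default, attribute not set)' }) days"

# Step 4: replication must be clean everywhere before the old DC disappears.
repadmin /replsummary
$failing = repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($failing) {
    $failing | Format-Table 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Failure Status', 'Last Success Time' -AutoSize
    throw "Replication failures present; fix them before transferring roles."
}

# Step 3: transfer (not seize) every role to the new DC. Roles not held by the
# source are left alone; -Force seizes and must not be used while OLDDC is online.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false
netdom query fsmo

# If the PDC emulator moved, the new holder becomes the domain time source and
# needs an external peer, e.g.:
#   w32tm /config /manualpeerlist:"pool.ntp.org" /syncfromflags:manual /reliable:yes /update

# Steps 1-2: anything still handing out the old DC's address must be changed;
# server-level DHCP options on this DC are listed with
#   netsh dhcp server show optionvalue

# Step 9: a successful dcpromo on OLDDC removes its own metadata. Only if it can
# never be demoted, remove it from a surviving DC with (DN is an example):
#   ntdsutil "metadata cleanup" "remove selected server CN=OLDDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,$cfg" quit quit
```

The throw after the replication check is deliberate: transferring roles while a partner is failing leaves the old DC believing it still holds them, and seizing later from a DC that was actually reachable creates a second owner.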

File Replication Service is taking a long time to scan the system volume


There were multiple event ID 13568 errors in the application event log.  I performed the recommendation to set the "Enable Journal Wrap Automatic Restore" registry setting to recover.  Now I am getting event ID 13566 stating that the File Replication Service is scanning the data in the system volume.  This has been going on for over 2 hours.

This is a sbs 2003 sp2 server.  There are not any other domain servers.  I have checked repeatedly for the sysvol share but it is not available.

Thanks for the help


Migrating DC, DNS, and DHCP from server 2008R2 to new server 2008R2 with different name and IP


Hello All,

I have the fun situation of having Exchange, DC, AD, DNS, and DHCP all on one server. I inherited this and know that it is not recommended or supported. I looked at migrating Exchange but found that was the bad way to go. I now want to migrate DC, DNS, and DHCP from the current Exchange server to a new 2008 R2 server and don't want to miss anything. I have run through the migration prep checklist and have everything noted. Now is the point I am worried about. I know that I install AD DS and then I can run DCPromo to start the process. From what I can tell DNS will come with it, but do I need to install that role before I start the DCPromo? Once I do the DCPromo do I then install the DHCP role, or is that later on? Also, once I bring this new server up I know that it is running as secondary until I migrate everything and demote the Exchange server.

I am looking for stuff that I know I will miss by having to give this server a new name and IP. I know that DHCP will take care of the new DHCP server and I will just have to change the static devices to see the new IP. I guess my concerns are what effects I need to take care of on the old server that is demoted but is still running Exchange 2010, and what else I have missed on the new server that is caused by the new name and IP.

Sorry for the amount of questions, but this seems to be the only way I can start getting things separated and correct before I face moving to future OS upgrades.

Thanks again,



Active Directory Major Issues - Please Help



Please help I have inherited a domain and it is in a very sorry state.

DC1 - Site A, PDC, GC - IAS Server, File Server
DC2 - Site A, BDC - Exchange Server
DC3 - Site B, BDC - File Server

Connection was made like this DC1 - DC2 - DC3.  

From what I can gather DC2 had a hardware issue and the drives were removed and put in another system.  This has been left like this since 2013.

I have run a dcdiag on DC1, DC2 and DC3


   Testing server: Default-First-Site-Name\DC1
      Starting test: Replications
         [Replications Check,DC1] A recent replication attempt failed:
            From DC2 to DC1
            Naming Context: CN=Configuration,DC=Domain,DC=local
            The replication generated an error (8614):
            The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifet
            The failure occurred at 2015-08-21 11:06:11.
            The last success occurred at 2013-12-13 17:11:12

         [Replications Check,DC1] A recent replication attempt failed:
            From DC3 to DC1
            Naming Context: CN=Configuration,DC=Domain,DC=local
            The replication generated an error (8614):
            The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifet

         [Replications Check,DC2] A recent replication attempt failed:
            From DC1 to DC2
            Naming Context: CN=Configuration,DC=domain,DC=local
            The replication generated an error (8606):
            Insufficient attributes were given to create an object.  This object may not exist because it may have been deleted and already garbage collected.
            The failure occurred at 2015-08-21 10:50:44.
            The last success occurred at 2015-06-22 13:42:27.
            1801 failures have occurred since the last success.
         [Replications Check,DC2] A recent replication attempt failed:
            From DC3 to DC2
            Naming Context: CN=Configuration,DC=domain,DC=local
            The replication generated an error (8606):
            Insufficient attributes were given to create an object.  This object may not exist because it may have been deleted and already garbage collected.
            The failure occurred at 2015-08-21 10:50:44.
            The last success occurred at 2015-08-18 13:50:10.
            25 failures have occurred since the last success.

The PDC, DC1, is stating that two of the other domain controllers are tombstoned. I need to get Active Directory operating to enable me to start migrating over to Server 2012.

Should I believe that DC2 and DC3 are both tombstoned, and demote them and promote them again?

Any assistance with this would be most helpful.
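The dcdiag output above mixes two distinct conditions: 8614 (a partner whose last successful replication is older than the tombstone lifetime) and 8606 (a partner offering objects that the destination has already deleted and garbage-collected, i.e. lingering objects). The following added example (not code from the original post) reads the same replication state as objects, works out per partner how many days have passed since the last success against the forest's actual tombstone lifetime, and reports whether strict replication consistency is enabled on each DC, which is what stops the 8606 objects from being re-imported. It assumes RSAT and WinRM access to the DCs; DC names come from repadmin itself.

```powershell
# Added example, not part of the original post. Compare each replication
# partner's last successful replication with the forest tombstone lifetime
# (error 8614) and report the strict-consistency setting that blocks lingering
# objects (error 8606). Assumptions: run with domain admin rights on a DC or
# RSAT host; PowerShell remoting is enabled on the DCs.
Import-Module ActiveDirectory

$cfg   = (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
$tsl   = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }  # unset = 60-day default

$rows = repadmin /showrepl * /csv | ConvertFrom-Csv

$report = foreach ($r in $rows) {
    # 'Last Success Time' is '0' or empty when the link never succeeded.
    $lastOk = $r.'Last Success Time' -as [datetime]
    $age    = if ($lastOk) { [int]((Get-Date) - $lastOk).TotalDays } else { $null }
    [pscustomobject]@{
        Destination = $r.'Destination DSA'
        Source      = $r.'Source DSA'
        Partition   = $r.'Naming Context'
        Failures    = [int]$r.'Number of Failures'
        LastStatus  = $r.'Last Failure Status'
        DaysSinceOk = $age
        PastTSL     = ($age -ne $null) -and ($age -gt $tsl)
    }
}

"Tombstone lifetime: $tsl days"
$report | Sort-Object PastTSL, DaysSinceOk -Descending | Format-Table -AutoSize

# A PastTSL partner (the 8614 case) must not simply be re-admitted: it can hand
# back objects the rest of the forest already deleted and garbage collected,
# which is the 8606 symptom on DC2. Strict replication consistency makes the
# destination refuse such objects instead of silently re-animating them.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $v = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
            -Name 'Strict Replication Consistency' -ErrorAction SilentlyContinue).'Strict Replication Consistency'
    }
    "{0}: Strict Replication Consistency = {1}" -f $dc, $(if ($v -eq $null) { 'not set' } else { $v })
}
```

With the dates in the post, DC2's last success with DC1 (2013-12-13) is about 600 days old at the time of the failure, far beyond any tombstone lifetime, whereas DC3's 8606 failures against DC2 are only days old; the table makes that distinction visible per partition rather than per DC.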



Win 10 Pro Computer


I have a working website in WS 2012 R2.  I want to make my Windows 10 Pro tablet a "computer" in my OU called "Lab".  I have set up the OU with the computer in "Lab" with the name "SurfacePro". When I go into the tablet and change from "Workgroup:" to "Domain:" it will not accept my website: mysite.com.  I also have a Win 7 computer giving the same error.

Error Message:

An Active Directory Domain Controller (AD DC) for the domain "mysite.com" could not be contacted

Ensure that the domain is typed correctly.
Note: This information is intended for a network administrator.  If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.

An error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "mysite.com".

The error was: "No records found for given DNS query."
(error code 0x0000251D DNS_INFO_NO_RECORDS)

The query was for the SRV record for _ldap._tcp.dc._msdcs.mysite.com

Become the August 2015 Windows Server Guru!!! Here's how!


Just add your TechNet Wiki article to this list:


One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. This includes a dedicated blog post in the Wiki Ninjas blog, a tweet from the Wiki Ninjas Twitter account, an announcement on your forum, and other acknowledgement from the community. 

Winners will be voted on by five judges. The judges consist of 3 Microsoft MVPs and TechNet Wiki Community Council members and 2 Microsoft Employee SMEs (Subject Matter Experts -usually the people making the technologies). The judges will be looking for articles that are thorough, technically accurate, visually clear (images might help, but aren't necessary), and well written.


How to Enter

1) Create a new TechNet article. YOU CAN COPY YOUR CONTRIBUTION FROM MSDN/TECHNET FORUMS OVER TO TECHNET WIKI (IN AUGUST) TO QUALIFY FOR THESE AWARDS. You can also create a new article not related to your forum contributions. 

A) Log into TechNet/MSDN with your Microsoft credentials

B) Add your content as an article to TechNet Wiki: http://social.technet.microsoft.com/wiki/contents/articles/add.aspx%20  

If you are copying and pasting your MSDN/TechNet forum solutions over to TechNet Wiki, please give some introduction to the problem, make sure your steps are clear, and then link to the original forum post. You can also paste in your blog posts (rather than forum content).

2) Tell us about it! To add a link to your article:

A) Log into TechNet with your Microsoft credentials

B) Click the "Edit" tab on the list of August Guru articles, and copy in the URL  to your TechNet Wiki article into the appropriate section, along with your name and link to your profile!



We're looking forward to seeing your article!


Ed Price, Azure & Power BI Customer Program Manager (Blog,Small Basic, Wiki Ninjas, Wiki)

Answer an interesting question? Create a wiki article about it!

dfs 2003 not replicating


I am not sure what is happening, but when I put a simple .txt file on my root DFS server file share, it's not replicating out to remote sites.

Any idea?

Preventing a service to run during machine startup if DC not available


Hope to get some help on this:

My objective is to prevent an in-house developed service from running if Windows cannot connect to the domain controller during startup. The reason for this is that some old machines may have the hardware time wrong and, when they start up, if they are not able to communicate with the DC, their times will be wrong. Some down-level clients (devices using an embedded OS) get the time from these machines (Windows XP, Windows 7 Professional), and if the time is wrong and the service is running, the wrong time will be propagated, which can create havoc.

So, if it is possible to only allow the service to run if I am sure that the time is correct (that the machine has synchronized with a DC), then I can prevent down-level machines from synchronizing time with these Windows workstations. 

Is it possible? For example, if machine authentication with the DC fails during startup, the service shall not start. Is there any Windows service that is dependent on machine authentication with the DC (that can only run if machine authentication is successful)?

Valuable skills are not learned, learned skills aren't valuable.
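One way to build the gate the post above asks for, as an added example (not code from the original post or the poster's service): leave the service at Manual start and let a computer startup task start it only after the secure channel to a DC has been validated and w32tm reports a domain time source rather than the local CMOS clock. The service name InHouseTimeSvc is a placeholder; the script needs PowerShell 2.0 or later, so on the Windows XP machines mentioned the same two checks would have to be done with nltest /sc_query and w32tm from a batch file.

```powershell
# Added example, not from the original post. Start an in-house service only
# once (a) this computer's secure channel to a DC validates and (b) the Windows
# Time service reports that the clock came from a network source, not the
# local CMOS clock. Intended to run as a startup scheduled task under SYSTEM.
# Assumptions: 'InHouseTimeSvc' is a placeholder service name; Windows 7 /
# PowerShell 2.0+; w32tm /query exists (Vista and later).
$ServiceName    = 'InHouseTimeSvc'
$MaxWaitSeconds = 300

# The service must not start on its own; this script is the only thing that starts it.
Set-Service -Name $ServiceName -StartupType Manual

$deadline = (Get-Date).AddSeconds($MaxWaitSeconds)
$ok = $false
$source = ''
$channel = $false

while ((Get-Date) -lt $deadline) {
    # (a) Secure channel: false when no DC is reachable or the machine password is broken.
    $channel = Test-ComputerSecureChannel -ErrorAction SilentlyContinue

    # (b) Current time source. A box that could not reach a DC reports
    #     'Local CMOS Clock' or 'Free-running System Clock'; a synced domain
    #     member reports the DC it used (e.g. 'DC01.corp.example,0x8').
    $source = (w32tm /query /source 2>$null | Select-Object -First 1)
    $sourceIsNetwork = $source -and ($source -notmatch 'Local CMOS Clock|Free-running System Clock')

    if ($channel -and $sourceIsNetwork) { $ok = $true; break }
    Start-Sleep -Seconds 10
}

if ($ok) {
    Start-Service -Name $ServiceName
    "Started $ServiceName; secure channel OK, time source: $source"
} else {
    "Not starting $ServiceName: secure channel=$channel, time source='$source'"
}

# Note: a plain service dependency (sc.exe config InHouseTimeSvc depend= Netlogon/W32Time)
# only orders startup; both services start fine with no DC reachable, so it does
# not prove that the time was synchronized, which is why the checks above are needed.
```

Polling with a deadline matters here: on a cold boot the network stack, Netlogon and W32Time come up a few seconds apart, so a single check at task start would refuse to start the service on machines that would have been fine ten seconds later.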

Who created that user?


I need to setup audit on Domain Controllers to log who creates users.

I.e.: if I, with my login user xpto-admin, created user01, it needs to be possible to see that user01 was created by xpto-admin. 

Is there any step-by-step or can you guide me to accomplish this task?

Thanks in advance. 


Does LastLogonTimestamp get updated when an ADFS authentication occurs

Does anyone know if an ADFS auth triggers an update of the lastLogonTimestamp attribute?
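A way to answer the question above empirically rather than by reading documentation, as an added example (not code from the original post): read both lastLogon (per DC, never replicated, rewritten on every successful authentication that DC handles) and lastLogonTimestamp (replicated, but rewritten only when the stored value is older than msDS-LogonTimeSyncInterval, 14 days by default, less a small random amount) from every DC before and after one AD FS sign-in. The test account name is an assumption.

```powershell
# Added example, not from the original post. Snapshot lastLogon and
# lastLogonTimestamp for one account on every DC, sign in through AD FS, and
# snapshot again. Assumptions: 'testuser' is a placeholder; RSAT module present.
Import-Module ActiveDirectory

function Get-LogonTimes {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties lastLogon, lastLogonTimestamp
        [pscustomobject]@{
            DC                 = $dc
            lastLogon          = if ($u.lastLogon)          { [datetime]::FromFileTimeUtc($u.lastLogon) }          else { $null }
            lastLogonTimestamp = if ($u.lastLogonTimestamp) { [datetime]::FromFileTimeUtc($u.lastLogonTimestamp) } else { $null }
        }
    }
}

# The interval that throttles lastLogonTimestamp updates (unset = 14 days).
$domainDn = (Get-ADDomain).DistinguishedName
$interval = (Get-ADObject -Identity $domainDn -Properties 'msDS-LogonTimeSyncInterval').'msDS-LogonTimeSyncInterval'
"msDS-LogonTimeSyncInterval: $(if ($interval) { $interval } else { '14 (default)' }) days"

$before = Get-LogonTimes -SamAccountName 'testuser'
Read-Host 'Sign in through AD FS as testuser now, then press Enter'
$after  = Get-LogonTimes -SamAccountName 'testuser'

# lastLogon moves on the DC that validated the sign-in. lastLogonTimestamp moves
# on that DC only if its old value was older than the interval, and then
# replicates to the others; a fresh account or one that logged on yesterday
# will therefore show no change even though the authentication happened.
foreach ($dc in $before.DC) {
    $b = $before | Where-Object { $_.DC -eq $dc }
    $a = $after  | Where-Object { $_.DC -eq $dc }
    [pscustomobject]@{
        DC                      = $dc
        lastLogonMoved          = ($a.lastLogon -ne $b.lastLogon)
        lastLogonTimestampMoved = ($a.lastLogonTimestamp -ne $b.lastLogonTimestamp)
        lastLogon               = $a.lastLogon
        lastLogonTimestamp      = $a.lastLogonTimestamp
    }
}
```

To make the second column meaningful for a test account, age its lastLogonTimestamp first (or test with an account that has not signed in for longer than the interval); otherwise only lastLogon can be expected to move.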

Importing users from a CSV file into an Active Directory object



I am contacting you about a project I currently have in progress.

After exporting a whole set of users from another domain into a CSV file,

I would like to take that file and import all the users it contains into an OU of my Active Directory on another server.

Do you have any idea?

Thanks in advance!
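The import described above, as an added example (not code from the original post): rows from the CSV become accounts in one OU of the destination domain. The column names, the OU, the DC name and the UPN suffix are assumptions, and the two sample rows are constructed here so the block runs without the poster's file. Accounts are created disabled with a random, discarded password, so nothing reusable ends up in the CSV, the script or the shell history.

```powershell
# Added example, not from the original post. Create the users listed in a CSV
# export inside a single OU of another domain. Assumptions: columns
# SamAccountName, GivenName, Surname, Department; OU, DC and UPN suffix below
# are placeholders; the sample rows are constructed.
Import-Module ActiveDirectory

$TargetOu     = 'OU=Imported,DC=corp,DC=example'   # assumed destination OU
$TargetServer = 'dc01.corp.example'                # assumed DC in the destination domain
$UpnSuffix    = 'corp.example'

# Constructed sample. With the real export: $rows = Import-Csv -Path .\users.csv -Encoding UTF8
$rows = @'
SamAccountName,GivenName,Surname,Department
jdupont,Jean,Dupont,IT
amartin,Alice,Martin,Finance
'@ | ConvertFrom-Csv

$rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider

foreach ($r in $rows) {
    if (Get-ADUser -Server $TargetServer -Filter "SamAccountName -eq '$($r.SamAccountName)'") {
        Write-Warning "$($r.SamAccountName) already exists in the target domain, skipped"
        continue
    }

    # Random initial password that nobody knows; the account stays disabled until
    # a password is set out of band, and must be changed at first logon.
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    $tempPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-ADUser -Server $TargetServer -Path $TargetOu `
        -SamAccountName        $r.SamAccountName `
        -Name                  "$($r.GivenName) $($r.Surname)" `
        -GivenName             $r.GivenName `
        -Surname               $r.Surname `
        -UserPrincipalName     "$($r.SamAccountName)@$UpnSuffix" `
        -Department            $r.Department `
        -AccountPassword       $tempPw `
        -ChangePasswordAtLogon $true `
        -Enabled               $false
    "Created $($r.SamAccountName) (disabled) in $TargetOu"
}
```

Add -WhatIf to New-ADUser for a dry run against the real CSV; the existence check keeps a re-run idempotent if the import is interrupted halfway.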


Does AD FS vNext (Windows Server 2016 Technical Preview 3) support the OAuth2 on_behalf_of flow?

Account lockout in LDAPS



I have an external AD forest created in a DMZ, with 1 DC (2012 R2) running a Windows CA and AD DS, for which only the LDAPS port 636 is opened to the other network.

There is another 2008 R2 web server which is in a workgroup. The application (Java based) running on this box connects to this DC through LDAPS for user authentication / user account creation / deletion, using an LDAPS service account (configured inside the application).

All was set up and was working fine. However, it was found that the automatic unlock of AD accounts after 30 minutes, as per AD policy, was not working (the AD policy is set to lock the account after 3 wrong passwords, and another policy unlocks the account after 30 minutes).

After troubleshooting I found that all the accounts which were able to successfully authenticate to AD have the below sequence of events:

4776 - credential validation
4648 - explicit credential logon audit
4624 - successful logon audit
4634 - logoff event

However, users who have tried with a wrong password more than 3 times have the below scenario:

1. After 3 bad password attempts, users are not able to log in.
2. Accounts are actually not getting locked (no account lockout event) in AD.
3. An administrator logs into AD and unlocks the account from the user account properties (though the account is not locked as per the AD log). The user will then be able to log in with the right password.
4. Since the accounts were not getting locked, they were not getting unlocked by policy; however, users were not able to log in even when they used the right password after 3 attempts.
5. If I directly RDP to the DC with a bad password, an account lockout event is logged. However, if you come through the application authentication (LDAPS account) it's not getting locked.

I suspect that in event ID 4624 the impersonation level is set to Impersonation, so the bad password attempts are not considered as coming from the user object directly; since the LDAPS service account is impersonating the actual user account, the actual user account is never locked. Let me know if this is right.

I also suspect that the impersonation level is set in the application, with nothing to configure in AD.

Please let me know your thoughts. I have never seen this behavior; this is really something new to me. I have to get the auto unlock feature working.

Thank you..
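Before reasoning about impersonation levels, the DC itself can say what it recorded for the account in question. The following added example (not code from the original post) reads the lockout policy that actually applies to the account, the per-DC counters badPwdCount, badPasswordTime and lockoutTime (badPwdCount is not replicated, so it must be read from the DC the application binds to; here there is only one), and the failed-credential and lockout events on that DC, so the attribution of each failure can be compared with the application's behaviour. The DC and account names are assumptions.

```powershell
# Added example, not from the original post. Show what the DMZ DC recorded for
# an account after failed LDAPS binds: applicable lockout policy, the
# non-replicated bad-password counters, and the related Security events.
# Assumptions: DMZDC01.dmz.example and 'appuser7' are placeholders; run with
# admin rights in the DMZ forest and RPC access to the DC's event log.
Import-Module ActiveDirectory

$Dc   = 'DMZDC01.dmz.example'   # the single DC reachable on 636
$User = 'appuser7'

# 1. The policy this account is really subject to: a fine-grained password
#    policy (PSO) overrides the domain default when one applies.
$pol = Get-ADUserResultantPasswordPolicy -Identity $User -Server $Dc
if (-not $pol) { $pol = Get-ADDefaultDomainPasswordPolicy -Server $Dc }
$pol | Select-Object Name, LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. Per-DC counters. badPwdCount reaching LockoutThreshold is what sets
#    lockoutTime; LockedOut is derived from lockoutTime and LockoutDuration.
Get-ADUser -Identity $User -Server $Dc -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut |
    Select-Object SamAccountName, badPwdCount,
        @{n='badPasswordTime'; e={ if ($_.badPasswordTime) { [datetime]::FromFileTimeUtc($_.badPasswordTime) } }},
        @{n='lockoutTime';     e={ if ($_.lockoutTime)     { [datetime]::FromFileTimeUtc($_.lockoutTime) } }},
        LockedOut

# 3. The DC's own record of recent failures and lockouts: 4776 (credential
#    validation; Status 0x0 is success), 4625 (failed logon), 4740 (lockout).
#    Which account each event names is the attribution the post is asking about.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -ComputerName $Dc -FilterHashtable @{ LogName = 'Security'; Id = 4776, 4625, 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Account = $d.TargetUserName
            Status  = if ($d.SubStatus) { $d.SubStatus } else { $d.Status }
            Source  = if ($d.IpAddress) { $d.IpAddress } elseif ($d.Workstation) { $d.Workstation } else { $d.WorkstationName }
        }
    } |
    Where-Object { $_.Account -eq $User -or $_.Id -eq 4740 } |
    Sort-Object Time | Format-Table -AutoSize
```

Reading the counters immediately after three deliberate bad binds from the application, and again after three bad binds from the RDP path the post mentions, shows directly whether the LDAPS path increments badPwdCount for the user at all; if it does not, the failures are being charged to a different account (or not validated by this DC), and the events in step 3 name which one.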

nslookup reveals wrong setup


I am having trouble with what my nslookup is saying:

PS C:\Users\Administrator> nslookup
Default Server: UnKnown
Address: fe80::xxxx

Firstly, it is giving me an IPv6 address, not an IPv4 one. 

Secondly, the Default Server is unknown, maybe because it is IPv6.

I am working in WS2012 R2 and have a working website.

I just can not add a Computer.

How do I get my server: mysite.com to show up as Default Server?

How do I work with the IPv6 Address?
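This post and the earlier "Win 10 Pro Computer" post describe the same symptom from two sides: the join wizard fails because the SRV record _ldap._tcp.dc._msdcs.mysite.com is not found, and nslookup on the server shows "Default Server: UnKnown" with an IPv6 address. The added example below (not code from either post) runs the same SRV query the join performs from the client, lists which DNS servers the client is actually using, and does the reverse lookup that nslookup attempts when it prints the default server's name: "UnKnown" means the resolver's address has no PTR record, not that the resolver is broken. mysite.com is taken from the posts; Resolve-DnsName and Get-DnsClientServerAddress need Windows 8 / Server 2012 or later (on Windows 7 use nslookup -type=SRV).

```powershell
# Added example, not from either post. Reproduce the DC-locator DNS lookup that
# domain join performs, and explain nslookup's "Default Server: UnKnown".
# Assumptions: mysite.com is the AD DNS domain name as in the posts; run on the
# client that fails to join (Windows 8 / Server 2012 or later cmdlets).
$Domain = 'mysite.com'

# 1. Which DNS servers is this client configured to use, per interface?
$servers = Get-DnsClientServerAddress | Where-Object { $_.ServerAddresses }
$servers | Select-Object InterfaceAlias, AddressFamily, ServerAddresses

# 2. The exact record the join wizard asked for.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No SRV record for $srvName from the client's DNS servers (error 0x251D in the wizard)."
    Write-Warning "The client must use the AD-integrated DNS server (the DC), not a router or ISP resolver, and the DC must have registered its records (on the DC: nltest /dsregdns)."
} else {
    $srv | Where-Object { $_.Type -eq 'SRV' } |
        Select-Object Name, NameTarget, Port, Priority, Weight
}

# 3. Why nslookup says "UnKnown": it reverse-resolves the first DNS server's
#    address; with no PTR record for it (common for IPv6 link-local fe80::
#    addresses) the name is printed as UnKnown.
foreach ($ip in ($servers | ForEach-Object { $_.ServerAddresses })) {
    $ptr = (Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue).NameHost
    "Reverse lookup of {0}: {1}" -f $ip, $(if ($ptr) { $ptr -join ', ' } else { 'no PTR record (nslookup shows UnKnown)' })
}

# 4. The DC locator's own verdict, which is what the join actually relies on.
nltest /dsgetdc:$Domain /force
```

If step 2 fails on the client but succeeds when run on the DC itself, the client is pointed at the wrong resolver; if it fails on the DC too, the zone is missing the _msdcs records and the DC's Netlogon service has to re-register them.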

Password Expiration


Hello all,
I have the password expiration notification script. It is working perfectly, but when
I try to set the script on my DC in the secondary domain (we have multiple domains in a single forest), I get the notifications for the first domain.
When I run Get-ADDefaultDomainPasswordPolicy in PowerShell on the DC in the secondary domain, I get the result of the first domain.
Our DCs are found on the same site (we have two sites).

Any idea why I get the ADDefaultDomainPasswordPolicy of the other domain?



Moving a 2012R2 AD Integrated DNS to a new IP address in a different location


I recall that moving a 2003 AD Integrated DNS server to a different address space was not a trivial exercise.   Is there any updated guidance or procedure change for 2012R2?  The best references I have found refer to 2003 and 2008.

Thanks for your help!

Mark Massey, MCP 316,MCSE
