Channel: Directory Services forum

Removal of Missing DC


I have a question on removal of a missing DC. On our network, the current Administrator doesn't know a lot about Active Directory and at some point, he retired a DC by simply removing the PC from the network and tossing it. He didn't demote it and remove it, just pulled the PC out.

Then he did it again, to another DC (there were three; now there is one). Not only was this second DC not removed properly, it was also the secondary DNS server on the network. Anyway, I just happened to notice it so I promoted one of my servers to a DC to use as a secondary DNS et cetera. It's not my network, so I didn't move any FSMO roles or anything, I simply did it to make sure that my portion of the network continues to operate if he does something else that's, well you get the point.

My question though, since I have never actually just removed a DC like this, is how do I clean up AD to get that server out of the nest?

I read a few articles that say (see below) to just delete it and select the (Domain Controller is permanently offline ...) and I do, but mine then asks me one more question and I am not sure if answering it will mess up anything or not, so I am coming here to ask for confirmation that continuing on will not impact anything negatively.

Here is the thing I get asked which isn't listed below (added missing image):

Do I want to select Use Delete Subtree server control and continue, leave it unselected and continue, or not continue at all?

All the FSMO roles are on another server, I don't know what was on this server before it was yanked out. But I believe it's causing replication issues or at least lengthy ones as they search for it before timing out.

Any help would be appreciated. Domain Functional Level is still 2003.



  1. Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. If you have identified replication partners in preparation for this procedure and if you are not connected to a replication partner of the removed domain controller whose metadata you are cleaning up, right-click Active Directory Users and Computers <DomainControllerName>, and then click Change Domain Controller. Click the name of the domain controller from which you want to remove the metadata, and then click OK.

  3. Expand the domain of the domain controller that was forcibly removed, and then click Domain Controllers.

  4. In the details pane, right-click the computer object of the domain controller whose metadata you want to clean up, and then click Delete.

    [Image: Metadata Cleanup in ADUC]

  5. In the Active Directory Domain Services dialog box, click Yes to confirm the computer object deletion.

  6. In the Deleting Domain Controller dialog box, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete.

    [Image: DC offline in AD Users and Computers]

  7. If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.

  8. If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown.

    You cannot change this domain controller. If you want to move the role to a different domain controller, you must move the role after you complete the server metadata cleanup procedure.
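To confirm that a forcibly removed DC's metadata is really gone after the deletion steps above, here is an added PowerShell check (not from the post or the quoted article). It walks every NTDS Settings object in the Configuration partition and flags those whose server object's serverReference no longer points at an existing computer account, which is exactly what a pulled-out DC leaves behind. It assumes the ActiveDirectory RSAT module and read access to the Configuration partition.

```powershell
# Added example: detect lingering domain-controller metadata after a forced removal.
# Assumes the ActiveDirectory module (RSAT) and read rights on the Configuration partition.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# Every NTDS Settings (nTDSDSA) object; each sits under a server object in CN=Sites.
# A DC that was simply switched off and thrown away still has one of these.
$ntdsObjects = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase $configNC

$findings = foreach ($ntds in $ntdsObjects) {
    # The parent DN is the server object; its serverReference names the DC's computer account.
    $serverDN = ($ntds.DistinguishedName -split ',', 2)[1]
    $server   = Get-ADObject -Identity $serverDN -Properties serverReference

    $computerExists = $false
    if ($server.serverReference) {
        try {
            $null = Get-ADObject -Identity $server.serverReference
            $computerExists = $true
        } catch {
            # Get-ADObject throws when the referenced computer object no longer exists.
            $computerExists = $false
        }
    }

    [pscustomobject]@{
        Server            = $server.Name
        NtdsSettingsDN    = $ntds.DistinguishedName
        ComputerAccount   = $server.serverReference
        LingeringMetadata = -not $computerExists
    }
}

# Rows with LingeringMetadata = True still need metadata cleanup (the ADUC deletion or ntdsutil).
$findings | Sort-Object LingeringMetadata -Descending | Format-Table -AutoSize

# Replication partners that still try to reach a removed DC show up here; run on a surviving DC
# and confirm no entry names the server that was pulled out.
repadmin /showrepl /errorsonly
```

The serverReference check catches the case in the post (computer object gone, Configuration objects left behind); a server object with no serverReference at all is also reported, since that is the other common leftover.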

Active Directory Certificate Services Terms of Use



I am looking for the Terms of Use for the Active Directory Certificate Services. In particular the ones for Certificate Enrollment Web Service (CES and CEP).

I found something similar but for IIS in the section about API. Though I couldn't dig up anything for Active Directory and its related roles and 


Member Server Trying to Reach DC's in Another Site


We have a separate AD Site set up for our DMZ. Within our DMZ Site, we have two RODCs. I have a member server inside of the DMZ which I want to communicate exclusively with the RODCs for any AD requests. 

I have my subnets set up correctly in Sites and Services to ensure that the member server uses the RODCs as it should. If I issue the 'nltest /dsgetdc:<domainname>' command from the member server, the correct RODC and Site is returned as it should be.

However, I'm looking at the firewall between our DMZ and our main network, and I'm finding that my member server in the DMZ is still regularly trying to make LDAP connections to the DCs on my internal network. What other reasons would cause the member server to still attempt LDAP connections to my other DCs?

Active Directory Server Freezing


Dear Sir/Madam,

I have a server (SRV-1) containing the master Active Directory and a server (SRV-2) containing the replica Active Directory. 

1. I don't have a backup of the system state.

2. SRV-1 is freezing after 3 minutes of work and I'm not able to back up the system state.

3. How can I convert SRV-2 into the master Active Directory? I'm afraid that if I start the master transfer schema and the server freezes it will damage my replica Active Directory. In this case my whole network will stop.

Any good idea for solving my problem?

RPC server is unavailable on DSA.MSC and GPMC.MSC for a specific DC


Hi everyone,

I have an issue: when trying to open my dsa.msc and "change domain controller" to a specific one, I always get "The following domain controller could not be joined: xxxxx The RPC server is unavailable".

I have this also with gpmc.msc

However this applies to only one specific DC and for these consoles; all the other DCs are working fine and I can connect successfully to this DC with dnsmgmt.msc or the event viewer.

I have a single forest/single domain configuration, all my DC run 2012 R2 OS and have 2012 R2 domain/forest functional level.

I also have to say that it had been working very well for quite a few months. However, since Friday, the network team put in place two Riverbeds between the site where this DC is located and the site where I am (there is an MPLS link between the two Riverbeds). I clearly suspect this is the problem (the coincidence is very strong) but I have no way to justify it yet.
I've asked the network team to put the Riverbeds in bypass mode, we'll see...

Firewalls have been checked and all AD ports are open (as it was the case before this network change) therefore I do not think it is FW related.

I did check replications and everything is fine on this point.

A dcdiag executed on this DC passes every test.

Any hint or advice would be very much appreciated...

Thanks a lot :)

How to remove WINS from DHCP

How do I remove WINS from all Scope Options in DHCP, and will that have any adverse effects in production?

Failed to authenticate - event id 14


Recently I changed the domain functional level to Windows 2008 and upgraded all DCs from 2003 to 2012 R2.

Now I'm receiving some errors (event id 14) when I try to log on to the Cisco ISE Web portal.

While processing an AS request for target service krbtgt, the account xxxxx did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18  17  23  -133  -128  24  -135. The accounts available etypes : 23  -133  -128  3  -140. Changing or resetting the password of xxxxx  will generate a proper key.

Any idea?



single primary dc missing many of the sysvol folders


My SYSVOL became corrupted when a DC was pulled out of service due to a company split.

My server is now the primary, but the SYSVOL is not complete; it is missing many files/folders, including scripts, etc. As a result I cannot fully deploy anything in the GPO.

I tried an authoritative restore, but in one case the event log reported it could not create the scripts server share as the system could not find the file specified. (5706, netlogon)

I have no backup of the SYSVOL, but given the corruption, I am perfectly fine setting this back to square one and starting over. I was hoping the D4 flag would do that, but that doesn't appear to be the case.

So what is the easiest and fastest way to get the SYSVOL folder tree completely reset as if it was brand new?

I was hoping the MS article would help, but I get very confused with the steps, as they seem to relate to installations with many DCs: https://support.microsoft.com/en-us/kb/315457

I appreciate any help you could offer.

Unable to reset the ADFS 3.0 Illustration back to the ADFS 3.0 default


Hi There,

I'd set the ADFS 3.0 Illustration page to a custom one. However, I now need to set it back to default.

The Illustration page was by default -> {[, System.Byte[]]}

However, when I reset it to @{} it didn't set it back to the above, and if I try setting it to the above, it gives a syntax error.

This is causing the Illustration 3.0 page to show as plain blue, without the default style.

Can you kindly help me restore it back to the default please?

Regards, Kartikesh Nadar MCSA 2008, MCTS, VCP, ITILv3

Domain Clients starting slow


hello experts 

Our company has domain controllers. The domain controllers run Windows 2008 R2 and Windows 2003 R2 SP2.
Today my technician reported to me that Windows XP clients' login is too slow, taking about 30 minutes to bring back the login window. Does anyone have an idea about this problem?
I looked at the slowed computer's event log; the application error log showed me:

Application DeviceLock Service (2) from policy Device_lock_install_32bit was configured to upgrade application DeviceLock Service from policy Device_lock_install_32bit.

The assignment or install of the upgrade application DeviceLock Service (2) from policy Device_lock_install_32bit failed with error : The installation source for this product is not available. Verify that the source exists and that you can access it. The upgrade will be aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I think the cause of the problem is that our domain controllers' OS versions are Windows 2003 and Windows 2008. Is this right?

Please suggest and help me fix the slow login window on the domain clients.


Permissions required for NOC Team


We are working to lock down our access permissions and trying to put in place a granular access model so that only the required rights are present for the teams:

Would like to know how we can accomplish some of these activities, without giving away Admin rights.

Start & Stop Services on Windows 2008 and above servers

Clean up DiskSpace on Servers

Issue finding which logon server a remote workstation is currently connected to?


Hi Guys,

(Get-WmiObject -Class win32_ntdomain -Filter "DomainName = 'domain'" -ComputerName made_up_workstation_name).DomainControllerName

When I run the above on my workstation it gives the same value as the set variable Logonserver.

When I run it on my colleague's workstation it gives a valid DC but not the one that shows in its set variable Logonserver.

I get the same results whether I run it locally or remotely on both workstations.

Any ideas ?

how to get last logon user details of a particular computer from active directory. Note computer is not online, we have to get it from the ad logs , how? please

Password Complexity error


I have a password policy with minimum password length 8. I am facing a unique issue: I am unable to set a password above 8 characters. Does minimum length also mean maximum? Bit confused, as in my test domain with the same setting, I can set a 10 character password.

I have been beating my head for the last two days on this issue, unable to find why it is not allowing me to set a longer password. I verified there is no FGPP applied.


Help Desk Group - Delegating Rights and allowing access



I followed the steps in another thread (https://social.technet.microsoft.com/Forums/en-US/f1846ea7-31fc-4d38-8950-ef7d86f3cefb/need-to-create-help-desk-users-to-unlock-andor-change-passwords?forum=winserverDS) on delegating rights to a "help desk group" to allow this new group to do limited things in AD (create accounts, reset passwords etc).  I applied this to the OU where most of our users objects belong.

Having done that, how do I give the help desk person access to the appropriate programs (users and computers for instance) so they can make these changes?  Do they log in as themselves to a domain controller to fire up "users and computers"?  Or can they still do too much on a DC?  (I only want them to be able to a) create users b) reset pwd c) add a computer to the domain).

Or can you somehow install some sort of snapin on their local PC to allow them access to users and computers?

I added them as a remote user to the domain controller but they still could not log in.



GPO Issues with User Rights Assignment "Log on as Service"


Please feel free to move this into a more appropriate category as I feel the Forum selection area is too limited to make much sense out of.

The issue that I am experiencing at this time is that I have a few software packages that require administrative rights to PCs and also require the "Log on as Service" right.  This software package is from GFI and is to help manage our use of external media devices and help maintain updates to Windows and other software.

I have tried using a GPO to send out the required changes to add Service Users, users we create per service which requires administrative rights, to both the Local Security "Log on as Service" right and the Local Administrators group.

There is a conflict that occurs that I am having trouble with finding a workaround other than using BAT/PS1 scripting with a 2003 Server Resource Kit file, NTRIGHTS.zip.  The conflict that happens is the following...

I have three servers, 1-DC 2-SQL 3-HyperV.  Each server has its own default assignments in the Local Security Policy user right "Log on as Service".  If I have the DC push this created GPO out to the SQL and HyperV servers, they lose their defaults and only use the users stated in the GPO.

This issue became known when I tried to manage a VM within Hyper-V Manager on the server and kept getting a 'User does not have sufficient rights' error.  This also occurred while using full administrative credentials even with elevated Hyper-V Manager.  I looked on the SQL server and found the same had taken place with the GPO dropping the default and overwriting the rights area with just those users, dropping all SQL\* Users from the list.

I retracted this policy and all went back to normal after a restart of the test servers and have been looking for a workaround ever since.  I would like to know of a better way to do this other than using startup scripts to add the necessary users to the rights item.  I don't like the idea of using CarbonDLL or having to put a utility such as NTRIGHTS.exe on a network share for machines to access on boot and have it fail due to no network connection at the time the script would run.

Also, these are not the only software packages that have this as a requirement that we use around the company.  If I were to push this GPO to production, it would kill various other packages for reporting services and data collection services we have on our production floor.

Any ideas would be helpful.

Thanks in advance.

dcpromo The operation failed with the following error: "The parameter is incorrect."


I just installed the Windows 2008 R2 trial. All defaults.

I ran DCPROMO and the server rebooted unexpectedly during this. After the reboot I tried again. When starting DCPROMO I get:

The operation failed with the following error: "The parameter is incorrect."

How do I solve this?

The server with this IP address is not authoritative for the required zone.


I have a site, call it xyz.com, that has its public DNS, website, etc hosted with an ISP.  Works fine.  I have a small amount of control over the settings in the DNS server for xyz.com

We have 2 locations, one that was set up as a.xyz.com for the domain (192.168.1.x) and b.xyz.com (192.168.8.x) , but there is no DNS information about just xyz.com.  They are self contained units, with b being added much later.

When I try to establish a trust between a.xyz.com and b.xyz.com, neither thinks the other is authoritative for the other's domain.  Seems like I need some glue records somewhere to get this to work, but a conditional forwarder won't validate, tells me that the other server is not authoritative for that domain.

Tried to add a secondary DNS server on b for a, and a for b, and the step where it confirms the domain name fails as well.

DNS internally is working fine for the few clients that are on it, but the clients are dedicated machines essentially serving one function, and don't really have any need to talk to anything else, except on a very occasional basis.

What do I need to do?  Seems like I may need some kind of glue records at my ISP's DNS, but then I'd be handing out private IP's for the queries, which is OK, or I need another internal DNS server for xyz.com that has the right records.

What's my next step?

Thanks for any help.

AD server being moved considerations


We are running Windows 2012 R2 AD DS and have built out an environment here in our corporate office for a new site. One of the builds is an AD Server. We need to take the environment offline including the new AD server for 1-2 weeks to ship it to our new location. 

We know taking the AD server offline will cause our existing AD infrastructure to belch for a while but we don't completely know the ramifications when we bring the server back online.  Will it just download the changes to the AD environment since it was taken offline or will it reload the entire AD DB since it was offline for an extended period?  Is this a safe method or would it be better to DCPromo it and bring it back online as a DC at our new site?  What are the concerns with this process?

Look forward to replies.

working with ldap browsers


this question is related to


As I want to help the vendor with their LDAP authentication, I installed an LDAP browser and tried to make a connection from it. From what I can tell, I am unable to browse my AD tree UNLESS the initial credentials that I use in this LDAP browser are a domain admin's. That is fine with me but what about those vendors? I cannot provide them admin credentials in order to do an LDAP bind.

Is this how you normally bind with an LDAP tool? Use an admin credential? I was under the impression that any domain user can read the AD tree.
