Channel: Directory Services forum

DC+DNS Race Condition


Hi,

I will try to be concise, the short question is:

What is the best DNS configuration (on the network card) on Domain Controllers that are also DNS Servers?

Is this the best? (Found it here: https://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/)

  • If multiple DCs that are DNS servers are in a domain environment, the recommendation is to have all DCs point to ANOTHER/REMOTE DC's IP address as preferred DNS and then point to its own private IP address as an alternate DNS.

I would really like to share with other admins and IT consultants what your preferred setting is and what MS says about this, because I experienced a race condition when all DCs were started at the same time and every DC was waiting for the other to start its DNS and DS services.

Thanks


Windows service sending a bulk of email


I've written a Windows service that imports a CSV into Dynamics CRM. It is supposed to do its job on a daily basis, early in the morning around 5 a.m. It also sends an email if any error occurs. Now, it is working fine, but sometimes it sends a bulk of emails, around 1000. And when I drill down into the CSV, everything is imported without any problem.

Can anybody let me know how I can fix the issue, as it's embarrassing.

Which ports should be open on the firewall in the DMZ when ADFS is run?


Hi everyone,

I would like to know which ports should be open on the firewall in the DMZ when ADFS is run in an internal network environment.

Therefore, could you let me know of any articles which describe information regarding my request?

Any information is welcome.

Thanks

ADMT - SID history not working


Hello guys,

I have stopped at ADMT migration tests. I am using ADMT 3.2 installed within my resource forest (FFL = WS 2003). I have a resource forest with 4 child domains divided per continent.

Resource forest and domain functional level: WS 2003. Target forest: WS 2003; target child domain functional level: WS 2008 R2.

A two-way external trust is in place with the SID filtering feature disabled. I have created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\TcpipClientSupport (DWORD with value 1) on the resource PDC.

My ADMT service account is a member of the built-in Administrators group in the resource forest and of Domain Admins in the target domain. I'm able to migrate users from the resource to the target forest including passwords (PES already configured), but when I want to use the option to migrate SIDs to the target domain, I get an error:

Does anyone know what is the root cause? Thank you for help!

Petr Weiner


Establishing Global Active Directory ( GAD)


Hi all,

Our parent company is proposing GAD and I want to know a bit more about the setup.

We are a separate forest in a different country. So if we are the resource domain and they are the account domain, how will our users be impacted by this design?

We have 5 sites and each site has 200+ users.

What will happen to our AD servers? Domain? Mail? Groups and shares?

At a high level, I know they want one AD to manage.

As

 

User CALS license


Hi Team,

Greetings. A domain controller (ADS) is installed and placed in India. We have to procure User CAL licenses.

Can we buy and use CAL licenses from the US? Because they are cheaper than the Indian cost.

Kindly clarify my doubt and let me know if this is possible.

Ramaiah C

9590583151


Windows Server 2012 - User CAL license


Hi Team,

I would like to know: if I purchase User CAL licenses from the USA, can I use them in the India office?

Note: the server is located in India.

Please let me know and clarify my doubts.

Regards,

Ramaiah C

Renaming User Accounts using DSMOD command


Hi,

The DSMOD command provides the facility to change various attributes of a user account. However, I want to change a particular section of the user account, which I am not able to do using DSMOD. I have attached the screenshots, where I have circled the value that I want to modify.

Requesting support, as I need to modify this value on around 1000+ users.


Thanks,

Amit Jogi



Active Directory Services - Domain Controller


A department has requested you set up a new user on our Windows domain controller.

You create the user, but happen to notice that while the user exists on the server on which you created the new user, the second domain controller does not show this change.

a. What might be a reason for this condition?

b. What steps or tools would you employ to resolve this if the condition persists?

How to determine users authenticate to an application via their UPN


Hi,

Can we understand whether a user account authenticates to an application with its UserPrincipalName (UPN) by viewing Domain Controller event log records or some other logs on a Domain Controller? Our goal is to understand how many user accounts use their UPN to authenticate to an application.


Thanks for your help! SdeDot

Windows Server - Warning Message


Windows server has a recurring warning happening at random intervals. The event ID is 1020 and the source is DHCP-Server.

Questions regarding this error:

a. What does this problem indicate?

b. What steps would you take to resolve the error and the underlying condition causing the issue?

Servers disjoined from DC


Hi all,

We need to monitor the servers which are disjoined from the domain controller. Can you all please help me with how to find out which servers have been thrown out of the domain?

Active Directory Error


Hi community,

I used to have two domain controllers. I've demoted one of them, so I'm thinking it should not need to replicate. However, I get this error when running dcdiag.

Starting test: NCSecDesc
   Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
      Replicating Directory Changes In Filtered Set
   access rights for the naming context:
   DC=DomainDnsZones,DC=test-ip,DC=net
   Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
      Replicating Directory Changes In Filtered Set
   access rights for the naming context:
   DC=ForestDnsZones,DC=test,DC=net
   ......................... testserver2008R2 failed test NCSecDesc

How can I fix this?

Frequent error on AD DS Windows Server 2008 R2


I have an error that shows every day on my Active Directory server:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          8/25/2015 8:43:54 PM
Event ID:      2887
Task Category: LDAP Interface
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      NGFS1.guzmor.local
Description:

During the previous 24 hour period, some clients attempted to perform LDAP binds that were either: 
(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or 
(2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection 

This directory server is not currently configured to reject such binds.  The security of this directory server can be significantly enhanced by configuring the server to reject such binds.  For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. 

Summary information on the number of these binds received within the past 24 hours is below. 

You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher. 

Number of simple binds performed without SSL/TLS: 2 
Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS LDAP" />
    <EventID Qualifiers="32768">2887</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>16</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-26T03:43:54.003849000Z" />
    <EventRecordID>3613</EventRecordID>
    <Correlation />
    <Execution ProcessID="620" ThreadID="788" />
    <Channel>Directory Service</Channel>
    <Computer>NGFS1.guzmor.local</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>2</Data>
    <Data>0</Data>
  </EventData>
</Event>

Since this started to show, some of my computers show an error when trying to log in.

The trust relationship between this workstation and the primary domain failed.

And some mapped drives fail to connect.

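Added example (not part of the post above and not Microsoft tooling): a short Python script that parses the Event XML shown in the post and turns the two counters of event 2887 into defender findings, so that a DC still accepting cleartext simple binds or unsigned SASL binds can be spotted before the server is configured to reject such binds. It assumes the order of the two Data elements matches the description text in the post (first simple binds without SSL/TLS, then unsigned SASL binds); the second record and the host name dc2.example.invalid are constructed for the demonstration.

```python
"""Parse Directory Service event 2887 records (Event XML) and turn the two
counters into findings a defender can act on.

Event 2887 summarises, once per 24 hours, how many LDAP binds the DC accepted
that were (1) simple binds over a cleartext connection or (2) SASL binds that
did not request signing. Knowing which DCs still see such binds is the first
step before configuring them to reject such binds."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the Event XML from the post, trimmed to the elements
# this parser uses. The two <Data> values match the description text
# ("simple binds without SSL/TLS: 2", "binds without signing: 0").
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" EventSourceName="NTDS LDAP" />
    <EventID Qualifiers="32768">2887</EventID>
    <TimeCreated SystemTime="2015-08-26T03:43:54.003849000Z" />
    <Channel>Directory Service</Channel>
    <Computer>NGFS1.guzmor.local</Computer>
  </System>
  <EventData>
    <Data>2</Data>
    <Data>0</Data>
  </EventData>
</Event>"""

# Constructed second record for a DC that is already clean (both counters 0);
# the host name is a placeholder, not from the post.
CLEAN_EVENT_XML = SAMPLE_EVENT_XML.replace(
    "NGFS1.guzmor.local", "dc2.example.invalid").replace(
    "<Data>2</Data>", "<Data>0</Data>")


def parse_event_2887(xml_text):
    """Return the counters from one event 2887 record.

    Assumption (taken from the post's description text): the first <Data>
    element is the count of simple binds without SSL/TLS and the second is
    the count of Negotiate/Kerberos/NTLM/Digest binds without signing."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if event_id != 2887:
        raise ValueError(f"expected event 2887, got {event_id}")
    data = [int(d.text) for d in root.findall("e:EventData/e:Data", NS)]
    if len(data) != 2:
        raise ValueError("event 2887 carries exactly two counters")
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "simple_binds_without_tls": data[0],
        "unsigned_sasl_binds": data[1],
    }


def assess(summary):
    """Map the counters to findings; an empty list means the DC saw no
    insecure binds in the reported 24-hour window."""
    findings = []
    if summary["simple_binds_without_tls"] > 0:
        findings.append(
            f"{summary['computer']}: {summary['simple_binds_without_tls']} "
            "simple bind(s) sent credentials over cleartext LDAP; identify "
            "the clients before enforcing LDAP signing/LDAPS")
    if summary["unsigned_sasl_binds"] > 0:
        findings.append(
            f"{summary['computer']}: {summary['unsigned_sasl_binds']} "
            "SASL bind(s) without signing; those sessions are open to tampering")
    return findings


def triage(xml_records):
    """Parse many exported records (e.g. one per DC) and return only the
    computers that still need attention, keyed by computer name."""
    report = {}
    for record in xml_records:
        summary = parse_event_2887(record)
        findings = assess(summary)
        if findings:
            report[summary["computer"]] = findings
    return report


if __name__ == "__main__":
    for computer, findings in triage([SAMPLE_EVENT_XML, CLEAN_EVENT_XML]).items():
        print(computer)
        for line in findings:
            print("  -", line)
```

Feed it the Event XML exported from each DC's Directory Service log; only DCs with a non-zero counter come back. The event text itself says how to find out which client is responsible: raise the "LDAP Interface Events" diagnostic category to level 2 or higher, after which the DC logs a separate entry (event 2889) per offending bind with the client's address and account.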

Turning off DC's


We have two sites, A and B, and B, which is in another state, already communicates with A. Site B will be shutting off two DCs (Windows Server 2008 R2); they are DNS and global catalog servers and DHCP, with no FSMO roles, which are handled by Site A's main domain controller.

We're using intersite replication between site A and B. What do I need to do?

My question would be: how should I do this?

* Dcpromo before shutting down

* Shut them down and then dcpromo /forceremoval

Do users at site B have to log off then back on to authenticate to domain controllers at site A?

All I want to do is remove these two servers and need to know the best way so that users in site B are able to logon and authenticate like nothing happened.



Problems authenticating from legacy domain to trusted domain when trusted domain RWDC at location becomes unavailable.


Configuration details for location:

LegacyDomain (legacy.pri): Single Forest, empty root with single sub-domain: Windows 2000 Forest Level with Windows 2000 DC (I know I just typed W2K but I don't have the magic wand to make developers move their systems ;-)

TrustedDomain (prod.pri): Single Forest, single domain: Windows 2003 Forest Level with 1 - Windows 2008R2 RWDC and 1 - 2012 RODC

Problem:

We're having issues authenticating users in prod.pri from systems in the legacy.pri when the RWDC in prod.pri becomes unavailable at the site.  The PDC for prod.pri is at another location and there are a number of DCs globally located outside the site with the problem.  

This issue was experienced prior to the addition of the RODC at the site in prod.pri when the RWDC at the site became unresponsive due to a disk full condition.  (It is likely this issue could exist at other locations that just haven't had the conditions align)

Three weeks ago an RODC was added to the site for prod.pri.  Last week in an attempt to convert the site from having a RWDC on prod.pri to only having a RODC, the RWDC was disconnected from the LAN for testing.  While users on prod.pri experienced no issues authenticating with systems on prod.pri *(we confirmed connections in the logs on the RODC) we did experience authentication failures for users in prod.pri authenticating on systems that remain in legacy.pri.

Unfortunately I'm also in an outsourced service provider model so every step in troubleshooting includes a time lag.  Any idea if we just have an issue where we need to flush something on the legacy.pri systems or is there something else at play in the complexity of domain trusts?

Thanks,

Jeff

Old Domain Controller (W2K3) Decommission process in active directory


It's a single domain environment with 3 DCs: 2 DCs are running Windows Server 2008 R2 and one is running Windows Server 2003.

Planning to decommission the Windows 2003 domain controller.

Below is the plan. Please have a look and correct it if any steps are going in the wrong manner.

  1. Change the DNS IP of the domain controller planned for decommission on all the systems to the available DNS servers.
  2. Change the DNS IPs hard-coded in applications and correct the DHCP scope DNS settings.
  3. Transfer the FSMO roles from this old server.
  4. Check the health status of domain replication. If it is good:
  5. Stop replication on the Windows 2003 DC (inbound and outbound).
  6. Disable the NIC card.
  7. Shut it down for 1 week and monitor. ==> Will this cause any issues apart from replication? The tombstone period is 1 month for this domain.
  8. If no issues are found:
  9. Demote the server from the domain and clean the metadata using the ntdsutil tool.

___________ Ravi Ch

Active Directory user get locked frequently from 1 pc


Dears,

I have Windows Server 2012 and the client is Windows 7. One of the IT help desk members gets locked out at any time.

I already know the PC name and have done all the troubleshooting steps.

I deleted the cached user profile, also checked the Credential Manager, ran a full scan with McAfee, Malwarebytes and the MS Conficker worm removal tool, and also checked all the running services,

but the user account still gets locked.

I just need a way to know which process or application uses the user's credentials.


Moving and reorganizing an AD domain for users and computers - some basic questions


Hi all,

I am moving, renaming and generally reorganizing an AD domain that has really not been touched in a couple of decades. I've got a bunch of questions so I don't mess it up:

1) can I move user or computer or groups "live" during the day?  That is, if someone is logged in when I move their user object, when the object is "refreshed" (I know that group policy is refreshed during the day), will this cause a problem for the user?  Likewise for a server or a computer (I would like to move the servers out of the general "computers" container into their own container so that some group policy items are not applied to them).  And then the same for groups - can they be moved live without affecting the security on the network.

2) the previous admin put all user security groups within the OU that holds the users.  But I don't see any reason to do that and would rather have the groups out where they are more visible (at the root of the domain in their own OU).  I figure that security groups do not need policy applied to them because they are not a user or computer object.  Is this a correct assumption?

3) the domain has the default "users" container off the root.  Can I a) rename this or b) can I move groups that I use a lot (e.g. "Domain Users", "Domain Admins", "Domain Computers" and the user object "Administrator") out of this container and will AD find these objects e.g. I assume when a computer is added to the domain the process finds "Domain Computers" and adds the computer as a member of that group.  I want to just make it easier for admins to find the groups we need so I am going to have a "User Groups" container at the root (and also an "Admin Groups" and "System Groups" off the root).

The last question is more just - any comments on the above strategy?  I am trying to divide up the objects in a better way so that as group policy is applied, I can just apply it to different OU's.  Same goes for applying delegation to different OU's.  Right now most of the group policy is applied to the "default domain policy" policy object and sometimes it has to be blocked further down.

Thanks for any comments!

Albert

Accessing a domain on a different forest


Hi All,

We have a domain ABC that resides in its own forest XYZ, with no trusts established between our forest and XYZ. We do have the server name of their DC and the credentials to RDP onto their environment. The problem is, we want to be able to image user machines for this ABC domain but in the process need to join the machine to the ABC domain. I don't see how we can do this without establishing a trust between the XYZ forest and ours. Is there a way without going the trust route?


Francisco Mercado Jr.
