Channel: Directory Services forum

Sysvol replication failing on the long Chinese domain


Hi Team,

We have created an Active Directory on a Windows Server 2012 DC (root, first DC in the forest) and an ADC on Windows Server 2008 R2 EE SP1 with a Chinese OS and a long domain name.

We have created a long domain name like:


The respective files are getting created in the sysvol domain folders.

However, the files are not getting replicated.

We have tried forcing replication, restarted the services and checked the event logs.

Any pointer regarding this would really help us.



2012 R2 GC not responding to AD when 2008 R2 server goes down


I have a weird problem.

Background: I had 2003 sbs and migrated to 08R2. I demoted sbs and 08R2 worked just fine. I added domain services to 2012 R2 and clicked GC and moved the FSMO roles to the new 2012 R2 server. They both show up in ADUC under domain controllers. I can ping lf.local from any workstation and get the round robin reply from DNS.

Here's the problem. When I shut down the 08R2 server, AD goes down too. I tried to run ADUC from my workstation and from the 12R2 server, but they both say there are no directory servers available.

If I boot up the 08R2 server then all is well. I can manually change to 12R2 server in ADUC and it comes up fine while the 08R2 server is running also. My goal is to continue the migration from 08R2 to 12R2 and demote the 08R2 asap.

I've checked a million times everything in AD I can, and it all says both servers are domain controllers. DNS works fine. I modified an A record on 08R2 and it changed on 12R2. I then changed it back on the 12R2 and it changed on the 08R2. I changed the description field in a user and it changed both ways. Replication seems to be bi-directional and working. Plus I've checked in ADSS a bunch too to make sure the replication is set correctly.

What did I miss on the 12R2 server? I'm not seeing my mistake.

Windows XP Error The specified server cannot perform the requested operation


I'm transitioning from a very extinct Windows NT Server OS (as a DC) to Windows Server 2008 (as a DC role). When bringing the machines onto the new DC's network, some Windows XP (SP3) machines display, "The specified server cannot perform the requested operation". The event log shows an Audit Failure with the following:

Event Type:        Failure Audit
Event Source:     Security
Event Category:  (3)
Event ID:            560
Date:                 [date]
Time:                 [time]
Computer:          [machine name]
The description for the Event ID (560) in Source (Security) cannot be found.  The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer.  You ....
The following information is part of the event: Security, Key, \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, -, 0, 556855, 2332, C:\WINDOWS\system32\wbem\wmiprvse.exe, NETWORK SERVICE, NT AUTHORITY, (0X0, 0X3E4), -, -, -, %%1537


Can someone please offer any suggestions on resolving this so that the computer can properly join the network?

What happens when AD's start to Replicate again?


Got a bit of a situation here. Our techs noticed that AD1/AD2 are not replicating with AD3 (AD3 has the most recent updates on every user/pwd etc.). So my question is: I know how to fix the replication (DNS fix), but I am afraid that AD1/AD2 will replicate old stuff to AD3 and AD3 won't replicate new users/pwd changes to AD1/AD2...

Can you give me an overview as to what is going to happen once replication is fixed? 

Having problems obtaining Windows 10 Education or Enterprise for DirectAccess


I am currently running Win 8.x Enterprise Edition from a previous TechNet subscription, along with 2 domain controllers in my home (Win2012R2 & Server 2016) in non-production/testing use.

I want to upgrade to Win10 for DirectX 12 & DirectAccess VPN, so for this purpose it looks like Windows 10 Education would be the best fit (I believe it also comes with Mark Russinovich's Sysinternals.com tools/desktop pack). I don't need the long-term branching etc.

Since I am a student, I was able to obtain a personal DreamSpark account from Microsoft (which provides free Microsoft server products (2012, SQL, Visual Studio etc.) but not client software). My school, University of Washington (UW.edu), is a DreamSpark Premium member, which normally provides Windows 10, but that is limited to specific departments/colleges at the university, which excludes me. So am I SOL? Or can I actually purchase a single copy of Windows 10 Education? If so, from where exactly?

Do I need to buy a volume license (min 5 copies) of Enterprise edition direct from Microsoft? And at that price of around $1500, would it be better to get a low-cost MSDN subscription at $1199 that includes 2 free tech support incidents? Are there any discounts or advantages for being a Microsoft Certified Professional?

Or could I get Windows 10 Enterprise + Server 2012 free from Microsoft for 3 years by joining the Microsoft BizSpark program?

I just want to know the best way to get Windows 10 Education / Enterprise edition as an upgrade from Windows 8.x Pro or Enterprise, when the rest of the world is getting the update for free because they don't need DirectAccess VPN to their home while traveling...

Primary Domain Controller Not Working Properly



We have two Windows Server 2012 domain controllers. My primary server was not connected to the network for more than 1 month. After reconnecting it to the network, DNS and replication are not working. We created a user account on the primary server, and when I try to log in to a PC using this account with the primary server set as DNS on this PC, I can't log in. I created a user account on my secondary domain controller, and when I try to log in using this account with the secondary DC set as DNS, it works properly.

What is the reason? How can I correct my primary server?


What causes a lastLogonTimestamp attribute update on an expired account?


Hello, I saw this question/issue several times but couldn't find the explanation. Users need to change their password every 30 days (no Fine-Grained Password Policy). I have a user object with a pwdLastSet of 8/4/2014. The lastLogon attribute is set to 10/30/2014 on one DC and empty on all other DCs (normal behavior).

The lastLogonTimestamp attribute however is set to 7/25/2015 (on all DCs) for that user object.

How is this possible, or what can cause an update of the lastLogonTimestamp attribute although the password of the user object is expired? This circumstance breaks our process to identify inactive users.

FRS Service Stopped



I have three 2008 domain controllers (one PDC and 2 ADCs). The FRS service automatically stopped on all these servers, and when I restarted the FRS service, it generated an error in the events: "the domain controller is migrated to DFS for Replication of SYSVOL folder".

However, no Sysvol_DFRS folder is created on my domain controllers.

So I am not able to understand whether it is the issue or not.

Second, should I migrate all my other domain controller trees of the same forest to DFSR? (Is it good, and what is the risk level in doing this?)

Waiting for response, 

This is a very active forum where I always get solutions. Thanks to Microsoft and contributors.


Forcing the change of a password for Users with an Active Directory account using a BYOD


Hello. I was wondering if somebody was able to help me.

Basically, we have several sites, all set up with Server 2008 and Active Directory.

We also use Subcontractors who join and leave the company at undisclosed times.

When we're made aware of one starting, it's usually the same day, and we make an account for them on the primary DC or whichever site is most local to that user. Usually, we just set the passwords for these users and give the password to their manager or project director.

However, for security purposes, we need to start allowing the Subcontractors to change their own passwords, without a Domain enabled computer.

I know this is possible on Linux computers as we have a development team who all use Ubuntu and they're able to change their passwords on their Linux BYOD devices using a special script that is performed through Terminal. Basically, I need to know if something is possible with Windows computers (as most of our subcontractors tend to use Windows 8.1 laptops).

Thank you for taking the time to read through the problem I am having. I look forward to seeing your replies.

Old Domain Controllers in Replication list


I was checking on the replication status for a domain controller when I noticed that long ago decommissioned domain controllers show up in the list. What is the best way to remove these references?

repadmin /showvector /latency DC=domain,DC=com

Help Desk Group - Delegating Right to Change Group Membership



I did some reorganizing of our domain to put all the non-admin, non-help desk users into their own OU so that I can delegate specific jobs to the Help Desk group for that OU and that OU only. I then delegated to the Help Desk group the ability to a) add a user to that OU and b) reset passwords for users in that OU.

I have had some trouble with delegating to the Help Desk the ability to add/remove users from groups. Instead of futzing with this, I thought I should ask for more specifics here. I have two scenarios:

Scenario A: help desk goes to the user object within this OU, opens the properties for the user and changes group membership there. This does not work. I understand I need to delegate the ability to manage group membership to that OU (one thing to note: I do not want the help desk to be able to add a user to the Domain Admins group).

Scenario B: I have reorganized all the non-admin, non-"system" groups into an OU of their own. That is, the groups that the users "see" (e.g. "Assistants Group", "HR Committee", "Christmas Party Committee" etc.) have been placed in their own OU. This is because, again, I only want the Help Desk group to be able to manage these groups. I do not want them to be able to manage our "system" groups like Domain Admins etc. This seems to work intermittently (is some caching going on?). Again, I would like to know how I should be doing this in case I am slightly wrong.

Thanks for any help!

Share Drive

I have a share drive on a server. From my desktop, I can access that share drive, \\servername\sharedfolder, no problem, but on the server itself, if I try to go to \\servername\sharedfolder I get "network path cannot be found". If I go to just \\servername, I can see the share folder listed, but when I double click it I get the network error. This leads me to believe it's permissions based, but I have Authenticated Users set to Full. I'm curious if there might be a policy setting that would be causing this. Any info is appreciated.

Win 2008 servers can't access sysvol or netlogon partition on Windows 2012 domain controllers


I have a small Windows 2012 domain that includes 3 Win 2008 servers and 8 Windows 2012 servers. None of the 2012 servers have an issue connecting with AD or viewing \\<domain controller>\netlogon or \\<domain controller>\sysvol in Windows Explorer.

If I try to do the same thing from the Win 2008 servers, though, I get prompted for a username/password, and even with a valid password supplied I get an "Access Denied" error.

I can otherwise ping the domain controllers, access the C: drive via the admin share (c$), and users authenticate with no issue. If I manually drill down from the admin share (C$) I can get into the sysvol folders and browse them.

Running gpupdate from a 2008 server generates these messages:

"The processing of group policy failed. Windows attempted to read the file \\xxx\sysvol\xxx\Policies\{long string}\gpt.ini from a domain controller and was not successful. Group policy settings may not be applied until this event is resolved."

Using Windows Explorer and \\domain controller\c$, though, from the 2008 server, I can drill down and find that gpt.ini file and open it and edit it if I want.

Running rsop.msc generates the message "Unable to generate RSoP Data. In logging mode, likely causes are group policy has never successfully processed for the computer or user, RSoP logging was never enabled, or data is corrupt. In planning mode, verify that the selected domain controllers supports RSoP"

Running rsop.msc from any 2012 server runs without problem however, so it appears the domain controllers support it.

I'm stumped. Any suggestions?


IPPS printing Not working on Windows 2012 Print server


Hello all

I have had a Ricoh printer updated to use IPPS, and since this has occurred I can no longer print to it via my Windows 2012 print server. Originally it was connecting to the printer via direct IP address; I have tried connecting the printer to the server via IPPS and it does not allow it. It appears to not be supported.

thank you

Matt Burgos

Do I need to install a language pack in the target domain during migration of Active Directory via ADMT?

I'm going to migrate users and groups via ADMT.
The server OS in both source and target domains is Windows Server 2012 R2.
The language setting of the OS in the source is Japanese; on the other hand, the one in the target domain is English.
Do I need to install a language pack for Japanese in the target domain to avoid encoding problems (mojibake)?

Thank you,
Kazuo Ieiri

Trust relationship on the workstations lost after demoting the only DC/GC in the AD site, but there is another DC/GC in other AD sites?


Hi All,

I need your help urgently, because my simple AD domain controller demotion has gone beyond my understanding.

AD Sites & Services setup is full mesh, no IPSEC VPN tunnel:
Data Center AD Site:
2x Win 2008 R2 DC/GC

Head Office AD Site:
1x Win 2012 R2 DC/GC

Problem Site Office AD Site:
1x Win 2012 R2 DC/GC which is also running as AD-Integrated DNS & DHCP

Problem root cause:
What I did this morning before people started working was the completely harmless task of force demoting a Windows Server 2012 R2 DC that was unable to replicate to any other AD sites and only accepted incoming AD object updates.

Steps taken:
1. Change the DHCP scope DNS to point to Primary: Data Center DC/GC IP, Secondary: itself, where it is no longer functioning as integrated DNS since there is no forward lookup zone for Domain.com.
2. Reduce the DHCP scope lease to 6 hours, and wait from yesterday morning until today.
3. Force demote the AD role.
4. Reboot.
5. Manually go to the AD Users & Computers console to perform metadata clean-up (right click, delete), followed by manually searching the DNS containers for any name of the DC server that has been demoted.
6. Wait 30 minutes, then... the problems start to happen one by one.

7. I have joined the same server back with the same name & IP address just to run DHCP, file server and print server, but still one by one workstations complained about the trust relationship issue.

The next steps are to be taken next week, because I cannot do it myself due to the large amount of user complaints bombarding me constantly; until now, in the afternoon, I cannot have a quiet lunch:
1. Promote as AD domain controller.
2. Configure AD-integrated DNS (is it necessary?).
3. Change the DHCP scope lease back to 8 days.
4. Change the DHCP scope DNS to itself and one DNS server in the Data Center AD site.

Now the new problem is:
One by one, workstations in the problem site office lost their trust relationship with the AD domain. Therefore the fix was to:
1. Exit the domain, Reboot
2. Rename the computer, Reboot
3. Join to the AD domain, Reboot
4. Change the name back to the previous name, Reboot
5. User can now login to their previous desktop.

There are 90+ workstations in the problem site office, and now I'm stuck having to manually perform the 5 steps above one by one for the entire office.

What could have gone wrong in my steps above?
I have made sure that all of the computers using DHCP-assigned IPs, and also those with static IPs, can ping the DNS server in the Data Center, as I had changed the DHCP scope priority the day before, but somehow this problem occurred today, 30 minutes after the demotion.

Any help would be greatly appreciated.

Thanks very muchly.

/* Server Support Specialist */

Adding Multiple Servers to WSUS.


Hello all,

I need to add several servers to a WSUS server. However, I would like to automate or at least semi-automate this process. Does anyone have a PowerShell script or similarly a tool that can perform this task?

Thank you, and all responses are welcome.

Matt Burgos

Active Directory domain search



In my AD environment, other domains are in trust with each other, so we should be able to search any of the Active Directories.

I am not able to get results from another domain's directory when I bind with one domain, with my Java code.

But when I use the Search Active Directory feature of Windows 7, I can see the results. So what bind details is this feature using, and can I use those details in my Java code to search the other directories' data?

See image: 

Track Changes to account description



I want to know if there is a way to track what is changed in the Description of an account.

I am referring to all changes that don't affect the user's ability to log in or the access level of the account, for example changes to mobile number, address, or job title.

Query on KTPASS in Windows server 2008 R2



Can anyone help me with the scenario below?

OS : windows server 2008 R2

Domain : Contosocorp.com

I was trying to create an SPN entry for multiple users using the command below, and the operation aborted saying a duplicate SPN exists, as I was using the same SPN entry for more than one user.

setspn -X gfs.ks.contoso.com/bddge016.ks.contoso.com@DEV.contoso.COM BDE2.CONTOSOCORP.COM\test1
setspn -X gfs.ks.contoso.com/bddge016.ks.contoso.com@DEV.contoso.COM BDE2.CONTOSOCORP.COM\test2
setspn -X gfs.ks.contoso.com/bddge016.ks.contoso.com@DEV.contoso.COM BDE2.CONTOSOCORP.COM\test3

Is there any alternative, or is it possible to create the same using KTPASS? If yes, can you please help me by changing this command to fit my setup?
