Channel: Directory Services forum

DC clock's source is incorrect


Hello, 

I recently promoted two DCs in a remote site "site02". The promotion was successful and replication is healthy. I noticed, however, that the clocks on both of the newly promoted DCs are incorrect. Below is the output from w32tm /monitor. My forest is correctly configured so that the PDC in "site_01" receives its time from an external time source "externalTime.mydomain.com". The output below shows a RefID of "unspecified / unsynchronized" on both of my newly promoted DCs in "Site_02". Also below is w32tm /query /source run from one of the newly promoted DCs. Not sure why it says "Local CMOS Clock".

Thoughts?

==========================================



Exporting AD user list to a text or excel document


I have been tasked with streamlining the AD user list for the various clients we support. Is there an easy way to export the user list to a text file or an Excel document? Thanks!

FSMO Role Placement in a mixed 2003R2 DCs and 2012 R2 DC in a domain


In a mixed 2003 R2 and 2012 R2 domain infrastructure, should you move all the FSMO roles to the 2012 R2 DCs? Or just specific roles? Any gotchas?

Thx.


Thx. Darshan Doshi

Windows 7 cannot access to a server


Hello everybody,

We have 5000 workstations with both Windows 7 (4000 workstations) and Windows XP (1000 workstations left). We access a directory on a file server using a Windows XP workstation, but when we try to access the same file server with Windows 7, we get the message "Windows cannot access "the name of the server"". This happens only on our Windows 7 workstations.

I need help to understand why I cannot access this server.

Thank you.

Regards,

Le Balbo

What is the limit/recommendation for the number of subnets associated with an AD site?


What is the limit/recommendation for the number of subnets associated with an AD site?

I have a requirement and wanted to check on the scalability of subnets in AD sites. I have a recent requirement to add 500 subnets to a site; though not encouraging, we have to add them. We won't be able to add a subnet mask, so this has to be added.

Looking for thoughts/recommendations. 


Thank you Vijay

Migration Active directory 2008 R2 from my local data center to AWS


Hi Team,

Presently I have Windows 2008 R2 Active Directory on my physical Dell PowerEdge 610 model server. The same Active Directory needs to migrate to an AWS Windows 2008 R2 server. Please let me know the process to do this.

Web Application Proxy Kerberos Issue


I have a very odd problem. I've set up a Web Application Proxy and am using ADFS pre-authentication to pre-authenticate users from the outside to an internal web application that is using integrated Windows authentication (non-claims). I've configured all constrained Kerberos delegation properly (even had Microsoft support confirm the configuration was proper). If I log into the web application through the Web Application Proxy as a domain admin, the WAP computer account is able to create the Kerberos ticket on the user's behalf and pass it along properly to the web application. However, if I'm not a domain admin, the Kerberos ticket is not created and I get an HTTP error 500. From network captures I've seen the following error: KDC_ERR_C_PRINCIPAL_UNKNOWN

From the event log, we see:

Web Application Proxy encountered an unexpected error while processing the request.
Error: The user name or password is incorrect. (0x8007052e).

We've obviously confirmed the username and password work just fine, and the users are able to access the web application internally (bypassing the WAP) with no issues.

Any thoughts? Thanks in advance.


How to secure Hosting Active Directory


Hello,

We are planning to have hosting, and there we will host Active Directory. We are going to have 10 clients. I hope that someone can help us with tips on how to secure info so that customers can't see each other and can't find info from another domain.


Schema Transfer Problem


I have a PDC (Windows Server 2003 Enterprise) with a hard drive failure. I have been able to seize all roles except the Schema on the BDC. The schema comes up with the following error:

ntdsutil
ntdsutil: roles
fsmo maintenance: quit
ntdsutil: connect to server datas.nabishi.pri
Error 80070057 parsing input - illegal syntax?
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server datas.nabishi.pri
Binding to datas.nabishi.pri ...
Connected to datas.nabishi.pri using credentials of locally logged on user.
server connections: quit
fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-03151D80, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operation.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
Ldap extended error message is 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x5(Access is denied.)
)
fsmo maintenance:

I can see the schema using adsiedit.msc and all contents as far as I know are correct.

I can use Active Directory restore from an earlier backup, which in the end produces the same result.

Also, the controllers carry the GC; these report as un-contactable even though they show in DNS and are selected in AD Sites and Services.

I've got myself a little stuck on this one. What am I doing wrong?

I have also tried the change via the Active Directory Schema plugin (MMC) in addition to the ntdsutil method.

Any ideas? I need to restore this domain into working order; it has three BDCs in the system and two DNS servers.

Alison

RODC Authentication not working


I have 2 RODC domain controllers configured in a site, but I see no computers or users authenticating against the RODCs.

I checked the Allowed RODC Password Replication Group and it has all the PCs in that site and a handful of user accounts. I even checked the accounts whose passwords are stored on this Read-only Domain Controller and it shows me all the computer objects and the user objects.

However, when I log in to any machine in that site, it authenticates against the RW DC from another site.

I checked echo %logonserver% and Set L, and each time it shows me a RW DC and not the RODC.

Can anyone tell me why the users or client machines are not authenticating with the RODC?

Thanks

starchaser


Active directory Disaster Recovery


Hi,

I have a question regarding Disaster Recovery. The scenario is: I have 15 Domain Controllers in my production environment and one domain.

May I know how I can recover my Forest/Domain if something goes wrong?

Appreciate any help which you can provide.

Impact on change in SAMAccountName on TFS and ClearCase


Hello,

What would be the impact on TFS and ClearCase if just the "SAMAccountName" is changed? Has anybody tested this? If there was an impact, how serious was it?

Thanks in advance.


Ramesh Chandra

domain joining problem for client PC


Sir,

I have an old domain server, Windows 2003. My server has about 1500 AD users. Now I have prepared another new server, Windows 2012 R2, installed and configured with the same domain name, server IP, and users from the old server.

I connect to the new domain server from my thin client perfectly with the same user.

Now my problem is shared below:

1. My desktop PC already joined the old domain server, Windows 2003. It works with the domain user. But now when I join the same PC to my new server, Windows 2012, it gives the error "the security database on the server does not have a computer account for this workstation trust relationship".

2. If I change the workgroup name & reboot the PC, then after the reboot, when I join the new server domain, it perfectly j

I have 1500 users. It is not possible to change the workgroup and then join the domain.

Please help me if any script or batch file can be run on the new server, Windows 2012, so that all desktop PCs join the domain.

Or any other solution, please provide me.

List groups having a user as a member

(&(objectClass=group)(objectCategory=group)(member=so and so dn)) returns the search result well in all domains except one. I changed the filter format to (&(member=so and so dn)(objectClass=group)(objectCategory=group)) and it works fine in that domain. So I tried checking (obejctClass=group) and it returned 0 search results. Is there any problem in using (objectClass=group) on 2003 and below functional-level DCs?

Manually Edit LastLogonTimeStamp Attribute


As I'm sure most of us are aware, the LastLogonTimeStamp attribute is meant to store the last time a user/computer logged on. When the user gets authenticated by a DC, this attribute on their account gets set to the current date/time.

Although it represents a date/time, it is actually stored as a number (a 64-bit integer to be precise), so theoretically it could be set to a number that does not represent a date... and it seems that sometimes the "system" does indeed set it to something completely invalid like this:



I've seen this happen twice now, in two completely separate organisations, but both instances were within the last month. Interestingly, in both cases it was a service account that the issue was on (not sure if they were Managed Service Accounts or just regular user accounts created only to run services). EDIT: Seems like someone else had the same issue a few years ago, so I guess it's not a new thing.

Anyway, I realise it's very unlikely anyone will have an idea of what caused this, but what I'm wondering is: how can it be fixed? The attribute is owned by the system, so we cannot manually edit it. Is there any way to override this and modify an attribute that is owned by the system?

Thanks

Chris


My website (free apps I've written for IT Pro's) : www.cjwdev.co.uk My blog: cjwdev.wordpress.com



delegate add rights but not remove for a group?

I have a security group to which I want to delegate rights to add users but not remove users. I do see the modify permission, but is there a way to get more granular and allow only adding but not removal of users?

2003 R2 to 2012 Issue


I'm trying to finish virtualizing my environment, and I've hit a snag that I can't seem to get through. My old server is a Windows 2003 R2 box that runs Active Directory and also has Exchange 2007 on it. Its functional levels are set at 2003.

I have created a new mail server which is working, and everything we have is pointed at this new Server 2012 box with Exchange 2013 installed. Mail works, and there are no issues with the co-existence we currently have, but the goal is to remove that 2003 AD/Exchange 2007 server.

I have also built a new domain controller, a Server 2012 box. I have transferred my roles to it without a hitch, and whenever I add a new employee to AD on the old AD server, I can see them show up within seconds on the 2012 box, so on some level I know replication is working.

However, when I go into my Server 2003 box (or do this step from the 2012 box) and turn off the Global Catalog on the 2003 box, chaos ensues. Once I do that, which leaves the Global Catalog on only my new server, no one can log in. When I turn the GC on again on the old unit, the problem goes away and things are as they should be. Any ideas why this could be happening? I don't want to demote the 2003 server at this point, because logging in is a critical part of our users' daily routines.

Some things I have noticed are that the Sysvol and Netlogon folders won't replicate. DCDiag fails the Advertising test, saying my new server isn't suitable, and also says my old server is the one advertising. It fails the NetLogons test, stating it can't find the folder. And the test ends with Group Policy failures as well, probably all related.

AD User Profiles


Hey Guys

I have the strangest question.

If we migrated users from the 2003 domain functional level to the 2008 domain functional level, would this force the user profiles for Terminal Servers (not local TS profiles) to have both %USERNAME% and %USERNAME%.V2?

We are in the process of implementing folder redirection but now have to come to a halt because some users have one profile path that is used, \\servername\user profiles\%Username%, and then some users have both that and \\servername\user profiles\%Username%.V2.

Please can someone advise me on this as I am losing it hahahaha

Thanks

Marty

Forcing my DC/DHCP Server to pass out a time using NTP?


Evenin' Ladies and Germs,

I'm running a 2012 R2 DC that's also a DHCP server. I know that normally the time for each node would come from the DC, but I need to force DHCP to push out a time from NTP to make the time/date correct on my phones.

I've filled in option 004 and option 042 in my DHCP scope and it's not really doing anything.

Does anyone have any suggestions for how to make that work?

Thanks.

Ldap string to query multiple domain controllers


Hi,

Is it possible to query two different domains in C# using one ldap string? If so, how would this string be structured? For example, here are the two domains:

1) adext.local

2) ad.com

Currently, for the first one my LDAP string is ("LDAP://DC=adext, DC=local"). Can I add the second domain's information into this string so it is queried if the user isn't found in the first domain?

thanks,


Sherazad
