Hi Guys,
Can anyone help me find out the reason as to why one of our pc in question went on suspension for Bitlocker. The PC is IBM Lenovo T450 taken out of box and set for build through SCCM.
Please let me know if you guys need more information on this.
Haroon Khan IT Consultant Enfo Sweden
Dear Concern,
We have a server with the OS windows server 2008 Standard SP2 . We have a IIS & dot net based application running on server
client pc s will we accessing the same . suddenly application will be slow due to a process in server with name LogonUI.exe
occupying 87% of CPU usage . how to resolve this issue permanently.
Regards,
Prakash M E
8095023207
I need to migrate our domain out of a larger forest. Our domain name is old.domain.com. Looking for some guidance and advice. Let me describe our environment a bit.
We are part of a large private fiber network and will remain on that network. We are a small shop of about 700 users and 700 Windows Clients. All servers are 2008 R2 and above. We use IP printing. We have two web applications in our Linux Oracle Environment. We do not have Exchange email at this time. We have no SCCM. My plan is as follow. Mind you I am in the early stages of this plan. I have a 3 node file cluster. We have about 60 servers that host various applications and services but nothing that jumps out and screams big problem. (McAfee EPO, Citrix (Small foot print), A door security application etc..) Most of these servers can be rebuilt with little to no disruption in service.
We are abandoning the old.domain.com and upon completion old.domain.com will be removed from the forest. With that said we need to keep the name space old.domain.com.
Our DNS zones for old.domain.com are zone transferred to to several enterprise DNS servers. Our internet presence is with regards to DNS is handled by the enterprise.
This is a rough sketch of my plan. I am looking for some insight and advice from people who have faced this same scenario. Not sure what the new name will be for the forest but perhaps something like Newdomain.local and host the old.domain.com DNS for internet and application presence.
I want separate claimproviders for intranet access and extranet access to my relying party.
For Intranet I want windows authentication and having configured
Set-AdfsProperties -IntranetUseLocalClaimsProvider $true
and configuring only windows authentication as authentication method for Intranet users on intranet are logged directly on.
However, for extranet access I have configured a custom token provider and I want this claimsprovider to be used without users having to choose between ADFS ActiveDirectory provider and my custom provider.
If I configure
set-adfsRelyingPartyTrust -targetname myRelyingParty -ClaimsProviderName "myCustomProvider"
intranet users are redirected to myCustomProvider regardless of the IntranetUseLocalClaimsProvider setting.
Thus I configure
set-adfsRelyingPartyTrust -targetname myRelyingParty -ClaimsProviderName ("Active Directory","myCustomProvider")
which causes the HRD choose page.
If I configure no extranet authentication methods in ADFS console - the HRD choose page is still shown and an error
MSIS7104 : The policy does not allow any users from location 'Extranet'
is logged when selecting ADFS Active Directory provider. Yes - agree - dont show me the option!
Any ideas how to avoid the HRD choose page for extranet users?
Hi, I found out that a problem when I open gpmc in my server (Windows Server 2008 SP2)(Domain Controller). I got an error message saying
The specified domain controller could not be contacted. This affects the following domain in the console.
Domain: <FQDN>
The RPC server is unavailable.
I tried to perform in command prompt a dcdiag command and I got this messages.
Warning: <servername> has not finished promoting to be a GC. Check the event log for domains that cannot be replicated.
Warning: <servername> is not advertising as a global catalog.
Im not sure what's causing this but this is just a newly setup DC, no errors so far with its event viewer.
Thanks
Jeff
Hi,
I have a printer installed by gpo and my problem is that if I change the setting from the server printer, the installed printer ignores the changes.
I'm not sure the issue is related to the printer or the gpo.
Can anybody help me?
Thanks.
Hi,
I have noticed a huge amount of entries in my DC Security Event log with this event, all from one Windows 7 Pro workstation in our domain.
Account for which logon failed:
Security ID: NULL SID
Account Name: NetworkService
Account Domain: <Workstation Name>
In a one-day period, I have approximately 2,000 such entries for just this one <Workstation>.
Unfortunately, I haven't found any information as to what is causing it.
Process Information is empty.
Any clues as to how to determine what is causing these events would be greatly appreciated.
Thanks,
David
We need to migrate DHCP server from windows 2003 to Windows 2008 R2.
Currently, we have one Windows 2003 DHCP and two Windows 2008 R2 clustered DHCP servers
We need to move DHCP hosted on above servers to different servers.
What are the best approach to do this?
Thank you!
What is the best way to find a role of a Security Group in Active Directory?
For example, this group provides file permissions, this group provides application access
Hello everyone,
We have hosted Active Directory and we want to block customers from seeing each other. We have enabled list object mode but when I remove List Content from Parent OU and list object from Child OU I am able to hide OUs from users, I mean if they open RSAT they will not be able to see OUs. Problem here is that if they look up for the users in FInd or Powershell they will be able to see them. One way is to remove the List Content permissions from the child OU. If I do that if both "List object" and "List contents" are removed from a child OU whose parent OU has "List contents" removed, I run the risk of denying applications, that rely on user accounts in an AD DS environment, the ability to look-up information in the domain. Is there a way to block users from seeing each other in Find. It must be a way to do this.
Thank you in advanced
Hi
I have to increase the event viewer size in all DCs from 300mb to 1gb, i know we have to do it from properties, my question is how to increase it all DCs togther or should i do it one by one?
Aamir
NA
Hi,
we are facing some issue from outlook 2010 and outlook 2007
its asking password for some of the users only we are having Exchange 2010 HA
i have checked the outlook SP also installed properly
i'm putting outlook log for your reference
2015.10.30 13:15:42 <<<< Logging Started (level is LTF_TRACE) >>>>
Kindly help me to resolve the problem
I've taken over directory administration and combing through permissions on the tree and then are way out of whack. I wanted to know if it's safe to use the DSACLS program to reset the permissions when we have Exchange 2010 and Lync 2013 installed.
I did some spelunking through the default permissions on some of the classes in the Schema and it didn't look like Exchange or Lync permissions were there so I figured it might not be safe but thought I'd check with people who probably know better.
Regarding the Exchange and Lync permissions, and as an example, the root node has Exchange Enterprise Servers, Exchange Servers, Exchange Recipient Administrators, Exchange Trusted Subsystem, RTCUniversalServerReadOnlyGroup, RTCUniversalUserAdmins, etc
I figure DSACLS isn't going to replace all those if I reset permissions with it.
Thanks!
Here's my scenario. We have two domain controllers, DC1 and DC2. DC1 was the first domain controller in our domain, DC2 was added later. For various reasons, we want to repurpose DC1 into another role and bring up a new domain controller, DC3 to take it's place.
My plan is to promote DC3 to a domain controller first, then demote DC1.
Is there any special procedures required when demoting the first domain controller in your domain? It holds the PDC Emulator and FSMO roles for certain. Would I need to deal with that before demoting DC1? Is there anything else I should keep in mind?
For a customer, we're running Windows Server 2012 R2 and a mix of Windows 7, Windows 8.1 and Windows 10 clients. We have an issue regarding home folders being mapped when a user first boots up. This occurs when users are online and when they attempt to use offline folders.
We use the home folder settings on the user account's profile tab in ADUC to map their H: drive to their home folder. Prior to us managing this network, the IT person manually mapped the users' P: drive to a "public" share on their servers. We haven't changed that as it's a small company and there's not a huge amount of turnover, so it's not creating too much administrative overhead.
Scenario 1:
User A has a computer which is in the office and is always using a wired connection to the LAN. That user turns on or reboots their computer. Upon logon, there is no H: drive mapping. The user does, however, have their P: drive. The
user logs off and logs back on and they have an H: drive as well as their P: drive.
Scenario 2:
User B has a laptop which is sometimes in the office connected via wireless or wired connection to the LAN. Other times, User B uses their laptop out of the office. User B sometimes connects to the office LAN via VPN and other times the user doesn't.
The user has configured their H: drive to "Always Available Offline". When the user works offline, the H: drive doesn't appear, however the P: drive is there and available offline. User B connects to the office LAN via VPN and manually
maps H: drive and it maps correctly. User B disconnects from the VPN and the H: drive is available to use offline.
This behavior is consistent and easily replicated.
Does anyone have any ideas as to what could be the problem? I have some ideas on both issues, but I don't want to lead the conversation and would appreciate some fresh input.
Thanks!!
Hi,
After rebooting w32time is getting disappeared from Domain Controoler. Even after that when I am trying to register time service I am getting below error.
C:\Users\sdavid>net start w32time
System error 1290 has occurred.
The service start failed since one or more services in the same process have an incompatible service SID type setting. A service with restricted service SID type can only coexist in the same process with other services with a restricted SID type. If the
service SID type for this service was just configured, the hosting process must be restarted in order to start this service.
Can anyone help here please ?
We are running a particular application where the only way to give a user access to it is to make them an AD user.
This application is for our end-user customers, and as such we don't want customers to have access to our entire AD directory. The purpose of this AD user is really just so they can log into the application and we don't want them doing anything more than that.
I created a separate OU and placed a user under it, and experimented with permissions settings on the OU (such as denying List Contents, List Object, and even Read all properties" as special permissions, but the AD user can still see a list of all AD users if they are in a AD login pop-up "Select User or Group" window, and click "Find Now"
I realize this is how AD works by default, but we only want to restrict permissions for very specific users.
I'm still thinking there should be a way to restrict this in the OU security permissions but so far no deny combination I've tested works.
In other research I found this article about a "confidentiality bit":
http://windowsitpro.com/active-directory/using-confidentiality-bit-hide-data-active-directory
But, it also says there that "base schema attributes" cannot be made confidential, and I'm pretty sure 'Name' is a base schema attribute right (?)
So what is a solution if we want to configure things so particular AD users would not be able to enumerate/query/browse the AD directory of users but can still log in to/through AD.
Thanks
Hi,
I am looking for Active Directory Health check script , which will give all below output in email.
NetlogonsTestAs we prepare to move to Office365 we're going to start pushing our users to login with their UPN in the format of first-last@domain.com to match our email addresses.
When we login on a windows 7 or windows 8 machine using UPN the credentials used seem to be properly recognized.
We can check HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData and verify the key LoggedOnUser is recognized as first-last@domain.com. However on Windows 10 the same registry key is changed and matched the LoggedOnSamUser matching domain\user format.
Our domain and forest functional levels are at Windows 2003
Rkaram