Channel: Directory Services forum
Viewing all 31638 articles

matching, mapping and populating cells in AD


Hi all, 

I hope you can help

I am looking to populate the "city" field depending on the content of the office field

I.e., if the 'office' field is set to "Kings Cross", the 'city' field gets populated with "Sydney"

Next thing, if there is a city_mapping.csv file with this office to city mapping can this be referenced?

I have over 500 entries to update and would rather not go mad(der) than I already am

many thanks!


DO_NOT_REMOVE_NtFrs_PreInstall_Directory


I know that this is hidden and in the sysvol, I have no idea what this folder does, its purpose, etc.

Any information on this will help greatly.

I do know it is hidden by default and that the system account requires full control permission but that is about it.

FRS Replication: JRNL_WRAP_ERROR


One of our domain controllers experienced an unexpected shut down.

Since then it has been unable to replicate SYSVOL information.

This issue has been ongoing for several months, and we don't have a backup of SYSVOL from that date.

This domain controller also holds all FSMO roles with the exception of the Infrastructure Master.

One action I am considering for resolution is to make another domain controller authoritative for the SYSVOL store.

The following articles detail this procedure, which involves setting the Burflags entry to D2 or D4:

I am considering setting the burflags entry to D2 on the bad DC and to D4 on the other good DCs.

Given the configuration of this domain controller, what ramifications should I be aware of when using this procedure? 

Thanks!

The security database on the server does not have a computer account for this workstation trust relationship


Good Morning.

I've joined a computer to a domain and when I try logging on it gives me the message: "The security database on the server does not have a computer account for this workstation trust relationship".

I've tried making the following:

- Deleting the computer from my domain, deleting the object from AD and joining it again.

- Steps explained in these links:

http://technet.microsoft.com/en-us/library/ee849847(v=ws.10).aspx

http://virtualcurtis.wordpress.com/2011/03/02/fix-the-security-database-on-the-server-does-not-have-a-computer-account-for-this-workstation-trust-relationship/

http://social.technet.microsoft.com/Forums/windowsserver/en-US/8e99c313-92c4-40db-a27f-3b6f94fbf7d0/the-security-database-on-the-server-does-not-have-a-computer-account-for-this-workstation-trust?forum=winserverDS

http://clintboessen.blogspot.in/2011/06/security-database-on-server-does-not.html

And also used netdom and nltest to reset the trust relationship but nothing seemed to work.

Does anybody have any clue?

Ps.: If I change the computer name it works normally.


Raphael Santos | MCP 70-410
Email: raa.santos@hotmail.com
Linkedin: http://br.linkedin.com/pub/raphael-santos/39/87b/958/

Query Based Distribution Group option missing


Hey Folks,

I was trying to create a "Query Based Distribution Group" for mailing purposes just now, and came to find that I have no such option in my Active Directory.

I'm using Exchange 2007 SP3 in a Windows 2012 R2 environment.

Is there something that needs enabled or repaired to provide this option in ADUC? The article I was following to do this simply shows it as a right-click popup option off of whichever OU one chooses to house the group.

Suggestions? Input? Thanks!


JTW

Force password to expire for testing

Is there a way to forcibly have a password expire in AD so I can test the OWA password expiration form?

how can i discover service accounts in a domain !


Hello ,

I am working on a new project where I have to discover all service accounts in a domain?!

any help ! 

thank you 

Moving an Object


Hi -

I am working in a Windows 2008 R2 environment. I have an OU that has the "protect this object from accidental deletion" box checked, which puts an explicit DENY on the "Delete All Child Object" permissions for the EVERYONE group. I am also a member of a group that has create/delete permissions for computer objects in this OU. I find that despite the explicit DENY permission, I am still able to move computer objects out of that OU

Question: Assuming that moving an object involves deleting it from one OU and creating it in another, how am I able to move the object? My expectation is that the explicit DENY on the OU would prevent me from deleting the object from the OU despite my group-based permissions.

Any insight would be greatly appreciated.

Thank you


Dcdiag issues


Hello

I ran dcdiag on my DC and I found the below

How can I fix the below issues?

                           


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = rrrMHDC01

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests


   Testing server: Default-First-Site-Name\rrrMHDC01

      Starting test: Connectivity

         ......................... rrrMHDC01 passed test Connectivity



Doing primary tests


   Testing server: Default-First-Site-Name\rrrMHDC01

      Starting test: Advertising

         ......................... rrrMHDC01 passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... rrrMHDC01 passed test FrsEvent

      Starting test: DFSREvent

         ......................... rrrMHDC01 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... rrrMHDC01 passed test SysVolCheck

      Starting test: KccEvent

         A warning event occurred.  EventID: 0x80000B47

            Time Generated: 12/02/2015   15:23:30

            Event String: 


         ......................... rrrMHDC01 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... rrrMHDC01 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... rrrMHDC01 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... rrrMHDC01 passed test NCSecDesc

      Starting test: NetLogons

         ......................... rrrMHDC01 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... rrrMHDC01 passed test ObjectsReplicated

      Starting test: Replications

         ......................... rrrMHDC01 passed test Replications

      Starting test: RidManager

         ......................... rrrMHDC01 passed test RidManager

      Starting test: Services

         ......................... rrrMHDC01 passed test Services

      Starting test: SystemLog

         An error event occurred.  EventID: 0x0000165B

            Time Generated: 12/02/2015   14:35:39

            Event String:

            The session setup from computer 'PLASMA-34' failed because the security database does not contain a trust account 'PLASMA-34$' referenced by the specified computer.  


         An error event occurred.  EventID: 0x0000165B

            Time Generated: 12/02/2015   14:41:31

            Event String:

            The session setup from computer 'NQ39' failed because the security database does not contain a trust account 'NQ39$' referenced by the specified computer.  


         An error event occurred.  EventID: 0x000016AD

            Time Generated: 12/02/2015   14:43:49

            Event String:

            The session setup from the computer NQ39 failed to authenticate. The following error occurred: 


         An error event occurred.  EventID: 0x000016AD

            Time Generated: 12/02/2015   15:11:01

            Event String:

            The session setup from the computer SD-TRAINING failed to authenticate. The following error occurred: 


         An error event occurred.  EventID: 0x0000165B

            Time Generated: 12/02/2015   15:18:56

            Event String:

            The session setup from computer 'BR43TR09' failed because the security database does not contain a trust account 'BR43TR09$' referenced by the specified computer.  


         An error event occurred.  EventID: 0x0000165B

            Time Generated: 12/02/2015   15:19:34

            Event String:

            The session setup from computer 'BEAMTESTING' failed because the security database does not contain a trust account 'BEAMTESTING$' referenced by the specified computer.  


         An error event occurred.  EventID: 0x0000165B

            Time Generated: 12/02/2015   15:20:16

            Event String:

            The session setup from computer 'PMS-HO' failed because the security database does not contain a trust account 'PMS-HO$' referenced by the specified computer.  


         An error event occurred.  EventID: 0x000016AD

            Time Generated: 12/02/2015   15:22:58

            Event String:

            The session setup from the computer BEAMTESTING failed to authenticate. The following error occurred: 


         An error event occurred.  EventID: 0x000016AD

            Time Generated: 12/02/2015   15:22:58

            Event String:

            The session setup from the computer PMS-HO failed to authenticate. The following error occurred: 


         An error event occurred.  EventID: 0x0000165B

            Time Generated: 12/02/2015   15:25:09

            Event String:

            The session setup from computer 'rrr-CCC-055' failed because the security database does not contain a trust account 'rrr-CCC-055$' referenced by the specified computer.  


         An error event occurred.  EventID: 0x000016AD

            Time Generated: 12/02/2015   15:27:12

            Event String:

            The session setup from the computer rrr-CCC-055 failed to authenticate. The following error occurred: 


         A warning event occurred.  EventID: 0x0000043D

            Time Generated: 12/02/2015   15:34:10

            Event String:

            Windows failed to apply the Internet Explorer Zonemapping settings. Internet Explorer Zonemapping settings might have its own log file. Please click on the "More information" link.

         ......................... rrrMHDC01 failed test SystemLog

      Starting test: VerifyReferences

         ......................... rrrMHDC01 passed test VerifyReferences



   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation


   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation


   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation


   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation


   Running partition tests on : boldaj

      Starting test: CheckSDRefDom

         ......................... boldaj passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... boldaj passed test CrossRefValidation


   Running enterprise tests on : boldaj.com.eg

      Starting test: LocatorCheck

         ......................... boldaj.com.eg passed test LocatorCheck

      Starting test: Intersite

         ......................... boldaj.com.eg passed test Intersite


MCP MCSA MCSE MCT MCTS CCNA

Windows 2008 R2 Domain Controller NIC replacement


Hi

We are changing the 1 Gb NIC of Domain controllers, will do the change with FSMO owner first and once it's up we will proceed with second DC. Is there any special procedure with changing NIC for a DC?

Thanks in advance


LMS

Wildcard certificate with two different domains


Hi people, I need to generate a wildcard certificate for *.domain1.com and *.sub.domain2.com

One second-level wildcard and one third-level wildcard. Is it possible to include these two domains in one wildcard certificate? I need it from a public authority.

Thanks

Question about using group policy to restrict who can log on to a workstation


I'm aware that this can be done in ADDS, and I'm already using it to do exactly that.  I have a further question.  Suppose I want to set up a situation in which the only person allowed to logon to a workstation (whether physically at the workstation, or remotely through RDC) is the employee that workstation is assigned to.

Clearly I could do that by writing a group policy for every single workstation in the company, but that obviously gets a little tedious.  Is there any method by which I can write a single group policy that applies to all workstations, but can enforce the logon restrictions based on, say, a custom AD attribute for the Computer object (call it WorkstationOwner or something similar)?  The goal here would be to designate who 'owns' a particular workstation when it is joined to the domain, and then the group policy would work out who is allowed to log in to that workstation.

Is anything like that possible?

Event ID 4740 (Account locked out) not replicating to PDC


Hi

We have a couple of Domain Controllers (Windows Server 2012) in the company and we monitor only the PDC for Event ID 4740 for user account locked out so we can proactively notify the user. 

From what I have been reading, this Event ID '4740' is supposed to replicate from other DCs to the PDC, but somehow we have user accounts being locked out and the PDC did not have it in the security logs. So I have a few questions in mind:

1) Is Event ID 4740 exclusive only to PDC or other DC can log this event id as well?

2) Should only PDC be monitored or all DCs should be monitored for Event ID 4740? (if other DCs are monitored as well, will this generate a duplicate event id if it is replicated to PDC)?

3) Any other Event ID to monitor for user account locked out?

4) We are on a policy to lock out a user account after three bad password attempts; is there any event ID to look out for for the third bad password attempt? (Reason I asked is because Event ID 4740 does not get triggered until the fourth bad password entry is attempted even though the account gets locked on the third attempt)?

Thank you

MaxTokenSize value implemented but not working


Hi, we've had some intermittent issues with maxtokensize errors on Windows 7 and Server 2008 computers in our environment. We implemented a group policy to push out the key at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lsa\Kerberos\Parameters and set the value to 48000 as suggested by this article.

https://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(v=ws.10).aspx

However, on some servers, we are still seeing errors such as the following, and group policy is failing to apply because of it.

"The kerberos SSPI package generated an output token of size 15719 bytes, which was too large to fit in the token buffer of size 12000 bytes, provided by process id 4.
 
The application needs to be fixed to supply a token buffer of size at least 48000 bytes."

I have confirmed the registry key exists on the server. Can anyone suggest an explanation why this could be occurring?

Resolve child domain for Stub zone with external DNS server


Hi guys,

Stub zone = abc.com
Child domain = test.abc.com / dev.abc.com

I have a Win Server 2012 R2 DNS server, it has a stub zone (abc.com) with external DNS server that is located at partner company.

Everything in the stub zone (whatever.abc.com) is resolving perfectly fine.
The issue comes when we resolve records that are in the child domain of the stub zone (record.test.abc.com, record.dev.abc.com etc etc).

In client, if we set the dns server directly to the external DNS server, everything including records in child domain is resolving fine.

From what we observe, our Win 2012 DNS doesn't forward child domain DNS queries to the external DNS server; it simply returns no record to the client.

Is there a way to make it a wildcard to forward any child domain query to the external DNS server?
I do not want to do a conditional forward because it would mean we create a new forwarder every time the partner has a new child domain.



AAD Connect Question about Syncing Object Types


Let's say we had 1,000 contacts in AD.  We are now on 365.  We currently have all contacts synchronizing with AAD Connect.  We want to stop synchronizing contacts so we can edit them in 365.  What's the best way to do this?

Can I just stop synchronizing contact types?  If so, how to force that sync to happen?

"Microsoft network server: Server SPN target name validation level" Making it work


My company's Min Sec Baseline requires this setting at '1' ". . . The SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server’s list of SPN’s."

When set to (1) 'Accept if provided by client' on a 2012R2 file server, attempts to access the share using a DNS alias (of the server name) fail with the message "You do not have permissions to access <share name>". When set to (0) 'Off', the same access works.

Checking SPNs of the file server, I see the alias exists as SPNs

HOST/<alias>

HOST/<alias.domain.com>

 What are we missing? Do I have it correct, that the client is passing this alias SPN, and that this same SPN, if it shows on the list of SPNs of the server (setSPN -L), is what the server checks against? And if yes, shouldn't this then be working?


Tony Auby

Single Domain but multiple domain names, is it possible


I currently have a domain, test.local, but I require a server that needs adding to the domain as test.com in order to apply a security cert etc. I have alternative UPN suffix so users can logon username@test.com but I can't add a workstation/server to test.com only the true domain name of test.local.

Is there any way to allow a machine to join the domain test.local but fool it to use test.com?


DNS Zone Transfer


Hi All,

We have an issue with DNS zone transfers. We have one DC and five ADCs. In the DNS management zone transfer tab, we have selected zone transfer "only to servers listed on name server tab". We have also set the notification of zone updates to "same server listed on name server tab".

Is it mandatory to change the above settings in all forward and reverse lookup zones on the DC, or on the ADCs also?

Regards,

Chinmay


Microsoft Active Directory Migration From 2008 to 2012 Plan


Dears,

We have a plan to migrate our Microsoft Active Directory 2008 to AD 2012 in our current environment. We have three domain controllers, one primary and two secondary, one of which is a VM. My plan is to prepare three servers with OS 2012, one physical and two VMs. I want to find Microsoft's recommendation for the best plan: if you have three servers, should I make one physical and two VMs, or all three VMs? Please, if someone can send me a letter or recommendation by Microsoft on which way is best, I would appreciate it.

Thanks.
