Channel: Directory Services forum

AD LDS Question - Security Groups


First off, let me apologize if this was submitted to the wrong forum. Please let me know which forum would be best and I will try to move it.

I have recently set up a Server 2008 R2 AD LDS server. The idea was to use this device in the DMZ and have WordPress authenticate against the LDS server. I have a handful of users in an OU that I have exported and then imported into my LDS instance. After some troubleshooting I was able to get this going. Then management requested that a bigger handful also be allowed to authenticate against this instance, but they are all over the place as far as different OUs go, and importing them this way just seemed to be a nightmare. So I had a thought: can I create a universal security group, make all the desired users members of that group, and then export/import my users that way? If so, what would I need to change?

Here is the export command I'm using: ldifde -f diffXX.ldf -d "DC=xxx,DC=com" -p subtree -r "(&(objectcategory=person)(objectclass=user)(givenname=*))" -l "cn,givenname,objectclass"


Lost contact with PDC


I have a domain my.domain.com in forest domain.com that had a bad incident. The PDCE died, and so the role went to another DC, one that was behind a firewall from one of my remote DCs (remote.my.domain.com).

It took a while before it was discovered and the problem escalated to me.

The PDCE role was later moved to another DC that is not firewalled, but the remote DC didn't get the message and is somewhat broken. For instance, Forest Enterprise Admin credentials won't work to log into it, and it has various errors in DCDiag.

What can I do to fix my remote domain controller so it syncs up with the new PDC?



just david

Password Sync issue


Hi all,

Recently a couple of users, after changing their password, found that the password was not syncing with all the applications.

So we logged into the DC and checked, and it was working fine. The next level found the problem: two services related to password sync were stopped. They restarted them and the issue got fixed.

I want to know how to find these two services, which are responsible for syncing the password.

Aamir


NA

relationship between SPN notation and suffix routing


Hi all,

Is there any relation between a FQDN that is used in a SPN and suffix routing that might be configured between two forests using the same 'domain' suffix as was used in the FQDN of the SPN?

Forest trust between forestA.com and ForestB.com; ForestB.com will get a suffix registered for company.com and suffix routing will be enabled. (New users are created in ForestB with the UPN suffix @company.com.)

However, in forestA.com there are, e.g., resources with constrained delegation via service accounts that use a SPN like HTTP\server.company.com, which exist for services (e.g. a web server) in ForestA only.

For all I know, that last SPN part will be treated like a FQDN, or is this involved in the suffix routing as well?

The whole Kerberos ticketing would be based on http/server.company.com@forestA.com and would therefore not be routed to ForestB.com? Or am I missing something?

TIA

Restrict use of ADAC


Hello All

We recently had an issue where a Help Desk associate deleted the wrong computer account in Active Directory.

So, I've created a module for all of our Help Desk staff to use and want to prevent them from using any of the GUI tools. One day, maybe I'll get up the gumption to give them their PowerShell tool via a GUI...

Anyway, I have blocked access to all of the AD Management Consoles; however, the one particular user was actually using the "Active Directory Administrative Center".  How can I completely block access to using this by the Help Desk staff?

I know I can block running an executable; however, just create a copy, name it something else, and you've bypassed it.

Thanks & Merry Christmas & Happy Holidays


Windows 7 Lockout -- All Accounts Are Locked Out!?


Hi all, 

I'm having a terribly difficult problem to solve, trying to understand lockout issues with Windows 7 Ultimate. I have done a vast amount of research on the topic, but to no avail; none of the suggestions seem to apply.

The environment is a private network in which the computer in question does not join the domain. One issue is that users must vary authentication between domain services and local computer services -- i.e. if they want to map a network drive or connect to MS Exchange Server through Outlook, then they must authenticate with their DOMAIN account. If they want to install software they must authenticate with the LOCAL ADMIN account. There are several local accounts on the computer, including administrator accounts. This computer is not connected to the internet. It is regularly updated though with Microsoft and other application security patches. It is also significantly locked down from a security perspective. 

Users that experience the issue all SEEM to have one common denominator in that they are using the "Switch User" function to switch between various user accounts. This could be a factor of locking out one account and switching to the next or could actually be part of the root problem. 

The users report that "ALL ACCOUNTS HAVE BEEN LOCKED OUT". I did not even know such a state was possible unless you single-handedly went through each account and failed with the password three times. 

Is there a known issue in Windows 7 Ult that will trigger the account to be locked out because of switching users? Or anything that could lock out ALL accounts? 

Please help; this problem does not seem to go away. It is the single greatest failure in the system right now.

Multiple sites vs different domains?


I think I may have screwed up but I need advice from those more knowledgeable than myself.

I do IT consulting work and one of my customers is a small manufacturing company, we will call CompanyA. This company has 3 servers, 2 of which are Domain Controllers and the other is a file server. There are a number of workstations, all of which are part of the domain and all the users are domain users and access is controlled through Group Policy.

This company has acquired a smaller company, we will call CompanyB. CompanyB has one server and 3 workstations. The server acts as a file server and the user accounts are replicated on all computers to enable file sharing.

CompanyA wishes to do the production for CompanyB which means they need an efficient way to transfer design drawings from one company to another.

I installed a VPN capable router at each site and initiated a VPN connection between the two locations. This means adjusting the network address used by CompanyB.

To avoid the duplication of user accounts, etc, I decided to integrate CompanyB into the AD of CompanyA. I considered creating a sub-domain as one alternative or keeping a single domain and creating 2 sites. After studying the issue, I concluded, possibly incorrectly, that a single domain with 2 sites was the way to go.

Accordingly, I joined the server at CompanyB to the CompanyA domain, created user accounts for the people at CompanyB in the domain, and promoted the server at CompanyB to be a Domain Controller so that, should the VPN fail, everyone could still log on.

All worked well and I was very pleased with myself.

This morning the boss at CompanyB called wanting access to his server in order to do an update for their accounting software that is resident on the server. So now, I have this dilemma. Since only Domain Admins have administrative rights on the DC, I had to give him access. Now, these are small companies with trusted employees so I am not terrified of this security breach, but it is not the right way to go.

I know having Domain Controllers host software is essentially not a good idea, but in an outfit this small it is a necessity since there is only one server. But I don't like the idea of having anyone at CompanyB having control over the CompanyA domain.

I was looking for an option to create an account that would be an administrator on CompanyB's server but not a Domain Administrator, but I can't find any way to do that.

As I see it, I have 3 options, one of which is probably a non-starter, and I seek guidance as to the best way forward.

  1. Demote the CompanyB server from being a DC and have no Domain Controller at CompanyB. The boss could then become an administrator on the member server and do software updates.
  2. Roll back everything and instead create a different domain in the Forest and then set appropriate trusts to allow cross domain access where needed. This would work but as the two companies achieve closer integration might prove cumbersome in sharing data.
  3. Install another server to act solely as a Domain Controller. I am pretty sure this would be resisted on cost grounds. I could run a virtual server under the current server and make it a Domain Controller, but the CompanyB server only has 4 GB RAM and isn't really up to this.

I am open to suggestions as to which path I should follow. If you have ideas that are superior to any of the 3 I outline above, I'd like to hear them as well.

Even though these are small companies, I like to set them up using the same tools as though they were larger companies as I believe that doing things the right way, even if a little more trouble, always pays off in the end.

Thanks in advance for any help.

Martin Horton

Delegation for rebooting Domain Controller


Hello All,

We have a total of 8 domains, containing approximately 150 Domain Controllers.

For our Monitoring team, we want to provide the right to reboot a Domain Controller after the monthly patches.

I tried adding them to the Admin group, but then they get access to RDP to a DC, which is not required.

Is there any way to provide access for DC reboot only?


Thanks HA


restore users, groups, OU structure and group policy objects


Hi,

I am currently building a small isolated test Active Directory environment. I have installed and deployed 2 DCs and my AD is up and running.

Now I want to take a system state backup from my production AD and restore only the users, groups, the OU and the group policy objects to the test environment. So basically, I would have a copy of my production AD data on my test environment sans the production AD configuration (sites and services) and the other infrastructure details as it wouldn't match anyway....

Has anyone tried this before and can provide some guidance?

Many thanks.

Regards,

Ochen

Replication of updated .admx files in PolicyDefinitions


Hi all,

We're updating the .admx and .adml files within our PolicyDefinitions folder in SYSVOL for Windows Server 2012 R2 and Windows 10. What we've noticed is that whilst new .admx / .adml files replicate around our DCs (we have 4 in total on the same site but in different VLANs) pretty quickly, existing .admx / .adml files don't; the unchanged date modified value suggests that they haven't replicated.

For example, on the DC where we have copied the .admx files to, the AddRemovePrograms.admx file has been updated to 25/11/2013 07:25, but the remaining DCs all have a time stamp of 10/06/2009 22:34. Replicating new files seems OK, so is there a setting for updating modified files at all? Also, short of copying the updated files into the PolicyDefinitions folder of each DC individually, is there another way of bringing all the files (including the date modified timestamps) into line? And ultimately, does this even matter (i.e., is there any difference in, say, the AddRemovePrograms.admx file from 2009 to 2013)?

Many thanks

FSMO Role Holder: Add a Secondary Failover Server?


I have one physical server that's holding my FSMO role for the entire company:

C:\Ad>netdom query /domain:csaa.local fsmo
Schema master               CS-DC1.csaa.local
Domain naming master        CS-DC1.csaa.local
PDC                         CS-DC1.csaa.local
RID pool manager            CS-DC1.csaa.local
Infrastructure master       CS-DC1.csaa.local
The command completed successfully.

I was wondering whether it would be possible to have a secondary "fail-over server" or some sort of NLB (load balancing) holding these FSMO roles on two separate servers (1 physical and one VM)? I'm trying to place failovers in my network, and this is one of the things I was asked whether it is possible...

Cheers - DB

Migrating a domain out of a forest to a new forest


I need to migrate our domain out of a larger forest. Our domain name is old.domain.com. Looking for some guidance and advice. Let me describe our environment a bit.

We are part of a large private fiber network and will remain on that network. We are a small shop of about 700 users and 700 Windows clients. All servers are 2008 R2 and above. We use IP printing. We have two web applications in our Linux Oracle environment. We do not have Exchange email at this time. We have no SCCM. My plan is as follows. Mind you, I am in the early stages of this plan. I have a 3-node file cluster. We have about 60 servers that host various applications and services, but nothing that jumps out and screams big problem (McAfee EPO, Citrix (small footprint), a door security application, etc.). Most of these servers can be rebuilt with little to no disruption in service.

We are abandoning old.domain.com, and upon completion old.domain.com will be removed from the forest. With that said, we need to keep the namespace old.domain.com.

Our DNS zones for old.domain.com are zone transferred to several enterprise DNS servers. Our internet presence, with regard to DNS, is handled by the enterprise.

  1. We plan to use ADMT to migrate the users and groups, not the workstations. We chose this because as part of this we are going to stand up SCCM in the new forest, re-image workstations and join them to the new forest. Workstations have little to no data stored on them.
  2. Regarding the file cluster: as stated above, my plan is to migrate users and groups and bring workstations in by reimaging. Users will continue to access the file cluster in the old forest while I build a new cluster in the new one, at which time I will use something like Robocopy to sync the data and permissions, test, and then cut users over to the new file cluster.
  3. Things like McAfee EPO and Citrix, because they are so small, I will just rebuild. McAfee will pick up new client PCs after their re-image. For Citrix I will just have to recreate the half a dozen applications there.
  4. I will use ADMT to migrate GPOs as well.
  5. DNS: during the migration I will use forwarders to the old forest to keep things such as printers and our applications working seamlessly. At some point in the migration process I would like the new forest to take over hosting the old.domain.com zone for the foreseeable future.
  6. DHCP: not sure how I am going to handle this since we are not migrating workstations. My thought was to leave DHCP in the old forest until workstations are moved, then recreate it in the new forest, making the necessary adjustments.

This is a rough sketch of my plan. I am looking for some insight and advice from people who have faced this same scenario. Not sure what the new name will be for the forest, but perhaps something like Newdomain.local, and host the old.domain.com DNS for internet and application presence.

DCDIAG /test:VerifyEnterpriseReferences (problems reported)


Ran DCDIAG /test:VerifyEnterpriseReferences on a few DCs and the same problems were reported. Detailed below:

Starting test: VerifyEnterpriseReferences The following problems were found while verifying various important DN references. Note, that these problems can be reported because of latency in replication. So follow up to resolve the following problems, only if the same problem is reported on all DCs for a given domain or if the problem persists after replication has had reasonable time to replicate changes.

Repadmin not showing errors and other dcdiag results seem fine.

Checked the configuration in ADSI Edit, and CN=LostAndFoundConfig has content, but I wanted to ensure that it's safe to delete. I reckon the objects are linked to an old DC. Nothing is listed in the Active Directory LostAndFound OU.

Any advice would be appreciated. I just want to be sure that no problems will occur if these objects are removed.

Join 2008 R2 server to an AD domain with a domain name suffix differing from the default domain name


In our production environment we use a SINGLE AD domain for authentication. In our AD DNS system we use several sub-zones delegated to UNIX BIND servers. In other words: the AD domain name is contoso.com, and the DNS zone names are us.contoso.com, eu.contoso.dom etc. After the domain join we manually change the domain name suffix of the hosts: from contoso.com by default to us.contoso.com. Thus hosts are members of the AD domain contoso.com but have a FQDN like computer.us.contoso.com, i.e. the AD domain name doesn't match the DNS domain name. The question is, can we do this at the moment of the domain join? I mean, can we join a computer to an AD domain with a different domain suffix? The standard ways to join don't seem to have this option: GUI, netdom add, Add-Computer. All of them have a computerName option, but it sets only the host name or NETBIOS name; the domain suffix is taken from the AD domain name by default anyway. I figure there might be a way to get around this? Using .NET classes, a registry hack or something else...

Thanks in advance.

Domain rename


I inherited a domain called abc.office.company.com. It is the forest root, with no subdomain. I want to rename it to abc.company.com, or preferably just company.com. The forest is at 2008 R2 functional level. I have 2 DCs: a 2008 R2 one, which holds the FSMO roles, and a 2012 R2 one. I can demote the 2008 R2 DC if needed.

Can the rename be done using rendom? 


DNS and its related services not starting on the Domain Controller ... error 1068 displayed


Hi,

In our test domain, I found that one of the Domain Controllers running Windows Server 2008 R2 is having the problem of DNS and its related services not starting.

When I restart the services related to DNS, error 1068 is displayed.

Any help is greatly appreciated


Thanks & Regards S.Swaminathan Live & let others live!!!

Exchange Mailbox sent and received email count for a specific user mailbox and date range


How do you query the message tracking log in Exchange to give you the number of emails sent and received in a given time period for a user mailbox?

I am using PowerShell with two different methods and they produce different email counts for the same user mailbox.

The first method is using Get-MessageTrackingLog (-Sender) or (-Recipient) | Select-Object -Unique MessageID.

The second is using (-Sender) or (-Recipient) -EventID (Receive) or (Deliver) to query Exchange.

The next question is how do you validate the data to be correct.

Thanks 


Alain J Laverdure

Problems adding sites and subnets in a large environment


Hello everyone,

Some time ago I was browsing security logs on one of our domain controllers and I found something like this showing up every now and then:

During the past 4.00 hours there have been 50019 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise.

Without much thinking I decided to add subnets to AD Sites & Services, hoping it would solve the problem. While I was waiting for my colleague from the networking division to provide me all of the subnets used within our organization, I pulled scopes from our DHCP servers to a CSV file, created an Excel spreadsheet to build cmdlets, and after I decided which subnet should belong to which site, I added approx. 40 of them.

I was curious if that helped, so the next day I opened the event viewer and was SHOCKED when I saw THIS:

During the past 4.00 hours there have been 205497 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise.

Can anyone explain why the number of such connections increased four times after adding subnets to specific AD sites? I'm trying hard to find the solution for this because I really don't want to revert those changes and delete the subnets.

DNS between new Child DC's and Parent DC's misconfigured?


Hey everybody! 

In our environment I was running a single DC running DNS, AD, etc. We have gone through an engineering change which requires 3 child domains to be spun up. I built the child DCs and promoted them as such with the global catalog option two days ago, and all seemed fine until I went to join my first server to the new child domain. My DNS skills are quite terrible, so please go easy on me. All servers are Server 2012.

Upon trying to join a server to the child domain, I received the error: "DNS name does not exist" the query was for the SRV record for _ldap._tcp.dc._msdcs.child.parent.local - The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. One or more of the following zones do not include delegation to its child zone (substituted names for child and parent domains for anonymity).

On the parent DC, in DNS manager, I can see delegations for all three child DCs with FQDNs.  I've set zone transfers to allow to any server.

On the child domain DCs, in the TCP/IP settings, the primary DNS address points to the loopback 127.0.0.1, and the secondary is set to the IP of the parent DC. I've tried creating a secondary zone, but it says that "the server with this IP address is not authoritative for this zone"... and when it finishes creating the zone, I try to go into the properties and change the name server to add the parent DC as authoritative, but the buttons are greyed out.

On the server I've attempted joining to the Child Domain, the TCP/IP settings are set to point to the Child DC's DNS.

I'm sure I'm missing something very simple somewhere, but my experience with DNS is limited, and non-existent with subdomains. Any help is greatly appreciated.

Verifying the functionality of an Additional Domain Controller?!


Dears,

I have 2 DCs, one PDC and one ADC, both are available. How can I verify that the ADC is working fine without disconnecting the PDC?

Thanks

Regards
