Channel: Directory Services forum

Schema Extensions

Hello,

Apparently the Schema extensions in Active Directory by SCCM (SMS) have been changed.

Executing query (&(ObjectCategory=MSSMSRoamingBoundaryRange)(|(&(MSSMSRangedIPLow<=174742319)(MSSMSRangedIPHigh>=174742319))))
Executing query (&(ObjectCategory=mSSMSSite)(|(mSSMSRoamingBoundaries=10.106.80.0)(mSSMSRoamingBoundaries=RRH)(mSSMSSiteCode=SRV)))
LSGetAssignedSiteFromAD 
I am trying to find out why the site code is wrong

How could I do:

- List of extensions used by SMS

- Last Modified Date

Thanks,
Dom


System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager



Remote Server Administration Tools for Windows 10

I have a small network set up at home and I am using Remote Server Administration Tools for Windows 10 to update/create GPOs.

I have 2 laptops, one running Windows 10 32-bit and the other now running Windows 10 Pro 64-bit.

I was using the Windows 7 Pro 64-bit version before I upgraded to Windows 10 and everything was working great. Now that I have upgraded, whenever I go in to edit a GPO that I have already been working on, it gives me an error (0x80070041) occurred parsing file. network access denied whenever I try to access user configuration/preferences & computer configuration/preferences.

Can anyone help with this?

Get-ADDomainController

Get-ADDomainController reports an old server that we want to retire.

How do I change the reported hostname and IP address of an old server that we want to demote and retire?

When I shut down the old server, I am unable to log into any AD or Exchange info.

Yes, all the FSMO roles have been moved over to the new server. When I run netdom query fsmo everything looks great.

Yes, the new DNS server is a global catalog.

Here is what Get-ADDomainController reports:

ComputerObjectDN           : CN=SERVER1,OU=Domain Controllers,DC=domain,DC=local
DefaultPartition           : DC=domain,DC=local
Domain                     : domain.local
Enabled                    : True
Forest                     : domain.local
HostName                   : Server1.domain.local
InvocationId               : dac797ec-????
IPv4Address                : 10.10.10.3
IPv6Address                :
IsGlobalCatalog            : True
IsReadOnly                 : False
LdapPort                   : 389
Name                       : SERVER1

SERVER1 is the old

I am thinking Command would be

Set-ADDomain -server newserver.domain.local

but that gives me an error

  + CategoryInfo          : InvalidArgument: (:) [Set-ADDomain], ParameterBindingException
  + FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.ActiveDirectory.Management.Commands.SetADDomain

thanks for your time and your help

Mike

Windows Server 2003 member server is going out of domain

Hi,

In my production environment the Windows 2003 servers are going out of the domain intermittently. I tried to rejoin them but was unable to do so. I have checked that the DNS IPs are properly provided. Kindly help me to resolve this issue.



Network Log Request

Hello All,

 

I need assistance from the team. I have been asked to provide a list of all users logged in to AD at one of the locations, from the users OU, from the start of the day January 6, 2016 to January 7, 2016 12 midnight EST. I would need the user's name and the device they logged into.

I would like to know whether it would be possible to get this information.

Thank You.


Thanks HA

Log

Dear all,

I want to check the logon log of a domain user, how many times he uses the domain. How do I check all the domain logs?

RODC Migrate with Primary AD 2012 R2

Dears,

We have a plan to migrate our Active Directory 2008 R2 to Windows Server 2012 R2, but we have fifth RODC in the regions. Is it necessary to upgrade our RODC too? Our plan is to upgrade only the main office, not the regions. May I have Microsoft's recommendation on whether we can upgrade only the head office from 2008 R2 to Windows Server 2012 R2 and keep the regional RODCs on 2008 R2? Will both work fine together? Will I face problems?

Thanks.

Best Practice Analyzer For AD DS Domain Controllers Firewall Configurations!!

Dears,

Good day, hope all are fine and doing very well.

I have a question:

I have 4 DCs in a single AD domain. The 4 DCs are distributed across 3 locations protected by different layers of HW firewalls. When I try to use AD BPA on one of the DCs it gives me the error "cannot get information from other DCs". Everything is configured correctly, but it seems to be a firewall issue, so can I know what firewall settings are required to complete the BPA for AD DS servers which are distributed across different protected sites?

Thanks in advance

Regards



Disabled VSS eats disk space

Hi,

I have 3 domain controllers running Windows Server 2008 R2 SP1. My problem is that VSS is eating disk space. I checked the VSS configuration and it is disabled on disks C: and B:, but they are still eating the disk space.

Any help would be appreciated.

Thanks a lot.

Domain running on Secondary Domain Controller only - Transfer Roles?

Dear all,

We have a domain, say domain.com, which has 2 DCs; DC1 is the PDC and DC2 is the SDC, running on Windows Server 2008 R2. DC1 holds all FSMO roles at this moment. Both DCs are ADI zone DNS servers and DNS is in sync. Now DC1 is having health issues, and we need to rebuild it. We are a heavily used production environment running 24x7 and cannot afford any long downtime; we expect to have no downtime, or else a minimum. We have ADI Citrix, and applications running in Citrix use SSO integrated with AD authentication; Exchange is also SSO integrated with AD. We have VMware vSphere to access PVCenter for VM management.

We did a fail-over test of DC1, in which we brought down DC1 to check whether everything works fine while the SDC DC2 is active. Here are the issues we found:

- Citrix log-in is good, but logging into the apps inside Citrix takes a while (40 secs). It was less than 10 secs before.

- Ping domain.com started resolving the old DC1 IP address instead of DC2. However, after a while, maybe 15 minutes or more, it started resolving the DC2 IP address.

- On the Citrix app, when users tried to find an ID (the ID was already present in AD), it said ID not found in domain.com, though users logged on to the application using SSO.

- After ping started resolving the DC2 IP address, VMware vSphere was not able to connect to PVCenter, saying "the vsphere client couldn't connect to <PVCenter IP address>. the server <PVCenter IP Address> took too long to respond"

Now the question is, do we need to transfer all FSMO roles to the SDC to make it the PDC before we disconnect the existing PDC? And if we do that, will all these issues above not occur?

Thanks and I will appreciate your answers.

Forest trust - logon problem

Hello,

My client is in the middle of a merge and has this configuration:
AD Forest A ( local ) with local users ( not migrated yet )
AD Forest B ( remote ) with local computers ( every PC was installed from scratch from image and belongs to Forest B )

There is a two-way trust between Forest A and Forest B ( checked  and is OK ).

Forest A and Domain A ( only one domain ) are on level 2003.
There are two DCs:
DC1 with Windows 2003 SP2 English
DC2 with Windows 2008 R2 SP1 Polish.

A user ( from A ) can log in on a computer ( from B ) and when the logon request is processed by:
DC1: everything is OK: Outlook is connected to local Exchange 2003, drives to local resources are mapped etc.
DC2: access to local resources is denied: Outlook is offline, drives are not mapped etc.

[ I can check logon server by "set logon" command in command prompt. ]

This situation occurred a few days ago; previously everything worked OK.
Recently both controllers were updated by Windows Update.

I haven't seen anything special in the event logs on DC1 / DC2 or on local computers [ I have no access to B ];
perhaps I've missed something.

Today, to mitigate the problem, I've raised the priority of DC2 in the DNS SRV records according to:
https://technet.microsoft.com/en-us/library/cc787370%28v=ws.10%29.aspx

"changing the priority causes DNS to stop referring all clients to this domain controller unless all domain controllers with a lower priority setting are unavailable."

What is wrong?


best regards
Janusz Such



RODC replicate single object DNS partition (access denied)

Hi,

I have a 2008 R2 RODC that is logging Event 4015 in the DNS Server logs every 3 minutes -

Event 4015 -

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "00002105: SvcErr: DSID-03210BEB, problem 5012 (DIR_ERROR), data 0". The event data contains the error

----------------------

The writeable DC the RODC is attempting to replicate single object with has the following errors -

Event 2883 -

The following directory service made a replication request to replicate attributes in filtered set that has been denied by the local directory service. The requesting directory service does not have access to replicate attributes in the filtered set.

Requesting directory service: xxxx-xxxx-xxxx-xxxx (xxxx.DC.COM)

Directory partition: DC=DomainDnsZones,DC=DC,DC=COM

User Action

If the requesting directory service should get attributes in filtered list, verify that the security descriptor on this directory partition has the correct configuration for the Replication Get Changes In Filtered Set access right.  You may also get this message when the attributes in filtered set are different between source and destination DCs because of recent schema change. This message will cease when the schema is in sync between the destination and source DCs.

--------------------

Event 1699 -

This directory service failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send change requests to the directory service at the following network address.

Directory partition: DC=xxxx,DC=DC.COM,cn=MicrosoftDNS,DC=DomainDnsZones,DC=DC,DC=COM

Network address: xxxx-xxxx-xxxx-xxxx._msdcs.DC.COM

Extended request code: 6

Additional Data Error value: 8453 Replication access was denied.

------------------

No other tests I have run fail, all other aspects of replication are working including the replication of the DNS partition and replicate single object for other partitions.

Running Repadmin /replsingleobj for a DNS object causes the same error.

I am at a loss to find what can be causing the RODC to be denied access to only replicate single object on the DNS partition.

Cheers, Ryan.

Deleting Child Domain Domain

I was able to successfully delete the child domain, but I see that the entry has not been removed and the child domain entry shows again.

I wanted to delete the child domain

hadeed.com.pk

RODC replicate single object DNS partition (access denied) - new

Hi,

I have exactly the same issue as was discussed in https://social.technet.microsoft.com/Forums/office/en-US/7fe92204-b931-42e9-9ae6-21552602b092/rodc-replicate-single-object-dns-partition-access-denied?forum=winserverDS&prof=required

But I was asked to start a new topic for that, so I am writing this question:

I have a 2008 R2 RODC that is logging Event 4015 in the DNS Server logs every 3 minutes -

Event 4015 -

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "00002105: SvcErr: DSID-03210BEB, problem 5012 (DIR_ERROR), data 0". The event data contains the error

----------------------

The writeable DC the RODC is attempting to replicate single object with has the following errors -

Event 2883 -

The following directory service made a replication request to replicate attributes in filtered set that has been denied by the local directory service. The requesting directory service does not have access to replicate attributes in the filtered set.

Requesting directory service: xxxx-xxxx-xxxx-xxxx (xxxx.DC.COM)

Directory partition: DC=DomainDnsZones,DC=DC,DC=COM

User Action

If the requesting directory service should get attributes in filtered list, verify that the security descriptor on this directory partition has the correct configuration for the Replication Get Changes In Filtered Set access right.  You may also get this message when the attributes in filtered set are different between source and destination DCs because of recent schema change. This message will cease when the schema is in sync between the destination and source DCs.

--------------------

Event 1699 -

This directory service failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send change requests to the directory service at the following network address.

Directory partition: DC=xxxx,DC=DC.COM,cn=MicrosoftDNS,DC=DomainDnsZones,DC=DC,DC=COM

Network address: xxxx-xxxx-xxxx-xxxx._msdcs.DC.COM

Extended request code: 6

Additional Data Error value: 8453 Replication access was denied.

------------------

No other tests I have run fail, all other aspects of replication are working including the replication of the DNS partition and replicate single object for other partitions.

Running Repadmin /replsingleobj for a DNS object causes the same error.

I am at a loss to find what can be causing the RODC to be denied access to only replicate single object on the DNS partition.

Thank you and best regards,

Sven

Authoritative restore and Non Authoritative restore

Hi

1. What's the difference between an authoritative restore and a non-authoritative restore? Please explain with an example.

Also, if anyone has Windows questions and answers with troubleshooting and live scenarios, please help me.


Sysprep.exe with or without "Generalized"?

Can anyone tell me what the difference is between sysprep.exe with and without the "Generalized" option?

Another question: is it possible to join computers to a domain controller if they have the same SID (I clone them from a single image)?

Thanks to all in advance for answering my questions :)

About domain user account

Hello Sir,

I have some questions. If a user already has a "Domain User Account" in an AD (WinServer 2008 or WinServer 2012) domain environment and the user asks us to change the password of his "Domain User Account", is it true that the "Domain User Account" password of any domain user could also be changed by logging into the computer of that user, pressing "ALT+CTRL+DEL" and clicking on "Change a Password"?

Thanks.



After ADMT migration user gets credentials from source domain when logs onto target domain

Hello all,

I'm experiencing an odd issue with some random users after migration.

I have migrated around 300 users and workstations to a new domain using ADMT 3.2. In some cases (around 5%), when I finish migrating the workstation I can log on correctly with the user, but the migrated user takes policies from the source domain. When I perform a gpupdate /force the system says (translated from Spanish):

Error processing Group Policy. Windows could not read file \\targetdomain\sysvol\targetdomain\policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini

When I perform a gpresult -r it reveals that the user credentials are obtained from the source domain and the computer's from the target.

Of course, I'm logging on with the user in the target domain.

Has anyone experienced this kind of issue when migrating?

Thank you in advance,

CMX

Changing KRBTGT password

Dear All,

Our security team wants me to change the KRBTGT password twice as a recommended best practice. I want to know how to reset it, and I also want to know the impact it will have in my environment after changing the password. I have multiple sites with DCs and am running Exchange Server; we have a mixed OS environment running Windows Server 2008 and 2012.

What is the best and safest method to do so?

Regards

Tom.


TechGUy,System Administrator.

Renaming domain controller

Hi,

Greetings!

I am using a single domain controller with Server 2008 R2. I want to change the domain name as mentioned below.

From (Current name) DC.xxx.com To (New name) DC.yyy.com.

Also, let me know whether this will affect user client login, and do I need to take a backup of users and groups and DNS?

Thanks in advance for your help.

